security [ARCHIVED] July 2008

security@lists.fedoraproject.org

3 participants
4 discussions

[Bug 240397] New: CVE-2007-2721: jasper DoS, heap corruption
by Red Hat Bugzilla 08 Sep '08

08 Sep '08

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=240397 Summary: CVE-2007-2721: jasper DoS, heap corruption Product: Fedora Extras Version: fc6 Platform: All OS/Version: Linux Status: NEW Severity: medium Priority: medium Component: jasper AssignedTo: rdieter(a)math.unl.edu ReportedBy: ville.skytta(a)iki.fi QAContact: extras-qa(a)fedoraproject.org CC: fedora-security-list(a)redhat.com http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2721 "The jpc_qcx_getcompparms function in jpc/jpc_cs.c for the JasPer JPEG-2000 library (libjasper) before 1.900 allows remote user-assisted attackers to cause a denial of service (crash) and possibly corrupt the heap via malformed image files, as originally demonstrated using imagemagick convert." Appears to affect 1.900.1 too. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

1 3

[Bug 237533] New: CVE-2007-2165: proftpd auth bypass vulnerability
by Red Hat Bugzilla 30 Jul '08

30 Jul '08

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=237533 Summary: CVE-2007-2165: proftpd auth bypass vulnerability Product: Fedora Extras Version: fc6 Platform: All OS/Version: Linux Status: NEW Severity: high Priority: high Component: proftpd AssignedTo: matthias(a)rpmforge.net ReportedBy: ville.skytta(a)iki.fi QAContact: extras-qa(a)fedoraproject.org CC: fedora-security-list(a)redhat.com http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2165 http://bugs.proftpd.org/show_bug.cgi?id=2922 "The Auth API in ProFTPD before 20070417, when multiple simultaneous authentication modules are configured, does not require that the module that checks authentication is the same as the module that retrieves authentication data, which might allow remote attackers to bypass authentication, as demonstrated by use of SQLAuthTypes Plaintext in mod_sql, with data retrieved from /etc/passwd." -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

1 19

Re: Need Information Rergading US CERT VU#800113
by Josh Bressers 09 Jul '08

09 Jul '08

On 9 July 2008, Anne-Marie wrote: > That's wonderful! Thank you Josh. I understand only releases prior > to Fedora 8 will need to be patched. Is this correct? > > Thank you again for your help, > No, all versions of bind need to be patched, as bind will get a random UDP port from the kernel, but reuse it for subsequent queries. -- JB

1 0

Need Information Rergading US CERT VU#800113
by Anne-Marie 09 Jul '08

09 Jul '08

Hello, Could you confirm whether VU#800113 affects Fedora? The announcement for the Multiple DNS implementations vulnerable to cache poisoning is located at http://www.kb.cert.org/vuls/id/800113. Thank you for your help, Anne-Marie Keithley

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

security [ARCHIVED] July 2008