Another issue of the Fedora News Updates has been released and is
available at:
http://fedoranews.org/colin/fnu/issue12.shtml
The current issue is always linked to
http://fedoranews.org/colin/fnu/current.shtml
Covering Fedora Core 2's release, and some migration topics. Arjan, the
kernel maintainer talks about why 'sg' isn't needed for regular
burning/ripping of CDs, while Alexandre has some great stuff on
Firewire. Fedora Legacy has interesting news of stopping support for
RH7.2/8.0, and Fedora works on a Mac! Excellent public discussion of
performance tuning the Fedora Desktop, a must read.
--
Colin Charles, byte(a)aeon.com.my
http://www.bytebot.net/
Subject: Fedora Core 2 Update: libgnome-2.6.0-3
---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2004-134
2004-05-20
---------------------------------------------------------------------
Product : Fedora Core 2
Name : libgnome
Version : 2.6.0
Release : 3
Summary : GNOME base library
Description :
GNOME (GNU Network Object Model Environment) is a user-friendly set of
GUI applications and desktop tools to be used in conjunction with a
window manager for the X Window System. The libgnome package includes
non-GUI-related libraries that are needed to run GNOME. The libgnomeui
package contains X11-dependent GNOME library features.
---------------------------------------------------------------------
Update Information:
This updated libgnome package allows GNOME sound events to work in FC2.
---------------------------------------------------------------------
* Sat May 15 2004 Colin Walters <walters(a)redhat.com> 2.6.0-3
- Apply another patch which fixes GNOME sound events, which
due to what appears to be a glib bug, were broken by my
previous patch.
---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/
881324410f3f62632b0a33d72f560eee SRPMS/libgnome-2.6.0-3.src.rpm
6b548ef29b51b46957cae5a2eb07dcb9 i386/libgnome-2.6.0-3.i386.rpm
2fe93f6f27fdff138df2305b9013abf1 i386/libgnome-devel-2.6.0-3.i386.rpm
f5a4f166e664c5c3e28f9fc3105b7283 i386/debug/libgnome-debuginfo-2.6.0-3.i386.rpm
d08a508a00d152ac3f4f47ae5543b0be x86_64/libgnome-2.6.0-3.x86_64.rpm
d6544332881e8d1a95b3b57cc09c6340 x86_64/libgnome-devel-2.6.0-3.x86_64.rpm
1756f5ba07cc35985895c845122b88e8 x86_64/debug/libgnome-debuginfo-2.6.0-3.x86_64.rpm
This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.
---------------------------------------------------------------------
---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2004-133
2004-05-19
---------------------------------------------------------------------
Product : Fedora Core 1
Name : kdepim
Version : 3.1.4
Release : 2
Summary : PIM (Personal Information Manager) for KDE
Description :
A PIM (Personal Information Manager) for KDE.
---------------------------------------------------------------------
Update Information:
The KDE team found a buffer overflow in the file information reader of
VCF files. An attacker could construct a VCF file so that when it was
opened by a victim it would execute arbitrary commands. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2003-0988 to this issue.
---------------------------------------------------------------------
* Thu Dec 18 2003 Than Ngo <than(a)redhat.com> 6:3.1.4-2
- added patch from KDE stable branch to fix buffer overflow in vcf
---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/
20a4f053aba0eccfd4e22b816714e27a SRPMS/kdepim-3.1.4-2.src.rpm
216304bb47999422716bc39b1b992d5e i386/kdepim-3.1.4-2.i386.rpm
a1b17e1958b623c414751bfb0044bf37
i386/debug/kdepim-debuginfo-3.1.4-2.i386.rpm
e750576e7c01bdc9242fc31299cd07b4 i386/kdepim-devel-3.1.4-2.i386.rpm
1c5694e3993b93e5a242a4acb725e18c x86_64/kdepim-3.1.4-2.x86_64.rpm
f7fa93f04c386d21cbdd380c9606766d
x86_64/debug/kdepim-debuginfo-3.1.4-2.x86_64.rpm
2024ae0a406a8aaf39e00a5997cc76f0 x86_64/kdepim-devel-3.1.4-2.x86_64.rpm
This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.
---------------------------------------------------------------------
---------------------------------------------------------------------
Fedora Security Update Notification
FEDORA-2004-132
2004-05-19
---------------------------------------------------------------------
Product : Fedora Core 2
Name : ipsec-tools
Version : 0.2.5
Release : 2
Summary : Tools for configuring and using IPSEC
Description :
This is the IPsec-Tools package. You need this package in order to
really use the IPsec functionality in the linux-2.5+ kernels. This
package builds:
- libipsec, a PFKeyV2 library
- setkey, a program to directly manipulate policies and SAs
- racoon, an IKEv1 keying daemon
---------------------------------------------------------------------
Update Information:
An updated ipsec-tools package that fixes vulnerabilities in racoon (the
ISAKMP daemon) is now available.
When ipsec-tools receives an ISAKMP header, it will attempt to allocate
sufficient memory for the entire ISAKMP message according to the header's
length field. If an attacker crafts an ISAKMP header with a extremely large
value in the length field, racoon may exceed operating system resource
limits and be terminated, resulting in a denial of service. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2004-0403 to this issue.
---------------------------------------------------------------------
* Wed Apr 14 2004 Bill Nottingham <notting(a)redhat.com> - 0.2.5-2
- add patch for potential remote DoS (CAN-2004-0403)
---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/
3e2e04aca6ff5ad9b87a58f360b5bdfd SRPMS/ipsec-tools-0.2.5-2.src.rpm
b5cf2f91174df9363be3fae649278f33 i386/ipsec-tools-0.2.5-2.i386.rpm
9f0262afaad8669bb6d194874845ba19 i386/debug/ipsec-tools-debuginfo-0.2.5-2.i386.rpm
4783879e9aa712ddd98373aad9429333 x86_64/ipsec-tools-0.2.5-2.x86_64.rpm
7447cbdca523ad5b185d697388386f2e x86_64/debug/ipsec-tools-debuginfo-0.2.5-2.x86_64.rpm
This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.
---------------------------------------------------------------------
---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2004-128
2004-05-19
---------------------------------------------------------------------
Product : Fedora Core 2
Name : subversion
Version : 1.0.2
Release : 2.1
Summary : Modern Version Control System designed to replace CVS
Description :
Subversion is a concurrent version control system which enables one
or more users to collaborate in developing and maintaining a
hierarchy of files and directories while keeping a history of all
changes. Subversion only stores the differences between versions,
instead of every complete file. Subversion is intended to be a
compelling replacement for CVS.
---------------------------------------------------------------------
Update Information:
Stefan Esser discovered an issue in the date parsing routines in
Subversion which allows a buffer overflow. An attacker could send
malicious requests to a Subversion server (either Apache-based using
mod_dav_svn, or using the svnserve daemon) and perform arbitrary
execution of code.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-0397 to this issue. This update includes
packages with a patch for this issue.
---------------------------------------------------------------------
* Sat May 15 2004 Joe Orton <jorton(a)redhat.com> 1.0.2-2.1
- add security fix for CVE CAN-2004-0397 (Ben Reser)
* Tue May 04 2004 Joe Orton <jorton(a)redhat.com> 1.0.2-2
- add perl MODULE_COMPAT requirement for -perl subpackage
- move perl man pages into -perl subpackage
- clean up -perl installation and dependencies (Ville Skyttä, #123045)
---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/
92cc070981eae85dc2220126a7cbd9d0 SRPMS/subversion-1.0.2-2.1.src.rpm
2ff7ecbf8f8c10b6ab761c3cbc913bf2 i386/subversion-1.0.2-2.1.i386.rpm
a9e16d37859ee2168af5d2f0e53560a5 i386/subversion-devel-1.0.2-2.1.i386.rpm
6bd4b498f5c13bf4d2b2ad6668c86008 i386/mod_dav_svn-1.0.2-2.1.i386.rpm
bfbbc9af5bbc287f74260bacb3bd3126 i386/subversion-perl-1.0.2-2.1.i386.rpm
8d4671361745f71e67310007ef8c6449 i386/debug/subversion-debuginfo-1.0.2-2.1.i386.rpm
ca4fddfff4fff8a5496e29f3c314d32f x86_64/subversion-1.0.2-2.1.x86_64.rpm
0af6c873bcffd22fb0e1e4d60bcf1813 x86_64/subversion-devel-1.0.2-2.1.x86_64.rpm
9f8cef2892d8929b76f61562850e0648 x86_64/mod_dav_svn-1.0.2-2.1.x86_64.rpm
3e0bdc13b5fcd141416ec102b8608ac7 x86_64/subversion-perl-1.0.2-2.1.x86_64.rpm
f7d2a0c88fcaeba74ef0bc9c9cb97dc9 x86_64/debug/subversion-debuginfo-1.0.2-2.1.x86_64.rpm
This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.
---------------------------------------------------------------------
---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2004-127
2004-05-19
---------------------------------------------------------------------
Product : Fedora Core 1
Name : subversion
Version : 0.32.1
Release : 2
Summary : A Concurrent Versioning system similar to, but better than, CVS.
Description :
Subversion is a concurrent version control system which enables one
or more users to collaborate in developing and maintaining a
hierarchy of files and directories while keeping a history of all
changes. Subversion only stores the differences between versions,
instead of every complete file. Subversion is intended to be a
compelling replacement for CVS.
---------------------------------------------------------------------
Update Information:
Stefan Esser discovered an issue in the date parsing routines in
Subversion which allows a buffer overflow. An attacker could send
malicious requests to a Subversion server (either Apache-based using
mod_dav_svn, or using the svnserve daemon) and perform arbitrary
execution of code.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-0397 to this issue. This update includes
packages with a patch for this issue.
---------------------------------------------------------------------
* Wed May 12 2004 Joe Orton <jorton(a)redhat.com> 0.32.1-2
- add security fix for CVE CAN-2004-0397 (Ben Reser)
---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/
21f86e755d58ec2ca68c2dc338e26743 SRPMS/subversion-0.32.1-2.src.rpm
e844f7f47bdae053bfe94d4b0fd2ee16 i386/subversion-0.32.1-2.i386.rpm
18413a741fb6a6ffac48b3765bb0dd6d i386/subversion-devel-0.32.1-2.i386.rpm
8565cf933e01213c9cfd741e66fb49d9 i386/mod_dav_svn-0.32.1-2.i386.rpm
04be62fe37bf0a0af958f4dba83dc717 i386/debug/subversion-debuginfo-0.32.1-2.i386.rpm
fc9cec597b0ac29f8af2311059c0325a x86_64/subversion-0.32.1-2.x86_64.rpm
69617e64446f47824698ffd94cb3f01b x86_64/subversion-devel-0.32.1-2.x86_64.rpm
903b1f372340c0099ee7876175b3dc23 x86_64/mod_dav_svn-0.32.1-2.x86_64.rpm
0f4755e17c255b54dfdd9c9982d52910 x86_64/debug/subversion-debuginfo-0.32.1-2.x86_64.rpm
This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.
---------------------------------------------------------------------
---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2004-130
2004-05-19
---------------------------------------------------------------------
Product : Fedora Core 2
Name : neon
Version : 0.24.5
Release : 2.2
Summary : An HTTP and WebDAV client library
Description :
neon is an HTTP and WebDAV client library, with a C interface;
providing a high-level interface to HTTP and WebDAV methods along
with a low-level interface for HTTP request handling. neon
supports persistent connections, proxy servers, basic, digest and
Kerberos authentication, and has complete SSL support.
---------------------------------------------------------------------
Update Information:
Stefan Esser discovered a flaw in the neon library which allows a heap
buffer overflow in a date parsing routine. An attacker could create a
malicious WebDAV server in such a way as to allow arbitrary code
execution on the client should a user connect to it using a neon-based
application which uses the date parsing routines, such as cadaver.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-0398 to this issue. This update includes
packages with a patch for this issue.
---------------------------------------------------------------------
* Sun May 16 2004 Joe Orton <jorton(a)redhat.com> 0.24.5-2.2
- rebuild for FC2 update
* Sun May 16 2004 Joe Orton <jorton(a)redhat.com> 0.24.5-2.1
- add security fix for CVE CAN-2004-0398
---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/
435cce4188891f20707b16615c893413 SRPMS/neon-0.24.5-2.2.src.rpm
6dece9ed94cbf68834f7d84b6868f4d9 i386/neon-0.24.5-2.2.i386.rpm
d307e0e58a179d12b1c40c840279d6c9 i386/neon-devel-0.24.5-2.2.i386.rpm
4d4b66a4a49c82ed57ce4c00a2b0cebc i386/debug/neon-debuginfo-0.24.5-2.2.i386.rpm
ab0fb62241d6373f83081580d144cfee x86_64/neon-0.24.5-2.2.x86_64.rpm
ba481e85f740f718c10fc9e8ccc60f9f x86_64/neon-devel-0.24.5-2.2.x86_64.rpm
fcab8e5e26dccd7f1f904b0d1379198f x86_64/debug/neon-debuginfo-0.24.5-2.2.x86_64.rpm
This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.
---------------------------------------------------------------------
---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2004-129
2004-05-19
---------------------------------------------------------------------
Product : Fedora Core 1
Name : neon
Version : 0.24.5
Release : 2.1
Summary : An HTTP and WebDAV client library
Description :
neon is an HTTP and WebDAV client library, with a C interface;
providing a high-level interface to HTTP and WebDAV methods along
with a low-level interface for HTTP request handling. neon
supports persistent connections, proxy servers, basic, digest and
Kerberos authentication, and has complete SSL support.
---------------------------------------------------------------------
Update Information:
Stefan Esser discovered a flaw in the neon library which allows a heap
buffer overflow in a date parsing routine. An attacker could create a
malicious WebDAV server in such a way as to allow arbitrary code
execution on the client should a user connect to it using a neon-based
application which uses the date parsing routines, such as cadaver.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-0398 to this issue. This update includes
packages with a patch for this issue.
---------------------------------------------------------------------
* Sun May 16 2004 Joe Orton <jorton(a)redhat.com> 0.24.5-2.1
- add security fix for CVE CAN-2004-0398
---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/
71f0ddffbe8b5171b2fa2d93e55f8e35 SRPMS/neon-0.24.5-2.1.src.rpm
c215af0bae2c90672573090fee1ec706 i386/neon-0.24.5-2.1.i386.rpm
89c59069a0b48258b8b5f8cc66be5bf7 i386/neon-devel-0.24.5-2.1.i386.rpm
f7d813c7a96814072b097f15692771e9 i386/debug/neon-debuginfo-0.24.5-2.1.i386.rpm
841d910930f3def3f0202570b8c984a6 x86_64/neon-0.24.5-2.1.x86_64.rpm
92cc5ffa0588fe59bdd976308ea52971 x86_64/neon-devel-0.24.5-2.1.x86_64.rpm
03c24e6f0cd267e655a40127696a71b6 x86_64/debug/neon-debuginfo-0.24.5-2.1.x86_64.rpm
This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.
---------------------------------------------------------------------
---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2004-131
2004-05-19
---------------------------------------------------------------------
Product : Fedora Core 2
Name : cvs
Version : 1.11.15
Release : 6
Summary : A version control system.
Description :
CVS (Concurrent Version System) is a version control system that can
record the history of your files (usually, but not always, source
code). CVS only stores the differences between versions, instead of
every version of every file you have ever created. CVS also keeps a log
of who, when, and why changes occurred.
CVS is very helpful for managing releases and controlling the
concurrent editing of source files among multiple authors. Instead of
providing version control for a collection of files in a single
directory, CVS provides version control for a hierarchical collection
of directories consisting of revision controlled files. These
directories and files can then be combined together to form a software
release.
---------------------------------------------------------------------
Update Information:
Stefan Esser discovered a flaw in cvs where malformed "Entry" lines
could cause a heap overflow. An attacker who has access to a CVS
server could use this flaw to execute arbitrary code under the UID
which the CVS server is executing. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2004-0396
to this issue.
This update includes a patch by Derek Price, based on a patch by
Stefan Esser, which corrects this flaw.
---------------------------------------------------------------------
* Tue May 18 2004 Nalin Dahyabhai <nalin(a)redhat.com> 1.11.15-6
- rebuild
* Thu May 13 2004 Nalin Dahyabhai <nalin(a)redhat.com> 1.11.15-5
- use revised version of Stefan Esser's patch provided by Derek Robert Price
* Mon May 03 2004 Nalin Dahyabhai <nalin(a)redhat.com> 1.11.15-4
- rebuild
* Mon May 03 2004 Nalin Dahyabhai <nalin(a)redhat.com> 1.11.15-3
- add patch from Stefan Esser to close CAN-2004-0396
---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/
e4e908430953b43fcd8543b4cf3ba123 SRPMS/cvs-1.11.15-6.src.rpm
a05f5a97fa3e6b9a51eba6f418b51092 i386/cvs-1.11.15-6.i386.rpm
8484fea6acfc241e351a16ad9199db47 i386/debug/cvs-debuginfo-1.11.15-6.i386.rpm
727d6b8fa0bd49ef2c9bbe4cf3205250 x86_64/cvs-1.11.15-6.x86_64.rpm
b7ad37eee7739318c78985d2b598f878 x86_64/debug/cvs-debuginfo-1.11.15-6.x86_64.rpm
This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.
---------------------------------------------------------------------
---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2004-126
2004-05-19
---------------------------------------------------------------------
Product : Fedora Core 1
Name : cvs
Version : 1.11.15
Release : 5
Summary : A version control system.
Description :
CVS (Concurrent Version System) is a version control system that can
record the history of your files (usually, but not always, source
code). CVS only stores the differences between versions, instead of
every version of every file you have ever created. CVS also keeps a log
of who, when, and why changes occurred.
CVS is very helpful for managing releases and controlling the
concurrent editing of source files among multiple authors. Instead of
providing version control for a collection of files in a single
directory, CVS provides version control for a hierarchical collection
of directories consisting of revision controlled files. These
directories and files can then be combined together to form a software
release.
---------------------------------------------------------------------
Update Information:
Stefan Esser discovered a flaw in cvs where malformed "Entry" lines
could cause a heap overflow. An attacker who has access to a CVS
server could use this flaw to execute arbitrary code under the UID
which the CVS server is executing. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2004-0396
to this issue.
This update includes a patch by Derek Price, based on a patch by
Stefan Esser, which corrects this flaw.
---------------------------------------------------------------------
* Thu May 13 2004 Nalin Dahyabhai <nalin(a)redhat.com> 1.11.15-5
- use revised version of Stefan Esser's patch provided by Derek Robert Price
* Mon May 03 2004 Nalin Dahyabhai <nalin(a)redhat.com> 1.11.15-4
- rebuild
* Mon May 03 2004 Nalin Dahyabhai <nalin(a)redhat.com> 1.11.15-3
- add patch from Stefan Esser to close CAN-2004-0396
---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/
6de72febc153af0e5e8b1670372c767e SRPMS/cvs-1.11.15-5.src.rpm
0e70cb1a6940f6b2b7b71b64ada84e0a i386/cvs-1.11.15-5.i386.rpm
e7bb5244e9e067b6cc22b2f408ada206 i386/debug/cvs-debuginfo-1.11.15-5.i386.rpm
6dc5672173170e2a3b1a89a8f928364e x86_64/cvs-1.11.15-5.x86_64.rpm
e9ae30cfbc082e6e7f1a0ad8e0d0a37f x86_64/debug/cvs-debuginfo-1.11.15-5.x86_64.rpm
This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.
---------------------------------------------------------------------