Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=229990
Summary: CVE-2007-1030: libevent < 1.3 DoS
Product: Fedora Extras
Version: devel
Platform: All
OS/Version: Linux
Status: NEW
Severity: medium
Priority: normal
Component: libevent
AssignedTo: redhat-bugzilla(a)camperquake.de
ReportedBy: ville.skytta(a)iki.fi
QAContact: extras-qa(a)fedoraproject.org
CC: fedora-security-list@redhat.com,steved@redhat.com
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1030
"Niels Provos libevent 1.2 and 1.2a allows remote attackers to cause a denial of
service (infinite loop) via a DNS response containing a label pointer that
references its own offset."
FE5 and FC6 are at 1.1a, not clear if those versions are affected. Rawhide was
updated to 1.2a a few days ago, however (unlike the changelog says) the latest
upstream is 1.3a, not 1.2a.
--
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=221694
Summary: CVE-2007-0095: phpMyAdmin <= 2.9.1.1 information
disclosure
Product: Fedora Extras
Version: fc6
Platform: All
OS/Version: Linux
Status: NEW
Severity: low
Priority: normal
Component: phpMyAdmin
AssignedTo: imlinux(a)gmail.com
ReportedBy: ville.skytta(a)iki.fi
QAContact: extras-qa(a)fedoraproject.org
CC: fedora-security-list(a)redhat.com,redhat-
bugzilla(a)linuxnetz.de
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0095
"phpMyAdmin 2.9.1.1 allows remote attackers to obtain sensitive information via
a direct request for themes/darkblue_orange/layout.inc.php, which reveals the
path in an error message."
FC5+ apparently affected, even though I'm not sure if this is an issue at all.
--
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=192830
Summary: CVE-2006-2453 Additional dia format string flaws
Product: Fedora Extras
Version: fc5
Platform: All
OS/Version: Linux
Status: NEW
Severity: normal
Priority: normal
Component: dia
AssignedTo: j.w.r.degoede(a)hhs.nl
ReportedBy: bressers(a)redhat.com
QAContact: extras-qa(a)fedoraproject.org
CC: extras-qa(a)fedoraproject.org,fedora-security-
list(a)redhat.com
A number of additional format string issues were discovered by Hans de Goede and
has been assigned the CVE id CVE-2006-2453.
The fix is attachment 129852
--
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=215136
Summary: CVE-2006-5864: gv <= 3.6.2 stack-based buffer overflow
Product: Fedora Extras
Version: fc6
Platform: All
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-5864
OS/Version: Linux
Status: NEW
Severity: normal
Priority: normal
Component: gv
AssignedTo: orion(a)cora.nwra.com
ReportedBy: ville.skytta(a)iki.fi
QAContact: extras-qa(a)fedoraproject.org
CC: extras-qa(a)fedoraproject.org,fedora-security-
list(a)redhat.com
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-5864
"Stack-based buffer overflow in the ps_gettext function in ps.c for GNU gv
3.6.2, and possibly earlier versions, allows user-assisted attackers to execute
arbitrary code via a PostScript (PS) file with certain headers that contain long
comments, as demonstrated using the DocumentMedia header."
--
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=228764
Summary: CVE-2007-0901, CVE-2007-0902: moin 1.5.7 XSS,
information disclosure
Product: Fedora Extras
Version: fc6
Platform: All
OS/Version: Linux
Status: NEW
Severity: medium
Priority: normal
Component: moin
AssignedTo: matthias(a)rpmforge.net
ReportedBy: ville.skytta(a)iki.fi
QAContact: extras-qa(a)fedoraproject.org
CC: fedora-security-list(a)redhat.com
CVE's against moin 1.5.7, with little useful information available at the moment:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0901http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0902
--
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=229253
Summary: CVE-2007-0981: seamonkey cookie setting / same-domain
bypass vulnerability
Product: Fedora Extras
Version: fc6
Platform: All
OS/Version: Linux
Status: NEW
Severity: medium
Priority: normal
Component: seamonkey
AssignedTo: kengert(a)redhat.com
ReportedBy: ville.skytta(a)iki.fi
QAContact: extras-qa(a)fedoraproject.org
CC: fedora-security-list(a)redhat.com
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0981
"Mozilla based browsers allows remote attackers to bypass the same origin
policy, steal cookies, and conduct other attacks by writing a URI with a null
byte to the hostname (location.hostname) DOM property, due to interactions with
DNS resolver code."
Seamonkey seems vulnerable. See also
https://bugzilla.mozilla.org/show_bug.cgi?id=370445
--
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=220041
Summary: CVE-2006-6625, CVE-2006-6626: moodle XSS vulnerabilities
Product: Fedora Extras
Version: fc6
Platform: All
OS/Version: Linux
Status: NEW
Severity: normal
Priority: normal
Component: moodle
AssignedTo: imlinux(a)gmail.com
ReportedBy: ville.skytta(a)iki.fi
QAContact: extras-qa(a)fedoraproject.org
CC: extras-qa(a)fedoraproject.org,fedora-security-
list(a)redhat.com
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6625
Reported against 1.6.1 but an upstream patch which I suppose fixes this is not
applied in 1.6.3:
http://moodle.cvs.sourceforge.net/moodle/moodle/mod/forum/discuss.php?r1=1.…http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6626
Reported against 1.5, too little information available at the moment to say
whether this is an issue with 1.6.3.
All FC4+ distro releases are equally affected (or not).
--
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=209167
Summary: seamonkey < 1.0.5 multiple vulnerabilities
Product: Fedora Extras
Version: fc4
Platform: All
OS/Version: Linux
Status: NEW
Severity: normal
Priority: normal
Component: seamonkey
AssignedTo: kengert(a)redhat.com
ReportedBy: ville.skytta(a)iki.fi
QAContact: extras-qa(a)fedoraproject.org
CC: extras-qa(a)fedoraproject.org,fedora-security-
list(a)redhat.com
seamonkey 1.0.4 in FE4 is probably affected by CVE-2006-4253, CVE-2006-4340,
CVE-2006-4565, CVE-2006-4566, CVE-2006-4568, CVE-2006-4570 and CVE-2006-4571.
According to upstream, these are fixed in 1.0.5 (FE5+)
--
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=228763
Summary: CVE-2007-0894: mediawiki full path disclosure
Product: Fedora Extras
Version: fc6
Platform: All
OS/Version: Linux
Status: NEW
Severity: medium
Priority: normal
Component: mediawiki
AssignedTo: Axel.Thimm(a)ATrpms.net
ReportedBy: ville.skytta(a)iki.fi
QAContact: extras-qa(a)fedoraproject.org
CC: fedora-security-
list@redhat.com,fedora@theholbrooks.org,roozbeh@farsiweb
.info
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0894
"MediaWiki before 1.9.2 allows remote attackers to obtain sensitive information
via a direct request to (1) Simple.deps.php, (2) MonoBook.deps.php, (3)
MySkin.deps.php, or (4) Chick.deps.php in wiki/skins, which shows the
installation path in the resulting error message."
1.8.3 (current FE6) in the CVE entry is not listed as vulnerable, don't know if
the omission is intentional. And whether installation path disclosure is an
issue with Fedora packages can also be debated, reporting here just in case
there's more to it.
--
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=228758
Summary: CVE-2007-0770: GraphicsMagick buffer overflow
Product: Fedora Extras
Version: fc6
Platform: All
OS/Version: Linux
Status: NEW
Severity: medium
Priority: normal
Component: GraphicsMagick
AssignedTo: andreas(a)bawue.net
ReportedBy: ville.skytta(a)iki.fi
QAContact: extras-qa(a)fedoraproject.org
CC: fedora-security-list(a)redhat.com
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0770
"Buffer overflow in GraphicsMagick and ImageMagick allows user-assisted remote
attackers to cause a denial of service and possibly execute arbitrary code via a
PALM image that is not properly handled by the ReadPALMImage function in
coders/palm.c. NOTE: this issue is due to an incomplete patch for CVE-2006-5456."
CVE-2006-5456 says that it is an issue with < 1.1.7, but the discussion in bug
210921 refers to a post-1.1.7 GraphicsMagick, so whether this affects the FE
GraphicsMagick package should be investigated.
--
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.