security February 2007

security@lists.fedoraproject.org

7 participants
37 discussions

[Bug 229990] New: CVE-2007-1030: libevent < 1.3 DoS
by Red Hat Bugzilla 04 Apr '08

04 Apr '08

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=229990 Summary: CVE-2007-1030: libevent < 1.3 DoS Product: Fedora Extras Version: devel Platform: All OS/Version: Linux Status: NEW Severity: medium Priority: normal Component: libevent AssignedTo: redhat-bugzilla(a)camperquake.de ReportedBy: ville.skytta(a)iki.fi QAContact: extras-qa(a)fedoraproject.org CC: fedora-security-list@redhat.com,steved@redhat.com http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1030 "Niels Provos libevent 1.2 and 1.2a allows remote attackers to cause a denial of service (infinite loop) via a DNS response containing a label pointer that references its own offset." FE5 and FC6 are at 1.1a, not clear if those versions are affected. Rawhide was updated to 1.2a a few days ago, however (unlike the changelog says) the latest upstream is 1.3a, not 1.2a. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

1 7

[Bug 221694] New: CVE-2007-0095: phpMyAdmin <= 2.9.1.1 information disclosure
by Red Hat Bugzilla 10 Dec '07

10 Dec '07

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=221694 Summary: CVE-2007-0095: phpMyAdmin <= 2.9.1.1 information disclosure Product: Fedora Extras Version: fc6 Platform: All OS/Version: Linux Status: NEW Severity: low Priority: normal Component: phpMyAdmin AssignedTo: imlinux(a)gmail.com ReportedBy: ville.skytta(a)iki.fi QAContact: extras-qa(a)fedoraproject.org CC: fedora-security-list(a)redhat.com,redhat- bugzilla(a)linuxnetz.de http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0095 "phpMyAdmin 2.9.1.1 allows remote attackers to obtain sensitive information via a direct request for themes/darkblue_orange/layout.inc.php, which reveals the path in an error message." FC5+ apparently affected, even though I'm not sure if this is an issue at all. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

1 13

[Bug 192830] New: CVE-2006-2453 Additional dia format string flaws
by Red Hat Bugzilla 30 Aug '07

30 Aug '07

1 13

[Bug 215136] New: CVE-2006-5864: gv <= 3.6.2 stack-based buffer overflow
by Red Hat Bugzilla 30 Aug '07

30 Aug '07

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=215136 Summary: CVE-2006-5864: gv <= 3.6.2 stack-based buffer overflow Product: Fedora Extras Version: fc6 Platform: All URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-5864 OS/Version: Linux Status: NEW Severity: normal Priority: normal Component: gv AssignedTo: orion(a)cora.nwra.com ReportedBy: ville.skytta(a)iki.fi QAContact: extras-qa(a)fedoraproject.org CC: extras-qa(a)fedoraproject.org,fedora-security- list(a)redhat.com http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-5864 "Stack-based buffer overflow in the ps_gettext function in ps.c for GNU gv 3.6.2, and possibly earlier versions, allows user-assisted attackers to execute arbitrary code via a PostScript (PS) file with certain headers that contain long comments, as demonstrated using the DocumentMedia header." -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

1 5

[Bug 228764] New: CVE-2007-0901, CVE-2007-0902: moin 1.5.7 XSS, information disclosure
by Red Hat Bugzilla 07 May '07

07 May '07

1 3

[Bug 229253] New: CVE-2007-0981: seamonkey cookie setting / same-domain bypass vulnerability
by Red Hat Bugzilla 17 Apr '07

17 Apr '07

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=229253 Summary: CVE-2007-0981: seamonkey cookie setting / same-domain bypass vulnerability Product: Fedora Extras Version: fc6 Platform: All OS/Version: Linux Status: NEW Severity: medium Priority: normal Component: seamonkey AssignedTo: kengert(a)redhat.com ReportedBy: ville.skytta(a)iki.fi QAContact: extras-qa(a)fedoraproject.org CC: fedora-security-list(a)redhat.com http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0981 "Mozilla based browsers allows remote attackers to bypass the same origin policy, steal cookies, and conduct other attacks by writing a URI with a null byte to the hostname (location.hostname) DOM property, due to interactions with DNS resolver code." Seamonkey seems vulnerable. See also https://bugzilla.mozilla.org/show_bug.cgi?id=370445 -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

3 3

[Bug 220041] New: CVE-2006-6625, CVE-2006-6626: moodle XSS vulnerabilities
by Red Hat Bugzilla 15 Apr '07

15 Apr '07

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=220041 Summary: CVE-2006-6625, CVE-2006-6626: moodle XSS vulnerabilities Product: Fedora Extras Version: fc6 Platform: All OS/Version: Linux Status: NEW Severity: normal Priority: normal Component: moodle AssignedTo: imlinux(a)gmail.com ReportedBy: ville.skytta(a)iki.fi QAContact: extras-qa(a)fedoraproject.org CC: extras-qa(a)fedoraproject.org,fedora-security- list(a)redhat.com http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6625 Reported against 1.6.1 but an upstream patch which I suppose fixes this is not applied in 1.6.3: http://moodle.cvs.sourceforge.net/moodle/moodle/mod/forum/discuss.php?r1=1.… http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6626 Reported against 1.5, too little information available at the moment to say whether this is an issue with 1.6.3. All FC4+ distro releases are equally affected (or not). -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

1 3

[Bug 209167] New: seamonkey < 1.0.5 multiple vulnerabilities
by Red Hat Bugzilla 10 Apr '07

10 Apr '07

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=209167 Summary: seamonkey < 1.0.5 multiple vulnerabilities Product: Fedora Extras Version: fc4 Platform: All OS/Version: Linux Status: NEW Severity: normal Priority: normal Component: seamonkey AssignedTo: kengert(a)redhat.com ReportedBy: ville.skytta(a)iki.fi QAContact: extras-qa(a)fedoraproject.org CC: extras-qa(a)fedoraproject.org,fedora-security- list(a)redhat.com seamonkey 1.0.4 in FE4 is probably affected by CVE-2006-4253, CVE-2006-4340, CVE-2006-4565, CVE-2006-4566, CVE-2006-4568, CVE-2006-4570 and CVE-2006-4571. According to upstream, these are fixed in 1.0.5 (FE5+) -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

1 13

[Bug 228763] New: CVE-2007-0894: mediawiki full path disclosure
by Red Hat Bugzilla 26 Mar '07

26 Mar '07

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=228763 Summary: CVE-2007-0894: mediawiki full path disclosure Product: Fedora Extras Version: fc6 Platform: All OS/Version: Linux Status: NEW Severity: medium Priority: normal Component: mediawiki AssignedTo: Axel.Thimm(a)ATrpms.net ReportedBy: ville.skytta(a)iki.fi QAContact: extras-qa(a)fedoraproject.org CC: fedora-security- list@redhat.com,fedora@theholbrooks.org,roozbeh@farsiweb .info http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0894 "MediaWiki before 1.9.2 allows remote attackers to obtain sensitive information via a direct request to (1) Simple.deps.php, (2) MonoBook.deps.php, (3) MySkin.deps.php, or (4) Chick.deps.php in wiki/skins, which shows the installation path in the resulting error message." 1.8.3 (current FE6) in the CVE entry is not listed as vulnerable, don't know if the omission is intentional. And whether installation path disclosure is an issue with Fedora packages can also be debated, reporting here just in case there's more to it. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

1 3

[Bug 228758] New: CVE-2007-0770: GraphicsMagick buffer overflow
by Red Hat Bugzilla 07 Mar '07

07 Mar '07

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=228758 Summary: CVE-2007-0770: GraphicsMagick buffer overflow Product: Fedora Extras Version: fc6 Platform: All OS/Version: Linux Status: NEW Severity: medium Priority: normal Component: GraphicsMagick AssignedTo: andreas(a)bawue.net ReportedBy: ville.skytta(a)iki.fi QAContact: extras-qa(a)fedoraproject.org CC: fedora-security-list(a)redhat.com http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0770 "Buffer overflow in GraphicsMagick and ImageMagick allows user-assisted remote attackers to cause a denial of service and possibly execute arbitrary code via a PALM image that is not properly handled by the ReadPALMImage function in coders/palm.c. NOTE: this issue is due to an incomplete patch for CVE-2006-5456." CVE-2006-5456 says that it is an issue with < 1.1.7, but the discussion in bug 210921 refers to a post-1.1.7 GraphicsMagick, so whether this affects the FE GraphicsMagick package should be investigated. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

1 1

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

security February 2007