Fedora Core Advisories: mailman, neon, cvs, kdelibs

May 19, 2004, 17:28 (0 Talkback[s])

Fedora Update Notification
FEDORA-2004-060
2004-02-26

Name : mailman
Version : 2.1.4
Release : 1
Summary : Mailing list manager with built-in Web access.

Description :
Mailman is software to help manage email discussion lists, much like Majordomo and Smartmail. Unlike most similar products, Mailman gives each mailing list a webpage, and allows users to subscribe, unsubscribe, etc. over the Web. Even the list manager can administer his or her list entirely from the Web. Mailman also integrates most things people want to do with mailing lists, including archiving, mail <-> news gateways, and so on.

Documentation can be found in: /usr/share/doc/mailman-2.1.4

When the package has finished installing, you will need to perform some additional installation steps; these are described in: /usr/share/doc/mailman-2.1.4/INSTALL.REDHAT


Update Information:

A cross-site scripting (XSS) vulnerability exists in the admin CGI script for Mailman before 2.1.4. This update moves Mailman to version 2.1.4 which is not vulnerable to this issue.

Updated packages were made available in February 2004; however, the original update notification email did not reach fedora-announce-list at that time.



This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/


This update can also be installed with the Update Agent; you can launch the Update Agent with the 'up2date' command.



Fedora Update Notification
FEDORA-2004-103
2004-04-14

Name : neon
Version : 0.24.5
Release : 1
Summary : An HTTP and WebDAV client library

Description :
neon is an HTTP and WebDAV client library, with a C interface; providing a high-level interface to HTTP and WebDAV methods along with a low-level interface for HTTP request handling. neon supports persistent connections, proxy servers, basic, digest and Kerberos authentication, and has complete SSL support.


Update Information:

Multiple format string vulnerabilities in neon 0.24.4 and earlier allow remote malicious WebDAV servers to execute arbitrary code.

Updated packages were made available in April 2004; however, the original update notification email did not reach fedora-announce-list at that time.


  • Wed Apr 14 2004 Joe Orton <jorton@redhat.com> 0.24.5-1
    • update to 0.24.5 for CAN-2004-0179 fix
  • Thu Mar 25 2004 Joe Orton <jorton@redhat.com> 0.24.4-4
    • implement the Negotiate auth scheme, and only over SSL
  • Tue Mar 02 2004 Elliot Lee <sopwith@redhat.com>
    • rebuilt
  • Wed Feb 25 2004 Joe Orton <jorton@redhat.com> 0.24.4-3
    • use BuildRequires not BuildPrereq, drop autoconf, libtool; -devel requires {openssl,zlib}-devel (#116744)
  • Fri Feb 13 2004 Elliot Lee <sopwith@redhat.com> 0.24.4-2
    • rebuilt
  • Mon Feb 09 2004 Joe Orton <jorton@redhat.com> 0.24.4-1
    • update to 0.24.4

This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/


This update can also be installed with the Update Agent; you can launch the Update Agent with the 'up2date' command.



Fedora Update Notification
FEDORA-2004-110
2004-04-22

Name : cvs
Version : 1.11.15
Release : 1
Summary : A version control system.

Description :
CVS (Concurrent Version System) is a version control system that can record the history of your files (usually, but not always, source code). CVS only stores the differences between versions, instead of every version of every file you have ever created. CVS also keeps a log of who, when, and why changes occurred.

CVS is very helpful for managing releases and controlling the concurrent editing of source files among multiple authors. Instead of providing version control for a collection of files in a single directory, CVS provides version control for a hierarchical collection of directories consisting of revision controlled files. These directories and files can then be combined together to form a software release.


Update Information:

The CVS client before 1.11.15 allows a malicious remote CVS server to create arbitrary files on the client system, via RCS diff files that use absolute pathnames during checkouts or updates.

Updated packages were made available in April 2004; however, the original update notification email did not reach fedora-announce-list at that time.
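The check a client can apply to every server-supplied file name before writing it, as an added C example that is not CVS's own code (`checkout_path_is_safe` is a hypothetical name, POSIX path syntax is assumed, and the sample names are constructed):

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example (not CVS code): decide whether a file name received from a
 * remote server may be written relative to the local checkout directory.
 * POSIX paths are assumed. The name is rejected if it is empty, absolute,
 * contains a ".." component, or has an empty component ("//" or a trailing
 * "/"), since any of these lets the server steer the write elsewhere. */
bool checkout_path_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0' || name[0] == '/')
        return false;
    for (const char *p = name;;) {
        const char *slash = strchr(p, '/');
        size_t len = slash ? (size_t)(slash - p) : strlen(p);
        if (len == 0)                                  /* "//" or trailing "/" */
            return false;
        if (len == 2 && p[0] == '.' && p[1] == '.')    /* parent directory */
            return false;
        if (slash == NULL)
            return true;
        p = slash + 1;
    }
}

int main(void)
{
    /* constructed sample names, as a server might send them during an update */
    const char *samples[] = {
        "src/main.c", "/tmp/absolute.txt", "../../.profile",
        "docs/../README", "a//b", "dir/",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s %s\n", samples[i],
               checkout_path_is_safe(samples[i]) ? "accept" : "reject");
    return 0;
}
```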


  • Wed Apr 21 2004 Nalin Dahyabhai <nalin@redhat.com> 1.11.15-1
    • update to 1.11.15, fixing CAN-2004-0180 (#120969)
  • Tue Mar 23 2004 Nalin Dahyabhai <nalin@redhat.com> 1.11.14-1
    • update to 1.11.14
  • Fri Feb 13 2004 Elliot Lee <sopwith@redhat.com>
    • rebuilt
  • Wed Jan 07 2004 Nalin Dahyabhai <nalin@redhat.com> 1.11.11-1
    • turn kserver, which people shouldn't use any more, back on
  • Tue Dec 30 2003 Nalin Dahyabhai <nalin@redhat.com>
    • update to 1.11.11
  • Thu Dec 18 2003 Nalin Dahyabhai <nalin@redhat.com> 1.11.10-1
    • update to 1.11.10

This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/


This update can also be installed with the Update Agent; you can launch the Update Agent with the 'up2date' command.



Fedora Update Notification
FEDORA-2004-121
2004-05-17

Name : kdelibs
Version : 3.1.4
Release : 5
Summary : K Desktop Environment - Libraries

Description :
Libraries for the K Desktop Environment: KDE Libraries included: kdecore (KDE core library), kdeui (user interface), kfm (file manager), khtmlw (HTML widget), kio (Input/Output, networking), kspell (spelling checker), jscript (javascript), kab (addressbook), kimgio (image manipulation).


Update Information:

iDEFENSE identified a vulnerability in the Opera Web Browser that could allow remote attackers to create or truncate arbitrary files. The KDE team has found that a similar vulnerability exists in KDE.

A flaw in the telnet URL handler can allow options to be passed to the telnet program, which can be used to create or overwrite files. An attacker could create a carefully crafted link such that, when opened by a victim, it creates or overwrites a file in the victim's home directory. The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name CAN-2004-0411 to this issue.
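One way a URL handler can keep URL-derived values from being interpreted as options by the program it launches, as an added C example that is not KDE's code (`parse_telnet_url` and `telnet_url_is_safe` are hypothetical names; it assumes hostname syntax limited to letters, digits, '.' and '-', and telnet's default port 23):

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Added example (not KDE code): validate the host and port taken from a
 * "telnet://host[:port]" URL before they become arguments to the telnet
 * binary. A host may not start with '-', so it can never be read as an
 * option; userinfo, paths, spaces and metacharacters fail the charset check. */
bool parse_telnet_url(const char *url, char *host, size_t hostsz,
                      char *port, size_t portsz)
{
    static const char prefix[] = "telnet://";
    if (strncmp(url, prefix, sizeof prefix - 1) != 0)
        return false;
    const char *rest = url + sizeof prefix - 1;
    size_t restlen = strcspn(rest, "/?#");        /* authority ends here */
    const char *colon = memchr(rest, ':', restlen);
    size_t hlen = colon ? (size_t)(colon - rest) : restlen;
    const char *pstr = colon ? colon + 1 : "23";  /* default telnet port */
    size_t plen = colon ? restlen - hlen - 1 : 2;

    /* host: 1..253 hostname characters, never beginning with '-' */
    if (hlen == 0 || hlen > 253 || rest[0] == '-')
        return false;
    for (size_t i = 0; i < hlen; i++)
        if (!isalnum((unsigned char)rest[i]) && rest[i] != '.' && rest[i] != '-')
            return false;
    /* port: 1..5 decimal digits, value 1..65535 */
    long value = 0;
    if (plen == 0 || plen > 5)
        return false;
    for (size_t i = 0; i < plen; i++) {
        if (!isdigit((unsigned char)pstr[i]))
            return false;
        value = value * 10 + (pstr[i] - '0');
    }
    if (value < 1 || value > 65535 || hlen >= hostsz || plen >= portsz)
        return false;
    memcpy(host, rest, hlen); host[hlen] = '\0';
    memcpy(port, pstr, plen); port[plen] = '\0';
    return true;
}

/* Yes/no wrapper for callers that only decide whether to launch at all. */
bool telnet_url_is_safe(const char *url)
{
    char host[254], port[6];
    return parse_telnet_url(url, host, sizeof host, port, sizeof port);
}
```

Only the validated `host` and `port` strings should reach the child's argument list; anything the URL carried beyond the authority part is dropped rather than forwarded.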


  • Sun May 16 2004 Than Ngo <than@redhat.com> 6:3.1.4-5
    • KDE Telnet URI Handler File Vulnerability, vulnerability in the mailto handler, CAN-2004-0411

This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/


This update can also be installed with the Update Agent; you can launch the Update Agent with the 'up2date' command.