Fedora Core Advisories: mailman, neon, cvs, kdelibs


Fedora Update Notification
FEDORA-2004-060
2004-02-26


Name : mailman
Version : 2.1.4
Release : 1
Summary : Mailing list manager with built-in Web access.

Description :
Mailman is software to help manage email discussion lists, much
like Majordomo and Smartmail. Unlike most similar products, Mailman
gives each mailing list a webpage, and allows users to subscribe,
unsubscribe, etc. over the Web. Even the list manager can
administer his or her list entirely from the Web. Mailman also
integrates most things people want to do with mailing lists,
including archiving, mail <-> news gateways, and so on.

Documentation can be found in: /usr/share/doc/mailman-2.1.4

When the package has finished installing, you will need to
perform some additional installation steps, these are described in:
/usr/share/doc/mailman-2.1.4/INSTALL.REDHAT


Update Information:

A cross-site scripting (XSS) vulnerability exists in the admin
CGI script for Mailman before 2.1.4. This update moves Mailman to
version 2.1.4 which is not vulnerable to this issue.

Updated packages were made available in February 2004; however,
the original update notification email did not make it to
fedora-announce-list at that time.



This update can be downloaded from:

http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/


This update can also be installed with the Update Agent; you can
launch the Update Agent with the ‘up2date’ command.



Fedora Update Notification
FEDORA-2004-103
2004-04-14


Name : neon
Version : 0.24.5
Release : 1
Summary : An HTTP and WebDAV client library

Description :
neon is an HTTP and WebDAV client library, with a C interface;
providing a high-level interface to HTTP and WebDAV methods along
with a low-level interface for HTTP request handling. neon supports
persistent connections, proxy servers, basic, digest and Kerberos
authentication, and has complete SSL support.


Update Information:

Multiple format string vulnerabilities in neon 0.24.4 and
earlier allow remote malicious WebDAV servers to execute arbitrary
code.

Updated packages were made available in April 2004; however, the
original update notification email did not make it to
fedora-announce-list at that time.


  • Wed Apr 14 2004 Joe Orton <jorton@redhat.com> 0.24.5-1
    • update to 0.24.5 for CAN-2004-0179 fix
  • Thu Mar 25 2004 Joe Orton <jorton@redhat.com> 0.24.4-4
    • implement the Negotiate auth scheme, and only over SSL
  • Tue Mar 02 2004 Elliot Lee <sopwith@redhat.com>
    • rebuilt
  • Wed Feb 25 2004 Joe Orton <jorton@redhat.com> 0.24.4-3
    • use BuildRequires not BuildPrereq, drop autoconf, libtool;
      -devel requires {openssl,zlib}-devel (#116744)
  • Fri Feb 13 2004 Elliot Lee <sopwith@redhat.com> 0.24.4-2
    • rebuilt
  • Mon Feb 09 2004 Joe Orton <jorton@redhat.com> 0.24.4-1
    • update to 0.24.4

This update can be downloaded from:

http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/


This update can also be installed with the Update Agent; you can
launch the Update Agent with the ‘up2date’ command.



Fedora Update Notification
FEDORA-2004-110
2004-04-22


Name : cvs
Version : 1.11.15
Release : 1
Summary : A version control system.

Description :
CVS (Concurrent Version System) is a version control system that
can record the history of your files (usually, but not always,
source code). CVS only stores the differences between versions,
instead of every version of every file you have ever created. CVS
also keeps a log of who, when, and why changes occurred.

CVS is very helpful for managing releases and controlling the
concurrent editing of source files among multiple authors. Instead
of providing version control for a collection of files in a single
directory, CVS provides version control for a hierarchical
collection of directories consisting of revision controlled files.
These directories and files can then be combined together to form a
software release.


Update Information:

The client for CVS before 1.11.15 allows a remote malicious CVS
server to create arbitrary files using certain RCS diff files that
use absolute pathnames during checkouts or updates.

Updated packages were made available in April 2004; however, the
original update notification email did not make it to
fedora-announce-list at that time.
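
As an added example (not code from the CVS project), this C function shows the check a client should apply to every file name a server sends during a checkout or update: the name is accepted only as a relative path that stays inside the working directory, so a server-supplied absolute pathname of the kind described above is refused. The function name and the sample names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not CVS project code): the check a client should apply to
 * every file name a server sends during checkout or update. A name is only
 * accepted as a relative path that stays inside the working directory. */
int is_safe_checkout_path(const char *path)
{
    const char *p = path;

    if (path == NULL || *path == '\0')
        return 0;               /* empty name: nothing sensible to write */
    if (*path == '/')
        return 0;               /* absolute pathname, the case fixed in 1.11.15 */

    /* Walk the '/'-separated components one at a time. */
    for (;;) {
        const char *sep = strchr(p, '/');
        size_t len = sep ? (size_t)(sep - p) : strlen(p);

        if (len == 0)
            return 0;           /* "a//b" or trailing '/': not a plain file name */
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;           /* ".." component would escape the working dir */
        if (sep == NULL)
            return 1;           /* last component checked, name is acceptable */
        p = sep + 1;
    }
}

int main(void)
{
    /* Constructed sample names, as a misbehaving server might send them. */
    const char *names[] = { "src/main.c", "/etc/motd", "../outside.txt",
                            "lib/../../escape", "dir/" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-20s %s\n", names[i],
               is_safe_checkout_path(names[i]) ? "accept" : "reject");
    return 0;
}
```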


  • Wed Apr 21 2004 Nalin Dahyabhai <nalin@redhat.com> 1.11.15-1
    • update to 1.11.15, fixing CAN-2004-0180 (#120969)
  • Tue Mar 23 2004 Nalin Dahyabhai <nalin@redhat.com> 1.11.14-1
    • update to 1.11.14
  • Fri Feb 13 2004 Elliot Lee <sopwith@redhat.com>
    • rebuilt
  • Wed Jan 07 2004 Nalin Dahyabhai <nalin@redhat.com> 1.11.11-1
    • turn kserver, which people shouldn’t use any more, back on
  • Tue Dec 30 2003 Nalin Dahyabhai <nalin@redhat.com>
    • update to 1.11.11
  • Thu Dec 18 2003 Nalin Dahyabhai <nalin@redhat.com> 1.11.10-1
    • update to 1.11.10

This update can be downloaded from:

http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/


This update can also be installed with the Update Agent; you can
launch the Update Agent with the ‘up2date’ command.



Fedora Update Notification
FEDORA-2004-121
2004-05-17


Name : kdelibs
Version : 3.1.4
Release : 5
Summary : K Desktop Environment – Libraries

Description :
Libraries for the K Desktop Environment: KDE Libraries included:
kdecore (KDE core library), kdeui (user interface), kfm (file
manager), khtmlw (HTML widget), kio (Input/Output, networking),
kspell (spelling checker), jscript (javascript), kab (addressbook),
kimgio (image manipulation).


Update Information:

iDEFENSE identified a vulnerability in the Opera Web Browser
that could allow remote attackers to create or truncate arbitrary
files. The KDE team has found that a similar vulnerability exists
in KDE.

A flaw in the telnet URL handler can allow options to be passed
to the telnet program which can be used to allow file creation or
overwriting. An attacker could create a carefully crafted link such
that when opened by a victim it creates or overwrites a file in the
victim's home directory. The Common Vulnerabilities and Exposures
project (cve.mitre.org/) has
assigned the name CAN-2004-0411 to this issue.
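
As an added example (not KDE code), this C function shows one handler-side mitigation for the issue described above: the host taken from a telnet: URL is handed to the telnet program only when it cannot be read as a command-line option and contains nothing but host-name characters. The function name, the assumed URL shape telnet://host[:port][/], and the sample links are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example (not KDE code): validate the host part of a telnet: URL before
 * it is passed to the telnet program as an argument. Assumed URL shape:
 * telnet://host[:port][/]. Returns 1 and copies the host into out when it is
 * a plain host name or IP address, 0 otherwise. */
int telnet_url_host(const char *url, char *out, size_t outlen)
{
    const char *h;
    size_t n, i;

    if (url == NULL || strncmp(url, "telnet://", 9) != 0)
        return 0;
    h = url + 9;
    for (n = 0; h[n] != '\0' && h[n] != ':' && h[n] != '/'; n++)
        ;                                   /* host ends at ':', '/' or NUL */
    if (n == 0 || n >= outlen || h[0] == '-')
        return 0;                           /* empty, too long, or looks like an option (CAN-2004-0411) */
    for (i = 0; i < n; i++)                 /* only host-name characters */
        if (!isalnum((unsigned char)h[i]) && h[i] != '.' && h[i] != '-')
            return 0;
    if (h[n] == ':') {                      /* optional port: digits only */
        if (!isdigit((unsigned char)h[n + 1]))
            return 0;
        for (i = n + 1; isdigit((unsigned char)h[i]); i++)
            ;
        if (h[i] != '\0' && h[i] != '/')
            return 0;
    }
    memcpy(out, h, n);
    out[n] = '\0';
    return 1;
}

int main(void)
{
    /* Constructed sample links, including ones a handler must refuse. */
    const char *links[] = { "telnet://example.com/", "telnet://10.0.0.1:2323",
                            "telnet://-option", "telnet://host name" };
    char host[256];
    for (size_t k = 0; k < sizeof links / sizeof links[0]; k++)
        printf("%-26s %s\n", links[k],
               telnet_url_host(links[k], host, sizeof host) ? host : "rejected");
    return 0;
}
```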


  • Sun May 16 2004 Than Ngo <than@redhat.com> 6:3.1.4-5
    • KDE Telnet URI Handler File Vulnerability, vulnerability in the
      mailto handler, CAN-2004-0411

This update can be downloaded from:

http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/


This update can also be installed with the Update Agent; you can
launch the Update Agent with the ‘up2date’ command.

