
UNIRAS Brief - 634/05 - Fedora - Six Update Notifications



 
-----BEGIN PGP SIGNED MESSAGE-----

----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 634/05 dated 16.08.05  Time: 10:55
  UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
----------------------------------------------------------------------------------
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
----------------------------------------------------------------------------------

Title
=====

Fedora - Six Update Notifications:
     1.  Fedora Core 4 Update: xpdf-3.00-20.FC4.2     [FEDORA-2005-729]
     2.  Fedora Core 4 Update: evolution-2.2.3-2.fc4  [FEDORA-2005-743]
     3.  Fedora Core 3 Update: xpdf-3.00-10.6.FC3     [FEDORA-2005-730]
     4.  Fedora Core 3 Update: vim-6.3.086-0.fc3.1    [FEDORA-2005-741]
     5.  Fedora Core 3 Update: evolution-2.0.4-6      [FEDORA-2005-742]
     6.  Fedora Core 3 Update: kdeedu-3.4.2-0.fc3.2   [FEDORA-2005-745]


Detail
====== 

Update notification summaries:

     1.  A flaw was discovered in Xpdf in that an attacker could
         construct a carefully crafted PDF file that would cause
         Xpdf to consume all available disk space in /tmp when
         opened.

     2.  Fix for SITIC Vulnerability Advisory SA05-001

     3.  A flaw was discovered in Xpdf in that an attacker could
         construct a carefully crafted PDF file that would cause
         Xpdf to consume all available disk space in /tmp when
         opened.

     4.  This update is supposed to fix GTK2 dependency problems of
         the vim-6.3.086-0.fc3 package.

     5.  Fix for SITIC Vulnerability Advisory SA05-001

     6.  The KDE security team were notified about several tempfile 
         handling related vulnerabilities in langen2kvtml, a conversion 
         script for kvoctrain. The script must be manually invoked.


Update notification content follows:


1.


---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2005-729
2005-08-15
---------------------------------------------------------------------

Product     : Fedora Core 4
Name        : xpdf
Version     : 3.00                      
Release     : 20.FC4.2                  
Summary     : A PDF file viewer for the X Window System.
Description :
Xpdf is an X Window System based viewer for Portable Document Format
(PDF) files. Xpdf is a small and efficient program which uses
standard X fonts.

---------------------------------------------------------------------
Update Information:

A flaw was discovered in Xpdf in that an attacker could
construct a carefully crafted PDF file that would cause
Xpdf to consume all available disk space in /tmp when
opened. The Common Vulnerabilities and Exposures project
assigned the name CAN-2005-2097 to this issue.

Users of xpdf should upgrade to this updated package, which
contains a patch to resolve this issue.
---------------------------------------------------------------------
* Wed Jul 27 2005 Than Ngo <than@xxxxxxxxxx> 1:3.00-20.FC4.2
- better patch to fix CAN-2005-2097, #163918
- fix build problem with gcc4

* Tue Jul 26 2005 Than Ngo <than@xxxxxxxxxx> 3.00-20.FC4.1
- backport patch to fix xpdf DoS, CAN-2005-2097, #163918
- fix xpdf crash #163807


---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/4/


This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.
---------------------------------------------------------------------




2.


---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2005-743
2005-08-11
---------------------------------------------------------------------

Product     : Fedora Core 4
Name        : evolution
Version     : 2.2.3                      
Release     : 2.fc4                  
Summary     : GNOME's next-generation groupware suite
Description :
Evolution is the GNOME collection of personal information management
(PIM) tools.

Evolution includes a mailer, calendar, contact manager and
communication facility.  The tools which make up Evolution will be
tightly integrated with one another and act as a seamless personal
information-management tool.

---------------------------------------------------------------------
Update Information:

Fix for SITIC Vulnerability Advisory SA05-001
---------------------------------------------------------------------
* Wed Aug 10 2005 David Malcolm <dmalcolm@xxxxxxxxxx> - 2.2.3-2.fc4
- Fix format string issues (Sitic SA05-001)

* Wed Jun 29 2005 David Malcolm <dmalcolm@xxxxxxxxxx> - 2.2.3-1.fc4
- 2.2.3
- Moved .conduit files to libdir/gnome-pilot/conduits, rather than beneath
  datadir, to match gnome-pilot (patch 802)
- Remove GNOME_COMPILE_WARNINGS from configure.in (since gnome-common might not
  be available when we rerun the autotools; patch 803)

* Mon Jun 27 2005 David Malcolm <dmalcolm@xxxxxxxxxx> - 2.2.2-8.fc4
- Replaced patch to port conduits to pilot-link-0.12 with Mark G Adams's version
  of same (#161817)
- Added Mark G Adams's memory leak fix (patch 801)

* Thu May 26 2005 David Malcolm <dmalcolm@xxxxxxxxxx> - 2.2.2-7
- Added Akira Tagoh's patch for calendar keypress handling (#154360)

* Mon May 23 2005 David Malcolm <dmalcolm@xxxxxxxxxx> - 2.2.2-6
- Remove static versions of libraries


---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/4/


This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.
---------------------------------------------------------------------




3.


---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2005-730
2005-08-15
---------------------------------------------------------------------

Product     : Fedora Core 3
Name        : xpdf
Version     : 3.00                      
Release     : 10.6.FC3                  
Summary     : A PDF file viewer for the X Window System.
Description :
Xpdf is an X Window System based viewer for Portable Document Format
(PDF) files. Xpdf is a small and efficient program which uses
standard X fonts.

---------------------------------------------------------------------
Update Information:

A flaw was discovered in Xpdf in that an attacker could
construct a carefully crafted PDF file that would cause Xpdf
to consume all available disk space in /tmp when opened. The
Common Vulnerabilities and Exposures project assigned the name
CAN-2005-2097 to this issue.

Users of xpdf should upgrade to this updated package, which
contains a backported patch to resolve this issue.
---------------------------------------------------------------------
* Wed Jul 27 2005 Than Ngo <than@xxxxxxxxxx> 1:3.00-10.6.FC3
- better patch to fix CAN-2005-2097, #163918

* Tue Jul 26 2005 Than Ngo <than@xxxxxxxxxx> 1:3.00-10.5.FC3
- backport patch to fix xpdf DoS, CAN-2005-2097, #163918
- fix xpdf crash #163807


---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/


This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.
---------------------------------------------------------------------




4.


---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2005-741
2005-08-15
---------------------------------------------------------------------

Product     : Fedora Core 3
Name        : vim
Version     : 6.3.086                      
Release     : 0.fc3.1                  
Summary     : The VIM editor.
Description :
VIM (VIsual editor iMproved) is an updated and improved version of the
vi editor.  Vi was the first real screen-based editor for UNIX, and is
still very popular.  VIM improves on vi by adding new features:
multiple windows, multi-level undo, block highlighting and more.

---------------------------------------------------------------------
Update Information:

CAN-2005-2368

This update is supposed to fix GTK2 dependency problems of
the vim-6.3.086-0.fc3 package.
---------------------------------------------------------------------

---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/


This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.
---------------------------------------------------------------------




5.


---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2005-742
2005-08-11
---------------------------------------------------------------------

Product     : Fedora Core 3
Name        : evolution
Version     : 2.0.4                      
Release     : 6                  
Summary     : GNOME's next-generation groupware suite
Description :
Evolution is the GNOME collection of personal information management
(PIM) tools.

Evolution includes a mailer, calendar, contact manager and
communication facility.  The tools which make up Evolution will be
tightly integrated with one another and act as a seamless personal
information-management tool.

---------------------------------------------------------------------
Update Information:

Fix for SITIC Vulnerability Advisory SA05-001
---------------------------------------------------------------------
* Wed Aug 10 2005 David Malcolm <dmalcolm@xxxxxxxxxx> - 2.0.4-6
- Fix format string issues (Sitic SA05-001)

* Wed May 18 2005 David Malcolm <dmalcolm@xxxxxxxxxx> - 2.0.4-5
- Backport fix to use gnome-vfs API to launch external applications (#157767)
- Removed explicit mozilla_build_version; instead use pkg-config to determine
  the path to the NSS/NSPR headers.


---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/


This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.
---------------------------------------------------------------------




6.


---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2005-745
2005-08-15
---------------------------------------------------------------------

Product     : Fedora Core 3
Name        : kdeedu
Version     : 3.4.2                      
Release     : 0.fc3.2                  
Summary     : Educational/Edutainment applications for KDE
Description :
Educational/Edutainment applications for KDE

---------------------------------------------------------------------
Update Information:

Ben Burton notified the KDE security team about several
tempfile handling related vulnerabilities in langen2kvtml,
a conversion script for kvoctrain. The script must be
manually invoked.

The script uses known filenames in /tmp, which allow a local
attacker to overwrite files writeable by the user invoking the
conversion script.

This update fixes these vulnerabilities.
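As an added illustration of the flaw class described above (example code, not part of the kdeedu package or the langen2kvtml script; the function names and the /tmp paths are hypothetical), the weak fixed-name pattern beside a hardened version that keeps scratch files in a private directory created with mktemp:

```shell
#!/bin/sh
# Added example, not code from kdeedu or langen2kvtml. Function names and
# the /tmp paths below are hypothetical stand-ins for the conversion step.

# Weak pattern: a fixed, predictable path under the world-writable /tmp.
# Another local user can create that path (or a symlink there) ahead of
# time, so this write lands wherever they chose, with the invoking user's
# permissions. This is the class of flaw the update above fixes.
convert_weak() {
    out=/tmp/convert_example.tmp
    printf '%s\n' "$1" > "$out"
    cat "$out"
    rm -f "$out"
}

# Hardened pattern: mktemp -d creates a directory with an unpredictable
# name and mode 0700, atomically, so nobody else can pre-create it or swap
# its contents; scratch files live inside it, and a trap removes it on
# exit even when the conversion fails part-way.
convert_safe() {
    workdir=$(mktemp -d "${TMPDIR:-/tmp}/convert_example.XXXXXX") || return 1
    trap 'rm -rf "$workdir"' EXIT HUP INT TERM
    out="$workdir/input.txt"
    printf '%s\n' "$1" > "$out"
    cat "$out"
    rm -rf "$workdir"
    trap - EXIT HUP INT TERM
}

# Check helper: creates a directory the safe way and prints its permission
# bits (expected "drwx------") before removing it again.
safe_tmpdir_mode() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/convert_example.XXXXXX") || return 1
    ls -ld "$d" | cut -c1-10
    rm -rf "$d"
}

# Check helper: two safe directories never share a name, unlike the fixed
# path used by convert_weak.
safe_tmpdir_names_differ() {
    a=$(mktemp -d "${TMPDIR:-/tmp}/convert_example.XXXXXX") || return 1
    b=$(mktemp -d "${TMPDIR:-/tmp}/convert_example.XXXXXX") || return 1
    rm -rf "$a" "$b"
    [ "$a" != "$b" ]
}
```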
---------------------------------------------------------------------
* Tue Aug  9 2005 Than Ngo <than@xxxxxxxxxx> 3.4.2-0.fc3.2
- apply patch to fix tempfile vulnerability, CAN-2005-2101, #165606


---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/


This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.
---------------------------------------------------------------------


----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by
telephone, or send Not Protectively Marked information by e-mail to:
uniras@xxxxxxxxxxxx

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 870 487 0748 Ext 4511
Fax: +44 (0) 870 487 0749

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 870 487 0748 and follow the prompts

----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of Fedora for the information
contained in this Briefing.
----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some 
of the information may have changed since it was released. If the vulnerability 
affects you, it may be prudent to retrieve the advisory from the canonical site 
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade
name, trademark, manufacturer, or otherwise, does not constitute or imply
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views
and opinions of authors expressed within this notice shall not be used for
advertising or product endorsement purposes.

Neither UNIRAS nor NISCC accepts responsibility for any errors
or omissions contained within this briefing notice. In particular, they shall
not be liable for any loss or damage whatsoever, arising from or in connection
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large. 
----------------------------------------------------------------------------------
<End of UNIRAS Briefing>

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

-----END PGP SIGNATURE-----


______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email 
______________________________________________________________________
