
UNIRAS Brief - 660/05 - Fedora - Four Update Notifications



 
-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 660/05 dated 23.08.05  Time: 10:30
  UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
- ---------------------------------------------------------------------------------- 
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
- ----------------------------------------------------------------------------------

Title
=====

Fedora - Four Update Notifications:
     1.  Fedora Core 4 Update: slocate-2.7-22.fc4.1                    [FEDORA-2005-770]
     2.  Fedora Core 4 Update: squirrelmail-1.4.6-0.cvs20050812.1.fc4  [FEDORA-2005-780]
     3.  Fedora Core 3 Update: slocate-2.7-12.fc3.1                    [FEDORA-2005-771]
     4.  Fedora Core 3 Update: squirrelmail-1.4.6-0.cvs20050812.1.fc3  [FEDORA-2005-779]


Detail
====== 

Update notification summaries:

     1.  A carefully prepared directory structure could stop the
         updatedb file system scan, resulting in an incomplete slocate
         database.

     2.  It appears that Fedora have released an update to version 1.4.6 of
         Squirrelmail due to perceived problems with the public version 1.4.5.

     3.  A carefully prepared directory structure could stop the
         updatedb file system scan, resulting in an incomplete slocate
         database.

     4.  It appears that Fedora have released an update to version 1.4.6 of
         Squirrelmail due to perceived problems with the public version 1.4.5.


Update notification content follows:


1.


- ---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2005-770
2005-08-22
- ---------------------------------------------------------------------

Product     : Fedora Core 4
Name        : slocate
Version     : 2.7                      
Release     : 22.fc4.1                  
Summary     : Finds files on a system via a central database.
Description :
Slocate is a security-enhanced version of locate. Just like locate,
slocate searches through a central database (which is updated nightly)
for files that match a given pattern. Slocate allows you to quickly
find files anywhere on your system.

- ---------------------------------------------------------------------
Update Information:

A carefully prepared directory structure could stop the
updatedb file system scan, resulting in an incomplete slocate
database. The Common Vulnerabilities and Exposures project has
assigned the name CAN-2005-2499 to this issue.

- ---------------------------------------------------------------------
* Tue Aug  9 2005 Miloslav Trmac <mitr@xxxxxxxxxx> - 2.7-22.fc4.1
- - Replace sl_fs.[ch] by glibc-derived versions
- - Skip subtrees with paths longer than 32k


- ---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/4/

be933a409ee095e558d20b56e6c3aac5  SRPMS/slocate-2.7-22.fc4.1.src.rpm
4456c2873f2cc9a75afa6a9989445d4e  ppc/slocate-2.7-22.fc4.1.ppc.rpm
7cb7dfde2ee74b9b282b4ff002d3eb8c  ppc/debug/slocate-debuginfo-2.7-22.fc4.1.ppc.rpm
76bddbbc65171d8060a6f2c1a8bfa62d  x86_64/slocate-2.7-22.fc4.1.x86_64.rpm
856ef7ffcef6e41eef0e93f23fc57998  x86_64/debug/slocate-debuginfo-2.7-22.fc4.1.x86_64.rpm
50b3461440c9efe25d55f34d79a0272a  i386/slocate-2.7-22.fc4.1.i386.rpm
b35ba3b183c2e37773ddf07147b1a98d  i386/debug/slocate-debuginfo-2.7-22.fc4.1.i386.rpm

This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.  
- ---------------------------------------------------------------------




2.


- ---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2005-780
2005-08-22
- ---------------------------------------------------------------------

Product     : Fedora Core 4
Name        : squirrelmail
Version     : 1.4.6                      
Release     : 0.cvs20050812.1.fc4                  
Summary     : SquirrelMail webmail client
Description :
SquirrelMail is a standards-based webmail package written in PHP4. It
includes built-in pure PHP support for the IMAP and SMTP protocols, and
all pages render in pure HTML 4.0 (with no Javascript) for maximum
compatibility across browsers.  It has very few requirements and is very
easy to configure and install. SquirrelMail has all the functionality
you would want from an email client, including strong MIME support,
address books, and folder manipulation.

- ---------------------------------------------------------------------
Update Information:

It probably is not a good idea to push a CVS snapshot here,
but upstream screwed up their 1.4.5 release and CVS contains
further fixes like PHP5 related stuff that might make
squirrelmail usable on FC4.  This snapshot worked on my
personal server for the past week, so hopefully it will be
good for everyone else too.

CAN-2005-1769 and CAN-2005-2095 security issues are solved
in this update.

Please report regressions in behavior from our previous
1.4.4 package to Red Hat Bugzilla, product Fedora Core.  All
other squirrelmail bugs please report upstream.
- ---------------------------------------------------------------------
* Sun Aug 14 2005 Warren Togami <wtogami@xxxxxxxxxx> 1.4.6-0.cvs20050812.1
- - snapshot of 1.4.6 because 1.4.5 upstream was a bad release
  this hopefully will also work on PHP5 too...

* Mon Jun 20 2005 Warren Togami <wtogami@xxxxxxxxxx> 1.4.5-0.rc1
- - 1.4.5-0.rc1


- ---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/4/

508ddbe3e2fadfd928529173321aecb4  SRPMS/squirrelmail-1.4.6-0.cvs20050812.1.fc4.src.rpm
8de6255428c1ba23029430ca8a4e0e43  x86_64/squirrelmail-1.4.6-0.cvs20050812.1.fc4.noarch.rpm
8de6255428c1ba23029430ca8a4e0e43  i386/squirrelmail-1.4.6-0.cvs20050812.1.fc4.noarch.rpm

This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.  
- ---------------------------------------------------------------------




3.


- ---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2005-771
2005-08-22
- ---------------------------------------------------------------------

Product     : Fedora Core 3
Name        : slocate
Version     : 2.7                      
Release     : 12.fc3.1                  
Summary     : Finds files on a system via a central database.
Description :
Slocate is a security-enhanced version of locate. Just like locate,
slocate searches through a central database (which is updated nightly)
for files that match a given pattern. Slocate allows you to quickly
find files anywhere on your system.

- ---------------------------------------------------------------------
Update Information:

A carefully prepared directory structure could stop the
updatedb file system scan, resulting in an incomplete slocate
database. The Common Vulnerabilities and Exposures project has
assigned the name CAN-2005-2499 to this issue. 
- ---------------------------------------------------------------------
* Wed Aug 10 2005 Miloslav Trmac <mitr@xxxxxxxxxx> - 2.7-12.fc3.1
- - s/Copyright/License/
- - Skip subtrees with paths longer than 32k
- - Drop the ineffective fts patch


- ---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/

858e1b03ea946b5c03e00721dc1709dd  SRPMS/slocate-2.7-12.fc3.1.src.rpm
dd00e1dc7ec8e90b51e404f2cae597e3  x86_64/slocate-2.7-12.fc3.1.x86_64.rpm
48d65ce1efe5f1e303b05ba46f74f7d7  x86_64/debug/slocate-debuginfo-2.7-12.fc3.1.x86_64.rpm
c83bfb7641c6c2e6bfc6209ea33f0157  i386/slocate-2.7-12.fc3.1.i386.rpm
364b3432b2b09a96b7a447f0fcd6aa23  i386/debug/slocate-debuginfo-2.7-12.fc3.1.i386.rpm

This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.  
- ---------------------------------------------------------------------




4.


- ---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2005-779
2005-08-22
- ---------------------------------------------------------------------

Product     : Fedora Core 3
Name        : squirrelmail
Version     : 1.4.6                      
Release     : 0.cvs20050812.1.fc3                  
Summary     : SquirrelMail webmail client
Description :
SquirrelMail is a standards-based webmail package written in PHP4. It
includes built-in pure PHP support for the IMAP and SMTP protocols, and
all pages render in pure HTML 4.0 (with no Javascript) for maximum
compatibility across browsers.  It has very few requirements and is very
easy to configure and install. SquirrelMail has all the functionality
you would want from an email client, including strong MIME support,
address books, and folder manipulation.

- ---------------------------------------------------------------------
Update Information:

It probably is not a good idea to push a CVS snapshot here,
but upstream screwed up their 1.4.5 release and CVS contains
further fixes like PHP5 related stuff that might make
squirrelmail usable on FC4. This snapshot worked on my
personal server for the past week, so hopefully it will be
good for everyone else too.

CAN-2005-1769 and CAN-2005-2095 security issues are solved
in this update.

Please report regressions in behavior from our previous
1.4.4 package to Red Hat Bugzilla, product Fedora Core. All
other squirrelmail bugs please report upstream.
- ---------------------------------------------------------------------
* Sun Aug 14 2005 Warren Togami <wtogami@xxxxxxxxxx> 1.4.6-0.cvs20050812.1
- - snapshot of 1.4.6 because 1.4.5 upstream was a bad release
  this hopefully will also work on PHP5 too...

* Mon Jun 20 2005 Warren Togami <wtogami@xxxxxxxxxx> 1.4.5-0.rc1
- - 1.4.5-0.rc1


- ---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/

eedfb9666898895bb5dded84697d0b1a  SRPMS/squirrelmail-1.4.6-0.cvs20050812.1.fc3.src.rpm
843b6ffb98c87b5cb992a2c674410ad3  x86_64/squirrelmail-1.4.6-0.cvs20050812.1.fc3.noarch.rpm
843b6ffb98c87b5cb992a2c674410ad3  i386/squirrelmail-1.4.6-0.cvs20050812.1.fc3.noarch.rpm

This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.  
- ---------------------------------------------------------------------



- ----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by 
telephone. Not Protectively Marked information may be sent via 
EMail to: uniras@xxxxxxxxxxxx

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 870 487 0748 Ext 4511
Fax: +44 (0) 870 487 0749

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 870 487 0748 and follow the prompts

- ----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of Fedora for the information 
contained in this Briefing. 
- ----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some 
of the information may have changed since it was released. If the vulnerability 
affects you, it may be prudent to retrieve the advisory from the canonical site 
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade 
name, trademark, manufacturer, or otherwise, does not constitute or imply 
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views 
and opinions of authors expressed within this notice shall not be used for 
advertising or product endorsement purposes.

Neither UNIRAS nor NISCC shall accept responsibility for any errors 
or omissions contained within this briefing notice. In particular, they shall 
not be liable for any loss or damage whatsoever, arising from or in connection 
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large. 
- ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQCVAwUBQwrs4Ypao72zK539AQEZ0QQAipduXmEh0dcr+Mqq1N0g7iSk8kw0dn7R
GUaDfcV39Ce+t5/3vpw4Jv4AmC5nmXUnwQo2dO/e/EGzxu9CHD11i3P7eC6x8cSO
RTq5XHdJjx1yG5cY5XIcac1h1aexyJK8RE0KBdv2pQOJv62+n4MPrSlTrkOUTJW8
JC6xTLZkcMw=
=w7mc
-----END PGP SIGNATURE-----


______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email 
______________________________________________________________________