CPNI - Centre for the Protection of National Infrastructure

September 2005

Fedora Legacy - Four Update Advisories

ID: 00800
Ref: 744/05
Date: 15 September 2005 11:28:05
Version: 1

Title: Fedora Legacy - Four Update Advisories
Abstract:
Vendors affected: Fedora Legacy
Operating systems affected: Fedora Legacy
Applications affected: Fedora Legacy


Title
=====

Fedora Legacy - Four Update Advisories:
1. Updated mozilla packages fix security issues [FLSA-2005:160202]
2. Updated Zlib packages fix security issues [FLSA-2005:162680]
3. Updated squirrelmail package fixes security issues [FLSA-2005:163047]
4. Updated CUPS packages fix security issue [FLSA-2005:163274]

Detail
======

Update advisory summaries:

1. Updated mozilla packages that fix various security issues are now
available.

2. Updated Zlib packages that fix buffer overflows are now available.

3. An updated squirrelmail package that fixes two security issues is now
available.

4. Updated CUPS packages that fix a security issue are now available.


Update advisory content follows:


1.


---------------------------------------------------------------------
Fedora Legacy Update Advisory

Synopsis: Updated mozilla packages fix security issues
Advisory ID: FLSA:160202
Issue date: 2005-09-14
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix
CVE Names: CAN-2005-2260 CAN-2005-2261 CAN-2005-2263 CAN-2005-2265
CAN-2005-1937 CAN-2005-2266 CAN-2005-2267 CAN-2005-2268 CAN-2005-2269
CAN-2005-2270
---------------------------------------------------------------------


---------------------------------------------------------------------
1. Topic:

Updated mozilla packages that fix various security issues are now
available.

Mozilla is an open source Web browser, advanced email and newsgroup
client, IRC chat client, and HTML editor.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

A bug was found in the way Mozilla handled synthetic events. It is
possible that Web content could generate events such as keystrokes or
mouse clicks that could be used to steal data or execute malicious
Javascript code. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2005-2260 to this issue.

A bug was found in the way Mozilla executed Javascript in XBL controls.
It is possible for a malicious webpage to leverage this vulnerability to
execute other JavaScript based attacks even when JavaScript is disabled.
(CAN-2005-2261)

A bug was found in the way Mozilla installed its extensions. If a user
can be tricked into visiting a malicious webpage, it may be possible to
obtain sensitive information such as cookies or passwords.
(CAN-2005-2263)

A bug was found in the way Mozilla handled certain Javascript functions.
It is possible for a malicious webpage to crash the browser by executing
malformed Javascript code. (CAN-2005-2265)

A bug was found in the way Mozilla handled multiple frame domains. It is
possible for a frame as part of a malicious website to inject content
into a frame that belongs to another domain. This issue was previously
fixed as CAN-2004-0718 but was accidentally disabled. (CAN-2005-1937)

A bug was found in the way Mozilla handled child frames. It is possible
for a malicious framed page to steal sensitive information from its
parent page. (CAN-2005-2266)

A bug was found in the way Mozilla opened URLs from media players. If a
media player opens a URL which is Javascript, the Javascript executes
with access to the currently open webpage. (CAN-2005-2267)

A design flaw was found in the way Mozilla displayed alerts and prompts.
Alerts and prompts were given the generic title [JavaScript Application]
which prevented a user from knowing which site created them.
(CAN-2005-2268)

A bug was found in the way Mozilla handled DOM node names. It is
possible for a malicious site to overwrite a DOM node name, allowing
certain privileged chrome actions to execute the malicious Javascript.
(CAN-2005-2269)

A bug was found in the way Mozilla cloned base objects. It is possible
for Web content to traverse the prototype chain to gain access to
privileged chrome objects. (CAN-2005-2270)

Users of Mozilla are advised to upgrade to these updated packages, which
contain Mozilla version 1.7.10 and are not vulnerable to these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which
are not installed but included in the list will not be updated. Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=160202

6. RPMs required:

Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/mozilla-1.7.10-0.73.1.legacy.src.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/galeon-1.2.14-0.73.4.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-1.7.10-0.73.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-chat-1.7.10-0.73.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-devel-1.7.10-0.73.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-dom-inspector-1.7.10-0.73.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-js-debugger-1.7.10-0.73.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-mail-1.7.10-0.73.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-nspr-1.7.10-0.73.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-nspr-devel-1.7.10-0.73.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-nss-1.7.10-0.73.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-nss-devel-1.7.10-0.73.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/galeon-1.2.14-0.73.4.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/mozilla-1.7.10-0.90.1.legacy.src.rpm
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/galeon-1.2.14-0.90.4.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-1.7.10-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-chat-1.7.10-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-devel-1.7.10-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-dom-inspector-1.7.10-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-js-debugger-1.7.10-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-mail-1.7.10-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-nspr-1.7.10-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-nspr-devel-1.7.10-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-nss-1.7.10-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-nss-devel-1.7.10-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/galeon-1.2.14-0.90.4.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/mozilla-1.7.10-1.1.1.legacy.src.rpm
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/epiphany-1.0.8-1.fc1.4.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-1.7.10-1.1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-chat-1.7.10-1.1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-devel-1.7.10-1.1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-dom-inspector-1.7.10-1.1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-js-debugger-1.7.10-1.1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-mail-1.7.10-1.1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-nspr-1.7.10-1.1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-nspr-devel-1.7.10-1.1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-nss-1.7.10-1.1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-nss-devel-1.7.10-1.1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/epiphany-1.0.8-1.fc1.4.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/mozilla-1.7.10-1.2.1.legacy.src.rpm
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/epiphany-1.2.10-0.2.5.legacy.src.rpm
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/devhelp-0.9.1-0.2.8.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-1.7.10-1.2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-chat-1.7.10-1.2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-devel-1.7.10-1.2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-dom-inspector-1.7.10-1.2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-js-debugger-1.7.10-1.2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-mail-1.7.10-1.2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-nspr-1.7.10-1.2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-nspr-devel-1.7.10-1.2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-nss-1.7.10-1.2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-nss-devel-1.7.10-1.2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/epiphany-1.2.10-0.2.5.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/devhelp-0.9.1-0.2.8.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/devhelp-devel-0.9.1-0.2.8.legacy.i386.rpm


7. Verification:

SHA1 sum Package Name
---------------------------------------------------------------------


These packages are GPG signed by Fedora Legacy for security. Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v [filename]

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum [filename]

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2260
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2261
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2263
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2265
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1937
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2266
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2267
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2268
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2269
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2270

9. Contact:

The Fedora Legacy security contact is . More
project details at http://www.fedoralegacy.org

---------------------------------------------------------------------




2.


---------------------------------------------------------------------
Fedora Legacy Update Advisory

Synopsis: Updated Zlib packages fix security issues
Advisory ID: FLSA:162680
Issue date: 2005-09-14
Product: Fedora Core
Keywords: Bugfix
CVE Names: CAN-2005-1849 CAN-2005-2096
---------------------------------------------------------------------


---------------------------------------------------------------------
1. Topic:

Updated Zlib packages that fix buffer overflows are now available.

Zlib is a general-purpose lossless data compression library which is
used by many different programs.

2. Relevant releases/architectures:

Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

Tavis Ormandy discovered a buffer overflow affecting Zlib version 1.2
and above. An attacker could create a carefully crafted compressed
stream that would cause an application to crash if the stream is opened
by a user. As an example, an attacker could create a malicious PNG image
file which would cause a web browser or mail viewer to crash if the
image is viewed. The Common Vulnerabilities and Exposures project
assigned the name CAN-2005-2096 to this issue.

Markus Oberhumer discovered additional ways a stream could trigger an
overflow. An attacker could create a carefully crafted compressed stream
that would cause an application to crash if the stream is opened by a
user. As an example, an attacker could create a malicious PNG image file
that would cause a Web browser or mail viewer to crash if the image is
viewed. The Common Vulnerabilities and Exposures project (cve.mitre.org)
assigned the name CAN-2005-1849 to this issue.

All users should update to these erratum packages which contain a patch
from Mark Adler which corrects this issue.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which
are not installed but included in the list will not be updated. Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=162680

6. RPMs required:

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/zlib-1.2.0.7-2.3.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/zlib-1.2.0.7-2.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/zlib-devel-1.2.0.7-2.3.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/zlib-1.2.1.2-0.fc2.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/zlib-1.2.1.2-0.fc2.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/zlib-devel-1.2.1.2-0.fc2.2.legacy.i386.rpm


7. Verification:

SHA1 sum Package Name
---------------------------------------------------------------------


These packages are GPG signed by Fedora Legacy for security. Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v [filename]

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum [filename]

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1849
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2096

9. Contact:

The Fedora Legacy security contact is . More
project details at http://www.fedoralegacy.org

---------------------------------------------------------------------




3.


---------------------------------------------------------------------
Fedora Legacy Update Advisory

Synopsis: Updated squirrelmail package fixes security issues
Advisory ID: FLSA:163047
Issue date: 2005-09-14
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix
CVE Names: CAN-2005-1769 CAN-2005-2095
---------------------------------------------------------------------


---------------------------------------------------------------------
1. Topic:

An updated squirrelmail package that fixes two security issues is now
available.

SquirrelMail is a standards-based webmail package written in PHP4.

2. Relevant releases/architectures:

Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

A bug was found in the way SquirrelMail handled the $_POST variable. If
a user is tricked into visiting a malicious URL, the user's SquirrelMail
preferences could be read or modified. The Common Vulnerabilities and
Exposures project assigned the name CAN-2005-2095 to this issue.

Several cross-site scripting bugs were discovered in SquirrelMail. An
attacker could inject arbitrary Javascript or HTML content into
SquirrelMail pages by tricking a user into visiting a carefully crafted
URL, or by sending them a carefully constructed HTML email message. The
Common Vulnerabilities and Exposures project assigned the name
CAN-2005-1769 to this issue.

All users of SquirrelMail should upgrade to this updated package, which
contains backported patches that resolve these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which
are not installed but included in the list will not be updated. Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=163047

6. RPMs required:

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/squirrelmail-1.4.3-0.f0.9.6.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/squirrelmail-1.4.3-0.f0.9.6.legacy.noarch.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/squirrelmail-1.4.3-0.f1.1.5.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/squirrelmail-1.4.3-0.f1.1.5.legacy.noarch.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/squirrelmail-1.4.4-1.FC2.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/squirrelmail-1.4.4-1.FC2.2.legacy.noarch.rpm


7. Verification:

SHA1 sum Package Name
---------------------------------------------------------------------


These packages are GPG signed by Fedora Legacy for security. Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v [filename]

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum [filename]

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1769
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2095

9. Contact:

The Fedora Legacy security contact is . More
project details at http://www.fedoralegacy.org

---------------------------------------------------------------------




4.


---------------------------------------------------------------------
Fedora Legacy Update Advisory

Synopsis: Updated CUPS packages fix security issue
Advisory ID: FLSA:163274
Issue date: 2005-09-14
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix
CVE Names: CAN-2005-2154
---------------------------------------------------------------------


---------------------------------------------------------------------
1. Topic:

Updated CUPS packages that fix a security issue are now available.

The Common UNIX Printing System provides a portable printing layer for
UNIX(R) operating systems.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

When processing a request, the CUPS scheduler would use case-sensitive
matching on the queue name to decide which authorization policy should
be used. However, queue names are not case-sensitive. An unauthorized
user could print to a password-protected queue without needing a
password. The Common Vulnerabilities and Exposures project has assigned
the name CAN-2005-2154 to this issue.

All users of CUPS should upgrade to these erratum packages which contain
a backported patch to correct this issue.
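To make the CUPS flaw concrete, the following is an added illustration (not CUPS source and not the Fedora Legacy patch): a scheduler that finds the queue case-insensitively but looks up the authorization policy with a case-sensitive comparison on the request path as typed, beside a corrected lookup that matches the policy on the canonical queue name. The queue table, policy table and the helper functions are constructed for this example; the corrected form is one reasonable way to close the gap, not a claim about how the real patch does it.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Access level attached to a location policy (constructed for this example). */
enum access { ACCESS_NO_QUEUE = -1, ACCESS_OPEN = 0, ACCESS_AUTH_REQUIRED = 1 };

struct policy {
    const char *location;   /* request path the policy applies to */
    enum access level;
};

/* Constructed sample data: two queues as the administrator named them,
 * and one policy protecting the payroll queue with authentication. */
static const char *queues[] = { "payroll", "lobby" };
static const struct policy policies[] = {
    { "/printers/payroll", ACCESS_AUTH_REQUIRED },
    { "/printers/lobby",   ACCESS_OPEN },
};
#define NQUEUES   (sizeof queues / sizeof queues[0])
#define NPOLICIES (sizeof policies / sizeof policies[0])

/* Case-insensitive string equality (portable stand-in for strcasecmp). */
static int ci_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* Queue lookup. Queue names are not case-sensitive, so "PAYROLL" and
 * "payroll" name the same destination. Returns the canonical spelling. */
static const char *resolve_queue(const char *name)
{
    for (size_t i = 0; i < NQUEUES; i++)
        if (ci_equal(queues[i], name))
            return queues[i];
    return NULL;
}

/* Policy lookup. case_sensitive != 0 reproduces the flaw: the table is
 * matched with strcmp, so a path differing only in case matches nothing
 * and falls through to the permissive default. */
static enum access lookup_policy(const char *path, int case_sensitive)
{
    for (size_t i = 0; i < NPOLICIES; i++) {
        int match = case_sensitive ? strcmp(policies[i].location, path) == 0
                                   : ci_equal(policies[i].location, path);
        if (match)
            return policies[i].level;
    }
    return ACCESS_OPEN;   /* no policy for this path: default allow */
}

/* Decide what a print request to request_path ("/printers/<queue>")
 * needs. fixed == 0 reproduces the bug; fixed != 0 applies the fix. */
enum access authorize_print(const char *request_path, int fixed)
{
    static const char prefix[] = "/printers/";
    const size_t plen = sizeof prefix - 1;
    char canonical[256];

    if (strncmp(request_path, prefix, plen) != 0)
        return ACCESS_NO_QUEUE;

    /* The scheduler finds the queue case-insensitively in both versions. */
    const char *queue = resolve_queue(request_path + plen);
    if (queue == NULL)
        return ACCESS_NO_QUEUE;

    if (!fixed)
        /* Buggy: the policy is looked up with the path exactly as typed. */
        return lookup_policy(request_path, 1);

    /* Fixed: rebuild the path from the canonical queue name and match the
     * policy case-insensitively, so request casing cannot dodge it. */
    snprintf(canonical, sizeof canonical, "%s%s", prefix, queue);
    return lookup_policy(canonical, 0);
}

int main(void)
{
    const char *reqs[] = { "/printers/payroll", "/printers/PAYROLL", "/printers/Lobby" };
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++)
        printf("%-20s buggy=%2d fixed=%2d\n", reqs[i],
               authorize_print(reqs[i], 0), authorize_print(reqs[i], 1));
    return 0;
}
```

Running it shows the request for "/printers/PAYROLL" needing no authentication in the buggy mode while the same queue spelled "payroll" does; the fixed mode returns the same answer for both spellings.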

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which
are not installed but included in the list will not be updated. Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=163274

6. RPMs required:

Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/cups-1.1.14-15.4.5.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/cups-1.1.14-15.4.5.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/cups-devel-1.1.14-15.4.5.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/cups-libs-1.1.14-15.4.5.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/cups-1.1.17-13.3.0.14.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/cups-1.1.17-13.3.0.14.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/cups-devel-1.1.17-13.3.0.14.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/cups-libs-1.1.17-13.3.0.14.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/cups-1.1.19-13.9.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/cups-1.1.19-13.9.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/cups-devel-1.1.19-13.9.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/cups-libs-1.1.19-13.9.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/cups-1.1.20-11.11.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/cups-1.1.20-11.11.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/cups-devel-1.1.20-11.11.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/cups-libs-1.1.20-11.11.2.legacy.i386.rpm


7. Verification:

SHA1 sum Package Name
---------------------------------------------------------------------


These packages are GPG signed by Fedora Legacy for security. Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v [filename]

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum [filename]

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2154

9. Contact:

The Fedora Legacy security contact is . More
project details at http://www.fedoralegacy.org

---------------------------------------------------------------------


