Bug#697666: [oss-security] CVE request for Movable Type
On 01/21/2013 01:48 PM, Yves-Alexis Perez wrote:
> Hi,
>
> Movable Type 4.38 has been released a few weeks ago, fixing a
> security issue in the upgrade page.
>
> More information can be found at [1] but basically it looks like
> missing input sanitation on the mt-upgrade.cgi page.
>
> As far as I can tell, no CVE has been allocated yet, could someone
> allocate one?
>
> Regards,
>
> [1]:
> http://www.movabletype.org/2013/01/movable_type_438_patch.html

Please use CVE-2013-0209 for this issue.

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#693048: Gajim fails to handle invalid certificates
On 11/14/2012 02:19 AM, Florian Weimer wrote:
> On 11/14/2012 08:19 AM, Kurt Seifried wrote:
>
>> So do we consider this to be an OpenSSL issue of gajim? I'm sure
>> gajim is not the only program that does something like this.
>
> As far as I understand things, it is not necessary at all to set
> a verification callback in OpenSSL. If you load the root
> certificate store and examine SSL_get_verify_result, that should be
> sufficient. You can even look at the peer certificate and continue
> anyway if the user has overridden the certificate validity. So
> far, I haven't found a good reason to use a verify callback at all.
> You need it to implement a custom PKIX validation policy, but that
> should be pretty rare. (I still have to check older OpenSSL
> versions, though, perhaps there, the behavior was different.)
>
> Anyway, if application developers set a verification callback, it
> is their responsibility to implement it correctly. Therefore, I
> don't think this is an OpenSSL issue.

Makes sense, just wanted to confirm this problem resides within Gajim.

Please use CVE-2012-5524 for this issue.

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Bug#692791: [oss-security] Privilege escalation (lpadmin -> root) in cups
On 11/10/2012 05:49 AM, Yves-Alexis Perez wrote:
> Hi,
>
> a Debian user reported a bug in our BTS concerning cupsd. The bug
> is available at
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692791 and
> upstream bug at http://www.cups.org/str.php?L4223 (restricted
> because it's tagged security).
>
> I'm unsure right now if it's an upstream issue or specific to
> Debian.

On Red Hat Enterprise 6 and Fedora 16 the file is owned by root:sys,
and the cupsd.conf defaults to:

AuthType Default
Require user @SYSTEM
Order allow,deny

so that should be like "root", "bin" and "adm" so yeah it would appear
to be vendor specific.

> Basically, members of the lpadmin group (which is the group having
> admin rights to cups, meaning they're supposed to be able to
> add/remove printers etc.) have admin access to the web interface,
> where they can edit the config file and set some “dangerous”
> directives (like the log filenames), which enable them to read or
> write files as the user running the cupsd webserver.
>
> In Debian case at least, it's run as root, meaning we have a
> privilege escalation issue from lpadmin group to root.

I think as a rule cupsd runs as root, to touch the various
files/dirs/etc.

> A fix would be to not run cupsd web server as root, and maybe to
> restrict it to some kind of chroot so it doesn't have access to
> sensitive files

Tricky, /dev/*, log dirs, etc. Probably better to just use a print
specific user/group and make all the standard locations owned by it,
and require the admin to setup anything like say
/non-standard/log/printers/ and so on.

> Can a CVE be allocated for this?

Please use CVE-2012-5519 for this issue. Also if other vendors could
check the permissions/configs/etc. and reply if they are vulnerable
that would be good.

> Regards,
>

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
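
An added example, not part of the original thread and not CUPS or Debian code: a small audit that reads a cupsd.conf and reports log directives (the "dangerous" log filenames discussed above) whose target falls outside the expected log directory. The allowed directory, the base directory for relative paths and the sample configuration are assumptions made for the example.

```python
import posixpath

# cupsd.conf directives that name a file cupsd writes to.
LOG_DIRECTIVES = {"accesslog", "errorlog", "pagelog"}
# Log targets that are not files.
NON_FILE_TARGETS = {"syslog", "stderr"}
# Assumptions for this example: where logs may live, and the base
# directory used for relative log paths.
ALLOWED_LOG_DIR = "/var/log/cups"
SERVER_ROOT = "/etc/cups"

# Constructed sample, not taken from a real host.
SAMPLE_CONF = """\
# constructed cupsd.conf excerpt
LogLevel warn
AccessLog /var/log/cups/access_log
ErrorLog /var/log/cups/../../../srv/data/error_log
PageLog page_log
<Location /admin>
  AuthType Default
  Require user @SYSTEM
  Order allow,deny
</Location>
"""


def audit_log_directives(conf_text, allowed_dir=ALLOWED_LOG_DIR,
                         server_root=SERVER_ROOT):
    """Return (line_number, directive, resolved_path) for every log
    directive whose target falls outside allowed_dir."""
    allowed_dir = posixpath.normpath(allowed_dir)
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line or line.startswith("<"):  # skip section tags
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0].lower() not in LOG_DIRECTIVES:
            continue
        directive, target = parts[0], parts[1].strip()
        if target.lower() in NON_FILE_TARGETS:
            continue
        # Lexical normalisation collapses "..", so a path that merely
        # starts with the allowed prefix is not accepted. Symlinks are
        # not followed here; on a live host compare os.path.realpath().
        resolved = posixpath.normpath(posixpath.join(server_root, target))
        if posixpath.commonpath([resolved, allowed_dir]) != allowed_dir:
            findings.append((lineno, directive, resolved))
    return findings


if __name__ == "__main__":
    for lineno, directive, path in audit_log_directives(SAMPLE_CONF):
        print(f"line {lineno}: {directive} writes to {path}")
```
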
Bug#684076: CVE-2012-3513 munin: User can load new config, pointing log to arbitrary file
CVE-2012-3513 munin: User can load new config, pointing log to arbitrary file

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Bug#684075: CVE-2012-3512 munin: insecure state file handling, munin->root privilege
CVE-2012-3512 munin: insecure state file handling, munin->root privilege

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Bug#668667: [oss-security] CVE Request (minor) -- Two Munin graphing framework flaws
On 04/27/2012 09:41 AM, Steve Schnepp wrote:
> On Wed, Apr 18, 2012 at 07:04, Kurt Seifried wrote:
>>> In addition munin parses parts of the query string. You are
>>> allowed to modify the size of the image. By choosing a path
>>> "png?size_x=2&size_y=2&uniquestuff" you can do the
>>> same attack while simultaneously using a large image size. The
>>> raw image would be 381M (assuming 8bits/pixel) in this case. A
>>> png version will likely be smaller, say 4M? So now you have an
>>> amplification of 4M/request. Note that this query can get a
>>> node into swapping, because rrdtool needs to create the whole
>>> image in main memory.

Please use CVE-2012-2147 for this issue (specifying the size = lots of
ram/storage space used up during image creation).

>
>> Ouch.
>
> I believe I fixed the bug in r4825, since:
> - url with query string aren't stored permanently anymore.
> - /tmp isn't used anymore per default (to fix #668536)
>
> Could you confirm that?
>
> OTOH, the issue about very big imgs that gets the cgi into
> swapping isn't the same bug to be.
>
> As Helmut noticed, there is already a size cap in rrd, so do I
> still need to implement one in munin? If yes, would you mind to file
> another bugreport (for RAM exhaustion)?
>
> Thx!
>
> r4825: http://munin-monitoring.org/changeset/4825
>
> -- Steve Schnepp http://blog.pwkf.org/

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
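
An added example, not part of the original thread and not Munin's code: one way a CGI front end could apply the size cap asked about above, bounding `size_x`/`size_y` and the raw image size before any rendering is attempted, and refusing the unrecognised query keys used to make each request unique. The limits, the default size and the function names are assumptions made for the example.

```python
import re
from urllib.parse import parse_qs

SIZE_PARAMS = ("size_x", "size_y")   # parameter names from the thread
# Assumptions for this example, not Munin's real defaults or limits:
DEFAULT_SIZE = {"size_x": 400, "size_y": 175}
MAX_DIMENSION = 4000                 # pixels per side
MAX_RAW_BYTES = 8 * 1024 * 1024      # budget for the uncompressed image
BYTES_PER_PIXEL = 1                  # 8 bits/pixel, as in the estimate above


class RejectedRequest(ValueError):
    """Raised when a graph request must not reach the renderer."""


def checked_graph_size(query):
    """Return (size_x, size_y, raw_bytes) for a query string, or raise
    RejectedRequest before any image memory is allocated."""
    params = parse_qs(query, keep_blank_values=True)
    # Unknown keys only serve to make the URL unique, so refuse them.
    unknown = sorted(set(params) - set(SIZE_PARAMS))
    if unknown:
        raise RejectedRequest(f"unexpected parameters: {unknown}")
    size = dict(DEFAULT_SIZE)
    for name in SIZE_PARAMS:
        if name not in params:
            continue
        values = params[name]
        # Exactly one plain decimal value per parameter.
        if len(values) != 1 or not re.fullmatch(r"[0-9]{1,5}", values[0]):
            raise RejectedRequest(f"malformed {name}")
        value = int(values[0])
        if not 1 <= value <= MAX_DIMENSION:
            raise RejectedRequest(f"{name} out of range")
        size[name] = value
    # Each side can be within bounds while the product is not.
    raw_bytes = size["size_x"] * size["size_y"] * BYTES_PER_PIXEL
    if raw_bytes > MAX_RAW_BYTES:
        raise RejectedRequest("raw image exceeds memory budget")
    return size["size_x"], size["size_y"], raw_bytes


def try_graph_size(query):
    """Like checked_graph_size, but return None for a rejected request."""
    try:
        return checked_graph_size(query)
    except RejectedRequest:
        return None


if __name__ == "__main__":
    for q in ("size_x=800&size_y=600", "size_x=4000&size_y=4000",
              "size_x=2&size_y=2&uniquestuff"):
        print(q, "->", try_graph_size(q))
```
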
Bug#668667: [oss-security] CVE Request (minor) -- Two Munin graphing framework flaws
On 04/17/2012 11:16 PM, Helmut Grohne wrote:
> On Tue, Apr 17, 2012 at 11:04:56PM -0600, Kurt Seifried wrote:
>> On 04/16/2012 11:34 PM, Helmut Grohne wrote:
>>> The basic requirement is that a plugin called vmstat is
>>> configured for the node localhost.localdomain. I just picked it
>>> as an example, cause it is present on my system. In practise
>>> any plugin for any host will do.
>>
>> Is this the default configuration?
>
> I am not that sure about the defaults, because I changed them.
> However running a Munin without any plugins is pointless. It is
> like running a mail server that does not transport any mail. You
> don't even have to guess the name of a configured plugin, because
> those images are linked from the html. Finding a configured plugin
> is really no issue on any sane munin installation. Sane
> administrators may have to restricted access to munin to themselves
> as to not expose the monitoring results to the public though.
>
> Helmut

If anyone can comment on this (default/not), and if you install a
plugin does it expose it publicly or does the administrator have to
enable remote access?

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Bug#668667: [oss-security] CVE Request (minor) -- Two Munin graphing framework flaws
On 04/16/2012 11:34 PM, Helmut Grohne wrote:
> Hi Kurt,
>
> Please always CC the bug report when adding detail to it. Doing it
> now for you.
>
> On Mon, Apr 16, 2012 at 01:19:32PM -0600, Kurt Seifried wrote:
>>> [3] Remote users can fill /tmp filesystem: Red Hat would not
>>> consider this to be a security flaw => no RH BTS entry.
>>>
>>> Original report:
>>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=668667
>>
>> I reread this one a few times, I'm not clear on what:
>>
>> == printf 'GET
>> /cgi-bin/munin-cgi-graph/localdomain/localhost.localdomain/vmstat-day.png?foo
>>
>> HTTP/1.0\r\nHost: localhost\r\nConnection: close\r\n\r\n' | nc
>> localhost 80
>>
>> Provided that the filename actually exists, munin will render the
>> image ==
>>
>> means exactly, does the file vmstat-day.png need to exist where?
>> It seems like if the image is of any size (say 20k or more) the
>> amplification (each get request = 20k of tmp space usage) and
>> the files have to be deleted manually it might qualify as a DoS.
>>
>> hel...@subdivi.de can you shed more light on this?
>
> The basic requirement is that a plugin called vmstat is configured
> for the node localhost.localdomain. I just picked it as an example,
> cause it is present on my system. In practise any plugin for any
> host will do.

Is this the default configuration?

> In addition munin parses parts of the query string. You are allowed
> to modify the size of the image. By choosing a path
> "png?size_x=2&size_y=2&uniquestuff" you can do the
> same attack while simultaneously using a large image size. The raw
> image would be 381M (assuming 8bits/pixel) in this case. A png
> version will likely be smaller, say 4M? So now you have an
> amplification of 4M/request. Note that this query can get a node
> into swapping, because rrdtool needs to create the whole image in
> main memory.
>
> Hope this helps

Ouch.

> Helmut

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Bug#659376: Please use CVE-2012-0844 for this issue.
Please use CVE-2012-0844 for this issue.

www.openwall.com/lists/oss-security/2012/02/11/3

--
Kurt Seifried Red Hat Security Response Team (SRT)
Bug#659379: Please use CVE-2012-0843 for this issue.
Please use CVE-2012-0843 for this issue.

www.openwall.com/lists/oss-security/2012/02/11/3

--
Kurt Seifried Red Hat Security Response Team (SRT)
Bug#654270: Please use CVE-2012-0824 for this issue.
Please use CVE-2012-0824 for this issue.

--
Kurt Seifried Red Hat Security Response Team (SRT)
Bug#654270: Does this need a CVE #?
Does this need a CVE #?

--
Kurt Seifried Red Hat Security Response Team (SRT)
Bug#652417: Please use CVE-2012-0813 for this issue.
Please use CVE-2012-0813 for this issue.

http://seclists.org/oss-sec/2012/q1/294

--
Kurt Seifried Red Hat Security Response Team (SRT)
Bug#652417: Does this issue need a CVE #?
Does this issue need a CVE #?

--
-- Kurt Seifried / Red Hat Security Response Team
kseifr...@redhat.com
Bug#656494: Please use CVE-2012-0064 for this issue.
Please use CVE-2012-0064 for this issue.

http://www.openwall.com/lists/oss-security/2012/01/19/6

--
-- Kurt Seifried / Red Hat Security Response Team
Bug#652996: [Secure-testing-team] Bug#652996: t1lib:, CVE-2011-0764
More info on those CVE's is available at:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-1552
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-1553
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-1554

Hope this helps.

--
-Kurt Seifried / Red Hat Security Response Team