1.) First one is this: http://sourceforge.net/tracker/index.php?func=detail&aid=1907211&group_id=31577&atid=402788

The ticket more-or-less describes the fix. The pertinent changes are these:
http://sourceforge.net/mailarchive/forum.php?thread_name=E1JXR7v-0000BC-C0%40sc8-pr-cvs9.sourceforge.net&forum_name=roundup-checkins
http://sourceforge.net/mailarchive/forum.php?thread_name=E1JXR7v-0000B9-5n%40sc8-pr-cvs9.sourceforge.net&forum_name=roundup-checkins
http://sourceforge.net/mailarchive/forum.php?thread_name=E1JXR7v-0000B8-5X%40sc8-pr-cvs9.sourceforge.net&forum_name=roundup-checkins

2.) And the second one will probably need some more thinking; all upstream says is "security fix".

Documentation:
http://sourceforge.net/mailarchive/forum.php?thread_name=E1JVMv3-0004gZ-HE%40sc8-pr-cvs9.sourceforge.net&forum_name=roundup-checkins
http://sourceforge.net/mailarchive/forum.php?thread_name=E1JVMv3-0004gU-Dg%40sc8-pr-cvs9.sourceforge.net&forum_name=roundup-checkins
http://sourceforge.net/mailarchive/forum.php?thread_name=E1JVMv3-0004gV-DP%40sc8-pr-cvs9.sourceforge.net&forum_name=roundup-checkins

Serious business:
http://sourceforge.net/mailarchive/forum.php?thread_name=E1JVMv3-0004gf-J2%40sc8-pr-cvs9.sourceforge.net&forum_name=roundup-checkins
http://sourceforge.net/mailarchive/forum.php?thread_name=E1JVMv3-0004gs-To%40sc8-pr-cvs9.sourceforge.net&forum_name=roundup-checkins
http://sourceforge.net/mailarchive/forum.php?thread_name=E1JVMv3-0004gr-TW%40sc8-pr-cvs9.sourceforge.net&forum_name=roundup-checkins

I might have forgotten some as well: http://sourceforge.net/mailarchive/forum.php?forum_name=roundup-checkins
CVE names requested
Thank you for bringing this to my attention. I am putting together the 1.4.4 rpm now.
This is my first security update; shall I wait for CVE names to include them in the %changelog, or can I just go ahead and build everything now? Thanks.
Paul, feel free to build the packages even without the CVE names. Refer to this bug report in the changelog. Thanks!
I've done the builds. If/when you have CVE numbers, you can create the updates. Or I can do it if you say so.
Please create the updates. Thanks!
roundup-1.4.4-1.fc7 has been submitted as an update for Fedora 7
roundup-1.4.4-1.fc8 has been submitted as an update for Fedora 8
roundup-1.4.4-1.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
roundup-1.4.4-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in: Fedora: https://admin.fedoraproject.org/updates/F7/FEDORA-2008-2370 https://admin.fedoraproject.org/updates/F8/FEDORA-2008-2471
CVE-2008-1474: Multiple unspecified vulnerabilities in Roundup before 1.4.4 have unknown impact and attack vectors, some of which may be related to cross-site scripting (XSS).