Bug 436546 - (CVE-2008-1474) CVE-2008-1474 Roundup 1.4.4 contains security fixes
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
All Linux
high Severity high
Assigned To: Red Hat Product Security
: Security
Depends On: 436547 436548 436549
Reported: 2008-03-07 15:25 EST by Lubomir Kundrak
Modified: 2008-06-06 03:42 EDT
Doc Type: Bug Fix
Last Closed: 2008-04-23 02:15:19 EDT
Description Lubomir Kundrak 2008-03-07 15:25:24 EST
1.) First one is this:

http://sourceforge.net/tracker/index.php?func=detail&aid=1907211&group_id=31577&atid=402788

The ticket more-or-less describes the fix
The pertinent changes are these:

http://sourceforge.net/mailarchive/forum.php?thread_name=E1JXR7v-0000BC-C0%40sc8-pr-cvs9.sourceforge.net&forum_name=roundup-checkins
http://sourceforge.net/mailarchive/forum.php?thread_name=E1JXR7v-0000B9-5n%40sc8-pr-cvs9.sourceforge.net&forum_name=roundup-checkins
http://sourceforge.net/mailarchive/forum.php?thread_name=E1JXR7v-0000B8-5X%40sc8-pr-cvs9.sourceforge.net&forum_name=roundup-checkins

2.) And second one will probably need some more thinking; all upstream says is
"security fix"

Documentation:

http://sourceforge.net/mailarchive/forum.php?thread_name=E1JVMv3-0004gZ-HE%40sc8-pr-cvs9.sourceforge.net&forum_name=roundup-checkins
http://sourceforge.net/mailarchive/forum.php?thread_name=E1JVMv3-0004gU-Dg%40sc8-pr-cvs9.sourceforge.net&forum_name=roundup-checkins
http://sourceforge.net/mailarchive/forum.php?thread_name=E1JVMv3-0004gV-DP%40sc8-pr-cvs9.sourceforge.net&forum_name=roundup-checkins

Serious business:

http://sourceforge.net/mailarchive/forum.php?thread_name=E1JVMv3-0004gf-J2%40sc8-pr-cvs9.sourceforge.net&forum_name=roundup-checkins
http://sourceforge.net/mailarchive/forum.php?thread_name=E1JVMv3-0004gs-To%40sc8-pr-cvs9.sourceforge.net&forum_name=roundup-checkins
http://sourceforge.net/mailarchive/forum.php?thread_name=E1JVMv3-0004gr-TW%40sc8-pr-cvs9.sourceforge.net&forum_name=roundup-checkins

I might have forgotten some as well:

http://sourceforge.net/mailarchive/forum.php?forum_name=roundup-checkins
Comment 1 Lubomir Kundrak 2008-03-07 15:30:13 EST
CVE names requested
Comment 3 Paul P Komkoff Jr 2008-03-07 17:36:58 EST
Thank you for bringing this to my attention.
I am putting together 1.4.4 rpm now.
Comment 4 Paul P Komkoff Jr 2008-03-07 18:24:29 EST
This is my first security update; shall I wait for CVE names to include them
in the %changelog, or can I just go ahead and build everything now? Thanks.
Comment 5 Lubomir Kundrak 2008-03-08 02:07:40 EST
Paul, feel free to build the packages even without the CVE names. Refer to this
bug report in changelog. Thanks!
Comment 6 Paul P Komkoff Jr 2008-03-09 08:11:20 EDT
I've done the builds. If/when you have CVE numbers you can create the updates.
Or I can do it if you say so.
Comment 7 Lubomir Kundrak 2008-03-09 11:06:05 EDT
Please create the updates.

Thanks!
Comment 8 Fedora Update System 2008-03-10 07:06:06 EDT
roundup-1.4.4-1.fc7 has been submitted as an update for Fedora 7
Comment 9 Fedora Update System 2008-03-10 07:07:15 EDT
roundup-1.4.4-1.fc8 has been submitted as an update for Fedora 8
Comment 10 Fedora Update System 2008-03-13 03:38:58 EDT
roundup-1.4.4-1.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2008-03-13 03:48:55 EDT
roundup-1.4.4-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Red Hat Product Security 2008-04-23 02:15:19 EDT
This issue was addressed in:

Fedora:
  https://admin.fedoraproject.org/updates/F7/FEDORA-2008-2370
  https://admin.fedoraproject.org/updates/F8/FEDORA-2008-2471

Comment 13 Tomas Hoger 2008-06-06 03:42:51 EDT
CVE-2008-1474:

Multiple unspecified vulnerabilities in Roundup before 1.4.4 have unknown impact
and attack vectors, some of which may be related to cross-site scripting (XSS).
