Bug 436546 (CVE-2008-1474) - CVE-2008-1474 Roundup 1.4.4 contains security fixes
Summary: CVE-2008-1474 Roundup 1.4.4 contains security fixes
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2008-1474
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 436547 436548 436549
Blocks:
Reported: 2008-03-07 20:25 UTC by Lubomir Kundrak
Modified: 2008-06-06 07:42 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-04-23 06:15:19 UTC
Embargoed:



Description Lubomir Kundrak 2008-03-07 20:25:24 UTC
1.) First one is this:

http://sourceforge.net/tracker/index.php?func=detail&aid=1907211&group_id=31577&atid=402788

The ticket more-or-less describes the fix.
The pertinent changes are these:

http://sourceforge.net/mailarchive/forum.php?thread_name=E1JXR7v-0000BC-C0%40sc8-pr-cvs9.sourceforge.net&forum_name=roundup-checkins
http://sourceforge.net/mailarchive/forum.php?thread_name=E1JXR7v-0000B9-5n%40sc8-pr-cvs9.sourceforge.net&forum_name=roundup-checkins
http://sourceforge.net/mailarchive/forum.php?thread_name=E1JXR7v-0000B8-5X%40sc8-pr-cvs9.sourceforge.net&forum_name=roundup-checkins

2.) And second one will probably need some more thinking; all upstream says is
"security fix"

Documentation:

http://sourceforge.net/mailarchive/forum.php?thread_name=E1JVMv3-0004gZ-HE%40sc8-pr-cvs9.sourceforge.net&forum_name=roundup-checkins
http://sourceforge.net/mailarchive/forum.php?thread_name=E1JVMv3-0004gU-Dg%40sc8-pr-cvs9.sourceforge.net&forum_name=roundup-checkins
http://sourceforge.net/mailarchive/forum.php?thread_name=E1JVMv3-0004gV-DP%40sc8-pr-cvs9.sourceforge.net&forum_name=roundup-checkins

Serious business:

http://sourceforge.net/mailarchive/forum.php?thread_name=E1JVMv3-0004gf-J2%40sc8-pr-cvs9.sourceforge.net&forum_name=roundup-checkins
http://sourceforge.net/mailarchive/forum.php?thread_name=E1JVMv3-0004gs-To%40sc8-pr-cvs9.sourceforge.net&forum_name=roundup-checkins
http://sourceforge.net/mailarchive/forum.php?thread_name=E1JVMv3-0004gr-TW%40sc8-pr-cvs9.sourceforge.net&forum_name=roundup-checkins

I might have forgotten some as well:

http://sourceforge.net/mailarchive/forum.php?forum_name=roundup-checkins

Comment 1 Lubomir Kundrak 2008-03-07 20:30:13 UTC
CVE names requested

Comment 3 Paul P Komkoff Jr 2008-03-07 22:36:58 UTC
Thank you for bringing this to my attention.
I am putting together the 1.4.4 rpm now.

Comment 4 Paul P Komkoff Jr 2008-03-07 23:24:29 UTC
This is my first security update; shall I wait for CVE names to include them
in the %changelog, or can I just go ahead and build everything now? Thanks.

Comment 5 Lubomir Kundrak 2008-03-08 07:07:40 UTC
Paul, feel free to build the packages even without the CVE names. Refer to this
bug report in the changelog. Thanks!

Comment 6 Paul P Komkoff Jr 2008-03-09 12:11:20 UTC
I've done the builds. If/when you have CVE numbers you can create the updates.
Or I can do it if you say so.

Comment 7 Lubomir Kundrak 2008-03-09 15:06:05 UTC
Please create the updates.

Thanks!

Comment 8 Fedora Update System 2008-03-10 11:06:06 UTC
roundup-1.4.4-1.fc7 has been submitted as an update for Fedora 7

Comment 9 Fedora Update System 2008-03-10 11:07:15 UTC
roundup-1.4.4-1.fc8 has been submitted as an update for Fedora 8

Comment 10 Fedora Update System 2008-03-13 07:38:58 UTC
roundup-1.4.4-1.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2008-03-13 07:48:55 UTC
roundup-1.4.4-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Red Hat Product Security 2008-04-23 06:15:19 UTC
This issue was addressed in:

Fedora:
  https://admin.fedoraproject.org/updates/F7/FEDORA-2008-2370
  https://admin.fedoraproject.org/updates/F8/FEDORA-2008-2471



Comment 13 Tomas Hoger 2008-06-06 07:42:51 UTC
CVE-2008-1474:

Multiple unspecified vulnerabilities in Roundup before 1.4.4 have unknown impact
and attack vectors, some of which may be related to cross-site scripting (XSS).

