This is a rollup bug for security related issues that need to be addressed before final release. Use this bug # for "blocks" on individual bugs feeding into this.
Priority: Normal => release_blockerStatus: NEW => ASSIGNEDAssignee: bugsquad => stewbintnTarget Milestone: --- => Mageia 1
Severity: normal => critical
CC: (none) => balcaen.john
Priority: release_blocker => High
Depends on: (none) => 989
updating as blocker, we will close it before final release
Priority: High => release_blockerStatus: ASSIGNED => NEWCC: (none) => ennael1
Depends on: (none) => 895
Sigh, I don't seem to even have time this week to open bug reports, but I've seen other vendor's reports go by on rsync, kerberos, php, fail2ban, mount, qemu-kvm, and the kernel. (osvdb mailer or oss-security list).
Status: NEW => ASSIGNED
Rsync is ok ( CVE-2011-1097 ), we have rsync 3.0.8. Kerberos is CVE-2011-0285, not patched. Qemu-kvm is CVE-2011-0011 CVE-2011-1750 , not patched. For the vnc issue ( CVE-2011-0011 ), the code changed in qemu 0.14 so I think we are covered ( http://git.kernel.org/?p=virt/kvm/qemu-kvm.git;a=commitdiff;h=1cd20f8bf0ecb9d1d1bd5e2ffab3b88835380c9b ), for the other one, I patched the code and submitted. I didn't found fail2ban problem ( I didn't searched much besides mdv and debian advisory ) For php, well, I would not even start to look at it. For mount, I didn't found much ( again, didn't look in detail ).
CC: (none) => misc
Here's some more info on fail2ban: References: > [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=544232 > [2] https://bugzilla.redhat.com/show_bug.cgi?id=700763 > > Patch applied by Debian distribution: > [3] http://git.onerussian.com/?p=deb/fail2ban.git;a=commitdiff;h=ea7d352616b1e2232fcaa99b11807a86ce29ed8b CVE-2009-5023 Mount is issues with suid helpers (extract from oss-security): CVE-2011-1675 - CVE-2011-1681 based on your list here: http://thread.gmane.org/gmane.comp.security.oss.general/4374/focus=4516 CVE-2011-1089 for similar nfs-utils: http://thread.gmane.org/gmane.comp.security.oss.general/4954 php is the usual fun, Ubuntu has issued an update for several CVE's: http://www.ubuntu.com/usn/usn-1126-1/
May also be a gstreamer issue (from RH advisory): An integer overflow flaw, leading to a heap-based buffer overflow, and a stack-based buffer overflow flaw were found in various ModPlug music file format library (libmodplug) modules, embedded in GStreamer. An attacker could create specially-crafted music files that, when played by a victim, would cause applications using GStreamer to crash or, potentially, execute arbitrary code. (CVE-2006-4192, CVE-2011-1574) All users of gstreamer-plugins are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the update, all applications using GStreamer (such as Rhythmbox) must be restarted for the changes to take effect.
Vino package have two CVE (CVE-2011-0904, CVE-2011-0905) which is not included, see USN-1128-1 for more information. I will patch vino and push it.
CC: (none) => saispo
Depends on: (none) => 1115
Depends on: (none) => 1116
Depends on: (none) => 1117
Depends on: (none) => 1121
I fixed fail2ban too, but same as Michael said i didn't found some patch or more information about mount and nfs-utils.
Blocks: (none) => 1142
Blocks: (none) => 1150
Blocks: (none) => 1149
Blocks: 1142 => (none)Depends on: (none) => 1142
Blocks: 1149 => (none)Depends on: (none) => 1149
Blocks: 1150 => (none)Depends on: (none) => 1150
Depends on: (none) => 1157
Depends on: (none) => 1165
Blocks: (none) => 1232
Depends on: (none) => 1280
Depends on: (none) => 1281
Blocks: 1232 => (none)Depends on: (none) => 1232
Depends on: (none) => 1298
Depends on: (none) => 1299
Depends on: (none) => 1300
Please do not add new bugs there as we are now working on releasing final release
Depends on: 1157 => (none)
Closing now as we won't add any new security updates before stable release
Status: ASSIGNED => RESOLVEDResolution: (none) => FIXED