oss-sec mailing list archives
CVE Request - cups, dovecot-managesieve, perl, wireshark
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Fri, 28 Nov 2008 15:58:48 +0100
Hello Steve,

could you please allocate new CVE ids for the following vulnerabilities:

------------------------------------------------------------
cups -- buffer overflow in the PNG image read -- incomplete fix for CVE-2008-1722
        (http://www.cups.org/strfiles/2790/str2790.patch)
     -- advisory: http://www.cups.org/str.php?L2974
     -- patch: http://www.cups.org/strfiles/2974/str2974.patch
     -- affects: cups-1.1.17 <= x <= cups-1.3.9
     -- references:
        http://www.cups.org/str.php?L2974
        http://svn.easysw.com/public/cups/trunk/CHANGES-1.3.txt (Part "- SECURITY:")

------------------------------------------------------------
dovecot-managesieve -- virtual users can edit sieve scripts of other virtual users of the same uid
     -- advisory: http://www.dovecot.org/list/dovecot/2008-November/035259.html
     -- affects: all versions of dovecot-managesieve till dovecot-1.2-managesieve-0.11.0
     -- references:
        http://www.dovecot.org/list/dovecot/2008-November/035259.html
        http://secunia.com/Advisories/32768/
        http://bugs.gentoo.org/show_bug.cgi?id=248840
        http://www.frsirt.com/english/advisories/2008/3190

------------------------------------------------------------
perl -- perl-File-Path rmtree race condition (CVE-2005-0448 was assigned to address this)
     -- from below posted proposed fix:
        "This vulnerability was fixed in 5.8.4-7 but re-introduced
         in 5.8.8-1. It's also present in File::Path 2.xx, up to and
         including 2.07 which has only a partial fix."
     -- affects all upstream 5.8.8-1 based perl releases
        (have checked perl-5.8.8-1+ is reaffected, perl-5.8.10 already contains the fix)
     -- needs a new CVE id
     -- references:
        http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=286922
        http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=286922
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0448
        http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=85;filename=etch_03_fix_file_path;att=1;bug=286905
        http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=85;filename=sid_fix_file_path;att=2;bug=286905

------------------------------------------------------------
wireshark -- DoS (infinite loop) in SMTP dissector via large SMTP request
     -- affects: All versions of Wireshark <= 1.0.4
     -- references:
        https://bugzilla.redhat.com/show_bug.cgi?id=472737
        http://packetstormsecurity.org/0811-advisories/wireshark104-dos.txt
        http://www.securityfocus.com/archive/1/498562/30/0/threaded
        http://www.nabble.com/-SVRT-04-08--Vulnerability-in-WireShark-1.0.4-for-DoS-Attack-td20640164.html
     -- upstream patches:
        http://anonsvn.wireshark.org/viewvc/trunk/epan/dissectors/packet-smtp.c?r1=24989&r2=24988&pathrev=24989&view=patch
        http://anonsvn.wireshark.org/viewvc/trunk/epan/dissectors/packet-smtp.c?r1=24994&r2=24993&pathrev=24994&view=patch

-------------------------------------------------------------

Thanks!, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team