This is the mail archive of the
cygwin-apps
mailing list for the Cygwin project.
HEADSUP: Security updates outstanding
- From: "Yaakov (Cygwin Ports)" <yselkowitz at users dot sourceforge dot net>
- To: cygwin-apps at cygwin dot com
- Date: Sun, 17 Aug 2008 20:00:36 -0500
- Subject: HEADSUP: Security updates outstanding
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Before packagers start focusing on 1.7, it appears that we still have a
number of security updates required for the 1.5 tree:
By maintainer
=============
ORPAHNED: apache2
Jari Aalto: mercurial, pngcrush, python-paramiko
Lapo Luchini: lighttpd
David Rothenberger: libvorbis
Reini Urban: icu
Charles Wilson: unzip
Dr. Volker Zell: gnutls, openldap
By package
==========
apache2
problem: multiple vulnerabilities (CVE-2007-6420, CVE-2008-1672/2364)
solution: bump to 2.2.9
info: http://www.gentoo.org/security/en/glsa/glsa-200807-06.xml
gnutls
problem: execution of arbitrary code (CVE-2008-1948/1949/1950)
solution: bump to 2.2.5+ (current stable 2.4.1)
info: http://www.gentoo.org/security/en/glsa/glsa-200805-20.xml
icu
problem: multiple vulnerabilities (CVE-2007-4770/4771)
solution: apply this patch:
http://sources.gentoo.org/viewcvs.py/*checkout*/gentoo-x86/dev-libs/icu/files/icu-3.8-regexp-CVE-2007-4770+4771.diff
info: http://www.gentoo.org/security/en/glsa/glsa-200803-20.xml
libvorbis
problem: heap-based buffer overflows (CVE-2008-1419/1420/1423)
solution: bump to 1.2.1-rc1, OR apply these patches to 1.2.0:
http://sources.gentoo.org/viewcvs.py/*checkout*/gentoo-x86/media-libs/libvorbis/files/libvorbis-1.2.0-CVE-2008-1419.patch
http://sources.gentoo.org/viewcvs.py/*checkout*/gentoo-x86/media-libs/libvorbis/files/libvorbis-1.2.0-CVE-2008-1420.patch
http://sources.gentoo.org/viewcvs.py/*checkout*/gentoo-x86/media-libs/libvorbis/files/libvorbis-1.2.0-CVE-2008-1423.patch
info: http://www.gentoo.org/security/en/glsa/glsa-200806-09.xml
lighttpd
problem: multiple vulnerabilities (CVE-2008-1270/1531)
solution: bump to 1.4.19 AND apply these patches:
http://sources.gentoo.org/viewcvs.py/gentoo-x86/www-servers/lighttpd/files/1.4.19-r2/
info: http://www.gentoo.org/security/en/glsa/glsa-200804-08.xml
mercurial
problem: directory traversal (CVE-2008-2942)
solution: bump to 1.0.2
info: http://www.gentoo.org/security/en/glsa/glsa-200807-09.xml
openldap
problem: DoS (CVE-2008-2952)
solution: bump to 2.3.43 or 2.4.11
info: http://www.gentoo.org/security/en/glsa/glsa-200808-09.xml
pngcrush
problem: user-assisted execution of arbitrary code (CVE-2008-1382)
solution: bump to 1.6.7 and patch to use system libpng:
http://sources.gentoo.org/viewcvs.py/gentoo-x86/media-gfx/pngcrush/files/pngcrush-1.6.7-modified_debian_patchset_1.patch
info: http://www.gentoo.org/security/en/glsa/glsa-200805-10.xml
python-paramiko
problem: information disclosure (CVE-2008-0299)
solution: bump to 1.7.2
info: http://www.gentoo.org/security/en/glsa/glsa-200803-07.xml
unzip
problem: execution of arbitrary code (CVE-2008-0888)
solution: apply this patch
http://sources.gentoo.org/viewcvs.py/*checkout*/gentoo-x86/app-arch/unzip/files/unzip-5.52-CVE-2008-0888.patch
info: http://www.gentoo.org/security/en/glsa/glsa-200804-06.xml
Yaakov
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Cygwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEAREIAAYFAkioybQACgkQpiWmPGlmQSPcWgCg+iuHvJPW9zwZeRJVVkEzzYMW
1GcAoPQDveXwTGKE8u7Hp+/K4M3GM+XA
=+nV6
-----END PGP SIGNATURE-----