From: "Yaakov (Cygwin Ports)"
Date: Fri, 26 Sep 2008 04:29:00 -0000
To: cygwin-apps@cygwin.com
Subject: SECURITY vulnerabilities update 2007-Sep-25
Message-ID: <48DC650B.7040407@users.sourceforge.net>

Unfortunately we haven't made any progress since my last update two
weeks ago, and now there's a new vulnerability (clamav).

By maintainer
=============
ORPHANED: apache2
Lapo Luchini: lighttpd
Reini Urban: clamav
Charles Wilson: tiff, unzip

By package
==========
apache2 *** ORPHANED ***
problem: multiple vulnerabilities (CVE-2007-6420, CVE-2008-1672/2364, CVE-2008-2939)
solution: bump to 2.2.9 AND add this patch:
http://svn.apache.org/viewvc?view=rev&revision=682870
info: http://www.gentoo.org/security/en/glsa/glsa-200807-06.xml
(Those wishing to take this over may find this helpful:
http://cygwin-ports.svn.sourceforge.net/viewvc/cygwin-ports/ports/trunk/www/apache2/
BUT the recent patch is not included in SVN yet.)

clamav
problem: DoS (CVE-2008-1389/3912/3913/3914)
solution: bump to 0.94
info: http://www.gentoo.org/security/en/glsa/glsa-200809-18.xml

lighttpd
problem: multiple vulnerabilities (CVE-2008-1270/1531)
solution: bump to 1.4.19 AND apply these patches:
http://sources.gentoo.org/viewcvs.py/gentoo-x86/www-servers/lighttpd/files/1.4.19-r2/
info: http://www.gentoo.org/security/en/glsa/glsa-200804-08.xml

tiff
problem: multiple buffer underflows (CVE-2008-2327)
solution: apply this patch
http://sources.gentoo.org/viewcvs.py/*checkout*/gentoo-x86/media-libs/tiff/files/tiff-3.8.2-CVE-2008-2327.patch
info: http://www.gentoo.org/security/en/glsa/glsa-200809-07.xml

unzip
problem: execution of arbitrary code (CVE-2008-0888)
solution: apply this patch
http://sources.gentoo.org/viewcvs.py/*checkout*/gentoo-x86/app-arch/unzip/files/unzip-5.52-CVE-2008-0888.patch
info: http://www.gentoo.org/security/en/glsa/glsa-200804-06.xml


Yaakov