This week was rather slow from a security standpoint. This was a good thing, as it gave me some time to catch up on some things that were lagging behind. One of the more interesting things I did was get a webcam and use ekiga for some video conferencing. It's still a bit clunky, I thought, but in general very usable.
Security Updates
- kernel
Fixed in Red Hat Enterprise Linux 2.1, FC6
While there were kernel updates for both FC6 and RHEL 2.1, they have virtually nothing in common. A kernel update for any version of Red Hat Enterprise Linux has a rather strict process for including a fix. This is done because of issues such as keeping a stable ABI and having to maintain the kernel for 7 years. The Fedora kernel update follows upstream as closely as possible; this is by design, and it can be an advantage when trying to support new hardware.
- w3m
Fixed in FC5, FC6
- fetchmail
Fixed in FC5, FC6
- squirrelmail
Fixed in FC5, FC6
This squirrelmail update fixes a cross-site scripting flaw that was discovered in 2006. We usually consider cross-site scripting flaws to be of moderate severity. Ideally we like to sit on moderate issues for a short period of time, so that if another flaw is discovered in squirrelmail we can fix them all at once instead of shipping many little updates.
- squid
Fixed in FC5
The flaw fixed in this update, CVE-2007-0247, also affects FC6. That update should come out in the near future.
- ed
Fixed in FC5, FC6
Yes, a security update in ed. I can't help but keep thinking that Ed is the standard text editor. It's a minor temporary file flaw that's being fixed. I think it's noteworthy that ed is still packaged even though it's incredibly old.
A cacti flaw has been brought to my attention this week. I've heard from multiple sources that there is active exploitation of a rather foul cacti hole. If you're a cacti user, you will want to apply these patches:
http://www.cacti.net/download_patches.php?version=0.8.6i
This is a fine example of why there are serious advantages to running things that are packaged by your distribution. Usually the various distribution security teams will know about and fix security flaws before they are widely exploited.