[SECURITY] Fedora 8 Update: adminutil-1.1.7-1.fc8

updates at fedoraproject.org
Wed Sep 10 06:50:06 UTC 2008


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2008-7642
2008-09-05 10:57:50
--------------------------------------------------------------------------------

Name        : adminutil
Product     : Fedora 8
Version     : 1.1.7
Release     : 1.fc8
URL         : http://directory.fedoraproject.org/wiki/AdminUtil
Summary     : Utility library for directory server administration
Description :
adminutil is a set of libraries of functions used to administer directory
servers, usually in conjunction with the admin server.  adminutil is
broken into two libraries - libadminutil contains the basic
functionality, and libadmsslutil contains SSL versions and wrappers
around the basic functions.  The PSET functions allow applications to
store their preferences and configuration parameters in LDAP, without
having to know anything about LDAP.  The configuration is cached in a
local file, allowing applications to function even if the LDAP server
is down.  The other code is typically used by CGI programs used for
directory server management, containing GET/POST processing code as
well as resource handling (ICU ures API).

--------------------------------------------------------------------------------
Update Information:

Fixes these bugs:

- CVE-2008-2928 - buffer overflow in Accept-Language parsing
    413531 Web browser accepted languages configuration causes dsgw CGI
    binaries to segfault
- improved fix for CVE-2008-2929 XSS issues (originally addressed in 1.1.6),
  that does not introduce heap overflow in parsing %-encoded inputs
  (CVE-2008-2932)
    245248 dsgw doesn't escape filename in error message
    454060 ViewLog CGI crash with new adminutil 1.1.6
--------------------------------------------------------------------------------
ChangeLog:

* Wed Aug 27 2008 Rich Megginson <rmeggins at redhat.com> - 1.1.7-1
- Resolves bug 454060   -  ViewLog CGI crash with new adminutil
- Resolves bug 413531   -  Web browser accepted languages configuration causes dsgw CGI binaries to segfault
* Mon Mar  3 2008 Rich Megginson <rmeggins at redhat.com> - 1.1.6-1
- Resolves bug 245248 - dsgw doesn't escape filename in error message
- The new dsgw hasn't been released yet, and the old one doesn't use
- this code.
* Thu Oct 18 2007 Rich Megginson <rmeggins at redhat.com> - 1.1.5-1
- bump version to 1.1.5
- fix icu linking issue
- disable libtool rpath by default - added --enable-rpath option to configure
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #453916 - CVE-2008-2928 Directory Server: CGI accept language buffer overflow
        https://bugzilla.redhat.com/show_bug.cgi?id=453916
  [ 2 ] Bug #454662 - CVE-2008-2932 Directory Server: adminutil / CGI heap overflow
        https://bugzilla.redhat.com/show_bug.cgi?id=454662
  [ 3 ] Bug #454621 - CVE-2008-2929 Directory Server: multiple XSS issues
        https://bugzilla.redhat.com/show_bug.cgi?id=454621
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update adminutil' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
http://fedoraproject.org/keys
--------------------------------------------------------------------------------