Fedora: 2004-103 Critical: Remote Code Execution in Neon Library

neon is an HTTP and WebDAV client library, with a C interface;

providing a high-level interface to HTTP and WebDAV methods along

with a low-level interface for HTTP request handling. neon

supports persistent connections, proxy servers, basic, digest and

Kerberos authentication, and has complete SSL support.

Multiple format string vulnerabilities in neon 0.24.4 and earlier allow remote malicious WebDAV servers to execute arbitrary code.

Updated packages were made available in April 2004 however the original update notification email did not make it to fedora-announce-list at that time.

* Wed Apr 14 2004 Joe Orton <jorton@redhat.com> 0.24.5-1

- update to 0.24.5 for CAN 2004-0179 fix

* Thu Mar 25 2004 Joe Orton <jorton@redhat.com> 0.24.4-4

- implement the Negotate auth scheme, and only over SSL

* Tue Mar 02 2004 Elliot Lee <sopwith@redhat.com>

- rebuilt

* Wed Feb 25 2004 Joe Orton <jorton@redhat.com> 0.24.4-3

- use BuildRequires not BuildPrereq, drop autoconf, libtool; -devel requires {openssl,zlib}-devel (#116744)

* Fri Feb 13 2004 Elliot Lee <sopwith@redhat.com> 0.24.4-2

- rebuilt

* Mon Feb 09 2004 Joe Orton <jorton@redhat.com> 0.24.4-1

- update to 0.24.4

This update can be downloaded from:

f34a346e0d945707e888874699ed958a SRPMS/neon-0.24.5-1.src.r...