Summary of vulnerabilities with FC3

Michael Tiemann tiemann at redhat.com
Tue Nov 9 13:56:39 UTC 2004


Great message--thanks for sending!

M

On Tue, 2004-11-09 at 07:20, Mark J Cox wrote:
> Near the release time of each new distribution the Red Hat security team
> go through all the security advisories for the past few years as well as
> issues that affected others but not Red Hat to ensure that the new
> distribution is up to date with security patches.  We did this with FC3 a
> few weeks ago and corrected most of the issues we found that were unfixed.  
> So this email is just really a FYI so we have the details stored for
> future reference.
> 
> (The method is to collect a list of all possible vulnerabilities that
> could affect the FC3 package set, by CVE name.  This list comes from all
> RHEL3 advisories to date, all FC1 and FC2 update notifications, our
> internal list of issues that didn't need fixing for whatever reason, the
> CVE named issues in Bugzilla, and finally looking at new packages in FC3
> that were not previously in another release).  Then for each CVE issue we
> look to see which upstream version (if any) the vulnerability is fixed in,
> and if FC3 contains that (or a better) upstream version.  If not, we check
> to see if the FC3 package contains a backported fix for the issue.  For
> this audit we trust changelog entries that say that a backported fix is
> included since these will have already been audited by us when the
> relevant FC2/1 or RHEL advisory came out.  We also trust upstream
> announcements that state which versions have fixed particular
> vulnerabilities.)
> 
> So this table gives the CVE name, the reason why FC3 isn't vulnerable 
> (either it has an upstream version that isn't vulnerable, or it contains a 
> backported security fix), and optional comments showing the package name, 
> version it was fixed in, or method used to verify the details.
> 
> Corrections or missed issues appreciated to secalert at redhat.com (although
> now FC3 is out we track all new issues in a different way, so we won't do
> new versions of this table).
> 
> CAN-2003-0328 backport (epic, changelog)
> CAN-2003-0542 version (httpd, fixed 2.0.48)
> CAN-2003-0564 version (Mozilla, ICAT)
> CAN-2003-0594 version (Mozilla, ICAT)
> CAN-2003-0789 version (httpd, fixed 2.0.48)
> CAN-2003-0848 backport (slocate, changelog)
> CAN-2003-0853 version (coreutils, fixed 5.1.3)
> CAN-2003-0856 version (iproute)
> CAN-2003-0858 version (quagga, fixed 0.95)
> CAN-2003-0859 version (glibc, checked source)
> CAN-2003-0925 version (ethereal, fixed 0.9.16)
> CAN-2003-0926 version (ethereal, fixed 0.9.16)
> CAN-2003-0927 version (ethereal, fixed 0.9.16)
> CAN-2003-0935 version (Net-SNMP, fixed 5.0.9)
> CAN-2003-0962 version (rsync, fixed 2.5.7)
> CAN-2003-0963 version (lftp, fixed after 2.6.9)
> CAN-2003-0967 version (FreeRADIUS, fixed after 0.9.2)
> CAN-2003-0971 version (GnuPG, fixed after 1.0.2)
> CAN-2003-0973 version (mod_python, fixed 3.0.4)
> CAN-2003-0977 version (CVS, fixed 1.11.10)
> CAN-2003-0989 version (tcpdump, fixed 3.8.1)
> CAN-2003-0992 version (mailman, fixed 2.1.4)
> CAN-2003-1012 version (ethereal, fixed 0.10.0)
> CAN-2003-1013 version (ethereal, fixed 0.10.0)
> CAN-2003-1023 version (mc, 4.6.1)
> CAN-2004-0006 version (Gaim, fixed 0.76)
> CAN-2004-0007 version (Gaim, fixed 0.75)
> CAN-2004-0008 version (Gaim, fixed 0.75)
> CAN-2004-0055 version (tcpdump, fixed 3.8.2)
> CAN-2004-0057 version (tcpdump, fixed 3.8.2)
> CAN-2004-0079 backport (OpenSSL, changelog)
> CAN-2004-0081 VULNERABLE (openssl096b only, see bug 138365)
> CAN-2004-0083 version (XFree86)
> CAN-2004-0084 version (XFree86)
> CAN-2004-0097 version (PWLib, fixed 1.6.0)
> CAN-2004-0098 version (php)
> CAN-2004-0106 version (XFree86)
> CAN-2004-0107 version (sysstat, fixed after 4.0.7)
> CAN-2004-0110 version (libxml2, fixed 2.6.6)
> CAN-2004-0112 backport (OpenSSL, changelog)
> CAN-2004-0150 version (python, fixed 2.2.2)
> CAN-2004-0155 version (Racoon)
> CAN-2004-0164 version (Racoon)
> CAN-2004-0174 version (httpd, fixed 2.0.49)
> CAN-2004-0176 version (ethereal, fixed 0.10.3)
> CAN-2004-0179 version (neon, fixed 0.24.5)
> CAN-2004-0179 version (openoffice.org)
> CAN-2004-0180 version (cvs, fixed 1.11.15)
> CAN-2004-0182 version (mailman, only affected RH packages)
> CAN-2004-0183 version (tcpdump, fixed 3.8.2)
> CAN-2004-0184 version (tcpdump, fixed 3.8.2)
> CAN-2004-0186 version (samba, not 3.0.2a)
> CAN-2004-0226 version (mc, fixed 4.6.0)
> CAN-2004-0231 version (mc, fixed 4.6.0)
> CAN-2004-0232 version (mc, fixed 4.6.0)
> CAN-2004-0233 backport (utempter, changelog)
> CAN-2004-0234 backport (lha, changelog)
> CAN-2004-0235 backport (lha, changelog)
> CAN-2004-0256 version (libtool, fixed 1.5.2)
> CAN-2004-0365 version (ethereal, fixed 0.10.3)
> CAN-2004-0367 version (ethereal, fixed 0.10.3)
> CAN-2004-0381 backport (mysql, changelog)
> CAN-2004-0388 backport (mysql, changelog)
> CAN-2004-0396 version (cvs, fixed 1.12.8)
> CAN-2004-0397 version (subversion, fixed 1.0.1)
> CAN-2004-0398 version (neon, fixed 0.24.6)
> CAN-2004-0403 version (racoon, fixed 20040408a)
> CAN-2004-0405 version (cvs, fixed 1.11)
> CAN-2004-0409 version (xchat, fixed after 2.0.8)
> CAN-2004-0411 version (kde, fixed 3.3*)
> CAN-2004-0412 version (mailman, fixed 2.1.5)
> CAN-2004-0413 version (subversion, fixed 1.0.5)
> CAN-2004-0414 version (cvs, fixed 1.11.17)
> CAN-2004-0416 version (cvs, fixed 1.11.17)
> CAN-2004-0417 version (cvs, fixed 1.11.17)
> CAN-2004-0418 version (cvs, fixed 1.11.17)
> CAN-2004-0419 version (xorg-x11)
> CAN-2004-0421 version (libpng, fixed 1.0.16)
> CAN-2004-0422 version (flim, fixed 1.14.3)
> CAN-2004-0426 version (rsync, fixed 2.6.1)
> CAN-2004-0457 backport (mysql, changelog)
> CAN-2004-0460 version (dhcp, fixed after 3.0.1rc13)
> CAN-2004-0461 version (dhcp, fixed after 3.0.1rc13)
> CAN-2004-0488 version (httpd, fixed 2.0.50)
> CAN-2004-0493 version (httpd, fixed 2.0.50)
> CAN-2004-0494 version (mc, fixed 4.6.1)
> CAN-2004-0500 version (gaim, fixed 0.82)
> CAN-2004-0504 version (ethereal, fixed 0.10.4)
> CAN-2004-0505 version (ethereal, fixed 0.10.4)
> CAN-2004-0506 version (ethereal, fixed 0.10.4)
> CAN-2004-0507 version (ethereal, fixed 0.10.4)
> CAN-2004-0519 version (squirrelmail, fixed 1.4.3a)
> CAN-2004-0520 version (squirrelmail, fixed 1.4.3a)
> CAN-2004-0521 version (squirrelmail, fixed 1.4.3a)
> CAN-2004-0523 version (krb5, fixed 1.3.4)
> CAN-2004-0541 version (squid)
> CAN-2004-0557 version (sox, fixed after 12.17.4)
> CAN-2004-0558 version (cups, fixed 1.1.21)
> CAN-2004-0594 version (php, fixed 4.3.8)
> CAN-2004-0595 version (php, fixed 4.3.8)
> CAN-2004-0597 version (libpng, fixed 1.2.6)
> CAN-2004-0597 version (mozilla, fixed 1.7.2)
> CAN-2004-0598 version (libpng, fixed 1.2.6)
> CAN-2004-0599 version (libpng, fixed 1.2.6)
> CAN-2004-0599 version (mozilla, fixed 1.7.2)
> CAN-2004-0600 version (samba, fixed 3.0.6)
> CAN-2004-0607 version (racoon, note RHSA-2004:308 has wrong text)
> CAN-2004-0633 version (ethereal, fixed 0.10.5)
> CAN-2004-0634 version (ethereal, fixed 0.10.5)
> CAN-2004-0635 version (ethereal, fixed 0.10.5)
> CAN-2004-0642 backport (krb5, changelog)
> CAN-2004-0644 backport (krb5, changelog)
> CAN-2004-0645 version (abiword, fixed 2.0.9)
> CAN-2004-0686 version (samba, fixed 3.0.6)
> CAN-2004-0687 version (OpenMotif libxpm)
> CAN-2004-0687 VULNERABLE (lesstif libxpm, see bug 135080)
> CAN-2004-0688 version (OpenMotif libxpm)
> CAN-2004-0687 VULNERABLE (lesstif libxpm, see bug 135081)
> CAN-2004-0689 version (kde, fixed 3.3.0)
> CAN-2004-0691 version (gdk-pixbuf; qt, fixed 3.3.3)
> CAN-2004-0692 version (qt, fixed 3.3.3)
> CAN-2004-0693 version (qt, fixed 3.3.3)
> CAN-2004-0694 backport (lha, changelog)
> CAN-2004-0718 version (mozilla #246448, fixed 1.7)
> CAN-2004-0721 version (kde, fixed 3.3*)
> CAN-2004-0722 version (mozilla #236618, fixed 1.7)
> CAN-2004-0745 backport (lha, changelog)
> CAN-2004-0746 version (kde, fixed 3.3*)
> CAN-2004-0747 version (httpd, fixed 2.0.51)
> CAN-2004-0748 version (httpd, fixed 2.0.51)
> CAN-2004-0749 version (subversion, fixed 1.0.8)
> CAN-2004-0750 version (redhat-config-nfs, fixed 1.0.13)
> CAN-2004-0751 version (httpd, fixed 2.0.51)
> CAN-2004-0752 backport (openoffice.org, in ooo-build-cvs)
> CAN-2004-0753 backport (gtk2; gdk-pixbuf, changelog)
> CAN-2004-0753 version (gdk-pixbuf, fixed 0.22)
> CAN-2004-0754 version (gaim, fixed 0.82)
> CAN-2004-0755 version (ruby, fixed 1.8.1)
> CAN-2004-0757 version (mozilla #229374, fixed 1.7)
> CAN-2004-0758 version (mozilla, fixed 1.7.2)
> CAN-2004-0759 version (mozilla #241924, fixed 1.7)
> CAN-2004-0760 version (mozilla #250906, fixed 1.7.2)
> CAN-2004-0761 version (mozilla #240053, fixed 1.7)
> CAN-2004-0762 version (mozilla #162020, fixed 1.7)
> CAN-2004-0763 version (mozilla #253121, fixed 1.7.2)
> CAN-2004-0764 version (mozilla #244965, fixed 1.7)
> CAN-2004-0765 version (mozilla #234058, fixed 1.7)
> CAN-2004-0769 backport (lha, changelog)
> CAN-2004-0771 backport (lha, changelog)
> CAN-2004-0772 backport (krb5, changelog)
> CAN-2004-0778 version (cvs, fixed 1.11.17)
> CAN-2004-0782 backport (gtk2; gdk-pixbuf, patch)
> CAN-2004-0782 version (gtk;gdk-pixbuf, fixed 0.22)
> CAN-2004-0783 backport (gtk2; gdk-pixbuf, patch)
> CAN-2004-0783 version (gtk;gdk-pixbuf, fixed 0.22)
> CAN-2004-0784 version (gaim, fixed 0.82)
> CAN-2004-0785 version (gaim, fixed 0.82)
> CAN-2004-0786 backport (apr-util, changelog)
> CAN-2004-0788 backport (gtk2; gdk-pixbuf, patch)
> CAN-2004-0788 version (gtk;gdk-pixbuf, fixed 0.22)
> CAN-2004-0792 version (rsync)
> CAN-2004-0796 version (spamassassin, fixed 2.64)
> CAN-2004-0797 version (zlib)
> CAN-2004-0801 version (foomatic, fixed 3.0.2)
> CAN-2004-0803 backport (libtiff, changelog)
> CAN-2004-0803 version (kdegraphics, fixed by Update on 20041109)
> CAN-2004-0804 backport (libtiff, changelog)
> CAN-2004-0804 version (kdegraphics, fixed by Update on 20041109)
> CAN-2004-0806 version (cdrecord, fixed 2.0.1)
> CAN-2004-0807 version (samba, fixed 3.0.7)
> CAN-2004-0808 version (samba, fixed 3.0.7)
> CAN-2004-0809 version (httpd, fixed 2.0.51)
> CAN-2004-0811 version (httpd, fixed 2.0.52)
> CAN-2004-0817 backport (imlib, changelog)
> CAN-2004-0827 version (ImageMagick, fixed 6.0.6.2)
> CAN-2004-0829 (not a security issue)
> CAN-2004-0832 version (squid, fixed 2.5.7)
> CAN-2004-0835 backport (mysql, changelog)
> CAN-2004-0836 backport (mysql, changelog)
> CAN-2004-0837 backport (mysql, changelog)
> CAN-2003-0860 version (php, fixed 4.3.3)
> CAN-2003-0861 version (php, fixed 4.3.3)
> CAN-2004-0884 backport (cyrus-sasl, changelog)
> CAN-2004-0885 backport (httpd, changelog)
> CAN-2004-0886 backport (libtiff, changelog)
> CAN-2004-0886 version (kdegraphics, fixed by Update on 20041109)
> CAN-2004-0888 backport (xpdf, changelog)
> CAN-2004-0888 backport (cups, **since 1.1.22-0.rc1.8** FC3-3.3)
> CAN-2004-0888 backport (gpdf, **since 2.8.0-5** FC3-3.4)
> CAN-2004-0888 VULNERABLE (tetex, see bug 137476)
> CAN-2004-0889 backport (xpdf, changelog)
> CAN-2004-0891 backport (gaim, changelog)
> CAN-2004-0902 version (mozilla #133023, fixed 1.7.3)
> CAN-2004-0903 version (mozilla #133016, fixed 1.7.3)
> CAN-2004-0904 version (mozilla #133014, fixed 1.7.3)
> CAN-2004-0905 version (mozilla #133012, fixed 1.7.3)
> CAN-2004-0908 version (mozilla #133021, fixed 1.7.3)
> CAN-2004-0918 backport (squid, changelog)
> CAN-2004-0923 backport (cups, changelog)
> CAN-2004-0930 VULNERABLE (Samba, see bug 138326)
> CAN-2004-0938 version (freeradius, fixed 1.0.1)
> CAN-2004-0942 VULNERABLE (httpd, see bug 138065)
> CAN-2004-0957 backport (mysql, changelog)
> CAN-2004-0958 version (php, fixed 4.3.9)
> CAN-2004-0959 version (php, fixed 4.3.9)
> CAN-2004-0960 version (freeradius, fixed 1.0.1)
> CAN-2004-0961 version (freeradius, fixed 1.0.1)
> CAN-2004-0966 backport (gettext, **since 0.14.1-12** FC3-3.8)
> CAN-2004-0967 backport (ghostscript, changelog)
> CAN-2004-0968 backport (glibc, changelog)
> CAN-2004-0969 backport (groff, changelog)
> CAN-2004-0971 VULNERABLE (krb5, see bug 136307)
> CAN-2004-0972 VULNERABLE (lvm, see bug 136309)
> CAN-2004-0974 VULNERABLE (tetex, see bug 137966)
> CAN-2004-0975 VULNERABLE (openssl, see bug 136303)
> CAN-2004-0976 version (perl, since 5.8.4)
> CAN-2004-0977 backport (postgresql, **since 7.4.5-4** FC3-3.2)
> CAN-2004-0981 VULNERABLE (ImakeMagick, see bug 138385)
> CAN-2004-0983 VULNERABLE (Ruby, see bug 138366)
> CAN-2004-0989 backport (libxml2, **since 2.6.14-2** FC3-3.3)
> CAN-2004-0990 VULNERABLE (gd, see bug 137247)
> CVE-2002-1363 version (libpng, fixed 1.2.6)
> CVE-2003-0020 version (httpd, fixed 2.0.49)
> CVE-2003-0924 version (netpbm, fixed 9.26)
> CVE-2003-0988 version (kde, fixed 3.1.5)
> CVE-2004-0078 backport (mutt, changelog)
> CVE-2004-0082 version (samba, fixed 3.0.2)
> CVE-2004-0096 version (mod_python, fixed after 2.7.9)
> CVE-2004-0108 version (sysstat)
> CVE-2004-0111 version (gdk-pixbuf, fixed 0.20)
> CVE-2004-0113 version (httpd, fixed 2.0.49)
> CVE-2004-0189 version (squid, fixed 2.5stable5)
> CVE-2004-0191 version (Mozilla, fixed 1.4.2)
> 




More information about the fedora-devel-list mailing list