[Fedora-security-commits] fedora-security/audit f8, 1.1, 1.2 f9, 1.1, 1.2 fc6, 1.288, 1.289 fc7, 1.161, 1.162

fedora-security-commits at redhat.com fedora-security-commits at redhat.com
Thu Nov 1 17:02:08 UTC 2007 

Author: lkundrak

Update of /cvs/fedora/fedora-security/audit
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv10002

Modified Files:
	f8 f9 fc6 fc7 
Log Message:
Updated a couple of outstanding rawhide issues, tidied up a bit.



Index: f8
===================================================================
RCS file: /cvs/fedora/fedora-security/audit/f8,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- f8	1 Nov 2007 15:20:35 -0000	1.1
+++ f8	1 Nov 2007 17:02:06 -0000	1.2
@@ -12,12 +12,12 @@
 CVE-2007-5708 VULNERABLE (openldap, fixed 2.3.39) #360081
 CVE-2007-5707 VULNERABLE (openldap, fixed 2.3.39) #360081
 CVE-2007-5624 VULNERABLE (nagios, fixed 2.10) #349011
-*CVE-2007-5623 VULNERABLE (nagios-plugins, not fixed 1.4.10) #348731
+CVE-2007-5623 VULNERABLE (nagios-plugins, not fixed 1.4.10) #348731
 CVE-2007-5589 VULNERABLE (phpMyAdmin, fixed 2.11.1.2) #333661 PMASA-2007-6
 CVE-2007-5461 VULNERABLE (tomcat5, not fixed 5.5.25) #334531
 CVE-2007-5386 version (phpmyadmin, fixed 2.11.1.1) #333661 PMASA-2007-5
 CVE-2007-5201 VULNERABLE (duplicity, no upstream fix) #293081
-*CVE-2007-5200 VULNERABLE (hugin) #332401
+CVE-2007-5200 VULNERABLE (hugin) #332401
 CVE-2007-5198 VULNERABLE (nagios-plugins, fixed 1.4.10) #315101
 CVE-2007-5079 VULNERABLE (gdm) #239820 Red Hat specific problem
 CVE-2007-5037 version (inotify-tools, fixed 3.11) #299771
@@ -29,28 +29,28 @@
 CVE-2007-4619 version (flac, fixed 1.2) #332581
 CVE-2007-4568 version (xorg-x11-xfs, fixed 1.0.5)
 CVE-2007-4559 VULNERABLE (python, not fixed upstream) #315291 Upstream WONTFIX. See where we use the code.
-CVE-2007-4476 VULNERABLE (cpio, not fixed 2.9) Needs bug
+CVE-2007-4476 VULNERABLE (cpio, not fixed 2.9) #339691
 CVE-2007-4400 VULNERABLE (konversation) #253545 Remove media script?
-*CVE-2007-3999 VULNERABLE (nfs-utils-lib) #294901
-*CVE-2007-3999 VULNERABLE (libtirpc) #294921
+CVE-2007-3999 VULNERABLE (nfs-utils-lib) #362091
+CVE-2007-3999 VULNERABLE (libtirpc) #362111
 CVE-2007-3920 VULNERABLE (compiz, not fixed upstream) #350271
-CVE-2007-3919 VULNERABLE (xen, not fixed 3.1)
+CVE-2007-3919 backport (xen, fixed 3.1.0-13) #361991
 CVE-2007-3844 version (firefox, fixed 2.0.0.6)
-*CVE-2007-3843 VULNERABLE (kernel) #246595 I suspect this is already fixed in Fedora
+CVE-2007-3843 version (kernel) #246595 No idea which version fixed this
 CVE-2007-3544 VULNERABLE (wordpress, NOT fixed 2.2.1) #245211 Incomplete fix for CVE-2007-3543
 CVE-2007-3387 version (poppler, fixed 0.5.91) #251512
-*CVE-2007-3145 VULNERABLE (galeon) **
+CVE-2007-3145 ignore (galeon) in 2.0.3 the truncation still occurs, but at reasonable length
 CVE-2007-2450 VULNERABLE (tomcat5, not fixed 5.5.24) #244810
 CVE-2007-2449 VULNERABLE (tomcat5, not fixed 5.5.24) #244810
 CVE-2007-2245 version (phpMyAdmin, fixed 2.10.1) #237882
 CVE-2007-2165 version (proftpd, fixed 1.3.1rc3) #237533
 CVE-2007-1841 version (ipsec-tools, fixed 0.6.7) #238052
 CVE-2007-1804 version (pulseaudio) #235013 NOTABUG, there are other known ways to crash pulse.
-*CVE-2007-1558 VULNERABLE (evolution)
+CVE-2007-1558 version (evolution, fixed 1.8.3-5)
 CVE-2007-1352 version (libXfont, fixed 1.2.8) #235265
 CVE-2007-1351 version (libXfont, fixed 1.2.8) #235265
 CVE-2007-1103 ignore (tor) #230927 CANTFIX really
-CVE-2007-1004 VULNERABLE (mozilla) Needs an upstream bug
+CVE-2007-1004 VULNERABLE (mozilla) https://bugzilla.mozilla.org/show_bug.cgi?id=402060
 CVE-2007-1003 version (xorg-x11-server, fixed 1.2.1) #235263
 CVE-2007-1002 version (evolution, fixed 2.8.2.1) #233587
 CVE-2007-0654 backport (xmms, not fixed 1.2.10) #233705 Fixed in older ones?
@@ -59,20 +59,20 @@
 CVE-2007-0235 version (libgtop2, fixed 2.14.6) #222637 not sure, will triage
 CVE-2007-0095 ignore (phpMyAdmin) #221694 "Reveals path"
 CVE-2006-6698 VULNERABLE (GConf2) #219280
-*CVE-2006-6128 VULNERABLE (kernel, fixed **) ReiserFS MOKB
+CVE-2006-6128 version (kernel, fixed 2.6.19-1.2911.fc6) #250625 ReiserFS MOKB
 CVE-2006-6107 version (dbus, fixed 1.0.2) #219665
 CVE-2006-6077 version (firefox, fixed 1.5.0.10)
-*CVE-2006-6058 VULNERABLE (kernel, fixed **) Minix MOKB. I though this one had a bug. RHSA-2007:0672. Will ping esandeen.
-*CVE-2006-6057 VULNERABLE (kernel, fixed **) GFS2 MOKB.
+CVE-2006-6058 VULNERABLE (kernel) #250623 Minix MOKB. In stable tree, should be fixed in 2.6.24
+CVE-2006-6057 version (kernel, fixed 2_6_20-1_2924_fc6) GFS2 MOKB.
 CVE-2006-5868 version (ImageMagick, fixed 6.2.9.1) #217560
 CVE-2006-5864 version (evince, fixed 0.6.3) #217672
 CVE-2006-5779 version (openldap, fixed 2.3.29) #214768
 CVE-2006-5749 version (kernel, fixed 2.6.20-rc2)
-*CVE-2006-5701 VULNERABLE (kernel) squashfs MOKB
+CVE-2006-5701 version (kernel, kernel-2_6_20-1_2927_fc6) squashfs MOKB
 CVE-2006-5466 version (rpm, fixed 4.4.2.1) #212833
 CVE-2006-5461 version (avahi, fixed 0.6.15)
 CVE-2006-5397 version (libX11, fixed 1.0.4) #213280
-*CVE-2006-5214 VULNERABLE (xorg-x11-xinit) #212167
+CVE-2006-5214 backport (xorg-x11-xinit, fixed xorg-x11-xinit-1.0.2-21) #212167
 CVE-2006-5178 ignore (php) safe_mode WONTFIX
 CVE-2006-5170 version (nss_ldap, fixed 183)
 CVE-2006-4573 version (screen, fixed 4.0.3) #212057
@@ -85,7 +85,7 @@
 CVE-2006-0987 ignore (bind) example config file only
 CVE-2006-0496 VULNERABLE (firefox) https://bugzilla.mozilla.org/show_bug.cgi?id=324253
 CVE-2005-4809 ignore (firefox) Status bar can be modified anyways
-*CVE-2005-4790 VULNERABLE (tomboy) #252294
-*CVE-2005-3675 VULNERABLE (kernel) optack, no upstream fix
+CVE-2005-4790 VULNERABLE (tomboy) #252294
+CVE-2005-3675 VULNERABLE (kernel) optack, no upstream fix -- TCP protocol weakness
 CVE-2003-1265 VULNERABLE (thunderbird) https://bugzilla.mozilla.org/show_bug.cgi?id=198442 (probably "ignore")
 CVE-2003-1265 VULNERABLE (seamonkey) https://bugzilla.mozilla.org/show_bug.cgi?id=198442 (probably "ignore")


Index: f9
===================================================================
RCS file: /cvs/fedora/fedora-security/audit/f9,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- f9	1 Nov 2007 15:21:22 -0000	1.1
+++ f9	1 Nov 2007 17:02:06 -0000	1.2
@@ -1,23 +1,23 @@
 # $Id$
 
 # ** are items that need attention
-# *CVE are items that need verification for Fedora 9
+# *CVE are items that need verification for Fedora 8
 # (mozilla) = (gecko-libs dependent stuff)
 
 # Up to date CVE as of CVE email 20071030
-# Up to date F9 as of 20071029
+# Up to date F8 as of 20071029
 
 GENERIC-MAP-NOMATCH VULNERABLE (nx) #293031
 CVE-2007-5712 VULNERABLE (Django, fixed 0.96.1) #357051
 CVE-2007-5708 VULNERABLE (openldap, fixed 2.3.39) #360081
 CVE-2007-5707 VULNERABLE (openldap, fixed 2.3.39) #360081
 CVE-2007-5624 VULNERABLE (nagios, fixed 2.10) #349011
-*CVE-2007-5623 VULNERABLE (nagios-plugins, not fixed 1.4.10) #348731
+CVE-2007-5623 VULNERABLE (nagios-plugins, not fixed 1.4.10) #348731
 CVE-2007-5589 VULNERABLE (phpMyAdmin, fixed 2.11.1.2) #333661 PMASA-2007-6
 CVE-2007-5461 VULNERABLE (tomcat5, not fixed 5.5.25) #334531
 CVE-2007-5386 version (phpmyadmin, fixed 2.11.1.1) #333661 PMASA-2007-5
 CVE-2007-5201 VULNERABLE (duplicity, no upstream fix) #293081
-*CVE-2007-5200 VULNERABLE (hugin) #332401
+CVE-2007-5200 VULNERABLE (hugin) #332401
 CVE-2007-5198 VULNERABLE (nagios-plugins, fixed 1.4.10) #315101
 CVE-2007-5079 VULNERABLE (gdm) #239820 Red Hat specific problem
 CVE-2007-5037 version (inotify-tools, fixed 3.11) #299771
@@ -29,28 +29,28 @@
 CVE-2007-4619 version (flac, fixed 1.2) #332581
 CVE-2007-4568 version (xorg-x11-xfs, fixed 1.0.5)
 CVE-2007-4559 VULNERABLE (python, not fixed upstream) #315291 Upstream WONTFIX. See where we use the code.
-CVE-2007-4476 VULNERABLE (cpio, not fixed 2.9) Needs bug
+CVE-2007-4476 VULNERABLE (cpio, not fixed 2.9) #339691
 CVE-2007-4400 VULNERABLE (konversation) #253545 Remove media script?
-*CVE-2007-3999 VULNERABLE (nfs-utils-lib) #294901
-*CVE-2007-3999 VULNERABLE (libtirpc) #294921
+CVE-2007-3999 VULNERABLE (nfs-utils-lib) #362101
+CVE-2007-3999 VULNERABLE (libtirpc) #362121
 CVE-2007-3920 VULNERABLE (compiz, not fixed upstream) #350271
-CVE-2007-3919 VULNERABLE (xen, not fixed 3.1)
+CVE-2007-3919 backport (xen, fixed 3.1.0-13) #362011
 CVE-2007-3844 version (firefox, fixed 2.0.0.6)
-*CVE-2007-3843 VULNERABLE (kernel) #246595 I suspect this is already fixed in Fedora
+CVE-2007-3843 version (kernel) #246595 No idea which version fixed this
 CVE-2007-3544 VULNERABLE (wordpress, NOT fixed 2.2.1) #245211 Incomplete fix for CVE-2007-3543
 CVE-2007-3387 version (poppler, fixed 0.5.91) #251512
-*CVE-2007-3145 VULNERABLE (galeon) **
+CVE-2007-3145 ignore (galeon) in 2.0.3 the truncation still occurs, but at reasonable length
 CVE-2007-2450 VULNERABLE (tomcat5, not fixed 5.5.24) #244810
 CVE-2007-2449 VULNERABLE (tomcat5, not fixed 5.5.24) #244810
 CVE-2007-2245 version (phpMyAdmin, fixed 2.10.1) #237882
 CVE-2007-2165 version (proftpd, fixed 1.3.1rc3) #237533
 CVE-2007-1841 version (ipsec-tools, fixed 0.6.7) #238052
 CVE-2007-1804 version (pulseaudio) #235013 NOTABUG, there are other known ways to crash pulse.
-*CVE-2007-1558 VULNERABLE (evolution)
+CVE-2007-1558 version (evolution, fixed 1.8.3-5)
 CVE-2007-1352 version (libXfont, fixed 1.2.8) #235265
 CVE-2007-1351 version (libXfont, fixed 1.2.8) #235265
 CVE-2007-1103 ignore (tor) #230927 CANTFIX really
-CVE-2007-1004 VULNERABLE (mozilla) Needs an upstream bug
+CVE-2007-1004 VULNERABLE (mozilla) https://bugzilla.mozilla.org/show_bug.cgi?id=402060
 CVE-2007-1003 version (xorg-x11-server, fixed 1.2.1) #235263
 CVE-2007-1002 version (evolution, fixed 2.8.2.1) #233587
 CVE-2007-0654 backport (xmms, not fixed 1.2.10) #233705 Fixed in older ones?
@@ -59,20 +59,20 @@
 CVE-2007-0235 version (libgtop2, fixed 2.14.6) #222637 not sure, will triage
 CVE-2007-0095 ignore (phpMyAdmin) #221694 "Reveals path"
 CVE-2006-6698 VULNERABLE (GConf2) #219280
-*CVE-2006-6128 VULNERABLE (kernel, fixed **) ReiserFS MOKB
+CVE-2006-6128 version (kernel, fixed 2.6.19-1.2911.fc6) #250625 ReiserFS MOKB
 CVE-2006-6107 version (dbus, fixed 1.0.2) #219665
 CVE-2006-6077 version (firefox, fixed 1.5.0.10)
-*CVE-2006-6058 VULNERABLE (kernel, fixed **) Minix MOKB. I though this one had a bug. RHSA-2007:0672. Will ping esandeen.
-*CVE-2006-6057 VULNERABLE (kernel, fixed **) GFS2 MOKB.
+CVE-2006-6058 VULNERABLE (kernel) #250623 Minix MOKB. In stable tree, should be fixed in 2.6.24
+CVE-2006-6057 version (kernel, fixed 2_6_20-1_2924_fc6) GFS2 MOKB.
 CVE-2006-5868 version (ImageMagick, fixed 6.2.9.1) #217560
 CVE-2006-5864 version (evince, fixed 0.6.3) #217672
 CVE-2006-5779 version (openldap, fixed 2.3.29) #214768
 CVE-2006-5749 version (kernel, fixed 2.6.20-rc2)
-*CVE-2006-5701 VULNERABLE (kernel) squashfs MOKB
+CVE-2006-5701 version (kernel, kernel-2_6_20-1_2927_fc6) squashfs MOKB
 CVE-2006-5466 version (rpm, fixed 4.4.2.1) #212833
 CVE-2006-5461 version (avahi, fixed 0.6.15)
 CVE-2006-5397 version (libX11, fixed 1.0.4) #213280
-*CVE-2006-5214 VULNERABLE (xorg-x11-xinit) #212167
+CVE-2006-5214 backport (xorg-x11-xinit, fixed xorg-x11-xinit-1.0.2-21) #212167
 CVE-2006-5178 ignore (php) safe_mode WONTFIX
 CVE-2006-5170 version (nss_ldap, fixed 183)
 CVE-2006-4573 version (screen, fixed 4.0.3) #212057
@@ -85,7 +85,7 @@
 CVE-2006-0987 ignore (bind) example config file only
 CVE-2006-0496 VULNERABLE (firefox) https://bugzilla.mozilla.org/show_bug.cgi?id=324253
 CVE-2005-4809 ignore (firefox) Status bar can be modified anyways
-*CVE-2005-4790 VULNERABLE (tomboy) #252294
-*CVE-2005-3675 VULNERABLE (kernel) optack, no upstream fix
+CVE-2005-4790 VULNERABLE (tomboy) #252294
+CVE-2005-3675 VULNERABLE (kernel) optack, no upstream fix -- TCP protocol weakness
 CVE-2003-1265 VULNERABLE (thunderbird) https://bugzilla.mozilla.org/show_bug.cgi?id=198442 (probably "ignore")
 CVE-2003-1265 VULNERABLE (seamonkey) https://bugzilla.mozilla.org/show_bug.cgi?id=198442 (probably "ignore")


Index: fc6
===================================================================
RCS file: /cvs/fedora/fedora-security/audit/fc6,v
retrieving revision 1.288
retrieving revision 1.289
diff -u -r1.288 -r1.289
--- fc6	1 Nov 2007 12:55:51 -0000	1.288
+++ fc6	1 Nov 2007 17:02:06 -0000	1.289
@@ -74,7 +74,7 @@
 CVE-2007-3962 ignore (gftp) multiple buffer overflows in fsplib, not on Linux
 CVE-2007-3961 ignore (gftp) off-by-one error in fsplib
 CVE-2007-3920 VULNERABLE (gnome-screensaver) #350271
-CVE-2007-3919 VULNERABLE (xen)
+CVE-2007-3919 VULNERABLE (xen) #362001
 CVE-2007-3852 backport (sysstat) #252296 [since FEDORA-2007-675]
 CVE-2007-3848 version (kernel) [since FEDORA-2007-679]
 CVE-2007-3847 version (httpd) #250756 [since FEDORA-2007-707]


Index: fc7
===================================================================
RCS file: /cvs/fedora/fedora-security/audit/fc7,v
retrieving revision 1.161
retrieving revision 1.162
diff -u -r1.161 -r1.162
--- fc7	1 Nov 2007 12:55:51 -0000	1.161
+++ fc7	1 Nov 2007 17:02:06 -0000	1.162
@@ -151,7 +151,7 @@
 CVE-2007-3948 version (lighttpd, fixed 1.4.16) #249162 [since FEDORA-2007-1299]
 CVE-2007-3947 version (lighttpd, fixed 1.4.16) #249162 [since FEDORA-2007-1299]
 CVE-2007-3946 version (lighttpd, fixed 1.4.16) #249162 [since FEDORA-2007-1299]
-CVE-2007-3919 VULNERABLE (xen)
+CVE-2007-3919 VULNERABLE (xen) #361981
 CVE-2007-3917 version (wesnoth, fixed 1.2.7) #324841 [since FEDORA-2007-2496]
 CVE-2007-3848 version (kernel) [since FEDORA-2007-1785]
 CVE-2007-3847 version (httpd) #250755 [since FEDORA-2007-2214]

More information about the Fedora-security-commits mailing list