From fedora-security-commits at redhat.com Tue Jul 1 09:59:30 2008 From: fedora-security-commits at redhat.com (fedora-security-commits at redhat.com) Date: Tue, 1 Jul 2008 09:59:30 GMT Subject: [Fedora-security-commits] fedora-security/audit f10, 1.8, 1.9 f8, 1.226, 1.227 f9, 1.216, 1.217 Message-ID: <200807010959.m619xUs4017894@cvs-int.fedora.redhat.com> Author: thoger Update of /cvs/fedora/fedora-security/audit In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv17671/audit Modified Files: f10 f8 f9 Log Message: last week's issues Index: f10 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/f10,v retrieving revision 1.8 retrieving revision 1.9 diff -u -r1.8 -r1.9 --- f10 20 Jun 2008 19:34:29 -0000 1.8 +++ f10 1 Jul 2008 09:59:00 -0000 1.9 
@@ -4,28 +4,32 @@ # *CVE are items that need verification for Fedora 10 # (mozilla) = (gecko-libs dependent stuff) +CVE-2008-2841 ignore (xchat) windows-only, IE bug +CVE-2008-2827 backport (perl) #452642 [since perl-5.10.0-28.fc10] CVE-2008-2728 ignore (ruby) 1.6.x variant of CVE-2008-2726 CVE-2008-2727 ignore (ruby) 1.6.x variant of CVE-2008-2725 -CVE-2008-2726 VULNERABLE (ruby, fixed 1.8.6-p230, 1.8.7-p22) #452295 -CVE-2008-2725 VULNERABLE (ruby, fixed 1.8.6-p230, 1.8.7-p22) #452295 +CVE-2008-2726 version (ruby, fixed 1.8.6-p230, 1.8.7-p22) #452295 [since ruby-1.8.6.230-1.fc10] +CVE-2008-2725 version (ruby, fixed 1.8.6-p230, 1.8.7-p22) #452295 [since ruby-1.8.6.230-1.fc10] CVE-2008-2724 version (gallery2, fixed 2.2.5) [since gallery2-2.2.5-1.fc10] CVE-2008-2723 version (gallery2, fixed 2.2.5) [since gallery2-2.2.5-1.fc10] CVE-2008-2722 version (gallery2, fixed 2.2.5) [since gallery2-2.2.5-1.fc10] CVE-2008-2721 version (gallery2, fixed 2.2.5) [since gallery2-2.2.5-1.fc10] CVE-2008-2720 version (gallery2, fixed 2.2.5) [since gallery2-2.2.5-1.fc10] CVE-2008-2713 version (clamav, fixed 0.93.1) [since clamav-0.93.1-1.fc10] +CVE-2008-2711 backport (fetchmail, fixed 6.3.9) #452959 crash only in verbose mode [since fetchmail-6.3.8-7.fc10] CVE-2008-2696 VULNERABLE (exiv2, fixed 0.17) -CVE-2008-2664 VULNERABLE (ruby, fixed 1.8.6-p230, 1.8.7-p22) #452295 -CVE-2008-2663 VULNERABLE (ruby, fixed 1.8.6-p230, 1.8.7-p22) #452295 -CVE-2008-2662 VULNERABLE (ruby, fixed 1.8.6-p230, 1.8.7-p22) #452295 +CVE-2008-2664 version (ruby, fixed 1.8.6-p230, 1.8.7-p22) #452295 [since ruby-1.8.6.230-1.fc10] +CVE-2008-2663 version (ruby, fixed 1.8.6-p230, 1.8.7-p22) #452295 [since ruby-1.8.6.230-1.fc10] +CVE-2008-2662 version (ruby, fixed 1.8.6-p230, 1.8.7-p22) #452295 [since ruby-1.8.6.230-1.fc10] CVE-2008-2575 version (cbrpager) [since cbrpager-0.9.17-2.fc10] CVE-2008-2426 backport (imlib2) [since imlib2-1.4.0-7.fc10] CVE-2008-2420 version (stunnel, fixed 4.24) [since stunnel-4.24-2] 
CVE-2008-2392 ignore (wordpress) issue only in certain deployments, not affected by default +CVE-2008-2375 ignore (vsftpd) pre-2.0.5 versions only CVE-2008-2363 VULNERABLE (pan) #449335 -CVE-2008-2362 VULNERABLE (xorg-x11-server) #450927 -CVE-2008-2361 VULNERABLE (xorg-x11-server) #450927 -CVE-2008-2360 VULNERABLE (xorg-x11-server) #450927 +CVE-2008-2362 version (xorg-x11-server) #450927 [since xorg-x11-server-1.4.99.902-2.20080612.fc10] +CVE-2008-2361 version (xorg-x11-server) #450927 [since xorg-x11-server-1.4.99.902-2.20080612.fc10] +CVE-2008-2360 version (xorg-x11-server) #450927 [since xorg-x11-server-1.4.99.902-2.20080612.fc10] CVE-2008-2359 ignore (system-config-network) F8 specific issue CVE-2008-2357 fixed (mtr, fixed 0.73) CVE-2008-2302 version (Django, fixed 0.96.2) #447260 [since Django-0.96.2-1.fc10] @@ -35,11 +39,11 @@ CVE-2008-2168 ignore (httpd) browser issue, not apache CVE-2008-2152 version (openoffice.org, fixed 2.4.1) [since openoffice.org-3.0.0-0.0.17.1.fc10] CVE-2008-2119 ignore (asterisk, fixed 1.2.29) AST-2008-008, only for 1.0.x and 1.2.x -CVE-2008-2108 VULNERABLE (php, fixed 5.2.6) -CVE-2008-2107 VULNERABLE (php, fixed 5.2.6) +CVE-2008-2108 version (php, fixed 5.2.6) [since php-5.2.6-2.fc9] +CVE-2008-2107 version (php, fixed 5.2.6) [since php-5.2.6-2.fc9] CVE-2008-2085 VULNERABLE (sipp) #446222 CVE-2008-2079 VULNERABLE (mysql, fixed 5.0.60) #445804 -CVE-2008-2051 VULNERABLE (php, fixed 5.2.6) +CVE-2008-2051 version (php, fixed 5.2.6) [since php-5.2.6-2.fc9] CVE-2008-2004 VULNERABLE (xen) disables format autodetection by default [since xen-3.2.0-11.fc10] CVE-2008-2004 VULNERABLE (qemu) fix mostly useless without libvirt changes CVE-2008-2004 VULNERABLE (kvm) fix mostly useless without libvirt changes 
@@ -76,8 +80,8 @@ CVE-2008-1387 version (clamav, fixed 0.93) [since clamav-0.93-1.fc9] CVE-2008-1382 version (libpng, fixed 1.2.27) [since libpng-1.2.29-1.fc10] CVE-2008-1382 version (libpng10) [since libpng10-1.0.37-1.fc10] -CVE-2008-1379 VULNERABLE (xorg-x11-server) #450927 -CVE-2008-1377 VULNERABLE (xorg-x11-server) #450927 +CVE-2008-1379 version (xorg-x11-server) #450927 [since xorg-x11-server-1.4.99.902-2.20080612.fc10] +CVE-2008-1377 version (xorg-x11-server) #450927 [since xorg-x11-server-1.4.99.902-2.20080612.fc10] CVE-2008-1360 version (nagios) #437852 [since nagios-2.11-3.fc9] CVE-2008-1109 backport (evolution) #449925 [since evolution-2.23.3.1-2.fc10] CVE-2008-1108 backport (evolution) #449925 [since evolution-2.23.3.1-2.fc10] @@ -88,7 +92,7 @@ CVE-2008-1033 version (cups, fixed 1.3.7) [since cups-1.3.7-1.fc9] CVE-2008-0960 backport (net-snmp, fixed 5.4.1.1) [since net-snmp-5.4.1-19.fc10] CVE-2008-0891 backport (openssl, fixed 0.9.8h) #448691 [since openssl-0.9.8g-9.fc10] -CVE-2008-0599 VULNERABLE (php, fixed 5.2.6) +CVE-2008-0599 version (php, fixed 5.2.6) [since php-5.2.6-2.fc9] CVE-2008-0553 version (tkimg) [since tkimg-1.3-0.10.20080505svn.fc10] CVE-2008-0314 version (clamav, fixed 0.93) [since clamav-0.93-1.fc9] CVE-2008-0166 ignore (openssl) Debian specific Index: f8 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/f8,v retrieving revision 1.226 retrieving revision 1.227 diff -u -r1.226 -r1.227 --- f8 20 Jun 2008 19:34:29 -0000 1.226 +++ f8 1 Jul 2008 09:59:00 -0000 1.227 
@@ -6,25 +6,29 @@ rhbz293031 fixed (nx) #293031 [since FEDORA-2008-2258] rhbz249840 version (tor, fixed 0.1.2.15) +CVE-2008-2841 ignore (xchat) windows-only, IE bug +CVE-2008-2827 ignore (perl) perl 5.10 only CVE-2008-2783 VULNERABLE (kronolith) CVE-2008-2728 ignore (ruby) 1.6.x variant of CVE-2008-2726 CVE-2008-2727 ignore (ruby) 1.6.x variant of CVE-2008-2725 -CVE-2008-2726 VULNERABLE (ruby, fixed 1.8.6-p230, 1.8.7-p22) #452293 -CVE-2008-2725 VULNERABLE (ruby, fixed 1.8.6-p230, 1.8.7-p22) #452293 -CVE-2008-2724 VULNERABLE (gallery2, fixed 2.2.5) [since gallery2-2.2.5-1.fc8] -CVE-2008-2723 VULNERABLE (gallery2, fixed 2.2.5) [since gallery2-2.2.5-1.fc8] -CVE-2008-2722 VULNERABLE (gallery2, fixed 2.2.5) [since gallery2-2.2.5-1.fc8] -CVE-2008-2721 VULNERABLE (gallery2, fixed 2.2.5) [since gallery2-2.2.5-1.fc8] -CVE-2008-2720 VULNERABLE (gallery2, fixed 2.2.5) [since gallery2-2.2.5-1.fc8] +CVE-2008-2726 fixed (ruby, fixed 1.8.6-p230, 1.8.7-p22) #452293 [since FEDORA-2008-5649] +CVE-2008-2725 fixed (ruby, fixed 1.8.6-p230, 1.8.7-p22) #452293 [since FEDORA-2008-5649] +CVE-2008-2724 fixed (gallery2, fixed 2.2.5) [since FEDORA-2008-5479] +CVE-2008-2723 fixed (gallery2, fixed 2.2.5) [since FEDORA-2008-5479] +CVE-2008-2722 fixed (gallery2, fixed 2.2.5) [since FEDORA-2008-5479] +CVE-2008-2721 fixed (gallery2, fixed 2.2.5) [since FEDORA-2008-5479] +CVE-2008-2720 fixed (gallery2, fixed 2.2.5) [since FEDORA-2008-5479] CVE-2008-2713 VULNERABLE (clamav, fixed 0.93.1) +CVE-2008-2711 VULNERABLE (fetchmail, fixed 6.3.9) crash only in verbose mode CVE-2008-2696 VULNERABLE (exiv2, fixed 0.17) -CVE-2008-2664 VULNERABLE (ruby, fixed 1.8.6-p230, 1.8.7-p22) #452293 -CVE-2008-2663 VULNERABLE (ruby, fixed 1.8.6-p230, 1.8.7-p22) #452293 -CVE-2008-2662 VULNERABLE (ruby, fixed 1.8.6-p230, 1.8.7-p22) #452293 +CVE-2008-2664 fixed (ruby, fixed 1.8.6-p230, 1.8.7-p22) #452293 [since FEDORA-2008-5649] +CVE-2008-2663 fixed (ruby, fixed 1.8.6-p230, 1.8.7-p22) #452293 [since FEDORA-2008-5649] 
+CVE-2008-2662 fixed (ruby, fixed 1.8.6-p230, 1.8.7-p22) #452293 [since FEDORA-2008-5649] CVE-2008-2575 fixed (cbrpager) [since FEDORA-2008-4528] CVE-2008-2426 fixed (imlib2) [since FEDORA-2008-4842] CVE-2008-2420 fixed (stunnel, fixed 4.24) [since FEDORA-2008-4579] CVE-2008-2392 ignore (wordpress) issue only in certain deployments, not affected by default +CVE-2008-2375 ignore (vsftpd) pre-2.0.5 versions only CVE-2008-2363 VULNERABLE (pan) #449333 CVE-2008-2362 fixed (xorg-x11-server) #450925 [since FEDORA-2008-5279] CVE-2008-2361 fixed (xorg-x11-server) #450925 [since FEDORA-2008-5279] @@ -40,15 +44,15 @@ CVE-2008-2146 version (wordpress, fixed 2.2.3) CVE-2008-2119 ignore (asterisk, fixed 1.2.29) AST-2008-008, only for 1.0.x and 1.2.x CVE-2008-2109 fixed (libid3tag) #445814 [since FEDORA-2008-3976] -CVE-2008-2108 VULNERABLE (php, fixed 5.2.6) [since FEDORA-2008-3864] -CVE-2008-2107 VULNERABLE (php, fixed 5.2.6) [since FEDORA-2008-3864] +CVE-2008-2108 fixed (php, fixed 5.2.6) [since FEDORA-2008-3864] +CVE-2008-2107 fixed (php, fixed 5.2.6) [since FEDORA-2008-3864] CVE-2008-2105 fixed (bugzilla, fixed 3.0.4, 3.1.4) #445822 [since FEDORA-2008-3442] CVE-2008-2104 ignore (bugzilla, fixed 3.1.4) only affects 3.1.3, not in Fedora CVE-2008-2103 fixed (bugzilla, fixed 3.0.4, 3.1.4) #445822 [since FEDORA-2008-3442] CVE-2008-2085 VULNERABLE (sipp) #446220 CVE-2008-2079 VULNERABLE (mysql, fixed 5.0.60) #445805 CVE-2008-2068 version (wordpress, fixed 2.5.1) [since FEDORA-2008-3397] -CVE-2008-2051 VULNERABLE (php, fixed 5.2.6) [since FEDORA-2008-3864] +CVE-2008-2051 fixed (php, fixed 5.2.6) [since FEDORA-2008-3864] CVE-2008-2050 ignore (php, fixed 5.2.6) CVE-2008-2033 ignore (zoneminder) duplicate of CVE-2008-1381 CVE-2008-2004 VULNERABLE (xen) disables format autodetection by default [since xen-3.1.2-3.fc8] 
@@ -74,7 +78,7 @@ CVE-2008-1924 version (phpMyAdmin, fixed 2.11.5.2) [since FEDORA-2008-3461] PMASA-2008-3 CVE-2008-1923 version (asterisk) upstream fix incomplete, resulting in CVE-2008-1897 CVE-2008-1897 fixed (asterisk, fixed 1.4.19.1) [since FEDORA-2008-3390] -CVE-2008-1891 VULNERABLE (ruby, fixed 1.8.6-p230, 1.8.7-p22) #452293 +CVE-2008-1891 fixed (ruby, fixed 1.8.6-p230, 1.8.7-p22) #452293 [since FEDORA-2008-5649] CVE-2008-1878 fixed (xine-lib, fixed 1.1.12.1) #443055 [since FEDORA-2008-3353] nsf demuxer overflow CVE-2008-1845 version (mksh, fixed 33d) [since FEDORA-2008-3174] CVE-2008-1837 ignore (clamav, fixed 0.93) unrar code not shipped @@ -246,7 +250,7 @@ CVE-2008-0658 fixed (openldap) #432012 [since FEDORA-2008-1616] CVE-2008-0646 fixed (deluge, fixed 0.5.8.3) [since FEDORA-2008-1287] CVE-2008-0646 fixed (rb_libtorrent) [since FEDORA-2008-1198] -CVE-2008-0599 VULNERABLE (php, fixed 5.2.6) [since FEDORA-2008-3864] +CVE-2008-0599 fixed (php, fixed 5.2.6) [since FEDORA-2008-3864] CVE-2008-0597 version (cups) only old CUPS versions affected CVE-2008-0596 version (cups) only old CUPS versions affected CVE-2008-0595 backport (dbus, fixed 1.1.20) [since FEDORA-2008-2070] @@ -455,8 +459,8 @@ CVE-2007-5902 ignore (krb5, fixed 1.6.4) not exploitable CVE-2007-5901 fixed (krb5, fixed 1.6.4) #438023 [since FEDORA-2008-2647] CVE-2007-5900 ignore (php, fixed 5.2.5) -CVE-2007-5899 VULNERABLE (php, fixed 5.2.5) [since FEDORA-2008-3864] -CVE-2007-5898 VULNERABLE (php, fixed 5.2.5) [since FEDORA-2008-3864] +CVE-2007-5899 fixed (php, fixed 5.2.5) [since FEDORA-2008-3864] +CVE-2007-5898 fixed (php, fixed 5.2.5) [since FEDORA-2008-3864] CVE-2007-5894 ignore (krb5, fixed 1.6.4) not exploitable CVE-2007-5849 ignore (cups, fixed 1.3.5) minimal impact, see #415131 CVE-2007-5848 version (cups, fixed 1.2.0) 
@@ -524,7 +528,7 @@ CVE-2007-4825 ignore (php, fixed 5.2.5) CVE-2007-4784 ignore (php, fixed 5.2.5) CVE-2007-4783 ignore (php, fixed 5.2.5) -CVE-2007-4782 VULNERABLE (php, fixed 5.2.5) [since FEDORA-2008-3864] +CVE-2007-4782 fixed (php, fixed 5.2.5) [since FEDORA-2008-3864] CVE-2007-4772 fixed (postgresql, fixed 8.2.6) #427773 [since FEDORA-2008-0478] CVE-2007-4771 fixed (icu) #430233 [since FEDORA-2008-1036] CVE-2007-4770 fixed (icu) #430233 [since FEDORA-2008-1036] Index: f9 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/f9,v retrieving revision 1.216 retrieving revision 1.217 diff -u -r1.216 -r1.217 --- f9 20 Jun 2008 19:34:29 -0000 1.216 +++ f9 1 Jul 2008 09:59:00 -0000 1.217 
@@ -5,24 +5,28 @@ # (mozilla) = (gecko-libs dependent stuff) rhbz249840 version (tor, fixed 0.1.2.15) +CVE-2008-2841 ignore (xchat) windows-only, IE bug +CVE-2008-2827 fixed (perl) #452641 [since FEDORA-2008-5739] CVE-2008-2728 ignore (ruby) 1.6.x variant of CVE-2008-2726 CVE-2008-2727 ignore (ruby) 1.6.x variant of CVE-2008-2725 -CVE-2008-2726 VULNERABLE (ruby, fixed 1.8.6-p230, 1.8.7-p22) #452294 -CVE-2008-2725 VULNERABLE (ruby, fixed 1.8.6-p230, 1.8.7-p22) #452294 -CVE-2008-2724 VULNERABLE (gallery2, fixed 2.2.5) [since gallery2-2.2.5-1.fc9] -CVE-2008-2723 VULNERABLE (gallery2, fixed 2.2.5) [since gallery2-2.2.5-1.fc9] -CVE-2008-2722 VULNERABLE (gallery2, fixed 2.2.5) [since gallery2-2.2.5-1.fc9] -CVE-2008-2721 VULNERABLE (gallery2, fixed 2.2.5) [since gallery2-2.2.5-1.fc9] -CVE-2008-2720 VULNERABLE (gallery2, fixed 2.2.5) [since gallery2-2.2.5-1.fc9] -CVE-2008-2713 VULNERABLE (clamav, fixed 0.93.1) [since clamav-0.93.1-1.fc9] +CVE-2008-2726 fixed (ruby, fixed 1.8.6-p230, 1.8.7-p22) #452294 [since FEDORA-2008-5664] +CVE-2008-2725 fixed (ruby, fixed 1.8.6-p230, 1.8.7-p22) #452294 [since FEDORA-2008-5664] +CVE-2008-2724 fixed (gallery2, fixed 2.2.5) [since FEDORA-2008-5576] +CVE-2008-2723 fixed (gallery2, fixed 2.2.5) [since FEDORA-2008-5576] +CVE-2008-2722 fixed (gallery2, fixed 2.2.5) [since FEDORA-2008-5576] +CVE-2008-2721 fixed (gallery2, fixed 2.2.5) [since FEDORA-2008-5576] +CVE-2008-2720 fixed (gallery2, fixed 2.2.5) [since FEDORA-2008-5576] +CVE-2008-2713 fixed (clamav, fixed 0.93.1) [since FEDORA-2008-5476] +CVE-2008-2711 VULNERABLE (fetchmail, fixed 6.3.9) crash only in verbose mode CVE-2008-2696 VULNERABLE (exiv2, fixed 0.17) -CVE-2008-2664 VULNERABLE (ruby, fixed 1.8.6-p230, 1.8.7-p22) #452294 -CVE-2008-2663 VULNERABLE (ruby, fixed 1.8.6-p230, 1.8.7-p22) #452294 -CVE-2008-2662 VULNERABLE (ruby, fixed 1.8.6-p230, 1.8.7-p22) #452294 +CVE-2008-2664 fixed (ruby, fixed 1.8.6-p230, 1.8.7-p22) #452294 [since FEDORA-2008-5664] +CVE-2008-2663 fixed (ruby, fixed 
1.8.6-p230, 1.8.7-p22) #452294 [since FEDORA-2008-5664] +CVE-2008-2662 fixed (ruby, fixed 1.8.6-p230, 1.8.7-p22) #452294 [since FEDORA-2008-5664] CVE-2008-2575 fixed (cbrpager) [since FEDORA-2008-4501] CVE-2008-2426 fixed (imlib2) [since FEDORA-2008-4871] CVE-2008-2420 fixed (stunnel, fixed 4.24) [since FEDORA-2008-4531] CVE-2008-2392 ignore (wordpress) issue only in certain deployments, not affected by default +CVE-2008-2375 ignore (vsftpd) pre-2.0.5 versions only CVE-2008-2363 VULNERABLE (pan) #449334 CVE-2008-2362 fixed (xorg-x11-server) #450926 [since FEDORA-2008-5254] CVE-2008-2361 fixed (xorg-x11-server) #450926 [since FEDORA-2008-5254] @@ -38,15 +42,15 @@ CVE-2008-2146 version (wordpress, fixed 2.2.3) CVE-2008-2119 ignore (asterisk, fixed 1.2.29) AST-2008-008, only for 1.0.x and 1.2.x CVE-2008-2109 fixed (libid3tag) #445815 [since FEDORA-2008-3757] -CVE-2008-2108 VULNERABLE (php, fixed 5.2.6) [since FEDORA-2008-3606] -CVE-2008-2107 VULNERABLE (php, fixed 5.2.6) [since FEDORA-2008-3606] +CVE-2008-2108 fixed (php, fixed 5.2.6) [since FEDORA-2008-3606] +CVE-2008-2107 fixed (php, fixed 5.2.6) [since FEDORA-2008-3606] CVE-2008-2105 fixed (bugzilla, fixed 3.0.4, 3.1.4) #445823 [since FEDORA-2008-3668] CVE-2008-2104 ignore (bugzilla, fixed 3.1.4) only affects 3.1.3, not in Fedora CVE-2008-2103 fixed (bugzilla, fixed 3.0.4, 3.1.4) #445823 [since FEDORA-2008-3668] CVE-2008-2085 VULNERABLE (sipp) #446221 CVE-2008-2079 VULNERABLE (mysql, fixed 5.0.60) #445806 CVE-2008-2068 version (wordpress, fixed 2.5.1) [since wordpress-2.5.1-1.fc9] -CVE-2008-2051 VULNERABLE (php, fixed 5.2.6) [since FEDORA-2008-3606] +CVE-2008-2051 fixed (php, fixed 5.2.6) [since FEDORA-2008-3606] CVE-2008-2050 ignore (php, fixed 5.2.6) CVE-2008-2033 ignore (zoneminder) duplicate of CVE-2008-1381 CVE-2008-2004 VULNERABLE (xen) disables format autodetection by default [since xen-3.2.0-11.fc9] 
@@ -73,7 +77,7 @@ CVE-2008-1924 version (phpMyAdmin, fixed 2.11.5.2) [since phpMyAdmin-2.11.5.2-1.fc9] PMASA-2008-3 CVE-2008-1923 version (asterisk) upstream fix incomplete, resulting in CVE-2008-1897 CVE-2008-1897 version (asterisk, fixed 1.6.0.beta3) [since asterisk-1.6.0-0.13.beta8.fc9] -CVE-2008-1891 VULNERABLE (ruby, fixed 1.8.6-p230, 1.8.7-p22) #452294 +CVE-2008-1891 fixed (ruby, fixed 1.8.6-p230, 1.8.7-p22) #452294 [since FEDORA-2008-5664] CVE-2008-1878 backport (xine-lib, fixed 1.1.12.1) #443056 nsf demuxer overflow [since xine-lib-1.1.12-2.fc9] CVE-2008-1845 version (mksh, fixed 33d) [since mksh-33d-1.fc9] what is real impact on fedora? CVE-2008-1837 ignore (clamav, fixed 0.93) unrar code not shipped @@ -242,7 +246,7 @@ CVE-2008-0658 backport (openldap) #432014 [since openldap-2.4.7-7.fc9] CVE-2008-0646 version (deluge, fixed 0.5.8.3) [since deluge-0.5.8.3-1.fc9] CVE-2008-0646 backport (rb_libtorrent) [since rb_libtorrent-0.12-3.fc9] -CVE-2008-0599 VULNERABLE (php, fixed 5.2.6) [since FEDORA-2008-3606] +CVE-2008-0599 fixed (php, fixed 5.2.6) [since FEDORA-2008-3606] CVE-2008-0597 version (cups) only old CUPS versions affected CVE-2008-0596 version (cups) only old CUPS versions affected CVE-2008-0595 version (dbus, fixed 1.1.20) [since dbus-1.1.20-1.fc9] From fedora-security-commits at redhat.com Fri Jul 4 20:12:40 2008 
From: fedora-security-commits at redhat.com (fedora-security-commits at redhat.com) Date: Fri, 4 Jul 2008 20:12:40 GMT Subject: [Fedora-security-commits] fedora-security/audit f10, 1.9, 1.10 f8, 1.227, 1.228 f9, 1.217, 1.218 Message-ID: <200807042012.m64KCel7028581@cvs-int.fedora.redhat.com> Author: thoger Update of /cvs/fedora/fedora-security/audit In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv28443/audit Modified Files: f10 f8 f9 Log Message: week of issues Index: f10 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/f10,v retrieving revision 1.9 retrieving revision 1.10 diff -u -r1.9 -r1.10 --- f10 1 Jul 2008 09:59:00 -0000 1.9 +++ f10 4 Jul 2008 20:12:09 -0000 1.10 
@@ -4,8 +4,39 @@ # *CVE are items that need verification for Fedora 10 # (mozilla) = (gecko-libs dependent stuff) +CVE-2008-2960 version (phpMyAdmin, fixed 2.11.7) [since phpMyAdmin-2.11.7-1.fc10] PMASA-2008-4 +CVE-2008-2954 backport (linuxdcpp) #453734 [since linuxdcpp-1.0.1-3.fc10] +CVE-2008-2953 backport (linuxdcpp) #453734 [since linuxdcpp-1.0.1-3.fc10] +CVE-2008-2952 backport (openldap) #453728 [since openldap-2.4.10-2.fc10] +CVE-2008-2942 VULNERABLE (mercurial) CVE-2008-2841 ignore (xchat) windows-only, IE bug CVE-2008-2827 backport (perl) #452642 [since perl-5.10.0-28.fc10] +CVE-2008-2811 version (firefox, fixed 3.0) [since firefox-3.0-1.fc10] +CVE-2008-2811 VULNERABLE (seamonkey, fixed 1.1.10) +CVE-2008-2810 version (firefox, fixed 3.0) [since firefox-3.0-1.fc10] +CVE-2008-2810 VULNERABLE (seamonkey, fixed 1.1.10) +CVE-2008-2809 version (firefox, fixed 3.0) [since firefox-3.0-1.fc10] +CVE-2008-2809 VULNERABLE (seamonkey, fixed 1.1.10) +CVE-2008-2808 version (firefox, fixed 3.0) [since firefox-3.0-1.fc10] +CVE-2008-2808 VULNERABLE (seamonkey, fixed 1.1.10) +CVE-2008-2807 version (firefox, fixed 3.0) [since firefox-3.0-1.fc10] +CVE-2008-2807 VULNERABLE (seamonkey, fixed 1.1.10) +CVE-2008-2806 ignore (firefox, fixed 3.0) Mac OS X specific +CVE-2008-2806 ignore (seamonkey, fixed 1.1.10) Mac OS X specific +CVE-2008-2805 version (firefox, fixed 3.0) [since firefox-3.0-1.fc10] +CVE-2008-2805 VULNERABLE (seamonkey, fixed 1.1.10) +CVE-2008-2803 version (firefox, fixed 3.0) [since firefox-3.0-1.fc10] +CVE-2008-2803 VULNERABLE (seamonkey, fixed 1.1.10) +CVE-2008-2802 version (firefox, fixed 3.0) [since firefox-3.0-1.fc10] +CVE-2008-2802 VULNERABLE (seamonkey, fixed 1.1.10) +CVE-2008-2801 version (firefox, fixed 3.0) [since firefox-3.0-1.fc10] +CVE-2008-2801 VULNERABLE (seamonkey, fixed 1.1.10) +CVE-2008-2800 version (firefox, fixed 3.0) [since firefox-3.0-1.fc10] +CVE-2008-2800 VULNERABLE (seamonkey, fixed 1.1.10) +CVE-2008-2799 version (firefox, fixed 3.0) [since 
firefox-3.0-1.fc10] +CVE-2008-2799 VULNERABLE (seamonkey, fixed 1.1.10) +CVE-2008-2798 version (firefox, fixed 3.0) [since firefox-3.0-1.fc10] +CVE-2008-2798 VULNERABLE (seamonkey, fixed 1.1.10) CVE-2008-2728 ignore (ruby) 1.6.x variant of CVE-2008-2726 CVE-2008-2727 ignore (ruby) 1.6.x variant of CVE-2008-2725 CVE-2008-2726 version (ruby, fixed 1.8.6-p230, 1.8.7-p22) #452295 [since ruby-1.8.6.230-1.fc10] @@ -15,6 +46,7 @@ CVE-2008-2722 version (gallery2, fixed 2.2.5) [since gallery2-2.2.5-1.fc10] CVE-2008-2721 version (gallery2, fixed 2.2.5) [since gallery2-2.2.5-1.fc10] CVE-2008-2720 version (gallery2, fixed 2.2.5) [since gallery2-2.2.5-1.fc10] +CVE-2008-2719 version (nasm, fixed 2.03.01) [since nasm-2.03.01-1.fc10] CVE-2008-2713 version (clamav, fixed 0.93.1) [since clamav-0.93.1-1.fc10] CVE-2008-2711 backport (fetchmail, fixed 6.3.9) #452959 crash only in verbose mode [since fetchmail-6.3.8-7.fc10] CVE-2008-2696 VULNERABLE (exiv2, fixed 0.17) 
@@ -25,13 +57,20 @@ CVE-2008-2426 backport (imlib2) [since imlib2-1.4.0-7.fc10] CVE-2008-2420 version (stunnel, fixed 4.24) [since stunnel-4.24-2] CVE-2008-2392 ignore (wordpress) issue only in certain deployments, not affected by default +CVE-2008-2377 version (gnutls, fixed 2.4.1) [since gnutls-2.4.1-1.fc10] +CVE-2008-2376 backport (ruby, fixed 1.8.6-p257) [since ruby-1.8.6.230-4.fc10] CVE-2008-2375 ignore (vsftpd) pre-2.0.5 versions only +CVE-2008-2374 version (bluez-libs, fixed 3.34) #452822 [since bluez-libs-3.34-1.fc10] +CVE-2008-2371 backport (pcre) #453557 [since pcre-7.3-4.fc10] +CVE-2008-2371 version (glib2) #453561 [since glib2-2.17.3-1.fc10] CVE-2008-2363 VULNERABLE (pan) #449335 CVE-2008-2362 version (xorg-x11-server) #450927 [since xorg-x11-server-1.4.99.902-2.20080612.fc10] CVE-2008-2361 version (xorg-x11-server) #450927 [since xorg-x11-server-1.4.99.902-2.20080612.fc10] CVE-2008-2360 version (xorg-x11-server) #450927 [since xorg-x11-server-1.4.99.902-2.20080612.fc10] CVE-2008-2359 ignore (system-config-network) F8 specific issue CVE-2008-2357 fixed (mtr, fixed 0.73) +CVE-2008-2310 ignore (binutils) blocked by fortify_source +CVE-2008-2307 version (WebKit, fixed svn34204) [since WebKit-1.0.0-0.11.svn34279.fc10] CVE-2008-2302 version (Django, fixed 0.96.2) #447260 [since Django-0.96.2-1.fc10] CVE-2008-2292 backport (net-snmp, fixed 5.4.2.pre1) [since net-snmp-5.4.1-19.fc10] CVE-2008-2276 VULNERABLE (mantis) upstream fix in 1.2.0a1 seems useless 
@@ -54,10 +93,10 @@ CVE-2008-1947 VULNERABLE (tomcat5, fixed 5.5.27) CVE-2008-1947 VULNERABLE (tomcat6, fixed 6.0.17) CVE-2008-1944 version (xen, fixed 3.2) -CVE-2008-1943 VULNERABLE (xen) [since xen-3.2.0-11.fc10] +CVE-2008-1943 backport (xen) [since xen-3.2.0-11.fc10] CVE-2008-1928 version (perl-Imager, fixed 0.64) [since perl-Imager-0.64-2.fc10] CVE-2008-1926 backport (util-linux-ng) [since util-linux-ng-2.13.1-8.1.fc9] -CVE-2008-1891 VULNERABLE (ruby, fixed 1.8.6-p230, 1.8.7-p22) #452295 +CVE-2008-1891 version (ruby, fixed 1.8.6-p230, 1.8.7-p22) #452295 [since ruby-1.8.6.230-1.fc10] CVE-2008-1836 version (clamav, fixed 0.93) [since clamav-0.93-1.fc9] CVE-2008-1808 version (freetype, fixed 2.3.6) [since freetype-2.3.6-1.fc10] CVE-2008-1807 version (freetype, fixed 2.3.6) [since freetype-2.3.6-1.fc10] @@ -69,7 +108,7 @@ CVE-2008-1771 version (mt-daapd) [since mt-daapd-0.2.4.2-2.fc10] CVE-2008-1767 version (libxslt, fixed 1.1.24) [since libxslt-1.1.24-1.fc10] CVE-2008-1678 VULNERABLE (httpd) #447312 only affects systems with openssl >= 0.9.8e -CVE-2008-1677 VULNERABLE (fedora-ds-base) #445810 +CVE-2008-1677 version (fedora-ds-base, fixed 1.1.1) #445810 [since fedora-ds-base-1.1.1-1.fc10] CVE-2008-1672 backport (openssl, fixed 0.9.8h) #448691 [since openssl-0.9.8g-9.fc10] CVE-2008-1531 backport (lighttpd) [since lighttpd-1.4.19-4.fc10] CVE-2008-1488 VULNERABLE (php-pecl-apc) #438848 
@@ -104,6 +143,9 @@ CVE-2007-5907 VULNERABLE (xen) #390121 CVE-2007-5906 VULNERABLE (xen) #390121 CVE-2007-5803 version (nagios, fixed 2.12) #446383 [since nagios-2.12-3.fc10] +CVE-2007-5615 backport (jetty) [since jetty-5.1.14-1jpp.1.fc10] +CVE-2007-5614 backport (jetty) [since jetty-5.1.14-1jpp.1.fc10] +CVE-2007-5613 backport (jetty) [since jetty-5.1.14-1jpp.1.fc10] CVE-2007-5079 VULNERABLE (gdm) #363041 Red Hat specific problem CVE-2007-4829 VULNERABLE (perl, not fixed upstream) #364291 perl-Archive-Tar directory traversal CVE-2007-4559 VULNERABLE (python, not fixed upstream) #315291 Upstream WONTFIX. See where we use the code. @@ -112,4 +154,4 @@ CVE-2007-0062 version (dhcp, fixed 4.0.0) CVE-2006-6698 fixed (GConf2) CVE-2006-1390 VULNERABLE (nethack) bz#187353, but requires other access to games group - +CVE-2004-0918 version (squid) [since squid-3.0.STABLE7-1.fc10] Index: f8 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/f8,v retrieving revision 1.227 retrieving revision 1.228 diff -u -r1.227 -r1.228 --- f8 1 Jul 2008 09:59:00 -0000 1.227 +++ f8 4 Jul 2008 20:12:09 -0000 1.228 
@@ -6,8 +6,39 @@ rhbz293031 fixed (nx) #293031 [since FEDORA-2008-2258] rhbz249840 version (tor, fixed 0.1.2.15) +CVE-2008-2960 fixed (phpMyAdmin, fixed 2.11.7) [since FEDORA-2008-5640] PMASA-2008-4 +CVE-2008-2954 fixed (linuxdcpp) #453732 [since FEDORA-2008-6038] +CVE-2008-2953 fixed (linuxdcpp) #453732 [since FEDORA-2008-6038] +CVE-2008-2952 fixed (openldap) #453726 [since FEDORA-2008-6029] +CVE-2008-2942 VULNERABLE (mercurial) CVE-2008-2841 ignore (xchat) windows-only, IE bug CVE-2008-2827 ignore (perl) perl 5.10 only +CVE-2008-2811 VULNERABLE (firefox, fixed 2.0.0.15) [since firefox-2.0.0.15-1.fc8] +CVE-2008-2811 VULNERABLE (seamonkey, fixed 1.1.10) #453954 +CVE-2008-2810 VULNERABLE (firefox, fixed 2.0.0.15) [since firefox-2.0.0.15-1.fc8] +CVE-2008-2810 VULNERABLE (seamonkey, fixed 1.1.10) #453954 +CVE-2008-2809 VULNERABLE (firefox, fixed 2.0.0.15) [since firefox-2.0.0.15-1.fc8] +CVE-2008-2809 VULNERABLE (seamonkey, fixed 1.1.10) #453954 +CVE-2008-2808 VULNERABLE (firefox, fixed 2.0.0.15) [since firefox-2.0.0.15-1.fc8] +CVE-2008-2808 VULNERABLE (seamonkey, fixed 1.1.10) #453954 +CVE-2008-2807 VULNERABLE (firefox, fixed 2.0.0.15) [since firefox-2.0.0.15-1.fc8] +CVE-2008-2807 VULNERABLE (seamonkey, fixed 1.1.10) #453954 +CVE-2008-2806 ignore (firefox, fixed 2.0.0.15) Mac OS X specific +CVE-2008-2806 ignore (seamonkey, fixed 1.1.10) Mac OS X specific +CVE-2008-2805 VULNERABLE (firefox, fixed 2.0.0.15) [since firefox-2.0.0.15-1.fc8] +CVE-2008-2805 VULNERABLE (seamonkey, fixed 1.1.10) #453954 +CVE-2008-2803 VULNERABLE (firefox, fixed 2.0.0.15) [since firefox-2.0.0.15-1.fc8] +CVE-2008-2803 VULNERABLE (seamonkey, fixed 1.1.10) #453954 +CVE-2008-2802 VULNERABLE (firefox, fixed 2.0.0.15) [since firefox-2.0.0.15-1.fc8] +CVE-2008-2802 VULNERABLE (seamonkey, fixed 1.1.10) #453954 +CVE-2008-2801 VULNERABLE (firefox, fixed 2.0.0.15) [since firefox-2.0.0.15-1.fc8] +CVE-2008-2801 VULNERABLE (seamonkey, fixed 1.1.10) #453954 +CVE-2008-2800 VULNERABLE (firefox, fixed 2.0.0.15) 
[since firefox-2.0.0.15-1.fc8] +CVE-2008-2800 VULNERABLE (seamonkey, fixed 1.1.10) #453954 +CVE-2008-2799 VULNERABLE (firefox, fixed 2.0.0.15) [since firefox-2.0.0.15-1.fc8] +CVE-2008-2799 VULNERABLE (seamonkey, fixed 1.1.10) #453954 +CVE-2008-2798 VULNERABLE (firefox, fixed 2.0.0.15) [since firefox-2.0.0.15-1.fc8] +CVE-2008-2798 VULNERABLE (seamonkey, fixed 1.1.10) #453954 CVE-2008-2783 VULNERABLE (kronolith) CVE-2008-2728 ignore (ruby) 1.6.x variant of CVE-2008-2726 CVE-2008-2727 ignore (ruby) 1.6.x variant of CVE-2008-2725 @@ -18,6 +49,7 @@ CVE-2008-2722 fixed (gallery2, fixed 2.2.5) [since FEDORA-2008-5479] CVE-2008-2721 fixed (gallery2, fixed 2.2.5) [since FEDORA-2008-5479] CVE-2008-2720 fixed (gallery2, fixed 2.2.5) [since FEDORA-2008-5479] +CVE-2008-2719 ignore (nasm, fixed 2.03.01) not affected CVE-2008-2713 VULNERABLE (clamav, fixed 0.93.1) CVE-2008-2711 VULNERABLE (fetchmail, fixed 6.3.9) crash only in verbose mode CVE-2008-2696 VULNERABLE (exiv2, fixed 0.17) 
@@ -28,13 +60,20 @@ CVE-2008-2426 fixed (imlib2) [since FEDORA-2008-4842] CVE-2008-2420 fixed (stunnel, fixed 4.24) [since FEDORA-2008-4579] CVE-2008-2392 ignore (wordpress) issue only in certain deployments, not affected by default +CVE-2008-2377 ignore (gnutls, fixed 2.4.1) 2.3.5+ only +CVE-2008-2376 fixed (ruby, fixed 1.8.6-p257) [since FEDORA-2008-6094] CVE-2008-2375 ignore (vsftpd) pre-2.0.5 versions only +CVE-2008-2374 VULNERABLE (bluez-libs, fixed 3.34) #452820 +CVE-2008-2371 VULNERABLE (pcre) #453555 +CVE-2008-2371 fixed (glib2) #453559 [since FEDORA-2008-6025] CVE-2008-2363 VULNERABLE (pan) #449333 CVE-2008-2362 fixed (xorg-x11-server) #450925 [since FEDORA-2008-5279] CVE-2008-2361 fixed (xorg-x11-server) #450925 [since FEDORA-2008-5279] CVE-2008-2360 fixed (xorg-x11-server) #450925 [since FEDORA-2008-5279] CVE-2008-2359 fixed (system-config-network) [since FEDORA-2008-4633] CVE-2008-2357 fixed (mtr, fixed 0.73) +CVE-2008-2310 ignore (binutils) blocked by fortify_source +CVE-2008-2307 VULNERABLE (WebKit, fixed svn34204) #454094 CVE-2008-2302 fixed (Django, fixed 0.96.2) #447258 [since FEDORA-2008-4248] CVE-2008-2292 fixed (net-snmp, fixed 5.4.2.pre1) [since FEDORA-2008-5218] CVE-2008-2276 VULNERABLE (mantis) upstream fix in 1.2.0a1 seems useless @@ -109,7 +148,7 @@ CVE-2008-1686 fixed (libfishsound, fixed 0.9.1) #441247 [since FEDORA-2008-3059] CVE-2008-1686 fixed (speex) #442572 [since FEDORA-2008-3103] CVE-2008-1678 ignore (httpd) only affects systems with openssl >= 0.9.8e -CVE-2008-1677 VULNERABLE (fedora-ds-base) #445809 +CVE-2008-1677 version (fedora-ds-base, fixed 1.1.1) #445809 [since FEDORA-2008-4941] CVE-2008-1672 ignore (openssl, fixed 0.9.8h) not affected CVE-2008-1671 ignore (kdelibs) start_kdeinit not setuid CVE-2008-1670 ignore (kdelibs) kdelibs 4.x only 
@@ -481,6 +520,9 @@ CVE-2007-5690 version (zaptel) [since FEDORA-2007-2860] not really an issue CVE-2007-5624 version (nagios, fixed 2.10) #362801 [since FEDORA-2007-4145] CVE-2007-5623 backport (nagios-plugins, not fixed 1.4.10) #348731 [since FEDORA-2007-2876] nagios-plugins-1.4.8-9.fc8 +CVE-2007-5615 VULNERABLE (jetty) [since jetty-5.1.14-1jpp.1.fc8] +CVE-2007-5614 VULNERABLE (jetty) [since jetty-5.1.14-1jpp.1.fc8] +CVE-2007-5613 VULNERABLE (jetty) [since jetty-5.1.14-1jpp.1.fc8] CVE-2007-5589 version (phpMyAdmin, fixed 2.11.1.2) #333661 PMASA-2007-6 [since FEDORA-2007-3636] CVE-2007-5503 version (cairo, fixed 1.4.12) [since FEDORA-2007-3913] CVE-2007-5501 version (kernel) [since FEDORA-2007-3837] @@ -628,5 +670,6 @@ CVE-2005-4790 backport (blam, fixed 1.8.4) #395761 [since FEDORA-2007-3798] CVE-2005-4790 backport (tomboy) #362951 [since FEDORA-2007-3253] CVE-2005-3675 ignore (kernel) optack, no upstream fix -- TCP protocol weakness +CVE-2004-0918 version (squid) CVE-2003-1265 ignore (thunderbird) Stuff deleted from userspace is not guarranteed to go away physically moz#198442 CVE-2003-1265 ignore (seamonkey) Stuff deleted from userspace is not guarranteed to go away physically moz#198442 Index: f9 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/f9,v retrieving revision 1.217 retrieving revision 1.218 diff -u -r1.217 -r1.218 --- f9 1 Jul 2008 09:59:00 -0000 1.217 +++ f9 4 Jul 2008 20:12:10 -0000 1.218 
@@ -5,8 +5,39 @@ # (mozilla) = (gecko-libs dependent stuff) rhbz249840 version (tor, fixed 0.1.2.15) +CVE-2008-2960 fixed (phpMyAdmin, fixed 2.11.7) [since FEDORA-2008-5676] PMASA-2008-4 +CVE-2008-2954 fixed (linuxdcpp) #453733 [since FEDORA-2008-6018] +CVE-2008-2953 fixed (linuxdcpp) #453733 [since FEDORA-2008-6018] +CVE-2008-2952 fixed (openldap) #453727 [since FEDORA-2008-6062] +CVE-2008-2942 VULNERABLE (mercurial) CVE-2008-2841 ignore (xchat) windows-only, IE bug CVE-2008-2827 fixed (perl) #452641 [since FEDORA-2008-5739] +CVE-2008-2811 version (firefox, fixed 3.0) [since firefox-3.0-1.fc9] +CVE-2008-2811 VULNERABLE (seamonkey, fixed 1.1.10) #453955 +CVE-2008-2810 version (firefox, fixed 3.0) [since firefox-3.0-1.fc9] +CVE-2008-2810 VULNERABLE (seamonkey, fixed 1.1.10) #453955 +CVE-2008-2809 version (firefox, fixed 3.0) [since firefox-3.0-1.fc9] +CVE-2008-2809 VULNERABLE (seamonkey, fixed 1.1.10) #453955 +CVE-2008-2808 version (firefox, fixed 3.0) [since firefox-3.0-1.fc9] +CVE-2008-2808 VULNERABLE (seamonkey, fixed 1.1.10) #453955 +CVE-2008-2807 version (firefox, fixed 3.0) [since firefox-3.0-1.fc9] +CVE-2008-2807 VULNERABLE (seamonkey, fixed 1.1.10) #453955 +CVE-2008-2806 ignore (firefox, fixed 3.0) Mac OS X specific +CVE-2008-2806 ignore (seamonkey, fixed 1.1.10) Mac OS X specific +CVE-2008-2805 version (firefox, fixed 3.0) [since firefox-3.0-1.fc9] +CVE-2008-2805 VULNERABLE (seamonkey, fixed 1.1.10) #453955 +CVE-2008-2803 version (firefox, fixed 3.0) [since firefox-3.0-1.fc9] +CVE-2008-2803 VULNERABLE (seamonkey, fixed 1.1.10) #453955 +CVE-2008-2802 version (firefox, fixed 3.0) [since firefox-3.0-1.fc9] +CVE-2008-2802 VULNERABLE (seamonkey, fixed 1.1.10) #453955 +CVE-2008-2801 version (firefox, fixed 3.0) [since firefox-3.0-1.fc9] +CVE-2008-2801 VULNERABLE (seamonkey, fixed 1.1.10) #453955 +CVE-2008-2800 version (firefox, fixed 3.0) [since firefox-3.0-1.fc9] +CVE-2008-2800 VULNERABLE (seamonkey, fixed 1.1.10) #453955 +CVE-2008-2799 version (firefox, fixed 
3.0) [since firefox-3.0-1.fc9] +CVE-2008-2799 VULNERABLE (seamonkey, fixed 1.1.10) #453955 +CVE-2008-2798 version (firefox, fixed 3.0) [since firefox-3.0-1.fc9] +CVE-2008-2798 VULNERABLE (seamonkey, fixed 1.1.10) #453955 CVE-2008-2728 ignore (ruby) 1.6.x variant of CVE-2008-2726 CVE-2008-2727 ignore (ruby) 1.6.x variant of CVE-2008-2725 CVE-2008-2726 fixed (ruby, fixed 1.8.6-p230, 1.8.7-p22) #452294 [since FEDORA-2008-5664] @@ -16,6 +47,7 @@ CVE-2008-2722 fixed (gallery2, fixed 2.2.5) [since FEDORA-2008-5576] CVE-2008-2721 fixed (gallery2, fixed 2.2.5) [since FEDORA-2008-5576] CVE-2008-2720 fixed (gallery2, fixed 2.2.5) [since FEDORA-2008-5576] +CVE-2008-2719 VULNERABLE (nasm, fixed 2.03.01) [since nasm-2.03.01-1.fc9] CVE-2008-2713 fixed (clamav, fixed 0.93.1) [since FEDORA-2008-5476] CVE-2008-2711 VULNERABLE (fetchmail, fixed 6.3.9) crash only in verbose mode CVE-2008-2696 VULNERABLE (exiv2, fixed 0.17) 
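Review bot: In the @@ -16,6 +47,7 @@ hunk, the new CVE-2008-2719 line is marked VULNERABLE but also carries [since nasm-2.03.01-1.fc9], the same version the entry lists as the fix (fixed 2.03.01), so the state and the tag contradict each other. If that build is what F9 ships, use a non-VULNERABLE state as the neighbouring entries do (for example `CVE-2008-2811 version (firefox, fixed 3.0) [since firefox-3.0-1.fc9]`). If the build is not available yet, leave the [since ...] tag off until it is.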
@@ -26,13 +58,20 @@ CVE-2008-2426 fixed (imlib2) [since FEDORA-2008-4871] CVE-2008-2420 fixed (stunnel, fixed 4.24) [since FEDORA-2008-4531] CVE-2008-2392 ignore (wordpress) issue only in certain deployments, not affected by default +CVE-2008-2377 ignore (gnutls, fixed 2.4.1) 2.3.5+ only +CVE-2008-2376 fixed (ruby, fixed 1.8.6-p257) [since FEDORA-2008-6033] CVE-2008-2375 ignore (vsftpd) pre-2.0.5 versions only +CVE-2008-2374 VULNERABLE (bluez-libs, fixed 3.34) #452821 +CVE-2008-2371 VULNERABLE (pcre) #453556 +CVE-2008-2371 fixed (glib2) #453560 [since FEDORA-2008-6048] CVE-2008-2363 VULNERABLE (pan) #449334 CVE-2008-2362 fixed (xorg-x11-server) #450926 [since FEDORA-2008-5254] CVE-2008-2361 fixed (xorg-x11-server) #450926 [since FEDORA-2008-5254] CVE-2008-2360 fixed (xorg-x11-server) #450926 [since FEDORA-2008-5254] CVE-2008-2359 ignore (system-config-network) F8 specific issue CVE-2008-2357 fixed (mtr, fixed 0.73) +CVE-2008-2310 ignore (binutils) blocked by fortify_source +CVE-2008-2307 VULNERABLE (WebKit, fixed svn34204) #454095 CVE-2008-2302 fixed (Django, fixed 0.96.2) #447259 [since FEDORA-2008-4267] CVE-2008-2292 fixed (net-snmp, fixed 5.4.2.pre1) [since FEDORA-2008-5215] CVE-2008-2276 VULNERABLE (mantis) upstream fix in 1.2.0a1 seems useless @@ -110,7 +149,7 @@ CVE-2008-1686 version (libfishsound, fixed 0.9.1) #441248 [since libfishsound-0.9.1-1.fc9] CVE-2008-1686 backport (speex) [since speex-1.2-0.7.beta3] CVE-2008-1678 VULNERABLE (httpd) #447311 only affects systems with openssl >= 0.9.8e -CVE-2008-1677 VULNERABLE (fedora-ds-base) #445810 +CVE-2008-1677 version (fedora-ds-base, fixed 1.1.1) #445810 [since FEDORA-2008-4884] CVE-2008-1672 fixed (openssl, fixed 0.9.8h) #448690 [since FEDORA-2008-4723] CVE-2008-1671 ignore (kdelibs) start_kdeinit not shipped CVE-2008-1670 backport (kdelibs) [since kdelibs-4.0.3-7.fc9] 
@@ -473,6 +512,9 @@ CVE-2007-5707 version (openldap, fixed 2.3.39) #360091 [since openldap-2.3.39-1.fc9] CVE-2007-5624 version (nagios, fixed 2.10) #362811 [since nagios-2.10-3.fc9] CVE-2007-5623 backport (nagios-plugins, not fixed 1.4.10) #348731 +CVE-2007-5615 VULNERABLE (jetty) [since jetty-5.1.14-1jpp.1.fc9] +CVE-2007-5614 VULNERABLE (jetty) [since jetty-5.1.14-1jpp.1.fc9] +CVE-2007-5613 VULNERABLE (jetty) [since jetty-5.1.14-1jpp.1.fc9] CVE-2007-5589 version (phpMyAdmin, fixed 2.11.1.2) #333661 PMASA-2007-6 CVE-2007-5503 version (cairo, fixed 1.4.12) [since cairo-1.5.4-1.fc9] CVE-2007-5497 backport (e2fsprogs) #414591 [since e2fsprogs-1.40.2-14.fc9] @@ -599,5 +641,6 @@ CVE-2005-4790 backport (blam, fixed 1.8.4) #395771 [since blam-1.8.3-11.fc9] CVE-2005-4790 backport (tomboy) #362961 [since tomboy-0.8.1-2.fc9] CVE-2005-3675 ignore (kernel) optack, no upstream fix -- TCP protocol weakness +CVE-2004-0918 fixed (squid) [since FEDORA-2008-6045] CVE-2003-1265 ignore (thunderbird) Stuff deleted from userspace is not guarranteed to go away physically moz#198442 CVE-2003-1265 ignore (seamonkey) Stuff deleted from userspace is not guarranteed to go away physically moz#198442 From fedora-security-commits at redhat.com Mon Jul 14 06:45:25 2008 
From: fedora-security-commits at redhat.com (fedora-security-commits at redhat.com) Date: Mon, 14 Jul 2008 06:45:25 GMT Subject: [Fedora-security-commits] fedora-security/audit f10, 1.10, 1.11 f8, 1.228, 1.229 f9, 1.218, 1.219 Message-ID: <200807140645.m6E6jPlZ008267@cvs-int.fedora.redhat.com> Author: thoger Update of /cvs/fedora/fedora-security/audit In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv8206/audit Modified Files: f10 f8 f9 Log Message: last week issues Index: f10 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/f10,v retrieving revision 1.10 retrieving revision 1.11 diff -u -r1.10 -r1.11 --- f10 4 Jul 2008 20:12:09 -0000 1.10 +++ f10 14 Jul 2008 06:44:55 -0000 1.11 @@ -4,10 +4,18 @@ # *CVE are items that need verification for Fedora 10 # (mozilla) = (gecko-libs dependent stuff) +CVE-2008-3145 version (wireshark, fixed 1.0.2) [since wireshark-1.0.2-1.fc10] +CVE-2008-3141 version (wireshark, fixed 1.0.1) [since wireshark-1.0.1-1.fc10] +CVE-2008-3140 version (wireshark, fixed 1.0.1) [since wireshark-1.0.1-1.fc10] +CVE-2008-3139 version (wireshark, fixed 1.0.1) [since wireshark-1.0.1-1.fc10] +CVE-2008-3138 version (wireshark, fixed 1.0.1) [since wireshark-1.0.1-1.fc10] +CVE-2008-3137 version (wireshark, fixed 1.0.1) [since wireshark-1.0.1-1.fc10] +CVE-2008-3067 version (sudo, fixed 1.6.9p12) CVE-2008-2960 version (phpMyAdmin, fixed 2.11.7) [since phpMyAdmin-2.11.7-1.fc10] PMASA-2008-4 CVE-2008-2954 backport (linuxdcpp) #453734 [since linuxdcpp-1.0.1-3.fc10] CVE-2008-2953 backport (linuxdcpp) #453734 [since linuxdcpp-1.0.1-3.fc10] CVE-2008-2952 backport (openldap) #453728 [since openldap-2.4.10-2.fc10] +CVE-2008-2950 VULNERABLE (poppler) #454290 CVE-2008-2942 VULNERABLE (mercurial) CVE-2008-2841 ignore (xchat) windows-only, IE bug CVE-2008-2827 backport (perl) #452642 [since perl-5.10.0-28.fc10] 
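Review bot: The wireshark fix versions added to f10 here disagree with the f8 and f9 hunks of this same commit. f10 records CVE-2008-3145 as fixed 1.0.2 and CVE-2008-3141 as fixed 1.0.1, while f8 and f9 record CVE-2008-3145 as fixed 1.0.1 and CVE-2008-3141 as fixed 1.0.2. One pairing is swapped; check it against the upstream advisory and make the three files agree. Separately, `CVE-2008-3067 version (sudo, fixed 1.6.9p12)` is the only `version` line in this hunk without a [since ...] tag, so the entry does not say which f10 build carries the fix.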
@@ -63,6 +71,7 @@ CVE-2008-2374 version (bluez-libs, fixed 3.34) #452822 [since bluez-libs-3.34-1.fc10] CVE-2008-2371 backport (pcre) #453557 [since pcre-7.3-4.fc10] CVE-2008-2371 version (glib2) #453561 [since glib2-2.17.3-1.fc10] +CVE-2008-2364 VULNERABLE (httpd, fixed 2.2.9) #447312 CVE-2008-2363 VULNERABLE (pan) #449335 CVE-2008-2362 version (xorg-x11-server) #450927 [since xorg-x11-server-1.4.99.902-2.20080612.fc10] CVE-2008-2361 version (xorg-x11-server) #450927 [since xorg-x11-server-1.4.99.902-2.20080612.fc10] @@ -80,7 +89,7 @@ CVE-2008-2119 ignore (asterisk, fixed 1.2.29) AST-2008-008, only for 1.0.x and 1.2.x CVE-2008-2108 version (php, fixed 5.2.6) [since php-5.2.6-2.fc9] CVE-2008-2107 version (php, fixed 5.2.6) [since php-5.2.6-2.fc9] -CVE-2008-2085 VULNERABLE (sipp) #446222 +CVE-2008-2085 backport (sipp) #446222 [since sipp-3.1-2.fc10] CVE-2008-2079 VULNERABLE (mysql, fixed 5.0.60) #445804 CVE-2008-2051 version (php, fixed 5.2.6) [since php-5.2.6-2.fc9] CVE-2008-2004 VULNERABLE (xen) disables format autodetection by default [since xen-3.2.0-11.fc10] 
@@ -111,8 +120,10 @@ CVE-2008-1677 version (fedora-ds-base, fixed 1.1.1) #445810 [since fedora-ds-base-1.1.1-1.fc10] CVE-2008-1672 backport (openssl, fixed 0.9.8h) #448691 [since openssl-0.9.8g-9.fc10] CVE-2008-1531 backport (lighttpd) [since lighttpd-1.4.19-4.fc10] +CVE-2008-1502 version (moodle, fixed 1.9) CVE-2008-1488 VULNERABLE (php-pecl-apc) #438848 CVE-2008-1475 VULNERABLE (roundup, fixed 1.4.5) +CVE-2008-1447 VULNERABLE (bind) #454477 CVE-2008-1423 backport (libvorbis) #446344 [since libvorbis-1.2.0-4.fc10] CVE-2008-1420 backport (libvorbis) #446344 [since libvorbis-1.2.0-4.fc10] CVE-2008-1419 backport (libvorbis) #446344 [since libvorbis-1.2.0-4.fc10] Index: f8 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/f8,v retrieving revision 1.228 retrieving revision 1.229 diff -u -r1.228 -r1.229 --- f8 4 Jul 2008 20:12:09 -0000 1.228 +++ f8 14 Jul 2008 06:44:55 -0000 1.229 
@@ -6,39 +6,47 @@ rhbz293031 fixed (nx) #293031 [since FEDORA-2008-2258] rhbz249840 version (tor, fixed 0.1.2.15) +CVE-2008-3145 VULNERABLE (wireshark, fixed 1.0.1) +CVE-2008-3141 VULNERABLE (wireshark, fixed 1.0.2) +CVE-2008-3140 VULNERABLE (wireshark, fixed 1.0.1) +CVE-2008-3139 VULNERABLE (wireshark, fixed 1.0.1) +CVE-2008-3138 VULNERABLE (wireshark, fixed 1.0.1) +CVE-2008-3137 VULNERABLE (wireshark, fixed 1.0.1) +CVE-2008-3067 VULNERABLE (sudo, fixed 1.6.9p12) CVE-2008-2960 fixed (phpMyAdmin, fixed 2.11.7) [since FEDORA-2008-5640] PMASA-2008-4 CVE-2008-2954 fixed (linuxdcpp) #453732 [since FEDORA-2008-6038] CVE-2008-2953 fixed (linuxdcpp) #453732 [since FEDORA-2008-6038] CVE-2008-2952 fixed (openldap) #453726 [since FEDORA-2008-6029] +CVE-2008-2950 VULNERABLE (poppler) #454288 CVE-2008-2942 VULNERABLE (mercurial) CVE-2008-2841 ignore (xchat) windows-only, IE bug CVE-2008-2827 ignore (perl) perl 5.10 only -CVE-2008-2811 VULNERABLE (firefox, fixed 2.0.0.15) [since firefox-2.0.0.15-1.fc8] -CVE-2008-2811 VULNERABLE (seamonkey, fixed 1.1.10) #453954 -CVE-2008-2810 VULNERABLE (firefox, fixed 2.0.0.15) [since firefox-2.0.0.15-1.fc8] -CVE-2008-2810 VULNERABLE (seamonkey, fixed 1.1.10) #453954 -CVE-2008-2809 VULNERABLE (firefox, fixed 2.0.0.15) [since firefox-2.0.0.15-1.fc8] -CVE-2008-2809 VULNERABLE (seamonkey, fixed 1.1.10) #453954 -CVE-2008-2808 VULNERABLE (firefox, fixed 2.0.0.15) [since firefox-2.0.0.15-1.fc8] -CVE-2008-2808 VULNERABLE (seamonkey, fixed 1.1.10) #453954 -CVE-2008-2807 VULNERABLE (firefox, fixed 2.0.0.15) [since firefox-2.0.0.15-1.fc8] -CVE-2008-2807 VULNERABLE (seamonkey, fixed 1.1.10) #453954 +CVE-2008-2811 fixed (firefox, fixed 2.0.0.15) [since FEDORA-2008-6127] +CVE-2008-2811 fixed (seamonkey, fixed 1.1.10) #453954 [since FEDORA-2008-6196] +CVE-2008-2810 fixed (firefox, fixed 2.0.0.15) [since FEDORA-2008-6127] +CVE-2008-2810 fixed (seamonkey, fixed 1.1.10) #453954 [since FEDORA-2008-6196] +CVE-2008-2809 fixed (firefox, fixed 2.0.0.15) [since 
FEDORA-2008-6127] +CVE-2008-2809 fixed (seamonkey, fixed 1.1.10) #453954 [since FEDORA-2008-6196] +CVE-2008-2808 fixed (firefox, fixed 2.0.0.15) [since FEDORA-2008-6127] +CVE-2008-2808 fixed (seamonkey, fixed 1.1.10) #453954 [since FEDORA-2008-6196] +CVE-2008-2807 fixed (firefox, fixed 2.0.0.15) [since FEDORA-2008-6127] +CVE-2008-2807 fixed (seamonkey, fixed 1.1.10) #453954 [since FEDORA-2008-6196] CVE-2008-2806 ignore (firefox, fixed 2.0.0.15) Mac OS X specific CVE-2008-2806 ignore (seamonkey, fixed 1.1.10) Mac OS X specific -CVE-2008-2805 VULNERABLE (firefox, fixed 2.0.0.15) [since firefox-2.0.0.15-1.fc8] -CVE-2008-2805 VULNERABLE (seamonkey, fixed 1.1.10) #453954 -CVE-2008-2803 VULNERABLE (firefox, fixed 2.0.0.15) [since firefox-2.0.0.15-1.fc8] -CVE-2008-2803 VULNERABLE (seamonkey, fixed 1.1.10) #453954 -CVE-2008-2802 VULNERABLE (firefox, fixed 2.0.0.15) [since firefox-2.0.0.15-1.fc8] -CVE-2008-2802 VULNERABLE (seamonkey, fixed 1.1.10) #453954 -CVE-2008-2801 VULNERABLE (firefox, fixed 2.0.0.15) [since firefox-2.0.0.15-1.fc8] -CVE-2008-2801 VULNERABLE (seamonkey, fixed 1.1.10) #453954 -CVE-2008-2800 VULNERABLE (firefox, fixed 2.0.0.15) [since firefox-2.0.0.15-1.fc8] -CVE-2008-2800 VULNERABLE (seamonkey, fixed 1.1.10) #453954 -CVE-2008-2799 VULNERABLE (firefox, fixed 2.0.0.15) [since firefox-2.0.0.15-1.fc8] -CVE-2008-2799 VULNERABLE (seamonkey, fixed 1.1.10) #453954 -CVE-2008-2798 VULNERABLE (firefox, fixed 2.0.0.15) [since firefox-2.0.0.15-1.fc8] -CVE-2008-2798 VULNERABLE (seamonkey, fixed 1.1.10) #453954 +CVE-2008-2805 fixed (firefox, fixed 2.0.0.15) [since FEDORA-2008-6127] +CVE-2008-2805 fixed (seamonkey, fixed 1.1.10) #453954 [since FEDORA-2008-6196] +CVE-2008-2803 fixed (firefox, fixed 2.0.0.15) [since FEDORA-2008-6127] +CVE-2008-2803 fixed (seamonkey, fixed 1.1.10) #453954 [since FEDORA-2008-6196] +CVE-2008-2802 fixed (firefox, fixed 2.0.0.15) [since FEDORA-2008-6127] +CVE-2008-2802 fixed (seamonkey, fixed 1.1.10) #453954 [since FEDORA-2008-6196] 
+CVE-2008-2801 fixed (firefox, fixed 2.0.0.15) [since FEDORA-2008-6127] +CVE-2008-2801 fixed (seamonkey, fixed 1.1.10) #453954 [since FEDORA-2008-6196] +CVE-2008-2800 fixed (firefox, fixed 2.0.0.15) [since FEDORA-2008-6127] +CVE-2008-2800 fixed (seamonkey, fixed 1.1.10) #453954 [since FEDORA-2008-6196] +CVE-2008-2799 fixed (firefox, fixed 2.0.0.15) [since FEDORA-2008-6127] +CVE-2008-2799 fixed (seamonkey, fixed 1.1.10) #453954 [since FEDORA-2008-6196] +CVE-2008-2798 fixed (firefox, fixed 2.0.0.15) [since FEDORA-2008-6127] +CVE-2008-2798 fixed (seamonkey, fixed 1.1.10) #453954 [since FEDORA-2008-6196] CVE-2008-2783 VULNERABLE (kronolith) CVE-2008-2728 ignore (ruby) 1.6.x variant of CVE-2008-2726 CVE-2008-2727 ignore (ruby) 1.6.x variant of CVE-2008-2725 @@ -63,9 +71,10 @@ CVE-2008-2377 ignore (gnutls, fixed 2.4.1) 2.3.5+ only CVE-2008-2376 fixed (ruby, fixed 1.8.6-p257) [since FEDORA-2008-6094] CVE-2008-2375 ignore (vsftpd) pre-2.0.5 versions only -CVE-2008-2374 VULNERABLE (bluez-libs, fixed 3.34) #452820 -CVE-2008-2371 VULNERABLE (pcre) #453555 +CVE-2008-2374 VULNERABLE (bluez-libs, fixed 3.34) #452820 [since FEDORA-2008-6140] +CVE-2008-2371 fixed (pcre) #453555 [since FEDORA-2008-6111] CVE-2008-2371 fixed (glib2) #453559 [since FEDORA-2008-6025] +CVE-2008-2364 VULNERABLE (httpd, fixed 2.2.9) #454423 CVE-2008-2363 VULNERABLE (pan) #449333 CVE-2008-2362 fixed (xorg-x11-server) #450925 [since FEDORA-2008-5279] CVE-2008-2361 fixed (xorg-x11-server) #450925 [since FEDORA-2008-5279] 
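Review bot: In the @@ -63,9 +71,10 @@ hunk, the CVE-2008-2374 bluez-libs line gains [since FEDORA-2008-6140] but its state stays VULNERABLE, whereas the pcre line changed right beside it moves to `fixed` together with its advisory id (FEDORA-2008-6111). If FEDORA-2008-6140 ships the 3.34 fix, the state should become `fixed` as well; if the advisory does not cover this CVE, the tag should not be on the line. As written, a scan for VULNERABLE entries still reports bluez-libs as open on F8.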
@@ -73,7 +82,7 @@ CVE-2008-2359 fixed (system-config-network) [since FEDORA-2008-4633] CVE-2008-2357 fixed (mtr, fixed 0.73) CVE-2008-2310 ignore (binutils) blocked by fortify_source -CVE-2008-2307 VULNERABLE (WebKit, fixed svn34204) #454094 +CVE-2008-2307 fixed (WebKit, fixed svn34204) #454094 [since FEDORA-2008-6220] CVE-2008-2302 fixed (Django, fixed 0.96.2) #447258 [since FEDORA-2008-4248] CVE-2008-2292 fixed (net-snmp, fixed 5.4.2.pre1) [since FEDORA-2008-5218] CVE-2008-2276 VULNERABLE (mantis) upstream fix in 1.2.0a1 seems useless @@ -88,7 +97,7 @@ CVE-2008-2105 fixed (bugzilla, fixed 3.0.4, 3.1.4) #445822 [since FEDORA-2008-3442] CVE-2008-2104 ignore (bugzilla, fixed 3.1.4) only affects 3.1.3, not in Fedora CVE-2008-2103 fixed (bugzilla, fixed 3.0.4, 3.1.4) #445822 [since FEDORA-2008-3442] -CVE-2008-2085 VULNERABLE (sipp) #446220 +CVE-2008-2085 fixed (sipp) #446220 [since FEDORA-2008-6219] CVE-2008-2079 VULNERABLE (mysql, fixed 5.0.60) #445805 CVE-2008-2068 version (wordpress, fixed 2.5.1) [since FEDORA-2008-3397] CVE-2008-2051 fixed (php, fixed 5.2.6) [since FEDORA-2008-3864] @@ -168,6 +177,7 @@ CVE-2008-1552 fixed (libsilc, fixed 1.1.7) #438382 [since FEDORA-2008-2641] CVE-2008-1532 version (Perlbal, fixed 1.70) #439056 [since FEDORA-2008-2778] CVE-2008-1531 fixed (lighttpd) #439068 [since FEDORA-2008-3376] +CVE-2008-1502 fixed (moodle, fixed 1.8.5) #454247 [since FEDORA-2008-6226] CVE-2008-1488 VULNERABLE (php-pecl-apc) #438847 CVE-2008-1483 ignore (openssh) was alrady fixed by another patch CVE-2008-1482 fixed (xine-lib) #438670 [since FEDORA-2008-2849] 
@@ -175,6 +185,7 @@ CVE-2008-1474 fixed (roundup) #436547 [since FEDORA-2008-2370] CVE-2008-1468 fixed (namazu, fixed 2.0.18) #438667 [since FEDORA-2008-2767] CVE-2008-1467 fixed (centerim) #438871 [since FEDORA-2008-2869] +CVE-2008-1447 fixed (bind) #454475 [since FEDORA-2008-6281] CVE-2008-1423 fixed (libvorbis) #446342 [since FEDORA-2008-3934] CVE-2008-1420 fixed (libvorbis) #446342 [since FEDORA-2008-3934] CVE-2008-1419 fixed (libvorbis) #446342 [since FEDORA-2008-3934] @@ -520,9 +531,9 @@ CVE-2007-5690 version (zaptel) [since FEDORA-2007-2860] not really an issue CVE-2007-5624 version (nagios, fixed 2.10) #362801 [since FEDORA-2007-4145] CVE-2007-5623 backport (nagios-plugins, not fixed 1.4.10) #348731 [since FEDORA-2007-2876] nagios-plugins-1.4.8-9.fc8 -CVE-2007-5615 VULNERABLE (jetty) [since jetty-5.1.14-1jpp.1.fc8] -CVE-2007-5614 VULNERABLE (jetty) [since jetty-5.1.14-1jpp.1.fc8] -CVE-2007-5613 VULNERABLE (jetty) [since jetty-5.1.14-1jpp.1.fc8] +CVE-2007-5615 fixed (jetty) [since FEDORA-2008-6164] +CVE-2007-5614 fixed (jetty) [since FEDORA-2008-6164] +CVE-2007-5613 fixed (jetty) [since FEDORA-2008-6164] CVE-2007-5589 version (phpMyAdmin, fixed 2.11.1.2) #333661 PMASA-2007-6 [since FEDORA-2007-3636] CVE-2007-5503 version (cairo, fixed 1.4.12) [since FEDORA-2007-3913] CVE-2007-5501 version (kernel) [since FEDORA-2007-3837] Index: f9 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/f9,v retrieving revision 1.218 retrieving revision 1.219 diff -u -r1.218 -r1.219 --- f9 4 Jul 2008 20:12:10 -0000 1.218 +++ f9 14 Jul 2008 06:44:55 -0000 1.219 
@@ -5,39 +5,47 @@ # (mozilla) = (gecko-libs dependent stuff) rhbz249840 version (tor, fixed 0.1.2.15) +CVE-2008-3145 VULNERABLE (wireshark, fixed 1.0.1) [since wireshark-1.0.2-1.fc9] +CVE-2008-3141 VULNERABLE (wireshark, fixed 1.0.2) [since wireshark-1.0.2-1.fc9] +CVE-2008-3140 VULNERABLE (wireshark, fixed 1.0.1) [since wireshark-1.0.2-1.fc9] +CVE-2008-3139 VULNERABLE (wireshark, fixed 1.0.1) [since wireshark-1.0.2-1.fc9] +CVE-2008-3138 VULNERABLE (wireshark, fixed 1.0.1) [since wireshark-1.0.2-1.fc9] +CVE-2008-3137 VULNERABLE (wireshark, fixed 1.0.1) [since wireshark-1.0.2-1.fc9] +CVE-2008-3067 version (sudo, fixed 1.6.9p12) CVE-2008-2960 fixed (phpMyAdmin, fixed 2.11.7) [since FEDORA-2008-5676] PMASA-2008-4 CVE-2008-2954 fixed (linuxdcpp) #453733 [since FEDORA-2008-6018] CVE-2008-2953 fixed (linuxdcpp) #453733 [since FEDORA-2008-6018] CVE-2008-2952 fixed (openldap) #453727 [since FEDORA-2008-6062] +CVE-2008-2950 VULNERABLE (poppler) #454289 CVE-2008-2942 VULNERABLE (mercurial) CVE-2008-2841 ignore (xchat) windows-only, IE bug CVE-2008-2827 fixed (perl) #452641 [since FEDORA-2008-5739] CVE-2008-2811 version (firefox, fixed 3.0) [since firefox-3.0-1.fc9] -CVE-2008-2811 VULNERABLE (seamonkey, fixed 1.1.10) #453955 +CVE-2008-2811 fixed (seamonkey, fixed 1.1.10) #453955 [since FEDORA-2008-6193] CVE-2008-2810 version (firefox, fixed 3.0) [since firefox-3.0-1.fc9] -CVE-2008-2810 VULNERABLE (seamonkey, fixed 1.1.10) #453955 +CVE-2008-2810 fixed (seamonkey, fixed 1.1.10) #453955 [since FEDORA-2008-6193] CVE-2008-2809 version (firefox, fixed 3.0) [since firefox-3.0-1.fc9] -CVE-2008-2809 VULNERABLE (seamonkey, fixed 1.1.10) #453955 +CVE-2008-2809 fixed (seamonkey, fixed 1.1.10) #453955 [since FEDORA-2008-6193] CVE-2008-2808 version (firefox, fixed 3.0) [since firefox-3.0-1.fc9] -CVE-2008-2808 VULNERABLE (seamonkey, fixed 1.1.10) #453955 +CVE-2008-2808 fixed (seamonkey, fixed 1.1.10) #453955 [since FEDORA-2008-6193] CVE-2008-2807 version (firefox, fixed 3.0) [since 
firefox-3.0-1.fc9] -CVE-2008-2807 VULNERABLE (seamonkey, fixed 1.1.10) #453955 +CVE-2008-2807 fixed (seamonkey, fixed 1.1.10) #453955 [since FEDORA-2008-6193] CVE-2008-2806 ignore (firefox, fixed 3.0) Mac OS X specific CVE-2008-2806 ignore (seamonkey, fixed 1.1.10) Mac OS X specific CVE-2008-2805 version (firefox, fixed 3.0) [since firefox-3.0-1.fc9] -CVE-2008-2805 VULNERABLE (seamonkey, fixed 1.1.10) #453955 +CVE-2008-2805 fixed (seamonkey, fixed 1.1.10) #453955 [since FEDORA-2008-6193] CVE-2008-2803 version (firefox, fixed 3.0) [since firefox-3.0-1.fc9] -CVE-2008-2803 VULNERABLE (seamonkey, fixed 1.1.10) #453955 +CVE-2008-2803 fixed (seamonkey, fixed 1.1.10) #453955 [since FEDORA-2008-6193] CVE-2008-2802 version (firefox, fixed 3.0) [since firefox-3.0-1.fc9] -CVE-2008-2802 VULNERABLE (seamonkey, fixed 1.1.10) #453955 +CVE-2008-2802 fixed (seamonkey, fixed 1.1.10) #453955 [since FEDORA-2008-6193] CVE-2008-2801 version (firefox, fixed 3.0) [since firefox-3.0-1.fc9] -CVE-2008-2801 VULNERABLE (seamonkey, fixed 1.1.10) #453955 +CVE-2008-2801 fixed (seamonkey, fixed 1.1.10) #453955 [since FEDORA-2008-6193] CVE-2008-2800 version (firefox, fixed 3.0) [since firefox-3.0-1.fc9] -CVE-2008-2800 VULNERABLE (seamonkey, fixed 1.1.10) #453955 +CVE-2008-2800 fixed (seamonkey, fixed 1.1.10) #453955 [since FEDORA-2008-6193] CVE-2008-2799 version (firefox, fixed 3.0) [since firefox-3.0-1.fc9] -CVE-2008-2799 VULNERABLE (seamonkey, fixed 1.1.10) #453955 +CVE-2008-2799 fixed (seamonkey, fixed 1.1.10) #453955 [since FEDORA-2008-6193] CVE-2008-2798 version (firefox, fixed 3.0) [since firefox-3.0-1.fc9] -CVE-2008-2798 VULNERABLE (seamonkey, fixed 1.1.10) #453955 +CVE-2008-2798 fixed (seamonkey, fixed 1.1.10) #453955 [since FEDORA-2008-6193] CVE-2008-2728 ignore (ruby) 1.6.x variant of CVE-2008-2726 CVE-2008-2727 ignore (ruby) 1.6.x variant of CVE-2008-2725 CVE-2008-2726 fixed (ruby, fixed 1.8.6-p230, 1.8.7-p22) #452294 [since FEDORA-2008-5664] 
@@ -47,7 +55,7 @@ CVE-2008-2722 fixed (gallery2, fixed 2.2.5) [since FEDORA-2008-5576] CVE-2008-2721 fixed (gallery2, fixed 2.2.5) [since FEDORA-2008-5576] CVE-2008-2720 fixed (gallery2, fixed 2.2.5) [since FEDORA-2008-5576] -CVE-2008-2719 VULNERABLE (nasm, fixed 2.03.01) [since nasm-2.03.01-1.fc9] +CVE-2008-2719 fixed (nasm, fixed 2.03.01) [since FEDORA-2008-5473] CVE-2008-2713 fixed (clamav, fixed 0.93.1) [since FEDORA-2008-5476] CVE-2008-2711 VULNERABLE (fetchmail, fixed 6.3.9) crash only in verbose mode CVE-2008-2696 VULNERABLE (exiv2, fixed 0.17) @@ -61,9 +69,10 @@ CVE-2008-2377 ignore (gnutls, fixed 2.4.1) 2.3.5+ only CVE-2008-2376 fixed (ruby, fixed 1.8.6-p257) [since FEDORA-2008-6033] CVE-2008-2375 ignore (vsftpd) pre-2.0.5 versions only -CVE-2008-2374 VULNERABLE (bluez-libs, fixed 3.34) #452821 -CVE-2008-2371 VULNERABLE (pcre) #453556 +CVE-2008-2374 VULNERABLE (bluez-libs, fixed 3.34) #452821 [since FEDORA-2008-6133] +CVE-2008-2371 fixed (pcre) #453556 [since FEDORA-2008-6110] CVE-2008-2371 fixed (glib2) #453560 [since FEDORA-2008-6048] +CVE-2008-2364 VULNERABLE (httpd, fixed 2.2.9) #447311 CVE-2008-2363 VULNERABLE (pan) #449334 CVE-2008-2362 fixed (xorg-x11-server) #450926 [since FEDORA-2008-5254] CVE-2008-2361 fixed (xorg-x11-server) #450926 [since FEDORA-2008-5254] @@ -71,7 +80,7 @@ CVE-2008-2359 ignore (system-config-network) F8 specific issue CVE-2008-2357 fixed (mtr, fixed 0.73) CVE-2008-2310 ignore (binutils) blocked by fortify_source -CVE-2008-2307 VULNERABLE (WebKit, fixed svn34204) #454095 +CVE-2008-2307 fixed (WebKit, fixed svn34204) #454095 [since FEDORA-2008-6186] CVE-2008-2302 fixed (Django, fixed 0.96.2) #447259 [since FEDORA-2008-4267] CVE-2008-2292 fixed (net-snmp, fixed 5.4.2.pre1) [since FEDORA-2008-5215] CVE-2008-2276 VULNERABLE (mantis) upstream fix in 1.2.0a1 seems useless 
@@ -168,6 +177,7 @@ CVE-2008-1552 version (libsilc, fixed 1.1.7) #438382 [since libsilc-1.1.7-1.fc9] CVE-2008-1532 version (Perlbal, fixed 1.70) [since Perlbal-1.70-1.fc9] CVE-2008-1531 fixed (lighttpd) #439069 [since FEDORA-2008-4119] +CVE-2008-1502 version (moodle, fixed 1.9) CVE-2008-1488 VULNERABLE (php-pecl-apc) #438848 CVE-2008-1483 ignore (openssh) was alrady fixed by another patch CVE-2008-1482 version (xine-lib) #438671 [since xine-lib-1.1.11.1-1.fc9] @@ -175,6 +185,7 @@ CVE-2008-1474 version (roundup) #436549 [since roundup-1.4.4-1.fc9] CVE-2008-1468 version (namazu, fixed 2.0.18) #438668 [since namazu-2.0.18-1.fc9] CVE-2008-1467 fixed (centerim) #438871 +CVE-2008-1447 fixed (bind) #454476 [since FEDORA-2008-6256] CVE-2008-1423 fixed (libvorbis) #446343 [since FEDORA-2008-3910] CVE-2008-1420 fixed (libvorbis) #446343 [since FEDORA-2008-3910] CVE-2008-1419 fixed (libvorbis) #446343 [since FEDORA-2008-3910] From fedora-security-commits at redhat.com Fri Jul 25 15:29:55 2008 From: fedora-security-commits at redhat.com (fedora-security-commits at redhat.com) Date: Fri, 25 Jul 2008 15:29:55 GMT Subject: [Fedora-security-commits] fedora-security/audit f10, 1.11, 1.12 f8, 1.229, 1.230 f9, 1.219, 1.220 Message-ID: <200807251529.m6PFTt0o032462@cvs-int.fedora.redhat.com> Author: thoger Update of /cvs/fedora/fedora-security/audit In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv32363/audit Modified Files: f10 f8 f9 Log Message: commit changes after some long time... Index: f10 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/f10,v retrieving revision 1.11 retrieving revision 1.12 diff -u -r1.11 -r1.12 --- f10 14 Jul 2008 06:44:55 -0000 1.11 +++ f10 25 Jul 2008 15:29:25 -0000 1.12 
@@ -4,6 +4,24 @@ # *CVE are items that need verification for Fedora 10 # (mozilla) = (gecko-libs dependent stuff) +CVE-2008-3294 ignore (vim) build-time tmp file usage +CVE-2008-3264 ignore (asterisk) AST-2008-011 - 1.6.x not affected +CVE-2008-3263 ignore (asterisk) AST-2008-010 - 1.6.x not affected +CVE-2008-3259 ignore (openssh, fixed 5.1) HP-UX only +CVE-2008-3252 backport (newsx) [since newsx-1.6-9.fc10] +CVE-2008-3233 ignore (wordrepss, fixed 2.6) only 2.6 devel versions affected +CVE-2008-3231 VULNERABLE (xine-lib) +CVE-2008-3223 version (drupal, fixed 6.3) [since drupal-6.3-1.fc10] +CVE-2008-3222 version (drupal, fixed 6.3) [since drupal-6.3-1.fc10] +CVE-2008-3221 version (drupal, fixed 6.3) [since drupal-6.3-1.fc10] +CVE-2008-3220 version (drupal, fixed 6.3) [since drupal-6.3-1.fc10] +CVE-2008-3219 version (drupal, fixed 6.3) [since drupal-6.3-1.fc10] +CVE-2008-3218 version (drupal, fixed 6.3) [since drupal-6.3-1.fc10] +CVE-2008-3217 version (pdns-recursor, fixed 3.1.6) [since pdns-recursor-3.1.6-1.fc10] +CVE-2008-3215 version (clamav, fixed 0.93.3) [since clamav-0.93.3-1.fc10] +CVE-2008-3198 VULNERABLE (firefox, fixed 3.0.1) +CVE-2008-3197 version (phpMyAdmin, fixed 2.11.7.1) [since phpMyAdmin-2.11.7.1-1.fc10] +CVE-2008-3196 backport (byacc) [since byacc-1.9.20070509-4.fc10] CVE-2008-3145 version (wireshark, fixed 1.0.2) [since wireshark-1.0.2-1.fc10] CVE-2008-3141 version (wireshark, fixed 1.0.1) [since wireshark-1.0.1-1.fc10] CVE-2008-3140 version (wireshark, fixed 1.0.1) [since wireshark-1.0.1-1.fc10] 
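Review bot: Typo in the package name on the new CVE-2008-3233 line: `(wordrepss, fixed 2.6)` should read `(wordpress, fixed 2.6)`, the spelling used by the existing CVE-2008-2392 entry. A search of the audit file by package name will miss this entry as written. The same misspelling is repeated in the f8 hunk of this commit and should be corrected there too.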
@@ -17,34 +35,45 @@ CVE-2008-2952 backport (openldap) #453728 [since openldap-2.4.10-2.fc10] CVE-2008-2950 VULNERABLE (poppler) #454290 CVE-2008-2942 VULNERABLE (mercurial) +CVE-2008-2933 VULNERABLE (firefox, fixed 3.0.1) CVE-2008-2841 ignore (xchat) windows-only, IE bug CVE-2008-2827 backport (perl) #452642 [since perl-5.10.0-28.fc10] CVE-2008-2811 version (firefox, fixed 3.0) [since firefox-3.0-1.fc10] CVE-2008-2811 VULNERABLE (seamonkey, fixed 1.1.10) +CVE-2008-2811 version (thunderbird, fixed 2.0.0.16) [since thunderbird-2.0.0.16-1.fc10] CVE-2008-2810 version (firefox, fixed 3.0) [since firefox-3.0-1.fc10] CVE-2008-2810 VULNERABLE (seamonkey, fixed 1.1.10) CVE-2008-2809 version (firefox, fixed 3.0) [since firefox-3.0-1.fc10] CVE-2008-2809 VULNERABLE (seamonkey, fixed 1.1.10) +CVE-2008-2809 version (thunderbird, fixed 2.0.0.16) [since thunderbird-2.0.0.16-1.fc10] CVE-2008-2808 version (firefox, fixed 3.0) [since firefox-3.0-1.fc10] CVE-2008-2808 VULNERABLE (seamonkey, fixed 1.1.10) CVE-2008-2807 version (firefox, fixed 3.0) [since firefox-3.0-1.fc10] CVE-2008-2807 VULNERABLE (seamonkey, fixed 1.1.10) +CVE-2008-2807 version (thunderbird, fixed 2.0.0.16) [since thunderbird-2.0.0.16-1.fc10] CVE-2008-2806 ignore (firefox, fixed 3.0) Mac OS X specific CVE-2008-2806 ignore (seamonkey, fixed 1.1.10) Mac OS X specific CVE-2008-2805 version (firefox, fixed 3.0) [since firefox-3.0-1.fc10] CVE-2008-2805 VULNERABLE (seamonkey, fixed 1.1.10) CVE-2008-2803 version (firefox, fixed 3.0) [since firefox-3.0-1.fc10] CVE-2008-2803 VULNERABLE (seamonkey, fixed 1.1.10) +CVE-2008-2803 version (thunderbird, fixed 2.0.0.16) [since thunderbird-2.0.0.16-1.fc10] CVE-2008-2802 version (firefox, fixed 3.0) [since firefox-3.0-1.fc10] CVE-2008-2802 VULNERABLE (seamonkey, fixed 1.1.10) +CVE-2008-2802 version (thunderbird, fixed 2.0.0.16) [since thunderbird-2.0.0.16-1.fc10] CVE-2008-2801 version (firefox, fixed 3.0) [since firefox-3.0-1.fc10] CVE-2008-2801 VULNERABLE (seamonkey, fixed 1.1.10) 
CVE-2008-2800 version (firefox, fixed 3.0) [since firefox-3.0-1.fc10] CVE-2008-2800 VULNERABLE (seamonkey, fixed 1.1.10) CVE-2008-2799 version (firefox, fixed 3.0) [since firefox-3.0-1.fc10] CVE-2008-2799 VULNERABLE (seamonkey, fixed 1.1.10) +CVE-2008-2799 version (thunderbird, fixed 2.0.0.16) [since thunderbird-2.0.0.16-1.fc10] CVE-2008-2798 version (firefox, fixed 3.0) [since firefox-3.0-1.fc10] CVE-2008-2798 VULNERABLE (seamonkey, fixed 1.1.10) +CVE-2008-2798 version (thunderbird, fixed 2.0.0.16) [since thunderbird-2.0.0.16-1.fc10] +CVE-2008-2785 VULNERABLE (seamonkey, fixed 1.1.11) +CVE-2008-2785 VULNERABLE (firefox, fixed 3.0.1) +CVE-2008-2785 version (thunderbird, fixed 2.0.0.16) [since thunderbird-2.0.0.16-1.fc10] CVE-2008-2728 ignore (ruby) 1.6.x variant of CVE-2008-2726 CVE-2008-2727 ignore (ruby) 1.6.x variant of CVE-2008-2725 CVE-2008-2726 version (ruby, fixed 1.8.6-p230, 1.8.7-p22) #452295 [since ruby-1.8.6.230-1.fc10] @@ -121,9 +150,10 @@ CVE-2008-1672 backport (openssl, fixed 0.9.8h) #448691 [since openssl-0.9.8g-9.fc10] CVE-2008-1531 backport (lighttpd) [since lighttpd-1.4.19-4.fc10] CVE-2008-1502 version (moodle, fixed 1.9) -CVE-2008-1488 VULNERABLE (php-pecl-apc) #438848 +CVE-2008-1488 version (php-pecl-apc) #438848 [since php-pecl-apc-3.0.19-1.fc10] CVE-2008-1475 VULNERABLE (roundup, fixed 1.4.5) -CVE-2008-1447 VULNERABLE (bind) #454477 +CVE-2008-1447 version (bind) #454477 [since bind-9.5.1-0.1.b1.fc10)] +CVE-2008-1447 version (dnssec-tools) [since dnssec-tools-1.4.1-2.fc10] CVE-2008-1423 backport (libvorbis) #446344 [since libvorbis-1.2.0-4.fc10] CVE-2008-1420 backport (libvorbis) #446344 [since libvorbis-1.2.0-4.fc10] CVE-2008-1419 backport (libvorbis) #446344 [since libvorbis-1.2.0-4.fc10] 
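Review bot: Stray closing parenthesis in the [since ...] tag of the changed CVE-2008-1447 bind line in the @@ -121,9 +150,10 @@ hunk: `[since bind-9.5.1-0.1.b1.fc10)]` should be `[since bind-9.5.1-0.1.b1.fc10]`. Every other tag in the file is a bare package NVR or advisory id between the brackets, so the extra `)` ends up inside the package version that any parser of this field reads.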
@@ -154,9 +184,9 @@ CVE-2007-5907 VULNERABLE (xen) #390121 CVE-2007-5906 VULNERABLE (xen) #390121 CVE-2007-5803 version (nagios, fixed 2.12) #446383 [since nagios-2.12-3.fc10] -CVE-2007-5615 backport (jetty) [since jetty-5.1.14-1jpp.1.fc10] -CVE-2007-5614 backport (jetty) [since jetty-5.1.14-1jpp.1.fc10] -CVE-2007-5613 backport (jetty) [since jetty-5.1.14-1jpp.1.fc10] +CVE-2007-5615 backport (jetty) [since jetty-5.1.14-1jpp.2.fc10] +CVE-2007-5614 backport (jetty) [since jetty-5.1.14-1jpp.2.fc10] +CVE-2007-5613 backport (jetty) [since jetty-5.1.14-1jpp.2.fc10] CVE-2007-5079 VULNERABLE (gdm) #363041 Red Hat specific problem CVE-2007-4829 VULNERABLE (perl, not fixed upstream) #364291 perl-Archive-Tar directory traversal CVE-2007-4559 VULNERABLE (python, not fixed upstream) #315291 Upstream WONTFIX. See where we use the code. Index: f8 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/f8,v retrieving revision 1.229 retrieving revision 1.230 diff -u -r1.229 -r1.230 --- f8 14 Jul 2008 06:44:55 -0000 1.229 +++ f8 25 Jul 2008 15:29:25 -0000 1.230 
@@ -6,12 +6,29 @@ rhbz293031 fixed (nx) #293031 [since FEDORA-2008-2258] rhbz249840 version (tor, fixed 0.1.2.15) -CVE-2008-3145 VULNERABLE (wireshark, fixed 1.0.1) -CVE-2008-3141 VULNERABLE (wireshark, fixed 1.0.2) -CVE-2008-3140 VULNERABLE (wireshark, fixed 1.0.1) -CVE-2008-3139 VULNERABLE (wireshark, fixed 1.0.1) -CVE-2008-3138 VULNERABLE (wireshark, fixed 1.0.1) -CVE-2008-3137 VULNERABLE (wireshark, fixed 1.0.1) +CVE-2008-3294 ignore (vim) build-time tmp file usage +CVE-2008-3264 fixed (asterisk, fixed 1.4.21.2) [since FEDORA-2008-6676] AST-2008-011 +CVE-2008-3263 fixed (asterisk, fixed 1.4.21.2) [since FEDORA-2008-6676] AST-2008-010 +CVE-2008-3259 ignore (openssh, fixed 5.1) HP-UX only +CVE-2008-3252 fixed (newsx) [since FEDORA-2008-6319] +CVE-2008-3233 ignore (wordrepss, fixed 2.6) only 2.6 devel versions affected +CVE-2008-3231 VULNERABLE (xine-lib) +CVE-2008-3223 ignore (drupal) 6.x only +CVE-2008-3222 fixed (drupal, fixed 5.8) [since FEDORA-2008-6411] +CVE-2008-3221 ignore (drupal) 6.x only +CVE-2008-3220 fixed (drupal, fixed 5.8) [since FEDORA-2008-6411] +CVE-2008-3219 fixed (drupal, fixed 5.8) [since FEDORA-2008-6411] +CVE-2008-3218 ignore (drupal) 6.x only +CVE-2008-3217 VULNERABLE (pdns-recursor, fixed 3.1.6) +CVE-2008-3215 fixed (clamav, fixed 0.93.3) [since FEDORA-2008-6422] +CVE-2008-3197 fixed (phpMyAdmin, fixed 2.11.7.1) [since FEDORA-2008-6450] +CVE-2008-3196 VULNERABLE (byacc) [since FEDORA-2008-6429] +CVE-2008-3145 fixed (wireshark, fixed 1.0.1) [since FEDORA-2008-6645] +CVE-2008-3141 fixed (wireshark, fixed 1.0.2) [since FEDORA-2008-6645] +CVE-2008-3140 fixed (wireshark, fixed 1.0.1) [since FEDORA-2008-6645] +CVE-2008-3139 fixed (wireshark, fixed 1.0.1) [since FEDORA-2008-6645] +CVE-2008-3138 fixed (wireshark, fixed 1.0.1) [since FEDORA-2008-6645] +CVE-2008-3137 fixed (wireshark, fixed 1.0.1) [since FEDORA-2008-6645] CVE-2008-3067 VULNERABLE (sudo, fixed 1.6.9p12) CVE-2008-2960 fixed (phpMyAdmin, fixed 2.11.7) [since FEDORA-2008-5640] 
PMASA-2008-4 CVE-2008-2954 fixed (linuxdcpp) #453732 [since FEDORA-2008-6038] 
@@ -19,34 +36,45 @@ CVE-2008-2952 fixed (openldap) #453726 [since FEDORA-2008-6029] CVE-2008-2950 VULNERABLE (poppler) #454288 CVE-2008-2942 VULNERABLE (mercurial) +CVE-2008-2933 fixed (firefox, fixed 2.0.0.16) [since FEDORA-2008-6491] CVE-2008-2841 ignore (xchat) windows-only, IE bug CVE-2008-2827 ignore (perl) perl 5.10 only CVE-2008-2811 fixed (firefox, fixed 2.0.0.15) [since FEDORA-2008-6127] CVE-2008-2811 fixed (seamonkey, fixed 1.1.10) #453954 [since FEDORA-2008-6196] +CVE-2008-2811 VULNERABLE (thunderbird, fixed 2.0.0.16) [since FEDORA-2008-6706] CVE-2008-2810 fixed (firefox, fixed 2.0.0.15) [since FEDORA-2008-6127] CVE-2008-2810 fixed (seamonkey, fixed 1.1.10) #453954 [since FEDORA-2008-6196] CVE-2008-2809 fixed (firefox, fixed 2.0.0.15) [since FEDORA-2008-6127] CVE-2008-2809 fixed (seamonkey, fixed 1.1.10) #453954 [since FEDORA-2008-6196] +CVE-2008-2809 VULNERABLE (thunderbird, fixed 2.0.0.16) [since FEDORA-2008-6706] CVE-2008-2808 fixed (firefox, fixed 2.0.0.15) [since FEDORA-2008-6127] CVE-2008-2808 fixed (seamonkey, fixed 1.1.10) #453954 [since FEDORA-2008-6196] CVE-2008-2807 fixed (firefox, fixed 2.0.0.15) [since FEDORA-2008-6127] CVE-2008-2807 fixed (seamonkey, fixed 1.1.10) #453954 [since FEDORA-2008-6196] +CVE-2008-2807 VULNERABLE (thunderbird, fixed 2.0.0.16) [since FEDORA-2008-6706] CVE-2008-2806 ignore (firefox, fixed 2.0.0.15) Mac OS X specific CVE-2008-2806 ignore (seamonkey, fixed 1.1.10) Mac OS X specific CVE-2008-2805 fixed (firefox, fixed 2.0.0.15) [since FEDORA-2008-6127] CVE-2008-2805 fixed (seamonkey, fixed 1.1.10) #453954 [since FEDORA-2008-6196] CVE-2008-2803 fixed (firefox, fixed 2.0.0.15) [since FEDORA-2008-6127] CVE-2008-2803 fixed (seamonkey, fixed 1.1.10) #453954 [since FEDORA-2008-6196] +CVE-2008-2803 VULNERABLE (thunderbird, fixed 2.0.0.16) [since FEDORA-2008-6706] CVE-2008-2802 fixed (firefox, fixed 2.0.0.15) [since FEDORA-2008-6127] CVE-2008-2802 fixed (seamonkey, fixed 1.1.10) #453954 [since FEDORA-2008-6196] +CVE-2008-2802 
VULNERABLE (thunderbird, fixed 2.0.0.16) [since FEDORA-2008-6706] CVE-2008-2801 fixed (firefox, fixed 2.0.0.15) [since FEDORA-2008-6127] CVE-2008-2801 fixed (seamonkey, fixed 1.1.10) #453954 [since FEDORA-2008-6196] CVE-2008-2800 fixed (firefox, fixed 2.0.0.15) [since FEDORA-2008-6127] CVE-2008-2800 fixed (seamonkey, fixed 1.1.10) #453954 [since FEDORA-2008-6196] CVE-2008-2799 fixed (firefox, fixed 2.0.0.15) [since FEDORA-2008-6127] CVE-2008-2799 fixed (seamonkey, fixed 1.1.10) #453954 [since FEDORA-2008-6196] +CVE-2008-2799 VULNERABLE (thunderbird, fixed 2.0.0.16) [since FEDORA-2008-6706] CVE-2008-2798 fixed (firefox, fixed 2.0.0.15) [since FEDORA-2008-6127] CVE-2008-2798 fixed (seamonkey, fixed 1.1.10) #453954 [since FEDORA-2008-6196] +CVE-2008-2798 VULNERABLE (thunderbird, fixed 2.0.0.16) [since FEDORA-2008-6706] +CVE-2008-2785 fixed (seamonkey, fixed 1.1.11) [since FEDORA-2008-6517] +CVE-2008-2785 fixed (firefox, fixed 2.0.0.16) [since FEDORA-2008-6491] +CVE-2008-2785 VULNERABLE (thunderbird, fixed 2.0.0.16) [since FEDORA-2008-6706] CVE-2008-2783 VULNERABLE (kronolith) CVE-2008-2728 ignore (ruby) 1.6.x variant of CVE-2008-2726 CVE-2008-2727 ignore (ruby) 1.6.x variant of CVE-2008-2725 @@ -58,7 +86,7 @@ CVE-2008-2721 fixed (gallery2, fixed 2.2.5) [since FEDORA-2008-5479] CVE-2008-2720 fixed (gallery2, fixed 2.2.5) [since FEDORA-2008-5479] CVE-2008-2719 ignore (nasm, fixed 2.03.01) not affected -CVE-2008-2713 VULNERABLE (clamav, fixed 0.93.1) +CVE-2008-2713 fixed (clamav, fixed 0.93.1) [since FEDORA-2008-6422] CVE-2008-2711 VULNERABLE (fetchmail, fixed 6.3.9) crash only in verbose mode CVE-2008-2696 VULNERABLE (exiv2, fixed 0.17) CVE-2008-2664 fixed (ruby, fixed 1.8.6-p230, 1.8.7-p22) #452293 [since FEDORA-2008-5649] 
@@ -74,7 +102,7 @@ CVE-2008-2374 VULNERABLE (bluez-libs, fixed 3.34) #452820 [since FEDORA-2008-6140] CVE-2008-2371 fixed (pcre) #453555 [since FEDORA-2008-6111] CVE-2008-2371 fixed (glib2) #453559 [since FEDORA-2008-6025] -CVE-2008-2364 VULNERABLE (httpd, fixed 2.2.9) #454423 +CVE-2008-2364 VULNERABLE (httpd, fixed 2.2.9) #454423 [since FEDORA-2008-6314] CVE-2008-2363 VULNERABLE (pan) #449333 CVE-2008-2362 fixed (xorg-x11-server) #450925 [since FEDORA-2008-5279] CVE-2008-2361 fixed (xorg-x11-server) #450925 [since FEDORA-2008-5279] @@ -178,7 +206,7 @@ CVE-2008-1532 version (Perlbal, fixed 1.70) #439056 [since FEDORA-2008-2778] CVE-2008-1531 fixed (lighttpd) #439068 [since FEDORA-2008-3376] CVE-2008-1502 fixed (moodle, fixed 1.8.5) #454247 [since FEDORA-2008-6226] -CVE-2008-1488 VULNERABLE (php-pecl-apc) #438847 +CVE-2008-1488 fixed (php-pecl-apc) #438847 [since FEDORA-2008-6344] CVE-2008-1483 ignore (openssh) was alrady fixed by another patch CVE-2008-1482 fixed (xine-lib) #438670 [since FEDORA-2008-2849] CVE-2008-1475 VULNERABLE (roundup, fixed 1.4.5) @@ -186,6 +214,7 @@ CVE-2008-1468 fixed (namazu, fixed 2.0.18) #438667 [since FEDORA-2008-2767] CVE-2008-1467 fixed (centerim) #438871 [since FEDORA-2008-2869] CVE-2008-1447 fixed (bind) #454475 [since FEDORA-2008-6281] +CVE-2008-1447 fixed (dnssec-tools) [since FEDORA-2008-6691] CVE-2008-1423 fixed (libvorbis) #446342 [since FEDORA-2008-3934] CVE-2008-1420 fixed (libvorbis) #446342 [since FEDORA-2008-3934] CVE-2008-1419 fixed (libvorbis) #446342 [since FEDORA-2008-3934] Index: f9 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/f9,v retrieving revision 1.219 retrieving revision 1.220 diff -u -r1.219 -r1.220 --- f9 14 Jul 2008 06:44:55 -0000 1.219 +++ f9 25 Jul 2008 15:29:25 -0000 1.220 
@@ -5,12 +5,30 @@ # (mozilla) = (gecko-libs dependent stuff) rhbz249840 version (tor, fixed 0.1.2.15) -CVE-2008-3145 VULNERABLE (wireshark, fixed 1.0.1) [since wireshark-1.0.2-1.fc9] -CVE-2008-3141 VULNERABLE (wireshark, fixed 1.0.2) [since wireshark-1.0.2-1.fc9] -CVE-2008-3140 VULNERABLE (wireshark, fixed 1.0.1) [since wireshark-1.0.2-1.fc9] -CVE-2008-3139 VULNERABLE (wireshark, fixed 1.0.1) [since wireshark-1.0.2-1.fc9] -CVE-2008-3138 VULNERABLE (wireshark, fixed 1.0.1) [since wireshark-1.0.2-1.fc9] -CVE-2008-3137 VULNERABLE (wireshark, fixed 1.0.1) [since wireshark-1.0.2-1.fc9] +CVE-2008-3294 ignore (vim) build-time tmp file usage +CVE-2008-3264 ignore (asterisk) AST-2008-011 - 1.6.x not affected +CVE-2008-3263 ignore (asterisk) AST-2008-010 - 1.6.x not affected +CVE-2008-3259 ignore (openssh, fixed 5.1) HP-UX only +CVE-2008-3252 fixed (newsx) [since FEDORA-2008-6321] +CVE-2008-3233 ignore (wordrepss, fixed 2.6) only 2.6 devel versions affected +CVE-2008-3231 VULNERABLE (xine-lib) +CVE-2008-3223 fixed (drupal, fixed 6.3) [since FEDORA-2008-6415] +CVE-2008-3222 fixed (drupal, fixed 6.3) [since FEDORA-2008-6415] +CVE-2008-3221 fixed (drupal, fixed 6.3) [since FEDORA-2008-6415] +CVE-2008-3220 fixed (drupal, fixed 6.3) [since FEDORA-2008-6415] +CVE-2008-3219 fixed (drupal, fixed 6.3) [since FEDORA-2008-6415] +CVE-2008-3218 fixed (drupal, fixed 6.3) [since FEDORA-2008-6415] +CVE-2008-3217 VULNERABLE (pdns-recursor, fixed 3.1.6) +CVE-2008-3215 fixed (clamav, fixed 0.93.3) [since FEDORA-2008-6338] +CVE-2008-3198 fixed (firefox, fixed 3.0.1) [since FEDORA-2008-6518] +CVE-2008-3197 fixed (phpMyAdmin, fixed 2.11.7.1) [since FEDORA-2008-6502] +CVE-2008-3196 VULNERABLE (byacc) [since FEDORA-2008-6414] +CVE-2008-3145 fixed (wireshark, fixed 1.0.1) [since FEDORA-2008-6440] +CVE-2008-3141 fixed (wireshark, fixed 1.0.2) [since FEDORA-2008-6440] +CVE-2008-3140 fixed (wireshark, fixed 1.0.1) [since FEDORA-2008-6440] +CVE-2008-3139 fixed (wireshark, fixed 1.0.1) [since 
FEDORA-2008-6440] +CVE-2008-3138 fixed (wireshark, fixed 1.0.1) [since FEDORA-2008-6440] +CVE-2008-3137 fixed (wireshark, fixed 1.0.1) [since FEDORA-2008-6440] CVE-2008-3067 version (sudo, fixed 1.6.9p12) CVE-2008-2960 fixed (phpMyAdmin, fixed 2.11.7) [since FEDORA-2008-5676] PMASA-2008-4 CVE-2008-2954 fixed (linuxdcpp) #453733 [since FEDORA-2008-6018] 
@@ -18,34 +36,45 @@ CVE-2008-2952 fixed (openldap) #453727 [since FEDORA-2008-6062] CVE-2008-2950 VULNERABLE (poppler) #454289 CVE-2008-2942 VULNERABLE (mercurial) +CVE-2008-2933 fixed (firefox, fixed 3.0.1) [since FEDORA-2008-6518] CVE-2008-2841 ignore (xchat) windows-only, IE bug CVE-2008-2827 fixed (perl) #452641 [since FEDORA-2008-5739] CVE-2008-2811 version (firefox, fixed 3.0) [since firefox-3.0-1.fc9] CVE-2008-2811 fixed (seamonkey, fixed 1.1.10) #453955 [since FEDORA-2008-6193] +CVE-2008-2811 VULNERABLE (thunderbird, fixed 2.0.0.16) [since FEDORA-2008-6737] CVE-2008-2810 version (firefox, fixed 3.0) [since firefox-3.0-1.fc9] CVE-2008-2810 fixed (seamonkey, fixed 1.1.10) #453955 [since FEDORA-2008-6193] CVE-2008-2809 version (firefox, fixed 3.0) [since firefox-3.0-1.fc9] CVE-2008-2809 fixed (seamonkey, fixed 1.1.10) #453955 [since FEDORA-2008-6193] +CVE-2008-2809 VULNERABLE (thunderbird, fixed 2.0.0.16) [since FEDORA-2008-6737] CVE-2008-2808 version (firefox, fixed 3.0) [since firefox-3.0-1.fc9] CVE-2008-2808 fixed (seamonkey, fixed 1.1.10) #453955 [since FEDORA-2008-6193] CVE-2008-2807 version (firefox, fixed 3.0) [since firefox-3.0-1.fc9] CVE-2008-2807 fixed (seamonkey, fixed 1.1.10) #453955 [since FEDORA-2008-6193] +CVE-2008-2807 VULNERABLE (thunderbird, fixed 2.0.0.16) [since FEDORA-2008-6737] CVE-2008-2806 ignore (firefox, fixed 3.0) Mac OS X specific CVE-2008-2806 ignore (seamonkey, fixed 1.1.10) Mac OS X specific CVE-2008-2805 version (firefox, fixed 3.0) [since firefox-3.0-1.fc9] CVE-2008-2805 fixed (seamonkey, fixed 1.1.10) #453955 [since FEDORA-2008-6193] CVE-2008-2803 version (firefox, fixed 3.0) [since firefox-3.0-1.fc9] CVE-2008-2803 fixed (seamonkey, fixed 1.1.10) #453955 [since FEDORA-2008-6193] +CVE-2008-2803 VULNERABLE (thunderbird, fixed 2.0.0.16) [since FEDORA-2008-6737] CVE-2008-2802 version (firefox, fixed 3.0) [since firefox-3.0-1.fc9] CVE-2008-2802 fixed (seamonkey, fixed 1.1.10) #453955 [since FEDORA-2008-6193] +CVE-2008-2802 
VULNERABLE (thunderbird, fixed 2.0.0.16) [since FEDORA-2008-6737] CVE-2008-2801 version (firefox, fixed 3.0) [since firefox-3.0-1.fc9] CVE-2008-2801 fixed (seamonkey, fixed 1.1.10) #453955 [since FEDORA-2008-6193] CVE-2008-2800 version (firefox, fixed 3.0) [since firefox-3.0-1.fc9] CVE-2008-2800 fixed (seamonkey, fixed 1.1.10) #453955 [since FEDORA-2008-6193] CVE-2008-2799 version (firefox, fixed 3.0) [since firefox-3.0-1.fc9] CVE-2008-2799 fixed (seamonkey, fixed 1.1.10) #453955 [since FEDORA-2008-6193] +CVE-2008-2799 VULNERABLE (thunderbird, fixed 2.0.0.16) [since FEDORA-2008-6737] CVE-2008-2798 version (firefox, fixed 3.0) [since firefox-3.0-1.fc9] CVE-2008-2798 fixed (seamonkey, fixed 1.1.10) #453955 [since FEDORA-2008-6193] +CVE-2008-2798 VULNERABLE (thunderbird, fixed 2.0.0.16) [since FEDORA-2008-6737] +CVE-2008-2785 fixed (seamonkey, fixed 1.1.11) [since FEDORA-2008-6519] +CVE-2008-2785 fixed (firefox, fixed 3.0.1) [since FEDORA-2008-6518] +CVE-2008-2785 VULNERABLE (thunderbird, fixed 2.0.0.16) [since FEDORA-2008-6737] CVE-2008-2728 ignore (ruby) 1.6.x variant of CVE-2008-2726 CVE-2008-2727 ignore (ruby) 1.6.x variant of CVE-2008-2725 CVE-2008-2726 fixed (ruby, fixed 1.8.6-p230, 1.8.7-p22) #452294 [since FEDORA-2008-5664] @@ -72,7 +101,7 @@ CVE-2008-2374 VULNERABLE (bluez-libs, fixed 3.34) #452821 [since FEDORA-2008-6133] CVE-2008-2371 fixed (pcre) #453556 [since FEDORA-2008-6110] CVE-2008-2371 fixed (glib2) #453560 [since FEDORA-2008-6048] -CVE-2008-2364 VULNERABLE (httpd, fixed 2.2.9) #447311 +CVE-2008-2364 VULNERABLE (httpd, fixed 2.2.9) #447311 [since FEDORA-2008-6393] CVE-2008-2363 VULNERABLE (pan) #449334 CVE-2008-2362 fixed (xorg-x11-server) #450926 [since FEDORA-2008-5254] CVE-2008-2361 fixed (xorg-x11-server) #450926 [since FEDORA-2008-5254] 
@@ -157,7 +186,7 @@ CVE-2008-1687 ignore (m4, fixed 1.4.11) not really a security issue CVE-2008-1686 version (libfishsound, fixed 0.9.1) #441248 [since libfishsound-0.9.1-1.fc9] CVE-2008-1686 backport (speex) [since speex-1.2-0.7.beta3] -CVE-2008-1678 VULNERABLE (httpd) #447311 only affects systems with openssl >= 0.9.8e +CVE-2008-1678 VULNERABLE (httpd) #447311 [since FEDORA-2008-6393] only affects systems with openssl >= 0.9.8e CVE-2008-1677 version (fedora-ds-base, fixed 1.1.1) #445810 [since FEDORA-2008-4884] CVE-2008-1672 fixed (openssl, fixed 0.9.8h) #448690 [since FEDORA-2008-4723] CVE-2008-1671 ignore (kdelibs) start_kdeinit not shipped @@ -178,7 +207,7 @@ CVE-2008-1532 version (Perlbal, fixed 1.70) [since Perlbal-1.70-1.fc9] CVE-2008-1531 fixed (lighttpd) #439069 [since FEDORA-2008-4119] CVE-2008-1502 version (moodle, fixed 1.9) -CVE-2008-1488 VULNERABLE (php-pecl-apc) #438848 +CVE-2008-1488 fixed (php-pecl-apc) #455166 [since FEDORA-2008-6401] CVE-2008-1483 ignore (openssh) was alrady fixed by another patch CVE-2008-1482 version (xine-lib) #438671 [since xine-lib-1.1.11.1-1.fc9] CVE-2008-1475 VULNERABLE (roundup, fixed 1.4.5) @@ -186,6 +215,7 @@ CVE-2008-1468 version (namazu, fixed 2.0.18) #438668 [since namazu-2.0.18-1.fc9] CVE-2008-1467 fixed (centerim) #438871 CVE-2008-1447 fixed (bind) #454476 [since FEDORA-2008-6256] +CVE-2008-1447 fixed (dnssec-tools) [since FEDORA-2008-6703] CVE-2008-1423 fixed (libvorbis) #446343 [since FEDORA-2008-3910] CVE-2008-1420 fixed (libvorbis) #446343 [since FEDORA-2008-3910] CVE-2008-1419 fixed (libvorbis) #446343 [since FEDORA-2008-3910] 
@@ -523,9 +553,9 @@ CVE-2007-5707 version (openldap, fixed 2.3.39) #360091 [since openldap-2.3.39-1.fc9] CVE-2007-5624 version (nagios, fixed 2.10) #362811 [since nagios-2.10-3.fc9] CVE-2007-5623 backport (nagios-plugins, not fixed 1.4.10) #348731 -CVE-2007-5615 VULNERABLE (jetty) [since jetty-5.1.14-1jpp.1.fc9] -CVE-2007-5614 VULNERABLE (jetty) [since jetty-5.1.14-1jpp.1.fc9] -CVE-2007-5613 VULNERABLE (jetty) [since jetty-5.1.14-1jpp.1.fc9] +CVE-2007-5615 fixed (jetty) [since FEDORA-2008-6141] +CVE-2007-5614 fixed (jetty) [since FEDORA-2008-6141] +CVE-2007-5613 fixed (jetty) [since FEDORA-2008-6141] CVE-2007-5589 version (phpMyAdmin, fixed 2.11.1.2) #333661 PMASA-2007-6 CVE-2007-5503 version (cairo, fixed 1.4.12) [since cairo-1.5.4-1.fc9] CVE-2007-5497 backport (e2fsprogs) #414591 [since e2fsprogs-1.40.2-14.fc9]
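Review bot: In the f8 hunk at @@ -19,34 +36,45 @@, every added thunderbird line keeps the status VULNERABLE while also carrying an advisory tag, for example "CVE-2008-2811 VULNERABLE (thunderbird, fixed 2.0.0.16) [since FEDORA-2008-6706]". The matching f9 hunk does the same with FEDORA-2008-6737. The pattern also appears on the added byacc lines (CVE-2008-3196) and on the httpd lines that gain "[since FEDORA-2008-6314]" and "[since FEDORA-2008-6393]". Everywhere else in this patch a "[since FEDORA-...]" tag accompanies the status "fixed", so a reader cannot tell whether these updates are still pending or whether the status was simply not flipped. If the advisory has been pushed, change the status to fixed. If VULNERABLE plus an advisory ID is meant to mark an update that has been filed but not yet released, document that convention in the comment block at the top of each audit file.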
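Review bot: The package name on the added CVE-2008-3233 line looks misspelled in both the f8 hunk at @@ -6,12 +6,29 @@ and the f9 hunk at @@ -5,12 +5,30 @@: "CVE-2008-3233 ignore (wordrepss, fixed 2.6) only 2.6 devel versions affected". Anyone searching the audit file by package name to list open or ignored issues will miss this entry. Please correct the package name in both files so it matches the actual package.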
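Review bot: In the f9 hunk at @@ -178,7 +207,7 @@, the CVE-2008-1488 line changes its bug reference as well as its status, from "#438848" to "#455166". The corresponding f8 change keeps "#438847" and only moves the entry to fixed with its advisory ID. If the f9 fix was tracked under a new bug, say so in the log message. Otherwise this reads as an accidental edit, and the link back to the original tracking bug is lost from the audit trail.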