From fedora-security-commits at redhat.com Fri Jun 6 20:00:30 2008 From: fedora-security-commits at redhat.com (fedora-security-commits at redhat.com) Date: Fri, 6 Jun 2008 20:00:30 GMT Subject: [Fedora-security-commits] fedora-security/audit f10, 1.4, 1.5 f8, 1.222, 1.223 f9, 1.212, 1.213 fc7, 1.378, 1.379 Message-ID: <200806062000.m56K0Uoc015597@cvs-int.fedora.redhat.com> Author: thoger Update of /cvs/fedora/fedora-security/audit In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv15518/audit Modified Files: f10 f8 f9 fc7 Log Message: issue collected this week Index: f10 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/f10,v retrieving revision 1.4 retrieving revision 1.5 diff -u -r1.4 -r1.5 --- f10 30 May 2008 15:18:25 -0000 1.4 +++ f10 6 Jun 2008 19:59:59 -0000 1.5 @@ -7,12 +7,14 @@ CVE-2008-2426 backport (imlib2) [since imlib2-1.4.0-7.fc10] CVE-2008-2420 version (stunnel, fixed 4.24) [since stunnel-4.24-2] CVE-2008-2392 ignore (wordpress) issue only in certain deployments, not affected by default +CVE-2008-2363 VULNERABLE (pan) #449335 CVE-2008-2359 ignore (system-config-network) F8 specific issue CVE-2008-2357 fixed (mtr, fixed 0.73) CVE-2008-2302 version (Django, fixed 0.96.2) #447260 [since Django-0.96.2-1.fc10] CVE-2008-2276 VULNERABLE (mantis) upstream fix in 1.2.0a1 seems useless CVE-2008-2266 ignore (perl-Convert-UUlib) embedded uulib copy uses mkstemp CVE-2008-2168 ignore (httpd) browser issue, not apache +CVE-2008-2119 ignore (asterisk, fixed 1.2.29) AST-2008-008, only for 1.0.x and 1.2.x CVE-2008-2085 VULNERABLE (sipp) #446222 CVE-2008-2079 VULNERABLE (mysql, fixed 5.0.60) #445804 CVE-2008-2004 VULNERABLE (xen) disables format autodetection by default [since xen-3.2.0-11.fc10] 
@@ -22,6 +24,8 @@ CVE-2008-1950 backport (gnutls, fixed 2.2.4) #447512 [since gnutls-2.0.4-3.fc10] CVE-2008-1949 backport (gnutls, fixed 2.2.4) #447512 [since gnutls-2.0.4-3.fc10] CVE-2008-1948 backport (gnutls, fixed 2.2.4) #447512 [since gnutls-2.0.4-3.fc10] +CVE-2008-1947 VULNERABLE (tomcat5, fixed 5.5.27) +CVE-2008-1947 VULNERABLE (tomcat6, fixed 6.0.17) CVE-2008-1944 version (xen, fixed 3.2) CVE-2008-1943 VULNERABLE (xen) [since xen-3.2.0-11.fc10] CVE-2008-1928 version (perl-Imager, fixed 0.64) [since perl-Imager-0.64-2.fc10] 
@@ -38,17 +42,21 @@ CVE-2008-1672 backport (openssl, fixed 0.9.8h) #448691 [since openssl-0.9.8g-9.fc10] CVE-2008-1531 backport (lighttpd) [since lighttpd-1.4.19-4.fc10] CVE-2008-1488 VULNERABLE (php-pecl-apc) #438848 +CVE-2008-1475 VULNERABLE (roundup, fixed 1.4.5) CVE-2008-1423 backport (libvorbis) #446344 [since libvorbis-1.2.0-4.fc10] CVE-2008-1420 backport (libvorbis) #446344 [since libvorbis-1.2.0-4.fc10] CVE-2008-1419 backport (libvorbis) #446344 [since libvorbis-1.2.0-4.fc10] CVE-2008-1387 version (clamav, fixed 0.93) [since clamav-0.93-1.fc9] -CVE-2008-1382 VULNERABLE (libpng, fixed 1.2.27) minimal impact, affected api rarely used +CVE-2008-1382 version (libpng, fixed 1.2.27) [since libpng-1.2.29-1.fc10] CVE-2008-1382 version (libpng10) [since libpng10-1.0.37-1.fc10] CVE-2008-1360 version (nagios) #437852 [since nagios-2.11-3.fc9] +CVE-2008-1109 backport (evolution) #449925 [since evolution-2.23.3.1-2.fc10] +CVE-2008-1108 backport (evolution) #449925 [since evolution-2.23.3.1-2.fc10] CVE-2008-1105 VULNERABLE (samba, fixed 3.0.30) CVE-2008-1103 VULNERABLE (blender) not fixed upstream CVE-2008-1100 version (clamav, fixed 0.93) [since clamav-0.93-1.fc9] CVE-2008-1078 backport (am-utils) #437746 [since am-utils-6.1.5-10.fc10] +CVE-2008-1033 version (cups, fixed 1.3.7) [since cups-1.3.7-1.fc9] CVE-2008-0891 backport (openssl, fixed 0.9.8h) #448691 [since openssl-0.9.8g-9.fc10] CVE-2008-0553 version (tkimg) [since tkimg-1.3-0.10.20080505svn.fc10] CVE-2008-0314 version (clamav, fixed 0.93) [since clamav-0.93-1.fc9] 
@@ -66,6 +74,7 @@ CVE-2007-4559 VULNERABLE (python, not fixed upstream) #315291 Upstream WONTFIX. See where we use the code. CVE-2007-1320 VULNERABLE (qemu) CVE-2007-1320 VULNERABLE (kvm) +CVE-2007-0062 version (dhcp, fixed 4.0.0) CVE-2006-6698 fixed (GConf2) CVE-2006-1390 VULNERABLE (nethack) bz#187353, but requires other access to games group Index: f8 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/f8,v retrieving revision 1.222 retrieving revision 1.223 diff -u -r1.222 -r1.223 --- f8 30 May 2008 15:18:25 -0000 1.222 +++ f8 6 Jun 2008 19:59:59 -0000 1.223 @@ -6,9 +6,10 @@ rhbz293031 fixed (nx) #293031 [since FEDORA-2008-2258] rhbz249840 version (tor, fixed 0.1.2.15) -CVE-2008-2426 VULNERABLE (imlib2) [since imlib2-1.4.0-7.fc8] +CVE-2008-2426 fixed (imlib2) [since FEDORA-2008-4842] CVE-2008-2420 fixed (stunnel, fixed 4.24) [since FEDORA-2008-4579] CVE-2008-2392 ignore (wordpress) issue only in certain deployments, not affected by default +CVE-2008-2363 VULNERABLE (pan) #449333 CVE-2008-2359 fixed (system-config-network) [since FEDORA-2008-4633] CVE-2008-2357 fixed (mtr, fixed 0.73) CVE-2008-2302 fixed (Django, fixed 0.96.2) #447258 [since FEDORA-2008-4248] @@ -16,6 +17,7 @@ CVE-2008-2266 ignore (perl-Convert-UUlib) embedded uulib copy uses mkstemp CVE-2008-2168 ignore (httpd) browser issue, not apache CVE-2008-2146 version (wordpress, fixed 2.2.3) +CVE-2008-2119 ignore (asterisk, fixed 1.2.29) AST-2008-008, only for 1.0.x and 1.2.x CVE-2008-2109 fixed (libid3tag) #445814 [since FEDORA-2008-3976] CVE-2008-2105 fixed (bugzilla, fixed 3.0.4, 3.1.4) #445822 [since FEDORA-2008-3442] CVE-2008-2104 ignore (bugzilla, fixed 3.1.4) only affects 3.1.3, not in Fedora 
@@ -36,6 +38,7 @@ CVE-2008-1950 fixed (gnutls, fixed 2.2.4) #447510 [since FEDORA-2008-4183] CVE-2008-1949 fixed (gnutls, fixed 2.2.4) #447510 [since FEDORA-2008-4183] CVE-2008-1948 fixed (gnutls, fixed 2.2.4) #447510 [since FEDORA-2008-4183] +CVE-2008-1947 VULNERABLE (tomcat5, fixed 5.5.27) CVE-2008-1944 VULNERABLE (xen, fixed 3.2) [since xen-3.1.2-3.fc8] CVE-2008-1943 VULNERABLE (xen) [since xen-3.1.2-3.fc8] CVE-2008-1937 ignore (moin, fixed 1.6.3) 1.6.x only @@ -52,7 +55,7 @@ CVE-2008-1836 ignore (clamav, fixed 0.93) affected code introduced after 0.92.1 CVE-2008-1835 ignore (clamav, fixed 0.93) unrar code not shipped CVE-2008-1833 fixed (clamav, fixed 0.93-rc1) #442363 [since FEDORA-2008-3420] -CVE-2008-1804 VULNERABLE (snort, fixed 2.8.1) +CVE-2008-1804 fixed (snort, fixed 2.8.1) [since FEDORA-2008-5001] CVE-2008-1803 fixed (rdesktop, fixed 1.6.0) #445842 [since FEDORA-2008-3917] CVE-2008-1802 fixed (rdesktop, fixed 1.6.0) #445842 [since FEDORA-2008-3917] CVE-2008-1801 fixed (rdesktop, fixed 1.6.0) #445842 [since FEDORA-2008-3917] @@ -93,6 +96,7 @@ CVE-2008-1488 VULNERABLE (php-pecl-apc) #438847 CVE-2008-1483 ignore (openssh) was alrady fixed by another patch CVE-2008-1482 fixed (xine-lib) #438670 [since FEDORA-2008-2849] +CVE-2008-1475 VULNERABLE (roundup, fixed 1.4.5) CVE-2008-1474 fixed (roundup) #436547 [since FEDORA-2008-2370] CVE-2008-1468 fixed (namazu, fixed 2.0.18) #438667 [since FEDORA-2008-2767] CVE-2008-1467 fixed (centerim) #438871 [since FEDORA-2008-2869] 
@@ -102,7 +106,7 @@ CVE-2008-1394 ignore (plone) CVE-2008-1390 fixed (asterisk, fixed 1.4.19-rc3) #438133 [since FEDORA-2008-2554] CVE-2008-1387 fixed (clamav, fixed 0.93) #442363 [since FEDORA-2008-3420] -CVE-2008-1382 VULNERABLE (libpng, fixed 1.2.27) minimal impact, affected api rarely used +CVE-2008-1382 fixed (libpng, fixed 1.2.27) [since FEDORA-2008-4847] CVE-2008-1382 fixed (libpng10) [since FEDORA-2008-3937] CVE-2008-1381 fixed (zoneminder, fixed 1.23.3) #444436 [since FEDORA-2008-3462] CVE-2008-1380 VULNERABLE (firefox, fixed 2.0.0.14) @@ -111,6 +115,7 @@ CVE-2008-1374 ignore (cups) only affects old cups versions in RHEL CVE-2008-1373 fixed (cups) #440040 [since FEDORA-2008-2131] CVE-2008-1372 fixed (bzip2, fixed 1.0.5) #439855 [since FEDORA-2008-2970] +CVE-2008-1364 ignore (dhcp) not affected CVE-2008-1360 fixed (nagios, fixed 2.11) #437850 [since FEDORA-2008-3098] CVE-2008-1353 ignore (zabbix) #437848 Needs authorization CVE-2008-1333 ignore (asterisk) not affected @@ -158,7 +163,9 @@ CVE-2008-1131 ignore (drupal) #435816 drupal 6.x only CVE-2008-1111 fixed (lighttpd) #435807 [since FEDORA-2008-2262] CVE-2008-1110 version (xine-lib, fixed 1.1.10) [since FEDORA-2008-1043] -CVE-2008-1105 VULNERABLE (samba, fixed 3.0.30) [since samba-3.0.30-0.fc8] +CVE-2008-1109 fixed (evolution) #449923 [since FEDORA-2008-5016] +CVE-2008-1108 fixed (evolution) #449923 [since FEDORA-2008-5016] +CVE-2008-1105 fixed (samba, fixed 3.0.30) [since FEDORA-2008-4679] CVE-2008-1103 VULNERABLE (blender) not fixed upstream CVE-2008-1102 fixed (blender) #443936 [since FEDORA-2008-3875] CVE-2008-1100 fixed (clamav, fixed 0.93) #442363 [since FEDORA-2008-3420] 
@@ -171,6 +178,7 @@ CVE-2008-1066 version (php-Smarty) #435811 [since FEDORA-2008-1911] CVE-2008-1066 fixed (gallery2) #438058 [since FEDORA-2008-2587] CVE-2008-1066 VULNERABLE (php-pear-PhpDocumentor) #438062 +CVE-2008-1033 version (cups, fixed 1.3.7) [since FEDORA-2008-3586] CVE-2008-1026 version (WebKit, fixed r31388) [since FEDORA-2008-3229] CVE-2008-1025 version (WebKit, fixed r31438) [since FEDORA-2008-3229] CVE-2008-1011 version (WebKit) [since FEDORA-2008-3229] @@ -535,6 +543,9 @@ CVE-2007-0537 version (kdebase, fixed 3.5.6) #225420 CVE-2007-0235 version (libgtop2, fixed 2.14.6) #222637 not sure, will triage CVE-2007-0095 backport (phpMyAdmin) #221694 "Reveals path" [since FEDORA-2007-4334] +CVE-2007-0063 ignore (dhcp) duplicate of CVE-2007-5365 +CVE-2007-0062 ignore (dhcp, fixed 3.0.7) +CVE-2007-0061 ignore (dhcp) not affected CVE-2006-7232 version (mysql, fixed 5.0.32) CVE-2006-6698 ignore (GConf2) #219280 minimal impact CVE-2006-6698 fixed (GConf2) Index: f9 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/f9,v retrieving revision 1.212 retrieving revision 1.213 diff -u -r1.212 -r1.213 --- f9 30 May 2008 15:18:25 -0000 1.212 +++ f9 6 Jun 2008 19:59:59 -0000 1.213 @@ -5,9 +5,10 @@ # (mozilla) = (gecko-libs dependent stuff) rhbz249840 version (tor, fixed 0.1.2.15) -CVE-2008-2426 VULNERABLE (imlib2) [since imlib2-1.4.0-7.fc9] +CVE-2008-2426 fixed (imlib2) [since FEDORA-2008-4871] CVE-2008-2420 fixed (stunnel, fixed 4.24) [since FEDORA-2008-4531] CVE-2008-2392 ignore (wordpress) issue only in certain deployments, not affected by default +CVE-2008-2363 VULNERABLE (pan) #449334 CVE-2008-2359 ignore (system-config-network) F8 specific issue CVE-2008-2357 fixed (mtr, fixed 0.73) CVE-2008-2302 fixed (Django, fixed 0.96.2) #447259 [since FEDORA-2008-4267] 
@@ -15,6 +16,7 @@ CVE-2008-2266 ignore (perl-Convert-UUlib) embedded uulib copy uses mkstemp CVE-2008-2168 ignore (httpd) browser issue, not apache CVE-2008-2146 version (wordpress, fixed 2.2.3) +CVE-2008-2119 ignore (asterisk, fixed 1.2.29) AST-2008-008, only for 1.0.x and 1.2.x CVE-2008-2109 fixed (libid3tag) #445815 [since FEDORA-2008-3757] CVE-2008-2105 fixed (bugzilla, fixed 3.0.4, 3.1.4) #445823 [since FEDORA-2008-3668] CVE-2008-2104 ignore (bugzilla, fixed 3.1.4) only affects 3.1.3, not in Fedora @@ -35,6 +37,8 @@ CVE-2008-1950 fixed (gnutls, fixed 2.2.4) #447511 [since FEDORA-2008-4259] CVE-2008-1949 fixed (gnutls, fixed 2.2.4) #447511 [since FEDORA-2008-4259] CVE-2008-1948 fixed (gnutls, fixed 2.2.4) #447511 [since FEDORA-2008-4259] +CVE-2008-1947 VULNERABLE (tomcat5, fixed 5.5.27) +CVE-2008-1947 VULNERABLE (tomcat6, fixed 6.0.17) CVE-2008-1944 version (xen, fixed 3.2) CVE-2008-1943 VULNERABLE (xen) [since xen-3.2.0-11.fc9] CVE-2008-1937 version (moin, fixed 1.6.3) [since moin-1.6.3-1.fc9] @@ -52,7 +56,7 @@ CVE-2008-1835 ignore (clamav, fixed 0.93) unrar code not shipped CVE-2008-1834 version (swfdec, fixed 0.6.4) [since swfdec-0.6.4-1.fc9] CVE-2008-1833 version (clamav, fixed 0.93-rc1) [since clamav-0.93-0.0.rc1.fc9] -CVE-2008-1804 VULNERABLE (snort, fixed 2.8.1) +CVE-2008-1804 fixed (snort, fixed 2.8.1) [since FEDORA-2008-5045] CVE-2008-1803 fixed (rdesktop, fixed 1.6.0) #445843 [since FEDORA-2008-3886] CVE-2008-1802 fixed (rdesktop, fixed 1.6.0) #445843 [since FEDORA-2008-3886] CVE-2008-1801 fixed (rdesktop, fixed 1.6.0) #445843 [since FEDORA-2008-3886] 
@@ -72,7 +76,7 @@ CVE-2008-1686 backport (speex) [since speex-1.2-0.7.beta3] CVE-2008-1678 VULNERABLE (httpd) #447311 only affects systems with openssl >= 0.9.8e CVE-2008-1677 VULNERABLE (fedora-ds-base) #445810 -CVE-2008-1672 VULNERABLE (openssl, fixed 0.9.8h) #448690 +CVE-2008-1672 fixed (openssl, fixed 0.9.8h) #448690 [since FEDORA-2008-4723] CVE-2008-1671 ignore (kdelibs) start_kdeinit not shipped CVE-2008-1670 backport (kdelibs) [since kdelibs-4.0.3-7.fc9] CVE-2008-1658 backport (PolicyKit) #439996 [since PolicyKit-0.7-7.fc9] @@ -93,6 +97,7 @@ CVE-2008-1488 VULNERABLE (php-pecl-apc) #438848 CVE-2008-1483 ignore (openssh) was alrady fixed by another patch CVE-2008-1482 version (xine-lib) #438671 [since xine-lib-1.1.11.1-1.fc9] +CVE-2008-1475 VULNERABLE (roundup, fixed 1.4.5) CVE-2008-1474 version (roundup) #436549 [since roundup-1.4.4-1.fc9] CVE-2008-1468 version (namazu, fixed 2.0.18) #438668 [since namazu-2.0.18-1.fc9] CVE-2008-1467 fixed (centerim) #438871 @@ -102,7 +107,7 @@ CVE-2008-1394 ignore (plone) CVE-2008-1390 version (asterisk, fixed 1.6.0-beta6) #438134 [since asterisk-1.6.0-0.6.beta6.fc9] CVE-2008-1387 fixed (clamav, fixed 0.93) #442364 [since FEDORA-2008-3900] -CVE-2008-1382 VULNERABLE (libpng, fixed 1.2.27) minimal impact, affected api rarely used +CVE-2008-1382 fixed (libpng, fixed 1.2.27) [since FEDORA-2008-4910] CVE-2008-1382 fixed (libpng10) [since FEDORA-2008-3683] CVE-2008-1381 fixed (zoneminder, fixed 1.23.3) #444437 [since FEDORA-2008-3601] CVE-2008-1380 version (firefox, fixed 2.0.0.14) 
@@ -111,6 +116,7 @@ CVE-2008-1374 ignore (cups) only affects old cups versions in RHEL CVE-2008-1373 backport (cups) #440041 [since cups-1.3.6-9.fc9] CVE-2008-1372 version (bzip2, fixed 1.0.5) [since bzip2-1.0.5-1.fc9] +CVE-2008-1364 ignore (dhcp) not affected CVE-2008-1360 version (nagios, fixed 2.11) #437852 [since nagios-2.11-3.fc9] CVE-2008-1353 ignore (zabbix) #437848 Needs authorization CVE-2008-1333 version (asterisk, fixed 1.6.0-beta6) #438134 [since asterisk-1.6.0-0.6.beta6.fc9] @@ -156,7 +162,9 @@ CVE-2008-1131 version (drupal, fixed 6.1) #435817 [since drupal-6.1-1.fc9] CVE-2008-1111 backport (lighttpd) #435809 [since lighttpd-1.4.18-6.fc9] CVE-2008-1110 version (xine-lib, fixed 1.1.10) [since xine-lib-1.1.10-2.fc9] -CVE-2008-1105 VULNERABLE (samba, fixed 3.0.30) [since samba-3.2.0-1.rc1.14.fc9] +CVE-2008-1109 fixed (evolution) #449924 [since FEDORA-2008-4990] +CVE-2008-1108 fixed (evolution) #449924 [since FEDORA-2008-4990] +CVE-2008-1105 fixed (samba, fixed 3.0.30) [since FEDORA-2008-4724] CVE-2008-1103 VULNERABLE (blender) not fixed upstream CVE-2008-1102 backport (blender) #443937 [since blender-2.45-12.fc9] CVE-2008-1100 fixed (clamav, fixed 0.93) #442364 [since FEDORA-2008-3900] @@ -169,6 +177,7 @@ CVE-2008-1066 version (php-Smarty) #435813 [since php-Smarty-2.6.19-1.fc9] CVE-2008-1066 fixed (gallery2) #438060 [since gallery2-2.2.4-3.fc9] CVE-2008-1066 fixed (php-pear-PhpDocumentor) #438064 [since php-pear-PhpDocumentor-1.4.1-2.fc9] +CVE-2008-1033 version (cups, fixed 1.3.7) [since cups-1.3.7-1.fc9] CVE-2008-1026 version (WebKit, fixed r31388) [since WebKit-1.0.0-0.8.svn31787.fc9] CVE-2008-1025 version (WebKit, fixed r31438) [since WebKit-1.0.0-0.8.svn31787.fc9] CVE-2008-1011 version (WebKit) [since WebKit-1.0.0-0.8.svn31787.fc9] 
@@ -179,7 +188,7 @@ CVE-2008-0928 backport (qemu) #433563 [since qemu-0.9.1-3.fc9] CVE-2008-0928 backport (kvm) #433566 [since kvm-61-2.fc9] CVE-2008-0928 backport (xen) [since xen-3.2.0-8.fc9] -CVE-2008-0891 VULNERABLE (openssl, fixed 0.9.8h) #448690 +CVE-2008-0891 fixed (openssl, fixed 0.9.8h) #448690 [since FEDORA-2008-4723] CVE-2008-0888 backport (unzip) #437927 [since unzip-5.52-9.fc9] CVE-2008-0887 version (gnome-screensaver, fixed 2.22.1) #440257 [since gnome-screensaver-2.22.1-1.fc9] CVE-2008-0882 version (cups, fixed 1.3.6) [since cups-1.3.6-1.fc9] @@ -509,6 +518,9 @@ CVE-2007-0537 version (kdebase, fixed 3.5.6) #225420 CVE-2007-0235 version (libgtop2, fixed 2.14.6) #222637 not sure, will triage CVE-2007-0095 backport (phpMyAdmin) #221694 "Reveals path" [since phpMyAdmin-2.11.3-1.fc9] +CVE-2007-0063 ignore (dhcp) duplicate of CVE-2007-5365 +CVE-2007-0062 version (dhcp, fixed 4.0.0) +CVE-2007-0061 ignore (dhcp) not affected CVE-2006-7232 version (mysql, fixed 5.0.32) CVE-2006-6698 ignore (GConf2) #219280 minimal impact, let upstream deal with it if they care CVE-2006-6698 fixed (GConf2) Index: fc7 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc7,v retrieving revision 1.378 retrieving revision 1.379 diff -u -r1.378 -r1.379 --- fc7 30 May 2008 15:18:25 -0000 1.378 +++ fc7 6 Jun 2008 19:59:59 -0000 1.379 
@@ -7,9 +7,10 @@ rhbz293031 fixed (nx) #293031 [since FEDORA-2008-2258] rhbz249840 version (tor, fixed 0.1.2.15) #249840 [since FEDORA-2007-1674] -CVE-2008-2426 VULNERABLE (imlib2) [since imlib2-1.3.0-4.fc7] +CVE-2008-2426 fixed (imlib2) [since FEDORA-2008-4950] CVE-2008-2420 fixed (stunnel, fixed 4.24) [since FEDORA-2008-4606] CVE-2008-2392 ignore (wordpress) issue only in certain deployments, not affected by default +CVE-2008-2363 VULNERABLE (pan) CVE-2008-2359 ignore (system-config-network) F8 specific issue CVE-2008-2357 fixed (mtr, fixed 0.73) CVE-2008-2302 fixed (Django, fixed 0.96.2) #447257 [since FEDORA-2008-4191] @@ -17,6 +18,7 @@ CVE-2008-2266 ignore (perl-Convert-UUlib) embedded uulib copy uses mkstemp CVE-2008-2168 ignore (httpd) browser issue, not apache CVE-2008-2146 version (wordpress, fixed 2.2.3) +CVE-2008-2119 ignore (asterisk, fixed 1.2.29) AST-2008-008, only for 1.0.x and 1.2.x CVE-2008-2109 fixed (libid3tag) #445813 [since FEDORA-2008-3874] CVE-2008-2105 fixed (bugzilla, fixed 3.0.4, 3.1.4) #445821 [since FEDORA-2008-3488] CVE-2008-2104 ignore (bugzilla, fixed 3.1.4) only affects 3.1.3, not in Fedora @@ -37,6 +39,7 @@ CVE-2008-1950 fixed (gnutls, fixed 2.2.4) #447509 [since FEDORA-2008-4274] CVE-2008-1949 fixed (gnutls, fixed 2.2.4) #447509 [since FEDORA-2008-4274] CVE-2008-1948 fixed (gnutls, fixed 2.2.4) #447509 [since FEDORA-2008-4274] +CVE-2008-1947 VULNERABLE (tomcat5, fixed 5.5.27) CVE-2008-1944 VULNERABLE (xen, fixed 3.2) [since xen-3.1.2-3.fc7] CVE-2008-1943 VULNERABLE (xen) [since xen-3.1.2-3.fc7] CVE-2008-1937 ignore (moin, fixed 1.6.3) 1.6.x only 
@@ -53,7 +56,7 @@ CVE-2008-1836 ignore (clamav, fixed 0.93) affected code introduced after 0.92.1 CVE-2008-1835 ignore (clamav, fixed 0.93) unrar code not shipped CVE-2008-1833 fixed (clamav, fixed 0.93-rc1) #442362 [since FEDORA-2008-3358] -CVE-2008-1804 VULNERABLE (snort, fixed 2.8.1) +CVE-2008-1804 fixed (snort, fixed 2.8.1) [since FEDORA-2008-5045] CVE-2008-1803 fixed (rdesktop, fixed 1.6.0) #445841 [since FEDORA-2008-3985] CVE-2008-1802 fixed (rdesktop, fixed 1.6.0) #445841 [since FEDORA-2008-3985] CVE-2008-1801 fixed (rdesktop, fixed 1.6.0) #445841 [since FEDORA-2008-3985] @@ -94,6 +97,7 @@ CVE-2008-1488 VULNERABLE (php-pecl-apc) #438846 CVE-2008-1483 ignore (openssh) was alrady fixed by another patch CVE-2008-1482 fixed (xine-lib) #438669 [since FEDORA-2008-2945] +CVE-2008-1475 VULNERABLE (roundup, fixed 1.4.5) CVE-2008-1474 fixed (roundup) #436548 [since FEDORA-2008-2471] CVE-2008-1468 fixed (namazu, fixed 2.0.18) #438666 [since FEDORA-2008-2678] CVE-2008-1467 fixed (centerim) #438871 [since FEDORA-2008-2869] @@ -103,8 +107,8 @@ CVE-2008-1394 ignore (plone) CVE-2008-1390 fixed (asterisk, fixed 1.4.19-rc3) #438132 [since FEDORA-2008-2620] CVE-2008-1387 fixed (clamav, fixed 0.93) #442362 [since FEDORA-2008-3358] -CVE-2008-1382 ignore (libpng, fixed 1.2.27) minimal impact, affected api rarely used -CVE-2008-1382 ignore (libpng10) [since libpng10-1.0.33-1.fc7] +CVE-2008-1382 fixed (libpng, fixed 1.2.27) [since FEDORA-2008-4947] +CVE-2008-1382 VULNERABLE (libpng10) [since libpng10-1.0.33-1.fc7] CVE-2008-1381 fixed (zoneminder, fixed 1.23.3) #444435 [since FEDORA-2008-3516] CVE-2008-1380 VULNERABLE (firefox, fixed 2.0.0.14) CVE-2008-1380 fixed (seamonkey, fixed 1.1.10) #442850 [since FEDORA-2008-3231] 
@@ -112,6 +116,7 @@ CVE-2008-1374 ignore (cups) only affects old cups versions in RHEL CVE-2008-1373 fixed (cups) #440042 [since FEDORA-2008-2897] CVE-2008-1372 fixed (bzip2, fixed 1.0.5) #439855 [since FEDORA-2008-2970] +CVE-2008-1364 ignore (dhcp) not affected CVE-2008-1360 VULNERABLE (nagios, fixed 2.11) #437851 CVE-2008-1353 ignore (zabbix) #437848 Needs authorization CVE-2008-1333 ignore (asterisk) not affected @@ -159,7 +164,9 @@ CVE-2008-1131 ignore (drupal) #435815 drupal 6.x only CVE-2008-1111 fixed (lighttpd) #435808 [since FEDORA-2008-2278] CVE-2008-1110 version (xine-lib, fixed 1.1.10) [since FEDORA-2008-1047] -CVE-2008-1105 VULNERABLE (samba, fixed 3.0.30) [since samba-3.0.28a-1.fc7] +CVE-2008-1109 fixed (evolution) #449922 [since FEDORA-2008-5018] +CVE-2008-1108 fixed (evolution) #449922 [since FEDORA-2008-5018] +CVE-2008-1105 fixed (samba, fixed 3.0.30) [since FEDORA-2008-4797] CVE-2008-1103 VULNERABLE (blender) not fixed upstream CVE-2008-1102 fixed (blender) #443935 [since FEDORA-2008-3862] CVE-2008-1100 fixed (clamav, fixed 0.93) #442362 [since FEDORA-2008-3358] @@ -172,6 +179,7 @@ CVE-2008-1066 version (php-Smarty, fixed 2.6.19) #435812 [since FEDORA-2008-1928] CVE-2008-1066 fixed (gallery2) #438059 [since FEDORA-2008-2650] CVE-2008-1066 fixed (php-pear-PhpDocumentor) #438063 [since FEDORA-2008-2656] +CVE-2008-1033 ignore (cups) only affected 1.3.6 CVE-2008-1026 fixed (WebKit, fixed r31388) [since FEDORA-2008-3415] CVE-2008-1025 fixed (WebKit, fixed r31438) [since FEDORA-2008-3415] CVE-2008-1011 fixed (WebKit) [since FEDORA-2008-3415] 
@@ -1002,6 +1010,9 @@ CVE-2007-0095 backport (phpMyAdmin) #221694 [since FEDORA-2007-4298] CVE-2007-0086 ignore (apache) not a security issue *CVE-2007-0080 ** (freeradius) +CVE-2007-0063 ignore (dhcp) duplicate of CVE-2007-5365 +CVE-2007-0062 ignore (dhcp, fixed 3.0.7) +CVE-2007-0061 ignore (dhcp) not affected *CVE-2007-0010 ** (gtk2) CVE-2007-0009 version (nss, fixed 3.11.5) (nspr, fixed 4.6.5) [since FEDORA-2007-279] CVE-2007-0008 version (nss, fixed 3.11.5) (nspr, fixed 4.6.5) [since FEDORA-2007-279] From fedora-security-commits at redhat.com Fri Jun 13 18:29:42 2008 From: fedora-security-commits at redhat.com (fedora-security-commits at redhat.com) Date: Fri, 13 Jun 2008 18:29:42 GMT Subject: [Fedora-security-commits] fedora-security/audit f10, 1.5, 1.6 f8, 1.223, 1.224 f9, 1.213, 1.214 fc7, 1.379, 1.380 Message-ID: <200806131829.m5DITgNk014401@cvs-int.fedora.redhat.com> Author: thoger Update of /cvs/fedora/fedora-security/audit In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv14360/audit Modified Files: f10 f8 f9 fc7 Log Message: another week of issues Index: f10 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/f10,v retrieving revision 1.5 retrieving revision 1.6 diff -u -r1.5 -r1.6 --- f10 6 Jun 2008 19:59:59 -0000 1.5 +++ f10 13 Jun 2008 18:29:09 -0000 1.6 
@@ -4,19 +4,28 @@ # *CVE are items that need verification for Fedora 10 # (mozilla) = (gecko-libs dependent stuff) +CVE-2008-2575 version (cbrpager) [since cbrpager-0.9.17-2.fc10] CVE-2008-2426 backport (imlib2) [since imlib2-1.4.0-7.fc10] CVE-2008-2420 version (stunnel, fixed 4.24) [since stunnel-4.24-2] CVE-2008-2392 ignore (wordpress) issue only in certain deployments, not affected by default CVE-2008-2363 VULNERABLE (pan) #449335 +CVE-2008-2362 VULNERABLE (xorg-x11-server) #450927 +CVE-2008-2361 VULNERABLE (xorg-x11-server) #450927 +CVE-2008-2360 VULNERABLE (xorg-x11-server) #450927 CVE-2008-2359 ignore (system-config-network) F8 specific issue CVE-2008-2357 fixed (mtr, fixed 0.73) CVE-2008-2302 version (Django, fixed 0.96.2) #447260 [since Django-0.96.2-1.fc10] +CVE-2008-2292 backport (net-snmp, fixed 5.4.2.pre1) [since net-snmp-5.4.1-19.fc10] CVE-2008-2276 VULNERABLE (mantis) upstream fix in 1.2.0a1 seems useless CVE-2008-2266 ignore (perl-Convert-UUlib) embedded uulib copy uses mkstemp CVE-2008-2168 ignore (httpd) browser issue, not apache +CVE-2008-2152 version (openoffice.org, fixed 2.4.1) [since openoffice.org-3.0.0-0.0.17.1.fc10] CVE-2008-2119 ignore (asterisk, fixed 1.2.29) AST-2008-008, only for 1.0.x and 1.2.x +CVE-2008-2108 VULNERABLE (php, fixed 5.2.6) +CVE-2008-2107 VULNERABLE (php, fixed 5.2.6) CVE-2008-2085 VULNERABLE (sipp) #446222 CVE-2008-2079 VULNERABLE (mysql, fixed 5.0.60) #445804 +CVE-2008-2051 VULNERABLE (php, fixed 5.2.6) CVE-2008-2004 VULNERABLE (xen) disables format autodetection by default [since xen-3.2.0-11.fc10] CVE-2008-2004 VULNERABLE (qemu) fix mostly useless without libvirt changes CVE-2008-2004 VULNERABLE (kvm) fix mostly useless without libvirt changes 
@@ -31,6 +40,9 @@ CVE-2008-1928 version (perl-Imager, fixed 0.64) [since perl-Imager-0.64-2.fc10] CVE-2008-1926 backport (util-linux-ng) [since util-linux-ng-2.13.1-8.1.fc9] CVE-2008-1836 version (clamav, fixed 0.93) [since clamav-0.93-1.fc9] +CVE-2008-1808 version (freetype, fixed 2.3.6) [since freetype-2.3.6-1.fc10] +CVE-2008-1807 version (freetype, fixed 2.3.6) [since freetype-2.3.6-1.fc10] +CVE-2008-1806 version (freetype, fixed 2.3.6) [since freetype-2.3.6-1.fc10] CVE-2008-1804 version (snort, fixed 2.8.1) [since snort-2.8.1-3.fc10] CVE-2008-1803 version (rdesktop, fixed 1.6.0) [since rdesktop-1.6.0-1.fc10] CVE-2008-1802 version (rdesktop, fixed 1.6.0) [since rdesktop-1.6.0-1.fc10] 
@@ -49,26 +61,30 @@ CVE-2008-1387 version (clamav, fixed 0.93) [since clamav-0.93-1.fc9] CVE-2008-1382 version (libpng, fixed 1.2.27) [since libpng-1.2.29-1.fc10] CVE-2008-1382 version (libpng10) [since libpng10-1.0.37-1.fc10] +CVE-2008-1379 VULNERABLE (xorg-x11-server) #450927 +CVE-2008-1377 VULNERABLE (xorg-x11-server) #450927 CVE-2008-1360 version (nagios) #437852 [since nagios-2.11-3.fc9] CVE-2008-1109 backport (evolution) #449925 [since evolution-2.23.3.1-2.fc10] CVE-2008-1108 backport (evolution) #449925 [since evolution-2.23.3.1-2.fc10] -CVE-2008-1105 VULNERABLE (samba, fixed 3.0.30) +CVE-2008-1105 version (samba, fixed 3.0.30) [since samba-3.2.0-1.rc2.16.fc10] CVE-2008-1103 VULNERABLE (blender) not fixed upstream CVE-2008-1100 version (clamav, fixed 0.93) [since clamav-0.93-1.fc9] CVE-2008-1078 backport (am-utils) #437746 [since am-utils-6.1.5-10.fc10] CVE-2008-1033 version (cups, fixed 1.3.7) [since cups-1.3.7-1.fc9] +CVE-2008-0960 backport (net-snmp, fixed 5.4.1.1) [since net-snmp-5.4.1-19.fc10] CVE-2008-0891 backport (openssl, fixed 0.9.8h) #448691 [since openssl-0.9.8g-9.fc10] +CVE-2008-0599 VULNERABLE (php, fixed 5.2.6) CVE-2008-0553 version (tkimg) [since tkimg-1.3-0.10.20080505svn.fc10] CVE-2008-0314 version (clamav, fixed 0.93) [since clamav-0.93-1.fc9] CVE-2008-0166 ignore (openssl) Debian specific CVE-2007-6714 version (dbmail, fixed 2.2.9) [since dbmail-2.2.9-1.fc9] -CVE-2007-6321 VULNERABLE (roundcubemail) #423301 +CVE-2007-6321 version (roundcubemail) #423301 [since roundcubemail-0.2-0.alpha.fc10] CVE-2007-6318 VULNERABLE (wordpress) #426434 CVE-2007-6131 VULNERABLE (scanbuttond) CVE-2007-5962 fixed (vsftpd) [since vsftpd-2.0.6-4.fc10] CVE-2007-5907 VULNERABLE (xen) #390121 CVE-2007-5906 VULNERABLE (xen) #390121 -CVE-2007-5803 VULNERABLE (nagios, not fixed 2.11) #446383 +CVE-2007-5803 version (nagios, fixed 2.12) #446383 [since nagios-2.12-3.fc10] CVE-2007-5079 VULNERABLE (gdm) #363041 Red Hat specific problem CVE-2007-4829 VULNERABLE (perl, 
not fixed upstream) #364291 perl-Archive-Tar directory traversal CVE-2007-4559 VULNERABLE (python, not fixed upstream) #315291 Upstream WONTFIX. See where we use the code. Index: f8 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/f8,v retrieving revision 1.223 retrieving revision 1.224 diff -u -r1.223 -r1.224 --- f8 6 Jun 2008 19:59:59 -0000 1.223 +++ f8 13 Jun 2008 18:29:09 -0000 1.224 
@@ -6,25 +6,35 @@ rhbz293031 fixed (nx) #293031 [since FEDORA-2008-2258] rhbz249840 version (tor, fixed 0.1.2.15) +CVE-2008-2575 fixed (cbrpager) [since FEDORA-2008-4528] CVE-2008-2426 fixed (imlib2) [since FEDORA-2008-4842] CVE-2008-2420 fixed (stunnel, fixed 4.24) [since FEDORA-2008-4579] CVE-2008-2392 ignore (wordpress) issue only in certain deployments, not affected by default CVE-2008-2363 VULNERABLE (pan) #449333 +CVE-2008-2362 VULNERABLE (xorg-x11-server) #450925 [since FEDORA-2008-5279] +CVE-2008-2361 VULNERABLE (xorg-x11-server) #450925 [since FEDORA-2008-5279] +CVE-2008-2360 VULNERABLE (xorg-x11-server) #450925 [since FEDORA-2008-5279] CVE-2008-2359 fixed (system-config-network) [since FEDORA-2008-4633] CVE-2008-2357 fixed (mtr, fixed 0.73) CVE-2008-2302 fixed (Django, fixed 0.96.2) #447258 [since FEDORA-2008-4248] +CVE-2008-2292 fixed (net-snmp, fixed 5.4.2.pre1) [since FEDORA-2008-5218] CVE-2008-2276 VULNERABLE (mantis) upstream fix in 1.2.0a1 seems useless CVE-2008-2266 ignore (perl-Convert-UUlib) embedded uulib copy uses mkstemp CVE-2008-2168 ignore (httpd) browser issue, not apache +CVE-2008-2152 fixed (openoffice.org, fixed 2.4.1) #450650 [since FEDORA-2008-5247] CVE-2008-2146 version (wordpress, fixed 2.2.3) CVE-2008-2119 ignore (asterisk, fixed 1.2.29) AST-2008-008, only for 1.0.x and 1.2.x CVE-2008-2109 fixed (libid3tag) #445814 [since FEDORA-2008-3976] +CVE-2008-2108 VULNERABLE (php, fixed 5.2.6) [since FEDORA-2008-3864] +CVE-2008-2107 VULNERABLE (php, fixed 5.2.6) [since FEDORA-2008-3864] CVE-2008-2105 fixed (bugzilla, fixed 3.0.4, 3.1.4) #445822 [since FEDORA-2008-3442] CVE-2008-2104 ignore (bugzilla, fixed 3.1.4) only affects 3.1.3, not in Fedora CVE-2008-2103 fixed (bugzilla, fixed 3.0.4, 3.1.4) #445822 [since FEDORA-2008-3442] CVE-2008-2085 VULNERABLE (sipp) #446220 CVE-2008-2079 VULNERABLE (mysql, fixed 5.0.60) #445805 CVE-2008-2068 version (wordpress, fixed 2.5.1) [since FEDORA-2008-3397] +CVE-2008-2051 VULNERABLE (php, fixed 5.2.6) 
[since FEDORA-2008-3864] +CVE-2008-2050 ignore (php, fixed 5.2.6) CVE-2008-2033 ignore (zoneminder) duplicate of CVE-2008-1381 CVE-2008-2004 VULNERABLE (xen) disables format autodetection by default [since xen-3.1.2-3.fc8] CVE-2008-2004 VULNERABLE (qemu) fix mostly useless without libvirt changes @@ -32,7 +42,7 @@ CVE-2008-2000 ignore (WebKit) browser DoS CVE-2008-1999 VULNERABLE (WebKit) CVE-2008-1996 fixed (licq, fixed 1.3.6) #445238 [since FEDORA-2008-3969] -CVE-2008-1974 VULNERABLE (kronolith, fixed 3.1.8) #444404 [since FEDORA-2008-3543] +CVE-2008-1974 fixed (kronolith, fixed 3.1.8) #444404 [since FEDORA-2008-3543] CVE-2008-1964 ignore (xine-lib) bogus vulnerability report CVE-2008-1959 fixed (sipp, fixed 3.1) [since FEDORA-2008-3501] CVE-2008-1950 fixed (gnutls, fixed 2.2.4) #447510 [since FEDORA-2008-4183] @@ -55,6 +65,9 @@ CVE-2008-1836 ignore (clamav, fixed 0.93) affected code introduced after 0.92.1 CVE-2008-1835 ignore (clamav, fixed 0.93) unrar code not shipped CVE-2008-1833 fixed (clamav, fixed 0.93-rc1) #442363 [since FEDORA-2008-3420] +CVE-2008-1808 VULNERABLE (freetype, fixed 2.3.6) #451212 +CVE-2008-1807 VULNERABLE (freetype, fixed 2.3.6) #451212 +CVE-2008-1806 VULNERABLE (freetype, fixed 2.3.6) #451212 CVE-2008-1804 fixed (snort, fixed 2.8.1) [since FEDORA-2008-5001] CVE-2008-1803 fixed (rdesktop, fixed 1.6.0) #445842 [since FEDORA-2008-3917] CVE-2008-1802 fixed (rdesktop, fixed 1.6.0) #445842 [since FEDORA-2008-3917] 
@@ -106,12 +119,15 @@ CVE-2008-1394 ignore (plone) CVE-2008-1390 fixed (asterisk, fixed 1.4.19-rc3) #438133 [since FEDORA-2008-2554] CVE-2008-1387 fixed (clamav, fixed 0.93) #442363 [since FEDORA-2008-3420] +CVE-2008-1384 ignore (php, fixed 5.2.6) CVE-2008-1382 fixed (libpng, fixed 1.2.27) [since FEDORA-2008-4847] CVE-2008-1382 fixed (libpng10) [since FEDORA-2008-3937] CVE-2008-1381 fixed (zoneminder, fixed 1.23.3) #444436 [since FEDORA-2008-3462] CVE-2008-1380 VULNERABLE (firefox, fixed 2.0.0.14) CVE-2008-1380 fixed (seamonkey, fixed 1.1.10) #442851 [since FEDORA-2008-3264] CVE-2008-1380 fixed (thunderbird, fixed 2.0.0.14) #442856 [since FEDORA-2008-3557] +CVE-2008-1379 VULNERABLE (xorg-x11-server) #450925 [since FEDORA-2008-5279] +CVE-2008-1377 VULNERABLE (xorg-x11-server) #450925 [since FEDORA-2008-5279] CVE-2008-1374 ignore (cups) only affects old cups versions in RHEL CVE-2008-1373 fixed (cups) #440040 [since FEDORA-2008-2131] CVE-2008-1372 fixed (bzip2, fixed 1.0.5) #439855 [since FEDORA-2008-2970] @@ -184,6 +200,7 @@ CVE-2008-1011 version (WebKit) [since FEDORA-2008-3229] CVE-2008-1010 version (WebKit) [since FEDORA-2008-3229] CVE-2008-0983 fixed (lighttpd) #435807 [since FEDORA-2008-2262] +CVE-2008-0960 fixed (net-snmp, fixed 5.4.1.1) [since FEDORA-2008-5218] CVE-2008-0947 fixed (krb5, fixed 1.6.4) #438023 [since FEDORA-2008-2647] CVE-2008-0932 fixed (sword) #433724 [since FEDORA-2008-1922] why? diatheke.pl is not shipped... CVE-2008-0928 fixed (qemu) #433561 [since FEDORA-2008-2001] @@ -210,6 +227,7 @@ CVE-2008-0658 fixed (openldap) #432012 [since FEDORA-2008-1616] CVE-2008-0646 fixed (deluge, fixed 0.5.8.3) [since FEDORA-2008-1287] CVE-2008-0646 fixed (rb_libtorrent) [since FEDORA-2008-1198] +CVE-2008-0599 VULNERABLE (php, fixed 5.2.6) [since FEDORA-2008-3864] CVE-2008-0597 version (cups) only old CUPS versions affected CVE-2008-0596 version (cups) only old CUPS versions affected CVE-2008-0595 backport (dbus, fixed 1.1.20) [since FEDORA-2008-2070] 
@@ -417,11 +435,14 @@ CVE-2007-5906 VULNERABLE (xen) #390111 CVE-2007-5902 ignore (krb5, fixed 1.6.4) not exploitable CVE-2007-5901 fixed (krb5, fixed 1.6.4) #438023 [since FEDORA-2008-2647] +CVE-2007-5900 ignore (php, fixed 5.2.5) +CVE-2007-5899 VULNERABLE (php, fixed 5.2.5) [since FEDORA-2008-3864] +CVE-2007-5898 VULNERABLE (php, fixed 5.2.5) [since FEDORA-2008-3864] CVE-2007-5894 ignore (krb5, fixed 1.6.4) not exploitable CVE-2007-5849 ignore (cups, fixed 1.3.5) minimal impact, see #415131 CVE-2007-5848 version (cups, fixed 1.2.0) CVE-2007-5846 version (net-snmp, fixed 5.4.1) -CVE-2007-5803 VULNERABLE (nagios, not fixed 2.11) #446381 +CVE-2007-5803 VULNERABLE (nagios, fixed 2.12) #446381 CVE-2007-5795 backport (emacs) #367591 [since FEDORA-2007-2946] CVE-2007-5770 backport (ruby) #373391 [since FEDORA-2007-2812] CVE-2007-5760 fixed (xorg-x11-server, fixed 1.4.1) #429126 [since FEDORA-2008-0760] 
@@ -474,10 +495,17 @@ CVE-2007-5000 fixed (httpd, fixed 2.2.8) #427982 [since FEDORA-2008-1711] CVE-2007-4999 version (pidgin, fixed 2.2.2) CVE-2007-4990 version (xorg-x11-xfs, fixed 1.0.5) +CVE-2007-4887 ignore (php, fixed 5.2.5) CVE-2007-4879 version (firefox, fixed 2.0.0.13) CVE-2007-4879 version (seamonkey, fixed 1.1.9) +CVE-2007-4850 ignore (php, fixed 5.2.6) CVE-2007-4841 version (thunderbird) [since FEDORA-2007-3414] windows only anyway +CVE-2007-4840 ignore (php, fixed 5.2.5) CVE-2007-4829 VULNERABLE (perl-Archive-Tar, not fixed upstream) #364281 +CVE-2007-4825 ignore (php, fixed 5.2.5) +CVE-2007-4784 ignore (php, fixed 5.2.5) +CVE-2007-4783 ignore (php, fixed 5.2.5) +CVE-2007-4782 VULNERABLE (php, fixed 5.2.5) [since FEDORA-2008-3864] CVE-2007-4772 fixed (postgresql, fixed 8.2.6) #427773 [since FEDORA-2008-0478] CVE-2007-4771 fixed (icu) #430233 [since FEDORA-2008-1036] CVE-2007-4770 fixed (icu) #430233 [since FEDORA-2008-1036] Index: f9 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/f9,v retrieving revision 1.213 retrieving revision 1.214 diff -u -r1.213 -r1.214 --- f9 6 Jun 2008 19:59:59 -0000 1.213 +++ f9 13 Jun 2008 18:29:10 -0000 1.214 
@@ -5,25 +5,35 @@ # (mozilla) = (gecko-libs dependent stuff) rhbz249840 version (tor, fixed 0.1.2.15) +CVE-2008-2575 fixed (cbrpager) [since FEDORA-2008-4501] CVE-2008-2426 fixed (imlib2) [since FEDORA-2008-4871] CVE-2008-2420 fixed (stunnel, fixed 4.24) [since FEDORA-2008-4531] CVE-2008-2392 ignore (wordpress) issue only in certain deployments, not affected by default CVE-2008-2363 VULNERABLE (pan) #449334 +CVE-2008-2362 VULNERABLE (xorg-x11-server) #450926 [since FEDORA-2008-5254] +CVE-2008-2361 VULNERABLE (xorg-x11-server) #450926 [since FEDORA-2008-5254] +CVE-2008-2360 VULNERABLE (xorg-x11-server) #450926 [since FEDORA-2008-5254] CVE-2008-2359 ignore (system-config-network) F8 specific issue CVE-2008-2357 fixed (mtr, fixed 0.73) CVE-2008-2302 fixed (Django, fixed 0.96.2) #447259 [since FEDORA-2008-4267] +CVE-2008-2292 fixed (net-snmp, fixed 5.4.2.pre1) [since FEDORA-2008-5215] CVE-2008-2276 VULNERABLE (mantis) upstream fix in 1.2.0a1 seems useless CVE-2008-2266 ignore (perl-Convert-UUlib) embedded uulib copy uses mkstemp CVE-2008-2168 ignore (httpd) browser issue, not apache +CVE-2008-2152 fixed (openoffice.org, fixed 2.4.1) [since FEDORA-2008-5143] CVE-2008-2146 version (wordpress, fixed 2.2.3) CVE-2008-2119 ignore (asterisk, fixed 1.2.29) AST-2008-008, only for 1.0.x and 1.2.x CVE-2008-2109 fixed (libid3tag) #445815 [since FEDORA-2008-3757] +CVE-2008-2108 VULNERABLE (php, fixed 5.2.6) [since FEDORA-2008-3606] +CVE-2008-2107 VULNERABLE (php, fixed 5.2.6) [since FEDORA-2008-3606] CVE-2008-2105 fixed (bugzilla, fixed 3.0.4, 3.1.4) #445823 [since FEDORA-2008-3668] CVE-2008-2104 ignore (bugzilla, fixed 3.1.4) only affects 3.1.3, not in Fedora CVE-2008-2103 fixed (bugzilla, fixed 3.0.4, 3.1.4) #445823 [since FEDORA-2008-3668] CVE-2008-2085 VULNERABLE (sipp) #446221 CVE-2008-2079 VULNERABLE (mysql, fixed 5.0.60) #445806 CVE-2008-2068 version (wordpress, fixed 2.5.1) [since wordpress-2.5.1-1.fc9] +CVE-2008-2051 VULNERABLE (php, fixed 5.2.6) [since FEDORA-2008-3606] 
+CVE-2008-2050 ignore (php, fixed 5.2.6) CVE-2008-2033 ignore (zoneminder) duplicate of CVE-2008-1381 CVE-2008-2004 VULNERABLE (xen) disables format autodetection by default [since xen-3.2.0-11.fc9] CVE-2008-2004 VULNERABLE (qemu) fix mostly useless without libvirt changes @@ -56,6 +66,9 @@ CVE-2008-1835 ignore (clamav, fixed 0.93) unrar code not shipped CVE-2008-1834 version (swfdec, fixed 0.6.4) [since swfdec-0.6.4-1.fc9] CVE-2008-1833 version (clamav, fixed 0.93-rc1) [since clamav-0.93-0.0.rc1.fc9] +CVE-2008-1808 VULNERABLE (freetype, fixed 2.3.6) #451213 +CVE-2008-1807 VULNERABLE (freetype, fixed 2.3.6) #451213 +CVE-2008-1806 VULNERABLE (freetype, fixed 2.3.6) #451213 CVE-2008-1804 fixed (snort, fixed 2.8.1) [since FEDORA-2008-5045] CVE-2008-1803 fixed (rdesktop, fixed 1.6.0) #445843 [since FEDORA-2008-3886] CVE-2008-1802 fixed (rdesktop, fixed 1.6.0) #445843 [since FEDORA-2008-3886] @@ -107,12 +120,15 @@ CVE-2008-1394 ignore (plone) CVE-2008-1390 version (asterisk, fixed 1.6.0-beta6) #438134 [since asterisk-1.6.0-0.6.beta6.fc9] CVE-2008-1387 fixed (clamav, fixed 0.93) #442364 [since FEDORA-2008-3900] +CVE-2008-1384 ignore (php, fixed 5.2.6) CVE-2008-1382 fixed (libpng, fixed 1.2.27) [since FEDORA-2008-4910] CVE-2008-1382 fixed (libpng10) [since FEDORA-2008-3683] CVE-2008-1381 fixed (zoneminder, fixed 1.23.3) #444437 [since FEDORA-2008-3601] CVE-2008-1380 version (firefox, fixed 2.0.0.14) CVE-2008-1380 backport (seamonkey, fixed 1.1.10) #442852 [since seamonkey-1.1.9-3.fc9] CVE-2008-1380 version (thunderbird, fixed 2.0.0.14) #442857 [since thunderbird-2.0.0.14-1.fc9] +CVE-2008-1379 VULNERABLE (xorg-x11-server) #450926 [since FEDORA-2008-5254] +CVE-2008-1377 VULNERABLE (xorg-x11-server) #450926 [since FEDORA-2008-5254] CVE-2008-1374 ignore (cups) only affects old cups versions in RHEL CVE-2008-1373 backport (cups) #440041 [since cups-1.3.6-9.fc9] CVE-2008-1372 version (bzip2, fixed 1.0.5) [since bzip2-1.0.5-1.fc9] 
@@ -183,6 +199,7 @@ CVE-2008-1011 version (WebKit) [since WebKit-1.0.0-0.8.svn31787.fc9] CVE-2008-1010 version (WebKit) [since WebKit-1.0.0-0.8.svn31787.fc9] CVE-2008-0983 backport (lighttpd) #435809 [since lighttpd-1.4.18-6.fc9] +CVE-2008-0960 fixed (net-snmp, fixed 5.4.1.1) [since FEDORA-2008-5215] CVE-2008-0947 backport (krb5, fixed 1.6.4) [since krb5-1.6.3-10.fc9] CVE-2008-0932 backport (sword) #433726 [since sword-1.5.10-3.fc9] why? diatheke.pl is not shipped... CVE-2008-0928 backport (qemu) #433563 [since qemu-0.9.1-3.fc9] @@ -207,6 +224,7 @@ CVE-2008-0658 backport (openldap) #432014 [since openldap-2.4.7-7.fc9] CVE-2008-0646 version (deluge, fixed 0.5.8.3) [since deluge-0.5.8.3-1.fc9] CVE-2008-0646 backport (rb_libtorrent) [since rb_libtorrent-0.12-3.fc9] +CVE-2008-0599 VULNERABLE (php, fixed 5.2.6) [since FEDORA-2008-3606] CVE-2008-0597 version (cups) only old CUPS versions affected CVE-2008-0596 version (cups) only old CUPS versions affected CVE-2008-0595 version (dbus, fixed 1.1.20) [since dbus-1.1.20-1.fc9] @@ -224,7 +242,7 @@ CVE-2008-0554 version (netpbm, fixed 10.27) CVE-2008-0553 backport (perl-Tk) #431529 [since perl-Tk-804.028-3.fc9] CVE-2008-0553 backport (tk, fixed 8.5.1) [since tk-8.5.0-4.fc9] -CVE-2008-0553 VULNERABLE (tkimg) #444872 +CVE-2008-0553 fixed (tkimg) #444872 [since FEDORA-2008-3621] CVE-2008-0544 backport (SDL_image) #430696 ILBM overflow [since SDL_image-1.2.6-5.fc9] CVE-2008-0486 version (xine-lib, fixed 1.1.10.1) #431544 [since xine-lib-1.1.10.1-1.fc9] CVE-2008-0460 version (mediawiki) #430289 [since mediawiki-1.10.4-38.fc9] 
@@ -413,11 +431,12 @@ CVE-2007-5906 VULNERABLE (xen) #390121 CVE-2007-5902 ignore (krb5, fixed 1.6.4) not exploitable CVE-2007-5901 backport (krb5, fixed 1.6.4) [since krb5-1.6.3-10.fc9] +CVE-2007-5900 ignore (php, fixed 5.2.5) CVE-2007-5894 ignore (krb5, fixed 1.6.4) not exploitable CVE-2007-5849 version (cups, fixed 1.3.5) [since cups-1.3.5-1.fc9] CVE-2007-5848 version (cups, fixed 1.2.0) CVE-2007-5846 version (net-snmp, fixed 5.4.1) -CVE-2007-5803 VULNERABLE (nagios, not fixed 2.11) #446382 +CVE-2007-5803 VULNERABLE (nagios, fixed 2.12) #446382 CVE-2007-5795 backport (emacs) #367601 [since emacs-22.1-8.fc9] CVE-2007-5770 backport (ruby) #373401 [since ruby-1.8.6.111-1] CVE-2007-5760 backport (xorg-x11-server, fixed 1.4.1) #429127 [since xorg-x11-server-1.4.99.1-0.17.20080107.fc9] @@ -464,9 +483,15 @@ CVE-2007-5000 version (httpd, fixed 2.2.8) #427984 [since httpd-2.2.8-2] CVE-2007-4999 version (pidgin, fixed 2.2.2) CVE-2007-4990 version (xorg-x11-xfs, fixed 1.0.5) +CVE-2007-4887 ignore (php, fixed 5.2.5) CVE-2007-4879 version (firefox, fixed 2.0.0.13) CVE-2007-4879 version (seamonkey, fixed 1.1.9) +CVE-2007-4850 ignore (php, fixed 5.2.6) +CVE-2007-4840 ignore (php, fixed 5.2.5) CVE-2007-4829 VULNERABLE (perl, not fixed upstream) #364291 perl-Archive-Tar directory traversal +CVE-2007-4825 ignore (php, fixed 5.2.5) +CVE-2007-4784 ignore (php, fixed 5.2.5) +CVE-2007-4783 ignore (php, fixed 5.2.5) CVE-2007-4772 version (postgresql, fixed 8.2.6) #427774 [since postgresql-8.2.6-1.fc9] CVE-2007-4771 backport (icu) [since icu-3.8.1-3.fc9] CVE-2007-4770 backport (icu) [since icu-3.8.1-3.fc9] Index: fc7 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc7,v retrieving revision 1.379 retrieving revision 1.380 diff -u -r1.379 -r1.380 --- fc7 6 Jun 2008 19:59:59 -0000 1.379 +++ fc7 13 Jun 2008 18:29:10 -0000 1.380 
@@ -7,25 +7,35 @@ rhbz293031 fixed (nx) #293031 [since FEDORA-2008-2258] rhbz249840 version (tor, fixed 0.1.2.15) #249840 [since FEDORA-2007-1674] +CVE-2008-2575 fixed (cbrpager) [since FEDORA-2008-4440] CVE-2008-2426 fixed (imlib2) [since FEDORA-2008-4950] CVE-2008-2420 fixed (stunnel, fixed 4.24) [since FEDORA-2008-4606] CVE-2008-2392 ignore (wordpress) issue only in certain deployments, not affected by default CVE-2008-2363 VULNERABLE (pan) +CVE-2008-2362 fixed (xorg-x11-server) #450924 [since FEDORA-2008-5285] +CVE-2008-2361 fixed (xorg-x11-server) #450924 [since FEDORA-2008-5285] +CVE-2008-2360 fixed (xorg-x11-server) #450924 [since FEDORA-2008-5285] CVE-2008-2359 ignore (system-config-network) F8 specific issue CVE-2008-2357 fixed (mtr, fixed 0.73) CVE-2008-2302 fixed (Django, fixed 0.96.2) #447257 [since FEDORA-2008-4191] +CVE-2008-2292 fixed (net-snmp, fixed 5.4.2.pre1) [since FEDORA-2008-5224] CVE-2008-2276 VULNERABLE (mantis) upstream fix in 1.2.0a1 seems useless CVE-2008-2266 ignore (perl-Convert-UUlib) embedded uulib copy uses mkstemp CVE-2008-2168 ignore (httpd) browser issue, not apache +CVE-2008-2152 fixed (openoffice.org, fixed 2.4.1) #450649 [since FEDORA-2008-5239] CVE-2008-2146 version (wordpress, fixed 2.2.3) CVE-2008-2119 ignore (asterisk, fixed 1.2.29) AST-2008-008, only for 1.0.x and 1.2.x CVE-2008-2109 fixed (libid3tag) #445813 [since FEDORA-2008-3874] +CVE-2008-2108 fixed (php, fixed 5.2.6) [since FEDORA-2008-1734] +CVE-2008-2107 fixed (php, fixed 5.2.6) [since FEDORA-2008-1734] CVE-2008-2105 fixed (bugzilla, fixed 3.0.4, 3.1.4) #445821 [since FEDORA-2008-3488] CVE-2008-2104 ignore (bugzilla, fixed 3.1.4) only affects 3.1.3, not in Fedora CVE-2008-2103 fixed (bugzilla, fixed 3.0.4, 3.1.4) #445821 [since FEDORA-2008-3488] CVE-2008-2085 VULNERABLE (sipp) #446219 CVE-2008-2079 VULNERABLE (mysql, fixed 5.0.60) #445804 CVE-2008-2068 version (wordpress, fixed 2.5.1) [since FEDORA-2008-3319] +CVE-2008-2051 fixed (php, fixed 5.2.6) [since 
FEDORA-2008-1734] +CVE-2008-2050 ignore (php, fixed 5.2.6) CVE-2008-2033 ignore (zoneminder) duplicate of CVE-2008-1381 CVE-2008-2004 VULNERABLE (xen) disables format autodetection by default [since xen-3.1.2-3.fc7] CVE-2008-2004 VULNERABLE (qemu) fix mostly useless without libvirt changes @@ -33,7 +43,7 @@ CVE-2008-2000 ignore (WebKit) browser DoS CVE-2008-1999 VULNERABLE (WebKit) CVE-2008-1996 fixed (licq, fixed 1.3.6) #445237 [since FEDORA-2008-3909] -CVE-2008-1974 VULNERABLE (kronolith, fixed 3.1.8) #444403 [since FEDORA-2008-3460] +CVE-2008-1974 fixed (kronolith, fixed 3.1.8) #444403 [since FEDORA-2008-3460] CVE-2008-1964 ignore (xine-lib) bogus vulnerability report CVE-2008-1959 fixed (sipp, fixed 3.1) [since FEDORA-2008-3508] CVE-2008-1950 fixed (gnutls, fixed 2.2.4) #447509 [since FEDORA-2008-4274] @@ -56,6 +66,9 @@ CVE-2008-1836 ignore (clamav, fixed 0.93) affected code introduced after 0.92.1 CVE-2008-1835 ignore (clamav, fixed 0.93) unrar code not shipped CVE-2008-1833 fixed (clamav, fixed 0.93-rc1) #442362 [since FEDORA-2008-3358] +CVE-2008-1808 VULNERABLE (freetype, fixed 2.3.6) +CVE-2008-1807 VULNERABLE (freetype, fixed 2.3.6) +CVE-2008-1806 VULNERABLE (freetype, fixed 2.3.6) CVE-2008-1804 fixed (snort, fixed 2.8.1) [since FEDORA-2008-5045] CVE-2008-1803 fixed (rdesktop, fixed 1.6.0) #445841 [since FEDORA-2008-3985] CVE-2008-1802 fixed (rdesktop, fixed 1.6.0) #445841 [since FEDORA-2008-3985] 
@@ -107,12 +120,15 @@ CVE-2008-1394 ignore (plone) CVE-2008-1390 fixed (asterisk, fixed 1.4.19-rc3) #438132 [since FEDORA-2008-2620] CVE-2008-1387 fixed (clamav, fixed 0.93) #442362 [since FEDORA-2008-3358] +CVE-2008-1384 ignore (php, fixed 5.2.6) CVE-2008-1382 fixed (libpng, fixed 1.2.27) [since FEDORA-2008-4947] -CVE-2008-1382 VULNERABLE (libpng10) [since libpng10-1.0.33-1.fc7] +CVE-2008-1382 fixed (libpng10) [since FEDORA-2008-3979] CVE-2008-1381 fixed (zoneminder, fixed 1.23.3) #444435 [since FEDORA-2008-3516] CVE-2008-1380 VULNERABLE (firefox, fixed 2.0.0.14) CVE-2008-1380 fixed (seamonkey, fixed 1.1.10) #442850 [since FEDORA-2008-3231] CVE-2008-1380 fixed (thunderbird, fixed 2.0.0.14) #442855 [since FEDORA-2008-3519] +CVE-2008-1379 fixed (xorg-x11-server) #450924 [since FEDORA-2008-5285] +CVE-2008-1377 fixed (xorg-x11-server) #450924 [since FEDORA-2008-5285] CVE-2008-1374 ignore (cups) only affects old cups versions in RHEL CVE-2008-1373 fixed (cups) #440042 [since FEDORA-2008-2897] CVE-2008-1372 fixed (bzip2, fixed 1.0.5) #439855 [since FEDORA-2008-2970] @@ -185,6 +201,7 @@ CVE-2008-1011 fixed (WebKit) [since FEDORA-2008-3415] CVE-2008-1010 fixed (WebKit) [since FEDORA-2008-3415] CVE-2008-0983 fixed (lighttpd) #435808 [since FEDORA-2008-2278] +CVE-2008-0960 fixed (net-snmp, fixed 5.4.1.1) [since FEDORA-2008-5224] CVE-2008-0947 fixed (krb5, fixed 1.6.4) #438022 [since FEDORA-2008-2637] CVE-2008-0932 fixed (sword) #433725 [since FEDORA-2008-1951] why? diatheke.pl is not shipped... CVE-2008-0928 fixed (qemu) #433562 [since FEDORA-2008-1995] 
@@ -210,6 +227,7 @@ CVE-2008-0658 fixed (openldap) #432013 [since FEDORA-2008-1568] CVE-2008-0646 fixed (deluge, fixed 0.5.8.3) [since FEDORA-2008-1198] CVE-2008-0646 fixed (rb_libtorrent) [since FEDORA-2008-1245] +CVE-2008-0599 fixed (php, fixed 5.2.6) [since FEDORA-2008-1734] CVE-2008-0597 version (cups) only old CUPS versions affected CVE-2008-0596 version (cups) only old CUPS versions affected CVE-2008-0595 backport (dbus, fixed 1.1.20) [since FEDORA-2008-2043] @@ -416,11 +434,14 @@ CVE-2007-5906 VULNERABLE (xen) #390101 CVE-2007-5902 ignore (krb5, fixed 1.6.4) not exploitable CVE-2007-5901 fixed (krb5, fixed 1.6.4) #438022 [since FEDORA-2008-2637] +CVE-2007-5900 ignore (php, fixed 5.2.5) +CVE-2007-5899 fixed (php, fixed 5.2.5) [since FEDORA-2008-1734] +CVE-2007-5898 fixed (php, fixed 5.2.5) [since FEDORA-2008-1734] CVE-2007-5894 ignore (krb5, fixed 1.6.4) not exploitable CVE-2007-5849 ignore (cups, fixed 1.3.5) minimal impact, see #415131 CVE-2007-5848 version (cups, fixed 1.2.0) CVE-2007-5846 backport (net-snmp) [since FEDORA-2007-3019] -CVE-2007-5803 VULNERABLE (nagios, not fixed 2.11) #437851 +CVE-2007-5803 VULNERABLE (nagios, fixed 2.12) #437851 CVE-2007-5795 backport (emacs) #367581 [since FEDORA-2007-3056] CVE-2007-5770 backport (ruby) #373381 [since FEDORA-2007-2685] CVE-2007-5760 fixed (xorg-x11-server, fixed 1.4.1) #429125 [since FEDORA-2008-0831] 
@@ -514,15 +535,21 @@ CVE-2007-4897 version (opal, fixed 2.2.9) CVE-2007-4894 version (wordpress, fixed 2.2.3) [since FEDORA-2007-2143] CVE-2007-4893 version (wordpress, fixed 2.2.3) [since FEDORA-2007-2143] +CVE-2007-4887 ignore (php, fixed 5.2.5) CVE-2007-4879 version (firefox, fixed 2.0.0.13) CVE-2007-4879 version (seamonkey, fixed 1.1.9) CVE-2007-4851 ignore (tk) duplicate of CVE-2007-5137 +CVE-2007-4850 ignore (php, fixed 5.2.6) CVE-2007-4841 ignore (mozilla) Windows only CVE-2007-4841 version (thunderbird) [since FEDORA-2007-3431] windows only anyway -CVE-2007-4840 ignore (php) +CVE-2007-4840 ignore (php, fixed 5.2.5) CVE-2007-4829 VULNERABLE (perl-Archive-Tar) #315321 CVE-2007-4828 version (mediawiki, fixed 1.11.0, 1.10.2, 1.9.4) #287881 [since FEDORA-2007-2189] CVE-2007-4826 version (quagga, fixed 0.99.9) [since FEDORA-2007-2196] +CVE-2007-4825 ignore (php, fixed 5.2.5) +CVE-2007-4784 ignore (php, fixed 5.2.5) +CVE-2007-4783 ignore (php, fixed 5.2.5) +CVE-2007-4782 fixed (php, fixed 5.2.5) [since FEDORA-2008-1734] CVE-2007-4772 fixed (postgresql, fixed 8.2.6) #427772 [since FEDORA-2008-0552] CVE-2007-4771 fixed (icu) #430232 [since FEDORA-2008-1076] CVE-2007-4770 fixed (icu) #430232 [since FEDORA-2008-1076] From fedora-security-commits at redhat.com Thu Jun 19 13:25:00 2008 
From: fedora-security-commits at redhat.com (fedora-security-commits at redhat.com) Date: Thu, 19 Jun 2008 13:25:00 GMT Subject: [Fedora-security-commits] fedora-security/tools/lib/Libexig Fedora.pm, 1.5, 1.6 Message-ID: <200806191325.m5JDP0rd018896@cvs-int.fedora.redhat.com> Author: thoger Update of /cvs/fedora/fedora-security/tools/lib/Libexig In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv18754/lib/Libexig Modified Files: Fedora.pm Log Message: F7 reached EOL last Friday, removing from the tools Index: Fedora.pm =================================================================== RCS file: /cvs/fedora/fedora-security/tools/lib/Libexig/Fedora.pm,v retrieving revision 1.5 retrieving revision 1.6 diff -u -r1.5 -r1.6 --- Fedora.pm 13 May 2008 15:56:19 -0000 1.5 +++ Fedora.pm 19 Jun 2008 13:24:29 -0000 1.6 @@ -121,9 +121,6 @@ # Valid versions my %versions = ( - '7', => '7', - 'f7', => '7', - 'fc7', => '7', '8', => '8', 'f8', => '8', 'fc8', => '8', From fedora-security-commits at redhat.com Thu Jun 19 13:25:00 2008 From: fedora-security-commits at redhat.com (fedora-security-commits at redhat.com) Date: Thu, 19 Jun 2008 13:25:00 GMT Subject: [Fedora-security-commits] fedora-security/tools/scripts add-issue, 1.8, 1.9 Message-ID: <200806191325.m5JDP0DZ018902@cvs-int.fedora.redhat.com> Author: thoger Update of /cvs/fedora/fedora-security/tools/scripts In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv18754/scripts Modified Files: add-issue Log Message: F7 reached EOL last Friday, removing from the tools Index: add-issue =================================================================== RCS file: /cvs/fedora/fedora-security/tools/scripts/add-issue,v retrieving revision 1.8 retrieving revision 1.9 diff -u -r1.8 -r1.9 --- add-issue 26 May 2008 08:59:36 -0000 1.8 +++ add-issue 19 Jun 2008 13:24:30 -0000 1.9 
@@ -24,7 +24,6 @@ use strict; my %versions = ( - '7' => 'audit/fc7', '8' => 'audit/f8', '9' => 'audit/f9', '10' => 'audit/f10', From fedora-security-commits at redhat.com Fri Jun 20 08:51:15 2008 From: fedora-security-commits at redhat.com (fedora-security-commits at redhat.com) Date: Fri, 20 Jun 2008 08:51:15 GMT Subject: [Fedora-security-commits] fedora-security/audit f10, 1.6, 1.7 f8, 1.224, 1.225 f9, 1.214, 1.215 fc7, 1.380, 1.381 Message-ID: <200806200851.m5K8pFlk028981@cvs-int.fedora.redhat.com> Author: thoger Update of /cvs/fedora/fedora-security/audit In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv28928/audit Modified Files: f10 f8 f9 fc7 Log Message: another week of issues last update of fc7 file Index: f10 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/f10,v retrieving revision 1.6 retrieving revision 1.7 diff -u -r1.6 -r1.7 --- f10 13 Jun 2008 18:29:09 -0000 1.6 +++ f10 20 Jun 2008 08:50:45 -0000 1.7 
@@ -4,6 +4,13 @@ # *CVE are items that need verification for Fedora 10 # (mozilla) = (gecko-libs dependent stuff) +CVE-2008-2724 version (gallery2, fixed 2.2.5) [since gallery2-2.2.5-1.fc10] +CVE-2008-2723 version (gallery2, fixed 2.2.5) [since gallery2-2.2.5-1.fc10] +CVE-2008-2722 version (gallery2, fixed 2.2.5) [since gallery2-2.2.5-1.fc10] +CVE-2008-2721 version (gallery2, fixed 2.2.5) [since gallery2-2.2.5-1.fc10] +CVE-2008-2720 version (gallery2, fixed 2.2.5) [since gallery2-2.2.5-1.fc10] +CVE-2008-2713 version (clamav, fixed 0.93.1) [since clamav-0.93.1-1.fc10] +CVE-2008-2696 VULNERABLE (exiv2, fixed 0.17) CVE-2008-2575 version (cbrpager) [since cbrpager-0.9.17-2.fc10] CVE-2008-2426 backport (imlib2) [since imlib2-1.4.0-7.fc10] CVE-2008-2420 version (stunnel, fixed 4.24) [since stunnel-4.24-2] Index: f8 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/f8,v retrieving revision 1.224 retrieving revision 1.225 diff -u -r1.224 -r1.225 --- f8 13 Jun 2008 18:29:09 -0000 1.224 +++ f8 20 Jun 2008 08:50:45 -0000 1.225 
@@ -6,14 +6,22 @@ rhbz293031 fixed (nx) #293031 [since FEDORA-2008-2258] rhbz249840 version (tor, fixed 0.1.2.15) +CVE-2008-2783 VULNERABLE (kronolith) +CVE-2008-2724 VULNERABLE (gallery2, fixed 2.2.5) [since gallery2-2.2.5-1.fc8] +CVE-2008-2723 VULNERABLE (gallery2, fixed 2.2.5) [since gallery2-2.2.5-1.fc8] +CVE-2008-2722 VULNERABLE (gallery2, fixed 2.2.5) [since gallery2-2.2.5-1.fc8] +CVE-2008-2721 VULNERABLE (gallery2, fixed 2.2.5) [since gallery2-2.2.5-1.fc8] +CVE-2008-2720 VULNERABLE (gallery2, fixed 2.2.5) [since gallery2-2.2.5-1.fc8] +CVE-2008-2713 VULNERABLE (clamav, fixed 0.93.1) +CVE-2008-2696 VULNERABLE (exiv2, fixed 0.17) CVE-2008-2575 fixed (cbrpager) [since FEDORA-2008-4528] CVE-2008-2426 fixed (imlib2) [since FEDORA-2008-4842] CVE-2008-2420 fixed (stunnel, fixed 4.24) [since FEDORA-2008-4579] CVE-2008-2392 ignore (wordpress) issue only in certain deployments, not affected by default CVE-2008-2363 VULNERABLE (pan) #449333 -CVE-2008-2362 VULNERABLE (xorg-x11-server) #450925 [since FEDORA-2008-5279] -CVE-2008-2361 VULNERABLE (xorg-x11-server) #450925 [since FEDORA-2008-5279] -CVE-2008-2360 VULNERABLE (xorg-x11-server) #450925 [since FEDORA-2008-5279] +CVE-2008-2362 fixed (xorg-x11-server) #450925 [since FEDORA-2008-5279] +CVE-2008-2361 fixed (xorg-x11-server) #450925 [since FEDORA-2008-5279] +CVE-2008-2360 fixed (xorg-x11-server) #450925 [since FEDORA-2008-5279] CVE-2008-2359 fixed (system-config-network) [since FEDORA-2008-4633] CVE-2008-2357 fixed (mtr, fixed 0.73) CVE-2008-2302 fixed (Django, fixed 0.96.2) #447258 [since FEDORA-2008-4248] 
@@ -65,9 +73,12 @@ CVE-2008-1836 ignore (clamav, fixed 0.93) affected code introduced after 0.92.1 CVE-2008-1835 ignore (clamav, fixed 0.93) unrar code not shipped CVE-2008-1833 fixed (clamav, fixed 0.93-rc1) #442363 [since FEDORA-2008-3420] -CVE-2008-1808 VULNERABLE (freetype, fixed 2.3.6) #451212 -CVE-2008-1807 VULNERABLE (freetype, fixed 2.3.6) #451212 -CVE-2008-1806 VULNERABLE (freetype, fixed 2.3.6) #451212 +CVE-2008-1808 fixed (freetype, fixed 2.3.6) #451212 [since FEDORA-2008-5430] +CVE-2008-1808 ignore (freetype1) PFB not supported, TTF BCI not enabled +CVE-2008-1807 fixed (freetype, fixed 2.3.6) #451212 [since FEDORA-2008-5430] +CVE-2008-1807 ignore (freetype1) PFB font fromat not supported +CVE-2008-1806 fixed (freetype, fixed 2.3.6) #451212 [since FEDORA-2008-5430] +CVE-2008-1806 ignore (freetype1) PFB font fromat not supported CVE-2008-1804 fixed (snort, fixed 2.8.1) [since FEDORA-2008-5001] CVE-2008-1803 fixed (rdesktop, fixed 1.6.0) #445842 [since FEDORA-2008-3917] CVE-2008-1802 fixed (rdesktop, fixed 1.6.0) #445842 [since FEDORA-2008-3917] @@ -126,8 +137,8 @@ CVE-2008-1380 VULNERABLE (firefox, fixed 2.0.0.14) CVE-2008-1380 fixed (seamonkey, fixed 1.1.10) #442851 [since FEDORA-2008-3264] CVE-2008-1380 fixed (thunderbird, fixed 2.0.0.14) #442856 [since FEDORA-2008-3557] -CVE-2008-1379 VULNERABLE (xorg-x11-server) #450925 [since FEDORA-2008-5279] -CVE-2008-1377 VULNERABLE (xorg-x11-server) #450925 [since FEDORA-2008-5279] +CVE-2008-1379 fixed (xorg-x11-server) #450925 [since FEDORA-2008-5279] +CVE-2008-1377 fixed (xorg-x11-server) #450925 [since FEDORA-2008-5279] CVE-2008-1374 ignore (cups) only affects old cups versions in RHEL CVE-2008-1373 fixed (cups) #440040 [since FEDORA-2008-2131] CVE-2008-1372 fixed (bzip2, fixed 1.0.5) #439855 [since FEDORA-2008-2970] 
@@ -351,7 +362,7 @@ CVE-2007-6423 ignore (httpd) can not be reproduced by upstream CVE-2007-6422 fixed (httpd, fixed 2.2.8) #427982 [since FEDORA-2008-1711] CVE-2007-6421 fixed (httpd, fixed 2.2.8) #427982 [since FEDORA-2008-1711] -CVE-2007-6420 ignore (httpd) wontfix by upstream +CVE-2007-6420 ignore (httpd, fixed 2.2.9) wontfix by upstream CVE-2007-6415 fixed (scponly, fixed 4.8) #429732 [since FEDORA-2008-1743] CVE-2007-6388 fixed (httpd, fixed 2.2.8) #427982 [since FEDORA-2008-1711] CVE-2007-6341 ignore (perl-Net-DNS) no impact @@ -367,7 +378,7 @@ CVE-2007-6350 fixed (scponly) #429731 [since FEDORA-2008-1728] rsync vector only CVE-2007-6348 ignore (squirrelmail) trojaned version was not shipped CVE-2007-6328 ignore (dosbox) design decision -CVE-2007-6321 VULNERABLE (roundcubemail) #423291 +CVE-2007-6321 fixed (roundcubemail) #423291 [since FEDORA-2008-5342] CVE-2007-6318 VULNERABLE (wordpress) CVE-2007-6313 ignore (mysql) 5.1+ only CVE-2007-6304 ignore (mysql, fixed 5.0.52) federated engine not built Index: f9 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/f9,v retrieving revision 1.214 retrieving revision 1.215 diff -u -r1.214 -r1.215 --- f9 13 Jun 2008 18:29:10 -0000 1.214 +++ f9 20 Jun 2008 08:50:45 -0000 1.215 
@@ -5,14 +5,21 @@ # (mozilla) = (gecko-libs dependent stuff) rhbz249840 version (tor, fixed 0.1.2.15) +CVE-2008-2724 VULNERABLE (gallery2, fixed 2.2.5) [since gallery2-2.2.5-1.fc9] +CVE-2008-2723 VULNERABLE (gallery2, fixed 2.2.5) [since gallery2-2.2.5-1.fc9] +CVE-2008-2722 VULNERABLE (gallery2, fixed 2.2.5) [since gallery2-2.2.5-1.fc9] +CVE-2008-2721 VULNERABLE (gallery2, fixed 2.2.5) [since gallery2-2.2.5-1.fc9] +CVE-2008-2720 VULNERABLE (gallery2, fixed 2.2.5) [since gallery2-2.2.5-1.fc9] +CVE-2008-2713 VULNERABLE (clamav, fixed 0.93.1) [since clamav-0.93.1-1.fc9] +CVE-2008-2696 VULNERABLE (exiv2, fixed 0.17) CVE-2008-2575 fixed (cbrpager) [since FEDORA-2008-4501] CVE-2008-2426 fixed (imlib2) [since FEDORA-2008-4871] CVE-2008-2420 fixed (stunnel, fixed 4.24) [since FEDORA-2008-4531] CVE-2008-2392 ignore (wordpress) issue only in certain deployments, not affected by default CVE-2008-2363 VULNERABLE (pan) #449334 -CVE-2008-2362 VULNERABLE (xorg-x11-server) #450926 [since FEDORA-2008-5254] -CVE-2008-2361 VULNERABLE (xorg-x11-server) #450926 [since FEDORA-2008-5254] -CVE-2008-2360 VULNERABLE (xorg-x11-server) #450926 [since FEDORA-2008-5254] +CVE-2008-2362 fixed (xorg-x11-server) #450926 [since FEDORA-2008-5254] +CVE-2008-2361 fixed (xorg-x11-server) #450926 [since FEDORA-2008-5254] +CVE-2008-2360 fixed (xorg-x11-server) #450926 [since FEDORA-2008-5254] CVE-2008-2359 ignore (system-config-network) F8 specific issue CVE-2008-2357 fixed (mtr, fixed 0.73) CVE-2008-2302 fixed (Django, fixed 0.96.2) #447259 [since FEDORA-2008-4267] 
@@ -66,9 +73,12 @@ CVE-2008-1835 ignore (clamav, fixed 0.93) unrar code not shipped CVE-2008-1834 version (swfdec, fixed 0.6.4) [since swfdec-0.6.4-1.fc9] CVE-2008-1833 version (clamav, fixed 0.93-rc1) [since clamav-0.93-0.0.rc1.fc9] -CVE-2008-1808 VULNERABLE (freetype, fixed 2.3.6) #451213 -CVE-2008-1807 VULNERABLE (freetype, fixed 2.3.6) #451213 -CVE-2008-1806 VULNERABLE (freetype, fixed 2.3.6) #451213 +CVE-2008-1808 fixed (freetype, fixed 2.3.6) #451213 [since FEDORA-2008-5425] +CVE-2008-1808 ignore (freetype1) PFB not supported, TTF BCI not enabled +CVE-2008-1807 fixed (freetype, fixed 2.3.6) #451213 [since FEDORA-2008-5425] +CVE-2008-1807 ignore (freetype1) PFB font fromat not supported +CVE-2008-1806 fixed (freetype, fixed 2.3.6) #451213 [since FEDORA-2008-5425] +CVE-2008-1806 ignore (freetype1) PFB font fromat not supported CVE-2008-1804 fixed (snort, fixed 2.8.1) [since FEDORA-2008-5045] CVE-2008-1803 fixed (rdesktop, fixed 1.6.0) #445843 [since FEDORA-2008-3886] CVE-2008-1802 fixed (rdesktop, fixed 1.6.0) #445843 [since FEDORA-2008-3886] @@ -127,8 +137,8 @@ CVE-2008-1380 version (firefox, fixed 2.0.0.14) CVE-2008-1380 backport (seamonkey, fixed 1.1.10) #442852 [since seamonkey-1.1.9-3.fc9] CVE-2008-1380 version (thunderbird, fixed 2.0.0.14) #442857 [since thunderbird-2.0.0.14-1.fc9] -CVE-2008-1379 VULNERABLE (xorg-x11-server) #450926 [since FEDORA-2008-5254] -CVE-2008-1377 VULNERABLE (xorg-x11-server) #450926 [since FEDORA-2008-5254] +CVE-2008-1379 fixed (xorg-x11-server) #450926 [since FEDORA-2008-5254] +CVE-2008-1377 fixed (xorg-x11-server) #450926 [since FEDORA-2008-5254] CVE-2008-1374 ignore (cups) only affects old cups versions in RHEL CVE-2008-1373 backport (cups) #440041 [since cups-1.3.6-9.fc9] CVE-2008-1372 version (bzip2, fixed 1.0.5) [since bzip2-1.0.5-1.fc9] 
@@ -348,7 +358,7 @@ CVE-2007-6423 ignore (httpd) can not be reproduced by upstream CVE-2007-6422 version (httpd, fixed 2.2.8) #427984 [since httpd-2.2.8-2] CVE-2007-6421 version (httpd, fixed 2.2.8) #427984 [since httpd-2.2.8-2] -CVE-2007-6420 ignore (httpd) wontfix by upstream +CVE-2007-6420 ignore (httpd, fixed 2.2.9) wontfix by upstream CVE-2007-6415 backport (scponly, fixed 4.8) [since scponly-4.6-10.fc9] CVE-2007-6388 version (httpd, fixed 2.2.8) #427984 [since httpd-2.2.8-2] CVE-2007-6341 version (perl-Net-DNS) [since perl-Net-DNS-0.63-1.fc9] @@ -364,7 +374,7 @@ CVE-2007-6350 backport (scponly) [since scponly-4.6-8.fc9] rsync support disabled CVE-2007-6348 ignore (squirrelmail) trojaned version was not shipped CVE-2007-6328 ignore (dosbox) design decision -CVE-2007-6321 VULNERABLE (roundcubemail) #423301 +CVE-2007-6321 fixed (roundcubemail) #423301 [since FEDORA-2008-5333] CVE-2007-6318 VULNERABLE (wordpress) #426434 CVE-2007-6313 ignore (mysql) 5.1+ only CVE-2007-6304 ignore (mysql, fixed 5.0.52) federated engine not built Index: fc7 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc7,v retrieving revision 1.380 retrieving revision 1.381 diff -u -r1.380 -r1.381 --- fc7 13 Jun 2008 18:29:10 -0000 1.380 +++ fc7 20 Jun 2008 08:50:45 -0000 1.381 @@ -350,7 +350,7 @@ CVE-2007-6423 ignore (httpd) can not be reproduced by upstream CVE-2007-6422 fixed (httpd, fixed 2.2.8) #427983 [since FEDORA-2008-1695] CVE-2007-6421 fixed (httpd, fixed 2.2.8) #427983 [since FEDORA-2008-1695] -CVE-2007-6420 ignore (httpd) wontfix by upstream +CVE-2007-6420 ignore (httpd, fixed 2.2.9) wontfix by upstream CVE-2007-6415 fixed (scponly, fixed 4.8) #429731 [since FEDORA-2008-1728] CVE-2007-6388 fixed (httpd, fixed 2.2.8) #427983 [since FEDORA-2008-1695] CVE-2007-6341 ignore (perl-Net-DNS) no impact 
@@ -366,7 +366,7 @@ CVE-2007-6350 fixed (scponly) #429731 [since FEDORA-2008-1728] rsync vector only CVE-2007-6348 ignore (squirrelmail) trojaned version was not shipped CVE-2007-6328 ignore (dosbox) design decision -CVE-2007-6321 VULNERABLE (roundcubemail) #423281 +CVE-2007-6321 fixed (roundcubemail) #423281 [since FEDORA-2008-5315] CVE-2007-6318 VULNERABLE (wordpress) CVE-2007-6313 ignore (mysql) 5.1+ only CVE-2007-6304 ignore (mysql, fixed 5.0.52) federated engine not built From fedora-security-commits at redhat.com Fri Jun 20 19:34:59 2008 From: fedora-security-commits at redhat.com (fedora-security-commits at redhat.com) Date: Fri, 20 Jun 2008 19:34:59 GMT Subject: [Fedora-security-commits] fedora-security/audit f10, 1.7, 1.8 f8, 1.225, 1.226 f9, 1.215, 1.216 Message-ID: <200806201934.m5KJYx9t029675@cvs-int.fedora.redhat.com> Author: thoger Update of /cvs/fedora/fedora-security/audit In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv29644/audit Modified Files: f10 f8 f9 Log Message: ruby bugs Index: f10 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/f10,v retrieving revision 1.7 retrieving revision 1.8 diff -u -r1.7 -r1.8 --- f10 20 Jun 2008 08:50:45 -0000 1.7 +++ f10 20 Jun 2008 19:34:29 -0000 1.8 @@ -4,6 +4,10 @@ # *CVE are items that need verification for Fedora 10 # (mozilla) = (gecko-libs dependent stuff) +CVE-2008-2728 ignore (ruby) 1.6.x variant of CVE-2008-2726 +CVE-2008-2727 ignore (ruby) 1.6.x variant of CVE-2008-2725 +CVE-2008-2726 VULNERABLE (ruby, fixed 1.8.6-p230, 1.8.7-p22) #452295 +CVE-2008-2725 VULNERABLE (ruby, fixed 1.8.6-p230, 1.8.7-p22) #452295 CVE-2008-2724 version (gallery2, fixed 2.2.5) [since gallery2-2.2.5-1.fc10] CVE-2008-2723 version (gallery2, fixed 2.2.5) [since gallery2-2.2.5-1.fc10] CVE-2008-2722 version (gallery2, fixed 2.2.5) [since gallery2-2.2.5-1.fc10] 
@@ -11,6 +15,9 @@ CVE-2008-2720 version (gallery2, fixed 2.2.5) [since gallery2-2.2.5-1.fc10] CVE-2008-2713 version (clamav, fixed 0.93.1) [since clamav-0.93.1-1.fc10] CVE-2008-2696 VULNERABLE (exiv2, fixed 0.17) +CVE-2008-2664 VULNERABLE (ruby, fixed 1.8.6-p230, 1.8.7-p22) #452295 +CVE-2008-2663 VULNERABLE (ruby, fixed 1.8.6-p230, 1.8.7-p22) #452295 +CVE-2008-2662 VULNERABLE (ruby, fixed 1.8.6-p230, 1.8.7-p22) #452295 CVE-2008-2575 version (cbrpager) [since cbrpager-0.9.17-2.fc10] CVE-2008-2426 backport (imlib2) [since imlib2-1.4.0-7.fc10] CVE-2008-2420 version (stunnel, fixed 4.24) [since stunnel-4.24-2] @@ -46,6 +53,7 @@ CVE-2008-1943 VULNERABLE (xen) [since xen-3.2.0-11.fc10] CVE-2008-1928 version (perl-Imager, fixed 0.64) [since perl-Imager-0.64-2.fc10] CVE-2008-1926 backport (util-linux-ng) [since util-linux-ng-2.13.1-8.1.fc9] +CVE-2008-1891 VULNERABLE (ruby, fixed 1.8.6-p230, 1.8.7-p22) #452295 CVE-2008-1836 version (clamav, fixed 0.93) [since clamav-0.93-1.fc9] CVE-2008-1808 version (freetype, fixed 2.3.6) [since freetype-2.3.6-1.fc10] CVE-2008-1807 version (freetype, fixed 2.3.6) [since freetype-2.3.6-1.fc10] Index: f8 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/f8,v retrieving revision 1.225 retrieving revision 1.226 diff -u -r1.225 -r1.226 --- f8 20 Jun 2008 08:50:45 -0000 1.225 +++ f8 20 Jun 2008 19:34:29 -0000 1.226 
@@ -7,6 +7,10 @@ rhbz293031 fixed (nx) #293031 [since FEDORA-2008-2258] rhbz249840 version (tor, fixed 0.1.2.15) CVE-2008-2783 VULNERABLE (kronolith) +CVE-2008-2728 ignore (ruby) 1.6.x variant of CVE-2008-2726 +CVE-2008-2727 ignore (ruby) 1.6.x variant of CVE-2008-2725 +CVE-2008-2726 VULNERABLE (ruby, fixed 1.8.6-p230, 1.8.7-p22) #452293 +CVE-2008-2725 VULNERABLE (ruby, fixed 1.8.6-p230, 1.8.7-p22) #452293 CVE-2008-2724 VULNERABLE (gallery2, fixed 2.2.5) [since gallery2-2.2.5-1.fc8] CVE-2008-2723 VULNERABLE (gallery2, fixed 2.2.5) [since gallery2-2.2.5-1.fc8] CVE-2008-2722 VULNERABLE (gallery2, fixed 2.2.5) [since gallery2-2.2.5-1.fc8] @@ -14,6 +18,9 @@ CVE-2008-2720 VULNERABLE (gallery2, fixed 2.2.5) [since gallery2-2.2.5-1.fc8] CVE-2008-2713 VULNERABLE (clamav, fixed 0.93.1) CVE-2008-2696 VULNERABLE (exiv2, fixed 0.17) +CVE-2008-2664 VULNERABLE (ruby, fixed 1.8.6-p230, 1.8.7-p22) #452293 +CVE-2008-2663 VULNERABLE (ruby, fixed 1.8.6-p230, 1.8.7-p22) #452293 +CVE-2008-2662 VULNERABLE (ruby, fixed 1.8.6-p230, 1.8.7-p22) #452293 CVE-2008-2575 fixed (cbrpager) [since FEDORA-2008-4528] CVE-2008-2426 fixed (imlib2) [since FEDORA-2008-4842] CVE-2008-2420 fixed (stunnel, fixed 4.24) [since FEDORA-2008-4579] 
@@ -67,6 +74,7 @@ CVE-2008-1924 version (phpMyAdmin, fixed 2.11.5.2) [since FEDORA-2008-3461] PMASA-2008-3 CVE-2008-1923 version (asterisk) upstream fix incomplete, resulting in CVE-2008-1897 CVE-2008-1897 fixed (asterisk, fixed 1.4.19.1) [since FEDORA-2008-3390] +CVE-2008-1891 VULNERABLE (ruby, fixed 1.8.6-p230, 1.8.7-p22) #452293 CVE-2008-1878 fixed (xine-lib, fixed 1.1.12.1) #443055 [since FEDORA-2008-3353] nsf demuxer overflow CVE-2008-1845 version (mksh, fixed 33d) [since FEDORA-2008-3174] CVE-2008-1837 ignore (clamav, fixed 0.93) unrar code not shipped Index: f9 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/f9,v retrieving revision 1.215 retrieving revision 1.216 diff -u -r1.215 -r1.216 --- f9 20 Jun 2008 08:50:45 -0000 1.215 +++ f9 20 Jun 2008 19:34:29 -0000 1.216 @@ -5,6 +5,10 @@ # (mozilla) = (gecko-libs dependent stuff) rhbz249840 version (tor, fixed 0.1.2.15) +CVE-2008-2728 ignore (ruby) 1.6.x variant of CVE-2008-2726 +CVE-2008-2727 ignore (ruby) 1.6.x variant of CVE-2008-2725 +CVE-2008-2726 VULNERABLE (ruby, fixed 1.8.6-p230, 1.8.7-p22) #452294 +CVE-2008-2725 VULNERABLE (ruby, fixed 1.8.6-p230, 1.8.7-p22) #452294 CVE-2008-2724 VULNERABLE (gallery2, fixed 2.2.5) [since gallery2-2.2.5-1.fc9] CVE-2008-2723 VULNERABLE (gallery2, fixed 2.2.5) [since gallery2-2.2.5-1.fc9] CVE-2008-2722 VULNERABLE (gallery2, fixed 2.2.5) [since gallery2-2.2.5-1.fc9] 
@@ -12,6 +16,9 @@ CVE-2008-2720 VULNERABLE (gallery2, fixed 2.2.5) [since gallery2-2.2.5-1.fc9] CVE-2008-2713 VULNERABLE (clamav, fixed 0.93.1) [since clamav-0.93.1-1.fc9] CVE-2008-2696 VULNERABLE (exiv2, fixed 0.17) +CVE-2008-2664 VULNERABLE (ruby, fixed 1.8.6-p230, 1.8.7-p22) #452294 +CVE-2008-2663 VULNERABLE (ruby, fixed 1.8.6-p230, 1.8.7-p22) #452294 +CVE-2008-2662 VULNERABLE (ruby, fixed 1.8.6-p230, 1.8.7-p22) #452294 CVE-2008-2575 fixed (cbrpager) [since FEDORA-2008-4501] CVE-2008-2426 fixed (imlib2) [since FEDORA-2008-4871] CVE-2008-2420 fixed (stunnel, fixed 4.24) [since FEDORA-2008-4531] @@ -66,6 +73,7 @@ CVE-2008-1924 version (phpMyAdmin, fixed 2.11.5.2) [since phpMyAdmin-2.11.5.2-1.fc9] PMASA-2008-3 CVE-2008-1923 version (asterisk) upstream fix incomplete, resulting in CVE-2008-1897 CVE-2008-1897 version (asterisk, fixed 1.6.0.beta3) [since asterisk-1.6.0-0.13.beta8.fc9] +CVE-2008-1891 VULNERABLE (ruby, fixed 1.8.6-p230, 1.8.7-p22) #452294 CVE-2008-1878 backport (xine-lib, fixed 1.1.12.1) #443056 nsf demuxer overflow [since xine-lib-1.1.12-2.fc9] CVE-2008-1845 version (mksh, fixed 33d) [since mksh-33d-1.fc9] what is real impact on fedora? CVE-2008-1837 ignore (clamav, fixed 0.93) unrar code not shipped
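Review bot: the changed CVE-2007-6420 line in the f9 and fc7 hunks of the revision 1.381 commit now contradicts itself: `ignore (httpd, fixed 2.2.9) wontfix by upstream` records an upstream fix version and, in the same entry, says upstream will not fix the issue. Drop the stale "wontfix by upstream" remark or replace it with the reason the entry stays `ignore` now that a fixed version exists. The neighbouring httpd entries in both files are tracked against 2.2.8, so a reader auditing these branches cannot tell from this line whether the state was reconsidered when the fix version was added.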
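Review bot: in the first hunk of each file in the "ruby bugs" commit (f10, f8, f9), the two added `ignore (ruby)` entries for CVE-2008-2728 and CVE-2008-2727 give only "1.6.x variant of CVE-2008-2726" and "1.6.x variant of CVE-2008-2725" as the reason, while the CVEs they point to are added as VULNERABLE two lines below. The line does not say why the variant can be ignored; if the reason is that no 1.6.x ruby is shipped, state that in the entry, the way the clamav entry says "unrar code not shipped". Separately, CVE-2008-1891 is added in the last hunk of each file with the same tracking bug (#452295, #452293, #452294) and the same fixed versions as the five CVE-2008-26xx/27xx entries; confirm that bug actually covers it, since nothing else in the hunk ties the older CVE to this batch.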