From fedora-security-commits at redhat.com Fri May 2 16:13:05 2008 From: fedora-security-commits at redhat.com (fedora-security-commits at redhat.com) Date: Fri, 2 May 2008 16:13:05 GMT Subject: [Fedora-security-commits] fedora-security/audit f8, 1.213, 1.214 f9, 1.203, 1.204 fc7, 1.369, 1.370 Message-ID: <200805021613.m42GD5qS027521@cvs-int.fedora.redhat.com> Author: thoger Update of /cvs/fedora/fedora-security/audit In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv27473/audit Modified Files: f8 f9 fc7 Log Message: add tkimg, sipp, zoneminder dupe update on libpng10 Index: f8 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/f8,v retrieving revision 1.213 retrieving revision 1.214 diff -u -r1.213 -r1.214 --- f8 29 Apr 2008 08:26:54 -0000 1.213 +++ f8 2 May 2008 16:12:35 -0000 1.214 @@ -6,8 +6,10 @@ rhbz293031 fixed (nx) #293031 [since FEDORA-2008-2258] rhbz249840 VULNERABLE (tor) +CVE-2008-2033 ignore (zoneminder) duplicate of CVE-2008-1381 CVE-2008-1974 VULNERABLE (kronolith, fixed 3.1.8) #444404 CVE-2008-1964 ignore (xine-lib) bogus vulnerability report +CVE-2008-1959 VULNERABLE (sipp, fixed 3.1) [since sipp-3.1-1.fc8] CVE-2008-1937 ignore (moin, fixed 1.6.3) 1.6.x only CVE-2008-1930 ignore (wordpress, fixed 2.5.1) [since wordpress-2.5.1-1.fc8] only for wp 2.5.0 CVE-2008-1928 VULNERABLE (perl-Imager, fixed 0.64) #443940 @@ -61,7 +63,7 @@ CVE-2008-1390 fixed (asterisk, fixed 1.4.19-rc3) #438133 [since FEDORA-2008-2554] CVE-2008-1387 VULNERABLE (clamav, fixed 0.93) #442363 CVE-2008-1382 VULNERABLE (libpng, fixed 1.2.27) minimal impact, affected api rarely used -CVE-2008-1382 VULNERABLE (libpng10) minimal impact, affected api rarely used +CVE-2008-1382 VULNERABLE (libpng10) [since libpng10-1.0.33-1.fc8] CVE-2008-1381 VULNERABLE (zoneminder, fixed 1.23.3) #444436 CVE-2008-1380 VULNERABLE (firefox, fixed 2.0.0.14) CVE-2008-1380 fixed (seamonkey, fixed 1.1.10) #442851 [since FEDORA-2008-3264] @@ -174,6 +176,7 @@ CVE-2008-0554 version (netpbm, fixed 10.27) CVE-2008-0553 fixed (perl-Tk) #431532 [since FEDORA-2008-1323] CVE-2008-0553 backport (tk, fixed 8.5.1) [since FEDORA-2008-1122] +CVE-2008-0553 VULNERABLE (tkimg) #444951 CVE-2008-0544 fixed (SDL_image) #430694 [since FEDORA-2008-1208] ILBM overflow CVE-2008-0486 fixed (xine-lib, fixed 1.1.10.1) #431543 [since FEDORA-2008-1543] CVE-2008-0460 fixed (mediawiki) #430288 [since FEDORA-2008-2288] Index: f9 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/f9,v retrieving revision 1.203 retrieving revision 1.204 diff -u -r1.203 -r1.204 --- f9 29 Apr 2008 08:26:54 -0000 1.203 +++ f9 2 May 2008 16:12:35 -0000 1.204 @@ -5,8 +5,10 @@ # (mozilla) = (gecko-libs dependent stuff) rhbz249840 VULNERABLE (tor) +CVE-2008-2033 ignore (zoneminder) duplicate of CVE-2008-1381 CVE-2008-1974 VULNERABLE (kronolith, fixed 3.1.8) #444405 CVE-2008-1964 ignore (xine-lib) bogus vulnerability report +CVE-2008-1959 VULNERABLE (sipp, fixed 3.1) [since sipp-3.1-1.fc9] CVE-2008-1937 VULNERABLE (moin, fixed 1.6.3) [since moin-1.6.3-1.fc9] CVE-2008-1930 ignore (wordpress, fixed 2.5.1) only for wp 2.5.0 CVE-2008-1928 VULNERABLE (perl-Imager, fixed 0.64) #443941 @@ -60,7 +62,7 @@ CVE-2008-1390 version (asterisk, fixed 1.6.0-beta6) #438134 [since asterisk-1.6.0-0.6.beta6.fc9] CVE-2008-1387 VULNERABLE (clamav, fixed 0.93) #442364 [since clamav-0.93-1.fc9] CVE-2008-1382 VULNERABLE (libpng, fixed 1.2.27) minimal impact, affected api rarely used -CVE-2008-1382 VULNERABLE (libpng10) minimal impact, affected api rarely used +CVE-2008-1382 VULNERABLE (libpng10) [since libpng10-1.0.33-1.fc9] CVE-2008-1381 VULNERABLE (zoneminder, fixed 1.23.3) #444437 CVE-2008-1380 VULNERABLE (firefox, fixed 2.0.0.14) CVE-2008-1380 VULNERABLE (seamonkey, fixed 1.1.10) #442852 @@ -169,6 +171,7 @@ CVE-2008-0554 version (netpbm, fixed 10.27) CVE-2008-0553 backport (perl-Tk) #431529 [since perl-Tk-804.028-3.fc9] CVE-2008-0553 backport (tk, fixed 8.5.1) [since tk-8.5.0-4.fc9] +CVE-2008-0553 VULNERABLE (tkimg) #444872 CVE-2008-0544 backport (SDL_image) #430696 ILBM overflow [since SDL_image-1.2.6-5.fc9] CVE-2008-0486 version (xine-lib, fixed 1.1.10.1) #431544 [since xine-lib-1.1.10.1-1.fc9] CVE-2008-0460 version (mediawiki) #430289 [since mediawiki-1.10.4-38.fc9] Index: fc7 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc7,v retrieving revision 1.369 retrieving revision 1.370 diff -u -r1.369 -r1.370 --- fc7 29 Apr 2008 08:26:54 -0000 1.369 +++ fc7 2 May 2008 16:12:35 -0000 1.370 @@ -7,8 +7,10 @@ rhbz293031 fixed (nx) #293031 [since FEDORA-2008-2258] rhbz249840 version (tor, fixed 0.1.2.15) #249840 [since FEDORA-2007-1674] +CVE-2008-2033 ignore (zoneminder) duplicate of CVE-2008-1381 CVE-2008-1974 VULNERABLE (kronolith, fixed 3.1.8) #444403 CVE-2008-1964 ignore (xine-lib) bogus vulnerability report +CVE-2008-1959 VULNERABLE (sipp, fixed 3.1) [since sipp-3.1-1.fc7] CVE-2008-1937 ignore (moin, fixed 1.6.3) 1.6.x only CVE-2008-1930 ignore (wordpress, fixed 2.5.1) [since wordpress-2.5.1-1.fc7] only for wp 2.5.0 CVE-2008-1928 VULNERABLE (perl-Imager, fixed 0.64) #443939 @@ -62,7 +64,7 @@ CVE-2008-1390 fixed (asterisk, fixed 1.4.19-rc3) #438132 [since FEDORA-2008-2620] CVE-2008-1387 VULNERABLE (clamav, fixed 0.93) #442362 CVE-2008-1382 ignore (libpng, fixed 1.2.27) minimal impact, affected api rarely used -CVE-2008-1382 ignore (libpng10) minimal impact, affected api rarely used +CVE-2008-1382 ignore (libpng10) [since libpng10-1.0.33-1.fc7] CVE-2008-1381 VULNERABLE (zoneminder, fixed 1.23.3) #444435 CVE-2008-1380 VULNERABLE (firefox, fixed 2.0.0.14) CVE-2008-1380 fixed (seamonkey, fixed 1.1.10) #442850 [since FEDORA-2008-3231] @@ -174,6 +176,7 @@ CVE-2008-0554 version (netpbm, fixed 10.27) CVE-2008-0553 fixed (perl-Tk) #431531 [since FEDORA-2008-1384] CVE-2008-0553 backport (tk, fixed 8.5.1) [since FEDORA-2008-1131] +CVE-2008-0553 VULNERABLE (tkimg) #444950 CVE-2008-0544 fixed (SDL_image) #430695 [since FEDORA-2008-1208] ILBM overflow CVE-2008-0486 fixed (xine-lib, fixed 1.1.10.1) #431542 [since FEDORA-2008-1581] CVE-2008-0460 fixed (mediawiki) #430287 [since FEDORA-2008-2245] From fedora-security-commits at redhat.com Mon May 5 08:38:07 2008 From: fedora-security-commits at redhat.com (fedora-security-commits at redhat.com) Date: Mon, 5 May 2008 08:38:07 GMT Subject: [Fedora-security-commits] fedora-security/audit f8, 1.214, 1.215 f9, 1.204, 1.205 fc7, 1.370, 1.371 Message-ID: <200805050838.m458c7ng009770@cvs-int.fedora.redhat.com> Author: thoger Update of /cvs/fedora/fedora-security/audit In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv9744/audit Modified Files: f8 f9 fc7 Log Message: note wordpress CVE id check updates Index: f8 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/f8,v retrieving revision 1.214 retrieving revision 1.215 diff -u -r1.214 -r1.215 --- f8 2 May 2008 16:12:35 -0000 1.214 +++ f8 5 May 2008 08:37:37 -0000 1.215 @@ -6,24 +6,25 @@ rhbz293031 fixed (nx) #293031 [since FEDORA-2008-2258] rhbz249840 VULNERABLE (tor) +CVE-2008-2068 version (wordpress, fixed 2.5.1) [since FEDORA-2008-3397] CVE-2008-2033 ignore (zoneminder) duplicate of CVE-2008-1381 CVE-2008-1974 VULNERABLE (kronolith, fixed 3.1.8) #444404 CVE-2008-1964 ignore (xine-lib) bogus vulnerability report CVE-2008-1959 VULNERABLE (sipp, fixed 3.1) [since sipp-3.1-1.fc8] CVE-2008-1937 ignore (moin, fixed 1.6.3) 1.6.x only CVE-2008-1930 ignore (wordpress, fixed 2.5.1) [since wordpress-2.5.1-1.fc8] only for wp 2.5.0 -CVE-2008-1928 VULNERABLE (perl-Imager, fixed 0.64) #443940 -CVE-2008-1927 VULNERABLE (perl) [since perl-5.8.8-39.fc8] -CVE-2008-1926 VULNERABLE (util-linux-ng) [since util-linux-ng-2.13.1-2.fc8] +CVE-2008-1928 fixed (perl-Imager, fixed 0.64) #443940 [since FEDORA-2008-3352] +CVE-2008-1927 fixed (perl) [since FEDORA-2008-3392] +CVE-2008-1926 fixed (util-linux-ng) [since FEDORA-2008-3419] CVE-2008-1924 VULNERABLE (phpMyAdmin, fixed 2.11.5.2) [since phpMyAdmin-2.11.5.2-1.fc8] PMASA-2008-3 CVE-2008-1923 version (asterisk) upstream fix incomplete, resulting in CVE-2008-1897 -CVE-2008-1897 VULNERABLE (asterisk, fixed 1.4.19.1) [since asterisk-1.4.19.1-1.fc8] -CVE-2008-1878 VULNERABLE (xine-lib, fixed 1.1.12.1) #443055 nsf demuxer overflow +CVE-2008-1897 fixed (asterisk, fixed 1.4.19.1) [since FEDORA-2008-3390] +CVE-2008-1878 fixed (xine-lib, fixed 1.1.12.1) #443055 [since FEDORA-2008-3353] nsf demuxer overflow CVE-2008-1845 version (mksh, fixed 33d) [since FEDORA-2008-3174] CVE-2008-1837 ignore (clamav, fixed 0.93) unrar code not shipped CVE-2008-1836 ignore (clamav, fixed 0.93) affected code introduced after 0.92.1 CVE-2008-1835 ignore (clamav, fixed 0.93) unrar code not shipped -CVE-2008-1833 VULNERABLE (clamav, fixed 0.93-rc1) #442363 +CVE-2008-1833 fixed (clamav, fixed 0.93-rc1) #442363 [since FEDORA-2008-3420] CVE-2008-1796 fixed (comix) [since FEDORA-2008-2981] CVE-2008-1729 ignore (drupal) 6.x only CVE-2008-1720 fixed (rsync, fixed 3.0.2) #441690 [since FEDORA-2008-3047] @@ -37,14 +38,14 @@ CVE-2008-1686 fixed (speex) #442572 [since FEDORA-2008-3103] CVE-2008-1671 ignore (kdelibs) start_kdeinit not setuid CVE-2008-1670 ignore (kdelibs) kdelibs 4.x only -CVE-2008-1670 VULNERABLE (kdelibs4) #444399 kdelibs 4.x only +CVE-2008-1670 fixed (kdelibs4) #444399 [since FEDORA-2008-3412] kdelibs 4.x only CVE-2008-1658 fixed (PolicyKit) #439995 [since FEDORA-2008-2987] CVE-2008-1657 VULNERABLE (openssh, fixed 4.9) #440375 CVE-2008-1652 version (Perlbal, fixed 1.70) [since FEDORA-2008-2778] CVE-2008-1637 fixed (pdns-recursor, fixed 3.1.5) #440249 [since FEDORA-2008-3036] CVE-2008-1628 fixed (audit) [since FEDORA-2008-3012] CVE-2008-1614 version (mod_suphp, fixed 0.6.3) [since FEDORA-2008-2868] -CVE-2008-1612 VULNERABLE (squid, fixed 2.6.STABLE19) [since FEDORA-2008-2740] +CVE-2008-1612 fixed (squid, fixed 2.6.STABLE19) [since FEDORA-2008-2740] CVE-2008-1568 fixed (comix) improper shell escaping, bz#430635 [since FEDORA-2008-2981] CVE-2008-1567 fixed (phpMyAdmin, fixed 2.11.5.1) [since FEDORA-2008-2825] CVE-2008-1563 fixed (wireshark, fixed 1.0) #435487 [since FEDORA-2008-3040] @@ -52,7 +53,7 @@ CVE-2008-1561 fixed (wireshark, fixed 1.0) #435487 [since FEDORA-2008-3040] CVE-2008-1552 fixed (libsilc, fixed 1.1.7) #438382 [since FEDORA-2008-2641] CVE-2008-1532 version (Perlbal, fixed 1.70) #439056 [since FEDORA-2008-2778] -CVE-2008-1531 VULNERABLE (lighttpd) #439068 +CVE-2008-1531 fixed (lighttpd) #439068 [since FEDORA-2008-3376] CVE-2008-1488 VULNERABLE (php-pecl-apc) #438847 CVE-2008-1483 ignore (openssh) was alrady fixed by another patch CVE-2008-1482 fixed (xine-lib) #438670 [since FEDORA-2008-2849] @@ -61,9 +62,9 @@ CVE-2008-1467 fixed (centerim) #438871 [since FEDORA-2008-2869] CVE-2008-1394 ignore (plone) CVE-2008-1390 fixed (asterisk, fixed 1.4.19-rc3) #438133 [since FEDORA-2008-2554] -CVE-2008-1387 VULNERABLE (clamav, fixed 0.93) #442363 +CVE-2008-1387 fixed (clamav, fixed 0.93) #442363 [since FEDORA-2008-3420] CVE-2008-1382 VULNERABLE (libpng, fixed 1.2.27) minimal impact, affected api rarely used -CVE-2008-1382 VULNERABLE (libpng10) [since libpng10-1.0.33-1.fc8] +CVE-2008-1382 VULNERABLE (libpng10) [since libpng10-1.0.33-1.fc8] CVE-2008-1381 VULNERABLE (zoneminder, fixed 1.23.3) #444436 CVE-2008-1380 VULNERABLE (firefox, fixed 2.0.0.14) CVE-2008-1380 fixed (seamonkey, fixed 1.1.10) #442851 [since FEDORA-2008-3264] @@ -119,9 +120,9 @@ CVE-2008-1111 fixed (lighttpd) #435807 [since FEDORA-2008-2262] CVE-2008-1110 version (xine-lib, fixed 1.1.10) [since FEDORA-2008-1043] CVE-2008-1102 VULNERABLE (blender) #443936 -CVE-2008-1100 VULNERABLE (clamav, fixed 0.93) #442363 -CVE-2008-1099 VULNERABLE (moin) #438673 -CVE-2008-1098 VULNERABLE (moin) #438673 +CVE-2008-1100 fixed (clamav, fixed 0.93) #442363 [since FEDORA-2008-3420] +CVE-2008-1099 fixed (moin) #438673 [since FEDORA-2008-3301] +CVE-2008-1098 fixed (moin) #438673 [since FEDORA-2008-3301] CVE-2008-1078 ignore (am-utils) does not seem used by any other Fedora package CVE-2008-1072 fixed (wireshark, fixed 0.99.8) #435487 [since FEDORA-2008-3040] CVE-2008-1071 fixed (wireshark, fixed 0.99.8) #435487 [since FEDORA-2008-3040] @@ -211,7 +212,7 @@ CVE-2008-0364 ignore (bittorrent) Windows only CVE-2008-0320 fixed (openoffice.org, fixed 2.4) #442846 [since FEDORA-2008-3251] CVE-2008-0318 fixed (clamav, fixed 0.92.1) [since FEDORA-2008-1625] -CVE-2008-0314 VULNERABLE (clamav, fixed 0.93) #442363 +CVE-2008-0314 fixed (clamav, fixed 0.93) #442363 [since FEDORA-2008-3420] CVE-2008-0304 version (seamonkey, fixed 1.1.8) [since FEDORA-2008-1459] CVE-2008-0304 fixed (thunderbird, fixed 2.0.0.12) #432048 [since FEDORA-2008-2060] CVE-2008-0299 fixed (python-paramiko) #428728 [since FEDORA-2008-0722] @@ -245,7 +246,7 @@ CVE-2008-0005 fixed (httpd, fixed 2.2.8) #427982 [since FEDORA-2008-1711] CVE-2008-0003 fixed (tog-pegasus, fixed 2.7.0) #427829 [since FEDORA-2008-0572] CVE-2008-0002 fixed (tomcat5) #432474 [since FEDORA-2008-1467] -CVE-2007-6714 VULNERABLE (dbmail, fixed 2.2.9) #443021 +CVE-2007-6714 fixed (dbmail, fixed 2.2.9) #443021 [since FEDORA-2008-3333] CVE-2007-6703 fixed (vdccm, fixed 0.10.1) #436026 [since FEDORA-2008-0680] CVE-2007-6698 version (openldap, fixed 2.3.36) CVE-2007-6697 fixed (SDL_image, fixed 1.2.7) #430241 [since FEDORA-2008-1208] @@ -330,7 +331,7 @@ CVE-2007-6110 backport (htdig) [since FEDORA-2007-3958] CVE-2007-6100 version (phpMyAdmin, fixed 2.11.2.2) [since FEDORA-2007-3639] CVE-2007-6067 fixed (postgresql, fixed 8.2.6) #427773 [since FEDORA-2008-0478] -CVE-2007-6061 VULNERABLE (audacity) #393251 +CVE-2007-6061 VULNERABLE (audacity) #393251 CVE-2007-6029 ignore (clamav) insufficient information about the issue CVE-2007-6018 fixed (horde) #428628 [since FEDORA-2008-2040] CVE-2007-6018 fixed (imp) #428632 [since FEDORA-2008-2040] Index: f9 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/f9,v retrieving revision 1.204 retrieving revision 1.205 diff -u -r1.204 -r1.205 --- f9 2 May 2008 16:12:35 -0000 1.204 +++ f9 5 May 2008 08:37:37 -0000 1.205 @@ -5,6 +5,7 @@ # (mozilla) = (gecko-libs dependent stuff) rhbz249840 VULNERABLE (tor) +CVE-2008-2068 version (wordpress, fixed 2.5.1) [since wordpress-2.5.1-1.fc9] CVE-2008-2033 ignore (zoneminder) duplicate of CVE-2008-1381 CVE-2008-1974 VULNERABLE (kronolith, fixed 3.1.8) #444405 CVE-2008-1964 ignore (xine-lib) bogus vulnerability report Index: fc7 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc7,v retrieving revision 1.370 retrieving revision 1.371 diff -u -r1.370 -r1.371 --- fc7 2 May 2008 16:12:35 -0000 1.370 +++ fc7 5 May 2008 08:37:37 -0000 1.371 @@ -7,6 +7,7 @@ rhbz293031 fixed (nx) #293031 [since FEDORA-2008-2258] rhbz249840 version (tor, fixed 0.1.2.15) #249840 [since FEDORA-2007-1674] +CVE-2008-2068 version (wordpress, fixed 2.5.1) [since FEDORA-2008-3319] CVE-2008-2033 ignore (zoneminder) duplicate of CVE-2008-1381 CVE-2008-1974 VULNERABLE (kronolith, fixed 3.1.8) #444403 CVE-2008-1964 ignore (xine-lib) bogus vulnerability report @@ -14,31 +15,31 @@ CVE-2008-1937 ignore (moin, fixed 1.6.3) 1.6.x only CVE-2008-1930 ignore (wordpress, fixed 2.5.1) [since wordpress-2.5.1-1.fc7] only for wp 2.5.0 CVE-2008-1928 VULNERABLE (perl-Imager, fixed 0.64) #443939 -CVE-2008-1927 VULNERABLE (perl) [since perl-5.8.8-29.fc7] +CVE-2008-1927 fixed (perl) [since FEDORA-2008-3399] CVE-2008-1926 VULNERABLE (util-linux) CVE-2008-1924 VULNERABLE (phpMyAdmin, fixed 2.11.5.2) [since phpMyAdmin-2.11.5.2-1.fc7] PMASA-2008-3 CVE-2008-1923 version (asterisk) upstream fix incomplete, resulting in CVE-2008-1897 -CVE-2008-1897 VULNERABLE (asterisk, fixed 1.4.19.1) [since asterisk-1.4.19.1-1.fc7] -CVE-2008-1878 VULNERABLE (xine-lib, fixed 1.1.12.1) #443054 nsf demuxer overflow +CVE-2008-1897 fixed (asterisk, fixed 1.4.19.1) [since FEDORA-2008-3365] +CVE-2008-1878 fixed (xine-lib, fixed 1.1.12.1) #443054 [since FEDORA-2008-3326] nsf demuxer overflow CVE-2008-1845 version (mksh, fixed 33d) [since FEDORA-2008-3070] CVE-2008-1837 ignore (clamav, fixed 0.93) unrar code not shipped CVE-2008-1836 ignore (clamav, fixed 0.93) affected code introduced after 0.92.1 CVE-2008-1835 ignore (clamav, fixed 0.93) unrar code not shipped -CVE-2008-1833 VULNERABLE (clamav, fixed 0.93-rc1) #442362 +CVE-2008-1833 fixed (clamav, fixed 0.93-rc1) #442362 [since FEDORA-2008-3358] CVE-2008-1796 fixed (comix) [since FEDORA-2008-2993] CVE-2008-1729 ignore (drupal) 6.x only CVE-2008-1720 fixed (rsync, fixed 3.0.2) #441689 [since FEDORA-2008-3060] CVE-2008-1693 version (xpdf, fixed 3.02) CVE-2008-1693 ignore (kdegraphics) not affected CVE-2008-1693 ignore (koffice) not affected -CVE-2008-1693 VULNERABLE (poppler, fixed 0.6.2) #443026 +CVE-2008-1693 fixed (poppler, fixed 0.6.2) #443026 [since FEDORA-2008-3312] CVE-2008-1688 ignore (m4, fixed 1.4.11) not really a security issue CVE-2008-1687 ignore (m4, fixed 1.4.11) not really a security issue CVE-2008-1686 VULNERABLE (libfishsound, fixed 0.9.1) #441246 [since FEDORA-2008-3117] CVE-2008-1686 fixed (speex) #442571 [since FEDORA-2008-3191] CVE-2008-1671 ignore (kdelibs) start_kdeinit not setuid CVE-2008-1670 ignore (kdelibs) kdelibs 4.x only -CVE-2008-1670 VULNERABLE (kdelibs4) #444398 kdelibs 4.x only +CVE-2008-1670 fixed (kdelibs4) #444398 [since FEDORA-2008-3379] kdelibs 4.x only CVE-2008-1657 VULNERABLE (openssh, fixed 4.9) #280461 CVE-2008-1652 version (Perlbal, fixed 1.70) [since FEDORA-2008-2788] CVE-2008-1637 fixed (pdns-recursor, fixed 3.1.5) #440248 [since FEDORA-2008-3010] @@ -52,7 +53,7 @@ CVE-2008-1561 fixed (wireshark, fixed 1.0) #435485 [since FEDORA-2008-2941] CVE-2008-1552 fixed (libsilc, fixed 1.1.7) #438382 [since FEDORA-2008-2641] CVE-2008-1532 version (Perlbal, fixed 1.70) #439055 [since FEDORA-2008-2788] -CVE-2008-1531 VULNERABLE (lighttpd) #439067 +CVE-2008-1531 fixed (lighttpd) #439067 [since FEDORA-2008-3343] CVE-2008-1515 VULNERABLE (otrs) #439723 CVE-2008-1488 VULNERABLE (php-pecl-apc) #438846 CVE-2008-1483 ignore (openssh) was alrady fixed by another patch @@ -62,7 +63,7 @@ CVE-2008-1467 fixed (centerim) #438871 [since FEDORA-2008-2869] CVE-2008-1394 ignore (plone) CVE-2008-1390 fixed (asterisk, fixed 1.4.19-rc3) #438132 [since FEDORA-2008-2620] -CVE-2008-1387 VULNERABLE (clamav, fixed 0.93) #442362 +CVE-2008-1387 fixed (clamav, fixed 0.93) #442362 [since FEDORA-2008-3358] CVE-2008-1382 ignore (libpng, fixed 1.2.27) minimal impact, affected api rarely used CVE-2008-1382 ignore (libpng10) [since libpng10-1.0.33-1.fc7] CVE-2008-1381 VULNERABLE (zoneminder, fixed 1.23.3) #444435 @@ -120,9 +121,9 @@ CVE-2008-1111 fixed (lighttpd) #435808 [since FEDORA-2008-2278] CVE-2008-1110 version (xine-lib, fixed 1.1.10) [since FEDORA-2008-1047] CVE-2008-1102 VULNERABLE (blender) #443935 -CVE-2008-1100 VULNERABLE (clamav, fixed 0.93) #442362 -CVE-2008-1099 VULNERABLE (moin) #438672 -CVE-2008-1098 VULNERABLE (moin) #438672 +CVE-2008-1100 fixed (clamav, fixed 0.93) #442362 [since FEDORA-2008-3358] +CVE-2008-1099 fixed (moin) #438672 [since FEDORA-2008-3328] +CVE-2008-1098 fixed (moin) #438672 [since FEDORA-2008-3328] CVE-2008-1078 ignore (am-utils) does not seem used by any other Fedora package CVE-2008-1072 fixed (wireshark, fixed 0.99.8) #435485 [since FEDORA-2008-2941] CVE-2008-1071 fixed (wireshark, fixed 0.99.8) #435485 [since FEDORA-2008-2941] @@ -130,10 +131,10 @@ CVE-2008-1066 version (php-Smarty, fixed 2.6.19) #435812 [since FEDORA-2008-1928] CVE-2008-1066 fixed (gallery2) #438059 [since FEDORA-2008-2650] CVE-2008-1066 fixed (php-pear-PhpDocumentor) #438063 [since FEDORA-2008-2656] -CVE-2008-1026 VULNERABLE (WebKit, fixed r31388) [since WebKit-1.0.0-0.8.svn31787.fc7] -CVE-2008-1025 VULNERABLE (WebKit, fixed r31438) [since WebKit-1.0.0-0.8.svn31787.fc7] -CVE-2008-1011 VULNERABLE (WebKit) [since WebKit-1.0.0-0.8.svn31787.fc7] -CVE-2008-1010 VULNERABLE (WebKit) [since WebKit-1.0.0-0.8.svn31787.fc7] +CVE-2008-1026 fixed (WebKit, fixed r31388) [since FEDORA-2008-3415] +CVE-2008-1025 fixed (WebKit, fixed r31438) [since FEDORA-2008-3415] +CVE-2008-1011 fixed (WebKit) [since FEDORA-2008-3415] +CVE-2008-1010 fixed (WebKit) [since FEDORA-2008-3415] CVE-2008-0983 fixed (lighttpd) #435808 [since FEDORA-2008-2278] CVE-2008-0947 fixed (krb5, fixed 1.6.4) #438022 [since FEDORA-2008-2637] CVE-2008-0932 fixed (sword) #433725 [since FEDORA-2008-1951] why? diatheke.pl is not shipped... @@ -211,7 +212,7 @@ CVE-2008-0364 ignore (bittorrent) Windows only CVE-2008-0320 VULNERABLE (openoffice.org, fixed 2.4) #442845 CVE-2008-0318 fixed (clamav, fixed 0.92.1) [since FEDORA-2008-1608] -CVE-2008-0314 VULNERABLE (clamav, fixed 0.93) #442362 +CVE-2008-0314 fixed (clamav, fixed 0.93) #442362 [since FEDORA-2008-3358] CVE-2008-0304 version (seamonkey, fixed 1.1.8) [since FEDORA-2008-1669] CVE-2008-0304 fixed (thunderbird, fixed 2.0.0.12) #432047 [since FEDORA-2008-2118] CVE-2008-0299 fixed (python-paramiko) #428729 [since FEDORA-2008-0644] @@ -245,7 +246,7 @@ CVE-2008-0005 fixed (httpd, fixed 2.2.8) #427983 [since FEDORA-2008-1695] CVE-2008-0003 fixed (tog-pegasus, fixed 2.7.0) #427828 [since FEDORA-2008-0506] CVE-2008-0002 fixed (tomcat5) #432475 [since FEDORA-2008-1603] -CVE-2007-6714 VULNERABLE (dbmail, fixed 2.2.9) #443020 +CVE-2007-6714 fixed (dbmail, fixed 2.2.9) #443020 [since FEDORA-2008-3371] CVE-2007-6703 VULNERABLE (vdccm, fixed 0.10.1) #436025 CVE-2007-6698 fixed (openldap, fixed 2.3.36) #431409 [since FEDORA-2008-1307] CVE-2007-6697 fixed (SDL_image, fixed 1.2.7) #430239 [since FEDORA-2008-1231] @@ -329,7 +330,7 @@ CVE-2007-6110 backport (htdig) [since FEDORA-2007-3907] CVE-2007-6100 version (phpMyAdmin, fixed 2.11.2.2) [since FEDORA-2007-3666] CVE-2007-6067 fixed (postgresql, fixed 8.2.6) #427772 [since FEDORA-2008-0552] -CVE-2007-6061 VULNERABLE (audacity) #393251 +CVE-2007-6061 VULNERABLE (audacity) #393251 CVE-2007-6035 version (cacti, fixed 0.8.7a) #391981 [since FEDORA-2007-3683] CVE-2007-6029 ignore (clamav) insufficient information about the issue CVE-2007-6018 fixed (horde) #428629 [since FEDORA-2008-2087] @@ -497,7 +498,7 @@ CVE-2007-4568 version (xorg-x11-xfs, fixed 1.0.5) #373261 [since FEDORA-2007-4263] CVE-2007-4565 backport (fetchmail) #260861 [since FEDORA-2007-1983] CVE-2007-4560 version (clamav) #260583 [since FEDORA-2007-2050] -CVE-2007-4559 VULNERABLE (python, not fixed upstream) #315291 Upstream WONTFIX. See where we use the code. +CVE-2007-4559 VULNERABLE (python, not fixed upstream) #315281 Upstream WONTFIX. See where we use the code. CVE-2007-4558 ignore (star, fixed 1.5a84) duplicate of CVE-2007-4134 CVE-2007-4543 version (bugzilla, fixed 3.0.1) #256021 [since FEDORA-2007-1853] CVE-2007-4542 version (mapserver, fixed 4.10.3) #256561 [since FEDORA-2007-2018] From fedora-security-commits at redhat.com Tue May 6 16:55:24 2008 From: fedora-security-commits at redhat.com (fedora-security-commits at redhat.com) Date: Tue, 6 May 2008 16:55:24 GMT Subject: [Fedora-security-commits] fedora-security/audit f8, 1.215, 1.216 f9, 1.205, 1.206 fc7, 1.371, 1.372 Message-ID: <200805061655.m46GtO81014816@cvs-int.fedora.redhat.com> Author: thoger Update of /cvs/fedora/fedora-security/audit In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv14762/audit Modified Files: f8 f9 fc7 Log Message: note WebKit, licq major pre-F9 cleanup Index: f8 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/f8,v retrieving revision 1.215 retrieving revision 1.216 diff -u -r1.215 -r1.216 --- f8 5 May 2008 08:37:37 -0000 1.215 +++ f8 6 May 2008 16:54:54 -0000 1.216 @@ -8,6 +8,9 @@ rhbz249840 VULNERABLE (tor) CVE-2008-2068 version (wordpress, fixed 2.5.1) [since FEDORA-2008-3397] CVE-2008-2033 ignore (zoneminder) duplicate of CVE-2008-1381 +CVE-2008-2000 ignore (WebKit) browser DoS +CVE-2008-1999 VULNERABLE (WebKit) +CVE-2008-1996 VULNERABLE (licq, fixed 1.3.6) #445238 CVE-2008-1974 VULNERABLE (kronolith, fixed 3.1.8) #444404 CVE-2008-1964 ignore (xine-lib) bogus vulnerability report CVE-2008-1959 VULNERABLE (sipp, fixed 3.1) [since sipp-3.1-1.fc8] @@ -58,7 +61,7 @@ CVE-2008-1483 ignore (openssh) was alrady fixed by another patch CVE-2008-1482 fixed (xine-lib) #438670 [since FEDORA-2008-2849] CVE-2008-1474 fixed (roundup) #436547 [since FEDORA-2008-2370] -CVE-2008-1468 fixed (namazu) #438667 [since FEDORA-2008-2767] +CVE-2008-1468 fixed (namazu, fixed 2.0.18) #438667 [since FEDORA-2008-2767] CVE-2008-1467 fixed (centerim) #438871 [since FEDORA-2008-2869] CVE-2008-1394 ignore (plone) CVE-2008-1390 fixed (asterisk, fixed 1.4.19-rc3) #438133 [since FEDORA-2008-2554] @@ -259,7 +262,7 @@ CVE-2007-6687 version (gallery2, fixed 2.2.4) [since FEDORA-2007-4778] CVE-2007-6686 version (gallery2, fixed 2.2.4) [since FEDORA-2007-4778] CVE-2007-6685 version (gallery2, fixed 2.2.4) [since FEDORA-2007-4778] -CVE-2007-6672 VULNERABLE (jetty) #428017 +CVE-2007-6672 ingore (jetty) #428017 jetty 6.x only CVE-2007-6613 fixed (libcdio) #427199 [since FEDORA-2008-0136] CVE-2007-6612 ignore (rubygem-mongrel, only affects 1.0.4) affected version was not shipped CVE-2007-6611 fixed (mantis) #427278 [since FEDORA-2008-0282] @@ -298,7 +301,7 @@ CVE-2007-6350 fixed (scponly) #429731 [since FEDORA-2008-1728] rsync vector only CVE-2007-6348 ignore (squirrelmail) trojaned version was not shipped CVE-2007-6328 ignore (dosbox) design decision -CVE-2007-6321 VULNERABLE (roundcubemail) #423291 [since FEDORA-2008-2962] +CVE-2007-6321 VULNERABLE (roundcubemail) #423291 CVE-2007-6318 VULNERABLE (wordpress) CVE-2007-6313 ignore (mysql) 5.1+ only CVE-2007-6304 ignore (mysql, fixed 5.0.52) federated engine not built @@ -312,8 +315,8 @@ CVE-2007-6210 backport (zabbix) #407181 [since FEDORA-2007-4176] CVE-2007-6209 ignore (zsh) #409871 We don't ship the script CVE-2007-6208 ignore (claws) We don't ship the script -CVE-2007-6207 VULNERABLE (kernel) Xen cross-domain memory read -CVE-2007-6206 VULNERABLE (kernel) Core dump owner issue +CVE-2007-6207 ignore (kernel-xen) Xen cross-domain memory read, ia64 only +CVE-2007-6206 version (kernel, fixed 2.6.22.17) Core dump owner issue CVE-2007-6203 ignore (httpd) #409831 User can't unput garbage before method name CVE-2007-6201 version (wesnoth, fixed 1.2.8) [since FEDORA-2007-3989] CVE-2007-6183 backport (ruby-gnome2) #405601 [since FEDORA-2007-4216] @@ -486,11 +489,11 @@ CVE-2007-0235 version (libgtop2, fixed 2.14.6) #222637 not sure, will triage CVE-2007-0095 backport (phpMyAdmin) #221694 "Reveals path" [since FEDORA-2007-4334] CVE-2006-7232 version (mysql, fixed 5.0.32) -CVE-2006-6698 VULNERABLE (GConf2) #219280 +CVE-2006-6698 ignore (GConf2) #219280 minimal impact CVE-2006-6128 version (kernel, fixed 2.6.19-1.2911.fc6) #250625 ReiserFS MOKB CVE-2006-6107 version (dbus, fixed 1.0.2) #219665 CVE-2006-6077 version (firefox, fixed 1.5.0.10) -CVE-2006-6058 VULNERABLE (kernel) #250623 Minix MOKB. In stable tree, should be fixed in 2.6.24 +CVE-2006-6058 version (kernel, fixed 2.6.23.7) #250623 Minix MOKB. In stable tree, should be fixed in 2.6.24 CVE-2006-6057 version (kernel, fixed 2_6_20-1_2924_fc6) GFS2 MOKB. CVE-2006-5868 version (ImageMagick, fixed 6.2.9.1) #217560 CVE-2006-5864 version (evince, fixed 0.6.3) #217672 @@ -514,6 +517,6 @@ CVE-2005-4791 version (liferea, fixed 1.4.8) #393301 [since FEDORA-2007-3701] CVE-2005-4790 backport (blam, fixed 1.8.4) #395761 [since FEDORA-2007-3798] CVE-2005-4790 backport (tomboy) #362951 [since FEDORA-2007-3253] -CVE-2005-3675 VULNERABLE (kernel) optack, no upstream fix -- TCP protocol weakness +CVE-2005-3675 ignore (kernel) optack, no upstream fix -- TCP protocol weakness CVE-2003-1265 ignore (thunderbird) Stuff deleted from userspace is not guarranteed to go away physically moz#198442 CVE-2003-1265 ignore (seamonkey) Stuff deleted from userspace is not guarranteed to go away physically moz#198442 Index: f9 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/f9,v retrieving revision 1.205 retrieving revision 1.206 diff -u -r1.205 -r1.206 --- f9 5 May 2008 08:37:37 -0000 1.205 +++ f9 6 May 2008 16:54:54 -0000 1.206 @@ -7,17 +7,20 @@ rhbz249840 VULNERABLE (tor) CVE-2008-2068 version (wordpress, fixed 2.5.1) [since wordpress-2.5.1-1.fc9] CVE-2008-2033 ignore (zoneminder) duplicate of CVE-2008-1381 +CVE-2008-2000 ignore (WebKit) browser DoS +CVE-2008-1999 VULNERABLE (WebKit) +CVE-2008-1996 VULNERABLE (licq, fixed 1.3.6) #445239 CVE-2008-1974 VULNERABLE (kronolith, fixed 3.1.8) #444405 CVE-2008-1964 ignore (xine-lib) bogus vulnerability report CVE-2008-1959 VULNERABLE (sipp, fixed 3.1) [since sipp-3.1-1.fc9] -CVE-2008-1937 VULNERABLE (moin, fixed 1.6.3) [since moin-1.6.3-1.fc9] +CVE-2008-1937 version (moin, fixed 1.6.3) [since moin-1.6.3-1.fc9] CVE-2008-1930 ignore (wordpress, fixed 2.5.1) only for wp 2.5.0 CVE-2008-1928 VULNERABLE (perl-Imager, fixed 0.64) #443941 CVE-2008-1926 VULNERABLE (util-linux-ng) [since util-linux-ng-2.13.1-8.1.fc9] CVE-2008-1924 version (phpMyAdmin, fixed 2.11.5.2) [since phpMyAdmin-2.11.5.2-1.fc9] PMASA-2008-3 CVE-2008-1923 version (asterisk) upstream fix incomplete, resulting in CVE-2008-1897 CVE-2008-1897 version (asterisk, fixed 1.6.0.beta3) [since asterisk-1.6.0-0.13.beta8.fc9] -CVE-2008-1878 VULNERABLE (xine-lib, fixed 1.1.12.1) #443056 nsf demuxer overflow [since xine-lib-1.1.12-2.fc9] +CVE-2008-1878 backport (xine-lib, fixed 1.1.12.1) #443056 nsf demuxer overflow [since xine-lib-1.1.12-2.fc9] CVE-2008-1845 version (mksh, fixed 33d) [since mksh-33d-1.fc9] what is real impact on fedora? CVE-2008-1837 ignore (clamav, fixed 0.93) unrar code not shipped CVE-2008-1836 VULNERABLE (clamav, fixed 0.93) #442364 [since clamav-0.93-1.fc9] @@ -37,7 +40,7 @@ CVE-2008-1686 version (libfishsound, fixed 0.9.1) #441248 [since libfishsound-0.9.1-1.fc9] CVE-2008-1686 backport (speex) [since speex-1.2-0.7.beta3] CVE-2008-1671 ignore (kdelibs) start_kdeinit not shipped -CVE-2008-1670 VULNERABLE (kdelibs) [since kdelibs-4.0.3-7.fc9] +CVE-2008-1670 backport (kdelibs) [since kdelibs-4.0.3-7.fc9] CVE-2008-1658 backport (PolicyKit) #439996 [since PolicyKit-0.7-7.fc9] CVE-2008-1657 version (openssh, fixed 4.9) #440376 [since openssh-5.0p1-1.fc9] CVE-2008-1652 version (Perlbal, fixed 1.70) [since Perlbal-1.70-1.fc9] @@ -57,7 +60,7 @@ CVE-2008-1483 ignore (openssh) was alrady fixed by another patch CVE-2008-1482 version (xine-lib) #438671 [since xine-lib-1.1.11.1-1.fc9] CVE-2008-1474 version (roundup) #436549 [since roundup-1.4.4-1.fc9] -CVE-2008-1468 VULNERABLE (namazu) #438668 +CVE-2008-1468 version (namazu, fixed 2.0.18) #438668 [since namazu-2.0.18-1.fc9] CVE-2008-1467 fixed (centerim) #438871 CVE-2008-1394 ignore (plone) CVE-2008-1390 version (asterisk, fixed 1.6.0-beta6) #438134 [since asterisk-1.6.0-0.6.beta6.fc9] @@ -65,11 +68,11 @@ CVE-2008-1382 VULNERABLE (libpng, fixed 1.2.27) minimal impact, affected api rarely used CVE-2008-1382 VULNERABLE (libpng10) [since libpng10-1.0.33-1.fc9] CVE-2008-1381 VULNERABLE (zoneminder, fixed 1.23.3) #444437 -CVE-2008-1380 VULNERABLE (firefox, fixed 2.0.0.14) -CVE-2008-1380 VULNERABLE (seamonkey, fixed 1.1.10) #442852 -CVE-2008-1380 VULNERABLE (thunderbird, fixed 2.0.0.14) #442857 +CVE-2008-1380 version (firefox, fixed 2.0.0.14) +CVE-2008-1380 backport (seamonkey, fixed 1.1.10) #442852 [since seamonkey-1.1.9-3.fc9] +CVE-2008-1380 version (thunderbird, fixed 2.0.0.14) #442857 [since thunderbird-2.0.0.14-1.fc9] CVE-2008-1374 ignore (cups) only affects old cups versions in RHEL -CVE-2008-1373 VULNERABLE (cups) #440041 [since cups-1.3.6-9.fc9] +CVE-2008-1373 backport (cups) #440041 [since cups-1.3.6-9.fc9] CVE-2008-1372 version (bzip2, fixed 1.0.5) [since bzip2-1.0.5-1.fc9] CVE-2008-1360 VULNERABLE (nagios) #437852 CVE-2008-1353 ignore (zabbix) #437848 Needs authorization @@ -88,19 +91,19 @@ CVE-2008-1238 version (seamonkey, fixed 1.1.9) CVE-2008-1237 version (firefox, fixed 2.0.0.13) CVE-2008-1237 version (seamonkey, fixed 1.1.9) -CVE-2008-1237 VULNERABLE (thunderbird, fixed 2.0.0.14) #442857 +CVE-2008-1237 version (thunderbird, fixed 2.0.0.14) #442857 [since thunderbird-2.0.0.14-1.fc9] CVE-2008-1236 version (firefox, fixed 2.0.0.13) CVE-2008-1236 version (seamonkey, fixed 1.1.9) -CVE-2008-1236 VULNERABLE (thunderbird, fixed 2.0.0.14) #442857 +CVE-2008-1236 version (thunderbird, fixed 2.0.0.14) #442857 [since thunderbird-2.0.0.14-1.fc9] CVE-2008-1235 version (firefox, fixed 2.0.0.13) CVE-2008-1235 version (seamonkey, fixed 1.1.9) -CVE-2008-1235 VULNERABLE (thunderbird, fixed 2.0.0.14) #442857 +CVE-2008-1235 version (thunderbird, fixed 2.0.0.14) #442857 [since thunderbird-2.0.0.14-1.fc9] CVE-2008-1234 version (firefox, fixed 2.0.0.13) CVE-2008-1234 version (seamonkey, fixed 1.1.9) -CVE-2008-1234 VULNERABLE (thunderbird, fixed 2.0.0.14) #442857 +CVE-2008-1234 version (thunderbird, fixed 2.0.0.14) #442857 [since thunderbird-2.0.0.14-1.fc9] CVE-2008-1233 version (firefox, fixed 2.0.0.13) CVE-2008-1233 version (seamonkey, fixed 1.1.9) -CVE-2008-1233 VULNERABLE (thunderbird, fixed 2.0.0.14) #442857 +CVE-2008-1233 version (thunderbird, fixed 2.0.0.14) #442857 [since thunderbird-2.0.0.14-1.fc9] **CVE-2008-1227 fixed (libsilc) We updated this as non-security CVE-2008-1218 version (dovecot, fixed 1.0.13) [since dovecot-1.0.13-6.fc9] marginally affected CVE-2008-1199 version (dovecot, fixed 1.0.11) [since dovecot-1.0.13-6.fc9] not in default config @@ -116,7 +119,7 @@ CVE-2008-1131 version (drupal, fixed 6.1) #435817 [since drupal-6.1-1.fc9] CVE-2008-1111 backport (lighttpd) #435809 [since lighttpd-1.4.18-6.fc9] CVE-2008-1110 version (xine-lib, fixed 1.1.10) [since xine-lib-1.1.10-2.fc9] -CVE-2008-1102 VULNERABLE (blender) #443937 [since blender-2.45-12.fc9] +CVE-2008-1102 backport (blender) #443937 [since blender-2.45-12.fc9] CVE-2008-1100 VULNERABLE (clamav, fixed 0.93) #442364 [since clamav-0.93-1.fc9] CVE-2008-1099 version (moin, fixed 1.5.9) #438674 CVE-2008-1098 version (moin, fixed 1.5.9) #438674 @@ -125,8 +128,8 @@ CVE-2008-1071 version (wireshark, fixed 0.99.8) #435488 [since wireshark-1.0.0-2.fc9] CVE-2008-1070 version (wireshark, fixed 0.99.8) #435488 [since wireshark-1.0.0-2.fc9] CVE-2008-1066 version (php-Smarty) #435813 [since php-Smarty-2.6.19-1.fc9] -CVE-2008-1066 VULNERABLE (gallery2) #438060 -CVE-2008-1066 VULNERABLE (php-pear-PhpDocumentor) #438064 +CVE-2008-1066 fixed (gallery2) #438060 [since gallery2-2.2.4-3.fc9] +CVE-2008-1066 fixed (php-pear-PhpDocumentor) #438064 [since php-pear-PhpDocumentor-1.4.1-2.fc9] CVE-2008-1026 version (WebKit, fixed r31388) [since WebKit-1.0.0-0.8.svn31787.fc9] CVE-2008-1025 version (WebKit, fixed r31438) [since WebKit-1.0.0-0.8.svn31787.fc9] CVE-2008-1011 version (WebKit) [since WebKit-1.0.0-0.8.svn31787.fc9] @@ -138,10 +141,10 @@ CVE-2008-0928 backport (kvm) #433566 [since kvm-61-2.fc9] CVE-2008-0928 backport (xen) [since xen-3.2.0-8.fc9] CVE-2008-0888 backport (unzip) #437927 [since unzip-5.52-9.fc9] -CVE-2008-0887 VULNERABLE (gnome-screensaver) #440257 +CVE-2008-0887 version (gnome-screensaver, fixed 2.22.1) #440257 [since gnome-screensaver-2.22.1-1.fc9] CVE-2008-0882 version (cups, fixed 1.3.6) [since cups-1.3.6-1.fc9] CVE-2008-0807 version (turba, fixed 2.1.7) #433318 [since turba-2.1.7-1.fc9] -CVE-2008-0806 VULNERABLE (wyrd) #433722 +CVE-2008-0806 fixed (wyrd) #433722 [since wyrd-1.4.3b-1.fc9] CVE-2008-0786 version (cacti, fixed 0.8.7b) #432761 [since cacti-0.8.7b-1.fc9] CVE-2008-0785 version (cacti, fixed 0.8.7b) #432761 [since cacti-0.8.7b-1.fc9] CVE-2008-0784 version (cacti, fixed 0.8.7b) #432761 [since cacti-0.8.7b-1.fc9] @@ -226,16 +229,16 @@ CVE-2008-0191 ignore (wordpress) File path is not a sensitive information CVE-2008-0172 backport (boost) #428976 [since boost-1.34.1-7.fc9] CVE-2008-0171 backport (boost) #428976 [since boost-1.34.1-7.fc9] -CVE-2008-0128 VULNERABLE (tomcat5) #429905 +CVE-2008-0128 version (tomcat5, fixed 5.5.21) #429905 CVE-2008-0123 fixed (moodle) #428731 [since moodle-1.8.4-1.fc9] CVE-2008-0122 backport (bind) #429534 [since bind-9.5.0-24.b1.fc9] CVE-2008-0095 version (asterisk, fixed 1.4.17) AST-2008-001 [since asterisk-1.4.17-1.fc9] -CVE-2008-0073 VULNERABLE (xine-lib, fixed 1.1.11) #438193 +CVE-2008-0073 version (xine-lib, fixed 1.1.11) #438193 [since xine-lib-1.1.11-1.fc9] CVE-2008-0072 backport (evolution) #436082 [evolution-2.21.92-2.fc9] CVE-2008-0063 backport (krb5, fixed 1.6.4) [since krb5-1.6.3-10.fc9] CVE-2008-0062 backport (krb5, fixed 1.6.4) [since krb5-1.6.3-10.fc9] CVE-2008-0053 version (cups, fixed 1.3.6) [since cups-1.3.6-1.fc9] -CVE-2008-0047 VULNERABLE (cups) #440041 +CVE-2008-0047 backport (cups) #440041 [since cups-1.3.6-9.fc9] CVE-2008-0008 backport (pulseaudio) #425481 [since pulseaudio-0.9.8-5.fc9] CVE-2008-0006 backport (libXfont) #429133 [since libXfont-1.3.1-3.fc9] CVE-2008-0005 version (httpd, fixed 2.2.8) #427984 [since httpd-2.2.8-2] @@ -254,7 +257,7 @@ CVE-2007-6687 version (gallery2, fixed 2.2.4) [since gallery2-2.2.4-1] CVE-2007-6686 version (gallery2, fixed 2.2.4) [since gallery2-2.2.4-1] CVE-2007-6685 version (gallery2, fixed 2.2.4) [since gallery2-2.2.4-1] -CVE-2007-6672 VULNERABLE (jetty) #428018 +CVE-2007-6672 ignore (jetty) #428018 jetty 6.x only CVE-2007-6631 fixed (libnemesi, not fixed 0.6.4-rc1) #426910 [since libnemesi-0.6.4-0.1.rc2.fc9] This wasn't released yet CVE-2007-6630 version (netembryo, fixed 0.0.5) #427470 There was not release in stable branches yet [since netembryo-0.0.5-1.fc9] CVE-2007-6613 version (libcdio) #427200 [since libcdio-0.79-2.fc9] @@ -286,7 +289,7 @@ CVE-2007-6335 version (clamav, fixed 0.92) #426213 [since clamav-0.92-3.fc9] CVE-2007-6437 version (syslog-ng, fixed 2.0.6) #426307 [since syslog-ng-2.0.7-1.fc9] CVE-2007-6430 version (asterisk, fixed 1.4.16) [since asterisk-1.4.16.1-1.fc9] -CVE-2007-6389 VULNERABLE (gnome-screensaver) #426171 +CVE-2007-6389 version (gnome-screensaver) #426171 CVE-2007-6353 backport (exiv2) #425924 [since exiv2-0.16-0.3.pre1.fc9] CVE-2007-6352 backport (libexif) #425641 [since libexif-0.6.15-5.fc9] CVE-2007-6351 backport (libexif) #425641 [since libexif-0.6.15-5.fc9] @@ -299,7 +302,7 @@ CVE-2007-6304 ignore (mysql, fixed 5.0.52) federated engine not built CVE-2007-6303 backport (mysql, fixed 5.0.52) [since mysql-5.0.45-6.fc9] CVE-2007-6299 version (drupal, fixed 5.4) [since drupal-5.4-1.fc9] SA-2007-031 -CVE-2007-6286 VULNERABLE (tomcat5) #432476 +CVE-2007-6286 version (tomcat5, fixed 5.5.26) #432476 [since tomcat5-5.5.26-1jpp.1.fc9] CVE-2007-6285 backport (autofs) #426401 [since autofs-5.0.2-25] CVE-2007-6284 version (libxml2, fixed 2.6.31) [since libxml2-2.6.31-1] CVE-2007-6283 backport (bind) #423081 [since bind-9.5.0-21.b1.fc9] @@ -307,8 +310,8 @@ CVE-2007-6210 backport (zabbix) #407181 [since zabbix-1.4.2-4.fc9] CVE-2007-6209 ignore (zsh) #409871 We don't ship the script CVE-2007-6208 ignore (claws) We don't ship the script -CVE-2007-6207 VULNERABLE (kernel) Xen cross-domain memory read -CVE-2007-6206 VULNERABLE (kernel) Core dump owner issue +CVE-2007-6207 ignore (kernel-xen) Xen cross-domain memory read, ia64 only +CVE-2007-6206 version (kernel, fixed 2.6.22.17) Core dump owner issue CVE-2007-6203 ignore (httpd) #409831 User can't unput garbage before method name CVE-2007-6201 version (wesnoth, fixed 1.2.8) [since wesnoth-1.2.8-3.fc9] CVE-2007-6183 backport (ruby-gnome2) #405611 [since ruby-gnome2-0.16.0-22.fc9] @@ -332,7 +335,7 @@ CVE-2007-6018 version (horde, fixed 3.1.6) #428630 [since horde-3.1.6-1.fc9] CVE-2007-6018 version (imp, fixed 4.1.6) #428634 [since imp-4.1.6-1.fc9] CVE-2007-6018 VULNERABLE (wordpress) #426434 -CVE-2007-6015 VULNERABLE (samba, fixed 3.0.28) #433622 +CVE-2007-6015 version (samba, fixed 3.0.28) #433622 [since samba-3.2.0-1.pre2.5.fc9] CVE-2007-6013 VULNERABLE (wordpress) #426434 CVE-2007-5977 version (phpMyAdmin) #385911 [since phpMyAdmin-2.11.2.2-1.fc9] CVE-2007-5976 version (phpMyAdmin) #385911 [since phpMyAdmin-2.11.2.2-1.fc9] @@ -380,23 +383,23 @@ CVE-2007-5589 version (phpMyAdmin, fixed 2.11.1.2) #333661 PMASA-2007-6 CVE-2007-5503 version (cairo, fixed 1.4.12) [since cairo-1.5.4-1.fc9] CVE-2007-5497 backport (e2fsprogs) #414591 [since e2fsprogs-1.40.2-14.fc9] -CVE-2007-5461 VULNERABLE (tomcat5, not fixed 5.5.25) #334531 +CVE-2007-5461 version (tomcat5, fixed 5.5.26) #334531 [since tomcat5-5.5.26-1jpp.1.fc9] CVE-2007-5395 version (link-grammar) #372361 [since link-grammar-4.2.5-1.fc9] CVE-2007-5393 backport (xpdf) #372481 [since xpdf-3.02-4.fc9] CVE-2007-5393 backport (cups) CVE-2007-5393 version (poppler, fixed 0.6.2) #372521 [since poppler-0.6.2-1.fc9] -CVE-2007-5393 VULNERABLE (kdegraphics) #372581 -CVE-2007-5393 VULNERABLE (koffice) #372611 +CVE-2007-5393 fixed (kdegraphics) #372581 kde4 kdegraphics now use poppler +CVE-2007-5393 backport (koffice) #372611 [since koffice-1.6.3-15.fc9] CVE-2007-5393 version (tetex) #372671 [since tetex-3.0-48.fc9] CVE-2007-5392 backport (xpdf) #372481 [since xpdf-3.02-4.fc9] CVE-2007-5392 backport (cups) CVE-2007-5392 version (poppler, fixed 0.6.2) #372521 [since poppler-0.6.2-1.fc9] -CVE-2007-5392 VULNERABLE (kdegraphics) #372581 -CVE-2007-5392 VULNERABLE (koffice) #372611 +CVE-2007-5392 fixed (kdegraphics) #372581 kde4 kdegraphics now use poppler +CVE-2007-5392 backport (koffice) #372611 [since koffice-1.6.3-15.fc9] CVE-2007-5392 version (tetex) #372671 [since tetex-3.0-48.fc9] CVE-2007-5386 version (phpmyadmin, fixed 2.11.1.1) #333661 PMASA-2007-5 -CVE-2007-5333 VULNERABLE (tomcat5) #428257 -CVE-2007-5201 VULNERABLE (duplicity, no upstream fix) #362841 +CVE-2007-5333 version (tomcat5, fixed 5.5.26) #428257 [since tomcat5-5.5.26-1jpp.1.fc9] +CVE-2007-5201 version (duplicity, fixed 0.4.9?) #362841 [since duplicity-0.4.9-1.fc9] CVE-2007-5200 version (hugin) #362871 [since hugin-0.6.1-11.fc9] CVE-2007-5198 VULNERABLE (nagios-plugins, fixed 1.4.10) #362901 CVE-2007-5197 version (mono, fixed 1.2.5.1) #367551 [since mono-1.2.5.1-3.fc9] @@ -409,7 +412,7 @@ CVE-2007-4990 version (xorg-x11-xfs, fixed 1.0.5) CVE-2007-4879 version (firefox, fixed 2.0.0.13) CVE-2007-4879 version (seamonkey, fixed 1.1.9) -CVE-2007-4829 VULNERABLE (perl, not fixed upstream) #364291 +CVE-2007-4829 VULNERABLE (perl, not fixed upstream) #364291 perl-Archive-Tar directory traversal CVE-2007-4772 version (postgresql, fixed 8.2.6) #427774 [since postgresql-8.2.6-1.fc9] CVE-2007-4771 backport (icu) [since icu-3.8.1-3.fc9] CVE-2007-4770 backport (icu) [since icu-3.8.1-3.fc9] @@ -424,8 +427,8 @@ CVE-2007-4352 backport (xpdf) #372481 [since xpdf-3.02-4.fc9] CVE-2007-4352 backport (cups) CVE-2007-4352 version (poppler, fixed 0.6.2) #372521 [since poppler-0.6.2-1.fc9] -CVE-2007-4352 VULNERABLE (kdegraphics) #372581 -CVE-2007-4352 VULNERABLE (koffice) #372611 +CVE-2007-4352 fixed (kdegraphics) #372581 kde4 kdegraphics now use poppler +CVE-2007-4352 backport (koffice) #372611 [since koffice-1.6.3-15.fc9] CVE-2007-4352 version (tetex) #372671 [since tetex-3.0-48.fc9] CVE-2007-4351 version (cups) #361681 CVE-2007-3999 VULNERABLE (nfs-utils-lib) #362101 @@ -441,8 +444,8 @@ CVE-2007-3279 ignore (postgresql) bogus CVE assignment CVE-2007-3278 version (postgresql, fixed 8.2.5) CVE-2007-3145 ignore (galeon) in 2.0.3 the truncation still occurs, but at reasonable length -CVE-2007-2450 VULNERABLE (tomcat5, not fixed 5.5.24) #244812 -CVE-2007-2449 VULNERABLE (tomcat5, not fixed 5.5.24) #244812 +CVE-2007-2450 version (tomcat5, fixed 5.5.25) #244812 [since tomcat5-5.5.25-1jpp.1.fc9] +CVE-2007-2449 version (tomcat5, fixed 5.5.25) #244812 [since tomcat5-5.5.25-1jpp.1.fc9] CVE-2007-2245 version (phpMyAdmin, fixed 2.10.1) #237882 CVE-2007-2165 version (proftpd, fixed 1.3.1rc3) #237533 CVE-2007-1841 version (ipsec-tools, fixed 0.6.7) #238052 @@ -460,11 +463,11 @@ CVE-2007-0235 version (libgtop2, fixed 2.14.6) #222637 not sure, will triage CVE-2007-0095 backport (phpMyAdmin) #221694 "Reveals path" [since phpMyAdmin-2.11.3-1.fc9] CVE-2006-7232 version (mysql, fixed 5.0.32) -CVE-2006-6698 VULNERABLE (GConf2) #219280 -CVE-2006-6128 version (kernel, fixed 2.6.19-1.2911.fc6) #250625 ReiserFS MOKB +CVE-2006-6698 ignore (GConf2) #219280 minimal impact, let upstream deal with it if they care +CVE-2006-6128 version (kernel, fixed 2.6.19) #250625 ReiserFS MOKB CVE-2006-6107 version (dbus, fixed 1.0.2) #219665 CVE-2006-6077 version (firefox, fixed 1.5.0.10) -CVE-2006-6058 VULNERABLE (kernel) #250623 Minix MOKB. In stable tree, should be fixed in 2.6.24 +CVE-2006-6058 version (kernel, fixed 2.6.23.7) #250623 Minix MOKB. In stable tree, should be fixed in 2.6.24 CVE-2006-6057 version (kernel, fixed 2_6_20-1_2924_fc6) GFS2 MOKB. CVE-2006-5868 version (ImageMagick, fixed 6.2.9.1) #217560 CVE-2006-5864 version (evince, fixed 0.6.3) #217672 @@ -488,6 +491,6 @@ CVE-2005-4791 version (liferea, fixed 1.4.8) #393311 [since liferea-1.4.8-1.fc9] CVE-2005-4790 backport (blam, fixed 1.8.4) #395771 [since blam-1.8.3-11.fc9] CVE-2005-4790 backport (tomboy) #362961 [since tomboy-0.8.1-2.fc9] -CVE-2005-3675 VULNERABLE (kernel) optack, no upstream fix -- TCP protocol weakness +CVE-2005-3675 ignore (kernel) optack, no upstream fix -- TCP protocol weakness CVE-2003-1265 ignore (thunderbird) Stuff deleted from userspace is not guarranteed to go away physically moz#198442 CVE-2003-1265 ignore (seamonkey) Stuff deleted from userspace is not guarranteed to go away physically moz#198442 Index: fc7 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc7,v retrieving revision 1.371 retrieving revision 1.372 diff -u -r1.371 -r1.372 --- fc7 5 May 2008 08:37:37 -0000 1.371 +++ fc7 6 May 2008 16:54:54 -0000 1.372 @@ -9,6 +9,9 @@ rhbz249840 version (tor, fixed 0.1.2.15) #249840 [since FEDORA-2007-1674] CVE-2008-2068 version (wordpress, fixed 2.5.1) [since FEDORA-2008-3319] CVE-2008-2033 ignore (zoneminder) duplicate of CVE-2008-1381 +CVE-2008-2000 ignore (WebKit) browser DoS +CVE-2008-1999 VULNERABLE (WebKit) +CVE-2008-1996 VULNERABLE (licq, fixed 1.3.6) #445237 CVE-2008-1974 VULNERABLE (kronolith, fixed 3.1.8) #444403 CVE-2008-1964 ignore (xine-lib) bogus vulnerability report CVE-2008-1959 VULNERABLE (sipp, fixed 3.1) [since sipp-3.1-1.fc7] @@ -59,7 +62,7 @@ CVE-2008-1483 ignore (openssh) was alrady fixed by another patch CVE-2008-1482 fixed (xine-lib) #438669 [since FEDORA-2008-2945] CVE-2008-1474 fixed (roundup) #436548 [since FEDORA-2008-2471] -CVE-2008-1468 fixed (namazu) #438666 [since FEDORA-2008-2678] +CVE-2008-1468 fixed (namazu, fixed 2.0.18) #438666 [since FEDORA-2008-2678] CVE-2008-1467 fixed (centerim) #438871 [since FEDORA-2008-2869] CVE-2008-1394 ignore (plone) CVE-2008-1390 fixed (asterisk, fixed 1.4.19-rc3) #438132 [since FEDORA-2008-2620] @@ -297,7 +300,7 @@ CVE-2007-6350 fixed (scponly) #429731 [since FEDORA-2008-1728] rsync vector only CVE-2007-6348 ignore (squirrelmail) trojaned version was not shipped CVE-2007-6328 ignore (dosbox) design decision -CVE-2007-6321 VULNERABLE (roundcubemail) #423281 [since FEDORA-2008-3019] +CVE-2007-6321 VULNERABLE (roundcubemail) #423281 CVE-2007-6318 VULNERABLE (wordpress) CVE-2007-6313 ignore (mysql) 5.1+ only CVE-2007-6304 ignore (mysql, fixed 5.0.52) federated engine not built @@ -311,8 +314,8 @@ CVE-2007-6210 backport (zabbix) #407181 [since FEDORA-2007-4160] CVE-2007-6209 ignore (zsh) #409871 We don't ship the script CVE-2007-6208 ignore (claws) We don't ship the script -CVE-2007-6207 VULNERABLE (kernel) Xen cross-domain memory read -CVE-2007-6206 VULNERABLE (kernel) Core dump owner issue +CVE-2007-6207 ignore (kernel-xen) Xen cross-domain memory read, ia64 only +CVE-2007-6206 version (kernel, fixed 2.6.22.17) Core dump owner issue CVE-2007-6203 ignore (httpd) #409831 User can't unput garbage before method name CVE-2007-6201 version (wesnoth, fixed 1.2.8) [since FEDORA-2007-3986] CVE-2007-6183 version (ruby-gnome2) #405591 [since FEDORA-2007-4229] @@ -994,7 +997,7 @@ *CVE-2006-6736 ** (java-ibm) *CVE-2006-6731 ** (java-ibm) *CVE-2006-6719 backport (wget) #221469 [since FEDORA-2007-043] -*CVE-2006-6698 VULNERABLE (GConf2) #219280 +*CVE-2006-6698 ignore (GConf2) #219280 minimal impact CVE-2006-6693 ignore (zabbix, fixed 1.1.3, < 1.1.4 not shipped) CVE-2006-6692 ignore (zabbix, fixed 1.1.3, < 1.1.4 not shipped) CVE-2006-6660 ignore (kdelibs) client Dos only, not reproducible @@ -1054,7 +1057,7 @@ CVE-2006-6085 version (kile, fixed 1.9.3) #217238 CVE-2006-6077 version (firefox, fixed 1.5.0.10) CVE-2006-6060 ignore (kernel, fixed 2.6.19-rc2) no NTFS support -CVE-2006-6058 VULNERABLE (kernel, fixed 2.6.24) 250623 +CVE-2006-6058 version (kernel, fixed 2.6.23.7) 250623 CVE-2006-6057 version (kernel, fixed **) CVE-2006-6056 version (kernel, fixed 2.6.19) [since FEDORA-2007-058] was backport since FEDORA-2006-1471 CVE-2006-6054 version (kernel, fixed fixed 2.6.19.2) [since FEDORA-2007-058] @@ -1820,7 +1823,7 @@ CVE-2005-3753 version (kernel, fixed 2.6.14) CVE-2005-3745 ignore (struts, fixed 1.2.8) but not through tomcat CVE-2005-3732 version (ipsec-tools, fixed 0.6.3) -*CVE-2005-3675 VULNERABLE (kernel) optack, no upstream fix +CVE-2005-3675 ignore (kernel) optack, no upstream fix, wontfix upstream CVE-2005-3671 version (openswan, fixed 2.4.4) *CVE-2005-3662 version (netpbm) CVE-2005-3656 version (mod_auth_pgsql, fixed 2.0.3) From fedora-security-commits at redhat.com Wed May 7 16:48:38 2008 From: fedora-security-commits at redhat.com (fedora-security-commits at redhat.com) Date: Wed, 7 May 2008 16:48:38 GMT Subject: [Fedora-security-commits] fedora-security/audit f8, 1.216, 1.217 f9, 1.206, 1.207 fc7, 1.372, 1.373 Message-ID: <200805071648.m47GmcAG006790@cvs-int.fedora.redhat.com> Author: thoger Update of /cvs/fedora/fedora-security/audit In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv6726/audit Modified Files: f8 f9 fc7 Log Message: more pre-f9 cleanups Index: f8 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/f8,v retrieving revision 1.216 retrieving revision 1.217 diff -u -r1.216 -r1.217 --- f8 6 May 2008 16:54:54 -0000 1.216 +++ f8 7 May 2008 16:48:08 -0000 1.217 @@ -5,7 +5,7 @@ # (mozilla) = (gecko-libs dependent stuff) rhbz293031 fixed (nx) #293031 [since FEDORA-2008-2258] -rhbz249840 VULNERABLE (tor) +rhbz249840 version (tor, fixed 0.1.2.15) CVE-2008-2068 version (wordpress, fixed 2.5.1) [since FEDORA-2008-3397] CVE-2008-2033 ignore (zoneminder) duplicate of CVE-2008-1381 CVE-2008-2000 ignore (WebKit) browser DoS @@ -122,6 +122,7 @@ CVE-2008-1131 ignore (drupal) #435816 drupal 6.x only CVE-2008-1111 fixed (lighttpd) #435807 [since FEDORA-2008-2262] CVE-2008-1110 version (xine-lib, fixed 1.1.10) [since FEDORA-2008-1043] +CVE-2008-1103 VULNERABLE (blender) not fixed upstream CVE-2008-1102 VULNERABLE (blender) #443936 CVE-2008-1100 fixed (clamav, fixed 0.93) #442363 [since FEDORA-2008-3420] CVE-2008-1099 fixed (moin) #438673 [since FEDORA-2008-3301] @@ -262,7 +263,7 @@ CVE-2007-6687 version (gallery2, fixed 2.2.4) [since FEDORA-2007-4778] CVE-2007-6686 version (gallery2, fixed 2.2.4) [since FEDORA-2007-4778] CVE-2007-6685 version (gallery2, fixed 2.2.4) [since FEDORA-2007-4778] -CVE-2007-6672 ingore (jetty) #428017 jetty 6.x only +CVE-2007-6672 ignore (jetty) #428017 jetty 6.x only CVE-2007-6613 fixed (libcdio) #427199 [since FEDORA-2008-0136] CVE-2007-6612 ignore (rubygem-mongrel, only affects 1.0.4) affected version was not shipped CVE-2007-6611 fixed (mantis) #427278 [since FEDORA-2008-0282] @@ -341,7 +342,7 @@ CVE-2007-6018 fixed (wordpress) #426433 [since FEDORA-2008-0103] CVE-2007-6015 version (samba, fixed 3.0.28) [since FEDORA-2007-4275] CVE-2007-6035 version (cacti, fixed 0.8.7a) #391991 [since FEDORA-2007-3667] -CVE-2007-6013 fixed (wordpress) #426433 [since FEDORA-2008-0103] +CVE-2007-6013 fixed (wordpress) [since wordpress-2.5.1-1.fc8] CVE-2007-5977 version (phpMyAdmin, fixed 2.11.2.1) #385901 [since FEDORA-2007-3636] CVE-2007-5976 version (phpMyAdmin, fixed 2.11.2.1) #385901 [since FEDORA-2007-3636] CVE-2007-5972 ignore (krb5, fixed 1.6.4) not exploitable @@ -355,7 +356,7 @@ CVE-2007-5959 version (mozilla, fixed ff 2.0.0.10, sm 1.1.7) [since FEDORA-2007-3962] CVE-2007-5958 fixed (xorg-x11-server, fixed 1.4.1) #429126 [since FEDORA-2008-0760] CVE-2007-5947 version (mozilla, fixed ff 2.0.0.10, sm 1.1.7) [since FEDORA-2007-3962] -CVE-2007-5938 VULNERABLE (kernel) #385861 iwlwifi +CVE-2007-5938 fixed (kernel) #385861 iwlwifi [since kernel-2.6.23.9-67.fc8] CVE-2007-5937 backport (tetex) #379861 [since FEDORA-2007-3308] Multiple dviljk buffer overflows CVE-2007-5936 backport (tetex) #379861 [since FEDORA-2007-3308] dviljk uses insecure temporary file CVE-2007-5935 backport (tetex) #379861 [since FEDORA-2007-3308] dvips -z buffer overflow with long href @@ -449,9 +450,9 @@ CVE-2007-4129 backport (coolkey) [since coolkey-1.1.0-5.fc8] CVE-2007-4045 backport (cups) [since FEDORA-2007-2982] CVE-2007-4033 backport (tetex) [since FEDORA-2007-3308] -CVE-2007-3999 VULNERABLE (nfs-utils-lib) #362091 +CVE-2007-3999 fixed (nfs-utils-lib) #362091 [since FEDORA-2008-1102] CVE-2007-3999 fixed (libtirpc) #362111 [since FEDORA-2008-1017] -CVE-2007-3920 VULNERABLE (compiz, not fixed upstream) #363061 +CVE-2007-3920 fixed (compiz, not fixed upstream) #363061 [since xorg-x11-server-1.3.0.0-40.fc8] CVE-2007-3919 backport (xen, fixed 3.1.0-13) #361991 CVE-2007-3844 version (firefox, fixed 2.0.0.6) CVE-2007-3843 version (kernel) #246595 No idea which version fixed this Index: f9 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/f9,v retrieving revision 1.206 retrieving revision 1.207 diff -u -r1.206 -r1.207 --- f9 6 May 2008 16:54:54 -0000 1.206 +++ f9 7 May 2008 16:48:08 -0000 1.207 @@ -4,13 +4,13 @@ # *CVE are items that need verification for Fedora 9 # (mozilla) = (gecko-libs dependent stuff) -rhbz249840 VULNERABLE (tor) +rhbz249840 version (tor, fixed 0.1.2.15) CVE-2008-2068 version (wordpress, fixed 2.5.1) [since wordpress-2.5.1-1.fc9] CVE-2008-2033 ignore (zoneminder) duplicate of CVE-2008-1381 CVE-2008-2000 ignore (WebKit) browser DoS CVE-2008-1999 VULNERABLE (WebKit) CVE-2008-1996 VULNERABLE (licq, fixed 1.3.6) #445239 -CVE-2008-1974 VULNERABLE (kronolith, fixed 3.1.8) #444405 +CVE-2008-1974 ignore (kronolith, fixed 3.1.8) #444405 package removed from f9 and rawhide CVE-2008-1964 ignore (xine-lib) bogus vulnerability report CVE-2008-1959 VULNERABLE (sipp, fixed 3.1) [since sipp-3.1-1.fc9] CVE-2008-1937 version (moin, fixed 1.6.3) [since moin-1.6.3-1.fc9] @@ -67,7 +67,7 @@ CVE-2008-1387 VULNERABLE (clamav, fixed 0.93) #442364 [since clamav-0.93-1.fc9] CVE-2008-1382 VULNERABLE (libpng, fixed 1.2.27) minimal impact, affected api rarely used CVE-2008-1382 VULNERABLE (libpng10) [since libpng10-1.0.33-1.fc9] -CVE-2008-1381 VULNERABLE (zoneminder, fixed 1.23.3) #444437 +CVE-2008-1381 VULNERABLE (zoneminder, fixed 1.23.3) #444437 [since zoneminder-1.22.3-14.fc9] CVE-2008-1380 version (firefox, fixed 2.0.0.14) CVE-2008-1380 backport (seamonkey, fixed 1.1.10) #442852 [since seamonkey-1.1.9-3.fc9] CVE-2008-1380 version (thunderbird, fixed 2.0.0.14) #442857 [since thunderbird-2.0.0.14-1.fc9] @@ -119,6 +119,7 @@ CVE-2008-1131 version (drupal, fixed 6.1) #435817 [since drupal-6.1-1.fc9] CVE-2008-1111 backport (lighttpd) #435809 [since lighttpd-1.4.18-6.fc9] CVE-2008-1110 version (xine-lib, fixed 1.1.10) [since xine-lib-1.1.10-2.fc9] +CVE-2008-1103 VULNERABLE (blender) not fixed upstream CVE-2008-1102 backport (blender) #443937 [since blender-2.45-12.fc9] CVE-2008-1100 VULNERABLE (clamav, fixed 0.93) #442364 [since clamav-0.93-1.fc9] CVE-2008-1099 version (moin, fixed 1.5.9) #438674 @@ -329,14 +330,13 @@ CVE-2007-6110 version (htdig) [since htdig-3.2.0b6-13.fc9] CVE-2007-6100 version (phpMyAdmin, fixed 2.11.2.2) CVE-2007-6067 version (postgresql, fixed 8.2.6) #427774 [since postgresql-8.2.6-1.fc9] -CVE-2007-6061 VULNERABLE (audacity) #393251 +CVE-2007-6061 backport (audacity) #393251 [since audacity-1.3.2-21.fc9] CVE-2007-6035 version (cacti, fixed 0.8.7a) #392001 [since cacti-0.8.7a-1.fc9] CVE-2007-6029 ignore (clamav) insufficient information about the issue CVE-2007-6018 version (horde, fixed 3.1.6) #428630 [since horde-3.1.6-1.fc9] CVE-2007-6018 version (imp, fixed 4.1.6) #428634 [since imp-4.1.6-1.fc9] -CVE-2007-6018 VULNERABLE (wordpress) #426434 CVE-2007-6015 version (samba, fixed 3.0.28) #433622 [since samba-3.2.0-1.pre2.5.fc9] -CVE-2007-6013 VULNERABLE (wordpress) #426434 +CVE-2007-6013 version (wordpress, fixed 2.5) [since wordpress-2.5.1-1.fc9] CVE-2007-5977 version (phpMyAdmin) #385911 [since phpMyAdmin-2.11.2.2-1.fc9] CVE-2007-5976 version (phpMyAdmin) #385911 [since phpMyAdmin-2.11.2.2-1.fc9] CVE-2007-5972 ignore (krb5, fixed 1.6.4) not exploitable @@ -350,7 +350,7 @@ CVE-2007-5959 version (mozilla, fixed ff 2.0.0.10, sm 1.1.7) CVE-2007-5958 fixed (xorg-x11-server, fixed 1.4.1) #429127 [since xorg-x11-server-1.4.99.1-0.17.20080107.fc9] code removed upstream CVE-2007-5947 version (mozilla, fixed ff 2.0.0.10, sm 1.1.7) -CVE-2007-5938 VULNERABLE (kernel) #385861 iwlwifi +CVE-2007-5938 fixed (kernel) #385861 iwlwifi [since kernel-2.6.24-0.47.rc3.git2.fc9] CVE-2007-5937 backport (tetex) #379851 Multiple dviljk buffer overflows [since tetex-3.0-48.fc9] CVE-2007-5936 backport (tetex) #379851 dviljk uses insecure temporary file [since tetex-3.0-48.fc9] CVE-2007-5935 backport (tetex) #379851 dvips -z buffer overflow with long href [since tetex-3.0-48.fc9] @@ -401,7 +401,7 @@ CVE-2007-5333 version (tomcat5, fixed 5.5.26) #428257 [since tomcat5-5.5.26-1jpp.1.fc9] CVE-2007-5201 version (duplicity, fixed 0.4.9?) #362841 [since duplicity-0.4.9-1.fc9] CVE-2007-5200 version (hugin) #362871 [since hugin-0.6.1-11.fc9] -CVE-2007-5198 VULNERABLE (nagios-plugins, fixed 1.4.10) #362901 +CVE-2007-5198 version (nagios-plugins, fixed 1.4.10) #362901 [since nagios-plugins-1.4.11-4.fc9] CVE-2007-5197 version (mono, fixed 1.2.5.1) #367551 [since mono-1.2.5.1-3.fc9] CVE-2007-5116 backport (perl) #378151 [since perl-5.8.8-31.fc9] CVE-2007-5079 VULNERABLE (gdm) #363041 Red Hat specific problem @@ -423,7 +423,7 @@ CVE-2007-4568 version (xorg-x11-xfs, fixed 1.0.5) CVE-2007-4559 VULNERABLE (python, not fixed upstream) #315291 Upstream WONTFIX. See where we use the code. CVE-2007-4476 backport (cpio, not fixed 2.9) #339691 [since cpio-2.9-5.fc9] -CVE-2007-4400 VULNERABLE (konversation) #362931 Remove media script? +CVE-2007-4400 backport (konversation) #362931 Remove media script? [since konversation-1.0.1-6.fc9] CVE-2007-4352 backport (xpdf) #372481 [since xpdf-3.02-4.fc9] CVE-2007-4352 backport (cups) CVE-2007-4352 version (poppler, fixed 0.6.2) #372521 [since poppler-0.6.2-1.fc9] @@ -431,14 +431,14 @@ CVE-2007-4352 backport (koffice) #372611 [since koffice-1.6.3-15.fc9] CVE-2007-4352 version (tetex) #372671 [since tetex-3.0-48.fc9] CVE-2007-4351 version (cups) #361681 -CVE-2007-3999 VULNERABLE (nfs-utils-lib) #362101 -CVE-2007-3999 VULNERABLE (libtirpc) #362121 -CVE-2007-3920 VULNERABLE (compiz, not fixed upstream) #357091 +CVE-2007-3999 version (nfs-utils-lib) #362101 [since nfs-utils-lib-1.1.0-4.fc9] +CVE-2007-3999 backport (libtirpc) #362121 [since libtirpc-0.1.7-15.fc9] +CVE-2007-3920 fixed (compiz, not fixed upstream) #357091 CVE-2007-3919 backport (xen, fixed 3.1.0-13) #362011 CVE-2007-3844 version (firefox, fixed 2.0.0.6) CVE-2007-3843 version (kernel) #246595 No idea which version fixed this CVE-2007-3568 backport (imlib) [since imlib-1.9.15-6.fc9] -CVE-2007-3544 VULNERABLE (wordpress, NOT fixed 2.2.1) #245211 Incomplete fix for CVE-2007-3543 +CVE-2007-3544 version (wordpress, fixed 2.2.1) #245211 Incomplete fix for CVE-2007-3543, insufficient info CVE-2007-3387 version (poppler, fixed 0.5.91) #251512 CVE-2007-3280 ignore (postgresql) bogus CVE assignment CVE-2007-3279 ignore (postgresql) bogus CVE assignment Index: fc7 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc7,v retrieving revision 1.372 retrieving revision 1.373 diff -u -r1.372 -r1.373 --- fc7 6 May 2008 16:54:54 -0000 1.372 +++ fc7 7 May 2008 16:48:08 -0000 1.373 @@ -123,6 +123,7 @@ CVE-2008-1131 ignore (drupal) #435815 drupal 6.x only CVE-2008-1111 fixed (lighttpd) #435808 [since FEDORA-2008-2278] CVE-2008-1110 version (xine-lib, fixed 1.1.10) [since FEDORA-2008-1047] +CVE-2008-1103 VULNERABLE (blender) not fixed upstream CVE-2008-1102 VULNERABLE (blender) #443935 CVE-2008-1100 fixed (clamav, fixed 0.93) #442362 [since FEDORA-2008-3358] CVE-2008-1099 fixed (moin) #438672 [since FEDORA-2008-3328] @@ -340,7 +341,7 @@ CVE-2007-6018 fixed (imp) #428633 [since FEDORA-2008-2087] CVE-2007-6018 fixed (wordpress) #426432 [since FEDORA-2008-0126] CVE-2007-6015 version (samba, fixed 3.0.28) [since FEDORA-2007-4269] -CVE-2007-6013 fixed (wordpress) #426432 [since FEDORA-2008-0126] +CVE-2007-6013 fixed (wordpress, fixed 2.5) [since wordpress-2.5.1-1.fc7] CVE-2007-5977 version (phpMyAdmin, fixed 2.11.2.1) #385891 [since FEDORA-2007-3627] CVE-2007-5976 version (phpMyAdmin, fixed 2.11.2.1) #385891 [since FEDORA-2007-3627] CVE-2007-5972 ignore (krb5, fixed 1.6.4) not exploitable @@ -354,7 +355,7 @@ CVE-2007-5959 version (mozilla, fixed ff 2.0.0.10, sm 1.1.7) [since FEDORA-2007-3952] CVE-2007-5958 fixed (xorg-x11-server, fixed 1.4.1) #429125 [since FEDORA-2008-0831] CVE-2007-5947 version (mozilla, fixed ff 2.0.0.10, sm 1.1.7) [since FEDORA-2007-3952] -CVE-2007-5938 VULNERABLE (kernel) #385861 iwlwifi +CVE-2007-5938 fixed (kernel) #385861 iwlwifi [since kernel-2.6.23.9-39.fc7] CVE-2007-5937 backport (tetex) #379831 [since FEDORA-2007-3390] Multiple dviljk buffer overflows CVE-2007-5936 backport (tetex) #379831 [since FEDORA-2007-3390] dviljk uses insecure temporary file CVE-2007-5935 backport (tetex) #379831 [since FEDORA-2007-3390] dvips -z buffer overflow with long href @@ -557,7 +558,7 @@ CVE-2007-3999 VULNERABLE (libtirpc) #294921 CVE-2007-3962 ignore (gftp) multiple buffer overflows in fsplib, not on Linux CVE-2007-3961 ignore (gftp) off-by-one error in fsplib -CVE-2007-3920 VULNERABLE (compiz) #357071 +CVE-2007-3920 fixed (compiz) #357071 [since xorg-x11-server-1.3.0.0-16.fc7] CVE-2007-3852 backport (sysstat) #252295 [since FEDORA-2007-1697] CVE-2007-3950 version (lighttpd, fixed 1.4.16) #249162 [since FEDORA-2007-1299] CVE-2007-3949 version (lighttpd, fixed 1.4.16) #249162 [since FEDORA-2007-1299] From fedora-security-commits at redhat.com Fri May 9 09:25:29 2008 From: fedora-security-commits at redhat.com (fedora-security-commits at redhat.com) Date: Fri, 9 May 2008 09:25:29 GMT Subject: [Fedora-security-commits] fedora-security/tools/scripts add-issue, 1.5, 1.6 Message-ID: <200805090925.m499PT2B001351@cvs-int.fedora.redhat.com> Author: thoger Update of /cvs/fedora/fedora-security/tools/scripts In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv1333/tools/scripts Modified Files: add-issue Log Message: change path to audit files as I hate having to cd to tools every time Index: add-issue =================================================================== RCS file: /cvs/fedora/fedora-security/tools/scripts/add-issue,v retrieving revision 1.5 retrieving revision 1.6 diff -u -r1.5 -r1.6 --- add-issue 19 Mar 2008 17:01:39 -0000 1.5 +++ add-issue 9 May 2008 09:24:59 -0000 1.6 @@ -24,9 +24,9 @@ use strict; my %versions = ( - '7' => '../audit/fc7', - '8' => '../audit/f8', - '9' => '../audit/f9', + '7' => 'audit/fc7', + '8' => 'audit/f8', + '9' => 'audit/f9', ); # Command line options From fedora-security-commits at redhat.com Fri May 9 09:26:46 2008 From: fedora-security-commits at redhat.com (fedora-security-commits at redhat.com) Date: Fri, 9 May 2008 09:26:46 GMT Subject: [Fedora-security-commits] fedora-security/tools/lib/Libexig Fedora.pm, 1.3, 1.4 Message-ID: <200805090926.m499Qk65001398@cvs-int.fedora.redhat.com> Author: thoger Update of /cvs/fedora/fedora-security/tools/lib/Libexig In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv1357/tools/lib/Libexig Modified Files: Fedora.pm Log Message: F9 is almost out but still no F9 component, hence change wording of rawhide bugs (temporarily) Index: Fedora.pm =================================================================== RCS file: /cvs/fedora/fedora-security/tools/lib/Libexig/Fedora.pm,v retrieving revision 1.3 retrieving revision 1.4 diff -u -r1.3 -r1.4 --- Fedora.pm 14 Jan 2008 16:33:12 -0000 1.3 +++ Fedora.pm 9 May 2008 09:26:15 -0000 1.4 @@ -104,8 +104,10 @@ my $comment_rawhide = "\n". - 'Please close this bug with RAWHIDE (referencing appropriate N-V-R in '. - 'Fixed In field if possible) once is it fixed in devel branch. '. +# 'Please close this bug with RAWHIDE (referencing appropriate N-V-R in '. +# 'Fixed In field if possible) once is it fixed in devel branch. '. + 'Please note it\'s currently not possible to file bugs against F9, '. + 'so please make sure to fix in both rawhide and upcoming F9. '. 'Do *not* include the bug id of this bug in the RPM changelog and the '. 'commit message.'. "\n\n"; @@ -113,7 +115,7 @@ my %priorities = ( 'urgent', => 4, 'high', => 3, - 'medium', => 2, + 'medium', => 2, 'low' => 1, ); @@ -242,6 +244,23 @@ $bugzilla->add_comment ($bug_id, $tr_comment); } + # XXX temporary until F9 BZ component is created + else { + my $tr_comment = + 'You can eventually use the following link to '. + 'create the update request for upcoming Fedora 9: '."\n". + 'https://admin.fedoraproject.org/updates/new/'. + '?request=Stable'. + '&type=security'. + '&release=Fedora%209'. + '&bugs='.$bug_id; + + foreach my $bug (@{$parent_bugs}) { + $tr_comment .= ','.$bug; + } + + $bugzilla->add_comment ($bug_id, $tr_comment); + } $bugzilla->add_blockers ($bug_id, $parent_bugs); $comment .= $bug->{'version'}.": bug #$bug_id\n"; From fedora-security-commits at redhat.com Fri May 9 18:59:37 2008 From: fedora-security-commits at redhat.com (fedora-security-commits at redhat.com) Date: Fri, 9 May 2008 18:59:37 GMT Subject: [Fedora-security-commits] fedora-security/audit f8, 1.217, 1.218 f9, 1.207, 1.208 fc7, 1.373, 1.374 Message-ID: <200805091859.m49Ixbsq015478@cvs-int.fedora.redhat.com> Author: thoger Update of /cvs/fedora/fedora-security/audit In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv15451/audit Modified Files: f8 f9 fc7 Log Message: bunch of new CVE ids... Index: f8 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/f8,v retrieving revision 1.217 retrieving revision 1.218 diff -u -r1.217 -r1.218 --- f8 7 May 2008 16:48:08 -0000 1.217 +++ f8 9 May 2008 18:59:07 -0000 1.218 @@ -6,6 +6,11 @@ rhbz293031 fixed (nx) #293031 [since FEDORA-2008-2258] rhbz249840 version (tor, fixed 0.1.2.15) +CVE-2008-2109 VULNERABLE (libid3tag) #445814 +CVE-2008-2105 VULNERABLE (bugzilla, fixed 3.0.4, 3.1.4) #445822 +CVE-2008-2104 ignore (bugzilla, fixed 3.1.4) only affects 3.1.3, not in Fedora +CVE-2008-2103 VULNERABLE (bugzilla, fixed 3.0.4, 3.1.4) #445822 +CVE-2008-2079 VULNERABLE (mysql, fixed 5.0.60) #445805 CVE-2008-2068 version (wordpress, fixed 2.5.1) [since FEDORA-2008-3397] CVE-2008-2033 ignore (zoneminder) duplicate of CVE-2008-1381 CVE-2008-2000 ignore (WebKit) browser DoS @@ -28,8 +33,12 @@ CVE-2008-1836 ignore (clamav, fixed 0.93) affected code introduced after 0.92.1 CVE-2008-1835 ignore (clamav, fixed 0.93) unrar code not shipped CVE-2008-1833 fixed (clamav, fixed 0.93-rc1) #442363 [since FEDORA-2008-3420] +CVE-2008-1803 VULNERABLE (rdesktop) #445842 +CVE-2008-1802 VULNERABLE (rdesktop) #445842 +CVE-2008-1801 VULNERABLE (rdesktop) #445842 CVE-2008-1796 fixed (comix) [since FEDORA-2008-2981] CVE-2008-1729 ignore (drupal) 6.x only +CVE-2008-1722 VULNERABLE (cups) #445802 CVE-2008-1720 fixed (rsync, fixed 3.0.2) #441690 [since FEDORA-2008-3047] CVE-2008-1693 version (xpdf, fixed 3.02) CVE-2008-1693 version (poppler, fixed 0.6.2) @@ -39,6 +48,7 @@ CVE-2008-1687 ignore (m4, fixed 1.4.11) not really a security issue CVE-2008-1686 fixed (libfishsound, fixed 0.9.1) #441247 [since FEDORA-2008-3059] CVE-2008-1686 fixed (speex) #442572 [since FEDORA-2008-3103] +CVE-2008-1677 VULNERABLE (fedora-ds-base) #445809 CVE-2008-1671 ignore (kdelibs) start_kdeinit not setuid CVE-2008-1670 ignore (kdelibs) kdelibs 4.x only CVE-2008-1670 fixed (kdelibs4) #444399 [since FEDORA-2008-3412] kdelibs 4.x only Index: f9 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/f9,v retrieving revision 1.207 retrieving revision 1.208 diff -u -r1.207 -r1.208 --- f9 7 May 2008 16:48:08 -0000 1.207 +++ f9 9 May 2008 18:59:07 -0000 1.208 @@ -5,6 +5,11 @@ # (mozilla) = (gecko-libs dependent stuff) rhbz249840 version (tor, fixed 0.1.2.15) +CVE-2008-2109 VULNERABLE (libid3tag) #445815 +CVE-2008-2105 VULNERABLE (bugzilla, fixed 3.0.4, 3.1.4) #445823 +CVE-2008-2104 ignore (bugzilla, fixed 3.1.4) only affects 3.1.3, not in Fedora +CVE-2008-2103 VULNERABLE (bugzilla, fixed 3.0.4, 3.1.4) #445823 +CVE-2008-2079 VULNERABLE (mysql, fixed 5.0.60) #445806 CVE-2008-2068 version (wordpress, fixed 2.5.1) [since wordpress-2.5.1-1.fc9] CVE-2008-2033 ignore (zoneminder) duplicate of CVE-2008-1381 CVE-2008-2000 ignore (WebKit) browser DoS @@ -27,9 +32,13 @@ CVE-2008-1835 ignore (clamav, fixed 0.93) unrar code not shipped CVE-2008-1834 version (swfdec, fixed 0.6.4) [since swfdec-0.6.4-1.fc9] CVE-2008-1833 version (clamav, fixed 0.93-rc1) [since clamav-0.93-0.0.rc1.fc9] +CVE-2008-1803 VULNERABLE (rdesktop) #445843 +CVE-2008-1802 VULNERABLE (rdesktop) #445843 +CVE-2008-1801 VULNERABLE (rdesktop) #445843 CVE-2008-1796 fixed (comix) [since comix-3.6.4-6.fc9] CVE-2008-1771 VULNERABLE (mt-daapd) [since mt-daapd-0.9-0.2.1696.fc9] CVE-2008-1729 version (drupal, fixed 6.2) [since drupal-6.2-1.fc9] +CVE-2008-1722 VULNERABLE (cups) #445803 CVE-2008-1720 version (rsync, fixed 3.0.2) [since rsync-3.0.2-0.fc9] CVE-2008-1693 version (xpdf, fixed 3.02) CVE-2008-1693 version (poppler, fixed 0.6.2) @@ -39,6 +48,7 @@ CVE-2008-1687 ignore (m4, fixed 1.4.11) not really a security issue CVE-2008-1686 version (libfishsound, fixed 0.9.1) #441248 [since libfishsound-0.9.1-1.fc9] CVE-2008-1686 backport (speex) [since speex-1.2-0.7.beta3] +CVE-2008-1677 VULNERABLE (fedora-ds-base) #445810 CVE-2008-1671 ignore (kdelibs) start_kdeinit not shipped CVE-2008-1670 backport (kdelibs) [since kdelibs-4.0.3-7.fc9] CVE-2008-1658 backport (PolicyKit) #439996 [since PolicyKit-0.7-7.fc9] Index: fc7 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc7,v retrieving revision 1.373 retrieving revision 1.374 diff -u -r1.373 -r1.374 --- fc7 7 May 2008 16:48:08 -0000 1.373 +++ fc7 9 May 2008 18:59:07 -0000 1.374 @@ -7,6 +7,11 @@ rhbz293031 fixed (nx) #293031 [since FEDORA-2008-2258] rhbz249840 version (tor, fixed 0.1.2.15) #249840 [since FEDORA-2007-1674] +CVE-2008-2109 VULNERABLE (libid3tag) #445813 +CVE-2008-2105 VULNERABLE (bugzilla, fixed 3.0.4, 3.1.4) #445821 +CVE-2008-2104 ignore (bugzilla, fixed 3.1.4) only affects 3.1.3, not in Fedora +CVE-2008-2103 VULNERABLE (bugzilla, fixed 3.0.4, 3.1.4) #445821 +CVE-2008-2079 VULNERABLE (mysql, fixed 5.0.60) #445804 CVE-2008-2068 version (wordpress, fixed 2.5.1) [since FEDORA-2008-3319] CVE-2008-2033 ignore (zoneminder) duplicate of CVE-2008-1381 CVE-2008-2000 ignore (WebKit) browser DoS @@ -29,8 +34,12 @@ CVE-2008-1836 ignore (clamav, fixed 0.93) affected code introduced after 0.92.1 CVE-2008-1835 ignore (clamav, fixed 0.93) unrar code not shipped CVE-2008-1833 fixed (clamav, fixed 0.93-rc1) #442362 [since FEDORA-2008-3358] +CVE-2008-1803 VULNERABLE (rdesktop) #445841 +CVE-2008-1802 VULNERABLE (rdesktop) #445841 +CVE-2008-1801 VULNERABLE (rdesktop) #445841 CVE-2008-1796 fixed (comix) [since FEDORA-2008-2993] CVE-2008-1729 ignore (drupal) 6.x only +CVE-2008-1722 VULNERABLE (cups) #445801 CVE-2008-1720 fixed (rsync, fixed 3.0.2) #441689 [since FEDORA-2008-3060] CVE-2008-1693 version (xpdf, fixed 3.02) CVE-2008-1693 ignore (kdegraphics) not affected @@ -40,6 +49,7 @@ CVE-2008-1687 ignore (m4, fixed 1.4.11) not really a security issue CVE-2008-1686 VULNERABLE (libfishsound, fixed 0.9.1) #441246 [since FEDORA-2008-3117] CVE-2008-1686 fixed (speex) #442571 [since FEDORA-2008-3191] +CVE-2008-1677 VULNERABLE (fedora-ds-base) #445808 CVE-2008-1671 ignore (kdelibs) start_kdeinit not setuid CVE-2008-1670 ignore (kdelibs) kdelibs 4.x only CVE-2008-1670 fixed (kdelibs4) #444398 [since FEDORA-2008-3379] kdelibs 4.x only From fedora-security-commits at redhat.com Tue May 13 15:47:28 2008 From: fedora-security-commits at redhat.com (fedora-security-commits at redhat.com) Date: Tue, 13 May 2008 15:47:28 GMT Subject: [Fedora-security-commits] fedora-security/audit f10, NONE, 1.1 f8, 1.218, 1.219 f9, 1.208, 1.209 fc7, 1.374, 1.375 Message-ID: <200805131547.m4DFlSBf028481@cvs-int.fedora.redhat.com> Author: thoger Update of /cvs/fedora/fedora-security/audit In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv28447/audit Modified Files: f8 f9 fc7 Added Files: f10 Log Message: check updates create f10 tracking file based on f9 unfixed issues ***** Error reading new file: [Errno 2] No such file or directory: 'f10' Index: f8 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/f8,v retrieving revision 1.218 retrieving revision 1.219 diff -u -r1.218 -r1.219 --- f8 9 May 2008 18:59:07 -0000 1.218 +++ f8 13 May 2008 15:46:58 -0000 1.219 @@ -6,19 +6,21 @@ rhbz293031 fixed (nx) #293031 [since FEDORA-2008-2258] rhbz249840 version (tor, fixed 0.1.2.15) +CVE-2008-2146 version (wordpress, fixed 2.2.3) CVE-2008-2109 VULNERABLE (libid3tag) #445814 -CVE-2008-2105 VULNERABLE (bugzilla, fixed 3.0.4, 3.1.4) #445822 +CVE-2008-2105 fixed (bugzilla, fixed 3.0.4, 3.1.4) #445822 [since FEDORA-2008-3442] CVE-2008-2104 ignore (bugzilla, fixed 3.1.4) only affects 3.1.3, not in Fedora -CVE-2008-2103 VULNERABLE (bugzilla, fixed 3.0.4, 3.1.4) #445822 +CVE-2008-2103 fixed (bugzilla, fixed 3.0.4, 3.1.4) #445822 [since FEDORA-2008-3442] +CVE-2008-2085 VULNERABLE (sipp) #446220 CVE-2008-2079 VULNERABLE (mysql, fixed 5.0.60) #445805 CVE-2008-2068 version (wordpress, fixed 2.5.1) [since FEDORA-2008-3397] CVE-2008-2033 ignore (zoneminder) duplicate of CVE-2008-1381 CVE-2008-2000 ignore (WebKit) browser DoS CVE-2008-1999 VULNERABLE (WebKit) CVE-2008-1996 VULNERABLE (licq, fixed 1.3.6) #445238 -CVE-2008-1974 VULNERABLE (kronolith, fixed 3.1.8) #444404 +CVE-2008-1974 VULNERABLE (kronolith, fixed 3.1.8) #444404 [since FEDORA-2008-3543] CVE-2008-1964 ignore (xine-lib) bogus vulnerability report -CVE-2008-1959 VULNERABLE (sipp, fixed 3.1) [since sipp-3.1-1.fc8] +CVE-2008-1959 fixed (sipp, fixed 3.1) [since FEDORA-2008-3501] CVE-2008-1937 ignore (moin, fixed 1.6.3) 1.6.x only CVE-2008-1930 ignore (wordpress, fixed 2.5.1) [since wordpress-2.5.1-1.fc8] only for wp 2.5.0 CVE-2008-1928 fixed (perl-Imager, fixed 0.64) #443940 [since FEDORA-2008-3352] @@ -38,7 +40,7 @@ CVE-2008-1801 VULNERABLE (rdesktop) #445842 CVE-2008-1796 fixed (comix) [since FEDORA-2008-2981] CVE-2008-1729 ignore (drupal) 6.x only -CVE-2008-1722 VULNERABLE (cups) #445802 +CVE-2008-1722 fixed (cups) #445802 [since FEDORA-2008-3586] CVE-2008-1720 fixed (rsync, fixed 3.0.2) #441690 [since FEDORA-2008-3047] CVE-2008-1693 version (xpdf, fixed 3.02) CVE-2008-1693 version (poppler, fixed 0.6.2) @@ -77,11 +79,11 @@ CVE-2008-1390 fixed (asterisk, fixed 1.4.19-rc3) #438133 [since FEDORA-2008-2554] CVE-2008-1387 fixed (clamav, fixed 0.93) #442363 [since FEDORA-2008-3420] CVE-2008-1382 VULNERABLE (libpng, fixed 1.2.27) minimal impact, affected api rarely used -CVE-2008-1382 VULNERABLE (libpng10) [since libpng10-1.0.33-1.fc8] -CVE-2008-1381 VULNERABLE (zoneminder, fixed 1.23.3) #444436 +CVE-2008-1382 VULNERABLE (libpng10) [since libpng10-1.0.37-1.fc8] +CVE-2008-1381 fixed (zoneminder, fixed 1.23.3) #444436 [since FEDORA-2008-3462] CVE-2008-1380 VULNERABLE (firefox, fixed 2.0.0.14) CVE-2008-1380 fixed (seamonkey, fixed 1.1.10) #442851 [since FEDORA-2008-3264] -CVE-2008-1380 VULNERABLE (thunderbird, fixed 2.0.0.14) #442856 +CVE-2008-1380 fixed (thunderbird, fixed 2.0.0.14) #442856 [since FEDORA-2008-3557] CVE-2008-1374 ignore (cups) only affects old cups versions in RHEL CVE-2008-1373 fixed (cups) #440040 [since FEDORA-2008-2131] CVE-2008-1372 fixed (bzip2, fixed 1.0.5) #439855 [since FEDORA-2008-2970] @@ -105,19 +107,19 @@ CVE-2008-1238 version (seamonkey, fixed 1.1.9) CVE-2008-1237 version (firefox, fixed 2.0.0.13) CVE-2008-1237 version (seamonkey, fixed 1.1.9) -CVE-2008-1237 VULNERABLE (thunderbird, fixed 2.0.0.14) #442856 +CVE-2008-1237 fixed (thunderbird, fixed 2.0.0.14) #442856 [since FEDORA-2008-3557] CVE-2008-1236 version (firefox, fixed 2.0.0.13) CVE-2008-1236 version (seamonkey, fixed 1.1.9) -CVE-2008-1236 VULNERABLE (thunderbird, fixed 2.0.0.14) #442856 +CVE-2008-1236 fixed (thunderbird, fixed 2.0.0.14) #442856 [since FEDORA-2008-3557] CVE-2008-1235 version (firefox, fixed 2.0.0.13) CVE-2008-1235 version (seamonkey, fixed 1.1.9) -CVE-2008-1235 VULNERABLE (thunderbird, fixed 2.0.0.14) #442856 +CVE-2008-1235 fixed (thunderbird, fixed 2.0.0.14) #442856 [since FEDORA-2008-3557] CVE-2008-1234 version (firefox, fixed 2.0.0.13) CVE-2008-1234 version (seamonkey, fixed 1.1.9) -CVE-2008-1234 VULNERABLE (thunderbird, fixed 2.0.0.14) #442856 +CVE-2008-1234 fixed (thunderbird, fixed 2.0.0.14) #442856 [since FEDORA-2008-3557] CVE-2008-1233 version (firefox, fixed 2.0.0.13) CVE-2008-1233 version (seamonkey, fixed 1.1.9) -CVE-2008-1233 VULNERABLE (thunderbird, fixed 2.0.0.14) #442856 +CVE-2008-1233 fixed (thunderbird, fixed 2.0.0.14) #442856 [since FEDORA-2008-3557] **CVE-2008-1227 fixed (libsilc) We updated this as non-security CVE-2008-1218 version (dovecot, fixed 1.0.13) [since FEDORA-2008-2464] marginally affected CVE-2008-1199 version (dovecot, fixed 1.0.11) [since FEDORA-2008-2464] not in default config @@ -191,7 +193,7 @@ CVE-2008-0554 version (netpbm, fixed 10.27) CVE-2008-0553 fixed (perl-Tk) #431532 [since FEDORA-2008-1323] CVE-2008-0553 backport (tk, fixed 8.5.1) [since FEDORA-2008-1122] -CVE-2008-0553 VULNERABLE (tkimg) #444951 +CVE-2008-0553 fixed (tkimg) #444951 [since FEDORA-2008-3514] CVE-2008-0544 fixed (SDL_image) #430694 [since FEDORA-2008-1208] ILBM overflow CVE-2008-0486 fixed (xine-lib, fixed 1.1.10.1) #431543 [since FEDORA-2008-1543] CVE-2008-0460 fixed (mediawiki) #430288 [since FEDORA-2008-2288] @@ -259,7 +261,7 @@ CVE-2008-0006 fixed (libXfont) #429132 [since FEDORA-2008-0794] CVE-2008-0005 fixed (httpd, fixed 2.2.8) #427982 [since FEDORA-2008-1711] CVE-2008-0003 fixed (tog-pegasus, fixed 2.7.0) #427829 [since FEDORA-2008-0572] -CVE-2008-0002 fixed (tomcat5) #432474 [since FEDORA-2008-1467] +CVE-2008-0002 ignore (tomcat5) #432474 tomcat 6.x only CVE-2007-6714 fixed (dbmail, fixed 2.2.9) #443021 [since FEDORA-2008-3333] CVE-2007-6703 fixed (vdccm, fixed 0.10.1) #436026 [since FEDORA-2008-0680] CVE-2007-6698 version (openldap, fixed 2.3.36) @@ -345,7 +347,7 @@ CVE-2007-6110 backport (htdig) [since FEDORA-2007-3958] CVE-2007-6100 version (phpMyAdmin, fixed 2.11.2.2) [since FEDORA-2007-3639] CVE-2007-6067 fixed (postgresql, fixed 8.2.6) #427773 [since FEDORA-2008-0478] -CVE-2007-6061 VULNERABLE (audacity) #393251 +CVE-2007-6061 fixed (audacity) #393251 [since FEDORA-2008-3456] CVE-2007-6029 ignore (clamav) insufficient information about the issue CVE-2007-6018 fixed (horde) #428628 [since FEDORA-2008-2040] CVE-2007-6018 fixed (imp) #428632 [since FEDORA-2008-2040] Index: f9 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/f9,v retrieving revision 1.208 retrieving revision 1.209 diff -u -r1.208 -r1.209 --- f9 9 May 2008 18:59:07 -0000 1.208 +++ f9 13 May 2008 15:46:58 -0000 1.209 @@ -5,19 +5,21 @@ # (mozilla) = (gecko-libs dependent stuff) rhbz249840 version (tor, fixed 0.1.2.15) -CVE-2008-2109 VULNERABLE (libid3tag) #445815 -CVE-2008-2105 VULNERABLE (bugzilla, fixed 3.0.4, 3.1.4) #445823 +CVE-2008-2146 version (wordpress, fixed 2.2.3) +CVE-2008-2109 fixed (libid3tag) #445815 [since FEDORA-2008-3757] +CVE-2008-2105 fixed (bugzilla, fixed 3.0.4, 3.1.4) #445823 [since FEDORA-2008-3668] CVE-2008-2104 ignore (bugzilla, fixed 3.1.4) only affects 3.1.3, not in Fedora -CVE-2008-2103 VULNERABLE (bugzilla, fixed 3.0.4, 3.1.4) #445823 +CVE-2008-2103 fixed (bugzilla, fixed 3.0.4, 3.1.4) #445823 [since FEDORA-2008-3668] +CVE-2008-2085 VULNERABLE (sipp) #446221 CVE-2008-2079 VULNERABLE (mysql, fixed 5.0.60) #445806 CVE-2008-2068 version (wordpress, fixed 2.5.1) [since wordpress-2.5.1-1.fc9] CVE-2008-2033 ignore (zoneminder) duplicate of CVE-2008-1381 CVE-2008-2000 ignore (WebKit) browser DoS CVE-2008-1999 VULNERABLE (WebKit) -CVE-2008-1996 VULNERABLE (licq, fixed 1.3.6) #445239 +CVE-2008-1996 fixed (licq, fixed 1.3.6) #445239 [since FEDORA-2008-3812] CVE-2008-1974 ignore (kronolith, fixed 3.1.8) #444405 package removed from f9 and rawhide CVE-2008-1964 ignore (xine-lib) bogus vulnerability report -CVE-2008-1959 VULNERABLE (sipp, fixed 3.1) [since sipp-3.1-1.fc9] +CVE-2008-1959 fixed (sipp, fixed 3.1) [since FEDORA-2008-3690] CVE-2008-1937 version (moin, fixed 1.6.3) [since moin-1.6.3-1.fc9] CVE-2008-1930 ignore (wordpress, fixed 2.5.1) only for wp 2.5.0 CVE-2008-1928 VULNERABLE (perl-Imager, fixed 0.64) #443941 @@ -38,7 +40,7 @@ CVE-2008-1796 fixed (comix) [since comix-3.6.4-6.fc9] CVE-2008-1771 VULNERABLE (mt-daapd) [since mt-daapd-0.9-0.2.1696.fc9] CVE-2008-1729 version (drupal, fixed 6.2) [since drupal-6.2-1.fc9] -CVE-2008-1722 VULNERABLE (cups) #445803 +CVE-2008-1722 fixed (cups) #445803 [since FEDORA-2008-3756] CVE-2008-1720 version (rsync, fixed 3.0.2) [since rsync-3.0.2-0.fc9] CVE-2008-1693 version (xpdf, fixed 3.02) CVE-2008-1693 version (poppler, fixed 0.6.2) @@ -76,8 +78,8 @@ CVE-2008-1390 version (asterisk, fixed 1.6.0-beta6) #438134 [since asterisk-1.6.0-0.6.beta6.fc9] CVE-2008-1387 VULNERABLE (clamav, fixed 0.93) #442364 [since clamav-0.93-1.fc9] CVE-2008-1382 VULNERABLE (libpng, fixed 1.2.27) minimal impact, affected api rarely used -CVE-2008-1382 VULNERABLE (libpng10) [since libpng10-1.0.33-1.fc9] -CVE-2008-1381 VULNERABLE (zoneminder, fixed 1.23.3) #444437 [since zoneminder-1.22.3-14.fc9] +CVE-2008-1382 VULNERABLE (libpng10) [since FEDORA-2008-3683] +CVE-2008-1381 fixed (zoneminder, fixed 1.23.3) #444437 [since FEDORA-2008-3601] CVE-2008-1380 version (firefox, fixed 2.0.0.14) CVE-2008-1380 backport (seamonkey, fixed 1.1.10) #442852 [since seamonkey-1.1.9-3.fc9] CVE-2008-1380 version (thunderbird, fixed 2.0.0.14) #442857 [since thunderbird-2.0.0.14-1.fc9] @@ -134,7 +136,7 @@ CVE-2008-1100 VULNERABLE (clamav, fixed 0.93) #442364 [since clamav-0.93-1.fc9] CVE-2008-1099 version (moin, fixed 1.5.9) #438674 CVE-2008-1098 version (moin, fixed 1.5.9) #438674 -CVE-2008-1078 VULNERABLE (am-utils) #437746 +CVE-2008-1078 ignore (am-utils) minimal impact CVE-2008-1072 version (wireshark, fixed 0.99.8) #435488 [since wireshark-1.0.0-2.fc9] CVE-2008-1071 version (wireshark, fixed 0.99.8) #435488 [since wireshark-1.0.0-2.fc9] CVE-2008-1070 version (wireshark, fixed 0.99.8) #435488 [since wireshark-1.0.0-2.fc9] @@ -254,7 +256,7 @@ CVE-2008-0006 backport (libXfont) #429133 [since libXfont-1.3.1-3.fc9] CVE-2008-0005 version (httpd, fixed 2.2.8) #427984 [since httpd-2.2.8-2] CVE-2008-0003 version (tog-pegasus, fixed 2.7.0) -CVE-2008-0002 VULNERABLE (tomcat5) #432476 +CVE-2008-0002 ignore (tomcat5) #432476 tomcat 6.x only CVE-2007-6714 VULNERABLE (dbmail, fixed 2.2.9) #443022 [since dbmail-2.2.9-1.fc9] CVE-2007-6703 version (vdccm, fixed 0.10.1) #436027 CVE-2007-6698 version (openldap, fixed 2.3.36) Index: fc7 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc7,v retrieving revision 1.374 retrieving revision 1.375 diff -u -r1.374 -r1.375 --- fc7 9 May 2008 18:59:07 -0000 1.374 +++ fc7 13 May 2008 15:46:58 -0000 1.375 @@ -7,19 +7,21 @@ rhbz293031 fixed (nx) #293031 [since FEDORA-2008-2258] rhbz249840 version (tor, fixed 0.1.2.15) #249840 [since FEDORA-2007-1674] +CVE-2008-2146 version (wordpress, fixed 2.2.3) CVE-2008-2109 VULNERABLE (libid3tag) #445813 -CVE-2008-2105 VULNERABLE (bugzilla, fixed 3.0.4, 3.1.4) #445821 +CVE-2008-2105 fixed (bugzilla, fixed 3.0.4, 3.1.4) #445821 [since FEDORA-2008-3488] CVE-2008-2104 ignore (bugzilla, fixed 3.1.4) only affects 3.1.3, not in Fedora -CVE-2008-2103 VULNERABLE (bugzilla, fixed 3.0.4, 3.1.4) #445821 +CVE-2008-2103 fixed (bugzilla, fixed 3.0.4, 3.1.4) #445821 [since FEDORA-2008-3488] +CVE-2008-2085 VULNERABLE (sipp) #446219 CVE-2008-2079 VULNERABLE (mysql, fixed 5.0.60) #445804 CVE-2008-2068 version (wordpress, fixed 2.5.1) [since FEDORA-2008-3319] CVE-2008-2033 ignore (zoneminder) duplicate of CVE-2008-1381 CVE-2008-2000 ignore (WebKit) browser DoS CVE-2008-1999 VULNERABLE (WebKit) CVE-2008-1996 VULNERABLE (licq, fixed 1.3.6) #445237 -CVE-2008-1974 VULNERABLE (kronolith, fixed 3.1.8) #444403 +CVE-2008-1974 VULNERABLE (kronolith, fixed 3.1.8) #444403 [since FEDORA-2008-3460] CVE-2008-1964 ignore (xine-lib) bogus vulnerability report -CVE-2008-1959 VULNERABLE (sipp, fixed 3.1) [since sipp-3.1-1.fc7] +CVE-2008-1959 fixed (sipp, fixed 3.1) [since FEDORA-2008-3508] CVE-2008-1937 ignore (moin, fixed 1.6.3) 1.6.x only CVE-2008-1930 ignore (wordpress, fixed 2.5.1) [since wordpress-2.5.1-1.fc7] only for wp 2.5.0 CVE-2008-1928 VULNERABLE (perl-Imager, fixed 0.64) #443939 @@ -39,7 +41,7 @@ CVE-2008-1801 VULNERABLE (rdesktop) #445841 CVE-2008-1796 fixed (comix) [since FEDORA-2008-2993] CVE-2008-1729 ignore (drupal) 6.x only -CVE-2008-1722 VULNERABLE (cups) #445801 +CVE-2008-1722 fixed (cups) #445801 [since FEDORA-2008-3449] CVE-2008-1720 fixed (rsync, fixed 3.0.2) #441689 [since FEDORA-2008-3060] CVE-2008-1693 version (xpdf, fixed 3.02) CVE-2008-1693 ignore (kdegraphics) not affected @@ -79,10 +81,10 @@ CVE-2008-1387 fixed (clamav, fixed 0.93) #442362 [since FEDORA-2008-3358] CVE-2008-1382 ignore (libpng, fixed 1.2.27) minimal impact, affected api rarely used CVE-2008-1382 ignore (libpng10) [since libpng10-1.0.33-1.fc7] -CVE-2008-1381 VULNERABLE (zoneminder, fixed 1.23.3) #444435 +CVE-2008-1381 fixed (zoneminder, fixed 1.23.3) #444435 [since FEDORA-2008-3516] CVE-2008-1380 VULNERABLE (firefox, fixed 2.0.0.14) CVE-2008-1380 fixed (seamonkey, fixed 1.1.10) #442850 [since FEDORA-2008-3231] -CVE-2008-1380 VULNERABLE (thunderbird, fixed 2.0.0.14) #442855 +CVE-2008-1380 fixed (thunderbird, fixed 2.0.0.14) #442855 [since FEDORA-2008-3519] CVE-2008-1374 ignore (cups) only affects old cups versions in RHEL CVE-2008-1373 fixed (cups) #440042 [since FEDORA-2008-2897] CVE-2008-1372 fixed (bzip2, fixed 1.0.5) #439855 [since FEDORA-2008-2970] @@ -106,19 +108,19 @@ CVE-2008-1238 version (seamonkey, fixed 1.1.9) CVE-2008-1237 version (firefox, fixed 2.0.0.13) CVE-2008-1237 version (seamonkey, fixed 1.1.9) -CVE-2008-1237 VULNERABLE (thunderbird, fixed 2.0.0.14) #442855 +CVE-2008-1237 fixed (thunderbird, fixed 2.0.0.14) #442855 [since FEDORA-2008-3519] CVE-2008-1236 version (firefox, fixed 2.0.0.13) CVE-2008-1236 version (seamonkey, fixed 1.1.9) -CVE-2008-1236 VULNERABLE (thunderbird, fixed 2.0.0.14) #442855 +CVE-2008-1236 fixed (thunderbird, fixed 2.0.0.14) #442855 [since FEDORA-2008-3519] CVE-2008-1235 version (firefox, fixed 2.0.0.13) CVE-2008-1235 version (seamonkey, fixed 1.1.9) -CVE-2008-1235 VULNERABLE (thunderbird, fixed 2.0.0.14) #442855 +CVE-2008-1235 fixed (thunderbird, fixed 2.0.0.14) #442855 [since FEDORA-2008-3519] CVE-2008-1234 version (firefox, fixed 2.0.0.13) CVE-2008-1234 version (seamonkey, fixed 1.1.9) -CVE-2008-1234 VULNERABLE (thunderbird, fixed 2.0.0.14) #442855 +CVE-2008-1234 fixed (thunderbird, fixed 2.0.0.14) #442855 [since FEDORA-2008-3519] CVE-2008-1233 version (firefox, fixed 2.0.0.13) CVE-2008-1233 version (seamonkey, fixed 1.1.9) -CVE-2008-1233 VULNERABLE (thunderbird, fixed 2.0.0.14) #442855 +CVE-2008-1233 fixed (thunderbird, fixed 2.0.0.14) #442855 [since FEDORA-2008-3519] **CVE-2008-1227 fixed (libsilc) We updated this as non-security CVE-2008-1218 version (dovecot, fixed 1.0.13) [since FEDORA-2008-2475] marginally affected CVE-2008-1199 version (dovecot, fixed 1.0.11) [since FEDORA-2008-2475] not in default config @@ -191,7 +193,7 @@ CVE-2008-0554 version (netpbm, fixed 10.27) CVE-2008-0553 fixed (perl-Tk) #431531 [since FEDORA-2008-1384] CVE-2008-0553 backport (tk, fixed 8.5.1) [since FEDORA-2008-1131] -CVE-2008-0553 VULNERABLE (tkimg) #444950 +CVE-2008-0553 fixed (tkimg) #444950 [since FEDORA-2008-3545] CVE-2008-0544 fixed (SDL_image) #430695 [since FEDORA-2008-1208] ILBM overflow CVE-2008-0486 fixed (xine-lib, fixed 1.1.10.1) #431542 [since FEDORA-2008-1581] CVE-2008-0460 fixed (mediawiki) #430287 [since FEDORA-2008-2245] @@ -259,7 +261,7 @@ CVE-2008-0006 fixed (libXfont) #429131 [since FEDORA-2008-0891] CVE-2008-0005 fixed (httpd, fixed 2.2.8) #427983 [since FEDORA-2008-1695] CVE-2008-0003 fixed (tog-pegasus, fixed 2.7.0) #427828 [since FEDORA-2008-0506] -CVE-2008-0002 fixed (tomcat5) #432475 [since FEDORA-2008-1603] +CVE-2008-0002 ignore (tomcat5) #432475 tomcat 6.x only CVE-2007-6714 fixed (dbmail, fixed 2.2.9) #443020 [since FEDORA-2008-3371] CVE-2007-6703 VULNERABLE (vdccm, fixed 0.10.1) #436025 CVE-2007-6698 fixed (openldap, fixed 2.3.36) #431409 [since FEDORA-2008-1307] @@ -344,7 +346,7 @@ CVE-2007-6110 backport (htdig) [since FEDORA-2007-3907] CVE-2007-6100 version (phpMyAdmin, fixed 2.11.2.2) [since FEDORA-2007-3666] CVE-2007-6067 fixed (postgresql, fixed 8.2.6) #427772 [since FEDORA-2008-0552] -CVE-2007-6061 VULNERABLE (audacity) #393251 +CVE-2007-6061 fixed (audacity) #393251 [since FEDORA-2008-3456] CVE-2007-6035 version (cacti, fixed 0.8.7a) #391981 [since FEDORA-2007-3683] CVE-2007-6029 ignore (clamav) insufficient information about the issue CVE-2007-6018 fixed (horde) #428629 [since FEDORA-2008-2087] From fedora-security-commits at redhat.com Tue May 13 15:56:50 2008 From: fedora-security-commits at redhat.com (fedora-security-commits at redhat.com) Date: Tue, 13 May 2008 15:56:50 GMT Subject: [Fedora-security-commits] fedora-security/tools/scripts add-issue, 1.6, 1.7 Message-ID: <200805131556.m4DFuov5029114@cvs-int.fedora.redhat.com> Author: thoger Update of /cvs/fedora/fedora-security/tools/scripts In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv29041/tools/scripts Modified Files: add-issue Log Message: f9 is out -> update tools Index: add-issue =================================================================== RCS file: /cvs/fedora/fedora-security/tools/scripts/add-issue,v retrieving revision 1.6 retrieving revision 1.7 diff -u -r1.6 -r1.7 --- add-issue 9 May 2008 09:24:59 -0000 1.6 +++ add-issue 13 May 2008 15:56:20 -0000 1.7 @@ -27,6 +27,7 @@ '7' => 'audit/fc7', '8' => 'audit/f8', '9' => 'audit/f9', + '10' => 'audit/f10', ); # Command line options From fedora-security-commits at redhat.com Tue May 13 15:56:50 2008 From: fedora-security-commits at redhat.com (fedora-security-commits at redhat.com) Date: Tue, 13 May 2008 15:56:50 GMT Subject: [Fedora-security-commits] fedora-security/tools/lib/Libexig Fedora.pm, 1.4, 1.5 Message-ID: <200805131556.m4DFuoHg029111@cvs-int.fedora.redhat.com> Author: thoger Update of /cvs/fedora/fedora-security/tools/lib/Libexig In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv29041/tools/lib/Libexig Modified Files: Fedora.pm Log Message: f9 is out -> update tools Index: Fedora.pm =================================================================== RCS file: /cvs/fedora/fedora-security/tools/lib/Libexig/Fedora.pm,v retrieving revision 1.4 retrieving revision 1.5 diff -u -r1.4 -r1.5 --- Fedora.pm 9 May 2008 09:26:15 -0000 1.4 +++ Fedora.pm 13 May 2008 15:56:19 -0000 1.5 @@ -104,10 +104,10 @@ my $comment_rawhide = "\n". -# 'Please close this bug with RAWHIDE (referencing appropriate N-V-R in '. -# 'Fixed In field if possible) once is it fixed in devel branch. '. - 'Please note it\'s currently not possible to file bugs against F9, '. - 'so please make sure to fix in both rawhide and upcoming F9. '. + 'Please close this bug with RAWHIDE (referencing appropriate N-V-R in '. + 'Fixed In field if possible) once is it fixed in devel branch. '. +# 'Please note it\'s currently not possible to file bugs against F9, '. +# 'so please make sure to fix in both rawhide and upcoming F9. '. 'Do *not* include the bug id of this bug in the RPM changelog and the '. 'commit message.'. "\n\n"; @@ -121,18 +121,18 @@ # Valid versions my %versions = ( - '6', => '6', - 'f6', => '6', - 'fc6', => '6', '7', => '7', 'f7', => '7', 'fc7', => '7', '8', => '8', 'f8', => '8', 'fc8', => '8', - '9', => 'rawhide', - 'f9', => 'rawhide', - 'fc9', => 'rawhide', + '9', => '9', + 'f9', => '9', + 'fc9', => '9', + '10', => 'rawhide', + 'f10', => 'rawhide', + 'fc10', => 'rawhide', 'devel', => 'rawhide', ); @@ -244,23 +244,23 @@ $bugzilla->add_comment ($bug_id, $tr_comment); } - # XXX temporary until F9 BZ component is created - else { - my $tr_comment = - 'You can eventually use the following link to '. - 'create the update request for upcoming Fedora 9: '."\n". - 'https://admin.fedoraproject.org/updates/new/'. - '?request=Stable'. - '&type=security'. - '&release=Fedora%209'. - '&bugs='.$bug_id; - - foreach my $bug (@{$parent_bugs}) { - $tr_comment .= ','.$bug; - } - - $bugzilla->add_comment ($bug_id, $tr_comment); - } +# # XXX temporary until F9 BZ component is created +# else { +# my $tr_comment = +# 'You can eventually use the following link to '. +# 'create the update request for upcoming Fedora 9: '."\n". +# 'https://admin.fedoraproject.org/updates/new/'. +# '?request=Stable'. +# '&type=security'. +# '&release=Fedora%209'. +# '&bugs='.$bug_id; +# +# foreach my $bug (@{$parent_bugs}) { +# $tr_comment .= ','.$bug; +# } +# +# $bugzilla->add_comment ($bug_id, $tr_comment); +# } $bugzilla->add_blockers ($bug_id, $parent_bugs); $comment .= $bug->{'version'}.": bug #$bug_id\n"; From fedora-security-commits at redhat.com Tue May 13 16:32:52 2008 From: fedora-security-commits at redhat.com (fedora-security-commits at redhat.com) Date: Tue, 13 May 2008 16:32:52 GMT Subject: [Fedora-security-commits] fedora-security/audit f10, 1.1, 1.2 f8, 1.219, 1.220 f9, 1.209, 1.210 fc7, 1.375, 1.376 Message-ID: <200805131632.m4DGWq5H004087@cvs-int.fedora.redhat.com> Author: thoger Update of /cvs/fedora/fedora-security/audit In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv4056/audit Modified Files: f10 f8 f9 fc7 Log Message: debian openssl issue Index: f10 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/f10,v retrieving revision 1.1 retrieving revision 1.2 diff -u -r1.1 -r1.2 --- f10 13 May 2008 15:46:58 -0000 1.1 +++ f10 13 May 2008 16:32:22 -0000 1.2 @@ -26,6 +26,7 @@ CVE-2008-1078 VULNERABLE (am-utils) #437746 CVE-2008-0553 version (tkimg) [since tkimg-1.3-0.10.20080505svn.fc10] CVE-2008-0314 version (clamav, fixed 0.93) [since clamav-0.93-1.fc9] +CVE-2008-0166 ignore (openssl) Debian specific CVE-2007-6714 version (dbmail, fixed 2.2.9) [since dbmail-2.2.9-1.fc9] CVE-2007-6321 VULNERABLE (roundcubemail) #423301 CVE-2007-6318 VULNERABLE (wordpress) #426434 Index: f8 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/f8,v retrieving revision 1.219 retrieving revision 1.220 diff -u -r1.219 -r1.220 --- f8 13 May 2008 15:46:58 -0000 1.219 +++ f8 13 May 2008 16:32:22 -0000 1.220 @@ -247,6 +247,7 @@ CVE-2008-0191 ignore (wordpress) File path is not a sensitive information CVE-2008-0172 fixed (boost) #428975 [since FEDORA-2008-0754] CVE-2008-0171 fixed (boost) #428975 [since FEDORA-2008-0754] +CVE-2008-0166 ignore (openssl) Debian specific CVE-2008-0128 VULNERABLE (tomcat5) #429904 CVE-2008-0123 fixed (moodle) #428731 [since FEDORA-2008-0610] CVE-2008-0122 fixed (bind) #429149 [since FEDORA-2008-0904] Index: f9 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/f9,v retrieving revision 1.209 retrieving revision 1.210 diff -u -r1.209 -r1.210 --- f9 13 May 2008 15:46:58 -0000 1.209 +++ f9 13 May 2008 16:32:22 -0000 1.210 @@ -242,6 +242,7 @@ CVE-2008-0191 ignore (wordpress) File path is not a sensitive information CVE-2008-0172 backport (boost) #428976 [since boost-1.34.1-7.fc9] CVE-2008-0171 backport (boost) #428976 [since boost-1.34.1-7.fc9] +CVE-2008-0166 ignore (openssl) Debian specific CVE-2008-0128 version (tomcat5, fixed 5.5.21) #429905 CVE-2008-0123 fixed (moodle) #428731 [since moodle-1.8.4-1.fc9] CVE-2008-0122 backport (bind) #429534 [since bind-9.5.0-24.b1.fc9] Index: fc7 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc7,v retrieving revision 1.375 retrieving revision 1.376 diff -u -r1.375 -r1.376 --- fc7 13 May 2008 15:46:58 -0000 1.375 +++ fc7 13 May 2008 16:32:22 -0000 1.376 @@ -247,6 +247,7 @@ CVE-2008-0191 ignore (wordpress) File path is not a sensitive information CVE-2008-0172 fixed (boost) #428974 [since FEDORA-2008-0880] CVE-2008-0171 fixed (boost) #428974 [since FEDORA-2008-0880] +CVE-2008-0166 ignore (openssl) Debian specific CVE-2008-0128 VULNERABLE (tomcat5) #429903 CVE-2008-0123 fixed (moodle) #428731 [since FEDORA-2008-0610] CVE-2008-0122 fixed (bind) #429149 [since FEDORA-2008-0904] From fedora-security-commits at redhat.com Fri May 16 18:59:48 2008 From: fedora-security-commits at redhat.com (fedora-security-commits at redhat.com) Date: Fri, 16 May 2008 18:59:48 GMT Subject: [Fedora-security-commits] fedora-security/audit f10, 1.2, 1.3 f8, 1.220, 1.221 f9, 1.210, 1.211 fc7, 1.376, 1.377 Message-ID: <200805161859.m4GIxm5T007249@cvs-int.fedora.redhat.com> Author: thoger Update of /cvs/fedora/fedora-security/audit In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv7191/audit Modified Files: f10 f8 f9 fc7 Log Message: lots of issue from last 3 days Index: f10 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/f10,v retrieving revision 1.2 retrieving revision 1.3 diff -u -r1.2 -r1.3 --- f10 13 May 2008 16:32:22 -0000 1.2 +++ f10 16 May 2008 18:59:18 -0000 1.3 @@ -4,23 +4,34 @@ # *CVE are items that need verification for Fedora 10 # (mozilla) = (gecko-libs dependent stuff) +CVE-2008-2276 VULNERABLE (mantis) upstream fix in 1.2.0a1 seems useless +CVE-2008-2266 ignore (perl-Convert-UUlib) embedded uulib copy uses mkstemp +CVE-2008-2168 ignore (httpd) browser issue, not apache CVE-2008-2085 VULNERABLE (sipp) #446222 CVE-2008-2079 VULNERABLE (mysql, fixed 5.0.60) #445806 +CVE-2008-2004 VULNERABLE (xen) disables format autodetection by default [since xen-3.2.0-11.fc10] +CVE-2008-2004 VULNERABLE (qemu) fix mostly useless without libvirt changes +CVE-2008-2004 VULNERABLE (kvm) fix mostly useless without libvirt changes CVE-2008-1999 VULNERABLE (WebKit) +CVE-2008-1944 version (xen, fixed 3.2) +CVE-2008-1943 VULNERABLE (xen) [since xen-3.2.0-11.fc10] CVE-2008-1928 version (perl-Imager, fixed 0.64) [since perl-Imager-0.64-2.fc10] CVE-2008-1926 backport (util-linux-ng) [since util-linux-ng-2.13.1-8.1.fc9] CVE-2008-1836 version (clamav, fixed 0.93) [since clamav-0.93-1.fc9] -CVE-2008-1803 VULNERABLE (rdesktop) #445843 -CVE-2008-1802 VULNERABLE (rdesktop) #445843 -CVE-2008-1801 VULNERABLE (rdesktop) #445843 -CVE-2008-1771 VULNERABLE (mt-daapd) [since mt-daapd-0.9-0.2.1696.fc9] +CVE-2008-1803 version (rdesktop, fixed 1.6.0) [since rdesktop-1.6.0-1.fc10] +CVE-2008-1802 version (rdesktop, fixed 1.6.0) [since rdesktop-1.6.0-1.fc10] +CVE-2008-1801 version (rdesktop, fixed 1.6.0) [since rdesktop-1.6.0-1.fc10] +CVE-2008-1771 version (mt-daapd) [since mt-daapd-0.2.4.2-2.fc10] CVE-2008-1677 VULNERABLE (fedora-ds-base) #445810 CVE-2008-1531 backport (lighttpd) [since lighttpd-1.4.19-4.fc10] CVE-2008-1488 VULNERABLE (php-pecl-apc) #438848 +CVE-2008-1423 backport (libvorbis) #446344 [since libvorbis-1.2.0-4.fc10] +CVE-2008-1420 backport (libvorbis) #446344 [since libvorbis-1.2.0-4.fc10] +CVE-2008-1419 backport (libvorbis) #446344 [since libvorbis-1.2.0-4.fc10] CVE-2008-1387 version (clamav, fixed 0.93) [since clamav-0.93-1.fc9] CVE-2008-1382 VULNERABLE (libpng, fixed 1.2.27) minimal impact, affected api rarely used CVE-2008-1382 version (libpng10) [since libpng10-1.0.37-1.fc10] -CVE-2008-1360 VULNERABLE (nagios) #437852 +CVE-2008-1360 version (nagios) #437852 [since nagios-2.11-3.fc9] CVE-2008-1103 VULNERABLE (blender) not fixed upstream CVE-2008-1100 version (clamav, fixed 0.93) [since clamav-0.93-1.fc9] CVE-2008-1078 VULNERABLE (am-utils) #437746 @@ -30,8 +41,10 @@ CVE-2007-6714 version (dbmail, fixed 2.2.9) [since dbmail-2.2.9-1.fc9] CVE-2007-6321 VULNERABLE (roundcubemail) #423301 CVE-2007-6318 VULNERABLE (wordpress) #426434 +CVE-2007-6131 VULNERABLE (scanbuttond) CVE-2007-5907 VULNERABLE (xen) #390121 CVE-2007-5906 VULNERABLE (xen) #390121 +CVE-2007-5803 VULNERABLE (nagios, not fixed 2.11) #446383 CVE-2007-5079 VULNERABLE (gdm) #363041 Red Hat specific problem CVE-2007-4829 VULNERABLE (perl, not fixed upstream) #364291 perl-Archive-Tar directory traversal CVE-2007-4559 VULNERABLE (python, not fixed upstream) #315291 Upstream WONTFIX. See where we use the code. Index: f8 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/f8,v retrieving revision 1.220 retrieving revision 1.221 diff -u -r1.220 -r1.221 --- f8 13 May 2008 16:32:22 -0000 1.220 +++ f8 16 May 2008 18:59:18 -0000 1.221 @@ -6,8 +6,11 @@ rhbz293031 fixed (nx) #293031 [since FEDORA-2008-2258] rhbz249840 version (tor, fixed 0.1.2.15) +CVE-2008-2276 VULNERABLE (mantis) upstream fix in 1.2.0a1 seems useless +CVE-2008-2266 ignore (perl-Convert-UUlib) embedded uulib copy uses mkstemp +CVE-2008-2168 ignore (httpd) browser issue, not apache CVE-2008-2146 version (wordpress, fixed 2.2.3) -CVE-2008-2109 VULNERABLE (libid3tag) #445814 +CVE-2008-2109 fixed (libid3tag) #445814 [since FEDORA-2008-3976] CVE-2008-2105 fixed (bugzilla, fixed 3.0.4, 3.1.4) #445822 [since FEDORA-2008-3442] CVE-2008-2104 ignore (bugzilla, fixed 3.1.4) only affects 3.1.3, not in Fedora CVE-2008-2103 fixed (bugzilla, fixed 3.0.4, 3.1.4) #445822 [since FEDORA-2008-3442] @@ -15,12 +18,17 @@ CVE-2008-2079 VULNERABLE (mysql, fixed 5.0.60) #445805 CVE-2008-2068 version (wordpress, fixed 2.5.1) [since FEDORA-2008-3397] CVE-2008-2033 ignore (zoneminder) duplicate of CVE-2008-1381 +CVE-2008-2004 VULNERABLE (xen) disables format autodetection by default [since xen-3.1.2-3.fc8] +CVE-2008-2004 VULNERABLE (qemu) fix mostly useless without libvirt changes +CVE-2008-2004 VULNERABLE (kvm) fix mostly useless without libvirt changes CVE-2008-2000 ignore (WebKit) browser DoS CVE-2008-1999 VULNERABLE (WebKit) -CVE-2008-1996 VULNERABLE (licq, fixed 1.3.6) #445238 +CVE-2008-1996 fixed (licq, fixed 1.3.6) #445238 [since FEDORA-2008-3969] CVE-2008-1974 VULNERABLE (kronolith, fixed 3.1.8) #444404 [since FEDORA-2008-3543] CVE-2008-1964 ignore (xine-lib) bogus vulnerability report CVE-2008-1959 fixed (sipp, fixed 3.1) [since FEDORA-2008-3501] +CVE-2008-1944 VULNERABLE (xen, fixed 3.2) [since xen-3.1.2-3.fc8] +CVE-2008-1943 VULNERABLE (xen) [since xen-3.1.2-3.fc8] CVE-2008-1937 ignore (moin, fixed 1.6.3) 1.6.x only CVE-2008-1930 ignore (wordpress, fixed 2.5.1) [since wordpress-2.5.1-1.fc8] only for wp 2.5.0 CVE-2008-1928 fixed (perl-Imager, fixed 0.64) #443940 [since FEDORA-2008-3352] @@ -35,9 +43,9 @@ CVE-2008-1836 ignore (clamav, fixed 0.93) affected code introduced after 0.92.1 CVE-2008-1835 ignore (clamav, fixed 0.93) unrar code not shipped CVE-2008-1833 fixed (clamav, fixed 0.93-rc1) #442363 [since FEDORA-2008-3420] -CVE-2008-1803 VULNERABLE (rdesktop) #445842 -CVE-2008-1802 VULNERABLE (rdesktop) #445842 -CVE-2008-1801 VULNERABLE (rdesktop) #445842 +CVE-2008-1803 fixed (rdesktop, fixed 1.6.0) #445842 [since FEDORA-2008-3917] +CVE-2008-1802 fixed (rdesktop, fixed 1.6.0) #445842 [since FEDORA-2008-3917] +CVE-2008-1801 fixed (rdesktop, fixed 1.6.0) #445842 [since FEDORA-2008-3917] CVE-2008-1796 fixed (comix) [since FEDORA-2008-2981] CVE-2008-1729 ignore (drupal) 6.x only CVE-2008-1722 fixed (cups) #445802 [since FEDORA-2008-3586] @@ -75,11 +83,14 @@ CVE-2008-1474 fixed (roundup) #436547 [since FEDORA-2008-2370] CVE-2008-1468 fixed (namazu, fixed 2.0.18) #438667 [since FEDORA-2008-2767] CVE-2008-1467 fixed (centerim) #438871 [since FEDORA-2008-2869] +CVE-2008-1423 fixed (libvorbis) #446342 [since FEDORA-2008-3934] +CVE-2008-1420 fixed (libvorbis) #446342 [since FEDORA-2008-3934] +CVE-2008-1419 fixed (libvorbis) #446342 [since FEDORA-2008-3934] CVE-2008-1394 ignore (plone) CVE-2008-1390 fixed (asterisk, fixed 1.4.19-rc3) #438133 [since FEDORA-2008-2554] CVE-2008-1387 fixed (clamav, fixed 0.93) #442363 [since FEDORA-2008-3420] CVE-2008-1382 VULNERABLE (libpng, fixed 1.2.27) minimal impact, affected api rarely used -CVE-2008-1382 VULNERABLE (libpng10) [since libpng10-1.0.37-1.fc8] +CVE-2008-1382 VULNERABLE (libpng10) [since FEDORA-2008-3937] CVE-2008-1381 fixed (zoneminder, fixed 1.23.3) #444436 [since FEDORA-2008-3462] CVE-2008-1380 VULNERABLE (firefox, fixed 2.0.0.14) CVE-2008-1380 fixed (seamonkey, fixed 1.1.10) #442851 [since FEDORA-2008-3264] @@ -87,7 +98,7 @@ CVE-2008-1374 ignore (cups) only affects old cups versions in RHEL CVE-2008-1373 fixed (cups) #440040 [since FEDORA-2008-2131] CVE-2008-1372 fixed (bzip2, fixed 1.0.5) #439855 [since FEDORA-2008-2970] -CVE-2008-1360 VULNERABLE (nagios) #437850 +CVE-2008-1360 fixed (nagios, fixed 2.11) #437850 [since FEDORA-2008-3098] CVE-2008-1353 ignore (zabbix) #437848 Needs authorization CVE-2008-1333 ignore (asterisk) not affected CVE-2008-1332 fixed (asterisk, fixed 1.4.18.1) #438133 [since FEDORA-2008-2554] @@ -135,7 +146,7 @@ CVE-2008-1111 fixed (lighttpd) #435807 [since FEDORA-2008-2262] CVE-2008-1110 version (xine-lib, fixed 1.1.10) [since FEDORA-2008-1043] CVE-2008-1103 VULNERABLE (blender) not fixed upstream -CVE-2008-1102 VULNERABLE (blender) #443936 +CVE-2008-1102 fixed (blender) #443936 [since FEDORA-2008-3875] CVE-2008-1100 fixed (clamav, fixed 0.93) #442363 [since FEDORA-2008-3420] CVE-2008-1099 fixed (moin) #438673 [since FEDORA-2008-3301] CVE-2008-1098 fixed (moin) #438673 [since FEDORA-2008-3301] @@ -334,6 +345,7 @@ CVE-2007-6203 ignore (httpd) #409831 User can't unput garbage before method name CVE-2007-6201 version (wesnoth, fixed 1.2.8) [since FEDORA-2007-3989] CVE-2007-6183 backport (ruby-gnome2) #405601 [since FEDORA-2007-4216] +CVE-2007-6131 VULNERABLE (scanbuttond) CVE-2007-6121 version (wireshark, fixed 0.99.7) [since FEDORA-2007-4590] CVE-2007-6120 version (wireshark, fixed 0.99.7) [since FEDORA-2007-4590] CVE-2007-6119 version (wireshark, fixed 0.99.7) [since FEDORA-2007-4590] @@ -385,6 +397,7 @@ CVE-2007-5849 ignore (cups, fixed 1.3.5) minimal impact, see #415131 CVE-2007-5848 version (cups, fixed 1.2.0) CVE-2007-5846 version (net-snmp, fixed 5.4.1) +CVE-2007-5803 VULNERABLE (nagios, not fixed 2.11) #446381 CVE-2007-5795 backport (emacs) #367591 [since FEDORA-2007-2946] CVE-2007-5770 backport (ruby) #373391 [since FEDORA-2007-2812] CVE-2007-5760 fixed (xorg-x11-server, fixed 1.4.1) #429126 [since FEDORA-2008-0760] Index: f9 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/f9,v retrieving revision 1.210 retrieving revision 1.211 diff -u -r1.210 -r1.211 --- f9 13 May 2008 16:32:22 -0000 1.210 +++ f9 16 May 2008 18:59:18 -0000 1.211 @@ -5,6 +5,9 @@ # (mozilla) = (gecko-libs dependent stuff) rhbz249840 version (tor, fixed 0.1.2.15) +CVE-2008-2276 VULNERABLE (mantis) upstream fix in 1.2.0a1 seems useless +CVE-2008-2266 ignore (perl-Convert-UUlib) embedded uulib copy uses mkstemp +CVE-2008-2168 ignore (httpd) browser issue, not apache CVE-2008-2146 version (wordpress, fixed 2.2.3) CVE-2008-2109 fixed (libid3tag) #445815 [since FEDORA-2008-3757] CVE-2008-2105 fixed (bugzilla, fixed 3.0.4, 3.1.4) #445823 [since FEDORA-2008-3668] @@ -14,12 +17,17 @@ CVE-2008-2079 VULNERABLE (mysql, fixed 5.0.60) #445806 CVE-2008-2068 version (wordpress, fixed 2.5.1) [since wordpress-2.5.1-1.fc9] CVE-2008-2033 ignore (zoneminder) duplicate of CVE-2008-1381 +CVE-2008-2004 VULNERABLE (xen) disables format autodetection by default [since xen-3.2.0-11.fc9] +CVE-2008-2004 VULNERABLE (qemu) fix mostly useless without libvirt changes +CVE-2008-2004 VULNERABLE (kvm) fix mostly useless without libvirt changes CVE-2008-2000 ignore (WebKit) browser DoS CVE-2008-1999 VULNERABLE (WebKit) CVE-2008-1996 fixed (licq, fixed 1.3.6) #445239 [since FEDORA-2008-3812] CVE-2008-1974 ignore (kronolith, fixed 3.1.8) #444405 package removed from f9 and rawhide CVE-2008-1964 ignore (xine-lib) bogus vulnerability report CVE-2008-1959 fixed (sipp, fixed 3.1) [since FEDORA-2008-3690] +CVE-2008-1944 version (xen, fixed 3.2) +CVE-2008-1943 VULNERABLE (xen) [since xen-3.2.0-11.fc9] CVE-2008-1937 version (moin, fixed 1.6.3) [since moin-1.6.3-1.fc9] CVE-2008-1930 ignore (wordpress, fixed 2.5.1) only for wp 2.5.0 CVE-2008-1928 VULNERABLE (perl-Imager, fixed 0.64) #443941 @@ -30,15 +38,15 @@ CVE-2008-1878 backport (xine-lib, fixed 1.1.12.1) #443056 nsf demuxer overflow [since xine-lib-1.1.12-2.fc9] CVE-2008-1845 version (mksh, fixed 33d) [since mksh-33d-1.fc9] what is real impact on fedora? CVE-2008-1837 ignore (clamav, fixed 0.93) unrar code not shipped -CVE-2008-1836 VULNERABLE (clamav, fixed 0.93) #442364 [since clamav-0.93-1.fc9] +CVE-2008-1836 fixed (clamav, fixed 0.93) #442364 [since FEDORA-2008-3900] CVE-2008-1835 ignore (clamav, fixed 0.93) unrar code not shipped CVE-2008-1834 version (swfdec, fixed 0.6.4) [since swfdec-0.6.4-1.fc9] CVE-2008-1833 version (clamav, fixed 0.93-rc1) [since clamav-0.93-0.0.rc1.fc9] -CVE-2008-1803 VULNERABLE (rdesktop) #445843 -CVE-2008-1802 VULNERABLE (rdesktop) #445843 -CVE-2008-1801 VULNERABLE (rdesktop) #445843 +CVE-2008-1803 fixed (rdesktop, fixed 1.6.0) #445843 [since FEDORA-2008-3886] +CVE-2008-1802 fixed (rdesktop, fixed 1.6.0) #445843 [since FEDORA-2008-3886] +CVE-2008-1801 fixed (rdesktop, fixed 1.6.0) #445843 [since FEDORA-2008-3886] CVE-2008-1796 fixed (comix) [since comix-3.6.4-6.fc9] -CVE-2008-1771 VULNERABLE (mt-daapd) [since mt-daapd-0.9-0.2.1696.fc9] +CVE-2008-1771 VULNERABLE (mt-daapd) [since mt-daapd-0.2.4.2-2.fc9] CVE-2008-1729 version (drupal, fixed 6.2) [since drupal-6.2-1.fc9] CVE-2008-1722 fixed (cups) #445803 [since FEDORA-2008-3756] CVE-2008-1720 version (rsync, fixed 3.0.2) [since rsync-3.0.2-0.fc9] @@ -74,9 +82,12 @@ CVE-2008-1474 version (roundup) #436549 [since roundup-1.4.4-1.fc9] CVE-2008-1468 version (namazu, fixed 2.0.18) #438668 [since namazu-2.0.18-1.fc9] CVE-2008-1467 fixed (centerim) #438871 +CVE-2008-1423 fixed (libvorbis) #446343 [since FEDORA-2008-3910] +CVE-2008-1420 fixed (libvorbis) #446343 [since FEDORA-2008-3910] +CVE-2008-1419 fixed (libvorbis) #446343 [since FEDORA-2008-3910] CVE-2008-1394 ignore (plone) CVE-2008-1390 version (asterisk, fixed 1.6.0-beta6) #438134 [since asterisk-1.6.0-0.6.beta6.fc9] -CVE-2008-1387 VULNERABLE (clamav, fixed 0.93) #442364 [since clamav-0.93-1.fc9] +CVE-2008-1387 fixed (clamav, fixed 0.93) #442364 [since FEDORA-2008-3900] CVE-2008-1382 VULNERABLE (libpng, fixed 1.2.27) minimal impact, affected api rarely used CVE-2008-1382 VULNERABLE (libpng10) [since FEDORA-2008-3683] CVE-2008-1381 fixed (zoneminder, fixed 1.23.3) #444437 [since FEDORA-2008-3601] @@ -86,7 +97,7 @@ CVE-2008-1374 ignore (cups) only affects old cups versions in RHEL CVE-2008-1373 backport (cups) #440041 [since cups-1.3.6-9.fc9] CVE-2008-1372 version (bzip2, fixed 1.0.5) [since bzip2-1.0.5-1.fc9] -CVE-2008-1360 VULNERABLE (nagios) #437852 +CVE-2008-1360 version (nagios, fixed 2.11) #437852 [since nagios-2.11-3.fc9] CVE-2008-1353 ignore (zabbix) #437848 Needs authorization CVE-2008-1333 version (asterisk, fixed 1.6.0-beta6) #438134 [since asterisk-1.6.0-0.6.beta6.fc9] CVE-2008-1332 ignore (asterisk) not affected according to upstream advisory @@ -133,7 +144,7 @@ CVE-2008-1110 version (xine-lib, fixed 1.1.10) [since xine-lib-1.1.10-2.fc9] CVE-2008-1103 VULNERABLE (blender) not fixed upstream CVE-2008-1102 backport (blender) #443937 [since blender-2.45-12.fc9] -CVE-2008-1100 VULNERABLE (clamav, fixed 0.93) #442364 [since clamav-0.93-1.fc9] +CVE-2008-1100 fixed (clamav, fixed 0.93) #442364 [since FEDORA-2008-3900] CVE-2008-1099 version (moin, fixed 1.5.9) #438674 CVE-2008-1098 version (moin, fixed 1.5.9) #438674 CVE-2008-1078 ignore (am-utils) minimal impact @@ -223,7 +234,7 @@ CVE-2008-0364 ignore (bittorrent) Windows only CVE-2008-0320 version (openoffice.org, fixed 2.4) CVE-2008-0318 fixed (clamav, fixed 0.92.1) -CVE-2008-0314 VULNERABLE (clamav, fixed 0.93) #442364 [since clamav-0.93-1.fc9] +CVE-2008-0314 fixed (clamav, fixed 0.93) #442364 [since FEDORA-2008-3900] CVE-2008-0304 version (seamonkey, fixed 1.1.8) [since seamonkey-1.1.8-3.fc9] CVE-2008-0304 version (thuderbird, fixed 2.0.0.12) [since thunderbird-2.0.0.12-1.fc9] CVE-2008-0299 fixed (python-paramiko) #428730 [since python-paramiko-1.7.1-3.fc9] @@ -329,6 +340,7 @@ CVE-2007-6203 ignore (httpd) #409831 User can't unput garbage before method name CVE-2007-6201 version (wesnoth, fixed 1.2.8) [since wesnoth-1.2.8-3.fc9] CVE-2007-6183 backport (ruby-gnome2) #405611 [since ruby-gnome2-0.16.0-22.fc9] +CVE-2007-6131 VULNERABLE (scanbuttond) CVE-2007-6121 version (wireshark, fixed 0.99.7) [since wireshark-0.99.7-1.fc9] CVE-2007-6120 version (wireshark, fixed 0.99.7) [since wireshark-0.99.7-1.fc9] CVE-2007-6119 version (wireshark, fixed 0.99.7) [since wireshark-0.99.7-1.fc9] @@ -379,6 +391,7 @@ CVE-2007-5849 version (cups, fixed 1.3.5) [since cups-1.3.5-1.fc9] CVE-2007-5848 version (cups, fixed 1.2.0) CVE-2007-5846 version (net-snmp, fixed 5.4.1) +CVE-2007-5803 VULNERABLE (nagios, not fixed 2.11) #446382 CVE-2007-5795 backport (emacs) #367601 [since emacs-22.1-8.fc9] CVE-2007-5770 backport (ruby) #373401 [since ruby-1.8.6.111-1] CVE-2007-5760 backport (xorg-x11-server, fixed 1.4.1) #429127 [since xorg-x11-server-1.4.99.1-0.17.20080107.fc9] Index: fc7 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc7,v retrieving revision 1.376 retrieving revision 1.377 diff -u -r1.376 -r1.377 --- fc7 13 May 2008 16:32:22 -0000 1.376 +++ fc7 16 May 2008 18:59:18 -0000 1.377 @@ -7,8 +7,11 @@ rhbz293031 fixed (nx) #293031 [since FEDORA-2008-2258] rhbz249840 version (tor, fixed 0.1.2.15) #249840 [since FEDORA-2007-1674] +CVE-2008-2276 VULNERABLE (mantis) upstream fix in 1.2.0a1 seems useless +CVE-2008-2266 ignore (perl-Convert-UUlib) embedded uulib copy uses mkstemp +CVE-2008-2168 ignore (httpd) browser issue, not apache CVE-2008-2146 version (wordpress, fixed 2.2.3) -CVE-2008-2109 VULNERABLE (libid3tag) #445813 +CVE-2008-2109 fixed (libid3tag) #445813 [since FEDORA-2008-3874] CVE-2008-2105 fixed (bugzilla, fixed 3.0.4, 3.1.4) #445821 [since FEDORA-2008-3488] CVE-2008-2104 ignore (bugzilla, fixed 3.1.4) only affects 3.1.3, not in Fedora CVE-2008-2103 fixed (bugzilla, fixed 3.0.4, 3.1.4) #445821 [since FEDORA-2008-3488] @@ -16,15 +19,20 @@ CVE-2008-2079 VULNERABLE (mysql, fixed 5.0.60) #445804 CVE-2008-2068 version (wordpress, fixed 2.5.1) [since FEDORA-2008-3319] CVE-2008-2033 ignore (zoneminder) duplicate of CVE-2008-1381 +CVE-2008-2004 VULNERABLE (xen) disables format autodetection by default [since xen-3.1.2-3.fc7] +CVE-2008-2004 VULNERABLE (qemu) fix mostly useless without libvirt changes +CVE-2008-2004 VULNERABLE (kvm) fix mostly useless without libvirt changes CVE-2008-2000 ignore (WebKit) browser DoS CVE-2008-1999 VULNERABLE (WebKit) -CVE-2008-1996 VULNERABLE (licq, fixed 1.3.6) #445237 +CVE-2008-1996 fixed (licq, fixed 1.3.6) #445237 [since FEDORA-2008-3909] CVE-2008-1974 VULNERABLE (kronolith, fixed 3.1.8) #444403 [since FEDORA-2008-3460] CVE-2008-1964 ignore (xine-lib) bogus vulnerability report CVE-2008-1959 fixed (sipp, fixed 3.1) [since FEDORA-2008-3508] +CVE-2008-1944 VULNERABLE (xen, fixed 3.2) [since xen-3.1.2-3.fc7] +CVE-2008-1943 VULNERABLE (xen) [since xen-3.1.2-3.fc7] CVE-2008-1937 ignore (moin, fixed 1.6.3) 1.6.x only CVE-2008-1930 ignore (wordpress, fixed 2.5.1) [since wordpress-2.5.1-1.fc7] only for wp 2.5.0 -CVE-2008-1928 VULNERABLE (perl-Imager, fixed 0.64) #443939 +CVE-2008-1928 fixed (perl-Imager, fixed 0.64) #443939 [since FEDORA-2008-3920] CVE-2008-1927 fixed (perl) [since FEDORA-2008-3399] CVE-2008-1926 VULNERABLE (util-linux) CVE-2008-1924 VULNERABLE (phpMyAdmin, fixed 2.11.5.2) [since phpMyAdmin-2.11.5.2-1.fc7] PMASA-2008-3 @@ -36,9 +44,9 @@ CVE-2008-1836 ignore (clamav, fixed 0.93) affected code introduced after 0.92.1 CVE-2008-1835 ignore (clamav, fixed 0.93) unrar code not shipped CVE-2008-1833 fixed (clamav, fixed 0.93-rc1) #442362 [since FEDORA-2008-3358] -CVE-2008-1803 VULNERABLE (rdesktop) #445841 -CVE-2008-1802 VULNERABLE (rdesktop) #445841 -CVE-2008-1801 VULNERABLE (rdesktop) #445841 +CVE-2008-1803 fixed (rdesktop, fixed 1.6.0) #445841 [since FEDORA-2008-3985] +CVE-2008-1802 fixed (rdesktop, fixed 1.6.0) #445841 [since FEDORA-2008-3985] +CVE-2008-1801 fixed (rdesktop, fixed 1.6.0) #445841 [since FEDORA-2008-3985] CVE-2008-1796 fixed (comix) [since FEDORA-2008-2993] CVE-2008-1729 ignore (drupal) 6.x only CVE-2008-1722 fixed (cups) #445801 [since FEDORA-2008-3449] @@ -76,6 +84,9 @@ CVE-2008-1474 fixed (roundup) #436548 [since FEDORA-2008-2471] CVE-2008-1468 fixed (namazu, fixed 2.0.18) #438666 [since FEDORA-2008-2678] CVE-2008-1467 fixed (centerim) #438871 [since FEDORA-2008-2869] +CVE-2008-1423 fixed (libvorbis) #446341 [since FEDORA-2008-3898] +CVE-2008-1420 fixed (libvorbis) #446341 [since FEDORA-2008-3898] +CVE-2008-1419 fixed (libvorbis) #446341 [since FEDORA-2008-3898] CVE-2008-1394 ignore (plone) CVE-2008-1390 fixed (asterisk, fixed 1.4.19-rc3) #438132 [since FEDORA-2008-2620] CVE-2008-1387 fixed (clamav, fixed 0.93) #442362 [since FEDORA-2008-3358] @@ -88,7 +99,7 @@ CVE-2008-1374 ignore (cups) only affects old cups versions in RHEL CVE-2008-1373 fixed (cups) #440042 [since FEDORA-2008-2897] CVE-2008-1372 fixed (bzip2, fixed 1.0.5) #439855 [since FEDORA-2008-2970] -CVE-2008-1360 VULNERABLE (nagios) #437851 +CVE-2008-1360 VULNERABLE (nagios, fixed 2.11) #437851 CVE-2008-1353 ignore (zabbix) #437848 Needs authorization CVE-2008-1333 ignore (asterisk) not affected CVE-2008-1332 fixed (asterisk, fixed 1.4.18.1) #438132 [since FEDORA-2008-2620] @@ -136,7 +147,7 @@ CVE-2008-1111 fixed (lighttpd) #435808 [since FEDORA-2008-2278] CVE-2008-1110 version (xine-lib, fixed 1.1.10) [since FEDORA-2008-1047] CVE-2008-1103 VULNERABLE (blender) not fixed upstream -CVE-2008-1102 VULNERABLE (blender) #443935 +CVE-2008-1102 fixed (blender) #443935 [since FEDORA-2008-3862] CVE-2008-1100 fixed (clamav, fixed 0.93) #442362 [since FEDORA-2008-3358] CVE-2008-1099 fixed (moin) #438672 [since FEDORA-2008-3328] CVE-2008-1098 fixed (moin) #438672 [since FEDORA-2008-3328] @@ -333,6 +344,7 @@ CVE-2007-6203 ignore (httpd) #409831 User can't unput garbage before method name CVE-2007-6201 version (wesnoth, fixed 1.2.8) [since FEDORA-2007-3986] CVE-2007-6183 version (ruby-gnome2) #405591 [since FEDORA-2007-4229] +CVE-2007-6131 VULNERABLE (scanbuttond) CVE-2007-6121 version (wireshark, fixed 0.99.7) [since FEDORA-2007-4690] CVE-2007-6120 version (wireshark, fixed 0.99.7) [since FEDORA-2007-4690] CVE-2007-6119 version (wireshark, fixed 0.99.7) [since FEDORA-2007-4690] @@ -384,6 +396,7 @@ CVE-2007-5849 ignore (cups, fixed 1.3.5) minimal impact, see #415131 CVE-2007-5848 version (cups, fixed 1.2.0) CVE-2007-5846 backport (net-snmp) [since FEDORA-2007-3019] +CVE-2007-5803 VULNERABLE (nagios, not fixed 2.11) #437851 CVE-2007-5795 backport (emacs) #367581 [since FEDORA-2007-3056] CVE-2007-5770 backport (ruby) #373381 [since FEDORA-2007-2685] CVE-2007-5760 fixed (xorg-x11-server, fixed 1.4.1) #429125 [since FEDORA-2008-0831] From fedora-security-commits at redhat.com Mon May 26 09:00:06 2008 From: fedora-security-commits at redhat.com (fedora-security-commits at redhat.com) Date: Mon, 26 May 2008 09:00:06 GMT Subject: [Fedora-security-commits] fedora-security/tools/scripts add-issue, 1.7, 1.8 Message-ID: <200805260900.m4Q906Gx004402@cvs-int.fedora.redhat.com> Author: thoger Update of /cvs/fedora/fedora-security/tools/scripts In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv4367/tools/scripts Modified Files: add-issue Log Message: handle --since as mutli-value option, same as --bugs Index: add-issue =================================================================== RCS file: /cvs/fedora/fedora-security/tools/scripts/add-issue,v retrieving revision 1.7 retrieving revision 1.8 diff -u -r1.7 -r1.8 --- add-issue 13 May 2008 15:56:20 -0000 1.7 +++ add-issue 26 May 2008 08:59:36 -0000 1.8 @@ -7,13 +7,13 @@ # XXX: debug, dryrun my $usage = 'add-issue [options...] --versions=[,...] Affected Fedora versions - --bugs=[,...]] Tracking bugs for respective versions + --bugs=[,...] Tracking bugs for respective versions --need_verif Needs verification (**) --cve= CVE name --status= Either "fixed" or "ignore" or implied "VULNERABLE" --component= Affected package, to find owner to CC (mandatory) --fixed= "fixed ..." or "not fixed ..." - --since= Fedora update or NVR this was fixed in + --since=[,...] Fedora update or NVR this was fixed in --comment= Free-form comment string '; @@ -32,7 +32,7 @@ # Command line options my (@versions, @bugs, $need_verif, $cve, $status, $component, - $fixed, $since, $comment); + $fixed, @since, $comment); # Parse command line options @@ -63,12 +63,15 @@ ? split (/,/, $options{bugs}) : (); + at since = $options{since} + ? split (/,/, $options{since}) + : (); + $need_verif = ($options{need_verif} ? '**' : ''); $cve = ($options{cve} or 'GENERIC-MAP-NOMATCH'); $status = ($options{status} or 'VULNERABLE'); $component = ($options{component}) or die 'component argument is mandatory'; $fixed = ($options{fixed} or ''); -$since = ($options{since} or ''); $comment = ($options{comment} or ''); # Add a line for each version @@ -81,7 +84,7 @@ component => $component, fixed => $fixed, bug => shift @bugs, - since => $since, + since => shift @since, comment => $comment, }; From fedora-security-commits at redhat.com Fri May 30 15:18:56 2008 From: fedora-security-commits at redhat.com (fedora-security-commits at redhat.com) Date: Fri, 30 May 2008 15:18:56 GMT Subject: [Fedora-security-commits] fedora-security/audit f10, 1.3, 1.4 f8, 1.221, 1.222 f9, 1.211, 1.212 fc7, 1.377, 1.378 Message-ID: <200805301518.m4UFIuqm014189@cvs-int.fedora.redhat.com> Author: thoger Update of /cvs/fedora/fedora-security/audit In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv14130/audit Modified Files: f10 f8 f9 fc7 Log Message: lots of stuff from last 2 weeks Index: f10 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/f10,v retrieving revision 1.3 retrieving revision 1.4 diff -u -r1.3 -r1.4 --- f10 16 May 2008 18:59:18 -0000 1.3 +++ f10 30 May 2008 15:18:25 -0000 1.4 @@ -4,25 +4,38 @@ # *CVE are items that need verification for Fedora 10 # (mozilla) = (gecko-libs dependent stuff) +CVE-2008-2426 backport (imlib2) [since imlib2-1.4.0-7.fc10] +CVE-2008-2420 version (stunnel, fixed 4.24) [since stunnel-4.24-2] +CVE-2008-2392 ignore (wordpress) issue only in certain deployments, not affected by default +CVE-2008-2359 ignore (system-config-network) F8 specific issue +CVE-2008-2357 fixed (mtr, fixed 0.73) +CVE-2008-2302 version (Django, fixed 0.96.2) #447260 [since Django-0.96.2-1.fc10] CVE-2008-2276 VULNERABLE (mantis) upstream fix in 1.2.0a1 seems useless CVE-2008-2266 ignore (perl-Convert-UUlib) embedded uulib copy uses mkstemp CVE-2008-2168 ignore (httpd) browser issue, not apache CVE-2008-2085 VULNERABLE (sipp) #446222 -CVE-2008-2079 VULNERABLE (mysql, fixed 5.0.60) #445806 +CVE-2008-2079 VULNERABLE (mysql, fixed 5.0.60) #445804 CVE-2008-2004 VULNERABLE (xen) disables format autodetection by default [since xen-3.2.0-11.fc10] CVE-2008-2004 VULNERABLE (qemu) fix mostly useless without libvirt changes CVE-2008-2004 VULNERABLE (kvm) fix mostly useless without libvirt changes CVE-2008-1999 VULNERABLE (WebKit) +CVE-2008-1950 backport (gnutls, fixed 2.2.4) #447512 [since gnutls-2.0.4-3.fc10] +CVE-2008-1949 backport (gnutls, fixed 2.2.4) #447512 [since gnutls-2.0.4-3.fc10] +CVE-2008-1948 backport (gnutls, fixed 2.2.4) #447512 [since gnutls-2.0.4-3.fc10] CVE-2008-1944 version (xen, fixed 3.2) CVE-2008-1943 VULNERABLE (xen) [since xen-3.2.0-11.fc10] CVE-2008-1928 version (perl-Imager, fixed 0.64) [since perl-Imager-0.64-2.fc10] CVE-2008-1926 backport (util-linux-ng) [since util-linux-ng-2.13.1-8.1.fc9] CVE-2008-1836 version (clamav, fixed 0.93) [since clamav-0.93-1.fc9] +CVE-2008-1804 version (snort, fixed 2.8.1) [since snort-2.8.1-3.fc10] CVE-2008-1803 version (rdesktop, fixed 1.6.0) [since rdesktop-1.6.0-1.fc10] CVE-2008-1802 version (rdesktop, fixed 1.6.0) [since rdesktop-1.6.0-1.fc10] CVE-2008-1801 version (rdesktop, fixed 1.6.0) [since rdesktop-1.6.0-1.fc10] CVE-2008-1771 version (mt-daapd) [since mt-daapd-0.2.4.2-2.fc10] +CVE-2008-1767 version (libxslt, fixed 1.1.24) [since libxslt-1.1.24-1.fc10] +CVE-2008-1678 VULNERABLE (httpd) #447312 only affects systems with openssl >= 0.9.8e CVE-2008-1677 VULNERABLE (fedora-ds-base) #445810 +CVE-2008-1672 backport (openssl, fixed 0.9.8h) #448691 [since openssl-0.9.8g-9.fc10] CVE-2008-1531 backport (lighttpd) [since lighttpd-1.4.19-4.fc10] CVE-2008-1488 VULNERABLE (php-pecl-apc) #438848 CVE-2008-1423 backport (libvorbis) #446344 [since libvorbis-1.2.0-4.fc10] @@ -32,9 +45,11 @@ CVE-2008-1382 VULNERABLE (libpng, fixed 1.2.27) minimal impact, affected api rarely used CVE-2008-1382 version (libpng10) [since libpng10-1.0.37-1.fc10] CVE-2008-1360 version (nagios) #437852 [since nagios-2.11-3.fc9] +CVE-2008-1105 VULNERABLE (samba, fixed 3.0.30) CVE-2008-1103 VULNERABLE (blender) not fixed upstream CVE-2008-1100 version (clamav, fixed 0.93) [since clamav-0.93-1.fc9] -CVE-2008-1078 VULNERABLE (am-utils) #437746 +CVE-2008-1078 backport (am-utils) #437746 [since am-utils-6.1.5-10.fc10] +CVE-2008-0891 backport (openssl, fixed 0.9.8h) #448691 [since openssl-0.9.8g-9.fc10] CVE-2008-0553 version (tkimg) [since tkimg-1.3-0.10.20080505svn.fc10] CVE-2008-0314 version (clamav, fixed 0.93) [since clamav-0.93-1.fc9] CVE-2008-0166 ignore (openssl) Debian specific @@ -42,11 +57,15 @@ CVE-2007-6321 VULNERABLE (roundcubemail) #423301 CVE-2007-6318 VULNERABLE (wordpress) #426434 CVE-2007-6131 VULNERABLE (scanbuttond) +CVE-2007-5962 fixed (vsftpd) [since vsftpd-2.0.6-4.fc10] CVE-2007-5907 VULNERABLE (xen) #390121 CVE-2007-5906 VULNERABLE (xen) #390121 CVE-2007-5803 VULNERABLE (nagios, not fixed 2.11) #446383 CVE-2007-5079 VULNERABLE (gdm) #363041 Red Hat specific problem CVE-2007-4829 VULNERABLE (perl, not fixed upstream) #364291 perl-Archive-Tar directory traversal CVE-2007-4559 VULNERABLE (python, not fixed upstream) #315291 Upstream WONTFIX. See where we use the code. +CVE-2007-1320 VULNERABLE (qemu) +CVE-2007-1320 VULNERABLE (kvm) +CVE-2006-6698 fixed (GConf2) CVE-2006-1390 VULNERABLE (nethack) bz#187353, but requires other access to games group Index: f8 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/f8,v retrieving revision 1.221 retrieving revision 1.222 diff -u -r1.221 -r1.222 --- f8 16 May 2008 18:59:18 -0000 1.221 +++ f8 30 May 2008 15:18:25 -0000 1.222 @@ -6,6 +6,12 @@ rhbz293031 fixed (nx) #293031 [since FEDORA-2008-2258] rhbz249840 version (tor, fixed 0.1.2.15) +CVE-2008-2426 VULNERABLE (imlib2) [since imlib2-1.4.0-7.fc8] +CVE-2008-2420 fixed (stunnel, fixed 4.24) [since FEDORA-2008-4579] +CVE-2008-2392 ignore (wordpress) issue only in certain deployments, not affected by default +CVE-2008-2359 fixed (system-config-network) [since FEDORA-2008-4633] +CVE-2008-2357 fixed (mtr, fixed 0.73) +CVE-2008-2302 fixed (Django, fixed 0.96.2) #447258 [since FEDORA-2008-4248] CVE-2008-2276 VULNERABLE (mantis) upstream fix in 1.2.0a1 seems useless CVE-2008-2266 ignore (perl-Convert-UUlib) embedded uulib copy uses mkstemp CVE-2008-2168 ignore (httpd) browser issue, not apache @@ -27,6 +33,9 @@ CVE-2008-1974 VULNERABLE (kronolith, fixed 3.1.8) #444404 [since FEDORA-2008-3543] CVE-2008-1964 ignore (xine-lib) bogus vulnerability report CVE-2008-1959 fixed (sipp, fixed 3.1) [since FEDORA-2008-3501] +CVE-2008-1950 fixed (gnutls, fixed 2.2.4) #447510 [since FEDORA-2008-4183] +CVE-2008-1949 fixed (gnutls, fixed 2.2.4) #447510 [since FEDORA-2008-4183] +CVE-2008-1948 fixed (gnutls, fixed 2.2.4) #447510 [since FEDORA-2008-4183] CVE-2008-1944 VULNERABLE (xen, fixed 3.2) [since xen-3.1.2-3.fc8] CVE-2008-1943 VULNERABLE (xen) [since xen-3.1.2-3.fc8] CVE-2008-1937 ignore (moin, fixed 1.6.3) 1.6.x only @@ -34,7 +43,7 @@ CVE-2008-1928 fixed (perl-Imager, fixed 0.64) #443940 [since FEDORA-2008-3352] CVE-2008-1927 fixed (perl) [since FEDORA-2008-3392] CVE-2008-1926 fixed (util-linux-ng) [since FEDORA-2008-3419] -CVE-2008-1924 VULNERABLE (phpMyAdmin, fixed 2.11.5.2) [since phpMyAdmin-2.11.5.2-1.fc8] PMASA-2008-3 +CVE-2008-1924 version (phpMyAdmin, fixed 2.11.5.2) [since FEDORA-2008-3461] PMASA-2008-3 CVE-2008-1923 version (asterisk) upstream fix incomplete, resulting in CVE-2008-1897 CVE-2008-1897 fixed (asterisk, fixed 1.4.19.1) [since FEDORA-2008-3390] CVE-2008-1878 fixed (xine-lib, fixed 1.1.12.1) #443055 [since FEDORA-2008-3353] nsf demuxer overflow @@ -43,10 +52,12 @@ CVE-2008-1836 ignore (clamav, fixed 0.93) affected code introduced after 0.92.1 CVE-2008-1835 ignore (clamav, fixed 0.93) unrar code not shipped CVE-2008-1833 fixed (clamav, fixed 0.93-rc1) #442363 [since FEDORA-2008-3420] +CVE-2008-1804 VULNERABLE (snort, fixed 2.8.1) CVE-2008-1803 fixed (rdesktop, fixed 1.6.0) #445842 [since FEDORA-2008-3917] CVE-2008-1802 fixed (rdesktop, fixed 1.6.0) #445842 [since FEDORA-2008-3917] CVE-2008-1801 fixed (rdesktop, fixed 1.6.0) #445842 [since FEDORA-2008-3917] CVE-2008-1796 fixed (comix) [since FEDORA-2008-2981] +CVE-2008-1767 version (libxslt, fixed 1.1.24) [since libxslt-1.1.24-1.fc8] CVE-2008-1729 ignore (drupal) 6.x only CVE-2008-1722 fixed (cups) #445802 [since FEDORA-2008-3586] CVE-2008-1720 fixed (rsync, fixed 3.0.2) #441690 [since FEDORA-2008-3047] @@ -58,7 +69,9 @@ CVE-2008-1687 ignore (m4, fixed 1.4.11) not really a security issue CVE-2008-1686 fixed (libfishsound, fixed 0.9.1) #441247 [since FEDORA-2008-3059] CVE-2008-1686 fixed (speex) #442572 [since FEDORA-2008-3103] +CVE-2008-1678 ignore (httpd) only affects systems with openssl >= 0.9.8e CVE-2008-1677 VULNERABLE (fedora-ds-base) #445809 +CVE-2008-1672 ignore (openssl, fixed 0.9.8h) not affected CVE-2008-1671 ignore (kdelibs) start_kdeinit not setuid CVE-2008-1670 ignore (kdelibs) kdelibs 4.x only CVE-2008-1670 fixed (kdelibs4) #444399 [since FEDORA-2008-3412] kdelibs 4.x only @@ -90,7 +103,7 @@ CVE-2008-1390 fixed (asterisk, fixed 1.4.19-rc3) #438133 [since FEDORA-2008-2554] CVE-2008-1387 fixed (clamav, fixed 0.93) #442363 [since FEDORA-2008-3420] CVE-2008-1382 VULNERABLE (libpng, fixed 1.2.27) minimal impact, affected api rarely used -CVE-2008-1382 VULNERABLE (libpng10) [since FEDORA-2008-3937] +CVE-2008-1382 fixed (libpng10) [since FEDORA-2008-3937] CVE-2008-1381 fixed (zoneminder, fixed 1.23.3) #444436 [since FEDORA-2008-3462] CVE-2008-1380 VULNERABLE (firefox, fixed 2.0.0.14) CVE-2008-1380 fixed (seamonkey, fixed 1.1.10) #442851 [since FEDORA-2008-3264] @@ -145,6 +158,7 @@ CVE-2008-1131 ignore (drupal) #435816 drupal 6.x only CVE-2008-1111 fixed (lighttpd) #435807 [since FEDORA-2008-2262] CVE-2008-1110 version (xine-lib, fixed 1.1.10) [since FEDORA-2008-1043] +CVE-2008-1105 VULNERABLE (samba, fixed 3.0.30) [since samba-3.0.30-0.fc8] CVE-2008-1103 VULNERABLE (blender) not fixed upstream CVE-2008-1102 fixed (blender) #443936 [since FEDORA-2008-3875] CVE-2008-1100 fixed (clamav, fixed 0.93) #442363 [since FEDORA-2008-3420] @@ -167,6 +181,7 @@ CVE-2008-0928 fixed (qemu) #433561 [since FEDORA-2008-2001] CVE-2008-0928 fixed (kvm) #433564 [since FEDORA-2008-1973] CVE-2008-0928 fixed (xen) #434639 [since FEDORA-2008-2057] +CVE-2008-0891 ignore (openssl, fixed 0.9.8h) not affected CVE-2008-0888 ignore (unzip) caught by glibc malloc checks CVE-2008-0887 fixed (gnome-screensaver) #440256 [since FEDORA-2008-3017] CVE-2008-0882 fixed (cups, fixed 1.3.6) #433803 [since FEDORA-2008-1901] @@ -377,6 +392,7 @@ CVE-2007-5965 version (qt4, fixed 4.3.3) [since FEDORA-2007-4285] CVE-2007-5964 backport (autofs) #409701 [since FEDORA-2007-4532] CVE-2007-5963 backport (kdebase) [since FEDORA-2008-1283] +CVE-2007-5962 fixed (vsftpd) [since FEDORA-2008-4347] CVE-2007-5960 version (mozilla, fixed ff 2.0.0.10, sm 1.1.7) [since FEDORA-2007-3962] CVE-2007-5959 version (mozilla, fixed ff 2.0.0.10, sm 1.1.7) [since FEDORA-2007-3962] CVE-2007-5958 fixed (xorg-x11-server, fixed 1.4.1) #429126 [since FEDORA-2008-0760] @@ -418,6 +434,8 @@ CVE-2007-5501 version (kernel) [since FEDORA-2007-3837] CVE-2007-5500 version (kernel) [since FEDORA-2007-3837] CVE-2007-5497 fixed (e2fsprogs) #414581 [since FEDORA-2007-4447] +CVE-2007-5496 version (setroubleshoot, fixed 2.0) +CVE-2007-5495 version (setroubleshoot, fixed 1.9.4) CVE-2007-5461 version (tomcat5) #363001 [since FEDORA-2007-3474] CVE-2007-5398 version (samba) [since FEDORA-2007-3403] CVE-2007-5395 version (link-grammar) #372351 [since FEDORA-2007-3235] @@ -506,6 +524,8 @@ CVE-2007-1355 version (tomcat5) [since FEDORA-2007-3474] CVE-2007-1352 version (libXfont, fixed 1.2.8) #235265 CVE-2007-1351 version (libXfont, fixed 1.2.8) #235265 +CVE-2007-1320 VULNERABLE (qemu) +CVE-2007-1320 fixed (kvm) #448524 [since FEDORA-2008-4604] CVE-2007-1103 ignore (tor) #230927 CANTFIX really CVE-2007-1004 version (mozilla) https://bugzilla.mozilla.org/show_bug.cgi?id=402060 CVE-2007-1003 version (xorg-x11-server, fixed 1.2.1) #235263 @@ -517,6 +537,7 @@ CVE-2007-0095 backport (phpMyAdmin) #221694 "Reveals path" [since FEDORA-2007-4334] CVE-2006-7232 version (mysql, fixed 5.0.32) CVE-2006-6698 ignore (GConf2) #219280 minimal impact +CVE-2006-6698 fixed (GConf2) CVE-2006-6128 version (kernel, fixed 2.6.19-1.2911.fc6) #250625 ReiserFS MOKB CVE-2006-6107 version (dbus, fixed 1.0.2) #219665 CVE-2006-6077 version (firefox, fixed 1.5.0.10) Index: f9 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/f9,v retrieving revision 1.211 retrieving revision 1.212 diff -u -r1.211 -r1.212 --- f9 16 May 2008 18:59:18 -0000 1.211 +++ f9 30 May 2008 15:18:25 -0000 1.212 @@ -5,6 +5,12 @@ # (mozilla) = (gecko-libs dependent stuff) rhbz249840 version (tor, fixed 0.1.2.15) +CVE-2008-2426 VULNERABLE (imlib2) [since imlib2-1.4.0-7.fc9] +CVE-2008-2420 fixed (stunnel, fixed 4.24) [since FEDORA-2008-4531] +CVE-2008-2392 ignore (wordpress) issue only in certain deployments, not affected by default +CVE-2008-2359 ignore (system-config-network) F8 specific issue +CVE-2008-2357 fixed (mtr, fixed 0.73) +CVE-2008-2302 fixed (Django, fixed 0.96.2) #447259 [since FEDORA-2008-4267] CVE-2008-2276 VULNERABLE (mantis) upstream fix in 1.2.0a1 seems useless CVE-2008-2266 ignore (perl-Convert-UUlib) embedded uulib copy uses mkstemp CVE-2008-2168 ignore (httpd) browser issue, not apache @@ -26,11 +32,15 @@ CVE-2008-1974 ignore (kronolith, fixed 3.1.8) #444405 package removed from f9 and rawhide CVE-2008-1964 ignore (xine-lib) bogus vulnerability report CVE-2008-1959 fixed (sipp, fixed 3.1) [since FEDORA-2008-3690] +CVE-2008-1950 fixed (gnutls, fixed 2.2.4) #447511 [since FEDORA-2008-4259] +CVE-2008-1949 fixed (gnutls, fixed 2.2.4) #447511 [since FEDORA-2008-4259] +CVE-2008-1948 fixed (gnutls, fixed 2.2.4) #447511 [since FEDORA-2008-4259] CVE-2008-1944 version (xen, fixed 3.2) CVE-2008-1943 VULNERABLE (xen) [since xen-3.2.0-11.fc9] CVE-2008-1937 version (moin, fixed 1.6.3) [since moin-1.6.3-1.fc9] CVE-2008-1930 ignore (wordpress, fixed 2.5.1) only for wp 2.5.0 -CVE-2008-1928 VULNERABLE (perl-Imager, fixed 0.64) #443941 +CVE-2008-1928 fixed (perl-Imager, fixed 0.64) #443941 [since FEDORA-2008-4003] +CVE-2008-1927 fixed (perl, fixed 5.10) CVE-2008-1926 VULNERABLE (util-linux-ng) [since util-linux-ng-2.13.1-8.1.fc9] CVE-2008-1924 version (phpMyAdmin, fixed 2.11.5.2) [since phpMyAdmin-2.11.5.2-1.fc9] PMASA-2008-3 CVE-2008-1923 version (asterisk) upstream fix incomplete, resulting in CVE-2008-1897 @@ -42,11 +52,13 @@ CVE-2008-1835 ignore (clamav, fixed 0.93) unrar code not shipped CVE-2008-1834 version (swfdec, fixed 0.6.4) [since swfdec-0.6.4-1.fc9] CVE-2008-1833 version (clamav, fixed 0.93-rc1) [since clamav-0.93-0.0.rc1.fc9] +CVE-2008-1804 VULNERABLE (snort, fixed 2.8.1) CVE-2008-1803 fixed (rdesktop, fixed 1.6.0) #445843 [since FEDORA-2008-3886] CVE-2008-1802 fixed (rdesktop, fixed 1.6.0) #445843 [since FEDORA-2008-3886] CVE-2008-1801 fixed (rdesktop, fixed 1.6.0) #445843 [since FEDORA-2008-3886] CVE-2008-1796 fixed (comix) [since comix-3.6.4-6.fc9] -CVE-2008-1771 VULNERABLE (mt-daapd) [since mt-daapd-0.2.4.2-2.fc9] +CVE-2008-1771 fixed (mt-daapd) [since FEDORA-2008-4126] +CVE-2008-1767 version (libxslt, fixed 1.1.24) [since libxslt-1.1.24-1.fc9] CVE-2008-1729 version (drupal, fixed 6.2) [since drupal-6.2-1.fc9] CVE-2008-1722 fixed (cups) #445803 [since FEDORA-2008-3756] CVE-2008-1720 version (rsync, fixed 3.0.2) [since rsync-3.0.2-0.fc9] @@ -58,7 +70,9 @@ CVE-2008-1687 ignore (m4, fixed 1.4.11) not really a security issue CVE-2008-1686 version (libfishsound, fixed 0.9.1) #441248 [since libfishsound-0.9.1-1.fc9] CVE-2008-1686 backport (speex) [since speex-1.2-0.7.beta3] +CVE-2008-1678 VULNERABLE (httpd) #447311 only affects systems with openssl >= 0.9.8e CVE-2008-1677 VULNERABLE (fedora-ds-base) #445810 +CVE-2008-1672 VULNERABLE (openssl, fixed 0.9.8h) #448690 CVE-2008-1671 ignore (kdelibs) start_kdeinit not shipped CVE-2008-1670 backport (kdelibs) [since kdelibs-4.0.3-7.fc9] CVE-2008-1658 backport (PolicyKit) #439996 [since PolicyKit-0.7-7.fc9] @@ -75,7 +89,7 @@ CVE-2008-1561 version (wireshark, fixed 1.0) #435488 [since wireshark-1.0.0-2.fc9] CVE-2008-1552 version (libsilc, fixed 1.1.7) #438382 [since libsilc-1.1.7-1.fc9] CVE-2008-1532 version (Perlbal, fixed 1.70) [since Perlbal-1.70-1.fc9] -CVE-2008-1531 VULNERABLE (lighttpd) #439069 +CVE-2008-1531 fixed (lighttpd) #439069 [since FEDORA-2008-4119] CVE-2008-1488 VULNERABLE (php-pecl-apc) #438848 CVE-2008-1483 ignore (openssh) was alrady fixed by another patch CVE-2008-1482 version (xine-lib) #438671 [since xine-lib-1.1.11.1-1.fc9] @@ -89,7 +103,7 @@ CVE-2008-1390 version (asterisk, fixed 1.6.0-beta6) #438134 [since asterisk-1.6.0-0.6.beta6.fc9] CVE-2008-1387 fixed (clamav, fixed 0.93) #442364 [since FEDORA-2008-3900] CVE-2008-1382 VULNERABLE (libpng, fixed 1.2.27) minimal impact, affected api rarely used -CVE-2008-1382 VULNERABLE (libpng10) [since FEDORA-2008-3683] +CVE-2008-1382 fixed (libpng10) [since FEDORA-2008-3683] CVE-2008-1381 fixed (zoneminder, fixed 1.23.3) #444437 [since FEDORA-2008-3601] CVE-2008-1380 version (firefox, fixed 2.0.0.14) CVE-2008-1380 backport (seamonkey, fixed 1.1.10) #442852 [since seamonkey-1.1.9-3.fc9] @@ -142,6 +156,7 @@ CVE-2008-1131 version (drupal, fixed 6.1) #435817 [since drupal-6.1-1.fc9] CVE-2008-1111 backport (lighttpd) #435809 [since lighttpd-1.4.18-6.fc9] CVE-2008-1110 version (xine-lib, fixed 1.1.10) [since xine-lib-1.1.10-2.fc9] +CVE-2008-1105 VULNERABLE (samba, fixed 3.0.30) [since samba-3.2.0-1.rc1.14.fc9] CVE-2008-1103 VULNERABLE (blender) not fixed upstream CVE-2008-1102 backport (blender) #443937 [since blender-2.45-12.fc9] CVE-2008-1100 fixed (clamav, fixed 0.93) #442364 [since FEDORA-2008-3900] @@ -164,6 +179,7 @@ CVE-2008-0928 backport (qemu) #433563 [since qemu-0.9.1-3.fc9] CVE-2008-0928 backport (kvm) #433566 [since kvm-61-2.fc9] CVE-2008-0928 backport (xen) [since xen-3.2.0-8.fc9] +CVE-2008-0891 VULNERABLE (openssl, fixed 0.9.8h) #448690 CVE-2008-0888 backport (unzip) #437927 [since unzip-5.52-9.fc9] CVE-2008-0887 version (gnome-screensaver, fixed 2.22.1) #440257 [since gnome-screensaver-2.22.1-1.fc9] CVE-2008-0882 version (cups, fixed 1.3.6) [since cups-1.3.6-1.fc9] @@ -269,7 +285,7 @@ CVE-2008-0005 version (httpd, fixed 2.2.8) #427984 [since httpd-2.2.8-2] CVE-2008-0003 version (tog-pegasus, fixed 2.7.0) CVE-2008-0002 ignore (tomcat5) #432476 tomcat 6.x only -CVE-2007-6714 VULNERABLE (dbmail, fixed 2.2.9) #443022 [since dbmail-2.2.9-1.fc9] +CVE-2007-6714 fixed (dbmail, fixed 2.2.9) #443022 [since FEDORA-2008-4245] CVE-2007-6703 version (vdccm, fixed 0.10.1) #436027 CVE-2007-6698 version (openldap, fixed 2.3.36) CVE-2007-6697 backport (SDL_image, fixed 1.2.7) #430238 [since SDL_image-1.2.6-4.fc9] @@ -371,6 +387,7 @@ CVE-2007-5965 version (qt4, fixed 4.3.3) [since qt4-4.3.3-1.fc9] CVE-2007-5964 backport (autofs) #421371 [since autofs-5.0.2-21] CVE-2007-5963 version (kdebase) +CVE-2007-5962 fixed (vsftpd) [since FEDORA-2008-4362] CVE-2007-5960 version (mozilla, fixed ff 2.0.0.10, sm 1.1.7) CVE-2007-5959 version (mozilla, fixed ff 2.0.0.10, sm 1.1.7) CVE-2007-5958 fixed (xorg-x11-server, fixed 1.4.1) #429127 [since xorg-x11-server-1.4.99.1-0.17.20080107.fc9] code removed upstream @@ -409,6 +426,8 @@ CVE-2007-5589 version (phpMyAdmin, fixed 2.11.1.2) #333661 PMASA-2007-6 CVE-2007-5503 version (cairo, fixed 1.4.12) [since cairo-1.5.4-1.fc9] CVE-2007-5497 backport (e2fsprogs) #414591 [since e2fsprogs-1.40.2-14.fc9] +CVE-2007-5496 version (setroubleshoot, fixed 2.0) +CVE-2007-5495 version (setroubleshoot, fixed 1.9.4) CVE-2007-5461 version (tomcat5, fixed 5.5.26) #334531 [since tomcat5-5.5.26-1jpp.1.fc9] CVE-2007-5395 version (link-grammar) #372361 [since link-grammar-4.2.5-1.fc9] CVE-2007-5393 backport (xpdf) #372481 [since xpdf-3.02-4.fc9] @@ -479,6 +498,8 @@ CVE-2007-1558 version (evolution, fixed 1.8.3-5) CVE-2007-1352 version (libXfont, fixed 1.2.8) #235265 CVE-2007-1351 version (libXfont, fixed 1.2.8) #235265 +CVE-2007-1320 VULNERABLE (qemu) +CVE-2007-1320 fixed (kvm) #448525 [since FEDORA-2008-4386] CVE-2007-1103 ignore (tor) #230927 CANTFIX really CVE-2007-1004 version (mozilla) https://bugzilla.mozilla.org/show_bug.cgi?id=402060 CVE-2007-1003 version (xorg-x11-server, fixed 1.2.1) #235263 @@ -490,6 +511,7 @@ CVE-2007-0095 backport (phpMyAdmin) #221694 "Reveals path" [since phpMyAdmin-2.11.3-1.fc9] CVE-2006-7232 version (mysql, fixed 5.0.32) CVE-2006-6698 ignore (GConf2) #219280 minimal impact, let upstream deal with it if they care +CVE-2006-6698 fixed (GConf2) CVE-2006-6128 version (kernel, fixed 2.6.19) #250625 ReiserFS MOKB CVE-2006-6107 version (dbus, fixed 1.0.2) #219665 CVE-2006-6077 version (firefox, fixed 1.5.0.10) Index: fc7 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc7,v retrieving revision 1.377 retrieving revision 1.378 diff -u -r1.377 -r1.378 --- fc7 16 May 2008 18:59:18 -0000 1.377 +++ fc7 30 May 2008 15:18:25 -0000 1.378 @@ -7,6 +7,12 @@ rhbz293031 fixed (nx) #293031 [since FEDORA-2008-2258] rhbz249840 version (tor, fixed 0.1.2.15) #249840 [since FEDORA-2007-1674] +CVE-2008-2426 VULNERABLE (imlib2) [since imlib2-1.3.0-4.fc7] +CVE-2008-2420 fixed (stunnel, fixed 4.24) [since FEDORA-2008-4606] +CVE-2008-2392 ignore (wordpress) issue only in certain deployments, not affected by default +CVE-2008-2359 ignore (system-config-network) F8 specific issue +CVE-2008-2357 fixed (mtr, fixed 0.73) +CVE-2008-2302 fixed (Django, fixed 0.96.2) #447257 [since FEDORA-2008-4191] CVE-2008-2276 VULNERABLE (mantis) upstream fix in 1.2.0a1 seems useless CVE-2008-2266 ignore (perl-Convert-UUlib) embedded uulib copy uses mkstemp CVE-2008-2168 ignore (httpd) browser issue, not apache @@ -28,6 +34,9 @@ CVE-2008-1974 VULNERABLE (kronolith, fixed 3.1.8) #444403 [since FEDORA-2008-3460] CVE-2008-1964 ignore (xine-lib) bogus vulnerability report CVE-2008-1959 fixed (sipp, fixed 3.1) [since FEDORA-2008-3508] +CVE-2008-1950 fixed (gnutls, fixed 2.2.4) #447509 [since FEDORA-2008-4274] +CVE-2008-1949 fixed (gnutls, fixed 2.2.4) #447509 [since FEDORA-2008-4274] +CVE-2008-1948 fixed (gnutls, fixed 2.2.4) #447509 [since FEDORA-2008-4274] CVE-2008-1944 VULNERABLE (xen, fixed 3.2) [since xen-3.1.2-3.fc7] CVE-2008-1943 VULNERABLE (xen) [since xen-3.1.2-3.fc7] CVE-2008-1937 ignore (moin, fixed 1.6.3) 1.6.x only @@ -35,7 +44,7 @@ CVE-2008-1928 fixed (perl-Imager, fixed 0.64) #443939 [since FEDORA-2008-3920] CVE-2008-1927 fixed (perl) [since FEDORA-2008-3399] CVE-2008-1926 VULNERABLE (util-linux) -CVE-2008-1924 VULNERABLE (phpMyAdmin, fixed 2.11.5.2) [since phpMyAdmin-2.11.5.2-1.fc7] PMASA-2008-3 +CVE-2008-1924 version (phpMyAdmin, fixed 2.11.5.2) [since FEDORA-2008-3560] PMASA-2008-3 CVE-2008-1923 version (asterisk) upstream fix incomplete, resulting in CVE-2008-1897 CVE-2008-1897 fixed (asterisk, fixed 1.4.19.1) [since FEDORA-2008-3365] CVE-2008-1878 fixed (xine-lib, fixed 1.1.12.1) #443054 [since FEDORA-2008-3326] nsf demuxer overflow @@ -44,10 +53,12 @@ CVE-2008-1836 ignore (clamav, fixed 0.93) affected code introduced after 0.92.1 CVE-2008-1835 ignore (clamav, fixed 0.93) unrar code not shipped CVE-2008-1833 fixed (clamav, fixed 0.93-rc1) #442362 [since FEDORA-2008-3358] +CVE-2008-1804 VULNERABLE (snort, fixed 2.8.1) CVE-2008-1803 fixed (rdesktop, fixed 1.6.0) #445841 [since FEDORA-2008-3985] CVE-2008-1802 fixed (rdesktop, fixed 1.6.0) #445841 [since FEDORA-2008-3985] CVE-2008-1801 fixed (rdesktop, fixed 1.6.0) #445841 [since FEDORA-2008-3985] CVE-2008-1796 fixed (comix) [since FEDORA-2008-2993] +CVE-2008-1767 version (libxslt, fixed 1.1.24) [since libxslt-1.1.24-1.fc7] CVE-2008-1729 ignore (drupal) 6.x only CVE-2008-1722 fixed (cups) #445801 [since FEDORA-2008-3449] CVE-2008-1720 fixed (rsync, fixed 3.0.2) #441689 [since FEDORA-2008-3060] @@ -57,9 +68,11 @@ CVE-2008-1693 fixed (poppler, fixed 0.6.2) #443026 [since FEDORA-2008-3312] CVE-2008-1688 ignore (m4, fixed 1.4.11) not really a security issue CVE-2008-1687 ignore (m4, fixed 1.4.11) not really a security issue -CVE-2008-1686 VULNERABLE (libfishsound, fixed 0.9.1) #441246 [since FEDORA-2008-3117] +CVE-2008-1686 fixed (libfishsound, fixed 0.9.1) #441246 [since FEDORA-2008-3117] CVE-2008-1686 fixed (speex) #442571 [since FEDORA-2008-3191] +CVE-2008-1678 ignore (httpd) only affects systems with openssl >= 0.9.8e CVE-2008-1677 VULNERABLE (fedora-ds-base) #445808 +CVE-2008-1672 ignore (openssl, fixed 0.9.8h) not affected CVE-2008-1671 ignore (kdelibs) start_kdeinit not setuid CVE-2008-1670 ignore (kdelibs) kdelibs 4.x only CVE-2008-1670 fixed (kdelibs4) #444398 [since FEDORA-2008-3379] kdelibs 4.x only @@ -77,7 +90,7 @@ CVE-2008-1552 fixed (libsilc, fixed 1.1.7) #438382 [since FEDORA-2008-2641] CVE-2008-1532 version (Perlbal, fixed 1.70) #439055 [since FEDORA-2008-2788] CVE-2008-1531 fixed (lighttpd) #439067 [since FEDORA-2008-3343] -CVE-2008-1515 VULNERABLE (otrs) #439723 +CVE-2008-1515 fixed (otrs) #439933 [since FEDORA-2008-3100] CVE-2008-1488 VULNERABLE (php-pecl-apc) #438846 CVE-2008-1483 ignore (openssh) was alrady fixed by another patch CVE-2008-1482 fixed (xine-lib) #438669 [since FEDORA-2008-2945] @@ -146,6 +159,7 @@ CVE-2008-1131 ignore (drupal) #435815 drupal 6.x only CVE-2008-1111 fixed (lighttpd) #435808 [since FEDORA-2008-2278] CVE-2008-1110 version (xine-lib, fixed 1.1.10) [since FEDORA-2008-1047] +CVE-2008-1105 VULNERABLE (samba, fixed 3.0.30) [since samba-3.0.28a-1.fc7] CVE-2008-1103 VULNERABLE (blender) not fixed upstream CVE-2008-1102 fixed (blender) #443935 [since FEDORA-2008-3862] CVE-2008-1100 fixed (clamav, fixed 0.93) #442362 [since FEDORA-2008-3358] @@ -168,6 +182,7 @@ CVE-2008-0928 fixed (qemu) #433562 [since FEDORA-2008-1995] CVE-2008-0928 fixed (kvm) #433565 [since FEDORA-2008-1993] CVE-2008-0928 fixed (xen) #434638 [since FEDORA-2008-2083] +CVE-2008-0891 ignore (openssl, fixed 0.9.8h) not affected CVE-2008-0888 ignore (unzip) caught by glibc malloc checks CVE-2008-0887 fixed (gnome-screensaver) #440255 [since FEDORA-2008-2967] CVE-2008-0806 fixed (wyrd) #433721 [since FEDORA-2008-1986] @@ -237,7 +252,7 @@ CVE-2008-0404 fixed (mantis) #429552 [since FEDORA-2008-0796] CVE-2008-0386 fixed (xdg-utils) #429513 [since FEDORA-2008-1015] CVE-2008-0364 ignore (bittorrent) Windows only -CVE-2008-0320 VULNERABLE (openoffice.org, fixed 2.4) #442845 +CVE-2008-0320 fixed (openoffice.org, fixed 2.4) #442845 [since FEDORA-2008-4104] CVE-2008-0318 fixed (clamav, fixed 0.92.1) [since FEDORA-2008-1608] CVE-2008-0314 fixed (clamav, fixed 0.93) #442362 [since FEDORA-2008-3358] CVE-2008-0304 version (seamonkey, fixed 1.1.8) [since FEDORA-2008-1669] @@ -376,6 +391,7 @@ CVE-2007-5965 version (qt4, fixed 4.3.3) [since FEDORA-2007-4354] CVE-2007-5964 backport (autofs) #421351 [since FEDORA-2007-4469] CVE-2007-5963 backport (kdebase) [since FEDORA-2008-1264] +CVE-2007-5962 fixed (vsftpd) [since FEDORA-2008-4373] CVE-2007-5960 version (mozilla, fixed ff 2.0.0.10, sm 1.1.7) [since FEDORA-2007-3952] CVE-2007-5959 version (mozilla, fixed ff 2.0.0.10, sm 1.1.7) [since FEDORA-2007-3952] CVE-2007-5958 fixed (xorg-x11-server, fixed 1.4.1) #429125 [since FEDORA-2008-0831] @@ -402,9 +418,9 @@ CVE-2007-5760 fixed (xorg-x11-server, fixed 1.4.1) #429125 [since FEDORA-2008-0831] CVE-2007-5759 ignore (clamav, fixed 0.92) duplicate of CVE-2007-6335 CVE-2007-5751 backport (liferea, fixed 1.4.6) #360641 [since FEDORA-2007-2725] -CVE-2007-5747 VULNERABLE (openoffice.org, fixed 2.4) #442845 -CVE-2007-5746 VULNERABLE (openoffice.org, fixed 2.4) #442845 -CVE-2007-5745 VULNERABLE (openoffice.org, fixed 2.4) #442845 +CVE-2007-5747 fixed (openoffice.org, fixed 2.4) #442845 [since FEDORA-2008-4104] +CVE-2007-5746 fixed (openoffice.org, fixed 2.4) #442845 [since FEDORA-2008-4104] +CVE-2007-5745 fixed (openoffice.org, fixed 2.4) #442845 [since FEDORA-2008-4104] CVE-2007-5742 version (wesnoth, fixed 1.2.8) [since FEDORA-2007-3986] CVE-2007-5728 version (phpPgAdmin) seems to be fixed for some time CVE-2007-5715 backport (denyhosts) fixed long ago @@ -427,6 +443,8 @@ CVE-2007-5501 version (kernel) [since FEDORA-2007-3751] CVE-2007-5500 version (kernel) [since FEDORA-2007-3751] CVE-2007-5497 fixed (e2fsprogs) #414571 [since FEDORA-2007-4461] +CVE-2007-5496 ignore (setroubleshoot, fixed 2.0) +CVE-2007-5495 version (setroubleshoot, fixed 1.9.4) CVE-2007-5461 version (tomcat5) #334511 [since FEDORA-2007-3456] CVE-2007-5416 ignore (drupal) Vulnerability in PHP<5.1.3, we're safe CVE-2007-5398 version (samba) [since FEDORA-2007-3402] @@ -863,7 +881,8 @@ *CVE-2007-1322 ** (qemu) #238723 *CVE-2007-1321 ** (qemu) #238723 CVE-2007-1321 backport (xen) [since FEDORA-2007-2270] -*CVE-2007-1320 ** (qemu) #238723 +CVE-2007-1320 VULNERABLE (qemu) +CVE-2007-1320 VULNERABLE (kvm) CVE-2007-1308 version (kdelibs) CVE-2007-1287 ignore (php) See NVD CVE-2007-1286 version (php, PHP4 only) @@ -1025,6 +1044,7 @@ *CVE-2006-6731 ** (java-ibm) *CVE-2006-6719 backport (wget) #221469 [since FEDORA-2007-043] *CVE-2006-6698 ignore (GConf2) #219280 minimal impact +CVE-2006-6698 fixed (GConf2) [since GConf2-2.22.0-5.fc10] CVE-2006-6693 ignore (zabbix, fixed 1.1.3, < 1.1.4 not shipped) CVE-2006-6692 ignore (zabbix, fixed 1.1.3, < 1.1.4 not shipped) CVE-2006-6660 ignore (kdelibs) client Dos only, not reproducible