[Fedora-security-commits] fedora-security/audit f10, 1.3, 1.4 f8, 1.221, 1.222 f9, 1.211, 1.212 fc7, 1.377, 1.378

fedora-security-commits at redhat.com
Fri May 30 15:18:56 UTC 2008


Author: thoger

Update of /cvs/fedora/fedora-security/audit
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv14130/audit

Modified Files:
	f10 f8 f9 fc7 
Log Message:
lots of stuff from last 2 weeks



Index: f10
===================================================================
RCS file: /cvs/fedora/fedora-security/audit/f10,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- f10	16 May 2008 18:59:18 -0000	1.3
+++ f10	30 May 2008 15:18:25 -0000	1.4
@@ -4,25 +4,38 @@
 # *CVE are items that need verification for Fedora 10
 # (mozilla) = (gecko-libs dependent stuff)
 
+CVE-2008-2426 backport (imlib2) [since imlib2-1.4.0-7.fc10] 
+CVE-2008-2420 version (stunnel, fixed 4.24) [since stunnel-4.24-2] 
+CVE-2008-2392 ignore (wordpress) issue only in certain deployments, not affected by default
+CVE-2008-2359 ignore (system-config-network) F8 specific issue
+CVE-2008-2357 fixed (mtr, fixed 0.73) 
+CVE-2008-2302 version (Django, fixed 0.96.2) #447260 [since Django-0.96.2-1.fc10]
 CVE-2008-2276 VULNERABLE (mantis) upstream fix in 1.2.0a1 seems useless
 CVE-2008-2266 ignore (perl-Convert-UUlib) embedded uulib copy uses mkstemp
 CVE-2008-2168 ignore (httpd) browser issue, not apache
 CVE-2008-2085 VULNERABLE (sipp) #446222 
-CVE-2008-2079 VULNERABLE (mysql, fixed 5.0.60) #445806 
+CVE-2008-2079 VULNERABLE (mysql, fixed 5.0.60) #445804 
 CVE-2008-2004 VULNERABLE (xen) disables format autodetection by default [since xen-3.2.0-11.fc10]
 CVE-2008-2004 VULNERABLE (qemu) fix mostly useless without libvirt changes
 CVE-2008-2004 VULNERABLE (kvm) fix mostly useless without libvirt changes
 CVE-2008-1999 VULNERABLE (WebKit) 
+CVE-2008-1950 backport (gnutls, fixed 2.2.4) #447512 [since gnutls-2.0.4-3.fc10]
+CVE-2008-1949 backport (gnutls, fixed 2.2.4) #447512 [since gnutls-2.0.4-3.fc10]
+CVE-2008-1948 backport (gnutls, fixed 2.2.4) #447512 [since gnutls-2.0.4-3.fc10]
 CVE-2008-1944 version (xen, fixed 3.2) 
 CVE-2008-1943 VULNERABLE (xen) [since xen-3.2.0-11.fc10]
 CVE-2008-1928 version (perl-Imager, fixed 0.64) [since perl-Imager-0.64-2.fc10]
 CVE-2008-1926 backport (util-linux-ng) [since util-linux-ng-2.13.1-8.1.fc9] 
 CVE-2008-1836 version (clamav, fixed 0.93) [since clamav-0.93-1.fc9]
+CVE-2008-1804 version (snort, fixed 2.8.1) [since snort-2.8.1-3.fc10] 
 CVE-2008-1803 version (rdesktop, fixed 1.6.0) [since rdesktop-1.6.0-1.fc10] 
 CVE-2008-1802 version (rdesktop, fixed 1.6.0) [since rdesktop-1.6.0-1.fc10] 
 CVE-2008-1801 version (rdesktop, fixed 1.6.0) [since rdesktop-1.6.0-1.fc10] 
 CVE-2008-1771 version (mt-daapd) [since mt-daapd-0.2.4.2-2.fc10]
+CVE-2008-1767 version (libxslt, fixed 1.1.24) [since libxslt-1.1.24-1.fc10] 
+CVE-2008-1678 VULNERABLE (httpd) #447312 only affects systems with openssl >= 0.9.8e
 CVE-2008-1677 VULNERABLE (fedora-ds-base) #445810 
+CVE-2008-1672 backport (openssl, fixed 0.9.8h) #448691 [since openssl-0.9.8g-9.fc10]
 CVE-2008-1531 backport (lighttpd) [since lighttpd-1.4.19-4.fc10]
 CVE-2008-1488 VULNERABLE (php-pecl-apc) #438848 
 CVE-2008-1423 backport (libvorbis) #446344  [since libvorbis-1.2.0-4.fc10]
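Review bot: the added CVE-2008-2357 row, "fixed (mtr, fixed 0.73)", is the only new row in this hunk that carries neither a [since ...] build, a bug number, nor a reason, and it uses the state "fixed" where the other new rows resolved by a build use "version" or "backport". Suggest recording the build that ships 0.73 in a [since ...] tag and using "version", so the row can be checked against the package the same way as the stunnel and snort rows above it.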
@@ -32,9 +45,11 @@
 CVE-2008-1382 VULNERABLE (libpng, fixed 1.2.27) minimal impact, affected api rarely used
 CVE-2008-1382 version (libpng10) [since libpng10-1.0.37-1.fc10] 
 CVE-2008-1360 version (nagios) #437852 [since nagios-2.11-3.fc9]
+CVE-2008-1105 VULNERABLE (samba, fixed 3.0.30) 
 CVE-2008-1103 VULNERABLE (blender) not fixed upstream
 CVE-2008-1100 version (clamav, fixed 0.93) [since clamav-0.93-1.fc9]
-CVE-2008-1078 VULNERABLE (am-utils) #437746
+CVE-2008-1078 backport (am-utils) #437746 [since am-utils-6.1.5-10.fc10]
+CVE-2008-0891 backport (openssl, fixed 0.9.8h) #448691 [since openssl-0.9.8g-9.fc10]
 CVE-2008-0553 version (tkimg) [since tkimg-1.3-0.10.20080505svn.fc10]
 CVE-2008-0314 version (clamav, fixed 0.93) [since clamav-0.93-1.fc9]
 CVE-2008-0166 ignore (openssl) Debian specific
@@ -42,11 +57,15 @@
 CVE-2007-6321 VULNERABLE (roundcubemail) #423301
 CVE-2007-6318 VULNERABLE (wordpress) #426434
 CVE-2007-6131 VULNERABLE (scanbuttond) 
+CVE-2007-5962 fixed (vsftpd) [since vsftpd-2.0.6-4.fc10] 
 CVE-2007-5907 VULNERABLE (xen) #390121
 CVE-2007-5906 VULNERABLE (xen) #390121
 CVE-2007-5803 VULNERABLE (nagios, not fixed 2.11) #446383 
 CVE-2007-5079 VULNERABLE (gdm) #363041 Red Hat specific problem
 CVE-2007-4829 VULNERABLE (perl, not fixed upstream) #364291 perl-Archive-Tar directory traversal
 CVE-2007-4559 VULNERABLE (python, not fixed upstream) #315291 Upstream WONTFIX. See where we use the code.
+CVE-2007-1320 VULNERABLE (qemu) 
+CVE-2007-1320 VULNERABLE (kvm) 
+CVE-2006-6698 fixed (GConf2) 
 CVE-2006-1390 VULNERABLE (nethack) bz#187353, but requires other access to games group
 


Index: f8
===================================================================
RCS file: /cvs/fedora/fedora-security/audit/f8,v
retrieving revision 1.221
retrieving revision 1.222
diff -u -r1.221 -r1.222
--- f8	16 May 2008 18:59:18 -0000	1.221
+++ f8	30 May 2008 15:18:25 -0000	1.222
@@ -6,6 +6,12 @@
 
 rhbz293031 fixed (nx) #293031 [since FEDORA-2008-2258] 
 rhbz249840 version (tor, fixed 0.1.2.15) 
+CVE-2008-2426 VULNERABLE (imlib2) [since imlib2-1.4.0-7.fc8] 
+CVE-2008-2420 fixed (stunnel, fixed 4.24) [since FEDORA-2008-4579] 
+CVE-2008-2392 ignore (wordpress) issue only in certain deployments, not affected by default
+CVE-2008-2359 fixed (system-config-network) [since FEDORA-2008-4633] 
+CVE-2008-2357 fixed (mtr, fixed 0.73) 
+CVE-2008-2302 fixed (Django, fixed 0.96.2) #447258 [since FEDORA-2008-4248] 
 CVE-2008-2276 VULNERABLE (mantis) upstream fix in 1.2.0a1 seems useless
 CVE-2008-2266 ignore (perl-Convert-UUlib) embedded uulib copy uses mkstemp
 CVE-2008-2168 ignore (httpd) browser issue, not apache
@@ -27,6 +33,9 @@
 CVE-2008-1974 VULNERABLE (kronolith, fixed 3.1.8) #444404 [since FEDORA-2008-3543] 
 CVE-2008-1964 ignore (xine-lib) bogus vulnerability report
 CVE-2008-1959 fixed (sipp, fixed 3.1) [since FEDORA-2008-3501] 
+CVE-2008-1950 fixed (gnutls, fixed 2.2.4) #447510 [since FEDORA-2008-4183] 
+CVE-2008-1949 fixed (gnutls, fixed 2.2.4) #447510 [since FEDORA-2008-4183] 
+CVE-2008-1948 fixed (gnutls, fixed 2.2.4) #447510 [since FEDORA-2008-4183] 
 CVE-2008-1944 VULNERABLE (xen, fixed 3.2) [since xen-3.1.2-3.fc8]
 CVE-2008-1943 VULNERABLE (xen) [since xen-3.1.2-3.fc8]
 CVE-2008-1937 ignore (moin, fixed 1.6.3) 1.6.x only
@@ -34,7 +43,7 @@
 CVE-2008-1928 fixed (perl-Imager, fixed 0.64) #443940 [since FEDORA-2008-3352] 
 CVE-2008-1927 fixed (perl) [since FEDORA-2008-3392] 
 CVE-2008-1926 fixed (util-linux-ng) [since FEDORA-2008-3419] 
-CVE-2008-1924 VULNERABLE (phpMyAdmin, fixed 2.11.5.2) [since phpMyAdmin-2.11.5.2-1.fc8] PMASA-2008-3
+CVE-2008-1924 version (phpMyAdmin, fixed 2.11.5.2) [since FEDORA-2008-3461] PMASA-2008-3
 CVE-2008-1923 version (asterisk) upstream fix incomplete, resulting in CVE-2008-1897
 CVE-2008-1897 fixed (asterisk, fixed 1.4.19.1) [since FEDORA-2008-3390] 
 CVE-2008-1878 fixed (xine-lib, fixed 1.1.12.1) #443055 [since FEDORA-2008-3353] nsf demuxer overflow
@@ -43,10 +52,12 @@
 CVE-2008-1836 ignore (clamav, fixed 0.93) affected code introduced after 0.92.1
 CVE-2008-1835 ignore (clamav, fixed 0.93) unrar code not shipped
 CVE-2008-1833 fixed (clamav, fixed 0.93-rc1) #442363 [since FEDORA-2008-3420] 
+CVE-2008-1804 VULNERABLE (snort, fixed 2.8.1) 
 CVE-2008-1803 fixed (rdesktop, fixed 1.6.0) #445842 [since FEDORA-2008-3917] 
 CVE-2008-1802 fixed (rdesktop, fixed 1.6.0) #445842 [since FEDORA-2008-3917] 
 CVE-2008-1801 fixed (rdesktop, fixed 1.6.0) #445842 [since FEDORA-2008-3917] 
 CVE-2008-1796 fixed (comix) [since FEDORA-2008-2981] 
+CVE-2008-1767 version (libxslt, fixed 1.1.24) [since libxslt-1.1.24-1.fc8] 
 CVE-2008-1729 ignore (drupal) 6.x only
 CVE-2008-1722 fixed (cups) #445802 [since FEDORA-2008-3586] 
 CVE-2008-1720 fixed (rsync, fixed 3.0.2) #441690 [since FEDORA-2008-3047] 
@@ -58,7 +69,9 @@
 CVE-2008-1687 ignore (m4, fixed 1.4.11) not really a security issue
 CVE-2008-1686 fixed (libfishsound, fixed 0.9.1) #441247 [since FEDORA-2008-3059] 
 CVE-2008-1686 fixed (speex) #442572 [since FEDORA-2008-3103] 
+CVE-2008-1678 ignore (httpd) only affects systems with openssl >= 0.9.8e
 CVE-2008-1677 VULNERABLE (fedora-ds-base) #445809 
+CVE-2008-1672 ignore (openssl, fixed 0.9.8h) not affected
 CVE-2008-1671 ignore (kdelibs) start_kdeinit not setuid
 CVE-2008-1670 ignore (kdelibs) kdelibs 4.x only
 CVE-2008-1670 fixed (kdelibs4) #444399 [since FEDORA-2008-3412] kdelibs 4.x only
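Review bot: the added CVE-2008-1672 row gives "not affected" as its whole justification, and the CVE-2008-1678 row states a condition ("only affects systems with openssl >= 0.9.8e") without saying that this release fails to meet it. Suggest naming the openssl version shipped here in both notes, so that a later openssl rebase makes it obvious these two ignore rows need to be revisited.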
@@ -90,7 +103,7 @@
 CVE-2008-1390 fixed (asterisk, fixed 1.4.19-rc3) #438133 [since FEDORA-2008-2554] 
 CVE-2008-1387 fixed (clamav, fixed 0.93) #442363 [since FEDORA-2008-3420] 
 CVE-2008-1382 VULNERABLE (libpng, fixed 1.2.27) minimal impact, affected api rarely used
-CVE-2008-1382 VULNERABLE (libpng10) [since FEDORA-2008-3937] 
+CVE-2008-1382 fixed (libpng10) [since FEDORA-2008-3937] 
 CVE-2008-1381 fixed (zoneminder, fixed 1.23.3) #444436 [since FEDORA-2008-3462] 
 CVE-2008-1380 VULNERABLE (firefox, fixed 2.0.0.14) 
 CVE-2008-1380 fixed (seamonkey, fixed 1.1.10) #442851 [since FEDORA-2008-3264] 
@@ -145,6 +158,7 @@
 CVE-2008-1131 ignore (drupal) #435816 drupal 6.x only
 CVE-2008-1111 fixed (lighttpd) #435807 [since FEDORA-2008-2262] 
 CVE-2008-1110 version (xine-lib, fixed 1.1.10) [since FEDORA-2008-1043]
+CVE-2008-1105 VULNERABLE (samba, fixed 3.0.30) [since samba-3.0.30-0.fc8] 
 CVE-2008-1103 VULNERABLE (blender) not fixed upstream
 CVE-2008-1102 fixed (blender) #443936 [since FEDORA-2008-3875] 
 CVE-2008-1100 fixed (clamav, fixed 0.93) #442363 [since FEDORA-2008-3420] 
@@ -167,6 +181,7 @@
 CVE-2008-0928 fixed (qemu) #433561 [since FEDORA-2008-2001] 
 CVE-2008-0928 fixed (kvm) #433564 [since FEDORA-2008-1973] 
 CVE-2008-0928 fixed (xen) #434639 [since FEDORA-2008-2057] 
+CVE-2008-0891 ignore (openssl, fixed 0.9.8h) not affected
 CVE-2008-0888 ignore (unzip) caught by glibc malloc checks
 CVE-2008-0887 fixed (gnome-screensaver) #440256 [since FEDORA-2008-3017] 
 CVE-2008-0882 fixed (cups, fixed 1.3.6) #433803 [since FEDORA-2008-1901] 
@@ -377,6 +392,7 @@
 CVE-2007-5965 version (qt4, fixed 4.3.3) [since FEDORA-2007-4285]
 CVE-2007-5964 backport (autofs) #409701 [since FEDORA-2007-4532]
 CVE-2007-5963 backport (kdebase) [since FEDORA-2008-1283] 
+CVE-2007-5962 fixed (vsftpd) [since FEDORA-2008-4347] 
 CVE-2007-5960 version (mozilla, fixed ff 2.0.0.10, sm 1.1.7) [since FEDORA-2007-3962]
 CVE-2007-5959 version (mozilla, fixed ff 2.0.0.10, sm 1.1.7) [since FEDORA-2007-3962]
 CVE-2007-5958 fixed (xorg-x11-server, fixed 1.4.1) #429126 [since FEDORA-2008-0760] 
@@ -418,6 +434,8 @@
 CVE-2007-5501 version (kernel) [since FEDORA-2007-3837]
 CVE-2007-5500 version (kernel) [since FEDORA-2007-3837]
 CVE-2007-5497 fixed (e2fsprogs) #414581 [since FEDORA-2007-4447] 
+CVE-2007-5496 version (setroubleshoot, fixed 2.0) 
+CVE-2007-5495 version (setroubleshoot, fixed 1.9.4) 
 CVE-2007-5461 version (tomcat5) #363001 [since FEDORA-2007-3474]
 CVE-2007-5398 version (samba) [since FEDORA-2007-3403]
 CVE-2007-5395 version (link-grammar) #372351 [since FEDORA-2007-3235]
@@ -506,6 +524,8 @@
 CVE-2007-1355 version (tomcat5) [since FEDORA-2007-3474]
 CVE-2007-1352 version (libXfont, fixed 1.2.8) #235265
 CVE-2007-1351 version (libXfont, fixed 1.2.8) #235265
+CVE-2007-1320 VULNERABLE (qemu) 
+CVE-2007-1320 fixed (kvm) #448524 [since FEDORA-2008-4604] 
 CVE-2007-1103 ignore (tor) #230927 CANTFIX really
 CVE-2007-1004 version (mozilla) https://bugzilla.mozilla.org/show_bug.cgi?id=402060
 CVE-2007-1003 version (xorg-x11-server, fixed 1.2.1) #235263
@@ -517,6 +537,7 @@
 CVE-2007-0095 backport (phpMyAdmin) #221694 "Reveals path" [since FEDORA-2007-4334]
 CVE-2006-7232 version (mysql, fixed 5.0.32) 
 CVE-2006-6698 ignore (GConf2) #219280 minimal impact
+CVE-2006-6698 fixed (GConf2) 
 CVE-2006-6128 version (kernel, fixed 2.6.19-1.2911.fc6) #250625 ReiserFS MOKB
 CVE-2006-6107 version (dbus, fixed 1.0.2) #219665
 CVE-2006-6077 version (firefox, fixed 1.5.0.10)
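Review bot: the added "CVE-2006-6698 fixed (GConf2)" row sits directly under the existing "CVE-2006-6698 ignore (GConf2) #219280 minimal impact" row, so the file now holds two rows for the same CVE and package with conflicting states. Suggest replacing the ignore row rather than adding beside it, keeping #219280 and adding the advisory or build in a [since ...] tag, which the new row lacks.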


Index: f9
===================================================================
RCS file: /cvs/fedora/fedora-security/audit/f9,v
retrieving revision 1.211
retrieving revision 1.212
diff -u -r1.211 -r1.212
--- f9	16 May 2008 18:59:18 -0000	1.211
+++ f9	30 May 2008 15:18:25 -0000	1.212
@@ -5,6 +5,12 @@
 # (mozilla) = (gecko-libs dependent stuff)
 
 rhbz249840 version (tor, fixed 0.1.2.15)
+CVE-2008-2426 VULNERABLE (imlib2) [since imlib2-1.4.0-7.fc9] 
+CVE-2008-2420 fixed (stunnel, fixed 4.24) [since FEDORA-2008-4531] 
+CVE-2008-2392 ignore (wordpress) issue only in certain deployments, not affected by default
+CVE-2008-2359 ignore (system-config-network) F8 specific issue
+CVE-2008-2357 fixed (mtr, fixed 0.73) 
+CVE-2008-2302 fixed (Django, fixed 0.96.2) #447259 [since FEDORA-2008-4267] 
 CVE-2008-2276 VULNERABLE (mantis) upstream fix in 1.2.0a1 seems useless
 CVE-2008-2266 ignore (perl-Convert-UUlib) embedded uulib copy uses mkstemp
 CVE-2008-2168 ignore (httpd) browser issue, not apache
@@ -26,11 +32,15 @@
 CVE-2008-1974 ignore (kronolith, fixed 3.1.8) #444405 package removed from f9 and rawhide
 CVE-2008-1964 ignore (xine-lib) bogus vulnerability report
 CVE-2008-1959 fixed (sipp, fixed 3.1) [since FEDORA-2008-3690] 
+CVE-2008-1950 fixed (gnutls, fixed 2.2.4) #447511 [since FEDORA-2008-4259] 
+CVE-2008-1949 fixed (gnutls, fixed 2.2.4) #447511 [since FEDORA-2008-4259] 
+CVE-2008-1948 fixed (gnutls, fixed 2.2.4) #447511 [since FEDORA-2008-4259] 
 CVE-2008-1944 version (xen, fixed 3.2) 
 CVE-2008-1943 VULNERABLE (xen) [since xen-3.2.0-11.fc9]
 CVE-2008-1937 version (moin, fixed 1.6.3) [since moin-1.6.3-1.fc9] 
 CVE-2008-1930 ignore (wordpress, fixed 2.5.1) only for wp 2.5.0
-CVE-2008-1928 VULNERABLE (perl-Imager, fixed 0.64) #443941 
+CVE-2008-1928 fixed (perl-Imager, fixed 0.64) #443941 [since FEDORA-2008-4003] 
+CVE-2008-1927 fixed (perl, fixed 5.10) 
 CVE-2008-1926 VULNERABLE (util-linux-ng) [since util-linux-ng-2.13.1-8.1.fc9] 
 CVE-2008-1924 version (phpMyAdmin, fixed 2.11.5.2) [since phpMyAdmin-2.11.5.2-1.fc9] PMASA-2008-3
 CVE-2008-1923 version (asterisk) upstream fix incomplete, resulting in CVE-2008-1897
@@ -42,11 +52,13 @@
 CVE-2008-1835 ignore (clamav, fixed 0.93) unrar code not shipped
 CVE-2008-1834 version (swfdec, fixed 0.6.4) [since swfdec-0.6.4-1.fc9]
 CVE-2008-1833 version (clamav, fixed 0.93-rc1) [since clamav-0.93-0.0.rc1.fc9] 
+CVE-2008-1804 VULNERABLE (snort, fixed 2.8.1) 
 CVE-2008-1803 fixed (rdesktop, fixed 1.6.0) #445843 [since FEDORA-2008-3886] 
 CVE-2008-1802 fixed (rdesktop, fixed 1.6.0) #445843 [since FEDORA-2008-3886] 
 CVE-2008-1801 fixed (rdesktop, fixed 1.6.0) #445843 [since FEDORA-2008-3886] 
 CVE-2008-1796 fixed (comix) [since comix-3.6.4-6.fc9] 
-CVE-2008-1771 VULNERABLE (mt-daapd) [since mt-daapd-0.2.4.2-2.fc9]
+CVE-2008-1771 fixed (mt-daapd) [since FEDORA-2008-4126] 
+CVE-2008-1767 version (libxslt, fixed 1.1.24) [since libxslt-1.1.24-1.fc9] 
 CVE-2008-1729 version (drupal, fixed 6.2) [since drupal-6.2-1.fc9]
 CVE-2008-1722 fixed (cups) #445803 [since FEDORA-2008-3756] 
 CVE-2008-1720 version (rsync, fixed 3.0.2) [since rsync-3.0.2-0.fc9]
@@ -58,7 +70,9 @@
 CVE-2008-1687 ignore (m4, fixed 1.4.11) not really a security issue
 CVE-2008-1686 version (libfishsound, fixed 0.9.1) #441248 [since libfishsound-0.9.1-1.fc9]
 CVE-2008-1686 backport (speex) [since speex-1.2-0.7.beta3]
+CVE-2008-1678 VULNERABLE (httpd) #447311 only affects systems with openssl >= 0.9.8e
 CVE-2008-1677 VULNERABLE (fedora-ds-base) #445810 
+CVE-2008-1672 VULNERABLE (openssl, fixed 0.9.8h) #448690 
 CVE-2008-1671 ignore (kdelibs) start_kdeinit not shipped
 CVE-2008-1670 backport (kdelibs) [since kdelibs-4.0.3-7.fc9] 
 CVE-2008-1658 backport (PolicyKit) #439996 [since PolicyKit-0.7-7.fc9]
@@ -75,7 +89,7 @@
 CVE-2008-1561 version (wireshark, fixed 1.0) #435488 [since wireshark-1.0.0-2.fc9]
 CVE-2008-1552 version (libsilc, fixed 1.1.7) #438382 [since libsilc-1.1.7-1.fc9]
 CVE-2008-1532 version (Perlbal, fixed 1.70) [since Perlbal-1.70-1.fc9]
-CVE-2008-1531 VULNERABLE (lighttpd) #439069 
+CVE-2008-1531 fixed (lighttpd) #439069 [since FEDORA-2008-4119] 
 CVE-2008-1488 VULNERABLE (php-pecl-apc) #438848 
 CVE-2008-1483 ignore (openssh) was alrady fixed by another patch
 CVE-2008-1482 version (xine-lib) #438671 [since xine-lib-1.1.11.1-1.fc9]
@@ -89,7 +103,7 @@
 CVE-2008-1390 version (asterisk, fixed 1.6.0-beta6) #438134 [since asterisk-1.6.0-0.6.beta6.fc9]
 CVE-2008-1387 fixed (clamav, fixed 0.93) #442364 [since FEDORA-2008-3900] 
 CVE-2008-1382 VULNERABLE (libpng, fixed 1.2.27) minimal impact, affected api rarely used
-CVE-2008-1382 VULNERABLE (libpng10) [since FEDORA-2008-3683] 
+CVE-2008-1382 fixed (libpng10) [since FEDORA-2008-3683] 
 CVE-2008-1381 fixed (zoneminder, fixed 1.23.3) #444437 [since FEDORA-2008-3601] 
 CVE-2008-1380 version (firefox, fixed 2.0.0.14) 
 CVE-2008-1380 backport (seamonkey, fixed 1.1.10) #442852 [since seamonkey-1.1.9-3.fc9]
@@ -142,6 +156,7 @@
 CVE-2008-1131 version (drupal, fixed 6.1) #435817 [since drupal-6.1-1.fc9]
 CVE-2008-1111 backport (lighttpd) #435809 [since lighttpd-1.4.18-6.fc9]
 CVE-2008-1110 version (xine-lib, fixed 1.1.10) [since xine-lib-1.1.10-2.fc9]
+CVE-2008-1105 VULNERABLE (samba, fixed 3.0.30) [since samba-3.2.0-1.rc1.14.fc9] 
 CVE-2008-1103 VULNERABLE (blender) not fixed upstream
 CVE-2008-1102 backport (blender) #443937 [since blender-2.45-12.fc9] 
 CVE-2008-1100 fixed (clamav, fixed 0.93) #442364 [since FEDORA-2008-3900] 
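Review bot: the added CVE-2008-1105 row names the upstream fix as 3.0.30 but tags the build as samba-3.2.0-1.rc1.14.fc9, a different version line, and nothing in the row says that this 3.2.0 release candidate carries the fix. Suggest a short trailing note to that effect (or the 3.2.x version that has the fix), and a bug number, since the row stays VULNERABLE and someone will need to follow it up.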
@@ -164,6 +179,7 @@
 CVE-2008-0928 backport (qemu) #433563 [since qemu-0.9.1-3.fc9]
 CVE-2008-0928 backport (kvm) #433566 [since kvm-61-2.fc9]
 CVE-2008-0928 backport (xen) [since xen-3.2.0-8.fc9]
+CVE-2008-0891 VULNERABLE (openssl, fixed 0.9.8h) #448690 
 CVE-2008-0888 backport (unzip) #437927 [since unzip-5.52-9.fc9]
 CVE-2008-0887 version (gnome-screensaver, fixed 2.22.1) #440257 [since gnome-screensaver-2.22.1-1.fc9]
 CVE-2008-0882 version (cups, fixed 1.3.6) [since cups-1.3.6-1.fc9]
@@ -269,7 +285,7 @@
 CVE-2008-0005 version (httpd, fixed 2.2.8) #427984 [since httpd-2.2.8-2]
 CVE-2008-0003 version (tog-pegasus, fixed 2.7.0) 
 CVE-2008-0002 ignore (tomcat5) #432476 tomcat 6.x only
-CVE-2007-6714 VULNERABLE (dbmail, fixed 2.2.9) #443022 [since dbmail-2.2.9-1.fc9] 
+CVE-2007-6714 fixed (dbmail, fixed 2.2.9) #443022 [since FEDORA-2008-4245] 
 CVE-2007-6703 version (vdccm, fixed 0.10.1) #436027 
 CVE-2007-6698 version (openldap, fixed 2.3.36) 
 CVE-2007-6697 backport (SDL_image, fixed 1.2.7) #430238 [since SDL_image-1.2.6-4.fc9]
@@ -371,6 +387,7 @@
 CVE-2007-5965 version (qt4, fixed 4.3.3) [since qt4-4.3.3-1.fc9]
 CVE-2007-5964 backport (autofs) #421371 [since autofs-5.0.2-21]
 CVE-2007-5963 version (kdebase)
+CVE-2007-5962 fixed (vsftpd) [since FEDORA-2008-4362] 
 CVE-2007-5960 version (mozilla, fixed ff 2.0.0.10, sm 1.1.7)
 CVE-2007-5959 version (mozilla, fixed ff 2.0.0.10, sm 1.1.7)
 CVE-2007-5958 fixed (xorg-x11-server, fixed 1.4.1) #429127 [since xorg-x11-server-1.4.99.1-0.17.20080107.fc9] code removed upstream
@@ -409,6 +426,8 @@
 CVE-2007-5589 version (phpMyAdmin, fixed 2.11.1.2) #333661 PMASA-2007-6
 CVE-2007-5503 version (cairo, fixed 1.4.12) [since cairo-1.5.4-1.fc9] 
 CVE-2007-5497 backport (e2fsprogs) #414591 [since e2fsprogs-1.40.2-14.fc9]
+CVE-2007-5496 version (setroubleshoot, fixed 2.0) 
+CVE-2007-5495 version (setroubleshoot, fixed 1.9.4) 
 CVE-2007-5461 version (tomcat5, fixed 5.5.26) #334531 [since tomcat5-5.5.26-1jpp.1.fc9]
 CVE-2007-5395 version (link-grammar) #372361 [since link-grammar-4.2.5-1.fc9]
 CVE-2007-5393 backport (xpdf) #372481 [since xpdf-3.02-4.fc9]
@@ -479,6 +498,8 @@
 CVE-2007-1558 version (evolution, fixed 1.8.3-5)
 CVE-2007-1352 version (libXfont, fixed 1.2.8) #235265
 CVE-2007-1351 version (libXfont, fixed 1.2.8) #235265
+CVE-2007-1320 VULNERABLE (qemu) 
+CVE-2007-1320 fixed (kvm) #448525 [since FEDORA-2008-4386] 
 CVE-2007-1103 ignore (tor) #230927 CANTFIX really
 CVE-2007-1004 version (mozilla) https://bugzilla.mozilla.org/show_bug.cgi?id=402060
 CVE-2007-1003 version (xorg-x11-server, fixed 1.2.1) #235263
@@ -490,6 +511,7 @@
 CVE-2007-0095 backport (phpMyAdmin) #221694 "Reveals path" [since phpMyAdmin-2.11.3-1.fc9]
 CVE-2006-7232 version (mysql, fixed 5.0.32) 
 CVE-2006-6698 ignore (GConf2) #219280 minimal impact, let upstream deal with it if they care
+CVE-2006-6698 fixed (GConf2) 
 CVE-2006-6128 version (kernel, fixed 2.6.19) #250625 ReiserFS MOKB
 CVE-2006-6107 version (dbus, fixed 1.0.2) #219665
 CVE-2006-6077 version (firefox, fixed 1.5.0.10)


Index: fc7
===================================================================
RCS file: /cvs/fedora/fedora-security/audit/fc7,v
retrieving revision 1.377
retrieving revision 1.378
diff -u -r1.377 -r1.378
--- fc7	16 May 2008 18:59:18 -0000	1.377
+++ fc7	30 May 2008 15:18:25 -0000	1.378
@@ -7,6 +7,12 @@
 
 rhbz293031 fixed (nx) #293031 [since FEDORA-2008-2258] 
 rhbz249840 version (tor, fixed 0.1.2.15) #249840 [since FEDORA-2007-1674] 
+CVE-2008-2426 VULNERABLE (imlib2) [since imlib2-1.3.0-4.fc7] 
+CVE-2008-2420 fixed (stunnel, fixed 4.24) [since FEDORA-2008-4606] 
+CVE-2008-2392 ignore (wordpress) issue only in certain deployments, not affected by default
+CVE-2008-2359 ignore (system-config-network) F8 specific issue
+CVE-2008-2357 fixed (mtr, fixed 0.73) 
+CVE-2008-2302 fixed (Django, fixed 0.96.2) #447257 [since FEDORA-2008-4191] 
 CVE-2008-2276 VULNERABLE (mantis) upstream fix in 1.2.0a1 seems useless
 CVE-2008-2266 ignore (perl-Convert-UUlib) embedded uulib copy uses mkstemp
 CVE-2008-2168 ignore (httpd) browser issue, not apache
@@ -28,6 +34,9 @@
 CVE-2008-1974 VULNERABLE (kronolith, fixed 3.1.8) #444403 [since FEDORA-2008-3460] 
 CVE-2008-1964 ignore (xine-lib) bogus vulnerability report
 CVE-2008-1959 fixed (sipp, fixed 3.1) [since FEDORA-2008-3508] 
+CVE-2008-1950 fixed (gnutls, fixed 2.2.4) #447509 [since FEDORA-2008-4274] 
+CVE-2008-1949 fixed (gnutls, fixed 2.2.4) #447509 [since FEDORA-2008-4274] 
+CVE-2008-1948 fixed (gnutls, fixed 2.2.4) #447509 [since FEDORA-2008-4274] 
 CVE-2008-1944 VULNERABLE (xen, fixed 3.2) [since xen-3.1.2-3.fc7]
 CVE-2008-1943 VULNERABLE (xen) [since xen-3.1.2-3.fc7]
 CVE-2008-1937 ignore (moin, fixed 1.6.3) 1.6.x only
@@ -35,7 +44,7 @@
 CVE-2008-1928 fixed (perl-Imager, fixed 0.64) #443939 [since FEDORA-2008-3920] 
 CVE-2008-1927 fixed (perl) [since FEDORA-2008-3399] 
 CVE-2008-1926 VULNERABLE (util-linux) 
-CVE-2008-1924 VULNERABLE (phpMyAdmin, fixed 2.11.5.2) [since phpMyAdmin-2.11.5.2-1.fc7] PMASA-2008-3
+CVE-2008-1924 version (phpMyAdmin, fixed 2.11.5.2) [since FEDORA-2008-3560] PMASA-2008-3
 CVE-2008-1923 version (asterisk) upstream fix incomplete, resulting in CVE-2008-1897
 CVE-2008-1897 fixed (asterisk, fixed 1.4.19.1) [since FEDORA-2008-3365] 
 CVE-2008-1878 fixed (xine-lib, fixed 1.1.12.1) #443054 [since FEDORA-2008-3326] nsf demuxer overflow
@@ -44,10 +53,12 @@
 CVE-2008-1836 ignore (clamav, fixed 0.93) affected code introduced after 0.92.1
 CVE-2008-1835 ignore (clamav, fixed 0.93) unrar code not shipped
 CVE-2008-1833 fixed (clamav, fixed 0.93-rc1) #442362 [since FEDORA-2008-3358] 
+CVE-2008-1804 VULNERABLE (snort, fixed 2.8.1) 
 CVE-2008-1803 fixed (rdesktop, fixed 1.6.0) #445841 [since FEDORA-2008-3985] 
 CVE-2008-1802 fixed (rdesktop, fixed 1.6.0) #445841 [since FEDORA-2008-3985] 
 CVE-2008-1801 fixed (rdesktop, fixed 1.6.0) #445841 [since FEDORA-2008-3985] 
 CVE-2008-1796 fixed (comix) [since FEDORA-2008-2993] 
+CVE-2008-1767 version (libxslt, fixed 1.1.24) [since libxslt-1.1.24-1.fc7] 
 CVE-2008-1729 ignore (drupal) 6.x only
 CVE-2008-1722 fixed (cups) #445801 [since FEDORA-2008-3449] 
 CVE-2008-1720 fixed (rsync, fixed 3.0.2) #441689 [since FEDORA-2008-3060] 
@@ -57,9 +68,11 @@
 CVE-2008-1693 fixed (poppler, fixed 0.6.2) #443026 [since FEDORA-2008-3312] 
 CVE-2008-1688 ignore (m4, fixed 1.4.11) not really a security issue
 CVE-2008-1687 ignore (m4, fixed 1.4.11) not really a security issue
-CVE-2008-1686 VULNERABLE (libfishsound, fixed 0.9.1) #441246 [since FEDORA-2008-3117] 
+CVE-2008-1686 fixed (libfishsound, fixed 0.9.1) #441246 [since FEDORA-2008-3117] 
 CVE-2008-1686 fixed (speex) #442571 [since FEDORA-2008-3191] 
+CVE-2008-1678 ignore (httpd) only affects systems with openssl >= 0.9.8e
 CVE-2008-1677 VULNERABLE (fedora-ds-base) #445808 
+CVE-2008-1672 ignore (openssl, fixed 0.9.8h) not affected
 CVE-2008-1671 ignore (kdelibs) start_kdeinit not setuid
 CVE-2008-1670 ignore (kdelibs) kdelibs 4.x only
 CVE-2008-1670 fixed (kdelibs4) #444398 [since FEDORA-2008-3379] kdelibs 4.x only
@@ -77,7 +90,7 @@
 CVE-2008-1552 fixed (libsilc, fixed 1.1.7) #438382 [since FEDORA-2008-2641] 
 CVE-2008-1532 version (Perlbal, fixed 1.70) #439055 [since FEDORA-2008-2788] 
 CVE-2008-1531 fixed (lighttpd) #439067 [since FEDORA-2008-3343] 
-CVE-2008-1515 VULNERABLE (otrs) #439723
+CVE-2008-1515 fixed (otrs) #439933 [since FEDORA-2008-3100] 
 CVE-2008-1488 VULNERABLE (php-pecl-apc) #438846 
 CVE-2008-1483 ignore (openssh) was alrady fixed by another patch
 CVE-2008-1482 fixed (xine-lib) #438669 [since FEDORA-2008-2945] 
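Review bot: the CVE-2008-1515 change swaps the bug reference from #439723 to #439933 in the same line that flips the state to fixed, and the log message says nothing about it. Please confirm #439933 is the intended tracker for this branch; if both bugs are relevant, keeping both references in the row would avoid losing the earlier one.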
@@ -146,6 +159,7 @@
 CVE-2008-1131 ignore (drupal) #435815 drupal 6.x only
 CVE-2008-1111 fixed (lighttpd) #435808 [since FEDORA-2008-2278] 
 CVE-2008-1110 version (xine-lib, fixed 1.1.10) [since FEDORA-2008-1047]
+CVE-2008-1105 VULNERABLE (samba, fixed 3.0.30) [since samba-3.0.28a-1.fc7] 
 CVE-2008-1103 VULNERABLE (blender) not fixed upstream
 CVE-2008-1102 fixed (blender) #443935 [since FEDORA-2008-3862] 
 CVE-2008-1100 fixed (clamav, fixed 0.93) #442362 [since FEDORA-2008-3358] 
@@ -168,6 +182,7 @@
 CVE-2008-0928 fixed (qemu) #433562 [since FEDORA-2008-1995] 
 CVE-2008-0928 fixed (kvm) #433565 [since FEDORA-2008-1993] 
 CVE-2008-0928 fixed (xen) #434638 [since FEDORA-2008-2083] 
+CVE-2008-0891 ignore (openssl, fixed 0.9.8h) not affected
 CVE-2008-0888 ignore (unzip) caught by glibc malloc checks
 CVE-2008-0887 fixed (gnome-screensaver) #440255 [since FEDORA-2008-2967] 
 CVE-2008-0806 fixed (wyrd) #433721 [since FEDORA-2008-1986] 
@@ -237,7 +252,7 @@
 CVE-2008-0404 fixed (mantis) #429552 [since FEDORA-2008-0796] 
 CVE-2008-0386 fixed (xdg-utils) #429513 [since FEDORA-2008-1015] 
 CVE-2008-0364 ignore (bittorrent) Windows only
-CVE-2008-0320 VULNERABLE (openoffice.org, fixed 2.4) #442845 
+CVE-2008-0320 fixed (openoffice.org, fixed 2.4) #442845 [since FEDORA-2008-4104] 
 CVE-2008-0318 fixed (clamav, fixed 0.92.1) [since FEDORA-2008-1608] 
 CVE-2008-0314 fixed (clamav, fixed 0.93) #442362 [since FEDORA-2008-3358] 
 CVE-2008-0304 version (seamonkey, fixed 1.1.8) [since FEDORA-2008-1669]
@@ -376,6 +391,7 @@
 CVE-2007-5965 version (qt4, fixed 4.3.3) [since FEDORA-2007-4354]
 CVE-2007-5964 backport (autofs) #421351 [since FEDORA-2007-4469]
 CVE-2007-5963 backport (kdebase) [since FEDORA-2008-1264] 
+CVE-2007-5962 fixed (vsftpd) [since FEDORA-2008-4373] 
 CVE-2007-5960 version (mozilla, fixed ff 2.0.0.10, sm 1.1.7) [since FEDORA-2007-3952]
 CVE-2007-5959 version (mozilla, fixed ff 2.0.0.10, sm 1.1.7) [since FEDORA-2007-3952]
 CVE-2007-5958 fixed (xorg-x11-server, fixed 1.4.1) #429125 [since FEDORA-2008-0831] 
@@ -402,9 +418,9 @@
 CVE-2007-5760 fixed (xorg-x11-server, fixed 1.4.1) #429125 [since FEDORA-2008-0831] 
 CVE-2007-5759 ignore (clamav, fixed 0.92) duplicate of CVE-2007-6335
 CVE-2007-5751 backport (liferea, fixed 1.4.6) #360641 [since FEDORA-2007-2725]
-CVE-2007-5747 VULNERABLE (openoffice.org, fixed 2.4) #442845 
-CVE-2007-5746 VULNERABLE (openoffice.org, fixed 2.4) #442845 
-CVE-2007-5745 VULNERABLE (openoffice.org, fixed 2.4) #442845 
+CVE-2007-5747 fixed (openoffice.org, fixed 2.4) #442845 [since FEDORA-2008-4104] 
+CVE-2007-5746 fixed (openoffice.org, fixed 2.4) #442845 [since FEDORA-2008-4104] 
+CVE-2007-5745 fixed (openoffice.org, fixed 2.4) #442845 [since FEDORA-2008-4104] 
 CVE-2007-5742 version (wesnoth, fixed 1.2.8) [since FEDORA-2007-3986]
 CVE-2007-5728 version (phpPgAdmin) seems to be fixed for some time
 CVE-2007-5715 backport (denyhosts) fixed long ago
@@ -427,6 +443,8 @@
 CVE-2007-5501 version (kernel) [since FEDORA-2007-3751]
 CVE-2007-5500 version (kernel) [since FEDORA-2007-3751]
 CVE-2007-5497 fixed (e2fsprogs) #414571 [since FEDORA-2007-4461] 
+CVE-2007-5496 ignore (setroubleshoot, fixed 2.0) 
+CVE-2007-5495 version (setroubleshoot, fixed 1.9.4) 
 CVE-2007-5461 version (tomcat5) #334511 [since FEDORA-2007-3456]
 CVE-2007-5416 ignore (drupal) Vulnerability in PHP<5.1.3, we're safe
 CVE-2007-5398 version (samba) [since FEDORA-2007-3402]
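Review bot: the added "CVE-2007-5496 ignore (setroubleshoot, fixed 2.0)" row has no reason after it, unlike the other ignore rows in this file (for example "Vulnerability in PHP<5.1.3, we're safe" two lines below), and the same CVE is recorded as "version" in the f8 and f9 files in this commit. Suggest adding the reason this branch is not affected, or aligning the state with f8 and f9 if the difference is unintended.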
@@ -863,7 +881,8 @@
 *CVE-2007-1322 ** (qemu) #238723
 *CVE-2007-1321 ** (qemu) #238723
 CVE-2007-1321 backport (xen) [since FEDORA-2007-2270]
-*CVE-2007-1320 ** (qemu) #238723
+CVE-2007-1320 VULNERABLE (qemu) 
+CVE-2007-1320 VULNERABLE (kvm) 
 CVE-2007-1308 version (kdelibs)
 CVE-2007-1287 ignore (php) See NVD
 CVE-2007-1286 version (php, PHP4 only)
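Review bot: replacing "*CVE-2007-1320 ** (qemu) #238723" with "CVE-2007-1320 VULNERABLE (qemu)" drops the #238723 reference, while the neighbouring CVE-2007-1322 and CVE-2007-1321 qemu rows keep it. Since the new state is VULNERABLE, the row should keep a bug to track; suggest retaining #238723 on the qemu row and adding a bug number to the new kvm row as well.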
@@ -1025,6 +1044,7 @@
 *CVE-2006-6731 ** (java-ibm)
 *CVE-2006-6719 backport (wget) #221469 [since FEDORA-2007-043]
 *CVE-2006-6698 ignore (GConf2) #219280 minimal impact
+CVE-2006-6698 fixed (GConf2) [since GConf2-2.22.0-5.fc10] 
 CVE-2006-6693 ignore (zabbix, fixed 1.1.3, < 1.1.4 not shipped)
 CVE-2006-6692 ignore (zabbix, fixed 1.1.3, < 1.1.4 not shipped)
 CVE-2006-6660 ignore (kdelibs) client Dos only, not reproducible
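Review bot: the added row "CVE-2006-6698 fixed (GConf2) [since GConf2-2.22.0-5.fc10]" cites an fc10 build in the fc7 file, while the matching row added to the f10 file in this same commit has no [since ...] tag at all, so the tag looks like it landed in the wrong file. It also leaves the starred "*CVE-2006-6698 ignore (GConf2) #219280 minimal impact" row above it in place, giving two conflicting states for one CVE and package. Suggest moving the fc10 build tag to f10 and recording here either an fc7 build or advisory, or keeping only the ignore row if fc7 did not receive the fix.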



