Summary of vulnerabilities with FC3
Mark J Cox
mjc at redhat.com
Tue Nov 9 12:20:58 UTC 2004
Near the release time of each new distribution the Red Hat security team
go through all the security advisories for the past few years as well as
issues that affected others but not Red Hat to ensure that the new
distribution is up to date with security patches. We did this with FC3 a
few weeks ago and corrected most of the issues we found that were unfixed.
So this email is just really a FYI so we have the details stored for
future reference.
(The method is to collect a list of all possible vulnerabilities that
could affect the FC3 package set, by CVE name. This list comes from all
RHEL3 advisories to date, all FC1 and FC2 update notifications, our
internal list of issues that didn't need fixing for whatever reason, the
CVE named issues in Bugzilla, and finally looking at new packages in FC3
that were not previously in another release). Then for each CVE issue we
look to see which upstream version (if any) the vulnerability is fixed in,
and if FC3 contains that (or a better) upstream version. If not, we check
to see if the FC3 package contains a backported fix for the issue. For
this audit we trust changelog entries that say that a backported fix is
included since these will have already been audited by us when the
relevant FC2/1 or RHEL advisory came out. We also trust upstream
announcements that state which versions have fixed particular
vulnerabilities.)
So this table gives the CVE name, the reason why FC3 isn't vulnerable
(either it has an upstream version that isn't vulnerable, or it contains a
backported security fix), and optional comments showing the package name,
version it was fixed in, or method used to verify the details.
Corrections or missed issues appreciated to secalert at redhat.com (although
now FC3 is out we track all new issues in a different way, so we won't do
new versions of this table).
CAN-2003-0328 backport (epic, changelog)
CAN-2003-0542 version (httpd, fixed 2.0.48)
CAN-2003-0564 version (Mozilla, ICAT)
CAN-2003-0594 version (Mozilla, ICAT)
CAN-2003-0789 version (httpd, fixed 2.0.48)
CAN-2003-0848 backport (slocate, changelog)
CAN-2003-0853 version (coreutils, fixed 5.1.3)
CAN-2003-0856 version (iproute)
CAN-2003-0858 version (quagga, fixed 0.95)
CAN-2003-0859 version (glibc, checked source)
CAN-2003-0925 version (ethereal, fixed 0.9.16)
CAN-2003-0926 version (ethereal, fixed 0.9.16)
CAN-2003-0927 version (ethereal, fixed 0.9.16)
CAN-2003-0935 version (Net-SNMP, fixed 5.0.9)
CAN-2003-0962 version (rsync, fixed 2.5.7)
CAN-2003-0963 version (lftp, fixed after 2.6.9)
CAN-2003-0967 version (FreeRADIUS, fixed after 0.9.2)
CAN-2003-0971 version (GnuPG, fixed after 1.0.2)
CAN-2003-0973 version (mod_python, fixed 3.0.4)
CAN-2003-0977 version (CVS, fixed 1.11.10)
CAN-2003-0989 version (tcpdump, fixed 3.8.1)
CAN-2003-0992 version (mailman, fixed 2.1.4)
CAN-2003-1012 version (ethereal, fixed 0.10.0)
CAN-2003-1013 version (ethereal, fixed 0.10.0)
CAN-2003-1023 version (mc, 4.6.1)
CAN-2004-0006 version (Gaim, fixed 0.76)
CAN-2004-0007 version (Gaim, fixed 0.75)
CAN-2004-0008 version (Gaim, fixed 0.75)
CAN-2004-0055 version (tcpdump, fixed 3.8.2)
CAN-2004-0057 version (tcpdump, fixed 3.8.2)
CAN-2004-0079 backport (OpenSSL, changelog)
CAN-2004-0081 VULNERABLE (openssl096b only, see bug 138365)
CAN-2004-0083 version (XFree86)
CAN-2004-0084 version (XFree86)
CAN-2004-0097 version (PWLib, fixed 1.6.0)
CAN-2004-0098 version (php)
CAN-2004-0106 version (XFree86)
CAN-2004-0107 version (sysstat, fixed after 4.0.7)
CAN-2004-0110 version (libxml2, fixed 2.6.6)
CAN-2004-0112 backport (OpenSSL, changelog)
CAN-2004-0150 version (python, fixed 2.2.2)
CAN-2004-0155 version (Racoon)
CAN-2004-0164 version (Racoon)
CAN-2004-0174 version (httpd, fixed 2.0.49)
CAN-2004-0176 version (ethereal, fixed 0.10.3)
CAN-2004-0179 version (neon, fixed 0.24.5)
CAN-2004-0179 version (openoffice.org)
CAN-2004-0180 version (cvs, fixed 1.11.15)
CAN-2004-0182 version (mailman, only affected RH packages)
CAN-2004-0183 version (tcpdump, fixed 3.8.2)
CAN-2004-0184 version (tcpdump, fixed 3.8.2)
CAN-2004-0186 version (samba, not 3.0.2a)
CAN-2004-0226 version (mc, fixed 4.6.0)
CAN-2004-0231 version (mc, fixed 4.6.0)
CAN-2004-0232 version (mc, fixed 4.6.0)
CAN-2004-0233 backport (utempter, changelog)
CAN-2004-0234 backport (lha, changelog)
CAN-2004-0235 backport (lha, changelog)
CAN-2004-0256 version (libtool, fixed 1.5.2)
CAN-2004-0365 version (ethereal, fixed 0.10.3)
CAN-2004-0367 version (ethereal, fixed 0.10.3)
CAN-2004-0381 backport (mysql, changelog)
CAN-2004-0388 backport (mysql, changelog)
CAN-2004-0396 version (cvs, fixed 1.12.8)
CAN-2004-0397 version (subversion, fixed 1.0.1)
CAN-2004-0398 version (neon, fixed 0.24.6)
CAN-2004-0403 version (racoon, fixed 20040408a)
CAN-2004-0405 version (cvs, fixed 1.11)
CAN-2004-0409 version (xchat, fixed after 2.0.8)
CAN-2004-0411 version (kde, fixed 3.3*)
CAN-2004-0412 version (mailman, fixed 2.1.5)
CAN-2004-0413 version (subversion, fixed 1.0.5)
CAN-2004-0414 version (cvs, fixed 1.11.17)
CAN-2004-0416 version (cvs, fixed 1.11.17)
CAN-2004-0417 version (cvs, fixed 1.11.17)
CAN-2004-0418 version (cvs, fixed 1.11.17)
CAN-2004-0419 version (xorg-x11)
CAN-2004-0421 version (libpng, fixed 1.0.16)
CAN-2004-0422 version (flim, fixed 1.14.3)
CAN-2004-0426 version (rsync, fixed 2.6.1)
CAN-2004-0457 backport (mysql, changelog)
CAN-2004-0460 version (dhcp, fixed after 3.0.1rc13)
CAN-2004-0461 version (dhcp, fixed after 3.0.1rc13)
CAN-2004-0488 version (httpd, fixed 2.0.50)
CAN-2004-0493 version (httpd, fixed 2.0.50)
CAN-2004-0494 version (mc, fixed 4.6.1)
CAN-2004-0500 version (gaim, fixed 0.82)
CAN-2004-0504 version (ethereal, fixed 0.10.4)
CAN-2004-0505 version (ethereal, fixed 0.10.4)
CAN-2004-0506 version (ethereal, fixed 0.10.4)
CAN-2004-0507 version (ethereal, fixed 0.10.4)
CAN-2004-0519 version (squirrelmail, fixed 1.4.3a)
CAN-2004-0520 version (squirrelmail, fixed 1.4.3a)
CAN-2004-0521 version (squirrelmail, fixed 1.4.3a)
CAN-2004-0523 version (krb5, fixed 1.3.4)
CAN-2004-0541 version (squid)
CAN-2004-0557 version (sox, fixed after 12.17.4)
CAN-2004-0558 version (cups, fixed 1.1.21)
CAN-2004-0594 version (php, fixed 4.3.8)
CAN-2004-0595 version (php, fixed 4.3.8)
CAN-2004-0597 version (libpng, fixed 1.2.6)
CAN-2004-0597 version (mozilla, fixed 1.7.2)
CAN-2004-0598 version (libpng, fixed 1.2.6)
CAN-2004-0599 version (libpng, fixed 1.2.6)
CAN-2004-0599 version (mozilla, fixed 1.7.2)
CAN-2004-0600 version (samba, fixed 3.0.6)
CAN-2004-0607 version (racoon, note RHSA-2004:308 has wrong text)
CAN-2004-0633 version (ethereal, fixed 0.10.5)
CAN-2004-0634 version (ethereal, fixed 0.10.5)
CAN-2004-0635 version (ethereal, fixed 0.10.5)
CAN-2004-0642 backport (krb5, changelog)
CAN-2004-0644 backport (krb5, changelog)
CAN-2004-0645 version (abiword, fixed 2.0.9)
CAN-2004-0686 version (samba, fixed 3.0.6)
CAN-2004-0687 version (OpenMotif libxpm)
CAN-2004-0687 VULNERABLE (lesstif libxpm, see bug 135080)
CAN-2004-0688 version (OpenMotif libxpm)
CAN-2004-0687 VULNERABLE (lesstif libxpm, see bug 135081)
CAN-2004-0689 version (kde, fixed 3.3.0)
CAN-2004-0691 version (gdk-pixbuf; qt, fixed 3.3.3)
CAN-2004-0692 version (qt, fixed 3.3.3)
CAN-2004-0693 version (qt, fixed 3.3.3)
CAN-2004-0694 backport (lha, changelog)
CAN-2004-0718 version (mozilla #246448, fixed 1.7)
CAN-2004-0721 version (kde, fixed 3.3*)
CAN-2004-0722 version (mozilla #236618, fixed 1.7)
CAN-2004-0745 backport (lha, changelog)
CAN-2004-0746 version (kde, fixed 3.3*)
CAN-2004-0747 version (httpd, fixed 2.0.51)
CAN-2004-0748 version (httpd, fixed 2.0.51)
CAN-2004-0749 version (subversion, fixed 1.0.8)
CAN-2004-0750 version (redhat-config-nfs, fixed 1.0.13)
CAN-2004-0751 version (httpd, fixed 2.0.51)
CAN-2004-0752 backport (openoffice.org, in ooo-build-cvs)
CAN-2004-0753 backport (gtk2; gdk-pixbuf, changelog)
CAN-2004-0753 version (gdk-pixbuf, fixed 0.22)
CAN-2004-0754 version (gaim, fixed 0.82)
CAN-2004-0755 version (ruby, fixed 1.8.1)
CAN-2004-0757 version (mozilla #229374, fixed 1.7)
CAN-2004-0758 version (mozilla, fixed 1.7.2)
CAN-2004-0759 version (mozilla #241924, fixed 1.7)
CAN-2004-0760 version (mozilla #250906, fixed 1.7.2)
CAN-2004-0761 version (mozilla #240053, fixed 1.7)
CAN-2004-0762 version (mozilla #162020, fixed 1.7)
CAN-2004-0763 version (mozilla #253121, fixed 1.7.2)
CAN-2004-0764 version (mozilla #244965, fixed 1.7)
CAN-2004-0765 version (mozilla #234058, fixed 1.7)
CAN-2004-0769 backport (lha, changelog)
CAN-2004-0771 backport (lha, changelog)
CAN-2004-0772 backport (krb5, changelog)
CAN-2004-0778 version (cvs, fixed 1.11.17)
CAN-2004-0782 backport (gtk2; gdk-pixbuf, patch)
CAN-2004-0782 version (gtk;gdk-pixbuf, fixed 0.22)
CAN-2004-0783 backport (gtk2; gdk-pixbuf, patch)
CAN-2004-0783 version (gtk;gdk-pixbuf, fixed 0.22)
CAN-2004-0784 version (gaim, fixed 0.82)
CAN-2004-0785 version (gaim, fixed 0.82)
CAN-2004-0786 backport (apr-util, changelog)
CAN-2004-0788 backport (gtk2; gdk-pixbuf, patch)
CAN-2004-0788 version (gtk;gdk-pixbuf, fixed 0.22)
CAN-2004-0792 version (rsync)
CAN-2004-0796 version (spamassassin, fixed 2.64)
CAN-2004-0797 version (zlib)
CAN-2004-0801 version (foomatic, fixed 3.0.2)
CAN-2004-0803 backport (libtiff, changelog)
CAN-2004-0803 version (kdegraphics, fixed by Update on 20041109)
CAN-2004-0804 backport (libtiff, changelog)
CAN-2004-0804 version (kdegraphics, fixed by Update on 20041109)
CAN-2004-0806 version (cdrecord, fixed 2.0.1)
CAN-2004-0807 version (samba, fixed 3.0.7)
CAN-2004-0808 version (samba, fixed 3.0.7)
CAN-2004-0809 version (httpd, fixed 2.0.51)
CAN-2004-0811 version (httpd, fixed 2.0.52)
CAN-2004-0817 backport (imlib, changelog)
CAN-2004-0827 version (ImageMagick, fixed 6.0.6.2)
CAN-2004-0829 (not a security issue)
CAN-2004-0832 version (squid, fixed 2.5.7)
CAN-2004-0835 backport (mysql, changelog)
CAN-2004-0836 backport (mysql, changelog)
CAN-2004-0837 backport (mysql, changelog)
CAN-2003-0860 version (php, fixed 4.3.3)
CAN-2003-0861 version (php, fixed 4.3.3)
CAN-2004-0884 backport (cyrus-sasl, changelog)
CAN-2004-0885 backport (httpd, changelog)
CAN-2004-0886 backport (libtiff, changelog)
CAN-2004-0886 version (kdegraphics, fixed by Update on 20041109)
CAN-2004-0888 backport (xpdf, changelog)
CAN-2004-0888 backport (cups, **since 1.1.22-0.rc1.8** FC3-3.3)
CAN-2004-0888 backport (gpdf, **since 2.8.0-5** FC3-3.4)
CAN-2004-0888 VULNERABLE (tetex, see bug 137476)
CAN-2004-0889 backport (xpdf, changelog)
CAN-2004-0891 backport (gaim, changelog)
CAN-2004-0902 version (mozilla #133023, fixed 1.7.3)
CAN-2004-0903 version (mozilla #133016, fixed 1.7.3)
CAN-2004-0904 version (mozilla #133014, fixed 1.7.3)
CAN-2004-0905 version (mozilla #133012, fixed 1.7.3)
CAN-2004-0908 version (mozilla #133021, fixed 1.7.3)
CAN-2004-0918 backport (squid, changelog)
CAN-2004-0923 backport (cups, changelog)
CAN-2004-0930 VULNERABLE (Samba, see bug 138326)
CAN-2004-0938 version (freeradius, fixed 1.0.1)
CAN-2004-0942 VULNERABLE (httpd, see bug 138065)
CAN-2004-0957 backport (mysql, changelog)
CAN-2004-0958 version (php, fixed 4.3.9)
CAN-2004-0959 version (php, fixed 4.3.9)
CAN-2004-0960 version (freeradius, fixed 1.0.1)
CAN-2004-0961 version (freeradius, fixed 1.0.1)
CAN-2004-0966 backport (gettext, **since 0.14.1-12** FC3-3.8)
CAN-2004-0967 backport (ghostscript, changelog)
CAN-2004-0968 backport (glibc, changelog)
CAN-2004-0969 backport (groff, changelog)
CAN-2004-0971 VULNERABLE (krb5, see bug 136307)
CAN-2004-0972 VULNERABLE (lvm, see bug 136309)
CAN-2004-0974 VULNERABLE (tetex, see bug 137966)
CAN-2004-0975 VULNERABLE (openssl, see bug 136303)
CAN-2004-0976 version (perl, since 5.8.4)
CAN-2004-0977 backport (postgresql, **since 7.4.5-4** FC3-3.2)
CAN-2004-0981 VULNERABLE (ImakeMagick, see bug 138385)
CAN-2004-0983 VULNERABLE (Ruby, see bug 138366)
CAN-2004-0989 backport (libxml2, **since 2.6.14-2** FC3-3.3)
CAN-2004-0990 VULNERABLE (gd, see bug 137247)
CVE-2002-1363 version (libpng, fixed 1.2.6)
CVE-2003-0020 version (httpd, fixed 2.0.49)
CVE-2003-0924 version (netpbm, fixed 9.26)
CVE-2003-0988 version (kde, fixed 3.1.5)
CVE-2004-0078 backport (mutt, changelog)
CVE-2004-0082 version (samba, fixed 3.0.2)
CVE-2004-0096 version (mod_python, fixed after 2.7.9)
CVE-2004-0108 version (sysstat)
CVE-2004-0111 version (gdk-pixbuf, fixed 0.20)
CVE-2004-0113 version (httpd, fixed 2.0.49)
CVE-2004-0189 version (squid, fixed 2.5stable5)
CVE-2004-0191 version (Mozilla, fixed 1.4.2)
More information about the fedora-devel-list
mailing list