fedora-security/audit fc5,1.5,1.6

Mark Cox (mjc) fedora-extras-commits at redhat.com
Wed Nov 23 16:36:01 UTC 2005


Author: mjc

Update of /cvs/fedora/fedora-security/audit
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv30252

Modified Files:
	fc5 
Log Message:
Backport manual checking complete



Index: fc5
===================================================================
RCS file: /cvs/fedora/fedora-security/audit/fc5,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- fc5	23 Nov 2005 14:14:09 -0000	1.5
+++ fc5	23 Nov 2005 16:35:59 -0000	1.6
@@ -1,4 +1,4 @@
-Up to date CVE as of CVE email 20051121
+Up to date CVE as of CVE email 20051122
 Up to date FC5 as of FC5-Test1-RC
 
 1. Removed packages with security issues that are no longer in FC5 
@@ -7,27 +7,26 @@
 and httpd
 3. Looked at those marked backport where we ship a newer version, manually
 looked at rest marked backport
-[todo: finish this, 19 CVE left]
 [todo: CVE from new packages added to FC5]
 [todo: file bugs for anything vulnerable]
 
 ** are items that need attention
 
-CVE-2005-3745 ** struts
-CVE-2005-3732 ** ipsec-tools
-CVE-2005-3662 version (netpbm)
-CVE-2005-3632 version (netpbm)
+CVE-2005-3745 ignore (struts, fixed 1.2.8) but not through tomcat
+CVE-2005-3732 VULNERABLE (ipsec-tools, fixed 0.6.3) fc4:bz#173842
 CVE-2005-3675 VULNERABLE (kernel) optack
 CVE-2005-3671 VULNERABLE (openswan, fixed 2.4.4)
+CVE-2005-3662 version (netpbm)
+CVE-2005-3632 version (netpbm)
 CVE-2005-3582 version (ImageMagick) gentoo only
-**CVE-2005-3573 VULNERABLE (mailman)
+CVE-2005-3573 VULNERABLE (mailman) not fixed 2.1.6
 CVE-2005-3527 version (kernel, fixed 2.6.14 at least)
 CVE-2005-3402 ignore (thunderbird) mozilla say by design
 CVE-2005-3392 version (php, not 5.0)
 CVE-2005-3391 version (php, not 5.0)
-**CVE-2005-3390 backport (php)
-**CVE-2005-3389 backport (php)
-**CVE-2005-3388 backport (php)
+CVE-2005-3390 VULNERABLE (php)
+CVE-2005-3389 VULNERABLE (php)
+CVE-2005-3388 VULNERABLE (php)
 CVE-2005-3353 version (php, not 5.0)
 CVE-2005-3351 version (spamassassin, fixed 3.1.0)
 CVE-2005-3322 version (squid) not upstream, SUSE only
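Review bot: the entries flipped to VULNERABLE in this hunk (CVE-2005-3732 ipsec-tools, CVE-2005-3388/3389/3390 php) carry no FC5 bug reference (ipsec-tools only cites an fc4 bz#), yet the "**" attention markers are dropped from all of them while the legend still says "** are items that need attention" and "[todo: file bugs for anything vulnerable]" is kept. Either keep the marker on VULNERABLE lines until a bug exists or add the bug inline, e.g. `CVE-2005-3390 VULNERABLE (php) bz#NNNNNN` (placeholder id). Also, "ignore (struts, fixed 1.2.8) but not through tomcat" is ambiguous: state whether the tomcat-bundled copy is still unfixed, since that would be a VULNERABLE entry rather than ignore.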
@@ -51,9 +50,9 @@
 CVE-2005-3242 version (ethereal, fixed 0.10.13)
 CVE-2005-3241 version (ethereal, fixed 0.10.13)
 CVE-2005-3186 backport (gdk-pixbuf)
-**CVE-2005-3186 backport (gtk2)
+CVE-2005-3186 version (gtk2, fixed 2.8.7 at least)
 CVE-2005-3185 version (curl, fixed 7.15)
-**CVE-2005-3185 blocked (wget) by FORTIFY_SOURCE
+CVE-2005-3185 version (wget, fixed 1.10.2 at least)
 CVE-2005-3184 version (ethereal, fixed 0.10.13)
 CVE-2005-3181 version (kernel, fixed 2.6.13.4 at least)
 CVE-2005-3180 version (kernel, fixed 2.6.13.4 at least)
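Review bot: the wget line replaces the mitigation rationale "blocked (wget) by FORTIFY_SOURCE" with a version claim "fixed 1.10.2 at least"; since the FORTIFY_SOURCE note was the only recorded reason this was considered non-exploitable, keep it alongside the version so the justification survives if the "at least" version turns out to be wrong.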
@@ -79,7 +78,7 @@
 CVE-2005-2977 backport (pam)
 CVE-2005-2976 backport (gdk-pixbuf)
 CVE-2005-2975 backport (gdk-pixbuf)
-**CVE-2005-2975 backport (gtk2)
+CVE-2005-2975 version (gtk2, fixed 2.8.7)
 CVE-2005-2973 version (kernel, fixed 2.6.14 at least)
 CVE-2005-2970 VULNERABLE (httpd, fixed 2.0.55)
 CVE-2005-2969 version (openssl, fixed 0.9.8a)
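Review bot: CVE-2005-2975 gtk2 is recorded as "fixed 2.8.7" while the CVE-2005-3186 gtk2 entry in the earlier hunk says "fixed 2.8.7 at least"; the two gtk2 lines should carry the same qualifier so the remaining uncertainty about the fix version is recorded consistently.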
@@ -132,13 +131,13 @@
 CVE-2005-2700 backport (httpd, fixed 2.0.55) 
 CVE-2005-2693 backport (cvs) cvs-1.11.19-tmp.patch
 CVE-2005-2672 backport (lm_sensors)
-**CVE-2005-2666 VULNERABLE (openssh) see bz#162681
+CVE-2005-2666 version (openssh, fixed 4.0p1)
 CVE-2005-2642 version (mutt) openbsd only
 CVE-2005-2641 version (nss_ldap, fixed pam_ldap:180)
 CVE-2005-2629 version (HelixPlayer, fixed 1.0.6)
 CVE-2005-2617 version (kernel, fixed 2.6.12.5)
-**CVE-2005-2602 VULNERABLE (firefox) probably
-**CVE-2005-2602 VULNERABLE (thunderbird) probably
+CVE-2005-2602 ignore (firefox) https://bugzilla.mozilla.org/show_bug.cgi?id=237085
+CVE-2005-2602 ignore (thunderbird) probably
 CVE-2005-2558 ignore (mysql) not an issue
 CVE-2005-2558 version (mysql, fixed 4.1.13)
 CVE-2005-2555 version (kernel, fixed 2.6.12.6pre)
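Review bot: the openssh line drops "see bz#162681" when its status changes to "version (openssh, fixed 4.0p1)"; keeping the bz# on the line preserves the audit trail for why it was once marked VULNERABLE. In the same hunk, CVE-2005-2602 thunderbird becomes "ignore" with only "probably" as justification, while the firefox entry above cites the Mozilla bug; cite the same bug on the thunderbird line or leave it VULNERABLE until confirmed.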
@@ -151,7 +150,7 @@
 CVE-2005-2500 version (kernel, fixed 2.6.13)
 CVE-2005-2498 version (php, fixed xml_rpc:1.4.0)
 CVE-2005-2496 backport (ntp, fixed 4.2.0b) ...0a-20040617-ntpd_guid.patch
-**CVE-2005-2495 backport (xorg-x11) [since FEDORA-2005-894]
+CVE-2005-2495 version (xorg-x11-server, fixed 0.99.3 at least)
 CVE-2005-2494 version (kdebase, fixed after 3.4.2)
 CVE-2005-2491 ignore (python) fc4 python does not contain pcre
 CVE-2005-2491 version (pcre, fixed 6.2)
@@ -160,7 +159,7 @@
 CVE-2005-2492 version (kernel, fixed 2.6.13.1)
 CVE-2005-2490 version (kernel, fixed 2.6.13.1)
 CVE-2005-2475 backport (unzip)
-**CVE-2005-2471 backport (netpbm) [since FEDORA-2005-728]
+CVE-2005-2471 backport (netpbm) netpbm-10.28-CAN-2005-2471.patch
 CVE-2005-2459 ignore (kernel, fixed 2.6.12.5) dropped as code path not possible
 CVE-2005-2458 version (kernel, fixed 2.6.12.5)
 CVE-2005-2457 version (kernel, fixed 2.6.12.5)
@@ -169,7 +168,7 @@
 CVE-2005-2448 version (kdenetwork, fixed 3.4.2)
 CVE-2005-2414 ignore (mozilla) not being fixed upstream, just a crash
 CVE-2005-2410 version (NetworkManager, fixed 5.0)
-**CVE-2005-2395 VULNERABLE (firefox) not fixed upstream, maybe not security
+CVE-2005-2395 ignore (firefox) https://bugzilla.mozilla.org/show_bug.cgi?id=281851
 CVE-2005-2370 version (kdenetwork, fixed 3.4.2)
 CVE-2005-2370 version (gaim, fixed 1.5.0)
 CVE-2005-2369 version (kdenetwork, fixed 3.4.2)
@@ -216,17 +215,17 @@
 CVE-2005-2104 version (sysreport, fixed 1.4.1-5)
 CVE-2005-2103 version (gaim, fixed 1.5.0)
 CVE-2005-2102 version (gaim, fixed 1.5.0)
-**CVE-2005-2101 backport (kdeedu) [since FEDORA-2005-744]
+CVE-2005-2101 version (kdeedu, fixed after 3.4.2)
 CVE-2005-2100 version (kernel, not 2.6) not upstream only RHEL4
 CVE-2005-2099 version (kernel, fixed 2.6.12.5)
 CVE-2005-2098 version (kernel, fixed 2.6.12.5)
 CVE-2005-2097 backport (cups)
 CVE-2005-2097 version (xpdf, fixed 3.0.1)
-**CVE-2005-2096 backport (zlib) [since FEDORA-2005-523]
-**CVE-2005-2096 backport (rpm) [since FEDORA-2005-565]
+CVE-2005-2096 backport (zlib, fixed 1.2.2.4)
+CVE-2005-2096 version (rpm, fixed 4.4.2)
 CVE-2005-2095 version (squirrelmail, fixed 1.4.5)
 CVE-2005-2088 backport (httpd, fixed 2.0.55)
-**CVE-2005-2069 backport (openldap) [since FEDORA-2005-992]
+CVE-2005-2069 backport (openldap) openldap-2.2.13-tls-fix-connection-test.patch
 CVE-2005-2069 version (nss_ldap, fixed pam_ldap:180)
 CVE-2005-2023 version (gnupg, fixed 1.9.15)
 CVE-2005-1993 version (sudo, fixed 1.6.8p9)
