Author: thoger
Update of /cvs/fedora/fedora-security/audit
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv14130/audit
Modified Files:
f10 f8 f9 fc7
Log Message:
lots of stuff from last 2 weeks
Index: f10
===================================================================
RCS file: /cvs/fedora/fedora-security/audit/f10,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- f10 16 May 2008 18:59:18 -0000 1.3
+++ f10 30 May 2008 15:18:25 -0000 1.4
@@ -4,25 +4,38 @@
# *CVE are items that need verification for Fedora 10
# (mozilla) = (gecko-libs dependent stuff)
+CVE-2008-2426 backport (imlib2) [since imlib2-1.4.0-7.fc10]
+CVE-2008-2420 version (stunnel, fixed 4.24) [since stunnel-4.24-2]
+CVE-2008-2392 ignore (wordpress) issue only in certain deployments, not affected by
default
+CVE-2008-2359 ignore (system-config-network) F8 specific issue
+CVE-2008-2357 fixed (mtr, fixed 0.73)
+CVE-2008-2302 version (Django, fixed 0.96.2) #447260 [since Django-0.96.2-1.fc10]
CVE-2008-2276 VULNERABLE (mantis) upstream fix in 1.2.0a1 seems useless
CVE-2008-2266 ignore (perl-Convert-UUlib) embedded uulib copy uses mkstemp
CVE-2008-2168 ignore (httpd) browser issue, not apache
CVE-2008-2085 VULNERABLE (sipp) #446222
-CVE-2008-2079 VULNERABLE (mysql, fixed 5.0.60) #445806
+CVE-2008-2079 VULNERABLE (mysql, fixed 5.0.60) #445804
CVE-2008-2004 VULNERABLE (xen) disables format autodetection by default [since
xen-3.2.0-11.fc10]
CVE-2008-2004 VULNERABLE (qemu) fix mostly useless without libvirt changes
CVE-2008-2004 VULNERABLE (kvm) fix mostly useless without libvirt changes
CVE-2008-1999 VULNERABLE (WebKit)
+CVE-2008-1950 backport (gnutls, fixed 2.2.4) #447512 [since gnutls-2.0.4-3.fc10]
+CVE-2008-1949 backport (gnutls, fixed 2.2.4) #447512 [since gnutls-2.0.4-3.fc10]
+CVE-2008-1948 backport (gnutls, fixed 2.2.4) #447512 [since gnutls-2.0.4-3.fc10]
CVE-2008-1944 version (xen, fixed 3.2)
CVE-2008-1943 VULNERABLE (xen) [since xen-3.2.0-11.fc10]
CVE-2008-1928 version (perl-Imager, fixed 0.64) [since perl-Imager-0.64-2.fc10]
CVE-2008-1926 backport (util-linux-ng) [since util-linux-ng-2.13.1-8.1.fc9]
CVE-2008-1836 version (clamav, fixed 0.93) [since clamav-0.93-1.fc9]
+CVE-2008-1804 version (snort, fixed 2.8.1) [since snort-2.8.1-3.fc10]
CVE-2008-1803 version (rdesktop, fixed 1.6.0) [since rdesktop-1.6.0-1.fc10]
CVE-2008-1802 version (rdesktop, fixed 1.6.0) [since rdesktop-1.6.0-1.fc10]
CVE-2008-1801 version (rdesktop, fixed 1.6.0) [since rdesktop-1.6.0-1.fc10]
CVE-2008-1771 version (mt-daapd) [since mt-daapd-0.2.4.2-2.fc10]
+CVE-2008-1767 version (libxslt, fixed 1.1.24) [since libxslt-1.1.24-1.fc10]
+CVE-2008-1678 VULNERABLE (httpd) #447312 only affects systems with openssl >= 0.9.8e
CVE-2008-1677 VULNERABLE (fedora-ds-base) #445810
+CVE-2008-1672 backport (openssl, fixed 0.9.8h) #448691 [since openssl-0.9.8g-9.fc10]
CVE-2008-1531 backport (lighttpd) [since lighttpd-1.4.19-4.fc10]
CVE-2008-1488 VULNERABLE (php-pecl-apc) #438848
CVE-2008-1423 backport (libvorbis) #446344 [since libvorbis-1.2.0-4.fc10]
@@ -32,9 +45,11 @@
CVE-2008-1382 VULNERABLE (libpng, fixed 1.2.27) minimal impact, affected api rarely used
CVE-2008-1382 version (libpng10) [since libpng10-1.0.37-1.fc10]
CVE-2008-1360 version (nagios) #437852 [since nagios-2.11-3.fc9]
+CVE-2008-1105 VULNERABLE (samba, fixed 3.0.30)
CVE-2008-1103 VULNERABLE (blender) not fixed upstream
CVE-2008-1100 version (clamav, fixed 0.93) [since clamav-0.93-1.fc9]
-CVE-2008-1078 VULNERABLE (am-utils) #437746
+CVE-2008-1078 backport (am-utils) #437746 [since am-utils-6.1.5-10.fc10]
+CVE-2008-0891 backport (openssl, fixed 0.9.8h) #448691 [since openssl-0.9.8g-9.fc10]
CVE-2008-0553 version (tkimg) [since tkimg-1.3-0.10.20080505svn.fc10]
CVE-2008-0314 version (clamav, fixed 0.93) [since clamav-0.93-1.fc9]
CVE-2008-0166 ignore (openssl) Debian specific
@@ -42,11 +57,15 @@
CVE-2007-6321 VULNERABLE (roundcubemail) #423301
CVE-2007-6318 VULNERABLE (wordpress) #426434
CVE-2007-6131 VULNERABLE (scanbuttond)
+CVE-2007-5962 fixed (vsftpd) [since vsftpd-2.0.6-4.fc10]
CVE-2007-5907 VULNERABLE (xen) #390121
CVE-2007-5906 VULNERABLE (xen) #390121
CVE-2007-5803 VULNERABLE (nagios, not fixed 2.11) #446383
CVE-2007-5079 VULNERABLE (gdm) #363041 Red Hat specific problem
CVE-2007-4829 VULNERABLE (perl, not fixed upstream) #364291 perl-Archive-Tar directory
traversal
CVE-2007-4559 VULNERABLE (python, not fixed upstream) #315291 Upstream WONTFIX. See where
we use the code.
+CVE-2007-1320 VULNERABLE (qemu)
+CVE-2007-1320 VULNERABLE (kvm)
+CVE-2006-6698 fixed (GConf2)
CVE-2006-1390 VULNERABLE (nethack) bz#187353, but requires other access to games group
Index: f8
===================================================================
RCS file: /cvs/fedora/fedora-security/audit/f8,v
retrieving revision 1.221
retrieving revision 1.222
diff -u -r1.221 -r1.222
--- f8 16 May 2008 18:59:18 -0000 1.221
+++ f8 30 May 2008 15:18:25 -0000 1.222
@@ -6,6 +6,12 @@
rhbz293031 fixed (nx) #293031 [since FEDORA-2008-2258]
rhbz249840 version (tor, fixed 0.1.2.15)
+CVE-2008-2426 VULNERABLE (imlib2) [since imlib2-1.4.0-7.fc8]
+CVE-2008-2420 fixed (stunnel, fixed 4.24) [since FEDORA-2008-4579]
+CVE-2008-2392 ignore (wordpress) issue only in certain deployments, not affected by
default
+CVE-2008-2359 fixed (system-config-network) [since FEDORA-2008-4633]
+CVE-2008-2357 fixed (mtr, fixed 0.73)
+CVE-2008-2302 fixed (Django, fixed 0.96.2) #447258 [since FEDORA-2008-4248]
CVE-2008-2276 VULNERABLE (mantis) upstream fix in 1.2.0a1 seems useless
CVE-2008-2266 ignore (perl-Convert-UUlib) embedded uulib copy uses mkstemp
CVE-2008-2168 ignore (httpd) browser issue, not apache
@@ -27,6 +33,9 @@
CVE-2008-1974 VULNERABLE (kronolith, fixed 3.1.8) #444404 [since FEDORA-2008-3543]
CVE-2008-1964 ignore (xine-lib) bogus vulnerability report
CVE-2008-1959 fixed (sipp, fixed 3.1) [since FEDORA-2008-3501]
+CVE-2008-1950 fixed (gnutls, fixed 2.2.4) #447510 [since FEDORA-2008-4183]
+CVE-2008-1949 fixed (gnutls, fixed 2.2.4) #447510 [since FEDORA-2008-4183]
+CVE-2008-1948 fixed (gnutls, fixed 2.2.4) #447510 [since FEDORA-2008-4183]
CVE-2008-1944 VULNERABLE (xen, fixed 3.2) [since xen-3.1.2-3.fc8]
CVE-2008-1943 VULNERABLE (xen) [since xen-3.1.2-3.fc8]
CVE-2008-1937 ignore (moin, fixed 1.6.3) 1.6.x only
@@ -34,7 +43,7 @@
CVE-2008-1928 fixed (perl-Imager, fixed 0.64) #443940 [since FEDORA-2008-3352]
CVE-2008-1927 fixed (perl) [since FEDORA-2008-3392]
CVE-2008-1926 fixed (util-linux-ng) [since FEDORA-2008-3419]
-CVE-2008-1924 VULNERABLE (phpMyAdmin, fixed 2.11.5.2) [since phpMyAdmin-2.11.5.2-1.fc8]
PMASA-2008-3
+CVE-2008-1924 version (phpMyAdmin, fixed 2.11.5.2) [since FEDORA-2008-3461] PMASA-2008-3
CVE-2008-1923 version (asterisk) upstream fix incomplete, resulting in CVE-2008-1897
CVE-2008-1897 fixed (asterisk, fixed 1.4.19.1) [since FEDORA-2008-3390]
CVE-2008-1878 fixed (xine-lib, fixed 1.1.12.1) #443055 [since FEDORA-2008-3353] nsf
demuxer overflow
@@ -43,10 +52,12 @@
CVE-2008-1836 ignore (clamav, fixed 0.93) affected code introduced after 0.92.1
CVE-2008-1835 ignore (clamav, fixed 0.93) unrar code not shipped
CVE-2008-1833 fixed (clamav, fixed 0.93-rc1) #442363 [since FEDORA-2008-3420]
+CVE-2008-1804 VULNERABLE (snort, fixed 2.8.1)
CVE-2008-1803 fixed (rdesktop, fixed 1.6.0) #445842 [since FEDORA-2008-3917]
CVE-2008-1802 fixed (rdesktop, fixed 1.6.0) #445842 [since FEDORA-2008-3917]
CVE-2008-1801 fixed (rdesktop, fixed 1.6.0) #445842 [since FEDORA-2008-3917]
CVE-2008-1796 fixed (comix) [since FEDORA-2008-2981]
+CVE-2008-1767 version (libxslt, fixed 1.1.24) [since libxslt-1.1.24-1.fc8]
CVE-2008-1729 ignore (drupal) 6.x only
CVE-2008-1722 fixed (cups) #445802 [since FEDORA-2008-3586]
CVE-2008-1720 fixed (rsync, fixed 3.0.2) #441690 [since FEDORA-2008-3047]
@@ -58,7 +69,9 @@
CVE-2008-1687 ignore (m4, fixed 1.4.11) not really a security issue
CVE-2008-1686 fixed (libfishsound, fixed 0.9.1) #441247 [since FEDORA-2008-3059]
CVE-2008-1686 fixed (speex) #442572 [since FEDORA-2008-3103]
+CVE-2008-1678 ignore (httpd) only affects systems with openssl >= 0.9.8e
CVE-2008-1677 VULNERABLE (fedora-ds-base) #445809
+CVE-2008-1672 ignore (openssl, fixed 0.9.8h) not affected
CVE-2008-1671 ignore (kdelibs) start_kdeinit not setuid
CVE-2008-1670 ignore (kdelibs) kdelibs 4.x only
CVE-2008-1670 fixed (kdelibs4) #444399 [since FEDORA-2008-3412] kdelibs 4.x only
@@ -90,7 +103,7 @@
CVE-2008-1390 fixed (asterisk, fixed 1.4.19-rc3) #438133 [since FEDORA-2008-2554]
CVE-2008-1387 fixed (clamav, fixed 0.93) #442363 [since FEDORA-2008-3420]
CVE-2008-1382 VULNERABLE (libpng, fixed 1.2.27) minimal impact, affected api rarely used
-CVE-2008-1382 VULNERABLE (libpng10) [since FEDORA-2008-3937]
+CVE-2008-1382 fixed (libpng10) [since FEDORA-2008-3937]
CVE-2008-1381 fixed (zoneminder, fixed 1.23.3) #444436 [since FEDORA-2008-3462]
CVE-2008-1380 VULNERABLE (firefox, fixed 2.0.0.14)
CVE-2008-1380 fixed (seamonkey, fixed 1.1.10) #442851 [since FEDORA-2008-3264]
@@ -145,6 +158,7 @@
CVE-2008-1131 ignore (drupal) #435816 drupal 6.x only
CVE-2008-1111 fixed (lighttpd) #435807 [since FEDORA-2008-2262]
CVE-2008-1110 version (xine-lib, fixed 1.1.10) [since FEDORA-2008-1043]
+CVE-2008-1105 VULNERABLE (samba, fixed 3.0.30) [since samba-3.0.30-0.fc8]
CVE-2008-1103 VULNERABLE (blender) not fixed upstream
CVE-2008-1102 fixed (blender) #443936 [since FEDORA-2008-3875]
CVE-2008-1100 fixed (clamav, fixed 0.93) #442363 [since FEDORA-2008-3420]
@@ -167,6 +181,7 @@
CVE-2008-0928 fixed (qemu) #433561 [since FEDORA-2008-2001]
CVE-2008-0928 fixed (kvm) #433564 [since FEDORA-2008-1973]
CVE-2008-0928 fixed (xen) #434639 [since FEDORA-2008-2057]
+CVE-2008-0891 ignore (openssl, fixed 0.9.8h) not affected
CVE-2008-0888 ignore (unzip) caught by glibc malloc checks
CVE-2008-0887 fixed (gnome-screensaver) #440256 [since FEDORA-2008-3017]
CVE-2008-0882 fixed (cups, fixed 1.3.6) #433803 [since FEDORA-2008-1901]
@@ -377,6 +392,7 @@
CVE-2007-5965 version (qt4, fixed 4.3.3) [since FEDORA-2007-4285]
CVE-2007-5964 backport (autofs) #409701 [since FEDORA-2007-4532]
CVE-2007-5963 backport (kdebase) [since FEDORA-2008-1283]
+CVE-2007-5962 fixed (vsftpd) [since FEDORA-2008-4347]
CVE-2007-5960 version (mozilla, fixed ff 2.0.0.10, sm 1.1.7) [since FEDORA-2007-3962]
CVE-2007-5959 version (mozilla, fixed ff 2.0.0.10, sm 1.1.7) [since FEDORA-2007-3962]
CVE-2007-5958 fixed (xorg-x11-server, fixed 1.4.1) #429126 [since FEDORA-2008-0760]
@@ -418,6 +434,8 @@
CVE-2007-5501 version (kernel) [since FEDORA-2007-3837]
CVE-2007-5500 version (kernel) [since FEDORA-2007-3837]
CVE-2007-5497 fixed (e2fsprogs) #414581 [since FEDORA-2007-4447]
+CVE-2007-5496 version (setroubleshoot, fixed 2.0)
+CVE-2007-5495 version (setroubleshoot, fixed 1.9.4)
CVE-2007-5461 version (tomcat5) #363001 [since FEDORA-2007-3474]
CVE-2007-5398 version (samba) [since FEDORA-2007-3403]
CVE-2007-5395 version (link-grammar) #372351 [since FEDORA-2007-3235]
@@ -506,6 +524,8 @@
CVE-2007-1355 version (tomcat5) [since FEDORA-2007-3474]
CVE-2007-1352 version (libXfont, fixed 1.2.8) #235265
CVE-2007-1351 version (libXfont, fixed 1.2.8) #235265
+CVE-2007-1320 VULNERABLE (qemu)
+CVE-2007-1320 fixed (kvm) #448524 [since FEDORA-2008-4604]
CVE-2007-1103 ignore (tor) #230927 CANTFIX really
CVE-2007-1004 version (mozilla)
https://bugzilla.mozilla.org/show_bug.cgi?id=402060
CVE-2007-1003 version (xorg-x11-server, fixed 1.2.1) #235263
@@ -517,6 +537,7 @@
CVE-2007-0095 backport (phpMyAdmin) #221694 "Reveals path" [since
FEDORA-2007-4334]
CVE-2006-7232 version (mysql, fixed 5.0.32)
CVE-2006-6698 ignore (GConf2) #219280 minimal impact
+CVE-2006-6698 fixed (GConf2)
CVE-2006-6128 version (kernel, fixed 2.6.19-1.2911.fc6) #250625 ReiserFS MOKB
CVE-2006-6107 version (dbus, fixed 1.0.2) #219665
CVE-2006-6077 version (firefox, fixed 1.5.0.10)
Index: f9
===================================================================
RCS file: /cvs/fedora/fedora-security/audit/f9,v
retrieving revision 1.211
retrieving revision 1.212
diff -u -r1.211 -r1.212
--- f9 16 May 2008 18:59:18 -0000 1.211
+++ f9 30 May 2008 15:18:25 -0000 1.212
@@ -5,6 +5,12 @@
# (mozilla) = (gecko-libs dependent stuff)
rhbz249840 version (tor, fixed 0.1.2.15)
+CVE-2008-2426 VULNERABLE (imlib2) [since imlib2-1.4.0-7.fc9]
+CVE-2008-2420 fixed (stunnel, fixed 4.24) [since FEDORA-2008-4531]
+CVE-2008-2392 ignore (wordpress) issue only in certain deployments, not affected by
default
+CVE-2008-2359 ignore (system-config-network) F8 specific issue
+CVE-2008-2357 fixed (mtr, fixed 0.73)
+CVE-2008-2302 fixed (Django, fixed 0.96.2) #447259 [since FEDORA-2008-4267]
CVE-2008-2276 VULNERABLE (mantis) upstream fix in 1.2.0a1 seems useless
CVE-2008-2266 ignore (perl-Convert-UUlib) embedded uulib copy uses mkstemp
CVE-2008-2168 ignore (httpd) browser issue, not apache
@@ -26,11 +32,15 @@
CVE-2008-1974 ignore (kronolith, fixed 3.1.8) #444405 package removed from f9 and
rawhide
CVE-2008-1964 ignore (xine-lib) bogus vulnerability report
CVE-2008-1959 fixed (sipp, fixed 3.1) [since FEDORA-2008-3690]
+CVE-2008-1950 fixed (gnutls, fixed 2.2.4) #447511 [since FEDORA-2008-4259]
+CVE-2008-1949 fixed (gnutls, fixed 2.2.4) #447511 [since FEDORA-2008-4259]
+CVE-2008-1948 fixed (gnutls, fixed 2.2.4) #447511 [since FEDORA-2008-4259]
CVE-2008-1944 version (xen, fixed 3.2)
CVE-2008-1943 VULNERABLE (xen) [since xen-3.2.0-11.fc9]
CVE-2008-1937 version (moin, fixed 1.6.3) [since moin-1.6.3-1.fc9]
CVE-2008-1930 ignore (wordpress, fixed 2.5.1) only for wp 2.5.0
-CVE-2008-1928 VULNERABLE (perl-Imager, fixed 0.64) #443941
+CVE-2008-1928 fixed (perl-Imager, fixed 0.64) #443941 [since FEDORA-2008-4003]
+CVE-2008-1927 fixed (perl, fixed 5.10)
CVE-2008-1926 VULNERABLE (util-linux-ng) [since util-linux-ng-2.13.1-8.1.fc9]
CVE-2008-1924 version (phpMyAdmin, fixed 2.11.5.2) [since phpMyAdmin-2.11.5.2-1.fc9]
PMASA-2008-3
CVE-2008-1923 version (asterisk) upstream fix incomplete, resulting in CVE-2008-1897
@@ -42,11 +52,13 @@
CVE-2008-1835 ignore (clamav, fixed 0.93) unrar code not shipped
CVE-2008-1834 version (swfdec, fixed 0.6.4) [since swfdec-0.6.4-1.fc9]
CVE-2008-1833 version (clamav, fixed 0.93-rc1) [since clamav-0.93-0.0.rc1.fc9]
+CVE-2008-1804 VULNERABLE (snort, fixed 2.8.1)
CVE-2008-1803 fixed (rdesktop, fixed 1.6.0) #445843 [since FEDORA-2008-3886]
CVE-2008-1802 fixed (rdesktop, fixed 1.6.0) #445843 [since FEDORA-2008-3886]
CVE-2008-1801 fixed (rdesktop, fixed 1.6.0) #445843 [since FEDORA-2008-3886]
CVE-2008-1796 fixed (comix) [since comix-3.6.4-6.fc9]
-CVE-2008-1771 VULNERABLE (mt-daapd) [since mt-daapd-0.2.4.2-2.fc9]
+CVE-2008-1771 fixed (mt-daapd) [since FEDORA-2008-4126]
+CVE-2008-1767 version (libxslt, fixed 1.1.24) [since libxslt-1.1.24-1.fc9]
CVE-2008-1729 version (drupal, fixed 6.2) [since drupal-6.2-1.fc9]
CVE-2008-1722 fixed (cups) #445803 [since FEDORA-2008-3756]
CVE-2008-1720 version (rsync, fixed 3.0.2) [since rsync-3.0.2-0.fc9]
@@ -58,7 +70,9 @@
CVE-2008-1687 ignore (m4, fixed 1.4.11) not really a security issue
CVE-2008-1686 version (libfishsound, fixed 0.9.1) #441248 [since
libfishsound-0.9.1-1.fc9]
CVE-2008-1686 backport (speex) [since speex-1.2-0.7.beta3]
+CVE-2008-1678 VULNERABLE (httpd) #447311 only affects systems with openssl >= 0.9.8e
CVE-2008-1677 VULNERABLE (fedora-ds-base) #445810
+CVE-2008-1672 VULNERABLE (openssl, fixed 0.9.8h) #448690
CVE-2008-1671 ignore (kdelibs) start_kdeinit not shipped
CVE-2008-1670 backport (kdelibs) [since kdelibs-4.0.3-7.fc9]
CVE-2008-1658 backport (PolicyKit) #439996 [since PolicyKit-0.7-7.fc9]
@@ -75,7 +89,7 @@
CVE-2008-1561 version (wireshark, fixed 1.0) #435488 [since wireshark-1.0.0-2.fc9]
CVE-2008-1552 version (libsilc, fixed 1.1.7) #438382 [since libsilc-1.1.7-1.fc9]
CVE-2008-1532 version (Perlbal, fixed 1.70) [since Perlbal-1.70-1.fc9]
-CVE-2008-1531 VULNERABLE (lighttpd) #439069
+CVE-2008-1531 fixed (lighttpd) #439069 [since FEDORA-2008-4119]
CVE-2008-1488 VULNERABLE (php-pecl-apc) #438848
CVE-2008-1483 ignore (openssh) was alrady fixed by another patch
CVE-2008-1482 version (xine-lib) #438671 [since xine-lib-1.1.11.1-1.fc9]
@@ -89,7 +103,7 @@
CVE-2008-1390 version (asterisk, fixed 1.6.0-beta6) #438134 [since
asterisk-1.6.0-0.6.beta6.fc9]
CVE-2008-1387 fixed (clamav, fixed 0.93) #442364 [since FEDORA-2008-3900]
CVE-2008-1382 VULNERABLE (libpng, fixed 1.2.27) minimal impact, affected api rarely used
-CVE-2008-1382 VULNERABLE (libpng10) [since FEDORA-2008-3683]
+CVE-2008-1382 fixed (libpng10) [since FEDORA-2008-3683]
CVE-2008-1381 fixed (zoneminder, fixed 1.23.3) #444437 [since FEDORA-2008-3601]
CVE-2008-1380 version (firefox, fixed 2.0.0.14)
CVE-2008-1380 backport (seamonkey, fixed 1.1.10) #442852 [since seamonkey-1.1.9-3.fc9]
@@ -142,6 +156,7 @@
CVE-2008-1131 version (drupal, fixed 6.1) #435817 [since drupal-6.1-1.fc9]
CVE-2008-1111 backport (lighttpd) #435809 [since lighttpd-1.4.18-6.fc9]
CVE-2008-1110 version (xine-lib, fixed 1.1.10) [since xine-lib-1.1.10-2.fc9]
+CVE-2008-1105 VULNERABLE (samba, fixed 3.0.30) [since samba-3.2.0-1.rc1.14.fc9]
CVE-2008-1103 VULNERABLE (blender) not fixed upstream
CVE-2008-1102 backport (blender) #443937 [since blender-2.45-12.fc9]
CVE-2008-1100 fixed (clamav, fixed 0.93) #442364 [since FEDORA-2008-3900]
@@ -164,6 +179,7 @@
CVE-2008-0928 backport (qemu) #433563 [since qemu-0.9.1-3.fc9]
CVE-2008-0928 backport (kvm) #433566 [since kvm-61-2.fc9]
CVE-2008-0928 backport (xen) [since xen-3.2.0-8.fc9]
+CVE-2008-0891 VULNERABLE (openssl, fixed 0.9.8h) #448690
CVE-2008-0888 backport (unzip) #437927 [since unzip-5.52-9.fc9]
CVE-2008-0887 version (gnome-screensaver, fixed 2.22.1) #440257 [since
gnome-screensaver-2.22.1-1.fc9]
CVE-2008-0882 version (cups, fixed 1.3.6) [since cups-1.3.6-1.fc9]
@@ -269,7 +285,7 @@
CVE-2008-0005 version (httpd, fixed 2.2.8) #427984 [since httpd-2.2.8-2]
CVE-2008-0003 version (tog-pegasus, fixed 2.7.0)
CVE-2008-0002 ignore (tomcat5) #432476 tomcat 6.x only
-CVE-2007-6714 VULNERABLE (dbmail, fixed 2.2.9) #443022 [since dbmail-2.2.9-1.fc9]
+CVE-2007-6714 fixed (dbmail, fixed 2.2.9) #443022 [since FEDORA-2008-4245]
CVE-2007-6703 version (vdccm, fixed 0.10.1) #436027
CVE-2007-6698 version (openldap, fixed 2.3.36)
CVE-2007-6697 backport (SDL_image, fixed 1.2.7) #430238 [since SDL_image-1.2.6-4.fc9]
@@ -371,6 +387,7 @@
CVE-2007-5965 version (qt4, fixed 4.3.3) [since qt4-4.3.3-1.fc9]
CVE-2007-5964 backport (autofs) #421371 [since autofs-5.0.2-21]
CVE-2007-5963 version (kdebase)
+CVE-2007-5962 fixed (vsftpd) [since FEDORA-2008-4362]
CVE-2007-5960 version (mozilla, fixed ff 2.0.0.10, sm 1.1.7)
CVE-2007-5959 version (mozilla, fixed ff 2.0.0.10, sm 1.1.7)
CVE-2007-5958 fixed (xorg-x11-server, fixed 1.4.1) #429127 [since
xorg-x11-server-1.4.99.1-0.17.20080107.fc9] code removed upstream
@@ -409,6 +426,8 @@
CVE-2007-5589 version (phpMyAdmin, fixed 2.11.1.2) #333661 PMASA-2007-6
CVE-2007-5503 version (cairo, fixed 1.4.12) [since cairo-1.5.4-1.fc9]
CVE-2007-5497 backport (e2fsprogs) #414591 [since e2fsprogs-1.40.2-14.fc9]
+CVE-2007-5496 version (setroubleshoot, fixed 2.0)
+CVE-2007-5495 version (setroubleshoot, fixed 1.9.4)
CVE-2007-5461 version (tomcat5, fixed 5.5.26) #334531 [since tomcat5-5.5.26-1jpp.1.fc9]
CVE-2007-5395 version (link-grammar) #372361 [since link-grammar-4.2.5-1.fc9]
CVE-2007-5393 backport (xpdf) #372481 [since xpdf-3.02-4.fc9]
@@ -479,6 +498,8 @@
CVE-2007-1558 version (evolution, fixed 1.8.3-5)
CVE-2007-1352 version (libXfont, fixed 1.2.8) #235265
CVE-2007-1351 version (libXfont, fixed 1.2.8) #235265
+CVE-2007-1320 VULNERABLE (qemu)
+CVE-2007-1320 fixed (kvm) #448525 [since FEDORA-2008-4386]
CVE-2007-1103 ignore (tor) #230927 CANTFIX really
CVE-2007-1004 version (mozilla)
https://bugzilla.mozilla.org/show_bug.cgi?id=402060
CVE-2007-1003 version (xorg-x11-server, fixed 1.2.1) #235263
@@ -490,6 +511,7 @@
CVE-2007-0095 backport (phpMyAdmin) #221694 "Reveals path" [since
phpMyAdmin-2.11.3-1.fc9]
CVE-2006-7232 version (mysql, fixed 5.0.32)
CVE-2006-6698 ignore (GConf2) #219280 minimal impact, let upstream deal with it if they
care
+CVE-2006-6698 fixed (GConf2)
CVE-2006-6128 version (kernel, fixed 2.6.19) #250625 ReiserFS MOKB
CVE-2006-6107 version (dbus, fixed 1.0.2) #219665
CVE-2006-6077 version (firefox, fixed 1.5.0.10)
Index: fc7
===================================================================
RCS file: /cvs/fedora/fedora-security/audit/fc7,v
retrieving revision 1.377
retrieving revision 1.378
diff -u -r1.377 -r1.378
--- fc7 16 May 2008 18:59:18 -0000 1.377
+++ fc7 30 May 2008 15:18:25 -0000 1.378
@@ -7,6 +7,12 @@
rhbz293031 fixed (nx) #293031 [since FEDORA-2008-2258]
rhbz249840 version (tor, fixed 0.1.2.15) #249840 [since FEDORA-2007-1674]
+CVE-2008-2426 VULNERABLE (imlib2) [since imlib2-1.3.0-4.fc7]
+CVE-2008-2420 fixed (stunnel, fixed 4.24) [since FEDORA-2008-4606]
+CVE-2008-2392 ignore (wordpress) issue only in certain deployments, not affected by
default
+CVE-2008-2359 ignore (system-config-network) F8 specific issue
+CVE-2008-2357 fixed (mtr, fixed 0.73)
+CVE-2008-2302 fixed (Django, fixed 0.96.2) #447257 [since FEDORA-2008-4191]
CVE-2008-2276 VULNERABLE (mantis) upstream fix in 1.2.0a1 seems useless
CVE-2008-2266 ignore (perl-Convert-UUlib) embedded uulib copy uses mkstemp
CVE-2008-2168 ignore (httpd) browser issue, not apache
@@ -28,6 +34,9 @@
CVE-2008-1974 VULNERABLE (kronolith, fixed 3.1.8) #444403 [since FEDORA-2008-3460]
CVE-2008-1964 ignore (xine-lib) bogus vulnerability report
CVE-2008-1959 fixed (sipp, fixed 3.1) [since FEDORA-2008-3508]
+CVE-2008-1950 fixed (gnutls, fixed 2.2.4) #447509 [since FEDORA-2008-4274]
+CVE-2008-1949 fixed (gnutls, fixed 2.2.4) #447509 [since FEDORA-2008-4274]
+CVE-2008-1948 fixed (gnutls, fixed 2.2.4) #447509 [since FEDORA-2008-4274]
CVE-2008-1944 VULNERABLE (xen, fixed 3.2) [since xen-3.1.2-3.fc7]
CVE-2008-1943 VULNERABLE (xen) [since xen-3.1.2-3.fc7]
CVE-2008-1937 ignore (moin, fixed 1.6.3) 1.6.x only
@@ -35,7 +44,7 @@
CVE-2008-1928 fixed (perl-Imager, fixed 0.64) #443939 [since FEDORA-2008-3920]
CVE-2008-1927 fixed (perl) [since FEDORA-2008-3399]
CVE-2008-1926 VULNERABLE (util-linux)
-CVE-2008-1924 VULNERABLE (phpMyAdmin, fixed 2.11.5.2) [since phpMyAdmin-2.11.5.2-1.fc7]
PMASA-2008-3
+CVE-2008-1924 version (phpMyAdmin, fixed 2.11.5.2) [since FEDORA-2008-3560] PMASA-2008-3
CVE-2008-1923 version (asterisk) upstream fix incomplete, resulting in CVE-2008-1897
CVE-2008-1897 fixed (asterisk, fixed 1.4.19.1) [since FEDORA-2008-3365]
CVE-2008-1878 fixed (xine-lib, fixed 1.1.12.1) #443054 [since FEDORA-2008-3326] nsf
demuxer overflow
@@ -44,10 +53,12 @@
CVE-2008-1836 ignore (clamav, fixed 0.93) affected code introduced after 0.92.1
CVE-2008-1835 ignore (clamav, fixed 0.93) unrar code not shipped
CVE-2008-1833 fixed (clamav, fixed 0.93-rc1) #442362 [since FEDORA-2008-3358]
+CVE-2008-1804 VULNERABLE (snort, fixed 2.8.1)
CVE-2008-1803 fixed (rdesktop, fixed 1.6.0) #445841 [since FEDORA-2008-3985]
CVE-2008-1802 fixed (rdesktop, fixed 1.6.0) #445841 [since FEDORA-2008-3985]
CVE-2008-1801 fixed (rdesktop, fixed 1.6.0) #445841 [since FEDORA-2008-3985]
CVE-2008-1796 fixed (comix) [since FEDORA-2008-2993]
+CVE-2008-1767 version (libxslt, fixed 1.1.24) [since libxslt-1.1.24-1.fc7]
CVE-2008-1729 ignore (drupal) 6.x only
CVE-2008-1722 fixed (cups) #445801 [since FEDORA-2008-3449]
CVE-2008-1720 fixed (rsync, fixed 3.0.2) #441689 [since FEDORA-2008-3060]
@@ -57,9 +68,11 @@
CVE-2008-1693 fixed (poppler, fixed 0.6.2) #443026 [since FEDORA-2008-3312]
CVE-2008-1688 ignore (m4, fixed 1.4.11) not really a security issue
CVE-2008-1687 ignore (m4, fixed 1.4.11) not really a security issue
-CVE-2008-1686 VULNERABLE (libfishsound, fixed 0.9.1) #441246 [since FEDORA-2008-3117]
+CVE-2008-1686 fixed (libfishsound, fixed 0.9.1) #441246 [since FEDORA-2008-3117]
CVE-2008-1686 fixed (speex) #442571 [since FEDORA-2008-3191]
+CVE-2008-1678 ignore (httpd) only affects systems with openssl >= 0.9.8e
CVE-2008-1677 VULNERABLE (fedora-ds-base) #445808
+CVE-2008-1672 ignore (openssl, fixed 0.9.8h) not affected
CVE-2008-1671 ignore (kdelibs) start_kdeinit not setuid
CVE-2008-1670 ignore (kdelibs) kdelibs 4.x only
CVE-2008-1670 fixed (kdelibs4) #444398 [since FEDORA-2008-3379] kdelibs 4.x only
@@ -77,7 +90,7 @@
CVE-2008-1552 fixed (libsilc, fixed 1.1.7) #438382 [since FEDORA-2008-2641]
CVE-2008-1532 version (Perlbal, fixed 1.70) #439055 [since FEDORA-2008-2788]
CVE-2008-1531 fixed (lighttpd) #439067 [since FEDORA-2008-3343]
-CVE-2008-1515 VULNERABLE (otrs) #439723
+CVE-2008-1515 fixed (otrs) #439933 [since FEDORA-2008-3100]
CVE-2008-1488 VULNERABLE (php-pecl-apc) #438846
CVE-2008-1483 ignore (openssh) was alrady fixed by another patch
CVE-2008-1482 fixed (xine-lib) #438669 [since FEDORA-2008-2945]
@@ -146,6 +159,7 @@
CVE-2008-1131 ignore (drupal) #435815 drupal 6.x only
CVE-2008-1111 fixed (lighttpd) #435808 [since FEDORA-2008-2278]
CVE-2008-1110 version (xine-lib, fixed 1.1.10) [since FEDORA-2008-1047]
+CVE-2008-1105 VULNERABLE (samba, fixed 3.0.30) [since samba-3.0.28a-1.fc7]
CVE-2008-1103 VULNERABLE (blender) not fixed upstream
CVE-2008-1102 fixed (blender) #443935 [since FEDORA-2008-3862]
CVE-2008-1100 fixed (clamav, fixed 0.93) #442362 [since FEDORA-2008-3358]
@@ -168,6 +182,7 @@
CVE-2008-0928 fixed (qemu) #433562 [since FEDORA-2008-1995]
CVE-2008-0928 fixed (kvm) #433565 [since FEDORA-2008-1993]
CVE-2008-0928 fixed (xen) #434638 [since FEDORA-2008-2083]
+CVE-2008-0891 ignore (openssl, fixed 0.9.8h) not affected
CVE-2008-0888 ignore (unzip) caught by glibc malloc checks
CVE-2008-0887 fixed (gnome-screensaver) #440255 [since FEDORA-2008-2967]
CVE-2008-0806 fixed (wyrd) #433721 [since FEDORA-2008-1986]
@@ -237,7 +252,7 @@
CVE-2008-0404 fixed (mantis) #429552 [since FEDORA-2008-0796]
CVE-2008-0386 fixed (xdg-utils) #429513 [since FEDORA-2008-1015]
CVE-2008-0364 ignore (bittorrent) Windows only
-CVE-2008-0320 VULNERABLE (
openoffice.org, fixed 2.4) #442845
+CVE-2008-0320 fixed (
openoffice.org, fixed 2.4) #442845 [since FEDORA-2008-4104]
CVE-2008-0318 fixed (clamav, fixed 0.92.1) [since FEDORA-2008-1608]
CVE-2008-0314 fixed (clamav, fixed 0.93) #442362 [since FEDORA-2008-3358]
CVE-2008-0304 version (seamonkey, fixed 1.1.8) [since FEDORA-2008-1669]
@@ -376,6 +391,7 @@
CVE-2007-5965 version (qt4, fixed 4.3.3) [since FEDORA-2007-4354]
CVE-2007-5964 backport (autofs) #421351 [since FEDORA-2007-4469]
CVE-2007-5963 backport (kdebase) [since FEDORA-2008-1264]
+CVE-2007-5962 fixed (vsftpd) [since FEDORA-2008-4373]
CVE-2007-5960 version (mozilla, fixed ff 2.0.0.10, sm 1.1.7) [since FEDORA-2007-3952]
CVE-2007-5959 version (mozilla, fixed ff 2.0.0.10, sm 1.1.7) [since FEDORA-2007-3952]
CVE-2007-5958 fixed (xorg-x11-server, fixed 1.4.1) #429125 [since FEDORA-2008-0831]
@@ -402,9 +418,9 @@
CVE-2007-5760 fixed (xorg-x11-server, fixed 1.4.1) #429125 [since FEDORA-2008-0831]
CVE-2007-5759 ignore (clamav, fixed 0.92) duplicate of CVE-2007-6335
CVE-2007-5751 backport (liferea, fixed 1.4.6) #360641 [since FEDORA-2007-2725]
-CVE-2007-5747 VULNERABLE (
openoffice.org, fixed 2.4) #442845
-CVE-2007-5746 VULNERABLE (
openoffice.org, fixed 2.4) #442845
-CVE-2007-5745 VULNERABLE (
openoffice.org, fixed 2.4) #442845
+CVE-2007-5747 fixed (
openoffice.org, fixed 2.4) #442845 [since FEDORA-2008-4104]
+CVE-2007-5746 fixed (
openoffice.org, fixed 2.4) #442845 [since FEDORA-2008-4104]
+CVE-2007-5745 fixed (
openoffice.org, fixed 2.4) #442845 [since FEDORA-2008-4104]
CVE-2007-5742 version (wesnoth, fixed 1.2.8) [since FEDORA-2007-3986]
CVE-2007-5728 version (phpPgAdmin) seems to be fixed for some time
CVE-2007-5715 backport (denyhosts) fixed long ago
@@ -427,6 +443,8 @@
CVE-2007-5501 version (kernel) [since FEDORA-2007-3751]
CVE-2007-5500 version (kernel) [since FEDORA-2007-3751]
CVE-2007-5497 fixed (e2fsprogs) #414571 [since FEDORA-2007-4461]
+CVE-2007-5496 ignore (setroubleshoot, fixed 2.0)
+CVE-2007-5495 version (setroubleshoot, fixed 1.9.4)
CVE-2007-5461 version (tomcat5) #334511 [since FEDORA-2007-3456]
CVE-2007-5416 ignore (drupal) Vulnerability in PHP<5.1.3, we're safe
CVE-2007-5398 version (samba) [since FEDORA-2007-3402]
@@ -863,7 +881,8 @@
*CVE-2007-1322 ** (qemu) #238723
*CVE-2007-1321 ** (qemu) #238723
CVE-2007-1321 backport (xen) [since FEDORA-2007-2270]
-*CVE-2007-1320 ** (qemu) #238723
+CVE-2007-1320 VULNERABLE (qemu)
+CVE-2007-1320 VULNERABLE (kvm)
CVE-2007-1308 version (kdelibs)
CVE-2007-1287 ignore (php) See NVD
CVE-2007-1286 version (php, PHP4 only)
@@ -1025,6 +1044,7 @@
*CVE-2006-6731 ** (java-ibm)
*CVE-2006-6719 backport (wget) #221469 [since FEDORA-2007-043]
*CVE-2006-6698 ignore (GConf2) #219280 minimal impact
+CVE-2006-6698 fixed (GConf2) [since GConf2-2.22.0-5.fc10]
CVE-2006-6693 ignore (zabbix, fixed 1.1.3, < 1.1.4 not shipped)
CVE-2006-6692 ignore (zabbix, fixed 1.1.3, < 1.1.4 not shipped)
CVE-2006-6660 ignore (kdelibs) client Dos only, not reproducible