Author: thoger
Update of /cvs/fedora/fedora-security/audit In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv3063/audit
Modified Files: f8 fc6 fc7 Log Message: add pcre flaws process large pile of fedora updates
Index: f8 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/f8,v retrieving revision 1.13 retrieving revision 1.14 diff -u -r1.13 -r1.14 --- f8 12 Nov 2007 16:11:24 -0000 1.13 +++ f8 12 Nov 2007 19:07:43 -0000 1.14 @@ -8,34 +8,35 @@ # Up to date F8 as of 20071029
CVE-2007-5795 VULNERABLE (emacs) #367591 -CVE-2007-5770 backport (ruby) #373391 really? +CVE-2007-5770 backport (ruby) #373391 [since FEDORA-2007-2812] GENERIC-MAP-NOMATCH VULNERABLE (nx) #293031 -CVE-2007-5751 backport (liferea, fixed 1.4.6) #360641 [since liferea-1.2.23-5.fc8] -CVE-2007-5712 VULNERABLE (Django, fixed 0.96.1) #362771 version, 20071106 Testing -CVE-2007-5708 VULNERABLE (openldap, fixed 2.3.39) #362991 version, 20071106 Testing -CVE-2007-5707 VULNERABLE (openldap, fixed 2.3.39) #362991 version, 20071106 Testing +CVE-2007-5751 backport (liferea, fixed 1.4.6) #360641 [since FEDORA-2007-2853] +CVE-2007-5712 version (Django, fixed 0.96.1) #362771 [since FEDORA-2007-2788] +CVE-2007-5708 version (openldap, fixed 2.3.39) #362991 [since FEDORA-2007-2796] +CVE-2007-5707 version (openldap, fixed 2.3.39) #362991 [since FEDORA-2007-2796] CVE-2007-5624 VULNERABLE (nagios, fixed 2.10) #362801 CVE-2007-5623 backport (nagios-plugins, not fixed 1.4.10) #348731 [since FEDORA-2007-2876] nagios-plugins-1.4.8-9.fc8 CVE-2007-5589 VULNERABLE (phpMyAdmin, fixed 2.11.1.2) #333661 PMASA-2007-6 CVE-2007-5461 VULNERABLE (tomcat5, not fixed 5.5.25) #363001 CVE-2007-5395 VULNERABLE (link-grammar) #372351 -CVE-2007-5393 VULNERABLE (xpdf) #372471 +CVE-2007-5393 backport (xpdf) #372471 [since FEDORA-2007-3014] CVE-2007-5393 backport (cups) [since FEDORA-2007-2982] CVE-2007-5393 VULNERABLE (poppler) #372511 -CVE-2007-5393 VULNERABLE (kdegraphics) #372571 -CVE-2007-5393 VULNERABLE (koffice) #372601 +CVE-2007-5393 backport (kdegraphics) #372571 [since FEDORA-2007-3001] +CVE-2007-5393 backport (koffice) #372601 [since FEDORA-2007-3093] CVE-2007-5393 VULNERABLE (tetex) #372661 -CVE-2007-5392 VULNERABLE (xpdf) #372471 +CVE-2007-5392 backport (xpdf) #372471 [since FEDORA-2007-3014] CVE-2007-5392 backport (cups) [since FEDORA-2007-2982] CVE-2007-5392 VULNERABLE (poppler) #372511 -CVE-2007-5392 VULNERABLE (kdegraphics) #372571 -CVE-2007-5392 VULNERABLE (koffice) #372601 +CVE-2007-5392 backport (kdegraphics) #372571 [since FEDORA-2007-3001] +CVE-2007-5392 backport (koffice) #372601 [since FEDORA-2007-3093] CVE-2007-5392 VULNERABLE (tetex) #372661 CVE-2007-5386 version (phpmyadmin, fixed 2.11.1.1) #333661 PMASA-2007-5 CVE-2007-5201 VULNERABLE (duplicity, no upstream fix) #362831 CVE-2007-5200 version (hugin) #362861 [since FEDORA-2007-2807] hugin-0.6.1-11.fc8 CVE-2007-5198 VULNERABLE (nagios-plugins, fixed 1.4.10) #362891 -CVE-2007-5197 version (mono, fixed 1.2.5.1) #367541 [since mono-1.2.5.1-2.fc8] +CVE-2007-5197 version (mono, fixed 1.2.5.1) #367541 [since FEDORA-2007-2969] +CVE-2007-5162 version (ruby) [since FEDORA-2007-2812] CVE-2007-5116 VULNERABLE (perl) #378141 CVE-2007-5079 VULNERABLE (gdm) #363021 Red Hat specific problem CVE-2007-5037 version (inotify-tools, fixed 3.11) #299771 @@ -50,14 +51,15 @@ CVE-2007-4476 backport (tar) #280961 [since FEDORA-2007-2800] tar-1.17-4.fc8 CVE-2007-4476 backport (cpio, not fixed 2.9) #363891 [since FEDORA-2007-2827] cpio-2.9-5.fc8 CVE-2007-4400 VULNERABLE (konversation) #362921 Remove media script? -CVE-2007-4351 version (cups) #362971 [since cups-1.3.4-2.fc8] -CVE-2007-4352 VULNERABLE (xpdf) #372471 +CVE-2007-4351 version (cups) #362971 [since FEDORA-2007-2982] +CVE-2007-4352 backport (xpdf) #372471 [since FEDORA-2007-3014] CVE-2007-4352 backport (cups) [since FEDORA-2007-2982] CVE-2007-4352 VULNERABLE (poppler) #372511 -CVE-2007-4352 VULNERABLE (kdegraphics) #372571 -CVE-2007-4352 VULNERABLE (koffice) #372601 +CVE-2007-4352 backport (kdegraphics) #372571 [since FEDORA-2007-3001] +CVE-2007-4352 backport (koffice) #372601 [since FEDORA-2007-3093] CVE-2007-4352 VULNERABLE (tetex) #372661 -CVE-2007-4351 VULNERABLE (cups) #362971 +CVE-2007-4351 version (cups) #362971 [since FEDORA-2007-2982] +CVE-2007-4045 backport (cups) [since FEDORA-2007-2982] CVE-2007-3999 VULNERABLE (nfs-utils-lib) #362091 CVE-2007-3999 VULNERABLE (libtirpc) #362111 CVE-2007-3920 VULNERABLE (compiz, not fixed upstream) #363061
Index: fc6 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc6,v retrieving revision 1.295 retrieving revision 1.296 diff -u -r1.295 -r1.296 --- fc6 12 Nov 2007 16:11:24 -0000 1.295 +++ fc6 12 Nov 2007 19:07:43 -0000 1.296 @@ -8,7 +8,7 @@ # Up to date FC6 as of 20071029
CVE-2007-5795 version (emacs, only 21) -CVE-2007-5770 VULNERABLE (ruby) #373371 +CVE-2007-5770 backport (ruby) #373371 [since FEDORA-2007-738] CVE-2007-5461 VULNERABLE (tomcat5) #334521 CVE-2007-5393 VULNERABLE (cups) CVE-2007-5393 VULNERABLE (poppler) #372491 @@ -22,7 +22,7 @@ CVE-2007-5337 version (mozilla) ff 2.0.0.8, tb 2.0.0.6, sm 1.1.5 CVE-2007-5335 ignore (mozilla) ff2 only CVE-2007-5334 version (mozilla) ff 2.0.0.8, tb 2.0.0.6, sm 1.1.5 -CVE-2007-5269 VULNERABLE (libpng, fixed 1.2.21) #337471 +CVE-2007-5269 backport (libpng, fixed 1.2.21) #337471 [since FEDORA-2007-734] CVE-2007-5268 ignore (libpng) shipped version too old and not affected CVE-2007-5267 ignore (libpng) shipped version too old and not affected CVE-2007-5266 ignore (libpng) shipped version too old and not affected @@ -57,19 +57,21 @@ CVE-2007-4659 ignore (php, fixed 5.2.4) #276531 (FC7/php-5.2 only) CVE-2007-4658 backport (php, fixed 5.2.4) #278011 [since FEDORA-2007-709] CVE-2007-4657 ignore (php, fixed 5.2.4) arbitrary read not remotely triggerable -CVE-2007-4619 backport (flac, fixed 1.2) #332581 [since flac-1.1.2-28] +CVE-2007-4619 backport (flac, fixed 1.2) #332581 [since FEDORA-2007-730] CVE-2007-4571 version (kernel) [since FEDORA-2007-714] CVE-2007-4569 backport (kdebase) #299741 [since FEDORA-2007-716] CVE-2007-4568 VULNERABLE (xorg-x11-xfs, fixed 1.0.5) #373251 CVE-2007-4565 backport (fetchmail) #260881 [since FEDORA-2007-689] CVE-2007-4559 VULNERABLE (python, not fixed upstream) #315291 Upstream WONTFIX. See where we use the code. CVE-2007-4558 ignore (star, fixed 1.5a84) duplicate of CVE-2007-4134 +CVE-2007-4476 backport (cpio) [since FEDORA-2007-742] +CVE-2007-4476 backport (tar) [since FEDORA-2007-735] CVE-2007-4465 version (httpd) [since FEDORA-2007-707] CVE-2007-4357 ignore (firefox) status bar can be overwrittten CVE-2007-4352 VULNERABLE (cups) CVE-2007-4352 VULNERABLE (poppler) #372491 CVE-2007-4352 VULNERABLE (kdegraphics) #372551 -CVE-2007-4351 VULNERABLE (cups) #361671 +CVE-2007-4351 backport (cups) #361671 [since FEDORA-2007-740] CVE-2007-4255 ignore (php) msql extension not shipped CVE-2007-4251 ignore (openoffice.org) just a crash CVE-2007-4229 ignore (kdebase) just an ASSERT fail @@ -90,7 +92,7 @@ CVE-2007-3962 ignore (gftp) multiple buffer overflows in fsplib, not on Linux CVE-2007-3961 ignore (gftp) off-by-one error in fsplib CVE-2007-3920 VULNERABLE (compiz) #350271 -CVE-2007-3919 backport (xen) #362001 [since xen-3.0.3-13.fc6] +CVE-2007-3919 backport (xen) #362001 [since FEDORA-2007-737] CVE-2007-3852 backport (sysstat) #252296 [since FEDORA-2007-675] CVE-2007-3848 version (kernel) [since FEDORA-2007-679] CVE-2007-3847 version (httpd) #250756 [since FEDORA-2007-707] @@ -168,6 +170,8 @@ CVE-2007-1841 backport (ipsec-tools) #238052 [since FEDORA-2007-665] CVE-2007-1797 backport (ImageMagick) #235075 [since FEDORA-2007-413] CVE-2007-1667 backport (libX11) [since FEDORA-2007-426] +CVE-2007-1660 VULNERABLE (pcre, fixed 7.3) #378401 +CVE-2007-1659 VULNERABLE (pcre, fixed 7.3) #378401 CVE-2007-1565 ignore (kdebase) client crash CVE-2007-1564 ignore (kdebase) Correct behavior according to RFC CVE-2007-1562 version (mozilla) #241840 [since FEDORA-2007-549] @@ -228,6 +232,7 @@ CVE-2007-0006 backport (kernel, fixed in -mm) [since FEDORA-2007-226] CVE-2007-0005 version (kernel, fixed 2.6.20) [since FEDORA-2007-335] CVE-2007-0002 version (libwpd, fixed 0.8.9) #222808 [since FEDORA-2007-351] +CVE-2006-7224 VULNERABLE (pcre, fixed 6.7) #378401 CVE-2006-7221 ignore (gftp) single zero byte overflow in fsplib CVE-2006-6939 version (ed, fixed 0.3) #223075 [since FEDORA-2007-100] CVE-2006-6899 version (bluez-utils, fixed 2.23)
Index: fc7 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc7,v retrieving revision 1.170 retrieving revision 1.171 diff -u -r1.170 -r1.171 --- fc7 12 Nov 2007 16:11:24 -0000 1.170 +++ fc7 12 Nov 2007 19:07:43 -0000 1.171 @@ -13,7 +13,7 @@ CVE-2007-5751 backport (liferea, fixed 1.4.6) #360641 [since FEDORA-2007-2725] CVE-2007-5728 version (phpPgAdmin) seems to be fixed for some time CVE-2007-5715 backport (denyhosts) fixed long ago -CVE-2007-5712 VULNERABLE (Django, fixed 0.96.1) #362761 +CVE-2007-5712 version (Django, fixed 0.96.1) #362761 [since FEDORA-2007-3157] CVE-2007-5708 VULNERABLE (openldap, fixed 2.3.39) #360081 CVE-2007-5707 VULNERABLE (openldap, fixed 2.3.39) #360081 CVE-2007-5626 ignore (bacula) known, documented limitation @@ -30,17 +30,17 @@ CVE-2007-5461 VULNERABLE (tomcat5) #334511 CVE-2007-5416 ignore (drupal) Vulnerability in PHP<5.1.3, we're safe CVE-2007-5395 VULNERABLE (link-grammar) #372341 -CVE-2007-5393 VULNERABLE (xpdf) #372461 -CVE-2007-5393 VULNERABLE (cups) +CVE-2007-5393 backport (xpdf) #372461 [since FEDORA-2007-3031] +CVE-2007-5393 backport (cups) [since FEDORA-2007-3100] CVE-2007-5393 VULNERABLE (poppler) #372501 CVE-2007-5393 VULNERABLE (kdegraphics) #372561 -CVE-2007-5393 VULNERABLE (koffice) #372591 +CVE-2007-5393 backport (koffice) #372591 [since FEDORA-2007-3059] CVE-2007-5393 VULNERABLE (tetex) #372651 -CVE-2007-5392 VULNERABLE (xpdf) #372461 -CVE-2007-5392 VULNERABLE (cups) +CVE-2007-5392 backport (xpdf) #372461 [since FEDORA-2007-3031] +CVE-2007-5392 backport (cups) [since FEDORA-2007-3100] CVE-2007-5392 VULNERABLE (poppler) #372501 CVE-2007-5392 VULNERABLE (kdegraphics) #372561 -CVE-2007-5392 VULNERABLE (koffice) #372591 +CVE-2007-5392 backport (koffice) #372591 [since FEDORA-2007-3059] CVE-2007-5392 VULNERABLE (tetex) #372651 CVE-2007-5386 version (phpmyadmin, fixed 2.11.1.1) #333661 PMASA-2007-5 [since FEDORA-2007-2738] CVE-2007-5340 version (mozilla) ff 2.0.0.8, tb 2.0.0.6, sm 1.1.5 [since FEDORA-2007-2664] @@ -57,9 +57,9 @@ CVE-2007-5226 backport (dircproxy) #319301 [since FEDORA-2007-2419] CVE-2007-5208 backport (hplip) #329111 [since FEDORA-2007-2527] CVE-2007-5201 VULNERABLE (duplicity) #362821 -CVE-2007-5200 VULNERABLE (hugin) #362851 +CVE-2007-5200 backport (hugin) #362851 [since FEDORA-2007-2989] CVE-2007-5198 VULNERABLE (nagios-plugins, fixed 1.4.10) #362881 -CVE-2007-5197 VULNERABLE (mono, fixed 1.2.5.1) #367531 +CVE-2007-5197 backport (mono, fixed 1.2.5.1) #367531 [since FEDORA-2007-3130] CVE-2007-5191 backport (util-linux) #320141 [since FEDORA-2007-2462] CVE-2007-5162 version (ruby) #313801 [since FEDORA-2007-2406] CVE-2007-5159 backport (ntfs-3g) #298651 [since FEDORA-2007-2295] @@ -70,7 +70,7 @@ CVE-2007-5105 ignore (wordpress) affects old 2.0.x versions CVE-2007-5079 VULNERABLE (gdm) #363011 CVE-2007-5038 version (bugzilla, fixed 3.0.2, 3.1.2) #299981 [since FEDORA-2007-2299] -CVE-2007-5037 VULNERABLE (inotify-tools) #299771 +CVE-2007-5037 version (inotify-tools) #299771 [since FEDORA-2007-3074] CVE-2007-5034 version (elinks) #297981 [since FEDORA-2007-2224] CVE-2007-5007 version (balsa) #297601 [since FEDORA-2007-2302] GENERIC-MAP-NOMATCH VULNERABLE (nx) #293031 @@ -91,6 +91,9 @@ CVE-2007-4829 VULNERABLE (perl-Archive-Tar) #315321 CVE-2007-4828 version (mediawiki, fixed 1.11.0, 1.10.2, 1.9.4) #287881 [since FEDORA-2007-2189] CVE-2007-4826 version (quagga, fixed 0.99.9) [since FEDORA-2007-2196] +CVE-2007-4768 VULNERABLE (pcre, fixed 7.3) #378411 +CVE-2007-4767 VULNERABLE (pcre, fixed 7.3) #378411 +CVE-2007-4766 VULNERABLE (pcre, fixed 7.3) #378411 CVE-2007-4752 VULNERABLE (openssh) #280461 CVE-2007-4743 backport (krb5) incomplete CVE-2007-3999 fix [since FEDORA-2007-2066] CVE-2007-4730 ignore (xorg-x11) #286051 ajax says F7 is not vulnerable @@ -106,7 +109,7 @@ CVE-2007-4650 version (gallery2) #267421 [since FEDORA-2007-2020] CVE-2007-4629 version (mapserver, fixed 4.10.3) #272081 [since FEDORA-2007-2018] CVE-2007-4631 version (qgit) #268381 [since FEDORA-2007-2108] -CVE-2007-4619 version (flac, fixed 1.2) #332571 [since flac-1.2.1-1.fc7] +CVE-2007-4619 version (flac, fixed 1.2) #332571 [since FEDORA-2007-2596] CVE-2007-4573 version (kernel) [since FEDORA-2007-2298] CVE-2007-4571 version (kernel) [since FEDORA-2007-2349] CVE-2007-4569 backport (kdebase) #299731 [since FEDORA-2007-2361] @@ -123,18 +126,18 @@ CVE-2007-4533 backport (vavoom) #256621 [since FEDORA-2007-1977] CVE-2007-4532 backport (vavoom) #256621 [since FEDORA-2007-1977] CVE-2007-4510 version (clamav, fixed 0.91.2) #253780 [since FEDORA-2007-2050] -CVE-2007-4476 VULNERABLE (cpio) +CVE-2007-4476 backport (cpio) [since FEDORA-2007-2744] CVE-2007-4476 backport (tar) [since FEDORA-2007-2673] CVE-2007-4465 version (httpd) [since FEDORA-2007-2214] CVE-2007-4462 version (po4a) #253541 [since FEDORA-2007-1763] CVE-2007-4460 backport (id3lib) #253553 [since FEDORA-2007-1774] CVE-2007-4400 VULNERABLE (konversation) #362911 CVE-2007-4357 ignore (firefox) status bar can be overwrittten -CVE-2007-4352 VULNERABLE (xpdf) #372461 -CVE-2007-4352 VULNERABLE (cups) +CVE-2007-4352 backport (xpdf) #372461 [since FEDORA-2007-3031] +CVE-2007-4352 backport (cups) [since FEDORA-2007-3100] CVE-2007-4352 VULNERABLE (poppler) #372501 CVE-2007-4352 VULNERABLE (kdegraphics) #372561 -CVE-2007-4352 VULNERABLE (koffice) #372591 +CVE-2007-4352 backport (koffice) #372591 [since FEDORA-2007-3059] CVE-2007-4352 VULNERABLE (tetex) #372651 CVE-2007-4351 backport (cups) #361661 [since FEDORA-2007-2715] CVE-2007-4323 backport (denyhosts) #252291 [since FEDORA-2007-0589] @@ -159,6 +162,7 @@ CVE-2007-4131 backport (tar) #253684 [since FEDORA-2007-1890] CVE-2007-4066 backport (libvorbis) #245991 [since FEDORA-2007-1765] CVE-2007-4065 backport (libvorbis) #245991 [since FEDORA-2007-1765] +CVE-2007-4045 backport (cups) [since FEDORA-2007-3100] CVE-2007-4033 backport (t1lib) #303021 [since FEDORA-2007-2343] CVE-2007-4029 backport (libvorbis) #245991 [since FEDORA-2007-1765] CVE-2007-4000 backport (krb5) [since FEDORA-2007-2017] @@ -369,6 +373,10 @@ CVE-2007-1665 version (ekg) #246034 [since FEDORA-2007-0791] CVE-2007-1664 version (ekg) #246034 [since FEDORA-2007-0791] CVE-2007-1663 version (ekg) #246034 [since FEDORA-2007-0791] +CVE-2007-1662 VULNERABLE (pcre, fixed 7.3) #378411 +CVE-2007-1661 VULNERABLE (pcre, fixed 7.3) #378411 +CVE-2007-1660 VULNERABLE (pcre, fixed 7.3) #378411 +CVE-2007-1659 VULNERABLE (pcre, fixed 7.3) #378411 CVE-2007-1649 version (php, fixed 5.2.2) CVE-2007-1622 version (wordpress, fixed 2.1.3-0.rc2) #233703 CVE-2007-1614 version (zziplib, fixed 0.13.49) #233700 @@ -556,6 +564,7 @@ CVE-2007-0005 version (kernel, fixed 2.6.20) [since FEDORA-2007-335] CVE-2007-0002 version (libwpd, fixed 0.8.9) #222808 [since FEDORA-2007-351] CVE-2007-0001 ignore (kernel) rhel4 2.6.9 only known affected +CVE-2006-7224 VULNERABLE (pcre, fixed 6.7) #378411 CVE-2006-7221 ignore (gftp) single zero byte overflow in fsplib CVE-2006-7205 ignore (php) See NVD CVE-2006-7204 ignore (php) See NVD @@ -1361,7 +1370,7 @@ CVE-2005-4807 ignore (binutils, gas fixed 20050721) this is a bug CVE-2005-4803 version (graphviz, fixed 2.2.1) CVE-2005-4798 version (kernel, not 2.6) -CVE-2005-4790 VULNERABLE (tomboy) #362941 +CVE-2005-4790 backport (tomboy) #362941 [since FEDORA-2007-3011] CVE-2005-4784 ignore (glibc) struct dirent is big enough CVE-2005-4746 version (freeradius, fixed 1.0.5) CVE-2005-4745 version (freeradius, fixed 1.0.5)
security-commits@lists.fedoraproject.org