On Tue, 4 Jan 2011 19:11:16 +1100 Silvio Cesare wrote:
I think RHEL maintains security tracking but I do not know the
There are per-product errata listing pages available on Red Hat Network
and can be accessed without having to log in via:
You can also list all errata for a specific CVE id by accessing a URL such as:
CVE pages aim to combine released errata info with additional info (bug
link, impact rating and scoring, possible statements) at the single
Fedora, as far as I know, does not publicly and actively maintain
security tracking once an advisory is released.
Bodhi search can be used to locate updates referencing a specific CVE id,
assuming it was assigned at the time the update was released, e.g. the
example for CVE-2010-4221 that Paul used:
The update system does not allow changing the CVE list for update requests.
All info about released updates is usually removed from Bodhi shortly
after the Fedora version EOL. So, unlike RHN, you won't find info there on
A simple report I generated last year was tracking of packages and
the CVEs that they reference in an advisory. I did that by scraping
the public mailing list archive of advisories/updates and grepping
for CVE references. I have made a report from last year publicly
I suspect this list is likely to be affected by this issue:
The update system allows referencing multiple builds in one update request,
but when such a request is turned into email notifications, there's a
separate mail sent for each build. Firefox updates are a good example,
as they usually contain half a dozen builds or more (firefox +
xulrunner, and a bunch of apps using gecko libs that required a rebuild).
This might be useful on the Fedora wiki.
Such a list is going to get outdated soon. Tools that can be used to
re-generate the list may be more useful to those that want to do
Another report I made which may or may not be useful to the security
team is a list of packages between Debian and Fedora that are roughly
equivalent, irrespective of what the package names are
Out of curiosity, how should Similarity number be interpreted?
Tomas Hoger / Red Hat Security Response Team
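An added example (not code from either poster or from Fedora's own tooling) of the package-to-CVE report described in this thread, written so that it is not thrown off by the one-mail-per-build notifications Tomas describes. It assumes Bodhi-style notification mails whose subject reads "Fedora N Update: NEVR" and whose body carries an "Update ID:" line; the four sample mails, the package names, the update ids and the CVE ids in them are all constructed placeholders, not real advisories.

```python
import re
from collections import defaultdict
from email import message_from_string

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,7}")
# Assumption: Bodhi mails carry "Update ID: <id>" in the body and the
# build NEVR in the subject. Real archive mails may differ; adjust here.
UPDATE_ID_RE = re.compile(r"^Update ID:\s*(\S+)", re.MULTILINE)
SUBJECT_RE = re.compile(r"Fedora \d+ Update: (\S+)")

# Constructed sample notifications: one update covering three builds
# (the firefox/xulrunner/rebuild pattern) plus one single-build update.
SAMPLE_MAILS = [
"""Subject: [SECURITY] Fedora 14 Update: firefox-3.6.99-1.fc14

Update ID: FEDORA-2010-00001
Security fix for CVE-2010-1111 and CVE-2010-2222.
""",
"""Subject: [SECURITY] Fedora 14 Update: xulrunner-1.9.2.99-1.fc14

Update ID: FEDORA-2010-00001
Security fix for CVE-2010-1111 and CVE-2010-2222.
""",
"""Subject: [SECURITY] Fedora 14 Update: gnome-web-photo-0.9-9.fc14

Update ID: FEDORA-2010-00001
Rebuilt against new gecko. Fixes CVE-2010-1111, CVE-2010-2222.
""",
"""Subject: [SECURITY] Fedora 14 Update: example-daemon-1.0-2.fc14

Update ID: FEDORA-2010-00002
Fixes CVE-2010-3333.
""",
]


def parse_notification(text):
    """Extract build NEVR, update id and the set of CVE ids from one mail."""
    msg = message_from_string(text)
    subject = msg["Subject"] or ""
    body = msg.get_payload()
    build_m = SUBJECT_RE.search(subject)
    upd_m = UPDATE_ID_RE.search(body)
    return {
        "build": build_m.group(1) if build_m else None,
        "update_id": upd_m.group(1) if upd_m else None,
        "cves": sorted(set(CVE_RE.findall(subject + "\n" + body))),
    }


def build_to_package(build):
    """NEVR 'firefox-3.6.99-1.fc14' -> 'firefox' (drop version and release)."""
    return build.rsplit("-", 2)[0]


def naive_counts(mails):
    """What a plain grep over the archive reports: mails per CVE.
    Every extra build in an update inflates the count by one."""
    counts = defaultdict(int)
    for text in mails:
        for cve in set(CVE_RE.findall(text)):
            counts[cve] += 1
    return dict(counts)


def cves_per_update(mails):
    """Collapse per-build mails onto their update id, keeping every
    package that was rebuilt as part of it."""
    updates = {}
    for text in mails:
        n = parse_notification(text)
        entry = updates.setdefault(n["update_id"], {"packages": set(), "cves": set()})
        entry["packages"].add(build_to_package(n["build"]))
        entry["cves"].update(n["cves"])
    return {uid: {"packages": sorted(v["packages"]), "cves": sorted(v["cves"])}
            for uid, v in updates.items()}


def packages_for_cve(mails):
    """CVE -> sorted list of source packages whose update referenced it."""
    out = defaultdict(set)
    for upd in cves_per_update(mails).values():
        for cve in upd["cves"]:
            out[cve].update(upd["packages"])
    return {cve: sorted(pkgs) for cve, pkgs in out.items()}


if __name__ == "__main__":
    print("mails per CVE (naive grep):", naive_counts(SAMPLE_MAILS))
    print("updates:", cves_per_update(SAMPLE_MAILS))
    print("packages per CVE:", packages_for_cve(SAMPLE_MAILS))
```

Grouping on the update id rather than on the mail is what keeps a three-build firefox update from showing up as three separate fixes for the same CVE; the per-package view still records that xulrunner and the gecko consumers were rebuilt, which is the information a tracking report actually wants.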