Summary of FC4 vulnerabilities

Mark J Cox mjc at redhat.com
Mon Jun 13 16:50:12 UTC 2005


Quick Summary:

For 20030101-20050607 there are a potential 863 CVE named vulnerabilities that 
could have affected FC4 packages.  759 (88%) of those are fixed because FC4 
includes an upstream version that includes a fix, 10 (1%) are still 
outstanding, and 94 (11%) are fixed with a backported patch.

Method:

Near the release time of each new distribution the Red Hat security team go 
through the packages to ensure that everything is up to date with security 
patches.

The method used changed slightly from previous releases, this time for 
completeness:

1. we went through each CVE name for 2003, 2004, and 2005 (up to date as of 
20050612) ignoring those that didn't affect Linux or were in packages not in 
FC4.

2. Then for each CVE issue left we look to see which upstream version (if any) 
the vulnerability is fixed in.  Sometimes the CVE data gives us this 
information, but many times it doesn't or it's wrong and we have to investigate 
for ourselves which upstream versions fix the issues (and we've reported our 
many investigations to Mitre for updates to the CVE entries).  If we write "at 
least" we mean that we looked inside the source for that version and checked to 
see if the fix existed, but it may well have been fixed upstream prior to that 
version.

3. Where FC4 contains an upstream version greater than or equal to the upstream 
version containing a fix, we mark it as not vulnerable due to "version".

4. Remaining CVE names are checked to see if FC4 contains a backported patch in 
the package.  We trust changelog entries (since these will have already been 
audited by us when FC3/2/1 or a RHEL advisory came out).

5. For anything that looked like it wasn't fixed we talked to the package owner 
to get a fix into FC4 final.

So this table gives the CVE name, the reason why FC4 isn't vulnerable and 
optional comments showing the package name, version it was fixed in, or method 
used to verify the details.
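The classification in steps 2-4 is mechanical once the "fixed in" version and the FC4 package version and changelog are known, so the following added example (not from the original post or from Red Hat's tooling) walks a constructed table of CVE entries through the same three outcomes: "version", "backport", or outstanding.  The package names, changelog text and CVE-0000-* identifiers are placeholders invented for the example, and the version comparison is a simplified rpmvercmp-style routine written here, not rpm's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


def _segments(version: str) -> List[str]:
    """Split a version string into numeric and alphabetic runs, e.g. '1.2.10b' -> ['1','2','10','b']."""
    return re.findall(r"\d+|[a-zA-Z]+", version)


def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpm-style version compare: numeric segments compare numerically
    (so 1.2.10 > 1.2.3), alphabetic segments lexically, numeric beats alphabetic,
    and the version with segments left over is considered newer.  Returns -1, 0 or 1."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return (xi > yi) - (xi < yi)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


@dataclass
class CveEntry:
    cve: str
    package: str
    fixed_in: Optional[str]      # upstream version known to contain the fix; None if unknown
    at_least: bool = False       # True when the fix was verified in fixed_in but may predate it


@dataclass
class Fc4Package:
    version: str                 # upstream version shipped in FC4
    changelog: str               # RPM %changelog text, trusted per step 4


def classify(entry: CveEntry, packages: Dict[str, Fc4Package]) -> str:
    """Step 3: version comparison; step 4: changelog backport; otherwise outstanding."""
    pkg = packages[entry.package]
    if entry.fixed_in is not None and rpmvercmp(pkg.version, entry.fixed_in) >= 0:
        return "version"
    if entry.cve in pkg.changelog:
        return "backport"
    return "outstanding"


def summarize(entries: List[CveEntry], packages: Dict[str, Fc4Package]) -> Dict[str, int]:
    counts = {"version": 0, "backport": 0, "outstanding": 0}
    for entry in entries:
        counts[classify(entry, packages)] += 1
    return counts


def percentages(counts: Dict[str, int]) -> Dict[str, int]:
    total = sum(counts.values())
    return {k: round(100 * v / total) for k, v in counts.items()} if total else {}


# Constructed sample data: hypothetical packages 'foo' and 'bar' and placeholder CVE ids.
PACKAGES = {
    "foo": Fc4Package("1.2.10", "* Mon Jun 06 2005 Maintainer <m@example.com> 1.2.10-2\n- backport fix for CVE-0000-0002\n"),
    "bar": Fc4Package("2.1", "* Wed Jun 01 2005 Maintainer <m@example.com> 2.1-1\n- update to 2.1\n"),
}

ENTRIES = [
    CveEntry("CVE-0000-0001", "foo", "1.2.3"),               # 1.2.10 >= 1.2.3 -> version
    CveEntry("CVE-0000-0002", "foo", "1.3.0"),               # 1.2.10 < 1.3.0 but changelog names it -> backport
    CveEntry("CVE-0000-0003", "bar", None),                  # fix version unknown, no backport -> outstanding
    CveEntry("CVE-0000-0004", "bar", "2.0b", at_least=True), # 2.1 >= "at least 2.0b" -> version
]

if __name__ == "__main__":
    for e in ENTRIES:
        print(e.cve, classify(e, PACKAGES), e.package, PACKAGES[e.package].version)
    counts = summarize(ENTRIES, PACKAGES)
    print(counts, percentages(counts))
```

The numeric segment comparison is the point worth checking by hand: a plain string comparison would rank 1.2.10 below 1.2.3 and wrongly flag the first entry as outstanding.  The "at least" flag is carried through for the table but does not change the decision, since a shipped version at or above the verified version is fixed either way.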

This is based on FC4 gold.  Corrections or missed issues (ones showing in CVE) 
appreciated to secalert at redhat.com.  We'll keep this up to date - probably on 
the wiki or somewhere.

[content chopped; just over 40kb limit.  Full message at
http://people.redhat.com/mjc/20050505-fc4
]
