fedora-security/audit fc5,1.81,1.82

Mark Cox (mjc) fedora-extras-commits at redhat.com
Mon Mar 20 09:36:31 UTC 2006


Author: mjc

Update of /cvs/fedora/fedora-security/audit
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv18615

Modified Files:
	fc5 
Log Message:
Bring up to date with GOLD FC5
For each vuln marked backport or VULNERABLE
	look to see if fc5-gold version has changed from fc5-test3
	if not, keep the same marking as before
	if it has, see if we've changed major version
		if we have not then keep backport marking, but check vuln
		check code to see if we've fixed this by version or backport
Add missing new vulns



Index: fc5
===================================================================
RCS file: /cvs/fedora/fedora-security/audit/fc5,v
retrieving revision 1.81
retrieving revision 1.82
diff -u -r1.81 -r1.82
--- fc5	14 Mar 2006 12:47:06 -0000	1.81
+++ fc5	20 Mar 2006 09:36:13 -0000	1.82
@@ -1,25 +1,17 @@
-Up to date CVE as of CVE email 20060313
-Up to date FC5 as of FC5-Test3
-
-1. Removed packages with security issues that are no longer in FC5 
-(iiimf, libungif, slocate)
-2. Verified all marked as 'version', inc tricky packages like openssl 
-and httpd
-3. Looked at those marked backport where we ship a newer version, manually
-looked at rest marked backport
-4. Looked at CVE for any new packages added to FC5
-5. Filed tracking bugs for vulnerable issues
-6. Looked at extra packages in test2 which have had security issues
-(mono, nss, php-pear)
-7. Double check vulnerables and file fc5test2 bugs
-8. Deal with new/removed packages in fc5test3
-9. Check all marked as backport/vulnerable to see what changed in test3
+Up to date CVE as of CVE email 20060319
+Up to date FC5 as of 20060320
 
 ** are items that need attention
 
+CVE-2006-1296 ** beagle
+CVE-2006-1273 ** firefox (prob win only, vague)
+CVE-2006-1251 ** exim
+CVE-2006-1244 ignore (xpdf) duplicate of other cve named issues
+CVE-2006-1242 ** kernel
 CVE-2006-1095 ignore (mod_python, 3.2.7 only)
 CVE-2006-1079 ignore (httpd) not a vulnerability
 CVE-2006-1078 ignore (httpd) not a vulnerability
+CVE-2006-1052 backport (kernel) patch-2.6.16-rc6
 CVE-2006-1045 VULNERABLE (thunderbird)
 CVE-2006-1015 ignore (php) safe mode isn't safe
 CVE-2006-1014 ignore (php) safe mode isn't safe
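Review bot: The new `**` entries at the top of the list (CVE-2006-1296, CVE-2006-1273, CVE-2006-1251, CVE-2006-1242) put the package name bare after the marker, while every other line in this hunk uses the `STATUS (package) note` form. Writing them as, for example, `** (beagle)` would keep one pattern for searching the file by package. The CVE-2006-1244 line also says "duplicate of other cve named issues" without naming them; listing the CVE ids it duplicates would let a reader verify the ignore. Note too that the removed numbered checklist was the only description of the audit procedure in the file header, so after this change it survives only in the log message.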
@@ -27,23 +19,27 @@
 CVE-2006-0884 VULNERABLE (thunderbird)
 CVE-2006-0836 VULNERABLE (thunderbird)
 CVE-2006-0746 version (kdegraphics, fixed 3.4)
-CVE-2006-0742 VULNERABLE (kernel) [fixed rawhide 1.2045]
-CVE-2006-0741 VULNERABLE (kernel, fixed 2.6.15.5) [fixed rawhide 1.2045]
+CVE-2006-0744 ** kernel
+CVE-2006-0742 backport (kernel) patch-2.6.16-rc6
+CVE-2006-0741 backport (kernel, fixed 2.6.15.5) patch-2.6.16-rc6
 CVE-2006-0730 version (dovecot, 1.0beta[12] only)
 CVE-2006-0678 ignore (postgresql) we don't build --enable-cassert
 CVE-2006-0645 version (gnutls, fixed 1.2.10)
 CVE-2006-0591 version (postgresql, fixed 8.0.6)
 CVE-2006-0576 backport (oprofile) oprofile_opcontrol.patch
-CVE-2006-0557 VULNERABLE (kernel, fixed 2.6.15.6) [fixed rawhide 1.2045]
+CVE-2006-0557 backport (kernel, fixed 2.6.15.6) patch-2.6.16-rc6
+CVE-2006-0555 backport (kernel) patch-2.6.16-rc6-git3
+CVE-2006-0554 backport (kernel) patch-2.6.16-rc6
 CVE-2006-0553 version (postgresql, only 8.1, fixed 8.1.3)
-CVE-2006-0528 VULNERABLE (cairo) bz#182416 [fixed rawhide cairo-1.0.2-chunk-glyphs-CVE-2006-0528.patch]
+CVE-2006-0528 backport (cairo) cairo-1.0.2-chunk-glyphs-CVE-2006-0528.patch
 CVE-2006-0496 VULNERABLE (mozilla) not fixed upstream
 CVE-2006-0496 VULNERABLE (firefox) not fixed upstream
 CVE-2006-0482 ignore (kernel) sparc only
 CVE-2006-0481 version (libpng, 1.2.7 only)
 CVE-2006-0459 version (flex) by inspection
+CVE-2006-0457 backport (kernel) patch-2.6.16-rc6
 CVE-2006-0455 version (gnupg, fixed 1.4.2.1)
-CVE-2006-0454 backport (kernel, fixed 2.6.15.3) patch-2.6.16-rc3
+CVE-2006-0454 backport (kernel, fixed 2.6.15.3) patch-2.6.16-rc6
 CVE-2006-0405 version (libtiff, 3.8.0 only)
 CVE-2006-0377 version (squirrelmail, fixed 1.4.6)
 CVE-2006-0369 ignore (mysql) this is not a security issue
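Review bot: The CVE-2006-0528 line drops `bz#182416` when it moves from VULNERABLE to backport; keeping the bug reference next to the patch name would preserve the link to the tracking bug. In the same hunk, CVE-2006-0555 cites `patch-2.6.16-rc6-git3` while the other kernel entries cite `patch-2.6.16-rc6`. If the shipped kernel carries the git3 patch, the other lines could cite the same level; if it does not, the 0555 marking needs rechecking.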
@@ -76,7 +72,7 @@
 CVE-2006-0292 version (firefox, fixed 1.5.1)
 CVE-2006-0292 backport (mozilla) mozilla-1.7.12-CVE-2006-0292-javascript-unrooted.patch
 CVE-2006-0292 version (thunderbird, fixed 1.5)
-CVE-2006-0254 backport (tomcat5, fixed 5.5.16)
+CVE-2006-0254 backport (tomcat5, fixed 5.5.16) **check this**
 CVE-2006-0236 ignore (thunderbird) windows only
 CVE-2006-0225 version (openssh, fixed 4.3p2)
 CVE-2006-0208 version (php, fixed 5.1.2)
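Review bot: On the CVE-2006-0254 line the trailing `**check this**` does not say what needs checking, and it sits at the end of the line rather than in the status position the file header defines for `**` items, so a search for attention items by status will miss it. The entry also reads `backport` with `fixed 5.5.16` and no patch name, unlike the mozilla backport line just above it. Stating whether FC5 ships tomcat5 5.5.16 (which would make it `version`) or a patched older release would resolve the marker.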
@@ -88,21 +84,21 @@
 CVE-2006-0144 version (php-pear, not 1.4.4)
 CVE-2006-0097 ignore (php) Windows only
 CVE-2006-0096 ignore (kernel) minor and requires root
-CVE-2006-0095 backport (kernel) patch-2.6.16-rc3
+CVE-2006-0095 backport (kernel) patch-2.6.16-rc6
 CVE-2006-0082 version (ImageMagick, not 6.2.5.4)
-CVE-2006-0049 VULNERABLE (gnupg, fixed 1.4.2.2)
+CVE-2006-0049 version (gnupg, fixed 1.4.2.2)
 CVE-2006-0040 VULNERABLE (gtkhtml) no upstream fix
-CVE-2006-0037 backport (kernel, only 2.6.14 and 2.6.15) patch-2.6.16-rc3
-CVE-2006-0036 backport (kernel, only 2.6.14 and 2.6.15) patch-2.6.16-rc3
-CVE-2006-0035 backport (kernel, only 2.6.14 and 2.6.15) patch-2.6.16-rc3
+CVE-2006-0037 backport (kernel, only 2.6.14 and 2.6.15) patch-2.6.16-rc6
+CVE-2006-0036 backport (kernel, only 2.6.14 and 2.6.15) patch-2.6.16-rc6
+CVE-2006-0035 backport (kernel, only 2.6.14 and 2.6.15) patch-2.6.16-rc6
 CVE-2006-0019 version (kdelibs, fixed 3.5.1)
 CVE-2005-4703 ignore (tomcat) windows only
 CVE-2005-4720 VULNERABLE (mozilla) not fixed upstream plus only DoS
 CVE-2005-4720 version (firefox, fixed 1.5)
-CVE-2005-4720 versoin (thunderbird, fixed 1.5)
+CVE-2005-4720 version (thunderbird, fixed 1.5)
 CVE-2005-4685 VULNERABLE (mozilla) not fixed upstream
 CVE-2005-4685 VULNERABLE (firefox) not fixed upstream
-CVE-2005-4684 VULNERABLE (kdebase) not fixed upstream
+CVE-2005-4684 ignore (kdebase) not fixed upstream, low, can't fix
 CVE-2005-4667 backport (unzip)
 CVE-2005-4639 version (kernel, fixed 2.6.15)
 CVE-2005-4636 version (openoffice.org, fixed 2.0.1)
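Review bot: CVE-2005-4684 moves from VULNERABLE to `ignore` with the note "not fixed upstream, low, can't fix", which describes an accepted open issue rather than one that does not apply; the neighbouring `ignore` entries are "windows only" or "minor and requires root". Leaving it as VULNERABLE with the severity note, or giving accepted-risk items their own status, would keep it visible when open issues are counted for kdebase.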
@@ -186,7 +182,7 @@
 CVE-2005-3359 version (kernel, fixed 2.6.14)
 CVE-2005-3358 version (kernel, fixed 2.6.11)
 CVE-2005-3357 backport (httpd, affects 2.2.0)
-CVE-2005-3356 backport (kernel) patch-2.6.16-rc3
+CVE-2005-3356 backport (kernel) patch-2.6.16-rc6
 CVE-2005-3353 version (php, not 5.0)
 CVE-2005-3352 backport (httpd, fixed 2.2.1)
 CVE-2005-3351 version (spamassassin, fixed 3.1.0)
@@ -269,7 +265,7 @@
 CVE-2005-2917 version (squid, fixed 2.5.STABLE11)
 CVE-2005-2876 version (util-linux, fixed 2.13-pre3)
 CVE-2005-2874 version (cups, fixed 1.1.23)
-CVE-2005-2873 VULNERABLE (kernel) not fixed upstream 
+CVE-2005-2873 VULNERABLE (kernel) not fixed upstream
 CVE-2005-2872 version (kernel, fixed 2.6.12)
 CVE-2005-2871 version (thunderbird)
 CVE-2005-2871 version (mozilla, fixed 1.7.12)
@@ -1386,7 +1382,7 @@
 CVE-2003-0133 version (evolution, fixed 1.2.4)
 CVE-2003-0132 version (httpd, fixed 2.0.45)
 CVE-2003-0131 version (openssl, not 0.9.8)
-CVE-2003-0131 backport (openssl097a, fixed 0.9.7b) 
+CVE-2003-0131 backport (openssl097a, fixed 0.9.7b)
 CVE-2003-0130 version (evolution, fixed 1.2.3)
 CVE-2003-0129 version (evolution, fixed 1.2.3)
 CVE-2003-0128 version (evolution, fixed 1.2.3)



