Well, for starters, CAN-2004-0414/0416/0417/0418 haven't been published yet. CAN-2004-0396 is the most serious as it allows remote users to attack cvs servers. CAN-2004-0180 is the reverse, it allows a malicious server to attack a user. RedHat's response to CAN-2004-0396 http://rhn.redhat.com/errata/RHSA-2004-190.html RedHat's response to CAN-2004-0180 (which also mentions CAN-2004-0405) http://rhn.redhat.com/errata/RHSA-2004-154.html CAN-2004-0405(http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0405) is probably just as bad as CAN-2004-0396 and therefore both fixes need to be implemented in legacy. So, according to Comment #19 (Daniel Drown) 2004-05-21, for bug 1620, cvs-1.11.1p1-9.7.legacy.src.rpm includes fixes for both CAN-2004-0396 and CVE-2004-0180 (although Daniels' comments should be CAN-2004-0180 not CVE-2004-0180). Presumably this was carried forward into the cvs-1.11.1p1-14.legacy.3.i386.rpm that exists in testing. ;) hth, -Jim P. On Tue, 2004-06-01 at 14:47, Jesse Keating wrote: > There is a sudden influx of CVS issues, and I'm not sure what all CVEs > our packages address. Can some of you check > https://bugzilla.fedora.us/show_bug.cgi?id=1620 for the following CVE > coverage: > > CAN-2004-0180 CAN-2004-0396 CAN-2004-0414 CAN-2004-0416 CAN-2004-0417 > CAN-2004-0418 > > Thanks. -- fedora-legacy-list@xxxxxxxxxx http://www.redhat.com/mailman/listinfo/fedora-legacy-list
