-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Michal Jaegermann wrote:

>On Wed, Nov 09, 2005 at 04:19:35PM -0500, James Kosin wrote:
>
>>>On Wed, Nov 09, 2005 at 11:22:28AM -0800, Jesse Keating wrote:
>>>
>>>>Does look like we need to patch this. RHEL issued an update,
>>>
>>>
>>>Do you mean that one from August?
>>>https://rhn.redhat.com/errata/RHSA-2005-748.html CAN ids between
>>>that one and http://www.securityfocus.com/bid/14088/info do not
>>>agree although the latest worm descriptions would suggest that
>>>RHSA-2005:748-05 is the correct one.
>>>
>>>Michal
>>>
>>>--
>>>fedora-legacy-list@xxxxxxxxxx
>>>https://www.redhat.com/mailman/listinfo/fedora-legacy-list
>>
>>The CVE website states that CAN-2005-2498 is not the same as
>>CAN-2005-1921; so, I think to reason; both need to be fixed if we are
>>vulnerable.
>
>
>Indeed. But sources referenced in RHSA-2005:564-15, where
>CAN-2005-1751 and CAN-2005-1921 are mentioned, are explicitly
>marked as outdated by RHSA-2005:748-05 (CAN-2005-2498) so the latest
>presumably have fixes for all these. Source packages are somewhat
>different for RHEL3 and RHEL4 so you possibly need a right fit for
>FC1 and FC2.
>
>In my earlier remarks I meant that it does not look that any fix
>is needed for RH7.3; simply because the code with problems is not
>there.
>
>Yesterday updates for FC3 include also php-4.3.11-2.8.src.rpm
>(and php-5.0.4-10.5.src.rpm for FC4).
>
> Michal
>
>--
>
>fedora-legacy-list@xxxxxxxxxx
>https://www.redhat.com/mailman/listinfo/fedora-legacy-list

Yes, but the release for FC3 doesn't have a patch for 2005-2498...
They have a newer XML_RPC.tgz file.
They also address CVE-2005-3353, CVE-2005-3388, CVE-2005-3389 and
CVE-2005-3390... do we need to concern ourselves with these?

James Kosin
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDcnJrkNLDmnu1kSkRA+XmAJ9cRRmpSE6m+bjQWiZOdiYo0CmcHwCdF1VZ
1ZQ1/u9FymgE24ucvb596H0=
=IX4H
-----END PGP SIGNATURE-----

--
fedora-legacy-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-legacy-list