Great message--thanks for sending! M On Tue, 2004-11-09 at 07:20, Mark J Cox wrote: > Near the release time of each new distribution the Red Hat security team > go through all the security advisories for the past few years as well as > issues that affected others but not Red Hat to ensure that the new > distribution is up to date with security patches. We did this with FC3 a > few weeks ago and corrected most of the issues we found that were unfixed. > So this email is just really a FYI so we have the details stored for > future reference. > > (The method is to collect a list of all possible vulnerabilities that > could affect the FC3 package set, by CVE name. This list comes from all > RHEL3 advisories to date, all FC1 and FC2 update notifications, our > internal list of issues that didn't need fixing for whatever reason, the > CVE named issues in Bugzilla, and finally looking at new packages in FC3 > that were not previously in another release). Then for each CVE issue we > look to see which upstream version (if any) the vulnerability is fixed in, > and if FC3 contains that (or a better) upstream version. If not, we check > to see if the FC3 package contains a backported fix for the issue. For > this audit we trust changelog entries that say that a backported fix is > included since these will have already been audited by us when the > relevant FC2/1 or RHEL advisory came out. We also trust upstream > announcements that state which versions have fixed particular > vulnerabilities.) > > So this table gives the CVE name, the reason why FC3 isn't vulnerable > (either it has an upstream version that isn't vulnerable, or it contains a > backported security fix), and optional comments showing the package name, > version it was fixed in, or method used to verify the details. > > Corrections or missed issues appreciated to secalert@xxxxxxxxxx (although > now FC3 is out we track all new issues in a different way, so we won't do > new versions of this table). > > CAN-2003-0328 backport (epic, changelog) > CAN-2003-0542 version (httpd, fixed 2.0.48) > CAN-2003-0564 version (Mozilla, ICAT) > CAN-2003-0594 version (Mozilla, ICAT) > CAN-2003-0789 version (httpd, fixed 2.0.48) > CAN-2003-0848 backport (slocate, changelog) > CAN-2003-0853 version (coreutils, fixed 5.1.3) > CAN-2003-0856 version (iproute) > CAN-2003-0858 version (quagga, fixed 0.95) > CAN-2003-0859 version (glibc, checked source) > CAN-2003-0925 version (ethereal, fixed 0.9.16) > CAN-2003-0926 version (ethereal, fixed 0.9.16) > CAN-2003-0927 version (ethereal, fixed 0.9.16) > CAN-2003-0935 version (Net-SNMP, fixed 5.0.9) > CAN-2003-0962 version (rsync, fixed 2.5.7) > CAN-2003-0963 version (lftp, fixed after 2.6.9) > CAN-2003-0967 version (FreeRADIUS, fixed after 0.9.2) > CAN-2003-0971 version (GnuPG, fixed after 1.0.2) > CAN-2003-0973 version (mod_python, fixed 3.0.4) > CAN-2003-0977 version (CVS, fixed 1.11.10) > CAN-2003-0989 version (tcpdump, fixed 3.8.1) > CAN-2003-0992 version (mailman, fixed 2.1.4) > CAN-2003-1012 version (ethereal, fixed 0.10.0) > CAN-2003-1013 version (ethereal, fixed 0.10.0) > CAN-2003-1023 version (mc, 4.6.1) > CAN-2004-0006 version (Gaim, fixed 0.76) > CAN-2004-0007 version (Gaim, fixed 0.75) > CAN-2004-0008 version (Gaim, fixed 0.75) > CAN-2004-0055 version (tcpdump, fixed 3.8.2) > CAN-2004-0057 version (tcpdump, fixed 3.8.2) > CAN-2004-0079 backport (OpenSSL, changelog) > CAN-2004-0081 VULNERABLE (openssl096b only, see bug 138365) > CAN-2004-0083 version (XFree86) > CAN-2004-0084 version (XFree86) > CAN-2004-0097 version (PWLib, fixed 1.6.0) > CAN-2004-0098 version (php) > CAN-2004-0106 version (XFree86) > CAN-2004-0107 version (sysstat, fixed after 4.0.7) > CAN-2004-0110 version (libxml2, fixed 2.6.6) > CAN-2004-0112 backport (OpenSSL, changelog) > CAN-2004-0150 version (python, fixed 2.2.2) > CAN-2004-0155 version (Racoon) > CAN-2004-0164 version (Racoon) > CAN-2004-0174 version (httpd, fixed 2.0.49) > CAN-2004-0176 version (ethereal, fixed 0.10.3) > CAN-2004-0179 version (neon, fixed 0.24.5) > CAN-2004-0179 version (openoffice.org) > CAN-2004-0180 version (cvs, fixed 1.11.15) > CAN-2004-0182 version (mailman, only affected RH packages) > CAN-2004-0183 version (tcpdump, fixed 3.8.2) > CAN-2004-0184 version (tcpdump, fixed 3.8.2) > CAN-2004-0186 version (samba, not 3.0.2a) > CAN-2004-0226 version (mc, fixed 4.6.0) > CAN-2004-0231 version (mc, fixed 4.6.0) > CAN-2004-0232 version (mc, fixed 4.6.0) > CAN-2004-0233 backport (utempter, changelog) > CAN-2004-0234 backport (lha, changelog) > CAN-2004-0235 backport (lha, changelog) > CAN-2004-0256 version (libtool, fixed 1.5.2) > CAN-2004-0365 version (ethereal, fixed 0.10.3) > CAN-2004-0367 version (ethereal, fixed 0.10.3) > CAN-2004-0381 backport (mysql, changelog) > CAN-2004-0388 backport (mysql, changelog) > CAN-2004-0396 version (cvs, fixed 1.12.8) > CAN-2004-0397 version (subversion, fixed 1.0.1) > CAN-2004-0398 version (neon, fixed 0.24.6) > CAN-2004-0403 version (racoon, fixed 20040408a) > CAN-2004-0405 version (cvs, fixed 1.11) > CAN-2004-0409 version (xchat, fixed after 2.0.8) > CAN-2004-0411 version (kde, fixed 3.3*) > CAN-2004-0412 version (mailman, fixed 2.1.5) > CAN-2004-0413 version (subversion, fixed 1.0.5) > CAN-2004-0414 version (cvs, fixed 1.11.17) > CAN-2004-0416 version (cvs, fixed 1.11.17) > CAN-2004-0417 version (cvs, fixed 1.11.17) > CAN-2004-0418 version (cvs, fixed 1.11.17) > CAN-2004-0419 version (xorg-x11) > CAN-2004-0421 version (libpng, fixed 1.0.16) > CAN-2004-0422 version (flim, fixed 1.14.3) > CAN-2004-0426 version (rsync, fixed 2.6.1) > CAN-2004-0457 backport (mysql, changelog) > CAN-2004-0460 version (dhcp, fixed after 3.0.1rc13) > CAN-2004-0461 version (dhcp, fixed after 3.0.1rc13) > CAN-2004-0488 version (httpd, fixed 2.0.50) > CAN-2004-0493 version (httpd, fixed 2.0.50) > CAN-2004-0494 version (mc, fixed 4.6.1) > CAN-2004-0500 version (gaim, fixed 0.82) > CAN-2004-0504 version (ethereal, fixed 0.10.4) > CAN-2004-0505 version (ethereal, fixed 0.10.4) > CAN-2004-0506 version (ethereal, fixed 0.10.4) > CAN-2004-0507 version (ethereal, fixed 0.10.4) > CAN-2004-0519 version (squirrelmail, fixed 1.4.3a) > CAN-2004-0520 version (squirrelmail, fixed 1.4.3a) > CAN-2004-0521 version (squirrelmail, fixed 1.4.3a) > CAN-2004-0523 version (krb5, fixed 1.3.4) > CAN-2004-0541 version (squid) > CAN-2004-0557 version (sox, fixed after 12.17.4) > CAN-2004-0558 version (cups, fixed 1.1.21) > CAN-2004-0594 version (php, fixed 4.3.8) > CAN-2004-0595 version (php, fixed 4.3.8) > CAN-2004-0597 version (libpng, fixed 1.2.6) > CAN-2004-0597 version (mozilla, fixed 1.7.2) > CAN-2004-0598 version (libpng, fixed 1.2.6) > CAN-2004-0599 version (libpng, fixed 1.2.6) > CAN-2004-0599 version (mozilla, fixed 1.7.2) > CAN-2004-0600 version (samba, fixed 3.0.6) > CAN-2004-0607 version (racoon, note RHSA-2004:308 has wrong text) > CAN-2004-0633 version (ethereal, fixed 0.10.5) > CAN-2004-0634 version (ethereal, fixed 0.10.5) > CAN-2004-0635 version (ethereal, fixed 0.10.5) > CAN-2004-0642 backport (krb5, changelog) > CAN-2004-0644 backport (krb5, changelog) > CAN-2004-0645 version (abiword, fixed 2.0.9) > CAN-2004-0686 version (samba, fixed 3.0.6) > CAN-2004-0687 version (OpenMotif libxpm) > CAN-2004-0687 VULNERABLE (lesstif libxpm, see bug 135080) > CAN-2004-0688 version (OpenMotif libxpm) > CAN-2004-0687 VULNERABLE (lesstif libxpm, see bug 135081) > CAN-2004-0689 version (kde, fixed 3.3.0) > CAN-2004-0691 version (gdk-pixbuf; qt, fixed 3.3.3) > CAN-2004-0692 version (qt, fixed 3.3.3) > CAN-2004-0693 version (qt, fixed 3.3.3) > CAN-2004-0694 backport (lha, changelog) > CAN-2004-0718 version (mozilla #246448, fixed 1.7) > CAN-2004-0721 version (kde, fixed 3.3*) > CAN-2004-0722 version (mozilla #236618, fixed 1.7) > CAN-2004-0745 backport (lha, changelog) > CAN-2004-0746 version (kde, fixed 3.3*) > CAN-2004-0747 version (httpd, fixed 2.0.51) > CAN-2004-0748 version (httpd, fixed 2.0.51) > CAN-2004-0749 version (subversion, fixed 1.0.8) > CAN-2004-0750 version (redhat-config-nfs, fixed 1.0.13) > CAN-2004-0751 version (httpd, fixed 2.0.51) > CAN-2004-0752 backport (openoffice.org, in ooo-build-cvs) > CAN-2004-0753 backport (gtk2; gdk-pixbuf, changelog) > CAN-2004-0753 version (gdk-pixbuf, fixed 0.22) > CAN-2004-0754 version (gaim, fixed 0.82) > CAN-2004-0755 version (ruby, fixed 1.8.1) > CAN-2004-0757 version (mozilla #229374, fixed 1.7) > CAN-2004-0758 version (mozilla, fixed 1.7.2) > CAN-2004-0759 version (mozilla #241924, fixed 1.7) > CAN-2004-0760 version (mozilla #250906, fixed 1.7.2) > CAN-2004-0761 version (mozilla #240053, fixed 1.7) > CAN-2004-0762 version (mozilla #162020, fixed 1.7) > CAN-2004-0763 version (mozilla #253121, fixed 1.7.2) > CAN-2004-0764 version (mozilla #244965, fixed 1.7) > CAN-2004-0765 version (mozilla #234058, fixed 1.7) > CAN-2004-0769 backport (lha, changelog) > CAN-2004-0771 backport (lha, changelog) > CAN-2004-0772 backport (krb5, changelog) > CAN-2004-0778 version (cvs, fixed 1.11.17) > CAN-2004-0782 backport (gtk2; gdk-pixbuf, patch) > CAN-2004-0782 version (gtk;gdk-pixbuf, fixed 0.22) > CAN-2004-0783 backport (gtk2; gdk-pixbuf, patch) > CAN-2004-0783 version (gtk;gdk-pixbuf, fixed 0.22) > CAN-2004-0784 version (gaim, fixed 0.82) > CAN-2004-0785 version (gaim, fixed 0.82) > CAN-2004-0786 backport (apr-util, changelog) > CAN-2004-0788 backport (gtk2; gdk-pixbuf, patch) > CAN-2004-0788 version (gtk;gdk-pixbuf, fixed 0.22) > CAN-2004-0792 version (rsync) > CAN-2004-0796 version (spamassassin, fixed 2.64) > CAN-2004-0797 version (zlib) > CAN-2004-0801 version (foomatic, fixed 3.0.2) > CAN-2004-0803 backport (libtiff, changelog) > CAN-2004-0803 version (kdegraphics, fixed by Update on 20041109) > CAN-2004-0804 backport (libtiff, changelog) > CAN-2004-0804 version (kdegraphics, fixed by Update on 20041109) > CAN-2004-0806 version (cdrecord, fixed 2.0.1) > CAN-2004-0807 version (samba, fixed 3.0.7) > CAN-2004-0808 version (samba, fixed 3.0.7) > CAN-2004-0809 version (httpd, fixed 2.0.51) > CAN-2004-0811 version (httpd, fixed 2.0.52) > CAN-2004-0817 backport (imlib, changelog) > CAN-2004-0827 version (ImageMagick, fixed 6.0.6.2) > CAN-2004-0829 (not a security issue) > CAN-2004-0832 version (squid, fixed 2.5.7) > CAN-2004-0835 backport (mysql, changelog) > CAN-2004-0836 backport (mysql, changelog) > CAN-2004-0837 backport (mysql, changelog) > CAN-2003-0860 version (php, fixed 4.3.3) > CAN-2003-0861 version (php, fixed 4.3.3) > CAN-2004-0884 backport (cyrus-sasl, changelog) > CAN-2004-0885 backport (httpd, changelog) > CAN-2004-0886 backport (libtiff, changelog) > CAN-2004-0886 version (kdegraphics, fixed by Update on 20041109) > CAN-2004-0888 backport (xpdf, changelog) > CAN-2004-0888 backport (cups, **since 1.1.22-0.rc1.8** FC3-3.3) > CAN-2004-0888 backport (gpdf, **since 2.8.0-5** FC3-3.4) > CAN-2004-0888 VULNERABLE (tetex, see bug 137476) > CAN-2004-0889 backport (xpdf, changelog) > CAN-2004-0891 backport (gaim, changelog) > CAN-2004-0902 version (mozilla #133023, fixed 1.7.3) > CAN-2004-0903 version (mozilla #133016, fixed 1.7.3) > CAN-2004-0904 version (mozilla #133014, fixed 1.7.3) > CAN-2004-0905 version (mozilla #133012, fixed 1.7.3) > CAN-2004-0908 version (mozilla #133021, fixed 1.7.3) > CAN-2004-0918 backport (squid, changelog) > CAN-2004-0923 backport (cups, changelog) > CAN-2004-0930 VULNERABLE (Samba, see bug 138326) > CAN-2004-0938 version (freeradius, fixed 1.0.1) > CAN-2004-0942 VULNERABLE (httpd, see bug 138065) > CAN-2004-0957 backport (mysql, changelog) > CAN-2004-0958 version (php, fixed 4.3.9) > CAN-2004-0959 version (php, fixed 4.3.9) > CAN-2004-0960 version (freeradius, fixed 1.0.1) > CAN-2004-0961 version (freeradius, fixed 1.0.1) > CAN-2004-0966 backport (gettext, **since 0.14.1-12** FC3-3.8) > CAN-2004-0967 backport (ghostscript, changelog) > CAN-2004-0968 backport (glibc, changelog) > CAN-2004-0969 backport (groff, changelog) > CAN-2004-0971 VULNERABLE (krb5, see bug 136307) > CAN-2004-0972 VULNERABLE (lvm, see bug 136309) > CAN-2004-0974 VULNERABLE (tetex, see bug 137966) > CAN-2004-0975 VULNERABLE (openssl, see bug 136303) > CAN-2004-0976 version (perl, since 5.8.4) > CAN-2004-0977 backport (postgresql, **since 7.4.5-4** FC3-3.2) > CAN-2004-0981 VULNERABLE (ImakeMagick, see bug 138385) > CAN-2004-0983 VULNERABLE (Ruby, see bug 138366) > CAN-2004-0989 backport (libxml2, **since 2.6.14-2** FC3-3.3) > CAN-2004-0990 VULNERABLE (gd, see bug 137247) > CVE-2002-1363 version (libpng, fixed 1.2.6) > CVE-2003-0020 version (httpd, fixed 2.0.49) > CVE-2003-0924 version (netpbm, fixed 9.26) > CVE-2003-0988 version (kde, fixed 3.1.5) > CVE-2004-0078 backport (mutt, changelog) > CVE-2004-0082 version (samba, fixed 3.0.2) > CVE-2004-0096 version (mod_python, fixed after 2.7.9) > CVE-2004-0108 version (sysstat) > CVE-2004-0111 version (gdk-pixbuf, fixed 0.20) > CVE-2004-0113 version (httpd, fixed 2.0.49) > CVE-2004-0189 version (squid, fixed 2.5stable5) > CVE-2004-0191 version (Mozilla, fixed 1.4.2) >
