Summary of FC4 vulnerabilities

Quick Summary:

For 20030101-20050607 there are potentially 863 CVE-named vulnerabilities that could have affected FC4 packages. 759 (88%) of those are fixed because FC4 includes an upstream version that includes a fix, 10 (1%) are still outstanding, and 94 (11%) are fixed with a backported patch.

Method:

Near the release time of each new distribution the Red Hat security team go through the packages to ensure that everything is up to date with security patches.

The method used changed slightly from previous releases, this time for completeness:

1. we went through each CVE name for 2003, 2004, and 2005 (up to date as of 20050612) ignoring those that didn't affect Linux or were in packages not in FC4.

2. Then for each CVE issue left we look to see which upstream version (if any) the vulnerability is fixed in. Sometimes the CVE data gives us this information, but many times it doesn't or it's wrong, and we have to investigate for ourselves which upstream versions fix the issues (and we've reported our many investigations to Mitre for updates to the CVE entries). If we write "at least" we mean that we looked inside the source for that version and checked to see if the fix existed, but it may well have been fixed upstream prior to that version.

3. Where FC4 contains an upstream version greater than or equal to the upstream version containing a fix, we mark it as not vulnerable due to "version".

4. Remaining CVE names are checked to see if FC4 contains a backported patch in the package. We trust changelog entries (since these will have already been audited by us when a FC3/2/1 or RHEL advisory came out).

5. For anything that looked like it wasn't fixed we talked to the package owner to get a fix into FC4 final.

So this table gives the CVE name, the reason why FC4 isn't vulnerable and optional comments showing the package name, version it was fixed in, or method used to verify the details.

This is based on FC4 gold. Corrections or missed issues (ones showing in CVE) appreciated to secalert@xxxxxxxxxxx We'll keep this up to date - probably on the wiki or somewhere.

[content chopped; just over 40kb limit.  Full message at
http://people.redhat.com/mjc/20050505-fc4
]

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-devel-list
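The version-then-backport check described in steps 2 to 4 of the post, written out as an added example. This is not Red Hat's tooling, and the package names, versions, changelog text and CVE names (CVE-EXAMPLE-n placeholders, not real identifiers) are all constructed. The version comparison is a simplified reimplementation of rpm's ordering rules (no epoch, tilde or caret handling); the "at least" lower-bound semantics from step 2 are mapped to an "investigate" result rather than a firm "outstanding", since the fix may predate the version that was inspected.

```python
"""Version-vs-backport triage in the order the post describes.
Added example, not Red Hat's own script. All data below is constructed."""
import re
from dataclasses import dataclass
from typing import Optional


def _segments(v: str):
    # rpm splits a version into runs of digits and runs of letters;
    # everything else ('.', '-', '_') is a separator
    return re.findall(r"[0-9]+|[A-Za-z]+", v)


def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpm version ordering: returns -1, 0 or 1 like rpmvercmp().
    Caveat: '2.0b2' sorts *after* '2.0' under these rules (leftover
    segments win), so pre-release versions need care when used as fixed_in."""
    if a == b:
        return 0
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)        # numeric segments compare as integers, so 10 > 9
            if xi != yi:
                return -1 if xi < yi else 1
        elif x.isdigit():
            return 1                       # a numeric segment sorts after an alphabetic one
        elif y.isdigit():
            return -1
        elif x != y:
            return -1 if x < y else 1      # alphabetic segments compare as strings
    # all shared segments equal: the version with segments left over is newer
    if len(sa) == len(sb):
        return 0
    return -1 if len(sa) < len(sb) else 1


@dataclass
class Issue:
    cve: str
    package: str
    fixed_in: Optional[str]   # upstream version known to carry the fix; None if unknown
    at_least: bool = False    # fixed_in is only a lower bound found by source inspection


def triage(issue: Issue, shipped_version: str, changelog: str) -> str:
    """Classify one CVE against the shipped package version and its changelog."""
    if issue.fixed_in is not None and rpmvercmp(shipped_version, issue.fixed_in) >= 0:
        return "version"          # step 3: shipped version >= first fixed upstream version
    if issue.cve in changelog:
        return "backport"         # step 4: trusted changelog entry names the CVE
    if issue.fixed_in is not None and issue.at_least:
        return "investigate"      # fix may predate fixed_in; look at the shipped source
    return "outstanding"          # step 5: talk to the package owner


def summarize(results):
    """Counts and rounded percentages, in the shape of the Quick Summary above."""
    total = len(results)
    counts = {}
    for r in results:
        counts[r] = counts.get(r, 0) + 1
    return {k: (n, round(100 * n / total)) for k, n in counts.items()}


# constructed sample data (hypothetical packages, placeholder CVE names)
SHIPPED = {"foo": "1.2.10", "bar": "2.0b2", "baz": "3.1"}
CHANGELOGS = {
    "foo": "* Tue Jun 07 2005 packager - 1.2.10-1\n- update to 1.2.10",
    "bar": "* Tue Jun 07 2005 packager - 2.0b2-3\n- backport upstream fix for CVE-EXAMPLE-3",
    "baz": "* Tue Jun 07 2005 packager - 3.1-1\n- rebuilt",
}
ISSUES = [
    Issue("CVE-EXAMPLE-1", "foo", "1.2.9"),             # 1.2.10 >= 1.2.9 -> version
    Issue("CVE-EXAMPLE-2", "bar", "2.0.1"),             # 2.0b2 < 2.0.1, no changelog -> outstanding
    Issue("CVE-EXAMPLE-3", "bar", "2.0.1"),             # named in changelog -> backport
    Issue("CVE-EXAMPLE-4", "baz", "3.2", at_least=True),  # lower bound only -> investigate
    Issue("CVE-EXAMPLE-5", "baz", None),                # no known upstream fix -> outstanding
]


def run(issues=ISSUES, shipped=SHIPPED, changelogs=CHANGELOGS):
    return {i.cve: triage(i, shipped[i.package], changelogs[i.package]) for i in issues}


if __name__ == "__main__":
    results = run()
    for cve, status in results.items():
        print(cve, status)
    print(summarize(list(results.values())))
```

The ordering of the checks matters: a changelog match is only consulted once the plain version comparison has failed, which mirrors the post's method and keeps "backport" reserved for packages that really needed a patch rather than a rebase. The rpm beta-suffix quirk noted in the docstring is the main place a naive script will mark something "version" that is in fact unfixed.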
