Jesse Keating noticed that CAN-2002-1363 was not included in Red Hat Linux packages since 9.0 - which therefore affects RHEL3, FC1, and FC2 packages.
Pushed RHSA-2004:249
At current, there are no updated (or testing) packages for FC1 and FC2 available, which are also affected by the vulnerability. The patch from RHEL3 also applies to FC1, FC2 and Fedora Development's libpng.
Updates for FC should be out later today.