http://seclists.org/lists/bugtraq/2005/Oct/0134.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2965 Haven't checked whether devel is affected, but earlier distro versions appear to be.
graphviz-2.4 and earlier contained this bug. We were sent a patch for this on August 8th and the fix is already in graphviz-2.6 on Fedora Extras.
But Fedora Extras for FC3 has unpatched version 2.2, and FC4 unpatched 2.2.1, so they'll need the fix (or an upgrade to 2.6), no?
I just wanted to wait a few weeks before upgrading graphviz in older FE releases - currently it's only committed and built for FEDevel. So far I haven't received any bugs for the graphviz 2.6 release in -devel, so I'll update it in fe3 and fe4 soon.
I can generate a patch against graphviz-2.2.1 for just this security bug if you like?
Update for FC-* in progress... Merging with devel... I'll not update RHL-*, as I'm not supporting such *old* distros. :-P I would be interested if there are any stats on how many people still use RHL-* (especially together with FE)... However..
FYI, I believe it's not possible to get anything older than FC3 built with the FE build system. If you insist, updates for earlier distro versions can be submitted to fedora.us.
Yes, Villea, you are correct, plague doesn't accept builds < FC3 and it does make sense. :-)