Bug 184234 - A way to check the CVE/CAN status of a currently installed package.
Product: Fedora Documentation
Classification: Fedora
Component: security-guide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: eric@christensenplace.us
QA Contact: Scott Radvan
Keywords: FutureFeature
Reported: 2006-03-07 11:12 EST by Todd Denniston
Modified: 2015-04-06 23:19 EDT (History)
CC: 5 users

Doc Type: Enhancement
Last Closed: 2010-07-07 18:52:26 EDT

Attachments
Original response to relicensing inquiry. (2.34 KB, text/plain)
2010-07-07 12:44 EDT, Steve Bonneville
Locating CVE information using YUM. (4.50 KB, patch)
2010-07-07 13:33 EDT, eric@christensenplace.us
Red Hat Legal approval to relicense the subject content to CC BY SA 3.0 (1.61 KB, application/x-mimearchive)
2010-07-07 13:41 EDT, Karsten Wade
Marked up chapter. (5.50 KB, patch)
2010-07-07 18:19 EDT, eric@christensenplace.us

Description Todd Denniston 2006-03-07 11:12:29 EST
Description of problem:
System administrators often have to verify that versions of various products
installed on their systems have several CVE/CANs applied. With the current
configurations of the fedoraproject and fedoralegacy web sites, an administrator
has to search for every update that has occurred to a package to see all the CVE
fixes that have been applied to that package since its upstream release.

for example, the current FC4 firefox (1.0.7) apparently only has fixes for:
CVE-2005-4134, CVE-2006-0292, CVE-2006-0296 (1.2.fc4)
CAN-2005-2701, CAN-2005-2702, CAN-2005-2703, CAN-2005-2704,
CAN-2005-2705, CAN-2005-2706, CAN-2005-2707, CAN-2005-2968, (1.1.fc4)

It would be nice if there was either:
a web page at redhat.com, fedoraproject.org and fedoralegacy.org, where an admin
could look up the current (from yum/up2date) package revision and see all the
CVE/CANs that are covered by the patches fedora has applied to the base upstream
or in the SECURITY emails to the announce lists have a field that lists all the
CVE/CANs that are covered by the patches fedora has applied to the base upstream
package, i.e., not only have a field that lists the ones covered by this patch
set, but also have a field that lists all the others fixed since the upstream

seems a nice start but it is confusing as to which things are fixed, still
outstanding and which released packages are covered.
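The description asks for a way to see every CVE/CAN that the installed revision of a package already covers. The following is an added example, not the chapter attached to this bug and not a Fedora or Red Hat tool: it parses the package's own changelog, as printed by `rpm -q --changelog <package>`, and reports which version-release first mentions each identifier. The changelog text below is constructed for the example from the firefox versions and identifiers quoted in the description; the dates and the maintainer are placeholders. CAN- was the "candidate" prefix retired in October 2005, and the same numbers continued as CVE-, so both spellings are folded together before comparison.

```python
import re
import sys
from collections import OrderedDict

# Constructed sample in the format `rpm -q --changelog firefox` prints (newest
# entry first). The version-release strings and identifiers are the ones quoted
# in the bug description; the dates and maintainer are placeholders.
SAMPLE_CHANGELOG = """\
* Thu Feb 02 2006 Package Maintainer <maint@example.org> 1.0.7-1.2.fc4
- Fix CVE-2005-4134, CVE-2006-0292, CVE-2006-0296

* Thu Sep 22 2005 Package Maintainer <maint@example.org> 1.0.7-1.1.fc4
- Update to 1.0.7, fixing CAN-2005-2701 CAN-2005-2702 CAN-2005-2703
  CAN-2005-2704 CAN-2005-2705 CAN-2005-2706 CAN-2005-2707 CAN-2005-2968

* Tue Jul 12 2005 Package Maintainer <maint@example.org> 1.0.6-1.fc4
- Update to 1.0.6
"""

# Matches either spelling; the CAN- "candidate" prefix was retired in
# October 2005 and the same numbers continued as CVE-.
IDENT = re.compile(r"\b(CVE|CAN)-(\d{4})-(\d{4,})\b")


def canonical(ident):
    """Normalise CAN-YYYY-NNNN and CVE-YYYY-NNNN to the CVE- spelling."""
    m = IDENT.fullmatch(ident.strip())
    if m is None:
        raise ValueError(f"not a CVE/CAN identifier: {ident!r}")
    return f"CVE-{m.group(2)}-{m.group(3)}"


def parse_changelog(text):
    """Map each changelog entry's version-release to the set of identifiers
    its text mentions, preserving rpm's newest-first order. An entry header is
    a line starting with '* ' whose last token is the version-release."""
    entries = OrderedDict()
    current = None
    for line in text.splitlines():
        if line.startswith("* "):
            current = line.split()[-1]
            entries.setdefault(current, set())
        elif current is not None:
            for hit in IDENT.finditer(line):
                entries[current].add(canonical(hit.group(0)))
    return entries


def all_fixed(text):
    """Every identifier the installed package's changelog claims to address."""
    return sorted(set().union(*parse_changelog(text).values()))


def fixed_in(text, wanted):
    """For each requested identifier, the version-release whose entry first
    mentions it (newest first), or None. Because the changelog comes from the
    installed package, every entry describes a change already applied; an
    identifier that is absent is merely unmentioned, not proven unfixed."""
    entries = parse_changelog(text)
    result = {}
    for ident in wanted:
        cve = canonical(ident)
        result[ident] = next((ver for ver, ids in entries.items() if cve in ids), None)
    return result


if __name__ == "__main__":
    # Usage: rpm -q --changelog firefox | python3 cvecheck.py CVE-2006-0296 ...
    # With no piped input the constructed sample above is used.
    text = SAMPLE_CHANGELOG if sys.stdin.isatty() else sys.stdin.read()
    wanted = sys.argv[1:] or all_fixed(text)
    for ident, ver in fixed_in(text, wanted).items():
        print(f"{ident}: {'fixed in ' + ver if ver else 'not mentioned in changelog'}")
```

Two caveats a practitioner should keep in mind. The changelog is free text written by the packager, so an identifier that does not appear has only been left unmentioned; it says nothing about whether the code is vulnerable. And a match only shows that the packager recorded the fix in that revision, which is exactly the per-package view the description asks for, but it is not a substitute for reading the advisory that accompanied the update.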
Comment 1 Todd Denniston 2006-03-07 11:20:57 EST
I was going to add this to the list on 
but I do not see how to edit the page, and that is where bug 129784
directed me to put things.
Comment 2 eric@christensenplace.us 2009-06-26 00:48:57 EDT
I think this is now provided by Red Hat.  I know you can check for IAVA compliance by checking CVEs using yum.  Is that satisfactory?
Comment 3 eric@christensenplace.us 2009-07-29 20:45:49 EDT
I'll write up CVE checking/validation procedures in the wiki.
Comment 4 eric@christensenplace.us 2009-08-05 13:05:25 EDT
Comment 5 eric@christensenplace.us 2009-11-14 12:28:24 EST
Reassigned for inclusion into the Security Guide.
Comment 6 eric@christensenplace.us 2009-11-14 12:31:01 EST
Karsten: Can you try to follow up on the licensing issues on the link in comment 4, please?  I never did get a response on if we could use the text or not.
Comment 7 eric@christensenplace.us 2010-07-06 22:38:48 EDT
Karsten: Have you heard anything back on this?
Comment 8 Karsten Wade 2010-07-06 23:28:57 EDT
OK, I found the original email thread where I dropped it and know where to pick this up.  I need to follow-up with someone from Red Hat Legal.

I'm adding Steve Bonneville, the original author, to this bug report so he can give his personal authorization for the relicensing.


I'll do the follow-up with Legal right now and return here when I get anything further.
Comment 9 Steve Bonneville 2010-07-07 12:41:47 EDT
I'll attach my response to the original e-mail from November to this bug.  Executive summary is that I have no problem with the relicensing, but I suspect you'll need to get internal clearance from whatever entity manages copyright on the Red Hat Magazine articles:

  (see "Submission Terms")
Comment 10 Steve Bonneville 2010-07-07 12:44:08 EDT
Created attachment 430113
Original response to relicensing inquiry.
Comment 11 eric@christensenplace.us 2010-07-07 13:33:34 EDT
Created attachment 430125
Locating CVE information using YUM.

Here is my proposed patch.  The DocBook XML needs to be improved but I think it will at least render appropriately.
Comment 12 eric@christensenplace.us 2010-07-07 13:34:27 EDT
(In reply to comment #9)
Thanks Steve, I appreciate it!
Comment 13 Karsten Wade 2010-07-07 13:41:35 EDT
Created attachment 430131
Red Hat Legal approval to relicense the subject content to CC BY SA 3.0

This email is from Richard Fontana giving explicit permission to relicense the work under question as CC BY SA 3.0.

It also notes that we can't apply this as a blanket policy to all RHM content.  I've looked at that situation a little bit, and it's going to take some effort to sort out what might be wanted and a relicensing process, possibly on an article by article basis.
Comment 14 eric@christensenplace.us 2010-07-07 18:19:40 EDT
Created attachment 430187
Marked up chapter.
Comment 15 eric@christensenplace.us 2010-07-07 18:20:16 EDT
Ready for QA.
Comment 16 Scott Radvan 2010-07-07 18:52:26 EDT
QA approval of this chapter confirmed. Document is submitted to source and changes will appear on next publish. Closing this bug.
