Red Hat Bugzilla – Bug 212355
CVE-2006-5453, CVE-2006-5454, CVE-2006-5455 bugzilla vulnerabilities
Last modified: 2007-11-30 17:11:46 EST
According to CVE descriptions, Bugzilla in FE-4 and later is vulnerable to:
CVE-2006-5453 (unauthorized write access)
CVE-2006-5454 (unauthorized information access)
CVE-2006-5455 (unauthorized write access)
Sorry, haven't had time to look at this with my travel schedule. I'll try to
get it taken care of soon.
Hm, I see devel was updated to 2.22.1. But FC-5 and FC-6 were patched with a
patch that is the complete diff between 2.22 and 2.22.1 except for some CVS
cruft in the tarball and a PDF doc - yet they're labeled as 2.22. Was that on
Yes. I'm trying to follow the RHEL example of keeping versions the same and
backporting patches for any distros already released. FE-4 is also about to get
the same treatment as 5 and 6.
Yes, I understand that part of the intention.
But the patch contains *everything* between 2.22 and 2.22.1, not just a subset
of selected fixes, e.g. security ones. So, the patched version is actually
2.22.1, but its Version tag says 2.22 - the same effect would have been achieved
by using the upstream 2.22.1 tarball and labeling it as 2.22.