According to CVE descriptions, Bugzilla in FE-4 and later is vulnerable to: CVE-2006-5453 (unauthorized write access), CVE-2006-5454 (unauthorized information access), CVE-2006-5455 (unauthorized write access).
ping
Sorry, haven't had time to look at this with my travel schedule. I'll try to get it taken care of soon.
Hm, I see devel was updated to 2.22.1. But FC-5 and FC-6 were patched with a patch that is the complete diff between 2.22 and 2.22.1 except for some CVS cruft in the tarball and a PDF doc - yet they're labeled as 2.22. Was that on purpose?
Yes. I'm trying to follow the RHEL example of keeping versions the same and backporting patches for any distros already released. FE-4 is also about to get the same treatment as 5 and 6.
Yes, I understand that part of the intention. But the patch contains *everything* between 2.22 and 2.22.1, not just a subset of selected fixes, e.g. security ones. So, the patched version is actually 2.22.1, but its Version tag says 2.22 - the same effect would have been achieved by using the upstream 2.22.1 tarball and labeling it as 2.22.