Bug 589808 (CVE_legacy, CVE-old-statements) - CVE legacy statements
Summary: CVE legacy statements
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: CVE_legacy, CVE-old-statements
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2010-05-06 23:17 UTC by Vincent Danen
Modified: 2019-05-28 22:34 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2019-05-28 22:34:46 UTC
Embargoed:



Description Vincent Danen 2010-05-06 23:17:09 UTC
This bug is to collect statements for CVEs that don't have their own top-level CVE SRT bug due to being older than when we started using CVE SRT top-level bugs.  These statements were also referred to as NVD statements and are noted on the NVD web site.

Do not change the bug alias; it needs to have "CVE" in the title.  You can add extra statements in new comments or by editing existing comments and they will be picked up correctly.

Comment 1 Vincent Danen 2010-05-06 23:18:00 UTC
Statement CVE-1999-0523:

Red Hat Enterprise Linux by default does respond to ICMP echo requests, although it's likely that in a production environment those would be filtered by some firewall on entry to your network.  However you can happily block ICMP ping responses using iptables if you so wish, but note that there is no known vulnerability in allowing them.

For more details, please see:
http://kbase.redhat.com/faq/FAQ_43_4304.shtm

Statement CVE-1999-0524:

Red Hat Enterprise Linux is configured by default to respond to all ICMP requests. Users may configure the firewall to prevent a system from responding to certain ICMP requests.

Statement CVE-1999-0997:

Red Hat does not consider CVE-1999-0997 to be a security vulnerability.  The wu-ftpd process chroots itself into the target ftp directory and will only run external commands as the user logged into the ftp server.  Because the process chroots itself, an attacker needs a valid login with write access to the ftp server, and even then they could only potentially execute commands as themselves.

Statement CVE-1999-1572:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Comment 2 Vincent Danen 2010-05-06 23:19:03 UTC
Statement CVE-2000-1137:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2000-1199:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Comment 3 Vincent Danen 2010-05-06 23:19:23 UTC
Statement CVE-2001-0187:

Red Hat Enterprise Linux 2.1 ships with wu-ftp version 2.6.2 which is not vulnerable to this issue.

Statement CVE-2001-0935:

CVE-2001-0935 refers to vulnerabilities found when SUSE did a code audit of the wu-ftpd glob.c file in wu-ftpd 2.6.0. They shared these details with the wu-ftpd upstream authors who clarified that some of the issues did not apply, and all were addressed by the version of glob.c in upstream wu-ftpd 2.6.1. Therefore we believe that the issues labelled as CVE-2001-0935 do not affect wu-ftpd 2.6.1 or later versions and therefore do not affect Red Hat Enterprise Linux 2.1.

Statement CVE-2001-1507:

Not vulnerable. This issue did not affect the versions of OpenSSH as shipped with Red Hat Enterprise Linux 2.1, 3, or 4.

Statement CVE-2001-1534:

This is not a security issue.  The mod_usertrack cookies are not designed to be used for authentication.

Statement CVE-2001-1556:

This is a duplicate CVE name and is a combination of CVE-2003-0020 and CVE-2003-0083.

Comment 4 Vincent Danen 2010-05-06 23:21:25 UTC
Statement CVE-2002-0004:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2002-0389:

Red Hat does not intend to take any action on this issue. This is the expected behavior of Mailman and is not considered to be a security flaw by upstream.  If Mailman upstream addresses this issue in a future update, we may revisit our decision.

Statement CVE-2002-0497:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2002-0510:

Red Hat do not consider this to be a security issue and there are many ways that you can identify or fingerprint a Linux machine.  Users that wish to block fingerprinting can use various techniques to disguise their operating system, for example see
http://www.infosecwriters.com/text_resources/pdf/nmap.pdf

Statement CVE-2002-0639:

Not vulnerable.  This issue did not affect the versions of OpenSSH as shipped with Red Hat Enterprise Linux 3 or later.

This issue did not affect the OpenSSL packages as shipped with Red Hat Enterprise Linux 2.1 as they were not compiled with S/Key or BSD_AUTH support.  The upstream patch for this issue and CVE-2002-0640 was included in an errata so that users recompiling OpenSSL with support for those authentication methods would also be protected:
https://rhn.redhat.com/errata/RHSA-2002-131.html

Statement CVE-2002-1642:

Not vulnerable. This issue did not affect the versions of PostgreSQL as shipped with Red Hat Enterprise Linux 2.1, 3, or 4.

Statement CVE-2002-1648:

Not vulnerable. This issue did not affect the versions of SquirrelMail as shipped with Red Hat Enterprise Linux 3 or 4.

Statement CVE-2002-1649:

Not vulnerable. This issue did not affect the versions of SquirrelMail as shipped with Red Hat Enterprise Linux 3 or 4.

Statement CVE-2002-1650:

Not vulnerable. This issue did not affect the versions of SquirrelMail as shipped with Red Hat Enterprise Linux 3 or 4.

Statement CVE-2002-1850:

Not vulnerable. This issue did not affect the versions of Apache HTTP server as shipped with Red Hat Enterprise Linux 2.1, 3, or 4.

Statement CVE-2002-1903:

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=162899

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.  More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/

Statement CVE-2002-2013:

Not vulnerable. This issue did not affect the versions of Mozilla as shipped with Red Hat Enterprise Linux 2.1, 3, or 4.

Statement CVE-2002-2043:

Not vulnerable. This issue only affects a third-party patch to Cyrus SASL, not distributed with Red Hat Enterprise Linux 2.1, 3, or 4.

Statement CVE-2002-2061:

Not vulnerable. This issue did not affect the versions of Mozilla as shipped with Red Hat Enterprise Linux 2.1, 3, or 4.

Statement CVE-2002-2103:

Not vulnerable. This issue did not affect the versions of Apache HTTP server as shipped with Red Hat Enterprise Linux 2.1, 3, or 4.

Statement CVE-2002-2196:

This issue did not affect the versions of Samba as distributed with Red Hat Enterprise Linux 2.1, 3, or 4.

Statement CVE-2002-2204:

We do not believe this is a security vulnerability.  This is the documented and expected behaviour of rpm.

Statement CVE-2002-2210:

Not vulnerable.  This issue did not affect the RPM packages of OpenOffice as distributed with Red Hat Enterprise Linux 2.1, 3, or 4.

Comment 5 Vincent Danen 2010-05-06 23:22:31 UTC
Statement CVE-2003-0131:

Red Hat Enterprise Linux 4 and 5 are not vulnerable to this issue as they both contain a backported patch.

Statement CVE-2003-0147:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2003-0192:

This issue affected Red Hat Enterprise Linux 2.1 and an update was released to correct it:
http://rhn.redhat.com/errata/RHSA-2003-244.html

Red Hat Enterprise Linux 3 contained a backported patch to correct this issue since release.  This issue does not affect the versions of Apache in Enterprise Linux 4 or later.

Statement CVE-2003-0367:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2003-0427:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2003-0543:

For the Red Hat Enterprise Linux 2.1 OpenSSL packages (openssl, openssl096, openssl095a), this issue was addressed via RHSA-2003:293.

The OpenSSL packages in Red Hat Enterprise Linux 3 and 4 (openssl, openssl096b) contain a backported patch since their initial release.

The OpenSSL packages in Red Hat Enterprise Linux 5 are based on a fixed upstream release (openssl), or contain a backported patch since their initial release (openssl097a).

Statement CVE-2003-0544:

For the Red Hat Enterprise Linux 2.1 OpenSSL packages (openssl, openssl096, openssl095a), this issue was addressed via RHSA-2003:293.

The OpenSSL packages in Red Hat Enterprise Linux 3 and 4 (openssl, openssl096b) contain a backported patch since their initial release.

The OpenSSL packages in Red Hat Enterprise Linux 5 are based on a fixed upstream release (openssl), or contain a backported patch since their initial release (openssl097a).

Statement CVE-2003-0545:

Not vulnerable.  The OpenSSL packages in Red Hat Enterprise Linux 2.1 were not affected by this issue.

The OpenSSL packages in Red Hat Enterprise Linux 3 and 4 contain a backported patch since their initial release (openssl), or were not affected by this issue (openssl096b).

The OpenSSL packages in Red Hat Enterprise Linux 5 are based on a fixed upstream release (openssl), or contain a backported patch since their initial release (openssl097a).

Statement CVE-2003-0618:

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=114923

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.  More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/

This issue does not affect Red Hat Enterprise Linux 4.

Statement CVE-2003-0682:

Not vulnerable.

This flaw is fixed in Red Hat Enterprise Linux 2.1 via the errata RHSA-2003:280.

This flaw is fixed in Red Hat Enterprise Linux 3 as a backported patch.  The source RPM contains the patch openssh-3.6.1p2-owl-realloc.diff which resolved this flaw before Red Hat Enterprise Linux 3 GA.

This flaw does not affect any subsequent versions of Red Hat Enterprise Linux.

Statement CVE-2003-0693:

Not vulnerable.

This flaw is fixed in Red Hat Enterprise Linux 2.1 via the errata RHSA-2003:280.

This flaw is fixed in Red Hat Enterprise Linux 3 as a backported patch.  The source RPM contains the patch openssh-3.6.1p2-owl-realloc.diff which resolved this flaw before Red Hat Enterprise Linux 3 GA.

This flaw does not affect any subsequent versions of Red Hat Enterprise Linux.

Statement CVE-2003-0695:

Not vulnerable.

This flaw is fixed in Red Hat Enterprise Linux 2.1 via the errata RHSA-2003:280.

This flaw is fixed in Red Hat Enterprise Linux 3 as a backported patch.  The source RPM contains the patch openssh-3.6.1p2-owl-realloc.diff which resolved this flaw before Red Hat Enterprise Linux 3 GA.

This flaw does not affect any subsequent versions of Red Hat Enterprise Linux.

Statement CVE-2003-0857:

Not affected.  Red Hat did not ship iptables-devel or anything else that used these vulnerable functions with Red Hat Enterprise Linux 2.1 or 3.  Red Hat Enterprise Linux 4 and 5 contained a backported patch to correct this issue.

Statement CVE-2003-0860:

We do not consider these to be security issues:
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1

Statement CVE-2003-0861:

We do not consider these to be security issues:
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1

Statement CVE-2003-0863:

Not vulnerable. This issue did not affect the versions of PHP as shipped with Red Hat Enterprise Linux 2.1.  The PHP packages in Red Hat Enterprise Linux 3 contain a backported patch to address this issue since release.

The issue was fixed upstream in PHP 4.3.3.  The PHP packages in Red Hat Enterprise Linux 4 and 5 are based on fixed upstream versions.

Statement CVE-2003-0885:

This issue did not affect the versions of Xscreensaver as distributed with Red Hat Enterprise Linux 2.1, 3, or 4.

Statement CVE-2003-1138:

Red Hat Enterprise Linux 5 is not vulnerable to this issue.

Statement CVE-2003-1307:

This is not a vulnerability.  When PHP scripts are interpreted using the dynamically loaded mod_php DSO, the PHP interpreter executes with the privileges of the httpd child process. The PHP interpreter does not "sandbox" PHP scripts from the environment in which they run.

On any modern Unix system a process can easily obtain access to all the parent file descriptors anyway, even if they have been closed.

Statement CVE-2003-1308:

Not vulnerable. Red Hat Enterprise Linux 2.1 shipped with fvwm, however this issue does not affect the included version of fvwm.

Statement CVE-2003-1331:

Red Hat does not consider this issue to be a security vulnerability since no trust boundary is crossed. The user must voluntarily interact with the attack mechanism to exploit this flaw, with the result being the ability to run code as themselves.

Statement CVE-2003-1557:

Not vulnerable. This issue did not affect the versions of SpamAssassin as shipped with Red Hat Enterprise Linux 3, 4, or 5.

Statement CVE-2003-1562:

The risks associated with fixing this bug are greater than the low severity security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 2.1 and 3, which are in maintenance mode.

Comment 6 Vincent Danen 2010-05-06 23:24:51 UTC
Statement CVE-2004-0079:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2004-0112:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2004-0174:

Not vulnerable.  This issue did not affect Linux.

Statement CVE-2004-0175:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2004-0230:

The DHS advisory is a good source of background information about the issue: http://www.us-cert.gov/cas/techalerts/TA04-111A.html

It is important to note that the issue described is a known function of TCP. In order to perform a connection reset an attacker would need to know the source and destination IP addresses and ports as well as being able to guess the sequence number within the window. These requirements seriously reduce the ability to trigger a connection reset on normal TCP connections. The DHS advisory explains that BGP routing is a specific case where being able to trigger a reset is easier than expected as the end points can be easily determined and large window sizes are used. BGP routing is also significantly affected by having its connections terminated. The major BGP peers have recently switched to requiring MD5 signatures, which mitigates against this attack.

The following article from Linux Weekly News also puts the flaw into context and shows why it does not pose a significant threat:
http://lwn.net/Articles/81560/

Red Hat does not have any plans for action regarding this issue.

Statement CVE-2004-0603:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2004-0687:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2004-0688:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2004-0806:

Not vulnerable.  cdrecord is not shipped setuid and does not need to be made setuid with Red Hat Enterprise Linux 2.1, 3, or 4 packages.

Statement CVE-2004-0811:

Not vulnerable.  This issue only affected Apache 2.0.51, which was not shipped in any version of Red Hat Enterprise Linux.

Statement CVE-2004-0829:

We do not class this as a security issue; this can only cause a denial of service for the attacker.

Statement CVE-2004-0914:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2004-0941:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2004-0967:

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=140074

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.  More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/

The risks associated with fixing this bug are greater than the low severity security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 2.1, which is in maintenance mode.

Statement CVE-2004-0971:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2004-0975:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2004-0976:

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=140058

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.  More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2004-0996:

Not vulnerable. cscope packages shipped with Red Hat Enterprise Linux 3, 4, and 5 contain a backported patch since their first release.

Statement CVE-2004-1002:

This issue will only cause a denial of service on the connection the attacker is using.  It is therefore not a security issue.

Statement CVE-2004-1020:

Red Hat does not consider this issue to be a security vulnerability since no trust boundary is crossed.  There are no known uses of this function which could allow a remote attacker to execute arbitrary code.

Statement CVE-2004-1051:

We do not consider this to be a security issue:
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=139478#c1

Statement CVE-2004-1063:

We do not consider safe_mode / open_basedir restriction bypass issues to be security sensitive.  For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php

Statement CVE-2004-1064:

We do not consider safe_mode / open_basedir restriction bypass issues to be security sensitive. For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php

Statement CVE-2004-1170:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2004-1177:

This issue did not affect the versions of mailman shipped with Red Hat Enterprise Linux 2.1, 3, or 4.  In addition, we believe this issue does not apply to the 2.0.x versions of mailman due to the setting of STEALTH_MODE.

Statement CVE-2004-1185:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2004-1186:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2004-1287:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2004-1296:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2004-1307:

This issue was resolved in all affected libtiff versions as shipped with Red Hat Enterprise Linux 2.1, 3, and 4 via a patch for CVE-2004-0886.  For updates containing patches for CVE-2004-0886, see: https://rhn.redhat.com/errata/CVE-2004-0886.html

Statement CVE-2004-1377:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2004-1392:

We do not consider these to be security issues:
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1

Statement CVE-2004-1653:

Permitting TCP forwarding is the expected and known default configuration. If it is not desired, it can be disabled using the AllowTcpForwarding option in the /etc/ssh/sshd_config configuration file. However, only disabling TCP forwarding does not improve security unless users are also denied shell access. For more information, see man sshd_config.

Statement CVE-2004-1717:

This CVE is a duplicate (rediscovery) of CVE-2002-0838.

Statement CVE-2004-1808:

The Red Hat Security Response Team rated this issue as having low security impact. This issue affected Red Hat Enterprise Linux 2.1 but due to the low severity will not be fixed.  metamail was not shipped in Red Hat Enterprise Linux 3, 4, or 5.

Statement CVE-2004-1880:

Not vulnerable. These issues did not affect the versions of OpenLDAP as shipped with Red Hat Enterprise Linux 2.1, 3, or 4.

Statement CVE-2004-2300:

Not vulnerable. We did not ship snmpd setuid root in Red Hat Enterprise Linux 2.1, 3, or 4.

Statement CVE-2004-2320:

The Apache Software Foundation do not treat this as a security issue. A configuration change can be made to disable the ability to respond to HTTP TRACE requests if required.

For more information please see:
http://www.apacheweek.com/issues/03-01-24#news

Statement CVE-2004-2343:

Red Hat does not consider this to be a security issue.

Statement CVE-2004-2546:

Not vulnerable.  This issue did not affect the versions of Samba as distributed with Red Hat Enterprise Linux 3 or 4.  Red Hat Enterprise Linux 2.1 shipped with a version of Samba prior to 3.0.6, but we verified by code audit that it is not affected by this issue.

Statement CVE-2004-2654:

Not vulnerable.  This issue only affected 2.5 STABLE4 and 2.5 STABLE5 versions of Squid and does not affect the versions of Squid distributed with Red Hat Enterprise Linux.

Statement CVE-2004-2731:

Not vulnerable. The Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4 and 5 did not include the Sbus PROM module and is therefore not affected by this issue.

Statement CVE-2004-2760:

The risks associated with fixing this bug are greater than the low severity security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 2.1, which is in maintenance mode.

Statement CVE-2004-2761:

Please see http://kbase.redhat.com/faq/docs/DOC-15379

Comment 7 Vincent Danen 2010-05-06 23:32:07 UTC
Statement CVE-2005-0085:

Not vulnerable. These issues did not affect the versions of htdig as shipped with Red Hat Enterprise Linux 2.1, 3, or 4.
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=144263

Statement CVE-2005-0109:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2005-0256:

Not vulnerable.  Red Hat Enterprise Linux 2.1 shipped with wu-ftpd, however we were unable to reproduce this issue.  Additionally, a code analysis showed that attempts to exploit this issue would be caught in the versions we shipped.
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=149720

Statement CVE-2005-0373:

Not vulnerable. This issue did not affect the versions of Cyrus SASL as shipped with Red Hat Enterprise Linux 2.1, 3, or 4.

Statement CVE-2005-0468:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2005-0469:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2005-0488:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2005-0602:

We do not consider this a security vulnerability; this is the expected behaviour.

Statement CVE-2005-0605:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2005-0758:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2005-0953:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2005-0988:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2005-1038:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2005-1111:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2005-1119:

We do not consider this a security issue; the bug can only manifest if the software is invoked on a sudoers file that is contained in a world-writable directory.

Statement CVE-2005-1194:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2005-1228:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2005-1229:

This is defined and documented behaviour:
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=156313

Statement CVE-2005-1306:

Not vulnerable.  Adobe told us this issue did not affect the Linux version of Adobe Reader.

Statement CVE-2005-1344:

Red Hat does not consider this to be a vulnerability.  htdigest is not supplied setuid or setgid and should not be run from a CGI program.

Statement CVE-2005-1544:

Not vulnerable. This issue did not affect the versions of libtiff as shipped with Red Hat Enterprise Linux 2.1, 3, or 4.

Statement CVE-2005-1704:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2005-1705:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2005-1730:

Based on our research we believe that the "OpenSSL ASN.1 brute forcer" is actually exploiting flaws CVE-2003-0543, CVE-2003-0544, and CVE-2003-0545.  Those issues are all addressed in Red Hat Enterprise Linux and therefore CVE-2005-1730 is a duplicate assignment.

Statement CVE-2005-1751:

(none)

Statement CVE-2005-1753:

We do not believe this is a security issue; this is a deliberate circumvention of the Javamail API. The Javamail API provides a comprehensive and secure method to retrieve mail. In this example, the author retrieves the message directly from the mail directory on the filesystem.  Even if the user insists on using this incorrect way of accessing mail, the permissions set by the dovecot and tomcat packages are enough to protect against direct access to most of the files listed in the bug report.

Statement CVE-2005-1797:

The OpenSSL Team do not consider this issue to be a practical threat. Conducting an attack such as this has been shown to be impractical outside of a controlled lab environment. If the OpenSSL Team decide to produce an update to correct this issue, we will consider including it in a future security update.

Statement CVE-2005-2069:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2005-2096:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2005-2475:

This issue was addressed in unzip packages as shipped with Red Hat Enterprise Linux 3 and 4 via RHBA-2007:0418 and RHSA-2007:0203 respectively.

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2005-2541:

This is the documented and expected behaviour of tar.

Statement CVE-2005-2547:

Not vulnerable. These issues did not affect the version of BlueZ as shipped with Red Hat Enterprise Linux 4.

Statement CVE-2005-2642:

Not vulnerable.  This issue did not affect the Linux versions of Mutt.

Statement CVE-2005-2666:

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=162681

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.  More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/

Statement CVE-2005-2693:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2005-2797:

Not vulnerable. This issue did not affect the versions of OpenSSH as shipped with Red Hat Enterprise Linux 2.1, 3 or 4.

Statement CVE-2005-2798:

This issue does not affect Red Hat Enterprise Linux 2.1 and 3.

This flaw was fixed in Red Hat Enterprise Linux 4 via errata RHSA-2005:527:
http://rhn.redhat.com/errata/RHSA-2005-527.html

Statement CVE-2005-2929:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2005-2946:

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169803

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.  More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/

Statement CVE-2005-2959:

We do not consider this to be a security issue:
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=139478#c1

Statement CVE-2005-2968:

Not vulnerable. These issues did not affect the versions of Mozilla and Firefox as shipped with Red Hat Enterprise Linux 2.1, 3, or 4.

Statement CVE-2005-2969:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2005-2975:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2005-2976:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2005-2991:

Not vulnerable.  This issue did not affect the ncompress packages as distributed with Red Hat Enterprise Linux 2.1, 3, or 4.

Statement CVE-2005-3011:

Updated packages to correct this issue are available along with our advisory:
http://rhn.redhat.com/errata/CVE-2005-3011.html

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2005-3054:

We do not consider these to be security issues:
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1

Statement CVE-2005-3120:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2005-3183:

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=170518

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.  More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/

The risks associated with fixing this bug are greater than the low severity security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 2.1 and 3, which are in maintenance mode.

Statement CVE-2005-3186:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2005-3191:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2005-3192:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2005-3193:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2005-3258:

Not vulnerable. These issues do not affect the versions of Squid as shipped with Red Hat Enterprise Linux 2.1, 3, or 4.

Statement CVE-2005-3319:

We do not class this as a security issue as it only allows local users who have the privileges to create .htaccess files the ability to cause a denial of service. Untrusted users should never be given the ability to create .htaccess files.

Statement CVE-2005-3391:

We do not consider these to be security issues:
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1

Statement CVE-2005-3392:

We do not consider these to be security issues:
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1

Statement CVE-2005-3582:

Not vulnerable.  This issue is caused by the way ImageMagick was packaged by Gentoo and does not affect Red Hat Enterprise Linux packages.

Statement CVE-2005-3624:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2005-3625:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2005-3626:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2005-3627:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2005-3628:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2005-3964:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2005-4158:

We do not consider this to be a security issue.
https://bugzilla.redhat.com/show_bug.cgi?id=139478#c1

Statement CVE-2005-4268:

This issue was addressed in Red Hat Enterprise Linux 4 via https://rhn.redhat.com/errata/RHSA-2007-0245.html and in Red Hat Enterprise Linux 3 via https://rhn.redhat.com/errata/RHSA-2010-0145.html. 

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2005-4348:

The Red Hat Security Response Team has rated this issue as having low security impact.  An update is available for Red Hat Enterprise Linux 4 to correct this issue:
http://rhn.redhat.com/errata/RHSA-2007-0018.html

This issue did not affect Red Hat Enterprise Linux 2.1 and 3.

Statement CVE-2005-4442:

This issue did not affect the versions of OpenLDAP as distributed with Red Hat Enterprise Linux 2.1, 3, or 4.

Statement CVE-2005-4636:

This issue did not affect the versions of OpenOffice.org as distributed with Red Hat Enterprise Linux 2.1, 3, or 4.

Statement CVE-2005-4667:

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=178960

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.  More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

The risks associated with fixing this bug are greater than the low severity security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 2.1 which is in maintenance mode.

Statement CVE-2005-4745:

Not vulnerable.  This issue did not affect the FreeRADIUS packages as distributed with Red Hat Enterprise Linux 2.1, 3, or 4.

Statement CVE-2005-4746:

Not vulnerable.  This issue did not affect the FreeRADIUS packages as distributed with Red Hat Enterprise Linux 2.1, 3, or 4.

Statement CVE-2005-4784:

This issue did not affect the Linux glibc.

Statement CVE-2005-4807:

gas (and gcc) make no promise that they are fault tolerant to bad input.  We do not plan on producing security updates for Red Hat Enterprise Linux to correct these bugs.

Statement CVE-2005-4808:

gas (and gcc) make no promise that they are fault tolerant to bad input.  We do not plan on producing security updates for Red Hat Enterprise Linux to correct these bugs.

Statement CVE-2005-4835:

Not vulnerable. The MadWiFi wireless driver is not shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2005-4881:

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/CVE-2005-4881

This issue has been rated as having moderate security impact. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 5 and Red Hat Enterprise MRG. It affects Red Hat Enterprise Linux 3 and 4.

It was addressed in Red Hat Enterprise Linux 4 via: https://rhn.redhat.com/errata/RHSA-2009-1522.html

This issue is not planned to be fixed in Red Hat Enterprise Linux 3, due to this product being in Production 3 of its maintenance life-cycle, where only qualified security errata of important and critical impact are addressed.

For further information about Errata Support Policy, visit: http://www.redhat.com/security/updates/errata/

Comment 8 Vincent Danen 2010-05-06 23:40:44 UTC
Statement CVE-2006-0043:

This issue did not affect Red Hat Enterprise Linux 2.1, 3, or 4.

Statement CVE-2006-0097:

Not vulnerable. This issue did not affect the versions of php as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2006-0151:

We do not consider this to be a security issue.
https://bugzilla.redhat.com/show_bug.cgi?id=139478#c1

Statement CVE-2006-0225:

This issue was addressed in Red Hat Enterprise Linux 2.1, 3 and 4:

https://rhn.redhat.com/errata/CVE-2006-0225.html
https://www.redhat.com/security/data/cve/CVE-2006-0225.html

The issue was fixed upstream in version 4.3.  The openssh packages in Red Hat Enterprise Linux 5 are based on the fixed upstream version and were not affected by this flaw.

Statement CVE-2006-0236:

Not vulnerable.  We verified that this issue does not affect Linux versions of Thunderbird.

Statement CVE-2006-0321:

This issue did not affect the versions of Fetchmail as distributed with Red Hat Enterprise Linux 2.1, 3, or 4.

Statement CVE-2006-0405:

This issue did not affect the versions of libtiff as distributed with Red Hat Enterprise Linux 2.1, 3, or 4.

Statement CVE-2006-0454:

Not vulnerable.  This vulnerability was introduced into the Linux kernel in version 2.6.12 and therefore does not affect users of Red Hat Enterprise Linux 2.1, 3, or 4.

Statement CVE-2006-0459:

This issue only affects parsers which are generated by grammars which either use REJECT or rules with a variable trailing context (in these rules the parser has to keep all backtracking paths).  The Red Hat Security Response Team analysed all packages that include flex generated parsers in Red Hat Enterprise Linux (2.1, 3, and 4) and found none were vulnerable.

Statement CVE-2006-0553:

This issue did not affect the versions of PostgreSQL as distributed with Red Hat Enterprise Linux 2.1, 3, or 4.

Statement CVE-2006-0576:

Red Hat is aware of this issue and is tracking it via the following bug for Red Hat Enterprise Linux 3:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=207347

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.  More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/

This issue was fixed for Red Hat Enterprise Linux 4 in the following errata:
http://rhn.redhat.com/errata/RHEA-2006-0355.html

This issue does not affect Red Hat Enterprise Linux 2.

Statement CVE-2006-0670:

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=187945

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.  More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/

This issue does not affect Red Hat Enterprise Linux 2.1 or 3.

Statement CVE-2006-0730:

This issue only affected Dovecot versions 1.0beta1 and 1.0beta2.  Red Hat Enterprise Linux 4 shipped with an earlier version of Dovecot and is therefore not vulnerable to this issue.

Statement CVE-2006-0743:

Not vulnerable. Red Hat Enterprise Linux 2.1, 3, and 4 do not include log4net.

Statement CVE-2006-0883:

This issue did not affect the versions of OpenSSH as distributed with Red Hat Enterprise Linux 2.1, 3, or 4.

Statement CVE-2006-0903:

Red Hat is aware of this issue and is tracking it via the following bug for Red Hat Enterprise Linux 2.1 and 3:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=194613

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.  More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/

This issue has been fixed for Red Hat Enterprise Linux 4 in RHSA-2006:0544.

Statement CVE-2006-1014:

We do not consider these to be security issues:
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1

Statement CVE-2006-1015:

We do not consider these to be security issues:
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1

Statement CVE-2006-1017:

We do not consider safe_mode / open_basedir restriction bypass issues to be security sensitive. For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php

Statement CVE-2006-1057:

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=188302

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.  More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/

This issue does not affect Red Hat Enterprise Linux 2.1 and 3.

Statement CVE-2006-1058:

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=187385

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.  More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/

This issue does not affect Red Hat Enterprise Linux 2.1 or 3.

Statement CVE-2006-1095:

This issue did not affect the versions of mod_python as distributed with Red Hat Enterprise Linux 2.1, 3, or 4.

Statement CVE-2006-1168:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-1174:

Red Hat is aware of this issue and is tracking it via the following bugs:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=193053
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=229194

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.  More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/

The risks associated with fixing this bug are greater than the low severity security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 2.1 which is in maintenance mode.

Statement CVE-2006-1251:

Not vulnerable.  greylistclean.cron is not supplied in the exim packages as distributed with Red Hat Enterprise Linux.

Statement CVE-2006-1494:

This issue did not affect the versions of OpenSSH as distributed with Red Hat Enterprise Linux 2.1, 3, or 4.

Statement CVE-2006-1542:

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=187900

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.  More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-1549:

The PHP interpreter does not offer a reliable "sandboxed" security layer (as found in, say, a JVM) in which untrusted scripts can be run; any script run by the PHP interpreter must be trusted with the privileges of the interpreter itself.  We therefore do not classify this issue as security-sensitive since no trust boundary is crossed.

Statement CVE-2006-1608:

We do not consider these to be security issues:
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1

Statement CVE-2006-1624:

Red Hat does not consider this to be a security issue. Enabling the -r option is not suggested without the -x option which is clearly documented in the /etc/sysconfig/syslog configuration file.

Statement CVE-2006-2050:

Red Hat does not consider this to be a security issue. The FastCGI server is local trusted code and not under the control of an attacker, no trust boundary is crossed.

For more information please see:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-2050

Statement CVE-2006-2073:

This issue did not affect the version of bind as shipped with Red Hat Enterprise Linux 5.  We do not believe this issue has a security consequence for earlier versions of Red Hat Enterprise Linux.  For details please see:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=192192

Statement CVE-2006-2083:

Not vulnerable.  This issue does not affect the versions of rsync distributed with Red Hat Enterprise Linux 2.1, 3, or 4.

Statement CVE-2006-2193:

This issue does not affect Red Hat Enterprise Linux 2.1 and 3.

This issue was addressed in Red Hat Enterprise Linux 4 via: https://rhn.redhat.com/errata/RHSA-2008-0848.html

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-2194:

Not vulnerable.  The winbind plugin is not shipped with Red Hat Enterprise Linux 2.1, 3, or 4.

Statement CVE-2006-2369:

This issue only affected version 4.1.1 and not the versions distributed with Red Hat Enterprise Linux 2.1, 3, or 4.

Statement CVE-2006-2414:

Not vulnerable.  This issue does not affect the versions of Dovecot distributed with Red Hat Enterprise Linux. 

Statement CVE-2006-2440:

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=192278

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.  More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/

This issue does not affect Red Hat Enterprise Linux 2.1 or 3.

Statement CVE-2006-2450:

Not vulnerable.  This issue does not affect the versions of LibVNCServer as distributed with Red Hat Enterprise Linux 2.1, 3, or 4.

Statement CVE-2006-2502:

Not vulnerable.  This issue does not affect the versions of cyrus-imapd distributed with Red Hat Enterprise Linux. 

Statement CVE-2006-2563:

We do not consider these to be security issues.  For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1
and http://www.php.net/security-note.php

Statement CVE-2006-2607:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-2656:

This issue was addressed in libtiff packages as shipped in Red Hat Enterprise Linux 2.1, 3, and 4 via: https://rhn.redhat.com/errata/RHSA-2006-0603.html

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-2660:

This is not an issue that affects users of Red Hat Enterprise Linux.  
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=196255

Statement CVE-2006-2754:

This issue is not exploitable as the status file is only written to and read by the slurpd process.  Therefore this is not a vulnerability that affects Red Hat Enterprise Linux 2.1, 3, or 4.

Statement CVE-2006-2789:

Not vulnerable.  This issue does not affect the versions of Evolution as distributed with Red Hat Enterprise Linux.

Statement CVE-2006-2906:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-2916:

Not vulnerable.  We do not ship aRts as setuid root on Red Hat Enterprise Linux 2.1, 3, or 4.

Statement CVE-2006-2937:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-2940:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-3005:

Red Hat does not consider this a security issue.  It is expected behavior that a large input file will cause the processing program to use a large amount of memory.

Statement CVE-2006-3011:

We do not consider these to be security issues.  For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1
and http://www.php.net/security-note.php

Statement CVE-2006-3018:

Unknown: CVE-2006-3018 has been assigned to an issue in PHP where the cause and fix are unknown, and the impact cannot be verified. The source of the CVE assignment was a single line statement in the PHP 5.1.3 release announcement, http://www.php.net/release_5_1_3.php, reading: "Fixed a heap corruption inside the session extension."  Of the changes made to the session extension between releases 5.1.2 and 5.1.3, none would fix a bug matching this description by our analysis.

Statement CVE-2006-3083:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-3093:

Not vulnerable.  Adobe told us that this issue does not affect the Linux versions of Adobe Acrobat Reader.

Statement CVE-2006-3145:

This issue did not affect the versions of NetPBM distributed with Red Hat Enterprise Linux 2.1, 3, or 4.

Statement CVE-2006-3174:

This issue has not been able to be reproduced by upstream or after a Red Hat code review.  We therefore do not believe this is a security vulnerability. 

Statement CVE-2006-3334:

On Red Hat Enterprise Linux 2.1, 3, 4, and 5 this is a two-byte overflow into the middle of the stack and is not exploitable.

Statement CVE-2006-3376:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-3378:

This issue affects the version of the passwd command from the shadow-utils package.  Red Hat Enterprise Linux 2.1, 3, and 4 are not vulnerable to this issue.

Statement CVE-2006-3459:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-3460:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-3461:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-3462:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-3463:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-3464:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-3465:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-3467:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-3469:

This issue was addressed in mysql packages as shipped in Red Hat Enterprise Linux 4 via:

https://rhn.redhat.com/errata/RHSA-2008-0768.html

This issue did not affect mysql packages as shipped with Red Hat Enterprise Linux 2.1, 3, or 5, and Red Hat Application Stack v1 and v2.

Statement CVE-2006-3486:

We do not consider this issue to have security implications, and therefore have no plans to issue MySQL updates for Red Hat Enterprise Linux 2.1, 3, or 4 to correct this issue.

Statement CVE-2006-3587:

Adobe gave a statement that these issues do not affect the Linux versions of Macromedia Flash Player.

Statement CVE-2006-3588:

Adobe gave a statement that these issues do not affect the Linux versions of Macromedia Flash Player.

Statement CVE-2006-3619:

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=198912

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.  More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/

Statement CVE-2006-3626:

This vulnerability does not affect Red Hat Enterprise Linux 2.1 or 3 as they are based on 2.4 kernels.

The exploit relies on the kernel supporting the a.out binary format.  Red Hat Enterprise Linux 4, Fedora Core 4, and Fedora Core 5 do not support the a.out binary format, causing the exploit to fail.  We are not currently aware of any way to exploit this vulnerability if a.out binary format is not enabled.  In addition, a default installation of these OSes enables SELinux in enforcing mode.  SELinux also completely blocks attempts to exploit this issue.

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=198973#c10

Statement CVE-2006-3672:

We do not consider a crash of a client application such as Konqueror to be a security issue.

Statement CVE-2006-3731:

We do not consider a user-assisted crash of a client application such as Firefox to be a security issue.

Statement CVE-2006-3738:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-3742:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-3743:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-3744:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-3747:

The ability to exploit this issue is dependent on the stack layout for a particular compiled version of mod_rewrite. If the compiler has added padding to the stack immediately after the buffer being overwritten, this issue can not be exploited, and Apache httpd will continue operating normally.

The Red Hat Security Response Team analyzed Red Hat Enterprise Linux 3 and Red Hat Enterprise Linux 4 binaries for all architectures as shipped by Red Hat and determined that these versions cannot be exploited.  This issue does not affect the version of Apache httpd as supplied with Red Hat Enterprise Linux 2.1.

Statement CVE-2006-3835:

This issue is not a security issue in Tomcat itself, but is caused when directory listings are enabled.

Details on how to disable directory listings are available at: http://tomcat.apache.org/faq/misc.html#listing

Statement CVE-2006-3879:

This issue does not affect versions of Mikmod 3.2.0-beta2 or prior.  Versions of Mikmod distributed with Red Hat Enterprise Linux 2.1, 3, and 4 are based on version 3.1.11 and are therefore not vulnerable to this issue.

Statement CVE-2006-4031:

This issue was corrected in all affected mysql package versions as shipped in Red Hat Enterprise Linux or Red Hat Application Stack via:

https://rhn.redhat.com/errata/CVE-2006-4031.html

This issue did not affect mysql packages as shipped with Red Hat Enterprise Linux 2.1 or 3.

Statement CVE-2006-4095:

Not Vulnerable.  The version of BIND that ships with Red Hat Enterprise Linux is not vulnerable to this issue as it does not handle signed RR records.

Statement CVE-2006-4096:

Not Vulnerable.  This issue was found and fixed as part of Red Hat Enterprise Linux 4 update 4:
http://rhn.redhat.com/errata/RHBA-2006-0288.html

and Red Hat Enterprise Linux 3 update 8:
http://rhn.redhat.com/errata/RHBA-2006-0287.html

This issue does not affect Red Hat Enterprise Linux 2.1.

Statement CVE-2006-4124:

LessTif is shipped with Red Hat Enterprise Linux 2.1 but not 3 or 4.  On Enterprise Linux 2.1 we build LessTif with debugging disabled, so the DEBUG_FILE environment variable is ignored and this issue cannot be exploited.

Statement CVE-2006-4144:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-4146:

Updates to address this issue are available for Red Hat Enterprise Linux 3 and 4:
https://rhn.redhat.com/cve/CVE-2006-4146.html

Red Hat Enterprise Linux 5 was not vulnerable to this issue as it contained a backported patch.

Statement CVE-2006-4181:

Not Vulnerable.  Red Hat does not ship GNU Radius in Red Hat Enterprise Linux 2.1, 3, or 4.

Statement CVE-2006-4226:

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=203426

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.  More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/

This issue does not affect Red Hat Enterprise Linux 2.1 or 3.

Statement CVE-2006-4227:

This issue did not affect the versions of MySQL as shipped with Red Hat Enterprise Linux 2.1, 3, or 4.

The issue was addressed in MySQL packages as shipped in Red Hat Enterprise Linux 5 via:

https://rhn.redhat.com/errata/RHSA-2008-0364.html

Statement CVE-2006-4262:

Red Hat Enterprise Linux 5 was not vulnerable to this issue as it contained a backported patch since its first release.

In Red Hat Enterprise Linux 3 and 4, this issue was addressed via: https://rhn.redhat.com/errata/RHSA-2009-1101.html

Statement CVE-2006-4310:

Red Hat does not consider this flaw a security issue.  This flaw is the result of a NULL pointer dereference, which is not exploitable and can only cause a client crash.

Statement CVE-2006-4334:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-4335:

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=220595

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-4336:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-4337:

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=220595

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-4338:

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=220595

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-4339:

Vulnerable.  This issue affects OpenSSL and OpenSSL compatibility packages in Red Hat Enterprise Linux 2.1, 3, and 4.  Updates, along with our advisory are available at the URL below.
http://rhn.redhat.com/errata/RHSA-2006-0661.html

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-4343:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-4433:

We do not consider this to be a PHP flaw.  The problem is caused by the insufficient input validation performed by Zend platform.

Statement CVE-2006-4434:

This flaw causes a crash but does not result in a denial of service against Sendmail and is therefore not a security issue.

Statement CVE-2006-4447:

Not Vulnerable. This issue does not exist in Red Hat Enterprise Linux 2.1 or 3.  This issue is not exploitable in Red Hat Enterprise Linux 4.  A detailed analysis of this issue can be found in the Red Hat Bug Tracking System:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=195555

Statement CVE-2006-4481:

We do not consider these to be security issues.  For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php

Statement CVE-2006-4513:

Not vulnerable.  This issue did not affect versions of the wvWare library included in koffice packages as shipped with Red Hat Enterprise Linux 2.1.

Statement CVE-2006-4514:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-4572:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-4600:

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=205826

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.  More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/

The risks associated with fixing this bug are greater than the low severity security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 2.1 which is in maintenance mode.

Statement CVE-2006-4623:

Red Hat is aware of this issue and is tracking it via the following bug for Red Hat Enterprise Linux 4:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=204912

This issue does not affect Red Hat Enterprise Linux 2.1 or 3.

Statement CVE-2006-4624:

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=205651

The Red Hat Security Response Team has rated this issue as having low security impact and expects to release a future update to address this flaw.  More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/

The risks associated with fixing this bug are greater than the low severity security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 2.1 and 3 which are in maintenance mode.

This bug will be addressed in a future update of Red Hat Enterprise Linux 4.

Statement CVE-2006-4625:

We do not consider these to be security issues.  For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php

Statement CVE-2006-4790:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-4806:

Not vulnerable. Red Hat Enterprise Linux 2.1, 3, and 4 do not include imlib2.

Statement CVE-2006-4807:

Not vulnerable. Red Hat Enterprise Linux 2.1, 3, and 4 do not include imlib2.

Statement CVE-2006-4808:

Not vulnerable. Red Hat Enterprise Linux 2.1, 3, and 4 do not include imlib2.

Statement CVE-2006-4809:

Not vulnerable. Red Hat Enterprise Linux 2.1, 3, and 4 do not include imlib2.

Statement CVE-2006-4810:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-4811:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-4812:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

This issue did not affect the versions of php as shipped with Red Hat Enterprise Linux 3 and 4.

Statement CVE-2006-4814:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-4842:

This issue also affects other operating systems that use NSPR.  However, Red Hat does not ship any application linked setuid or setgid against NSPR and therefore is not vulnerable to this issue.

Statement CVE-2006-4924:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-4925:

Red Hat does not consider this flaw a security issue. This flaw can cause an OpenSSH client to crash when connecting to a malicious server, which does not result in a denial of service condition.

Statement CVE-2006-4980:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-5051:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-5052:

This issue did not affect Red Hat Enterprise Linux 2.1 and 3.

This issue was addressed in Red Hat Enterprise Linux 4 and 5 via
https://rhn.redhat.com/errata/RHSA-2007-0703.html and https://rhn.redhat.com/errata/RHSA-2007-0540.html respectively.

Statement CVE-2006-5158:

Red Hat is aware of this issue and is tracking it via the following bug for Red Hat Enterprise Linux 4:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=210128

This issue does not affect Red Hat Enterprise Linux 2.1 or 3.

Statement CVE-2006-5159:

Red Hat does not consider this issue to be a security vulnerability.  We have been in contact with the upstream project regarding this problem and agree that this issue currently poses no security threat.  In the event more information becomes available, we will revisit this issue in the future.

Statement CVE-2006-5160:

Red Hat does not consider this issue to be a security vulnerability.  We have been in contact with the upstream project regarding this problem and agree that this issue currently poses no security threat.  In the event more information becomes available, we will revisit this issue in the future.

Statement CVE-2006-5173:

Not Vulnerable.  This flaw only affects kernel versions 2.6.14 to 2.6.18.  Red Hat Enterprise Linux 2.1, 3, and 4 do not ship with a vulnerable kernel version.

Statement CVE-2006-5178:

We do not consider these to be security issues. For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php

Statement CVE-2006-5214:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-5215:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-5229:

Red Hat has been unable to reproduce this flaw and believes that the reporter was experiencing behavior specific to his environment.  We will not be releasing an update to address this issue.

Statement CVE-2006-5297:

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=211085

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw. More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

The risks associated with fixing this bug are greater than the low severity security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 2.1, which is in maintenance mode.

Statement CVE-2006-5298:

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=211085

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw. More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

The risks associated with fixing this bug are greater than the low severity security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 2.1, which is in maintenance mode.

Statement CVE-2006-5397:

Not vulnerable. These issues did not affect the versions of libX11 as shipped with Red Hat Enterprise Linux 2.1, 3, or 4.

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-5456:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-5465:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-5466:

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=213515

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw. More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-5467:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-5619:

Red Hat is aware of this issue and is tracking it via bug 213214 for Red Hat Enterprise Linux 4:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=213214

This issue does not affect Red Hat Enterprise Linux 2.1 or 3.

Statement CVE-2006-5633:

Red Hat does not consider a user-assisted crash of a client application such as Firefox to be a security issue.

Statement CVE-2006-5649:

Not vulnerable. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, or 5.  Red Hat Enterprise Linux 2.1 did not ship for PowerPC architecture.

Statement CVE-2006-5701:

Not Vulnerable.  The squashfs module is not distributed as part of Red Hat Enterprise Linux 2.1, 3, or 4.  Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-5706:

We do not consider these to be security issues.  For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php

Statement CVE-2006-5749:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-5751:

This flaw does not affect the Linux kernel shipped with Red Hat Enterprise Linux 2.1 or 3.

This flaw affects the Linux kernel shipped with Red Hat Enterprise Linux 4.  We are tracking this flaw via bug 216452:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=216452

Statement CVE-2006-5753:

Red Hat Enterprise Linux 2.1 is not vulnerable to this issue as it only affects x86_64 architectures.

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch at release.

Statement CVE-2006-5757:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-5779:

Not Vulnerable.  The OpenLDAP versions shipped with Red Hat Enterprise Linux 4 and earlier do not contain the vulnerable code in question.  Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-5794:

This issue did not affect Red Hat Enterprise Linux 2.1.

This issue was addressed in Red Hat Enterprise Linux 3 and 4 via
https://rhn.redhat.com/errata/RHSA-2006-0738.html .

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-5823:

CVE-2006-5823 concerns a corrupted cramfs image (MOKB-07-11-2006) that can cause memory corruption and so crash the machine.

For Red Hat Enterprise Linux 3 this issue is tracked via Bugzilla #216960 and for Red Hat Enterprise Linux 4 it is tracked via Bugzilla #216958.

Red Hat Enterprise Linux 2.1 is not vulnerable to this issue.

This issue has been rated as having low impact, because root privileges or physical access to the machine are needed to mount a corrupted filesystem and crash the machine.

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-5864:

Red Hat is aware of this issue and is tracking it via the following bug for Red Hat Enterprise Linux 2.1:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=215593

This issue did not affect Red Hat Enterprise Linux 3 or 4.

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.  More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

The risks associated with fixing this bug are greater than the low severity security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 2.1, which is in maintenance mode.

Statement CVE-2006-5868:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-5870:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-5876:

Not vulnerable. The vulnerable code is not used by any application linked with libsoup shipped with Red Hat Enterprise Linux 2.1, 3, and 4.

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-5969:

Not vulnerable. Red Hat Enterprise Linux 2.1 shipped with fvwm, however this issue does not affect the included version of fvwm.

Statement CVE-2006-5974:

Not vulnerable.  This issue does not affect the versions of fetchmail distributed with Red Hat Enterprise Linux 2.1, 3, or 4.

Statement CVE-2006-5989:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-6015:

Red Hat does not consider unexploitable client application crashes to be security flaws. This bug causes a stack recursion crash, which is not exploitable.

Statement CVE-2006-6027:

Not vulnerable.  This issue did not affect Linux versions of Adobe Reader.

Statement CVE-2006-6053:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-6054:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-6056:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-6057:

Not Vulnerable.  The kernel as shipped with Red Hat Enterprise Linux 2.1, 3, and 4 does not contain gfs2 filesystem support.

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-6097:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-6101:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-6102:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-6103:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-6105:

Not vulnerable.  This flaw was first introduced in gdm version 2.14.  Therefore these issues did not affect the earlier versions of gdm as shipped with Red Hat Enterprise Linux 2.1, 3, or 4.

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-6106:

Red Hat is aware of this issue and is tracking it for Red Hat Enterprise Linux 4 via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=218602

This issue does not affect the version of the Linux kernel shipped with Red Hat Enterprise Linux 2.1 or 3.

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-6107:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-6142:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-6143:

Not vulnerable. Red Hat Enterprise Linux 2.1, 3, and 4 ship with versions of Kerberos 5 prior to version 1.4 and are therefore not affected by these vulnerabilities.

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-6144:

Not vulnerable. Red Hat Enterprise Linux 2.1, 3, and 4 ship with versions of Kerberos 5 prior to version 1.4 and are therefore not affected by these vulnerabilities.

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-6169:

Red Hat does not consider this bug to be a security flaw.  In order for this flaw to be exploited, a user would be required to enter shellcode into an interactive GnuPG session. Red Hat considers this to be an unlikely scenario.

Red Hat Enterprise Linux 5 contains a backported patch to address this issue.

Statement CVE-2006-6235:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-6236:

Not vulnerable.  This issue does not affect the Linux version of Adobe Reader.

Statement CVE-2006-6297:

We do not consider a crash of a client application such as Konqueror or other KFile users to be a security issue.

Statement CVE-2006-6303:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.  For other versions of Red Hat Enterprise Linux see http://rhn.redhat.com/cve/CVE-2006-6303.html

Statement CVE-2006-6304:

This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 3 and 4, or Red Hat Enterprise MRG. Shipped kernels do not include upstream commit d025c9db, which introduced the problem.

This upstream commit was backported in Red Hat Enterprise Linux 5 via RHSA-2009:0225. It was later reported and addressed in Red Hat Enterprise Linux 5 via https://rhn.redhat.com/errata/RHSA-2010-0046.html

Statement CVE-2006-6305:

Not vulnerable. This issue does not affect the versions of net-smtp as shipped with Red Hat Enterprise Linux 2.1, 3, or 4.

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-6332:

Not vulnerable. The MadWiFi wireless driver is not shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2006-6383:

We do not consider these to be security issues.  For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php

Statement CVE-2006-6385:

Not Vulnerable. eEye Research advisory AD20061207 (Intel Network Adapter Driver Local Privilege Escalation) describes a flaw in the Linux Kernel drivers for the e100, e1000, and ixgb Intel network cards. The flaw affects the NDIS miniport drivers and their OID support. The Linux Kernel drivers do not support the NDIS API or the OID concept from Microsoft Windows.

Statement CVE-2006-6493:

Not vulnerable. OpenLDAP as shipped with Red Hat Enterprise Linux 2.1, 3, and 4 does not support the LDAP_AUTH_KRBV41 authentication method.

Statement CVE-2006-6628:

Red Hat does not consider this flaw a security issue.  This flaw will only crash OpenOffice.org and presents no possibility for arbitrary code execution.

Statement CVE-2006-6660:

Not vulnerable. This issue did not affect the versions of KDE as shipped with Red Hat Enterprise Linux 2.1, 3, or 4.

Statement CVE-2006-6698:

The Red Hat Security Response Team has rated this issue as having low security impact. The risks associated with fixing this bug are greater than the low severity security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 3, 4, or 5.

Statement CVE-2006-6719:

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=221459

We do not consider a crash of a client application such as wget to be a security issue.

This flaw was fixed in wget shipped in Red Hat Enterprise Linux 5 before the initial release of the product. Versions of wget shipped in Red Hat Enterprise Linux 3 and 4 are affected by this bug.

Statement CVE-2006-6772:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2006-6811:

We do not consider a crash of a client application such as KsIRC to be a security issue.

Statement CVE-2006-6921:

This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1 or 3.

Statement CVE-2006-6939:

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=223072

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.

Statement CVE-2006-7051:

This issue can only be exploited if pending signals (ulimit -i) is set to "unlimited". In the case of Red Hat Enterprise Linux 2.1, 3, and 4 this is not the case, and therefore they are not vulnerable to this issue.

Statement CVE-2006-7098:

Not vulnerable. This issue was specific to a Debian patch to Apache HTTP Server.

Statement CVE-2006-7108:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

This flaw has been rated as having a low severity by the Red Hat Security Response Team.  More information about this rating can be found here:
http://www.redhat.com/security/updates/classification/

This flaw is currently being tracked via the following bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=231449
https://bugzilla.redhat.com/show_bug.cgi?id=231448

The risks associated with fixing this bug are greater than the low severity security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 2.1 and 3, which are in maintenance mode.

Statement CVE-2006-7139:

Not vulnerable. Our testing found that this issue did not affect the versions of Kmail as shipped with Red Hat Enterprise Linux 2.1, 3, or 4.

Statement CVE-2006-7175:

** DISPUTED ** Sendmail classes the CipherList directive as "for future release"; currently unsupported and undocumented. Therefore the lack of support for the CipherList directive in various Red Hat products is not a vulnerability.

Statement CVE-2006-7177:

Not vulnerable. The MadWiFi wireless driver is not shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2006-7178:

Not vulnerable. The MadWiFi wireless driver is not shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2006-7179:

Not vulnerable. The MadWiFi wireless driver is not shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2006-7180:

Not vulnerable. The MadWiFi wireless driver is not shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2006-7204:

We do not consider these to be security issues.  For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php

Statement CVE-2006-7205:

The memory_limit configuration option is used to constrain the amount of memory which a script can consume during execution.  If this setting is disabled (or set unreasonably high), it is expected behaviour that scripts will be able to consume large amounts of memory during script execution.

The memory_limit setting is enabled by default in all versions of PHP distributed in Red Hat Enterprise Linux and Application Stack.
Statement CVE-2006-7221:

Red Hat does not consider a user assisted client crash such as this to be a security flaw.

Statement CVE-2006-7232:

This issue did not affect the MySQL packages as shipped in Red Hat Enterprise Linux 2.1, 3, and 4 as they did not support INFORMATION_SCHEMA, introduced in MySQL version 5.

MySQL packages as shipped in Red Hat Enterprise Linux 5 were fixed via:

https://rhn.redhat.com/errata/RHSA-2008-0364.html

The MySQL packages as shipped in Red Hat Application Stack v1 and v2 are based on an upstream version that includes the fix.

Statement CVE-2006-7236:

Not vulnerable. This issue did not affect the versions of the xterm package, as shipped with Red Hat Enterprise Linux 3, 4, and 5, and the version of the XFree86 (providing xterm) and hanterm-xf packages, as shipped with Red Hat Enterprise Linux 2.1.

Comment 9 Vincent Danen 2010-05-06 23:58:05 UTC
Statement CVE-2007-0003:

Not vulnerable. These issues did not affect the versions of pam as shipped with Red Hat Enterprise Linux 2.1, 3, or 4.

Statement CVE-2007-0010:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Statement CVE-2007-0061:

Not vulnerable. This issue did not affect the versions of dhcp as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2007-0062:

The Red Hat Security Response Team has rated this issue as having low security impact. The risks associated with fixing this bug are greater than the low severity security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 2.1, 3, 4, or 5:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2007-0062

Statement CVE-2007-0063:

This issue is the same as CVE-2007-5365.  The affected dhcp versions were fixed via: https://rhn.redhat.com/errata/RHSA-2007-0970.html

Statement CVE-2007-0080:

Not vulnerable.  The affected code is in an optional module that is not shipped in Red Hat Enterprise Linux 2.1, 3, or 4.

Statement CVE-2007-0086:

Red Hat does not consider this issue to be a security vulnerability.  The potential attacker has to send acknowledgement packets periodically to make the server generate traffic.  Exactly the same effect could be achieved by simply downloading the file.  The statement that setting the TCP window size to an arbitrarily high value would permit the attacker to disconnect and stop sending ACKs is false, because Red Hat Enterprise Linux limits the size of the TCP send buffer to 4MB by default.

Statement CVE-2007-0103:

Some implementations of the PDF specification erroneously allow page tree objects that refer back to themselves. As a result, an infinite loop could be created.  We believe this could only result in a denial of service against the application.  We do not consider a user-assisted DoS of a client application to be a security issue.

Statement CVE-2007-0104:

Not Vulnerable.  This flaw is the result of an infinite recursion flaw in xpdf, which cannot result in arbitrary code execution.

Statement CVE-2007-0157:

Not vulnerable.  This issue does not affect the older versions of neon as shipped with Red Hat Enterprise Linux 2.1, 3, and 4.  This issue also does not affect the older versions of neon included in the cadaver package.

Statement CVE-2007-0227:

Not vulnerable. This issue did not affect the versions of slocate as shipped with Red Hat Enterprise Linux 2.1, 3, or 4.

Statement CVE-2007-0235:

Not vulnerable. This issue did not affect the versions of libgtop as shipped with Red Hat Enterprise Linux 2.1 or 3.

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

This flaw affects Red Hat Enterprise Linux 4 and is being tracked via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=249884

Statement CVE-2007-0240:

Not vulnerable. This issue did not affect Zope included within the conga package shipped with Red Hat Enterprise Linux 5.

Statement CVE-2007-0247:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

This issue did not affect the versions of squid as shipped with Red Hat Enterprise Linux 2.1, 3, or 4.

Statement CVE-2007-0248:

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

This issue did not affect the versions of Squid as shipped with Red Hat Enterprise Linux 2.1, 3, or 4.

Statement CVE-2007-0448:

We do not consider these to be security issues.  For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php

Statement CVE-2007-0453:

Not vulnerable. These issues did not affect Linux versions of Samba.

Statement CVE-2007-0454:

Not vulnerable. These issues affect the AFS ACL module which is not distributed with Samba in Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2007-0455:

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=234312

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.  More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/

Statement CVE-2007-0493:

Not vulnerable. This issue did not affect the versions of ISC BIND as shipped with Red Hat Enterprise Linux 2.1, 3, or 4.

Statement CVE-2007-0537:

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=225414

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.  More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/

Statement CVE-2007-0650:

Red Hat does not consider this issue to be a security vulnerability.  The user would have to voluntarily interact with the attack mechanism to exploit the flaw, and the result would be the ability to run code as themselves.

Statement CVE-2007-0653:

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=228013

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.

Statement CVE-2007-0654:

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=228013

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.

Statement CVE-2007-0770:

Not vulnerable.  Red Hat did not ship the incomplete patch for CVE-2006-5456 and is therefore not affected by this issue.

Statement CVE-2007-0822:

Red Hat does not consider this issue to be a security vulnerability.  On Red Hat Enterprise Linux, processes that change their effective UID do not dump core by default when they receive a fatal signal.  Therefore the NULL pointer dereference does not lead to an information leak.

Statement CVE-2007-0823:

Red Hat does not consider this issue to be a security vulnerability. It is correct and expected behavior for xterm not to zero-fill its scrollback buffer upon reception of a terminal clear escape sequence.

Statement CVE-2007-0905:

We do not consider these to be security issues. For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php

Statement CVE-2007-0911:

Not vulnerable.  This flaw is a regression of the fix for CVE-2007-0906 affecting PHP version 5.2.1 only, which results in any use of str_replace() causing a crash regardless of user input.  These issues did not affect the versions of PHP as shipped with Red Hat Enterprise Linux 2.1, 3, or 4.

Statement CVE-2007-1001:

This issue was fixed in php package updates for Red Hat Enterprise Linux and Red Hat Application Stack:
http://rhn.redhat.com/cve/CVE-2007-1001.html

This issue did not affect the versions of gd as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2007-1030:

Not vulnerable. This issue did not affect versions of libevent as shipped with Red Hat Enterprise Linux 5.

Statement CVE-2007-1036:

The JBoss AS console manager should always be secured prior to deployment, as directed in the JBoss Application Server Guide and release notes. By default, the JBoss AS installer gives users the ability to password protect the console manager. If the user did not use the installer, the raw JBoss services will be in a completely unconfigured state and these steps should be performed manually:
http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureJBoss

Statement CVE-2007-1199:

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-1199

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.

Statement CVE-2007-1218:

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=232347

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.  More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/

Statement CVE-2007-1287:

The phpinfo function should not be used in publicly-accessible PHP scripts.

Statement CVE-2007-1322:

Not vulnerable. This issue did not affect Xen as shipped with Red Hat Enterprise Linux 5.

Statement CVE-2007-1366:

Not vulnerable. This issue did not affect Xen as shipped with Red Hat Enterprise Linux 5.

Statement CVE-2007-1375:

We do not consider this flaw to be a security issue as it is only exploitable by the script author. No trust boundary is crossed.

This flaw exists in versions of PHP as shipped in Red Hat Enterprise Linux 5 and Red Hat Application Stack 1.

These issues did not affect the versions of PHP as shipped with Red Hat Enterprise Linux 2.1, 3, 4, Stronghold 4.0, or Red Hat Application Stack 2.

Statement CVE-2007-1376:

The PHP interpreter does not offer a reliable "sandboxed" security layer (as found in, say, a JVM) in which untrusted scripts can be run; any script run by the PHP interpreter must be trusted with the privileges of the interpreter itself.  We therefore do not classify this issue as security-sensitive since no trust boundary is crossed.

Statement CVE-2007-1378:

Not vulnerable. These issues did not affect the versions of PHP as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5, Stronghold 4.0, or Red Hat Application Stack 1.

Statement CVE-2007-1379:

Not vulnerable. These issues did not affect the versions of PHP as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5, Stronghold 4.0, or Red Hat Application Stack 1.

Statement CVE-2007-1380:

Our previous fixes for CVE-2007-0906 included a patch that also addressed the issue now given CVE name CVE-2007-1380.  For a full list of versions that contained a fix for this issue please see: https://rhn.redhat.com/cve/CVE-2007-1380.html

Statement CVE-2007-1381:

Not vulnerable. These issues did not affect the versions of PHP as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5, Stronghold 4.0, or Red Hat Application Stack 1.

Statement CVE-2007-1383:

The PHP interpreter does not offer a reliable "sandboxed" security layer (as found in, say, a JVM) in which untrusted scripts can be run; any script run by the PHP interpreter must be trusted with the privileges of the interpreter itself.  We therefore do not classify this issue as security-sensitive since no trust boundary is crossed.

Statement CVE-2007-1396:

Red Hat does not consider this to be a security vulnerability.  Using import_request_variables() is generally a discouraged practice, and it is improper use that can lead to security problems, not a flaw of PHP itself.

Statement CVE-2007-1399:

Not vulnerable. The zip extension was not shipped in versions of PHP provided for Red Hat Enterprise Linux 2.1, 3, 4, 5, Stronghold 4.0, or Red Hat Application Stack 1.

Statement CVE-2007-1401:

Not vulnerable. PHP as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5 does not include Cracklib support.

Statement CVE-2007-1411:

Not vulnerable. PHP as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5 does not include mssql support.

Statement CVE-2007-1412:

Not vulnerable. PHP as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5 does not include ClibPDF support.

Statement CVE-2007-1413:

Not vulnerable. The php-snmp package as shipped with Red Hat Enterprise Linux 4 and 5 uses net-snmp, which is not vulnerable to this issue.

Statement CVE-2007-1420:

This issue did not affect mysql packages as shipped in Red Hat Enterprise Linux 2.1, 3, and 4.

Issue was addressed in mysql packages as shipped in Red Hat Enterprise Linux 5 via:

https://rhn.redhat.com/errata/RHSA-2008-0364.html

Statement CVE-2007-1452:

Not vulnerable. The filter extension was not shipped in versions of PHP provided for Red Hat Enterprise Linux 2.1, 3, 4, 5, Stronghold 4.0, or Red Hat Application Stack 1.

Statement CVE-2007-1453:

Not vulnerable. The filter extension was not shipped in versions of PHP provided for Red Hat Enterprise Linux 2.1, 3, 4, 5, Stronghold 4.0, or Red Hat Application Stack 1.

Statement CVE-2007-1454:

Not vulnerable. The filter extension was not shipped in versions of PHP provided for Red Hat Enterprise Linux 2.1, 3, 4, 5, Stronghold 4.0, or Red Hat Application Stack 1.

Statement CVE-2007-1460:

Not vulnerable. The zip extension was not shipped in versions of PHP provided for Red Hat Enterprise Linux 2.1, 3, 4, 5, Stronghold 4.0, or Red Hat Application Stack 1.

Statement CVE-2007-1461:

The PHP interpreter does not offer a reliable "sandboxed" security layer (as found in, say, a JVM) in which untrusted scripts can be run; any script run by the PHP interpreter must be trusted with the privileges of the interpreter itself.  We therefore do not classify this issue as security-sensitive since no trust boundary is crossed.

Statement CVE-2007-1475:

Not vulnerable. PHP as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5 does not include ibase support.

Statement CVE-2007-1484:

The PHP interpreter does not offer a reliable "sandboxed" security layer (as found in, say, a JVM) in which untrusted scripts can be run; any script run by the PHP interpreter must be trusted with the privileges of the interpreter itself.  We therefore do not classify this issue as security-sensitive since no trust boundary is crossed.

Statement CVE-2007-1521:

The PHP interpreter does not offer a reliable "sandboxed" security layer (as found in, say, a JVM) in which untrusted scripts can be run; any script run by the PHP interpreter must be trusted with the privileges of the interpreter itself.  We therefore do not classify this issue as security-sensitive since no trust boundary is crossed.

Statement CVE-2007-1522:

The PHP interpreter does not offer a reliable "sandboxed" security layer (as found in, say, a JVM) in which untrusted scripts can be run; any script run by the PHP interpreter must be trusted with the privileges of the interpreter itself.  We therefore do not classify this issue as security-sensitive since no trust boundary is crossed.

Statement CVE-2007-1564:

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=233592

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.

More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/

Statement CVE-2007-1565:

We do not consider a crash of a client application such as Konqueror to be a security issue.

Statement CVE-2007-1581:

The PHP interpreter does not offer a reliable "sandboxed" security layer (as found in, say, a JVM) in which untrusted scripts can be run; any script run by the PHP interpreter must be trusted with the privileges of the interpreter itself.  We therefore do not classify this issue as security-sensitive since no trust boundary is crossed.

Statement CVE-2007-1582:

The PHP interpreter does not offer a reliable "sandboxed" security layer (as found in, say, a JVM) in which untrusted scripts can be run; any script run by the PHP interpreter must be trusted with the privileges of the interpreter itself.  We therefore do not classify this issue as security-sensitive since no trust boundary is crossed.

Statement CVE-2007-1584:

This CVE name is a duplicate as the vulnerability is addressed by CVE-2007-0907.

Statement CVE-2007-1649:

Not vulnerable. These issues did not affect the versions of PHP as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5, Stronghold 4.0, or Red Hat Application Stack 1.

Statement CVE-2007-1700:

The PHP interpreter does not offer a reliable "sandboxed" security layer (as found in, say, a JVM) in which untrusted scripts can be run; any script run by the PHP interpreter must be trusted with the privileges of the interpreter itself.  We therefore do not classify this issue as security-sensitive since no trust boundary is crossed.

Statement CVE-2007-1701:

This CVE name is a duplicate as the vulnerability is addressed by CVE-2007-0910.

Statement CVE-2007-1709:

Not vulnerable. PHP as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5, Red Hat Application Stack, and Stronghold 4.0 do not include PHPDoc support.

Statement CVE-2007-1710:

We do not consider these to be security issues.  For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php

Statement CVE-2007-1716:

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=233581

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.  More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/

Statement CVE-2007-1717:

This issue has no security impact.

Statement CVE-2007-1730:

Not vulnerable. This issue did not affect the version of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2007-1734:

Not vulnerable. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2007-1741:

These attacks are reliant on an insecure configuration of the server - that the user the server runs as has write access to the document root. The suexec security model is not intended to protect against privilege escalation in such a configuration.

Statement CVE-2007-1742:

These attacks are reliant on an insecure configuration of the server - that the user the server runs as has write access to the document root. The suexec security model is not intended to protect against privilege escalation in such a configuration.

Statement CVE-2007-1743:

These attacks are reliant on an insecure configuration of the server - that the user the server runs as has write access to the document root. The suexec security model is not intended to protect against privilege escalation in such a configuration.

Statement CVE-2007-1777:

Not vulnerable. The zip extension was not distributed with PHP as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5, Stronghold 4.0, or Red Hat Application Stack 1.

Statement CVE-2007-1824:

The PHP interpreter does not offer a reliable "sandboxed" security layer (as found in, say, a JVM) in which untrusted scripts can be run; any script run by the PHP interpreter must be trusted with the privileges of the interpreter itself.  We therefore do not classify this issue as security-sensitive since no trust boundary is crossed.

Statement CVE-2007-1825:

This CVE name is a duplicate as the vulnerability is addressed by CVE-2007-0906.

Statement CVE-2007-1835:

The PHP interpreter does not offer a reliable "sandboxed" security layer (as found in, say, a JVM) in which untrusted scripts can be run; any script run by the PHP interpreter must be trusted with the privileges of the interpreter itself.  We therefore do not classify this issue as security-sensitive since no trust boundary is crossed.

Statement CVE-2007-1862:

Not vulnerable. This issue was specific to httpd version 2.2.4 and did not affect the versions of httpd as shipped with Red Hat Enterprise Linux 2.1, 3, 4 or 5.

Statement CVE-2007-1883:

The PHP interpreter does not offer a reliable "sandboxed" security layer (as found in, say, a JVM) in which untrusted scripts can be run; any script run by the PHP interpreter must be trusted with the privileges of the interpreter itself.  We therefore do not classify this issue as security-sensitive since no trust boundary is crossed.

Statement CVE-2007-1884:

The PHP interpreter does not offer a reliable "sandboxed" security layer (as found in, say, a JVM) in which untrusted scripts can be run; any script run by the PHP interpreter must be trusted with the privileges of the interpreter itself.  We therefore do not classify this issue as security-sensitive since no trust boundary is crossed.

Statement CVE-2007-1885:

This CVE name is a duplicate as the vulnerability is addressed by CVE-2007-0906.

Statement CVE-2007-1886:

We do not consider this flaw to be a security issue as it is only exploitable by the script author. No trust boundary is crossed.

For more information please see:
https://bugzilla.redhat.com/show_bug.cgi?id=mopb#c37

Statement CVE-2007-1887:

Not vulnerable. These issues did not affect the versions of PHP as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5, Stronghold 4.0, or Red Hat Application Stack 1.

Statement CVE-2007-1888:

Not vulnerable. These issues did not affect the versions of PHP as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5, Stronghold 4.0, or Red Hat Application Stack 1.

Statement CVE-2007-1889:

Not vulnerable. These issues did not affect the versions of PHP as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5, Stronghold 4.0, or Red Hat Application Stack 1.

Statement CVE-2007-1890:

The PHP interpreter does not offer a reliable "sandboxed" security layer (as found in, say, a JVM) in which untrusted scripts can be run; any script run by the PHP interpreter must be trusted with the privileges of the interpreter itself.  We therefore do not classify this issue as security-sensitive since no trust boundary is crossed.

Statement CVE-2007-1900:

Not vulnerable. The filter extension was not shipped in the versions of PHP supplied for Red Hat Enterprise Linux 2.1, 3, 4, 5, Stronghold 4.0, or Red Hat Application Stack 1.

Statement CVE-2007-2026:

Not vulnerable. These issues did not affect the versions of file as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2007-2027:

This issue affected Red Hat Enterprise Linux 4 and 5.  Update packages were released to correct it via: http://rhn.redhat.com/errata/RHSA-2009-1471.html

Statement CVE-2007-2030:

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=236585

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.  More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/

Statement CVE-2007-2052:

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235093

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.  More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/

Statement CVE-2007-2176:

Not vulnerable.  This issue is a flaw in the way Java and Quicktime interact.  

Statement CVE-2007-2231:

This issue did not affect Red Hat Enterprise Linux prior to version 5.  An update to Red Hat Enterprise Linux 5 was released to correct this issue:
https://rhn.redhat.com/errata/RHSA-2008-0297.html

Statement CVE-2007-2241:

Not vulnerable. These issues did not affect the versions of BIND as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2007-2243:

Not vulnerable. The OpenSSH packages as shipped with Red Hat Enterprise Linux do not contain S/KEY support.

Statement CVE-2007-2263:

This issue was fixed in RealPlayer for Red Hat Enterprise Linux 3 Extras, 4 Extras, 5 Supplementary by RHSA-2007:0841 on 17th August 2007:
https://rhn.redhat.com/errata/RHSA-2007-0841.html

(Our original advisory did not mention this issue was fixed as the details of the issue were not made public by RealNetworks until 25th October 2007)

Statement CVE-2007-2264:

This issue was fixed in RealPlayer for Red Hat Enterprise Linux 3 Extras, 4 Extras, 5 Supplementary by RHSA-2007:0841 on 17th August 2007:
https://rhn.redhat.com/errata/RHSA-2007-0841.html

(Our original advisory did not mention this issue was fixed as the details of the issue were not made public by RealNetworks until 25th October 2007)

Statement CVE-2007-2348:

This issue does not affect lftp as supplied with Red Hat Enterprise Linux 3.

This issue was addressed for Red Hat Enterprise Linux 5 by
https://rhn.redhat.com/errata/RHSA-2009-1278.html

The Red Hat Security Response Team has rated this issue as having low security impact, a future update to Red Hat Enterprise Linux 4 may address this flaw.  

Statement CVE-2007-2353:

Red Hat ship Axis in a number of products; however the installation path of Axis is fixed and deterministic, so this flaw does not disclose otherwise unknown information.  We do not plan on issuing updates to fix this issue.

Statement CVE-2007-2407:

Not vulnerable.  This flaw is specific to Mac OS X and does not affect any version of Red Hat Enterprise Linux.

Statement CVE-2007-2437:

Red Hat does not consider a user assisted client crash such as this to be a security flaw.

Statement CVE-2007-2444:

Not vulnerable. These issues did not affect the versions of Samba as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2007-2448:

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-2448

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. 

Statement CVE-2007-2452:

Not vulnerable.  Red Hat did not ship GNU locate in Red Hat Enterprise Linux 2.1, 3, 4, or 5.  This issue does not affect the mlocate or slocate packages that are supplied with Red Hat Enterprise Linux.

Statement CVE-2007-2453:

This issue did not affect the versions of the Linux kernel supplied with Red Hat Enterprise Linux 2.1, 3, or 4.

For systems based on Red Hat Enterprise Linux 5, this is only an issue for systems without a real time clock, harddrive activity, or user input during boot time.  Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=241718

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.  More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/

Statement CVE-2007-2510:

This issue did not affect the versions of PHP as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or Red Hat Application Stack v2.  Updates to correct this issue for Red Hat Enterprise Linux 5, and Red Hat Application Stack v1 are available at http://rhn.redhat.com/cve/CVE-2007-2510.html

Statement CVE-2007-2511:

The PHP interpreter does not offer a reliable "sandboxed" security layer (as found in, say, a JVM) in which untrusted scripts can be run; any script run by the PHP interpreter must be trusted with the privileges of the interpreter itself.  The bug described in CVE-2007-2511 can only be triggered by a script author; since no trust boundary is crossed, this issue is not treated as security-sensitive.

Statement CVE-2007-2519:

Installation of a PEAR package from an untrusted source could allow malicious code to be installed and potentially executed by the root user.  This is true regardless of the existence of this particular bug in the PEAR installer, so the bug would not be treated as security-sensitive.  As when handling system RPM packages, the root user must always ensure that any packages installed are from a trusted source and have been packaged correctly.

Statement CVE-2007-2583:

This issue did not affect mysql packages as shipped in Red Hat Enterprise Linux 2.1, 3, and 4.

Issue was addressed in mysql packages as shipped in Red Hat Enterprise Linux 5 via:

https://rhn.redhat.com/errata/RHSA-2008-0364.html

Statement CVE-2007-2645:

Red Hat does not consider this flaw to have security consequences.  For more details please see the following:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=240055

Statement CVE-2007-2683:

Updates for Red Hat Enterprise Linux are available from
http://rhn.redhat.com/errata/RHSA-2007-0386.html

Statement CVE-2007-2691:

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-2691

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.  More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/

Statement CVE-2007-2692:

This issue did not affect mysql packages as shipped in Red Hat Enterprise Linux 2.1, 3 and 4.

Affected mysql packages as shipped in Red Hat Enterprise Linux 5 and Red Hat Application Stack were fixed via:

https://rhn.redhat.com/errata/CVE-2007-2692.html

Statement CVE-2007-2693:

Not vulnerable. These issues did not affect the versions of mysql as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2007-2721:

Not vulnerable.  This issue did not affect versions of ghostscript as shipped with Red Hat Enterprise Linux 2.1, 3, 4 or 5 as they do not include a bundled JasPer library.

Statement CVE-2007-2727:

Not vulnerable. This issue did not affect the versions of php as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5, or Red Hat Application Stack 1 or 2, as the packages shipped are not compiled with the mcrypt extension affected by this issue.

Statement CVE-2007-2741:

Not vulnerable. This issue did not affect the versions of lcms as shipped with Red Hat Enterprise Linux 5.

Statement CVE-2007-2748:

We do not consider this flaw to be a security issue as it is only exploitable by the script author. No trust boundary is crossed.

This flaw exists in versions of PHP as shipped in Red Hat Enterprise Linux 5 and Red Hat Application Stack 1.

This issue did not affect the versions of PHP as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or Red Hat Application Stack 2.

Statement CVE-2007-2756:

Red Hat does not consider this flaw to be a security vulnerability.  We are not aware of any long running processes using libgd which could not recover from this condition.

Statement CVE-2007-2768:

Not vulnerable. OPIE for PAM is not shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5, 6, or 7.

Statement CVE-2007-2833:

Red Hat does not consider a user-assisted crash of a user application such as Emacs to be a security issue.

Statement CVE-2007-2844:

Not vulnerable.  PHP is not built or supported in a multi-threaded environment in the packages distributed in Red Hat Enterprise Linux or Application Stack.

Statement CVE-2007-2872:

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-2872

The Red Hat Security Response Team has rated this issue as having moderate security impact, a future update may address this flaw. 

Statement CVE-2007-2878:

This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1 or 3.

Statement CVE-2007-2893:

Not vulnerable. This issue did not affect Xen as shipped with Red Hat Enterprise Linux 5.

Statement CVE-2007-2925:

Not vulnerable. This issue did not affect the versions of bind as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2007-2926:

Updates are available for Red Hat Enterprise Linux 2.1, 3, 4, and 5 to correct this issue:
http://rhn.redhat.com/errata/RHSA-2007-0740.html

Statement CVE-2007-2930:

Not vulnerable. This issue did not affect the versions of bind as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2007-2953:

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=248542

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.  More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/

Statement CVE-2007-2958:

Not vulnerable.  This issue did not affect the version of Sylpheed as shipped with Red Hat Enterprise Linux 2.1.  Sylpheed and claws-mail are not shipped with Red Hat Enterprise Linux 3, 4, or 5.

Statement CVE-2007-3007:

We do not consider these to be security issues.  For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php

Statement CVE-2007-3008:

The Apache Software Foundation do not treat this as a security issue. A configuration change can be made to disable the ability to respond to HTTP TRACE requests if required.

For more information please see:
http://www.apacheweek.com/issues/03-01-24#news

Statement CVE-2007-3104:

This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1 or 3.

Statement CVE-2007-3105:

This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1 or 3.

Statement CVE-2007-3126:

Red Hat does not consider a user-assisted crash of a user application such as GIMP to be a security issue.

Statement CVE-2007-3143:

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=252169

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.  

Statement CVE-2007-3144:

Not vulnerable.  Mozilla is no longer shipped as part of any version of Red Hat Enterprise Linux.  Mozilla was replaced in Red Hat Enterprise Linux by SeaMonkey, which is not affected by this issue.

Statement CVE-2007-3149:

Not vulnerable.  Versions of the sudo package shipped with Red Hat Enterprise Linux versions 2.1, 3, 4 and 5 are linked with PAM support and never use libkrb5 authentication.

Statement CVE-2007-3205:

This is not a security vulnerability: it is the expected behaviour of parse_str when used without a second parameter.

Statement CVE-2007-3278:

Red Hat does not consider this to be a security issue.  dblink is disabled in the default configuration of PostgreSQL packages as shipped with Red Hat Enterprise Linux versions 2.1, 3, 4 and 5, and it is a configuration decision whether to grant local users arbitrary access.

Fixes to correct this bug were included in PostgreSQL updates:
https://rhn.redhat.com/cve/CVE-2007-3278.html

Statement CVE-2007-3279:

Red Hat does not consider this to be a security issue. Creating functions is an intended feature of the PL/pgSQL language and is definitely not a security problem. Weak passwords are generally more likely to be guessed with brute force attacks, and choosing a strong password according to good practices is considered to be sufficient protection against this kind of attack.

Statement CVE-2007-3280:

Red Hat does not consider this to be a security issue.  The ability of the superuser to execute code on behalf of the database server is an intended feature and poses no security threat, as the superuser account is restricted to the database administrator.

Statement CVE-2007-3294:

Not vulnerable. PHP is not compiled with the tidy library as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5, or Red Hat Application Stack v1 or v2.

Statement CVE-2007-3303:

Not a vulnerability.  In the security model used by Apache httpd, the less-privileged child processes (running as the "apache" user) completely handle the servicing of new connections. Any local user who is able to run arbitrary code in those children is therefore able to prevent new requests from being serviced, by design.  Such users will also be able to "simulate" server load and force the parent to create children up to the configured limits, by design.

Statement CVE-2007-3372:

Not vulnerable. This issue did not affect the versions of avahi as shipped with Red Hat Enterprise Linux 5.

Statement CVE-2007-3375:

Not vulnerable. Red Hat does not ship the Lhaca file archiver.  Note that an identical flaw was found affecting the lha file archiver in 2004, CVE-2004-0234.  This issue was corrected by security update RHSA-2004:178 for Red Hat Enterprise Linux 2.1 and 3.  Red Hat Enterprise Linux 4 was not vulnerable as it contained a backported patch to correct this issue from release.
http://rhn.redhat.com/errata/RHSA-2004-178.html

Statement CVE-2007-3378:

We do not consider this to be a security issue.  For more details see: http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php

Statement CVE-2007-3380:

This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1 or 3.

Statement CVE-2007-3472:

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-3472

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. 

Statement CVE-2007-3473:

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-3473

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. 

Statement CVE-2007-3474:

This issue did not affect the versions of gd as shipped with Red Hat Enterprise Linux 2.1 or 3 as they did not offer GIF image support.

We do not plan to backport a fix for this issue to the gd packages as shipped in Red Hat Enterprise Linux 4 and 5 due to the low likelihood of an application affected by this problem being exposed in a way that would allow a trust boundary to be crossed.

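The three suexec statements above (CVE-2007-1741, CVE-2007-1742 and CVE-2007-1743) hinge on one precondition: the suexec model only holds when the user httpd runs as cannot write inside the document root. The following script, added here as an example and not part of Red Hat's statements, checks that precondition by walking a DocumentRoot and listing every path whose mode bits let the server user write to it. The server user name "apache" and the path /var/www/html are assumed defaults; only mode bits are examined, so POSIX ACLs, SELinux policy and bind mounts are outside what it can see.

```shell
#!/bin/sh
# Added example (not from the Red Hat statements): audit a DocumentRoot for
# paths the httpd user could write to. Assumed defaults: user "apache",
# directory /var/www/html. Mode bits only; ACLs/SELinux are not consulted.

# docroot_writable_by USER DIR
# Print each path under DIR that USER can write to according to mode bits:
# owned by USER with the owner-write bit, group-writable by a group USER
# belongs to, or world-writable. Returns 2 if USER does not exist.
docroot_writable_by() {
    user="$1"
    root="$2"
    groups=$(id -Gn "$user" 2>/dev/null) || return 2
    # Build one "-o ( -group G -perm -020 )" clause per group of USER.
    set --
    for g in $groups; do
        set -- "$@" -o \( -group "$g" -perm -020 \)
    done
    # -perm -200: owner write bit set; -perm -002: world write bit set.
    find "$root" \( -user "$user" -perm -200 \) "$@" -o -perm -002
}

# count_docroot_writable USER DIR
# Number of writable paths found; 0 means the suexec precondition holds.
count_docroot_writable() {
    docroot_writable_by "$1" "$2" | wc -l | tr -d ' '
}

# Usage: ./suexec-docroot-check.sh --check [USER] [DIR]
if [ "${1:-}" = "--check" ]; then
    srv_user="${2:-apache}"
    docroot="${3:-/var/www/html}"
    n=$(count_docroot_writable "$srv_user" "$docroot")
    if [ "$n" -ne 0 ]; then
        docroot_writable_by "$srv_user" "$docroot"
        echo "FAIL: $n path(s) under $docroot writable by $srv_user" >&2
        exit 1
    fi
    echo "OK: nothing under $docroot is writable by $srv_user"
fi
```

Run it as root so that find can descend into every directory; a non-empty listing means the configuration is the insecure one the statements describe, and the suexec model no longer protects against the attacks assigned those CVE names.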
Comment 10 Vincent Danen 2010-05-06 23:58:49 UTC
Statement CVE-2007-3475:

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-3475

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. 

Statement CVE-2007-3476:

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-3476

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. 

Statement CVE-2007-3477:

Due to the minimal impact of this flaw (temporary DoS by high CPU usage) and low likelihood of this problem being exposed in a way that would allow trust boundary crossing, we currently do not plan to backport a fix for this issue to the versions of gd as shipped in Red Hat Enterprise Linux 2.1, 3, 4 or 5.

Statement CVE-2007-3478:

We currently do not plan to backport a fix for this issue to gd packages in current versions of Red Hat Enterprise Linux 2.1, 3, 4, and 5 due to the low likelihood of an application affected by this problem being exposed in a way that would allow a trust boundary to be crossed.

Statement CVE-2007-3506:

Not vulnerable. These issues did not affect the versions of freetype as shipped with Red Hat Enterprise Linux 2.1, 3, or 4.

Statement CVE-2007-3508:

After careful analysis by Red Hat and several Glibc developers, it has been determined that this bug is not exploitable.

For more information please see Red Hat Bugzilla bug #247208
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=247208

Statement CVE-2007-3513:

This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, or 4.

Statement CVE-2007-3564:

Not vulnerable.  The curl packages as shipped with Red Hat Enterprise Linux versions 2.1, 3, 4 and 5 are not linked against the gnutls library.

Statement CVE-2007-3568:

Red Hat does not consider bugs which result in a user-assisted crash of an end-user application to be a security issue.

Statement CVE-2007-3634:

Not vulnerable. This plugin is not shipped with Squirrelmail in Red Hat Enterprise Linux.

Statement CVE-2007-3635:

Not vulnerable. This plugin is not shipped with Squirrelmail in Red Hat Enterprise Linux.

Statement CVE-2007-3636:

Not vulnerable. This plugin is not shipped with Squirrelmail in Red Hat Enterprise Linux.

Statement CVE-2007-3642:

Not vulnerable. These issues did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2007-3728:

Not vulnerable.  libsilc was not shipped with Enterprise Linux 2.1 or 3.  This issue did not affect the versions of libsilc as shipped with Red Hat Enterprise Linux 4 or 5.  

Statement CVE-2007-3731:

This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, or 4.

Statement CVE-2007-3739:

This issue did not affect the version of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1.

Statement CVE-2007-3740:

This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1 or 3.

Statement CVE-2007-3781:

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=248553

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. 

Statement CVE-2007-3782:

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=248553

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. 

Statement CVE-2007-3790:

Not vulnerable.  This flaw is specific to PHP on Windows.

Statement CVE-2007-3798:

This issue does not affect the version of tcpdump shipped in Red Hat Enterprise Linux 2.1 or 3.

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=250275

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.  More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/

Statement CVE-2007-3799:

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-3799

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. 

Statement CVE-2007-3806:

Not vulnerable.  This issue only affected PHP on Windows platforms.

Statement CVE-2007-3820:

This issue did not affect Red Hat Enterprise Linux 2.1 or 3.  For Red Hat Enterprise Linux 4 and 5, Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=248537

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.

Statement CVE-2007-3843:

This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1 or 3.

Statement CVE-2007-3844:

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=250648

The Red Hat Security Response Team has rated this issue as having moderate security impact; a future update may address this flaw.

Statement CVE-2007-3845:

Not vulnerable. This issue does not affect the versions of Firefox or Thunderbird as shipped with Red Hat Enterprise Linux.

Statement CVE-2007-3852:

This issue did not affect the versions of sysstat as shipped with Red Hat Enterprise Linux 2.1, 3, or 4.

For Red Hat Enterprise Linux 5, Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=251200

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.

Statement CVE-2007-3919:

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-3919

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.

Statement CVE-2007-3920:

This issue affected Red Hat Enterprise Linux 5 with a low security impact.  An update to the compiz package was released to correct this issue: 
https://rhn.redhat.com/errata/RHSA-2008-0485.html

Statement CVE-2007-3961:

Red Hat does not consider a user assisted client crash such as this to be a security flaw.

Statement CVE-2007-3962:

Not vulnerable.  fsplib is part of gftp in Red Hat Enterprise Linux 5, but this issue does not affect Linux.

Statement CVE-2007-3997:

We do not consider these to be security issues.  For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php

Statement CVE-2007-3998:

This issue did not affect the versions of PHP as shipped with Red Hat Enterprise Linux 2.1.

Statement CVE-2007-4033:

Not vulnerable.  Versions of PHP packages as shipped with current Red Hat products are not linked with t1lib.

Statement CVE-2007-4038:

Not vulnerable. This issue does not affect the versions of Firefox or Thunderbird as shipped with Red Hat Enterprise Linux.

Statement CVE-2007-4039:

Not vulnerable. This issue does not affect the versions of Firefox or Thunderbird as shipped with Red Hat Enterprise Linux.

Statement CVE-2007-4044:

The CVE description for this bug is incorrect.  The backported patch for CVE-2007-2447 missed the character c in the shell escaping whitelist of allowed characters, therefore not allowing commands with a c in them to be executed.  This is therefore a regression bug and not a security vulnerability.

Statement CVE-2007-4045:

The Red Hat Security Response Team has rated this issue as having low security impact.  Updates to correct this are available:
https://rhn.redhat.com/cve/CVE-2007-4045.html

Statement CVE-2007-4049:

Not vulnerable.  This is a rediscovery and therefore a duplicate of CVE-2000-1205 which was corrected in upstream Apache httpd 1.3.11.

Statement CVE-2007-4091:

Not vulnerable.  This flaw did not affect Red Hat Enterprise Linux 2.1, 3, or 4 due to the version of rsync.

This flaw does exist in Red Hat Enterprise Linux 5, but due to the nature of the flaw it is not exploitable with any security consequence due to stack-protector.

Statement CVE-2007-4133:

This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, or 4.

Statement CVE-2007-4138:

Not vulnerable. These issues did not affect the versions of Samba as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2007-4211:

These issues did not affect the dovecot versions as shipped with Red Hat Enterprise Linux 2.1, 3, or 4.  An update to Red Hat Enterprise Linux 5 was released to correct this issue:
https://rhn.redhat.com/errata/RHSA-2008-0297.html

Statement CVE-2007-4224:

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=251708

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.

Statement CVE-2007-4225:

Not vulnerable.  These issues did not affect the versions of konqueror as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2007-4229:

Red Hat does not consider a crash of a client application such as Konqueror to be a security flaw.

Statement CVE-2007-4251:

Red Hat does not consider this flaw a security issue. This flaw will only crash OpenOffice.org if a victim opens a malicious document.

Statement CVE-2007-4255:

Not vulnerable.  PHP packages as shipped with Red Hat Enterprise Linux versions 2.1, 3, 4, and 5 are not compiled with the msql library and are not vulnerable to this issue.

Statement CVE-2007-4351:

Vulnerable.  This issue affected the CUPS packages in Red Hat Enterprise Linux 5.

This issue also affected the versions of CUPS packages in Red Hat Enterprise Linux 3 and 4, but exploitation would only lead to a possible denial of service.  Updates are available from

https://rhn.redhat.com/cve/CVE-2007-4351.html

Statement CVE-2007-4465:

This is actually a flaw in browsers that do not derive the response character set as required by RFC 2616. This does not affect the default configuration of Apache httpd in Red Hat products and will only affect customers who have removed the "AddDefaultCharset" directive and are using directory indexes.  The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-4465

Statement CVE-2007-4476:

This issue was addressed in Red Hat Enterprise Linux 4 and 5 via https://rhn.redhat.com/errata/RHSA-2010-0141.html for tar.  It did not affect the version of tar as shipped with Red Hat Enterprise Linux 3. This issue was also addressed in Red Hat Enterprise Linux 5 via https://rhn.redhat.com/errata/RHSA-2010-0144.html for cpio.  It did not affect the version of cpio as shipped with Red Hat Enterprise Linux 3 and 4. 

Statement CVE-2007-4507:

Not vulnerable. This issue did not affect the versions of php as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5, or Red Hat Application Stack 1.

Statement CVE-2007-4559:

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=263261

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.  More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/

Statement CVE-2007-4565:

This issue was addressed in fetchmail packages as shipped in Red Hat Enterprise Linux 3, 4, and 5 via:

https://rhn.redhat.com/errata/RHSA-2009-1427.html

Statement CVE-2007-4567:

This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 3, 4 and Red Hat Enterprise MRG. Shipped kernels do not include upstream commit a11d206d that introduced the problem.

This upstream commit was backported in Red Hat Enterprise Linux 5 via RHBA-2008:0314. It was reported and addressed in Red Hat Enterprise Linux 5 via https://rhn.redhat.com/errata/RHSA-2010-0019.html

Statement CVE-2007-4568:

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-4568

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.

Statement CVE-2007-4571:

This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1 or 3.

Statement CVE-2007-4573:

This issue affected users who were running 64-bit versions of Red Hat Enterprise Linux 3, 4, or 5 on the x86_64 architecture.  It did not affect users of Red Hat Enterprise Linux 2.1.

Updates are available for Red Hat Enterprise Linux 3, 4, and 5 to correct this issue.  New kernel packages along with our advisory are available at the URL below as well as via the Red Hat Network. http://rhn.redhat.com/errata/CVE-2007-4573.html

Statement CVE-2007-4584:

Not vulnerable. This issue did not affect the version of IrcII as shipped with Red Hat Enterprise Linux 2.1.  IrcII was not shipped in Enterprise Linux 3, 4, or 5. 

Statement CVE-2007-4599:

Not vulnerable. This issue did not affect the versions of RealPlayer as shipped with Red Hat Enterprise Linux 3 Extras, 4 Extras, or 5 Supplementary.

Statement CVE-2007-4601:

Not vulnerable. This issue was specific to a patch from the Debian project and did not affect versions of tcp_wrappers packages as shipped with Red Hat Enterprise Linux.

Statement CVE-2007-4652:

We do not consider these to be security issues.  For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php

Statement CVE-2007-4657:

The only effect of this bug is to cause the process to read from a random segment of memory, if a large "length" parameter is passed to the strspn/strcspn function, which is under the control of the script author.  This bug has no security impact.

Statement CVE-2007-4658:

This issue did not affect the versions of PHP as shipped with Red Hat Enterprise Linux 2.1.

Statement CVE-2007-4659:

Not vulnerable. These issues did not affect the versions of PHP as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5 or Red Hat Application Stack v1.

Statement CVE-2007-4660:

Not vulnerable. Red Hat did not include an incomplete fix for CVE-2007-2872 for PHP in Red Hat Enterprise Linux or Red Hat Application Stack.

For more details, see: https://bugzilla.redhat.com/show_bug.cgi?id=278161#c5

Statement CVE-2007-4661:

Not vulnerable.  Red Hat did not include an incomplete fix for CVE-2007-2872 for PHP in Red Hat Enterprise Linux or Red Hat Application Stack.

Statement CVE-2007-4662:

This bug can only be triggered by supplying a non-default openssl.conf configuration file, which is entirely under the control of the script author or server administrator, and hence is not a security issue.

Statement CVE-2007-4663:

We do not consider these to be security issues.  For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php

Statement CVE-2007-4721:

Duplicate of CVE-2007-6113.

Statement CVE-2007-4730:

This flaw was fixed for Red Hat Enterprise Linux 4 in RHSA-2007-0898:
https://rhn.redhat.com/errata/RHSA-2007-0898.html

Red Hat Enterprise Linux 5 is not affected by this flaw.  More information can be found here:
https://bugzilla.redhat.com/show_bug.cgi?id=285991

Red Hat Enterprise Linux 2.1 and 3 do not support the composite extension and are not vulnerable to this flaw.

Statement CVE-2007-4752:

This issue did not affect the OpenSSH packages as distributed with Red Hat Enterprise Linux 2.1 or 3, as they do not support Trusted X11 forwarding.

For Red Hat Enterprise Linux 4 and 5, this issue was addressed via: https://rhn.redhat.com/errata/RHSA-2008-0855.html

Statement CVE-2007-4782:

We do not consider this to be a security issue. For more information please see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php

Statement CVE-2007-4783:

We do not consider this to be a security issue. For more information please see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php

Statement CVE-2007-4784:

We do not consider this to be a security issue. For more information please see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php

Statement CVE-2007-4825:

We do not consider this to be a security issue. For more information please see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php

Statement CVE-2007-4826:

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=285691

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.

Statement CVE-2007-4829:

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-4829

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw. More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/

Statement CVE-2007-4840:

We do not consider this to be a security issue. For more information please see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php

Statement CVE-2007-4841:

Not vulnerable.  This flaw does not affect the Linux version of Firefox.

Statement CVE-2007-4849:

Not vulnerable.  There is no support for jffs2 in the Linux kernel as distributed with Red Hat Enterprise Linux 2.1 or 3.  There is no ACL support for jffs2 in the Linux kernel as distributed with Red Hat Enterprise Linux 4 or 5.

Statement CVE-2007-4850:

We do not consider these to be security issues.  For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php

Statement CVE-2007-4887:

The argument passed to the dl() function must always be under the control of the script author.  We therefore do not consider this to be a security issue.

Statement CVE-2007-4889:

We do not consider these to be security issues.  For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php

Statement CVE-2007-4904:

We do not consider a crash of a client application such as RealPlayer or Helix Player to be a security issue.

Statement CVE-2007-4965:

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=295971

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.  More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/

Statement CVE-2007-4987:

Note: As the address of the overwritten byte is not under the attacker's control, the worst impact this bug could have is an application crash. It cannot be exploited to execute arbitrary code.

Statement CVE-2007-4990:

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-4990

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.

Statement CVE-2007-4995:

This issue did not affect the versions of OpenSSL as shipped with Red Hat Enterprise Linux 2.1, 3, or 4.  An update to correct this issue for Enterprise Linux 5 is available.
http://rhn.redhat.com/cve/CVE-2007-4995.html

Please note that the CVE description is incorrect; this issue did not affect upstream versions of OpenSSL prior to 0.9.8.

Statement CVE-2007-4996:

Not vulnerable. These issues did not affect the versions of Pidgin or Gaim as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2007-4998:

This issue affects the busybox package in Red Hat Enterprise Linux 2.1, 3, 4, and 5.

This issue affects the fileutils package in Red Hat Enterprise Linux 2.1.

This issue affects the coreutils package in Red Hat Enterprise Linux 3.

The coreutils packages in Red Hat Enterprise Linux 4 and 5 are not vulnerable to this issue.

Given this issue has minimal risk, we do not intend to issue updates to correct this issue in affected versions of Red Hat Enterprise Linux.

For more information please see:
https://bugzilla.redhat.com/show_bug.cgi?id=356471

Statement CVE-2007-4999:

Not vulnerable. This issue did not affect the versions of Pidgin or Gaim as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2007-5007:

Not vulnerable. This issue did not affect the version of balsa as shipped with Red Hat Enterprise Linux 2.1.

Statement CVE-2007-5020:

According to Adobe this issue affects only the Windows platform and therefore does not affect Adobe Acrobat Reader as distributed with Red Hat Enterprise Linux Extras.
http://www.adobe.com/support/security/advisories/apsa07-04.html

Statement CVE-2007-5045:

Not vulnerable. These issues did not affect the versions of Firefox as shipped with Red Hat Enterprise Linux.

Statement CVE-2007-5079:

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=181302

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.  More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/

Statement CVE-2007-5080:

Not vulnerable. This issue did not affect the versions of RealPlayer as shipped with Red Hat Enterprise Linux 3 Extras, 4 Extras, or 5 Supplementary.

Statement CVE-2007-5081:

This issue was fixed in RealPlayer for Red Hat Enterprise Linux 3 Extras, 4 Extras, and 5 Supplementary by RHSA-2007:0841 on 17th August 2007:
https://rhn.redhat.com/errata/RHSA-2007-0841.html

(Our original advisory did not mention this issue was fixed, as the details of the issue were not made public by RealNetworks until 25th October 2007.)

Statement CVE-2007-5087:

Not vulnerable. These issues did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2007-5137:

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-5137

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.

Statement CVE-2007-5191:

Updates are available to address this issue:
https://rhn.redhat.com/errata/RHSA-2007-0969.html

Statement CVE-2007-5236:

Not vulnerable. These issues do not affect Linux versions of Sun JDK or JRE.

Statement CVE-2007-5237:

Not vulnerable. These issues did not affect the versions of Sun JDK as shipped with Red Hat Enterprise Linux Extras 4 or 5.

Statement CVE-2007-5266:

Not vulnerable. This issue did not affect the versions of libpng and libpng10 as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2007-5267:

Not vulnerable. This issue did not affect the versions of libpng and libpng10 as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2007-5268:

Not vulnerable. This issue did not affect the versions of libpng and libpng10 as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2007-5333:

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-5333

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.

Statement CVE-2007-5360:

Not vulnerable. This issue did not affect versions of tog-pegasus as shipped with Red Hat Enterprise Linux 4 or 5.  For more details see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2007-5360

Statement CVE-2007-5377:

Not vulnerable.  Red Hat Enterprise Linux 2.1, 3, and 4 did not include the Tramp extension with Emacs.  The version of Tramp included with Emacs in Red Hat Enterprise Linux 5 was not vulnerable to this issue.

Statement CVE-2007-5378:

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-5378

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.

Statement CVE-2007-5424:

Red Hat does not consider this to be a security issue. The function behaves as documented. Furthermore, the function shouldn't be considered a security feature, for reasons described at https://bugzilla.redhat.com/show_bug.cgi?id=332451#c3 and http://www.php.net/security-note.php

Statement CVE-2007-5471:

Not vulnerable. The versions of bind as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5 do not support GSS-TSIG and are not linked with the libgssapi library.

Statement CVE-2007-5501:

Not vulnerable. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2007-5502:

Not vulnerable. This vulnerability only affected the OpenSSL FIPS Object Module which is not enabled or used by OpenSSL in Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2007-5601:

Not vulnerable. This issue did not affect versions of RealPlayer as shipped with Red Hat Enterprise Linux 3 and 4 Extras or with Red Hat Enterprise Linux 5 Supplementary.

Statement CVE-2007-5653:

Not vulnerable. These issues did not affect PHP on Linux.

Statement CVE-2007-5708:

Not vulnerable. This issue did not affect the versions of OpenLDAP as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2007-5729:

Not vulnerable. This issue did not affect Xen as shipped with Red Hat Enterprise Linux 5.

Statement CVE-2007-5730:

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-5729

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.

Statement CVE-2007-5741:

Not vulnerable. This issue did not affect versions of plone included in conga/luci packages as shipped with Red Hat Enterprise Linux 5 or Red Hat Cluster Suite for Red Hat Enterprise Linux 4.

Statement CVE-2007-5769:

Red Hat does not consider a user assisted client crash such as this to be a security flaw.

Statement CVE-2007-5795:

Not vulnerable. This issue did not affect versions of Emacs as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2007-5797:

Not vulnerable. This issue did not affect versions of geronimo-specs packages as shipped with Red Hat Enterprise Linux 5, Red Hat Application Stack, Red Hat Application Server, Red Hat Directory Server and Red Hat Certificate System, as the geronimo-specs package only contains the specification of the Apache Geronimo Servers services and interfaces and not the vulnerable J2EE server classes.

Statement CVE-2007-5848:

Not vulnerable.

After a detailed analysis of this flaw, it has been determined that it is not exploitable on Red Hat Enterprise Linux 3, 4, or 5.  For more information please see:
https://bugzilla.redhat.com/show_bug.cgi?id=415141

Statement CVE-2007-5849:

Not vulnerable.

This flaw does not affect the version of CUPS shipped in Red Hat Enterprise Linux 3 or 4.

After a detailed analysis of this flaw, it has been determined it does not pose a security threat on Red Hat Enterprise Linux 5.  For more details regarding this analysis, please see:
https://bugzilla.redhat.com/show_bug.cgi?id=415131

Statement CVE-2007-5894:

This issue is not a vulnerability; for more information see http://marc.info/?m=119743235325151

Statement CVE-2007-5896:

Red Hat does not consider this flaw a security issue. This flaw is not exploitable and can only cause a client to stop responding or crash.

Statement CVE-2007-5898:

This issue was fixed in all affected PHP versions shipped in Red Hat products.  For a list of security advisories, visit: https://rhn.redhat.com/errata/CVE-2007-5898.html

Statement CVE-2007-5900:

The PHP interpreter does not offer a reliable "sandboxed" security layer (as found in, say, a JVM) in which untrusted scripts can be run; any script run by the PHP interpreter must be trusted with the privileges of the interpreter itself.  We therefore do not classify this issue as security-sensitive since no trust boundary is crossed.

Statement CVE-2007-5901:

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-5901

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.

Statement CVE-2007-5902:

This issue is not a practical vulnerability; for more information see http://marc.info/?m=119743235325151

Statement CVE-2007-5935:

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-5935

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.

Statement CVE-2007-5963:

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-5963

The Red Hat Security Response Team has rated this issue as having low security impact; at this time Red Hat does not intend to address this flaw in a future update.

Statement CVE-2007-5965:

Not vulnerable. This issue did not affect versions of qt or qt4 packages as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2007-5966:

This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, and 4.

It was addressed in Red Hat Enterprise Linux 5 and Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2009-1193.html, and https://rhn.redhat.com/errata/RHSA-2008-0585.html respectively.

Statement CVE-2007-5970:

Not vulnerable.  This issue did not affect the mysql packages as shipped in Red Hat Enterprise Linux 2.1, 3, 4, 5, Red Hat Application Stack v1, and v2, as the versions shipped do not support table partitioning. The partitioning feature was introduced in development MySQL version 5.1.

Statement CVE-2007-5971:

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-5971

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.  See http://marc.info/?m=119743235325151

Statement CVE-2007-5972:

This issue is not a vulnerability; for more information see http://marc.info/?m=119743235325151

Statement CVE-2007-6025:

Not vulnerable. This issue did not affect the versions of wpa_supplicant as shipped with Red Hat Enterprise Linux 4 and 5.

Statement CVE-2007-6039:

Red Hat doesn't consider this a security issue. The arguments to the functions in question should always be under the control of the script author, rather than untrusted script input, so these issues would not be treated as security-sensitive.

Statement CVE-2007-6109:

Red Hat does not consider this issue to be a security vulnerability since no trust boundary is crossed. The user must voluntarily interact with the attack mechanism to exploit this flaw, with the result being the ability to run code as themselves.

Statement CVE-2007-6113:

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-6113

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.

Statement CVE-2007-6199:

Red Hat does not consider this to be a security issue. Versions of rsync as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5 behave as expected, and that behavior was well documented.

Statement CVE-2007-6209:

Not vulnerable. These issues did not affect the versions of the zsh package as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2007-6227:

Xen and KVM, as shipped with Red Hat Enterprise Linux 5, by default use only the peripheral device emulation of QEMU and are therefore not vulnerable to this issue.

Statement CVE-2007-6278:

Red Hat does not consider this a security issue. The downloading of arbitrary files will be harmless unless there is a vulnerability in the application handling these other filetypes.

Statement CVE-2007-6279:

This flaw is not exploitable to run arbitrary code and can only cause an application crash. Red Hat does not consider a crash of the flac application or applications that use flac libraries such as media players to be a security issue.

Statement CVE-2007-6283:

An update to Red Hat Enterprise Linux 5 was released to correct this issue:
https://rhn.redhat.com/errata/RHSA-2008-0300.html

Statement CVE-2007-6286:

Not vulnerable.  Red Hat does not ship a version of Apache Tomcat that enables the native APR connector.

Statement CVE-2007-6303:

This issue did not affect the mysql packages as shipped in Red Hat Enterprise Linux 2.1, 3, 4, or 5.

This issue affected the mysql packages as shipped in Red Hat Application Stack v1 and v2 and was addressed by RHSA-2007:1157:
http://rhn.redhat.com/errata/RHSA-2007-1157.html

Statement CVE-2007-6304:

Not vulnerable. The MySQL versions as shipped in Red Hat Enterprise Linux 2.1, 3, and 4 do not support the federated storage engine. The MySQL packages as shipped in Red Hat Enterprise Linux 5, Red Hat Application Stack v1, and Red Hat Application Stack v2 are not compiled with support for the federated storage engine.

Statement CVE-2007-6313:

Not vulnerable. This issue did not affect the versions of MySQL as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2007-6341:

Red Hat does not consider this flaw to be a security issue. For more information please see:
https://bugzilla.redhat.com/show_bug.cgi?id=426437

Statement CVE-2007-6348:

The versions of SquirrelMail packages shipped in Red Hat Enterprise Linux 3, 4, and 5 were not affected by this issue.  In addition, the Red Hat Security Response Team has verified that the malicious code is not part of released Red Hat Enterprise Linux squirrelmail packages.

Statement CVE-2007-6358:

Not vulnerable. Red Hat Enterprise Linux versions 2.1, 3, 4 and 5 do not ship with the alternate pdftops.pl CUPS printing filter that is affected by this flaw.

Statement CVE-2007-6417:

This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and Red Hat Enterprise MRG.

It was addressed in Red Hat Enterprise Linux 5 via: https://rhn.redhat.com/errata/RHSA-2008-0885.html

Statement CVE-2007-6420:

mod_proxy_balancer is shipped in Red Hat Enterprise Linux 5 and Red Hat Application Stack v2.  We do not plan on correcting this issue as it poses a very low security risk: the balancer manager is not enabled by default, the user targeted by the CSRF would need to be authenticated, and the consequences of an exploit would be limited to a web server denial of service.

Statement CVE-2007-6423:

mod_proxy_balancer is included in the version of Apache HTTP Server as shipped in Red Hat Enterprise Linux 5 and Red Hat Application Stack v2.  Red Hat was unable to reproduce this issue.

Statement CVE-2007-6434:

Not vulnerable. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5 or Red Hat Enterprise MRG.

Statement CVE-2007-6514:

Old versions of the Linux 2.4 kernel allowed the lookup of names containing backslashes over smbfs, so there were multiple names which would reference any particular file, allowing the bypass of Apache controls such as AddType.

Not vulnerable.  This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, or 5.  This issue was corrected with a backported patch for Red Hat Enterprise Linux 2.1 by RHSA-2007:0672.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2007-6514

Statement CVE-2007-6591:

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-6591

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw. More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/#low

Statement CVE-2007-6598:

This issue did not affect versions of Dovecot as shipped with Red Hat Enterprise Linux before version 5.  An update to Red Hat Enterprise Linux 5 was released to correct this issue:
https://rhn.redhat.com/errata/RHSA-2008-0297.html

Statement CVE-2007-6715:

Red Hat does not consider this flaw a security issue. This flaw is not exploitable beyond causing the web browser to crash.

Statement CVE-2007-6720:

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-6720

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw. More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/

Comment 11 Vincent Danen 2010-05-07 00:13:08 UTC
Statement CVE-2008-0009:

Not vulnerable. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2008-0010:

Not vulnerable. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2008-0053:

NVD clarification:

To exploit this flaw an attacker needs to print a malicious file through the vulnerable filter (either themselves or by convincing a victim to do so); it should therefore be AC:M.

In CUPS, print filters run as an unprivileged user, not the superuser (root); therefore this should be scored C:P, I:P, A:P.

Statement CVE-2008-0122:

This issue did not affect the versions of GNU libc as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

This issue affects the versions of libbind as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5; however, the vulnerable function is not used by any shipped applications.  The Red Hat Security Response Team has therefore rated this issue as having low security impact; a future update may address this flaw.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-0122

An update to Red Hat Enterprise Linux 5 was released to correct this issue:
https://rhn.redhat.com/errata/RHSA-2008-0300.html

Statement CVE-2008-0145:

Red Hat does not consider this to be a security issue. The regression introduced breaks glob() functionality, but does not bypass security restrictions.

Furthermore, "open_basedir" bypass issues are not treated as security sensitive as described at https://bugzilla.redhat.com/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php

Statement CVE-2008-0163:

Not vulnerable. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2008-0166:

Not vulnerable.  This flaw was caused by a third-party vendor patch to the OpenSSL library.  This patch has never been used by Red Hat, and this issue therefore does not affect any Fedora, Red Hat, or upstream supplied OpenSSL packages.

Statement CVE-2008-0226:

Not vulnerable. This issue did not affect versions of MySQL as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5, Red Hat Application Stack v1, and v2, as they are not built with yaSSL support.

Statement CVE-2008-0227:

Not vulnerable. This issue did not affect versions of MySQL as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5, Red Hat Application Stack v1, and v2, as they are not built with yaSSL support.

Statement CVE-2008-0352:

Not vulnerable. These issues did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2008-0414:

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-0414

The Red Hat Security Response Team has rated this issue as having moderate security impact; a future update will address this flaw. More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/

Statement CVE-2008-0495:

We believe this issue is a duplicate of CVE-2007-5360.  Not vulnerable. This issue did not affect versions of tog-pegasus as shipped with Red Hat Enterprise Linux 4, or 5. For more details see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2007-5360

Statement CVE-2008-0564:

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=431526

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.  More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/

Statement CVE-2008-0594:

Not vulnerable.

This does not affect the versions of Firefox or SeaMonkey shipped in Red Hat Enterprise Linux.

Statement CVE-2008-0599:

Not vulnerable. This issue did not affect the versions of PHP as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5, and Red Hat Application Stack v1.

For Red Hat Application Stack v2, this issue was addressed via: https://rhn.redhat.com/errata/RHSA-2008-0505.html

Statement CVE-2008-0600:

This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, or 4.  Updated kernel packages are available to correct this issue for Red Hat Enterprise Linux 5:
https://rhn.redhat.com/errata/RHSA-2008-0129.html

Statement CVE-2008-0674:

Not vulnerable. This issue did not affect the versions of PCRE as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2008-0883:

Red Hat is aware of this issue and is tracking it via the following bug: 
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-0883

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.

Statement CVE-2008-0891:

Not vulnerable. This issue did not affect the versions of OpenSSL as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2008-0992:

Not vulnerable. This issue did not affect versions of pax as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2008-1026:

Not vulnerable. This issue did not affect versions of pcre as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2008-1033:

Not vulnerable. This issue did not affect the versions of cups as shipped with Red Hat Enterprise Linux 3, 4, or 5.

Statement CVE-2008-1070:

The affected versions of Wireshark as shipped in Red Hat Enterprise Linux 3, 4, and 5 were fixed via: https://rhn.redhat.com/errata/RHSA-2008-0890.html

Statement CVE-2008-1071:

The affected versions of Wireshark as shipped in Red Hat Enterprise Linux 3, 4, and 5 were fixed via: https://rhn.redhat.com/errata/RHSA-2008-0890.html

Statement CVE-2008-1072:

The affected versions of Wireshark as shipped in Red Hat Enterprise Linux 3, 4, and 5 were fixed via: https://rhn.redhat.com/errata/RHSA-2008-0890.html

Statement CVE-2008-1078:

The risks associated with fixing this bug are greater than the low severity security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux.

For more information please see the following bug:
https://bugzilla.redhat.com/show_bug.cgi?id=435420

Statement CVE-2008-1142:

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-1142

This issue does not affect Red Hat Enterprise Linux 3, 4, or 5.

The Red Hat Security Response Team has rated this issue as having low security impact.  Due to the minimal security consequences of this issue, we do not intend to fix this in Red Hat Enterprise Linux 2.1.  More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/

Statement CVE-2008-1145:

This issue was addressed in affected versions of Ruby as shipped in Red Hat Enterprise Linux 4 and 5 via: https://rhn.redhat.com/errata/RHSA-2008-0897.html

Statement CVE-2008-1198:

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-1198

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.

Statement CVE-2008-1199:

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-1199

This issue does not affect the default configuration of Dovecot as shipped in Red Hat Enterprise Linux.

The Red Hat Security Response Team has rated this issue as having moderate security impact; a future update may address this flaw.

An update to Red Hat Enterprise Linux 5 was released to correct this issue:
https://rhn.redhat.com/errata/RHSA-2008-0297.html

Statement CVE-2008-1218:

Not vulnerable. This issue did not affect versions of Dovecot as shipped with Red Hat Enterprise Linux 4 or 5.

Statement CVE-2008-1294:

This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and Red Hat Enterprise MRG.

It was addressed in Red Hat Enterprise Linux 5 via: https://rhn.redhat.com/errata/RHSA-2008-0612.html

Statement CVE-2008-1309:

Not vulnerable. This issue did not affect versions of RealPlayer as shipped with Red Hat Enterprise Linux 3 Extras, 4 Extras, or 5 Supplementary.

Statement CVE-2008-1364:

Not vulnerable. This issue did not affect the versions of dhcp as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2008-1372:

Red Hat has re-evaluated the potential impact of this flaw and has released an update which corrects this behavior:
http://rhn.redhat.com/errata/RHSA-2008-0893.html

Statement CVE-2008-1384:

Red Hat do not consider this to be a security vulnerability:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-1384

Statement CVE-2008-1447:

http://rhn.redhat.com/errata/RHSA-2008-0533.html

Statement CVE-2008-1483:

All openssh versions shipped in Red Hat Enterprise Linux 5 include the patch for this issue.

This issue was fixed in Red Hat Enterprise Linux 4 via: https://rhn.redhat.com/errata/RHSA-2005-527.html

Red Hat Enterprise Linux 3 is affected by this issue. The Red Hat Security Response Team has rated this issue as having low security impact. https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-1483

Statement CVE-2008-1514:

This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 5, and Red Hat Enterprise MRG.

It was addressed in Red Hat Enterprise Linux 4 via: https://rhn.redhat.com/errata/RHSA-2008-0972.html

Statement CVE-2008-1530:

Not vulnerable. This issue does not affect the versions of gnupg packages as shipped with Red Hat Enterprise Linux versions 2.1, 3, 4 or 5.

Statement CVE-2008-1552:

Red Hat does not consider this issue to be a security flaw as SILC is not used in a vulnerable manner in Red Hat Enterprise Linux 4 and 5.

More information can be found here:
https://bugzilla.redhat.com/show_bug.cgi?id=440049

Statement CVE-2008-1561:

The affected versions of Wireshark as shipped in Red Hat Enterprise Linux 3, 4, and 5 were fixed via: https://rhn.redhat.com/errata/RHSA-2008-0890.html

Statement CVE-2008-1562:

The affected versions of Wireshark as shipped in Red Hat Enterprise Linux 3, 4, and 5 were fixed via: https://rhn.redhat.com/errata/RHSA-2008-0890.html

Statement CVE-2008-1563:

The affected versions of Wireshark as shipped in Red Hat Enterprise Linux 3, 4, and 5 were fixed via: https://rhn.redhat.com/errata/RHSA-2008-0890.html

Statement CVE-2008-1586:

Red Hat does not consider this libTIFF bug to be a security issue.

Statement CVE-2008-1628:

This issue did not affect the audit packages as shipped with Red Hat Enterprise Linux 4.

Red Hat is not treating this issue as a security vulnerability for Red Hat Enterprise Linux 5 as no application used the affected interface, and the only result is a controlled application termination as the overflow is detected by the FORTIFY_SOURCE protection mechanism.  We plan to address this as a non-security bug fix in updated audit packages for Red Hat Enterprise Linux 5.2.

For further details, please see:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-1628

Statement CVE-2008-1657:

Not vulnerable. These issues did not affect the versions of OpenSSH as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2008-1668:

Not vulnerable.  This flaw does not affect the version of wu-ftpd as shipped in Red Hat Enterprise Linux 2.1.

Statement CVE-2008-1670:

Not vulnerable. This issue did not affect versions of KDE as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2008-1671:

Not vulnerable. This issue did not affect versions of KDE as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2008-1672:

Not vulnerable. This issue did not affect the versions of OpenSSL as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2008-1673:

Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2, 3, 4, 5 or Red Hat Enterprise MRG.

The bug existed on Red Hat Enterprise Linux 3, 4, and 5. However, this is only a security issue if the SLOB or SLUB memory allocators were used (introduced in Linux kernel versions 2.6.16 and 2.6.22, respectively). All Red Hat Enterprise Linux and Red Hat Enterprise MRG kernels use the SLAB memory allocator, which in this case cannot be exploited to allow arbitrary code execution. As a preventive measure, the underlying bug was addressed in Red Hat Enterprise Linux 3, 4, and 5 via the advisories RHSA-2008:0973, RHSA-2008:0508, and RHSA-2008:0519, respectively.

Statement CVE-2008-1675:

Not vulnerable. This issue did not affect versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2008-1678:

Not vulnerable. This issue did not affect the versions of mod_ssl or httpd as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5 prior to 5.3.

In Red Hat Enterprise Linux 5.3, OpenSSL packages were rebased to upstream version 0.9.8e via RHBA-2009:0181 (https://rhn.redhat.com/errata/RHBA-2009-0181.html), introducing this problem in Red Hat Enterprise Linux 5.  Updated httpd packages were released via: https://rhn.redhat.com/errata/RHSA-2009-1075.html

Statement CVE-2008-1679:

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-1679

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.  More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/

Statement CVE-2008-1685:

The Red Hat Security Response Team is aware of this new gcc behavior and is currently working to determine what impact these changes will have on the source code processed by the compiler. These changes do not affect Red Hat Enterprise Linux 2, 3, 4, or 5.

Statement CVE-2008-1687:

Red Hat does not consider this to be a security issue.  After careful analysis of this issue the Red Hat Security Response Team has determined that this bug has no security impact outside of expected m4 behavior.

Statement CVE-2008-1688:

Red Hat does not consider this to be a security issue.  After careful analysis of this issue the Red Hat Security Response Team has determined that this bug has no security impact outside of expected m4 behavior.

Statement CVE-2008-1694:

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-1694

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.  More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/

Statement CVE-2008-1720:

Not vulnerable. This issue did not affect versions of rsync as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2008-1721:

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=442005

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.  More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/

Statement CVE-2008-1802:

Not vulnerable. This issue did not affect the versions of rdesktop as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2008-1891:

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-1891

The risks associated with fixing this flaw outweigh the benefits of the fix. Red Hat does not plan to fix this flaw in Red Hat Enterprise Linux.

Statement CVE-2008-1926:

Red Hat is aware of this issue affecting Red Hat Enterprise Linux 5 and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-1926

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.

This issue has been addressed in Red Hat Enterprise Linux 4 with the following update:
https://rhn.redhat.com/errata/RHSA-2009-0981.html

Statement CVE-2008-2025:

This is not a security flaw in Struts. Struts has never guaranteed to perform filtering of the untrusted user inputs used as html tag attributes names or values. If user inputs need to be used as part of the tag attributes, the JSP page needs to perform filtering explicitly. For further details, see: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-2025

Statement CVE-2008-2050:

This issue does not affect the version of PHP shipped in Red Hat Enterprise Linux 2.1, 3, or 4.

We do not consider this issue to be a security flaw for Red Hat Enterprise Linux 5 since no trust boundary is crossed.  More information can be found here:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-2050

Statement CVE-2008-2079:

This issue did not affect MySQL as supplied with Red Hat Enterprise Linux 3.

This issue was addressed for Red Hat Enterprise Linux 4, 5, and Red Hat Application Stack v1, v2:
https://rhn.redhat.com/cve/CVE-2008-2079.html

Statement CVE-2008-2137:

Not vulnerable. Red Hat Enterprise Linux 2.1, 3, 4, and 5 do not ship for the SPARC architecture.

Statement CVE-2008-2168:

This is actually a flaw in browsers that do not derive the response character set as required by RFC 2616. This does not affect the default configuration of Apache httpd in Red Hat products and will only affect customers who have removed the "AddDefaultCharset" directive. 
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-2168

Statement CVE-2008-2310:

Not vulnerable.  This issue does not affect the version of c++filt as shipped with binutils in Red Hat Enterprise Linux 3 or 4.  Although this bug is present in the version of c++filt as shipped with binutils in Red Hat Enterprise Linux 5, the format string protection from FORTIFY_SOURCE makes this unexploitable.

Statement CVE-2008-2316:

Not vulnerable. This issue did not affect the versions of python as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.  The affected module was only introduced upstream in python 2.5.

Statement CVE-2008-2357:

This issue does not affect the versions of mtr as shipped with Red Hat Enterprise Linux 4 or 5.

For Red Hat Enterprise Linux 2.1 and 3, this issue can only be exploited if an attacker can convince a victim to use mtr to trace the path to or via an IP for which the attacker controls the PTR DNS records. Additionally, the victim must run mtr in "split mode" by providing the -p or --split command line options.  The Red Hat Security Response Team has therefore rated this issue as having low security impact; a future update may address this flaw.

Statement CVE-2008-2358:

This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and Red Hat Enterprise MRG.

It was addressed in Red Hat Enterprise Linux 5 via: https://rhn.redhat.com/errata/RHSA-2008-0519.html

Statement CVE-2008-2363:

Not vulnerable. This issue did not affect the versions of pan as shipped with Red Hat Enterprise Linux 2.1.  No other versions of Red Hat Enterprise Linux have shipped Pan.

Statement CVE-2008-2364:

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-2364

The Red Hat Security Response Team has rated this issue as having moderate security impact; a future update may address this flaw.  More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/

Statement CVE-2008-2371:

Not vulnerable. This issue did not affect the versions of PCRE as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2008-2377:

Not vulnerable. This issue did not affect the versions of gnutls as shipped with Red Hat Enterprise Linux 4, or 5.

Statement CVE-2008-2382:

Not vulnerable. This issue did not affect the version of the Xen package as shipped with Red Hat Enterprise Linux 5.

Statement CVE-2008-2420:

Not vulnerable. OCSP protocol support was only implemented in upstream stunnel version 4.16.  Therefore the OCSP protocol is not available in the versions of stunnel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2008-2476:

Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5 or Red Hat Enterprise MRG.

Statement CVE-2008-2665:

We do not consider these to be security issues.  For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php

Statement CVE-2008-2666:

We do not consider these to be security issues.  For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php

Statement CVE-2008-2711:

This issue was addressed in fetchmail packages as shipped in Red Hat Enterprise Linux 3, 4, and 5 via:

https://rhn.redhat.com/errata/RHSA-2009-1427.html

Statement CVE-2008-2719:

Not vulnerable. These issues did not affect the versions of NASM as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2008-2750:

Not vulnerable. This issue did not affect versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2008-2827:

Not vulnerable. This issue did not affect the versions of perl as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5, Red Hat Application Stack 1, or Solaris versions of Red Hat Directory Server 7.1 and 8, Certificate System 7.x.

Statement CVE-2008-2829:

Not vulnerable. This issue did not affect the versions of PHP as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.  For more details see:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-2829

Statement CVE-2008-2841:

Not vulnerable. This issue did not affect the versions of XChat as shipped with Red Hat Enterprise Linux.

Statement CVE-2008-2931:

This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and Red Hat Enterprise MRG.

It was addressed in Red Hat Enterprise Linux 5 via: https://rhn.redhat.com/errata/RHSA-2008-0885.html

Statement CVE-2008-2934:

Not vulnerable. This issue did not affect the versions of firefox as shipped with Red Hat Enterprise Linux 4, or 5.

Statement CVE-2008-2937:

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=456347

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.  More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/

Statement CVE-2008-2939:

This issue was addressed in all affected httpd versions as shipped in Red Hat Enterprise Linux 3, 4, and 5 via: https://rhn.redhat.com/errata/RHSA-2008-0967.html

This issue is tracked via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-2939

The Red Hat Security Response Team has rated this issue as having low security impact, future updates may address this flaw in other affected products (such as Red Hat Application Stack).

Statement CVE-2008-2950:

Not vulnerable. This issue did not affect the versions of poppler as shipped with Red Hat Enterprise Linux 5, or other PDF parsing applications derived from the xpdf code as shipped in Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2008-3064:

According to RealNetworks this flaw does not affect the Linux version of RealPlayer.

Statement CVE-2008-3066:

According to RealNetworks this issue does not affect the Linux version of RealPlayer.

Statement CVE-2008-3067:

Not vulnerable. This issue did not affect the versions of sudo as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2008-3076:

Not vulnerable. This issue did not affect the versions of the Vim packages, as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5.

Note: This CVE is mentioned in the text of RHSA-2008:0580 (https://rhn.redhat.com/errata/RHSA-2008-0580.html), as it was originally used to track multiple issues.  Issues that affected Vim packages in Red Hat Enterprise Linux 5 were later assigned a separate CVE identifier, CVE-2008-6235.  Neither of the issues currently covered by CVE-2008-3076 (insufficient shell escaping in the mz and mc commands) affected Vim packages shipped with Red Hat Enterprise Linux 5.

Statement CVE-2008-3077:

Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2008-3137:

The affected versions of Wireshark as shipped in Red Hat Enterprise Linux 3, 4, and 5 were fixed via: https://rhn.redhat.com/errata/RHSA-2008-0890.html
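
The NVD clarification for CVE-2008-0053 above argues for AC:M and C:P/I:P/A:P because the CUPS filter runs unprivileged. The following is an added example, not part of the Red Hat statement or of CUPS: a CVSS v2 base-score calculator using the public CVSS v2 equations and metric weights, applied to the clarified vector and, for comparison, to a hypothetical vector assuming the filter ran as root (AC:L, C:C/I:C/A:C). The AV:N and Au:N metrics are assumptions; the statement only argues the AC and impact metrics.

```python
"""CVSS v2 base-score calculator (added example, not code from the page).

Equations and metric weights are those published in the CVSS v2 guide.
"""
import math

# Metric weights from the CVSS v2 specification.
WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},    # access vector
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},     # access complexity
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},    # authentication
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},     # confidentiality impact
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},     # integrity impact
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},     # availability impact
}

# Vector per the NVD clarification; AV:N and Au:N are assumed here.
REDHAT_VECTOR = "AV:N/AC:M/Au:N/C:P/I:P/A:P"
# Hypothetical vector if the print filter ran as root (assumption for comparison).
ROOT_FILTER_VECTOR = "AV:N/AC:L/Au:N/C:C/I:C/A:C"


def parse_vector(vector):
    """Split 'AV:N/AC:M/...' into a dict, rejecting unknown or missing metrics."""
    metrics = {}
    for part in vector.split("/"):
        name, _, value = part.partition(":")
        if name not in WEIGHTS or value not in WEIGHTS[name]:
            raise ValueError(f"bad CVSS v2 metric {part!r}")
        metrics[name] = value
    missing = set(WEIGHTS) - set(metrics)
    if missing:
        raise ValueError(f"missing metrics: {sorted(missing)}")
    return metrics


def round1(x):
    """CVSS v2 rounds half up to one decimal; Python's round() is banker's rounding."""
    return math.floor(x * 10 + 0.5) / 10


def impact_score(metrics):
    c = WEIGHTS["C"][metrics["C"]]
    i = WEIGHTS["I"][metrics["I"]]
    a = WEIGHTS["A"][metrics["A"]]
    return 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))


def exploitability_score(metrics):
    return 20 * WEIGHTS["AV"][metrics["AV"]] * WEIGHTS["AC"][metrics["AC"]] * WEIGHTS["Au"][metrics["Au"]]


def cvss2_base_score(vector):
    """Base score = round1(((0.6 * Impact) + (0.4 * Exploitability) - 1.5) * f(Impact))."""
    metrics = parse_vector(vector)
    impact = impact_score(metrics)
    exploitability = exploitability_score(metrics)
    f_impact = 0.0 if impact == 0 else 1.176
    return round1(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact)


def compare(before, after):
    """Return (before_score, after_score, difference) for two vectors."""
    b, a = cvss2_base_score(before), cvss2_base_score(after)
    return b, a, round1(b - a)


if __name__ == "__main__":
    root, clarified, delta = compare(ROOT_FILTER_VECTOR, REDHAT_VECTOR)
    print(f"filter as root  {ROOT_FILTER_VECTOR}: {root}")
    print(f"NVD clarified   {REDHAT_VECTOR}: {clarified}")
    print(f"difference: {delta}")
```

Running the block shows why the clarification matters for prioritisation: the unprivileged-filter vector scores 6.8, whereas the same flaw scored as if the filter ran as root would be 10.0.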

Comment 12 Vincent Danen 2010-05-07 00:13:47 UTC
Statement CVE-2008-3138:

The affected versions of Wireshark as shipped in Red Hat Enterprise Linux 3, 4, and 5 were fixed via: https://rhn.redhat.com/errata/RHSA-2008-0890.html

Statement CVE-2008-3139:

Not vulnerable. This issue did not affect the versions of wireshark as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2008-3140:

Not vulnerable. This issue did not affect the versions of wireshark as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2008-3141:

The affected versions of Wireshark as shipped in Red Hat Enterprise Linux 3, 4, and 5 were fixed via: https://rhn.redhat.com/errata/RHSA-2008-0890.html

Statement CVE-2008-3145:

The affected versions of Wireshark as shipped in Red Hat Enterprise Linux 3, 4, and 5 were fixed via: https://rhn.redhat.com/errata/RHSA-2008-0890.html

Statement CVE-2008-3196:

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-3196

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.

Statement CVE-2008-3214:

Not vulnerable. This issue did not affect the version of dnsmasq as shipped with Red Hat Enterprise Linux 5.

Statement CVE-2008-3234:

Upon investigating this issue, the Red Hat Security Response Team has determined that this is not a vulnerability.  The ability to specify a desired role when connecting to OpenSSH is a feature of how OpenSSH interacts with SELinux.  Users can only assign themselves SELinux roles which they have permission to access.  They cannot assign themselves arbitrary roles.

Statement CVE-2008-3247:

Not vulnerable. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5 or Red Hat Enterprise MRG.

Statement CVE-2008-3259:

Not vulnerable. This issue did not affect the versions of openssh as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2008-3294:

This issue can only be exploited during the package build and it does not affect users of pre-built packages distributed with Red Hat Enterprise Linux. Therefore, we do not plan to backport a fix for this issue to the already released versions of Red Hat Enterprise Linux 2.1, 3, 4, and 5.

Statement CVE-2008-3329:

Not vulnerable. This issue did not affect the versions of links as shipped with Red Hat Enterprise Linux 2.1, and versions of elinks as shipped with Red Hat Enterprise Linux 3, 4, or 5. Versions of links / elinks shipped do not support "only proxies" feature.

Statement CVE-2008-3350:

Not vulnerable. These issues did not affect the version of dnsmasq as shipped with Red Hat Enterprise Linux 5.

Statement CVE-2008-3437:

Not vulnerable. This issue did not affect the versions of OpenOffice.org as shipped with Red Hat Enterprise Linux 3, 4, or 5. The updated Red Hat Enterprise Linux packages are not distributed via the openoffice.org update service, but rather via Red Hat Network, using the package manager capabilities to verify authenticity of updates.

Statement CVE-2008-3440:

Not vulnerable. This issue did not affect the versions of Sun Java packages as shipped with Red Hat Enterprise Linux 4 Extras, or 5 Supplementary. The updated Red Hat Enterprise Linux packages are not distributed via the java.sun.com update service (which is only used for Windows version of Sun Java), but rather via Red Hat Network, using the package manager capabilities to verify authenticity of updates.

Statement CVE-2008-3444:

Red Hat does not consider this flaw a security issue. This flaw is not exploitable beyond causing the web browser to crash.

Statement CVE-2008-3493:

This flaw does not affect the Linux version of RealVNC as shipped in Red Hat Enterprise Linux.

Statement CVE-2008-3496:

Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5 or Red Hat Enterprise MRG.

The uvcvideo driver was first added in kernel packages update RHSA-2009:0225 in Red Hat Enterprise Linux 5.3, and it already contained a fix for this flaw.

Statement CVE-2008-3526:

This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5.

It was addressed in Red Hat Enterprise MRG for RHEL-5 via: https://rhn.redhat.com/errata/RHSA-2008-0857.html

Statement CVE-2008-3527:

This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and Red Hat Enterprise MRG.

It was addressed in Red Hat Enterprise Linux 5 via: https://rhn.redhat.com/errata/RHSA-2008-0957.html

Statement CVE-2008-3533:

This issue does not affect the versions of the yelp package, as shipped with Red Hat Enterprise Linux 3, 4 and 5.

Statement CVE-2008-3534:

This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5.

It was addressed in Red Hat Enterprise MRG for RHEL-5 via: https://rhn.redhat.com/errata/RHSA-2008-0857.html

Statement CVE-2008-3535:

This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5.

It was addressed in Red Hat Enterprise MRG for RHEL-5 via: https://rhn.redhat.com/errata/RHSA-2008-0857.html

Statement CVE-2008-3658:

This issue has been addressed in the affected versions of PHP packages shipped in Red Hat Enterprise Linux via advisories listed on the following page: https://rhn.redhat.com/errata/CVE-2008-3658.html

Statement CVE-2008-3659:

The PHP interpreter does not offer a reliable "sandboxed" security layer (as found in, say, a JVM) in which untrusted scripts can be run; any script run by the PHP interpreter must be trusted with the privileges of the interpreter itself.  We therefore do not classify this issue as security-sensitive since no trust boundary is crossed.

Statement CVE-2008-3663:

This issue has been fixed in the affected Red Hat Enterprise Linux versions via: https://rhn.redhat.com/errata/RHSA-2009-0010.html

Statement CVE-2008-3686:

Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5 or Red Hat Enterprise MRG.

Statement CVE-2008-3687:

Not vulnerable. This issue did not affect the version of Xen hypervisor as shipped with Red Hat Enterprise Linux 5, as it does not support XSM.

Statement CVE-2008-3746:

Not vulnerable. This issue did not affect the versions of neon as shipped with Red Hat Enterprise Linux 4, or 5.

Statement CVE-2008-3789:

Not vulnerable. This issue did not affect the versions of samba as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2008-3792:

This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5.

It was addressed in Red Hat Enterprise MRG for RHEL-5 via: https://rhn.redhat.com/errata/RHSA-2008-0857.html

Statement CVE-2008-3825:

This issue did not affect the version of pam_krb5 shipped in Red Hat Enterprise Linux 2.1, 3, or 4.

Statement CVE-2008-3832:

Not vulnerable. This issue did not affect the version of utrace as shipped with the Red Hat Enterprise Linux 5 kernel.

Statement CVE-2008-3833:

This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and Red Hat Enterprise MRG.

It was addressed in Red Hat Enterprise Linux 5 via: https://rhn.redhat.com/errata/RHSA-2008-0957.html

Statement CVE-2008-3889:

Not vulnerable. This issue did not affect the versions of Postfix as shipped with Red Hat Enterprise Linux 3, 4, or 5.

Statement CVE-2008-3895:

Red Hat does not consider this to be a security issue.  Since these operations can only be executed by root, no trust boundary is crossed as a result of this behaviour.

Statement CVE-2008-3896:

Red Hat does not consider this to be a security issue.  Since these operations can only be executed by root, no trust boundary is crossed as a result of this behaviour.

Statement CVE-2008-3911:

Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5 or Red Hat Enterprise MRG.

Statement CVE-2008-3915:

This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5.

It was addressed in Red Hat Enterprise MRG for RHEL-5 via: https://rhn.redhat.com/errata/RHSA-2008-0857.html

Statement CVE-2008-3949:

Not vulnerable. This issue did not affect the versions of the emacs package, as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2008-3963:

This issue did not affect MySQL as supplied with Red Hat Enterprise Linux 3 or 4.

This issue was addressed for Red Hat Enterprise Linux 5 and Red Hat Application Stack v2 via:
https://rhn.redhat.com/cve/CVE-2008-3963.html

Statement CVE-2008-3964:

Not vulnerable. These issues did not affect the versions of libpng as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2008-4098:

This issue was addressed in Red Hat Enterprise Linux 4 via https://rhn.redhat.com/errata/RHSA-2010-0110.html and in Red Hat Application Stack v2 via https://rhn.redhat.com/errata/RHSA-2009-1067.html .

In Red Hat Enterprise Linux 5, issue CVE-2008-2079 was fixed without introducing CVE-2008-4098 in https://rhn.redhat.com/errata/RHSA-2009-1289.html .

Statement CVE-2008-4107:

The risks associated with fixing this bug are greater than the security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 2.1, 3, 4, or 5.

For more information please see our bug for this issue:
https://bugzilla.redhat.com/show_bug.cgi?id=462772

Statement CVE-2008-4108:

Not vulnerable. This issue did not affect the versions of python as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2008-4109:

Not vulnerable.  The patch used to fix CVE-2006-5051 in Red Hat Enterprise Linux 2.1, 3, 4, and 5 was complete and does not suffer from this problem.

Statement CVE-2008-4113:

This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5.

It was addressed in Red Hat Enterprise MRG for RHEL-5 via:  https://rhn.redhat.com/errata/RHSA-2008-0857.html

Statement CVE-2008-4163:

Not vulnerable.  This flaw does not affect the version of BIND as shipped in Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2008-4190:

This issue has been addressed via: https://rhn.redhat.com/errata/RHSA-2009-0402.html

Statement CVE-2008-4191:

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/show_bug.cgi?id=460435

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/

Statement CVE-2008-4192:

(none)

Statement CVE-2008-4212:

Not vulnerable. This issue did not affect the versions of rsh-server packages as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

The glibc ruserok function is used to check users' authorization against rhosts files.  That implementation of ruserok never opens /etc/hosts.equiv for the superuser.

Statement CVE-2008-4302:

This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and Red Hat Enterprise MRG.

It was addressed in Red Hat Enterprise Linux 5 via: https://rhn.redhat.com/errata/RHSA-2008-0957.html

Statement CVE-2008-4314:

Not vulnerable. This issue did not affect the versions of Samba as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2008-4382:

We do not consider a crash of a client application such as Konqueror to be a security issue.

Statement CVE-2008-4395:

Not vulnerable. ndiswrapper is not shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5 or Red Hat Enterprise MRG.

Statement CVE-2008-4409:

Not vulnerable. This issue did not affect the versions of libxml2 as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2008-4410:

Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5 or Red Hat Enterprise MRG.

Statement CVE-2008-4445:

This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5.

It was addressed in Red Hat Enterprise MRG for RHEL-5 via: https://rhn.redhat.com/errata/RHSA-2008-0857.html

Statement CVE-2008-4456:

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-4456

This issue was addressed for Red Hat Enterprise Linux 5 by https://rhn.redhat.com/errata/RHSA-2009-1289.html and Red Hat Enterprise Linux 4 by https://rhn.redhat.com/errata/RHSA-2010-0110.html .

The Red Hat Security Response Team has rated this issue as having low security impact, future MySQL package updates may address this flaw for Red Hat Enterprise Linux 3, and Red Hat Application Stack 2.

Statement CVE-2008-4474:

Not vulnerable. This issue did not affect the versions of freeradius as shipped with Red Hat Enterprise Linux 3, 4, or 5.

Statement CVE-2008-4482:

Not Vulnerable. Red Hat Enterprise MRG does not use Xerces-C++ in a manner that is vulnerable to this flaw.

Statement CVE-2008-4514:

We do not consider a crash of a client application such as Konqueror to be a security issue.

Statement CVE-2008-4552:

This issue affected Red Hat Enterprise Linux 5 and was addressed by
https://rhn.redhat.com/errata/RHSA-2009-1321.html

Statement CVE-2008-4578:

The risks associated with fixing this bug are greater than the low severity security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 5.

Statement CVE-2008-4580:

Manual fencing agent is documented to only be provided for testing purposes and should not be used in production environments. Therefore, there is no plan to fix this flaw in Red Hat Cluster Suite for Red Hat Enterprise Linux 4, and in Red Hat Enterprise Linux 5.

Statement CVE-2008-4609:

The attacks reported by Outpost24 AB target the design limitations of the TCP protocol. Due to upstream's decision not to release updates, Red Hat does not plan to release updates to resolve these issues; however, the effects of these attacks can be reduced via the mitigation methods described in http://kbase.redhat.com/faq/docs/DOC-18730.

Statement CVE-2008-4618:

The versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5 were not affected by this issue.

This issue only affected the version of Linux kernel as shipped with Red Hat Enterprise MRG and was addressed via: https://rhn.redhat.com/errata/RHSA-2009-0009.html

Statement CVE-2008-4677:

Not vulnerable. This issue did not affect the versions of vim as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2008-4680:

This issue has been addressed in Wireshark packages as shipped in Red Hat Enterprise Linux 3, 4 and 5 via: https://rhn.redhat.com/errata/RHSA-2009-0313.html

Statement CVE-2008-4681:

This issue has been addressed in Wireshark packages as shipped in Red Hat Enterprise Linux 3, 4 and 5 via: https://rhn.redhat.com/errata/RHSA-2009-0313.html

Statement CVE-2008-4682:

This issue has been addressed in Wireshark packages as shipped in Red Hat Enterprise Linux 3, 4 and 5 via: https://rhn.redhat.com/errata/RHSA-2009-0313.html

Statement CVE-2008-4683:

This issue has been addressed in Wireshark packages as shipped in Red Hat Enterprise Linux 3, 4 and 5 via: https://rhn.redhat.com/errata/RHSA-2009-0313.html

Statement CVE-2008-4684:

This issue has been addressed in Wireshark packages as shipped in Red Hat Enterprise Linux 3, 4 and 5 via: https://rhn.redhat.com/errata/RHSA-2009-0313.html

Statement CVE-2008-4685:

This issue has been addressed in Wireshark packages as shipped in Red Hat Enterprise Linux 3, 4 and 5 via: https://rhn.redhat.com/errata/RHSA-2009-0313.html

Statement CVE-2008-4723:

Red Hat does not consider this to be a security flaw.  Firefox is handling the ftp:// URL as expected.

Statement CVE-2008-4799:

This issue can only cause pamperspective to crash when used on specially crafted messages.  We do not consider this to be a security issue.

Statement CVE-2008-4865:

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-4865

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/

Statement CVE-2008-4907:

Not vulnerable. This issue did not affect the versions of the dovecot package, as shipped with Red Hat Enterprise Linux 4 or 5.

Statement CVE-2008-4936:

Not vulnerable. This issue did not affect the versions of mgetty as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5, as they include a patch that resolves this issue.

Statement CVE-2008-4937:

Not vulnerable. This issue did not affect the versions of OpenOffice.org as shipped with Red Hat Enterprise Linux 3, 4, or 5.

Statement CVE-2008-4977:

Not vulnerable. This issue did not affect the versions of postfix as shipped with Red Hat Enterprise Linux 3, 4, or 5. The mentioned script is not part of the official postfix distribution and is not included in Red Hat Enterprise Linux postfix packages.

Statement CVE-2008-5006:

The affected code is not used by any application shipped in Red Hat Enterprise Linux 2.1, 3, 4, and 5.  The impact of this flaw is limited to a crash of the applications connecting to a misbehaving SMTP server.  For those reasons, there is currently no plan to include the fix in the imap packages as shipped in Red Hat Enterprise Linux 2.1 and 3, and the libc-client packages as shipped in Red Hat Enterprise Linux 4 and 5.

Statement CVE-2008-5033:

Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5 or Red Hat Enterprise MRG.

Statement CVE-2008-5134:

This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

The issue was addressed in the Linux kernel packages as shipped with Red Hat Enterprise MRG via: https://rhn.redhat.com/errata/RHSA-2009-0053.html

Statement CVE-2008-5161:

This issue was addressed for Red Hat Enterprise Linux 5 by
https://rhn.redhat.com/errata/RHSA-2009-1287.html

After reviewing the upstream fix for this issue, Red Hat does not intend to address this flaw in Red Hat Enterprise Linux 3 or 4 at this time. 

Statement CVE-2008-5184:

Not vulnerable. This issue did not affect the versions of CUPS as shipped with Red Hat Enterprise Linux 3, 4, or 5. Versions shipped do not support RSS subscriptions.

Statement CVE-2008-5187:

Not vulnerable. This issue does not affect the versions of imlib as shipped with Red Hat Enterprise Linux 2.1, 3, or 4.

Statement CVE-2008-5285:

This issue has been addressed in Wireshark packages as shipped in Red Hat Enterprise Linux 3, 4 and 5 via: https://rhn.redhat.com/errata/RHSA-2009-0313.html

Statement CVE-2008-5301:

Not vulnerable. This issue did not affect the versions of dovecot as shipped with Red Hat Enterprise Linux 4, or 5.  Those packages do not include ManageSieve server.

Statement CVE-2008-5302:

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-5302

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ 

Statement CVE-2008-5303:

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-5303

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ 

Statement CVE-2008-5374:

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-5374

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/

Statement CVE-2008-5377:

Not vulnerable. This issue did not affect the versions of CUPS as shipped with Red Hat Enterprise Linux 3, 4, or 5.

The affected script is not part of the upstream CUPS distribution, but rather an addition used by Debian-based distributions (and possibly others).

CUPS packages as shipped in Red Hat Enterprise Linux 5 also provide a pstopdf filter.  However, that filter is different from the one used in Debian-based distributions, and is unaffected by this flaw.

Additionally, all filters used by CUPS on all versions of Red Hat Enterprise Linux are run under an unprivileged "lp" user, making the root privilege escalation mentioned in the published exploit impossible.

Statement CVE-2008-5393:

Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5 or Red Hat Enterprise MRG. It only affected the Ubuntu Privacy Remix (UPR) kernel.

Statement CVE-2008-5394:

Not vulnerable. This issue did not affect the versions of the util-linux packages (providing /bin/login), as shipped with Red Hat Enterprise Linux 2.1, 3, 4 or 5.

Statement CVE-2008-5395:

Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5 or Red Hat Enterprise MRG. Red Hat does not provide support for the Linux kernel on the PA-RISC architecture.

Statement CVE-2008-5514:

Not vulnerable. This issue did not affect the versions of imap as shipped with Red Hat Enterprise Linux 2.1 and 3, and the versions of libc-client as shipped with Red Hat Enterprise Linux 4 and 5.

Statement CVE-2008-5617:

Not vulnerable. This issue did not affect the version of the rsyslog package, as shipped with Red Hat Enterprise Linux 5.

Statement CVE-2008-5618:

Not vulnerable. This issue did not affect the version of the rsyslog package, as shipped with Red Hat Enterprise Linux 5.

Statement CVE-2008-5624:

We do not consider these to be security issues. For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php

Statement CVE-2008-5625:

We do not consider this to be a security issue. For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php

Statement CVE-2008-5658:

This issue did not affect PHP versions as shipped in Red Hat Enterprise Linux 2.1, 3, 4, and 5, and Red Hat Application Stack v1. PHP version in Red Hat Application Stack v2 was fixed via: https://rhn.redhat.com/errata/RHSA-2009-0350.html

Statement CVE-2008-5698:

Red Hat does not consider a crash of a client application such as Konqueror to be a security issue.

Statement CVE-2008-5701:

Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5 or Red Hat Enterprise MRG. Red Hat does not provide support for the Linux kernel on the MIPS architecture.

Statement CVE-2008-5712:

Red Hat does not consider a crash of a client application such as Konqueror to be a security issue.

Statement CVE-2008-5713:

This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and Red Hat Enterprise MRG.  It was addressed in Red Hat Enterprise Linux 5 via: https://rhn.redhat.com/errata/RHSA-2009-0264.html

Statement CVE-2008-5714:

Not vulnerable. This issue did not affect the versions of Xen as shipped with Red Hat Enterprise Linux 5.

Statement CVE-2008-5715:

Red Hat does not consider a crash of a client application such as Firefox to be a security issue.

Statement CVE-2008-5716:

Not vulnerable. This issue did not affect the versions of Xen as shipped with Red Hat Enterprise Linux 5.  The security update released to address CVE-2008-4405 - https://rhn.redhat.com/errata/RHSA-2009-0003.html - contained a correct patch which did not introduce this problem and resolved the original issue.

Statement CVE-2008-5822:

Red Hat does not consider a crash of a client application such as Firefox to be a security issue.

Statement CVE-2008-5824:

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=479966

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/

Statement CVE-2008-5844:

Not vulnerable.  This issue did not affect the versions of the php package, as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5, and with Red Hat Application Stack v1 and v2.  Only PHP version 5.2.7 was affected by this flaw.

Statement CVE-2008-5907:

Red Hat does not consider this bug to be a security issue. For a more detailed explanation, please see the following bug:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-5907

Statement CVE-2008-6107:

Not vulnerable. Red Hat Enterprise Linux 2.1, 3, 4, and 5 do not ship for the SPARC architecture.

Statement CVE-2008-6560:

Red Hat does not consider this to be a security issue. The misbehaviour of CMAN is triggered by a corrupted / specially crafted cluster.conf configuration file. The ability to edit this file is restricted to the system administrator, therefore no privilege boundary is crossed.

Statement CVE-2008-7002:

This is not a security issue.  For further details, see: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-7002#c7

Statement CVE-2008-7068:

This is not a security issue. A user with read and write access to a file can reasonably be expected to manipulate the contents of the file, including truncating it. Instead of using dba_replace(), a user could simply fopen() the file in write mode, which provides the same end-result.

Statement CVE-2008-7159:

Not vulnerable. This issue did not affect the versions of libsilc as shipped with Red Hat Enterprise Linux 4, or 5.

Statement CVE-2008-7160:

Not vulnerable. This issue did not affect the versions of libsilc as shipped with Red Hat Enterprise Linux 4, or 5.

Statement CVE-2008-7177:

Not vulnerable. This issue did not affect the versions of nasm as shipped with Red Hat Enterprise Linux 3, 4, or 5.

Statement CVE-2008-7247:

Not vulnerable. This issue did not affect the versions of mysql as shipped with Red Hat Enterprise Linux 3, 4, or 5.

Comment 13 Vincent Danen 2010-05-07 05:20:53 UTC
Statement CVE-2009-0022:

Not vulnerable. This issue did not affect the versions of samba as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2009-0024:

Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5 and Red Hat Enterprise MRG.

Statement CVE-2009-0029:

This flaw affects most 64-bit architectures, including IBM S/390 and 64-bit PowerPC, but it does not affect x86_64 or Intel Itanium. The risks associated with fixing this flaw are greater than the security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 3, 4, or 5. Red Hat Enterprise MRG is not affected as it is not supported on 64-bit architectures other than x86_64.

Statement CVE-2009-0032:

Not vulnerable. Red Hat does not ship the vulnerable backend that causes this flaw.

Statement CVE-2009-0071:

Red Hat does not consider a crash of a client application such as Firefox to be a security issue.

Statement CVE-2009-0122:

Not vulnerable. This issue did not affect the versions of hplip as shipped with Red Hat Enterprise Linux 5.

Statement CVE-2009-0127:

Red Hat does not consider this to be a security issue.  M2Crypto provides python interfaces to multiple OpenSSL functions.  Neither of those interfaces is further used by M2Crypto in an insecure way.  Additionally, no application shipped in Red Hat Enterprise Linux is known to use affected interfaces provided by M2Crypto.

Further details can be found in the following bug report: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-0127#c1

Statement CVE-2009-0179:

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2009-0179

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/

Statement CVE-2009-0241:

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2009-0241

The Red Hat Security Response Team has rated this issue as having moderate security impact, a future update of Red Hat HPC Solution may address this flaw.  More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/

Statement CVE-2009-0242:

Red Hat does not consider this to be a security issue.  For more information, please see the following bug:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-0242

Statement CVE-2009-0259:

This issue can only result in an OpenOffice.org crash, not allowing arbitrary code execution.  Red Hat does not consider a crash of a client application such as OpenOffice.org to be a security issue.

Statement CVE-2009-0265:

Not vulnerable. This issue did not affect the versions of BIND as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2009-0282:

Not vulnerable. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5, and Red Hat Enterprise MRG.

Statement CVE-2009-0360:

Not vulnerable. This issue did not affect the versions of the pam_krb5 package, as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2009-0361:

Not vulnerable. This issue did not affect the versions of the pam_krb5 package, as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2009-0478:

Not vulnerable. This issue did not affect the version of Squid as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2009-0579:

Not vulnerable. This issue did not affect the versions of pam as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.  Only PAM versions 1.x were affected.

Statement CVE-2009-0590:

This issue was fixed in openssl packages in Red Hat Enterprise Linux 5 via: https://rhn.redhat.com/errata/RHSA-2009-1335.html

This issue was fixed in openssl packages in Red Hat Enterprise Linux 3 and 4 via: https://rhn.redhat.com/errata/RHSA-2010-0163.html

Statement CVE-2009-0591:

Not vulnerable. This issue affected OpenSSL CMS functionality which is not present in the openssl packages as shipped with Red Hat Enterprise Linux 2.1, 3, 4 or 5. 

Statement CVE-2009-0601:

Red Hat does not consider this to be a security issue.  For further details, see: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-0601#c3

Statement CVE-2009-0605:

Not vulnerable. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5, or Red Hat Enterprise MRG.

Statement CVE-2009-0653:

Not vulnerable. This issue was addressed in upstream OpenSSL prior to 0.9.6 and therefore does not affect the versions of OpenSSL as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2009-0671:

Disputed: The Red Hat Security Response Team have been unable to confirm the existence of this format string vulnerability in the toolkit, and the sample published exploit is not complete or functional.

Statement CVE-2009-0675:

This issue did not affect the version of Linux kernel as shipped with Red Hat Enterprise Linux 4 as the affected driver is not enabled in these kernels by default. The affected driver is enabled by default in Red Hat Enterprise Linux 2.1, 3, 5, and Red Hat Enterprise MRG.

It was addressed in Red Hat Enterprise Linux 5 via https://rhn.redhat.com/errata/RHSA-2009-0326.html and Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2009-0360.html .

As Red Hat Enterprise Linux 2.1 and 3 are now in Production 3 of their maintenance life-cycle, http://www.redhat.com/security/updates/errata, and this issue has been rated as having moderate impact, the fix for this issue is not currently planned to be included in future updates.

Statement CVE-2009-0688:

The upstream fix for this issue is not backwards compatible and introduces an ABI change not allowed in Red Hat Enterprise Linux.  Therefore, there is no plan to address this problem directly in cyrus-sasl packages.

All applications shipped in Red Hat Enterprise Linux and using the affected sasl_encode64() function were investigated and patched if their use of the function could have security consequences.  See the following bug report for further details: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-0688#c20

Statement CVE-2009-0692:

This issue affected the dhcp packages as shipped with Red Hat Enterprise Linux 3 and 4. Updated packages to correct this issue are available via Red Hat Network:

https://rhn.redhat.com/errata/CVE-2009-0692.html

This issue did not affect the dhcp packages as shipped with Red Hat Enterprise Linux 5 due to the use of the FORTIFY_SOURCE protection mechanism, which changes the exploitability of the issue into a controlled application termination.

Statement CVE-2009-0745:

This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and Red Hat Enterprise MRG. 

This issue was addressed in Red Hat Enterprise Linux 5 by
https://rhn.redhat.com/errata/RHSA-2009-1243.html

Statement CVE-2009-0746:

This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and Red Hat Enterprise MRG. 

This issue was addressed in Red Hat Enterprise Linux 5 by
https://rhn.redhat.com/errata/RHSA-2009-1243.html

Statement CVE-2009-0747:

This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and Red Hat Enterprise MRG. 

This issue was addressed in Red Hat Enterprise Linux 5 by
https://rhn.redhat.com/errata/RHSA-2009-1243.html

Statement CVE-2009-0748:

This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and Red Hat Enterprise MRG.

This issue was addressed in Red Hat Enterprise Linux 5 by
https://rhn.redhat.com/errata/RHSA-2009-1243.html

Statement CVE-2009-0755:

Not vulnerable.  This issue did not affect the versions of poppler, xpdf, gpdf and kdegraphics as shipped with Red Hat Enterprise Linux 3, 4, or 5.

Statement CVE-2009-0756:

This issue is a duplicate of CVE-2009-0166, which was addressed in affected products via the following updates: https://rhn.redhat.com/errata/CVE-2009-0166.html

Statement CVE-2009-0778:

This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and Red Hat Enterprise MRG.

It was addressed in Red Hat Enterprise Linux 5 via: https://rhn.redhat.com/errata/RHSA-2009-0326.html .

Statement CVE-2009-0781:

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2009-0781

The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/

Statement CVE-2009-0787:

This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and Red Hat Enterprise MRG.

It was addressed in Red Hat Enterprise Linux 5 via: https://rhn.redhat.com/errata/RHSA-2009-0473.html .

Statement CVE-2009-0789:

Not vulnerable. This issue only affects a small number of operating systems and does not affect the openssl packages as shipped with Red Hat Enterprise Linux 2.1, 3, 4 or 5.

Statement CVE-2009-0796:

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2009-0796

The Red Hat Security Response Team has rated this issue as having moderate security impact, a future mod_perl package update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ 

Statement CVE-2009-0819:

Not vulnerable. This issue did not affect the versions of mysql packages, as shipped with Red Hat Enterprise Linux 3, 4, or 5, and Red Hat Application Stack v2.

Statement CVE-2009-0835:

This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5.

It was addressed in Red Hat Enterprise MRG via: https://rhn.redhat.com/errata/RHSA-2009-0451.html .

Statement CVE-2009-0847:

Not vulnerable. This issue did not affect the versions of krb5 as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2009-0859:

Not vulnerable. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5, or Red Hat Enterprise MRG.

Statement CVE-2009-0922:

This issue has been addressed in Red Hat Enterprise Linux 4 and 5 via:
https://rhn.redhat.com/errata/RHSA-2009-1484.html
and in Red Hat Application Stack v2 via:
https://rhn.redhat.com/errata/RHSA-2009-1067.html

Statement CVE-2009-0935:

Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5, or Red Hat Enterprise MRG.

Statement CVE-2009-1046:

This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5.  It was addressed in Red Hat Enterprise MRG via: https://rhn.redhat.com/errata/RHSA-2009-0451.html

Statement CVE-2009-1072:

This issue has been rated as having moderate security impact. It was addressed in Red Hat Enterprise Linux 4, 5, and Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2009-1132.html, https://rhn.redhat.com/errata/RHSA-2009-1106.html, and https://rhn.redhat.com/errata/RHSA-2009-1081.html respectively.

This issue is not planned to be fixed in Red Hat Enterprise Linux 2.1 and 3, due to these products being in Production 3 of their maintenance life-cycles, where only qualified security errata of important or critical impact are addressed.

Statement CVE-2009-1185:

This issue has been fixed in Red Hat Enterprise Linux 5 via https://rhn.redhat.com/errata/RHSA-2009-0427.html .  udev packages as shipped in Red Hat Enterprise Linux 4 were not affected by this flaw, as they do not use netlink sockets for communication.  udev is not shipped in Red Hat Enterprise Linux 2.1 and 3.

Statement CVE-2009-1186:

Not vulnerable. This issue did not affect the versions of udev as shipped with Red Hat Enterprise Linux 4, or 5.

Statement CVE-2009-1214:

Red Hat does not consider this to be a security issue.  The affected file is supposed to be used to exchange information between local system users, therefore the open permissions are intentional.

Statement CVE-2009-1215:

Red Hat does not consider this to be a security issue.  The checks implemented by screen to protect against race condition attacks on the /tmp/screen-exchange file provide sufficient protection for this rarely-used buffer exchange feature.  For more details, see https://bugzilla.redhat.com/show_bug.cgi?id=492104

Statement CVE-2009-1232:

https://bugzilla.mozilla.org/show_bug.cgi?id=485941
Red Hat does not consider a user-assisted crash of a client application such as Firefox to be a security issue.

Statement CVE-2009-1242:

Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5 or Red Hat Enterprise MRG.

Statement CVE-2009-1243:

Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5 or Red Hat Enterprise MRG.

Statement CVE-2009-1265:

This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 4, 5, or Red Hat Enterprise MRG, as the affected driver is not enabled in these kernels.

The affected driver is available in Red Hat Enterprise Linux 3, but only if the kernel-unsupported package is installed.

This issue has been rated as having moderate security impact as it does not lead to a denial of service or privilege escalation. As Red Hat Enterprise Linux 3 is now in Production 3 of its maintenance life-cycle (http://www.redhat.com/security/updates/errata), and the affected driver can only be enabled when using the unsupported kernel-unsupported package, a fix for this issue is not currently planned to be included in future updates.

Statement CVE-2009-1267:

Not vulnerable. This issue did not affect the versions of wireshark as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Statement CVE-2009-1271:

This issue did not affect PHP versions as shipped in Red Hat Enterprise Linux 2.1, 3, 4, and 5, and Red Hat Application Stack v1. The PHP version in Red Hat Application Stack v2 was fixed via: https://rhn.redhat.com/errata/RHSA-2009-0350.html

Statement CVE-2009-1272:

Not vulnerable. This issue did not affect PHP versions as shipped in Red Hat Enterprise Linux 2.1, 3, 4, and 5, and Red Hat Application Stack v1 and v2. This problem was introduced in the fix for CVE-2008-5658. The patch for CVE-2008-5658 as used in Red Hat Application Stack v2 also includes the fix for this crash.

Statement CVE-2009-1284:

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2009-1284

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.

Statement CVE-2009-1296:

Not vulnerable. This issue did not affect the versions of ecryptfs-utils as shipped with Red Hat Enterprise Linux 5.  eCryptfs encrypted home directories are not set up during the system installation, so there is no possibility of leaking encryption passwords to the installation log file.

Statement CVE-2009-1298:

Not vulnerable. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5 and Red Hat Enterprise MRG as they did not include upstream commit 7c73a6fa that introduced the problem.

Statement CVE-2009-1338:

This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5. It was addressed in Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2009-1081.html .

Statement CVE-2009-1349:

This flaw was caused by a C2Net specific patch added to Apache http_log.c in Stronghold 2.3.

C2Net Stronghold 2.3 reached end of life for updates on October 31st 2000. 
http://www.awe.com/mark/history/stronghold.html

Statement CVE-2009-1360:

Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5, or Red Hat Enterprise MRG.

Statement CVE-2009-1377:

This issue did not affect versions of openssl as shipped in Red Hat Enterprise Linux 3 and 4. This issue was addressed for Red Hat Enterprise Linux 5 by http://rhn.redhat.com/errata/RHSA-2009-1335.html

Note that both the DTLS specification and OpenSSL's implementation are still in development and unlikely to be used in production environments.  There is no component shipped in Red Hat Enterprise Linux 5 using OpenSSL's DTLS implementation, except for OpenSSL's testing command line client - openssl.

Statement CVE-2009-1378:

This issue did not affect versions of openssl as shipped in Red Hat Enterprise Linux 3 and 4. This issue was addressed for Red Hat Enterprise Linux 5 by http://rhn.redhat.com/errata/RHSA-2009-1335.html

Note that both the DTLS specification and OpenSSL's implementation are still in development and unlikely to be used in production environments.  There is no component shipped in Red Hat Enterprise Linux 5 using OpenSSL's DTLS implementation, except for OpenSSL's testing command line client - openssl.

Statement CVE-2009-1379:

This issue did not affect versions of openssl as shipped in Red Hat Enterprise Linux 3 and 4. This issue was addressed for Red Hat Enterprise Linux 5 by http://rhn.redhat.com/errata/RHSA-2009-1335.html

Note that both the DTLS specification and OpenSSL's implementation are still in development and unlikely to be used in production environments.  There is no component shipped in Red Hat Enterprise Linux 5 using OpenSSL's DTLS implementation, except for OpenSSL's testing command line client - openssl.

Statement CVE-2009-1381:

Not vulnerable. This issue did not affect the versions of squirrelmail as shipped with Red Hat Enterprise Linux 3, 4, or 5.

Updates for squirrelmail released via RHSA-2009:1066 (https://rhn.redhat.com/errata/RHSA-2009-1066.html) fixed the original flaw, CVE-2009-1579, without introducing CVE-2009-1381.

Statement CVE-2009-1384:

This issue did not affect the versions of the pam_krb5 packages, as shipped with Red Hat Enterprise Linux 3 and 4. The issue was addressed in the pam_krb5 packages as shipped with Red Hat Enterprise Linux 5 via:
https://rhn.redhat.com/errata/RHSA-2010-0258.html

Statement CVE-2009-1388:

This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, and Red Hat Enterprise MRG.

It was addressed in Red Hat Enterprise Linux 5 via: https://rhn.redhat.com/errata/RHSA-2009-1193.html

Statement CVE-2009-1390:

Not vulnerable. This issue did not affect the versions of mutt as shipped with Red Hat Enterprise Linux 3, 4, or 5.  Only mutt version 1.5.19 was affected by this flaw.

Statement CVE-2009-1415:

Not vulnerable. This issue did not affect versions of gnutls shipped in Red Hat Enterprise Linux 4 and 5 as it only affected gnutls 2.6.x versions.

Statement CVE-2009-1416:

Not vulnerable. This issue did not affect versions of gnutls shipped in Red Hat Enterprise Linux 4 and 5 as it only affected gnutls 2.6.x versions.

Statement CVE-2009-1417:

The Red Hat Security Response Team has rated this issue as having low security impact. The risks associated with fixing this bug are greater than the low severity security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 4, or 5.

For further details, see: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-1417

Statement CVE-2009-1438:

The impact of this flaw is limited to application crash, not allowing code execution.  Red Hat does not consider a user-assisted crash of a client application such as media players using GStreamer framework to be a security issue.

For further details, see: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-1438

Statement CVE-2009-1490:

Based on our analysis this issue does not have a security consequence and does not lead to a buffer overflow or denial of service.  For more details of our technical evaluation see https://bugzilla.redhat.com/show_bug.cgi?id=499252#c18

Statement CVE-2009-1513:

Not vulnerable. This issue did not affect the versions of libmodplug embedded in gstreamer-plugins as shipped with Red Hat Enterprise Linux 3 and 4, as they do not include support for the PAT file type.

Statement CVE-2009-1527:

Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5, or Red Hat Enterprise MRG.

Statement CVE-2009-1572:

Not vulnerable. This issue did not affect the versions of zebra as shipped with Red Hat Enterprise Linux 2.1, and the versions of quagga as shipped with Red Hat Enterprise Linux 3, 4, or 5.

Statement CVE-2009-1630:

This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, and 3.

It was addressed in Red Hat Enterprise Linux 4, 5, and Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2009-1132.html, https://rhn.redhat.com/errata/RHSA-2009-1106.html, and https://rhn.redhat.com/errata/RHSA-2009-1157.html respectively.

Statement CVE-2009-1631:

Red Hat does not consider this to be a security issue. By default, user home directories are created with mode 0700 permissions, which would not expose the ~/.evolution/ directory regardless of its own permissions.

If a user intentionally relaxes permissions on their home directory, they should be auditing all files and directories in order to not expose unwanted files to other local users.

Statement CVE-2009-1633:

This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, and 3.

It was addressed in Red Hat Enterprise Linux 4, 5, and Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2009-1211.html, https://rhn.redhat.com/errata/RHSA-2009-1106.html, and https://rhn.redhat.com/errata/RHSA-2009-1157.html respectively.

Statement CVE-2009-1724:

Not vulnerable. This issue did not affect the versions of the kdelibs packages, as shipped with Red Hat Enterprise Linux 3, 4, or 5.

Statement CVE-2009-1725:

Not vulnerable. This issue did not affect the versions of the kdelibs packages, as shipped with Red Hat Enterprise Linux 3, 4, or 5.

Statement CVE-2009-1758:

This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, and Red Hat Enterprise MRG. It was addressed in Red Hat Enterprise Linux 4 and 5 via https://rhn.redhat.com/errata/RHSA-2009-1132.html and https://rhn.redhat.com/errata/RHSA-2009-1106.html respectively.

Statement CVE-2009-1883:

This issue did not affect kernel packages as shipped in Red Hat Enterprise Linux 5 and Red Hat Enterprise MRG 1.

It was addressed in Red Hat Enterprise Linux 4 via https://rhn.redhat.com/errata/RHSA-2009-1438.html .

This issue has been rated as having moderate security impact.

It is not planned to be fixed in Red Hat Enterprise Linux 3, due to this product being in Production 3 of its maintenance life-cycle, where only qualified security errata of important or critical impact are addressed.

For further information about Errata Support Policy, visit: http://www.redhat.com/security/updates/errata/

Statement CVE-2009-1885:

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2009-1885

The Red Hat Security Response Team has rated this issue as having low security impact; a future xerces-c packages update in Red Hat Enterprise MRG 1.1 may address this flaw.

Statement CVE-2009-1886:

Not vulnerable. This issue did not affect the versions of samba as shipped with Red Hat Enterprise Linux 3, 4, or 5.

Statement CVE-2009-1888:

This issue did not affect Red Hat Enterprise Linux 3.

It was addressed in Red Hat Enterprise Linux 4 and 5 via RHSA-2009:1529:
https://rhn.redhat.com/errata/RHSA-2009-1529.html

Statement CVE-2009-1892:

Not vulnerable.  Red Hat Enterprise Linux 3, 4, and 5 provide earlier versions of ISC DHCP which are not vulnerable to this issue.

Statement CVE-2009-1897:

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2009-1897

The flaw only affects the Red Hat Enterprise Linux 5.4 beta kernel, which includes a backport of the upstream bug fix introducing this flaw (git commit 33dccbb0). This issue did not affect the final released Red Hat Enterprise Linux 5.4 kernel.  It is also possible to mitigate this flaw by ensuring that the permissions for /dev/net/tun are restricted to root only.

This issue does not affect any other released kernel in any Red Hat product.

Statement CVE-2009-1914:

Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5 or Red Hat Enterprise MRG. Red Hat does not provide support for the Linux kernel on the SPARC64 architecture.

Statement CVE-2009-1961:

This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, and 5. It was addressed in Red Hat Enterprise MRG via: https://rhn.redhat.com/errata/RHSA-2009-1157.html

Statement CVE-2009-2042:

This issue has been addressed in Red Hat Enterprise Linux 3, 4, and 5 via https://rhn.redhat.com/errata/RHSA-2010-0534.html.

Statement CVE-2009-2139:

Not vulnerable. This issue did not affect the versions of openoffice.org and openoffice.org2 packages as shipped with Red Hat Enterprise Linux 3, 4, or 5.

Statement CVE-2009-2260:

Not vulnerable. This issue did not affect the versions of stardict as shipped with Red Hat Enterprise Linux 5.

Statement CVE-2009-2287:

Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, and 5, and Red Hat Enterprise MRG.

Statement CVE-2009-2406:

The Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, and Red Hat Enterprise MRG did not include support for eCryptfs, and therefore are not affected by this issue.

Red Hat Enterprise Linux 5 was vulnerable to this issue and was addressed via: https://rhn.redhat.com/errata/RHSA-2009-1193.html

Statement CVE-2009-2407:

The Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, and Red Hat Enterprise MRG did not include support for eCryptfs, and therefore are not affected by this issue.

Red Hat Enterprise Linux 5 was vulnerable to this issue and was addressed via: https://rhn.redhat.com/errata/RHSA-2009-1193.html

Statement CVE-2009-2446:

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2446

This issue was addressed for Red Hat Enterprise Linux 5 by https://rhn.redhat.com/errata/RHSA-2009-1289.html and Red Hat Enterprise Linux 4 by https://rhn.redhat.com/errata/RHSA-2010-0110.html

The Red Hat Security Response Team has rated this issue as having low security impact; future MySQL package updates may address this flaw for Red Hat Enterprise Linux 3 and Red Hat Application Stack 2.

Statement CVE-2009-2473:

(none)

Statement CVE-2009-2537:

Red Hat does not consider a user-assisted crash of a client application such as Konqueror to be a security issue.

Statement CVE-2009-2559:

Not vulnerable. This issue did not affect the versions of wireshark as shipped with Red Hat Enterprise Linux 3, 4, or 5.

Statement CVE-2009-2560:

The affected versions of Wireshark as shipped in Red Hat Enterprise Linux 3, 4, and 5 were fixed via: https://rhn.redhat.com/errata/RHSA-2010-0360.html

Vectors (1) Bluetooth L2CAP and (3) MIOP did not affect the versions of the Wireshark package, as shipped with Red Hat Enterprise Linux 3, 4, or 5.

Statement CVE-2009-2561:

Not vulnerable. This issue did not affect the versions of wireshark as shipped with Red Hat Enterprise Linux 3, 4, or 5.

Statement CVE-2009-2562:

The affected versions of Wireshark as shipped in Red Hat Enterprise Linux 3, 4, and 5 were fixed via: https://rhn.redhat.com/errata/RHSA-2010-0360.html

Statement CVE-2009-2563:

The affected versions of Wireshark as shipped in Red Hat Enterprise Linux 3, 4, and 5 were fixed via: https://rhn.redhat.com/errata/RHSA-2010-0360.html

Statement CVE-2009-2584:

Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5 or Red Hat Enterprise MRG.

Statement CVE-2009-2621:

Not vulnerable. This issue did not affect the versions of squid as shipped with Red Hat Enterprise Linux 3, 4, or 5.

Statement CVE-2009-2622:

Not vulnerable. This issue did not affect the versions of squid as shipped with Red Hat Enterprise Linux 3, 4, or 5.

Statement CVE-2009-2626:

Red Hat does not consider this flaw to be a security issue. The bug can only be triggered by the PHP script author, which does not cross a trust boundary.

Statement CVE-2009-2687:

This issue was addressed in php packages shipped in Red Hat Enterprise Linux 3, 4 and 5 via: https://rhn.redhat.com/errata/RHSA-2010-0040.html

Statement CVE-2009-2688:

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2009-2688

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/

Statement CVE-2009-2691:

The Red Hat Security Response Team has rated this issue as having moderate security impact.

We currently have no plans to fix this flaw in Red Hat Enterprise Linux 3, 4, and 5 as it is not possible to trigger the information leak if the suid_dumpable tunable is set to zero (which is the default).

It was addressed in Red Hat Enterprise MRG via: https://rhn.redhat.com/errata/RHSA-2009-1540.html

Statement CVE-2009-2692:

Red Hat is aware of this issue. Please see http://kbase.redhat.com/faq/docs/DOC-18065.

Updates for Red Hat Enterprise Linux 3, 4, 5, and Red Hat Enterprise MRG to correct this issue are available: https://rhn.redhat.com/cve/CVE-2009-2692.html

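The statements in this comment lean on three local configuration mitigations: fs.suid_dumpable set to zero (CVE-2009-2691), /dev/net/tun restricted to root (CVE-2009-1897), and home directories created mode 0700 (CVE-2009-1631). The audit script below is an added example and is not part of the Red Hat statements; its function names, parameterized paths and the temporary test tree are assumptions of this example, while the default paths (/proc/sys/fs/suid_dumpable, /dev/net/tun, /home) are the standard Linux locations. Each check takes its path as an argument so it can be run against a constructed tree as well as the live system.

```shell
#!/bin/sh
# Added example, not from the Red Hat statements above: audits the three local
# mitigations those statements rely on. Paths are parameters so the checks can
# be pointed at a test tree as well as at the live system.

# CVE-2009-2691: the core-dump information leak is only reachable when
# fs.suid_dumpable is non-zero. $1 = sysctl file (default /proc/sys/fs/suid_dumpable).
check_suid_dumpable() {
    f=${1:-/proc/sys/fs/suid_dumpable}
    [ -r "$f" ] || { echo "suid_dumpable: $f not readable"; return 2; }
    val=$(cat "$f")
    if [ "$val" = "0" ]; then
        echo "suid_dumpable=0: OK"
        return 0
    fi
    echo "suid_dumpable=$val: setuid core dumps enabled; set fs.suid_dumpable=0"
    return 1
}

# CVE-2009-1897: the mitigation is to keep /dev/net/tun usable by root only.
# $1 = device node (default /dev/net/tun), $2 = expected owner uid (default 0).
# Passes only when the owner matches and no group/other permission bits are set.
check_tun_perms() {
    dev=${1:-/dev/net/tun}
    want_uid=${2:-0}
    [ -e "$dev" ] || { echo "tun: $dev absent, driver not loaded"; return 0; }
    mode=$(printf '%04d' "$(stat -c '%a' "$dev")")   # e.g. 600 -> 0600, 4755 stays
    uid=$(stat -c '%u' "$dev")
    # the last two octal digits are the group and other bits
    if [ "$uid" = "$want_uid" ] && [ "${mode#??}" = "00" ]; then
        echo "tun: $dev mode $mode uid $uid: OK"
        return 0
    fi
    echo "tun: $dev mode $mode uid $uid: fix with chown root $dev; chmod 600 $dev"
    return 1
}

# CVE-2009-1631: ~/.evolution is only exposed when the home directory itself
# grants group/other access. $1 = parent of the home directories (default /home).
# Returns 0 only when no home directory grants group/other access.
check_home_dirs() {
    parent=${1:-/home}
    bad=0
    for d in "$parent"/*/; do
        [ -d "$d" ] || continue
        mode=$(printf '%04d' "$(stat -c '%a' "$d")")
        case "${mode#??}" in
            00) ;;
            *) echo "home: $d mode $mode is accessible to other users; chmod 700 it"
               bad=$((bad + 1)) ;;
        esac
    done
    echo "home: $bad directories under $parent with group/other access"
    [ "$bad" -eq 0 ]
}

# Run all three against the live system: sh audit.sh --audit
audit_system() {
    rc=0
    check_suid_dumpable || rc=1
    check_tun_perms || rc=1
    check_home_dirs || rc=1
    return "$rc"
}

case "${1:-}" in
    --audit) audit_system ;;
esac
```

The exit status of each function is the finding: 0 is clean, 1 is a setting that needs changing, and 2 (for the sysctl check) means the value could not be read at all, which a cron-driven audit should report rather than silently treat as a pass.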
Comment 14 Vincent Danen 2010-05-07 05:21:23 UTC
Statement CVE-2009-2693:

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2693

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/

This issue has been addressed in JBoss Enterprise Web Server 1.0.1: https://rhn.redhat.com/errata/RHSA-2010-0119.html

Statement CVE-2009-2698:

This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise MRG. Updates for Red Hat Enterprise Linux 3, 4 and 5 to correct this issue are available: https://rhn.redhat.com/cve/CVE-2009-2698.html

Statement CVE-2009-2699:

This flaw does not affect the version of APR shipped in Red Hat Enterprise Linux.

This flaw affected JBoss Enterprise Web Server running on the Solaris platform. Updated httpd packages are available for download from the Customer Support Portal.

Statement CVE-2009-2700:

Not vulnerable. This issue did not affect the versions of qt and qt4 as shipped with Red Hat Enterprise Linux 3, 4, or 5.  Affected code was introduced upstream in version 4.3.

Statement CVE-2009-2702:

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2702

This issue did not affect kdelibs packages as shipped in Red Hat Enterprise Linux 3 and 4.

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw in Red Hat Enterprise Linux 5.

Statement CVE-2009-2707:

Not vulnerable. This issue did not affect the versions of ia32el as shipped with Red Hat Enterprise Linux 3, 4 or 5.

Statement CVE-2009-2767:

Not vulnerable. This issue only affected kernel versions 2.6.28-rc1 and later. Therefore this issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5 or Red Hat Enterprise MRG.

Statement CVE-2009-2768:

Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5 or Red Hat Enterprise MRG. Red Hat does not provide flat binary support, and additionally this issue only affected kernel versions 2.6.29-rc1 and later.

Statement CVE-2009-2844:

Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5 or Red Hat Enterprise MRG.

Please note this issue only affected Linux kernel versions after v2.6.30-rc1 and was fixed in v2.6.31-rc6.

Statement CVE-2009-2846:

Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5 or Red Hat Enterprise MRG. Red Hat does not provide support for the Linux kernel on the PA-RISC architecture.

Statement CVE-2009-2847:

This issue has been rated as having moderate security impact. It was addressed in Red Hat Enterprise Linux 4, 5 and Red Hat Enterprise MRG:
http://rhn.redhat.com/cve/CVE-2009-2847.html

This issue is not planned to be fixed in Red Hat Enterprise Linux 3, due to this product being in Production 3 of its maintenance life-cycle, where only qualified security errata of important or critical impact are addressed.  For further information about Errata Support Policy, visit: http://www.redhat.com/security/updates/errata/

Statement CVE-2009-2849:

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2849

The flaw was introduced in kernel version 2.6.17-rc1. The Linux kernels as shipped with Red Hat Enterprise Linux 3 and 4 are not affected by this issue.

It was addressed in Red Hat Enterprise MRG via: https://rhn.redhat.com/errata/RHSA-2009-1540.html

A future kernel update for Red Hat Enterprise Linux 5 will address this flaw.

Statement CVE-2009-2855:

This issue did not affect the versions of the squid packages, as shipped with Red Hat Enterprise Linux 3 and 4.

The issue was addressed in the squid packages as shipped with Red Hat Enterprise Linux 5 via:
https://rhn.redhat.com/errata/RHSA-2010-0221.html

Statement CVE-2009-2901:

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2901

This issue did not affect Tomcat versions running on Linux or Solaris systems.

This issue is fixed in the tomcat5 and tomcat6 packages released with JBoss Enterprise Web Server 1.0.1 for Windows.

Statement CVE-2009-2902:

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2902

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/

This issue has been addressed in JBoss Enterprise Web Server 1.0.1: https://rhn.redhat.com/errata/RHSA-2010-0119.html

Statement CVE-2009-2903:

Red Hat is aware of this issue. Please see http://kbase.redhat.com/faq/docs/DOC-19077

This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 4 and 5, as the affected driver is not enabled in these kernels. The affected driver is available in Red Hat Enterprise MRG. It is also available in Red Hat Enterprise Linux 3, but only if the kernel-unsupported package is installed. Future kernel updates in Red Hat Enterprise Linux 3 and Red Hat Enterprise MRG will address this issue.

Statement CVE-2009-2908:

The Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, and Red Hat Enterprise MRG do not include support for eCryptfs, and therefore are not affected by this issue.

It was addressed in Red Hat Enterprise Linux 5 via: https://rhn.redhat.com/errata/RHSA-2009-1548.html

Statement CVE-2009-2909:

This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 4, 5, or Red Hat Enterprise MRG, as the affected driver is not enabled in these kernels.

The affected driver is available in Red Hat Enterprise Linux 3, but only if the kernel-unsupported package is installed.

A future kernel update in Red Hat Enterprise Linux 3 may address this flaw.

Statement CVE-2009-2910:

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/CVE-2009-2910

It has been rated as having moderate security impact.

It was addressed in Red Hat Enterprise Linux 4, 5 and Red Hat Enterprise MRG via: https://rhn.redhat.com/errata/RHSA-2009-1671.html, https://rhn.redhat.com/errata/RHSA-2010-0046.html and https://rhn.redhat.com/errata/RHSA-2009-1540.html respectively.

This issue is not planned to be fixed in Red Hat Enterprise Linux 3, due to this product being in Production 3 of its maintenance life-cycle, where only qualified security errata of important and critical impact are addressed.

For further information about Errata Support Policy, visit: http://www.redhat.com/security/updates/errata/

Statement CVE-2009-3001:

Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5 or Red Hat Enterprise MRG. Red Hat does not provide support for PF_LLC sockets in the Linux kernels.

Statement CVE-2009-3002:

CVE-2009-3002 describes a collection of similar information leaks that affect numerous networking protocols.

The Linux kernel as shipped with Red Hat Enterprise Linux 4 and 5 did not enable support for the AppleTalk DDP protocol, and therefore were not affected by issue (1). It was addressed in Red Hat Enterprise Linux 3 and Red Hat Enterprise MRG via: https://rhn.redhat.com/errata/RHSA-2009-1550.html and https://rhn.redhat.com/errata/RHSA-2009-1540.html respectively.

The Linux kernel as shipped with Red Hat Enterprise Linux 4, 5 and Red Hat Enterprise MRG did not enable support for IrDA sockets, and therefore were not affected by issue (2). It was addressed in Red Hat Enterprise Linux 3 via: https://rhn.redhat.com/errata/RHSA-2009-1550.html

The Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5, and Red Hat Enterprise MRG did not enable support for the Acorn Econet and AUN protocols, and therefore were not affected by issue (3).

The Linux kernel as shipped with Red Hat Enterprise Linux 4, 5, and Red Hat Enterprise MRG did not enable support for the NET/ROM and ROSE protocols, and therefore were not affected by issues (4) and (5). They were addressed in Red Hat Enterprise Linux 3 via: https://rhn.redhat.com/errata/RHSA-2009-1550.html

The raw_getname() leak was introduced in the Linux kernel version 2.6.25-rc1. The Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5, and Red Hat Enterprise MRG therefore were not affected by issue (6).

Statement CVE-2009-3025:

Not vulnerable. This issue did not affect the versions of pidgin as shipped with Red Hat Enterprise Linux 3, 4, or 5.

Statement CVE-2009-3026:

Red Hat has released updates to correct this issue:
https://rhn.redhat.com/errata/RHSA-2009-1453.html

Statement CVE-2009-3043:

Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5 or Red Hat Enterprise MRG, as they do not contain a backport of the tty ldisc rewrite (upstream commits 65b770468e98 and cbe9352fa08f).

Statement CVE-2009-3051:

Not vulnerable. This issue did not affect the versions of libsilc as shipped with Red Hat Enterprise Linux 4, or 5.

Statement CVE-2009-3084:

Not vulnerable. This issue did not affect the versions of Pidgin packages, as shipped with Red Hat Enterprise Linux 3, 4, or 5.

Statement CVE-2009-3094:

List of the errata fixing this flaw in affected products can be found at:
https://www.redhat.com/security/data/cve/CVE-2009-3094.html

Statement CVE-2009-3095:

List of the errata fixing this flaw in affected products can be found at:
https://www.redhat.com/security/data/cve/CVE-2009-3095.html

Statement CVE-2009-3163:

Not vulnerable. This issue did not affect the versions of libsilc as shipped with Red Hat Enterprise Linux 4, or 5.

Statement CVE-2009-3228:

This issue was addressed in Red Hat Enterprise Linux 4, 5, and Red Hat Enterprise MRG via: https://rhn.redhat.com/errata/RHSA-2009-1522.html, https://rhn.redhat.com/errata/RHSA-2009-1548 and https://rhn.redhat.com/errata/RHSA-2009-1540 respectively.

It has been rated as having moderate security impact and is not planned to be fixed in Red Hat Enterprise Linux 3, due to this product being in Production 3 of its maintenance life-cycle, where only qualified security errata of important or critical impact are addressed.

For further information about Errata Support Policy, visit: http://www.redhat.com/security/updates/errata/

Statement CVE-2009-3229:

Not vulnerable. This issue did not affect the versions of PostgreSQL as shipped with Red Hat Enterprise Linux 3, 4, or 5.

In PostgreSQL versions prior to 8.2, only the database administrator was able to LOAD additional plugins and use them to cause a server crash.  However, this does not bypass a trust boundary, so it is not a security flaw for older PostgreSQL versions.  Additionally, no plugins are shipped in Red Hat PostgreSQL packages by default.

This issue was addressed in Red Hat Application Stack v2 via https://rhn.redhat.com/errata/RHSA-2009-1461.html

Statement CVE-2009-3231:

Not vulnerable. This issue did not affect the versions of PostgreSQL as shipped with Red Hat Enterprise Linux 3, 4, or 5, as they do not support LDAP authentication, which was introduced upstream in version 8.2.

This issue was addressed in Red Hat Application Stack v2 via https://rhn.redhat.com/errata/RHSA-2009-1461.html

Statement CVE-2009-3234:

Not vulnerable. This issue only affected kernels version v2.6.31-rc1 and later. Therefore this issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5 or Red Hat Enterprise MRG.

Statement CVE-2009-3241:

Not vulnerable. This issue did not affect the versions of wireshark as shipped with Red Hat Enterprise Linux 3, 4, or 5.

Statement CVE-2009-3242:

Not vulnerable. This issue did not affect the versions of wireshark as shipped with Red Hat Enterprise Linux 3, 4, or 5.

Statement CVE-2009-3243:

Not vulnerable. This issue did not affect the versions of wireshark as shipped with Red Hat Enterprise Linux 3, 4, or 5.

Statement CVE-2009-3280:

Not vulnerable. This vulnerability was introduced into the Linux kernel in version 2.6.30-rc1 via upstream commit 2a519311, and therefore does not affect users of Red Hat Enterprise Linux 3, 4, 5, and Red Hat Enterprise MRG.

Statement CVE-2009-3286:

This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, and Red Hat Enterprise MRG.

It was addressed in Red Hat Enterprise Linux 5 via: https://rhn.redhat.com/errata/RHSA-2009-1548.html

Statement CVE-2009-3288:

Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5 or Red Hat Enterprise MRG. This issue was introduced by upstream commit 10db10d1, and only affected kernels version 2.6.28-rc1 and later.

Statement CVE-2009-3289:

Not vulnerable. This issue does not affect the versions of glib2 as shipped with Red Hat Enterprise Linux 3, 4, or 5.

Statement CVE-2009-3290:

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/CVE-2009-3290

This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, and Red Hat Enterprise MRG as KVM (Kernel-based Virtual Machine) is only supported in Red Hat Enterprise Linux 5. A future kernel update in Red Hat Enterprise Linux 5 will address this flaw.

Statement CVE-2009-3293:

This problem is not a security flaw in PHP versions 4.3.5 and later. For further details, see: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3293

PHP versions shipped in Red Hat Enterprise Linux 4 and 5 do not need this fix. We do not plan to address this flaw in Red Hat Enterprise Linux 3.

Statement CVE-2009-3294:

Not vulnerable. This issue did not affect the versions of php as shipped with Red Hat Enterprise Linux 3, 4, or 5, and Red Hat Application Stack v2.

Statement CVE-2009-3295:

Not vulnerable. This issue did not affect the versions of krb5 as shipped with Red Hat Enterprise Linux 3, 4, or 5.

Statement CVE-2009-3389:

Not vulnerable. This issue did not affect the versions of libtheora as shipped with Red Hat Enterprise Linux 4, or 5.

Statement CVE-2009-3549:

Not vulnerable. This issue did not affect the versions of wireshark as shipped with Red Hat Enterprise Linux 3, 4, or 5.

Statement CVE-2009-3550:

The affected versions of Wireshark as shipped in Red Hat Enterprise Linux 3, 4, and 5 were fixed via: https://rhn.redhat.com/errata/RHSA-2010-0360.html

Statement CVE-2009-3551:

Not vulnerable. This issue did not affect the versions of wireshark as shipped with Red Hat Enterprise Linux 3, 4, or 5.

Statement CVE-2009-3555:

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3555

Additional information can be found in the Red Hat Knowledgebase article:
http://kbase.redhat.com/faq/docs/DOC-20491

Statement CVE-2009-3556:

This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 3, 4 and Red Hat Enterprise MRG. Shipped kernels do not include upstream commit d025c9db that introduced the problem.

This upstream commit was backported in Red Hat Enterprise Linux 5 via the RHBA-2008:0314 update. The issue was addressed in Red Hat Enterprise Linux 5 via https://rhn.redhat.com/errata/RHSA-2010-0046.html

Statement CVE-2009-3557:

We do not consider safe_mode / open_basedir restriction bypass issues to be security sensitive. For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php

Statement CVE-2009-3558:

We do not consider safe_mode / open_basedir restriction bypass issues to be security sensitive. For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php

Statement CVE-2009-3607:

Not vulnerable. This issue did not affect the version of poppler as shipped with Red Hat Enterprise Linux 5.

Statement CVE-2009-3612:

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/CVE-2009-3612

This issue has been rated as having moderate security impact.

It was addressed in Red Hat Enterprise Linux 5 and Red Hat Enterprise MRG via: https://rhn.redhat.com/errata/RHSA-2009-1670.html and https://rhn.redhat.com/errata/RHSA-2009-1540.html respectively.

A future kernel update in Red Hat Enterprise Linux 4 will address this flaw.

This issue is not planned to be fixed in Red Hat Enterprise Linux 3 due to this product being in Production 3 of its maintenance life-cycle, where only qualified security errata of important or critical impact are addressed.

For further information about the Errata Support Policy, visit: http://www.redhat.com/security/updates/errata/

Statement CVE-2009-3621:

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2009-3621

This issue has been rated as having moderate security impact.

It was addressed in Red Hat Enterprise Linux 4, 5 and Red Hat Enterprise MRG via: https://rhn.redhat.com/errata/RHSA-2009-1671.html, https://rhn.redhat.com/errata/RHSA-2009-1670.html and https://rhn.redhat.com/errata/RHSA-2009-1540.html respectively.

This issue is not planned to be fixed in Red Hat Enterprise Linux 3, due to this product being in Production 3 of its maintenance life-cycle, where only qualified security errata of important or critical impact are addressed.

For further information about Errata Support Policy, visit: http://www.redhat.com/security/updates/errata/

Statement CVE-2009-3623:

Not vulnerable. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5, or Red Hat Enterprise MRG. Those versions do not include the upstream patch that introduced this vulnerability.

Statement CVE-2009-3624:

Not vulnerable. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5, or Red Hat Enterprise MRG. Those versions do not include the upstream patch that introduced this vulnerability.

Statement CVE-2009-3626:

Not vulnerable. This issue did not affect the versions of perl as shipped with Red Hat Enterprise Linux 3, 4, or 5.

Statement CVE-2009-3627:

This issue does not affect Red Hat Enterprise Linux 3, 4, or 5.

This flaw can only lead to a denial of service if perl-HTML-Parser is used in conjunction with perl 5.10.1. If perl-HTML-Parser is used with earlier versions of perl, this flaw does not lead to a denial of service.

Statement CVE-2009-3638:

Not vulnerable. This issue did not affect the versions of KVM as shipped with Red Hat Enterprise Linux 5. KVM is only supported on AMD64/x86_64 architecture on Red Hat Enterprise Linux 5.

Statement CVE-2009-3640:

Not vulnerable. This issue did not affect the versions of KVM as shipped with Red Hat Enterprise Linux 5 as it does not contain the patch that introduced this vulnerability (upstream commit f0a3602c).

Statement CVE-2009-3720:

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3720

The Red Hat Security Response Team has rated this issue as having moderate security impact in Python; a future update may address this flaw. If a system has PyXML installed, Python will use PyXML for expat-related functions and is then not vulnerable to the issue.

Statement CVE-2009-3722:

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3722

The Red Hat Security Response Team has rated this issue as having moderate security impact; a future update will address this flaw.

Statement CVE-2009-3725:

Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5 or Red Hat Enterprise MRG, as they do not include the upstream change introducing this flaw.

Statement CVE-2009-3765:

Not vulnerable. This issue did not affect the versions of mutt as shipped with Red Hat Enterprise Linux 3, 4, or 5.

Statement CVE-2009-3829:

The affected versions of Wireshark as shipped in Red Hat Enterprise Linux 3, 4, and 5 were fixed via: https://rhn.redhat.com/errata/RHSA-2010-0360.html

Statement CVE-2009-3888:

Not vulnerable. The Linux kernels as shipped with Red Hat Enterprise Linux 3, 4, 5, and Red Hat Enterprise MRG did not have MMU disabled, and therefore are not affected by this issue.

Statement CVE-2009-3889:

This issue did not affect the version of the Linux kernel as shipped with Red Hat Enterprise Linux 3, as it does not implement the sysfs file system ("/sys/"), through which the dbg_lvl file is exposed by the megaraid_sas driver.

The issue was addressed in Red Hat Enterprise Linux 4, 5 and Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2010-0076.html, https://rhn.redhat.com/errata/RHSA-2010-0046.html and https://rhn.redhat.com/errata/RHSA-2009-1635.html respectively.

Statement CVE-2009-3895:

Not vulnerable. This issue did not affect the versions of libexif as shipped with Red Hat Enterprise Linux 4, or 5.

Statement CVE-2009-3938:

Not vulnerable. This issue did not affect the versions of poppler as shipped with Red Hat Enterprise Linux 5.

Statement CVE-2009-3939:

This issue did not affect the version of the Linux kernel as shipped with Red Hat Enterprise Linux 3, as it does not implement the sysfs file system ("/sys/"), through which the poll_mode_io file is exposed by the megaraid_sas driver.

The issue was addressed in Red Hat Enterprise Linux 4, 5 and Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2010-0076.html, https://rhn.redhat.com/errata/RHSA-2010-0046.html and https://rhn.redhat.com/errata/RHSA-2009-1635.html respectively.

Statement CVE-2009-4004:

Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, and Red Hat Enterprise MRG as KVM (Kernel-based Virtual Machine) is only supported in Red Hat Enterprise Linux 5.

Red Hat Enterprise Linux 5 is not vulnerable to this issue because it does not include the change that introduced this buffer overflow vulnerability.

Statement CVE-2009-4005:

The Linux kernel as shipped with Red Hat Enterprise Linux 3, 5, and Red Hat Enterprise MRG did not include support for the HiSax ISDN driver for Colognechip HFC-S USB chip, and therefore were not affected by this issue.

The issue was addressed in Red Hat Enterprise Linux 4 via https://rhn.redhat.com/errata/RHSA-2010-0076.html

Statement CVE-2009-4018:

We do not consider safe_mode / open_basedir restriction bypass issues to be security sensitive. For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php

Statement CVE-2009-4020:

This issue did not affect the version of the Linux kernel as shipped with Red Hat Enterprise MRG as the affected driver is not enabled in this kernel.

It was addressed in Red Hat Enterprise Linux 4 and 5 via https://rhn.redhat.com/errata/RHSA-2010-0076.html and https://rhn.redhat.com/errata/RHSA-2010-0046.html respectively.

Red Hat Enterprise Linux 3 is now in Production 3 of the maintenance life-cycle, http://www.redhat.com/security/updates/errata, and this issue is rated as having low impact; therefore the fix for this issue is not currently planned to be included in future updates.

Statement CVE-2009-4021:

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/CVE-2009-4021

The Linux kernel packages as shipped with Red Hat Enterprise Linux 3 and 4 do not include support for FUSE, and therefore are not affected by this issue.

It was addressed in Red Hat Enterprise Linux 5 via https://rhn.redhat.com/errata/RHSA-2010-0046.html

A future kernel update for Red Hat Enterprise MRG will address this flaw.

Statement CVE-2009-4026:

Not vulnerable. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5 and Red Hat Enterprise MRG. Shipped kernels do not include upstream commits d75636ef and d92684e6 that introduced the problem.

Statement CVE-2009-4027:

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/CVE-2009-4027.

This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 3 and 4 as they do not have support for the mac80211 framework.

It did not affect the version of the Linux kernel as shipped with Red Hat Enterprise MRG as they do not include the upstream patch that introduced this vulnerability.

A future update will address this flaw in Red Hat Enterprise Linux 5.

Statement CVE-2009-4029:

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-4029

This issue was addressed in the automake, automake14, automake15, automake16 and automake17 packages as shipped with Red Hat Enterprise Linux 5 via: https://rhn.redhat.com/errata/RHSA-2010-0321.html

The Red Hat Security Response Team has rated this issue as having low security impact; there's no plan to address this flaw in automake packages in Red Hat Enterprise Linux 3 and 4.

Statement CVE-2009-4034:

This issue is only security-relevant in PostgreSQL versions 8.4 and later as previous versions did not compare the connection host name with the certificate CommonName at all. Client certificate authentication was introduced in version 8.4. Red Hat Enterprise Linux 5 and earlier provided PostgreSQL versions 8.1.x and earlier, and are thus not affected by this issue.

Statement CVE-2009-4131:

Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5 and Red Hat Enterprise MRG. Those versions do not include the upstream patch that introduced this vulnerability.

Statement CVE-2009-4135:

This issue does not affect users using coreutils binary RPMs, or rebuilding source RPMs. Therefore, we do not plan to release updates addressing this flaw on Red Hat Enterprise Linux 3, 4 and 5.

For additional details, refer to the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-4135

Statement CVE-2009-4136:

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2009-4136

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.

Statement CVE-2009-4138:

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/CVE-2009-4138

The Linux kernel packages as shipped with Red Hat Enterprise Linux 3 and 4 have a different (and older) implementation of the driver for OHCI 1394 controllers, which is not affected by this issue.

It was addressed in Red Hat Enterprise Linux 5 via https://rhn.redhat.com/errata/RHSA-2010-0046.html

A future kernel update for Red Hat Enterprise MRG will address this flaw.

Statement CVE-2009-4141:

This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 3, 4 and Red Hat Enterprise MRG. Shipped kernels do not include upstream commit 233e70f4 that introduced the problem.

It was addressed in Red Hat Enterprise Linux 5 via https://rhn.redhat.com/errata/RHSA-2010-0046.html

Statement CVE-2009-4143:

We do not consider safe_mode / open_basedir restriction bypass issues to be security sensitive. For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php

Statement CVE-2009-4227:

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2009-4227

The Red Hat Security Response Team has rated this issue as having moderate security impact; a future update may address this flaw.  More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/

Statement CVE-2009-4228:

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2009-4228

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.  More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/

Statement CVE-2009-4235:

Red Hat considers this to be a duplicate of the CVE-2009-4033, rather than a separate issue. For further details, see: https://bugzilla.redhat.com/show_bug.cgi?id=542926#c10

Statement CVE-2009-4270:

Not vulnerable. This issue did not affect the versions of ghostscript as shipped with Red Hat Enterprise Linux 3, 4, or 5.

Statement CVE-2009-4271:

This security issue did not affect the Linux kernels as shipped with Red Hat Enterprise Linux 3, 5 and Red Hat Enterprise MRG. This issue was addressed in Red Hat Enterprise Linux 4 via https://rhn.redhat.com/errata/RHSA-2010-0146.html.

Statement CVE-2009-4272:

This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 3, 4 and Red Hat Enterprise MRG. Shipped kernels do not include upstream commits c6153b5b and 1080d709 that introduced the problem.

It was addressed in Red Hat Enterprise Linux 5 via https://rhn.redhat.com/errata/RHSA-2010-0046.html

Statement CVE-2009-4307:

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/CVE-2009-4307

The Linux kernel packages as shipped with Red Hat Enterprise Linux 3, 4 and Red Hat Enterprise MRG do not include support for EXT4, and therefore are not affected by this issue.

A future kernel update for Red Hat Enterprise Linux 5 will address this flaw.

Statement CVE-2009-4308:

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/CVE-2009-4308

The Linux kernel packages as shipped with Red Hat Enterprise Linux 3, 4 and Red Hat Enterprise MRG do not include support for EXT4, and therefore are not affected by this issue. This issue was addressed in Red Hat Enterprise Linux 5 via https://rhn.redhat.com/errata/RHSA-2010-0147.html.

Statement CVE-2009-4410:

Not vulnerable. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5 and Red Hat Enterprise MRG. Shipped kernels do not include upstream commit 59efec7b that introduced the problem.

Statement CVE-2009-4411:

Not vulnerable. This issue did not affect the versions of acl as shipped with Red Hat Enterprise Linux 3, 4, or 5.

Statement CVE-2009-4418:

Red Hat does not consider this to be a security flaw. For further details, see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-4418

Statement CVE-2009-4484:

Not vulnerable. This issue did not affect the versions of mysql as shipped with Red Hat Enterprise Linux 3, 4, or 5. The packages use OpenSSL and not yaSSL.

Statement CVE-2009-4492:

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-4492

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.

Statement CVE-2009-4565:

(none)

Statement CVE-2009-4629:

Not vulnerable. This issue did not affect the versions of Thunderbird as shipped with Red Hat Enterprise Linux 4 and 5, and Seamonkey as shipped with Red Hat Enterprise Linux 3 and 4.

Statement CVE-2009-4630:

Not vulnerable. This issue did not affect the versions of Firefox, Thunderbird, or Seamonkey as shipped with Red Hat Enterprise Linux 3, 4, or 5.

Statement CVE-2009-4641:

Not vulnerable. This issue did not affect the versions of gnome-screensaver as shipped with Red Hat Enterprise Linux 5.

Comment 15 Vincent Danen 2010-05-07 05:33:16 UTC
Statement CVE-2010-0003:

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/CVE-2010-0003.

This issue has been rated as having moderate security impact.

A future update in Red Hat Enterprise MRG may address this flaw. This issue was addressed in Red Hat Enterprise Linux 4 and 5 via https://rhn.redhat.com/errata/RHSA-2010-0146.html and https://rhn.redhat.com/errata/RHSA-2010-0147.html respectively.

This issue is not planned to be fixed in Red Hat Enterprise Linux 3, due to this product being in Production 3 of its maintenance life-cycle, where only qualified security errata of important or critical impact are addressed.

For further information about Errata Support Policy, visit: http://www.redhat.com/security/updates/errata/

Statement CVE-2010-0006:

Not vulnerable. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5 and Red Hat Enterprise MRG as they did not have support for network namespaces, and did not include upstream commit 483a47d2 that introduced the problem.

Statement CVE-2010-0007:

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/CVE-2010-0007.

This issue did not affect the version of Linux kernel as shipped with Red Hat Enterprise Linux 3, as it did not include support for ebtables. This issue was addressed in Red Hat Enterprise Linux 4 and 5 via https://rhn.redhat.com/errata/RHSA-2010-0146.html and https://rhn.redhat.com/errata/RHSA-2010-0147.html respectively. A future update in Red Hat Enterprise MRG may address this flaw.

Statement CVE-2010-0008:

This issue did not affect the version of Linux kernel as shipped with Red Hat Enterprise Linux 3 as it did not include support for SCTP. It did not affect the version of Linux kernel as shipped with Red Hat Enterprise MRG as it already had the fix for this issue. This was addressed in Red Hat Enterprise Linux 4 and 5 via https://rhn.redhat.com/errata/RHSA-2010-0146.html and https://rhn.redhat.com/errata/RHSA-2010-9419.html respectively.

Statement CVE-2010-0010:

This issue does not affect the Apache HTTP Server versions 2 and greater. This flaw does not affect any supported versions of Red Hat Enterprise Linux.

This flaw does affect Red Hat Network Proxy and Red Hat Network Satellite. While those products do not use this feature, we are tracking the issue with the following bug:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-0010

Statement CVE-2010-0136:

Not vulnerable. This issue did not affect the versions of openoffice.org as shipped with Red Hat Enterprise Linux 3, 4, or 5.

Statement CVE-2010-0277:

This issue was addressed for Red Hat Enterprise Linux 4 and 5 via https://rhn.redhat.com/errata/RHSA-2010-0115.html

We currently have no plans to fix this flaw in Red Hat Enterprise Linux 3 as the MSN protocol support in the provided version of Pidgin (1.5.1) is outdated and no longer supported by MSN servers. There are no plans to backport MSN protocol changes for that version of Pidgin.

Statement CVE-2010-0283:

Not vulnerable. This issue did not affect the versions of MIT Kerberos 5 as shipped with Red Hat Enterprise Linux 3, 4 or 5. Those versions do not contain the vulnerable code that was introduced in krb5 1.7.

Statement CVE-2010-0299:

Not vulnerable. The Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5 and Red Hat Enterprise MRG did not include support for Devtmpfs, and therefore are not affected by this issue.

Statement CVE-2010-0307:

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/CVE-2010-0307.

This issue has been rated as having moderate security impact.

This issue was addressed in Red Hat Enterprise Linux 4 via https://rhn.redhat.com/errata/RHSA-2010-0146.html. Future updates in Red Hat Enterprise Linux 5 and Red Hat Enterprise MRG may address this flaw.

This issue is not planned to be fixed in Red Hat Enterprise Linux 3, due to this product being in Production 3 of its maintenance life-cycle, where only qualified security errata of important or critical impact are addressed.

For further information about Errata Support Policy, visit: http://www.redhat.com/security/updates/errata/

Statement CVE-2010-0308:

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-0308

This issue was addressed in the squid packages as shipped with Red Hat Enterprise Linux 5 via:
https://rhn.redhat.com/errata/RHSA-2010-0221.html

The Red Hat Security Response Team has rated this issue as having low security impact; a future squid update may address this flaw in Red Hat Enterprise Linux 3 and 4.

Statement CVE-2010-0393:

This issue did not affect Red Hat Enterprise Linux 3 and 4 due to the lack of localization in lppasswd as provided in those releases.

The affected code is present in Red Hat Enterprise Linux 5; however, lppasswd is not shipped setuid, so it is not vulnerable to this issue. If a user were to enable the setuid bit on lppasswd, the impact would only be a crash of lppasswd due to the use of FORTIFY_SOURCE protections. Therefore, there are no plans to correct this issue in Red Hat Enterprise Linux 5.

Statement CVE-2010-0410:

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/CVE-2010-0410.

This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3 and 4, as they do not include support for kernel connectors. Future updates in Red Hat Enterprise Linux 5 and Red Hat Enterprise MRG may address this flaw.

Statement CVE-2010-0415:

This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3 and 4, as they do not include support for sys_move_pages. It was only introduced in kernel version 2.6.18 onwards. This issue was addressed in Red Hat Enterprise Linux 5 and Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2010-0147.html and https://rhn.redhat.com/errata/RHSA-2010-0161.html.

Statement CVE-2010-0423:

The Red Hat Security Response Team has rated this issue as having low security impact.

For Red Hat Enterprise Linux 4 and 5, this issue was addressed via https://rhn.redhat.com/errata/RHSA-2010-0115.html

We currently have no plans to fix this flaw in Red Hat Enterprise Linux 3 as the issue only causes Pidgin client to become unresponsive or crash.

Statement CVE-2010-0426:

This issue was addressed in Red Hat Enterprise Linux 5 via: https://rhn.redhat.com/errata/RHSA-2010-0122.html

It did not affect the versions of the sudo package as shipped with Red Hat Enterprise Linux 3 and 4.

Statement CVE-2010-0427:

This issue was addressed in Red Hat Enterprise Linux 5 via: https://rhn.redhat.com/errata/RHSA-2010-0122.html

It did not affect the versions of the sudo packages as shipped with Red Hat Enterprise Linux 3 and 4.

Statement CVE-2010-0434:

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-0434

This issue was fixed in Red Hat Enterprise Linux 5 via: https://rhn.redhat.com/errata/RHSA-2010-0168.html

This issue was fixed in Red Hat Enterprise Linux 4 via: https://rhn.redhat.com/errata/RHSA-2010-0175.html

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw on Red Hat Enterprise Linux 3. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/

Statement CVE-2010-0437:

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/CVE-2010-0437.

This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3 and 4, as they do not include support for Optimistic Duplicate Address Detection (DAD) in IPv6. This was addressed in Red Hat Enterprise Linux 5 via https://rhn.redhat.com/errata/RHSA-2010-9419.html. A future update in Red Hat Enterprise MRG may address this flaw.

Statement CVE-2010-0562:

Not vulnerable. This issue did not affect the versions of fetchmail as shipped with Red Hat Enterprise Linux 3, 4, or 5.

Statement CVE-2010-0622:

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/CVE-2010-0622.

This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3 and 4, as they do not include support for priority-inheriting futex. Future updates in Red Hat Enterprise Linux 5 and Red Hat Enterprise MRG may address this flaw.

Statement CVE-2010-0623:

Not vulnerable. This security issue did not affect the Linux kernels as shipped with Red Hat Enterprise Linux 3, 4, 5, and Red Hat Enterprise MRG, as they do not include the upstream change that introduced this flaw.

Statement CVE-2010-0628:

Not vulnerable. This flaw does not affect MIT krb5 as provided in Red Hat Enterprise Linux 3, 4, and 5.

Statement CVE-2010-0639:

Not vulnerable. This issue did not affect the versions of squid as shipped with Red Hat Enterprise Linux 3, 4, or 5. Those versions are not compiled with the support for HTCP protocol.

Statement CVE-2010-0727:

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/CVE-2010-0727.

This issue did not affect the version of Linux kernel as shipped with Red Hat Enterprise MRG, as it did not include support for the GFS and GFS2 file systems.

For the GFS issue, it was addressed in Red Hat Enterprise Linux 3 in the gfs package, 4 in the GFS-kernel package, and 5 in the gfs-kmod package, via https://rhn.redhat.com/errata/RHSA-2010-9493.html, https://rhn.redhat.com/errata/RHSA-2010-9494.html, https://rhn.redhat.com/errata/RHSA-2010-0291.html respectively.

For the GFS2 issue, it was addressed in Red Hat Enterprise Linux 5 in the kernel package via https://rhn.redhat.com/errata/RHSA-2010-0178.html.

Statement CVE-2010-0728:

Not vulnerable.

This issue did not affect the versions of the samba package, as shipped with Red Hat Enterprise Linux 3, 4, or 5.

This issue did not affect the version of the samba3x package, as shipped with Red Hat Enterprise Linux 5.

Statement CVE-2010-0729:

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/CVE-2010-0729.

This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3, 5 or Red Hat Enterprise MRG, as they do not include the internal change introducing this flaw. A future update in Red Hat Enterprise Linux 4 may address this flaw.

Statement CVE-2010-0740:

Not vulnerable. This issue did not affect the versions of openssl as shipped with Red Hat Enterprise Linux 3, 4, or 5.

Statement CVE-2010-0789:

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2010-0789

This issue affects Red Hat Enterprise Linux 5 because it ships fusermount suid root; however, the impact of this flaw is minimized because only members of group fuse may use it: the executable is owned root:fuse and has mode 4750.

Red Hat Enterprise Linux 3 and 4 do not provide the fuse package.

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw. More information regarding issue severity can be found here:

http://www.redhat.com/security/updates/classification/

Statement CVE-2010-0825:

Not vulnerable. This issue does not affect the versions of emacs or xemacs as shipped with Red Hat Enterprise Linux. The movemail utility in Red Hat Enterprise Linux does not have the setgid bit set, which is required for this flaw to be exploitable.

Statement CVE-2010-0928:

CVE-2010-0928 describes a fault-based attack on OpenSSL where an attacker has precise control over the target system environment in order to be able to introduce faults through power supply manipulation.

The attack is not a viable threat to OpenSSL as used in Red Hat products. The Red Hat Security Response Team has rated this issue as having low security impact and we do not intend to issue updates to address it.

Statement CVE-2010-1083:

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/CVE-2010-1083

This issue has been rated as having low security impact.

A future update in Red Hat Enterprise Linux 4, 5, and Red Hat Enterprise MRG may address this flaw. This issue is not planned to be fixed in Red Hat Enterprise Linux 3, due to this product being in Production 3 of its maintenance life-cycle, where only qualified security errata of important or critical impact are addressed.

For further information about Errata Support Policy, visit: http://www.redhat.com/security/updates/errata/

Statement CVE-2010-1084:

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/CVE-2010-1084

This issue did not affect the version of the Linux kernel as shipped with Red Hat Enterprise 3 and 4, as it did not use sysfs files. A future update in Red Hat Enterprise Linux 5 and Red Hat Enterprise MRG may address this flaw.

Statement CVE-2010-1085:

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/CVE-2010-1085

This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 3 and Red Hat Enterprise MRG as they did not include the affected function. A future update in Red Hat Enterprise Linux 4 and 5 may address this flaw.

Statement CVE-2010-1086:

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/CVE-2010-1086

This issue did not affect the version of the Linux kernel as shipped with Red Hat Enterprise Linux 3 as it did not include support for ULE (Unidirectional Lightweight Encapsulation). We have included a fix for this issue in Red Hat Enterprise Linux 4 and 5; however, the affected module is not built by default. This issue was addressed in Red Hat Enterprise MRG via http://rhn.redhat.com/errata/RHSA-2010-0631.html.

Statement CVE-2011-0521:

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/CVE-2011-0521

This issue did not affect the version of the Linux kernel as shipped with Red Hat Enterprise Linux 3 as it did not include support for ULE (Unidirectional Lightweight Encapsulation). We have included a fix for this issue in Red Hat Enterprise Linux 4, 5 and Red Hat Enterprise MRG; however, the affected module is not built by default.

Statement CVE-2010-1087:

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/CVE-2010-1087

This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 3 and 4 as they did not include the upstream commit 150030b7 that had introduced the problem. A future update in Red Hat Enterprise Linux 5 and Red Hat Enterprise MRG may address this flaw.

Statement CVE-2010-1088:

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/CVE-2010-1088

This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 3 and 4 as this issue only affects kernel version 2.6.18 and onwards. A future update in Red Hat Enterprise Linux 5 and Red Hat Enterprise MRG may address this flaw.

Statement CVE-2010-1128:

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=577582

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/

Statement CVE-2010-1129:

We do not consider safe_mode / open_basedir restriction bypass issues to be security sensitive. For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php

Statement CVE-2010-1130:

We do not consider safe_mode / open_basedir restriction bypass issues to be security sensitive. For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php

Statement CVE-2010-1146:

Not vulnerable. The Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5 and Red Hat Enterprise MRG did not include support for reiserfs and is therefore not affected by this issue.

Statement CVE-2010-1148:

Not vulnerable. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5 and Red Hat Enterprise MRG as they did not include support for POSIX opens on lookup.

Statement CVE-2010-1158:

The Red Hat Security Response Team has rated this issue as having low security impact. The risks associated with fixing this bug are greater than the low severity security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 3, 4, or 5.

Statement CVE-2010-1188:

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/CVE-2010-1188

This issue did not affect the version of the Linux kernel as shipped with Red Hat Enterprise MRG, as it was fixed since version v2.6.20-rc6. It was addressed in Red Hat Enterprise Linux 5 in the kernel package via https://rhn.redhat.com/errata/RHSA-2010-0178.html. A future update in Red Hat Enterprise Linux 3 and 4 may address this flaw.

Statement CVE-2010-1320:

Not vulnerable. This issue did not affect the versions of krb5 as shipped with Red Hat Enterprise Linux 3, 4, or 5.

Comment 16 Vincent Danen 2010-05-19 17:12:41 UTC
Statement CVE-2009-4136:

This issue was addressed in Red Hat Enterprise Linux 3 via
https://rhn.redhat.com/errata/RHSA-2010-0427.html

This issue was addressed in Red Hat Enterprise Linux 4 via
https://rhn.redhat.com/errata/RHSA-2010-0428.html

This issue was addressed in Red Hat Enterprise Linux 5 via
https://rhn.redhat.com/errata/RHSA-2010-0429.html and https://rhn.redhat.com/errata/RHSA-2010-0430.html

Comment 17 Vincent Danen 2010-06-07 22:35:24 UTC
Statement CVE-2008-5302:

This issue has been addressed in perl packages as shipped in Red Hat Enterprise Linux 3 and 4 via https://rhn.redhat.com/errata/RHSA-2010-0457.html and Red Hat Enterprise Linux 5 via https://rhn.redhat.com/errata/RHSA-2010-0458.html.

Statement CVE-2008-5303:

This issue has been addressed in perl packages as shipped in Red Hat Enterprise Linux 3 and 4 via https://rhn.redhat.com/errata/RHSA-2010-0457.html and Red Hat Enterprise Linux 5 via https://rhn.redhat.com/errata/RHSA-2010-0458.html.

Comment 18 Mark J. Cox 2010-06-25 13:25:53 UTC
Statement CVE-2002-0061:

Not vulnerable.  This flaw is specific to Apache HTTP server on Windows platforms.

Comment 19 Eugene Teo (Security Response) 2011-01-20 05:00:23 UTC
Statement CVE-1999-0002:

This issue has been addressed in nfs-server packages as shipped in Red Hat Linux since version nfs-server-2.2beta37.

Comment 21 Eugene Teo (Security Response) 2011-01-20 05:05:39 UTC
Statement CVE-2003-0252:

This issue has been addressed in nfs-utils packages as shipped in Red Hat Enterprise Linux 2 via https://rhn.redhat.com/errata/RHSA-2003-207.html.

Comment 22 Eugene Teo (Security Response) 2011-01-20 05:17:16 UTC
Statement CVE-1999-0018:

Not vulnerable.  This flaw is specific to statd on Solaris, IRIX, Unixware and AIX platforms.

Statement CVE-1999-0019:

Not vulnerable. This flaw is specific to statd on Solaris platform.

Statement CVE-1999-0210:

Not vulnerable. This flaw is specific to automountd on Solaris platform.

Statement CVE-1999-0493:

Not vulnerable. This flaw is specific to statd on Solaris platform.

Statement CVE-2000-0666:

This issue has been addressed in nfs-utils packages as shipped in Red Hat Linux 6.2 via https://rhn.redhat.com/errata/RHSA-2000-043.html.

Comment 23 Vincent Danen 2011-05-05 19:56:03 UTC
Statement CVE-2009-3720:

(none)

Comment 24 Jan Lieskovsky 2011-06-02 15:47:07 UTC
Statement CVE-2011-1956:

Not vulnerable. This issue did not affect the versions of wireshark as shipped with Red Hat Enterprise Linux 4, 5, or 6. This flaw is specific to Wireshark version 1.4.5.

Comment 25 Vincent Danen 2011-06-29 14:32:40 UTC
Statement CVE-2009-4492:

(none)

Comment 26 Vincent Danen 2011-07-08 21:11:10 UTC
Statement CVE-2009-5079:

The Red Hat Security Response Team has rated this issue as having low security impact because it can only be exploited during package compilation. We do not currently plan to fix this flaw.

Statement CVE-2009-5082:

The Red Hat Security Response Team has rated this issue as having low security impact because it can only be exploited during package compilation. We do not currently plan to fix this flaw.

Comment 27 Vincent Danen 2011-07-11 22:35:40 UTC
Statement CVE-2011-2523:

Not vulnerable. This issue did not affect the versions of vsftpd as shipped with Red Hat Enterprise Linux 3, 4, 5, or 6.

Comment 28 Tomas Hoger 2011-07-21 07:25:00 UTC
Statement CVE-2011-2702:

Not vulnerable. This issue did not affect the versions of glibc as shipped with Red Hat Enterprise Linux 3, 4, 5, or 6.

Comment 29 David Jorm 2012-05-31 08:04:19 UTC
Statement CVE-2010-2076:

Not vulnerable. This issue does not affect the versions of Apache CXF shipped with any Red Hat products.

Comment 30 Jan Lieskovsky 2012-06-21 10:15:32 UTC
Statement CVE-2001-1473:

This issue affects the version of openssh as shipped with Red Hat Enterprise Linux 4. The Red Hat Security Response Team has rated this issue as having low security impact. This issue is not currently planned to be addressed in future openssh updates for Red Hat Enterprise Linux 4. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/. This issue did not affect the versions of openssh as shipped with Red Hat Enterprise Linux 5 and 6, since it is SSH-1 protocol specific and those versions did not enable SSH-1 protocol support in the default configuration.

Comment 31 Jan Lieskovsky 2012-08-07 10:04:18 UTC
Statement CVE-2012-3452:

Not vulnerable. This issue did not affect the versions of gnome-screensaver as shipped with Red Hat Enterprise Linux 5 and 6 as they did not include the upstream commit 43ee32edaddb9b9b9f4b43c47ca73d7b4eea9fae that introduced this issue.

Comment 32 Jan Lieskovsky 2012-11-19 15:21:36 UTC
Statement CVE-2011-4089:

Not vulnerable. This issue did not affect the versions of bzip2 as shipped with Red Hat Enterprise Linux 5 and 6 as they did not include the bzexe executable.

Comment 33 Jan Lieskovsky 2013-01-03 16:37:34 UTC
Statement CVE-2001-0514:

Not vulnerable. This issue did not affect the version of atmel-firmware as shipped with Red Hat Enterprise Linux 6 as it did not implement SNMP protocol support.

Comment 34 Jan Lieskovsky 2013-01-04 11:34:03 UTC
Statement CVE-2012-6088:

Not vulnerable. This issue did not affect the versions of rpm as shipped with Red Hat Enterprise Linux 5 and 6 as they did not include the upstream commit e8bc3ff5d780f4ee6656c24464402723e5fb04f4 that introduced this issue.

Comment 35 Jan Lieskovsky 2013-04-24 09:13:33 UTC
Statement CVE-2003-0787:

Not vulnerable. This issue did not affect the version of openssh as shipped with Red Hat Enterprise Linux 3 as it did not include the upstream PAM password authentication module reimplementation, introduced in OpenSSH 3.7. This issue did not affect the versions of openssh as shipped with Red Hat Enterprise Linux 4, 5, and 6.

Comment 36 Murray McAllister 2013-08-16 04:39:33 UTC
Statement CVE-2013-3240:

Not vulnerable. This issue did not affect the versions of phpMyAdmin as shipped with any Red Hat product or Fedora, as those products do not ship phpMyAdmin version 4.

Comment 37 Vincent Danen 2013-10-22 16:44:41 UTC
Statement CVE-2000-0800:

This issue is a duplicate of CVE-2000-0666, which has been corrected via RHSA-2000:043.

Comment 38 Vincent Danen 2013-11-01 20:19:06 UTC
Statement CVE-2013-1824:

Not vulnerable.  This issue did not affect any versions of PHP as shipped with any Red Hat product.  Please see https://bugzilla.redhat.com/show_bug.cgi?id=918187#c5 for further details.

Comment 40 Ratul Gupta 2014-01-09 03:53:05 UTC
Statement CVE-2007-4586:

Not vulnerable. This issue does not affect the versions of PHP shipped with Red Hat Enterprise Linux. It only affects the PHP version for Windows.

Comment 41 Kurt Seifried 2014-02-13 06:22:22 UTC
Statement CVE-2014-0083:

Not vulnerable. This issue does not affect the versions of rubygem-net-ldap shipped with Red Hat Subscription Asset Manager, CloudForms, Satellite and Red Hat OpenStack.

Comment 42 Murray McAllister 2014-02-19 01:32:40 UTC
Statement CVE-2011-0528:

Not vulnerable. This issue did not affect the versions of Puppet in any Red Hat product.

Comment 43 Murray McAllister 2014-02-25 02:09:34 UTC
Statement CVE-2013-4577:

Not vulnerable. This issue did not affect the grub or grub2 packages shipped in Red Hat products.

Comment 44 Murray McAllister 2014-02-25 07:20:32 UTC
Statement CVE-2011-5271:

Not vulnerable. This issue did not affect the pacemaker packages shipped by Red Hat as the packages are not built in the /tmp/ directory.

Comment 45 Petr Matousek 2014-04-24 13:39:39 UTC
Statement CVE-2014-2986:

Not vulnerable. This issue did not affect the versions of the kernel-xen package as shipped with Red Hat Enterprise Linux 5.

Comment 46 Petr Matousek 2014-05-16 05:00:57 UTC
Statement CVE-2014-3714:

Not vulnerable. This issue did not affect the versions of the kernel-xen package as shipped with Red Hat Enterprise Linux 5.

Statement CVE-2014-3715:

Not vulnerable. This issue did not affect the versions of the kernel-xen package as shipped with Red Hat Enterprise Linux 5.

Statement CVE-2014-3716:

Not vulnerable. This issue did not affect the versions of the kernel-xen package as shipped with Red Hat Enterprise Linux 5.

Statement CVE-2014-3717:

Not vulnerable. This issue did not affect the versions of the kernel-xen package as shipped with Red Hat Enterprise Linux 5.

Comment 47 Petr Matousek 2014-06-04 15:50:41 UTC
Statement CVE-2014-3969:

Not vulnerable. This issue did not affect the versions of the kernel-xen package as shipped with Red Hat Enterprise Linux 5.

Comment 48 Murray McAllister 2014-06-23 04:45:46 UTC
Statement CVE-2014-4349:

Not vulnerable. This issue did not affect the versions of phpMyAdmin as shipped with any Red Hat product.

Comment 49 Murray McAllister 2014-06-25 06:25:44 UTC
Statement CVE-2014-4348:

Not vulnerable. This issue did not affect the versions of phpMyAdmin as shipped with any Red Hat product.

Comment 50 Vincent Danen 2014-07-24 20:07:32 UTC
Statement CVE-2008-4097:

Not vulnerable.  This issue did not affect the versions of MySQL as shipped with any Red Hat product as the improper fix for CVE-2008-2097 that led to the issuance of this CVE was never used.

Comment 51 Petr Matousek 2014-08-12 15:50:15 UTC
Statement CVE-2014-5147:

Not vulnerable. This issue did not affect the versions of the kernel-xen package as shipped with Red Hat Enterprise Linux 5.

Statement CVE-2014-5148:

Not vulnerable. This issue did not affect the versions of the kernel-xen package as shipped with Red Hat Enterprise Linux 5.

Comment 52 Martin Prpič 2015-11-04 16:41:30 UTC
Statement CVE-2001-1013:

Red Hat does not consider this flaw to be a security issue. If UserDir is enabled, you can configure httpd to respond with a custom error page and a single error code whether the user exists or not.

The UserDir functionality is disabled by default in httpd on Red Hat Enterprise Linux 5, 6, and 7, and is thus not exposed on default installations.

Comment 53 Petr Matousek 2018-08-15 14:40:28 UTC
Statement CVE-2018-3615:

Not vulnerable. This issue did not affect the versions of kernel as shipped with any Red Hat product.
