Quick Summary (Fedora Core 4):
For 20030101-20050607 there are a potential 863 CVE named vulnerabilities that could have affected FC4 packages. 759 (88%) of those are fixed because FC4 includes an upstream version that includes a fix, 10 (1%) are still outstanding, and 94 (11%) are fixed with a backported patch.
Near the release time of each new distribution the Red Hat security team go through the packages to ensure that everything is up to date with security patches.
The method used changed slightly from previous releases, this time for completeness:
1. we go through each CVE name for 2003, 2004, and 2005 ignoring those that didn't affect Linux or were in packages not in Fedora Core.
2. Then for each CVE issue left we look to see which upstream version (if any) the vulnerability is fixed in. Sometimes the CVE data gives us this information, but many times it doesn't or it's wrong and we have to investigate for ourselves which upstream verisons fix the issues (and we've reported our many investigations to Mitre for updates to the CVE entries). If we write "at least" we mean that we looked inside the source for that version and checked to see if the fix existed, but it may well have been fixed upstream prior to that version.
3. Where Fedora Core contains a upstream version greater or equal to the upstream version containing a fix, we mark it as not vulnerable due to "version".
4. Remaining CVE names are checked to see if Fedora Core contains a backported patch in the package. We trust changelog entries (since these will have already been audited us by use when a Fedora Core or a Red Hat Enterprise Linux update came out).
5. For anything that looked like it wasn't fixed we talk to the package owner via bugzilla to get a fix into Fedora Core final
So the table we create gives the CVE name, the reason why the particular Fedora Core release isn't vulnerable and optional comments showing the package name, version it was fixed in, or method used to verify the details. We keep this up to date on a weekly basis through the security lifecycle of the Fedora Core release.
Corrections or missed issues (ones showing in CVE) appreciated to firstname.lastname@example.org
The latest version for Fedora 7 lives here: http://cvs.fedoraproject.org/viewcvs/fedora-security/audit/fc7?root=fedora&view=markup
The latest version for Fedora Core 6 lives here: http://cvs.fedoraproject.org/viewcvs/fedora-security/audit/fc6?root=fedora&view=markup
The latest version for Fedora Core 5 lives here: http://cvs.fedoraproject.org/viewcvs/fedora-security/audit/fc5?root=fedora&view=markup
The latest version for Fedora Core 4 lives here: http://cvs.fedoraproject.org/viewcvs/fedora-security/audit/fc4?root=fedora&view=markup