At last - meat! Thank you, Guest, for raising the level of the discussion. Reading vague worries about security (especially the assumption that security level=x number of patches per month) is getting pretty old.
Folks, the babysitters have gone on to the rest of their lives - it's all up to us. Of course every update should be applied, and the latest most secure version used, but who is going to do it? If no one posts it for everyone to use, then we are each going to need to apply the ones we think necessary to our own boxes.
Should contribs ignore these? IMO, no: patches or updated packages (as deemed appropriate) should be part of the next release. In particular, a kernel update will become necessary sooner or later - IMS, the idea was (as Jeff stated in the beginning) to let the Red Hat distro drop "settle out", so the community could choose its course wisely. In the meantime, folks would try to patch or fix critical issues.
My take is: none of the issues listed (that I can find) are a critical threat to users of 'stock' SME installed and configured as suggested in the manual (the rsync server issue might be of some concern to contribs.org admins). Mostly this is because SME doesn't use the specific functionality mentioned, or because it is so restrictive about what it lets ordinary users do.
But don't take _my_ word for it! (What do I know? I only deliver 4 emails a day.) I've made a list of links to info about each of the suggested issues; each contains links to more spots. Research them for yourself. Check to make sure SME actually uses the item in question. If you feel any are necessary to fix for the core distro, send an email to security@lists.contribs.org. Bring known issues up in the forum (please be specific). Volunteer to help out. And, Thanks! to all who have.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
CVS
e-smith: 1.11.1p1-7es02
Red Hat: 1.11.1p1-9.7
Vulnerability: CAN-2003-0977
Google search on CAN#: http://www.google.com/search?q=CAN+2003-0977&sourceid=mozilla-search&start=0&start=0&ie=utf-8&oe=utf-8
CAN page: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0977
BugTraq Vulnerability page: http://www.securityfocus.com/bid/9178/info/
RedHat Advisory Link: http://www.securityfocus.com/advisories/6282

KERNEL
e-smith: 2.4.20-18.7
Red Hat: 2.4.20-30.7
Vulnerability: CAN-2003-0984 - Local user can be root
CAN-2004-0010 - Idem, local user can scale to root
Google search on CAN#: http://www.google.com/search?q=+CAN-2003-0984&sourceid=mozilla-search&start=0&start=0&ie=utf-8&oe=utf-8
CAN page: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0984
BugTraq Vulnerability page: http://www.securityfocus.com/bid/9154/info/
RedHat Advisory Link: http://www.securityfocus.com/advisories/6195

OPENSSL
e-smith: 0.9.6b-35.7
Red Hat: 0.9.6b-36.7
Vulnerability: CAN-2004-0081 - Denial of Service
Google search on CAN#: http://www.google.com/search?q=CAN-2004-0081&sourceid=mozilla-search&start=0&start=0&ie=utf-8&oe=utf-8
CAN page: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0081
BugTraq Vulnerability page: http://www.securityfocus.com/bid/9899/info/
RedHat Advisory Link: http://www.securityfocus.com/advisories/6459

MC
e-smith: 4.5.55-5
Red Hat: 4.5.55-6
Vulnerability: CAN-2003-1023 - Execution of remote code
Google search on CAN#: http://www.google.com/search?q=CAN-2003-1023&sourceid=mozilla-search&start=0&start=0&ie=utf-8&oe=utf-8
CAN page: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-1023
BugTraq Vulnerability page: http://www.securityfocus.com/bid/8658/info/
RedHat Advisory Link: http://www.securityfocus.com/advisories/6259

APACHE
e-smith: 1.3.27-2
Red Hat: 1.3.27-4
Vulnerability: CAN-2003-0542 - Exploitable buffer overflow
Google search on CAN#: http://www.google.com/search?q=CAN-2003-0542&sourceid=mozilla-search&start=0&start=0&ie=utf-8&oe=utf-8
CAN page: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0542
BugTraq Vulnerability page: http://www.securityfocus.com/bid/8911/info/
RedHat Advisory Link: http://www.securityfocus.com/advisories/6174

RSYNC
e-smith: 2.5.4
Red Hat: 2.5.7-0.7
Vulnerability: CAN-2003-0962 - Heap overflow
Google search on CAN#: http://www.google.com/search?q=CAN-2003-0962&sourceid=mozilla-search&start=0&start=0&ie=utf-8&oe=utf-8
CAN page: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0962
BugTraq Vulnerability page: http://www.securityfocus.com/bid/9153/info/
RedHat Advisory Link: http://www.securityfocus.com/advisories/6145

MYSQL
e-smith: 3.23.56
Red Hat: 3.23.58-1.73
Vulnerability: CAN-2003-10-09 - Buffer overflow
I can't seem to find this one. Here's a list of all CVE entries on MySQL:
http://www.cve.mitre.org/cgi-bin/cvekey.cgi?keyword=mysql
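As a worked version of the "check what your box actually has against what Red Hat fixed" step, here is an added Python example (mine, not the poster's or SME's code) that compares version-release strings the way rpm's rpmvercmp does and reports which of the packages listed above are still below the fixed Red Hat release. The `rpm -q` output is a constructed sample built from the e-smith versions quoted in the post; epoch, tilde and caret handling are left out.

```python
import re
# Fixed Red Hat 7.x "version-release" strings quoted in the post.
FIXED_IN = {"cvs": "1.11.1p1-9.7", "kernel": "2.4.20-30.7",
            "openssl": "0.9.6b-36.7", "mc": "4.5.55-6", "apache": "1.3.27-4",
            "rsync": "2.5.7-0.7", "mysql": "3.23.58-1.73"}
# Constructed sample standing in for `rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' ...`
# on a box carrying the e-smith versions listed in the post.
SAMPLE_RPM_Q = """\
cvs 1.11.1p1-7es02
kernel 2.4.20-18.7
openssl 0.9.6b-35.7
mc 4.5.55-5
apache 1.3.27-2
rsync 2.5.4
mysql 3.23.56
"""
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")
def rpmvercmp(a, b):
    # rpm's algorithm (no epoch/tilde/caret): split into numeric and alphabetic
    # segments; numerics compare as integers, alphas lexically, numeric > alpha.
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    # Shared segments all equal: whichever has segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def split_vr(s):
    # "2.4.20-18.7" -> ("2.4.20", "18.7"); a bare version gets an empty release.
    v, sep, r = s.rpartition("-")
    return (v, r) if sep else (s, "")

def is_older(installed, fixed):
    (iv, ir), (fv, fr) = split_vr(installed), split_vr(fixed)
    c = rpmvercmp(iv, fv)
    return c < 0 or (c == 0 and rpmvercmp(ir, fr) < 0)

def unpatched(rpm_q_output, fixed_in=FIXED_IN):
    # [(package, installed, fixed)] for each listed package still below the fix.
    hits = []
    for line in rpm_q_output.splitlines():
        name, ver = line.split()
        if name in fixed_in and is_older(ver, fixed_in[name]):
            hits.append((name, ver, fixed_in[name]))
    return hits
```

Run against the sample, every one of the seven packages comes back as below the fixed release; feed it real `rpm -q` output and only the packages that still need attention remain.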