Quote:
    Originally Posted by br0ken
    Is there a way to see if a certain Linux distro release has fixed certain OSVDB IDs?

There are at least two obstacles along the road. First of all, it's mostly CVE assignments that are used. This dumb shell function* will try to see if the OSVDB entry has a CAN-CVE and print the RH URI.

Code:
    # Dump the OSVDB entry page as text, find the line referencing the MITRE
    # CVE name lookup, and print the matching Red Hat Bugzilla URI.
    OSVDB2RHCVE() {
        links -dump http://osvdb.org/"$1" \
        | awk -F'=' '/cve\.mitre\.org\/cgi-bin\/cvename\.cgi/ {print "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-"$2}'
    }

(Alternatively you could automate grepping the OSVDB ID from the http://cve.mitre.org/data/refs/refmap/source-OSVDB.html map and grep the resultant CVE from http://cve.mitre.org/data/refs/refmap/source-REDHAT.html.)

Second hurdle: finding out who fixed what. Running 'rpm -q --changelog package|grep CVE' might yield results, but I do not know if this is standardized in the RH packaging guidelines enough for it to be dependable. Searching RHSA for the CVE might yield some results, but what if it is not mentioned?

Executing the shell function as "OSVDB2RHCVE 46085" will yield https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-2364, which shows the bug was fixed upstream, patched in F8 / F9, and no asynchronous RHSA will be issued. It is complete (vulnerability description, RH response, listing actions) and it provides alternatives (RPM-ize the tarball or rebuild the F9 .src.rpm).

* Connect the dots. I don't have enough mana according to this forum's settings.
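The offline variant of the two-step lookup sketched above (OSVDB ID to CVE via the MITRE refmap, CVE to RHSA via the Red Hat refmap, then a check of an rpm changelog for the CVE), as an added example that is not code from the post. The refmap row layout, the RHSA numbers and the changelog text are constructed samples; OSVDB 46085 and CVE-2008-2364 come from the post.

```python
import re

# Constructed sample rows in an assumed refmap layout: one <tr> per reference,
# the source id in the first cell and the CVE ids it maps to in later cells.
OSVDB_REFMAP = """
<tr><td><a href="http://osvdb.org/46085">OSVDB:46085</a></td>
<td><a href="/cgi-bin/cvename.cgi?name=CVE-2008-2364">CVE-2008-2364</a></td></tr>
<tr><td>OSVDB:12345</td><td>CVE-0000-0001</td><td>CVE-0000-0002</td></tr>
"""
# Constructed placeholder advisory numbers, not real RHSA ids.
REDHAT_REFMAP = """
<tr><td>REDHAT:RHSA-0000:0001</td><td>CVE-2008-2364</td><td>CVE-0000-0002</td></tr>
<tr><td>REDHAT:RHSA-0000:0002</td><td>CVE-0000-0001</td></tr>
"""
# Constructed 'rpm -q --changelog' output with CVE ids mentioned inline.
CHANGELOG = """* Thu Jun 12 2008 Packager Name <packager@example.com> - 2.2.9-1
- update to 2.2.9
- fix mod_proxy_http denial of service (CVE-2008-2364)
* Mon Jan 01 2007 Packager Name <packager@example.com> - 2.2.3-1
- Resolves: CVE-0000-0002
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
ROW_RE = re.compile(r"<tr>(.*?)</tr>", re.S)


def refmap_index(html, source_prefix):
    """Map each '<source_prefix>:<id>' row to the set of CVE ids on that row."""
    index = {}
    for row in ROW_RE.findall(html):
        m = re.search(re.escape(source_prefix) + r":([\w:.-]+)", row)
        if m:
            index[m.group(1)] = set(CVE_RE.findall(row))
    return index


def osvdb_to_cves(osvdb_id, osvdb_html=OSVDB_REFMAP):
    return refmap_index(osvdb_html, "OSVDB").get(str(osvdb_id), set())


def cves_to_rhsas(cves, redhat_html=REDHAT_REFMAP):
    # Any advisory whose CVE list intersects ours is a candidate fix.
    return sorted(rhsa for rhsa, fixed in refmap_index(redhat_html, "REDHAT").items()
                  if fixed & set(cves))


def changelog_mentions(changelog, cves):
    # Changelog mentions are a hint only; the post notes they are not standardized.
    return sorted(set(CVE_RE.findall(changelog)) & set(cves))


def check(osvdb_id, changelog=CHANGELOG):
    cves = osvdb_to_cves(osvdb_id)
    return {"cves": sorted(cves), "rhsas": cves_to_rhsas(cves),
            "changelog": changelog_mentions(changelog, cves)}
```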