From bugzilla at redhat.com Tue Aug 3 21:51:00 2004
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 3 Aug 2004 17:51 -0400
Subject: [RHSA-2004:418-01] Updated kernel packages fix security issues
Message-ID: <200408032151.i73Lp5F18895@lacrosse.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Updated kernel packages fix security issues
Advisory ID:       RHSA-2004:418-01
Issue date:        2004-08-03
Updated on:        2004-08-03
Product:           Red Hat Enterprise Linux
Obsoletes:         RHSA-2004:354
CVE Names:         CAN-2004-0415 CAN-2004-0535 CAN-2004-0587
- ---------------------------------------------------------------------

1. Summary:

Updated kernel packages that fix potential information leaks and an
incorrect driver permission for Red Hat Enterprise Linux 2.1 are now
available.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - athlon, i386, i686
Red Hat Enterprise Linux ES version 2.1 - athlon, i386, i686
Red Hat Enterprise Linux WS version 2.1 - athlon, i386, i686

3. Problem description:

The Linux kernel handles the basic functions of the operating system.

Paul Starzetz discovered flaws in the Linux kernel when handling file
offset pointers. These consist of invalid conversions of 64 to 32-bit
file offset pointers and possible race conditions. A local unprivileged
user could make use of these flaws to access large portions of kernel
memory. The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2004-0415 to this issue.

These packages contain a patch written by Al Viro to correct these flaws.
Red Hat would like to thank iSEC Security Research for disclosing this
issue and a number of vendor-sec participants for reviewing and working
on the patch to this issue.

In addition, these packages correct two minor issues:

A bug in the e1000 network driver. This bug could be used by local users
to leak small amounts of kernel memory (CAN-2004-0535).

Inappropriate permissions on /proc/scsi/qla2300/HbaApiNode
(CAN-2004-0587).

All Red Hat Enterprise Linux 2.1 users are advised to upgrade their
kernels to these erratum packages which contain backported patches to
correct these issues.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

Use Red Hat Network to download and update your packages. To launch the
Red Hat Update Agent, use the following command:

up2date

For information on how to install packages manually, refer to the
following Web page for the System Administration or Customization guide
specific to your system:

http://www.redhat.com/docs/manuals/enterprise/

5. Bug IDs fixed (http://bugzilla.redhat.com/ for more info):

125170 - CAN-2004-0535 e100e1000 kernel memory leak (x86)
126400 - CAN-2004-0587 Bad permissions on qla* drivers

6. RPMs required:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/kernel-2.4.9-e.48.src.rpm
4d90231c550b10a94c3e612fc86bfac4 kernel-2.4.9-e.48.src.rpm

athlon:
32482bbacba7aed44aea420da0ef1418 kernel-2.4.9-e.48.athlon.rpm
675a499b8c0225f35660ef9f0a72ec3d kernel-smp-2.4.9-e.48.athlon.rpm

i386:
e1b4abb4e387ef87f2ba6428783973f5 kernel-BOOT-2.4.9-e.48.i386.rpm
8c7745b52ed0732e3347a1beb3365cce kernel-doc-2.4.9-e.48.i386.rpm
1b3c3dab9a7a935c731fd38401ec2a2f kernel-headers-2.4.9-e.48.i386.rpm
34961632e9384621acd93e6a66d3731a kernel-source-2.4.9-e.48.i386.rpm

i686:
a3e6271399611b981291df8bcd992717 kernel-2.4.9-e.48.i686.rpm
3383e7a871f2ca6bf291efc571c9f159 kernel-debug-2.4.9-e.48.i686.rpm
5d08fb530d37c1e4bec8222fc6e8430b kernel-enterprise-2.4.9-e.48.i686.rpm
71a58c709571f8ae8d313cf89d800c03 kernel-smp-2.4.9-e.48.i686.rpm
aa870614772046934a1872fc89908a4b kernel-summit-2.4.9-e.48.i686.rpm

Red Hat Enterprise Linux ES version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/kernel-2.4.9-e.48.src.rpm
4d90231c550b10a94c3e612fc86bfac4 kernel-2.4.9-e.48.src.rpm

athlon:
32482bbacba7aed44aea420da0ef1418 kernel-2.4.9-e.48.athlon.rpm
675a499b8c0225f35660ef9f0a72ec3d kernel-smp-2.4.9-e.48.athlon.rpm

i386:
e1b4abb4e387ef87f2ba6428783973f5 kernel-BOOT-2.4.9-e.48.i386.rpm
8c7745b52ed0732e3347a1beb3365cce kernel-doc-2.4.9-e.48.i386.rpm
1b3c3dab9a7a935c731fd38401ec2a2f kernel-headers-2.4.9-e.48.i386.rpm
34961632e9384621acd93e6a66d3731a kernel-source-2.4.9-e.48.i386.rpm

i686:
a3e6271399611b981291df8bcd992717 kernel-2.4.9-e.48.i686.rpm
3383e7a871f2ca6bf291efc571c9f159 kernel-debug-2.4.9-e.48.i686.rpm
71a58c709571f8ae8d313cf89d800c03 kernel-smp-2.4.9-e.48.i686.rpm

Red Hat Enterprise Linux WS version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/kernel-2.4.9-e.48.src.rpm
4d90231c550b10a94c3e612fc86bfac4 kernel-2.4.9-e.48.src.rpm

athlon:
32482bbacba7aed44aea420da0ef1418 kernel-2.4.9-e.48.athlon.rpm
675a499b8c0225f35660ef9f0a72ec3d kernel-smp-2.4.9-e.48.athlon.rpm

i386:
e1b4abb4e387ef87f2ba6428783973f5 kernel-BOOT-2.4.9-e.48.i386.rpm
8c7745b52ed0732e3347a1beb3365cce kernel-doc-2.4.9-e.48.i386.rpm
1b3c3dab9a7a935c731fd38401ec2a2f kernel-headers-2.4.9-e.48.i386.rpm
34961632e9384621acd93e6a66d3731a kernel-source-2.4.9-e.48.i386.rpm

i686:
a3e6271399611b981291df8bcd992717 kernel-2.4.9-e.48.i686.rpm
3383e7a871f2ca6bf291efc571c9f159 kernel-debug-2.4.9-e.48.i686.rpm
5d08fb530d37c1e4bec8222fc6e8430b kernel-enterprise-2.4.9-e.48.i686.rpm
71a58c709571f8ae8d313cf89d800c03 kernel-smp-2.4.9-e.48.i686.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key.html#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0415
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0535
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0587

8. Contact:

The Red Hat security contact is . More contact details at
https://www.redhat.com/security/team/contact.html

Copyright 2004 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBEAizXlSAg2UNWIIRAlyjAKCeXPS5K2ZegECyN21VgVDoqhz4bwCgsWL0
wOToQ66JFcgSHgUN25e/T70=
=td70
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Tue Aug 3 22:41:00 2004
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 3 Aug 2004 18:41 -0400
Subject: [RHSA-2004:413-01] Updated kernel packages fix security vulnerabilities
Message-ID: <200408032241.i73Mf8F22114@lacrosse.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Updated kernel packages fix security vulnerabilities
Advisory ID:       RHSA-2004:413-01
Issue date:        2004-08-03
Updated on:        2004-08-03
Product:           Red Hat Enterprise Linux
Keywords:          taroon kernel security errata
Obsoletes:         RHSA-2004:360
CVE Names:         CAN-2004-0178 CAN-2004-0415 CAN-2004-0447 CAN-2004-0535
                   CAN-2004-0587
- ---------------------------------------------------------------------

1. Summary:

Updated kernel packages that fix several security issues in Red Hat
Enterprise Linux 3 are now available.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 3 - athlon, i386, i686, ia32e, ia64, ppc64, ppc64iseries, ppc64pseries, s390, s390x, x86_64
Red Hat Enterprise Linux ES version 3 - athlon, i386, i686, ia32e, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - athlon, i386, i686, ia32e, ia64, x86_64

3. Problem description:

The Linux kernel handles the basic functions of the operating system.

Paul Starzetz discovered flaws in the Linux kernel when handling file
offset pointers. These consist of invalid conversions of 64 to 32-bit
file offset pointers and possible race conditions. A local unprivileged
user could make use of these flaws to access large portions of kernel
memory.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-0415 to this issue.

These packages contain a patch written by Al Viro to correct these flaws.
Red Hat would like to thank iSEC Security Research for disclosing this
issue and a number of vendor-sec participants for reviewing and working
on the patch to this issue.

In addition, these packages correct a number of minor security issues:

A bug in the e1000 network driver. This bug could be used by local users
to leak small amounts of kernel memory (CAN-2004-0535).

A bug in the SoundBlaster 16 code which does not properly handle certain
sample sizes. This flaw could be used by local users to crash a system
(CAN-2004-0178).

A possible NULL-pointer dereference in the Linux kernel prior to 2.4.26
on the Itanium platform could allow a local user to crash a system
(CAN-2004-0447).

Inappropriate permissions on /proc/scsi/qla2300/HbaApiNode
(CAN-2004-0587).

All Red Hat Enterprise Linux 3 users are advised to upgrade their kernels
to the packages associated with their machine architectures and
configurations as listed in this erratum.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

Use Red Hat Network to download and update your packages. To launch the
Red Hat Update Agent, use the following command:

up2date

For information on how to install packages manually, refer to the
following Web page for the System Administration or Customization guide
specific to your system:

http://www.redhat.com/docs/manuals/enterprise/

5. Bug IDs fixed (http://bugzilla.redhat.com/ for more info):

120527 - CAN-2004-0447 [PATCH] IPF kernel crashes under gdb
121045 - CAN-2004-0178 Soundblaster 16 local DoS
125168 - CAN-2004-0535 e1000 kernel memory information leak
126396 - CAN-2004-0587 Bad permissions on qla* drivers

6. RPMs required:

Red Hat Enterprise Linux AS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/kernel-2.4.21-15.0.4.EL.src.rpm
9f04fbd5d2b5182bfe7fa0242b4fd0a3 kernel-2.4.21-15.0.4.EL.src.rpm

athlon:
25e7d097ccf85396dfdc53c6b03d83ea kernel-2.4.21-15.0.4.EL.athlon.rpm
d619cffe546f2f41e9259ac437f07d44 kernel-smp-2.4.21-15.0.4.EL.athlon.rpm
06ef0da24796cc19d9c492e8ab638a29 kernel-smp-unsupported-2.4.21-15.0.4.EL.athlon.rpm
388a7af25fbefd195f9ab59922cca912 kernel-unsupported-2.4.21-15.0.4.EL.athlon.rpm

i386:
6741173959e3e0686c080f2313ec7d5d kernel-BOOT-2.4.21-15.0.4.EL.i386.rpm
938fabc770ac041b44d4c99bfa90709a kernel-doc-2.4.21-15.0.4.EL.i386.rpm
d106990663a3d5ad735a47a86830940c kernel-source-2.4.21-15.0.4.EL.i386.rpm

i686:
2269c8e5bab350ac6e5f7252430dfd0f kernel-2.4.21-15.0.4.EL.i686.rpm
fa6a5940751cbbb60236c88f58e8cc31 kernel-hugemem-2.4.21-15.0.4.EL.i686.rpm
40f3c5f256246fda87d9ddd3cb6791a5 kernel-hugemem-unsupported-2.4.21-15.0.4.EL.i686.rpm
3d106ae97cca1fcba8a3de8a5866b88b kernel-smp-2.4.21-15.0.4.EL.i686.rpm
8590ac5bbca153e1948f48f101bddcb6 kernel-smp-unsupported-2.4.21-15.0.4.EL.i686.rpm
04197afa144f4c7874b01c50fc027d5d kernel-unsupported-2.4.21-15.0.4.EL.i686.rpm

ia32e:
80869adc4ed80a1c035ddaef69e2aa10 kernel-2.4.21-15.0.4.EL.ia32e.rpm
5dd0f98110e54e64ebfb934a2bb9629f kernel-unsupported-2.4.21-15.0.4.EL.ia32e.rpm

ia64:
d9d9873b1a03437ce9a660d5498e6acc kernel-2.4.21-15.0.4.EL.ia64.rpm
87c9d3baf789371a88c2078f1bf9cd2a kernel-doc-2.4.21-15.0.4.EL.ia64.rpm
d1280df50b401a4ab1fe3630fef1a4b0 kernel-source-2.4.21-15.0.4.EL.ia64.rpm
d07a66ca6e06045842c863be96729733 kernel-unsupported-2.4.21-15.0.4.EL.ia64.rpm

ppc64:
21628655b2e3bd052b9393e8eac6ebd1 kernel-doc-2.4.21-15.0.4.EL.ppc64.rpm
86f1ad447a3023b3a6614c750271d155 kernel-source-2.4.21-15.0.4.EL.ppc64.rpm

ppc64iseries:
1c929592946473d5fe73c71354846313 kernel-2.4.21-15.0.4.EL.ppc64iseries.rpm
f8d2585dbf7adea54df19fdfd63a2eb7 kernel-unsupported-2.4.21-15.0.4.EL.ppc64iseries.rpm

ppc64pseries:
01d9b20c6c4c45276195104bc6984224 kernel-2.4.21-15.0.4.EL.ppc64pseries.rpm
48bef493baacda16294ba973404d6587 kernel-unsupported-2.4.21-15.0.4.EL.ppc64pseries.rpm

s390:
4ba1d35ff61699b9f3757941eef9623d kernel-2.4.21-15.0.4.EL.s390.rpm
9cb546f7b760a62baf3e198ed7591a1a kernel-doc-2.4.21-15.0.4.EL.s390.rpm
d88eac17c9376f415351eb103a429ca0 kernel-source-2.4.21-15.0.4.EL.s390.rpm
757875de32469823e2578a088c655925 kernel-unsupported-2.4.21-15.0.4.EL.s390.rpm

s390x:
125b33d2f4d7558bfda6397540e7976b kernel-2.4.21-15.0.4.EL.s390x.rpm
e02ad38774bd83672d0f8bdeadb6f0f8 kernel-doc-2.4.21-15.0.4.EL.s390x.rpm
25bea5095bcac052ae3897c026f218bd kernel-source-2.4.21-15.0.4.EL.s390x.rpm
f756be2685a447f6f19458c1aa75e2be kernel-unsupported-2.4.21-15.0.4.EL.s390x.rpm

x86_64:
499203e60c5c0294fd2a41bbd9306b03 kernel-2.4.21-15.0.4.EL.x86_64.rpm
007a0353e8c76dd40424909844f6705e kernel-doc-2.4.21-15.0.4.EL.x86_64.rpm
33ade25b9b682f514f9523ec977a2c09 kernel-smp-2.4.21-15.0.4.EL.x86_64.rpm
3171661c4c24e3dcbf8970c8094e5851 kernel-smp-unsupported-2.4.21-15.0.4.EL.x86_64.rpm
f33e51c95e59d8379d5dc4817ee13ce7 kernel-source-2.4.21-15.0.4.EL.x86_64.rpm
eea5cbda95fb75f0f9c40e6cd3260efe kernel-unsupported-2.4.21-15.0.4.EL.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/kernel-2.4.21-15.0.4.EL.src.rpm
9f04fbd5d2b5182bfe7fa0242b4fd0a3 kernel-2.4.21-15.0.4.EL.src.rpm

athlon:
25e7d097ccf85396dfdc53c6b03d83ea kernel-2.4.21-15.0.4.EL.athlon.rpm
d619cffe546f2f41e9259ac437f07d44 kernel-smp-2.4.21-15.0.4.EL.athlon.rpm
06ef0da24796cc19d9c492e8ab638a29 kernel-smp-unsupported-2.4.21-15.0.4.EL.athlon.rpm
388a7af25fbefd195f9ab59922cca912 kernel-unsupported-2.4.21-15.0.4.EL.athlon.rpm

i386:
6741173959e3e0686c080f2313ec7d5d kernel-BOOT-2.4.21-15.0.4.EL.i386.rpm
938fabc770ac041b44d4c99bfa90709a kernel-doc-2.4.21-15.0.4.EL.i386.rpm
d106990663a3d5ad735a47a86830940c kernel-source-2.4.21-15.0.4.EL.i386.rpm

i686:
2269c8e5bab350ac6e5f7252430dfd0f kernel-2.4.21-15.0.4.EL.i686.rpm
fa6a5940751cbbb60236c88f58e8cc31 kernel-hugemem-2.4.21-15.0.4.EL.i686.rpm
40f3c5f256246fda87d9ddd3cb6791a5 kernel-hugemem-unsupported-2.4.21-15.0.4.EL.i686.rpm
3d106ae97cca1fcba8a3de8a5866b88b kernel-smp-2.4.21-15.0.4.EL.i686.rpm
8590ac5bbca153e1948f48f101bddcb6 kernel-smp-unsupported-2.4.21-15.0.4.EL.i686.rpm
04197afa144f4c7874b01c50fc027d5d kernel-unsupported-2.4.21-15.0.4.EL.i686.rpm

ia32e:
80869adc4ed80a1c035ddaef69e2aa10 kernel-2.4.21-15.0.4.EL.ia32e.rpm
5dd0f98110e54e64ebfb934a2bb9629f kernel-unsupported-2.4.21-15.0.4.EL.ia32e.rpm

ia64:
d9d9873b1a03437ce9a660d5498e6acc kernel-2.4.21-15.0.4.EL.ia64.rpm
87c9d3baf789371a88c2078f1bf9cd2a kernel-doc-2.4.21-15.0.4.EL.ia64.rpm
d1280df50b401a4ab1fe3630fef1a4b0 kernel-source-2.4.21-15.0.4.EL.ia64.rpm
d07a66ca6e06045842c863be96729733 kernel-unsupported-2.4.21-15.0.4.EL.ia64.rpm

x86_64:
499203e60c5c0294fd2a41bbd9306b03 kernel-2.4.21-15.0.4.EL.x86_64.rpm
007a0353e8c76dd40424909844f6705e kernel-doc-2.4.21-15.0.4.EL.x86_64.rpm
33ade25b9b682f514f9523ec977a2c09 kernel-smp-2.4.21-15.0.4.EL.x86_64.rpm
3171661c4c24e3dcbf8970c8094e5851 kernel-smp-unsupported-2.4.21-15.0.4.EL.x86_64.rpm
f33e51c95e59d8379d5dc4817ee13ce7 kernel-source-2.4.21-15.0.4.EL.x86_64.rpm
eea5cbda95fb75f0f9c40e6cd3260efe kernel-unsupported-2.4.21-15.0.4.EL.x86_64.rpm

Red Hat Enterprise Linux WS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/kernel-2.4.21-15.0.4.EL.src.rpm
9f04fbd5d2b5182bfe7fa0242b4fd0a3 kernel-2.4.21-15.0.4.EL.src.rpm

athlon:
25e7d097ccf85396dfdc53c6b03d83ea kernel-2.4.21-15.0.4.EL.athlon.rpm
d619cffe546f2f41e9259ac437f07d44 kernel-smp-2.4.21-15.0.4.EL.athlon.rpm
06ef0da24796cc19d9c492e8ab638a29 kernel-smp-unsupported-2.4.21-15.0.4.EL.athlon.rpm
388a7af25fbefd195f9ab59922cca912 kernel-unsupported-2.4.21-15.0.4.EL.athlon.rpm

i386:
6741173959e3e0686c080f2313ec7d5d kernel-BOOT-2.4.21-15.0.4.EL.i386.rpm
938fabc770ac041b44d4c99bfa90709a kernel-doc-2.4.21-15.0.4.EL.i386.rpm
d106990663a3d5ad735a47a86830940c kernel-source-2.4.21-15.0.4.EL.i386.rpm

i686:
2269c8e5bab350ac6e5f7252430dfd0f kernel-2.4.21-15.0.4.EL.i686.rpm
fa6a5940751cbbb60236c88f58e8cc31 kernel-hugemem-2.4.21-15.0.4.EL.i686.rpm
40f3c5f256246fda87d9ddd3cb6791a5 kernel-hugemem-unsupported-2.4.21-15.0.4.EL.i686.rpm
3d106ae97cca1fcba8a3de8a5866b88b kernel-smp-2.4.21-15.0.4.EL.i686.rpm
8590ac5bbca153e1948f48f101bddcb6 kernel-smp-unsupported-2.4.21-15.0.4.EL.i686.rpm
04197afa144f4c7874b01c50fc027d5d kernel-unsupported-2.4.21-15.0.4.EL.i686.rpm

ia32e:
80869adc4ed80a1c035ddaef69e2aa10 kernel-2.4.21-15.0.4.EL.ia32e.rpm
5dd0f98110e54e64ebfb934a2bb9629f kernel-unsupported-2.4.21-15.0.4.EL.ia32e.rpm

ia64:
d9d9873b1a03437ce9a660d5498e6acc kernel-2.4.21-15.0.4.EL.ia64.rpm
87c9d3baf789371a88c2078f1bf9cd2a kernel-doc-2.4.21-15.0.4.EL.ia64.rpm
d1280df50b401a4ab1fe3630fef1a4b0 kernel-source-2.4.21-15.0.4.EL.ia64.rpm
d07a66ca6e06045842c863be96729733 kernel-unsupported-2.4.21-15.0.4.EL.ia64.rpm

x86_64:
499203e60c5c0294fd2a41bbd9306b03 kernel-2.4.21-15.0.4.EL.x86_64.rpm
007a0353e8c76dd40424909844f6705e kernel-doc-2.4.21-15.0.4.EL.x86_64.rpm
33ade25b9b682f514f9523ec977a2c09 kernel-smp-2.4.21-15.0.4.EL.x86_64.rpm
3171661c4c24e3dcbf8970c8094e5851 kernel-smp-unsupported-2.4.21-15.0.4.EL.x86_64.rpm
f33e51c95e59d8379d5dc4817ee13ce7 kernel-source-2.4.21-15.0.4.EL.x86_64.rpm
eea5cbda95fb75f0f9c40e6cd3260efe kernel-unsupported-2.4.21-15.0.4.EL.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key.html#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0178
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0415
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0447
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0535
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0587

8. Contact:

The Red Hat security contact is .
More contact details at
https://www.redhat.com/security/team/contact.html

Copyright 2004 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBEBR0XlSAg2UNWIIRAi4TAKC92sg9D0p887sezLysDDPOwwzKFACgjMMu
7cdO/0ay3eojc35QMGHGMaM=
=9p29
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Aug 4 13:47:00 2004
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 4 Aug 2004 09:47 -0400
Subject: [RHSA-2004:402-01] Updated libpng packages fix security issues
Message-ID: <200408041347.i74DlLF14869@lacrosse.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Updated libpng packages fix security issues
Advisory ID:       RHSA-2004:402-01
Issue date:        2004-08-04
Updated on:        2004-08-04
Product:           Red Hat Enterprise Linux
Obsoletes:         RHSA-2004:249
CVE Names:         CAN-2002-1363 CAN-2004-0597 CAN-2004-0598 CAN-2004-0599
- ---------------------------------------------------------------------

1. Summary:

Updated libpng packages that fix several issues are now available.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64
Red Hat Linux Advanced Workstation 2.1 - ia64
Red Hat Enterprise Linux ES version 2.1 - i386
Red Hat Enterprise Linux WS version 2.1 - i386
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, ppc64, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64

3. Problem description:

The libpng package contains a library of functions for creating and
manipulating PNG (Portable Network Graphics) image format files.

During a source code audit, Chris Evans discovered several buffer
overflows in libpng. An attacker could create a carefully crafted PNG
file in such a way that it would cause an application linked with libpng
to execute arbitrary code when the file was opened by a victim. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-0597 to these issues.

In addition, this audit discovered a potential NULL pointer dereference
in libpng (CAN-2004-0598) and several integer overflow issues
(CAN-2004-0599). An attacker could create a carefully crafted PNG file
in such a way that it would cause an application linked with libpng to
crash when the file was opened by the victim.

Red Hat would like to thank Chris Evans for discovering these issues.

For users of Red Hat Enterprise Linux 2.1 these patches also include a
more complete fix for the out of bounds memory access flaw
(CAN-2002-1363).

All users are advised to update to the updated libpng packages which
contain backported security patches and are not vulnerable to these
issues.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

Use Red Hat Network to download and update your packages. To launch the
Red Hat Update Agent, use the following command:

up2date

For information on how to install packages manually, refer to the
following Web page for the System Administration or Customization guide
specific to your system:

http://www.redhat.com/docs/manuals/enterprise/

5. RPMs required:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/libpng-1.0.14-7.src.rpm
69bba6610f415bd0f21f815db1effbf2 libpng-1.0.14-7.src.rpm

i386:
c660a4e7c583306a46a0134ab104f346 libpng-1.0.14-7.i386.rpm
7b2588d5cc492eb84a1c73729303ca4e libpng-devel-1.0.14-7.i386.rpm

ia64:
86e364114c5dedb33c5252b9a3fe6211 libpng-1.0.14-7.ia64.rpm
5201c1e26319d34fb8efa09256007152 libpng-devel-1.0.14-7.ia64.rpm

Red Hat Linux Advanced Workstation 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1AW/en/os/SRPMS/libpng-1.0.14-7.src.rpm
69bba6610f415bd0f21f815db1effbf2 libpng-1.0.14-7.src.rpm

ia64:
86e364114c5dedb33c5252b9a3fe6211 libpng-1.0.14-7.ia64.rpm
5201c1e26319d34fb8efa09256007152 libpng-devel-1.0.14-7.ia64.rpm

Red Hat Enterprise Linux ES version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/libpng-1.0.14-7.src.rpm
69bba6610f415bd0f21f815db1effbf2 libpng-1.0.14-7.src.rpm

i386:
c660a4e7c583306a46a0134ab104f346 libpng-1.0.14-7.i386.rpm
7b2588d5cc492eb84a1c73729303ca4e libpng-devel-1.0.14-7.i386.rpm

Red Hat Enterprise Linux WS version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/libpng-1.0.14-7.src.rpm
69bba6610f415bd0f21f815db1effbf2 libpng-1.0.14-7.src.rpm

i386:
c660a4e7c583306a46a0134ab104f346 libpng-1.0.14-7.i386.rpm
7b2588d5cc492eb84a1c73729303ca4e libpng-devel-1.0.14-7.i386.rpm

Red Hat Enterprise Linux AS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/libpng-1.2.2-25.src.rpm
1555047a805d476f63b705865ec6b1a1 libpng-1.2.2-25.src.rpm
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/libpng10-1.0.13-15.src.rpm
1a1c918f5d8054158036ff82bd6c8bc2 libpng10-1.0.13-15.src.rpm

i386:
63095ed0286c8978349ae94621887651 libpng-1.2.2-25.i386.rpm
a79e3d8aac72561af368e5655c9dcb13 libpng-devel-1.2.2-25.i386.rpm
12464295e19c16d1474d1132bc90216e libpng10-1.0.13-15.i386.rpm
347af31b8620742e5e6b18de0c300d62 libpng10-devel-1.0.13-15.i386.rpm

ia64:
85c1fa0360af727b4b427aaac90861b7 libpng-1.2.2-25.ia64.rpm
63095ed0286c8978349ae94621887651 libpng-1.2.2-25.i386.rpm
5800ad160885273f270a6b8ecd0b9373 libpng-devel-1.2.2-25.ia64.rpm
811109452021a7f0bc9d25437caeab97 libpng10-1.0.13-15.ia64.rpm
ba359cdb3db036a5b5b45c1a01b21791 libpng10-devel-1.0.13-15.ia64.rpm

ppc:
cbf5617d15939c413b520fcbe0594485 libpng-1.2.2-25.ppc.rpm
ddd78dd4e3439cb6cb28e5215e029a81 libpng-devel-1.2.2-25.ppc.rpm
b0810e3f95590836652144165cd7e0cc libpng10-1.0.13-15.ppc.rpm
d073fbeeef6874e0ae2238c6ef44ed6e libpng10-devel-1.0.13-15.ppc.rpm

ppc64:
5c7387ae952fcc1d4637e2655c9370a3 libpng-1.2.2-25.ppc64.rpm

s390:
0f621fbc3de1d8e4c4490e2baf2f30ef libpng-1.2.2-25.s390.rpm
aec3463a236eac2d6d6576120f92eb55 libpng-devel-1.2.2-25.s390.rpm
b4c3c6ee6d699fd51baf9f06f9275443 libpng10-1.0.13-15.s390.rpm
afb0ebe6e191e7f71929d30788a11708 libpng10-devel-1.0.13-15.s390.rpm

s390x:
f218fb58aee3535f3f0280c6c6a78dfa libpng-1.2.2-25.s390x.rpm
0f621fbc3de1d8e4c4490e2baf2f30ef libpng-1.2.2-25.s390.rpm
50d5ecfe73aa1f3a7ef0c41fb8fb79c6 libpng-devel-1.2.2-25.s390x.rpm
4b2733ffcb3d84295dcfecc36e69faaa libpng10-1.0.13-15.s390x.rpm
edf03becdf0b2a6044c85896a005e1c3 libpng10-devel-1.0.13-15.s390x.rpm

x86_64:
80265ad8a377cf67f2906994e7b763af libpng-1.2.2-25.x86_64.rpm
63095ed0286c8978349ae94621887651 libpng-1.2.2-25.i386.rpm
188fec715d9a2129f28c775ad3917f7a libpng-devel-1.2.2-25.x86_64.rpm
006b451f489d3ec09ad39d23099ea0fb libpng10-1.0.13-15.x86_64.rpm
e9a385e6c6c14d7575d84f045b01c054 libpng10-devel-1.0.13-15.x86_64.rpm

Red Hat Desktop version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/libpng-1.2.2-25.src.rpm
1555047a805d476f63b705865ec6b1a1 libpng-1.2.2-25.src.rpm
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/libpng10-1.0.13-15.src.rpm
1a1c918f5d8054158036ff82bd6c8bc2 libpng10-1.0.13-15.src.rpm

i386:
63095ed0286c8978349ae94621887651 libpng-1.2.2-25.i386.rpm
a79e3d8aac72561af368e5655c9dcb13 libpng-devel-1.2.2-25.i386.rpm
12464295e19c16d1474d1132bc90216e libpng10-1.0.13-15.i386.rpm
347af31b8620742e5e6b18de0c300d62 libpng10-devel-1.0.13-15.i386.rpm

x86_64:
80265ad8a377cf67f2906994e7b763af libpng-1.2.2-25.x86_64.rpm
63095ed0286c8978349ae94621887651 libpng-1.2.2-25.i386.rpm
188fec715d9a2129f28c775ad3917f7a libpng-devel-1.2.2-25.x86_64.rpm
006b451f489d3ec09ad39d23099ea0fb libpng10-1.0.13-15.x86_64.rpm
e9a385e6c6c14d7575d84f045b01c054 libpng10-devel-1.0.13-15.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/libpng-1.2.2-25.src.rpm
1555047a805d476f63b705865ec6b1a1 libpng-1.2.2-25.src.rpm
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/libpng10-1.0.13-15.src.rpm
1a1c918f5d8054158036ff82bd6c8bc2 libpng10-1.0.13-15.src.rpm

i386:
63095ed0286c8978349ae94621887651 libpng-1.2.2-25.i386.rpm
a79e3d8aac72561af368e5655c9dcb13 libpng-devel-1.2.2-25.i386.rpm
12464295e19c16d1474d1132bc90216e libpng10-1.0.13-15.i386.rpm
347af31b8620742e5e6b18de0c300d62 libpng10-devel-1.0.13-15.i386.rpm

ia64:
85c1fa0360af727b4b427aaac90861b7 libpng-1.2.2-25.ia64.rpm
63095ed0286c8978349ae94621887651 libpng-1.2.2-25.i386.rpm
5800ad160885273f270a6b8ecd0b9373 libpng-devel-1.2.2-25.ia64.rpm
811109452021a7f0bc9d25437caeab97 libpng10-1.0.13-15.ia64.rpm
ba359cdb3db036a5b5b45c1a01b21791 libpng10-devel-1.0.13-15.ia64.rpm

x86_64:
80265ad8a377cf67f2906994e7b763af libpng-1.2.2-25.x86_64.rpm
63095ed0286c8978349ae94621887651 libpng-1.2.2-25.i386.rpm
188fec715d9a2129f28c775ad3917f7a libpng-devel-1.2.2-25.x86_64.rpm
006b451f489d3ec09ad39d23099ea0fb libpng10-1.0.13-15.x86_64.rpm
e9a385e6c6c14d7575d84f045b01c054 libpng10-devel-1.0.13-15.x86_64.rpm

Red Hat Enterprise Linux WS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/libpng-1.2.2-25.src.rpm
1555047a805d476f63b705865ec6b1a1 libpng-1.2.2-25.src.rpm
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/libpng10-1.0.13-15.src.rpm
1a1c918f5d8054158036ff82bd6c8bc2 libpng10-1.0.13-15.src.rpm

i386:
63095ed0286c8978349ae94621887651 libpng-1.2.2-25.i386.rpm
a79e3d8aac72561af368e5655c9dcb13 libpng-devel-1.2.2-25.i386.rpm
12464295e19c16d1474d1132bc90216e libpng10-1.0.13-15.i386.rpm
347af31b8620742e5e6b18de0c300d62 libpng10-devel-1.0.13-15.i386.rpm

ia64:
85c1fa0360af727b4b427aaac90861b7 libpng-1.2.2-25.ia64.rpm
63095ed0286c8978349ae94621887651 libpng-1.2.2-25.i386.rpm
5800ad160885273f270a6b8ecd0b9373 libpng-devel-1.2.2-25.ia64.rpm
811109452021a7f0bc9d25437caeab97 libpng10-1.0.13-15.ia64.rpm
ba359cdb3db036a5b5b45c1a01b21791 libpng10-devel-1.0.13-15.ia64.rpm

x86_64:
80265ad8a377cf67f2906994e7b763af libpng-1.2.2-25.x86_64.rpm
63095ed0286c8978349ae94621887651 libpng-1.2.2-25.i386.rpm
188fec715d9a2129f28c775ad3917f7a libpng-devel-1.2.2-25.x86_64.rpm
006b451f489d3ec09ad39d23099ea0fb libpng10-1.0.13-15.x86_64.rpm
e9a385e6c6c14d7575d84f045b01c054 libpng10-devel-1.0.13-15.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key.html#package

6. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1363
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0597
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0598
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0599

7. Contact:

The Red Hat security contact is . More contact details at
https://www.redhat.com/security/team/contact.html

Copyright 2004 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBEOjnXlSAg2UNWIIRAkaoAKCnVO218uzOGKX5JZOhfoSlXu8p1wCgqY+O
mrwAzaIpPvgcrMQRn35R7g4=
=Y8GO
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Aug 4 13:47:00 2004
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 4 Aug 2004 09:47 -0400
Subject: [RHSA-2004:373-01] GNOME VFS updates address extfs vulnerability
Message-ID: <200408041347.i74DlXF14888@lacrosse.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          GNOME VFS updates address extfs vulnerability
Advisory ID:       RHSA-2004:373-01
Issue date:        2004-08-04
Updated on:        2004-08-04
Product:           Red Hat Enterprise Linux
Keywords:          gnome-vfs gnome-vfs2 extfs
CVE Names:         CAN-2004-0494
- ---------------------------------------------------------------------

1. Summary:

Updated GNOME VFS packages that remove potential extfs-related
vulnerabilities are now available.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64
Red Hat Linux Advanced Workstation 2.1 - ia64
Red Hat Enterprise Linux ES version 2.1 - i386
Red Hat Enterprise Linux WS version 2.1 - i386
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64

3. Problem description:

GNOME VFS is the GNOME virtual file system. It provides a modular
architecture and ships with several modules that implement support for
file systems, HTTP, FTP, and others. The extfs backends make it possible
to implement file systems for GNOME VFS using scripts.

Flaws have been found in several of the GNOME VFS extfs backend scripts.
Red Hat Enterprise Linux ships with vulnerable scripts, but they are not
used by default. An attacker who is able to influence a user to open a
specially-crafted URI using gnome-vfs could perform actions as that
user. The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2004-0494 to this issue.

Users of Red Hat Enterprise Linux should upgrade to these updated
packages, which remove these unused scripts.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

Use Red Hat Network to download and update your packages. To launch the
Red Hat Update Agent, use the following command:

up2date

For information on how to install packages manually, refer to the
following Web page for the System Administration or Customization guide
specific to your system:

http://www.redhat.com/docs/manuals/enterprise/

5. RPMs required:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/gnome-vfs-1.0.1-18.1.src.rpm
a4cf8f82b440789276f366536e852588 gnome-vfs-1.0.1-18.1.src.rpm

i386:
0d23312d359424e46b0fcb713b0eab85 gnome-vfs-1.0.1-18.1.i386.rpm
c7e27477bc25189730309ad69bee1b00 gnome-vfs-devel-1.0.1-18.1.i386.rpm

ia64:
dc0ed88d802874697908d2b02f83a24c gnome-vfs-1.0.1-18.1.ia64.rpm
c9c83b9b1ce79fa7bfdbdf1cdd0c4fb5 gnome-vfs-devel-1.0.1-18.1.ia64.rpm

Red Hat Linux Advanced Workstation 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1AW/en/os/SRPMS/gnome-vfs-1.0.1-18.1.src.rpm
a4cf8f82b440789276f366536e852588 gnome-vfs-1.0.1-18.1.src.rpm

ia64:
dc0ed88d802874697908d2b02f83a24c gnome-vfs-1.0.1-18.1.ia64.rpm
c9c83b9b1ce79fa7bfdbdf1cdd0c4fb5 gnome-vfs-devel-1.0.1-18.1.ia64.rpm

Red Hat Enterprise Linux ES version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/gnome-vfs-1.0.1-18.1.src.rpm
a4cf8f82b440789276f366536e852588 gnome-vfs-1.0.1-18.1.src.rpm

i386:
0d23312d359424e46b0fcb713b0eab85 gnome-vfs-1.0.1-18.1.i386.rpm
c7e27477bc25189730309ad69bee1b00 gnome-vfs-devel-1.0.1-18.1.i386.rpm

Red Hat Enterprise Linux WS version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/gnome-vfs-1.0.1-18.1.src.rpm
a4cf8f82b440789276f366536e852588 gnome-vfs-1.0.1-18.1.src.rpm

i386:
0d23312d359424e46b0fcb713b0eab85 gnome-vfs-1.0.1-18.1.i386.rpm
c7e27477bc25189730309ad69bee1b00 gnome-vfs-devel-1.0.1-18.1.i386.rpm

Red Hat Enterprise Linux AS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/gnome-vfs2-2.2.5-2E.1.src.rpm
fbcb6e48b0e04a54383894867a79057d gnome-vfs2-2.2.5-2E.1.src.rpm

i386:
bf38b8427b6c60a93169a266cca8e8f1 gnome-vfs2-2.2.5-2E.1.i386.rpm
f7f903cc6b74cb22153e25c9f78f4311 gnome-vfs2-devel-2.2.5-2E.1.i386.rpm

ia64:
9ec0d04f82412d17c699793367a7b980 gnome-vfs2-2.2.5-2E.1.ia64.rpm
a0241d4990bbb961452ada3d4aacaceb gnome-vfs2-devel-2.2.5-2E.1.ia64.rpm

ppc:
4a471457ca073a26c762cca8fcd3ad88 gnome-vfs2-2.2.5-2E.1.ppc.rpm
1f57211bf9d472e0e5ae6f6b9c1dad26 gnome-vfs2-devel-2.2.5-2E.1.ppc.rpm

s390:
14dfeb34e2193f74ae2598511e593ffd gnome-vfs2-2.2.5-2E.1.s390.rpm
d11d79d93d7a54a365400f81bf15c522 gnome-vfs2-devel-2.2.5-2E.1.s390.rpm

s390x:
177418bc2e61fc5b0f72d08c6c8dcade gnome-vfs2-2.2.5-2E.1.s390x.rpm
f70f90a1c8d47770441bcf09330809d1 gnome-vfs2-devel-2.2.5-2E.1.s390x.rpm

x86_64:
06271691a5533316f595d9d136204d15 gnome-vfs2-2.2.5-2E.1.x86_64.rpm
fba4ca47955f92be0b082c6fa587b14a gnome-vfs2-devel-2.2.5-2E.1.x86_64.rpm

Red Hat Desktop version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/gnome-vfs2-2.2.5-2E.1.src.rpm
fbcb6e48b0e04a54383894867a79057d gnome-vfs2-2.2.5-2E.1.src.rpm

i386:
bf38b8427b6c60a93169a266cca8e8f1 gnome-vfs2-2.2.5-2E.1.i386.rpm
f7f903cc6b74cb22153e25c9f78f4311 gnome-vfs2-devel-2.2.5-2E.1.i386.rpm

x86_64:
06271691a5533316f595d9d136204d15 gnome-vfs2-2.2.5-2E.1.x86_64.rpm
fba4ca47955f92be0b082c6fa587b14a gnome-vfs2-devel-2.2.5-2E.1.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/gnome-vfs2-2.2.5-2E.1.src.rpm
fbcb6e48b0e04a54383894867a79057d gnome-vfs2-2.2.5-2E.1.src.rpm

i386:
bf38b8427b6c60a93169a266cca8e8f1 gnome-vfs2-2.2.5-2E.1.i386.rpm
f7f903cc6b74cb22153e25c9f78f4311 gnome-vfs2-devel-2.2.5-2E.1.i386.rpm

ia64:
9ec0d04f82412d17c699793367a7b980 gnome-vfs2-2.2.5-2E.1.ia64.rpm
a0241d4990bbb961452ada3d4aacaceb gnome-vfs2-devel-2.2.5-2E.1.ia64.rpm

x86_64:
06271691a5533316f595d9d136204d15 gnome-vfs2-2.2.5-2E.1.x86_64.rpm
fba4ca47955f92be0b082c6fa587b14a gnome-vfs2-devel-2.2.5-2E.1.x86_64.rpm

Red Hat Enterprise Linux WS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/gnome-vfs2-2.2.5-2E.1.src.rpm
fbcb6e48b0e04a54383894867a79057d gnome-vfs2-2.2.5-2E.1.src.rpm

i386:
bf38b8427b6c60a93169a266cca8e8f1 gnome-vfs2-2.2.5-2E.1.i386.rpm
f7f903cc6b74cb22153e25c9f78f4311 gnome-vfs2-devel-2.2.5-2E.1.i386.rpm

ia64:
9ec0d04f82412d17c699793367a7b980 gnome-vfs2-2.2.5-2E.1.ia64.rpm
a0241d4990bbb961452ada3d4aacaceb gnome-vfs2-devel-2.2.5-2E.1.ia64.rpm

x86_64:
06271691a5533316f595d9d136204d15 gnome-vfs2-2.2.5-2E.1.x86_64.rpm
fba4ca47955f92be0b082c6fa587b14a gnome-vfs2-devel-2.2.5-2E.1.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key.html#package

6. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0494

7. Contact:

The Red Hat security contact is . More contact details at
https://www.redhat.com/security/team/contact.html

Copyright 2004 Red Hat, Inc.
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQFBEOjzXlSAg2UNWIIRAsCDAKCmn0iysJ9i9rSM0UcRfgUlqo9BJwCfR+gS 482AiXYUgTE0sfqVj0cYBXY= =vy3s -----END PGP SIGNATURE----- From bugzilla at redhat.com Wed Aug 4 21:37:00 2004 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Wed, 4 Aug 2004 17:37 -0400 Subject: [RHSA-2004:383-01] Updated glibc packages fix flaws Message-ID: <200408042137.i74LbQF17980@lacrosse.corp.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - --------------------------------------------------------------------- Red Hat Security Advisory Synopsis: Updated glibc packages fix flaws Advisory ID: RHSA-2004:383-01 Issue date: 2004-08-04 Updated on: 2004-08-04 Product: Red Hat Enterprise Linux Keywords: glibc libdl ld.so dlclose umount CVE Names: CAN-2002-0029 - --------------------------------------------------------------------- 1. Summary: Updated glibc packages that fix a security flaw in the resolver as well as dlclose handling are now available. 2. Relevant releases/architectures: Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, i686, ia64 Red Hat Linux Advanced Workstation 2.1 - ia64 Red Hat Enterprise Linux ES version 2.1 - i386, i686 Red Hat Enterprise Linux WS version 2.1 - i386, i686 3. Problem description: The GNU libc packages (known as glibc) contain the standard C libraries used by applications. A security audit of the glibc packages in Red Hat Enterprise Linux 2.1 found a flaw in the resolver library which was originally reported as affecting versions of ISC BIND 4.9. This flaw also applied to glibc versions before 2.3.2. An attacker who is able to send DNS responses (perhaps by creating a malicious DNS server) could remotely exploit this vulnerability to execute arbitrary code or cause a denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-0029 to this issue. 
These updated packages also fix a dlclose function bug on certain shared libraries, which caused program crashes. All users of glibc should upgrade to these updated packages, which resolve these issues. 4. Solution: Before applying this update, make sure that all previously-released errata relevant to your system have been applied. Use Red Hat Network to download and update your packages. To launch the Red Hat Update Agent, use the following command: up2date For information on how to install packages manually, refer to the following Web page for the System Administration or Customization guide specific to your system: http://www.redhat.com/docs/manuals/enterprise/ 5. Bug IDs fixed (http://bugzilla.redhat.com/ for more info): 120907 - umount passes random flags to sys_umount in kernel 6. RPMs required: Red Hat Enterprise Linux AS (Advanced Server) version 2.1: SRPMS: ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/glibc-2.2.4-32.17.src.rpm b4d2a8e68ab0c47b20a3e8f28c388011 glibc-2.2.4-32.17.src.rpm i386: 7089eff3f030f73c37b16691a34a2b97 glibc-2.2.4-32.17.i386.rpm fb411e71f3ba6fe81f46fa4acbde876f glibc-common-2.2.4-32.17.i386.rpm 93003bc237e963643e84c6b7d63cc97f glibc-devel-2.2.4-32.17.i386.rpm a3bd7862248bcd16dce99aee952bf68b glibc-profile-2.2.4-32.17.i386.rpm acd91794ce623d27a77522bd5c750d21 nscd-2.2.4-32.17.i386.rpm i686: 3759263848efde88bcecb0eb404772ab glibc-2.2.4-32.17.i686.rpm ia64: d08bed26e615ddf28be28dbda0ec9d39 glibc-2.2.4-32.17.ia64.rpm db4c6bf46928d2df68a19ce16e4f2a46 glibc-common-2.2.4-32.17.ia64.rpm a86dc32711365bfbf1b46e7218b2a413 glibc-devel-2.2.4-32.17.ia64.rpm 8ed7e292bf7d08d2c7a94e48ce6a3bec glibc-profile-2.2.4-32.17.ia64.rpm 0f898c80d110feaebbf115bd3a73a546 nscd-2.2.4-32.17.ia64.rpm Red Hat Linux Advanced Workstation 2.1: SRPMS: ftp://updates.redhat.com/enterprise/2.1AW/en/os/SRPMS/glibc-2.2.4-32.17.src.rpm b4d2a8e68ab0c47b20a3e8f28c388011 glibc-2.2.4-32.17.src.rpm ia64: d08bed26e615ddf28be28dbda0ec9d39 glibc-2.2.4-32.17.ia64.rpm 
db4c6bf46928d2df68a19ce16e4f2a46 glibc-common-2.2.4-32.17.ia64.rpm a86dc32711365bfbf1b46e7218b2a413 glibc-devel-2.2.4-32.17.ia64.rpm 8ed7e292bf7d08d2c7a94e48ce6a3bec glibc-profile-2.2.4-32.17.ia64.rpm 0f898c80d110feaebbf115bd3a73a546 nscd-2.2.4-32.17.ia64.rpm Red Hat Enterprise Linux ES version 2.1: SRPMS: ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/glibc-2.2.4-32.17.src.rpm b4d2a8e68ab0c47b20a3e8f28c388011 glibc-2.2.4-32.17.src.rpm i386: 7089eff3f030f73c37b16691a34a2b97 glibc-2.2.4-32.17.i386.rpm fb411e71f3ba6fe81f46fa4acbde876f glibc-common-2.2.4-32.17.i386.rpm 93003bc237e963643e84c6b7d63cc97f glibc-devel-2.2.4-32.17.i386.rpm a3bd7862248bcd16dce99aee952bf68b glibc-profile-2.2.4-32.17.i386.rpm acd91794ce623d27a77522bd5c750d21 nscd-2.2.4-32.17.i386.rpm i686: 3759263848efde88bcecb0eb404772ab glibc-2.2.4-32.17.i686.rpm Red Hat Enterprise Linux WS version 2.1: SRPMS: ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/glibc-2.2.4-32.17.src.rpm b4d2a8e68ab0c47b20a3e8f28c388011 glibc-2.2.4-32.17.src.rpm i386: 7089eff3f030f73c37b16691a34a2b97 glibc-2.2.4-32.17.i386.rpm fb411e71f3ba6fe81f46fa4acbde876f glibc-common-2.2.4-32.17.i386.rpm 93003bc237e963643e84c6b7d63cc97f glibc-devel-2.2.4-32.17.i386.rpm a3bd7862248bcd16dce99aee952bf68b glibc-profile-2.2.4-32.17.i386.rpm acd91794ce623d27a77522bd5c750d21 nscd-2.2.4-32.17.i386.rpm i686: 3759263848efde88bcecb0eb404772ab glibc-2.2.4-32.17.i686.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key.html#package 7. References: http://www.kb.cert.org/vuls/id/844360 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0029 8. Contact: The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact.html Copyright 2004 Red Hat, Inc. 
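The advisories above end their "RPMs required" sections with an md5 checksum beside every package and a pointer to Red Hat's GPG key for signature verification. The following script is an added example, not Red Hat's own tooling: it parses such a manifest (including the run-together form the list archive renders it in) into per-architecture hash tables and compares downloaded packages against them. The embedded manifest is a constructed, trimmed excerpt using hash/filename pairs as printed in RHSA-2004:383-01 above; the function and variable names are this example's own.

```python
"""Check downloaded RPMs against the md5 manifest of a Red Hat advisory.

Added example, not Red Hat's tooling. Manifest layout: optional product
heading, then "SRPMS:" / "<arch>:" labels, each followed by
"<md5> <filename.rpm>" pairs, exactly as in the advisories above.
"""
import hashlib
import os
import re
from typing import Callable, Dict, Iterable

# Architecture labels that appear in the advisories above; "SRPMS" groups source RPMs.
ARCH_LABELS = {"SRPMS", "athlon", "i386", "i686", "ia64", "ppc", "s390", "s390x", "x86_64"}
MD5_RE = re.compile(r"^[0-9a-f]{32}$")

# Constructed excerpt (pairs as printed for RHEL ES 2.1 in RHSA-2004:383-01 above,
# reflowed onto one line the way the list archive renders it).
SAMPLE_MANIFEST = (
    "Red Hat Enterprise Linux ES version 2.1: SRPMS: "
    "ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/glibc-2.2.4-32.17.src.rpm "
    "b4d2a8e68ab0c47b20a3e8f28c388011 glibc-2.2.4-32.17.src.rpm "
    "i386: 7089eff3f030f73c37b16691a34a2b97 glibc-2.2.4-32.17.i386.rpm "
    "fb411e71f3ba6fe81f46fa4acbde876f glibc-common-2.2.4-32.17.i386.rpm "
    "i686: 3759263848efde88bcecb0eb404772ab glibc-2.2.4-32.17.i686.rpm"
)


def parse_manifest(text: str) -> Dict[str, Dict[str, str]]:
    """Return {arch: {filename: md5}} from an advisory's "RPMs required" text.

    Works on whitespace tokens, so it accepts both the line-per-entry layout of
    the original mail and the run-together archive form. A pair is recorded only
    when a 32-hex token is immediately followed by a *.rpm name, so the ftp://
    source URL (which has no hash in front of it) is skipped.
    """
    manifest: Dict[str, Dict[str, str]] = {}
    arch = None
    tokens = text.split()
    for i, tok in enumerate(tokens):
        if tok.endswith(":") and tok[:-1] in ARCH_LABELS:
            arch = tok[:-1]
            manifest.setdefault(arch, {})
            continue
        if arch and MD5_RE.match(tok) and i + 1 < len(tokens) and tokens[i + 1].endswith(".rpm"):
            manifest[arch][tokens[i + 1]] = tok
    return manifest


def md5_of_stream(chunks: Iterable[bytes]) -> str:
    """Hash an iterable of byte chunks so multi-megabyte RPMs need not be loaded whole."""
    h = hashlib.md5()
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()


def verify(expected: Dict[str, str],
           readers: Dict[str, Callable[[], Iterable[bytes]]]) -> Dict[str, str]:
    """Compare one architecture's expected hashes with the files actually present.

    Status per filename: "ok", "mismatch" (content differs from the advisory),
    "missing" (listed but not present) or "unlisted" (present but not listed).
    """
    result: Dict[str, str] = {}
    for name, digest in expected.items():
        if name not in readers:
            result[name] = "missing"
        elif md5_of_stream(readers[name]()) == digest:
            result[name] = "ok"
        else:
            result[name] = "mismatch"
    for name in readers:
        if name not in expected:
            result[name] = "unlisted"
    return result


def verify_blobs(expected: Dict[str, str], blobs: Dict[str, bytes]) -> Dict[str, str]:
    """Verify in-memory contents (handy for tests and for packages fetched over HTTP)."""
    return verify(expected, {n: (lambda b=b: [b]) for n, b in blobs.items()})


def verify_directory(expected: Dict[str, str], directory: str) -> Dict[str, str]:
    """Verify the *.rpm files in a download directory, reading them in 1 MiB chunks."""
    def reader(path: str) -> Callable[[], Iterable[bytes]]:
        def read() -> Iterable[bytes]:
            with open(path, "rb") as f:
                block = f.read(1 << 20)
                while block:
                    yield block
                    block = f.read(1 << 20)
        return read
    names = [n for n in os.listdir(directory) if n.endswith(".rpm")]
    return verify(expected, {n: reader(os.path.join(directory, n)) for n in names})


if __name__ == "__main__":
    for arch, entries in parse_manifest(SAMPLE_MANIFEST).items():
        print(arch, entries)
```

Run it against a directory with `verify_directory(parse_manifest(text)["i386"], "/path/to/downloads")`. The md5 comparison only confirms that the download matches what the advisory listed; the GPG signature on the RPMs (`rpm --checksig`, with Red Hat's key imported as the advisory describes) is the authoritative proof of origin, and md5 is no longer collision-resistant, so treat the hash check as a transport-integrity test rather than a substitute for the signature.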
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQFBEVb2XlSAg2UNWIIRAiS/AKDBwOb/Q7KzFz8jqof0Sx/azM4PtwCcDncQ i+I1R5FA/vaMW9rPN8OvqSM= =WMRy -----END PGP SIGNATURE----- From bugzilla at redhat.com Wed Aug 4 21:52:00 2004 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Wed, 4 Aug 2004 17:52 -0400 Subject: [RHSA-2004:421-01] Updated mozilla packages fix security issues Message-ID: <200408042152.i74LqmF19025@lacrosse.corp.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - --------------------------------------------------------------------- Red Hat Security Advisory Synopsis: Updated mozilla packages fix security issues Advisory ID: RHSA-2004:421-01 Issue date: 2004-08-04 Updated on: 2004-08-04 Product: Red Hat Enterprise Linux CVE Names: CAN-2004-0597 CAN-2004-0599 CAN-2004-0718 CAN-2004-0722 CAN-2004-0757 CAN-2004-0758 CAN-2004-0759 CAN-2004-0760 CAN-2004-0761 CAN-2004-0762 CAN-2004-0763 CAN-2004-0764 CAN-2004-0765 - --------------------------------------------------------------------- 1. Summary: Updated mozilla packages based on version 1.4.3 that fix a number of security issues for Red Hat Enterprise Linux are now available. 2. Relevant releases/architectures: Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64 Red Hat Linux Advanced Workstation 2.1 - ia64 Red Hat Enterprise Linux ES version 2.1 - i386 Red Hat Enterprise Linux WS version 2.1 - i386 Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64 Red Hat Desktop version 3 - i386, x86_64 Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64 Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64 3. Problem description: Mozilla is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. 
A number of flaws have been found in Mozilla 1.4 that have been fixed in the Mozilla 1.4.3 release:

Zen Parse reported improper input validation in the SOAPParameter object constructor, leading to an integer overflow and controllable heap corruption. Malicious JavaScript could be written to trigger this flaw and could allow arbitrary code execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0722 to this issue.

During a source code audit, Chris Evans discovered a buffer overflow and integer overflows which affect the libpng code inside Mozilla. An attacker could create a carefully crafted PNG file in such a way that it would cause Mozilla to crash or execute arbitrary code when the image was viewed. (CAN-2004-0597, CAN-2004-0599)

Zen Parse reported a flaw in the POP3 capability. A malicious POP3 server could send a carefully crafted response that would cause a heap overflow and potentially allow execution of arbitrary code as the user running Mozilla. (CAN-2004-0757)

Marcel Boesch found a flaw that allows a CA certificate to be imported with a DN the same as that of the built-in CA root certificates, which can cause a denial of service to SSL pages, as the malicious certificate is treated as invalid. (CAN-2004-0758)

Met - Martin Hassman reported a flaw in Mozilla that could allow malicious Javascript code to upload local files from a user's machine without requiring confirmation. (CAN-2004-0759)

Mindlock Security reported a flaw in ftp URI handling. By using a NULL character (%00) in an ftp URI, Mozilla can be confused into opening a resource as a different MIME type. (CAN-2004-0760)

Mozilla does not properly prevent a frame in one domain from injecting content into a frame that belongs to another domain, which facilitates website spoofing and other attacks, also known as the frame injection vulnerability. (CAN-2004-0718)

Tolga Tarhan reported a flaw that can allow a malicious webpage to use a redirect sequence to spoof the security lock icon that makes a webpage appear to be encrypted. (CAN-2004-0761)

Jesse Ruderman reported a security issue that affects a number of browsers including Mozilla that could allow malicious websites to install arbitrary extensions by using interactive events to manipulate the XPInstall Security dialog box. (CAN-2004-0762)

Emmanouel Kellinis discovered a caching flaw in Mozilla which allows malicious websites to spoof certificates of trusted websites via redirects and Javascript that uses the "onunload" method. (CAN-2004-0763)

Mozilla allowed malicious websites to hijack the user interface via the "chrome" flag and XML User Interface Language (XUL) files. (CAN-2004-0764)

The cert_TestHostName function in Mozilla only checks the hostname portion of a certificate when the hostname portion of the URI is not a fully qualified domain name (FQDN). This flaw could be used for spoofing if an attacker had control of machines on a default DNS search path. (CAN-2004-0765)

All users are advised to update to these erratum packages, which contain a snapshot of Mozilla 1.4.3 including backported fixes and are not vulnerable to these issues.

4. Solution: Before applying this update, make sure that all previously-released errata relevant to your system have been applied. Use Red Hat Network to download and update your packages. To launch the Red Hat Update Agent, use the following command: up2date For information on how to install packages manually, refer to the following Web page for the System Administration or Customization guide specific to your system: http://www.redhat.com/docs/manuals/enterprise/ 5.
Bug IDs fixed (http://bugzilla.redhat.com/ for more info): 127338 - CAN-2004-0718 frame injection (spoofing) vuln in Mozilla before 1.7 127186 - CAN-2004-0758 Overriding built-in certificate leading to error -8182 (DoS), especially exploitable by email 6. RPMs required: Red Hat Enterprise Linux AS (Advanced Server) version 2.1: SRPMS: ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/galeon-1.2.13-3.2.1.src.rpm 7e094aa0324b56f4fba3ede27ae1b19b galeon-1.2.13-3.2.1.src.rpm ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/mozilla-1.4.3-2.1.2.src.rpm 66fcc1e820208b3024de369469250df5 mozilla-1.4.3-2.1.2.src.rpm i386: d170284b6a6d01f85ee974bb6c984390 galeon-1.2.13-3.2.1.i386.rpm 57a81a30a9d79e77adec334f96e7cea9 mozilla-1.4.3-2.1.2.i386.rpm fa6d63828129887e1cc3c42df47e4190 mozilla-chat-1.4.3-2.1.2.i386.rpm b13cb1114fa16a75fd81c6cb504db17e mozilla-devel-1.4.3-2.1.2.i386.rpm 9d4714cbd6c2077efa557430b8b89b63 mozilla-dom-inspector-1.4.3-2.1.2.i386.rpm 01686edf59fa5945b8f9ae69fa4ac5c0 mozilla-js-debugger-1.4.3-2.1.2.i386.rpm 623213465b181f6fb14698e73f9a6a89 mozilla-mail-1.4.3-2.1.2.i386.rpm 68cb569585436ce430c4aee335c01d4e mozilla-nspr-1.4.3-2.1.2.i386.rpm 3c4e08b8106d4718c30fcf06e7633abc mozilla-nspr-devel-1.4.3-2.1.2.i386.rpm 494563d83a7b6a77642c73986d50092c mozilla-nss-1.4.3-2.1.2.i386.rpm fb6f0a11c5312f7822055f45c35435f2 mozilla-nss-devel-1.4.3-2.1.2.i386.rpm ia64: e13f36d06fa5714337e074fca3a7a211 galeon-1.2.13-3.2.1.ia64.rpm 7841dd11df85a69d6e03a3c4730e987c mozilla-1.4.3-2.1.2.ia64.rpm b022a33b0ad1715f363b8e2be245e704 mozilla-chat-1.4.3-2.1.2.ia64.rpm 73599c671b8d07d86a82ae4006aeb184 mozilla-devel-1.4.3-2.1.2.ia64.rpm bb57be095e37a959e8a9216820dd2fd9 mozilla-dom-inspector-1.4.3-2.1.2.ia64.rpm 0879b99da78ee8393577ca3b17c3c95c mozilla-js-debugger-1.4.3-2.1.2.ia64.rpm c018093969ef4ae1e26f203a67e74d87 mozilla-mail-1.4.3-2.1.2.ia64.rpm e1fe8f1eeff222e7d1cd35d305a20e4d mozilla-nspr-1.4.3-2.1.2.ia64.rpm 93e2cac5380515450b5201ef082fe427 
mozilla-nspr-devel-1.4.3-2.1.2.ia64.rpm afe930bc2c9d6174754b79d9119bc77d mozilla-nss-1.4.3-2.1.2.ia64.rpm 1413ffceb82030a07863e79917c8d3ea mozilla-nss-devel-1.4.3-2.1.2.ia64.rpm Red Hat Linux Advanced Workstation 2.1: SRPMS: ftp://updates.redhat.com/enterprise/2.1AW/en/os/SRPMS/galeon-1.2.13-3.2.1.src.rpm 7e094aa0324b56f4fba3ede27ae1b19b galeon-1.2.13-3.2.1.src.rpm ftp://updates.redhat.com/enterprise/2.1AW/en/os/SRPMS/mozilla-1.4.3-2.1.2.src.rpm 66fcc1e820208b3024de369469250df5 mozilla-1.4.3-2.1.2.src.rpm ia64: e13f36d06fa5714337e074fca3a7a211 galeon-1.2.13-3.2.1.ia64.rpm 7841dd11df85a69d6e03a3c4730e987c mozilla-1.4.3-2.1.2.ia64.rpm b022a33b0ad1715f363b8e2be245e704 mozilla-chat-1.4.3-2.1.2.ia64.rpm 73599c671b8d07d86a82ae4006aeb184 mozilla-devel-1.4.3-2.1.2.ia64.rpm bb57be095e37a959e8a9216820dd2fd9 mozilla-dom-inspector-1.4.3-2.1.2.ia64.rpm 0879b99da78ee8393577ca3b17c3c95c mozilla-js-debugger-1.4.3-2.1.2.ia64.rpm c018093969ef4ae1e26f203a67e74d87 mozilla-mail-1.4.3-2.1.2.ia64.rpm e1fe8f1eeff222e7d1cd35d305a20e4d mozilla-nspr-1.4.3-2.1.2.ia64.rpm 93e2cac5380515450b5201ef082fe427 mozilla-nspr-devel-1.4.3-2.1.2.ia64.rpm afe930bc2c9d6174754b79d9119bc77d mozilla-nss-1.4.3-2.1.2.ia64.rpm 1413ffceb82030a07863e79917c8d3ea mozilla-nss-devel-1.4.3-2.1.2.ia64.rpm Red Hat Enterprise Linux ES version 2.1: SRPMS: ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/galeon-1.2.13-3.2.1.src.rpm 7e094aa0324b56f4fba3ede27ae1b19b galeon-1.2.13-3.2.1.src.rpm ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/mozilla-1.4.3-2.1.2.src.rpm 66fcc1e820208b3024de369469250df5 mozilla-1.4.3-2.1.2.src.rpm i386: d170284b6a6d01f85ee974bb6c984390 galeon-1.2.13-3.2.1.i386.rpm 57a81a30a9d79e77adec334f96e7cea9 mozilla-1.4.3-2.1.2.i386.rpm fa6d63828129887e1cc3c42df47e4190 mozilla-chat-1.4.3-2.1.2.i386.rpm b13cb1114fa16a75fd81c6cb504db17e mozilla-devel-1.4.3-2.1.2.i386.rpm 9d4714cbd6c2077efa557430b8b89b63 mozilla-dom-inspector-1.4.3-2.1.2.i386.rpm 01686edf59fa5945b8f9ae69fa4ac5c0 
mozilla-js-debugger-1.4.3-2.1.2.i386.rpm 623213465b181f6fb14698e73f9a6a89 mozilla-mail-1.4.3-2.1.2.i386.rpm 68cb569585436ce430c4aee335c01d4e mozilla-nspr-1.4.3-2.1.2.i386.rpm 3c4e08b8106d4718c30fcf06e7633abc mozilla-nspr-devel-1.4.3-2.1.2.i386.rpm 494563d83a7b6a77642c73986d50092c mozilla-nss-1.4.3-2.1.2.i386.rpm fb6f0a11c5312f7822055f45c35435f2 mozilla-nss-devel-1.4.3-2.1.2.i386.rpm Red Hat Enterprise Linux WS version 2.1: SRPMS: ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/galeon-1.2.13-3.2.1.src.rpm 7e094aa0324b56f4fba3ede27ae1b19b galeon-1.2.13-3.2.1.src.rpm ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/mozilla-1.4.3-2.1.2.src.rpm 66fcc1e820208b3024de369469250df5 mozilla-1.4.3-2.1.2.src.rpm i386: d170284b6a6d01f85ee974bb6c984390 galeon-1.2.13-3.2.1.i386.rpm 57a81a30a9d79e77adec334f96e7cea9 mozilla-1.4.3-2.1.2.i386.rpm fa6d63828129887e1cc3c42df47e4190 mozilla-chat-1.4.3-2.1.2.i386.rpm b13cb1114fa16a75fd81c6cb504db17e mozilla-devel-1.4.3-2.1.2.i386.rpm 9d4714cbd6c2077efa557430b8b89b63 mozilla-dom-inspector-1.4.3-2.1.2.i386.rpm 01686edf59fa5945b8f9ae69fa4ac5c0 mozilla-js-debugger-1.4.3-2.1.2.i386.rpm 623213465b181f6fb14698e73f9a6a89 mozilla-mail-1.4.3-2.1.2.i386.rpm 68cb569585436ce430c4aee335c01d4e mozilla-nspr-1.4.3-2.1.2.i386.rpm 3c4e08b8106d4718c30fcf06e7633abc mozilla-nspr-devel-1.4.3-2.1.2.i386.rpm 494563d83a7b6a77642c73986d50092c mozilla-nss-1.4.3-2.1.2.i386.rpm fb6f0a11c5312f7822055f45c35435f2 mozilla-nss-devel-1.4.3-2.1.2.i386.rpm Red Hat Enterprise Linux AS version 3: SRPMS: ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/mozilla-1.4.3-3.0.2.src.rpm a8fef126836c7ea73c80ac7e2792e142 mozilla-1.4.3-3.0.2.src.rpm i386: 76e94d5ea03f131a723c97207297ee1b mozilla-1.4.3-3.0.2.i386.rpm 75c2959a065a6b6ae8c90b56165e43a6 mozilla-chat-1.4.3-3.0.2.i386.rpm 6c90c0a77bdbee2cb0d84be83fead1b1 mozilla-devel-1.4.3-3.0.2.i386.rpm 58b9cfad95dfc69d1e0d80a23f383ad4 mozilla-dom-inspector-1.4.3-3.0.2.i386.rpm 431ed1323ae5217a0b31dc1f1bcca1bd 
mozilla-js-debugger-1.4.3-3.0.2.i386.rpm 3a95aa702f1cc2205c10b957c3fd452e mozilla-mail-1.4.3-3.0.2.i386.rpm 2877a54a8c7a2de5fe58b39ee626d214 mozilla-nspr-1.4.3-3.0.2.i386.rpm 46ccae94f0269a2b92d2b4a5d5dcd480 mozilla-nspr-devel-1.4.3-3.0.2.i386.rpm 545d3867e6077c15f64aa5ee192c8d43 mozilla-nss-1.4.3-3.0.2.i386.rpm f3fccea16c2bed1be5038399d0c42bad mozilla-nss-devel-1.4.3-3.0.2.i386.rpm ia64: 7493acb019f4cc706b6cf952444a975a mozilla-1.4.3-3.0.2.ia64.rpm 542bb7e67ff4eba5ed228e5db5a78f25 mozilla-chat-1.4.3-3.0.2.ia64.rpm d5cbf0f7c03d71ed0c51a27430fe7f60 mozilla-devel-1.4.3-3.0.2.ia64.rpm 049bbde10a886f65d539579a311a24af mozilla-dom-inspector-1.4.3-3.0.2.ia64.rpm 1c96bbc0bbbf649e3a851b0295694847 mozilla-js-debugger-1.4.3-3.0.2.ia64.rpm cea7a67877727f4436ac554408db7832 mozilla-mail-1.4.3-3.0.2.ia64.rpm 28047d1dd3264f882f9c4f8a7b628910 mozilla-nspr-1.4.3-3.0.2.ia64.rpm a903c680602a74dd0feaeb12b6cc32ec mozilla-nspr-devel-1.4.3-3.0.2.ia64.rpm d3ff697bca53a52fe164614d77432046 mozilla-nss-1.4.3-3.0.2.ia64.rpm 7cd4e05706eb4b4b57f5eca3f1bc470f mozilla-nss-devel-1.4.3-3.0.2.ia64.rpm ppc: e2d78f6aac22bfbcb825867dbac82ebb mozilla-1.4.3-3.0.2.ppc.rpm b61167a98f8673f8f3f03ae28a50bc92 mozilla-chat-1.4.3-3.0.2.ppc.rpm d0fb8b199c689e7c8b214f3e0ec962c3 mozilla-devel-1.4.3-3.0.2.ppc.rpm 53a571868dad0c9d3672013fb406570a mozilla-dom-inspector-1.4.3-3.0.2.ppc.rpm 734e3f74f8592e2fd94e2dd257e01095 mozilla-js-debugger-1.4.3-3.0.2.ppc.rpm 82ac07ab7ef497194c65f7251cb62e33 mozilla-mail-1.4.3-3.0.2.ppc.rpm 398540c49c50030cbad5b4b9e96c783b mozilla-nspr-1.4.3-3.0.2.ppc.rpm d022b91ac348e6077625be5dc83b35dc mozilla-nspr-devel-1.4.3-3.0.2.ppc.rpm 271be6a6ba49964733a28e0dc9f07378 mozilla-nss-1.4.3-3.0.2.ppc.rpm ce1b77ddb74d136ec38330cc11b7f54d mozilla-nss-devel-1.4.3-3.0.2.ppc.rpm s390: 19ad37a2396c2776175d0e59662a7652 mozilla-1.4.3-3.0.2.s390.rpm 4baac171cf9ba457f1c3faf8f03b88cf mozilla-chat-1.4.3-3.0.2.s390.rpm 2ec9bd8e61073a3f6056e9cecc419ba3 mozilla-devel-1.4.3-3.0.2.s390.rpm 
32a1d2e1c29ea3b094f35164710cfc0e mozilla-dom-inspector-1.4.3-3.0.2.s390.rpm 8e977a243825a35ee77e22ed651bd499 mozilla-js-debugger-1.4.3-3.0.2.s390.rpm e4afa3661f104caa24079761af089dbb mozilla-mail-1.4.3-3.0.2.s390.rpm 18f0e4b19190656df0eab0c98121a067 mozilla-nspr-1.4.3-3.0.2.s390.rpm cf3ac9649c38000fca54d319d546e298 mozilla-nspr-devel-1.4.3-3.0.2.s390.rpm 695903fa5cbe21f7aa7e54fca237bcc0 mozilla-nss-1.4.3-3.0.2.s390.rpm 3d50c59229138d886971374d92d2927c mozilla-nss-devel-1.4.3-3.0.2.s390.rpm s390x: d7b8a517df946cc4e1872468882eb28d mozilla-1.4.3-3.0.2.s390x.rpm 79bf2338e9d3c6e3835137ba58db84b8 mozilla-chat-1.4.3-3.0.2.s390x.rpm c88a798cf6b3143d98e7ea35d7e4c463 mozilla-devel-1.4.3-3.0.2.s390x.rpm b76f9cc6c0c17568799c06630b6b66c9 mozilla-dom-inspector-1.4.3-3.0.2.s390x.rpm ced9955739e509de217dab3e193b603d mozilla-js-debugger-1.4.3-3.0.2.s390x.rpm a360c8ef42f27b4b19cd4447833cd6a7 mozilla-mail-1.4.3-3.0.2.s390x.rpm 8bba98c72a31e16541f9a34b6cfd4f8c mozilla-nspr-1.4.3-3.0.2.s390x.rpm 0870ce645aab9d015c68921ebee5fa1a mozilla-nspr-devel-1.4.3-3.0.2.s390x.rpm 82f324eb81988b15db97cc44bcc187f8 mozilla-nss-1.4.3-3.0.2.s390x.rpm e95e7faa635d02ce0be4f3b019dc106a mozilla-nss-devel-1.4.3-3.0.2.s390x.rpm x86_64: 809d992f5b8de1d8d2929d853b01069a mozilla-1.4.3-3.0.2.x86_64.rpm 0c4b1fd1560188277950e7df67e0c1a5 mozilla-chat-1.4.3-3.0.2.x86_64.rpm 353be79ae25e35d1768f98c21fba07b0 mozilla-devel-1.4.3-3.0.2.x86_64.rpm 6f29bdc0c13bdf52db9103d979eb0a19 mozilla-dom-inspector-1.4.3-3.0.2.x86_64.rpm ea25530cfeb09b9ddb2fdcd4f270b9b4 mozilla-js-debugger-1.4.3-3.0.2.x86_64.rpm 86ed3c2207a0745275720a87520cf249 mozilla-mail-1.4.3-3.0.2.x86_64.rpm caf8df9aa11bf0eed5d3ca3ee4d4c3fe mozilla-nspr-1.4.3-3.0.2.x86_64.rpm a061fd746ad180573d640051e2cf0f92 mozilla-nspr-devel-1.4.3-3.0.2.x86_64.rpm 4139bc49b0a141edac659b62a27c7322 mozilla-nss-1.4.3-3.0.2.x86_64.rpm 9df3f9b35276f8c0bb54f3a45a994668 mozilla-nss-devel-1.4.3-3.0.2.x86_64.rpm Red Hat Desktop version 3: SRPMS: 
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/mozilla-1.4.3-3.0.2.src.rpm a8fef126836c7ea73c80ac7e2792e142 mozilla-1.4.3-3.0.2.src.rpm i386: 76e94d5ea03f131a723c97207297ee1b mozilla-1.4.3-3.0.2.i386.rpm 75c2959a065a6b6ae8c90b56165e43a6 mozilla-chat-1.4.3-3.0.2.i386.rpm 6c90c0a77bdbee2cb0d84be83fead1b1 mozilla-devel-1.4.3-3.0.2.i386.rpm 58b9cfad95dfc69d1e0d80a23f383ad4 mozilla-dom-inspector-1.4.3-3.0.2.i386.rpm 431ed1323ae5217a0b31dc1f1bcca1bd mozilla-js-debugger-1.4.3-3.0.2.i386.rpm 3a95aa702f1cc2205c10b957c3fd452e mozilla-mail-1.4.3-3.0.2.i386.rpm 2877a54a8c7a2de5fe58b39ee626d214 mozilla-nspr-1.4.3-3.0.2.i386.rpm 46ccae94f0269a2b92d2b4a5d5dcd480 mozilla-nspr-devel-1.4.3-3.0.2.i386.rpm 545d3867e6077c15f64aa5ee192c8d43 mozilla-nss-1.4.3-3.0.2.i386.rpm f3fccea16c2bed1be5038399d0c42bad mozilla-nss-devel-1.4.3-3.0.2.i386.rpm x86_64: 809d992f5b8de1d8d2929d853b01069a mozilla-1.4.3-3.0.2.x86_64.rpm 0c4b1fd1560188277950e7df67e0c1a5 mozilla-chat-1.4.3-3.0.2.x86_64.rpm 353be79ae25e35d1768f98c21fba07b0 mozilla-devel-1.4.3-3.0.2.x86_64.rpm 6f29bdc0c13bdf52db9103d979eb0a19 mozilla-dom-inspector-1.4.3-3.0.2.x86_64.rpm ea25530cfeb09b9ddb2fdcd4f270b9b4 mozilla-js-debugger-1.4.3-3.0.2.x86_64.rpm 86ed3c2207a0745275720a87520cf249 mozilla-mail-1.4.3-3.0.2.x86_64.rpm caf8df9aa11bf0eed5d3ca3ee4d4c3fe mozilla-nspr-1.4.3-3.0.2.x86_64.rpm a061fd746ad180573d640051e2cf0f92 mozilla-nspr-devel-1.4.3-3.0.2.x86_64.rpm 4139bc49b0a141edac659b62a27c7322 mozilla-nss-1.4.3-3.0.2.x86_64.rpm 9df3f9b35276f8c0bb54f3a45a994668 mozilla-nss-devel-1.4.3-3.0.2.x86_64.rpm Red Hat Enterprise Linux ES version 3: SRPMS: ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/mozilla-1.4.3-3.0.2.src.rpm a8fef126836c7ea73c80ac7e2792e142 mozilla-1.4.3-3.0.2.src.rpm i386: 76e94d5ea03f131a723c97207297ee1b mozilla-1.4.3-3.0.2.i386.rpm 75c2959a065a6b6ae8c90b56165e43a6 mozilla-chat-1.4.3-3.0.2.i386.rpm 6c90c0a77bdbee2cb0d84be83fead1b1 mozilla-devel-1.4.3-3.0.2.i386.rpm 58b9cfad95dfc69d1e0d80a23f383ad4 
mozilla-dom-inspector-1.4.3-3.0.2.i386.rpm 431ed1323ae5217a0b31dc1f1bcca1bd mozilla-js-debugger-1.4.3-3.0.2.i386.rpm 3a95aa702f1cc2205c10b957c3fd452e mozilla-mail-1.4.3-3.0.2.i386.rpm 2877a54a8c7a2de5fe58b39ee626d214 mozilla-nspr-1.4.3-3.0.2.i386.rpm 46ccae94f0269a2b92d2b4a5d5dcd480 mozilla-nspr-devel-1.4.3-3.0.2.i386.rpm 545d3867e6077c15f64aa5ee192c8d43 mozilla-nss-1.4.3-3.0.2.i386.rpm f3fccea16c2bed1be5038399d0c42bad mozilla-nss-devel-1.4.3-3.0.2.i386.rpm ia64: 7493acb019f4cc706b6cf952444a975a mozilla-1.4.3-3.0.2.ia64.rpm 542bb7e67ff4eba5ed228e5db5a78f25 mozilla-chat-1.4.3-3.0.2.ia64.rpm d5cbf0f7c03d71ed0c51a27430fe7f60 mozilla-devel-1.4.3-3.0.2.ia64.rpm 049bbde10a886f65d539579a311a24af mozilla-dom-inspector-1.4.3-3.0.2.ia64.rpm 1c96bbc0bbbf649e3a851b0295694847 mozilla-js-debugger-1.4.3-3.0.2.ia64.rpm cea7a67877727f4436ac554408db7832 mozilla-mail-1.4.3-3.0.2.ia64.rpm 28047d1dd3264f882f9c4f8a7b628910 mozilla-nspr-1.4.3-3.0.2.ia64.rpm a903c680602a74dd0feaeb12b6cc32ec mozilla-nspr-devel-1.4.3-3.0.2.ia64.rpm d3ff697bca53a52fe164614d77432046 mozilla-nss-1.4.3-3.0.2.ia64.rpm 7cd4e05706eb4b4b57f5eca3f1bc470f mozilla-nss-devel-1.4.3-3.0.2.ia64.rpm x86_64: 809d992f5b8de1d8d2929d853b01069a mozilla-1.4.3-3.0.2.x86_64.rpm 0c4b1fd1560188277950e7df67e0c1a5 mozilla-chat-1.4.3-3.0.2.x86_64.rpm 353be79ae25e35d1768f98c21fba07b0 mozilla-devel-1.4.3-3.0.2.x86_64.rpm 6f29bdc0c13bdf52db9103d979eb0a19 mozilla-dom-inspector-1.4.3-3.0.2.x86_64.rpm ea25530cfeb09b9ddb2fdcd4f270b9b4 mozilla-js-debugger-1.4.3-3.0.2.x86_64.rpm 86ed3c2207a0745275720a87520cf249 mozilla-mail-1.4.3-3.0.2.x86_64.rpm caf8df9aa11bf0eed5d3ca3ee4d4c3fe mozilla-nspr-1.4.3-3.0.2.x86_64.rpm a061fd746ad180573d640051e2cf0f92 mozilla-nspr-devel-1.4.3-3.0.2.x86_64.rpm 4139bc49b0a141edac659b62a27c7322 mozilla-nss-1.4.3-3.0.2.x86_64.rpm 9df3f9b35276f8c0bb54f3a45a994668 mozilla-nss-devel-1.4.3-3.0.2.x86_64.rpm Red Hat Enterprise Linux WS version 3: SRPMS: 
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/mozilla-1.4.3-3.0.2.src.rpm
a8fef126836c7ea73c80ac7e2792e142 mozilla-1.4.3-3.0.2.src.rpm

i386:
76e94d5ea03f131a723c97207297ee1b mozilla-1.4.3-3.0.2.i386.rpm
75c2959a065a6b6ae8c90b56165e43a6 mozilla-chat-1.4.3-3.0.2.i386.rpm
6c90c0a77bdbee2cb0d84be83fead1b1 mozilla-devel-1.4.3-3.0.2.i386.rpm
58b9cfad95dfc69d1e0d80a23f383ad4 mozilla-dom-inspector-1.4.3-3.0.2.i386.rpm
431ed1323ae5217a0b31dc1f1bcca1bd mozilla-js-debugger-1.4.3-3.0.2.i386.rpm
3a95aa702f1cc2205c10b957c3fd452e mozilla-mail-1.4.3-3.0.2.i386.rpm
2877a54a8c7a2de5fe58b39ee626d214 mozilla-nspr-1.4.3-3.0.2.i386.rpm
46ccae94f0269a2b92d2b4a5d5dcd480 mozilla-nspr-devel-1.4.3-3.0.2.i386.rpm
545d3867e6077c15f64aa5ee192c8d43 mozilla-nss-1.4.3-3.0.2.i386.rpm
f3fccea16c2bed1be5038399d0c42bad mozilla-nss-devel-1.4.3-3.0.2.i386.rpm

ia64:
7493acb019f4cc706b6cf952444a975a mozilla-1.4.3-3.0.2.ia64.rpm
542bb7e67ff4eba5ed228e5db5a78f25 mozilla-chat-1.4.3-3.0.2.ia64.rpm
d5cbf0f7c03d71ed0c51a27430fe7f60 mozilla-devel-1.4.3-3.0.2.ia64.rpm
049bbde10a886f65d539579a311a24af mozilla-dom-inspector-1.4.3-3.0.2.ia64.rpm
1c96bbc0bbbf649e3a851b0295694847 mozilla-js-debugger-1.4.3-3.0.2.ia64.rpm
cea7a67877727f4436ac554408db7832 mozilla-mail-1.4.3-3.0.2.ia64.rpm
28047d1dd3264f882f9c4f8a7b628910 mozilla-nspr-1.4.3-3.0.2.ia64.rpm
a903c680602a74dd0feaeb12b6cc32ec mozilla-nspr-devel-1.4.3-3.0.2.ia64.rpm
d3ff697bca53a52fe164614d77432046 mozilla-nss-1.4.3-3.0.2.ia64.rpm
7cd4e05706eb4b4b57f5eca3f1bc470f mozilla-nss-devel-1.4.3-3.0.2.ia64.rpm

x86_64:
809d992f5b8de1d8d2929d853b01069a mozilla-1.4.3-3.0.2.x86_64.rpm
0c4b1fd1560188277950e7df67e0c1a5 mozilla-chat-1.4.3-3.0.2.x86_64.rpm
353be79ae25e35d1768f98c21fba07b0 mozilla-devel-1.4.3-3.0.2.x86_64.rpm
6f29bdc0c13bdf52db9103d979eb0a19 mozilla-dom-inspector-1.4.3-3.0.2.x86_64.rpm
ea25530cfeb09b9ddb2fdcd4f270b9b4 mozilla-js-debugger-1.4.3-3.0.2.x86_64.rpm
86ed3c2207a0745275720a87520cf249 mozilla-mail-1.4.3-3.0.2.x86_64.rpm
caf8df9aa11bf0eed5d3ca3ee4d4c3fe mozilla-nspr-1.4.3-3.0.2.x86_64.rpm
a061fd746ad180573d640051e2cf0f92 mozilla-nspr-devel-1.4.3-3.0.2.x86_64.rpm
4139bc49b0a141edac659b62a27c7322 mozilla-nss-1.4.3-3.0.2.x86_64.rpm
9df3f9b35276f8c0bb54f3a45a994668 mozilla-nss-devel-1.4.3-3.0.2.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key.html#package

7. References:

http://bugzilla.mozilla.org/show_bug.cgi?id=236618
http://bugzilla.mozilla.org/show_bug.cgi?id=251381
http://bugzilla.mozilla.org/show_bug.cgi?id=229374
http://bugzilla.mozilla.org/show_bug.cgi?id=249004
http://bugzilla.mozilla.org/show_bug.cgi?id=241924
http://bugzilla.mozilla.org/show_bug.cgi?id=250906
http://bugzilla.mozilla.org/show_bug.cgi?id=246448
http://bugzilla.mozilla.org/show_bug.cgi?id=240053
http://bugzilla.mozilla.org/show_bug.cgi?id=162020
http://bugzilla.mozilla.org/show_bug.cgi?id=253121
http://bugzilla.mozilla.org/show_bug.cgi?id=244965
http://bugzilla.mozilla.org/show_bug.cgi?id=234058
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0597
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0599
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0718
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0722
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0757
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0758
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0759
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0760
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0761
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0762
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0763
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0764
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0765

8. Contact:

The Red Hat security contact is .
More contact details at https://www.redhat.com/security/team/contact.html

Copyright 2004 Red Hat, Inc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBEVqpXlSAg2UNWIIRAkVlAJ9RLthGcfCHAkfyu+sUPQVTX3Q3sQCdGxe8
06T2QwRetPvndKsrPREuckA=
=8ODv
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Aug 5 16:39:00 2004
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 5 Aug 2004 12:39 -0400
Subject: [RHSA-2004:378-01] Updated Ethereal packages fix security issues
Message-ID: <200408051639.i75GdEF28409@lacrosse.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Updated Ethereal packages fix security issues
Advisory ID:       RHSA-2004:378-01
Issue date:        2004-08-05
Updated on:        2004-08-05
Product:           Red Hat Enterprise Linux
Obsoletes:         RHSA-2004:234
CVE Names:         CAN-2004-0633 CAN-2004-0634 CAN-2004-0635
- ---------------------------------------------------------------------

1. Summary:

Updated Ethereal packages that fix various security vulnerabilities are now available.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64
Red Hat Linux Advanced Workstation 2.1 - ia64
Red Hat Enterprise Linux ES version 2.1 - i386
Red Hat Enterprise Linux WS version 2.1 - i386
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64

3. Problem description:

Ethereal is a program for monitoring network traffic.

The SNMP dissector in Ethereal releases 0.8.15 through 0.10.4 contained a memory read flaw. On a system where Ethereal is running, a remote attacker could send malicious packets that could cause Ethereal to crash or possibly execute arbitrary code.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0635 to this issue.

The SMB dissector in Ethereal releases 0.9.15 through 0.10.4 contained a null pointer flaw. On a system where Ethereal is running, a remote attacker could send malicious packets that could cause Ethereal to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0634 to this issue.

The iSNS dissector in Ethereal releases 0.10.3 through 0.10.4 contained an integer overflow flaw. On a system where Ethereal is running, a remote attacker could send malicious packets that could cause Ethereal to crash or possibly execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0633 to this issue.

Users of Ethereal should upgrade to these updated packages, which contain a version that is not vulnerable to these issues.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

Use Red Hat Network to download and update your packages. To launch the Red Hat Update Agent, use the following command:

up2date

For information on how to install packages manually, refer to the following Web page for the System Administration or Customization guide specific to your system:

http://www.redhat.com/docs/manuals/enterprise/

5. Bug IDs fixed (http://bugzilla.redhat.com/ for more info):

127381 - CAN-2004-0633/34/35 Multiple problems in Ethereal 0.10.4

6. RPMs required:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/ethereal-0.10.5-0.AS21.2.src.rpm
60215293034749ae22e909ed60eaee06 ethereal-0.10.5-0.AS21.2.src.rpm

i386:
25857a9921162aa88bfc920e94fb20e5 ethereal-0.10.5-0.AS21.2.i386.rpm
3c9f8e3c28a714cefd97b8ef350269e7 ethereal-gnome-0.10.5-0.AS21.2.i386.rpm

ia64:
67c86c33f2f5052b695fb5308eb9ef37 ethereal-0.10.5-0.AS21.2.ia64.rpm
2b75b683911859104439b62c18465600 ethereal-gnome-0.10.5-0.AS21.2.ia64.rpm

Red Hat Linux Advanced Workstation 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1AW/en/os/SRPMS/ethereal-0.10.5-0.AS21.2.src.rpm
60215293034749ae22e909ed60eaee06 ethereal-0.10.5-0.AS21.2.src.rpm

ia64:
67c86c33f2f5052b695fb5308eb9ef37 ethereal-0.10.5-0.AS21.2.ia64.rpm
2b75b683911859104439b62c18465600 ethereal-gnome-0.10.5-0.AS21.2.ia64.rpm

Red Hat Enterprise Linux ES version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/ethereal-0.10.5-0.AS21.2.src.rpm
60215293034749ae22e909ed60eaee06 ethereal-0.10.5-0.AS21.2.src.rpm

i386:
25857a9921162aa88bfc920e94fb20e5 ethereal-0.10.5-0.AS21.2.i386.rpm
3c9f8e3c28a714cefd97b8ef350269e7 ethereal-gnome-0.10.5-0.AS21.2.i386.rpm

Red Hat Enterprise Linux WS version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/ethereal-0.10.5-0.AS21.2.src.rpm
60215293034749ae22e909ed60eaee06 ethereal-0.10.5-0.AS21.2.src.rpm

i386:
25857a9921162aa88bfc920e94fb20e5 ethereal-0.10.5-0.AS21.2.i386.rpm
3c9f8e3c28a714cefd97b8ef350269e7 ethereal-gnome-0.10.5-0.AS21.2.i386.rpm

Red Hat Enterprise Linux AS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/ethereal-0.10.5-0.30E.2.src.rpm
5104f1cd2dea35fd3fdf79337a76783b ethereal-0.10.5-0.30E.2.src.rpm

i386:
16e8b243835adf2d389847b83012476d ethereal-0.10.5-0.30E.2.i386.rpm
c994b6a92771d734260c850e530b638c ethereal-gnome-0.10.5-0.30E.2.i386.rpm

ia64:
ec1027f7961c9109a7f29888805b6b4d ethereal-0.10.5-0.30E.2.ia64.rpm
2e66c5f80398fdda9ad4d1dbc44bcb29 ethereal-gnome-0.10.5-0.30E.2.ia64.rpm

ppc:
337260b85f120ac6c5c86e016c72f883 ethereal-0.10.5-0.30E.2.ppc.rpm
c320f1e59876983c783ee89190dbfa34 ethereal-gnome-0.10.5-0.30E.2.ppc.rpm

s390:
de6dcfb5cc97d4f60b76a8c5f785b5cd ethereal-0.10.5-0.30E.2.s390.rpm
cb2b66afaeac23cea5570e3d63639e67 ethereal-gnome-0.10.5-0.30E.2.s390.rpm

s390x:
3a58d3ce6c36a8ed26acaf7d87ae99a3 ethereal-0.10.5-0.30E.2.s390x.rpm
5996b8a24b8a1fe531902caa66512a3f ethereal-gnome-0.10.5-0.30E.2.s390x.rpm

x86_64:
0167f986d80088b4118b563fe06a62b3 ethereal-0.10.5-0.30E.2.x86_64.rpm
98448ea99dc58ab55072961508c7305e ethereal-gnome-0.10.5-0.30E.2.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/ethereal-0.10.5-0.30E.2.src.rpm
5104f1cd2dea35fd3fdf79337a76783b ethereal-0.10.5-0.30E.2.src.rpm

i386:
16e8b243835adf2d389847b83012476d ethereal-0.10.5-0.30E.2.i386.rpm
c994b6a92771d734260c850e530b638c ethereal-gnome-0.10.5-0.30E.2.i386.rpm

ia64:
ec1027f7961c9109a7f29888805b6b4d ethereal-0.10.5-0.30E.2.ia64.rpm
2e66c5f80398fdda9ad4d1dbc44bcb29 ethereal-gnome-0.10.5-0.30E.2.ia64.rpm

x86_64:
0167f986d80088b4118b563fe06a62b3 ethereal-0.10.5-0.30E.2.x86_64.rpm
98448ea99dc58ab55072961508c7305e ethereal-gnome-0.10.5-0.30E.2.x86_64.rpm

Red Hat Enterprise Linux WS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/ethereal-0.10.5-0.30E.2.src.rpm
5104f1cd2dea35fd3fdf79337a76783b ethereal-0.10.5-0.30E.2.src.rpm

i386:
16e8b243835adf2d389847b83012476d ethereal-0.10.5-0.30E.2.i386.rpm
c994b6a92771d734260c850e530b638c ethereal-gnome-0.10.5-0.30E.2.i386.rpm

ia64:
ec1027f7961c9109a7f29888805b6b4d ethereal-0.10.5-0.30E.2.ia64.rpm
2e66c5f80398fdda9ad4d1dbc44bcb29 ethereal-gnome-0.10.5-0.30E.2.ia64.rpm

x86_64:
0167f986d80088b4118b563fe06a62b3 ethereal-0.10.5-0.30E.2.x86_64.rpm
98448ea99dc58ab55072961508c7305e ethereal-gnome-0.10.5-0.30E.2.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key.html#package

7. References:

http://www.ethereal.com/appnotes/enpa-sa-00015.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0633
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0634
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0635

8. Contact:

The Red Hat security contact is .
More contact details at https://www.redhat.com/security/team/contact.html

Copyright 2004 Red Hat, Inc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBEmKsXlSAg2UNWIIRAvoMAKCs2vJUbX+cWSM94cJdpbryiw3LDgCgstOG
9jnGk4Fcu0pz7dhR9k2U1AQ=
=XUSM
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Aug 18 15:34:00 2004
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 18 Aug 2004 11:34 -0400
Subject: [RHSA-2004:304-01] Updated pam packages
Message-ID: <200408181534.i7IFYOr24035@lacrosse.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Updated pam packages
Advisory ID:       RHSA-2004:304-01
Issue date:        2004-08-18
Updated on:        2004-08-18
Product:           Red Hat Enterprise Linux
Keywords:          pam pam_wheel pam_lastlog
CVE Names:         CAN-2003-0388
- ---------------------------------------------------------------------

1. Summary:

Updated pam packages that fix a security vulnerability are now available for Red Hat Enterprise Linux 2.1.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64
Red Hat Linux Advanced Workstation 2.1 - ia64
Red Hat Enterprise Linux ES version 2.1 - i386
Red Hat Enterprise Linux WS version 2.1 - i386

3. Problem description:

PAM (Pluggable Authentication Modules) is a system security tool that allows system administrators to set an authentication policy without having to recompile programs that handle authentication.
These updates fix a potential security problem present in the pam_wheel module. These updates correct a bug in the pam_lastlog module which prevented it from properly manipulating the /var/log/lastlog entry for users with very high user IDs.

The pam_wheel module is used to restrict access to a particular service based on group membership. If the pam_wheel module was used with the "trust" option enabled, but without the "use_uid" option, any local user would be able to spoof the username returned by getlogin(). The user could therefore gain access to a superuser account without supplying a password. In Red Hat Enterprise Linux 2.1, pam_wheel is not used by default. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0388 to this issue.

When manipulating the entry in /var/log/lastlog, which corresponds to a given user, the pam_lastlog module calculates the location of the entry by multiplying the UID and the length of an entry in the file. On some systems, the result of this calculation would mistakenly be truncated to 32 bits for users with sufficiently high UIDs.

All users of pam should upgrade to these updated packages, which resolve these issues.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

Use Red Hat Network to download and update your packages. To launch the Red Hat Update Agent, use the following command:

up2date

For information on how to install packages manually, refer to the following Web page for the System Administration or Customization guide specific to your system:

http://www.redhat.com/docs/manuals/enterprise/

5. Bug IDs fixed (http://bugzilla.redhat.com/ for more info):

98826 - CAN-2003-0388 pam_wheel uses getlogin in insecure fashion

6. RPMs required:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/pam-0.75-46.9.src.rpm
5c78062a595e3443d22ca145b774cd34 pam-0.75-46.9.src.rpm

i386:
1a72acefcb8b2c7bfb875f9024ae818b pam-0.75-46.9.i386.rpm
e129fb8519d309ab26d3045bd91bb2e3 pam-devel-0.75-46.9.i386.rpm

ia64:
851a5e5a7f78b4a4cbde060c62ab1e7d pam-0.75-46.9.ia64.rpm
3b23b14f7cfbcf2a73d21fd3a0b18bda pam-devel-0.75-46.9.ia64.rpm

Red Hat Linux Advanced Workstation 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1AW/en/os/SRPMS/pam-0.75-46.9.src.rpm
5c78062a595e3443d22ca145b774cd34 pam-0.75-46.9.src.rpm

ia64:
851a5e5a7f78b4a4cbde060c62ab1e7d pam-0.75-46.9.ia64.rpm
3b23b14f7cfbcf2a73d21fd3a0b18bda pam-devel-0.75-46.9.ia64.rpm

Red Hat Enterprise Linux ES version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/pam-0.75-46.9.src.rpm
5c78062a595e3443d22ca145b774cd34 pam-0.75-46.9.src.rpm

i386:
1a72acefcb8b2c7bfb875f9024ae818b pam-0.75-46.9.i386.rpm
e129fb8519d309ab26d3045bd91bb2e3 pam-devel-0.75-46.9.i386.rpm

Red Hat Enterprise Linux WS version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/pam-0.75-46.9.src.rpm
5c78062a595e3443d22ca145b774cd34 pam-0.75-46.9.src.rpm

i386:
1a72acefcb8b2c7bfb875f9024ae818b pam-0.75-46.9.i386.rpm
e129fb8519d309ab26d3045bd91bb2e3 pam-devel-0.75-46.9.i386.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key.html#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0388

8. Contact:

The Red Hat security contact is .
More contact details at https://www.redhat.com/security/team/contact.html

Copyright 2004 Red Hat, Inc.
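The pam_lastlog calculation described in this advisory (UID multiplied by the record length, with the product truncated to 32 bits on some systems) as an added worked example; this is editor-supplied code, not code from the pam package or from the advisory. It assumes glibc's struct lastlog layout on Linux (a 32-bit ll_time, a 32-byte ll_line and a 256-byte ll_host, 292 bytes in all) and uses hypothetical function names. It shows the 32-bit form that wraps beside the widened form, finds the lowest UID at which the two disagree, and works out which low-UID record a wrapped offset would actually land on.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Size in bytes of one /var/log/lastlog record. Assumption for this
 * example: glibc's struct lastlog is a 32-bit ll_time plus ll_line[32]
 * plus ll_host[256] = 292 bytes. */
#define LASTLOG_ENTRY_SIZE 292u

/* Buggy form (hypothetical name): the product is computed in 32-bit
 * arithmetic, as it is when uid_t and size_t are both 32 bits wide, so
 * it wraps modulo 2^32 before it ever reaches lseek(). */
uint32_t lastlog_offset_truncated(uint32_t uid)
{
    return uid * LASTLOG_ENTRY_SIZE; /* unsigned wraparound, well defined in C */
}

/* Fixed form (hypothetical name): widen both operands to a 64-bit file
 * offset before multiplying, so the product is exact for every 32-bit UID. */
int64_t lastlog_offset_wide(uint32_t uid)
{
    return (int64_t)uid * (int64_t)LASTLOG_ENTRY_SIZE;
}

/* 1 if the two computations disagree, i.e. the record for `uid` would be
 * read from or written to the wrong place in the file. */
int lastlog_offset_is_truncated(uint32_t uid)
{
    return (int64_t)lastlog_offset_truncated(uid) != lastlog_offset_wide(uid);
}

/* Lowest UID whose offset no longer fits in 32 bits: floor(2^32 / size) + 1.
 * 2^32 is not a multiple of 292, so the floor value itself still fits. */
uint32_t lastlog_first_truncated_uid(void)
{
    return (uint32_t)((UINT64_C(1) << 32) / LASTLOG_ENTRY_SIZE) + 1u;
}

/* Index of the low-UID record that a wrapped write for `uid` would land in.
 * Only meaningful when lastlog_offset_is_truncated(uid) is true. */
uint32_t lastlog_overlapped_record(uint32_t uid)
{
    return lastlog_offset_truncated(uid) / LASTLOG_ENTRY_SIZE;
}

int main(void)
{
    /* Constructed sample UIDs: an ordinary user, the first UID that wraps,
     * and the largest 32-bit UID. */
    uint32_t uids[] = { 1000u, lastlog_first_truncated_uid(), 0xFFFFFFFFu };
    size_t n = sizeof uids / sizeof uids[0];

    for (size_t i = 0; i < n; i++) {
        uint32_t uid = uids[i];
        printf("uid %10" PRIu32 ": 64-bit offset %13" PRId64
               ", 32-bit offset %10" PRIu32 "%s\n",
               uid, lastlog_offset_wide(uid), lastlog_offset_truncated(uid),
               lastlog_offset_is_truncated(uid) ? " (wrapped)" : "");
        if (lastlog_offset_is_truncated(uid))
            printf("%16s-> lands inside the record of uid %" PRIu32 "\n", "",
                   lastlog_overlapped_record(uid));
    }
    return 0;
}
```

With a 292-byte record the first UID that wraps is 14708793: its true offset is 4294967556, but the 32-bit product is 260, which is inside record 0, so updating that user's entry would overwrite root's lastlog record instead of its own. Widening to a 64-bit file offset before the multiplication, as lastlog_offset_wide() does, is the standard fix for this class of bug; the same 64-to-32-bit truncation pattern underlies the file offset pointer issue (CAN-2004-0415) described in the kernel advisories in this digest.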
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBI3b5XlSAg2UNWIIRAgqDAJ0ZiQBQrEnBQmVbGYccs+GoNSJHrACggz20
K4KiRT8dwdkOwsMQ4U6Nen8=
=G3lR
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Aug 18 15:34:00 2004
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 18 Aug 2004 11:34 -0400
Subject: [RHSA-2004:327-01] Updated Itanium kernel packages resolve security issues
Message-ID: <200408181534.i7IFYkr24043@lacrosse.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Updated Itanium kernel packages resolve security issues
Advisory ID:       RHSA-2004:327-01
Issue date:        2004-08-18
Updated on:        2004-08-18
Product:           Red Hat Enterprise Linux
CVE Names:         CAN-2004-0415 CAN-2004-0427 CAN-2004-0495 CAN-2004-0497 CAN-2004-0535 CAN-2004-0587
- ---------------------------------------------------------------------

1. Summary:

Updated Itanium kernel packages that fix a number of security issues are now available.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - ia64
Red Hat Linux Advanced Workstation 2.1 - ia64

3. Problem description:

The Linux kernel handles the basic functions of the operating system. This kernel updates several important drivers and fixes a number of bugs including potential security vulnerabilities.

Paul Starzetz discovered flaws in the Linux kernel when handling file offset pointers. These consist of invalid conversions of 64 to 32-bit file offset pointers and possible race conditions. A local unprivileged user could make use of these flaws to access large portions of kernel memory. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0415 to this issue.

A flaw was discovered in an error path supporting the clone() system call that allowed local users to cause a denial of service (memory leak) by passing invalid arguments to clone() running in an infinite loop of a user's program (CAN-2004-0427).

Enhancements were committed to the 2.6 kernel by Al Viro which enabled the Sparse source code checking tool to check for a certain class of kernel bugs. A subset of these fixes also applies to various drivers in the 2.4 kernel. Although the majority of these reside in drivers unsupported in Red Hat Enterprise Linux 3, the flaws could lead to privilege escalation or access to kernel memory (CAN-2004-0495).

During an audit of the Linux kernel, SUSE discovered a flaw that allowed a user to make unauthorized changes to the group ID of files in certain circumstances. In the 2.4 kernel, as shipped with Red Hat Enterprise Linux, the only way this could happen is through the kernel NFS server. A user on a system that mounted a remote file system from a vulnerable machine may be able to make unauthorized changes to the group ID of exported files (CAN-2004-0497).

A bug in the e1000 network driver has been addressed. This bug could be used by local users to leak small amounts of kernel memory (CAN-2004-0535).

Inappropriate permissions on /proc/scsi/qla2300/HbaApiNode (CAN-2004-0587).

The following drivers have also been updated:

fusion to 2.05.16
ips to 7.00.15
cciss to 2.4.52
e1000 to v. 5.2.52-k1
e100 to v. 2.3.43-k1

All users are advised to upgrade to these errata packages, which contain backported security patches that correct these issues.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

Use Red Hat Network to download and update your packages. To launch the Red Hat Update Agent, use the following command:

up2date

For information on how to install packages manually, refer to the following Web page for the System Administration or Customization guide specific to your system:

http://www.redhat.com/docs/manuals/enterprise/

5. Bug IDs fixed (http://bugzilla.redhat.com/ for more info):

113603 - CAN-2004-0003 r128 DRI ipf
125171 - CAN-2004-0535 e1000 kernel memory leak (ia64)
126401 - CAN-2004-0587 Bad permissions on qla* drivers (ipf)
126404 - CAN-2004-0427 do_fork DoS (ipf)
126410 - CAN-2004-0495 Sparse security fixes backported for 2.4 kernel (ipf)
126416 - CAN-2004-0415 file offset pointer signedness issues (ipf)
126718 - CAN-2004-0497 inode_change_ok missing checks allows GID changes (ipf)

6. RPMs required:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/kernel-2.4.18-e.47.src.rpm
682a3c9374c1cf61576eb4b70317306c kernel-2.4.18-e.47.src.rpm

ia64:
7e17c71d9a048d95f685ba8060cd3aa0 kernel-2.4.18-e.47.ia64.rpm
71642540490c1e1a1804b157b9524e6a kernel-doc-2.4.18-e.47.ia64.rpm
6389fb4721a265849d41719fb4dbe098 kernel-smp-2.4.18-e.47.ia64.rpm
b465602af3916a886f55b8b902666553 kernel-source-2.4.18-e.47.ia64.rpm

Red Hat Linux Advanced Workstation 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1AW/en/os/SRPMS/kernel-2.4.18-e.47.src.rpm
682a3c9374c1cf61576eb4b70317306c kernel-2.4.18-e.47.src.rpm

ia64:
7e17c71d9a048d95f685ba8060cd3aa0 kernel-2.4.18-e.47.ia64.rpm
71642540490c1e1a1804b157b9524e6a kernel-doc-2.4.18-e.47.ia64.rpm
6389fb4721a265849d41719fb4dbe098 kernel-smp-2.4.18-e.47.ia64.rpm
b465602af3916a886f55b8b902666553 kernel-source-2.4.18-e.47.ia64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key.html#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0415
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0427
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0495
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0497
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0535
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0587

8. Contact:

The Red Hat security contact is .
More contact details at https://www.redhat.com/security/team/contact.html

Copyright 2004 Red Hat, Inc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBI3cPXlSAg2UNWIIRAontAJ9NbULQJVSpvY9t/M0hUXDvVWOeXACggla/
WEMj7Ts/nSXjk718RnMM2DQ=
=zwzC
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Aug 18 15:39:00 2004
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 18 Aug 2004 11:39 -0400
Subject: [RHSA-2004:344-01] Updated semi packages fix flim vulnerability
Message-ID: <200408181539.i7IFdUr24443@lacrosse.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Updated semi packages fix flim vulnerability
Advisory ID:       RHSA-2004:344-01
Issue date:        2004-08-18
Updated on:        2004-08-18
Product:           Red Hat Enterprise Linux
CVE Names:         CAN-2004-0422
- ---------------------------------------------------------------------

1. Summary:

Updated semi packages that fix vulnerabilities in flim temporary file handling are now available.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - noarch
Red Hat Linux Advanced Workstation 2.1 - noarch
Red Hat Enterprise Linux ES version 2.1 - noarch
Red Hat Enterprise Linux WS version 2.1 - noarch

3. Problem description:

The semi package includes a MIME library for GNU Emacs and XEmacs used by the wl mail package.
Tatsuya Kinoshita discovered a vulnerability in flim, an emacs library for working with Internet messages included in the semi package. Temporary files were being created without taking adequate precautions, and therefore a local user could potentially overwrite files with the privileges of the user running emacs. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0422 to this issue.

Users of semi are advised to upgrade to these packages, which contain a backported patch fixing this issue.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

Use Red Hat Network to download and update your packages. To launch the Red Hat Update Agent, use the following command:

up2date

For information on how to install packages manually, refer to the following Web page for the System Administration or Customization guide specific to your system:

http://www.redhat.com/docs/manuals/enterprise/

5. Bug IDs fixed (http://bugzilla.redhat.com/ for more info):

124396 - CAN-2004-0422 flim temporary file vulnerability affects semi packages

6. RPMs required:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/semi-1.14.3-8.72.EL.1.src.rpm
dfcfc66f790902402b72eedd3a806284 semi-1.14.3-8.72.EL.1.src.rpm

noarch:
23c1b96f8d9fc3d3aefa21812adbd5a1 semi-1.14.3-8.72.EL.1.noarch.rpm
2e5dc06d5aadf594ae7222706e230e0e semi-xemacs-1.14.3-8.72.EL.1.noarch.rpm

Red Hat Linux Advanced Workstation 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1AW/en/os/SRPMS/semi-1.14.3-8.72.EL.1.src.rpm
dfcfc66f790902402b72eedd3a806284 semi-1.14.3-8.72.EL.1.src.rpm

noarch:
23c1b96f8d9fc3d3aefa21812adbd5a1 semi-1.14.3-8.72.EL.1.noarch.rpm
2e5dc06d5aadf594ae7222706e230e0e semi-xemacs-1.14.3-8.72.EL.1.noarch.rpm

Red Hat Enterprise Linux ES version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/semi-1.14.3-8.72.EL.1.src.rpm
dfcfc66f790902402b72eedd3a806284 semi-1.14.3-8.72.EL.1.src.rpm

noarch:
23c1b96f8d9fc3d3aefa21812adbd5a1 semi-1.14.3-8.72.EL.1.noarch.rpm
2e5dc06d5aadf594ae7222706e230e0e semi-xemacs-1.14.3-8.72.EL.1.noarch.rpm

Red Hat Enterprise Linux WS version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/semi-1.14.3-8.72.EL.1.src.rpm
dfcfc66f790902402b72eedd3a806284 semi-1.14.3-8.72.EL.1.src.rpm

noarch:
23c1b96f8d9fc3d3aefa21812adbd5a1 semi-1.14.3-8.72.EL.1.noarch.rpm
2e5dc06d5aadf594ae7222706e230e0e semi-xemacs-1.14.3-8.72.EL.1.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key.html#package

7. References:

http://www.debian.org/security/2004/dsa-500
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0422

8. Contact:

The Red Hat security contact is .
More contact details at https://www.redhat.com/security/team/contact.html

Copyright 2004 Red Hat, Inc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBI3gtXlSAg2UNWIIRAnN+AKC487DeVPq9+AWecE+laJLZIMcu2ACgiTtZ
ECgnZ7wpQkHixcgJoaSIaZc=
=j0Ei
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Aug 18 15:40:00 2004
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 18 Aug 2004 11:40 -0400
Subject: [RHSA-2004:429-01] Netscape 4.8 contains security flaws
Message-ID: <200408181540.i7IFeFr24573@lacrosse.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Netscape 4.8 contains security flaws
Advisory ID:       RHSA-2004:429-01
Issue date:        2004-08-18
Updated on:        2004-08-18
Product:           Red Hat Enterprise Linux
CVE Names:         CAN-2004-0597 CAN-2004-0598 CAN-2004-0599
- ---------------------------------------------------------------------

1. Summary:

Netscape Navigator and Netscape Communicator 4.8 as distributed with Red Hat Enterprise Linux 2.1 contain security flaws and should not be used.

2. Problem description:

Netscape Navigator and Netscape Communicator have been removed from the Red Hat Enterprise Linux 2.1 CD-ROM distribution as part of Update 5. These packages were based on Netscape 4.8, which is known to be vulnerable to recent critical security issues, such as CAN-2004-0597, CAN-2004-0598, and CAN-2004-0599.

Netscape 7.2 contains fixes for these issues and is available from http://www.netscape.com/. Netscape 4.8 packages will also remain available via Red Hat Network for those who choose to use them despite their known security vulnerabilities.

Users of Netscape 4.8 are advised to switch to Mozilla, which is included and supported in Red Hat Enterprise Linux 2.1, and offers comparable functionality.

3. Solution:

Red Hat Enterprise 2.1 users who do not need the functionality of Netscape 4.8 should uninstall the netscape packages.

4. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0597
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0598
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0599

5. Contact:

The Red Hat security contact is .
More contact details at https://www.redhat.com/security/team/contact.html

Copyright 2004 Red Hat, Inc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBI3hCXlSAg2UNWIIRAiL5AKCUnrKuVqngBE/e0EFiALh6bgNOFQCcDYan
Su5PyPkP0gtCB+wT2whAFMw=
=uMrU
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Aug 18 15:40:00 2004
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 18 Aug 2004 11:40 -0400
Subject: [RHSA-2004:437-01] Updated kernel packages fix security vulnerability
Message-ID: <200408181540.i7IFeWr24597@lacrosse.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Updated kernel packages fix security vulnerability
Advisory ID:       RHSA-2004:437-01
Issue date:        2004-08-18
Updated on:        2004-08-18
Product:           Red Hat Enterprise Linux
Keywords:          kernel update
Obsoletes:         RHSA-2004:044
CVE Names:         CAN-2004-0178
- ---------------------------------------------------------------------

1. Summary:

Updated kernel packages are now available as part of ongoing support and maintenance of Red Hat Enterprise Linux version 2.1. This is the fifth regular update.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - athlon, i386, i686
Red Hat Enterprise Linux ES version 2.1 - athlon, i386, i686
Red Hat Enterprise Linux WS version 2.1 - athlon, i386, i686

3. Problem description:

The Linux kernel handles the basic functions of the operating system.

This is the fifth regular kernel update to Red Hat Enterprise Linux version 2.1. It contains one minor security fix, many bug fixes, and updates a number of device drivers.
A bug in the SoundBlaster 16 code which did not properly handle certain sample sizes has been fixed. This flaw could be used by local users to crash a system. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0178 to this issue. The following drivers have also been updated: * cciss v2.4.52 * e1000 v5252k1 * e100 v2.3.43-k1 * fusion v2.05.16 * ips v7.00.15 * aacraid v1.1.5 * megaraid2 v2.10.6 All Red Hat Enterprise Linux 2.1 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. To update all RPMs for your particular architecture, run: rpm -Fvh [filenames] where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs. Please note that this update is also available via Red Hat Network. Many people find this an easier way to apply updates. To use Red Hat Network, launch the Red Hat Update Agent with the following command: up2date This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. If up2date fails to connect to Red Hat Network due to SSL Certificate Errors, you need to install a version of the up2date client with an updated certificate. The latest version of up2date is available from the Red Hat FTP site and may also be downloaded directly from the RHN website: https://rhn.redhat.com/help/latest-up2date.pxt 5. 
Bug IDs fixed (http://bugzilla.redhat.com/ for more info): 117902 - kswapd consumes a large amount of CPU for an extended period of time 117460 - SSH fails in various contexts with ENOBUFS error 121046 - CAN-2004-0178 Soundblaster 16 local DoS 114960 - nfs layer livelocks after after using up all of the kmap space 97868 - RFE: Via VT8233A chipset support 102749 - Kernel 2.4.9-e.25 does not support AMD VIPER 7441 ide chipset 109881 - RHEL2.1 U5: BLKSSZGET ioctl support for raw devices. 125281 - Cluster manager detects false failures under heavy system load 124716 - [PATCH] NFS Uncached IO logic error when mouting with noac and not specifying the rsize/wsize 6. RPMs required: Red Hat Enterprise Linux AS (Advanced Server) version 2.1: SRPMS: ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/kernel-2.4.9-e.49.src.rpm 90e81ad53fbd763b08744fb10d1b7a09 kernel-2.4.9-e.49.src.rpm athlon: 187da57ef1034930bd18d7110a2aa522 kernel-2.4.9-e.49.athlon.rpm a24ef35b3182cc2c903576256da09b66 kernel-smp-2.4.9-e.49.athlon.rpm i386: e4c51c2881cae114319771b44ba46875 kernel-BOOT-2.4.9-e.49.i386.rpm 19f6d4d07036ef6cd2a0ec48309d8b58 kernel-doc-2.4.9-e.49.i386.rpm c850508fb6b7839f029b8e814322d0f1 kernel-headers-2.4.9-e.49.i386.rpm 4d9f52af152f2dc3c54513f789abe7b2 kernel-source-2.4.9-e.49.i386.rpm i686: 9af120eae67eeff866368168a38ff809 kernel-2.4.9-e.49.i686.rpm 416e2f3f933bf0b210362d4592854d65 kernel-debug-2.4.9-e.49.i686.rpm 4aebb75ad8fb467539d395c576c49e05 kernel-enterprise-2.4.9-e.49.i686.rpm d32ee8bfdd1f34cc4c391e809199855e kernel-smp-2.4.9-e.49.i686.rpm 03f4fd713ad46842a45a8d7c1d6a008f kernel-summit-2.4.9-e.49.i686.rpm Red Hat Enterprise Linux ES version 2.1: SRPMS: ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/kernel-2.4.9-e.49.src.rpm 90e81ad53fbd763b08744fb10d1b7a09 kernel-2.4.9-e.49.src.rpm athlon: 187da57ef1034930bd18d7110a2aa522 kernel-2.4.9-e.49.athlon.rpm a24ef35b3182cc2c903576256da09b66 kernel-smp-2.4.9-e.49.athlon.rpm i386: e4c51c2881cae114319771b44ba46875 
kernel-BOOT-2.4.9-e.49.i386.rpm 19f6d4d07036ef6cd2a0ec48309d8b58 kernel-doc-2.4.9-e.49.i386.rpm c850508fb6b7839f029b8e814322d0f1 kernel-headers-2.4.9-e.49.i386.rpm 4d9f52af152f2dc3c54513f789abe7b2 kernel-source-2.4.9-e.49.i386.rpm i686: 9af120eae67eeff866368168a38ff809 kernel-2.4.9-e.49.i686.rpm 416e2f3f933bf0b210362d4592854d65 kernel-debug-2.4.9-e.49.i686.rpm d32ee8bfdd1f34cc4c391e809199855e kernel-smp-2.4.9-e.49.i686.rpm Red Hat Enterprise Linux WS version 2.1: SRPMS: ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/kernel-2.4.9-e.49.src.rpm 90e81ad53fbd763b08744fb10d1b7a09 kernel-2.4.9-e.49.src.rpm athlon: 187da57ef1034930bd18d7110a2aa522 kernel-2.4.9-e.49.athlon.rpm a24ef35b3182cc2c903576256da09b66 kernel-smp-2.4.9-e.49.athlon.rpm i386: e4c51c2881cae114319771b44ba46875 kernel-BOOT-2.4.9-e.49.i386.rpm 19f6d4d07036ef6cd2a0ec48309d8b58 kernel-doc-2.4.9-e.49.i386.rpm c850508fb6b7839f029b8e814322d0f1 kernel-headers-2.4.9-e.49.i386.rpm 4d9f52af152f2dc3c54513f789abe7b2 kernel-source-2.4.9-e.49.i386.rpm i686: 9af120eae67eeff866368168a38ff809 kernel-2.4.9-e.49.i686.rpm 416e2f3f933bf0b210362d4592854d65 kernel-debug-2.4.9-e.49.i686.rpm 4aebb75ad8fb467539d395c576c49e05 kernel-enterprise-2.4.9-e.49.i686.rpm d32ee8bfdd1f34cc4c391e809199855e kernel-smp-2.4.9-e.49.i686.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key.html#package 7. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0178 8. Contact: The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact.html Copyright 2004 Red Hat, Inc. 
From bugzilla at redhat.com Fri Aug 20 20:51:00 2004
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Fri, 20 Aug 2004 16:51 -0400
Subject: [RHSA-2004:414-01] Updated qt packages fix security issues
Message-ID: <200408202051.i7KKpUr02991@lacrosse.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Updated qt packages fix security issues
Advisory ID:       RHSA-2004:414-01
Issue date:        2004-08-20
Updated on:        2004-08-20
Product:           Red Hat Enterprise Linux
CVE Names:         CAN-2004-0691 CAN-2004-0692 CAN-2004-0693
- ---------------------------------------------------------------------

1. Summary:

Updated qt packages that fix security issues in several of the image
decoders are now available.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64
Red Hat Linux Advanced Workstation 2.1 - ia64
Red Hat Enterprise Linux ES version 2.1 - i386
Red Hat Enterprise Linux WS version 2.1 - i386
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64

3. Problem description:

Qt is a software toolkit that simplifies the task of writing and
maintaining GUI (Graphical User Interface) applications for the X Window
System.

During a security audit, Chris Evans discovered a heap overflow in the BMP
image decoder in Qt versions prior to 3.3.3. An attacker could create a
carefully crafted BMP file in such a way that it would cause an
application linked with Qt to crash or possibly execute arbitrary code
when the file was opened by a victim.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-0691 to this issue.

Additionally, various flaws were discovered in the GIF, XPM, and JPEG
decoders in Qt versions prior to 3.3.3. An attacker could create
carefully crafted image files in such a way that it could cause an
application linked against Qt to crash when the file was opened by a
victim. The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CAN-2004-0692 and CAN-2004-0693 to these issues.

Users of Qt should update to these updated packages which contain
backported patches and are not vulnerable to these issues.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

Use Red Hat Network to download and update your packages. To launch the
Red Hat Update Agent, use the following command:

up2date

For information on how to install packages manually, refer to the
following Web page for the System Administration or Customization guide
specific to your system:

http://www.redhat.com/docs/manuals/enterprise/

5. Bug IDs fixed (http://bugzilla.redhat.com/ for more info):

128720 - CAN-2004-0691 BMP decoder heap overflow

6. RPMs required:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/qt-2.3.1-10.src.rpm

Red Hat Linux Advanced Workstation 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1AW/en/os/SRPMS/qt-2.3.1-10.src.rpm

Red Hat Enterprise Linux ES version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/qt-2.3.1-10.src.rpm

Red Hat Enterprise Linux WS version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/qt-2.3.1-10.src.rpm

Red Hat Enterprise Linux AS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/qt-3.1.2-13.4.src.rpm

Red Hat Desktop version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/qt-3.1.2-13.4.src.rpm

Red Hat Enterprise Linux ES version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/qt-3.1.2-13.4.src.rpm

Red Hat Enterprise Linux WS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/qt-3.1.2-13.4.src.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key.html#package

7. References:

http://www.trolltech.com/developer/changes/changes-3.3.3.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0691
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0692
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0693

8. Contact:

The Red Hat security contact is . More contact details at
https://www.redhat.com/security/team/contact.html

Copyright 2004 Red Hat, Inc.
From bugzilla at redhat.com Thu Aug 26 16:31:00 2004
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 26 Aug 2004 12:31 -0400
Subject: [RHSA-2004:432-01] Updated acrobat package fixes security issues
Message-ID: <200408261631.i7QGVSr26631@lacrosse.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Updated acrobat package fixes security issues
Advisory ID:       RHSA-2004:432-01
Issue date:        2004-08-26
Updated on:        2004-08-26
Product:           Red Hat Enterprise Linux LACD
CVE Names:         CAN-2004-0631 CAN-2004-0630
- ---------------------------------------------------------------------

1. Summary:

An updated Adobe Acrobat Reader package that fixes multiple security
issues is now available.

2. Relevant releases/architectures:

Red Hat Enterprise Linux LACD 3AS - i386
Red Hat Enterprise Linux LACD 3Desktop - i386
Red Hat Enterprise Linux LACD 3ES - i386
Red Hat Enterprise Linux LACD 3WS - i386

3. Problem description:

The Adobe Acrobat Reader browser allows for the viewing, distributing,
and printing of documents in portable document format (PDF).

iDEFENSE has reported that Adobe Acrobat Reader 5.0 contains a buffer
overflow when decoding uuencoded documents. An attacker could execute
arbitrary code on a victim's machine if a user opens a specially crafted
uuencoded document. This issue poses the threat of remote execution,
since Acrobat Reader may be the default handler for PDF files. The
Common Vulnerabilities and Exposures project has assigned the name
CAN-2004-0631 to this issue.

iDEFENSE also reported that Adobe Acrobat Reader 5.0 contains an input
validation error in its uuencoding feature.
An attacker could create a file with a specially crafted file name which
could lead to arbitrary command execution on a victim's machine. The
Common Vulnerabilities and Exposures project has assigned the name
CAN-2004-0630 to this issue.

All users of Acrobat Reader are advised to upgrade to this updated
package, which is not vulnerable to these issues.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

Use Red Hat Network to download and update your packages. To launch the
Red Hat Update Agent, use the following command:

up2date

For information on how to install packages manually, refer to the
following Web page for the System Administration or Customization guide
specific to your system:

http://www.redhat.com/docs/manuals/enterprise/

5. RPMs required:

Red Hat Enterprise Linux LACD 3AS:
Red Hat Enterprise Linux LACD 3Desktop:
Red Hat Enterprise Linux LACD 3ES:
Red Hat Enterprise Linux LACD 3WS:

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key.html#package

6. References:

http://www.idefense.com/application/poi/display?id=125&type=vulnerabilities
http://www.idefense.com/application/poi/display?id=124&type=vulnerabilities
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0631
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0630

7. Contact:

The Red Hat security contact is . More contact details at
https://www.redhat.com/security/team/contact.html

Copyright 2004 Red Hat, Inc.

From bugzilla at redhat.com Tue Aug 31 17:35:00 2004
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 31 Aug 2004 13:35 -0400
Subject: [RHSA-2004:448-01] Updated krb5 packages fix security vulnerabilities
Message-ID: <200408311735.i7VHZ0r07886@lacrosse.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Updated krb5 packages fix security vulnerabilities
Advisory ID:       RHSA-2004:448-01
Issue date:        2004-08-31
Updated on:        2004-08-31
Product:           Red Hat Enterprise Linux
Keywords:          krb5 double-free asn.1
Obsoletes:         RHSA-2004:236
CVE Names:         CAN-2004-0642 CAN-2004-0643 CAN-2004-0644
- ---------------------------------------------------------------------

1. Summary:

Updated Kerberos (krb5) packages that correct double-free and ASN.1
parsing bugs are now available for Red Hat Enterprise Linux.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64
Red Hat Linux Advanced Workstation 2.1 - ia64
Red Hat Enterprise Linux ES version 2.1 - i386
Red Hat Enterprise Linux WS version 2.1 - i386

3. Problem description:

Kerberos is a networked authentication system that uses a trusted third
party (a KDC) to authenticate clients and servers to each other.

Several double-free bugs were found in the Kerberos 5 KDC and libraries.
A remote attacker could potentially exploit these flaws to execute
arbitrary code. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the names CAN-2004-0642 and CAN-2004-0643 to
these issues.
A double-free bug was also found in the krb524 server (CAN-2004-0772);
however, this issue was fixed for Red Hat Enterprise Linux 2.1 users by a
previous erratum, RHSA-2003:052.

An infinite loop bug was found in the Kerberos 5 ASN.1 decoder library. A
remote attacker may be able to trigger this flaw and cause a denial of
service. The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2004-0644 to this issue.

All users of krb5 should upgrade to these updated packages, which contain
backported security patches to resolve these issues.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

Use Red Hat Network to download and update your packages. To launch the
Red Hat Update Agent, use the following command:

up2date

For information on how to install packages manually, refer to the
following Web page for the System Administration or Customization guide
specific to your system:

http://www.redhat.com/docs/manuals/enterprise/

5. Bug IDs fixed (http://bugzilla.redhat.com/ for more info):

129680 - Upgrading to krb5-libs 1.2.2-27 can cause undefined symbol __dn_expand

6. RPMs required:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/krb5-1.2.2-31.src.rpm

Red Hat Linux Advanced Workstation 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1AW/en/os/SRPMS/krb5-1.2.2-31.src.rpm

Red Hat Enterprise Linux ES version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/krb5-1.2.2-31.src.rpm

Red Hat Enterprise Linux WS version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/krb5-1.2.2-31.src.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key.html#package

7. References:

http://web.mit.edu/kerberos/advisories/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0642
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0643
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0644

8. Contact:

The Red Hat security contact is . More contact details at
https://www.redhat.com/security/team/contact.html

Copyright 2004 Red Hat, Inc.

From bugzilla at redhat.com Tue Aug 31 17:36:00 2004
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 31 Aug 2004 13:36 -0400
Subject: [RHSA-2004:350-01] Updated krb5 packages fix security issues
Message-ID: <200408311736.i7VHaCr07994@lacrosse.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Updated krb5 packages fix security issues
Advisory ID:       RHSA-2004:350-01
Issue date:        2004-08-31
Updated on:        2004-08-31
Product:           Red Hat Enterprise Linux
Keywords:          krb5 client timeout
Obsoletes:         RHSA-2004:236
CVE Names:         CAN-2004-0642 CAN-2004-0643 CAN-2004-0644
- ---------------------------------------------------------------------

1. Summary:

Updated krb5 packages that improve client responsiveness and fix several
security issues are now available for Red Hat Enterprise Linux 3.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, ppc64, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64

3. Problem description:

Kerberos is a networked authentication system that uses a trusted third
party (a KDC) to authenticate clients and servers to each other.

Several double-free bugs were found in the Kerberos 5 KDC and libraries.
A remote attacker could potentially exploit these flaws to execute
arbitrary code. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the names CAN-2004-0642 and CAN-2004-0643 to
these issues.

A double-free bug was also found in the krb524 server (CAN-2004-0772);
however, this issue does not affect Red Hat Enterprise Linux 3 Kerberos
packages.

An infinite loop bug was found in the Kerberos 5 ASN.1 decoder library. A
remote attacker may be able to trigger this flaw and cause a denial of
service. The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2004-0644 to this issue.

When attempting to contact a KDC, the Kerberos libraries will iterate
through the list of configured servers, attempting to contact each in
turn. If one of the servers becomes unresponsive, the client will time
out and contact the next configured server. When the library attempts to
contact the next KDC, the entire process is repeated. For applications
which must contact a KDC several times, the accumulated time spent
waiting can become significant. This update modifies the libraries, notes
which server for a given realm last responded to a request, and attempts
to contact that server first before contacting any of the other
configured servers.

All users of krb5 should upgrade to these updated packages, which contain
backported security patches to resolve these issues.

4.
Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains
the desired RPMs.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.

If up2date fails to connect to Red Hat Network due to SSL Certificate
Errors, you need to install a version of the up2date client with an
updated certificate. The latest version of up2date is available from the
Red Hat FTP site and may also be downloaded directly from the RHN website:

https://rhn.redhat.com/help/latest-up2date.pxt

5. RPMs required:

Red Hat Enterprise Linux AS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/krb5-1.2.7-28.src.rpm

Red Hat Desktop version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/krb5-1.2.7-28.src.rpm

Red Hat Enterprise Linux ES version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/krb5-1.2.7-28.src.rpm

Red Hat Enterprise Linux WS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/krb5-1.2.7-28.src.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key.html#package

6. References:

http://web.mit.edu/kerberos/advisories/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0642
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0643
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0644

7. Contact:

The Red Hat security contact is . More contact details at
https://www.redhat.com/security/team/contact.html

Copyright 2004 Red Hat, Inc.
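The KDC-selection change described in the RHSA-2004:350 problem description, as an added example that is not Red Hat's or MIT Kerberos's code: a simulation of a client walking its configured KDC list, with and without remembering the server that last responded for the realm. The realm name, KDC names, timeout and latency values are constructed.

```python
"""Simulation of KDC fallback in a Kerberos client, before and after the
RHSA-2004:350 change (added example; all servers and timings are constructed)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Kdc:
    name: str
    reachable: bool     # constructed flag: does this KDC answer at all?
    latency_ms: int     # constructed: round-trip time when it does answer


@dataclass
class Realm:
    name: str
    kdcs: List[Kdc]          # configured order, as the kdc lines of krb5.conf would list them
    timeout_ms: int = 1000   # how long the client waits on one KDC before moving on


def contact_kdc(realm: Realm, last_responded: Dict[str, str],
                prefer_last: bool) -> Tuple[Optional[str], int]:
    """One KDC request. Returns (name of the KDC that answered or None,
    milliseconds spent waiting, timeouts included).

    prefer_last=False models the pre-update libraries: the configured list is
    walked from the top on every request, so every request pays a full timeout
    for each unresponsive server ahead of the live one.
    prefer_last=True models the updated libraries: the server that last
    responded for this realm is tried first, then the configured order.
    """
    order = list(realm.kdcs)
    preferred = last_responded.get(realm.name) if prefer_last else None
    if preferred is not None:
        # stable sort: the remembered KDC moves to the front, the rest keep their order
        order.sort(key=lambda k: k.name != preferred)
    waited = 0
    for kdc in order:
        if kdc.reachable:
            last_responded[realm.name] = kdc.name   # note who answered for next time
            return kdc.name, waited + kdc.latency_ms
        waited += realm.timeout_ms                   # no reply: time out, try the next one
    return None, waited                              # every configured KDC timed out


def accumulated_wait(realm: Realm, requests: int, prefer_last: bool) -> int:
    """Total time an application spends waiting over `requests` KDC round trips."""
    memo: Dict[str, str] = {}
    return sum(contact_kdc(realm, memo, prefer_last)[1] for _ in range(requests))


def demo_realm() -> Realm:
    # Constructed realm: the first two configured KDCs are down, only the third answers.
    return Realm("EXAMPLE.COM", [
        Kdc("kdc1.example.com", reachable=False, latency_ms=0),
        Kdc("kdc2.example.com", reachable=False, latency_ms=0),
        Kdc("kdc3.example.com", reachable=True, latency_ms=50),
    ])


if __name__ == "__main__":
    realm = demo_realm()
    print("old libraries, 5 requests:", accumulated_wait(realm, 5, prefer_last=False), "ms")
    print("updated libraries, 5 requests:", accumulated_wait(realm, 5, prefer_last=True), "ms")
```

With two dead servers ahead of the live one, five requests cost 10250 ms the old way and 2250 ms with the remembered server tried first; if the remembered server later dies, one more timeout is paid and the memo moves to whichever server answers next.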
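Before handing downloaded packages to rpm -Fvh, a practitioner would check each file against the md5 column of the advisory's "RPMs required" section; the following is an added example of that check, not Red Hat's tooling. The package names are the krb5-1.2.7-28 ones from the advisory; the digests and file contents are constructed by the demo itself.

```python
"""Verify downloaded RPMs against an advisory's '<md5> <file>.rpm' listing
(added example; the sample listing and package bodies are constructed)."""
import hashlib
import os
import re
import tempfile
from typing import Dict, List

# One entry of an advisory's "RPMs required" section: 32 hex digits, whitespace, file name.
# Product headings, "i386:" labels and SRPMS URLs do not match and are skipped.
_ENTRY = re.compile(r"^([0-9a-f]{32})\s+(\S+\.rpm)$")


def parse_rpm_list(advisory_text: str) -> Dict[str, str]:
    """Return {package file name: expected MD5} from advisory text."""
    expected: Dict[str, str] = {}
    for line in advisory_text.splitlines():
        m = _ENTRY.match(line.strip())
        if m:
            expected[m.group(2)] = m.group(1)
    return expected


def md5_of_file(path: str) -> str:
    """Hex MD5 of a file, read in chunks so a large kernel RPM is not slurped into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_downloads(expected: Dict[str, str], directory: str) -> Dict[str, List[str]]:
    """Sort the advisory's packages into ok / mismatch / missing for files in `directory`.

    Only the 'ok' names should go on to rpm -Fvh; a 'mismatch' is a corrupt or
    substituted download and must not be installed. MD5 only shows the file arrived
    intact; that it came from Red Hat is shown by the GPG signature on the package.
    """
    result: Dict[str, List[str]] = {"ok": [], "mismatch": [], "missing": []}
    for name, digest in sorted(expected.items()):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            result["missing"].append(name)
        elif md5_of_file(path) != digest:
            result["mismatch"].append(name)
        else:
            result["ok"].append(name)
    return result


def run_demo() -> Dict[str, List[str]]:
    """Constructed end-to-end run in a temporary directory: write two fake packages,
    build an advisory-style listing from their real digests, then tamper with one
    file and re-check. The third entry has a placeholder digest and is never downloaded."""
    with tempfile.TemporaryDirectory() as d:
        libs = os.path.join(d, "krb5-libs-1.2.7-28.i386.rpm")
        server = os.path.join(d, "krb5-server-1.2.7-28.i386.rpm")
        with open(libs, "wb") as f:
            f.write(b"constructed package body A")
        with open(server, "wb") as f:
            f.write(b"constructed package body B")
        listing = "\n".join([
            "Red Hat Enterprise Linux AS version 3:",
            "i386:",
            f"{md5_of_file(libs)} krb5-libs-1.2.7-28.i386.rpm",
            f"{md5_of_file(server)} krb5-server-1.2.7-28.i386.rpm",
            f"{'0' * 32} krb5-workstation-1.2.7-28.i386.rpm",  # placeholder digest
        ])
        with open(server, "ab") as f:
            f.write(b" tampered in transit")        # simulate a corrupted download
        return check_downloads(parse_rpm_list(listing), d)


if __name__ == "__main__":
    for status, names in run_demo().items():
        print(f"{status:8s} {names}")
```

The signature check the advisory points to is a separate step (rpm --checksig on each file after importing the Red Hat key); this script only catches truncated or altered downloads.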