From bugzilla at redhat.com Fri Nov 12 17:03:00 2004
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Fri, 12 Nov 2004 12:03 -0500
Subject: [RHSA-2004:562-01] Updated httpd packages fix a security issue and bugs
Message-ID: <200411121703.iACH3ma10950@lacrosse.corp.redhat.com>

---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Updated httpd packages fix a security issue and bugs
Advisory ID:       RHSA-2004:562-01
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2004-562.html
Issue date:        2004-11-12
Updated on:        2004-11-12
Product:           Red Hat Enterprise Linux
CVE Names:         CAN-2004-0885 CAN-2004-0942
---------------------------------------------------------------------

1. Summary:

Updated httpd packages that include fixes for two security issues, as well as
other bugs, are now available.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64

3. Problem description:

The Apache HTTP server is a powerful, full-featured, efficient, and
freely-available Web server.

An issue has been discovered in the mod_ssl module when configured to use the
"SSLCipherSuite" directive in directory or location context. If a particular
location context has been configured to require a specific set of cipher
suites, then a client will be able to access that location using any cipher
suite allowed by the virtual host configuration. The Common Vulnerabilities
and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0885 to
this issue.

An issue has been discovered in the handling of white space in request header
lines using MIME folding. A malicious client could send a carefully crafted
request, forcing the server to consume large amounts of memory, leading to a
denial of service. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2004-0942 to this issue.

Several minor bugs were also discovered, including:

- In the mod_cgi module, problems that arise when CGI scripts are invoked from
  SSI pages by mod_include using the "#include virtual" syntax have been fixed.

- In the mod_dav_fs module, problems with the handling of indirect locks on the
  S/390x platform have been fixed.

Users of the Apache HTTP server who are affected by these issues should
upgrade to these updated packages, which contain backported patches.

4. Solution:

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

Use Red Hat Network to download and update your packages. To launch the Red
Hat Update Agent, use the following command:

up2date

For information on how to install packages manually, refer to the following
Web page for the System Administration or Customization guide specific to your
system:

http://www.redhat.com/docs/manuals/enterprise/

5. Bug IDs fixed (http://bugzilla.redhat.com/ for more info):

132593 - mod_dav_fs: indirect lock refresh broken on s390x
134825 - CAN-2004-0885 SSLCipherSuite bypass
138064 - CAN-2004-0942 Memory consumption DoS

6. RPMs required:

These packages are GPG signed by Red Hat for security. Our key and details on
how to verify the signature are available from
https://www.redhat.com/security/team/key.html#package

7. References:

http://www.apacheweek.com/features/security-20
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0885
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0942

8. Contact:

The Red Hat security contact is .
More contact details at https://www.redhat.com/security/team/contact.html

Copyright 2004 Red Hat, Inc.

From bugzilla at redhat.com Fri Nov 12 17:04:00 2004
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Fri, 12 Nov 2004 12:04 -0500
Subject: [RHSA-2004:609-01] Updated freeradius packages fix security flaws
Message-ID: <200411121704.iACH4ha10986@lacrosse.corp.redhat.com>

---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Updated freeradius packages fix security flaws
Advisory ID:       RHSA-2004:609-01
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2004-609.html
Issue date:        2004-11-12
Updated on:        2004-11-12
Product:           Red Hat Enterprise Linux
CVE Names:         CAN-2004-0938 CAN-2004-0960 CAN-2004-0961
---------------------------------------------------------------------

1. Summary:

Updated freeradius packages that fix a number of denial of service
vulnerabilities as well as minor bugs are now available for Red Hat Enterprise
Linux 3.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64

3. Problem description:

FreeRADIUS is a high-performance and highly configurable free RADIUS server
designed to allow centralized authentication and authorization for a network.

A number of flaws were found in FreeRADIUS versions prior to 1.0.1. An attacker
who is able to send packets to the server could construct carefully constructed
packets in such a way as to cause the server to consume memory or crash. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
names CAN-2004-0938, CAN-2004-0960, and CAN-2004-0961 to these issues.

Users of FreeRADIUS should update to these erratum packages that contain
FreeRADIUS 1.0.1, which is not vulnerable to these issues and also corrects a
number of bugs.

4. Solution:

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

Use Red Hat Network to download and update your packages. To launch the Red
Hat Update Agent, use the following command:

up2date

For information on how to install packages manually, refer to the following
Web page for the System Administration or Customization guide specific to your
system:

http://www.redhat.com/docs/manuals/enterprise/

5. Bug IDs fixed (http://bugzilla.redhat.com/ for more info):

127168 - rebuilding freeradius picks up system libeap rather than package libeap
127162 - zlib-devel is missing from BuildRequires in spec file
130606 - Missing buildrequires in freediag
130613 - radiusd.conf specifies other pam-auth than file installed in /etc/pam.d
135825 - CAN-2004-0938 Freeradius < 1.0.1 DoS and remote crash (CAN-2004-0960, CAN-2004-0961)

6. RPMs required:

These packages are GPG signed by Red Hat for security. Our key and details on
how to verify the signature are available from
https://www.redhat.com/security/team/key.html#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0938
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0960
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0961

8. Contact:

The Red Hat security contact is .

More contact details at https://www.redhat.com/security/team/contact.html

Copyright 2004 Red Hat, Inc.
From bugzilla at redhat.com Fri Nov 12 17:06:00 2004
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Fri, 12 Nov 2004 12:06 -0500
Subject: [RHSA-2004:615-01] Updated libxml2 package fixes security vulnerabilities
Message-ID: <200411121706.iACH67a11088@lacrosse.corp.redhat.com>

---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Updated libxml2 package fixes security vulnerabilities
Advisory ID:       RHSA-2004:615-01
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2004-615.html
Issue date:        2004-11-12
Updated on:        2004-11-12
Product:           Red Hat Enterprise Linux
CVE Names:         CAN-2004-0989
---------------------------------------------------------------------

1. Summary:

An updated libxml2 package that fixes multiple buffer overflows is now
available.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64
Red Hat Linux Advanced Workstation 2.1 - ia64
Red Hat Enterprise Linux ES version 2.1 - i386
Red Hat Enterprise Linux WS version 2.1 - i386
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64

3. Problem description:

libxml2 is a library for manipulating XML files.

Multiple buffer overflow bugs have been found in libxml2 versions prior to
2.6.14. If an attacker can trick a user into passing a specially crafted FTP
URL or FTP proxy URL to an application that uses the vulnerable functions of
libxml2, it could be possible to execute arbitrary code. Additionally, if an
attacker can return a specially crafted DNS request to libxml2, it could be
possible to execute arbitrary code. The Common Vulnerabilities and Exposures
project (cve.mitre.org) has assigned the name CAN-2004-0989 to this issue.

All users are advised to upgrade to this updated package, which contains
backported patches and is not vulnerable to these issues.

4. Solution:

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

Use Red Hat Network to download and update your packages. To launch the Red
Hat Update Agent, use the following command:

up2date

For information on how to install packages manually, refer to the following
Web page for the System Administration or Customization guide specific to your
system:

http://www.redhat.com/docs/manuals/enterprise/

5. Bug IDs fixed (http://bugzilla.redhat.com/ for more info):

137264 - CAN-2004-0989 multiple buffer overflows

6. RPMs required:
These packages are GPG signed by Red Hat for security. Our key and details on
how to verify the signature are available from
https://www.redhat.com/security/team/key.html#package

7. References:

http://www.securityfocus.com/archive/1/379383/2004-10-24/2004-10-30/0
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0989

8. Contact:

The Red Hat security contact is .

More contact details at https://www.redhat.com/security/team/contact.html

Copyright 2004 Red Hat, Inc.

From bugzilla at redhat.com Tue Nov 16 17:45:00 2004
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 16 Nov 2004 12:45 -0500
Subject: [RHSA-2004:632-01] Updated samba packages fix security issues
Message-ID: <200411161745.iAGHjZa27753@lacrosse.corp.redhat.com>

---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Updated samba packages fix security issues
Advisory ID:       RHSA-2004:632-01
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2004-632.html
Issue date:        2004-11-16
Updated on:        2004-11-16
Product:           Red Hat Enterprise Linux
CVE Names:         CAN-2004-0882 CAN-2004-0930
---------------------------------------------------------------------

1. Summary:

Updated samba packages that fix various security vulnerabilities are now
available.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64
Red Hat Linux Advanced Workstation 2.1 - ia64
Red Hat Enterprise Linux ES version 2.1 - i386
Red Hat Enterprise Linux WS version 2.1 - i386
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, ppc64, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64

3. Problem description:

Samba provides file and printer sharing services to SMB/CIFS clients.

During a code audit, Stefan Esser discovered a buffer overflow in Samba
versions prior to 3.0.8 when handling unicode filenames. An authenticated
remote user could exploit this bug which may lead to arbitrary code execution
on the server. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2004-0882 to this issue. Red Hat
believes that the Exec-Shield technology (enabled by default since Update 3)
will block attempts to remotely exploit this vulnerability on x86
architectures.

Additionally, a bug was found in the input validation routines in versions of
Samba prior to 3.0.8 that caused the smbd process to consume abnormal amounts
of system memory. An authenticated remote user could exploit this bug to cause
a denial of service. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2004-0930 to this issue.

Users of Samba should upgrade to these updated packages, which contain
backported security patches, and are not vulnerable to these issues.

4. Solution:

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

Use Red Hat Network to download and update your packages.
To launch the Red Hat Update Agent, use the following command:

up2date

For information on how to install packages manually, refer to the following
Web page for the System Administration or Customization guide specific to your
system:

http://www.redhat.com/docs/manuals/enterprise/

5. Bug IDs fixed (http://bugzilla.redhat.com/ for more info):

138325 - CAN-2004-0930 wildcard remote DoS
134640 - CAN-2004-0882 unicode parsing overflow

6. RPMs required:
These packages are GPG signed by Red Hat for security. Our key and details on
how to verify the signature are available from
https://www.redhat.com/security/team/key.html#package

7. References:

http://www.samba.org/samba/history/samba-3.0.9.html
http://www.redhat.com/f/pdf/rhel/WHP0006US_Execshield.pdf
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0882
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0930

8. Contact:

The Red Hat security contact is .

More contact details at https://www.redhat.com/security/team/contact.html

Copyright 2004 Red Hat, Inc.
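Each advisory above lists one MD5 sum per RPM and states that the packages are GPG signed by Red Hat. The script below is an added example, not part of the advisories or of Red Hat's tooling: it checks downloaded packages against an advisory-style "<md5sum>  <filename>" manifest, then runs rpm's own signature check, and refuses to report success when rpm is not available. The manifest path, download directory and the verify-errata.sh name are assumptions; the MD5 match only confirms the download is intact, while the GPG signature (with the Red Hat key imported) is what establishes that the package came from Red Hat.

```shell
#!/bin/sh
# Added example (not from the Red Hat advisories): verify downloaded errata
# RPMs before installing them.
#   1. every file listed in a "<md5sum>  <filename>" manifest exists and
#      matches its listed MD5 (download-integrity check);
#   2. `rpm --checksig` succeeds for each package (authenticity check; needs
#      the Red Hat key imported with `rpm --import` first).
# Paths are caller-supplied; no real advisory hash appears in this file.

# verify_manifest MANIFEST DIR
# Reads "<md5> <file>" lines from MANIFEST and compares each with DIR/<file>.
# Prints one status line per entry; returns 0 only if every entry matches.
verify_manifest() {
    manifest=$1
    dir=$2
    failures=0
    while read -r expected name; do
        # skip blank lines and comment lines
        [ -z "$expected" ] && continue
        case "$expected" in '#'*) continue ;; esac
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name"
            failures=$((failures + 1))
            continue
        fi
        actual=$(md5sum "$dir/$name" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name: listed $expected, file has $actual"
            failures=$((failures + 1))
        fi
    done < "$manifest"
    [ "$failures" -eq 0 ]
}

# verify_signatures DIR
# Runs `rpm --checksig` on every .rpm in DIR. Returns 0 only if the check
# exits successfully for every package; returns 2 when rpm is not installed,
# so "could not check" is never mistaken for "checked and passed".
verify_signatures() {
    dir=$1
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not available; signatures not checked"
        return 2
    fi
    failures=0
    for f in "$dir"/*.rpm; do
        [ -f "$f" ] || continue
        rpm --checksig "$f" || failures=$((failures + 1))
    done
    [ "$failures" -eq 0 ]
}

# Usage (assumed script name): sh verify-errata.sh MANIFEST DIR
# Install only when both checks pass, for example:
#   sh verify-errata.sh httpd-manifest.txt ./downloads && rpm -Fvh ./downloads/*.rpm
if [ "$#" -eq 2 ]; then
    verify_manifest "$1" "$2" && verify_signatures "$2"
fi
```

Import the Red Hat package-signing key with `rpm --import`, following the key page each advisory links to, before relying on the signature check.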