From bugzilla at redhat.com Wed Sep 1 20:25:00 2004
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 1 Sep 2004 16:25 -0400
Subject: [RHSA-2004:323-01] An updated lha package fixes security vulnerability
Message-ID: <200409012025.i81KPgr18345@lacrosse.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          An updated lha package fixes security vulnerability
Advisory ID:       RHSA-2004:323-01
Issue date:        2004-09-01
Updated on:        2004-09-01
Product:           Red Hat Enterprise Linux
Obsoletes:         RHSA-2004:178
CVE Names:         CAN-2004-0769 CAN-2004-0771 CAN-2004-0694 CAN-2004-0745
---------------------------------------------------------------------

1. Summary:

An updated lha package that fixes a buffer overflow is now available.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64

3. Problem description:

LHA is an archiving and compression utility for LHarc format archives.

Lukasz Wojtow discovered a stack-based buffer overflow in all versions of lha up to and including version 1.14. A carefully created archive could allow an attacker to execute arbitrary code when a victim extracts or tests the archive. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0769 to this issue.

Buffer overflows were discovered in the command line processing of all versions of lha up to and including version 1.14. If a malicious user could trick a victim into passing a specially crafted command line to the lha command, it is possible that arbitrary code could be executed. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2004-0771 and CAN-2004-0694 to these issues.
Thomas Biege discovered a shell metacharacter command execution vulnerability in all versions of lha up to and including 1.14. An attacker could create a directory with shell metacharacters in its name which could lead to arbitrary command execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0745 to this issue.

Users of lha should update to this updated package which contains backported patches and is not vulnerable to these issues.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

Use Red Hat Network to download and update your packages. To launch the Red Hat Update Agent, use the following command:

up2date

For information on how to install packages manually, refer to the following Web page for the System Administration or Customization guide specific to your system:

http://www.redhat.com/docs/manuals/enterprise/

5. Bug IDs fixed (http://bugzilla.redhat.com/ for more info):

126740 - Buffer overflow in lha

6.
RPMs required:

Red Hat Enterprise Linux AS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/lha-1.14i-10.4.src.rpm
494aaceeb0afa3c661c6eb0981af1fd2 lha-1.14i-10.4.src.rpm

i386:
1d4d09649c91c742be78422fa746d93a lha-1.14i-10.4.i386.rpm

ia64:
3d6b75954662f94459e0025599a4b7b8 lha-1.14i-10.4.ia64.rpm

ppc:
63a3f6ee8c97484d8c0f95423adcb74f lha-1.14i-10.4.ppc.rpm

s390:
41c9148155410c09c6898cd971a873f8 lha-1.14i-10.4.s390.rpm

s390x:
2a2cd9f9ece25a0d885fb5079c608d6f lha-1.14i-10.4.s390x.rpm

x86_64:
36bb4dbf784b15b7355548582f42a009 lha-1.14i-10.4.x86_64.rpm

Red Hat Desktop version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/lha-1.14i-10.4.src.rpm
494aaceeb0afa3c661c6eb0981af1fd2 lha-1.14i-10.4.src.rpm

i386:
1d4d09649c91c742be78422fa746d93a lha-1.14i-10.4.i386.rpm

x86_64:
36bb4dbf784b15b7355548582f42a009 lha-1.14i-10.4.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/lha-1.14i-10.4.src.rpm
494aaceeb0afa3c661c6eb0981af1fd2 lha-1.14i-10.4.src.rpm

i386:
1d4d09649c91c742be78422fa746d93a lha-1.14i-10.4.i386.rpm

ia64:
3d6b75954662f94459e0025599a4b7b8 lha-1.14i-10.4.ia64.rpm

x86_64:
36bb4dbf784b15b7355548582f42a009 lha-1.14i-10.4.x86_64.rpm

Red Hat Enterprise Linux WS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/lha-1.14i-10.4.src.rpm
494aaceeb0afa3c661c6eb0981af1fd2 lha-1.14i-10.4.src.rpm

i386:
1d4d09649c91c742be78422fa746d93a lha-1.14i-10.4.i386.rpm

ia64:
3d6b75954662f94459e0025599a4b7b8 lha-1.14i-10.4.ia64.rpm

x86_64:
36bb4dbf784b15b7355548582f42a009 lha-1.14i-10.4.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key.html#package

7.
References:

http://marc.theaimsgroup.com/?l=bugtraq&m=108668791510153
http://lw.ftw.zamosc.pl/lha-exploit.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0769
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0771
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0694
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0745

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact.html

Copyright 2004 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBNjBDXlSAg2UNWIIRAv0OAKCvKE3Q3z16A9ZkAZkj65yC4KuPLQCdHXZd
cVZ7N+eXuSnX1tlcB1agJac=
=LBeY
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Sep 1 20:25:00 2004
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 1 Sep 2004 16:25 -0400
Subject: [RHSA-2004:349-01] Updated httpd packages fix mod_ssl security flaw
Message-ID: <200409012025.i81KPtr18350@lacrosse.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Updated httpd packages fix mod_ssl security flaw
Advisory ID:       RHSA-2004:349-01
Issue date:        2004-09-01
Updated on:        2004-09-01
Product:           Red Hat Enterprise Linux
Keywords:          httpd
CVE Names:         CAN-2004-0748
---------------------------------------------------------------------

1. Summary:

Updated httpd packages that include a security fix for mod_ssl and various enhancements are now available.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64

3. Problem description:

The Apache HTTP server is a powerful, full-featured, efficient, and freely-available Web server.

An input filter bug in mod_ssl was discovered in Apache httpd version 2.0.50 and earlier.
A remote attacker could force an SSL connection to be aborted in a particular state and cause an Apache child process to enter an infinite loop, consuming CPU resources. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0748 to this issue.

Additionally, this update includes the following enhancements and bug fixes:

- included an improved version of the mod_cgi module that correctly handles concurrent output on stderr and stdout
- included support for direct lookup of SSL variables using %{SSL:...} from mod_rewrite, or using %{...}s from mod_headers
- restored support for use of SHA1-encoded passwords
- added the mod_ext_filter module

Users of the Apache HTTP server should upgrade to these updated packages, which contain backported patches that address these issues.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via Red Hat Network. Many people find this an easier way to apply updates. To use Red Hat Network, launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system.

5.
Bug IDs fixed (http://bugzilla.redhat.com/ for more info):

112216 - 4097+ bytes of stderr from cgi script causes script to hang
117959 - Apache autoindex corrupt when > 2GB file in tree
119651 - HTTP authentication against password file with SHA1 password hashes fails
120072 - please enable mod_ext_filter
120096 - mod_ssl environment variables not available in mod_rewrite rules

6. RPMs required:

Red Hat Enterprise Linux AS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/httpd-2.0.46-38.ent.src.rpm
1988340a6e8be0c63b10c388b1243569 httpd-2.0.46-38.ent.src.rpm

i386:
a5b8f9a72302e14c0f410f7f83a39d32 httpd-2.0.46-38.ent.i386.rpm
d8b74b3477300b5a4a156c59f5e0d4a5 httpd-devel-2.0.46-38.ent.i386.rpm
8f734e5757c8c897cf71a6109af7d632 mod_ssl-2.0.46-38.ent.i386.rpm

ia64:
d5ac022099d9b76006e823a3f9c07c69 httpd-2.0.46-38.ent.ia64.rpm
3a66d83595e19843fcf552fd07bcfe29 httpd-devel-2.0.46-38.ent.ia64.rpm
3c4d1bfb5b407da142c515d32782ec02 mod_ssl-2.0.46-38.ent.ia64.rpm

ppc:
bc92043b213069bcf78aad0dffad74b4 httpd-2.0.46-38.ent.ppc.rpm
b9156531a43492b3a5504375104fa473 httpd-devel-2.0.46-38.ent.ppc.rpm
62593d85534ce48a38efa04fa7fa0b99 mod_ssl-2.0.46-38.ent.ppc.rpm

s390:
b8e7476c417c7eba2b46704fa446216c httpd-2.0.46-38.ent.s390.rpm
30f45622c9de74914983c0a31f638c16 httpd-devel-2.0.46-38.ent.s390.rpm
4d3abcba4b77985fcdb1ac78a844a5c4 mod_ssl-2.0.46-38.ent.s390.rpm

s390x:
27ad42b7d9018420c725338622dfef35 httpd-2.0.46-38.ent.s390x.rpm
49511800564746aa927bf7f224f0598e httpd-devel-2.0.46-38.ent.s390x.rpm
a22a2b21a0bdf04efec6ac07f2884ea9 mod_ssl-2.0.46-38.ent.s390x.rpm

x86_64:
ed7ec8f521a72ceb98e339f7ee667aeb httpd-2.0.46-38.ent.x86_64.rpm
6d3bd873b963a3ff1c40bef74e7e7566 httpd-devel-2.0.46-38.ent.x86_64.rpm
c851e372161ce0262678158dd39d5191 mod_ssl-2.0.46-38.ent.x86_64.rpm

Red Hat Desktop version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/httpd-2.0.46-38.ent.src.rpm
1988340a6e8be0c63b10c388b1243569 httpd-2.0.46-38.ent.src.rpm

i386:
a5b8f9a72302e14c0f410f7f83a39d32 httpd-2.0.46-38.ent.i386.rpm
d8b74b3477300b5a4a156c59f5e0d4a5 httpd-devel-2.0.46-38.ent.i386.rpm
8f734e5757c8c897cf71a6109af7d632 mod_ssl-2.0.46-38.ent.i386.rpm

x86_64:
ed7ec8f521a72ceb98e339f7ee667aeb httpd-2.0.46-38.ent.x86_64.rpm
6d3bd873b963a3ff1c40bef74e7e7566 httpd-devel-2.0.46-38.ent.x86_64.rpm
c851e372161ce0262678158dd39d5191 mod_ssl-2.0.46-38.ent.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/httpd-2.0.46-38.ent.src.rpm
1988340a6e8be0c63b10c388b1243569 httpd-2.0.46-38.ent.src.rpm

i386:
a5b8f9a72302e14c0f410f7f83a39d32 httpd-2.0.46-38.ent.i386.rpm
d8b74b3477300b5a4a156c59f5e0d4a5 httpd-devel-2.0.46-38.ent.i386.rpm
8f734e5757c8c897cf71a6109af7d632 mod_ssl-2.0.46-38.ent.i386.rpm

ia64:
d5ac022099d9b76006e823a3f9c07c69 httpd-2.0.46-38.ent.ia64.rpm
3a66d83595e19843fcf552fd07bcfe29 httpd-devel-2.0.46-38.ent.ia64.rpm
3c4d1bfb5b407da142c515d32782ec02 mod_ssl-2.0.46-38.ent.ia64.rpm

x86_64:
ed7ec8f521a72ceb98e339f7ee667aeb httpd-2.0.46-38.ent.x86_64.rpm
6d3bd873b963a3ff1c40bef74e7e7566 httpd-devel-2.0.46-38.ent.x86_64.rpm
c851e372161ce0262678158dd39d5191 mod_ssl-2.0.46-38.ent.x86_64.rpm

Red Hat Enterprise Linux WS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/httpd-2.0.46-38.ent.src.rpm
1988340a6e8be0c63b10c388b1243569 httpd-2.0.46-38.ent.src.rpm

i386:
a5b8f9a72302e14c0f410f7f83a39d32 httpd-2.0.46-38.ent.i386.rpm
d8b74b3477300b5a4a156c59f5e0d4a5 httpd-devel-2.0.46-38.ent.i386.rpm
8f734e5757c8c897cf71a6109af7d632 mod_ssl-2.0.46-38.ent.i386.rpm

ia64:
d5ac022099d9b76006e823a3f9c07c69 httpd-2.0.46-38.ent.ia64.rpm
3a66d83595e19843fcf552fd07bcfe29 httpd-devel-2.0.46-38.ent.ia64.rpm
3c4d1bfb5b407da142c515d32782ec02 mod_ssl-2.0.46-38.ent.ia64.rpm

x86_64:
ed7ec8f521a72ceb98e339f7ee667aeb httpd-2.0.46-38.ent.x86_64.rpm
6d3bd873b963a3ff1c40bef74e7e7566 httpd-devel-2.0.46-38.ent.x86_64.rpm
c851e372161ce0262678158dd39d5191 mod_ssl-2.0.46-38.ent.x86_64.rpm

These
packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key.html#package

7. References:

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=29964
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0748

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact.html

Copyright 2004 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBNjBPXlSAg2UNWIIRAjHVAKC3O3b5cMVovKmKYmS70xp3mDyOMwCfRS9u
StAJ3ewb8ljo/wTT4JWhiI4=
=aPrm
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Sep 1 20:26:00 2004
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 1 Sep 2004 16:26 -0400
Subject: [RHSA-2004:436-01] Updated rsync package fixes security issue
Message-ID: <200409012026.i81KQ8r18368@lacrosse.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Updated rsync package fixes security issue
Advisory ID:       RHSA-2004:436-01
Issue date:        2004-09-01
Updated on:        2004-09-01
Product:           Red Hat Enterprise Linux
CVE Names:         CAN-2004-0792
---------------------------------------------------------------------

1. Summary:

An updated rsync package that fixes a path sanitizing bug is now available.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64
Red Hat Linux Advanced Workstation 2.1 - ia64
Red Hat Enterprise Linux ES version 2.1 - i386
Red Hat Enterprise Linux WS version 2.1 - i386
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, ppc64, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64

3. Problem description:

The rsync program synchronizes files over a network.
Versions of rsync up to and including version 2.6.2 contain a path sanitization issue. This issue could allow an attacker to read or write files outside of the rsync directory. This vulnerability is only exploitable when an rsync server is enabled and is not running within a chroot. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0792 to this issue.

Users of rsync are advised to upgrade to this updated package, which contains a backported patch and is not affected by this issue.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

Use Red Hat Network to download and update your packages. To launch the Red Hat Update Agent, use the following command:

up2date

For information on how to install packages manually, refer to the following Web page for the System Administration or Customization guide specific to your system:

http://www.redhat.com/docs/manuals/enterprise/

5. Bug IDs fixed (http://bugzilla.redhat.com/ for more info):

130050 - rsync path sanitizing bug

6.
RPMs required:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/rsync-2.5.7-3.21AS.1.src.rpm
38c1f184d5cc84489a573e904c6e7988 rsync-2.5.7-3.21AS.1.src.rpm

i386:
ded5b61ac737f3c1c61dc8b9335c207e rsync-2.5.7-3.21AS.1.i386.rpm

ia64:
fa113cb18579a3d71d021ef4674deffa rsync-2.5.7-3.21AS.1.ia64.rpm

Red Hat Linux Advanced Workstation 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1AW/en/os/SRPMS/rsync-2.5.7-3.21AS.1.src.rpm
38c1f184d5cc84489a573e904c6e7988 rsync-2.5.7-3.21AS.1.src.rpm

ia64:
fa113cb18579a3d71d021ef4674deffa rsync-2.5.7-3.21AS.1.ia64.rpm

Red Hat Enterprise Linux ES version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/rsync-2.5.7-3.21AS.1.src.rpm
38c1f184d5cc84489a573e904c6e7988 rsync-2.5.7-3.21AS.1.src.rpm

i386:
ded5b61ac737f3c1c61dc8b9335c207e rsync-2.5.7-3.21AS.1.i386.rpm

Red Hat Enterprise Linux WS version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/rsync-2.5.7-3.21AS.1.src.rpm
38c1f184d5cc84489a573e904c6e7988 rsync-2.5.7-3.21AS.1.src.rpm

i386:
ded5b61ac737f3c1c61dc8b9335c207e rsync-2.5.7-3.21AS.1.i386.rpm

Red Hat Enterprise Linux AS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/rsync-2.5.7-5.3E.src.rpm
a08f47856c11488dbb199e2960618439 rsync-2.5.7-5.3E.src.rpm

i386:
d0966ec43976699f3ae0c275fdcd066f rsync-2.5.7-5.3E.i386.rpm

ia64:
7a4ead9d5e1d755b453a8b5a2964eb75 rsync-2.5.7-5.3E.ia64.rpm

ppc:
8a771ecf22666ed3f3de2af94ff0059b rsync-2.5.7-5.3E.ppc.rpm

ppc64:
cacc25c9afc8a5256204725597295be3 rsync-2.5.7-5.3E.ppc64.rpm

s390:
c4227c768095dd4f4c62f5b6eb7abe8c rsync-2.5.7-5.3E.s390.rpm

s390x:
16177f1105d0bff168394b84e9ce187a rsync-2.5.7-5.3E.s390x.rpm

x86_64:
d0b5238572ed1d2b26102a8f7be694c4 rsync-2.5.7-5.3E.x86_64.rpm

Red Hat Desktop version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/rsync-2.5.7-5.3E.src.rpm
a08f47856c11488dbb199e2960618439 rsync-2.5.7-5.3E.src.rpm

i386:
d0966ec43976699f3ae0c275fdcd066f rsync-2.5.7-5.3E.i386.rpm

x86_64:
d0b5238572ed1d2b26102a8f7be694c4 rsync-2.5.7-5.3E.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/rsync-2.5.7-5.3E.src.rpm
a08f47856c11488dbb199e2960618439 rsync-2.5.7-5.3E.src.rpm

i386:
d0966ec43976699f3ae0c275fdcd066f rsync-2.5.7-5.3E.i386.rpm

ia64:
7a4ead9d5e1d755b453a8b5a2964eb75 rsync-2.5.7-5.3E.ia64.rpm

x86_64:
d0b5238572ed1d2b26102a8f7be694c4 rsync-2.5.7-5.3E.x86_64.rpm

Red Hat Enterprise Linux WS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/rsync-2.5.7-5.3E.src.rpm
a08f47856c11488dbb199e2960618439 rsync-2.5.7-5.3E.src.rpm

i386:
d0966ec43976699f3ae0c275fdcd066f rsync-2.5.7-5.3E.i386.rpm

ia64:
7a4ead9d5e1d755b453a8b5a2964eb75 rsync-2.5.7-5.3E.ia64.rpm

x86_64:
d0b5238572ed1d2b26102a8f7be694c4 rsync-2.5.7-5.3E.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key.html#package

7. References:

http://rsync.samba.org/#security_aug04
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0792

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact.html

Copyright 2004 Red Hat, Inc.
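The path-sanitizing flaw in this advisory is a lexical problem: a daemon that serves a module without a chroot must reduce every client-supplied path to something that cannot leave the module root before it touches the filesystem. The function below is an added example written for this page, not rsync's own sanitize_path() code; it shows the component-wise normalization such a check has to perform and the inputs it has to survive. The paths used by the helper are constructed for the demonstration.

```c
/* Added example for this page (not rsync's code): reduce a client-supplied
 * path to a relative path that cannot climb above the module root. */
#include <stddef.h>
#include <string.h>

/* Normalise `in` into `out` (capacity `cap`):
 *   - leading and repeated '/' are dropped, so the result is never absolute,
 *   - "." components are dropped,
 *   - ".." pops the previously kept component if there is one and is
 *     discarded otherwise (there is nothing above the root to reach).
 * Returns the length of the result, or -1 if `out` is too small. */
int clean_client_path(const char *in, char *out, size_t cap)
{
    size_t len = 0;                       /* bytes currently in out */
    const char *p = in;

    if (cap == 0) return -1;
    while (*p) {
        while (*p == '/') p++;            /* skip separators */
        if (!*p) break;
        const char *start = p;
        while (*p && *p != '/') p++;
        size_t clen = (size_t)(p - start);

        if (clen == 1 && start[0] == '.')
            continue;                     /* "." is a no-op */
        if (clen == 2 && start[0] == '.' && start[1] == '.') {
            /* ".." : drop the last kept component, if any */
            while (len > 0 && out[len - 1] != '/') len--;
            if (len > 0) len--;           /* and the separator before it */
            continue;
        }
        /* ordinary component (including names like "...."): append it */
        size_t need = len + (len ? 1 : 0) + clen;
        if (need + 1 > cap) return -1;
        if (len) out[len++] = '/';
        memcpy(out + len, start, clen);
        len += clen;
    }
    out[len] = '\0';
    return (int)len;
}

/* Helper for checks: 1 if clean_client_path(in) yields exactly `expect`. */
int clean_path_yields(const char *in, const char *expect)
{
    char buf[256];
    if (clean_client_path(in, buf, sizeof buf) < 0) return 0;
    return strcmp(buf, expect) == 0;
}
```

A check like this only defends against lexical traversal. A symlink inside the module that points outside it is invisible to any string operation, which is why the advisory's other condition matters: an rsync daemon running inside a chroot contains both cases, and that is the configuration to prefer even after applying the update.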
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBNjBdXlSAg2UNWIIRApbRAKCWGAeFdF3ZNQCpZL8IE7i1FVcp+QCghmO+
JYIcfuoruMeyznE4SBVIBiU=
=sK4F
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Tue Sep 7 15:40:00 2004
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 7 Sep 2004 11:40 -0400
Subject: [RHSA-2004:400-01] Updated gaim package fixes security issues
Message-ID: <200409071540.i87Fetr12121@lacrosse.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Updated gaim package fixes security issues
Advisory ID:       RHSA-2004:400-01
Issue date:        2004-09-07
Updated on:        2004-09-07
Product:           Red Hat Enterprise Linux
Obsoletes:         RHSA-2004:033
CVE Names:         CAN-2004-0500 CAN-2004-0754 CAN-2004-0784 CAN-2004-0785
---------------------------------------------------------------------

1. Summary:

An updated gaim package that fixes several security issues is now available.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64

3. Problem description:

Gaim is an instant messenger client that can handle multiple protocols.

Buffer overflow bugs were found in the Gaim MSN protocol handler. In order to exploit these bugs, an attacker would have to perform a man in the middle attack between the MSN server and the vulnerable Gaim client. Such an attack could allow arbitrary code execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0500 to this issue.

Buffer overflow bugs have been found in the Gaim URL decoder, local hostname resolver, and the RTF message parser.
It is possible that a remote attacker could send carefully crafted data to a vulnerable client and lead to a crash or arbitrary code execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0785 to this issue.

A shell escape bug has been found in the Gaim smiley theme file installation. When a user installs a smiley theme, which is contained within a tar file, the unarchiving of the data is done in an unsafe manner. An attacker could create a malicious smiley theme that would execute arbitrary commands if the theme was installed by the victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0784 to this issue.

An integer overflow bug has been found in the Gaim Groupware message receiver. It is possible that if a user connects to a malicious server, an attacker could send carefully crafted data which could lead to arbitrary code execution on the victim's machine. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0754 to this issue.

Users of Gaim are advised to upgrade to this updated package which contains Gaim version 0.82 and is not vulnerable to these issues.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

Use Red Hat Network to download and update your packages. To launch the Red Hat Update Agent, use the following command:

up2date

For information on how to install packages manually, refer to the following Web page for the System Administration or Customization guide specific to your system:

http://www.redhat.com/docs/manuals/enterprise/

5. Bug IDs fixed (http://bugzilla.redhat.com/ for more info):

126842 - CAN-2004-0500 Gaim MSN protocol vulnerabilities

6.
RPMs required:

Red Hat Enterprise Linux AS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/gaim-0.82.1-0.RHEL3.src.rpm
4daa55a0489b9eb37c079c8d5f5b6b59 gaim-0.82.1-0.RHEL3.src.rpm

i386:
16a0c2078927b793b9186eeb83e93be0 gaim-0.82.1-0.RHEL3.i386.rpm

ia64:
9f88b162909aafb41bca2ad76c5faf45 gaim-0.82.1-0.RHEL3.ia64.rpm

ppc:
7f37d28cb2c1e5b9c87807afff904147 gaim-0.82.1-0.RHEL3.ppc.rpm

s390:
892285056f0b54a4b460ac2bb37a9fd2 gaim-0.82.1-0.RHEL3.s390.rpm

s390x:
b123c085ecb9ec973266b7b68c410c9c gaim-0.82.1-0.RHEL3.s390x.rpm

x86_64:
9091ab5c18b428e8cf933e2a0767fb77 gaim-0.82.1-0.RHEL3.x86_64.rpm

Red Hat Desktop version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/gaim-0.82.1-0.RHEL3.src.rpm
4daa55a0489b9eb37c079c8d5f5b6b59 gaim-0.82.1-0.RHEL3.src.rpm

i386:
16a0c2078927b793b9186eeb83e93be0 gaim-0.82.1-0.RHEL3.i386.rpm

x86_64:
9091ab5c18b428e8cf933e2a0767fb77 gaim-0.82.1-0.RHEL3.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/gaim-0.82.1-0.RHEL3.src.rpm
4daa55a0489b9eb37c079c8d5f5b6b59 gaim-0.82.1-0.RHEL3.src.rpm

i386:
16a0c2078927b793b9186eeb83e93be0 gaim-0.82.1-0.RHEL3.i386.rpm

ia64:
9f88b162909aafb41bca2ad76c5faf45 gaim-0.82.1-0.RHEL3.ia64.rpm

x86_64:
9091ab5c18b428e8cf933e2a0767fb77 gaim-0.82.1-0.RHEL3.x86_64.rpm

Red Hat Enterprise Linux WS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/gaim-0.82.1-0.RHEL3.src.rpm
4daa55a0489b9eb37c079c8d5f5b6b59 gaim-0.82.1-0.RHEL3.src.rpm

i386:
16a0c2078927b793b9186eeb83e93be0 gaim-0.82.1-0.RHEL3.i386.rpm

ia64:
9f88b162909aafb41bca2ad76c5faf45 gaim-0.82.1-0.RHEL3.ia64.rpm

x86_64:
9091ab5c18b428e8cf933e2a0767fb77 gaim-0.82.1-0.RHEL3.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key.html#package

7.
References:

http://gaim.sourceforge.net/security/?id=0
http://gaim.sourceforge.net/security/?id=1
http://gaim.sourceforge.net/security/?id=2
http://gaim.sourceforge.net/security/?id=3
http://gaim.sourceforge.net/security/?id=4
http://gaim.sourceforge.net/security/?id=5
http://gaim.sourceforge.net/security/?id=6
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0500
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0754
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0784
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0785

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact.html

Copyright 2004 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBPdaDXlSAg2UNWIIRAizBAJ9orm7H7CHW/hEba9bxTrHZTNQQpwCeKGjX
FinUptKP9j4PQpFUEbHXvRI=
=7Hnj
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Tue Sep 7 15:42:00 2004
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 7 Sep 2004 11:42 -0400
Subject: [RHSA-2004:408-01] Updated mod_ssl package fixes minor vulnerability
Message-ID: <200409071542.i87Fggr12274@lacrosse.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Updated mod_ssl package fixes minor vulnerability
Advisory ID:       RHSA-2004:408-01
Issue date:        2004-09-07
Updated on:        2004-09-07
Product:           Red Hat Enterprise Linux
CVE Names:         CAN-2004-0700
---------------------------------------------------------------------

1. Summary:

An updated mod_ssl package for Apache that fixes a format string vulnerability is now available.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64
Red Hat Linux Advanced Workstation 2.1 - ia64
Red Hat Enterprise Linux ES version 2.1 - i386
Red Hat Enterprise Linux WS version 2.1 - i386

3.
Problem description:

The mod_ssl module provides strong cryptography for the Apache Web server via the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.

A format string issue was discovered in mod_ssl for Apache 1.3 which can be triggered if mod_ssl is configured to allow a client to proxy to remote SSL sites. In order to exploit this issue, a user who is authorized to use Apache as a proxy would have to attempt to connect to a carefully crafted hostname via SSL. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0700 to this issue.

Users of mod_ssl should upgrade to this updated package, which contains a backported patch to correct this issue.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

Use Red Hat Network to download and update your packages. To launch the Red Hat Update Agent, use the following command:

up2date

For information on how to install packages manually, refer to the following Web page for the System Administration or Customization guide specific to your system:

http://www.redhat.com/docs/manuals/enterprise/

5. Bug IDs fixed (http://bugzilla.redhat.com/ for more info):

128170 - CAN-2004-0700 mod_ssl format string vulnerability

6.
RPMs required:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/mod_ssl-2.8.12-6.src.rpm
209d559b50b81524606203cada5c4b68 mod_ssl-2.8.12-6.src.rpm

i386:
ecb068475e82644cfa0ed913b3bd1dc2 mod_ssl-2.8.12-6.i386.rpm

ia64:
483397e046e50c433d85bd74c3f8d7e4 mod_ssl-2.8.12-6.ia64.rpm

Red Hat Linux Advanced Workstation 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1AW/en/os/SRPMS/mod_ssl-2.8.12-6.src.rpm
209d559b50b81524606203cada5c4b68 mod_ssl-2.8.12-6.src.rpm

ia64:
483397e046e50c433d85bd74c3f8d7e4 mod_ssl-2.8.12-6.ia64.rpm

Red Hat Enterprise Linux ES version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/mod_ssl-2.8.12-6.src.rpm
209d559b50b81524606203cada5c4b68 mod_ssl-2.8.12-6.src.rpm

i386:
ecb068475e82644cfa0ed913b3bd1dc2 mod_ssl-2.8.12-6.i386.rpm

Red Hat Enterprise Linux WS version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/mod_ssl-2.8.12-6.src.rpm
209d559b50b81524606203cada5c4b68 mod_ssl-2.8.12-6.src.rpm

i386:
ecb068475e82644cfa0ed913b3bd1dc2 mod_ssl-2.8.12-6.i386.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key.html#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0700

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact.html

Copyright 2004 Red Hat, Inc.
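The bug class behind this advisory, as an added C example that is not mod_ssl's source: a logging routine that takes a printf-style format, the unsafe call that hands it the client-chosen proxy hostname as the format, and the fixed call. The logger carries gcc's format attribute so that `gcc -Wall -Wformat-security` reports the unsafe call at compile time; the unsafe function is wrapped in a diagnostic pragma only so the file still builds on distributions whose compiler turns that warning into an error by default. The hostnames used by the check helper are constructed.

```c
/* Added example for this page (not mod_ssl's code): format-string misuse
 * next to the fixed call. Never run log_proxy_target_unsafe() on
 * untrusted input; it is here to be read and to be flagged by the compiler. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

static char last_line[256];                 /* stand-in for the error log */

/* The format attribute lets -Wformat-security report any call whose format
 * is not a literal and that passes no further arguments. */
#if defined(__GNUC__)
static void ssl_log(const char *fmt, ...) __attribute__((format(printf, 1, 2)));
#endif
static void ssl_log(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(last_line, sizeof last_line, fmt, ap);
    va_end(ap);
}

/* VULNERABLE: the CONNECT target is the format string. "%s%s%s" makes
 * vsnprintf read arguments that were never passed; "%n" turns that into a
 * write. The pragma keeps the example compiling where the warning is an
 * error by default; in real code, the warning is the point. */
#if defined(__GNUC__)
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#endif
void log_proxy_target_unsafe(const char *hostname)
{
    ssl_log(hostname);
}
#if defined(__GNUC__)
#pragma GCC diagnostic pop
#endif

/* FIXED: a constant format; the hostname is data. */
void log_proxy_target(const char *hostname)
{
    ssl_log("SSL proxy request for %s", hostname);
}

/* Helper for checks: 1 if the line logged for `hostname` ends with the
 * hostname reproduced byte for byte, conversion directives included. */
int logged_verbatim(const char *hostname)
{
    log_proxy_target(hostname);
    size_t ll = strlen(last_line), hl = strlen(hostname);
    return ll >= hl && strcmp(last_line + (ll - hl), hostname) == 0;
}
```

The advisory's precondition (the client must already be authorized to proxy through this server) limits who can reach the call, not what the call does once reached; the fix removes the attacker's control of the format string rather than relying on that limit.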
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBPdbvXlSAg2UNWIIRAijxAJ9K7uhYuvKVQ4H8MgFfT9/El9tkdACfUxsZ
x7TviiDIv+S62c1Zli2xPu0=
=WXac
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Tue Sep 7 15:44:00 2004
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 7 Sep 2004 11:44 -0400
Subject: [RHSA-2004:440-01] An updated lha package fixes security vulnerability
Message-ID: <200409071544.i87FiXr12343@lacrosse.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          An updated lha package fixes security vulnerability
Advisory ID:       RHSA-2004:440-01
Issue date:        2004-09-07
Updated on:        2004-09-07
Product:           Red Hat Enterprise Linux
Obsoletes:         RHSA-2004:178
CVE Names:         CAN-2004-0771 CAN-2004-0769 CAN-2004-0694 CAN-2004-0745
---------------------------------------------------------------------

1. Summary:

An updated lha package that fixes a buffer overflow is now available.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64
Red Hat Linux Advanced Workstation 2.1 - ia64
Red Hat Enterprise Linux ES version 2.1 - i386
Red Hat Enterprise Linux WS version 2.1 - i386

3. Problem description:

LHA is an archiving and compression utility for LHarc format archives.

Lukasz Wojtow discovered a stack-based buffer overflow in all versions of lha up to and including version 1.14. A carefully created archive could allow an attacker to execute arbitrary code when a victim extracts or tests the archive. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0769 to this issue.

Buffer overflows were discovered in the command line processing of all versions of lha up to and including version 1.14.
If a malicious user can trick a victim into passing a specially crafted command line to the lha command, it is possible that arbitrary code could be executed. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2004-0771 and CAN-2004-0694 to these issues.

Thomas Biege discovered a shell metacharacter command execution vulnerability in all versions of lha up to and including 1.14. An attacker could create a directory with shell metacharacters in its name which could lead to arbitrary command execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0745 to this issue.

Users of lha should update to this updated package which contains backported patches and is not vulnerable to these issues.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

Use Red Hat Network to download and update your packages. To launch the Red Hat Update Agent, use the following command:

up2date

For information on how to install packages manually, refer to the following Web page for the System Administration or Customization guide specific to your system:

http://www.redhat.com/docs/manuals/enterprise/

5. Bug IDs fixed (http://bugzilla.redhat.com/ for more info):

126740 - Buffer overflow in lha

6.
RPMs required:

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key.html#package

7. References:

http://marc.theaimsgroup.com/?l=bugtraq&m=108668791510153
http://lw.ftw.zamosc.pl/lha-exploit.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0771
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0769
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0694
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0745

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact.html

Copyright 2004 Red Hat, Inc.
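The fixed build this advisory ships is lha-1.00-17.3, while the problem description says every lha release up to 1.14 is affected: the fix is backported, so a check that compares upstream version numbers would flag the patched package as vulnerable (or pass an unpatched one on another stream). The following is an added example, not Red Hat's or rpm's code: it reimplements rpm's version comparison in Python and audits a constructed rpm -qa listing against the fixed builds named in the advisories of this digest, assuming the listing is plain name-version-release lines without an arch suffix and that the fixed-build list matches the product stream of the host (RHEL 2.1 builds differ from RHEL 3 builds).

```python
"""rpm-style NVR comparison for checking advisory fixed builds (added example)."""
import re

_SEPARATORS = re.compile(r"^[^A-Za-z0-9~^]+")  # rpm treats anything else as a delimiter
_DIGITS = re.compile(r"^[0-9]+")
_ALPHA = re.compile(r"^[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release strings the way rpm's rpmvercmp does:
    segments are compared as numbers when both are digits and as strings when
    both are letters; a numeric segment beats an alphabetic one.
    Returns -1 if a is older, 0 if equal, 1 if a is newer."""
    one, two = a, b
    while one or two:
        one, two = _SEPARATORS.sub("", one), _SEPARATORS.sub("", two)
        if one.startswith("~") or two.startswith("~"):  # '~' sorts before anything, even end of string
            if not one.startswith("~"):
                return 1
            if not two.startswith("~"):
                return -1
            one, two = one[1:], two[1:]
            continue
        if one.startswith("^") or two.startswith("^"):  # '^' sorts after end of string, before the rest
            if not one:
                return -1
            if not two:
                return 1
            if not one.startswith("^"):
                return 1
            if not two.startswith("^"):
                return -1
            one, two = one[1:], two[1:]
            continue
        if not one or not two:
            break
        numeric = one[0].isdigit()
        pattern = _DIGITS if numeric else _ALPHA
        m1, m2 = pattern.match(one), pattern.match(two)
        seg1, seg2 = m1.group(0), (m2.group(0) if m2 else "")
        if not seg2:  # segment types differ: the numeric side is newer
            return 1 if numeric else -1
        s1, s2 = (seg1.lstrip("0"), seg2.lstrip("0")) if numeric else (seg1, seg2)
        if numeric and len(s1) != len(s2):  # more significant digits = larger number
            return 1 if len(s1) > len(s2) else -1
        if s1 != s2:
            return 1 if s1 > s2 else -1
        one, two = one[len(seg1):], two[len(seg2):]
    # Whichever side still has characters left is the newer one; both empty means equal.
    return (one != "") - (two != "")


def parse_nvr(nvr: str):
    """Split 'name-[epoch:]version-release' (rpm -q output without arch) into parts."""
    name, version, release = nvr.rsplit("-", 2)
    epoch = "0"
    if ":" in version:
        epoch, version = version.split(":", 1)
    return name, int(epoch), version, release


def compare_evr(a: str, b: str) -> int:
    """Order two builds of the same package: epoch first, then version, then release."""
    name_a, e_a, v_a, r_a = parse_nvr(a)
    name_b, e_b, v_b, r_b = parse_nvr(b)
    if name_a != name_b:
        raise ValueError(f"different packages: {name_a} vs {name_b}")
    if e_a != e_b:
        return 1 if e_a > e_b else -1
    return rpmvercmp(v_a, v_b) or rpmvercmp(r_a, r_b)


def is_fixed(installed: str, fixed: str) -> bool:
    """True when the installed build is the advisory's fixed build or newer."""
    return compare_evr(installed, fixed) >= 0


def audit(rpm_qa_output: str, fixed_builds) -> dict:
    """Map each package in fixed_builds to 'fixed', 'vulnerable' or 'not installed'."""
    installed = {parse_nvr(line)[0]: line for line in rpm_qa_output.split()}
    verdicts = {}
    for fixed in fixed_builds:
        name = parse_nvr(fixed)[0]
        if name not in installed:
            verdicts[name] = "not installed"
        else:
            verdicts[name] = "fixed" if is_fixed(installed[name], fixed) else "vulnerable"
    return verdicts


# Fixed builds as named in this digest's advisories, one list per product stream:
# a RHEL 2.1 build number says nothing about a RHEL 3 host.
FIXED_RHEL21 = ["lha-1.00-17.3", "mc-4.5.51-36.4", "gdk-pixbuf-0.22.0-11.1.2E"]
FIXED_RHEL3 = ["httpd-2.0.46-40.ent", "cups-1.1.17-13.3.13",
               "openoffice.org-1.1.0-16.14.EL", "gdk-pixbuf-0.22.0-11.1.3.2"]
# Constructed sample of rpm -qa output from a RHEL 2.1 host (not real data).
CONSTRUCTED_RPM_QA = "lha-1.00-17.2\nmc-4.5.51-36.4\ngdk-pixbuf-0.22.0-11.1.2E\n"
```

Running the RHEL 2.1 sample against FIXED_RHEL3 marks gdk-pixbuf "vulnerable" although the host has the correct 2.1 fix, which is why the list must be chosen per stream.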
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 15 Sep 2004 11:45 -0400
Subject: [RHSA-2004:446-01] Updated openoffice.org packages resolve security issue
Message-ID: <200409151545.i8FFjaa19368@lacrosse.corp.redhat.com>

---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Updated openoffice.org packages resolve security issue
Advisory ID:       RHSA-2004:446-01
Issue date:        2004-09-15
Updated on:        2004-09-15
Product:           Red Hat Enterprise Linux
CVE Names:         CAN-2004-0752
---------------------------------------------------------------------

1. Summary:

Updated openoffice.org packages that fix a security issue in temporary file handling are now available.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 3 - i386
Red Hat Desktop version 3 - i386
Red Hat Enterprise Linux ES version 3 - i386
Red Hat Enterprise Linux WS version 3 - i386

3. Problem description:

OpenOffice.org is an office productivity suite that includes desktop applications such as a word processor, spreadsheet, presentation manager, formula editor, and drawing program.

Secunia Research reported an issue with the handling of temporary files. A malicious local user could use this flaw to access the contents of another user's open documents. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0752 to this issue.

All users of OpenOffice.org are advised to upgrade to these updated packages which contain a backported patch to correct this issue.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.
Use Red Hat Network to download and update your packages. To launch the Red Hat Update Agent, use the following command:

up2date

For information on how to install packages manually, refer to the following Web page for the System Administration or Customization guide specific to your system:

http://www.redhat.com/docs/manuals/enterprise/

5. RPMs required:
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key.html#package

6. References:

http://secunia.com/advisories/12302/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0752

7. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact.html

Copyright 2004 Red Hat, Inc.

From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 15 Sep 2004 11:46 -0400
Subject: [RHSA-2004:447-01] Updated gdk-pixbuf packages fix security flaws
Message-ID: <200409151546.i8FFkNa19440@lacrosse.corp.redhat.com>

---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Updated gdk-pixbuf packages fix security flaws
Advisory ID:       RHSA-2004:447-01
Issue date:        2004-09-15
Updated on:        2004-09-15
Product:           Red Hat Enterprise Linux
Obsoletes:         RHSA-2004:103
CVE Names:         CAN-2004-0753 CAN-2004-0782 CAN-2004-0783 CAN-2004-0788
---------------------------------------------------------------------

1. Summary:

Updated gdk-pixbuf packages that fix several security flaws are now available.

2.
Relevant releases/architectures:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64
Red Hat Linux Advanced Workstation 2.1 - ia64
Red Hat Enterprise Linux ES version 2.1 - i386
Red Hat Enterprise Linux WS version 2.1 - i386
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64

3. Problem description:

The gdk-pixbuf package contains an image loading library used with the GNOME GUI desktop environment.

During testing of a previously fixed flaw in Qt (CAN-2004-0691), a flaw was discovered in the BMP image processor of gdk-pixbuf. An attacker could create a carefully crafted BMP file which would cause an application to enter an infinite loop and not respond to user input when the file was opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0753 to this issue.

During a security audit, Chris Evans discovered a stack and a heap overflow in the XPM image decoder. An attacker could create a carefully crafted XPM file which could cause an application linked with gtk2 to crash or possibly execute arbitrary code when the file was opened by a victim. (CAN-2004-0782, CAN-2004-0783)

Chris Evans also discovered an integer overflow in the ICO image decoder. An attacker could create a carefully crafted ICO file which could cause an application linked with gtk2 to crash when the file is opened by a victim. (CAN-2004-0788)

Users of gdk-pixbuf are advised to upgrade to these packages, which contain backported patches and are not vulnerable to these issues.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

Use Red Hat Network to download and update your packages.
To launch the Red Hat Update Agent, use the following command:

up2date

For information on how to install packages manually, refer to the following Web page for the System Administration or Customization guide specific to your system:

http://www.redhat.com/docs/manuals/enterprise/

5. Bug IDs fixed (http://bugzilla.redhat.com/ for more info):

130455 - CAN-2004-0753 bmp image loader DOS

6. RPMs required:
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key.html#package

7. References:

http://bugzilla.gnome.org/show_bug.cgi?id=150601
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0753
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0782
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0783
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0788

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact.html

Copyright 2004 Red Hat, Inc.

From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 15 Sep 2004 11:46 -0400
Subject: [RHSA-2004:449-01] Updated CUPS packages fix security vulnerability
Message-ID: <200409151546.i8FFkna19456@lacrosse.corp.redhat.com>

---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Updated CUPS packages fix security vulnerability
Advisory ID:       RHSA-2004:449-01
Issue date:        2004-09-15
Updated on:        2004-09-15
Product:           Red Hat Enterprise Linux
Keywords:          DoS
CVE Names:         CAN-2004-0558
---------------------------------------------------------------------

1.
Summary:

Updated cups packages that fix a denial of service vulnerability are now available.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, ppc64, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64

3. Problem description:

The Common UNIX Printing System (CUPS) is a print spooler.

Alvaro Martinez Echevarria reported a bug in the CUPS Internet Printing Protocol (IPP) implementation in versions of CUPS prior to 1.1.21. An attacker could send a carefully crafted UDP packet to the IPP port which could cause CUPS to stop listening to the port and result in a denial of service. In order to exploit this bug, an attacker would need to have the ability to send a UDP packet to the IPP port (by default 631). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0558 to this issue.

All users of cups should upgrade to these updated packages, which contain a backported patch as well as a fix for a non-exploitable off-by-one bug.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

Use Red Hat Network to download and update your packages. To launch the Red Hat Update Agent, use the following command:

up2date

For information on how to install packages manually, refer to the following Web page for the System Administration or Customization guide specific to your system:

http://www.redhat.com/docs/manuals/enterprise/

5.
RPMs required:
These packages are GPG signed by Red Hat for security.
Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key.html#package

6. References:

http://www.cups.org/str.php?L863
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0558

7. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact.html

Copyright 2004 Red Hat, Inc.

From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 15 Sep 2004 11:47 -0400
Subject: [RHSA-2004:463-01] Updated httpd packages fix security issues
Message-ID: <200409151547.i8FFl5a19483@lacrosse.corp.redhat.com>

---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Updated httpd packages fix security issues
Advisory ID:       RHSA-2004:463-01
Issue date:        2004-09-15
Updated on:        2004-09-15
Product:           Red Hat Enterprise Linux
CVE Names:         CAN-2004-0747 CAN-2004-0751 CAN-2004-0786 CAN-2004-0809
---------------------------------------------------------------------

1. Summary:

Updated httpd packages that include fixes for security issues are now available.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64

3. Problem description:

The Apache HTTP server is a powerful, full-featured, efficient, and freely-available Web server.
Four issues have been discovered affecting releases of the Apache HTTP 2.0 Server, up to and including version 2.0.50:

Testing using the Codenomicon HTTP Test Tool performed by the Apache Software Foundation security group and Red Hat uncovered an input validation issue in the IPv6 URI parsing routines in the apr-util library. If a remote attacker sent a request including a carefully crafted URI, an httpd child process could be made to crash. This issue is not believed to allow arbitrary code execution on Red Hat Enterprise Linux. This issue also does not represent a significant denial of service attack as requests will continue to be handled by other Apache child processes. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0786 to this issue.

The Swedish IT Incident Centre (SITIC) reported a buffer overflow in the expansion of environment variables during configuration file parsing. This issue could allow a local user to gain 'apache' privileges if an httpd process can be forced to parse a carefully crafted .htaccess file written by a local user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0747 to this issue.

An issue was discovered in the mod_ssl module which could be triggered if the server is configured to allow proxying to a remote SSL server. A malicious remote SSL server could force an httpd child process to crash by sending a carefully crafted response header. This issue is not believed to allow execution of arbitrary code. This issue also does not represent a significant Denial of Service attack as requests will continue to be handled by other Apache child processes. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0751 to this issue.

An issue was discovered in the mod_dav module which could be triggered for a location where WebDAV authoring access has been configured.
A malicious remote client which is authorized to use the LOCK method could force an httpd child process to crash by sending a particular sequence of LOCK requests. This issue does not allow execution of arbitrary code. This issue also does not represent a significant Denial of Service attack as requests will continue to be handled by other Apache child processes. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0809 to this issue.

Users of the Apache HTTP server should upgrade to these updated packages, which contain backported patches that address these issues.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

Use Red Hat Network to download and update your packages. To launch the Red Hat Update Agent, use the following command:

up2date

For information on how to install packages manually, refer to the following Web page for the System Administration or Customization guide specific to your system:

http://www.redhat.com/docs/manuals/enterprise/

5.
RPMs required:
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key.html#package

6.
References:

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=29964
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=31183
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0747
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0751
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0786
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0809

7. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact.html

Copyright 2004 Red Hat, Inc.

From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 15 Sep 2004 11:47 -0400
Subject: [RHSA-2004:464-01] Updated mc package resolves security vulnerabilities
Message-ID: <200409151547.i8FFlDa19490@lacrosse.corp.redhat.com>

---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Updated mc package resolves security vulnerabilities
Advisory ID:       RHSA-2004:464-01
Issue date:        2004-09-15
Updated on:        2004-09-15
Product:           Red Hat Enterprise Linux
CVE Names:         CAN-2004-0494
---------------------------------------------------------------------

1. Summary:

An updated mc package that resolves several shell escape security issues is now available.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64
Red Hat Linux Advanced Workstation 2.1 - ia64
Red Hat Enterprise Linux WS version 2.1 - i386

3. Problem description:

Midnight Commander (mc) is a visual shell much like a file manager.

Shell escape bugs have been discovered in several of the mc vfs backend scripts.
An attacker who is able to influence a victim to open a specially-crafted URI using mc could execute arbitrary commands as the victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0494 to this issue.

Users of mc should upgrade to this updated package, which contains backported patches and is not vulnerable to this issue.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

Use Red Hat Network to download and update your packages. To launch the Red Hat Update Agent, use the following command:

up2date

For information on how to install packages manually, refer to the following Web page for the System Administration or Customization guide specific to your system:

http://www.redhat.com/docs/manuals/enterprise/

5. Bug IDs fixed (http://bugzilla.redhat.com/ for more info):

127974 - CAN-2004-0494 extfs vfs vulnerability in mc

6. RPMs required:

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from
https://www.redhat.com/security/team/key.html#package

7.
References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0494

8. Contact:

The Red Hat security contact is . More contact details at
https://www.redhat.com/security/team/contact.html

Copyright 2004 Red Hat, Inc.

From bugzilla at redhat.com Wed Sep 15 15:47:00 2004
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 15 Sep 2004 11:47 -0400
Subject: [RHSA-2004:465-01] Updated imlib package fixes security vulnerability
Message-ID: <200409151547.i8FFlMa19495@lacrosse.corp.redhat.com>

---------------------------------------------------------------------
Red Hat Security Advisory

Synopsis: Updated imlib package fixes security vulnerability
Advisory ID: RHSA-2004:465-01
Issue date: 2004-09-15
Updated on: 2004-09-15
Product: Red Hat Enterprise Linux
CVE Names: CAN-2004-0817
---------------------------------------------------------------------

1. Summary:

An updated imlib package that fixes several heap overflows is now available.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64
Red Hat Linux Advanced Workstation 2.1 - ia64
Red Hat Enterprise Linux ES version 2.1 - i386
Red Hat Enterprise Linux WS version 2.1 - i386
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64

3. Problem description:

Imlib is an image loading and rendering library.

Several heap overflow flaws were found in the imlib BMP image handler.
An attacker could create a carefully crafted BMP file in such a way that it could cause an application linked with imlib to execute arbitrary code when the file was opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0817 to this issue.

Users of imlib should update to this updated package, which contains backported patches and is not vulnerable to this issue.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

Use Red Hat Network to download and update your packages. To launch the Red Hat Update Agent, use the following command:

up2date

For information on how to install packages manually, refer to the following Web page for the System Administration or Customization guide specific to your system:

http://www.redhat.com/docs/manuals/enterprise/

5. Bug IDs fixed (http://bugzilla.redhat.com/ for more info):

130909 - CAN-2004-0817 heap overflow in BMP decoder

6.
RPMs required:
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from
https://www.redhat.com/security/team/key.html#package

7. References:

http://bugzilla.gnome.org/show_bug.cgi?id=151034
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0817

8. Contact:

The Red Hat security contact is . More contact details at
https://www.redhat.com/security/team/contact.html

Copyright 2004 Red Hat, Inc.

From bugzilla at redhat.com Wed Sep 15 15:47:00 2004
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 15 Sep 2004 11:47 -0400
Subject: [RHSA-2004:466-01] Updated gtk2 packages fix security flaws and bugs
Message-ID: <200409151547.i8FFlka19510@lacrosse.corp.redhat.com>

---------------------------------------------------------------------
Red Hat Security Advisory

Synopsis: Updated gtk2 packages fix security flaws and bugs
Advisory ID: RHSA-2004:466-01
Issue date: 2004-09-15
Updated on: 2004-09-15
Product: Red Hat Enterprise Linux
CVE Names: CAN-2004-0753 CAN-2004-0782 CAN-2004-0783 CAN-2004-0788
---------------------------------------------------------------------

1. Summary:

Updated gtk2 packages that fix several security flaws and bugs are now available.

2.
Relevant releases/architectures:

Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64

3. Problem description:

The gtk2 package contains the GIMP ToolKit (GTK+), a library for creating graphical user interfaces for the X Window System.

During testing of a previously fixed flaw in Qt (CAN-2004-0691), a flaw was discovered in the BMP image processor of gtk2. An attacker could create a carefully crafted BMP file which would cause an application to enter an infinite loop and not respond to user input when the file was opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0753 to this issue.

During a security audit, Chris Evans discovered a stack and a heap overflow in the XPM image decoder. An attacker could create a carefully crafted XPM file which could cause an application linked with gtk2 to crash or possibly execute arbitrary code when the file was opened by a victim. (CAN-2004-0782, CAN-2004-0783)

Chris Evans also discovered an integer overflow in the ICO image decoder. An attacker could create a carefully crafted ICO file which could cause an application linked with gtk2 to crash when the file was opened by a victim. (CAN-2004-0788)

This updated gtk2 package also fixes a few key combination bugs on various X servers, such as Hummingbird, ReflectionX, and X-Win32. If a server was configured to use the Swiss German, Swiss French, or France French keyboard layouts, Mode_Switched characters could not be entered within GTK based applications.

Users of gtk2 are advised to upgrade to these packages, which contain backported patches and are not vulnerable to these issues.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.
Use Red Hat Network to download and update your packages. To launch the Red Hat Update Agent, use the following command:

up2date

For information on how to install packages manually, refer to the following Web page for the System Administration or Customization guide specific to your system:

http://www.redhat.com/docs/manuals/enterprise/

5. Bug IDs fixed (http://bugzilla.redhat.com/ for more info):

130450 - CAN-2004-0753 bmp image loader DOS

6. RPMs required:
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from
https://www.redhat.com/security/team/key.html#package

7. References:

http://bugzilla.gnome.org/show_bug.cgi?id=150601
http://bugzilla.gnome.org/show_bug.cgi?id=144808
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0753
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0782
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0783
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0788

8. Contact:

The Red Hat security contact is . More contact details at
https://www.redhat.com/security/team/contact.html

Copyright 2004 Red Hat, Inc.
From bugzilla at redhat.com Wed Sep 15 21:34:00 2004
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 15 Sep 2004 17:34 -0400
Subject: [RHSA-2004:447-02] Updated gdk-pixbuf packages fix security flaws
Message-ID: <200409152134.i8FLY3a10563@lacrosse.corp.redhat.com>

---------------------------------------------------------------------
Red Hat Security Advisory

Synopsis: Updated gdk-pixbuf packages fix security flaws
Advisory ID: RHSA-2004:447-02
Issue date: 2004-09-15
Updated on: 2004-09-15
Product: Red Hat Enterprise Linux
Obsoletes: RHSA-2004:103
CVE Names: CAN-2004-0753 CAN-2004-0782 CAN-2004-0783 CAN-2004-0788
---------------------------------------------------------------------

1. Summary:

Updated gdk-pixbuf packages that fix several security flaws are now available.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64
Red Hat Linux Advanced Workstation 2.1 - ia64
Red Hat Enterprise Linux ES version 2.1 - i386
Red Hat Enterprise Linux WS version 2.1 - i386
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64

3. Problem description:

The gdk-pixbuf package contains an image loading library used with the GNOME GUI desktop environment.

[Updated 15th September 2004]
Packages have been updated to correct a bug which caused the xpm loader to fail.

During testing of a previously fixed flaw in Qt (CAN-2004-0691), a flaw was discovered in the BMP image processor of gdk-pixbuf.
An attacker could create a carefully crafted BMP file which would cause an application to enter an infinite loop and not respond to user input when the file was opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0753 to this issue.

During a security audit, Chris Evans discovered a stack and a heap overflow in the XPM image decoder. An attacker could create a carefully crafted XPM file which could cause an application linked with gtk2 to crash or possibly execute arbitrary code when the file was opened by a victim. (CAN-2004-0782, CAN-2004-0783)

Chris Evans also discovered an integer overflow in the ICO image decoder. An attacker could create a carefully crafted ICO file which could cause an application linked with gtk2 to crash when the file is opened by a victim. (CAN-2004-0788)

These packages have also been updated to correct a bug which caused the xpm loader to fail.

Users of gdk-pixbuf are advised to upgrade to these packages, which contain backported patches and are not vulnerable to these issues.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

Use Red Hat Network to download and update your packages. To launch the Red Hat Update Agent, use the following command:

up2date

For information on how to install packages manually, refer to the following Web page for the System Administration or Customization guide specific to your system:

http://www.redhat.com/docs/manuals/enterprise/

5. Bug IDs fixed (http://bugzilla.redhat.com/ for more info):

130455 - CAN-2004-0753 bmp image loader DOS
130711 - CAN-2004-0782/3/8 GTK XPM decoder issues

6.
RPMs required:
These packages are GPG signed by Red Hat for security.
Our key and details on how to verify the signature are available from
https://www.redhat.com/security/team/key.html#package

7. References:

http://bugzilla.gnome.org/show_bug.cgi?id=150601
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0753
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0782
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0783
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0788

8. Contact:

The Red Hat security contact is . More contact details at
https://www.redhat.com/security/team/contact.html

Copyright 2004 Red Hat, Inc.

From bugzilla at redhat.com Wed Sep 22 19:02:00 2004
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 22 Sep 2004 15:02 -0400
Subject: [RHSA-2004:434-01] Updated redhat-config-nfs package resolves several security issues
Message-ID: <200409221902.i8MJ2Ra32041@lacrosse.corp.redhat.com>

---------------------------------------------------------------------
Red Hat Security Advisory

Synopsis: Updated redhat-config-nfs package resolves several security issues
Advisory ID: RHSA-2004:434-01
Issue date: 2004-09-22
Updated on: 2004-09-22
Product: Red Hat Enterprise Linux
CVE Names: CAN-2004-0750
---------------------------------------------------------------------

1. Summary:

An updated redhat-config-nfs package that fixes bugs and potential security issues is now available for Red Hat Enterprise Linux 3.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 3 - noarch
Red Hat Desktop version 3 - noarch
Red Hat Enterprise Linux ES version 3 - noarch
Red Hat Enterprise Linux WS version 3 - noarch

3. Problem description:

The redhat-config-nfs package includes a graphical user interface for creating, modifying, and deleting nfs shares.
John Buswell discovered a flaw in redhat-config-nfs that could lead to incorrect permissions on exported shares when exporting to multiple hosts. This could cause an option such as "all_squash" to not be applied to all of the listed hosts. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0750 to this issue.

Additionally, a bug was found that prevented redhat-config-nfs from being run if hosts didn't have options set in /etc/exports.

All users of redhat-config-nfs are advised to upgrade to these updated packages and to check their NFS shares directly or via the /etc/exports file for any incorrectly set options.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

Use Red Hat Network to download and update your packages. To launch the Red Hat Update Agent, use the following command:

up2date

For information on how to install packages manually, refer to the following Web page for the System Administration or Customization guide specific to your system:

http://www.redhat.com/docs/manuals/enterprise/

5. Bug IDs fixed (http://bugzilla.redhat.com/ for more info):

107997 - CAN-2004-0750 [PATCH] /etc/exports has incorrect syntax for multiple hosts with a single mount point

6.
RPMs required:

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from
https://www.redhat.com/security/team/key.html#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0750

8. Contact:

The Red Hat security contact is . More contact details at
https://www.redhat.com/security/team/contact.html

Copyright 2004 Red Hat, Inc.
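The redhat-config-nfs advisory above asks administrators to check /etc/exports for options that were not applied to every host of a multi-host export. The checker below is an added example written for this page, not Red Hat's tool or any code from the advisory: it parses a constructed exports file, reports hosts of the same mount point whose squash options differ (the all_squash case the advisory names), and separately flags the general exports(5) pitfall of a space before the option list, which exportfs treats as an anonymous "*" entry. The sample file, host names and paths are all constructed.

```python
"""Checker for /etc/exports after RHSA-2004:434 (added example, not Red Hat's code)."""

# Constructed sample /etc/exports; no line below comes from the advisory.
# /srv/share shows the symptom the advisory describes: one mount point
# exported to several hosts, with all_squash applied to only one of them.
# /srv/tmp shows a separate exports(5) pitfall: a space before "(" detaches
# the options from the host, and exportfs treats "(opts)" alone as "*(opts)".
SAMPLE_EXPORTS = """\
# constructed /etc/exports
/srv/pub    client1.example.com(ro,sync) client2.example.com(ro,sync)
/srv/share  client1.example.com(rw,all_squash) client2.example.com(rw) client3.example.com(rw,sync)
/srv/tmp    client4.example.com (rw,no_root_squash)
"""

# Options that change which identity a client's requests run as on the server.
# The advisory names all_squash; the others are the same family of options.
SQUASH_OPTIONS = frozenset({"all_squash", "no_all_squash",
                            "root_squash", "no_root_squash"})


def parse_exports(text):
    """Parse exports text into {path: [(host, frozenset(options)), ...]}.

    Each client token is host(opt,opt) or a bare host. A token that starts
    with "(" has no host at all; it is kept with host == "" so the caller
    can flag it. Paths containing whitespace (which exports(5) allows when
    quoted) are out of scope for this example.
    """
    exports = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        path, _, rest = line.partition(" ")
        entries = []
        for token in rest.split():
            host, paren, opts = token.partition("(")
            options = (frozenset(o for o in opts.rstrip(")").split(",") if o)
                       if paren else frozenset())
            entries.append((host, options))
        exports[path] = entries
    return exports


def find_inconsistent_options(exports, watched=SQUASH_OPTIONS):
    """Return (path, host, missing_options) for hosts of a multi-host export
    that lack a watched option some other host of the same path has.

    This is the condition the advisory asks administrators to look for: an
    option such as all_squash applied to some, but not all, listed hosts.
    """
    findings = []
    for path, entries in exports.items():
        named = [(host, opts & watched) for host, opts in entries if host]
        if len(named) < 2:
            continue                                # nothing to compare
        union = frozenset().union(*(opts for _, opts in named))
        for host, opts in named:
            missing = sorted(union - opts)
            if missing:
                findings.append((path, host, missing))
    return findings


def find_detached_options(exports):
    """Return (path, options) for "(opts)" tokens that have no host in front.

    exportfs applies such an entry to every client ("*"), which is rarely
    what the author of the line intended.
    """
    return [(path, sorted(opts))
            for path, entries in exports.items()
            for host, opts in entries if not host]


def report(text):
    """Run both checks and return the findings as printable lines."""
    exports = parse_exports(text)
    lines = [f"{path}: {host} lacks {','.join(missing)} that another host of this export has"
             for path, host, missing in find_inconsistent_options(exports)]
    lines += [f"{path}: options ({','.join(opts)}) are not attached to a host and apply to everyone"
              for path, opts in find_detached_options(exports)]
    return lines


if __name__ == "__main__":
    # On a real system, pass open("/etc/exports").read() instead of the sample.
    for line in report(SAMPLE_EXPORTS) or ["no findings"]:
        print(line)
```

A clean difference in squash options between hosts can be deliberate, so each finding is a line to review against the intended policy rather than an automatic error.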
From bugzilla at redhat.com Wed Sep 22 19:05:00 2004
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 22 Sep 2004 15:05 -0400
Subject: [RHSA-2004:467-01] Updated samba packages fix vulnerabilities
Message-ID: <200409221905.i8MJ5Ba32213@lacrosse.corp.redhat.com>

---------------------------------------------------------------------
Red Hat Security Advisory

Synopsis: Updated samba packages fix vulnerabilities
Advisory ID: RHSA-2004:467-01
Issue date: 2004-09-22
Updated on: 2004-09-22
Product: Red Hat Enterprise Linux
CVE Names: CAN-2004-0807 CAN-2004-0808
---------------------------------------------------------------------

1. Summary:

Updated samba packages that fix two denial of service vulnerabilities are now available.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64

3. Problem description:

Samba provides file and printer sharing services to SMB/CIFS clients.

The Samba team has discovered a denial of service bug in the smbd daemon. A defect in smbd's ASN.1 parsing allows an attacker to send a specially crafted packet during the authentication request which will send the newly spawned smbd process into an infinite loop. Given enough of these packets, it is possible to exhaust the available memory on the server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0807 to this issue.

Additionally, the Samba team has discovered a denial of service bug in the nmbd daemon.
It is possible that an attacker could send a specially crafted UDP packet which could allow the attacker to anonymously crash nmbd. This issue only affects nmbd daemons which are configured to process domain logons. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0808 to this issue.

Users of Samba should upgrade to these updated packages, which contain an upgrade to Samba-3.0.7, which is not vulnerable to these issues.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

Use Red Hat Network to download and update your packages. To launch the Red Hat Update Agent, use the following command:

up2date

For information on how to install packages manually, refer to the following Web page for the System Administration or Customization guide specific to your system:
http://www.redhat.com/docs/manuals/enterprise/

5. Bug IDs fixed (http://bugzilla.redhat.com/ for more info):

132207 - CAN-2004-0807/8 Samba 3 DoS

6. RPMs required:

Red Hat Enterprise Linux AS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/samba-3.0.7-1.3E.src.rpm
0e0ab76a6c01b54f2dcd37eddec1b7ae samba-3.0.7-1.3E.src.rpm

i386:
d5d35ea56621e4811b35b3c9f09f7db8 samba-3.0.7-1.3E.i386.rpm
e360c18dceb4ff62085c8574efa17912 samba-client-3.0.7-1.3E.i386.rpm
d37b1eaa4241a9669346e32450562201 samba-common-3.0.7-1.3E.i386.rpm
9e89353301ef61c269ee2a7d794007f4 samba-swat-3.0.7-1.3E.i386.rpm

ia64:
43fd81d53ac4c2bb5883989924259875 samba-3.0.7-1.3E.ia64.rpm
d5d35ea56621e4811b35b3c9f09f7db8 samba-3.0.7-1.3E.i386.rpm
83dea197d8ab12851373200986acb9bd samba-client-3.0.7-1.3E.ia64.rpm
604b1b038b14349373bd50b64e6cd7f8 samba-common-3.0.7-1.3E.ia64.rpm
64b3a01b9c0cf1d61e2e5c95ea3c501e samba-swat-3.0.7-1.3E.ia64.rpm

ppc:
843d8d868f8265e5c2a44f5085518500 samba-3.0.7-1.3E.ppc.rpm
f425c770f636ea0ffcdfe743003d01b8 samba-client-3.0.7-1.3E.ppc.rpm
f77d534c0d392d4d08d3e0e8fec1cbf9 samba-common-3.0.7-1.3E.ppc.rpm
b6060bfe3aebd38da56d4512ca8ab38b samba-swat-3.0.7-1.3E.ppc.rpm

s390:
913de238b0132c09df15f394dce7962a samba-3.0.7-1.3E.s390.rpm
fc5809d8ef8df1c5e3fd36c78bce3748 samba-client-3.0.7-1.3E.s390.rpm
307baf9bedf0ffe3fe9377519e0dbaef samba-common-3.0.7-1.3E.s390.rpm
b55789e5dae219c4c5204c58c1dbf008 samba-swat-3.0.7-1.3E.s390.rpm

s390x:
3f52f15123144fafa7406d82cde583a7 samba-3.0.7-1.3E.s390x.rpm
913de238b0132c09df15f394dce7962a samba-3.0.7-1.3E.s390.rpm
703bf257d36af3cd6418581eb68c8170 samba-client-3.0.7-1.3E.s390x.rpm
012a11c42eadc4564d04fcd78f630bae samba-common-3.0.7-1.3E.s390x.rpm
613ad324dbc90848c7de62ba1a44ad91 samba-swat-3.0.7-1.3E.s390x.rpm

x86_64:
73c51df789f9b1d6f539712ed76615a5 samba-3.0.7-1.3E.x86_64.rpm
d5d35ea56621e4811b35b3c9f09f7db8 samba-3.0.7-1.3E.i386.rpm
a543e007292695f647bf7f76b4033fb8 samba-client-3.0.7-1.3E.x86_64.rpm
0745f0f96c9026dd6bd864fb30d7b1ab samba-common-3.0.7-1.3E.x86_64.rpm
0ddf74be7e690cc60c1bf442fba641a2 samba-swat-3.0.7-1.3E.x86_64.rpm

Red Hat Desktop version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/samba-3.0.7-1.3E.src.rpm
0e0ab76a6c01b54f2dcd37eddec1b7ae samba-3.0.7-1.3E.src.rpm

i386:
d5d35ea56621e4811b35b3c9f09f7db8 samba-3.0.7-1.3E.i386.rpm
e360c18dceb4ff62085c8574efa17912 samba-client-3.0.7-1.3E.i386.rpm
d37b1eaa4241a9669346e32450562201 samba-common-3.0.7-1.3E.i386.rpm
9e89353301ef61c269ee2a7d794007f4 samba-swat-3.0.7-1.3E.i386.rpm

x86_64:
73c51df789f9b1d6f539712ed76615a5 samba-3.0.7-1.3E.x86_64.rpm
d5d35ea56621e4811b35b3c9f09f7db8 samba-3.0.7-1.3E.i386.rpm
a543e007292695f647bf7f76b4033fb8 samba-client-3.0.7-1.3E.x86_64.rpm
0745f0f96c9026dd6bd864fb30d7b1ab samba-common-3.0.7-1.3E.x86_64.rpm
0ddf74be7e690cc60c1bf442fba641a2 samba-swat-3.0.7-1.3E.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/samba-3.0.7-1.3E.src.rpm
0e0ab76a6c01b54f2dcd37eddec1b7ae samba-3.0.7-1.3E.src.rpm

i386:
d5d35ea56621e4811b35b3c9f09f7db8 samba-3.0.7-1.3E.i386.rpm
e360c18dceb4ff62085c8574efa17912 samba-client-3.0.7-1.3E.i386.rpm
d37b1eaa4241a9669346e32450562201 samba-common-3.0.7-1.3E.i386.rpm
9e89353301ef61c269ee2a7d794007f4 samba-swat-3.0.7-1.3E.i386.rpm

ia64:
43fd81d53ac4c2bb5883989924259875 samba-3.0.7-1.3E.ia64.rpm
d5d35ea56621e4811b35b3c9f09f7db8 samba-3.0.7-1.3E.i386.rpm
83dea197d8ab12851373200986acb9bd samba-client-3.0.7-1.3E.ia64.rpm
604b1b038b14349373bd50b64e6cd7f8 samba-common-3.0.7-1.3E.ia64.rpm
64b3a01b9c0cf1d61e2e5c95ea3c501e samba-swat-3.0.7-1.3E.ia64.rpm

x86_64:
73c51df789f9b1d6f539712ed76615a5 samba-3.0.7-1.3E.x86_64.rpm
d5d35ea56621e4811b35b3c9f09f7db8 samba-3.0.7-1.3E.i386.rpm
a543e007292695f647bf7f76b4033fb8 samba-client-3.0.7-1.3E.x86_64.rpm
0745f0f96c9026dd6bd864fb30d7b1ab samba-common-3.0.7-1.3E.x86_64.rpm
0ddf74be7e690cc60c1bf442fba641a2 samba-swat-3.0.7-1.3E.x86_64.rpm

Red Hat Enterprise Linux WS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/samba-3.0.7-1.3E.src.rpm
0e0ab76a6c01b54f2dcd37eddec1b7ae samba-3.0.7-1.3E.src.rpm

i386:
d5d35ea56621e4811b35b3c9f09f7db8 samba-3.0.7-1.3E.i386.rpm
e360c18dceb4ff62085c8574efa17912 samba-client-3.0.7-1.3E.i386.rpm
d37b1eaa4241a9669346e32450562201 samba-common-3.0.7-1.3E.i386.rpm
9e89353301ef61c269ee2a7d794007f4 samba-swat-3.0.7-1.3E.i386.rpm

ia64:
43fd81d53ac4c2bb5883989924259875 samba-3.0.7-1.3E.ia64.rpm
d5d35ea56621e4811b35b3c9f09f7db8 samba-3.0.7-1.3E.i386.rpm
83dea197d8ab12851373200986acb9bd samba-client-3.0.7-1.3E.ia64.rpm
604b1b038b14349373bd50b64e6cd7f8 samba-common-3.0.7-1.3E.ia64.rpm
64b3a01b9c0cf1d61e2e5c95ea3c501e samba-swat-3.0.7-1.3E.ia64.rpm

x86_64:
73c51df789f9b1d6f539712ed76615a5 samba-3.0.7-1.3E.x86_64.rpm
d5d35ea56621e4811b35b3c9f09f7db8 samba-3.0.7-1.3E.i386.rpm
a543e007292695f647bf7f76b4033fb8 samba-client-3.0.7-1.3E.x86_64.rpm
0745f0f96c9026dd6bd864fb30d7b1ab samba-common-3.0.7-1.3E.x86_64.rpm
0ddf74be7e690cc60c1bf442fba641a2 samba-swat-3.0.7-1.3E.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from
https://www.redhat.com/security/team/key.html#package

7. References:

http://us3.samba.org/samba/history/samba-3.0.7.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0807
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0808

8. Contact:

The Red Hat security contact is . More contact details at
https://www.redhat.com/security/team/contact.html

Copyright 2004 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBUcxfXlSAg2UNWIIRAtrYAJ9DExHj69IGpeL1+Jbsv8WUlUPWggCaA69S
H709oYVrKkU2HNFoFRmgGwg=
=rETX
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Sep 30 14:53:00 2004
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 30 Sep 2004 10:53 -0400
Subject: [RHSA-2004:441-01] Updated ruby package fixes security flaw
Message-ID: <200409301453.i8UErTa13143@lacrosse.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------
Red Hat Security Advisory

Synopsis: Updated ruby package fixes security flaw
Advisory ID: RHSA-2004:441-01
Issue date: 2004-09-30
Updated on: 2004-09-30
Product: Red Hat Enterprise Linux
Keywords: file permission
CVE Names: CAN-2004-0755
- ---------------------------------------------------------------------

1. Summary:

An updated ruby package that fixes insecure file permissions for CGI session files is now available.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386
Red Hat Enterprise Linux ES version 2.1 - i386
Red Hat Enterprise Linux WS version 2.1 - i386
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64

3. Problem description:

Ruby is an interpreted scripting language for object-oriented programming.

Andres Salomon reported an insecure file permissions flaw in the CGI session management of Ruby. FileStore created world-readable files that could allow a malicious local user the ability to read CGI session data. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0755 to this issue.

Users are advised to upgrade to this erratum package, which contains a backported patch to CGI::Session FileStore.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

Use Red Hat Network to download and update your packages. To launch the Red Hat Update Agent, use the following command:

up2date

For information on how to install packages manually, refer to the following Web page for the System Administration or Customization guide specific to your system:
http://www.redhat.com/docs/manuals/enterprise/

5. Bug IDs fixed (http://bugzilla.redhat.com/ for more info):

130065 - CAN-2004-0755 ruby insecure file permissions

6. RPMs required:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/ruby-1.6.4-2.AS21.0.src.rpm
eb97376e716aa09d718d5afc0f4a0020 ruby-1.6.4-2.AS21.0.src.rpm

i386:
8570dca43ce0243d098a667d77f08490 irb-1.6.4-2.AS21.0.i386.rpm
ec1d1fe2f3f0ebae66342127c5a48e19 ruby-1.6.4-2.AS21.0.i386.rpm
b318516e9af9320a3638d496754c3f3e ruby-devel-1.6.4-2.AS21.0.i386.rpm
95c13aa43397b4d1f8f625d5db8cf0e6 ruby-docs-1.6.4-2.AS21.0.i386.rpm
dd229e6ba40dee0ddd9f7072bd24780b ruby-libs-1.6.4-2.AS21.0.i386.rpm
b7b059fa23ba437057ad66125201407e ruby-tcltk-1.6.4-2.AS21.0.i386.rpm

Red Hat Enterprise Linux ES version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/ruby-1.6.4-2.AS21.0.src.rpm
eb97376e716aa09d718d5afc0f4a0020 ruby-1.6.4-2.AS21.0.src.rpm

i386:
8570dca43ce0243d098a667d77f08490 irb-1.6.4-2.AS21.0.i386.rpm
ec1d1fe2f3f0ebae66342127c5a48e19 ruby-1.6.4-2.AS21.0.i386.rpm
b318516e9af9320a3638d496754c3f3e ruby-devel-1.6.4-2.AS21.0.i386.rpm
95c13aa43397b4d1f8f625d5db8cf0e6 ruby-docs-1.6.4-2.AS21.0.i386.rpm
dd229e6ba40dee0ddd9f7072bd24780b ruby-libs-1.6.4-2.AS21.0.i386.rpm
b7b059fa23ba437057ad66125201407e ruby-tcltk-1.6.4-2.AS21.0.i386.rpm

Red Hat Enterprise Linux WS version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/ruby-1.6.4-2.AS21.0.src.rpm
eb97376e716aa09d718d5afc0f4a0020 ruby-1.6.4-2.AS21.0.src.rpm

i386:
8570dca43ce0243d098a667d77f08490 irb-1.6.4-2.AS21.0.i386.rpm
ec1d1fe2f3f0ebae66342127c5a48e19 ruby-1.6.4-2.AS21.0.i386.rpm
b318516e9af9320a3638d496754c3f3e ruby-devel-1.6.4-2.AS21.0.i386.rpm
95c13aa43397b4d1f8f625d5db8cf0e6 ruby-docs-1.6.4-2.AS21.0.i386.rpm
dd229e6ba40dee0ddd9f7072bd24780b ruby-libs-1.6.4-2.AS21.0.i386.rpm
b7b059fa23ba437057ad66125201407e ruby-tcltk-1.6.4-2.AS21.0.i386.rpm

Red Hat Enterprise Linux AS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/ruby-1.6.8-9.EL3.2.src.rpm
4a005a302e389f88e0059a04ffe1c301 ruby-1.6.8-9.EL3.2.src.rpm

i386:
b806ed75a84c93559323ad7a31775ce3 ruby-1.6.8-9.EL3.2.i386.rpm
945e6b9345cc4f23667ac60909b0ef5d ruby-devel-1.6.8-9.EL3.2.i386.rpm
056d3fc25714ecf458837e2350f1403e ruby-libs-1.6.8-9.EL3.2.i386.rpm
e3c51a8f573f313113ab0de0811c3993 ruby-mode-1.6.8-9.EL3.2.i386.rpm

ia64:
54124222ea6990ebae5aba4355d9ac70 ruby-1.6.8-9.EL3.2.ia64.rpm
3118ec318e2ff6065e4e598ee07374e3 ruby-devel-1.6.8-9.EL3.2.ia64.rpm
bc523ead60e9bd104cf55373a9ad3b8c ruby-libs-1.6.8-9.EL3.2.ia64.rpm
f5c7ade5502b67d1a35c76223de7663c ruby-mode-1.6.8-9.EL3.2.ia64.rpm

ppc:
e111badd02691f2d3af1228cfd1305ad ruby-1.6.8-9.EL3.2.ppc.rpm
71f4002652015dc1394d1a0707dac921 ruby-devel-1.6.8-9.EL3.2.ppc.rpm
2834716a178d5c22b2a0bdc3c18e4569 ruby-libs-1.6.8-9.EL3.2.ppc.rpm
c722c0ce315e1e5a4229e94b1518ba30 ruby-mode-1.6.8-9.EL3.2.ppc.rpm

s390:
ba3145afb52bc659a5efcc0452a55ff3 ruby-1.6.8-9.EL3.2.s390.rpm
e52eb4855a8501f0c2fccf2b1e3524aa ruby-devel-1.6.8-9.EL3.2.s390.rpm
6b18d38bd6d62c84d757f229845b6079 ruby-libs-1.6.8-9.EL3.2.s390.rpm
0cf38f2a6c42ceb80a674bcc9ffa557d ruby-mode-1.6.8-9.EL3.2.s390.rpm

s390x:
7292fe703498f5ee33a20d69f7ad6cd1 ruby-1.6.8-9.EL3.2.s390x.rpm
e1ff142228b28536b4a3977db8d430a7 ruby-devel-1.6.8-9.EL3.2.s390x.rpm
c1849a6c9570941144914d7d518d71e8 ruby-libs-1.6.8-9.EL3.2.s390x.rpm
fd9f25954b2d1b87d521848a6bf2501b ruby-mode-1.6.8-9.EL3.2.s390x.rpm

x86_64:
3048997bfb6fc66ca6ec6813d2f0aff6 ruby-1.6.8-9.EL3.2.x86_64.rpm
b8135ec687a30ca432a67cb383a1e62a ruby-devel-1.6.8-9.EL3.2.x86_64.rpm
160b4e7a46029a3ccb2ba98fd1a4dd7d ruby-libs-1.6.8-9.EL3.2.x86_64.rpm
8456efd1389a4d322fca5fce518e44a1 ruby-mode-1.6.8-9.EL3.2.x86_64.rpm

Red Hat Desktop version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/ruby-1.6.8-9.EL3.2.src.rpm
4a005a302e389f88e0059a04ffe1c301 ruby-1.6.8-9.EL3.2.src.rpm

i386:
b806ed75a84c93559323ad7a31775ce3 ruby-1.6.8-9.EL3.2.i386.rpm
945e6b9345cc4f23667ac60909b0ef5d ruby-devel-1.6.8-9.EL3.2.i386.rpm
056d3fc25714ecf458837e2350f1403e ruby-libs-1.6.8-9.EL3.2.i386.rpm
e3c51a8f573f313113ab0de0811c3993 ruby-mode-1.6.8-9.EL3.2.i386.rpm

x86_64:
3048997bfb6fc66ca6ec6813d2f0aff6 ruby-1.6.8-9.EL3.2.x86_64.rpm
b8135ec687a30ca432a67cb383a1e62a ruby-devel-1.6.8-9.EL3.2.x86_64.rpm
160b4e7a46029a3ccb2ba98fd1a4dd7d ruby-libs-1.6.8-9.EL3.2.x86_64.rpm
8456efd1389a4d322fca5fce518e44a1 ruby-mode-1.6.8-9.EL3.2.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/ruby-1.6.8-9.EL3.2.src.rpm
4a005a302e389f88e0059a04ffe1c301 ruby-1.6.8-9.EL3.2.src.rpm

i386:
b806ed75a84c93559323ad7a31775ce3 ruby-1.6.8-9.EL3.2.i386.rpm
945e6b9345cc4f23667ac60909b0ef5d ruby-devel-1.6.8-9.EL3.2.i386.rpm
056d3fc25714ecf458837e2350f1403e ruby-libs-1.6.8-9.EL3.2.i386.rpm
e3c51a8f573f313113ab0de0811c3993 ruby-mode-1.6.8-9.EL3.2.i386.rpm

ia64:
54124222ea6990ebae5aba4355d9ac70 ruby-1.6.8-9.EL3.2.ia64.rpm
3118ec318e2ff6065e4e598ee07374e3 ruby-devel-1.6.8-9.EL3.2.ia64.rpm
bc523ead60e9bd104cf55373a9ad3b8c ruby-libs-1.6.8-9.EL3.2.ia64.rpm
f5c7ade5502b67d1a35c76223de7663c ruby-mode-1.6.8-9.EL3.2.ia64.rpm

x86_64:
3048997bfb6fc66ca6ec6813d2f0aff6 ruby-1.6.8-9.EL3.2.x86_64.rpm
b8135ec687a30ca432a67cb383a1e62a ruby-devel-1.6.8-9.EL3.2.x86_64.rpm
160b4e7a46029a3ccb2ba98fd1a4dd7d ruby-libs-1.6.8-9.EL3.2.x86_64.rpm
8456efd1389a4d322fca5fce518e44a1 ruby-mode-1.6.8-9.EL3.2.x86_64.rpm

Red Hat Enterprise Linux WS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/ruby-1.6.8-9.EL3.2.src.rpm
4a005a302e389f88e0059a04ffe1c301 ruby-1.6.8-9.EL3.2.src.rpm

i386:
b806ed75a84c93559323ad7a31775ce3 ruby-1.6.8-9.EL3.2.i386.rpm
945e6b9345cc4f23667ac60909b0ef5d ruby-devel-1.6.8-9.EL3.2.i386.rpm
056d3fc25714ecf458837e2350f1403e ruby-libs-1.6.8-9.EL3.2.i386.rpm
e3c51a8f573f313113ab0de0811c3993 ruby-mode-1.6.8-9.EL3.2.i386.rpm

ia64:
54124222ea6990ebae5aba4355d9ac70 ruby-1.6.8-9.EL3.2.ia64.rpm
3118ec318e2ff6065e4e598ee07374e3 ruby-devel-1.6.8-9.EL3.2.ia64.rpm
bc523ead60e9bd104cf55373a9ad3b8c ruby-libs-1.6.8-9.EL3.2.ia64.rpm
f5c7ade5502b67d1a35c76223de7663c ruby-mode-1.6.8-9.EL3.2.ia64.rpm

x86_64:
3048997bfb6fc66ca6ec6813d2f0aff6 ruby-1.6.8-9.EL3.2.x86_64.rpm
b8135ec687a30ca432a67cb383a1e62a ruby-devel-1.6.8-9.EL3.2.x86_64.rpm
160b4e7a46029a3ccb2ba98fd1a4dd7d ruby-libs-1.6.8-9.EL3.2.x86_64.rpm
8456efd1389a4d322fca5fce518e44a1 ruby-mode-1.6.8-9.EL3.2.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from
https://www.redhat.com/security/team/key.html#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0755

8. Contact:

The Red Hat security contact is . More contact details at
https://www.redhat.com/security/team/contact.html

Copyright 2004 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBXB3gXlSAg2UNWIIRAkXLAKChOubcTfVhoSGLL/DRgUQbMxbD2wCfRlBD
foKv94hXR1OqHdgnMd45cGE=
=mE/N
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Sep 30 14:53:00 2004
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 30 Sep 2004 10:53 -0400
Subject: [RHSA-2004:451-01] Updated spamassassin package fixes denial of service issue
Message-ID: <200409301453.i8UErea13149@lacrosse.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------
Red Hat Security Advisory

Synopsis: Updated spamassassin package fixes denial of service issue
Advisory ID: RHSA-2004:451-01
Issue date: 2004-09-30
Updated on: 2004-09-30
Product: Red Hat Enterprise Linux
CVE Names: CAN-2004-0796
- ---------------------------------------------------------------------

1. Summary:

An updated spamassassin package that fixes a denial of service bug when parsing malformed messages is now available.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64

3. Problem description:

SpamAssassin provides a way to reduce unsolicited commercial email (SPAM) from incoming email.

A denial of service bug has been found in SpamAssassin versions below 2.64. A malicious attacker could construct a message in such a way that would cause spamassassin to stop responding, potentially preventing the delivery or filtering of email. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0796 to this issue.

Users of SpamAssassin should update to these updated packages, which contain a backported patch and are not vulnerable to this issue.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

Use Red Hat Network to download and update your packages. To launch the Red Hat Update Agent, use the following command:

up2date

For information on how to install packages manually, refer to the following Web page for the System Administration or Customization guide specific to your system:
http://www.redhat.com/docs/manuals/enterprise/

5. Bug IDs fixed (http://bugzilla.redhat.com/ for more info):

129337 - CAN-2004-0796 DOS attack open to certain malformed messages

6. RPMs required:

Red Hat Enterprise Linux AS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/spamassassin-2.55-3.2.src.rpm
dc61064510ef1814b033366f15838f7d spamassassin-2.55-3.2.src.rpm

i386:
52dea7b072ab36c717be6fe70e8b72da spamassassin-2.55-3.2.i386.rpm

ia64:
a53253a30f1eac9bfa99cf48864fbea0 spamassassin-2.55-3.2.ia64.rpm

ppc:
f14d7231b8eeb09f44e6a7526d4dba4f spamassassin-2.55-3.2.ppc.rpm

s390:
a7fb9f360bffaa24ecd5da9b3406ba1a spamassassin-2.55-3.2.s390.rpm

s390x:
d259c8305d3661fe8137badccd4dee8c spamassassin-2.55-3.2.s390x.rpm

x86_64:
a49500110469d36992245f63ca0ba7ec spamassassin-2.55-3.2.x86_64.rpm

Red Hat Desktop version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/spamassassin-2.55-3.2.src.rpm
dc61064510ef1814b033366f15838f7d spamassassin-2.55-3.2.src.rpm

i386:
52dea7b072ab36c717be6fe70e8b72da spamassassin-2.55-3.2.i386.rpm

x86_64:
a49500110469d36992245f63ca0ba7ec spamassassin-2.55-3.2.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/spamassassin-2.55-3.2.src.rpm
dc61064510ef1814b033366f15838f7d spamassassin-2.55-3.2.src.rpm

i386:
52dea7b072ab36c717be6fe70e8b72da spamassassin-2.55-3.2.i386.rpm

ia64:
a53253a30f1eac9bfa99cf48864fbea0 spamassassin-2.55-3.2.ia64.rpm

x86_64:
a49500110469d36992245f63ca0ba7ec spamassassin-2.55-3.2.x86_64.rpm

Red Hat Enterprise Linux WS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/spamassassin-2.55-3.2.src.rpm
dc61064510ef1814b033366f15838f7d spamassassin-2.55-3.2.src.rpm

i386:
52dea7b072ab36c717be6fe70e8b72da spamassassin-2.55-3.2.i386.rpm

ia64:
a53253a30f1eac9bfa99cf48864fbea0 spamassassin-2.55-3.2.ia64.rpm

x86_64:
a49500110469d36992245f63ca0ba7ec spamassassin-2.55-3.2.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from
https://www.redhat.com/security/team/key.html#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0796

8. Contact:

The Red Hat security contact is . More contact details at
https://www.redhat.com/security/team/contact.html

Copyright 2004 Red Hat, Inc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBXB3wXlSAg2UNWIIRAo8JAJ4uF5p97GxC+u/Be7qpxO1nE4cKeACfY1uV
pkrMySxxH0wsS0LnVLAdEwE=
=hT7f
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Sep 30 14:54:00 2004
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 30 Sep 2004 10:54 -0400
Subject: [RHSA-2004:462-01] Updated squid package fixes security vulnerability
Message-ID: <200409301454.i8UEs3a13185@lacrosse.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------
Red Hat Security Advisory

Synopsis: Updated squid package fixes security vulnerability
Advisory ID: RHSA-2004:462-01
Issue date: 2004-09-30
Updated on: 2004-09-30
Product: Red Hat Enterprise Linux
CVE Names: CAN-2004-0832
- ---------------------------------------------------------------------

1. Summary:

An updated squid package that fixes a security vulnerability in the NTLM authentication helper is now available.

2.
Relevant releases/architectures:

Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64

3. Problem description:

Squid is a full-featured Web proxy cache.

An out of bounds memory read bug was found within the NTLM authentication helper routine. If Squid is configured to use the NTLM authentication helper, a remote attacker could send a carefully crafted NTLM authentication packet and cause Squid to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0832 to this issue.

Note: The NTLM authentication helper is not enabled by default in Red Hat Enterprise Linux 3. Red Hat Enterprise Linux 2.1 is not vulnerable to this issue as it shipped with a version of Squid which did not contain the vulnerable helper.

Users of Squid should update to this erratum package, which contains a backported patch and is not vulnerable to this issue.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

Use Red Hat Network to download and update your packages. To launch the Red Hat Update Agent, use the following command:

up2date

For information on how to install packages manually, refer to the following Web page for the System Administration or Customization guide specific to your system:
http://www.redhat.com/docs/manuals/enterprise/

5. Bug IDs fixed (http://bugzilla.redhat.com/ for more info):

131750 - CAN-2004-0832 Certain malformed NTLMSSP packets could crash the NTLM helpers provided by Squid

6. RPMs required:

Red Hat Enterprise Linux AS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/squid-2.5.STABLE3-6.3E.1.src.rpm
319a574d8ab2d7e1bfa454055f3f1933 squid-2.5.STABLE3-6.3E.1.src.rpm

i386:
3b46288783aacdd9842d43f221201c44 squid-2.5.STABLE3-6.3E.1.i386.rpm

ia64:
e92e66c250e34497a397c53c33ae1c2b squid-2.5.STABLE3-6.3E.1.ia64.rpm

ppc:
726578556b36bb263526841add7dd9a2 squid-2.5.STABLE3-6.3E.1.ppc.rpm

s390:
ce1c585636cfe7843f9188f283533800 squid-2.5.STABLE3-6.3E.1.s390.rpm

s390x:
cd974ecba26d90d98a145e9813221dfb squid-2.5.STABLE3-6.3E.1.s390x.rpm

x86_64:
0c63d4747a0e6848cd69259b6e7648dd squid-2.5.STABLE3-6.3E.1.x86_64.rpm

Red Hat Desktop version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/squid-2.5.STABLE3-6.3E.1.src.rpm
319a574d8ab2d7e1bfa454055f3f1933 squid-2.5.STABLE3-6.3E.1.src.rpm

i386:
3b46288783aacdd9842d43f221201c44 squid-2.5.STABLE3-6.3E.1.i386.rpm

x86_64:
0c63d4747a0e6848cd69259b6e7648dd squid-2.5.STABLE3-6.3E.1.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/squid-2.5.STABLE3-6.3E.1.src.rpm
319a574d8ab2d7e1bfa454055f3f1933 squid-2.5.STABLE3-6.3E.1.src.rpm

i386:
3b46288783aacdd9842d43f221201c44 squid-2.5.STABLE3-6.3E.1.i386.rpm

ia64:
e92e66c250e34497a397c53c33ae1c2b squid-2.5.STABLE3-6.3E.1.ia64.rpm

x86_64:
0c63d4747a0e6848cd69259b6e7648dd squid-2.5.STABLE3-6.3E.1.x86_64.rpm

Red Hat Enterprise Linux WS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/squid-2.5.STABLE3-6.3E.1.src.rpm
319a574d8ab2d7e1bfa454055f3f1933 squid-2.5.STABLE3-6.3E.1.src.rpm

i386:
3b46288783aacdd9842d43f221201c44 squid-2.5.STABLE3-6.3E.1.i386.rpm

ia64:
e92e66c250e34497a397c53c33ae1c2b squid-2.5.STABLE3-6.3E.1.ia64.rpm

x86_64:
0c63d4747a0e6848cd69259b6e7648dd squid-2.5.STABLE3-6.3E.1.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from
https://www.redhat.com/security/team/key.html#package

7. References:

http://www.squid-cache.org/bugs/show_bug.cgi?id=1045
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0832

8. Contact:

The Red Hat security contact is . More contact details at
https://www.redhat.com/security/team/contact.html

Copyright 2004 Red Hat, Inc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBXB3/XlSAg2UNWIIRAv+0AKCCo4giuS0f4+08gpTrkQf1Tq5hGACePATc
WS+U3uPqlRwelHaCy3CGGYU=
=Dg9j
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Sep 30 14:54:00 2004
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 30 Sep 2004 10:54 -0400
Subject: [RHSA-2004:486-01] Updated mozilla packages fix security issues
Message-ID: <200409301454.i8UEsIa13199@lacrosse.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------
Red Hat Security Advisory

Synopsis: Updated mozilla packages fix security issues
Advisory ID: RHSA-2004:486-01
Issue date: 2004-09-30
Updated on: 2004-09-30
Product: Red Hat Enterprise Linux
CVE Names: CAN-2004-0902 CAN-2004-0903 CAN-2004-0904 CAN-2004-0905 CAN-2004-0908
- ---------------------------------------------------------------------

1. Summary:

Updated mozilla packages that fix a number of security issues are now available.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64
Red Hat Linux Advanced Workstation 2.1 - ia64
Red Hat Enterprise Linux ES version 2.1 - i386
Red Hat Enterprise Linux WS version 2.1 - i386
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64

3.
Problem description:

Mozilla is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor.

Jesse Ruderman discovered a cross-domain scripting bug in Mozilla. If a user is tricked into dragging a javascript link into another frame or page, it becomes possible for an attacker to steal or modify sensitive information from that site. Additionally, if a user is tricked into dragging two links in sequence to another window (not frame), it is possible for the attacker to execute arbitrary commands. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0905 to this issue.

Gael Delalleau discovered an integer overflow which affects the BMP handling code inside Mozilla. An attacker could create a carefully crafted BMP file in such a way that it would cause Mozilla to crash or execute arbitrary code when the image is viewed. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0904 to this issue.

Georgi Guninski discovered a stack-based buffer overflow in the vCard display routines. An attacker could create a carefully crafted vCard file in such a way that it would cause Mozilla to crash or execute arbitrary code when viewed. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0903 to this issue.

Wladimir Palant discovered a flaw in the way javascript interacts with the clipboard. It is possible that an attacker could use malicious javascript code to steal sensitive data which has been copied into the clipboard. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0908 to this issue.

Georgi Guninski discovered a heap-based buffer overflow in the "Send Page" feature. It is possible that an attacker could construct a link in such a way that a user attempting to forward it could result in a crash or arbitrary code execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0902 to this issue.

Users of Mozilla should update to these updated packages, which contain backported patches and are not vulnerable to these issues.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

Use Red Hat Network to download and update your packages. To launch the Red Hat Update Agent, use the following command:

up2date

For information on how to install packages manually, refer to the following Web page for the System Administration or Customization guide specific to your system:
http://www.redhat.com/docs/manuals/enterprise/

5. Bug IDs fixed (http://bugzilla.redhat.com/ for more info):

133023 - CAN-2004-0902 "send page" heap based buffer overflow
133024 - CAN-2004-0902 "send page" heap based buffer overflow
133022 - CAN-2004-0908 javascript clipboard information leakage
133021 - CAN-2004-0908 javascript clipboard information leakage
133017 - CAN-2004-0903 VCard buffer overflow
133016 - CAN-2004-0903 VCard buffer overflow
133015 - CAN-2004-0904 BMP integer overflows
133014 - CAN-2004-0904 BMP integer overflows
133013 - CAN-2004-0905 javascript link dragging information leak
133012 - CAN-2004-0905 javascript link dragging information leak

6.
RPMs required:
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key.html#package

7. References:

http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.3
http://secunia.com/advisories/12526/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0902
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0903
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0904
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0905
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0908

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact.html

Copyright 2004 Red Hat, Inc.