From bugzilla at redhat.com Thu Dec 4 16:56:04 2008
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 4 Dec 2008 11:56:04 -0500
Subject: [RHSA-2008:0981-02] Moderate: ruby security update
Message-ID: <200812041656.mB4Gu4Xt013785@int-mx1.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: ruby security update
Advisory ID:       RHSA-2008:0981-02
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2008-0981.html
Issue date:        2008-12-04
CVE Names:         CVE-2008-4310
=====================================================================

1. Summary:

Updated ruby packages that fix a security issue are now available for
Red Hat Enterprise Linux 4 and 5.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64

3. Description:

Ruby is an extensible, interpreted, object-oriented scripting language. It
has features to process text files and to do system management tasks.

Vincent Danen reported that Red Hat Security Advisory RHSA-2008:0897 did
not properly address a denial of service flaw in WEBrick (the Ruby HTTP
server toolkit), known as CVE-2008-3656. This flaw allowed a remote
attacker to send a specially-crafted HTTP request to a WEBrick server that
would cause the server to use excessive CPU time. Systems that installed
the packages from RHSA-2008:0897 therefore remain exposed to the
CVE-2008-3656 denial of service until this update is applied. This update
properly addresses this flaw. (CVE-2008-4310)

All Ruby users should upgrade to these updated packages, which contain a
correct patch that resolves this issue.

4. Solution:

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

5. Bugs fixed (http://bugzilla.redhat.com/):

470252 - CVE-2008-4310 ruby: Incomplete fix for CVE-2008-3656

6. Package List:

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/ruby-1.8.1-7.el4_7.2.src.rpm

i386:
irb-1.8.1-7.el4_7.2.i386.rpm
ruby-1.8.1-7.el4_7.2.i386.rpm
ruby-debuginfo-1.8.1-7.el4_7.2.i386.rpm
ruby-devel-1.8.1-7.el4_7.2.i386.rpm
ruby-docs-1.8.1-7.el4_7.2.i386.rpm
ruby-libs-1.8.1-7.el4_7.2.i386.rpm
ruby-mode-1.8.1-7.el4_7.2.i386.rpm
ruby-tcltk-1.8.1-7.el4_7.2.i386.rpm

ia64:
irb-1.8.1-7.el4_7.2.ia64.rpm
ruby-1.8.1-7.el4_7.2.ia64.rpm
ruby-debuginfo-1.8.1-7.el4_7.2.i386.rpm
ruby-debuginfo-1.8.1-7.el4_7.2.ia64.rpm
ruby-devel-1.8.1-7.el4_7.2.ia64.rpm
ruby-docs-1.8.1-7.el4_7.2.ia64.rpm
ruby-libs-1.8.1-7.el4_7.2.i386.rpm
ruby-libs-1.8.1-7.el4_7.2.ia64.rpm
ruby-mode-1.8.1-7.el4_7.2.ia64.rpm
ruby-tcltk-1.8.1-7.el4_7.2.ia64.rpm

ppc:
irb-1.8.1-7.el4_7.2.ppc.rpm
ruby-1.8.1-7.el4_7.2.ppc.rpm
ruby-debuginfo-1.8.1-7.el4_7.2.ppc.rpm
ruby-debuginfo-1.8.1-7.el4_7.2.ppc64.rpm
ruby-devel-1.8.1-7.el4_7.2.ppc.rpm
ruby-docs-1.8.1-7.el4_7.2.ppc.rpm
ruby-libs-1.8.1-7.el4_7.2.ppc.rpm
ruby-libs-1.8.1-7.el4_7.2.ppc64.rpm
ruby-mode-1.8.1-7.el4_7.2.ppc.rpm
ruby-tcltk-1.8.1-7.el4_7.2.ppc.rpm

s390:
irb-1.8.1-7.el4_7.2.s390.rpm
ruby-1.8.1-7.el4_7.2.s390.rpm
ruby-debuginfo-1.8.1-7.el4_7.2.s390.rpm
ruby-devel-1.8.1-7.el4_7.2.s390.rpm
ruby-docs-1.8.1-7.el4_7.2.s390.rpm
ruby-libs-1.8.1-7.el4_7.2.s390.rpm
ruby-mode-1.8.1-7.el4_7.2.s390.rpm
ruby-tcltk-1.8.1-7.el4_7.2.s390.rpm

s390x:
irb-1.8.1-7.el4_7.2.s390x.rpm
ruby-1.8.1-7.el4_7.2.s390x.rpm
ruby-debuginfo-1.8.1-7.el4_7.2.s390.rpm
ruby-debuginfo-1.8.1-7.el4_7.2.s390x.rpm
ruby-devel-1.8.1-7.el4_7.2.s390x.rpm
ruby-docs-1.8.1-7.el4_7.2.s390x.rpm
ruby-libs-1.8.1-7.el4_7.2.s390.rpm
ruby-libs-1.8.1-7.el4_7.2.s390x.rpm
ruby-mode-1.8.1-7.el4_7.2.s390x.rpm
ruby-tcltk-1.8.1-7.el4_7.2.s390x.rpm

x86_64:
irb-1.8.1-7.el4_7.2.x86_64.rpm
ruby-1.8.1-7.el4_7.2.x86_64.rpm
ruby-debuginfo-1.8.1-7.el4_7.2.i386.rpm
ruby-debuginfo-1.8.1-7.el4_7.2.x86_64.rpm
ruby-devel-1.8.1-7.el4_7.2.x86_64.rpm
ruby-docs-1.8.1-7.el4_7.2.x86_64.rpm
ruby-libs-1.8.1-7.el4_7.2.i386.rpm
ruby-libs-1.8.1-7.el4_7.2.x86_64.rpm
ruby-mode-1.8.1-7.el4_7.2.x86_64.rpm
ruby-tcltk-1.8.1-7.el4_7.2.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/ruby-1.8.1-7.el4_7.2.src.rpm

i386:
irb-1.8.1-7.el4_7.2.i386.rpm
ruby-1.8.1-7.el4_7.2.i386.rpm
ruby-debuginfo-1.8.1-7.el4_7.2.i386.rpm
ruby-devel-1.8.1-7.el4_7.2.i386.rpm
ruby-docs-1.8.1-7.el4_7.2.i386.rpm
ruby-libs-1.8.1-7.el4_7.2.i386.rpm
ruby-mode-1.8.1-7.el4_7.2.i386.rpm
ruby-tcltk-1.8.1-7.el4_7.2.i386.rpm

x86_64:
irb-1.8.1-7.el4_7.2.x86_64.rpm
ruby-1.8.1-7.el4_7.2.x86_64.rpm
ruby-debuginfo-1.8.1-7.el4_7.2.i386.rpm
ruby-debuginfo-1.8.1-7.el4_7.2.x86_64.rpm
ruby-devel-1.8.1-7.el4_7.2.x86_64.rpm
ruby-docs-1.8.1-7.el4_7.2.x86_64.rpm
ruby-libs-1.8.1-7.el4_7.2.i386.rpm
ruby-libs-1.8.1-7.el4_7.2.x86_64.rpm
ruby-mode-1.8.1-7.el4_7.2.x86_64.rpm
ruby-tcltk-1.8.1-7.el4_7.2.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/ruby-1.8.1-7.el4_7.2.src.rpm

i386:
irb-1.8.1-7.el4_7.2.i386.rpm
ruby-1.8.1-7.el4_7.2.i386.rpm
ruby-debuginfo-1.8.1-7.el4_7.2.i386.rpm
ruby-devel-1.8.1-7.el4_7.2.i386.rpm
ruby-docs-1.8.1-7.el4_7.2.i386.rpm
ruby-libs-1.8.1-7.el4_7.2.i386.rpm
ruby-mode-1.8.1-7.el4_7.2.i386.rpm
ruby-tcltk-1.8.1-7.el4_7.2.i386.rpm

ia64:
irb-1.8.1-7.el4_7.2.ia64.rpm
ruby-1.8.1-7.el4_7.2.ia64.rpm
ruby-debuginfo-1.8.1-7.el4_7.2.i386.rpm
ruby-debuginfo-1.8.1-7.el4_7.2.ia64.rpm
ruby-devel-1.8.1-7.el4_7.2.ia64.rpm
ruby-docs-1.8.1-7.el4_7.2.ia64.rpm
ruby-libs-1.8.1-7.el4_7.2.i386.rpm
ruby-libs-1.8.1-7.el4_7.2.ia64.rpm
ruby-mode-1.8.1-7.el4_7.2.ia64.rpm
ruby-tcltk-1.8.1-7.el4_7.2.ia64.rpm

x86_64:
irb-1.8.1-7.el4_7.2.x86_64.rpm
ruby-1.8.1-7.el4_7.2.x86_64.rpm
ruby-debuginfo-1.8.1-7.el4_7.2.i386.rpm
ruby-debuginfo-1.8.1-7.el4_7.2.x86_64.rpm
ruby-devel-1.8.1-7.el4_7.2.x86_64.rpm
ruby-docs-1.8.1-7.el4_7.2.x86_64.rpm
ruby-libs-1.8.1-7.el4_7.2.i386.rpm
ruby-libs-1.8.1-7.el4_7.2.x86_64.rpm
ruby-mode-1.8.1-7.el4_7.2.x86_64.rpm
ruby-tcltk-1.8.1-7.el4_7.2.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/ruby-1.8.1-7.el4_7.2.src.rpm

i386:
irb-1.8.1-7.el4_7.2.i386.rpm
ruby-1.8.1-7.el4_7.2.i386.rpm
ruby-debuginfo-1.8.1-7.el4_7.2.i386.rpm
ruby-devel-1.8.1-7.el4_7.2.i386.rpm
ruby-docs-1.8.1-7.el4_7.2.i386.rpm
ruby-libs-1.8.1-7.el4_7.2.i386.rpm
ruby-mode-1.8.1-7.el4_7.2.i386.rpm
ruby-tcltk-1.8.1-7.el4_7.2.i386.rpm

ia64:
irb-1.8.1-7.el4_7.2.ia64.rpm
ruby-1.8.1-7.el4_7.2.ia64.rpm
ruby-debuginfo-1.8.1-7.el4_7.2.i386.rpm
ruby-debuginfo-1.8.1-7.el4_7.2.ia64.rpm
ruby-devel-1.8.1-7.el4_7.2.ia64.rpm
ruby-docs-1.8.1-7.el4_7.2.ia64.rpm
ruby-libs-1.8.1-7.el4_7.2.i386.rpm
ruby-libs-1.8.1-7.el4_7.2.ia64.rpm
ruby-mode-1.8.1-7.el4_7.2.ia64.rpm
ruby-tcltk-1.8.1-7.el4_7.2.ia64.rpm

x86_64:
irb-1.8.1-7.el4_7.2.x86_64.rpm
ruby-1.8.1-7.el4_7.2.x86_64.rpm
ruby-debuginfo-1.8.1-7.el4_7.2.i386.rpm
ruby-debuginfo-1.8.1-7.el4_7.2.x86_64.rpm
ruby-devel-1.8.1-7.el4_7.2.x86_64.rpm
ruby-docs-1.8.1-7.el4_7.2.x86_64.rpm
ruby-libs-1.8.1-7.el4_7.2.i386.rpm
ruby-libs-1.8.1-7.el4_7.2.x86_64.rpm
ruby-mode-1.8.1-7.el4_7.2.x86_64.rpm
ruby-tcltk-1.8.1-7.el4_7.2.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/ruby-1.8.5-5.el5_2.6.src.rpm

i386:
ruby-1.8.5-5.el5_2.6.i386.rpm
ruby-debuginfo-1.8.5-5.el5_2.6.i386.rpm
ruby-docs-1.8.5-5.el5_2.6.i386.rpm
ruby-irb-1.8.5-5.el5_2.6.i386.rpm
ruby-libs-1.8.5-5.el5_2.6.i386.rpm
ruby-rdoc-1.8.5-5.el5_2.6.i386.rpm
ruby-ri-1.8.5-5.el5_2.6.i386.rpm
ruby-tcltk-1.8.5-5.el5_2.6.i386.rpm

x86_64:
ruby-1.8.5-5.el5_2.6.x86_64.rpm
ruby-debuginfo-1.8.5-5.el5_2.6.i386.rpm
ruby-debuginfo-1.8.5-5.el5_2.6.x86_64.rpm
ruby-docs-1.8.5-5.el5_2.6.x86_64.rpm
ruby-irb-1.8.5-5.el5_2.6.x86_64.rpm
ruby-libs-1.8.5-5.el5_2.6.i386.rpm
ruby-libs-1.8.5-5.el5_2.6.x86_64.rpm
ruby-rdoc-1.8.5-5.el5_2.6.x86_64.rpm
ruby-ri-1.8.5-5.el5_2.6.x86_64.rpm
ruby-tcltk-1.8.5-5.el5_2.6.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/ruby-1.8.5-5.el5_2.6.src.rpm

i386:
ruby-debuginfo-1.8.5-5.el5_2.6.i386.rpm
ruby-devel-1.8.5-5.el5_2.6.i386.rpm
ruby-mode-1.8.5-5.el5_2.6.i386.rpm

x86_64:
ruby-debuginfo-1.8.5-5.el5_2.6.i386.rpm
ruby-debuginfo-1.8.5-5.el5_2.6.x86_64.rpm
ruby-devel-1.8.5-5.el5_2.6.i386.rpm
ruby-devel-1.8.5-5.el5_2.6.x86_64.rpm
ruby-mode-1.8.5-5.el5_2.6.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/ruby-1.8.5-5.el5_2.6.src.rpm

i386:
ruby-1.8.5-5.el5_2.6.i386.rpm
ruby-debuginfo-1.8.5-5.el5_2.6.i386.rpm
ruby-devel-1.8.5-5.el5_2.6.i386.rpm
ruby-docs-1.8.5-5.el5_2.6.i386.rpm
ruby-irb-1.8.5-5.el5_2.6.i386.rpm
ruby-libs-1.8.5-5.el5_2.6.i386.rpm
ruby-mode-1.8.5-5.el5_2.6.i386.rpm
ruby-rdoc-1.8.5-5.el5_2.6.i386.rpm
ruby-ri-1.8.5-5.el5_2.6.i386.rpm
ruby-tcltk-1.8.5-5.el5_2.6.i386.rpm

ia64:
ruby-1.8.5-5.el5_2.6.ia64.rpm
ruby-debuginfo-1.8.5-5.el5_2.6.ia64.rpm
ruby-devel-1.8.5-5.el5_2.6.ia64.rpm
ruby-docs-1.8.5-5.el5_2.6.ia64.rpm
ruby-irb-1.8.5-5.el5_2.6.ia64.rpm
ruby-libs-1.8.5-5.el5_2.6.ia64.rpm
ruby-mode-1.8.5-5.el5_2.6.ia64.rpm
ruby-rdoc-1.8.5-5.el5_2.6.ia64.rpm
ruby-ri-1.8.5-5.el5_2.6.ia64.rpm
ruby-tcltk-1.8.5-5.el5_2.6.ia64.rpm

ppc:
ruby-1.8.5-5.el5_2.6.ppc.rpm
ruby-debuginfo-1.8.5-5.el5_2.6.ppc.rpm
ruby-debuginfo-1.8.5-5.el5_2.6.ppc64.rpm
ruby-devel-1.8.5-5.el5_2.6.ppc.rpm
ruby-devel-1.8.5-5.el5_2.6.ppc64.rpm
ruby-docs-1.8.5-5.el5_2.6.ppc.rpm
ruby-irb-1.8.5-5.el5_2.6.ppc.rpm
ruby-libs-1.8.5-5.el5_2.6.ppc.rpm
ruby-libs-1.8.5-5.el5_2.6.ppc64.rpm
ruby-mode-1.8.5-5.el5_2.6.ppc.rpm
ruby-rdoc-1.8.5-5.el5_2.6.ppc.rpm
ruby-ri-1.8.5-5.el5_2.6.ppc.rpm
ruby-tcltk-1.8.5-5.el5_2.6.ppc.rpm

s390x:
ruby-1.8.5-5.el5_2.6.s390x.rpm
ruby-debuginfo-1.8.5-5.el5_2.6.s390.rpm
ruby-debuginfo-1.8.5-5.el5_2.6.s390x.rpm
ruby-devel-1.8.5-5.el5_2.6.s390.rpm
ruby-devel-1.8.5-5.el5_2.6.s390x.rpm
ruby-docs-1.8.5-5.el5_2.6.s390x.rpm
ruby-irb-1.8.5-5.el5_2.6.s390x.rpm
ruby-libs-1.8.5-5.el5_2.6.s390.rpm
ruby-libs-1.8.5-5.el5_2.6.s390x.rpm
ruby-mode-1.8.5-5.el5_2.6.s390x.rpm
ruby-rdoc-1.8.5-5.el5_2.6.s390x.rpm
ruby-ri-1.8.5-5.el5_2.6.s390x.rpm
ruby-tcltk-1.8.5-5.el5_2.6.s390x.rpm

x86_64:
ruby-1.8.5-5.el5_2.6.x86_64.rpm
ruby-debuginfo-1.8.5-5.el5_2.6.i386.rpm
ruby-debuginfo-1.8.5-5.el5_2.6.x86_64.rpm
ruby-devel-1.8.5-5.el5_2.6.i386.rpm
ruby-devel-1.8.5-5.el5_2.6.x86_64.rpm
ruby-docs-1.8.5-5.el5_2.6.x86_64.rpm
ruby-irb-1.8.5-5.el5_2.6.x86_64.rpm
ruby-libs-1.8.5-5.el5_2.6.i386.rpm
ruby-libs-1.8.5-5.el5_2.6.x86_64.rpm
ruby-mode-1.8.5-5.el5_2.6.x86_64.rpm
ruby-rdoc-1.8.5-5.el5_2.6.x86_64.rpm
ruby-ri-1.8.5-5.el5_2.6.x86_64.rpm
ruby-tcltk-1.8.5-5.el5_2.6.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4310
http://www.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at
https://www.redhat.com/security/team/contact/

Copyright 2008 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFJOAuiXlSAg2UNWIIRAofjAKDBjkWoNL5bsOyv1CABbHcNARiUQQCgvDlP
NKKD/XIhvQhKtU7r9bbL4o4=
=vyUt
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Dec 4 16:56:13 2008
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 4 Dec 2008 11:56:13 -0500
Subject: [RHSA-2008:1018-01] Critical: java-1.6.0-sun security update
Message-ID: <200812041656.mB4GuDJR013965@int-mx1.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: java-1.6.0-sun security update
Advisory ID:       RHSA-2008:1018-01
Product:           Red Hat Enterprise Linux Extras
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2008-1018.html
Issue date:        2008-12-04
CVE Names:         CVE-2008-2086
=====================================================================

1. Summary:

Updated java-1.6.0-sun packages that correct several security issues are
now available for Red Hat Enterprise Linux 4 Extras and 5 Supplementary.

This update has been rated as having critical security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 Extras - i386, x86_64
Red Hat Desktop version 4 Extras - i386, x86_64
Red Hat Enterprise Linux ES version 4 Extras - i386, x86_64
Red Hat Enterprise Linux WS version 4 Extras - i386, x86_64
RHEL Desktop Supplementary (v. 5 client) - i386, x86_64
RHEL Supplementary (v. 5 server) - i386, x86_64

3. Description:

The Java Runtime Environment (JRE) contains the software and tools that
users need to run applets and applications written using the Java
programming language.

A vulnerability was found in Java Web Start. If a user visits a malicious
website, an attacker could misuse this flaw to execute arbitrary code.
(CVE-2008-2086)

Additionally, these packages fix several other critical vulnerabilities.
These are summarized in the "Advance notification of Security Updates for
Java SE" from Sun Microsystems.

Users of java-1.6.0-sun should upgrade to these updated packages, which
correct these issues.

4. Solution:

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

5. Package List:

Red Hat Enterprise Linux AS version 4 Extras:

i386:
java-1.6.0-sun-1.6.0.11-1jpp.1.el4.i586.rpm
java-1.6.0-sun-demo-1.6.0.11-1jpp.1.el4.i586.rpm
java-1.6.0-sun-devel-1.6.0.11-1jpp.1.el4.i586.rpm
java-1.6.0-sun-jdbc-1.6.0.11-1jpp.1.el4.i586.rpm
java-1.6.0-sun-plugin-1.6.0.11-1jpp.1.el4.i586.rpm
java-1.6.0-sun-src-1.6.0.11-1jpp.1.el4.i586.rpm

x86_64:
java-1.6.0-sun-1.6.0.11-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.11-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.11-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.11-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-src-1.6.0.11-1jpp.1.el4.x86_64.rpm

Red Hat Desktop version 4 Extras:

i386:
java-1.6.0-sun-1.6.0.11-1jpp.1.el4.i586.rpm
java-1.6.0-sun-demo-1.6.0.11-1jpp.1.el4.i586.rpm
java-1.6.0-sun-devel-1.6.0.11-1jpp.1.el4.i586.rpm
java-1.6.0-sun-jdbc-1.6.0.11-1jpp.1.el4.i586.rpm
java-1.6.0-sun-plugin-1.6.0.11-1jpp.1.el4.i586.rpm
java-1.6.0-sun-src-1.6.0.11-1jpp.1.el4.i586.rpm

x86_64:
java-1.6.0-sun-1.6.0.11-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.11-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.11-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.11-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-src-1.6.0.11-1jpp.1.el4.x86_64.rpm

Red Hat Enterprise Linux ES version 4 Extras:

i386:
java-1.6.0-sun-1.6.0.11-1jpp.1.el4.i586.rpm
java-1.6.0-sun-demo-1.6.0.11-1jpp.1.el4.i586.rpm
java-1.6.0-sun-devel-1.6.0.11-1jpp.1.el4.i586.rpm
java-1.6.0-sun-jdbc-1.6.0.11-1jpp.1.el4.i586.rpm
java-1.6.0-sun-plugin-1.6.0.11-1jpp.1.el4.i586.rpm
java-1.6.0-sun-src-1.6.0.11-1jpp.1.el4.i586.rpm

x86_64:
java-1.6.0-sun-1.6.0.11-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.11-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.11-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.11-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-src-1.6.0.11-1jpp.1.el4.x86_64.rpm

Red Hat Enterprise Linux WS version 4 Extras:

i386:
java-1.6.0-sun-1.6.0.11-1jpp.1.el4.i586.rpm
java-1.6.0-sun-demo-1.6.0.11-1jpp.1.el4.i586.rpm
java-1.6.0-sun-devel-1.6.0.11-1jpp.1.el4.i586.rpm
java-1.6.0-sun-jdbc-1.6.0.11-1jpp.1.el4.i586.rpm
java-1.6.0-sun-plugin-1.6.0.11-1jpp.1.el4.i586.rpm
java-1.6.0-sun-src-1.6.0.11-1jpp.1.el4.i586.rpm

x86_64:
java-1.6.0-sun-1.6.0.11-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.11-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.11-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.11-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-src-1.6.0.11-1jpp.1.el4.x86_64.rpm

RHEL Desktop Supplementary (v. 5 client):

i386:
java-1.6.0-sun-1.6.0.11-1jpp.1.el5.i586.rpm
java-1.6.0-sun-demo-1.6.0.11-1jpp.1.el5.i586.rpm
java-1.6.0-sun-devel-1.6.0.11-1jpp.1.el5.i586.rpm
java-1.6.0-sun-jdbc-1.6.0.11-1jpp.1.el5.i586.rpm
java-1.6.0-sun-plugin-1.6.0.11-1jpp.1.el5.i586.rpm
java-1.6.0-sun-src-1.6.0.11-1jpp.1.el5.i586.rpm

x86_64:
java-1.6.0-sun-1.6.0.11-1jpp.1.el5.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.11-1jpp.1.el5.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.11-1jpp.1.el5.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.11-1jpp.1.el5.x86_64.rpm
java-1.6.0-sun-plugin-1.6.0.11-1jpp.1.el5.i586.rpm
java-1.6.0-sun-src-1.6.0.11-1jpp.1.el5.x86_64.rpm

RHEL Supplementary (v. 5 server):

i386:
java-1.6.0-sun-1.6.0.11-1jpp.1.el5.i586.rpm
java-1.6.0-sun-demo-1.6.0.11-1jpp.1.el5.i586.rpm
java-1.6.0-sun-devel-1.6.0.11-1jpp.1.el5.i586.rpm
java-1.6.0-sun-jdbc-1.6.0.11-1jpp.1.el5.i586.rpm
java-1.6.0-sun-plugin-1.6.0.11-1jpp.1.el5.i586.rpm
java-1.6.0-sun-src-1.6.0.11-1jpp.1.el5.i586.rpm

x86_64:
java-1.6.0-sun-1.6.0.11-1jpp.1.el5.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.11-1jpp.1.el5.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.11-1jpp.1.el5.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.11-1jpp.1.el5.x86_64.rpm
java-1.6.0-sun-plugin-1.6.0.11-1jpp.1.el5.i586.rpm
java-1.6.0-sun-src-1.6.0.11-1jpp.1.el5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

6. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2086
http://www.redhat.com/security/updates/classification/#critical
http://blogs.sun.com/security/entry/advance_notification_of_security_updates3

7. Contact:

The Red Hat security contact is . More contact details at
https://www.redhat.com/security/team/contact/

Copyright 2008 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFJOAusXlSAg2UNWIIRAoRbAJ9by81uvCDhJypmcz0PPkdh83oPpwCggmNd
FaHEy+hvADpQv7NeAIQH/fg=
=ubuU
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Dec 4 16:56:27 2008
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 4 Dec 2008 11:56:27 -0500
Subject: [RHSA-2008:1025-01] Critical: java-1.5.0-sun security update
Message-ID: <200812041656.mB4GuRuU014130@int-mx1.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: java-1.5.0-sun security update
Advisory ID:       RHSA-2008:1025-01
Product:           Red Hat Enterprise Linux Extras
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2008-1025.html
Issue date:        2008-12-04
CVE Names:         CVE-2008-2086
=====================================================================

1. Summary:

Updated java-1.5.0-sun packages that correct several security issues are
now available for Red Hat Enterprise Linux 4 Extras and 5 Supplementary.

This update has been rated as having critical security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 Extras - i386, x86_64
Red Hat Desktop version 4 Extras - i386, x86_64
Red Hat Enterprise Linux ES version 4 Extras - i386, x86_64
Red Hat Enterprise Linux WS version 4 Extras - i386, x86_64
RHEL Desktop Supplementary (v. 5 client) - i386, x86_64
RHEL Supplementary (v. 5 server) - i386, x86_64

3. Description:

The Java Runtime Environment (JRE) contains the software and tools that
users need to run applets and applications written using the Java
programming language.

A vulnerability was found in Java Web Start. If a user visits a malicious
website, an attacker could misuse this flaw to execute arbitrary code.
(CVE-2008-2086)

Additionally, these packages fix several other vulnerabilities. These are
summarized in the "Advance notification of Security Updates for Java SE"
from Sun Microsystems.

Users of java-1.5.0-sun should upgrade to these updated packages, which
correct these issues.

4. Solution:

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

5. Package List:

Red Hat Enterprise Linux AS version 4 Extras:

i386:
java-1.5.0-sun-1.5.0.17-1jpp.2.el4.i586.rpm
java-1.5.0-sun-demo-1.5.0.17-1jpp.2.el4.i586.rpm
java-1.5.0-sun-devel-1.5.0.17-1jpp.2.el4.i586.rpm
java-1.5.0-sun-jdbc-1.5.0.17-1jpp.2.el4.i586.rpm
java-1.5.0-sun-plugin-1.5.0.17-1jpp.2.el4.i586.rpm
java-1.5.0-sun-src-1.5.0.17-1jpp.2.el4.i586.rpm

x86_64:
java-1.5.0-sun-1.5.0.17-1jpp.2.el4.x86_64.rpm
java-1.5.0-sun-demo-1.5.0.17-1jpp.2.el4.x86_64.rpm
java-1.5.0-sun-devel-1.5.0.17-1jpp.2.el4.x86_64.rpm
java-1.5.0-sun-jdbc-1.5.0.17-1jpp.2.el4.x86_64.rpm
java-1.5.0-sun-src-1.5.0.17-1jpp.2.el4.x86_64.rpm

Red Hat Desktop version 4 Extras:

i386:
java-1.5.0-sun-1.5.0.17-1jpp.2.el4.i586.rpm
java-1.5.0-sun-demo-1.5.0.17-1jpp.2.el4.i586.rpm
java-1.5.0-sun-devel-1.5.0.17-1jpp.2.el4.i586.rpm
java-1.5.0-sun-jdbc-1.5.0.17-1jpp.2.el4.i586.rpm
java-1.5.0-sun-plugin-1.5.0.17-1jpp.2.el4.i586.rpm
java-1.5.0-sun-src-1.5.0.17-1jpp.2.el4.i586.rpm

x86_64:
java-1.5.0-sun-1.5.0.17-1jpp.2.el4.x86_64.rpm
java-1.5.0-sun-demo-1.5.0.17-1jpp.2.el4.x86_64.rpm
java-1.5.0-sun-devel-1.5.0.17-1jpp.2.el4.x86_64.rpm
java-1.5.0-sun-jdbc-1.5.0.17-1jpp.2.el4.x86_64.rpm
java-1.5.0-sun-src-1.5.0.17-1jpp.2.el4.x86_64.rpm

Red Hat Enterprise Linux ES version 4 Extras:

i386:
java-1.5.0-sun-1.5.0.17-1jpp.2.el4.i586.rpm
java-1.5.0-sun-demo-1.5.0.17-1jpp.2.el4.i586.rpm
java-1.5.0-sun-devel-1.5.0.17-1jpp.2.el4.i586.rpm
java-1.5.0-sun-jdbc-1.5.0.17-1jpp.2.el4.i586.rpm
java-1.5.0-sun-plugin-1.5.0.17-1jpp.2.el4.i586.rpm
java-1.5.0-sun-src-1.5.0.17-1jpp.2.el4.i586.rpm

x86_64:
java-1.5.0-sun-1.5.0.17-1jpp.2.el4.x86_64.rpm
java-1.5.0-sun-demo-1.5.0.17-1jpp.2.el4.x86_64.rpm
java-1.5.0-sun-devel-1.5.0.17-1jpp.2.el4.x86_64.rpm
java-1.5.0-sun-jdbc-1.5.0.17-1jpp.2.el4.x86_64.rpm
java-1.5.0-sun-src-1.5.0.17-1jpp.2.el4.x86_64.rpm

Red Hat Enterprise Linux WS version 4 Extras:

i386:
java-1.5.0-sun-1.5.0.17-1jpp.2.el4.i586.rpm
java-1.5.0-sun-demo-1.5.0.17-1jpp.2.el4.i586.rpm
java-1.5.0-sun-devel-1.5.0.17-1jpp.2.el4.i586.rpm
java-1.5.0-sun-jdbc-1.5.0.17-1jpp.2.el4.i586.rpm
java-1.5.0-sun-plugin-1.5.0.17-1jpp.2.el4.i586.rpm
java-1.5.0-sun-src-1.5.0.17-1jpp.2.el4.i586.rpm

x86_64:
java-1.5.0-sun-1.5.0.17-1jpp.2.el4.x86_64.rpm
java-1.5.0-sun-demo-1.5.0.17-1jpp.2.el4.x86_64.rpm
java-1.5.0-sun-devel-1.5.0.17-1jpp.2.el4.x86_64.rpm
java-1.5.0-sun-jdbc-1.5.0.17-1jpp.2.el4.x86_64.rpm
java-1.5.0-sun-src-1.5.0.17-1jpp.2.el4.x86_64.rpm

RHEL Desktop Supplementary (v. 5 client):

i386:
java-1.5.0-sun-1.5.0.17-1jpp.2.el5.i586.rpm
java-1.5.0-sun-demo-1.5.0.17-1jpp.2.el5.i586.rpm
java-1.5.0-sun-devel-1.5.0.17-1jpp.2.el5.i586.rpm
java-1.5.0-sun-jdbc-1.5.0.17-1jpp.2.el5.i586.rpm
java-1.5.0-sun-plugin-1.5.0.17-1jpp.2.el5.i586.rpm
java-1.5.0-sun-src-1.5.0.17-1jpp.2.el5.i586.rpm

x86_64:
java-1.5.0-sun-1.5.0.17-1jpp.2.el5.x86_64.rpm
java-1.5.0-sun-demo-1.5.0.17-1jpp.2.el5.x86_64.rpm
java-1.5.0-sun-devel-1.5.0.17-1jpp.2.el5.x86_64.rpm
java-1.5.0-sun-jdbc-1.5.0.17-1jpp.2.el5.x86_64.rpm
java-1.5.0-sun-plugin-1.5.0.17-1jpp.2.el5.i586.rpm
java-1.5.0-sun-src-1.5.0.17-1jpp.2.el5.x86_64.rpm

RHEL Supplementary (v. 5 server):

i386:
java-1.5.0-sun-1.5.0.17-1jpp.2.el5.i586.rpm
java-1.5.0-sun-demo-1.5.0.17-1jpp.2.el5.i586.rpm
java-1.5.0-sun-devel-1.5.0.17-1jpp.2.el5.i586.rpm
java-1.5.0-sun-jdbc-1.5.0.17-1jpp.2.el5.i586.rpm
java-1.5.0-sun-plugin-1.5.0.17-1jpp.2.el5.i586.rpm
java-1.5.0-sun-src-1.5.0.17-1jpp.2.el5.i586.rpm

x86_64:
java-1.5.0-sun-1.5.0.17-1jpp.2.el5.x86_64.rpm
java-1.5.0-sun-demo-1.5.0.17-1jpp.2.el5.x86_64.rpm
java-1.5.0-sun-devel-1.5.0.17-1jpp.2.el5.x86_64.rpm
java-1.5.0-sun-jdbc-1.5.0.17-1jpp.2.el5.x86_64.rpm
java-1.5.0-sun-plugin-1.5.0.17-1jpp.2.el5.i586.rpm
java-1.5.0-sun-src-1.5.0.17-1jpp.2.el5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

6. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2086
http://www.redhat.com/security/updates/classification/#critical
http://blogs.sun.com/security/entry/advance_notification_of_security_updates3

7. Contact:

The Red Hat security contact is . More contact details at
https://www.redhat.com/security/team/contact/

Copyright 2008 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFJOAu0XlSAg2UNWIIRAozLAKCvUcyY0mUPpKIHWwpCQaZVuFJPfACeLm4s
rWtAWSHekZoqSiZ9eq0tiWg=
=YCTd
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Dec 4 19:57:45 2008
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 4 Dec 2008 14:57:45 -0500
Subject: [RHSA-2008:0966-02] Moderate: Red Hat Application Stack v2.2 security and enhancement update
Message-ID: <200812041957.mB4Jvj0S011726@int-mx1.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat Application Stack v2.2 security and enhancement update
Advisory ID:       RHSA-2008:0966-02
Product:           Red Hat Application Stack
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2008-0966.html
Issue date:        2008-12-04
CVE Names:         CVE-2007-6420 CVE-2008-2364 CVE-2008-2939
=====================================================================

1. Summary:

Red Hat Application Stack v2.2 is now available. This update fixes several
security issues and adds various enhancements.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Application Stack v2 for Enterprise Linux (v.5) - i386, noarch, x86_64

3. Description:

Red Hat Application Stack v2.2 is an integrated open source application
stack that includes Red Hat Enterprise Linux 5 and JBoss Enterprise
Application Platform (EAP) 4.2.

This erratum updates the Apache HTTP Server package to version 2.2.10,
which addresses the following security issues:

A flaw was found in the mod_proxy module. An attacker who has control of a
web server to which requests are being proxied could cause a limited denial
of service due to CPU consumption and stack exhaustion (bug 451615 below
identifies the trigger as excessive interim responses from the origin
server). (CVE-2008-2364)

A flaw was found in the mod_proxy_ftp module. Where Apache is configured to
support FTP-over-HTTP proxying, a remote attacker could perform a
cross-site scripting attack. (CVE-2008-2939)

A cross-site request forgery issue was found in the mod_proxy_balancer
module. A remote attacker could cause a denial of service if
mod_proxy_balancer is enabled and an authenticated user is targeted.
(CVE-2007-6420)

The JBoss Enterprise Application Platform (EAP) 4.2 has been updated to
version 4.2.0.CP05.

The following packages were also updated:

* mysql to 5.0.60sp1
* mysql-connector-odbc to 3.51.26r1127
* perl-DBI to 1.607
* perl-DBD-MySQL to 4.008
* perl-DBD-Pg to 1.49
* php-pear to 1.7.2
* postgresql to 8.2.11
* postgresqlclient81 to 8.1.14

4. Solution:

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

5. Bugs fixed (http://bugzilla.redhat.com/):

451615 - CVE-2008-2364 httpd: mod_proxy_http DoS via excessive interim responses from the origin server
458250 - CVE-2008-2939 httpd: mod_proxy_ftp globbing XSS
471009 - CVE-2007-6420 mod_proxy_balancer CSRF

6. Package List:

Red Hat Application Stack v2 for Enterprise Linux (v.5):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHWAS/SRPMS/httpd-2.2.10-1.el5s2.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHWAS/SRPMS/mysql-5.0.60sp1-1.el5s2.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHWAS/SRPMS/mysql-connector-odbc-3.51.26r1127-1.el5s2.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHWAS/SRPMS/perl-DBD-MySQL-4.008-2.el5s2.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHWAS/SRPMS/perl-DBD-Pg-1.49-4.el5s2.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHWAS/SRPMS/perl-DBI-1.607-3.el5s2.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHWAS/SRPMS/php-pear-1.7.2-2.el5s2.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHWAS/SRPMS/postgresql-8.2.11-1.el5s2.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHWAS/SRPMS/postgresqlclient81-8.1.14-1.el5s2.src.rpm

i386:
httpd-2.2.10-1.el5s2.i386.rpm
httpd-debuginfo-2.2.10-1.el5s2.i386.rpm
httpd-devel-2.2.10-1.el5s2.i386.rpm
httpd-manual-2.2.10-1.el5s2.i386.rpm
mod_ssl-2.2.10-1.el5s2.i386.rpm
mysql-5.0.60sp1-1.el5s2.i386.rpm
mysql-bench-5.0.60sp1-1.el5s2.i386.rpm
mysql-cluster-5.0.60sp1-1.el5s2.i386.rpm
mysql-connector-odbc-3.51.26r1127-1.el5s2.i386.rpm
mysql-connector-odbc-debuginfo-3.51.26r1127-1.el5s2.i386.rpm
mysql-debuginfo-5.0.60sp1-1.el5s2.i386.rpm
mysql-devel-5.0.60sp1-1.el5s2.i386.rpm
mysql-libs-5.0.60sp1-1.el5s2.i386.rpm
mysql-server-5.0.60sp1-1.el5s2.i386.rpm
mysql-test-5.0.60sp1-1.el5s2.i386.rpm
perl-DBD-MySQL-4.008-2.el5s2.i386.rpm
perl-DBD-MySQL-debuginfo-4.008-2.el5s2.i386.rpm
perl-DBD-Pg-1.49-4.el5s2.i386.rpm
perl-DBD-Pg-debuginfo-1.49-4.el5s2.i386.rpm
perl-DBI-1.607-3.el5s2.i386.rpm
perl-DBI-debuginfo-1.607-3.el5s2.i386.rpm
postgresql-8.2.11-1.el5s2.i386.rpm
postgresql-contrib-8.2.11-1.el5s2.i386.rpm
postgresql-debuginfo-8.2.11-1.el5s2.i386.rpm
postgresql-devel-8.2.11-1.el5s2.i386.rpm
postgresql-docs-8.2.11-1.el5s2.i386.rpm
postgresql-libs-8.2.11-1.el5s2.i386.rpm
postgresql-plperl-8.2.11-1.el5s2.i386.rpm
postgresql-plpython-8.2.11-1.el5s2.i386.rpm
postgresql-pltcl-8.2.11-1.el5s2.i386.rpm
postgresql-python-8.2.11-1.el5s2.i386.rpm
postgresql-server-8.2.11-1.el5s2.i386.rpm
postgresql-tcl-8.2.11-1.el5s2.i386.rpm
postgresql-test-8.2.11-1.el5s2.i386.rpm
postgresqlclient81-8.1.14-1.el5s2.i386.rpm
postgresqlclient81-debuginfo-8.1.14-1.el5s2.i386.rpm

noarch:
php-pear-1.7.2-2.el5s2.noarch.rpm

x86_64:
httpd-2.2.10-1.el5s2.x86_64.rpm
httpd-debuginfo-2.2.10-1.el5s2.x86_64.rpm
httpd-devel-2.2.10-1.el5s2.x86_64.rpm
httpd-manual-2.2.10-1.el5s2.x86_64.rpm
mod_ssl-2.2.10-1.el5s2.x86_64.rpm
mysql-5.0.60sp1-1.el5s2.x86_64.rpm
mysql-bench-5.0.60sp1-1.el5s2.x86_64.rpm
mysql-cluster-5.0.60sp1-1.el5s2.x86_64.rpm
mysql-connector-odbc-3.51.26r1127-1.el5s2.x86_64.rpm
mysql-connector-odbc-debuginfo-3.51.26r1127-1.el5s2.x86_64.rpm
mysql-debuginfo-5.0.60sp1-1.el5s2.x86_64.rpm
mysql-devel-5.0.60sp1-1.el5s2.x86_64.rpm
mysql-libs-5.0.60sp1-1.el5s2.x86_64.rpm
mysql-server-5.0.60sp1-1.el5s2.x86_64.rpm
mysql-test-5.0.60sp1-1.el5s2.x86_64.rpm
perl-DBD-MySQL-4.008-2.el5s2.x86_64.rpm
perl-DBD-MySQL-debuginfo-4.008-2.el5s2.x86_64.rpm
perl-DBD-Pg-1.49-4.el5s2.x86_64.rpm
perl-DBD-Pg-debuginfo-1.49-4.el5s2.x86_64.rpm
perl-DBI-1.607-3.el5s2.x86_64.rpm
perl-DBI-debuginfo-1.607-3.el5s2.x86_64.rpm
postgresql-8.2.11-1.el5s2.x86_64.rpm
postgresql-contrib-8.2.11-1.el5s2.x86_64.rpm
postgresql-debuginfo-8.2.11-1.el5s2.i386.rpm
postgresql-debuginfo-8.2.11-1.el5s2.x86_64.rpm
postgresql-devel-8.2.11-1.el5s2.i386.rpm
postgresql-devel-8.2.11-1.el5s2.x86_64.rpm
postgresql-docs-8.2.11-1.el5s2.x86_64.rpm
postgresql-libs-8.2.11-1.el5s2.i386.rpm
postgresql-libs-8.2.11-1.el5s2.x86_64.rpm
postgresql-plperl-8.2.11-1.el5s2.x86_64.rpm
postgresql-plpython-8.2.11-1.el5s2.x86_64.rpm
postgresql-pltcl-8.2.11-1.el5s2.x86_64.rpm
postgresql-python-8.2.11-1.el5s2.x86_64.rpm
postgresql-server-8.2.11-1.el5s2.x86_64.rpm
postgresql-tcl-8.2.11-1.el5s2.x86_64.rpm
postgresql-test-8.2.11-1.el5s2.x86_64.rpm
postgresqlclient81-8.1.14-1.el5s2.x86_64.rpm
postgresqlclient81-debuginfo-8.1.14-1.el5s2.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6420
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2364
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2939
http://www.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at
https://www.redhat.com/security/team/contact/

Copyright 2008 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFJODYKXlSAg2UNWIIRApeIAJsGiSmuRlKcYOr5NuYcvBXMOx7jDQCfYu9L
VPoiG1uvT61EantCD5ihEcE=
=widu
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Mon Dec 15 15:34:30 2008
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 15 Dec 2008 10:34:30 -0500
Subject: [RHSA-2008:1016-01] Moderate: enscript security update
Message-ID: <200812151534.mBFFYV8s006393@int-mx1.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: enscript security update
Advisory ID:       RHSA-2008:1016-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2008-1016.html
Issue date:        2008-12-15
CVE Names:         CVE-2008-3863 CVE-2008-4306
=====================================================================

1. Summary:

Updated enscript packages that fix two security issues are now available
for Red Hat Enterprise Linux 5.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64

3. Description:

GNU enscript converts ASCII files to PostScript(R) language files and
spools the generated output to a specified printer or saves it to a file.
Enscript can be extended to handle different output media and includes
options for customizing printouts.

Two buffer overflow flaws were found in GNU enscript. An attacker could
craft an ASCII file in such a way that it could execute arbitrary code if
the file was opened with enscript with the "special escapes" option (-e or
--escapes) enabled. (CVE-2008-3863, CVE-2008-4306)

All users of enscript should upgrade to these updated packages, which
contain backported patches to correct these issues.

4. Solution:

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

5. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/enscript-1.6.4-4.1.1.el5_2.src.rpm

i386:
enscript-1.6.4-4.1.1.el5_2.i386.rpm
enscript-debuginfo-1.6.4-4.1.1.el5_2.i386.rpm

x86_64:
enscript-1.6.4-4.1.1.el5_2.x86_64.rpm
enscript-debuginfo-1.6.4-4.1.1.el5_2.x86_64.rpm

Red Hat Enterprise Linux (v.
5 server): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/enscript-1.6.4-4.1.1.el5_2.src.rpm i386: enscript-1.6.4-4.1.1.el5_2.i386.rpm enscript-debuginfo-1.6.4-4.1.1.el5_2.i386.rpm ia64: enscript-1.6.4-4.1.1.el5_2.ia64.rpm enscript-debuginfo-1.6.4-4.1.1.el5_2.ia64.rpm ppc: enscript-1.6.4-4.1.1.el5_2.ppc.rpm enscript-debuginfo-1.6.4-4.1.1.el5_2.ppc.rpm s390x: enscript-1.6.4-4.1.1.el5_2.s390x.rpm enscript-debuginfo-1.6.4-4.1.1.el5_2.s390x.rpm x86_64: enscript-1.6.4-4.1.1.el5_2.x86_64.rpm enscript-debuginfo-1.6.4-4.1.1.el5_2.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package 6. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3863 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4306 http://www.redhat.com/security/updates/classification/#moderate 7. Contact: The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/ Copyright 2008 Red Hat, Inc. 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFJRnkCXlSAg2UNWIIRAqP8AJoDjUHGSRYzSkqsLIQb++PcOohM8QCdFcgu
IPth6Ywn9NFxLMjpk/zFJHw=
=jR2M
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Mon Dec 15 15:34:36 2008
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 15 Dec 2008 10:34:36 -0500
Subject: [RHSA-2008:1021-02] Moderate: enscript security update
Message-ID: <200812151534.mBFFYaxN006464@int-mx1.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: enscript security update
Advisory ID:       RHSA-2008:1021-02
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2008-1021.html
Issue date:        2008-12-15
CVE Names:         CVE-2008-3863 CVE-2008-4306 CVE-2008-5078
=====================================================================

1. Summary:

Updated enscript packages that fix several security issues are now available for Red Hat Enterprise Linux 2.1, 3, and 4.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64
Red Hat Linux Advanced Workstation 2.1 - ia64
Red Hat Enterprise Linux ES version 2.1 - i386
Red Hat Enterprise Linux WS version 2.1 - i386
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

3. Description:

GNU enscript converts ASCII files to PostScript(R) language files and spools the generated output to a specified printer or saves it to a file. Enscript can be extended to handle different output media and includes options for customizing printouts.

Several buffer overflow flaws were found in GNU enscript. An attacker could craft an ASCII file in such a way that it could execute arbitrary commands if the file was opened with enscript with the "special escapes" option (-e or --escapes) enabled. (CVE-2008-3863, CVE-2008-4306, CVE-2008-5078)

All users of enscript should upgrade to these updated packages, which contain backported patches to correct these issues.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/FAQ_58_10188

5. Package List:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1:

Source:
ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/enscript-1.6.1-16.7.src.rpm

i386:
enscript-1.6.1-16.7.i386.rpm

ia64:
enscript-1.6.1-16.7.ia64.rpm

Red Hat Linux Advanced Workstation 2.1:

Source:
ftp://updates.redhat.com/enterprise/2.1AW/en/os/SRPMS/enscript-1.6.1-16.7.src.rpm

ia64:
enscript-1.6.1-16.7.ia64.rpm

Red Hat Enterprise Linux ES version 2.1:

Source:
ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/enscript-1.6.1-16.7.src.rpm

i386:
enscript-1.6.1-16.7.i386.rpm

Red Hat Enterprise Linux WS version 2.1:

Source:
ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/enscript-1.6.1-16.7.src.rpm

i386:
enscript-1.6.1-16.7.i386.rpm

Red Hat Enterprise Linux AS version 3:

Source:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/enscript-1.6.1-24.7.src.rpm

i386:
enscript-1.6.1-24.7.i386.rpm
enscript-debuginfo-1.6.1-24.7.i386.rpm

ia64:
enscript-1.6.1-24.7.ia64.rpm
enscript-debuginfo-1.6.1-24.7.ia64.rpm

ppc:
enscript-1.6.1-24.7.ppc.rpm
enscript-debuginfo-1.6.1-24.7.ppc.rpm

s390:
enscript-1.6.1-24.7.s390.rpm
enscript-debuginfo-1.6.1-24.7.s390.rpm

s390x:
enscript-1.6.1-24.7.s390x.rpm
enscript-debuginfo-1.6.1-24.7.s390x.rpm

x86_64:
enscript-1.6.1-24.7.x86_64.rpm
enscript-debuginfo-1.6.1-24.7.x86_64.rpm

Red Hat Desktop version 3:

Source:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/enscript-1.6.1-24.7.src.rpm

i386:
enscript-1.6.1-24.7.i386.rpm
enscript-debuginfo-1.6.1-24.7.i386.rpm

x86_64:
enscript-1.6.1-24.7.x86_64.rpm
enscript-debuginfo-1.6.1-24.7.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

Source:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/enscript-1.6.1-24.7.src.rpm

i386:
enscript-1.6.1-24.7.i386.rpm
enscript-debuginfo-1.6.1-24.7.i386.rpm

ia64:
enscript-1.6.1-24.7.ia64.rpm
enscript-debuginfo-1.6.1-24.7.ia64.rpm

x86_64:
enscript-1.6.1-24.7.x86_64.rpm
enscript-debuginfo-1.6.1-24.7.x86_64.rpm

Red Hat Enterprise Linux WS version 3:

Source:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/enscript-1.6.1-24.7.src.rpm

i386:
enscript-1.6.1-24.7.i386.rpm
enscript-debuginfo-1.6.1-24.7.i386.rpm

ia64:
enscript-1.6.1-24.7.ia64.rpm
enscript-debuginfo-1.6.1-24.7.ia64.rpm

x86_64:
enscript-1.6.1-24.7.x86_64.rpm
enscript-debuginfo-1.6.1-24.7.x86_64.rpm

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/enscript-1.6.1-33.el4_7.1.src.rpm

i386:
enscript-1.6.1-33.el4_7.1.i386.rpm
enscript-debuginfo-1.6.1-33.el4_7.1.i386.rpm

ia64:
enscript-1.6.1-33.el4_7.1.ia64.rpm
enscript-debuginfo-1.6.1-33.el4_7.1.ia64.rpm

ppc:
enscript-1.6.1-33.el4_7.1.ppc.rpm
enscript-debuginfo-1.6.1-33.el4_7.1.ppc.rpm

s390:
enscript-1.6.1-33.el4_7.1.s390.rpm
enscript-debuginfo-1.6.1-33.el4_7.1.s390.rpm

s390x:
enscript-1.6.1-33.el4_7.1.s390x.rpm
enscript-debuginfo-1.6.1-33.el4_7.1.s390x.rpm

x86_64:
enscript-1.6.1-33.el4_7.1.x86_64.rpm
enscript-debuginfo-1.6.1-33.el4_7.1.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/enscript-1.6.1-33.el4_7.1.src.rpm

i386:
enscript-1.6.1-33.el4_7.1.i386.rpm
enscript-debuginfo-1.6.1-33.el4_7.1.i386.rpm

x86_64:
enscript-1.6.1-33.el4_7.1.x86_64.rpm
enscript-debuginfo-1.6.1-33.el4_7.1.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/enscript-1.6.1-33.el4_7.1.src.rpm

i386:
enscript-1.6.1-33.el4_7.1.i386.rpm
enscript-debuginfo-1.6.1-33.el4_7.1.i386.rpm

ia64:
enscript-1.6.1-33.el4_7.1.ia64.rpm
enscript-debuginfo-1.6.1-33.el4_7.1.ia64.rpm

x86_64:
enscript-1.6.1-33.el4_7.1.x86_64.rpm
enscript-debuginfo-1.6.1-33.el4_7.1.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/enscript-1.6.1-33.el4_7.1.src.rpm

i386:
enscript-1.6.1-33.el4_7.1.i386.rpm
enscript-debuginfo-1.6.1-33.el4_7.1.i386.rpm

ia64:
enscript-1.6.1-33.el4_7.1.ia64.rpm
enscript-debuginfo-1.6.1-33.el4_7.1.ia64.rpm

x86_64:
enscript-1.6.1-33.el4_7.1.x86_64.rpm
enscript-debuginfo-1.6.1-33.el4_7.1.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

6. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3863
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4306
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5078
http://www.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2008 Red Hat, Inc.
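Checking a host's installed packages against an advisory's Package List is the routine step the Solution section leaves to the reader. The script below is an added example, not Red Hat tooling: it parses the Package List section of an RHSA advisory in the layout used above (a constructed excerpt of RHSA-2008:1021, with NVRs copied from the advisory), then compares a constructed inventory in `rpm -qa` form (name-version-release.arch) against the fixed builds using a simplified re-implementation of RPM's label comparison. The simplification is an assumption stated in the code: epochs and the `~`/`^` ordering rules of the real rpmvercmp are not modelled, which is enough for the release strings shown on this page.

```python
import re

# Constructed excerpt of the RHSA-2008:1021 Package List (NVRs taken from the advisory above);
# a real run would read the whole advisory message instead.
ADVISORY = """\
5. Package List:

Red Hat Enterprise Linux AS version 3:

Source:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/enscript-1.6.1-24.7.src.rpm

i386:
enscript-1.6.1-24.7.i386.rpm
enscript-debuginfo-1.6.1-24.7.i386.rpm

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/enscript-1.6.1-33.el4_7.1.src.rpm

i386:
enscript-1.6.1-33.el4_7.1.i386.rpm
enscript-debuginfo-1.6.1-33.el4_7.1.i386.rpm

x86_64:
enscript-1.6.1-33.el4_7.1.x86_64.rpm
enscript-debuginfo-1.6.1-33.el4_7.1.x86_64.rpm

These packages are GPG signed by Red Hat for security.
"""

# Constructed `rpm -qa`-style inventory (name-version-release.arch) for a RHEL 4 AS host.
INSTALLED = [
    "enscript-1.6.1-33.el4_7.i386",             # one release behind the fixed build
    "enscript-debuginfo-1.6.1-33.el4_7.1.i386",  # exactly the fixed build
    "enscript-1.6.1-34.el4.x86_64",              # a later build, already past the fix
    "bash-3.0-19.6.i386",                        # not covered by this advisory
]


def split_nvra(s):
    """'enscript-debuginfo-1.6.1-33.el4_7.1.i386' -> (name, version, release, arch)."""
    rest, arch = s.rsplit(".", 1)
    name, version, release = rest.rsplit("-", 2)
    return name, version, release, arch


def rpmvercmp(a, b):
    """Simplified RPM label comparison: split into digit and alpha runs, compare
    numerically or lexically, a numeric run beats an alpha run, and on a tie the
    longer label wins. Assumption: epochs and the '~'/'^' rules are not modelled."""
    if a == b:
        return 0
    sa = re.findall(r"[0-9]+|[A-Za-z]+", a)
    sb = re.findall(r"[0-9]+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1


def parse_package_list(text):
    """Return {product: {'name.arch': (version, release)}} from the Package List section."""
    products, product, in_list = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not in_list:
            in_list = line.endswith("Package List:")
            continue
        if line.startswith("These packages are GPG signed"):
            break
        if not line or line == "Source:" or line.endswith(".src.rpm"):
            continue
        if line.endswith(":"):
            label = line[:-1]
            if " " in label:  # product heading; arch labels such as "x86_64:" contain no space
                product = label
                products.setdefault(product, {})
            continue
        if line.endswith(".rpm") and product is not None:
            name, version, release, arch = split_nvra(line[: -len(".rpm")])
            products[product][name + "." + arch] = (version, release)
    return products


def check_inventory(advisory_text, product, installed):
    """Map each installed package the advisory covers to 'fixed' or 'vulnerable'."""
    fixed = parse_package_list(advisory_text)[product]
    report = {}
    for pkg in installed:
        name, version, release, arch = split_nvra(pkg)
        key = name + "." + arch
        if key not in fixed:
            continue
        fver, frel = fixed[key]
        order = rpmvercmp(version, fver) or rpmvercmp(release, frel)
        report[key] = "fixed" if order >= 0 else "vulnerable"
    return report


if __name__ == "__main__":
    result = check_inventory(ADVISORY, "Red Hat Enterprise Linux AS version 4", INSTALLED)
    for key, status in sorted(result.items()):
        print(f"{key:32} {status}")
```

Only packages the advisory actually ships for the selected product are reported, so an unrelated package such as bash is silently skipped, and a build newer than the advisory's is treated as fixed because later errata supersede earlier ones. On a real host, the inventory would come from `rpm -qa` and the product heading would be chosen to match the installed release.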
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFJRnkIXlSAg2UNWIIRAhZAAKCU2YXNKKM7CajBoI5YDjtHLISTbgCdGCat
ACzkLVtbGMYaXPQRdC6o6tQ=
=k0EG
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Mon Dec 15 15:34:41 2008
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 15 Dec 2008 10:34:41 -0500
Subject: [RHSA-2008:1023-01] Moderate: pidgin security and bug fix update
Message-ID: <200812151534.mBFFYf6N006597@int-mx1.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: pidgin security and bug fix update
Advisory ID:       RHSA-2008:1023-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2008-1023.html
Issue date:        2008-12-15
CVE Names:         CVE-2008-2955 CVE-2008-2957 CVE-2008-3532
=====================================================================

1. Summary:

Updated Pidgin packages that fix several security issues and bugs are now available for Red Hat Enterprise Linux 4 and 5.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
RHEL Desktop Workstation (v. 5 client) - i386, x86_64
RHEL Optional Productivity Applications (v. 5 server) - i386, x86_64

3. Description:

Pidgin is a multi-protocol Internet Messaging client.

A denial-of-service flaw was found in Pidgin's MSN protocol handler. If a remote user was able to send, and the Pidgin user accepted, a carefully-crafted file request, it could result in Pidgin crashing. (CVE-2008-2955)

A denial-of-service flaw was found in Pidgin's Universal Plug and Play (UPnP) request handling. A malicious UPnP server could send a request to Pidgin, causing it to download an excessive amount of data, consuming all available memory or disk space. (CVE-2008-2957)

A flaw was found in the way Pidgin handled SSL certificates. The NSS SSL implementation in Pidgin did not properly verify the authenticity of SSL certificates. This could have resulted in users unknowingly connecting to a malicious SSL service. (CVE-2008-3532)

In addition, this update upgrades pidgin from version 2.3.1 to version 2.5.2, with many additional stability and functionality fixes from the Pidgin Project.

Note: the Secure Internet Live Conferencing (SILC) chat network protocol has recently changed, affecting all versions of pidgin shipped with Red Hat Enterprise Linux. Pidgin cannot currently connect to the latest version of the SILC server (1.1.14): it fails to properly exchange keys during initial login. This update does not correct this. Red Hat Bugzilla #474212 (linked to in the References section) has more information.

Note: after the errata packages are installed, Pidgin must be restarted for the update to take effect.

All Pidgin users should upgrade to these updated packages, which contain Pidgin version 2.5.2 and resolve these issues.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/FAQ_58_10188

5. Package List:

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/pidgin-2.5.2-6.el4.src.rpm

i386:
finch-2.5.2-6.el4.i386.rpm
finch-devel-2.5.2-6.el4.i386.rpm
libpurple-2.5.2-6.el4.i386.rpm
libpurple-devel-2.5.2-6.el4.i386.rpm
libpurple-perl-2.5.2-6.el4.i386.rpm
libpurple-tcl-2.5.2-6.el4.i386.rpm
pidgin-2.5.2-6.el4.i386.rpm
pidgin-debuginfo-2.5.2-6.el4.i386.rpm
pidgin-devel-2.5.2-6.el4.i386.rpm
pidgin-perl-2.5.2-6.el4.i386.rpm

ia64:
finch-2.5.2-6.el4.ia64.rpm
finch-devel-2.5.2-6.el4.ia64.rpm
libpurple-2.5.2-6.el4.ia64.rpm
libpurple-devel-2.5.2-6.el4.ia64.rpm
libpurple-perl-2.5.2-6.el4.ia64.rpm
libpurple-tcl-2.5.2-6.el4.ia64.rpm
pidgin-2.5.2-6.el4.ia64.rpm
pidgin-debuginfo-2.5.2-6.el4.ia64.rpm
pidgin-devel-2.5.2-6.el4.ia64.rpm
pidgin-perl-2.5.2-6.el4.ia64.rpm

ppc:
finch-2.5.2-6.el4.ppc.rpm
finch-devel-2.5.2-6.el4.ppc.rpm
libpurple-2.5.2-6.el4.ppc.rpm
libpurple-devel-2.5.2-6.el4.ppc.rpm
libpurple-perl-2.5.2-6.el4.ppc.rpm
libpurple-tcl-2.5.2-6.el4.ppc.rpm
pidgin-2.5.2-6.el4.ppc.rpm
pidgin-debuginfo-2.5.2-6.el4.ppc.rpm
pidgin-devel-2.5.2-6.el4.ppc.rpm
pidgin-perl-2.5.2-6.el4.ppc.rpm

x86_64:
finch-2.5.2-6.el4.x86_64.rpm
finch-devel-2.5.2-6.el4.x86_64.rpm
libpurple-2.5.2-6.el4.x86_64.rpm
libpurple-devel-2.5.2-6.el4.x86_64.rpm
libpurple-perl-2.5.2-6.el4.x86_64.rpm
libpurple-tcl-2.5.2-6.el4.x86_64.rpm
pidgin-2.5.2-6.el4.x86_64.rpm
pidgin-debuginfo-2.5.2-6.el4.x86_64.rpm
pidgin-devel-2.5.2-6.el4.x86_64.rpm
pidgin-perl-2.5.2-6.el4.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/pidgin-2.5.2-6.el4.src.rpm

i386:
finch-2.5.2-6.el4.i386.rpm
finch-devel-2.5.2-6.el4.i386.rpm
libpurple-2.5.2-6.el4.i386.rpm
libpurple-devel-2.5.2-6.el4.i386.rpm
libpurple-perl-2.5.2-6.el4.i386.rpm
libpurple-tcl-2.5.2-6.el4.i386.rpm
pidgin-2.5.2-6.el4.i386.rpm
pidgin-debuginfo-2.5.2-6.el4.i386.rpm
pidgin-devel-2.5.2-6.el4.i386.rpm
pidgin-perl-2.5.2-6.el4.i386.rpm

x86_64:
finch-2.5.2-6.el4.x86_64.rpm
finch-devel-2.5.2-6.el4.x86_64.rpm
libpurple-2.5.2-6.el4.x86_64.rpm
libpurple-devel-2.5.2-6.el4.x86_64.rpm
libpurple-perl-2.5.2-6.el4.x86_64.rpm
libpurple-tcl-2.5.2-6.el4.x86_64.rpm
pidgin-2.5.2-6.el4.x86_64.rpm
pidgin-debuginfo-2.5.2-6.el4.x86_64.rpm
pidgin-devel-2.5.2-6.el4.x86_64.rpm
pidgin-perl-2.5.2-6.el4.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/pidgin-2.5.2-6.el4.src.rpm

i386:
finch-2.5.2-6.el4.i386.rpm
finch-devel-2.5.2-6.el4.i386.rpm
libpurple-2.5.2-6.el4.i386.rpm
libpurple-devel-2.5.2-6.el4.i386.rpm
libpurple-perl-2.5.2-6.el4.i386.rpm
libpurple-tcl-2.5.2-6.el4.i386.rpm
pidgin-2.5.2-6.el4.i386.rpm
pidgin-debuginfo-2.5.2-6.el4.i386.rpm
pidgin-devel-2.5.2-6.el4.i386.rpm
pidgin-perl-2.5.2-6.el4.i386.rpm

ia64:
finch-2.5.2-6.el4.ia64.rpm
finch-devel-2.5.2-6.el4.ia64.rpm
libpurple-2.5.2-6.el4.ia64.rpm
libpurple-devel-2.5.2-6.el4.ia64.rpm
libpurple-perl-2.5.2-6.el4.ia64.rpm
libpurple-tcl-2.5.2-6.el4.ia64.rpm
pidgin-2.5.2-6.el4.ia64.rpm
pidgin-debuginfo-2.5.2-6.el4.ia64.rpm
pidgin-devel-2.5.2-6.el4.ia64.rpm
pidgin-perl-2.5.2-6.el4.ia64.rpm

x86_64:
finch-2.5.2-6.el4.x86_64.rpm
finch-devel-2.5.2-6.el4.x86_64.rpm
libpurple-2.5.2-6.el4.x86_64.rpm
libpurple-devel-2.5.2-6.el4.x86_64.rpm
libpurple-perl-2.5.2-6.el4.x86_64.rpm
libpurple-tcl-2.5.2-6.el4.x86_64.rpm
pidgin-2.5.2-6.el4.x86_64.rpm
pidgin-debuginfo-2.5.2-6.el4.x86_64.rpm
pidgin-devel-2.5.2-6.el4.x86_64.rpm
pidgin-perl-2.5.2-6.el4.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/pidgin-2.5.2-6.el4.src.rpm

i386:
finch-2.5.2-6.el4.i386.rpm
finch-devel-2.5.2-6.el4.i386.rpm
libpurple-2.5.2-6.el4.i386.rpm
libpurple-devel-2.5.2-6.el4.i386.rpm
libpurple-perl-2.5.2-6.el4.i386.rpm
libpurple-tcl-2.5.2-6.el4.i386.rpm
pidgin-2.5.2-6.el4.i386.rpm
pidgin-debuginfo-2.5.2-6.el4.i386.rpm
pidgin-devel-2.5.2-6.el4.i386.rpm
pidgin-perl-2.5.2-6.el4.i386.rpm

ia64:
finch-2.5.2-6.el4.ia64.rpm
finch-devel-2.5.2-6.el4.ia64.rpm
libpurple-2.5.2-6.el4.ia64.rpm
libpurple-devel-2.5.2-6.el4.ia64.rpm
libpurple-perl-2.5.2-6.el4.ia64.rpm
libpurple-tcl-2.5.2-6.el4.ia64.rpm
pidgin-2.5.2-6.el4.ia64.rpm
pidgin-debuginfo-2.5.2-6.el4.ia64.rpm
pidgin-devel-2.5.2-6.el4.ia64.rpm
pidgin-perl-2.5.2-6.el4.ia64.rpm

x86_64:
finch-2.5.2-6.el4.x86_64.rpm
finch-devel-2.5.2-6.el4.x86_64.rpm
libpurple-2.5.2-6.el4.x86_64.rpm
libpurple-devel-2.5.2-6.el4.x86_64.rpm
libpurple-perl-2.5.2-6.el4.x86_64.rpm
libpurple-tcl-2.5.2-6.el4.x86_64.rpm
pidgin-2.5.2-6.el4.x86_64.rpm
pidgin-debuginfo-2.5.2-6.el4.x86_64.rpm
pidgin-devel-2.5.2-6.el4.x86_64.rpm
pidgin-perl-2.5.2-6.el4.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/pidgin-2.5.2-6.el5.src.rpm

i386:
finch-2.5.2-6.el5.i386.rpm
libpurple-2.5.2-6.el5.i386.rpm
libpurple-perl-2.5.2-6.el5.i386.rpm
libpurple-tcl-2.5.2-6.el5.i386.rpm
pidgin-2.5.2-6.el5.i386.rpm
pidgin-debuginfo-2.5.2-6.el5.i386.rpm
pidgin-perl-2.5.2-6.el5.i386.rpm

x86_64:
finch-2.5.2-6.el5.i386.rpm
finch-2.5.2-6.el5.x86_64.rpm
libpurple-2.5.2-6.el5.i386.rpm
libpurple-2.5.2-6.el5.x86_64.rpm
libpurple-perl-2.5.2-6.el5.x86_64.rpm
libpurple-tcl-2.5.2-6.el5.x86_64.rpm
pidgin-2.5.2-6.el5.i386.rpm
pidgin-2.5.2-6.el5.x86_64.rpm
pidgin-debuginfo-2.5.2-6.el5.i386.rpm
pidgin-debuginfo-2.5.2-6.el5.x86_64.rpm
pidgin-perl-2.5.2-6.el5.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/pidgin-2.5.2-6.el5.src.rpm

i386:
finch-devel-2.5.2-6.el5.i386.rpm
libpurple-devel-2.5.2-6.el5.i386.rpm
pidgin-debuginfo-2.5.2-6.el5.i386.rpm
pidgin-devel-2.5.2-6.el5.i386.rpm

x86_64:
finch-devel-2.5.2-6.el5.i386.rpm
finch-devel-2.5.2-6.el5.x86_64.rpm
libpurple-devel-2.5.2-6.el5.i386.rpm
libpurple-devel-2.5.2-6.el5.x86_64.rpm
pidgin-debuginfo-2.5.2-6.el5.i386.rpm
pidgin-debuginfo-2.5.2-6.el5.x86_64.rpm
pidgin-devel-2.5.2-6.el5.i386.rpm
pidgin-devel-2.5.2-6.el5.x86_64.rpm

RHEL Optional Productivity Applications (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/pidgin-2.5.2-6.el5.src.rpm

i386:
finch-2.5.2-6.el5.i386.rpm
finch-devel-2.5.2-6.el5.i386.rpm
libpurple-2.5.2-6.el5.i386.rpm
libpurple-devel-2.5.2-6.el5.i386.rpm
libpurple-perl-2.5.2-6.el5.i386.rpm
libpurple-tcl-2.5.2-6.el5.i386.rpm
pidgin-2.5.2-6.el5.i386.rpm
pidgin-debuginfo-2.5.2-6.el5.i386.rpm
pidgin-devel-2.5.2-6.el5.i386.rpm
pidgin-perl-2.5.2-6.el5.i386.rpm

x86_64:
finch-2.5.2-6.el5.i386.rpm
finch-2.5.2-6.el5.x86_64.rpm
finch-devel-2.5.2-6.el5.i386.rpm
finch-devel-2.5.2-6.el5.x86_64.rpm
libpurple-2.5.2-6.el5.i386.rpm
libpurple-2.5.2-6.el5.x86_64.rpm
libpurple-devel-2.5.2-6.el5.i386.rpm
libpurple-devel-2.5.2-6.el5.x86_64.rpm
libpurple-perl-2.5.2-6.el5.x86_64.rpm
libpurple-tcl-2.5.2-6.el5.x86_64.rpm
pidgin-2.5.2-6.el5.i386.rpm
pidgin-2.5.2-6.el5.x86_64.rpm
pidgin-debuginfo-2.5.2-6.el5.i386.rpm
pidgin-debuginfo-2.5.2-6.el5.x86_64.rpm
pidgin-devel-2.5.2-6.el5.i386.rpm
pidgin-devel-2.5.2-6.el5.x86_64.rpm
pidgin-perl-2.5.2-6.el5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

6. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2955
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2957
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3532
http://www.redhat.com/security/updates/classification/#moderate
https://bugzilla.redhat.com/show_bug.cgi?id=474212

7. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2008 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFJRnkNXlSAg2UNWIIRAhqBAKCguG3wjXVZEjRoBiFvGvZCiz4LrQCgsd9E
oekQtGKvk5h/MuqUxX/Hm18=
=t21K
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Mon Dec 15 15:34:47 2008
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 15 Dec 2008 10:34:47 -0500
Subject: [RHSA-2008:1028-01] Moderate: cups security update
Message-ID: <200812151534.mBFFYlIU006694@int-mx1.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: cups security update
Advisory ID:       RHSA-2008:1028-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2008-1028.html
Issue date:        2008-12-15
CVE Names:         CVE-2008-5286
=====================================================================

1. Summary:

Updated cups packages that fix a security issue are now available for Red Hat Enterprise Linux 3.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64

3. Description:

The Common UNIX(R) Printing System (CUPS) provides a portable printing layer for UNIX operating systems.

An integer overflow flaw, leading to a heap buffer overflow, was discovered in the Portable Network Graphics (PNG) decoding routines used by the CUPS image-converting filters, "imagetops" and "imagetoraster". An attacker could create a malicious PNG file that could, potentially, execute arbitrary code as the "lp" user if the file was printed. (CVE-2008-5286) CUPS users should upgrade to these updated packages, which contain a backported patch to correct this issue. 4. Solution: Before applying this update, make sure that all previously-released errata relevant to your system have been applied. This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259 5. Package List: Red Hat Enterprise Linux AS version 3: Source: ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/cups-1.1.17-13.3.55.src.rpm i386: cups-1.1.17-13.3.55.i386.rpm cups-debuginfo-1.1.17-13.3.55.i386.rpm cups-devel-1.1.17-13.3.55.i386.rpm cups-libs-1.1.17-13.3.55.i386.rpm ia64: cups-1.1.17-13.3.55.ia64.rpm cups-debuginfo-1.1.17-13.3.55.i386.rpm cups-debuginfo-1.1.17-13.3.55.ia64.rpm cups-devel-1.1.17-13.3.55.ia64.rpm cups-libs-1.1.17-13.3.55.i386.rpm cups-libs-1.1.17-13.3.55.ia64.rpm ppc: cups-1.1.17-13.3.55.ppc.rpm cups-debuginfo-1.1.17-13.3.55.ppc.rpm cups-debuginfo-1.1.17-13.3.55.ppc64.rpm cups-devel-1.1.17-13.3.55.ppc.rpm cups-libs-1.1.17-13.3.55.ppc.rpm cups-libs-1.1.17-13.3.55.ppc64.rpm s390: cups-1.1.17-13.3.55.s390.rpm cups-debuginfo-1.1.17-13.3.55.s390.rpm cups-devel-1.1.17-13.3.55.s390.rpm cups-libs-1.1.17-13.3.55.s390.rpm s390x: cups-1.1.17-13.3.55.s390x.rpm cups-debuginfo-1.1.17-13.3.55.s390.rpm cups-debuginfo-1.1.17-13.3.55.s390x.rpm cups-devel-1.1.17-13.3.55.s390x.rpm cups-libs-1.1.17-13.3.55.s390.rpm cups-libs-1.1.17-13.3.55.s390x.rpm x86_64: cups-1.1.17-13.3.55.x86_64.rpm cups-debuginfo-1.1.17-13.3.55.i386.rpm cups-debuginfo-1.1.17-13.3.55.x86_64.rpm 
cups-devel-1.1.17-13.3.55.x86_64.rpm cups-libs-1.1.17-13.3.55.i386.rpm cups-libs-1.1.17-13.3.55.x86_64.rpm Red Hat Desktop version 3: Source: ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/cups-1.1.17-13.3.55.src.rpm i386: cups-1.1.17-13.3.55.i386.rpm cups-debuginfo-1.1.17-13.3.55.i386.rpm cups-devel-1.1.17-13.3.55.i386.rpm cups-libs-1.1.17-13.3.55.i386.rpm x86_64: cups-1.1.17-13.3.55.x86_64.rpm cups-debuginfo-1.1.17-13.3.55.i386.rpm cups-debuginfo-1.1.17-13.3.55.x86_64.rpm cups-devel-1.1.17-13.3.55.x86_64.rpm cups-libs-1.1.17-13.3.55.i386.rpm cups-libs-1.1.17-13.3.55.x86_64.rpm Red Hat Enterprise Linux ES version 3: Source: ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/cups-1.1.17-13.3.55.src.rpm i386: cups-1.1.17-13.3.55.i386.rpm cups-debuginfo-1.1.17-13.3.55.i386.rpm cups-devel-1.1.17-13.3.55.i386.rpm cups-libs-1.1.17-13.3.55.i386.rpm ia64: cups-1.1.17-13.3.55.ia64.rpm cups-debuginfo-1.1.17-13.3.55.i386.rpm cups-debuginfo-1.1.17-13.3.55.ia64.rpm cups-devel-1.1.17-13.3.55.ia64.rpm cups-libs-1.1.17-13.3.55.i386.rpm cups-libs-1.1.17-13.3.55.ia64.rpm x86_64: cups-1.1.17-13.3.55.x86_64.rpm cups-debuginfo-1.1.17-13.3.55.i386.rpm cups-debuginfo-1.1.17-13.3.55.x86_64.rpm cups-devel-1.1.17-13.3.55.x86_64.rpm cups-libs-1.1.17-13.3.55.i386.rpm cups-libs-1.1.17-13.3.55.x86_64.rpm Red Hat Enterprise Linux WS version 3: Source: ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/cups-1.1.17-13.3.55.src.rpm i386: cups-1.1.17-13.3.55.i386.rpm cups-debuginfo-1.1.17-13.3.55.i386.rpm cups-devel-1.1.17-13.3.55.i386.rpm cups-libs-1.1.17-13.3.55.i386.rpm ia64: cups-1.1.17-13.3.55.ia64.rpm cups-debuginfo-1.1.17-13.3.55.i386.rpm cups-debuginfo-1.1.17-13.3.55.ia64.rpm cups-devel-1.1.17-13.3.55.ia64.rpm cups-libs-1.1.17-13.3.55.i386.rpm cups-libs-1.1.17-13.3.55.ia64.rpm x86_64: cups-1.1.17-13.3.55.x86_64.rpm cups-debuginfo-1.1.17-13.3.55.i386.rpm cups-debuginfo-1.1.17-13.3.55.x86_64.rpm cups-devel-1.1.17-13.3.55.x86_64.rpm cups-libs-1.1.17-13.3.55.i386.rpm 
cups-libs-1.1.17-13.3.55.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package 6. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5286 http://www.redhat.com/security/updates/classification/#moderate 7. Contact: The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/ Copyright 2008 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFJRnkTXlSAg2UNWIIRAiQMAJ9uO8IOQk+PUjnnag3ftIDS/7dw2gCgjWtV eaoamYj1i1jM/VxFuVYkWEc= =CMDc -----END PGP SIGNATURE----- From bugzilla at redhat.com Mon Dec 15 15:34:51 2008 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Mon, 15 Dec 2008 10:34:51 -0500 Subject: [RHSA-2008:1029-01] Moderate: cups security update Message-ID: <200812151534.mBFFYpZq006747@int-mx1.corp.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: cups security update Advisory ID: RHSA-2008:1029-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2008-1029.html Issue date: 2008-12-15 CVE Names: CVE-2008-5183 ===================================================================== 1. Summary: Updated cups packages that fix a security issue are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 RHEL Desktop Workstation (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64 3. Description: The Common UNIX? Printing System (CUPS) provides a portable printing layer for UNIX operating systems. 
A null pointer dereference flaw was found in the way CUPS handled subscriptions for printing job completion notifications. A local user could use this flaw to crash the CUPS daemon by submitting a large number of printing jobs requiring mail notification on completion, leading to a denial of service. (CVE-2008-5183)

Users of cups should upgrade to these updated packages, which contain a backported patch to correct this issue.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/cups-1.2.4-11.18.el5_2.3.src.rpm

i386:
cups-1.2.4-11.18.el5_2.3.i386.rpm
cups-debuginfo-1.2.4-11.18.el5_2.3.i386.rpm
cups-libs-1.2.4-11.18.el5_2.3.i386.rpm
cups-lpd-1.2.4-11.18.el5_2.3.i386.rpm

x86_64:
cups-1.2.4-11.18.el5_2.3.x86_64.rpm
cups-debuginfo-1.2.4-11.18.el5_2.3.i386.rpm
cups-debuginfo-1.2.4-11.18.el5_2.3.x86_64.rpm
cups-libs-1.2.4-11.18.el5_2.3.i386.rpm
cups-libs-1.2.4-11.18.el5_2.3.x86_64.rpm
cups-lpd-1.2.4-11.18.el5_2.3.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/cups-1.2.4-11.18.el5_2.3.src.rpm

i386:
cups-debuginfo-1.2.4-11.18.el5_2.3.i386.rpm
cups-devel-1.2.4-11.18.el5_2.3.i386.rpm

x86_64:
cups-debuginfo-1.2.4-11.18.el5_2.3.i386.rpm
cups-debuginfo-1.2.4-11.18.el5_2.3.x86_64.rpm
cups-devel-1.2.4-11.18.el5_2.3.i386.rpm
cups-devel-1.2.4-11.18.el5_2.3.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/cups-1.2.4-11.18.el5_2.3.src.rpm

i386:
cups-1.2.4-11.18.el5_2.3.i386.rpm
cups-debuginfo-1.2.4-11.18.el5_2.3.i386.rpm
cups-devel-1.2.4-11.18.el5_2.3.i386.rpm
cups-libs-1.2.4-11.18.el5_2.3.i386.rpm
cups-lpd-1.2.4-11.18.el5_2.3.i386.rpm

ia64:
cups-1.2.4-11.18.el5_2.3.ia64.rpm
cups-debuginfo-1.2.4-11.18.el5_2.3.i386.rpm
cups-debuginfo-1.2.4-11.18.el5_2.3.ia64.rpm
cups-devel-1.2.4-11.18.el5_2.3.ia64.rpm
cups-libs-1.2.4-11.18.el5_2.3.i386.rpm
cups-libs-1.2.4-11.18.el5_2.3.ia64.rpm
cups-lpd-1.2.4-11.18.el5_2.3.ia64.rpm

ppc:
cups-1.2.4-11.18.el5_2.3.ppc.rpm
cups-debuginfo-1.2.4-11.18.el5_2.3.ppc.rpm
cups-debuginfo-1.2.4-11.18.el5_2.3.ppc64.rpm
cups-devel-1.2.4-11.18.el5_2.3.ppc.rpm
cups-devel-1.2.4-11.18.el5_2.3.ppc64.rpm
cups-libs-1.2.4-11.18.el5_2.3.ppc.rpm
cups-libs-1.2.4-11.18.el5_2.3.ppc64.rpm
cups-lpd-1.2.4-11.18.el5_2.3.ppc.rpm

s390x:
cups-1.2.4-11.18.el5_2.3.s390x.rpm
cups-debuginfo-1.2.4-11.18.el5_2.3.s390.rpm
cups-debuginfo-1.2.4-11.18.el5_2.3.s390x.rpm
cups-devel-1.2.4-11.18.el5_2.3.s390.rpm
cups-devel-1.2.4-11.18.el5_2.3.s390x.rpm
cups-libs-1.2.4-11.18.el5_2.3.s390.rpm
cups-libs-1.2.4-11.18.el5_2.3.s390x.rpm
cups-lpd-1.2.4-11.18.el5_2.3.s390x.rpm

x86_64:
cups-1.2.4-11.18.el5_2.3.x86_64.rpm
cups-debuginfo-1.2.4-11.18.el5_2.3.i386.rpm
cups-debuginfo-1.2.4-11.18.el5_2.3.x86_64.rpm
cups-devel-1.2.4-11.18.el5_2.3.i386.rpm
cups-devel-1.2.4-11.18.el5_2.3.x86_64.rpm
cups-libs-1.2.4-11.18.el5_2.3.i386.rpm
cups-libs-1.2.4-11.18.el5_2.3.x86_64.rpm
cups-lpd-1.2.4-11.18.el5_2.3.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

6. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5183
http://www.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is . More contact details at
https://www.redhat.com/security/team/contact/

Copyright 2008 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFJRnkZXlSAg2UNWIIRApZPAKC20dWTvYzEe1kFHoXdfLiUlnEMagCeJA5B
GummpAgD3J994rgL7jFDnYA=
=rtPJ
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Tue Dec 16 08:14:35 2008
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 16 Dec 2008 03:14:35 -0500
Subject: [RHSA-2008:1017-01] Important: kernel security and bug fix update
Message-ID: <200812160814.mBG8EZFp009009@int-mx1.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: kernel security and bug fix update
Advisory ID:       RHSA-2008:1017-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2008-1017.html
Issue date:        2008-12-16
CVE Names:         CVE-2008-3831 CVE-2008-4554 CVE-2008-4576
=====================================================================

1. Summary:

Updated kernel packages that resolve several security issues and fix various bugs are now available for Red Hat Enterprise Linux 5.

This update has been rated as having important security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 5 client) - i386, noarch, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, noarch, ppc, s390x, x86_64

3. Description:

The kernel packages contain the Linux kernel, the core of any Linux operating system.

* Olaf Kirch reported a flaw in the i915 kernel driver that only affects the Intel G33 series and newer. This flaw could, potentially, lead to local privilege escalation. (CVE-2008-3831, Important)

* Miklos Szeredi reported a missing check for files opened with O_APPEND in the sys_splice(). This could allow a local, unprivileged user to bypass the append-only file restrictions. (CVE-2008-4554, Important)

* a deficiency was found in the Linux kernel Stream Control Transmission Protocol (SCTP) implementation. This could lead to a possible denial of service if one end of a SCTP connection did not support the AUTH extension. (CVE-2008-4576, Important)

In addition, these updated packages fix the following bugs:

* on Itanium® systems, when a multithreaded program was traced using the command "strace -f", messages similar to the following ones were displayed, after which the trace would stop:

PANIC: attached pid 10740 exited
PANIC: handle_group_exit: 10740 leader 10721
PANIC: attached pid 10739 exited
PANIC: handle_group_exit: 10739 leader 10721
...

In these updated packages, tracing a multithreaded program using the "strace -f" command no longer results in these error messages, and strace terminates normally after tracing all threads.

* on big-endian systems such as PowerPC, the getsockopt() function incorrectly returned 0 depending on the parameters passed to it when the time to live (TTL) value equaled 255.

* when using an NFSv4 file system, accessing the same file with two separate processes simultaneously resulted in the NFS client process becoming unresponsive.

* on AMD64 and Intel® 64 hypervisor-enabled systems, in cases in which a syscall correctly returned '-1' in code compiled on Red Hat Enterprise Linux 5, the same code, when run with the strace utility, would incorrectly return an invalid return value. This has been fixed so that on AMD64 and Intel® 64 hypervisor-enabled systems, syscalls in compiled code return the same, correct values as syscalls do when run with strace.

* on the Itanium® architecture, fully-virtualized guest domains which were created using more than 64 GB of memory caused other guest domains not to receive interrupts, which caused a soft lockup on other guests. All guest domains are now able to receive interrupts regardless of their allotted memory.
* when user-space used SIGIO notification, which wasn't disabled before closing a file descriptor, and was then re-enabled in a different process, an attempt by the kernel to dereference a stale pointer led to a kernel crash. With this fix, such a situation no longer causes a kernel crash.

* modifications to certain pages made through a memory-mapped region could have been lost in cases when the NFS client needed to invalidate the page cache for that particular memory-mapped file.

* fully-virtualized Windows guests became unresponsive due to the vIOSAPIC component being multiprocessor-unsafe. With this fix, vIOSAPIC is multiprocessor-safe and Windows guests do not become unresponsive.

* on certain systems, keyboard controllers were not able to withstand a continuous flow of requests to switch keyboard LEDs on or off, which resulted in some or all key presses not being registered by the system.

* on the Itanium® architecture, setting the "vm.nr_hugepages" sysctl parameter caused a kernel stack overflow resulting in a kernel panic, and possibly stack corruption. With this fix, setting vm.nr_hugepages works correctly.

* hugepages allow the Linux kernel to utilize the multiple page size capabilities of modern hardware architectures. In certain configurations, systems with large amounts of memory could fail to allocate most of memory for hugepages even if it was free, which could have resulted, for example, in database restart failures.

Users should upgrade to these updated packages, which contain backported patches to correct these issues.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/kernel-2.6.18-92.1.22.el5.src.rpm

i386:
kernel-2.6.18-92.1.22.el5.i686.rpm
kernel-PAE-2.6.18-92.1.22.el5.i686.rpm
kernel-PAE-debuginfo-2.6.18-92.1.22.el5.i686.rpm
kernel-PAE-devel-2.6.18-92.1.22.el5.i686.rpm
kernel-debug-2.6.18-92.1.22.el5.i686.rpm
kernel-debug-debuginfo-2.6.18-92.1.22.el5.i686.rpm
kernel-debug-devel-2.6.18-92.1.22.el5.i686.rpm
kernel-debuginfo-2.6.18-92.1.22.el5.i686.rpm
kernel-debuginfo-common-2.6.18-92.1.22.el5.i686.rpm
kernel-devel-2.6.18-92.1.22.el5.i686.rpm
kernel-headers-2.6.18-92.1.22.el5.i386.rpm
kernel-xen-2.6.18-92.1.22.el5.i686.rpm
kernel-xen-debuginfo-2.6.18-92.1.22.el5.i686.rpm
kernel-xen-devel-2.6.18-92.1.22.el5.i686.rpm

noarch:
kernel-doc-2.6.18-92.1.22.el5.noarch.rpm

x86_64:
kernel-2.6.18-92.1.22.el5.x86_64.rpm
kernel-debug-2.6.18-92.1.22.el5.x86_64.rpm
kernel-debug-debuginfo-2.6.18-92.1.22.el5.x86_64.rpm
kernel-debug-devel-2.6.18-92.1.22.el5.x86_64.rpm
kernel-debuginfo-2.6.18-92.1.22.el5.x86_64.rpm
kernel-debuginfo-common-2.6.18-92.1.22.el5.x86_64.rpm
kernel-devel-2.6.18-92.1.22.el5.x86_64.rpm
kernel-headers-2.6.18-92.1.22.el5.x86_64.rpm
kernel-xen-2.6.18-92.1.22.el5.x86_64.rpm
kernel-xen-debuginfo-2.6.18-92.1.22.el5.x86_64.rpm
kernel-xen-devel-2.6.18-92.1.22.el5.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/kernel-2.6.18-92.1.22.el5.src.rpm

i386:
kernel-2.6.18-92.1.22.el5.i686.rpm
kernel-PAE-2.6.18-92.1.22.el5.i686.rpm
kernel-PAE-debuginfo-2.6.18-92.1.22.el5.i686.rpm
kernel-PAE-devel-2.6.18-92.1.22.el5.i686.rpm
kernel-debug-2.6.18-92.1.22.el5.i686.rpm
kernel-debug-debuginfo-2.6.18-92.1.22.el5.i686.rpm
kernel-debug-devel-2.6.18-92.1.22.el5.i686.rpm
kernel-debuginfo-2.6.18-92.1.22.el5.i686.rpm
kernel-debuginfo-common-2.6.18-92.1.22.el5.i686.rpm
kernel-devel-2.6.18-92.1.22.el5.i686.rpm
kernel-headers-2.6.18-92.1.22.el5.i386.rpm
kernel-xen-2.6.18-92.1.22.el5.i686.rpm
kernel-xen-debuginfo-2.6.18-92.1.22.el5.i686.rpm
kernel-xen-devel-2.6.18-92.1.22.el5.i686.rpm

ia64:
kernel-2.6.18-92.1.22.el5.ia64.rpm
kernel-debug-2.6.18-92.1.22.el5.ia64.rpm
kernel-debug-debuginfo-2.6.18-92.1.22.el5.ia64.rpm
kernel-debug-devel-2.6.18-92.1.22.el5.ia64.rpm
kernel-debuginfo-2.6.18-92.1.22.el5.ia64.rpm
kernel-debuginfo-common-2.6.18-92.1.22.el5.ia64.rpm
kernel-devel-2.6.18-92.1.22.el5.ia64.rpm
kernel-headers-2.6.18-92.1.22.el5.ia64.rpm
kernel-xen-2.6.18-92.1.22.el5.ia64.rpm
kernel-xen-debuginfo-2.6.18-92.1.22.el5.ia64.rpm
kernel-xen-devel-2.6.18-92.1.22.el5.ia64.rpm

noarch:
kernel-doc-2.6.18-92.1.22.el5.noarch.rpm

ppc:
kernel-2.6.18-92.1.22.el5.ppc64.rpm
kernel-debug-2.6.18-92.1.22.el5.ppc64.rpm
kernel-debug-debuginfo-2.6.18-92.1.22.el5.ppc64.rpm
kernel-debug-devel-2.6.18-92.1.22.el5.ppc64.rpm
kernel-debuginfo-2.6.18-92.1.22.el5.ppc64.rpm
kernel-debuginfo-common-2.6.18-92.1.22.el5.ppc64.rpm
kernel-devel-2.6.18-92.1.22.el5.ppc64.rpm
kernel-headers-2.6.18-92.1.22.el5.ppc.rpm
kernel-headers-2.6.18-92.1.22.el5.ppc64.rpm
kernel-kdump-2.6.18-92.1.22.el5.ppc64.rpm
kernel-kdump-debuginfo-2.6.18-92.1.22.el5.ppc64.rpm
kernel-kdump-devel-2.6.18-92.1.22.el5.ppc64.rpm

s390x:
kernel-2.6.18-92.1.22.el5.s390x.rpm
kernel-debug-2.6.18-92.1.22.el5.s390x.rpm
kernel-debug-debuginfo-2.6.18-92.1.22.el5.s390x.rpm
kernel-debug-devel-2.6.18-92.1.22.el5.s390x.rpm
kernel-debuginfo-2.6.18-92.1.22.el5.s390x.rpm
kernel-debuginfo-common-2.6.18-92.1.22.el5.s390x.rpm
kernel-devel-2.6.18-92.1.22.el5.s390x.rpm
kernel-headers-2.6.18-92.1.22.el5.s390x.rpm
kernel-kdump-2.6.18-92.1.22.el5.s390x.rpm
kernel-kdump-debuginfo-2.6.18-92.1.22.el5.s390x.rpm
kernel-kdump-devel-2.6.18-92.1.22.el5.s390x.rpm

x86_64:
kernel-2.6.18-92.1.22.el5.x86_64.rpm
kernel-debug-2.6.18-92.1.22.el5.x86_64.rpm
kernel-debug-debuginfo-2.6.18-92.1.22.el5.x86_64.rpm
kernel-debug-devel-2.6.18-92.1.22.el5.x86_64.rpm
kernel-debuginfo-2.6.18-92.1.22.el5.x86_64.rpm
kernel-debuginfo-common-2.6.18-92.1.22.el5.x86_64.rpm
kernel-devel-2.6.18-92.1.22.el5.x86_64.rpm
kernel-headers-2.6.18-92.1.22.el5.x86_64.rpm
kernel-xen-2.6.18-92.1.22.el5.x86_64.rpm
kernel-xen-debuginfo-2.6.18-92.1.22.el5.x86_64.rpm
kernel-xen-devel-2.6.18-92.1.22.el5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

6. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3831
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4554
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4576
http://www.redhat.com/security/updates/classification/#important

7. Contact:

The Red Hat security contact is . More contact details at
https://www.redhat.com/security/team/contact/

Copyright 2008 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFJR2NcXlSAg2UNWIIRAtJdAKCqKJueg3rKLpmuhO5WlE2pF+PNYACeLp5p
ZpKKOdpNV4hA3IdyoKUUwi4=
=Y0cQ
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Dec 17 02:00:18 2008
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 16 Dec 2008 21:00:18 -0500
Subject: [RHSA-2008:1036-01] Critical: firefox security update
Message-ID: <200812170200.mBH20IOm001729@int-mx1.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: firefox security update
Advisory ID:       RHSA-2008:1036-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2008-1036.html
Issue date:        2008-12-16
CVE Names:         CVE-2008-5500 CVE-2008-5501 CVE-2008-5502 CVE-2008-5505
                   CVE-2008-5506 CVE-2008-5507 CVE-2008-5508 CVE-2008-5510
                   CVE-2008-5511 CVE-2008-5512 CVE-2008-5513
=====================================================================

1. Summary:

An updated firefox package that fixes various security issues is now available for Red Hat Enterprise Linux 4 and 5.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64

3. Description:

Mozilla Firefox is an open source Web browser.

Several flaws were found in the processing of malformed web content.
A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code as the user running Firefox. (CVE-2008-5500, CVE-2008-5501, CVE-2008-5502, CVE-2008-5511, CVE-2008-5512, CVE-2008-5513)

Several flaws were found in the way malformed content was processed. A website containing specially-crafted content could potentially trick a Firefox user into surrendering sensitive information. (CVE-2008-5506, CVE-2008-5507)

A flaw was found in the way Firefox stored attributes in XML User Interface Language (XUL) elements. A web site could use this flaw to track users across browser sessions, even if users did not allow the site to store cookies in the victim's browser. (CVE-2008-5505)

A flaw was found in the way malformed URLs were processed by Firefox. This flaw could prevent various URL sanitization mechanisms from properly parsing a malicious URL. (CVE-2008-5508)

A flaw was found in Firefox's CSS parser. A malicious web page could inject NULL characters into a CSS input string, possibly bypassing an application's script sanitization routines. (CVE-2008-5510)

For technical details regarding these flaws, please see the Mozilla security advisories for Firefox 3.0.5. You can find a link to the Mozilla advisories in the References section.

Note: after the errata packages are installed, Firefox must be restarted for the update to take effect.

All firefox users should upgrade to these updated packages, which contain backported patches that correct these issues.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

5. Package List:

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/firefox-3.0.5-1.el4.src.rpm
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/nspr-4.7.3-1.el4.src.rpm
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/nss-3.12.2.0-1.el4.src.rpm

i386:
firefox-3.0.5-1.el4.i386.rpm
firefox-debuginfo-3.0.5-1.el4.i386.rpm
nspr-4.7.3-1.el4.i386.rpm
nspr-debuginfo-4.7.3-1.el4.i386.rpm
nspr-devel-4.7.3-1.el4.i386.rpm
nss-3.12.2.0-1.el4.i386.rpm
nss-debuginfo-3.12.2.0-1.el4.i386.rpm
nss-devel-3.12.2.0-1.el4.i386.rpm

ia64:
firefox-3.0.5-1.el4.ia64.rpm
firefox-debuginfo-3.0.5-1.el4.ia64.rpm
nspr-4.7.3-1.el4.i386.rpm
nspr-4.7.3-1.el4.ia64.rpm
nspr-debuginfo-4.7.3-1.el4.ia64.rpm
nspr-devel-4.7.3-1.el4.ia64.rpm
nss-3.12.2.0-1.el4.i386.rpm
nss-3.12.2.0-1.el4.ia64.rpm
nss-debuginfo-3.12.2.0-1.el4.ia64.rpm
nss-devel-3.12.2.0-1.el4.ia64.rpm

ppc:
firefox-3.0.5-1.el4.ppc.rpm
firefox-debuginfo-3.0.5-1.el4.ppc.rpm
nspr-4.7.3-1.el4.ppc.rpm
nspr-4.7.3-1.el4.ppc64.rpm
nspr-debuginfo-4.7.3-1.el4.ppc.rpm
nspr-debuginfo-4.7.3-1.el4.ppc64.rpm
nspr-devel-4.7.3-1.el4.ppc.rpm
nss-3.12.2.0-1.el4.ppc.rpm
nss-3.12.2.0-1.el4.ppc64.rpm
nss-debuginfo-3.12.2.0-1.el4.ppc.rpm
nss-debuginfo-3.12.2.0-1.el4.ppc64.rpm
nss-devel-3.12.2.0-1.el4.ppc.rpm

s390:
firefox-3.0.5-1.el4.s390.rpm
firefox-debuginfo-3.0.5-1.el4.s390.rpm
nspr-4.7.3-1.el4.s390.rpm
nspr-debuginfo-4.7.3-1.el4.s390.rpm
nspr-devel-4.7.3-1.el4.s390.rpm
nss-3.12.2.0-1.el4.s390.rpm
nss-debuginfo-3.12.2.0-1.el4.s390.rpm
nss-devel-3.12.2.0-1.el4.s390.rpm

s390x:
firefox-3.0.5-1.el4.s390x.rpm
firefox-debuginfo-3.0.5-1.el4.s390x.rpm
nspr-4.7.3-1.el4.s390.rpm
nspr-4.7.3-1.el4.s390x.rpm
nspr-debuginfo-4.7.3-1.el4.s390x.rpm
nspr-devel-4.7.3-1.el4.s390x.rpm
nss-3.12.2.0-1.el4.s390.rpm
nss-3.12.2.0-1.el4.s390x.rpm
nss-debuginfo-3.12.2.0-1.el4.s390x.rpm
nss-devel-3.12.2.0-1.el4.s390x.rpm

x86_64:
firefox-3.0.5-1.el4.x86_64.rpm
firefox-debuginfo-3.0.5-1.el4.x86_64.rpm
nspr-4.7.3-1.el4.i386.rpm
nspr-4.7.3-1.el4.x86_64.rpm
nspr-debuginfo-4.7.3-1.el4.x86_64.rpm
nspr-devel-4.7.3-1.el4.x86_64.rpm
nss-3.12.2.0-1.el4.i386.rpm
nss-3.12.2.0-1.el4.x86_64.rpm
nss-debuginfo-3.12.2.0-1.el4.x86_64.rpm
nss-devel-3.12.2.0-1.el4.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/firefox-3.0.5-1.el4.src.rpm
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/nspr-4.7.3-1.el4.src.rpm
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/nss-3.12.2.0-1.el4.src.rpm

i386:
firefox-3.0.5-1.el4.i386.rpm
firefox-debuginfo-3.0.5-1.el4.i386.rpm
nspr-4.7.3-1.el4.i386.rpm
nspr-debuginfo-4.7.3-1.el4.i386.rpm
nspr-devel-4.7.3-1.el4.i386.rpm
nss-3.12.2.0-1.el4.i386.rpm
nss-debuginfo-3.12.2.0-1.el4.i386.rpm
nss-devel-3.12.2.0-1.el4.i386.rpm

x86_64:
firefox-3.0.5-1.el4.x86_64.rpm
firefox-debuginfo-3.0.5-1.el4.x86_64.rpm
nspr-4.7.3-1.el4.i386.rpm
nspr-4.7.3-1.el4.x86_64.rpm
nspr-debuginfo-4.7.3-1.el4.x86_64.rpm
nspr-devel-4.7.3-1.el4.x86_64.rpm
nss-3.12.2.0-1.el4.i386.rpm
nss-3.12.2.0-1.el4.x86_64.rpm
nss-debuginfo-3.12.2.0-1.el4.x86_64.rpm
nss-devel-3.12.2.0-1.el4.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/firefox-3.0.5-1.el4.src.rpm
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/nspr-4.7.3-1.el4.src.rpm
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/nss-3.12.2.0-1.el4.src.rpm

i386:
firefox-3.0.5-1.el4.i386.rpm
firefox-debuginfo-3.0.5-1.el4.i386.rpm
nspr-4.7.3-1.el4.i386.rpm
nspr-debuginfo-4.7.3-1.el4.i386.rpm
nspr-devel-4.7.3-1.el4.i386.rpm
nss-3.12.2.0-1.el4.i386.rpm
nss-debuginfo-3.12.2.0-1.el4.i386.rpm
nss-devel-3.12.2.0-1.el4.i386.rpm

ia64:
firefox-3.0.5-1.el4.ia64.rpm
firefox-debuginfo-3.0.5-1.el4.ia64.rpm
nspr-4.7.3-1.el4.i386.rpm
nspr-4.7.3-1.el4.ia64.rpm
nspr-debuginfo-4.7.3-1.el4.ia64.rpm
nspr-devel-4.7.3-1.el4.ia64.rpm
nss-3.12.2.0-1.el4.i386.rpm
nss-3.12.2.0-1.el4.ia64.rpm
nss-debuginfo-3.12.2.0-1.el4.ia64.rpm
nss-devel-3.12.2.0-1.el4.ia64.rpm

x86_64:
firefox-3.0.5-1.el4.x86_64.rpm
firefox-debuginfo-3.0.5-1.el4.x86_64.rpm
nspr-4.7.3-1.el4.i386.rpm
nspr-4.7.3-1.el4.x86_64.rpm
nspr-debuginfo-4.7.3-1.el4.x86_64.rpm
nspr-devel-4.7.3-1.el4.x86_64.rpm
nss-3.12.2.0-1.el4.i386.rpm
nss-3.12.2.0-1.el4.x86_64.rpm
nss-debuginfo-3.12.2.0-1.el4.x86_64.rpm
nss-devel-3.12.2.0-1.el4.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/firefox-3.0.5-1.el4.src.rpm
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/nspr-4.7.3-1.el4.src.rpm
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/nss-3.12.2.0-1.el4.src.rpm

i386:
firefox-3.0.5-1.el4.i386.rpm
firefox-debuginfo-3.0.5-1.el4.i386.rpm
nspr-4.7.3-1.el4.i386.rpm
nspr-debuginfo-4.7.3-1.el4.i386.rpm
nspr-devel-4.7.3-1.el4.i386.rpm
nss-3.12.2.0-1.el4.i386.rpm
nss-debuginfo-3.12.2.0-1.el4.i386.rpm
nss-devel-3.12.2.0-1.el4.i386.rpm

ia64:
firefox-3.0.5-1.el4.ia64.rpm
firefox-debuginfo-3.0.5-1.el4.ia64.rpm
nspr-4.7.3-1.el4.i386.rpm
nspr-4.7.3-1.el4.ia64.rpm
nspr-debuginfo-4.7.3-1.el4.ia64.rpm
nspr-devel-4.7.3-1.el4.ia64.rpm
nss-3.12.2.0-1.el4.i386.rpm
nss-3.12.2.0-1.el4.ia64.rpm
nss-debuginfo-3.12.2.0-1.el4.ia64.rpm
nss-devel-3.12.2.0-1.el4.ia64.rpm

x86_64:
firefox-3.0.5-1.el4.x86_64.rpm
firefox-debuginfo-3.0.5-1.el4.x86_64.rpm
nspr-4.7.3-1.el4.i386.rpm
nspr-4.7.3-1.el4.x86_64.rpm
nspr-debuginfo-4.7.3-1.el4.x86_64.rpm
nspr-devel-4.7.3-1.el4.x86_64.rpm
nss-3.12.2.0-1.el4.i386.rpm
nss-3.12.2.0-1.el4.x86_64.rpm
nss-debuginfo-3.12.2.0-1.el4.x86_64.rpm
nss-devel-3.12.2.0-1.el4.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/firefox-3.0.5-1.el5_2.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/nspr-4.7.3-2.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/nss-3.12.2.0-2.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/xulrunner-1.9.0.5-1.el5_2.src.rpm

i386:
firefox-3.0.5-1.el5_2.i386.rpm
firefox-debuginfo-3.0.5-1.el5_2.i386.rpm
nspr-4.7.3-2.el5.i386.rpm
nspr-debuginfo-4.7.3-2.el5.i386.rpm
nss-3.12.2.0-2.el5.i386.rpm
nss-debuginfo-3.12.2.0-2.el5.i386.rpm
nss-tools-3.12.2.0-2.el5.i386.rpm
xulrunner-1.9.0.5-1.el5_2.i386.rpm
xulrunner-debuginfo-1.9.0.5-1.el5_2.i386.rpm

x86_64:
firefox-3.0.5-1.el5_2.i386.rpm
firefox-3.0.5-1.el5_2.x86_64.rpm
firefox-debuginfo-3.0.5-1.el5_2.i386.rpm
firefox-debuginfo-3.0.5-1.el5_2.x86_64.rpm
nspr-4.7.3-2.el5.i386.rpm
nspr-4.7.3-2.el5.x86_64.rpm
nspr-debuginfo-4.7.3-2.el5.i386.rpm
nspr-debuginfo-4.7.3-2.el5.x86_64.rpm
nss-3.12.2.0-2.el5.i386.rpm
nss-3.12.2.0-2.el5.x86_64.rpm
nss-debuginfo-3.12.2.0-2.el5.i386.rpm
nss-debuginfo-3.12.2.0-2.el5.x86_64.rpm
nss-tools-3.12.2.0-2.el5.x86_64.rpm
xulrunner-1.9.0.5-1.el5_2.i386.rpm
xulrunner-1.9.0.5-1.el5_2.x86_64.rpm
xulrunner-debuginfo-1.9.0.5-1.el5_2.i386.rpm
xulrunner-debuginfo-1.9.0.5-1.el5_2.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/nspr-4.7.3-2.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/nss-3.12.2.0-2.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/xulrunner-1.9.0.5-1.el5_2.src.rpm

i386:
nspr-debuginfo-4.7.3-2.el5.i386.rpm
nspr-devel-4.7.3-2.el5.i386.rpm
nss-debuginfo-3.12.2.0-2.el5.i386.rpm
nss-devel-3.12.2.0-2.el5.i386.rpm
nss-pkcs11-devel-3.12.2.0-2.el5.i386.rpm
xulrunner-debuginfo-1.9.0.5-1.el5_2.i386.rpm
xulrunner-devel-1.9.0.5-1.el5_2.i386.rpm
xulrunner-devel-unstable-1.9.0.5-1.el5_2.i386.rpm

x86_64:
nspr-debuginfo-4.7.3-2.el5.i386.rpm
nspr-debuginfo-4.7.3-2.el5.x86_64.rpm
nspr-devel-4.7.3-2.el5.i386.rpm
nspr-devel-4.7.3-2.el5.x86_64.rpm
nss-debuginfo-3.12.2.0-2.el5.i386.rpm
nss-debuginfo-3.12.2.0-2.el5.x86_64.rpm
nss-devel-3.12.2.0-2.el5.i386.rpm
nss-devel-3.12.2.0-2.el5.x86_64.rpm
nss-pkcs11-devel-3.12.2.0-2.el5.i386.rpm
nss-pkcs11-devel-3.12.2.0-2.el5.x86_64.rpm
xulrunner-debuginfo-1.9.0.5-1.el5_2.i386.rpm
xulrunner-debuginfo-1.9.0.5-1.el5_2.x86_64.rpm
xulrunner-devel-1.9.0.5-1.el5_2.i386.rpm
xulrunner-devel-1.9.0.5-1.el5_2.x86_64.rpm
xulrunner-devel-unstable-1.9.0.5-1.el5_2.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/firefox-3.0.5-1.el5_2.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/nspr-4.7.3-2.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/nss-3.12.2.0-2.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/xulrunner-1.9.0.5-1.el5_2.src.rpm

i386:
firefox-3.0.5-1.el5_2.i386.rpm
firefox-debuginfo-3.0.5-1.el5_2.i386.rpm
nspr-4.7.3-2.el5.i386.rpm
nspr-debuginfo-4.7.3-2.el5.i386.rpm
nspr-devel-4.7.3-2.el5.i386.rpm
nss-3.12.2.0-2.el5.i386.rpm
nss-debuginfo-3.12.2.0-2.el5.i386.rpm
nss-devel-3.12.2.0-2.el5.i386.rpm
nss-pkcs11-devel-3.12.2.0-2.el5.i386.rpm
nss-tools-3.12.2.0-2.el5.i386.rpm
xulrunner-1.9.0.5-1.el5_2.i386.rpm
xulrunner-debuginfo-1.9.0.5-1.el5_2.i386.rpm
xulrunner-devel-1.9.0.5-1.el5_2.i386.rpm
xulrunner-devel-unstable-1.9.0.5-1.el5_2.i386.rpm

ia64:
firefox-3.0.5-1.el5_2.ia64.rpm
firefox-debuginfo-3.0.5-1.el5_2.ia64.rpm
nspr-4.7.3-2.el5.i386.rpm
nspr-4.7.3-2.el5.ia64.rpm
nspr-debuginfo-4.7.3-2.el5.i386.rpm
nspr-debuginfo-4.7.3-2.el5.ia64.rpm
nspr-devel-4.7.3-2.el5.ia64.rpm
nss-3.12.2.0-2.el5.i386.rpm
nss-3.12.2.0-2.el5.ia64.rpm
nss-debuginfo-3.12.2.0-2.el5.i386.rpm
nss-debuginfo-3.12.2.0-2.el5.ia64.rpm
nss-devel-3.12.2.0-2.el5.ia64.rpm
nss-pkcs11-devel-3.12.2.0-2.el5.ia64.rpm
nss-tools-3.12.2.0-2.el5.ia64.rpm
xulrunner-1.9.0.5-1.el5_2.ia64.rpm
xulrunner-debuginfo-1.9.0.5-1.el5_2.ia64.rpm
xulrunner-devel-1.9.0.5-1.el5_2.ia64.rpm
xulrunner-devel-unstable-1.9.0.5-1.el5_2.ia64.rpm

ppc:
firefox-3.0.5-1.el5_2.ppc.rpm
firefox-debuginfo-3.0.5-1.el5_2.ppc.rpm
nspr-4.7.3-2.el5.ppc.rpm
nspr-4.7.3-2.el5.ppc64.rpm
nspr-debuginfo-4.7.3-2.el5.ppc.rpm
nspr-debuginfo-4.7.3-2.el5.ppc64.rpm
nspr-devel-4.7.3-2.el5.ppc.rpm
nspr-devel-4.7.3-2.el5.ppc64.rpm
nss-3.12.2.0-2.el5.ppc.rpm
nss-3.12.2.0-2.el5.ppc64.rpm
nss-debuginfo-3.12.2.0-2.el5.ppc.rpm
nss-debuginfo-3.12.2.0-2.el5.ppc64.rpm
nss-devel-3.12.2.0-2.el5.ppc.rpm
nss-devel-3.12.2.0-2.el5.ppc64.rpm
nss-pkcs11-devel-3.12.2.0-2.el5.ppc.rpm
nss-pkcs11-devel-3.12.2.0-2.el5.ppc64.rpm
nss-tools-3.12.2.0-2.el5.ppc.rpm
xulrunner-1.9.0.5-1.el5_2.ppc.rpm
xulrunner-1.9.0.5-1.el5_2.ppc64.rpm
xulrunner-debuginfo-1.9.0.5-1.el5_2.ppc.rpm
xulrunner-debuginfo-1.9.0.5-1.el5_2.ppc64.rpm
xulrunner-devel-1.9.0.5-1.el5_2.ppc.rpm
xulrunner-devel-1.9.0.5-1.el5_2.ppc64.rpm
xulrunner-devel-unstable-1.9.0.5-1.el5_2.ppc.rpm

s390x:
firefox-3.0.5-1.el5_2.s390.rpm
firefox-3.0.5-1.el5_2.s390x.rpm
firefox-debuginfo-3.0.5-1.el5_2.s390.rpm
firefox-debuginfo-3.0.5-1.el5_2.s390x.rpm
nspr-4.7.3-2.el5.s390.rpm
nspr-4.7.3-2.el5.s390x.rpm
nspr-debuginfo-4.7.3-2.el5.s390.rpm
nspr-debuginfo-4.7.3-2.el5.s390x.rpm
nspr-devel-4.7.3-2.el5.s390.rpm
nspr-devel-4.7.3-2.el5.s390x.rpm
nss-3.12.2.0-2.el5.s390.rpm
nss-3.12.2.0-2.el5.s390x.rpm
nss-debuginfo-3.12.2.0-2.el5.s390.rpm
nss-debuginfo-3.12.2.0-2.el5.s390x.rpm
nss-devel-3.12.2.0-2.el5.s390.rpm
nss-devel-3.12.2.0-2.el5.s390x.rpm
nss-pkcs11-devel-3.12.2.0-2.el5.s390.rpm
nss-pkcs11-devel-3.12.2.0-2.el5.s390x.rpm
nss-tools-3.12.2.0-2.el5.s390x.rpm
xulrunner-1.9.0.5-1.el5_2.s390.rpm
xulrunner-1.9.0.5-1.el5_2.s390x.rpm
xulrunner-debuginfo-1.9.0.5-1.el5_2.s390.rpm
xulrunner-debuginfo-1.9.0.5-1.el5_2.s390x.rpm
xulrunner-devel-1.9.0.5-1.el5_2.s390.rpm
xulrunner-devel-1.9.0.5-1.el5_2.s390x.rpm
xulrunner-devel-unstable-1.9.0.5-1.el5_2.s390x.rpm

x86_64:
firefox-3.0.5-1.el5_2.i386.rpm
firefox-3.0.5-1.el5_2.x86_64.rpm
firefox-debuginfo-3.0.5-1.el5_2.i386.rpm
firefox-debuginfo-3.0.5-1.el5_2.x86_64.rpm
nspr-4.7.3-2.el5.i386.rpm
nspr-4.7.3-2.el5.x86_64.rpm
nspr-debuginfo-4.7.3-2.el5.i386.rpm
nspr-debuginfo-4.7.3-2.el5.x86_64.rpm
nspr-devel-4.7.3-2.el5.i386.rpm
nspr-devel-4.7.3-2.el5.x86_64.rpm
nss-3.12.2.0-2.el5.i386.rpm
nss-3.12.2.0-2.el5.x86_64.rpm
nss-debuginfo-3.12.2.0-2.el5.i386.rpm
nss-debuginfo-3.12.2.0-2.el5.x86_64.rpm
nss-devel-3.12.2.0-2.el5.i386.rpm
nss-devel-3.12.2.0-2.el5.x86_64.rpm
nss-pkcs11-devel-3.12.2.0-2.el5.i386.rpm
nss-pkcs11-devel-3.12.2.0-2.el5.x86_64.rpm
nss-tools-3.12.2.0-2.el5.x86_64.rpm
xulrunner-1.9.0.5-1.el5_2.i386.rpm
xulrunner-1.9.0.5-1.el5_2.x86_64.rpm
xulrunner-debuginfo-1.9.0.5-1.el5_2.i386.rpm
xulrunner-debuginfo-1.9.0.5-1.el5_2.x86_64.rpm
xulrunner-devel-1.9.0.5-1.el5_2.i386.rpm
xulrunner-devel-1.9.0.5-1.el5_2.x86_64.rpm
xulrunner-devel-unstable-1.9.0.5-1.el5_2.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

6. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5500
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5501
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5502
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5505
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5506
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5507
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5508
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5510
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5511
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5512
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5513
http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.5

7. Contact:

The Red Hat security contact is . More contact details at
https://www.redhat.com/security/team/contact/

Copyright 2008 Red Hat, Inc.
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFJSFyIXlSAg2UNWIIRAr0OAJ4jCxOt/DgOVYG8ef5apn2htaDekACfSNRO iIxxvFIi0waeSjPcm7HuQgQ= =yQLA -----END PGP SIGNATURE----- From bugzilla at redhat.com Wed Dec 17 02:01:21 2008 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Tue, 16 Dec 2008 21:01:21 -0500 Subject: [RHSA-2008:1037-01] Critical: seamonkey security update Message-ID: <200812170201.mBH21LsE001995@int-mx1.corp.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Critical: seamonkey security update Advisory ID: RHSA-2008:1037-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2008-1037.html Issue date: 2008-12-16 CVE Names: CVE-2008-5500 CVE-2008-5501 CVE-2008-5502 CVE-2008-5503 CVE-2008-5504 CVE-2008-5506 CVE-2008-5507 CVE-2008-5508 CVE-2008-5511 CVE-2008-5512 CVE-2008-5513 ===================================================================== 1. Summary: Updated seamonkey packages that fix security issues are now available for Red Hat Enterprise Linux 2.1, Red Hat Enterprise Linux 3, and Red Hat Enterprise Linux 4. This update has been rated as having critical security impact by the Red Hat Security Response Team. 2. 
Relevant releases/architectures: Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64 Red Hat Linux Advanced Workstation 2.1 - ia64 Red Hat Enterprise Linux ES version 2.1 - i386 Red Hat Enterprise Linux WS version 2.1 - i386 Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64 Red Hat Desktop version 3 - i386, x86_64 Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64 Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64 Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64 Red Hat Enterprise Linux Desktop version 4 - i386, x86_64 Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64 Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64 3. Description: SeaMonkey is an open source Web browser, email and newsgroup client, IRC chat client, and HTML editor. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause SeaMonkey to crash or, potentially, execute arbitrary code as the user running SeaMonkey. (CVE-2008-5500, CVE-2008-5501, CVE-2008-5502, CVE-2008-5504, CVE-2008-5511, CVE-2008-5512, CVE-2008-5513) Several flaws were found in the way malformed content was processed. A website containing specially-crafted content could potentially trick a SeaMonkey user into surrendering sensitive information. (CVE-2008-5503, CVE-2008-5506, CVE-2008-5507) A flaw was found in the way malformed URLs were processed by SeaMonkey. This flaw could prevent various URL sanitization mechanisms from properly parsing a malicious URL. (CVE-2008-5508) Note: after the errata packages are installed, SeaMonkey must be restarted for the update to take effect. All SeaMonkey users should upgrade to these updated packages, which contain backported patches to resolve these issues. 4. Solution: Before applying this update, make sure that all previously-released errata relevant to your system have been applied. 
This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/FAQ_58_10188

5. Package List:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1:

Source:
ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/seamonkey-1.0.9-0.25.el2.src.rpm

i386:
seamonkey-1.0.9-0.25.el2.i386.rpm
seamonkey-chat-1.0.9-0.25.el2.i386.rpm
seamonkey-devel-1.0.9-0.25.el2.i386.rpm
seamonkey-dom-inspector-1.0.9-0.25.el2.i386.rpm
seamonkey-js-debugger-1.0.9-0.25.el2.i386.rpm
seamonkey-mail-1.0.9-0.25.el2.i386.rpm
seamonkey-nspr-1.0.9-0.25.el2.i386.rpm
seamonkey-nspr-devel-1.0.9-0.25.el2.i386.rpm
seamonkey-nss-1.0.9-0.25.el2.i386.rpm
seamonkey-nss-devel-1.0.9-0.25.el2.i386.rpm

ia64:
seamonkey-1.0.9-0.25.el2.ia64.rpm
seamonkey-chat-1.0.9-0.25.el2.ia64.rpm
seamonkey-devel-1.0.9-0.25.el2.ia64.rpm
seamonkey-dom-inspector-1.0.9-0.25.el2.ia64.rpm
seamonkey-js-debugger-1.0.9-0.25.el2.ia64.rpm
seamonkey-mail-1.0.9-0.25.el2.ia64.rpm
seamonkey-nspr-1.0.9-0.25.el2.ia64.rpm
seamonkey-nspr-devel-1.0.9-0.25.el2.ia64.rpm
seamonkey-nss-1.0.9-0.25.el2.ia64.rpm
seamonkey-nss-devel-1.0.9-0.25.el2.ia64.rpm

Red Hat Linux Advanced Workstation 2.1:

Source:
ftp://updates.redhat.com/enterprise/2.1AW/en/os/SRPMS/seamonkey-1.0.9-0.25.el2.src.rpm

ia64:
seamonkey-1.0.9-0.25.el2.ia64.rpm
seamonkey-chat-1.0.9-0.25.el2.ia64.rpm
seamonkey-devel-1.0.9-0.25.el2.ia64.rpm
seamonkey-dom-inspector-1.0.9-0.25.el2.ia64.rpm
seamonkey-js-debugger-1.0.9-0.25.el2.ia64.rpm
seamonkey-mail-1.0.9-0.25.el2.ia64.rpm
seamonkey-nspr-1.0.9-0.25.el2.ia64.rpm
seamonkey-nspr-devel-1.0.9-0.25.el2.ia64.rpm
seamonkey-nss-1.0.9-0.25.el2.ia64.rpm
seamonkey-nss-devel-1.0.9-0.25.el2.ia64.rpm

Red Hat Enterprise Linux ES version 2.1:

Source:
ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/seamonkey-1.0.9-0.25.el2.src.rpm

i386:
seamonkey-1.0.9-0.25.el2.i386.rpm
seamonkey-chat-1.0.9-0.25.el2.i386.rpm
seamonkey-devel-1.0.9-0.25.el2.i386.rpm
seamonkey-dom-inspector-1.0.9-0.25.el2.i386.rpm
seamonkey-js-debugger-1.0.9-0.25.el2.i386.rpm
seamonkey-mail-1.0.9-0.25.el2.i386.rpm
seamonkey-nspr-1.0.9-0.25.el2.i386.rpm
seamonkey-nspr-devel-1.0.9-0.25.el2.i386.rpm
seamonkey-nss-1.0.9-0.25.el2.i386.rpm
seamonkey-nss-devel-1.0.9-0.25.el2.i386.rpm

Red Hat Enterprise Linux WS version 2.1:

Source:
ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/seamonkey-1.0.9-0.25.el2.src.rpm

i386:
seamonkey-1.0.9-0.25.el2.i386.rpm
seamonkey-chat-1.0.9-0.25.el2.i386.rpm
seamonkey-devel-1.0.9-0.25.el2.i386.rpm
seamonkey-dom-inspector-1.0.9-0.25.el2.i386.rpm
seamonkey-js-debugger-1.0.9-0.25.el2.i386.rpm
seamonkey-mail-1.0.9-0.25.el2.i386.rpm
seamonkey-nspr-1.0.9-0.25.el2.i386.rpm
seamonkey-nspr-devel-1.0.9-0.25.el2.i386.rpm
seamonkey-nss-1.0.9-0.25.el2.i386.rpm
seamonkey-nss-devel-1.0.9-0.25.el2.i386.rpm

Red Hat Enterprise Linux AS version 3:

Source:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/seamonkey-1.0.9-0.29.el3.src.rpm

i386:
seamonkey-1.0.9-0.29.el3.i386.rpm
seamonkey-chat-1.0.9-0.29.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.29.el3.i386.rpm
seamonkey-devel-1.0.9-0.29.el3.i386.rpm
seamonkey-dom-inspector-1.0.9-0.29.el3.i386.rpm
seamonkey-js-debugger-1.0.9-0.29.el3.i386.rpm
seamonkey-mail-1.0.9-0.29.el3.i386.rpm
seamonkey-nspr-1.0.9-0.29.el3.i386.rpm
seamonkey-nspr-devel-1.0.9-0.29.el3.i386.rpm
seamonkey-nss-1.0.9-0.29.el3.i386.rpm
seamonkey-nss-devel-1.0.9-0.29.el3.i386.rpm

ia64:
seamonkey-1.0.9-0.29.el3.ia64.rpm
seamonkey-chat-1.0.9-0.29.el3.ia64.rpm
seamonkey-debuginfo-1.0.9-0.29.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.29.el3.ia64.rpm
seamonkey-devel-1.0.9-0.29.el3.ia64.rpm
seamonkey-dom-inspector-1.0.9-0.29.el3.ia64.rpm
seamonkey-js-debugger-1.0.9-0.29.el3.ia64.rpm
seamonkey-mail-1.0.9-0.29.el3.ia64.rpm
seamonkey-nspr-1.0.9-0.29.el3.i386.rpm
seamonkey-nspr-1.0.9-0.29.el3.ia64.rpm
seamonkey-nspr-devel-1.0.9-0.29.el3.ia64.rpm
seamonkey-nss-1.0.9-0.29.el3.i386.rpm
seamonkey-nss-1.0.9-0.29.el3.ia64.rpm
seamonkey-nss-devel-1.0.9-0.29.el3.ia64.rpm

ppc:
seamonkey-1.0.9-0.29.el3.ppc.rpm
seamonkey-chat-1.0.9-0.29.el3.ppc.rpm
seamonkey-debuginfo-1.0.9-0.29.el3.ppc.rpm
seamonkey-devel-1.0.9-0.29.el3.ppc.rpm
seamonkey-dom-inspector-1.0.9-0.29.el3.ppc.rpm
seamonkey-js-debugger-1.0.9-0.29.el3.ppc.rpm
seamonkey-mail-1.0.9-0.29.el3.ppc.rpm
seamonkey-nspr-1.0.9-0.29.el3.ppc.rpm
seamonkey-nspr-devel-1.0.9-0.29.el3.ppc.rpm
seamonkey-nss-1.0.9-0.29.el3.ppc.rpm
seamonkey-nss-devel-1.0.9-0.29.el3.ppc.rpm

s390:
seamonkey-1.0.9-0.29.el3.s390.rpm
seamonkey-chat-1.0.9-0.29.el3.s390.rpm
seamonkey-debuginfo-1.0.9-0.29.el3.s390.rpm
seamonkey-devel-1.0.9-0.29.el3.s390.rpm
seamonkey-dom-inspector-1.0.9-0.29.el3.s390.rpm
seamonkey-js-debugger-1.0.9-0.29.el3.s390.rpm
seamonkey-mail-1.0.9-0.29.el3.s390.rpm
seamonkey-nspr-1.0.9-0.29.el3.s390.rpm
seamonkey-nspr-devel-1.0.9-0.29.el3.s390.rpm
seamonkey-nss-1.0.9-0.29.el3.s390.rpm
seamonkey-nss-devel-1.0.9-0.29.el3.s390.rpm

s390x:
seamonkey-1.0.9-0.29.el3.s390x.rpm
seamonkey-chat-1.0.9-0.29.el3.s390x.rpm
seamonkey-debuginfo-1.0.9-0.29.el3.s390.rpm
seamonkey-debuginfo-1.0.9-0.29.el3.s390x.rpm
seamonkey-devel-1.0.9-0.29.el3.s390x.rpm
seamonkey-dom-inspector-1.0.9-0.29.el3.s390x.rpm
seamonkey-js-debugger-1.0.9-0.29.el3.s390x.rpm
seamonkey-mail-1.0.9-0.29.el3.s390x.rpm
seamonkey-nspr-1.0.9-0.29.el3.s390.rpm
seamonkey-nspr-1.0.9-0.29.el3.s390x.rpm
seamonkey-nspr-devel-1.0.9-0.29.el3.s390x.rpm
seamonkey-nss-1.0.9-0.29.el3.s390.rpm
seamonkey-nss-1.0.9-0.29.el3.s390x.rpm
seamonkey-nss-devel-1.0.9-0.29.el3.s390x.rpm

x86_64:
seamonkey-1.0.9-0.29.el3.i386.rpm
seamonkey-1.0.9-0.29.el3.x86_64.rpm
seamonkey-chat-1.0.9-0.29.el3.x86_64.rpm
seamonkey-debuginfo-1.0.9-0.29.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.29.el3.x86_64.rpm
seamonkey-devel-1.0.9-0.29.el3.x86_64.rpm
seamonkey-dom-inspector-1.0.9-0.29.el3.x86_64.rpm
seamonkey-js-debugger-1.0.9-0.29.el3.x86_64.rpm
seamonkey-mail-1.0.9-0.29.el3.x86_64.rpm
seamonkey-nspr-1.0.9-0.29.el3.i386.rpm
seamonkey-nspr-1.0.9-0.29.el3.x86_64.rpm
seamonkey-nspr-devel-1.0.9-0.29.el3.x86_64.rpm
seamonkey-nss-1.0.9-0.29.el3.i386.rpm
seamonkey-nss-1.0.9-0.29.el3.x86_64.rpm
seamonkey-nss-devel-1.0.9-0.29.el3.x86_64.rpm

Red Hat Desktop version 3:

Source:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/seamonkey-1.0.9-0.29.el3.src.rpm

i386:
seamonkey-1.0.9-0.29.el3.i386.rpm
seamonkey-chat-1.0.9-0.29.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.29.el3.i386.rpm
seamonkey-devel-1.0.9-0.29.el3.i386.rpm
seamonkey-dom-inspector-1.0.9-0.29.el3.i386.rpm
seamonkey-js-debugger-1.0.9-0.29.el3.i386.rpm
seamonkey-mail-1.0.9-0.29.el3.i386.rpm
seamonkey-nspr-1.0.9-0.29.el3.i386.rpm
seamonkey-nspr-devel-1.0.9-0.29.el3.i386.rpm
seamonkey-nss-1.0.9-0.29.el3.i386.rpm
seamonkey-nss-devel-1.0.9-0.29.el3.i386.rpm

x86_64:
seamonkey-1.0.9-0.29.el3.i386.rpm
seamonkey-1.0.9-0.29.el3.x86_64.rpm
seamonkey-chat-1.0.9-0.29.el3.x86_64.rpm
seamonkey-debuginfo-1.0.9-0.29.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.29.el3.x86_64.rpm
seamonkey-devel-1.0.9-0.29.el3.x86_64.rpm
seamonkey-dom-inspector-1.0.9-0.29.el3.x86_64.rpm
seamonkey-js-debugger-1.0.9-0.29.el3.x86_64.rpm
seamonkey-mail-1.0.9-0.29.el3.x86_64.rpm
seamonkey-nspr-1.0.9-0.29.el3.i386.rpm
seamonkey-nspr-1.0.9-0.29.el3.x86_64.rpm
seamonkey-nspr-devel-1.0.9-0.29.el3.x86_64.rpm
seamonkey-nss-1.0.9-0.29.el3.i386.rpm
seamonkey-nss-1.0.9-0.29.el3.x86_64.rpm
seamonkey-nss-devel-1.0.9-0.29.el3.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

Source:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/seamonkey-1.0.9-0.29.el3.src.rpm

i386:
seamonkey-1.0.9-0.29.el3.i386.rpm
seamonkey-chat-1.0.9-0.29.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.29.el3.i386.rpm
seamonkey-devel-1.0.9-0.29.el3.i386.rpm
seamonkey-dom-inspector-1.0.9-0.29.el3.i386.rpm
seamonkey-js-debugger-1.0.9-0.29.el3.i386.rpm
seamonkey-mail-1.0.9-0.29.el3.i386.rpm
seamonkey-nspr-1.0.9-0.29.el3.i386.rpm
seamonkey-nspr-devel-1.0.9-0.29.el3.i386.rpm
seamonkey-nss-1.0.9-0.29.el3.i386.rpm
seamonkey-nss-devel-1.0.9-0.29.el3.i386.rpm

ia64:
seamonkey-1.0.9-0.29.el3.ia64.rpm
seamonkey-chat-1.0.9-0.29.el3.ia64.rpm
seamonkey-debuginfo-1.0.9-0.29.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.29.el3.ia64.rpm
seamonkey-devel-1.0.9-0.29.el3.ia64.rpm
seamonkey-dom-inspector-1.0.9-0.29.el3.ia64.rpm
seamonkey-js-debugger-1.0.9-0.29.el3.ia64.rpm
seamonkey-mail-1.0.9-0.29.el3.ia64.rpm
seamonkey-nspr-1.0.9-0.29.el3.i386.rpm
seamonkey-nspr-1.0.9-0.29.el3.ia64.rpm
seamonkey-nspr-devel-1.0.9-0.29.el3.ia64.rpm
seamonkey-nss-1.0.9-0.29.el3.i386.rpm
seamonkey-nss-1.0.9-0.29.el3.ia64.rpm
seamonkey-nss-devel-1.0.9-0.29.el3.ia64.rpm

x86_64:
seamonkey-1.0.9-0.29.el3.i386.rpm
seamonkey-1.0.9-0.29.el3.x86_64.rpm
seamonkey-chat-1.0.9-0.29.el3.x86_64.rpm
seamonkey-debuginfo-1.0.9-0.29.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.29.el3.x86_64.rpm
seamonkey-devel-1.0.9-0.29.el3.x86_64.rpm
seamonkey-dom-inspector-1.0.9-0.29.el3.x86_64.rpm
seamonkey-js-debugger-1.0.9-0.29.el3.x86_64.rpm
seamonkey-mail-1.0.9-0.29.el3.x86_64.rpm
seamonkey-nspr-1.0.9-0.29.el3.i386.rpm
seamonkey-nspr-1.0.9-0.29.el3.x86_64.rpm
seamonkey-nspr-devel-1.0.9-0.29.el3.x86_64.rpm
seamonkey-nss-1.0.9-0.29.el3.i386.rpm
seamonkey-nss-1.0.9-0.29.el3.x86_64.rpm
seamonkey-nss-devel-1.0.9-0.29.el3.x86_64.rpm

Red Hat Enterprise Linux WS version 3:

Source:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/seamonkey-1.0.9-0.29.el3.src.rpm

i386:
seamonkey-1.0.9-0.29.el3.i386.rpm
seamonkey-chat-1.0.9-0.29.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.29.el3.i386.rpm
seamonkey-devel-1.0.9-0.29.el3.i386.rpm
seamonkey-dom-inspector-1.0.9-0.29.el3.i386.rpm
seamonkey-js-debugger-1.0.9-0.29.el3.i386.rpm
seamonkey-mail-1.0.9-0.29.el3.i386.rpm
seamonkey-nspr-1.0.9-0.29.el3.i386.rpm
seamonkey-nspr-devel-1.0.9-0.29.el3.i386.rpm
seamonkey-nss-1.0.9-0.29.el3.i386.rpm
seamonkey-nss-devel-1.0.9-0.29.el3.i386.rpm

ia64:
seamonkey-1.0.9-0.29.el3.ia64.rpm
seamonkey-chat-1.0.9-0.29.el3.ia64.rpm
seamonkey-debuginfo-1.0.9-0.29.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.29.el3.ia64.rpm
seamonkey-devel-1.0.9-0.29.el3.ia64.rpm
seamonkey-dom-inspector-1.0.9-0.29.el3.ia64.rpm
seamonkey-js-debugger-1.0.9-0.29.el3.ia64.rpm
seamonkey-mail-1.0.9-0.29.el3.ia64.rpm
seamonkey-nspr-1.0.9-0.29.el3.i386.rpm
seamonkey-nspr-1.0.9-0.29.el3.ia64.rpm
seamonkey-nspr-devel-1.0.9-0.29.el3.ia64.rpm
seamonkey-nss-1.0.9-0.29.el3.i386.rpm
seamonkey-nss-1.0.9-0.29.el3.ia64.rpm
seamonkey-nss-devel-1.0.9-0.29.el3.ia64.rpm

x86_64:
seamonkey-1.0.9-0.29.el3.i386.rpm
seamonkey-1.0.9-0.29.el3.x86_64.rpm
seamonkey-chat-1.0.9-0.29.el3.x86_64.rpm
seamonkey-debuginfo-1.0.9-0.29.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.29.el3.x86_64.rpm
seamonkey-devel-1.0.9-0.29.el3.x86_64.rpm
seamonkey-dom-inspector-1.0.9-0.29.el3.x86_64.rpm
seamonkey-js-debugger-1.0.9-0.29.el3.x86_64.rpm
seamonkey-mail-1.0.9-0.29.el3.x86_64.rpm
seamonkey-nspr-1.0.9-0.29.el3.i386.rpm
seamonkey-nspr-1.0.9-0.29.el3.x86_64.rpm
seamonkey-nspr-devel-1.0.9-0.29.el3.x86_64.rpm
seamonkey-nss-1.0.9-0.29.el3.i386.rpm
seamonkey-nss-1.0.9-0.29.el3.x86_64.rpm
seamonkey-nss-devel-1.0.9-0.29.el3.x86_64.rpm

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/seamonkey-1.0.9-32.el4.src.rpm

i386:
seamonkey-1.0.9-32.el4.i386.rpm
seamonkey-chat-1.0.9-32.el4.i386.rpm
seamonkey-debuginfo-1.0.9-32.el4.i386.rpm
seamonkey-devel-1.0.9-32.el4.i386.rpm
seamonkey-dom-inspector-1.0.9-32.el4.i386.rpm
seamonkey-js-debugger-1.0.9-32.el4.i386.rpm
seamonkey-mail-1.0.9-32.el4.i386.rpm

ia64:
seamonkey-1.0.9-32.el4.ia64.rpm
seamonkey-chat-1.0.9-32.el4.ia64.rpm
seamonkey-debuginfo-1.0.9-32.el4.ia64.rpm
seamonkey-devel-1.0.9-32.el4.ia64.rpm
seamonkey-dom-inspector-1.0.9-32.el4.ia64.rpm
seamonkey-js-debugger-1.0.9-32.el4.ia64.rpm
seamonkey-mail-1.0.9-32.el4.ia64.rpm

ppc:
seamonkey-1.0.9-32.el4.ppc.rpm
seamonkey-chat-1.0.9-32.el4.ppc.rpm
seamonkey-debuginfo-1.0.9-32.el4.ppc.rpm
seamonkey-devel-1.0.9-32.el4.ppc.rpm
seamonkey-dom-inspector-1.0.9-32.el4.ppc.rpm
seamonkey-js-debugger-1.0.9-32.el4.ppc.rpm
seamonkey-mail-1.0.9-32.el4.ppc.rpm

s390:
seamonkey-1.0.9-32.el4.s390.rpm
seamonkey-chat-1.0.9-32.el4.s390.rpm
seamonkey-debuginfo-1.0.9-32.el4.s390.rpm
seamonkey-devel-1.0.9-32.el4.s390.rpm
seamonkey-dom-inspector-1.0.9-32.el4.s390.rpm
seamonkey-js-debugger-1.0.9-32.el4.s390.rpm
seamonkey-mail-1.0.9-32.el4.s390.rpm

s390x:
seamonkey-1.0.9-32.el4.s390x.rpm
seamonkey-chat-1.0.9-32.el4.s390x.rpm
seamonkey-debuginfo-1.0.9-32.el4.s390x.rpm
seamonkey-devel-1.0.9-32.el4.s390x.rpm
seamonkey-dom-inspector-1.0.9-32.el4.s390x.rpm
seamonkey-js-debugger-1.0.9-32.el4.s390x.rpm
seamonkey-mail-1.0.9-32.el4.s390x.rpm

x86_64:
seamonkey-1.0.9-32.el4.x86_64.rpm
seamonkey-chat-1.0.9-32.el4.x86_64.rpm
seamonkey-debuginfo-1.0.9-32.el4.x86_64.rpm
seamonkey-devel-1.0.9-32.el4.x86_64.rpm
seamonkey-dom-inspector-1.0.9-32.el4.x86_64.rpm
seamonkey-js-debugger-1.0.9-32.el4.x86_64.rpm
seamonkey-mail-1.0.9-32.el4.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/seamonkey-1.0.9-32.el4.src.rpm

i386:
seamonkey-1.0.9-32.el4.i386.rpm
seamonkey-chat-1.0.9-32.el4.i386.rpm
seamonkey-debuginfo-1.0.9-32.el4.i386.rpm
seamonkey-devel-1.0.9-32.el4.i386.rpm
seamonkey-dom-inspector-1.0.9-32.el4.i386.rpm
seamonkey-js-debugger-1.0.9-32.el4.i386.rpm
seamonkey-mail-1.0.9-32.el4.i386.rpm

x86_64:
seamonkey-1.0.9-32.el4.x86_64.rpm
seamonkey-chat-1.0.9-32.el4.x86_64.rpm
seamonkey-debuginfo-1.0.9-32.el4.x86_64.rpm
seamonkey-devel-1.0.9-32.el4.x86_64.rpm
seamonkey-dom-inspector-1.0.9-32.el4.x86_64.rpm
seamonkey-js-debugger-1.0.9-32.el4.x86_64.rpm
seamonkey-mail-1.0.9-32.el4.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/seamonkey-1.0.9-32.el4.src.rpm

i386:
seamonkey-1.0.9-32.el4.i386.rpm
seamonkey-chat-1.0.9-32.el4.i386.rpm
seamonkey-debuginfo-1.0.9-32.el4.i386.rpm
seamonkey-devel-1.0.9-32.el4.i386.rpm
seamonkey-dom-inspector-1.0.9-32.el4.i386.rpm
seamonkey-js-debugger-1.0.9-32.el4.i386.rpm
seamonkey-mail-1.0.9-32.el4.i386.rpm

ia64:
seamonkey-1.0.9-32.el4.ia64.rpm
seamonkey-chat-1.0.9-32.el4.ia64.rpm
seamonkey-debuginfo-1.0.9-32.el4.ia64.rpm
seamonkey-devel-1.0.9-32.el4.ia64.rpm
seamonkey-dom-inspector-1.0.9-32.el4.ia64.rpm
seamonkey-js-debugger-1.0.9-32.el4.ia64.rpm
seamonkey-mail-1.0.9-32.el4.ia64.rpm

x86_64:
seamonkey-1.0.9-32.el4.x86_64.rpm
seamonkey-chat-1.0.9-32.el4.x86_64.rpm
seamonkey-debuginfo-1.0.9-32.el4.x86_64.rpm
seamonkey-devel-1.0.9-32.el4.x86_64.rpm
seamonkey-dom-inspector-1.0.9-32.el4.x86_64.rpm
seamonkey-js-debugger-1.0.9-32.el4.x86_64.rpm
seamonkey-mail-1.0.9-32.el4.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/seamonkey-1.0.9-32.el4.src.rpm

i386:
seamonkey-1.0.9-32.el4.i386.rpm
seamonkey-chat-1.0.9-32.el4.i386.rpm
seamonkey-debuginfo-1.0.9-32.el4.i386.rpm
seamonkey-devel-1.0.9-32.el4.i386.rpm
seamonkey-dom-inspector-1.0.9-32.el4.i386.rpm
seamonkey-js-debugger-1.0.9-32.el4.i386.rpm
seamonkey-mail-1.0.9-32.el4.i386.rpm

ia64:
seamonkey-1.0.9-32.el4.ia64.rpm
seamonkey-chat-1.0.9-32.el4.ia64.rpm
seamonkey-debuginfo-1.0.9-32.el4.ia64.rpm
seamonkey-devel-1.0.9-32.el4.ia64.rpm
seamonkey-dom-inspector-1.0.9-32.el4.ia64.rpm
seamonkey-js-debugger-1.0.9-32.el4.ia64.rpm
seamonkey-mail-1.0.9-32.el4.ia64.rpm

x86_64:
seamonkey-1.0.9-32.el4.x86_64.rpm
seamonkey-chat-1.0.9-32.el4.x86_64.rpm
seamonkey-debuginfo-1.0.9-32.el4.x86_64.rpm
seamonkey-devel-1.0.9-32.el4.x86_64.rpm
seamonkey-dom-inspector-1.0.9-32.el4.x86_64.rpm
seamonkey-js-debugger-1.0.9-32.el4.x86_64.rpm
seamonkey-mail-1.0.9-32.el4.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

6. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5500
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5501
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5502
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5503
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5504
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5506
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5507
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5508
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5511
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5512
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5513

7. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2008 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFJSF04XlSAg2UNWIIRAlrQAKCyCzFNNNRVgpp3fOKQacWfCyI5/gCdGggF
malJYq44wtWhco3AS9Qf6u8=
=I/ez
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Dec 17 09:47:36 2008
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 17 Dec 2008 04:47:36 -0500
Subject: [RHSA-2008:0973-03] Important: kernel security and bug fix update
Message-ID: <200812170947.mBH9ledN031823@int-mx1.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: kernel security and bug fix update
Advisory ID:       RHSA-2008:0973-03
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2008-0973.html
Issue date:        2008-12-16
CVE Names:         CVE-2008-4210 CVE-2008-3275 CVE-2008-0598 CVE-2008-2136
                   CVE-2008-2812 CVE-2007-6063 CVE-2008-3525
=====================================================================

1. Summary:

Updated kernel packages that resolve several security issues and fix various bugs are now available for Red Hat Enterprise Linux 3.
This update has been rated as having important security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64

3. Description:

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update addresses the following security issues:

* Tavis Ormandy discovered a deficiency in the Linux kernel 32-bit and 64-bit emulation. This could allow a local, unprivileged user to prepare and run a specially-crafted binary which would use this deficiency to leak uninitialized and potentially sensitive data. (CVE-2008-0598, Important)

* a possible kernel memory leak was found in the Linux kernel Simple Internet Transition (SIT) INET6 implementation. This could allow a local, unprivileged user to cause a denial of service. (CVE-2008-2136, Important)

* missing capability checks were found in the SBNI WAN driver which could allow a local user to bypass intended capability restrictions. (CVE-2008-3525, Important)

* the do_truncate() and generic_file_splice_write() functions did not clear the setuid and setgid bits. This could allow a local, unprivileged user to obtain access to privileged information. (CVE-2008-4210, Important)

* a buffer overflow flaw was found in Integrated Services Digital Network (ISDN) subsystem. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2007-6063, Moderate)

* multiple NULL pointer dereferences were found in various Linux kernel network drivers. These drivers were missing checks for terminal validity, which could allow privilege escalation. (CVE-2008-2812, Moderate)

* a deficiency was found in the Linux kernel virtual filesystem (VFS) implementation.
This could allow a local, unprivileged user to attempt file creation within deleted directories, possibly causing a denial of service. (CVE-2008-3275, Moderate)

This update also fixes the following bugs:

* the incorrect kunmap function was used in nfs_xdr_readlinkres. kunmap() was used where kunmap_atomic() should have been. As a consequence, if an NFSv2 or NFSv3 server exported a volume containing a symlink which included a path equal to or longer than the local system's PATH_MAX, accessing the link caused a kernel oops. This has been corrected in this update.

* mptctl_gettargetinfo did not check if pIoc3 was NULL before using it as a pointer. This caused a kernel panic in mptctl_gettargetinfo in some circumstances. A check has been added which prevents this.

* lost tick compensation code in the timer interrupt routine triggered without apparent cause. When running as a fully-virtualized client, this spurious triggering caused the 64-bit version of Red Hat Enterprise Linux 3 to present highly inaccurate times. With this update the lost tick compensation code is turned off when the operating system is running as a fully-virtualized client under Xen or VMware.

All Red Hat Enterprise Linux 3 users should install this updated kernel which addresses these vulnerabilities and fixes these bugs.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

392101 - CVE-2007-6063 Linux Kernel isdn_net_setcfg buffer overflow
433938 - CVE-2008-0598 kernel: linux x86_64 ia32 emulation leaks uninitialized data
438758 - wrong kunmap call in nfs_xdr_readlinkres
446031 - CVE-2008-2136 kernel: sit memory leak
453419 - CVE-2008-2812 kernel: NULL ptr dereference in multiple network drivers due to missing checks in tty code
457858 - CVE-2008-3275 Linux kernel local filesystem DoS
460401 - CVE-2008-3525 kernel: missing capability checks in sbni_ioctl()
463661 - CVE-2008-4210 kernel: open() call allows setgid bit when user is not in new file's group

6. Package List:

Red Hat Enterprise Linux AS version 3:

Source:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/kernel-2.4.21-58.EL.src.rpm

i386:
kernel-2.4.21-58.EL.athlon.rpm
kernel-2.4.21-58.EL.i686.rpm
kernel-BOOT-2.4.21-58.EL.i386.rpm
kernel-debuginfo-2.4.21-58.EL.athlon.rpm
kernel-debuginfo-2.4.21-58.EL.i386.rpm
kernel-debuginfo-2.4.21-58.EL.i686.rpm
kernel-doc-2.4.21-58.EL.i386.rpm
kernel-hugemem-2.4.21-58.EL.i686.rpm
kernel-hugemem-unsupported-2.4.21-58.EL.i686.rpm
kernel-smp-2.4.21-58.EL.athlon.rpm
kernel-smp-2.4.21-58.EL.i686.rpm
kernel-smp-unsupported-2.4.21-58.EL.athlon.rpm
kernel-smp-unsupported-2.4.21-58.EL.i686.rpm
kernel-source-2.4.21-58.EL.i386.rpm
kernel-unsupported-2.4.21-58.EL.athlon.rpm
kernel-unsupported-2.4.21-58.EL.i686.rpm

ia64:
kernel-2.4.21-58.EL.ia64.rpm
kernel-debuginfo-2.4.21-58.EL.ia64.rpm
kernel-doc-2.4.21-58.EL.ia64.rpm
kernel-source-2.4.21-58.EL.ia64.rpm
kernel-unsupported-2.4.21-58.EL.ia64.rpm

ppc:
kernel-2.4.21-58.EL.ppc64iseries.rpm
kernel-2.4.21-58.EL.ppc64pseries.rpm
kernel-debuginfo-2.4.21-58.EL.ppc64.rpm
kernel-debuginfo-2.4.21-58.EL.ppc64iseries.rpm
kernel-debuginfo-2.4.21-58.EL.ppc64pseries.rpm
kernel-doc-2.4.21-58.EL.ppc64.rpm
kernel-source-2.4.21-58.EL.ppc64.rpm
kernel-unsupported-2.4.21-58.EL.ppc64iseries.rpm
kernel-unsupported-2.4.21-58.EL.ppc64pseries.rpm

s390:
kernel-2.4.21-58.EL.s390.rpm
kernel-debuginfo-2.4.21-58.EL.s390.rpm
kernel-doc-2.4.21-58.EL.s390.rpm
kernel-source-2.4.21-58.EL.s390.rpm
kernel-unsupported-2.4.21-58.EL.s390.rpm

s390x:
kernel-2.4.21-58.EL.s390x.rpm
kernel-debuginfo-2.4.21-58.EL.s390x.rpm
kernel-doc-2.4.21-58.EL.s390x.rpm
kernel-source-2.4.21-58.EL.s390x.rpm
kernel-unsupported-2.4.21-58.EL.s390x.rpm

x86_64:
kernel-2.4.21-58.EL.ia32e.rpm
kernel-2.4.21-58.EL.x86_64.rpm
kernel-debuginfo-2.4.21-58.EL.ia32e.rpm
kernel-debuginfo-2.4.21-58.EL.x86_64.rpm
kernel-doc-2.4.21-58.EL.x86_64.rpm
kernel-smp-2.4.21-58.EL.x86_64.rpm
kernel-smp-unsupported-2.4.21-58.EL.x86_64.rpm
kernel-source-2.4.21-58.EL.x86_64.rpm
kernel-unsupported-2.4.21-58.EL.ia32e.rpm
kernel-unsupported-2.4.21-58.EL.x86_64.rpm

Red Hat Desktop version 3:

Source:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/kernel-2.4.21-58.EL.src.rpm

i386:
kernel-2.4.21-58.EL.athlon.rpm
kernel-2.4.21-58.EL.i686.rpm
kernel-BOOT-2.4.21-58.EL.i386.rpm
kernel-debuginfo-2.4.21-58.EL.athlon.rpm
kernel-debuginfo-2.4.21-58.EL.i386.rpm
kernel-debuginfo-2.4.21-58.EL.i686.rpm
kernel-doc-2.4.21-58.EL.i386.rpm
kernel-hugemem-2.4.21-58.EL.i686.rpm
kernel-hugemem-unsupported-2.4.21-58.EL.i686.rpm
kernel-smp-2.4.21-58.EL.athlon.rpm
kernel-smp-2.4.21-58.EL.i686.rpm
kernel-smp-unsupported-2.4.21-58.EL.athlon.rpm
kernel-smp-unsupported-2.4.21-58.EL.i686.rpm
kernel-source-2.4.21-58.EL.i386.rpm
kernel-unsupported-2.4.21-58.EL.athlon.rpm
kernel-unsupported-2.4.21-58.EL.i686.rpm

x86_64:
kernel-2.4.21-58.EL.ia32e.rpm
kernel-2.4.21-58.EL.x86_64.rpm
kernel-debuginfo-2.4.21-58.EL.ia32e.rpm
kernel-debuginfo-2.4.21-58.EL.x86_64.rpm
kernel-doc-2.4.21-58.EL.x86_64.rpm
kernel-smp-2.4.21-58.EL.x86_64.rpm
kernel-smp-unsupported-2.4.21-58.EL.x86_64.rpm
kernel-source-2.4.21-58.EL.x86_64.rpm
kernel-unsupported-2.4.21-58.EL.ia32e.rpm
kernel-unsupported-2.4.21-58.EL.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

Source:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/kernel-2.4.21-58.EL.src.rpm

i386:
kernel-2.4.21-58.EL.athlon.rpm
kernel-2.4.21-58.EL.i686.rpm
kernel-BOOT-2.4.21-58.EL.i386.rpm
kernel-debuginfo-2.4.21-58.EL.athlon.rpm
kernel-debuginfo-2.4.21-58.EL.i386.rpm
kernel-debuginfo-2.4.21-58.EL.i686.rpm
kernel-doc-2.4.21-58.EL.i386.rpm
kernel-hugemem-2.4.21-58.EL.i686.rpm
kernel-hugemem-unsupported-2.4.21-58.EL.i686.rpm
kernel-smp-2.4.21-58.EL.athlon.rpm
kernel-smp-2.4.21-58.EL.i686.rpm
kernel-smp-unsupported-2.4.21-58.EL.athlon.rpm
kernel-smp-unsupported-2.4.21-58.EL.i686.rpm
kernel-source-2.4.21-58.EL.i386.rpm
kernel-unsupported-2.4.21-58.EL.athlon.rpm
kernel-unsupported-2.4.21-58.EL.i686.rpm

ia64:
kernel-2.4.21-58.EL.ia64.rpm
kernel-debuginfo-2.4.21-58.EL.ia64.rpm
kernel-doc-2.4.21-58.EL.ia64.rpm
kernel-source-2.4.21-58.EL.ia64.rpm
kernel-unsupported-2.4.21-58.EL.ia64.rpm

x86_64:
kernel-2.4.21-58.EL.ia32e.rpm
kernel-2.4.21-58.EL.x86_64.rpm
kernel-debuginfo-2.4.21-58.EL.ia32e.rpm
kernel-debuginfo-2.4.21-58.EL.x86_64.rpm
kernel-doc-2.4.21-58.EL.x86_64.rpm
kernel-smp-2.4.21-58.EL.x86_64.rpm
kernel-smp-unsupported-2.4.21-58.EL.x86_64.rpm
kernel-source-2.4.21-58.EL.x86_64.rpm
kernel-unsupported-2.4.21-58.EL.ia32e.rpm
kernel-unsupported-2.4.21-58.EL.x86_64.rpm

Red Hat Enterprise Linux WS version 3:

Source:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/kernel-2.4.21-58.EL.src.rpm

i386:
kernel-2.4.21-58.EL.athlon.rpm
kernel-2.4.21-58.EL.i686.rpm
kernel-BOOT-2.4.21-58.EL.i386.rpm
kernel-debuginfo-2.4.21-58.EL.athlon.rpm
kernel-debuginfo-2.4.21-58.EL.i386.rpm
kernel-debuginfo-2.4.21-58.EL.i686.rpm
kernel-doc-2.4.21-58.EL.i386.rpm
kernel-hugemem-2.4.21-58.EL.i686.rpm
kernel-hugemem-unsupported-2.4.21-58.EL.i686.rpm
kernel-smp-2.4.21-58.EL.athlon.rpm
kernel-smp-2.4.21-58.EL.i686.rpm
kernel-smp-unsupported-2.4.21-58.EL.athlon.rpm
kernel-smp-unsupported-2.4.21-58.EL.i686.rpm
kernel-source-2.4.21-58.EL.i386.rpm
kernel-unsupported-2.4.21-58.EL.athlon.rpm
kernel-unsupported-2.4.21-58.EL.i686.rpm

ia64:
kernel-2.4.21-58.EL.ia64.rpm
kernel-debuginfo-2.4.21-58.EL.ia64.rpm
kernel-doc-2.4.21-58.EL.ia64.rpm
kernel-source-2.4.21-58.EL.ia64.rpm
kernel-unsupported-2.4.21-58.EL.ia64.rpm

x86_64:
kernel-2.4.21-58.EL.ia32e.rpm
kernel-2.4.21-58.EL.x86_64.rpm
kernel-debuginfo-2.4.21-58.EL.ia32e.rpm
kernel-debuginfo-2.4.21-58.EL.x86_64.rpm
kernel-doc-2.4.21-58.EL.x86_64.rpm
kernel-smp-2.4.21-58.EL.x86_64.rpm
kernel-smp-unsupported-2.4.21-58.EL.x86_64.rpm
kernel-source-2.4.21-58.EL.x86_64.rpm
kernel-unsupported-2.4.21-58.EL.ia32e.rpm
kernel-unsupported-2.4.21-58.EL.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4210
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3275
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0598
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2136
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2812
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6063
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3525
http://www.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2008 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFJSMqsXlSAg2UNWIIRAriYAJwML/skLsQgbSxqwjUNsIQFY4WaagCgxOKG
LAEWBR4C/F8hvHVWkkZiHYw=
=UChf
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Dec 18 18:35:37 2008
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 18 Dec 2008 13:35:37 -0500
Subject: [RHSA-2008:1043-01] Important: java-1.4.2-bea security update
Message-ID: <200812181835.mBIIZb8I010391@ns3.rdu.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: java-1.4.2-bea security update
Advisory ID:       RHSA-2008:1043-01
Product:           Red Hat Enterprise Linux Extras
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2008-1043.html
Issue date:        2008-12-18
Keywords:          Security
=====================================================================

1. Summary:

java-1.4.2-bea as shipped in Red Hat Enterprise Linux 3 Extras, Red Hat Enterprise Linux 4 Extras, and Red Hat Enterprise Linux 5 Supplementary, contains security flaws and should not be used.

This update has been rated as having important security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 3 Extras - i386, ia64
Red Hat Desktop version 3 Extras - i386
Red Hat Enterprise Linux ES version 3 Extras - i386, ia64
Red Hat Enterprise Linux WS version 3 Extras - i386, ia64
Red Hat Enterprise Linux AS version 4 Extras - i386, ia64, x86_64
Red Hat Desktop version 4 Extras - i386, x86_64
Red Hat Enterprise Linux ES version 4 Extras - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 Extras - i386, ia64, x86_64
RHEL Desktop Supplementary (v. 5 client) - i386, x86_64
RHEL Supplementary (v. 5 server) - i386, ia64, x86_64

3. Description:

The BEA WebLogic JRockit JRE and SDK contains BEA WebLogic JRockit Virtual Machine and is certified for the Java 2 Platform, Standard Edition, v1.4.2.
The java-1.4.2-bea packages are vulnerable to important security flaws and should no longer be used.

Several flaws involving the handling of unsigned applets were found. A remote attacker could misuse an unsigned applet in order to connect to services on the host running the applet. (CVE-2008-3104)

A buffer overflow vulnerability was found in the font processing code. This allowed remote attackers to extend the permissions of an untrusted applet or application, allowing it to read or write local files, as well as to execute local applications accessible to the user running the untrusted application. (CVE-2008-3108)

The vulnerabilities concerning applets listed above can only be triggered in java-1.4.2-bea by calling the "appletviewer" application.

BEA was acquired by Oracle during 2008 (the acquisition was completed on April 29, 2008). Consequently, JRockit is now an Oracle offering and these issues are addressed in the current release of Oracle JRockit. Due to a license change by Oracle, however, Red Hat is unable to ship Oracle JRockit. Users who wish to continue using JRockit should get an update directly from Oracle: http://oracle.com/technology/software/products/jrockit/.

Alternatives to Oracle JRockit include the Java 2 Technology Edition of the IBM Developer Kit for Linux and the Sun Java SE Development Kit (JDK), both of which are available on the Extras or Supplementary channels. For Java 6 users, the new OpenJDK open source JDK will be included in Red Hat Enterprise Linux 5.3 and will be supported by Red Hat.

This update removes the java-1.4.2-bea packages due to their known security vulnerabilities.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/FAQ_58_10188

5. Package List:

Red Hat Enterprise Linux AS version 3 Extras:

i386:
java-1.4.2-bea-uninstall-1.4.2.16-1jpp.3.el3.i686.rpm

ia64:
java-1.4.2-bea-uninstall-1.4.2.16-1jpp.3.el3.ia64.rpm

Red Hat Desktop version 3 Extras:

i386:
java-1.4.2-bea-uninstall-1.4.2.16-1jpp.3.el3.i686.rpm

Red Hat Enterprise Linux ES version 3 Extras:

i386:
java-1.4.2-bea-uninstall-1.4.2.16-1jpp.3.el3.i686.rpm

ia64:
java-1.4.2-bea-uninstall-1.4.2.16-1jpp.3.el3.ia64.rpm

Red Hat Enterprise Linux WS version 3 Extras:

i386:
java-1.4.2-bea-uninstall-1.4.2.16-1jpp.3.el3.i686.rpm

ia64:
java-1.4.2-bea-uninstall-1.4.2.16-1jpp.3.el3.ia64.rpm

Red Hat Enterprise Linux AS version 4 Extras:

i386:
java-1.4.2-bea-uninstall-1.4.2.16-1jpp.7.el4.i686.rpm

ia64:
java-1.4.2-bea-uninstall-1.4.2.16-1jpp.7.el4.ia64.rpm

x86_64:
java-1.4.2-bea-uninstall-1.4.2.16-1jpp.7.el4.i686.rpm

Red Hat Desktop version 4 Extras:

i386:
java-1.4.2-bea-uninstall-1.4.2.16-1jpp.7.el4.i686.rpm

x86_64:
java-1.4.2-bea-uninstall-1.4.2.16-1jpp.7.el4.i686.rpm

Red Hat Enterprise Linux ES version 4 Extras:

i386:
java-1.4.2-bea-uninstall-1.4.2.16-1jpp.7.el4.i686.rpm

ia64:
java-1.4.2-bea-uninstall-1.4.2.16-1jpp.7.el4.ia64.rpm

x86_64:
java-1.4.2-bea-uninstall-1.4.2.16-1jpp.7.el4.i686.rpm

Red Hat Enterprise Linux WS version 4 Extras:

i386:
java-1.4.2-bea-uninstall-1.4.2.16-1jpp.7.el4.i686.rpm

ia64:
java-1.4.2-bea-uninstall-1.4.2.16-1jpp.7.el4.ia64.rpm

x86_64:
java-1.4.2-bea-uninstall-1.4.2.16-1jpp.7.el4.i686.rpm

RHEL Desktop Supplementary (v. 5 client):

i386:
java-1.4.2-bea-uninstall-1.4.2.16-1jpp.3.el5.i686.rpm

x86_64:
java-1.4.2-bea-uninstall-1.4.2.16-1jpp.3.el5.i686.rpm

RHEL Supplementary (v. 5 server):

i386:
java-1.4.2-bea-uninstall-1.4.2.16-1jpp.3.el5.i686.rpm

ia64:
java-1.4.2-bea-uninstall-1.4.2.16-1jpp.3.el5.ia64.rpm

x86_64:
java-1.4.2-bea-uninstall-1.4.2.16-1jpp.3.el5.i686.rpm

These packages are GPG signed by Red Hat for security.
Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package 6. References: https://support.bea.com/application_content/product_portlets/securityadvisories/jrockitindex.html http://oracle.com/technology/software/products/jrockit/ http://www.redhat.com/security/updates/classification/#important 7. Contact: The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/ Copyright 2008 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFJSpf2XlSAg2UNWIIRAn4XAJ9650nNv4u7meGAS6aR9lD1NHhadwCgpUyS 3ZkzVMrspmAjmGFEpj5Jxgc= =ZzDQ -----END PGP SIGNATURE----- From bugzilla at redhat.com Thu Dec 18 18:35:41 2008 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 18 Dec 2008 13:35:41 -0500 Subject: [RHSA-2008:1044-01] Important: java-1.5.0-bea security update Message-ID: <200812181835.mBIIZfXS010395@ns3.rdu.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: java-1.5.0-bea security update Advisory ID: RHSA-2008:1044-01 Product: Red Hat Enterprise Linux Extras Advisory URL: https://rhn.redhat.com/errata/RHSA-2008-1044.html Issue date: 2008-12-18 Keywords: Security ===================================================================== 1. Summary: java-1.5.0-bea as shipped in Red Hat Enterprise Linux 4 Extras and Red Hat Enterprise Linux 5 Supplementary, contains security flaws and should not be used. This update has been rated as having important security impact by the Red Hat Security Response Team. 2. Relevant releases/architectures: Red Hat Enterprise Linux AS version 4 Extras - i386, ia64, x86_64 Red Hat Desktop version 4 Extras - i386, x86_64 Red Hat Enterprise Linux ES version 4 Extras - i386, ia64, x86_64 Red Hat Enterprise Linux WS version 4 Extras - i386, ia64, x86_64 RHEL Supplementary (v. 
5 server) - i386, ia64, x86_64 3. Description: The BEA WebLogic JRockit JRE and SDK contains BEA WebLogic JRockit Virtual Machine and is certified for the Java? 2 Platform, Standard Edition, v1.5.0. The java-1.5.0-bea packages are vulnerable to important security flaws and should no longer be used. A flaw was found in the Java Management Extensions (JMX) management agent. When local monitoring was enabled, remote attackers could use this flaw to perform illegal operations. (CVE-2008-3103) Several flaws involving the handling of unsigned applets were found. A remote attacker could misuse an unsigned applet in order to connect to services on the host running the applet. (CVE-2008-3104) Several flaws in the Java API for XML Web Services (JAX-WS) client and the JAX-WS service implementation were found. A remote attacker who could cause malicious XML to be processed by an application could access URLs, or cause a denial of service. (CVE-2008-3105, CVE-2008-3106) A buffer overflow vulnerability was found in the font processing code. This allowed remote attackers to extend the permissions of an untrusted applet or application, allowing it to read or write local files, as well as to execute local applications accessible to the user running the untrusted application. (CVE-2008-3108) The vulnerabilities concerning applets listed above can only be triggered in java-1.5.0-bea, by calling the "appletviewer" application. BEA was acquired by Oracle? during 2008 (the acquisition was completed on April 29, 2008). Consequently, JRockit is now an Oracle offering and these issues are addressed in the current release of Oracle JRockit. Due to a license change by Oracle, however, Red Hat is unable to ship Oracle JRockit. Users who wish to continue using JRockit should get an update directly from Oracle: http://oracle.com/technology/software/products/jrockit/. Alternatives to Oracle JRockit include the Java 2 Technology Edition of the IBM? Developer Kit for Linux and the Sun? 
Java SE Development Kit (JDK), both of which are available on the Extras or Supplementary channels. For Java 6 users, the new OpenJDK open source JDK will be included in Red Hat Enterprise Linux 5.3 and will be supported by Red Hat. This update removes the java-1.5.0-bea packages due to their known security vulnerabilities. 4. Solution: Before applying this update, make sure that all previously-released errata relevant to your system have been applied. This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/FAQ_58_10188 5. Package List: Red Hat Enterprise Linux AS version 4 Extras: i386: java-1.5.0-bea-uninstall-1.5.0.14-1jpp.5.el4.i686.rpm ia64: java-1.5.0-bea-uninstall-1.5.0.14-1jpp.5.el4.ia64.rpm x86_64: java-1.5.0-bea-uninstall-1.5.0.14-1jpp.5.el4.x86_64.rpm Red Hat Desktop version 4 Extras: i386: java-1.5.0-bea-uninstall-1.5.0.14-1jpp.5.el4.i686.rpm x86_64: java-1.5.0-bea-uninstall-1.5.0.14-1jpp.5.el4.x86_64.rpm Red Hat Enterprise Linux ES version 4 Extras: i386: java-1.5.0-bea-uninstall-1.5.0.14-1jpp.5.el4.i686.rpm ia64: java-1.5.0-bea-uninstall-1.5.0.14-1jpp.5.el4.ia64.rpm x86_64: java-1.5.0-bea-uninstall-1.5.0.14-1jpp.5.el4.x86_64.rpm Red Hat Enterprise Linux WS version 4 Extras: i386: java-1.5.0-bea-uninstall-1.5.0.14-1jpp.5.el4.i686.rpm ia64: java-1.5.0-bea-uninstall-1.5.0.14-1jpp.5.el4.ia64.rpm x86_64: java-1.5.0-bea-uninstall-1.5.0.14-1jpp.5.el4.x86_64.rpm RHEL Supplementary (v. 5 server): i386: java-1.5.0-bea-uninstall-1.5.0.14-1jpp.5.el5.i686.rpm ia64: java-1.5.0-bea-uninstall-1.5.0.14-1jpp.5.el5.ia64.rpm x86_64: java-1.5.0-bea-uninstall-1.5.0.14-1jpp.5.el5.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package 6. 
References: https://support.bea.com/application_content/product_portlets/securityadvisories/jrockitindex.html http://www.redhat.com/security/updates/classification/#important 7. Contact: The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/ Copyright 2008 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFJSpf8XlSAg2UNWIIRAiBxAKCZ5YTZ8wFipxpNQQmF5TChwq3qBgCeKgUk Z/cpyWTbkrdd0se9g9OmGMY= =Oe3+ -----END PGP SIGNATURE----- From bugzilla at redhat.com Thu Dec 18 18:35:46 2008 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 18 Dec 2008 13:35:46 -0500 Subject: [RHSA-2008:1045-01] Important: java-1.6.0-bea security update Message-ID: <200812181835.mBIIZkaG010401@ns3.rdu.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: java-1.6.0-bea security update Advisory ID: RHSA-2008:1045-01 Product: Red Hat Enterprise Linux Extras Advisory URL: https://rhn.redhat.com/errata/RHSA-2008-1045.html Issue date: 2008-12-18 Keywords: Security ===================================================================== 1. Summary: java-1.6.0-bea as shipped in Red Hat Enterprise Linux 4 Extras and Red Hat Enterprise Linux 5 Supplementary, contains security flaws and should not be used. This update has been rated as having important security impact by the Red Hat Security Response Team. 2. Relevant releases/architectures: Red Hat Enterprise Linux AS version 4 Extras - i386, x86_64 Red Hat Desktop version 4 Extras - i386, x86_64 Red Hat Enterprise Linux ES version 4 Extras - i386, x86_64 Red Hat Enterprise Linux WS version 4 Extras - i386, x86_64 RHEL Desktop Supplementary (v. 5 client) - i386, x86_64 RHEL Supplementary (v. 5 server) - i386, x86_64 3. Description: The BEA WebLogic JRockit JRE and SDK contains BEA WebLogic JRockit Virtual Machine and is certified for the Java? 
2 Platform, Standard Edition, v1.6.0. The java-1.6.0-bea packages are vulnerable to important security flaws and should no longer be used. A flaw was found in the Java Management Extensions (JMX) management agent. When local monitoring was enabled, remote attackers could use this flaw to perform illegal operations. (CVE-2008-3103) Several flaws involving the handling of unsigned applets were found. A remote attacker could misuse an unsigned applet in order to connect to services on the host running the applet. (CVE-2008-3104) Several flaws in the Java API for XML Web Services (JAX-WS) client and the JAX-WS service implementation were found. A remote attacker who could cause malicious XML to be processed by an application could access URLs, or cause a denial of service. (CVE-2008-3105, CVE-2008-3106) Several flaws within the Java Runtime Environment's (JRE) scripting support were found. A remote attacker could grant an untrusted applet extended privileges, such as reading and writing local files, executing local programs, or querying the sensitive data of other applets. (CVE-2008-3109, CVE-2008-3110) The vulnerabilities concerning applets listed above can only be triggered in java-1.6.0-bea, by calling the "appletviewer" application. BEA was acquired by Oracle? during 2008 (the acquisition was completed on April 29, 2008). Consequently, JRockit is now an Oracle offering and these issues are addressed in the current release of Oracle JRockit. Due to a license change by Oracle, however, Red Hat is unable to ship Oracle JRockit. Users who wish to continue using JRockit should get an update directly from Oracle: http://oracle.com/technology/software/products/jrockit/. Alternatives to Oracle JRockit include the Java 2 Technology Edition of the IBM? Developer Kit for Linux and the Sun? Java SE Development Kit (JDK), both of which are available on the Extras or Supplementary channels. 
For Java 6 users, the new OpenJDK open source JDK will be included in Red Hat Enterprise Linux 5.3 and will be supported by Red Hat. This update removes the java-1.6.0-bea packages due to their known security vulnerabilities. 4. Solution: Before applying this update, make sure that all previously-released errata relevant to your system have been applied. This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/FAQ_58_10188 5. Package List: Red Hat Enterprise Linux AS version 4 Extras: i386: java-1.6.0-bea-uninstall-1.6.0.03-1jpp.4.el4.i686.rpm x86_64: java-1.6.0-bea-uninstall-1.6.0.03-1jpp.4.el4.x86_64.rpm Red Hat Desktop version 4 Extras: i386: java-1.6.0-bea-uninstall-1.6.0.03-1jpp.4.el4.i686.rpm x86_64: java-1.6.0-bea-uninstall-1.6.0.03-1jpp.4.el4.x86_64.rpm Red Hat Enterprise Linux ES version 4 Extras: i386: java-1.6.0-bea-uninstall-1.6.0.03-1jpp.4.el4.i686.rpm x86_64: java-1.6.0-bea-uninstall-1.6.0.03-1jpp.4.el4.x86_64.rpm Red Hat Enterprise Linux WS version 4 Extras: i386: java-1.6.0-bea-uninstall-1.6.0.03-1jpp.4.el4.i686.rpm x86_64: java-1.6.0-bea-uninstall-1.6.0.03-1jpp.4.el4.x86_64.rpm RHEL Desktop Supplementary (v. 5 client): i386: java-1.6.0-bea-uninstall-1.6.0.03-1jpp.6.el5.i686.rpm x86_64: java-1.6.0-bea-uninstall-1.6.0.03-1jpp.6.el5.x86_64.rpm RHEL Supplementary (v. 5 server): i386: java-1.6.0-bea-uninstall-1.6.0.03-1jpp.6.el5.i686.rpm x86_64: java-1.6.0-bea-uninstall-1.6.0.03-1jpp.6.el5.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package 6. References: https://support.bea.com/application_content/product_portlets/securityadvisories/jrockitindex.html http://www.redhat.com/security/updates/classification/#important 7. Contact: The Red Hat security contact is . 
More contact details at https://www.redhat.com/security/team/contact/ Copyright 2008 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFJSpgAXlSAg2UNWIIRAi7pAKCXH5YA6teY1sHLkeLy7B+XwJEfzQCeObm7 dXy5RBTi2k7/VT7/7x9eT1Q= =BYnS -----END PGP SIGNATURE----- From bugzilla at redhat.com Fri Dec 19 17:53:25 2008 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Fri, 19 Dec 2008 12:53:25 -0500 Subject: [RHSA-2008:1047-01] Critical: flash-plugin security update Message-ID: <200812191753.mBJHrPWs016113@int-mx1.corp.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Critical: flash-plugin security update Advisory ID: RHSA-2008:1047-01 Product: Red Hat Enterprise Linux Extras Advisory URL: https://rhn.redhat.com/errata/RHSA-2008-1047.html Issue date: 2008-12-19 CVE Names: CVE-2008-5499 ===================================================================== 1. Summary: An updated Adobe Flash Player package that fixes a security issue is now available for Red Hat Enterprise Linux 3 Extras, Red Hat Enterprise Linux 4 Extras, and Red Hat Enterprise Linux 5 Supplementary. This update has been rated as having critical security impact by the Red Hat Security Response Team. 2. Relevant releases/architectures: Red Hat Enterprise Linux AS version 3 Extras - i386 Red Hat Desktop version 3 Extras - i386 Red Hat Enterprise Linux ES version 3 Extras - i386 Red Hat Enterprise Linux WS version 3 Extras - i386 Red Hat Enterprise Linux AS version 4 Extras - i386 Red Hat Desktop version 4 Extras - i386 Red Hat Enterprise Linux ES version 4 Extras - i386 Red Hat Enterprise Linux WS version 4 Extras - i386 RHEL Desktop Supplementary (v. 5 client) - i386, x86_64 RHEL Supplementary (v. 5 server) - i386, x86_64 3. Description: The flash-plugin package contains a Firefox-compatible Adobe Flash Player Web browser plug-in. 
A security flaw was found in the way Flash Player displayed certain SWF (Shockwave Flash) content. This may have made it possible to execute arbitrary code on a victim's machine, if the victim opened a malicious Adobe Flash file. (CVE-2008-5499) All users of Adobe Flash Player should install this updated package, which upgrades Flash Player to version 10.0.15.3 for users of Red Hat Enterprise Linux 5 Supplementary, and 9.0.152.0 for users of Red Hat Enterprise 3 and 4 Extras. 4. Solution: Before applying this update, make sure that all previously-released errata relevant to your system have been applied. This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259 5. Package List: Red Hat Enterprise Linux AS version 3 Extras: i386: flash-plugin-9.0.152.0-1.el3.with.oss.i386.rpm Red Hat Desktop version 3 Extras: i386: flash-plugin-9.0.152.0-1.el3.with.oss.i386.rpm Red Hat Enterprise Linux ES version 3 Extras: i386: flash-plugin-9.0.152.0-1.el3.with.oss.i386.rpm Red Hat Enterprise Linux WS version 3 Extras: i386: flash-plugin-9.0.152.0-1.el3.with.oss.i386.rpm Red Hat Enterprise Linux AS version 4 Extras: i386: flash-plugin-9.0.152.0-1.el4.i386.rpm Red Hat Desktop version 4 Extras: i386: flash-plugin-9.0.152.0-1.el4.i386.rpm Red Hat Enterprise Linux ES version 4 Extras: i386: flash-plugin-9.0.152.0-1.el4.i386.rpm Red Hat Enterprise Linux WS version 4 Extras: i386: flash-plugin-9.0.152.0-1.el4.i386.rpm RHEL Desktop Supplementary (v. 5 client): i386: flash-plugin-10.0.15.3-2.el5.i386.rpm x86_64: flash-plugin-10.0.15.3-2.el5.i386.rpm RHEL Supplementary (v. 5 server): i386: flash-plugin-10.0.15.3-2.el5.i386.rpm x86_64: flash-plugin-10.0.15.3-2.el5.i386.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package 6. 
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5499 http://www.redhat.com/security/updates/classification/#critical http://www.adobe.com/support/security/bulletins/apsb08-24.html http://www.adobe.com/products/flashplayer/ 7. Contact: The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/ Copyright 2008 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFJS9+RXlSAg2UNWIIRAoPHAJ9dEEgKvJOI4uayFqHSkicmv/CFLgCeL8TW /Fr3lWj9w+JvjZwA5GLKmNo= =kGBt -----END PGP SIGNATURE-----
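Every advisory in this archive carries the same machine-readable skeleton: a header block (Advisory ID, Synopsis with the severity prefix, CVE Names), and a section 5 package list grouped by product channel and architecture. What a practitioner actually wants from such a message is the answer to one question: is the build I have installed older than the build the advisory ships? The following Python script is an added example written for this archive, not Red Hat's own tooling. SAMPLE_ADVISORY is a constructed excerpt of the flash-plugin advisory (RHSA-2008:1047) above, the "installed" NVRAs in the demo are made up, and rpmvercmp() re-implements rpm's version-segment comparison (digit runs compare numerically, alpha runs lexically, a digit run beats an alpha run, leftover segments win) without epoch, tilde or caret handling. It also splits the java-*-bea-uninstall and el3.with.oss file names from the other advisories correctly, which a naive split on "-" or "." does not.

```python
"""Parse an RHSA e-mail body and check installed RPMs against the fixed builds.

Added example for this archive, not Red Hat's own tooling.  SAMPLE_ADVISORY is
constructed from the flash-plugin advisory (RHSA-2008:1047) on this page; the
installed NVRAs in __main__ are made up.  rpmvercmp() re-implements rpm's
version-segment comparison without epoch, tilde or caret handling.
"""
import re

SAMPLE_ADVISORY = """\
Advisory ID: RHSA-2008:1047-01
Synopsis: Critical: flash-plugin security update
Issue date: 2008-12-19
CVE Names: CVE-2008-5499
5. Package List:
Red Hat Enterprise Linux AS version 4 Extras:
i386:
flash-plugin-9.0.152.0-1.el4.i386.rpm
RHEL Supplementary (v. 5 server):
i386:
flash-plugin-10.0.15.3-2.el5.i386.rpm
x86_64:
flash-plugin-10.0.15.3-2.el5.i386.rpm
6. References:
"""

ARCHES = {"i386", "i686", "ia64", "ppc", "ppc64", "s390", "s390x", "x86_64", "noarch", "src"}
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def parse_header(text):
    """Advisory ID, severity (taken from the Synopsis prefix) and the CVE set."""
    fields = {}
    for key in ("Advisory ID", "Synopsis", "Issue date"):
        m = re.search(rf"^{re.escape(key)}:\s*(.+)$", text, re.M)
        fields[key] = m.group(1).strip() if m else None
    fields["severity"] = fields["Synopsis"].split(":", 1)[0] if fields["Synopsis"] else None
    fields["cves"] = sorted(set(re.findall(r"CVE-\d{4}-\d{4,}", text)))
    return fields


def parse_package_list(text):
    """Map (product channel, arch) -> list of RPM file names from section 5."""
    m = re.search(r"^5\. Package List:[^\n]*\n(.*?)^6\. References:", text, re.M | re.S)
    packages, product, arch = {}, None, None
    for line in (m.group(1) if m else "").splitlines():
        line = line.strip()
        if line.startswith("Source:"):            # "Source: ftp://.../foo.src.rpm"
            arch, line = "src", line.split(":", 1)[1].strip()
        if line.endswith(".rpm"):
            packages.setdefault((product, arch), []).append(line)
        elif line.endswith(":"):
            label = line[:-1]
            if label in ARCHES:
                arch = label
            else:                                 # a product/channel heading
                product, arch = label, None
    return packages


def split_nvra(filename):
    """'flash-plugin-10.0.15.3-2.el5.i386.rpm' -> (name, version, release, arch)."""
    stem = filename[:-4] if filename.endswith(".rpm") else filename
    stem, arch = stem.rsplit(".", 1)
    name, version, release = stem.rsplit("-", 2)
    return name, version, release, arch


def rpmvercmp(a, b):
    """-1/0/1 like rpm's rpmvercmp: split into digit and alpha runs, compare
    digit runs numerically and alpha runs lexically, a digit run beats an alpha
    run, and when one side runs out the side with segments left is newer."""
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def compare_vr(installed, fixed):
    """Compare (version, release) pairs; release only decides ties."""
    r = rpmvercmp(installed[0], fixed[0])
    return r if r else rpmvercmp(installed[1], fixed[1])


def find_fix(installed_nvra, packages):
    """Return the advisory RPM that supersedes `installed_nvra`, or None when the
    installed build is already at or past the fixed one (or not covered at all).
    Name and arch must match, and so must the dist tag (el3/el4/el5) in the
    release, so an el4 build is never judged against the el5 fix."""
    name, ver, rel, arch = split_nvra(installed_nvra)
    dist = re.search(r"\.(el\d+)", rel)
    for rpms in packages.values():
        for fn in rpms:
            n, v, r, a = split_nvra(fn)
            if n != name or a != arch or (dist and dist.group(1) not in r):
                continue
            if compare_vr((ver, rel), (v, r)) < 0:
                return fn
    return None


if __name__ == "__main__":
    hdr = parse_header(SAMPLE_ADVISORY)
    pkgs = parse_package_list(SAMPLE_ADVISORY)
    print(hdr["Advisory ID"], hdr["severity"], hdr["cves"])
    for installed in ("flash-plugin-9.0.124.0-1.el5.i386",   # assumed installed builds
                      "flash-plugin-10.0.15.3-2.el5.i386"):
        print(installed, "->", find_fix(installed, pkgs) or "not affected")
```

On a real host the installed NVRAs come from `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n'`; the dist-tag match matters because the same advisory ships different fixed versions per channel (9.0.152.0 for el3/el4, 10.0.15.3 for el5), and comparing across channels would give a wrong answer in both directions. Note that the uninstall packages in the java-*-bea advisories are a special case of this check: there is no "fixed" version to reach, the advisory's package exists only to remove the vulnerable one.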