From bugzilla at redhat.com  Wed Jul  2 13:01:39 2008
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 2 Jul 2008 09:01:39 -0400
Subject: [RHSA-2008:0547-01] Critical: seamonkey security update
Message-ID: <200807021301.m62D1djV006641@pobox.devel.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: seamonkey security update
Advisory ID:       RHSA-2008:0547-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2008-0547.html
Issue date:        2008-07-02
CVE Names:         CVE-2008-2798 CVE-2008-2799 CVE-2008-2800 CVE-2008-2801
                   CVE-2008-2802 CVE-2008-2803 CVE-2008-2805 CVE-2008-2807
                   CVE-2008-2808 CVE-2008-2809 CVE-2008-2810 CVE-2008-2811
=====================================================================

1. Summary:

Updated seamonkey packages that fix several security issues are now available for Red Hat Enterprise Linux 2.1, Red Hat Enterprise Linux 3 and Red Hat Enterprise Linux 4.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64
Red Hat Linux Advanced Workstation 2.1 - ia64
Red Hat Enterprise Linux ES version 2.1 - i386
Red Hat Enterprise Linux WS version 2.1 - i386
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

3. Description:

SeaMonkey is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor.

Multiple flaws were found in the processing of malformed JavaScript content. A web page containing such malicious content could cause SeaMonkey to crash or, potentially, execute arbitrary code as the user running SeaMonkey. (CVE-2008-2801, CVE-2008-2802, CVE-2008-2803)

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause SeaMonkey to crash or, potentially, execute arbitrary code as the user running SeaMonkey. (CVE-2008-2798, CVE-2008-2799, CVE-2008-2811)

Several flaws were found in the way malformed web content was displayed. A web page containing specially-crafted content could potentially trick a SeaMonkey user into surrendering sensitive information. (CVE-2008-2800)

Two local file disclosure flaws were found in SeaMonkey. A web page containing malicious content could cause SeaMonkey to reveal the contents of a local file to a remote attacker. (CVE-2008-2805, CVE-2008-2810)

A flaw was found in the way a malformed .properties file was processed by SeaMonkey. A malicious extension could read uninitialized memory, possibly leaking sensitive data to the extension. (CVE-2008-2807)

A flaw was found in the way SeaMonkey escaped a listing of local file names. If a user could be tricked into listing a local directory containing malicious file names, arbitrary JavaScript could be run with the permissions of the user running SeaMonkey. (CVE-2008-2808)

A flaw was found in the way SeaMonkey displayed information about self-signed certificates. It was possible for a self-signed certificate to contain multiple alternate name entries, which were not all displayed to the user, allowing them to mistakenly extend trust to an unknown site. (CVE-2008-2809)

All SeaMonkey users should upgrade to these updated packages, which contain backported patches to resolve these issues.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/FAQ_58_10188

5. Bugs fixed (http://bugzilla.redhat.com/):

452597 - CVE-2008-2798 Firefox malformed web content flaws
452598 - CVE-2008-2799 Firefox javascript arbitrary code execution
452599 - CVE-2008-2800 Firefox XSS attacks
452600 - CVE-2008-2802 Firefox arbitrary JavaScript code execution
452602 - CVE-2008-2803 Firefox javascript arbitrary code execution
452604 - CVE-2008-2805 Firefox arbitrary file disclosure
452605 - CVE-2008-2801 Firefox arbitrary signed JAR code execution
452709 - CVE-2008-2807 Firefox .properties memory leak
452710 - CVE-2008-2808 Firefox file location escaping flaw
452711 - CVE-2008-2809 Firefox self signed certificate flaw
452712 - CVE-2008-2810 Firefox arbitrary file disclosure
453007 - CVE-2008-2811 Firefox block reflow flaw
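The directory-listing flaw (CVE-2008-2808) described above comes down to a local file name being pasted into generated HTML without escaping, so a crafted name becomes live markup in a page that runs with the listing's privileges. The following is an added example, not code from this advisory or from the Mozilla code base: a small Python generator for a file:// index page with the unescaped behaviour beside the escaped one. The directory path, the file names and the `render_listing` / `contains_live_markup` functions are all constructed for illustration; the only claim taken from the advisory is that the escaping of names in a listing is what matters.

```python
import html
from urllib.parse import quote

# Constructed sample of what os.listdir() might return for a directory an
# attacker can write into (a download folder, a shared mount, removable media).
SAMPLE_NAMES = [
    "report.pdf",
    "notes & todo.txt",
    '<img src=x onerror="alert(document.cookie)">.txt',
    '"><script>alert(1)</script>',
]


def render_listing(dir_path, names, escape=True):
    """Build a file:// directory index in the style of a browser's built-in listing.

    escape=False reproduces the class of bug the advisory describes: the file
    name goes into the HTML unchanged, so a name that contains markup becomes
    markup in the page and its script runs with the listing's origin.
    escape=True is the hardened form: the name is escaped for the HTML text
    context and percent-encoded for the href (URL) context, separately,
    because the two contexts have different metacharacters.
    """
    rows = []
    for name in names:
        if escape:
            href = "file://" + quote(dir_path + "/" + name, safe="/")
            label = html.escape(name, quote=True)
        else:
            href = "file://" + dir_path + "/" + name
            label = name
        rows.append(f'<li><a href="{href}">{label}</a></li>')
    return "<ul>\n" + "\n".join(rows) + "\n</ul>"


def contains_live_markup(listing, marker="<script>"):
    """True if the rendered listing still contains an unescaped tag."""
    return marker in listing


if __name__ == "__main__":
    for mode in (False, True):
        page = render_listing("/home/user/Downloads", SAMPLE_NAMES, escape=mode)
        print(f"escape={mode}: live script tag present: {contains_live_markup(page)}")
        print(page, end="\n\n")
```

Note that escaping only the text between the tags is not enough: the same name also lands inside the `href` attribute, where `"` would close the attribute, which is why the example encodes the URL context on its own.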
6. Package List:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1:

Source:
ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/seamonkey-1.0.9-0.17.el2.src.rpm

i386:
seamonkey-1.0.9-0.17.el2.i386.rpm
seamonkey-chat-1.0.9-0.17.el2.i386.rpm
seamonkey-devel-1.0.9-0.17.el2.i386.rpm
seamonkey-dom-inspector-1.0.9-0.17.el2.i386.rpm
seamonkey-js-debugger-1.0.9-0.17.el2.i386.rpm
seamonkey-mail-1.0.9-0.17.el2.i386.rpm
seamonkey-nspr-1.0.9-0.17.el2.i386.rpm
seamonkey-nspr-devel-1.0.9-0.17.el2.i386.rpm
seamonkey-nss-1.0.9-0.17.el2.i386.rpm
seamonkey-nss-devel-1.0.9-0.17.el2.i386.rpm

ia64:
seamonkey-1.0.9-0.17.el2.ia64.rpm
seamonkey-chat-1.0.9-0.17.el2.ia64.rpm
seamonkey-devel-1.0.9-0.17.el2.ia64.rpm
seamonkey-dom-inspector-1.0.9-0.17.el2.ia64.rpm
seamonkey-js-debugger-1.0.9-0.17.el2.ia64.rpm
seamonkey-mail-1.0.9-0.17.el2.ia64.rpm
seamonkey-nspr-1.0.9-0.17.el2.ia64.rpm
seamonkey-nspr-devel-1.0.9-0.17.el2.ia64.rpm
seamonkey-nss-1.0.9-0.17.el2.ia64.rpm
seamonkey-nss-devel-1.0.9-0.17.el2.ia64.rpm

Red Hat Linux Advanced Workstation 2.1:

Source:
ftp://updates.redhat.com/enterprise/2.1AW/en/os/SRPMS/seamonkey-1.0.9-0.17.el2.src.rpm

ia64:
seamonkey-1.0.9-0.17.el2.ia64.rpm
seamonkey-chat-1.0.9-0.17.el2.ia64.rpm
seamonkey-devel-1.0.9-0.17.el2.ia64.rpm
seamonkey-dom-inspector-1.0.9-0.17.el2.ia64.rpm
seamonkey-js-debugger-1.0.9-0.17.el2.ia64.rpm
seamonkey-mail-1.0.9-0.17.el2.ia64.rpm
seamonkey-nspr-1.0.9-0.17.el2.ia64.rpm
seamonkey-nspr-devel-1.0.9-0.17.el2.ia64.rpm
seamonkey-nss-1.0.9-0.17.el2.ia64.rpm
seamonkey-nss-devel-1.0.9-0.17.el2.ia64.rpm

Red Hat Enterprise Linux ES version 2.1:

Source:
ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/seamonkey-1.0.9-0.17.el2.src.rpm

i386:
seamonkey-1.0.9-0.17.el2.i386.rpm
seamonkey-chat-1.0.9-0.17.el2.i386.rpm
seamonkey-devel-1.0.9-0.17.el2.i386.rpm
seamonkey-dom-inspector-1.0.9-0.17.el2.i386.rpm
seamonkey-js-debugger-1.0.9-0.17.el2.i386.rpm
seamonkey-mail-1.0.9-0.17.el2.i386.rpm
seamonkey-nspr-1.0.9-0.17.el2.i386.rpm
seamonkey-nspr-devel-1.0.9-0.17.el2.i386.rpm
seamonkey-nss-1.0.9-0.17.el2.i386.rpm
seamonkey-nss-devel-1.0.9-0.17.el2.i386.rpm

Red Hat Enterprise Linux WS version 2.1:

Source:
ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/seamonkey-1.0.9-0.17.el2.src.rpm

i386:
seamonkey-1.0.9-0.17.el2.i386.rpm
seamonkey-chat-1.0.9-0.17.el2.i386.rpm
seamonkey-devel-1.0.9-0.17.el2.i386.rpm
seamonkey-dom-inspector-1.0.9-0.17.el2.i386.rpm
seamonkey-js-debugger-1.0.9-0.17.el2.i386.rpm
seamonkey-mail-1.0.9-0.17.el2.i386.rpm
seamonkey-nspr-1.0.9-0.17.el2.i386.rpm
seamonkey-nspr-devel-1.0.9-0.17.el2.i386.rpm
seamonkey-nss-1.0.9-0.17.el2.i386.rpm
seamonkey-nss-devel-1.0.9-0.17.el2.i386.rpm

Red Hat Enterprise Linux AS version 3:

Source:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/seamonkey-1.0.9-0.20.el3.src.rpm

i386:
seamonkey-1.0.9-0.20.el3.i386.rpm
seamonkey-chat-1.0.9-0.20.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.20.el3.i386.rpm
seamonkey-devel-1.0.9-0.20.el3.i386.rpm
seamonkey-dom-inspector-1.0.9-0.20.el3.i386.rpm
seamonkey-js-debugger-1.0.9-0.20.el3.i386.rpm
seamonkey-mail-1.0.9-0.20.el3.i386.rpm
seamonkey-nspr-1.0.9-0.20.el3.i386.rpm
seamonkey-nspr-devel-1.0.9-0.20.el3.i386.rpm
seamonkey-nss-1.0.9-0.20.el3.i386.rpm
seamonkey-nss-devel-1.0.9-0.20.el3.i386.rpm

ia64:
seamonkey-1.0.9-0.20.el3.ia64.rpm
seamonkey-chat-1.0.9-0.20.el3.ia64.rpm
seamonkey-debuginfo-1.0.9-0.20.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.20.el3.ia64.rpm
seamonkey-devel-1.0.9-0.20.el3.ia64.rpm
seamonkey-dom-inspector-1.0.9-0.20.el3.ia64.rpm
seamonkey-js-debugger-1.0.9-0.20.el3.ia64.rpm
seamonkey-mail-1.0.9-0.20.el3.ia64.rpm
seamonkey-nspr-1.0.9-0.20.el3.i386.rpm
seamonkey-nspr-1.0.9-0.20.el3.ia64.rpm
seamonkey-nspr-devel-1.0.9-0.20.el3.ia64.rpm
seamonkey-nss-1.0.9-0.20.el3.i386.rpm
seamonkey-nss-1.0.9-0.20.el3.ia64.rpm
seamonkey-nss-devel-1.0.9-0.20.el3.ia64.rpm

ppc:
seamonkey-1.0.9-0.20.el3.ppc.rpm
seamonkey-chat-1.0.9-0.20.el3.ppc.rpm
seamonkey-debuginfo-1.0.9-0.20.el3.ppc.rpm
seamonkey-devel-1.0.9-0.20.el3.ppc.rpm
seamonkey-dom-inspector-1.0.9-0.20.el3.ppc.rpm
seamonkey-js-debugger-1.0.9-0.20.el3.ppc.rpm
seamonkey-mail-1.0.9-0.20.el3.ppc.rpm
seamonkey-nspr-1.0.9-0.20.el3.ppc.rpm
seamonkey-nspr-devel-1.0.9-0.20.el3.ppc.rpm
seamonkey-nss-1.0.9-0.20.el3.ppc.rpm
seamonkey-nss-devel-1.0.9-0.20.el3.ppc.rpm

s390:
seamonkey-1.0.9-0.20.el3.s390.rpm
seamonkey-chat-1.0.9-0.20.el3.s390.rpm
seamonkey-debuginfo-1.0.9-0.20.el3.s390.rpm
seamonkey-devel-1.0.9-0.20.el3.s390.rpm
seamonkey-dom-inspector-1.0.9-0.20.el3.s390.rpm
seamonkey-js-debugger-1.0.9-0.20.el3.s390.rpm
seamonkey-mail-1.0.9-0.20.el3.s390.rpm
seamonkey-nspr-1.0.9-0.20.el3.s390.rpm
seamonkey-nspr-devel-1.0.9-0.20.el3.s390.rpm
seamonkey-nss-1.0.9-0.20.el3.s390.rpm
seamonkey-nss-devel-1.0.9-0.20.el3.s390.rpm

s390x:
seamonkey-1.0.9-0.20.el3.s390x.rpm
seamonkey-chat-1.0.9-0.20.el3.s390x.rpm
seamonkey-debuginfo-1.0.9-0.20.el3.s390.rpm
seamonkey-debuginfo-1.0.9-0.20.el3.s390x.rpm
seamonkey-devel-1.0.9-0.20.el3.s390x.rpm
seamonkey-dom-inspector-1.0.9-0.20.el3.s390x.rpm
seamonkey-js-debugger-1.0.9-0.20.el3.s390x.rpm
seamonkey-mail-1.0.9-0.20.el3.s390x.rpm
seamonkey-nspr-1.0.9-0.20.el3.s390.rpm
seamonkey-nspr-1.0.9-0.20.el3.s390x.rpm
seamonkey-nspr-devel-1.0.9-0.20.el3.s390x.rpm
seamonkey-nss-1.0.9-0.20.el3.s390.rpm
seamonkey-nss-1.0.9-0.20.el3.s390x.rpm
seamonkey-nss-devel-1.0.9-0.20.el3.s390x.rpm

x86_64:
seamonkey-1.0.9-0.20.el3.i386.rpm
seamonkey-1.0.9-0.20.el3.x86_64.rpm
seamonkey-chat-1.0.9-0.20.el3.x86_64.rpm
seamonkey-debuginfo-1.0.9-0.20.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.20.el3.x86_64.rpm
seamonkey-devel-1.0.9-0.20.el3.x86_64.rpm
seamonkey-dom-inspector-1.0.9-0.20.el3.x86_64.rpm
seamonkey-js-debugger-1.0.9-0.20.el3.x86_64.rpm
seamonkey-mail-1.0.9-0.20.el3.x86_64.rpm
seamonkey-nspr-1.0.9-0.20.el3.i386.rpm
seamonkey-nspr-1.0.9-0.20.el3.x86_64.rpm
seamonkey-nspr-devel-1.0.9-0.20.el3.x86_64.rpm
seamonkey-nss-1.0.9-0.20.el3.i386.rpm
seamonkey-nss-1.0.9-0.20.el3.x86_64.rpm
seamonkey-nss-devel-1.0.9-0.20.el3.x86_64.rpm

Red Hat Desktop version 3:

Source:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/seamonkey-1.0.9-0.20.el3.src.rpm

i386:
seamonkey-1.0.9-0.20.el3.i386.rpm
seamonkey-chat-1.0.9-0.20.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.20.el3.i386.rpm
seamonkey-devel-1.0.9-0.20.el3.i386.rpm
seamonkey-dom-inspector-1.0.9-0.20.el3.i386.rpm
seamonkey-js-debugger-1.0.9-0.20.el3.i386.rpm
seamonkey-mail-1.0.9-0.20.el3.i386.rpm
seamonkey-nspr-1.0.9-0.20.el3.i386.rpm
seamonkey-nspr-devel-1.0.9-0.20.el3.i386.rpm
seamonkey-nss-1.0.9-0.20.el3.i386.rpm
seamonkey-nss-devel-1.0.9-0.20.el3.i386.rpm

x86_64:
seamonkey-1.0.9-0.20.el3.i386.rpm
seamonkey-1.0.9-0.20.el3.x86_64.rpm
seamonkey-chat-1.0.9-0.20.el3.x86_64.rpm
seamonkey-debuginfo-1.0.9-0.20.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.20.el3.x86_64.rpm
seamonkey-devel-1.0.9-0.20.el3.x86_64.rpm
seamonkey-dom-inspector-1.0.9-0.20.el3.x86_64.rpm
seamonkey-js-debugger-1.0.9-0.20.el3.x86_64.rpm
seamonkey-mail-1.0.9-0.20.el3.x86_64.rpm
seamonkey-nspr-1.0.9-0.20.el3.i386.rpm
seamonkey-nspr-1.0.9-0.20.el3.x86_64.rpm
seamonkey-nspr-devel-1.0.9-0.20.el3.x86_64.rpm
seamonkey-nss-1.0.9-0.20.el3.i386.rpm
seamonkey-nss-1.0.9-0.20.el3.x86_64.rpm
seamonkey-nss-devel-1.0.9-0.20.el3.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

Source:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/seamonkey-1.0.9-0.20.el3.src.rpm

i386:
seamonkey-1.0.9-0.20.el3.i386.rpm
seamonkey-chat-1.0.9-0.20.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.20.el3.i386.rpm
seamonkey-devel-1.0.9-0.20.el3.i386.rpm
seamonkey-dom-inspector-1.0.9-0.20.el3.i386.rpm
seamonkey-js-debugger-1.0.9-0.20.el3.i386.rpm
seamonkey-mail-1.0.9-0.20.el3.i386.rpm
seamonkey-nspr-1.0.9-0.20.el3.i386.rpm
seamonkey-nspr-devel-1.0.9-0.20.el3.i386.rpm
seamonkey-nss-1.0.9-0.20.el3.i386.rpm
seamonkey-nss-devel-1.0.9-0.20.el3.i386.rpm

ia64:
seamonkey-1.0.9-0.20.el3.ia64.rpm
seamonkey-chat-1.0.9-0.20.el3.ia64.rpm
seamonkey-debuginfo-1.0.9-0.20.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.20.el3.ia64.rpm
seamonkey-devel-1.0.9-0.20.el3.ia64.rpm
seamonkey-dom-inspector-1.0.9-0.20.el3.ia64.rpm
seamonkey-js-debugger-1.0.9-0.20.el3.ia64.rpm
seamonkey-mail-1.0.9-0.20.el3.ia64.rpm
seamonkey-nspr-1.0.9-0.20.el3.i386.rpm
seamonkey-nspr-1.0.9-0.20.el3.ia64.rpm
seamonkey-nspr-devel-1.0.9-0.20.el3.ia64.rpm
seamonkey-nss-1.0.9-0.20.el3.i386.rpm
seamonkey-nss-1.0.9-0.20.el3.ia64.rpm
seamonkey-nss-devel-1.0.9-0.20.el3.ia64.rpm

x86_64:
seamonkey-1.0.9-0.20.el3.i386.rpm
seamonkey-1.0.9-0.20.el3.x86_64.rpm
seamonkey-chat-1.0.9-0.20.el3.x86_64.rpm
seamonkey-debuginfo-1.0.9-0.20.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.20.el3.x86_64.rpm
seamonkey-devel-1.0.9-0.20.el3.x86_64.rpm
seamonkey-dom-inspector-1.0.9-0.20.el3.x86_64.rpm
seamonkey-js-debugger-1.0.9-0.20.el3.x86_64.rpm
seamonkey-mail-1.0.9-0.20.el3.x86_64.rpm
seamonkey-nspr-1.0.9-0.20.el3.i386.rpm
seamonkey-nspr-1.0.9-0.20.el3.x86_64.rpm
seamonkey-nspr-devel-1.0.9-0.20.el3.x86_64.rpm
seamonkey-nss-1.0.9-0.20.el3.i386.rpm
seamonkey-nss-1.0.9-0.20.el3.x86_64.rpm
seamonkey-nss-devel-1.0.9-0.20.el3.x86_64.rpm

Red Hat Enterprise Linux WS version 3:

Source:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/seamonkey-1.0.9-0.20.el3.src.rpm

i386:
seamonkey-1.0.9-0.20.el3.i386.rpm
seamonkey-chat-1.0.9-0.20.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.20.el3.i386.rpm
seamonkey-devel-1.0.9-0.20.el3.i386.rpm
seamonkey-dom-inspector-1.0.9-0.20.el3.i386.rpm
seamonkey-js-debugger-1.0.9-0.20.el3.i386.rpm
seamonkey-mail-1.0.9-0.20.el3.i386.rpm
seamonkey-nspr-1.0.9-0.20.el3.i386.rpm
seamonkey-nspr-devel-1.0.9-0.20.el3.i386.rpm
seamonkey-nss-1.0.9-0.20.el3.i386.rpm
seamonkey-nss-devel-1.0.9-0.20.el3.i386.rpm

ia64:
seamonkey-1.0.9-0.20.el3.ia64.rpm
seamonkey-chat-1.0.9-0.20.el3.ia64.rpm
seamonkey-debuginfo-1.0.9-0.20.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.20.el3.ia64.rpm
seamonkey-devel-1.0.9-0.20.el3.ia64.rpm
seamonkey-dom-inspector-1.0.9-0.20.el3.ia64.rpm
seamonkey-js-debugger-1.0.9-0.20.el3.ia64.rpm
seamonkey-mail-1.0.9-0.20.el3.ia64.rpm
seamonkey-nspr-1.0.9-0.20.el3.i386.rpm
seamonkey-nspr-1.0.9-0.20.el3.ia64.rpm
seamonkey-nspr-devel-1.0.9-0.20.el3.ia64.rpm
seamonkey-nss-1.0.9-0.20.el3.i386.rpm
seamonkey-nss-1.0.9-0.20.el3.ia64.rpm
seamonkey-nss-devel-1.0.9-0.20.el3.ia64.rpm

x86_64:
seamonkey-1.0.9-0.20.el3.i386.rpm
seamonkey-1.0.9-0.20.el3.x86_64.rpm
seamonkey-chat-1.0.9-0.20.el3.x86_64.rpm
seamonkey-debuginfo-1.0.9-0.20.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.20.el3.x86_64.rpm
seamonkey-devel-1.0.9-0.20.el3.x86_64.rpm
seamonkey-dom-inspector-1.0.9-0.20.el3.x86_64.rpm
seamonkey-js-debugger-1.0.9-0.20.el3.x86_64.rpm
seamonkey-mail-1.0.9-0.20.el3.x86_64.rpm
seamonkey-nspr-1.0.9-0.20.el3.i386.rpm
seamonkey-nspr-1.0.9-0.20.el3.x86_64.rpm
seamonkey-nspr-devel-1.0.9-0.20.el3.x86_64.rpm
seamonkey-nss-1.0.9-0.20.el3.i386.rpm
seamonkey-nss-1.0.9-0.20.el3.x86_64.rpm
seamonkey-nss-devel-1.0.9-0.20.el3.x86_64.rpm

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/seamonkey-1.0.9-16.3.el4_6.src.rpm

i386:
seamonkey-1.0.9-16.3.el4_6.i386.rpm
seamonkey-chat-1.0.9-16.3.el4_6.i386.rpm
seamonkey-debuginfo-1.0.9-16.3.el4_6.i386.rpm
seamonkey-devel-1.0.9-16.3.el4_6.i386.rpm
seamonkey-dom-inspector-1.0.9-16.3.el4_6.i386.rpm
seamonkey-js-debugger-1.0.9-16.3.el4_6.i386.rpm
seamonkey-mail-1.0.9-16.3.el4_6.i386.rpm
seamonkey-nspr-1.0.9-16.3.el4_6.i386.rpm
seamonkey-nspr-devel-1.0.9-16.3.el4_6.i386.rpm
seamonkey-nss-1.0.9-16.3.el4_6.i386.rpm
seamonkey-nss-devel-1.0.9-16.3.el4_6.i386.rpm

ia64:
seamonkey-1.0.9-16.3.el4_6.ia64.rpm
seamonkey-chat-1.0.9-16.3.el4_6.ia64.rpm
seamonkey-debuginfo-1.0.9-16.3.el4_6.i386.rpm
seamonkey-debuginfo-1.0.9-16.3.el4_6.ia64.rpm
seamonkey-devel-1.0.9-16.3.el4_6.ia64.rpm
seamonkey-dom-inspector-1.0.9-16.3.el4_6.ia64.rpm
seamonkey-js-debugger-1.0.9-16.3.el4_6.ia64.rpm
seamonkey-mail-1.0.9-16.3.el4_6.ia64.rpm
seamonkey-nspr-1.0.9-16.3.el4_6.i386.rpm
seamonkey-nspr-1.0.9-16.3.el4_6.ia64.rpm
seamonkey-nspr-devel-1.0.9-16.3.el4_6.ia64.rpm
seamonkey-nss-1.0.9-16.3.el4_6.i386.rpm
seamonkey-nss-1.0.9-16.3.el4_6.ia64.rpm
seamonkey-nss-devel-1.0.9-16.3.el4_6.ia64.rpm

ppc:
seamonkey-1.0.9-16.3.el4_6.ppc.rpm
seamonkey-chat-1.0.9-16.3.el4_6.ppc.rpm
seamonkey-debuginfo-1.0.9-16.3.el4_6.ppc.rpm
seamonkey-devel-1.0.9-16.3.el4_6.ppc.rpm
seamonkey-dom-inspector-1.0.9-16.3.el4_6.ppc.rpm
seamonkey-js-debugger-1.0.9-16.3.el4_6.ppc.rpm
seamonkey-mail-1.0.9-16.3.el4_6.ppc.rpm
seamonkey-nspr-1.0.9-16.3.el4_6.ppc.rpm
seamonkey-nspr-devel-1.0.9-16.3.el4_6.ppc.rpm
seamonkey-nss-1.0.9-16.3.el4_6.ppc.rpm
seamonkey-nss-devel-1.0.9-16.3.el4_6.ppc.rpm

s390:
seamonkey-1.0.9-16.3.el4_6.s390.rpm
seamonkey-chat-1.0.9-16.3.el4_6.s390.rpm
seamonkey-debuginfo-1.0.9-16.3.el4_6.s390.rpm
seamonkey-devel-1.0.9-16.3.el4_6.s390.rpm
seamonkey-dom-inspector-1.0.9-16.3.el4_6.s390.rpm
seamonkey-js-debugger-1.0.9-16.3.el4_6.s390.rpm
seamonkey-mail-1.0.9-16.3.el4_6.s390.rpm
seamonkey-nspr-1.0.9-16.3.el4_6.s390.rpm
seamonkey-nspr-devel-1.0.9-16.3.el4_6.s390.rpm
seamonkey-nss-1.0.9-16.3.el4_6.s390.rpm
seamonkey-nss-devel-1.0.9-16.3.el4_6.s390.rpm

s390x:
seamonkey-1.0.9-16.3.el4_6.s390x.rpm
seamonkey-chat-1.0.9-16.3.el4_6.s390x.rpm
seamonkey-debuginfo-1.0.9-16.3.el4_6.s390.rpm
seamonkey-debuginfo-1.0.9-16.3.el4_6.s390x.rpm
seamonkey-devel-1.0.9-16.3.el4_6.s390x.rpm
seamonkey-dom-inspector-1.0.9-16.3.el4_6.s390x.rpm
seamonkey-js-debugger-1.0.9-16.3.el4_6.s390x.rpm
seamonkey-mail-1.0.9-16.3.el4_6.s390x.rpm
seamonkey-nspr-1.0.9-16.3.el4_6.s390.rpm
seamonkey-nspr-1.0.9-16.3.el4_6.s390x.rpm
seamonkey-nspr-devel-1.0.9-16.3.el4_6.s390x.rpm
seamonkey-nss-1.0.9-16.3.el4_6.s390.rpm
seamonkey-nss-1.0.9-16.3.el4_6.s390x.rpm
seamonkey-nss-devel-1.0.9-16.3.el4_6.s390x.rpm

x86_64:
seamonkey-1.0.9-16.3.el4_6.x86_64.rpm
seamonkey-chat-1.0.9-16.3.el4_6.x86_64.rpm
seamonkey-debuginfo-1.0.9-16.3.el4_6.i386.rpm
seamonkey-debuginfo-1.0.9-16.3.el4_6.x86_64.rpm
seamonkey-devel-1.0.9-16.3.el4_6.x86_64.rpm
seamonkey-dom-inspector-1.0.9-16.3.el4_6.x86_64.rpm
seamonkey-js-debugger-1.0.9-16.3.el4_6.x86_64.rpm
seamonkey-mail-1.0.9-16.3.el4_6.x86_64.rpm
seamonkey-nspr-1.0.9-16.3.el4_6.i386.rpm
seamonkey-nspr-1.0.9-16.3.el4_6.x86_64.rpm
seamonkey-nspr-devel-1.0.9-16.3.el4_6.x86_64.rpm
seamonkey-nss-1.0.9-16.3.el4_6.i386.rpm
seamonkey-nss-1.0.9-16.3.el4_6.x86_64.rpm
seamonkey-nss-devel-1.0.9-16.3.el4_6.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/seamonkey-1.0.9-16.3.el4_6.src.rpm

i386:
seamonkey-1.0.9-16.3.el4_6.i386.rpm
seamonkey-chat-1.0.9-16.3.el4_6.i386.rpm
seamonkey-debuginfo-1.0.9-16.3.el4_6.i386.rpm
seamonkey-devel-1.0.9-16.3.el4_6.i386.rpm
seamonkey-dom-inspector-1.0.9-16.3.el4_6.i386.rpm
seamonkey-js-debugger-1.0.9-16.3.el4_6.i386.rpm
seamonkey-mail-1.0.9-16.3.el4_6.i386.rpm
seamonkey-nspr-1.0.9-16.3.el4_6.i386.rpm
seamonkey-nspr-devel-1.0.9-16.3.el4_6.i386.rpm
seamonkey-nss-1.0.9-16.3.el4_6.i386.rpm
seamonkey-nss-devel-1.0.9-16.3.el4_6.i386.rpm

x86_64:
seamonkey-1.0.9-16.3.el4_6.x86_64.rpm
seamonkey-chat-1.0.9-16.3.el4_6.x86_64.rpm
seamonkey-debuginfo-1.0.9-16.3.el4_6.i386.rpm
seamonkey-debuginfo-1.0.9-16.3.el4_6.x86_64.rpm
seamonkey-devel-1.0.9-16.3.el4_6.x86_64.rpm
seamonkey-dom-inspector-1.0.9-16.3.el4_6.x86_64.rpm
seamonkey-js-debugger-1.0.9-16.3.el4_6.x86_64.rpm
seamonkey-mail-1.0.9-16.3.el4_6.x86_64.rpm
seamonkey-nspr-1.0.9-16.3.el4_6.i386.rpm
seamonkey-nspr-1.0.9-16.3.el4_6.x86_64.rpm
seamonkey-nspr-devel-1.0.9-16.3.el4_6.x86_64.rpm
seamonkey-nss-1.0.9-16.3.el4_6.i386.rpm
seamonkey-nss-1.0.9-16.3.el4_6.x86_64.rpm
seamonkey-nss-devel-1.0.9-16.3.el4_6.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/seamonkey-1.0.9-16.3.el4_6.src.rpm

i386:
seamonkey-1.0.9-16.3.el4_6.i386.rpm
seamonkey-chat-1.0.9-16.3.el4_6.i386.rpm
seamonkey-debuginfo-1.0.9-16.3.el4_6.i386.rpm
seamonkey-devel-1.0.9-16.3.el4_6.i386.rpm
seamonkey-dom-inspector-1.0.9-16.3.el4_6.i386.rpm
seamonkey-js-debugger-1.0.9-16.3.el4_6.i386.rpm
seamonkey-mail-1.0.9-16.3.el4_6.i386.rpm
seamonkey-nspr-1.0.9-16.3.el4_6.i386.rpm
seamonkey-nspr-devel-1.0.9-16.3.el4_6.i386.rpm
seamonkey-nss-1.0.9-16.3.el4_6.i386.rpm
seamonkey-nss-devel-1.0.9-16.3.el4_6.i386.rpm

ia64:
seamonkey-1.0.9-16.3.el4_6.ia64.rpm
seamonkey-chat-1.0.9-16.3.el4_6.ia64.rpm
seamonkey-debuginfo-1.0.9-16.3.el4_6.i386.rpm
seamonkey-debuginfo-1.0.9-16.3.el4_6.ia64.rpm
seamonkey-devel-1.0.9-16.3.el4_6.ia64.rpm
seamonkey-dom-inspector-1.0.9-16.3.el4_6.ia64.rpm
seamonkey-js-debugger-1.0.9-16.3.el4_6.ia64.rpm
seamonkey-mail-1.0.9-16.3.el4_6.ia64.rpm
seamonkey-nspr-1.0.9-16.3.el4_6.i386.rpm
seamonkey-nspr-1.0.9-16.3.el4_6.ia64.rpm
seamonkey-nspr-devel-1.0.9-16.3.el4_6.ia64.rpm
seamonkey-nss-1.0.9-16.3.el4_6.i386.rpm
seamonkey-nss-1.0.9-16.3.el4_6.ia64.rpm
seamonkey-nss-devel-1.0.9-16.3.el4_6.ia64.rpm

x86_64:
seamonkey-1.0.9-16.3.el4_6.x86_64.rpm
seamonkey-chat-1.0.9-16.3.el4_6.x86_64.rpm
seamonkey-debuginfo-1.0.9-16.3.el4_6.i386.rpm
seamonkey-debuginfo-1.0.9-16.3.el4_6.x86_64.rpm
seamonkey-devel-1.0.9-16.3.el4_6.x86_64.rpm
seamonkey-dom-inspector-1.0.9-16.3.el4_6.x86_64.rpm
seamonkey-js-debugger-1.0.9-16.3.el4_6.x86_64.rpm
seamonkey-mail-1.0.9-16.3.el4_6.x86_64.rpm
seamonkey-nspr-1.0.9-16.3.el4_6.i386.rpm
seamonkey-nspr-1.0.9-16.3.el4_6.x86_64.rpm
seamonkey-nspr-devel-1.0.9-16.3.el4_6.x86_64.rpm
seamonkey-nss-1.0.9-16.3.el4_6.i386.rpm
seamonkey-nss-1.0.9-16.3.el4_6.x86_64.rpm
seamonkey-nss-devel-1.0.9-16.3.el4_6.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/seamonkey-1.0.9-16.3.el4_6.src.rpm

i386:
seamonkey-1.0.9-16.3.el4_6.i386.rpm
seamonkey-chat-1.0.9-16.3.el4_6.i386.rpm
seamonkey-debuginfo-1.0.9-16.3.el4_6.i386.rpm
seamonkey-devel-1.0.9-16.3.el4_6.i386.rpm
seamonkey-dom-inspector-1.0.9-16.3.el4_6.i386.rpm
seamonkey-js-debugger-1.0.9-16.3.el4_6.i386.rpm
seamonkey-mail-1.0.9-16.3.el4_6.i386.rpm
seamonkey-nspr-1.0.9-16.3.el4_6.i386.rpm
seamonkey-nspr-devel-1.0.9-16.3.el4_6.i386.rpm
seamonkey-nss-1.0.9-16.3.el4_6.i386.rpm
seamonkey-nss-devel-1.0.9-16.3.el4_6.i386.rpm

ia64:
seamonkey-1.0.9-16.3.el4_6.ia64.rpm
seamonkey-chat-1.0.9-16.3.el4_6.ia64.rpm
seamonkey-debuginfo-1.0.9-16.3.el4_6.i386.rpm
seamonkey-debuginfo-1.0.9-16.3.el4_6.ia64.rpm
seamonkey-devel-1.0.9-16.3.el4_6.ia64.rpm
seamonkey-dom-inspector-1.0.9-16.3.el4_6.ia64.rpm
seamonkey-js-debugger-1.0.9-16.3.el4_6.ia64.rpm
seamonkey-mail-1.0.9-16.3.el4_6.ia64.rpm
seamonkey-nspr-1.0.9-16.3.el4_6.i386.rpm
seamonkey-nspr-1.0.9-16.3.el4_6.ia64.rpm
seamonkey-nspr-devel-1.0.9-16.3.el4_6.ia64.rpm
seamonkey-nss-1.0.9-16.3.el4_6.i386.rpm
seamonkey-nss-1.0.9-16.3.el4_6.ia64.rpm
seamonkey-nss-devel-1.0.9-16.3.el4_6.ia64.rpm

x86_64:
seamonkey-1.0.9-16.3.el4_6.x86_64.rpm
seamonkey-chat-1.0.9-16.3.el4_6.x86_64.rpm
seamonkey-debuginfo-1.0.9-16.3.el4_6.i386.rpm
seamonkey-debuginfo-1.0.9-16.3.el4_6.x86_64.rpm
seamonkey-devel-1.0.9-16.3.el4_6.x86_64.rpm
seamonkey-dom-inspector-1.0.9-16.3.el4_6.x86_64.rpm
seamonkey-js-debugger-1.0.9-16.3.el4_6.x86_64.rpm
seamonkey-mail-1.0.9-16.3.el4_6.x86_64.rpm
seamonkey-nspr-1.0.9-16.3.el4_6.i386.rpm
seamonkey-nspr-1.0.9-16.3.el4_6.x86_64.rpm
seamonkey-nspr-devel-1.0.9-16.3.el4_6.x86_64.rpm
seamonkey-nss-1.0.9-16.3.el4_6.i386.rpm
seamonkey-nss-1.0.9-16.3.el4_6.x86_64.rpm
seamonkey-nss-devel-1.0.9-16.3.el4_6.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package
7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2798
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2799
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2800
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2801
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2802
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2803
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2805
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2807
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2808
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2809
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2810
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2811
http://www.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2008 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFIa3wnXlSAg2UNWIIRAibtAJwOdpoKnWhXHWLIx56KCxO1oD3W4gCfTV7y
H5oWEzWHvYkstR5vIyyahmI=
=v9US
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Wed Jul  2 13:01:48 2008
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 2 Jul 2008 09:01:48 -0400
Subject: [RHSA-2008:0549-01] Critical: firefox security update
Message-ID: <200807021301.m62D1mX7006657@pobox.devel.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: firefox security update
Advisory ID:       RHSA-2008:0549-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2008-0549.html
Issue date:        2008-07-02
CVE Names:         CVE-2008-2798 CVE-2008-2799 CVE-2008-2800 CVE-2008-2801
                   CVE-2008-2802 CVE-2008-2803 CVE-2008-2805 CVE-2008-2807
                   CVE-2008-2808 CVE-2008-2809 CVE-2008-2810 CVE-2008-2811
=====================================================================

1. Summary:

An updated firefox package that fixes several security issues is now available for Red Hat Enterprise Linux 4.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

3. Description:

Mozilla Firefox is an open source Web browser.

Multiple flaws were found in the processing of malformed JavaScript content. A web page containing such malicious content could cause Firefox to crash or, potentially, execute arbitrary code as the user running Firefox. (CVE-2008-2801, CVE-2008-2802, CVE-2008-2803)

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code as the user running Firefox. (CVE-2008-2798, CVE-2008-2799, CVE-2008-2811)

Several flaws were found in the way malformed web content was displayed. A web page containing specially-crafted content could potentially trick a Firefox user into surrendering sensitive information. (CVE-2008-2800)

Two local file disclosure flaws were found in Firefox. A web page containing malicious content could cause Firefox to reveal the contents of a local file to a remote attacker. (CVE-2008-2805, CVE-2008-2810)

A flaw was found in the way a malformed .properties file was processed by Firefox. A malicious extension could read uninitialized memory, possibly leaking sensitive data to the extension. (CVE-2008-2807)

A flaw was found in the way Firefox escaped a listing of local file names. If a user could be tricked into listing a local directory containing malicious file names, arbitrary JavaScript could be run with the permissions of the user running Firefox. (CVE-2008-2808)

A flaw was found in the way Firefox displayed information about self-signed certificates. It was possible for a self-signed certificate to contain multiple alternate name entries, which were not all displayed to the user, allowing them to mistakenly extend trust to an unknown site. (CVE-2008-2809)

All Mozilla Firefox users should upgrade to this updated package, which contains backported patches that correct these issues.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/FAQ_58_10188

5. Bugs fixed (http://bugzilla.redhat.com/):

452597 - CVE-2008-2798 Firefox malformed web content flaws
452598 - CVE-2008-2799 Firefox javascript arbitrary code execution
452599 - CVE-2008-2800 Firefox XSS attacks
452600 - CVE-2008-2802 Firefox arbitrary JavaScript code execution
452602 - CVE-2008-2803 Firefox javascript arbitrary code execution
452604 - CVE-2008-2805 Firefox arbitrary file disclosure
452605 - CVE-2008-2801 Firefox arbitrary signed JAR code execution
452709 - CVE-2008-2807 Firefox .properties memory leak
452710 - CVE-2008-2808 Firefox file location escaping flaw
452711 - CVE-2008-2809 Firefox self signed certificate flaw
452712 - CVE-2008-2810 Firefox arbitrary file disclosure
453007 - CVE-2008-2811 Firefox block reflow flaw
6. Package List:

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/firefox-1.5.0.12-0.19.el4.src.rpm

i386:
firefox-1.5.0.12-0.19.el4.i386.rpm
firefox-debuginfo-1.5.0.12-0.19.el4.i386.rpm

ia64:
firefox-1.5.0.12-0.19.el4.ia64.rpm
firefox-debuginfo-1.5.0.12-0.19.el4.ia64.rpm

ppc:
firefox-1.5.0.12-0.19.el4.ppc.rpm
firefox-debuginfo-1.5.0.12-0.19.el4.ppc.rpm

s390:
firefox-1.5.0.12-0.19.el4.s390.rpm
firefox-debuginfo-1.5.0.12-0.19.el4.s390.rpm

s390x:
firefox-1.5.0.12-0.19.el4.s390x.rpm
firefox-debuginfo-1.5.0.12-0.19.el4.s390x.rpm

x86_64:
firefox-1.5.0.12-0.19.el4.x86_64.rpm
firefox-debuginfo-1.5.0.12-0.19.el4.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/firefox-1.5.0.12-0.19.el4.src.rpm

i386:
firefox-1.5.0.12-0.19.el4.i386.rpm
firefox-debuginfo-1.5.0.12-0.19.el4.i386.rpm

x86_64:
firefox-1.5.0.12-0.19.el4.x86_64.rpm
firefox-debuginfo-1.5.0.12-0.19.el4.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/firefox-1.5.0.12-0.19.el4.src.rpm

i386:
firefox-1.5.0.12-0.19.el4.i386.rpm
firefox-debuginfo-1.5.0.12-0.19.el4.i386.rpm

ia64:
firefox-1.5.0.12-0.19.el4.ia64.rpm
firefox-debuginfo-1.5.0.12-0.19.el4.ia64.rpm

x86_64:
firefox-1.5.0.12-0.19.el4.x86_64.rpm
firefox-debuginfo-1.5.0.12-0.19.el4.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/firefox-1.5.0.12-0.19.el4.src.rpm

i386:
firefox-1.5.0.12-0.19.el4.i386.rpm
firefox-debuginfo-1.5.0.12-0.19.el4.i386.rpm

ia64:
firefox-1.5.0.12-0.19.el4.ia64.rpm
firefox-debuginfo-1.5.0.12-0.19.el4.ia64.rpm

x86_64:
firefox-1.5.0.12-0.19.el4.x86_64.rpm
firefox-debuginfo-1.5.0.12-0.19.el4.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package
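The package lists in this advisory and in the seamonkey advisory above give the first fixed version-release of each build; "is the installed package at least that build" is the check an auditor actually runs, and it has to be done with rpm's own version ordering, not string comparison (0.9 sorts below 16.3, and 0.17.el2 only means anything against the RHEL 2.1 build). The following is an added example, not Red Hat tooling: a Python port of rpm's rpmvercmp() that classifies `rpm -q` output against the fixed builds listed here. Assumptions: epoch 0 for every listed package; tilde ordering as in current rpm, caret ordering omitted; the RHEL 5 firefox build from RHSA-2008:0569 is left out because its package list is not in this section; the sample `rpm -q` output is constructed, and the function and table names are the example's own.

```python
import re

# First fixed version-release per (source package, dist tag), taken from the
# package lists of RHSA-2008:0547 (seamonkey) and RHSA-2008:0549 (firefox, RHEL 4).
# Epoch 0 is assumed for all of them (none of the listed builds carries one).
ADVISORY_FIXED = {
    ("seamonkey", "el2"): "1.0.9-0.17.el2",
    ("seamonkey", "el3"): "1.0.9-0.20.el3",
    ("seamonkey", "el4"): "1.0.9-16.3.el4_6",
    ("firefox", "el4"): "1.5.0.12-0.19.el4",
}
ARCHES = ("i386", "ia64", "ppc", "s390", "s390x", "x86_64", "noarch", "src")


def rpmvercmp(a, b):
    """Port of rpm's rpmvercmp(): -1 if a < b, 0 if equal, 1 if a > b.

    Runs of digits compare numerically, runs of letters compare as strings,
    a digit run beats a letter run, separators are ignored, and '~' sorts
    before everything including end of string (1.0~rc1 < 1.0).
    The '^' rule of newer rpm is omitted."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        ta = i < len(a) and a[i] == "~"
        tb = j < len(b) and b[j] == "~"
        if ta or tb:
            if not ta:
                return 1
            if not tb:
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        isnum = a[i].isdigit()
        pred = str.isdigit if isnum else str.isalpha
        si, sj = i, j
        while i < len(a) and pred(a[i]):
            i += 1
        while j < len(b) and pred(b[j]):
            j += 1
        seg_a, seg_b = a[si:i], b[sj:j]
        if not seg_b:          # one side numeric, the other alphabetic
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    if i >= len(a):
        return 1 if b[j] == "~" else -1
    return -1 if a[i] == "~" else 1


def parse_nevr(pkg):
    """'name-[epoch:]version-release[.arch]' -> (name, epoch, version, release)."""
    base, _, tail = pkg.rpartition(".")
    if tail in ARCHES:
        pkg = base
    name, version, release = pkg.rsplit("-", 2)
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    return name, epoch, version, release


def evrcmp(evr_a, evr_b):
    """Order (epoch, version, release) tuples the way rpm orders packages."""
    if evr_a[0] != evr_b[0]:
        return 1 if evr_a[0] > evr_b[0] else -1
    return rpmvercmp(evr_a[1], evr_b[1]) or rpmvercmp(evr_a[2], evr_b[2])


def check_installed(pkg):
    """Classify one `rpm -q` line as 'fixed', 'vulnerable' or 'unknown'.

    The dist tag (el2/el3/el4) selects which fixed build applies; comparing
    across products is meaningless. Sub-packages such as seamonkey-mail are
    built from the same source RPM and are judged by the seamonkey entry."""
    name, epoch, version, release = parse_nevr(pkg)
    m = re.search(r"\.(el\d+)", release)
    if not m:
        return "unknown"
    dist = m.group(1)
    for (src, tag), fixed in ADVISORY_FIXED.items():
        if tag == dist and (name == src or name.startswith(src + "-")):
            fixed_v, fixed_r = fixed.rsplit("-", 1)
            ok = evrcmp((epoch, version, release), (0, fixed_v, fixed_r)) >= 0
            return "fixed" if ok else "vulnerable"
    return "unknown"


def audit(rpm_q_output):
    """Run check_installed over the lines of `rpm -qa 'seamonkey*' firefox`."""
    results = {}
    for line in rpm_q_output.strip().splitlines():
        line = line.strip()
        if line and not line.endswith("is not installed"):
            results[line] = check_installed(line)
    return results


if __name__ == "__main__":
    # Constructed sample of `rpm -q` output from a RHEL 4 host before the update.
    sample = "seamonkey-1.0.9-16.2.el4_6\nseamonkey-mail-1.0.9-16.2.el4_6\nfirefox-1.5.0.12-0.18.el4\n"
    for pkg, verdict in audit(sample).items():
        print(f"{verdict:10s} {pkg}")
```

Version comparison tells you whether the advisory's build is installed; it does not tell you whether the file on disk is that build. Pair it with `rpm -K` on the downloaded packages and `rpm -V` on the installed ones, using the Red Hat key referenced above, before trusting the verdict.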
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2798 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2799 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2800 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2801 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2802 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2803 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2805 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2807 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2808 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2809 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2810 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2811 http://www.redhat.com/security/updates/classification/#critical 8. Contact: The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/ Copyright 2008 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFIa3w6XlSAg2UNWIIRAtfkAJ9E9//fKb6pCnz93elzWJUsMNaDbQCdEByv 9G9/WvETDac5pG/g1rAPuJk= =Qdo6 -----END PGP SIGNATURE----- From bugzilla at redhat.com Wed Jul 2 13:01:58 2008 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Wed, 2 Jul 2008 09:01:58 -0400 Subject: [RHSA-2008:0569-01] Critical: firefox security update Message-ID: <200807021301.m62D1wWF006670@pobox.devel.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Critical: firefox security update Advisory ID: RHSA-2008:0569-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2008-0569.html Issue date: 2008-07-02 CVE Names: CVE-2008-2798 CVE-2008-2799 CVE-2008-2800 CVE-2008-2801 CVE-2008-2802 CVE-2008-2803 CVE-2008-2805 CVE-2008-2807 CVE-2008-2808 CVE-2008-2809 CVE-2008-2810 CVE-2008-2811 ===================================================================== 1. 
1. Summary:

Updated firefox packages that fix several security issues are now available for Red Hat Enterprise Linux 5.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64

3. Description:

Mozilla Firefox is an open source Web browser.

Multiple flaws were found in the processing of malformed JavaScript content. A web page containing such malicious content could cause Firefox to crash or, potentially, execute arbitrary code as the user running Firefox. (CVE-2008-2801, CVE-2008-2802, CVE-2008-2803)

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code as the user running Firefox. (CVE-2008-2798, CVE-2008-2799, CVE-2008-2811)

Several flaws were found in the way malformed web content was displayed. A web page containing specially-crafted content could potentially trick a Firefox user into surrendering sensitive information. (CVE-2008-2800)

Two local file disclosure flaws were found in Firefox. A web page containing malicious content could cause Firefox to reveal the contents of a local file to a remote attacker. (CVE-2008-2805, CVE-2008-2810)

A flaw was found in the way a malformed .properties file was processed by Firefox. A malicious extension could read uninitialized memory, possibly leaking sensitive data to the extension. (CVE-2008-2807)

A flaw was found in the way Firefox escaped a listing of local file names. If a user could be tricked into listing a local directory containing malicious file names, arbitrary JavaScript could be run with the permissions of the user running Firefox.
(CVE-2008-2808)

A flaw was found in the way Firefox displayed information about self-signed certificates. It was possible for a self-signed certificate to contain multiple alternate name entries, which were not all displayed to the user, allowing them to mistakenly extend trust to an unknown site. (CVE-2008-2809)

All Mozilla Firefox users should upgrade to these updated packages, which contain backported patches that correct these issues.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/FAQ_58_10188

5. Bugs fixed (http://bugzilla.redhat.com/):

452597 - CVE-2008-2798 Firefox malformed web content flaws
452598 - CVE-2008-2799 Firefox javascript arbitrary code execution
452599 - CVE-2008-2800 Firefox XSS attacks
452600 - CVE-2008-2802 Firefox arbitrary JavaScript code execution
452602 - CVE-2008-2803 Firefox javascript arbitrary code execution
452604 - CVE-2008-2805 Firefox arbitrary file disclosure
452605 - CVE-2008-2801 Firefox arbitrary signed JAR code execution
452709 - CVE-2008-2807 Firefox .properties memory leak
452710 - CVE-2008-2808 Firefox file location escaping flaw
452711 - CVE-2008-2809 Firefox self signed certificate flaw
452712 - CVE-2008-2810 Firefox arbitrary file disclosure
453007 - CVE-2008-2811 Firefox block reflow flaw

6. Package List:
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package
7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2798
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2799
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2800
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2801
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2802
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2803
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2805
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2807
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2808
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2809
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2810
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2811
http://www.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2008 Red Hat, Inc.

From bugzilla at redhat.com Wed Jul 2 13:06:45 2008
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 2 Jul 2008 09:06:45 -0400
Subject: [RHSA-2008:0510-01] Moderate: Red Hat Application Stack v1.3 security and enhancement update
Message-ID: <200807021306.m62D6jEe007597@pobox.devel.redhat.com>

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Red Hat Application Stack v1.3 security and enhancement update
Advisory ID: RHSA-2008:0510-01
Product: Red Hat Application Stack
Advisory URL: https://rhn.redhat.com/errata/RHSA-2008-0510.html
Issue date: 2008-07-02
CVE Names: CVE-2008-2079
=====================================================================

1. Summary:

Red Hat Application Stack v1.3 is now available.
This update fixes a security issue and adds several enhancements.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Application Stack v1 for Enterprise Linux AS (v.4) - i386, x86_64
Red Hat Application Stack v1 for Enterprise Linux ES (v.4) - i386, x86_64

3. Description:

The Red Hat Application Stack is an integrated open source application stack, and includes JBoss Enterprise Application Platform (EAP).

Starting with this update, JBoss EAP is no longer provided via the Application Stack channels. Instead, all Application Stack customers are automatically entitled to the JBoss EAP channels. This ensures all users have immediate access to JBoss EAP packages when they are released, reducing the wait for security and critical patches. As a result, you must MANUALLY subscribe to the appropriate JBoss EAP channel, as all further JBoss EAP updates will only go to that channel.

This update also entitles all customers to the JBoss EAP 4.3.0 channels. Users receive support for JBoss EAP 4.3.0 if they choose to install it. Important: downgrading from JBoss EAP 4.3.0 to 4.2.0 is unsupported.

MySQL was updated to version 5.0.50sp1a, fixing the following security issue:

MySQL did not correctly check directories used as arguments for the DATA DIRECTORY and INDEX DIRECTORY directives. Using this flaw, an authenticated attacker could elevate their access privileges to tables created by other database users. Note: this attack does not work on existing tables. An attacker can only elevate their access to another user's tables as the tables are created. In addition, the names of these created tables need to be predicted correctly for this attack to succeed.
(CVE-2008-2079)

The following packages are updated:

* httpd to 2.0.63
* mod_jk to 1.2.26
* the MySQL Connector/ODBC to 3.51.24r1071
* perl-DBD-MySQL to 4.006
* perl-DBI to 1.604
* postgresqlclient7 to 7.4.19
* postgresql-jdbc to 8.1.412
* unixODBC to 2.2.12

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/FAQ_58_10188

5. Bugs fixed (http://bugzilla.redhat.com/):

445222 - CVE-2008-2079 mysql: privilege escalation via DATA/INDEX DIRECTORY directives

6. Package List:
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2079
http://www.redhat.com/docs/en-US/Red_Hat_Application_Stack/1.3/html-single/Release_Notes/
http://www.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is .
More contact details at https://www.redhat.com/security/team/contact/

Copyright 2008 Red Hat, Inc.

From bugzilla at redhat.com Wed Jul 2 13:17:19 2008
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 2 Jul 2008 09:17:19 -0400
Subject: [RHSA-2008:0505-01] Moderate: Red Hat Application Stack v2.1 security and enhancement update
Message-ID: <200807021317.m62DHJaA009852@pobox.devel.redhat.com>

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Red Hat Application Stack v2.1 security and enhancement update
Advisory ID: RHSA-2008:0505-01
Product: Red Hat Application Stack
Advisory URL: https://rhn.redhat.com/errata/RHSA-2008-0505.html
Issue date: 2008-07-02
CVE Names: CVE-2008-2079 CVE-2008-2051 CVE-2007-5898 CVE-2007-5899 CVE-2007-4782 CVE-2008-2107 CVE-2008-2108 CVE-2008-0599
=====================================================================

1. Summary:

Red Hat Application Stack v2.1 is now available. This update fixes various security issues and adds several enhancements.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Application Stack v2 for Enterprise Linux (v.5) - i386, noarch, x86_64

3. Description:

The Red Hat Application Stack is an integrated open source application stack, and includes JBoss Enterprise Application Platform (EAP).

Starting with this update, JBoss EAP is no longer provided via the Application Stack channels. Instead, all Application Stack customers are automatically entitled to the JBoss EAP channels.
This ensures all users have immediate access to JBoss EAP packages when they are released, reducing the wait for security and critical patches. As a result, you must MANUALLY subscribe to the appropriate JBoss EAP channel, as all further JBoss EAP updates will only go to that channel.

This update also entitles all customers to the JBoss EAP 4.3.0 channels. Users receive support for JBoss EAP 4.3.0 if they choose to install it. Important: downgrading from JBoss EAP 4.3.0 to 4.2.0 is unsupported.

PHP was updated to version 5.2.6, fixing the following security issues:

It was discovered that the PHP escapeshellcmd() function did not properly escape multi-byte characters which are not valid in the locale used by the script. This could allow an attacker to bypass quoting restrictions imposed by escapeshellcmd() and execute arbitrary commands if the PHP script was using certain locales. Scripts using the default UTF-8 locale are not affected by this issue. (CVE-2008-2051)

The PHP functions htmlentities() and htmlspecialchars() did not properly recognize partial multi-byte sequences. Certain sequences of bytes could be passed through these functions without being correctly HTML-escaped. Depending on the browser being used, an attacker could use this flaw to conduct cross-site scripting attacks. (CVE-2007-5898)

A PHP script which used the transparent session ID configuration option, or which used the output_add_rewrite_var() function, could leak session identifiers to external web sites. If a page included an HTML form with an ACTION attribute referencing a non-local URL, the user's session ID would be included in the form data passed to that URL. (CVE-2007-5899)

It was discovered that the PHP fnmatch() function did not restrict the length of the string argument. An attacker could use this flaw to crash the PHP interpreter where a script used fnmatch() on untrusted input data.
(CVE-2007-4782)

It was discovered that PHP did not properly seed its pseudo-random number generator used by functions such as rand() and mt_rand(), possibly allowing an attacker to easily predict the generated pseudo-random values. (CVE-2008-2107, CVE-2008-2108)

A flaw was found in PHP's CGI server API. If the web server did not set the DOCUMENT_ROOT environment variable for PHP (e.g. when running PHP in the FastCGI server mode), an attacker could cause a crash of the PHP child process, causing a temporary denial of service. (CVE-2008-0599)

MySQL was updated to version 5.0.50sp1a, fixing the following security issue:

MySQL did not correctly check directories used as arguments for the DATA DIRECTORY and INDEX DIRECTORY directives. Using this flaw, an authenticated attacker could elevate their access privileges to tables created by other database users. Note: this attack does not work on existing tables. An attacker can only elevate their access to another user's tables as the tables are created. In addition, the names of these created tables need to be predicted correctly for this attack to succeed. (CVE-2008-2079)

The following packages are updated:

* httpd to 2.2.8
* mod_jk to 1.2.26
* mod_perl to 2.0.4
* the MySQL Connector/ODBC to 3.51.24r1071
* the MySQL Connector/J (JDBC driver) to 5.0.8
* perl-DBD-MySQL to 4.006
* perl-DBI to 1.604
* postgresql to 8.2.7
* postgresql-jdbc to 8.2.508
* postgresqlclient81 to 8.1.11
* postgresql-odbc to 8.02.0500

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/FAQ_58_10188
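The solution sections of the advisories on this page all reduce to the same check: is every affected package on a host at or above the fixed build named in the package list? As an added example (not Red Hat's own tooling), the Python below implements rpm's version-comparison rules, so releases such as 2.el4s1.1 or the sp1a suffix of mysql compare correctly, and audits a constructed installed inventory against fixed builds taken from this page; the inventory format mirrors what `rpm -qa --qf '%{NAME}-%{EPOCH}:%{VERSION}-%{RELEASE}\n'` prints, which is an assumption about the query format rather than anything the advisories state.

```python
import re

# Segment a version/release string into digit runs, alpha runs and '~' markers;
# separators such as '.', '-' and '_' are skipped, as rpm's rpmvercmp() does.
_SEGMENT = re.compile(r"\d+|[A-Za-z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version (or release) strings the way rpm does.

    Digit runs compare numerically, alpha runs lexically, a digit run beats an
    alpha run at the same position, and '~' sorts before everything (so
    1.0~rc1 < 1.0). Returns -1, 0 or 1.
    """
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":
            if x != y:
                return -1 if x == "~" else 1
            continue
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return 1 if xi > yi else -1
        elif x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    # Shared prefix is equal: the string with more segments is newer,
    # unless its next segment is a '~' pre-release marker.
    longer, rest = (1, sa[len(sb):]) if len(sa) > len(sb) else (-1, sb[len(sa):])
    return -longer if rest[0] == "~" else longer


def parse_nevr(nevr: str):
    """Split 'name-[epoch:]version-release' into (name, epoch, version, release).

    Accepts the literal '(none)' that rpm --qf prints for a missing epoch.
    """
    name, version, release = nevr.rsplit("-", 2)
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = 0 if e == "(none)" else int(e)
    return name, epoch, version, release


def filename_to_nevr(filename: str) -> str:
    """'firefox-3.0-2.el5.i386.rpm' -> 'firefox-3.0-2.el5' (drops .arch.rpm or .src.rpm)."""
    if filename.endswith(".rpm"):
        filename = filename[:-4]
    return filename.rsplit(".", 1)[0]


def compare_nevr(installed: str, fixed: str) -> int:
    """-1 if installed is older than fixed, 0 if equal, 1 if newer: epoch, then version, then release."""
    _, ei, vi, ri = parse_nevr(installed)
    _, ef, vf, rf = parse_nevr(fixed)
    if ei != ef:
        return 1 if ei > ef else -1
    return rpmvercmp(vi, vf) or rpmvercmp(ri, rf)


def audit(installed, advisory_files):
    """For each installed package the advisory names, report 'ok' or 'VULNERABLE'."""
    fixed = {}
    for f in advisory_files:
        nevr = filename_to_nevr(f)
        fixed[parse_nevr(nevr)[0]] = nevr
    report = {}
    for nevr in installed:
        name = parse_nevr(nevr)[0]
        if name in fixed:  # packages the advisory does not cover are skipped
            report[name] = "ok" if compare_nevr(nevr, fixed[name]) >= 0 else "VULNERABLE"
    return report


# Fixed builds copied from the package lists of the advisories on this page.
ADVISORY_FILES = [
    "firefox-3.0-2.el5.i386.rpm",
    "xulrunner-1.9-1.el5.i386.rpm",
    "mysql-5.0.50sp1a-2.el4s1.1.i386.rpm",
    "php-5.2.6-2.el5s2.i386.rpm",
    "httpd-2.2.8-1.el5s2.i386.rpm",
]

# Constructed sample inventory (not from any real host) in rpm --qf output form.
INSTALLED = [
    "firefox-(none):1.5.0.12-0.15.el5",
    "xulrunner-(none):1.9-1.el5",
    "mysql-(none):5.0.50sp1a-1.el4s1.1",
    "php-(none):5.2.6-2.el5s2",
    "httpd-(none):2.2.8-1.el5s2",
    "bash-(none):3.2-21.el5",
]

if __name__ == "__main__":
    for name, status in sorted(audit(INSTALLED, ADVISORY_FILES).items()):
        print(f"{name:12s} {status}")
```

This only checks version strings; on a real host, `rpm -K <package>.rpm` additionally verifies the Red Hat GPG signature the advisory refers to, which an offline comparison cannot do.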
5. Bugs fixed (http://bugzilla.redhat.com/):

285881 - CVE-2007-4782 php crash in glob() and fnmatch() functions
382411 - CVE-2007-5898 php htmlentities/htmlspecialchars multibyte sequences
382431 - CVE-2007-5899 php session ID leakage
445003 - CVE-2008-0599 php: buffer overflow in a CGI path translation
445006 - CVE-2008-2051 PHP multibyte shell escape flaw
445222 - CVE-2008-2079 mysql: privilege escalation via DATA/INDEX DIRECTORY directives
445684 - CVE-2008-2107 PHP 32 bit weak random seed
445685 - CVE-2008-2108 PHP weak 64 bit random seed

6. Package List:
php-dba-5.2.6-2.el5s2.x86_64.rpm php-debuginfo-5.2.6-2.el5s2.x86_64.rpm php-devel-5.2.6-2.el5s2.x86_64.rpm php-gd-5.2.6-2.el5s2.x86_64.rpm php-imap-5.2.6-2.el5s2.x86_64.rpm php-ldap-5.2.6-2.el5s2.x86_64.rpm php-mbstring-5.2.6-2.el5s2.x86_64.rpm php-mysql-5.2.6-2.el5s2.x86_64.rpm php-ncurses-5.2.6-2.el5s2.x86_64.rpm php-odbc-5.2.6-2.el5s2.x86_64.rpm php-pdo-5.2.6-2.el5s2.x86_64.rpm php-pgsql-5.2.6-2.el5s2.x86_64.rpm php-snmp-5.2.6-2.el5s2.x86_64.rpm php-soap-5.2.6-2.el5s2.x86_64.rpm php-xml-5.2.6-2.el5s2.x86_64.rpm php-xmlrpc-5.2.6-2.el5s2.x86_64.rpm postgresql-8.2.9-1.el5s2.x86_64.rpm postgresql-contrib-8.2.9-1.el5s2.x86_64.rpm postgresql-debuginfo-8.2.9-1.el5s2.x86_64.rpm postgresql-devel-8.2.9-1.el5s2.x86_64.rpm postgresql-docs-8.2.9-1.el5s2.x86_64.rpm postgresql-jdbc-8.2.508-1jpp.el5s2.x86_64.rpm postgresql-jdbc-debuginfo-8.2.508-1jpp.el5s2.x86_64.rpm postgresql-libs-8.2.9-1.el5s2.x86_64.rpm postgresql-odbc-08.02.0500-1.el5s2.x86_64.rpm postgresql-odbc-debuginfo-08.02.0500-1.el5s2.x86_64.rpm postgresql-plperl-8.2.9-1.el5s2.x86_64.rpm postgresql-plpython-8.2.9-1.el5s2.x86_64.rpm postgresql-pltcl-8.2.9-1.el5s2.x86_64.rpm postgresql-python-8.2.9-1.el5s2.x86_64.rpm postgresql-server-8.2.9-1.el5s2.x86_64.rpm postgresql-tcl-8.2.9-1.el5s2.x86_64.rpm postgresql-test-8.2.9-1.el5s2.x86_64.rpm postgresqlclient81-8.1.11-1.el5s2.x86_64.rpm postgresqlclient81-debuginfo-8.1.11-1.el5s2.x86_64.rpm unixODBC-2.2.12-8.el5s2.x86_64.rpm unixODBC-debuginfo-2.2.12-8.el5s2.x86_64.rpm unixODBC-devel-2.2.12-8.el5s2.x86_64.rpm unixODBC-kde-2.2.12-8.el5s2.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package 7. 
References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2079
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2051
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5898
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5899
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4782
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2107
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2108
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0599
http://www.redhat.com/docs/en-US/Red_Hat_Application_Stack/2.1/html-single/Release_Notes/
http://www.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2008 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFIa39+XlSAg2UNWIIRAhWAAJ9sMvdJoV3iUoms2ggLAsIS3G2WuACfUID0
a66OVz+Vp0VuKf8vME1+XYo=
=qDIz
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Jul 9 07:28:11 2008
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 9 Jul 2008 03:28:11 -0400
Subject: [RHSA-2008:0533-01] Important: bind security update
Message-ID: <200807090728.m697SBKf015785@pobox.devel.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: bind security update
Advisory ID:       RHSA-2008:0533-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2008-0533.html
Issue date:        2008-07-09
CVE Names:         CVE-2008-1447
=====================================================================

1. Summary:

Updated bind packages that help mitigate DNS spoofing attacks are now available.

This update has been rated as having important security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64
Red Hat Linux Advanced Workstation 2.1 - ia64
Red Hat Enterprise Linux ES version 2.1 - i386
Red Hat Enterprise Linux WS version 2.1 - i386
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux AS version 4 - i386, ia64, noarch, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, noarch, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, noarch, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, noarch, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, noarch, x86_64
RHEL Desktop Workstation (v. 5 client) - i386, noarch, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, noarch, ppc, s390x, x86_64

3. Description:

ISC BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols.

The DNS protocol protects against spoofing attacks by requiring an attacker to predict both the DNS transaction ID and UDP source port of a request. In recent years, a number of papers have found problems with DNS implementations which make it easier for an attacker to perform DNS cache-poisoning attacks.

Previous versions of BIND did not use randomized UDP source ports. If an attacker was able to predict the random DNS transaction ID, this could make DNS cache-poisoning attacks easier. In order to provide more resilience, BIND has been updated to use a range of random UDP source ports. (CVE-2008-1447)

Note: This errata also updates SELinux policy on Red Hat Enterprise Linux 4 and 5 to allow BIND to use random UDP source ports.

Users of BIND are advised to upgrade to these updated packages, which contain a backported patch to add this functionality.
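The arithmetic behind the description above (why a fixed source port leaves only the 16-bit transaction ID to be guessed, and how much a range of random ports adds), together with the check a defender runs on a resolver's outgoing queries to confirm it really does use more than one source port after the update. This is an added Python example, not part of the advisory or of BIND: the sample query records are constructed, the 1024-65535 port range and the `min_distinct` threshold are assumptions, and the function names are the example's own.

```python
import math
from collections import Counter

TXID_BITS = 16  # the DNS transaction ID is a 16-bit header field


def guess_space_bits(port_count):
    """Bits an off-path spoofer has to guess per outstanding query: the
    16-bit transaction ID plus log2 of the number of source ports in use.
    A resolver that always sends from one port contributes 0 extra bits."""
    if port_count < 1:
        raise ValueError("port_count must be at least 1")
    return TXID_BITS + math.log2(port_count)


def expected_spoof_attempts(port_count):
    """Average number of forged replies that would have to arrive before
    one matches an outstanding query by chance: half the (TXID x port)
    space. Larger is better for the defender."""
    return (2 ** TXID_BITS * port_count) // 2


def port_profile(queries):
    """Distinct source ports seen and a Shannon-entropy estimate (bits)
    over the port column. queries is a list of (txid, source_port)."""
    if not queries:
        raise ValueError("need at least one observed query")
    counts = Counter(port for _, port in queries)
    total = len(queries)
    entropy = 0.0
    for c in counts.values():
        p = c / total
        entropy -= p * math.log2(p)
    return {"distinct_ports": len(counts), "port_entropy_bits": entropy}


def uses_random_ports(queries, min_distinct=4):
    """Defender-side check: treat the resolver as port-randomizing only if
    the sample shows at least min_distinct different source ports. The
    threshold is a tunable assumption, not a value from the advisory."""
    return port_profile(queries)["distinct_ports"] >= min_distinct


# Constructed samples of (txid, source_port) as a capture tool would report
# them for a resolver's outgoing queries. The first mimics a fixed-port
# resolver, the second one that picks a fresh port for every query.
FIXED_PORT_QUERIES = [
    (0x1A2B, 53), (0x9F10, 53), (0x0042, 53),
    (0x77E1, 53), (0xC3D4, 53), (0x5E5E, 53),
]
RANDOM_PORT_QUERIES = [
    (0x1A2B, 34017), (0x9F10, 51221), (0x0042, 60002),
    (0x77E1, 41890), (0xC3D4, 38774), (0x5E5E, 55310),
]

# Assumed port range for the randomized case: 1024-65535, i.e. 64512 ports.
# The range a given BIND build actually draws from is a configuration matter.
ASSUMED_RANDOM_PORT_COUNT = 65535 - 1024 + 1

if __name__ == "__main__":
    for label, n in (("fixed port", 1), ("random port", ASSUMED_RANDOM_PORT_COUNT)):
        print(f"{label:12s}: {guess_space_bits(n):5.1f} bits to guess, "
              f"~{expected_spoof_attempts(n):,} forged replies on average")
    for label, sample in (("fixed", FIXED_PORT_QUERIES), ("random", RANDOM_PORT_QUERIES)):
        print(label, port_profile(sample), "randomized:", uses_random_ports(sample))
```

The entropy figure matters more than the raw port count on a real capture: a resolver that alternates between two ports shows two distinct values but adds only one bit, so the same capture should be re-checked over a longer window before the resolver is considered fixed.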
Red Hat would like to thank Dan Kaminsky for reporting this issue.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/FAQ_58_10188

5. Bugs fixed (http://bugzilla.redhat.com/):

449345 - CVE-2008-1447 implement source UDP port randomization (CERT VU#800113)

6. Package List:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1:

Source:
ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/bind-9.2.1-10.el2.src.rpm

i386:
bind-9.2.1-10.el2.i386.rpm
bind-devel-9.2.1-10.el2.i386.rpm
bind-utils-9.2.1-10.el2.i386.rpm

ia64:
bind-9.2.1-10.el2.ia64.rpm
bind-devel-9.2.1-10.el2.ia64.rpm
bind-utils-9.2.1-10.el2.ia64.rpm

Red Hat Linux Advanced Workstation 2.1:

Source:
ftp://updates.redhat.com/enterprise/2.1AW/en/os/SRPMS/bind-9.2.1-10.el2.src.rpm

ia64:
bind-9.2.1-10.el2.ia64.rpm
bind-devel-9.2.1-10.el2.ia64.rpm
bind-utils-9.2.1-10.el2.ia64.rpm

Red Hat Enterprise Linux ES version 2.1:

Source:
ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/bind-9.2.1-10.el2.src.rpm

i386:
bind-9.2.1-10.el2.i386.rpm
bind-devel-9.2.1-10.el2.i386.rpm
bind-utils-9.2.1-10.el2.i386.rpm

Red Hat Enterprise Linux WS version 2.1:

Source:
ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/bind-9.2.1-10.el2.src.rpm

i386:
bind-9.2.1-10.el2.i386.rpm
bind-devel-9.2.1-10.el2.i386.rpm
bind-utils-9.2.1-10.el2.i386.rpm

Red Hat Enterprise Linux AS version 3:

Source:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/bind-9.2.4-22.el3.src.rpm

i386:
bind-9.2.4-22.el3.i386.rpm
bind-chroot-9.2.4-22.el3.i386.rpm
bind-debuginfo-9.2.4-22.el3.i386.rpm
bind-devel-9.2.4-22.el3.i386.rpm
bind-libs-9.2.4-22.el3.i386.rpm
bind-utils-9.2.4-22.el3.i386.rpm

ia64:
bind-9.2.4-22.el3.ia64.rpm
bind-chroot-9.2.4-22.el3.ia64.rpm
bind-debuginfo-9.2.4-22.el3.ia64.rpm
bind-devel-9.2.4-22.el3.ia64.rpm
bind-libs-9.2.4-22.el3.ia64.rpm
bind-utils-9.2.4-22.el3.ia64.rpm

ppc:
bind-9.2.4-22.el3.ppc.rpm
bind-chroot-9.2.4-22.el3.ppc.rpm
bind-debuginfo-9.2.4-22.el3.ppc.rpm
bind-devel-9.2.4-22.el3.ppc.rpm
bind-libs-9.2.4-22.el3.ppc.rpm
bind-utils-9.2.4-22.el3.ppc.rpm

s390:
bind-9.2.4-22.el3.s390.rpm
bind-chroot-9.2.4-22.el3.s390.rpm
bind-debuginfo-9.2.4-22.el3.s390.rpm
bind-devel-9.2.4-22.el3.s390.rpm
bind-libs-9.2.4-22.el3.s390.rpm
bind-utils-9.2.4-22.el3.s390.rpm

s390x:
bind-9.2.4-22.el3.s390x.rpm
bind-chroot-9.2.4-22.el3.s390x.rpm
bind-debuginfo-9.2.4-22.el3.s390x.rpm
bind-devel-9.2.4-22.el3.s390x.rpm
bind-libs-9.2.4-22.el3.s390x.rpm
bind-utils-9.2.4-22.el3.s390x.rpm

x86_64:
bind-9.2.4-22.el3.x86_64.rpm
bind-chroot-9.2.4-22.el3.x86_64.rpm
bind-debuginfo-9.2.4-22.el3.x86_64.rpm
bind-devel-9.2.4-22.el3.x86_64.rpm
bind-libs-9.2.4-22.el3.x86_64.rpm
bind-utils-9.2.4-22.el3.x86_64.rpm

Red Hat Desktop version 3:

Source:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/bind-9.2.4-22.el3.src.rpm

i386:
bind-9.2.4-22.el3.i386.rpm
bind-chroot-9.2.4-22.el3.i386.rpm
bind-debuginfo-9.2.4-22.el3.i386.rpm
bind-devel-9.2.4-22.el3.i386.rpm
bind-libs-9.2.4-22.el3.i386.rpm
bind-utils-9.2.4-22.el3.i386.rpm

x86_64:
bind-9.2.4-22.el3.x86_64.rpm
bind-chroot-9.2.4-22.el3.x86_64.rpm
bind-debuginfo-9.2.4-22.el3.x86_64.rpm
bind-devel-9.2.4-22.el3.x86_64.rpm
bind-libs-9.2.4-22.el3.x86_64.rpm
bind-utils-9.2.4-22.el3.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

Source:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/bind-9.2.4-22.el3.src.rpm

i386:
bind-9.2.4-22.el3.i386.rpm
bind-chroot-9.2.4-22.el3.i386.rpm
bind-debuginfo-9.2.4-22.el3.i386.rpm
bind-devel-9.2.4-22.el3.i386.rpm
bind-libs-9.2.4-22.el3.i386.rpm
bind-utils-9.2.4-22.el3.i386.rpm

ia64:
bind-9.2.4-22.el3.ia64.rpm
bind-chroot-9.2.4-22.el3.ia64.rpm
bind-debuginfo-9.2.4-22.el3.ia64.rpm
bind-devel-9.2.4-22.el3.ia64.rpm
bind-libs-9.2.4-22.el3.ia64.rpm
bind-utils-9.2.4-22.el3.ia64.rpm

x86_64:
bind-9.2.4-22.el3.x86_64.rpm
bind-chroot-9.2.4-22.el3.x86_64.rpm
bind-debuginfo-9.2.4-22.el3.x86_64.rpm
bind-devel-9.2.4-22.el3.x86_64.rpm
bind-libs-9.2.4-22.el3.x86_64.rpm
bind-utils-9.2.4-22.el3.x86_64.rpm

Red Hat Enterprise Linux WS version 3:

Source:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/bind-9.2.4-22.el3.src.rpm

i386:
bind-9.2.4-22.el3.i386.rpm
bind-chroot-9.2.4-22.el3.i386.rpm
bind-debuginfo-9.2.4-22.el3.i386.rpm
bind-devel-9.2.4-22.el3.i386.rpm
bind-libs-9.2.4-22.el3.i386.rpm
bind-utils-9.2.4-22.el3.i386.rpm

ia64:
bind-9.2.4-22.el3.ia64.rpm
bind-chroot-9.2.4-22.el3.ia64.rpm
bind-debuginfo-9.2.4-22.el3.ia64.rpm
bind-devel-9.2.4-22.el3.ia64.rpm
bind-libs-9.2.4-22.el3.ia64.rpm
bind-utils-9.2.4-22.el3.ia64.rpm

x86_64:
bind-9.2.4-22.el3.x86_64.rpm
bind-chroot-9.2.4-22.el3.x86_64.rpm
bind-debuginfo-9.2.4-22.el3.x86_64.rpm
bind-devel-9.2.4-22.el3.x86_64.rpm
bind-libs-9.2.4-22.el3.x86_64.rpm
bind-utils-9.2.4-22.el3.x86_64.rpm

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/bind-9.2.4-28.0.1.el4.src.rpm
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/selinux-policy-targeted-1.17.30-2.150.el4.src.rpm

i386:
bind-9.2.4-28.0.1.el4.i386.rpm
bind-chroot-9.2.4-28.0.1.el4.i386.rpm
bind-debuginfo-9.2.4-28.0.1.el4.i386.rpm
bind-devel-9.2.4-28.0.1.el4.i386.rpm
bind-libs-9.2.4-28.0.1.el4.i386.rpm
bind-utils-9.2.4-28.0.1.el4.i386.rpm

ia64:
bind-9.2.4-28.0.1.el4.ia64.rpm
bind-chroot-9.2.4-28.0.1.el4.ia64.rpm
bind-debuginfo-9.2.4-28.0.1.el4.i386.rpm
bind-debuginfo-9.2.4-28.0.1.el4.ia64.rpm
bind-devel-9.2.4-28.0.1.el4.ia64.rpm
bind-libs-9.2.4-28.0.1.el4.i386.rpm
bind-libs-9.2.4-28.0.1.el4.ia64.rpm
bind-utils-9.2.4-28.0.1.el4.ia64.rpm

noarch:
selinux-policy-targeted-1.17.30-2.150.el4.noarch.rpm
selinux-policy-targeted-sources-1.17.30-2.150.el4.noarch.rpm

ppc:
bind-9.2.4-28.0.1.el4.ppc.rpm
bind-chroot-9.2.4-28.0.1.el4.ppc.rpm
bind-debuginfo-9.2.4-28.0.1.el4.ppc.rpm
bind-debuginfo-9.2.4-28.0.1.el4.ppc64.rpm
bind-devel-9.2.4-28.0.1.el4.ppc.rpm
bind-libs-9.2.4-28.0.1.el4.ppc.rpm
bind-libs-9.2.4-28.0.1.el4.ppc64.rpm
bind-utils-9.2.4-28.0.1.el4.ppc.rpm

s390:
bind-9.2.4-28.0.1.el4.s390.rpm
bind-chroot-9.2.4-28.0.1.el4.s390.rpm
bind-debuginfo-9.2.4-28.0.1.el4.s390.rpm
bind-devel-9.2.4-28.0.1.el4.s390.rpm
bind-libs-9.2.4-28.0.1.el4.s390.rpm
bind-utils-9.2.4-28.0.1.el4.s390.rpm

s390x:
bind-9.2.4-28.0.1.el4.s390x.rpm
bind-chroot-9.2.4-28.0.1.el4.s390x.rpm
bind-debuginfo-9.2.4-28.0.1.el4.s390.rpm
bind-debuginfo-9.2.4-28.0.1.el4.s390x.rpm
bind-devel-9.2.4-28.0.1.el4.s390x.rpm
bind-libs-9.2.4-28.0.1.el4.s390.rpm
bind-libs-9.2.4-28.0.1.el4.s390x.rpm
bind-utils-9.2.4-28.0.1.el4.s390x.rpm

x86_64:
bind-9.2.4-28.0.1.el4.x86_64.rpm
bind-chroot-9.2.4-28.0.1.el4.x86_64.rpm
bind-debuginfo-9.2.4-28.0.1.el4.i386.rpm
bind-debuginfo-9.2.4-28.0.1.el4.x86_64.rpm
bind-devel-9.2.4-28.0.1.el4.x86_64.rpm
bind-libs-9.2.4-28.0.1.el4.i386.rpm
bind-libs-9.2.4-28.0.1.el4.x86_64.rpm
bind-utils-9.2.4-28.0.1.el4.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/bind-9.2.4-28.0.1.el4.src.rpm
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/selinux-policy-targeted-1.17.30-2.150.el4.src.rpm

i386:
bind-9.2.4-28.0.1.el4.i386.rpm
bind-chroot-9.2.4-28.0.1.el4.i386.rpm
bind-debuginfo-9.2.4-28.0.1.el4.i386.rpm
bind-devel-9.2.4-28.0.1.el4.i386.rpm
bind-libs-9.2.4-28.0.1.el4.i386.rpm
bind-utils-9.2.4-28.0.1.el4.i386.rpm

noarch:
selinux-policy-targeted-1.17.30-2.150.el4.noarch.rpm
selinux-policy-targeted-sources-1.17.30-2.150.el4.noarch.rpm

x86_64:
bind-9.2.4-28.0.1.el4.x86_64.rpm
bind-chroot-9.2.4-28.0.1.el4.x86_64.rpm
bind-debuginfo-9.2.4-28.0.1.el4.i386.rpm
bind-debuginfo-9.2.4-28.0.1.el4.x86_64.rpm
bind-devel-9.2.4-28.0.1.el4.x86_64.rpm
bind-libs-9.2.4-28.0.1.el4.i386.rpm
bind-libs-9.2.4-28.0.1.el4.x86_64.rpm
bind-utils-9.2.4-28.0.1.el4.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/bind-9.2.4-28.0.1.el4.src.rpm
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/selinux-policy-targeted-1.17.30-2.150.el4.src.rpm

i386:
bind-9.2.4-28.0.1.el4.i386.rpm
bind-chroot-9.2.4-28.0.1.el4.i386.rpm
bind-debuginfo-9.2.4-28.0.1.el4.i386.rpm
bind-devel-9.2.4-28.0.1.el4.i386.rpm
bind-libs-9.2.4-28.0.1.el4.i386.rpm
bind-utils-9.2.4-28.0.1.el4.i386.rpm

ia64:
bind-9.2.4-28.0.1.el4.ia64.rpm
bind-chroot-9.2.4-28.0.1.el4.ia64.rpm
bind-debuginfo-9.2.4-28.0.1.el4.i386.rpm
bind-debuginfo-9.2.4-28.0.1.el4.ia64.rpm
bind-devel-9.2.4-28.0.1.el4.ia64.rpm
bind-libs-9.2.4-28.0.1.el4.i386.rpm
bind-libs-9.2.4-28.0.1.el4.ia64.rpm
bind-utils-9.2.4-28.0.1.el4.ia64.rpm

noarch:
selinux-policy-targeted-1.17.30-2.150.el4.noarch.rpm
selinux-policy-targeted-sources-1.17.30-2.150.el4.noarch.rpm

x86_64:
bind-9.2.4-28.0.1.el4.x86_64.rpm
bind-chroot-9.2.4-28.0.1.el4.x86_64.rpm
bind-debuginfo-9.2.4-28.0.1.el4.i386.rpm
bind-debuginfo-9.2.4-28.0.1.el4.x86_64.rpm
bind-devel-9.2.4-28.0.1.el4.x86_64.rpm
bind-libs-9.2.4-28.0.1.el4.i386.rpm
bind-libs-9.2.4-28.0.1.el4.x86_64.rpm
bind-utils-9.2.4-28.0.1.el4.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/bind-9.2.4-28.0.1.el4.src.rpm
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/selinux-policy-targeted-1.17.30-2.150.el4.src.rpm

i386:
bind-9.2.4-28.0.1.el4.i386.rpm
bind-chroot-9.2.4-28.0.1.el4.i386.rpm
bind-debuginfo-9.2.4-28.0.1.el4.i386.rpm
bind-devel-9.2.4-28.0.1.el4.i386.rpm
bind-libs-9.2.4-28.0.1.el4.i386.rpm
bind-utils-9.2.4-28.0.1.el4.i386.rpm

ia64:
bind-9.2.4-28.0.1.el4.ia64.rpm
bind-chroot-9.2.4-28.0.1.el4.ia64.rpm
bind-debuginfo-9.2.4-28.0.1.el4.i386.rpm
bind-debuginfo-9.2.4-28.0.1.el4.ia64.rpm
bind-devel-9.2.4-28.0.1.el4.ia64.rpm
bind-libs-9.2.4-28.0.1.el4.i386.rpm
bind-libs-9.2.4-28.0.1.el4.ia64.rpm
bind-utils-9.2.4-28.0.1.el4.ia64.rpm

noarch:
selinux-policy-targeted-1.17.30-2.150.el4.noarch.rpm
selinux-policy-targeted-sources-1.17.30-2.150.el4.noarch.rpm

x86_64:
bind-9.2.4-28.0.1.el4.x86_64.rpm
bind-chroot-9.2.4-28.0.1.el4.x86_64.rpm
bind-debuginfo-9.2.4-28.0.1.el4.i386.rpm
bind-debuginfo-9.2.4-28.0.1.el4.x86_64.rpm
bind-devel-9.2.4-28.0.1.el4.x86_64.rpm
bind-libs-9.2.4-28.0.1.el4.i386.rpm
bind-libs-9.2.4-28.0.1.el4.x86_64.rpm
bind-utils-9.2.4-28.0.1.el4.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/bind-9.3.4-6.0.1.P1.el5_2.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/selinux-policy-2.4.6-137.1.el5_2.src.rpm

i386:
bind-9.3.4-6.0.1.P1.el5_2.i386.rpm
bind-debuginfo-9.3.4-6.0.1.P1.el5_2.i386.rpm
bind-libs-9.3.4-6.0.1.P1.el5_2.i386.rpm
bind-sdb-9.3.4-6.0.1.P1.el5_2.i386.rpm
bind-utils-9.3.4-6.0.1.P1.el5_2.i386.rpm

noarch:
selinux-policy-2.4.6-137.1.el5_2.noarch.rpm
selinux-policy-mls-2.4.6-137.1.el5_2.noarch.rpm
selinux-policy-strict-2.4.6-137.1.el5_2.noarch.rpm
selinux-policy-targeted-2.4.6-137.1.el5_2.noarch.rpm

x86_64:
bind-9.3.4-6.0.1.P1.el5_2.x86_64.rpm
bind-debuginfo-9.3.4-6.0.1.P1.el5_2.i386.rpm
bind-debuginfo-9.3.4-6.0.1.P1.el5_2.x86_64.rpm
bind-libs-9.3.4-6.0.1.P1.el5_2.i386.rpm
bind-libs-9.3.4-6.0.1.P1.el5_2.x86_64.rpm
bind-sdb-9.3.4-6.0.1.P1.el5_2.x86_64.rpm
bind-utils-9.3.4-6.0.1.P1.el5_2.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/bind-9.3.4-6.0.1.P1.el5_2.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/selinux-policy-2.4.6-137.1.el5_2.src.rpm

i386:
bind-chroot-9.3.4-6.0.1.P1.el5_2.i386.rpm
bind-debuginfo-9.3.4-6.0.1.P1.el5_2.i386.rpm
bind-devel-9.3.4-6.0.1.P1.el5_2.i386.rpm
bind-libbind-devel-9.3.4-6.0.1.P1.el5_2.i386.rpm
caching-nameserver-9.3.4-6.0.1.P1.el5_2.i386.rpm

noarch:
selinux-policy-devel-2.4.6-137.1.el5_2.noarch.rpm

x86_64:
bind-chroot-9.3.4-6.0.1.P1.el5_2.x86_64.rpm
bind-debuginfo-9.3.4-6.0.1.P1.el5_2.i386.rpm
bind-debuginfo-9.3.4-6.0.1.P1.el5_2.x86_64.rpm
bind-devel-9.3.4-6.0.1.P1.el5_2.i386.rpm
bind-devel-9.3.4-6.0.1.P1.el5_2.x86_64.rpm
bind-libbind-devel-9.3.4-6.0.1.P1.el5_2.i386.rpm
bind-libbind-devel-9.3.4-6.0.1.P1.el5_2.x86_64.rpm
caching-nameserver-9.3.4-6.0.1.P1.el5_2.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/bind-9.3.4-6.0.1.P1.el5_2.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/selinux-policy-2.4.6-137.1.el5_2.src.rpm

i386:
bind-9.3.4-6.0.1.P1.el5_2.i386.rpm
bind-chroot-9.3.4-6.0.1.P1.el5_2.i386.rpm
bind-debuginfo-9.3.4-6.0.1.P1.el5_2.i386.rpm
bind-devel-9.3.4-6.0.1.P1.el5_2.i386.rpm
bind-libbind-devel-9.3.4-6.0.1.P1.el5_2.i386.rpm
bind-libs-9.3.4-6.0.1.P1.el5_2.i386.rpm
bind-sdb-9.3.4-6.0.1.P1.el5_2.i386.rpm
bind-utils-9.3.4-6.0.1.P1.el5_2.i386.rpm
caching-nameserver-9.3.4-6.0.1.P1.el5_2.i386.rpm

ia64:
bind-9.3.4-6.0.1.P1.el5_2.ia64.rpm
bind-chroot-9.3.4-6.0.1.P1.el5_2.ia64.rpm
bind-debuginfo-9.3.4-6.0.1.P1.el5_2.i386.rpm
bind-debuginfo-9.3.4-6.0.1.P1.el5_2.ia64.rpm
bind-devel-9.3.4-6.0.1.P1.el5_2.ia64.rpm
bind-libbind-devel-9.3.4-6.0.1.P1.el5_2.ia64.rpm
bind-libs-9.3.4-6.0.1.P1.el5_2.i386.rpm
bind-libs-9.3.4-6.0.1.P1.el5_2.ia64.rpm
bind-sdb-9.3.4-6.0.1.P1.el5_2.ia64.rpm
bind-utils-9.3.4-6.0.1.P1.el5_2.ia64.rpm
caching-nameserver-9.3.4-6.0.1.P1.el5_2.ia64.rpm

noarch:
selinux-policy-2.4.6-137.1.el5_2.noarch.rpm
selinux-policy-devel-2.4.6-137.1.el5_2.noarch.rpm
selinux-policy-mls-2.4.6-137.1.el5_2.noarch.rpm
selinux-policy-strict-2.4.6-137.1.el5_2.noarch.rpm
selinux-policy-targeted-2.4.6-137.1.el5_2.noarch.rpm

ppc:
bind-9.3.4-6.0.1.P1.el5_2.ppc.rpm
bind-chroot-9.3.4-6.0.1.P1.el5_2.ppc.rpm
bind-debuginfo-9.3.4-6.0.1.P1.el5_2.ppc.rpm
bind-debuginfo-9.3.4-6.0.1.P1.el5_2.ppc64.rpm
bind-devel-9.3.4-6.0.1.P1.el5_2.ppc.rpm
bind-devel-9.3.4-6.0.1.P1.el5_2.ppc64.rpm
bind-libbind-devel-9.3.4-6.0.1.P1.el5_2.ppc.rpm
bind-libbind-devel-9.3.4-6.0.1.P1.el5_2.ppc64.rpm
bind-libs-9.3.4-6.0.1.P1.el5_2.ppc.rpm
bind-libs-9.3.4-6.0.1.P1.el5_2.ppc64.rpm
bind-sdb-9.3.4-6.0.1.P1.el5_2.ppc.rpm
bind-utils-9.3.4-6.0.1.P1.el5_2.ppc.rpm
caching-nameserver-9.3.4-6.0.1.P1.el5_2.ppc.rpm

s390x:
bind-9.3.4-6.0.1.P1.el5_2.s390x.rpm
bind-chroot-9.3.4-6.0.1.P1.el5_2.s390x.rpm
bind-debuginfo-9.3.4-6.0.1.P1.el5_2.s390.rpm
bind-debuginfo-9.3.4-6.0.1.P1.el5_2.s390x.rpm
bind-devel-9.3.4-6.0.1.P1.el5_2.s390.rpm
bind-devel-9.3.4-6.0.1.P1.el5_2.s390x.rpm
bind-libbind-devel-9.3.4-6.0.1.P1.el5_2.s390.rpm
bind-libbind-devel-9.3.4-6.0.1.P1.el5_2.s390x.rpm
bind-libs-9.3.4-6.0.1.P1.el5_2.s390.rpm
bind-libs-9.3.4-6.0.1.P1.el5_2.s390x.rpm
bind-sdb-9.3.4-6.0.1.P1.el5_2.s390x.rpm
bind-utils-9.3.4-6.0.1.P1.el5_2.s390x.rpm
caching-nameserver-9.3.4-6.0.1.P1.el5_2.s390x.rpm

x86_64:
bind-9.3.4-6.0.1.P1.el5_2.x86_64.rpm
bind-chroot-9.3.4-6.0.1.P1.el5_2.x86_64.rpm
bind-debuginfo-9.3.4-6.0.1.P1.el5_2.i386.rpm
bind-debuginfo-9.3.4-6.0.1.P1.el5_2.x86_64.rpm
bind-devel-9.3.4-6.0.1.P1.el5_2.i386.rpm
bind-devel-9.3.4-6.0.1.P1.el5_2.x86_64.rpm
bind-libbind-devel-9.3.4-6.0.1.P1.el5_2.i386.rpm
bind-libbind-devel-9.3.4-6.0.1.P1.el5_2.x86_64.rpm
bind-libs-9.3.4-6.0.1.P1.el5_2.i386.rpm
bind-libs-9.3.4-6.0.1.P1.el5_2.x86_64.rpm
bind-sdb-9.3.4-6.0.1.P1.el5_2.x86_64.rpm
bind-utils-9.3.4-6.0.1.P1.el5_2.x86_64.rpm
caching-nameserver-9.3.4-6.0.1.P1.el5_2.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447
http://www.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2008 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFIdGh+XlSAg2UNWIIRAhxcAKCPOm/A40vN2hDcMHRSgmCvTk5MgACfQLYO
3LsbahUrWO+sM/epydia0rA=
=HNsH
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Jul 9 08:36:25 2008
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 9 Jul 2008 04:36:25 -0400
Subject: [RHSA-2008:0584-01] Important: pidgin security and bug fix update
Message-ID: <200807090836.m698aP16026516@pobox.devel.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: pidgin security and bug fix update
Advisory ID:       RHSA-2008:0584-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2008-0584.html
Issue date:        2008-07-09
CVE Names:         CVE-2008-2927
=====================================================================

1. Summary:

Updated Pidgin packages that fix a security issue and address a bug are now available for Red Hat Enterprise Linux 3, 4, and 5.

This update has been rated as having important security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
RHEL Desktop Workstation (v. 5 client) - i386, x86_64
RHEL Optional Productivity Applications (v. 5 server) - i386, x86_64

3. Description:

Pidgin is a multi-protocol Internet Messaging client.

An integer overflow flaw was found in Pidgin's MSN protocol handler. If a user received a malicious MSN message, it was possible to execute arbitrary code with the permissions of the user running Pidgin. (CVE-2008-2927)

Note: the default Pidgin privacy setting only allows messages from users in the buddy list. This prevents arbitrary MSN users from exploiting this flaw.

This update also addresses the following bug:

* when attempting to connect to the ICQ network, Pidgin would fail to connect, present an alert saying "The client version you are using is too old", and de-activate the ICQ account. This update restores Pidgin's ability to connect to the ICQ network.

All Pidgin users should upgrade to these updated packages, which contain backported patches to resolve these issues.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/FAQ_58_10188

5.
Bugs fixed (http://bugzilla.redhat.com/):

453634 - RHEL5 - Fix ICQ login
453764 - CVE-2008-2927 pidgin MSN integer overflow
453773 - RHEL4 - Fix ICQ login
453774 - RHEL3 - Fix ICQ login

6. Package List:

Red Hat Enterprise Linux AS version 3:

Source:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/pidgin-1.5.1-2.el3.src.rpm

i386:
pidgin-1.5.1-2.el3.i386.rpm
pidgin-debuginfo-1.5.1-2.el3.i386.rpm

ia64:
pidgin-1.5.1-2.el3.ia64.rpm
pidgin-debuginfo-1.5.1-2.el3.ia64.rpm

ppc:
pidgin-1.5.1-2.el3.ppc.rpm
pidgin-debuginfo-1.5.1-2.el3.ppc.rpm

s390:
pidgin-1.5.1-2.el3.s390.rpm
pidgin-debuginfo-1.5.1-2.el3.s390.rpm

s390x:
pidgin-1.5.1-2.el3.s390x.rpm
pidgin-debuginfo-1.5.1-2.el3.s390x.rpm

x86_64:
pidgin-1.5.1-2.el3.x86_64.rpm
pidgin-debuginfo-1.5.1-2.el3.x86_64.rpm

Red Hat Desktop version 3:

Source:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/pidgin-1.5.1-2.el3.src.rpm

i386:
pidgin-1.5.1-2.el3.i386.rpm
pidgin-debuginfo-1.5.1-2.el3.i386.rpm

x86_64:
pidgin-1.5.1-2.el3.x86_64.rpm
pidgin-debuginfo-1.5.1-2.el3.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

Source:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/pidgin-1.5.1-2.el3.src.rpm

i386:
pidgin-1.5.1-2.el3.i386.rpm
pidgin-debuginfo-1.5.1-2.el3.i386.rpm

ia64:
pidgin-1.5.1-2.el3.ia64.rpm
pidgin-debuginfo-1.5.1-2.el3.ia64.rpm

x86_64:
pidgin-1.5.1-2.el3.x86_64.rpm
pidgin-debuginfo-1.5.1-2.el3.x86_64.rpm

Red Hat Enterprise Linux WS version 3:

Source:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/pidgin-1.5.1-2.el3.src.rpm

i386:
pidgin-1.5.1-2.el3.i386.rpm
pidgin-debuginfo-1.5.1-2.el3.i386.rpm

ia64:
pidgin-1.5.1-2.el3.ia64.rpm
pidgin-debuginfo-1.5.1-2.el3.ia64.rpm

x86_64:
pidgin-1.5.1-2.el3.x86_64.rpm
pidgin-debuginfo-1.5.1-2.el3.x86_64.rpm

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/pidgin-1.5.1-2.el4.src.rpm

i386:
pidgin-1.5.1-2.el4.i386.rpm
pidgin-debuginfo-1.5.1-2.el4.i386.rpm

ia64:
pidgin-1.5.1-2.el4.ia64.rpm
pidgin-debuginfo-1.5.1-2.el4.ia64.rpm

ppc:
pidgin-1.5.1-2.el4.ppc.rpm
pidgin-debuginfo-1.5.1-2.el4.ppc.rpm

s390:
pidgin-1.5.1-2.el4.s390.rpm
pidgin-debuginfo-1.5.1-2.el4.s390.rpm

s390x:
pidgin-1.5.1-2.el4.s390x.rpm
pidgin-debuginfo-1.5.1-2.el4.s390x.rpm

x86_64:
pidgin-1.5.1-2.el4.x86_64.rpm
pidgin-debuginfo-1.5.1-2.el4.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/pidgin-1.5.1-2.el4.src.rpm

i386:
pidgin-1.5.1-2.el4.i386.rpm
pidgin-debuginfo-1.5.1-2.el4.i386.rpm

x86_64:
pidgin-1.5.1-2.el4.x86_64.rpm
pidgin-debuginfo-1.5.1-2.el4.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/pidgin-1.5.1-2.el4.src.rpm

i386:
pidgin-1.5.1-2.el4.i386.rpm
pidgin-debuginfo-1.5.1-2.el4.i386.rpm

ia64:
pidgin-1.5.1-2.el4.ia64.rpm
pidgin-debuginfo-1.5.1-2.el4.ia64.rpm

x86_64:
pidgin-1.5.1-2.el4.x86_64.rpm
pidgin-debuginfo-1.5.1-2.el4.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/pidgin-1.5.1-2.el4.src.rpm

i386:
pidgin-1.5.1-2.el4.i386.rpm
pidgin-debuginfo-1.5.1-2.el4.i386.rpm

ia64:
pidgin-1.5.1-2.el4.ia64.rpm
pidgin-debuginfo-1.5.1-2.el4.ia64.rpm

x86_64:
pidgin-1.5.1-2.el4.x86_64.rpm
pidgin-debuginfo-1.5.1-2.el4.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/pidgin-2.3.1-2.el5_2.src.rpm

i386:
finch-2.3.1-2.el5_2.i386.rpm
libpurple-2.3.1-2.el5_2.i386.rpm
libpurple-perl-2.3.1-2.el5_2.i386.rpm
libpurple-tcl-2.3.1-2.el5_2.i386.rpm
pidgin-2.3.1-2.el5_2.i386.rpm
pidgin-debuginfo-2.3.1-2.el5_2.i386.rpm
pidgin-perl-2.3.1-2.el5_2.i386.rpm

x86_64:
finch-2.3.1-2.el5_2.i386.rpm
finch-2.3.1-2.el5_2.x86_64.rpm
libpurple-2.3.1-2.el5_2.i386.rpm
libpurple-2.3.1-2.el5_2.x86_64.rpm
libpurple-perl-2.3.1-2.el5_2.x86_64.rpm
libpurple-tcl-2.3.1-2.el5_2.x86_64.rpm
pidgin-2.3.1-2.el5_2.i386.rpm
pidgin-2.3.1-2.el5_2.x86_64.rpm
pidgin-debuginfo-2.3.1-2.el5_2.i386.rpm
pidgin-debuginfo-2.3.1-2.el5_2.x86_64.rpm
pidgin-perl-2.3.1-2.el5_2.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/pidgin-2.3.1-2.el5_2.src.rpm

i386:
finch-devel-2.3.1-2.el5_2.i386.rpm
libpurple-devel-2.3.1-2.el5_2.i386.rpm
pidgin-debuginfo-2.3.1-2.el5_2.i386.rpm
pidgin-devel-2.3.1-2.el5_2.i386.rpm

x86_64:
finch-devel-2.3.1-2.el5_2.i386.rpm
finch-devel-2.3.1-2.el5_2.x86_64.rpm
libpurple-devel-2.3.1-2.el5_2.i386.rpm
libpurple-devel-2.3.1-2.el5_2.x86_64.rpm
pidgin-debuginfo-2.3.1-2.el5_2.i386.rpm
pidgin-debuginfo-2.3.1-2.el5_2.x86_64.rpm
pidgin-devel-2.3.1-2.el5_2.i386.rpm
pidgin-devel-2.3.1-2.el5_2.x86_64.rpm

RHEL Optional Productivity Applications (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/pidgin-2.3.1-2.el5_2.src.rpm

i386:
finch-2.3.1-2.el5_2.i386.rpm
finch-devel-2.3.1-2.el5_2.i386.rpm
libpurple-2.3.1-2.el5_2.i386.rpm
libpurple-devel-2.3.1-2.el5_2.i386.rpm
libpurple-perl-2.3.1-2.el5_2.i386.rpm
libpurple-tcl-2.3.1-2.el5_2.i386.rpm
pidgin-2.3.1-2.el5_2.i386.rpm
pidgin-debuginfo-2.3.1-2.el5_2.i386.rpm
pidgin-devel-2.3.1-2.el5_2.i386.rpm
pidgin-perl-2.3.1-2.el5_2.i386.rpm

x86_64:
finch-2.3.1-2.el5_2.i386.rpm
finch-2.3.1-2.el5_2.x86_64.rpm
finch-devel-2.3.1-2.el5_2.i386.rpm
finch-devel-2.3.1-2.el5_2.x86_64.rpm
libpurple-2.3.1-2.el5_2.i386.rpm
libpurple-2.3.1-2.el5_2.x86_64.rpm
libpurple-devel-2.3.1-2.el5_2.i386.rpm
libpurple-devel-2.3.1-2.el5_2.x86_64.rpm
libpurple-perl-2.3.1-2.el5_2.x86_64.rpm
libpurple-tcl-2.3.1-2.el5_2.x86_64.rpm
pidgin-2.3.1-2.el5_2.i386.rpm
pidgin-2.3.1-2.el5_2.x86_64.rpm
pidgin-debuginfo-2.3.1-2.el5_2.i386.rpm
pidgin-debuginfo-2.3.1-2.el5_2.x86_64.rpm
pidgin-devel-2.3.1-2.el5_2.i386.rpm
pidgin-devel-2.3.1-2.el5_2.x86_64.rpm
pidgin-perl-2.3.1-2.el5_2.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2927
http://www.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2008 Red Hat, Inc.
From bugzilla at redhat.com Wed Jul 9 14:54:33 2008
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 9 Jul 2008 10:54:33 -0400
Subject: [RHSA-2008:0583-01] Important: openldap security update
Message-ID: <200807091454.m69EsX6e023520@pobox.devel.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: openldap security update
Advisory ID:       RHSA-2008:0583-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2008-0583.html
Issue date:        2008-07-09
CVE Names:         CVE-2008-2952
=====================================================================

1. Summary:

Updated openldap packages that fix a security issue are now available for Red Hat Enterprise Linux 4 and 5.

This update has been rated as having important security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64

3. Description:

OpenLDAP is an open source suite of Lightweight Directory Access Protocol (LDAP) applications and development tools. LDAP is a set of protocols for accessing directory services.

A denial of service flaw was found in the way the OpenLDAP slapd daemon processed certain network messages. An unauthenticated remote attacker could send a specially crafted request that would crash the slapd daemon. (CVE-2008-2952)

Users of openldap should upgrade to these updated packages, which contain a backported patch to correct this issue.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/FAQ_58_10188

5. Bugs fixed (http://bugzilla.redhat.com/):

453444 - CVE-2008-2952 OpenLDAP denial-of-service flaw in ASN.1 decoder

6. Package List:

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/openldap-2.2.13-8.el4_6.5.src.rpm

i386:
compat-openldap-2.1.30-8.el4_6.5.i386.rpm
openldap-2.2.13-8.el4_6.5.i386.rpm
openldap-clients-2.2.13-8.el4_6.5.i386.rpm
openldap-debuginfo-2.2.13-8.el4_6.5.i386.rpm
openldap-devel-2.2.13-8.el4_6.5.i386.rpm
openldap-servers-2.2.13-8.el4_6.5.i386.rpm
openldap-servers-sql-2.2.13-8.el4_6.5.i386.rpm

ia64:
compat-openldap-2.1.30-8.el4_6.5.i386.rpm
compat-openldap-2.1.30-8.el4_6.5.ia64.rpm
openldap-2.2.13-8.el4_6.5.i386.rpm
openldap-2.2.13-8.el4_6.5.ia64.rpm
openldap-clients-2.2.13-8.el4_6.5.ia64.rpm
openldap-debuginfo-2.2.13-8.el4_6.5.i386.rpm
openldap-debuginfo-2.2.13-8.el4_6.5.ia64.rpm
openldap-devel-2.2.13-8.el4_6.5.ia64.rpm
openldap-servers-2.2.13-8.el4_6.5.ia64.rpm
openldap-servers-sql-2.2.13-8.el4_6.5.ia64.rpm

ppc:
compat-openldap-2.1.30-8.el4_6.5.ppc.rpm
compat-openldap-2.1.30-8.el4_6.5.ppc64.rpm
openldap-2.2.13-8.el4_6.5.ppc.rpm
openldap-2.2.13-8.el4_6.5.ppc64.rpm
openldap-clients-2.2.13-8.el4_6.5.ppc.rpm
openldap-debuginfo-2.2.13-8.el4_6.5.ppc.rpm
openldap-debuginfo-2.2.13-8.el4_6.5.ppc64.rpm
openldap-devel-2.2.13-8.el4_6.5.ppc.rpm
openldap-servers-2.2.13-8.el4_6.5.ppc.rpm
openldap-servers-sql-2.2.13-8.el4_6.5.ppc.rpm

s390:
compat-openldap-2.1.30-8.el4_6.5.s390.rpm
openldap-2.2.13-8.el4_6.5.s390.rpm
openldap-clients-2.2.13-8.el4_6.5.s390.rpm
openldap-debuginfo-2.2.13-8.el4_6.5.s390.rpm
openldap-devel-2.2.13-8.el4_6.5.s390.rpm
openldap-servers-2.2.13-8.el4_6.5.s390.rpm
openldap-servers-sql-2.2.13-8.el4_6.5.s390.rpm

s390x:
compat-openldap-2.1.30-8.el4_6.5.s390.rpm
compat-openldap-2.1.30-8.el4_6.5.s390x.rpm
openldap-2.2.13-8.el4_6.5.s390.rpm
openldap-2.2.13-8.el4_6.5.s390x.rpm
openldap-clients-2.2.13-8.el4_6.5.s390x.rpm
openldap-debuginfo-2.2.13-8.el4_6.5.s390.rpm
openldap-debuginfo-2.2.13-8.el4_6.5.s390x.rpm
openldap-devel-2.2.13-8.el4_6.5.s390x.rpm
openldap-servers-2.2.13-8.el4_6.5.s390x.rpm
openldap-servers-sql-2.2.13-8.el4_6.5.s390x.rpm

x86_64:
compat-openldap-2.1.30-8.el4_6.5.i386.rpm
compat-openldap-2.1.30-8.el4_6.5.x86_64.rpm
openldap-2.2.13-8.el4_6.5.i386.rpm
openldap-2.2.13-8.el4_6.5.x86_64.rpm
openldap-clients-2.2.13-8.el4_6.5.x86_64.rpm
openldap-debuginfo-2.2.13-8.el4_6.5.i386.rpm
openldap-debuginfo-2.2.13-8.el4_6.5.x86_64.rpm
openldap-devel-2.2.13-8.el4_6.5.x86_64.rpm
openldap-servers-2.2.13-8.el4_6.5.x86_64.rpm
openldap-servers-sql-2.2.13-8.el4_6.5.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/openldap-2.2.13-8.el4_6.5.src.rpm

i386:
compat-openldap-2.1.30-8.el4_6.5.i386.rpm
openldap-2.2.13-8.el4_6.5.i386.rpm
openldap-clients-2.2.13-8.el4_6.5.i386.rpm
openldap-debuginfo-2.2.13-8.el4_6.5.i386.rpm
openldap-devel-2.2.13-8.el4_6.5.i386.rpm
openldap-servers-2.2.13-8.el4_6.5.i386.rpm
openldap-servers-sql-2.2.13-8.el4_6.5.i386.rpm

x86_64:
compat-openldap-2.1.30-8.el4_6.5.i386.rpm
compat-openldap-2.1.30-8.el4_6.5.x86_64.rpm
openldap-2.2.13-8.el4_6.5.i386.rpm
openldap-2.2.13-8.el4_6.5.x86_64.rpm
openldap-clients-2.2.13-8.el4_6.5.x86_64.rpm
openldap-debuginfo-2.2.13-8.el4_6.5.i386.rpm
openldap-debuginfo-2.2.13-8.el4_6.5.x86_64.rpm
openldap-devel-2.2.13-8.el4_6.5.x86_64.rpm
openldap-servers-2.2.13-8.el4_6.5.x86_64.rpm
openldap-servers-sql-2.2.13-8.el4_6.5.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/openldap-2.2.13-8.el4_6.5.src.rpm

i386:
compat-openldap-2.1.30-8.el4_6.5.i386.rpm
openldap-2.2.13-8.el4_6.5.i386.rpm
openldap-clients-2.2.13-8.el4_6.5.i386.rpm
openldap-debuginfo-2.2.13-8.el4_6.5.i386.rpm
openldap-devel-2.2.13-8.el4_6.5.i386.rpm
openldap-servers-2.2.13-8.el4_6.5.i386.rpm
openldap-servers-sql-2.2.13-8.el4_6.5.i386.rpm

ia64:
compat-openldap-2.1.30-8.el4_6.5.i386.rpm
compat-openldap-2.1.30-8.el4_6.5.ia64.rpm
openldap-2.2.13-8.el4_6.5.i386.rpm
openldap-2.2.13-8.el4_6.5.ia64.rpm
openldap-clients-2.2.13-8.el4_6.5.ia64.rpm
openldap-debuginfo-2.2.13-8.el4_6.5.i386.rpm
openldap-debuginfo-2.2.13-8.el4_6.5.ia64.rpm
openldap-devel-2.2.13-8.el4_6.5.ia64.rpm
openldap-servers-2.2.13-8.el4_6.5.ia64.rpm
openldap-servers-sql-2.2.13-8.el4_6.5.ia64.rpm

x86_64:
compat-openldap-2.1.30-8.el4_6.5.i386.rpm
compat-openldap-2.1.30-8.el4_6.5.x86_64.rpm
openldap-2.2.13-8.el4_6.5.i386.rpm
openldap-2.2.13-8.el4_6.5.x86_64.rpm
openldap-clients-2.2.13-8.el4_6.5.x86_64.rpm
openldap-debuginfo-2.2.13-8.el4_6.5.i386.rpm
openldap-debuginfo-2.2.13-8.el4_6.5.x86_64.rpm
openldap-devel-2.2.13-8.el4_6.5.x86_64.rpm
openldap-servers-2.2.13-8.el4_6.5.x86_64.rpm
openldap-servers-sql-2.2.13-8.el4_6.5.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/openldap-2.2.13-8.el4_6.5.src.rpm

i386:
compat-openldap-2.1.30-8.el4_6.5.i386.rpm
openldap-2.2.13-8.el4_6.5.i386.rpm
openldap-clients-2.2.13-8.el4_6.5.i386.rpm
openldap-debuginfo-2.2.13-8.el4_6.5.i386.rpm
openldap-devel-2.2.13-8.el4_6.5.i386.rpm
openldap-servers-2.2.13-8.el4_6.5.i386.rpm
openldap-servers-sql-2.2.13-8.el4_6.5.i386.rpm

ia64:
compat-openldap-2.1.30-8.el4_6.5.i386.rpm
compat-openldap-2.1.30-8.el4_6.5.ia64.rpm
openldap-2.2.13-8.el4_6.5.i386.rpm
openldap-2.2.13-8.el4_6.5.ia64.rpm
openldap-clients-2.2.13-8.el4_6.5.ia64.rpm
openldap-debuginfo-2.2.13-8.el4_6.5.i386.rpm
openldap-debuginfo-2.2.13-8.el4_6.5.ia64.rpm
openldap-devel-2.2.13-8.el4_6.5.ia64.rpm
openldap-servers-2.2.13-8.el4_6.5.ia64.rpm
openldap-servers-sql-2.2.13-8.el4_6.5.ia64.rpm

x86_64:
compat-openldap-2.1.30-8.el4_6.5.i386.rpm
compat-openldap-2.1.30-8.el4_6.5.x86_64.rpm
openldap-2.2.13-8.el4_6.5.i386.rpm
openldap-2.2.13-8.el4_6.5.x86_64.rpm
openldap-clients-2.2.13-8.el4_6.5.x86_64.rpm
openldap-debuginfo-2.2.13-8.el4_6.5.i386.rpm
openldap-debuginfo-2.2.13-8.el4_6.5.x86_64.rpm
openldap-devel-2.2.13-8.el4_6.5.x86_64.rpm
openldap-servers-2.2.13-8.el4_6.5.x86_64.rpm
openldap-servers-sql-2.2.13-8.el4_6.5.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/openldap-2.3.27-8.el5_2.4.src.rpm

i386:
compat-openldap-2.3.27_2.2.29-8.el5_2.4.i386.rpm
openldap-2.3.27-8.el5_2.4.i386.rpm
openldap-clients-2.3.27-8.el5_2.4.i386.rpm
openldap-debuginfo-2.3.27-8.el5_2.4.i386.rpm

x86_64:
compat-openldap-2.3.27_2.2.29-8.el5_2.4.i386.rpm
compat-openldap-2.3.27_2.2.29-8.el5_2.4.x86_64.rpm
openldap-2.3.27-8.el5_2.4.i386.rpm
openldap-2.3.27-8.el5_2.4.x86_64.rpm
openldap-clients-2.3.27-8.el5_2.4.x86_64.rpm
openldap-debuginfo-2.3.27-8.el5_2.4.i386.rpm
openldap-debuginfo-2.3.27-8.el5_2.4.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/openldap-2.3.27-8.el5_2.4.src.rpm

i386:
openldap-debuginfo-2.3.27-8.el5_2.4.i386.rpm
openldap-devel-2.3.27-8.el5_2.4.i386.rpm
openldap-servers-2.3.27-8.el5_2.4.i386.rpm
openldap-servers-sql-2.3.27-8.el5_2.4.i386.rpm

x86_64:
openldap-debuginfo-2.3.27-8.el5_2.4.i386.rpm
openldap-debuginfo-2.3.27-8.el5_2.4.x86_64.rpm
openldap-devel-2.3.27-8.el5_2.4.i386.rpm
openldap-devel-2.3.27-8.el5_2.4.x86_64.rpm
openldap-servers-2.3.27-8.el5_2.4.x86_64.rpm
openldap-servers-sql-2.3.27-8.el5_2.4.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/openldap-2.3.27-8.el5_2.4.src.rpm

i386:
compat-openldap-2.3.27_2.2.29-8.el5_2.4.i386.rpm
openldap-2.3.27-8.el5_2.4.i386.rpm
openldap-clients-2.3.27-8.el5_2.4.i386.rpm
openldap-debuginfo-2.3.27-8.el5_2.4.i386.rpm
openldap-devel-2.3.27-8.el5_2.4.i386.rpm
openldap-servers-2.3.27-8.el5_2.4.i386.rpm
openldap-servers-sql-2.3.27-8.el5_2.4.i386.rpm

ia64:
compat-openldap-2.3.27_2.2.29-8.el5_2.4.i386.rpm
compat-openldap-2.3.27_2.2.29-8.el5_2.4.ia64.rpm
openldap-2.3.27-8.el5_2.4.i386.rpm
openldap-2.3.27-8.el5_2.4.ia64.rpm
openldap-clients-2.3.27-8.el5_2.4.ia64.rpm
openldap-debuginfo-2.3.27-8.el5_2.4.i386.rpm
openldap-debuginfo-2.3.27-8.el5_2.4.ia64.rpm
openldap-devel-2.3.27-8.el5_2.4.ia64.rpm
openldap-servers-2.3.27-8.el5_2.4.ia64.rpm
openldap-servers-sql-2.3.27-8.el5_2.4.ia64.rpm

ppc:
compat-openldap-2.3.27_2.2.29-8.el5_2.4.ppc.rpm
compat-openldap-2.3.27_2.2.29-8.el5_2.4.ppc64.rpm
openldap-2.3.27-8.el5_2.4.ppc.rpm
openldap-2.3.27-8.el5_2.4.ppc64.rpm
openldap-clients-2.3.27-8.el5_2.4.ppc.rpm
openldap-debuginfo-2.3.27-8.el5_2.4.ppc.rpm
openldap-debuginfo-2.3.27-8.el5_2.4.ppc64.rpm
openldap-devel-2.3.27-8.el5_2.4.ppc.rpm
openldap-devel-2.3.27-8.el5_2.4.ppc64.rpm
openldap-servers-2.3.27-8.el5_2.4.ppc.rpm
openldap-servers-sql-2.3.27-8.el5_2.4.ppc.rpm

s390x:
compat-openldap-2.3.27_2.2.29-8.el5_2.4.s390.rpm
compat-openldap-2.3.27_2.2.29-8.el5_2.4.s390x.rpm
openldap-2.3.27-8.el5_2.4.s390.rpm
openldap-2.3.27-8.el5_2.4.s390x.rpm
openldap-clients-2.3.27-8.el5_2.4.s390x.rpm
openldap-debuginfo-2.3.27-8.el5_2.4.s390.rpm
openldap-debuginfo-2.3.27-8.el5_2.4.s390x.rpm
openldap-devel-2.3.27-8.el5_2.4.s390.rpm
openldap-devel-2.3.27-8.el5_2.4.s390x.rpm
openldap-servers-2.3.27-8.el5_2.4.s390x.rpm
openldap-servers-sql-2.3.27-8.el5_2.4.s390x.rpm

x86_64:
compat-openldap-2.3.27_2.2.29-8.el5_2.4.i386.rpm
compat-openldap-2.3.27_2.2.29-8.el5_2.4.x86_64.rpm
openldap-2.3.27-8.el5_2.4.i386.rpm
openldap-2.3.27-8.el5_2.4.x86_64.rpm
openldap-clients-2.3.27-8.el5_2.4.x86_64.rpm
openldap-debuginfo-2.3.27-8.el5_2.4.i386.rpm
openldap-debuginfo-2.3.27-8.el5_2.4.x86_64.rpm
openldap-devel-2.3.27-8.el5_2.4.i386.rpm
openldap-devel-2.3.27-8.el5_2.4.x86_64.rpm
openldap-servers-2.3.27-8.el5_2.4.x86_64.rpm
openldap-servers-sql-2.3.27-8.el5_2.4.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2952
http://www.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2008 Red Hat, Inc.

From bugzilla at redhat.com Mon Jul 14 13:11:03 2008
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 14 Jul 2008 09:11:03 -0400
Subject: [RHSA-2008:0555-01] Critical: java-1.4.2-ibm security update
Message-ID: <200807141311.m6EDB3b9009151@pobox.devel.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: java-1.4.2-ibm security update
Advisory ID:       RHSA-2008:0555-01
Product:           Red Hat Enterprise Linux Extras
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2008-0555.html
Issue date:        2008-07-14
Keywords:          Security
CVE Names:         CVE-2008-1187 CVE-2008-1196
=====================================================================

1. Summary:

Updated java-1.4.2-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 3 and 4 Extras, and 5 Supplementary.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 3 Extras - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 Extras - i386, x86_64
Red Hat Enterprise Linux ES version 3 Extras - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 Extras - i386, ia64, x86_64
Red Hat Enterprise Linux AS version 4 Extras - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 4 Extras - i386, x86_64
Red Hat Enterprise Linux ES version 4 Extras - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 Extras - i386, ia64, x86_64
RHEL Desktop Supplementary (v. 5 client) - i386, x86_64
RHEL Supplementary (v. 5 server) - i386, ia64, ppc, s390x, x86_64

3. Description:

IBM's 1.4.2 SR11 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit.

A flaw was found in the Java XSLT processing classes. An untrusted application or applet could cause a denial of service, or execute arbitrary code with the permissions of the user running the JRE. (CVE-2008-1187)

A buffer overflow flaw was found in Java Web Start (JWS). An untrusted application using the Java Network Launch Protocol (JNLP) could access local files or execute local applications accessible to the user running the JRE. (CVE-2008-1196)

All users of java-1.4.2-ibm are advised to upgrade to these updated packages, which contain IBM's 1.4.2 SR11 Java release, which resolves these issues.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/FAQ_58_10188

5. Bugs fixed (http://bugzilla.redhat.com/):

436030 - CVE-2008-1187 Untrusted applet and application XSLT processing privilege escalation
436302 - CVE-2008-1196 Buffer overflow security vulnerabilities in Java Web Start

6. Package List:

Red Hat Enterprise Linux AS version 3 Extras:

i386:
java-1.4.2-ibm-1.4.2.11-1jpp.2.el3.i386.rpm
java-1.4.2-ibm-demo-1.4.2.11-1jpp.2.el3.i386.rpm
java-1.4.2-ibm-devel-1.4.2.11-1jpp.2.el3.i386.rpm
java-1.4.2-ibm-jdbc-1.4.2.11-1jpp.2.el3.i386.rpm
java-1.4.2-ibm-plugin-1.4.2.11-1jpp.2.el3.i386.rpm
java-1.4.2-ibm-src-1.4.2.11-1jpp.2.el3.i386.rpm

ia64:
java-1.4.2-ibm-1.4.2.11-1jpp.2.el3.ia64.rpm
java-1.4.2-ibm-demo-1.4.2.11-1jpp.2.el3.ia64.rpm
java-1.4.2-ibm-devel-1.4.2.11-1jpp.2.el3.ia64.rpm
java-1.4.2-ibm-src-1.4.2.11-1jpp.2.el3.ia64.rpm

ppc:
java-1.4.2-ibm-1.4.2.11-1jpp.2.el3.ppc.rpm
java-1.4.2-ibm-demo-1.4.2.11-1jpp.2.el3.ppc.rpm
java-1.4.2-ibm-devel-1.4.2.11-1jpp.2.el3.ppc.rpm
java-1.4.2-ibm-jdbc-1.4.2.11-1jpp.2.el3.ppc.rpm
java-1.4.2-ibm-src-1.4.2.11-1jpp.2.el3.ppc.rpm

s390:
java-1.4.2-ibm-1.4.2.11-1jpp.2.el3.s390.rpm
java-1.4.2-ibm-demo-1.4.2.11-1jpp.2.el3.s390.rpm
java-1.4.2-ibm-devel-1.4.2.11-1jpp.2.el3.s390.rpm
java-1.4.2-ibm-jdbc-1.4.2.11-1jpp.2.el3.s390.rpm
java-1.4.2-ibm-src-1.4.2.11-1jpp.2.el3.s390.rpm

s390x:
java-1.4.2-ibm-1.4.2.11-1jpp.2.el3.s390x.rpm
java-1.4.2-ibm-demo-1.4.2.11-1jpp.2.el3.s390x.rpm
java-1.4.2-ibm-devel-1.4.2.11-1jpp.2.el3.s390x.rpm
java-1.4.2-ibm-src-1.4.2.11-1jpp.2.el3.s390x.rpm

x86_64:
java-1.4.2-ibm-1.4.2.11-1jpp.2.el3.x86_64.rpm
java-1.4.2-ibm-demo-1.4.2.11-1jpp.2.el3.x86_64.rpm
java-1.4.2-ibm-devel-1.4.2.11-1jpp.2.el3.x86_64.rpm
java-1.4.2-ibm-src-1.4.2.11-1jpp.2.el3.x86_64.rpm

Red Hat Desktop version 3 Extras:

i386:
java-1.4.2-ibm-1.4.2.11-1jpp.2.el3.i386.rpm
java-1.4.2-ibm-demo-1.4.2.11-1jpp.2.el3.i386.rpm
java-1.4.2-ibm-devel-1.4.2.11-1jpp.2.el3.i386.rpm
java-1.4.2-ibm-jdbc-1.4.2.11-1jpp.2.el3.i386.rpm
java-1.4.2-ibm-plugin-1.4.2.11-1jpp.2.el3.i386.rpm
java-1.4.2-ibm-src-1.4.2.11-1jpp.2.el3.i386.rpm
x86_64:
java-1.4.2-ibm-1.4.2.11-1jpp.2.el3.x86_64.rpm
java-1.4.2-ibm-demo-1.4.2.11-1jpp.2.el3.x86_64.rpm
java-1.4.2-ibm-devel-1.4.2.11-1jpp.2.el3.x86_64.rpm
java-1.4.2-ibm-src-1.4.2.11-1jpp.2.el3.x86_64.rpm

Red Hat Enterprise Linux ES version 3 Extras:

i386:
java-1.4.2-ibm-1.4.2.11-1jpp.2.el3.i386.rpm
java-1.4.2-ibm-demo-1.4.2.11-1jpp.2.el3.i386.rpm
java-1.4.2-ibm-devel-1.4.2.11-1jpp.2.el3.i386.rpm
java-1.4.2-ibm-jdbc-1.4.2.11-1jpp.2.el3.i386.rpm
java-1.4.2-ibm-plugin-1.4.2.11-1jpp.2.el3.i386.rpm
java-1.4.2-ibm-src-1.4.2.11-1jpp.2.el3.i386.rpm

ia64:
java-1.4.2-ibm-1.4.2.11-1jpp.2.el3.ia64.rpm
java-1.4.2-ibm-demo-1.4.2.11-1jpp.2.el3.ia64.rpm
java-1.4.2-ibm-devel-1.4.2.11-1jpp.2.el3.ia64.rpm
java-1.4.2-ibm-src-1.4.2.11-1jpp.2.el3.ia64.rpm

x86_64:
java-1.4.2-ibm-1.4.2.11-1jpp.2.el3.x86_64.rpm
java-1.4.2-ibm-demo-1.4.2.11-1jpp.2.el3.x86_64.rpm
java-1.4.2-ibm-devel-1.4.2.11-1jpp.2.el3.x86_64.rpm
java-1.4.2-ibm-src-1.4.2.11-1jpp.2.el3.x86_64.rpm

Red Hat Enterprise Linux WS version 3 Extras:

i386:
java-1.4.2-ibm-1.4.2.11-1jpp.2.el3.i386.rpm
java-1.4.2-ibm-demo-1.4.2.11-1jpp.2.el3.i386.rpm
java-1.4.2-ibm-devel-1.4.2.11-1jpp.2.el3.i386.rpm
java-1.4.2-ibm-jdbc-1.4.2.11-1jpp.2.el3.i386.rpm
java-1.4.2-ibm-plugin-1.4.2.11-1jpp.2.el3.i386.rpm
java-1.4.2-ibm-src-1.4.2.11-1jpp.2.el3.i386.rpm

ia64:
java-1.4.2-ibm-1.4.2.11-1jpp.2.el3.ia64.rpm
java-1.4.2-ibm-demo-1.4.2.11-1jpp.2.el3.ia64.rpm
java-1.4.2-ibm-devel-1.4.2.11-1jpp.2.el3.ia64.rpm
java-1.4.2-ibm-src-1.4.2.11-1jpp.2.el3.ia64.rpm

x86_64:
java-1.4.2-ibm-1.4.2.11-1jpp.2.el3.x86_64.rpm
java-1.4.2-ibm-demo-1.4.2.11-1jpp.2.el3.x86_64.rpm
java-1.4.2-ibm-devel-1.4.2.11-1jpp.2.el3.x86_64.rpm
java-1.4.2-ibm-src-1.4.2.11-1jpp.2.el3.x86_64.rpm

Red Hat Enterprise Linux AS version 4 Extras:

i386:
java-1.4.2-ibm-1.4.2.11-1jpp.2.el4.i386.rpm
java-1.4.2-ibm-demo-1.4.2.11-1jpp.2.el4.i386.rpm
java-1.4.2-ibm-devel-1.4.2.11-1jpp.2.el4.i386.rpm
java-1.4.2-ibm-javacomm-1.4.2.11-1jpp.2.el4.i386.rpm
java-1.4.2-ibm-jdbc-1.4.2.11-1jpp.2.el4.i386.rpm
java-1.4.2-ibm-plugin-1.4.2.11-1jpp.2.el4.i386.rpm
java-1.4.2-ibm-src-1.4.2.11-1jpp.2.el4.i386.rpm

ia64:
java-1.4.2-ibm-1.4.2.11-1jpp.2.el4.ia64.rpm
java-1.4.2-ibm-demo-1.4.2.11-1jpp.2.el4.ia64.rpm
java-1.4.2-ibm-devel-1.4.2.11-1jpp.2.el4.ia64.rpm
java-1.4.2-ibm-src-1.4.2.11-1jpp.2.el4.ia64.rpm

ppc:
java-1.4.2-ibm-1.4.2.11-1jpp.2.el4.ppc.rpm
java-1.4.2-ibm-demo-1.4.2.11-1jpp.2.el4.ppc.rpm
java-1.4.2-ibm-devel-1.4.2.11-1jpp.2.el4.ppc.rpm
java-1.4.2-ibm-javacomm-1.4.2.11-1jpp.2.el4.ppc.rpm
java-1.4.2-ibm-jdbc-1.4.2.11-1jpp.2.el4.ppc.rpm
java-1.4.2-ibm-src-1.4.2.11-1jpp.2.el4.ppc.rpm

s390:
java-1.4.2-ibm-1.4.2.11-1jpp.2.el4.s390.rpm
java-1.4.2-ibm-demo-1.4.2.11-1jpp.2.el4.s390.rpm
java-1.4.2-ibm-devel-1.4.2.11-1jpp.2.el4.s390.rpm
java-1.4.2-ibm-jdbc-1.4.2.11-1jpp.2.el4.s390.rpm
java-1.4.2-ibm-src-1.4.2.11-1jpp.2.el4.s390.rpm

s390x:
java-1.4.2-ibm-1.4.2.11-1jpp.2.el4.s390x.rpm
java-1.4.2-ibm-demo-1.4.2.11-1jpp.2.el4.s390x.rpm
java-1.4.2-ibm-devel-1.4.2.11-1jpp.2.el4.s390x.rpm
java-1.4.2-ibm-src-1.4.2.11-1jpp.2.el4.s390x.rpm

x86_64:
java-1.4.2-ibm-1.4.2.11-1jpp.2.el4.x86_64.rpm
java-1.4.2-ibm-demo-1.4.2.11-1jpp.2.el4.x86_64.rpm
java-1.4.2-ibm-devel-1.4.2.11-1jpp.2.el4.x86_64.rpm
java-1.4.2-ibm-javacomm-1.4.2.11-1jpp.2.el4.x86_64.rpm
java-1.4.2-ibm-src-1.4.2.11-1jpp.2.el4.x86_64.rpm

Red Hat Desktop version 4 Extras:

i386:
java-1.4.2-ibm-1.4.2.11-1jpp.2.el4.i386.rpm
java-1.4.2-ibm-demo-1.4.2.11-1jpp.2.el4.i386.rpm
java-1.4.2-ibm-devel-1.4.2.11-1jpp.2.el4.i386.rpm
java-1.4.2-ibm-javacomm-1.4.2.11-1jpp.2.el4.i386.rpm
java-1.4.2-ibm-jdbc-1.4.2.11-1jpp.2.el4.i386.rpm
java-1.4.2-ibm-plugin-1.4.2.11-1jpp.2.el4.i386.rpm
java-1.4.2-ibm-src-1.4.2.11-1jpp.2.el4.i386.rpm

x86_64:
java-1.4.2-ibm-1.4.2.11-1jpp.2.el4.x86_64.rpm
java-1.4.2-ibm-demo-1.4.2.11-1jpp.2.el4.x86_64.rpm
java-1.4.2-ibm-devel-1.4.2.11-1jpp.2.el4.x86_64.rpm
java-1.4.2-ibm-javacomm-1.4.2.11-1jpp.2.el4.x86_64.rpm
java-1.4.2-ibm-src-1.4.2.11-1jpp.2.el4.x86_64.rpm

Red Hat Enterprise Linux ES version 4 Extras:

i386:
java-1.4.2-ibm-1.4.2.11-1jpp.2.el4.i386.rpm
java-1.4.2-ibm-demo-1.4.2.11-1jpp.2.el4.i386.rpm
java-1.4.2-ibm-devel-1.4.2.11-1jpp.2.el4.i386.rpm
java-1.4.2-ibm-javacomm-1.4.2.11-1jpp.2.el4.i386.rpm
java-1.4.2-ibm-jdbc-1.4.2.11-1jpp.2.el4.i386.rpm
java-1.4.2-ibm-plugin-1.4.2.11-1jpp.2.el4.i386.rpm
java-1.4.2-ibm-src-1.4.2.11-1jpp.2.el4.i386.rpm

ia64:
java-1.4.2-ibm-1.4.2.11-1jpp.2.el4.ia64.rpm
java-1.4.2-ibm-demo-1.4.2.11-1jpp.2.el4.ia64.rpm
java-1.4.2-ibm-devel-1.4.2.11-1jpp.2.el4.ia64.rpm
java-1.4.2-ibm-src-1.4.2.11-1jpp.2.el4.ia64.rpm

x86_64:
java-1.4.2-ibm-1.4.2.11-1jpp.2.el4.x86_64.rpm
java-1.4.2-ibm-demo-1.4.2.11-1jpp.2.el4.x86_64.rpm
java-1.4.2-ibm-devel-1.4.2.11-1jpp.2.el4.x86_64.rpm
java-1.4.2-ibm-javacomm-1.4.2.11-1jpp.2.el4.x86_64.rpm
java-1.4.2-ibm-src-1.4.2.11-1jpp.2.el4.x86_64.rpm

Red Hat Enterprise Linux WS version 4 Extras:

i386:
java-1.4.2-ibm-1.4.2.11-1jpp.2.el4.i386.rpm
java-1.4.2-ibm-demo-1.4.2.11-1jpp.2.el4.i386.rpm
java-1.4.2-ibm-devel-1.4.2.11-1jpp.2.el4.i386.rpm
java-1.4.2-ibm-javacomm-1.4.2.11-1jpp.2.el4.i386.rpm
java-1.4.2-ibm-jdbc-1.4.2.11-1jpp.2.el4.i386.rpm
java-1.4.2-ibm-plugin-1.4.2.11-1jpp.2.el4.i386.rpm
java-1.4.2-ibm-src-1.4.2.11-1jpp.2.el4.i386.rpm

ia64:
java-1.4.2-ibm-1.4.2.11-1jpp.2.el4.ia64.rpm
java-1.4.2-ibm-demo-1.4.2.11-1jpp.2.el4.ia64.rpm
java-1.4.2-ibm-devel-1.4.2.11-1jpp.2.el4.ia64.rpm
java-1.4.2-ibm-src-1.4.2.11-1jpp.2.el4.ia64.rpm

x86_64:
java-1.4.2-ibm-1.4.2.11-1jpp.2.el4.x86_64.rpm
java-1.4.2-ibm-demo-1.4.2.11-1jpp.2.el4.x86_64.rpm
java-1.4.2-ibm-devel-1.4.2.11-1jpp.2.el4.x86_64.rpm
java-1.4.2-ibm-javacomm-1.4.2.11-1jpp.2.el4.x86_64.rpm
java-1.4.2-ibm-src-1.4.2.11-1jpp.2.el4.x86_64.rpm

RHEL Desktop Supplementary (v. 5 client):

i386:
java-1.4.2-ibm-1.4.2.11-1jpp.2.el5.i386.rpm
java-1.4.2-ibm-demo-1.4.2.11-1jpp.2.el5.i386.rpm
java-1.4.2-ibm-devel-1.4.2.11-1jpp.2.el5.i386.rpm
java-1.4.2-ibm-javacomm-1.4.2.11-1jpp.2.el5.i386.rpm
java-1.4.2-ibm-jdbc-1.4.2.11-1jpp.2.el5.i386.rpm
java-1.4.2-ibm-plugin-1.4.2.11-1jpp.2.el5.i386.rpm
java-1.4.2-ibm-src-1.4.2.11-1jpp.2.el5.i386.rpm

x86_64:
java-1.4.2-ibm-1.4.2.11-1jpp.2.el5.i386.rpm
java-1.4.2-ibm-1.4.2.11-1jpp.2.el5.x86_64.rpm
java-1.4.2-ibm-demo-1.4.2.11-1jpp.2.el5.i386.rpm
java-1.4.2-ibm-demo-1.4.2.11-1jpp.2.el5.x86_64.rpm
java-1.4.2-ibm-devel-1.4.2.11-1jpp.2.el5.i386.rpm
java-1.4.2-ibm-devel-1.4.2.11-1jpp.2.el5.x86_64.rpm
java-1.4.2-ibm-javacomm-1.4.2.11-1jpp.2.el5.i386.rpm
java-1.4.2-ibm-javacomm-1.4.2.11-1jpp.2.el5.x86_64.rpm
java-1.4.2-ibm-jdbc-1.4.2.11-1jpp.2.el5.i386.rpm
java-1.4.2-ibm-plugin-1.4.2.11-1jpp.2.el5.i386.rpm
java-1.4.2-ibm-src-1.4.2.11-1jpp.2.el5.i386.rpm
java-1.4.2-ibm-src-1.4.2.11-1jpp.2.el5.x86_64.rpm

RHEL Supplementary (v. 5 server):

i386:
java-1.4.2-ibm-1.4.2.11-1jpp.2.el5.i386.rpm
java-1.4.2-ibm-demo-1.4.2.11-1jpp.2.el5.i386.rpm
java-1.4.2-ibm-devel-1.4.2.11-1jpp.2.el5.i386.rpm
java-1.4.2-ibm-javacomm-1.4.2.11-1jpp.2.el5.i386.rpm
java-1.4.2-ibm-jdbc-1.4.2.11-1jpp.2.el5.i386.rpm
java-1.4.2-ibm-plugin-1.4.2.11-1jpp.2.el5.i386.rpm
java-1.4.2-ibm-src-1.4.2.11-1jpp.2.el5.i386.rpm

ia64:
java-1.4.2-ibm-1.4.2.11-1jpp.2.el5.ia64.rpm
java-1.4.2-ibm-demo-1.4.2.11-1jpp.2.el5.ia64.rpm
java-1.4.2-ibm-devel-1.4.2.11-1jpp.2.el5.ia64.rpm
java-1.4.2-ibm-src-1.4.2.11-1jpp.2.el5.ia64.rpm

ppc:
java-1.4.2-ibm-1.4.2.11-1jpp.2.el5.ppc.rpm
java-1.4.2-ibm-1.4.2.11-1jpp.2.el5.ppc64.rpm
java-1.4.2-ibm-demo-1.4.2.11-1jpp.2.el5.ppc.rpm
java-1.4.2-ibm-demo-1.4.2.11-1jpp.2.el5.ppc64.rpm
java-1.4.2-ibm-devel-1.4.2.11-1jpp.2.el5.ppc.rpm
java-1.4.2-ibm-devel-1.4.2.11-1jpp.2.el5.ppc64.rpm
java-1.4.2-ibm-javacomm-1.4.2.11-1jpp.2.el5.ppc.rpm
java-1.4.2-ibm-javacomm-1.4.2.11-1jpp.2.el5.ppc64.rpm
java-1.4.2-ibm-jdbc-1.4.2.11-1jpp.2.el5.ppc.rpm
java-1.4.2-ibm-src-1.4.2.11-1jpp.2.el5.ppc.rpm
java-1.4.2-ibm-src-1.4.2.11-1jpp.2.el5.ppc64.rpm

s390x:
java-1.4.2-ibm-1.4.2.11-1jpp.2.el5.s390.rpm
java-1.4.2-ibm-1.4.2.11-1jpp.2.el5.s390x.rpm
java-1.4.2-ibm-demo-1.4.2.11-1jpp.2.el5.s390.rpm
java-1.4.2-ibm-demo-1.4.2.11-1jpp.2.el5.s390x.rpm
java-1.4.2-ibm-devel-1.4.2.11-1jpp.2.el5.s390.rpm
java-1.4.2-ibm-devel-1.4.2.11-1jpp.2.el5.s390x.rpm
java-1.4.2-ibm-jdbc-1.4.2.11-1jpp.2.el5.s390.rpm
java-1.4.2-ibm-src-1.4.2.11-1jpp.2.el5.s390.rpm
java-1.4.2-ibm-src-1.4.2.11-1jpp.2.el5.s390x.rpm

x86_64:
java-1.4.2-ibm-1.4.2.11-1jpp.2.el5.i386.rpm
java-1.4.2-ibm-1.4.2.11-1jpp.2.el5.x86_64.rpm
java-1.4.2-ibm-demo-1.4.2.11-1jpp.2.el5.i386.rpm
java-1.4.2-ibm-demo-1.4.2.11-1jpp.2.el5.x86_64.rpm
java-1.4.2-ibm-devel-1.4.2.11-1jpp.2.el5.i386.rpm
java-1.4.2-ibm-devel-1.4.2.11-1jpp.2.el5.x86_64.rpm
java-1.4.2-ibm-javacomm-1.4.2.11-1jpp.2.el5.i386.rpm
java-1.4.2-ibm-javacomm-1.4.2.11-1jpp.2.el5.x86_64.rpm
java-1.4.2-ibm-jdbc-1.4.2.11-1jpp.2.el5.i386.rpm
java-1.4.2-ibm-plugin-1.4.2.11-1jpp.2.el5.i386.rpm
java-1.4.2-ibm-src-1.4.2.11-1jpp.2.el5.i386.rpm
java-1.4.2-ibm-src-1.4.2.11-1jpp.2.el5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1187
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1196
http://www.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2008 Red Hat, Inc.
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFIe1BWXlSAg2UNWIIRAkUbAKCV+U/8p2idcPBcEejZkAuM0qjO4QCgwn4i YU/Ty2pa3RbZxcj2dHXJw/c= =PDMq -----END PGP SIGNATURE----- From bugzilla at redhat.com Mon Jul 14 13:27:52 2008 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Mon, 14 Jul 2008 09:27:52 -0400 Subject: [RHSA-2008:0561-01] Moderate: ruby security update Message-ID: <200807141327.m6EDRqYl011624@pobox.devel.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: ruby security update Advisory ID: RHSA-2008:0561-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2008-0561.html Issue date: 2008-07-14 CVE Names: CVE-2008-2662 CVE-2008-2663 CVE-2008-2664 CVE-2008-2725 CVE-2008-2726 CVE-2008-2376 ===================================================================== 1. Summary: Updated ruby packages that fix several security issues are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. 2. Relevant releases/architectures: Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64 Red Hat Enterprise Linux Desktop version 4 - i386, x86_64 Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64 Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 RHEL Desktop Workstation (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64 3. Description: Ruby is an interpreted scripting language for quick and easy object-oriented programming. Multiple integer overflows leading to a heap overflow were discovered in the array- and string-handling code used by Ruby. 
An attacker could use these flaws to crash a Ruby application or, possibly, execute arbitrary code with the privileges of the Ruby application using untrusted inputs in array or string operations. (CVE-2008-2376, CVE-2008-2662, CVE-2008-2663, CVE-2008-2725, CVE-2008-2726) It was discovered that Ruby used the alloca() memory allocation function in the format (%) method of the String class without properly restricting maximum string length. An attacker could use this flaw to crash a Ruby application or, possibly, execute arbitrary code with the privileges of the Ruby application using long, untrusted strings as format strings. (CVE-2008-2664) Red Hat would like to thank Drew Yao of the Apple Product Security team for reporting these issues. Users of Ruby should upgrade to these updated packages, which contain a backported patch to resolve these issues. 4. Solution: Before applying this update, make sure that all previously-released errata relevant to your system have been applied. This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/FAQ_58_10188 5. Bugs fixed (http://bugzilla.redhat.com/): 450821 - CVE-2008-2662 ruby: Integer overflows in rb_str_buf_append() 450825 - CVE-2008-2663 ruby: Integer overflows in rb_ary_store() 450834 - CVE-2008-2664 ruby: Unsafe use of alloca in rb_str_format() 451821 - CVE-2008-2725 ruby: integer overflow in rb_ary_splice/update/replace() - REALLOC_N 451828 - CVE-2008-2726 ruby: integer overflow in rb_ary_splice/update/replace() - beg + rlen 453589 - CVE-2008-2376 ruby: integer overflows in rb_ary_fill() / Array#fill 6. 
Package List:

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/ruby-1.8.1-7.el4_6.1.src.rpm

i386:
irb-1.8.1-7.el4_6.1.i386.rpm
ruby-1.8.1-7.el4_6.1.i386.rpm
ruby-debuginfo-1.8.1-7.el4_6.1.i386.rpm
ruby-devel-1.8.1-7.el4_6.1.i386.rpm
ruby-docs-1.8.1-7.el4_6.1.i386.rpm
ruby-libs-1.8.1-7.el4_6.1.i386.rpm
ruby-mode-1.8.1-7.el4_6.1.i386.rpm
ruby-tcltk-1.8.1-7.el4_6.1.i386.rpm

ia64:
irb-1.8.1-7.el4_6.1.ia64.rpm
ruby-1.8.1-7.el4_6.1.ia64.rpm
ruby-debuginfo-1.8.1-7.el4_6.1.i386.rpm
ruby-debuginfo-1.8.1-7.el4_6.1.ia64.rpm
ruby-devel-1.8.1-7.el4_6.1.ia64.rpm
ruby-docs-1.8.1-7.el4_6.1.ia64.rpm
ruby-libs-1.8.1-7.el4_6.1.i386.rpm
ruby-libs-1.8.1-7.el4_6.1.ia64.rpm
ruby-mode-1.8.1-7.el4_6.1.ia64.rpm
ruby-tcltk-1.8.1-7.el4_6.1.ia64.rpm

ppc:
irb-1.8.1-7.el4_6.1.ppc.rpm
ruby-1.8.1-7.el4_6.1.ppc.rpm
ruby-debuginfo-1.8.1-7.el4_6.1.ppc.rpm
ruby-debuginfo-1.8.1-7.el4_6.1.ppc64.rpm
ruby-devel-1.8.1-7.el4_6.1.ppc.rpm
ruby-docs-1.8.1-7.el4_6.1.ppc.rpm
ruby-libs-1.8.1-7.el4_6.1.ppc.rpm
ruby-libs-1.8.1-7.el4_6.1.ppc64.rpm
ruby-mode-1.8.1-7.el4_6.1.ppc.rpm
ruby-tcltk-1.8.1-7.el4_6.1.ppc.rpm

s390:
irb-1.8.1-7.el4_6.1.s390.rpm
ruby-1.8.1-7.el4_6.1.s390.rpm
ruby-debuginfo-1.8.1-7.el4_6.1.s390.rpm
ruby-devel-1.8.1-7.el4_6.1.s390.rpm
ruby-docs-1.8.1-7.el4_6.1.s390.rpm
ruby-libs-1.8.1-7.el4_6.1.s390.rpm
ruby-mode-1.8.1-7.el4_6.1.s390.rpm
ruby-tcltk-1.8.1-7.el4_6.1.s390.rpm

s390x:
irb-1.8.1-7.el4_6.1.s390x.rpm
ruby-1.8.1-7.el4_6.1.s390x.rpm
ruby-debuginfo-1.8.1-7.el4_6.1.s390.rpm
ruby-debuginfo-1.8.1-7.el4_6.1.s390x.rpm
ruby-devel-1.8.1-7.el4_6.1.s390x.rpm
ruby-docs-1.8.1-7.el4_6.1.s390x.rpm
ruby-libs-1.8.1-7.el4_6.1.s390.rpm
ruby-libs-1.8.1-7.el4_6.1.s390x.rpm
ruby-mode-1.8.1-7.el4_6.1.s390x.rpm
ruby-tcltk-1.8.1-7.el4_6.1.s390x.rpm

x86_64:
irb-1.8.1-7.el4_6.1.x86_64.rpm
ruby-1.8.1-7.el4_6.1.x86_64.rpm
ruby-debuginfo-1.8.1-7.el4_6.1.i386.rpm
ruby-debuginfo-1.8.1-7.el4_6.1.x86_64.rpm
ruby-devel-1.8.1-7.el4_6.1.x86_64.rpm
ruby-docs-1.8.1-7.el4_6.1.x86_64.rpm
ruby-libs-1.8.1-7.el4_6.1.i386.rpm
ruby-libs-1.8.1-7.el4_6.1.x86_64.rpm
ruby-mode-1.8.1-7.el4_6.1.x86_64.rpm
ruby-tcltk-1.8.1-7.el4_6.1.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/ruby-1.8.1-7.el4_6.1.src.rpm

i386:
irb-1.8.1-7.el4_6.1.i386.rpm
ruby-1.8.1-7.el4_6.1.i386.rpm
ruby-debuginfo-1.8.1-7.el4_6.1.i386.rpm
ruby-devel-1.8.1-7.el4_6.1.i386.rpm
ruby-docs-1.8.1-7.el4_6.1.i386.rpm
ruby-libs-1.8.1-7.el4_6.1.i386.rpm
ruby-mode-1.8.1-7.el4_6.1.i386.rpm
ruby-tcltk-1.8.1-7.el4_6.1.i386.rpm

x86_64:
irb-1.8.1-7.el4_6.1.x86_64.rpm
ruby-1.8.1-7.el4_6.1.x86_64.rpm
ruby-debuginfo-1.8.1-7.el4_6.1.i386.rpm
ruby-debuginfo-1.8.1-7.el4_6.1.x86_64.rpm
ruby-devel-1.8.1-7.el4_6.1.x86_64.rpm
ruby-docs-1.8.1-7.el4_6.1.x86_64.rpm
ruby-libs-1.8.1-7.el4_6.1.i386.rpm
ruby-libs-1.8.1-7.el4_6.1.x86_64.rpm
ruby-mode-1.8.1-7.el4_6.1.x86_64.rpm
ruby-tcltk-1.8.1-7.el4_6.1.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/ruby-1.8.1-7.el4_6.1.src.rpm

i386:
irb-1.8.1-7.el4_6.1.i386.rpm
ruby-1.8.1-7.el4_6.1.i386.rpm
ruby-debuginfo-1.8.1-7.el4_6.1.i386.rpm
ruby-devel-1.8.1-7.el4_6.1.i386.rpm
ruby-docs-1.8.1-7.el4_6.1.i386.rpm
ruby-libs-1.8.1-7.el4_6.1.i386.rpm
ruby-mode-1.8.1-7.el4_6.1.i386.rpm
ruby-tcltk-1.8.1-7.el4_6.1.i386.rpm

ia64:
irb-1.8.1-7.el4_6.1.ia64.rpm
ruby-1.8.1-7.el4_6.1.ia64.rpm
ruby-debuginfo-1.8.1-7.el4_6.1.i386.rpm
ruby-debuginfo-1.8.1-7.el4_6.1.ia64.rpm
ruby-devel-1.8.1-7.el4_6.1.ia64.rpm
ruby-docs-1.8.1-7.el4_6.1.ia64.rpm
ruby-libs-1.8.1-7.el4_6.1.i386.rpm
ruby-libs-1.8.1-7.el4_6.1.ia64.rpm
ruby-mode-1.8.1-7.el4_6.1.ia64.rpm
ruby-tcltk-1.8.1-7.el4_6.1.ia64.rpm

x86_64:
irb-1.8.1-7.el4_6.1.x86_64.rpm
ruby-1.8.1-7.el4_6.1.x86_64.rpm
ruby-debuginfo-1.8.1-7.el4_6.1.i386.rpm
ruby-debuginfo-1.8.1-7.el4_6.1.x86_64.rpm
ruby-devel-1.8.1-7.el4_6.1.x86_64.rpm
ruby-docs-1.8.1-7.el4_6.1.x86_64.rpm
ruby-libs-1.8.1-7.el4_6.1.i386.rpm
ruby-libs-1.8.1-7.el4_6.1.x86_64.rpm
ruby-mode-1.8.1-7.el4_6.1.x86_64.rpm
ruby-tcltk-1.8.1-7.el4_6.1.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/ruby-1.8.1-7.el4_6.1.src.rpm

i386:
irb-1.8.1-7.el4_6.1.i386.rpm
ruby-1.8.1-7.el4_6.1.i386.rpm
ruby-debuginfo-1.8.1-7.el4_6.1.i386.rpm
ruby-devel-1.8.1-7.el4_6.1.i386.rpm
ruby-docs-1.8.1-7.el4_6.1.i386.rpm
ruby-libs-1.8.1-7.el4_6.1.i386.rpm
ruby-mode-1.8.1-7.el4_6.1.i386.rpm
ruby-tcltk-1.8.1-7.el4_6.1.i386.rpm

ia64:
irb-1.8.1-7.el4_6.1.ia64.rpm
ruby-1.8.1-7.el4_6.1.ia64.rpm
ruby-debuginfo-1.8.1-7.el4_6.1.i386.rpm
ruby-debuginfo-1.8.1-7.el4_6.1.ia64.rpm
ruby-devel-1.8.1-7.el4_6.1.ia64.rpm
ruby-docs-1.8.1-7.el4_6.1.ia64.rpm
ruby-libs-1.8.1-7.el4_6.1.i386.rpm
ruby-libs-1.8.1-7.el4_6.1.ia64.rpm
ruby-mode-1.8.1-7.el4_6.1.ia64.rpm
ruby-tcltk-1.8.1-7.el4_6.1.ia64.rpm

x86_64:
irb-1.8.1-7.el4_6.1.x86_64.rpm
ruby-1.8.1-7.el4_6.1.x86_64.rpm
ruby-debuginfo-1.8.1-7.el4_6.1.i386.rpm
ruby-debuginfo-1.8.1-7.el4_6.1.x86_64.rpm
ruby-devel-1.8.1-7.el4_6.1.x86_64.rpm
ruby-docs-1.8.1-7.el4_6.1.x86_64.rpm
ruby-libs-1.8.1-7.el4_6.1.i386.rpm
ruby-libs-1.8.1-7.el4_6.1.x86_64.rpm
ruby-mode-1.8.1-7.el4_6.1.x86_64.rpm
ruby-tcltk-1.8.1-7.el4_6.1.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/ruby-1.8.5-5.el5_2.3.src.rpm

i386:
ruby-1.8.5-5.el5_2.3.i386.rpm
ruby-debuginfo-1.8.5-5.el5_2.3.i386.rpm
ruby-docs-1.8.5-5.el5_2.3.i386.rpm
ruby-irb-1.8.5-5.el5_2.3.i386.rpm
ruby-libs-1.8.5-5.el5_2.3.i386.rpm
ruby-rdoc-1.8.5-5.el5_2.3.i386.rpm
ruby-ri-1.8.5-5.el5_2.3.i386.rpm
ruby-tcltk-1.8.5-5.el5_2.3.i386.rpm

x86_64:
ruby-1.8.5-5.el5_2.3.x86_64.rpm
ruby-debuginfo-1.8.5-5.el5_2.3.i386.rpm
ruby-debuginfo-1.8.5-5.el5_2.3.x86_64.rpm
ruby-docs-1.8.5-5.el5_2.3.x86_64.rpm
ruby-irb-1.8.5-5.el5_2.3.x86_64.rpm
ruby-libs-1.8.5-5.el5_2.3.i386.rpm
ruby-libs-1.8.5-5.el5_2.3.x86_64.rpm
ruby-rdoc-1.8.5-5.el5_2.3.x86_64.rpm
ruby-ri-1.8.5-5.el5_2.3.x86_64.rpm
ruby-tcltk-1.8.5-5.el5_2.3.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/ruby-1.8.5-5.el5_2.3.src.rpm

i386:
ruby-debuginfo-1.8.5-5.el5_2.3.i386.rpm
ruby-devel-1.8.5-5.el5_2.3.i386.rpm
ruby-mode-1.8.5-5.el5_2.3.i386.rpm

x86_64:
ruby-debuginfo-1.8.5-5.el5_2.3.i386.rpm
ruby-debuginfo-1.8.5-5.el5_2.3.x86_64.rpm
ruby-devel-1.8.5-5.el5_2.3.i386.rpm
ruby-devel-1.8.5-5.el5_2.3.x86_64.rpm
ruby-mode-1.8.5-5.el5_2.3.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/ruby-1.8.5-5.el5_2.3.src.rpm

i386:
ruby-1.8.5-5.el5_2.3.i386.rpm
ruby-debuginfo-1.8.5-5.el5_2.3.i386.rpm
ruby-devel-1.8.5-5.el5_2.3.i386.rpm
ruby-docs-1.8.5-5.el5_2.3.i386.rpm
ruby-irb-1.8.5-5.el5_2.3.i386.rpm
ruby-libs-1.8.5-5.el5_2.3.i386.rpm
ruby-mode-1.8.5-5.el5_2.3.i386.rpm
ruby-rdoc-1.8.5-5.el5_2.3.i386.rpm
ruby-ri-1.8.5-5.el5_2.3.i386.rpm
ruby-tcltk-1.8.5-5.el5_2.3.i386.rpm

ia64:
ruby-1.8.5-5.el5_2.3.ia64.rpm
ruby-debuginfo-1.8.5-5.el5_2.3.ia64.rpm
ruby-devel-1.8.5-5.el5_2.3.ia64.rpm
ruby-docs-1.8.5-5.el5_2.3.ia64.rpm
ruby-irb-1.8.5-5.el5_2.3.ia64.rpm
ruby-libs-1.8.5-5.el5_2.3.ia64.rpm
ruby-mode-1.8.5-5.el5_2.3.ia64.rpm
ruby-rdoc-1.8.5-5.el5_2.3.ia64.rpm
ruby-ri-1.8.5-5.el5_2.3.ia64.rpm
ruby-tcltk-1.8.5-5.el5_2.3.ia64.rpm

ppc:
ruby-1.8.5-5.el5_2.3.ppc.rpm
ruby-debuginfo-1.8.5-5.el5_2.3.ppc.rpm
ruby-debuginfo-1.8.5-5.el5_2.3.ppc64.rpm
ruby-devel-1.8.5-5.el5_2.3.ppc.rpm
ruby-devel-1.8.5-5.el5_2.3.ppc64.rpm
ruby-docs-1.8.5-5.el5_2.3.ppc.rpm
ruby-irb-1.8.5-5.el5_2.3.ppc.rpm
ruby-libs-1.8.5-5.el5_2.3.ppc.rpm
ruby-libs-1.8.5-5.el5_2.3.ppc64.rpm
ruby-mode-1.8.5-5.el5_2.3.ppc.rpm
ruby-rdoc-1.8.5-5.el5_2.3.ppc.rpm
ruby-ri-1.8.5-5.el5_2.3.ppc.rpm
ruby-tcltk-1.8.5-5.el5_2.3.ppc.rpm

s390x:
ruby-1.8.5-5.el5_2.3.s390x.rpm
ruby-debuginfo-1.8.5-5.el5_2.3.s390.rpm
ruby-debuginfo-1.8.5-5.el5_2.3.s390x.rpm
ruby-devel-1.8.5-5.el5_2.3.s390.rpm
ruby-devel-1.8.5-5.el5_2.3.s390x.rpm
ruby-docs-1.8.5-5.el5_2.3.s390x.rpm
ruby-irb-1.8.5-5.el5_2.3.s390x.rpm
ruby-libs-1.8.5-5.el5_2.3.s390.rpm
ruby-libs-1.8.5-5.el5_2.3.s390x.rpm
ruby-mode-1.8.5-5.el5_2.3.s390x.rpm
ruby-rdoc-1.8.5-5.el5_2.3.s390x.rpm
ruby-ri-1.8.5-5.el5_2.3.s390x.rpm
ruby-tcltk-1.8.5-5.el5_2.3.s390x.rpm

x86_64:
ruby-1.8.5-5.el5_2.3.x86_64.rpm
ruby-debuginfo-1.8.5-5.el5_2.3.i386.rpm
ruby-debuginfo-1.8.5-5.el5_2.3.x86_64.rpm
ruby-devel-1.8.5-5.el5_2.3.i386.rpm
ruby-devel-1.8.5-5.el5_2.3.x86_64.rpm
ruby-docs-1.8.5-5.el5_2.3.x86_64.rpm
ruby-irb-1.8.5-5.el5_2.3.x86_64.rpm
ruby-libs-1.8.5-5.el5_2.3.i386.rpm
ruby-libs-1.8.5-5.el5_2.3.x86_64.rpm
ruby-mode-1.8.5-5.el5_2.3.x86_64.rpm
ruby-rdoc-1.8.5-5.el5_2.3.x86_64.rpm
ruby-ri-1.8.5-5.el5_2.3.x86_64.rpm
ruby-tcltk-1.8.5-5.el5_2.3.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2662
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2663
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2664
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2725
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2726
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2376
http://www.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2008 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFIe1RLXlSAg2UNWIIRAs7wAJ95TZIQYSJIlD2t+wAjaF+2UE5DPwCePi9Z
r2B3QtLlibky8F9MTvwxPGg=
=9jL4
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Mon Jul 14 13:43:50 2008
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 14 Jul 2008 09:43:50 -0400
Subject: [RHSA-2008:0562-01] Moderate: ruby security update
Message-ID: <200807141343.m6EDhojP014379@pobox.devel.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: ruby security update
Advisory ID: RHSA-2008:0562-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2008-0562.html
Issue date: 2008-07-14
CVE Names: CVE-2008-2663 CVE-2008-2664 CVE-2008-2725 CVE-2008-2726 CVE-2006-6303 CVE-2008-2376
=====================================================================

1.
Summary:

Updated ruby packages that fix several security issues are now available for Red Hat Enterprise Linux 2.1 and 3.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386
Red Hat Enterprise Linux ES version 2.1 - i386
Red Hat Enterprise Linux WS version 2.1 - i386
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64

3. Description:

Ruby is an interpreted scripting language for quick and easy object-oriented programming.

Multiple integer overflows leading to a heap overflow were discovered in the array- and string-handling code used by Ruby. An attacker could use these flaws to crash a Ruby application or, possibly, execute arbitrary code with the privileges of the Ruby application using untrusted inputs in array or string operations. (CVE-2008-2376, CVE-2008-2663, CVE-2008-2725, CVE-2008-2726)

It was discovered that Ruby used the alloca() memory allocation function in the format (%) method of the String class without properly restricting maximum string length. An attacker could use this flaw to crash a Ruby application or, possibly, execute arbitrary code with the privileges of the Ruby application using long, untrusted strings as format strings. (CVE-2008-2664)

Red Hat would like to thank Drew Yao of the Apple Product Security team for reporting these issues.

A flaw was discovered in the way Ruby's CGI module handles certain HTTP requests. A remote attacker could send a specially crafted request and cause the Ruby CGI script to enter an infinite loop, possibly causing a denial of service. (CVE-2006-6303)

Users of Ruby should upgrade to these updated packages, which contain backported patches to resolve these issues.

4.
Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/FAQ_58_10188

5. Bugs fixed (http://bugzilla.redhat.com/):

218287 - CVE-2006-6303 ruby's cgi.rb vulnerable infinite loop DoS
450825 - CVE-2008-2663 ruby: Integer overflows in rb_ary_store()
450834 - CVE-2008-2664 ruby: Unsafe use of alloca in rb_str_format()
451821 - CVE-2008-2725 ruby: integer overflow in rb_ary_splice/update/replace() - REALLOC_N
451828 - CVE-2008-2726 ruby: integer overflow in rb_ary_splice/update/replace() - beg + rlen
453589 - CVE-2008-2376 ruby: integer overflows in rb_ary_fill() / Array#fill

6. Package List:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1:

Source:
ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/ruby-1.6.4-6.el2.src.rpm

i386:
irb-1.6.4-6.el2.i386.rpm
ruby-1.6.4-6.el2.i386.rpm
ruby-devel-1.6.4-6.el2.i386.rpm
ruby-docs-1.6.4-6.el2.i386.rpm
ruby-libs-1.6.4-6.el2.i386.rpm
ruby-tcltk-1.6.4-6.el2.i386.rpm

Red Hat Enterprise Linux ES version 2.1:

Source:
ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/ruby-1.6.4-6.el2.src.rpm

i386:
irb-1.6.4-6.el2.i386.rpm
ruby-1.6.4-6.el2.i386.rpm
ruby-devel-1.6.4-6.el2.i386.rpm
ruby-docs-1.6.4-6.el2.i386.rpm
ruby-libs-1.6.4-6.el2.i386.rpm
ruby-tcltk-1.6.4-6.el2.i386.rpm

Red Hat Enterprise Linux WS version 2.1:

Source:
ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/ruby-1.6.4-6.el2.src.rpm

i386:
irb-1.6.4-6.el2.i386.rpm
ruby-1.6.4-6.el2.i386.rpm
ruby-devel-1.6.4-6.el2.i386.rpm
ruby-docs-1.6.4-6.el2.i386.rpm
ruby-libs-1.6.4-6.el2.i386.rpm
ruby-tcltk-1.6.4-6.el2.i386.rpm

Red Hat Enterprise Linux AS version 3:

Source:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/ruby-1.6.8-12.el3.src.rpm

i386:
irb-1.6.8-12.el3.i386.rpm
ruby-1.6.8-12.el3.i386.rpm
ruby-debuginfo-1.6.8-12.el3.i386.rpm
ruby-devel-1.6.8-12.el3.i386.rpm
ruby-docs-1.6.8-12.el3.i386.rpm
ruby-libs-1.6.8-12.el3.i386.rpm
ruby-mode-1.6.8-12.el3.i386.rpm
ruby-tcltk-1.6.8-12.el3.i386.rpm

ia64:
irb-1.6.8-12.el3.ia64.rpm
ruby-1.6.8-12.el3.ia64.rpm
ruby-debuginfo-1.6.8-12.el3.i386.rpm
ruby-debuginfo-1.6.8-12.el3.ia64.rpm
ruby-devel-1.6.8-12.el3.ia64.rpm
ruby-docs-1.6.8-12.el3.ia64.rpm
ruby-libs-1.6.8-12.el3.i386.rpm
ruby-libs-1.6.8-12.el3.ia64.rpm
ruby-mode-1.6.8-12.el3.ia64.rpm
ruby-tcltk-1.6.8-12.el3.ia64.rpm

ppc:
irb-1.6.8-12.el3.ppc.rpm
ruby-1.6.8-12.el3.ppc.rpm
ruby-debuginfo-1.6.8-12.el3.ppc.rpm
ruby-debuginfo-1.6.8-12.el3.ppc64.rpm
ruby-devel-1.6.8-12.el3.ppc.rpm
ruby-docs-1.6.8-12.el3.ppc.rpm
ruby-libs-1.6.8-12.el3.ppc.rpm
ruby-libs-1.6.8-12.el3.ppc64.rpm
ruby-mode-1.6.8-12.el3.ppc.rpm
ruby-tcltk-1.6.8-12.el3.ppc.rpm

s390:
irb-1.6.8-12.el3.s390.rpm
ruby-1.6.8-12.el3.s390.rpm
ruby-debuginfo-1.6.8-12.el3.s390.rpm
ruby-devel-1.6.8-12.el3.s390.rpm
ruby-docs-1.6.8-12.el3.s390.rpm
ruby-libs-1.6.8-12.el3.s390.rpm
ruby-mode-1.6.8-12.el3.s390.rpm
ruby-tcltk-1.6.8-12.el3.s390.rpm

s390x:
irb-1.6.8-12.el3.s390x.rpm
ruby-1.6.8-12.el3.s390x.rpm
ruby-debuginfo-1.6.8-12.el3.s390.rpm
ruby-debuginfo-1.6.8-12.el3.s390x.rpm
ruby-devel-1.6.8-12.el3.s390x.rpm
ruby-docs-1.6.8-12.el3.s390x.rpm
ruby-libs-1.6.8-12.el3.s390.rpm
ruby-libs-1.6.8-12.el3.s390x.rpm
ruby-mode-1.6.8-12.el3.s390x.rpm
ruby-tcltk-1.6.8-12.el3.s390x.rpm

x86_64:
irb-1.6.8-12.el3.x86_64.rpm
ruby-1.6.8-12.el3.x86_64.rpm
ruby-debuginfo-1.6.8-12.el3.i386.rpm
ruby-debuginfo-1.6.8-12.el3.x86_64.rpm
ruby-devel-1.6.8-12.el3.x86_64.rpm
ruby-docs-1.6.8-12.el3.x86_64.rpm
ruby-libs-1.6.8-12.el3.i386.rpm
ruby-libs-1.6.8-12.el3.x86_64.rpm
ruby-mode-1.6.8-12.el3.x86_64.rpm
ruby-tcltk-1.6.8-12.el3.x86_64.rpm

Red Hat Desktop version 3:

Source:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/ruby-1.6.8-12.el3.src.rpm

i386:
irb-1.6.8-12.el3.i386.rpm
ruby-1.6.8-12.el3.i386.rpm
ruby-debuginfo-1.6.8-12.el3.i386.rpm
ruby-devel-1.6.8-12.el3.i386.rpm
ruby-docs-1.6.8-12.el3.i386.rpm
ruby-libs-1.6.8-12.el3.i386.rpm
ruby-mode-1.6.8-12.el3.i386.rpm
ruby-tcltk-1.6.8-12.el3.i386.rpm

x86_64:
irb-1.6.8-12.el3.x86_64.rpm
ruby-1.6.8-12.el3.x86_64.rpm
ruby-debuginfo-1.6.8-12.el3.i386.rpm
ruby-debuginfo-1.6.8-12.el3.x86_64.rpm
ruby-devel-1.6.8-12.el3.x86_64.rpm
ruby-docs-1.6.8-12.el3.x86_64.rpm
ruby-libs-1.6.8-12.el3.i386.rpm
ruby-libs-1.6.8-12.el3.x86_64.rpm
ruby-mode-1.6.8-12.el3.x86_64.rpm
ruby-tcltk-1.6.8-12.el3.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

Source:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/ruby-1.6.8-12.el3.src.rpm

i386:
irb-1.6.8-12.el3.i386.rpm
ruby-1.6.8-12.el3.i386.rpm
ruby-debuginfo-1.6.8-12.el3.i386.rpm
ruby-devel-1.6.8-12.el3.i386.rpm
ruby-docs-1.6.8-12.el3.i386.rpm
ruby-libs-1.6.8-12.el3.i386.rpm
ruby-mode-1.6.8-12.el3.i386.rpm
ruby-tcltk-1.6.8-12.el3.i386.rpm

ia64:
irb-1.6.8-12.el3.ia64.rpm
ruby-1.6.8-12.el3.ia64.rpm
ruby-debuginfo-1.6.8-12.el3.i386.rpm
ruby-debuginfo-1.6.8-12.el3.ia64.rpm
ruby-devel-1.6.8-12.el3.ia64.rpm
ruby-docs-1.6.8-12.el3.ia64.rpm
ruby-libs-1.6.8-12.el3.i386.rpm
ruby-libs-1.6.8-12.el3.ia64.rpm
ruby-mode-1.6.8-12.el3.ia64.rpm
ruby-tcltk-1.6.8-12.el3.ia64.rpm

x86_64:
irb-1.6.8-12.el3.x86_64.rpm
ruby-1.6.8-12.el3.x86_64.rpm
ruby-debuginfo-1.6.8-12.el3.i386.rpm
ruby-debuginfo-1.6.8-12.el3.x86_64.rpm
ruby-devel-1.6.8-12.el3.x86_64.rpm
ruby-docs-1.6.8-12.el3.x86_64.rpm
ruby-libs-1.6.8-12.el3.i386.rpm
ruby-libs-1.6.8-12.el3.x86_64.rpm
ruby-mode-1.6.8-12.el3.x86_64.rpm
ruby-tcltk-1.6.8-12.el3.x86_64.rpm

Red Hat Enterprise Linux WS version 3:

Source:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/ruby-1.6.8-12.el3.src.rpm

i386:
irb-1.6.8-12.el3.i386.rpm
ruby-1.6.8-12.el3.i386.rpm
ruby-debuginfo-1.6.8-12.el3.i386.rpm
ruby-devel-1.6.8-12.el3.i386.rpm
ruby-docs-1.6.8-12.el3.i386.rpm
ruby-libs-1.6.8-12.el3.i386.rpm
ruby-mode-1.6.8-12.el3.i386.rpm
ruby-tcltk-1.6.8-12.el3.i386.rpm

ia64:
irb-1.6.8-12.el3.ia64.rpm
ruby-1.6.8-12.el3.ia64.rpm
ruby-debuginfo-1.6.8-12.el3.i386.rpm
ruby-debuginfo-1.6.8-12.el3.ia64.rpm
ruby-devel-1.6.8-12.el3.ia64.rpm
ruby-docs-1.6.8-12.el3.ia64.rpm
ruby-libs-1.6.8-12.el3.i386.rpm
ruby-libs-1.6.8-12.el3.ia64.rpm
ruby-mode-1.6.8-12.el3.ia64.rpm
ruby-tcltk-1.6.8-12.el3.ia64.rpm

x86_64:
irb-1.6.8-12.el3.x86_64.rpm
ruby-1.6.8-12.el3.x86_64.rpm
ruby-debuginfo-1.6.8-12.el3.i386.rpm
ruby-debuginfo-1.6.8-12.el3.x86_64.rpm
ruby-devel-1.6.8-12.el3.x86_64.rpm
ruby-docs-1.6.8-12.el3.x86_64.rpm
ruby-libs-1.6.8-12.el3.i386.rpm
ruby-libs-1.6.8-12.el3.x86_64.rpm
ruby-mode-1.6.8-12.el3.x86_64.rpm
ruby-tcltk-1.6.8-12.el3.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2663
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2664
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2725
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2726
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6303
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2376
http://www.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2008 Red Hat, Inc.
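The Ruby descriptions in this advisory and in the preceding one (the RHEL 4 and 5 update) name two defect classes: size arithmetic in the array code that can wrap (the "beg + rlen" and "REALLOC_N" computations in the bug titles), and an alloca() in String#% with no upper bound on the length it is handed. The C below is an added example, not Red Hat's or the Ruby project's code, showing the checked form of each computation; VALUE_T, ARY_MAX_SIZE, ALLOCA_MAX and the function names are assumptions of this example, not Ruby's identifiers.

```c
/* Added example, not Red Hat's or the Ruby project's code: overflow-checked
 * size arithmetic for a splice-style array operation and a bounded alloca()
 * for a format buffer. VALUE_T, ARY_MAX_SIZE, ALLOCA_MAX and the function
 * names are this example's own assumptions, not Ruby's identifiers. */
#include <alloca.h>   /* glibc/Linux; assumed by this example */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef long VALUE_T;                         /* stand-in for the element type */
#define ARY_MAX_SIZE    (SIZE_MAX / sizeof(VALUE_T))
#define SPLICE_REJECTED SIZE_MAX              /* sentinel from splice_len_checked */
#define ALLOCA_MAX      4096                  /* ceiling for stack scratch space */

/* Length an array of olen elements has after [beg, beg+len) is replaced by
 * rlen new elements. Returns 0 (leaving *out alone) when beg + rlen or
 * olen - len + rlen would pass ARY_MAX_SIZE; unchecked, that sum wraps and
 * the realloc that follows it is far too small for the copy. */
int ary_splice_len(size_t olen, size_t beg, size_t len, size_t rlen, size_t *out)
{
    if (olen > ARY_MAX_SIZE || beg > ARY_MAX_SIZE || rlen > ARY_MAX_SIZE)
        return 0;
    if (beg >= olen) {
        /* insertion past the end: the array grows to beg + rlen */
        if (rlen > ARY_MAX_SIZE - beg)
            return 0;
        *out = beg + rlen;
    } else {
        if (len > olen - beg)
            len = olen - beg;                 /* clamp the replaced range to the tail */
        if (rlen > ARY_MAX_SIZE - (olen - len))
            return 0;
        *out = olen - len + rlen;
    }
    return 1;
}

/* Byte count for REALLOC_N(ptr, VALUE_T, n): refuse n when n * sizeof
 * would wrap rather than hand the wrapped value to realloc(). */
int ary_realloc_bytes(size_t n, size_t *bytes)
{
    if (n > SIZE_MAX / sizeof(VALUE_T))
        return 0;
    *bytes = n * sizeof(VALUE_T);
    return 1;
}

/* Stage a format string into scratch space the way a formatter would, but
 * alloca() at most ALLOCA_MAX bytes and take the heap above that. Returns
 * the number of bytes staged and reports which allocator was used. */
size_t stage_format(const char *fmt, int *used_heap)
{
    size_t n = strlen(fmt) + 1;
    char *buf;
    if (n <= ALLOCA_MAX) {
        buf = alloca(n);                      /* bounded stack allocation */
        *used_heap = 0;
    } else {
        buf = malloc(n);                      /* attacker-sized requests go here */
        *used_heap = 1;
        if (buf == NULL) return 0;
    }
    memcpy(buf, fmt, n);
    size_t staged = strlen(buf);
    if (*used_heap) free(buf);
    return staged;
}

/* Plain-value wrappers so the checks above can be exercised directly. */
size_t splice_len_checked(size_t olen, size_t beg, size_t len, size_t rlen)
{
    size_t out;
    return ary_splice_len(olen, beg, len, rlen, &out) ? out : SPLICE_REJECTED;
}

size_t realloc_bytes_or_zero(size_t n)
{
    size_t bytes;
    return ary_realloc_bytes(n, &bytes) ? bytes : 0;
}

/* Build a constructed format string of len 'x' bytes and stage it; returns
 * 1 if the heap path was taken, 0 for the stack path, -1 on any error. */
int format_uses_heap(size_t len)
{
    char *s = malloc(len + 1);
    int used_heap = -1;
    if (s == NULL) return -1;
    memset(s, 'x', len);
    s[len] = '\0';
    size_t staged = stage_format(s, &used_heap);
    free(s);
    return staged == len ? used_heap : -1;
}
```

The array check rejects the request instead of clamping the result, so the realloc that follows never receives a byte count smaller than the copy the caller is about to perform. The format buffer keeps alloca() for small requests and switches to malloc() above ALLOCA_MAX, so a length chosen by the party supplying the format string cannot push the stack pointer past the guard page.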
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFIe1gHXlSAg2UNWIIRAqHZAJ0YYdTHBI+3VWFF4dmaD5mN71lp8ACeLwsY
+KFTmUehS8lDB967OCewHL0=
=7Ubq
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Mon Jul 14 13:58:38 2008
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 14 Jul 2008 09:58:38 -0400
Subject: [RHSA-2008:0581-01] Moderate: bluez-libs and bluez-utils security update
Message-ID: <200807141358.m6EDwchR017195@pobox.devel.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: bluez-libs and bluez-utils security update
Advisory ID: RHSA-2008:0581-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2008-0581.html
Issue date: 2008-07-14
CVE Names: CVE-2008-2374
=====================================================================

1. Summary:

Updated bluez-libs and bluez-utils packages that fix a security flaw are now available for Red Hat Enterprise Linux 4 and 5.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, x86_64

3. Description:

The bluez-libs package contains libraries for use in Bluetooth applications. The bluez-utils package contains Bluetooth daemons and utilities.

An input validation flaw was found in the Bluetooth Session Description Protocol (SDP) packet parser used by the Bluez Bluetooth utilities.
A Bluetooth device with an already-established trust relationship, or a local user registering a service record via a UNIX socket or D-Bus interface, could cause a crash, or possibly execute arbitrary code with privileges of the hcid daemon. (CVE-2008-2374)

Users of bluez-libs and bluez-utils are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/FAQ_58_10188

5. Bugs fixed (http://bugzilla.redhat.com/):

452715 - CVE-2008-2374 bluez-libs: SDP payload processing vulnerability

6. Package List:

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/bluez-libs-2.10-3.src.rpm
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/bluez-utils-2.10-2.4.src.rpm

i386:
bluez-libs-2.10-3.i386.rpm
bluez-libs-debuginfo-2.10-3.i386.rpm
bluez-libs-devel-2.10-3.i386.rpm
bluez-utils-2.10-2.4.i386.rpm
bluez-utils-cups-2.10-2.4.i386.rpm
bluez-utils-debuginfo-2.10-2.4.i386.rpm

ia64:
bluez-libs-2.10-3.i386.rpm
bluez-libs-2.10-3.ia64.rpm
bluez-libs-debuginfo-2.10-3.i386.rpm
bluez-libs-debuginfo-2.10-3.ia64.rpm
bluez-libs-devel-2.10-3.ia64.rpm
bluez-utils-2.10-2.4.ia64.rpm
bluez-utils-cups-2.10-2.4.ia64.rpm
bluez-utils-debuginfo-2.10-2.4.ia64.rpm

ppc:
bluez-libs-2.10-3.ppc.rpm
bluez-libs-2.10-3.ppc64.rpm
bluez-libs-debuginfo-2.10-3.ppc.rpm
bluez-libs-debuginfo-2.10-3.ppc64.rpm
bluez-libs-devel-2.10-3.ppc.rpm
bluez-utils-2.10-2.4.ppc.rpm
bluez-utils-cups-2.10-2.4.ppc.rpm
bluez-utils-debuginfo-2.10-2.4.ppc.rpm

x86_64:
bluez-libs-2.10-3.i386.rpm
bluez-libs-2.10-3.x86_64.rpm
bluez-libs-debuginfo-2.10-3.i386.rpm
bluez-libs-debuginfo-2.10-3.x86_64.rpm
bluez-libs-devel-2.10-3.x86_64.rpm
bluez-utils-2.10-2.4.x86_64.rpm
bluez-utils-cups-2.10-2.4.x86_64.rpm
bluez-utils-debuginfo-2.10-2.4.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/bluez-libs-2.10-3.src.rpm
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/bluez-utils-2.10-2.4.src.rpm

i386:
bluez-libs-2.10-3.i386.rpm
bluez-libs-debuginfo-2.10-3.i386.rpm
bluez-libs-devel-2.10-3.i386.rpm
bluez-utils-2.10-2.4.i386.rpm
bluez-utils-cups-2.10-2.4.i386.rpm
bluez-utils-debuginfo-2.10-2.4.i386.rpm

x86_64:
bluez-libs-2.10-3.i386.rpm
bluez-libs-2.10-3.x86_64.rpm
bluez-libs-debuginfo-2.10-3.i386.rpm
bluez-libs-debuginfo-2.10-3.x86_64.rpm
bluez-libs-devel-2.10-3.x86_64.rpm
bluez-utils-2.10-2.4.x86_64.rpm
bluez-utils-cups-2.10-2.4.x86_64.rpm
bluez-utils-debuginfo-2.10-2.4.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/bluez-libs-2.10-3.src.rpm
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/bluez-utils-2.10-2.4.src.rpm

i386:
bluez-libs-2.10-3.i386.rpm
bluez-libs-debuginfo-2.10-3.i386.rpm
bluez-libs-devel-2.10-3.i386.rpm
bluez-utils-2.10-2.4.i386.rpm
bluez-utils-cups-2.10-2.4.i386.rpm
bluez-utils-debuginfo-2.10-2.4.i386.rpm

ia64:
bluez-libs-2.10-3.i386.rpm
bluez-libs-2.10-3.ia64.rpm
bluez-libs-debuginfo-2.10-3.i386.rpm
bluez-libs-debuginfo-2.10-3.ia64.rpm
bluez-libs-devel-2.10-3.ia64.rpm
bluez-utils-2.10-2.4.ia64.rpm
bluez-utils-cups-2.10-2.4.ia64.rpm
bluez-utils-debuginfo-2.10-2.4.ia64.rpm

x86_64:
bluez-libs-2.10-3.i386.rpm
bluez-libs-2.10-3.x86_64.rpm
bluez-libs-debuginfo-2.10-3.i386.rpm
bluez-libs-debuginfo-2.10-3.x86_64.rpm
bluez-libs-devel-2.10-3.x86_64.rpm
bluez-utils-2.10-2.4.x86_64.rpm
bluez-utils-cups-2.10-2.4.x86_64.rpm
bluez-utils-debuginfo-2.10-2.4.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/bluez-libs-2.10-3.src.rpm
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/bluez-utils-2.10-2.4.src.rpm

i386:
bluez-libs-2.10-3.i386.rpm
bluez-libs-debuginfo-2.10-3.i386.rpm
bluez-libs-devel-2.10-3.i386.rpm
bluez-utils-2.10-2.4.i386.rpm
bluez-utils-cups-2.10-2.4.i386.rpm
bluez-utils-debuginfo-2.10-2.4.i386.rpm

ia64:
bluez-libs-2.10-3.i386.rpm
bluez-libs-2.10-3.ia64.rpm
bluez-libs-debuginfo-2.10-3.i386.rpm
bluez-libs-debuginfo-2.10-3.ia64.rpm
bluez-libs-devel-2.10-3.ia64.rpm
bluez-utils-2.10-2.4.ia64.rpm
bluez-utils-cups-2.10-2.4.ia64.rpm
bluez-utils-debuginfo-2.10-2.4.ia64.rpm

x86_64:
bluez-libs-2.10-3.i386.rpm
bluez-libs-2.10-3.x86_64.rpm
bluez-libs-debuginfo-2.10-3.i386.rpm
bluez-libs-debuginfo-2.10-3.x86_64.rpm
bluez-libs-devel-2.10-3.x86_64.rpm
bluez-utils-2.10-2.4.x86_64.rpm
bluez-utils-cups-2.10-2.4.x86_64.rpm
bluez-utils-debuginfo-2.10-2.4.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/bluez-libs-3.7-1.1.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/bluez-utils-3.7-2.2.src.rpm

i386:
bluez-libs-3.7-1.1.i386.rpm
bluez-libs-debuginfo-3.7-1.1.i386.rpm
bluez-utils-3.7-2.2.i386.rpm
bluez-utils-cups-3.7-2.2.i386.rpm
bluez-utils-debuginfo-3.7-2.2.i386.rpm

x86_64:
bluez-libs-3.7-1.1.i386.rpm
bluez-libs-3.7-1.1.x86_64.rpm
bluez-libs-debuginfo-3.7-1.1.i386.rpm
bluez-libs-debuginfo-3.7-1.1.x86_64.rpm
bluez-utils-3.7-2.2.x86_64.rpm
bluez-utils-cups-3.7-2.2.x86_64.rpm
bluez-utils-debuginfo-3.7-2.2.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/bluez-libs-3.7-1.1.src.rpm

i386:
bluez-libs-debuginfo-3.7-1.1.i386.rpm
bluez-libs-devel-3.7-1.1.i386.rpm

x86_64:
bluez-libs-debuginfo-3.7-1.1.i386.rpm
bluez-libs-debuginfo-3.7-1.1.x86_64.rpm
bluez-libs-devel-3.7-1.1.i386.rpm
bluez-libs-devel-3.7-1.1.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/bluez-libs-3.7-1.1.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/bluez-utils-3.7-2.2.src.rpm

i386:
bluez-libs-3.7-1.1.i386.rpm
bluez-libs-debuginfo-3.7-1.1.i386.rpm
bluez-libs-devel-3.7-1.1.i386.rpm
bluez-utils-3.7-2.2.i386.rpm
bluez-utils-cups-3.7-2.2.i386.rpm
bluez-utils-debuginfo-3.7-2.2.i386.rpm

ia64:
bluez-libs-3.7-1.1.ia64.rpm
bluez-libs-debuginfo-3.7-1.1.ia64.rpm
bluez-libs-devel-3.7-1.1.ia64.rpm
bluez-utils-3.7-2.2.ia64.rpm
bluez-utils-cups-3.7-2.2.ia64.rpm
bluez-utils-debuginfo-3.7-2.2.ia64.rpm

ppc:
bluez-libs-3.7-1.1.ppc.rpm
bluez-libs-3.7-1.1.ppc64.rpm
bluez-libs-debuginfo-3.7-1.1.ppc.rpm
bluez-libs-debuginfo-3.7-1.1.ppc64.rpm
bluez-libs-devel-3.7-1.1.ppc.rpm
bluez-libs-devel-3.7-1.1.ppc64.rpm
bluez-utils-3.7-2.2.ppc.rpm
bluez-utils-cups-3.7-2.2.ppc.rpm
bluez-utils-debuginfo-3.7-2.2.ppc.rpm

x86_64:
bluez-libs-3.7-1.1.i386.rpm
bluez-libs-3.7-1.1.x86_64.rpm
bluez-libs-debuginfo-3.7-1.1.i386.rpm
bluez-libs-debuginfo-3.7-1.1.x86_64.rpm
bluez-libs-devel-3.7-1.1.i386.rpm
bluez-libs-devel-3.7-1.1.x86_64.rpm
bluez-utils-3.7-2.2.x86_64.rpm
bluez-utils-cups-3.7-2.2.x86_64.rpm
bluez-utils-debuginfo-3.7-2.2.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2374
http://www.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2008 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFIe1uBXlSAg2UNWIIRAtQzAJ4ibtJQcMpYv1yeQ+z/bu8+klcDAwCdF5lb
L9br//0aSCZqA99PSZgd3ac=
=mb9u
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Mon Jul 14 15:32:26 2008
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 14 Jul 2008 11:32:26 -0400
Subject: [RHSA-2008:0594-01] Critical: java-1.6.0-sun security update
Message-ID: <200807141532.m6EFWQTR002301@pobox.devel.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Critical: java-1.6.0-sun security update
Advisory ID: RHSA-2008:0594-01
Product: Red Hat Enterprise Linux Extras
Advisory URL: https://rhn.redhat.com/errata/RHSA-2008-0594.html
Issue date: 2008-07-14
CVE Names: CVE-2008-3103 CVE-2008-3104 CVE-2008-3105 CVE-2008-3106 CVE-2008-3107 CVE-2008-3109 CVE-2008-3110 CVE-2008-3112 CVE-2008-3114
=====================================================================

1. Summary:

Updated java-1.6.0-sun packages that correct several security issues are now available for Red Hat Enterprise Linux 4 Extras and 5 Supplementary.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

RHEL Desktop Supplementary (v. 5 client) - i386, x86_64
RHEL Supplementary (v. 5 server) - i386, x86_64

3. Description:

The Java Runtime Environment (JRE) contains the software and tools that users need to run applets and applications written using the Java programming language.

A vulnerability was found in the Java Management Extensions (JMX) management agent, when local monitoring is enabled. This allowed remote attackers to perform illegal operations. (CVE-2008-3103)

Multiple vulnerabilities with unsigned applets were reported. A remote attacker could misuse an unsigned applet to connect to localhost services running on the host running the applet.
(CVE-2008-3104)

Several vulnerabilities in the Java API for XML Web Services (JAX-WS) client and service implementation were found. A remote attacker who caused malicious XML to be processed by a trusted or untrusted application was able to access URLs or cause a denial of service. (CVE-2008-3105, CVE-2008-3106)

A JRE vulnerability could be triggered by an untrusted application or applet. A remote attacker could grant an untrusted applet or application extended privileges such as being able to read and write local files, or execute local programs. (CVE-2008-3107)

Several vulnerabilities within the JRE scripting support were reported. A remote attacker could grant an untrusted applet extended privileges such as reading and writing local files, executing local programs, or querying the sensitive data of other applets. (CVE-2008-3109, CVE-2008-3110)

A vulnerability in Java Web Start was found. A remote attacker was able to create arbitrary files with the permissions of the user running the untrusted Java Web Start application. (CVE-2008-3112)

Another vulnerability in Java Web Start when processing untrusted applications was reported. An attacker was able to acquire sensitive information, such as the cache location. (CVE-2008-3114)

Users of java-1.6.0-sun should upgrade to these updated packages, which correct these issues.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/FAQ_58_10188

5.
Bugs fixed (http://bugzilla.redhat.com/):

452649 - CVE-2008-3105 CVE-2008-3106 OpenJDK JAX-WS unauthorized URL access (6542088)
452658 - CVE-2008-3107 JDK untrusted applet/application privilege escalation (6661918)
452659 - CVE-2008-3103 OpenJDK JMX allows illegal operations with local monitoring (6332953)
454601 - CVE-2008-3104 Java RE allows Same Origin Policy to be Bypassed (6687932)
454603 - CVE-2008-3109 CVE-2008-3110 Security Vulnerabilities in the Java Runtime Environment Scripting Language Support (6529568, 6529579)
454606 - CVE-2008-3112 Java Web Start, arbitrary file creation (6703909)
454608 - CVE-2008-3114 Java Web Start, untrusted application may determine Cache Location (6704074)

6. Package List:

RHEL Desktop Supplementary (v. 5 client):

i386:
java-1.6.0-sun-1.6.0.7-1jpp.1.el5.i586.rpm
java-1.6.0-sun-demo-1.6.0.7-1jpp.1.el5.i586.rpm
java-1.6.0-sun-devel-1.6.0.7-1jpp.1.el5.i586.rpm
java-1.6.0-sun-jdbc-1.6.0.7-1jpp.1.el5.i586.rpm
java-1.6.0-sun-plugin-1.6.0.7-1jpp.1.el5.i586.rpm
java-1.6.0-sun-src-1.6.0.7-1jpp.1.el5.i586.rpm

x86_64:
java-1.6.0-sun-1.6.0.7-1jpp.1.el5.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.7-1jpp.1.el5.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.7-1jpp.1.el5.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.7-1jpp.1.el5.x86_64.rpm
java-1.6.0-sun-plugin-1.6.0.7-1jpp.1.el5.i586.rpm
java-1.6.0-sun-src-1.6.0.7-1jpp.1.el5.x86_64.rpm

RHEL Supplementary (v. 5 server):

i386:
java-1.6.0-sun-1.6.0.7-1jpp.1.el5.i586.rpm
java-1.6.0-sun-demo-1.6.0.7-1jpp.1.el5.i586.rpm
java-1.6.0-sun-devel-1.6.0.7-1jpp.1.el5.i586.rpm
java-1.6.0-sun-jdbc-1.6.0.7-1jpp.1.el5.i586.rpm
java-1.6.0-sun-plugin-1.6.0.7-1jpp.1.el5.i586.rpm
java-1.6.0-sun-src-1.6.0.7-1jpp.1.el5.i586.rpm

x86_64:
java-1.6.0-sun-1.6.0.7-1jpp.1.el5.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.7-1jpp.1.el5.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.7-1jpp.1.el5.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.7-1jpp.1.el5.x86_64.rpm
java-1.6.0-sun-plugin-1.6.0.7-1jpp.1.el5.i586.rpm
java-1.6.0-sun-src-1.6.0.7-1jpp.1.el5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3103
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3104
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3105
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3106
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3107
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3109
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3110
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3112
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3114
http://www.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2008 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFIe3GCXlSAg2UNWIIRArt1AJ45wdIc73WX8WmHSdNW6xXu8BbuVACfYLR6
OKHPr6bal50QVb1whF6263o=
=tpsU
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Mon Jul 14 15:37:56 2008
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 14 Jul 2008 11:37:56 -0400
Subject: [RHSA-2008:0595-01] Critical: java-1.5.0-sun security update
Message-ID: <200807141537.m6EFbuLT003200@pobox.devel.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Critical: java-1.5.0-sun security update
Advisory ID: RHSA-2008:0595-01
Product: Red Hat Enterprise Linux Extras
Advisory URL: https://rhn.redhat.com/errata/RHSA-2008-0595.html
Issue date: 2008-07-14
CVE Names: CVE-2008-3103 CVE-2008-3104 CVE-2008-3107 CVE-2008-3111 CVE-2008-3112 CVE-2008-3113 CVE-2008-3114
=====================================================================

1. Summary:

Updated java-1.5.0-sun packages that correct several security issues are now available for Red Hat Enterprise Linux 4 Extras and 5 Supplementary.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 Extras - i386, x86_64
Red Hat Desktop version 4 Extras - i386, x86_64
Red Hat Enterprise Linux ES version 4 Extras - i386, x86_64
Red Hat Enterprise Linux WS version 4 Extras - i386, x86_64
RHEL Desktop Supplementary (v. 5 client) - i386, x86_64
RHEL Supplementary (v. 5 server) - i386, x86_64

3. Description:

The Java Runtime Environment (JRE) contains the software and tools that users need to run applets and applications written using the Java programming language.

A vulnerability was found in the Java Management Extensions (JMX) management agent, when local monitoring is enabled. This allowed remote attackers to perform illegal operations. (CVE-2008-3103)

Multiple vulnerabilities with unsigned applets were reported. A remote attacker could misuse an unsigned applet to connect to localhost services running on the host running the applet. (CVE-2008-3104)

A Java Runtime Environment (JRE) vulnerability could be triggered by an untrusted application or applet. A remote attacker could grant an untrusted applet extended privileges such as reading and writing local files, or executing local programs. (CVE-2008-3107)

Several buffer overflow vulnerabilities in Java Web Start were reported. These vulnerabilities may allow an untrusted Java Web Start application to elevate its privileges and thereby grant itself permission to read and/or write local files, as well as to execute local applications accessible to the user running the untrusted application. (CVE-2008-3111)

Two file processing vulnerabilities in Java Web Start were found. A remote attacker, by means of an untrusted Java Web Start application, was able to create or delete arbitrary files with the permissions of the user running the untrusted application. (CVE-2008-3112, CVE-2008-3113)

A vulnerability in Java Web Start when processing untrusted applications was reported. An attacker was able to acquire sensitive information, such as the cache location. (CVE-2008-3114)

Users of java-1.5.0-sun should upgrade to these updated packages, which correct these issues.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/FAQ_58_10188

5.
Bugs fixed (http://bugzilla.redhat.com/):

452658 - CVE-2008-3107 JDK untrusted applet/application privilege escalation (6661918)
452659 - CVE-2008-3103 OpenJDK JMX allows illegal operations with local monitoring (6332953)
454601 - CVE-2008-3104 Java RE allows Same Origin Policy to be Bypassed (6687932)
454605 - CVE-2008-3111 Java Web Start Buffer overflow vulnerabilities (6557220)
454606 - CVE-2008-3112 Java Web Start, arbitrary file creation (6703909)
454607 - CVE-2008-3113 Java Web Start arbitrary file creation/deletion file with user permissions (6704077)
454608 - CVE-2008-3114 Java Web Start, untrusted application may determine Cache Location (6704074)

6. Package List:

Red Hat Enterprise Linux AS version 4 Extras:

i386:
java-1.5.0-sun-1.5.0.16-1jpp.2.el4.i586.rpm
java-1.5.0-sun-demo-1.5.0.16-1jpp.2.el4.i586.rpm
java-1.5.0-sun-devel-1.5.0.16-1jpp.2.el4.i586.rpm
java-1.5.0-sun-jdbc-1.5.0.16-1jpp.2.el4.i586.rpm
java-1.5.0-sun-plugin-1.5.0.16-1jpp.2.el4.i586.rpm
java-1.5.0-sun-src-1.5.0.16-1jpp.2.el4.i586.rpm

x86_64:
java-1.5.0-sun-1.5.0.16-1jpp.2.el4.x86_64.rpm
java-1.5.0-sun-demo-1.5.0.16-1jpp.2.el4.x86_64.rpm
java-1.5.0-sun-devel-1.5.0.16-1jpp.2.el4.x86_64.rpm
java-1.5.0-sun-jdbc-1.5.0.16-1jpp.2.el4.x86_64.rpm
java-1.5.0-sun-src-1.5.0.16-1jpp.2.el4.x86_64.rpm

Red Hat Desktop version 4 Extras:

i386:
java-1.5.0-sun-1.5.0.16-1jpp.2.el4.i586.rpm
java-1.5.0-sun-demo-1.5.0.16-1jpp.2.el4.i586.rpm
java-1.5.0-sun-devel-1.5.0.16-1jpp.2.el4.i586.rpm
java-1.5.0-sun-jdbc-1.5.0.16-1jpp.2.el4.i586.rpm
java-1.5.0-sun-plugin-1.5.0.16-1jpp.2.el4.i586.rpm
java-1.5.0-sun-src-1.5.0.16-1jpp.2.el4.i586.rpm

x86_64:
java-1.5.0-sun-1.5.0.16-1jpp.2.el4.x86_64.rpm
java-1.5.0-sun-demo-1.5.0.16-1jpp.2.el4.x86_64.rpm
java-1.5.0-sun-devel-1.5.0.16-1jpp.2.el4.x86_64.rpm
java-1.5.0-sun-jdbc-1.5.0.16-1jpp.2.el4.x86_64.rpm
java-1.5.0-sun-src-1.5.0.16-1jpp.2.el4.x86_64.rpm

Red Hat Enterprise Linux ES version 4 Extras:

i386:
java-1.5.0-sun-1.5.0.16-1jpp.2.el4.i586.rpm
java-1.5.0-sun-demo-1.5.0.16-1jpp.2.el4.i586.rpm
java-1.5.0-sun-devel-1.5.0.16-1jpp.2.el4.i586.rpm
java-1.5.0-sun-jdbc-1.5.0.16-1jpp.2.el4.i586.rpm
java-1.5.0-sun-plugin-1.5.0.16-1jpp.2.el4.i586.rpm
java-1.5.0-sun-src-1.5.0.16-1jpp.2.el4.i586.rpm

x86_64:
java-1.5.0-sun-1.5.0.16-1jpp.2.el4.x86_64.rpm
java-1.5.0-sun-demo-1.5.0.16-1jpp.2.el4.x86_64.rpm
java-1.5.0-sun-devel-1.5.0.16-1jpp.2.el4.x86_64.rpm
java-1.5.0-sun-jdbc-1.5.0.16-1jpp.2.el4.x86_64.rpm
java-1.5.0-sun-src-1.5.0.16-1jpp.2.el4.x86_64.rpm

Red Hat Enterprise Linux WS version 4 Extras:

i386:
java-1.5.0-sun-1.5.0.16-1jpp.2.el4.i586.rpm
java-1.5.0-sun-demo-1.5.0.16-1jpp.2.el4.i586.rpm
java-1.5.0-sun-devel-1.5.0.16-1jpp.2.el4.i586.rpm
java-1.5.0-sun-jdbc-1.5.0.16-1jpp.2.el4.i586.rpm
java-1.5.0-sun-plugin-1.5.0.16-1jpp.2.el4.i586.rpm
java-1.5.0-sun-src-1.5.0.16-1jpp.2.el4.i586.rpm

x86_64:
java-1.5.0-sun-1.5.0.16-1jpp.2.el4.x86_64.rpm
java-1.5.0-sun-demo-1.5.0.16-1jpp.2.el4.x86_64.rpm
java-1.5.0-sun-devel-1.5.0.16-1jpp.2.el4.x86_64.rpm
java-1.5.0-sun-jdbc-1.5.0.16-1jpp.2.el4.x86_64.rpm
java-1.5.0-sun-src-1.5.0.16-1jpp.2.el4.x86_64.rpm

RHEL Desktop Supplementary (v. 5 client):

i386:
java-1.5.0-sun-1.5.0.16-1jpp.2.el5.i586.rpm
java-1.5.0-sun-demo-1.5.0.16-1jpp.2.el5.i586.rpm
java-1.5.0-sun-devel-1.5.0.16-1jpp.2.el5.i586.rpm
java-1.5.0-sun-jdbc-1.5.0.16-1jpp.2.el5.i586.rpm
java-1.5.0-sun-plugin-1.5.0.16-1jpp.2.el5.i586.rpm
java-1.5.0-sun-src-1.5.0.16-1jpp.2.el5.i586.rpm

x86_64:
java-1.5.0-sun-1.5.0.16-1jpp.2.el5.x86_64.rpm
java-1.5.0-sun-demo-1.5.0.16-1jpp.2.el5.x86_64.rpm
java-1.5.0-sun-devel-1.5.0.16-1jpp.2.el5.x86_64.rpm
java-1.5.0-sun-jdbc-1.5.0.16-1jpp.2.el5.x86_64.rpm
java-1.5.0-sun-plugin-1.5.0.16-1jpp.2.el5.i586.rpm
java-1.5.0-sun-src-1.5.0.16-1jpp.2.el5.x86_64.rpm

RHEL Supplementary (v. 5 server):

i386:
java-1.5.0-sun-1.5.0.16-1jpp.2.el5.i586.rpm
java-1.5.0-sun-demo-1.5.0.16-1jpp.2.el5.i586.rpm
java-1.5.0-sun-devel-1.5.0.16-1jpp.2.el5.i586.rpm
java-1.5.0-sun-jdbc-1.5.0.16-1jpp.2.el5.i586.rpm
java-1.5.0-sun-plugin-1.5.0.16-1jpp.2.el5.i586.rpm
java-1.5.0-sun-src-1.5.0.16-1jpp.2.el5.i586.rpm

x86_64:
java-1.5.0-sun-1.5.0.16-1jpp.2.el5.x86_64.rpm
java-1.5.0-sun-demo-1.5.0.16-1jpp.2.el5.x86_64.rpm
java-1.5.0-sun-devel-1.5.0.16-1jpp.2.el5.x86_64.rpm
java-1.5.0-sun-jdbc-1.5.0.16-1jpp.2.el5.x86_64.rpm
java-1.5.0-sun-plugin-1.5.0.16-1jpp.2.el5.i586.rpm
java-1.5.0-sun-src-1.5.0.16-1jpp.2.el5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3103
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3104
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3107
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3111
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3112
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3113
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3114
http://www.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2008 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFIe3LOXlSAg2UNWIIRAkDvAJ0WngQ8Olo5k5yGNd6WCap4FoYFigCeKdvq
823MhwPE7ZYulNbq6UHICKs=
=HYAF
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Jul 16 09:46:56 2008
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 16 Jul 2008 05:46:56 -0400
Subject: [RHSA-2008:0544-01] Moderate: php security update
Message-ID: <200807160946.m6G9kuu8028328@pobox.devel.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: php security update
Advisory ID: RHSA-2008:0544-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2008-0544.html
Issue date: 2008-07-16
CVE Names: CVE-2008-2051 CVE-2007-5898 CVE-2007-5899 CVE-2007-4782 CVE-2008-2107 CVE-2008-2108
=====================================================================

1. Summary:

Updated PHP packages that fix several security issues are now available for Red Hat Enterprise Linux 3 and 5.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64
RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64

3. Description:

PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server.

It was discovered that the PHP escapeshellcmd() function did not properly escape multi-byte characters which are not valid in the locale used by the script. This could allow an attacker to bypass quoting restrictions imposed by escapeshellcmd() and execute arbitrary commands if the PHP script was using certain locales. Scripts using the default UTF-8 locale are not affected by this issue. (CVE-2008-2051)

The PHP functions htmlentities() and htmlspecialchars() did not properly recognize partial multi-byte sequences. Certain sequences of bytes could be passed through these functions without being correctly HTML-escaped. Depending on the browser being used, an attacker could use this flaw to conduct cross-site scripting attacks. (CVE-2007-5898)

A PHP script which used the transparent session ID configuration option, or which used the output_add_rewrite_var() function, could leak session identifiers to external web sites. If a page included an HTML form with an ACTION attribute referencing a non-local URL, the user's session ID would be included in the form data passed to that URL. (CVE-2007-5899)

It was discovered that the PHP fnmatch() function did not restrict the length of the string argument. An attacker could use this flaw to crash the PHP interpreter where a script used fnmatch() on untrusted input data. (CVE-2007-4782)

It was discovered that PHP did not properly seed its pseudo-random number generator used by functions such as rand() and mt_rand(), possibly allowing an attacker to easily predict the generated pseudo-random values. (CVE-2008-2107, CVE-2008-2108)

Users of PHP should upgrade to these updated packages, which contain backported patches to correct these issues.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/FAQ_58_10188

5.
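The escapeshellcmd() and htmlentities()/htmlspecialchars() flaws described in this advisory (and again in RHSA-2008:0545 below) share one shape: the escaper decides how many bytes a character occupies from its lead byte and then copies those bytes through without looking at them, so a metacharacter placed where a continuation byte should be rides out unescaped. The following is an added illustration written for this page; it is not PHP's code and it does not reproduce PHP's locale handling (the escapeshellcmd() case depended on the script's multi-byte locale, not on UTF-8). The functions model the flawed and the hardened behaviour over a constructed UTF-8 input so the difference can be seen on real bytes. Substituting U+FFFD for the offending byte is this example's choice; the PHP fix instead returns an empty string for an input containing an invalid sequence.

```python
# Model of the partial-multi-byte-sequence escaping flaw. Added example for this
# page, not PHP source. Inputs below are constructed for the demonstration.

HTML_META = {b"<": b"&lt;", b">": b"&gt;", b"&": b"&amp;",
             b'"': b"&quot;", b"'": b"&#039;"}
# Subset of the shell metacharacters escapeshellcmd() prefixes with a backslash.
SHELL_META = {c: b"\\" + c for c in
              (b"#", b"&", b";", b"`", b"|", b"*", b"?", b"~", b"<", b">",
               b"^", b"(", b")", b"[", b"]", b"{", b"}", b"$", b"\\", b"'", b'"')}
U_FFFD = "\ufffd".encode("utf-8")


def seq_len(lead: int) -> int:
    """Length a UTF-8 sequence claims via its lead byte; 0 means 'not a lead'."""
    if lead < 0x80:
        return 1
    if 0xC2 <= lead <= 0xDF:
        return 2
    if 0xE0 <= lead <= 0xEF:
        return 3
    if 0xF0 <= lead <= 0xF4:
        return 4
    return 0


def escape_lenient(data: bytes, meta=HTML_META) -> bytes:
    """Flawed behaviour: trusts the length claim of the lead byte and copies the
    following bytes through unexamined. A '<' or ';' sitting in a continuation
    slot is emitted unescaped."""
    out, i = bytearray(), 0
    while i < len(data):
        n = seq_len(data[i])
        if n >= 2:
            out += data[i:i + n]       # metacharacter can hide in this slice
            i += n
        else:
            b = data[i:i + 1]
            out += meta.get(b, b)
            i += 1
    return bytes(out)


def _decodes(chunk: bytes) -> bool:
    try:
        chunk.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


def escape_strict(data: bytes, meta=HTML_META) -> bytes:
    """Hardened behaviour: a claimed multi-byte sequence must actually decode.
    If it does not, only the bad lead byte is consumed (replaced by U+FFFD) and
    the next byte is examined on its own, so a metacharacter is always seen."""
    out, i = bytearray(), 0
    while i < len(data):
        n = seq_len(data[i])
        if n == 1:
            b = data[i:i + 1]
            out += meta.get(b, b)
            i += 1
            continue
        chunk = data[i:i + n]
        if n >= 2 and len(chunk) == n and _decodes(chunk):
            out += chunk
            i += n
        else:
            out += U_FFFD
            i += 1
    return bytes(out)


if __name__ == "__main__":
    # Constructed payload: a 3-byte lead (0xE0) with one continuation byte,
    # then '<' where the second continuation byte should be.
    payload = b"\xe0\xbc<script>"
    print(escape_lenient(payload))                   # '<' survives
    print(escape_strict(payload))                    # '<' becomes &lt;
    print(escape_lenient(b"\xe0\xbc;id", SHELL_META))  # ';' survives
    print(escape_strict(b"\xe0\xbc;id", SHELL_META))   # ';' is backslashed
```

Whether the surviving `<` is exploitable depends on the consumer: a browser that drops the two invalid bytes and renders what follows turns the leftover into a tag, which is why the advisory says the impact depends on the browser being used.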
Bugs fixed (http://bugzilla.redhat.com/):

285881 - CVE-2007-4782 php crash in glob() and fnmatch() functions
382411 - CVE-2007-5898 php htmlentities/htmlspecialchars multibyte sequences
382431 - CVE-2007-5899 php session ID leakage
445006 - CVE-2008-2051 PHP multibyte shell escape flaw
445684 - CVE-2008-2107 PHP 32 bit weak random seed
445685 - CVE-2008-2108 PHP weak 64 bit random seed

6. Package List:

Red Hat Enterprise Linux AS version 3:

Source:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/php-4.3.2-48.ent.src.rpm

i386:
php-4.3.2-48.ent.i386.rpm
php-debuginfo-4.3.2-48.ent.i386.rpm
php-devel-4.3.2-48.ent.i386.rpm
php-imap-4.3.2-48.ent.i386.rpm
php-ldap-4.3.2-48.ent.i386.rpm
php-mysql-4.3.2-48.ent.i386.rpm
php-odbc-4.3.2-48.ent.i386.rpm
php-pgsql-4.3.2-48.ent.i386.rpm

ia64:
php-4.3.2-48.ent.ia64.rpm
php-debuginfo-4.3.2-48.ent.ia64.rpm
php-devel-4.3.2-48.ent.ia64.rpm
php-imap-4.3.2-48.ent.ia64.rpm
php-ldap-4.3.2-48.ent.ia64.rpm
php-mysql-4.3.2-48.ent.ia64.rpm
php-odbc-4.3.2-48.ent.ia64.rpm
php-pgsql-4.3.2-48.ent.ia64.rpm

ppc:
php-4.3.2-48.ent.ppc.rpm
php-debuginfo-4.3.2-48.ent.ppc.rpm
php-devel-4.3.2-48.ent.ppc.rpm
php-imap-4.3.2-48.ent.ppc.rpm
php-ldap-4.3.2-48.ent.ppc.rpm
php-mysql-4.3.2-48.ent.ppc.rpm
php-odbc-4.3.2-48.ent.ppc.rpm
php-pgsql-4.3.2-48.ent.ppc.rpm

s390:
php-4.3.2-48.ent.s390.rpm
php-debuginfo-4.3.2-48.ent.s390.rpm
php-devel-4.3.2-48.ent.s390.rpm
php-imap-4.3.2-48.ent.s390.rpm
php-ldap-4.3.2-48.ent.s390.rpm
php-mysql-4.3.2-48.ent.s390.rpm
php-odbc-4.3.2-48.ent.s390.rpm
php-pgsql-4.3.2-48.ent.s390.rpm

s390x:
php-4.3.2-48.ent.s390x.rpm
php-debuginfo-4.3.2-48.ent.s390x.rpm
php-devel-4.3.2-48.ent.s390x.rpm
php-imap-4.3.2-48.ent.s390x.rpm
php-ldap-4.3.2-48.ent.s390x.rpm
php-mysql-4.3.2-48.ent.s390x.rpm
php-odbc-4.3.2-48.ent.s390x.rpm
php-pgsql-4.3.2-48.ent.s390x.rpm

x86_64:
php-4.3.2-48.ent.x86_64.rpm
php-debuginfo-4.3.2-48.ent.x86_64.rpm
php-devel-4.3.2-48.ent.x86_64.rpm
php-imap-4.3.2-48.ent.x86_64.rpm
php-ldap-4.3.2-48.ent.x86_64.rpm
php-mysql-4.3.2-48.ent.x86_64.rpm
php-odbc-4.3.2-48.ent.x86_64.rpm
php-pgsql-4.3.2-48.ent.x86_64.rpm

Red Hat Desktop version 3:

Source:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/php-4.3.2-48.ent.src.rpm

i386:
php-4.3.2-48.ent.i386.rpm
php-debuginfo-4.3.2-48.ent.i386.rpm
php-devel-4.3.2-48.ent.i386.rpm
php-imap-4.3.2-48.ent.i386.rpm
php-ldap-4.3.2-48.ent.i386.rpm
php-mysql-4.3.2-48.ent.i386.rpm
php-odbc-4.3.2-48.ent.i386.rpm
php-pgsql-4.3.2-48.ent.i386.rpm

x86_64:
php-4.3.2-48.ent.x86_64.rpm
php-debuginfo-4.3.2-48.ent.x86_64.rpm
php-devel-4.3.2-48.ent.x86_64.rpm
php-imap-4.3.2-48.ent.x86_64.rpm
php-ldap-4.3.2-48.ent.x86_64.rpm
php-mysql-4.3.2-48.ent.x86_64.rpm
php-odbc-4.3.2-48.ent.x86_64.rpm
php-pgsql-4.3.2-48.ent.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

Source:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/php-4.3.2-48.ent.src.rpm

i386:
php-4.3.2-48.ent.i386.rpm
php-debuginfo-4.3.2-48.ent.i386.rpm
php-devel-4.3.2-48.ent.i386.rpm
php-imap-4.3.2-48.ent.i386.rpm
php-ldap-4.3.2-48.ent.i386.rpm
php-mysql-4.3.2-48.ent.i386.rpm
php-odbc-4.3.2-48.ent.i386.rpm
php-pgsql-4.3.2-48.ent.i386.rpm

ia64:
php-4.3.2-48.ent.ia64.rpm
php-debuginfo-4.3.2-48.ent.ia64.rpm
php-devel-4.3.2-48.ent.ia64.rpm
php-imap-4.3.2-48.ent.ia64.rpm
php-ldap-4.3.2-48.ent.ia64.rpm
php-mysql-4.3.2-48.ent.ia64.rpm
php-odbc-4.3.2-48.ent.ia64.rpm
php-pgsql-4.3.2-48.ent.ia64.rpm

x86_64:
php-4.3.2-48.ent.x86_64.rpm
php-debuginfo-4.3.2-48.ent.x86_64.rpm
php-devel-4.3.2-48.ent.x86_64.rpm
php-imap-4.3.2-48.ent.x86_64.rpm
php-ldap-4.3.2-48.ent.x86_64.rpm
php-mysql-4.3.2-48.ent.x86_64.rpm
php-odbc-4.3.2-48.ent.x86_64.rpm
php-pgsql-4.3.2-48.ent.x86_64.rpm

Red Hat Enterprise Linux WS version 3:

Source:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/php-4.3.2-48.ent.src.rpm

i386:
php-4.3.2-48.ent.i386.rpm
php-debuginfo-4.3.2-48.ent.i386.rpm
php-devel-4.3.2-48.ent.i386.rpm
php-imap-4.3.2-48.ent.i386.rpm
php-ldap-4.3.2-48.ent.i386.rpm
php-mysql-4.3.2-48.ent.i386.rpm
php-odbc-4.3.2-48.ent.i386.rpm
php-pgsql-4.3.2-48.ent.i386.rpm

ia64:
php-4.3.2-48.ent.ia64.rpm
php-debuginfo-4.3.2-48.ent.ia64.rpm
php-devel-4.3.2-48.ent.ia64.rpm
php-imap-4.3.2-48.ent.ia64.rpm
php-ldap-4.3.2-48.ent.ia64.rpm
php-mysql-4.3.2-48.ent.ia64.rpm
php-odbc-4.3.2-48.ent.ia64.rpm
php-pgsql-4.3.2-48.ent.ia64.rpm

x86_64:
php-4.3.2-48.ent.x86_64.rpm
php-debuginfo-4.3.2-48.ent.x86_64.rpm
php-devel-4.3.2-48.ent.x86_64.rpm
php-imap-4.3.2-48.ent.x86_64.rpm
php-ldap-4.3.2-48.ent.x86_64.rpm
php-mysql-4.3.2-48.ent.x86_64.rpm
php-odbc-4.3.2-48.ent.x86_64.rpm
php-pgsql-4.3.2-48.ent.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/php-5.1.6-20.el5_2.1.src.rpm

i386:
php-5.1.6-20.el5_2.1.i386.rpm
php-bcmath-5.1.6-20.el5_2.1.i386.rpm
php-cli-5.1.6-20.el5_2.1.i386.rpm
php-common-5.1.6-20.el5_2.1.i386.rpm
php-dba-5.1.6-20.el5_2.1.i386.rpm
php-debuginfo-5.1.6-20.el5_2.1.i386.rpm
php-devel-5.1.6-20.el5_2.1.i386.rpm
php-gd-5.1.6-20.el5_2.1.i386.rpm
php-imap-5.1.6-20.el5_2.1.i386.rpm
php-ldap-5.1.6-20.el5_2.1.i386.rpm
php-mbstring-5.1.6-20.el5_2.1.i386.rpm
php-mysql-5.1.6-20.el5_2.1.i386.rpm
php-ncurses-5.1.6-20.el5_2.1.i386.rpm
php-odbc-5.1.6-20.el5_2.1.i386.rpm
php-pdo-5.1.6-20.el5_2.1.i386.rpm
php-pgsql-5.1.6-20.el5_2.1.i386.rpm
php-snmp-5.1.6-20.el5_2.1.i386.rpm
php-soap-5.1.6-20.el5_2.1.i386.rpm
php-xml-5.1.6-20.el5_2.1.i386.rpm
php-xmlrpc-5.1.6-20.el5_2.1.i386.rpm

x86_64:
php-5.1.6-20.el5_2.1.x86_64.rpm
php-bcmath-5.1.6-20.el5_2.1.x86_64.rpm
php-cli-5.1.6-20.el5_2.1.x86_64.rpm
php-common-5.1.6-20.el5_2.1.x86_64.rpm
php-dba-5.1.6-20.el5_2.1.x86_64.rpm
php-debuginfo-5.1.6-20.el5_2.1.x86_64.rpm
php-devel-5.1.6-20.el5_2.1.x86_64.rpm
php-gd-5.1.6-20.el5_2.1.x86_64.rpm
php-imap-5.1.6-20.el5_2.1.x86_64.rpm
php-ldap-5.1.6-20.el5_2.1.x86_64.rpm
php-mbstring-5.1.6-20.el5_2.1.x86_64.rpm
php-mysql-5.1.6-20.el5_2.1.x86_64.rpm
php-ncurses-5.1.6-20.el5_2.1.x86_64.rpm
php-odbc-5.1.6-20.el5_2.1.x86_64.rpm
php-pdo-5.1.6-20.el5_2.1.x86_64.rpm
php-pgsql-5.1.6-20.el5_2.1.x86_64.rpm
php-snmp-5.1.6-20.el5_2.1.x86_64.rpm
php-soap-5.1.6-20.el5_2.1.x86_64.rpm
php-xml-5.1.6-20.el5_2.1.x86_64.rpm
php-xmlrpc-5.1.6-20.el5_2.1.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/php-5.1.6-20.el5_2.1.src.rpm

i386:
php-5.1.6-20.el5_2.1.i386.rpm
php-bcmath-5.1.6-20.el5_2.1.i386.rpm
php-cli-5.1.6-20.el5_2.1.i386.rpm
php-common-5.1.6-20.el5_2.1.i386.rpm
php-dba-5.1.6-20.el5_2.1.i386.rpm
php-debuginfo-5.1.6-20.el5_2.1.i386.rpm
php-devel-5.1.6-20.el5_2.1.i386.rpm
php-gd-5.1.6-20.el5_2.1.i386.rpm
php-imap-5.1.6-20.el5_2.1.i386.rpm
php-ldap-5.1.6-20.el5_2.1.i386.rpm
php-mbstring-5.1.6-20.el5_2.1.i386.rpm
php-mysql-5.1.6-20.el5_2.1.i386.rpm
php-ncurses-5.1.6-20.el5_2.1.i386.rpm
php-odbc-5.1.6-20.el5_2.1.i386.rpm
php-pdo-5.1.6-20.el5_2.1.i386.rpm
php-pgsql-5.1.6-20.el5_2.1.i386.rpm
php-snmp-5.1.6-20.el5_2.1.i386.rpm
php-soap-5.1.6-20.el5_2.1.i386.rpm
php-xml-5.1.6-20.el5_2.1.i386.rpm
php-xmlrpc-5.1.6-20.el5_2.1.i386.rpm

ia64:
php-5.1.6-20.el5_2.1.ia64.rpm
php-bcmath-5.1.6-20.el5_2.1.ia64.rpm
php-cli-5.1.6-20.el5_2.1.ia64.rpm
php-common-5.1.6-20.el5_2.1.ia64.rpm
php-dba-5.1.6-20.el5_2.1.ia64.rpm
php-debuginfo-5.1.6-20.el5_2.1.ia64.rpm
php-devel-5.1.6-20.el5_2.1.ia64.rpm
php-gd-5.1.6-20.el5_2.1.ia64.rpm
php-imap-5.1.6-20.el5_2.1.ia64.rpm
php-ldap-5.1.6-20.el5_2.1.ia64.rpm
php-mbstring-5.1.6-20.el5_2.1.ia64.rpm
php-mysql-5.1.6-20.el5_2.1.ia64.rpm
php-ncurses-5.1.6-20.el5_2.1.ia64.rpm
php-odbc-5.1.6-20.el5_2.1.ia64.rpm
php-pdo-5.1.6-20.el5_2.1.ia64.rpm
php-pgsql-5.1.6-20.el5_2.1.ia64.rpm
php-snmp-5.1.6-20.el5_2.1.ia64.rpm
php-soap-5.1.6-20.el5_2.1.ia64.rpm
php-xml-5.1.6-20.el5_2.1.ia64.rpm
php-xmlrpc-5.1.6-20.el5_2.1.ia64.rpm

ppc:
php-5.1.6-20.el5_2.1.ppc.rpm
php-bcmath-5.1.6-20.el5_2.1.ppc.rpm
php-cli-5.1.6-20.el5_2.1.ppc.rpm
php-common-5.1.6-20.el5_2.1.ppc.rpm
php-dba-5.1.6-20.el5_2.1.ppc.rpm
php-debuginfo-5.1.6-20.el5_2.1.ppc.rpm
php-devel-5.1.6-20.el5_2.1.ppc.rpm
php-gd-5.1.6-20.el5_2.1.ppc.rpm
php-imap-5.1.6-20.el5_2.1.ppc.rpm
php-ldap-5.1.6-20.el5_2.1.ppc.rpm
php-mbstring-5.1.6-20.el5_2.1.ppc.rpm
php-mysql-5.1.6-20.el5_2.1.ppc.rpm
php-ncurses-5.1.6-20.el5_2.1.ppc.rpm
php-odbc-5.1.6-20.el5_2.1.ppc.rpm
php-pdo-5.1.6-20.el5_2.1.ppc.rpm
php-pgsql-5.1.6-20.el5_2.1.ppc.rpm
php-snmp-5.1.6-20.el5_2.1.ppc.rpm
php-soap-5.1.6-20.el5_2.1.ppc.rpm
php-xml-5.1.6-20.el5_2.1.ppc.rpm
php-xmlrpc-5.1.6-20.el5_2.1.ppc.rpm

s390x:
php-5.1.6-20.el5_2.1.s390x.rpm
php-bcmath-5.1.6-20.el5_2.1.s390x.rpm
php-cli-5.1.6-20.el5_2.1.s390x.rpm
php-common-5.1.6-20.el5_2.1.s390x.rpm
php-dba-5.1.6-20.el5_2.1.s390x.rpm
php-debuginfo-5.1.6-20.el5_2.1.s390x.rpm
php-devel-5.1.6-20.el5_2.1.s390x.rpm
php-gd-5.1.6-20.el5_2.1.s390x.rpm
php-imap-5.1.6-20.el5_2.1.s390x.rpm
php-ldap-5.1.6-20.el5_2.1.s390x.rpm
php-mbstring-5.1.6-20.el5_2.1.s390x.rpm
php-mysql-5.1.6-20.el5_2.1.s390x.rpm
php-ncurses-5.1.6-20.el5_2.1.s390x.rpm
php-odbc-5.1.6-20.el5_2.1.s390x.rpm
php-pdo-5.1.6-20.el5_2.1.s390x.rpm
php-pgsql-5.1.6-20.el5_2.1.s390x.rpm
php-snmp-5.1.6-20.el5_2.1.s390x.rpm
php-soap-5.1.6-20.el5_2.1.s390x.rpm
php-xml-5.1.6-20.el5_2.1.s390x.rpm
php-xmlrpc-5.1.6-20.el5_2.1.s390x.rpm

x86_64:
php-5.1.6-20.el5_2.1.x86_64.rpm
php-bcmath-5.1.6-20.el5_2.1.x86_64.rpm
php-cli-5.1.6-20.el5_2.1.x86_64.rpm
php-common-5.1.6-20.el5_2.1.x86_64.rpm
php-dba-5.1.6-20.el5_2.1.x86_64.rpm
php-debuginfo-5.1.6-20.el5_2.1.x86_64.rpm
php-devel-5.1.6-20.el5_2.1.x86_64.rpm
php-gd-5.1.6-20.el5_2.1.x86_64.rpm
php-imap-5.1.6-20.el5_2.1.x86_64.rpm
php-ldap-5.1.6-20.el5_2.1.x86_64.rpm
php-mbstring-5.1.6-20.el5_2.1.x86_64.rpm
php-mysql-5.1.6-20.el5_2.1.x86_64.rpm
php-ncurses-5.1.6-20.el5_2.1.x86_64.rpm
php-odbc-5.1.6-20.el5_2.1.x86_64.rpm
php-pdo-5.1.6-20.el5_2.1.x86_64.rpm
php-pgsql-5.1.6-20.el5_2.1.x86_64.rpm
php-snmp-5.1.6-20.el5_2.1.x86_64.rpm
php-soap-5.1.6-20.el5_2.1.x86_64.rpm
php-xml-5.1.6-20.el5_2.1.x86_64.rpm
php-xmlrpc-5.1.6-20.el5_2.1.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2051
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5898
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5899
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4782
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2107
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2108
http://www.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2008 Red Hat, Inc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFIfcOCXlSAg2UNWIIRAuzMAJ9z4Ak83eymPWItkPlzI8wD9RYH1wCfRkK0
dL3jd6gst/KwpA2UI5VjESs=
=BFXE
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Jul 16 09:57:41 2008
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 16 Jul 2008 05:57:41 -0400
Subject: [RHSA-2008:0545-01] Moderate: php security and bug fix update
Message-ID: <200807160957.m6G9vfl2029836@pobox.devel.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: php security and bug fix update
Advisory ID: RHSA-2008:0545-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2008-0545.html
Issue date: 2008-07-16
CVE Names: CVE-2008-2051 CVE-2007-5898 CVE-2007-5899 CVE-2007-4782 CVE-2008-2107 CVE-2008-2108
=====================================================================

1. Summary:

Updated php packages that fix several security issues and a bug are now available for Red Hat Enterprise Linux 4.
This update has been rated as having moderate security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

3. Description:

PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server.

It was discovered that the PHP escapeshellcmd() function did not properly escape multi-byte characters which are not valid in the locale used by the script. This could allow an attacker to bypass quoting restrictions imposed by escapeshellcmd() and execute arbitrary commands if the PHP script was using certain locales. Scripts using the default UTF-8 locale are not affected by this issue. (CVE-2008-2051)

The PHP functions htmlentities() and htmlspecialchars() did not properly recognize partial multi-byte sequences. Certain sequences of bytes could be passed through these functions without being correctly HTML-escaped. Depending on the browser being used, an attacker could use this flaw to conduct cross-site scripting attacks. (CVE-2007-5898)

A PHP script which used the transparent session ID configuration option, or which used the output_add_rewrite_var() function, could leak session identifiers to external web sites. If a page included an HTML form with an ACTION attribute referencing a non-local URL, the user's session ID would be included in the form data passed to that URL. (CVE-2007-5899)

It was discovered that the PHP fnmatch() function did not restrict the length of the string argument. An attacker could use this flaw to crash the PHP interpreter where a script used fnmatch() on untrusted input data. (CVE-2007-4782)

It was discovered that PHP did not properly seed its pseudo-random number generator used by functions such as rand() and mt_rand(), possibly allowing an attacker to easily predict the generated pseudo-random values. (CVE-2008-2107, CVE-2008-2108)

As well, these updated packages fix the following bug:

* after 2008-01-01, when using PEAR version 1.3.6 or older, it was not possible to use the PHP Extension and Application Repository (PEAR) to upgrade or install packages. In these updated packages, PEAR has been upgraded to version 1.4.9, which restores support for the current pear.php.net update server. The following changes were made to the PEAR packages included in php-pear: Console_Getopt and Archive_Tar are now included by default, and XML_RPC has been upgraded to version 1.5.0.

All php users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/FAQ_58_10188

5. Bugs fixed (http://bugzilla.redhat.com/):

263501 - fix PEAR with current pear.php.net server
285881 - CVE-2007-4782 php crash in glob() and fnmatch() functions
382411 - CVE-2007-5898 php htmlentities/htmlspecialchars multibyte sequences
382431 - CVE-2007-5899 php session ID leakage
445006 - CVE-2008-2051 PHP multibyte shell escape flaw
445684 - CVE-2008-2107 PHP 32 bit weak random seed
445685 - CVE-2008-2108 PHP weak 64 bit random seed

6.
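The session-ID leak (CVE-2007-5899) described in this advisory and in RHSA-2008:0544 above comes from the transparent-session-ID rewriter doing its job too well: it appends a hidden session field to every form, including forms whose ACTION posts to another site, so the foreign server receives the user's session ID in the POST body. The following is an added example written for this page, not PHP's rewriter; it models the two behaviours side by side over a constructed page. The `check_host` switch, the `local_hosts` set and the sample HTML are this example's own; the field name PHPSESSID is PHP's default session name.

```python
# Model of transparent session-ID form rewriting, leaky and hardened.
# Added example for this page; not PHP's output-rewriting code.
import html
import re
from urllib.parse import urlsplit

# Constructed sample page: one same-site form and one that posts off-site.
SAMPLE_HTML = (
    '<form action="/login.php" method="post"><input name="u"></form>\n'
    '<form action="http://partner.example/collect" method="post">'
    '<input name="q"></form>\n'
)

_FORM_RE = re.compile(r"<form\b[^>]*>", re.IGNORECASE)
_ACTION_RE = re.compile(
    r"""\baction\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.IGNORECASE)


def action_is_local(action: str, local_hosts: set) -> bool:
    """True for relative URLs and for absolute URLs whose host is one of ours.
    Scheme-relative (//host/...), javascript: and data: actions are foreign."""
    parts = urlsplit(action.strip())
    if not parts.scheme and not parts.netloc:
        return True                       # relative path: stays on this site
    host = (parts.hostname or "").lower()
    return bool(host) and host in local_hosts


def rewrite_forms(page: str, sid: str, local_hosts: set,
                  name: str = "PHPSESSID", check_host: bool = True) -> str:
    """Append a hidden session-ID field right after each opening <form> tag.
    check_host=False reproduces the leaky behaviour (every form gets the ID);
    check_host=True only rewrites forms whose action stays on a local host."""
    hidden = '<input type="hidden" name="%s" value="%s" />' % (
        html.escape(name, quote=True), html.escape(sid, quote=True))

    def _inject(m):
        tag = m.group(0)
        am = _ACTION_RE.search(tag)
        action = next((g for g in am.groups() if g is not None), "") if am else ""
        if check_host and not action_is_local(action, local_hosts):
            return tag                    # foreign target: leave the form alone
        return tag + hidden
    return _FORM_RE.sub(_inject, page)


def foreign_forms_receiving_sid(page: str, name: str = "PHPSESSID") -> list:
    """Audit helper: actions of forms that carry the session field but point
    off-site relative to nothing (absolute URL with a host). Useful to scan
    already-rendered pages for the leak."""
    hits = []
    for m in _FORM_RE.finditer(page):
        after = page[m.end():m.end() + 200]
        am = _ACTION_RE.search(m.group(0))
        action = next((g for g in am.groups() if g is not None), "") if am else ""
        if 'name="%s"' % name in after and urlsplit(action).netloc:
            hits.append(action)
    return hits


if __name__ == "__main__":
    local = {"www.example.com"}
    leaky = rewrite_forms(SAMPLE_HTML, "abc123", local, check_host=False)
    safe = rewrite_forms(SAMPLE_HTML, "abc123", local)
    print(foreign_forms_receiving_sid(leaky))   # ['http://partner.example/collect']
    print(foreign_forms_receiving_sid(safe))    # []
```

The host check is the whole fix; the ID still has to reach same-site forms or the session breaks for users without cookies. Treating anything with a scheme or a netloc as foreign unless its host is explicitly allow-listed is the conservative reading, since a scheme-relative `//partner.example/...` action would otherwise look local to a naive prefix check.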
Package List:

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/php-4.3.9-3.22.12.src.rpm

i386:
php-4.3.9-3.22.12.i386.rpm
php-debuginfo-4.3.9-3.22.12.i386.rpm
php-devel-4.3.9-3.22.12.i386.rpm
php-domxml-4.3.9-3.22.12.i386.rpm
php-gd-4.3.9-3.22.12.i386.rpm
php-imap-4.3.9-3.22.12.i386.rpm
php-ldap-4.3.9-3.22.12.i386.rpm
php-mbstring-4.3.9-3.22.12.i386.rpm
php-mysql-4.3.9-3.22.12.i386.rpm
php-ncurses-4.3.9-3.22.12.i386.rpm
php-odbc-4.3.9-3.22.12.i386.rpm
php-pear-4.3.9-3.22.12.i386.rpm
php-pgsql-4.3.9-3.22.12.i386.rpm
php-snmp-4.3.9-3.22.12.i386.rpm
php-xmlrpc-4.3.9-3.22.12.i386.rpm

ia64:
php-4.3.9-3.22.12.ia64.rpm
php-debuginfo-4.3.9-3.22.12.ia64.rpm
php-devel-4.3.9-3.22.12.ia64.rpm
php-domxml-4.3.9-3.22.12.ia64.rpm
php-gd-4.3.9-3.22.12.ia64.rpm
php-imap-4.3.9-3.22.12.ia64.rpm
php-ldap-4.3.9-3.22.12.ia64.rpm
php-mbstring-4.3.9-3.22.12.ia64.rpm
php-mysql-4.3.9-3.22.12.ia64.rpm
php-ncurses-4.3.9-3.22.12.ia64.rpm
php-odbc-4.3.9-3.22.12.ia64.rpm
php-pear-4.3.9-3.22.12.ia64.rpm
php-pgsql-4.3.9-3.22.12.ia64.rpm
php-snmp-4.3.9-3.22.12.ia64.rpm
php-xmlrpc-4.3.9-3.22.12.ia64.rpm

ppc:
php-4.3.9-3.22.12.ppc.rpm
php-debuginfo-4.3.9-3.22.12.ppc.rpm
php-devel-4.3.9-3.22.12.ppc.rpm
php-domxml-4.3.9-3.22.12.ppc.rpm
php-gd-4.3.9-3.22.12.ppc.rpm
php-imap-4.3.9-3.22.12.ppc.rpm
php-ldap-4.3.9-3.22.12.ppc.rpm
php-mbstring-4.3.9-3.22.12.ppc.rpm
php-mysql-4.3.9-3.22.12.ppc.rpm
php-ncurses-4.3.9-3.22.12.ppc.rpm
php-odbc-4.3.9-3.22.12.ppc.rpm
php-pear-4.3.9-3.22.12.ppc.rpm
php-pgsql-4.3.9-3.22.12.ppc.rpm
php-snmp-4.3.9-3.22.12.ppc.rpm
php-xmlrpc-4.3.9-3.22.12.ppc.rpm

s390:
php-4.3.9-3.22.12.s390.rpm
php-debuginfo-4.3.9-3.22.12.s390.rpm
php-devel-4.3.9-3.22.12.s390.rpm
php-domxml-4.3.9-3.22.12.s390.rpm
php-gd-4.3.9-3.22.12.s390.rpm
php-imap-4.3.9-3.22.12.s390.rpm
php-ldap-4.3.9-3.22.12.s390.rpm
php-mbstring-4.3.9-3.22.12.s390.rpm
php-mysql-4.3.9-3.22.12.s390.rpm
php-ncurses-4.3.9-3.22.12.s390.rpm
php-odbc-4.3.9-3.22.12.s390.rpm
php-pear-4.3.9-3.22.12.s390.rpm
php-pgsql-4.3.9-3.22.12.s390.rpm
php-snmp-4.3.9-3.22.12.s390.rpm
php-xmlrpc-4.3.9-3.22.12.s390.rpm

s390x:
php-4.3.9-3.22.12.s390x.rpm
php-debuginfo-4.3.9-3.22.12.s390x.rpm
php-devel-4.3.9-3.22.12.s390x.rpm
php-domxml-4.3.9-3.22.12.s390x.rpm
php-gd-4.3.9-3.22.12.s390x.rpm
php-imap-4.3.9-3.22.12.s390x.rpm
php-ldap-4.3.9-3.22.12.s390x.rpm
php-mbstring-4.3.9-3.22.12.s390x.rpm
php-mysql-4.3.9-3.22.12.s390x.rpm
php-ncurses-4.3.9-3.22.12.s390x.rpm
php-odbc-4.3.9-3.22.12.s390x.rpm
php-pear-4.3.9-3.22.12.s390x.rpm
php-pgsql-4.3.9-3.22.12.s390x.rpm
php-snmp-4.3.9-3.22.12.s390x.rpm
php-xmlrpc-4.3.9-3.22.12.s390x.rpm

x86_64:
php-4.3.9-3.22.12.x86_64.rpm
php-debuginfo-4.3.9-3.22.12.x86_64.rpm
php-devel-4.3.9-3.22.12.x86_64.rpm
php-domxml-4.3.9-3.22.12.x86_64.rpm
php-gd-4.3.9-3.22.12.x86_64.rpm
php-imap-4.3.9-3.22.12.x86_64.rpm
php-ldap-4.3.9-3.22.12.x86_64.rpm
php-mbstring-4.3.9-3.22.12.x86_64.rpm
php-mysql-4.3.9-3.22.12.x86_64.rpm
php-ncurses-4.3.9-3.22.12.x86_64.rpm
php-odbc-4.3.9-3.22.12.x86_64.rpm
php-pear-4.3.9-3.22.12.x86_64.rpm
php-pgsql-4.3.9-3.22.12.x86_64.rpm
php-snmp-4.3.9-3.22.12.x86_64.rpm
php-xmlrpc-4.3.9-3.22.12.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/php-4.3.9-3.22.12.src.rpm

i386:
php-4.3.9-3.22.12.i386.rpm
php-debuginfo-4.3.9-3.22.12.i386.rpm
php-devel-4.3.9-3.22.12.i386.rpm
php-domxml-4.3.9-3.22.12.i386.rpm
php-gd-4.3.9-3.22.12.i386.rpm
php-imap-4.3.9-3.22.12.i386.rpm
php-ldap-4.3.9-3.22.12.i386.rpm
php-mbstring-4.3.9-3.22.12.i386.rpm
php-mysql-4.3.9-3.22.12.i386.rpm
php-ncurses-4.3.9-3.22.12.i386.rpm
php-odbc-4.3.9-3.22.12.i386.rpm
php-pear-4.3.9-3.22.12.i386.rpm
php-pgsql-4.3.9-3.22.12.i386.rpm
php-snmp-4.3.9-3.22.12.i386.rpm
php-xmlrpc-4.3.9-3.22.12.i386.rpm

x86_64:
php-4.3.9-3.22.12.x86_64.rpm
php-debuginfo-4.3.9-3.22.12.x86_64.rpm
php-devel-4.3.9-3.22.12.x86_64.rpm
php-domxml-4.3.9-3.22.12.x86_64.rpm
php-gd-4.3.9-3.22.12.x86_64.rpm
php-imap-4.3.9-3.22.12.x86_64.rpm
php-ldap-4.3.9-3.22.12.x86_64.rpm
php-mbstring-4.3.9-3.22.12.x86_64.rpm
php-mysql-4.3.9-3.22.12.x86_64.rpm
php-ncurses-4.3.9-3.22.12.x86_64.rpm
php-odbc-4.3.9-3.22.12.x86_64.rpm
php-pear-4.3.9-3.22.12.x86_64.rpm
php-pgsql-4.3.9-3.22.12.x86_64.rpm
php-snmp-4.3.9-3.22.12.x86_64.rpm
php-xmlrpc-4.3.9-3.22.12.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/php-4.3.9-3.22.12.src.rpm

i386:
php-4.3.9-3.22.12.i386.rpm
php-debuginfo-4.3.9-3.22.12.i386.rpm
php-devel-4.3.9-3.22.12.i386.rpm
php-domxml-4.3.9-3.22.12.i386.rpm
php-gd-4.3.9-3.22.12.i386.rpm
php-imap-4.3.9-3.22.12.i386.rpm
php-ldap-4.3.9-3.22.12.i386.rpm
php-mbstring-4.3.9-3.22.12.i386.rpm
php-mysql-4.3.9-3.22.12.i386.rpm
php-ncurses-4.3.9-3.22.12.i386.rpm
php-odbc-4.3.9-3.22.12.i386.rpm
php-pear-4.3.9-3.22.12.i386.rpm
php-pgsql-4.3.9-3.22.12.i386.rpm
php-snmp-4.3.9-3.22.12.i386.rpm
php-xmlrpc-4.3.9-3.22.12.i386.rpm

ia64:
php-4.3.9-3.22.12.ia64.rpm
php-debuginfo-4.3.9-3.22.12.ia64.rpm
php-devel-4.3.9-3.22.12.ia64.rpm
php-domxml-4.3.9-3.22.12.ia64.rpm
php-gd-4.3.9-3.22.12.ia64.rpm
php-imap-4.3.9-3.22.12.ia64.rpm
php-ldap-4.3.9-3.22.12.ia64.rpm
php-mbstring-4.3.9-3.22.12.ia64.rpm
php-mysql-4.3.9-3.22.12.ia64.rpm
php-ncurses-4.3.9-3.22.12.ia64.rpm
php-odbc-4.3.9-3.22.12.ia64.rpm
php-pear-4.3.9-3.22.12.ia64.rpm
php-pgsql-4.3.9-3.22.12.ia64.rpm
php-snmp-4.3.9-3.22.12.ia64.rpm
php-xmlrpc-4.3.9-3.22.12.ia64.rpm

x86_64:
php-4.3.9-3.22.12.x86_64.rpm
php-debuginfo-4.3.9-3.22.12.x86_64.rpm
php-devel-4.3.9-3.22.12.x86_64.rpm
php-domxml-4.3.9-3.22.12.x86_64.rpm
php-gd-4.3.9-3.22.12.x86_64.rpm
php-imap-4.3.9-3.22.12.x86_64.rpm
php-ldap-4.3.9-3.22.12.x86_64.rpm
php-mbstring-4.3.9-3.22.12.x86_64.rpm
php-mysql-4.3.9-3.22.12.x86_64.rpm
php-ncurses-4.3.9-3.22.12.x86_64.rpm
php-odbc-4.3.9-3.22.12.x86_64.rpm
php-pear-4.3.9-3.22.12.x86_64.rpm
php-pgsql-4.3.9-3.22.12.x86_64.rpm
php-snmp-4.3.9-3.22.12.x86_64.rpm
php-xmlrpc-4.3.9-3.22.12.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/php-4.3.9-3.22.12.src.rpm

i386:
php-4.3.9-3.22.12.i386.rpm
php-debuginfo-4.3.9-3.22.12.i386.rpm
php-devel-4.3.9-3.22.12.i386.rpm
php-domxml-4.3.9-3.22.12.i386.rpm
php-gd-4.3.9-3.22.12.i386.rpm
php-imap-4.3.9-3.22.12.i386.rpm
php-ldap-4.3.9-3.22.12.i386.rpm
php-mbstring-4.3.9-3.22.12.i386.rpm
php-mysql-4.3.9-3.22.12.i386.rpm
php-ncurses-4.3.9-3.22.12.i386.rpm
php-odbc-4.3.9-3.22.12.i386.rpm
php-pear-4.3.9-3.22.12.i386.rpm
php-pgsql-4.3.9-3.22.12.i386.rpm
php-snmp-4.3.9-3.22.12.i386.rpm
php-xmlrpc-4.3.9-3.22.12.i386.rpm

ia64:
php-4.3.9-3.22.12.ia64.rpm
php-debuginfo-4.3.9-3.22.12.ia64.rpm
php-devel-4.3.9-3.22.12.ia64.rpm
php-domxml-4.3.9-3.22.12.ia64.rpm
php-gd-4.3.9-3.22.12.ia64.rpm
php-imap-4.3.9-3.22.12.ia64.rpm
php-ldap-4.3.9-3.22.12.ia64.rpm
php-mbstring-4.3.9-3.22.12.ia64.rpm
php-mysql-4.3.9-3.22.12.ia64.rpm
php-ncurses-4.3.9-3.22.12.ia64.rpm
php-odbc-4.3.9-3.22.12.ia64.rpm
php-pear-4.3.9-3.22.12.ia64.rpm
php-pgsql-4.3.9-3.22.12.ia64.rpm
php-snmp-4.3.9-3.22.12.ia64.rpm
php-xmlrpc-4.3.9-3.22.12.ia64.rpm

x86_64:
php-4.3.9-3.22.12.x86_64.rpm
php-debuginfo-4.3.9-3.22.12.x86_64.rpm
php-devel-4.3.9-3.22.12.x86_64.rpm
php-domxml-4.3.9-3.22.12.x86_64.rpm
php-gd-4.3.9-3.22.12.x86_64.rpm
php-imap-4.3.9-3.22.12.x86_64.rpm
php-ldap-4.3.9-3.22.12.x86_64.rpm
php-mbstring-4.3.9-3.22.12.x86_64.rpm
php-mysql-4.3.9-3.22.12.x86_64.rpm
php-ncurses-4.3.9-3.22.12.x86_64.rpm
php-odbc-4.3.9-3.22.12.x86_64.rpm
php-pear-4.3.9-3.22.12.x86_64.rpm
php-pgsql-4.3.9-3.22.12.x86_64.rpm
php-snmp-4.3.9-3.22.12.x86_64.rpm
php-xmlrpc-4.3.9-3.22.12.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7.
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2051 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5898 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5899 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4782 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2107 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2108 http://www.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/ Copyright 2008 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFIfcYSXlSAg2UNWIIRAil/AJ9cQt3gaHonckDOFrZYj4Y33+D5xgCgpehn +2tIq9ImTxk4fLQtIePfzkk= =R25d -----END PGP SIGNATURE----- From bugzilla at redhat.com Wed Jul 16 09:59:33 2008 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Wed, 16 Jul 2008 05:59:33 -0400 Subject: [RHSA-2008:0546-01] Moderate: php security update Message-ID: <200807160959.m6G9xXAD029983@pobox.devel.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: php security update Advisory ID: RHSA-2008:0546-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2008-0546.html Issue date: 2008-07-16 CVE Names: CVE-2008-2051 CVE-2007-5898 CVE-2007-5899 CVE-2006-7228 CVE-2007-1660 CVE-2008-2107 CVE-2008-2108 ===================================================================== 1. Summary: Updated PHP packages that fix several security issues are now available for Red Hat Enterprise Linux 2.1. This update has been rated as having moderate security impact by the Red Hat Security Response Team. 2. 
Relevant releases/architectures: Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64 Red Hat Linux Advanced Workstation 2.1 - ia64 Red Hat Enterprise Linux ES version 2.1 - i386 Red Hat Enterprise Linux WS version 2.1 - i386 3. Description: PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. It was discovered that the PHP escapeshellcmd() function did not properly escape multi-byte characters which are not valid in the locale used by the script. This could allow an attacker to bypass quoting restrictions imposed by escapeshellcmd() and execute arbitrary commands if the PHP script was using certain locales. Scripts using the default UTF-8 locale are not affected by this issue. (CVE-2008-2051) The PHP functions htmlentities() and htmlspecialchars() did not properly recognize partial multi-byte sequences. Certain sequences of bytes could be passed through these functions without being correctly HTML-escaped. Depending on the browser being used, an attacker could use this flaw to conduct cross-site scripting attacks. (CVE-2007-5898) A PHP script which used the transparent session ID configuration option, or which used the output_add_rewrite_var() function, could leak session identifiers to external web sites. If a page included an HTML form with an ACTION attribute referencing a non-local URL, the user's session ID would be included in the form data passed to that URL. (CVE-2007-5899) It was discovered that PHP did not properly seed its pseudo-random number generator used by functions such as rand() and mt_rand(), possibly allowing an attacker to easily predict the generated pseudo-random values. (CVE-2008-2107, CVE-2008-2108) Integer overflow and memory requirements miscalculation issues were discovered in the Perl-Compatible Regular Expression (PCRE) library used by PHP to process regular expressions. 
These issues could cause a crash, or possibly execute an arbitrary code with the privileges of the PHP script that processes regular expressions from untrusted sources. Note: PHP packages shipped with Red Hat Enterprise Linux 2.1 did not use the system-level PCRE library. By default they used an embedded copy of the library included with the PHP package. (CVE-2006-7228, CVE-2007-1660) Users of PHP should upgrade to these updated packages, which contain backported patches to correct these issues. 4. Solution: Before applying this update, make sure that all previously-released errata relevant to your system have been applied. This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/FAQ_58_10188 5. Bugs fixed (http://bugzilla.redhat.com/): 315881 - CVE-2007-1660 pcre regular expression flaws 382411 - CVE-2007-5898 php htmlentities/htmlspecialchars multibyte sequences 382431 - CVE-2007-5899 php session ID leakage 383371 - CVE-2006-7228 pcre integer overflow 445006 - CVE-2008-2051 PHP multibyte shell escape flaw 445684 - CVE-2008-2107 PHP 32 bit weak random seed 445685 - CVE-2008-2108 PHP weak 64 bit random seed 6. 
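The escapeshellcmd() and htmlspecialchars() flaws described in this advisory share a root cause: escaping was applied byte by byte while the meaning of those bytes depended on a multi-byte locale or charset, so a stray lead byte could swallow the metacharacter that followed it. The following is an added example in Python, not PHP's code and not the backported patch; it models that hazard and the check a practitioner wants in place: strictly decode the input in the declared charset, refuse anything malformed, and escape on code points rather than bytes. The Shift_JIS lead-byte ranges, the metacharacter set (a simplified version of what escapeshellcmd() escapes, with quotes always escaped) and the sample inputs are assumptions chosen for illustration.

```python
"""Added example: validate multibyte input before escaping it for HTML or a shell.
Models the class of flaw in CVE-2008-2051 / CVE-2007-5898; it is not PHP's code."""
import html
from typing import Optional

# Simplified metacharacter set, modelled on (not identical to) the characters
# escapeshellcmd() backslash-escapes; quotes are always escaped here.
SHELL_META = frozenset('&#;`|*?~<>^()[]{}$\\\n\'"')


def strict_decode(raw: bytes, charset: str) -> Optional[str]:
    """Return the decoded text, or None if `raw` holds an invalid or truncated
    multibyte sequence in `charset`. Python codecs are strict by default, so a
    lone lead byte followed by '"' or ';' is refused rather than guessed at."""
    try:
        return raw.decode(charset)
    except UnicodeDecodeError:
        return None


def html_escape_bytes(raw: bytes, charset: str) -> str:
    """Escape for HTML only after the bytes are known to be well-formed in the
    page's charset; return '' for malformed input instead of passing the bytes
    through to the browser."""
    text = strict_decode(raw, charset)
    if text is None:
        return ""
    return html.escape(text, quote=True)


def shell_escape_bytes(raw: bytes, charset: str) -> Optional[bytes]:
    """Backslash-escape shell metacharacters per code point, then re-encode.
    Because the loop runs over decoded characters, a multibyte character can
    never 'own' the metacharacter that follows it."""
    text = strict_decode(raw, charset)
    if text is None:
        return None
    out = []
    for ch in text:
        if ch in SHELL_META:
            out.append("\\")
        out.append(ch)
    return "".join(out).encode(charset)


def naive_shell_escape_dbcs(raw: bytes) -> bytes:
    """Hypothetical byte-walking escaper that shows the hazard: it assumes any
    Shift_JIS lead byte (0x81-0x9F, 0xE0-0xFC) owns the next byte and copies
    both through unescaped, never checking that the pair is a valid character.
    A shell running in a single-byte locale then sees the metacharacter bare."""
    out = bytearray()
    i = 0
    while i < len(raw):
        b = raw[i]
        if 0x81 <= b <= 0x9F or 0xE0 <= b <= 0xFC:
            out += raw[i:i + 2]   # trail byte is never inspected
            i += 2
            continue
        if chr(b) in SHELL_META:
            out.append(0x5C)      # backslash
        out.append(b)
        i += 1
    return bytes(out)


if __name__ == "__main__":
    # Constructed inputs: a bare Shift_JIS lead byte placed in front of the
    # character the attacker wants to smuggle past the escaper.
    evil_html = b'\x82" onmouseover=alert(1)'
    evil_cmd = b"\x82; rm -rf /"
    print(repr(html_escape_bytes(evil_html, "shift_jis")))   # rejected: ''
    print(naive_shell_escape_dbcs(evil_cmd))                  # ';' left bare
    print(shell_escape_bytes(evil_cmd, "shift_jis"))          # rejected: None
    print(shell_escape_bytes("ファイル".encode("shift_jis") + b"; ls", "shift_jis"))
```

The two hardened functions return a sentinel (empty string or None) for malformed input so that the caller cannot forget to handle it; in a real application that path should log and abort the request rather than fall back to the raw bytes.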
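The session-ID leak (CVE-2007-5899) comes down to a single decision: whether a form's ACTION points back at the site that issued the session. The following added example, which is not PHP's session code, implements that decision the way a practitioner would, treating only relative URLs and absolute http(s) URLs on the issuing host as local; the scheme-relative form //other.example/ is the case that naive prefix checks miss. The host name, the field name and the sample ACTION values are constructed for illustration.

```python
"""Added example: decide whether a transparent session id may be appended to a
form. Not PHP's session code; models the check behind the CVE-2007-5899 fix."""
import html
from urllib.parse import urlsplit

# Constructed: the host that issued the session.
OWN_HOST = "shop.example"


def action_is_local(action: str, own_host: str = OWN_HOST) -> bool:
    """True only if the form will post back to our own host.
    - '' or a relative path ('checkout.php', '/cart') is local.
    - 'https://shop.example/x' is local; 'http://other.example/x' is not.
    - '//other.example/x' is scheme-relative and goes off-site: not local.
    - 'javascript:' and other non-http schemes are treated as not local."""
    parts = urlsplit(action.strip())
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False
    if parts.netloc == "":
        return True  # no authority component: the request stays on this site
    return parts.hostname is not None and parts.hostname.lower() == own_host.lower()


def add_hidden_session_field(form_html: str, action: str, sid: str,
                             own_host: str = OWN_HOST) -> str:
    """Append the session id as a hidden input only for local forms; external
    forms are returned untouched so the id never travels to a third party."""
    if not action_is_local(action, own_host):
        return form_html
    field = '<input type="hidden" name="PHPSESSID" value="%s">' % html.escape(sid, quote=True)
    return form_html.replace("</form>", field + "</form>", 1)
```

Comparing the parsed host rather than the raw string also defeats `http://shop.example@other.example/`, where the issuing host appears only as userinfo.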
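The weak-seed flaws (CVE-2008-2107, CVE-2008-2108) matter because a seed derived from wall-clock time and a process id is small enough to enumerate. The added example below is a Python model, not PHP's rand()/mt_rand() seeding code; it shows the attack this kind of advisory warns about: an attacker who sees a couple of outputs, knows the server time to within a few seconds from the HTTP Date header, and can bound the PID range recovers the seed and predicts the next value. The seed formula, the time window, the PID bound and the stand-in generator (Python's Mersenne Twister via random.Random) are assumptions for illustration; the fix is the CSPRNG at the end.

```python
"""Added example: why a time*pid seed is predictable. Model only; PHP's own
seed derivation is not reproduced here."""
import random
import secrets
from typing import List, Optional


def weak_seed(unix_time: int, pid: int) -> int:
    """Hypothetical low-entropy seed: seconds since the epoch combined with the
    process id and truncated to 32 bits (assumption, not PHP's formula)."""
    return (unix_time * pid) & 0xFFFFFFFF


def outputs_from_seed(seed: int, count: int) -> List[int]:
    """Deterministic outputs of a seeded generator (stand-in for rand())."""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(count)]


def recover_seed(observed: List[int], time_guess: int, window: int,
                 pid_max: int) -> Optional[int]:
    """Enumerate every (time, pid) inside the attacker's bounds and return the
    seed whose first outputs match what was observed. The search space is
    (2*window+1) * pid_max candidates, i.e. thousands rather than 2**32."""
    for t in range(time_guess - window, time_guess + window + 1):
        for pid in range(1, pid_max + 1):
            seed = weak_seed(t, pid)
            if outputs_from_seed(seed, len(observed)) == observed:
                return seed
    return None


def predict_next(observed: List[int], time_guess: int, window: int,
                 pid_max: int) -> Optional[int]:
    """Return the value the generator will emit after `observed`, or None if
    the seed lies outside the assumed bounds."""
    seed = recover_seed(observed, time_guess, window, pid_max)
    if seed is None:
        return None
    return outputs_from_seed(seed, len(observed) + 1)[-1]


def strong_token(nbytes: int = 16) -> str:
    """The fix: draw tokens from the OS CSPRNG, which has no seed to enumerate."""
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    # Constructed scenario: the server seeded at this time with this pid and
    # handed out two values; the attacker guesses the time two seconds late.
    server_time, server_pid = 1216209600, 1234
    seen = outputs_from_seed(weak_seed(server_time, server_pid), 2)
    print(predict_next(seen, server_time + 2, 3, 2048))
    print(strong_token())
```

The search cost grows with the uncertainty the attacker has, not with the size of the output; a 32-bit seed is no defence when almost all of its bits are derived from values the attacker can bound.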
Package List:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1:

Source: ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/php-4.1.2-2.20.src.rpm

i386: php-4.1.2-2.20.i386.rpm php-devel-4.1.2-2.20.i386.rpm php-imap-4.1.2-2.20.i386.rpm php-ldap-4.1.2-2.20.i386.rpm php-manual-4.1.2-2.20.i386.rpm php-mysql-4.1.2-2.20.i386.rpm php-odbc-4.1.2-2.20.i386.rpm php-pgsql-4.1.2-2.20.i386.rpm

ia64: php-4.1.2-2.20.ia64.rpm php-devel-4.1.2-2.20.ia64.rpm php-imap-4.1.2-2.20.ia64.rpm php-ldap-4.1.2-2.20.ia64.rpm php-manual-4.1.2-2.20.ia64.rpm php-mysql-4.1.2-2.20.ia64.rpm php-odbc-4.1.2-2.20.ia64.rpm php-pgsql-4.1.2-2.20.ia64.rpm

Red Hat Linux Advanced Workstation 2.1:

Source: ftp://updates.redhat.com/enterprise/2.1AW/en/os/SRPMS/php-4.1.2-2.20.src.rpm

ia64: php-4.1.2-2.20.ia64.rpm php-devel-4.1.2-2.20.ia64.rpm php-imap-4.1.2-2.20.ia64.rpm php-ldap-4.1.2-2.20.ia64.rpm php-manual-4.1.2-2.20.ia64.rpm php-mysql-4.1.2-2.20.ia64.rpm php-odbc-4.1.2-2.20.ia64.rpm php-pgsql-4.1.2-2.20.ia64.rpm

Red Hat Enterprise Linux ES version 2.1:

Source: ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/php-4.1.2-2.20.src.rpm

i386: php-4.1.2-2.20.i386.rpm php-devel-4.1.2-2.20.i386.rpm php-imap-4.1.2-2.20.i386.rpm php-ldap-4.1.2-2.20.i386.rpm php-manual-4.1.2-2.20.i386.rpm php-mysql-4.1.2-2.20.i386.rpm php-odbc-4.1.2-2.20.i386.rpm php-pgsql-4.1.2-2.20.i386.rpm

Red Hat Enterprise Linux WS version 2.1:

Source: ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/php-4.1.2-2.20.src.rpm

i386: php-4.1.2-2.20.i386.rpm php-devel-4.1.2-2.20.i386.rpm php-imap-4.1.2-2.20.i386.rpm php-ldap-4.1.2-2.20.i386.rpm php-manual-4.1.2-2.20.i386.rpm php-mysql-4.1.2-2.20.i386.rpm php-odbc-4.1.2-2.20.i386.rpm php-pgsql-4.1.2-2.20.i386.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2051
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5898
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5899
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7228
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1660
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2107
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2108
http://www.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2008 Red Hat, Inc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFIfcZ8XlSAg2UNWIIRApNUAJ4zkxoEST7BV0cROBSgYRsSWL5WIACdHcEX
RglnYO1z72hpkPRvdnwTp8Q=
=bKAh
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Jul 16 17:12:34 2008
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 16 Jul 2008 13:12:34 -0400
Subject: [RHSA-2008:0597-01] Critical: firefox security update
Message-ID: <200807161712.m6GHCYaG007683@pobox.devel.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Critical: firefox security update
Advisory ID: RHSA-2008:0597-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2008-0597.html
Issue date: 2008-07-16
CVE Names: CVE-2008-2785 CVE-2008-2933
=====================================================================

1. Summary:

Updated firefox packages that fix various security issues are now available for Red Hat Enterprise Linux 5.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64

3. Description:

Mozilla Firefox is an open source Web browser.

An integer overflow flaw was found in the way Firefox displayed certain web content. A malicious web site could cause Firefox to crash, or execute arbitrary code with the permissions of the user running Firefox. (CVE-2008-2785)

A flaw was found in the way Firefox handled certain command line URLs. If another application passed Firefox a malformed URL, it could result in Firefox executing local malicious content with chrome privileges. (CVE-2008-2933)

All firefox users should upgrade to these updated packages, which contain Firefox 3.0.1, which corrects these issues.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/FAQ_58_10188

5. Bugs fixed (http://bugzilla.redhat.com/):

452204 - CVE-2008-2785 mozilla: CSS reference counter overflow (ZDI-CAN-349)
454697 - CVE-2008-2933 Firefox command line URL launches multi-tabs

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/devhelp-0.12-18.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/firefox-3.0.1-1.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/xulrunner-1.9.0.1-1.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/yelp-2.16.0-20.el5.src.rpm

i386: devhelp-0.12-18.el5.i386.rpm devhelp-debuginfo-0.12-18.el5.i386.rpm firefox-3.0.1-1.el5.i386.rpm firefox-debuginfo-3.0.1-1.el5.i386.rpm xulrunner-1.9.0.1-1.el5.i386.rpm xulrunner-debuginfo-1.9.0.1-1.el5.i386.rpm yelp-2.16.0-20.el5.i386.rpm yelp-debuginfo-2.16.0-20.el5.i386.rpm

x86_64: devhelp-0.12-18.el5.i386.rpm devhelp-0.12-18.el5.x86_64.rpm devhelp-debuginfo-0.12-18.el5.i386.rpm devhelp-debuginfo-0.12-18.el5.x86_64.rpm firefox-3.0.1-1.el5.i386.rpm firefox-3.0.1-1.el5.x86_64.rpm firefox-debuginfo-3.0.1-1.el5.i386.rpm firefox-debuginfo-3.0.1-1.el5.x86_64.rpm xulrunner-1.9.0.1-1.el5.i386.rpm xulrunner-1.9.0.1-1.el5.x86_64.rpm xulrunner-debuginfo-1.9.0.1-1.el5.i386.rpm xulrunner-debuginfo-1.9.0.1-1.el5.x86_64.rpm yelp-2.16.0-20.el5.x86_64.rpm yelp-debuginfo-2.16.0-20.el5.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/devhelp-0.12-18.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/xulrunner-1.9.0.1-1.el5.src.rpm

i386: devhelp-debuginfo-0.12-18.el5.i386.rpm devhelp-devel-0.12-18.el5.i386.rpm xulrunner-debuginfo-1.9.0.1-1.el5.i386.rpm xulrunner-devel-1.9.0.1-1.el5.i386.rpm xulrunner-devel-unstable-1.9.0.1-1.el5.i386.rpm

x86_64: devhelp-debuginfo-0.12-18.el5.i386.rpm devhelp-debuginfo-0.12-18.el5.x86_64.rpm devhelp-devel-0.12-18.el5.i386.rpm devhelp-devel-0.12-18.el5.x86_64.rpm xulrunner-debuginfo-1.9.0.1-1.el5.i386.rpm xulrunner-debuginfo-1.9.0.1-1.el5.x86_64.rpm xulrunner-devel-1.9.0.1-1.el5.i386.rpm xulrunner-devel-1.9.0.1-1.el5.x86_64.rpm xulrunner-devel-unstable-1.9.0.1-1.el5.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/devhelp-0.12-18.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/firefox-3.0.1-1.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/xulrunner-1.9.0.1-1.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/yelp-2.16.0-20.el5.src.rpm

i386: devhelp-0.12-18.el5.i386.rpm devhelp-debuginfo-0.12-18.el5.i386.rpm devhelp-devel-0.12-18.el5.i386.rpm firefox-3.0.1-1.el5.i386.rpm firefox-debuginfo-3.0.1-1.el5.i386.rpm xulrunner-1.9.0.1-1.el5.i386.rpm xulrunner-debuginfo-1.9.0.1-1.el5.i386.rpm xulrunner-devel-1.9.0.1-1.el5.i386.rpm xulrunner-devel-unstable-1.9.0.1-1.el5.i386.rpm yelp-2.16.0-20.el5.i386.rpm yelp-debuginfo-2.16.0-20.el5.i386.rpm

ia64: devhelp-0.12-18.el5.ia64.rpm devhelp-debuginfo-0.12-18.el5.ia64.rpm devhelp-devel-0.12-18.el5.ia64.rpm firefox-3.0.1-1.el5.ia64.rpm firefox-debuginfo-3.0.1-1.el5.ia64.rpm xulrunner-1.9.0.1-1.el5.ia64.rpm xulrunner-debuginfo-1.9.0.1-1.el5.ia64.rpm xulrunner-devel-1.9.0.1-1.el5.ia64.rpm xulrunner-devel-unstable-1.9.0.1-1.el5.ia64.rpm yelp-2.16.0-20.el5.ia64.rpm yelp-debuginfo-2.16.0-20.el5.ia64.rpm

ppc: devhelp-0.12-18.el5.ppc.rpm devhelp-debuginfo-0.12-18.el5.ppc.rpm devhelp-devel-0.12-18.el5.ppc.rpm firefox-3.0.1-1.el5.ppc.rpm firefox-debuginfo-3.0.1-1.el5.ppc.rpm xulrunner-1.9.0.1-1.el5.ppc.rpm xulrunner-1.9.0.1-1.el5.ppc64.rpm xulrunner-debuginfo-1.9.0.1-1.el5.ppc.rpm xulrunner-debuginfo-1.9.0.1-1.el5.ppc64.rpm xulrunner-devel-1.9.0.1-1.el5.ppc.rpm xulrunner-devel-1.9.0.1-1.el5.ppc64.rpm xulrunner-devel-unstable-1.9.0.1-1.el5.ppc.rpm yelp-2.16.0-20.el5.ppc.rpm yelp-debuginfo-2.16.0-20.el5.ppc.rpm

s390x: devhelp-0.12-18.el5.s390.rpm devhelp-0.12-18.el5.s390x.rpm devhelp-debuginfo-0.12-18.el5.s390.rpm devhelp-debuginfo-0.12-18.el5.s390x.rpm devhelp-devel-0.12-18.el5.s390.rpm devhelp-devel-0.12-18.el5.s390x.rpm firefox-3.0.1-1.el5.s390.rpm firefox-3.0.1-1.el5.s390x.rpm firefox-debuginfo-3.0.1-1.el5.s390.rpm firefox-debuginfo-3.0.1-1.el5.s390x.rpm xulrunner-1.9.0.1-1.el5.s390.rpm xulrunner-1.9.0.1-1.el5.s390x.rpm xulrunner-debuginfo-1.9.0.1-1.el5.s390.rpm xulrunner-debuginfo-1.9.0.1-1.el5.s390x.rpm xulrunner-devel-1.9.0.1-1.el5.s390.rpm xulrunner-devel-1.9.0.1-1.el5.s390x.rpm xulrunner-devel-unstable-1.9.0.1-1.el5.s390x.rpm yelp-2.16.0-20.el5.s390x.rpm yelp-debuginfo-2.16.0-20.el5.s390x.rpm

x86_64: devhelp-0.12-18.el5.i386.rpm devhelp-0.12-18.el5.x86_64.rpm devhelp-debuginfo-0.12-18.el5.i386.rpm devhelp-debuginfo-0.12-18.el5.x86_64.rpm devhelp-devel-0.12-18.el5.i386.rpm devhelp-devel-0.12-18.el5.x86_64.rpm firefox-3.0.1-1.el5.i386.rpm firefox-3.0.1-1.el5.x86_64.rpm firefox-debuginfo-3.0.1-1.el5.i386.rpm firefox-debuginfo-3.0.1-1.el5.x86_64.rpm xulrunner-1.9.0.1-1.el5.i386.rpm xulrunner-1.9.0.1-1.el5.x86_64.rpm xulrunner-debuginfo-1.9.0.1-1.el5.i386.rpm xulrunner-debuginfo-1.9.0.1-1.el5.x86_64.rpm xulrunner-devel-1.9.0.1-1.el5.i386.rpm xulrunner-devel-1.9.0.1-1.el5.x86_64.rpm xulrunner-devel-unstable-1.9.0.1-1.el5.x86_64.rpm yelp-2.16.0-20.el5.x86_64.rpm yelp-debuginfo-2.16.0-20.el5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2785
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2933
http://www.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2008 Red Hat, Inc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFIfiv/XlSAg2UNWIIRAvq7AKCNheU6hBjn3hRNYUbmpy+0o3sBIACePTuQ
vXCoV0E+gCDqjB8RcL5fZc8=
=Oy9Z
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Jul 16 17:12:45 2008
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 16 Jul 2008 13:12:45 -0400
Subject: [RHSA-2008:0598-02] Critical: firefox security update
Message-ID: <200807161712.m6GHCjGv007699@pobox.devel.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Critical: firefox security update
Advisory ID: RHSA-2008:0598-02
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2008-0598.html
Issue date: 2008-07-16
CVE Names: CVE-2008-2785 CVE-2008-2933
=====================================================================

1. Summary:

An updated firefox package that fixes various security issues is now available for Red Hat Enterprise Linux 4.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux AS version 4.5.z - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux ES version 4.5.z - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

3. Description:

Mozilla Firefox is an open source Web browser.

An integer overflow flaw was found in the way Firefox displayed certain web content. A malicious web site could cause Firefox to crash, or execute arbitrary code with the permissions of the user running Firefox. (CVE-2008-2785)

A flaw was found in the way Firefox handled certain command line URLs. If another application passed Firefox a malformed URL, it could result in Firefox executing local malicious content with chrome privileges. (CVE-2008-2933)

All firefox users should upgrade to this updated package, which contains backported patches that correct these issues.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/FAQ_58_10188

5. Bugs fixed (http://bugzilla.redhat.com/):

452204 - CVE-2008-2785 mozilla: CSS reference counter overflow (ZDI-CAN-349)
454697 - CVE-2008-2933 Firefox command line URL launches multi-tabs

6. Package List:

Red Hat Enterprise Linux AS version 4:

Source: ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/firefox-1.5.0.12-0.21.el4.src.rpm

i386: firefox-1.5.0.12-0.21.el4.i386.rpm firefox-debuginfo-1.5.0.12-0.21.el4.i386.rpm
ia64: firefox-1.5.0.12-0.21.el4.ia64.rpm firefox-debuginfo-1.5.0.12-0.21.el4.ia64.rpm
ppc: firefox-1.5.0.12-0.21.el4.ppc.rpm firefox-debuginfo-1.5.0.12-0.21.el4.ppc.rpm
s390: firefox-1.5.0.12-0.21.el4.s390.rpm firefox-debuginfo-1.5.0.12-0.21.el4.s390.rpm
s390x: firefox-1.5.0.12-0.21.el4.s390x.rpm firefox-debuginfo-1.5.0.12-0.21.el4.s390x.rpm
x86_64: firefox-1.5.0.12-0.21.el4.x86_64.rpm firefox-debuginfo-1.5.0.12-0.21.el4.x86_64.rpm

Red Hat Enterprise Linux AS version 4.5.z:

Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/4AS-4.5.z/en/os/SRPMS/firefox-1.5.0.12-0.21.el4.src.rpm

i386: firefox-1.5.0.12-0.21.el4.i386.rpm firefox-debuginfo-1.5.0.12-0.21.el4.i386.rpm
ia64: firefox-1.5.0.12-0.21.el4.ia64.rpm firefox-debuginfo-1.5.0.12-0.21.el4.ia64.rpm
ppc: firefox-1.5.0.12-0.21.el4.ppc.rpm firefox-debuginfo-1.5.0.12-0.21.el4.ppc.rpm
s390: firefox-1.5.0.12-0.21.el4.s390.rpm firefox-debuginfo-1.5.0.12-0.21.el4.s390.rpm
s390x: firefox-1.5.0.12-0.21.el4.s390x.rpm firefox-debuginfo-1.5.0.12-0.21.el4.s390x.rpm
x86_64: firefox-1.5.0.12-0.21.el4.x86_64.rpm firefox-debuginfo-1.5.0.12-0.21.el4.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source: ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/firefox-1.5.0.12-0.21.el4.src.rpm

i386: firefox-1.5.0.12-0.21.el4.i386.rpm firefox-debuginfo-1.5.0.12-0.21.el4.i386.rpm
x86_64: firefox-1.5.0.12-0.21.el4.x86_64.rpm firefox-debuginfo-1.5.0.12-0.21.el4.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source: ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/firefox-1.5.0.12-0.21.el4.src.rpm

i386: firefox-1.5.0.12-0.21.el4.i386.rpm firefox-debuginfo-1.5.0.12-0.21.el4.i386.rpm
ia64: firefox-1.5.0.12-0.21.el4.ia64.rpm firefox-debuginfo-1.5.0.12-0.21.el4.ia64.rpm
x86_64: firefox-1.5.0.12-0.21.el4.x86_64.rpm firefox-debuginfo-1.5.0.12-0.21.el4.x86_64.rpm

Red Hat Enterprise Linux ES version 4.5.z:

Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/4ES-4.5.z/en/os/SRPMS/firefox-1.5.0.12-0.21.el4.src.rpm

i386: firefox-1.5.0.12-0.21.el4.i386.rpm firefox-debuginfo-1.5.0.12-0.21.el4.i386.rpm
ia64: firefox-1.5.0.12-0.21.el4.ia64.rpm firefox-debuginfo-1.5.0.12-0.21.el4.ia64.rpm
x86_64: firefox-1.5.0.12-0.21.el4.x86_64.rpm firefox-debuginfo-1.5.0.12-0.21.el4.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source: ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/firefox-1.5.0.12-0.21.el4.src.rpm

i386: firefox-1.5.0.12-0.21.el4.i386.rpm firefox-debuginfo-1.5.0.12-0.21.el4.i386.rpm
ia64: firefox-1.5.0.12-0.21.el4.ia64.rpm firefox-debuginfo-1.5.0.12-0.21.el4.ia64.rpm
x86_64: firefox-1.5.0.12-0.21.el4.x86_64.rpm firefox-debuginfo-1.5.0.12-0.21.el4.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2785
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2933
http://www.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2008 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFIfiwLXlSAg2UNWIIRAuzDAJ9/hIL1wH8Rx8Yrj5ewIaqUE76ZnwCePjlL
Hc1vcRZGG9iZHbGcrn+qmMc=
=CvOl
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Jul 16 17:13:09 2008
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 16 Jul 2008 13:13:09 -0400
Subject: [RHSA-2008:0599-01] Critical: seamonkey security update
Message-ID: <200807161713.m6GHDDec007723@pobox.devel.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Critical: seamonkey security update
Advisory ID: RHSA-2008:0599-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2008-0599.html
Issue date: 2008-07-16
CVE Names: CVE-2008-2785
=====================================================================

1. Summary:

Updated seamonkey packages that fix a security issue are now available for Red Hat Enterprise Linux 2.1, 3, and 4.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64
Red Hat Linux Advanced Workstation 2.1 - ia64
Red Hat Enterprise Linux ES version 2.1 - i386
Red Hat Enterprise Linux WS version 2.1 - i386
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

3. Description:

SeaMonkey is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor.

An integer overflow flaw was found in the way SeaMonkey displayed certain web content. A malicious web site could cause SeaMonkey to crash or execute arbitrary code with the permissions of the user running SeaMonkey. (CVE-2008-2785)

All seamonkey users should upgrade to these updated packages, which contain a backported patch to resolve this issue.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/FAQ_58_10188

5. Bugs fixed (http://bugzilla.redhat.com/):

452204 - CVE-2008-2785 mozilla: CSS reference counter overflow (ZDI-CAN-349)

6. Package List:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1:

Source: ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/seamonkey-1.0.9-0.18.el2.src.rpm

i386: seamonkey-1.0.9-0.18.el2.i386.rpm seamonkey-chat-1.0.9-0.18.el2.i386.rpm seamonkey-devel-1.0.9-0.18.el2.i386.rpm seamonkey-dom-inspector-1.0.9-0.18.el2.i386.rpm seamonkey-js-debugger-1.0.9-0.18.el2.i386.rpm seamonkey-mail-1.0.9-0.18.el2.i386.rpm seamonkey-nspr-1.0.9-0.18.el2.i386.rpm seamonkey-nspr-devel-1.0.9-0.18.el2.i386.rpm seamonkey-nss-1.0.9-0.18.el2.i386.rpm seamonkey-nss-devel-1.0.9-0.18.el2.i386.rpm

ia64: seamonkey-1.0.9-0.18.el2.ia64.rpm seamonkey-chat-1.0.9-0.18.el2.ia64.rpm seamonkey-devel-1.0.9-0.18.el2.ia64.rpm seamonkey-dom-inspector-1.0.9-0.18.el2.ia64.rpm seamonkey-js-debugger-1.0.9-0.18.el2.ia64.rpm seamonkey-mail-1.0.9-0.18.el2.ia64.rpm seamonkey-nspr-1.0.9-0.18.el2.ia64.rpm seamonkey-nspr-devel-1.0.9-0.18.el2.ia64.rpm seamonkey-nss-1.0.9-0.18.el2.ia64.rpm seamonkey-nss-devel-1.0.9-0.18.el2.ia64.rpm

Red Hat Linux Advanced Workstation 2.1:

Source: ftp://updates.redhat.com/enterprise/2.1AW/en/os/SRPMS/seamonkey-1.0.9-0.18.el2.src.rpm

ia64: seamonkey-1.0.9-0.18.el2.ia64.rpm seamonkey-chat-1.0.9-0.18.el2.ia64.rpm seamonkey-devel-1.0.9-0.18.el2.ia64.rpm seamonkey-dom-inspector-1.0.9-0.18.el2.ia64.rpm seamonkey-js-debugger-1.0.9-0.18.el2.ia64.rpm seamonkey-mail-1.0.9-0.18.el2.ia64.rpm seamonkey-nspr-1.0.9-0.18.el2.ia64.rpm seamonkey-nspr-devel-1.0.9-0.18.el2.ia64.rpm seamonkey-nss-1.0.9-0.18.el2.ia64.rpm seamonkey-nss-devel-1.0.9-0.18.el2.ia64.rpm

Red Hat Enterprise Linux ES version 2.1:

Source: ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/seamonkey-1.0.9-0.18.el2.src.rpm

i386: seamonkey-1.0.9-0.18.el2.i386.rpm seamonkey-chat-1.0.9-0.18.el2.i386.rpm seamonkey-devel-1.0.9-0.18.el2.i386.rpm seamonkey-dom-inspector-1.0.9-0.18.el2.i386.rpm seamonkey-js-debugger-1.0.9-0.18.el2.i386.rpm seamonkey-mail-1.0.9-0.18.el2.i386.rpm seamonkey-nspr-1.0.9-0.18.el2.i386.rpm seamonkey-nspr-devel-1.0.9-0.18.el2.i386.rpm seamonkey-nss-1.0.9-0.18.el2.i386.rpm seamonkey-nss-devel-1.0.9-0.18.el2.i386.rpm

Red Hat Enterprise Linux WS version 2.1:

Source: ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/seamonkey-1.0.9-0.18.el2.src.rpm

i386: seamonkey-1.0.9-0.18.el2.i386.rpm seamonkey-chat-1.0.9-0.18.el2.i386.rpm seamonkey-devel-1.0.9-0.18.el2.i386.rpm seamonkey-dom-inspector-1.0.9-0.18.el2.i386.rpm seamonkey-js-debugger-1.0.9-0.18.el2.i386.rpm seamonkey-mail-1.0.9-0.18.el2.i386.rpm seamonkey-nspr-1.0.9-0.18.el2.i386.rpm seamonkey-nspr-devel-1.0.9-0.18.el2.i386.rpm seamonkey-nss-1.0.9-0.18.el2.i386.rpm seamonkey-nss-devel-1.0.9-0.18.el2.i386.rpm

Red Hat Enterprise Linux AS version 3:

Source: ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/seamonkey-1.0.9-0.22.el3.src.rpm

i386: seamonkey-1.0.9-0.22.el3.i386.rpm seamonkey-chat-1.0.9-0.22.el3.i386.rpm seamonkey-debuginfo-1.0.9-0.22.el3.i386.rpm seamonkey-devel-1.0.9-0.22.el3.i386.rpm seamonkey-dom-inspector-1.0.9-0.22.el3.i386.rpm seamonkey-js-debugger-1.0.9-0.22.el3.i386.rpm seamonkey-mail-1.0.9-0.22.el3.i386.rpm seamonkey-nspr-1.0.9-0.22.el3.i386.rpm seamonkey-nspr-devel-1.0.9-0.22.el3.i386.rpm seamonkey-nss-1.0.9-0.22.el3.i386.rpm seamonkey-nss-devel-1.0.9-0.22.el3.i386.rpm

ia64: seamonkey-1.0.9-0.22.el3.ia64.rpm seamonkey-chat-1.0.9-0.22.el3.ia64.rpm seamonkey-debuginfo-1.0.9-0.22.el3.i386.rpm seamonkey-debuginfo-1.0.9-0.22.el3.ia64.rpm seamonkey-devel-1.0.9-0.22.el3.ia64.rpm seamonkey-dom-inspector-1.0.9-0.22.el3.ia64.rpm seamonkey-js-debugger-1.0.9-0.22.el3.ia64.rpm seamonkey-mail-1.0.9-0.22.el3.ia64.rpm seamonkey-nspr-1.0.9-0.22.el3.i386.rpm seamonkey-nspr-1.0.9-0.22.el3.ia64.rpm seamonkey-nspr-devel-1.0.9-0.22.el3.ia64.rpm seamonkey-nss-1.0.9-0.22.el3.i386.rpm seamonkey-nss-1.0.9-0.22.el3.ia64.rpm seamonkey-nss-devel-1.0.9-0.22.el3.ia64.rpm

ppc: seamonkey-1.0.9-0.22.el3.ppc.rpm seamonkey-chat-1.0.9-0.22.el3.ppc.rpm seamonkey-debuginfo-1.0.9-0.22.el3.ppc.rpm seamonkey-devel-1.0.9-0.22.el3.ppc.rpm seamonkey-dom-inspector-1.0.9-0.22.el3.ppc.rpm seamonkey-js-debugger-1.0.9-0.22.el3.ppc.rpm seamonkey-mail-1.0.9-0.22.el3.ppc.rpm seamonkey-nspr-1.0.9-0.22.el3.ppc.rpm seamonkey-nspr-devel-1.0.9-0.22.el3.ppc.rpm seamonkey-nss-1.0.9-0.22.el3.ppc.rpm seamonkey-nss-devel-1.0.9-0.22.el3.ppc.rpm

s390: seamonkey-1.0.9-0.22.el3.s390.rpm seamonkey-chat-1.0.9-0.22.el3.s390.rpm seamonkey-debuginfo-1.0.9-0.22.el3.s390.rpm seamonkey-devel-1.0.9-0.22.el3.s390.rpm seamonkey-dom-inspector-1.0.9-0.22.el3.s390.rpm seamonkey-js-debugger-1.0.9-0.22.el3.s390.rpm seamonkey-mail-1.0.9-0.22.el3.s390.rpm seamonkey-nspr-1.0.9-0.22.el3.s390.rpm seamonkey-nspr-devel-1.0.9-0.22.el3.s390.rpm seamonkey-nss-1.0.9-0.22.el3.s390.rpm seamonkey-nss-devel-1.0.9-0.22.el3.s390.rpm

s390x: seamonkey-1.0.9-0.22.el3.s390x.rpm seamonkey-chat-1.0.9-0.22.el3.s390x.rpm seamonkey-debuginfo-1.0.9-0.22.el3.s390.rpm seamonkey-debuginfo-1.0.9-0.22.el3.s390x.rpm seamonkey-devel-1.0.9-0.22.el3.s390x.rpm seamonkey-dom-inspector-1.0.9-0.22.el3.s390x.rpm seamonkey-js-debugger-1.0.9-0.22.el3.s390x.rpm seamonkey-mail-1.0.9-0.22.el3.s390x.rpm seamonkey-nspr-1.0.9-0.22.el3.s390.rpm seamonkey-nspr-1.0.9-0.22.el3.s390x.rpm seamonkey-nspr-devel-1.0.9-0.22.el3.s390x.rpm seamonkey-nss-1.0.9-0.22.el3.s390.rpm seamonkey-nss-1.0.9-0.22.el3.s390x.rpm seamonkey-nss-devel-1.0.9-0.22.el3.s390x.rpm

x86_64: seamonkey-1.0.9-0.22.el3.i386.rpm seamonkey-1.0.9-0.22.el3.x86_64.rpm seamonkey-chat-1.0.9-0.22.el3.x86_64.rpm seamonkey-debuginfo-1.0.9-0.22.el3.i386.rpm seamonkey-debuginfo-1.0.9-0.22.el3.x86_64.rpm seamonkey-devel-1.0.9-0.22.el3.x86_64.rpm seamonkey-dom-inspector-1.0.9-0.22.el3.x86_64.rpm seamonkey-js-debugger-1.0.9-0.22.el3.x86_64.rpm seamonkey-mail-1.0.9-0.22.el3.x86_64.rpm seamonkey-nspr-1.0.9-0.22.el3.i386.rpm seamonkey-nspr-1.0.9-0.22.el3.x86_64.rpm seamonkey-nspr-devel-1.0.9-0.22.el3.x86_64.rpm seamonkey-nss-1.0.9-0.22.el3.i386.rpm seamonkey-nss-1.0.9-0.22.el3.x86_64.rpm seamonkey-nss-devel-1.0.9-0.22.el3.x86_64.rpm

Red Hat Desktop version 3:

Source: ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/seamonkey-1.0.9-0.22.el3.src.rpm

i386: seamonkey-1.0.9-0.22.el3.i386.rpm seamonkey-chat-1.0.9-0.22.el3.i386.rpm seamonkey-debuginfo-1.0.9-0.22.el3.i386.rpm seamonkey-devel-1.0.9-0.22.el3.i386.rpm seamonkey-dom-inspector-1.0.9-0.22.el3.i386.rpm seamonkey-js-debugger-1.0.9-0.22.el3.i386.rpm seamonkey-mail-1.0.9-0.22.el3.i386.rpm seamonkey-nspr-1.0.9-0.22.el3.i386.rpm seamonkey-nspr-devel-1.0.9-0.22.el3.i386.rpm seamonkey-nss-1.0.9-0.22.el3.i386.rpm seamonkey-nss-devel-1.0.9-0.22.el3.i386.rpm

x86_64: seamonkey-1.0.9-0.22.el3.i386.rpm seamonkey-1.0.9-0.22.el3.x86_64.rpm seamonkey-chat-1.0.9-0.22.el3.x86_64.rpm seamonkey-debuginfo-1.0.9-0.22.el3.i386.rpm seamonkey-debuginfo-1.0.9-0.22.el3.x86_64.rpm seamonkey-devel-1.0.9-0.22.el3.x86_64.rpm seamonkey-dom-inspector-1.0.9-0.22.el3.x86_64.rpm seamonkey-js-debugger-1.0.9-0.22.el3.x86_64.rpm seamonkey-mail-1.0.9-0.22.el3.x86_64.rpm seamonkey-nspr-1.0.9-0.22.el3.i386.rpm seamonkey-nspr-1.0.9-0.22.el3.x86_64.rpm seamonkey-nspr-devel-1.0.9-0.22.el3.x86_64.rpm seamonkey-nss-1.0.9-0.22.el3.i386.rpm seamonkey-nss-1.0.9-0.22.el3.x86_64.rpm seamonkey-nss-devel-1.0.9-0.22.el3.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

Source: ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/seamonkey-1.0.9-0.22.el3.src.rpm

i386: seamonkey-1.0.9-0.22.el3.i386.rpm seamonkey-chat-1.0.9-0.22.el3.i386.rpm seamonkey-debuginfo-1.0.9-0.22.el3.i386.rpm seamonkey-devel-1.0.9-0.22.el3.i386.rpm seamonkey-dom-inspector-1.0.9-0.22.el3.i386.rpm seamonkey-js-debugger-1.0.9-0.22.el3.i386.rpm seamonkey-mail-1.0.9-0.22.el3.i386.rpm seamonkey-nspr-1.0.9-0.22.el3.i386.rpm seamonkey-nspr-devel-1.0.9-0.22.el3.i386.rpm seamonkey-nss-1.0.9-0.22.el3.i386.rpm seamonkey-nss-devel-1.0.9-0.22.el3.i386.rpm

ia64: seamonkey-1.0.9-0.22.el3.ia64.rpm seamonkey-chat-1.0.9-0.22.el3.ia64.rpm seamonkey-debuginfo-1.0.9-0.22.el3.i386.rpm seamonkey-debuginfo-1.0.9-0.22.el3.ia64.rpm seamonkey-devel-1.0.9-0.22.el3.ia64.rpm seamonkey-dom-inspector-1.0.9-0.22.el3.ia64.rpm seamonkey-js-debugger-1.0.9-0.22.el3.ia64.rpm seamonkey-mail-1.0.9-0.22.el3.ia64.rpm seamonkey-nspr-1.0.9-0.22.el3.i386.rpm seamonkey-nspr-1.0.9-0.22.el3.ia64.rpm seamonkey-nspr-devel-1.0.9-0.22.el3.ia64.rpm seamonkey-nss-1.0.9-0.22.el3.i386.rpm seamonkey-nss-1.0.9-0.22.el3.ia64.rpm seamonkey-nss-devel-1.0.9-0.22.el3.ia64.rpm

x86_64: seamonkey-1.0.9-0.22.el3.i386.rpm seamonkey-1.0.9-0.22.el3.x86_64.rpm seamonkey-chat-1.0.9-0.22.el3.x86_64.rpm seamonkey-debuginfo-1.0.9-0.22.el3.i386.rpm seamonkey-debuginfo-1.0.9-0.22.el3.x86_64.rpm seamonkey-devel-1.0.9-0.22.el3.x86_64.rpm seamonkey-dom-inspector-1.0.9-0.22.el3.x86_64.rpm seamonkey-js-debugger-1.0.9-0.22.el3.x86_64.rpm seamonkey-mail-1.0.9-0.22.el3.x86_64.rpm seamonkey-nspr-1.0.9-0.22.el3.i386.rpm seamonkey-nspr-1.0.9-0.22.el3.x86_64.rpm seamonkey-nspr-devel-1.0.9-0.22.el3.x86_64.rpm seamonkey-nss-1.0.9-0.22.el3.i386.rpm seamonkey-nss-1.0.9-0.22.el3.x86_64.rpm seamonkey-nss-devel-1.0.9-0.22.el3.x86_64.rpm

Red Hat Enterprise Linux WS version 3:

Source: ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/seamonkey-1.0.9-0.22.el3.src.rpm
i386: seamonkey-1.0.9-0.22.el3.i386.rpm seamonkey-chat-1.0.9-0.22.el3.i386.rpm seamonkey-debuginfo-1.0.9-0.22.el3.i386.rpm seamonkey-devel-1.0.9-0.22.el3.i386.rpm seamonkey-dom-inspector-1.0.9-0.22.el3.i386.rpm seamonkey-js-debugger-1.0.9-0.22.el3.i386.rpm seamonkey-mail-1.0.9-0.22.el3.i386.rpm seamonkey-nspr-1.0.9-0.22.el3.i386.rpm seamonkey-nspr-devel-1.0.9-0.22.el3.i386.rpm seamonkey-nss-1.0.9-0.22.el3.i386.rpm seamonkey-nss-devel-1.0.9-0.22.el3.i386.rpm ia64: seamonkey-1.0.9-0.22.el3.ia64.rpm seamonkey-chat-1.0.9-0.22.el3.ia64.rpm seamonkey-debuginfo-1.0.9-0.22.el3.i386.rpm seamonkey-debuginfo-1.0.9-0.22.el3.ia64.rpm seamonkey-devel-1.0.9-0.22.el3.ia64.rpm seamonkey-dom-inspector-1.0.9-0.22.el3.ia64.rpm seamonkey-js-debugger-1.0.9-0.22.el3.ia64.rpm seamonkey-mail-1.0.9-0.22.el3.ia64.rpm seamonkey-nspr-1.0.9-0.22.el3.i386.rpm seamonkey-nspr-1.0.9-0.22.el3.ia64.rpm seamonkey-nspr-devel-1.0.9-0.22.el3.ia64.rpm seamonkey-nss-1.0.9-0.22.el3.i386.rpm seamonkey-nss-1.0.9-0.22.el3.ia64.rpm seamonkey-nss-devel-1.0.9-0.22.el3.ia64.rpm x86_64: seamonkey-1.0.9-0.22.el3.i386.rpm seamonkey-1.0.9-0.22.el3.x86_64.rpm seamonkey-chat-1.0.9-0.22.el3.x86_64.rpm seamonkey-debuginfo-1.0.9-0.22.el3.i386.rpm seamonkey-debuginfo-1.0.9-0.22.el3.x86_64.rpm seamonkey-devel-1.0.9-0.22.el3.x86_64.rpm seamonkey-dom-inspector-1.0.9-0.22.el3.x86_64.rpm seamonkey-js-debugger-1.0.9-0.22.el3.x86_64.rpm seamonkey-mail-1.0.9-0.22.el3.x86_64.rpm seamonkey-nspr-1.0.9-0.22.el3.i386.rpm seamonkey-nspr-1.0.9-0.22.el3.x86_64.rpm seamonkey-nspr-devel-1.0.9-0.22.el3.x86_64.rpm seamonkey-nss-1.0.9-0.22.el3.i386.rpm seamonkey-nss-1.0.9-0.22.el3.x86_64.rpm seamonkey-nss-devel-1.0.9-0.22.el3.x86_64.rpm Red Hat Enterprise Linux AS version 4: Source: ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/devhelp-0.10-0.8.1.el4.src.rpm ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/seamonkey-1.0.9-16.4.el4_6.src.rpm i386: devhelp-0.10-0.8.1.el4.i386.rpm devhelp-debuginfo-0.10-0.8.1.el4.i386.rpm 
devhelp-devel-0.10-0.8.1.el4.i386.rpm seamonkey-1.0.9-16.4.el4_6.i386.rpm seamonkey-chat-1.0.9-16.4.el4_6.i386.rpm seamonkey-debuginfo-1.0.9-16.4.el4_6.i386.rpm seamonkey-devel-1.0.9-16.4.el4_6.i386.rpm seamonkey-dom-inspector-1.0.9-16.4.el4_6.i386.rpm seamonkey-js-debugger-1.0.9-16.4.el4_6.i386.rpm seamonkey-mail-1.0.9-16.4.el4_6.i386.rpm ia64: seamonkey-1.0.9-16.4.el4_6.ia64.rpm seamonkey-chat-1.0.9-16.4.el4_6.ia64.rpm seamonkey-debuginfo-1.0.9-16.4.el4_6.ia64.rpm seamonkey-devel-1.0.9-16.4.el4_6.ia64.rpm seamonkey-dom-inspector-1.0.9-16.4.el4_6.ia64.rpm seamonkey-js-debugger-1.0.9-16.4.el4_6.ia64.rpm seamonkey-mail-1.0.9-16.4.el4_6.ia64.rpm ppc: devhelp-0.10-0.8.1.el4.ppc.rpm devhelp-debuginfo-0.10-0.8.1.el4.ppc.rpm devhelp-devel-0.10-0.8.1.el4.ppc.rpm seamonkey-1.0.9-16.4.el4_6.ppc.rpm seamonkey-chat-1.0.9-16.4.el4_6.ppc.rpm seamonkey-debuginfo-1.0.9-16.4.el4_6.ppc.rpm seamonkey-devel-1.0.9-16.4.el4_6.ppc.rpm seamonkey-dom-inspector-1.0.9-16.4.el4_6.ppc.rpm seamonkey-js-debugger-1.0.9-16.4.el4_6.ppc.rpm seamonkey-mail-1.0.9-16.4.el4_6.ppc.rpm s390: seamonkey-1.0.9-16.4.el4_6.s390.rpm seamonkey-chat-1.0.9-16.4.el4_6.s390.rpm seamonkey-debuginfo-1.0.9-16.4.el4_6.s390.rpm seamonkey-devel-1.0.9-16.4.el4_6.s390.rpm seamonkey-dom-inspector-1.0.9-16.4.el4_6.s390.rpm seamonkey-js-debugger-1.0.9-16.4.el4_6.s390.rpm seamonkey-mail-1.0.9-16.4.el4_6.s390.rpm s390x: seamonkey-1.0.9-16.4.el4_6.s390x.rpm seamonkey-chat-1.0.9-16.4.el4_6.s390x.rpm seamonkey-debuginfo-1.0.9-16.4.el4_6.s390x.rpm seamonkey-devel-1.0.9-16.4.el4_6.s390x.rpm seamonkey-dom-inspector-1.0.9-16.4.el4_6.s390x.rpm seamonkey-js-debugger-1.0.9-16.4.el4_6.s390x.rpm seamonkey-mail-1.0.9-16.4.el4_6.s390x.rpm x86_64: devhelp-0.10-0.8.1.el4.x86_64.rpm devhelp-debuginfo-0.10-0.8.1.el4.x86_64.rpm devhelp-devel-0.10-0.8.1.el4.x86_64.rpm seamonkey-1.0.9-16.4.el4_6.x86_64.rpm seamonkey-chat-1.0.9-16.4.el4_6.x86_64.rpm seamonkey-debuginfo-1.0.9-16.4.el4_6.x86_64.rpm seamonkey-devel-1.0.9-16.4.el4_6.x86_64.rpm 
seamonkey-dom-inspector-1.0.9-16.4.el4_6.x86_64.rpm seamonkey-js-debugger-1.0.9-16.4.el4_6.x86_64.rpm seamonkey-mail-1.0.9-16.4.el4_6.x86_64.rpm Red Hat Enterprise Linux Desktop version 4: Source: ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/devhelp-0.10-0.8.1.el4.src.rpm ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/seamonkey-1.0.9-16.4.el4_6.src.rpm i386: devhelp-0.10-0.8.1.el4.i386.rpm devhelp-debuginfo-0.10-0.8.1.el4.i386.rpm devhelp-devel-0.10-0.8.1.el4.i386.rpm seamonkey-1.0.9-16.4.el4_6.i386.rpm seamonkey-chat-1.0.9-16.4.el4_6.i386.rpm seamonkey-debuginfo-1.0.9-16.4.el4_6.i386.rpm seamonkey-devel-1.0.9-16.4.el4_6.i386.rpm seamonkey-dom-inspector-1.0.9-16.4.el4_6.i386.rpm seamonkey-js-debugger-1.0.9-16.4.el4_6.i386.rpm seamonkey-mail-1.0.9-16.4.el4_6.i386.rpm x86_64: devhelp-0.10-0.8.1.el4.x86_64.rpm devhelp-debuginfo-0.10-0.8.1.el4.x86_64.rpm devhelp-devel-0.10-0.8.1.el4.x86_64.rpm seamonkey-1.0.9-16.4.el4_6.x86_64.rpm seamonkey-chat-1.0.9-16.4.el4_6.x86_64.rpm seamonkey-debuginfo-1.0.9-16.4.el4_6.x86_64.rpm seamonkey-devel-1.0.9-16.4.el4_6.x86_64.rpm seamonkey-dom-inspector-1.0.9-16.4.el4_6.x86_64.rpm seamonkey-js-debugger-1.0.9-16.4.el4_6.x86_64.rpm seamonkey-mail-1.0.9-16.4.el4_6.x86_64.rpm Red Hat Enterprise Linux ES version 4: Source: ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/devhelp-0.10-0.8.1.el4.src.rpm ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/seamonkey-1.0.9-16.4.el4_6.src.rpm i386: devhelp-0.10-0.8.1.el4.i386.rpm devhelp-debuginfo-0.10-0.8.1.el4.i386.rpm devhelp-devel-0.10-0.8.1.el4.i386.rpm seamonkey-1.0.9-16.4.el4_6.i386.rpm seamonkey-chat-1.0.9-16.4.el4_6.i386.rpm seamonkey-debuginfo-1.0.9-16.4.el4_6.i386.rpm seamonkey-devel-1.0.9-16.4.el4_6.i386.rpm seamonkey-dom-inspector-1.0.9-16.4.el4_6.i386.rpm seamonkey-js-debugger-1.0.9-16.4.el4_6.i386.rpm seamonkey-mail-1.0.9-16.4.el4_6.i386.rpm ia64: seamonkey-1.0.9-16.4.el4_6.ia64.rpm seamonkey-chat-1.0.9-16.4.el4_6.ia64.rpm 
seamonkey-debuginfo-1.0.9-16.4.el4_6.ia64.rpm seamonkey-devel-1.0.9-16.4.el4_6.ia64.rpm seamonkey-dom-inspector-1.0.9-16.4.el4_6.ia64.rpm seamonkey-js-debugger-1.0.9-16.4.el4_6.ia64.rpm seamonkey-mail-1.0.9-16.4.el4_6.ia64.rpm x86_64: devhelp-0.10-0.8.1.el4.x86_64.rpm devhelp-debuginfo-0.10-0.8.1.el4.x86_64.rpm devhelp-devel-0.10-0.8.1.el4.x86_64.rpm seamonkey-1.0.9-16.4.el4_6.x86_64.rpm seamonkey-chat-1.0.9-16.4.el4_6.x86_64.rpm seamonkey-debuginfo-1.0.9-16.4.el4_6.x86_64.rpm seamonkey-devel-1.0.9-16.4.el4_6.x86_64.rpm seamonkey-dom-inspector-1.0.9-16.4.el4_6.x86_64.rpm seamonkey-js-debugger-1.0.9-16.4.el4_6.x86_64.rpm seamonkey-mail-1.0.9-16.4.el4_6.x86_64.rpm Red Hat Enterprise Linux WS version 4: Source: ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/devhelp-0.10-0.8.1.el4.src.rpm ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/seamonkey-1.0.9-16.4.el4_6.src.rpm i386: devhelp-0.10-0.8.1.el4.i386.rpm devhelp-debuginfo-0.10-0.8.1.el4.i386.rpm devhelp-devel-0.10-0.8.1.el4.i386.rpm seamonkey-1.0.9-16.4.el4_6.i386.rpm seamonkey-chat-1.0.9-16.4.el4_6.i386.rpm seamonkey-debuginfo-1.0.9-16.4.el4_6.i386.rpm seamonkey-devel-1.0.9-16.4.el4_6.i386.rpm seamonkey-dom-inspector-1.0.9-16.4.el4_6.i386.rpm seamonkey-js-debugger-1.0.9-16.4.el4_6.i386.rpm seamonkey-mail-1.0.9-16.4.el4_6.i386.rpm ia64: seamonkey-1.0.9-16.4.el4_6.ia64.rpm seamonkey-chat-1.0.9-16.4.el4_6.ia64.rpm seamonkey-debuginfo-1.0.9-16.4.el4_6.ia64.rpm seamonkey-devel-1.0.9-16.4.el4_6.ia64.rpm seamonkey-dom-inspector-1.0.9-16.4.el4_6.ia64.rpm seamonkey-js-debugger-1.0.9-16.4.el4_6.ia64.rpm seamonkey-mail-1.0.9-16.4.el4_6.ia64.rpm x86_64: devhelp-0.10-0.8.1.el4.x86_64.rpm devhelp-debuginfo-0.10-0.8.1.el4.x86_64.rpm devhelp-devel-0.10-0.8.1.el4.x86_64.rpm seamonkey-1.0.9-16.4.el4_6.x86_64.rpm seamonkey-chat-1.0.9-16.4.el4_6.x86_64.rpm seamonkey-debuginfo-1.0.9-16.4.el4_6.x86_64.rpm seamonkey-devel-1.0.9-16.4.el4_6.x86_64.rpm seamonkey-dom-inspector-1.0.9-16.4.el4_6.x86_64.rpm 
seamonkey-js-debugger-1.0.9-16.4.el4_6.x86_64.rpm seamonkey-mail-1.0.9-16.4.el4_6.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package 7. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2785 http://www.redhat.com/security/updates/classification/#critical 8. Contact: The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/ Copyright 2008 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFIfiweXlSAg2UNWIIRAlfDAJ4qJmvvv5E0FGfhaU5AWHbAR6AeCQCgu0Dd hXL7oEbtuQnagyHC12/4Pxw= =i/tX -----END PGP SIGNATURE----- From bugzilla at redhat.com Mon Jul 21 13:48:33 2008 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Mon, 21 Jul 2008 09:48:33 -0400 Subject: [RHSA-2008:0641-02] Critical: acroread security update Message-ID: <200807211348.m6LDmXhv001250@pobox.devel.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Critical: acroread security update Advisory ID: RHSA-2008:0641-02 Product: Red Hat Enterprise Linux Extras Advisory URL: https://rhn.redhat.com/errata/RHSA-2008-0641.html Issue date: 2008-07-21 CVE Names: CVE-2008-0883 CVE-2008-2641 ===================================================================== 1. Summary: Updated acroread packages that fix various security issues are now available for Red Hat Enterprise Linux 3 Extras, 4 Extras, and 5 Supplementary. This update has been rated as having critical security impact by the Red Hat Security Response Team. 2. 
Relevant releases/architectures: Red Hat Enterprise Linux AS version 3 Extras - i386, x86_64 Red Hat Desktop version 3 Extras - i386, x86_64 Red Hat Enterprise Linux ES version 3 Extras - i386, x86_64 Red Hat Enterprise Linux WS version 3 Extras - i386, x86_64 Red Hat Enterprise Linux AS version 4 Extras - i386, x86_64 Red Hat Desktop version 4 Extras - i386, x86_64 Red Hat Enterprise Linux ES version 4 Extras - i386, x86_64 Red Hat Enterprise Linux WS version 4 Extras - i386, x86_64 RHEL Desktop Supplementary (v. 5 client) - i386, x86_64 RHEL Supplementary (v. 5 server) - i386, x86_64 3. Description: Adobe Acrobat Reader allows users to view and print documents in Portable Document Format (PDF). An input validation flaw was discovered in a JavaScript engine used by Acrobat Reader. A malicious PDF file could cause Acrobat Reader to crash or, potentially, execute arbitrary code as the user running Acrobat Reader. (CVE-2008-2641) An insecure temporary file usage issue was discovered in the Acrobat Reader "acroread" startup script. A local attacker could potentially overwrite arbitrary files that were writable by the user running Acrobat Reader, if the victim ran "acroread" with certain command line arguments. (CVE-2008-0883) All acroread users are advised to upgrade to these updated packages, that contain Acrobat Reader version 8.1.2 Security Update 1, and are not vulnerable to these issues. 4. Solution: Before applying this update, make sure that all previously-released errata relevant to your system have been applied. This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/FAQ_58_10188 5. Bugs fixed (http://bugzilla.redhat.com/): 436263 - CVE-2008-0883 acroread: insecure handling of temporary files 452632 - CVE-2008-2641 acroread: input validation issue in a JavaScript method 6. 
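The temporary-file flaw described above (CVE-2008-0883) is the classic pattern of a startup script writing to a predictable path that another local user can pre-create. The following is an added example, not Adobe's startup script and not Red Hat's code, of the file-creation discipline that closes this class of bug: create with O_CREAT|O_EXCL (which the kernel refuses if anything, a planted symlink included, already sits at the name) and mode 0600, or let tempfile.mkstemp() pick an unpredictable name and apply both itself. The function names and the "acroread-" prefix are this example's own choices; the "pre-existing data" file is constructed for the check.

```python
# Added example (not Adobe's or Red Hat's code): safe temporary-file creation
# and a check that a pre-existing file at the predictable name is refused.
import os
import shutil
import tempfile


def open_exclusive(path: str) -> int:
    """Create `path` atomically and return a file descriptor.

    O_CREAT|O_EXCL makes open(2) fail with EEXIST if *anything* already
    exists at the name, and that check applies to a symlink itself, so the
    open can never be redirected onto a file the caller did not intend to
    write.  O_NOFOLLOW is added where the platform has it; mode 0600 keeps
    other users from reading what is written.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    return os.open(path, flags, 0o600)  # raises FileExistsError if taken


def write_private_tempfile(content: bytes, directory: str,
                           prefix: str = "acroread-") -> str:
    """Preferred form: mkstemp() picks an unpredictable name and applies
    O_EXCL and mode 0600 itself, so there is no name for anyone to
    pre-create.  Returns the path of the new file."""
    fd, path = tempfile.mkstemp(prefix=prefix, dir=directory)
    try:
        os.write(fd, content)
    finally:
        os.close(fd)
    return path


def planted_name_is_refused(directory: str) -> bool:
    """Check the failure mode the advisory describes: a file already sits at
    the predictable name the script would use.  A correct opener refuses
    and the pre-existing contents survive; returns True in that case."""
    target = os.path.join(directory, "acroread-predictable.tmp")
    with open(target, "wb") as f:
        f.write(b"pre-existing data")  # constructed stand-in for a victim file
    try:
        fd = open_exclusive(target)
    except FileExistsError:
        with open(target, "rb") as f:
            return f.read() == b"pre-existing data"
    os.close(fd)
    return False  # opened (and would have truncated) someone else's file


def self_check() -> dict:
    """Run both checks in a throwaway directory and return the results."""
    workdir = tempfile.mkdtemp(prefix="tmpfile-demo-")
    try:
        path = write_private_tempfile(b"session prefs", workdir)
        with open(path, "rb") as f:
            round_trip = f.read() == b"session prefs"
        private = (os.stat(path).st_mode & 0o777) == 0o600
        return {
            "round_trip": round_trip,
            "mode_0600": private,
            "planted_refused": planted_name_is_refused(workdir),
        }
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print(self_check())
```

The shell equivalent of `write_private_tempfile` is `mktemp`, which is what a fixed startup script would call; the point either way is that the name is chosen by the creating call and the creation is exclusive, so there is no window in which another user can substitute a file.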
6. Package List:

Red Hat Enterprise Linux AS version 3 Extras:

i386:
acroread-8.1.2.SU1-2.i386.rpm
acroread-plugin-8.1.2.SU1-2.i386.rpm

x86_64:
acroread-8.1.2.SU1-2.i386.rpm

Red Hat Desktop version 3 Extras:

i386:
acroread-8.1.2.SU1-2.i386.rpm
acroread-plugin-8.1.2.SU1-2.i386.rpm

x86_64:
acroread-8.1.2.SU1-2.i386.rpm

Red Hat Enterprise Linux ES version 3 Extras:

i386:
acroread-8.1.2.SU1-2.i386.rpm
acroread-plugin-8.1.2.SU1-2.i386.rpm

x86_64:
acroread-8.1.2.SU1-2.i386.rpm

Red Hat Enterprise Linux WS version 3 Extras:

i386:
acroread-8.1.2.SU1-2.i386.rpm
acroread-plugin-8.1.2.SU1-2.i386.rpm

x86_64:
acroread-8.1.2.SU1-2.i386.rpm

Red Hat Enterprise Linux AS version 4 Extras:

i386:
acroread-8.1.2.SU1-2.el4.i386.rpm
acroread-plugin-8.1.2.SU1-2.el4.i386.rpm

x86_64:
acroread-8.1.2.SU1-2.el4.i386.rpm

Red Hat Desktop version 4 Extras:

i386:
acroread-8.1.2.SU1-2.el4.i386.rpm
acroread-plugin-8.1.2.SU1-2.el4.i386.rpm

x86_64:
acroread-8.1.2.SU1-2.el4.i386.rpm

Red Hat Enterprise Linux ES version 4 Extras:

i386:
acroread-8.1.2.SU1-2.el4.i386.rpm
acroread-plugin-8.1.2.SU1-2.el4.i386.rpm

x86_64:
acroread-8.1.2.SU1-2.el4.i386.rpm

Red Hat Enterprise Linux WS version 4 Extras:

i386:
acroread-8.1.2.SU1-2.el4.i386.rpm
acroread-plugin-8.1.2.SU1-2.el4.i386.rpm

x86_64:
acroread-8.1.2.SU1-2.el4.i386.rpm

RHEL Desktop Supplementary (v. 5 client):

i386:
acroread-8.1.2.SU1-2.el5.i386.rpm
acroread-plugin-8.1.2.SU1-2.el5.i386.rpm

x86_64:
acroread-8.1.2.SU1-2.el5.i386.rpm
acroread-plugin-8.1.2.SU1-2.el5.i386.rpm

RHEL Supplementary (v. 5 server):

i386:
acroread-8.1.2.SU1-2.el5.i386.rpm
acroread-plugin-8.1.2.SU1-2.el5.i386.rpm

x86_64:
acroread-8.1.2.SU1-2.el5.i386.rpm
acroread-plugin-8.1.2.SU1-2.el5.i386.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0883
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2641
http://www.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2008 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFIhJObXlSAg2UNWIIRAuHyAKC8GWDFYYR6267KxejasPciSGD8PwCfYb9g
1lakVQNvDBjtL6wcwS6s2ls=
=oIJz
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Tue Jul 22 12:31:57 2008
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 22 Jul 2008 08:31:57 -0400
Subject: [RHSA-2008:0582-01] Moderate: php security update
Message-ID: <200807221231.m6MCVv8V022477@pobox.devel.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: php security update
Advisory ID:       RHSA-2008:0582-01
Product:           Red Hat Application Stack
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2008-0582.html
Issue date:        2008-07-22
CVE Names:         CVE-2008-2051 CVE-2007-5898 CVE-2007-5899 CVE-2007-4782
                   CVE-2008-2107 CVE-2008-2108
=====================================================================

1. Summary:

Updated PHP packages that fix several security issues are now available for Red Hat Application Stack v1.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Application Stack v1 for Enterprise Linux AS (v.4) - i386, x86_64
Red Hat Application Stack v1 for Enterprise Linux ES (v.4) - i386, x86_64

3. Description:

PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server.

It was discovered that the PHP escapeshellcmd() function did not properly escape multi-byte characters which are not valid in the locale used by the script. This could allow an attacker to bypass quoting restrictions imposed by escapeshellcmd() and execute arbitrary commands if the PHP script was using certain locales. Scripts using the default UTF-8 locale are not affected by this issue. (CVE-2008-2051)

The PHP functions htmlentities() and htmlspecialchars() did not properly recognize partial multi-byte sequences. Certain sequences of bytes could be passed through these functions without being correctly HTML-escaped. Depending on the browser being used, an attacker could use this flaw to conduct cross-site scripting attacks. (CVE-2007-5898)

A PHP script which used the transparent session ID configuration option, or which used the output_add_rewrite_var() function, could leak session identifiers to external web sites. If a page included an HTML form with an ACTION attribute referencing a non-local URL, the user's session ID would be included in the form data passed to that URL. (CVE-2007-5899)

It was discovered that the PHP fnmatch() function did not restrict the length of the string argument. An attacker could use this flaw to crash the PHP interpreter where a script used fnmatch() on untrusted input data. (CVE-2007-4782)

It was discovered that PHP did not properly seed its pseudo-random number generator used by functions such as rand() and mt_rand(), possibly allowing an attacker to easily predict the generated pseudo-random values. (CVE-2008-2107, CVE-2008-2108)

Users of PHP should upgrade to these updated packages, which contain backported patches to correct these issues.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/FAQ_58_10188
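CVE-2008-2051 and CVE-2007-5898 above share one root cause: an escaping routine that walks the input byte by byte, in an encoding the input does not actually conform to, can let a truncated multi-byte sequence carry a metacharacter past it. The following is an added example, not PHP's source and not part of the advisory, written in Python to show the defensive rule concretely: validate the bytes in the declared encoding first (a strict decode fails on a partial sequence), and only then escape characters. The "lenient" function is this example's own model of the flawed pattern, not PHP's code; the function names and sample inputs are constructed here.

```python
# Added example (not PHP's implementation, not Red Hat's code): the decode-
# then-escape rule that prevents partial multi-byte sequences from leaking
# HTML metacharacters.  lenient_escape_utf8() is a model of the flawed
# pattern only; it is not PHP's htmlspecialchars().
import html
from typing import Optional

# The five characters htmlspecialchars()-style escapers replace.
_META = {0x26: b"&amp;", 0x3C: b"&lt;", 0x3E: b"&gt;",
         0x22: b"&quot;", 0x27: b"&#039;"}


def lenient_escape_utf8(data: bytes) -> bytes:
    """Flawed pattern: on a multi-byte lead byte, copy the expected number
    of following bytes through unexamined.  If the sequence is truncated,
    whatever byte sits where a continuation byte should be is emitted raw
    and is never escaped."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out += _META.get(b, bytes([b]))
            i += 1
        else:
            width = 2 if b < 0xE0 else 3 if b < 0xF0 else 4
            out += data[i:i + width]  # continuation bytes are not checked
            i += width
    return bytes(out)


def strict_escape(data: bytes, encoding: str = "utf-8") -> str:
    """Hardened form: decode with errors="strict" so a partial or invalid
    sequence raises UnicodeDecodeError instead of flowing through, then
    escape characters rather than bytes."""
    return html.escape(data.decode(encoding, errors="strict"), quote=True)


def escape_or_reject(data: bytes, encoding: str = "utf-8") -> Optional[str]:
    """Fail closed: None means the input was not valid in `encoding` and
    must not be emitted into HTML at all (log it and reject the request)."""
    try:
        return strict_escape(data, encoding)
    except UnicodeDecodeError:
        return None


def lenient_leaks_raw_lt(data: bytes) -> bool:
    """Detection helper: True when the lenient escaper's output still
    contains a raw '<', i.e. the input would have slipped through."""
    return b"<" in lenient_escape_utf8(data)


if __name__ == "__main__":
    # Constructed inputs: a valid two-byte character followed by markup, and
    # the same lead byte with its continuation byte missing.
    print(lenient_escape_utf8(b"\xc3\xa9 <b>"))   # fully escaped
    print(lenient_leaks_raw_lt(b"\xc3<script>"))  # True: the flaw
    print(escape_or_reject(b"\xc3<script>"))      # None: rejected
    print(escape_or_reject(b"\xa9 <", "latin-1")) # encoding governs validity
```

The last call shows the locale point the advisory makes for escapeshellcmd(): the same byte 0xA9 is a complete character in latin-1 and an invalid fragment in UTF-8, so the escaper has to be told which encoding the data is in and must refuse input that is not valid in it.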
Bugs fixed (http://bugzilla.redhat.com/): 285881 - CVE-2007-4782 php crash in glob() and fnmatch() functions 382411 - CVE-2007-5898 php htmlentities/htmlspecialchars multibyte sequences 382431 - CVE-2007-5899 php session ID leakage 445006 - CVE-2008-2051 PHP multibyte shell escape flaw 445684 - CVE-2008-2107 PHP 32 bit weak random seed 445685 - CVE-2008-2108 PHP weak 64 bit random seed 6. Package List: Red Hat Application Stack v1 for Enterprise Linux AS (v.4): Source: ftp://updates.redhat.com/enterprise/4AS/en/RHWAS/SRPMS/php-5.1.6-3.el4s1.10.src.rpm i386: php-5.1.6-3.el4s1.10.i386.rpm php-bcmath-5.1.6-3.el4s1.10.i386.rpm php-cli-5.1.6-3.el4s1.10.i386.rpm php-common-5.1.6-3.el4s1.10.i386.rpm php-dba-5.1.6-3.el4s1.10.i386.rpm php-debuginfo-5.1.6-3.el4s1.10.i386.rpm php-devel-5.1.6-3.el4s1.10.i386.rpm php-gd-5.1.6-3.el4s1.10.i386.rpm php-imap-5.1.6-3.el4s1.10.i386.rpm php-ldap-5.1.6-3.el4s1.10.i386.rpm php-mbstring-5.1.6-3.el4s1.10.i386.rpm php-mysql-5.1.6-3.el4s1.10.i386.rpm php-ncurses-5.1.6-3.el4s1.10.i386.rpm php-odbc-5.1.6-3.el4s1.10.i386.rpm php-pdo-5.1.6-3.el4s1.10.i386.rpm php-pgsql-5.1.6-3.el4s1.10.i386.rpm php-snmp-5.1.6-3.el4s1.10.i386.rpm php-soap-5.1.6-3.el4s1.10.i386.rpm php-xml-5.1.6-3.el4s1.10.i386.rpm php-xmlrpc-5.1.6-3.el4s1.10.i386.rpm x86_64: php-5.1.6-3.el4s1.10.x86_64.rpm php-bcmath-5.1.6-3.el4s1.10.x86_64.rpm php-cli-5.1.6-3.el4s1.10.x86_64.rpm php-common-5.1.6-3.el4s1.10.x86_64.rpm php-dba-5.1.6-3.el4s1.10.x86_64.rpm php-debuginfo-5.1.6-3.el4s1.10.x86_64.rpm php-devel-5.1.6-3.el4s1.10.x86_64.rpm php-gd-5.1.6-3.el4s1.10.x86_64.rpm php-imap-5.1.6-3.el4s1.10.x86_64.rpm php-ldap-5.1.6-3.el4s1.10.x86_64.rpm php-mbstring-5.1.6-3.el4s1.10.x86_64.rpm php-mysql-5.1.6-3.el4s1.10.x86_64.rpm php-ncurses-5.1.6-3.el4s1.10.x86_64.rpm php-odbc-5.1.6-3.el4s1.10.x86_64.rpm php-pdo-5.1.6-3.el4s1.10.x86_64.rpm php-pgsql-5.1.6-3.el4s1.10.x86_64.rpm php-snmp-5.1.6-3.el4s1.10.x86_64.rpm php-soap-5.1.6-3.el4s1.10.x86_64.rpm php-xml-5.1.6-3.el4s1.10.x86_64.rpm 
php-xmlrpc-5.1.6-3.el4s1.10.x86_64.rpm Red Hat Application Stack v1 for Enterprise Linux ES (v.4): Source: ftp://updates.redhat.com/enterprise/4ES/en/RHWAS/SRPMS/php-5.1.6-3.el4s1.10.src.rpm i386: php-5.1.6-3.el4s1.10.i386.rpm php-bcmath-5.1.6-3.el4s1.10.i386.rpm php-cli-5.1.6-3.el4s1.10.i386.rpm php-common-5.1.6-3.el4s1.10.i386.rpm php-dba-5.1.6-3.el4s1.10.i386.rpm php-debuginfo-5.1.6-3.el4s1.10.i386.rpm php-devel-5.1.6-3.el4s1.10.i386.rpm php-gd-5.1.6-3.el4s1.10.i386.rpm php-imap-5.1.6-3.el4s1.10.i386.rpm php-ldap-5.1.6-3.el4s1.10.i386.rpm php-mbstring-5.1.6-3.el4s1.10.i386.rpm php-mysql-5.1.6-3.el4s1.10.i386.rpm php-ncurses-5.1.6-3.el4s1.10.i386.rpm php-odbc-5.1.6-3.el4s1.10.i386.rpm php-pdo-5.1.6-3.el4s1.10.i386.rpm php-pgsql-5.1.6-3.el4s1.10.i386.rpm php-snmp-5.1.6-3.el4s1.10.i386.rpm php-soap-5.1.6-3.el4s1.10.i386.rpm php-xml-5.1.6-3.el4s1.10.i386.rpm php-xmlrpc-5.1.6-3.el4s1.10.i386.rpm x86_64: php-5.1.6-3.el4s1.10.x86_64.rpm php-bcmath-5.1.6-3.el4s1.10.x86_64.rpm php-cli-5.1.6-3.el4s1.10.x86_64.rpm php-common-5.1.6-3.el4s1.10.x86_64.rpm php-dba-5.1.6-3.el4s1.10.x86_64.rpm php-debuginfo-5.1.6-3.el4s1.10.x86_64.rpm php-devel-5.1.6-3.el4s1.10.x86_64.rpm php-gd-5.1.6-3.el4s1.10.x86_64.rpm php-imap-5.1.6-3.el4s1.10.x86_64.rpm php-ldap-5.1.6-3.el4s1.10.x86_64.rpm php-mbstring-5.1.6-3.el4s1.10.x86_64.rpm php-mysql-5.1.6-3.el4s1.10.x86_64.rpm php-ncurses-5.1.6-3.el4s1.10.x86_64.rpm php-odbc-5.1.6-3.el4s1.10.x86_64.rpm php-pdo-5.1.6-3.el4s1.10.x86_64.rpm php-pgsql-5.1.6-3.el4s1.10.x86_64.rpm php-snmp-5.1.6-3.el4s1.10.x86_64.rpm php-soap-5.1.6-3.el4s1.10.x86_64.rpm php-xml-5.1.6-3.el4s1.10.x86_64.rpm php-xmlrpc-5.1.6-3.el4s1.10.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package 7. 
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2051 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5898 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5899 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4782 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2107 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2108 http://www.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/ Copyright 2008 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFIhdMrXlSAg2UNWIIRAv6eAKCb/Uo5NdU/wGCV7t1uxOgPzWZVMgCfXQZC qV8KMB7Oc0svuN3gB/rcFQw= =htz1 -----END PGP SIGNATURE----- From bugzilla at redhat.com Wed Jul 23 13:31:54 2008 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Wed, 23 Jul 2008 09:31:54 -0400 Subject: [RHSA-2008:0607-01] Important: kernel security and bug fix update Message-ID: <200807231331.m6NDVsO7004832@pobox.devel.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: kernel security and bug fix update Advisory ID: RHSA-2008:0607-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2008-0607.html Issue date: 2008-07-23 CVE Names: CVE-2008-2136 ===================================================================== 1. Summary: Updated kernel packages that fix a security issue and several bugs are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. 2. 
Relevant releases/architectures: Red Hat Enterprise Linux AS version 4 - i386, ia64, noarch, ppc, s390, s390x, x86_64 Red Hat Enterprise Linux Desktop version 4 - i386, noarch, x86_64 Red Hat Enterprise Linux ES version 4 - i386, ia64, noarch, x86_64 Red Hat Enterprise Linux WS version 4 - i386, ia64, noarch, x86_64 3. Description: The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated packages fix the following security issue: * a possible kernel memory leak was found in the Linux kernel Simple Internet Transition (SIT) INET6 implementation. This could allow a local unprivileged user to cause a denial of service. (CVE-2008-2136, Important) As well, these updated packages fix the following bugs: * a possible kernel hang on hugemem systems, due to a bug in NFS, which may have caused systems to become unresponsive, has been resolved. * an inappropriate exit condition occurred in the architecture-specific "mmap()" realization, which fell into an infinite loop under certain conditions. On 64-bit systems, this issue may have manifested itself to users as a soft lockup, or process hangs. * due to a bug in hardware initialization in the "ohci_hcd" kernel module, the kernel may have failed with a NULL pointer dereference. On 64-bit PowerPC systems, this may have caused booting to fail, and drop to xmon. On other platforms, a kernel oops occurred. * due to insufficient locks in task termination code, a panic may have occurred in the "sys_times()" system call on SMP machines. Red Hat Enterprise Linux 4 users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. 4. Solution: Before applying this update, make sure that all previously-released errata relevant to your system have been applied. This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/FAQ_58_10188 5. 
Bugs fixed (http://bugzilla.redhat.com/):

446031 - CVE-2008-2136 kernel: sit memory leak
450185 - [RHEL 4] cffimtgsaslx08 hung
450760 - Patch for bug 360281 "Odd behaviour in mmap" introduces regression
450865 - kernel failed to boot and dropped to xmon
455072 - kernel panic with kernel version 2.6.9-67.0.20.EL

6. Package List:

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/kernel-2.6.9-67.0.22.EL.src.rpm

i386:
kernel-2.6.9-67.0.22.EL.i686.rpm
kernel-debuginfo-2.6.9-67.0.22.EL.i686.rpm
kernel-devel-2.6.9-67.0.22.EL.i686.rpm
kernel-hugemem-2.6.9-67.0.22.EL.i686.rpm
kernel-hugemem-devel-2.6.9-67.0.22.EL.i686.rpm
kernel-smp-2.6.9-67.0.22.EL.i686.rpm
kernel-smp-devel-2.6.9-67.0.22.EL.i686.rpm
kernel-xenU-2.6.9-67.0.22.EL.i686.rpm
kernel-xenU-devel-2.6.9-67.0.22.EL.i686.rpm

ia64:
kernel-2.6.9-67.0.22.EL.ia64.rpm
kernel-debuginfo-2.6.9-67.0.22.EL.ia64.rpm
kernel-devel-2.6.9-67.0.22.EL.ia64.rpm
kernel-largesmp-2.6.9-67.0.22.EL.ia64.rpm
kernel-largesmp-devel-2.6.9-67.0.22.EL.ia64.rpm

noarch:
kernel-doc-2.6.9-67.0.22.EL.noarch.rpm

ppc:
kernel-2.6.9-67.0.22.EL.ppc64.rpm
kernel-2.6.9-67.0.22.EL.ppc64iseries.rpm
kernel-debuginfo-2.6.9-67.0.22.EL.ppc64.rpm
kernel-debuginfo-2.6.9-67.0.22.EL.ppc64iseries.rpm
kernel-devel-2.6.9-67.0.22.EL.ppc64.rpm
kernel-devel-2.6.9-67.0.22.EL.ppc64iseries.rpm
kernel-largesmp-2.6.9-67.0.22.EL.ppc64.rpm
kernel-largesmp-devel-2.6.9-67.0.22.EL.ppc64.rpm

s390:
kernel-2.6.9-67.0.22.EL.s390.rpm
kernel-debuginfo-2.6.9-67.0.22.EL.s390.rpm
kernel-devel-2.6.9-67.0.22.EL.s390.rpm

s390x:
kernel-2.6.9-67.0.22.EL.s390x.rpm
kernel-debuginfo-2.6.9-67.0.22.EL.s390x.rpm
kernel-devel-2.6.9-67.0.22.EL.s390x.rpm

x86_64:
kernel-2.6.9-67.0.22.EL.x86_64.rpm
kernel-debuginfo-2.6.9-67.0.22.EL.x86_64.rpm
kernel-devel-2.6.9-67.0.22.EL.x86_64.rpm
kernel-largesmp-2.6.9-67.0.22.EL.x86_64.rpm
kernel-largesmp-devel-2.6.9-67.0.22.EL.x86_64.rpm
kernel-smp-2.6.9-67.0.22.EL.x86_64.rpm
kernel-smp-devel-2.6.9-67.0.22.EL.x86_64.rpm
kernel-xenU-2.6.9-67.0.22.EL.x86_64.rpm
kernel-xenU-devel-2.6.9-67.0.22.EL.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/kernel-2.6.9-67.0.22.EL.src.rpm

i386:
kernel-2.6.9-67.0.22.EL.i686.rpm
kernel-debuginfo-2.6.9-67.0.22.EL.i686.rpm
kernel-devel-2.6.9-67.0.22.EL.i686.rpm
kernel-hugemem-2.6.9-67.0.22.EL.i686.rpm
kernel-hugemem-devel-2.6.9-67.0.22.EL.i686.rpm
kernel-smp-2.6.9-67.0.22.EL.i686.rpm
kernel-smp-devel-2.6.9-67.0.22.EL.i686.rpm
kernel-xenU-2.6.9-67.0.22.EL.i686.rpm
kernel-xenU-devel-2.6.9-67.0.22.EL.i686.rpm

noarch:
kernel-doc-2.6.9-67.0.22.EL.noarch.rpm

x86_64:
kernel-2.6.9-67.0.22.EL.x86_64.rpm
kernel-debuginfo-2.6.9-67.0.22.EL.x86_64.rpm
kernel-devel-2.6.9-67.0.22.EL.x86_64.rpm
kernel-largesmp-2.6.9-67.0.22.EL.x86_64.rpm
kernel-largesmp-devel-2.6.9-67.0.22.EL.x86_64.rpm
kernel-smp-2.6.9-67.0.22.EL.x86_64.rpm
kernel-smp-devel-2.6.9-67.0.22.EL.x86_64.rpm
kernel-xenU-2.6.9-67.0.22.EL.x86_64.rpm
kernel-xenU-devel-2.6.9-67.0.22.EL.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/kernel-2.6.9-67.0.22.EL.src.rpm

i386:
kernel-2.6.9-67.0.22.EL.i686.rpm
kernel-debuginfo-2.6.9-67.0.22.EL.i686.rpm
kernel-devel-2.6.9-67.0.22.EL.i686.rpm
kernel-hugemem-2.6.9-67.0.22.EL.i686.rpm
kernel-hugemem-devel-2.6.9-67.0.22.EL.i686.rpm
kernel-smp-2.6.9-67.0.22.EL.i686.rpm
kernel-smp-devel-2.6.9-67.0.22.EL.i686.rpm
kernel-xenU-2.6.9-67.0.22.EL.i686.rpm
kernel-xenU-devel-2.6.9-67.0.22.EL.i686.rpm

ia64:
kernel-2.6.9-67.0.22.EL.ia64.rpm
kernel-debuginfo-2.6.9-67.0.22.EL.ia64.rpm
kernel-devel-2.6.9-67.0.22.EL.ia64.rpm
kernel-largesmp-2.6.9-67.0.22.EL.ia64.rpm
kernel-largesmp-devel-2.6.9-67.0.22.EL.ia64.rpm

noarch:
kernel-doc-2.6.9-67.0.22.EL.noarch.rpm

x86_64:
kernel-2.6.9-67.0.22.EL.x86_64.rpm
kernel-debuginfo-2.6.9-67.0.22.EL.x86_64.rpm
kernel-devel-2.6.9-67.0.22.EL.x86_64.rpm
kernel-largesmp-2.6.9-67.0.22.EL.x86_64.rpm
kernel-largesmp-devel-2.6.9-67.0.22.EL.x86_64.rpm
kernel-smp-2.6.9-67.0.22.EL.x86_64.rpm
kernel-smp-devel-2.6.9-67.0.22.EL.x86_64.rpm
kernel-xenU-2.6.9-67.0.22.EL.x86_64.rpm
kernel-xenU-devel-2.6.9-67.0.22.EL.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/kernel-2.6.9-67.0.22.EL.src.rpm

i386:
kernel-2.6.9-67.0.22.EL.i686.rpm
kernel-debuginfo-2.6.9-67.0.22.EL.i686.rpm
kernel-devel-2.6.9-67.0.22.EL.i686.rpm
kernel-hugemem-2.6.9-67.0.22.EL.i686.rpm
kernel-hugemem-devel-2.6.9-67.0.22.EL.i686.rpm
kernel-smp-2.6.9-67.0.22.EL.i686.rpm
kernel-smp-devel-2.6.9-67.0.22.EL.i686.rpm
kernel-xenU-2.6.9-67.0.22.EL.i686.rpm
kernel-xenU-devel-2.6.9-67.0.22.EL.i686.rpm

ia64:
kernel-2.6.9-67.0.22.EL.ia64.rpm
kernel-debuginfo-2.6.9-67.0.22.EL.ia64.rpm
kernel-devel-2.6.9-67.0.22.EL.ia64.rpm
kernel-largesmp-2.6.9-67.0.22.EL.ia64.rpm
kernel-largesmp-devel-2.6.9-67.0.22.EL.ia64.rpm

noarch:
kernel-doc-2.6.9-67.0.22.EL.noarch.rpm

x86_64:
kernel-2.6.9-67.0.22.EL.x86_64.rpm
kernel-debuginfo-2.6.9-67.0.22.EL.x86_64.rpm
kernel-devel-2.6.9-67.0.22.EL.x86_64.rpm
kernel-largesmp-2.6.9-67.0.22.EL.x86_64.rpm
kernel-largesmp-devel-2.6.9-67.0.22.EL.x86_64.rpm
kernel-smp-2.6.9-67.0.22.EL.x86_64.rpm
kernel-smp-devel-2.6.9-67.0.22.EL.x86_64.rpm
kernel-xenU-2.6.9-67.0.22.EL.x86_64.rpm
kernel-xenU-devel-2.6.9-67.0.22.EL.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2136
http://www.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at
https://www.redhat.com/security/team/contact/

Copyright 2008 Red Hat, Inc.
From bugzilla at redhat.com Thu Jul 24 00:04:38 2008
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 23 Jul 2008 20:04:38 -0400
Subject: [RHSA-2008:0616-01] Moderate: thunderbird security update
Message-ID: <200807240004.m6O04cgI018431@pobox.devel.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: thunderbird security update
Advisory ID:       RHSA-2008:0616-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2008-0616.html
Issue date:        2008-07-23
CVE Names:         CVE-2008-2785 CVE-2008-2798 CVE-2008-2799 CVE-2008-2800
                   CVE-2008-2801 CVE-2008-2802 CVE-2008-2803 CVE-2008-2805
                   CVE-2008-2807 CVE-2008-2808 CVE-2008-2809 CVE-2008-2810
                   CVE-2008-2811
=====================================================================

1. Summary:

Updated thunderbird packages that fix multiple security issues are now
available for Red Hat Enterprise Linux 4 and Red Hat Enterprise Linux 5.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
RHEL Optional Productivity Applications (v. 5 server) - i386, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

Multiple flaws were found in the processing of malformed JavaScript
content. An HTML mail containing such malicious content could cause
Thunderbird to crash or, potentially, execute arbitrary code as the user
running Thunderbird. (CVE-2008-2801, CVE-2008-2802, CVE-2008-2803)

Several flaws were found in the processing of malformed HTML content. An
HTML mail containing malicious content could cause Thunderbird to crash
or, potentially, execute arbitrary code as the user running Thunderbird.
(CVE-2008-2785, CVE-2008-2798, CVE-2008-2799, CVE-2008-2811)

Several flaws were found in the way malformed HTML content was displayed.
An HTML mail containing specially-crafted content could, potentially,
trick a Thunderbird user into surrendering sensitive information.
(CVE-2008-2800)

Two local file disclosure flaws were found in Thunderbird. An HTML mail
containing malicious content could cause Thunderbird to reveal the
contents of a local file to a remote attacker. (CVE-2008-2805,
CVE-2008-2810)

A flaw was found in the way a malformed .properties file was processed by
Thunderbird. A malicious extension could read uninitialized memory,
possibly leaking sensitive data to the extension. (CVE-2008-2807)

A flaw was found in the way Thunderbird escaped a listing of local file
names. If a user could be tricked into listing a local directory
containing malicious file names, arbitrary JavaScript could be run with
the permissions of the user running Thunderbird. (CVE-2008-2808)

A flaw was found in the way Thunderbird displayed information about
self-signed certificates. It was possible for a self-signed certificate to
contain multiple alternate name entries, which were not all displayed to
the user, allowing them to mistakenly extend trust to an unknown site.
(CVE-2008-2809)

Note: JavaScript support is disabled by default in Thunderbird. The above
issues are not exploitable unless JavaScript is enabled.

All Thunderbird users should upgrade to these updated packages, which
contain backported patches to resolve these issues.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

5. Bugs fixed (http://bugzilla.redhat.com/):

452204 - CVE-2008-2785 mozilla: CSS reference counter overflow (ZDI-CAN-349)
452597 - CVE-2008-2798 Firefox malformed web content flaws
452598 - CVE-2008-2799 Firefox javascript arbitrary code execution
452599 - CVE-2008-2800 Firefox XSS attacks
452600 - CVE-2008-2802 Firefox arbitrary JavaScript code execution
452602 - CVE-2008-2803 Firefox javascript arbitrary code execution
452604 - CVE-2008-2805 Firefox arbitrary file disclosure
452605 - CVE-2008-2801 Firefox arbitrary signed JAR code execution
452709 - CVE-2008-2807 Firefox .properties memory leak
452710 - CVE-2008-2808 Firefox file location escaping flaw
452711 - CVE-2008-2809 Firefox self signed certificate flaw
452712 - CVE-2008-2810 Firefox arbitrary file disclosure
453007 - CVE-2008-2811 Firefox block reflow flaw

6. Package List:

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/thunderbird-1.5.0.12-14.el4.src.rpm

i386:
thunderbird-1.5.0.12-14.el4.i386.rpm
thunderbird-debuginfo-1.5.0.12-14.el4.i386.rpm

ia64:
thunderbird-1.5.0.12-14.el4.ia64.rpm
thunderbird-debuginfo-1.5.0.12-14.el4.ia64.rpm

ppc:
thunderbird-1.5.0.12-14.el4.ppc.rpm
thunderbird-debuginfo-1.5.0.12-14.el4.ppc.rpm

s390:
thunderbird-1.5.0.12-14.el4.s390.rpm
thunderbird-debuginfo-1.5.0.12-14.el4.s390.rpm

s390x:
thunderbird-1.5.0.12-14.el4.s390x.rpm
thunderbird-debuginfo-1.5.0.12-14.el4.s390x.rpm

x86_64:
thunderbird-1.5.0.12-14.el4.x86_64.rpm
thunderbird-debuginfo-1.5.0.12-14.el4.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/thunderbird-1.5.0.12-14.el4.src.rpm

i386:
thunderbird-1.5.0.12-14.el4.i386.rpm
thunderbird-debuginfo-1.5.0.12-14.el4.i386.rpm

x86_64:
thunderbird-1.5.0.12-14.el4.x86_64.rpm
thunderbird-debuginfo-1.5.0.12-14.el4.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/thunderbird-1.5.0.12-14.el4.src.rpm

i386:
thunderbird-1.5.0.12-14.el4.i386.rpm
thunderbird-debuginfo-1.5.0.12-14.el4.i386.rpm

ia64:
thunderbird-1.5.0.12-14.el4.ia64.rpm
thunderbird-debuginfo-1.5.0.12-14.el4.ia64.rpm

x86_64:
thunderbird-1.5.0.12-14.el4.x86_64.rpm
thunderbird-debuginfo-1.5.0.12-14.el4.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/thunderbird-1.5.0.12-14.el4.src.rpm

i386:
thunderbird-1.5.0.12-14.el4.i386.rpm
thunderbird-debuginfo-1.5.0.12-14.el4.i386.rpm

ia64:
thunderbird-1.5.0.12-14.el4.ia64.rpm
thunderbird-debuginfo-1.5.0.12-14.el4.ia64.rpm

x86_64:
thunderbird-1.5.0.12-14.el4.x86_64.rpm
thunderbird-debuginfo-1.5.0.12-14.el4.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/thunderbird-2.0.0.16-1.el5.src.rpm

i386:
thunderbird-2.0.0.16-1.el5.i386.rpm
thunderbird-debuginfo-2.0.0.16-1.el5.i386.rpm

x86_64:
thunderbird-2.0.0.16-1.el5.x86_64.rpm
thunderbird-debuginfo-2.0.0.16-1.el5.x86_64.rpm

RHEL Optional Productivity Applications (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/thunderbird-2.0.0.16-1.el5.src.rpm

i386:
thunderbird-2.0.0.16-1.el5.i386.rpm
thunderbird-debuginfo-2.0.0.16-1.el5.i386.rpm

x86_64:
thunderbird-2.0.0.16-1.el5.x86_64.rpm
thunderbird-debuginfo-2.0.0.16-1.el5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2785
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2798
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2799
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2800
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2801
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2802
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2803
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2805
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2807
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2808
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2809
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2810
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2811
http://www.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is . More contact details at
https://www.redhat.com/security/team/contact/

Copyright 2008 Red Hat, Inc.
From bugzilla at redhat.com Thu Jul 24 17:16:55 2008
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 24 Jul 2008 13:16:55 -0400
Subject: [RHSA-2008:0575-01] Moderate: rdesktop security update
Message-ID: <200807241716.m6OHGtlq020568@pobox.devel.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: rdesktop security update
Advisory ID:       RHSA-2008:0575-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2008-0575.html
Issue date:        2008-07-24
CVE Names:         CVE-2008-1801 CVE-2008-1803
=====================================================================

1. Summary:

An updated rdesktop package that fixes two security issues is now
available for Red Hat Enterprise Linux 5.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64

3. Description:

rdesktop is an open source client for Microsoft Windows NT Terminal Server
and Microsoft Windows 2000 and 2003 Terminal Services, capable of natively
using the Remote Desktop Protocol (RDP) to present the user's NT desktop.
No additional server extensions are required.

An integer underflow and an integer signedness issue were discovered in
rdesktop. If an attacker could convince a victim to connect to a malicious
RDP server, the attacker could cause the victim's rdesktop to crash or,
possibly, execute arbitrary code. (CVE-2008-1801, CVE-2008-1803)

Users of rdesktop should upgrade to these updated packages, which contain
backported patches to resolve these issues.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

5. Bugs fixed (http://bugzilla.redhat.com/):

445825 - CVE-2008-1801 rdesktop: iso_recv_msg() Integer Underflow Vulnerability
445829 - CVE-2008-1803 rdesktop: channel_process() Integer Signedness Vulnerability

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/rdesktop-1.4.1-6.src.rpm

i386:
rdesktop-1.4.1-6.i386.rpm
rdesktop-debuginfo-1.4.1-6.i386.rpm

x86_64:
rdesktop-1.4.1-6.x86_64.rpm
rdesktop-debuginfo-1.4.1-6.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/rdesktop-1.4.1-6.src.rpm

i386:
rdesktop-1.4.1-6.i386.rpm
rdesktop-debuginfo-1.4.1-6.i386.rpm

ia64:
rdesktop-1.4.1-6.ia64.rpm
rdesktop-debuginfo-1.4.1-6.ia64.rpm

ppc:
rdesktop-1.4.1-6.ppc.rpm
rdesktop-debuginfo-1.4.1-6.ppc.rpm

s390x:
rdesktop-1.4.1-6.s390x.rpm
rdesktop-debuginfo-1.4.1-6.s390x.rpm

x86_64:
rdesktop-1.4.1-6.x86_64.rpm
rdesktop-debuginfo-1.4.1-6.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1801
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1803
http://www.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at
https://www.redhat.com/security/team/contact/

Copyright 2008 Red Hat, Inc.
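The rdesktop advisories RHSA-2008:0575 and RHSA-2008:0576 both name an integer underflow in iso_recv_msg(), the routine that reads RDP's TPKT transport framing. The following is an added illustration and not rdesktop's code: the TPKT header layout (version, reserved, 16-bit big-endian length that includes the header) is from RFC 1006, while the function names and the unchecked variant are constructed here to show why a peer-supplied length must be validated before the header size is subtracted from it.

```c
#include <stdint.h>
#include <stddef.h>
#include <inttypes.h>
#include <stdio.h>

#define TPKT_VERSION     3
#define TPKT_HEADER_LEN  4   /* version(1) reserved(1) length(2, big-endian, includes header) */

/* Hazardous pattern (illustrative, not rdesktop's code): the 16-bit length
 * field is trusted and the header size is subtracted with no lower-bound
 * check. A peer-supplied length of 0..3 wraps to a huge unsigned payload
 * size, which a receive loop would then treat as "bytes still to read". */
uint32_t tpkt_payload_len_unchecked(const uint8_t *hdr)
{
    uint32_t total = ((uint32_t)hdr[2] << 8) | hdr[3];
    return total - TPKT_HEADER_LEN;         /* underflows when total < 4 */
}

/* Hardened version: returns the payload length, or -1 for a header that is
 * truncated, carries the wrong version, or claims a total length smaller
 * than the header itself. A caller should treat -1 as "drop the
 * connection", never as a length. */
int tpkt_payload_len(const uint8_t *buf, size_t avail)
{
    if (avail < TPKT_HEADER_LEN)
        return -1;                          /* not enough bytes to parse */
    if (buf[0] != TPKT_VERSION)
        return -1;                          /* not a TPKT frame */
    unsigned total = ((unsigned)buf[2] << 8) | buf[3];
    if (total < TPKT_HEADER_LEN)
        return -1;                          /* would underflow below */
    return (int)(total - TPKT_HEADER_LEN);
}

/* Returns the offset of the payload inside buf when the complete frame is
 * present and stores its length in *payload_len; returns -1 if the header
 * is bad or the frame has not been fully received. Bounding the payload by
 * what was actually received stops an overstated length from driving a
 * read past the end of the buffer. */
int tpkt_frame_payload(const uint8_t *buf, size_t avail, size_t *payload_len)
{
    int plen = tpkt_payload_len(buf, avail);
    if (plen < 0)
        return -1;
    if ((size_t)plen > avail - TPKT_HEADER_LEN)
        return -1;                          /* frame not fully received yet */
    *payload_len = (size_t)plen;
    return TPKT_HEADER_LEN;
}

int main(void)
{
    /* Constructed sample frames: a valid 11-byte frame, and a header whose
     * length field (3) is smaller than the header it describes. */
    const uint8_t good[] = {3, 0, 0, 11, 'p', 'a', 'y', 'l', 'o', 'a', 'd'};
    const uint8_t bad[]  = {3, 0, 0, 3};
    size_t plen = 0;

    int off = tpkt_frame_payload(good, sizeof good, &plen);
    printf("good frame: payload offset %d, length %zu\n", off, plen);
    printf("bad frame, unchecked: %" PRIu32 " bytes to read\n",
           tpkt_payload_len_unchecked(bad));
    printf("bad frame, checked: %d (rejected)\n",
           tpkt_payload_len(bad, sizeof bad));
    return 0;
}
```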
From bugzilla at redhat.com Thu Jul 24 17:26:17 2008
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 24 Jul 2008 13:26:17 -0400
Subject: [RHSA-2008:0576-01] Moderate: rdesktop security update
Message-ID: <200807241726.m6OHQMnx022108@pobox.devel.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: rdesktop security update
Advisory ID:       RHSA-2008:0576-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2008-0576.html
Issue date:        2008-07-24
CVE Names:         CVE-2008-1801
=====================================================================

1. Summary:

Updated rdesktop packages that fix a security issue are now available for
Red Hat Enterprise Linux 3.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64

3. Description:

rdesktop is an open source client for Microsoft Windows NT Terminal Server
and Microsoft Windows 2000 and 2003 Terminal Services, capable of natively
using the Remote Desktop Protocol (RDP) to present the user's NT desktop.
No additional server extensions are required.

An integer underflow vulnerability was discovered in rdesktop. If an
attacker could convince a victim to connect to a malicious RDP server, the
attacker could cause the victim's rdesktop to crash or, possibly, execute
arbitrary code. (CVE-2008-1801)

Users of rdesktop should upgrade to these updated packages, which contain
a backported patch to resolve this issue.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

5. Bugs fixed (http://bugzilla.redhat.com/):

445825 - CVE-2008-1801 rdesktop: iso_recv_msg() Integer Underflow Vulnerability

6. Package List:

Red Hat Enterprise Linux AS version 3:

Source:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/rdesktop-1.2.0-3.src.rpm

i386:
rdesktop-1.2.0-3.i386.rpm
rdesktop-debuginfo-1.2.0-3.i386.rpm

ia64:
rdesktop-1.2.0-3.ia64.rpm
rdesktop-debuginfo-1.2.0-3.ia64.rpm

ppc:
rdesktop-1.2.0-3.ppc.rpm
rdesktop-debuginfo-1.2.0-3.ppc.rpm

s390:
rdesktop-1.2.0-3.s390.rpm
rdesktop-debuginfo-1.2.0-3.s390.rpm

s390x:
rdesktop-1.2.0-3.s390x.rpm
rdesktop-debuginfo-1.2.0-3.s390x.rpm

x86_64:
rdesktop-1.2.0-3.x86_64.rpm
rdesktop-debuginfo-1.2.0-3.x86_64.rpm

Red Hat Desktop version 3:

Source:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/rdesktop-1.2.0-3.src.rpm

i386:
rdesktop-1.2.0-3.i386.rpm
rdesktop-debuginfo-1.2.0-3.i386.rpm

x86_64:
rdesktop-1.2.0-3.x86_64.rpm
rdesktop-debuginfo-1.2.0-3.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

Source:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/rdesktop-1.2.0-3.src.rpm

i386:
rdesktop-1.2.0-3.i386.rpm
rdesktop-debuginfo-1.2.0-3.i386.rpm

ia64:
rdesktop-1.2.0-3.ia64.rpm
rdesktop-debuginfo-1.2.0-3.ia64.rpm

x86_64:
rdesktop-1.2.0-3.x86_64.rpm
rdesktop-debuginfo-1.2.0-3.x86_64.rpm

Red Hat Enterprise Linux WS version 3:

Source:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/rdesktop-1.2.0-3.src.rpm

i386:
rdesktop-1.2.0-3.i386.rpm
rdesktop-debuginfo-1.2.0-3.i386.rpm

ia64:
rdesktop-1.2.0-3.ia64.rpm
rdesktop-debuginfo-1.2.0-3.ia64.rpm

x86_64:
rdesktop-1.2.0-3.x86_64.rpm
rdesktop-debuginfo-1.2.0-3.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1801
http://www.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at
https://www.redhat.com/security/team/contact/

Copyright 2008 Red Hat, Inc.

From bugzilla at redhat.com Thu Jul 24 17:30:14 2008
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 24 Jul 2008 13:30:14 -0400
Subject: [RHSA-2008:0579-01] Moderate: vsftpd security update
Message-ID: <200807241730.m6OHUEkP022746@pobox.devel.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: vsftpd security update
Advisory ID:       RHSA-2008:0579-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2008-0579.html
Issue date:        2008-07-24
CVE Names:         CVE-2008-2375
=====================================================================

1. Summary:

An updated vsftpd package that fixes a security issue is now available.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64

3. Description:

vsftpd (Very Secure File Transfer Protocol (FTP) daemon) is a secure FTP
server for Linux and Unix-like systems.

The version of vsftpd as shipped in Red Hat Enterprise Linux 3, when used
in combination with Pluggable Authentication Modules (PAM), had a memory
leak on an invalid authentication attempt. Since vsftpd prior to version
2.0.5 allows any number of invalid attempts on the same connection, this
memory leak could lead to an eventual DoS. (CVE-2008-2375)

This update mitigates this security issue by including a backported patch
which terminates a session after a given number of failed login attempts.
The default number of attempts is 3, and this can be configured using the
"max_login_fails" directive.

All vsftpd users should upgrade to this updated package, which addresses
this vulnerability.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

5. Bugs fixed (http://bugzilla.redhat.com/):

453376 - CVE-2008-2375 older vsftpd authentication memory leak

6. Package List:

Red Hat Enterprise Linux AS version 3:

Source:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/vsftpd-1.2.1-3E.16.src.rpm

i386:
vsftpd-1.2.1-3E.16.i386.rpm
vsftpd-debuginfo-1.2.1-3E.16.i386.rpm

ia64:
vsftpd-1.2.1-3E.16.ia64.rpm
vsftpd-debuginfo-1.2.1-3E.16.ia64.rpm

ppc:
vsftpd-1.2.1-3E.16.ppc.rpm
vsftpd-debuginfo-1.2.1-3E.16.ppc.rpm

s390:
vsftpd-1.2.1-3E.16.s390.rpm
vsftpd-debuginfo-1.2.1-3E.16.s390.rpm

s390x:
vsftpd-1.2.1-3E.16.s390x.rpm
vsftpd-debuginfo-1.2.1-3E.16.s390x.rpm

x86_64:
vsftpd-1.2.1-3E.16.x86_64.rpm
vsftpd-debuginfo-1.2.1-3E.16.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

Source:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/vsftpd-1.2.1-3E.16.src.rpm

i386:
vsftpd-1.2.1-3E.16.i386.rpm
vsftpd-debuginfo-1.2.1-3E.16.i386.rpm

ia64:
vsftpd-1.2.1-3E.16.ia64.rpm
vsftpd-debuginfo-1.2.1-3E.16.ia64.rpm

x86_64:
vsftpd-1.2.1-3E.16.x86_64.rpm
vsftpd-debuginfo-1.2.1-3E.16.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2375
http://www.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at
https://www.redhat.com/security/team/contact/

Copyright 2008 Red Hat, Inc.
From bugzilla at redhat.com Thu Jul 24 17:31:05 2008
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 24 Jul 2008 13:31:05 -0400
Subject: [RHSA-2008:0665-01] Moderate: Updated kernel packages for Red Hat Enterprise Linux 4.7
Message-ID: <200807241731.m6OHV5AK022781@pobox.devel.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Updated kernel packages for Red Hat Enterprise Linux 4.7
Advisory ID:       RHSA-2008:0665-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2008-0665.html
Issue date:        2008-07-24
Keywords:          nahant kernel update
Obsoletes:         RHBA-2007:0791
CVE Names:         CVE-2006-4145 CVE-2008-2812
=====================================================================

1. Summary:

Updated kernel packages are now available as part of ongoing support and
maintenance of Red Hat Enterprise Linux 4. This is the seventh regular
update.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 - i386, ia64, noarch, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, noarch, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, noarch, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, noarch, x86_64

3. Description:

The kernel packages contain the Linux kernel, the core of any Linux
operating system.

Kernel Feature Support:

* iostat displays I/O performance for partitions
* I/O task accounting added to getrusage(), allowing comprehensive core
  statistics
* page cache pages count added to show_mem() output
* tux O_ATOMICLOOKUP flag removed from the open() system call: replaced
  with O_CLOEXEC
* the kernel now exports process limit information to /proc/[PID]/limits
* implement udp_poll() to reduce likelihood of false positives returned
  from select()
* the TCP_RTO_MIN parameter can now be configured to a maximum of 3000
  milliseconds. This is configured using "ip route"
* update CIFS to version 1.50

Added Features:

* nfs.enable_ino64 boot command line parameter: enable and disable 32-bit
  inode numbers when using NFS
* tick "divider" kernel boot parameter: reduce CPU overhead, and increase
  efficiency at the cost of lowering timing accuracy
* /proc/sys/vm/nfs-writeback-lowmem-only tunable parameter: resolve NFS
  read performance
* /proc/sys/vm/write-mapped tunable option, allowing the option of faster
  NFS reads
* support for Large Receive Offload as a networking module
* core dump masking, allowing a core dump process to skip the shared
  memory segments of a process

Virtualization:

* para-virtualized network and block device drivers, to increase
  fully-virtualized guest performance
* support for more than three VNIF numbers per guest domain

Platform Support:

* AMD ATI SB800 SATA controller, AMD ATI SB600 and SB700 40-pin IDE cable
* 64-bit DMA support on AMD ATI SB700
* PCI device IDs to support Intel ICH10
* /dev/msr[0-n] device files
* powernow-k8 as a module
* SLB shadow buffer support for IBM POWER6 systems
* support for CPU frequencies greater than 32-bit on IBM POWER5, IBM POWER6
* floating point load and store handler for IBM POWER6

Added Drivers and Updates:

* ixgbe 1.1.18, for the Intel 82598 10GB ethernet controller
* bnx2x 1.40.22, for network adapters on the Broadcom 5710 chipset
* dm-hp-sw 1.0.0, for HP Active/Standby
* zfcp version and bug fixes
* qdio to fix FCP/SCSI write I/O expiring on LPARs
* cio bug fixes
* eHEA latest upstream, and netdump and netconsole support
* ipr driver support for dual SAS RAID controllers
* correct CPU cache info and SATA support for Intel Tolapai
* i5000_edac support for Intel 5000 chipsets
* i3000_edac support for Intel 3000 and 3010 chipsets
* add i2c_piix4 module on 64-bit systems to support AMD ATI SB600, 700 and 800
* i2c-i801 support for Intel Tolapai
* qla4xxx: 5.01.01-d2 to 5.01.02-d4-rhel4.7-00
* qla2xxx: 8.01.07-d4 to 8.01.07-d4-rhel4.7-02
* cciss: 2.6.16 to 2.6.20
* mptfusion: 3.02.99.00rh to 3.12.19.00rh
* lpfc: 8.0.16.34 to 8.0.16.40
* megaraid_sas: 00.00.03.13 to 00.00.03.18-rh1
* stex: 3.0.0.1 to 3.6.0101.2
* arcmsr: 1.20.00.13 to 1.20.00.15.rh4u7
* aacraid: 1.1-5[2441] to 1.1.5[2455]

Miscellaneous Updates:

* OFED 1.3 support
* wacom driver to add support for Cintiq 20WSX, Wacom Intuos3 12x19, 12x12
  and 4x6 tablets
* sata_svw driver to support Broadcom HT-1100 chipsets
* libata to un-blacklist Hitachi drives to enable NCQ
* ide driver allows command line option to disable ide drivers
* psmouse support for cortps protocol

These updated packages fix the following security issues:

* NULL pointer access due to missing checks for terminal validity.
  (CVE-2008-2812, Moderate)
* a security flaw was found in the Linux kernel Universal Disk Format file
  system. (CVE-2006-4145, Low)

For further details, refer to the latest Red Hat Enterprise Linux 4.7
release notes: redhat.com/docs/manuals/enterprise

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

5.
Bugs fixed (http://bugzilla.redhat.com/): 151085 - mount are not interruptible 166038 - ext2online can't resize: No space left on device 171712 - A NFS export mounted using version 4 and TCP shows up as UDP in /proc/mounts 179201 - pvmove causes kernel panic 183119 - Assertion failure in journal_next_log_block 185202 - Kernel build requires "High Memory Support" 186606 - Incorrect suggestion on when to install largesmp kernel 194585 - mdadm --grow -n 2 (old: 3) fails on particular raid1 devices 195685 - RFE: Add dm-hp-sw to kernel to allow use of active/passive sans with dm multipathing 204309 - kernel retries portmap query indefinitely when statd is down 205966 - Firewall - Premature ip_conntrack timer expiry on 3+ ack or window size advertisements - (hanging tomcat threads problem) 206113 - [PATCH][RHEL4U4] Fix estimate-mistake (e820-memory-hole and numnodes) of available_memory in x86_64 212321 - [PATCH][RHEL4U4] Backported udp_poll() function (Fix the problem that select() returns in RHEL4 though select() must not return essentially when kernel receives broken UDP packet(s)) 212922 - /sbin/service iptables stop hangs on modprobe -r ipt_state 219639 - Crash dump fails on IA64 with block_order set to 10 227610 - READDIR on a NFSv4 directory containing a referral returns -EIO for entire directory 233234 - Missing definition for mutex_destroy in linux/kernel.h 247446 - RHEL4-U5: "cdrom open failed" message in /var/log/messages on every reboot 247879 - dm-mirror: spinlock in write_callback has the potential for deadlock 248488 - Backport divider= option from RHEL5 U1 to RHEL4 248787 - [RHEL4 U4] NFS server, rpciod was stuck in a infinite loop, 248954 - Oracle ASM DBWR process goes into 100% CPU spin when using hugepages on ia64 249727 - xenbus has use-after-free in drivers/xen/xenbus/xenbus_xs.c 250381 - xenbus suspend_mutex remains locked after transaction failure 250842 - oopses when multicasting with connection oriented socket 251560 - [Promise 4.7 feat] Update 
stex driver to version 3.6.0101.2 252222 - ipv6 device reference counting error in net/ipv6/anycast.c 252287 - AMD/ATI SB600/700/800 use same SMBus controller devID 252400 - RHEL4 U5: ia64 machine hang when DB starts using rac/nfs/hugepages 252939 - Long Delay before OOMKill launches 253592 - [RHEL 4.5] forcedeth: pull latest upstream updates 270661 - need a way to disable ide drivers 278961 - epoll_wait(..., -100) results in printk 280431 - ip_tables reference count will underflow occasionally 287741 - PCI: hotplug: acpiphp: avoid acpiphp "cannot get bridge info" PCI hotplug failure 299901 - We need SB800 SATA Controller supported in RHEL4.7 300861 - sb600 system generates ATA errors during initscripts 306911 - CVE-2006-4145 UDF truncating issue 309081 - i386 compressed diskdump header contains incorrect panic cpu 311431 - kernel BUG at mm/rmap.c:479 during suspend/resume testing 311881 - ptrace: i386 debugger + x86_64 kernel + threaded (i386) inferior = error 335361 - RHEL 4.7: SB700 contains two IDE channels 337671 - [RHEL4] Patch pata_jmicron to support new controller 351911 - RHEL4.6: AD1984 HDAudio does not work on AMD Trevally Board(RS690 + SB700) 354371 - readdir on nfs4 passing non-posix errors to userspace 355141 - pull upstream patches for smbfs 359651 - [PATCH] nfsv4 fails to update content of files when open for write 359671 - RHEL4: Hald causes system deadlock on ia64 360311 - kernel dm: panic on shrinking device size 361931 - [Stratus 4.7 bug] iounmap may sleep while holding vmlist_lock, causing a deadlock. 364361 - NFS: Fix directory caching problem - with test case and patch. 
377351 - kernel dm: bd_mount_sem counter corruption 377371 - kernel dm crypt: oops on device removal 377611 - Marvell NIC using skge driver loses promiscuous mode on rewiring 381221 - Assertion failure in journal_start() at fs/jbd/transaction.c:274: 'handle->h_transaction->t_journal == journal' 393501 - execve returning EFBIG when running 4 GB executable 396081 - Since "Patch2037: linux-2.6.9-vm-balance.patch" my NFS performance is poorly 402581 - Deadlock while performing nfs operations. 414131 - Checksum offloading and IP connection tracking don't play well together 424541 - Please build SMBus driver i2c-piix4 as a module in RHEL4.7 424871 - Implement netif_release_rx_bufs for copying receiver 425721 - [QLogic 4.7 bug][3/5] qla4xxx - Targets not seen on first port (5.01.02-d2 --> 5.01.02-d3) 426031 - rapid block device plug / unplug leads to kernel crash and/or soft lockup 426301 - FEAT: RHEL 4.7 Intel Tolapai cpucache patch 426411 - [QLogic 4.7 Bug][5/5] qla2xxx - avoid delay for loop ready when loop dead 426647 - ptrace: PTRACE_SINGLESTEP,signal steps on the 2nd instr. 
427204 - RHEL4, make tcp_input_metrics() get minimum RTO via tcp_rto_min()
427544 - Update CIFS to 1.50cRH for 4.7
427799 - [RHEL-4] RFE: Add EDAC driver for Intel 3000/3010 chipsets
428801 - [Areca 4.7 feat] Update the arcmsr driver to 1.20.00.15.RH
428934 - Can not send redirect packet when jiffiess wraparound
428964 - RHEL4.7: HDMI Audio support for AMD ATI chipsets
429103 - Allocations on resume path can cause deadlock due to attempting to swap
429930 - Fake ARP dropped after migration leading to loss of network connectivity
430313 - [QLogic 4.7 bug][4/5] qla4xxx - Race condition fixes w/ constant qla3xxx ifup/ifdown (5.01.02-d3 --> 5.01.02-d4)
430494 - [NetApp-S 4.7 bug] LUN removal status is not updated on the host without a driver reload
430946 - nfs server sending short packets on nfsv2 UDP readdir replies
431081 - [RHEL4.6]: Under load, an i386 PV guest on i386 HV will hang during save/restore
433249 - [EMC 4.7 bug] nfs_access_cache_shrinker() race with umount
433524 - oProfile Driver Module Patch for Family10h
435000 - ptrace: ERESTARTSYS from calling a function from a debugger
435351 - [RHEL4.7]: PV kernel can OOPs during live migrate
435787 - RHEL4.7: USB stress test failure on AMD SBX00
437423 - Add Xen disk and network paravirtualized drivers to bare-metal kernel
437865 - [RHEL 4.6] bonding 802.3ad does not work
438027 - RHEL4.6 Diskdump performance regression (mptfusion)
438115 - Add invocation of weak-modules on kernel install/remove
438688 - 68.25 Kernel rpm installation/uninstallation errors out
438723 - 32bit NFS server returns -EIO for readdirplus request when backing file system has 32bit inodes
438834 - cluster mirrors should not be attempted when cmirror modules are not loaded
438975 - gettimeofday is not monotonically increasing
439109 - [Broadcom 4.7 bug] HT1000 chip based systems getting blacklisted for msi
439539 - RHEL4 kernel ignores extended cpu model field
439540 - oprofile fix to support Penryn-based processors
439926 - do not limit locked memory when RLIMIT_MEMLOCK is RLIM_INFINITY
441445 - [QLogic 4.7 feat] Update qla2xxx - qla84xx variant support.
442124 - bonding: incorrect backport creates possible incorrect interface flags
442298 - Memory corruption due to VNIF increase
442538 - kernel panic in gnttab_map when booting RHEL4 x86_64 FV xen guest
442789 - oops in cifs module while trying to stop a thread (kthread_stop) during filesystem mount
443052 - kernel failed to boot and dropped to xmon
443053 - cciss driver crash
443825 - ls shows two /proc/[pid]/limits files for every process
444473 - Fake ARP dropped after migration leading to loss of network connectivity
447315 - parted error: Can't open /dev/xvda while probing disks during installation
448641 - [QLogic 4.7 bug] qla2xxx - Update firmware for 4, 8 Gb/S adapters
448934 - Patch for bug 435280 introduces possibility of dead lock
449381 - System hangs when using /proc/sys/vm/drop_caches under heavy load on large system.
450094 - Patch for bug 360281 "Odd behaviour in mmap" introduces regression
450645 - [QLogic 4.7 bug] qla2xxx- several fixes: ioctl module and slab corruption (8.02.09-d0-rhel4.7-04)
450918 - vmware - Console graphic problem when mouse is moved
453419 - CVE-2008-2812 kernel: NULL ptr dereference in multiple network drivers due to missing checks in tty code

6. Package List:

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/kernel-2.6.9-78.EL.src.rpm

i386:
kernel-2.6.9-78.EL.i686.rpm
kernel-debuginfo-2.6.9-78.EL.i686.rpm
kernel-devel-2.6.9-78.EL.i686.rpm
kernel-hugemem-2.6.9-78.EL.i686.rpm
kernel-hugemem-devel-2.6.9-78.EL.i686.rpm
kernel-smp-2.6.9-78.EL.i686.rpm
kernel-smp-devel-2.6.9-78.EL.i686.rpm
kernel-xenU-2.6.9-78.EL.i686.rpm
kernel-xenU-devel-2.6.9-78.EL.i686.rpm

ia64:
kernel-2.6.9-78.EL.ia64.rpm
kernel-debuginfo-2.6.9-78.EL.ia64.rpm
kernel-devel-2.6.9-78.EL.ia64.rpm
kernel-largesmp-2.6.9-78.EL.ia64.rpm
kernel-largesmp-devel-2.6.9-78.EL.ia64.rpm

noarch:
kernel-doc-2.6.9-78.EL.noarch.rpm

ppc:
kernel-2.6.9-78.EL.ppc64.rpm
kernel-2.6.9-78.EL.ppc64iseries.rpm
kernel-debuginfo-2.6.9-78.EL.ppc64.rpm
kernel-debuginfo-2.6.9-78.EL.ppc64iseries.rpm
kernel-devel-2.6.9-78.EL.ppc64.rpm
kernel-devel-2.6.9-78.EL.ppc64iseries.rpm
kernel-largesmp-2.6.9-78.EL.ppc64.rpm
kernel-largesmp-devel-2.6.9-78.EL.ppc64.rpm

s390:
kernel-2.6.9-78.EL.s390.rpm
kernel-debuginfo-2.6.9-78.EL.s390.rpm
kernel-devel-2.6.9-78.EL.s390.rpm

s390x:
kernel-2.6.9-78.EL.s390x.rpm
kernel-debuginfo-2.6.9-78.EL.s390x.rpm
kernel-devel-2.6.9-78.EL.s390x.rpm

x86_64:
kernel-2.6.9-78.EL.x86_64.rpm
kernel-debuginfo-2.6.9-78.EL.x86_64.rpm
kernel-devel-2.6.9-78.EL.x86_64.rpm
kernel-largesmp-2.6.9-78.EL.x86_64.rpm
kernel-largesmp-devel-2.6.9-78.EL.x86_64.rpm
kernel-smp-2.6.9-78.EL.x86_64.rpm
kernel-smp-devel-2.6.9-78.EL.x86_64.rpm
kernel-xenU-2.6.9-78.EL.x86_64.rpm
kernel-xenU-devel-2.6.9-78.EL.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/kernel-2.6.9-78.EL.src.rpm

i386:
kernel-2.6.9-78.EL.i686.rpm
kernel-debuginfo-2.6.9-78.EL.i686.rpm
kernel-devel-2.6.9-78.EL.i686.rpm
kernel-hugemem-2.6.9-78.EL.i686.rpm
kernel-hugemem-devel-2.6.9-78.EL.i686.rpm
kernel-smp-2.6.9-78.EL.i686.rpm
kernel-smp-devel-2.6.9-78.EL.i686.rpm
kernel-xenU-2.6.9-78.EL.i686.rpm
kernel-xenU-devel-2.6.9-78.EL.i686.rpm

noarch:
kernel-doc-2.6.9-78.EL.noarch.rpm

x86_64:
kernel-2.6.9-78.EL.x86_64.rpm
kernel-debuginfo-2.6.9-78.EL.x86_64.rpm
kernel-devel-2.6.9-78.EL.x86_64.rpm
kernel-largesmp-2.6.9-78.EL.x86_64.rpm
kernel-largesmp-devel-2.6.9-78.EL.x86_64.rpm
kernel-smp-2.6.9-78.EL.x86_64.rpm
kernel-smp-devel-2.6.9-78.EL.x86_64.rpm
kernel-xenU-2.6.9-78.EL.x86_64.rpm
kernel-xenU-devel-2.6.9-78.EL.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/kernel-2.6.9-78.EL.src.rpm

i386:
kernel-2.6.9-78.EL.i686.rpm
kernel-debuginfo-2.6.9-78.EL.i686.rpm
kernel-devel-2.6.9-78.EL.i686.rpm
kernel-hugemem-2.6.9-78.EL.i686.rpm
kernel-hugemem-devel-2.6.9-78.EL.i686.rpm
kernel-smp-2.6.9-78.EL.i686.rpm
kernel-smp-devel-2.6.9-78.EL.i686.rpm
kernel-xenU-2.6.9-78.EL.i686.rpm
kernel-xenU-devel-2.6.9-78.EL.i686.rpm

ia64:
kernel-2.6.9-78.EL.ia64.rpm
kernel-debuginfo-2.6.9-78.EL.ia64.rpm
kernel-devel-2.6.9-78.EL.ia64.rpm
kernel-largesmp-2.6.9-78.EL.ia64.rpm
kernel-largesmp-devel-2.6.9-78.EL.ia64.rpm

noarch:
kernel-doc-2.6.9-78.EL.noarch.rpm

x86_64:
kernel-2.6.9-78.EL.x86_64.rpm
kernel-debuginfo-2.6.9-78.EL.x86_64.rpm
kernel-devel-2.6.9-78.EL.x86_64.rpm
kernel-largesmp-2.6.9-78.EL.x86_64.rpm
kernel-largesmp-devel-2.6.9-78.EL.x86_64.rpm
kernel-smp-2.6.9-78.EL.x86_64.rpm
kernel-smp-devel-2.6.9-78.EL.x86_64.rpm
kernel-xenU-2.6.9-78.EL.x86_64.rpm
kernel-xenU-devel-2.6.9-78.EL.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/kernel-2.6.9-78.EL.src.rpm

i386:
kernel-2.6.9-78.EL.i686.rpm
kernel-debuginfo-2.6.9-78.EL.i686.rpm
kernel-devel-2.6.9-78.EL.i686.rpm
kernel-hugemem-2.6.9-78.EL.i686.rpm
kernel-hugemem-devel-2.6.9-78.EL.i686.rpm
kernel-smp-2.6.9-78.EL.i686.rpm
kernel-smp-devel-2.6.9-78.EL.i686.rpm
kernel-xenU-2.6.9-78.EL.i686.rpm
kernel-xenU-devel-2.6.9-78.EL.i686.rpm

ia64:
kernel-2.6.9-78.EL.ia64.rpm
kernel-debuginfo-2.6.9-78.EL.ia64.rpm
kernel-devel-2.6.9-78.EL.ia64.rpm
kernel-largesmp-2.6.9-78.EL.ia64.rpm
kernel-largesmp-devel-2.6.9-78.EL.ia64.rpm

noarch:
kernel-doc-2.6.9-78.EL.noarch.rpm

x86_64:
kernel-2.6.9-78.EL.x86_64.rpm
kernel-debuginfo-2.6.9-78.EL.x86_64.rpm
kernel-devel-2.6.9-78.EL.x86_64.rpm
kernel-largesmp-2.6.9-78.EL.x86_64.rpm
kernel-largesmp-devel-2.6.9-78.EL.x86_64.rpm
kernel-smp-2.6.9-78.EL.x86_64.rpm
kernel-smp-devel-2.6.9-78.EL.x86_64.rpm
kernel-xenU-2.6.9-78.EL.x86_64.rpm
kernel-xenU-devel-2.6.9-78.EL.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4145
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2812
http://www.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2008 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFIiLxWXlSAg2UNWIIRAnNBAJ0WWy92sgjJAWZJuyjV7OSTphc2ggCff5sN
5QK08QIEy/sIB9OUn0HerV8=
=pTNA
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Jul 24 17:31:16 2008
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 24 Jul 2008 13:31:16 -0400
Subject: [RHSA-2008:0680-01] Moderate: vsftpd security and bug fix update
Message-ID: <200807241731.m6OHVGkB022794@pobox.devel.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: vsftpd security and bug fix update
Advisory ID:       RHSA-2008:0680-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2008-0680.html
Issue date:        2008-07-24
CVE Names:         CVE-2008-2375
=====================================================================

1. Summary:

An updated vsftpd package that fixes a security issue and various bugs is now available.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64

3. Description:

vsftpd (Very Secure File Transfer Protocol (FTP) daemon) is a secure FTP server for Linux and Unix-like systems.

The version of vsftpd shipped in Red Hat Enterprise Linux 4, when used in combination with Pluggable Authentication Modules (PAM), had a memory leak on an invalid authentication attempt. Since vsftpd prior to version 2.0.5 allows any number of invalid attempts on the same connection, this memory leak could lead to an eventual DoS. (CVE-2008-2375)

This update mitigates this security issue by including a backported patch which terminates a session after a given number of failed login attempts. The default number of attempts is 3 and this can be configured using the "max_login_fails" directive.

This package also addresses the following bugs:

* when uploading unique files, a bug in vsftpd caused the file to be saved with a suffix '.1' even when no previous file with that name existed. This issue is resolved in this package.

* when vsftpd was run through the init script, it was possible for the init script to print an 'OK' message, even though vsftpd may not have started. The init script no longer produces a false verification with this update.

* vsftpd only supported usernames with a maximum length of 32 characters. The updated package now supports usernames up to 128 characters long.

* a system flaw meant vsftpd output could become dependent on the timing or sequence of other events, even when the "lock_upload_files" option was set.
If a file, filename.ext, was being uploaded and a second transfer of the file, filename.ext, was started before the first transfer was finished, the resultant uploaded file was a corrupt concatenation of the latter upload and the tail of the earlier upload. With this updated package, vsftpd allows the earlier upload to complete before overwriting with the latter upload, fixing the issue.

* the 'lock_upload_files' option was not documented in the manual page. A new manual page describing this option is included in this package.

* vsftpd did not support usernames that started with an underscore or a period character. These special characters are now allowed at the beginning of a username.

* when storing a unique file, vsftpd could cause an error for some clients. This is rectified in this package.

* the vsftpd init script was found not to be Linux Standard Base compliant. This update corrects its exit codes to conform to the standard.

All vsftpd users are advised to upgrade to this updated package, which resolves these issues.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/FAQ_58_10188

5. Bugs fixed (http://bugzilla.redhat.com/):

197141 - vsftpd 2.0.1 memory leak
206843 - vsftpd is checked wrongly in init script
236326 - maximum username length too short
240550 - vsftpd has a create/lock race condition which corrupts uploads
250727 - Uploaded file corrupted when two connections from same client uploading same file simultaneously
316381 - lock_upload_files not documented in vsftpd.conf man page
408431 - Memory leak in pattern matching function
431450 - Wrong init script
453376 - CVE-2008-2375 older vsftpd authentication memory leak

6. Package List:

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/vsftpd-2.0.1-6.el4.src.rpm

i386:
vsftpd-2.0.1-6.el4.i386.rpm
vsftpd-debuginfo-2.0.1-6.el4.i386.rpm

ia64:
vsftpd-2.0.1-6.el4.ia64.rpm
vsftpd-debuginfo-2.0.1-6.el4.ia64.rpm

ppc:
vsftpd-2.0.1-6.el4.ppc.rpm
vsftpd-debuginfo-2.0.1-6.el4.ppc.rpm

s390:
vsftpd-2.0.1-6.el4.s390.rpm
vsftpd-debuginfo-2.0.1-6.el4.s390.rpm

s390x:
vsftpd-2.0.1-6.el4.s390x.rpm
vsftpd-debuginfo-2.0.1-6.el4.s390x.rpm

x86_64:
vsftpd-2.0.1-6.el4.x86_64.rpm
vsftpd-debuginfo-2.0.1-6.el4.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/vsftpd-2.0.1-6.el4.src.rpm

i386:
vsftpd-2.0.1-6.el4.i386.rpm
vsftpd-debuginfo-2.0.1-6.el4.i386.rpm

ia64:
vsftpd-2.0.1-6.el4.ia64.rpm
vsftpd-debuginfo-2.0.1-6.el4.ia64.rpm

x86_64:
vsftpd-2.0.1-6.el4.x86_64.rpm
vsftpd-debuginfo-2.0.1-6.el4.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2375
http://www.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2008 Red Hat, Inc.
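The two vsftpd init-script bugs above (an 'OK' message although the daemon may not have started, and non-LSB exit codes) and the mysql init-script bug later in this digest (exit code 0 on a failed start) are one defect: the script reports success without checking what happened. The Python below is an added example, not Red Hat's init script or any vsftpd or MySQL code. It implements an LSB-style "status" (0 running, 1 dead with pid file, 3 stopped, 4 unknown) and a "start" that only reports 0 once the child has survived a short settle window, beside the naive variant the advisories describe. The `sleep` and `sh -c 'exit 1'` commands stand in for a daemon that stays up or dies at startup, and the pid file path is constructed in a temporary directory.

```python
"""LSB-style start/status logic for an init script (added example)."""
import errno
import os
import subprocess
import tempfile

# Exit codes the LSB specifies for the "status" action.
LSB_RUNNING = 0        # program is running
LSB_DEAD_PIDFILE = 1   # program is dead and a pid file exists
LSB_STOPPED = 3        # program is not running
LSB_UNKNOWN = 4        # status cannot be determined


def pid_alive(pid):
    """True if a process with this pid exists (signal 0 probes without sending)."""
    try:
        os.kill(pid, 0)
    except OSError as exc:
        if exc.errno == errno.ESRCH:
            return False
        if exc.errno == errno.EPERM:   # exists, but belongs to another user
            return True
        raise
    return True


def lsb_status(pidfile):
    """Return the LSB status code for the daemon recorded in pidfile."""
    try:
        with open(pidfile) as fh:
            pid = int(fh.read().strip())
    except FileNotFoundError:
        return LSB_STOPPED
    except ValueError:
        return LSB_UNKNOWN
    return LSB_RUNNING if pid_alive(pid) else LSB_DEAD_PIDFILE


def naive_start(cmd, pidfile):
    """The pattern the advisories describe: report success as soon as the
    command was launched, without checking that it stayed up."""
    proc = subprocess.Popen(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    with open(pidfile, "w") as fh:
        fh.write("%d\n" % proc.pid)
    return 0, proc                 # always "OK", even if cmd has already died


def start_daemon(cmd, pidfile, settle=0.5):
    """Launch cmd and return the LSB start code: 0 only if the process is
    still alive after the settle window, 1 (generic failure) otherwise."""
    proc = subprocess.Popen(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    with open(pidfile, "w") as fh:
        fh.write("%d\n" % proc.pid)
    try:
        proc.wait(timeout=settle)  # returns only if cmd exited during startup
    except subprocess.TimeoutExpired:
        return 0, proc             # still running: genuine success
    os.unlink(pidfile)             # do not leave a stale pid file behind
    return 1, proc


def demo():
    """Run both start variants against a long-running command and one that
    exits immediately; returns the observed codes keyed by scenario."""
    workdir = tempfile.mkdtemp()   # constructed location for the pid file
    pidfile = os.path.join(workdir, "daemon.pid")
    seen = {}
    seen["no_pidfile"] = lsb_status(pidfile)
    rc, proc = start_daemon(["sleep", "30"], pidfile)
    seen["good_start"] = rc
    seen["running"] = lsb_status(pidfile)
    proc.terminate()
    proc.wait()                    # reap, so the pid really is gone
    seen["after_kill"] = lsb_status(pidfile)
    os.unlink(pidfile)
    rc, proc = start_daemon(["sh", "-c", "exit 1"], pidfile)
    seen["failed_start"] = rc
    seen["after_failed"] = lsb_status(pidfile)
    rc, proc = naive_start(["sh", "-c", "exit 1"], pidfile)
    proc.wait()
    seen["naive_failed_start"] = rc      # the bug: 0 although nothing runs
    seen["naive_status"] = lsb_status(pidfile)
    os.unlink(pidfile)
    os.rmdir(workdir)
    return seen


if __name__ == "__main__":
    for scenario, code in demo().items():
        print("%-20s exit code %d" % (scenario, code))
```

The settle window is a heuristic: a daemon that fails after it has daemonised will still pass it, so a real script should also confirm the listening socket or a `status` probe before printing OK. The cluster case in the mysql advisory shows why the return code matters more than the printed message: cluster managers act on the code, not on the text.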
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFIiLxjXlSAg2UNWIIRAtYVAJ4tHv04keg0koYFqpZdmTk3EQjwPwCgreNP
tHUJ4dM2RbOceKZaZ+Tz0Gg=
=wnyk
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Jul 24 17:31:31 2008
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 24 Jul 2008 13:31:31 -0400
Subject: [RHSA-2008:0715-01] Low: nss_ldap security and bug fix update
Message-ID: <200807241731.m6OHVVdf022818@pobox.devel.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: nss_ldap security and bug fix update
Advisory ID:       RHSA-2008:0715-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2008-0715.html
Issue date:        2008-07-24
CVE Names:         CVE-2007-5794
=====================================================================

1. Summary:

An updated nss_ldap package that fixes a security issue and several bugs is now available.

This update has been rated as having low security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

3. Description:

The nss_ldap package contains the nss_ldap and pam_ldap modules. The nss_ldap module is a plug-in which allows applications to retrieve information about users and groups from a directory server. The pam_ldap module allows PAM-aware applications to use a directory server to verify user passwords.

A race condition was discovered in nss_ldap, which affected certain applications that make LDAP connections, such as Dovecot. This could cause nss_ldap to answer a request for information about one user with the information about a different user. (CVE-2007-5794)

As well, this updated package fixes the following bugs:

* in certain situations, on Itanium(R) architectures, when an application performed an LDAP lookup for a highly populated group, for example, containing more than 150 members, the application crashed, or may have caused a segmentation fault. As well, this issue may have caused commands, such as "ls", to return a "ber_free_buf: Assertion" error.

* when an application enumerated members of a netgroup, the nss_ldap module returned a successful status result and the netgroup name, even when the netgroup did not exist. This behavior was not consistent with other modules. In this updated package, nss_ldap no longer returns a successful status when the netgroup does not exist.

* in master and slave server environments, with systems that were configured to use a read-only directory server, if user login attempts were denied because their passwords had expired, and users attempted to immediately change their passwords, the replication server returned an LDAP referral, instructing the pam_ldap module to reissue its request to a different server; however, the pam_ldap module failed to do so. In these situations, an error such as the following occurred:

LDAP password information update failed: Can't contact LDAP server
Insufficient 'write' privilege to the 'userPassword' attribute of entry [entry]

In this updated package, password changes are allowed when binding against a slave server, which resolves this issue.

* when a system used a directory server for naming information, and "nss_initgroups_ignoreusers root" was configured in "/etc/ldap.conf", dbus-daemon-1 would hang. Running the "service messagebus start" command did not start the service, and it did not fail, which would stop the boot process if it was not cancelled.

As well, this updated package upgrades nss_ldap to the version as shipped with Red Hat Enterprise Linux 5.
Users of nss_ldap are advised to upgrade to this updated package, which resolves these issues.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/FAQ_58_10188

5. Bugs fixed (http://bugzilla.redhat.com/):

155187 - CVE-2007-5794 nss_ldap randomly replying with wrong user's data [rhel-4.7]
233382 - nss_ldap crashes on large groups (IA64)
253997 - nss_ldap / setnetgrent() returns always 1 despite not retrieving any valid results.
367461 - CVE-2007-5794 nss_ldap randomly replying with wrong user's data
401731 - Rebase nss_ldap to RHEL 5.2 version
429101 - dbus-daemon-1 hangs when using the option nss_initgroups_ignoreusers in /etc/ldap.conf with the user root

6. Package List:

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/nss_ldap-253-5.el4.src.rpm

i386:
nss_ldap-253-5.el4.i386.rpm
nss_ldap-debuginfo-253-5.el4.i386.rpm

ia64:
nss_ldap-253-5.el4.i386.rpm
nss_ldap-253-5.el4.ia64.rpm
nss_ldap-debuginfo-253-5.el4.i386.rpm
nss_ldap-debuginfo-253-5.el4.ia64.rpm

ppc:
nss_ldap-253-5.el4.ppc.rpm
nss_ldap-253-5.el4.ppc64.rpm
nss_ldap-debuginfo-253-5.el4.ppc.rpm
nss_ldap-debuginfo-253-5.el4.ppc64.rpm

s390:
nss_ldap-253-5.el4.s390.rpm
nss_ldap-debuginfo-253-5.el4.s390.rpm

s390x:
nss_ldap-253-5.el4.s390.rpm
nss_ldap-253-5.el4.s390x.rpm
nss_ldap-debuginfo-253-5.el4.s390.rpm
nss_ldap-debuginfo-253-5.el4.s390x.rpm

x86_64:
nss_ldap-253-5.el4.i386.rpm
nss_ldap-253-5.el4.x86_64.rpm
nss_ldap-debuginfo-253-5.el4.i386.rpm
nss_ldap-debuginfo-253-5.el4.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/nss_ldap-253-5.el4.src.rpm

i386:
nss_ldap-253-5.el4.i386.rpm
nss_ldap-debuginfo-253-5.el4.i386.rpm

x86_64:
nss_ldap-253-5.el4.i386.rpm
nss_ldap-253-5.el4.x86_64.rpm
nss_ldap-debuginfo-253-5.el4.i386.rpm
nss_ldap-debuginfo-253-5.el4.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/nss_ldap-253-5.el4.src.rpm

i386:
nss_ldap-253-5.el4.i386.rpm
nss_ldap-debuginfo-253-5.el4.i386.rpm

ia64:
nss_ldap-253-5.el4.i386.rpm
nss_ldap-253-5.el4.ia64.rpm
nss_ldap-debuginfo-253-5.el4.i386.rpm
nss_ldap-debuginfo-253-5.el4.ia64.rpm

x86_64:
nss_ldap-253-5.el4.i386.rpm
nss_ldap-253-5.el4.x86_64.rpm
nss_ldap-debuginfo-253-5.el4.i386.rpm
nss_ldap-debuginfo-253-5.el4.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/nss_ldap-253-5.el4.src.rpm

i386:
nss_ldap-253-5.el4.i386.rpm
nss_ldap-debuginfo-253-5.el4.i386.rpm

ia64:
nss_ldap-253-5.el4.i386.rpm
nss_ldap-253-5.el4.ia64.rpm
nss_ldap-debuginfo-253-5.el4.i386.rpm
nss_ldap-debuginfo-253-5.el4.ia64.rpm

x86_64:
nss_ldap-253-5.el4.i386.rpm
nss_ldap-253-5.el4.x86_64.rpm
nss_ldap-debuginfo-253-5.el4.i386.rpm
nss_ldap-debuginfo-253-5.el4.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5794
http://www.redhat.com/security/updates/classification/#low

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2008 Red Hat, Inc.
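Every advisory in this digest ends with a Package List that names the fixed NAME-VERSION-RELEASE.ARCH per product and architecture; the check a defender actually needs is whether each installed package is at least that version. The Python below is an added example, not a Red Hat tool: it parses the file names from the lists above, parses `rpm -qa` output produced with `--qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n'`, and compares with a simplified `rpmvercmp` that splits labels into numeric and alphabetic runs (epoch, `~` and `^` are not handled; none of the labels on this page use them). The advisory list is copied from the kernel, vsftpd, nss_ldap and rdesktop advisories; the "installed" list is constructed for a hypothetical host.

```python
"""Compare installed RPMs against an advisory's package list (added example)."""
import re

# Advisory file names and rpm -qa output share the NAME-VERSION-RELEASE.ARCH
# shape; the advisory names additionally end in ".rpm".  NAME may itself
# contain hyphens (kernel-smp-devel), so VERSION and RELEASE are the last
# two hyphen-separated fields and ARCH is the final dot-separated field.
_NVRA_RE = re.compile(r"^(?P<name>.+)-(?P<ver>[^-]+)-(?P<rel>[^-]+)\.(?P<arch>[^.]+)$")


def parse_nvra(label):
    """Split 'vsftpd-2.0.1-6.el4.i386[.rpm]' into (name, version, release, arch)."""
    if label.endswith(".rpm"):
        label = label[:-4]
    m = _NVRA_RE.match(label)
    if not m:
        raise ValueError("not a NAME-VERSION-RELEASE.ARCH label: %r" % label)
    return m.group("name"), m.group("ver"), m.group("rel"), m.group("arch")


def rpmvercmp(a, b):
    """Simplified rpmvercmp(): compare two version or release strings.

    Each string is split into numeric and alphabetic runs; numeric runs are
    compared as integers, alphabetic runs lexically, and a numeric run is
    considered newer than an alphabetic one.  Returns -1, 0 or 1.
    """
    sa = re.findall(r"[0-9]+|[A-Za-z]+", a)
    sb = re.findall(r"[0-9]+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            return (int(x) > int(y)) - (int(x) < int(y))
        if xd != yd:
            return 1 if xd else -1
        return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def evrcmp(installed, fixed):
    """Compare (version, release) tuples; version decides, release breaks ties."""
    return rpmvercmp(installed[0], fixed[0]) or rpmvercmp(installed[1], fixed[1])


def check_installed(advisory_text, installed_text):
    """Map each installed package that the advisory names to 'ok' (installed
    is at least the fixed version) or 'vulnerable' (installed is older).

    advisory_text: file names from a Package List section, whitespace separated.
    installed_text: output of rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n'
    Packages the advisory does not mention are ignored.
    """
    fixed = {}
    for label in advisory_text.split():
        name, ver, rel, arch = parse_nvra(label)
        if arch == "src":          # the SRPM is not an installable target
            continue
        fixed[(name, arch)] = (ver, rel)
    report = {}
    for label in installed_text.split():
        name, ver, rel, arch = parse_nvra(label)
        key = (name, arch)
        if key not in fixed:
            continue
        report[label] = "ok" if evrcmp((ver, rel), fixed[key]) >= 0 else "vulnerable"
    return report


# Fixed packages, copied from the advisories above (x86_64 and i386 subset).
ADVISORY_PKGS = """
vsftpd-2.0.1-6.el4.i386.rpm
vsftpd-2.0.1-6.el4.x86_64.rpm
nss_ldap-253-5.el4.i386.rpm
nss_ldap-253-5.el4.x86_64.rpm
rdesktop-1.3.1-9.x86_64.rpm
kernel-2.6.9-78.EL.src.rpm
kernel-2.6.9-78.EL.x86_64.rpm
"""

# Constructed rpm -qa output for a hypothetical host, not from a real system.
INSTALLED_QA = """
vsftpd-2.0.1-5.el4.x86_64
nss_ldap-253-5.el4.x86_64
nss_ldap-253-5.el4.i386
rdesktop-1.3.1-9.x86_64
kernel-2.6.9-67.EL.x86_64
kernel-2.6.9-78.EL.x86_64
bash-3.0-19.6.x86_64
"""

if __name__ == "__main__":
    for pkg, state in sorted(check_installed(ADVISORY_PKGS, INSTALLED_QA).items()):
        print("%-32s %s" % (pkg, state))
```

Two caveats the report cannot see: the multiarch entries on this page (an i386 nss_ldap on an x86_64 host) are separate packages and must each be at the fixed version, which is why the key includes the architecture; and for the kernel, an installed fixed package is only a fix after a reboot into it, so `uname -r` should be compared against the fixed release as well.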
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFIiLxwXlSAg2UNWIIRAiCyAJ9KKnPFImIHWRDpC5cstrqc8RzxdgCdHCXl
XE/9aQzCZdbZ0RaKlWj5acw=
=c8qv
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Jul 24 17:31:44 2008
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 24 Jul 2008 13:31:44 -0400
Subject: [RHSA-2008:0725-01] Moderate: rdesktop security and bug fix update
Message-ID: <200807241731.m6OHViGX022825@pobox.devel.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: rdesktop security and bug fix update
Advisory ID:       RHSA-2008:0725-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2008-0725.html
Issue date:        2008-04-16
Updated on:        2008-07-24
CVE Names:         CVE-2008-1801
=====================================================================

1. Summary:

Updated rdesktop packages that fix a security issue and a bug are now available for Red Hat Enterprise Linux 4.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

3. Description:

rdesktop is an open source client for Microsoft Windows NT Terminal Server and Microsoft Windows 2000 and 2003 Terminal Services, capable of natively using the Remote Desktop Protocol (RDP) to present the user's NT desktop. No additional server extensions are required.

An integer underflow vulnerability was discovered in rdesktop. If an attacker could convince a victim to connect to a malicious RDP server, the attacker could cause the victim's rdesktop to crash or, possibly, execute arbitrary code. (CVE-2008-1801)

Additionally, the following bug was fixed:

A missing command line option caused rdesktop to fail when using the krdc remote desktop utility. Using krdc to connect to a terminal server resulted in errors such as the following:

The version of rdesktop you are using ([version]) is too old:
rdesktop [version] or greater is required. A working patch for rdesktop [version] can be found in KDE CVS.

In this updated package, krdc successfully connects to terminal servers.

Users of rdesktop should upgrade to these updated packages, which contain backported patches to resolve these issues.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/FAQ_58_10188

5. Bugs fixed (http://bugzilla.redhat.com/):

164462 - krdc requires rdesktop > 1.3.1
445825 - CVE-2008-1801 rdesktop: iso_recv_msg() Integer Underflow Vulnerability

6.
Package List:

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/rdesktop-1.3.1-9.src.rpm

i386:
rdesktop-1.3.1-9.i386.rpm
rdesktop-debuginfo-1.3.1-9.i386.rpm

ia64:
rdesktop-1.3.1-9.ia64.rpm
rdesktop-debuginfo-1.3.1-9.ia64.rpm

ppc:
rdesktop-1.3.1-9.ppc.rpm
rdesktop-debuginfo-1.3.1-9.ppc.rpm

s390:
rdesktop-1.3.1-9.s390.rpm
rdesktop-debuginfo-1.3.1-9.s390.rpm

s390x:
rdesktop-1.3.1-9.s390x.rpm
rdesktop-debuginfo-1.3.1-9.s390x.rpm

x86_64:
rdesktop-1.3.1-9.x86_64.rpm
rdesktop-debuginfo-1.3.1-9.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/rdesktop-1.3.1-9.src.rpm

i386:
rdesktop-1.3.1-9.i386.rpm
rdesktop-debuginfo-1.3.1-9.i386.rpm

x86_64:
rdesktop-1.3.1-9.x86_64.rpm
rdesktop-debuginfo-1.3.1-9.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/rdesktop-1.3.1-9.src.rpm

i386:
rdesktop-1.3.1-9.i386.rpm
rdesktop-debuginfo-1.3.1-9.i386.rpm

ia64:
rdesktop-1.3.1-9.ia64.rpm
rdesktop-debuginfo-1.3.1-9.ia64.rpm

x86_64:
rdesktop-1.3.1-9.x86_64.rpm
rdesktop-debuginfo-1.3.1-9.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/rdesktop-1.3.1-9.src.rpm

i386:
rdesktop-1.3.1-9.i386.rpm
rdesktop-debuginfo-1.3.1-9.i386.rpm

ia64:
rdesktop-1.3.1-9.ia64.rpm
rdesktop-debuginfo-1.3.1-9.ia64.rpm

x86_64:
rdesktop-1.3.1-9.x86_64.rpm
rdesktop-debuginfo-1.3.1-9.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1801
http://www.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2008 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD4DBQFIiLx8XlSAg2UNWIIRAm5TAJ9w6oIJeMG8U987RaiYe4RDHJoNNgCY4nfu
C3e3AESwcBA3iMDpTMuHoQ==
=lPc1
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Jul 24 17:31:55 2008
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 24 Jul 2008 13:31:55 -0400
Subject: [RHSA-2008:0768-01] Moderate: mysql security, bug fix, and enhancement update
Message-ID: <200807241731.m6OHVtg2022830@pobox.devel.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: mysql security, bug fix, and enhancement update
Advisory ID:       RHSA-2008:0768-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2008-0768.html
Issue date:        2008-07-24
CVE Names:         CVE-2006-3469 CVE-2006-4031 CVE-2007-2691 CVE-2008-2079
=====================================================================

1. Summary:

Updated mysql packages that fix various security issues, several bugs, and add an enhancement are now available for Red Hat Enterprise Linux 4.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

3. Description:

MySQL is a multi-user, multi-threaded SQL database server. MySQL is a client/server implementation consisting of a server daemon (mysqld), and many different client programs and libraries.

MySQL did not correctly check directories used as arguments for the DATA DIRECTORY and INDEX DIRECTORY directives. Using this flaw, an authenticated attacker could elevate their access privileges to tables created by other database users.
Note: this attack does not work on existing tables. An attacker can only elevate their access to another user's tables as the tables are created. As well, the names of these created tables need to be predicted correctly for this attack to succeed. (CVE-2008-2079)

MySQL did not require the "DROP" privilege for "RENAME TABLE" statements. An authenticated user could use this flaw to rename arbitrary tables. (CVE-2007-2691)

MySQL allowed an authenticated user to access a table through a previously created MERGE table, even after the user's privileges were revoked from the original table, which might violate intended security policy. This is addressed by allowing the MERGE storage engine to be disabled, which can be done by running mysqld with the "--skip-merge" option. (CVE-2006-4031)

A flaw in MySQL allowed an authenticated user to cause the MySQL daemon to crash via crafted SQL queries. This only caused a temporary denial of service, as the MySQL daemon is automatically restarted after the crash. (CVE-2006-3469)

As well, these updated packages fix the following bugs:

* in the previous mysql packages, if a column name was referenced more than once in an "ORDER BY" section of a query, a segmentation fault occurred.

* when MySQL failed to start, the init script returned a successful (0) exit code. When using the Red Hat Cluster Suite, this may have caused cluster services to report a successful start, even when MySQL failed to start. In these updated packages, the init script returns the correct exit codes, which resolves this issue.

* it was possible to use the mysqld_safe command to specify invalid port numbers (higher than 65536), causing invalid ports to be created, and, in some cases, a "port number definition: unsigned short" error. In these updated packages, when an invalid port number is specified, the default port number is used.

* when setting "myisam_repair_threads > 1", any repair set the index cardinality to "1", regardless of the table size.
* the MySQL init script no longer runs "chmod -R" on the entire database directory tree during every startup. * when running "mysqldump" with the MySQL 4.0 compatibility mode option, "--compatible=mysql40", mysqldump created dumps that omitted the "auto_increment" field. As well, the MySQL init script now uses more reliable methods for determining parameters, such as the data directory location. Note: these updated packages upgrade MySQL to version 4.1.22. For a full list of bug fixes and enhancements, refer to the MySQL release notes: http://dev.mysql.com/doc/refman/4.1/en/news-4-1-22.html All mysql users are advised to upgrade to these updated packages, which resolve these issues and add this enhancement. 4. Solution: Before applying this update, make sure that all previously-released errata relevant to your system have been applied. This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/FAQ_58_10188 5. Bugs fixed (http://bugzilla.redhat.com/): 201904 - CVE-2006-3469 mysql server DoS 201988 - Queries using a column name multiple times in ORDER BY crash mysql 202246 - CVE-2006-4031 MySQL improper permission revocation 221085 - chown -R of the mysql data directory every startup 233771 - RFE+patch: MySQLd "init.d" startup script should rely on "/usr/bin/my_print_defaults" to get at options 241688 - CVE-2007-2691 mysql DROP privilege not enforced when renaming tables 445222 - CVE-2008-2079 mysql: privilege escalation via DATA/INDEX DIRECTORY directives 6. 
Package List:

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/mysql-4.1.22-2.el4.src.rpm

i386:
mysql-4.1.22-2.el4.i386.rpm
mysql-bench-4.1.22-2.el4.i386.rpm
mysql-debuginfo-4.1.22-2.el4.i386.rpm
mysql-devel-4.1.22-2.el4.i386.rpm
mysql-server-4.1.22-2.el4.i386.rpm

ia64:
mysql-4.1.22-2.el4.i386.rpm
mysql-4.1.22-2.el4.ia64.rpm
mysql-bench-4.1.22-2.el4.ia64.rpm
mysql-debuginfo-4.1.22-2.el4.i386.rpm
mysql-debuginfo-4.1.22-2.el4.ia64.rpm
mysql-devel-4.1.22-2.el4.ia64.rpm
mysql-server-4.1.22-2.el4.ia64.rpm

ppc:
mysql-4.1.22-2.el4.ppc.rpm
mysql-4.1.22-2.el4.ppc64.rpm
mysql-bench-4.1.22-2.el4.ppc.rpm
mysql-debuginfo-4.1.22-2.el4.ppc.rpm
mysql-debuginfo-4.1.22-2.el4.ppc64.rpm
mysql-devel-4.1.22-2.el4.ppc.rpm
mysql-server-4.1.22-2.el4.ppc.rpm

s390:
mysql-4.1.22-2.el4.s390.rpm
mysql-bench-4.1.22-2.el4.s390.rpm
mysql-debuginfo-4.1.22-2.el4.s390.rpm
mysql-devel-4.1.22-2.el4.s390.rpm
mysql-server-4.1.22-2.el4.s390.rpm

s390x:
mysql-4.1.22-2.el4.s390.rpm
mysql-4.1.22-2.el4.s390x.rpm
mysql-bench-4.1.22-2.el4.s390x.rpm
mysql-debuginfo-4.1.22-2.el4.s390.rpm
mysql-debuginfo-4.1.22-2.el4.s390x.rpm
mysql-devel-4.1.22-2.el4.s390x.rpm
mysql-server-4.1.22-2.el4.s390x.rpm

x86_64:
mysql-4.1.22-2.el4.i386.rpm
mysql-4.1.22-2.el4.x86_64.rpm
mysql-bench-4.1.22-2.el4.x86_64.rpm
mysql-debuginfo-4.1.22-2.el4.i386.rpm
mysql-debuginfo-4.1.22-2.el4.x86_64.rpm
mysql-devel-4.1.22-2.el4.x86_64.rpm
mysql-server-4.1.22-2.el4.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/mysql-4.1.22-2.el4.src.rpm

i386:
mysql-4.1.22-2.el4.i386.rpm
mysql-bench-4.1.22-2.el4.i386.rpm
mysql-debuginfo-4.1.22-2.el4.i386.rpm
mysql-devel-4.1.22-2.el4.i386.rpm
mysql-server-4.1.22-2.el4.i386.rpm

x86_64:
mysql-4.1.22-2.el4.i386.rpm
mysql-4.1.22-2.el4.x86_64.rpm
mysql-bench-4.1.22-2.el4.x86_64.rpm
mysql-debuginfo-4.1.22-2.el4.i386.rpm
mysql-debuginfo-4.1.22-2.el4.x86_64.rpm
mysql-devel-4.1.22-2.el4.x86_64.rpm
mysql-server-4.1.22-2.el4.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/mysql-4.1.22-2.el4.src.rpm

i386:
mysql-4.1.22-2.el4.i386.rpm
mysql-bench-4.1.22-2.el4.i386.rpm
mysql-debuginfo-4.1.22-2.el4.i386.rpm
mysql-devel-4.1.22-2.el4.i386.rpm
mysql-server-4.1.22-2.el4.i386.rpm

ia64:
mysql-4.1.22-2.el4.i386.rpm
mysql-4.1.22-2.el4.ia64.rpm
mysql-bench-4.1.22-2.el4.ia64.rpm
mysql-debuginfo-4.1.22-2.el4.i386.rpm
mysql-debuginfo-4.1.22-2.el4.ia64.rpm
mysql-devel-4.1.22-2.el4.ia64.rpm
mysql-server-4.1.22-2.el4.ia64.rpm

x86_64:
mysql-4.1.22-2.el4.i386.rpm
mysql-4.1.22-2.el4.x86_64.rpm
mysql-bench-4.1.22-2.el4.x86_64.rpm
mysql-debuginfo-4.1.22-2.el4.i386.rpm
mysql-debuginfo-4.1.22-2.el4.x86_64.rpm
mysql-devel-4.1.22-2.el4.x86_64.rpm
mysql-server-4.1.22-2.el4.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/mysql-4.1.22-2.el4.src.rpm

i386:
mysql-4.1.22-2.el4.i386.rpm
mysql-bench-4.1.22-2.el4.i386.rpm
mysql-debuginfo-4.1.22-2.el4.i386.rpm
mysql-devel-4.1.22-2.el4.i386.rpm
mysql-server-4.1.22-2.el4.i386.rpm

ia64:
mysql-4.1.22-2.el4.i386.rpm
mysql-4.1.22-2.el4.ia64.rpm
mysql-bench-4.1.22-2.el4.ia64.rpm
mysql-debuginfo-4.1.22-2.el4.i386.rpm
mysql-debuginfo-4.1.22-2.el4.ia64.rpm
mysql-devel-4.1.22-2.el4.ia64.rpm
mysql-server-4.1.22-2.el4.ia64.rpm

x86_64:
mysql-4.1.22-2.el4.i386.rpm
mysql-4.1.22-2.el4.x86_64.rpm
mysql-bench-4.1.22-2.el4.x86_64.rpm
mysql-debuginfo-4.1.22-2.el4.i386.rpm
mysql-debuginfo-4.1.22-2.el4.x86_64.rpm
mysql-devel-4.1.22-2.el4.x86_64.rpm
mysql-server-4.1.22-2.el4.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on
how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3469
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4031
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2691
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2079
http://www.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at
https://www.redhat.com/security/team/contact/

Copyright 2008 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFIiLyJXlSAg2UNWIIRArBHAKC62RfDzLo5S34aHextiX0mpiZTMQCfVpG3
ZtbcR3clj+yx6AKQ2sND3rQ=
=aUwH
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Jul 24 17:32:15 2008
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 24 Jul 2008 13:32:15 -0400
Subject: [RHSA-2008:0780-01] Low: coreutils security update
Message-ID: <200807241732.m6OHWFMI022853@pobox.devel.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: coreutils security update
Advisory ID:       RHSA-2008:0780-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2008-0780.html
Issue date:        2008-07-24
CVE Names:         CVE-2008-1946
=====================================================================

1. Summary:

Updated coreutils packages that fix a security issue are now available for
Red Hat Enterprise Linux 4.

This update has been rated as having low security impact by the Red Hat
Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

3. Description:

The coreutils package contains the core GNU utilities.
It is the combination of the old GNU fileutils, sh-utils, and textutils
packages.

The coreutils packages were found not to use the pam_succeed_if Pluggable
Authentication Module (PAM) correctly in the configuration file for the "su"
command. Any local user could use this command to change to a locked or
expired user account if the target account's password was known to the user
running "su". These updated packages, correctly, only allow the root user to
switch to locked or expired accounts using "su". (CVE-2008-1946)

All users of coreutils are advised to upgrade to this updated package, which
resolves this issue.

4. Solution:

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red
Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

5. Bugs fixed (http://bugzilla.redhat.com/):

446488 - CVE-2008-1946 /etc/pam.d/su is wrong in RHEL-4.6

6. Package List:

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/coreutils-5.2.1-31.8.el4.src.rpm

i386:
coreutils-5.2.1-31.8.el4.i386.rpm
coreutils-debuginfo-5.2.1-31.8.el4.i386.rpm

ia64:
coreutils-5.2.1-31.8.el4.ia64.rpm
coreutils-debuginfo-5.2.1-31.8.el4.ia64.rpm

ppc:
coreutils-5.2.1-31.8.el4.ppc.rpm
coreutils-debuginfo-5.2.1-31.8.el4.ppc.rpm

s390:
coreutils-5.2.1-31.8.el4.s390.rpm
coreutils-debuginfo-5.2.1-31.8.el4.s390.rpm

s390x:
coreutils-5.2.1-31.8.el4.s390x.rpm
coreutils-debuginfo-5.2.1-31.8.el4.s390x.rpm

x86_64:
coreutils-5.2.1-31.8.el4.x86_64.rpm
coreutils-debuginfo-5.2.1-31.8.el4.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/coreutils-5.2.1-31.8.el4.src.rpm

i386:
coreutils-5.2.1-31.8.el4.i386.rpm
coreutils-debuginfo-5.2.1-31.8.el4.i386.rpm

x86_64:
coreutils-5.2.1-31.8.el4.x86_64.rpm
coreutils-debuginfo-5.2.1-31.8.el4.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/coreutils-5.2.1-31.8.el4.src.rpm

i386:
coreutils-5.2.1-31.8.el4.i386.rpm
coreutils-debuginfo-5.2.1-31.8.el4.i386.rpm

ia64:
coreutils-5.2.1-31.8.el4.ia64.rpm
coreutils-debuginfo-5.2.1-31.8.el4.ia64.rpm

x86_64:
coreutils-5.2.1-31.8.el4.x86_64.rpm
coreutils-debuginfo-5.2.1-31.8.el4.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/coreutils-5.2.1-31.8.el4.src.rpm

i386:
coreutils-5.2.1-31.8.el4.i386.rpm
coreutils-debuginfo-5.2.1-31.8.el4.i386.rpm

ia64:
coreutils-5.2.1-31.8.el4.ia64.rpm
coreutils-debuginfo-5.2.1-31.8.el4.ia64.rpm

x86_64:
coreutils-5.2.1-31.8.el4.x86_64.rpm
coreutils-debuginfo-5.2.1-31.8.el4.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on
how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1946
http://www.redhat.com/security/updates/classification/#low

8. Contact:

The Red Hat security contact is . More contact details at
https://www.redhat.com/security/team/contact/

Copyright 2008 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFIiLyaXlSAg2UNWIIRAhh8AJ9Wuw80v98jb+69XYHy4oUIROOlNACgwbej
+qu+astcueAWaG9oCMHMC84=
=ecVb
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Jul 31 15:59:13 2008
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 31 Jul 2008 11:59:13 -0400
Subject: [RHSA-2008:0486-01] Moderate: nfs-utils security update
Message-ID: <200807311559.m6VFxDgF032232@pobox.devel.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: nfs-utils security update
Advisory ID:       RHSA-2008:0486-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2008-0486.html
Issue date:        2008-07-31
CVE Names:         CVE-2008-1376
=====================================================================

1. Summary:

An updated nfs-utils package that fixes a security issue is now available
for Red Hat Enterprise Linux 5.

This update has been rated as having moderate security impact by the Red Hat
Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64

3. Description:

The nfs-utils package provides a daemon for the kernel NFS server and related
tools.

A flaw was found in the nfs-utils package build. The nfs-utils package was
missing TCP wrappers support, which could result in an administrator
believing they had access restrictions enabled when they did not.
(CVE-2008-1376)

Users of nfs-utils are advised to upgrade to these updated packages, which
contain a backported patch to resolve this issue.

4. Solution:

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red
Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

5. Bugs fixed (http://bugzilla.redhat.com/):

440114 - CVE-2008-1376 RHEL5 nfs-utils is missing tcp_wrappers support

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/nfs-utils-1.0.9-35z.el5_2.src.rpm

i386:
nfs-utils-1.0.9-35z.el5_2.i386.rpm
nfs-utils-debuginfo-1.0.9-35z.el5_2.i386.rpm

x86_64:
nfs-utils-1.0.9-35z.el5_2.x86_64.rpm
nfs-utils-debuginfo-1.0.9-35z.el5_2.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/nfs-utils-1.0.9-35z.el5_2.src.rpm

i386:
nfs-utils-1.0.9-35z.el5_2.i386.rpm
nfs-utils-debuginfo-1.0.9-35z.el5_2.i386.rpm

ia64:
nfs-utils-1.0.9-35z.el5_2.ia64.rpm
nfs-utils-debuginfo-1.0.9-35z.el5_2.ia64.rpm

ppc:
nfs-utils-1.0.9-35z.el5_2.ppc.rpm
nfs-utils-debuginfo-1.0.9-35z.el5_2.ppc.rpm

s390x:
nfs-utils-1.0.9-35z.el5_2.s390x.rpm
nfs-utils-debuginfo-1.0.9-35z.el5_2.s390x.rpm

x86_64:
nfs-utils-1.0.9-35z.el5_2.x86_64.rpm
nfs-utils-debuginfo-1.0.9-35z.el5_2.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on
how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1376
http://www.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at
https://www.redhat.com/security/team/contact/

Copyright 2008 Red Hat, Inc.
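An added check for the condition the nfs-utils advisory describes: a hosts.allow/hosts.deny policy that looks configured but cannot take effect because the daemon was built without libwrap. This is example code, not part of the advisory or of nfs-utils; the daemon names "mountd" and "statd" as seen by TCP wrappers and the /usr/sbin/rpc.* paths are assumptions, and the ldd and rules-file contents used for the self-test are constructed.

```shell
# Added example, not from the advisory or the nfs-utils project: confirm that
# an NFS daemon can enforce the hosts.allow/hosts.deny rules written for it.
# CVE-2008-1376 was a build without libwrap, so such rules were silently
# ignored; this reports that state instead of assuming the policy works.

# Succeed if the `ldd` output saved in file $1 shows libwrap linked in.
links_libwrap() {
    grep -q 'libwrap\.so' "$1"
}

# Succeed if rules file $2 (hosts.allow or hosts.deny) has an active rule
# whose daemon list names $1 or ALL. Comment and blank lines are skipped; the
# daemon list is the part before the first ':' and may be comma or blank
# separated, as hosts_access(5) allows.
has_rule_for() {
    daemon="$1"; rules="$2"
    [ -r "$rules" ] || return 1
    grep -v '^[[:space:]]*#' "$rules" \
        | grep -v '^[[:space:]]*$' \
        | cut -d: -f1 \
        | tr ',' ' ' \
        | tr -s ' \t' '\n\n' \
        | grep -qx -e "$daemon" -e ALL
}

# Classify one daemon from saved ldd output ($2) and the two rules files
# ($3 allow, $4 deny). Prints one word and returns:
#   0 "enforced"    rules exist and the binary links libwrap
#   0 "no-rules"    nothing in either file mentions the daemon
#   2 "ineffective" rules exist but libwrap is absent: the CVE-2008-1376 case
classify_daemon() {
    daemon="$1"; ldd_out="$2"; allow="$3"; deny="$4"
    if has_rule_for "$daemon" "$allow" || has_rule_for "$daemon" "$deny"; then
        if links_libwrap "$ldd_out"; then
            echo enforced; return 0
        fi
        echo ineffective; return 2
    fi
    echo no-rules; return 0
}

# Live audit of the user-space daemons nfs-utils ships. The wrapper daemon
# names and binary locations are assumptions for this example.
audit_nfs_wrappers() {
    status=0; tmp=$(mktemp)
    for name in mountd statd; do
        bin="/usr/sbin/rpc.$name"
        [ -x "$bin" ] || { echo "$name: $bin not installed"; continue; }
        ldd "$bin" > "$tmp" 2>/dev/null
        verdict=$(classify_daemon "$name" "$tmp" \
                  /etc/hosts.allow /etc/hosts.deny) || status=$?
        echo "$name: $verdict"
    done
    rm -f "$tmp"
    return "$status"
}

# Run the live audit only when asked, so the functions can also be sourced.
if [ "${1-}" = "--live" ]; then
    audit_nfs_wrappers
fi
```

Run with `--live` on a host to get one verdict per daemon; a non-zero exit means at least one daemon has rules it cannot enforce.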
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFIkeFJXlSAg2UNWIIRAlS9AJ93Y3z3ZJ5JHDKV5H7DLHxt5Bkp3gCglxAz
FZXbqFkieed7A82VZOuWPqQ=
=GxAj
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Jul 31 15:59:32 2008
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 31 Jul 2008 11:59:32 -0400
Subject: [RHSA-2008:0649-01] Moderate: libxslt security update
Message-ID: <200807311559.m6VFxWSq032245@pobox.devel.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: libxslt security update
Advisory ID:       RHSA-2008:0649-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2008-0649.html
Issue date:        2008-07-31
CVE Names:         CVE-2008-2935
=====================================================================

1. Summary:

Updated libxslt packages that fix a security issue are now available for Red
Hat Enterprise Linux 4 and Red Hat Enterprise Linux 5.

This update has been rated as having moderate security impact by the Red Hat
Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64

3. Description:

libxslt is a library for transforming XML files into other XML files using
the standard XSLT stylesheet transformation mechanism.

A heap buffer overflow flaw was discovered in the RC4 libxslt library
extension. An attacker could create a malicious XSL file that would cause a
crash, or, possibly, execute arbitrary code with the privileges of the
application using the libxslt library to perform XSL transformations on
untrusted XSL style sheets. (CVE-2008-2935)

Red Hat would like to thank Chris Evans for reporting this vulnerability.

All libxslt users are advised to upgrade to these updated packages, which
contain a backported patch to resolve this issue.

4. Solution:

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red
Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

5. Bugs fixed (http://bugzilla.redhat.com/):

455848 - CVE-2008-2935 libxslt: buffer overflow in libexslt RC4 encryption/decryption functions

6. Package List:

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/libxslt-1.1.11-1.el4_7.2.src.rpm

i386:
libxslt-1.1.11-1.el4_7.2.i386.rpm
libxslt-debuginfo-1.1.11-1.el4_7.2.i386.rpm
libxslt-devel-1.1.11-1.el4_7.2.i386.rpm
libxslt-python-1.1.11-1.el4_7.2.i386.rpm

ia64:
libxslt-1.1.11-1.el4_7.2.i386.rpm
libxslt-1.1.11-1.el4_7.2.ia64.rpm
libxslt-debuginfo-1.1.11-1.el4_7.2.i386.rpm
libxslt-debuginfo-1.1.11-1.el4_7.2.ia64.rpm
libxslt-devel-1.1.11-1.el4_7.2.ia64.rpm
libxslt-python-1.1.11-1.el4_7.2.ia64.rpm

ppc:
libxslt-1.1.11-1.el4_7.2.ppc.rpm
libxslt-1.1.11-1.el4_7.2.ppc64.rpm
libxslt-debuginfo-1.1.11-1.el4_7.2.ppc.rpm
libxslt-debuginfo-1.1.11-1.el4_7.2.ppc64.rpm
libxslt-devel-1.1.11-1.el4_7.2.ppc.rpm
libxslt-python-1.1.11-1.el4_7.2.ppc.rpm

s390:
libxslt-1.1.11-1.el4_7.2.s390.rpm
libxslt-debuginfo-1.1.11-1.el4_7.2.s390.rpm
libxslt-devel-1.1.11-1.el4_7.2.s390.rpm
libxslt-python-1.1.11-1.el4_7.2.s390.rpm

s390x:
libxslt-1.1.11-1.el4_7.2.s390.rpm
libxslt-1.1.11-1.el4_7.2.s390x.rpm
libxslt-debuginfo-1.1.11-1.el4_7.2.s390.rpm
libxslt-debuginfo-1.1.11-1.el4_7.2.s390x.rpm
libxslt-devel-1.1.11-1.el4_7.2.s390x.rpm
libxslt-python-1.1.11-1.el4_7.2.s390x.rpm

x86_64:
libxslt-1.1.11-1.el4_7.2.i386.rpm
libxslt-1.1.11-1.el4_7.2.x86_64.rpm
libxslt-debuginfo-1.1.11-1.el4_7.2.i386.rpm
libxslt-debuginfo-1.1.11-1.el4_7.2.x86_64.rpm
libxslt-devel-1.1.11-1.el4_7.2.x86_64.rpm
libxslt-python-1.1.11-1.el4_7.2.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/libxslt-1.1.11-1.el4_7.2.src.rpm

i386:
libxslt-1.1.11-1.el4_7.2.i386.rpm
libxslt-debuginfo-1.1.11-1.el4_7.2.i386.rpm
libxslt-devel-1.1.11-1.el4_7.2.i386.rpm
libxslt-python-1.1.11-1.el4_7.2.i386.rpm

x86_64:
libxslt-1.1.11-1.el4_7.2.i386.rpm
libxslt-1.1.11-1.el4_7.2.x86_64.rpm
libxslt-debuginfo-1.1.11-1.el4_7.2.i386.rpm
libxslt-debuginfo-1.1.11-1.el4_7.2.x86_64.rpm
libxslt-devel-1.1.11-1.el4_7.2.x86_64.rpm
libxslt-python-1.1.11-1.el4_7.2.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/libxslt-1.1.11-1.el4_7.2.src.rpm

i386:
libxslt-1.1.11-1.el4_7.2.i386.rpm
libxslt-debuginfo-1.1.11-1.el4_7.2.i386.rpm
libxslt-devel-1.1.11-1.el4_7.2.i386.rpm
libxslt-python-1.1.11-1.el4_7.2.i386.rpm

ia64:
libxslt-1.1.11-1.el4_7.2.i386.rpm
libxslt-1.1.11-1.el4_7.2.ia64.rpm
libxslt-debuginfo-1.1.11-1.el4_7.2.i386.rpm
libxslt-debuginfo-1.1.11-1.el4_7.2.ia64.rpm
libxslt-devel-1.1.11-1.el4_7.2.ia64.rpm
libxslt-python-1.1.11-1.el4_7.2.ia64.rpm

x86_64:
libxslt-1.1.11-1.el4_7.2.i386.rpm
libxslt-1.1.11-1.el4_7.2.x86_64.rpm
libxslt-debuginfo-1.1.11-1.el4_7.2.i386.rpm
libxslt-debuginfo-1.1.11-1.el4_7.2.x86_64.rpm
libxslt-devel-1.1.11-1.el4_7.2.x86_64.rpm
libxslt-python-1.1.11-1.el4_7.2.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/libxslt-1.1.11-1.el4_7.2.src.rpm

i386:
libxslt-1.1.11-1.el4_7.2.i386.rpm
libxslt-debuginfo-1.1.11-1.el4_7.2.i386.rpm
libxslt-devel-1.1.11-1.el4_7.2.i386.rpm
libxslt-python-1.1.11-1.el4_7.2.i386.rpm

ia64:
libxslt-1.1.11-1.el4_7.2.i386.rpm
libxslt-1.1.11-1.el4_7.2.ia64.rpm
libxslt-debuginfo-1.1.11-1.el4_7.2.i386.rpm
libxslt-debuginfo-1.1.11-1.el4_7.2.ia64.rpm
libxslt-devel-1.1.11-1.el4_7.2.ia64.rpm
libxslt-python-1.1.11-1.el4_7.2.ia64.rpm

x86_64:
libxslt-1.1.11-1.el4_7.2.i386.rpm
libxslt-1.1.11-1.el4_7.2.x86_64.rpm
libxslt-debuginfo-1.1.11-1.el4_7.2.i386.rpm
libxslt-debuginfo-1.1.11-1.el4_7.2.x86_64.rpm
libxslt-devel-1.1.11-1.el4_7.2.x86_64.rpm
libxslt-python-1.1.11-1.el4_7.2.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/libxslt-1.1.17-2.el5_2.2.src.rpm

i386:
libxslt-1.1.17-2.el5_2.2.i386.rpm
libxslt-debuginfo-1.1.17-2.el5_2.2.i386.rpm
libxslt-python-1.1.17-2.el5_2.2.i386.rpm

x86_64:
libxslt-1.1.17-2.el5_2.2.i386.rpm
libxslt-1.1.17-2.el5_2.2.x86_64.rpm
libxslt-debuginfo-1.1.17-2.el5_2.2.i386.rpm
libxslt-debuginfo-1.1.17-2.el5_2.2.x86_64.rpm
libxslt-python-1.1.17-2.el5_2.2.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/libxslt-1.1.17-2.el5_2.2.src.rpm

i386:
libxslt-debuginfo-1.1.17-2.el5_2.2.i386.rpm
libxslt-devel-1.1.17-2.el5_2.2.i386.rpm

x86_64:
libxslt-debuginfo-1.1.17-2.el5_2.2.i386.rpm
libxslt-debuginfo-1.1.17-2.el5_2.2.x86_64.rpm
libxslt-devel-1.1.17-2.el5_2.2.i386.rpm
libxslt-devel-1.1.17-2.el5_2.2.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/libxslt-1.1.17-2.el5_2.2.src.rpm

i386:
libxslt-1.1.17-2.el5_2.2.i386.rpm
libxslt-debuginfo-1.1.17-2.el5_2.2.i386.rpm
libxslt-devel-1.1.17-2.el5_2.2.i386.rpm
libxslt-python-1.1.17-2.el5_2.2.i386.rpm

ia64:
libxslt-1.1.17-2.el5_2.2.i386.rpm
libxslt-1.1.17-2.el5_2.2.ia64.rpm
libxslt-debuginfo-1.1.17-2.el5_2.2.i386.rpm
libxslt-debuginfo-1.1.17-2.el5_2.2.ia64.rpm
libxslt-devel-1.1.17-2.el5_2.2.ia64.rpm
libxslt-python-1.1.17-2.el5_2.2.ia64.rpm

ppc:
libxslt-1.1.17-2.el5_2.2.ppc.rpm
libxslt-1.1.17-2.el5_2.2.ppc64.rpm
libxslt-debuginfo-1.1.17-2.el5_2.2.ppc.rpm
libxslt-debuginfo-1.1.17-2.el5_2.2.ppc64.rpm
libxslt-devel-1.1.17-2.el5_2.2.ppc.rpm
libxslt-devel-1.1.17-2.el5_2.2.ppc64.rpm
libxslt-python-1.1.17-2.el5_2.2.ppc.rpm

s390x:
libxslt-1.1.17-2.el5_2.2.s390.rpm
libxslt-1.1.17-2.el5_2.2.s390x.rpm
libxslt-debuginfo-1.1.17-2.el5_2.2.s390.rpm
libxslt-debuginfo-1.1.17-2.el5_2.2.s390x.rpm
libxslt-devel-1.1.17-2.el5_2.2.s390.rpm
libxslt-devel-1.1.17-2.el5_2.2.s390x.rpm
libxslt-python-1.1.17-2.el5_2.2.s390x.rpm

x86_64:
libxslt-1.1.17-2.el5_2.2.i386.rpm
libxslt-1.1.17-2.el5_2.2.x86_64.rpm
libxslt-debuginfo-1.1.17-2.el5_2.2.i386.rpm
libxslt-debuginfo-1.1.17-2.el5_2.2.x86_64.rpm
libxslt-devel-1.1.17-2.el5_2.2.i386.rpm
libxslt-devel-1.1.17-2.el5_2.2.x86_64.rpm
libxslt-python-1.1.17-2.el5_2.2.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on
how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2935
http://www.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at
https://www.redhat.com/security/team/contact/

Copyright 2008 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFIkeFYXlSAg2UNWIIRAgnwAJ98WMzD2JTmUS5k1CvOgKmJtNcbDgCfWZIt
rKZkc9HrSSFRqgu7RyDLWFc=
=RWsJ
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Jul 31 15:59:55 2008
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 31 Jul 2008 11:59:55 -0400
Subject: [RHSA-2008:0790-02] Critical: java-1.5.0-ibm security update
Message-ID: <200807311559.m6VFxtKU032258@pobox.devel.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: java-1.5.0-ibm security update
Advisory ID:       RHSA-2008:0790-02
Product:           Red Hat Enterprise Linux Extras
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2008-0790.html
Issue date:        2008-07-31
CVE Names:         CVE-2008-3104 CVE-2008-3106 CVE-2008-3108 CVE-2008-3111
                   CVE-2008-3112 CVE-2008-3113 CVE-2008-3114
=====================================================================

1. Summary:

Updated java-1.5.0-ibm packages that fix several security issues are now
available for Red Hat Enterprise Linux 4 Extras and 5 Supplementary.

This update has been rated as having critical security impact by the Red Hat
Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 Extras - i386, ppc, s390, s390x, x86_64
Red Hat Desktop version 4 Extras - i386, x86_64
Red Hat Enterprise Linux ES version 4 Extras - i386, x86_64
Red Hat Enterprise Linux WS version 4 Extras - i386, x86_64
RHEL Desktop Supplementary (v. 5 client) - i386, x86_64
RHEL Supplementary (v. 5 server) - i386, ppc, s390x, x86_64

3. Description:

The IBM 1.5.0 Java release includes the IBM Java 2 Runtime Environment and
the IBM Java 2 Software Development Kit.

Multiple vulnerabilities with unsigned applets were reported. A remote
attacker could misuse an unsigned applet to connect to localhost services
running on the host running the applet. (CVE-2008-3104)

A vulnerability in the XML processing API was found. A remote attacker who
caused malicious XML to be processed by an untrusted applet or application
was able to elevate permissions to access URLs on a remote host.
(CVE-2008-3106)

A buffer overflow vulnerability was found in the font processing code. This
allowed remote attackers to extend the permissions of an untrusted applet or
application, allowing it to read and/or write local files, as well as to
execute local applications accessible to the user running the untrusted
application. (CVE-2008-3108)

Several buffer overflow vulnerabilities in Java Web Start were reported.
These vulnerabilities allowed an untrusted Java Web Start application to
elevate its privileges, allowing it to read and/or write local files, as well
as to execute local applications accessible to the user running the untrusted
application. (CVE-2008-3111)

Two file processing vulnerabilities in Java Web Start were found. A remote
attacker, by means of an untrusted Java Web Start application, was able to
create or delete arbitrary files with the permissions of the user running the
untrusted application. (CVE-2008-3112, CVE-2008-3113)

A vulnerability in Java Web Start when processing untrusted applications was
reported. An attacker was able to acquire sensitive information, such as the
cache location. (CVE-2008-3114)

All users of java-1.5.0-ibm are advised to upgrade to these updated packages,
which contain the IBM 1.5.0 SR8 Java release and resolve these issues.

4. Solution:

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red
Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

5. Bugs fixed (http://bugzilla.redhat.com/):

452649 - CVE-2008-3105 CVE-2008-3106 OpenJDK JAX-WS unauthorized URL access (6542088)
454601 - CVE-2008-3104 Java RE allows Same Origin Policy to be Bypassed (6687932)
454604 - CVE-2008-3108 Security Vulnerability with JRE fonts processing may allow Elevation of Privileges (6450319)
454605 - CVE-2008-3111 Java Web Start Buffer overflow vulnerabilities (6557220)
454606 - CVE-2008-3112 Java Web Start, arbitrary file creation (6703909)
454607 - CVE-2008-3113 Java Web Start arbitrary file creation/deletion file with user permissions (6704077)
454608 - CVE-2008-3114 Java Web Start, untrusted application may determine Cache Location (6704074)

6. Package List:

Red Hat Enterprise Linux AS version 4 Extras:

i386:
java-1.5.0-ibm-1.5.0.8-1jpp.1.el4.i386.rpm
java-1.5.0-ibm-demo-1.5.0.8-1jpp.1.el4.i386.rpm
java-1.5.0-ibm-devel-1.5.0.8-1jpp.1.el4.i386.rpm
java-1.5.0-ibm-javacomm-1.5.0.8-1jpp.1.el4.i386.rpm
java-1.5.0-ibm-jdbc-1.5.0.8-1jpp.1.el4.i386.rpm
java-1.5.0-ibm-plugin-1.5.0.8-1jpp.1.el4.i386.rpm
java-1.5.0-ibm-src-1.5.0.8-1jpp.1.el4.i386.rpm

ppc:
java-1.5.0-ibm-1.5.0.8-1jpp.1.el4.ppc.rpm
java-1.5.0-ibm-demo-1.5.0.8-1jpp.1.el4.ppc.rpm
java-1.5.0-ibm-devel-1.5.0.8-1jpp.1.el4.ppc.rpm
java-1.5.0-ibm-javacomm-1.5.0.8-1jpp.1.el4.ppc.rpm
java-1.5.0-ibm-jdbc-1.5.0.8-1jpp.1.el4.ppc.rpm
java-1.5.0-ibm-plugin-1.5.0.8-1jpp.1.el4.ppc.rpm
java-1.5.0-ibm-src-1.5.0.8-1jpp.1.el4.ppc.rpm

s390:
java-1.5.0-ibm-1.5.0.8-1jpp.1.el4.s390.rpm
java-1.5.0-ibm-demo-1.5.0.8-1jpp.1.el4.s390.rpm
java-1.5.0-ibm-devel-1.5.0.8-1jpp.1.el4.s390.rpm
java-1.5.0-ibm-jdbc-1.5.0.8-1jpp.1.el4.s390.rpm
java-1.5.0-ibm-src-1.5.0.8-1jpp.1.el4.s390.rpm

s390x:
java-1.5.0-ibm-1.5.0.8-1jpp.1.el4.s390x.rpm
java-1.5.0-ibm-demo-1.5.0.8-1jpp.1.el4.s390x.rpm
java-1.5.0-ibm-devel-1.5.0.8-1jpp.1.el4.s390x.rpm
java-1.5.0-ibm-src-1.5.0.8-1jpp.1.el4.s390x.rpm

x86_64:
java-1.5.0-ibm-1.5.0.8-1jpp.1.el4.x86_64.rpm
java-1.5.0-ibm-demo-1.5.0.8-1jpp.1.el4.x86_64.rpm
java-1.5.0-ibm-devel-1.5.0.8-1jpp.1.el4.x86_64.rpm
java-1.5.0-ibm-javacomm-1.5.0.8-1jpp.1.el4.x86_64.rpm
java-1.5.0-ibm-src-1.5.0.8-1jpp.1.el4.x86_64.rpm

Red Hat Desktop version 4 Extras:

i386:
java-1.5.0-ibm-1.5.0.8-1jpp.1.el4.i386.rpm
java-1.5.0-ibm-demo-1.5.0.8-1jpp.1.el4.i386.rpm
java-1.5.0-ibm-devel-1.5.0.8-1jpp.1.el4.i386.rpm
java-1.5.0-ibm-javacomm-1.5.0.8-1jpp.1.el4.i386.rpm
java-1.5.0-ibm-jdbc-1.5.0.8-1jpp.1.el4.i386.rpm
java-1.5.0-ibm-plugin-1.5.0.8-1jpp.1.el4.i386.rpm
java-1.5.0-ibm-src-1.5.0.8-1jpp.1.el4.i386.rpm

x86_64:
java-1.5.0-ibm-1.5.0.8-1jpp.1.el4.x86_64.rpm
java-1.5.0-ibm-demo-1.5.0.8-1jpp.1.el4.x86_64.rpm
java-1.5.0-ibm-devel-1.5.0.8-1jpp.1.el4.x86_64.rpm
java-1.5.0-ibm-javacomm-1.5.0.8-1jpp.1.el4.x86_64.rpm
java-1.5.0-ibm-src-1.5.0.8-1jpp.1.el4.x86_64.rpm

Red Hat Enterprise Linux ES version 4 Extras:

i386:
java-1.5.0-ibm-1.5.0.8-1jpp.1.el4.i386.rpm
java-1.5.0-ibm-demo-1.5.0.8-1jpp.1.el4.i386.rpm
java-1.5.0-ibm-devel-1.5.0.8-1jpp.1.el4.i386.rpm
java-1.5.0-ibm-javacomm-1.5.0.8-1jpp.1.el4.i386.rpm
java-1.5.0-ibm-jdbc-1.5.0.8-1jpp.1.el4.i386.rpm
java-1.5.0-ibm-plugin-1.5.0.8-1jpp.1.el4.i386.rpm
java-1.5.0-ibm-src-1.5.0.8-1jpp.1.el4.i386.rpm

x86_64:
java-1.5.0-ibm-1.5.0.8-1jpp.1.el4.x86_64.rpm
java-1.5.0-ibm-demo-1.5.0.8-1jpp.1.el4.x86_64.rpm
java-1.5.0-ibm-devel-1.5.0.8-1jpp.1.el4.x86_64.rpm
java-1.5.0-ibm-javacomm-1.5.0.8-1jpp.1.el4.x86_64.rpm
java-1.5.0-ibm-src-1.5.0.8-1jpp.1.el4.x86_64.rpm

Red Hat Enterprise Linux WS version 4 Extras:

i386:
java-1.5.0-ibm-1.5.0.8-1jpp.1.el4.i386.rpm
java-1.5.0-ibm-demo-1.5.0.8-1jpp.1.el4.i386.rpm
java-1.5.0-ibm-devel-1.5.0.8-1jpp.1.el4.i386.rpm
java-1.5.0-ibm-javacomm-1.5.0.8-1jpp.1.el4.i386.rpm
java-1.5.0-ibm-jdbc-1.5.0.8-1jpp.1.el4.i386.rpm
java-1.5.0-ibm-plugin-1.5.0.8-1jpp.1.el4.i386.rpm
java-1.5.0-ibm-src-1.5.0.8-1jpp.1.el4.i386.rpm

x86_64:
java-1.5.0-ibm-1.5.0.8-1jpp.1.el4.x86_64.rpm
java-1.5.0-ibm-demo-1.5.0.8-1jpp.1.el4.x86_64.rpm
java-1.5.0-ibm-devel-1.5.0.8-1jpp.1.el4.x86_64.rpm
java-1.5.0-ibm-javacomm-1.5.0.8-1jpp.1.el4.x86_64.rpm
java-1.5.0-ibm-src-1.5.0.8-1jpp.1.el4.x86_64.rpm

RHEL Desktop Supplementary (v. 5 client):

i386:
java-1.5.0-ibm-1.5.0.8-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-accessibility-1.5.0.8-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-demo-1.5.0.8-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-devel-1.5.0.8-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-javacomm-1.5.0.8-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-jdbc-1.5.0.8-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-plugin-1.5.0.8-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-src-1.5.0.8-1jpp.1.el5.i386.rpm

x86_64:
java-1.5.0-ibm-1.5.0.8-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-1.5.0.8-1jpp.1.el5.x86_64.rpm
java-1.5.0-ibm-accessibility-1.5.0.8-1jpp.1.el5.x86_64.rpm
java-1.5.0-ibm-demo-1.5.0.8-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-demo-1.5.0.8-1jpp.1.el5.x86_64.rpm
java-1.5.0-ibm-devel-1.5.0.8-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-devel-1.5.0.8-1jpp.1.el5.x86_64.rpm
java-1.5.0-ibm-javacomm-1.5.0.8-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-javacomm-1.5.0.8-1jpp.1.el5.x86_64.rpm
java-1.5.0-ibm-jdbc-1.5.0.8-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-plugin-1.5.0.8-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-src-1.5.0.8-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-src-1.5.0.8-1jpp.1.el5.x86_64.rpm

RHEL Supplementary (v. 5 server):

i386:
java-1.5.0-ibm-1.5.0.8-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-accessibility-1.5.0.8-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-demo-1.5.0.8-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-devel-1.5.0.8-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-javacomm-1.5.0.8-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-jdbc-1.5.0.8-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-plugin-1.5.0.8-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-src-1.5.0.8-1jpp.1.el5.i386.rpm

ppc:
java-1.5.0-ibm-1.5.0.8-1jpp.1.el5.ppc.rpm
java-1.5.0-ibm-1.5.0.8-1jpp.1.el5.ppc64.rpm
java-1.5.0-ibm-accessibility-1.5.0.8-1jpp.1.el5.ppc.rpm
java-1.5.0-ibm-demo-1.5.0.8-1jpp.1.el5.ppc.rpm
java-1.5.0-ibm-demo-1.5.0.8-1jpp.1.el5.ppc64.rpm
java-1.5.0-ibm-devel-1.5.0.8-1jpp.1.el5.ppc.rpm
java-1.5.0-ibm-devel-1.5.0.8-1jpp.1.el5.ppc64.rpm
java-1.5.0-ibm-javacomm-1.5.0.8-1jpp.1.el5.ppc.rpm
java-1.5.0-ibm-javacomm-1.5.0.8-1jpp.1.el5.ppc64.rpm
java-1.5.0-ibm-jdbc-1.5.0.8-1jpp.1.el5.ppc.rpm
java-1.5.0-ibm-plugin-1.5.0.8-1jpp.1.el5.ppc.rpm
java-1.5.0-ibm-src-1.5.0.8-1jpp.1.el5.ppc.rpm
java-1.5.0-ibm-src-1.5.0.8-1jpp.1.el5.ppc64.rpm

s390x:
java-1.5.0-ibm-1.5.0.8-1jpp.1.el5.s390.rpm
java-1.5.0-ibm-1.5.0.8-1jpp.1.el5.s390x.rpm
java-1.5.0-ibm-accessibility-1.5.0.8-1jpp.1.el5.s390x.rpm
java-1.5.0-ibm-demo-1.5.0.8-1jpp.1.el5.s390.rpm
java-1.5.0-ibm-demo-1.5.0.8-1jpp.1.el5.s390x.rpm
java-1.5.0-ibm-devel-1.5.0.8-1jpp.1.el5.s390.rpm
java-1.5.0-ibm-devel-1.5.0.8-1jpp.1.el5.s390x.rpm
java-1.5.0-ibm-jdbc-1.5.0.8-1jpp.1.el5.s390.rpm
java-1.5.0-ibm-src-1.5.0.8-1jpp.1.el5.s390.rpm
java-1.5.0-ibm-src-1.5.0.8-1jpp.1.el5.s390x.rpm

x86_64:
java-1.5.0-ibm-1.5.0.8-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-1.5.0.8-1jpp.1.el5.x86_64.rpm
java-1.5.0-ibm-accessibility-1.5.0.8-1jpp.1.el5.x86_64.rpm
java-1.5.0-ibm-demo-1.5.0.8-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-demo-1.5.0.8-1jpp.1.el5.x86_64.rpm
java-1.5.0-ibm-devel-1.5.0.8-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-devel-1.5.0.8-1jpp.1.el5.x86_64.rpm
java-1.5.0-ibm-javacomm-1.5.0.8-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-javacomm-1.5.0.8-1jpp.1.el5.x86_64.rpm
java-1.5.0-ibm-jdbc-1.5.0.8-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-plugin-1.5.0.8-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-src-1.5.0.8-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-src-1.5.0.8-1jpp.1.el5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on
how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3104
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3106
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3108
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3111
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3112
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3113
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3114
http://www.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is . More contact details at
https://www.redhat.com/security/team/contact/

Copyright 2008 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFIkeFsXlSAg2UNWIIRAos9AJ4w1I6Apy8jbfmpRyH6owZ6ZkP3ngCgp/HL
AMU4/upQTckzSA+QtlWnO2o=
=g0z4
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Jul 31 16:00:20 2008
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 31 Jul 2008 12:00:20 -0400
Subject: [RHSA-2008:0812-01] Critical: RealPlayer security update
Message-ID: <200807311600.m6VG0Ka7032742@pobox.devel.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: RealPlayer security update
Advisory ID:       RHSA-2008:0812-01
Product:           Red Hat Enterprise Linux Extras
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2008-0812.html
Issue date:        2008-07-31
=====================================================================

1. Summary:

RealPlayer 10.0.9 as shipped in Red Hat Enterprise Linux 3 Extras, 4 Extras,
and 5 Supplementary, contains a security flaw and should not be used.

This update has been rated as having critical security impact by the Red Hat
Security Response Team.

2. Description:

RealPlayer is a media player that provides media playback locally and via
streaming.

RealPlayer 10.0.9 is vulnerable to a critical security flaw and should no
longer be used. A remote attacker could leverage this flaw to execute
arbitrary code as the user running RealPlayer. (CVE-2007-5400)

This issue is addressed in RealPlayer 11. Red Hat is unable to ship RealPlayer
11 due to additional proprietary codecs included in that version. Therefore,
users who wish to continue to use RealPlayer should get an update directly
from www.real.com.

RealPlayer 10.0.9 packages will remain available via Red Hat Network for
those who choose to use them, despite their known security vulnerabilities.

3. Solution:

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red
Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

4. Bugs fixed (http://bugzilla.redhat.com/):

456855 - CVE-2007-5400 RealPlayer: SWF Frame Handling Buffer Overflow

5. References:

http://www.redhat.com/security/updates/classification/#critical

6. Contact:

The Red Hat security contact is . More contact details at
https://www.redhat.com/security/team/contact/

Copyright 2008 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFIkeGBXlSAg2UNWIIRAvH3AJkBVmxJ3rSqH9WKYDUxB1YoFhX0jACgpyNb
vu54aLyXeAWRq4VQipzMqXY=
=gjYj
-----END PGP SIGNATURE-----
