From bugzilla at redhat.com Wed Mar 5 10:43:58 2008
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 5 Mar 2008 05:43:58 -0500
Subject: [RHSA-2008:0156-02] Moderate: java-1.5.0-bea security update
Message-ID: <200803051043.m25AhwIg017944@pobox.devel.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: java-1.5.0-bea security update
Advisory ID: RHSA-2008:0156-02
Product: Red Hat Enterprise Linux Extras
Advisory URL: https://rhn.redhat.com/errata/RHSA-2008-0156.html
Issue date: 2008-03-05
CVE Names: CVE-2007-5232 CVE-2007-5239 CVE-2007-5240 CVE-2007-5273 CVE-2008-0657
=====================================================================

1. Summary:

Updated java-1.5.0-bea packages that correct several security issues are now available for Red Hat Enterprise Linux 4 Extras and 5 Supplementary.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 Extras - i386, ia64, x86_64
Red Hat Desktop version 4 Extras - i386, x86_64
Red Hat Enterprise Linux ES version 4 Extras - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 Extras - i386, ia64, x86_64
RHEL Supplementary (v. 5 server) - i386, ia64, x86_64

3. Description:

The BEA WebLogic JRockit 1.5.0_14 JRE and SDK contain BEA WebLogic JRockit Virtual Machine 1.5.0_14 and are certified for the Java 5 Platform, Standard Edition, v1.5.0.

A flaw in the applet caching mechanism of the Java Runtime Environment (JRE) did not correctly process the creation of network connections. A remote attacker could use this flaw to create connections to services on machines other than the one that the applet was downloaded from. (CVE-2007-5232)

Untrusted Java Applets were able to drag and drop a file to a Desktop Application.
A user-assisted remote attacker could use this flaw to move or copy arbitrary files. (CVE-2007-5239)

The Java Runtime Environment (JRE) allowed untrusted Java Applets or applications to display oversized windows. This could be used by remote attackers to hide security warning banners. (CVE-2007-5240)

Unsigned Java Applets communicating via an HTTP proxy could allow a remote attacker to violate the Java security model. A cached, malicious Applet could create network connections to services on other machines. (CVE-2007-5273)

Two vulnerabilities in the Java Runtime Environment allowed an untrusted application or applet to elevate the assigned privileges. This could be misused by a malicious website to read and write local files or execute local applications in the context of the user running the Java process. (CVE-2008-0657)

Those vulnerabilities concerned with applets can only be triggered in java-1.5.0-bea by calling the 'appletviewer' application.

All users of java-1.5.0-bea should upgrade to these updated packages, which contain the BEA WebLogic JRockit 1.5.0_14 release that resolves these issues.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/FAQ_58_10188

5. Bugs fixed (http://bugzilla.redhat.com/):

321951 - CVE-2007-5232 Security Vulnerability in Java Runtime Environment With Applet Caching
321981 - CVE-2007-5239 Untrusted Application or Applet May Move or Copy Arbitrary Files
321991 - CVE-2007-5240 Applets or Applications are allowed to display an oversized window
324351 - CVE-2007-5273 Anti-DNS Pinning and Java Applets with HTTP proxy
431861 - CVE-2008-0657 java-1.5.0 Privilege escalation via unstrusted applet and application

6. Package List:

Red Hat Enterprise Linux AS version 4 Extras:

i386:
java-1.5.0-bea-1.5.0.14-1jpp.1.el4.i686.rpm
java-1.5.0-bea-demo-1.5.0.14-1jpp.1.el4.i686.rpm
java-1.5.0-bea-devel-1.5.0.14-1jpp.1.el4.i686.rpm
java-1.5.0-bea-jdbc-1.5.0.14-1jpp.1.el4.i686.rpm
java-1.5.0-bea-src-1.5.0.14-1jpp.1.el4.i686.rpm

ia64:
java-1.5.0-bea-1.5.0.14-1jpp.1.el4.ia64.rpm
java-1.5.0-bea-demo-1.5.0.14-1jpp.1.el4.ia64.rpm
java-1.5.0-bea-devel-1.5.0.14-1jpp.1.el4.ia64.rpm
java-1.5.0-bea-jdbc-1.5.0.14-1jpp.1.el4.ia64.rpm
java-1.5.0-bea-src-1.5.0.14-1jpp.1.el4.ia64.rpm

x86_64:
java-1.5.0-bea-1.5.0.14-1jpp.1.el4.x86_64.rpm
java-1.5.0-bea-demo-1.5.0.14-1jpp.1.el4.x86_64.rpm
java-1.5.0-bea-devel-1.5.0.14-1jpp.1.el4.x86_64.rpm
java-1.5.0-bea-jdbc-1.5.0.14-1jpp.1.el4.x86_64.rpm
java-1.5.0-bea-src-1.5.0.14-1jpp.1.el4.x86_64.rpm

Red Hat Desktop version 4 Extras:

i386:
java-1.5.0-bea-1.5.0.14-1jpp.1.el4.i686.rpm
java-1.5.0-bea-demo-1.5.0.14-1jpp.1.el4.i686.rpm
java-1.5.0-bea-devel-1.5.0.14-1jpp.1.el4.i686.rpm
java-1.5.0-bea-jdbc-1.5.0.14-1jpp.1.el4.i686.rpm
java-1.5.0-bea-src-1.5.0.14-1jpp.1.el4.i686.rpm

x86_64:
java-1.5.0-bea-1.5.0.14-1jpp.1.el4.x86_64.rpm
java-1.5.0-bea-demo-1.5.0.14-1jpp.1.el4.x86_64.rpm
java-1.5.0-bea-devel-1.5.0.14-1jpp.1.el4.x86_64.rpm
java-1.5.0-bea-jdbc-1.5.0.14-1jpp.1.el4.x86_64.rpm
java-1.5.0-bea-src-1.5.0.14-1jpp.1.el4.x86_64.rpm

Red Hat Enterprise Linux ES version 4 Extras:

i386:
java-1.5.0-bea-1.5.0.14-1jpp.1.el4.i686.rpm
java-1.5.0-bea-demo-1.5.0.14-1jpp.1.el4.i686.rpm
java-1.5.0-bea-devel-1.5.0.14-1jpp.1.el4.i686.rpm
java-1.5.0-bea-jdbc-1.5.0.14-1jpp.1.el4.i686.rpm
java-1.5.0-bea-src-1.5.0.14-1jpp.1.el4.i686.rpm

ia64:
java-1.5.0-bea-1.5.0.14-1jpp.1.el4.ia64.rpm
java-1.5.0-bea-demo-1.5.0.14-1jpp.1.el4.ia64.rpm
java-1.5.0-bea-devel-1.5.0.14-1jpp.1.el4.ia64.rpm
java-1.5.0-bea-jdbc-1.5.0.14-1jpp.1.el4.ia64.rpm
java-1.5.0-bea-src-1.5.0.14-1jpp.1.el4.ia64.rpm

x86_64:
java-1.5.0-bea-1.5.0.14-1jpp.1.el4.x86_64.rpm
java-1.5.0-bea-demo-1.5.0.14-1jpp.1.el4.x86_64.rpm
java-1.5.0-bea-devel-1.5.0.14-1jpp.1.el4.x86_64.rpm
java-1.5.0-bea-jdbc-1.5.0.14-1jpp.1.el4.x86_64.rpm
java-1.5.0-bea-src-1.5.0.14-1jpp.1.el4.x86_64.rpm

Red Hat Enterprise Linux WS version 4 Extras:

i386:
java-1.5.0-bea-1.5.0.14-1jpp.1.el4.i686.rpm
java-1.5.0-bea-demo-1.5.0.14-1jpp.1.el4.i686.rpm
java-1.5.0-bea-devel-1.5.0.14-1jpp.1.el4.i686.rpm
java-1.5.0-bea-jdbc-1.5.0.14-1jpp.1.el4.i686.rpm
java-1.5.0-bea-src-1.5.0.14-1jpp.1.el4.i686.rpm

ia64:
java-1.5.0-bea-1.5.0.14-1jpp.1.el4.ia64.rpm
java-1.5.0-bea-demo-1.5.0.14-1jpp.1.el4.ia64.rpm
java-1.5.0-bea-devel-1.5.0.14-1jpp.1.el4.ia64.rpm
java-1.5.0-bea-jdbc-1.5.0.14-1jpp.1.el4.ia64.rpm
java-1.5.0-bea-src-1.5.0.14-1jpp.1.el4.ia64.rpm

x86_64:
java-1.5.0-bea-1.5.0.14-1jpp.1.el4.x86_64.rpm
java-1.5.0-bea-demo-1.5.0.14-1jpp.1.el4.x86_64.rpm
java-1.5.0-bea-devel-1.5.0.14-1jpp.1.el4.x86_64.rpm
java-1.5.0-bea-jdbc-1.5.0.14-1jpp.1.el4.x86_64.rpm
java-1.5.0-bea-src-1.5.0.14-1jpp.1.el4.x86_64.rpm

RHEL Supplementary (v. 5 server):

i386:
java-1.5.0-bea-1.5.0.14-1jpp.1.el5.i686.rpm
java-1.5.0-bea-demo-1.5.0.14-1jpp.1.el5.i686.rpm
java-1.5.0-bea-devel-1.5.0.14-1jpp.1.el5.i686.rpm
java-1.5.0-bea-jdbc-1.5.0.14-1jpp.1.el5.i686.rpm
java-1.5.0-bea-missioncontrol-1.5.0.14-1jpp.1.el5.i686.rpm
java-1.5.0-bea-src-1.5.0.14-1jpp.1.el5.i686.rpm

ia64:
java-1.5.0-bea-1.5.0.14-1jpp.1.el5.ia64.rpm
java-1.5.0-bea-demo-1.5.0.14-1jpp.1.el5.ia64.rpm
java-1.5.0-bea-devel-1.5.0.14-1jpp.1.el5.ia64.rpm
java-1.5.0-bea-jdbc-1.5.0.14-1jpp.1.el5.ia64.rpm
java-1.5.0-bea-src-1.5.0.14-1jpp.1.el5.ia64.rpm

x86_64:
java-1.5.0-bea-1.5.0.14-1jpp.1.el5.x86_64.rpm
java-1.5.0-bea-demo-1.5.0.14-1jpp.1.el5.x86_64.rpm
java-1.5.0-bea-devel-1.5.0.14-1jpp.1.el5.x86_64.rpm
java-1.5.0-bea-jdbc-1.5.0.14-1jpp.1.el5.x86_64.rpm
java-1.5.0-bea-missioncontrol-1.5.0.14-1jpp.1.el5.x86_64.rpm
java-1.5.0-bea-src-1.5.0.14-1jpp.1.el5.x86_64.rpm

These packages are GPG signed by Red Hat for security.
Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5232
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5239
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5240
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5273
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0657
http://dev2dev.bea.com/pub/advisory/272
http://www.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2008 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFHznk3XlSAg2UNWIIRAqtxAKC1AJyy0keGmDViEw0yqZhm+za2xwCgmbuw
9HfxBvIT4w8vsSNV45wUsf8=
=Irkc
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Mar 5 10:45:23 2008
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 5 Mar 2008 05:45:23 -0500
Subject: [RHSA-2008:0177-01] Critical: evolution security update
Message-ID: <200803051045.m25AjNkJ018499@pobox.devel.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Critical: evolution security update
Advisory ID: RHSA-2008:0177-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2008-0177.html
Issue date: 2008-03-05
CVE Names: CVE-2008-0072
=====================================================================

1. Summary:

Updated evolution packages that fix a format string bug are now available for Red Hat Enterprise Linux 4 and 5.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
RHEL Desktop Workstation (v. 5 client) - i386, x86_64
RHEL Optional Productivity Applications (v. 5 server) - i386, x86_64

3. Description:

Evolution is the GNOME collection of personal information management (PIM) tools.

A format string flaw was found in the way Evolution displayed encrypted mail content. If a user opened a carefully crafted mail message, arbitrary code could be executed as the user running Evolution. (CVE-2008-0072)

All users of Evolution should upgrade to these updated packages, which contain a backported patch which resolves this issue.

Red Hat would like to thank Ulf Härnhammar of Secunia Research for finding and reporting this issue.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/FAQ_58_10188

5. Bugs fixed (http://bugzilla.redhat.com/):

435759 - CVE-2008-0072 Evolution format string flaw

6. Package List:

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/evolution-2.0.2-35.0.4.el4_6.1.src.rpm
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/evolution28-2.8.0-53.el4_6.2.src.rpm

i386:
evolution-2.0.2-35.0.4.el4_6.1.i386.rpm
evolution-debuginfo-2.0.2-35.0.4.el4_6.1.i386.rpm
evolution-devel-2.0.2-35.0.4.el4_6.1.i386.rpm
evolution28-2.8.0-53.el4_6.2.i386.rpm
evolution28-debuginfo-2.8.0-53.el4_6.2.i386.rpm
evolution28-devel-2.8.0-53.el4_6.2.i386.rpm

ia64:
evolution-2.0.2-35.0.4.el4_6.1.ia64.rpm
evolution-debuginfo-2.0.2-35.0.4.el4_6.1.ia64.rpm
evolution-devel-2.0.2-35.0.4.el4_6.1.ia64.rpm
evolution28-2.8.0-53.el4_6.2.ia64.rpm
evolution28-debuginfo-2.8.0-53.el4_6.2.ia64.rpm
evolution28-devel-2.8.0-53.el4_6.2.ia64.rpm

ppc:
evolution-2.0.2-35.0.4.el4_6.1.ppc.rpm
evolution-debuginfo-2.0.2-35.0.4.el4_6.1.ppc.rpm
evolution-devel-2.0.2-35.0.4.el4_6.1.ppc.rpm
evolution28-2.8.0-53.el4_6.2.ppc.rpm
evolution28-debuginfo-2.8.0-53.el4_6.2.ppc.rpm
evolution28-devel-2.8.0-53.el4_6.2.ppc.rpm

s390:
evolution-2.0.2-35.0.4.el4_6.1.s390.rpm
evolution-debuginfo-2.0.2-35.0.4.el4_6.1.s390.rpm
evolution-devel-2.0.2-35.0.4.el4_6.1.s390.rpm
evolution28-2.8.0-53.el4_6.2.s390.rpm
evolution28-debuginfo-2.8.0-53.el4_6.2.s390.rpm
evolution28-devel-2.8.0-53.el4_6.2.s390.rpm

s390x:
evolution-2.0.2-35.0.4.el4_6.1.s390x.rpm
evolution-debuginfo-2.0.2-35.0.4.el4_6.1.s390x.rpm
evolution-devel-2.0.2-35.0.4.el4_6.1.s390x.rpm
evolution28-2.8.0-53.el4_6.2.s390x.rpm
evolution28-debuginfo-2.8.0-53.el4_6.2.s390x.rpm
evolution28-devel-2.8.0-53.el4_6.2.s390x.rpm

x86_64:
evolution-2.0.2-35.0.4.el4_6.1.x86_64.rpm
evolution-debuginfo-2.0.2-35.0.4.el4_6.1.x86_64.rpm
evolution-devel-2.0.2-35.0.4.el4_6.1.x86_64.rpm
evolution28-2.8.0-53.el4_6.2.x86_64.rpm
evolution28-debuginfo-2.8.0-53.el4_6.2.x86_64.rpm
evolution28-devel-2.8.0-53.el4_6.2.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/evolution-2.0.2-35.0.4.el4_6.1.src.rpm
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/evolution28-2.8.0-53.el4_6.2.src.rpm

i386:
evolution-2.0.2-35.0.4.el4_6.1.i386.rpm
evolution-debuginfo-2.0.2-35.0.4.el4_6.1.i386.rpm
evolution-devel-2.0.2-35.0.4.el4_6.1.i386.rpm
evolution28-2.8.0-53.el4_6.2.i386.rpm
evolution28-debuginfo-2.8.0-53.el4_6.2.i386.rpm
evolution28-devel-2.8.0-53.el4_6.2.i386.rpm

x86_64:
evolution-2.0.2-35.0.4.el4_6.1.x86_64.rpm
evolution-debuginfo-2.0.2-35.0.4.el4_6.1.x86_64.rpm
evolution-devel-2.0.2-35.0.4.el4_6.1.x86_64.rpm
evolution28-2.8.0-53.el4_6.2.x86_64.rpm
evolution28-debuginfo-2.8.0-53.el4_6.2.x86_64.rpm
evolution28-devel-2.8.0-53.el4_6.2.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/evolution-2.0.2-35.0.4.el4_6.1.src.rpm
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/evolution28-2.8.0-53.el4_6.2.src.rpm

i386:
evolution-2.0.2-35.0.4.el4_6.1.i386.rpm
evolution-debuginfo-2.0.2-35.0.4.el4_6.1.i386.rpm
evolution-devel-2.0.2-35.0.4.el4_6.1.i386.rpm
evolution28-2.8.0-53.el4_6.2.i386.rpm
evolution28-debuginfo-2.8.0-53.el4_6.2.i386.rpm
evolution28-devel-2.8.0-53.el4_6.2.i386.rpm

ia64:
evolution-2.0.2-35.0.4.el4_6.1.ia64.rpm
evolution-debuginfo-2.0.2-35.0.4.el4_6.1.ia64.rpm
evolution-devel-2.0.2-35.0.4.el4_6.1.ia64.rpm
evolution28-2.8.0-53.el4_6.2.ia64.rpm
evolution28-debuginfo-2.8.0-53.el4_6.2.ia64.rpm
evolution28-devel-2.8.0-53.el4_6.2.ia64.rpm

x86_64:
evolution-2.0.2-35.0.4.el4_6.1.x86_64.rpm
evolution-debuginfo-2.0.2-35.0.4.el4_6.1.x86_64.rpm
evolution-devel-2.0.2-35.0.4.el4_6.1.x86_64.rpm
evolution28-2.8.0-53.el4_6.2.x86_64.rpm
evolution28-debuginfo-2.8.0-53.el4_6.2.x86_64.rpm
evolution28-devel-2.8.0-53.el4_6.2.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/evolution-2.0.2-35.0.4.el4_6.1.src.rpm
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/evolution28-2.8.0-53.el4_6.2.src.rpm

i386:
evolution-2.0.2-35.0.4.el4_6.1.i386.rpm
evolution-debuginfo-2.0.2-35.0.4.el4_6.1.i386.rpm
evolution-devel-2.0.2-35.0.4.el4_6.1.i386.rpm
evolution28-2.8.0-53.el4_6.2.i386.rpm
evolution28-debuginfo-2.8.0-53.el4_6.2.i386.rpm
evolution28-devel-2.8.0-53.el4_6.2.i386.rpm

ia64:
evolution-2.0.2-35.0.4.el4_6.1.ia64.rpm
evolution-debuginfo-2.0.2-35.0.4.el4_6.1.ia64.rpm
evolution-devel-2.0.2-35.0.4.el4_6.1.ia64.rpm
evolution28-2.8.0-53.el4_6.2.ia64.rpm
evolution28-debuginfo-2.8.0-53.el4_6.2.ia64.rpm
evolution28-devel-2.8.0-53.el4_6.2.ia64.rpm

x86_64:
evolution-2.0.2-35.0.4.el4_6.1.x86_64.rpm
evolution-debuginfo-2.0.2-35.0.4.el4_6.1.x86_64.rpm
evolution-devel-2.0.2-35.0.4.el4_6.1.x86_64.rpm
evolution28-2.8.0-53.el4_6.2.x86_64.rpm
evolution28-debuginfo-2.8.0-53.el4_6.2.x86_64.rpm
evolution28-devel-2.8.0-53.el4_6.2.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/evolution-2.8.0-40.el5_1.1.src.rpm

i386:
evolution-2.8.0-40.el5_1.1.i386.rpm
evolution-debuginfo-2.8.0-40.el5_1.1.i386.rpm

x86_64:
evolution-2.8.0-40.el5_1.1.i386.rpm
evolution-2.8.0-40.el5_1.1.x86_64.rpm
evolution-debuginfo-2.8.0-40.el5_1.1.i386.rpm
evolution-debuginfo-2.8.0-40.el5_1.1.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/evolution-2.8.0-40.el5_1.1.src.rpm

i386:
evolution-debuginfo-2.8.0-40.el5_1.1.i386.rpm
evolution-devel-2.8.0-40.el5_1.1.i386.rpm

x86_64:
evolution-debuginfo-2.8.0-40.el5_1.1.i386.rpm
evolution-debuginfo-2.8.0-40.el5_1.1.x86_64.rpm
evolution-devel-2.8.0-40.el5_1.1.i386.rpm
evolution-devel-2.8.0-40.el5_1.1.x86_64.rpm

RHEL Optional Productivity Applications (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/evolution-2.8.0-40.el5_1.1.src.rpm

i386:
evolution-2.8.0-40.el5_1.1.i386.rpm
evolution-debuginfo-2.8.0-40.el5_1.1.i386.rpm
evolution-devel-2.8.0-40.el5_1.1.i386.rpm

x86_64:
evolution-2.8.0-40.el5_1.1.i386.rpm
evolution-2.8.0-40.el5_1.1.x86_64.rpm
evolution-debuginfo-2.8.0-40.el5_1.1.i386.rpm
evolution-debuginfo-2.8.0-40.el5_1.1.x86_64.rpm
evolution-devel-2.8.0-40.el5_1.1.i386.rpm
evolution-devel-2.8.0-40.el5_1.1.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0072
http://www.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2008 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFHznl5XlSAg2UNWIIRAjnvAJ4uM/wBpVQHyAiuKiF6ba6QULUSCwCgnHMH
iI/+/Ms3IhsvWQWb252HGKI=
=ZmDZ
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Mar 5 10:46:25 2008
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 5 Mar 2008 05:46:25 -0500
Subject: [RHSA-2008:0178-01] Critical: evolution security update
Message-ID: <200803051046.m25AkPcW018554@pobox.devel.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Critical: evolution security update
Advisory ID: RHSA-2008:0178-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2008-0178.html
Issue date: 2008-03-05
CVE Names: CVE-2008-0072
=====================================================================

1. Summary:

Updated evolution packages that fix a format string bug are now available for Red Hat Enterprise Linux 4.5 Extended Update Support.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4.5.z - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux ES version 4.5.z - i386, ia64, x86_64

3. Description:

Evolution is the GNOME collection of personal information management (PIM) tools.

A format string flaw was found in the way Evolution displayed encrypted mail content. If a user opened a carefully crafted mail message, arbitrary code could be executed as the user running Evolution. (CVE-2008-0072)

All users of Evolution should upgrade to these updated packages, which contain a backported patch which resolves this issue.

Red Hat would like to thank Ulf Härnhammar of Secunia Research for finding and reporting this issue.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/FAQ_58_10188

5. Bugs fixed (http://bugzilla.redhat.com/):

435759 - CVE-2008-0072 Evolution format string flaw

6. Package List:

Red Hat Enterprise Linux AS version 4.5.z:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/4AS-4.5.z/en/os/SRPMS/evolution-2.0.2-35.0.4.el4_5.1.src.rpm

i386:
evolution-2.0.2-35.0.4.el4_5.1.i386.rpm
evolution-debuginfo-2.0.2-35.0.4.el4_5.1.i386.rpm
evolution-devel-2.0.2-35.0.4.el4_5.1.i386.rpm

ia64:
evolution-2.0.2-35.0.4.el4_5.1.ia64.rpm
evolution-debuginfo-2.0.2-35.0.4.el4_5.1.ia64.rpm
evolution-devel-2.0.2-35.0.4.el4_5.1.ia64.rpm

ppc:
evolution-2.0.2-35.0.4.el4_5.1.ppc.rpm
evolution-debuginfo-2.0.2-35.0.4.el4_5.1.ppc.rpm
evolution-devel-2.0.2-35.0.4.el4_5.1.ppc.rpm

s390:
evolution-2.0.2-35.0.4.el4_5.1.s390.rpm
evolution-debuginfo-2.0.2-35.0.4.el4_5.1.s390.rpm
evolution-devel-2.0.2-35.0.4.el4_5.1.s390.rpm

s390x:
evolution-2.0.2-35.0.4.el4_5.1.s390x.rpm
evolution-debuginfo-2.0.2-35.0.4.el4_5.1.s390x.rpm
evolution-devel-2.0.2-35.0.4.el4_5.1.s390x.rpm

x86_64:
evolution-2.0.2-35.0.4.el4_5.1.x86_64.rpm
evolution-debuginfo-2.0.2-35.0.4.el4_5.1.x86_64.rpm
evolution-devel-2.0.2-35.0.4.el4_5.1.x86_64.rpm

Red Hat Enterprise Linux ES version 4.5.z:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/4ES-4.5.z/en/os/SRPMS/evolution-2.0.2-35.0.4.el4_5.1.src.rpm

i386:
evolution-2.0.2-35.0.4.el4_5.1.i386.rpm
evolution-debuginfo-2.0.2-35.0.4.el4_5.1.i386.rpm
evolution-devel-2.0.2-35.0.4.el4_5.1.i386.rpm

ia64:
evolution-2.0.2-35.0.4.el4_5.1.ia64.rpm
evolution-debuginfo-2.0.2-35.0.4.el4_5.1.ia64.rpm
evolution-devel-2.0.2-35.0.4.el4_5.1.ia64.rpm

x86_64:
evolution-2.0.2-35.0.4.el4_5.1.x86_64.rpm
evolution-debuginfo-2.0.2-35.0.4.el4_5.1.x86_64.rpm
evolution-devel-2.0.2-35.0.4.el4_5.1.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0072
http://www.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is .
More contact details at https://www.redhat.com/security/team/contact/

Copyright 2008 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFHznnSXlSAg2UNWIIRAj7bAJ418aPbDLRCK2QM1+pEM3ef6JGvfACghDtD
SVI+vIHc2M/juq1XUhDtt6s=
=AfWE
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Mar 5 13:59:36 2008
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 5 Mar 2008 08:59:36 -0500
Subject: [RHSA-2008:0154-01] Important: kernel security and bug fix update
Message-ID: <200803051359.m25DxaD2015601@pobox.devel.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Important: kernel security and bug fix update
Advisory ID: RHSA-2008:0154-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2008-0154.html
Issue date: 2008-03-05
CVE Names: CVE-2006-6921 CVE-2007-5938 CVE-2007-6063 CVE-2007-6207 CVE-2007-6694
=====================================================================

1. Summary:

Updated kernel packages that fix various security issues and several bugs are now available for Red Hat Enterprise Linux 5.

This update has been rated as having important security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 5 client) - i386, noarch, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, noarch, ppc, s390x, x86_64

3. Description:

The kernel packages contain the Linux kernel, the core of any Linux operating system.

These updated packages fix the following security issues:

* a flaw in the hypervisor for hosts running on Itanium architectures allowed an Intel VTi domain to read arbitrary physical memory from other Intel VTi domains, which could make information available to unauthorized users. (CVE-2007-6207, Important)

* two buffer overflow flaws were found in ISDN subsystem.
A local unprivileged user could use these flaws to cause a denial of service. (CVE-2007-5938: Important, CVE-2007-6063: Moderate)

* a possible NULL pointer dereference was found in the subsystem used for showing CPU information, as used by CHRP systems on PowerPC architectures. This may have allowed a local unprivileged user to cause a denial of service (crash). (CVE-2007-6694, Moderate)

* a flaw was found in the handling of zombie processes. A local user could create processes that would not be properly reaped, possibly causing a denial of service. (CVE-2006-6921, Moderate)

As well, these updated packages fix the following bugs:

* a bug was found in the Linux kernel audit subsystem. When the audit daemon was setup to log the execve system call with a large number of arguments, the kernel could run out of memory, causing a kernel panic.

* on IBM System z architectures, using the IBM Hardware Management Console to toggle IBM FICON channel path ids (CHPID) caused a file ID miscompare, possibly causing data corruption.

* when running the IA-32 Execution Layer (IA-32EL) or a Java VM on Itanium architectures, a bug in the address translation in the hypervisor caused the wrong address to be registered, causing Dom0 to hang.

* on Itanium architectures, frequent Corrected Platform Error errors may have caused the hypervisor to hang.

* when enabling a CPU without hot plug support, routines for checking the presence of the CPU were missing. The CPU tried to access its own resources, causing a kernel panic.

* after updating to kernel-2.6.18-53.el5, a bug in the CCISS driver caused the HP Array Configuration Utility CLI to become unstable, possibly causing a system hang, or a kernel panic.

* a bug in NFS directory caching could have caused different hosts to have different views of NFS directories.

* on Itanium architectures, the Corrected Machine Check Interrupt masked hot-added CPUs as disabled.
* when running Oracle database software on the Intel 64 and AMD64 architectures, if an SGA larger than 4GB was created, and had hugepages allocated to it, the hugepages were not freed after database shutdown.

* in a clustered environment, when two or more NFS clients had the same logical volume mounted, and one of them modified a file on the volume, NULL characters may have been inserted, possibly causing data corruption.

These updated packages resolve several severe issues in the lpfc driver:

* a system hang after LUN discovery.

* a general fault protection, a NULL pointer dereference, or slab corruption could occur while running a debug on the kernel.

* the inability to handle kernel paging requests in "lpfc_get_scsi_buf".

* erroneous structure references caused certain FC discovery routines to reference and change "lpfc_nodelist" structures, even after they were freed.

* the lpfc driver failed to interpret certain fields correctly, causing tape backup software to fail. Tape drives reported "Illegal Request".

* the lpfc driver did not clear structures correctly, resulting in SCSI I/Os being rejected by targets, and causing errors.

Red Hat Enterprise Linux 5 users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/FAQ_58_10188

5. Bugs fixed (http://bugzilla.redhat.com/):

302921 - CVE-2006-6921 kernel: denial of service with wedged processes
310651 - audit: Logging execve arguments, out of memory in audit_expand (kernel panic)
385861 - CVE-2007-5938 NULL dereference in iwl driver
392101 - CVE-2007-6063 Linux Kernel isdn_net_setcfg buffer overflow
396751 - CVE-2007-6694 /proc/cpuinfo DoS on some ppc machines
402911 - LTC39906-[BBDQ] FICON DS8000: File ID Miscompare after CHPID off via HMC
406881 - CVE-2007-6207 [5.2][XEN] Security: some HVM domain can access another domain memory.
424191 - [Xen][5.1.z] Running IA32EL or java-vm causes dom0 hung
424271 - Severe issues in 5.1 lpfc driver: Request update to 8.1.10.12
428290 - [Xen ia64] hypervisor sometimes hangs on Corrected Platform Errors
429108 - [5.1] Panic if user enable a cpu which is not prepared for hotplug.
429515 - scsi: cciss - incompatability between hpacucli and RHEL 5.1 Kernel
429539 - NFS: Fix directory caching problem - with test case and patch.
430632 - CMCI is left disabled on hot-added processors
431522 - RHEL 5.1 regression in hugepages due to pagetable sharing patch
432078 - Null bytes in files access by 2 or more NFS clients

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/kernel-2.6.18-53.1.14.el5.src.rpm

i386:
kernel-2.6.18-53.1.14.el5.i686.rpm
kernel-PAE-2.6.18-53.1.14.el5.i686.rpm
kernel-PAE-debuginfo-2.6.18-53.1.14.el5.i686.rpm
kernel-PAE-devel-2.6.18-53.1.14.el5.i686.rpm
kernel-debug-2.6.18-53.1.14.el5.i686.rpm
kernel-debug-debuginfo-2.6.18-53.1.14.el5.i686.rpm
kernel-debug-devel-2.6.18-53.1.14.el5.i686.rpm
kernel-debuginfo-2.6.18-53.1.14.el5.i686.rpm
kernel-debuginfo-common-2.6.18-53.1.14.el5.i686.rpm
kernel-devel-2.6.18-53.1.14.el5.i686.rpm
kernel-headers-2.6.18-53.1.14.el5.i386.rpm
kernel-xen-2.6.18-53.1.14.el5.i686.rpm
kernel-xen-debuginfo-2.6.18-53.1.14.el5.i686.rpm
kernel-xen-devel-2.6.18-53.1.14.el5.i686.rpm

noarch:
kernel-doc-2.6.18-53.1.14.el5.noarch.rpm

x86_64:
kernel-2.6.18-53.1.14.el5.x86_64.rpm
kernel-debug-2.6.18-53.1.14.el5.x86_64.rpm
kernel-debug-debuginfo-2.6.18-53.1.14.el5.x86_64.rpm
kernel-debug-devel-2.6.18-53.1.14.el5.x86_64.rpm
kernel-debuginfo-2.6.18-53.1.14.el5.x86_64.rpm
kernel-debuginfo-common-2.6.18-53.1.14.el5.x86_64.rpm
kernel-devel-2.6.18-53.1.14.el5.x86_64.rpm
kernel-headers-2.6.18-53.1.14.el5.x86_64.rpm
kernel-xen-2.6.18-53.1.14.el5.x86_64.rpm
kernel-xen-debuginfo-2.6.18-53.1.14.el5.x86_64.rpm
kernel-xen-devel-2.6.18-53.1.14.el5.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/kernel-2.6.18-53.1.14.el5.src.rpm

i386:
kernel-2.6.18-53.1.14.el5.i686.rpm
kernel-PAE-2.6.18-53.1.14.el5.i686.rpm
kernel-PAE-debuginfo-2.6.18-53.1.14.el5.i686.rpm
kernel-PAE-devel-2.6.18-53.1.14.el5.i686.rpm
kernel-debug-2.6.18-53.1.14.el5.i686.rpm
kernel-debug-debuginfo-2.6.18-53.1.14.el5.i686.rpm
kernel-debug-devel-2.6.18-53.1.14.el5.i686.rpm
kernel-debuginfo-2.6.18-53.1.14.el5.i686.rpm
kernel-debuginfo-common-2.6.18-53.1.14.el5.i686.rpm
kernel-devel-2.6.18-53.1.14.el5.i686.rpm
kernel-headers-2.6.18-53.1.14.el5.i386.rpm
kernel-xen-2.6.18-53.1.14.el5.i686.rpm
kernel-xen-debuginfo-2.6.18-53.1.14.el5.i686.rpm
kernel-xen-devel-2.6.18-53.1.14.el5.i686.rpm

ia64:
kernel-2.6.18-53.1.14.el5.ia64.rpm
kernel-debug-2.6.18-53.1.14.el5.ia64.rpm
kernel-debug-debuginfo-2.6.18-53.1.14.el5.ia64.rpm
kernel-debug-devel-2.6.18-53.1.14.el5.ia64.rpm
kernel-debuginfo-2.6.18-53.1.14.el5.ia64.rpm
kernel-debuginfo-common-2.6.18-53.1.14.el5.ia64.rpm
kernel-devel-2.6.18-53.1.14.el5.ia64.rpm
kernel-headers-2.6.18-53.1.14.el5.ia64.rpm
kernel-xen-2.6.18-53.1.14.el5.ia64.rpm
kernel-xen-debuginfo-2.6.18-53.1.14.el5.ia64.rpm
kernel-xen-devel-2.6.18-53.1.14.el5.ia64.rpm

noarch:
kernel-doc-2.6.18-53.1.14.el5.noarch.rpm

ppc:
kernel-2.6.18-53.1.14.el5.ppc64.rpm
kernel-debug-2.6.18-53.1.14.el5.ppc64.rpm
kernel-debug-debuginfo-2.6.18-53.1.14.el5.ppc64.rpm
kernel-debug-devel-2.6.18-53.1.14.el5.ppc64.rpm
kernel-debuginfo-2.6.18-53.1.14.el5.ppc64.rpm
kernel-debuginfo-common-2.6.18-53.1.14.el5.ppc64.rpm
kernel-devel-2.6.18-53.1.14.el5.ppc64.rpm
kernel-headers-2.6.18-53.1.14.el5.ppc.rpm
kernel-headers-2.6.18-53.1.14.el5.ppc64.rpm
kernel-kdump-2.6.18-53.1.14.el5.ppc64.rpm
kernel-kdump-debuginfo-2.6.18-53.1.14.el5.ppc64.rpm
kernel-kdump-devel-2.6.18-53.1.14.el5.ppc64.rpm

s390x:
kernel-2.6.18-53.1.14.el5.s390x.rpm
kernel-debug-2.6.18-53.1.14.el5.s390x.rpm
kernel-debug-debuginfo-2.6.18-53.1.14.el5.s390x.rpm
kernel-debug-devel-2.6.18-53.1.14.el5.s390x.rpm
kernel-debuginfo-2.6.18-53.1.14.el5.s390x.rpm
kernel-debuginfo-common-2.6.18-53.1.14.el5.s390x.rpm
kernel-devel-2.6.18-53.1.14.el5.s390x.rpm
kernel-headers-2.6.18-53.1.14.el5.s390x.rpm

x86_64:
kernel-2.6.18-53.1.14.el5.x86_64.rpm
kernel-debug-2.6.18-53.1.14.el5.x86_64.rpm
kernel-debug-debuginfo-2.6.18-53.1.14.el5.x86_64.rpm
kernel-debug-devel-2.6.18-53.1.14.el5.x86_64.rpm
kernel-debuginfo-2.6.18-53.1.14.el5.x86_64.rpm
kernel-debuginfo-common-2.6.18-53.1.14.el5.x86_64.rpm
kernel-devel-2.6.18-53.1.14.el5.x86_64.rpm
kernel-headers-2.6.18-53.1.14.el5.x86_64.rpm
kernel-xen-2.6.18-53.1.14.el5.x86_64.rpm
kernel-xen-debuginfo-2.6.18-53.1.14.el5.x86_64.rpm
kernel-xen-devel-2.6.18-53.1.14.el5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6921
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5938
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6063
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6207
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6694
http://www.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2008 Red Hat, Inc.
From bugzilla at redhat.com Thu Mar 6 22:17:43 2008
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 6 Mar 2008 17:17:43 -0500
Subject: [RHSA-2008:0186-01] Critical: java-1.5.0-sun security update
Message-ID: <200803062217.m26MHhFQ013885@pobox.devel.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: java-1.5.0-sun security update
Advisory ID:       RHSA-2008:0186-01
Product:           Red Hat Enterprise Linux Extras
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2008-0186.html
Issue date:        2008-03-06
CVE Names:         CVE-2008-1185 CVE-2008-1186 CVE-2008-1187 CVE-2008-1188
                   CVE-2008-1189 CVE-2008-1190 CVE-2008-1191 CVE-2008-1192
                   CVE-2008-1193 CVE-2008-1194 CVE-2008-1195 CVE-2008-1196
=====================================================================

1. Summary:

Updated java-1.5.0-sun packages that correct several security issues are
now available for Red Hat Enterprise Linux 4 Extras and 5 Supplementary.

This update has been rated as having critical security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 Extras - i386, x86_64
Red Hat Desktop version 4 Extras - i386, x86_64
Red Hat Enterprise Linux ES version 4 Extras - i386, x86_64
Red Hat Enterprise Linux WS version 4 Extras - i386, x86_64
RHEL Desktop Supplementary (v. 5 client) - i386, x86_64
RHEL Supplementary (v. 5 server) - i386, x86_64

3. Description:

The Java Runtime Environment (JRE) contains the software and tools that
users need to run applets and applications written using the Java
programming language.

Flaws in the JRE allowed an untrusted application or applet to elevate
its privileges. This could be exploited by a remote attacker to access
local files or execute local applications accessible to the user running
the JRE. (CVE-2008-1185, CVE-2008-1186)

A flaw was found in the Java XSLT processing classes. An untrusted
application or applet could cause a denial of service, or execute
arbitrary code with the permissions of the user running the JRE.
(CVE-2008-1187)

Several buffer overflow flaws were found in Java Web Start (JWS). An
untrusted JNLP application could access local files or execute local
applications accessible to the user running the JRE. (CVE-2008-1188,
CVE-2008-1189, CVE-2008-1190, CVE-2008-1191, CVE-2008-1196)

A flaw was found in the Java Plug-in. A remote attacker could bypass the
same origin policy, executing arbitrary code with the permissions of the
user running the JRE. (CVE-2008-1192)

A flaw was found in the JRE image parsing libraries. An untrusted
application or applet could cause a denial of service, or possibly
execute arbitrary code with the permissions of the user running the JRE.
(CVE-2008-1193)

A flaw was found in the JRE color management library. An untrusted
application or applet could trigger a denial of service (JVM crash).
(CVE-2008-1194)

The JRE allowed untrusted JavaScript code to create local network
connections by the use of Java APIs. A remote attacker could use this
flaw to access local network services. (CVE-2008-1195)

This update also fixes an issue where the Java Plug-in is not available
for browser use after successful installation.

Users of java-1.5.0-sun should upgrade to these updated packages, which
correct these issues.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

5. Bugs fixed (http://bugzilla.redhat.com/):

436029 - CVE-2008-1185 Untrusted applet and application privilege escalation (CVE-2008-1186)
436030 - CVE-2008-1187 Untrusted applet and application XSLT processing privilege escalation
436293 - CVE-2008-1188 Buffer overflow security vulnerabilities in Java Web Start (CVE-2008-1189, CVE-2008-1190, CVE-2008-1191)
436295 - CVE-2008-1192 Java Plugin same-origin-policy bypass
436296 - CVE-2008-1193 JRE image parsing library allows privilege escalation (CVE-2008-1194)
436299 - CVE-2008-1195 Java-API calls in untrusted Javascript allow network privilege escalation
436302 - CVE-2008-1196 Buffer overflow security vulnerabilities in Java Web Start

6. Package List:

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1185
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1186
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1187
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1188
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1189
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1190
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1191
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1192
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1193
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1194
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1195
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1196
http://sunsolve.sun.com/search/document.do?assetkey=1-66-233321-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-233322-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-233323-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-233324-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-233325-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-233326-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-233327-1
http://www.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is . More contact details at
https://www.redhat.com/security/team/contact/

Copyright 2008 Red Hat, Inc.

From bugzilla at redhat.com Tue Mar 11 10:56:14 2008
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 11 Mar 2008 06:56:14 -0400
Subject: [RHSA-2008:0042-01] Moderate: tomcat security update
Message-ID: <200803111056.m2BAuEIZ026283@pobox.devel.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: tomcat security update
Advisory ID:       RHSA-2008:0042-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2008-0042.html
Issue date:        2008-03-11
Keywords:          Security
CVE Names:         CVE-2007-5461 CVE-2007-5342
=====================================================================

1. Summary:

Updated tomcat packages that fix security issues and bugs are now
available for Red Hat Enterprise Linux 5.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64

3. Description:

Tomcat is a servlet container for Java Servlet and JavaServer Pages
technologies.

A directory traversal vulnerability existed in the Apache Tomcat webdav
servlet. In some configurations it allowed remote authenticated users to
read files accessible to the local tomcat process. (CVE-2007-5461)

The default security policy in the JULI logging component did not
restrict access permissions to files. This could be misused by untrusted
web applications to access and write arbitrary files in the context of
the tomcat process. (CVE-2007-5342)

Users of Tomcat should update to these errata packages, which contain
backported patches and are not vulnerable to these issues.

4. Solution:

This update is available via Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

5. Bugs fixed (http://bugzilla.redhat.com/):

333791 - CVE-2007-5461 Absolute path traversal Apache Tomcat WEBDAV
427216 - CVE-2007-5342 Apache Tomcat's default security policy is too open

6. Package List:

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5461
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5342
http://www.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at
https://www.redhat.com/security/team/contact/

Copyright 2008 Red Hat, Inc.
From bugzilla at redhat.com Tue Mar 11 14:12:06 2008
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 11 Mar 2008 10:12:06 -0400
Subject: [RHSA-2008:0100-01] Moderate: java-1.4.2-bea security update
Message-ID: <200803111412.m2BEC6ll025889@pobox.devel.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: java-1.4.2-bea security update
Advisory ID:       RHSA-2008:0100-01
Product:           Red Hat Enterprise Linux Extras
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2008-0100.html
Issue date:        2008-03-11
Keywords:          Security
CVE Names:         CVE-2007-4381 CVE-2007-2788 CVE-2007-2789 CVE-2007-3698
                   CVE-2007-5232 CVE-2007-5240 CVE-2007-5273 CVE-2007-5239
=====================================================================

1. Summary:

Updated java-1.4.2-bea packages that correct several security issues and
add enhancements are now available for Red Hat Enterprise Linux 3 Extras,
Red Hat Enterprise Linux 4 Extras, and Red Hat Enterprise Linux 5
Supplementary.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 3 Extras - i386, ia64
Red Hat Desktop version 3 Extras - i386
Red Hat Enterprise Linux ES version 3 Extras - i386, ia64
Red Hat Enterprise Linux WS version 3 Extras - i386, ia64
Red Hat Enterprise Linux AS version 4 Extras - i386, ia64, x86_64
Red Hat Desktop version 4 Extras - i386, x86_64
Red Hat Enterprise Linux ES version 4 Extras - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 Extras - i386, ia64, x86_64
RHEL Desktop Supplementary (v. 5 client) - i386, x86_64
RHEL Supplementary (v. 5 server) - i386, ia64, x86_64

3. Description:

The BEA WebLogic JRockit 1.4.2_16 JRE and SDK contain the BEA WebLogic
JRockit Virtual Machine 1.4.2_16 and are certified for the Java 2
Platform, Standard Edition, v1.4.2.

A buffer overflow in the Java Runtime Environment image handling code was
found. If an attacker could induce a server application to process a
specially crafted image file, the attacker could potentially cause a
denial of service or execute arbitrary code as the user running the Java
Virtual Machine. (CVE-2007-2788, CVE-2007-2789)

A denial of service flaw was found in the way the JSSE component
processed SSL/TLS handshake requests. A remote attacker able to connect
to a JSSE enabled service could send a specially crafted handshake which
would cause the Java Runtime Environment to stop responding to future
requests. (CVE-2007-3698)

A flaw was found in the way the Java Runtime Environment processed font
data. An applet viewed via the "appletviewer" application could elevate
its privileges, allowing the applet to perform actions with the same
permissions as the user running the "appletviewer" application. The same
flaw could, potentially, crash a server application which processed
untrusted font information from a third party. (CVE-2007-4381)

A flaw in the applet caching mechanism of the Java Runtime Environment
(JRE) did not correctly process the creation of network connections. A
remote attacker could use this flaw to create connections to services on
machines other than the one that the applet was downloaded from.
(CVE-2007-5232)

Untrusted Java Applets were able to drag and drop files to a desktop
application. A user-assisted remote attacker could use this flaw to move
or copy arbitrary files. (CVE-2007-5239)

The Java Runtime Environment (JRE) allowed untrusted Java Applets or
applications to display over-sized windows. This could be used by remote
attackers to hide security warning banners. (CVE-2007-5240)

Unsigned Java Applets communicating via an HTTP proxy could allow a
remote attacker to violate the Java security model. A cached, malicious
Applet could create network connections to services on other machines.
(CVE-2007-5273)

Please note: the applet-related vulnerabilities noted above can only be
triggered in java-1.4.2-bea by calling the "appletviewer" application.

All users of java-1.4.2-bea should upgrade to these updated packages,
which contain the BEA WebLogic JRockit 1.4.2_16 release that resolves
these issues.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

5. Bugs fixed (http://bugzilla.redhat.com/):

249539 - CVE-2007-3698 Java Secure Socket Extension Does Not Correctly Process SSL/TLS Handshake Requests Resulting in a Denial of Service (DoS) Condition
250725 - CVE-2007-2788 Integer overflow in the embedded ICC profile image parser in Sun Java Development Kit
250729 - CVE-2007-2789 BMP image parser vulnerability
253488 - CVE-2007-4381 java: Vulnerability in the font parsing code
321951 - CVE-2007-5232 Security Vulnerability in Java Runtime Environment With Applet Caching
321991 - CVE-2007-5240 Applets or Applications are allowed to display an oversized window
324351 - CVE-2007-5273 Anti-DNS Pinning and Java Applets with HTTP proxy

6. Package List:

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4381
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2788
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2789
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3698
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5232
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5240
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5273
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5239
http://dev2dev.bea.com/pub/advisory/249
http://dev2dev.bea.com/pub/advisory/248
http://dev2dev.bea.com/pub/advisory/272
http://www.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at
https://www.redhat.com/security/team/contact/

Copyright 2008 Red Hat, Inc.
From bugzilla at redhat.com Fri Mar 14 10:32:07 2008
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Fri, 14 Mar 2008 06:32:07 -0400
Subject: [RHSA-2008:0167-01] Moderate: kernel security and bug fix update
Message-ID: <200803141032.m2EAW7qA023935@pobox.devel.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: kernel security and bug fix update
Advisory ID:       RHSA-2008:0167-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2008-0167.html
Issue date:        2008-03-14
CVE Names:         CVE-2007-5904
=====================================================================

1. Summary:

Updated kernel packages that fix various security issues and several
bugs are now available for Red Hat Enterprise Linux 4.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 - i386, ia64, noarch, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, noarch, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, noarch, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, noarch, x86_64

3. Description:

The kernel packages contain the Linux kernel, the core of any Linux
operating system.

A buffer overflow flaw was found in the CIFS virtual file system. A
remote authenticated user could issue a request that could lead to a
denial of service. (CVE-2007-5904, Moderate)

As well, these updated packages fix the following bugs:

* a bug was found in the Linux kernel audit subsystem. When the audit
daemon was set up to log the execve system call with a large number of
arguments, the kernel could run out of memory while attempting to create
audit log messages. This could cause a kernel panic. In these updated
packages, large audit messages are split into acceptable sizes, which
resolves this issue.

* on certain Intel chipsets, it was not possible to load the acpiphp
module using the "modprobe acpiphp" command. Because the acpiphp module
did not recurse across PCI bridges, hardware detection for PCI hot plug
slots failed. In these updated packages, hardware detection works
correctly.

* on IBM System z architectures that run the IBM z/VM hypervisor, the IBM
eServer zSeries HiperSockets network interface (layer 3) allowed ARP
packets to be sent and received, even when the "NOARP" flag was set.
These ARP packets caused problems for virtual machines.

* it was possible for the iounmap function to sleep while holding a
lock. This may have caused a deadlock for drivers and other code that
uses the iounmap function. In these updated packages, the lock is dropped
before the sleep code is called, which resolves this issue.

Red Hat Enterprise Linux 4 users are advised to upgrade to these updated
packages, which contain backported patches to resolve these issues.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

5. Bugs fixed (http://bugzilla.redhat.com/):

372701 - CVE-2007-5904 Buffer overflow in CIFS VFS
427393 - audit: Logging execve arguments, out of memory in audit_expand
428174 - ACPIPHP.ko will not load : RHEL4.x and RHEL5.0 on X8450 (Intel 4 socket Quad Core) but will load on RHEL5.1
430670 - LTC39262-qeth: HiperSockets layer-3 interface to drop non-IP packets
433267 - [Stratus 4.6.z bug] iounmap may sleep while holding vmlist_lock, causing a deadlock.

6. Package List:
kernel-devel-2.6.9-67.0.7.EL.x86_64.rpm kernel-largesmp-2.6.9-67.0.7.EL.x86_64.rpm kernel-largesmp-devel-2.6.9-67.0.7.EL.x86_64.rpm kernel-smp-2.6.9-67.0.7.EL.x86_64.rpm kernel-smp-devel-2.6.9-67.0.7.EL.x86_64.rpm kernel-xenU-2.6.9-67.0.7.EL.x86_64.rpm kernel-xenU-devel-2.6.9-67.0.7.EL.x86_64.rpm Red Hat Enterprise Linux WS version 4: Source: ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/kernel-2.6.9-67.0.7.EL.src.rpm i386: kernel-2.6.9-67.0.7.EL.i686.rpm kernel-debuginfo-2.6.9-67.0.7.EL.i686.rpm kernel-devel-2.6.9-67.0.7.EL.i686.rpm kernel-hugemem-2.6.9-67.0.7.EL.i686.rpm kernel-hugemem-devel-2.6.9-67.0.7.EL.i686.rpm kernel-smp-2.6.9-67.0.7.EL.i686.rpm kernel-smp-devel-2.6.9-67.0.7.EL.i686.rpm kernel-xenU-2.6.9-67.0.7.EL.i686.rpm kernel-xenU-devel-2.6.9-67.0.7.EL.i686.rpm ia64: kernel-2.6.9-67.0.7.EL.ia64.rpm kernel-debuginfo-2.6.9-67.0.7.EL.ia64.rpm kernel-devel-2.6.9-67.0.7.EL.ia64.rpm kernel-largesmp-2.6.9-67.0.7.EL.ia64.rpm kernel-largesmp-devel-2.6.9-67.0.7.EL.ia64.rpm noarch: kernel-doc-2.6.9-67.0.7.EL.noarch.rpm x86_64: kernel-2.6.9-67.0.7.EL.x86_64.rpm kernel-debuginfo-2.6.9-67.0.7.EL.x86_64.rpm kernel-devel-2.6.9-67.0.7.EL.x86_64.rpm kernel-largesmp-2.6.9-67.0.7.EL.x86_64.rpm kernel-largesmp-devel-2.6.9-67.0.7.EL.x86_64.rpm kernel-smp-2.6.9-67.0.7.EL.x86_64.rpm kernel-smp-devel-2.6.9-67.0.7.EL.x86_64.rpm kernel-xenU-2.6.9-67.0.7.EL.x86_64.rpm kernel-xenU-devel-2.6.9-67.0.7.EL.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package 7. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5904 http://www.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/ Copyright 2008 Red Hat, Inc. 
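Editor's note, added example (not Red Hat tooling and not part of the advisory): the package list above names the fixed build per architecture, and the practical question for anyone reading it is which installed hosts are still below that build. The same check applies to the krb5 advisories that follow on this page. The Python below embeds a constructed excerpt of this advisory's x86_64 package list and a constructed `rpm -qa` sample from a hypothetical RHEL 4 host, reimplements the segment-wise version comparison that RPM's rpmvercmp uses (so that 67.0.7.EL correctly sorts above 67.0.4.EL and above 67.EL), and reports every advisory package whose newest installed build is older than the fixed one. All function names, the excerpt and the sample output are the editor's; nothing here queries a real system.

```python
import re

# Constructed excerpt of this advisory's package list (the x86_64 part of
# "Red Hat Enterprise Linux AS version 4"), embedded so the example runs offline.
ADVISORY_EXCERPT = """
6. Package List:
Red Hat Enterprise Linux AS version 4:
Source: ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/kernel-2.6.9-67.0.7.EL.src.rpm
x86_64:
kernel-2.6.9-67.0.7.EL.x86_64.rpm
kernel-debuginfo-2.6.9-67.0.7.EL.x86_64.rpm
kernel-devel-2.6.9-67.0.7.EL.x86_64.rpm
kernel-largesmp-2.6.9-67.0.7.EL.x86_64.rpm
kernel-smp-2.6.9-67.0.7.EL.x86_64.rpm
kernel-xenU-2.6.9-67.0.7.EL.x86_64.rpm
"""

# Constructed `rpm -qa` output for a hypothetical RHEL 4 x86_64 host. Several
# kernel builds installed side by side is normal; only the newest one counts.
RPM_QA_SAMPLE = """
kernel-2.6.9-67.0.4.EL.x86_64
kernel-2.6.9-55.0.12.EL.x86_64
kernel-devel-2.6.9-67.0.4.EL.x86_64
kernel-smp-2.6.9-67.0.7.EL.x86_64
glibc-2.3.4-2.41.x86_64
"""

_SEGMENT = re.compile(r"([0-9]+)|([A-Za-z]+)")


def rpmvercmp(a, b):
    """Order two RPM version or release strings the way rpmvercmp(3) does:
    split each into runs of digits and runs of letters (separators such as
    '.' and '_' only delimit), compare digit runs numerically and letter runs
    lexically, treat a digit run as newer than a letter run in the same
    position, and let the string with segments left over win a tie.
    Returns -1, 0 or 1."""
    if a == b:
        return 0
    sa = [(m.group(1), m.group(2)) for m in _SEGMENT.finditer(a)]
    sb = [(m.group(1), m.group(2)) for m in _SEGMENT.finditer(b)]
    for (num_a, alpha_a), (num_b, alpha_b) in zip(sa, sb):
        if num_a is not None and num_b is not None:
            ia, ib = int(num_a), int(num_b)      # int() drops leading zeros
            if ia != ib:
                return 1 if ia > ib else -1
        elif num_a is not None:                  # numeric beats alphabetic
            return 1
        elif num_b is not None:
            return -1
        elif alpha_a != alpha_b:
            return 1 if alpha_a > alpha_b else -1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1


def split_nvra(pkg):
    """'kernel-smp-2.6.9-67.0.7.EL.x86_64[.rpm]' ->
    ('kernel-smp', '2.6.9', '67.0.7.EL', 'x86_64').
    Neither RPM file names nor default `rpm -qa` output carry the epoch,
    so epochs are assumed equal here."""
    if pkg.endswith(".rpm"):
        pkg = pkg[:-4]
    nvr, arch = pkg.rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch


def compare_vr(version_a, release_a, version_b, release_b):
    """Compare version first, release only on a tie (RPM's EVR order)."""
    c = rpmvercmp(version_a, version_b)
    return c if c else rpmvercmp(release_a, release_b)


def advisory_packages(text):
    """Map (name, arch) -> (version, release) for every binary RPM named in
    an advisory package list; the .src.rpm entries are skipped."""
    fixed = {}
    for fname in re.findall(r"[\w.+-]+\.rpm", text):
        name, version, release, arch = split_nvra(fname)
        if arch != "src":
            fixed[(name, arch)] = (version, release)
    return fixed


def find_unpatched(rpm_qa_output, advisory_text):
    """Return [(installed_nvra, fixed_nvra), ...] for every advisory package
    whose newest installed build is older than the fixed build. Packages
    not named by the advisory are ignored."""
    fixed = advisory_packages(advisory_text)
    newest = {}
    for entry in rpm_qa_output.split():
        name, version, release, arch = split_nvra(entry)
        key = (name, arch)
        if key not in fixed:
            continue
        if key not in newest or compare_vr(version, release, *newest[key]) > 0:
            newest[key] = (version, release)
    unpatched = []
    for (name, arch), (version, release) in sorted(newest.items()):
        fixed_version, fixed_release = fixed[(name, arch)]
        if compare_vr(version, release, fixed_version, fixed_release) < 0:
            unpatched.append((f"{name}-{version}-{release}.{arch}",
                              f"{name}-{fixed_version}-{fixed_release}.{arch}"))
    return unpatched


if __name__ == "__main__":
    for installed, needed in find_unpatched(RPM_QA_SAMPLE, ADVISORY_EXCERPT):
        print(f"{installed}: update to {needed}")
```

On a real host, feed the output of `rpm -qa` and the advisory text to find_unpatched. Two caveats that the comparison alone cannot catch: an installed kernel-2.6.9-67.0.7.EL is not a running one, so also compare `uname -r` with the fixed release and reboot after the update; and the advisory's GPG note applies before installation, so verify downloaded packages with `rpm --checksig` against the Red Hat key rather than trusting the file name.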
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFH2lQUXlSAg2UNWIIRAtHfAJ0eXxcyg7VQ5j9X64fhhP8r85qmsQCfSXAx
ORFFtp6yUG1v+FQS1yJIwr0=
=zEqZ
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Tue Mar 18 19:42:16 2008
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 18 Mar 2008 15:42:16 -0400
Subject: [RHSA-2008:0164-01] Critical: krb5 security and bugfix update
Message-ID: <200803181942.m2IJgGwf006850@pobox.devel.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Critical: krb5 security and bugfix update
Advisory ID: RHSA-2008:0164-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2008-0164.html
Issue date: 2008-03-18
CVE Names: CVE-2007-5901 CVE-2007-5971 CVE-2008-0062 CVE-2008-0063 CVE-2008-0947
=====================================================================

1. Summary:

Updated krb5 packages that resolve several issues and fix multiple bugs are now available for Red Hat Enterprise Linux 5.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64

3. Description:

Kerberos is a network authentication system which allows clients and servers to authenticate to each other through use of symmetric encryption and a trusted third party, the KDC.

A flaw was found in the way the MIT Kerberos Authentication Service and Key Distribution Center server (krb5kdc) handled Kerberos v4 protocol packets. An unauthenticated remote attacker could use this flaw to crash the krb5kdc daemon, disclose portions of its memory, or possibly execute arbitrary code using malformed or truncated Kerberos v4 protocol requests. (CVE-2008-0062, CVE-2008-0063)

This issue only affected krb5kdc with Kerberos v4 protocol compatibility enabled, which is the default setting on Red Hat Enterprise Linux 4. Kerberos v4 protocol support can be disabled by adding "v4_mode=none" (without the quotes) to the "[kdcdefaults]" section of /var/kerberos/krb5kdc/kdc.conf.

Jeff Altman of Secure Endpoints discovered a flaw in the RPC library as used by MIT Kerberos kadmind server. An unauthenticated remote attacker could use this flaw to crash kadmind or possibly execute arbitrary code. This issue only affected systems with certain resource limits configured and did not affect systems using default resource limits used by Red Hat Enterprise Linux 5. (CVE-2008-0947)

Red Hat would like to thank MIT for reporting these issues.

Multiple memory management flaws were discovered in the GSSAPI library used by MIT Kerberos. These flaws could possibly result in use of already freed memory or an attempt to free already freed memory blocks (double-free flaw), possibly causing a crash or arbitrary code execution. (CVE-2007-5901, CVE-2007-5971)

In addition to the security issues resolved above, the following bugs were also fixed:

* delegated krb5 credentials were not properly stored when SPNEGO was the underlying mechanism during GSSAPI authentication. Consequently, applications attempting to copy delegated Kerberos 5 credentials into a credential cache received an "Invalid credential was supplied" message rather than a copy of the delegated credentials. With this update, SPNEGO credentials can be properly searched, allowing applications to copy delegated credentials as expected.

* applications can initiate context acceptance (via gss_accept_sec_context) without passing a ret_flags value that would indicate that credentials were delegated. A delegated credential handle should have been returned in such instances. This updated package adds a temp_ret_flag that stores the credential status in the event no other ret_flags value is passed by an application calling gss_accept_sec_context.

* kpasswd did not fall back to TCP on receipt of certain errors, or when a packet was too big for UDP. This update corrects this.

* when the libkrb5 password-routine generated a set-password or change-password request, incorrect sequence numbers were generated for all requests subsequent to the first request. This caused password change requests to fail if the primary server was unavailable. This updated package corrects this by saving the sequence number value after the AP-REQ data is built and restoring this value before the request is generated.

* when a user's password expired, kinit would not prompt that user to change the password, instead simply informing the user their password had expired. This update corrects this behavior: kinit now prompts for a new password to be set when a password has expired.

All krb5 users are advised to upgrade to these updated packages, which contain backported fixes to address these vulnerabilities and fix these bugs.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/FAQ_58_10188

5. Bugs fixed (http://bugzilla.redhat.com/):

415321 - CVE-2007-5901 krb5: use-after-free in gssapi lib
415351 - CVE-2007-5971 krb5: double free in gssapi lib
432620 - CVE-2008-0062 krb5: uninitialized pointer use in krb5kdc
432621 - CVE-2008-0063 krb5: possible leak of sensitive data from krb5kdc using krb4 request
433596 - CVE-2008-0947 krb5: file descriptor array overflow in RPC library
436460 - gss_krb5_copy_ccache can't find delegated Kerberos creds when using SPNEGO
436465 - gss_init_sec_context() mechglue wrapper doesn't handle ret_flags right
436467 - kpasswd does not fallback to tcp
436468 - krb5 password changing uses incorrect sequence numbers for every server but the first
436470 - kinit does not automatically start a password change when password is expired

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/krb5-1.6.1-17.el5_1.1.src.rpm

i386:
krb5-debuginfo-1.6.1-17.el5_1.1.i386.rpm
krb5-libs-1.6.1-17.el5_1.1.i386.rpm
krb5-workstation-1.6.1-17.el5_1.1.i386.rpm

x86_64:
krb5-debuginfo-1.6.1-17.el5_1.1.i386.rpm
krb5-debuginfo-1.6.1-17.el5_1.1.x86_64.rpm
krb5-libs-1.6.1-17.el5_1.1.i386.rpm
krb5-libs-1.6.1-17.el5_1.1.x86_64.rpm
krb5-workstation-1.6.1-17.el5_1.1.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/krb5-1.6.1-17.el5_1.1.src.rpm

i386:
krb5-debuginfo-1.6.1-17.el5_1.1.i386.rpm
krb5-devel-1.6.1-17.el5_1.1.i386.rpm
krb5-server-1.6.1-17.el5_1.1.i386.rpm

x86_64:
krb5-debuginfo-1.6.1-17.el5_1.1.i386.rpm
krb5-debuginfo-1.6.1-17.el5_1.1.x86_64.rpm
krb5-devel-1.6.1-17.el5_1.1.i386.rpm
krb5-devel-1.6.1-17.el5_1.1.x86_64.rpm
krb5-server-1.6.1-17.el5_1.1.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/krb5-1.6.1-17.el5_1.1.src.rpm

i386:
krb5-debuginfo-1.6.1-17.el5_1.1.i386.rpm
krb5-devel-1.6.1-17.el5_1.1.i386.rpm
krb5-libs-1.6.1-17.el5_1.1.i386.rpm
krb5-server-1.6.1-17.el5_1.1.i386.rpm
krb5-workstation-1.6.1-17.el5_1.1.i386.rpm

ia64:
krb5-debuginfo-1.6.1-17.el5_1.1.i386.rpm
krb5-debuginfo-1.6.1-17.el5_1.1.ia64.rpm
krb5-devel-1.6.1-17.el5_1.1.ia64.rpm
krb5-libs-1.6.1-17.el5_1.1.i386.rpm
krb5-libs-1.6.1-17.el5_1.1.ia64.rpm
krb5-server-1.6.1-17.el5_1.1.ia64.rpm
krb5-workstation-1.6.1-17.el5_1.1.ia64.rpm

ppc:
krb5-debuginfo-1.6.1-17.el5_1.1.ppc.rpm
krb5-debuginfo-1.6.1-17.el5_1.1.ppc64.rpm
krb5-devel-1.6.1-17.el5_1.1.ppc.rpm
krb5-devel-1.6.1-17.el5_1.1.ppc64.rpm
krb5-libs-1.6.1-17.el5_1.1.ppc.rpm
krb5-libs-1.6.1-17.el5_1.1.ppc64.rpm
krb5-server-1.6.1-17.el5_1.1.ppc.rpm
krb5-workstation-1.6.1-17.el5_1.1.ppc.rpm

s390x:
krb5-debuginfo-1.6.1-17.el5_1.1.s390.rpm
krb5-debuginfo-1.6.1-17.el5_1.1.s390x.rpm
krb5-devel-1.6.1-17.el5_1.1.s390.rpm
krb5-devel-1.6.1-17.el5_1.1.s390x.rpm
krb5-libs-1.6.1-17.el5_1.1.s390.rpm
krb5-libs-1.6.1-17.el5_1.1.s390x.rpm
krb5-server-1.6.1-17.el5_1.1.s390x.rpm
krb5-workstation-1.6.1-17.el5_1.1.s390x.rpm

x86_64:
krb5-debuginfo-1.6.1-17.el5_1.1.i386.rpm
krb5-debuginfo-1.6.1-17.el5_1.1.x86_64.rpm
krb5-devel-1.6.1-17.el5_1.1.i386.rpm
krb5-devel-1.6.1-17.el5_1.1.x86_64.rpm
krb5-libs-1.6.1-17.el5_1.1.i386.rpm
krb5-libs-1.6.1-17.el5_1.1.x86_64.rpm
krb5-server-1.6.1-17.el5_1.1.x86_64.rpm
krb5-workstation-1.6.1-17.el5_1.1.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5901
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5971
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0062
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0063
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0947
http://www.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2008 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFH4BsWXlSAg2UNWIIRAgIjAKC3Y/Uio/XeDWRBEALkK8wMvbOqMQCfbiIT
jxP6baLdyLdts1AGuvCZc/Q=
=Xdyg
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Tue Mar 18 19:42:24 2008
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 18 Mar 2008 15:42:24 -0400
Subject: [RHSA-2008:0180-01] Critical: krb5 security update
Message-ID: <200803181942.m2IJgOvl006854@pobox.devel.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Critical: krb5 security update
Advisory ID: RHSA-2008:0180-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2008-0180.html
Issue date: 2008-03-18
CVE Names: CVE-2007-5971 CVE-2008-0062 CVE-2008-0063
=====================================================================

1. Summary:

Updated krb5 packages that fix multiple security issues are now available for Red Hat Enterprise Linux 4.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

3. Description:

Kerberos is a network authentication system which allows clients and servers to authenticate to each other through use of symmetric encryption and a trusted third party, the KDC.

A flaw was found in the way the MIT Kerberos Authentication Service and Key Distribution Center server (krb5kdc) handled Kerberos v4 protocol packets. An unauthenticated remote attacker could use this flaw to crash the krb5kdc daemon, disclose portions of its memory, or possibly execute arbitrary code using malformed or truncated Kerberos v4 protocol requests. (CVE-2008-0062, CVE-2008-0063)

This issue only affected krb5kdc with Kerberos v4 protocol compatibility enabled, which is the default setting on Red Hat Enterprise Linux 4. Kerberos v4 protocol support can be disabled by adding "v4_mode=none" (without the quotes) to the "[kdcdefaults]" section of /var/kerberos/krb5kdc/kdc.conf.

Red Hat would like to thank MIT for reporting these issues.

A double-free flaw was discovered in the GSSAPI library used by MIT Kerberos. This flaw could possibly cause a crash of the application using the GSSAPI library. (CVE-2007-5971)

All krb5 users are advised to update to these erratum packages which contain backported fixes to correct these issues.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/FAQ_58_10188

5. Bugs fixed (http://bugzilla.redhat.com/):

415351 - CVE-2007-5971 krb5: double free in gssapi lib
432620 - CVE-2008-0062 krb5: uninitialized pointer use in krb5kdc
432621 - CVE-2008-0063 krb5: possible leak of sensitive data from krb5kdc using krb4 request

6. Package List:

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/krb5-1.3.4-54.el4_6.1.src.rpm

i386:
krb5-debuginfo-1.3.4-54.el4_6.1.i386.rpm
krb5-devel-1.3.4-54.el4_6.1.i386.rpm
krb5-libs-1.3.4-54.el4_6.1.i386.rpm
krb5-server-1.3.4-54.el4_6.1.i386.rpm
krb5-workstation-1.3.4-54.el4_6.1.i386.rpm

ia64:
krb5-debuginfo-1.3.4-54.el4_6.1.i386.rpm
krb5-debuginfo-1.3.4-54.el4_6.1.ia64.rpm
krb5-devel-1.3.4-54.el4_6.1.ia64.rpm
krb5-libs-1.3.4-54.el4_6.1.i386.rpm
krb5-libs-1.3.4-54.el4_6.1.ia64.rpm
krb5-server-1.3.4-54.el4_6.1.ia64.rpm
krb5-workstation-1.3.4-54.el4_6.1.ia64.rpm

ppc:
krb5-debuginfo-1.3.4-54.el4_6.1.ppc.rpm
krb5-debuginfo-1.3.4-54.el4_6.1.ppc64.rpm
krb5-devel-1.3.4-54.el4_6.1.ppc.rpm
krb5-libs-1.3.4-54.el4_6.1.ppc.rpm
krb5-libs-1.3.4-54.el4_6.1.ppc64.rpm
krb5-server-1.3.4-54.el4_6.1.ppc.rpm
krb5-workstation-1.3.4-54.el4_6.1.ppc.rpm

s390:
krb5-debuginfo-1.3.4-54.el4_6.1.s390.rpm
krb5-devel-1.3.4-54.el4_6.1.s390.rpm
krb5-libs-1.3.4-54.el4_6.1.s390.rpm
krb5-server-1.3.4-54.el4_6.1.s390.rpm
krb5-workstation-1.3.4-54.el4_6.1.s390.rpm

s390x:
krb5-debuginfo-1.3.4-54.el4_6.1.s390.rpm
krb5-debuginfo-1.3.4-54.el4_6.1.s390x.rpm
krb5-devel-1.3.4-54.el4_6.1.s390x.rpm
krb5-libs-1.3.4-54.el4_6.1.s390.rpm
krb5-libs-1.3.4-54.el4_6.1.s390x.rpm
krb5-server-1.3.4-54.el4_6.1.s390x.rpm
krb5-workstation-1.3.4-54.el4_6.1.s390x.rpm

x86_64:
krb5-debuginfo-1.3.4-54.el4_6.1.i386.rpm
krb5-debuginfo-1.3.4-54.el4_6.1.x86_64.rpm
krb5-devel-1.3.4-54.el4_6.1.x86_64.rpm
krb5-libs-1.3.4-54.el4_6.1.i386.rpm
krb5-libs-1.3.4-54.el4_6.1.x86_64.rpm
krb5-server-1.3.4-54.el4_6.1.x86_64.rpm
krb5-workstation-1.3.4-54.el4_6.1.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/krb5-1.3.4-54.el4_6.1.src.rpm

i386:
krb5-debuginfo-1.3.4-54.el4_6.1.i386.rpm
krb5-devel-1.3.4-54.el4_6.1.i386.rpm
krb5-libs-1.3.4-54.el4_6.1.i386.rpm
krb5-server-1.3.4-54.el4_6.1.i386.rpm
krb5-workstation-1.3.4-54.el4_6.1.i386.rpm

x86_64:
krb5-debuginfo-1.3.4-54.el4_6.1.i386.rpm
krb5-debuginfo-1.3.4-54.el4_6.1.x86_64.rpm
krb5-devel-1.3.4-54.el4_6.1.x86_64.rpm
krb5-libs-1.3.4-54.el4_6.1.i386.rpm
krb5-libs-1.3.4-54.el4_6.1.x86_64.rpm
krb5-server-1.3.4-54.el4_6.1.x86_64.rpm
krb5-workstation-1.3.4-54.el4_6.1.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/krb5-1.3.4-54.el4_6.1.src.rpm

i386:
krb5-debuginfo-1.3.4-54.el4_6.1.i386.rpm
krb5-devel-1.3.4-54.el4_6.1.i386.rpm
krb5-libs-1.3.4-54.el4_6.1.i386.rpm
krb5-server-1.3.4-54.el4_6.1.i386.rpm
krb5-workstation-1.3.4-54.el4_6.1.i386.rpm

ia64:
krb5-debuginfo-1.3.4-54.el4_6.1.i386.rpm
krb5-debuginfo-1.3.4-54.el4_6.1.ia64.rpm
krb5-devel-1.3.4-54.el4_6.1.ia64.rpm
krb5-libs-1.3.4-54.el4_6.1.i386.rpm
krb5-libs-1.3.4-54.el4_6.1.ia64.rpm
krb5-server-1.3.4-54.el4_6.1.ia64.rpm
krb5-workstation-1.3.4-54.el4_6.1.ia64.rpm

x86_64:
krb5-debuginfo-1.3.4-54.el4_6.1.i386.rpm
krb5-debuginfo-1.3.4-54.el4_6.1.x86_64.rpm
krb5-devel-1.3.4-54.el4_6.1.x86_64.rpm
krb5-libs-1.3.4-54.el4_6.1.i386.rpm
krb5-libs-1.3.4-54.el4_6.1.x86_64.rpm
krb5-server-1.3.4-54.el4_6.1.x86_64.rpm
krb5-workstation-1.3.4-54.el4_6.1.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/krb5-1.3.4-54.el4_6.1.src.rpm

i386:
krb5-debuginfo-1.3.4-54.el4_6.1.i386.rpm
krb5-devel-1.3.4-54.el4_6.1.i386.rpm
krb5-libs-1.3.4-54.el4_6.1.i386.rpm
krb5-server-1.3.4-54.el4_6.1.i386.rpm
krb5-workstation-1.3.4-54.el4_6.1.i386.rpm

ia64:
krb5-debuginfo-1.3.4-54.el4_6.1.i386.rpm
krb5-debuginfo-1.3.4-54.el4_6.1.ia64.rpm
krb5-devel-1.3.4-54.el4_6.1.ia64.rpm
krb5-libs-1.3.4-54.el4_6.1.i386.rpm
krb5-libs-1.3.4-54.el4_6.1.ia64.rpm
krb5-server-1.3.4-54.el4_6.1.ia64.rpm
krb5-workstation-1.3.4-54.el4_6.1.ia64.rpm

x86_64:
krb5-debuginfo-1.3.4-54.el4_6.1.i386.rpm
krb5-debuginfo-1.3.4-54.el4_6.1.x86_64.rpm
krb5-devel-1.3.4-54.el4_6.1.x86_64.rpm
krb5-libs-1.3.4-54.el4_6.1.i386.rpm
krb5-libs-1.3.4-54.el4_6.1.x86_64.rpm
krb5-server-1.3.4-54.el4_6.1.x86_64.rpm
krb5-workstation-1.3.4-54.el4_6.1.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5971
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0062
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0063
http://www.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2008 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFH4BseXlSAg2UNWIIRAoVaAJoDUUNDU1IkiukcpsxLFuBgulbB7QCdGym5
EGvfGMrlx+c408b2A/xHVQg=
=uNP0
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Tue Mar 18 19:42:30 2008
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 18 Mar 2008 15:42:30 -0400
Subject: [RHSA-2008:0181-01] Critical: krb5 security update
Message-ID: <200803181942.m2IJgUAD006870@pobox.devel.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Critical: krb5 security update
Advisory ID: RHSA-2008:0181-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2008-0181.html
Issue date: 2008-03-18
CVE Names: CVE-2008-0062 CVE-2008-0063 CVE-2008-0948
=====================================================================

1. Summary:

Updated krb5 packages that fix multiple security issues are now available for Red Hat Enterprise Linux 2.1 and 3.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64
Red Hat Linux Advanced Workstation 2.1 - ia64
Red Hat Enterprise Linux ES version 2.1 - i386
Red Hat Enterprise Linux WS version 2.1 - i386
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64

3. Description:

Kerberos is a network authentication system which allows clients and servers to authenticate to each other through use of symmetric encryption and a trusted third party, the KDC.

A flaw was found in the way the MIT Kerberos Authentication Service and Key Distribution Center server (krb5kdc) handled Kerberos v4 protocol packets. An unauthenticated remote attacker could use this flaw to crash the krb5kdc daemon, disclose portions of its memory, or possibly execute arbitrary code using malformed or truncated Kerberos v4 protocol requests. (CVE-2008-0062, CVE-2008-0063)

This issue only affected krb5kdc with Kerberos v4 protocol compatibility enabled, which is the default setting on Red Hat Enterprise Linux 4. Kerberos v4 protocol support can be disabled by adding "v4_mode=none" (without the quotes) to the "[kdcdefaults]" section of /var/kerberos/krb5kdc/kdc.conf.

A flaw was found in the RPC library used by the MIT Kerberos kadmind server. An unauthenticated remote attacker could use this flaw to crash kadmind. This issue only affected systems with certain resource limits configured and did not affect systems using default resource limits used by Red Hat Enterprise Linux 2.1 or 3. (CVE-2008-0948)

Red Hat would like to thank MIT for reporting these issues.

All krb5 users are advised to update to these erratum packages which contain backported fixes to correct these issues.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/FAQ_58_10188

5. Bugs fixed (http://bugzilla.redhat.com/):

432620 - CVE-2008-0062 krb5: uninitialized pointer use in krb5kdc
432621 - CVE-2008-0063 krb5: possible leak of sensitive data from krb5kdc using krb4 request
435087 - CVE-2008-0948 krb5: incorrect handling of high-numbered file descriptors in RPC library

6. Package List:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1:

Source:
ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/krb5-1.2.2-48.src.rpm

i386:
krb5-devel-1.2.2-48.i386.rpm
krb5-libs-1.2.2-48.i386.rpm
krb5-server-1.2.2-48.i386.rpm
krb5-workstation-1.2.2-48.i386.rpm

ia64:
krb5-devel-1.2.2-48.ia64.rpm
krb5-libs-1.2.2-48.ia64.rpm
krb5-server-1.2.2-48.ia64.rpm
krb5-workstation-1.2.2-48.ia64.rpm

Red Hat Linux Advanced Workstation 2.1:

Source:
ftp://updates.redhat.com/enterprise/2.1AW/en/os/SRPMS/krb5-1.2.2-48.src.rpm

ia64:
krb5-devel-1.2.2-48.ia64.rpm
krb5-libs-1.2.2-48.ia64.rpm
krb5-server-1.2.2-48.ia64.rpm
krb5-workstation-1.2.2-48.ia64.rpm

Red Hat Enterprise Linux ES version 2.1:

Source:
ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/krb5-1.2.2-48.src.rpm

i386:
krb5-devel-1.2.2-48.i386.rpm
krb5-libs-1.2.2-48.i386.rpm
krb5-server-1.2.2-48.i386.rpm
krb5-workstation-1.2.2-48.i386.rpm

Red Hat Enterprise Linux WS version 2.1:

Source:
ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/krb5-1.2.2-48.src.rpm

i386:
krb5-devel-1.2.2-48.i386.rpm
krb5-libs-1.2.2-48.i386.rpm
krb5-server-1.2.2-48.i386.rpm
krb5-workstation-1.2.2-48.i386.rpm

Red Hat Enterprise Linux AS version 3:

Source:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/krb5-1.2.7-68.src.rpm

i386:
krb5-debuginfo-1.2.7-68.i386.rpm
krb5-devel-1.2.7-68.i386.rpm
krb5-libs-1.2.7-68.i386.rpm
krb5-server-1.2.7-68.i386.rpm
krb5-workstation-1.2.7-68.i386.rpm

ia64:
krb5-debuginfo-1.2.7-68.i386.rpm
krb5-debuginfo-1.2.7-68.ia64.rpm
krb5-devel-1.2.7-68.ia64.rpm
krb5-libs-1.2.7-68.i386.rpm
krb5-libs-1.2.7-68.ia64.rpm
krb5-server-1.2.7-68.ia64.rpm
krb5-workstation-1.2.7-68.ia64.rpm

ppc:
krb5-debuginfo-1.2.7-68.ppc.rpm
krb5-debuginfo-1.2.7-68.ppc64.rpm
krb5-devel-1.2.7-68.ppc.rpm
krb5-libs-1.2.7-68.ppc.rpm
krb5-libs-1.2.7-68.ppc64.rpm
krb5-server-1.2.7-68.ppc.rpm
krb5-workstation-1.2.7-68.ppc.rpm

s390:
krb5-debuginfo-1.2.7-68.s390.rpm
krb5-devel-1.2.7-68.s390.rpm
krb5-libs-1.2.7-68.s390.rpm
krb5-server-1.2.7-68.s390.rpm
krb5-workstation-1.2.7-68.s390.rpm

s390x:
krb5-debuginfo-1.2.7-68.s390.rpm
krb5-debuginfo-1.2.7-68.s390x.rpm
krb5-devel-1.2.7-68.s390x.rpm
krb5-libs-1.2.7-68.s390.rpm
krb5-libs-1.2.7-68.s390x.rpm
krb5-server-1.2.7-68.s390x.rpm
krb5-workstation-1.2.7-68.s390x.rpm

x86_64:
krb5-debuginfo-1.2.7-68.i386.rpm
krb5-debuginfo-1.2.7-68.x86_64.rpm
krb5-devel-1.2.7-68.x86_64.rpm
krb5-libs-1.2.7-68.i386.rpm
krb5-libs-1.2.7-68.x86_64.rpm
krb5-server-1.2.7-68.x86_64.rpm
krb5-workstation-1.2.7-68.x86_64.rpm

Red Hat Desktop version 3:

Source:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/krb5-1.2.7-68.src.rpm

i386:
krb5-debuginfo-1.2.7-68.i386.rpm
krb5-devel-1.2.7-68.i386.rpm
krb5-libs-1.2.7-68.i386.rpm
krb5-server-1.2.7-68.i386.rpm
krb5-workstation-1.2.7-68.i386.rpm

x86_64:
krb5-debuginfo-1.2.7-68.i386.rpm
krb5-debuginfo-1.2.7-68.x86_64.rpm
krb5-devel-1.2.7-68.x86_64.rpm
krb5-libs-1.2.7-68.i386.rpm
krb5-libs-1.2.7-68.x86_64.rpm
krb5-server-1.2.7-68.x86_64.rpm
krb5-workstation-1.2.7-68.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

Source:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/krb5-1.2.7-68.src.rpm

i386:
krb5-debuginfo-1.2.7-68.i386.rpm
krb5-devel-1.2.7-68.i386.rpm
krb5-libs-1.2.7-68.i386.rpm
krb5-server-1.2.7-68.i386.rpm
krb5-workstation-1.2.7-68.i386.rpm

ia64:
krb5-debuginfo-1.2.7-68.i386.rpm
krb5-debuginfo-1.2.7-68.ia64.rpm
krb5-devel-1.2.7-68.ia64.rpm
krb5-libs-1.2.7-68.i386.rpm
krb5-libs-1.2.7-68.ia64.rpm
krb5-server-1.2.7-68.ia64.rpm
krb5-workstation-1.2.7-68.ia64.rpm

x86_64:
krb5-debuginfo-1.2.7-68.i386.rpm
krb5-debuginfo-1.2.7-68.x86_64.rpm
krb5-devel-1.2.7-68.x86_64.rpm
krb5-libs-1.2.7-68.i386.rpm
krb5-libs-1.2.7-68.x86_64.rpm
krb5-server-1.2.7-68.x86_64.rpm
krb5-workstation-1.2.7-68.x86_64.rpm

Red Hat Enterprise Linux WS version 3:

Source:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/krb5-1.2.7-68.src.rpm

i386:
krb5-debuginfo-1.2.7-68.i386.rpm
krb5-devel-1.2.7-68.i386.rpm
krb5-libs-1.2.7-68.i386.rpm
krb5-server-1.2.7-68.i386.rpm
krb5-workstation-1.2.7-68.i386.rpm

ia64:
krb5-debuginfo-1.2.7-68.i386.rpm
krb5-debuginfo-1.2.7-68.ia64.rpm
krb5-devel-1.2.7-68.ia64.rpm
krb5-libs-1.2.7-68.i386.rpm
krb5-libs-1.2.7-68.ia64.rpm
krb5-server-1.2.7-68.ia64.rpm
krb5-workstation-1.2.7-68.ia64.rpm

x86_64:
krb5-debuginfo-1.2.7-68.i386.rpm
krb5-debuginfo-1.2.7-68.x86_64.rpm
krb5-devel-1.2.7-68.x86_64.rpm
krb5-libs-1.2.7-68.i386.rpm
krb5-libs-1.2.7-68.x86_64.rpm
krb5-server-1.2.7-68.x86_64.rpm
krb5-workstation-1.2.7-68.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0062
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0063
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0948
http://www.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2008 Red Hat, Inc.
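Editor's note, added example (not Red Hat or MIT code and not part of any advisory on this page): the krb5 advisories here (RHSA-2008:0164, RHSA-2008:0180, RHSA-2008:0181 and RHSA-2008:0182) all give the same mitigation for CVE-2008-0062 and CVE-2008-0063, adding v4_mode=none to the [kdcdefaults] section of /var/kerberos/krb5kdc/kdc.conf. Doing that by hand on a fleet of KDCs invites two mistakes: reading a v4_mode line that is nested inside a realm block as if it were the KDC default, and leaving an absent setting alone on the assumption that absent means disabled, when the advisory says v4 compatibility is on by default. The Python below parses kdc.conf just far enough to avoid both, reports whether v4 support is explicitly disabled, and rewrites the text to disable it. The sample configuration is constructed; its "v4_mode = nopreauth" line is an assumption about a stock file, not a quotation from the page, and every function name is the editor's.

```python
import re

# Constructed kdc.conf in the shape RHEL ships; the "v4_mode = nopreauth"
# line is assumed stock content for the sample, not quoted from the advisory.
SAMPLE_KDC_CONF = """\
[kdcdefaults]
 v4_mode = nopreauth
 kdc_tcp_ports = 88

[realms]
 EXAMPLE.COM = {
  master_key_type = des3-hmac-sha1
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  supported_enctypes = aes256-cts:normal des3-hmac-sha1:normal
 }
"""

_SECTION = re.compile(r"^\s*\[([^\]]+)\]\s*$")
_ASSIGN = re.compile(r"^\s*([^=#;\s]+)\s*=\s*(.*?)\s*$")
V4_LINE = " v4_mode = none"


def top_level_settings(text):
    """Yield (line_no, section, key, value) for each 'key = value' that sits
    directly under a [section] header. Assignments nested inside { } blocks
    (realm definitions) and comment lines are skipped, because a v4_mode
    inside [realms] would not be read as a KDC default."""
    section, depth = None, 0
    for line_no, line in enumerate(text.splitlines()):
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue
        header = _SECTION.match(line)
        if header and depth == 0:
            section = header.group(1)
            continue
        assign = _ASSIGN.match(line)
        if assign and depth == 0 and section is not None and assign.group(2) != "{":
            yield line_no, section, assign.group(1), assign.group(2)
        depth += line.count("{") - line.count("}")


def v4_mode(text):
    """Return the effective [kdcdefaults] v4_mode value, or None if unset.
    The last assignment wins, as with the krb5 profile library."""
    value = None
    for _, section, key, val in top_level_settings(text):
        if section == "kdcdefaults" and key == "v4_mode":
            value = val
    return value


def krb4_disabled(text):
    """True only when v4_mode is explicitly 'none'. An absent setting counts
    as NOT disabled: the advisory says v4 compatibility is on by default."""
    value = v4_mode(text)
    return value is not None and value.lower() == "none"


def disable_krb4(text):
    """Return kdc.conf text with 'v4_mode = none' in [kdcdefaults]: rewrite
    every existing top-level assignment, else add the line under the header,
    else prepend a [kdcdefaults] section. Realm blocks are left untouched."""
    lines = text.splitlines()
    hits = [line_no for line_no, section, key, _ in top_level_settings(text)
            if section == "kdcdefaults" and key == "v4_mode"]
    if hits:
        for line_no in hits:
            lines[line_no] = V4_LINE
        return "\n".join(lines) + "\n"
    for line_no, line in enumerate(lines):
        header = _SECTION.match(line)
        if header and header.group(1) == "kdcdefaults":
            lines.insert(line_no + 1, V4_LINE)
            return "\n".join(lines) + "\n"
    return "[kdcdefaults]\n" + V4_LINE + "\n\n" + "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("v4_mode before:", v4_mode(SAMPLE_KDC_CONF))
    hardened = disable_krb4(SAMPLE_KDC_CONF)
    print("krb4 disabled after rewrite:", krb4_disabled(hardened))
```

Run disable_krb4 over the real file contents, write the result back, and restart krb5kdc (`service krb5kdc restart` on these releases) so the KDC rereads kdc.conf. Two caveats: turning v4 off is a mitigation, not a substitute for the updated krb5-server packages, since the advisories also cover flaws outside the v4 code path; and any remaining Kerberos 4 clients stop working once v4_mode is none, so check for them before rolling the change out.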
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFH4BskXlSAg2UNWIIRAlglAJ9nAjW8nF7u4GTQHXFojwxCqtYm0gCffkFH
k4nk4TL9YfMnzCOlZkhsFWk=
=H3jL
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Tue Mar 18 19:42:34 2008
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 18 Mar 2008 15:42:34 -0400
Subject: [RHSA-2008:0182-01] Critical: krb5 security update
Message-ID: <200803181942.m2IJgYn3006878@pobox.devel.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Critical: krb5 security update
Advisory ID: RHSA-2008:0182-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2008-0182.html
Issue date: 2008-03-18
CVE Names: CVE-2008-0062 CVE-2008-0063
=====================================================================

1. Summary:

Updated krb5 packages that fix multiple security issues are now available for Red Hat Enterprise Linux 4.5 Extended Update Support.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4.5.z - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux ES version 4.5.z - i386, ia64, x86_64

3. Description:

Kerberos is a network authentication system which allows clients and servers to authenticate to each other through use of symmetric encryption and a trusted third party, the KDC.

A flaw was found in the way the MIT Kerberos Authentication Service and Key Distribution Center server (krb5kdc) handled Kerberos v4 protocol packets. An unauthenticated remote attacker could use this flaw to crash the krb5kdc daemon, disclose portions of its memory, or possibly execute arbitrary code using malformed or truncated Kerberos v4 protocol requests. (CVE-2008-0062, CVE-2008-0063)

This issue only affected krb5kdc with Kerberos v4 protocol compatibility enabled, which is the default setting on Red Hat Enterprise Linux 4. Kerberos v4 protocol support can be disabled by adding "v4_mode=none" (without the quotes) to the "[kdcdefaults]" section of /var/kerberos/krb5kdc/kdc.conf.

Red Hat would like to thank MIT for reporting these issues.

All krb5 users are advised to update to these erratum packages which contain backported fixes to correct these issues.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/FAQ_58_10188

5. Bugs fixed (http://bugzilla.redhat.com/):

432620 - CVE-2008-0062 krb5: uninitialized pointer use in krb5kdc
432621 - CVE-2008-0063 krb5: possible leak of sensitive data from krb5kdc using krb4 request

6. Package List:

Red Hat Enterprise Linux AS version 4.5.z:

Source:
ftp://updates.redhat.com/enterprise/4AS-4.5.z/en/os/SRPMS/krb5-1.3.4-49.el4_5.1.src.rpm

i386:
krb5-debuginfo-1.3.4-49.el4_5.1.i386.rpm
krb5-devel-1.3.4-49.el4_5.1.i386.rpm
krb5-libs-1.3.4-49.el4_5.1.i386.rpm
krb5-server-1.3.4-49.el4_5.1.i386.rpm
krb5-workstation-1.3.4-49.el4_5.1.i386.rpm

ia64:
krb5-debuginfo-1.3.4-49.el4_5.1.i386.rpm
krb5-debuginfo-1.3.4-49.el4_5.1.ia64.rpm
krb5-devel-1.3.4-49.el4_5.1.ia64.rpm
krb5-libs-1.3.4-49.el4_5.1.i386.rpm
krb5-libs-1.3.4-49.el4_5.1.ia64.rpm
krb5-server-1.3.4-49.el4_5.1.ia64.rpm
krb5-workstation-1.3.4-49.el4_5.1.ia64.rpm

ppc:
krb5-debuginfo-1.3.4-49.el4_5.1.ppc.rpm
krb5-debuginfo-1.3.4-49.el4_5.1.ppc64.rpm
krb5-devel-1.3.4-49.el4_5.1.ppc.rpm
krb5-libs-1.3.4-49.el4_5.1.ppc.rpm
krb5-libs-1.3.4-49.el4_5.1.ppc64.rpm
krb5-server-1.3.4-49.el4_5.1.ppc.rpm
krb5-workstation-1.3.4-49.el4_5.1.ppc.rpm

s390:
krb5-debuginfo-1.3.4-49.el4_5.1.s390.rpm
krb5-devel-1.3.4-49.el4_5.1.s390.rpm
krb5-libs-1.3.4-49.el4_5.1.s390.rpm
krb5-server-1.3.4-49.el4_5.1.s390.rpm
krb5-workstation-1.3.4-49.el4_5.1.s390.rpm

s390x:
krb5-debuginfo-1.3.4-49.el4_5.1.s390.rpm
krb5-debuginfo-1.3.4-49.el4_5.1.s390x.rpm
krb5-devel-1.3.4-49.el4_5.1.s390x.rpm
krb5-libs-1.3.4-49.el4_5.1.s390.rpm
krb5-libs-1.3.4-49.el4_5.1.s390x.rpm
krb5-server-1.3.4-49.el4_5.1.s390x.rpm
krb5-workstation-1.3.4-49.el4_5.1.s390x.rpm

x86_64:
krb5-debuginfo-1.3.4-49.el4_5.1.i386.rpm
krb5-debuginfo-1.3.4-49.el4_5.1.x86_64.rpm
krb5-devel-1.3.4-49.el4_5.1.x86_64.rpm
krb5-libs-1.3.4-49.el4_5.1.i386.rpm
krb5-libs-1.3.4-49.el4_5.1.x86_64.rpm
krb5-server-1.3.4-49.el4_5.1.x86_64.rpm
krb5-workstation-1.3.4-49.el4_5.1.x86_64.rpm

Red Hat Enterprise Linux ES version 4.5.z:

Source:
ftp://updates.redhat.com/enterprise/4ES-4.5.z/en/os/SRPMS/krb5-1.3.4-49.el4_5.1.src.rpm

i386:
krb5-debuginfo-1.3.4-49.el4_5.1.i386.rpm
krb5-devel-1.3.4-49.el4_5.1.i386.rpm
krb5-libs-1.3.4-49.el4_5.1.i386.rpm
krb5-server-1.3.4-49.el4_5.1.i386.rpm
krb5-workstation-1.3.4-49.el4_5.1.i386.rpm ia64: krb5-debuginfo-1.3.4-49.el4_5.1.i386.rpm krb5-debuginfo-1.3.4-49.el4_5.1.ia64.rpm krb5-devel-1.3.4-49.el4_5.1.ia64.rpm krb5-libs-1.3.4-49.el4_5.1.i386.rpm krb5-libs-1.3.4-49.el4_5.1.ia64.rpm krb5-server-1.3.4-49.el4_5.1.ia64.rpm krb5-workstation-1.3.4-49.el4_5.1.ia64.rpm x86_64: krb5-debuginfo-1.3.4-49.el4_5.1.i386.rpm krb5-debuginfo-1.3.4-49.el4_5.1.x86_64.rpm krb5-devel-1.3.4-49.el4_5.1.x86_64.rpm krb5-libs-1.3.4-49.el4_5.1.i386.rpm krb5-libs-1.3.4-49.el4_5.1.x86_64.rpm krb5-server-1.3.4-49.el4_5.1.x86_64.rpm krb5-workstation-1.3.4-49.el4_5.1.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package 7. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0062 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0063 http://www.redhat.com/security/updates/classification/#critical 8. Contact: The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/ Copyright 2008 Red Hat, Inc. 
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFH4BspXlSAg2UNWIIRAvpvAKCxupbvdQu8EoPphy/9Fke2DqHK2ACgxT8X 1KLf4GnNA3tZlh0d74oueJ0= =7McM -----END PGP SIGNATURE----- From bugzilla at redhat.com Tue Mar 18 19:42:47 2008 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Tue, 18 Mar 2008 15:42:47 -0400 Subject: [RHSA-2008:0196-01] Moderate: unzip security update Message-ID: <200803181942.m2IJglFo006892@pobox.devel.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: unzip security update Advisory ID: RHSA-2008:0196-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2008-0196.html Issue date: 2008-03-18 CVE Names: CVE-2008-0888 ===================================================================== 1. Summary: Updated unzip packages that fix a security issue are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. 2. Relevant releases/architectures: Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64 Red Hat Linux Advanced Workstation 2.1 - ia64 Red Hat Enterprise Linux ES version 2.1 - i386 Red Hat Enterprise Linux WS version 2.1 - i386 Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64 Red Hat Desktop version 3 - i386, x86_64 Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64 Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64 3. Description: The unzip utility is used to list, test, or extract files from a zip archive. An invalid pointer flaw was found in unzip. If a user ran unzip on a specially crafted file, an attacker could execute arbitrary code with that user's privileges. (CVE-2008-0888) Red Hat would like to thank Tavis Ormandy of the Google Security Team for reporting this issue. 
All unzip users are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. 4. Solution: Before applying this update, make sure that all previously-released errata relevant to your system have been applied. This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/FAQ_58_10188 5. Bugs fixed (http://bugzilla.redhat.com/): 431438 - CVE-2008-0888 unzip: free() called for uninitialized or already freed pointer 6. Package List: Red Hat Enterprise Linux AS (Advanced Server) version 2.1 : Source: ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/unzip-5.50-31.EL2.1.src.rpm i386: unzip-5.50-31.EL2.1.i386.rpm ia64: unzip-5.50-31.EL2.1.ia64.rpm Red Hat Linux Advanced Workstation 2.1: Source: ftp://updates.redhat.com/enterprise/2.1AW/en/os/SRPMS/unzip-5.50-31.EL2.1.src.rpm ia64: unzip-5.50-31.EL2.1.ia64.rpm Red Hat Enterprise Linux ES version 2.1: Source: ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/unzip-5.50-31.EL2.1.src.rpm i386: unzip-5.50-31.EL2.1.i386.rpm Red Hat Enterprise Linux WS version 2.1: Source: ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/unzip-5.50-31.EL2.1.src.rpm i386: unzip-5.50-31.EL2.1.i386.rpm Red Hat Enterprise Linux AS version 3: Source: ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/unzip-5.50-36.EL3.src.rpm i386: unzip-5.50-36.EL3.i386.rpm unzip-debuginfo-5.50-36.EL3.i386.rpm ia64: unzip-5.50-36.EL3.ia64.rpm unzip-debuginfo-5.50-36.EL3.ia64.rpm ppc: unzip-5.50-36.EL3.ppc.rpm unzip-debuginfo-5.50-36.EL3.ppc.rpm s390: unzip-5.50-36.EL3.s390.rpm unzip-debuginfo-5.50-36.EL3.s390.rpm s390x: unzip-5.50-36.EL3.s390x.rpm unzip-debuginfo-5.50-36.EL3.s390x.rpm x86_64: unzip-5.50-36.EL3.x86_64.rpm unzip-debuginfo-5.50-36.EL3.x86_64.rpm Red Hat Desktop version 3: Source: ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/unzip-5.50-36.EL3.src.rpm i386: unzip-5.50-36.EL3.i386.rpm 
unzip-debuginfo-5.50-36.EL3.i386.rpm x86_64: unzip-5.50-36.EL3.x86_64.rpm unzip-debuginfo-5.50-36.EL3.x86_64.rpm Red Hat Enterprise Linux ES version 3: Source: ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/unzip-5.50-36.EL3.src.rpm i386: unzip-5.50-36.EL3.i386.rpm unzip-debuginfo-5.50-36.EL3.i386.rpm ia64: unzip-5.50-36.EL3.ia64.rpm unzip-debuginfo-5.50-36.EL3.ia64.rpm x86_64: unzip-5.50-36.EL3.x86_64.rpm unzip-debuginfo-5.50-36.EL3.x86_64.rpm Red Hat Enterprise Linux WS version 3: Source: ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/unzip-5.50-36.EL3.src.rpm i386: unzip-5.50-36.EL3.i386.rpm unzip-debuginfo-5.50-36.EL3.i386.rpm ia64: unzip-5.50-36.EL3.ia64.rpm unzip-debuginfo-5.50-36.EL3.ia64.rpm x86_64: unzip-5.50-36.EL3.x86_64.rpm unzip-debuginfo-5.50-36.EL3.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package 7. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0888 http://www.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/ Copyright 2008 Red Hat, Inc. 
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFH4BsvXlSAg2UNWIIRAmuCAKCcq4uEyBJvqikSy6DpU15G6qjjRwCfVD1T Xvq+nAWJZua2Nu19qC8e0rQ= =A99l -----END PGP SIGNATURE----- From bugzilla at redhat.com Tue Mar 25 07:46:02 2008 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Tue, 25 Mar 2008 03:46:02 -0400 Subject: [RHSA-2008:0158-01] Moderate: JBoss Enterprise Application Platform security update Message-ID: <200803250746.m2P7k2Qk024055@pobox.devel.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: JBoss Enterprise Application Platform security update Advisory ID: RHSA-2008:0158-01 Product: Red Hat Application Stack Advisory URL: https://rhn.redhat.com/errata/RHSA-2008-0158.html Issue date: 2008-03-24 CVE Names: CVE-2007-6306 CVE-2007-4575 CVE-2007-6433 ===================================================================== 1. Summary: Updated JBoss Enterprise Application Platform packages that fix several security issues and bugs are now available for Red Hat Application Stack v1 and v2. This update has been rated as having moderate security impact by the Red Hat Security Response Team. 2. Relevant releases/architectures: Red Hat Application Stack v1 for Enterprise Linux AS (v.4) - noarch Red Hat Application Stack v1 for Enterprise Linux ES (v.4) - noarch Red Hat Application Stack v2 for Enterprise Linux (v.5) - noarch 3. Description: JBEAP is a middleware platform for Java 2 Platform, Enterprise Edition (J2EE) applications. This release of JBEAP for Red Hat Enterprise Linux 4 contains the JBoss Application Server and JBoss Seam. This release serves as a replacement to JBEAP 4.2.0.GA. The updated packages address the following security vulnerabilities: * the JFreeChart component was vulnerable to multiple cross-site scripting (XSS) vulnerabilities. 
An attacker could misuse the image map feature to inject arbitrary web script or HTML via several attributes of the chart area. (CVE-2007-6306) * a vulnerability caused by exposing static java methods was located within the HSQLDB component. This could be utilized by an attacker to execute arbitrary static java methods. (CVE-2007-4575) * the setOrder method in the org.jboss.seam.framework.Query class did not properly validate user-supplied parameters. This vulnerability allowed remote attackers to inject and execute arbitrary EJBQL commands via the order parameter. (CVE-2007-6433) All users are advised to upgrade to this release of JBEAP, which addresses these vulnerabilities. 4. Solution: Before applying this update, make sure that all previously-released errata relevant to your system have been applied. This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/FAQ_58_10188 5. Bugs fixed (http://bugzilla.redhat.com/): 299801 - CVE-2007-4575 OpenOffice.org-base allows Denial-of-Service and command injection 421081 - CVE-2007-6306 JFreeChart: XSS vulnerabilities in the image map feature 426206 - CVE-2007-6433 EJBQL injection via 'order' parameter 6. 
Package List: Red Hat Application Stack v1 for Enterprise Linux AS (v.4): Source: ftp://updates.redhat.com/enterprise/4AS/en/RHWAS/SRPMS/concurrent-1.3.4-7jpp.ep1.6.el4.src.rpm ftp://updates.redhat.com/enterprise/4AS/en/RHWAS/SRPMS/glassfish-jaf-1.1.0-0jpp.ep1.10.el4.src.rpm ftp://updates.redhat.com/enterprise/4AS/en/RHWAS/SRPMS/glassfish-javamail-1.4.0-0jpp.ep1.8.src.rpm ftp://updates.redhat.com/enterprise/4AS/en/RHWAS/SRPMS/glassfish-jsf-1.2_04-1.p02.0jpp.ep1.18.src.rpm ftp://updates.redhat.com/enterprise/4AS/en/RHWAS/SRPMS/glassfish-jstl-1.2.0-0jpp.ep1.2.src.rpm ftp://updates.redhat.com/enterprise/4AS/en/RHWAS/SRPMS/hibernate3-3.2.4-1.SP1_CP02.0jpp.ep1.1.el4.src.rpm ftp://updates.redhat.com/enterprise/4AS/en/RHWAS/SRPMS/hibernate3-annotations-3.2.1-1.patch02.1jpp.ep1.2.el4.src.rpm ftp://updates.redhat.com/enterprise/4AS/en/RHWAS/SRPMS/hibernate3-entitymanager-3.2.1-1jpp.ep1.6.el4.src.rpm ftp://updates.redhat.com/enterprise/4AS/en/RHWAS/SRPMS/hsqldb-1.8.0.8-2.patch01.1jpp.ep1.1.src.rpm ftp://updates.redhat.com/enterprise/4AS/en/RHWAS/SRPMS/jacorb-2.3.0-1jpp.ep1.4.src.rpm ftp://updates.redhat.com/enterprise/4AS/en/RHWAS/SRPMS/jboss-aop-1.5.5-1.CP01.0jpp.ep1.1.el4.src.rpm ftp://updates.redhat.com/enterprise/4AS/en/RHWAS/SRPMS/jboss-cache-1.4.1-4.SP8_CP01.1jpp.ep1.1.el4.src.rpm ftp://updates.redhat.com/enterprise/4AS/en/RHWAS/SRPMS/jboss-common-1.2.1-0jpp.ep1.2.src.rpm ftp://updates.redhat.com/enterprise/4AS/en/RHWAS/SRPMS/jboss-remoting-2.2.2-3.SP4.0jpp.ep1.1.src.rpm ftp://updates.redhat.com/enterprise/4AS/en/RHWAS/SRPMS/jboss-seam-1.2.1-1.ep1.3.el4.src.rpm ftp://updates.redhat.com/enterprise/4AS/en/RHWAS/SRPMS/jbossas-4.2.0-3.GA_CP02.ep1.3.el4.src.rpm ftp://updates.redhat.com/enterprise/4AS/en/RHWAS/SRPMS/jbossweb-2.0.0-3.CP05.0jpp.ep1.1.src.rpm ftp://updates.redhat.com/enterprise/4AS/en/RHWAS/SRPMS/jbossws-jboss42-1.2.1-0jpp.ep1.2.el4.src.rpm ftp://updates.redhat.com/enterprise/4AS/en/RHWAS/SRPMS/jbossws-wsconsume-impl-2.0.0-0jpp.ep1.3.src.rpm 
ftp://updates.redhat.com/enterprise/4AS/en/RHWAS/SRPMS/jbossxb-1.0.0-2.SP1.0jpp.ep1.2.el4.src.rpm ftp://updates.redhat.com/enterprise/4AS/en/RHWAS/SRPMS/jcommon-1.0.12-1jpp.ep1.2.el4.src.rpm ftp://updates.redhat.com/enterprise/4AS/en/RHWAS/SRPMS/jfreechart-1.0.9-1jpp.ep1.2.el4.src.rpm ftp://updates.redhat.com/enterprise/4AS/en/RHWAS/SRPMS/jgroups-2.4.1-1.SP4.0jpp.ep1.2.src.rpm ftp://updates.redhat.com/enterprise/4AS/en/RHWAS/SRPMS/rh-eap-docs-4.2.0-3.GA_CP02.ep1.1.el4.src.rpm ftp://updates.redhat.com/enterprise/4AS/en/RHWAS/SRPMS/wsdl4j-1.6.2-1jpp.ep1.8.src.rpm noarch: concurrent-1.3.4-7jpp.ep1.6.el4.noarch.rpm glassfish-jaf-1.1.0-0jpp.ep1.10.el4.noarch.rpm glassfish-javamail-1.4.0-0jpp.ep1.8.noarch.rpm glassfish-jsf-1.2_04-1.p02.0jpp.ep1.18.noarch.rpm glassfish-jstl-1.2.0-0jpp.ep1.2.noarch.rpm hibernate3-annotations-3.2.1-1.patch02.1jpp.ep1.2.el4.noarch.rpm hibernate3-annotations-javadoc-3.2.1-1.patch02.1jpp.ep1.2.el4.noarch.rpm hibernate3-entitymanager-3.2.1-1jpp.ep1.6.el4.noarch.rpm hibernate3-entitymanager-javadoc-3.2.1-1jpp.ep1.6.el4.noarch.rpm hibernate3-javadoc-3.2.4-1.SP1_CP02.0jpp.ep1.1.el4.noarch.rpm hsqldb-1.8.0.8-2.patch01.1jpp.ep1.1.noarch.rpm jacorb-2.3.0-1jpp.ep1.4.noarch.rpm jboss-aop-1.5.5-1.CP01.0jpp.ep1.1.el4.noarch.rpm jboss-cache-1.4.1-4.SP8_CP01.1jpp.ep1.1.el4.noarch.rpm jboss-common-1.2.1-0jpp.ep1.2.noarch.rpm jboss-remoting-2.2.2-3.SP4.0jpp.ep1.1.noarch.rpm jboss-seam-1.2.1-1.ep1.3.el4.noarch.rpm jboss-seam-docs-1.2.1-1.ep1.3.el4.noarch.rpm jbossas-4.2.0-3.GA_CP02.ep1.3.el4.noarch.rpm jbossweb-2.0.0-3.CP05.0jpp.ep1.1.noarch.rpm jbossws-jboss42-1.2.1-0jpp.ep1.2.el4.noarch.rpm jbossws-wsconsume-impl-2.0.0-0jpp.ep1.3.noarch.rpm jbossxb-1.0.0-2.SP1.0jpp.ep1.2.el4.noarch.rpm jcommon-1.0.12-1jpp.ep1.2.el4.noarch.rpm jfreechart-1.0.9-1jpp.ep1.2.el4.noarch.rpm jgroups-2.4.1-1.SP4.0jpp.ep1.2.noarch.rpm rh-eap-docs-4.2.0-3.GA_CP02.ep1.1.el4.noarch.rpm rh-eap-docs-examples-4.2.0-3.GA_CP02.ep1.1.el4.noarch.rpm wsdl4j-1.6.2-1jpp.ep1.8.noarch.rpm Red Hat 
Application Stack v1 for Enterprise Linux ES (v.4): Source: ftp://updates.redhat.com/enterprise/4ES/en/RHWAS/SRPMS/concurrent-1.3.4-7jpp.ep1.6.el4.src.rpm ftp://updates.redhat.com/enterprise/4ES/en/RHWAS/SRPMS/glassfish-jaf-1.1.0-0jpp.ep1.10.el4.src.rpm ftp://updates.redhat.com/enterprise/4ES/en/RHWAS/SRPMS/glassfish-javamail-1.4.0-0jpp.ep1.8.src.rpm ftp://updates.redhat.com/enterprise/4ES/en/RHWAS/SRPMS/glassfish-jsf-1.2_04-1.p02.0jpp.ep1.18.src.rpm ftp://updates.redhat.com/enterprise/4ES/en/RHWAS/SRPMS/glassfish-jstl-1.2.0-0jpp.ep1.2.src.rpm ftp://updates.redhat.com/enterprise/4ES/en/RHWAS/SRPMS/hibernate3-3.2.4-1.SP1_CP02.0jpp.ep1.1.el4.src.rpm ftp://updates.redhat.com/enterprise/4ES/en/RHWAS/SRPMS/hibernate3-annotations-3.2.1-1.patch02.1jpp.ep1.2.el4.src.rpm ftp://updates.redhat.com/enterprise/4ES/en/RHWAS/SRPMS/hibernate3-entitymanager-3.2.1-1jpp.ep1.6.el4.src.rpm ftp://updates.redhat.com/enterprise/4ES/en/RHWAS/SRPMS/hsqldb-1.8.0.8-2.patch01.1jpp.ep1.1.src.rpm ftp://updates.redhat.com/enterprise/4ES/en/RHWAS/SRPMS/jacorb-2.3.0-1jpp.ep1.4.src.rpm ftp://updates.redhat.com/enterprise/4ES/en/RHWAS/SRPMS/jboss-aop-1.5.5-1.CP01.0jpp.ep1.1.el4.src.rpm ftp://updates.redhat.com/enterprise/4ES/en/RHWAS/SRPMS/jboss-cache-1.4.1-4.SP8_CP01.1jpp.ep1.1.el4.src.rpm ftp://updates.redhat.com/enterprise/4ES/en/RHWAS/SRPMS/jboss-common-1.2.1-0jpp.ep1.2.src.rpm ftp://updates.redhat.com/enterprise/4ES/en/RHWAS/SRPMS/jboss-remoting-2.2.2-3.SP4.0jpp.ep1.1.src.rpm ftp://updates.redhat.com/enterprise/4ES/en/RHWAS/SRPMS/jboss-seam-1.2.1-1.ep1.3.el4.src.rpm ftp://updates.redhat.com/enterprise/4ES/en/RHWAS/SRPMS/jbossas-4.2.0-3.GA_CP02.ep1.3.el4.src.rpm ftp://updates.redhat.com/enterprise/4ES/en/RHWAS/SRPMS/jbossweb-2.0.0-3.CP05.0jpp.ep1.1.src.rpm ftp://updates.redhat.com/enterprise/4ES/en/RHWAS/SRPMS/jbossws-jboss42-1.2.1-0jpp.ep1.2.el4.src.rpm ftp://updates.redhat.com/enterprise/4ES/en/RHWAS/SRPMS/jbossws-wsconsume-impl-2.0.0-0jpp.ep1.3.src.rpm 
ftp://updates.redhat.com/enterprise/4ES/en/RHWAS/SRPMS/jbossxb-1.0.0-2.SP1.0jpp.ep1.2.el4.src.rpm ftp://updates.redhat.com/enterprise/4ES/en/RHWAS/SRPMS/jcommon-1.0.12-1jpp.ep1.2.el4.src.rpm ftp://updates.redhat.com/enterprise/4ES/en/RHWAS/SRPMS/jfreechart-1.0.9-1jpp.ep1.2.el4.src.rpm ftp://updates.redhat.com/enterprise/4ES/en/RHWAS/SRPMS/jgroups-2.4.1-1.SP4.0jpp.ep1.2.src.rpm ftp://updates.redhat.com/enterprise/4ES/en/RHWAS/SRPMS/rh-eap-docs-4.2.0-3.GA_CP02.ep1.1.el4.src.rpm ftp://updates.redhat.com/enterprise/4ES/en/RHWAS/SRPMS/wsdl4j-1.6.2-1jpp.ep1.8.src.rpm noarch: concurrent-1.3.4-7jpp.ep1.6.el4.noarch.rpm glassfish-jaf-1.1.0-0jpp.ep1.10.el4.noarch.rpm glassfish-javamail-1.4.0-0jpp.ep1.8.noarch.rpm glassfish-jsf-1.2_04-1.p02.0jpp.ep1.18.noarch.rpm glassfish-jstl-1.2.0-0jpp.ep1.2.noarch.rpm hibernate3-annotations-3.2.1-1.patch02.1jpp.ep1.2.el4.noarch.rpm hibernate3-annotations-javadoc-3.2.1-1.patch02.1jpp.ep1.2.el4.noarch.rpm hibernate3-entitymanager-3.2.1-1jpp.ep1.6.el4.noarch.rpm hibernate3-entitymanager-javadoc-3.2.1-1jpp.ep1.6.el4.noarch.rpm hibernate3-javadoc-3.2.4-1.SP1_CP02.0jpp.ep1.1.el4.noarch.rpm hsqldb-1.8.0.8-2.patch01.1jpp.ep1.1.noarch.rpm jacorb-2.3.0-1jpp.ep1.4.noarch.rpm jboss-aop-1.5.5-1.CP01.0jpp.ep1.1.el4.noarch.rpm jboss-cache-1.4.1-4.SP8_CP01.1jpp.ep1.1.el4.noarch.rpm jboss-common-1.2.1-0jpp.ep1.2.noarch.rpm jboss-remoting-2.2.2-3.SP4.0jpp.ep1.1.noarch.rpm jboss-seam-1.2.1-1.ep1.3.el4.noarch.rpm jboss-seam-docs-1.2.1-1.ep1.3.el4.noarch.rpm jbossas-4.2.0-3.GA_CP02.ep1.3.el4.noarch.rpm jbossweb-2.0.0-3.CP05.0jpp.ep1.1.noarch.rpm jbossws-jboss42-1.2.1-0jpp.ep1.2.el4.noarch.rpm jbossws-wsconsume-impl-2.0.0-0jpp.ep1.3.noarch.rpm jbossxb-1.0.0-2.SP1.0jpp.ep1.2.el4.noarch.rpm jcommon-1.0.12-1jpp.ep1.2.el4.noarch.rpm jfreechart-1.0.9-1jpp.ep1.2.el4.noarch.rpm jgroups-2.4.1-1.SP4.0jpp.ep1.2.noarch.rpm rh-eap-docs-4.2.0-3.GA_CP02.ep1.1.el4.noarch.rpm rh-eap-docs-examples-4.2.0-3.GA_CP02.ep1.1.el4.noarch.rpm wsdl4j-1.6.2-1jpp.ep1.8.noarch.rpm Red Hat 
Application Stack v2 for Enterprise Linux (v.5): Source: ftp://updates.redhat.com/enterprise//en/RHWAS/SRPMS/concurrent-1.3.4-8jpp.ep1.6.el5.1.src.rpm ftp://updates.redhat.com/enterprise//en/RHWAS/SRPMS/glassfish-jsf-1.2_04-1.p02.0jpp.ep1.18.el5.src.rpm ftp://updates.redhat.com/enterprise//en/RHWAS/SRPMS/glassfish-jstl-1.2.0-0jpp.ep1.2.el5.src.rpm ftp://updates.redhat.com/enterprise//en/RHWAS/SRPMS/hibernate3-3.2.4-1.SP1_CP02.0jpp.ep1.1.el5.1.src.rpm ftp://updates.redhat.com/enterprise//en/RHWAS/SRPMS/hibernate3-annotations-3.2.1-1.patch02.1jpp.ep1.2.el5.1.src.rpm ftp://updates.redhat.com/enterprise//en/RHWAS/SRPMS/hibernate3-entitymanager-3.2.1-1jpp.ep1.6.el5.src.rpm ftp://updates.redhat.com/enterprise//en/RHWAS/SRPMS/jacorb-2.3.0-1jpp.ep1.5.el5.src.rpm ftp://updates.redhat.com/enterprise//en/RHWAS/SRPMS/jboss-aop-1.5.5-1.CP01.0jpp.ep1.1.el5.src.rpm ftp://updates.redhat.com/enterprise//en/RHWAS/SRPMS/jboss-cache-1.4.1-4.SP8_CP01.1jpp.ep1.1.el5.src.rpm ftp://updates.redhat.com/enterprise//en/RHWAS/SRPMS/jboss-common-1.2.1-0jpp.ep1.2.el5.1.src.rpm ftp://updates.redhat.com/enterprise//en/RHWAS/SRPMS/jboss-remoting-2.2.2-3.SP4.0jpp.ep1.1.el5.src.rpm ftp://updates.redhat.com/enterprise//en/RHWAS/SRPMS/jboss-seam-1.2.1-1.ep1.3.el5.src.rpm ftp://updates.redhat.com/enterprise//en/RHWAS/SRPMS/jbossas-4.2.0-4.GA_CP02.ep1.3.el5.3.src.rpm ftp://updates.redhat.com/enterprise//en/RHWAS/SRPMS/jbossweb-2.0.0-3.CP05.0jpp.ep1.1.el5.src.rpm ftp://updates.redhat.com/enterprise//en/RHWAS/SRPMS/jbossws-jboss42-1.2.1-0jpp.ep1.2.el5.1.src.rpm ftp://updates.redhat.com/enterprise//en/RHWAS/SRPMS/jbossws-wsconsume-impl-2.0.0-0jpp.ep1.3.el5.src.rpm ftp://updates.redhat.com/enterprise//en/RHWAS/SRPMS/jbossxb-1.0.0-2.SP1.0jpp.ep1.2.el5.1.src.rpm ftp://updates.redhat.com/enterprise//en/RHWAS/SRPMS/jcommon-1.0.12-1jpp.ep1.2.el5.src.rpm ftp://updates.redhat.com/enterprise//en/RHWAS/SRPMS/jfreechart-1.0.9-1jpp.ep1.2.el5.1.src.rpm 
ftp://updates.redhat.com/enterprise//en/RHWAS/SRPMS/jgroups-2.4.1-1.SP4.0jpp.ep1.2.el5.src.rpm ftp://updates.redhat.com/enterprise//en/RHWAS/SRPMS/juddi-0.9-0.rc4.2jpp.ep1.3.el5.1.src.rpm ftp://updates.redhat.com/enterprise//en/RHWAS/SRPMS/rh-eap-docs-4.2.0-3.GA_CP02.ep1.1.el5.1.src.rpm noarch: concurrent-1.3.4-8jpp.ep1.6.el5.1.noarch.rpm glassfish-jsf-1.2_04-1.p02.0jpp.ep1.18.el5.noarch.rpm glassfish-jstl-1.2.0-0jpp.ep1.2.el5.noarch.rpm hibernate3-annotations-3.2.1-1.patch02.1jpp.ep1.2.el5.1.noarch.rpm hibernate3-annotations-javadoc-3.2.1-1.patch02.1jpp.ep1.2.el5.1.noarch.rpm hibernate3-entitymanager-3.2.1-1jpp.ep1.6.el5.noarch.rpm hibernate3-entitymanager-javadoc-3.2.1-1jpp.ep1.6.el5.noarch.rpm hibernate3-javadoc-3.2.4-1.SP1_CP02.0jpp.ep1.1.el5.1.noarch.rpm jacorb-2.3.0-1jpp.ep1.5.el5.noarch.rpm jboss-aop-1.5.5-1.CP01.0jpp.ep1.1.el5.noarch.rpm jboss-cache-1.4.1-4.SP8_CP01.1jpp.ep1.1.el5.noarch.rpm jboss-common-1.2.1-0jpp.ep1.2.el5.1.noarch.rpm jboss-remoting-2.2.2-3.SP4.0jpp.ep1.1.el5.noarch.rpm jboss-seam-1.2.1-1.ep1.3.el5.noarch.rpm jboss-seam-docs-1.2.1-1.ep1.3.el5.noarch.rpm jbossas-4.2.0-4.GA_CP02.ep1.3.el5.3.noarch.rpm jbossweb-2.0.0-3.CP05.0jpp.ep1.1.el5.noarch.rpm jbossws-jboss42-1.2.1-0jpp.ep1.2.el5.1.noarch.rpm jbossws-wsconsume-impl-2.0.0-0jpp.ep1.3.el5.noarch.rpm jbossxb-1.0.0-2.SP1.0jpp.ep1.2.el5.1.noarch.rpm jcommon-1.0.12-1jpp.ep1.2.el5.noarch.rpm jfreechart-1.0.9-1jpp.ep1.2.el5.1.noarch.rpm jgroups-2.4.1-1.SP4.0jpp.ep1.2.el5.noarch.rpm juddi-0.9-0.rc4.2jpp.ep1.3.el5.1.noarch.rpm rh-eap-docs-4.2.0-3.GA_CP02.ep1.1.el5.1.noarch.rpm rh-eap-docs-examples-4.2.0-3.GA_CP02.ep1.1.el5.1.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package 7. 
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6306 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4575 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6433 http://www.redhat.com/docs/manuals/jboss/jboss-eap-4.2.0.cp02/readme.html https://rhstack.108.redhat.com/docs/Red_Hat_Application_Stack_V.1.2_Release_Notes.html http://www.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/ Copyright 2008 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFH6K20XlSAg2UNWIIRAgdCAKCRA3c/PmwhAfhwABMv2LfzeIawCgCgw2Q3 cT3CLvzMgBQu1u530hgZuDE= =v5gv -----END PGP SIGNATURE----- From bugzilla at redhat.com Thu Mar 27 01:36:27 2008 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Wed, 26 Mar 2008 21:36:27 -0400 Subject: [RHSA-2008:0207-01] Critical: firefox security update Message-ID: <200803270136.m2R1aRcB007885@pobox.devel.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Critical: firefox security update Advisory ID: RHSA-2008:0207-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2008-0207.html Issue date: 2008-03-26 CVE Names: CVE-2008-1233 CVE-2008-1234 CVE-2008-1235 CVE-2008-1236 CVE-2008-1237 CVE-2008-1238 CVE-2008-1241 ===================================================================== 1. Summary: Updated firefox packages that fix several security bugs are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having critical security impact by the Red Hat Security Response Team. 2. 
Relevant releases/architectures: Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64 Red Hat Enterprise Linux Desktop version 4 - i386, x86_64 Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64 Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 RHEL Desktop Workstation (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64 3. Description: Mozilla Firefox is an open source Web browser. Several flaws were found in the processing of some malformed web content. A web page containing such malicious content could cause Firefox to crash or, potentially, execute arbitrary code as the user running Firefox. (CVE-2008-1233, CVE-2008-1235, CVE-2008-1236, CVE-2008-1237) Several flaws were found in the display of malformed web content. A web page containing specially-crafted content could, potentially, trick a Firefox user into surrendering sensitive information. (CVE-2008-1234, CVE-2008-1238, CVE-2008-1241) All Firefox users should upgrade to these updated packages, which contain backported patches that correct these issues. 4. Solution: Before applying this update, make sure that all previously-released errata relevant to your system have been applied. This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/FAQ_58_10188 5. Bugs fixed (http://bugzilla.redhat.com/): 438713 - CVE-2008-1233 Mozilla products XPCNativeWrapper pollution 438715 - CVE-2008-1234 universal XSS using event handlers 438717 - CVE-2008-1235 chrome privilege via wrong principal 438718 - CVE-2008-1236 browser engine crashes 438721 - CVE-2008-1237 javascript crashes 438724 - CVE-2008-1238 Referrer spoofing bug 438730 - CVE-2008-1241 XUL popup spoofing 6. 
Package List: Red Hat Enterprise Linux AS version 4: Source: ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/firefox-1.5.0.12-0.14.el4.src.rpm i386: firefox-1.5.0.12-0.14.el4.i386.rpm firefox-debuginfo-1.5.0.12-0.14.el4.i386.rpm ia64: firefox-1.5.0.12-0.14.el4.ia64.rpm firefox-debuginfo-1.5.0.12-0.14.el4.ia64.rpm ppc: firefox-1.5.0.12-0.14.el4.ppc.rpm firefox-debuginfo-1.5.0.12-0.14.el4.ppc.rpm s390: firefox-1.5.0.12-0.14.el4.s390.rpm firefox-debuginfo-1.5.0.12-0.14.el4.s390.rpm s390x: firefox-1.5.0.12-0.14.el4.s390x.rpm firefox-debuginfo-1.5.0.12-0.14.el4.s390x.rpm x86_64: firefox-1.5.0.12-0.14.el4.x86_64.rpm firefox-debuginfo-1.5.0.12-0.14.el4.x86_64.rpm Red Hat Enterprise Linux Desktop version 4: Source: ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/firefox-1.5.0.12-0.14.el4.src.rpm i386: firefox-1.5.0.12-0.14.el4.i386.rpm firefox-debuginfo-1.5.0.12-0.14.el4.i386.rpm x86_64: firefox-1.5.0.12-0.14.el4.x86_64.rpm firefox-debuginfo-1.5.0.12-0.14.el4.x86_64.rpm Red Hat Enterprise Linux ES version 4: Source: ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/firefox-1.5.0.12-0.14.el4.src.rpm i386: firefox-1.5.0.12-0.14.el4.i386.rpm firefox-debuginfo-1.5.0.12-0.14.el4.i386.rpm ia64: firefox-1.5.0.12-0.14.el4.ia64.rpm firefox-debuginfo-1.5.0.12-0.14.el4.ia64.rpm x86_64: firefox-1.5.0.12-0.14.el4.x86_64.rpm firefox-debuginfo-1.5.0.12-0.14.el4.x86_64.rpm Red Hat Enterprise Linux WS version 4: Source: ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/firefox-1.5.0.12-0.14.el4.src.rpm i386: firefox-1.5.0.12-0.14.el4.i386.rpm firefox-debuginfo-1.5.0.12-0.14.el4.i386.rpm ia64: firefox-1.5.0.12-0.14.el4.ia64.rpm firefox-debuginfo-1.5.0.12-0.14.el4.ia64.rpm x86_64: firefox-1.5.0.12-0.14.el4.x86_64.rpm firefox-debuginfo-1.5.0.12-0.14.el4.x86_64.rpm Red Hat Enterprise Linux Desktop (v. 
5 client): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/firefox-1.5.0.12-14.el5_1.src.rpm i386: firefox-1.5.0.12-14.el5_1.i386.rpm firefox-debuginfo-1.5.0.12-14.el5_1.i386.rpm x86_64: firefox-1.5.0.12-14.el5_1.i386.rpm firefox-1.5.0.12-14.el5_1.x86_64.rpm firefox-debuginfo-1.5.0.12-14.el5_1.i386.rpm firefox-debuginfo-1.5.0.12-14.el5_1.x86_64.rpm RHEL Desktop Workstation (v. 5 client): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/firefox-1.5.0.12-14.el5_1.src.rpm i386: firefox-debuginfo-1.5.0.12-14.el5_1.i386.rpm firefox-devel-1.5.0.12-14.el5_1.i386.rpm x86_64: firefox-debuginfo-1.5.0.12-14.el5_1.i386.rpm firefox-debuginfo-1.5.0.12-14.el5_1.x86_64.rpm firefox-devel-1.5.0.12-14.el5_1.i386.rpm firefox-devel-1.5.0.12-14.el5_1.x86_64.rpm Red Hat Enterprise Linux (v. 5 server): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/firefox-1.5.0.12-14.el5_1.src.rpm i386: firefox-1.5.0.12-14.el5_1.i386.rpm firefox-debuginfo-1.5.0.12-14.el5_1.i386.rpm firefox-devel-1.5.0.12-14.el5_1.i386.rpm ia64: firefox-1.5.0.12-14.el5_1.ia64.rpm firefox-debuginfo-1.5.0.12-14.el5_1.ia64.rpm firefox-devel-1.5.0.12-14.el5_1.ia64.rpm ppc: firefox-1.5.0.12-14.el5_1.ppc.rpm firefox-debuginfo-1.5.0.12-14.el5_1.ppc.rpm firefox-devel-1.5.0.12-14.el5_1.ppc.rpm s390x: firefox-1.5.0.12-14.el5_1.s390.rpm firefox-1.5.0.12-14.el5_1.s390x.rpm firefox-debuginfo-1.5.0.12-14.el5_1.s390.rpm firefox-debuginfo-1.5.0.12-14.el5_1.s390x.rpm firefox-devel-1.5.0.12-14.el5_1.s390.rpm firefox-devel-1.5.0.12-14.el5_1.s390x.rpm x86_64: firefox-1.5.0.12-14.el5_1.i386.rpm firefox-1.5.0.12-14.el5_1.x86_64.rpm firefox-debuginfo-1.5.0.12-14.el5_1.i386.rpm firefox-debuginfo-1.5.0.12-14.el5_1.x86_64.rpm firefox-devel-1.5.0.12-14.el5_1.i386.rpm firefox-devel-1.5.0.12-14.el5_1.x86_64.rpm These packages are GPG signed by Red Hat for security. 
Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package 7. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1233 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1234 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1235 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1236 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1237 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1238 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1241 http://www.redhat.com/security/updates/classification/#critical 8. Contact: The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/ Copyright 2008 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFH6voZXlSAg2UNWIIRAuPjAKChhhNMqFXaQCoWJt9pjRt0asOyYwCfcL3L nAD957ZeuYfuf/BXbfRx0Ls= =PQum -----END PGP SIGNATURE-----

From bugzilla at redhat.com Fri Mar 28 00:46:08 2008 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 27 Mar 2008 20:46:08 -0400 Subject: [RHSA-2008:0208-01] Critical: seamonkey security update Message-ID: <200803280046.m2S0k8rB002871@pobox.devel.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Critical: seamonkey security update Advisory ID: RHSA-2008:0208-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2008-0208.html Issue date: 2008-03-27 CVE Names: CVE-2008-1233 CVE-2008-1234 CVE-2008-1235 CVE-2008-1236 CVE-2008-1237 CVE-2008-1238 CVE-2008-1241 ===================================================================== 1. Summary: Updated seamonkey packages that fix several security issues are now available for Red Hat Enterprise Linux 2.1, 3, and 4. This update has been rated as having critical security impact by the Red Hat Security Response Team. 2. 
Relevant releases/architectures: Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64 Red Hat Linux Advanced Workstation 2.1 - ia64 Red Hat Enterprise Linux ES version 2.1 - i386 Red Hat Enterprise Linux WS version 2.1 - i386 Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64 Red Hat Desktop version 3 - i386, x86_64 Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64 Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64 Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64 Red Hat Enterprise Linux Desktop version 4 - i386, x86_64 Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64 Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64 3. Description: SeaMonkey is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. Several flaws were found in the processing of some malformed web content. A web page containing such malicious content could cause SeaMonkey to crash or, potentially, execute arbitrary code as the user running SeaMonkey. (CVE-2008-1233, CVE-2008-1235, CVE-2008-1236, CVE-2008-1237) Several flaws were found in the display of malformed web content. A web page containing specially-crafted content could, potentially, trick a SeaMonkey user into surrendering sensitive information. (CVE-2008-1234, CVE-2008-1238, CVE-2008-1241) All SeaMonkey users should upgrade to these updated packages, which contain backported patches to resolve these issues. 4. Solution: Before applying this update, make sure that all previously-released errata relevant to your system have been applied. This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/FAQ_58_10188 5. 
Bugs fixed (http://bugzilla.redhat.com/):

438713 - CVE-2008-1233 Mozilla products XPCNativeWrapper pollution
438715 - CVE-2008-1234 universal XSS using event handlers
438717 - CVE-2008-1235 chrome privilege via wrong principal
438718 - CVE-2008-1236 browser engine crashes
438721 - CVE-2008-1237 javascript crashes
438724 - CVE-2008-1238 Referrer spoofing bug
438730 - CVE-2008-1241 XUL popup spoofing

6. Package List:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1:

Source:
ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/seamonkey-1.0.9-0.14.el2.src.rpm

i386:
seamonkey-1.0.9-0.14.el2.i386.rpm
seamonkey-chat-1.0.9-0.14.el2.i386.rpm
seamonkey-devel-1.0.9-0.14.el2.i386.rpm
seamonkey-dom-inspector-1.0.9-0.14.el2.i386.rpm
seamonkey-js-debugger-1.0.9-0.14.el2.i386.rpm
seamonkey-mail-1.0.9-0.14.el2.i386.rpm
seamonkey-nspr-1.0.9-0.14.el2.i386.rpm
seamonkey-nspr-devel-1.0.9-0.14.el2.i386.rpm
seamonkey-nss-1.0.9-0.14.el2.i386.rpm
seamonkey-nss-devel-1.0.9-0.14.el2.i386.rpm

ia64:
seamonkey-1.0.9-0.14.el2.ia64.rpm
seamonkey-chat-1.0.9-0.14.el2.ia64.rpm
seamonkey-devel-1.0.9-0.14.el2.ia64.rpm
seamonkey-dom-inspector-1.0.9-0.14.el2.ia64.rpm
seamonkey-js-debugger-1.0.9-0.14.el2.ia64.rpm
seamonkey-mail-1.0.9-0.14.el2.ia64.rpm
seamonkey-nspr-1.0.9-0.14.el2.ia64.rpm
seamonkey-nspr-devel-1.0.9-0.14.el2.ia64.rpm
seamonkey-nss-1.0.9-0.14.el2.ia64.rpm
seamonkey-nss-devel-1.0.9-0.14.el2.ia64.rpm

Red Hat Linux Advanced Workstation 2.1:

Source:
ftp://updates.redhat.com/enterprise/2.1AW/en/os/SRPMS/seamonkey-1.0.9-0.14.el2.src.rpm

ia64:
seamonkey-1.0.9-0.14.el2.ia64.rpm
seamonkey-chat-1.0.9-0.14.el2.ia64.rpm
seamonkey-devel-1.0.9-0.14.el2.ia64.rpm
seamonkey-dom-inspector-1.0.9-0.14.el2.ia64.rpm
seamonkey-js-debugger-1.0.9-0.14.el2.ia64.rpm
seamonkey-mail-1.0.9-0.14.el2.ia64.rpm
seamonkey-nspr-1.0.9-0.14.el2.ia64.rpm
seamonkey-nspr-devel-1.0.9-0.14.el2.ia64.rpm
seamonkey-nss-1.0.9-0.14.el2.ia64.rpm
seamonkey-nss-devel-1.0.9-0.14.el2.ia64.rpm

Red Hat Enterprise Linux ES version 2.1:

Source:
ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/seamonkey-1.0.9-0.14.el2.src.rpm

i386:
seamonkey-1.0.9-0.14.el2.i386.rpm
seamonkey-chat-1.0.9-0.14.el2.i386.rpm
seamonkey-devel-1.0.9-0.14.el2.i386.rpm
seamonkey-dom-inspector-1.0.9-0.14.el2.i386.rpm
seamonkey-js-debugger-1.0.9-0.14.el2.i386.rpm
seamonkey-mail-1.0.9-0.14.el2.i386.rpm
seamonkey-nspr-1.0.9-0.14.el2.i386.rpm
seamonkey-nspr-devel-1.0.9-0.14.el2.i386.rpm
seamonkey-nss-1.0.9-0.14.el2.i386.rpm
seamonkey-nss-devel-1.0.9-0.14.el2.i386.rpm

Red Hat Enterprise Linux WS version 2.1:

Source:
ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/seamonkey-1.0.9-0.14.el2.src.rpm

i386:
seamonkey-1.0.9-0.14.el2.i386.rpm
seamonkey-chat-1.0.9-0.14.el2.i386.rpm
seamonkey-devel-1.0.9-0.14.el2.i386.rpm
seamonkey-dom-inspector-1.0.9-0.14.el2.i386.rpm
seamonkey-js-debugger-1.0.9-0.14.el2.i386.rpm
seamonkey-mail-1.0.9-0.14.el2.i386.rpm
seamonkey-nspr-1.0.9-0.14.el2.i386.rpm
seamonkey-nspr-devel-1.0.9-0.14.el2.i386.rpm
seamonkey-nss-1.0.9-0.14.el2.i386.rpm
seamonkey-nss-devel-1.0.9-0.14.el2.i386.rpm

Red Hat Enterprise Linux AS version 3:

Source:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/seamonkey-1.0.9-0.16.el3.src.rpm

i386:
seamonkey-1.0.9-0.16.el3.i386.rpm
seamonkey-chat-1.0.9-0.16.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.16.el3.i386.rpm
seamonkey-devel-1.0.9-0.16.el3.i386.rpm
seamonkey-dom-inspector-1.0.9-0.16.el3.i386.rpm
seamonkey-js-debugger-1.0.9-0.16.el3.i386.rpm
seamonkey-mail-1.0.9-0.16.el3.i386.rpm
seamonkey-nspr-1.0.9-0.16.el3.i386.rpm
seamonkey-nspr-devel-1.0.9-0.16.el3.i386.rpm
seamonkey-nss-1.0.9-0.16.el3.i386.rpm
seamonkey-nss-devel-1.0.9-0.16.el3.i386.rpm

ia64:
seamonkey-1.0.9-0.16.el3.ia64.rpm
seamonkey-chat-1.0.9-0.16.el3.ia64.rpm
seamonkey-debuginfo-1.0.9-0.16.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.16.el3.ia64.rpm
seamonkey-devel-1.0.9-0.16.el3.ia64.rpm
seamonkey-dom-inspector-1.0.9-0.16.el3.ia64.rpm
seamonkey-js-debugger-1.0.9-0.16.el3.ia64.rpm
seamonkey-mail-1.0.9-0.16.el3.ia64.rpm
seamonkey-nspr-1.0.9-0.16.el3.i386.rpm
seamonkey-nspr-1.0.9-0.16.el3.ia64.rpm
seamonkey-nspr-devel-1.0.9-0.16.el3.ia64.rpm
seamonkey-nss-1.0.9-0.16.el3.i386.rpm
seamonkey-nss-1.0.9-0.16.el3.ia64.rpm
seamonkey-nss-devel-1.0.9-0.16.el3.ia64.rpm

ppc:
seamonkey-1.0.9-0.16.el3.ppc.rpm
seamonkey-chat-1.0.9-0.16.el3.ppc.rpm
seamonkey-debuginfo-1.0.9-0.16.el3.ppc.rpm
seamonkey-devel-1.0.9-0.16.el3.ppc.rpm
seamonkey-dom-inspector-1.0.9-0.16.el3.ppc.rpm
seamonkey-js-debugger-1.0.9-0.16.el3.ppc.rpm
seamonkey-mail-1.0.9-0.16.el3.ppc.rpm
seamonkey-nspr-1.0.9-0.16.el3.ppc.rpm
seamonkey-nspr-devel-1.0.9-0.16.el3.ppc.rpm
seamonkey-nss-1.0.9-0.16.el3.ppc.rpm
seamonkey-nss-devel-1.0.9-0.16.el3.ppc.rpm

s390:
seamonkey-1.0.9-0.16.el3.s390.rpm
seamonkey-chat-1.0.9-0.16.el3.s390.rpm
seamonkey-debuginfo-1.0.9-0.16.el3.s390.rpm
seamonkey-devel-1.0.9-0.16.el3.s390.rpm
seamonkey-dom-inspector-1.0.9-0.16.el3.s390.rpm
seamonkey-js-debugger-1.0.9-0.16.el3.s390.rpm
seamonkey-mail-1.0.9-0.16.el3.s390.rpm
seamonkey-nspr-1.0.9-0.16.el3.s390.rpm
seamonkey-nspr-devel-1.0.9-0.16.el3.s390.rpm
seamonkey-nss-1.0.9-0.16.el3.s390.rpm
seamonkey-nss-devel-1.0.9-0.16.el3.s390.rpm

s390x:
seamonkey-1.0.9-0.16.el3.s390x.rpm
seamonkey-chat-1.0.9-0.16.el3.s390x.rpm
seamonkey-debuginfo-1.0.9-0.16.el3.s390.rpm
seamonkey-debuginfo-1.0.9-0.16.el3.s390x.rpm
seamonkey-devel-1.0.9-0.16.el3.s390x.rpm
seamonkey-dom-inspector-1.0.9-0.16.el3.s390x.rpm
seamonkey-js-debugger-1.0.9-0.16.el3.s390x.rpm
seamonkey-mail-1.0.9-0.16.el3.s390x.rpm
seamonkey-nspr-1.0.9-0.16.el3.s390.rpm
seamonkey-nspr-1.0.9-0.16.el3.s390x.rpm
seamonkey-nspr-devel-1.0.9-0.16.el3.s390x.rpm
seamonkey-nss-1.0.9-0.16.el3.s390.rpm
seamonkey-nss-1.0.9-0.16.el3.s390x.rpm
seamonkey-nss-devel-1.0.9-0.16.el3.s390x.rpm

x86_64:
seamonkey-1.0.9-0.16.el3.i386.rpm
seamonkey-1.0.9-0.16.el3.x86_64.rpm
seamonkey-chat-1.0.9-0.16.el3.x86_64.rpm
seamonkey-debuginfo-1.0.9-0.16.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.16.el3.x86_64.rpm
seamonkey-devel-1.0.9-0.16.el3.x86_64.rpm
seamonkey-dom-inspector-1.0.9-0.16.el3.x86_64.rpm
seamonkey-js-debugger-1.0.9-0.16.el3.x86_64.rpm
seamonkey-mail-1.0.9-0.16.el3.x86_64.rpm
seamonkey-nspr-1.0.9-0.16.el3.i386.rpm
seamonkey-nspr-1.0.9-0.16.el3.x86_64.rpm
seamonkey-nspr-devel-1.0.9-0.16.el3.x86_64.rpm
seamonkey-nss-1.0.9-0.16.el3.i386.rpm
seamonkey-nss-1.0.9-0.16.el3.x86_64.rpm
seamonkey-nss-devel-1.0.9-0.16.el3.x86_64.rpm

Red Hat Desktop version 3:

Source:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/seamonkey-1.0.9-0.16.el3.src.rpm

i386:
seamonkey-1.0.9-0.16.el3.i386.rpm
seamonkey-chat-1.0.9-0.16.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.16.el3.i386.rpm
seamonkey-devel-1.0.9-0.16.el3.i386.rpm
seamonkey-dom-inspector-1.0.9-0.16.el3.i386.rpm
seamonkey-js-debugger-1.0.9-0.16.el3.i386.rpm
seamonkey-mail-1.0.9-0.16.el3.i386.rpm
seamonkey-nspr-1.0.9-0.16.el3.i386.rpm
seamonkey-nspr-devel-1.0.9-0.16.el3.i386.rpm
seamonkey-nss-1.0.9-0.16.el3.i386.rpm
seamonkey-nss-devel-1.0.9-0.16.el3.i386.rpm

x86_64:
seamonkey-1.0.9-0.16.el3.i386.rpm
seamonkey-1.0.9-0.16.el3.x86_64.rpm
seamonkey-chat-1.0.9-0.16.el3.x86_64.rpm
seamonkey-debuginfo-1.0.9-0.16.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.16.el3.x86_64.rpm
seamonkey-devel-1.0.9-0.16.el3.x86_64.rpm
seamonkey-dom-inspector-1.0.9-0.16.el3.x86_64.rpm
seamonkey-js-debugger-1.0.9-0.16.el3.x86_64.rpm
seamonkey-mail-1.0.9-0.16.el3.x86_64.rpm
seamonkey-nspr-1.0.9-0.16.el3.i386.rpm
seamonkey-nspr-1.0.9-0.16.el3.x86_64.rpm
seamonkey-nspr-devel-1.0.9-0.16.el3.x86_64.rpm
seamonkey-nss-1.0.9-0.16.el3.i386.rpm
seamonkey-nss-1.0.9-0.16.el3.x86_64.rpm
seamonkey-nss-devel-1.0.9-0.16.el3.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

Source:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/seamonkey-1.0.9-0.16.el3.src.rpm

i386:
seamonkey-1.0.9-0.16.el3.i386.rpm
seamonkey-chat-1.0.9-0.16.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.16.el3.i386.rpm
seamonkey-devel-1.0.9-0.16.el3.i386.rpm
seamonkey-dom-inspector-1.0.9-0.16.el3.i386.rpm
seamonkey-js-debugger-1.0.9-0.16.el3.i386.rpm
seamonkey-mail-1.0.9-0.16.el3.i386.rpm
seamonkey-nspr-1.0.9-0.16.el3.i386.rpm
seamonkey-nspr-devel-1.0.9-0.16.el3.i386.rpm
seamonkey-nss-1.0.9-0.16.el3.i386.rpm
seamonkey-nss-devel-1.0.9-0.16.el3.i386.rpm

ia64:
seamonkey-1.0.9-0.16.el3.ia64.rpm
seamonkey-chat-1.0.9-0.16.el3.ia64.rpm
seamonkey-debuginfo-1.0.9-0.16.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.16.el3.ia64.rpm
seamonkey-devel-1.0.9-0.16.el3.ia64.rpm
seamonkey-dom-inspector-1.0.9-0.16.el3.ia64.rpm
seamonkey-js-debugger-1.0.9-0.16.el3.ia64.rpm
seamonkey-mail-1.0.9-0.16.el3.ia64.rpm
seamonkey-nspr-1.0.9-0.16.el3.i386.rpm
seamonkey-nspr-1.0.9-0.16.el3.ia64.rpm
seamonkey-nspr-devel-1.0.9-0.16.el3.ia64.rpm
seamonkey-nss-1.0.9-0.16.el3.i386.rpm
seamonkey-nss-1.0.9-0.16.el3.ia64.rpm
seamonkey-nss-devel-1.0.9-0.16.el3.ia64.rpm

x86_64:
seamonkey-1.0.9-0.16.el3.i386.rpm
seamonkey-1.0.9-0.16.el3.x86_64.rpm
seamonkey-chat-1.0.9-0.16.el3.x86_64.rpm
seamonkey-debuginfo-1.0.9-0.16.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.16.el3.x86_64.rpm
seamonkey-devel-1.0.9-0.16.el3.x86_64.rpm
seamonkey-dom-inspector-1.0.9-0.16.el3.x86_64.rpm
seamonkey-js-debugger-1.0.9-0.16.el3.x86_64.rpm
seamonkey-mail-1.0.9-0.16.el3.x86_64.rpm
seamonkey-nspr-1.0.9-0.16.el3.i386.rpm
seamonkey-nspr-1.0.9-0.16.el3.x86_64.rpm
seamonkey-nspr-devel-1.0.9-0.16.el3.x86_64.rpm
seamonkey-nss-1.0.9-0.16.el3.i386.rpm
seamonkey-nss-1.0.9-0.16.el3.x86_64.rpm
seamonkey-nss-devel-1.0.9-0.16.el3.x86_64.rpm

Red Hat Enterprise Linux WS version 3:

Source:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/seamonkey-1.0.9-0.16.el3.src.rpm

i386:
seamonkey-1.0.9-0.16.el3.i386.rpm
seamonkey-chat-1.0.9-0.16.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.16.el3.i386.rpm
seamonkey-devel-1.0.9-0.16.el3.i386.rpm
seamonkey-dom-inspector-1.0.9-0.16.el3.i386.rpm
seamonkey-js-debugger-1.0.9-0.16.el3.i386.rpm
seamonkey-mail-1.0.9-0.16.el3.i386.rpm
seamonkey-nspr-1.0.9-0.16.el3.i386.rpm
seamonkey-nspr-devel-1.0.9-0.16.el3.i386.rpm
seamonkey-nss-1.0.9-0.16.el3.i386.rpm
seamonkey-nss-devel-1.0.9-0.16.el3.i386.rpm

ia64:
seamonkey-1.0.9-0.16.el3.ia64.rpm
seamonkey-chat-1.0.9-0.16.el3.ia64.rpm
seamonkey-debuginfo-1.0.9-0.16.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.16.el3.ia64.rpm
seamonkey-devel-1.0.9-0.16.el3.ia64.rpm
seamonkey-dom-inspector-1.0.9-0.16.el3.ia64.rpm
seamonkey-js-debugger-1.0.9-0.16.el3.ia64.rpm
seamonkey-mail-1.0.9-0.16.el3.ia64.rpm
seamonkey-nspr-1.0.9-0.16.el3.i386.rpm
seamonkey-nspr-1.0.9-0.16.el3.ia64.rpm
seamonkey-nspr-devel-1.0.9-0.16.el3.ia64.rpm
seamonkey-nss-1.0.9-0.16.el3.i386.rpm
seamonkey-nss-1.0.9-0.16.el3.ia64.rpm
seamonkey-nss-devel-1.0.9-0.16.el3.ia64.rpm

x86_64:
seamonkey-1.0.9-0.16.el3.i386.rpm
seamonkey-1.0.9-0.16.el3.x86_64.rpm
seamonkey-chat-1.0.9-0.16.el3.x86_64.rpm
seamonkey-debuginfo-1.0.9-0.16.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.16.el3.x86_64.rpm
seamonkey-devel-1.0.9-0.16.el3.x86_64.rpm
seamonkey-dom-inspector-1.0.9-0.16.el3.x86_64.rpm
seamonkey-js-debugger-1.0.9-0.16.el3.x86_64.rpm
seamonkey-mail-1.0.9-0.16.el3.x86_64.rpm
seamonkey-nspr-1.0.9-0.16.el3.i386.rpm
seamonkey-nspr-1.0.9-0.16.el3.x86_64.rpm
seamonkey-nspr-devel-1.0.9-0.16.el3.x86_64.rpm
seamonkey-nss-1.0.9-0.16.el3.i386.rpm
seamonkey-nss-1.0.9-0.16.el3.x86_64.rpm
seamonkey-nss-devel-1.0.9-0.16.el3.x86_64.rpm

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/seamonkey-1.0.9-15.el4.src.rpm

i386:
seamonkey-1.0.9-15.el4.i386.rpm
seamonkey-chat-1.0.9-15.el4.i386.rpm
seamonkey-debuginfo-1.0.9-15.el4.i386.rpm
seamonkey-devel-1.0.9-15.el4.i386.rpm
seamonkey-dom-inspector-1.0.9-15.el4.i386.rpm
seamonkey-js-debugger-1.0.9-15.el4.i386.rpm
seamonkey-mail-1.0.9-15.el4.i386.rpm
seamonkey-nspr-1.0.9-15.el4.i386.rpm
seamonkey-nspr-devel-1.0.9-15.el4.i386.rpm
seamonkey-nss-1.0.9-15.el4.i386.rpm
seamonkey-nss-devel-1.0.9-15.el4.i386.rpm

ia64:
seamonkey-1.0.9-15.el4.ia64.rpm
seamonkey-chat-1.0.9-15.el4.ia64.rpm
seamonkey-debuginfo-1.0.9-15.el4.i386.rpm
seamonkey-debuginfo-1.0.9-15.el4.ia64.rpm
seamonkey-devel-1.0.9-15.el4.ia64.rpm
seamonkey-dom-inspector-1.0.9-15.el4.ia64.rpm
seamonkey-js-debugger-1.0.9-15.el4.ia64.rpm
seamonkey-mail-1.0.9-15.el4.ia64.rpm
seamonkey-nspr-1.0.9-15.el4.i386.rpm
seamonkey-nspr-1.0.9-15.el4.ia64.rpm
seamonkey-nspr-devel-1.0.9-15.el4.ia64.rpm
seamonkey-nss-1.0.9-15.el4.i386.rpm
seamonkey-nss-1.0.9-15.el4.ia64.rpm
seamonkey-nss-devel-1.0.9-15.el4.ia64.rpm

ppc:
seamonkey-1.0.9-15.el4.ppc.rpm
seamonkey-chat-1.0.9-15.el4.ppc.rpm
seamonkey-debuginfo-1.0.9-15.el4.ppc.rpm
seamonkey-devel-1.0.9-15.el4.ppc.rpm
seamonkey-dom-inspector-1.0.9-15.el4.ppc.rpm
seamonkey-js-debugger-1.0.9-15.el4.ppc.rpm
seamonkey-mail-1.0.9-15.el4.ppc.rpm
seamonkey-nspr-1.0.9-15.el4.ppc.rpm
seamonkey-nspr-devel-1.0.9-15.el4.ppc.rpm
seamonkey-nss-1.0.9-15.el4.ppc.rpm
seamonkey-nss-devel-1.0.9-15.el4.ppc.rpm

s390:
seamonkey-1.0.9-15.el4.s390.rpm
seamonkey-chat-1.0.9-15.el4.s390.rpm
seamonkey-debuginfo-1.0.9-15.el4.s390.rpm
seamonkey-devel-1.0.9-15.el4.s390.rpm
seamonkey-dom-inspector-1.0.9-15.el4.s390.rpm
seamonkey-js-debugger-1.0.9-15.el4.s390.rpm
seamonkey-mail-1.0.9-15.el4.s390.rpm
seamonkey-nspr-1.0.9-15.el4.s390.rpm
seamonkey-nspr-devel-1.0.9-15.el4.s390.rpm
seamonkey-nss-1.0.9-15.el4.s390.rpm
seamonkey-nss-devel-1.0.9-15.el4.s390.rpm

s390x:
seamonkey-1.0.9-15.el4.s390x.rpm
seamonkey-chat-1.0.9-15.el4.s390x.rpm
seamonkey-debuginfo-1.0.9-15.el4.s390.rpm
seamonkey-debuginfo-1.0.9-15.el4.s390x.rpm
seamonkey-devel-1.0.9-15.el4.s390x.rpm
seamonkey-dom-inspector-1.0.9-15.el4.s390x.rpm
seamonkey-js-debugger-1.0.9-15.el4.s390x.rpm
seamonkey-mail-1.0.9-15.el4.s390x.rpm
seamonkey-nspr-1.0.9-15.el4.s390.rpm
seamonkey-nspr-1.0.9-15.el4.s390x.rpm
seamonkey-nspr-devel-1.0.9-15.el4.s390x.rpm
seamonkey-nss-1.0.9-15.el4.s390.rpm
seamonkey-nss-1.0.9-15.el4.s390x.rpm
seamonkey-nss-devel-1.0.9-15.el4.s390x.rpm

x86_64:
seamonkey-1.0.9-15.el4.x86_64.rpm
seamonkey-chat-1.0.9-15.el4.x86_64.rpm
seamonkey-debuginfo-1.0.9-15.el4.i386.rpm
seamonkey-debuginfo-1.0.9-15.el4.x86_64.rpm
seamonkey-devel-1.0.9-15.el4.x86_64.rpm
seamonkey-dom-inspector-1.0.9-15.el4.x86_64.rpm
seamonkey-js-debugger-1.0.9-15.el4.x86_64.rpm
seamonkey-mail-1.0.9-15.el4.x86_64.rpm
seamonkey-nspr-1.0.9-15.el4.i386.rpm
seamonkey-nspr-1.0.9-15.el4.x86_64.rpm
seamonkey-nspr-devel-1.0.9-15.el4.x86_64.rpm
seamonkey-nss-1.0.9-15.el4.i386.rpm
seamonkey-nss-1.0.9-15.el4.x86_64.rpm
seamonkey-nss-devel-1.0.9-15.el4.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/seamonkey-1.0.9-15.el4.src.rpm

i386:
seamonkey-1.0.9-15.el4.i386.rpm
seamonkey-chat-1.0.9-15.el4.i386.rpm
seamonkey-debuginfo-1.0.9-15.el4.i386.rpm
seamonkey-devel-1.0.9-15.el4.i386.rpm
seamonkey-dom-inspector-1.0.9-15.el4.i386.rpm
seamonkey-js-debugger-1.0.9-15.el4.i386.rpm
seamonkey-mail-1.0.9-15.el4.i386.rpm
seamonkey-nspr-1.0.9-15.el4.i386.rpm
seamonkey-nspr-devel-1.0.9-15.el4.i386.rpm
seamonkey-nss-1.0.9-15.el4.i386.rpm
seamonkey-nss-devel-1.0.9-15.el4.i386.rpm

x86_64:
seamonkey-1.0.9-15.el4.x86_64.rpm
seamonkey-chat-1.0.9-15.el4.x86_64.rpm
seamonkey-debuginfo-1.0.9-15.el4.i386.rpm
seamonkey-debuginfo-1.0.9-15.el4.x86_64.rpm
seamonkey-devel-1.0.9-15.el4.x86_64.rpm
seamonkey-dom-inspector-1.0.9-15.el4.x86_64.rpm
seamonkey-js-debugger-1.0.9-15.el4.x86_64.rpm
seamonkey-mail-1.0.9-15.el4.x86_64.rpm
seamonkey-nspr-1.0.9-15.el4.i386.rpm
seamonkey-nspr-1.0.9-15.el4.x86_64.rpm
seamonkey-nspr-devel-1.0.9-15.el4.x86_64.rpm
seamonkey-nss-1.0.9-15.el4.i386.rpm
seamonkey-nss-1.0.9-15.el4.x86_64.rpm
seamonkey-nss-devel-1.0.9-15.el4.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/seamonkey-1.0.9-15.el4.src.rpm

i386:
seamonkey-1.0.9-15.el4.i386.rpm
seamonkey-chat-1.0.9-15.el4.i386.rpm
seamonkey-debuginfo-1.0.9-15.el4.i386.rpm
seamonkey-devel-1.0.9-15.el4.i386.rpm
seamonkey-dom-inspector-1.0.9-15.el4.i386.rpm
seamonkey-js-debugger-1.0.9-15.el4.i386.rpm
seamonkey-mail-1.0.9-15.el4.i386.rpm
seamonkey-nspr-1.0.9-15.el4.i386.rpm
seamonkey-nspr-devel-1.0.9-15.el4.i386.rpm
seamonkey-nss-1.0.9-15.el4.i386.rpm
seamonkey-nss-devel-1.0.9-15.el4.i386.rpm

ia64:
seamonkey-1.0.9-15.el4.ia64.rpm
seamonkey-chat-1.0.9-15.el4.ia64.rpm
seamonkey-debuginfo-1.0.9-15.el4.i386.rpm
seamonkey-debuginfo-1.0.9-15.el4.ia64.rpm
seamonkey-devel-1.0.9-15.el4.ia64.rpm
seamonkey-dom-inspector-1.0.9-15.el4.ia64.rpm
seamonkey-js-debugger-1.0.9-15.el4.ia64.rpm
seamonkey-mail-1.0.9-15.el4.ia64.rpm
seamonkey-nspr-1.0.9-15.el4.i386.rpm
seamonkey-nspr-1.0.9-15.el4.ia64.rpm
seamonkey-nspr-devel-1.0.9-15.el4.ia64.rpm
seamonkey-nss-1.0.9-15.el4.i386.rpm
seamonkey-nss-1.0.9-15.el4.ia64.rpm
seamonkey-nss-devel-1.0.9-15.el4.ia64.rpm

x86_64:
seamonkey-1.0.9-15.el4.x86_64.rpm
seamonkey-chat-1.0.9-15.el4.x86_64.rpm
seamonkey-debuginfo-1.0.9-15.el4.i386.rpm
seamonkey-debuginfo-1.0.9-15.el4.x86_64.rpm
seamonkey-devel-1.0.9-15.el4.x86_64.rpm
seamonkey-dom-inspector-1.0.9-15.el4.x86_64.rpm
seamonkey-js-debugger-1.0.9-15.el4.x86_64.rpm
seamonkey-mail-1.0.9-15.el4.x86_64.rpm
seamonkey-nspr-1.0.9-15.el4.i386.rpm
seamonkey-nspr-1.0.9-15.el4.x86_64.rpm
seamonkey-nspr-devel-1.0.9-15.el4.x86_64.rpm
seamonkey-nss-1.0.9-15.el4.i386.rpm
seamonkey-nss-1.0.9-15.el4.x86_64.rpm
seamonkey-nss-devel-1.0.9-15.el4.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/seamonkey-1.0.9-15.el4.src.rpm

i386:
seamonkey-1.0.9-15.el4.i386.rpm
seamonkey-chat-1.0.9-15.el4.i386.rpm
seamonkey-debuginfo-1.0.9-15.el4.i386.rpm
seamonkey-devel-1.0.9-15.el4.i386.rpm
seamonkey-dom-inspector-1.0.9-15.el4.i386.rpm
seamonkey-js-debugger-1.0.9-15.el4.i386.rpm
seamonkey-mail-1.0.9-15.el4.i386.rpm
seamonkey-nspr-1.0.9-15.el4.i386.rpm
seamonkey-nspr-devel-1.0.9-15.el4.i386.rpm
seamonkey-nss-1.0.9-15.el4.i386.rpm
seamonkey-nss-devel-1.0.9-15.el4.i386.rpm

ia64:
seamonkey-1.0.9-15.el4.ia64.rpm
seamonkey-chat-1.0.9-15.el4.ia64.rpm
seamonkey-debuginfo-1.0.9-15.el4.i386.rpm
seamonkey-debuginfo-1.0.9-15.el4.ia64.rpm
seamonkey-devel-1.0.9-15.el4.ia64.rpm
seamonkey-dom-inspector-1.0.9-15.el4.ia64.rpm
seamonkey-js-debugger-1.0.9-15.el4.ia64.rpm
seamonkey-mail-1.0.9-15.el4.ia64.rpm
seamonkey-nspr-1.0.9-15.el4.i386.rpm
seamonkey-nspr-1.0.9-15.el4.ia64.rpm
seamonkey-nspr-devel-1.0.9-15.el4.ia64.rpm
seamonkey-nss-1.0.9-15.el4.i386.rpm
seamonkey-nss-1.0.9-15.el4.ia64.rpm
seamonkey-nss-devel-1.0.9-15.el4.ia64.rpm

x86_64:
seamonkey-1.0.9-15.el4.x86_64.rpm
seamonkey-chat-1.0.9-15.el4.x86_64.rpm
seamonkey-debuginfo-1.0.9-15.el4.i386.rpm
seamonkey-debuginfo-1.0.9-15.el4.x86_64.rpm
seamonkey-devel-1.0.9-15.el4.x86_64.rpm
seamonkey-dom-inspector-1.0.9-15.el4.x86_64.rpm
seamonkey-js-debugger-1.0.9-15.el4.x86_64.rpm
seamonkey-mail-1.0.9-15.el4.x86_64.rpm
seamonkey-nspr-1.0.9-15.el4.i386.rpm
seamonkey-nspr-1.0.9-15.el4.x86_64.rpm
seamonkey-nspr-devel-1.0.9-15.el4.x86_64.rpm
seamonkey-nss-1.0.9-15.el4.i386.rpm
seamonkey-nss-1.0.9-15.el4.x86_64.rpm
seamonkey-nss-devel-1.0.9-15.el4.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1233
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1234
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1235
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1236
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1237
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1238
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1241
http://www.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is . More contact details at
https://www.redhat.com/security/team/contact/

Copyright 2008 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFH7D/BXlSAg2UNWIIRApZlAJ9KiKcYOjUyfLbTgH2U5hUV/RjeHACfdSw5
7DVX9e/G4jlZuMHg4SunHTs=
=0jg9
-----END PGP SIGNATURE-----
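The practical question an advisory like the one above leaves to the reader is whether a given host's installed seamonkey packages are at or beyond the fixed build. The Python below is an added example written for this page, not a Red Hat tool: it parses a constructed excerpt laid out like the advisory's "6. Package List" section into a map of (name, arch) to the fixed (version, release), orders versions with a simplified re-implementation of rpm's version comparison (it assumes no epoch and no `~`/`^` markers, which these package names do not use), and classifies each installed package string, in the form `rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}'` prints, as fixed, needing update, or not covered by the excerpt. The installed package names in `__main__` are constructed sample data.

```python
import re

# Constructed excerpt in the layout of the advisory's "6. Package List"
# section (sample data for this example, not the advisory's full list).
PACKAGE_LIST_EXCERPT = """\
Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/seamonkey-1.0.9-15.el4.src.rpm

i386:
seamonkey-1.0.9-15.el4.i386.rpm
seamonkey-mail-1.0.9-15.el4.i386.rpm

x86_64:
seamonkey-1.0.9-15.el4.x86_64.rpm
seamonkey-nss-1.0.9-15.el4.i386.rpm
seamonkey-nss-1.0.9-15.el4.x86_64.rpm
"""

ARCH_RE = re.compile(r"^(i386|ia64|ppc|ppc64|s390|s390x|x86_64|noarch):$")
# name-version-release.arch: the name may itself contain dashes, so version
# and release are taken as the last two dash-separated fields.
NVRA_RE = re.compile(r"^(?P<name>.+)-(?P<ver>[^-]+)-(?P<rel>[^-]+)\.(?P<arch>[^.]+)$")


def parse_nvra(s):
    """Split 'name-version-release.arch' (optionally ending in .rpm)."""
    if s.endswith(".rpm"):
        s = s[:-4]
    m = NVRA_RE.match(s)
    if not m:
        raise ValueError(f"not an NVRA string: {s!r}")
    return m.group("name"), m.group("ver"), m.group("rel"), m.group("arch")


def rpmvercmp(a, b):
    """Order two version or release strings the way rpm does: split into
    numeric and alphabetic segments, compare numerics by value (leading
    zeros ignored) and alphas lexically, a numeric segment beats an alpha
    one, and when all shared segments agree the string with segments left
    over is newer.  Assumption: epoch, '~' and '^' are not handled."""
    if a == b:
        return 0
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
        elif x.isdigit():
            return 1
        elif y.isdigit():
            return -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1


def parse_package_list(text):
    """Map (name, arch) -> (version, release) for each binary package listed
    under an architecture heading; product headings and Source lines are skipped."""
    fixed = {}
    in_arch = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if ARCH_RE.match(line):
            in_arch = True
        elif line.endswith(":"):          # product heading or "Source:"
            in_arch = False
        elif in_arch and line.endswith(".rpm"):
            name, ver, rel, arch = parse_nvra(line)
            fixed[(name, arch)] = (ver, rel)
    return fixed


def check_installed(installed, fixed):
    """Classify each installed NVRA against the fixed builds: 'fixed' when
    version-release is at or above the advisory's, 'needs update' when
    below, 'not covered' when the advisory lists no such name/arch."""
    report = {}
    for nvra in installed:
        name, ver, rel, arch = parse_nvra(nvra)
        target = fixed.get((name, arch))
        if target is None:
            report[nvra] = "not covered"
            continue
        order = rpmvercmp(ver, target[0]) or rpmvercmp(rel, target[1])
        report[nvra] = "fixed" if order >= 0 else "needs update"
    return report


FIXED = parse_package_list(PACKAGE_LIST_EXCERPT)

if __name__ == "__main__":
    # Constructed sample of what `rpm -q` might print on a RHEL 4 host.
    sample = ["seamonkey-1.0.9-12.el4.i386", "seamonkey-mail-1.0.9-15.el4.i386",
              "seamonkey-nss-1.0.9-16.el4.x86_64", "seamonkey-chat-1.0.9-12.el4.i386"]
    for nvra, status in check_installed(sample, FIXED).items():
        print(f"{nvra}: {status}")
```

In use, the excerpt would be replaced by the full Package List for the host's product, since the fixed release differs per product line (0.14.el2, 0.16.el3 and 15.el4 above); keying on (name, arch) also keeps the multilib i386 packages listed under x86_64 from being confused with the native ones.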