From bugzilla at redhat.com Wed Apr 1 08:44:59 2009
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 1 Apr 2009 04:44:59 -0400
Subject: [RHSA-2009:0326-01] Important: kernel security and bug fix update
Message-ID: <200904010845.n318j01h028409@int-mx1.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: kernel security and bug fix update
Advisory ID:       RHSA-2009:0326-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2009-0326.html
Issue date:        2009-04-01
CVE Names:         CVE-2008-3528 CVE-2008-5700 CVE-2009-0028 CVE-2009-0269
                   CVE-2009-0322 CVE-2009-0675 CVE-2009-0676 CVE-2009-0778
=====================================================================

1. Summary:

Updated kernel packages that fix several security issues and several bugs
are now available for Red Hat Enterprise Linux 5.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux (v. 5 server) - i386, ia64, noarch, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, noarch, x86_64

3. Description:

The kernel packages contain the Linux kernel, the core of any Linux
operating system.

Security fixes:

* memory leaks were found on some error paths in the icmp_send() function
in the Linux kernel. This could, potentially, cause the network connectivity
to cease. (CVE-2009-0778, Important)

* Chris Evans reported a deficiency in the clone() system call when called
with the CLONE_PARENT flag. This flaw permits the caller (the parent
process) to indicate an arbitrary signal it wants to receive when its child
process exits. This could lead to a denial of service of the parent
process. (CVE-2009-0028, Moderate)

* an off-by-one underflow flaw was found in the eCryptfs subsystem. This
could potentially cause a local denial of service when the readlink()
function returned an error. (CVE-2009-0269, Moderate)

* a deficiency was found in the Remote BIOS Update (RBU) driver for Dell
systems. This could allow a local, unprivileged user to cause a denial of
service by reading zero bytes from the image_type or packet_size files in
"/sys/devices/platform/dell_rbu/". (CVE-2009-0322, Moderate)

* an inverted logic flaw was found in the SysKonnect FDDI PCI adapter
driver, allowing driver statistics to be reset only when the CAP_NET_ADMIN
capability was absent (local, unprivileged users could reset driver
statistics). (CVE-2009-0675, Moderate)

* the sock_getsockopt() function in the Linux kernel did not properly
initialize a data structure that can be directly returned to user-space
when the getsockopt() function is called with SO_BSDCOMPAT optname set.
This flaw could possibly lead to memory disclosure. (CVE-2009-0676,
Moderate)

* the ext2 and ext3 file system code failed to properly handle corrupted
data structures, leading to a possible local denial of service when read or
write operations were performed on a specially-crafted file system.
(CVE-2008-3528, Low)

* a deficiency was found in the libATA implementation. This could,
potentially, lead to a local denial of service. Note: by default, the
"/dev/sg*" devices are accessible only to the root user. (CVE-2008-5700,
Low)

Bug fixes:

* a bug in aic94xx may have caused kernel panics during boot on some systems
with certain SATA disks. (BZ#485909)

* a word endianness problem in the qla2xx driver on PowerPC-based machines
may have corrupted flash-based devices. (BZ#485908)

* a memory leak in pipe() may have caused a system deadlock. The workaround
in Section 1.5, Known Issues, of the Red Hat Enterprise Linux 5.3 Release
Notes Updates, which involved manually allocating extra file descriptors to
processes calling do_pipe, is no longer necessary. (BZ#481576)

* CPU soft-lockups occurred in the network rate estimator. (BZ#481746)

* bugs in the ixgbe driver caused it to function unreliably on some systems
with 16 or more CPU cores. (BZ#483210)

* the iwl4965 driver may have caused a kernel panic. (BZ#483206)

* a bug caused NFS attributes to not update for some long-lived NFS mounted
file systems. (BZ#483201)

* unmounting a GFS2 file system may have caused a panic. (BZ#485910)

* a bug in ptrace() may have caused a panic when single stepping a target.
(BZ#487394)

* on some 64-bit systems, notsc was incorrectly set at boot, causing slow
gettimeofday() calls. (BZ#488239)

* do_machine_check() cleared all Machine Check Exception (MCE) status
registers, preventing the BIOS from using them to determine the cause of
certain panics and errors. (BZ#490433)

* scaling problems caused performance problems for LAPI applications.
(BZ#489457)

* a panic may have occurred on systems using certain Intel WiFi Link 5000
products when booting with the RF Kill switch on. (BZ#489846)

* the TSC is invariant with C/P/T states, and always runs at constant
frequency from now on. (BZ#489310)

All users should upgrade to these updated packages, which contain
backported patches to correct these issues. The system must be rebooted for
this update to take effect.

4. Solution:

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

459577 - CVE-2008-3528 Linux kernel ext[234] directory corruption denial of service
474495 - CVE-2008-5700 kernel: enforce a minimum SG_IO timeout
479932 - CVE-2009-0028 Linux kernel minor signal handling vulnerability
481576 - multipath test causes memory leak and eventual system deadlock
481604 - CVE-2009-0269 kernel: ecryptfs readlink flaw
481746 - [RHEL 5] gen_estimator deadlock fix
482866 - CVE-2009-0322 kernel: dell_rbu local oops
483201 - NFS problem#3 of IT 106473 - 32-bit jiffy wrap around - NFS inode
483206 - Kernel panic in iwl4965 driver
485163 - CVE-2009-0778 kernel: rt_cache leak leads to lack of network connectivity
485908 - [QLogic 5.4 bug] qla2xx - Word-endian problem programming flash on PPC
485909 - Panic at boot if SATA disk is present
485910 - reproducible panic in debugfs_remove when unmounting gfs2 filesystem
486305 - CVE-2009-0676 kernel: memory disclosure in SO_BSDCOMPAT gsopt
486534 - CVE-2009-0675 kernel: skfp_ioctl inverted logic flaw
487394 - kernel BUG at kernel/ptrace.c:1068
488239 - RHEL5 kernel forces notsc on certain systems [C-state support dependant]
489310 - [Intel 5.4 FEAT] TSC keeps running in C3+
489457 - Lapi takes too long to run
489846 - RHEL 5.3 GA kernel panics when RF Kill is on in 5100/5300 AGN
490433 - RHEL5.3 (x86_64): MCE handler must not clear status registers on fatal conditions

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/kernel-2.6.18-128.1.6.el5.src.rpm

i386:
kernel-2.6.18-128.1.6.el5.i686.rpm
kernel-PAE-2.6.18-128.1.6.el5.i686.rpm
kernel-PAE-debuginfo-2.6.18-128.1.6.el5.i686.rpm
kernel-PAE-devel-2.6.18-128.1.6.el5.i686.rpm
kernel-debug-2.6.18-128.1.6.el5.i686.rpm
kernel-debug-debuginfo-2.6.18-128.1.6.el5.i686.rpm
kernel-debug-devel-2.6.18-128.1.6.el5.i686.rpm
kernel-debuginfo-2.6.18-128.1.6.el5.i686.rpm
kernel-debuginfo-common-2.6.18-128.1.6.el5.i686.rpm
kernel-devel-2.6.18-128.1.6.el5.i686.rpm
kernel-headers-2.6.18-128.1.6.el5.i386.rpm
kernel-xen-2.6.18-128.1.6.el5.i686.rpm
kernel-xen-debuginfo-2.6.18-128.1.6.el5.i686.rpm
kernel-xen-devel-2.6.18-128.1.6.el5.i686.rpm

noarch:
kernel-doc-2.6.18-128.1.6.el5.noarch.rpm

x86_64:
kernel-2.6.18-128.1.6.el5.x86_64.rpm
kernel-debug-2.6.18-128.1.6.el5.x86_64.rpm
kernel-debug-debuginfo-2.6.18-128.1.6.el5.x86_64.rpm
kernel-debug-devel-2.6.18-128.1.6.el5.x86_64.rpm
kernel-debuginfo-2.6.18-128.1.6.el5.x86_64.rpm
kernel-debuginfo-common-2.6.18-128.1.6.el5.x86_64.rpm
kernel-devel-2.6.18-128.1.6.el5.x86_64.rpm
kernel-headers-2.6.18-128.1.6.el5.x86_64.rpm
kernel-xen-2.6.18-128.1.6.el5.x86_64.rpm
kernel-xen-debuginfo-2.6.18-128.1.6.el5.x86_64.rpm
kernel-xen-devel-2.6.18-128.1.6.el5.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/kernel-2.6.18-128.1.6.el5.src.rpm

i386:
kernel-2.6.18-128.1.6.el5.i686.rpm
kernel-PAE-2.6.18-128.1.6.el5.i686.rpm
kernel-PAE-debuginfo-2.6.18-128.1.6.el5.i686.rpm
kernel-PAE-devel-2.6.18-128.1.6.el5.i686.rpm
kernel-debug-2.6.18-128.1.6.el5.i686.rpm
kernel-debug-debuginfo-2.6.18-128.1.6.el5.i686.rpm
kernel-debug-devel-2.6.18-128.1.6.el5.i686.rpm
kernel-debuginfo-2.6.18-128.1.6.el5.i686.rpm
kernel-debuginfo-common-2.6.18-128.1.6.el5.i686.rpm
kernel-devel-2.6.18-128.1.6.el5.i686.rpm
kernel-headers-2.6.18-128.1.6.el5.i386.rpm
kernel-xen-2.6.18-128.1.6.el5.i686.rpm
kernel-xen-debuginfo-2.6.18-128.1.6.el5.i686.rpm
kernel-xen-devel-2.6.18-128.1.6.el5.i686.rpm

ia64:
kernel-2.6.18-128.1.6.el5.ia64.rpm
kernel-debug-2.6.18-128.1.6.el5.ia64.rpm
kernel-debug-debuginfo-2.6.18-128.1.6.el5.ia64.rpm
kernel-debug-devel-2.6.18-128.1.6.el5.ia64.rpm
kernel-debuginfo-2.6.18-128.1.6.el5.ia64.rpm
kernel-debuginfo-common-2.6.18-128.1.6.el5.ia64.rpm
kernel-devel-2.6.18-128.1.6.el5.ia64.rpm
kernel-headers-2.6.18-128.1.6.el5.ia64.rpm
kernel-xen-2.6.18-128.1.6.el5.ia64.rpm
kernel-xen-debuginfo-2.6.18-128.1.6.el5.ia64.rpm
kernel-xen-devel-2.6.18-128.1.6.el5.ia64.rpm

noarch:
kernel-doc-2.6.18-128.1.6.el5.noarch.rpm

ppc:
kernel-2.6.18-128.1.6.el5.ppc64.rpm
kernel-debug-2.6.18-128.1.6.el5.ppc64.rpm
kernel-debug-debuginfo-2.6.18-128.1.6.el5.ppc64.rpm
kernel-debug-devel-2.6.18-128.1.6.el5.ppc64.rpm
kernel-debuginfo-2.6.18-128.1.6.el5.ppc64.rpm
kernel-debuginfo-common-2.6.18-128.1.6.el5.ppc64.rpm
kernel-devel-2.6.18-128.1.6.el5.ppc64.rpm
kernel-headers-2.6.18-128.1.6.el5.ppc.rpm
kernel-headers-2.6.18-128.1.6.el5.ppc64.rpm
kernel-kdump-2.6.18-128.1.6.el5.ppc64.rpm
kernel-kdump-debuginfo-2.6.18-128.1.6.el5.ppc64.rpm
kernel-kdump-devel-2.6.18-128.1.6.el5.ppc64.rpm

s390x:
kernel-2.6.18-128.1.6.el5.s390x.rpm
kernel-debug-2.6.18-128.1.6.el5.s390x.rpm
kernel-debug-debuginfo-2.6.18-128.1.6.el5.s390x.rpm
kernel-debug-devel-2.6.18-128.1.6.el5.s390x.rpm
kernel-debuginfo-2.6.18-128.1.6.el5.s390x.rpm
kernel-debuginfo-common-2.6.18-128.1.6.el5.s390x.rpm
kernel-devel-2.6.18-128.1.6.el5.s390x.rpm
kernel-headers-2.6.18-128.1.6.el5.s390x.rpm
kernel-kdump-2.6.18-128.1.6.el5.s390x.rpm
kernel-kdump-debuginfo-2.6.18-128.1.6.el5.s390x.rpm
kernel-kdump-devel-2.6.18-128.1.6.el5.s390x.rpm

x86_64:
kernel-2.6.18-128.1.6.el5.x86_64.rpm
kernel-debug-2.6.18-128.1.6.el5.x86_64.rpm
kernel-debug-debuginfo-2.6.18-128.1.6.el5.x86_64.rpm
kernel-debug-devel-2.6.18-128.1.6.el5.x86_64.rpm
kernel-debuginfo-2.6.18-128.1.6.el5.x86_64.rpm
kernel-debuginfo-common-2.6.18-128.1.6.el5.x86_64.rpm
kernel-devel-2.6.18-128.1.6.el5.x86_64.rpm
kernel-headers-2.6.18-128.1.6.el5.x86_64.rpm
kernel-xen-2.6.18-128.1.6.el5.x86_64.rpm
kernel-xen-debuginfo-2.6.18-128.1.6.el5.x86_64.rpm
kernel-xen-devel-2.6.18-128.1.6.el5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3528
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5700
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0028
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0269
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0322
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0675
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0676
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0778
http://www.redhat.com/security/updates/classification/#important
http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5/html/Release_Notes/index.html#d0e497

8. Contact:

The Red Hat security contact is . More contact details at
https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFJ0ylvXlSAg2UNWIIRAuTMAKC5UsLxmHAI+mIhyGW2JcJ3elMpZgCgs6Jg
sRJxUgg6++Rw0tZtNN7YVIw=
=REce
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Mon Apr 6 16:59:24 2009
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 6 Apr 2009 12:59:24 -0400
Subject: [RHSA-2009:0337-01] Moderate: php security update
Message-ID: <200904061659.n36GxSD7028963@int-mx1.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: php security update
Advisory ID:       RHSA-2009:0337-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2009-0337.html
Issue date:        2009-04-06
CVE Names:         CVE-2008-3658 CVE-2008-3660 CVE-2008-5498 CVE-2008-5557
                   CVE-2009-0754
=====================================================================

1. Summary:

Updated php packages that fix several security issues are now available for
Red Hat Enterprise Linux 3 and 4.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

3. Description:

PHP is an HTML-embedded scripting language commonly used with the Apache
HTTP Web server.

A heap-based buffer overflow flaw was found in PHP's mbstring extension. A
remote attacker able to pass arbitrary input to a PHP script using mbstring
conversion functions could cause the PHP interpreter to crash or, possibly,
execute arbitrary code. (CVE-2008-5557)

A flaw was found in the handling of the "mbstring.func_overload"
configuration setting. A value set for one virtual host, or in a user's
.htaccess file, was incorrectly applied to other virtual hosts on the same
server, causing the handling of multibyte character strings to not work
correctly. (CVE-2009-0754)

A buffer overflow flaw was found in PHP's imageloadfont function. If a PHP
script allowed a remote attacker to load a carefully crafted font file, it
could cause the PHP interpreter to crash or, possibly, execute arbitrary
code. (CVE-2008-3658)

A flaw was found in the way PHP handled certain file extensions when
running in FastCGI mode. If the PHP interpreter was being executed via
FastCGI, a remote attacker could create a request which would cause the PHP
interpreter to crash. (CVE-2008-3660)

A memory disclosure flaw was found in the PHP gd extension's imagerotate
function. A remote attacker able to pass arbitrary values as the
"background color" argument of the function could, possibly, view portions
of the PHP interpreter's memory. (CVE-2008-5498)

All php users are advised to upgrade to these updated packages, which
contain backported patches to resolve these issues. The httpd web server
must be restarted for the changes to take effect.

4. Solution:

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

459529 - CVE-2008-3658 php: buffer overflow in the imageloadfont function in gd extension
459572 - CVE-2008-3660 php: FastCGI module DoS via multiple dots preceding the extension
478425 - CVE-2008-5498 php: libgd imagerotate() array index error memory disclosure
478848 - CVE-2008-5557 php: Heap-based buffer overflow in the mbstring extension via crafted string containing a HTML entity (arb code execution)
479272 - CVE-2009-0754 PHP mbstring.func_overload web server denial of service

6. Package List:

Red Hat Enterprise Linux AS version 3:

Source:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/php-4.3.2-51.ent.src.rpm

i386:
php-4.3.2-51.ent.i386.rpm
php-debuginfo-4.3.2-51.ent.i386.rpm
php-devel-4.3.2-51.ent.i386.rpm
php-imap-4.3.2-51.ent.i386.rpm
php-ldap-4.3.2-51.ent.i386.rpm
php-mysql-4.3.2-51.ent.i386.rpm
php-odbc-4.3.2-51.ent.i386.rpm
php-pgsql-4.3.2-51.ent.i386.rpm

ia64:
php-4.3.2-51.ent.ia64.rpm
php-debuginfo-4.3.2-51.ent.ia64.rpm
php-devel-4.3.2-51.ent.ia64.rpm
php-imap-4.3.2-51.ent.ia64.rpm
php-ldap-4.3.2-51.ent.ia64.rpm
php-mysql-4.3.2-51.ent.ia64.rpm
php-odbc-4.3.2-51.ent.ia64.rpm
php-pgsql-4.3.2-51.ent.ia64.rpm

ppc:
php-4.3.2-51.ent.ppc.rpm
php-debuginfo-4.3.2-51.ent.ppc.rpm
php-devel-4.3.2-51.ent.ppc.rpm
php-imap-4.3.2-51.ent.ppc.rpm
php-ldap-4.3.2-51.ent.ppc.rpm
php-mysql-4.3.2-51.ent.ppc.rpm
php-odbc-4.3.2-51.ent.ppc.rpm
php-pgsql-4.3.2-51.ent.ppc.rpm

s390:
php-4.3.2-51.ent.s390.rpm
php-debuginfo-4.3.2-51.ent.s390.rpm
php-devel-4.3.2-51.ent.s390.rpm
php-imap-4.3.2-51.ent.s390.rpm
php-ldap-4.3.2-51.ent.s390.rpm
php-mysql-4.3.2-51.ent.s390.rpm
php-odbc-4.3.2-51.ent.s390.rpm
php-pgsql-4.3.2-51.ent.s390.rpm

s390x:
php-4.3.2-51.ent.s390x.rpm
php-debuginfo-4.3.2-51.ent.s390x.rpm
php-devel-4.3.2-51.ent.s390x.rpm
php-imap-4.3.2-51.ent.s390x.rpm
php-ldap-4.3.2-51.ent.s390x.rpm
php-mysql-4.3.2-51.ent.s390x.rpm
php-odbc-4.3.2-51.ent.s390x.rpm
php-pgsql-4.3.2-51.ent.s390x.rpm

x86_64:
php-4.3.2-51.ent.x86_64.rpm
php-debuginfo-4.3.2-51.ent.x86_64.rpm
php-devel-4.3.2-51.ent.x86_64.rpm
php-imap-4.3.2-51.ent.x86_64.rpm
php-ldap-4.3.2-51.ent.x86_64.rpm
php-mysql-4.3.2-51.ent.x86_64.rpm
php-odbc-4.3.2-51.ent.x86_64.rpm
php-pgsql-4.3.2-51.ent.x86_64.rpm

Red Hat Desktop version 3:

Source:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/php-4.3.2-51.ent.src.rpm

i386:
php-4.3.2-51.ent.i386.rpm
php-debuginfo-4.3.2-51.ent.i386.rpm
php-devel-4.3.2-51.ent.i386.rpm
php-imap-4.3.2-51.ent.i386.rpm
php-ldap-4.3.2-51.ent.i386.rpm
php-mysql-4.3.2-51.ent.i386.rpm
php-odbc-4.3.2-51.ent.i386.rpm
php-pgsql-4.3.2-51.ent.i386.rpm

x86_64:
php-4.3.2-51.ent.x86_64.rpm
php-debuginfo-4.3.2-51.ent.x86_64.rpm
php-devel-4.3.2-51.ent.x86_64.rpm
php-imap-4.3.2-51.ent.x86_64.rpm
php-ldap-4.3.2-51.ent.x86_64.rpm
php-mysql-4.3.2-51.ent.x86_64.rpm
php-odbc-4.3.2-51.ent.x86_64.rpm
php-pgsql-4.3.2-51.ent.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

Source:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/php-4.3.2-51.ent.src.rpm

i386:
php-4.3.2-51.ent.i386.rpm
php-debuginfo-4.3.2-51.ent.i386.rpm
php-devel-4.3.2-51.ent.i386.rpm
php-imap-4.3.2-51.ent.i386.rpm
php-ldap-4.3.2-51.ent.i386.rpm
php-mysql-4.3.2-51.ent.i386.rpm
php-odbc-4.3.2-51.ent.i386.rpm
php-pgsql-4.3.2-51.ent.i386.rpm

ia64:
php-4.3.2-51.ent.ia64.rpm
php-debuginfo-4.3.2-51.ent.ia64.rpm
php-devel-4.3.2-51.ent.ia64.rpm
php-imap-4.3.2-51.ent.ia64.rpm
php-ldap-4.3.2-51.ent.ia64.rpm
php-mysql-4.3.2-51.ent.ia64.rpm
php-odbc-4.3.2-51.ent.ia64.rpm
php-pgsql-4.3.2-51.ent.ia64.rpm

x86_64:
php-4.3.2-51.ent.x86_64.rpm
php-debuginfo-4.3.2-51.ent.x86_64.rpm
php-devel-4.3.2-51.ent.x86_64.rpm
php-imap-4.3.2-51.ent.x86_64.rpm
php-ldap-4.3.2-51.ent.x86_64.rpm
php-mysql-4.3.2-51.ent.x86_64.rpm
php-odbc-4.3.2-51.ent.x86_64.rpm
php-pgsql-4.3.2-51.ent.x86_64.rpm

Red Hat Enterprise Linux WS version 3:

Source:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/php-4.3.2-51.ent.src.rpm

i386:
php-4.3.2-51.ent.i386.rpm
php-debuginfo-4.3.2-51.ent.i386.rpm
php-devel-4.3.2-51.ent.i386.rpm
php-imap-4.3.2-51.ent.i386.rpm
php-ldap-4.3.2-51.ent.i386.rpm
php-mysql-4.3.2-51.ent.i386.rpm
php-odbc-4.3.2-51.ent.i386.rpm
php-pgsql-4.3.2-51.ent.i386.rpm

ia64:
php-4.3.2-51.ent.ia64.rpm
php-debuginfo-4.3.2-51.ent.ia64.rpm
php-devel-4.3.2-51.ent.ia64.rpm
php-imap-4.3.2-51.ent.ia64.rpm
php-ldap-4.3.2-51.ent.ia64.rpm
php-mysql-4.3.2-51.ent.ia64.rpm
php-odbc-4.3.2-51.ent.ia64.rpm
php-pgsql-4.3.2-51.ent.ia64.rpm

x86_64:
php-4.3.2-51.ent.x86_64.rpm
php-debuginfo-4.3.2-51.ent.x86_64.rpm
php-devel-4.3.2-51.ent.x86_64.rpm
php-imap-4.3.2-51.ent.x86_64.rpm
php-ldap-4.3.2-51.ent.x86_64.rpm
php-mysql-4.3.2-51.ent.x86_64.rpm
php-odbc-4.3.2-51.ent.x86_64.rpm
php-pgsql-4.3.2-51.ent.x86_64.rpm

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/php-4.3.9-3.22.15.src.rpm

i386:
php-4.3.9-3.22.15.i386.rpm
php-debuginfo-4.3.9-3.22.15.i386.rpm
php-devel-4.3.9-3.22.15.i386.rpm
php-domxml-4.3.9-3.22.15.i386.rpm
php-gd-4.3.9-3.22.15.i386.rpm
php-imap-4.3.9-3.22.15.i386.rpm
php-ldap-4.3.9-3.22.15.i386.rpm
php-mbstring-4.3.9-3.22.15.i386.rpm
php-mysql-4.3.9-3.22.15.i386.rpm
php-ncurses-4.3.9-3.22.15.i386.rpm
php-odbc-4.3.9-3.22.15.i386.rpm
php-pear-4.3.9-3.22.15.i386.rpm
php-pgsql-4.3.9-3.22.15.i386.rpm
php-snmp-4.3.9-3.22.15.i386.rpm
php-xmlrpc-4.3.9-3.22.15.i386.rpm

ia64:
php-4.3.9-3.22.15.ia64.rpm
php-debuginfo-4.3.9-3.22.15.ia64.rpm
php-devel-4.3.9-3.22.15.ia64.rpm
php-domxml-4.3.9-3.22.15.ia64.rpm
php-gd-4.3.9-3.22.15.ia64.rpm
php-imap-4.3.9-3.22.15.ia64.rpm
php-ldap-4.3.9-3.22.15.ia64.rpm
php-mbstring-4.3.9-3.22.15.ia64.rpm
php-mysql-4.3.9-3.22.15.ia64.rpm
php-ncurses-4.3.9-3.22.15.ia64.rpm
php-odbc-4.3.9-3.22.15.ia64.rpm
php-pear-4.3.9-3.22.15.ia64.rpm
php-pgsql-4.3.9-3.22.15.ia64.rpm
php-snmp-4.3.9-3.22.15.ia64.rpm
php-xmlrpc-4.3.9-3.22.15.ia64.rpm

ppc:
php-4.3.9-3.22.15.ppc.rpm
php-debuginfo-4.3.9-3.22.15.ppc.rpm
php-devel-4.3.9-3.22.15.ppc.rpm
php-domxml-4.3.9-3.22.15.ppc.rpm
php-gd-4.3.9-3.22.15.ppc.rpm
php-imap-4.3.9-3.22.15.ppc.rpm
php-ldap-4.3.9-3.22.15.ppc.rpm
php-mbstring-4.3.9-3.22.15.ppc.rpm
php-mysql-4.3.9-3.22.15.ppc.rpm
php-ncurses-4.3.9-3.22.15.ppc.rpm
php-odbc-4.3.9-3.22.15.ppc.rpm
php-pear-4.3.9-3.22.15.ppc.rpm
php-pgsql-4.3.9-3.22.15.ppc.rpm
php-snmp-4.3.9-3.22.15.ppc.rpm
php-xmlrpc-4.3.9-3.22.15.ppc.rpm

s390:
php-4.3.9-3.22.15.s390.rpm
php-debuginfo-4.3.9-3.22.15.s390.rpm
php-devel-4.3.9-3.22.15.s390.rpm
php-domxml-4.3.9-3.22.15.s390.rpm
php-gd-4.3.9-3.22.15.s390.rpm
php-imap-4.3.9-3.22.15.s390.rpm
php-ldap-4.3.9-3.22.15.s390.rpm
php-mbstring-4.3.9-3.22.15.s390.rpm
php-mysql-4.3.9-3.22.15.s390.rpm
php-ncurses-4.3.9-3.22.15.s390.rpm
php-odbc-4.3.9-3.22.15.s390.rpm
php-pear-4.3.9-3.22.15.s390.rpm
php-pgsql-4.3.9-3.22.15.s390.rpm
php-snmp-4.3.9-3.22.15.s390.rpm
php-xmlrpc-4.3.9-3.22.15.s390.rpm

s390x:
php-4.3.9-3.22.15.s390x.rpm
php-debuginfo-4.3.9-3.22.15.s390x.rpm
php-devel-4.3.9-3.22.15.s390x.rpm
php-domxml-4.3.9-3.22.15.s390x.rpm
php-gd-4.3.9-3.22.15.s390x.rpm
php-imap-4.3.9-3.22.15.s390x.rpm
php-ldap-4.3.9-3.22.15.s390x.rpm
php-mbstring-4.3.9-3.22.15.s390x.rpm
php-mysql-4.3.9-3.22.15.s390x.rpm
php-ncurses-4.3.9-3.22.15.s390x.rpm
php-odbc-4.3.9-3.22.15.s390x.rpm
php-pear-4.3.9-3.22.15.s390x.rpm
php-pgsql-4.3.9-3.22.15.s390x.rpm
php-snmp-4.3.9-3.22.15.s390x.rpm
php-xmlrpc-4.3.9-3.22.15.s390x.rpm

x86_64:
php-4.3.9-3.22.15.x86_64.rpm
php-debuginfo-4.3.9-3.22.15.x86_64.rpm
php-devel-4.3.9-3.22.15.x86_64.rpm
php-domxml-4.3.9-3.22.15.x86_64.rpm
php-gd-4.3.9-3.22.15.x86_64.rpm
php-imap-4.3.9-3.22.15.x86_64.rpm
php-ldap-4.3.9-3.22.15.x86_64.rpm
php-mbstring-4.3.9-3.22.15.x86_64.rpm
php-mysql-4.3.9-3.22.15.x86_64.rpm
php-ncurses-4.3.9-3.22.15.x86_64.rpm
php-odbc-4.3.9-3.22.15.x86_64.rpm
php-pear-4.3.9-3.22.15.x86_64.rpm
php-pgsql-4.3.9-3.22.15.x86_64.rpm
php-snmp-4.3.9-3.22.15.x86_64.rpm
php-xmlrpc-4.3.9-3.22.15.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/php-4.3.9-3.22.15.src.rpm

i386:
php-4.3.9-3.22.15.i386.rpm
php-debuginfo-4.3.9-3.22.15.i386.rpm
php-devel-4.3.9-3.22.15.i386.rpm
php-domxml-4.3.9-3.22.15.i386.rpm
php-gd-4.3.9-3.22.15.i386.rpm
php-imap-4.3.9-3.22.15.i386.rpm
php-ldap-4.3.9-3.22.15.i386.rpm
php-mbstring-4.3.9-3.22.15.i386.rpm
php-mysql-4.3.9-3.22.15.i386.rpm
php-ncurses-4.3.9-3.22.15.i386.rpm
php-odbc-4.3.9-3.22.15.i386.rpm
php-pear-4.3.9-3.22.15.i386.rpm
php-pgsql-4.3.9-3.22.15.i386.rpm
php-snmp-4.3.9-3.22.15.i386.rpm
php-xmlrpc-4.3.9-3.22.15.i386.rpm

x86_64:
php-4.3.9-3.22.15.x86_64.rpm
php-debuginfo-4.3.9-3.22.15.x86_64.rpm
php-devel-4.3.9-3.22.15.x86_64.rpm
php-domxml-4.3.9-3.22.15.x86_64.rpm
php-gd-4.3.9-3.22.15.x86_64.rpm
php-imap-4.3.9-3.22.15.x86_64.rpm
php-ldap-4.3.9-3.22.15.x86_64.rpm
php-mbstring-4.3.9-3.22.15.x86_64.rpm
php-mysql-4.3.9-3.22.15.x86_64.rpm
php-ncurses-4.3.9-3.22.15.x86_64.rpm
php-odbc-4.3.9-3.22.15.x86_64.rpm
php-pear-4.3.9-3.22.15.x86_64.rpm
php-pgsql-4.3.9-3.22.15.x86_64.rpm
php-snmp-4.3.9-3.22.15.x86_64.rpm
php-xmlrpc-4.3.9-3.22.15.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/php-4.3.9-3.22.15.src.rpm

i386:
php-4.3.9-3.22.15.i386.rpm
php-debuginfo-4.3.9-3.22.15.i386.rpm
php-devel-4.3.9-3.22.15.i386.rpm
php-domxml-4.3.9-3.22.15.i386.rpm
php-gd-4.3.9-3.22.15.i386.rpm
php-imap-4.3.9-3.22.15.i386.rpm
php-ldap-4.3.9-3.22.15.i386.rpm
php-mbstring-4.3.9-3.22.15.i386.rpm
php-mysql-4.3.9-3.22.15.i386.rpm
php-ncurses-4.3.9-3.22.15.i386.rpm
php-odbc-4.3.9-3.22.15.i386.rpm
php-pear-4.3.9-3.22.15.i386.rpm
php-pgsql-4.3.9-3.22.15.i386.rpm
php-snmp-4.3.9-3.22.15.i386.rpm
php-xmlrpc-4.3.9-3.22.15.i386.rpm

ia64:
php-4.3.9-3.22.15.ia64.rpm
php-debuginfo-4.3.9-3.22.15.ia64.rpm
php-devel-4.3.9-3.22.15.ia64.rpm
php-domxml-4.3.9-3.22.15.ia64.rpm
php-gd-4.3.9-3.22.15.ia64.rpm
php-imap-4.3.9-3.22.15.ia64.rpm
php-ldap-4.3.9-3.22.15.ia64.rpm
php-mbstring-4.3.9-3.22.15.ia64.rpm
php-mysql-4.3.9-3.22.15.ia64.rpm
php-ncurses-4.3.9-3.22.15.ia64.rpm
php-odbc-4.3.9-3.22.15.ia64.rpm
php-pear-4.3.9-3.22.15.ia64.rpm
php-pgsql-4.3.9-3.22.15.ia64.rpm
php-snmp-4.3.9-3.22.15.ia64.rpm
php-xmlrpc-4.3.9-3.22.15.ia64.rpm

x86_64:
php-4.3.9-3.22.15.x86_64.rpm
php-debuginfo-4.3.9-3.22.15.x86_64.rpm
php-devel-4.3.9-3.22.15.x86_64.rpm
php-domxml-4.3.9-3.22.15.x86_64.rpm
php-gd-4.3.9-3.22.15.x86_64.rpm
php-imap-4.3.9-3.22.15.x86_64.rpm
php-ldap-4.3.9-3.22.15.x86_64.rpm
php-mbstring-4.3.9-3.22.15.x86_64.rpm
php-mysql-4.3.9-3.22.15.x86_64.rpm
php-ncurses-4.3.9-3.22.15.x86_64.rpm
php-odbc-4.3.9-3.22.15.x86_64.rpm
php-pear-4.3.9-3.22.15.x86_64.rpm
php-pgsql-4.3.9-3.22.15.x86_64.rpm
php-snmp-4.3.9-3.22.15.x86_64.rpm
php-xmlrpc-4.3.9-3.22.15.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/php-4.3.9-3.22.15.src.rpm

i386:
php-4.3.9-3.22.15.i386.rpm
php-debuginfo-4.3.9-3.22.15.i386.rpm
php-devel-4.3.9-3.22.15.i386.rpm
php-domxml-4.3.9-3.22.15.i386.rpm
php-gd-4.3.9-3.22.15.i386.rpm
php-imap-4.3.9-3.22.15.i386.rpm
php-ldap-4.3.9-3.22.15.i386.rpm
php-mbstring-4.3.9-3.22.15.i386.rpm
php-mysql-4.3.9-3.22.15.i386.rpm
php-ncurses-4.3.9-3.22.15.i386.rpm
php-odbc-4.3.9-3.22.15.i386.rpm
php-pear-4.3.9-3.22.15.i386.rpm
php-pgsql-4.3.9-3.22.15.i386.rpm
php-snmp-4.3.9-3.22.15.i386.rpm
php-xmlrpc-4.3.9-3.22.15.i386.rpm

ia64:
php-4.3.9-3.22.15.ia64.rpm
php-debuginfo-4.3.9-3.22.15.ia64.rpm
php-devel-4.3.9-3.22.15.ia64.rpm
php-domxml-4.3.9-3.22.15.ia64.rpm
php-gd-4.3.9-3.22.15.ia64.rpm
php-imap-4.3.9-3.22.15.ia64.rpm
php-ldap-4.3.9-3.22.15.ia64.rpm
php-mbstring-4.3.9-3.22.15.ia64.rpm
php-mysql-4.3.9-3.22.15.ia64.rpm
php-ncurses-4.3.9-3.22.15.ia64.rpm
php-odbc-4.3.9-3.22.15.ia64.rpm
php-pear-4.3.9-3.22.15.ia64.rpm
php-pgsql-4.3.9-3.22.15.ia64.rpm
php-snmp-4.3.9-3.22.15.ia64.rpm
php-xmlrpc-4.3.9-3.22.15.ia64.rpm

x86_64:
php-4.3.9-3.22.15.x86_64.rpm
php-debuginfo-4.3.9-3.22.15.x86_64.rpm
php-devel-4.3.9-3.22.15.x86_64.rpm
php-domxml-4.3.9-3.22.15.x86_64.rpm
php-gd-4.3.9-3.22.15.x86_64.rpm
php-imap-4.3.9-3.22.15.x86_64.rpm
php-ldap-4.3.9-3.22.15.x86_64.rpm
php-mbstring-4.3.9-3.22.15.x86_64.rpm
php-mysql-4.3.9-3.22.15.x86_64.rpm
php-ncurses-4.3.9-3.22.15.x86_64.rpm
php-odbc-4.3.9-3.22.15.x86_64.rpm
php-pear-4.3.9-3.22.15.x86_64.rpm
php-pgsql-4.3.9-3.22.15.x86_64.rpm
php-snmp-4.3.9-3.22.15.x86_64.rpm
php-xmlrpc-4.3.9-3.22.15.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3658
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3660
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5498
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5557
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0754
http://www.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at
https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.
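Each advisory above (RHSA-2009:0326 for the kernel, RHSA-2009:0337 and RHSA-2009:0338 for php) follows the same layout: a header block with the advisory ID and CVE names, then a per-architecture package list whose entries carry the fixed name-version-release. The added example below (not Red Hat's tooling, written for this page) parses that layout and compares a constructed `rpm -qa` listing against the fixed builds, so an administrator can tell which installed packages still predate the fix. The advisory excerpt is a constructed subset of RHSA-2009:0326; the comparison routine re-implements rpm's segment-ordering rules (digit runs compare numerically and outrank letter runs, separators are ignored, a tilde sorts below everything) as an assumption rather than calling librpm, and it ignores epochs, which none of the packages on this page carry.

```python
"""Parse an RHSA package list and find installed RPMs older than the fixed build."""
import re
from dataclasses import dataclass, field

# Constructed excerpt in the page's advisory layout (subset of RHSA-2009:0326).
ADVISORY_TEXT = """\
                   Red Hat Security Advisory

Synopsis:          Important: kernel security and bug fix update
Advisory ID:       RHSA-2009:0326-01
Issue date:        2009-04-01
CVE Names:         CVE-2008-3528 CVE-2008-5700 CVE-2009-0028 CVE-2009-0269
                   CVE-2009-0322 CVE-2009-0675 CVE-2009-0676 CVE-2009-0778

6. Package List:

Red Hat Enterprise Linux (v. 5 server):

x86_64:
kernel-2.6.18-128.1.6.el5.x86_64.rpm
kernel-devel-2.6.18-128.1.6.el5.x86_64.rpm
kernel-xen-2.6.18-128.1.6.el5.x86_64.rpm
"""

# Constructed `rpm -qa` output for a hypothetical host: one current package,
# two older kernel builds, and one package the advisory does not cover.
INSTALLED = """\
kernel-2.6.18-128.1.1.el5.x86_64
kernel-devel-2.6.18-128.1.6.el5.x86_64
kernel-xen-2.6.18-128.el5.x86_64
bash-3.2-24.el5.x86_64
"""


@dataclass
class Advisory:
    advisory_id: str
    synopsis: str
    cves: list
    fixed: dict = field(default_factory=dict)  # (name, arch) -> (version, release)


def parse_nvra(pkg: str):
    """Split 'name-version-release.arch[.rpm]' into (name, version, release, arch).
    The two right-most dashes delimit version and release; the last dot before
    '.rpm' delimits the architecture, so hyphenated names like kernel-PAE work."""
    if pkg.endswith(".rpm"):
        pkg = pkg[:-4]
    name, version, rel_arch = pkg.rsplit("-", 2)
    release, arch = rel_arch.rsplit(".", 1)
    return name, version, release, arch


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b (assumed rpm ordering rules)."""
    if a == b:
        return 0
    sa, sb = re.findall(r"\d+|[a-zA-Z]+|~", a), re.findall(r"\d+|[a-zA-Z]+|~", b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x == "~" or y == "~":          # tilde sorts before anything
            return -1 if x == "~" else 1
        if x.isdigit() and y.isdigit():   # numeric runs compare as integers
            return (int(x) > int(y)) - (int(x) < int(y))
        if x.isdigit() != y.isdigit():    # a numeric run outranks a letter run
            return 1 if x.isdigit() else -1
        return (x > y) - (x < y)          # two letter runs compare lexically
    if len(sa) == len(sb):
        return 0
    longer, n = (sa, len(sb)) if len(sa) > len(sb) else (sb, len(sa))
    if longer[n] == "~":                  # a trailing "~rc1" is older than the bare version
        return -1 if longer is sa else 1
    return 1 if longer is sa else -1      # otherwise the longer version is newer


def compare_vr(a, b) -> int:
    """Compare (version, release) pairs: version decides, then release."""
    return rpmvercmp(a[0], b[0]) or rpmvercmp(a[1], b[1])


def parse_advisory(text: str) -> Advisory:
    """Extract the advisory ID, synopsis, CVE list and fixed (name, arch) builds."""
    advisory_id = re.search(r"Advisory ID:\s*(\S+)", text).group(1)
    synopsis = re.search(r"Synopsis:\s*(.+)", text).group(1).strip()
    cves = list(dict.fromkeys(re.findall(r"CVE-\d{4}-\d{4,}", text)))
    adv = Advisory(advisory_id, synopsis, cves)
    for pkg in re.findall(r"^(\S+\.rpm)$", text, re.M):
        name, version, release, arch = parse_nvra(pkg)
        adv.fixed[(name, arch)] = (version, release)
    return adv


def find_vulnerable(adv: Advisory, installed_text: str) -> list:
    """Return installed NVRA strings whose build is older than the advisory's fix."""
    out = []
    for line in installed_text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, version, release, arch = parse_nvra(line)
        fixed = adv.fixed.get((name, arch))
        if fixed is not None and compare_vr((version, release), fixed) < 0:
            out.append(line)
    return out


if __name__ == "__main__":
    adv = parse_advisory(ADVISORY_TEXT)
    print(adv.advisory_id, adv.synopsis, len(adv.cves), "CVEs")
    for pkg in find_vulnerable(adv, INSTALLED):
        print("needs update:", pkg)
```

On a real host the `INSTALLED` text would come from `rpm -qa`, and `kernel-xen-2.6.18-128.el5` sorts below `128.1.6.el5` because the numeric segment `1` outranks the letter run `el` at the same position; `kernel-devel` is already at the fixed build and is not reported. The check is per advisory: run it once for each RHSA that applies to the host's release.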
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFJ2jRBXlSAg2UNWIIRAmW5AKC9c0bXdIF+PMemxGmZN1x9K6JsRQCfdm6n
JLBqI6/7mGY9y60jc8t8BmI=
=vav4
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Mon Apr 6 17:01:17 2009
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 6 Apr 2009 13:01:17 -0400
Subject: [RHSA-2009:0338-01] Moderate: php security update
Message-ID: <200904061701.n36H1K8D030785@int-mx1.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: php security update
Advisory ID:       RHSA-2009:0338-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2009-0338.html
Issue date:        2009-04-06
CVE Names:         CVE-2008-3658 CVE-2008-3660 CVE-2008-5498 CVE-2008-5557
                   CVE-2008-5814 CVE-2009-0754
=====================================================================

1. Summary:

Updated php packages that fix several security issues are now available for
Red Hat Enterprise Linux 5.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64

3. Description:

PHP is an HTML-embedded scripting language commonly used with the Apache
HTTP Web server.

A heap-based buffer overflow flaw was found in PHP's mbstring extension. A
remote attacker able to pass arbitrary input to a PHP script using mbstring
conversion functions could cause the PHP interpreter to crash or, possibly,
execute arbitrary code. (CVE-2008-5557)

A flaw was found in the handling of the "mbstring.func_overload"
configuration setting. A value set for one virtual host, or in a user's
.htaccess file, was incorrectly applied to other virtual hosts on the same
server, causing the handling of multibyte character strings to not work
correctly. (CVE-2009-0754)

A buffer overflow flaw was found in PHP's imageloadfont function. If a PHP
script allowed a remote attacker to load a carefully crafted font file, it
could cause the PHP interpreter to crash or, possibly, execute arbitrary
code. (CVE-2008-3658)

A flaw was found in the way PHP handled certain file extensions when
running in FastCGI mode. If the PHP interpreter was being executed via
FastCGI, a remote attacker could create a request which would cause the PHP
interpreter to crash. (CVE-2008-3660)

A memory disclosure flaw was found in the PHP gd extension's imagerotate
function. A remote attacker able to pass arbitrary values as the
"background color" argument of the function could, possibly, view portions
of the PHP interpreter's memory. (CVE-2008-5498)

A cross-site scripting flaw was found in the way PHP reported errors for
invalid cookies. If the PHP interpreter had "display_errors" enabled, a
remote attacker able to set a specially-crafted cookie on a victim's system
could possibly inject arbitrary HTML into an error message generated by
PHP. (CVE-2008-5814)

All php users are advised to upgrade to these updated packages, which
contain backported patches to resolve these issues. The httpd web server
must be restarted for the changes to take effect.

4. Solution:

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

459529 - CVE-2008-3658 php: buffer overflow in the imageloadfont function in gd extension
459572 - CVE-2008-3660 php: FastCGI module DoS via multiple dots preceding the extension
478425 - CVE-2008-5498 php: libgd imagerotate() array index error memory disclosure
478848 - CVE-2008-5557 php: Heap-based buffer overflow in the mbstring extension via crafted string containing a HTML entity (arb code execution)
479272 - CVE-2009-0754 PHP mbstring.func_overload web server denial of service
480167 - CVE-2008-5814 php: XSS via PHP error messages

6. Package List:

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/php-5.1.6-23.2.el5_3.src.rpm

i386:
php-5.1.6-23.2.el5_3.i386.rpm
php-bcmath-5.1.6-23.2.el5_3.i386.rpm
php-cli-5.1.6-23.2.el5_3.i386.rpm
php-common-5.1.6-23.2.el5_3.i386.rpm
php-dba-5.1.6-23.2.el5_3.i386.rpm
php-debuginfo-5.1.6-23.2.el5_3.i386.rpm
php-devel-5.1.6-23.2.el5_3.i386.rpm
php-gd-5.1.6-23.2.el5_3.i386.rpm
php-imap-5.1.6-23.2.el5_3.i386.rpm
php-ldap-5.1.6-23.2.el5_3.i386.rpm
php-mbstring-5.1.6-23.2.el5_3.i386.rpm
php-mysql-5.1.6-23.2.el5_3.i386.rpm
php-ncurses-5.1.6-23.2.el5_3.i386.rpm
php-odbc-5.1.6-23.2.el5_3.i386.rpm
php-pdo-5.1.6-23.2.el5_3.i386.rpm
php-pgsql-5.1.6-23.2.el5_3.i386.rpm
php-snmp-5.1.6-23.2.el5_3.i386.rpm
php-soap-5.1.6-23.2.el5_3.i386.rpm
php-xml-5.1.6-23.2.el5_3.i386.rpm
php-xmlrpc-5.1.6-23.2.el5_3.i386.rpm

x86_64:
php-5.1.6-23.2.el5_3.x86_64.rpm
php-bcmath-5.1.6-23.2.el5_3.x86_64.rpm
php-cli-5.1.6-23.2.el5_3.x86_64.rpm
php-common-5.1.6-23.2.el5_3.x86_64.rpm
php-dba-5.1.6-23.2.el5_3.x86_64.rpm
php-debuginfo-5.1.6-23.2.el5_3.x86_64.rpm
php-devel-5.1.6-23.2.el5_3.x86_64.rpm
php-gd-5.1.6-23.2.el5_3.x86_64.rpm
php-imap-5.1.6-23.2.el5_3.x86_64.rpm
php-ldap-5.1.6-23.2.el5_3.x86_64.rpm
php-mbstring-5.1.6-23.2.el5_3.x86_64.rpm
php-mysql-5.1.6-23.2.el5_3.x86_64.rpm
php-ncurses-5.1.6-23.2.el5_3.x86_64.rpm
php-odbc-5.1.6-23.2.el5_3.x86_64.rpm
php-pdo-5.1.6-23.2.el5_3.x86_64.rpm php-pgsql-5.1.6-23.2.el5_3.x86_64.rpm php-snmp-5.1.6-23.2.el5_3.x86_64.rpm php-soap-5.1.6-23.2.el5_3.x86_64.rpm php-xml-5.1.6-23.2.el5_3.x86_64.rpm php-xmlrpc-5.1.6-23.2.el5_3.x86_64.rpm Red Hat Enterprise Linux (v. 5 server): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/php-5.1.6-23.2.el5_3.src.rpm i386: php-5.1.6-23.2.el5_3.i386.rpm php-bcmath-5.1.6-23.2.el5_3.i386.rpm php-cli-5.1.6-23.2.el5_3.i386.rpm php-common-5.1.6-23.2.el5_3.i386.rpm php-dba-5.1.6-23.2.el5_3.i386.rpm php-debuginfo-5.1.6-23.2.el5_3.i386.rpm php-devel-5.1.6-23.2.el5_3.i386.rpm php-gd-5.1.6-23.2.el5_3.i386.rpm php-imap-5.1.6-23.2.el5_3.i386.rpm php-ldap-5.1.6-23.2.el5_3.i386.rpm php-mbstring-5.1.6-23.2.el5_3.i386.rpm php-mysql-5.1.6-23.2.el5_3.i386.rpm php-ncurses-5.1.6-23.2.el5_3.i386.rpm php-odbc-5.1.6-23.2.el5_3.i386.rpm php-pdo-5.1.6-23.2.el5_3.i386.rpm php-pgsql-5.1.6-23.2.el5_3.i386.rpm php-snmp-5.1.6-23.2.el5_3.i386.rpm php-soap-5.1.6-23.2.el5_3.i386.rpm php-xml-5.1.6-23.2.el5_3.i386.rpm php-xmlrpc-5.1.6-23.2.el5_3.i386.rpm ia64: php-5.1.6-23.2.el5_3.ia64.rpm php-bcmath-5.1.6-23.2.el5_3.ia64.rpm php-cli-5.1.6-23.2.el5_3.ia64.rpm php-common-5.1.6-23.2.el5_3.ia64.rpm php-dba-5.1.6-23.2.el5_3.ia64.rpm php-debuginfo-5.1.6-23.2.el5_3.ia64.rpm php-devel-5.1.6-23.2.el5_3.ia64.rpm php-gd-5.1.6-23.2.el5_3.ia64.rpm php-imap-5.1.6-23.2.el5_3.ia64.rpm php-ldap-5.1.6-23.2.el5_3.ia64.rpm php-mbstring-5.1.6-23.2.el5_3.ia64.rpm php-mysql-5.1.6-23.2.el5_3.ia64.rpm php-ncurses-5.1.6-23.2.el5_3.ia64.rpm php-odbc-5.1.6-23.2.el5_3.ia64.rpm php-pdo-5.1.6-23.2.el5_3.ia64.rpm php-pgsql-5.1.6-23.2.el5_3.ia64.rpm php-snmp-5.1.6-23.2.el5_3.ia64.rpm php-soap-5.1.6-23.2.el5_3.ia64.rpm php-xml-5.1.6-23.2.el5_3.ia64.rpm php-xmlrpc-5.1.6-23.2.el5_3.ia64.rpm ppc: php-5.1.6-23.2.el5_3.ppc.rpm php-bcmath-5.1.6-23.2.el5_3.ppc.rpm php-cli-5.1.6-23.2.el5_3.ppc.rpm php-common-5.1.6-23.2.el5_3.ppc.rpm php-dba-5.1.6-23.2.el5_3.ppc.rpm 
php-debuginfo-5.1.6-23.2.el5_3.ppc.rpm php-devel-5.1.6-23.2.el5_3.ppc.rpm php-gd-5.1.6-23.2.el5_3.ppc.rpm php-imap-5.1.6-23.2.el5_3.ppc.rpm php-ldap-5.1.6-23.2.el5_3.ppc.rpm php-mbstring-5.1.6-23.2.el5_3.ppc.rpm php-mysql-5.1.6-23.2.el5_3.ppc.rpm php-ncurses-5.1.6-23.2.el5_3.ppc.rpm php-odbc-5.1.6-23.2.el5_3.ppc.rpm php-pdo-5.1.6-23.2.el5_3.ppc.rpm php-pgsql-5.1.6-23.2.el5_3.ppc.rpm php-snmp-5.1.6-23.2.el5_3.ppc.rpm php-soap-5.1.6-23.2.el5_3.ppc.rpm php-xml-5.1.6-23.2.el5_3.ppc.rpm php-xmlrpc-5.1.6-23.2.el5_3.ppc.rpm s390x: php-5.1.6-23.2.el5_3.s390x.rpm php-bcmath-5.1.6-23.2.el5_3.s390x.rpm php-cli-5.1.6-23.2.el5_3.s390x.rpm php-common-5.1.6-23.2.el5_3.s390x.rpm php-dba-5.1.6-23.2.el5_3.s390x.rpm php-debuginfo-5.1.6-23.2.el5_3.s390x.rpm php-devel-5.1.6-23.2.el5_3.s390x.rpm php-gd-5.1.6-23.2.el5_3.s390x.rpm php-imap-5.1.6-23.2.el5_3.s390x.rpm php-ldap-5.1.6-23.2.el5_3.s390x.rpm php-mbstring-5.1.6-23.2.el5_3.s390x.rpm php-mysql-5.1.6-23.2.el5_3.s390x.rpm php-ncurses-5.1.6-23.2.el5_3.s390x.rpm php-odbc-5.1.6-23.2.el5_3.s390x.rpm php-pdo-5.1.6-23.2.el5_3.s390x.rpm php-pgsql-5.1.6-23.2.el5_3.s390x.rpm php-snmp-5.1.6-23.2.el5_3.s390x.rpm php-soap-5.1.6-23.2.el5_3.s390x.rpm php-xml-5.1.6-23.2.el5_3.s390x.rpm php-xmlrpc-5.1.6-23.2.el5_3.s390x.rpm x86_64: php-5.1.6-23.2.el5_3.x86_64.rpm php-bcmath-5.1.6-23.2.el5_3.x86_64.rpm php-cli-5.1.6-23.2.el5_3.x86_64.rpm php-common-5.1.6-23.2.el5_3.x86_64.rpm php-dba-5.1.6-23.2.el5_3.x86_64.rpm php-debuginfo-5.1.6-23.2.el5_3.x86_64.rpm php-devel-5.1.6-23.2.el5_3.x86_64.rpm php-gd-5.1.6-23.2.el5_3.x86_64.rpm php-imap-5.1.6-23.2.el5_3.x86_64.rpm php-ldap-5.1.6-23.2.el5_3.x86_64.rpm php-mbstring-5.1.6-23.2.el5_3.x86_64.rpm php-mysql-5.1.6-23.2.el5_3.x86_64.rpm php-ncurses-5.1.6-23.2.el5_3.x86_64.rpm php-odbc-5.1.6-23.2.el5_3.x86_64.rpm php-pdo-5.1.6-23.2.el5_3.x86_64.rpm php-pgsql-5.1.6-23.2.el5_3.x86_64.rpm php-snmp-5.1.6-23.2.el5_3.x86_64.rpm php-soap-5.1.6-23.2.el5_3.x86_64.rpm php-xml-5.1.6-23.2.el5_3.x86_64.rpm 
php-xmlrpc-5.1.6-23.2.el5_3.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package 7. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3658 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3660 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5498 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5557 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5814 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0754 http://www.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/ Copyright 2009 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFJ2jTxXlSAg2UNWIIRAoHiAJ4888mVsN5ukU9X/dhmeZ5ph8kI5wCfYSCc rD9spJ+EXlxFzq8lFkq1NDM= =uVzM -----END PGP SIGNATURE----- From bugzilla at redhat.com Mon Apr 6 17:01:50 2009 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Mon, 6 Apr 2009 13:01:50 -0400 Subject: [RHSA-2009:0352-01] Moderate: gstreamer-plugins-base security update Message-ID: <200904061701.n36H1s1D031402@int-mx1.corp.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: gstreamer-plugins-base security update Advisory ID: RHSA-2009:0352-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2009-0352.html Issue date: 2009-04-06 CVE Names: CVE-2009-0586 ===================================================================== 1. Summary: Updated gstreamer-plugins-base packages that fix a security issue are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. 2. 
Relevant releases/architectures: RHEL Desktop Workstation (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 3. Description: GStreamer is a streaming media framework based on graphs of filters which operate on media data. GStreamer Base Plug-ins is a collection of well-maintained base plug-ins. An integer overflow flaw which caused a heap-based buffer overflow was discovered in the Vorbis comment tags reader. An attacker could create a carefully-crafted Vorbis file that would cause an application using GStreamer to crash or, potentially, execute arbitrary code if opened by a victim. (CVE-2009-0586) All users of gstreamer-plugins-base are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing this update, all applications using GStreamer (such as Totem or Rhythmbox) must be restarted for the changes to take effect. 4. Solution: Before applying this update, make sure that all previously-released errata relevant to your system have been applied. This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259 5. Bugs fixed (http://bugzilla.redhat.com/): 488208 - CVE-2009-0586 gstreamer-plugins-base: integer overflow in gst_vorbis_tag_add_coverart() 6. Package List: Red Hat Enterprise Linux Desktop (v. 
5 client): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/gstreamer-plugins-base-0.10.20-3.0.1.el5_3.src.rpm i386: gstreamer-plugins-base-0.10.20-3.0.1.el5_3.i386.rpm gstreamer-plugins-base-debuginfo-0.10.20-3.0.1.el5_3.i386.rpm x86_64: gstreamer-plugins-base-0.10.20-3.0.1.el5_3.i386.rpm gstreamer-plugins-base-0.10.20-3.0.1.el5_3.x86_64.rpm gstreamer-plugins-base-debuginfo-0.10.20-3.0.1.el5_3.i386.rpm gstreamer-plugins-base-debuginfo-0.10.20-3.0.1.el5_3.x86_64.rpm RHEL Desktop Workstation (v. 5 client): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/gstreamer-plugins-base-0.10.20-3.0.1.el5_3.src.rpm i386: gstreamer-plugins-base-debuginfo-0.10.20-3.0.1.el5_3.i386.rpm gstreamer-plugins-base-devel-0.10.20-3.0.1.el5_3.i386.rpm x86_64: gstreamer-plugins-base-debuginfo-0.10.20-3.0.1.el5_3.i386.rpm gstreamer-plugins-base-debuginfo-0.10.20-3.0.1.el5_3.x86_64.rpm gstreamer-plugins-base-devel-0.10.20-3.0.1.el5_3.i386.rpm gstreamer-plugins-base-devel-0.10.20-3.0.1.el5_3.x86_64.rpm Red Hat Enterprise Linux (v. 
5 server): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/gstreamer-plugins-base-0.10.20-3.0.1.el5_3.src.rpm i386: gstreamer-plugins-base-0.10.20-3.0.1.el5_3.i386.rpm gstreamer-plugins-base-debuginfo-0.10.20-3.0.1.el5_3.i386.rpm gstreamer-plugins-base-devel-0.10.20-3.0.1.el5_3.i386.rpm ia64: gstreamer-plugins-base-0.10.20-3.0.1.el5_3.ia64.rpm gstreamer-plugins-base-debuginfo-0.10.20-3.0.1.el5_3.ia64.rpm gstreamer-plugins-base-devel-0.10.20-3.0.1.el5_3.ia64.rpm ppc: gstreamer-plugins-base-0.10.20-3.0.1.el5_3.ppc.rpm gstreamer-plugins-base-0.10.20-3.0.1.el5_3.ppc64.rpm gstreamer-plugins-base-debuginfo-0.10.20-3.0.1.el5_3.ppc.rpm gstreamer-plugins-base-debuginfo-0.10.20-3.0.1.el5_3.ppc64.rpm gstreamer-plugins-base-devel-0.10.20-3.0.1.el5_3.ppc.rpm gstreamer-plugins-base-devel-0.10.20-3.0.1.el5_3.ppc64.rpm s390x: gstreamer-plugins-base-0.10.20-3.0.1.el5_3.s390.rpm gstreamer-plugins-base-0.10.20-3.0.1.el5_3.s390x.rpm gstreamer-plugins-base-debuginfo-0.10.20-3.0.1.el5_3.s390.rpm gstreamer-plugins-base-debuginfo-0.10.20-3.0.1.el5_3.s390x.rpm gstreamer-plugins-base-devel-0.10.20-3.0.1.el5_3.s390.rpm gstreamer-plugins-base-devel-0.10.20-3.0.1.el5_3.s390x.rpm x86_64: gstreamer-plugins-base-0.10.20-3.0.1.el5_3.i386.rpm gstreamer-plugins-base-0.10.20-3.0.1.el5_3.x86_64.rpm gstreamer-plugins-base-debuginfo-0.10.20-3.0.1.el5_3.i386.rpm gstreamer-plugins-base-debuginfo-0.10.20-3.0.1.el5_3.x86_64.rpm gstreamer-plugins-base-devel-0.10.20-3.0.1.el5_3.i386.rpm gstreamer-plugins-base-devel-0.10.20-3.0.1.el5_3.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package 7. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0586 http://www.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is . 
More contact details at https://www.redhat.com/security/team/contact/ Copyright 2009 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFJ2jVqXlSAg2UNWIIRAttkAKCEvxt8YInqSkz8sfGlBLf2Ybwm7QCcDrj4 bJNvs0RFOy4hJjQWgGxvRDc= =ocOu -----END PGP SIGNATURE----- From bugzilla at redhat.com Tue Apr 7 18:58:04 2009 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Tue, 7 Apr 2009 14:58:04 -0400 Subject: [RHSA-2009:0377-01] Important: java-1.6.0-openjdk security update Message-ID: <200904071858.n37Iw8EE026986@int-mx1.corp.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: java-1.6.0-openjdk security update Advisory ID: RHSA-2009:0377-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2009-0377.html Issue date: 2009-04-07 CVE Names: CVE-2006-2426 CVE-2009-0581 CVE-2009-0723 CVE-2009-0733 CVE-2009-0793 CVE-2009-1093 CVE-2009-1094 CVE-2009-1095 CVE-2009-1096 CVE-2009-1097 CVE-2009-1098 CVE-2009-1101 CVE-2009-1102 ===================================================================== 1. Summary: Updated java-1.6.0-openjdk packages that fix several security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. 2. Relevant releases/architectures: Red Hat Enterprise Linux (v. 5 server) - i386, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 3. Description: These packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software Development Kit. The Java Runtime Environment (JRE) contains the software and tools that users need to run applications written using the Java programming language. A flaw was found in the way that the Java Virtual Machine (JVM) handled temporary font files. 
A malicious applet could use this flaw to use large amounts of disk space, causing a denial of service. (CVE-2006-2426)

A memory leak flaw was found in LittleCMS (embedded in OpenJDK). An application using color profiles could use excessive amounts of memory, and possibly crash after using all available memory, if used to open specially-crafted images. (CVE-2009-0581)

Multiple integer overflow flaws which could lead to heap-based buffer overflows, as well as multiple insufficient input validation flaws, were found in the way LittleCMS handled color profiles. An attacker could use these flaws to create a specially-crafted image file which could cause a Java application to crash or, possibly, execute arbitrary code when opened. (CVE-2009-0723, CVE-2009-0733)

A null pointer dereference flaw was found in LittleCMS. An application using color profiles could crash while converting a specially-crafted image file. (CVE-2009-0793)

A flaw in the Java API for XML Web Services (JAX-WS) service endpoint handling could allow a remote attacker to cause a denial of service on the server application hosting the JAX-WS service endpoint. (CVE-2009-1101)

A flaw in the way the Java Runtime Environment initialized LDAP connections could allow a remote, authenticated user to cause a denial of service on the LDAP service. (CVE-2009-1093)

A flaw in the Java Runtime Environment LDAP client could allow malicious data from an LDAP server to cause arbitrary code to be loaded and then run on an LDAP client. (CVE-2009-1094)

Several buffer overflow flaws were found in the Java Runtime Environment unpack200 functionality. An untrusted applet could extend its privileges, allowing it to read and write local files, as well as to execute local applications with the privileges of the user running the applet. (CVE-2009-1095, CVE-2009-1096)

A flaw in the Java Runtime Environment Virtual Machine code generation functionality could allow untrusted applets to extend their privileges. An untrusted applet could extend its privileges, allowing it to read and write local files, as well as execute local applications with the privileges of the user running the applet. (CVE-2009-1102)

A buffer overflow flaw was found in the splash screen processing. A remote attacker could extend privileges to read and write local files, as well as to execute local applications with the privileges of the user running the java process. (CVE-2009-1097)

A buffer overflow flaw was found in how GIF images were processed. A remote attacker could extend privileges to read and write local files, as well as execute local applications with the privileges of the user running the java process. (CVE-2009-1098)

Note: The flaws concerning applets in this advisory, CVE-2009-1095, CVE-2009-1096, and CVE-2009-1102, can only be triggered in java-1.6.0-openjdk by calling the "appletviewer" application.

All users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

395481 - CVE-2006-2426 Untrusted applet causes DoS by filling up disk space
487508 - CVE-2009-0723 LittleCms integer overflow
487509 - CVE-2009-0581 LittleCms memory leak
487512 - CVE-2009-0733 LittleCms lack of upper-bounds check on sizes
490166 - CVE-2009-1101 OpenJDK JAX-WS service endpoint remote Denial-of-Service (6630639)
490167 - CVE-2009-1093 OpenJDK remote LDAP Denial-Of-Service (6717680)
490168 - CVE-2009-1094 OpenJDK LDAP client remote code execution (6737315)
490169 - CVE-2009-1095 CVE-2009-1096 OpenJDK Pack200 Buffer overflow vulnerability (6792554)
490172 - CVE-2009-1102 OpenJDK code generation vulnerability (6636360)
490174 - CVE-2009-1097 OpenJDK PNG processing buffer overflow vulnerability (6804996)
490178 - CVE-2009-1098 OpenJDK GIF processing buffer overflow vulnerability (6804998)
492353 - CVE-2009-0793 lcms: Null pointer dereference (DoS) by handling transformations of monochrome profiles

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/java-1.6.0-openjdk-1.6.0.0-0.30.b09.el5.src.rpm

i386:
java-1.6.0-openjdk-1.6.0.0-0.30.b09.el5.i386.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.0-0.30.b09.el5.i386.rpm
java-1.6.0-openjdk-demo-1.6.0.0-0.30.b09.el5.i386.rpm
java-1.6.0-openjdk-devel-1.6.0.0-0.30.b09.el5.i386.rpm
java-1.6.0-openjdk-javadoc-1.6.0.0-0.30.b09.el5.i386.rpm
java-1.6.0-openjdk-src-1.6.0.0-0.30.b09.el5.i386.rpm

x86_64:
java-1.6.0-openjdk-1.6.0.0-0.30.b09.el5.x86_64.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.0-0.30.b09.el5.x86_64.rpm
java-1.6.0-openjdk-demo-1.6.0.0-0.30.b09.el5.x86_64.rpm
java-1.6.0-openjdk-devel-1.6.0.0-0.30.b09.el5.x86_64.rpm
java-1.6.0-openjdk-javadoc-1.6.0.0-0.30.b09.el5.x86_64.rpm
java-1.6.0-openjdk-src-1.6.0.0-0.30.b09.el5.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/java-1.6.0-openjdk-1.6.0.0-0.30.b09.el5.src.rpm

i386:
java-1.6.0-openjdk-1.6.0.0-0.30.b09.el5.i386.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.0-0.30.b09.el5.i386.rpm
java-1.6.0-openjdk-demo-1.6.0.0-0.30.b09.el5.i386.rpm
java-1.6.0-openjdk-devel-1.6.0.0-0.30.b09.el5.i386.rpm
java-1.6.0-openjdk-javadoc-1.6.0.0-0.30.b09.el5.i386.rpm
java-1.6.0-openjdk-src-1.6.0.0-0.30.b09.el5.i386.rpm

x86_64:
java-1.6.0-openjdk-1.6.0.0-0.30.b09.el5.x86_64.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.0-0.30.b09.el5.x86_64.rpm
java-1.6.0-openjdk-demo-1.6.0.0-0.30.b09.el5.x86_64.rpm
java-1.6.0-openjdk-devel-1.6.0.0-0.30.b09.el5.x86_64.rpm
java-1.6.0-openjdk-javadoc-1.6.0.0-0.30.b09.el5.x86_64.rpm
java-1.6.0-openjdk-src-1.6.0.0-0.30.b09.el5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2426
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0581
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0723
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0733
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0793
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1093
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1094
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1095
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1096
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1097
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1098
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1101
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1102
http://www.redhat.com/security/updates/classification/#important
http://blogs.sun.com/security/entry/advance_notification_of_security_updates4

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFJ26GAXlSAg2UNWIIRAhFUAJ9S0aWGaXn0VDABIXwGEz+8+/fbbwCeI9L3
OxEL09Ao/GJavmR7FqUYs/U=
=SFHp
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Tue Apr 7 19:00:15 2009
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 7 Apr 2009 15:00:15 -0400
Subject: [RHSA-2009:0408-01] Important: krb5 security update
Message-ID: <200904071900.n37J0Jrl029411@int-mx1.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: krb5 security update
Advisory ID:       RHSA-2009:0408-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2009-0408.html
Issue date:        2009-04-07
CVE Names:         CVE-2009-0844 CVE-2009-0845 CVE-2009-0846
=====================================================================

1. Summary:

Updated krb5 packages that fix various security issues are now available for Red Hat Enterprise Linux 5.

This update has been rated as having important security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64

3. Description:

Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third party, the Key Distribution Center (KDC).

The Generic Security Service Application Program Interface (GSS-API) definition provides security services to callers (protocols) in a generic fashion. The Simple and Protected GSS-API Negotiation (SPNEGO) mechanism is used by GSS-API peers to choose from a common set of security mechanisms.
An input validation flaw was found in the ASN.1 (Abstract Syntax Notation One) decoder used by MIT Kerberos. A remote attacker could use this flaw to crash a network service using the MIT Kerberos library, such as kadmind or krb5kdc, by causing it to dereference or free an uninitialized pointer. (CVE-2009-0846)

Multiple input validation flaws were found in the MIT Kerberos GSS-API library's implementation of the SPNEGO mechanism. A remote attacker could use these flaws to crash any network service utilizing the MIT Kerberos GSS-API library to authenticate users or, possibly, leak portions of the service's memory. (CVE-2009-0844, CVE-2009-0845)

All krb5 users should upgrade to these updated packages, which contain backported patches to correct these issues. All running services using the MIT Kerberos libraries must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

490634 - CVE-2009-0845 krb5: NULL pointer dereference in GSSAPI SPNEGO (MITKRB5-SA-2009-001)
491033 - CVE-2009-0844 krb5: buffer over-read in SPNEGO GSS-API mechanism (MITKRB5-SA-2009-001)
491036 - CVE-2009-0846 krb5: ASN.1 decoder can free uninitialized pointer when decoding an invalid encoding (MITKRB5-SA-2009-002)

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/krb5-1.6.1-31.el5_3.3.src.rpm

i386:
krb5-debuginfo-1.6.1-31.el5_3.3.i386.rpm
krb5-libs-1.6.1-31.el5_3.3.i386.rpm
krb5-workstation-1.6.1-31.el5_3.3.i386.rpm

x86_64:
krb5-debuginfo-1.6.1-31.el5_3.3.i386.rpm
krb5-debuginfo-1.6.1-31.el5_3.3.x86_64.rpm
krb5-libs-1.6.1-31.el5_3.3.i386.rpm
krb5-libs-1.6.1-31.el5_3.3.x86_64.rpm
krb5-workstation-1.6.1-31.el5_3.3.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/krb5-1.6.1-31.el5_3.3.src.rpm

i386:
krb5-debuginfo-1.6.1-31.el5_3.3.i386.rpm
krb5-devel-1.6.1-31.el5_3.3.i386.rpm
krb5-server-1.6.1-31.el5_3.3.i386.rpm

x86_64:
krb5-debuginfo-1.6.1-31.el5_3.3.i386.rpm
krb5-debuginfo-1.6.1-31.el5_3.3.x86_64.rpm
krb5-devel-1.6.1-31.el5_3.3.i386.rpm
krb5-devel-1.6.1-31.el5_3.3.x86_64.rpm
krb5-server-1.6.1-31.el5_3.3.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/krb5-1.6.1-31.el5_3.3.src.rpm

i386:
krb5-debuginfo-1.6.1-31.el5_3.3.i386.rpm
krb5-devel-1.6.1-31.el5_3.3.i386.rpm
krb5-libs-1.6.1-31.el5_3.3.i386.rpm
krb5-server-1.6.1-31.el5_3.3.i386.rpm
krb5-workstation-1.6.1-31.el5_3.3.i386.rpm

ia64:
krb5-debuginfo-1.6.1-31.el5_3.3.i386.rpm
krb5-debuginfo-1.6.1-31.el5_3.3.ia64.rpm
krb5-devel-1.6.1-31.el5_3.3.ia64.rpm
krb5-libs-1.6.1-31.el5_3.3.i386.rpm
krb5-libs-1.6.1-31.el5_3.3.ia64.rpm
krb5-server-1.6.1-31.el5_3.3.ia64.rpm
krb5-workstation-1.6.1-31.el5_3.3.ia64.rpm

ppc:
krb5-debuginfo-1.6.1-31.el5_3.3.ppc.rpm
krb5-debuginfo-1.6.1-31.el5_3.3.ppc64.rpm
krb5-devel-1.6.1-31.el5_3.3.ppc.rpm
krb5-devel-1.6.1-31.el5_3.3.ppc64.rpm
krb5-libs-1.6.1-31.el5_3.3.ppc.rpm
krb5-libs-1.6.1-31.el5_3.3.ppc64.rpm
krb5-server-1.6.1-31.el5_3.3.ppc.rpm
krb5-workstation-1.6.1-31.el5_3.3.ppc.rpm

s390x:
krb5-debuginfo-1.6.1-31.el5_3.3.s390.rpm
krb5-debuginfo-1.6.1-31.el5_3.3.s390x.rpm
krb5-devel-1.6.1-31.el5_3.3.s390.rpm
krb5-devel-1.6.1-31.el5_3.3.s390x.rpm
krb5-libs-1.6.1-31.el5_3.3.s390.rpm
krb5-libs-1.6.1-31.el5_3.3.s390x.rpm
krb5-server-1.6.1-31.el5_3.3.s390x.rpm
krb5-workstation-1.6.1-31.el5_3.3.s390x.rpm

x86_64:
krb5-debuginfo-1.6.1-31.el5_3.3.i386.rpm
krb5-debuginfo-1.6.1-31.el5_3.3.x86_64.rpm
krb5-devel-1.6.1-31.el5_3.3.i386.rpm
krb5-devel-1.6.1-31.el5_3.3.x86_64.rpm
krb5-libs-1.6.1-31.el5_3.3.i386.rpm
krb5-libs-1.6.1-31.el5_3.3.x86_64.rpm
krb5-server-1.6.1-31.el5_3.3.x86_64.rpm
krb5-workstation-1.6.1-31.el5_3.3.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0844
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0845
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0846
http://www.redhat.com/security/updates/classification/#important
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2009-001.txt
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2009-002.txt

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFJ26JGXlSAg2UNWIIRApmQAKCz/3j4ImhDahQrHVvNG0KzAZH2YwCgjbPL
e8VvZn2yybWvy6YMSxmxApQ=
=4z8P
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Tue Apr 7 19:02:26 2009
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 7 Apr 2009 15:02:26 -0400
Subject: [RHSA-2009:0409-01] Important: krb5 security update
Message-ID: <200904071902.n37J2UeK031462@int-mx1.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: krb5 security update
Advisory ID:       RHSA-2009:0409-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2009-0409.html
Issue date:        2009-04-07
CVE Names:         CVE-2009-0846
=====================================================================

1. Summary:

Updated krb5 packages that fix a security issue are now available for Red Hat Enterprise Linux 4.

This update has been rated as having important security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

3. Description:

Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third party, the Key Distribution Center (KDC).

An input validation flaw was found in the ASN.1 (Abstract Syntax Notation One) decoder used by MIT Kerberos. A remote attacker could use this flaw to crash a network service using the MIT Kerberos library, such as kadmind or krb5kdc, by causing it to dereference or free an uninitialized pointer. (CVE-2009-0846)

All krb5 users should upgrade to these updated packages, which contain a backported patch to correct this issue. All running services using the MIT Kerberos libraries must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

491036 - CVE-2009-0846 krb5: ASN.1 decoder can free uninitialized pointer when decoding an invalid encoding (MITKRB5-SA-2009-002)

6. Package List:

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/krb5-1.3.4-60.el4_7.2.src.rpm

i386:
krb5-debuginfo-1.3.4-60.el4_7.2.i386.rpm
krb5-devel-1.3.4-60.el4_7.2.i386.rpm
krb5-libs-1.3.4-60.el4_7.2.i386.rpm
krb5-server-1.3.4-60.el4_7.2.i386.rpm
krb5-workstation-1.3.4-60.el4_7.2.i386.rpm

ia64:
krb5-debuginfo-1.3.4-60.el4_7.2.i386.rpm
krb5-debuginfo-1.3.4-60.el4_7.2.ia64.rpm
krb5-devel-1.3.4-60.el4_7.2.ia64.rpm
krb5-libs-1.3.4-60.el4_7.2.i386.rpm
krb5-libs-1.3.4-60.el4_7.2.ia64.rpm
krb5-server-1.3.4-60.el4_7.2.ia64.rpm
krb5-workstation-1.3.4-60.el4_7.2.ia64.rpm

ppc:
krb5-debuginfo-1.3.4-60.el4_7.2.ppc.rpm
krb5-debuginfo-1.3.4-60.el4_7.2.ppc64.rpm
krb5-devel-1.3.4-60.el4_7.2.ppc.rpm
krb5-libs-1.3.4-60.el4_7.2.ppc.rpm
krb5-libs-1.3.4-60.el4_7.2.ppc64.rpm
krb5-server-1.3.4-60.el4_7.2.ppc.rpm
krb5-workstation-1.3.4-60.el4_7.2.ppc.rpm

s390:
krb5-debuginfo-1.3.4-60.el4_7.2.s390.rpm
krb5-devel-1.3.4-60.el4_7.2.s390.rpm
krb5-libs-1.3.4-60.el4_7.2.s390.rpm
krb5-server-1.3.4-60.el4_7.2.s390.rpm
krb5-workstation-1.3.4-60.el4_7.2.s390.rpm

s390x:
krb5-debuginfo-1.3.4-60.el4_7.2.s390.rpm
krb5-debuginfo-1.3.4-60.el4_7.2.s390x.rpm
krb5-devel-1.3.4-60.el4_7.2.s390x.rpm
krb5-libs-1.3.4-60.el4_7.2.s390.rpm
krb5-libs-1.3.4-60.el4_7.2.s390x.rpm
krb5-server-1.3.4-60.el4_7.2.s390x.rpm
krb5-workstation-1.3.4-60.el4_7.2.s390x.rpm

x86_64:
krb5-debuginfo-1.3.4-60.el4_7.2.i386.rpm
krb5-debuginfo-1.3.4-60.el4_7.2.x86_64.rpm
krb5-devel-1.3.4-60.el4_7.2.x86_64.rpm
krb5-libs-1.3.4-60.el4_7.2.i386.rpm
krb5-libs-1.3.4-60.el4_7.2.x86_64.rpm
krb5-server-1.3.4-60.el4_7.2.x86_64.rpm
krb5-workstation-1.3.4-60.el4_7.2.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/krb5-1.3.4-60.el4_7.2.src.rpm

i386:
krb5-debuginfo-1.3.4-60.el4_7.2.i386.rpm
krb5-devel-1.3.4-60.el4_7.2.i386.rpm
krb5-libs-1.3.4-60.el4_7.2.i386.rpm
krb5-server-1.3.4-60.el4_7.2.i386.rpm
krb5-workstation-1.3.4-60.el4_7.2.i386.rpm

x86_64:
krb5-debuginfo-1.3.4-60.el4_7.2.i386.rpm
krb5-debuginfo-1.3.4-60.el4_7.2.x86_64.rpm
krb5-devel-1.3.4-60.el4_7.2.x86_64.rpm
krb5-libs-1.3.4-60.el4_7.2.i386.rpm
krb5-libs-1.3.4-60.el4_7.2.x86_64.rpm
krb5-server-1.3.4-60.el4_7.2.x86_64.rpm
krb5-workstation-1.3.4-60.el4_7.2.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/krb5-1.3.4-60.el4_7.2.src.rpm

i386:
krb5-debuginfo-1.3.4-60.el4_7.2.i386.rpm
krb5-devel-1.3.4-60.el4_7.2.i386.rpm
krb5-libs-1.3.4-60.el4_7.2.i386.rpm
krb5-server-1.3.4-60.el4_7.2.i386.rpm
krb5-workstation-1.3.4-60.el4_7.2.i386.rpm

ia64:
krb5-debuginfo-1.3.4-60.el4_7.2.i386.rpm
krb5-debuginfo-1.3.4-60.el4_7.2.ia64.rpm
krb5-devel-1.3.4-60.el4_7.2.ia64.rpm
krb5-libs-1.3.4-60.el4_7.2.i386.rpm
krb5-libs-1.3.4-60.el4_7.2.ia64.rpm
krb5-server-1.3.4-60.el4_7.2.ia64.rpm
krb5-workstation-1.3.4-60.el4_7.2.ia64.rpm

x86_64:
krb5-debuginfo-1.3.4-60.el4_7.2.i386.rpm
krb5-debuginfo-1.3.4-60.el4_7.2.x86_64.rpm
krb5-devel-1.3.4-60.el4_7.2.x86_64.rpm
krb5-libs-1.3.4-60.el4_7.2.i386.rpm
krb5-libs-1.3.4-60.el4_7.2.x86_64.rpm
krb5-server-1.3.4-60.el4_7.2.x86_64.rpm
krb5-workstation-1.3.4-60.el4_7.2.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/krb5-1.3.4-60.el4_7.2.src.rpm

i386:
krb5-debuginfo-1.3.4-60.el4_7.2.i386.rpm
krb5-devel-1.3.4-60.el4_7.2.i386.rpm
krb5-libs-1.3.4-60.el4_7.2.i386.rpm
krb5-server-1.3.4-60.el4_7.2.i386.rpm
krb5-workstation-1.3.4-60.el4_7.2.i386.rpm

ia64:
krb5-debuginfo-1.3.4-60.el4_7.2.i386.rpm
krb5-debuginfo-1.3.4-60.el4_7.2.ia64.rpm
krb5-devel-1.3.4-60.el4_7.2.ia64.rpm
krb5-libs-1.3.4-60.el4_7.2.i386.rpm
krb5-libs-1.3.4-60.el4_7.2.ia64.rpm
krb5-server-1.3.4-60.el4_7.2.ia64.rpm
krb5-workstation-1.3.4-60.el4_7.2.ia64.rpm

x86_64:
krb5-debuginfo-1.3.4-60.el4_7.2.i386.rpm
krb5-debuginfo-1.3.4-60.el4_7.2.x86_64.rpm
krb5-devel-1.3.4-60.el4_7.2.x86_64.rpm
krb5-libs-1.3.4-60.el4_7.2.i386.rpm
krb5-libs-1.3.4-60.el4_7.2.x86_64.rpm
krb5-server-1.3.4-60.el4_7.2.x86_64.rpm
krb5-workstation-1.3.4-60.el4_7.2.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0846
http://www.redhat.com/security/updates/classification/#important
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2009-002.txt

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFJ26LFXlSAg2UNWIIRAhkyAKC9j3rzj7ot8BWQLxg0xFxnU7UmnQCfeCmk mFbdrv1kjDzl28mSVOW4U9A= =A13c -----END PGP SIGNATURE----- From bugzilla at redhat.com Tue Apr 7 19:03:30 2009 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Tue, 7 Apr 2009 15:03:30 -0400 Subject: [RHSA-2009:0410-01] Critical: krb5 security update Message-ID: <200904071903.n37J3ZRb032185@int-mx1.corp.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Critical: krb5 security update Advisory ID: RHSA-2009:0410-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2009-0410.html Issue date: 2009-04-07 CVE Names: CVE-2009-0846 ===================================================================== 1. Summary: Updated krb5 packages that fix a security issue are now available for Red Hat Enterprise Linux 2.1 and 3. This update has been rated as having critical security impact by the Red Hat Security Response Team. 2. Relevant releases/architectures: Red Hat Desktop version 3 - i386, x86_64 Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64 Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64 Red Hat Enterprise Linux ES version 2.1 - i386 Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64 Red Hat Enterprise Linux WS version 2.1 - i386 Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64 Red Hat Linux Advanced Workstation 2.1 - ia64 3. Description: Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third party, the Key Distribution Center (KDC). An input validation flaw was found in the ASN.1 (Abstract Syntax Notation One) decoder used by MIT Kerberos. 
A remote attacker could use this flaw to crash a network service using the MIT Kerberos library, such as kadmind or krb5kdc, by causing it to dereference or free an uninitialized pointer or, possibly, execute arbitrary code with the privileges of the user running the service. (CVE-2009-0846) All krb5 users should upgrade to these updated packages, which contain a backported patch to correct this issue. All running services using the MIT Kerberos libraries must be restarted for the update to take effect. 4. Solution: Before applying this update, make sure that all previously-released errata relevant to your system have been applied. This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259 5. Bugs fixed (http://bugzilla.redhat.com/): 491036 - CVE-2009-0846 krb5: ASN.1 decoder can free uninitialized pointer when decoding an invalid encoding (MITKRB5-SA-2009-002) 6. Package List: Red Hat Enterprise Linux AS (Advanced Server) version 2.1 : Source: ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/krb5-1.2.2-49.src.rpm i386: krb5-devel-1.2.2-49.i386.rpm krb5-libs-1.2.2-49.i386.rpm krb5-server-1.2.2-49.i386.rpm krb5-workstation-1.2.2-49.i386.rpm ia64: krb5-devel-1.2.2-49.ia64.rpm krb5-libs-1.2.2-49.ia64.rpm krb5-server-1.2.2-49.ia64.rpm krb5-workstation-1.2.2-49.ia64.rpm Red Hat Linux Advanced Workstation 2.1: Source: ftp://updates.redhat.com/enterprise/2.1AW/en/os/SRPMS/krb5-1.2.2-49.src.rpm ia64: krb5-devel-1.2.2-49.ia64.rpm krb5-libs-1.2.2-49.ia64.rpm krb5-server-1.2.2-49.ia64.rpm krb5-workstation-1.2.2-49.ia64.rpm Red Hat Enterprise Linux ES version 2.1: Source: ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/krb5-1.2.2-49.src.rpm i386: krb5-devel-1.2.2-49.i386.rpm krb5-libs-1.2.2-49.i386.rpm krb5-server-1.2.2-49.i386.rpm krb5-workstation-1.2.2-49.i386.rpm Red Hat Enterprise Linux WS version 2.1: Source: 
ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/krb5-1.2.2-49.src.rpm i386: krb5-devel-1.2.2-49.i386.rpm krb5-libs-1.2.2-49.i386.rpm krb5-server-1.2.2-49.i386.rpm krb5-workstation-1.2.2-49.i386.rpm Red Hat Enterprise Linux AS version 3: Source: ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/krb5-1.2.7-70.src.rpm i386: krb5-debuginfo-1.2.7-70.i386.rpm krb5-devel-1.2.7-70.i386.rpm krb5-libs-1.2.7-70.i386.rpm krb5-server-1.2.7-70.i386.rpm krb5-workstation-1.2.7-70.i386.rpm ia64: krb5-debuginfo-1.2.7-70.i386.rpm krb5-debuginfo-1.2.7-70.ia64.rpm krb5-devel-1.2.7-70.ia64.rpm krb5-libs-1.2.7-70.i386.rpm krb5-libs-1.2.7-70.ia64.rpm krb5-server-1.2.7-70.ia64.rpm krb5-workstation-1.2.7-70.ia64.rpm ppc: krb5-debuginfo-1.2.7-70.ppc.rpm krb5-debuginfo-1.2.7-70.ppc64.rpm krb5-devel-1.2.7-70.ppc.rpm krb5-libs-1.2.7-70.ppc.rpm krb5-libs-1.2.7-70.ppc64.rpm krb5-server-1.2.7-70.ppc.rpm krb5-workstation-1.2.7-70.ppc.rpm s390: krb5-debuginfo-1.2.7-70.s390.rpm krb5-devel-1.2.7-70.s390.rpm krb5-libs-1.2.7-70.s390.rpm krb5-server-1.2.7-70.s390.rpm krb5-workstation-1.2.7-70.s390.rpm s390x: krb5-debuginfo-1.2.7-70.s390.rpm krb5-debuginfo-1.2.7-70.s390x.rpm krb5-devel-1.2.7-70.s390x.rpm krb5-libs-1.2.7-70.s390.rpm krb5-libs-1.2.7-70.s390x.rpm krb5-server-1.2.7-70.s390x.rpm krb5-workstation-1.2.7-70.s390x.rpm x86_64: krb5-debuginfo-1.2.7-70.i386.rpm krb5-debuginfo-1.2.7-70.x86_64.rpm krb5-devel-1.2.7-70.x86_64.rpm krb5-libs-1.2.7-70.i386.rpm krb5-libs-1.2.7-70.x86_64.rpm krb5-server-1.2.7-70.x86_64.rpm krb5-workstation-1.2.7-70.x86_64.rpm Red Hat Desktop version 3: Source: ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/krb5-1.2.7-70.src.rpm i386: krb5-debuginfo-1.2.7-70.i386.rpm krb5-devel-1.2.7-70.i386.rpm krb5-libs-1.2.7-70.i386.rpm krb5-server-1.2.7-70.i386.rpm krb5-workstation-1.2.7-70.i386.rpm x86_64: krb5-debuginfo-1.2.7-70.i386.rpm krb5-debuginfo-1.2.7-70.x86_64.rpm krb5-devel-1.2.7-70.x86_64.rpm krb5-libs-1.2.7-70.i386.rpm krb5-libs-1.2.7-70.x86_64.rpm 
krb5-server-1.2.7-70.x86_64.rpm krb5-workstation-1.2.7-70.x86_64.rpm Red Hat Enterprise Linux ES version 3: Source: ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/krb5-1.2.7-70.src.rpm i386: krb5-debuginfo-1.2.7-70.i386.rpm krb5-devel-1.2.7-70.i386.rpm krb5-libs-1.2.7-70.i386.rpm krb5-server-1.2.7-70.i386.rpm krb5-workstation-1.2.7-70.i386.rpm ia64: krb5-debuginfo-1.2.7-70.i386.rpm krb5-debuginfo-1.2.7-70.ia64.rpm krb5-devel-1.2.7-70.ia64.rpm krb5-libs-1.2.7-70.i386.rpm krb5-libs-1.2.7-70.ia64.rpm krb5-server-1.2.7-70.ia64.rpm krb5-workstation-1.2.7-70.ia64.rpm x86_64: krb5-debuginfo-1.2.7-70.i386.rpm krb5-debuginfo-1.2.7-70.x86_64.rpm krb5-devel-1.2.7-70.x86_64.rpm krb5-libs-1.2.7-70.i386.rpm krb5-libs-1.2.7-70.x86_64.rpm krb5-server-1.2.7-70.x86_64.rpm krb5-workstation-1.2.7-70.x86_64.rpm Red Hat Enterprise Linux WS version 3: Source: ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/krb5-1.2.7-70.src.rpm i386: krb5-debuginfo-1.2.7-70.i386.rpm krb5-devel-1.2.7-70.i386.rpm krb5-libs-1.2.7-70.i386.rpm krb5-server-1.2.7-70.i386.rpm krb5-workstation-1.2.7-70.i386.rpm ia64: krb5-debuginfo-1.2.7-70.i386.rpm krb5-debuginfo-1.2.7-70.ia64.rpm krb5-devel-1.2.7-70.ia64.rpm krb5-libs-1.2.7-70.i386.rpm krb5-libs-1.2.7-70.ia64.rpm krb5-server-1.2.7-70.ia64.rpm krb5-workstation-1.2.7-70.ia64.rpm x86_64: krb5-debuginfo-1.2.7-70.i386.rpm krb5-debuginfo-1.2.7-70.x86_64.rpm krb5-devel-1.2.7-70.x86_64.rpm krb5-libs-1.2.7-70.i386.rpm krb5-libs-1.2.7-70.x86_64.rpm krb5-server-1.2.7-70.x86_64.rpm krb5-workstation-1.2.7-70.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package 7. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0846 http://www.redhat.com/security/updates/classification/#critical http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2009-002.txt 8. Contact: The Red Hat security contact is . 
More contact details at https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.

From bugzilla at redhat.com Tue Apr 7 19:10:39 2009
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 7 Apr 2009 15:10:39 -0400
Subject: [RHSA-2009:0411-01] Moderate: device-mapper-multipath security update
Message-ID: <200904071910.n37JAirG005348@int-mx1.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: device-mapper-multipath security update
Advisory ID:       RHSA-2009:0411-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2009-0411.html
Issue date:        2009-04-07
CVE Names:         CVE-2009-0115
=====================================================================

1. Summary:

Updated device-mapper-multipath packages that fix a security issue are now available for Red Hat Enterprise Linux 4 and 5.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

3. Description:

The device-mapper multipath packages provide tools to manage multipath devices by issuing instructions to the device-mapper multipath kernel module, and by managing the creation and removal of partitions for device-mapper devices.

It was discovered that the multipathd daemon set incorrect permissions on the socket used to communicate with command line clients. An unprivileged, local user could use this flaw to send commands to multipathd, resulting in access disruptions to storage devices accessible via multiple paths and, possibly, file system corruption on these devices. (CVE-2009-0115)

Users of device-mapper-multipath are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. The multipathd service must be restarted for the changes to take effect.

Important: the version of the multipathd daemon in Red Hat Enterprise Linux 5 has a known issue which may cause a machine to become unresponsive when the multipathd service is stopped. This issue is tracked in the Bugzilla bug #494582; a link is provided in the References section of this erratum. Until this issue is resolved, we recommend restarting the multipathd service by issuing the following commands in sequence:

# killall -KILL multipathd
# service multipathd restart

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

493330 - CVE-2009-0115 device-mapper-multipath: insecure permissions on multipathd.sock

6. Package List:

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/device-mapper-multipath-0.4.5-31.el4_7.1.src.rpm

i386:
device-mapper-multipath-0.4.5-31.el4_7.1.i386.rpm
device-mapper-multipath-debuginfo-0.4.5-31.el4_7.1.i386.rpm

ia64:
device-mapper-multipath-0.4.5-31.el4_7.1.ia64.rpm
device-mapper-multipath-debuginfo-0.4.5-31.el4_7.1.ia64.rpm

ppc:
device-mapper-multipath-0.4.5-31.el4_7.1.ppc.rpm
device-mapper-multipath-debuginfo-0.4.5-31.el4_7.1.ppc.rpm

s390:
device-mapper-multipath-0.4.5-31.el4_7.1.s390.rpm
device-mapper-multipath-debuginfo-0.4.5-31.el4_7.1.s390.rpm

s390x:
device-mapper-multipath-0.4.5-31.el4_7.1.s390x.rpm
device-mapper-multipath-debuginfo-0.4.5-31.el4_7.1.s390x.rpm

x86_64:
device-mapper-multipath-0.4.5-31.el4_7.1.x86_64.rpm
device-mapper-multipath-debuginfo-0.4.5-31.el4_7.1.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/device-mapper-multipath-0.4.5-31.el4_7.1.src.rpm

i386:
device-mapper-multipath-0.4.5-31.el4_7.1.i386.rpm
device-mapper-multipath-debuginfo-0.4.5-31.el4_7.1.i386.rpm

x86_64:
device-mapper-multipath-0.4.5-31.el4_7.1.x86_64.rpm
device-mapper-multipath-debuginfo-0.4.5-31.el4_7.1.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/device-mapper-multipath-0.4.5-31.el4_7.1.src.rpm

i386:
device-mapper-multipath-0.4.5-31.el4_7.1.i386.rpm
device-mapper-multipath-debuginfo-0.4.5-31.el4_7.1.i386.rpm

ia64:
device-mapper-multipath-0.4.5-31.el4_7.1.ia64.rpm
device-mapper-multipath-debuginfo-0.4.5-31.el4_7.1.ia64.rpm

x86_64:
device-mapper-multipath-0.4.5-31.el4_7.1.x86_64.rpm
device-mapper-multipath-debuginfo-0.4.5-31.el4_7.1.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/device-mapper-multipath-0.4.5-31.el4_7.1.src.rpm

i386:
device-mapper-multipath-0.4.5-31.el4_7.1.i386.rpm
device-mapper-multipath-debuginfo-0.4.5-31.el4_7.1.i386.rpm

ia64:
device-mapper-multipath-0.4.5-31.el4_7.1.ia64.rpm
device-mapper-multipath-debuginfo-0.4.5-31.el4_7.1.ia64.rpm

x86_64:
device-mapper-multipath-0.4.5-31.el4_7.1.x86_64.rpm
device-mapper-multipath-debuginfo-0.4.5-31.el4_7.1.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/device-mapper-multipath-0.4.7-23.el5_3.2.src.rpm

i386:
device-mapper-multipath-0.4.7-23.el5_3.2.i386.rpm
device-mapper-multipath-debuginfo-0.4.7-23.el5_3.2.i386.rpm
kpartx-0.4.7-23.el5_3.2.i386.rpm

x86_64:
device-mapper-multipath-0.4.7-23.el5_3.2.x86_64.rpm
device-mapper-multipath-debuginfo-0.4.7-23.el5_3.2.x86_64.rpm
kpartx-0.4.7-23.el5_3.2.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/device-mapper-multipath-0.4.7-23.el5_3.2.src.rpm

i386:
device-mapper-multipath-0.4.7-23.el5_3.2.i386.rpm
device-mapper-multipath-debuginfo-0.4.7-23.el5_3.2.i386.rpm
kpartx-0.4.7-23.el5_3.2.i386.rpm

ia64:
device-mapper-multipath-0.4.7-23.el5_3.2.ia64.rpm
device-mapper-multipath-debuginfo-0.4.7-23.el5_3.2.ia64.rpm
kpartx-0.4.7-23.el5_3.2.ia64.rpm

ppc:
device-mapper-multipath-0.4.7-23.el5_3.2.ppc.rpm
device-mapper-multipath-debuginfo-0.4.7-23.el5_3.2.ppc.rpm
kpartx-0.4.7-23.el5_3.2.ppc.rpm

s390x:
device-mapper-multipath-0.4.7-23.el5_3.2.s390x.rpm
device-mapper-multipath-debuginfo-0.4.7-23.el5_3.2.s390x.rpm
kpartx-0.4.7-23.el5_3.2.s390x.rpm

x86_64:
device-mapper-multipath-0.4.7-23.el5_3.2.x86_64.rpm
device-mapper-multipath-debuginfo-0.4.7-23.el5_3.2.x86_64.rpm
kpartx-0.4.7-23.el5_3.2.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0115
http://www.redhat.com/security/updates/classification/#moderate
https://bugzilla.redhat.com/show_bug.cgi?id=494582

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.

From bugzilla at redhat.com Tue Apr 14 18:04:50 2009
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 14 Apr 2009 14:04:50 -0400
Subject: [RHSA-2009:0350-01] Moderate: php security update
Message-ID: <200904141804.n3EI4okN006813@int-mx1.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: php security update
Advisory ID:       RHSA-2009:0350-01
Product:           Red Hat Application Stack
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2009-0350.html
Issue date:        2009-04-14
CVE Names:         CVE-2008-3658 CVE-2008-3660 CVE-2008-5498 CVE-2008-5557
                   CVE-2008-5658 CVE-2008-5814 CVE-2009-0754 CVE-2009-1271
=====================================================================

1. Summary:

Updated php packages that fix several security issues are now available for Red Hat Application Stack v2.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Application Stack v2 for Enterprise Linux (v.5) - i386, x86_64

3. Description:

PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server.

A heap-based buffer overflow flaw was found in PHP's mbstring extension. A remote attacker able to pass arbitrary input to a PHP script using mbstring conversion functions could cause the PHP interpreter to crash or, possibly, execute arbitrary code. (CVE-2008-5557)

A flaw was found in the handling of the "mbstring.func_overload" configuration setting. A value set for one virtual host, or in a user's .htaccess file, was incorrectly applied to other virtual hosts on the same server, causing the handling of multibyte character strings to not work correctly. (CVE-2009-0754)

A directory traversal flaw was found in PHP's ZipArchive::extractTo function. If PHP is used to extract a malicious ZIP archive, it could allow an attacker to write arbitrary files anywhere the PHP process has write permissions. (CVE-2008-5658)

A buffer overflow flaw was found in PHP's imageloadfont function. If a PHP script allowed a remote attacker to load a carefully crafted font file, it could cause the PHP interpreter to crash or, possibly, execute arbitrary code. (CVE-2008-3658)

A flaw was found in the way PHP handled certain file extensions when running in FastCGI mode. If the PHP interpreter was being executed via FastCGI, a remote attacker could create a request which would cause the PHP interpreter to crash. (CVE-2008-3660)

A memory disclosure flaw was found in the PHP gd extension's imagerotate function. A remote attacker able to pass arbitrary values as the "background color" argument of the function could, possibly, view portions of the PHP interpreter's memory. (CVE-2008-5498)

A cross-site scripting flaw was found in the way PHP reported errors for invalid cookies. If the PHP interpreter had "display_errors" enabled, a remote attacker able to set a specially-crafted cookie on a victim's system could possibly inject arbitrary HTML into an error message generated by PHP. (CVE-2008-5814)

A flaw was found in PHP's json_decode function. A remote attacker could use this flaw to create a specially-crafted string which could cause the PHP interpreter to crash while being decoded in a PHP script. (CVE-2009-1271)

All php users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. The httpd web server must be restarted for the changes to take effect.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

459529 - CVE-2008-3658 php: buffer overflow in the imageloadfont function in gd extension
459572 - CVE-2008-3660 php: FastCGI module DoS via multiple dots preceding the extension
474824 - CVE-2008-5658 php: ZipArchive::extractTo() Directory Traversal Vulnerability
478425 - CVE-2008-5498 php: libgd imagerotate() array index error memory disclosure
478848 - CVE-2008-5557 php: Heap-based buffer overflow in the mbstring extension via crafted string containing a HTML entity (arb code execution)
479272 - CVE-2009-0754 PHP mbstring.func_overload web server denial of service
480167 - CVE-2008-5814 php: XSS via PHP error messages
494530 - CVE-2009-1271 php: crash on malformed input in json_decode()
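The ZipArchive::extractTo flaw (CVE-2008-5658) above is a missing containment check on archive entry names. The following Python guard is an added illustration, not Red Hat's or PHP's code: it resolves every entry against the destination directory before anything is written, which rejects `../` components, absolute names and paths that detour through an existing symlink alike. The archives and directory names are constructed samples.

```python
"""Path-containment guard for archive extraction (added example, not from the advisory).

CVE-2008-5658, described above, let an archive entry such as "../../x" be
written outside the directory passed to ZipArchive::extractTo. The guard
below validates the whole manifest against the destination before
extracting anything, so one hostile entry rejects the entire archive.
"""
from __future__ import annotations

import io
import os
import tempfile
import zipfile


class UnsafeEntry(ValueError):
    """Raised when an archive entry would land outside the destination."""


def is_contained(dest_dir: str, name: str) -> bool:
    """Return True if entry `name` resolves to a path inside `dest_dir`.

    realpath() collapses '..' components and follows symlinks that already
    exist under dest_dir, so the check reflects where bytes would actually
    be written rather than how the name looks.
    """
    if os.path.isabs(name) or name.startswith(("/", "\\")):
        return False  # absolute names never belong in an archive we accept
    dest = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest, name))
    return target == dest or target.startswith(dest + os.sep)


def safe_extract(zip_bytes: bytes, dest_dir: str) -> list[str]:
    """Extract `zip_bytes` into `dest_dir`, or raise UnsafeEntry before writing.

    Python's zipfile strips traversal components on its own; the explicit
    check makes the policy visible and independent of library behaviour.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [info.filename for info in zf.infolist()]
        # Validate first, extract second: a rejected archive leaves no
        # partially written tree behind.
        for name in names:
            if not is_contained(dest_dir, name):
                raise UnsafeEntry(f"entry {name!r} escapes {dest_dir}")
        for name in names:
            zf.extract(name, dest_dir)
    return names


def build_archive(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from name -> content pairs (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def demo() -> tuple[list[str], str]:
    """Run the guard over a benign and a hostile archive in a scratch directory.

    Returns the names extracted from the benign archive and the error text
    produced for the hostile one (constructed samples, no real site data).
    """
    benign = build_archive({"site/index.php": b"<?php echo 'hi';",
                            "site/img/logo.png": b"\x89PNG"})
    hostile = build_archive({"site/ok.txt": b"decoy",
                             "../../escaped.txt": b"outside the tree"})
    with tempfile.TemporaryDirectory() as scratch:
        extracted = safe_extract(benign, scratch)
        try:
            safe_extract(hostile, scratch)
            error = ""
        except UnsafeEntry as exc:
            error = str(exc)
    return extracted, error


if __name__ == "__main__":
    names, err = demo()
    print("extracted:", names)
    print("rejected:", err)
```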
6. Package List:

Red Hat Application Stack v2 for Enterprise Linux (v.5):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHWAS/SRPMS/php-5.2.6-4.el5s2.src.rpm

i386:
php-5.2.6-4.el5s2.i386.rpm
php-bcmath-5.2.6-4.el5s2.i386.rpm
php-cli-5.2.6-4.el5s2.i386.rpm
php-common-5.2.6-4.el5s2.i386.rpm
php-dba-5.2.6-4.el5s2.i386.rpm
php-debuginfo-5.2.6-4.el5s2.i386.rpm
php-devel-5.2.6-4.el5s2.i386.rpm
php-gd-5.2.6-4.el5s2.i386.rpm
php-imap-5.2.6-4.el5s2.i386.rpm
php-ldap-5.2.6-4.el5s2.i386.rpm
php-mbstring-5.2.6-4.el5s2.i386.rpm
php-mysql-5.2.6-4.el5s2.i386.rpm
php-ncurses-5.2.6-4.el5s2.i386.rpm
php-odbc-5.2.6-4.el5s2.i386.rpm
php-pdo-5.2.6-4.el5s2.i386.rpm
php-pgsql-5.2.6-4.el5s2.i386.rpm
php-snmp-5.2.6-4.el5s2.i386.rpm
php-soap-5.2.6-4.el5s2.i386.rpm
php-xml-5.2.6-4.el5s2.i386.rpm
php-xmlrpc-5.2.6-4.el5s2.i386.rpm

x86_64:
php-5.2.6-4.el5s2.x86_64.rpm
php-bcmath-5.2.6-4.el5s2.x86_64.rpm
php-cli-5.2.6-4.el5s2.x86_64.rpm
php-common-5.2.6-4.el5s2.x86_64.rpm
php-dba-5.2.6-4.el5s2.x86_64.rpm
php-debuginfo-5.2.6-4.el5s2.x86_64.rpm
php-devel-5.2.6-4.el5s2.x86_64.rpm
php-gd-5.2.6-4.el5s2.x86_64.rpm
php-imap-5.2.6-4.el5s2.x86_64.rpm
php-ldap-5.2.6-4.el5s2.x86_64.rpm
php-mbstring-5.2.6-4.el5s2.x86_64.rpm
php-mysql-5.2.6-4.el5s2.x86_64.rpm
php-ncurses-5.2.6-4.el5s2.x86_64.rpm
php-odbc-5.2.6-4.el5s2.x86_64.rpm
php-pdo-5.2.6-4.el5s2.x86_64.rpm
php-pgsql-5.2.6-4.el5s2.x86_64.rpm
php-snmp-5.2.6-4.el5s2.x86_64.rpm
php-soap-5.2.6-4.el5s2.x86_64.rpm
php-xml-5.2.6-4.el5s2.x86_64.rpm
php-xmlrpc-5.2.6-4.el5s2.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3658
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3660
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5498
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5557
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5658
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5814
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0754
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1271
http://www.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.

From bugzilla at redhat.com Tue Apr 14 18:07:36 2009
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 14 Apr 2009 14:07:36 -0400
Subject: [RHSA-2009:0420-01] Moderate: ghostscript security update
Message-ID: <200904141807.n3EI7aZv008867@int-mx1.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: ghostscript security update
Advisory ID:       RHSA-2009:0420-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2009-0420.html
Issue date:        2009-04-14
CVE Names:         CVE-2007-6725 CVE-2009-0792
=====================================================================

1. Summary:

Updated ghostscript packages that fix multiple security issues are now available for Red Hat Enterprise Linux 3 and 4.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

3. Description:

Ghostscript is a set of software that provides a PostScript interpreter, a set of C procedures (the Ghostscript library, which implements the graphics capabilities in the PostScript language) and an interpreter for Portable Document Format (PDF) files.

It was discovered that the Red Hat Security Advisory RHSA-2009:0345 did not address all possible integer overflow flaws in Ghostscript's International Color Consortium Format library (icclib). Using specially-crafted ICC profiles, an attacker could create a malicious PostScript or PDF file with embedded images that could cause Ghostscript to crash or, potentially, execute arbitrary code when opened. (CVE-2009-0792)

A missing boundary check was found in Ghostscript's CCITTFax decoding filter. An attacker could create a specially-crafted PostScript or PDF file that could cause Ghostscript to crash or, potentially, execute arbitrary code when opened. (CVE-2007-6725)

Users of ghostscript are advised to upgrade to these updated packages, which contain backported patches to correct these issues.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

491853 - CVE-2009-0792 ghostscript, argyllcms: Incomplete fix for CVE-2009-0583
493442 - CVE-2007-6725 ghostscript: DoS (crash) in CCITTFax decoding filter

6. Package List:

Red Hat Enterprise Linux AS version 3:

Source:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/ghostscript-7.05-32.1.20.src.rpm

i386:
ghostscript-7.05-32.1.20.i386.rpm
ghostscript-debuginfo-7.05-32.1.20.i386.rpm
ghostscript-devel-7.05-32.1.20.i386.rpm
hpijs-1.3-32.1.20.i386.rpm

ia64:
ghostscript-7.05-32.1.20.i386.rpm
ghostscript-7.05-32.1.20.ia64.rpm
ghostscript-debuginfo-7.05-32.1.20.i386.rpm
ghostscript-debuginfo-7.05-32.1.20.ia64.rpm
ghostscript-devel-7.05-32.1.20.ia64.rpm
hpijs-1.3-32.1.20.ia64.rpm

ppc:
ghostscript-7.05-32.1.20.ppc.rpm
ghostscript-7.05-32.1.20.ppc64.rpm
ghostscript-debuginfo-7.05-32.1.20.ppc.rpm
ghostscript-debuginfo-7.05-32.1.20.ppc64.rpm
ghostscript-devel-7.05-32.1.20.ppc.rpm
hpijs-1.3-32.1.20.ppc.rpm

s390:
ghostscript-7.05-32.1.20.s390.rpm
ghostscript-debuginfo-7.05-32.1.20.s390.rpm
ghostscript-devel-7.05-32.1.20.s390.rpm
hpijs-1.3-32.1.20.s390.rpm

s390x:
ghostscript-7.05-32.1.20.s390.rpm
ghostscript-7.05-32.1.20.s390x.rpm
ghostscript-debuginfo-7.05-32.1.20.s390.rpm
ghostscript-debuginfo-7.05-32.1.20.s390x.rpm
ghostscript-devel-7.05-32.1.20.s390x.rpm
hpijs-1.3-32.1.20.s390x.rpm

x86_64:
ghostscript-7.05-32.1.20.i386.rpm
ghostscript-7.05-32.1.20.x86_64.rpm
ghostscript-debuginfo-7.05-32.1.20.i386.rpm
ghostscript-debuginfo-7.05-32.1.20.x86_64.rpm
ghostscript-devel-7.05-32.1.20.x86_64.rpm
hpijs-1.3-32.1.20.x86_64.rpm

Red Hat Desktop version 3:

Source:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/ghostscript-7.05-32.1.20.src.rpm

i386:
ghostscript-7.05-32.1.20.i386.rpm
ghostscript-debuginfo-7.05-32.1.20.i386.rpm
ghostscript-devel-7.05-32.1.20.i386.rpm
hpijs-1.3-32.1.20.i386.rpm

x86_64:
ghostscript-7.05-32.1.20.i386.rpm
ghostscript-7.05-32.1.20.x86_64.rpm
ghostscript-debuginfo-7.05-32.1.20.i386.rpm
ghostscript-debuginfo-7.05-32.1.20.x86_64.rpm
ghostscript-devel-7.05-32.1.20.x86_64.rpm
hpijs-1.3-32.1.20.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

Source:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/ghostscript-7.05-32.1.20.src.rpm

i386:
ghostscript-7.05-32.1.20.i386.rpm
ghostscript-debuginfo-7.05-32.1.20.i386.rpm
ghostscript-devel-7.05-32.1.20.i386.rpm
hpijs-1.3-32.1.20.i386.rpm

ia64:
ghostscript-7.05-32.1.20.i386.rpm
ghostscript-7.05-32.1.20.ia64.rpm
ghostscript-debuginfo-7.05-32.1.20.i386.rpm
ghostscript-debuginfo-7.05-32.1.20.ia64.rpm
ghostscript-devel-7.05-32.1.20.ia64.rpm
hpijs-1.3-32.1.20.ia64.rpm

x86_64:
ghostscript-7.05-32.1.20.i386.rpm
ghostscript-7.05-32.1.20.x86_64.rpm
ghostscript-debuginfo-7.05-32.1.20.i386.rpm
ghostscript-debuginfo-7.05-32.1.20.x86_64.rpm
ghostscript-devel-7.05-32.1.20.x86_64.rpm
hpijs-1.3-32.1.20.x86_64.rpm

Red Hat Enterprise Linux WS version 3:

Source:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/ghostscript-7.05-32.1.20.src.rpm

i386:
ghostscript-7.05-32.1.20.i386.rpm
ghostscript-debuginfo-7.05-32.1.20.i386.rpm
ghostscript-devel-7.05-32.1.20.i386.rpm
hpijs-1.3-32.1.20.i386.rpm

ia64:
ghostscript-7.05-32.1.20.i386.rpm
ghostscript-7.05-32.1.20.ia64.rpm
ghostscript-debuginfo-7.05-32.1.20.i386.rpm
ghostscript-debuginfo-7.05-32.1.20.ia64.rpm
ghostscript-devel-7.05-32.1.20.ia64.rpm
hpijs-1.3-32.1.20.ia64.rpm

x86_64:
ghostscript-7.05-32.1.20.i386.rpm
ghostscript-7.05-32.1.20.x86_64.rpm
ghostscript-debuginfo-7.05-32.1.20.i386.rpm
ghostscript-debuginfo-7.05-32.1.20.x86_64.rpm
ghostscript-devel-7.05-32.1.20.x86_64.rpm
hpijs-1.3-32.1.20.x86_64.rpm

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/ghostscript-7.07-33.2.el4_7.8.src.rpm

i386:
ghostscript-7.07-33.2.el4_7.8.i386.rpm
ghostscript-debuginfo-7.07-33.2.el4_7.8.i386.rpm
ghostscript-devel-7.07-33.2.el4_7.8.i386.rpm
ghostscript-gtk-7.07-33.2.el4_7.8.i386.rpm

ia64:
ghostscript-7.07-33.2.el4_7.8.i386.rpm
ghostscript-7.07-33.2.el4_7.8.ia64.rpm
ghostscript-debuginfo-7.07-33.2.el4_7.8.i386.rpm
ghostscript-debuginfo-7.07-33.2.el4_7.8.ia64.rpm
ghostscript-devel-7.07-33.2.el4_7.8.ia64.rpm
ghostscript-gtk-7.07-33.2.el4_7.8.ia64.rpm

ppc:
ghostscript-7.07-33.2.el4_7.8.ppc.rpm
ghostscript-7.07-33.2.el4_7.8.ppc64.rpm
ghostscript-debuginfo-7.07-33.2.el4_7.8.ppc.rpm
ghostscript-debuginfo-7.07-33.2.el4_7.8.ppc64.rpm
ghostscript-devel-7.07-33.2.el4_7.8.ppc.rpm
ghostscript-gtk-7.07-33.2.el4_7.8.ppc.rpm

s390:
ghostscript-7.07-33.2.el4_7.8.s390.rpm
ghostscript-debuginfo-7.07-33.2.el4_7.8.s390.rpm
ghostscript-devel-7.07-33.2.el4_7.8.s390.rpm
ghostscript-gtk-7.07-33.2.el4_7.8.s390.rpm

s390x:
ghostscript-7.07-33.2.el4_7.8.s390.rpm
ghostscript-7.07-33.2.el4_7.8.s390x.rpm
ghostscript-debuginfo-7.07-33.2.el4_7.8.s390.rpm
ghostscript-debuginfo-7.07-33.2.el4_7.8.s390x.rpm
ghostscript-devel-7.07-33.2.el4_7.8.s390x.rpm
ghostscript-gtk-7.07-33.2.el4_7.8.s390x.rpm

x86_64:
ghostscript-7.07-33.2.el4_7.8.i386.rpm
ghostscript-7.07-33.2.el4_7.8.x86_64.rpm
ghostscript-debuginfo-7.07-33.2.el4_7.8.i386.rpm
ghostscript-debuginfo-7.07-33.2.el4_7.8.x86_64.rpm
ghostscript-devel-7.07-33.2.el4_7.8.x86_64.rpm
ghostscript-gtk-7.07-33.2.el4_7.8.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/ghostscript-7.07-33.2.el4_7.8.src.rpm

i386:
ghostscript-7.07-33.2.el4_7.8.i386.rpm
ghostscript-debuginfo-7.07-33.2.el4_7.8.i386.rpm
ghostscript-devel-7.07-33.2.el4_7.8.i386.rpm
ghostscript-gtk-7.07-33.2.el4_7.8.i386.rpm

x86_64:
ghostscript-7.07-33.2.el4_7.8.i386.rpm
ghostscript-7.07-33.2.el4_7.8.x86_64.rpm
ghostscript-debuginfo-7.07-33.2.el4_7.8.i386.rpm
ghostscript-debuginfo-7.07-33.2.el4_7.8.x86_64.rpm
ghostscript-devel-7.07-33.2.el4_7.8.x86_64.rpm
ghostscript-gtk-7.07-33.2.el4_7.8.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/ghostscript-7.07-33.2.el4_7.8.src.rpm

i386:
ghostscript-7.07-33.2.el4_7.8.i386.rpm
ghostscript-debuginfo-7.07-33.2.el4_7.8.i386.rpm
ghostscript-devel-7.07-33.2.el4_7.8.i386.rpm
ghostscript-gtk-7.07-33.2.el4_7.8.i386.rpm

ia64:
ghostscript-7.07-33.2.el4_7.8.i386.rpm
ghostscript-7.07-33.2.el4_7.8.ia64.rpm
ghostscript-debuginfo-7.07-33.2.el4_7.8.i386.rpm
ghostscript-debuginfo-7.07-33.2.el4_7.8.ia64.rpm
ghostscript-devel-7.07-33.2.el4_7.8.ia64.rpm
ghostscript-gtk-7.07-33.2.el4_7.8.ia64.rpm

x86_64:
ghostscript-7.07-33.2.el4_7.8.i386.rpm
ghostscript-7.07-33.2.el4_7.8.x86_64.rpm
ghostscript-debuginfo-7.07-33.2.el4_7.8.i386.rpm
ghostscript-debuginfo-7.07-33.2.el4_7.8.x86_64.rpm
ghostscript-devel-7.07-33.2.el4_7.8.x86_64.rpm
ghostscript-gtk-7.07-33.2.el4_7.8.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/ghostscript-7.07-33.2.el4_7.8.src.rpm

i386:
ghostscript-7.07-33.2.el4_7.8.i386.rpm
ghostscript-debuginfo-7.07-33.2.el4_7.8.i386.rpm
ghostscript-devel-7.07-33.2.el4_7.8.i386.rpm
ghostscript-gtk-7.07-33.2.el4_7.8.i386.rpm

ia64:
ghostscript-7.07-33.2.el4_7.8.i386.rpm
ghostscript-7.07-33.2.el4_7.8.ia64.rpm
ghostscript-debuginfo-7.07-33.2.el4_7.8.i386.rpm
ghostscript-debuginfo-7.07-33.2.el4_7.8.ia64.rpm
ghostscript-devel-7.07-33.2.el4_7.8.ia64.rpm
ghostscript-gtk-7.07-33.2.el4_7.8.ia64.rpm

x86_64:
ghostscript-7.07-33.2.el4_7.8.i386.rpm
ghostscript-7.07-33.2.el4_7.8.x86_64.rpm
ghostscript-debuginfo-7.07-33.2.el4_7.8.i386.rpm
ghostscript-debuginfo-7.07-33.2.el4_7.8.x86_64.rpm
ghostscript-devel-7.07-33.2.el4_7.8.x86_64.rpm
ghostscript-gtk-7.07-33.2.el4_7.8.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6725
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0792
http://www.redhat.com/security/updates/classification/#moderate

8.
Contact: The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/ Copyright 2009 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFJ5NB3XlSAg2UNWIIRAgRPAJ9Lv0cn2hujR7bEs2z0qX62R/tqkACfcM34 CU+WdchM9zlmN4NfHMwxjKQ= =t1dk -----END PGP SIGNATURE----- From bugzilla at redhat.com Tue Apr 14 18:08:08 2009 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Tue, 14 Apr 2009 14:08:08 -0400 Subject: [RHSA-2009:0421-01] Moderate: ghostscript security update Message-ID: <200904141808.n3EI88bA009112@int-mx1.corp.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: ghostscript security update Advisory ID: RHSA-2009:0421-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2009-0421.html Issue date: 2009-04-14 CVE Names: CVE-2007-6725 CVE-2008-6679 CVE-2009-0196 CVE-2009-0792 ===================================================================== 1. Summary: Updated ghostscript packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. 2. Relevant releases/architectures: RHEL Desktop Workstation (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 3. Description: Ghostscript is a set of software that provides a PostScript interpreter, a set of C procedures (the Ghostscript library, which implements the graphics capabilities in the PostScript language) and an interpreter for Portable Document Format (PDF) files. It was discovered that the Red Hat Security Advisory RHSA-2009:0345 did not address all possible integer overflow flaws in Ghostscript's International Color Consortium Format library (icclib). 
Using specially-crafted ICC profiles, an attacker could create a malicious PostScript or PDF file with embedded images that could cause Ghostscript to crash or, potentially, execute arbitrary code when opened. (CVE-2009-0792) A buffer overflow flaw and multiple missing boundary checks were found in Ghostscript. An attacker could create a specially-crafted PostScript or PDF file that could cause Ghostscript to crash or, potentially, execute arbitrary code when opened. (CVE-2008-6679, CVE-2007-6725, CVE-2009-0196) Red Hat would like to thank Alin Rad Pop of Secunia Research for responsibly reporting the CVE-2009-0196 flaw. Users of ghostscript are advised to upgrade to these updated packages, which contain backported patches to correct these issues. 4. Solution: Before applying this update, make sure that all previously-released errata relevant to your system have been applied. This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259 5. Bugs fixed (http://bugzilla.redhat.com/): 491853 - CVE-2009-0792 ghostscript, argyllcms: Incomplete fix for CVE-2009-0583 493379 - CVE-2009-0196 ghostscript: Missing boundary check in Ghostscript's jbig2dec library 493442 - CVE-2007-6725 ghostscript: DoS (crash) in CCITTFax decoding filter 493445 - CVE-2008-6679 ghostscript: Buffer overflow in BaseFont writer module for pdfwrite defice 6. Package List: Red Hat Enterprise Linux Desktop (v. 
5 client): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/ghostscript-8.15.2-9.4.el5_3.7.src.rpm i386: ghostscript-8.15.2-9.4.el5_3.7.i386.rpm ghostscript-debuginfo-8.15.2-9.4.el5_3.7.i386.rpm ghostscript-gtk-8.15.2-9.4.el5_3.7.i386.rpm x86_64: ghostscript-8.15.2-9.4.el5_3.7.i386.rpm ghostscript-8.15.2-9.4.el5_3.7.x86_64.rpm ghostscript-debuginfo-8.15.2-9.4.el5_3.7.i386.rpm ghostscript-debuginfo-8.15.2-9.4.el5_3.7.x86_64.rpm ghostscript-gtk-8.15.2-9.4.el5_3.7.x86_64.rpm RHEL Desktop Workstation (v. 5 client): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/ghostscript-8.15.2-9.4.el5_3.7.src.rpm i386: ghostscript-debuginfo-8.15.2-9.4.el5_3.7.i386.rpm ghostscript-devel-8.15.2-9.4.el5_3.7.i386.rpm x86_64: ghostscript-debuginfo-8.15.2-9.4.el5_3.7.i386.rpm ghostscript-debuginfo-8.15.2-9.4.el5_3.7.x86_64.rpm ghostscript-devel-8.15.2-9.4.el5_3.7.i386.rpm ghostscript-devel-8.15.2-9.4.el5_3.7.x86_64.rpm Red Hat Enterprise Linux (v. 5 server): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/ghostscript-8.15.2-9.4.el5_3.7.src.rpm i386: ghostscript-8.15.2-9.4.el5_3.7.i386.rpm ghostscript-debuginfo-8.15.2-9.4.el5_3.7.i386.rpm ghostscript-devel-8.15.2-9.4.el5_3.7.i386.rpm ghostscript-gtk-8.15.2-9.4.el5_3.7.i386.rpm ia64: ghostscript-8.15.2-9.4.el5_3.7.ia64.rpm ghostscript-debuginfo-8.15.2-9.4.el5_3.7.ia64.rpm ghostscript-devel-8.15.2-9.4.el5_3.7.ia64.rpm ghostscript-gtk-8.15.2-9.4.el5_3.7.ia64.rpm ppc: ghostscript-8.15.2-9.4.el5_3.7.ppc.rpm ghostscript-8.15.2-9.4.el5_3.7.ppc64.rpm ghostscript-debuginfo-8.15.2-9.4.el5_3.7.ppc.rpm ghostscript-debuginfo-8.15.2-9.4.el5_3.7.ppc64.rpm ghostscript-devel-8.15.2-9.4.el5_3.7.ppc.rpm ghostscript-devel-8.15.2-9.4.el5_3.7.ppc64.rpm ghostscript-gtk-8.15.2-9.4.el5_3.7.ppc.rpm s390x: ghostscript-8.15.2-9.4.el5_3.7.s390.rpm ghostscript-8.15.2-9.4.el5_3.7.s390x.rpm ghostscript-debuginfo-8.15.2-9.4.el5_3.7.s390.rpm 
ghostscript-debuginfo-8.15.2-9.4.el5_3.7.s390x.rpm ghostscript-devel-8.15.2-9.4.el5_3.7.s390.rpm ghostscript-devel-8.15.2-9.4.el5_3.7.s390x.rpm ghostscript-gtk-8.15.2-9.4.el5_3.7.s390x.rpm x86_64: ghostscript-8.15.2-9.4.el5_3.7.i386.rpm ghostscript-8.15.2-9.4.el5_3.7.x86_64.rpm ghostscript-debuginfo-8.15.2-9.4.el5_3.7.i386.rpm ghostscript-debuginfo-8.15.2-9.4.el5_3.7.x86_64.rpm ghostscript-devel-8.15.2-9.4.el5_3.7.i386.rpm ghostscript-devel-8.15.2-9.4.el5_3.7.x86_64.rpm ghostscript-gtk-8.15.2-9.4.el5_3.7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package 7. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6725 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6679 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0196 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0792 http://www.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/ Copyright 2009 Red Hat, Inc. 
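Deciding whether an installed package already carries one of the errata above means comparing its version-release against the fixed one using rpm's ordering, not plain string order: a release ending in `el5_3.10` is newer than one ending in `el5_3.7`, which a strcmp() would get backwards. The block below is an added example written for this page, not Red Hat's or rpm's own code. It re-implements the segment-by-segment rules rpm's rpmvercmp() applies (numeric segments by value, alphabetic ones lexically, a numeric segment outranks an alphabetic one, `~` sorts before everything); that re-implementation is an assumption about rpm's ordering, and it treats epochs as equal, which holds for every package listed on this page. The installed candidates in main() are constructed; on a live system the value would come from `rpm -q --qf '%{VERSION}-%{RELEASE}\n' ghostscript`.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Compare two version (or release) strings with rpm's ordering rules.
 * Each string is cut into alternating numeric and alphabetic segments;
 * numeric segments compare by value (10 > 7), alphabetic ones lexically,
 * a numeric segment beats an alphabetic one, and '~' sorts before
 * anything, even the end of the string. Returns -1, 0 or 1.
 * Illustrative re-implementation, not rpm's own rpmvercmp(). */
int rpm_segment_cmp(const char *a, const char *b)
{
    if (strcmp(a, b) == 0)
        return 0;
    while (*a || *b) {
        /* skip separators such as '.', '_' or '-' */
        while (*a && !isalnum((unsigned char)*a) && *a != '~') a++;
        while (*b && !isalnum((unsigned char)*b) && *b != '~') b++;
        if (*a == '~' || *b == '~') {
            if (*a != '~') return 1;
            if (*b != '~') return -1;
            a++; b++;
            continue;
        }
        if (!(*a && *b))
            break;                      /* one side has no segments left */
        int isnum = isdigit((unsigned char)*a) != 0;
        size_t la = 0, lb = 0;
        if (isnum) {
            while (isdigit((unsigned char)a[la])) la++;
            while (isdigit((unsigned char)b[lb])) lb++;
        } else {
            while (isalpha((unsigned char)a[la])) la++;
            while (isalpha((unsigned char)b[lb])) lb++;
        }
        if (lb == 0)                    /* segment types differ */
            return isnum ? 1 : -1;
        if (isnum) {                    /* drop leading zeros; longer number wins */
            while (la > 1 && *a == '0') { a++; la--; }
            while (lb > 1 && *b == '0') { b++; lb--; }
            if (la != lb)
                return la > lb ? 1 : -1;
        }
        size_t n = la < lb ? la : lb;
        int rc = strncmp(a, b, n);
        if (rc != 0)
            return rc < 0 ? -1 : 1;
        if (la != lb)                   /* equal prefix: shorter alpha segment sorts first */
            return la < lb ? -1 : 1;
        a += la;
        b += lb;
    }
    if (!*a && !*b)
        return 0;
    return *a ? 1 : -1;                 /* whichever still has content is newer */
}

/* Compare two "VERSION-RELEASE" strings the way rpm orders packages:
 * version first, release only to break a tie. Epoch is assumed equal. */
int rpm_vr_cmp(const char *a, const char *b)
{
    char va[64], vb[64];
    const char *ra = strrchr(a, '-');
    const char *rb = strrchr(b, '-');
    size_t na = ra ? (size_t)(ra - a) : strlen(a);
    size_t nb = rb ? (size_t)(rb - b) : strlen(b);
    if (na >= sizeof va) na = sizeof va - 1;   /* bound oversized input */
    if (nb >= sizeof vb) nb = sizeof vb - 1;
    memcpy(va, a, na); va[na] = '\0';
    memcpy(vb, b, nb); vb[nb] = '\0';
    int rc = rpm_segment_cmp(va, vb);
    if (rc != 0)
        return rc;
    return rpm_segment_cmp(ra ? ra + 1 : "", rb ? rb + 1 : "");
}

/* 1 if the installed VERSION-RELEASE is at or above the fixed one. */
int has_fix(const char *installed_vr, const char *fixed_vr)
{
    return rpm_vr_cmp(installed_vr, fixed_vr) >= 0;
}

int main(void)
{
    /* Fixed version-release from the RHEL 5 ghostscript list above;
     * the installed candidates are constructed for this example. */
    const char *fixed = "8.15.2-9.4.el5_3.7";
    const char *candidates[] = {
        "8.15.2-9.4.el5_3.6",    /* one release behind: still affected */
        "8.15.2-9.4.el5_3.7",    /* exactly this erratum */
        "8.15.2-9.4.el5_3.10",   /* later erratum: 10 > 7 numerically */
        "8.15.2-9.4.el5_3",      /* no trailing segment: older */
    };
    for (size_t i = 0; i < sizeof candidates / sizeof candidates[0]; i++)
        printf("%-22s %s\n", candidates[i],
               has_fix(candidates[i], fixed) ? "has fix" : "AFFECTED");
    return 0;
}
```

The same comparison applies to every package on this page, for instance udev-095-14.20.el5_3 further down: an installed 095-14.19.el5_3 is reported as affected because 19 < 20 in the release.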
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFJ5NDvXlSAg2UNWIIRAjMaAKCjfVglsgHCEb9SsKxEMkY2tYStQwCgwH01
j8WuJbWvHzKCxStqjTM4p2I=
=gteK
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Thu Apr 16 19:44:59 2009
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 16 Apr 2009 15:44:59 -0400
Subject: [RHSA-2009:0427-01] Important: udev security update
Message-ID: <200904161944.n3GJixLY009162@int-mx1.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: udev security update
Advisory ID:       RHSA-2009:0427-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2009-0427.html
Issue date:        2009-04-16
CVE Names:         CVE-2009-1185
=====================================================================

1. Summary:

Updated udev packages that fix one security issue are now available for Red Hat Enterprise Linux 5.

This update has been rated as having important security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64

3. Description:

udev provides a user-space API and implements a dynamic device directory, providing only the devices present on the system. udev replaces devfs in order to provide greater hot plug functionality. Netlink is a datagram oriented service, used to transfer information between kernel modules and user-space processes.

It was discovered that udev did not properly check the origin of Netlink messages. A local attacker could use this flaw to gain root privileges via a crafted Netlink message sent to udev, causing it to create a world-writable block device file for an existing system block device (for example, the root file system). (CVE-2009-1185)

Red Hat would like to thank Sebastian Krahmer of the SUSE Security Team for responsibly reporting this flaw.

Users of udev are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the update, the udevd daemon will be restarted automatically.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

495051 - CVE-2009-1185 udev: Uncheck origin of NETLINK messages

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/udev-095-14.20.el5_3.src.rpm

i386:
libvolume_id-095-14.20.el5_3.i386.rpm
udev-095-14.20.el5_3.i386.rpm
udev-debuginfo-095-14.20.el5_3.i386.rpm

x86_64:
libvolume_id-095-14.20.el5_3.i386.rpm
libvolume_id-095-14.20.el5_3.x86_64.rpm
udev-095-14.20.el5_3.x86_64.rpm
udev-debuginfo-095-14.20.el5_3.i386.rpm
udev-debuginfo-095-14.20.el5_3.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/udev-095-14.20.el5_3.src.rpm

i386:
libvolume_id-devel-095-14.20.el5_3.i386.rpm
udev-debuginfo-095-14.20.el5_3.i386.rpm

x86_64:
libvolume_id-devel-095-14.20.el5_3.i386.rpm
libvolume_id-devel-095-14.20.el5_3.x86_64.rpm
udev-debuginfo-095-14.20.el5_3.i386.rpm
udev-debuginfo-095-14.20.el5_3.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/udev-095-14.20.el5_3.src.rpm

i386:
libvolume_id-095-14.20.el5_3.i386.rpm
libvolume_id-devel-095-14.20.el5_3.i386.rpm
udev-095-14.20.el5_3.i386.rpm
udev-debuginfo-095-14.20.el5_3.i386.rpm

ia64:
libvolume_id-095-14.20.el5_3.ia64.rpm
libvolume_id-devel-095-14.20.el5_3.ia64.rpm
udev-095-14.20.el5_3.ia64.rpm
udev-debuginfo-095-14.20.el5_3.ia64.rpm

ppc:
libvolume_id-095-14.20.el5_3.ppc.rpm
libvolume_id-095-14.20.el5_3.ppc64.rpm
libvolume_id-devel-095-14.20.el5_3.ppc.rpm
libvolume_id-devel-095-14.20.el5_3.ppc64.rpm
udev-095-14.20.el5_3.ppc.rpm
udev-debuginfo-095-14.20.el5_3.ppc.rpm
udev-debuginfo-095-14.20.el5_3.ppc64.rpm

s390x:
libvolume_id-095-14.20.el5_3.s390.rpm
libvolume_id-095-14.20.el5_3.s390x.rpm
libvolume_id-devel-095-14.20.el5_3.s390.rpm
libvolume_id-devel-095-14.20.el5_3.s390x.rpm
udev-095-14.20.el5_3.s390x.rpm
udev-debuginfo-095-14.20.el5_3.s390.rpm
udev-debuginfo-095-14.20.el5_3.s390x.rpm

x86_64:
libvolume_id-095-14.20.el5_3.i386.rpm
libvolume_id-095-14.20.el5_3.x86_64.rpm
libvolume_id-devel-095-14.20.el5_3.i386.rpm
libvolume_id-devel-095-14.20.el5_3.x86_64.rpm
udev-095-14.20.el5_3.x86_64.rpm
udev-debuginfo-095-14.20.el5_3.i386.rpm
udev-debuginfo-095-14.20.el5_3.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1185
http://www.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at
https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.
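The udev flaw above is a missing origin check: the daemon acted on any datagram that arrived on its uevent socket, whoever sent it. What a receiver can verify is shown below as an added example written for this page, not udev's or Red Hat's code. A kernel-originated netlink datagram reports nl_pid 0 in the sockaddr_nl that recvmsg() fills in as msg_name, and, when SO_PASSCRED is enabled on the socket, a pid of 0 in the SCM_CREDENTIALS ancillary data, because no user-space process has pid 0. The struct nl_sender, the function names, the status codes and the sample uevent payload are constructed for the example; in a real receiver the fields would be copied from msg_name and the cmsg data, and the payload would be the received buffer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* What a receiver learns about the sender of a netlink datagram: nl_pid
 * from the sockaddr_nl that recvmsg() fills in, and the pid from the
 * SCM_CREDENTIALS ancillary message when SO_PASSCRED is set. Plain fields
 * instead of sockaddr_nl/ucred keep this example portable (assumption). */
struct nl_sender {
    unsigned int nl_pid;  /* 0 when the datagram originated in the kernel */
    int have_cred;        /* 1 if SCM_CREDENTIALS was delivered */
    int cred_pid;         /* ucred.pid; 0 for kernel-originated datagrams */
};

/* Every user-space process has a non-zero pid, so a pid of 0 in both
 * places identifies the kernel. Anything else means some other local
 * process wrote to the NETLINK_KOBJECT_UEVENT socket and must be ignored. */
int uevent_from_kernel(const struct nl_sender *s)
{
    if (s->nl_pid != 0)
        return 0;
    if (s->have_cred && s->cred_pid != 0)
        return 0;
    return 1;
}

#define UEVENT_REJECTED_ORIGIN (-1)
#define UEVENT_MALFORMED       (-2)

/* A kernel uevent is "ACTION@DEVPATH" followed by NUL-separated KEY=VALUE
 * pairs. Check the origin first, then pull the header apart into the
 * caller's action and devpath buffers. Returns 0 on success. */
int handle_uevent(const struct nl_sender *s, const char *buf, size_t len,
                  char *action, size_t asz, char *devpath, size_t dsz)
{
    if (!uevent_from_kernel(s))
        return UEVENT_REJECTED_ORIGIN;     /* drop before parsing anything */
    const char *end = memchr(buf, '\0', len);   /* header must be terminated */
    if (end == NULL)
        return UEVENT_MALFORMED;
    const char *at = memchr(buf, '@', (size_t)(end - buf));
    if (at == NULL || at == buf || at + 1 == end)
        return UEVENT_MALFORMED;           /* empty action or devpath */
    size_t alen = (size_t)(at - buf), dlen = (size_t)(end - at - 1);
    if (alen >= asz || dlen >= dsz)
        return UEVENT_MALFORMED;           /* would not fit the caller's buffers */
    memcpy(action, buf, alen);
    action[alen] = '\0';
    memcpy(devpath, at + 1, dlen);
    devpath[dlen] = '\0';
    return 0;
}

/* Constructed sample payload in the kernel's uevent layout. */
static const char sample_uevent[] =
    "add@/devices/virtual/block/loop0\0ACTION=add\0"
    "DEVPATH=/devices/virtual/block/loop0\0SUBSYSTEM=block\0MAJOR=7\0MINOR=0\0";

int main(void)
{
    char action[16], devpath[128];
    struct nl_sender kernel = { 0, 1, 0 };
    struct nl_sender local  = { 4242, 1, 4242 };   /* constructed user-space pid */

    int rc = handle_uevent(&kernel, sample_uevent, sizeof sample_uevent,
                           action, sizeof action, devpath, sizeof devpath);
    printf("kernel sender:     rc=%d action=%s devpath=%s\n", rc, action, devpath);

    rc = handle_uevent(&local, sample_uevent, sizeof sample_uevent,
                       action, sizeof action, devpath, sizeof devpath);
    printf("user-space sender: rc=%d (rejected before parsing)\n", rc);
    return 0;
}
```

The ordering is the point: the origin check runs before any byte of the payload is interpreted, so a datagram from a local process cannot influence which device node gets created or with what mode.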
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFJ54p0XlSAg2UNWIIRAhPcAJ92WaPBDHgTirWgXO8esrlNP8RJTwCfdhsX
twaSC4F0wSGZgdg2UEGk704=
=1UHg
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Thu Apr 16 22:55:16 2009
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 16 Apr 2009 18:55:16 -0400
Subject: [RHSA-2009:0428-01] Moderate: cups security update
Message-ID: <200904162255.n3GMtGpr025823@int-mx1.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: cups security update
Advisory ID:       RHSA-2009:0428-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2009-0428.html
Issue date:        2009-04-16
CVE Names:         CVE-2009-0163
=====================================================================

1. Summary:

Updated cups packages that fix one security issue are now available for Red Hat Enterprise Linux 3.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64

3. Description:

The Common UNIX® Printing System (CUPS) provides a portable printing layer for UNIX operating systems.

An integer overflow flaw, leading to a heap-based buffer overflow, was discovered in the Tagged Image File Format (TIFF) decoding routines used by the CUPS image-converting filters, "imagetops" and "imagetoraster". An attacker could create a malicious TIFF file that could, potentially, execute arbitrary code as the "lp" user if the file was printed. (CVE-2009-0163)

Red Hat would like to thank Aaron Sigel of the Apple Product Security team for responsibly reporting this flaw.

Users of cups are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the update, the cupsd daemon will be restarted automatically.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

490596 - CVE-2009-0163 cups: Integer overflow in the TIFF image filter
491864 - Multiple PDF flaws

6. Package List:

Red Hat Enterprise Linux AS version 3:

Source:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/cups-1.1.17-13.3.58.src.rpm

i386:
cups-1.1.17-13.3.58.i386.rpm
cups-debuginfo-1.1.17-13.3.58.i386.rpm
cups-devel-1.1.17-13.3.58.i386.rpm
cups-libs-1.1.17-13.3.58.i386.rpm

ia64:
cups-1.1.17-13.3.58.ia64.rpm
cups-debuginfo-1.1.17-13.3.58.i386.rpm
cups-debuginfo-1.1.17-13.3.58.ia64.rpm
cups-devel-1.1.17-13.3.58.ia64.rpm
cups-libs-1.1.17-13.3.58.i386.rpm
cups-libs-1.1.17-13.3.58.ia64.rpm

ppc:
cups-1.1.17-13.3.58.ppc.rpm
cups-debuginfo-1.1.17-13.3.58.ppc.rpm
cups-debuginfo-1.1.17-13.3.58.ppc64.rpm
cups-devel-1.1.17-13.3.58.ppc.rpm
cups-libs-1.1.17-13.3.58.ppc.rpm
cups-libs-1.1.17-13.3.58.ppc64.rpm

s390:
cups-1.1.17-13.3.58.s390.rpm
cups-debuginfo-1.1.17-13.3.58.s390.rpm
cups-devel-1.1.17-13.3.58.s390.rpm
cups-libs-1.1.17-13.3.58.s390.rpm

s390x:
cups-1.1.17-13.3.58.s390x.rpm
cups-debuginfo-1.1.17-13.3.58.s390.rpm
cups-debuginfo-1.1.17-13.3.58.s390x.rpm
cups-devel-1.1.17-13.3.58.s390x.rpm
cups-libs-1.1.17-13.3.58.s390.rpm
cups-libs-1.1.17-13.3.58.s390x.rpm

x86_64:
cups-1.1.17-13.3.58.x86_64.rpm
cups-debuginfo-1.1.17-13.3.58.i386.rpm
cups-debuginfo-1.1.17-13.3.58.x86_64.rpm
cups-devel-1.1.17-13.3.58.x86_64.rpm
cups-libs-1.1.17-13.3.58.i386.rpm
cups-libs-1.1.17-13.3.58.x86_64.rpm

Red Hat Desktop version 3:

Source:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/cups-1.1.17-13.3.58.src.rpm

i386:
cups-1.1.17-13.3.58.i386.rpm
cups-debuginfo-1.1.17-13.3.58.i386.rpm
cups-devel-1.1.17-13.3.58.i386.rpm
cups-libs-1.1.17-13.3.58.i386.rpm

x86_64:
cups-1.1.17-13.3.58.x86_64.rpm
cups-debuginfo-1.1.17-13.3.58.i386.rpm
cups-debuginfo-1.1.17-13.3.58.x86_64.rpm
cups-devel-1.1.17-13.3.58.x86_64.rpm
cups-libs-1.1.17-13.3.58.i386.rpm
cups-libs-1.1.17-13.3.58.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

Source:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/cups-1.1.17-13.3.58.src.rpm

i386:
cups-1.1.17-13.3.58.i386.rpm
cups-debuginfo-1.1.17-13.3.58.i386.rpm
cups-devel-1.1.17-13.3.58.i386.rpm
cups-libs-1.1.17-13.3.58.i386.rpm

ia64:
cups-1.1.17-13.3.58.ia64.rpm
cups-debuginfo-1.1.17-13.3.58.i386.rpm
cups-debuginfo-1.1.17-13.3.58.ia64.rpm
cups-devel-1.1.17-13.3.58.ia64.rpm
cups-libs-1.1.17-13.3.58.i386.rpm
cups-libs-1.1.17-13.3.58.ia64.rpm

x86_64:
cups-1.1.17-13.3.58.x86_64.rpm
cups-debuginfo-1.1.17-13.3.58.i386.rpm
cups-debuginfo-1.1.17-13.3.58.x86_64.rpm
cups-devel-1.1.17-13.3.58.x86_64.rpm
cups-libs-1.1.17-13.3.58.i386.rpm
cups-libs-1.1.17-13.3.58.x86_64.rpm

Red Hat Enterprise Linux WS version 3:

Source:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/cups-1.1.17-13.3.58.src.rpm

i386:
cups-1.1.17-13.3.58.i386.rpm
cups-debuginfo-1.1.17-13.3.58.i386.rpm
cups-devel-1.1.17-13.3.58.i386.rpm
cups-libs-1.1.17-13.3.58.i386.rpm

ia64:
cups-1.1.17-13.3.58.ia64.rpm
cups-debuginfo-1.1.17-13.3.58.i386.rpm
cups-debuginfo-1.1.17-13.3.58.ia64.rpm
cups-devel-1.1.17-13.3.58.ia64.rpm
cups-libs-1.1.17-13.3.58.i386.rpm
cups-libs-1.1.17-13.3.58.ia64.rpm

x86_64:
cups-1.1.17-13.3.58.x86_64.rpm
cups-debuginfo-1.1.17-13.3.58.i386.rpm
cups-debuginfo-1.1.17-13.3.58.x86_64.rpm
cups-devel-1.1.17-13.3.58.x86_64.rpm
cups-libs-1.1.17-13.3.58.i386.rpm
cups-libs-1.1.17-13.3.58.x86_64.rpm

These packages are GPG signed by Red Hat for security.
Our key and details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0163
http://www.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at
https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFJ57dDXlSAg2UNWIIRAmZqAJ49YW3bcLdTcdYcnIWVgMnBGzEpGgCfd+hz
CF6iOifH8TT68moNiHHtKJQ=
=tis5
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Thu Apr 16 22:55:28 2009
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 16 Apr 2009 18:55:28 -0400
Subject: [RHSA-2009:0429-01] Important: cups security update
Message-ID: <200904162255.n3GMtSHX025953@int-mx1.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: cups security update
Advisory ID:       RHSA-2009:0429-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2009-0429.html
Issue date:        2009-04-16
CVE Names:         CVE-2009-0146 CVE-2009-0147 CVE-2009-0163 CVE-2009-0166
                   CVE-2009-0799 CVE-2009-0800 CVE-2009-1179 CVE-2009-1180
                   CVE-2009-1181 CVE-2009-1182 CVE-2009-1183
=====================================================================

1. Summary:

Updated cups packages that fix multiple security issues are now available for Red Hat Enterprise Linux 4 and 5.

This update has been rated as having important security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

3. Description:

The Common UNIX® Printing System (CUPS) provides a portable printing layer for UNIX operating systems.

Multiple integer overflow flaws were found in the CUPS JBIG2 decoder. An attacker could create a malicious PDF file that would cause CUPS to crash or, potentially, execute arbitrary code as the "lp" user if the file was printed. (CVE-2009-0147, CVE-2009-1179)

Multiple buffer overflow flaws were found in the CUPS JBIG2 decoder. An attacker could create a malicious PDF file that would cause CUPS to crash or, potentially, execute arbitrary code as the "lp" user if the file was printed. (CVE-2009-0146, CVE-2009-1182)

Multiple flaws were found in the CUPS JBIG2 decoder that could lead to the freeing of arbitrary memory. An attacker could create a malicious PDF file that would cause CUPS to crash or, potentially, execute arbitrary code as the "lp" user if the file was printed. (CVE-2009-0166, CVE-2009-1180)

Multiple input validation flaws were found in the CUPS JBIG2 decoder. An attacker could create a malicious PDF file that would cause CUPS to crash or, potentially, execute arbitrary code as the "lp" user if the file was printed. (CVE-2009-0800)

An integer overflow flaw, leading to a heap-based buffer overflow, was discovered in the Tagged Image File Format (TIFF) decoding routines used by the CUPS image-converting filters, "imagetops" and "imagetoraster". An attacker could create a malicious TIFF file that could, potentially, execute arbitrary code as the "lp" user if the file was printed. (CVE-2009-0163)

Multiple denial of service flaws were found in the CUPS JBIG2 decoder. An attacker could create a malicious PDF file that would cause CUPS to crash when printed. (CVE-2009-0799, CVE-2009-1181, CVE-2009-1183)

Red Hat would like to thank Aaron Sigel, Braden Thomas and Drew Yao of the Apple Product Security team, and Will Dormann of the CERT/CC for responsibly reporting these flaws.

Users of cups are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the update, the cupsd daemon will be restarted automatically.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

490596 - CVE-2009-0163 cups: Integer overflow in the TIFF image filter
490612 - CVE-2009-0146 xpdf: Multiple buffer overflows in JBIG2 decoder (setBitmap, readSymbolDictSeg)
490614 - CVE-2009-0147 xpdf: Multiple integer overflows in JBIG2 decoder
490625 - CVE-2009-0166 xpdf: Freeing of potentially uninitialized memory in JBIG2 decoder
491864 - Multiple PDF flaws
495886 - CVE-2009-0799 PDF JBIG2 decoder OOB read
495887 - CVE-2009-0800 PDF JBIG2 multiple input validation flaws
495889 - CVE-2009-1179 PDF JBIG2 integer overflow
495892 - CVE-2009-1180 PDF JBIG2 invalid free()
495894 - CVE-2009-1181 PDF JBIG2 NULL dereference
495896 - CVE-2009-1182 PDF JBIG2 MMR decoder buffer overflows
495899 - CVE-2009-1183 PDF JBIG2 MMR infinite loop DoS

6. Package List:

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/cups-1.1.22-0.rc1.9.27.el4_7.5.src.rpm

i386:
cups-1.1.22-0.rc1.9.27.el4_7.5.i386.rpm
cups-debuginfo-1.1.22-0.rc1.9.27.el4_7.5.i386.rpm
cups-devel-1.1.22-0.rc1.9.27.el4_7.5.i386.rpm
cups-libs-1.1.22-0.rc1.9.27.el4_7.5.i386.rpm

ia64:
cups-1.1.22-0.rc1.9.27.el4_7.5.ia64.rpm
cups-debuginfo-1.1.22-0.rc1.9.27.el4_7.5.i386.rpm
cups-debuginfo-1.1.22-0.rc1.9.27.el4_7.5.ia64.rpm
cups-devel-1.1.22-0.rc1.9.27.el4_7.5.ia64.rpm
cups-libs-1.1.22-0.rc1.9.27.el4_7.5.i386.rpm
cups-libs-1.1.22-0.rc1.9.27.el4_7.5.ia64.rpm

ppc:
cups-1.1.22-0.rc1.9.27.el4_7.5.ppc.rpm
cups-debuginfo-1.1.22-0.rc1.9.27.el4_7.5.ppc.rpm
cups-debuginfo-1.1.22-0.rc1.9.27.el4_7.5.ppc64.rpm
cups-devel-1.1.22-0.rc1.9.27.el4_7.5.ppc.rpm
cups-libs-1.1.22-0.rc1.9.27.el4_7.5.ppc.rpm
cups-libs-1.1.22-0.rc1.9.27.el4_7.5.ppc64.rpm

s390:
cups-1.1.22-0.rc1.9.27.el4_7.5.s390.rpm
cups-debuginfo-1.1.22-0.rc1.9.27.el4_7.5.s390.rpm
cups-devel-1.1.22-0.rc1.9.27.el4_7.5.s390.rpm
cups-libs-1.1.22-0.rc1.9.27.el4_7.5.s390.rpm

s390x:
cups-1.1.22-0.rc1.9.27.el4_7.5.s390x.rpm
cups-debuginfo-1.1.22-0.rc1.9.27.el4_7.5.s390.rpm
cups-debuginfo-1.1.22-0.rc1.9.27.el4_7.5.s390x.rpm
cups-devel-1.1.22-0.rc1.9.27.el4_7.5.s390x.rpm
cups-libs-1.1.22-0.rc1.9.27.el4_7.5.s390.rpm
cups-libs-1.1.22-0.rc1.9.27.el4_7.5.s390x.rpm

x86_64:
cups-1.1.22-0.rc1.9.27.el4_7.5.x86_64.rpm
cups-debuginfo-1.1.22-0.rc1.9.27.el4_7.5.i386.rpm
cups-debuginfo-1.1.22-0.rc1.9.27.el4_7.5.x86_64.rpm
cups-devel-1.1.22-0.rc1.9.27.el4_7.5.x86_64.rpm
cups-libs-1.1.22-0.rc1.9.27.el4_7.5.i386.rpm
cups-libs-1.1.22-0.rc1.9.27.el4_7.5.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/cups-1.1.22-0.rc1.9.27.el4_7.5.src.rpm

i386:
cups-1.1.22-0.rc1.9.27.el4_7.5.i386.rpm
cups-debuginfo-1.1.22-0.rc1.9.27.el4_7.5.i386.rpm
cups-devel-1.1.22-0.rc1.9.27.el4_7.5.i386.rpm
cups-libs-1.1.22-0.rc1.9.27.el4_7.5.i386.rpm

x86_64:
cups-1.1.22-0.rc1.9.27.el4_7.5.x86_64.rpm
cups-debuginfo-1.1.22-0.rc1.9.27.el4_7.5.i386.rpm
cups-debuginfo-1.1.22-0.rc1.9.27.el4_7.5.x86_64.rpm
cups-devel-1.1.22-0.rc1.9.27.el4_7.5.x86_64.rpm
cups-libs-1.1.22-0.rc1.9.27.el4_7.5.i386.rpm
cups-libs-1.1.22-0.rc1.9.27.el4_7.5.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/cups-1.1.22-0.rc1.9.27.el4_7.5.src.rpm

i386:
cups-1.1.22-0.rc1.9.27.el4_7.5.i386.rpm
cups-debuginfo-1.1.22-0.rc1.9.27.el4_7.5.i386.rpm
cups-devel-1.1.22-0.rc1.9.27.el4_7.5.i386.rpm
cups-libs-1.1.22-0.rc1.9.27.el4_7.5.i386.rpm

ia64:
cups-1.1.22-0.rc1.9.27.el4_7.5.ia64.rpm
cups-debuginfo-1.1.22-0.rc1.9.27.el4_7.5.i386.rpm
cups-debuginfo-1.1.22-0.rc1.9.27.el4_7.5.ia64.rpm
cups-devel-1.1.22-0.rc1.9.27.el4_7.5.ia64.rpm
cups-libs-1.1.22-0.rc1.9.27.el4_7.5.i386.rpm
cups-libs-1.1.22-0.rc1.9.27.el4_7.5.ia64.rpm

x86_64:
cups-1.1.22-0.rc1.9.27.el4_7.5.x86_64.rpm
cups-debuginfo-1.1.22-0.rc1.9.27.el4_7.5.i386.rpm
cups-debuginfo-1.1.22-0.rc1.9.27.el4_7.5.x86_64.rpm
cups-devel-1.1.22-0.rc1.9.27.el4_7.5.x86_64.rpm
cups-libs-1.1.22-0.rc1.9.27.el4_7.5.i386.rpm
cups-libs-1.1.22-0.rc1.9.27.el4_7.5.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/cups-1.1.22-0.rc1.9.27.el4_7.5.src.rpm

i386:
cups-1.1.22-0.rc1.9.27.el4_7.5.i386.rpm
cups-debuginfo-1.1.22-0.rc1.9.27.el4_7.5.i386.rpm
cups-devel-1.1.22-0.rc1.9.27.el4_7.5.i386.rpm
cups-libs-1.1.22-0.rc1.9.27.el4_7.5.i386.rpm

ia64:
cups-1.1.22-0.rc1.9.27.el4_7.5.ia64.rpm
cups-debuginfo-1.1.22-0.rc1.9.27.el4_7.5.i386.rpm
cups-debuginfo-1.1.22-0.rc1.9.27.el4_7.5.ia64.rpm
cups-devel-1.1.22-0.rc1.9.27.el4_7.5.ia64.rpm
cups-libs-1.1.22-0.rc1.9.27.el4_7.5.i386.rpm
cups-libs-1.1.22-0.rc1.9.27.el4_7.5.ia64.rpm

x86_64:
cups-1.1.22-0.rc1.9.27.el4_7.5.x86_64.rpm
cups-debuginfo-1.1.22-0.rc1.9.27.el4_7.5.i386.rpm
cups-debuginfo-1.1.22-0.rc1.9.27.el4_7.5.x86_64.rpm
cups-devel-1.1.22-0.rc1.9.27.el4_7.5.x86_64.rpm
cups-libs-1.1.22-0.rc1.9.27.el4_7.5.i386.rpm
cups-libs-1.1.22-0.rc1.9.27.el4_7.5.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/cups-1.3.7-8.el5_3.4.src.rpm

i386:
cups-1.3.7-8.el5_3.4.i386.rpm
cups-debuginfo-1.3.7-8.el5_3.4.i386.rpm
cups-libs-1.3.7-8.el5_3.4.i386.rpm
cups-lpd-1.3.7-8.el5_3.4.i386.rpm

x86_64:
cups-1.3.7-8.el5_3.4.x86_64.rpm
cups-debuginfo-1.3.7-8.el5_3.4.i386.rpm
cups-debuginfo-1.3.7-8.el5_3.4.x86_64.rpm
cups-libs-1.3.7-8.el5_3.4.i386.rpm
cups-libs-1.3.7-8.el5_3.4.x86_64.rpm
cups-lpd-1.3.7-8.el5_3.4.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/cups-1.3.7-8.el5_3.4.src.rpm

i386:
cups-debuginfo-1.3.7-8.el5_3.4.i386.rpm
cups-devel-1.3.7-8.el5_3.4.i386.rpm

x86_64:
cups-debuginfo-1.3.7-8.el5_3.4.i386.rpm
cups-debuginfo-1.3.7-8.el5_3.4.x86_64.rpm
cups-devel-1.3.7-8.el5_3.4.i386.rpm
cups-devel-1.3.7-8.el5_3.4.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/cups-1.3.7-8.el5_3.4.src.rpm

i386:
cups-1.3.7-8.el5_3.4.i386.rpm
cups-debuginfo-1.3.7-8.el5_3.4.i386.rpm
cups-devel-1.3.7-8.el5_3.4.i386.rpm
cups-libs-1.3.7-8.el5_3.4.i386.rpm
cups-lpd-1.3.7-8.el5_3.4.i386.rpm

ia64:
cups-1.3.7-8.el5_3.4.ia64.rpm
cups-debuginfo-1.3.7-8.el5_3.4.i386.rpm
cups-debuginfo-1.3.7-8.el5_3.4.ia64.rpm
cups-devel-1.3.7-8.el5_3.4.ia64.rpm
cups-libs-1.3.7-8.el5_3.4.i386.rpm
cups-libs-1.3.7-8.el5_3.4.ia64.rpm
cups-lpd-1.3.7-8.el5_3.4.ia64.rpm

ppc:
cups-1.3.7-8.el5_3.4.ppc.rpm
cups-debuginfo-1.3.7-8.el5_3.4.ppc.rpm
cups-debuginfo-1.3.7-8.el5_3.4.ppc64.rpm
cups-devel-1.3.7-8.el5_3.4.ppc.rpm
cups-devel-1.3.7-8.el5_3.4.ppc64.rpm
cups-libs-1.3.7-8.el5_3.4.ppc.rpm
cups-libs-1.3.7-8.el5_3.4.ppc64.rpm
cups-lpd-1.3.7-8.el5_3.4.ppc.rpm

s390x:
cups-1.3.7-8.el5_3.4.s390x.rpm
cups-debuginfo-1.3.7-8.el5_3.4.s390.rpm
cups-debuginfo-1.3.7-8.el5_3.4.s390x.rpm
cups-devel-1.3.7-8.el5_3.4.s390.rpm
cups-devel-1.3.7-8.el5_3.4.s390x.rpm
cups-libs-1.3.7-8.el5_3.4.s390.rpm
cups-libs-1.3.7-8.el5_3.4.s390x.rpm
cups-lpd-1.3.7-8.el5_3.4.s390x.rpm

x86_64:
cups-1.3.7-8.el5_3.4.x86_64.rpm
cups-debuginfo-1.3.7-8.el5_3.4.i386.rpm
cups-debuginfo-1.3.7-8.el5_3.4.x86_64.rpm
cups-devel-1.3.7-8.el5_3.4.i386.rpm
cups-devel-1.3.7-8.el5_3.4.x86_64.rpm
cups-libs-1.3.7-8.el5_3.4.i386.rpm
cups-libs-1.3.7-8.el5_3.4.x86_64.rpm
cups-lpd-1.3.7-8.el5_3.4.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0146
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0147
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0163
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0166
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0799
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0800
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1179
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1180
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1181
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1182
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1183
http://www.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at
https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFJ57dZXlSAg2UNWIIRAvj2AJ9i1uz3VLxVEBzEnw1pOAN9VNLXlwCffB9l
f6l+nuX4BIWDN3B+AkCLzaE=
=vC/2
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Thu Apr 16 22:55:40 2009
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 16 Apr 2009 18:55:40 -0400
Subject: [RHSA-2009:0430-01] Important: xpdf security update
Message-ID: <200904162255.n3GMte3o026050@int-mx1.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: xpdf security update
Advisory ID:       RHSA-2009:0430-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2009-0430.html
Issue date:        2009-04-16
CVE Names:         CVE-2009-0146 CVE-2009-0147 CVE-2009-0166 CVE-2009-0799
                   CVE-2009-0800 CVE-2009-1179 CVE-2009-1180 CVE-2009-1181
                   CVE-2009-1182 CVE-2009-1183
=====================================================================

1.
Summary: An updated xpdf package that fixes multiple security issues is now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having important security impact by the Red Hat Security Response Team. 2. Relevant releases/architectures: Red Hat Desktop version 3 - i386, x86_64 Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64 Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64 Red Hat Enterprise Linux Desktop version 4 - i386, x86_64 Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64 Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64 Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64 Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64 3. Description: Xpdf is an X Window System based viewer for Portable Document Format (PDF) files. Multiple integer overflow flaws were found in Xpdf's JBIG2 decoder. An attacker could create a malicious PDF file that would cause Xpdf to crash or, potentially, execute arbitrary code when opened. (CVE-2009-0147, CVE-2009-1179) Multiple buffer overflow flaws were found in Xpdf's JBIG2 decoder. An attacker could create a malicious PDF file that would cause Xpdf to crash or, potentially, execute arbitrary code when opened. (CVE-2009-0146, CVE-2009-1182) Multiple flaws were found in Xpdf's JBIG2 decoder that could lead to the freeing of arbitrary memory. An attacker could create a malicious PDF file that would cause Xpdf to crash or, potentially, execute arbitrary code when opened. (CVE-2009-0166, CVE-2009-1180) Multiple input validation flaws were found in Xpdf's JBIG2 decoder. An attacker could create a malicious PDF file that would cause Xpdf to crash or, potentially, execute arbitrary code when opened. (CVE-2009-0800) Multiple denial of service flaws were found in Xpdf's JBIG2 decoder. An attacker could create a malicious PDF that would cause Xpdf to crash when opened. 
(CVE-2009-0799, CVE-2009-1181, CVE-2009-1183) Red Hat would like to thank Braden Thomas and Drew Yao of the Apple Product Security team, and Will Dormann of the CERT/CC for responsibly reporting these flaws. Users are advised to upgrade to this updated package, which contains backported patches to correct these issues. 4. Solution: Before applying this update, make sure that all previously-released errata relevant to your system have been applied. This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259 5. Bugs fixed (http://bugzilla.redhat.com/): 490612 - CVE-2009-0146 xpdf: Multiple buffer overflows in JBIG2 decoder (setBitmap, readSymbolDictSeg) 490614 - CVE-2009-0147 xpdf: Multiple integer overflows in JBIG2 decoder 490625 - CVE-2009-0166 xpdf: Freeing of potentially uninitialized memory in JBIG2 decoder 491864 - Multiple PDF flaws 495886 - CVE-2009-0799 PDF JBIG2 decoder OOB read 495887 - CVE-2009-0800 PDF JBIG2 multiple input validation flaws 495889 - CVE-2009-1179 PDF JBIG2 integer overflow 495892 - CVE-2009-1180 PDF JBIG2 invalid free() 495894 - CVE-2009-1181 PDF JBIG2 NULL dereference 495896 - CVE-2009-1182 PDF JBIG2 MMR decoder buffer overflows 495899 - CVE-2009-1183 PDF JBIG2 MMR infinite loop DoS 6. 
Package List: Red Hat Enterprise Linux AS version 3: Source: ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/xpdf-2.02-14.el3.src.rpm i386: xpdf-2.02-14.el3.i386.rpm xpdf-debuginfo-2.02-14.el3.i386.rpm ia64: xpdf-2.02-14.el3.ia64.rpm xpdf-debuginfo-2.02-14.el3.ia64.rpm ppc: xpdf-2.02-14.el3.ppc.rpm xpdf-debuginfo-2.02-14.el3.ppc.rpm s390: xpdf-2.02-14.el3.s390.rpm xpdf-debuginfo-2.02-14.el3.s390.rpm s390x: xpdf-2.02-14.el3.s390x.rpm xpdf-debuginfo-2.02-14.el3.s390x.rpm x86_64: xpdf-2.02-14.el3.x86_64.rpm xpdf-debuginfo-2.02-14.el3.x86_64.rpm Red Hat Desktop version 3: Source: ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/xpdf-2.02-14.el3.src.rpm i386: xpdf-2.02-14.el3.i386.rpm xpdf-debuginfo-2.02-14.el3.i386.rpm x86_64: xpdf-2.02-14.el3.x86_64.rpm xpdf-debuginfo-2.02-14.el3.x86_64.rpm Red Hat Enterprise Linux ES version 3: Source: ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/xpdf-2.02-14.el3.src.rpm i386: xpdf-2.02-14.el3.i386.rpm xpdf-debuginfo-2.02-14.el3.i386.rpm ia64: xpdf-2.02-14.el3.ia64.rpm xpdf-debuginfo-2.02-14.el3.ia64.rpm x86_64: xpdf-2.02-14.el3.x86_64.rpm xpdf-debuginfo-2.02-14.el3.x86_64.rpm Red Hat Enterprise Linux WS version 3: Source: ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/xpdf-2.02-14.el3.src.rpm i386: xpdf-2.02-14.el3.i386.rpm xpdf-debuginfo-2.02-14.el3.i386.rpm ia64: xpdf-2.02-14.el3.ia64.rpm xpdf-debuginfo-2.02-14.el3.ia64.rpm x86_64: xpdf-2.02-14.el3.x86_64.rpm xpdf-debuginfo-2.02-14.el3.x86_64.rpm Red Hat Enterprise Linux AS version 4: Source: ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/xpdf-3.00-20.el4.src.rpm i386: xpdf-3.00-20.el4.i386.rpm xpdf-debuginfo-3.00-20.el4.i386.rpm ia64: xpdf-3.00-20.el4.ia64.rpm xpdf-debuginfo-3.00-20.el4.ia64.rpm ppc: xpdf-3.00-20.el4.ppc.rpm xpdf-debuginfo-3.00-20.el4.ppc.rpm s390: xpdf-3.00-20.el4.s390.rpm xpdf-debuginfo-3.00-20.el4.s390.rpm s390x: xpdf-3.00-20.el4.s390x.rpm xpdf-debuginfo-3.00-20.el4.s390x.rpm x86_64: xpdf-3.00-20.el4.x86_64.rpm 
xpdf-debuginfo-3.00-20.el4.x86_64.rpm Red Hat Enterprise Linux Desktop version 4: Source: ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/xpdf-3.00-20.el4.src.rpm i386: xpdf-3.00-20.el4.i386.rpm xpdf-debuginfo-3.00-20.el4.i386.rpm x86_64: xpdf-3.00-20.el4.x86_64.rpm xpdf-debuginfo-3.00-20.el4.x86_64.rpm Red Hat Enterprise Linux ES version 4: Source: ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/xpdf-3.00-20.el4.src.rpm i386: xpdf-3.00-20.el4.i386.rpm xpdf-debuginfo-3.00-20.el4.i386.rpm ia64: xpdf-3.00-20.el4.ia64.rpm xpdf-debuginfo-3.00-20.el4.ia64.rpm x86_64: xpdf-3.00-20.el4.x86_64.rpm xpdf-debuginfo-3.00-20.el4.x86_64.rpm Red Hat Enterprise Linux WS version 4: Source: ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/xpdf-3.00-20.el4.src.rpm i386: xpdf-3.00-20.el4.i386.rpm xpdf-debuginfo-3.00-20.el4.i386.rpm ia64: xpdf-3.00-20.el4.ia64.rpm xpdf-debuginfo-3.00-20.el4.ia64.rpm x86_64: xpdf-3.00-20.el4.x86_64.rpm xpdf-debuginfo-3.00-20.el4.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package 7. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0146 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0147 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0166 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0799 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0800 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1179 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1180 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1181 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1182 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1183 http://www.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/ Copyright 2009 Red Hat, Inc. 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFJ57dlXlSAg2UNWIIRAu14AJoDQj50em3D8P9xM8zD4tXDqN1cHACglDWW
RlQ5C+Xf20RosrBoIAE4LpQ=
=kgzl
-----END PGP SIGNATURE-----


From bugzilla at redhat.com Thu Apr 16 22:55:51 2009
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 16 Apr 2009 18:55:51 -0400
Subject: [RHSA-2009:0431-01] Important: kdegraphics security update
Message-ID: <200904162255.n3GMtp3Z026108@int-mx1.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: kdegraphics security update
Advisory ID:       RHSA-2009:0431-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2009-0431.html
Issue date:        2009-04-16
CVE Names:         CVE-2009-0146 CVE-2009-0147 CVE-2009-0166
                   CVE-2009-0799 CVE-2009-0800 CVE-2009-1179
                   CVE-2009-1180 CVE-2009-1181 CVE-2009-1182
                   CVE-2009-1183
=====================================================================

1. Summary:

Updated kdegraphics packages that fix multiple security issues are now
available for Red Hat Enterprise Linux 4 and 5.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64
RHEL Optional Productivity Applications (v. 5 server) - i386, x86_64
Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

3. Description:

The kdegraphics packages contain applications for the K Desktop
Environment, including KPDF, a viewer for Portable Document Format (PDF)
files.

Multiple integer overflow flaws were found in KPDF's JBIG2 decoder. An
attacker could create a malicious PDF file that would cause KPDF to crash
or, potentially, execute arbitrary code when opened. (CVE-2009-0147,
CVE-2009-1179)

Multiple buffer overflow flaws were found in KPDF's JBIG2 decoder. An
attacker could create a malicious PDF file that would cause KPDF to crash
or, potentially, execute arbitrary code when opened. (CVE-2009-0146,
CVE-2009-1182)

Multiple flaws were found in KPDF's JBIG2 decoder that could lead to the
freeing of arbitrary memory. An attacker could create a malicious PDF file
that would cause KPDF to crash or, potentially, execute arbitrary code when
opened. (CVE-2009-0166, CVE-2009-1180)

Multiple input validation flaws were found in KPDF's JBIG2 decoder. An
attacker could create a malicious PDF file that would cause KPDF to crash
or, potentially, execute arbitrary code when opened. (CVE-2009-0800)

Multiple denial of service flaws were found in KPDF's JBIG2 decoder. An
attacker could create a malicious PDF that would cause KPDF to crash when
opened. (CVE-2009-0799, CVE-2009-1181, CVE-2009-1183)

Red Hat would like to thank Braden Thomas and Drew Yao of the Apple Product
Security team, and Will Dormann of the CERT/CC for responsibly reporting
these flaws.

Users are advised to upgrade to these updated packages, which contain
backported patches to resolve these issues.

4. Solution:

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

490612 - CVE-2009-0146 xpdf: Multiple buffer overflows in JBIG2 decoder (setBitmap, readSymbolDictSeg)
490614 - CVE-2009-0147 xpdf: Multiple integer overflows in JBIG2 decoder
490625 - CVE-2009-0166 xpdf: Freeing of potentially uninitialized memory in JBIG2 decoder
491864 - Multiple PDF flaws
495886 - CVE-2009-0799 PDF JBIG2 decoder OOB read
495887 - CVE-2009-0800 PDF JBIG2 multiple input validation flaws
495889 - CVE-2009-1179 PDF JBIG2 integer overflow
495892 - CVE-2009-1180 PDF JBIG2 invalid free()
495894 - CVE-2009-1181 PDF JBIG2 NULL dereference
495896 - CVE-2009-1182 PDF JBIG2 MMR decoder buffer overflows
495899 - CVE-2009-1183 PDF JBIG2 MMR infinite loop DoS

6. Package List:

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/kdegraphics-3.3.1-13.el4.src.rpm

i386:
kdegraphics-3.3.1-13.el4.i386.rpm
kdegraphics-debuginfo-3.3.1-13.el4.i386.rpm
kdegraphics-devel-3.3.1-13.el4.i386.rpm

ia64:
kdegraphics-3.3.1-13.el4.ia64.rpm
kdegraphics-debuginfo-3.3.1-13.el4.ia64.rpm
kdegraphics-devel-3.3.1-13.el4.ia64.rpm

ppc:
kdegraphics-3.3.1-13.el4.ppc.rpm
kdegraphics-debuginfo-3.3.1-13.el4.ppc.rpm
kdegraphics-devel-3.3.1-13.el4.ppc.rpm

s390:
kdegraphics-3.3.1-13.el4.s390.rpm
kdegraphics-debuginfo-3.3.1-13.el4.s390.rpm
kdegraphics-devel-3.3.1-13.el4.s390.rpm

s390x:
kdegraphics-3.3.1-13.el4.s390x.rpm
kdegraphics-debuginfo-3.3.1-13.el4.s390x.rpm
kdegraphics-devel-3.3.1-13.el4.s390x.rpm

x86_64:
kdegraphics-3.3.1-13.el4.x86_64.rpm
kdegraphics-debuginfo-3.3.1-13.el4.x86_64.rpm
kdegraphics-devel-3.3.1-13.el4.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/kdegraphics-3.3.1-13.el4.src.rpm

i386:
kdegraphics-3.3.1-13.el4.i386.rpm
kdegraphics-debuginfo-3.3.1-13.el4.i386.rpm
kdegraphics-devel-3.3.1-13.el4.i386.rpm

x86_64:
kdegraphics-3.3.1-13.el4.x86_64.rpm
kdegraphics-debuginfo-3.3.1-13.el4.x86_64.rpm
kdegraphics-devel-3.3.1-13.el4.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/kdegraphics-3.3.1-13.el4.src.rpm

i386:
kdegraphics-3.3.1-13.el4.i386.rpm
kdegraphics-debuginfo-3.3.1-13.el4.i386.rpm
kdegraphics-devel-3.3.1-13.el4.i386.rpm

ia64:
kdegraphics-3.3.1-13.el4.ia64.rpm
kdegraphics-debuginfo-3.3.1-13.el4.ia64.rpm
kdegraphics-devel-3.3.1-13.el4.ia64.rpm

x86_64:
kdegraphics-3.3.1-13.el4.x86_64.rpm
kdegraphics-debuginfo-3.3.1-13.el4.x86_64.rpm
kdegraphics-devel-3.3.1-13.el4.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/kdegraphics-3.3.1-13.el4.src.rpm

i386:
kdegraphics-3.3.1-13.el4.i386.rpm
kdegraphics-debuginfo-3.3.1-13.el4.i386.rpm
kdegraphics-devel-3.3.1-13.el4.i386.rpm

ia64:
kdegraphics-3.3.1-13.el4.ia64.rpm
kdegraphics-debuginfo-3.3.1-13.el4.ia64.rpm
kdegraphics-devel-3.3.1-13.el4.ia64.rpm

x86_64:
kdegraphics-3.3.1-13.el4.x86_64.rpm
kdegraphics-debuginfo-3.3.1-13.el4.x86_64.rpm
kdegraphics-devel-3.3.1-13.el4.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/kdegraphics-3.5.4-12.el5_3.src.rpm

i386:
kdegraphics-3.5.4-12.el5_3.i386.rpm
kdegraphics-debuginfo-3.5.4-12.el5_3.i386.rpm

x86_64:
kdegraphics-3.5.4-12.el5_3.x86_64.rpm
kdegraphics-debuginfo-3.5.4-12.el5_3.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/kdegraphics-3.5.4-12.el5_3.src.rpm

i386:
kdegraphics-debuginfo-3.5.4-12.el5_3.i386.rpm
kdegraphics-devel-3.5.4-12.el5_3.i386.rpm

x86_64:
kdegraphics-debuginfo-3.5.4-12.el5_3.i386.rpm
kdegraphics-debuginfo-3.5.4-12.el5_3.x86_64.rpm
kdegraphics-devel-3.5.4-12.el5_3.i386.rpm
kdegraphics-devel-3.5.4-12.el5_3.x86_64.rpm

RHEL Optional Productivity Applications (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/kdegraphics-3.5.4-12.el5_3.src.rpm

i386:
kdegraphics-3.5.4-12.el5_3.i386.rpm
kdegraphics-debuginfo-3.5.4-12.el5_3.i386.rpm
kdegraphics-devel-3.5.4-12.el5_3.i386.rpm

x86_64:
kdegraphics-3.5.4-12.el5_3.x86_64.rpm
kdegraphics-debuginfo-3.5.4-12.el5_3.i386.rpm
kdegraphics-debuginfo-3.5.4-12.el5_3.x86_64.rpm
kdegraphics-devel-3.5.4-12.el5_3.i386.rpm
kdegraphics-devel-3.5.4-12.el5_3.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0146
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0147
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0166
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0799
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0800
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1179
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1180
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1181
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1182
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1183
http://www.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at
https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFJ57dvXlSAg2UNWIIRAinIAJ93Hh8lWbQCXn6tf0KDANcdVzYV8gCfcuXB
rJdEcBbhXM+ht+AS8sxouG0=
=+W+Y
-----END PGP SIGNATURE-----


From bugzilla at redhat.com Wed Apr 22 02:16:02 2009
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 21 Apr 2009 22:16:02 -0400
Subject: [RHSA-2009:0436-02] Critical: firefox security update
Message-ID: <200904220216.n3M2G2RI014796@int-mx1.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: firefox security update
Advisory ID:       RHSA-2009:0436-02
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2009-0436.html
Issue date:        2009-04-21
CVE Names:         CVE-2009-0652 CVE-2009-1302 CVE-2009-1303
                   CVE-2009-1304 CVE-2009-1305 CVE-2009-1306
                   CVE-2009-1307 CVE-2009-1308 CVE-2009-1309
                   CVE-2009-1310 CVE-2009-1311 CVE-2009-1312
=====================================================================

1. Summary:

Updated firefox packages that fix several security issues are now
available for Red Hat Enterprise Linux 4 and 5.

This update has been rated as having critical security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64

3. Description:

Mozilla Firefox is an open source Web browser. XULRunner provides the XUL
Runtime environment for Mozilla Firefox.

Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Firefox to crash or,
potentially, execute arbitrary code as the user running Firefox.
(CVE-2009-1302, CVE-2009-1303, CVE-2009-1304, CVE-2009-1305)

Several flaws were found in the way malformed web content was processed. A
web page containing malicious content could execute arbitrary JavaScript
in the context of the site, possibly presenting misleading data to a user,
or stealing sensitive information such as login credentials.
(CVE-2009-0652, CVE-2009-1306, CVE-2009-1307, CVE-2009-1308, CVE-2009-1309,
CVE-2009-1310, CVE-2009-1312)

A flaw was found in the way Firefox saved certain web pages to a local
file. If a user saved the inner frame of a web page containing POST data,
the POST data could be revealed to the inner frame, possibly surrendering
sensitive information such as login credentials. (CVE-2009-1311)

For technical details regarding these flaws, refer to the Mozilla security
advisories for Firefox 3.0.9. You can find a link to the Mozilla advisories
in the References section of this errata.

All Firefox users should upgrade to these updated packages, which contain
Firefox version 3.0.9, which corrects these issues. After installing the
update, Firefox must be restarted for the changes to take effect.

4. Solution:

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

486704 - CVE-2009-0652 firefox: does not properly prevent the literal rendering of homoglyph characters in IDN domain names (spoof URLs and conduct phishing attacks)
496252 - CVE-2009-1302 Firefox 3 Layout engine crashes
496253 - CVE-2009-1303 Firefox 2 and 3 Layout engine crash
496255 - CVE-2009-1304 Firefox 3 JavaScript engine crashes
496256 - CVE-2009-1305 Firefox 2 and 3 JavaScript engine crash
496262 - CVE-2009-1306 Firefox jar: scheme ignores the content-disposition: header on the inner URI
496263 - CVE-2009-1307 Firefox Same-origin violations when Adobe Flash loaded via view-source: protocol
496266 - CVE-2009-1308 Firefox XSS hazard using third-party stylesheets and XBL bindings
496267 - CVE-2009-1309 Firefox Same-origin violations in XMLHttpRequest and XPCNativeWrapper.toString
496270 - CVE-2009-1310 Firefox Malicious search plugins can inject code into arbitrary sites
496271 - CVE-2009-1311 Firefox POST data sent to wrong site when saving web page with embedded frame
496274 - CVE-2009-1312 Firefox allows Refresh header to redirect to javascript: URIs

6. Package List:

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/firefox-3.0.9-1.el4.src.rpm

i386:
firefox-3.0.9-1.el4.i386.rpm
firefox-debuginfo-3.0.9-1.el4.i386.rpm

ia64:
firefox-3.0.9-1.el4.ia64.rpm
firefox-debuginfo-3.0.9-1.el4.ia64.rpm

ppc:
firefox-3.0.9-1.el4.ppc.rpm
firefox-debuginfo-3.0.9-1.el4.ppc.rpm

s390:
firefox-3.0.9-1.el4.s390.rpm
firefox-debuginfo-3.0.9-1.el4.s390.rpm

s390x:
firefox-3.0.9-1.el4.s390x.rpm
firefox-debuginfo-3.0.9-1.el4.s390x.rpm

x86_64:
firefox-3.0.9-1.el4.x86_64.rpm
firefox-debuginfo-3.0.9-1.el4.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/firefox-3.0.9-1.el4.src.rpm

i386:
firefox-3.0.9-1.el4.i386.rpm
firefox-debuginfo-3.0.9-1.el4.i386.rpm

x86_64:
firefox-3.0.9-1.el4.x86_64.rpm
firefox-debuginfo-3.0.9-1.el4.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/firefox-3.0.9-1.el4.src.rpm

i386:
firefox-3.0.9-1.el4.i386.rpm
firefox-debuginfo-3.0.9-1.el4.i386.rpm

ia64:
firefox-3.0.9-1.el4.ia64.rpm
firefox-debuginfo-3.0.9-1.el4.ia64.rpm

x86_64:
firefox-3.0.9-1.el4.x86_64.rpm
firefox-debuginfo-3.0.9-1.el4.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/firefox-3.0.9-1.el4.src.rpm

i386:
firefox-3.0.9-1.el4.i386.rpm
firefox-debuginfo-3.0.9-1.el4.i386.rpm

ia64:
firefox-3.0.9-1.el4.ia64.rpm
firefox-debuginfo-3.0.9-1.el4.ia64.rpm

x86_64:
firefox-3.0.9-1.el4.x86_64.rpm
firefox-debuginfo-3.0.9-1.el4.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/firefox-3.0.9-1.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/xulrunner-1.9.0.9-1.el5.src.rpm

i386:
firefox-3.0.9-1.el5.i386.rpm
firefox-debuginfo-3.0.9-1.el5.i386.rpm
xulrunner-1.9.0.9-1.el5.i386.rpm
xulrunner-debuginfo-1.9.0.9-1.el5.i386.rpm

x86_64:
firefox-3.0.9-1.el5.i386.rpm
firefox-3.0.9-1.el5.x86_64.rpm
firefox-debuginfo-3.0.9-1.el5.i386.rpm
firefox-debuginfo-3.0.9-1.el5.x86_64.rpm
xulrunner-1.9.0.9-1.el5.i386.rpm
xulrunner-1.9.0.9-1.el5.x86_64.rpm
xulrunner-debuginfo-1.9.0.9-1.el5.i386.rpm
xulrunner-debuginfo-1.9.0.9-1.el5.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/xulrunner-1.9.0.9-1.el5.src.rpm

i386:
xulrunner-debuginfo-1.9.0.9-1.el5.i386.rpm
xulrunner-devel-1.9.0.9-1.el5.i386.rpm
xulrunner-devel-unstable-1.9.0.9-1.el5.i386.rpm

x86_64:
xulrunner-debuginfo-1.9.0.9-1.el5.i386.rpm
xulrunner-debuginfo-1.9.0.9-1.el5.x86_64.rpm
xulrunner-devel-1.9.0.9-1.el5.i386.rpm
xulrunner-devel-1.9.0.9-1.el5.x86_64.rpm
xulrunner-devel-unstable-1.9.0.9-1.el5.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/firefox-3.0.9-1.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/xulrunner-1.9.0.9-1.el5.src.rpm

i386:
firefox-3.0.9-1.el5.i386.rpm
firefox-debuginfo-3.0.9-1.el5.i386.rpm
xulrunner-1.9.0.9-1.el5.i386.rpm
xulrunner-debuginfo-1.9.0.9-1.el5.i386.rpm
xulrunner-devel-1.9.0.9-1.el5.i386.rpm
xulrunner-devel-unstable-1.9.0.9-1.el5.i386.rpm

ia64:
firefox-3.0.9-1.el5.ia64.rpm
firefox-debuginfo-3.0.9-1.el5.ia64.rpm
xulrunner-1.9.0.9-1.el5.ia64.rpm
xulrunner-debuginfo-1.9.0.9-1.el5.ia64.rpm
xulrunner-devel-1.9.0.9-1.el5.ia64.rpm
xulrunner-devel-unstable-1.9.0.9-1.el5.ia64.rpm

ppc:
firefox-3.0.9-1.el5.ppc.rpm
firefox-debuginfo-3.0.9-1.el5.ppc.rpm
xulrunner-1.9.0.9-1.el5.ppc.rpm
xulrunner-1.9.0.9-1.el5.ppc64.rpm
xulrunner-debuginfo-1.9.0.9-1.el5.ppc.rpm
xulrunner-debuginfo-1.9.0.9-1.el5.ppc64.rpm
xulrunner-devel-1.9.0.9-1.el5.ppc.rpm
xulrunner-devel-1.9.0.9-1.el5.ppc64.rpm
xulrunner-devel-unstable-1.9.0.9-1.el5.ppc.rpm

s390x:
firefox-3.0.9-1.el5.s390.rpm
firefox-3.0.9-1.el5.s390x.rpm
firefox-debuginfo-3.0.9-1.el5.s390.rpm
firefox-debuginfo-3.0.9-1.el5.s390x.rpm
xulrunner-1.9.0.9-1.el5.s390.rpm
xulrunner-1.9.0.9-1.el5.s390x.rpm
xulrunner-debuginfo-1.9.0.9-1.el5.s390.rpm
xulrunner-debuginfo-1.9.0.9-1.el5.s390x.rpm
xulrunner-devel-1.9.0.9-1.el5.s390.rpm
xulrunner-devel-1.9.0.9-1.el5.s390x.rpm
xulrunner-devel-unstable-1.9.0.9-1.el5.s390x.rpm

x86_64:
firefox-3.0.9-1.el5.i386.rpm
firefox-3.0.9-1.el5.x86_64.rpm
firefox-debuginfo-3.0.9-1.el5.i386.rpm
firefox-debuginfo-3.0.9-1.el5.x86_64.rpm
xulrunner-1.9.0.9-1.el5.i386.rpm
xulrunner-1.9.0.9-1.el5.x86_64.rpm
xulrunner-debuginfo-1.9.0.9-1.el5.i386.rpm
xulrunner-debuginfo-1.9.0.9-1.el5.x86_64.rpm
xulrunner-devel-1.9.0.9-1.el5.i386.rpm
xulrunner-devel-1.9.0.9-1.el5.x86_64.rpm
xulrunner-devel-unstable-1.9.0.9-1.el5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0652
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1302
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1303
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1304
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1305
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1306
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1307
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1308
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1309
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1310
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1311
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1312
http://www.redhat.com/security/updates/classification/#critical
http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.9

8. Contact:

The Red Hat security contact is . More contact details at
https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.
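Each advisory above ends its "Package List" with the exact name-version-release.arch builds that carry the fix, and the practical question for an administrator is whether what is installed is older than those builds. The script below is an added example, not Red Hat tooling: it re-implements rpm's classic rpmvercmp() segment comparison (the tilde/caret ordering of newer rpm releases is left out), pulls the file names out of an advisory's package list, and reports installed packages that fall below the fixed build. The advisory fragment and the "installed" inventory are constructed for the example; the older xpdf and cups builds in it are hypothetical, not versions named on this page, and the epoch-0 assumption is stated in the code.

```python
"""Check installed RPMs against the fixed builds an RHSA "Package List" names.

Added example, not Red Hat tooling: rpmvercmp() re-implements rpm's classic
segment-by-segment comparison (tilde/caret ordering of newer rpm is not handled).
"""

def _run(s, start, pred):
    """Longest prefix of s[start:] whose characters all satisfy pred."""
    end = start
    while end < len(s) and pred(s[end]):
        end += 1
    return s[start:end]

def rpmvercmp(a, b):
    """Return -1, 0 or 1 for two version (or release) strings, like rpmvercmp()."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Separators (anything non-alphanumeric) only delimit segments.
        while i < len(a) and not a[i].isalnum():
            i += 1
        while j < len(b) and not b[j].isalnum():
            j += 1
        if i >= len(a) or j >= len(b):
            break
        isnum = a[i].isdigit()
        pred = str.isdigit if isnum else str.isalpha
        sa, sb = _run(a, i, pred), _run(b, j, pred)
        if not sb:
            # Segment types differ: a numeric segment is newer than an alphabetic one.
            return 1 if isnum else -1
        i, j = i + len(sa), j + len(sb)
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1  # whichever side has segments left is newer

def evr_cmp(a, b):
    """Compare (epoch, version, release) tuples: epoch, then version, then release."""
    if a[0] != b[0]:
        return 1 if a[0] > b[0] else -1
    return rpmvercmp(a[1], b[1]) or rpmvercmp(a[2], b[2])

def parse_nvra(s):
    """Split 'name-version-release.arch[.rpm]' into its four parts."""
    if s.endswith(".rpm"):
        s = s[:-4]
    nvr, arch = s.rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return {"name": name, "version": version, "release": release, "arch": arch}

def parse_package_list(advisory_text):
    """Map (name, arch) -> (version, release) for each binary RPM in the
    advisory text; ftp:// source URLs and .src.rpm entries are skipped."""
    fixed = {}
    for tok in advisory_text.split():
        if tok.endswith(".rpm") and "/" not in tok:
            p = parse_nvra(tok)
            if p["arch"] != "src":
                fixed[(p["name"], p["arch"])] = (p["version"], p["release"])
    return fixed

def still_vulnerable(installed, fixed):
    """Entries of `installed` (lines from
    rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\\n') that the advisory
    covers and that are older than the fixed build. Advisory file names carry
    no epoch, so both sides are compared at epoch 0 (assumption): confirm with
    rpm -q --qf '%{EPOCH}' for any package that sets one."""
    out = []
    for nvra in installed:
        p = parse_nvra(nvra)
        want = fixed.get((p["name"], p["arch"]))
        if want and evr_cmp((0, p["version"], p["release"]), (0,) + want) < 0:
            out.append((nvra, want))
    return out

# Constructed fragment using file names from the xpdf, cups and firefox lists above.
SAMPLE_ADVISORY = """
Red Hat Enterprise Linux AS version 4:
Source: ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/xpdf-3.00-20.el4.src.rpm
i386:
xpdf-3.00-20.el4.i386.rpm
cups-1.3.7-8.el5_3.4.i386.rpm
cups-libs-1.3.7-8.el5_3.4.i386.rpm
x86_64:
firefox-3.0.9-1.el5.x86_64.rpm
"""

# Constructed inventory; the xpdf and cups builds are hypothetical older releases.
SAMPLE_INSTALLED = [
    "xpdf-3.00-19.el4.i386",
    "cups-1.3.7-8.el5_3.3.i386",
    "cups-libs-1.3.7-8.el5_3.4.i386",
    "firefox-3.0.9-1.el5.x86_64",
    "bash-3.2-24.el5.x86_64",  # not covered by the advisory: ignored
]

def demo():
    return still_vulnerable(SAMPLE_INSTALLED, parse_package_list(SAMPLE_ADVISORY))
```

On a real host, feed `still_vulnerable()` the output of the `rpm -qa` query named in its docstring and the text of the advisory's Package List section; `demo()` on the constructed data reports the older xpdf and cups builds and nothing else. The comparison deliberately mirrors rpm's rules (numeric segments compare as integers, so release 20 is newer than 19 and 10 is newer than 9; a string with extra segments left over is the newer one), which is what makes `8.el5_3.4` sort after `8.el5_3`.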
From bugzilla at redhat.com  Wed Apr 22 02:16:14 2009
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 21 Apr 2009 22:16:14 -0400
Subject: [RHSA-2009:0437-02] Critical: seamonkey security update
Message-ID: <200904220216.n3M2GEQf014889@int-mx1.corp.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: seamonkey security update
Advisory ID:       RHSA-2009:0437-02
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2009-0437.html
Issue date:        2009-04-21
CVE Names:         CVE-2009-0652 CVE-2009-1303 CVE-2009-1305 CVE-2009-1306
                   CVE-2009-1307 CVE-2009-1309 CVE-2009-1311 CVE-2009-1312
=====================================================================

1. Summary:

Updated seamonkey packages that fix several security issues are now
available for Red Hat Enterprise Linux 2.1, 3, and 4.

This update has been rated as having critical security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64
Red Hat Linux Advanced Workstation 2.1 - ia64
Red Hat Enterprise Linux ES version 2.1 - i386
Red Hat Enterprise Linux WS version 2.1 - i386
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

3. Description:

SeaMonkey is an open source Web browser, email and newsgroup client, IRC
chat client, and HTML editor.

Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause SeaMonkey to crash or,
potentially, execute arbitrary code as the user running SeaMonkey.
(CVE-2009-1303, CVE-2009-1305)

Several flaws were found in the way malformed web content was processed. A
web page containing malicious content could execute arbitrary JavaScript in
the context of the site, possibly presenting misleading data to a user, or
stealing sensitive information such as login credentials. (CVE-2009-0652,
CVE-2009-1306, CVE-2009-1307, CVE-2009-1309, CVE-2009-1312)

A flaw was found in the way SeaMonkey saved certain web pages to a local
file. If a user saved the inner frame of a web page containing POST data,
the POST data could be revealed to the inner frame, possibly surrendering
sensitive information such as login credentials. (CVE-2009-1311)

All SeaMonkey users should upgrade to these updated packages, which correct
these issues. After installing the update, SeaMonkey must be restarted for
the changes to take effect.

4. Solution:

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red
Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

486704 - CVE-2009-0652 firefox: does not properly prevent the literal rendering of homoglyph characters in IDN domain names (spoof URLs and conduct phishing attacks)
496253 - CVE-2009-1303 Firefox 2 and 3 Layout engine crash
496256 - CVE-2009-1305 Firefox 2 and 3 JavaScript engine crash
496262 - CVE-2009-1306 Firefox jar: scheme ignores the content-disposition: header on the inner URI
496263 - CVE-2009-1307 Firefox Same-origin violations when Adobe Flash loaded via view-source: protocol
496267 - CVE-2009-1309 Firefox Same-origin violations in XMLHttpRequest and XPCNativeWrapper.toString
496271 - CVE-2009-1311 Firefox POST data sent to wrong site when saving web page with embedded frame
496274 - CVE-2009-1312 Firefox allows Refresh header to redirect to javascript: URIs

6. Package List:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1:

Source:
ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/seamonkey-1.0.9-0.33.el2.src.rpm

i386:
seamonkey-1.0.9-0.33.el2.i386.rpm
seamonkey-chat-1.0.9-0.33.el2.i386.rpm
seamonkey-devel-1.0.9-0.33.el2.i386.rpm
seamonkey-dom-inspector-1.0.9-0.33.el2.i386.rpm
seamonkey-js-debugger-1.0.9-0.33.el2.i386.rpm
seamonkey-mail-1.0.9-0.33.el2.i386.rpm
seamonkey-nspr-1.0.9-0.33.el2.i386.rpm
seamonkey-nspr-devel-1.0.9-0.33.el2.i386.rpm
seamonkey-nss-1.0.9-0.33.el2.i386.rpm
seamonkey-nss-devel-1.0.9-0.33.el2.i386.rpm

ia64:
seamonkey-1.0.9-0.33.el2.ia64.rpm
seamonkey-chat-1.0.9-0.33.el2.ia64.rpm
seamonkey-devel-1.0.9-0.33.el2.ia64.rpm
seamonkey-dom-inspector-1.0.9-0.33.el2.ia64.rpm
seamonkey-js-debugger-1.0.9-0.33.el2.ia64.rpm
seamonkey-mail-1.0.9-0.33.el2.ia64.rpm
seamonkey-nspr-1.0.9-0.33.el2.ia64.rpm
seamonkey-nspr-devel-1.0.9-0.33.el2.ia64.rpm
seamonkey-nss-1.0.9-0.33.el2.ia64.rpm
seamonkey-nss-devel-1.0.9-0.33.el2.ia64.rpm

Red Hat Linux Advanced Workstation 2.1:

Source:
ftp://updates.redhat.com/enterprise/2.1AW/en/os/SRPMS/seamonkey-1.0.9-0.33.el2.src.rpm

ia64:
seamonkey-1.0.9-0.33.el2.ia64.rpm
seamonkey-chat-1.0.9-0.33.el2.ia64.rpm
seamonkey-devel-1.0.9-0.33.el2.ia64.rpm
seamonkey-dom-inspector-1.0.9-0.33.el2.ia64.rpm
seamonkey-js-debugger-1.0.9-0.33.el2.ia64.rpm
seamonkey-mail-1.0.9-0.33.el2.ia64.rpm
seamonkey-nspr-1.0.9-0.33.el2.ia64.rpm
seamonkey-nspr-devel-1.0.9-0.33.el2.ia64.rpm
seamonkey-nss-1.0.9-0.33.el2.ia64.rpm
seamonkey-nss-devel-1.0.9-0.33.el2.ia64.rpm

Red Hat Enterprise Linux ES version 2.1:

Source:
ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/seamonkey-1.0.9-0.33.el2.src.rpm

i386:
seamonkey-1.0.9-0.33.el2.i386.rpm
seamonkey-chat-1.0.9-0.33.el2.i386.rpm
seamonkey-devel-1.0.9-0.33.el2.i386.rpm
seamonkey-dom-inspector-1.0.9-0.33.el2.i386.rpm
seamonkey-js-debugger-1.0.9-0.33.el2.i386.rpm
seamonkey-mail-1.0.9-0.33.el2.i386.rpm
seamonkey-nspr-1.0.9-0.33.el2.i386.rpm
seamonkey-nspr-devel-1.0.9-0.33.el2.i386.rpm
seamonkey-nss-1.0.9-0.33.el2.i386.rpm
seamonkey-nss-devel-1.0.9-0.33.el2.i386.rpm

Red Hat Enterprise Linux WS version 2.1:

Source:
ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/seamonkey-1.0.9-0.33.el2.src.rpm

i386:
seamonkey-1.0.9-0.33.el2.i386.rpm
seamonkey-chat-1.0.9-0.33.el2.i386.rpm
seamonkey-devel-1.0.9-0.33.el2.i386.rpm
seamonkey-dom-inspector-1.0.9-0.33.el2.i386.rpm
seamonkey-js-debugger-1.0.9-0.33.el2.i386.rpm
seamonkey-mail-1.0.9-0.33.el2.i386.rpm
seamonkey-nspr-1.0.9-0.33.el2.i386.rpm
seamonkey-nspr-devel-1.0.9-0.33.el2.i386.rpm
seamonkey-nss-1.0.9-0.33.el2.i386.rpm
seamonkey-nss-devel-1.0.9-0.33.el2.i386.rpm

Red Hat Enterprise Linux AS version 3:

Source:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/seamonkey-1.0.9-0.37.el3.src.rpm

i386:
seamonkey-1.0.9-0.37.el3.i386.rpm
seamonkey-chat-1.0.9-0.37.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.37.el3.i386.rpm
seamonkey-devel-1.0.9-0.37.el3.i386.rpm
seamonkey-dom-inspector-1.0.9-0.37.el3.i386.rpm
seamonkey-js-debugger-1.0.9-0.37.el3.i386.rpm
seamonkey-mail-1.0.9-0.37.el3.i386.rpm
seamonkey-nspr-1.0.9-0.37.el3.i386.rpm
seamonkey-nspr-devel-1.0.9-0.37.el3.i386.rpm
seamonkey-nss-1.0.9-0.37.el3.i386.rpm
seamonkey-nss-devel-1.0.9-0.37.el3.i386.rpm

ia64:
seamonkey-1.0.9-0.37.el3.ia64.rpm
seamonkey-chat-1.0.9-0.37.el3.ia64.rpm
seamonkey-debuginfo-1.0.9-0.37.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.37.el3.ia64.rpm
seamonkey-devel-1.0.9-0.37.el3.ia64.rpm
seamonkey-dom-inspector-1.0.9-0.37.el3.ia64.rpm
seamonkey-js-debugger-1.0.9-0.37.el3.ia64.rpm
seamonkey-mail-1.0.9-0.37.el3.ia64.rpm
seamonkey-nspr-1.0.9-0.37.el3.i386.rpm
seamonkey-nspr-1.0.9-0.37.el3.ia64.rpm
seamonkey-nspr-devel-1.0.9-0.37.el3.ia64.rpm
seamonkey-nss-1.0.9-0.37.el3.i386.rpm
seamonkey-nss-1.0.9-0.37.el3.ia64.rpm
seamonkey-nss-devel-1.0.9-0.37.el3.ia64.rpm

ppc:
seamonkey-1.0.9-0.37.el3.ppc.rpm
seamonkey-chat-1.0.9-0.37.el3.ppc.rpm
seamonkey-debuginfo-1.0.9-0.37.el3.ppc.rpm
seamonkey-devel-1.0.9-0.37.el3.ppc.rpm
seamonkey-dom-inspector-1.0.9-0.37.el3.ppc.rpm
seamonkey-js-debugger-1.0.9-0.37.el3.ppc.rpm
seamonkey-mail-1.0.9-0.37.el3.ppc.rpm
seamonkey-nspr-1.0.9-0.37.el3.ppc.rpm
seamonkey-nspr-devel-1.0.9-0.37.el3.ppc.rpm
seamonkey-nss-1.0.9-0.37.el3.ppc.rpm
seamonkey-nss-devel-1.0.9-0.37.el3.ppc.rpm

s390:
seamonkey-1.0.9-0.37.el3.s390.rpm
seamonkey-chat-1.0.9-0.37.el3.s390.rpm
seamonkey-debuginfo-1.0.9-0.37.el3.s390.rpm
seamonkey-devel-1.0.9-0.37.el3.s390.rpm
seamonkey-dom-inspector-1.0.9-0.37.el3.s390.rpm
seamonkey-js-debugger-1.0.9-0.37.el3.s390.rpm
seamonkey-mail-1.0.9-0.37.el3.s390.rpm
seamonkey-nspr-1.0.9-0.37.el3.s390.rpm
seamonkey-nspr-devel-1.0.9-0.37.el3.s390.rpm
seamonkey-nss-1.0.9-0.37.el3.s390.rpm
seamonkey-nss-devel-1.0.9-0.37.el3.s390.rpm

s390x:
seamonkey-1.0.9-0.37.el3.s390x.rpm
seamonkey-chat-1.0.9-0.37.el3.s390x.rpm
seamonkey-debuginfo-1.0.9-0.37.el3.s390.rpm
seamonkey-debuginfo-1.0.9-0.37.el3.s390x.rpm
seamonkey-devel-1.0.9-0.37.el3.s390x.rpm
seamonkey-dom-inspector-1.0.9-0.37.el3.s390x.rpm
seamonkey-js-debugger-1.0.9-0.37.el3.s390x.rpm
seamonkey-mail-1.0.9-0.37.el3.s390x.rpm
seamonkey-nspr-1.0.9-0.37.el3.s390.rpm
seamonkey-nspr-1.0.9-0.37.el3.s390x.rpm
seamonkey-nspr-devel-1.0.9-0.37.el3.s390x.rpm
seamonkey-nss-1.0.9-0.37.el3.s390.rpm
seamonkey-nss-1.0.9-0.37.el3.s390x.rpm
seamonkey-nss-devel-1.0.9-0.37.el3.s390x.rpm

x86_64:
seamonkey-1.0.9-0.37.el3.i386.rpm
seamonkey-1.0.9-0.37.el3.x86_64.rpm
seamonkey-chat-1.0.9-0.37.el3.x86_64.rpm
seamonkey-debuginfo-1.0.9-0.37.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.37.el3.x86_64.rpm
seamonkey-devel-1.0.9-0.37.el3.x86_64.rpm
seamonkey-dom-inspector-1.0.9-0.37.el3.x86_64.rpm
seamonkey-js-debugger-1.0.9-0.37.el3.x86_64.rpm
seamonkey-mail-1.0.9-0.37.el3.x86_64.rpm
seamonkey-nspr-1.0.9-0.37.el3.i386.rpm
seamonkey-nspr-1.0.9-0.37.el3.x86_64.rpm
seamonkey-nspr-devel-1.0.9-0.37.el3.x86_64.rpm
seamonkey-nss-1.0.9-0.37.el3.i386.rpm
seamonkey-nss-1.0.9-0.37.el3.x86_64.rpm
seamonkey-nss-devel-1.0.9-0.37.el3.x86_64.rpm

Red Hat Desktop version 3:

Source:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/seamonkey-1.0.9-0.37.el3.src.rpm

i386:
seamonkey-1.0.9-0.37.el3.i386.rpm
seamonkey-chat-1.0.9-0.37.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.37.el3.i386.rpm
seamonkey-devel-1.0.9-0.37.el3.i386.rpm
seamonkey-dom-inspector-1.0.9-0.37.el3.i386.rpm
seamonkey-js-debugger-1.0.9-0.37.el3.i386.rpm
seamonkey-mail-1.0.9-0.37.el3.i386.rpm
seamonkey-nspr-1.0.9-0.37.el3.i386.rpm
seamonkey-nspr-devel-1.0.9-0.37.el3.i386.rpm
seamonkey-nss-1.0.9-0.37.el3.i386.rpm
seamonkey-nss-devel-1.0.9-0.37.el3.i386.rpm

x86_64:
seamonkey-1.0.9-0.37.el3.i386.rpm
seamonkey-1.0.9-0.37.el3.x86_64.rpm
seamonkey-chat-1.0.9-0.37.el3.x86_64.rpm
seamonkey-debuginfo-1.0.9-0.37.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.37.el3.x86_64.rpm
seamonkey-devel-1.0.9-0.37.el3.x86_64.rpm
seamonkey-dom-inspector-1.0.9-0.37.el3.x86_64.rpm
seamonkey-js-debugger-1.0.9-0.37.el3.x86_64.rpm
seamonkey-mail-1.0.9-0.37.el3.x86_64.rpm
seamonkey-nspr-1.0.9-0.37.el3.i386.rpm
seamonkey-nspr-1.0.9-0.37.el3.x86_64.rpm
seamonkey-nspr-devel-1.0.9-0.37.el3.x86_64.rpm
seamonkey-nss-1.0.9-0.37.el3.i386.rpm
seamonkey-nss-1.0.9-0.37.el3.x86_64.rpm
seamonkey-nss-devel-1.0.9-0.37.el3.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

Source:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/seamonkey-1.0.9-0.37.el3.src.rpm

i386:
seamonkey-1.0.9-0.37.el3.i386.rpm
seamonkey-chat-1.0.9-0.37.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.37.el3.i386.rpm
seamonkey-devel-1.0.9-0.37.el3.i386.rpm
seamonkey-dom-inspector-1.0.9-0.37.el3.i386.rpm
seamonkey-js-debugger-1.0.9-0.37.el3.i386.rpm
seamonkey-mail-1.0.9-0.37.el3.i386.rpm
seamonkey-nspr-1.0.9-0.37.el3.i386.rpm
seamonkey-nspr-devel-1.0.9-0.37.el3.i386.rpm
seamonkey-nss-1.0.9-0.37.el3.i386.rpm
seamonkey-nss-devel-1.0.9-0.37.el3.i386.rpm

ia64:
seamonkey-1.0.9-0.37.el3.ia64.rpm
seamonkey-chat-1.0.9-0.37.el3.ia64.rpm
seamonkey-debuginfo-1.0.9-0.37.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.37.el3.ia64.rpm
seamonkey-devel-1.0.9-0.37.el3.ia64.rpm
seamonkey-dom-inspector-1.0.9-0.37.el3.ia64.rpm
seamonkey-js-debugger-1.0.9-0.37.el3.ia64.rpm
seamonkey-mail-1.0.9-0.37.el3.ia64.rpm
seamonkey-nspr-1.0.9-0.37.el3.i386.rpm
seamonkey-nspr-1.0.9-0.37.el3.ia64.rpm
seamonkey-nspr-devel-1.0.9-0.37.el3.ia64.rpm
seamonkey-nss-1.0.9-0.37.el3.i386.rpm
seamonkey-nss-1.0.9-0.37.el3.ia64.rpm
seamonkey-nss-devel-1.0.9-0.37.el3.ia64.rpm

x86_64:
seamonkey-1.0.9-0.37.el3.i386.rpm
seamonkey-1.0.9-0.37.el3.x86_64.rpm
seamonkey-chat-1.0.9-0.37.el3.x86_64.rpm
seamonkey-debuginfo-1.0.9-0.37.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.37.el3.x86_64.rpm
seamonkey-devel-1.0.9-0.37.el3.x86_64.rpm
seamonkey-dom-inspector-1.0.9-0.37.el3.x86_64.rpm
seamonkey-js-debugger-1.0.9-0.37.el3.x86_64.rpm
seamonkey-mail-1.0.9-0.37.el3.x86_64.rpm
seamonkey-nspr-1.0.9-0.37.el3.i386.rpm
seamonkey-nspr-1.0.9-0.37.el3.x86_64.rpm
seamonkey-nspr-devel-1.0.9-0.37.el3.x86_64.rpm
seamonkey-nss-1.0.9-0.37.el3.i386.rpm
seamonkey-nss-1.0.9-0.37.el3.x86_64.rpm
seamonkey-nss-devel-1.0.9-0.37.el3.x86_64.rpm

Red Hat Enterprise Linux WS version 3:

Source:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/seamonkey-1.0.9-0.37.el3.src.rpm

i386:
seamonkey-1.0.9-0.37.el3.i386.rpm
seamonkey-chat-1.0.9-0.37.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.37.el3.i386.rpm
seamonkey-devel-1.0.9-0.37.el3.i386.rpm
seamonkey-dom-inspector-1.0.9-0.37.el3.i386.rpm
seamonkey-js-debugger-1.0.9-0.37.el3.i386.rpm
seamonkey-mail-1.0.9-0.37.el3.i386.rpm
seamonkey-nspr-1.0.9-0.37.el3.i386.rpm
seamonkey-nspr-devel-1.0.9-0.37.el3.i386.rpm
seamonkey-nss-1.0.9-0.37.el3.i386.rpm
seamonkey-nss-devel-1.0.9-0.37.el3.i386.rpm

ia64:
seamonkey-1.0.9-0.37.el3.ia64.rpm
seamonkey-chat-1.0.9-0.37.el3.ia64.rpm
seamonkey-debuginfo-1.0.9-0.37.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.37.el3.ia64.rpm
seamonkey-devel-1.0.9-0.37.el3.ia64.rpm
seamonkey-dom-inspector-1.0.9-0.37.el3.ia64.rpm
seamonkey-js-debugger-1.0.9-0.37.el3.ia64.rpm
seamonkey-mail-1.0.9-0.37.el3.ia64.rpm
seamonkey-nspr-1.0.9-0.37.el3.i386.rpm
seamonkey-nspr-1.0.9-0.37.el3.ia64.rpm
seamonkey-nspr-devel-1.0.9-0.37.el3.ia64.rpm
seamonkey-nss-1.0.9-0.37.el3.i386.rpm
seamonkey-nss-1.0.9-0.37.el3.ia64.rpm
seamonkey-nss-devel-1.0.9-0.37.el3.ia64.rpm

x86_64:
seamonkey-1.0.9-0.37.el3.i386.rpm
seamonkey-1.0.9-0.37.el3.x86_64.rpm
seamonkey-chat-1.0.9-0.37.el3.x86_64.rpm
seamonkey-debuginfo-1.0.9-0.37.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.37.el3.x86_64.rpm
seamonkey-devel-1.0.9-0.37.el3.x86_64.rpm
seamonkey-dom-inspector-1.0.9-0.37.el3.x86_64.rpm
seamonkey-js-debugger-1.0.9-0.37.el3.x86_64.rpm
seamonkey-mail-1.0.9-0.37.el3.x86_64.rpm
seamonkey-nspr-1.0.9-0.37.el3.i386.rpm
seamonkey-nspr-1.0.9-0.37.el3.x86_64.rpm
seamonkey-nspr-devel-1.0.9-0.37.el3.x86_64.rpm
seamonkey-nss-1.0.9-0.37.el3.i386.rpm
seamonkey-nss-1.0.9-0.37.el3.x86_64.rpm
seamonkey-nss-devel-1.0.9-0.37.el3.x86_64.rpm

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/seamonkey-1.0.9-41.el4.src.rpm

i386:
seamonkey-1.0.9-41.el4.i386.rpm
seamonkey-chat-1.0.9-41.el4.i386.rpm
seamonkey-debuginfo-1.0.9-41.el4.i386.rpm
seamonkey-devel-1.0.9-41.el4.i386.rpm
seamonkey-dom-inspector-1.0.9-41.el4.i386.rpm
seamonkey-js-debugger-1.0.9-41.el4.i386.rpm
seamonkey-mail-1.0.9-41.el4.i386.rpm

ia64:
seamonkey-1.0.9-41.el4.ia64.rpm
seamonkey-chat-1.0.9-41.el4.ia64.rpm
seamonkey-debuginfo-1.0.9-41.el4.ia64.rpm
seamonkey-devel-1.0.9-41.el4.ia64.rpm
seamonkey-dom-inspector-1.0.9-41.el4.ia64.rpm
seamonkey-js-debugger-1.0.9-41.el4.ia64.rpm
seamonkey-mail-1.0.9-41.el4.ia64.rpm

ppc:
seamonkey-1.0.9-41.el4.ppc.rpm
seamonkey-chat-1.0.9-41.el4.ppc.rpm
seamonkey-debuginfo-1.0.9-41.el4.ppc.rpm
seamonkey-devel-1.0.9-41.el4.ppc.rpm
seamonkey-dom-inspector-1.0.9-41.el4.ppc.rpm
seamonkey-js-debugger-1.0.9-41.el4.ppc.rpm
seamonkey-mail-1.0.9-41.el4.ppc.rpm

s390:
seamonkey-1.0.9-41.el4.s390.rpm
seamonkey-chat-1.0.9-41.el4.s390.rpm
seamonkey-debuginfo-1.0.9-41.el4.s390.rpm
seamonkey-devel-1.0.9-41.el4.s390.rpm
seamonkey-dom-inspector-1.0.9-41.el4.s390.rpm
seamonkey-js-debugger-1.0.9-41.el4.s390.rpm
seamonkey-mail-1.0.9-41.el4.s390.rpm

s390x:
seamonkey-1.0.9-41.el4.s390x.rpm
seamonkey-chat-1.0.9-41.el4.s390x.rpm
seamonkey-debuginfo-1.0.9-41.el4.s390x.rpm
seamonkey-devel-1.0.9-41.el4.s390x.rpm
seamonkey-dom-inspector-1.0.9-41.el4.s390x.rpm
seamonkey-js-debugger-1.0.9-41.el4.s390x.rpm
seamonkey-mail-1.0.9-41.el4.s390x.rpm

x86_64:
seamonkey-1.0.9-41.el4.x86_64.rpm
seamonkey-chat-1.0.9-41.el4.x86_64.rpm
seamonkey-debuginfo-1.0.9-41.el4.x86_64.rpm
seamonkey-devel-1.0.9-41.el4.x86_64.rpm
seamonkey-dom-inspector-1.0.9-41.el4.x86_64.rpm
seamonkey-js-debugger-1.0.9-41.el4.x86_64.rpm
seamonkey-mail-1.0.9-41.el4.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/seamonkey-1.0.9-41.el4.src.rpm

i386:
seamonkey-1.0.9-41.el4.i386.rpm
seamonkey-chat-1.0.9-41.el4.i386.rpm
seamonkey-debuginfo-1.0.9-41.el4.i386.rpm
seamonkey-devel-1.0.9-41.el4.i386.rpm
seamonkey-dom-inspector-1.0.9-41.el4.i386.rpm
seamonkey-js-debugger-1.0.9-41.el4.i386.rpm
seamonkey-mail-1.0.9-41.el4.i386.rpm

x86_64:
seamonkey-1.0.9-41.el4.x86_64.rpm
seamonkey-chat-1.0.9-41.el4.x86_64.rpm
seamonkey-debuginfo-1.0.9-41.el4.x86_64.rpm
seamonkey-devel-1.0.9-41.el4.x86_64.rpm
seamonkey-dom-inspector-1.0.9-41.el4.x86_64.rpm
seamonkey-js-debugger-1.0.9-41.el4.x86_64.rpm
seamonkey-mail-1.0.9-41.el4.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/seamonkey-1.0.9-41.el4.src.rpm

i386:
seamonkey-1.0.9-41.el4.i386.rpm
seamonkey-chat-1.0.9-41.el4.i386.rpm
seamonkey-debuginfo-1.0.9-41.el4.i386.rpm
seamonkey-devel-1.0.9-41.el4.i386.rpm
seamonkey-dom-inspector-1.0.9-41.el4.i386.rpm
seamonkey-js-debugger-1.0.9-41.el4.i386.rpm
seamonkey-mail-1.0.9-41.el4.i386.rpm

ia64:
seamonkey-1.0.9-41.el4.ia64.rpm
seamonkey-chat-1.0.9-41.el4.ia64.rpm
seamonkey-debuginfo-1.0.9-41.el4.ia64.rpm
seamonkey-devel-1.0.9-41.el4.ia64.rpm
seamonkey-dom-inspector-1.0.9-41.el4.ia64.rpm
seamonkey-js-debugger-1.0.9-41.el4.ia64.rpm
seamonkey-mail-1.0.9-41.el4.ia64.rpm

x86_64:
seamonkey-1.0.9-41.el4.x86_64.rpm
seamonkey-chat-1.0.9-41.el4.x86_64.rpm
seamonkey-debuginfo-1.0.9-41.el4.x86_64.rpm
seamonkey-devel-1.0.9-41.el4.x86_64.rpm
seamonkey-dom-inspector-1.0.9-41.el4.x86_64.rpm
seamonkey-js-debugger-1.0.9-41.el4.x86_64.rpm
seamonkey-mail-1.0.9-41.el4.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/seamonkey-1.0.9-41.el4.src.rpm

i386:
seamonkey-1.0.9-41.el4.i386.rpm
seamonkey-chat-1.0.9-41.el4.i386.rpm
seamonkey-debuginfo-1.0.9-41.el4.i386.rpm
seamonkey-devel-1.0.9-41.el4.i386.rpm
seamonkey-dom-inspector-1.0.9-41.el4.i386.rpm
seamonkey-js-debugger-1.0.9-41.el4.i386.rpm
seamonkey-mail-1.0.9-41.el4.i386.rpm

ia64:
seamonkey-1.0.9-41.el4.ia64.rpm
seamonkey-chat-1.0.9-41.el4.ia64.rpm
seamonkey-debuginfo-1.0.9-41.el4.ia64.rpm
seamonkey-devel-1.0.9-41.el4.ia64.rpm
seamonkey-dom-inspector-1.0.9-41.el4.ia64.rpm
seamonkey-js-debugger-1.0.9-41.el4.ia64.rpm
seamonkey-mail-1.0.9-41.el4.ia64.rpm

x86_64:
seamonkey-1.0.9-41.el4.x86_64.rpm
seamonkey-chat-1.0.9-41.el4.x86_64.rpm
seamonkey-debuginfo-1.0.9-41.el4.x86_64.rpm
seamonkey-devel-1.0.9-41.el4.x86_64.rpm
seamonkey-dom-inspector-1.0.9-41.el4.x86_64.rpm
seamonkey-js-debugger-1.0.9-41.el4.x86_64.rpm
seamonkey-mail-1.0.9-41.el4.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0652
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1303
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1305
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1306
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1307
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1309
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1311
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1312
http://www.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is .  More contact details at
https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.
From bugzilla at redhat.com  Wed Apr 22 17:42:55 2009
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 22 Apr 2009 13:42:55 -0400
Subject: [RHSA-2009:0444-01] Important: giflib security update
Message-ID: <200904221742.n3MHgtb1024970@int-mx1.corp.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: giflib security update
Advisory ID:       RHSA-2009:0444-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2009-0444.html
Issue date:        2009-04-22
CVE Names:         CVE-2005-2974 CVE-2005-3350
=====================================================================

1. Summary:

Updated giflib packages that fix several security issues are now available
for Red Hat Enterprise Linux 5.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64

3. Description:

The giflib packages contain a shared library of functions for loading and
saving GIF image files. This library is API and ABI compatible with
libungif, the library that supported uncompressed GIF image files while the
Unisys LZW patent was in effect.

Several flaws were discovered in the way giflib decodes GIF images. An
attacker could create a carefully crafted GIF image that could cause an
application using giflib to crash or, possibly, execute arbitrary code when
opened by a victim.
(CVE-2005-2974, CVE-2005-3350)

All users of giflib are advised to upgrade to these updated packages, which
contain backported patches to resolve these issues. All running applications
using giflib must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red
Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

494823 - CVE-2005-3350 giflib/libunfig: memory corruption via a crafted GIF
494826 - CVE-2005-2974 giflib/libunfig: NULL pointer dereference crash

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/giflib-4.1.3-7.1.el5_3.1.src.rpm

i386:
giflib-4.1.3-7.1.el5_3.1.i386.rpm
giflib-debuginfo-4.1.3-7.1.el5_3.1.i386.rpm
giflib-utils-4.1.3-7.1.el5_3.1.i386.rpm

x86_64:
giflib-4.1.3-7.1.el5_3.1.i386.rpm
giflib-4.1.3-7.1.el5_3.1.x86_64.rpm
giflib-debuginfo-4.1.3-7.1.el5_3.1.i386.rpm
giflib-debuginfo-4.1.3-7.1.el5_3.1.x86_64.rpm
giflib-utils-4.1.3-7.1.el5_3.1.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/giflib-4.1.3-7.1.el5_3.1.src.rpm

i386:
giflib-debuginfo-4.1.3-7.1.el5_3.1.i386.rpm
giflib-devel-4.1.3-7.1.el5_3.1.i386.rpm

x86_64:
giflib-debuginfo-4.1.3-7.1.el5_3.1.i386.rpm
giflib-debuginfo-4.1.3-7.1.el5_3.1.x86_64.rpm
giflib-devel-4.1.3-7.1.el5_3.1.i386.rpm
giflib-devel-4.1.3-7.1.el5_3.1.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/giflib-4.1.3-7.1.el5_3.1.src.rpm

i386:
giflib-4.1.3-7.1.el5_3.1.i386.rpm
giflib-debuginfo-4.1.3-7.1.el5_3.1.i386.rpm
giflib-devel-4.1.3-7.1.el5_3.1.i386.rpm
giflib-utils-4.1.3-7.1.el5_3.1.i386.rpm

ia64:
giflib-4.1.3-7.1.el5_3.1.ia64.rpm
giflib-debuginfo-4.1.3-7.1.el5_3.1.ia64.rpm
giflib-devel-4.1.3-7.1.el5_3.1.ia64.rpm
giflib-utils-4.1.3-7.1.el5_3.1.ia64.rpm

ppc:
giflib-4.1.3-7.1.el5_3.1.ppc.rpm
giflib-4.1.3-7.1.el5_3.1.ppc64.rpm
giflib-debuginfo-4.1.3-7.1.el5_3.1.ppc.rpm
giflib-debuginfo-4.1.3-7.1.el5_3.1.ppc64.rpm
giflib-devel-4.1.3-7.1.el5_3.1.ppc.rpm
giflib-devel-4.1.3-7.1.el5_3.1.ppc64.rpm
giflib-utils-4.1.3-7.1.el5_3.1.ppc.rpm

s390x:
giflib-4.1.3-7.1.el5_3.1.s390.rpm
giflib-4.1.3-7.1.el5_3.1.s390x.rpm
giflib-debuginfo-4.1.3-7.1.el5_3.1.s390.rpm
giflib-debuginfo-4.1.3-7.1.el5_3.1.s390x.rpm
giflib-devel-4.1.3-7.1.el5_3.1.s390.rpm
giflib-devel-4.1.3-7.1.el5_3.1.s390x.rpm
giflib-utils-4.1.3-7.1.el5_3.1.s390x.rpm

x86_64:
giflib-4.1.3-7.1.el5_3.1.i386.rpm
giflib-4.1.3-7.1.el5_3.1.x86_64.rpm
giflib-debuginfo-4.1.3-7.1.el5_3.1.i386.rpm
giflib-debuginfo-4.1.3-7.1.el5_3.1.x86_64.rpm
giflib-devel-4.1.3-7.1.el5_3.1.i386.rpm
giflib-devel-4.1.3-7.1.el5_3.1.x86_64.rpm
giflib-utils-4.1.3-7.1.el5_3.1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2974
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3350
http://www.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is .  More contact details at
https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.
From bugzilla at redhat.com  Thu Apr 23 18:51:54 2009
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 23 Apr 2009 14:51:54 -0400
Subject: [RHSA-2009:0445-01] Critical: java-1.4.2-ibm security update
Message-ID: <200904231851.n3NIpsOV024304@int-mx1.corp.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: java-1.4.2-ibm security update
Advisory ID:       RHSA-2009:0445-01
Product:           Red Hat Enterprise Linux Extras
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2009-0445.html
Issue date:        2009-04-23
Keywords:          Security
CVE Names:         CVE-2008-2086 CVE-2008-5339 CVE-2008-5340 CVE-2008-5342
                   CVE-2008-5343 CVE-2008-5344 CVE-2008-5345 CVE-2008-5346
                   CVE-2008-5348 CVE-2008-5350 CVE-2008-5351 CVE-2008-5353
                   CVE-2008-5354 CVE-2008-5359 CVE-2008-5360
=====================================================================

1. Summary:

Updated java-1.4.2-ibm packages that fix several security issues are now
available for Red Hat Enterprise Linux 3 Extras, Red Hat Enterprise Linux 4
Extras, and Red Hat Enterprise Linux 5 Supplementary.

This update has been rated as having critical security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 3 Extras - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 Extras - i386, x86_64
Red Hat Enterprise Linux ES version 3 Extras - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 Extras - i386, ia64, x86_64
Red Hat Enterprise Linux AS version 4 Extras - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 4 Extras - i386, x86_64
Red Hat Enterprise Linux ES version 4 Extras - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 Extras - i386, ia64, x86_64
RHEL Desktop Supplementary (v. 5 client) - i386, x86_64
RHEL Supplementary (v. 5 server) - i386, ia64, ppc, s390x, x86_64

3. Description:

The IBM® 1.4.2 SR13 Java™ release includes the IBM Java 2 Runtime
Environment and the IBM Java 2 Software Development Kit.

This update fixes several vulnerabilities in the IBM Java 2 Runtime
Environment and the IBM Java 2 Software Development Kit. These
vulnerabilities are summarized on the IBM "Security alerts" page listed in
the References section. (CVE-2008-2086, CVE-2008-5339, CVE-2008-5340,
CVE-2008-5342, CVE-2008-5343, CVE-2008-5344, CVE-2008-5345, CVE-2008-5346,
CVE-2008-5348, CVE-2008-5350, CVE-2008-5351, CVE-2008-5353, CVE-2008-5354,
CVE-2008-5359, CVE-2008-5360)

All users of java-1.4.2-ibm are advised to upgrade to these updated
packages, which contain the IBM 1.4.2 SR13 Java release. All running
instances of IBM Java must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red
Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

472201 - CVE-2008-5350 OpenJDK allows to list files within the user home directory (6484091)
472209 - CVE-2008-5348 OpenJDK Denial-Of-Service in kerberos authentication (6588160)
472211 - CVE-2008-5360 OpenJDK temporary files have guessable file names (6721753)
472212 - CVE-2008-5359 OpenJDK Buffer overflow in image processing (6726779)
472213 - CVE-2008-5351 OpenJDK UTF-8 decoder accepts non-shortest form sequences (4486841)
472224 - CVE-2008-5353 OpenJDK calendar object deserialization allows privilege escalation (6734167)
472228 - CVE-2008-5354 OpenJDK Privilege escalation in command line applications (6733959)
474556 - CVE-2008-2086 Java Web Start File Inclusion via System Properties Override
474772 - CVE-2008-5339 JavaWebStart allows unauthorized network connections
474773 - CVE-2008-5340 Java WebStart privilege escalation
474789 - CVE-2008-5342 Java Web Start BasicService displays local files in the browser
474790 - CVE-2008-5343 Java WebStart allows hidden code privilege escalation
474792 - CVE-2008-5344 Java WebStart unprivileged local file and network access
474793 - CVE-2008-5345 JRE allows unauthorized file access and connections to localhost
474794 - CVE-2008-5346 JRE allows unauthorized memory read access via a crafted ZIP file

6. Package List:

Red Hat Enterprise Linux AS version 3 Extras:

i386:
java-1.4.2-ibm-1.4.2.13-1jpp.1.el3.i386.rpm
java-1.4.2-ibm-demo-1.4.2.13-1jpp.1.el3.i386.rpm
java-1.4.2-ibm-devel-1.4.2.13-1jpp.1.el3.i386.rpm
java-1.4.2-ibm-jdbc-1.4.2.13-1jpp.1.el3.i386.rpm
java-1.4.2-ibm-plugin-1.4.2.13-1jpp.1.el3.i386.rpm
java-1.4.2-ibm-src-1.4.2.13-1jpp.1.el3.i386.rpm

ia64:
java-1.4.2-ibm-1.4.2.13-1jpp.1.el3.ia64.rpm
java-1.4.2-ibm-demo-1.4.2.13-1jpp.1.el3.ia64.rpm
java-1.4.2-ibm-devel-1.4.2.13-1jpp.1.el3.ia64.rpm
java-1.4.2-ibm-src-1.4.2.13-1jpp.1.el3.ia64.rpm

ppc:
java-1.4.2-ibm-1.4.2.13-1jpp.1.el3.ppc.rpm
java-1.4.2-ibm-demo-1.4.2.13-1jpp.1.el3.ppc.rpm
java-1.4.2-ibm-devel-1.4.2.13-1jpp.1.el3.ppc.rpm
java-1.4.2-ibm-jdbc-1.4.2.13-1jpp.1.el3.ppc.rpm
java-1.4.2-ibm-src-1.4.2.13-1jpp.1.el3.ppc.rpm

s390:
java-1.4.2-ibm-1.4.2.13-1jpp.1.el3.s390.rpm
java-1.4.2-ibm-demo-1.4.2.13-1jpp.1.el3.s390.rpm
java-1.4.2-ibm-devel-1.4.2.13-1jpp.1.el3.s390.rpm
java-1.4.2-ibm-jdbc-1.4.2.13-1jpp.1.el3.s390.rpm
java-1.4.2-ibm-src-1.4.2.13-1jpp.1.el3.s390.rpm

s390x:
java-1.4.2-ibm-1.4.2.13-1jpp.1.el3.s390x.rpm
java-1.4.2-ibm-demo-1.4.2.13-1jpp.1.el3.s390x.rpm
java-1.4.2-ibm-devel-1.4.2.13-1jpp.1.el3.s390x.rpm
java-1.4.2-ibm-src-1.4.2.13-1jpp.1.el3.s390x.rpm

x86_64:
java-1.4.2-ibm-1.4.2.13-1jpp.1.el3.x86_64.rpm
java-1.4.2-ibm-demo-1.4.2.13-1jpp.1.el3.x86_64.rpm
java-1.4.2-ibm-devel-1.4.2.13-1jpp.1.el3.x86_64.rpm
java-1.4.2-ibm-src-1.4.2.13-1jpp.1.el3.x86_64.rpm

Red Hat Desktop version 3 Extras:

i386:
java-1.4.2-ibm-1.4.2.13-1jpp.1.el3.i386.rpm
java-1.4.2-ibm-demo-1.4.2.13-1jpp.1.el3.i386.rpm
java-1.4.2-ibm-devel-1.4.2.13-1jpp.1.el3.i386.rpm
java-1.4.2-ibm-jdbc-1.4.2.13-1jpp.1.el3.i386.rpm
java-1.4.2-ibm-plugin-1.4.2.13-1jpp.1.el3.i386.rpm
java-1.4.2-ibm-src-1.4.2.13-1jpp.1.el3.i386.rpm

x86_64:
java-1.4.2-ibm-1.4.2.13-1jpp.1.el3.x86_64.rpm
java-1.4.2-ibm-demo-1.4.2.13-1jpp.1.el3.x86_64.rpm
java-1.4.2-ibm-devel-1.4.2.13-1jpp.1.el3.x86_64.rpm
java-1.4.2-ibm-src-1.4.2.13-1jpp.1.el3.x86_64.rpm

Red Hat Enterprise Linux ES version 3 Extras:

i386:
java-1.4.2-ibm-1.4.2.13-1jpp.1.el3.i386.rpm
java-1.4.2-ibm-demo-1.4.2.13-1jpp.1.el3.i386.rpm
java-1.4.2-ibm-devel-1.4.2.13-1jpp.1.el3.i386.rpm
java-1.4.2-ibm-jdbc-1.4.2.13-1jpp.1.el3.i386.rpm
java-1.4.2-ibm-plugin-1.4.2.13-1jpp.1.el3.i386.rpm
java-1.4.2-ibm-src-1.4.2.13-1jpp.1.el3.i386.rpm

ia64:
java-1.4.2-ibm-1.4.2.13-1jpp.1.el3.ia64.rpm
java-1.4.2-ibm-demo-1.4.2.13-1jpp.1.el3.ia64.rpm
java-1.4.2-ibm-devel-1.4.2.13-1jpp.1.el3.ia64.rpm
java-1.4.2-ibm-src-1.4.2.13-1jpp.1.el3.ia64.rpm

x86_64:
java-1.4.2-ibm-1.4.2.13-1jpp.1.el3.x86_64.rpm
java-1.4.2-ibm-demo-1.4.2.13-1jpp.1.el3.x86_64.rpm
java-1.4.2-ibm-devel-1.4.2.13-1jpp.1.el3.x86_64.rpm
java-1.4.2-ibm-src-1.4.2.13-1jpp.1.el3.x86_64.rpm

Red Hat Enterprise Linux WS version 3 Extras:

i386:
java-1.4.2-ibm-1.4.2.13-1jpp.1.el3.i386.rpm
java-1.4.2-ibm-demo-1.4.2.13-1jpp.1.el3.i386.rpm
java-1.4.2-ibm-devel-1.4.2.13-1jpp.1.el3.i386.rpm
java-1.4.2-ibm-jdbc-1.4.2.13-1jpp.1.el3.i386.rpm
java-1.4.2-ibm-plugin-1.4.2.13-1jpp.1.el3.i386.rpm
java-1.4.2-ibm-src-1.4.2.13-1jpp.1.el3.i386.rpm

ia64:
java-1.4.2-ibm-1.4.2.13-1jpp.1.el3.ia64.rpm
java-1.4.2-ibm-demo-1.4.2.13-1jpp.1.el3.ia64.rpm
java-1.4.2-ibm-devel-1.4.2.13-1jpp.1.el3.ia64.rpm
java-1.4.2-ibm-src-1.4.2.13-1jpp.1.el3.ia64.rpm

x86_64:
java-1.4.2-ibm-1.4.2.13-1jpp.1.el3.x86_64.rpm
java-1.4.2-ibm-demo-1.4.2.13-1jpp.1.el3.x86_64.rpm
java-1.4.2-ibm-devel-1.4.2.13-1jpp.1.el3.x86_64.rpm
java-1.4.2-ibm-src-1.4.2.13-1jpp.1.el3.x86_64.rpm

Red Hat Enterprise Linux AS version 4 Extras:

i386:
java-1.4.2-ibm-1.4.2.13-1jpp.1.el4.i386.rpm
java-1.4.2-ibm-demo-1.4.2.13-1jpp.1.el4.i386.rpm
java-1.4.2-ibm-devel-1.4.2.13-1jpp.1.el4.i386.rpm
java-1.4.2-ibm-javacomm-1.4.2.13-1jpp.1.el4.i386.rpm
java-1.4.2-ibm-jdbc-1.4.2.13-1jpp.1.el4.i386.rpm
java-1.4.2-ibm-plugin-1.4.2.13-1jpp.1.el4.i386.rpm
java-1.4.2-ibm-src-1.4.2.13-1jpp.1.el4.i386.rpm

ia64:
java-1.4.2-ibm-1.4.2.13-1jpp.1.el4.ia64.rpm
java-1.4.2-ibm-demo-1.4.2.13-1jpp.1.el4.ia64.rpm
java-1.4.2-ibm-devel-1.4.2.13-1jpp.1.el4.ia64.rpm java-1.4.2-ibm-src-1.4.2.13-1jpp.1.el4.ia64.rpm ppc: java-1.4.2-ibm-1.4.2.13-1jpp.1.el4.ppc.rpm java-1.4.2-ibm-demo-1.4.2.13-1jpp.1.el4.ppc.rpm java-1.4.2-ibm-devel-1.4.2.13-1jpp.1.el4.ppc.rpm java-1.4.2-ibm-javacomm-1.4.2.13-1jpp.1.el4.ppc.rpm java-1.4.2-ibm-jdbc-1.4.2.13-1jpp.1.el4.ppc.rpm java-1.4.2-ibm-src-1.4.2.13-1jpp.1.el4.ppc.rpm s390: java-1.4.2-ibm-1.4.2.13-1jpp.1.el4.s390.rpm java-1.4.2-ibm-demo-1.4.2.13-1jpp.1.el4.s390.rpm java-1.4.2-ibm-devel-1.4.2.13-1jpp.1.el4.s390.rpm java-1.4.2-ibm-jdbc-1.4.2.13-1jpp.1.el4.s390.rpm java-1.4.2-ibm-src-1.4.2.13-1jpp.1.el4.s390.rpm s390x: java-1.4.2-ibm-1.4.2.13-1jpp.1.el4.s390x.rpm java-1.4.2-ibm-demo-1.4.2.13-1jpp.1.el4.s390x.rpm java-1.4.2-ibm-devel-1.4.2.13-1jpp.1.el4.s390x.rpm java-1.4.2-ibm-src-1.4.2.13-1jpp.1.el4.s390x.rpm x86_64: java-1.4.2-ibm-1.4.2.13-1jpp.1.el4.x86_64.rpm java-1.4.2-ibm-demo-1.4.2.13-1jpp.1.el4.x86_64.rpm java-1.4.2-ibm-devel-1.4.2.13-1jpp.1.el4.x86_64.rpm java-1.4.2-ibm-javacomm-1.4.2.13-1jpp.1.el4.x86_64.rpm java-1.4.2-ibm-src-1.4.2.13-1jpp.1.el4.x86_64.rpm Red Hat Desktop version 4 Extras: i386: java-1.4.2-ibm-1.4.2.13-1jpp.1.el4.i386.rpm java-1.4.2-ibm-demo-1.4.2.13-1jpp.1.el4.i386.rpm java-1.4.2-ibm-devel-1.4.2.13-1jpp.1.el4.i386.rpm java-1.4.2-ibm-javacomm-1.4.2.13-1jpp.1.el4.i386.rpm java-1.4.2-ibm-jdbc-1.4.2.13-1jpp.1.el4.i386.rpm java-1.4.2-ibm-plugin-1.4.2.13-1jpp.1.el4.i386.rpm java-1.4.2-ibm-src-1.4.2.13-1jpp.1.el4.i386.rpm x86_64: java-1.4.2-ibm-1.4.2.13-1jpp.1.el4.x86_64.rpm java-1.4.2-ibm-demo-1.4.2.13-1jpp.1.el4.x86_64.rpm java-1.4.2-ibm-devel-1.4.2.13-1jpp.1.el4.x86_64.rpm java-1.4.2-ibm-javacomm-1.4.2.13-1jpp.1.el4.x86_64.rpm java-1.4.2-ibm-src-1.4.2.13-1jpp.1.el4.x86_64.rpm Red Hat Enterprise Linux ES version 4 Extras: i386: java-1.4.2-ibm-1.4.2.13-1jpp.1.el4.i386.rpm java-1.4.2-ibm-demo-1.4.2.13-1jpp.1.el4.i386.rpm java-1.4.2-ibm-devel-1.4.2.13-1jpp.1.el4.i386.rpm java-1.4.2-ibm-javacomm-1.4.2.13-1jpp.1.el4.i386.rpm 
java-1.4.2-ibm-jdbc-1.4.2.13-1jpp.1.el4.i386.rpm java-1.4.2-ibm-plugin-1.4.2.13-1jpp.1.el4.i386.rpm java-1.4.2-ibm-src-1.4.2.13-1jpp.1.el4.i386.rpm ia64: java-1.4.2-ibm-1.4.2.13-1jpp.1.el4.ia64.rpm java-1.4.2-ibm-demo-1.4.2.13-1jpp.1.el4.ia64.rpm java-1.4.2-ibm-devel-1.4.2.13-1jpp.1.el4.ia64.rpm java-1.4.2-ibm-src-1.4.2.13-1jpp.1.el4.ia64.rpm x86_64: java-1.4.2-ibm-1.4.2.13-1jpp.1.el4.x86_64.rpm java-1.4.2-ibm-demo-1.4.2.13-1jpp.1.el4.x86_64.rpm java-1.4.2-ibm-devel-1.4.2.13-1jpp.1.el4.x86_64.rpm java-1.4.2-ibm-javacomm-1.4.2.13-1jpp.1.el4.x86_64.rpm java-1.4.2-ibm-src-1.4.2.13-1jpp.1.el4.x86_64.rpm Red Hat Enterprise Linux WS version 4 Extras: i386: java-1.4.2-ibm-1.4.2.13-1jpp.1.el4.i386.rpm java-1.4.2-ibm-demo-1.4.2.13-1jpp.1.el4.i386.rpm java-1.4.2-ibm-devel-1.4.2.13-1jpp.1.el4.i386.rpm java-1.4.2-ibm-javacomm-1.4.2.13-1jpp.1.el4.i386.rpm java-1.4.2-ibm-jdbc-1.4.2.13-1jpp.1.el4.i386.rpm java-1.4.2-ibm-plugin-1.4.2.13-1jpp.1.el4.i386.rpm java-1.4.2-ibm-src-1.4.2.13-1jpp.1.el4.i386.rpm ia64: java-1.4.2-ibm-1.4.2.13-1jpp.1.el4.ia64.rpm java-1.4.2-ibm-demo-1.4.2.13-1jpp.1.el4.ia64.rpm java-1.4.2-ibm-devel-1.4.2.13-1jpp.1.el4.ia64.rpm java-1.4.2-ibm-src-1.4.2.13-1jpp.1.el4.ia64.rpm x86_64: java-1.4.2-ibm-1.4.2.13-1jpp.1.el4.x86_64.rpm java-1.4.2-ibm-demo-1.4.2.13-1jpp.1.el4.x86_64.rpm java-1.4.2-ibm-devel-1.4.2.13-1jpp.1.el4.x86_64.rpm java-1.4.2-ibm-javacomm-1.4.2.13-1jpp.1.el4.x86_64.rpm java-1.4.2-ibm-src-1.4.2.13-1jpp.1.el4.x86_64.rpm RHEL Desktop Supplementary (v. 
5 client): i386: java-1.4.2-ibm-1.4.2.13-1jpp.1.el5.i386.rpm java-1.4.2-ibm-demo-1.4.2.13-1jpp.1.el5.i386.rpm java-1.4.2-ibm-devel-1.4.2.13-1jpp.1.el5.i386.rpm java-1.4.2-ibm-javacomm-1.4.2.13-1jpp.1.el5.i386.rpm java-1.4.2-ibm-jdbc-1.4.2.13-1jpp.1.el5.i386.rpm java-1.4.2-ibm-plugin-1.4.2.13-1jpp.1.el5.i386.rpm java-1.4.2-ibm-src-1.4.2.13-1jpp.1.el5.i386.rpm x86_64: java-1.4.2-ibm-1.4.2.13-1jpp.1.el5.i386.rpm java-1.4.2-ibm-1.4.2.13-1jpp.1.el5.x86_64.rpm java-1.4.2-ibm-demo-1.4.2.13-1jpp.1.el5.i386.rpm java-1.4.2-ibm-demo-1.4.2.13-1jpp.1.el5.x86_64.rpm java-1.4.2-ibm-devel-1.4.2.13-1jpp.1.el5.i386.rpm java-1.4.2-ibm-devel-1.4.2.13-1jpp.1.el5.x86_64.rpm java-1.4.2-ibm-javacomm-1.4.2.13-1jpp.1.el5.i386.rpm java-1.4.2-ibm-javacomm-1.4.2.13-1jpp.1.el5.x86_64.rpm java-1.4.2-ibm-jdbc-1.4.2.13-1jpp.1.el5.i386.rpm java-1.4.2-ibm-plugin-1.4.2.13-1jpp.1.el5.i386.rpm java-1.4.2-ibm-src-1.4.2.13-1jpp.1.el5.i386.rpm java-1.4.2-ibm-src-1.4.2.13-1jpp.1.el5.x86_64.rpm RHEL Supplementary (v. 5 server): i386: java-1.4.2-ibm-1.4.2.13-1jpp.1.el5.i386.rpm java-1.4.2-ibm-demo-1.4.2.13-1jpp.1.el5.i386.rpm java-1.4.2-ibm-devel-1.4.2.13-1jpp.1.el5.i386.rpm java-1.4.2-ibm-javacomm-1.4.2.13-1jpp.1.el5.i386.rpm java-1.4.2-ibm-jdbc-1.4.2.13-1jpp.1.el5.i386.rpm java-1.4.2-ibm-plugin-1.4.2.13-1jpp.1.el5.i386.rpm java-1.4.2-ibm-src-1.4.2.13-1jpp.1.el5.i386.rpm ia64: java-1.4.2-ibm-1.4.2.13-1jpp.1.el5.ia64.rpm java-1.4.2-ibm-demo-1.4.2.13-1jpp.1.el5.ia64.rpm java-1.4.2-ibm-devel-1.4.2.13-1jpp.1.el5.ia64.rpm java-1.4.2-ibm-src-1.4.2.13-1jpp.1.el5.ia64.rpm ppc: java-1.4.2-ibm-1.4.2.13-1jpp.1.el5.ppc.rpm java-1.4.2-ibm-1.4.2.13-1jpp.1.el5.ppc64.rpm java-1.4.2-ibm-demo-1.4.2.13-1jpp.1.el5.ppc.rpm java-1.4.2-ibm-demo-1.4.2.13-1jpp.1.el5.ppc64.rpm java-1.4.2-ibm-devel-1.4.2.13-1jpp.1.el5.ppc.rpm java-1.4.2-ibm-devel-1.4.2.13-1jpp.1.el5.ppc64.rpm java-1.4.2-ibm-javacomm-1.4.2.13-1jpp.1.el5.ppc.rpm java-1.4.2-ibm-javacomm-1.4.2.13-1jpp.1.el5.ppc64.rpm java-1.4.2-ibm-jdbc-1.4.2.13-1jpp.1.el5.ppc.rpm 
java-1.4.2-ibm-src-1.4.2.13-1jpp.1.el5.ppc.rpm java-1.4.2-ibm-src-1.4.2.13-1jpp.1.el5.ppc64.rpm s390x: java-1.4.2-ibm-1.4.2.13-1jpp.1.el5.s390.rpm java-1.4.2-ibm-1.4.2.13-1jpp.1.el5.s390x.rpm java-1.4.2-ibm-demo-1.4.2.13-1jpp.1.el5.s390.rpm java-1.4.2-ibm-demo-1.4.2.13-1jpp.1.el5.s390x.rpm java-1.4.2-ibm-devel-1.4.2.13-1jpp.1.el5.s390.rpm java-1.4.2-ibm-devel-1.4.2.13-1jpp.1.el5.s390x.rpm java-1.4.2-ibm-jdbc-1.4.2.13-1jpp.1.el5.s390.rpm java-1.4.2-ibm-src-1.4.2.13-1jpp.1.el5.s390.rpm java-1.4.2-ibm-src-1.4.2.13-1jpp.1.el5.s390x.rpm x86_64: java-1.4.2-ibm-1.4.2.13-1jpp.1.el5.i386.rpm java-1.4.2-ibm-1.4.2.13-1jpp.1.el5.x86_64.rpm java-1.4.2-ibm-demo-1.4.2.13-1jpp.1.el5.i386.rpm java-1.4.2-ibm-demo-1.4.2.13-1jpp.1.el5.x86_64.rpm java-1.4.2-ibm-devel-1.4.2.13-1jpp.1.el5.i386.rpm java-1.4.2-ibm-devel-1.4.2.13-1jpp.1.el5.x86_64.rpm java-1.4.2-ibm-javacomm-1.4.2.13-1jpp.1.el5.i386.rpm java-1.4.2-ibm-javacomm-1.4.2.13-1jpp.1.el5.x86_64.rpm java-1.4.2-ibm-jdbc-1.4.2.13-1jpp.1.el5.i386.rpm java-1.4.2-ibm-plugin-1.4.2.13-1jpp.1.el5.i386.rpm java-1.4.2-ibm-src-1.4.2.13-1jpp.1.el5.i386.rpm java-1.4.2-ibm-src-1.4.2.13-1jpp.1.el5.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package 7. 
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2086 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5339 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5340 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5342 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5343 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5344 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5345 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5346 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5348 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5350 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5351 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5353 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5354 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5359 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5360 http://www.redhat.com/security/updates/classification/#critical http://www.ibm.com/developerworks/java/jdk/alerts/ 8. Contact: The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/ Copyright 2009 Red Hat, Inc. 
From bugzilla at redhat.com Thu Apr 23 18:52:17 2009
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 23 Apr 2009 14:52:17 -0400
Subject: [RHSA-2009:0446-01] Important: mod_jk security update
Message-ID: <200904231852.n3NIqHJO024487@int-mx1.corp.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: mod_jk security update
Advisory ID:       RHSA-2009:0446-01
Product:           Red Hat Application Stack
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2009-0446.html
Issue date:        2009-04-23
CVE Names:         CVE-2008-5519
=====================================================================

1. Summary:

An updated mod_jk package that fixes a security issue is now available
for Red Hat Application Stack v2.

This update has been rated as having important security impact by the
Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Application Stack v2 for Enterprise Linux (v.5) - i386, x86_64

3. Description:

mod_jk is an Apache Tomcat connector that allows Apache Tomcat and the
Apache HTTP Server to communicate with each other.

An information disclosure flaw was found in mod_jk. In certain
situations, if a faulty client set the "Content-Length" header without
providing data, or if a user sent repeated requests very quickly, one
user may view a response intended for another user. (CVE-2008-5519)

As well, the sample configuration files provided in the documentation
have been updated to reflect recommended practice.

All mod_jk users are advised to upgrade to this updated package. It
provides mod_jk 1.2.28, which is not vulnerable to this issue.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

490201 - CVE-2008-5519 mod_jk: session information leak

6. Package List:

Red Hat Application Stack v2 for Enterprise Linux (v.5):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHWAS/SRPMS/mod_jk-1.2.28-1.el5s2.src.rpm

i386:
mod_jk-ap20-1.2.28-1.el5s2.i386.rpm
mod_jk-debuginfo-1.2.28-1.el5s2.i386.rpm

x86_64:
mod_jk-ap20-1.2.28-1.el5s2.x86_64.rpm
mod_jk-debuginfo-1.2.28-1.el5s2.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5519
http://www.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at
https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.
From bugzilla at redhat.com Mon Apr 27 21:06:23 2009
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 27 Apr 2009 17:06:23 -0400
Subject: [RHSA-2009:0449-01] Critical: firefox security update
Message-ID: <200904272106.n3RL6NAJ011196@int-mx1.corp.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: firefox security update
Advisory ID:       RHSA-2009:0449-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2009-0449.html
Issue date:        2009-04-27
CVE Names:         CVE-2009-1313
=====================================================================

1. Summary:

Updated firefox packages that fix one security issue are now available
for Red Hat Enterprise Linux 4 and 5.

This update has been rated as having critical security impact by the
Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64

3. Description:

Mozilla Firefox is an open source Web browser. XULRunner provides the XUL
Runtime environment for Mozilla Firefox.

A flaw was found in the processing of malformed web content. A web page
containing malicious content could cause Firefox to crash or, potentially,
execute arbitrary code as the user running Firefox. (CVE-2009-1313)

For technical details regarding this flaw, refer to the Mozilla security
advisory for Firefox 3.0.10. You can find a link to the Mozilla advisories
in the References section of this errata.

All Firefox users should upgrade to these updated packages, which contain
Firefox version 3.0.10, which corrects this issue. After installing the
update, Firefox must be restarted for the change to take effect.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

497447 - CVE-2009-1313 Firefox crash in nsTextFrame::ClearTextRun()

6. Package List:

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/firefox-3.0.10-1.el4.src.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/firefox-3.0.10-1.el4.src.rpm

Red Hat Enterprise Linux ES version 4:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/firefox-3.0.10-1.el4.src.rpm

Red Hat Enterprise Linux WS version 4:

Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/firefox-3.0.10-1.el4.src.rpm

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/firefox-3.0.10-1.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/xulrunner-1.9.0.10-1.el5.src.rpm

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/xulrunner-1.9.0.10-1.el5.src.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/firefox-3.0.10-1.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/xulrunner-1.9.0.10-1.el5.src.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1313
http://www.redhat.com/security/updates/classification/#critical
http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.10

8. Contact:

The Red Hat security contact is . More contact details at
https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.

From bugzilla at redhat.com Wed Apr 29 10:54:58 2009
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 29 Apr 2009 06:54:58 -0400
Subject: [RHSA-2009:0451-02] Important: kernel-rt security and bug fix update
Message-ID: <200904291054.n3TAsw8v007709@int-mx1.corp.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: kernel-rt security and bug fix update
Advisory ID:       RHSA-2009:0451-02
Product:           Red Hat Enterprise MRG for RHEL-5
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2009-0451.html
Issue date:        2009-04-29
CVE Names:         CVE-2008-4307 CVE-2009-0028 CVE-2009-0834 CVE-2009-0835
                   CVE-2009-1046 CVE-2009-1337
=====================================================================

1. Summary:

Updated kernel-rt packages that fix several security issues and a bug are
now available for Red Hat Enterprise MRG 1.1.2.

This update has been rated as having important security impact by the
Red Hat Security Response Team.

2. Relevant releases/architectures:

MRG Realtime for RHEL 5 Server - i386, noarch, x86_64

3. Description:

The kernel-rt packages contain the Linux kernel, the core of any Linux
operating system.
These updated packages fix the following security issues: * a logic error was found in the do_setlk() function of the Linux kernel Network File System (NFS) implementation. If a signal interrupted a lock request, the local POSIX lock was incorrectly created. This could cause a denial of service on the NFS server if a file descriptor was closed before its corresponding lock request returned. (CVE-2008-4307, Important) * a deficiency was found in the Linux kernel system call auditing implementation on 64-bit systems. This could allow a local, unprivileged user to circumvent a system call audit configuration, if that configuration filtered based on the "syscall" number or arguments. (CVE-2009-0834, Important) * Chris Evans reported a deficiency in the Linux kernel secure-computing implementation on 64-bit systems. This could allow a local, unprivileged user to bypass intended access restrictions, if those access restriction filters were based on the "syscall" number or arguments. (CVE-2009-0835, Important) * the exit_notify() function in the Linux kernel did not properly reset the exit signal if a process executed a set user ID (setuid) application before exiting. This could allow a local, unprivileged user to elevate their privileges. (CVE-2009-1337, Important) * Chris Evans reported a deficiency in the Linux kernel signals implementation. The clone() system call permits the caller to indicate the signal it wants to receive when its child exits. When clone() is called with the CLONE_PARENT flag, it permits the caller to clone a new child that shares the same parent as itself, enabling the indicated signal to be sent to the caller's parent (instead of the caller), even if the caller's parent has different real and effective user IDs. This could lead to a denial of service of the parent. (CVE-2009-0028, Moderate) * an off-by-two error was found in the set_selection() function of the Linux kernel. 
This could allow a local, unprivileged user to cause a denial of service when making a selection of characters in a UTF-8 console. Note: physical console access is required to exploit this issue. (CVE-2009-1046, Low) These updated packages also fix the following bug: * the __scsi_device_lookup_by_target() function was always returning the first matching device, regardless of the state of the device. This meant that any valid device listed after a deleted device would not be found. The __scsi_device_lookup_by_target() function was modified so that deleted devices are skipped, and valid devices are now found. (BZ#495976) All Red Hat Enterprise MRG users should install this update, which resolves these issues. For this update to take effect, the system must be rebooted. 4. Solution: Before applying this update, make sure that all previously-released errata relevant to your system have been applied. This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259 5. Bugs fixed (http://bugzilla.redhat.com/): 456282 - CVE-2008-4307 Kernel BUG() in locks_remove_flock 479932 - CVE-2009-0028 Linux kernel minor signal handling vulnerability 487255 - CVE-2009-0835 kernel: x86-64: seccomp: 32/64 syscall hole 487990 - CVE-2009-0834 kernel: x86-64: syscall-audit: 32/64 syscall hole 491787 - CVE-2009-1046 kernel: utf8 selection memory corruption 493771 - CVE-2009-1337 kernel: exit_notify: kill the wrong capable(CAP_KILL) check 6. 
Package List: MRG Realtime for RHEL 5 Server: Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/kernel-rt-2.6.24.7-111.el5rt.src.rpm i386: kernel-rt-2.6.24.7-111.el5rt.i686.rpm kernel-rt-debug-2.6.24.7-111.el5rt.i686.rpm kernel-rt-debug-debuginfo-2.6.24.7-111.el5rt.i686.rpm kernel-rt-debug-devel-2.6.24.7-111.el5rt.i686.rpm kernel-rt-debuginfo-2.6.24.7-111.el5rt.i686.rpm kernel-rt-debuginfo-common-2.6.24.7-111.el5rt.i686.rpm kernel-rt-devel-2.6.24.7-111.el5rt.i686.rpm kernel-rt-trace-2.6.24.7-111.el5rt.i686.rpm kernel-rt-trace-debuginfo-2.6.24.7-111.el5rt.i686.rpm kernel-rt-trace-devel-2.6.24.7-111.el5rt.i686.rpm kernel-rt-vanilla-2.6.24.7-111.el5rt.i686.rpm kernel-rt-vanilla-debuginfo-2.6.24.7-111.el5rt.i686.rpm kernel-rt-vanilla-devel-2.6.24.7-111.el5rt.i686.rpm noarch: kernel-rt-doc-2.6.24.7-111.el5rt.noarch.rpm x86_64: kernel-rt-2.6.24.7-111.el5rt.x86_64.rpm kernel-rt-debug-2.6.24.7-111.el5rt.x86_64.rpm kernel-rt-debug-debuginfo-2.6.24.7-111.el5rt.x86_64.rpm kernel-rt-debug-devel-2.6.24.7-111.el5rt.x86_64.rpm kernel-rt-debuginfo-2.6.24.7-111.el5rt.x86_64.rpm kernel-rt-debuginfo-common-2.6.24.7-111.el5rt.x86_64.rpm kernel-rt-devel-2.6.24.7-111.el5rt.x86_64.rpm kernel-rt-trace-2.6.24.7-111.el5rt.x86_64.rpm kernel-rt-trace-debuginfo-2.6.24.7-111.el5rt.x86_64.rpm kernel-rt-trace-devel-2.6.24.7-111.el5rt.x86_64.rpm kernel-rt-vanilla-2.6.24.7-111.el5rt.x86_64.rpm kernel-rt-vanilla-debuginfo-2.6.24.7-111.el5rt.x86_64.rpm kernel-rt-vanilla-devel-2.6.24.7-111.el5rt.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package 7. 
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4307 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0028 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0834 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0835 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1046 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1337 http://www.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/ Copyright 2009 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFJ+DH7XlSAg2UNWIIRAuPjAJ9gKgsyAIK5at18acHpmHl+NaNncACeMPxj nzPTYCBjX11hkMphizFzvDI= =qlVP -----END PGP SIGNATURE----- From bugzilla at redhat.com Thu Apr 30 21:13:24 2009 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 30 Apr 2009 17:13:24 -0400 Subject: [RHSA-2009:0457-01] Moderate: libwmf security update Message-ID: <200904302113.n3ULDOIo022513@int-mx1.corp.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: libwmf security update Advisory ID: RHSA-2009:0457-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2009-0457.html Issue date: 2009-04-30 CVE Names: CVE-2009-1364 ===================================================================== 1. Summary: Updated libwmf packages that fix one security issue are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. 2. 
Relevant releases/architectures: Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64 Red Hat Enterprise Linux Desktop version 4 - i386, x86_64 Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64 Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 RHEL Desktop Workstation (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64 3. Description: libwmf is a library for reading and converting Windows Metafile Format (WMF) vector graphics. libwmf is used by applications such as GIMP and ImageMagick. A pointer use-after-free flaw was found in the GD graphics library embedded in libwmf. An attacker could create a specially-crafted WMF file that would cause an application using libwmf to crash or, potentially, execute arbitrary code as the user running the application when opened by a victim. (CVE-2009-1364) Note: This flaw is specific to the GD graphics library embedded in libwmf. It does not affect the GD graphics library from the "gd" packages, or applications using it. Red Hat would like to thank Tavis Ormandy of the Google Security Team for responsibly reporting this flaw. All users of libwmf are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the update, all applications using libwmf must be restarted for the update to take effect. 4. Solution: Before applying this update, make sure that all previously-released errata relevant to your system have been applied. This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259 5. Bugs fixed (http://bugzilla.redhat.com/): 496864 - CVE-2009-1364 libwmf: embedded gd use-after-free error 6. 
Package List:

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/libwmf-0.2.8.3-5.8.src.rpm

i386:
libwmf-0.2.8.3-5.8.i386.rpm
libwmf-debuginfo-0.2.8.3-5.8.i386.rpm
libwmf-devel-0.2.8.3-5.8.i386.rpm

ia64:
libwmf-0.2.8.3-5.8.i386.rpm
libwmf-0.2.8.3-5.8.ia64.rpm
libwmf-debuginfo-0.2.8.3-5.8.i386.rpm
libwmf-debuginfo-0.2.8.3-5.8.ia64.rpm
libwmf-devel-0.2.8.3-5.8.ia64.rpm

ppc:
libwmf-0.2.8.3-5.8.ppc.rpm
libwmf-0.2.8.3-5.8.ppc64.rpm
libwmf-debuginfo-0.2.8.3-5.8.ppc.rpm
libwmf-debuginfo-0.2.8.3-5.8.ppc64.rpm
libwmf-devel-0.2.8.3-5.8.ppc.rpm

s390:
libwmf-0.2.8.3-5.8.s390.rpm
libwmf-debuginfo-0.2.8.3-5.8.s390.rpm
libwmf-devel-0.2.8.3-5.8.s390.rpm

s390x:
libwmf-0.2.8.3-5.8.s390.rpm
libwmf-0.2.8.3-5.8.s390x.rpm
libwmf-debuginfo-0.2.8.3-5.8.s390.rpm
libwmf-debuginfo-0.2.8.3-5.8.s390x.rpm
libwmf-devel-0.2.8.3-5.8.s390x.rpm

x86_64:
libwmf-0.2.8.3-5.8.i386.rpm
libwmf-0.2.8.3-5.8.x86_64.rpm
libwmf-debuginfo-0.2.8.3-5.8.i386.rpm
libwmf-debuginfo-0.2.8.3-5.8.x86_64.rpm
libwmf-devel-0.2.8.3-5.8.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/libwmf-0.2.8.3-5.8.src.rpm

i386:
libwmf-0.2.8.3-5.8.i386.rpm
libwmf-debuginfo-0.2.8.3-5.8.i386.rpm
libwmf-devel-0.2.8.3-5.8.i386.rpm

x86_64:
libwmf-0.2.8.3-5.8.i386.rpm
libwmf-0.2.8.3-5.8.x86_64.rpm
libwmf-debuginfo-0.2.8.3-5.8.i386.rpm
libwmf-debuginfo-0.2.8.3-5.8.x86_64.rpm
libwmf-devel-0.2.8.3-5.8.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/libwmf-0.2.8.3-5.8.src.rpm

i386:
libwmf-0.2.8.3-5.8.i386.rpm
libwmf-debuginfo-0.2.8.3-5.8.i386.rpm
libwmf-devel-0.2.8.3-5.8.i386.rpm

ia64:
libwmf-0.2.8.3-5.8.i386.rpm
libwmf-0.2.8.3-5.8.ia64.rpm
libwmf-debuginfo-0.2.8.3-5.8.i386.rpm
libwmf-debuginfo-0.2.8.3-5.8.ia64.rpm
libwmf-devel-0.2.8.3-5.8.ia64.rpm

x86_64:
libwmf-0.2.8.3-5.8.i386.rpm
libwmf-0.2.8.3-5.8.x86_64.rpm
libwmf-debuginfo-0.2.8.3-5.8.i386.rpm
libwmf-debuginfo-0.2.8.3-5.8.x86_64.rpm
libwmf-devel-0.2.8.3-5.8.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/libwmf-0.2.8.3-5.8.src.rpm

i386:
libwmf-0.2.8.3-5.8.i386.rpm
libwmf-debuginfo-0.2.8.3-5.8.i386.rpm
libwmf-devel-0.2.8.3-5.8.i386.rpm

ia64:
libwmf-0.2.8.3-5.8.i386.rpm
libwmf-0.2.8.3-5.8.ia64.rpm
libwmf-debuginfo-0.2.8.3-5.8.i386.rpm
libwmf-debuginfo-0.2.8.3-5.8.ia64.rpm
libwmf-devel-0.2.8.3-5.8.ia64.rpm

x86_64:
libwmf-0.2.8.3-5.8.i386.rpm
libwmf-0.2.8.3-5.8.x86_64.rpm
libwmf-debuginfo-0.2.8.3-5.8.i386.rpm
libwmf-debuginfo-0.2.8.3-5.8.x86_64.rpm
libwmf-devel-0.2.8.3-5.8.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/libwmf-0.2.8.4-10.2.src.rpm

i386:
libwmf-0.2.8.4-10.2.i386.rpm
libwmf-debuginfo-0.2.8.4-10.2.i386.rpm

x86_64:
libwmf-0.2.8.4-10.2.i386.rpm
libwmf-0.2.8.4-10.2.x86_64.rpm
libwmf-debuginfo-0.2.8.4-10.2.i386.rpm
libwmf-debuginfo-0.2.8.4-10.2.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/libwmf-0.2.8.4-10.2.src.rpm

i386:
libwmf-debuginfo-0.2.8.4-10.2.i386.rpm
libwmf-devel-0.2.8.4-10.2.i386.rpm

x86_64:
libwmf-debuginfo-0.2.8.4-10.2.i386.rpm
libwmf-debuginfo-0.2.8.4-10.2.x86_64.rpm
libwmf-devel-0.2.8.4-10.2.i386.rpm
libwmf-devel-0.2.8.4-10.2.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/libwmf-0.2.8.4-10.2.src.rpm

i386:
libwmf-0.2.8.4-10.2.i386.rpm
libwmf-debuginfo-0.2.8.4-10.2.i386.rpm
libwmf-devel-0.2.8.4-10.2.i386.rpm

ia64:
libwmf-0.2.8.4-10.2.ia64.rpm
libwmf-debuginfo-0.2.8.4-10.2.ia64.rpm
libwmf-devel-0.2.8.4-10.2.ia64.rpm

ppc:
libwmf-0.2.8.4-10.2.ppc.rpm
libwmf-0.2.8.4-10.2.ppc64.rpm
libwmf-debuginfo-0.2.8.4-10.2.ppc.rpm
libwmf-debuginfo-0.2.8.4-10.2.ppc64.rpm
libwmf-devel-0.2.8.4-10.2.ppc.rpm
libwmf-devel-0.2.8.4-10.2.ppc64.rpm

s390x:
libwmf-0.2.8.4-10.2.s390.rpm
libwmf-0.2.8.4-10.2.s390x.rpm
libwmf-debuginfo-0.2.8.4-10.2.s390.rpm
libwmf-debuginfo-0.2.8.4-10.2.s390x.rpm
libwmf-devel-0.2.8.4-10.2.s390.rpm
libwmf-devel-0.2.8.4-10.2.s390x.rpm

x86_64:
libwmf-0.2.8.4-10.2.i386.rpm
libwmf-0.2.8.4-10.2.x86_64.rpm
libwmf-debuginfo-0.2.8.4-10.2.i386.rpm
libwmf-debuginfo-0.2.8.4-10.2.x86_64.rpm
libwmf-devel-0.2.8.4-10.2.i386.rpm
libwmf-devel-0.2.8.4-10.2.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1364
http://www.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFJ+hRnXlSAg2UNWIIRAjLnAKCSTbPY7lX6u4Ewo01ToJRrIahnNwCdEMSQ
dvy8m7qrSQmmgzVFOUcWpPs=
=eeAb
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Apr 30 21:13:56 2009
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 30 Apr 2009 17:13:56 -0400
Subject: [RHSA-2009:0458-01] Important: gpdf security update
Message-ID: <200904302113.n3ULDu7n022815@int-mx1.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Important: gpdf security update
Advisory ID: RHSA-2009:0458-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2009-0458.html
Issue date: 2009-04-30
CVE Names: CVE-2009-0146 CVE-2009-0147 CVE-2009-0166 CVE-2009-0195 CVE-2009-0799 CVE-2009-0800 CVE-2009-1179 CVE-2009-1180 CVE-2009-1181 CVE-2009-1182 CVE-2009-1183
=====================================================================

1. Summary:

An updated gpdf package that fixes multiple security issues is now available for Red Hat Enterprise Linux 4.

This update has been rated as having important security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

3. Description:

GPdf is a viewer for Portable Document Format (PDF) files.

Multiple integer overflow flaws were found in GPdf's JBIG2 decoder. An attacker could create a malicious PDF file that would cause GPdf to crash or, potentially, execute arbitrary code when opened. (CVE-2009-0147, CVE-2009-1179)

Multiple buffer overflow flaws were found in GPdf's JBIG2 decoder. An attacker could create a malicious PDF file that would cause GPdf to crash or, potentially, execute arbitrary code when opened. (CVE-2009-0146, CVE-2009-1182)

Multiple flaws were found in GPdf's JBIG2 decoder that could lead to the freeing of arbitrary memory. An attacker could create a malicious PDF file that would cause GPdf to crash or, potentially, execute arbitrary code when opened. (CVE-2009-0166, CVE-2009-1180)

Multiple input validation flaws were found in GPdf's JBIG2 decoder. An attacker could create a malicious PDF file that would cause GPdf to crash or, potentially, execute arbitrary code when opened. (CVE-2009-0800)

Multiple denial of service flaws were found in GPdf's JBIG2 decoder. An attacker could create a malicious PDF that would cause GPdf to crash when opened. (CVE-2009-0799, CVE-2009-1181, CVE-2009-1183)

Red Hat would like to thank Braden Thomas and Drew Yao of the Apple Product Security team, and Will Dormann of the CERT/CC for responsibly reporting these flaws.

Users are advised to upgrade to this updated package, which contains backported patches to correct these issues.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

490612 - CVE-2009-0146 xpdf: Multiple buffer overflows in JBIG2 decoder (setBitmap, readSymbolDictSeg) (CVE-2009-0195)
490614 - CVE-2009-0147 xpdf: Multiple integer overflows in JBIG2 decoder
490625 - CVE-2009-0166 xpdf: Freeing of potentially uninitialized memory in JBIG2 decoder
495886 - CVE-2009-0799 PDF JBIG2 decoder OOB read
495887 - CVE-2009-0800 PDF JBIG2 multiple input validation flaws
495889 - CVE-2009-1179 PDF JBIG2 integer overflow
495892 - CVE-2009-1180 PDF JBIG2 invalid free()
495894 - CVE-2009-1181 PDF JBIG2 NULL dereference
495896 - CVE-2009-1182 PDF JBIG2 MMR decoder buffer overflows
495899 - CVE-2009-1183 PDF JBIG2 MMR infinite loop DoS

6. Package List:

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/gpdf-2.8.2-7.7.2.el4_7.4.src.rpm

i386:
gpdf-2.8.2-7.7.2.el4_7.4.i386.rpm
gpdf-debuginfo-2.8.2-7.7.2.el4_7.4.i386.rpm

ia64:
gpdf-2.8.2-7.7.2.el4_7.4.ia64.rpm
gpdf-debuginfo-2.8.2-7.7.2.el4_7.4.ia64.rpm

ppc:
gpdf-2.8.2-7.7.2.el4_7.4.ppc.rpm
gpdf-debuginfo-2.8.2-7.7.2.el4_7.4.ppc.rpm

s390:
gpdf-2.8.2-7.7.2.el4_7.4.s390.rpm
gpdf-debuginfo-2.8.2-7.7.2.el4_7.4.s390.rpm

s390x:
gpdf-2.8.2-7.7.2.el4_7.4.s390x.rpm
gpdf-debuginfo-2.8.2-7.7.2.el4_7.4.s390x.rpm

x86_64:
gpdf-2.8.2-7.7.2.el4_7.4.x86_64.rpm
gpdf-debuginfo-2.8.2-7.7.2.el4_7.4.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/gpdf-2.8.2-7.7.2.el4_7.4.src.rpm

i386:
gpdf-2.8.2-7.7.2.el4_7.4.i386.rpm
gpdf-debuginfo-2.8.2-7.7.2.el4_7.4.i386.rpm

x86_64:
gpdf-2.8.2-7.7.2.el4_7.4.x86_64.rpm
gpdf-debuginfo-2.8.2-7.7.2.el4_7.4.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/gpdf-2.8.2-7.7.2.el4_7.4.src.rpm

i386:
gpdf-2.8.2-7.7.2.el4_7.4.i386.rpm
gpdf-debuginfo-2.8.2-7.7.2.el4_7.4.i386.rpm

ia64:
gpdf-2.8.2-7.7.2.el4_7.4.ia64.rpm
gpdf-debuginfo-2.8.2-7.7.2.el4_7.4.ia64.rpm

x86_64:
gpdf-2.8.2-7.7.2.el4_7.4.x86_64.rpm
gpdf-debuginfo-2.8.2-7.7.2.el4_7.4.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/gpdf-2.8.2-7.7.2.el4_7.4.src.rpm

i386:
gpdf-2.8.2-7.7.2.el4_7.4.i386.rpm
gpdf-debuginfo-2.8.2-7.7.2.el4_7.4.i386.rpm

ia64:
gpdf-2.8.2-7.7.2.el4_7.4.ia64.rpm
gpdf-debuginfo-2.8.2-7.7.2.el4_7.4.ia64.rpm

x86_64:
gpdf-2.8.2-7.7.2.el4_7.4.x86_64.rpm
gpdf-debuginfo-2.8.2-7.7.2.el4_7.4.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0146
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0147
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0166
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0195
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0799
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0800
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1179
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1180
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1181
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1182
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1183
http://www.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.
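The JBIG2 entries in RHSA-2009:0458 above (integer overflows, and buffer overflows in setBitmap and readSymbolDictSeg) belong to a class that every image decoder has to defend against: width and height read from the file feed size arithmetic that can wrap, the buffer allocated from the wrapped result is too small, and later writes that trust the original dimensions run past it. The C below is an added illustration of that weak arithmetic beside its checked form; it is not code from GPdf or xpdf. The Bitmap type, the MAX_DIM and MAX_BYTES ceilings and every function name are constructed for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed ceilings for this example; a real decoder picks its own. */
#define MAX_DIM   (1u << 20)          /* max width or height in pixels */
#define MAX_BYTES ((size_t)256 << 20) /* max bitmap buffer, 256 MiB */

/* Hypothetical 1-bit-per-pixel bitmap, rows padded to whole bytes: the kind
 * of object a JBIG2 decoder builds from attacker-controlled region headers. */
typedef struct {
    uint32_t w, h;
    size_t line;    /* bytes per row */
    size_t size;    /* bytes in data */
    uint8_t *data;
} Bitmap;

/* Weak pattern: 32-bit arithmetic with no range check. line * h wraps for
 * large dimensions, the buffer comes out far too small, and every later
 * write that trusts w and h runs off the end of it. */
uint32_t bitmap_size_unchecked(uint32_t w, uint32_t h) {
    uint32_t line = (w + 7) / 8;
    return line * h;            /* wraps modulo 2^32 */
}

/* Hardened: reject zero or oversized dimensions, multiply in size_t with an
 * explicit overflow test, and cap the final byte count. Returns 0 on success
 * and -1 when the dimensions are rejected. */
int bitmap_size_checked(uint32_t w, uint32_t h, size_t *out) {
    if (w == 0 || h == 0 || w > MAX_DIM || h > MAX_DIM)
        return -1;
    size_t line = ((size_t)w + 7) / 8;      /* >= 1 because w >= 1 */
    if ((size_t)h > SIZE_MAX / line)
        return -1;              /* line * h would overflow size_t */
    size_t size = line * (size_t)h;
    if (size > MAX_BYTES)
        return -1;              /* arithmetically fine, still unreasonable */
    *out = size;
    return 0;
}

Bitmap *bitmap_new(uint32_t w, uint32_t h) {
    size_t size;
    if (bitmap_size_checked(w, h, &size) != 0)
        return NULL;
    Bitmap *b = calloc(1, sizeof *b);
    if (!b)
        return NULL;
    b->data = calloc(size, 1);  /* zeroed: no stale heap contents */
    if (!b->data) {
        free(b);
        return NULL;
    }
    b->w = w;
    b->h = h;
    b->line = ((size_t)w + 7) / 8;
    b->size = size;
    return b;
}

/* Every pixel access is bounds-checked against the stored dimensions rather
 * than trusting coordinates that came out of the file. */
int bitmap_set_pixel(Bitmap *b, uint32_t x, uint32_t y) {
    if (!b || x >= b->w || y >= b->h)
        return -1;
    b->data[y * b->line + x / 8] |= (uint8_t)(0x80 >> (x % 8));
    return 0;
}

int bitmap_get_pixel(const Bitmap *b, uint32_t x, uint32_t y) {
    if (!b || x >= b->w || y >= b->h)
        return -1;
    return (b->data[y * b->line + x / 8] >> (7 - x % 8)) & 1;
}

void bitmap_free(Bitmap *b) {
    if (b) {
        free(b->data);
        free(b);
    }
}
```

With w = 2^20 and h = 2^17 the unchecked form returns 0 bytes (2^34 wraps to zero in 32 bits), while the checked form rejects the same pair: the product no longer overflows once it is computed in size_t, but it exceeds the byte ceiling. Both checks matter; overflow-free arithmetic alone would happily hand a 16 GiB request to the allocator.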
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFJ+hR3XlSAg2UNWIIRAm2KAKCY4sGVDIOzM9pN2C6GMXQk94YaGgCfZ+IJ
bcLhjzjifXdyL86hCCFUjIo=
=nWX+
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Apr 30 21:27:27 2009
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 30 Apr 2009 17:27:27 -0400
Subject: [RHSA-2009:0459-01] Important: kernel security and bug fix update
Message-ID: <200904302127.n3ULRRjR001242@int-mx1.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Important: kernel security and bug fix update
Advisory ID: RHSA-2009:0459-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2009-0459.html
Issue date: 2009-04-30
CVE Names: CVE-2008-4307 CVE-2009-0028 CVE-2009-0676 CVE-2009-0834
=====================================================================

1. Summary:

Updated kernel packages that fix several security issues and various bugs are now available for Red Hat Enterprise Linux 4.

This update has been rated as having important security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 - i386, ia64, noarch, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, noarch, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, noarch, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, noarch, x86_64

3. Description:

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security fixes:

* a logic error was found in the do_setlk() function of the Linux kernel Network File System (NFS) implementation. If a signal interrupted a lock request, the local POSIX lock was incorrectly created. This could cause a denial of service on the NFS server if a file descriptor was closed before its corresponding lock request returned. (CVE-2008-4307, Important)

* a deficiency was found in the Linux kernel system call auditing implementation on 64-bit systems. This could allow a local, unprivileged user to circumvent a system call audit configuration, if that configuration filtered based on the "syscall" number or arguments. (CVE-2009-0834, Important)

* Chris Evans reported a deficiency in the Linux kernel signals implementation. The clone() system call permits the caller to indicate the signal it wants to receive when its child exits. When clone() is called with the CLONE_PARENT flag, it permits the caller to clone a new child that shares the same parent as itself, enabling the indicated signal to be sent to the caller's parent (instead of the caller), even if the caller's parent has different real and effective user IDs. This could lead to a denial of service of the parent. (CVE-2009-0028, Moderate)

* the sock_getsockopt() function in the Linux kernel did not properly initialize a data structure that can be directly returned to user-space when the getsockopt() function is called with SO_BSDCOMPAT optname set. This flaw could possibly lead to memory disclosure. (CVE-2009-0676, Moderate)

Bug fixes:

* a kernel crash may have occurred for Red Hat Enterprise Linux 4.7 guests if their guest configuration file specified "vif = [ "type=ioemu" ]". This crash only occurred when starting guests via the "xm create" command. (BZ#477146)

* a bug in IO-APIC NMI watchdog may have prevented Red Hat Enterprise Linux 4.7 from being installed on HP ProLiant DL580 G5 systems. Hangs during installation and "NMI received for unknown reason [xx]" errors may have occurred. (BZ#479184)

* a kernel deadlock on some systems when using netdump through a network interface that uses the igb driver. (BZ#480579)

* a possible kernel hang in sys_ptrace() on the Itanium® architecture, possibly triggered by tracing a threaded process with strace. (BZ#484904)

* the RHSA-2008:0665 errata only fixed the known problem with the LSI Logic LSI53C1030 Ultra320 SCSI controller, for tape devices. Read commands sent to tape devices may have received incorrect data. This issue may have led to data corruption. This update includes a fix for all types of devices. (BZ#487399)

* a missing memory barrier caused a race condition in the AIO subsystem between the read_events() and aio_complete() functions. This may have caused a thread in read_events() to sleep indefinitely, possibly causing an application hang. (BZ#489935)

* due to a lack of synchronization in the NFS client code, modifications to some pages (for files on an NFS mounted file system) made through a region of memory mapped by mmap() may be lost if the NFS client invalidates its page cache for particular files. (BZ#490119)

* a NULL pointer dereference in the megaraid_mbox driver caused a system crash on some systems. (BZ#493420)

* the ext3_symlink() function in the ext3 file system code used an illegal __GFP_FS allocation inside some transactions. This may have resulted in a kernel panic and "Assertion failure" errors. (BZ#493422)

* do_machine_check() cleared all Machine Check Exception (MCE) status registers, preventing the BIOS from using them to determine the cause of certain panics and errors. (BZ#494915)

* a bug prevented NMI watchdog from initializing on HP ProLiant DL580 G5 systems. (BZ#497330)

This update contains backported patches to fix these issues. The system must be rebooted for this update to take effect.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

456282 - CVE-2008-4307 Kernel BUG() in locks_remove_flock
477146 - RHEL4.7 guest will crash, if creating with only RTL8139 emulation NIC
479184 - RHEL 4.7: unknown NMI errors on x86_64 on DL580 G5
479932 - CVE-2009-0028 Linux kernel minor signal handling vulnerability
480579 - deadlock in igb during netdump
484904 - [RHEL4U4] strace utility can cause system to hang at sys_ptrace
486305 - CVE-2009-0676 kernel: memory disclosure in SO_BSDCOMPAT gsopt
487399 - [4.7]When SCSI READ Command is issued to tape device, the read data might not be correct for LSI 53C1030 Errata No28.
487990 - CVE-2009-0834 kernel: x86-64: syscall-audit: 32/64 syscall hole
489935 - race in aio_complete() leads to process hang
490119 - LTC41974-Pages of a memory mapped NFS file get corrupted.
493420 - NULL pointer dereference at megaraid_queue_command after a reset
493422 - [RHEL4u4] Kernel panic was caused by page_symlink() when kernel has to shrink caches
497330 - Enable NMI watchdog on HP DL580 G5

6. Package List:

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/kernel-2.6.9-78.0.22.EL.src.rpm

i386:
kernel-2.6.9-78.0.22.EL.i686.rpm
kernel-debuginfo-2.6.9-78.0.22.EL.i686.rpm
kernel-devel-2.6.9-78.0.22.EL.i686.rpm
kernel-hugemem-2.6.9-78.0.22.EL.i686.rpm
kernel-hugemem-devel-2.6.9-78.0.22.EL.i686.rpm
kernel-smp-2.6.9-78.0.22.EL.i686.rpm
kernel-smp-devel-2.6.9-78.0.22.EL.i686.rpm
kernel-xenU-2.6.9-78.0.22.EL.i686.rpm
kernel-xenU-devel-2.6.9-78.0.22.EL.i686.rpm

ia64:
kernel-2.6.9-78.0.22.EL.ia64.rpm
kernel-debuginfo-2.6.9-78.0.22.EL.ia64.rpm
kernel-devel-2.6.9-78.0.22.EL.ia64.rpm
kernel-largesmp-2.6.9-78.0.22.EL.ia64.rpm
kernel-largesmp-devel-2.6.9-78.0.22.EL.ia64.rpm

noarch:
kernel-doc-2.6.9-78.0.22.EL.noarch.rpm

ppc:
kernel-2.6.9-78.0.22.EL.ppc64.rpm
kernel-2.6.9-78.0.22.EL.ppc64iseries.rpm
kernel-debuginfo-2.6.9-78.0.22.EL.ppc64.rpm
kernel-debuginfo-2.6.9-78.0.22.EL.ppc64iseries.rpm
kernel-devel-2.6.9-78.0.22.EL.ppc64.rpm
kernel-devel-2.6.9-78.0.22.EL.ppc64iseries.rpm
kernel-largesmp-2.6.9-78.0.22.EL.ppc64.rpm
kernel-largesmp-devel-2.6.9-78.0.22.EL.ppc64.rpm

s390:
kernel-2.6.9-78.0.22.EL.s390.rpm
kernel-debuginfo-2.6.9-78.0.22.EL.s390.rpm
kernel-devel-2.6.9-78.0.22.EL.s390.rpm

s390x:
kernel-2.6.9-78.0.22.EL.s390x.rpm
kernel-debuginfo-2.6.9-78.0.22.EL.s390x.rpm
kernel-devel-2.6.9-78.0.22.EL.s390x.rpm

x86_64:
kernel-2.6.9-78.0.22.EL.x86_64.rpm
kernel-debuginfo-2.6.9-78.0.22.EL.x86_64.rpm
kernel-devel-2.6.9-78.0.22.EL.x86_64.rpm
kernel-largesmp-2.6.9-78.0.22.EL.x86_64.rpm
kernel-largesmp-devel-2.6.9-78.0.22.EL.x86_64.rpm
kernel-smp-2.6.9-78.0.22.EL.x86_64.rpm
kernel-smp-devel-2.6.9-78.0.22.EL.x86_64.rpm
kernel-xenU-2.6.9-78.0.22.EL.x86_64.rpm
kernel-xenU-devel-2.6.9-78.0.22.EL.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/kernel-2.6.9-78.0.22.EL.src.rpm

i386:
kernel-2.6.9-78.0.22.EL.i686.rpm
kernel-debuginfo-2.6.9-78.0.22.EL.i686.rpm
kernel-devel-2.6.9-78.0.22.EL.i686.rpm
kernel-hugemem-2.6.9-78.0.22.EL.i686.rpm
kernel-hugemem-devel-2.6.9-78.0.22.EL.i686.rpm
kernel-smp-2.6.9-78.0.22.EL.i686.rpm
kernel-smp-devel-2.6.9-78.0.22.EL.i686.rpm
kernel-xenU-2.6.9-78.0.22.EL.i686.rpm
kernel-xenU-devel-2.6.9-78.0.22.EL.i686.rpm

noarch:
kernel-doc-2.6.9-78.0.22.EL.noarch.rpm

x86_64:
kernel-2.6.9-78.0.22.EL.x86_64.rpm
kernel-debuginfo-2.6.9-78.0.22.EL.x86_64.rpm
kernel-devel-2.6.9-78.0.22.EL.x86_64.rpm
kernel-largesmp-2.6.9-78.0.22.EL.x86_64.rpm
kernel-largesmp-devel-2.6.9-78.0.22.EL.x86_64.rpm
kernel-smp-2.6.9-78.0.22.EL.x86_64.rpm
kernel-smp-devel-2.6.9-78.0.22.EL.x86_64.rpm
kernel-xenU-2.6.9-78.0.22.EL.x86_64.rpm
kernel-xenU-devel-2.6.9-78.0.22.EL.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/kernel-2.6.9-78.0.22.EL.src.rpm

i386:
kernel-2.6.9-78.0.22.EL.i686.rpm
kernel-debuginfo-2.6.9-78.0.22.EL.i686.rpm
kernel-devel-2.6.9-78.0.22.EL.i686.rpm
kernel-hugemem-2.6.9-78.0.22.EL.i686.rpm
kernel-hugemem-devel-2.6.9-78.0.22.EL.i686.rpm
kernel-smp-2.6.9-78.0.22.EL.i686.rpm
kernel-smp-devel-2.6.9-78.0.22.EL.i686.rpm
kernel-xenU-2.6.9-78.0.22.EL.i686.rpm
kernel-xenU-devel-2.6.9-78.0.22.EL.i686.rpm

ia64:
kernel-2.6.9-78.0.22.EL.ia64.rpm
kernel-debuginfo-2.6.9-78.0.22.EL.ia64.rpm
kernel-devel-2.6.9-78.0.22.EL.ia64.rpm
kernel-largesmp-2.6.9-78.0.22.EL.ia64.rpm
kernel-largesmp-devel-2.6.9-78.0.22.EL.ia64.rpm

noarch:
kernel-doc-2.6.9-78.0.22.EL.noarch.rpm

x86_64:
kernel-2.6.9-78.0.22.EL.x86_64.rpm
kernel-debuginfo-2.6.9-78.0.22.EL.x86_64.rpm
kernel-devel-2.6.9-78.0.22.EL.x86_64.rpm
kernel-largesmp-2.6.9-78.0.22.EL.x86_64.rpm
kernel-largesmp-devel-2.6.9-78.0.22.EL.x86_64.rpm
kernel-smp-2.6.9-78.0.22.EL.x86_64.rpm
kernel-smp-devel-2.6.9-78.0.22.EL.x86_64.rpm
kernel-xenU-2.6.9-78.0.22.EL.x86_64.rpm
kernel-xenU-devel-2.6.9-78.0.22.EL.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/kernel-2.6.9-78.0.22.EL.src.rpm

i386:
kernel-2.6.9-78.0.22.EL.i686.rpm
kernel-debuginfo-2.6.9-78.0.22.EL.i686.rpm
kernel-devel-2.6.9-78.0.22.EL.i686.rpm
kernel-hugemem-2.6.9-78.0.22.EL.i686.rpm
kernel-hugemem-devel-2.6.9-78.0.22.EL.i686.rpm
kernel-smp-2.6.9-78.0.22.EL.i686.rpm
kernel-smp-devel-2.6.9-78.0.22.EL.i686.rpm
kernel-xenU-2.6.9-78.0.22.EL.i686.rpm
kernel-xenU-devel-2.6.9-78.0.22.EL.i686.rpm

ia64:
kernel-2.6.9-78.0.22.EL.ia64.rpm
kernel-debuginfo-2.6.9-78.0.22.EL.ia64.rpm
kernel-devel-2.6.9-78.0.22.EL.ia64.rpm
kernel-largesmp-2.6.9-78.0.22.EL.ia64.rpm
kernel-largesmp-devel-2.6.9-78.0.22.EL.ia64.rpm

noarch:
kernel-doc-2.6.9-78.0.22.EL.noarch.rpm

x86_64:
kernel-2.6.9-78.0.22.EL.x86_64.rpm
kernel-debuginfo-2.6.9-78.0.22.EL.x86_64.rpm
kernel-devel-2.6.9-78.0.22.EL.x86_64.rpm
kernel-largesmp-2.6.9-78.0.22.EL.x86_64.rpm
kernel-largesmp-devel-2.6.9-78.0.22.EL.x86_64.rpm
kernel-smp-2.6.9-78.0.22.EL.x86_64.rpm
kernel-smp-devel-2.6.9-78.0.22.EL.x86_64.rpm
kernel-xenU-2.6.9-78.0.22.EL.x86_64.rpm
kernel-xenU-devel-2.6.9-78.0.22.EL.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4307
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0028
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0676
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0834
http://www.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFJ+heZXlSAg2UNWIIRAgkeAJwNztdzpIy4F2Cxdw2mS4B0KzNPCACgsIMD
wEfW5pV1r2asVKJnCNKSGCI=
=4I0g
-----END PGP SIGNATURE-----
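The SO_BSDCOMPAT entry in RHSA-2009:0459 above (CVE-2009-0676) is one instance of a pattern worth recognising in any code that hands a structure back across a trust boundary: the handler sets the one field it cares about and copies the whole object out, so whatever the fields it never wrote, and the compiler's padding bytes, held before now reaches the caller. The C below is an added illustration of that pattern and of the fix, not the kernel's sock_getsockopt() code. struct sockopt_reply, reply_unsafe, reply_safe and copy_out (a stand-in for copy_to_user()) are constructed names, and the 0xAA marker stands in for whatever the reused memory previously held, so that the leak is deterministic and can be counted.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical reply object, modelled on the kind of structure a
 * getsockopt() handler fills in and hands back. 'flags' is followed by
 * compiler padding on common ABIs, and 'reserved' is never written by the
 * handler: both are where stale memory leaks from. */
struct sockopt_reply {
    uint16_t flags;
    /* 2 bytes of padding here on ABIs that align uint32_t to 4 */
    uint32_t value;
    uint32_t reserved;
};

/* Stand-in for copy_to_user(): copies at most the caller's length and
 * returns the number of bytes copied. */
static size_t copy_out(uint8_t *user_buf, size_t user_len,
                       const void *src, size_t src_len) {
    size_t n = user_len < src_len ? user_len : src_len;
    memcpy(user_buf, src, n);
    return n;
}

/* Weak pattern: 'slot' stands for a stack slot the handler reuses. Only the
 * field of interest is written, then the whole object is copied out; the
 * padding and 'reserved' still hold whatever that memory held before. */
size_t reply_unsafe(struct sockopt_reply *slot, uint8_t *user_buf, size_t user_len) {
    slot->value = 42;
    return copy_out(user_buf, user_len, slot, sizeof *slot);
}

/* Hardened: zero the whole object before filling it (memset rather than a
 * designated initializer, which does not promise to clear padding), and
 * refuse a caller length shorter than the object instead of returning a
 * truncated reply. */
size_t reply_safe(struct sockopt_reply *slot, uint8_t *user_buf, size_t user_len) {
    if (user_len < sizeof *slot)
        return 0;
    memset(slot, 0, sizeof *slot);
    slot->value = 42;
    return copy_out(user_buf, user_len, slot, sizeof *slot);
}

/* Counts bytes of a copied-out reply that still carry the 'stale' marker
 * the caller pre-filled the slot with. */
size_t count_stale(const uint8_t *buf, size_t len, uint8_t marker) {
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (buf[i] == marker)
            n++;
    return n;
}

/* Self-contained run: pre-fill the slot with a constructed marker standing
 * for previous contents, call one variant, and report how many marker bytes
 * reached the "user" buffer. */
size_t leaked_bytes(int use_safe) {
    struct sockopt_reply slot;
    uint8_t user_buf[sizeof slot];
    memset(&slot, 0xAA, sizeof slot);   /* constructed "previous contents" */
    memset(user_buf, 0, sizeof user_buf);
    size_t n = use_safe ? reply_safe(&slot, user_buf, sizeof user_buf)
                        : reply_unsafe(&slot, user_buf, sizeof user_buf);
    return count_stale(user_buf, n, 0xAA);
}
```

leaked_bytes(0) reports at least 6 stale bytes (the 2-byte flags field and the 4-byte reserved field, plus any padding the ABI adds), while leaked_bytes(1) reports none. The memset is the part that matters: a field-by-field assignment would fix the named fields and still leave padding untouched.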