From bugzilla at redhat.com  Tue Aug  4 13:26:11 2009
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 4 Aug 2009 09:26:11 -0400
Subject: [RHSA-2009:1193-01] Important: kernel security and bug fix update
Message-ID: <200908041326.n74DQBaS009279@int-mx1.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: kernel security and bug fix update
Advisory ID:       RHSA-2009:1193-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2009-1193.html
Issue date:        2009-08-04
CVE Names:         CVE-2007-5966 CVE-2009-1385 CVE-2009-1388 CVE-2009-1389
                   CVE-2009-1895 CVE-2009-2406 CVE-2009-2407
=====================================================================

1. Summary:

Updated kernel packages that fix several security issues and several bugs
are now available for Red Hat Enterprise Linux 5.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 5 client) - i386, noarch, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, noarch, ppc, s390x, x86_64

3. Description:

The kernel packages contain the Linux kernel, the core of any Linux
operating system.

Security fixes:

* the possibility of a timeout value overflow was found in the Linux kernel
high-resolution timers functionality, hrtimers. This could allow a local,
unprivileged user to execute arbitrary code, or cause a denial of service
(kernel panic). (CVE-2007-5966, Important)

* a flaw was found in the Intel PRO/1000 network driver in the Linux kernel.
Frames with sizes near the MTU of an interface may be split across multiple
hardware receive descriptors. Receipt of such a frame could leak through a
validation check, leading to a corruption of the length check.
A remote attacker could use this flaw to send a specially-crafted packet that
would cause a denial of service or code execution. (CVE-2009-1385, Important)

* Michael Tokarev reported a flaw in the Realtek r8169 Ethernet driver in the
Linux kernel. The driver allowed interfaces using it to receive frames larger
than could be handled, which could lead to a remote denial of service or code
execution. (CVE-2009-1389, Important)

* the ADDR_COMPAT_LAYOUT and MMAP_PAGE_ZERO flags were not cleared when a
setuid or setgid program was executed. A local, unprivileged user could use
this flaw to bypass the mmap_min_addr protection mechanism and perform a NULL
pointer dereference attack, or bypass the Address Space Layout Randomization
(ASLR) security feature. (CVE-2009-1895, Important)

* Ramon de Carvalho Valle reported two flaws in the Linux kernel eCryptfs
implementation. A local attacker with permissions to perform an eCryptfs
mount could modify the metadata of the files in that eCryptfs mount to cause
a buffer overflow, leading to a denial of service or privilege escalation.
(CVE-2009-2406, CVE-2009-2407, Important)

* Konstantin Khlebnikov discovered a race condition in the ptrace
implementation in the Linux kernel. This race condition can occur when the
process tracing and the process being traced participate in a core dump. A
local, unprivileged user could use this flaw to trigger a deadlock, resulting
in a partial denial of service. (CVE-2009-1388, Moderate)

Bug fixes:

* possible host (dom0) crash when installing a Xen para-virtualized guest
while another para-virtualized guest was rebooting. (BZ#497812)

* no audit record for a directory removal if the directory and its subtree
were recursively watched by an audit rule. (BZ#507561)

* running "echo 1 > /proc/sys/vm/drop_caches" on systems under high memory
load could cause a kernel panic. (BZ#503692)

* on 32-bit systems, core dumps for some multithreaded applications did not
include all thread information.
(BZ#505322)

* a stack buffer used by get_event_name() was not large enough for the nul
terminator sprintf() writes. This could lead to an invalid pointer or kernel
panic. (BZ#506906)

* when using the aic94xx driver, a system with SATA drives may not boot due
to a bug in libsas. (BZ#506029)

* incorrect stylus button handling when moving it away then returning it to
the tablet for Wacom Cintiq 21UX and Intuos tablets. (BZ#508275)

* CPU "soft lockup" messages and possibly a system hang on systems with
certain Broadcom network devices and running the Linux kernel from the
kernel-xen package. (BZ#503689)

* on 64-bit PowerPC, getitimer() failed for programs using the ITIMER_REAL
timer and that were also compiled for 64-bit systems (this caused such
programs to abort). (BZ#510018)

* write operations could be blocked even when using O_NONBLOCK. (BZ#510239)

* the "pci=nomsi" option was required for installing and booting Red Hat
Enterprise Linux 5.2 on systems with VIA VT3364 chipsets. (BZ#507529)

* shutting down, destroying, or migrating Xen guests with large amounts of
memory could cause other guests to be temporarily unresponsive. (BZ#512311)

Users should upgrade to these updated packages, which contain backported
patches to correct these issues. The system must be rebooted for this update
to take effect.

4. Solution:

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red
Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

453135 - CVE-2007-5966 kernel: non-root can trigger cpu_idle soft lockup
497812 - RH5.3 x64 RC2 reboots while installing a virtual machine
502981 - CVE-2009-1385 kernel: e1000_clean_rx_irq() denial of service
503689 - Call trace thrown up when stressing the network with bw_tcp
503692 - Possible panic when drop_pagecache_sb() and prune_icache() run concurrently.
504263 - CVE-2009-1388 kernel: do_coredump() vs ptrace_start() deadlock
504726 - CVE-2009-1389 kernel: r8169: fix crash when large packets are received
505322 - [Reg][RHEL5.3] Multi-threaded application dumps a core with wrong thread information
506029 - With Red Hat errata 128.1.6 installed system hangs with SATA drives installed.
506906 - kernel: TPM: get_event_name stack corruption [rhel-5.3.z]
507529 - disable MSI on VIA VT3364 chipsets
507561 - Removal of directory doesn't produce audit record if rule is recursive
508275 - Wacom driver with Intuos tablet does not report button press after a proximity leave/re-enter
510018 - setitimer(ITIMER_REAL, ...) failing in 64bit enviroment
510239 - [5.3]Write operation with O_NONBLOCK flag to TTY terminal is blocked
511171 - CVE-2009-1895 kernel: personality: fix PER_CLEAR_ON_SETID
512311 - A Shut down of a 32GB domU's freezes other domU's for several seconds
512861 - CVE-2009-2406 kernel: ecryptfs stack overflow in parse_tag_11_packet()
512885 - CVE-2009-2407 kernel: ecryptfs heap overflow in parse_tag_3_packet()

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/kernel-2.6.18-128.4.1.el5.src.rpm

i386:
kernel-2.6.18-128.4.1.el5.i686.rpm
kernel-PAE-2.6.18-128.4.1.el5.i686.rpm
kernel-PAE-debuginfo-2.6.18-128.4.1.el5.i686.rpm
kernel-PAE-devel-2.6.18-128.4.1.el5.i686.rpm
kernel-debug-2.6.18-128.4.1.el5.i686.rpm
kernel-debug-debuginfo-2.6.18-128.4.1.el5.i686.rpm
kernel-debug-devel-2.6.18-128.4.1.el5.i686.rpm
kernel-debuginfo-2.6.18-128.4.1.el5.i686.rpm
kernel-debuginfo-common-2.6.18-128.4.1.el5.i686.rpm
kernel-devel-2.6.18-128.4.1.el5.i686.rpm
kernel-headers-2.6.18-128.4.1.el5.i386.rpm
kernel-xen-2.6.18-128.4.1.el5.i686.rpm
kernel-xen-debuginfo-2.6.18-128.4.1.el5.i686.rpm
kernel-xen-devel-2.6.18-128.4.1.el5.i686.rpm

noarch:
kernel-doc-2.6.18-128.4.1.el5.noarch.rpm

x86_64:
kernel-2.6.18-128.4.1.el5.x86_64.rpm
kernel-debug-2.6.18-128.4.1.el5.x86_64.rpm
kernel-debug-debuginfo-2.6.18-128.4.1.el5.x86_64.rpm
kernel-debug-devel-2.6.18-128.4.1.el5.x86_64.rpm
kernel-debuginfo-2.6.18-128.4.1.el5.x86_64.rpm
kernel-debuginfo-common-2.6.18-128.4.1.el5.x86_64.rpm
kernel-devel-2.6.18-128.4.1.el5.x86_64.rpm
kernel-headers-2.6.18-128.4.1.el5.x86_64.rpm
kernel-xen-2.6.18-128.4.1.el5.x86_64.rpm
kernel-xen-debuginfo-2.6.18-128.4.1.el5.x86_64.rpm
kernel-xen-devel-2.6.18-128.4.1.el5.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/kernel-2.6.18-128.4.1.el5.src.rpm

i386:
kernel-2.6.18-128.4.1.el5.i686.rpm
kernel-PAE-2.6.18-128.4.1.el5.i686.rpm
kernel-PAE-debuginfo-2.6.18-128.4.1.el5.i686.rpm
kernel-PAE-devel-2.6.18-128.4.1.el5.i686.rpm
kernel-debug-2.6.18-128.4.1.el5.i686.rpm
kernel-debug-debuginfo-2.6.18-128.4.1.el5.i686.rpm
kernel-debug-devel-2.6.18-128.4.1.el5.i686.rpm
kernel-debuginfo-2.6.18-128.4.1.el5.i686.rpm
kernel-debuginfo-common-2.6.18-128.4.1.el5.i686.rpm
kernel-devel-2.6.18-128.4.1.el5.i686.rpm
kernel-headers-2.6.18-128.4.1.el5.i386.rpm
kernel-xen-2.6.18-128.4.1.el5.i686.rpm
kernel-xen-debuginfo-2.6.18-128.4.1.el5.i686.rpm
kernel-xen-devel-2.6.18-128.4.1.el5.i686.rpm

ia64:
kernel-2.6.18-128.4.1.el5.ia64.rpm
kernel-debug-2.6.18-128.4.1.el5.ia64.rpm
kernel-debug-debuginfo-2.6.18-128.4.1.el5.ia64.rpm
kernel-debug-devel-2.6.18-128.4.1.el5.ia64.rpm
kernel-debuginfo-2.6.18-128.4.1.el5.ia64.rpm
kernel-debuginfo-common-2.6.18-128.4.1.el5.ia64.rpm
kernel-devel-2.6.18-128.4.1.el5.ia64.rpm
kernel-headers-2.6.18-128.4.1.el5.ia64.rpm
kernel-xen-2.6.18-128.4.1.el5.ia64.rpm
kernel-xen-debuginfo-2.6.18-128.4.1.el5.ia64.rpm
kernel-xen-devel-2.6.18-128.4.1.el5.ia64.rpm

noarch:
kernel-doc-2.6.18-128.4.1.el5.noarch.rpm

ppc:
kernel-2.6.18-128.4.1.el5.ppc64.rpm
kernel-debug-2.6.18-128.4.1.el5.ppc64.rpm
kernel-debug-debuginfo-2.6.18-128.4.1.el5.ppc64.rpm
kernel-debug-devel-2.6.18-128.4.1.el5.ppc64.rpm
kernel-debuginfo-2.6.18-128.4.1.el5.ppc64.rpm
kernel-debuginfo-common-2.6.18-128.4.1.el5.ppc64.rpm
kernel-devel-2.6.18-128.4.1.el5.ppc64.rpm
kernel-headers-2.6.18-128.4.1.el5.ppc.rpm
kernel-headers-2.6.18-128.4.1.el5.ppc64.rpm
kernel-kdump-2.6.18-128.4.1.el5.ppc64.rpm
kernel-kdump-debuginfo-2.6.18-128.4.1.el5.ppc64.rpm
kernel-kdump-devel-2.6.18-128.4.1.el5.ppc64.rpm

s390x:
kernel-2.6.18-128.4.1.el5.s390x.rpm
kernel-debug-2.6.18-128.4.1.el5.s390x.rpm
kernel-debug-debuginfo-2.6.18-128.4.1.el5.s390x.rpm
kernel-debug-devel-2.6.18-128.4.1.el5.s390x.rpm
kernel-debuginfo-2.6.18-128.4.1.el5.s390x.rpm
kernel-debuginfo-common-2.6.18-128.4.1.el5.s390x.rpm
kernel-devel-2.6.18-128.4.1.el5.s390x.rpm
kernel-headers-2.6.18-128.4.1.el5.s390x.rpm
kernel-kdump-2.6.18-128.4.1.el5.s390x.rpm
kernel-kdump-debuginfo-2.6.18-128.4.1.el5.s390x.rpm
kernel-kdump-devel-2.6.18-128.4.1.el5.s390x.rpm

x86_64:
kernel-2.6.18-128.4.1.el5.x86_64.rpm
kernel-debug-2.6.18-128.4.1.el5.x86_64.rpm
kernel-debug-debuginfo-2.6.18-128.4.1.el5.x86_64.rpm
kernel-debug-devel-2.6.18-128.4.1.el5.x86_64.rpm
kernel-debuginfo-2.6.18-128.4.1.el5.x86_64.rpm
kernel-debuginfo-common-2.6.18-128.4.1.el5.x86_64.rpm
kernel-devel-2.6.18-128.4.1.el5.x86_64.rpm
kernel-headers-2.6.18-128.4.1.el5.x86_64.rpm
kernel-xen-2.6.18-128.4.1.el5.x86_64.rpm
kernel-xen-debuginfo-2.6.18-128.4.1.el5.x86_64.rpm
kernel-xen-devel-2.6.18-128.4.1.el5.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5966
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1385
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1388
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1389
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1895
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2406
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2407
http://www.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is .  More contact details at
https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.
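The upgrade instructions above name the fixed kernel version-release (2.6.18-128.4.1.el5) but give no way to confirm that a host actually carries it. That question is an EVR (epoch:version-release) comparison, the same ordering yum and rpm use to decide which of two packages with the same name is newer. The following Python is an added example, not Red Hat's or rpm's code: it reimplements rpm's segment-wise version comparison from the published algorithm (the '^' separator of newer rpm releases is not handled) and runs it over constructed sample `rpm -q` output. The function names, the sample output and the older release number it contains are assumptions of the example.

```python
"""Check installed RPM versions against an advisory's fixed EVR (added example)."""
import re

# Fixed kernel version-release from this advisory's package list.
FIXED_KERNEL_EVR = "2.6.18-128.4.1.el5"

# Constructed sample of `rpm -q kernel --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n'`
# output (rpm prints "(none)" for a missing epoch). Two kernels are installed;
# the first release number is invented and predates the fix.
SAMPLE_RPM_OUTPUT = """\
(none):2.6.18-128.1.16.el5
(none):2.6.18-128.4.1.el5
"""

# A version string is compared as a sequence of digit runs, letter runs and '~'.
_SEGMENT = re.compile(r"\d+|[A-Za-z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version (or release) strings with rpm's rules: numeric
    segments compare as integers and outrank alphabetic ones, letters compare
    lexically, and '~' sorts before anything, even the end of the string.
    Returns -1 if a < b, 0 if equal, 1 if a > b.
    (Reimplemented from rpm's published algorithm; '^' is not handled.)"""
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    while sa and sb:
        x, y = sa.pop(0), sb.pop(0)
        if x == "~" or y == "~":
            if x != y:                      # only one side has a tilde: it is older
                return 1 if y == "~" else -1
            continue                        # both tildes: skip and keep comparing
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # number beats letters
        if x.isdigit():
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):            # longer numeric string is larger
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
    if not sa and not sb:
        return 0
    if sa:                                  # a has trailing segments
        return -1 if sa[0] == "~" else 1
    return 1 if sb[0] == "~" else -1        # b has trailing segments


def parse_evr(evr: str):
    """Split 'epoch:version-release' into (epoch, version, release).
    A missing epoch, or rpm's '(none)' placeholder, counts as epoch 0."""
    epoch, sep, rest = evr.strip().partition(":")
    if not sep:
        epoch, rest = "0", epoch
    if epoch == "(none)":
        epoch = "0"
    version, _, release = rest.partition("-")
    return epoch, version, release


def evrcmp(a: str, b: str) -> int:
    """Order two EVR strings: epoch decides first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    return rpmvercmp(ea, eb) or rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def is_fixed(installed_evr: str, fixed_evr: str) -> bool:
    """True when the installed package is at or past the advisory's fixed EVR."""
    return evrcmp(installed_evr, fixed_evr) >= 0


def audit(rpm_output: str, fixed_evr: str) -> dict:
    """Map each installed EVR line from `rpm -q` output to whether it has the fix."""
    return {line.strip(): is_fixed(line, fixed_evr)
            for line in rpm_output.splitlines() if line.strip()}


if __name__ == "__main__":
    for evr, ok in audit(SAMPLE_RPM_OUTPUT, FIXED_KERNEL_EVR).items():
        print(f"{evr}: {'fixed' if ok else 'VULNERABLE'}")
    # An epoch outranks any version, so it decides which of two same-named
    # packages rpm and yum treat as newer, whatever the version strings say.
    print(evrcmp("1:1.0-1", "2.0-1"))
```

Run stand-alone, the block reports the first constructed kernel as vulnerable and the second as fixed; real `rpm -q kernel --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n'` output is handled the same way. rpm lists every installed kernel, and the one that matters is the one currently booted (`uname -r`), which is why the advisory says the system must be rebooted for the update to take effect.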
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFKeDbkXlSAg2UNWIIRAmqMAKCJKaBqvKSxjhzTPrvYnl6GoDkilgCgk75v
FQC+uctDALS7t4Z+lTcU/hQ=
=cDeA
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Thu Aug  6 21:13:44 2009
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 6 Aug 2009 17:13:44 -0400
Subject: [RHSA-2009:1199-01] Critical: java-1.5.0-sun security update
Message-ID: <200908062113.n76LDier021315@int-mx1.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: java-1.5.0-sun security update
Advisory ID:       RHSA-2009:1199-01
Product:           Red Hat Enterprise Linux Extras
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2009-1199.html
Issue date:        2009-08-06
CVE Names:         CVE-2009-2475 CVE-2009-2625 CVE-2009-2670 CVE-2009-2671
                   CVE-2009-2672 CVE-2009-2673 CVE-2009-2675 CVE-2009-2676
                   CVE-2009-2689
=====================================================================

1. Summary:

Updated java-1.5.0-sun packages that correct several security issues are now
available for Red Hat Enterprise Linux 4 Extras and 5 Supplementary.

This update has been rated as having critical security impact by the Red Hat
Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 Extras - i386, x86_64
Red Hat Desktop version 4 Extras - i386, x86_64
Red Hat Enterprise Linux ES version 4 Extras - i386, x86_64
Red Hat Enterprise Linux WS version 4 Extras - i386, x86_64
RHEL Desktop Supplementary (v. 5 client) - i386, x86_64
RHEL Supplementary (v. 5 server) - i386, x86_64

3. Description:

The Sun 1.5.0 Java release includes the Sun Java 5 Runtime Environment and
the Sun Java 5 Software Development Kit.

This update fixes several vulnerabilities in the Sun Java 5 Runtime
Environment and the Sun Java 5 Software Development Kit.
These vulnerabilities are summarized on the "Advance notification of Security
Updates for Java SE" page from Sun Microsystems, listed in the References
section. (CVE-2009-2475, CVE-2009-2625, CVE-2009-2670, CVE-2009-2671,
CVE-2009-2672, CVE-2009-2673, CVE-2009-2675, CVE-2009-2676, CVE-2009-2689)

Users of java-1.5.0-sun should upgrade to these updated packages, which
correct these issues. All running instances of Sun Java must be restarted for
the update to take effect.

4. Solution:

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red
Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

512896 - CVE-2009-2670 OpenJDK Untrusted applet System properties access (6738524)
512907 - CVE-2009-2671 CVE-2009-2672 OpenJDK Proxy mechanism information leaks (6801071)
512914 - CVE-2009-2673 OpenJDK proxy mechanism allows non-authorized socket connections (6801497)
512920 - CVE-2009-2675 Java Web Start Buffer unpack200 processing integer overflow (6830335)
512921 - CVE-2009-2625 OpenJDK XML parsing Denial-Of-Service (6845701)
513215 - CVE-2009-2475 OpenJDK information leaks in mutable variables (6588003,6656586,6656610,6656625,6657133,6657619,6657625,6657695,6660049,6660539,6813167)
513222 - CVE-2009-2689 OpenJDK JDK13Services grants unnecessary privileges (6777448)
515890 - CVE-2009-2676 JRE applet launcher vulnerability

6. Package List:

Red Hat Enterprise Linux AS version 4 Extras:

i386:
java-1.5.0-sun-1.5.0.20-1jpp.1.el4.i586.rpm
java-1.5.0-sun-demo-1.5.0.20-1jpp.1.el4.i586.rpm
java-1.5.0-sun-devel-1.5.0.20-1jpp.1.el4.i586.rpm
java-1.5.0-sun-jdbc-1.5.0.20-1jpp.1.el4.i586.rpm
java-1.5.0-sun-plugin-1.5.0.20-1jpp.1.el4.i586.rpm
java-1.5.0-sun-src-1.5.0.20-1jpp.1.el4.i586.rpm

x86_64:
java-1.5.0-sun-1.5.0.20-1jpp.1.el4.x86_64.rpm
java-1.5.0-sun-demo-1.5.0.20-1jpp.1.el4.x86_64.rpm
java-1.5.0-sun-devel-1.5.0.20-1jpp.1.el4.x86_64.rpm
java-1.5.0-sun-jdbc-1.5.0.20-1jpp.1.el4.x86_64.rpm
java-1.5.0-sun-src-1.5.0.20-1jpp.1.el4.x86_64.rpm

Red Hat Desktop version 4 Extras:

i386:
java-1.5.0-sun-1.5.0.20-1jpp.1.el4.i586.rpm
java-1.5.0-sun-demo-1.5.0.20-1jpp.1.el4.i586.rpm
java-1.5.0-sun-devel-1.5.0.20-1jpp.1.el4.i586.rpm
java-1.5.0-sun-jdbc-1.5.0.20-1jpp.1.el4.i586.rpm
java-1.5.0-sun-plugin-1.5.0.20-1jpp.1.el4.i586.rpm
java-1.5.0-sun-src-1.5.0.20-1jpp.1.el4.i586.rpm

x86_64:
java-1.5.0-sun-1.5.0.20-1jpp.1.el4.x86_64.rpm
java-1.5.0-sun-demo-1.5.0.20-1jpp.1.el4.x86_64.rpm
java-1.5.0-sun-devel-1.5.0.20-1jpp.1.el4.x86_64.rpm
java-1.5.0-sun-jdbc-1.5.0.20-1jpp.1.el4.x86_64.rpm
java-1.5.0-sun-src-1.5.0.20-1jpp.1.el4.x86_64.rpm

Red Hat Enterprise Linux ES version 4 Extras:

i386:
java-1.5.0-sun-1.5.0.20-1jpp.1.el4.i586.rpm
java-1.5.0-sun-demo-1.5.0.20-1jpp.1.el4.i586.rpm
java-1.5.0-sun-devel-1.5.0.20-1jpp.1.el4.i586.rpm
java-1.5.0-sun-jdbc-1.5.0.20-1jpp.1.el4.i586.rpm
java-1.5.0-sun-plugin-1.5.0.20-1jpp.1.el4.i586.rpm
java-1.5.0-sun-src-1.5.0.20-1jpp.1.el4.i586.rpm

x86_64:
java-1.5.0-sun-1.5.0.20-1jpp.1.el4.x86_64.rpm
java-1.5.0-sun-demo-1.5.0.20-1jpp.1.el4.x86_64.rpm
java-1.5.0-sun-devel-1.5.0.20-1jpp.1.el4.x86_64.rpm
java-1.5.0-sun-jdbc-1.5.0.20-1jpp.1.el4.x86_64.rpm
java-1.5.0-sun-src-1.5.0.20-1jpp.1.el4.x86_64.rpm

Red Hat Enterprise Linux WS version 4 Extras:

i386:
java-1.5.0-sun-1.5.0.20-1jpp.1.el4.i586.rpm
java-1.5.0-sun-demo-1.5.0.20-1jpp.1.el4.i586.rpm
java-1.5.0-sun-devel-1.5.0.20-1jpp.1.el4.i586.rpm
java-1.5.0-sun-jdbc-1.5.0.20-1jpp.1.el4.i586.rpm
java-1.5.0-sun-plugin-1.5.0.20-1jpp.1.el4.i586.rpm
java-1.5.0-sun-src-1.5.0.20-1jpp.1.el4.i586.rpm

x86_64:
java-1.5.0-sun-1.5.0.20-1jpp.1.el4.x86_64.rpm
java-1.5.0-sun-demo-1.5.0.20-1jpp.1.el4.x86_64.rpm
java-1.5.0-sun-devel-1.5.0.20-1jpp.1.el4.x86_64.rpm
java-1.5.0-sun-jdbc-1.5.0.20-1jpp.1.el4.x86_64.rpm
java-1.5.0-sun-src-1.5.0.20-1jpp.1.el4.x86_64.rpm

RHEL Desktop Supplementary (v. 5 client):

i386:
java-1.5.0-sun-1.5.0.20-1jpp.1.el5.i586.rpm
java-1.5.0-sun-demo-1.5.0.20-1jpp.1.el5.i586.rpm
java-1.5.0-sun-devel-1.5.0.20-1jpp.1.el5.i586.rpm
java-1.5.0-sun-jdbc-1.5.0.20-1jpp.1.el5.i586.rpm
java-1.5.0-sun-plugin-1.5.0.20-1jpp.1.el5.i586.rpm
java-1.5.0-sun-src-1.5.0.20-1jpp.1.el5.i586.rpm

x86_64:
java-1.5.0-sun-1.5.0.20-1jpp.1.el5.x86_64.rpm
java-1.5.0-sun-demo-1.5.0.20-1jpp.1.el5.x86_64.rpm
java-1.5.0-sun-devel-1.5.0.20-1jpp.1.el5.x86_64.rpm
java-1.5.0-sun-jdbc-1.5.0.20-1jpp.1.el5.x86_64.rpm
java-1.5.0-sun-plugin-1.5.0.20-1jpp.1.el5.i586.rpm
java-1.5.0-sun-src-1.5.0.20-1jpp.1.el5.x86_64.rpm

RHEL Supplementary (v. 5 server):

i386:
java-1.5.0-sun-1.5.0.20-1jpp.1.el5.i586.rpm
java-1.5.0-sun-demo-1.5.0.20-1jpp.1.el5.i586.rpm
java-1.5.0-sun-devel-1.5.0.20-1jpp.1.el5.i586.rpm
java-1.5.0-sun-jdbc-1.5.0.20-1jpp.1.el5.i586.rpm
java-1.5.0-sun-plugin-1.5.0.20-1jpp.1.el5.i586.rpm
java-1.5.0-sun-src-1.5.0.20-1jpp.1.el5.i586.rpm

x86_64:
java-1.5.0-sun-1.5.0.20-1jpp.1.el5.x86_64.rpm
java-1.5.0-sun-demo-1.5.0.20-1jpp.1.el5.x86_64.rpm
java-1.5.0-sun-devel-1.5.0.20-1jpp.1.el5.x86_64.rpm
java-1.5.0-sun-jdbc-1.5.0.20-1jpp.1.el5.x86_64.rpm
java-1.5.0-sun-plugin-1.5.0.20-1jpp.1.el5.i586.rpm
java-1.5.0-sun-src-1.5.0.20-1jpp.1.el5.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2475
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2625
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2670
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2671
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2672
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2673
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2675
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2676
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2689
http://www.redhat.com/security/updates/classification/#critical
http://blogs.sun.com/security/entry/advance_notification_of_security_updates5
http://sunsolve.sun.com/search/document.do?assetkey=1-21-118667-22-1

8. Contact:

The Red Hat security contact is .  More contact details at
https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFKe0d3XlSAg2UNWIIRAsKdAKC0qUuXJeiJ0PLnnwtoaskmb4XQwgCfUpYi
3MwyMeGAKqUUavoi1uQ8gqY=
=WLM4
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Thu Aug  6 21:24:49 2009
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 6 Aug 2009 17:24:49 -0400
Subject: [RHSA-2009:1200-01] Critical: java-1.6.0-sun security update
Message-ID: <200908062124.n76LOnVL028335@int-mx1.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: java-1.6.0-sun security update
Advisory ID:       RHSA-2009:1200-01
Product:           Red Hat Enterprise Linux Extras
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2009-1200.html
Issue date:        2009-08-06
CVE Names:         CVE-2009-0217 CVE-2009-2475 CVE-2009-2476 CVE-2009-2625
                   CVE-2009-2670 CVE-2009-2671 CVE-2009-2672 CVE-2009-2673
                   CVE-2009-2674 CVE-2009-2675 CVE-2009-2676 CVE-2009-2690
=====================================================================

1. Summary:

Updated java-1.6.0-sun packages that correct several security issues are now
available for Red Hat Enterprise Linux 4 Extras and 5 Supplementary.

This update has been rated as having critical security impact by the Red Hat
Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 Extras - i386, x86_64
Red Hat Desktop version 4 Extras - i386, x86_64
Red Hat Enterprise Linux ES version 4 Extras - i386, x86_64
Red Hat Enterprise Linux WS version 4 Extras - i386, x86_64
RHEL Desktop Supplementary (v. 5 client) - i386, x86_64
RHEL Supplementary (v. 5 server) - i386, x86_64

3. Description:

The Sun 1.6.0 Java release includes the Sun Java 6 Runtime Environment and
the Sun Java 6 Software Development Kit.

This update fixes several vulnerabilities in the Sun Java 6 Runtime
Environment and the Sun Java 6 Software Development Kit. These
vulnerabilities are summarized on the "Advance notification of Security
Updates for Java SE" page from Sun Microsystems, listed in the References
section. (CVE-2009-0217, CVE-2009-2475, CVE-2009-2476, CVE-2009-2625,
CVE-2009-2670, CVE-2009-2671, CVE-2009-2672, CVE-2009-2673, CVE-2009-2674,
CVE-2009-2675, CVE-2009-2676, CVE-2009-2690)

Users of java-1.6.0-sun should upgrade to these updated packages, which
correct these issues. All running instances of Sun Java must be restarted for
the update to take effect.

4. Solution:

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red
Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

511915 - CVE-2009-0217 xmlsec1, mono, xml-security-c, xml-security-1.3.0-1jpp.ep1.*: XMLDsig HMAC-based signatures spoofing and authentication bypass
512896 - CVE-2009-2670 OpenJDK Untrusted applet System properties access (6738524)
512907 - CVE-2009-2671 CVE-2009-2672 OpenJDK Proxy mechanism information leaks (6801071)
512914 - CVE-2009-2673 OpenJDK proxy mechanism allows non-authorized socket connections (6801497)
512915 - CVE-2009-2674 Java Web Start Buffer JPEG processing integer overflow (6823373)
512920 - CVE-2009-2675 Java Web Start Buffer unpack200 processing integer overflow (6830335)
512921 - CVE-2009-2625 OpenJDK XML parsing Denial-Of-Service (6845701)
513215 - CVE-2009-2475 OpenJDK information leaks in mutable variables (6588003,6656586,6656610,6656625,6657133,6657619,6657625,6657695,6660049,6660539,6813167)
513220 - CVE-2009-2476 OpenJDK OpenType checks can be bypassed (6736293)
513223 - CVE-2009-2690 OpenJDK private variable information disclosure (6777487)
515890 - CVE-2009-2676 JRE applet launcher vulnerability

6. Package List:

Red Hat Enterprise Linux AS version 4 Extras:

i386:
java-1.6.0-sun-1.6.0.15-1jpp.1.el4.i586.rpm
java-1.6.0-sun-demo-1.6.0.15-1jpp.1.el4.i586.rpm
java-1.6.0-sun-devel-1.6.0.15-1jpp.1.el4.i586.rpm
java-1.6.0-sun-jdbc-1.6.0.15-1jpp.1.el4.i586.rpm
java-1.6.0-sun-plugin-1.6.0.15-1jpp.1.el4.i586.rpm
java-1.6.0-sun-src-1.6.0.15-1jpp.1.el4.i586.rpm

x86_64:
java-1.6.0-sun-1.6.0.15-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.15-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.15-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.15-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-plugin-1.6.0.15-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-src-1.6.0.15-1jpp.1.el4.x86_64.rpm

Red Hat Desktop version 4 Extras:

i386:
java-1.6.0-sun-1.6.0.15-1jpp.1.el4.i586.rpm
java-1.6.0-sun-demo-1.6.0.15-1jpp.1.el4.i586.rpm
java-1.6.0-sun-devel-1.6.0.15-1jpp.1.el4.i586.rpm
java-1.6.0-sun-jdbc-1.6.0.15-1jpp.1.el4.i586.rpm
java-1.6.0-sun-plugin-1.6.0.15-1jpp.1.el4.i586.rpm
java-1.6.0-sun-src-1.6.0.15-1jpp.1.el4.i586.rpm

x86_64:
java-1.6.0-sun-1.6.0.15-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.15-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.15-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.15-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-plugin-1.6.0.15-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-src-1.6.0.15-1jpp.1.el4.x86_64.rpm

Red Hat Enterprise Linux ES version 4 Extras:

i386:
java-1.6.0-sun-1.6.0.15-1jpp.1.el4.i586.rpm
java-1.6.0-sun-demo-1.6.0.15-1jpp.1.el4.i586.rpm
java-1.6.0-sun-devel-1.6.0.15-1jpp.1.el4.i586.rpm
java-1.6.0-sun-jdbc-1.6.0.15-1jpp.1.el4.i586.rpm
java-1.6.0-sun-plugin-1.6.0.15-1jpp.1.el4.i586.rpm
java-1.6.0-sun-src-1.6.0.15-1jpp.1.el4.i586.rpm

x86_64:
java-1.6.0-sun-1.6.0.15-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.15-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.15-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.15-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-plugin-1.6.0.15-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-src-1.6.0.15-1jpp.1.el4.x86_64.rpm

Red Hat Enterprise Linux WS version 4 Extras:

i386:
java-1.6.0-sun-1.6.0.15-1jpp.1.el4.i586.rpm
java-1.6.0-sun-demo-1.6.0.15-1jpp.1.el4.i586.rpm
java-1.6.0-sun-devel-1.6.0.15-1jpp.1.el4.i586.rpm
java-1.6.0-sun-jdbc-1.6.0.15-1jpp.1.el4.i586.rpm
java-1.6.0-sun-plugin-1.6.0.15-1jpp.1.el4.i586.rpm
java-1.6.0-sun-src-1.6.0.15-1jpp.1.el4.i586.rpm

x86_64:
java-1.6.0-sun-1.6.0.15-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.15-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.15-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.15-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-plugin-1.6.0.15-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-src-1.6.0.15-1jpp.1.el4.x86_64.rpm

RHEL Desktop Supplementary (v. 5 client):

i386:
java-1.6.0-sun-1.6.0.15-1jpp.1.el5.i586.rpm
java-1.6.0-sun-demo-1.6.0.15-1jpp.1.el5.i586.rpm
java-1.6.0-sun-devel-1.6.0.15-1jpp.1.el5.i586.rpm
java-1.6.0-sun-jdbc-1.6.0.15-1jpp.1.el5.i586.rpm
java-1.6.0-sun-plugin-1.6.0.15-1jpp.1.el5.i586.rpm
java-1.6.0-sun-src-1.6.0.15-1jpp.1.el5.i586.rpm

x86_64:
java-1.6.0-sun-1.6.0.15-1jpp.1.el5.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.15-1jpp.1.el5.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.15-1jpp.1.el5.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.15-1jpp.1.el5.x86_64.rpm
java-1.6.0-sun-plugin-1.6.0.15-1jpp.1.el5.i586.rpm
java-1.6.0-sun-plugin-1.6.0.15-1jpp.1.el5.x86_64.rpm
java-1.6.0-sun-src-1.6.0.15-1jpp.1.el5.x86_64.rpm

RHEL Supplementary (v. 5 server):

i386:
java-1.6.0-sun-1.6.0.15-1jpp.1.el5.i586.rpm
java-1.6.0-sun-demo-1.6.0.15-1jpp.1.el5.i586.rpm
java-1.6.0-sun-devel-1.6.0.15-1jpp.1.el5.i586.rpm
java-1.6.0-sun-jdbc-1.6.0.15-1jpp.1.el5.i586.rpm
java-1.6.0-sun-plugin-1.6.0.15-1jpp.1.el5.i586.rpm
java-1.6.0-sun-src-1.6.0.15-1jpp.1.el5.i586.rpm

x86_64:
java-1.6.0-sun-1.6.0.15-1jpp.1.el5.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.15-1jpp.1.el5.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.15-1jpp.1.el5.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.15-1jpp.1.el5.x86_64.rpm
java-1.6.0-sun-plugin-1.6.0.15-1jpp.1.el5.i586.rpm
java-1.6.0-sun-plugin-1.6.0.15-1jpp.1.el5.x86_64.rpm
java-1.6.0-sun-src-1.6.0.15-1jpp.1.el5.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0217
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2475
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2476
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2625
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2670
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2671
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2672
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2673
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2674
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2675
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2676
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2690
http://www.redhat.com/security/updates/classification/#critical
http://blogs.sun.com/security/entry/advance_notification_of_security_updates5
http://sunsolve.sun.com/search/document.do?assetkey=1-21-125139-16-1

8. Contact:

The Red Hat security contact is .  More contact details at
https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.
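CVE-2009-0217, listed in this advisory's CVE Names and as bug 511915 above ("XMLDsig HMAC-based signatures spoofing and authentication bypass"), is in its public description the case of XML Signature verifiers honouring an HMACOutputLength truncation chosen by the signature itself, down to a handful of bits; the advisory text gives no further detail. The following Python is an added example, not code from the advisory, the JRE or xmlsec: it models a verifier that enforces a floor on the requested truncation length before it compares anything. The floor (half the digest length and at least 80 bits), the bit-truncation convention, the key, message and function names are this example's own assumptions.

```python
"""Verifier-side floor on HMAC truncation length (added example, not JRE or xmlsec code)."""
import hashlib
import hmac
from typing import Optional

# Policy assumed by this example: a signature may ask for a truncated HMAC
# (XMLDSig's HMACOutputLength, "use the leftmost N bits"), but never fewer
# than half the digest length and never fewer than 80 bits.
ABSOLUTE_MIN_BITS = 80


class TruncationTooShort(ValueError):
    """The signature requested fewer HMAC output bits than policy allows."""


def digest_bits(digest_name: str) -> int:
    """Full output length of the named hash, in bits (sha1 -> 160)."""
    return hashlib.new(digest_name).digest_size * 8


def min_output_bits(digest_name: str) -> int:
    """Smallest truncation length this verifier will honour for the given hash."""
    return max(digest_bits(digest_name) // 2, ABSOLUTE_MIN_BITS)


def truncate_bits(mac: bytes, out_bits: int) -> bytes:
    """Keep the leftmost out_bits of mac; unused low-order bits of the final
    byte are zeroed (this example's convention for non-byte-aligned lengths)."""
    n_bytes = (out_bits + 7) // 8
    head = bytearray(mac[:n_bytes])
    spare = n_bytes * 8 - out_bits
    if spare:
        head[-1] &= (0xFF << spare) & 0xFF
    return bytes(head)


def sign(key: bytes, message: bytes, digest_name: str = "sha1",
         output_bits: Optional[int] = None) -> bytes:
    """HMAC the message, optionally truncated to output_bits (signer side)."""
    mac = hmac.new(key, message, digest_name).digest()
    return mac if output_bits is None else truncate_bits(mac, output_bits)


def verify(key: bytes, message: bytes, tag: bytes, digest_name: str = "sha1",
           output_bits: Optional[int] = None, enforce_policy: bool = True) -> bool:
    """Constant-time check of tag against HMAC(key, message) truncated to output_bits.

    enforce_policy=True is the hardened behaviour: a requested length below
    min_output_bits() is refused before any comparison happens.
    enforce_policy=False models the unpatched behaviour this advisory fixes:
    whatever length the signature names is honoured, so the comparison can
    shrink to a few bits that a guessed tag has a fair chance of matching.
    """
    full = digest_bits(digest_name)
    if output_bits is None:
        output_bits = full
    if not 0 < output_bits <= full:
        raise ValueError(f"output length {output_bits} outside 1..{full} bits")
    if enforce_policy and output_bits < min_output_bits(digest_name):
        raise TruncationTooShort(
            f"{output_bits}-bit HMAC output refused; policy floor is "
            f"{min_output_bits(digest_name)} bits for {digest_name}")
    expected = truncate_bits(hmac.new(key, message, digest_name).digest(), output_bits)
    return hmac.compare_digest(expected, tag)


def accepts_output_length(digest_name: str, output_bits: int,
                          enforce_policy: bool = True) -> bool:
    """Probe: would verify() even consider a signature of this output length?"""
    try:
        verify(b"probe-key", b"probe-message", b"", digest_name, output_bits, enforce_policy)
    except ValueError:  # TruncationTooShort is a ValueError too
        return False
    return True


if __name__ == "__main__":
    key, msg = b"constructed-shared-secret", b"<Envelope>transfer 42</Envelope>"
    print(verify(key, msg, sign(key, msg)))                        # True
    print(verify(key, msg + b"!", sign(key, msg)))                 # False: tampered
    print(accepts_output_length("sha1", 1))                        # False: refused by policy
    print(accepts_output_length("sha1", 1, enforce_policy=False))  # True: unpatched behaviour
```

The `enforce_policy=False` path exists only to show what the check prevents: with it, a signature is free to name a one-bit output length and the comparison collapses to a coin flip regardless of the key. Where a verifier cannot express such a floor, the safer option is to ignore the signature's requested length entirely and always compare the full digest.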
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFKe0oPXlSAg2UNWIIRAjdSAKC/zjSFNl42OlmTSOV2J61XMuTzBQCgs+nd
hq9eb3IusiIFflg8S6C0Q/M=
=mLL7
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Thu Aug  6 21:25:19 2009
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 6 Aug 2009 17:25:19 -0400
Subject: [RHSA-2009:1201-01] Important: java-1.6.0-openjdk security and bug fix update
Message-ID: <200908062125.n76LPJYI029272@int-mx1.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: java-1.6.0-openjdk security and bug fix update
Advisory ID:       RHSA-2009:1201-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2009-1201.html
Issue date:        2009-08-06
CVE Names:         CVE-2009-0217 CVE-2009-2475 CVE-2009-2476 CVE-2009-2625
                   CVE-2009-2670 CVE-2009-2671 CVE-2009-2672 CVE-2009-2673
                   CVE-2009-2674 CVE-2009-2675 CVE-2009-2689 CVE-2009-2690
=====================================================================

1. Summary:

Updated java-1.6.0-openjdk packages that fix several security issues and a
bug are now available for Red Hat Enterprise Linux 5.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, x86_64

3. Description:

These packages provide the OpenJDK 6 Java Runtime Environment and the
OpenJDK 6 Software Development Kit. The Java Runtime Environment (JRE)
contains the software and tools that users need to run applications written
using the Java programming language.

A flaw was found in the way the XML Digital Signature implementation in the
JRE handled HMAC-based XML signatures.
An attacker could use this flaw to create a crafted signature that could
allow them to bypass authentication, or trick a user, applet, or application
into accepting untrusted content. (CVE-2009-0217)

Several potential information leaks were found in various mutable static
variables. These could be exploited in application scenarios that execute
untrusted scripting code. (CVE-2009-2475)

It was discovered that OpenType checks can be bypassed. This could allow a
rogue application to bypass access restrictions by acquiring references to
privileged objects through finalizer resurrection. (CVE-2009-2476)

A denial of service flaw was found in the way the JRE processes XML. A remote
attacker could use this flaw to supply crafted XML that would lead to a
denial of service. (CVE-2009-2625)

A flaw was found in the JRE audio system. An untrusted applet or application
could use this flaw to gain read access to restricted System properties.
(CVE-2009-2670)

Two flaws were found in the JRE proxy implementation. An untrusted applet or
application could use these flaws to discover the usernames of users running
applets and applications, or obtain web browser cookies and use them for
session hijacking attacks. (CVE-2009-2671, CVE-2009-2672)

An additional flaw was found in the proxy mechanism implementation. This flaw
allowed an untrusted applet or application to bypass access restrictions and
communicate using non-authorized socket or URL connections to hosts other
than the origin host. (CVE-2009-2673)

An integer overflow flaw was found in the way the JRE processes JPEG images.
An untrusted application could use this flaw to extend its privileges,
allowing it to read and write local files, as well as to execute local
applications with the privileges of the user running the application.
(CVE-2009-2674)

An integer overflow flaw was found in the JRE unpack200 functionality.
An untrusted applet or application could extend its privileges, allowing it to read and write local files, as well as to execute local applications with the privileges of the user running the applet or application. (CVE-2009-2675) It was discovered that JDK13Services grants unnecessary privileges to certain object types. This could be misused by an untrusted applet or application to use otherwise restricted functionality. (CVE-2009-2689) An information disclosure flaw was found in the way private Java variables were handled. An untrusted applet or application could use this flaw to obtain information from variables that would otherwise be private. (CVE-2009-2690) Note: The flaws concerning applets in this advisory, CVE-2009-2475, CVE-2009-2670, CVE-2009-2671, CVE-2009-2672, CVE-2009-2673, CVE-2009-2675, CVE-2009-2689, and CVE-2009-2690, can only be triggered in java-1.6.0-openjdk by calling the "appletviewer" application. This update also fixes the following bug: * the EVR in the java-1.6.0-openjdk package as shipped with Red Hat Enterprise Linux allowed the java-1.6.0-openjdk package from the EPEL repository to take precedence (appear newer). Users using java-1.6.0-openjdk from EPEL would not have received security updates since October 2008. This update prevents the packages from EPEL from taking precedence. (BZ#499079) All users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect. 4. Solution: Before applying this update, make sure that all previously-released errata relevant to your system have been applied. This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259 5. 
Bugs fixed (http://bugzilla.redhat.com/): 499079 - Bad EVR 511915 - CVE-2009-0217 xmlsec1, mono, xml-security-c, xml-security-1.3.0-1jpp.ep1.*: XMLDsig HMAC-based signatures spoofing and authentication bypass 512896 - CVE-2009-2670 OpenJDK Untrusted applet System properties access (6738524) 512907 - CVE-2009-2671 CVE-2009-2672 OpenJDK Proxy mechanism information leaks (6801071) 512914 - CVE-2009-2673 OpenJDK proxy mechanism allows non-authorized socket connections (6801497) 512915 - CVE-2009-2674 Java Web Start Buffer JPEG processing integer overflow (6823373) 512920 - CVE-2009-2675 Java Web Start Buffer unpack200 processing integer overflow (6830335) 512921 - CVE-2009-2625 OpenJDK XML parsing Denial-Of-Service (6845701) 513215 - CVE-2009-2475 OpenJDK information leaks in mutable variables (6588003,6656586,6656610,6656625,6657133,6657619,6657625,6657695,6660049,6660539,6813167) 513220 - CVE-2009-2476 OpenJDK OpenType checks can be bypassed (6736293) 513222 - CVE-2009-2689 OpenJDK JDK13Services grants unnecessary privileges (6777448) 513223 - CVE-2009-2690 OpenJDK private variable information disclosure (6777487) 6. Package List: Red Hat Enterprise Linux Desktop (v. 
5 client): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/java-1.6.0-openjdk-1.6.0.0-1.2.b09.el5.src.rpm i386: java-1.6.0-openjdk-1.6.0.0-1.2.b09.el5.i386.rpm java-1.6.0-openjdk-debuginfo-1.6.0.0-1.2.b09.el5.i386.rpm java-1.6.0-openjdk-demo-1.6.0.0-1.2.b09.el5.i386.rpm java-1.6.0-openjdk-devel-1.6.0.0-1.2.b09.el5.i386.rpm java-1.6.0-openjdk-javadoc-1.6.0.0-1.2.b09.el5.i386.rpm java-1.6.0-openjdk-src-1.6.0.0-1.2.b09.el5.i386.rpm x86_64: java-1.6.0-openjdk-1.6.0.0-1.2.b09.el5.x86_64.rpm java-1.6.0-openjdk-debuginfo-1.6.0.0-1.2.b09.el5.x86_64.rpm java-1.6.0-openjdk-demo-1.6.0.0-1.2.b09.el5.x86_64.rpm java-1.6.0-openjdk-devel-1.6.0.0-1.2.b09.el5.x86_64.rpm java-1.6.0-openjdk-javadoc-1.6.0.0-1.2.b09.el5.x86_64.rpm java-1.6.0-openjdk-src-1.6.0.0-1.2.b09.el5.x86_64.rpm Red Hat Enterprise Linux (v. 5 server): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/java-1.6.0-openjdk-1.6.0.0-1.2.b09.el5.src.rpm i386: java-1.6.0-openjdk-1.6.0.0-1.2.b09.el5.i386.rpm java-1.6.0-openjdk-debuginfo-1.6.0.0-1.2.b09.el5.i386.rpm java-1.6.0-openjdk-demo-1.6.0.0-1.2.b09.el5.i386.rpm java-1.6.0-openjdk-devel-1.6.0.0-1.2.b09.el5.i386.rpm java-1.6.0-openjdk-javadoc-1.6.0.0-1.2.b09.el5.i386.rpm java-1.6.0-openjdk-src-1.6.0.0-1.2.b09.el5.i386.rpm x86_64: java-1.6.0-openjdk-1.6.0.0-1.2.b09.el5.x86_64.rpm java-1.6.0-openjdk-debuginfo-1.6.0.0-1.2.b09.el5.x86_64.rpm java-1.6.0-openjdk-demo-1.6.0.0-1.2.b09.el5.x86_64.rpm java-1.6.0-openjdk-devel-1.6.0.0-1.2.b09.el5.x86_64.rpm java-1.6.0-openjdk-javadoc-1.6.0.0-1.2.b09.el5.x86_64.rpm java-1.6.0-openjdk-src-1.6.0.0-1.2.b09.el5.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package 7. 
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0217 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2475 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2476 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2625 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2670 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2671 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2672 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2673 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2674 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2675 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2689 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2690 http://www.redhat.com/security/updates/classification/#important http://blogs.sun.com/security/entry/advance_notification_of_security_updates5 8. Contact: The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/ Copyright 2009 Red Hat, Inc. 
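The "Bad EVR" bug (BZ#499079) in the advisory above comes down to how RPM orders epoch-version-release strings: whichever enabled repository carries the highest EVR wins, so a third-party build can silently replace the vendor's security stream. The following is an added example, not part of the advisory or of Red Hat's tooling: a Python port of rpm's rpmvercmp() segment comparison plus an EVR label compare, run over the advisory's real updated EVR and two constructed EVRs (a hypothetical pre-update RHEL release and a hypothetical EPEL release) to show which repository's build a depsolver would pick.

```python
import functools
from typing import Dict, Tuple


def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp(): -1 if a is older than b, 0 if equal, 1 if newer.

    Both strings are cut into runs of digits and runs of letters; separators
    are ignored. Digit runs compare numerically, letter runs lexically, a digit
    run beats a letter run, '~' sorts before everything (even end of string),
    and whichever side has segments left over is the newer one.
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # separators such as '.', '-' or '_' carry no ordering information
        while i < len(a) and not a[i].isalnum() and a[i] != "~":
            i += 1
        while j < len(b) and not b[j].isalnum() and b[j] != "~":
            j += 1
        tilde_a = i < len(a) and a[i] == "~"
        tilde_b = j < len(b) and b[j] == "~"
        if tilde_a or tilde_b:
            if not tilde_a:
                return 1
            if not tilde_b:
                return -1
            i += 1
            j += 1
            continue
        if i >= len(a) or j >= len(b):
            break
        # the type of the next segment is decided by the left-hand string
        isnum = a[i].isdigit()
        same_kind = str.isdigit if isnum else str.isalpha
        start_a, start_b = i, j
        while i < len(a) and same_kind(a[i]):
            i += 1
        while j < len(b) and same_kind(b[j]):
            j += 1
        seg_a, seg_b = a[start_a:i], b[start_b:j]
        if not seg_b:
            # the sides start different segment kinds: numeric counts as newer
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def split_evr(evr: str) -> Tuple[str, str, str]:
    """Split 'epoch:version-release' into its parts; a missing epoch is '0'."""
    epoch, rest = evr.split(":", 1) if ":" in evr else ("0", evr)
    version, _, release = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return epoch, version, release


def label_compare(evr_a: str, evr_b: str) -> int:
    """Compare two EVRs the way rpm does: epoch first, then version, then release."""
    for part_a, part_b in zip(split_evr(evr_a), split_evr(evr_b)):
        rc = rpmvercmp(part_a, part_b)
        if rc:
            return rc
    return 0


def winning_repo(candidates: Dict[str, str]) -> str:
    """Return the repository whose package a depsolver would install (highest EVR)."""
    by_evr = functools.cmp_to_key(lambda r1, r2: label_compare(candidates[r1], candidates[r2]))
    return max(candidates, key=by_evr)


# EVR of the updated package as listed in the advisory (real value)
RHEL_UPDATED = "1.6.0.0-1.2.b09.el5"
# Constructed, hypothetical EVRs used only to illustrate the precedence problem
RHEL_BEFORE = "1.6.0.0-0.30.b09.el5"   # hypothetical pre-update RHEL release
EPEL_BUILD = "1.6.0.0-0.31.b09.el5"    # hypothetical EPEL release

if __name__ == "__main__":
    print("before update:", winning_repo({"rhel": RHEL_BEFORE, "epel": EPEL_BUILD}))
    print("after update: ", winning_repo({"rhel": RHEL_UPDATED, "epel": EPEL_BUILD}))
```

The same comparison can be run against real installed data with `rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n' java-1.6.0-openjdk` on a host, which is the quickest way to confirm which repository's build is actually installed.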
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFKe0oyXlSAg2UNWIIRAlACAJ4oyw4TtlbYtFO8/FURlIHFjbOwwgCeIl2+
WO/yubSPNiMYUFoh3jc/+ng=
=jupm
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Thu Aug  6 21:33:10 2009
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 6 Aug 2009 17:33:10 -0400
Subject: [RHSA-2009:1198-02] Critical: java-1.6.0-ibm security update
Message-ID: <200908062133.n76LXAJG001372@int-mx1.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: java-1.6.0-ibm security update
Advisory ID:       RHSA-2009:1198-02
Product:           Red Hat Enterprise Linux Extras
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2009-1198.html
Issue date:        2009-08-06
CVE Names:         CVE-2009-1093 CVE-2009-1094 CVE-2009-1095 CVE-2009-1096
                   CVE-2009-1097 CVE-2009-1098 CVE-2009-1099 CVE-2009-1100
                   CVE-2009-1101 CVE-2009-1103 CVE-2009-1104 CVE-2009-1105
                   CVE-2009-1106 CVE-2009-1107
=====================================================================

1. Summary:

Updated java-1.6.0-ibm packages that fix several security issues are now
available for Red Hat Enterprise Linux 4 Extras and 5 Supplementary.

This update has been rated as having critical security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 Extras - i386, ppc, s390, s390x, x86_64
Red Hat Desktop version 4 Extras - i386, x86_64
Red Hat Enterprise Linux ES version 4 Extras - i386, x86_64
Red Hat Enterprise Linux WS version 4 Extras - i386, x86_64
RHEL Desktop Supplementary (v. 5 client) - i386, x86_64
RHEL Supplementary (v. 5 server) - i386, ppc, s390x, x86_64

3. Description:

The IBM 1.6.0 Java release includes the IBM Java 2 Runtime Environment and
the IBM Java 2 Software Development Kit.

This update fixes several vulnerabilities in the IBM Java 2 Runtime
Environment and the IBM Java 2 Software Development Kit. These
vulnerabilities are summarized on the IBM "Security alerts" page listed in
the References section. (CVE-2009-1093, CVE-2009-1094, CVE-2009-1095,
CVE-2009-1096, CVE-2009-1097, CVE-2009-1098, CVE-2009-1099, CVE-2009-1100,
CVE-2009-1101, CVE-2009-1103, CVE-2009-1104, CVE-2009-1105, CVE-2009-1106,
CVE-2009-1107)

All users of java-1.6.0-ibm are advised to upgrade to these updated
packages, containing the IBM 1.6.0 SR5 Java release. All running instances
of IBM Java must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red
Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

490166 - CVE-2009-1101 OpenJDK JAX-WS service endpoint remote Denial-of-Service (6630639)
490167 - CVE-2009-1093 OpenJDK remote LDAP Denial-Of-Service (6717680)
490168 - CVE-2009-1094 OpenJDK LDAP client remote code execution (6737315)
490169 - CVE-2009-1095 CVE-2009-1096 OpenJDK Pack200 Buffer overflow vulnerability (6792554)
490174 - CVE-2009-1097 OpenJDK PNG processing buffer overflow vulnerability (6804996)
490178 - CVE-2009-1098 OpenJDK GIF processing buffer overflow vulnerability (6804998)
492302 - CVE-2009-1099 OpenJDK: Type1 font processing buffer overflow vulnerability
492305 - CVE-2009-1100 OpenJDK: DoS (disk consumption) via handling of temporary font files
492306 - CVE-2009-1103 OpenJDK: Files disclosure, arbitrary code execution via "deserializing applets" (6646860)
492308 - CVE-2009-1104 OpenJDK: Intended access restrictions bypass via LiveConnect (6724331)
492309 - CVE-2009-1105 OpenJDK: Possibility of trusted applet run in older, vulnerable version of JRE (6706490)
492310 - CVE-2009-1106 OpenJDK: Improper parsing of crossdomain.xml files (intended access restriction bypass) (6798948)
492312 - CVE-2009-1107 OpenJDK: Signed applet remote misuse possibility (6782871)

6. Package List:

Red Hat Enterprise Linux AS version 4 Extras:

i386:
java-1.6.0-ibm-1.6.0.5-1jpp.1.el4.i386.rpm
java-1.6.0-ibm-demo-1.6.0.5-1jpp.1.el4.i386.rpm
java-1.6.0-ibm-devel-1.6.0.5-1jpp.1.el4.i386.rpm
java-1.6.0-ibm-javacomm-1.6.0.5-1jpp.1.el4.i386.rpm
java-1.6.0-ibm-jdbc-1.6.0.5-1jpp.1.el4.i386.rpm
java-1.6.0-ibm-plugin-1.6.0.5-1jpp.1.el4.i386.rpm
java-1.6.0-ibm-src-1.6.0.5-1jpp.1.el4.i386.rpm

ppc:
java-1.6.0-ibm-1.6.0.5-1jpp.1.el4.ppc.rpm
java-1.6.0-ibm-1.6.0.5-1jpp.1.el4.ppc64.rpm
java-1.6.0-ibm-demo-1.6.0.5-1jpp.1.el4.ppc.rpm
java-1.6.0-ibm-demo-1.6.0.5-1jpp.1.el4.ppc64.rpm
java-1.6.0-ibm-devel-1.6.0.5-1jpp.1.el4.ppc.rpm
java-1.6.0-ibm-devel-1.6.0.5-1jpp.1.el4.ppc64.rpm
java-1.6.0-ibm-javacomm-1.6.0.5-1jpp.1.el4.ppc.rpm
java-1.6.0-ibm-javacomm-1.6.0.5-1jpp.1.el4.ppc64.rpm
java-1.6.0-ibm-jdbc-1.6.0.5-1jpp.1.el4.ppc.rpm
java-1.6.0-ibm-jdbc-1.6.0.5-1jpp.1.el4.ppc64.rpm
java-1.6.0-ibm-plugin-1.6.0.5-1jpp.1.el4.ppc.rpm
java-1.6.0-ibm-src-1.6.0.5-1jpp.1.el4.ppc.rpm
java-1.6.0-ibm-src-1.6.0.5-1jpp.1.el4.ppc64.rpm

s390:
java-1.6.0-ibm-1.6.0.5-1jpp.1.el4.s390.rpm
java-1.6.0-ibm-demo-1.6.0.5-1jpp.1.el4.s390.rpm
java-1.6.0-ibm-devel-1.6.0.5-1jpp.1.el4.s390.rpm
java-1.6.0-ibm-jdbc-1.6.0.5-1jpp.1.el4.s390.rpm
java-1.6.0-ibm-src-1.6.0.5-1jpp.1.el4.s390.rpm

s390x:
java-1.6.0-ibm-1.6.0.5-1jpp.1.el4.s390x.rpm
java-1.6.0-ibm-demo-1.6.0.5-1jpp.1.el4.s390x.rpm
java-1.6.0-ibm-devel-1.6.0.5-1jpp.1.el4.s390x.rpm
java-1.6.0-ibm-jdbc-1.6.0.5-1jpp.1.el4.s390x.rpm
java-1.6.0-ibm-src-1.6.0.5-1jpp.1.el4.s390x.rpm

x86_64:
java-1.6.0-ibm-1.6.0.5-1jpp.1.el4.x86_64.rpm
java-1.6.0-ibm-demo-1.6.0.5-1jpp.1.el4.x86_64.rpm
java-1.6.0-ibm-devel-1.6.0.5-1jpp.1.el4.x86_64.rpm
java-1.6.0-ibm-javacomm-1.6.0.5-1jpp.1.el4.x86_64.rpm
java-1.6.0-ibm-jdbc-1.6.0.5-1jpp.1.el4.x86_64.rpm
java-1.6.0-ibm-src-1.6.0.5-1jpp.1.el4.x86_64.rpm

Red Hat Desktop version 4 Extras:

i386:
java-1.6.0-ibm-1.6.0.5-1jpp.1.el4.i386.rpm
java-1.6.0-ibm-demo-1.6.0.5-1jpp.1.el4.i386.rpm
java-1.6.0-ibm-devel-1.6.0.5-1jpp.1.el4.i386.rpm
java-1.6.0-ibm-javacomm-1.6.0.5-1jpp.1.el4.i386.rpm
java-1.6.0-ibm-jdbc-1.6.0.5-1jpp.1.el4.i386.rpm
java-1.6.0-ibm-plugin-1.6.0.5-1jpp.1.el4.i386.rpm
java-1.6.0-ibm-src-1.6.0.5-1jpp.1.el4.i386.rpm

x86_64:
java-1.6.0-ibm-1.6.0.5-1jpp.1.el4.x86_64.rpm
java-1.6.0-ibm-demo-1.6.0.5-1jpp.1.el4.x86_64.rpm
java-1.6.0-ibm-devel-1.6.0.5-1jpp.1.el4.x86_64.rpm
java-1.6.0-ibm-javacomm-1.6.0.5-1jpp.1.el4.x86_64.rpm
java-1.6.0-ibm-jdbc-1.6.0.5-1jpp.1.el4.x86_64.rpm
java-1.6.0-ibm-src-1.6.0.5-1jpp.1.el4.x86_64.rpm

Red Hat Enterprise Linux ES version 4 Extras:

i386:
java-1.6.0-ibm-1.6.0.5-1jpp.1.el4.i386.rpm
java-1.6.0-ibm-demo-1.6.0.5-1jpp.1.el4.i386.rpm
java-1.6.0-ibm-devel-1.6.0.5-1jpp.1.el4.i386.rpm
java-1.6.0-ibm-javacomm-1.6.0.5-1jpp.1.el4.i386.rpm
java-1.6.0-ibm-jdbc-1.6.0.5-1jpp.1.el4.i386.rpm
java-1.6.0-ibm-plugin-1.6.0.5-1jpp.1.el4.i386.rpm
java-1.6.0-ibm-src-1.6.0.5-1jpp.1.el4.i386.rpm

x86_64:
java-1.6.0-ibm-1.6.0.5-1jpp.1.el4.x86_64.rpm
java-1.6.0-ibm-demo-1.6.0.5-1jpp.1.el4.x86_64.rpm
java-1.6.0-ibm-devel-1.6.0.5-1jpp.1.el4.x86_64.rpm
java-1.6.0-ibm-javacomm-1.6.0.5-1jpp.1.el4.x86_64.rpm
java-1.6.0-ibm-jdbc-1.6.0.5-1jpp.1.el4.x86_64.rpm
java-1.6.0-ibm-src-1.6.0.5-1jpp.1.el4.x86_64.rpm

Red Hat Enterprise Linux WS version 4 Extras:

i386:
java-1.6.0-ibm-1.6.0.5-1jpp.1.el4.i386.rpm
java-1.6.0-ibm-demo-1.6.0.5-1jpp.1.el4.i386.rpm
java-1.6.0-ibm-devel-1.6.0.5-1jpp.1.el4.i386.rpm
java-1.6.0-ibm-javacomm-1.6.0.5-1jpp.1.el4.i386.rpm
java-1.6.0-ibm-jdbc-1.6.0.5-1jpp.1.el4.i386.rpm
java-1.6.0-ibm-plugin-1.6.0.5-1jpp.1.el4.i386.rpm
java-1.6.0-ibm-src-1.6.0.5-1jpp.1.el4.i386.rpm

x86_64:
java-1.6.0-ibm-1.6.0.5-1jpp.1.el4.x86_64.rpm
java-1.6.0-ibm-demo-1.6.0.5-1jpp.1.el4.x86_64.rpm
java-1.6.0-ibm-devel-1.6.0.5-1jpp.1.el4.x86_64.rpm
java-1.6.0-ibm-javacomm-1.6.0.5-1jpp.1.el4.x86_64.rpm
java-1.6.0-ibm-jdbc-1.6.0.5-1jpp.1.el4.x86_64.rpm
java-1.6.0-ibm-src-1.6.0.5-1jpp.1.el4.x86_64.rpm

RHEL Desktop Supplementary (v. 5 client):

i386:
java-1.6.0-ibm-1.6.0.5-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-accessibility-1.6.0.5-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-demo-1.6.0.5-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-devel-1.6.0.5-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-javacomm-1.6.0.5-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-jdbc-1.6.0.5-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-plugin-1.6.0.5-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-src-1.6.0.5-1jpp.1.el5.i386.rpm

x86_64:
java-1.6.0-ibm-1.6.0.5-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-1.6.0.5-1jpp.1.el5.x86_64.rpm
java-1.6.0-ibm-accessibility-1.6.0.5-1jpp.1.el5.x86_64.rpm
java-1.6.0-ibm-demo-1.6.0.5-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-demo-1.6.0.5-1jpp.1.el5.x86_64.rpm
java-1.6.0-ibm-devel-1.6.0.5-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-devel-1.6.0.5-1jpp.1.el5.x86_64.rpm
java-1.6.0-ibm-javacomm-1.6.0.5-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-javacomm-1.6.0.5-1jpp.1.el5.x86_64.rpm
java-1.6.0-ibm-jdbc-1.6.0.5-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-jdbc-1.6.0.5-1jpp.1.el5.x86_64.rpm
java-1.6.0-ibm-plugin-1.6.0.5-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-src-1.6.0.5-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-src-1.6.0.5-1jpp.1.el5.x86_64.rpm

RHEL Supplementary (v. 5 server):

i386:
java-1.6.0-ibm-1.6.0.5-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-accessibility-1.6.0.5-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-demo-1.6.0.5-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-devel-1.6.0.5-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-javacomm-1.6.0.5-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-jdbc-1.6.0.5-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-plugin-1.6.0.5-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-src-1.6.0.5-1jpp.1.el5.i386.rpm

ppc:
java-1.6.0-ibm-1.6.0.5-1jpp.1.el5.ppc.rpm
java-1.6.0-ibm-1.6.0.5-1jpp.1.el5.ppc64.rpm
java-1.6.0-ibm-accessibility-1.6.0.5-1jpp.1.el5.ppc.rpm
java-1.6.0-ibm-demo-1.6.0.5-1jpp.1.el5.ppc.rpm
java-1.6.0-ibm-demo-1.6.0.5-1jpp.1.el5.ppc64.rpm
java-1.6.0-ibm-devel-1.6.0.5-1jpp.1.el5.ppc.rpm
java-1.6.0-ibm-devel-1.6.0.5-1jpp.1.el5.ppc64.rpm
java-1.6.0-ibm-javacomm-1.6.0.5-1jpp.1.el5.ppc.rpm
java-1.6.0-ibm-javacomm-1.6.0.5-1jpp.1.el5.ppc64.rpm
java-1.6.0-ibm-jdbc-1.6.0.5-1jpp.1.el5.ppc.rpm
java-1.6.0-ibm-jdbc-1.6.0.5-1jpp.1.el5.ppc64.rpm
java-1.6.0-ibm-plugin-1.6.0.5-1jpp.1.el5.ppc.rpm
java-1.6.0-ibm-src-1.6.0.5-1jpp.1.el5.ppc.rpm
java-1.6.0-ibm-src-1.6.0.5-1jpp.1.el5.ppc64.rpm

s390x:
java-1.6.0-ibm-1.6.0.5-1jpp.1.el5.s390.rpm
java-1.6.0-ibm-1.6.0.5-1jpp.1.el5.s390x.rpm
java-1.6.0-ibm-accessibility-1.6.0.5-1jpp.1.el5.s390x.rpm
java-1.6.0-ibm-demo-1.6.0.5-1jpp.1.el5.s390.rpm
java-1.6.0-ibm-demo-1.6.0.5-1jpp.1.el5.s390x.rpm
java-1.6.0-ibm-devel-1.6.0.5-1jpp.1.el5.s390.rpm
java-1.6.0-ibm-devel-1.6.0.5-1jpp.1.el5.s390x.rpm
java-1.6.0-ibm-jdbc-1.6.0.5-1jpp.1.el5.s390.rpm
java-1.6.0-ibm-jdbc-1.6.0.5-1jpp.1.el5.s390x.rpm
java-1.6.0-ibm-src-1.6.0.5-1jpp.1.el5.s390.rpm
java-1.6.0-ibm-src-1.6.0.5-1jpp.1.el5.s390x.rpm

x86_64:
java-1.6.0-ibm-1.6.0.5-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-1.6.0.5-1jpp.1.el5.x86_64.rpm
java-1.6.0-ibm-accessibility-1.6.0.5-1jpp.1.el5.x86_64.rpm
java-1.6.0-ibm-demo-1.6.0.5-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-demo-1.6.0.5-1jpp.1.el5.x86_64.rpm
java-1.6.0-ibm-devel-1.6.0.5-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-devel-1.6.0.5-1jpp.1.el5.x86_64.rpm
java-1.6.0-ibm-javacomm-1.6.0.5-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-javacomm-1.6.0.5-1jpp.1.el5.x86_64.rpm
java-1.6.0-ibm-jdbc-1.6.0.5-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-jdbc-1.6.0.5-1jpp.1.el5.x86_64.rpm
java-1.6.0-ibm-plugin-1.6.0.5-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-src-1.6.0.5-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-src-1.6.0.5-1jpp.1.el5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1093
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1094
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1095
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1096
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1097
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1098
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1099
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1100
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1101
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1103
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1104
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1105
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1106
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1107
http://www.redhat.com/security/updates/classification/#critical
http://www.ibm.com/developerworks/java/jdk/alerts/

8. Contact:

The Red Hat security contact is .  More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFKe0wFXlSAg2UNWIIRAvUSAJ90nSMa6snaWO3hstYQJtbKtKr+9wCfX4q7
pB++zeditJQcfNc935M7pTE=
=mNV3
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Mon Aug 10 18:17:48 2009
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 10 Aug 2009 14:17:48 -0400
Subject: [RHSA-2009:1203-01] Important: subversion security update
Message-ID: <200908101817.n7AIHmF2009337@int-mx1.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: subversion security update
Advisory ID:       RHSA-2009:1203-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2009-1203.html
Issue date:        2009-08-10
CVE Names:         CVE-2009-2411
=====================================================================

1. Summary:

Updated subversion packages that fix multiple security issues are now
available for Red Hat Enterprise Linux 4 and 5.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64
RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64

3. Description:

Subversion (SVN) is a concurrent version control system which enables one
or more users to collaborate in developing and maintaining a hierarchy of
files and directories while keeping a history of all changes.

Matt Lewis, of Google, reported multiple heap overflow flaws in Subversion
(server and client) when parsing binary deltas. A malicious user with
commit access to a server could use these flaws to cause a heap overflow on
that server. A malicious server could use these flaws to cause a heap
overflow on a client when it attempts to check out or update. These heap
overflows can result in a crash or, possibly, arbitrary code execution.
(CVE-2009-2411)

All Subversion users should upgrade to these updated packages, which
contain a backported patch to correct these issues. After installing the
updated packages, the Subversion server must be restarted for the update to
take effect: restart httpd if you are using mod_dav_svn, or restart
svnserve if it is used.

4. Solution:

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red
Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

514744 - CVE-2009-2411 subversion: multiple heap overflow issues

6. Package List:

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/subversion-1.1.4-3.el4_8.2.src.rpm

i386:
mod_dav_svn-1.1.4-3.el4_8.2.i386.rpm
subversion-1.1.4-3.el4_8.2.i386.rpm
subversion-debuginfo-1.1.4-3.el4_8.2.i386.rpm
subversion-devel-1.1.4-3.el4_8.2.i386.rpm
subversion-perl-1.1.4-3.el4_8.2.i386.rpm

ia64:
mod_dav_svn-1.1.4-3.el4_8.2.ia64.rpm
subversion-1.1.4-3.el4_8.2.ia64.rpm
subversion-debuginfo-1.1.4-3.el4_8.2.ia64.rpm
subversion-devel-1.1.4-3.el4_8.2.ia64.rpm
subversion-perl-1.1.4-3.el4_8.2.ia64.rpm

ppc:
mod_dav_svn-1.1.4-3.el4_8.2.ppc.rpm
subversion-1.1.4-3.el4_8.2.ppc.rpm
subversion-debuginfo-1.1.4-3.el4_8.2.ppc.rpm
subversion-devel-1.1.4-3.el4_8.2.ppc.rpm
subversion-perl-1.1.4-3.el4_8.2.ppc.rpm

s390:
mod_dav_svn-1.1.4-3.el4_8.2.s390.rpm
subversion-1.1.4-3.el4_8.2.s390.rpm
subversion-debuginfo-1.1.4-3.el4_8.2.s390.rpm
subversion-devel-1.1.4-3.el4_8.2.s390.rpm
subversion-perl-1.1.4-3.el4_8.2.s390.rpm

s390x:
mod_dav_svn-1.1.4-3.el4_8.2.s390x.rpm
subversion-1.1.4-3.el4_8.2.s390x.rpm
subversion-debuginfo-1.1.4-3.el4_8.2.s390x.rpm
subversion-devel-1.1.4-3.el4_8.2.s390x.rpm
subversion-perl-1.1.4-3.el4_8.2.s390x.rpm

x86_64:
mod_dav_svn-1.1.4-3.el4_8.2.x86_64.rpm
subversion-1.1.4-3.el4_8.2.x86_64.rpm
subversion-debuginfo-1.1.4-3.el4_8.2.x86_64.rpm
subversion-devel-1.1.4-3.el4_8.2.x86_64.rpm
subversion-perl-1.1.4-3.el4_8.2.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/subversion-1.1.4-3.el4_8.2.src.rpm

i386:
mod_dav_svn-1.1.4-3.el4_8.2.i386.rpm
subversion-1.1.4-3.el4_8.2.i386.rpm
subversion-debuginfo-1.1.4-3.el4_8.2.i386.rpm
subversion-devel-1.1.4-3.el4_8.2.i386.rpm
subversion-perl-1.1.4-3.el4_8.2.i386.rpm

x86_64:
mod_dav_svn-1.1.4-3.el4_8.2.x86_64.rpm
subversion-1.1.4-3.el4_8.2.x86_64.rpm
subversion-debuginfo-1.1.4-3.el4_8.2.x86_64.rpm
subversion-devel-1.1.4-3.el4_8.2.x86_64.rpm
subversion-perl-1.1.4-3.el4_8.2.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/subversion-1.1.4-3.el4_8.2.src.rpm

i386:
mod_dav_svn-1.1.4-3.el4_8.2.i386.rpm
subversion-1.1.4-3.el4_8.2.i386.rpm
subversion-debuginfo-1.1.4-3.el4_8.2.i386.rpm
subversion-devel-1.1.4-3.el4_8.2.i386.rpm
subversion-perl-1.1.4-3.el4_8.2.i386.rpm

ia64:
mod_dav_svn-1.1.4-3.el4_8.2.ia64.rpm
subversion-1.1.4-3.el4_8.2.ia64.rpm
subversion-debuginfo-1.1.4-3.el4_8.2.ia64.rpm
subversion-devel-1.1.4-3.el4_8.2.ia64.rpm
subversion-perl-1.1.4-3.el4_8.2.ia64.rpm

x86_64:
mod_dav_svn-1.1.4-3.el4_8.2.x86_64.rpm
subversion-1.1.4-3.el4_8.2.x86_64.rpm
subversion-debuginfo-1.1.4-3.el4_8.2.x86_64.rpm
subversion-devel-1.1.4-3.el4_8.2.x86_64.rpm
subversion-perl-1.1.4-3.el4_8.2.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/subversion-1.1.4-3.el4_8.2.src.rpm

i386:
mod_dav_svn-1.1.4-3.el4_8.2.i386.rpm
subversion-1.1.4-3.el4_8.2.i386.rpm
subversion-debuginfo-1.1.4-3.el4_8.2.i386.rpm
subversion-devel-1.1.4-3.el4_8.2.i386.rpm
subversion-perl-1.1.4-3.el4_8.2.i386.rpm

ia64:
mod_dav_svn-1.1.4-3.el4_8.2.ia64.rpm
subversion-1.1.4-3.el4_8.2.ia64.rpm
subversion-debuginfo-1.1.4-3.el4_8.2.ia64.rpm
subversion-devel-1.1.4-3.el4_8.2.ia64.rpm
subversion-perl-1.1.4-3.el4_8.2.ia64.rpm

x86_64:
mod_dav_svn-1.1.4-3.el4_8.2.x86_64.rpm
subversion-1.1.4-3.el4_8.2.x86_64.rpm
subversion-debuginfo-1.1.4-3.el4_8.2.x86_64.rpm
subversion-devel-1.1.4-3.el4_8.2.x86_64.rpm
subversion-perl-1.1.4-3.el4_8.2.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/subversion-1.4.2-4.el5_3.1.src.rpm

i386:
mod_dav_svn-1.4.2-4.el5_3.1.i386.rpm
subversion-1.4.2-4.el5_3.1.i386.rpm
subversion-debuginfo-1.4.2-4.el5_3.1.i386.rpm
subversion-devel-1.4.2-4.el5_3.1.i386.rpm
subversion-javahl-1.4.2-4.el5_3.1.i386.rpm
subversion-perl-1.4.2-4.el5_3.1.i386.rpm
subversion-ruby-1.4.2-4.el5_3.1.i386.rpm

x86_64:
mod_dav_svn-1.4.2-4.el5_3.1.x86_64.rpm
subversion-1.4.2-4.el5_3.1.i386.rpm
subversion-1.4.2-4.el5_3.1.x86_64.rpm
subversion-debuginfo-1.4.2-4.el5_3.1.i386.rpm
subversion-debuginfo-1.4.2-4.el5_3.1.x86_64.rpm
subversion-devel-1.4.2-4.el5_3.1.i386.rpm
subversion-devel-1.4.2-4.el5_3.1.x86_64.rpm
subversion-javahl-1.4.2-4.el5_3.1.x86_64.rpm
subversion-perl-1.4.2-4.el5_3.1.x86_64.rpm
subversion-ruby-1.4.2-4.el5_3.1.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/subversion-1.4.2-4.el5_3.1.src.rpm

i386:
mod_dav_svn-1.4.2-4.el5_3.1.i386.rpm
subversion-1.4.2-4.el5_3.1.i386.rpm
subversion-debuginfo-1.4.2-4.el5_3.1.i386.rpm
subversion-devel-1.4.2-4.el5_3.1.i386.rpm
subversion-javahl-1.4.2-4.el5_3.1.i386.rpm
subversion-perl-1.4.2-4.el5_3.1.i386.rpm
subversion-ruby-1.4.2-4.el5_3.1.i386.rpm

ia64:
mod_dav_svn-1.4.2-4.el5_3.1.ia64.rpm
subversion-1.4.2-4.el5_3.1.ia64.rpm
subversion-debuginfo-1.4.2-4.el5_3.1.ia64.rpm
subversion-devel-1.4.2-4.el5_3.1.ia64.rpm
subversion-javahl-1.4.2-4.el5_3.1.ia64.rpm
subversion-perl-1.4.2-4.el5_3.1.ia64.rpm
subversion-ruby-1.4.2-4.el5_3.1.ia64.rpm

ppc:
mod_dav_svn-1.4.2-4.el5_3.1.ppc.rpm
subversion-1.4.2-4.el5_3.1.ppc.rpm
subversion-1.4.2-4.el5_3.1.ppc64.rpm
subversion-debuginfo-1.4.2-4.el5_3.1.ppc.rpm
subversion-debuginfo-1.4.2-4.el5_3.1.ppc64.rpm
subversion-devel-1.4.2-4.el5_3.1.ppc.rpm
subversion-devel-1.4.2-4.el5_3.1.ppc64.rpm
subversion-javahl-1.4.2-4.el5_3.1.ppc.rpm
subversion-perl-1.4.2-4.el5_3.1.ppc.rpm
subversion-ruby-1.4.2-4.el5_3.1.ppc.rpm

s390x:
mod_dav_svn-1.4.2-4.el5_3.1.s390x.rpm
subversion-1.4.2-4.el5_3.1.s390.rpm
subversion-1.4.2-4.el5_3.1.s390x.rpm
subversion-debuginfo-1.4.2-4.el5_3.1.s390.rpm
subversion-debuginfo-1.4.2-4.el5_3.1.s390x.rpm
subversion-devel-1.4.2-4.el5_3.1.s390.rpm
subversion-devel-1.4.2-4.el5_3.1.s390x.rpm
subversion-javahl-1.4.2-4.el5_3.1.s390x.rpm
subversion-perl-1.4.2-4.el5_3.1.s390x.rpm
subversion-ruby-1.4.2-4.el5_3.1.s390x.rpm

x86_64:
mod_dav_svn-1.4.2-4.el5_3.1.x86_64.rpm
subversion-1.4.2-4.el5_3.1.i386.rpm
subversion-1.4.2-4.el5_3.1.x86_64.rpm
subversion-debuginfo-1.4.2-4.el5_3.1.i386.rpm
subversion-debuginfo-1.4.2-4.el5_3.1.x86_64.rpm
subversion-devel-1.4.2-4.el5_3.1.i386.rpm
subversion-devel-1.4.2-4.el5_3.1.x86_64.rpm
subversion-javahl-1.4.2-4.el5_3.1.x86_64.rpm
subversion-perl-1.4.2-4.el5_3.1.x86_64.rpm
subversion-ruby-1.4.2-4.el5_3.1.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2411
http://www.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is .  More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFKgGRDXlSAg2UNWIIRArMHAKCUlTlOnLUR53wob6PX3kJM1e7uOQCcD3ws
YXQdkA84Mw8b0MG7DZa+8Ds=
=fkAY
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Mon Aug 10 18:18:06 2009
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 10 Aug 2009 14:18:06 -0400
Subject: [RHSA-2009:1204-01] Moderate: apr and apr-util security update
Message-ID: <200908101818.n7AII6pT009427@int-mx1.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: apr and apr-util security update
Advisory ID:       RHSA-2009:1204-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2009-1204.html
Issue date:        2009-08-10
CVE Names:         CVE-2009-2412
=====================================================================

1. Summary:

Updated apr and apr-util packages that fix multiple security issues are now
available for Red Hat Enterprise Linux 4 and 5.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64

3. Description:

The Apache Portable Runtime (APR) is a portability library used by the
Apache HTTP Server and other projects. It aims to provide a free library of
C data structures and routines. apr-util is a utility library used with
APR. This library provides additional utility interfaces for APR, including
support for XML parsing, LDAP, database interfaces, URI parsing, and more.

Multiple integer overflow flaws, leading to heap-based buffer overflows,
were found in the way the Apache Portable Runtime (APR) manages memory pool
and relocatable memory allocations. An attacker could use these flaws to
issue a specially-crafted request for memory allocation, which would lead
to a denial of service (application crash) or, potentially, execute
arbitrary code with the privileges of an application using the APR
libraries. (CVE-2009-2412)

All apr and apr-util users should upgrade to these updated packages, which
contain backported patches to correct these issues. Applications using the
APR libraries, such as httpd, must be restarted for this update to take
effect.

4. Solution:

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red
Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

515698 - CVE-2009-2412 apr, apr-util: Integer overflows in memory pool (apr) and relocatable memory (apr-util) management

6. Package List:

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/apr-0.9.4-24.9.el4_8.2.src.rpm
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/apr-util-0.9.4-22.el4_8.2.src.rpm

i386:
apr-0.9.4-24.9.el4_8.2.i386.rpm
apr-debuginfo-0.9.4-24.9.el4_8.2.i386.rpm
apr-devel-0.9.4-24.9.el4_8.2.i386.rpm
apr-util-0.9.4-22.el4_8.2.i386.rpm
apr-util-debuginfo-0.9.4-22.el4_8.2.i386.rpm
apr-util-devel-0.9.4-22.el4_8.2.i386.rpm

ia64:
apr-0.9.4-24.9.el4_8.2.i386.rpm
apr-0.9.4-24.9.el4_8.2.ia64.rpm
apr-debuginfo-0.9.4-24.9.el4_8.2.i386.rpm
apr-debuginfo-0.9.4-24.9.el4_8.2.ia64.rpm
apr-devel-0.9.4-24.9.el4_8.2.ia64.rpm
apr-util-0.9.4-22.el4_8.2.ia64.rpm
apr-util-debuginfo-0.9.4-22.el4_8.2.ia64.rpm
apr-util-devel-0.9.4-22.el4_8.2.ia64.rpm

ppc:
apr-0.9.4-24.9.el4_8.2.ppc.rpm
apr-0.9.4-24.9.el4_8.2.ppc64.rpm
apr-debuginfo-0.9.4-24.9.el4_8.2.ppc.rpm
apr-debuginfo-0.9.4-24.9.el4_8.2.ppc64.rpm
apr-devel-0.9.4-24.9.el4_8.2.ppc.rpm
apr-util-0.9.4-22.el4_8.2.ppc.rpm
apr-util-debuginfo-0.9.4-22.el4_8.2.ppc.rpm
apr-util-devel-0.9.4-22.el4_8.2.ppc.rpm

s390:
apr-0.9.4-24.9.el4_8.2.s390.rpm
apr-debuginfo-0.9.4-24.9.el4_8.2.s390.rpm
apr-devel-0.9.4-24.9.el4_8.2.s390.rpm
apr-util-0.9.4-22.el4_8.2.s390.rpm
apr-util-debuginfo-0.9.4-22.el4_8.2.s390.rpm
apr-util-devel-0.9.4-22.el4_8.2.s390.rpm

s390x:
apr-0.9.4-24.9.el4_8.2.s390.rpm
apr-0.9.4-24.9.el4_8.2.s390x.rpm
apr-debuginfo-0.9.4-24.9.el4_8.2.s390.rpm
apr-debuginfo-0.9.4-24.9.el4_8.2.s390x.rpm
apr-devel-0.9.4-24.9.el4_8.2.s390x.rpm
apr-util-0.9.4-22.el4_8.2.s390x.rpm
apr-util-debuginfo-0.9.4-22.el4_8.2.s390x.rpm
apr-util-devel-0.9.4-22.el4_8.2.s390x.rpm

x86_64:
apr-0.9.4-24.9.el4_8.2.i386.rpm
apr-0.9.4-24.9.el4_8.2.x86_64.rpm
apr-debuginfo-0.9.4-24.9.el4_8.2.i386.rpm
apr-debuginfo-0.9.4-24.9.el4_8.2.x86_64.rpm
apr-devel-0.9.4-24.9.el4_8.2.x86_64.rpm
apr-util-0.9.4-22.el4_8.2.x86_64.rpm
apr-util-debuginfo-0.9.4-22.el4_8.2.x86_64.rpm
apr-util-devel-0.9.4-22.el4_8.2.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/apr-0.9.4-24.9.el4_8.2.src.rpm
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/apr-util-0.9.4-22.el4_8.2.src.rpm

i386:
apr-0.9.4-24.9.el4_8.2.i386.rpm
apr-debuginfo-0.9.4-24.9.el4_8.2.i386.rpm
apr-devel-0.9.4-24.9.el4_8.2.i386.rpm
apr-util-0.9.4-22.el4_8.2.i386.rpm
apr-util-debuginfo-0.9.4-22.el4_8.2.i386.rpm
apr-util-devel-0.9.4-22.el4_8.2.i386.rpm

x86_64:
apr-0.9.4-24.9.el4_8.2.i386.rpm
apr-0.9.4-24.9.el4_8.2.x86_64.rpm
apr-debuginfo-0.9.4-24.9.el4_8.2.i386.rpm
apr-debuginfo-0.9.4-24.9.el4_8.2.x86_64.rpm
apr-devel-0.9.4-24.9.el4_8.2.x86_64.rpm
apr-util-0.9.4-22.el4_8.2.x86_64.rpm
apr-util-debuginfo-0.9.4-22.el4_8.2.x86_64.rpm
apr-util-devel-0.9.4-22.el4_8.2.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/apr-0.9.4-24.9.el4_8.2.src.rpm
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/apr-util-0.9.4-22.el4_8.2.src.rpm

i386:
apr-0.9.4-24.9.el4_8.2.i386.rpm
apr-debuginfo-0.9.4-24.9.el4_8.2.i386.rpm
apr-devel-0.9.4-24.9.el4_8.2.i386.rpm
apr-util-0.9.4-22.el4_8.2.i386.rpm
apr-util-debuginfo-0.9.4-22.el4_8.2.i386.rpm
apr-util-devel-0.9.4-22.el4_8.2.i386.rpm

ia64:
apr-0.9.4-24.9.el4_8.2.i386.rpm
apr-0.9.4-24.9.el4_8.2.ia64.rpm
apr-debuginfo-0.9.4-24.9.el4_8.2.i386.rpm
apr-debuginfo-0.9.4-24.9.el4_8.2.ia64.rpm
apr-devel-0.9.4-24.9.el4_8.2.ia64.rpm
apr-util-0.9.4-22.el4_8.2.ia64.rpm
apr-util-debuginfo-0.9.4-22.el4_8.2.ia64.rpm
apr-util-devel-0.9.4-22.el4_8.2.ia64.rpm

x86_64:
apr-0.9.4-24.9.el4_8.2.i386.rpm
apr-0.9.4-24.9.el4_8.2.x86_64.rpm
apr-debuginfo-0.9.4-24.9.el4_8.2.i386.rpm
apr-debuginfo-0.9.4-24.9.el4_8.2.x86_64.rpm
apr-devel-0.9.4-24.9.el4_8.2.x86_64.rpm
apr-util-0.9.4-22.el4_8.2.x86_64.rpm
apr-util-debuginfo-0.9.4-22.el4_8.2.x86_64.rpm
apr-util-devel-0.9.4-22.el4_8.2.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/apr-0.9.4-24.9.el4_8.2.src.rpm
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/apr-util-0.9.4-22.el4_8.2.src.rpm

i386:
apr-0.9.4-24.9.el4_8.2.i386.rpm
apr-debuginfo-0.9.4-24.9.el4_8.2.i386.rpm
apr-devel-0.9.4-24.9.el4_8.2.i386.rpm
apr-util-0.9.4-22.el4_8.2.i386.rpm
apr-util-debuginfo-0.9.4-22.el4_8.2.i386.rpm
apr-util-devel-0.9.4-22.el4_8.2.i386.rpm

ia64:
apr-0.9.4-24.9.el4_8.2.i386.rpm
apr-0.9.4-24.9.el4_8.2.ia64.rpm
apr-debuginfo-0.9.4-24.9.el4_8.2.i386.rpm
apr-debuginfo-0.9.4-24.9.el4_8.2.ia64.rpm
apr-devel-0.9.4-24.9.el4_8.2.ia64.rpm
apr-util-0.9.4-22.el4_8.2.ia64.rpm
apr-util-debuginfo-0.9.4-22.el4_8.2.ia64.rpm
apr-util-devel-0.9.4-22.el4_8.2.ia64.rpm

x86_64:
apr-0.9.4-24.9.el4_8.2.i386.rpm
apr-0.9.4-24.9.el4_8.2.x86_64.rpm
apr-debuginfo-0.9.4-24.9.el4_8.2.i386.rpm
apr-debuginfo-0.9.4-24.9.el4_8.2.x86_64.rpm
apr-devel-0.9.4-24.9.el4_8.2.x86_64.rpm
apr-util-0.9.4-22.el4_8.2.x86_64.rpm
apr-util-debuginfo-0.9.4-22.el4_8.2.x86_64.rpm
apr-util-devel-0.9.4-22.el4_8.2.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/apr-1.2.7-11.el5_3.1.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/apr-util-1.2.7-7.el5_3.2.src.rpm

i386:
apr-1.2.7-11.el5_3.1.i386.rpm
apr-debuginfo-1.2.7-11.el5_3.1.i386.rpm
apr-docs-1.2.7-11.el5_3.1.i386.rpm
apr-util-1.2.7-7.el5_3.2.i386.rpm
apr-util-debuginfo-1.2.7-7.el5_3.2.i386.rpm
apr-util-docs-1.2.7-7.el5_3.2.i386.rpm

x86_64:
apr-1.2.7-11.el5_3.1.i386.rpm
apr-1.2.7-11.el5_3.1.x86_64.rpm
apr-debuginfo-1.2.7-11.el5_3.1.i386.rpm
apr-debuginfo-1.2.7-11.el5_3.1.x86_64.rpm
apr-docs-1.2.7-11.el5_3.1.x86_64.rpm
apr-util-1.2.7-7.el5_3.2.i386.rpm
apr-util-1.2.7-7.el5_3.2.x86_64.rpm
apr-util-debuginfo-1.2.7-7.el5_3.2.i386.rpm
apr-util-debuginfo-1.2.7-7.el5_3.2.x86_64.rpm
apr-util-docs-1.2.7-7.el5_3.2.x86_64.rpm

RHEL Desktop Workstation (v.
5 client): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/apr-1.2.7-11.el5_3.1.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/apr-util-1.2.7-7.el5_3.2.src.rpm i386: apr-debuginfo-1.2.7-11.el5_3.1.i386.rpm apr-devel-1.2.7-11.el5_3.1.i386.rpm apr-util-debuginfo-1.2.7-7.el5_3.2.i386.rpm apr-util-devel-1.2.7-7.el5_3.2.i386.rpm x86_64: apr-debuginfo-1.2.7-11.el5_3.1.i386.rpm apr-debuginfo-1.2.7-11.el5_3.1.x86_64.rpm apr-devel-1.2.7-11.el5_3.1.i386.rpm apr-devel-1.2.7-11.el5_3.1.x86_64.rpm apr-util-debuginfo-1.2.7-7.el5_3.2.i386.rpm apr-util-debuginfo-1.2.7-7.el5_3.2.x86_64.rpm apr-util-devel-1.2.7-7.el5_3.2.i386.rpm apr-util-devel-1.2.7-7.el5_3.2.x86_64.rpm Red Hat Enterprise Linux (v. 5 server): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/apr-1.2.7-11.el5_3.1.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/apr-util-1.2.7-7.el5_3.2.src.rpm i386: apr-1.2.7-11.el5_3.1.i386.rpm apr-debuginfo-1.2.7-11.el5_3.1.i386.rpm apr-devel-1.2.7-11.el5_3.1.i386.rpm apr-docs-1.2.7-11.el5_3.1.i386.rpm apr-util-1.2.7-7.el5_3.2.i386.rpm apr-util-debuginfo-1.2.7-7.el5_3.2.i386.rpm apr-util-devel-1.2.7-7.el5_3.2.i386.rpm apr-util-docs-1.2.7-7.el5_3.2.i386.rpm ia64: apr-1.2.7-11.el5_3.1.ia64.rpm apr-debuginfo-1.2.7-11.el5_3.1.ia64.rpm apr-devel-1.2.7-11.el5_3.1.ia64.rpm apr-docs-1.2.7-11.el5_3.1.ia64.rpm apr-util-1.2.7-7.el5_3.2.ia64.rpm apr-util-debuginfo-1.2.7-7.el5_3.2.ia64.rpm apr-util-devel-1.2.7-7.el5_3.2.ia64.rpm apr-util-docs-1.2.7-7.el5_3.2.ia64.rpm ppc: apr-1.2.7-11.el5_3.1.ppc.rpm apr-1.2.7-11.el5_3.1.ppc64.rpm apr-debuginfo-1.2.7-11.el5_3.1.ppc.rpm apr-debuginfo-1.2.7-11.el5_3.1.ppc64.rpm apr-devel-1.2.7-11.el5_3.1.ppc.rpm apr-devel-1.2.7-11.el5_3.1.ppc64.rpm apr-docs-1.2.7-11.el5_3.1.ppc.rpm apr-util-1.2.7-7.el5_3.2.ppc.rpm apr-util-1.2.7-7.el5_3.2.ppc64.rpm apr-util-debuginfo-1.2.7-7.el5_3.2.ppc.rpm apr-util-debuginfo-1.2.7-7.el5_3.2.ppc64.rpm 
apr-util-devel-1.2.7-7.el5_3.2.ppc.rpm apr-util-devel-1.2.7-7.el5_3.2.ppc64.rpm apr-util-docs-1.2.7-7.el5_3.2.ppc.rpm s390x: apr-1.2.7-11.el5_3.1.s390.rpm apr-1.2.7-11.el5_3.1.s390x.rpm apr-debuginfo-1.2.7-11.el5_3.1.s390.rpm apr-debuginfo-1.2.7-11.el5_3.1.s390x.rpm apr-devel-1.2.7-11.el5_3.1.s390.rpm apr-devel-1.2.7-11.el5_3.1.s390x.rpm apr-docs-1.2.7-11.el5_3.1.s390x.rpm apr-util-1.2.7-7.el5_3.2.s390.rpm apr-util-1.2.7-7.el5_3.2.s390x.rpm apr-util-debuginfo-1.2.7-7.el5_3.2.s390.rpm apr-util-debuginfo-1.2.7-7.el5_3.2.s390x.rpm apr-util-devel-1.2.7-7.el5_3.2.s390.rpm apr-util-devel-1.2.7-7.el5_3.2.s390x.rpm apr-util-docs-1.2.7-7.el5_3.2.s390x.rpm x86_64: apr-1.2.7-11.el5_3.1.i386.rpm apr-1.2.7-11.el5_3.1.x86_64.rpm apr-debuginfo-1.2.7-11.el5_3.1.i386.rpm apr-debuginfo-1.2.7-11.el5_3.1.x86_64.rpm apr-devel-1.2.7-11.el5_3.1.i386.rpm apr-devel-1.2.7-11.el5_3.1.x86_64.rpm apr-docs-1.2.7-11.el5_3.1.x86_64.rpm apr-util-1.2.7-7.el5_3.2.i386.rpm apr-util-1.2.7-7.el5_3.2.x86_64.rpm apr-util-debuginfo-1.2.7-7.el5_3.2.i386.rpm apr-util-debuginfo-1.2.7-7.el5_3.2.x86_64.rpm apr-util-devel-1.2.7-7.el5_3.2.i386.rpm apr-util-devel-1.2.7-7.el5_3.2.x86_64.rpm apr-util-docs-1.2.7-7.el5_3.2.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package 7. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2412 http://www.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/ Copyright 2009 Red Hat, Inc. 
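The allocation-size arithmetic behind the CVE-2009-2412 class described in section 3 above, as an added example (not APR's code and not part of the advisory): a toy pool allocator rounds each request up to an alignment boundary, first trusting the rounded value and then refusing when the rounding wraps. The 8-byte boundary, the 256-byte arena and the hostile request size are constructed for the demonstration.

```c
/* Added example (not APR's own code): the arithmetic behind the
 * CVE-2009-2412 class.  Pool allocators round a requested size up to an
 * alignment boundary before carving a block out of the pool.  If that
 * rounding is done in plain size_t arithmetic, a request near SIZE_MAX
 * wraps to a tiny aligned size, the capacity check passes, a tiny block
 * is returned, and the caller then writes the full requested length into
 * it: a heap-based buffer overflow.  The checked variant refuses instead. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ALIGN_BOUNDARY ((size_t)8)  /* assumption: 8-byte alignment */

/* Round up to the next multiple of ALIGN_BOUNDARY; wraps silently. */
static size_t align_unchecked(size_t size)
{
    return (size + ALIGN_BOUNDARY - 1) & ~(ALIGN_BOUNDARY - 1);
}

/* Hardened rounding: a rounded-up value that is smaller than the input
 * can only mean the addition wrapped, so report failure instead. */
static bool align_checked(size_t size, size_t *out)
{
    size_t aligned = align_unchecked(size);
    if (aligned < size)
        return false;
    *out = aligned;
    return true;
}

/* Constructed toy arena standing in for a memory pool. */
typedef struct {
    unsigned char mem[256];
    size_t used;
} pool_t;

#define REFUSED ((size_t)-1)

/* Vulnerable pattern: trusts the wrapped size.  Returns the number of
 * bytes actually reserved for the caller, or REFUSED. */
static size_t pool_reserve_unchecked(pool_t *p, size_t size)
{
    size_t aligned = align_unchecked(size);
    if (aligned > sizeof p->mem - p->used)
        return REFUSED;            /* passes for the wrapped value */
    p->used += aligned;
    return aligned;                /* caller believes it owns `size` bytes */
}

/* Hardened pattern: a wrapped request never reaches the capacity check. */
static size_t pool_reserve_checked(pool_t *p, size_t size)
{
    size_t aligned;
    if (!align_checked(size, &aligned))
        return REFUSED;
    if (aligned > sizeof p->mem - p->used)
        return REFUSED;
    p->used += aligned;
    return aligned;
}

/* Test hooks: run one request against a fresh arena. */
static size_t reserved_unchecked(size_t size)
{
    pool_t p = { {0}, 0 };
    return pool_reserve_unchecked(&p, size);
}

static size_t reserved_checked(size_t size)
{
    pool_t p = { {0}, 0 };
    return pool_reserve_checked(&p, size);
}

int main(void)
{
    size_t huge = SIZE_MAX - 2;   /* constructed hostile request */
    printf("13 bytes   -> unchecked reserves %zu, checked reserves %zu\n",
           reserved_unchecked(13), reserved_checked(13));
    printf("SIZE_MAX-2 -> unchecked reserves %zu (wrapped!), checked %s\n",
           reserved_unchecked(huge),
           reserved_checked(huge) == REFUSED ? "refuses" : "accepts");
    return 0;
}
```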
From bugzilla at redhat.com Mon Aug 10 18:18:20 2009
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 10 Aug 2009 14:18:20 -0400
Subject: [RHSA-2009:1205-01] Moderate: httpd security and bug fix update
Message-ID: <200908101818.n7AIIKi2009561@int-mx1.corp.redhat.com>

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: httpd security and bug fix update
Advisory ID: RHSA-2009:1205-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2009-1205.html
Issue date: 2009-08-10
CVE Names: CVE-2009-1891 CVE-2009-2412
=====================================================================

1. Summary:

Updated httpd packages that fix multiple security issues and a bug are now available for Red Hat Enterprise Linux 3.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64

3. Description:

The Apache HTTP Server is a popular Web server. The httpd package shipped with Red Hat Enterprise Linux 3 contains embedded copies of the Apache Portable Runtime (APR) libraries, which provide a free library of C data structures and routines, and also additional utility interfaces to support XML parsing, LDAP, database interfaces, URI parsing, and more.

Multiple integer overflow flaws, leading to heap-based buffer overflows, were found in the way the Apache Portable Runtime (APR) manages memory pool and relocatable memory allocations. An attacker could use these flaws to issue a specially-crafted request for memory allocation, which would lead to a denial of service (application crash) or, potentially, execute arbitrary code with the privileges of an application using the APR libraries. (CVE-2009-2412)

A denial of service flaw was found in the Apache mod_deflate module. This module continued to compress large files until compression was complete, even if the network connection that requested the content was closed before compression completed. This would cause mod_deflate to consume large amounts of CPU if mod_deflate was enabled for a large file. (CVE-2009-1891)

This update also fixes the following bug:

* in some cases the Content-Length header was dropped from HEAD responses. This resulted in certain sites not working correctly with mod_proxy, such as www.windowsupdate.com. (BZ#506016)

All httpd users should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

506016 - windowsupdate.microsoft.com does not work with mod_proxy
509125 - CVE-2009-1891 httpd: possible temporary DoS (CPU consumption) in mod_deflate
515698 - CVE-2009-2412 apr, apr-util: Integer overflows in memory pool (apr) and relocatable memory (apr-util) management

6. Package List:

Red Hat Enterprise Linux AS version 3:

Source:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/httpd-2.0.46-75.ent.src.rpm

i386:
httpd-2.0.46-75.ent.i386.rpm
httpd-debuginfo-2.0.46-75.ent.i386.rpm
httpd-devel-2.0.46-75.ent.i386.rpm
mod_ssl-2.0.46-75.ent.i386.rpm

ia64:
httpd-2.0.46-75.ent.ia64.rpm
httpd-debuginfo-2.0.46-75.ent.ia64.rpm
httpd-devel-2.0.46-75.ent.ia64.rpm
mod_ssl-2.0.46-75.ent.ia64.rpm

ppc:
httpd-2.0.46-75.ent.ppc.rpm
httpd-debuginfo-2.0.46-75.ent.ppc.rpm
httpd-devel-2.0.46-75.ent.ppc.rpm
mod_ssl-2.0.46-75.ent.ppc.rpm

s390:
httpd-2.0.46-75.ent.s390.rpm
httpd-debuginfo-2.0.46-75.ent.s390.rpm
httpd-devel-2.0.46-75.ent.s390.rpm
mod_ssl-2.0.46-75.ent.s390.rpm

s390x:
httpd-2.0.46-75.ent.s390x.rpm
httpd-debuginfo-2.0.46-75.ent.s390x.rpm
httpd-devel-2.0.46-75.ent.s390x.rpm
mod_ssl-2.0.46-75.ent.s390x.rpm

x86_64:
httpd-2.0.46-75.ent.x86_64.rpm
httpd-debuginfo-2.0.46-75.ent.x86_64.rpm
httpd-devel-2.0.46-75.ent.x86_64.rpm
mod_ssl-2.0.46-75.ent.x86_64.rpm

Red Hat Desktop version 3:

Source:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/httpd-2.0.46-75.ent.src.rpm

i386:
httpd-2.0.46-75.ent.i386.rpm
httpd-debuginfo-2.0.46-75.ent.i386.rpm
httpd-devel-2.0.46-75.ent.i386.rpm
mod_ssl-2.0.46-75.ent.i386.rpm

x86_64:
httpd-2.0.46-75.ent.x86_64.rpm
httpd-debuginfo-2.0.46-75.ent.x86_64.rpm
httpd-devel-2.0.46-75.ent.x86_64.rpm
mod_ssl-2.0.46-75.ent.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

Source:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/httpd-2.0.46-75.ent.src.rpm

i386:
httpd-2.0.46-75.ent.i386.rpm
httpd-debuginfo-2.0.46-75.ent.i386.rpm
httpd-devel-2.0.46-75.ent.i386.rpm
mod_ssl-2.0.46-75.ent.i386.rpm

ia64:
httpd-2.0.46-75.ent.ia64.rpm
httpd-debuginfo-2.0.46-75.ent.ia64.rpm
httpd-devel-2.0.46-75.ent.ia64.rpm
mod_ssl-2.0.46-75.ent.ia64.rpm

x86_64:
httpd-2.0.46-75.ent.x86_64.rpm
httpd-debuginfo-2.0.46-75.ent.x86_64.rpm
httpd-devel-2.0.46-75.ent.x86_64.rpm
mod_ssl-2.0.46-75.ent.x86_64.rpm

Red Hat Enterprise Linux WS version 3:

Source:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/httpd-2.0.46-75.ent.src.rpm

i386:
httpd-2.0.46-75.ent.i386.rpm
httpd-debuginfo-2.0.46-75.ent.i386.rpm
httpd-devel-2.0.46-75.ent.i386.rpm
mod_ssl-2.0.46-75.ent.i386.rpm

ia64:
httpd-2.0.46-75.ent.ia64.rpm
httpd-debuginfo-2.0.46-75.ent.ia64.rpm
httpd-devel-2.0.46-75.ent.ia64.rpm
mod_ssl-2.0.46-75.ent.ia64.rpm

x86_64:
httpd-2.0.46-75.ent.x86_64.rpm
httpd-debuginfo-2.0.46-75.ent.x86_64.rpm
httpd-devel-2.0.46-75.ent.x86_64.rpm
mod_ssl-2.0.46-75.ent.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1891
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2412
http://www.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.

From bugzilla at redhat.com Mon Aug 10 18:18:45 2009
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 10 Aug 2009 14:18:45 -0400
Subject: [RHSA-2009:1206-01] Moderate: libxml and libxml2 security update
Message-ID: <200908101818.n7AIIj0P009977@int-mx1.corp.redhat.com>

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: libxml and libxml2 security update
Advisory ID: RHSA-2009:1206-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2009-1206.html
Issue date: 2009-08-10
CVE Names: CVE-2009-2414 CVE-2009-2416
=====================================================================

1. Summary:

Updated libxml and libxml2 packages that fix multiple security issues are now available for Red Hat Enterprise Linux 3, 4, and 5.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64

3. Description:

libxml is a library for parsing and manipulating XML files. A Document Type Definition (DTD) defines the legal syntax (and also which elements can be used) for certain types of files, such as XML files.

A stack overflow flaw was found in the way libxml processes the root XML document element definition in a DTD. A remote attacker could provide a specially-crafted XML file, which once opened by a local, unsuspecting user, would lead to denial of service (application crash). (CVE-2009-2414)

Multiple use-after-free flaws were found in the way libxml parses the Notation and Enumeration attribute types. A remote attacker could provide a specially-crafted XML file, which once opened by a local, unsuspecting user, would lead to denial of service (application crash). (CVE-2009-2416)

Users should upgrade to these updated packages, which contain backported patches to resolve these issues. For Red Hat Enterprise Linux 3, they contain backported patches for the libxml and libxml2 packages.
For Red Hat Enterprise Linux 4 and 5, they contain backported patches for the libxml2 packages. The desktop must be restarted (log out, then log back in) for this update to take effect.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

515195 - CVE-2009-2414 libxml, libxml2, mingw32-libxml2: Stack overflow by parsing root XML element DTD definition
515205 - CVE-2009-2416 libxml, libxml2, mingw32-libxml2: Pointer use-after-free flaws by parsing Notation and Enumeration attribute types

6. Package List:

Red Hat Enterprise Linux AS version 3:

Source:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/libxml-1.8.17-9.3.src.rpm
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/libxml2-2.5.10-15.src.rpm

i386:
libxml-1.8.17-9.3.i386.rpm
libxml-debuginfo-1.8.17-9.3.i386.rpm
libxml-devel-1.8.17-9.3.i386.rpm
libxml2-2.5.10-15.i386.rpm
libxml2-debuginfo-2.5.10-15.i386.rpm
libxml2-devel-2.5.10-15.i386.rpm
libxml2-python-2.5.10-15.i386.rpm

ia64:
libxml-1.8.17-9.3.i386.rpm
libxml-1.8.17-9.3.ia64.rpm
libxml-debuginfo-1.8.17-9.3.i386.rpm
libxml-debuginfo-1.8.17-9.3.ia64.rpm
libxml-devel-1.8.17-9.3.ia64.rpm
libxml2-2.5.10-15.i386.rpm
libxml2-2.5.10-15.ia64.rpm
libxml2-debuginfo-2.5.10-15.i386.rpm
libxml2-debuginfo-2.5.10-15.ia64.rpm
libxml2-devel-2.5.10-15.ia64.rpm
libxml2-python-2.5.10-15.ia64.rpm

ppc:
libxml-1.8.17-9.3.ppc.rpm
libxml-1.8.17-9.3.ppc64.rpm
libxml-debuginfo-1.8.17-9.3.ppc.rpm
libxml-debuginfo-1.8.17-9.3.ppc64.rpm
libxml-devel-1.8.17-9.3.ppc.rpm
libxml2-2.5.10-15.ppc.rpm
libxml2-2.5.10-15.ppc64.rpm
libxml2-debuginfo-2.5.10-15.ppc.rpm
libxml2-debuginfo-2.5.10-15.ppc64.rpm
libxml2-devel-2.5.10-15.ppc.rpm
libxml2-python-2.5.10-15.ppc.rpm

s390:
libxml-1.8.17-9.3.s390.rpm
libxml-debuginfo-1.8.17-9.3.s390.rpm
libxml-devel-1.8.17-9.3.s390.rpm
libxml2-2.5.10-15.s390.rpm
libxml2-debuginfo-2.5.10-15.s390.rpm
libxml2-devel-2.5.10-15.s390.rpm
libxml2-python-2.5.10-15.s390.rpm

s390x:
libxml-1.8.17-9.3.s390.rpm
libxml-1.8.17-9.3.s390x.rpm
libxml-debuginfo-1.8.17-9.3.s390.rpm
libxml-debuginfo-1.8.17-9.3.s390x.rpm
libxml-devel-1.8.17-9.3.s390x.rpm
libxml2-2.5.10-15.s390.rpm
libxml2-2.5.10-15.s390x.rpm
libxml2-debuginfo-2.5.10-15.s390.rpm
libxml2-debuginfo-2.5.10-15.s390x.rpm
libxml2-devel-2.5.10-15.s390x.rpm
libxml2-python-2.5.10-15.s390x.rpm

x86_64:
libxml-1.8.17-9.3.i386.rpm
libxml-1.8.17-9.3.x86_64.rpm
libxml-debuginfo-1.8.17-9.3.i386.rpm
libxml-debuginfo-1.8.17-9.3.x86_64.rpm
libxml-devel-1.8.17-9.3.x86_64.rpm
libxml2-2.5.10-15.i386.rpm
libxml2-2.5.10-15.x86_64.rpm
libxml2-debuginfo-2.5.10-15.i386.rpm
libxml2-debuginfo-2.5.10-15.x86_64.rpm
libxml2-devel-2.5.10-15.x86_64.rpm
libxml2-python-2.5.10-15.x86_64.rpm

Red Hat Desktop version 3:

Source:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/libxml-1.8.17-9.3.src.rpm
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/libxml2-2.5.10-15.src.rpm

i386:
libxml-1.8.17-9.3.i386.rpm
libxml-debuginfo-1.8.17-9.3.i386.rpm
libxml-devel-1.8.17-9.3.i386.rpm
libxml2-2.5.10-15.i386.rpm
libxml2-debuginfo-2.5.10-15.i386.rpm
libxml2-devel-2.5.10-15.i386.rpm
libxml2-python-2.5.10-15.i386.rpm

x86_64:
libxml-1.8.17-9.3.i386.rpm
libxml-1.8.17-9.3.x86_64.rpm
libxml-debuginfo-1.8.17-9.3.i386.rpm
libxml-debuginfo-1.8.17-9.3.x86_64.rpm
libxml-devel-1.8.17-9.3.x86_64.rpm
libxml2-2.5.10-15.i386.rpm
libxml2-2.5.10-15.x86_64.rpm
libxml2-debuginfo-2.5.10-15.i386.rpm
libxml2-debuginfo-2.5.10-15.x86_64.rpm
libxml2-devel-2.5.10-15.x86_64.rpm
libxml2-python-2.5.10-15.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

Source:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/libxml-1.8.17-9.3.src.rpm
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/libxml2-2.5.10-15.src.rpm

i386:
libxml-1.8.17-9.3.i386.rpm
libxml-debuginfo-1.8.17-9.3.i386.rpm
libxml-devel-1.8.17-9.3.i386.rpm
libxml2-2.5.10-15.i386.rpm
libxml2-debuginfo-2.5.10-15.i386.rpm
libxml2-devel-2.5.10-15.i386.rpm
libxml2-python-2.5.10-15.i386.rpm

ia64:
libxml-1.8.17-9.3.i386.rpm
libxml-1.8.17-9.3.ia64.rpm
libxml-debuginfo-1.8.17-9.3.i386.rpm
libxml-debuginfo-1.8.17-9.3.ia64.rpm
libxml-devel-1.8.17-9.3.ia64.rpm
libxml2-2.5.10-15.i386.rpm
libxml2-2.5.10-15.ia64.rpm
libxml2-debuginfo-2.5.10-15.i386.rpm
libxml2-debuginfo-2.5.10-15.ia64.rpm
libxml2-devel-2.5.10-15.ia64.rpm
libxml2-python-2.5.10-15.ia64.rpm

x86_64:
libxml-1.8.17-9.3.i386.rpm
libxml-1.8.17-9.3.x86_64.rpm
libxml-debuginfo-1.8.17-9.3.i386.rpm
libxml-debuginfo-1.8.17-9.3.x86_64.rpm
libxml-devel-1.8.17-9.3.x86_64.rpm
libxml2-2.5.10-15.i386.rpm
libxml2-2.5.10-15.x86_64.rpm
libxml2-debuginfo-2.5.10-15.i386.rpm
libxml2-debuginfo-2.5.10-15.x86_64.rpm
libxml2-devel-2.5.10-15.x86_64.rpm
libxml2-python-2.5.10-15.x86_64.rpm

Red Hat Enterprise Linux WS version 3:

Source:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/libxml-1.8.17-9.3.src.rpm
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/libxml2-2.5.10-15.src.rpm

i386:
libxml-1.8.17-9.3.i386.rpm
libxml-debuginfo-1.8.17-9.3.i386.rpm
libxml-devel-1.8.17-9.3.i386.rpm
libxml2-2.5.10-15.i386.rpm
libxml2-debuginfo-2.5.10-15.i386.rpm
libxml2-devel-2.5.10-15.i386.rpm
libxml2-python-2.5.10-15.i386.rpm

ia64:
libxml-1.8.17-9.3.i386.rpm
libxml-1.8.17-9.3.ia64.rpm
libxml-debuginfo-1.8.17-9.3.i386.rpm
libxml-debuginfo-1.8.17-9.3.ia64.rpm
libxml-devel-1.8.17-9.3.ia64.rpm
libxml2-2.5.10-15.i386.rpm
libxml2-2.5.10-15.ia64.rpm
libxml2-debuginfo-2.5.10-15.i386.rpm
libxml2-debuginfo-2.5.10-15.ia64.rpm
libxml2-devel-2.5.10-15.ia64.rpm
libxml2-python-2.5.10-15.ia64.rpm

x86_64:
libxml-1.8.17-9.3.i386.rpm
libxml-1.8.17-9.3.x86_64.rpm
libxml-debuginfo-1.8.17-9.3.i386.rpm
libxml-debuginfo-1.8.17-9.3.x86_64.rpm
libxml-devel-1.8.17-9.3.x86_64.rpm
libxml2-2.5.10-15.i386.rpm
libxml2-2.5.10-15.x86_64.rpm
libxml2-debuginfo-2.5.10-15.i386.rpm
libxml2-debuginfo-2.5.10-15.x86_64.rpm
libxml2-devel-2.5.10-15.x86_64.rpm
libxml2-python-2.5.10-15.x86_64.rpm

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/libxml2-2.6.16-12.7.src.rpm

i386:
libxml2-2.6.16-12.7.i386.rpm
libxml2-debuginfo-2.6.16-12.7.i386.rpm
libxml2-devel-2.6.16-12.7.i386.rpm
libxml2-python-2.6.16-12.7.i386.rpm

ia64:
libxml2-2.6.16-12.7.i386.rpm
libxml2-2.6.16-12.7.ia64.rpm
libxml2-debuginfo-2.6.16-12.7.i386.rpm
libxml2-debuginfo-2.6.16-12.7.ia64.rpm
libxml2-devel-2.6.16-12.7.ia64.rpm
libxml2-python-2.6.16-12.7.ia64.rpm

ppc:
libxml2-2.6.16-12.7.ppc.rpm
libxml2-2.6.16-12.7.ppc64.rpm
libxml2-debuginfo-2.6.16-12.7.ppc.rpm
libxml2-debuginfo-2.6.16-12.7.ppc64.rpm
libxml2-devel-2.6.16-12.7.ppc.rpm
libxml2-python-2.6.16-12.7.ppc.rpm

s390:
libxml2-2.6.16-12.7.s390.rpm
libxml2-debuginfo-2.6.16-12.7.s390.rpm
libxml2-devel-2.6.16-12.7.s390.rpm
libxml2-python-2.6.16-12.7.s390.rpm

s390x:
libxml2-2.6.16-12.7.s390.rpm
libxml2-2.6.16-12.7.s390x.rpm
libxml2-debuginfo-2.6.16-12.7.s390.rpm
libxml2-debuginfo-2.6.16-12.7.s390x.rpm
libxml2-devel-2.6.16-12.7.s390x.rpm
libxml2-python-2.6.16-12.7.s390x.rpm

x86_64:
libxml2-2.6.16-12.7.i386.rpm
libxml2-2.6.16-12.7.x86_64.rpm
libxml2-debuginfo-2.6.16-12.7.i386.rpm
libxml2-debuginfo-2.6.16-12.7.x86_64.rpm
libxml2-devel-2.6.16-12.7.x86_64.rpm
libxml2-python-2.6.16-12.7.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/libxml2-2.6.16-12.7.src.rpm

i386:
libxml2-2.6.16-12.7.i386.rpm
libxml2-debuginfo-2.6.16-12.7.i386.rpm
libxml2-devel-2.6.16-12.7.i386.rpm
libxml2-python-2.6.16-12.7.i386.rpm

x86_64:
libxml2-2.6.16-12.7.i386.rpm
libxml2-2.6.16-12.7.x86_64.rpm
libxml2-debuginfo-2.6.16-12.7.i386.rpm
libxml2-debuginfo-2.6.16-12.7.x86_64.rpm
libxml2-devel-2.6.16-12.7.x86_64.rpm
libxml2-python-2.6.16-12.7.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/libxml2-2.6.16-12.7.src.rpm

i386:
libxml2-2.6.16-12.7.i386.rpm
libxml2-debuginfo-2.6.16-12.7.i386.rpm
libxml2-devel-2.6.16-12.7.i386.rpm
libxml2-python-2.6.16-12.7.i386.rpm

ia64:
libxml2-2.6.16-12.7.i386.rpm
libxml2-2.6.16-12.7.ia64.rpm
libxml2-debuginfo-2.6.16-12.7.i386.rpm
libxml2-debuginfo-2.6.16-12.7.ia64.rpm
libxml2-devel-2.6.16-12.7.ia64.rpm
libxml2-python-2.6.16-12.7.ia64.rpm

x86_64:
libxml2-2.6.16-12.7.i386.rpm
libxml2-2.6.16-12.7.x86_64.rpm
libxml2-debuginfo-2.6.16-12.7.i386.rpm
libxml2-debuginfo-2.6.16-12.7.x86_64.rpm
libxml2-devel-2.6.16-12.7.x86_64.rpm
libxml2-python-2.6.16-12.7.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/libxml2-2.6.16-12.7.src.rpm

i386:
libxml2-2.6.16-12.7.i386.rpm
libxml2-debuginfo-2.6.16-12.7.i386.rpm
libxml2-devel-2.6.16-12.7.i386.rpm
libxml2-python-2.6.16-12.7.i386.rpm

ia64:
libxml2-2.6.16-12.7.i386.rpm
libxml2-2.6.16-12.7.ia64.rpm
libxml2-debuginfo-2.6.16-12.7.i386.rpm
libxml2-debuginfo-2.6.16-12.7.ia64.rpm
libxml2-devel-2.6.16-12.7.ia64.rpm
libxml2-python-2.6.16-12.7.ia64.rpm

x86_64:
libxml2-2.6.16-12.7.i386.rpm
libxml2-2.6.16-12.7.x86_64.rpm
libxml2-debuginfo-2.6.16-12.7.i386.rpm
libxml2-debuginfo-2.6.16-12.7.x86_64.rpm
libxml2-devel-2.6.16-12.7.x86_64.rpm
libxml2-python-2.6.16-12.7.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/libxml2-2.6.26-2.1.2.8.src.rpm

i386:
libxml2-2.6.26-2.1.2.8.i386.rpm
libxml2-debuginfo-2.6.26-2.1.2.8.i386.rpm
libxml2-python-2.6.26-2.1.2.8.i386.rpm

x86_64:
libxml2-2.6.26-2.1.2.8.i386.rpm
libxml2-2.6.26-2.1.2.8.x86_64.rpm
libxml2-debuginfo-2.6.26-2.1.2.8.i386.rpm
libxml2-debuginfo-2.6.26-2.1.2.8.x86_64.rpm
libxml2-python-2.6.26-2.1.2.8.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/libxml2-2.6.26-2.1.2.8.src.rpm

i386:
libxml2-debuginfo-2.6.26-2.1.2.8.i386.rpm
libxml2-devel-2.6.26-2.1.2.8.i386.rpm

x86_64:
libxml2-debuginfo-2.6.26-2.1.2.8.i386.rpm
libxml2-debuginfo-2.6.26-2.1.2.8.x86_64.rpm
libxml2-devel-2.6.26-2.1.2.8.i386.rpm
libxml2-devel-2.6.26-2.1.2.8.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/libxml2-2.6.26-2.1.2.8.src.rpm

i386:
libxml2-2.6.26-2.1.2.8.i386.rpm
libxml2-debuginfo-2.6.26-2.1.2.8.i386.rpm
libxml2-devel-2.6.26-2.1.2.8.i386.rpm
libxml2-python-2.6.26-2.1.2.8.i386.rpm

ia64:
libxml2-2.6.26-2.1.2.8.i386.rpm
libxml2-2.6.26-2.1.2.8.ia64.rpm
libxml2-debuginfo-2.6.26-2.1.2.8.i386.rpm
libxml2-debuginfo-2.6.26-2.1.2.8.ia64.rpm
libxml2-devel-2.6.26-2.1.2.8.ia64.rpm
libxml2-python-2.6.26-2.1.2.8.ia64.rpm

ppc:
libxml2-2.6.26-2.1.2.8.ppc.rpm
libxml2-2.6.26-2.1.2.8.ppc64.rpm
libxml2-debuginfo-2.6.26-2.1.2.8.ppc.rpm
libxml2-debuginfo-2.6.26-2.1.2.8.ppc64.rpm
libxml2-devel-2.6.26-2.1.2.8.ppc.rpm
libxml2-devel-2.6.26-2.1.2.8.ppc64.rpm
libxml2-python-2.6.26-2.1.2.8.ppc.rpm

s390x:
libxml2-2.6.26-2.1.2.8.s390.rpm
libxml2-2.6.26-2.1.2.8.s390x.rpm
libxml2-debuginfo-2.6.26-2.1.2.8.s390.rpm
libxml2-debuginfo-2.6.26-2.1.2.8.s390x.rpm
libxml2-devel-2.6.26-2.1.2.8.s390.rpm
libxml2-devel-2.6.26-2.1.2.8.s390x.rpm
libxml2-python-2.6.26-2.1.2.8.s390x.rpm

x86_64:
libxml2-2.6.26-2.1.2.8.i386.rpm
libxml2-2.6.26-2.1.2.8.x86_64.rpm
libxml2-debuginfo-2.6.26-2.1.2.8.i386.rpm
libxml2-debuginfo-2.6.26-2.1.2.8.x86_64.rpm
libxml2-devel-2.6.26-2.1.2.8.i386.rpm
libxml2-devel-2.6.26-2.1.2.8.x86_64.rpm
libxml2-python-2.6.26-2.1.2.8.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2414
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2416
http://www.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.

From bugzilla at redhat.com Wed Aug 12 14:32:37 2009
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 12 Aug 2009 10:32:37 -0400
Subject: [RHSA-2009:1207-01] Critical: nspr and nss security update
Message-ID: <200908121432.n7CEWb1S003653@int-mx1.corp.redhat.com>

=====================================================================
Red Hat Security Advisory

Synopsis: Critical: nspr and nss security update
Advisory ID: RHSA-2009:1207-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2009-1207.html
Issue date: 2009-08-12
CVE Names: CVE-2009-2404 CVE-2009-2408 CVE-2009-2409
=====================================================================

1. Summary:

Updated nspr and nss packages that fix security issues are now available for Red Hat Enterprise Linux 5.2 Extended Update Support.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux (v. 5.2.z server) - i386, ia64, ppc, s390x, x86_64

3. Description:

Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities. These facilities include threads, thread synchronization, normal file and network I/O, interval timing, calendar time, basic memory management (malloc and free), and shared library linking.
Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Applications built with NSS can support SSLv2, SSLv3, TLS, and other security standards.

These updated packages upgrade NSS from the previous version, 3.12.2, to a prerelease of version 3.12.4. The version of NSPR has also been upgraded from 4.7.3 to 4.7.4.

Moxie Marlinspike reported a heap overflow flaw in a regular expression parser in the NSS library used by browsers such as Mozilla Firefox to match common names in certificates. A malicious website could present a carefully-crafted certificate in such a way as to trigger the heap overflow, leading to a crash or, possibly, arbitrary code execution with the permissions of the user running the browser. (CVE-2009-2404)

Note: in order to exploit this issue without further user interaction in Firefox, the carefully-crafted certificate would need to be signed by a Certificate Authority trusted by Firefox, otherwise Firefox presents the victim with a warning that the certificate is untrusted. Only if the user then accepts the certificate will the overflow take place.

Dan Kaminsky discovered flaws in the way browsers such as Firefox handle NULL characters in a certificate. If an attacker is able to get a carefully-crafted certificate signed by a Certificate Authority trusted by Firefox, the attacker could use the certificate during a man-in-the-middle attack and potentially confuse Firefox into accepting it by mistake. (CVE-2009-2408)

Dan Kaminsky found that browsers still accept certificates with MD2 hash signatures, even though MD2 is no longer considered a cryptographically strong algorithm. This could make it easier for an attacker to create a malicious certificate that would be treated as trusted by a browser. NSS now disables the use of MD2 and MD4 algorithms inside signatures by default. (CVE-2009-2409)

All users of nspr and nss are advised to upgrade to these updated packages, which resolve these issues.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

510197 - CVE-2009-2409 deprecate MD2 in SSL cert validation (Kaminsky)
510251 - CVE-2009-2408 firefox/nss: doesn't handle NULL in Common Name properly
512912 - CVE-2009-2404 nss regexp heap overflow

6. Package List:

Red Hat Enterprise Linux (v. 5.2.z server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/nspr-4.7.4-1.el5_2.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/nss-3.12.3.99.3-1.el5_2.src.rpm

i386:
nspr-4.7.4-1.el5_2.i386.rpm
nspr-debuginfo-4.7.4-1.el5_2.i386.rpm
nspr-devel-4.7.4-1.el5_2.i386.rpm
nss-3.12.3.99.3-1.el5_2.i386.rpm
nss-debuginfo-3.12.3.99.3-1.el5_2.i386.rpm
nss-devel-3.12.3.99.3-1.el5_2.i386.rpm
nss-pkcs11-devel-3.12.3.99.3-1.el5_2.i386.rpm
nss-tools-3.12.3.99.3-1.el5_2.i386.rpm

ia64:
nspr-4.7.4-1.el5_2.i386.rpm
nspr-4.7.4-1.el5_2.ia64.rpm
nspr-debuginfo-4.7.4-1.el5_2.i386.rpm
nspr-debuginfo-4.7.4-1.el5_2.ia64.rpm
nspr-devel-4.7.4-1.el5_2.ia64.rpm
nss-3.12.3.99.3-1.el5_2.i386.rpm
nss-3.12.3.99.3-1.el5_2.ia64.rpm
nss-debuginfo-3.12.3.99.3-1.el5_2.i386.rpm
nss-debuginfo-3.12.3.99.3-1.el5_2.ia64.rpm
nss-devel-3.12.3.99.3-1.el5_2.ia64.rpm
nss-pkcs11-devel-3.12.3.99.3-1.el5_2.ia64.rpm
nss-tools-3.12.3.99.3-1.el5_2.ia64.rpm

ppc:
nspr-4.7.4-1.el5_2.ppc.rpm
nspr-4.7.4-1.el5_2.ppc64.rpm
nspr-debuginfo-4.7.4-1.el5_2.ppc.rpm
nspr-debuginfo-4.7.4-1.el5_2.ppc64.rpm
nspr-devel-4.7.4-1.el5_2.ppc.rpm
nspr-devel-4.7.4-1.el5_2.ppc64.rpm
nss-3.12.3.99.3-1.el5_2.ppc.rpm
nss-3.12.3.99.3-1.el5_2.ppc64.rpm
nss-debuginfo-3.12.3.99.3-1.el5_2.ppc.rpm
nss-debuginfo-3.12.3.99.3-1.el5_2.ppc64.rpm
nss-devel-3.12.3.99.3-1.el5_2.ppc.rpm
nss-devel-3.12.3.99.3-1.el5_2.ppc64.rpm
nss-pkcs11-devel-3.12.3.99.3-1.el5_2.ppc.rpm
nss-pkcs11-devel-3.12.3.99.3-1.el5_2.ppc64.rpm
nss-tools-3.12.3.99.3-1.el5_2.ppc.rpm

s390x:
nspr-4.7.4-1.el5_2.s390.rpm
nspr-4.7.4-1.el5_2.s390x.rpm
nspr-debuginfo-4.7.4-1.el5_2.s390.rpm
nspr-debuginfo-4.7.4-1.el5_2.s390x.rpm
nspr-devel-4.7.4-1.el5_2.s390.rpm
nspr-devel-4.7.4-1.el5_2.s390x.rpm
nss-3.12.3.99.3-1.el5_2.s390.rpm
nss-3.12.3.99.3-1.el5_2.s390x.rpm
nss-debuginfo-3.12.3.99.3-1.el5_2.s390.rpm
nss-debuginfo-3.12.3.99.3-1.el5_2.s390x.rpm
nss-devel-3.12.3.99.3-1.el5_2.s390.rpm
nss-devel-3.12.3.99.3-1.el5_2.s390x.rpm
nss-pkcs11-devel-3.12.3.99.3-1.el5_2.s390.rpm
nss-pkcs11-devel-3.12.3.99.3-1.el5_2.s390x.rpm
nss-tools-3.12.3.99.3-1.el5_2.s390x.rpm

x86_64:
nspr-4.7.4-1.el5_2.i386.rpm
nspr-4.7.4-1.el5_2.x86_64.rpm
nspr-debuginfo-4.7.4-1.el5_2.i386.rpm
nspr-debuginfo-4.7.4-1.el5_2.x86_64.rpm
nspr-devel-4.7.4-1.el5_2.i386.rpm
nspr-devel-4.7.4-1.el5_2.x86_64.rpm
nss-3.12.3.99.3-1.el5_2.i386.rpm
nss-3.12.3.99.3-1.el5_2.x86_64.rpm
nss-debuginfo-3.12.3.99.3-1.el5_2.i386.rpm
nss-debuginfo-3.12.3.99.3-1.el5_2.x86_64.rpm
nss-devel-3.12.3.99.3-1.el5_2.i386.rpm
nss-devel-3.12.3.99.3-1.el5_2.x86_64.rpm
nss-pkcs11-devel-3.12.3.99.3-1.el5_2.i386.rpm
nss-pkcs11-devel-3.12.3.99.3-1.el5_2.x86_64.rpm
nss-tools-3.12.3.99.3-1.el5_2.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2404
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2408
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2409
http://www.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.
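The NULL-character flaw in this advisory (CVE-2009-2408), and the same "null prefix" issue that the next advisory fixes in cURL as CVE-2009-2417, come down to one mechanism: a DER string in a certificate carries an explicit length, but a consumer that copies it into a C string and uses string functions sees only the bytes before the first NUL. The block below is an added example and is not NSS, Firefox or cURL code; the struct, the function names, the constructed test vector and the signature-algorithm policy (which mirrors the MD2/MD4 default rejection described for CVE-2009-2409, using the standard PKCS#1 OIDs) are assumptions made here. It shows the C-string comparison beside a length-aware one that rejects any embedded NUL.

```c
/*
 * Added example, not NSS, Firefox or cURL code: why an embedded NUL byte in
 * a certificate's Common Name defeats a C-string comparison, and a
 * length-aware check that is not fooled. DER strings carry an explicit
 * length, so that length, never the first NUL byte, is the authority.
 * The struct, function names and test vector are assumptions made here.
 */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A name as a DER decoder hands it over: explicit length, no terminator. */
struct der_string {
    const unsigned char *data;
    size_t len;
};

struct der_string der_lit(const char *bytes, size_t n)
{
    struct der_string s = { (const unsigned char *)bytes, n };
    return s;
}

/* Case-insensitive comparison of exactly n bytes; the caller guarantees
 * that b has at least n characters. */
static bool eq_ignore_case(const unsigned char *a, size_t n, const char *b)
{
    for (size_t i = 0; i < n; i++)
        if (tolower(a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/* Vulnerable pattern: copy the name into a NUL-terminated buffer and use
 * string functions on it. Everything after an embedded NUL is invisible,
 * so a 27-byte name "good.example\0.other.example" compares equal to
 * "good.example". */
bool cn_matches_cstring(const struct der_string *cn, const char *hostname)
{
    char buf[256];
    if (cn->len >= sizeof buf)
        return false;
    memcpy(buf, cn->data, cn->len);
    buf[cn->len] = '\0';
    size_t seen = strlen(buf);          /* stops at the embedded NUL */
    return seen == strlen(hostname) && eq_ignore_case((unsigned char *)buf, seen, hostname);
}

/* Hardened check: reject any NUL inside the DER length, then compare over
 * the whole length so a shorter prefix can never match. A single
 * left-most wildcard label is honoured. */
bool cn_matches_safe(const struct der_string *cn, const char *hostname)
{
    size_t hlen = strlen(hostname);
    if (memchr(cn->data, '\0', cn->len) != NULL)
        return false;                   /* a hostname never contains NUL */
    if (cn->len >= 2 && cn->data[0] == '*' && cn->data[1] == '.') {
        size_t slen = cn->len - 1;      /* the ".example.com" part */
        if (hlen <= slen)
            return false;
        size_t plen = hlen - slen;      /* leading label of the hostname */
        if (memchr(hostname, '.', plen) != NULL)
            return false;               /* wildcard covers one label only */
        return eq_ignore_case(cn->data + 1, slen, hostname + plen);
    }
    return cn->len == hlen && eq_ignore_case(cn->data, cn->len, hostname);
}

/* PKCS#1 OIDs of the signature algorithms the advisory says NSS now
 * rejects inside signatures by default. */
static const char *const DISALLOWED_SIG_ALGS[] = {
    "1.2.840.113549.1.1.2",   /* md2WithRSAEncryption */
    "1.2.840.113549.1.1.3",   /* md4WithRSAEncryption */
};

bool sig_alg_allowed(const char *oid)
{
    for (size_t i = 0; i < sizeof DISALLOWED_SIG_ALGS / sizeof DISALLOWED_SIG_ALGS[0]; i++)
        if (strcmp(oid, DISALLOWED_SIG_ALGS[i]) == 0)
            return false;
    return true;
}

/* Both checks over one leaf certificate: 0 = accept, otherwise a bit mask
 * (1 = name does not match the expected host, 2 = weak signature). */
int check_leaf_cert(const struct der_string *cn, const char *sig_oid, const char *hostname)
{
    int problems = 0;
    if (!cn_matches_safe(cn, hostname))
        problems |= 1;
    if (!sig_alg_allowed(sig_oid))
        problems |= 2;
    return problems;
}

int main(void)
{
    /* Constructed test vector: DER length 27, C-string view only 12 bytes. */
    struct der_string cn = der_lit("good.example\0.other.example", 27);
    printf("C-string match : %d\n", cn_matches_cstring(&cn, "good.example"));
    printf("length-aware   : %d\n", cn_matches_safe(&cn, "good.example"));
    printf("md2 accepted   : %d\n", sig_alg_allowed("1.2.840.113549.1.1.2"));
    return 0;
}
```

The defensive rule the hardened function encodes is that the decoder's length, not the first NUL byte, bounds every comparison; a real verifier would apply the same rule to subjectAltName entries and would derive the allowed-algorithm list from its trust policy rather than a fixed array.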
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFKgtJqXlSAg2UNWIIRAgnhAJwMg/TVRMEL/wfOqeJ6ZzBtVOSNIQCfdLM4
pOh/BgCtWMx9l1BcIXpKsm4=
=c4qV
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Aug 13 15:43:38 2009
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 13 Aug 2009 11:43:38 -0400
Subject: [RHSA-2009:1209-01] Moderate: curl security update
Message-ID: <200908131543.n7DFhcJB000968@int-mx1.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: curl security update
Advisory ID:       RHSA-2009:1209-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2009-1209.html
Issue date:        2009-08-13
CVE Names:         CVE-2009-2417
=====================================================================

1. Summary:

Updated curl packages that fix security issues are now available for Red Hat Enterprise Linux 3, 4, and 5.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64

3. Description:

cURL is a tool for getting files from FTP, HTTP, Gopher, Telnet, and Dict servers, using any of the supported protocols. cURL is designed to work without user interaction or any kind of interactivity.

Scott Cantor reported that cURL is affected by the previously published "null prefix attack", caused by incorrect handling of NULL characters in X.509 certificates. If an attacker is able to get a carefully-crafted certificate signed by a trusted Certificate Authority, the attacker could use the certificate during a man-in-the-middle attack and potentially confuse cURL into accepting it by mistake. (CVE-2009-2417)

cURL users should upgrade to these updated packages, which contain a backported patch to correct these issues. All running applications using libcurl must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

516181 - CVE-2009-2417 curl: incorrect verification of SSL certificate with NUL in name

6. Package List:

Red Hat Enterprise Linux AS version 3:

Source:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/curl-7.10.6-10.rhel3.src.rpm

i386:
curl-7.10.6-10.rhel3.i386.rpm
curl-debuginfo-7.10.6-10.rhel3.i386.rpm
curl-devel-7.10.6-10.rhel3.i386.rpm

ia64:
curl-7.10.6-10.rhel3.i386.rpm
curl-7.10.6-10.rhel3.ia64.rpm
curl-debuginfo-7.10.6-10.rhel3.i386.rpm
curl-debuginfo-7.10.6-10.rhel3.ia64.rpm
curl-devel-7.10.6-10.rhel3.ia64.rpm

ppc:
curl-7.10.6-10.rhel3.ppc.rpm
curl-7.10.6-10.rhel3.ppc64.rpm
curl-debuginfo-7.10.6-10.rhel3.ppc.rpm
curl-debuginfo-7.10.6-10.rhel3.ppc64.rpm
curl-devel-7.10.6-10.rhel3.ppc.rpm

s390:
curl-7.10.6-10.rhel3.s390.rpm
curl-debuginfo-7.10.6-10.rhel3.s390.rpm
curl-devel-7.10.6-10.rhel3.s390.rpm

s390x:
curl-7.10.6-10.rhel3.s390.rpm
curl-7.10.6-10.rhel3.s390x.rpm
curl-debuginfo-7.10.6-10.rhel3.s390.rpm
curl-debuginfo-7.10.6-10.rhel3.s390x.rpm
curl-devel-7.10.6-10.rhel3.s390x.rpm

x86_64:
curl-7.10.6-10.rhel3.i386.rpm
curl-7.10.6-10.rhel3.x86_64.rpm
curl-debuginfo-7.10.6-10.rhel3.i386.rpm
curl-debuginfo-7.10.6-10.rhel3.x86_64.rpm
curl-devel-7.10.6-10.rhel3.x86_64.rpm

Red Hat Desktop version 3:

Source:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/curl-7.10.6-10.rhel3.src.rpm

i386:
curl-7.10.6-10.rhel3.i386.rpm
curl-debuginfo-7.10.6-10.rhel3.i386.rpm
curl-devel-7.10.6-10.rhel3.i386.rpm

x86_64:
curl-7.10.6-10.rhel3.i386.rpm
curl-7.10.6-10.rhel3.x86_64.rpm
curl-debuginfo-7.10.6-10.rhel3.i386.rpm
curl-debuginfo-7.10.6-10.rhel3.x86_64.rpm
curl-devel-7.10.6-10.rhel3.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

Source:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/curl-7.10.6-10.rhel3.src.rpm

i386:
curl-7.10.6-10.rhel3.i386.rpm
curl-debuginfo-7.10.6-10.rhel3.i386.rpm
curl-devel-7.10.6-10.rhel3.i386.rpm

ia64:
curl-7.10.6-10.rhel3.i386.rpm
curl-7.10.6-10.rhel3.ia64.rpm
curl-debuginfo-7.10.6-10.rhel3.i386.rpm
curl-debuginfo-7.10.6-10.rhel3.ia64.rpm
curl-devel-7.10.6-10.rhel3.ia64.rpm

x86_64:
curl-7.10.6-10.rhel3.i386.rpm
curl-7.10.6-10.rhel3.x86_64.rpm
curl-debuginfo-7.10.6-10.rhel3.i386.rpm
curl-debuginfo-7.10.6-10.rhel3.x86_64.rpm
curl-devel-7.10.6-10.rhel3.x86_64.rpm

Red Hat Enterprise Linux WS version 3:

Source:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/curl-7.10.6-10.rhel3.src.rpm

i386:
curl-7.10.6-10.rhel3.i386.rpm
curl-debuginfo-7.10.6-10.rhel3.i386.rpm
curl-devel-7.10.6-10.rhel3.i386.rpm

ia64:
curl-7.10.6-10.rhel3.i386.rpm
curl-7.10.6-10.rhel3.ia64.rpm
curl-debuginfo-7.10.6-10.rhel3.i386.rpm
curl-debuginfo-7.10.6-10.rhel3.ia64.rpm
curl-devel-7.10.6-10.rhel3.ia64.rpm

x86_64:
curl-7.10.6-10.rhel3.i386.rpm
curl-7.10.6-10.rhel3.x86_64.rpm
curl-debuginfo-7.10.6-10.rhel3.i386.rpm
curl-debuginfo-7.10.6-10.rhel3.x86_64.rpm
curl-devel-7.10.6-10.rhel3.x86_64.rpm

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/curl-7.12.1-11.1.el4_8.1.src.rpm

i386:
curl-7.12.1-11.1.el4_8.1.i386.rpm
curl-debuginfo-7.12.1-11.1.el4_8.1.i386.rpm
curl-devel-7.12.1-11.1.el4_8.1.i386.rpm

ia64:
curl-7.12.1-11.1.el4_8.1.i386.rpm
curl-7.12.1-11.1.el4_8.1.ia64.rpm
curl-debuginfo-7.12.1-11.1.el4_8.1.i386.rpm
curl-debuginfo-7.12.1-11.1.el4_8.1.ia64.rpm
curl-devel-7.12.1-11.1.el4_8.1.ia64.rpm

ppc:
curl-7.12.1-11.1.el4_8.1.ppc.rpm
curl-7.12.1-11.1.el4_8.1.ppc64.rpm
curl-debuginfo-7.12.1-11.1.el4_8.1.ppc.rpm
curl-debuginfo-7.12.1-11.1.el4_8.1.ppc64.rpm
curl-devel-7.12.1-11.1.el4_8.1.ppc.rpm

s390:
curl-7.12.1-11.1.el4_8.1.s390.rpm
curl-debuginfo-7.12.1-11.1.el4_8.1.s390.rpm
curl-devel-7.12.1-11.1.el4_8.1.s390.rpm

s390x:
curl-7.12.1-11.1.el4_8.1.s390.rpm
curl-7.12.1-11.1.el4_8.1.s390x.rpm
curl-debuginfo-7.12.1-11.1.el4_8.1.s390.rpm
curl-debuginfo-7.12.1-11.1.el4_8.1.s390x.rpm
curl-devel-7.12.1-11.1.el4_8.1.s390x.rpm

x86_64:
curl-7.12.1-11.1.el4_8.1.i386.rpm
curl-7.12.1-11.1.el4_8.1.x86_64.rpm
curl-debuginfo-7.12.1-11.1.el4_8.1.i386.rpm
curl-debuginfo-7.12.1-11.1.el4_8.1.x86_64.rpm
curl-devel-7.12.1-11.1.el4_8.1.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/curl-7.12.1-11.1.el4_8.1.src.rpm

i386:
curl-7.12.1-11.1.el4_8.1.i386.rpm
curl-debuginfo-7.12.1-11.1.el4_8.1.i386.rpm
curl-devel-7.12.1-11.1.el4_8.1.i386.rpm

x86_64:
curl-7.12.1-11.1.el4_8.1.i386.rpm
curl-7.12.1-11.1.el4_8.1.x86_64.rpm
curl-debuginfo-7.12.1-11.1.el4_8.1.i386.rpm
curl-debuginfo-7.12.1-11.1.el4_8.1.x86_64.rpm
curl-devel-7.12.1-11.1.el4_8.1.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/curl-7.12.1-11.1.el4_8.1.src.rpm

i386:
curl-7.12.1-11.1.el4_8.1.i386.rpm
curl-debuginfo-7.12.1-11.1.el4_8.1.i386.rpm
curl-devel-7.12.1-11.1.el4_8.1.i386.rpm

ia64:
curl-7.12.1-11.1.el4_8.1.i386.rpm
curl-7.12.1-11.1.el4_8.1.ia64.rpm
curl-debuginfo-7.12.1-11.1.el4_8.1.i386.rpm
curl-debuginfo-7.12.1-11.1.el4_8.1.ia64.rpm
curl-devel-7.12.1-11.1.el4_8.1.ia64.rpm

x86_64:
curl-7.12.1-11.1.el4_8.1.i386.rpm
curl-7.12.1-11.1.el4_8.1.x86_64.rpm
curl-debuginfo-7.12.1-11.1.el4_8.1.i386.rpm
curl-debuginfo-7.12.1-11.1.el4_8.1.x86_64.rpm
curl-devel-7.12.1-11.1.el4_8.1.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/curl-7.12.1-11.1.el4_8.1.src.rpm

i386:
curl-7.12.1-11.1.el4_8.1.i386.rpm
curl-debuginfo-7.12.1-11.1.el4_8.1.i386.rpm
curl-devel-7.12.1-11.1.el4_8.1.i386.rpm

ia64:
curl-7.12.1-11.1.el4_8.1.i386.rpm
curl-7.12.1-11.1.el4_8.1.ia64.rpm
curl-debuginfo-7.12.1-11.1.el4_8.1.i386.rpm
curl-debuginfo-7.12.1-11.1.el4_8.1.ia64.rpm
curl-devel-7.12.1-11.1.el4_8.1.ia64.rpm

x86_64:
curl-7.12.1-11.1.el4_8.1.i386.rpm
curl-7.12.1-11.1.el4_8.1.x86_64.rpm
curl-debuginfo-7.12.1-11.1.el4_8.1.i386.rpm
curl-debuginfo-7.12.1-11.1.el4_8.1.x86_64.rpm
curl-devel-7.12.1-11.1.el4_8.1.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/curl-7.15.5-2.1.el5_3.5.src.rpm

i386:
curl-7.15.5-2.1.el5_3.5.i386.rpm
curl-debuginfo-7.15.5-2.1.el5_3.5.i386.rpm

x86_64:
curl-7.15.5-2.1.el5_3.5.i386.rpm
curl-7.15.5-2.1.el5_3.5.x86_64.rpm
curl-debuginfo-7.15.5-2.1.el5_3.5.i386.rpm
curl-debuginfo-7.15.5-2.1.el5_3.5.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/curl-7.15.5-2.1.el5_3.5.src.rpm

i386:
curl-debuginfo-7.15.5-2.1.el5_3.5.i386.rpm
curl-devel-7.15.5-2.1.el5_3.5.i386.rpm

x86_64:
curl-debuginfo-7.15.5-2.1.el5_3.5.i386.rpm
curl-debuginfo-7.15.5-2.1.el5_3.5.x86_64.rpm
curl-devel-7.15.5-2.1.el5_3.5.i386.rpm
curl-devel-7.15.5-2.1.el5_3.5.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/curl-7.15.5-2.1.el5_3.5.src.rpm

i386:
curl-7.15.5-2.1.el5_3.5.i386.rpm
curl-debuginfo-7.15.5-2.1.el5_3.5.i386.rpm
curl-devel-7.15.5-2.1.el5_3.5.i386.rpm

ia64:
curl-7.15.5-2.1.el5_3.5.ia64.rpm
curl-debuginfo-7.15.5-2.1.el5_3.5.ia64.rpm
curl-devel-7.15.5-2.1.el5_3.5.ia64.rpm

ppc:
curl-7.15.5-2.1.el5_3.5.ppc.rpm
curl-7.15.5-2.1.el5_3.5.ppc64.rpm
curl-debuginfo-7.15.5-2.1.el5_3.5.ppc.rpm
curl-debuginfo-7.15.5-2.1.el5_3.5.ppc64.rpm
curl-devel-7.15.5-2.1.el5_3.5.ppc.rpm
curl-devel-7.15.5-2.1.el5_3.5.ppc64.rpm

s390x:
curl-7.15.5-2.1.el5_3.5.s390.rpm
curl-7.15.5-2.1.el5_3.5.s390x.rpm
curl-debuginfo-7.15.5-2.1.el5_3.5.s390.rpm
curl-debuginfo-7.15.5-2.1.el5_3.5.s390x.rpm
curl-devel-7.15.5-2.1.el5_3.5.s390.rpm
curl-devel-7.15.5-2.1.el5_3.5.s390x.rpm

x86_64:
curl-7.15.5-2.1.el5_3.5.i386.rpm
curl-7.15.5-2.1.el5_3.5.x86_64.rpm
curl-debuginfo-7.15.5-2.1.el5_3.5.i386.rpm
curl-debuginfo-7.15.5-2.1.el5_3.5.x86_64.rpm
curl-devel-7.15.5-2.1.el5_3.5.i386.rpm
curl-devel-7.15.5-2.1.el5_3.5.x86_64.rpm

These packages are GPG signed by Red Hat for security.
Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2417
http://www.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFKhDSaXlSAg2UNWIIRAvXOAKC8qP3bb3QHmDdt3AyebYDfX3eTKACgwqvs
hauCSeyWk1fwAYz+BT/bET0=
=E97k
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Aug 13 15:43:57 2009
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 13 Aug 2009 11:43:57 -0400
Subject: [RHSA-2009:1211-01] Important: kernel security and bug fix update
Message-ID: <200908131543.n7DFhvmF001295@int-mx1.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: kernel security and bug fix update
Advisory ID:       RHSA-2009:1211-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2009-1211.html
Issue date:        2009-08-13
CVE Names:         CVE-2009-1389 CVE-2009-1439 CVE-2009-1633
=====================================================================

1. Summary:

Updated kernel packages that fix several security issues and several bugs are now available for Red Hat Enterprise Linux 4.

This update has been rated as having important security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 - i386, ia64, noarch, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, noarch, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, noarch, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, noarch, x86_64

3. Description:

The kernel packages contain the Linux kernel, the core of any Linux operating system.

These updated packages fix the following security issues:

* Michael Tokarev reported a flaw in the Realtek r8169 Ethernet driver in the Linux kernel. This driver allowed interfaces using this driver to receive frames larger than what could be handled. This could lead to a remote denial of service or code execution. (CVE-2009-1389, Important)

* a buffer overflow flaw was found in the CIFSTCon() function of the Linux kernel Common Internet File System (CIFS) implementation. When mounting a CIFS share, a malicious server could send an overly-long string to the client, possibly leading to a denial of service or privilege escalation on the client mounting the CIFS share. (CVE-2009-1439, Important)

* several flaws were found in the way the Linux kernel CIFS implementation handles Unicode strings. CIFS clients convert Unicode strings sent by a server to their local character sets, and then write those strings into memory. If a malicious server sent a long enough string, it could write past the end of the target memory region and corrupt other memory areas, possibly leading to a denial of service or privilege escalation on the client mounting the CIFS share. (CVE-2009-1633, Important)

These updated packages also fix the following bugs:

* when using network bonding in the "balance-tlb" or "balance-alb" mode, the primary setting for the primary slave device was lost when said device was brought down (ifdown). Bringing the slave interface back up (ifup) did not restore the primary setting (the device was not made the active slave). (BZ#507563)

* a bug in timer_interrupt() may have caused the system time to move up to two days or more into the future, or to be delayed for several minutes. This bug only affected Intel 64 and AMD64 systems that have the High Precision Event Timer (HPET) enabled in the BIOS, and could have caused problems for applications that require timing to be accurate. (BZ#508835)

* a race condition was resolved in the Linux kernel block layer between show_partition() and rescan_partitions(). This could have caused a NULL pointer dereference in show_partition(), leading to a system crash (kernel panic). This issue was most likely to occur on systems running monitoring software that regularly scanned hard disk partitions, or from repeatedly running commands that probe for partition information. (BZ#512310)

* previously, the Stratus memory tracker missed certain modified pages. With this update, information about the type of page (small page or huge page) is passed to the Stratus memory tracker, which resolves this issue. The fix for this issue does not affect systems that do not use memory tracking. (BZ#513182)

* a bug may have caused a system crash when using the cciss driver, due to an uninitialized kernel structure. A reported case of this issue occurred after issuing consecutive SCSI TUR commands (sg_turs sends SCSI test-unit-ready commands in a loop). (BZ#513189)

* a bug in the SCSI implementation caused "Aborted Command - internal target failure" errors to be sent to Device-Mapper Multipath, without retries, resulting in Device-Mapper Multipath marking the path as failed and making a path group switch. With this update, all errors that return a sense key in the SCSI mid layer (including "Aborted Command - internal target failure") are retried. (BZ#514007)

Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network.
Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

494275 - CVE-2009-1439 kernel: cifs: memory overwrite when saving nativeFileSystem field during mount
496572 - CVE-2009-1633 kernel: cifs: fix potential buffer overruns when converting unicode strings sent by server
504726 - CVE-2009-1389 kernel: r8169: fix crash when large packets are received
507563 - A bond's preferred primary setting is lost after bringing down and up of the primary slave.
508835 - [4.6] The system time leaps 2 days 21 hours 41 min future.
512310 - show_partition() oops when race with rescan_partitions().
513182 - Function unmap_hugepage_range passing PMD instead of PTE to ptep_get_and_clear
513189 - RHEL4.8: crash in do_cciss_request()
514007 - Make Aborted Command (internal target failure) retryable at SCSI layer (sense B 44 00)

6. Package List:

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/kernel-2.6.9-89.0.7.EL.src.rpm

i386:
kernel-2.6.9-89.0.7.EL.i686.rpm
kernel-debuginfo-2.6.9-89.0.7.EL.i686.rpm
kernel-devel-2.6.9-89.0.7.EL.i686.rpm
kernel-hugemem-2.6.9-89.0.7.EL.i686.rpm
kernel-hugemem-devel-2.6.9-89.0.7.EL.i686.rpm
kernel-smp-2.6.9-89.0.7.EL.i686.rpm
kernel-smp-devel-2.6.9-89.0.7.EL.i686.rpm
kernel-xenU-2.6.9-89.0.7.EL.i686.rpm
kernel-xenU-devel-2.6.9-89.0.7.EL.i686.rpm

ia64:
kernel-2.6.9-89.0.7.EL.ia64.rpm
kernel-debuginfo-2.6.9-89.0.7.EL.ia64.rpm
kernel-devel-2.6.9-89.0.7.EL.ia64.rpm
kernel-largesmp-2.6.9-89.0.7.EL.ia64.rpm
kernel-largesmp-devel-2.6.9-89.0.7.EL.ia64.rpm

noarch:
kernel-doc-2.6.9-89.0.7.EL.noarch.rpm

ppc:
kernel-2.6.9-89.0.7.EL.ppc64.rpm
kernel-2.6.9-89.0.7.EL.ppc64iseries.rpm
kernel-debuginfo-2.6.9-89.0.7.EL.ppc64.rpm
kernel-debuginfo-2.6.9-89.0.7.EL.ppc64iseries.rpm
kernel-devel-2.6.9-89.0.7.EL.ppc64.rpm
kernel-devel-2.6.9-89.0.7.EL.ppc64iseries.rpm
kernel-largesmp-2.6.9-89.0.7.EL.ppc64.rpm
kernel-largesmp-devel-2.6.9-89.0.7.EL.ppc64.rpm

s390:
kernel-2.6.9-89.0.7.EL.s390.rpm
kernel-debuginfo-2.6.9-89.0.7.EL.s390.rpm
kernel-devel-2.6.9-89.0.7.EL.s390.rpm

s390x:
kernel-2.6.9-89.0.7.EL.s390x.rpm
kernel-debuginfo-2.6.9-89.0.7.EL.s390x.rpm
kernel-devel-2.6.9-89.0.7.EL.s390x.rpm

x86_64:
kernel-2.6.9-89.0.7.EL.x86_64.rpm
kernel-debuginfo-2.6.9-89.0.7.EL.x86_64.rpm
kernel-devel-2.6.9-89.0.7.EL.x86_64.rpm
kernel-largesmp-2.6.9-89.0.7.EL.x86_64.rpm
kernel-largesmp-devel-2.6.9-89.0.7.EL.x86_64.rpm
kernel-smp-2.6.9-89.0.7.EL.x86_64.rpm
kernel-smp-devel-2.6.9-89.0.7.EL.x86_64.rpm
kernel-xenU-2.6.9-89.0.7.EL.x86_64.rpm
kernel-xenU-devel-2.6.9-89.0.7.EL.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/kernel-2.6.9-89.0.7.EL.src.rpm

i386:
kernel-2.6.9-89.0.7.EL.i686.rpm
kernel-debuginfo-2.6.9-89.0.7.EL.i686.rpm
kernel-devel-2.6.9-89.0.7.EL.i686.rpm
kernel-hugemem-2.6.9-89.0.7.EL.i686.rpm
kernel-hugemem-devel-2.6.9-89.0.7.EL.i686.rpm
kernel-smp-2.6.9-89.0.7.EL.i686.rpm
kernel-smp-devel-2.6.9-89.0.7.EL.i686.rpm
kernel-xenU-2.6.9-89.0.7.EL.i686.rpm
kernel-xenU-devel-2.6.9-89.0.7.EL.i686.rpm

noarch:
kernel-doc-2.6.9-89.0.7.EL.noarch.rpm

x86_64:
kernel-2.6.9-89.0.7.EL.x86_64.rpm
kernel-debuginfo-2.6.9-89.0.7.EL.x86_64.rpm
kernel-devel-2.6.9-89.0.7.EL.x86_64.rpm
kernel-largesmp-2.6.9-89.0.7.EL.x86_64.rpm
kernel-largesmp-devel-2.6.9-89.0.7.EL.x86_64.rpm
kernel-smp-2.6.9-89.0.7.EL.x86_64.rpm
kernel-smp-devel-2.6.9-89.0.7.EL.x86_64.rpm
kernel-xenU-2.6.9-89.0.7.EL.x86_64.rpm
kernel-xenU-devel-2.6.9-89.0.7.EL.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/kernel-2.6.9-89.0.7.EL.src.rpm

i386:
kernel-2.6.9-89.0.7.EL.i686.rpm
kernel-debuginfo-2.6.9-89.0.7.EL.i686.rpm
kernel-devel-2.6.9-89.0.7.EL.i686.rpm
kernel-hugemem-2.6.9-89.0.7.EL.i686.rpm
kernel-hugemem-devel-2.6.9-89.0.7.EL.i686.rpm
kernel-smp-2.6.9-89.0.7.EL.i686.rpm
kernel-smp-devel-2.6.9-89.0.7.EL.i686.rpm
kernel-xenU-2.6.9-89.0.7.EL.i686.rpm
kernel-xenU-devel-2.6.9-89.0.7.EL.i686.rpm

ia64:
kernel-2.6.9-89.0.7.EL.ia64.rpm
kernel-debuginfo-2.6.9-89.0.7.EL.ia64.rpm
kernel-devel-2.6.9-89.0.7.EL.ia64.rpm
kernel-largesmp-2.6.9-89.0.7.EL.ia64.rpm
kernel-largesmp-devel-2.6.9-89.0.7.EL.ia64.rpm

noarch:
kernel-doc-2.6.9-89.0.7.EL.noarch.rpm

x86_64:
kernel-2.6.9-89.0.7.EL.x86_64.rpm
kernel-debuginfo-2.6.9-89.0.7.EL.x86_64.rpm
kernel-devel-2.6.9-89.0.7.EL.x86_64.rpm
kernel-largesmp-2.6.9-89.0.7.EL.x86_64.rpm
kernel-largesmp-devel-2.6.9-89.0.7.EL.x86_64.rpm
kernel-smp-2.6.9-89.0.7.EL.x86_64.rpm
kernel-smp-devel-2.6.9-89.0.7.EL.x86_64.rpm
kernel-xenU-2.6.9-89.0.7.EL.x86_64.rpm
kernel-xenU-devel-2.6.9-89.0.7.EL.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/kernel-2.6.9-89.0.7.EL.src.rpm

i386:
kernel-2.6.9-89.0.7.EL.i686.rpm
kernel-debuginfo-2.6.9-89.0.7.EL.i686.rpm
kernel-devel-2.6.9-89.0.7.EL.i686.rpm
kernel-hugemem-2.6.9-89.0.7.EL.i686.rpm
kernel-hugemem-devel-2.6.9-89.0.7.EL.i686.rpm
kernel-smp-2.6.9-89.0.7.EL.i686.rpm
kernel-smp-devel-2.6.9-89.0.7.EL.i686.rpm
kernel-xenU-2.6.9-89.0.7.EL.i686.rpm
kernel-xenU-devel-2.6.9-89.0.7.EL.i686.rpm

ia64:
kernel-2.6.9-89.0.7.EL.ia64.rpm
kernel-debuginfo-2.6.9-89.0.7.EL.ia64.rpm
kernel-devel-2.6.9-89.0.7.EL.ia64.rpm
kernel-largesmp-2.6.9-89.0.7.EL.ia64.rpm
kernel-largesmp-devel-2.6.9-89.0.7.EL.ia64.rpm

noarch:
kernel-doc-2.6.9-89.0.7.EL.noarch.rpm

x86_64:
kernel-2.6.9-89.0.7.EL.x86_64.rpm
kernel-debuginfo-2.6.9-89.0.7.EL.x86_64.rpm
kernel-devel-2.6.9-89.0.7.EL.x86_64.rpm
kernel-largesmp-2.6.9-89.0.7.EL.x86_64.rpm
kernel-largesmp-devel-2.6.9-89.0.7.EL.x86_64.rpm
kernel-smp-2.6.9-89.0.7.EL.x86_64.rpm
kernel-smp-devel-2.6.9-89.0.7.EL.x86_64.rpm
kernel-xenU-2.6.9-89.0.7.EL.x86_64.rpm
kernel-xenU-devel-2.6.9-89.0.7.EL.x86_64.rpm

These packages are GPG signed by Red Hat for security.
Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1389
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1439
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1633
http://www.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFKhDSwXlSAg2UNWIIRAp5EAJ9Eba9W/Outak3VHmDTuVXn+G7yjwCgkdB3
+DIbrkzoWWKOfdStECoVjpQ=
=fiRX
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Tue Aug 18 18:34:12 2009
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 18 Aug 2009 14:34:12 -0400
Subject: [RHSA-2009:1218-01] Critical: pidgin security update
Message-ID: <200908181834.n7IIYCJd016016@int-mx1.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: pidgin security update
Advisory ID:       RHSA-2009:1218-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2009-1218.html
Issue date:        2009-08-18
CVE Names:         CVE-2009-2694
=====================================================================

1. Summary:

Updated pidgin packages that fix a security issue are now available for Red Hat Enterprise Linux 3, 4, and 5.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
RHEL Desktop Workstation (v. 5 client) - i386, x86_64
RHEL Optional Productivity Applications (v. 5 server) - i386, x86_64

3. Description:

Pidgin is an instant messaging program which can log in to multiple accounts on multiple instant messaging networks simultaneously.

Federico Muttis of Core Security Technologies discovered a flaw in Pidgin's MSN protocol handler. If a user received a malicious MSN message, it was possible to execute arbitrary code with the permissions of the user running Pidgin. (CVE-2009-2694)

Note: Users can change their privacy settings to only allow messages from users on their buddy list to limit the impact of this flaw.

These packages upgrade Pidgin to version 2.5.9. Refer to the Pidgin release notes for a full list of changes: http://developer.pidgin.im/wiki/ChangeLog

All Pidgin users should upgrade to these updated packages, which resolve this issue. Pidgin must be restarted for this update to take effect.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

514957 - CVE-2009-2694 pidgin: insufficient input validation in msn_slplink_process_msg()

6. Package List:

Red Hat Enterprise Linux AS version 3:

Source:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/pidgin-1.5.1-4.el3.src.rpm

i386:
pidgin-1.5.1-4.el3.i386.rpm
pidgin-debuginfo-1.5.1-4.el3.i386.rpm

ia64:
pidgin-1.5.1-4.el3.ia64.rpm
pidgin-debuginfo-1.5.1-4.el3.ia64.rpm

ppc:
pidgin-1.5.1-4.el3.ppc.rpm
pidgin-debuginfo-1.5.1-4.el3.ppc.rpm

s390:
pidgin-1.5.1-4.el3.s390.rpm
pidgin-debuginfo-1.5.1-4.el3.s390.rpm

s390x:
pidgin-1.5.1-4.el3.s390x.rpm
pidgin-debuginfo-1.5.1-4.el3.s390x.rpm

x86_64:
pidgin-1.5.1-4.el3.x86_64.rpm
pidgin-debuginfo-1.5.1-4.el3.x86_64.rpm

Red Hat Desktop version 3:

Source:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/pidgin-1.5.1-4.el3.src.rpm

i386:
pidgin-1.5.1-4.el3.i386.rpm
pidgin-debuginfo-1.5.1-4.el3.i386.rpm

x86_64:
pidgin-1.5.1-4.el3.x86_64.rpm
pidgin-debuginfo-1.5.1-4.el3.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

Source:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/pidgin-1.5.1-4.el3.src.rpm

i386:
pidgin-1.5.1-4.el3.i386.rpm
pidgin-debuginfo-1.5.1-4.el3.i386.rpm

ia64:
pidgin-1.5.1-4.el3.ia64.rpm
pidgin-debuginfo-1.5.1-4.el3.ia64.rpm

x86_64:
pidgin-1.5.1-4.el3.x86_64.rpm
pidgin-debuginfo-1.5.1-4.el3.x86_64.rpm

Red Hat Enterprise Linux WS version 3:

Source:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/pidgin-1.5.1-4.el3.src.rpm

i386:
pidgin-1.5.1-4.el3.i386.rpm
pidgin-debuginfo-1.5.1-4.el3.i386.rpm

ia64:
pidgin-1.5.1-4.el3.ia64.rpm
pidgin-debuginfo-1.5.1-4.el3.ia64.rpm

x86_64:
pidgin-1.5.1-4.el3.x86_64.rpm
pidgin-debuginfo-1.5.1-4.el3.x86_64.rpm

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/pidgin-2.5.9-1.el4.src.rpm

i386:
finch-2.5.9-1.el4.i386.rpm
finch-devel-2.5.9-1.el4.i386.rpm
libpurple-2.5.9-1.el4.i386.rpm
libpurple-devel-2.5.9-1.el4.i386.rpm
libpurple-perl-2.5.9-1.el4.i386.rpm
libpurple-tcl-2.5.9-1.el4.i386.rpm
pidgin-2.5.9-1.el4.i386.rpm
pidgin-debuginfo-2.5.9-1.el4.i386.rpm
pidgin-devel-2.5.9-1.el4.i386.rpm
pidgin-perl-2.5.9-1.el4.i386.rpm ia64: finch-2.5.9-1.el4.ia64.rpm finch-devel-2.5.9-1.el4.ia64.rpm libpurple-2.5.9-1.el4.ia64.rpm libpurple-devel-2.5.9-1.el4.ia64.rpm libpurple-perl-2.5.9-1.el4.ia64.rpm libpurple-tcl-2.5.9-1.el4.ia64.rpm pidgin-2.5.9-1.el4.ia64.rpm pidgin-debuginfo-2.5.9-1.el4.ia64.rpm pidgin-devel-2.5.9-1.el4.ia64.rpm pidgin-perl-2.5.9-1.el4.ia64.rpm ppc: finch-2.5.9-1.el4.ppc.rpm finch-devel-2.5.9-1.el4.ppc.rpm libpurple-2.5.9-1.el4.ppc.rpm libpurple-devel-2.5.9-1.el4.ppc.rpm libpurple-perl-2.5.9-1.el4.ppc.rpm libpurple-tcl-2.5.9-1.el4.ppc.rpm pidgin-2.5.9-1.el4.ppc.rpm pidgin-debuginfo-2.5.9-1.el4.ppc.rpm pidgin-devel-2.5.9-1.el4.ppc.rpm pidgin-perl-2.5.9-1.el4.ppc.rpm x86_64: finch-2.5.9-1.el4.x86_64.rpm finch-devel-2.5.9-1.el4.x86_64.rpm libpurple-2.5.9-1.el4.x86_64.rpm libpurple-devel-2.5.9-1.el4.x86_64.rpm libpurple-perl-2.5.9-1.el4.x86_64.rpm libpurple-tcl-2.5.9-1.el4.x86_64.rpm pidgin-2.5.9-1.el4.x86_64.rpm pidgin-debuginfo-2.5.9-1.el4.x86_64.rpm pidgin-devel-2.5.9-1.el4.x86_64.rpm pidgin-perl-2.5.9-1.el4.x86_64.rpm Red Hat Enterprise Linux Desktop version 4: Source: ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/pidgin-2.5.9-1.el4.src.rpm i386: finch-2.5.9-1.el4.i386.rpm finch-devel-2.5.9-1.el4.i386.rpm libpurple-2.5.9-1.el4.i386.rpm libpurple-devel-2.5.9-1.el4.i386.rpm libpurple-perl-2.5.9-1.el4.i386.rpm libpurple-tcl-2.5.9-1.el4.i386.rpm pidgin-2.5.9-1.el4.i386.rpm pidgin-debuginfo-2.5.9-1.el4.i386.rpm pidgin-devel-2.5.9-1.el4.i386.rpm pidgin-perl-2.5.9-1.el4.i386.rpm x86_64: finch-2.5.9-1.el4.x86_64.rpm finch-devel-2.5.9-1.el4.x86_64.rpm libpurple-2.5.9-1.el4.x86_64.rpm libpurple-devel-2.5.9-1.el4.x86_64.rpm libpurple-perl-2.5.9-1.el4.x86_64.rpm libpurple-tcl-2.5.9-1.el4.x86_64.rpm pidgin-2.5.9-1.el4.x86_64.rpm pidgin-debuginfo-2.5.9-1.el4.x86_64.rpm pidgin-devel-2.5.9-1.el4.x86_64.rpm pidgin-perl-2.5.9-1.el4.x86_64.rpm Red Hat Enterprise Linux ES version 4: Source: 
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/pidgin-2.5.9-1.el4.src.rpm i386: finch-2.5.9-1.el4.i386.rpm finch-devel-2.5.9-1.el4.i386.rpm libpurple-2.5.9-1.el4.i386.rpm libpurple-devel-2.5.9-1.el4.i386.rpm libpurple-perl-2.5.9-1.el4.i386.rpm libpurple-tcl-2.5.9-1.el4.i386.rpm pidgin-2.5.9-1.el4.i386.rpm pidgin-debuginfo-2.5.9-1.el4.i386.rpm pidgin-devel-2.5.9-1.el4.i386.rpm pidgin-perl-2.5.9-1.el4.i386.rpm ia64: finch-2.5.9-1.el4.ia64.rpm finch-devel-2.5.9-1.el4.ia64.rpm libpurple-2.5.9-1.el4.ia64.rpm libpurple-devel-2.5.9-1.el4.ia64.rpm libpurple-perl-2.5.9-1.el4.ia64.rpm libpurple-tcl-2.5.9-1.el4.ia64.rpm pidgin-2.5.9-1.el4.ia64.rpm pidgin-debuginfo-2.5.9-1.el4.ia64.rpm pidgin-devel-2.5.9-1.el4.ia64.rpm pidgin-perl-2.5.9-1.el4.ia64.rpm x86_64: finch-2.5.9-1.el4.x86_64.rpm finch-devel-2.5.9-1.el4.x86_64.rpm libpurple-2.5.9-1.el4.x86_64.rpm libpurple-devel-2.5.9-1.el4.x86_64.rpm libpurple-perl-2.5.9-1.el4.x86_64.rpm libpurple-tcl-2.5.9-1.el4.x86_64.rpm pidgin-2.5.9-1.el4.x86_64.rpm pidgin-debuginfo-2.5.9-1.el4.x86_64.rpm pidgin-devel-2.5.9-1.el4.x86_64.rpm pidgin-perl-2.5.9-1.el4.x86_64.rpm Red Hat Enterprise Linux WS version 4: Source: ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/pidgin-2.5.9-1.el4.src.rpm i386: finch-2.5.9-1.el4.i386.rpm finch-devel-2.5.9-1.el4.i386.rpm libpurple-2.5.9-1.el4.i386.rpm libpurple-devel-2.5.9-1.el4.i386.rpm libpurple-perl-2.5.9-1.el4.i386.rpm libpurple-tcl-2.5.9-1.el4.i386.rpm pidgin-2.5.9-1.el4.i386.rpm pidgin-debuginfo-2.5.9-1.el4.i386.rpm pidgin-devel-2.5.9-1.el4.i386.rpm pidgin-perl-2.5.9-1.el4.i386.rpm ia64: finch-2.5.9-1.el4.ia64.rpm finch-devel-2.5.9-1.el4.ia64.rpm libpurple-2.5.9-1.el4.ia64.rpm libpurple-devel-2.5.9-1.el4.ia64.rpm libpurple-perl-2.5.9-1.el4.ia64.rpm libpurple-tcl-2.5.9-1.el4.ia64.rpm pidgin-2.5.9-1.el4.ia64.rpm pidgin-debuginfo-2.5.9-1.el4.ia64.rpm pidgin-devel-2.5.9-1.el4.ia64.rpm pidgin-perl-2.5.9-1.el4.ia64.rpm x86_64: finch-2.5.9-1.el4.x86_64.rpm finch-devel-2.5.9-1.el4.x86_64.rpm 
libpurple-2.5.9-1.el4.x86_64.rpm libpurple-devel-2.5.9-1.el4.x86_64.rpm libpurple-perl-2.5.9-1.el4.x86_64.rpm libpurple-tcl-2.5.9-1.el4.x86_64.rpm pidgin-2.5.9-1.el4.x86_64.rpm pidgin-debuginfo-2.5.9-1.el4.x86_64.rpm pidgin-devel-2.5.9-1.el4.x86_64.rpm pidgin-perl-2.5.9-1.el4.x86_64.rpm Red Hat Enterprise Linux Desktop (v. 5 client): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/pidgin-2.5.9-1.el5.src.rpm i386: finch-2.5.9-1.el5.i386.rpm libpurple-2.5.9-1.el5.i386.rpm libpurple-perl-2.5.9-1.el5.i386.rpm libpurple-tcl-2.5.9-1.el5.i386.rpm pidgin-2.5.9-1.el5.i386.rpm pidgin-debuginfo-2.5.9-1.el5.i386.rpm pidgin-perl-2.5.9-1.el5.i386.rpm x86_64: finch-2.5.9-1.el5.i386.rpm finch-2.5.9-1.el5.x86_64.rpm libpurple-2.5.9-1.el5.i386.rpm libpurple-2.5.9-1.el5.x86_64.rpm libpurple-perl-2.5.9-1.el5.x86_64.rpm libpurple-tcl-2.5.9-1.el5.x86_64.rpm pidgin-2.5.9-1.el5.i386.rpm pidgin-2.5.9-1.el5.x86_64.rpm pidgin-debuginfo-2.5.9-1.el5.i386.rpm pidgin-debuginfo-2.5.9-1.el5.x86_64.rpm pidgin-perl-2.5.9-1.el5.x86_64.rpm RHEL Desktop Workstation (v. 5 client): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/pidgin-2.5.9-1.el5.src.rpm i386: finch-devel-2.5.9-1.el5.i386.rpm libpurple-devel-2.5.9-1.el5.i386.rpm pidgin-debuginfo-2.5.9-1.el5.i386.rpm pidgin-devel-2.5.9-1.el5.i386.rpm x86_64: finch-devel-2.5.9-1.el5.i386.rpm finch-devel-2.5.9-1.el5.x86_64.rpm libpurple-devel-2.5.9-1.el5.i386.rpm libpurple-devel-2.5.9-1.el5.x86_64.rpm pidgin-debuginfo-2.5.9-1.el5.i386.rpm pidgin-debuginfo-2.5.9-1.el5.x86_64.rpm pidgin-devel-2.5.9-1.el5.i386.rpm pidgin-devel-2.5.9-1.el5.x86_64.rpm RHEL Optional Productivity Applications (v. 
5 server): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/pidgin-2.5.9-1.el5.src.rpm i386: finch-2.5.9-1.el5.i386.rpm finch-devel-2.5.9-1.el5.i386.rpm libpurple-2.5.9-1.el5.i386.rpm libpurple-devel-2.5.9-1.el5.i386.rpm libpurple-perl-2.5.9-1.el5.i386.rpm libpurple-tcl-2.5.9-1.el5.i386.rpm pidgin-2.5.9-1.el5.i386.rpm pidgin-debuginfo-2.5.9-1.el5.i386.rpm pidgin-devel-2.5.9-1.el5.i386.rpm pidgin-perl-2.5.9-1.el5.i386.rpm x86_64: finch-2.5.9-1.el5.i386.rpm finch-2.5.9-1.el5.x86_64.rpm finch-devel-2.5.9-1.el5.i386.rpm finch-devel-2.5.9-1.el5.x86_64.rpm libpurple-2.5.9-1.el5.i386.rpm libpurple-2.5.9-1.el5.x86_64.rpm libpurple-devel-2.5.9-1.el5.i386.rpm libpurple-devel-2.5.9-1.el5.x86_64.rpm libpurple-perl-2.5.9-1.el5.x86_64.rpm libpurple-tcl-2.5.9-1.el5.x86_64.rpm pidgin-2.5.9-1.el5.i386.rpm pidgin-2.5.9-1.el5.x86_64.rpm pidgin-debuginfo-2.5.9-1.el5.i386.rpm pidgin-debuginfo-2.5.9-1.el5.x86_64.rpm pidgin-devel-2.5.9-1.el5.i386.rpm pidgin-devel-2.5.9-1.el5.x86_64.rpm pidgin-perl-2.5.9-1.el5.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package 7. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2694 http://www.redhat.com/security/updates/classification/#critical 8. Contact: The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/ Copyright 2009 Red Hat, Inc. 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFKivQeXlSAg2UNWIIRAk4nAKCJJMyUGdcpxZxqxm5DdcahlfURRACfXP9R
WHSycqMw3T9WFH1QryidqTQ=
=/4nR
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Tue Aug 18 18:34:24 2009
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 18 Aug 2009 14:34:24 -0400
Subject: [RHSA-2009:1219-01] Important: libvorbis security update
Message-ID: <200908181834.n7IIYOPb016195@int-mx1.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: libvorbis security update
Advisory ID:       RHSA-2009:1219-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2009-1219.html
Issue date:        2009-08-18
CVE Names:         CVE-2009-2663
=====================================================================

1. Summary:

Updated libvorbis packages that fix one security issue are now available for Red Hat Enterprise Linux 3, 4, and 5.

This update has been rated as having important security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64

3. Description:

The libvorbis packages contain runtime libraries for use in programs that support Ogg Vorbis. Ogg Vorbis is a fully open, non-proprietary, patent- and royalty-free, general-purpose compressed audio format.

An insufficient input validation flaw was found in the way libvorbis processes the codec file headers (static mode headers and encoding books) of the Ogg Vorbis audio file format (Ogg). A remote attacker could provide a specially-crafted Ogg file that would cause a denial of service (memory corruption and application crash) or, potentially, execute arbitrary code with the privileges of an application using the libvorbis library when opened by a victim. (CVE-2009-2663)

Users of libvorbis should upgrade to these updated packages, which contain a backported patch to correct this issue. The desktop must be restarted (log out, then log back in) for this update to take effect.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

516259 - CVE-2009-2663 libvorbis: Improper codec headers processing (DoS, ACE)

6. Package List:

Red Hat Enterprise Linux AS version 3:

Source:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/libvorbis-1.0-11.el3.src.rpm

i386:
libvorbis-1.0-11.el3.i386.rpm
libvorbis-debuginfo-1.0-11.el3.i386.rpm
libvorbis-devel-1.0-11.el3.i386.rpm

ia64:
libvorbis-1.0-11.el3.i386.rpm
libvorbis-1.0-11.el3.ia64.rpm
libvorbis-debuginfo-1.0-11.el3.i386.rpm
libvorbis-debuginfo-1.0-11.el3.ia64.rpm
libvorbis-devel-1.0-11.el3.ia64.rpm

ppc:
libvorbis-1.0-11.el3.ppc.rpm
libvorbis-1.0-11.el3.ppc64.rpm
libvorbis-debuginfo-1.0-11.el3.ppc.rpm
libvorbis-debuginfo-1.0-11.el3.ppc64.rpm
libvorbis-devel-1.0-11.el3.ppc.rpm

s390:
libvorbis-1.0-11.el3.s390.rpm
libvorbis-debuginfo-1.0-11.el3.s390.rpm
libvorbis-devel-1.0-11.el3.s390.rpm

s390x:
libvorbis-1.0-11.el3.s390.rpm
libvorbis-1.0-11.el3.s390x.rpm
libvorbis-debuginfo-1.0-11.el3.s390.rpm
libvorbis-debuginfo-1.0-11.el3.s390x.rpm
libvorbis-devel-1.0-11.el3.s390x.rpm

x86_64:
libvorbis-1.0-11.el3.i386.rpm
libvorbis-1.0-11.el3.x86_64.rpm
libvorbis-debuginfo-1.0-11.el3.i386.rpm
libvorbis-debuginfo-1.0-11.el3.x86_64.rpm
libvorbis-devel-1.0-11.el3.x86_64.rpm

Red Hat Desktop version 3:

Source:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/libvorbis-1.0-11.el3.src.rpm

i386:
libvorbis-1.0-11.el3.i386.rpm
libvorbis-debuginfo-1.0-11.el3.i386.rpm
libvorbis-devel-1.0-11.el3.i386.rpm

x86_64:
libvorbis-1.0-11.el3.i386.rpm
libvorbis-1.0-11.el3.x86_64.rpm
libvorbis-debuginfo-1.0-11.el3.i386.rpm
libvorbis-debuginfo-1.0-11.el3.x86_64.rpm
libvorbis-devel-1.0-11.el3.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

Source:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/libvorbis-1.0-11.el3.src.rpm

i386:
libvorbis-1.0-11.el3.i386.rpm
libvorbis-debuginfo-1.0-11.el3.i386.rpm
libvorbis-devel-1.0-11.el3.i386.rpm

ia64:
libvorbis-1.0-11.el3.i386.rpm
libvorbis-1.0-11.el3.ia64.rpm
libvorbis-debuginfo-1.0-11.el3.i386.rpm
libvorbis-debuginfo-1.0-11.el3.ia64.rpm
libvorbis-devel-1.0-11.el3.ia64.rpm

x86_64:
libvorbis-1.0-11.el3.i386.rpm
libvorbis-1.0-11.el3.x86_64.rpm
libvorbis-debuginfo-1.0-11.el3.i386.rpm
libvorbis-debuginfo-1.0-11.el3.x86_64.rpm
libvorbis-devel-1.0-11.el3.x86_64.rpm

Red Hat Enterprise Linux WS version 3:

Source:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/libvorbis-1.0-11.el3.src.rpm

i386:
libvorbis-1.0-11.el3.i386.rpm
libvorbis-debuginfo-1.0-11.el3.i386.rpm
libvorbis-devel-1.0-11.el3.i386.rpm

ia64:
libvorbis-1.0-11.el3.i386.rpm
libvorbis-1.0-11.el3.ia64.rpm
libvorbis-debuginfo-1.0-11.el3.i386.rpm
libvorbis-debuginfo-1.0-11.el3.ia64.rpm
libvorbis-devel-1.0-11.el3.ia64.rpm

x86_64:
libvorbis-1.0-11.el3.i386.rpm
libvorbis-1.0-11.el3.x86_64.rpm
libvorbis-debuginfo-1.0-11.el3.i386.rpm
libvorbis-debuginfo-1.0-11.el3.x86_64.rpm
libvorbis-devel-1.0-11.el3.x86_64.rpm

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/libvorbis-1.1.0-3.el4_8.2.src.rpm

i386:
libvorbis-1.1.0-3.el4_8.2.i386.rpm
libvorbis-debuginfo-1.1.0-3.el4_8.2.i386.rpm
libvorbis-devel-1.1.0-3.el4_8.2.i386.rpm

ia64:
libvorbis-1.1.0-3.el4_8.2.i386.rpm
libvorbis-1.1.0-3.el4_8.2.ia64.rpm
libvorbis-debuginfo-1.1.0-3.el4_8.2.i386.rpm
libvorbis-debuginfo-1.1.0-3.el4_8.2.ia64.rpm
libvorbis-devel-1.1.0-3.el4_8.2.ia64.rpm

ppc:
libvorbis-1.1.0-3.el4_8.2.ppc.rpm
libvorbis-1.1.0-3.el4_8.2.ppc64.rpm
libvorbis-debuginfo-1.1.0-3.el4_8.2.ppc.rpm
libvorbis-debuginfo-1.1.0-3.el4_8.2.ppc64.rpm
libvorbis-devel-1.1.0-3.el4_8.2.ppc.rpm

s390:
libvorbis-1.1.0-3.el4_8.2.s390.rpm
libvorbis-debuginfo-1.1.0-3.el4_8.2.s390.rpm
libvorbis-devel-1.1.0-3.el4_8.2.s390.rpm

s390x:
libvorbis-1.1.0-3.el4_8.2.s390.rpm
libvorbis-1.1.0-3.el4_8.2.s390x.rpm
libvorbis-debuginfo-1.1.0-3.el4_8.2.s390.rpm
libvorbis-debuginfo-1.1.0-3.el4_8.2.s390x.rpm
libvorbis-devel-1.1.0-3.el4_8.2.s390x.rpm

x86_64:
libvorbis-1.1.0-3.el4_8.2.i386.rpm
libvorbis-1.1.0-3.el4_8.2.x86_64.rpm
libvorbis-debuginfo-1.1.0-3.el4_8.2.i386.rpm
libvorbis-debuginfo-1.1.0-3.el4_8.2.x86_64.rpm
libvorbis-devel-1.1.0-3.el4_8.2.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/libvorbis-1.1.0-3.el4_8.2.src.rpm

i386:
libvorbis-1.1.0-3.el4_8.2.i386.rpm
libvorbis-debuginfo-1.1.0-3.el4_8.2.i386.rpm
libvorbis-devel-1.1.0-3.el4_8.2.i386.rpm

x86_64:
libvorbis-1.1.0-3.el4_8.2.i386.rpm
libvorbis-1.1.0-3.el4_8.2.x86_64.rpm
libvorbis-debuginfo-1.1.0-3.el4_8.2.i386.rpm
libvorbis-debuginfo-1.1.0-3.el4_8.2.x86_64.rpm
libvorbis-devel-1.1.0-3.el4_8.2.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/libvorbis-1.1.0-3.el4_8.2.src.rpm

i386:
libvorbis-1.1.0-3.el4_8.2.i386.rpm
libvorbis-debuginfo-1.1.0-3.el4_8.2.i386.rpm
libvorbis-devel-1.1.0-3.el4_8.2.i386.rpm

ia64:
libvorbis-1.1.0-3.el4_8.2.i386.rpm
libvorbis-1.1.0-3.el4_8.2.ia64.rpm
libvorbis-debuginfo-1.1.0-3.el4_8.2.i386.rpm
libvorbis-debuginfo-1.1.0-3.el4_8.2.ia64.rpm
libvorbis-devel-1.1.0-3.el4_8.2.ia64.rpm

x86_64:
libvorbis-1.1.0-3.el4_8.2.i386.rpm
libvorbis-1.1.0-3.el4_8.2.x86_64.rpm
libvorbis-debuginfo-1.1.0-3.el4_8.2.i386.rpm
libvorbis-debuginfo-1.1.0-3.el4_8.2.x86_64.rpm
libvorbis-devel-1.1.0-3.el4_8.2.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/libvorbis-1.1.0-3.el4_8.2.src.rpm

i386:
libvorbis-1.1.0-3.el4_8.2.i386.rpm
libvorbis-debuginfo-1.1.0-3.el4_8.2.i386.rpm
libvorbis-devel-1.1.0-3.el4_8.2.i386.rpm

ia64:
libvorbis-1.1.0-3.el4_8.2.i386.rpm
libvorbis-1.1.0-3.el4_8.2.ia64.rpm
libvorbis-debuginfo-1.1.0-3.el4_8.2.i386.rpm
libvorbis-debuginfo-1.1.0-3.el4_8.2.ia64.rpm
libvorbis-devel-1.1.0-3.el4_8.2.ia64.rpm

x86_64:
libvorbis-1.1.0-3.el4_8.2.i386.rpm
libvorbis-1.1.0-3.el4_8.2.x86_64.rpm
libvorbis-debuginfo-1.1.0-3.el4_8.2.i386.rpm
libvorbis-debuginfo-1.1.0-3.el4_8.2.x86_64.rpm
libvorbis-devel-1.1.0-3.el4_8.2.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/libvorbis-1.1.2-3.el5_3.3.src.rpm

i386:
libvorbis-1.1.2-3.el5_3.3.i386.rpm
libvorbis-debuginfo-1.1.2-3.el5_3.3.i386.rpm

x86_64:
libvorbis-1.1.2-3.el5_3.3.i386.rpm
libvorbis-1.1.2-3.el5_3.3.x86_64.rpm
libvorbis-debuginfo-1.1.2-3.el5_3.3.i386.rpm
libvorbis-debuginfo-1.1.2-3.el5_3.3.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/libvorbis-1.1.2-3.el5_3.3.src.rpm

i386:
libvorbis-debuginfo-1.1.2-3.el5_3.3.i386.rpm
libvorbis-devel-1.1.2-3.el5_3.3.i386.rpm

x86_64:
libvorbis-debuginfo-1.1.2-3.el5_3.3.i386.rpm
libvorbis-debuginfo-1.1.2-3.el5_3.3.x86_64.rpm
libvorbis-devel-1.1.2-3.el5_3.3.i386.rpm
libvorbis-devel-1.1.2-3.el5_3.3.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/libvorbis-1.1.2-3.el5_3.3.src.rpm

i386:
libvorbis-1.1.2-3.el5_3.3.i386.rpm
libvorbis-debuginfo-1.1.2-3.el5_3.3.i386.rpm
libvorbis-devel-1.1.2-3.el5_3.3.i386.rpm

ia64:
libvorbis-1.1.2-3.el5_3.3.ia64.rpm
libvorbis-debuginfo-1.1.2-3.el5_3.3.ia64.rpm
libvorbis-devel-1.1.2-3.el5_3.3.ia64.rpm

ppc:
libvorbis-1.1.2-3.el5_3.3.ppc.rpm
libvorbis-1.1.2-3.el5_3.3.ppc64.rpm
libvorbis-debuginfo-1.1.2-3.el5_3.3.ppc.rpm
libvorbis-debuginfo-1.1.2-3.el5_3.3.ppc64.rpm
libvorbis-devel-1.1.2-3.el5_3.3.ppc.rpm
libvorbis-devel-1.1.2-3.el5_3.3.ppc64.rpm

s390x:
libvorbis-1.1.2-3.el5_3.3.s390.rpm
libvorbis-1.1.2-3.el5_3.3.s390x.rpm
libvorbis-debuginfo-1.1.2-3.el5_3.3.s390.rpm
libvorbis-debuginfo-1.1.2-3.el5_3.3.s390x.rpm
libvorbis-devel-1.1.2-3.el5_3.3.s390.rpm
libvorbis-devel-1.1.2-3.el5_3.3.s390x.rpm

x86_64:
libvorbis-1.1.2-3.el5_3.3.i386.rpm
libvorbis-1.1.2-3.el5_3.3.x86_64.rpm
libvorbis-debuginfo-1.1.2-3.el5_3.3.i386.rpm
libvorbis-debuginfo-1.1.2-3.el5_3.3.x86_64.rpm
libvorbis-devel-1.1.2-3.el5_3.3.i386.rpm
libvorbis-devel-1.1.2-3.el5_3.3.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2663
http://www.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFKivQoXlSAg2UNWIIRArqPAJ9f4mMAuTPjT/z8JGHf8TOSn2+7twCcDoHK
IYx3mnWwTuUrQ+aGiNVwz7o=
=8BVV
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Mon Aug 24 11:11:18 2009
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 24 Aug 2009 07:11:18 -0400
Subject: [RHSA-2009:1222-02] Important: kernel security and bug fix update
Message-ID: <200908241111.n7OBBIUA009895@int-mx08.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: kernel security and bug fix update
Advisory ID:       RHSA-2009:1222-02
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2009-1222.html
Issue date:        2009-08-24
CVE Names:         CVE-2009-2692 CVE-2009-2698
=====================================================================

1. Summary:

Updated kernel packages that fix two security issues and a bug are now available for Red Hat Enterprise Linux 5.

This update has been rated as having important security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 5 client) - i386, noarch, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, noarch, ppc, s390x, x86_64

3. Description:

The kernel packages contain the Linux kernel, the core of any Linux operating system.
These updated packages fix the following security issues:

* a flaw was found in the SOCKOPS_WRAP macro in the Linux kernel. This macro did not initialize the sendpage operation in the proto_ops structure correctly. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2692, Important)

* a flaw was found in the udp_sendmsg() implementation in the Linux kernel when using the MSG_MORE flag on UDP sockets. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2698, Important)

Red Hat would like to thank Tavis Ormandy and Julien Tinnes of the Google Security Team for responsibly reporting these flaws.

These updated packages also fix the following bug:

* in the dlm code, a socket was allocated in tcp_connect_to_sock(), but was not freed in the error exit path. This bug led to a memory leak and an unresponsive system. A reported case of this bug occurred after running "cman_tool kill -n [nodename]". (BZ#515432)

Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

515432 - dlm_send socket leak [rhel-5.3.z]
516949 - CVE-2009-2692 kernel: uninit op in SOCKOPS_WRAP() leads to privesc
518034 - CVE-2009-2698 kernel: udp socket NULL ptr dereference

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/kernel-2.6.18-128.7.1.el5.src.rpm

i386:
kernel-2.6.18-128.7.1.el5.i686.rpm
kernel-PAE-2.6.18-128.7.1.el5.i686.rpm
kernel-PAE-debuginfo-2.6.18-128.7.1.el5.i686.rpm
kernel-PAE-devel-2.6.18-128.7.1.el5.i686.rpm
kernel-debug-2.6.18-128.7.1.el5.i686.rpm
kernel-debug-debuginfo-2.6.18-128.7.1.el5.i686.rpm
kernel-debug-devel-2.6.18-128.7.1.el5.i686.rpm
kernel-debuginfo-2.6.18-128.7.1.el5.i686.rpm
kernel-debuginfo-common-2.6.18-128.7.1.el5.i686.rpm
kernel-devel-2.6.18-128.7.1.el5.i686.rpm
kernel-headers-2.6.18-128.7.1.el5.i386.rpm
kernel-xen-2.6.18-128.7.1.el5.i686.rpm
kernel-xen-debuginfo-2.6.18-128.7.1.el5.i686.rpm
kernel-xen-devel-2.6.18-128.7.1.el5.i686.rpm

noarch:
kernel-doc-2.6.18-128.7.1.el5.noarch.rpm

x86_64:
kernel-2.6.18-128.7.1.el5.x86_64.rpm
kernel-debug-2.6.18-128.7.1.el5.x86_64.rpm
kernel-debug-debuginfo-2.6.18-128.7.1.el5.x86_64.rpm
kernel-debug-devel-2.6.18-128.7.1.el5.x86_64.rpm
kernel-debuginfo-2.6.18-128.7.1.el5.x86_64.rpm
kernel-debuginfo-common-2.6.18-128.7.1.el5.x86_64.rpm
kernel-devel-2.6.18-128.7.1.el5.x86_64.rpm
kernel-headers-2.6.18-128.7.1.el5.x86_64.rpm
kernel-xen-2.6.18-128.7.1.el5.x86_64.rpm
kernel-xen-debuginfo-2.6.18-128.7.1.el5.x86_64.rpm
kernel-xen-devel-2.6.18-128.7.1.el5.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/kernel-2.6.18-128.7.1.el5.src.rpm

i386:
kernel-2.6.18-128.7.1.el5.i686.rpm
kernel-PAE-2.6.18-128.7.1.el5.i686.rpm
kernel-PAE-debuginfo-2.6.18-128.7.1.el5.i686.rpm
kernel-PAE-devel-2.6.18-128.7.1.el5.i686.rpm
kernel-debug-2.6.18-128.7.1.el5.i686.rpm
kernel-debug-debuginfo-2.6.18-128.7.1.el5.i686.rpm
kernel-debug-devel-2.6.18-128.7.1.el5.i686.rpm
kernel-debuginfo-2.6.18-128.7.1.el5.i686.rpm
kernel-debuginfo-common-2.6.18-128.7.1.el5.i686.rpm
kernel-devel-2.6.18-128.7.1.el5.i686.rpm
kernel-headers-2.6.18-128.7.1.el5.i386.rpm
kernel-xen-2.6.18-128.7.1.el5.i686.rpm
kernel-xen-debuginfo-2.6.18-128.7.1.el5.i686.rpm
kernel-xen-devel-2.6.18-128.7.1.el5.i686.rpm

ia64:
kernel-2.6.18-128.7.1.el5.ia64.rpm
kernel-debug-2.6.18-128.7.1.el5.ia64.rpm
kernel-debug-debuginfo-2.6.18-128.7.1.el5.ia64.rpm
kernel-debug-devel-2.6.18-128.7.1.el5.ia64.rpm
kernel-debuginfo-2.6.18-128.7.1.el5.ia64.rpm
kernel-debuginfo-common-2.6.18-128.7.1.el5.ia64.rpm
kernel-devel-2.6.18-128.7.1.el5.ia64.rpm
kernel-headers-2.6.18-128.7.1.el5.ia64.rpm
kernel-xen-2.6.18-128.7.1.el5.ia64.rpm
kernel-xen-debuginfo-2.6.18-128.7.1.el5.ia64.rpm
kernel-xen-devel-2.6.18-128.7.1.el5.ia64.rpm

noarch:
kernel-doc-2.6.18-128.7.1.el5.noarch.rpm

ppc:
kernel-2.6.18-128.7.1.el5.ppc64.rpm
kernel-debug-2.6.18-128.7.1.el5.ppc64.rpm
kernel-debug-debuginfo-2.6.18-128.7.1.el5.ppc64.rpm
kernel-debug-devel-2.6.18-128.7.1.el5.ppc64.rpm
kernel-debuginfo-2.6.18-128.7.1.el5.ppc64.rpm
kernel-debuginfo-common-2.6.18-128.7.1.el5.ppc64.rpm
kernel-devel-2.6.18-128.7.1.el5.ppc64.rpm
kernel-headers-2.6.18-128.7.1.el5.ppc.rpm
kernel-headers-2.6.18-128.7.1.el5.ppc64.rpm
kernel-kdump-2.6.18-128.7.1.el5.ppc64.rpm
kernel-kdump-debuginfo-2.6.18-128.7.1.el5.ppc64.rpm
kernel-kdump-devel-2.6.18-128.7.1.el5.ppc64.rpm

s390x:
kernel-2.6.18-128.7.1.el5.s390x.rpm
kernel-debug-2.6.18-128.7.1.el5.s390x.rpm
kernel-debug-debuginfo-2.6.18-128.7.1.el5.s390x.rpm
kernel-debug-devel-2.6.18-128.7.1.el5.s390x.rpm
kernel-debuginfo-2.6.18-128.7.1.el5.s390x.rpm
kernel-debuginfo-common-2.6.18-128.7.1.el5.s390x.rpm
kernel-devel-2.6.18-128.7.1.el5.s390x.rpm
kernel-headers-2.6.18-128.7.1.el5.s390x.rpm
kernel-kdump-2.6.18-128.7.1.el5.s390x.rpm
kernel-kdump-debuginfo-2.6.18-128.7.1.el5.s390x.rpm
kernel-kdump-devel-2.6.18-128.7.1.el5.s390x.rpm

x86_64:
kernel-2.6.18-128.7.1.el5.x86_64.rpm
kernel-debug-2.6.18-128.7.1.el5.x86_64.rpm
kernel-debug-debuginfo-2.6.18-128.7.1.el5.x86_64.rpm
kernel-debug-devel-2.6.18-128.7.1.el5.x86_64.rpm
kernel-debuginfo-2.6.18-128.7.1.el5.x86_64.rpm
kernel-debuginfo-common-2.6.18-128.7.1.el5.x86_64.rpm
kernel-devel-2.6.18-128.7.1.el5.x86_64.rpm
kernel-headers-2.6.18-128.7.1.el5.x86_64.rpm
kernel-xen-2.6.18-128.7.1.el5.x86_64.rpm
kernel-xen-debu.el5.x86_64.rpm
kernel-xen-devel-2.6.18-128.7.1.el5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2692
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2698
http://www.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFKknU0XlSAg2UNWIIRAmOLAKC0URPslJPGifVuSazeaZQo5mhR2gCfRiOp
vqJZ9EkXny6AUSslh+QlZZk=
=BU4H
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Mon Aug 24 11:14:44 2009
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 24 Aug 2009 07:14:44 -0400
Subject: [RHSA-2009:1223-02] Important: kernel security update
Message-ID: <200908241114.n7OBEirg028380@int-mx06.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: kernel security update
Advisory ID:       RHSA-2009:1223-02
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2009-1223.html
Issue date:        2009-08-24
CVE Names:         CVE-2009-2692 CVE-2009-2698
=====================================================================

1. Summary:

Updated kernel packages that fix two security issues are now available for Red Hat Enterprise Linux 4.

This update has been rated as having important security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 - i386, ia64, noarch, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, noarch, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, noarch, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, noarch, x86_64

3. Description:

The kernel packages contain the Linux kernel, the core of any Linux operating system.

These updated packages fix the following security issues:

* a flaw was found in the SOCKOPS_WRAP macro in the Linux kernel. This macro did not initialize the sendpage operation in the proto_ops structure correctly. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2692, Important)

* a flaw was found in the udp_sendmsg() implementation in the Linux kernel when using the MSG_MORE flag on UDP sockets. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2698, Important)

Red Hat would like to thank Tavis Ormandy and Julien Tinnes of the Google Security Team for responsibly reporting these flaws.

Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

516949 - CVE-2009-2692 kernel: uninit op in SOCKOPS_WRAP() leads to privesc
518034 - CVE-2009-2698 kernel: udp socket NULL ptr dereference

6. Package List:

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/kernel-2.6.9-89.0.9.EL.src.rpm

i386:
kernel-2.6.9-89.0.9.EL.i686.rpm
kernel-debuginfo-2.6.9-89.0.9.EL.i686.rpm
kernel-devel-2.6.9-89.0.9.EL.i686.rpm
kernel-hugemem-2.6.9-89.0.9.EL.i686.rpm
kernel-hugemem-devel-2.6.9-89.0.9.EL.i686.rpm
kernel-smp-2.6.9-89.0.9.EL.i686.rpm
kernel-smp-devel-2.6.9-89.0.9.EL.i686.rpm
kernel-xenU-2.6.9-89.0.9.EL.i686.rpm
kernel-xenU-devel-2.6.9-89.0.9.EL.i686.rpm

ia64:
kernel-2.6.9-89.0.9.EL.ia64.rpm
kernel-debuginfo-2.6.9-89.0.9.EL.ia64.rpm
kernel-devel-2.6.9-89.0.9.EL.ia64.rpm
kernel-largesmp-2.6.9-89.0.9.EL.ia64.rpm
kernel-largesmp-devel-2.6.9-89.0.9.EL.ia64.rpm

noarch:
kernel-doc-2.6.9-89.0.9.EL.noarch.rpm

ppc:
kernel-2.6.9-89.0.9.EL.ppc64.rpm
kernel-2.6.9-89.0.9.EL.ppc64iseries.rpm
kernel-debuginfo-2.6.9-89.0.9.EL.ppc64.rpm
kernel-debuginfo-2.6.9-89.0.9.EL.ppc64iseries.rpm
kernel-devel-2.6.9-89.0.9.EL.ppc64.rpm
kernel-devel-2.6.9-89.0.9.EL.ppc64iseries.rpm
kernel-largesmp-2.6.9-89.0.9.EL.ppc64.rpm
kernel-largesmp-devel-2.6.9-89.0.9.EL.ppc64.rpm

s390:
kernel-2.6.9-89.0.9.EL.s390.rpm
kernel-debuginfo-2.6.9-89.0.9.EL.s390.rpm
kernel-devel-2.6.9-89.0.9.EL.s390.rpm

s390x:
kernel-2.6.9-89.0.9.EL.s390x.rpm
kernel-debuginfo-2.6.9-89.0.9.EL.s390x.rpm
kernel-devel-2.6.9-89.0.9.EL.s390x.rpm

x86_64:
kernel-2.6.9-89.0.9.EL.x86_64.rpm
kernel-debuginfo-2.6.9-89.0.9.EL.x86_64.rpm
kernel-devel-2.6.9-89.0.9.EL.x86_64.rpm
kernel-largesmp-2.6.9-89.0.9.EL.x86_64.rpm
kernel-largesmp-devel-2.6.9-89.0.9.EL.x86_64.rpm
kernel-smp-2.6.9-89.0.9.EL.x86_64.rpm
kernel-smp-devel-2.6.9-89.0.9.EL.x86_64.rpm
kernel-xenU-2.6.9-89.0.9.EL.x86_64.rpm
kernel-xenU-devel-2.6.9-89.0.9.EL.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/kernel-2.6.9-89.0.9.EL.src.rpm

i386:
kernel-2.6.9-89.0.9.EL.i686.rpm
kernel-debuginfo-2.6.9-89.0.9.EL.i686.rpm
kernel-devel-2.6.9-89.0.9.EL.i686.rpm
kernel-hugemem-2.6.9-89.0.9.EL.i686.rpm
kernel-hugemem-devel-2.6.9-89.0.9.EL.i686.rpm
kernel-smp-2.6.9-89.0.9.EL.i686.rpm
kernel-smp-devel-2.6.9-89.0.9.EL.i686.rpm
kernel-xenU-2.6.9-89.0.9.EL.i686.rpm
kernel-xenU-devel-2.6.9-89.0.9.EL.i686.rpm

noarch:
kernel-doc-2.6.9-89.0.9.EL.noarch.rpm

x86_64:
kernel-2.6.9-89.0.9.EL.x86_64.rpm
kernel-debuginfo-2.6.9-89.0.9.EL.x86_64.rpm
kernel-devel-2.6.9-89.0.9.EL.x86_64.rpm
kernel-largesmp-2.6.9-89.0.9.EL.x86_64.rpm
kernel-largesmp-devel-2.6.9-89.0.9.EL.x86_64.rpm
kernel-smp-2.6.9-89.0.9.EL.x86_64.rpm
kernel-smp-devel-2.6.9-89.0.9.EL.x86_64.rpm
kernel-xenU-2.6.9-89.0.9.EL.x86_64.rpm
kernel-xenU-devel-2.6.9-89.0.9.EL.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/kernel-2.6.9-89.0.9.EL.src.rpm

i386:
kernel-2.6.9-89.0.9.EL.i686.rpm
kernel-debuginfo-2.6.9-89.0.9.EL.i686.rpm
kernel-devel-2.6.9-89.0.9.EL.i686.rpm
kernel-hugemem-2.6.9-89.0.9.EL.i686.rpm
kernel-hugemem-devel-2.6.9-89.0.9.EL.i686.rpm
kernel-smp-2.6.9-89.0.9.EL.i686.rpm
kernel-smp-devel-2.6.9-89.0.9.EL.i686.rpm
kernel-xenU-2.6.9-89.0.9.EL.i686.rpm
kernel-xenU-devel-2.6.9-89.0.9.EL.i686.rpm

ia64:
kernel-2.6.9-89.0.9.EL.ia64.rpm
kernel-debuginfo-2.6.9-89.0.9.EL.ia64.rpm
kernel-devel-2.6.9-89.0.9.EL.ia64.rpm
kernel-largesmp-2.6.9-89.0.9.EL.ia64.rpm
kernel-largesmp-devel-2.6.9-89.0.9.EL.ia64.rpm

noarch:
kernel-doc-2.6.9-89.0.9.EL.noarch.rpm

x86_64:
kernel-2.6.9-89.0.9.EL.x86_64.rpm
kernel-debuginfo-2.6.9-89.0.9.EL.x86_64.rpm
kernel-devel-2.6.9-89.0.9.EL.x86_64.rpm
kernel-largesmp-2.6.9-89.0.9.EL.x86_64.rpm
kernel-largesmp-devel-2.6.9-89.0.9.EL.x86_64.rpm
kernel-smp-2.6.9-89.0.9.EL.x86_64.rpm
kernel-smp-devel-2.6.9-89.0.9.EL.x86_64.rpm
kernel-xenU-2.6.9-89.0.9.EL.x86_64.rpm
kernel-xenU-devel-2.6.9-89.0.9.EL.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/kernel-2.6.9-89.0.9.EL.src.rpm

i386:
kernel-2.6.9-89.0.9.EL.i686.rpm
kernel-debuginfo-2.6.9-89.0.9.EL.i686.rpm
kernel-devel-2.6.9-89.0.9.EL.i686.rpm
kernel-hugemem-2.6.9-89.0.9.EL.i686.rpm
kernel-hugemem-devel-2.6.9-89.0.9.EL.i686.rpm
kernel-smp-2.6.9-89.0.9.EL.i686.rpm
kernel-smp-devel-2.6.9-89.0.9.EL.i686.rpm
kernel-xenU-2.6.9-89.0.9.EL.i686.rpm
kernel-xenU-devel-2.6.9-89.0.9.EL.i686.rpm

ia64:
kernel-2.6.9-89.0.9.EL.ia64.rpm
kernel-debuginfo-2.6.9-89.0.9.EL.ia64.rpm
kernel-devel-2.6.9-89.0.9.EL.ia64.rpm
kernel-largesmp-2.6.9-89.0.9.EL.ia64.rpm
kernel-largesmp-devel-2.6.9-89.0.9.EL.ia64.rpm

noarch:
kernel-doc-2.6.9-89.0.9.EL.noarch.rpm

x86_64:
kernel-2.6.9-89.0.9.EL.x86_64.rpm
kernel-debuginfo-2.6.9-89.0.9.EL.x86_64.rpm
kernel-devel-2.6.9-89.0.9.EL.x86_64.rpm
kernel-largesmp-2.6.9-89.0.9.EL.x86_64.rpm
kernel-largesmp-devel-2.6.9-89.0.9.EL.x86_64.rpm
kernel-smp-2.6.9-89.0.9.EL.x86_64.rpm
kernel-smp-devel-2.6.9-89.0.9.EL.x86_64.rpm
kernel-xenU-2.6.9-89.0.9.EL.x86_64.rpm
kernel-xenU-devel-2.6.9-89.0.9.EL.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2692
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2698
http://www.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFKknYZXlSAg2UNWIIRAvelAKCjAoFmnGHoPRDwkUlaPaAfTyGUJQCfcUEE
o0yoW5qddla4PXzclIJD/Hg=
=z1tj
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Aug 26 14:50:50 2009
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 26 Aug 2009 10:50:50 -0400
Subject: [RHSA-2009:1232-01] Moderate: gnutls security update
Message-ID: <200908261450.n7QEooKc006325@int-mx07.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: gnutls security update
Advisory ID:       RHSA-2009:1232-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2009-1232.html
Issue date:        2009-08-26
CVE Names:         CVE-2009-2730
=====================================================================

1. Summary:

Updated gnutls packages that fix a security issue are now available for Red Hat Enterprise Linux 4 and 5.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64

3. Description:

The GnuTLS library provides support for cryptographic algorithms and for protocols such as Transport Layer Security (TLS).

A flaw was discovered in the way GnuTLS handles NULL characters in certain fields of X.509 certificates.
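As an added illustration of the handling at issue here (not Red Hat's or GnuTLS's code), the following Python shows why a NUL byte inside a certificate name field matters: DER string fields carry an explicit length, so a name with an embedded NUL decodes whole, but any comparison that treats the decoded value as a NUL-terminated string sees only the prefix. name_matches_naive reproduces that pattern, name_matches_safe the hardened form that rejects NUL bytes and compares the full DER-delimited value. The DER helpers, sample names and host names are constructed for the example.

```python
"""Length-aware handling of X.509 name fields that contain a NUL byte.

Added example for the GnuTLS name-verification flaw this advisory describes
(CVE-2009-2730); it is not Red Hat's or GnuTLS's code. The DER helpers,
sample names and host names are constructed for illustration.
"""

# DER string types commonly found in a subject CN or a subjectAltName dNSName.
STRING_TAGS = {0x0C: "UTF8String", 0x13: "PrintableString", 0x16: "IA5String"}


def der_encode_string(tag, value):
    """Encode `value` (bytes) as a DER TLV; handles short- and long-form lengths."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        n_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(n_bytes)]) + n_bytes
    return bytes([tag]) + length + value


def der_decode_string(buf):
    """Decode one DER string TLV into (type_name, value_bytes).

    The length octets, not any terminator, delimit the value, so a NUL inside
    the value is ordinary data to the decoder. Raises ValueError when malformed.
    """
    if len(buf) < 2 or buf[0] not in STRING_TAGS:
        raise ValueError("not a DER string TLV")
    first, pos = buf[1], 2
    if first < 0x80:
        n = first
    else:
        count = first & 0x7F
        if count == 0 or count > 4 or len(buf) < 2 + count:
            raise ValueError("bad length octets")
        n = int.from_bytes(buf[2:2 + count], "big")
        pos = 2 + count
        if n < 0x80:
            raise ValueError("non-minimal length encoding is not DER")
    if len(buf) != pos + n:
        raise ValueError("declared length does not match buffer")
    return STRING_TAGS[buf[0]], buf[pos:pos + n]


def is_well_formed(buf):
    """True when `buf` is a single, correctly delimited DER string TLV."""
    try:
        der_decode_string(buf)
        return True
    except ValueError:
        return False


def cstring_view(value):
    """What a NUL-terminated consumer sees of `value`: the bytes before the first NUL."""
    i = value.find(b"\x00")
    return value if i < 0 else value[:i]


def name_matches_naive(der_tlv, hostname):
    """Vulnerable pattern: the DER length is honoured while parsing, but the
    value is then compared as a C string, so everything after a NUL is ignored."""
    _, value = der_decode_string(der_tlv)
    return cstring_view(value).lower() == hostname.encode("ascii").lower()


def name_matches_safe(der_tlv, hostname):
    """Hardened pattern: a NUL has no legitimate place in a DNS name, so any
    name field containing one is rejected outright, and the comparison covers
    the full DER-delimited value (exact match only; wildcards are out of scope)."""
    _, value = der_decode_string(der_tlv)
    if b"\x00" in value:
        return False
    return value.lower() == hostname.encode("ascii").lower()


# Constructed samples: an ordinary CN, and a CN with an embedded NUL whose
# C-string prefix equals the expected name although the full value does not.
LEGIT_CN = der_encode_string(0x0C, b"www.bank.example")
NUL_CN = der_encode_string(0x0C, b"www.bank.example\x00.attacker.example")

if __name__ == "__main__":
    for label, tlv in (("legit", LEGIT_CN), ("nul-embedded", NUL_CN)):
        kind, raw = der_decode_string(tlv)
        print(label, kind, raw,
              "naive:", name_matches_naive(tlv, "www.bank.example"),
              "safe:", name_matches_safe(tlv, "www.bank.example"))
```

Running the file prints both verdicts for each sample: the naive check accepts the NUL-embedded name for www.bank.example, the safe check does not. Rejecting NUL bytes explicitly, rather than only comparing full-length values, also protects any later code path that hands the name to a C-string API.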
If an attacker is able to get a carefully-crafted certificate signed by a Certificate Authority trusted by an application using GnuTLS, the attacker could use the certificate during a man-in-the-middle attack and potentially confuse the application into accepting it by mistake. (CVE-2009-2730)

Users of GnuTLS are advised to upgrade to these updated packages, which contain a backported patch that corrects this issue.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

516231 - CVE-2009-2730 gnutls: incorrect verification of SSL certificate with NUL in name (GNUTLS-SA-2009-4)

6. Package List:

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/gnutls-1.0.20-4.el4_8.3.src.rpm

i386:
gnutls-1.0.20-4.el4_8.3.i386.rpm
gnutls-debuginfo-1.0.20-4.el4_8.3.i386.rpm
gnutls-devel-1.0.20-4.el4_8.3.i386.rpm

ia64:
gnutls-1.0.20-4.el4_8.3.i386.rpm
gnutls-1.0.20-4.el4_8.3.ia64.rpm
gnutls-debuginfo-1.0.20-4.el4_8.3.i386.rpm
gnutls-debuginfo-1.0.20-4.el4_8.3.ia64.rpm
gnutls-devel-1.0.20-4.el4_8.3.ia64.rpm

ppc:
gnutls-1.0.20-4.el4_8.3.ppc.rpm
gnutls-1.0.20-4.el4_8.3.ppc64.rpm
gnutls-debuginfo-1.0.20-4.el4_8.3.ppc.rpm
gnutls-debuginfo-1.0.20-4.el4_8.3.ppc64.rpm
gnutls-devel-1.0.20-4.el4_8.3.ppc.rpm

s390:
gnutls-1.0.20-4.el4_8.3.s390.rpm
gnutls-debuginfo-1.0.20-4.el4_8.3.s390.rpm
gnutls-devel-1.0.20-4.el4_8.3.s390.rpm

s390x:
gnutls-1.0.20-4.el4_8.3.s390.rpm
gnutls-1.0.20-4.el4_8.3.s390x.rpm
gnutls-debuginfo-1.0.20-4.el4_8.3.s390.rpm
gnutls-debuginfo-1.0.20-4.el4_8.3.s390x.rpm
gnutls-devel-1.0.20-4.el4_8.3.s390x.rpm

x86_64:
gnutls-1.0.20-4.el4_8.3.i386.rpm
gnutls-1.0.20-4.el4_8.3.x86_64.rpm
gnutls-debuginfo-1.0.20-4.el4_8.3.i386.rpm
gnutls-debuginfo-1.0.20-4.el4_8.3.x86_64.rpm
gnutls-devel-1.0.20-4.el4_8.3.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/gnutls-1.0.20-4.el4_8.3.src.rpm

i386:
gnutls-1.0.20-4.el4_8.3.i386.rpm
gnutls-debuginfo-1.0.20-4.el4_8.3.i386.rpm
gnutls-devel-1.0.20-4.el4_8.3.i386.rpm

x86_64:
gnutls-1.0.20-4.el4_8.3.i386.rpm
gnutls-1.0.20-4.el4_8.3.x86_64.rpm
gnutls-debuginfo-1.0.20-4.el4_8.3.i386.rpm
gnutls-debuginfo-1.0.20-4.el4_8.3.x86_64.rpm
gnutls-devel-1.0.20-4.el4_8.3.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/gnutls-1.0.20-4.el4_8.3.src.rpm

i386:
gnutls-1.0.20-4.el4_8.3.i386.rpm
gnutls-debuginfo-1.0.20-4.el4_8.3.i386.rpm
gnutls-devel-1.0.20-4.el4_8.3.i386.rpm

ia64:
gnutls-1.0.20-4.el4_8.3.i386.rpm
gnutls-1.0.20-4.el4_8.3.ia64.rpm
gnutls-debuginfo-1.0.20-4.el4_8.3.i386.rpm
gnutls-debuginfo-1.0.20-4.el4_8.3.ia64.rpm
gnutls-devel-1.0.20-4.el4_8.3.ia64.rpm

x86_64:
gnutls-1.0.20-4.el4_8.3.i386.rpm
gnutls-1.0.20-4.el4_8.3.x86_64.rpm
gnutls-debuginfo-1.0.20-4.el4_8.3.i386.rpm
gnutls-debuginfo-1.0.20-4.el4_8.3.x86_64.rpm
gnutls-devel-1.0.20-4.el4_8.3.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/gnutls-1.0.20-4.el4_8.3.src.rpm

i386:
gnutls-1.0.20-4.el4_8.3.i386.rpm
gnutls-debuginfo-1.0.20-4.el4_8.3.i386.rpm
gnutls-devel-1.0.20-4.el4_8.3.i386.rpm

ia64:
gnutls-1.0.20-4.el4_8.3.i386.rpm
gnutls-1.0.20-4.el4_8.3.ia64.rpm
gnutls-debuginfo-1.0.20-4.el4_8.3.i386.rpm
gnutls-debuginfo-1.0.20-4.el4_8.3.ia64.rpm
gnutls-devel-1.0.20-4.el4_8.3.ia64.rpm

x86_64:
gnutls-1.0.20-4.el4_8.3.i386.rpm
gnutls-1.0.20-4.el4_8.3.x86_64.rpm
gnutls-debuginfo-1.0.20-4.el4_8.3.i386.rpm
gnutls-debuginfo-1.0.20-4.el4_8.3.x86_64.rpm
gnutls-devel-1.0.20-4.el4_8.3.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/gnutls-1.4.1-3.el5_3.5.src.rpm

i386:
gnutls-1.4.1-3.el5_3.5.i386.rpm
gnutls-debuginfo-1.4.1-3.el5_3.5.i386.rpm
gnutls-utils-1.4.1-3.el5_3.5.i386.rpm

x86_64:
gnutls-1.4.1-3.el5_3.5.i386.rpm
gnutls-1.4.1-3.el5_3.5.x86_64.rpm
gnutls-debuginfo-1.4.1-3.el5_3.5.i386.rpm
gnutls-debuginfo-1.4.1-3.el5_3.5.x86_64.rpm
gnutls-utils-1.4.1-3.el5_3.5.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/gnutls-1.4.1-3.el5_3.5.src.rpm

i386:
gnutls-debuginfo-1.4.1-3.el5_3.5.i386.rpm
gnutls-devel-1.4.1-3.el5_3.5.i386.rpm

x86_64:
gnutls-debuginfo-1.4.1-3.el5_3.5.i386.rpm
gnutls-debuginfo-1.4.1-3.el5_3.5.x86_64.rpm
gnutls-devel-1.4.1-3.el5_3.5.i386.rpm
gnutls-devel-1.4.1-3.el5_3.5.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/gnutls-1.4.1-3.el5_3.5.src.rpm

i386:
gnutls-1.4.1-3.el5_3.5.i386.rpm
gnutls-debuginfo-1.4.1-3.el5_3.5.i386.rpm
gnutls-devel-1.4.1-3.el5_3.5.i386.rpm
gnutls-utils-1.4.1-3.el5_3.5.i386.rpm

ia64:
gnutls-1.4.1-3.el5_3.5.i386.rpm
gnutls-1.4.1-3.el5_3.5.ia64.rpm
gnutls-debuginfo-1.4.1-3.el5_3.5.i386.rpm
gnutls-debuginfo-1.4.1-3.el5_3.5.ia64.rpm
gnutls-devel-1.4.1-3.el5_3.5.ia64.rpm
gnutls-utils-1.4.1-3.el5_3.5.ia64.rpm

ppc:
gnutls-1.4.1-3.el5_3.5.ppc.rpm
gnutls-1.4.1-3.el5_3.5.ppc64.rpm
gnutls-debuginfo-1.4.1-3.el5_3.5.ppc.rpm
gnutls-debuginfo-1.4.1-3.el5_3.5.ppc64.rpm
gnutls-devel-1.4.1-3.el5_3.5.ppc.rpm
gnutls-devel-1.4.1-3.el5_3.5.ppc64.rpm
gnutls-utils-1.4.1-3.el5_3.5.ppc.rpm

s390x:
gnutls-1.4.1-3.el5_3.5.s390.rpm
gnutls-1.4.1-3.el5_3.5.s390x.rpm
gnutls-debuginfo-1.4.1-3.el5_3.5.s390.rpm
gnutls-debuginfo-1.4.1-3.el5_3.5.s390x.rpm
gnutls-devel-1.4.1-3.el5_3.5.s390.rpm
gnutls-devel-1.4.1-3.el5_3.5.s390x.rpm
gnutls-utils-1.4.1-3.el5_3.5.s390x.rpm

x86_64:
gnutls-1.4.1-3.el5_3.5.i386.rpm
gnutls-1.4.1-3.el5_3.5.x86_64.rpm
gnutls-debuginfo-1.4.1-3.el5_3.5.i386.rpm
gnutls-debuginfo-1.4.1-3.el5_3.5.x86_64.rpm
gnutls-devel-1.4.1-3.el5_3.5.i386.rpm
gnutls-devel-1.4.1-3.el5_3.5.x86_64.rpm
gnutls-utils-1.4.1-3.el5_3.5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2730
http://www.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFKlUvEXlSAg2UNWIIRAmrSAJ0epUOb0gdLes272Opa/qJyCTH3bQCbBtBx
NPBbqnwFHWhc8uZbag39Nf8=
=/NCj
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Aug 27 20:04:31 2009
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 27 Aug 2009 16:04:31 -0400
Subject: [RHSA-2009:1233-01] Important: kernel security update
Message-ID: <200908272004.n7RK4Wnd009205@int-mx02.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: kernel security update
Advisory ID:       RHSA-2009:1233-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2009-1233.html
Issue date:        2009-08-27
CVE Names:         CVE-2009-2692 CVE-2009-2698
=====================================================================

1. Summary:

Updated kernel packages that fix two security issues are now available for Red Hat Enterprise Linux 3.

This update has been rated as having important security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64

3. Description:

The kernel packages contain the Linux kernel, the core of any Linux operating system.

These updated packages fix the following security issues:

* a flaw was found in the SOCKOPS_WRAP macro in the Linux kernel. This macro did not initialize the sendpage operation in the proto_ops structure correctly. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2692, Important)

* a flaw was found in the udp_sendmsg() implementation in the Linux kernel when using the MSG_MORE flag on UDP sockets. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2698, Important)

Red Hat would like to thank Tavis Ormandy and Julien Tinnes of the Google Security Team for responsibly reporting these flaws.

All Red Hat Enterprise Linux 3 users should upgrade to these updated packages, which contain backported patches to resolve these issues. The system must be rebooted for this update to take effect.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

516949 - CVE-2009-2692 kernel: uninit op in SOCKOPS_WRAP() leads to privesc
518034 - CVE-2009-2698 kernel: udp socket NULL ptr dereference

6. Package List:

Red Hat Enterprise Linux AS version 3:

Source:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/kernel-2.4.21-60.EL.src.rpm

i386:
kernel-2.4.21-60.EL.athlon.rpm
kernel-2.4.21-60.EL.i686.rpm
kernel-BOOT-2.4.21-60.EL.i386.rpm
kernel-debuginfo-2.4.21-60.EL.athlon.rpm
kernel-debuginfo-2.4.21-60.EL.i386.rpm
kernel-debuginfo-2.4.21-60.EL.i686.rpm
kernel-doc-2.4.21-60.EL.i386.rpm
kernel-hugemem-2.4.21-60.EL.i686.rpm
kernel-hugemem-unsupported-2.4.21-60.EL.i686.rpm
kernel-smp-2.4.21-60.EL.athlon.rpm
kernel-smp-2.4.21-60.EL.i686.rpm
kernel-smp-unsupported-2.4.21-60.EL.athlon.rpm
kernel-smp-unsupported-2.4.21-60.EL.i686.rpm
kernel-source-2.4.21-60.EL.i386.rpm
kernel-unsupported-2.4.21-60.EL.athlon.rpm
kernel-unsupported-2.4.21-60.EL.i686.rpm

ia64:
kernel-2.4.21-60.EL.ia64.rpm
kernel-debuginfo-2.4.21-60.EL.ia64.rpm
kernel-doc-2.4.21-60.EL.ia64.rpm
kernel-source-2.4.21-60.EL.ia64.rpm
kernel-unsupported-2.4.21-60.EL.ia64.rpm

ppc:
kernel-2.4.21-60.EL.ppc64iseries.rpm
kernel-2.4.21-60.EL.ppc64pseries.rpm
kernel-debuginfo-2.4.21-60.EL.ppc64.rpm
kernel-debuginfo-2.4.21-60.EL.ppc64iseries.rpm
kernel-debuginfo-2.4.21-60.EL.ppc64pseries.rpm
kernel-doc-2.4.21-60.EL.ppc64.rpm
kernel-source-2.4.21-60.EL.ppc64.rpm
kernel-unsupported-2.4.21-60.EL.ppc64iseries.rpm
kernel-unsupported-2.4.21-60.EL.ppc64pseries.rpm

s390:
kernel-2.4.21-60.EL.s390.rpm
kernel-debuginfo-2.4.21-60.EL.s390.rpm
kernel-doc-2.4.21-60.EL.s390.rpm
kernel-source-2.4.21-60.EL.s390.rpm
kernel-unsupported-2.4.21-60.EL.s390.rpm

s390x:
kernel-2.4.21-60.EL.s390x.rpm
kernel-debuginfo-2.4.21-60.EL.s390x.rpm
kernel-doc-2.4.21-60.EL.s390x.rpm
kernel-source-2.4.21-60.EL.s390x.rpm
kernel-unsupported-2.4.21-60.EL.s390x.rpm

x86_64:
kernel-2.4.21-60.EL.ia32e.rpm
kernel-2.4.21-60.EL.x86_64.rpm
kernel-debuginfo-2.4.21-60.EL.ia32e.rpm
kernel-debuginfo-2.4.21-60.EL.x86_64.rpm
kernel-doc-2.4.21-60.EL.x86_64.rpm
kernel-smp-2.4.21-60.EL.x86_64.rpm
kernel-smp-unsupported-2.4.21-60.EL.x86_64.rpm
kernel-source-2.4.21-60.EL.x86_64.rpm
kernel-unsupported-2.4.21-60.EL.ia32e.rpm
kernel-unsupported-2.4.21-60.EL.x86_64.rpm

Red Hat Desktop version 3:

Source:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/kernel-2.4.21-60.EL.src.rpm

i386:
kernel-2.4.21-60.EL.athlon.rpm
kernel-2.4.21-60.EL.i686.rpm
kernel-BOOT-2.4.21-60.EL.i386.rpm
kernel-debuginfo-2.4.21-60.EL.athlon.rpm
kernel-debuginfo-2.4.21-60.EL.i386.rpm
kernel-debuginfo-2.4.21-60.EL.i686.rpm
kernel-doc-2.4.21-60.EL.i386.rpm
kernel-hugemem-2.4.21-60.EL.i686.rpm
kernel-hugemem-unsupported-2.4.21-60.EL.i686.rpm
kernel-smp-2.4.21-60.EL.athlon.rpm
kernel-smp-2.4.21-60.EL.i686.rpm
kernel-smp-unsupported-2.4.21-60.EL.athlon.rpm
kernel-smp-unsupported-2.4.21-60.EL.i686.rpm
kernel-source-2.4.21-60.EL.i386.rpm
kernel-unsupported-2.4.21-60.EL.athlon.rpm
kernel-unsupported-2.4.21-60.EL.i686.rpm

x86_64:
kernel-2.4.21-60.EL.ia32e.rpm
kernel-2.4.21-60.EL.x86_64.rpm
kernel-debuginfo-2.4.21-60.EL.ia32e.rpm
kernel-debuginfo-2.4.21-60.EL.x86_64.rpm
kernel-doc-2.4.21-60.EL.x86_64.rpm
kernel-smp-2.4.21-60.EL.x86_64.rpm
kernel-smp-unsupported-2.4.21-60.EL.x86_64.rpm
kernel-source-2.4.21-60.EL.x86_64.rpm
kernel-unsupported-2.4.21-60.EL.ia32e.rpm
kernel-unsupported-2.4.21-60.EL.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

Source:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/kernel-2.4.21-60.EL.src.rpm

i386:
kernel-2.4.21-60.EL.athlon.rpm
kernel-2.4.21-60.EL.i686.rpm
kernel-BOOT-2.4.21-60.EL.i386.rpm
kernel-debuginfo-2.4.21-60.EL.athlon.rpm
kernel-debuginfo-2.4.21-60.EL.i386.rpm
kernel-debuginfo-2.4.21-60.EL.i686.rpm
kernel-doc-2.4.21-60.EL.i386.rpm
kernel-hugemem-2.4.21-60.EL.i686.rpm
kernel-hugemem-unsupported-2.4.21-60.EL.i686.rpm
kernel-smp-2.4.21-60.EL.athlon.rpm
kernel-smp-2.4.21-60.EL.i686.rpm
kernel-smp-unsupported-2.4.21-60.EL.athlon.rpm
kernel-smp-unsupported-2.4.21-60.EL.i686.rpm
kernel-source-2.4.21-60.EL.i386.rpm
kernel-unsupported-2.4.21-60.EL.athlon.rpm
kernel-unsupported-2.4.21-60.EL.i686.rpm

ia64:
kernel-2.4.21-60.EL.ia64.rpm
kernel-debuginfo-2.4.21-60.EL.ia64.rpm
kernel-doc-2.4.21-60.EL.ia64.rpm
kernel-source-2.4.21-60.EL.ia64.rpm
kernel-unsupported-2.4.21-60.EL.ia64.rpm

x86_64:
kernel-2.4.21-60.EL.ia32e.rpm
kernel-2.4.21-60.EL.x86_64.rpm
kernel-debuginfo-2.4.21-60.EL.ia32e.rpm
kernel-debuginfo-2.4.21-60.EL.x86_64.rpm
kernel-doc-2.4.21-60.EL.x86_64.rpm
kernel-smp-2.4.21-60.EL.x86_64.rpm
kernel-smp-unsupported-2.4.21-60.EL.x86_64.rpm
kernel-source-2.4.21-60.EL.x86_64.rpm
kernel-unsupported-2.4.21-60.EL.ia32e.rpm
kernel-unsupported-2.4.21-60.EL.x86_64.rpm

Red Hat Enterprise Linux WS version 3:

Source:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/kernel-2.4.21-60.EL.src.rpm

i386:
kernel-2.4.21-60.EL.athlon.rpm
kernel-2.4.21-60.EL.i686.rpm
kernel-BOOT-2.4.21-60.EL.i386.rpm
kernel-debuginfo-2.4.21-60.EL.athlon.rpm
kernel-debuginfo-2.4.21-60.EL.i386.rpm
kernel-debuginfo-2.4.21-60.EL.i686.rpm
kernel-doc-2.4.21-60.EL.i386.rpm
kernel-hugemem-2.4.21-60.EL.i686.rpm
kernel-hugemem-unsupported-2.4.21-60.EL.i686.rpm
kernel-smp-2.4.21-60.EL.athlon.rpm
kernel-smp-2.4.21-60.EL.i686.rpm
kernel-smp-unsupported-2.4.21-60.EL.athlon.rpm
kernel-smp-unsupported-2.4.21-60.EL.i686.rpm
kernel-source-2.4.21-60.EL.i386.rpm
kernel-unsupported-2.4.21-60.EL.athlon.rpm
kernel-unsupported-2.4.21-60.EL.i686.rpm

ia64:
kernel-2.4.21-60.EL.ia64.rpm
kernel-debuginfo-2.4.21-60.EL.ia64.rpm
kernel-doc-2.4.21-60.EL.ia64.rpm
kernel-source-2.4.21-60.EL.ia64.rpm
kernel-unsupported-2.4.21-60.EL.ia64.rpm

x86_64:
kernel-2.4.21-60.EL.ia32e.rpm
kernel-2.4.21-60.EL.x86_64.rpm
kernel-debuginfo-2.4.21-60.EL.ia32e.rpm
kernel-debuginfo-2.4.21-60.EL.x86_64.rpm
kernel-doc-2.4.21-60.EL.x86_64.rpm
kernel-smp-2.4.21-60.EL.x86_64.rpm
kernel-smp-unsupported-2.4.21-60.EL.x86_64.rpm
kernel-source-2.4.21-60.EL.x86_64.rpm
kernel-unsupported-2.4.21-60.EL.ia32e.rpm
kernel-unsupported-2.4.21-60.EL.x86_64.rpm

These packages are GPG signed by Red Hat for security.
Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2692
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2698
http://www.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFKluZjXlSAg2UNWIIRAlfDAJ9/g4uxFYk4vJR9tuvtCqvvY3d+5gCgib0S
wLyJpwtkPrB7ZLrrNq8WUtI=
=4s0T
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Fri Aug 28 09:15:34 2009
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Fri, 28 Aug 2009 05:15:34 -0400
Subject: [RHSA-2009:1236-01] Critical: java-1.5.0-ibm security update
Message-ID: <200908280915.n7S9FYwm005735@int-mx04.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: java-1.5.0-ibm security update
Advisory ID:       RHSA-2009:1236-01
Product:           Red Hat Enterprise Linux Extras
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2009-1236.html
Issue date:        2009-08-28
CVE Names:         CVE-2009-2625 CVE-2009-2670 CVE-2009-2671 CVE-2009-2672 CVE-2009-2673 CVE-2009-2675
=====================================================================

1. Summary:

Updated java-1.5.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 4 Extras and 5 Supplementary.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 Extras - i386, ppc, s390, s390x, x86_64
Red Hat Desktop version 4 Extras - i386, x86_64
Red Hat Enterprise Linux ES version 4 Extras - i386, x86_64
Red Hat Enterprise Linux WS version 4 Extras - i386, x86_64
RHEL Desktop Supplementary (v. 5 client) - i386, x86_64
RHEL Supplementary (v. 5 server) - i386, ppc, s390x, x86_64

3. Description:

The IBM 1.5.0 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit.

This update fixes several vulnerabilities in the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. These vulnerabilities are summarized on the IBM "Security alerts" page listed in the References section. (CVE-2009-2625, CVE-2009-2670, CVE-2009-2671, CVE-2009-2672, CVE-2009-2673, CVE-2009-2675)

All users of java-1.5.0-ibm are advised to upgrade to these updated packages, containing the IBM 1.5.0 SR10 Java release. All running instances of IBM Java must be restarted for this update to take effect.

Note: The packages included in this update are identical to the packages made available by RHEA-2009:1208 and RHEA-2009:1210 on the 13th of August 2009. These packages are being reissued as a Red Hat Security Advisory as they fixed a number of security issues that were not made public until after those errata were released. Since the packages are identical, there is no need to install this update if RHEA-2009:1208 or RHEA-2009:1210 has already been installed.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

512896 - CVE-2009-2670 OpenJDK Untrusted applet System properties access (6738524)
512907 - CVE-2009-2671 CVE-2009-2672 OpenJDK Proxy mechanism information leaks (6801071)
512914 - CVE-2009-2673 OpenJDK proxy mechanism allows non-authorized socket connections (6801497)
512920 - CVE-2009-2675 Java Web Start Buffer unpack200 processing integer overflow (6830335)
512921 - CVE-2009-2625 OpenJDK XML parsing Denial-Of-Service (6845701)

6. Package List:

Red Hat Enterprise Linux AS version 4 Extras:

i386:
java-1.5.0-ibm-1.5.0.10-1jpp.4.el4.i386.rpm
java-1.5.0-ibm-demo-1.5.0.10-1jpp.4.el4.i386.rpm
java-1.5.0-ibm-devel-1.5.0.10-1jpp.4.el4.i386.rpm
java-1.5.0-ibm-javacomm-1.5.0.10-1jpp.4.el4.i386.rpm
java-1.5.0-ibm-jdbc-1.5.0.10-1jpp.4.el4.i386.rpm
java-1.5.0-ibm-plugin-1.5.0.10-1jpp.4.el4.i386.rpm
java-1.5.0-ibm-src-1.5.0.10-1jpp.4.el4.i386.rpm

ppc:
java-1.5.0-ibm-1.5.0.10-1jpp.4.el4.ppc.rpm
java-1.5.0-ibm-1.5.0.10-1jpp.4.el4.ppc64.rpm
java-1.5.0-ibm-demo-1.5.0.10-1jpp.4.el4.ppc.rpm
java-1.5.0-ibm-demo-1.5.0.10-1jpp.4.el4.ppc64.rpm
java-1.5.0-ibm-devel-1.5.0.10-1jpp.4.el4.ppc.rpm
java-1.5.0-ibm-devel-1.5.0.10-1jpp.4.el4.ppc64.rpm
java-1.5.0-ibm-javacomm-1.5.0.10-1jpp.4.el4.ppc.rpm
java-1.5.0-ibm-javacomm-1.5.0.10-1jpp.4.el4.ppc64.rpm
java-1.5.0-ibm-jdbc-1.5.0.10-1jpp.4.el4.ppc.rpm
java-1.5.0-ibm-plugin-1.5.0.10-1jpp.4.el4.ppc.rpm
java-1.5.0-ibm-src-1.5.0.10-1jpp.4.el4.ppc.rpm
java-1.5.0-ibm-src-1.5.0.10-1jpp.4.el4.ppc64.rpm

s390:
java-1.5.0-ibm-1.5.0.10-1jpp.4.el4.s390.rpm
java-1.5.0-ibm-demo-1.5.0.10-1jpp.4.el4.s390.rpm
java-1.5.0-ibm-devel-1.5.0.10-1jpp.4.el4.s390.rpm
java-1.5.0-ibm-jdbc-1.5.0.10-1jpp.4.el4.s390.rpm
java-1.5.0-ibm-src-1.5.0.10-1jpp.4.el4.s390.rpm

s390x:
java-1.5.0-ibm-1.5.0.10-1jpp.4.el4.s390x.rpm
java-1.5.0-ibm-demo-1.5.0.10-1jpp.4.el4.s390x.rpm
java-1.5.0-ibm-devel-1.5.0.10-1jpp.4.el4.s390x.rpm
java-1.5.0-ibm-src-1.5.0.10-1jpp.4.el4.s390x.rpm

x86_64:
java-1.5.0-ibm-1.5.0.10-1jpp.4.el4.x86_64.rpm
java-1.5.0-ibm-demo-1.5.0.10-1jpp.4.el4.x86_64.rpm
java-1.5.0-ibm-devel-1.5.0.10-1jpp.4.el4.x86_64.rpm
java-1.5.0-ibm-javacomm-1.5.0.10-1jpp.4.el4.x86_64.rpm
java-1.5.0-ibm-src-1.5.0.10-1jpp.4.el4.x86_64.rpm

Red Hat Desktop version 4 Extras:

i386:
java-1.5.0-ibm-1.5.0.10-1jpp.4.el4.i386.rpm
java-1.5.0-ibm-demo-1.5.0.10-1jpp.4.el4.i386.rpm
java-1.5.0-ibm-devel-1.5.0.10-1jpp.4.el4.i386.rpm
java-1.5.0-ibm-javacomm-1.5.0.10-1jpp.4.el4.i386.rpm
java-1.5.0-ibm-jdbc-1.5.0.10-1jpp.4.el4.i386.rpm
java-1.5.0-ibm-plugin-1.5.0.10-1jpp.4.el4.i386.rpm
java-1.5.0-ibm-src-1.5.0.10-1jpp.4.el4.i386.rpm

x86_64:
java-1.5.0-ibm-1.5.0.10-1jpp.4.el4.x86_64.rpm
java-1.5.0-ibm-demo-1.5.0.10-1jpp.4.el4.x86_64.rpm
java-1.5.0-ibm-devel-1.5.0.10-1jpp.4.el4.x86_64.rpm
java-1.5.0-ibm-javacomm-1.5.0.10-1jpp.4.el4.x86_64.rpm
java-1.5.0-ibm-src-1.5.0.10-1jpp.4.el4.x86_64.rpm

Red Hat Enterprise Linux ES version 4 Extras:

i386:
java-1.5.0-ibm-1.5.0.10-1jpp.4.el4.i386.rpm
java-1.5.0-ibm-demo-1.5.0.10-1jpp.4.el4.i386.rpm
java-1.5.0-ibm-devel-1.5.0.10-1jpp.4.el4.i386.rpm
java-1.5.0-ibm-javacomm-1.5.0.10-1jpp.4.el4.i386.rpm
java-1.5.0-ibm-jdbc-1.5.0.10-1jpp.4.el4.i386.rpm
java-1.5.0-ibm-plugin-1.5.0.10-1jpp.4.el4.i386.rpm
java-1.5.0-ibm-src-1.5.0.10-1jpp.4.el4.i386.rpm

x86_64:
java-1.5.0-ibm-1.5.0.10-1jpp.4.el4.x86_64.rpm
java-1.5.0-ibm-demo-1.5.0.10-1jpp.4.el4.x86_64.rpm
java-1.5.0-ibm-devel-1.5.0.10-1jpp.4.el4.x86_64.rpm
java-1.5.0-ibm-javacomm-1.5.0.10-1jpp.4.el4.x86_64.rpm
java-1.5.0-ibm-src-1.5.0.10-1jpp.4.el4.x86_64.rpm

Red Hat Enterprise Linux WS version 4 Extras:

i386:
java-1.5.0-ibm-1.5.0.10-1jpp.4.el4.i386.rpm
java-1.5.0-ibm-demo-1.5.0.10-1jpp.4.el4.i386.rpm
java-1.5.0-ibm-devel-1.5.0.10-1jpp.4.el4.i386.rpm
java-1.5.0-ibm-javacomm-1.5.0.10-1jpp.4.el4.i386.rpm
java-1.5.0-ibm-jdbc-1.5.0.10-1jpp.4.el4.i386.rpm
java-1.5.0-ibm-plugin-1.5.0.10-1jpp.4.el4.i386.rpm
java-1.5.0-ibm-src-1.5.0.10-1jpp.4.el4.i386.rpm

x86_64:
java-1.5.0-ibm-1.5.0.10-1jpp.4.el4.x86_64.rpm
java-1.5.0-ibm-demo-1.5.0.10-1jpp.4.el4.x86_64.rpm
java-1.5.0-ibm-devel-1.5.0.10-1jpp.4.el4.x86_64.rpm
java-1.5.0-ibm-javacomm-1.5.0.10-1jpp.4.el4.x86_64.rpm
java-1.5.0-ibm-src-1.5.0.10-1jpp.4.el4.x86_64.rpm

RHEL Desktop Supplementary (v. 5 client):

i386:
java-1.5.0-ibm-1.5.0.10-1jpp.4.el5.i386.rpm
java-1.5.0-ibm-accessibility-1.5.0.10-1jpp.4.el5.i386.rpm
java-1.5.0-ibm-demo-1.5.0.10-1jpp.4.el5.i386.rpm
java-1.5.0-ibm-devel-1.5.0.10-1jpp.4.el5.i386.rpm
java-1.5.0-ibm-javacomm-1.5.0.10-1jpp.4.el5.i386.rpm
java-1.5.0-ibm-jdbc-1.5.0.10-1jpp.4.el5.i386.rpm
java-1.5.0-ibm-plugin-1.5.0.10-1jpp.4.el5.i386.rpm
java-1.5.0-ibm-src-1.5.0.10-1jpp.4.el5.i386.rpm

x86_64:
java-1.5.0-ibm-1.5.0.10-1jpp.4.el5.i386.rpm
java-1.5.0-ibm-1.5.0.10-1jpp.4.el5.x86_64.rpm
java-1.5.0-ibm-accessibility-1.5.0.10-1jpp.4.el5.x86_64.rpm
java-1.5.0-ibm-demo-1.5.0.10-1jpp.4.el5.i386.rpm
java-1.5.0-ibm-demo-1.5.0.10-1jpp.4.el5.x86_64.rpm
java-1.5.0-ibm-devel-1.5.0.10-1jpp.4.el5.i386.rpm
java-1.5.0-ibm-devel-1.5.0.10-1jpp.4.el5.x86_64.rpm
java-1.5.0-ibm-javacomm-1.5.0.10-1jpp.4.el5.i386.rpm
java-1.5.0-ibm-javacomm-1.5.0.10-1jpp.4.el5.x86_64.rpm
java-1.5.0-ibm-jdbc-1.5.0.10-1jpp.4.el5.i386.rpm
java-1.5.0-ibm-plugin-1.5.0.10-1jpp.4.el5.i386.rpm
java-1.5.0-ibm-src-1.5.0.10-1jpp.4.el5.i386.rpm
java-1.5.0-ibm-src-1.5.0.10-1jpp.4.el5.x86_64.rpm

RHEL Supplementary (v. 5 server):

i386:
java-1.5.0-ibm-1.5.0.10-1jpp.4.el5.i386.rpm
java-1.5.0-ibm-accessibility-1.5.0.10-1jpp.4.el5.i386.rpm
java-1.5.0-ibm-demo-1.5.0.10-1jpp.4.el5.i386.rpm
java-1.5.0-ibm-devel-1.5.0.10-1jpp.4.el5.i386.rpm
java-1.5.0-ibm-javacomm-1.5.0.10-1jpp.4.el5.i386.rpm
java-1.5.0-ibm-jdbc-1.5.0.10-1jpp.4.el5.i386.rpm
java-1.5.0-ibm-plugin-1.5.0.10-1jpp.4.el5.i386.rpm
java-1.5.0-ibm-src-1.5.0.10-1jpp.4.el5.i386.rpm

ppc:
java-1.5.0-ibm-1.5.0.10-1jpp.4.el5.ppc.rpm
java-1.5.0-ibm-1.5.0.10-1jpp.4.el5.ppc64.rpm
java-1.5.0-ibm-accessibility-1.5.0.10-1jpp.4.el5.ppc.rpm
java-1.5.0-ibm-demo-1.5.0.10-1jpp.4.el5.ppc.rpm
java-1.5.0-ibm-demo-1.5.0.10-1jpp.4.el5.ppc64.rpm
java-1.5.0-ibm-devel-1.5.0.10-1jpp.4.el5.ppc.rpm
java-1.5.0-ibm-devel-1.5.0.10-1jpp.4.el5.ppc64.rpm
java-1.5.0-ibm-javacomm-1.5.0.10-1jpp.4.el5.ppc.rpm
java-1.5.0-ibm-javacomm-1.5.0.10-1jpp.4.el5.ppc64.rpm
java-1.5.0-ibm-jdbc-1.5.0.10-1jpp.4.el5.ppc.rpm
java-1.5.0-ibm-plugin-1.5.0.10-1jpp.4.el5.ppc.rpm
java-1.5.0-ibm-src-1.5.0.10-1jpp.4.el5.ppc.rpm
java-1.5.0-ibm-src-1.5.0.10-1jpp.4.el5.ppc64.rpm

s390x:
java-1.5.0-ibm-1.5.0.10-1jpp.4.el5.s390.rpm
java-1.5.0-ibm-1.5.0.10-1jpp.4.el5.s390x.rpm
java-1.5.0-ibm-accessibility-1.5.0.10-1jpp.4.el5.s390x.rpm
java-1.5.0-ibm-demo-1.5.0.10-1jpp.4.el5.s390.rpm
java-1.5.0-ibm-demo-1.5.0.10-1jpp.4.el5.s390x.rpm
java-1.5.0-ibm-devel-1.5.0.10-1jpp.4.el5.s390.rpm
java-1.5.0-ibm-devel-1.5.0.10-1jpp.4.el5.s390x.rpm
java-1.5.0-ibm-jdbc-1.5.0.10-1jpp.4.el5.s390.rpm
java-1.5.0-ibm-src-1.5.0.10-1jpp.4.el5.s390.rpm
java-1.5.0-ibm-src-1.5.0.10-1jpp.4.el5.s390x.rpm

x86_64:
java-1.5.0-ibm-1.5.0.10-1jpp.4.el5.i386.rpm
java-1.5.0-ibm-1.5.0.10-1jpp.4.el5.x86_64.rpm
java-1.5.0-ibm-accessibility-1.5.0.10-1jpp.4.el5.x86_64.rpm
java-1.5.0-ibm-demo-1.5.0.10-1jpp.4.el5.i386.rpm
java-1.5.0-ibm-demo-1.5.0.10-1jpp.4.el5.x86_64.rpm
java-1.5.0-ibm-devel-1.5.0.10-1jpp.4.el5.i386.rpm
java-1.5.0-ibm-devel-1.5.0.10-1jpp.4.el5.x86_64.rpm
java-1.5.0-ibm-javacomm-1.5.0.10-1jpp.4.el5.i386.rpm
java-1.5.0-ibm-javacomm-1.5.0.10-1jpp.4.el5.x86_64.rpm
java-1.5.0-ibm-jdbc-1.5.0.10-1jpp.4.el5.i386.rpm
java-1.5.0-ibm-plugin-1.5.0.10-1jpp.4.el5.i386.rpm
java-1.5.0-ibm-src-1.5.0.10-1jpp.4.el5.i386.rpm
java-1.5.0-ibm-src-1.5.0.10-1jpp.4.el5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2625
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2670
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2671
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2672
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2673
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2675
http://www.redhat.com/security/updates/classification/#critical
http://www.ibm.com/developerworks/java/jdk/alerts/

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFKl6AlXlSAg2UNWIIRAp6HAKCRP0Ua7K1Y+hCzkmHBwsFcM6m2EQCdH8gE
GBNVEmiZ+t+r0t9GEUvCXF4=
=m1Qu
-----END PGP SIGNATURE-----