From bugzilla at redhat.com  Wed Feb  4 09:09:14 2009
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 4 Feb 2009 04:09:14 -0500
Subject: [RHSA-2009:0256-01] Critical: firefox security update
Message-ID: <200902040909.n1499Fh7022113@int-mx1.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: firefox security update
Advisory ID:       RHSA-2009:0256-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2009-0256.html
Issue date:        2009-02-04
CVE Names:         CVE-2009-0352 CVE-2009-0353 CVE-2009-0354 CVE-2009-0355
                   CVE-2009-0356 CVE-2009-0357 CVE-2009-0358
=====================================================================

1. Summary:

An updated firefox package that fixes various security issues is now
available for Red Hat Enterprise Linux 4 and 5.

This update has been rated as having critical security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64

3. Description:

Mozilla Firefox is an open source Web browser.

Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Firefox to crash or,
potentially, execute arbitrary code as the user running Firefox.
(CVE-2009-0352, CVE-2009-0353, CVE-2009-0356)

Several flaws were found in the way malformed content was processed. A
website containing specially-crafted content could, potentially, trick a
Firefox user into surrendering sensitive information. (CVE-2009-0354,
CVE-2009-0355)

A flaw was found in the way Firefox treated HTTPOnly cookies. An attacker
able to execute arbitrary JavaScript on a target site using HTTPOnly
cookies may be able to use this flaw to steal the cookie. (CVE-2009-0357)

A flaw was found in the way Firefox treated certain HTTP page caching
directives. A local attacker could steal the contents of sensitive pages
which the page author did not intend to be cached. (CVE-2009-0358)

For technical details regarding these flaws, please see the Mozilla
security advisories for Firefox 3.0.6. You can find a link to the Mozilla
advisories in the References section.

All Firefox users should upgrade to these updated packages, which contain
Firefox version 3.0.6, which corrects these issues. After installing the
update, Firefox must be restarted for the changes to take effect.

4. Solution:

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

456849 - missing dependency on pkgconfig in the -devel subpackage
483139 - CVE-2009-0352 Firefox layout crashes with evidence of memory corruption
483141 - CVE-2009-0353 Firefox javascript crashes with evidence of memory corruption
483142 - CVE-2009-0354 Firefox XSS using a chrome XBL method and window.eval
483143 - CVE-2009-0355 Firefox local file stealing with SessionStore
483144 - CVE-2009-0356 Firefox Chrome privilege escalation via local .desktop files
483145 - CVE-2009-0357 Firefox XMLHttpRequest allows reading HTTPOnly cookies
483150 - CVE-2009-0358 Firefox directives to not cache pages ignored

6. Package List:

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/firefox-3.0.6-1.el4.src.rpm
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/nss-3.12.2.0-3.el4.src.rpm

i386:
firefox-3.0.6-1.el4.i386.rpm
firefox-debuginfo-3.0.6-1.el4.i386.rpm
nss-3.12.2.0-3.el4.i386.rpm
nss-debuginfo-3.12.2.0-3.el4.i386.rpm
nss-devel-3.12.2.0-3.el4.i386.rpm
nss-tools-3.12.2.0-3.el4.i386.rpm

ia64:
firefox-3.0.6-1.el4.ia64.rpm
firefox-debuginfo-3.0.6-1.el4.ia64.rpm
nss-3.12.2.0-3.el4.i386.rpm
nss-3.12.2.0-3.el4.ia64.rpm
nss-debuginfo-3.12.2.0-3.el4.ia64.rpm
nss-devel-3.12.2.0-3.el4.ia64.rpm
nss-tools-3.12.2.0-3.el4.ia64.rpm

ppc:
firefox-3.0.6-1.el4.ppc.rpm
firefox-debuginfo-3.0.6-1.el4.ppc.rpm
nss-3.12.2.0-3.el4.ppc.rpm
nss-3.12.2.0-3.el4.ppc64.rpm
nss-debuginfo-3.12.2.0-3.el4.ppc.rpm
nss-debuginfo-3.12.2.0-3.el4.ppc64.rpm
nss-devel-3.12.2.0-3.el4.ppc.rpm
nss-tools-3.12.2.0-3.el4.ppc.rpm

s390:
firefox-3.0.6-1.el4.s390.rpm
firefox-debuginfo-3.0.6-1.el4.s390.rpm
nss-3.12.2.0-3.el4.s390.rpm
nss-debuginfo-3.12.2.0-3.el4.s390.rpm
nss-devel-3.12.2.0-3.el4.s390.rpm
nss-tools-3.12.2.0-3.el4.s390.rpm

s390x:
firefox-3.0.6-1.el4.s390x.rpm
firefox-debuginfo-3.0.6-1.el4.s390x.rpm
nss-3.12.2.0-3.el4.s390.rpm
nss-3.12.2.0-3.el4.s390x.rpm
nss-debuginfo-3.12.2.0-3.el4.s390x.rpm
nss-devel-3.12.2.0-3.el4.s390x.rpm
nss-tools-3.12.2.0-3.el4.s390x.rpm

x86_64:
firefox-3.0.6-1.el4.x86_64.rpm
firefox-debuginfo-3.0.6-1.el4.x86_64.rpm
nss-3.12.2.0-3.el4.i386.rpm
nss-3.12.2.0-3.el4.x86_64.rpm
nss-debuginfo-3.12.2.0-3.el4.x86_64.rpm
nss-devel-3.12.2.0-3.el4.x86_64.rpm
nss-tools-3.12.2.0-3.el4.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/firefox-3.0.6-1.el4.src.rpm
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/nss-3.12.2.0-3.el4.src.rpm

i386:
firefox-3.0.6-1.el4.i386.rpm
firefox-debuginfo-3.0.6-1.el4.i386.rpm
nss-3.12.2.0-3.el4.i386.rpm
nss-debuginfo-3.12.2.0-3.el4.i386.rpm
nss-devel-3.12.2.0-3.el4.i386.rpm
nss-tools-3.12.2.0-3.el4.i386.rpm

x86_64:
firefox-3.0.6-1.el4.x86_64.rpm
firefox-debuginfo-3.0.6-1.el4.x86_64.rpm
nss-3.12.2.0-3.el4.i386.rpm
nss-3.12.2.0-3.el4.x86_64.rpm
nss-debuginfo-3.12.2.0-3.el4.x86_64.rpm
nss-devel-3.12.2.0-3.el4.x86_64.rpm
nss-tools-3.12.2.0-3.el4.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/firefox-3.0.6-1.el4.src.rpm
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/nss-3.12.2.0-3.el4.src.rpm

i386:
firefox-3.0.6-1.el4.i386.rpm
firefox-debuginfo-3.0.6-1.el4.i386.rpm
nss-3.12.2.0-3.el4.i386.rpm
nss-debuginfo-3.12.2.0-3.el4.i386.rpm
nss-devel-3.12.2.0-3.el4.i386.rpm
nss-tools-3.12.2.0-3.el4.i386.rpm

ia64:
firefox-3.0.6-1.el4.ia64.rpm
firefox-debuginfo-3.0.6-1.el4.ia64.rpm
nss-3.12.2.0-3.el4.i386.rpm
nss-3.12.2.0-3.el4.ia64.rpm
nss-debuginfo-3.12.2.0-3.el4.ia64.rpm
nss-devel-3.12.2.0-3.el4.ia64.rpm
nss-tools-3.12.2.0-3.el4.ia64.rpm

x86_64:
firefox-3.0.6-1.el4.x86_64.rpm
firefox-debuginfo-3.0.6-1.el4.x86_64.rpm
nss-3.12.2.0-3.el4.i386.rpm
nss-3.12.2.0-3.el4.x86_64.rpm
nss-debuginfo-3.12.2.0-3.el4.x86_64.rpm
nss-devel-3.12.2.0-3.el4.x86_64.rpm
nss-tools-3.12.2.0-3.el4.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/firefox-3.0.6-1.el4.src.rpm
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/nss-3.12.2.0-3.el4.src.rpm

i386:
firefox-3.0.6-1.el4.i386.rpm
firefox-debuginfo-3.0.6-1.el4.i386.rpm
nss-3.12.2.0-3.el4.i386.rpm
nss-debuginfo-3.12.2.0-3.el4.i386.rpm
nss-devel-3.12.2.0-3.el4.i386.rpm
nss-tools-3.12.2.0-3.el4.i386.rpm

ia64:
firefox-3.0.6-1.el4.ia64.rpm
firefox-debuginfo-3.0.6-1.el4.ia64.rpm
nss-3.12.2.0-3.el4.i386.rpm
nss-3.12.2.0-3.el4.ia64.rpm
nss-debuginfo-3.12.2.0-3.el4.ia64.rpm
nss-devel-3.12.2.0-3.el4.ia64.rpm
nss-tools-3.12.2.0-3.el4.ia64.rpm

x86_64:
firefox-3.0.6-1.el4.x86_64.rpm
firefox-debuginfo-3.0.6-1.el4.x86_64.rpm
nss-3.12.2.0-3.el4.i386.rpm
nss-3.12.2.0-3.el4.x86_64.rpm
nss-debuginfo-3.12.2.0-3.el4.x86_64.rpm
nss-devel-3.12.2.0-3.el4.x86_64.rpm
nss-tools-3.12.2.0-3.el4.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/firefox-3.0.6-1.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/nss-3.12.2.0-4.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/xulrunner-1.9.0.6-1.el5.src.rpm

i386:
firefox-3.0.6-1.el5.i386.rpm
firefox-debuginfo-3.0.6-1.el5.i386.rpm
nss-3.12.2.0-4.el5.i386.rpm
nss-debuginfo-3.12.2.0-4.el5.i386.rpm
nss-tools-3.12.2.0-4.el5.i386.rpm
xulrunner-1.9.0.6-1.el5.i386.rpm
xulrunner-debuginfo-1.9.0.6-1.el5.i386.rpm

x86_64:
firefox-3.0.6-1.el5.i386.rpm
firefox-3.0.6-1.el5.x86_64.rpm
firefox-debuginfo-3.0.6-1.el5.i386.rpm
firefox-debuginfo-3.0.6-1.el5.x86_64.rpm
nss-3.12.2.0-4.el5.i386.rpm
nss-3.12.2.0-4.el5.x86_64.rpm
nss-debuginfo-3.12.2.0-4.el5.i386.rpm
nss-debuginfo-3.12.2.0-4.el5.x86_64.rpm
nss-tools-3.12.2.0-4.el5.x86_64.rpm
xulrunner-1.9.0.6-1.el5.i386.rpm
xulrunner-1.9.0.6-1.el5.x86_64.rpm
xulrunner-debuginfo-1.9.0.6-1.el5.i386.rpm
xulrunner-debuginfo-1.9.0.6-1.el5.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/nss-3.12.2.0-4.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/xulrunner-1.9.0.6-1.el5.src.rpm

i386:
nss-debuginfo-3.12.2.0-4.el5.i386.rpm
nss-devel-3.12.2.0-4.el5.i386.rpm
nss-pkcs11-devel-3.12.2.0-4.el5.i386.rpm
xulrunner-debuginfo-1.9.0.6-1.el5.i386.rpm
xulrunner-devel-1.9.0.6-1.el5.i386.rpm
xulrunner-devel-unstable-1.9.0.6-1.el5.i386.rpm

x86_64:
nss-debuginfo-3.12.2.0-4.el5.i386.rpm
nss-debuginfo-3.12.2.0-4.el5.x86_64.rpm
nss-devel-3.12.2.0-4.el5.i386.rpm
nss-devel-3.12.2.0-4.el5.x86_64.rpm
nss-pkcs11-devel-3.12.2.0-4.el5.i386.rpm
nss-pkcs11-devel-3.12.2.0-4.el5.x86_64.rpm
xulrunner-debuginfo-1.9.0.6-1.el5.i386.rpm
xulrunner-debuginfo-1.9.0.6-1.el5.x86_64.rpm
xulrunner-devel-1.9.0.6-1.el5.i386.rpm
xulrunner-devel-1.9.0.6-1.el5.x86_64.rpm
xulrunner-devel-unstable-1.9.0.6-1.el5.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/firefox-3.0.6-1.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/nss-3.12.2.0-4.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/xulrunner-1.9.0.6-1.el5.src.rpm

i386:
firefox-3.0.6-1.el5.i386.rpm
firefox-debuginfo-3.0.6-1.el5.i386.rpm
nss-3.12.2.0-4.el5.i386.rpm
nss-debuginfo-3.12.2.0-4.el5.i386.rpm
nss-devel-3.12.2.0-4.el5.i386.rpm
nss-pkcs11-devel-3.12.2.0-4.el5.i386.rpm
nss-tools-3.12.2.0-4.el5.i386.rpm
xulrunner-1.9.0.6-1.el5.i386.rpm
xulrunner-debuginfo-1.9.0.6-1.el5.i386.rpm
xulrunner-devel-1.9.0.6-1.el5.i386.rpm
xulrunner-devel-unstable-1.9.0.6-1.el5.i386.rpm

ia64:
firefox-3.0.6-1.el5.ia64.rpm
firefox-debuginfo-3.0.6-1.el5.ia64.rpm
nss-3.12.2.0-4.el5.i386.rpm
nss-3.12.2.0-4.el5.ia64.rpm
nss-debuginfo-3.12.2.0-4.el5.i386.rpm
nss-debuginfo-3.12.2.0-4.el5.ia64.rpm
nss-devel-3.12.2.0-4.el5.ia64.rpm
nss-pkcs11-devel-3.12.2.0-4.el5.ia64.rpm
nss-tools-3.12.2.0-4.el5.ia64.rpm
xulrunner-1.9.0.6-1.el5.ia64.rpm
xulrunner-debuginfo-1.9.0.6-1.el5.ia64.rpm
xulrunner-devel-1.9.0.6-1.el5.ia64.rpm
xulrunner-devel-unstable-1.9.0.6-1.el5.ia64.rpm

ppc:
firefox-3.0.6-1.el5.ppc.rpm
firefox-debuginfo-3.0.6-1.el5.ppc.rpm
nss-3.12.2.0-4.el5.ppc.rpm
nss-3.12.2.0-4.el5.ppc64.rpm
nss-debuginfo-3.12.2.0-4.el5.ppc.rpm
nss-debuginfo-3.12.2.0-4.el5.ppc64.rpm
nss-devel-3.12.2.0-4.el5.ppc.rpm
nss-devel-3.12.2.0-4.el5.ppc64.rpm
nss-pkcs11-devel-3.12.2.0-4.el5.ppc.rpm
nss-pkcs11-devel-3.12.2.0-4.el5.ppc64.rpm
nss-tools-3.12.2.0-4.el5.ppc.rpm
xulrunner-1.9.0.6-1.el5.ppc.rpm
xulrunner-1.9.0.6-1.el5.ppc64.rpm
xulrunner-debuginfo-1.9.0.6-1.el5.ppc.rpm
xulrunner-debuginfo-1.9.0.6-1.el5.ppc64.rpm
xulrunner-devel-1.9.0.6-1.el5.ppc.rpm
xulrunner-devel-1.9.0.6-1.el5.ppc64.rpm
xulrunner-devel-unstable-1.9.0.6-1.el5.ppc.rpm

s390x:
firefox-3.0.6-1.el5.s390.rpm
firefox-3.0.6-1.el5.s390x.rpm
firefox-debuginfo-3.0.6-1.el5.s390.rpm
firefox-debuginfo-3.0.6-1.el5.s390x.rpm
nss-3.12.2.0-4.el5.s390.rpm
nss-3.12.2.0-4.el5.s390x.rpm
nss-debuginfo-3.12.2.0-4.el5.s390.rpm
nss-debuginfo-3.12.2.0-4.el5.s390x.rpm
nss-devel-3.12.2.0-4.el5.s390.rpm
nss-devel-3.12.2.0-4.el5.s390x.rpm
nss-pkcs11-devel-3.12.2.0-4.el5.s390.rpm
nss-pkcs11-devel-3.12.2.0-4.el5.s390x.rpm
nss-tools-3.12.2.0-4.el5.s390x.rpm
xulrunner-1.9.0.6-1.el5.s390.rpm
xulrunner-1.9.0.6-1.el5.s390x.rpm
xulrunner-debuginfo-1.9.0.6-1.el5.s390.rpm
xulrunner-debuginfo-1.9.0.6-1.el5.s390x.rpm
xulrunner-devel-1.9.0.6-1.el5.s390.rpm
xulrunner-devel-1.9.0.6-1.el5.s390x.rpm
xulrunner-devel-unstable-1.9.0.6-1.el5.s390x.rpm

x86_64:
firefox-3.0.6-1.el5.i386.rpm
firefox-3.0.6-1.el5.x86_64.rpm
firefox-debuginfo-3.0.6-1.el5.i386.rpm
firefox-debuginfo-3.0.6-1.el5.x86_64.rpm
nss-3.12.2.0-4.el5.i386.rpm
nss-3.12.2.0-4.el5.x86_64.rpm
nss-debuginfo-3.12.2.0-4.el5.i386.rpm
nss-debuginfo-3.12.2.0-4.el5.x86_64.rpm
nss-devel-3.12.2.0-4.el5.i386.rpm
nss-devel-3.12.2.0-4.el5.x86_64.rpm
nss-pkcs11-devel-3.12.2.0-4.el5.i386.rpm
nss-pkcs11-devel-3.12.2.0-4.el5.x86_64.rpm
nss-tools-3.12.2.0-4.el5.x86_64.rpm
xulrunner-1.9.0.6-1.el5.i386.rpm
xulrunner-1.9.0.6-1.el5.x86_64.rpm
xulrunner-debuginfo-1.9.0.6-1.el5.i386.rpm
xulrunner-debuginfo-1.9.0.6-1.el5.x86_64.rpm
xulrunner-devel-1.9.0.6-1.el5.i386.rpm
xulrunner-devel-1.9.0.6-1.el5.x86_64.rpm
xulrunner-devel-unstable-1.9.0.6-1.el5.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0352
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0353
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0354
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0355
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0356
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0357
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0358
http://www.redhat.com/security/updates/classification/#critical
http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.6

8. Contact:

The Red Hat security contact is .  More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFJiVseXlSAg2UNWIIRAtPLAJ9fN011qHBizT0ivksluLtAOR9UhACfcQJI
18bK5CaI7eaijHuuKOQ6Dws=
=MydX
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Wed Feb  4 09:48:25 2009
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 4 Feb 2009 04:48:25 -0500
Subject: [RHSA-2009:0257-01] Critical: seamonkey security update
Message-ID: <200902040948.n149mQCD009762@int-mx1.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: seamonkey security update
Advisory ID:       RHSA-2009:0257-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2009-0257.html
Issue date:        2009-02-04
CVE Names:         CVE-2009-0352 CVE-2009-0353 CVE-2009-0355 CVE-2009-0357
=====================================================================

1. Summary:

Updated seamonkey packages that fix security issues are now available for
Red Hat Enterprise Linux 2.1, 3, and 4.

This update has been rated as having critical security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64
Red Hat Linux Advanced Workstation 2.1 - ia64
Red Hat Enterprise Linux ES version 2.1 - i386
Red Hat Enterprise Linux WS version 2.1 - i386
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

3. Description:

SeaMonkey is an open source Web browser, email and newsgroup client, IRC
chat client, and HTML editor.

Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause SeaMonkey to crash or,
potentially, execute arbitrary code as the user running SeaMonkey.
(CVE-2009-0352, CVE-2009-0353)

A flaw was found in the way malformed content was processed. A website
containing specially-crafted content could, potentially, trick a SeaMonkey
user into uploading a local file. (CVE-2009-0355)

A flaw was found in the way SeaMonkey treated HTTPOnly cookies. An attacker
able to execute arbitrary JavaScript on a target site using HTTPOnly
cookies may be able to use this flaw to steal the cookie. (CVE-2009-0357)

All SeaMonkey users should upgrade to these updated packages, which contain
backported patches that correct these issues. After installing the update,
SeaMonkey must be restarted for the changes to take effect.

4. Solution:

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

483139 - CVE-2009-0352 Firefox layout crashes with evidence of memory corruption
483141 - CVE-2009-0353 Firefox javascript crashes with evidence of memory corruption
483143 - CVE-2009-0355 Firefox local file stealing with SessionStore
483145 - CVE-2009-0357 Firefox XMLHttpRequest allows reading HTTPOnly cookies

6. Package List:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1:

Source:
ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/seamonkey-1.0.9-0.27.el2.src.rpm

i386:
seamonkey-1.0.9-0.27.el2.i386.rpm
seamonkey-chat-1.0.9-0.27.el2.i386.rpm
seamonkey-devel-1.0.9-0.27.el2.i386.rpm
seamonkey-dom-inspector-1.0.9-0.27.el2.i386.rpm
seamonkey-js-debugger-1.0.9-0.27.el2.i386.rpm
seamonkey-mail-1.0.9-0.27.el2.i386.rpm
seamonkey-nspr-1.0.9-0.27.el2.i386.rpm
seamonkey-nspr-devel-1.0.9-0.27.el2.i386.rpm
seamonkey-nss-1.0.9-0.27.el2.i386.rpm
seamonkey-nss-devel-1.0.9-0.27.el2.i386.rpm

ia64:
seamonkey-1.0.9-0.27.el2.ia64.rpm
seamonkey-chat-1.0.9-0.27.el2.ia64.rpm
seamonkey-devel-1.0.9-0.27.el2.ia64.rpm
seamonkey-dom-inspector-1.0.9-0.27.el2.ia64.rpm
seamonkey-js-debugger-1.0.9-0.27.el2.ia64.rpm
seamonkey-mail-1.0.9-0.27.el2.ia64.rpm
seamonkey-nspr-1.0.9-0.27.el2.ia64.rpm
seamonkey-nspr-devel-1.0.9-0.27.el2.ia64.rpm
seamonkey-nss-1.0.9-0.27.el2.ia64.rpm
seamonkey-nss-devel-1.0.9-0.27.el2.ia64.rpm

Red Hat Linux Advanced Workstation 2.1:

Source:
ftp://updates.redhat.com/enterprise/2.1AW/en/os/SRPMS/seamonkey-1.0.9-0.27.el2.src.rpm

ia64:
seamonkey-1.0.9-0.27.el2.ia64.rpm
seamonkey-chat-1.0.9-0.27.el2.ia64.rpm
seamonkey-devel-1.0.9-0.27.el2.ia64.rpm
seamonkey-dom-inspector-1.0.9-0.27.el2.ia64.rpm
seamonkey-js-debugger-1.0.9-0.27.el2.ia64.rpm
seamonkey-mail-1.0.9-0.27.el2.ia64.rpm
seamonkey-nspr-1.0.9-0.27.el2.ia64.rpm
seamonkey-nspr-devel-1.0.9-0.27.el2.ia64.rpm
seamonkey-nss-1.0.9-0.27.el2.ia64.rpm
seamonkey-nss-devel-1.0.9-0.27.el2.ia64.rpm

Red Hat Enterprise Linux ES version 2.1:

Source:
ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/seamonkey-1.0.9-0.27.el2.src.rpm

i386:
seamonkey-1.0.9-0.27.el2.i386.rpm
seamonkey-chat-1.0.9-0.27.el2.i386.rpm
seamonkey-devel-1.0.9-0.27.el2.i386.rpm
seamonkey-dom-inspector-1.0.9-0.27.el2.i386.rpm
seamonkey-js-debugger-1.0.9-0.27.el2.i386.rpm
seamonkey-mail-1.0.9-0.27.el2.i386.rpm
seamonkey-nspr-1.0.9-0.27.el2.i386.rpm
seamonkey-nspr-devel-1.0.9-0.27.el2.i386.rpm
seamonkey-nss-1.0.9-0.27.el2.i386.rpm
seamonkey-nss-devel-1.0.9-0.27.el2.i386.rpm

Red Hat Enterprise Linux WS version 2.1:

Source:
ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/seamonkey-1.0.9-0.27.el2.src.rpm

i386:
seamonkey-1.0.9-0.27.el2.i386.rpm
seamonkey-chat-1.0.9-0.27.el2.i386.rpm
seamonkey-devel-1.0.9-0.27.el2.i386.rpm
seamonkey-dom-inspector-1.0.9-0.27.el2.i386.rpm
seamonkey-js-debugger-1.0.9-0.27.el2.i386.rpm
seamonkey-mail-1.0.9-0.27.el2.i386.rpm
seamonkey-nspr-1.0.9-0.27.el2.i386.rpm
seamonkey-nspr-devel-1.0.9-0.27.el2.i386.rpm
seamonkey-nss-1.0.9-0.27.el2.i386.rpm
seamonkey-nss-devel-1.0.9-0.27.el2.i386.rpm

Red Hat Enterprise Linux AS version 3:

Source:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/seamonkey-1.0.9-0.32.el3.src.rpm

i386:
seamonkey-1.0.9-0.32.el3.i386.rpm
seamonkey-chat-1.0.9-0.32.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.32.el3.i386.rpm
seamonkey-devel-1.0.9-0.32.el3.i386.rpm
seamonkey-dom-inspector-1.0.9-0.32.el3.i386.rpm
seamonkey-js-debugger-1.0.9-0.32.el3.i386.rpm
seamonkey-mail-1.0.9-0.32.el3.i386.rpm
seamonkey-nspr-1.0.9-0.32.el3.i386.rpm
seamonkey-nspr-devel-1.0.9-0.32.el3.i386.rpm
seamonkey-nss-1.0.9-0.32.el3.i386.rpm
seamonkey-nss-devel-1.0.9-0.32.el3.i386.rpm

ia64:
seamonkey-1.0.9-0.32.el3.ia64.rpm
seamonkey-chat-1.0.9-0.32.el3.ia64.rpm
seamonkey-debuginfo-1.0.9-0.32.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.32.el3.ia64.rpm
seamonkey-devel-1.0.9-0.32.el3.ia64.rpm
seamonkey-dom-inspector-1.0.9-0.32.el3.ia64.rpm
seamonkey-js-debugger-1.0.9-0.32.el3.ia64.rpm
seamonkey-mail-1.0.9-0.32.el3.ia64.rpm
seamonkey-nspr-1.0.9-0.32.el3.i386.rpm
seamonkey-nspr-1.0.9-0.32.el3.ia64.rpm
seamonkey-nspr-devel-1.0.9-0.32.el3.ia64.rpm
seamonkey-nss-1.0.9-0.32.el3.i386.rpm
seamonkey-nss-1.0.9-0.32.el3.ia64.rpm
seamonkey-nss-devel-1.0.9-0.32.el3.ia64.rpm

ppc:
seamonkey-1.0.9-0.32.el3.ppc.rpm
seamonkey-chat-1.0.9-0.32.el3.ppc.rpm
seamonkey-debuginfo-1.0.9-0.32.el3.ppc.rpm
seamonkey-devel-1.0.9-0.32.el3.ppc.rpm
seamonkey-dom-inspector-1.0.9-0.32.el3.ppc.rpm
seamonkey-js-debugger-1.0.9-0.32.el3.ppc.rpm
seamonkey-mail-1.0.9-0.32.el3.ppc.rpm
seamonkey-nspr-1.0.9-0.32.el3.ppc.rpm
seamonkey-nspr-devel-1.0.9-0.32.el3.ppc.rpm
seamonkey-nss-1.0.9-0.32.el3.ppc.rpm
seamonkey-nss-devel-1.0.9-0.32.el3.ppc.rpm

s390:
seamonkey-1.0.9-0.32.el3.s390.rpm
seamonkey-chat-1.0.9-0.32.el3.s390.rpm
seamonkey-debuginfo-1.0.9-0.32.el3.s390.rpm
seamonkey-devel-1.0.9-0.32.el3.s390.rpm
seamonkey-dom-inspector-1.0.9-0.32.el3.s390.rpm
seamonkey-js-debugger-1.0.9-0.32.el3.s390.rpm
seamonkey-mail-1.0.9-0.32.el3.s390.rpm
seamonkey-nspr-1.0.9-0.32.el3.s390.rpm
seamonkey-nspr-devel-1.0.9-0.32.el3.s390.rpm
seamonkey-nss-1.0.9-0.32.el3.s390.rpm
seamonkey-nss-devel-1.0.9-0.32.el3.s390.rpm

s390x:
seamonkey-1.0.9-0.32.el3.s390x.rpm
seamonkey-chat-1.0.9-0.32.el3.s390x.rpm
seamonkey-debuginfo-1.0.9-0.32.el3.s390.rpm
seamonkey-debuginfo-1.0.9-0.32.el3.s390x.rpm
seamonkey-devel-1.0.9-0.32.el3.s390x.rpm
seamonkey-dom-inspector-1.0.9-0.32.el3.s390x.rpm
seamonkey-js-debugger-1.0.9-0.32.el3.s390x.rpm
seamonkey-mail-1.0.9-0.32.el3.s390x.rpm
seamonkey-nspr-1.0.9-0.32.el3.s390.rpm
seamonkey-nspr-1.0.9-0.32.el3.s390x.rpm
seamonkey-nspr-devel-1.0.9-0.32.el3.s390x.rpm
seamonkey-nss-1.0.9-0.32.el3.s390.rpm
seamonkey-nss-1.0.9-0.32.el3.s390x.rpm
seamonkey-nss-devel-1.0.9-0.32.el3.s390x.rpm

x86_64:
seamonkey-1.0.9-0.32.el3.i386.rpm
seamonkey-1.0.9-0.32.el3.x86_64.rpm
seamonkey-chat-1.0.9-0.32.el3.x86_64.rpm
seamonkey-debuginfo-1.0.9-0.32.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.32.el3.x86_64.rpm
seamonkey-devel-1.0.9-0.32.el3.x86_64.rpm
seamonkey-dom-inspector-1.0.9-0.32.el3.x86_64.rpm
seamonkey-js-debugger-1.0.9-0.32.el3.x86_64.rpm
seamonkey-mail-1.0.9-0.32.el3.x86_64.rpm
seamonkey-nspr-1.0.9-0.32.el3.i386.rpm
seamonkey-nspr-1.0.9-0.32.el3.x86_64.rpm
seamonkey-nspr-devel-1.0.9-0.32.el3.x86_64.rpm
seamonkey-nss-1.0.9-0.32.el3.i386.rpm
seamonkey-nss-1.0.9-0.32.el3.x86_64.rpm
seamonkey-nss-devel-1.0.9-0.32.el3.x86_64.rpm

Red Hat Desktop version 3:

Source:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/seamonkey-1.0.9-0.32.el3.src.rpm

i386:
seamonkey-1.0.9-0.32.el3.i386.rpm
seamonkey-chat-1.0.9-0.32.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.32.el3.i386.rpm
seamonkey-devel-1.0.9-0.32.el3.i386.rpm
seamonkey-dom-inspector-1.0.9-0.32.el3.i386.rpm
seamonkey-js-debugger-1.0.9-0.32.el3.i386.rpm
seamonkey-mail-1.0.9-0.32.el3.i386.rpm
seamonkey-nspr-1.0.9-0.32.el3.i386.rpm
seamonkey-nspr-devel-1.0.9-0.32.el3.i386.rpm
seamonkey-nss-1.0.9-0.32.el3.i386.rpm
seamonkey-nss-devel-1.0.9-0.32.el3.i386.rpm

x86_64:
seamonkey-1.0.9-0.32.el3.i386.rpm
seamonkey-1.0.9-0.32.el3.x86_64.rpm
seamonkey-chat-1.0.9-0.32.el3.x86_64.rpm
seamonkey-debuginfo-1.0.9-0.32.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.32.el3.x86_64.rpm
seamonkey-devel-1.0.9-0.32.el3.x86_64.rpm
seamonkey-dom-inspector-1.0.9-0.32.el3.x86_64.rpm
seamonkey-js-debugger-1.0.9-0.32.el3.x86_64.rpm
seamonkey-mail-1.0.9-0.32.el3.x86_64.rpm
seamonkey-nspr-1.0.9-0.32.el3.i386.rpm
seamonkey-nspr-1.0.9-0.32.el3.x86_64.rpm
seamonkey-nspr-devel-1.0.9-0.32.el3.x86_64.rpm
seamonkey-nss-1.0.9-0.32.el3.i386.rpm
seamonkey-nss-1.0.9-0.32.el3.x86_64.rpm
seamonkey-nss-devel-1.0.9-0.32.el3.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

Source:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/seamonkey-1.0.9-0.32.el3.src.rpm

i386:
seamonkey-1.0.9-0.32.el3.i386.rpm
seamonkey-chat-1.0.9-0.32.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.32.el3.i386.rpm
seamonkey-devel-1.0.9-0.32.el3.i386.rpm
seamonkey-dom-inspector-1.0.9-0.32.el3.i386.rpm
seamonkey-js-debugger-1.0.9-0.32.el3.i386.rpm
seamonkey-mail-1.0.9-0.32.el3.i386.rpm
seamonkey-nspr-1.0.9-0.32.el3.i386.rpm
seamonkey-nspr-devel-1.0.9-0.32.el3.i386.rpm
seamonkey-nss-1.0.9-0.32.el3.i386.rpm
seamonkey-nss-devel-1.0.9-0.32.el3.i386.rpm

ia64:
seamonkey-1.0.9-0.32.el3.ia64.rpm
seamonkey-chat-1.0.9-0.32.el3.ia64.rpm
seamonkey-debuginfo-1.0.9-0.32.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.32.el3.ia64.rpm
seamonkey-devel-1.0.9-0.32.el3.ia64.rpm
seamonkey-dom-inspector-1.0.9-0.32.el3.ia64.rpm
seamonkey-js-debugger-1.0.9-0.32.el3.ia64.rpm
seamonkey-mail-1.0.9-0.32.el3.ia64.rpm
seamonkey-nspr-1.0.9-0.32.el3.i386.rpm
seamonkey-nspr-1.0.9-0.32.el3.ia64.rpm
seamonkey-nspr-devel-1.0.9-0.32.el3.ia64.rpm
seamonkey-nss-1.0.9-0.32.el3.i386.rpm
seamonkey-nss-1.0.9-0.32.el3.ia64.rpm
seamonkey-nss-devel-1.0.9-0.32.el3.ia64.rpm

x86_64:
seamonkey-1.0.9-0.32.el3.i386.rpm
seamonkey-1.0.9-0.32.el3.x86_64.rpm
seamonkey-chat-1.0.9-0.32.el3.x86_64.rpm
seamonkey-debuginfo-1.0.9-0.32.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.32.el3.x86_64.rpm
seamonkey-devel-1.0.9-0.32.el3.x86_64.rpm
seamonkey-dom-inspector-1.0.9-0.32.el3.x86_64.rpm
seamonkey-js-debugger-1.0.9-0.32.el3.x86_64.rpm
seamonkey-mail-1.0.9-0.32.el3.x86_64.rpm
seamonkey-nspr-1.0.9-0.32.el3.i386.rpm
seamonkey-nspr-1.0.9-0.32.el3.x86_64.rpm
seamonkey-nspr-devel-1.0.9-0.32.el3.x86_64.rpm
seamonkey-nss-1.0.9-0.32.el3.i386.rpm
seamonkey-nss-1.0.9-0.32.el3.x86_64.rpm
seamonkey-nss-devel-1.0.9-0.32.el3.x86_64.rpm

Red Hat Enterprise Linux WS version 3:

Source:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/seamonkey-1.0.9-0.32.el3.src.rpm

i386:
seamonkey-1.0.9-0.32.el3.i386.rpm
seamonkey-chat-1.0.9-0.32.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.32.el3.i386.rpm
seamonkey-devel-1.0.9-0.32.el3.i386.rpm
seamonkey-dom-inspector-1.0.9-0.32.el3.i386.rpm
seamonkey-js-debugger-1.0.9-0.32.el3.i386.rpm
seamonkey-mail-1.0.9-0.32.el3.i386.rpm
seamonkey-nspr-1.0.9-0.32.el3.i386.rpm
seamonkey-nspr-devel-1.0.9-0.32.el3.i386.rpm
seamonkey-nss-1.0.9-0.32.el3.i386.rpm
seamonkey-nss-devel-1.0.9-0.32.el3.i386.rpm

ia64:
seamonkey-1.0.9-0.32.el3.ia64.rpm
seamonkey-chat-1.0.9-0.32.el3.ia64.rpm
seamonkey-debuginfo-1.0.9-0.32.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.32.el3.ia64.rpm
seamonkey-devel-1.0.9-0.32.el3.ia64.rpm
seamonkey-dom-inspector-1.0.9-0.32.el3.ia64.rpm
seamonkey-js-debugger-1.0.9-0.32.el3.ia64.rpm
seamonkey-mail-1.0.9-0.32.el3.ia64.rpm
seamonkey-nspr-1.0.9-0.32.el3.i386.rpm
seamonkey-nspr-1.0.9-0.32.el3.ia64.rpm
seamonkey-nspr-devel-1.0.9-0.32.el3.ia64.rpm
seamonkey-nss-1.0.9-0.32.el3.i386.rpm
seamonkey-nss-1.0.9-0.32.el3.ia64.rpm
seamonkey-nss-devel-1.0.9-0.32.el3.ia64.rpm

x86_64:
seamonkey-1.0.9-0.32.el3.i386.rpm
seamonkey-1.0.9-0.32.el3.x86_64.rpm
seamonkey-chat-1.0.9-0.32.el3.x86_64.rpm
seamonkey-debuginfo-1.0.9-0.32.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.32.el3.x86_64.rpm
seamonkey-devel-1.0.9-0.32.el3.x86_64.rpm
seamonkey-dom-inspector-1.0.9-0.32.el3.x86_64.rpm
seamonkey-js-debugger-1.0.9-0.32.el3.x86_64.rpm
seamonkey-mail-1.0.9-0.32.el3.x86_64.rpm
seamonkey-nspr-1.0.9-0.32.el3.i386.rpm
seamonkey-nspr-1.0.9-0.32.el3.x86_64.rpm
seamonkey-nspr-devel-1.0.9-0.32.el3.x86_64.rpm
seamonkey-nss-1.0.9-0.32.el3.i386.rpm
seamonkey-nss-1.0.9-0.32.el3.x86_64.rpm
seamonkey-nss-devel-1.0.9-0.32.el3.x86_64.rpm

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/seamonkey-1.0.9-35.el4.src.rpm

i386:
seamonkey-1.0.9-35.el4.i386.rpm
seamonkey-chat-1.0.9-35.el4.i386.rpm
seamonkey-debuginfo-1.0.9-35.el4.i386.rpm
seamonkey-devel-1.0.9-35.el4.i386.rpm
seamonkey-dom-inspector-1.0.9-35.el4.i386.rpm
seamonkey-js-debugger-1.0.9-35.el4.i386.rpm
seamonkey-mail-1.0.9-35.el4.i386.rpm

ia64:
seamonkey-1.0.9-35.el4.ia64.rpm
seamonkey-chat-1.0.9-35.el4.ia64.rpm
seamonkey-debuginfo-1.0.9-35.el4.ia64.rpm
seamonkey-devel-1.0.9-35.el4.ia64.rpm
seamonkey-dom-inspector-1.0.9-35.el4.ia64.rpm
seamonkey-js-debugger-1.0.9-35.el4.ia64.rpm
seamonkey-mail-1.0.9-35.el4.ia64.rpm

ppc:
seamonkey-1.0.9-35.el4.ppc.rpm
seamonkey-chat-1.0.9-35.el4.ppc.rpm
seamonkey-debuginfo-1.0.9-35.el4.ppc.rpm
seamonkey-devel-1.0.9-35.el4.ppc.rpm
seamonkey-dom-inspector-1.0.9-35.el4.ppc.rpm
seamonkey-js-debugger-1.0.9-35.el4.ppc.rpm
seamonkey-mail-1.0.9-35.el4.ppc.rpm

s390:
seamonkey-1.0.9-35.el4.s390.rpm
seamonkey-chat-1.0.9-35.el4.s390.rpm
seamonkey-debuginfo-1.0.9-35.el4.s390.rpm
seamonkey-devel-1.0.9-35.el4.s390.rpm
seamonkey-dom-inspector-1.0.9-35.el4.s390.rpm
seamonkey-js-debugger-1.0.9-35.el4.s390.rpm
seamonkey-mail-1.0.9-35.el4.s390.rpm

s390x:
seamonkey-1.0.9-35.el4.s390x.rpm
seamonkey-chat-1.0.9-35.el4.s390x.rpm
seamonkey-debuginfo-1.0.9-35.el4.s390x.rpm
seamonkey-devel-1.0.9-35.el4.s390x.rpm
seamonkey-dom-inspector-1.0.9-35.el4.s390x.rpm
seamonkey-js-debugger-1.0.9-35.el4.s390x.rpm
seamonkey-mail-1.0.9-35.el4.s390x.rpm

x86_64:
seamonkey-1.0.9-35.el4.x86_64.rpm
seamonkey-chat-1.0.9-35.el4.x86_64.rpm
seamonkey-debuginfo-1.0.9-35.el4.x86_64.rpm
seamonkey-devel-1.0.9-35.el4.x86_64.rpm
seamonkey-dom-inspector-1.0.9-35.el4.x86_64.rpm
seamonkey-js-debugger-1.0.9-35.el4.x86_64.rpm
seamonkey-mail-1.0.9-35.el4.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/seamonkey-1.0.9-35.el4.src.rpm

i386:
seamonkey-1.0.9-35.el4.i386.rpm
seamonkey-chat-1.0.9-35.el4.i386.rpm
seamonkey-debuginfo-1.0.9-35.el4.i386.rpm
seamonkey-devel-1.0.9-35.el4.i386.rpm
seamonkey-dom-inspector-1.0.9-35.el4.i386.rpm
seamonkey-js-debugger-1.0.9-35.el4.i386.rpm
seamonkey-mail-1.0.9-35.el4.i386.rpm

x86_64:
seamonkey-1.0.9-35.el4.x86_64.rpm
seamonkey-chat-1.0.9-35.el4.x86_64.rpm
seamonkey-debuginfo-1.0.9-35.el4.x86_64.rpm
seamonkey-devel-1.0.9-35.el4.x86_64.rpm
seamonkey-dom-inspector-1.0.9-35.el4.x86_64.rpm
seamonkey-js-debugger-1.0.9-35.el4.x86_64.rpm
seamonkey-mail-1.0.9-35.el4.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/seamonkey-1.0.9-35.el4.src.rpm

i386:
seamonkey-1.0.9-35.el4.i386.rpm
seamonkey-chat-1.0.9-35.el4.i386.rpm
seamonkey-debuginfo-1.0.9-35.el4.i386.rpm
seamonkey-devel-1.0.9-35.el4.i386.rpm
seamonkey-dom-inspector-1.0.9-35.el4.i386.rpm
seamonkey-js-debugger-1.0.9-35.el4.i386.rpm
seamonkey-mail-1.0.9-35.el4.i386.rpm

ia64:
seamonkey-1.0.9-35.el4.ia64.rpm
seamonkey-chat-1.0.9-35.el4.ia64.rpm
seamonkey-debuginfo-1.0.9-35.el4.ia64.rpm
seamonkey-devel-1.0.9-35.el4.ia64.rpm
seamonkey-dom-inspector-1.0.9-35.el4.ia64.rpm
seamonkey-js-debugger-1.0.9-35.el4.ia64.rpm
seamonkey-mail-1.0.9-35.el4.ia64.rpm

x86_64:
seamonkey-1.0.9-35.el4.x86_64.rpm
seamonkey-chat-1.0.9-35.el4.x86_64.rpm
seamonkey-debuginfo-1.0.9-35.el4.x86_64.rpm
seamonkey-devel-1.0.9-35.el4.x86_64.rpm
seamonkey-dom-inspector-1.0.9-35.el4.x86_64.rpm
seamonkey-js-debugger-1.0.9-35.el4.x86_64.rpm
seamonkey-mail-1.0.9-35.el4.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/seamonkey-1.0.9-35.el4.src.rpm

i386:
seamonkey-1.0.9-35.el4.i386.rpm
seamonkey-chat-1.0.9-35.el4.i386.rpm
seamonkey-debuginfo-1.0.9-35.el4.i386.rpm
seamonkey-devel-1.0.9-35.el4.i386.rpm
seamonkey-dom-inspector-1.0.9-35.el4.i386.rpm
seamonkey-js-debugger-1.0.9-35.el4.i386.rpm
seamonkey-mail-1.0.9-35.el4.i386.rpm

ia64:
seamonkey-1.0.9-35.el4.ia64.rpm
seamonkey-chat-1.0.9-35.el4.ia64.rpm
seamonkey-debuginfo-1.0.9-35.el4.ia64.rpm
seamonkey-devel-1.0.9-35.el4.ia64.rpm
seamonkey-dom-inspector-1.0.9-35.el4.ia64.rpm
seamonkey-js-debugger-1.0.9-35.el4.ia64.rpm
seamonkey-mail-1.0.9-35.el4.ia64.rpm

x86_64:
seamonkey-1.0.9-35.el4.x86_64.rpm
seamonkey-chat-1.0.9-35.el4.x86_64.rpm
seamonkey-debuginfo-1.0.9-35.el4.x86_64.rpm
seamonkey-devel-1.0.9-35.el4.x86_64.rpm
seamonkey-dom-inspector-1.0.9-35.el4.x86_64.rpm
seamonkey-js-debugger-1.0.9-35.el4.x86_64.rpm
seamonkey-mail-1.0.9-35.el4.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0352
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0353
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0355
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0357
http://www.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is .  More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFJiWRSXlSAg2UNWIIRAqbtAJ9W4P5unULqLi1OiW8q58VD67HeeACfbX5r
caEDmqfIgMYORHB+zY//F/U=
=PMXU
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Wed Feb  4 15:11:31 2009
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 4 Feb 2009 10:11:31 -0500
Subject: [RHSA-2009:0053-01] Important: kernel-rt security and bug fix update
Message-ID: <200902041511.n14FBWlj022904@int-mx1.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: kernel-rt security and bug fix update
Advisory ID:       RHSA-2009:0053-01
Product:           Red Hat Enterprise MRG for RHEL-5
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2009-0053.html
Issue date:        2009-02-04
CVE Names:         CVE-2008-5079 CVE-2008-5134 CVE-2008-5182 CVE-2008-5300
                   CVE-2008-5700 CVE-2009-0065
=====================================================================

1. Summary:

Updated kernel packages that fix several security issues and several bugs
are now available for Red Hat Enterprise MRG 1.1.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

MRG Realtime for RHEL 5 Server - i386, noarch, x86_64

3. Description:

The kernel packages contain the Linux kernel, the core of any Linux
operating system.
These updated packages address the following security issues: * a flaw was found in the Asynchronous Transfer Mode (ATM) subsystem. A local, unprivileged user could use the flaw to listen on the same socket more than once, possibly causing a denial of service. (CVE-2008-5079, Important) * a buffer overflow flaw was found in the libertas driver. This could, potentially, lead to a remote denial of service when an invalid beacon or probe response was received. (CVE-2008-5134, Important) * a race condition was found in the Linux kernel "inotify" watch removal and umount implementation. This could allow a local, unprivileged user to cause a privilege escalation or a denial of service. (CVE-2008-5182, Important) * the sendmsg() function in the Linux kernel did not block during UNIX socket garbage collection. This could, potentially, lead to a local denial of service. (CVE-2008-5300, Important) * a buffer overflow was found in the Linux kernel Partial Reliable Stream Control Transmission Protocol (PR-SCTP) implementation. This could, potentially, lead to a denial of service if a Forward-TSN chunk is received with a large stream ID. (CVE-2009-0065, Important) * a deficiency was found in the libATA implementation. This could, potentially, lead to a denial of service. By default, the "/dev/sg*" devices are accessible only to the root user. (CVE-2008-5700, Low) These updated packages also address numerous bugs, including the following: * a race condition caused the timer to stop responding. This was fixed by correcting the behavior of the alloc_posix_timer() function. * the kernel was behaving differently for varying file capabilities. This was resolved by ensuring the get_file_caps() function was preceded by clearing bprm->caps_*. * a check was included on the limit of the shadow.bytes array, to prevent value outside the limits being written and over riding other data areas. * the kernel-rt-2.6.24.7-81.el5rt kernel displayed a warning on boot stating that the hwclock failed. 
This was due to a compatibility problem with the Red Hat Enterprise Linux 5 file system. It was resolved by adding a new udev rule that ensured /dev was set up correctly. * the GPS clock daemon was becoming unstable due to a problem in adjtimex. The issue was located and corrected. * the events_trace tracer was providing bad parameters to syscalls on i386 machines. This was due to the sys_call interface needing to use the assembly linked annotation and the edx register being used before it was stored on the stack. Both these issues were corrected. All Red Hat Enterprise MRG users should install this update which addresses these vulnerabilities and fixes these bugs. For this update to take effect, the system must be rebooted. 4. Solution: Before applying this update, make sure that all previously-released errata relevant to your system have been applied. This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259 5. Bugs fixed (http://bugzilla.redhat.com/): 470758 - kernel: file caps: always start with clear bprm->caps_* 470761 - CVE-2008-5134 kernel: libertas: fix buffer overrun 471835 - kernel: V4L/DVB (9621): Avoid writing outside shadow.bytes[] array 472277 - CRM 1871016 adjtimex causing instability on GPS clock daemon 472325 - CVE-2008-5182 kernel: fix inotify watch removal/umount races 473259 - CVE-2008-5300 kernel: fix soft lockups/OOM issues with unix socket garbage collector 473696 - CVE-2008-5079 Linux Kernel 'atm module' Local Denial of Service 474495 - CVE-2008-5700 kernel: enforce a minimum SG_IO timeout 474683 - event trace syscall on i386 has bogus parameters 478800 - CVE-2009-0065 kernel: sctp: memory overflow when FWD-TSN chunk is received with bad stream ID 6. 
Package List: MRG Realtime for RHEL 5 Server: Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/kernel-rt-2.6.24.7-101.el5rt.src.rpm i386: kernel-rt-2.6.24.7-101.el5rt.i686.rpm kernel-rt-debug-2.6.24.7-101.el5rt.i686.rpm kernel-rt-debug-debuginfo-2.6.24.7-101.el5rt.i686.rpm kernel-rt-debug-devel-2.6.24.7-101.el5rt.i686.rpm kernel-rt-debuginfo-2.6.24.7-101.el5rt.i686.rpm kernel-rt-debuginfo-common-2.6.24.7-101.el5rt.i686.rpm kernel-rt-devel-2.6.24.7-101.el5rt.i686.rpm kernel-rt-trace-2.6.24.7-101.el5rt.i686.rpm kernel-rt-trace-debuginfo-2.6.24.7-101.el5rt.i686.rpm kernel-rt-trace-devel-2.6.24.7-101.el5rt.i686.rpm kernel-rt-vanilla-2.6.24.7-101.el5rt.i686.rpm kernel-rt-vanilla-debuginfo-2.6.24.7-101.el5rt.i686.rpm kernel-rt-vanilla-devel-2.6.24.7-101.el5rt.i686.rpm noarch: kernel-rt-doc-2.6.24.7-101.el5rt.noarch.rpm x86_64: kernel-rt-2.6.24.7-101.el5rt.x86_64.rpm kernel-rt-debug-2.6.24.7-101.el5rt.x86_64.rpm kernel-rt-debug-debuginfo-2.6.24.7-101.el5rt.x86_64.rpm kernel-rt-debug-devel-2.6.24.7-101.el5rt.x86_64.rpm kernel-rt-debuginfo-2.6.24.7-101.el5rt.x86_64.rpm kernel-rt-debuginfo-common-2.6.24.7-101.el5rt.x86_64.rpm kernel-rt-devel-2.6.24.7-101.el5rt.x86_64.rpm kernel-rt-trace-2.6.24.7-101.el5rt.x86_64.rpm kernel-rt-trace-debuginfo-2.6.24.7-101.el5rt.x86_64.rpm kernel-rt-trace-devel-2.6.24.7-101.el5rt.x86_64.rpm kernel-rt-vanilla-2.6.24.7-101.el5rt.x86_64.rpm kernel-rt-vanilla-debuginfo-2.6.24.7-101.el5rt.x86_64.rpm kernel-rt-vanilla-devel-2.6.24.7-101.el5rt.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package 7. 
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5079 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5134 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5182 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5300 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5700 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0065 http://www.redhat.com/security/updates/classification/#important http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_MRG/1.1/html/MRG_Release_Notes/ 8. Contact: The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/ Copyright 2009 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFJia/0XlSAg2UNWIIRAt9LAJ9gj1yDSvB09gzDHQasj6mZmLYIOwCgmNOz ukWV6dRFkPO4mAUbPPtd7u0= =a5ov -----END PGP SIGNATURE----- From bugzilla at redhat.com Thu Feb 5 16:22:28 2009 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 5 Feb 2009 11:22:28 -0500 Subject: [RHSA-2009:0267-01] Moderate: sudo security update Message-ID: <200902051622.n15GMTLA004443@int-mx1.corp.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: sudo security update Advisory ID: RHSA-2009:0267-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2009-0267.html Issue date: 2009-02-05 CVE Names: CVE-2009-0034 ===================================================================== 1. Summary: An updated sudo package to fix a security issue is now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64 3. 
Description: The sudo (superuser do) utility allows system administrators to give certain users the ability to run commands as root with logging. A flaw was discovered in a way sudo handled group specifications in "run as" lists in the sudoers configuration file. If sudo configuration allowed a user to run commands as any user of some group and the user was also a member of that group, sudo incorrectly allowed them to run defined commands with the privileges of any system user. This gave the user unintended privileges. (CVE-2009-0034) Users of sudo should update to this updated package, which contains a backported patch to resolve this issue. 4. Solution: Before applying this update, make sure that all previously-released errata relevant to your system have been applied. This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259 5. Bugs fixed (http://bugzilla.redhat.com/): 481720 - CVE-2009-0034 sudo: incorrect handling of groups in Runas_User 6. Package List: Red Hat Enterprise Linux Desktop (v. 5 client): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/sudo-1.6.9p17-3.el5_3.1.src.rpm i386: sudo-1.6.9p17-3.el5_3.1.i386.rpm sudo-debuginfo-1.6.9p17-3.el5_3.1.i386.rpm x86_64: sudo-1.6.9p17-3.el5_3.1.x86_64.rpm sudo-debuginfo-1.6.9p17-3.el5_3.1.x86_64.rpm Red Hat Enterprise Linux (v. 
5 server): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/sudo-1.6.9p17-3.el5_3.1.src.rpm i386: sudo-1.6.9p17-3.el5_3.1.i386.rpm sudo-debuginfo-1.6.9p17-3.el5_3.1.i386.rpm ia64: sudo-1.6.9p17-3.el5_3.1.ia64.rpm sudo-debuginfo-1.6.9p17-3.el5_3.1.ia64.rpm ppc: sudo-1.6.9p17-3.el5_3.1.ppc.rpm sudo-debuginfo-1.6.9p17-3.el5_3.1.ppc.rpm s390x: sudo-1.6.9p17-3.el5_3.1.s390x.rpm sudo-debuginfo-1.6.9p17-3.el5_3.1.s390x.rpm x86_64: sudo-1.6.9p17-3.el5_3.1.x86_64.rpm sudo-debuginfo-1.6.9p17-3.el5_3.1.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package 7. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0034 http://www.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/ Copyright 2009 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFJixI6XlSAg2UNWIIRAg5jAJ40rzHZi2LyUDTRnHrQc/0HIvVOpwCeMo5L DEqgF36XM+F/0g79dL5MV4k= =1MjX -----END PGP SIGNATURE----- From bugzilla at redhat.com Fri Feb 6 13:00:00 2009 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Fri, 6 Feb 2009 08:00:00 -0500 Subject: [RHSA-2009:0269-01] Important: gstreamer-plugins security update Message-ID: <200902061300.n16D01bx022787@int-mx1.corp.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: gstreamer-plugins security update Advisory ID: RHSA-2009:0269-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2009-0269.html Issue date: 2009-02-06 CVE Names: CVE-2009-0398 ===================================================================== 1. 
Summary: Updated gstreamer-plugins packages that fix one security issue are now available for Red Hat Enterprise Linux 3. This update has been rated as having important security impact by the Red Hat Security Response Team. 2. Relevant releases/architectures: Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64 Red Hat Desktop version 3 - i386, x86_64 Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64 Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64 3. Description: The gstreamer-plugins package contains plug-ins used by the GStreamer streaming-media framework to support a wide variety of media types. An array indexing error was found in the GStreamer's QuickTime media file format decoding plug-in. An attacker could create a carefully-crafted QuickTime media .mov file that would cause an application using GStreamer to crash or, potentially, execute arbitrary code if played by a victim. (CVE-2009-0398) All users of gstreamer-plugins are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the update, all applications using GStreamer (such as nautilus-media) must be restarted for the changes to take effect. 4. Solution: Before applying this update, make sure that all previously-released errata relevant to your system have been applied. This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259 5. Bugs fixed (http://bugzilla.redhat.com/): 483740 - CVE-2009-0398 gstreamer-plugins: Array index error while parsing malformed QuickTime media files 6. 
Package List: Red Hat Enterprise Linux AS version 3: Source: ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/gstreamer-plugins-0.6.0-19.src.rpm i386: gstreamer-plugins-0.6.0-19.i386.rpm gstreamer-plugins-debuginfo-0.6.0-19.i386.rpm gstreamer-plugins-devel-0.6.0-19.i386.rpm ia64: gstreamer-plugins-0.6.0-19.ia64.rpm gstreamer-plugins-debuginfo-0.6.0-19.ia64.rpm gstreamer-plugins-devel-0.6.0-19.ia64.rpm ppc: gstreamer-plugins-0.6.0-19.ppc.rpm gstreamer-plugins-debuginfo-0.6.0-19.ppc.rpm gstreamer-plugins-devel-0.6.0-19.ppc.rpm s390: gstreamer-plugins-0.6.0-19.s390.rpm gstreamer-plugins-debuginfo-0.6.0-19.s390.rpm gstreamer-plugins-devel-0.6.0-19.s390.rpm s390x: gstreamer-plugins-0.6.0-19.s390x.rpm gstreamer-plugins-debuginfo-0.6.0-19.s390x.rpm gstreamer-plugins-devel-0.6.0-19.s390x.rpm x86_64: gstreamer-plugins-0.6.0-19.x86_64.rpm gstreamer-plugins-debuginfo-0.6.0-19.x86_64.rpm gstreamer-plugins-devel-0.6.0-19.x86_64.rpm Red Hat Desktop version 3: Source: ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/gstreamer-plugins-0.6.0-19.src.rpm i386: gstreamer-plugins-0.6.0-19.i386.rpm gstreamer-plugins-debuginfo-0.6.0-19.i386.rpm gstreamer-plugins-devel-0.6.0-19.i386.rpm x86_64: gstreamer-plugins-0.6.0-19.x86_64.rpm gstreamer-plugins-debuginfo-0.6.0-19.x86_64.rpm gstreamer-plugins-devel-0.6.0-19.x86_64.rpm Red Hat Enterprise Linux ES version 3: Source: ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/gstreamer-plugins-0.6.0-19.src.rpm i386: gstreamer-plugins-0.6.0-19.i386.rpm gstreamer-plugins-debuginfo-0.6.0-19.i386.rpm gstreamer-plugins-devel-0.6.0-19.i386.rpm ia64: gstreamer-plugins-0.6.0-19.ia64.rpm gstreamer-plugins-debuginfo-0.6.0-19.ia64.rpm gstreamer-plugins-devel-0.6.0-19.ia64.rpm x86_64: gstreamer-plugins-0.6.0-19.x86_64.rpm gstreamer-plugins-debuginfo-0.6.0-19.x86_64.rpm gstreamer-plugins-devel-0.6.0-19.x86_64.rpm Red Hat Enterprise Linux WS version 3: Source: ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/gstreamer-plugins-0.6.0-19.src.rpm 
i386: gstreamer-plugins-0.6.0-19.i386.rpm gstreamer-plugins-debuginfo-0.6.0-19.i386.rpm gstreamer-plugins-devel-0.6.0-19.i386.rpm ia64: gstreamer-plugins-0.6.0-19.ia64.rpm gstreamer-plugins-debuginfo-0.6.0-19.ia64.rpm gstreamer-plugins-devel-0.6.0-19.ia64.rpm x86_64: gstreamer-plugins-0.6.0-19.x86_64.rpm gstreamer-plugins-debuginfo-0.6.0-19.x86_64.rpm gstreamer-plugins-devel-0.6.0-19.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package 7. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0398 http://www.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/ Copyright 2009 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFJjDQRXlSAg2UNWIIRAkybAJ9liCAEwGkN4wL1QkJn21lr1cdGfQCgxH/+ otEOgt31/GZaRjwle7mygJ8= =MQig -----END PGP SIGNATURE----- From bugzilla at redhat.com Fri Feb 6 13:00:54 2009 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Fri, 6 Feb 2009 08:00:54 -0500 Subject: [RHSA-2009:0270-01] Important: gstreamer-plugins security update Message-ID: <200902061300.n16D0tmc024439@int-mx1.corp.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: gstreamer-plugins security update Advisory ID: RHSA-2009:0270-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2009-0270.html Issue date: 2009-02-06 CVE Names: CVE-2009-0397 ===================================================================== 1. Summary: Updated gstreamer-plugins packages that fix one security issue are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. 
2. Relevant releases/architectures: Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64 Red Hat Enterprise Linux Desktop version 4 - i386, x86_64 Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64 Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64 3. Description: The gstreamer-plugins package contains plugins used by the GStreamer streaming-media framework to support a wide variety of media types. A heap buffer overflow was found in the GStreamer's QuickTime media file format decoding plug-in. An attacker could create a carefully-crafted QuickTime media .mov file that would cause an application using GStreamer to crash or, potentially, execute arbitrary code if played by a victim. (CVE-2009-0397) All users of gstreamer-plugins are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the update, all applications using GStreamer (such as rhythmbox) must be restarted for the changes to take effect. 4. Solution: Before applying this update, make sure that all previously-released errata relevant to your system have been applied. This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259 5. Bugs fixed (http://bugzilla.redhat.com/): 481267 - CVE-2009-0397 gstreamer-plugins, gstreamer-plugins-good: heap-based buffer overflow while parsing malformed QuickTime media files via crafted Time-to-sample (stss) atom data 6. 
Package List: Red Hat Enterprise Linux AS version 4: Source: ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/gstreamer-plugins-0.8.5-1.EL.2.src.rpm i386: gstreamer-plugins-0.8.5-1.EL.2.i386.rpm gstreamer-plugins-debuginfo-0.8.5-1.EL.2.i386.rpm gstreamer-plugins-devel-0.8.5-1.EL.2.i386.rpm ia64: gstreamer-plugins-0.8.5-1.EL.2.ia64.rpm gstreamer-plugins-debuginfo-0.8.5-1.EL.2.ia64.rpm gstreamer-plugins-devel-0.8.5-1.EL.2.ia64.rpm ppc: gstreamer-plugins-0.8.5-1.EL.2.ppc.rpm gstreamer-plugins-debuginfo-0.8.5-1.EL.2.ppc.rpm gstreamer-plugins-devel-0.8.5-1.EL.2.ppc.rpm s390: gstreamer-plugins-0.8.5-1.EL.2.s390.rpm gstreamer-plugins-debuginfo-0.8.5-1.EL.2.s390.rpm gstreamer-plugins-devel-0.8.5-1.EL.2.s390.rpm s390x: gstreamer-plugins-0.8.5-1.EL.2.s390x.rpm gstreamer-plugins-debuginfo-0.8.5-1.EL.2.s390x.rpm gstreamer-plugins-devel-0.8.5-1.EL.2.s390x.rpm x86_64: gstreamer-plugins-0.8.5-1.EL.2.x86_64.rpm gstreamer-plugins-debuginfo-0.8.5-1.EL.2.x86_64.rpm gstreamer-plugins-devel-0.8.5-1.EL.2.x86_64.rpm Red Hat Enterprise Linux Desktop version 4: Source: ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/gstreamer-plugins-0.8.5-1.EL.2.src.rpm i386: gstreamer-plugins-0.8.5-1.EL.2.i386.rpm gstreamer-plugins-debuginfo-0.8.5-1.EL.2.i386.rpm gstreamer-plugins-devel-0.8.5-1.EL.2.i386.rpm x86_64: gstreamer-plugins-0.8.5-1.EL.2.x86_64.rpm gstreamer-plugins-debuginfo-0.8.5-1.EL.2.x86_64.rpm gstreamer-plugins-devel-0.8.5-1.EL.2.x86_64.rpm Red Hat Enterprise Linux ES version 4: Source: ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/gstreamer-plugins-0.8.5-1.EL.2.src.rpm i386: gstreamer-plugins-0.8.5-1.EL.2.i386.rpm gstreamer-plugins-debuginfo-0.8.5-1.EL.2.i386.rpm gstreamer-plugins-devel-0.8.5-1.EL.2.i386.rpm ia64: gstreamer-plugins-0.8.5-1.EL.2.ia64.rpm gstreamer-plugins-debuginfo-0.8.5-1.EL.2.ia64.rpm gstreamer-plugins-devel-0.8.5-1.EL.2.ia64.rpm x86_64: gstreamer-plugins-0.8.5-1.EL.2.x86_64.rpm gstreamer-plugins-debuginfo-0.8.5-1.EL.2.x86_64.rpm 
gstreamer-plugins-devel-0.8.5-1.EL.2.x86_64.rpm Red Hat Enterprise Linux WS version 4: Source: ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/gstreamer-plugins-0.8.5-1.EL.2.src.rpm i386: gstreamer-plugins-0.8.5-1.EL.2.i386.rpm gstreamer-plugins-debuginfo-0.8.5-1.EL.2.i386.rpm gstreamer-plugins-devel-0.8.5-1.EL.2.i386.rpm ia64: gstreamer-plugins-0.8.5-1.EL.2.ia64.rpm gstreamer-plugins-debuginfo-0.8.5-1.EL.2.ia64.rpm gstreamer-plugins-devel-0.8.5-1.EL.2.ia64.rpm x86_64: gstreamer-plugins-0.8.5-1.EL.2.x86_64.rpm gstreamer-plugins-debuginfo-0.8.5-1.EL.2.x86_64.rpm gstreamer-plugins-devel-0.8.5-1.EL.2.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package 7. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0397 http://www.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/ Copyright 2009 Red Hat, Inc. 
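The package lists in the advisories above name the fixed NAME-VERSION-RELEASE for each product; the check a practitioner runs is whether the installed build is at or beyond that. The following is an added example, not Red Hat tooling: it re-implements rpm's segment-wise version comparison so an `rpm -qa` inventory can be audited against the advisory filenames offline. The installed inventory in the block is constructed sample data, and epochs are assumed equal because none of the advisory filenames carry one.

```python
"""Audit installed RPM versions against the fixed versions in an advisory.

Added example, not Red Hat's own tooling.  It re-implements rpm's version
comparison (rpmvercmp) so it needs no librpm; the installed inventory below
is constructed sample data standing in for `rpm -qa` output, and epochs are
assumed equal because none of the advisory filenames carry one.
"""
import re

# Fixed package filenames taken from the advisories above
# (RHSA-2009:0267 sudo, RHSA-2009:0270 gstreamer-plugins, RHSA-2009:0053 kernel-rt).
ADVISORY_PACKAGES = [
    "sudo-1.6.9p17-3.el5_3.1.x86_64.rpm",
    "gstreamer-plugins-0.8.5-1.EL.2.x86_64.rpm",
    "kernel-rt-2.6.24.7-101.el5rt.x86_64.rpm",
]

# Constructed stand-in for `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'`.
SAMPLE_INSTALLED = """\
sudo-1.6.9p17-3.el5
gstreamer-plugins-0.8.5-1.EL.2
kernel-rt-2.6.24.7-81.el5rt
bash-3.2-24.el5
"""

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version (or release) labels the way rpm does.

    Labels are split into runs of digits and runs of letters; digit runs
    compare numerically, letter runs lexically, a digit run outranks a
    letter run in the same position, and if one label is a prefix of the
    other the longer one is newer.  Returns -1, 0 or 1.
    """
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def nvr_from_filename(filename: str) -> str:
    """'sudo-1.6.9p17-3.el5_3.1.x86_64.rpm' -> 'sudo-1.6.9p17-3.el5_3.1'."""
    base = filename[:-4] if filename.endswith(".rpm") else filename
    return base.rsplit(".", 1)[0]  # strip the architecture suffix


def split_nvr(nvr: str):
    """Split NAME-VERSION-RELEASE; the name itself may contain hyphens."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def compare_vr(installed_vr, fixed_vr) -> int:
    """Version decides first; release only breaks a tie."""
    return (rpmvercmp(installed_vr[0], fixed_vr[0])
            or rpmvercmp(installed_vr[1], fixed_vr[1]))


def fixed_versions(filenames):
    """Map package name -> (version, release) from advisory rpm filenames."""
    fixed = {}
    for f in filenames:
        name, version, release = split_nvr(nvr_from_filename(f))
        fixed[name] = (version, release)
    return fixed


def audit(installed_text: str, fixed: dict) -> dict:
    """Classify each advisory package found on the host as 'fixed' or
    'vulnerable'.  Packages the advisory does not cover are skipped, and a
    covered package that is not installed is simply absent from the result."""
    status = {}
    for line in installed_text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, version, release = split_nvr(line)
        if name in fixed:
            at_or_above = compare_vr((version, release), fixed[name]) >= 0
            status[name] = "fixed" if at_or_above else "vulnerable"
    return status


if __name__ == "__main__":
    report = audit(SAMPLE_INSTALLED, fixed_versions(ADVISORY_PACKAGES))
    for pkg, state in sorted(report.items()):
        print(f"{pkg:20s} {state}")
```

On a real host, feed it the output of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` and, for kernels, remember that several versions can be installed at once and only the running one matters.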
From bugzilla at redhat.com Fri Feb 6 13:03:18 2009
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Fri, 6 Feb 2009 08:03:18 -0500
Subject: [RHSA-2009:0271-01] Important: gstreamer-plugins-good security update
Message-ID: <200902061303.n16D3KgD026996@int-mx1.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: gstreamer-plugins-good security update
Advisory ID:       RHSA-2009:0271-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2009-0271.html
Issue date:        2009-02-06
CVE Names:         CVE-2009-0386 CVE-2009-0387 CVE-2009-0397
=====================================================================

1. Summary:

Updated gstreamer-plugins-good packages that fix several security issues are now available for Red Hat Enterprise Linux 5.

This update has been rated as having important security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64

3. Description:

GStreamer is a streaming media framework, based on graphs of filters which operate on media data. GStreamer Good Plug-ins is a collection of well-supported GStreamer plug-ins of good quality released under the LGPL license.

Multiple heap buffer overflows and an array indexing error were found in GStreamer's QuickTime media file format decoding plugin. An attacker could create a carefully-crafted QuickTime media .mov file that would cause an application using GStreamer to crash or, potentially, execute arbitrary code if played by a victim. (CVE-2009-0386, CVE-2009-0387, CVE-2009-0397)

All users of gstreamer-plugins-good are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the update, all applications using GStreamer (such as totem or rhythmbox) must be restarted for the changes to take effect.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

481267 - CVE-2009-0397 gstreamer-plugins, gstreamer-plugins-good: heap-based buffer overflow while parsing malformed QuickTime media files via crafted Time-to-sample (stss) atom data
483736 - CVE-2009-0386 gstreamer-plugins-good: heap-based buffer overflow while parsing malformed QuickTime media files via crafted Composition Time To Sample (aka ctts) atom data
483737 - CVE-2009-0387 gstreamer-plugins-good: Array index error while parsing malformed QuickTime media files via crafted Sync Sample (aka stss) atom data

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/gstreamer-plugins-good-0.10.9-1.el5_3.1.src.rpm

i386:
gstreamer-plugins-good-0.10.9-1.el5_3.1.i386.rpm
gstreamer-plugins-good-debuginfo-0.10.9-1.el5_3.1.i386.rpm

x86_64:
gstreamer-plugins-good-0.10.9-1.el5_3.1.x86_64.rpm
gstreamer-plugins-good-debuginfo-0.10.9-1.el5_3.1.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/gstreamer-plugins-good-0.10.9-1.el5_3.1.src.rpm

i386:
gstreamer-plugins-good-debuginfo-0.10.9-1.el5_3.1.i386.rpm
gstreamer-plugins-good-devel-0.10.9-1.el5_3.1.i386.rpm

x86_64:
gstreamer-plugins-good-debuginfo-0.10.9-1.el5_3.1.i386.rpm
gstreamer-plugins-good-debuginfo-0.10.9-1.el5_3.1.x86_64.rpm
gstreamer-plugins-good-devel-0.10.9-1.el5_3.1.i386.rpm
gstreamer-plugins-good-devel-0.10.9-1.el5_3.1.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/gstreamer-plugins-good-0.10.9-1.el5_3.1.src.rpm

i386:
gstreamer-plugins-good-0.10.9-1.el5_3.1.i386.rpm
gstreamer-plugins-good-debuginfo-0.10.9-1.el5_3.1.i386.rpm
gstreamer-plugins-good-devel-0.10.9-1.el5_3.1.i386.rpm

ia64:
gstreamer-plugins-good-0.10.9-1.el5_3.1.ia64.rpm
gstreamer-plugins-good-debuginfo-0.10.9-1.el5_3.1.ia64.rpm
gstreamer-plugins-good-devel-0.10.9-1.el5_3.1.ia64.rpm

ppc:
gstreamer-plugins-good-0.10.9-1.el5_3.1.ppc.rpm
gstreamer-plugins-good-0.10.9-1.el5_3.1.ppc64.rpm
gstreamer-plugins-good-debuginfo-0.10.9-1.el5_3.1.ppc.rpm
gstreamer-plugins-good-debuginfo-0.10.9-1.el5_3.1.ppc64.rpm
gstreamer-plugins-good-devel-0.10.9-1.el5_3.1.ppc.rpm
gstreamer-plugins-good-devel-0.10.9-1.el5_3.1.ppc64.rpm

s390x:
gstreamer-plugins-good-0.10.9-1.el5_3.1.s390x.rpm
gstreamer-plugins-good-debuginfo-0.10.9-1.el5_3.1.s390.rpm
gstreamer-plugins-good-debuginfo-0.10.9-1.el5_3.1.s390x.rpm
gstreamer-plugins-good-devel-0.10.9-1.el5_3.1.s390.rpm
gstreamer-plugins-good-devel-0.10.9-1.el5_3.1.s390x.rpm

x86_64:
gstreamer-plugins-good-0.10.9-1.el5_3.1.x86_64.rpm
gstreamer-plugins-good-debuginfo-0.10.9-1.el5_3.1.i386.rpm
gstreamer-plugins-good-debuginfo-0.10.9-1.el5_3.1.x86_64.rpm
gstreamer-plugins-good-devel-0.10.9-1.el5_3.1.i386.rpm
gstreamer-plugins-good-devel-0.10.9-1.el5_3.1.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0386
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0387
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0397
http://www.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at
https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.

From bugzilla at redhat.com Tue Feb 10 15:53:43 2009
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 10 Feb 2009 10:53:43 -0500
Subject: [RHSA-2009:0264-01] Important: kernel security update
Message-ID: <200902101553.n1AFriHC020170@int-mx1.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: kernel security update
Advisory ID:       RHSA-2009:0264-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2009-0264.html
Issue date:        2009-02-10
CVE Names:         CVE-2008-4933 CVE-2008-4934 CVE-2008-5025
                   CVE-2008-5713 CVE-2009-0031 CVE-2009-0065
=====================================================================

1. Summary:

Updated kernel packages that resolve several security issues are now available for Red Hat Enterprise Linux 5.

This update has been rated as having important security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 5 client) - i386, noarch, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, noarch, ppc, s390x, x86_64

3. Description:

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update addresses the following security issues:

* a memory leak in keyctl handling. A local user could use this flaw to deplete kernel memory, eventually leading to a denial of service. (CVE-2009-0031, Important)

* a buffer overflow in the Linux kernel Partial Reliable Stream Control Transmission Protocol (PR-SCTP) implementation. This could, potentially, lead to a denial of service if a Forward-TSN chunk is received with a large stream ID. (CVE-2009-0065, Important)

* a flaw when handling heavy network traffic on an SMP system with many cores. An attacker who could send a large amount of network traffic could create a denial of service. (CVE-2008-5713, Important)

* the code for the HFS and HFS Plus (HFS+) file systems failed to properly handle corrupted data structures. This could, potentially, lead to a local denial of service. (CVE-2008-4933, CVE-2008-5025, Low)

* a flaw was found in the HFS Plus (HFS+) file system implementation. This could, potentially, lead to a local denial of service when write operations are performed. (CVE-2008-4934, Low)

In addition, these updated packages fix the following bugs:

* when using the nfsd daemon in a clustered setup, kernel panics appeared seemingly at random. These panics were caused by a race condition in the device-mapper mirror target.

* the clock_gettime(CLOCK_THREAD_CPUTIME_ID, ) syscall returned a smaller timespec value than the result of previous clock_gettime() function execution, which resulted in a negative, and nonsensical, elapsed time value.

* nfs_create_rpc_client was called with a "flavor" parameter which was usually ignored and ended up unconditionally creating the RPC client with an AUTH_UNIX flavor. This caused problems on AUTH_GSS mounts when the credentials needed to be refreshed. The credops did not match the authorization type, which resulted in the credops dereferencing an incorrect part of the AUTH_UNIX rpc_auth struct.

* when copy_user_c terminated prematurely due to reading beyond the end of the user buffer and the kernel jumped to the exception table entry, the rsi register was not cleared. This resulted in exiting back to user code with garbage in the rsi register.

* the hexdump data in s390dbf traces was incomplete. The length of the data traced was incorrect and the SAN payload was read from a different place than it was written to.

* when using connected mode (CM) in IPoIB on ehca2 hardware, it was not possible to transmit any data.

* when an application called fork() and pthread_create() many times and, at some point, a thread forked a child and then attempted to call the setpgid() function, then this function failed and returned an ESRCH error value.

Users should upgrade to these updated packages, which contain backported patches to correct these issues. Note: for this update to take effect, the system must be rebooted.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

469631 - CVE-2008-4933 kernel: hfsplus: fix Buffer overflow with a corrupted image
469640 - CVE-2008-4934 kernel: hfsplus: check read_mapping_page() return value
470769 - CVE-2008-5025 kernel: hfs: fix namelength memory corruption
477744 - CVE-2008-5713 kernel: soft lockup occurs when network load is very high
478800 - CVE-2009-0065 kernel: sctp: memory overflow when FWD-TSN chunk is received with bad stream ID
479812 - IB/ipoib: data transmission fails in connected mode on any HCA
480576 - RHEL5.2/3 - setpgid() returns ESRCH in some situations
480592 - CVE-2009-0031 kernel: local denial of service in keyctl_join_session_keyring
480996 - zfcp: fix hexdump data in s390dbf traces
481117 - RHSA-2008:0508 linux-2.6.9-x86_64-copy_user-zero-tail.patch broken
481119 - Kernel panic in auth_rpcgss:__gss_find_upcall
481120 - oops in mirror_map (dm-raid1.c)
481122 - [5.3] clock_gettime() syscall returns a smaller timespec value than previous.

6. Package List:

Red Hat Enterprise Linux Desktop (v.
5 client): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/kernel-2.6.18-128.1.1.el5.src.rpm i386: kernel-2.6.18-128.1.1.el5.i686.rpm kernel-PAE-2.6.18-128.1.1.el5.i686.rpm kernel-PAE-debuginfo-2.6.18-128.1.1.el5.i686.rpm kernel-PAE-devel-2.6.18-128.1.1.el5.i686.rpm kernel-debug-2.6.18-128.1.1.el5.i686.rpm kernel-debug-debuginfo-2.6.18-128.1.1.el5.i686.rpm kernel-debug-devel-2.6.18-128.1.1.el5.i686.rpm kernel-debuginfo-2.6.18-128.1.1.el5.i686.rpm kernel-debuginfo-common-2.6.18-128.1.1.el5.i686.rpm kernel-devel-2.6.18-128.1.1.el5.i686.rpm kernel-headers-2.6.18-128.1.1.el5.i386.rpm kernel-xen-2.6.18-128.1.1.el5.i686.rpm kernel-xen-debuginfo-2.6.18-128.1.1.el5.i686.rpm kernel-xen-devel-2.6.18-128.1.1.el5.i686.rpm noarch: kernel-doc-2.6.18-128.1.1.el5.noarch.rpm x86_64: kernel-2.6.18-128.1.1.el5.x86_64.rpm kernel-debug-2.6.18-128.1.1.el5.x86_64.rpm kernel-debug-debuginfo-2.6.18-128.1.1.el5.x86_64.rpm kernel-debug-devel-2.6.18-128.1.1.el5.x86_64.rpm kernel-debuginfo-2.6.18-128.1.1.el5.x86_64.rpm kernel-debuginfo-common-2.6.18-128.1.1.el5.x86_64.rpm kernel-devel-2.6.18-128.1.1.el5.x86_64.rpm kernel-headers-2.6.18-128.1.1.el5.x86_64.rpm kernel-xen-2.6.18-128.1.1.el5.x86_64.rpm kernel-xen-debuginfo-2.6.18-128.1.1.el5.x86_64.rpm kernel-xen-devel-2.6.18-128.1.1.el5.x86_64.rpm Red Hat Enterprise Linux (v. 
5 server): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/kernel-2.6.18-128.1.1.el5.src.rpm i386: kernel-2.6.18-128.1.1.el5.i686.rpm kernel-PAE-2.6.18-128.1.1.el5.i686.rpm kernel-PAE-debuginfo-2.6.18-128.1.1.el5.i686.rpm kernel-PAE-devel-2.6.18-128.1.1.el5.i686.rpm kernel-debug-2.6.18-128.1.1.el5.i686.rpm kernel-debug-debuginfo-2.6.18-128.1.1.el5.i686.rpm kernel-debug-devel-2.6.18-128.1.1.el5.i686.rpm kernel-debuginfo-2.6.18-128.1.1.el5.i686.rpm kernel-debuginfo-common-2.6.18-128.1.1.el5.i686.rpm kernel-devel-2.6.18-128.1.1.el5.i686.rpm kernel-headers-2.6.18-128.1.1.el5.i386.rpm kernel-xen-2.6.18-128.1.1.el5.i686.rpm kernel-xen-debuginfo-2.6.18-128.1.1.el5.i686.rpm kernel-xen-devel-2.6.18-128.1.1.el5.i686.rpm ia64: kernel-2.6.18-128.1.1.el5.ia64.rpm kernel-debug-2.6.18-128.1.1.el5.ia64.rpm kernel-debug-debuginfo-2.6.18-128.1.1.el5.ia64.rpm kernel-debug-devel-2.6.18-128.1.1.el5.ia64.rpm kernel-debuginfo-2.6.18-128.1.1.el5.ia64.rpm kernel-debuginfo-common-2.6.18-128.1.1.el5.ia64.rpm kernel-devel-2.6.18-128.1.1.el5.ia64.rpm kernel-headers-2.6.18-128.1.1.el5.ia64.rpm kernel-xen-2.6.18-128.1.1.el5.ia64.rpm kernel-xen-debuginfo-2.6.18-128.1.1.el5.ia64.rpm kernel-xen-devel-2.6.18-128.1.1.el5.ia64.rpm noarch: kernel-doc-2.6.18-128.1.1.el5.noarch.rpm ppc: kernel-2.6.18-128.1.1.el5.ppc64.rpm kernel-debug-2.6.18-128.1.1.el5.ppc64.rpm kernel-debug-debuginfo-2.6.18-128.1.1.el5.ppc64.rpm kernel-debug-devel-2.6.18-128.1.1.el5.ppc64.rpm kernel-debuginfo-2.6.18-128.1.1.el5.ppc64.rpm kernel-debuginfo-common-2.6.18-128.1.1.el5.ppc64.rpm kernel-devel-2.6.18-128.1.1.el5.ppc64.rpm kernel-headers-2.6.18-128.1.1.el5.ppc.rpm kernel-headers-2.6.18-128.1.1.el5.ppc64.rpm kernel-kdump-2.6.18-128.1.1.el5.ppc64.rpm kernel-kdump-debuginfo-2.6.18-128.1.1.el5.ppc64.rpm kernel-kdump-devel-2.6.18-128.1.1.el5.ppc64.rpm s390x: kernel-2.6.18-128.1.1.el5.s390x.rpm kernel-debug-2.6.18-128.1.1.el5.s390x.rpm kernel-debug-debuginfo-2.6.18-128.1.1.el5.s390x.rpm 
kernel-debug-devel-2.6.18-128.1.1.el5.s390x.rpm kernel-debuginfo-2.6.18-128.1.1.el5.s390x.rpm kernel-debuginfo-common-2.6.18-128.1.1.el5.s390x.rpm kernel-devel-2.6.18-128.1.1.el5.s390x.rpm kernel-headers-2.6.18-128.1.1.el5.s390x.rpm kernel-kdump-2.6.18-128.1.1.el5.s390x.rpm kernel-kdump-debuginfo-2.6.18-128.1.1.el5.s390x.rpm kernel-kdump-devel-2.6.18-128.1.1.el5.s390x.rpm

x86_64: kernel-2.6.18-128.1.1.el5.x86_64.rpm kernel-debug-2.6.18-128.1.1.el5.x86_64.rpm kernel-debug-debuginfo-2.6.18-128.1.1.el5.x86_64.rpm kernel-debug-devel-2.6.18-128.1.1.el5.x86_64.rpm kernel-debuginfo-2.6.18-128.1.1.el5.x86_64.rpm kernel-debuginfo-common-2.6.18-128.1.1.el5.x86_64.rpm kernel-devel-2.6.18-128.1.1.el5.x86_64.rpm kernel-headers-2.6.18-128.1.1.el5.x86_64.rpm kernel-xen-2.6.18-128.1.1.el5.x86_64.rpm kernel-xen-debuginfo-2.6.18-128.1.1.el5.x86_64.rpm kernel-xen-devel-2.6.18-128.1.1.el5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4933
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4934
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5025
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5713
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0031
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0065
http://www.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is .
More contact details at https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.
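The kernel advisory above ends with the note that the update only takes effect after a reboot, and its package list carries the fixed version-release (2.6.18-128.1.1.el5). The script below is an added example written for this page, not a Red Hat tool: it pulls the advisory ID, the CVE names and the fixed version-release per package out of advisory text in this format, then compares them against the installed and the running kernel with a simplified rpm version comparison, so that a host which has installed the package but has not rebooted is still reported as exposed. The advisory excerpt is trimmed from RHSA-2009:0264; the installed and running version strings are constructed samples (on a real host they come from rpm -q kernel and uname -r), and the function names are this example's own.

```python
"""Added example: consume an RHSA kernel advisory and decide whether a host is
(a) still running vulnerable packages, (b) patched on disk but awaiting reboot,
or (c) fixed. Written for this page; not a Red Hat tool.

ADVISORY is trimmed from RHSA-2009:0264 above. The installed/running version
strings used at the bottom are constructed samples; on a real host they come
from `rpm -q kernel` and `uname -r`.
"""
import re

ADVISORY = """\
Advisory ID:       RHSA-2009:0264-01
CVE Names:         CVE-2008-4933 CVE-2008-4934 CVE-2008-5025 CVE-2008-5713
                   CVE-2009-0031 CVE-2009-0065
x86_64: kernel-2.6.18-128.1.1.el5.x86_64.rpm kernel-xen-2.6.18-128.1.1.el5.x86_64.rpm
noarch: kernel-doc-2.6.18-128.1.1.el5.noarch.rpm
"""

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpm version comparison: split both strings into digit runs
    and letter runs (separators are ignored) and compare run by run. A numeric
    run beats an alphabetic one, numbers compare by value, letters lexically,
    and the string with runs left over is the newer one. Tilde/caret ordering
    is not implemented (assumption: EL5-era NVRs never use it)."""
    ra, rb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(ra, rb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(ra) > len(rb)) - (len(ra) < len(rb))


def compare_vr(vr_a: str, vr_b: str) -> int:
    """Compare two 'version-release' strings: version first, then release."""
    va, ra = vr_a.split("-", 1)
    vb, rb = vr_b.split("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def split_nvra(filename: str):
    """'kernel-PAE-2.6.18-128.1.1.el5.i686.rpm'
    -> ('kernel-PAE', '2.6.18', '128.1.1.el5', 'i686')"""
    stem = filename[:-4] if filename.endswith(".rpm") else filename
    nvr, arch = stem.rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch


def parse_advisory(text: str) -> dict:
    """Extract the advisory ID, the CVE list and the fixed version-release per
    package name from advisory text in the RHSA layout."""
    advisory_id = re.search(r"Advisory ID:\s*(\S+)", text).group(1)
    cves = sorted(set(re.findall(r"CVE-\d{4}-\d{4,}", text)))
    fixed = {}
    for fname in re.findall(r"\S+\.rpm", text):
        name, version, release, _arch = split_nvra(fname)
        fixed[name] = f"{version}-{release}"
    return {"id": advisory_id, "cves": cves, "fixed": fixed}


def update_status(advisory_text: str, installed_vr: str, running_vr: str,
                  package: str = "kernel") -> str:
    """Three-way verdict for one package. For a kernel, a fix that is installed
    but is not the running kernel is still exposure until the reboot."""
    fixed_vr = parse_advisory(advisory_text)["fixed"][package]
    if compare_vr(installed_vr, fixed_vr) < 0:
        return "vulnerable: fixed package not installed"
    if compare_vr(running_vr, fixed_vr) < 0:
        return "patched on disk, reboot pending: running kernel predates fix"
    return "fixed"


if __name__ == "__main__":
    # Constructed sample hosts: pre-update, updated-not-rebooted, rebooted.
    for installed, running in [("2.6.18-128.el5", "2.6.18-128.el5"),
                               ("2.6.18-128.1.1.el5", "2.6.18-128.el5"),
                               ("2.6.18-128.1.1.el5", "2.6.18-128.1.1.el5")]:
        print(f"installed={installed} running={running}: "
              f"{update_status(ADVISORY, installed, running)}")
```

On hosts running kernel-xen or kernel-PAE, uname -r ends in el5xen or el5PAE; pass the matching package name ("kernel-xen", "kernel-PAE") so the comparison is made against that package's entry rather than against "kernel".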
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFJkaKzXlSAg2UNWIIRAjf6AJ96KXJlQnOtRNWzmMJU2vsYRbLUyQCgh/a7
zz0VbnVGmhjzWxNtwvGsGqg=
=GBOZ
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Feb 11 16:53:29 2009
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 11 Feb 2009 11:53:29 -0500
Subject: [RHSA-2009:0012-01] Moderate: netpbm security update
Message-ID: <200902111653.n1BGrVA5031873@int-mx1.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: netpbm security update
Advisory ID:       RHSA-2009:0012-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2009-0012.html
Issue date:        2009-02-11
CVE Names:         CVE-2007-2721 CVE-2008-3520
=====================================================================

1. Summary:

Updated netpbm packages that fix several security issues are now available
for Red Hat Enterprise Linux 4 and 5.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64

3. Description:

The netpbm package contains a library of functions for editing and
converting between various graphics file formats, including .pbm (portable
bitmaps), .pgm (portable graymaps), .pnm (portable anymaps), .ppm (portable
pixmaps), and others.

An input validation flaw and multiple integer overflows were discovered in
the JasPer library providing support for JPEG-2000 image format and used in
the jpeg2ktopam and pamtojpeg2k converters. An attacker could create a
carefully-crafted JPEG file which could cause jpeg2ktopam to crash or,
possibly, execute arbitrary code as the user running jpeg2ktopam.
(CVE-2007-2721, CVE-2008-3520)

All users are advised to upgrade to these updated packages which contain
backported patches which resolve these issues.

4. Solution:

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

5. Bugs fixed (http://bugzilla.redhat.com/):

346501 - CVE-2007-2721 jasper crash in jpc_qcx_getcompparms
461476 - CVE-2008-3520 jasper: multiple integer overflows in jas_alloc calls

6. Package List:

Red Hat Enterprise Linux AS version 4:

Source: ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/netpbm-10.25-2.1.el4_7.4.src.rpm

i386: netpbm-10.25-2.1.el4_7.4.i386.rpm netpbm-debuginfo-10.25-2.1.el4_7.4.i386.rpm netpbm-devel-10.25-2.1.el4_7.4.i386.rpm netpbm-progs-10.25-2.1.el4_7.4.i386.rpm

ia64: netpbm-10.25-2.1.el4_7.4.i386.rpm netpbm-10.25-2.1.el4_7.4.ia64.rpm netpbm-debuginfo-10.25-2.1.el4_7.4.i386.rpm netpbm-debuginfo-10.25-2.1.el4_7.4.ia64.rpm netpbm-devel-10.25-2.1.el4_7.4.ia64.rpm netpbm-progs-10.25-2.1.el4_7.4.ia64.rpm

ppc: netpbm-10.25-2.1.el4_7.4.ppc.rpm netpbm-10.25-2.1.el4_7.4.ppc64.rpm netpbm-debuginfo-10.25-2.1.el4_7.4.ppc.rpm netpbm-debuginfo-10.25-2.1.el4_7.4.ppc64.rpm netpbm-devel-10.25-2.1.el4_7.4.ppc.rpm netpbm-progs-10.25-2.1.el4_7.4.ppc.rpm

s390: netpbm-10.25-2.1.el4_7.4.s390.rpm netpbm-debuginfo-10.25-2.1.el4_7.4.s390.rpm netpbm-devel-10.25-2.1.el4_7.4.s390.rpm netpbm-progs-10.25-2.1.el4_7.4.s390.rpm

s390x: netpbm-10.25-2.1.el4_7.4.s390.rpm
netpbm-10.25-2.1.el4_7.4.s390x.rpm netpbm-debuginfo-10.25-2.1.el4_7.4.s390.rpm netpbm-debuginfo-10.25-2.1.el4_7.4.s390x.rpm netpbm-devel-10.25-2.1.el4_7.4.s390x.rpm netpbm-progs-10.25-2.1.el4_7.4.s390x.rpm x86_64: netpbm-10.25-2.1.el4_7.4.i386.rpm netpbm-10.25-2.1.el4_7.4.x86_64.rpm netpbm-debuginfo-10.25-2.1.el4_7.4.i386.rpm netpbm-debuginfo-10.25-2.1.el4_7.4.x86_64.rpm netpbm-devel-10.25-2.1.el4_7.4.x86_64.rpm netpbm-progs-10.25-2.1.el4_7.4.x86_64.rpm Red Hat Enterprise Linux Desktop version 4: Source: ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/netpbm-10.25-2.1.el4_7.4.src.rpm i386: netpbm-10.25-2.1.el4_7.4.i386.rpm netpbm-debuginfo-10.25-2.1.el4_7.4.i386.rpm netpbm-devel-10.25-2.1.el4_7.4.i386.rpm netpbm-progs-10.25-2.1.el4_7.4.i386.rpm x86_64: netpbm-10.25-2.1.el4_7.4.i386.rpm netpbm-10.25-2.1.el4_7.4.x86_64.rpm netpbm-debuginfo-10.25-2.1.el4_7.4.i386.rpm netpbm-debuginfo-10.25-2.1.el4_7.4.x86_64.rpm netpbm-devel-10.25-2.1.el4_7.4.x86_64.rpm netpbm-progs-10.25-2.1.el4_7.4.x86_64.rpm Red Hat Enterprise Linux ES version 4: Source: ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/netpbm-10.25-2.1.el4_7.4.src.rpm i386: netpbm-10.25-2.1.el4_7.4.i386.rpm netpbm-debuginfo-10.25-2.1.el4_7.4.i386.rpm netpbm-devel-10.25-2.1.el4_7.4.i386.rpm netpbm-progs-10.25-2.1.el4_7.4.i386.rpm ia64: netpbm-10.25-2.1.el4_7.4.i386.rpm netpbm-10.25-2.1.el4_7.4.ia64.rpm netpbm-debuginfo-10.25-2.1.el4_7.4.i386.rpm netpbm-debuginfo-10.25-2.1.el4_7.4.ia64.rpm netpbm-devel-10.25-2.1.el4_7.4.ia64.rpm netpbm-progs-10.25-2.1.el4_7.4.ia64.rpm x86_64: netpbm-10.25-2.1.el4_7.4.i386.rpm netpbm-10.25-2.1.el4_7.4.x86_64.rpm netpbm-debuginfo-10.25-2.1.el4_7.4.i386.rpm netpbm-debuginfo-10.25-2.1.el4_7.4.x86_64.rpm netpbm-devel-10.25-2.1.el4_7.4.x86_64.rpm netpbm-progs-10.25-2.1.el4_7.4.x86_64.rpm Red Hat Enterprise Linux WS version 4: Source: ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/netpbm-10.25-2.1.el4_7.4.src.rpm i386: netpbm-10.25-2.1.el4_7.4.i386.rpm 
netpbm-debuginfo-10.25-2.1.el4_7.4.i386.rpm netpbm-devel-10.25-2.1.el4_7.4.i386.rpm netpbm-progs-10.25-2.1.el4_7.4.i386.rpm ia64: netpbm-10.25-2.1.el4_7.4.i386.rpm netpbm-10.25-2.1.el4_7.4.ia64.rpm netpbm-debuginfo-10.25-2.1.el4_7.4.i386.rpm netpbm-debuginfo-10.25-2.1.el4_7.4.ia64.rpm netpbm-devel-10.25-2.1.el4_7.4.ia64.rpm netpbm-progs-10.25-2.1.el4_7.4.ia64.rpm x86_64: netpbm-10.25-2.1.el4_7.4.i386.rpm netpbm-10.25-2.1.el4_7.4.x86_64.rpm netpbm-debuginfo-10.25-2.1.el4_7.4.i386.rpm netpbm-debuginfo-10.25-2.1.el4_7.4.x86_64.rpm netpbm-devel-10.25-2.1.el4_7.4.x86_64.rpm netpbm-progs-10.25-2.1.el4_7.4.x86_64.rpm Red Hat Enterprise Linux Desktop (v. 5 client): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/netpbm-10.35-6.1.el5_3.1.src.rpm i386: netpbm-10.35-6.1.el5_3.1.i386.rpm netpbm-debuginfo-10.35-6.1.el5_3.1.i386.rpm netpbm-progs-10.35-6.1.el5_3.1.i386.rpm x86_64: netpbm-10.35-6.1.el5_3.1.i386.rpm netpbm-10.35-6.1.el5_3.1.x86_64.rpm netpbm-debuginfo-10.35-6.1.el5_3.1.i386.rpm netpbm-debuginfo-10.35-6.1.el5_3.1.x86_64.rpm netpbm-progs-10.35-6.1.el5_3.1.x86_64.rpm RHEL Desktop Workstation (v. 5 client): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/netpbm-10.35-6.1.el5_3.1.src.rpm i386: netpbm-debuginfo-10.35-6.1.el5_3.1.i386.rpm netpbm-devel-10.35-6.1.el5_3.1.i386.rpm x86_64: netpbm-debuginfo-10.35-6.1.el5_3.1.i386.rpm netpbm-debuginfo-10.35-6.1.el5_3.1.x86_64.rpm netpbm-devel-10.35-6.1.el5_3.1.i386.rpm netpbm-devel-10.35-6.1.el5_3.1.x86_64.rpm Red Hat Enterprise Linux (v. 
5 server):

Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/netpbm-10.35-6.1.el5_3.1.src.rpm

i386: netpbm-10.35-6.1.el5_3.1.i386.rpm netpbm-debuginfo-10.35-6.1.el5_3.1.i386.rpm netpbm-devel-10.35-6.1.el5_3.1.i386.rpm netpbm-progs-10.35-6.1.el5_3.1.i386.rpm

ia64: netpbm-10.35-6.1.el5_3.1.ia64.rpm netpbm-debuginfo-10.35-6.1.el5_3.1.ia64.rpm netpbm-devel-10.35-6.1.el5_3.1.ia64.rpm netpbm-progs-10.35-6.1.el5_3.1.ia64.rpm

ppc: netpbm-10.35-6.1.el5_3.1.ppc.rpm netpbm-10.35-6.1.el5_3.1.ppc64.rpm netpbm-debuginfo-10.35-6.1.el5_3.1.ppc.rpm netpbm-debuginfo-10.35-6.1.el5_3.1.ppc64.rpm netpbm-devel-10.35-6.1.el5_3.1.ppc.rpm netpbm-devel-10.35-6.1.el5_3.1.ppc64.rpm netpbm-progs-10.35-6.1.el5_3.1.ppc.rpm

s390x: netpbm-10.35-6.1.el5_3.1.s390.rpm netpbm-10.35-6.1.el5_3.1.s390x.rpm netpbm-debuginfo-10.35-6.1.el5_3.1.s390.rpm netpbm-debuginfo-10.35-6.1.el5_3.1.s390x.rpm netpbm-devel-10.35-6.1.el5_3.1.s390.rpm netpbm-devel-10.35-6.1.el5_3.1.s390x.rpm netpbm-progs-10.35-6.1.el5_3.1.s390x.rpm

x86_64: netpbm-10.35-6.1.el5_3.1.i386.rpm netpbm-10.35-6.1.el5_3.1.x86_64.rpm netpbm-debuginfo-10.35-6.1.el5_3.1.i386.rpm netpbm-debuginfo-10.35-6.1.el5_3.1.x86_64.rpm netpbm-devel-10.35-6.1.el5_3.1.i386.rpm netpbm-devel-10.35-6.1.el5_3.1.x86_64.rpm netpbm-progs-10.35-6.1.el5_3.1.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2721
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3520
http://www.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is .
More contact details at https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFJkwJ7XlSAg2UNWIIRAr3GAJ420x6y/8zrsjJy/vjwUsPJcCCWyQCgmvx9
qCm0VPAzeemi4rh/giT+GSQ=
=gvDQ
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Feb 11 16:58:36 2009
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 11 Feb 2009 11:58:36 -0500
Subject: [RHSA-2009:0259-01] Moderate: mod_auth_mysql security update
Message-ID: <200902111658.n1BGwbsa002367@int-mx1.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: mod_auth_mysql security update
Advisory ID:       RHSA-2009:0259-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2009-0259.html
Issue date:        2009-02-11
CVE Names:         CVE-2008-2384
=====================================================================

1. Summary:

An updated mod_auth_mysql package to correct a security issue is now
available for Red Hat Enterprise Linux 5.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64

3. Description:

The mod_auth_mysql package includes an extension module for the Apache HTTP
Server which can be used to implement web user authentication against a
MySQL database.

A flaw was found in the way mod_auth_mysql escaped certain
multibyte-encoded strings. If mod_auth_mysql was configured to use a
multibyte character set that allowed a backslash '\' as part of the
character encodings, a remote attacker could inject arbitrary SQL commands
into a login request. (CVE-2008-2384)

Note: This flaw only affected non-default installations where
AuthMySQLCharacterSet is configured to use one of the affected multibyte
character sets.
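The Note above makes the flaw conditional on the configured multibyte character set. The script below is an added illustration written for this page, not mod_auth_mysql's own code, of why escaping one byte at a time breaks in such a charset: Shift_JIS is used as the constructed example because 0x5C, the backslash byte, is a valid trailing byte of a two-byte character there (as it is in GBK and Big5), so a backslash inserted in front of a quote can be swallowed into the preceding character and the quote reaches the SQL parser unescaped. The query template, the helper names and the sample inputs are this example's own assumptions.

```python
"""Added example: why charset-unaware escaping fails in a multibyte charset
whose encodings may contain the 0x5C (backslash) byte.

Nothing here is mod_auth_mysql's code. The query template, function names
and sample inputs are constructed for this illustration.
"""

QUERY_TEMPLATE = "SELECT password FROM users WHERE username='{}'"  # assumed shape


def naive_escape(raw: bytes) -> bytes:
    """Byte-wise escaping that ignores the connection charset: a 0x5C is put
    in front of every quote or backslash byte, without knowing whether the
    byte before it is an unfinished multibyte lead byte. When it is, the
    inserted 0x5C completes that character and the quote is left bare."""
    out = bytearray()
    for b in raw:
        if b in (0x27, 0x22, 0x5C):  # ' " \
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def charset_aware_escape(raw: bytes, charset: str) -> str:
    """Decode with the charset the server will use (rejecting malformed
    input), then escape whole characters. A stray lead byte can no longer
    absorb the escape byte because the decoder refuses it up front."""
    text = raw.decode(charset)  # raises UnicodeDecodeError on a stray lead byte
    return (text.replace("\\", "\\\\")
                .replace("'", "\\'")
                .replace('"', '\\"'))


def build_query_naive(raw_username: bytes, charset: str) -> str:
    """The query as the server parses it after naive escaping: the escaped
    bytes are interpreted in the connection charset."""
    return QUERY_TEMPLATE.format(naive_escape(raw_username).decode(charset))


def build_query_safe(raw_username: bytes, charset: str) -> str:
    return QUERY_TEMPLATE.format(charset_aware_escape(raw_username, charset))


def parse_literal(query: str, prefix: str = "username='") -> tuple:
    """Mimic the SQL lexer's view of the quoted literal: a backslash escapes
    the next character, an unescaped quote ends the literal.
    Returns (literal_as_parsed, text_after_closing_quote)."""
    i = query.index(prefix) + len(prefix)
    chars = []
    while i < len(query):
        c = query[i]
        if c == "\\" and i + 1 < len(query):
            chars.append(query[i + 1])
            i += 2
            continue
        if c == "'":
            return "".join(chars), query[i + 1:]
        chars.append(c)
        i += 1
    raise ValueError("unterminated string literal")


def injected(query: str) -> bool:
    """True when SQL text survives past the closing quote of the literal."""
    _, trailing = parse_literal(query)
    return bool(trailing.strip())


if __name__ == "__main__":
    # Constructed attacker input: a lone Shift_JIS lead byte, then the quote.
    payload = b"\x81' OR 1=1 -- "
    q = build_query_naive(payload, "shift_jis")
    print(q, "->", "INJECTED" if injected(q) else "safe")
    try:
        build_query_safe(payload, "shift_jis")
    except UnicodeDecodeError as e:
        print("charset-aware path rejected the input:", e.reason)
```

The charset-aware path is the shape of the standard remedy: tell the client library which character set the connection uses and escape with a charset-aware routine (in the MySQL C API, mysql_set_character_set() followed by mysql_real_escape_string()) rather than a byte-level escaper.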
Installations that did not use the AuthMySQLCharacterSet configuration
option were not vulnerable to this flaw.

All mod_auth_mysql users are advised to upgrade to the updated package,
which contains a backported patch to resolve this issue. After installing
the update, the httpd daemon must be restarted for the fix to take effect.

4. Solution:

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

480238 - CVE-2008-2384 mod_auth_mysql: character encoding SQL injection flaw

6. Package List:

RHEL Desktop Workstation (v. 5 client):

Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/mod_auth_mysql-3.0.0-3.2.el5_3.src.rpm

i386: mod_auth_mysql-3.0.0-3.2.el5_3.i386.rpm mod_auth_mysql-debuginfo-3.0.0-3.2.el5_3.i386.rpm

x86_64: mod_auth_mysql-3.0.0-3.2.el5_3.x86_64.rpm mod_auth_mysql-debuginfo-3.0.0-3.2.el5_3.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/mod_auth_mysql-3.0.0-3.2.el5_3.src.rpm

i386: mod_auth_mysql-3.0.0-3.2.el5_3.i386.rpm mod_auth_mysql-debuginfo-3.0.0-3.2.el5_3.i386.rpm

ia64: mod_auth_mysql-3.0.0-3.2.el5_3.ia64.rpm mod_auth_mysql-debuginfo-3.0.0-3.2.el5_3.ia64.rpm

ppc: mod_auth_mysql-3.0.0-3.2.el5_3.ppc.rpm mod_auth_mysql-debuginfo-3.0.0-3.2.el5_3.ppc.rpm

s390x: mod_auth_mysql-3.0.0-3.2.el5_3.s390x.rpm mod_auth_mysql-debuginfo-3.0.0-3.2.el5_3.s390x.rpm

x86_64: mod_auth_mysql-3.0.0-3.2.el5_3.x86_64.rpm mod_auth_mysql-debuginfo-3.0.0-3.2.el5_3.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2384
http://www.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is .
More contact details at https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFJkwO2XlSAg2UNWIIRAnmLAJ4yxCsX6fHioIHFG265C06pyt7OpQCgmaVj
9BbhB7DPLQKJhBNKE7r+eo0=
=mOe2
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Feb 11 17:08:26 2009
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 11 Feb 2009 12:08:26 -0500
Subject: [RHSA-2009:0261-01] Moderate: vnc security update
Message-ID: <200902111708.n1BH8ctj010297@int-mx1.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: vnc security update
Advisory ID:       RHSA-2009:0261-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2009-0261.html
Issue date:        2009-02-11
CVE Names:         CVE-2008-4770
=====================================================================

1. Summary:

Updated vnc packages to correct a security issue are now available for Red
Hat Enterprise Linux 3, 4, and 5.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64

3. Description:

Virtual Network Computing (VNC) is a remote display system which allows you
to view a computer's "desktop" environment not only on the machine where it
is running, but from anywhere on the Internet and from a wide variety of
machine architectures.

An insufficient input validation flaw was discovered in the VNC client
application, vncviewer. If an attacker could convince a victim to connect
to a malicious VNC server, or when an attacker was able to connect to
vncviewer running in the "listen" mode, the attacker could cause the
victim's vncviewer to crash or, possibly, execute arbitrary code.
(CVE-2008-4770)

Users of vncviewer should upgrade to these updated packages, which contain
a backported patch to resolve this issue. For the update to take effect,
all running instances of vncviewer must be restarted after the update is
installed.

4. Solution:

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

471777 - VNC Free Edition 4.1.3 fixes a possible security vulnerability only present in the listening viewer. VNC Server is not compromised.
480590 - CVE-2008-4770 vnc: vncviewer insufficient encoding value validation in CMsgReader::readRect

6.
Package List: Red Hat Enterprise Linux AS version 3: Source: ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/vnc-4.0-0.beta4.1.8.src.rpm i386: vnc-4.0-0.beta4.1.8.i386.rpm vnc-debuginfo-4.0-0.beta4.1.8.i386.rpm vnc-server-4.0-0.beta4.1.8.i386.rpm ia64: vnc-4.0-0.beta4.1.8.ia64.rpm vnc-debuginfo-4.0-0.beta4.1.8.ia64.rpm vnc-server-4.0-0.beta4.1.8.ia64.rpm ppc: vnc-4.0-0.beta4.1.8.ppc.rpm vnc-debuginfo-4.0-0.beta4.1.8.ppc.rpm vnc-server-4.0-0.beta4.1.8.ppc.rpm s390: vnc-4.0-0.beta4.1.8.s390.rpm vnc-debuginfo-4.0-0.beta4.1.8.s390.rpm vnc-server-4.0-0.beta4.1.8.s390.rpm s390x: vnc-4.0-0.beta4.1.8.s390x.rpm vnc-debuginfo-4.0-0.beta4.1.8.s390x.rpm vnc-server-4.0-0.beta4.1.8.s390x.rpm x86_64: vnc-4.0-0.beta4.1.8.x86_64.rpm vnc-debuginfo-4.0-0.beta4.1.8.x86_64.rpm vnc-server-4.0-0.beta4.1.8.x86_64.rpm Red Hat Desktop version 3: Source: ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/vnc-4.0-0.beta4.1.8.src.rpm i386: vnc-4.0-0.beta4.1.8.i386.rpm vnc-debuginfo-4.0-0.beta4.1.8.i386.rpm vnc-server-4.0-0.beta4.1.8.i386.rpm x86_64: vnc-4.0-0.beta4.1.8.x86_64.rpm vnc-debuginfo-4.0-0.beta4.1.8.x86_64.rpm vnc-server-4.0-0.beta4.1.8.x86_64.rpm Red Hat Enterprise Linux ES version 3: Source: ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/vnc-4.0-0.beta4.1.8.src.rpm i386: vnc-4.0-0.beta4.1.8.i386.rpm vnc-debuginfo-4.0-0.beta4.1.8.i386.rpm vnc-server-4.0-0.beta4.1.8.i386.rpm ia64: vnc-4.0-0.beta4.1.8.ia64.rpm vnc-debuginfo-4.0-0.beta4.1.8.ia64.rpm vnc-server-4.0-0.beta4.1.8.ia64.rpm x86_64: vnc-4.0-0.beta4.1.8.x86_64.rpm vnc-debuginfo-4.0-0.beta4.1.8.x86_64.rpm vnc-server-4.0-0.beta4.1.8.x86_64.rpm Red Hat Enterprise Linux WS version 3: Source: ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/vnc-4.0-0.beta4.1.8.src.rpm i386: vnc-4.0-0.beta4.1.8.i386.rpm vnc-debuginfo-4.0-0.beta4.1.8.i386.rpm vnc-server-4.0-0.beta4.1.8.i386.rpm ia64: vnc-4.0-0.beta4.1.8.ia64.rpm vnc-debuginfo-4.0-0.beta4.1.8.ia64.rpm vnc-server-4.0-0.beta4.1.8.ia64.rpm x86_64: 
vnc-4.0-0.beta4.1.8.x86_64.rpm vnc-debuginfo-4.0-0.beta4.1.8.x86_64.rpm vnc-server-4.0-0.beta4.1.8.x86_64.rpm Red Hat Enterprise Linux AS version 4: Source: ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/vnc-4.0-12.el4_7.1.src.rpm i386: vnc-4.0-12.el4_7.1.i386.rpm vnc-debuginfo-4.0-12.el4_7.1.i386.rpm vnc-server-4.0-12.el4_7.1.i386.rpm ia64: vnc-4.0-12.el4_7.1.ia64.rpm vnc-debuginfo-4.0-12.el4_7.1.ia64.rpm vnc-server-4.0-12.el4_7.1.ia64.rpm ppc: vnc-4.0-12.el4_7.1.ppc.rpm vnc-debuginfo-4.0-12.el4_7.1.ppc.rpm vnc-server-4.0-12.el4_7.1.ppc.rpm s390: vnc-4.0-12.el4_7.1.s390.rpm vnc-debuginfo-4.0-12.el4_7.1.s390.rpm vnc-server-4.0-12.el4_7.1.s390.rpm s390x: vnc-4.0-12.el4_7.1.s390x.rpm vnc-debuginfo-4.0-12.el4_7.1.s390x.rpm vnc-server-4.0-12.el4_7.1.s390x.rpm x86_64: vnc-4.0-12.el4_7.1.x86_64.rpm vnc-debuginfo-4.0-12.el4_7.1.x86_64.rpm vnc-server-4.0-12.el4_7.1.x86_64.rpm Red Hat Enterprise Linux Desktop version 4: Source: ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/vnc-4.0-12.el4_7.1.src.rpm i386: vnc-4.0-12.el4_7.1.i386.rpm vnc-debuginfo-4.0-12.el4_7.1.i386.rpm vnc-server-4.0-12.el4_7.1.i386.rpm x86_64: vnc-4.0-12.el4_7.1.x86_64.rpm vnc-debuginfo-4.0-12.el4_7.1.x86_64.rpm vnc-server-4.0-12.el4_7.1.x86_64.rpm Red Hat Enterprise Linux ES version 4: Source: ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/vnc-4.0-12.el4_7.1.src.rpm i386: vnc-4.0-12.el4_7.1.i386.rpm vnc-debuginfo-4.0-12.el4_7.1.i386.rpm vnc-server-4.0-12.el4_7.1.i386.rpm ia64: vnc-4.0-12.el4_7.1.ia64.rpm vnc-debuginfo-4.0-12.el4_7.1.ia64.rpm vnc-server-4.0-12.el4_7.1.ia64.rpm x86_64: vnc-4.0-12.el4_7.1.x86_64.rpm vnc-debuginfo-4.0-12.el4_7.1.x86_64.rpm vnc-server-4.0-12.el4_7.1.x86_64.rpm Red Hat Enterprise Linux WS version 4: Source: ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/vnc-4.0-12.el4_7.1.src.rpm i386: vnc-4.0-12.el4_7.1.i386.rpm vnc-debuginfo-4.0-12.el4_7.1.i386.rpm vnc-server-4.0-12.el4_7.1.i386.rpm ia64: vnc-4.0-12.el4_7.1.ia64.rpm 
vnc-debuginfo-4.0-12.el4_7.1.ia64.rpm vnc-server-4.0-12.el4_7.1.ia64.rpm

x86_64: vnc-4.0-12.el4_7.1.x86_64.rpm vnc-debuginfo-4.0-12.el4_7.1.x86_64.rpm vnc-server-4.0-12.el4_7.1.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 5 client):

Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/vnc-4.1.2-14.el5_3.1.src.rpm

i386: vnc-4.1.2-14.el5_3.1.i386.rpm vnc-debuginfo-4.1.2-14.el5_3.1.i386.rpm vnc-server-4.1.2-14.el5_3.1.i386.rpm

x86_64: vnc-4.1.2-14.el5_3.1.x86_64.rpm vnc-debuginfo-4.1.2-14.el5_3.1.x86_64.rpm vnc-server-4.1.2-14.el5_3.1.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/vnc-4.1.2-14.el5_3.1.src.rpm

i386: vnc-4.1.2-14.el5_3.1.i386.rpm vnc-debuginfo-4.1.2-14.el5_3.1.i386.rpm vnc-server-4.1.2-14.el5_3.1.i386.rpm

ia64: vnc-4.1.2-14.el5_3.1.ia64.rpm vnc-debuginfo-4.1.2-14.el5_3.1.ia64.rpm vnc-server-4.1.2-14.el5_3.1.ia64.rpm

ppc: vnc-4.1.2-14.el5_3.1.ppc.rpm vnc-debuginfo-4.1.2-14.el5_3.1.ppc.rpm vnc-server-4.1.2-14.el5_3.1.ppc.rpm

s390x: vnc-4.1.2-14.el5_3.1.s390x.rpm vnc-debuginfo-4.1.2-14.el5_3.1.s390x.rpm vnc-server-4.1.2-14.el5_3.1.s390x.rpm

x86_64: vnc-4.1.2-14.el5_3.1.x86_64.rpm vnc-debuginfo-4.1.2-14.el5_3.1.x86_64.rpm vnc-server-4.1.2-14.el5_3.1.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4770
http://www.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is .
More contact details at https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFJkwXzXlSAg2UNWIIRApG1AKClL7LyNAPkzTbLbqNor4QWYTcpNACfZWdm
1Uf/6GYcBMQvF+tw16RXe3A=
=kZFh
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Feb 19 17:53:02 2009
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 19 Feb 2009 12:53:02 -0500
Subject: [RHSA-2009:0275-01] Moderate: imap security update
Message-ID: <200902191753.n1JHr2ri007710@int-mx1.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: imap security update
Advisory ID:       RHSA-2009:0275-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2009-0275.html
Issue date:        2009-02-19
CVE Names:         CVE-2008-5005
=====================================================================

1. Summary:

Updated imap packages to fix a security issue are now available for Red Hat
Enterprise Linux 3.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64

3. Description:

The imap package provides server daemons for both the IMAP (Internet
Message Access Protocol) and POP (Post Office Protocol) mail access
protocols.

A buffer overflow flaw was discovered in the dmail and tmail mail delivery
utilities shipped with imap. If either of these utilities were used as a
mail delivery agent, a remote attacker could potentially use this flaw to
run arbitrary code as the targeted user by sending a specially-crafted mail
message to the victim. (CVE-2008-5005)

Users of imap should upgrade to these updated packages, which contain a
backported patch to resolve this issue.

4.
Solution:

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

469667 - CVE-2008-5005 uw-imap: buffer overflow in dmail and tmail

6. Package List:

Red Hat Enterprise Linux AS version 3:

Source: ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/imap-2002d-15.src.rpm

i386: imap-2002d-15.i386.rpm imap-debuginfo-2002d-15.i386.rpm imap-devel-2002d-15.i386.rpm imap-utils-2002d-15.i386.rpm

ia64: imap-2002d-15.ia64.rpm imap-debuginfo-2002d-15.ia64.rpm imap-devel-2002d-15.ia64.rpm imap-utils-2002d-15.ia64.rpm

ppc: imap-2002d-15.ppc.rpm imap-debuginfo-2002d-15.ppc.rpm imap-devel-2002d-15.ppc.rpm imap-utils-2002d-15.ppc.rpm

s390: imap-2002d-15.s390.rpm imap-debuginfo-2002d-15.s390.rpm imap-devel-2002d-15.s390.rpm imap-utils-2002d-15.s390.rpm

s390x: imap-2002d-15.s390x.rpm imap-debuginfo-2002d-15.s390x.rpm imap-devel-2002d-15.s390x.rpm imap-utils-2002d-15.s390x.rpm

x86_64: imap-2002d-15.x86_64.rpm imap-debuginfo-2002d-15.x86_64.rpm imap-devel-2002d-15.x86_64.rpm imap-utils-2002d-15.x86_64.rpm

Red Hat Desktop version 3:

Source: ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/imap-2002d-15.src.rpm

i386: imap-2002d-15.i386.rpm imap-debuginfo-2002d-15.i386.rpm imap-devel-2002d-15.i386.rpm imap-utils-2002d-15.i386.rpm

x86_64: imap-2002d-15.x86_64.rpm imap-debuginfo-2002d-15.x86_64.rpm imap-devel-2002d-15.x86_64.rpm imap-utils-2002d-15.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

Source: ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/imap-2002d-15.src.rpm

i386: imap-2002d-15.i386.rpm imap-debuginfo-2002d-15.i386.rpm imap-devel-2002d-15.i386.rpm imap-utils-2002d-15.i386.rpm

ia64: imap-2002d-15.ia64.rpm imap-debuginfo-2002d-15.ia64.rpm imap-devel-2002d-15.ia64.rpm imap-utils-2002d-15.ia64.rpm

x86_64: imap-2002d-15.x86_64.rpm imap-debuginfo-2002d-15.x86_64.rpm imap-devel-2002d-15.x86_64.rpm imap-utils-2002d-15.x86_64.rpm

Red Hat Enterprise Linux WS version 3:

Source: ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/imap-2002d-15.src.rpm

i386: imap-2002d-15.i386.rpm imap-debuginfo-2002d-15.i386.rpm imap-devel-2002d-15.i386.rpm imap-utils-2002d-15.i386.rpm

ia64: imap-2002d-15.ia64.rpm imap-debuginfo-2002d-15.ia64.rpm imap-devel-2002d-15.ia64.rpm imap-utils-2002d-15.ia64.rpm

x86_64: imap-2002d-15.x86_64.rpm imap-debuginfo-2002d-15.x86_64.rpm imap-devel-2002d-15.x86_64.rpm imap-utils-2002d-15.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5005
http://www.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is .
More contact details at https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFJnZxEXlSAg2UNWIIRArmNAJ9VgMSzjUNp0L//cI9Qpr5VfGv97wCfWwp9
ItdbEFnU6DHnpZPwHHymnjM=
=yZD1
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Feb 19 17:54:04 2009
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 19 Feb 2009 12:54:04 -0500
Subject: [RHSA-2009:0308-01] Important: cups security update
Message-ID: <200902191754.n1JHs4Y8008154@int-mx1.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: cups security update
Advisory ID:       RHSA-2009:0308-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2009-0308.html
Issue date:        2009-02-19
CVE Names:         CVE-2009-0577
=====================================================================

1. Summary:

Updated cups packages that fix a security issue are now available for Red Hat Enterprise Linux 3.

This update has been rated as having important security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64

3. Description:

The Common UNIX® Printing System (CUPS) provides a portable printing layer for UNIX operating systems.

The CUPS security advisory, RHSA-2008:0937, stated that it fixed CVE-2008-3640 for Red Hat Enterprise Linux 3, 4, and 5. It was discovered this flaw was not properly fixed on Red Hat Enterprise Linux 3, however. (CVE-2009-0577)

These new packages contain a proper fix for CVE-2008-3640 on Red Hat Enterprise Linux 3. Red Hat Enterprise Linux 4 and 5 already contain the appropriate fix for this flaw and do not need to be updated.

Users of cups should upgrade to these updated packages, which contain a backported patch to correct this issue.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

486052 - CVE-2009-0577 cups-CVE-2008-3640.patch has been corrupted.

6. Package List:

Red Hat Enterprise Linux AS version 3:

Source: ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/cups-1.1.17-13.3.56.src.rpm
i386: cups-1.1.17-13.3.56.i386.rpm cups-debuginfo-1.1.17-13.3.56.i386.rpm cups-devel-1.1.17-13.3.56.i386.rpm cups-libs-1.1.17-13.3.56.i386.rpm
ia64: cups-1.1.17-13.3.56.ia64.rpm cups-debuginfo-1.1.17-13.3.56.i386.rpm cups-debuginfo-1.1.17-13.3.56.ia64.rpm cups-devel-1.1.17-13.3.56.ia64.rpm cups-libs-1.1.17-13.3.56.i386.rpm cups-libs-1.1.17-13.3.56.ia64.rpm
ppc: cups-1.1.17-13.3.56.ppc.rpm cups-debuginfo-1.1.17-13.3.56.ppc.rpm cups-debuginfo-1.1.17-13.3.56.ppc64.rpm cups-devel-1.1.17-13.3.56.ppc.rpm cups-libs-1.1.17-13.3.56.ppc.rpm cups-libs-1.1.17-13.3.56.ppc64.rpm
s390: cups-1.1.17-13.3.56.s390.rpm cups-debuginfo-1.1.17-13.3.56.s390.rpm cups-devel-1.1.17-13.3.56.s390.rpm cups-libs-1.1.17-13.3.56.s390.rpm
s390x: cups-1.1.17-13.3.56.s390x.rpm cups-debuginfo-1.1.17-13.3.56.s390.rpm cups-debuginfo-1.1.17-13.3.56.s390x.rpm cups-devel-1.1.17-13.3.56.s390x.rpm cups-libs-1.1.17-13.3.56.s390.rpm cups-libs-1.1.17-13.3.56.s390x.rpm
x86_64: cups-1.1.17-13.3.56.x86_64.rpm cups-debuginfo-1.1.17-13.3.56.i386.rpm cups-debuginfo-1.1.17-13.3.56.x86_64.rpm cups-devel-1.1.17-13.3.56.x86_64.rpm cups-libs-1.1.17-13.3.56.i386.rpm cups-libs-1.1.17-13.3.56.x86_64.rpm

Red Hat Desktop version 3:

Source: ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/cups-1.1.17-13.3.56.src.rpm
i386: cups-1.1.17-13.3.56.i386.rpm cups-debuginfo-1.1.17-13.3.56.i386.rpm cups-devel-1.1.17-13.3.56.i386.rpm cups-libs-1.1.17-13.3.56.i386.rpm
x86_64: cups-1.1.17-13.3.56.x86_64.rpm cups-debuginfo-1.1.17-13.3.56.i386.rpm cups-debuginfo-1.1.17-13.3.56.x86_64.rpm cups-devel-1.1.17-13.3.56.x86_64.rpm cups-libs-1.1.17-13.3.56.i386.rpm cups-libs-1.1.17-13.3.56.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

Source: ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/cups-1.1.17-13.3.56.src.rpm
i386: cups-1.1.17-13.3.56.i386.rpm cups-debuginfo-1.1.17-13.3.56.i386.rpm cups-devel-1.1.17-13.3.56.i386.rpm cups-libs-1.1.17-13.3.56.i386.rpm
ia64: cups-1.1.17-13.3.56.ia64.rpm cups-debuginfo-1.1.17-13.3.56.i386.rpm cups-debuginfo-1.1.17-13.3.56.ia64.rpm cups-devel-1.1.17-13.3.56.ia64.rpm cups-libs-1.1.17-13.3.56.i386.rpm cups-libs-1.1.17-13.3.56.ia64.rpm
x86_64: cups-1.1.17-13.3.56.x86_64.rpm cups-debuginfo-1.1.17-13.3.56.i386.rpm cups-debuginfo-1.1.17-13.3.56.x86_64.rpm cups-devel-1.1.17-13.3.56.x86_64.rpm cups-libs-1.1.17-13.3.56.i386.rpm cups-libs-1.1.17-13.3.56.x86_64.rpm

Red Hat Enterprise Linux WS version 3:

Source: ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/cups-1.1.17-13.3.56.src.rpm
i386: cups-1.1.17-13.3.56.i386.rpm cups-debuginfo-1.1.17-13.3.56.i386.rpm cups-devel-1.1.17-13.3.56.i386.rpm cups-libs-1.1.17-13.3.56.i386.rpm
ia64: cups-1.1.17-13.3.56.ia64.rpm cups-debuginfo-1.1.17-13.3.56.i386.rpm cups-debuginfo-1.1.17-13.3.56.ia64.rpm cups-devel-1.1.17-13.3.56.ia64.rpm cups-libs-1.1.17-13.3.56.i386.rpm cups-libs-1.1.17-13.3.56.ia64.rpm
x86_64: cups-1.1.17-13.3.56.x86_64.rpm cups-debuginfo-1.1.17-13.3.56.i386.rpm cups-debuginfo-1.1.17-13.3.56.x86_64.rpm cups-devel-1.1.17-13.3.56.x86_64.rpm cups-libs-1.1.17-13.3.56.i386.rpm cups-libs-1.1.17-13.3.56.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0577
http://www.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFJnZyOXlSAg2UNWIIRAjH4AJ4gyEaFl9O8mFVA2ILB0T/wJFV3RQCgqbZ5
1UaLg7vKlahnwp5ZBrkBIwM=
=w6M6
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Feb 25 01:12:56 2009
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 24 Feb 2009 20:12:56 -0500
Subject: [RHSA-2009:0021-01] Important: kernel security update
Message-ID: <200902250112.n1P1Cu2O008976@int-mx1.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: kernel security update
Advisory ID:       RHSA-2009:0021-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2009-0021.html
Issue date:        2009-02-24
CVE Names:         CVE-2008-5029 CVE-2008-5079 CVE-2008-5182 CVE-2008-5300
=====================================================================

1. Summary:

Updated kernel packages that resolve several security issues are now available for Red Hat Enterprise Linux 5.2 Extended Update Support.

This update has been rated as having important security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux (v. 5.2.z server) - i386, ia64, noarch, ppc, s390x, x86_64

3. Description:

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update includes backported fixes for four security issues. These issues only affected users of Red Hat Enterprise Linux 5.2 Extended Update Support as they have already been addressed for users of Red Hat Enterprise Linux 5 in the 5.3 update, RHSA-2009:0225.

In accordance with the support policy, future security updates to Red Hat Enterprise Linux 5.2 Extended Update Support will only include issues of critical security impact.

* when fput() was called to close a socket, the __scm_destroy() function in the Linux kernel could make indirect recursive calls to itself. This could, potentially, lead to a denial of service issue. (CVE-2008-5029, Important)

* the sendmsg() function in the Linux kernel did not block during UNIX socket garbage collection. This could, potentially, lead to a local denial of service. (CVE-2008-5300, Important)

* a flaw was found in the Asynchronous Transfer Mode (ATM) subsystem. A local, unprivileged user could use the flaw to listen on the same socket more than once, possibly causing a denial of service. (CVE-2008-5079, Important)

* a race condition was found in the Linux kernel "inotify" watch removal and umount implementation. This could allow a local, unprivileged user to cause a privilege escalation or a denial of service. (CVE-2008-5182, Important)

Users should upgrade to these updated packages, which contain backported patches to correct these issues. Note: for this update to take effect, the system must be rebooted.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

470201 - CVE-2008-5029 kernel: Unix sockets kernel panic
472325 - CVE-2008-5182 kernel: fix inotify watch removal/umount races
473259 - CVE-2008-5300 kernel: fix soft lockups/OOM issues with unix socket garbage collector
473696 - CVE-2008-5079 Linux Kernel 'atm module' Local Denial of Service

6. Package List:

Red Hat Enterprise Linux (v. 5.2.z server):

Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/kernel-2.6.18-92.1.24.el5.src.rpm
i386: kernel-2.6.18-92.1.24.el5.i686.rpm kernel-PAE-2.6.18-92.1.24.el5.i686.rpm kernel-PAE-debuginfo-2.6.18-92.1.24.el5.i686.rpm kernel-PAE-devel-2.6.18-92.1.24.el5.i686.rpm kernel-debug-2.6.18-92.1.24.el5.i686.rpm kernel-debug-debuginfo-2.6.18-92.1.24.el5.i686.rpm kernel-debug-devel-2.6.18-92.1.24.el5.i686.rpm kernel-debuginfo-2.6.18-92.1.24.el5.i686.rpm kernel-debuginfo-common-2.6.18-92.1.24.el5.i686.rpm kernel-devel-2.6.18-92.1.24.el5.i686.rpm kernel-headers-2.6.18-92.1.24.el5.i386.rpm kernel-xen-2.6.18-92.1.24.el5.i686.rpm kernel-xen-debuginfo-2.6.18-92.1.24.el5.i686.rpm kernel-xen-devel-2.6.18-92.1.24.el5.i686.rpm
ia64: kernel-2.6.18-92.1.24.el5.ia64.rpm kernel-debug-2.6.18-92.1.24.el5.ia64.rpm kernel-debug-debuginfo-2.6.18-92.1.24.el5.ia64.rpm kernel-debug-devel-2.6.18-92.1.24.el5.ia64.rpm kernel-debuginfo-2.6.18-92.1.24.el5.ia64.rpm kernel-debuginfo-common-2.6.18-92.1.24.el5.ia64.rpm kernel-devel-2.6.18-92.1.24.el5.ia64.rpm kernel-headers-2.6.18-92.1.24.el5.ia64.rpm kernel-xen-2.6.18-92.1.24.el5.ia64.rpm kernel-xen-debuginfo-2.6.18-92.1.24.el5.ia64.rpm kernel-xen-devel-2.6.18-92.1.24.el5.ia64.rpm
noarch: kernel-doc-2.6.18-92.1.24.el5.noarch.rpm
ppc: kernel-2.6.18-92.1.24.el5.ppc64.rpm kernel-debug-2.6.18-92.1.24.el5.ppc64.rpm kernel-debug-debuginfo-2.6.18-92.1.24.el5.ppc64.rpm kernel-debug-devel-2.6.18-92.1.24.el5.ppc64.rpm kernel-debuginfo-2.6.18-92.1.24.el5.ppc64.rpm kernel-debuginfo-common-2.6.18-92.1.24.el5.ppc64.rpm kernel-devel-2.6.18-92.1.24.el5.ppc64.rpm kernel-headers-2.6.18-92.1.24.el5.ppc.rpm kernel-headers-2.6.18-92.1.24.el5.ppc64.rpm kernel-kdump-2.6.18-92.1.24.el5.ppc64.rpm kernel-kdump-debuginfo-2.6.18-92.1.24.el5.ppc64.rpm kernel-kdump-devel-2.6.18-92.1.24.el5.ppc64.rpm
s390x: kernel-2.6.18-92.1.24.el5.s390x.rpm kernel-debug-2.6.18-92.1.24.el5.s390x.rpm kernel-debug-debuginfo-2.6.18-92.1.24.el5.s390x.rpm kernel-debug-devel-2.6.18-92.1.24.el5.s390x.rpm kernel-debuginfo-2.6.18-92.1.24.el5.s390x.rpm kernel-debuginfo-common-2.6.18-92.1.24.el5.s390x.rpm kernel-devel-2.6.18-92.1.24.el5.s390x.rpm kernel-headers-2.6.18-92.1.24.el5.s390x.rpm kernel-kdump-2.6.18-92.1.24.el5.s390x.rpm kernel-kdump-debuginfo-2.6.18-92.1.24.el5.s390x.rpm kernel-kdump-devel-2.6.18-92.1.24.el5.s390x.rpm
x86_64: kernel-2.6.18-92.1.24.el5.x86_64.rpm kernel-debug-2.6.18-92.1.24.el5.x86_64.rpm kernel-debug-debuginfo-2.6.18-92.1.24.el5.x86_64.rpm kernel-debug-devel-2.6.18-92.1.24.el5.x86_64.rpm kernel-debuginfo-2.6.18-92.1.24.el5.x86_64.rpm kernel-debuginfo-common-2.6.18-92.1.24.el5.x86_64.rpm kernel-devel-2.6.18-92.1.24.el5.x86_64.rpm kernel-headers-2.6.18-92.1.24.el5.x86_64.rpm kernel-xen-2.6.18-92.1.24.el5.x86_64.rpm kernel-xen-debuginfo-2.6.18-92.1.24.el5.x86_64.rpm kernel-xen-devel-2.6.18-92.1.24.el5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5029
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5079
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5182
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5300
http://www.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFJpJsDXlSAg2UNWIIRAh0UAJ99/pGumbq971RYOA7DVVs70is6JgCfem3M
fzxViHJKMqTwbOQDyjKgchk=
=fNTP
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Feb 26 00:02:56 2009
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 25 Feb 2009 19:02:56 -0500
Subject: [RHSA-2009:0332-01] Critical: flash-plugin security update
Message-ID: <200902260002.n1Q02ugF023603@int-mx1.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: flash-plugin security update
Advisory ID:       RHSA-2009:0332-01
Product:           Red Hat Enterprise Linux Extras
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2009-0332.html
Issue date:        2009-02-25
CVE Names:         CVE-2009-0519 CVE-2009-0520 CVE-2009-0521
=====================================================================

1. Summary:

An updated Adobe Flash Player package that fixes several security issues is now available for Red Hat Enterprise Linux 5 Supplementary.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

RHEL Desktop Supplementary (v. 5 client) - i386, x86_64
RHEL Supplementary (v. 5 server) - i386, x86_64

3. Description:

The flash-plugin package contains a Firefox-compatible Adobe Flash Player Web browser plug-in.

Multiple input validation flaws were found in the way Flash Player displayed certain SWF (Shockwave Flash) content. An attacker could use these flaws to create a specially-crafted SWF file that could cause flash-plugin to crash, or, possibly, execute arbitrary code when the victim loaded a page containing the specially-crafted SWF content. (CVE-2009-0520, CVE-2009-0519)

It was discovered that Adobe Flash Player had an insecure RPATH (runtime library search path) set in the ELF (Executable and Linking Format) header. A local user with write access to the directory pointed to by RPATH could use this flaw to execute arbitrary code with the privileges of the user running Adobe Flash Player. (CVE-2009-0521)

All users of Adobe Flash Player should install this updated package, which upgrades Flash Player to version 10.0.22.87.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

487141 - CVE-2009-0519 flash-plugin: Input validation flaw (DoS)
487142 - CVE-2009-0520 flash-plugin: Buffer overflow (arbitrary code execution) via crafted SWF file.
487144 - CVE-2009-0521 flash-plugin: Linux-specific information disclosure (privilege escalation)

6. Package List:

RHEL Desktop Supplementary (v. 5 client):

i386: flash-plugin-10.0.22.87-1.el5.i386.rpm
x86_64: flash-plugin-10.0.22.87-1.el5.i386.rpm

RHEL Supplementary (v. 5 server):

i386: flash-plugin-10.0.22.87-1.el5.i386.rpm
x86_64: flash-plugin-10.0.22.87-1.el5.i386.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0519
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0520
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0521
http://www.redhat.com/security/updates/classification/#critical
http://www.adobe.com/support/security/bulletins/apsb09-01.html
http://www.adobe.com/products/flashplayer/

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFJpdwkXlSAg2UNWIIRAl8LAJ4pW0zXSt9hYvTGjOVYcc2qoOfafwCgvLc+
GhVQGINv4QMXgqYcMjP1Az8=
=/b9n
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Feb 26 00:03:13 2009
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 25 Feb 2009 19:03:13 -0500
Subject: [RHSA-2009:0334-01] Critical: flash-plugin security update
Message-ID: <200902260003.n1Q03DYU023756@int-mx1.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: flash-plugin security update
Advisory ID:       RHSA-2009:0334-01
Product:           Red Hat Enterprise Linux Extras
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2009-0334.html
Issue date:        2009-02-25
CVE Names:         CVE-2009-0519 CVE-2009-0520
=====================================================================

1. Summary:

An updated Adobe Flash Player package that fixes several security issues is now available for Red Hat Enterprise Linux 3 and 4 Extras.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 3 Extras - i386
Red Hat Desktop version 3 Extras - i386
Red Hat Enterprise Linux ES version 3 Extras - i386
Red Hat Enterprise Linux WS version 3 Extras - i386
Red Hat Enterprise Linux AS version 4 Extras - i386
Red Hat Desktop version 4 Extras - i386
Red Hat Enterprise Linux ES version 4 Extras - i386
Red Hat Enterprise Linux WS version 4 Extras - i386

3. Description:

The flash-plugin package contains a Firefox-compatible Adobe Flash Player Web browser plug-in.

Multiple input validation flaws were found in the way Flash Player displayed certain SWF (Shockwave Flash) content. An attacker could use these flaws to create a specially-crafted SWF file that could cause flash-plugin to crash, or, possibly, execute arbitrary code when the victim loaded a page containing the specially-crafted SWF content. (CVE-2009-0520, CVE-2009-0519)

All users of Adobe Flash Player should install this updated package, which upgrades Flash Player to version 9.0.159.0.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

487141 - CVE-2009-0519 flash-plugin: Input validation flaw (DoS)
487142 - CVE-2009-0520 flash-plugin: Buffer overflow (arbitrary code execution) via crafted SWF file.

6. Package List:

Red Hat Enterprise Linux AS version 3 Extras:

i386: flash-plugin-9.0.159.0-1.el3.with.oss.i386.rpm

Red Hat Desktop version 3 Extras:

i386: flash-plugin-9.0.159.0-1.el3.with.oss.i386.rpm

Red Hat Enterprise Linux ES version 3 Extras:

i386: flash-plugin-9.0.159.0-1.el3.with.oss.i386.rpm

Red Hat Enterprise Linux WS version 3 Extras:

i386: flash-plugin-9.0.159.0-1.el3.with.oss.i386.rpm

Red Hat Enterprise Linux AS version 4 Extras:

i386: flash-plugin-9.0.159.0-1.el4.i386.rpm

Red Hat Desktop version 4 Extras:

i386: flash-plugin-9.0.159.0-1.el4.i386.rpm

Red Hat Enterprise Linux ES version 4 Extras:

i386: flash-plugin-9.0.159.0-1.el4.i386.rpm

Red Hat Enterprise Linux WS version 4 Extras:

i386: flash-plugin-9.0.159.0-1.el4.i386.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0519
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0520
http://www.redhat.com/security/updates/classification/#critical
http://www.adobe.com/support/security/bulletins/apsb09-01.html
http://www.adobe.com/products/flashplayer/

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFJpdw0XlSAg2UNWIIRApxFAJ0eQA6G6c8ZVO8ocuKT0Gp5mnOMwwCgtn3D
OIrsYZT9hVUnhPh9leHQtc0=
=dNzf
-----END PGP SIGNATURE-----
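Editor's note on RHSA-2009:0332 (CVE-2009-0521) above: the advisory describes the weakness only as "an insecure RPATH set in the ELF header" that a local user with write access to the named directory can abuse. The script below is an added example, not Red Hat's or Adobe's code, of how to audit a binary for that condition. It parses the DT_RPATH/DT_RUNPATH tags out of an ELF file's .dynamic section with nothing but the standard library, then classifies each search-path element: empty or relative elements (the loader resolves them against the current directory), elements that expand to a directory that does not exist (whoever can create it owns the load path), and directories that are world-writable without the sticky bit. Because the real plug-in is not on this page, the demo builds a minimal constructed ELF64 image in a scratch directory; the file name libflashplayer.so and the directory layout are assumptions for the demonstration.

```python
"""Audit ELF DT_RPATH / DT_RUNPATH entries for writable or attacker-controllable
search-path elements, the class of weakness CVE-2009-0521 describes.
Added example; not Red Hat's or Adobe's code. The sample ELF is constructed."""
import os
import shutil
import stat
import struct
import tempfile

DT_NULL, DT_RPATH, DT_RUNPATH = 0, 15, 29
SHT_STRTAB, SHT_DYNAMIC = 3, 6


def elf_search_paths(data):
    """Return every DT_RPATH/DT_RUNPATH string in an ELF image (bytes).
    Walks the section headers for SHT_DYNAMIC and resolves path tags against
    the string table that section's sh_link points at."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    end = "<" if data[5] == 1 else ">"                 # EI_DATA: 1 = little-endian
    if data[4] == 2:                                    # EI_CLASS: 2 = ELF64
        (e_shoff,) = struct.unpack_from(end + "Q", data, 0x28)
        e_shentsize, e_shnum = struct.unpack_from(end + "HH", data, 0x3A)
        sh_fmt, dyn_fmt = end + "IIQQQQIIQQ", end + "qQ"
    else:                                               # ELF32
        (e_shoff,) = struct.unpack_from(end + "I", data, 0x20)
        e_shentsize, e_shnum = struct.unpack_from(end + "HH", data, 0x2E)
        sh_fmt, dyn_fmt = end + "IIIIIIIIII", end + "iI"
    shdrs = [struct.unpack_from(sh_fmt, data, e_shoff + i * e_shentsize)
             for i in range(e_shnum)]
    found = []
    for sh in shdrs:
        sh_type, sh_offset, sh_size, sh_link = sh[1], sh[4], sh[5], sh[6]
        if sh_type != SHT_DYNAMIC:
            continue
        str_off, str_size = shdrs[sh_link][4], shdrs[sh_link][5]
        step = struct.calcsize(dyn_fmt)
        for off in range(sh_offset, sh_offset + sh_size, step):
            tag, val = struct.unpack_from(dyn_fmt, data, off)
            if tag == DT_NULL:
                break
            if tag in (DT_RPATH, DT_RUNPATH):
                raw = data[str_off + val:str_off + str_size].split(b"\0", 1)[0]
                found.append(raw.decode())
    return found


def risky_entries(search_paths, origin_dir):
    """Map each dangerous path element to the reason it is dangerous."""
    findings = {}
    for rpath in search_paths:
        for entry in rpath.split(":"):
            expanded = entry.replace("${ORIGIN}", origin_dir).replace("$ORIGIN", origin_dir)
            if entry == "":
                findings[entry] = "empty element: the loader searches the current directory"
            elif not os.path.isabs(expanded):
                findings[entry] = "relative path: resolved against the current directory"
            elif not os.path.isdir(expanded):
                findings[entry] = "directory does not exist: whoever can create it controls the load path"
            else:
                mode = os.stat(expanded).st_mode
                if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
                    findings[entry] = "directory is world-writable"
    return findings


def scan_elf_file(path):
    """$ORIGIN is the directory holding the binary, so resolve it from the path."""
    with open(path, "rb") as f:
        data = f.read()
    return risky_entries(elf_search_paths(data), os.path.dirname(os.path.abspath(path)))


def build_sample_elf(rpath):
    """Constructed input: a minimal ELF64 with just a .dynstr and a .dynamic
    section carrying DT_RPATH; nothing here is loadable, only parseable."""
    dynstr = b"\0" + rpath.encode() + b"\0"
    dynstr_off = 64                                     # right after the ELF header
    dyn_off = dynstr_off + len(dynstr)
    dyn_off += -dyn_off % 8
    dynamic = struct.pack("<qQ", DT_RPATH, 1) + struct.pack("<qQ", DT_NULL, 0)
    shoff = dyn_off + len(dynamic)
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01", 3, 62, 1,
                       0, 0, shoff, 0, 64, 56, 0, 64, 3, 0)
    sh = "<IIQQQQIIQQ"
    shdrs = (struct.pack(sh, *([0] * 10))
             + struct.pack(sh, 0, SHT_STRTAB, 0, 0, dynstr_off, len(dynstr), 0, 0, 1, 0)
             + struct.pack(sh, 0, SHT_DYNAMIC, 0, 0, dyn_off, len(dynamic), 1, 0, 8, 16))
    img = bytearray(ehdr) + dynstr
    img += b"\0" * (dyn_off - len(img)) + dynamic
    return bytes(img + shdrs)


def demo():
    """Stage the scenario in a scratch directory: a plug-in whose RPATH names a
    world-writable directory, a missing $ORIGIN-relative directory, and '.'."""
    scratch = tempfile.mkdtemp(prefix="rpath-audit-")
    try:
        loose = os.path.join(scratch, "plugins")
        os.mkdir(loose)
        os.chmod(loose, 0o777)                          # the writable directory the advisory warns about
        plugin = os.path.join(scratch, "libflashplayer.so")   # assumed name; constructed sample
        with open(plugin, "wb") as f:
            f.write(build_sample_elf(loose + ":$ORIGIN/missing:."))
        return scan_elf_file(plugin)
    finally:
        shutil.rmtree(scratch, ignore_errors=True)


if __name__ == "__main__":
    for entry, why in demo().items():
        print("%s: %s" % (entry, why))
```

Run it against real binaries with scan_elf_file(path); the same three classes of finding apply to DT_RUNPATH, with the difference that DT_RPATH is consulted before LD_LIBRARY_PATH and DT_RUNPATH after it. The check only looks at the directory's own mode bits; a directory whose parent is writable is equally dangerous, which the "does not exist" branch covers for the missing-directory case.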
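Every advisory above ends in a package list and a "make sure that all previously-released errata ... have been applied" step, and the kernel advisory adds that the fix only takes effect after a reboot. The following added example, not Red Hat's code and not the rpm library, shows how to turn those lists into a compliance check: it reimplements rpm's version comparison (rpmvercmp: alternating numeric and alphabetic segments, numeric compared as integers, a numeric segment outranks an alphabetic one, '~' sorts before anything) plus epoch handling, extracts the fixed name-version-release for each package from the advisory text, and compares it against an inventory. The inventory lines and the running-kernel string are constructed sample data; on a real host they would come from rpm -qa with a NAME-VERSION-RELEASE query format and from uname -r.

```python
"""Check an installed package inventory against an RHSA package list.
Added example; not Red Hat's code. Pure-Python reimplementation of rpm's
version ordering so it runs without rpm-python; the inventory is constructed."""
import re

_ARCHES = "i386|i686|ia64|ppc64|ppc|s390x|s390|x86_64|noarch"
_PKG_RE = re.compile(r"(\S+?)\.(?:%s)\.rpm" % _ARCHES)   # skips .src.rpm on purpose


def _segment(s, i, kind):
    j = i
    while j < len(s) and kind(s[j]):
        j += 1
    return s[i:j]


def rpmvercmp(a, b):
    """rpm's label comparison: returns -1, 0 or 1 like the C original."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):   # skip separators
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        ta, tb = i < len(a) and a[i] == "~", j < len(b) and b[j] == "~"
        if ta or tb:                          # tilde sorts before everything, even end of string
            if not ta:
                return 1
            if not tb:
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        kind = str.isdigit if a[i].isdigit() else str.isalpha
        sa, sb = _segment(a, i, kind), _segment(b, j, kind)
        if not sb:                            # segment types differ: digits outrank letters
            return 1 if kind is str.isdigit else -1
        i, j = i + len(sa), j + len(sb)
        if kind is str.isdigit:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):            # longer numeric string is the larger number
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def parse_nevr(nevr):
    """Split 'name-[epoch:]version-release' into (name, epoch, version, release)."""
    name, version, release = nevr.rsplit("-", 2)
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    return name, epoch, version, release


def compare_nevr(a, b):
    na, ea, va, ra = parse_nevr(a)
    nb, eb, vb, rb = parse_nevr(b)
    if na != nb:
        raise ValueError("comparing different packages: %s vs %s" % (na, nb))
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def advisory_nevrs(text):
    """Highest fixed NEVR per package name found in an advisory's package list."""
    fixed = {}
    for nevr in _PKG_RE.findall(text):
        name = parse_nevr(nevr)[0]
        if name not in fixed or compare_nevr(nevr, fixed[name]) > 0:
            fixed[name] = nevr
    return fixed


def audit(installed, running_kernel, advisory_text):
    """Per advisory package: 'ok', 'vulnerable' or 'not installed'. The kernel is
    also compared against the running version, since the fix needs a reboot."""
    fixed = advisory_nevrs(advisory_text)
    newest = {}
    for nevr in installed:                    # several kernels may be installed; keep the newest
        name = parse_nevr(nevr)[0]
        if name not in newest or compare_nevr(nevr, newest[name]) > 0:
            newest[name] = nevr
    report = {}
    for name, fix in fixed.items():
        if name not in newest:
            report[name] = "not installed"
        else:
            report[name] = "ok" if compare_nevr(newest[name], fix) >= 0 else "vulnerable"
    if "kernel" in fixed and running_kernel:
        current = compare_nevr("kernel-" + running_kernel, fixed["kernel"]) >= 0
        report["kernel (running)"] = "ok" if current else "reboot required"
    return report


# Constructed excerpt in the shape of the package lists above.
SAMPLE_ADVISORY = """
x86_64: kernel-2.6.18-92.1.24.el5.x86_64.rpm kernel-devel-2.6.18-92.1.24.el5.x86_64.rpm
i386: cups-1.1.17-13.3.56.i386.rpm cups-libs-1.1.17-13.3.56.i386.rpm
"""
# Constructed inventory: new kernel installed but old one still running, cups behind.
SAMPLE_INSTALLED = ["kernel-2.6.18-92.1.22.el5", "kernel-2.6.18-92.1.24.el5",
                    "cups-1.1.17-13.3.50", "cups-libs-1.1.17-13.3.50"]
SAMPLE_RUNNING = "2.6.18-92.1.22.el5"

if __name__ == "__main__":
    for name, status in sorted(audit(SAMPLE_INSTALLED, SAMPLE_RUNNING, SAMPLE_ADVISORY).items()):
        print("%-20s %s" % (name, status))
```

The point of reimplementing the comparison rather than comparing strings is visible in the test cases: "13.3.56" is newer than "13.3.9" although it sorts earlier lexically, and "2002d" is newer than "2002c". Epochs, which the advisories on this page do not use, still take precedence over everything else when present.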