From bugzilla at redhat.com Thu Apr 1 03:00:23 2010
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 31 Mar 2010 23:00:23 -0400
Subject: [RHSA-2010:0337-01] Critical: java-1.6.0-sun security update
Message-ID: <201004010300.o3130NBZ031621@int-mx03.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: java-1.6.0-sun security update
Advisory ID:       RHSA-2010:0337-01
Product:           Red Hat Enterprise Linux Extras
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2010-0337.html
Issue date:        2010-03-31
CVE Names:         CVE-2009-3555 CVE-2010-0082 CVE-2010-0084 CVE-2010-0085
                   CVE-2010-0087 CVE-2010-0088 CVE-2010-0089 CVE-2010-0090
                   CVE-2010-0091 CVE-2010-0092 CVE-2010-0093 CVE-2010-0094
                   CVE-2010-0095 CVE-2010-0837 CVE-2010-0838 CVE-2010-0839
                   CVE-2010-0840 CVE-2010-0841 CVE-2010-0842 CVE-2010-0843
                   CVE-2010-0844 CVE-2010-0845 CVE-2010-0846 CVE-2010-0847
                   CVE-2010-0848 CVE-2010-0849
=====================================================================

1. Summary:

Updated java-1.6.0-sun packages that correct several security issues are
now available for Red Hat Enterprise Linux 4 Extras and 5 Supplementary.

The Red Hat Security Response Team has rated this update as having
critical security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

RHEL Desktop Supplementary (v. 5 client) - i386, x86_64
RHEL Supplementary (v. 5 server) - i386, x86_64
Red Hat Desktop version 4 Extras - i386, x86_64
Red Hat Enterprise Linux AS version 4 Extras - i386, x86_64
Red Hat Enterprise Linux ES version 4 Extras - i386, x86_64
Red Hat Enterprise Linux WS version 4 Extras - i386, x86_64

3. Description:

The Sun 1.6.0 Java release includes the Sun Java 6 Runtime Environment and
the Sun Java 6 Software Development Kit.

This update fixes several vulnerabilities in the Sun Java 6 Runtime
Environment and the Sun Java 6 Software Development Kit. Further
information about these flaws can be found on the "Oracle Java SE and Java
for Business Critical Patch Update Advisory" page, listed in the References
section. (CVE-2009-3555, CVE-2010-0082, CVE-2010-0084, CVE-2010-0085,
CVE-2010-0087, CVE-2010-0088, CVE-2010-0089, CVE-2010-0090, CVE-2010-0091,
CVE-2010-0092, CVE-2010-0093, CVE-2010-0094, CVE-2010-0095, CVE-2010-0837,
CVE-2010-0838, CVE-2010-0839, CVE-2010-0840, CVE-2010-0841, CVE-2010-0842,
CVE-2010-0843, CVE-2010-0844, CVE-2010-0845, CVE-2010-0846, CVE-2010-0847,
CVE-2010-0848, CVE-2010-0849)

For the CVE-2009-3555 issue, this update disables renegotiation in the Java
Secure Socket Extension (JSSE) component. Unsafe renegotiation can be
re-enabled using the sun.security.ssl.allowUnsafeRenegotiation property.
Refer to the following Knowledgebase article for details:

http://kbase.redhat.com/faq/docs/DOC-20491

Users of java-1.6.0-sun should upgrade to these updated packages, which
correct these issues. All running instances of Sun Java must be restarted
for the update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

533125 - CVE-2009-3555 TLS: MITM attacks via session renegotiation
575736 - CVE-2010-0082 OpenJDK Loader-constraint table allows arrays instead of only the base-classes (6626217)
575740 - CVE-2010-0084 OpenJDK Policy/PolicyFile leak dynamic ProtectionDomains. (6633872)
575747 - CVE-2010-0085 OpenJDK File TOCTOU deserialization vulnerability (6736390)
575755 - CVE-2010-0088 OpenJDK Inflater/Deflater clone issues (6745393)
575756 - CVE-2010-0091 OpenJDK Unsigned applet can retrieve the dragged information before drop action occurs (6887703)
575760 - CVE-2010-0092 OpenJDK AtomicReferenceArray causes SIGSEGV -> SEGV_MAPERR error (6888149)
575764 - CVE-2010-0093 OpenJDK System.arraycopy unable to reference elements beyond Integer.MAX_VALUE bytes (6892265)
575769 - CVE-2010-0094 OpenJDK Deserialization of RMIConnectionImpl objects should enforce stricter checks (6893947)
575772 - CVE-2010-0095 OpenJDK Subclasses of InetAddress may incorrectly interpret network addresses (6893954)
575775 - CVE-2010-0845 OpenJDK No ClassCastException for HashAttributeSet constructors if run with -Xcomp (6894807)
575808 - CVE-2010-0838 OpenJDK CMM readMabCurveData Buffer Overflow Vulnerability (6899653)
575818 - CVE-2010-0837 OpenJDK JAR "unpack200" must verify input parameters (6902299)
575846 - CVE-2010-0840 OpenJDK Applet Trusted Methods Chaining Privilege Escalation Vulnerability (6904691)
575854 - CVE-2010-0841 OpenJDK JPEGImageReader stepX Integer Overflow Vulnerability (6909597)
575865 - CVE-2010-0848 OpenJDK AWT Library Invalid Index Vulnerability (6914823)
575871 - CVE-2010-0847 OpenJDK ImagingLib arbitrary code execution vulnerability (6914866)
578430 - CVE-2010-0846 JDK unspecified vulnerability in ImageIO component
578432 - CVE-2010-0849 JDK unspecified vulnerability in Java2D component
578433 - CVE-2010-0087 JDK unspecified vulnerability in JWS/Plugin component
578436 - CVE-2010-0839 CVE-2010-0842 CVE-2010-0843 CVE-2010-0844 JDK multiple unspecified vulnerabilities
578437 - CVE-2010-0090 JDK unspecified vulnerability in JavaWS/Plugin component
578440 - CVE-2010-0089 JDK unspecified vulnerability in JavaWS/Plugin component

6. Package List:

Red Hat Enterprise Linux AS version 4 Extras:

i386:
java-1.6.0-sun-1.6.0.19-1jpp.1.el4.i586.rpm
java-1.6.0-sun-demo-1.6.0.19-1jpp.1.el4.i586.rpm
java-1.6.0-sun-devel-1.6.0.19-1jpp.1.el4.i586.rpm
java-1.6.0-sun-jdbc-1.6.0.19-1jpp.1.el4.i586.rpm
java-1.6.0-sun-plugin-1.6.0.19-1jpp.1.el4.i586.rpm
java-1.6.0-sun-src-1.6.0.19-1jpp.1.el4.i586.rpm

x86_64:
java-1.6.0-sun-1.6.0.19-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.19-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.19-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.19-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-plugin-1.6.0.19-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-src-1.6.0.19-1jpp.1.el4.x86_64.rpm

Red Hat Desktop version 4 Extras:

i386:
java-1.6.0-sun-1.6.0.19-1jpp.1.el4.i586.rpm
java-1.6.0-sun-demo-1.6.0.19-1jpp.1.el4.i586.rpm
java-1.6.0-sun-devel-1.6.0.19-1jpp.1.el4.i586.rpm
java-1.6.0-sun-jdbc-1.6.0.19-1jpp.1.el4.i586.rpm
java-1.6.0-sun-plugin-1.6.0.19-1jpp.1.el4.i586.rpm
java-1.6.0-sun-src-1.6.0.19-1jpp.1.el4.i586.rpm

x86_64:
java-1.6.0-sun-1.6.0.19-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.19-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.19-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.19-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-plugin-1.6.0.19-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-src-1.6.0.19-1jpp.1.el4.x86_64.rpm

Red Hat Enterprise Linux ES version 4 Extras:

i386:
java-1.6.0-sun-1.6.0.19-1jpp.1.el4.i586.rpm
java-1.6.0-sun-demo-1.6.0.19-1jpp.1.el4.i586.rpm
java-1.6.0-sun-devel-1.6.0.19-1jpp.1.el4.i586.rpm
java-1.6.0-sun-jdbc-1.6.0.19-1jpp.1.el4.i586.rpm
java-1.6.0-sun-plugin-1.6.0.19-1jpp.1.el4.i586.rpm
java-1.6.0-sun-src-1.6.0.19-1jpp.1.el4.i586.rpm

x86_64:
java-1.6.0-sun-1.6.0.19-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.19-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.19-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.19-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-plugin-1.6.0.19-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-src-1.6.0.19-1jpp.1.el4.x86_64.rpm

Red Hat Enterprise Linux WS version 4 Extras:

i386:
java-1.6.0-sun-1.6.0.19-1jpp.1.el4.i586.rpm
java-1.6.0-sun-demo-1.6.0.19-1jpp.1.el4.i586.rpm
java-1.6.0-sun-devel-1.6.0.19-1jpp.1.el4.i586.rpm
java-1.6.0-sun-jdbc-1.6.0.19-1jpp.1.el4.i586.rpm
java-1.6.0-sun-plugin-1.6.0.19-1jpp.1.el4.i586.rpm
java-1.6.0-sun-src-1.6.0.19-1jpp.1.el4.i586.rpm

x86_64:
java-1.6.0-sun-1.6.0.19-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.19-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.19-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.19-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-plugin-1.6.0.19-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-src-1.6.0.19-1jpp.1.el4.x86_64.rpm

RHEL Desktop Supplementary (v. 5 client):

i386:
java-1.6.0-sun-1.6.0.19-1jpp.1.el5.i586.rpm
java-1.6.0-sun-demo-1.6.0.19-1jpp.1.el5.i586.rpm
java-1.6.0-sun-devel-1.6.0.19-1jpp.1.el5.i586.rpm
java-1.6.0-sun-jdbc-1.6.0.19-1jpp.1.el5.i586.rpm
java-1.6.0-sun-plugin-1.6.0.19-1jpp.1.el5.i586.rpm
java-1.6.0-sun-src-1.6.0.19-1jpp.1.el5.i586.rpm

x86_64:
java-1.6.0-sun-1.6.0.19-1jpp.1.el5.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.19-1jpp.1.el5.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.19-1jpp.1.el5.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.19-1jpp.1.el5.x86_64.rpm
java-1.6.0-sun-plugin-1.6.0.19-1jpp.1.el5.i586.rpm
java-1.6.0-sun-plugin-1.6.0.19-1jpp.1.el5.x86_64.rpm
java-1.6.0-sun-src-1.6.0.19-1jpp.1.el5.x86_64.rpm

RHEL Supplementary (v. 5 server):

i386:
java-1.6.0-sun-1.6.0.19-1jpp.1.el5.i586.rpm
java-1.6.0-sun-demo-1.6.0.19-1jpp.1.el5.i586.rpm
java-1.6.0-sun-devel-1.6.0.19-1jpp.1.el5.i586.rpm
java-1.6.0-sun-jdbc-1.6.0.19-1jpp.1.el5.i586.rpm
java-1.6.0-sun-plugin-1.6.0.19-1jpp.1.el5.i586.rpm
java-1.6.0-sun-src-1.6.0.19-1jpp.1.el5.i586.rpm

x86_64:
java-1.6.0-sun-1.6.0.19-1jpp.1.el5.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.19-1jpp.1.el5.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.19-1jpp.1.el5.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.19-1jpp.1.el5.x86_64.rpm
java-1.6.0-sun-plugin-1.6.0.19-1jpp.1.el5.i586.rpm
java-1.6.0-sun-plugin-1.6.0.19-1jpp.1.el5.x86_64.rpm
java-1.6.0-sun-src-1.6.0.19-1jpp.1.el5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2009-3555.html
https://www.redhat.com/security/data/cve/CVE-2010-0082.html
https://www.redhat.com/security/data/cve/CVE-2010-0084.html
https://www.redhat.com/security/data/cve/CVE-2010-0085.html
https://www.redhat.com/security/data/cve/CVE-2010-0087.html
https://www.redhat.com/security/data/cve/CVE-2010-0088.html
https://www.redhat.com/security/data/cve/CVE-2010-0089.html
https://www.redhat.com/security/data/cve/CVE-2010-0090.html
https://www.redhat.com/security/data/cve/CVE-2010-0091.html
https://www.redhat.com/security/data/cve/CVE-2010-0092.html
https://www.redhat.com/security/data/cve/CVE-2010-0093.html
https://www.redhat.com/security/data/cve/CVE-2010-0094.html
https://www.redhat.com/security/data/cve/CVE-2010-0095.html
https://www.redhat.com/security/data/cve/CVE-2010-0837.html
https://www.redhat.com/security/data/cve/CVE-2010-0838.html
https://www.redhat.com/security/data/cve/CVE-2010-0839.html
https://www.redhat.com/security/data/cve/CVE-2010-0840.html
https://www.redhat.com/security/data/cve/CVE-2010-0841.html
https://www.redhat.com/security/data/cve/CVE-2010-0842.html
https://www.redhat.com/security/data/cve/CVE-2010-0843.html
https://www.redhat.com/security/data/cve/CVE-2010-0844.html
https://www.redhat.com/security/data/cve/CVE-2010-0845.html
https://www.redhat.com/security/data/cve/CVE-2010-0846.html
https://www.redhat.com/security/data/cve/CVE-2010-0847.html
https://www.redhat.com/security/data/cve/CVE-2010-0848.html
https://www.redhat.com/security/data/cve/CVE-2010-0849.html
http://www.redhat.com/security/updates/classification/#critical
http://kbase.redhat.com/faq/docs/DOC-20491
http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html

8. Contact:

The Red Hat security contact is . More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2010 Red Hat, Inc.

From bugzilla at redhat.com Thu Apr 1 03:16:33 2010
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 31 Mar 2010 23:16:33 -0400
Subject: [RHSA-2010:0338-01] Critical: java-1.5.0-sun security update
Message-ID: <201004010316.o313GXsC014368@int-mx04.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: java-1.5.0-sun security update
Advisory ID:       RHSA-2010:0338-01
Product:           Red Hat Enterprise Linux Extras
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2010-0338.html
Issue date:        2010-03-31
Keywords:          Security
CVE Names:         CVE-2009-3555 CVE-2010-0082 CVE-2010-0084 CVE-2010-0085
                   CVE-2010-0087 CVE-2010-0088 CVE-2010-0089 CVE-2010-0091
                   CVE-2010-0092 CVE-2010-0093 CVE-2010-0094 CVE-2010-0095
                   CVE-2010-0837 CVE-2010-0838 CVE-2010-0839 CVE-2010-0840
                   CVE-2010-0841 CVE-2010-0842 CVE-2010-0843 CVE-2010-0844
                   CVE-2010-0845 CVE-2010-0846 CVE-2010-0847 CVE-2010-0848
                   CVE-2010-0849
=====================================================================

1. Summary:

The java-1.5.0-sun packages as shipped in Red Hat Enterprise Linux 4
Extras and 5 Supplementary contain security flaws and should not be used.

The Red Hat Security Response Team has rated this update as having
critical security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

RHEL Desktop Supplementary (v. 5 client) - i386, x86_64
RHEL Supplementary (v. 5 server) - i386, x86_64
RHEL Supplementary (v. 5.2.Z server) - i386, x86_64
RHEL Supplementary (v. 5.3.Z server) - i386, x86_64
Red Hat Desktop version 4 Extras - i386, x86_64
Red Hat Enterprise Linux AS version 4 Extras - i386, x86_64
Red Hat Enterprise Linux AS version 4.7.z Extras - i386, x86_64
Red Hat Enterprise Linux ES version 4 Extras - i386, x86_64
Red Hat Enterprise Linux ES version 4.7.z Extras - i386, x86_64
Red Hat Enterprise Linux WS version 4 Extras - i386, x86_64

3. Description:

The Sun 1.5.0 Java release includes the Sun Java 5 Runtime Environment and
the Sun Java 5 Software Development Kit.

The java-1.5.0-sun packages are vulnerable to a number of security flaws
and should no longer be used. (CVE-2009-3555, CVE-2010-0082, CVE-2010-0084,
CVE-2010-0085, CVE-2010-0087, CVE-2010-0088, CVE-2010-0089, CVE-2010-0091,
CVE-2010-0092, CVE-2010-0093, CVE-2010-0094, CVE-2010-0095, CVE-2010-0837,
CVE-2010-0838, CVE-2010-0839, CVE-2010-0840, CVE-2010-0841, CVE-2010-0842,
CVE-2010-0843, CVE-2010-0844, CVE-2010-0845, CVE-2010-0846, CVE-2010-0847,
CVE-2010-0848, CVE-2010-0849)

The Sun Java SE Release family 5.0 reached its End of Service Life on
November 3, 2009. The RHSA-2009:1571 update provided the final publicly
available update of version 5.0 (Update 22).

Users interested in continuing to receive critical fixes for Sun Java SE
5.0 should contact Oracle:

http://www.sun.com/software/javaforbusiness/index.jsp

An alternative to Sun Java SE 5.0 is the Java 2 Technology Edition of the
IBM Developer Kit for Linux, which is available from the Extras and
Supplementary channels on the Red Hat Network.

Applications capable of using the Java 6 runtime can be migrated to Java 6
on: OpenJDK (java-1.6.0-openjdk), an open source JDK included in Red Hat
Enterprise Linux 5, since 5.3; the IBM JDK, java-1.6.0-ibm; or the Sun JDK,
java-1.6.0-sun.

This update removes the java-1.5.0-sun packages as they have reached their
End of Service Life.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

533125 - CVE-2009-3555 TLS: MITM attacks via session renegotiation
575736 - CVE-2010-0082 OpenJDK Loader-constraint table allows arrays instead of only the base-classes (6626217)
575740 - CVE-2010-0084 OpenJDK Policy/PolicyFile leak dynamic ProtectionDomains. (6633872)
575747 - CVE-2010-0085 OpenJDK File TOCTOU deserialization vulnerability (6736390)
575755 - CVE-2010-0088 OpenJDK Inflater/Deflater clone issues (6745393)
575756 - CVE-2010-0091 OpenJDK Unsigned applet can retrieve the dragged information before drop action occurs (6887703)
575760 - CVE-2010-0092 OpenJDK AtomicReferenceArray causes SIGSEGV -> SEGV_MAPERR error (6888149)
575764 - CVE-2010-0093 OpenJDK System.arraycopy unable to reference elements beyond Integer.MAX_VALUE bytes (6892265)
575769 - CVE-2010-0094 OpenJDK Deserialization of RMIConnectionImpl objects should enforce stricter checks (6893947)
575772 - CVE-2010-0095 OpenJDK Subclasses of InetAddress may incorrectly interpret network addresses (6893954)
575775 - CVE-2010-0845 OpenJDK No ClassCastException for HashAttributeSet constructors if run with -Xcomp (6894807)
575808 - CVE-2010-0838 OpenJDK CMM readMabCurveData Buffer Overflow Vulnerability (6899653)
575818 - CVE-2010-0837 OpenJDK JAR "unpack200" must verify input parameters (6902299)
575846 - CVE-2010-0840 OpenJDK Applet Trusted Methods Chaining Privilege Escalation Vulnerability (6904691)
575854 - CVE-2010-0841 OpenJDK JPEGImageReader stepX Integer Overflow Vulnerability (6909597)
575865 - CVE-2010-0848 OpenJDK AWT Library Invalid Index Vulnerability (6914823)
575871 - CVE-2010-0847 OpenJDK ImagingLib arbitrary code execution vulnerability (6914866)
578430 - CVE-2010-0846 JDK unspecified vulnerability in ImageIO component
578432 - CVE-2010-0849 JDK unspecified vulnerability in Java2D component
578433 - CVE-2010-0087 JDK unspecified vulnerability in JWS/Plugin component
578436 - CVE-2010-0839 CVE-2010-0842 CVE-2010-0843 CVE-2010-0844 JDK multiple unspecified vulnerabilities
578440 - CVE-2010-0089 JDK unspecified vulnerability in JavaWS/Plugin component

6. Package List:

Red Hat Enterprise Linux AS version 4.7.z Extras:

i386:
java-1.5.0-sun-uninstall-1.5.0.22-1jpp.3.el4.i586.rpm

x86_64:
java-1.5.0-sun-uninstall-1.5.0.22-1jpp.3.el4.x86_64.rpm

Red Hat Enterprise Linux AS version 4 Extras:

i386:
java-1.5.0-sun-uninstall-1.5.0.22-1jpp.3.el4.i586.rpm

x86_64:
java-1.5.0-sun-uninstall-1.5.0.22-1jpp.3.el4.x86_64.rpm

Red Hat Desktop version 4 Extras:

i386:
java-1.5.0-sun-uninstall-1.5.0.22-1jpp.3.el4.i586.rpm

x86_64:
java-1.5.0-sun-uninstall-1.5.0.22-1jpp.3.el4.x86_64.rpm

Red Hat Enterprise Linux ES version 4.7.z Extras:

i386:
java-1.5.0-sun-uninstall-1.5.0.22-1jpp.3.el4.i586.rpm

x86_64:
java-1.5.0-sun-uninstall-1.5.0.22-1jpp.3.el4.x86_64.rpm

Red Hat Enterprise Linux ES version 4 Extras:

i386:
java-1.5.0-sun-uninstall-1.5.0.22-1jpp.3.el4.i586.rpm

x86_64:
java-1.5.0-sun-uninstall-1.5.0.22-1jpp.3.el4.x86_64.rpm

Red Hat Enterprise Linux WS version 4 Extras:

i386:
java-1.5.0-sun-uninstall-1.5.0.22-1jpp.3.el4.i586.rpm

x86_64:
java-1.5.0-sun-uninstall-1.5.0.22-1jpp.3.el4.x86_64.rpm

RHEL Desktop Supplementary (v. 5 client):

i386:
java-1.5.0-sun-uninstall-1.5.0.22-1jpp.3.el5.i586.rpm

x86_64:
java-1.5.0-sun-uninstall-1.5.0.22-1jpp.3.el5.x86_64.rpm

RHEL Supplementary (v. 5 server):

i386:
java-1.5.0-sun-uninstall-1.5.0.22-1jpp.3.el5.i586.rpm

x86_64:
java-1.5.0-sun-uninstall-1.5.0.22-1jpp.3.el5.x86_64.rpm

RHEL Supplementary (v. 5.2.Z server):

i386:
java-1.5.0-sun-uninstall-1.5.0.22-1jpp.3.el5.i586.rpm

x86_64:
java-1.5.0-sun-uninstall-1.5.0.22-1jpp.3.el5.x86_64.rpm

RHEL Supplementary (v. 5.3.Z server):

i386:
java-1.5.0-sun-uninstall-1.5.0.22-1jpp.3.el5.i586.rpm

x86_64:
java-1.5.0-sun-uninstall-1.5.0.22-1jpp.3.el5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2009-3555.html
https://www.redhat.com/security/data/cve/CVE-2010-0082.html
https://www.redhat.com/security/data/cve/CVE-2010-0084.html
https://www.redhat.com/security/data/cve/CVE-2010-0085.html
https://www.redhat.com/security/data/cve/CVE-2010-0087.html
https://www.redhat.com/security/data/cve/CVE-2010-0088.html
https://www.redhat.com/security/data/cve/CVE-2010-0089.html
https://www.redhat.com/security/data/cve/CVE-2010-0091.html
https://www.redhat.com/security/data/cve/CVE-2010-0092.html
https://www.redhat.com/security/data/cve/CVE-2010-0093.html
https://www.redhat.com/security/data/cve/CVE-2010-0094.html
https://www.redhat.com/security/data/cve/CVE-2010-0095.html
https://www.redhat.com/security/data/cve/CVE-2010-0837.html
https://www.redhat.com/security/data/cve/CVE-2010-0838.html
https://www.redhat.com/security/data/cve/CVE-2010-0839.html
https://www.redhat.com/security/data/cve/CVE-2010-0840.html
https://www.redhat.com/security/data/cve/CVE-2010-0841.html
https://www.redhat.com/security/data/cve/CVE-2010-0842.html
https://www.redhat.com/security/data/cve/CVE-2010-0843.html
https://www.redhat.com/security/data/cve/CVE-2010-0844.html
https://www.redhat.com/security/data/cve/CVE-2010-0845.html
https://www.redhat.com/security/data/cve/CVE-2010-0846.html
https://www.redhat.com/security/data/cve/CVE-2010-0847.html
https://www.redhat.com/security/data/cve/CVE-2010-0848.html
https://www.redhat.com/security/data/cve/CVE-2010-0849.html
http://www.redhat.com/security/updates/classification/#critical
http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html

8. Contact:

The Red Hat security contact is . More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2010 Red Hat, Inc.
From bugzilla at redhat.com Thu Apr 1 03:16:59 2010
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 31 Mar 2010 23:16:59 -0400
Subject: [RHSA-2010:0339-01] Important: java-1.6.0-openjdk security update
Message-ID: <201004010316.o313GxXO007328@int-mx05.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: java-1.6.0-openjdk security update
Advisory ID:       RHSA-2010:0339-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2010-0339.html
Issue date:        2010-03-31
CVE Names:         CVE-2009-3555 CVE-2010-0082 CVE-2010-0084 CVE-2010-0085
                   CVE-2010-0088 CVE-2010-0091 CVE-2010-0092 CVE-2010-0093
                   CVE-2010-0094 CVE-2010-0095 CVE-2010-0837 CVE-2010-0838
                   CVE-2010-0840 CVE-2010-0845 CVE-2010-0847 CVE-2010-0848
=====================================================================

1. Summary:

Updated java-1.6.0-openjdk packages that fix several security issues are
now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux (v. 5 server) - i386, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64

3. Description:

These packages provide the OpenJDK 6 Java Runtime Environment and the
OpenJDK 6 Software Development Kit. The Java Runtime Environment (JRE)
contains the software and tools that users need to run applications
written using the Java programming language.
A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure
Sockets Layer) protocols handle session renegotiation. A man-in-the-middle
attacker could use this flaw to prefix arbitrary plain text to a client's
session (for example, an HTTPS connection to a website). This could force
the server to process an attacker's request as if authenticated using the
victim's credentials. (CVE-2009-3555)

This update disables renegotiation in the Java Secure Socket Extension
(JSSE) component. Unsafe renegotiation can be re-enabled using the
sun.security.ssl.allowUnsafeRenegotiation property. Refer to the following
Knowledgebase article for details:

http://kbase.redhat.com/faq/docs/DOC-20491

A number of flaws have been fixed in the Java Virtual Machine (JVM) and in
various Java class implementations. These flaws could allow an unsigned
applet or application to bypass intended access restrictions.
(CVE-2010-0082, CVE-2010-0084, CVE-2010-0085, CVE-2010-0088, CVE-2010-0094)

An untrusted applet could access clipboard information if a drag operation
was performed over that applet's canvas. This could lead to an information
leak. (CVE-2010-0091)

The rawIndex operation incorrectly handled large values, causing the
corruption of internal memory structures, resulting in an untrusted applet
or application crashing. (CVE-2010-0092)

The System.arraycopy operation incorrectly handled large index values,
potentially causing array corruption in an untrusted applet or
application. (CVE-2010-0093)

Subclasses of InetAddress may incorrectly interpret network addresses,
allowing an untrusted applet or application to bypass network access
restrictions. (CVE-2010-0095)

In certain cases, type assignments could result in "non-exact" interface
types. This could be used to bypass type-safety restrictions.
(CVE-2010-0845)

A buffer overflow flaw in LittleCMS (embedded in OpenJDK) could cause an
untrusted applet or application using color profiles from untrusted sources
to crash. (CVE-2010-0838)

An input validation flaw was found in the JRE unpack200 functionality. An
untrusted applet or application could use this flaw to elevate its
privileges. (CVE-2010-0837)

Deferred calls to trusted applet methods could be granted incorrect
permissions, allowing an untrusted applet or application to extend its
privileges. (CVE-2010-0840)

A missing input validation flaw in the JRE could allow an attacker to crash
an untrusted applet or application. (CVE-2010-0848)

A flaw in Java2D could allow an attacker to execute arbitrary code with the
privileges of a user running an untrusted applet or application that uses
Java2D. (CVE-2010-0847)

Note: The flaws concerning applets in this advisory, CVE-2010-0082,
CVE-2010-0084, CVE-2010-0085, CVE-2010-0088, CVE-2010-0091, CVE-2010-0092,
CVE-2010-0093, CVE-2010-0094, CVE-2010-0095, CVE-2010-0837, CVE-2010-0838,
CVE-2010-0840, CVE-2010-0847, and CVE-2010-0848, can only be triggered in
java-1.6.0-openjdk by calling the "appletviewer" application.

This update also provides three defense in depth patches. (BZ#575745,
BZ#575861, BZ#575789)

All users of java-1.6.0-openjdk are advised to upgrade to these updated
packages, which resolve these issues. All running instances of OpenJDK Java
must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

533125 - CVE-2009-3555 TLS: MITM attacks via session renegotiation
575736 - CVE-2010-0082 OpenJDK Loader-constraint table allows arrays instead of only the base-classes (6626217)
575740 - CVE-2010-0084 OpenJDK Policy/PolicyFile leak dynamic ProtectionDomains. (6633872)
575747 - CVE-2010-0085 OpenJDK File TOCTOU deserialization vulnerability (6736390)
575755 - CVE-2010-0088 OpenJDK Inflater/Deflater clone issues (6745393)
575756 - CVE-2010-0091 OpenJDK Unsigned applet can retrieve the dragged information before drop action occurs (6887703)
575760 - CVE-2010-0092 OpenJDK AtomicReferenceArray causes SIGSEGV -> SEGV_MAPERR error (6888149)
575764 - CVE-2010-0093 OpenJDK System.arraycopy unable to reference elements beyond Integer.MAX_VALUE bytes (6892265)
575769 - CVE-2010-0094 OpenJDK Deserialization of RMIConnectionImpl objects should enforce stricter checks (6893947)
575772 - CVE-2010-0095 OpenJDK Subclasses of InetAddress may incorrectly interpret network addresses (6893954)
575775 - CVE-2010-0845 OpenJDK No ClassCastException for HashAttributeSet constructors if run with -Xcomp (6894807)
575808 - CVE-2010-0838 OpenJDK CMM readMabCurveData Buffer Overflow Vulnerability (6899653)
575818 - CVE-2010-0837 OpenJDK JAR "unpack200" must verify input parameters (6902299)
575846 - CVE-2010-0840 OpenJDK Applet Trusted Methods Chaining Privilege Escalation Vulnerability (6904691)
575865 - CVE-2010-0848 OpenJDK AWT Library Invalid Index Vulnerability (6914823)
575871 - CVE-2010-0847 OpenJDK ImagingLib arbitrary code execution vulnerability (6914866)

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/java-1.6.0-openjdk-1.6.0.0-1.11.b16.el5.src.rpm

i386:
java-1.6.0-openjdk-1.6.0.0-1.11.b16.el5.i386.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.0-1.11.b16.el5.i386.rpm
java-1.6.0-openjdk-demo-1.6.0.0-1.11.b16.el5.i386.rpm
java-1.6.0-openjdk-devel-1.6.0.0-1.11.b16.el5.i386.rpm
java-1.6.0-openjdk-javadoc-1.6.0.0-1.11.b16.el5.i386.rpm
java-1.6.0-openjdk-src-1.6.0.0-1.11.b16.el5.i386.rpm

x86_64:
java-1.6.0-openjdk-1.6.0.0-1.11.b16.el5.x86_64.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.0-1.11.b16.el5.x86_64.rpm
java-1.6.0-openjdk-demo-1.6.0.0-1.11.b16.el5.x86_64.rpm
java-1.6.0-openjdk-devel-1.6.0.0-1.11.b16.el5.x86_64.rpm
java-1.6.0-openjdk-javadoc-1.6.0.0-1.11.b16.el5.x86_64.rpm
java-1.6.0-openjdk-src-1.6.0.0-1.11.b16.el5.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/java-1.6.0-openjdk-1.6.0.0-1.11.b16.el5.src.rpm

i386:
java-1.6.0-openjdk-1.6.0.0-1.11.b16.el5.i386.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.0-1.11.b16.el5.i386.rpm
java-1.6.0-openjdk-demo-1.6.0.0-1.11.b16.el5.i386.rpm
java-1.6.0-openjdk-devel-1.6.0.0-1.11.b16.el5.i386.rpm
java-1.6.0-openjdk-javadoc-1.6.0.0-1.11.b16.el5.i386.rpm
java-1.6.0-openjdk-src-1.6.0.0-1.11.b16.el5.i386.rpm

x86_64:
java-1.6.0-openjdk-1.6.0.0-1.11.b16.el5.x86_64.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.0-1.11.b16.el5.x86_64.rpm
java-1.6.0-openjdk-demo-1.6.0.0-1.11.b16.el5.x86_64.rpm
java-1.6.0-openjdk-devel-1.6.0.0-1.11.b16.el5.x86_64.rpm
java-1.6.0-openjdk-javadoc-1.6.0.0-1.11.b16.el5.x86_64.rpm
java-1.6.0-openjdk-src-1.6.0.0-1.11.b16.el5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2009-3555.html
https://www.redhat.com/security/data/cve/CVE-2010-0082.html
https://www.redhat.com/security/data/cve/CVE-2010-0084.html
https://www.redhat.com/security/data/cve/CVE-2010-0085.html
https://www.redhat.com/security/data/cve/CVE-2010-0088.html
https://www.redhat.com/security/data/cve/CVE-2010-0091.html
https://www.redhat.com/security/data/cve/CVE-2010-0092.html
https://www.redhat.com/security/data/cve/CVE-2010-0093.html
https://www.redhat.com/security/data/cve/CVE-2010-0094.html
https://www.redhat.com/security/data/cve/CVE-2010-0095.html
https://www.redhat.com/security/data/cve/CVE-2010-0837.html
https://www.redhat.com/security/data/cve/CVE-2010-0838.html
https://www.redhat.com/security/data/cve/CVE-2010-0840.html
https://www.redhat.com/security/data/cve/CVE-2010-0845.html
https://www.redhat.com/security/data/cve/CVE-2010-0847.html
https://www.redhat.com/security/data/cve/CVE-2010-0848.html
http://www.redhat.com/security/updates/classification/#important
http://kbase.redhat.com/faq/docs/DOC-20491

8. Contact:

The Red Hat security contact is . More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2010 Red Hat, Inc.
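Added here as a defender's check, not code from Red Hat or from these advisories: a Python audit that compares `rpm -qa` output against the fixed java-1.6.0-sun and java-1.6.0-openjdk builds named in the package lists of RHSA-2010:0337 and RHSA-2010:0339 above, and flags any java-1.5.0-sun package still installed, since RHSA-2010:0338 retires that package instead of fixing it. It reimplements rpm's version comparison so it runs without the rpm Python bindings; the installed-package lines it reads are constructed, and the epoch is assumed equal because the advisory lists carry none.

```python
"""Audit rpm -qa output against the fixed Java builds in RHSA-2010:0337
(java-1.6.0-sun) and RHSA-2010:0339 (java-1.6.0-openjdk), and flag any
java-1.5.0-sun package, which RHSA-2010:0338 retires rather than fixes."""
import re

# Fixed (version, release) pairs copied from the advisory package lists,
# one per dist tag because the el4 and el5 builds differ only in that tag.
FIXED = {
    "java-1.6.0-sun": [("1.6.0.19", "1jpp.1.el4"), ("1.6.0.19", "1jpp.1.el5")],
    "java-1.6.0-openjdk": [("1.6.0.0", "1.11.b16.el5")],
}
# RHSA-2010:0338 ships no fixed build: any java-1.5.0-sun package is a
# finding, except the uninstall package the advisory itself uses to remove it.
BANNED = {"java-1.5.0-sun"}
REMOVAL_PKGS = {"java-1.5.0-sun-uninstall"}


def rpmvercmp(a, b):
    """rpm's rpmvercmp(): split into digit runs and letter runs; digit runs
    compare as integers, letter runs as strings, a digit run beats a letter
    run, and the string with segments left over is newer. The '~' and '^'
    rules are omitted: the rpm shipped with RHEL 4/5 predates them."""
    if a == b:
        return 0
    i = j = 0
    while True:
        while i < len(a) and not a[i].isalnum():
            i += 1                      # skip separators such as '.', '_', '-'
        while j < len(b) and not b[j].isalnum():
            j += 1
        if i >= len(a) or j >= len(b):
            break
        pat = r"\d+" if a[i].isdigit() else r"[A-Za-z]+"
        ma, mb = re.match(pat, a[i:]), re.match(pat, b[j:])
        if mb is None:                  # segment types differ: numeric is newer
            return 1 if pat == r"\d+" else -1
        sa, sb = ma.group(0), mb.group(0)
        i, j = i + len(sa), j + len(sb)
        if pat == r"\d+":
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):      # more digits means a larger number
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return 1 if i < len(a) else -1


def parse_nevra(line):
    """Split 'name-version-release.arch' into (name, version, release)."""
    name, version, rel_arch = line.strip().rsplit("-", 2)
    return name, version, rel_arch.rsplit(".", 1)[0]


def base_package(name):
    """Map a sub-package such as java-1.6.0-sun-plugin to its source package."""
    for base in sorted(set(FIXED) | BANNED, key=len, reverse=True):
        if name == base or name.startswith(base + "-"):
            return base
    return None


def check_package(line):
    """Return (nevra, status, detail); status is 'ok', 'vulnerable',
    'banned', 'not-covered' or 'unknown-dist'."""
    name, version, release = parse_nevra(line)
    base = base_package(name)
    if base is None:
        return line, "not-covered", "not part of these advisories"
    if base in BANNED:
        if name in REMOVAL_PKGS:
            return line, "ok", "removal package from RHSA-2010:0338"
        return line, "banned", "End of Service Life; remove per RHSA-2010:0338"
    dist = release.rsplit(".", 1)[-1]   # 'el4' or 'el5'
    for fver, frel in FIXED[base]:
        if frel.rsplit(".", 1)[-1] != dist:
            continue
        # label comparison: version decides, release only breaks a tie
        if (rpmvercmp(version, fver) or rpmvercmp(release, frel)) < 0:
            return line, "vulnerable", "fixed in %s-%s-%s" % (base, fver, frel)
        return line, "ok", "at or above %s-%s" % (fver, frel)
    return line, "unknown-dist", "no fixed build listed for %r" % dist


def audit(rpm_qa_output):
    return [check_package(l) for l in rpm_qa_output.splitlines() if l.strip()]


# Constructed output of: rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n'
# The two outdated builds are invented to exercise the comparison.
SAMPLE = """\
java-1.6.0-sun-1.6.0.17-1jpp.2.el5.x86_64
java-1.6.0-sun-plugin-1.6.0.19-1jpp.1.el5.i586
java-1.6.0-sun-devel-1.6.0.19-1jpp.1.el4.i586
java-1.6.0-openjdk-1.6.0.0-1.7.b09.el5.x86_64
java-1.5.0-sun-1.5.0.22-1jpp.1.el5.x86_64
java-1.5.0-sun-uninstall-1.5.0.22-1jpp.3.el5.x86_64
bash-3.2-24.el5.x86_64
"""

if __name__ == "__main__":
    for nevra, status, detail in audit(SAMPLE):
        print("%-12s %-52s %s" % (status, nevra, detail))
```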
From bugzilla at redhat.com Tue Apr 6 23:11:03 2010
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 6 Apr 2010 17:11:03 -0600
Subject: [RHSA-2010:0342-01] Important: kernel security and bug fix update
Message-ID: <201004062311.o36NB3UV027227@int-mx08.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: kernel security and bug fix update
Advisory ID:       RHSA-2010:0342-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2010-0342.html
Issue date:        2010-04-06
CVE Names:         CVE-2010-0008
=====================================================================

1. Summary:

Updated kernel packages that fix one security issue and one bug are now
available for Red Hat Enterprise Linux 4.7 Extended Update Support.

The Red Hat Security Response Team has rated this update as having
important security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4.7.z - i386, ia64, noarch, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux ES version 4.7.z - i386, ia64, noarch, x86_64

3. Description:

The kernel packages contain the Linux kernel, the core of any Linux
operating system.

This update fixes the following security issue:

* a flaw was found in the sctp_rcv_ootb() function in the Linux kernel
Stream Control Transmission Protocol (SCTP) implementation. A remote
attacker could send a specially-crafted SCTP packet to a target system,
resulting in a denial of service.
(CVE-2010-0008, Important) This update also fixes the following bug: * the fix for CVE-2009-4538 provided by RHSA-2010:0111 introduced a regression, preventing Wake on LAN (WoL) working for network devices using the Intel PRO/1000 Linux driver, e1000e. Attempting to configure WoL for such devices resulted in the following error, even when configuring valid options: "Cannot set new wake-on-lan settings: Operation not supported not setting wol" This update resolves this regression, and WoL now works as expected for network devices using the e1000e driver. (BZ#565495) Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259 5. Bugs fixed (http://bugzilla.redhat.com/): 555658 - CVE-2010-0008 kernel: sctp remote denial of service 565495 - e1000e: wol is broken in kernel 2.6.9-89.19 [rhel-4.7.z] 6. 
Package List: Red Hat Enterprise Linux AS version 4.7.z: Source: kernel-2.6.9-78.0.30.EL.src.rpm kernel-2.6.9-78.0.30.EL.src.rpm i386: kernel-2.6.9-78.0.30.EL.i686.rpm kernel-2.6.9-78.0.30.EL.i686.rpm kernel-debuginfo-2.6.9-78.0.30.EL.i686.rpm kernel-debuginfo-2.6.9-78.0.30.EL.i686.rpm kernel-devel-2.6.9-78.0.30.EL.i686.rpm kernel-devel-2.6.9-78.0.30.EL.i686.rpm kernel-hugemem-2.6.9-78.0.30.EL.i686.rpm kernel-hugemem-2.6.9-78.0.30.EL.i686.rpm kernel-hugemem-devel-2.6.9-78.0.30.EL.i686.rpm kernel-hugemem-devel-2.6.9-78.0.30.EL.i686.rpm kernel-smp-2.6.9-78.0.30.EL.i686.rpm kernel-smp-2.6.9-78.0.30.EL.i686.rpm kernel-smp-devel-2.6.9-78.0.30.EL.i686.rpm kernel-smp-devel-2.6.9-78.0.30.EL.i686.rpm kernel-xenU-2.6.9-78.0.30.EL.i686.rpm kernel-xenU-2.6.9-78.0.30.EL.i686.rpm kernel-xenU-devel-2.6.9-78.0.30.EL.i686.rpm kernel-xenU-devel-2.6.9-78.0.30.EL.i686.rpm ia64: kernel-2.6.9-78.0.30.EL.ia64.rpm kernel-2.6.9-78.0.30.EL.ia64.rpm kernel-debuginfo-2.6.9-78.0.30.EL.ia64.rpm kernel-debuginfo-2.6.9-78.0.30.EL.ia64.rpm kernel-devel-2.6.9-78.0.30.EL.ia64.rpm kernel-devel-2.6.9-78.0.30.EL.ia64.rpm kernel-largesmp-2.6.9-78.0.30.EL.ia64.rpm kernel-largesmp-2.6.9-78.0.30.EL.ia64.rpm kernel-largesmp-devel-2.6.9-78.0.30.EL.ia64.rpm kernel-largesmp-devel-2.6.9-78.0.30.EL.ia64.rpm noarch: kernel-doc-2.6.9-78.0.30.EL.noarch.rpm kernel-doc-2.6.9-78.0.30.EL.noarch.rpm ppc: kernel-2.6.9-78.0.30.EL.ppc64.rpm kernel-2.6.9-78.0.30.EL.ppc64.rpm kernel-2.6.9-78.0.30.EL.ppc64iseries.rpm kernel-2.6.9-78.0.30.EL.ppc64iseries.rpm kernel-debuginfo-2.6.9-78.0.30.EL.ppc64.rpm kernel-debuginfo-2.6.9-78.0.30.EL.ppc64.rpm kernel-debuginfo-2.6.9-78.0.30.EL.ppc64iseries.rpm kernel-debuginfo-2.6.9-78.0.30.EL.ppc64iseries.rpm kernel-devel-2.6.9-78.0.30.EL.ppc64.rpm kernel-devel-2.6.9-78.0.30.EL.ppc64.rpm kernel-devel-2.6.9-78.0.30.EL.ppc64iseries.rpm kernel-devel-2.6.9-78.0.30.EL.ppc64iseries.rpm kernel-largesmp-2.6.9-78.0.30.EL.ppc64.rpm kernel-largesmp-2.6.9-78.0.30.EL.ppc64.rpm 
kernel-largesmp-devel-2.6.9-78.0.30.EL.ppc64.rpm kernel-largesmp-devel-2.6.9-78.0.30.EL.ppc64.rpm s390: kernel-2.6.9-78.0.30.EL.s390.rpm kernel-2.6.9-78.0.30.EL.s390.rpm kernel-debuginfo-2.6.9-78.0.30.EL.s390.rpm kernel-debuginfo-2.6.9-78.0.30.EL.s390.rpm kernel-devel-2.6.9-78.0.30.EL.s390.rpm kernel-devel-2.6.9-78.0.30.EL.s390.rpm s390x: kernel-2.6.9-78.0.30.EL.s390x.rpm kernel-2.6.9-78.0.30.EL.s390x.rpm kernel-debuginfo-2.6.9-78.0.30.EL.s390x.rpm kernel-debuginfo-2.6.9-78.0.30.EL.s390x.rpm kernel-devel-2.6.9-78.0.30.EL.s390x.rpm kernel-devel-2.6.9-78.0.30.EL.s390x.rpm x86_64: kernel-2.6.9-78.0.30.EL.x86_64.rpm kernel-2.6.9-78.0.30.EL.x86_64.rpm kernel-debuginfo-2.6.9-78.0.30.EL.x86_64.rpm kernel-debuginfo-2.6.9-78.0.30.EL.x86_64.rpm kernel-devel-2.6.9-78.0.30.EL.x86_64.rpm kernel-devel-2.6.9-78.0.30.EL.x86_64.rpm kernel-largesmp-2.6.9-78.0.30.EL.x86_64.rpm kernel-largesmp-2.6.9-78.0.30.EL.x86_64.rpm kernel-largesmp-devel-2.6.9-78.0.30.EL.x86_64.rpm kernel-largesmp-devel-2.6.9-78.0.30.EL.x86_64.rpm kernel-smp-2.6.9-78.0.30.EL.x86_64.rpm kernel-smp-2.6.9-78.0.30.EL.x86_64.rpm kernel-smp-devel-2.6.9-78.0.30.EL.x86_64.rpm kernel-smp-devel-2.6.9-78.0.30.EL.x86_64.rpm kernel-xenU-2.6.9-78.0.30.EL.x86_64.rpm kernel-xenU-2.6.9-78.0.30.EL.x86_64.rpm kernel-xenU-devel-2.6.9-78.0.30.EL.x86_64.rpm kernel-xenU-devel-2.6.9-78.0.30.EL.x86_64.rpm Red Hat Enterprise Linux ES version 4.7.z: Source: kernel-2.6.9-78.0.30.EL.src.rpm kernel-2.6.9-78.0.30.EL.src.rpm i386: kernel-2.6.9-78.0.30.EL.i686.rpm kernel-2.6.9-78.0.30.EL.i686.rpm kernel-debuginfo-2.6.9-78.0.30.EL.i686.rpm kernel-debuginfo-2.6.9-78.0.30.EL.i686.rpm kernel-devel-2.6.9-78.0.30.EL.i686.rpm kernel-devel-2.6.9-78.0.30.EL.i686.rpm kernel-hugemem-2.6.9-78.0.30.EL.i686.rpm kernel-hugemem-2.6.9-78.0.30.EL.i686.rpm kernel-hugemem-devel-2.6.9-78.0.30.EL.i686.rpm kernel-hugemem-devel-2.6.9-78.0.30.EL.i686.rpm kernel-smp-2.6.9-78.0.30.EL.i686.rpm kernel-smp-2.6.9-78.0.30.EL.i686.rpm kernel-smp-devel-2.6.9-78.0.30.EL.i686.rpm 
kernel-smp-devel-2.6.9-78.0.30.EL.i686.rpm kernel-xenU-2.6.9-78.0.30.EL.i686.rpm kernel-xenU-2.6.9-78.0.30.EL.i686.rpm kernel-xenU-devel-2.6.9-78.0.30.EL.i686.rpm kernel-xenU-devel-2.6.9-78.0.30.EL.i686.rpm ia64: kernel-2.6.9-78.0.30.EL.ia64.rpm kernel-2.6.9-78.0.30.EL.ia64.rpm kernel-debuginfo-2.6.9-78.0.30.EL.ia64.rpm kernel-debuginfo-2.6.9-78.0.30.EL.ia64.rpm kernel-devel-2.6.9-78.0.30.EL.ia64.rpm kernel-devel-2.6.9-78.0.30.EL.ia64.rpm kernel-largesmp-2.6.9-78.0.30.EL.ia64.rpm kernel-largesmp-2.6.9-78.0.30.EL.ia64.rpm kernel-largesmp-devel-2.6.9-78.0.30.EL.ia64.rpm kernel-largesmp-devel-2.6.9-78.0.30.EL.ia64.rpm noarch: kernel-doc-2.6.9-78.0.30.EL.noarch.rpm kernel-doc-2.6.9-78.0.30.EL.noarch.rpm x86_64: kernel-2.6.9-78.0.30.EL.x86_64.rpm kernel-2.6.9-78.0.30.EL.x86_64.rpm kernel-debuginfo-2.6.9-78.0.30.EL.x86_64.rpm kernel-debuginfo-2.6.9-78.0.30.EL.x86_64.rpm kernel-devel-2.6.9-78.0.30.EL.x86_64.rpm kernel-devel-2.6.9-78.0.30.EL.x86_64.rpm kernel-largesmp-2.6.9-78.0.30.EL.x86_64.rpm kernel-largesmp-2.6.9-78.0.30.EL.x86_64.rpm kernel-largesmp-devel-2.6.9-78.0.30.EL.x86_64.rpm kernel-largesmp-devel-2.6.9-78.0.30.EL.x86_64.rpm kernel-smp-2.6.9-78.0.30.EL.x86_64.rpm kernel-smp-2.6.9-78.0.30.EL.x86_64.rpm kernel-smp-devel-2.6.9-78.0.30.EL.x86_64.rpm kernel-smp-devel-2.6.9-78.0.30.EL.x86_64.rpm kernel-xenU-2.6.9-78.0.30.EL.x86_64.rpm kernel-xenU-2.6.9-78.0.30.EL.x86_64.rpm kernel-xenU-devel-2.6.9-78.0.30.EL.x86_64.rpm kernel-xenU-devel-2.6.9-78.0.30.EL.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2010-0008.html http://www.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/ Copyright 2010 Red Hat, Inc. 
From bugzilla at redhat.com  Tue Apr  6 23:11:55 2010
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 6 Apr 2010 17:11:55 -0600
Subject: [RHSA-2010:0343-01] Important: krb5 security and bug fix update
Message-ID: <201004062311.o36NBtCx028950@int-mx03.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: krb5 security and bug fix update
Advisory ID:       RHSA-2010:0343-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2010-0343.html
Issue date:        2010-04-06
CVE Names:         CVE-2010-0629
=====================================================================

1. Summary:

Updated krb5 packages that fix one security issue and one bug are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64

3. Description:

Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third party, the Key Distribution Center (KDC).

A use-after-free flaw was discovered in the MIT Kerberos administration daemon, kadmind. A remote, authenticated attacker could use this flaw to crash the kadmind daemon. Administrative privileges are not required to trigger this flaw, as any realm user can request information about their own principal from kadmind. (CVE-2010-0629)

This update also fixes the following bug:

* when a Kerberos client seeks tickets for use with a service, it must contact the Key Distribution Center (KDC) to obtain them. The client must also determine which realm the service belongs to, and it typically does this with a combination of client configuration detail, DNS information and guesswork. If the service belongs to a realm other than the client's, cross-realm authentication is required. Using a combination of client configuration and guesswork, the client determines the trust relationship sequence which forms the trusted path between the client's realm and the service's realm. This may include one or more intermediate realms. Anticipating that the KDC has better knowledge of extant trust relationships, the client then requests a ticket from the service's KDC, indicating it will accept guidance from the service's KDC by setting a special flag in the request. A KDC which recognizes the flag can, at its option, return a ticket-granting ticket for the next realm along the trust path the client should be following. If the ticket-granting ticket returned by the service's KDC is for use with a realm the client has already determined was in the trusted path, the client accepts this as an optimization and continues. If, however, the ticket is for use in a realm the client is not expecting, the client responds incorrectly: it treats the case as an error rather than continuing along the path suggested by the service's KDC. For this update, the krb5 1.7 modifications which allow the client to trust such KDCs to send them along the correct path, resulting in the client obtaining the tickets it originally desired, were backported to krb5 1.6.1 (the version shipped with Red Hat Enterprise Linux 5.5). (BZ#578540)

All krb5 users should upgrade to these updated packages, which contain backported patches to correct these issues. All running KDC services must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

576011 - CVE-2010-0629 krb5: kadmind use-after-free remote crash (MITKRB5-SA-2010-003)
578540 - [RFE] Backport referral-chasing code within krb5-1.7 to RHEL5

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/krb5-1.6.1-36.el5_5.2.src.rpm

i386:
krb5-debuginfo-1.6.1-36.el5_5.2.i386.rpm
krb5-libs-1.6.1-36.el5_5.2.i386.rpm
krb5-workstation-1.6.1-36.el5_5.2.i386.rpm

x86_64:
krb5-debuginfo-1.6.1-36.el5_5.2.i386.rpm
krb5-debuginfo-1.6.1-36.el5_5.2.x86_64.rpm
krb5-libs-1.6.1-36.el5_5.2.i386.rpm
krb5-libs-1.6.1-36.el5_5.2.x86_64.rpm
krb5-workstation-1.6.1-36.el5_5.2.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/krb5-1.6.1-36.el5_5.2.src.rpm

i386:
krb5-debuginfo-1.6.1-36.el5_5.2.i386.rpm
krb5-devel-1.6.1-36.el5_5.2.i386.rpm
krb5-server-1.6.1-36.el5_5.2.i386.rpm

x86_64:
krb5-debuginfo-1.6.1-36.el5_5.2.i386.rpm
krb5-debuginfo-1.6.1-36.el5_5.2.x86_64.rpm
krb5-devel-1.6.1-36.el5_5.2.i386.rpm
krb5-devel-1.6.1-36.el5_5.2.x86_64.rpm
krb5-server-1.6.1-36.el5_5.2.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/krb5-1.6.1-36.el5_5.2.src.rpm

i386:
krb5-debuginfo-1.6.1-36.el5_5.2.i386.rpm
krb5-devel-1.6.1-36.el5_5.2.i386.rpm
krb5-libs-1.6.1-36.el5_5.2.i386.rpm
krb5-server-1.6.1-36.el5_5.2.i386.rpm
krb5-workstation-1.6.1-36.el5_5.2.i386.rpm

ia64:
krb5-debuginfo-1.6.1-36.el5_5.2.i386.rpm
krb5-debuginfo-1.6.1-36.el5_5.2.ia64.rpm
krb5-devel-1.6.1-36.el5_5.2.ia64.rpm
krb5-libs-1.6.1-36.el5_5.2.i386.rpm
krb5-libs-1.6.1-36.el5_5.2.ia64.rpm
krb5-server-1.6.1-36.el5_5.2.ia64.rpm
krb5-workstation-1.6.1-36.el5_5.2.ia64.rpm

ppc:
krb5-debuginfo-1.6.1-36.el5_5.2.ppc.rpm
krb5-debuginfo-1.6.1-36.el5_5.2.ppc64.rpm
krb5-devel-1.6.1-36.el5_5.2.ppc.rpm
krb5-devel-1.6.1-36.el5_5.2.ppc64.rpm
krb5-libs-1.6.1-36.el5_5.2.ppc.rpm
krb5-libs-1.6.1-36.el5_5.2.ppc64.rpm
krb5-server-1.6.1-36.el5_5.2.ppc.rpm
krb5-workstation-1.6.1-36.el5_5.2.ppc.rpm

s390x:
krb5-debuginfo-1.6.1-36.el5_5.2.s390.rpm
krb5-debuginfo-1.6.1-36.el5_5.2.s390x.rpm
krb5-devel-1.6.1-36.el5_5.2.s390.rpm
krb5-devel-1.6.1-36.el5_5.2.s390x.rpm
krb5-libs-1.6.1-36.el5_5.2.s390.rpm
krb5-libs-1.6.1-36.el5_5.2.s390x.rpm
krb5-server-1.6.1-36.el5_5.2.s390x.rpm
krb5-workstation-1.6.1-36.el5_5.2.s390x.rpm

x86_64:
krb5-debuginfo-1.6.1-36.el5_5.2.i386.rpm
krb5-debuginfo-1.6.1-36.el5_5.2.x86_64.rpm
krb5-devel-1.6.1-36.el5_5.2.i386.rpm
krb5-devel-1.6.1-36.el5_5.2.x86_64.rpm
krb5-libs-1.6.1-36.el5_5.2.i386.rpm
krb5-libs-1.6.1-36.el5_5.2.x86_64.rpm
krb5-server-1.6.1-36.el5_5.2.x86_64.rpm
krb5-workstation-1.6.1-36.el5_5.2.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2010-0629.html
http://www.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is .
More contact details at https://www.redhat.com/security/team/contact/

Copyright 2010 Red Hat, Inc.

From bugzilla at redhat.com  Tue Apr 13 21:25:16 2010
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 13 Apr 2010 15:25:16 -0600
Subject: [RHSA-2010:0347-01] Moderate: nss_db security update
Message-ID: <201004132125.o3DLPGZp011475@int-mx05.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: nss_db security update
Advisory ID:       RHSA-2010:0347-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2010-0347.html
Issue date:        2010-04-13
CVE Names:         CVE-2010-0826
=====================================================================

1. Summary:

Updated nss_db packages that fix one security issue are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64

3. Description:

The nss_db packages provide a set of C library extensions which allow Berkeley Database (Berkeley DB) databases to be used as a primary source of aliases, ethers, groups, hosts, networks, protocols, users, RPCs, services, and shadow passwords. These databases are used instead of or in addition to the flat files used by these tools by default.

It was discovered that nss_db did not specify a path to the directory to be used as the database environment for the Berkeley Database library, causing it to use the current working directory as the default. This could possibly allow a local attacker to obtain sensitive information. (CVE-2010-0826)

Users of nss_db are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.

4. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

580187 - CVE-2010-0826 nss_db: Information leak due the DB_CONFIG file read from current working directory

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/nss_db-2.2-35.4.el5_5.src.rpm

i386:
nss_db-2.2-35.4.el5_5.i386.rpm
nss_db-debuginfo-2.2-35.4.el5_5.i386.rpm

x86_64:
nss_db-2.2-35.4.el5_5.i386.rpm
nss_db-2.2-35.4.el5_5.x86_64.rpm
nss_db-debuginfo-2.2-35.4.el5_5.i386.rpm
nss_db-debuginfo-2.2-35.4.el5_5.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/nss_db-2.2-35.4.el5_5.src.rpm

i386:
nss_db-2.2-35.4.el5_5.i386.rpm
nss_db-debuginfo-2.2-35.4.el5_5.i386.rpm

ia64:
nss_db-2.2-35.4.el5_5.i386.rpm
nss_db-2.2-35.4.el5_5.ia64.rpm
nss_db-debuginfo-2.2-35.4.el5_5.i386.rpm
nss_db-debuginfo-2.2-35.4.el5_5.ia64.rpm

ppc:
nss_db-2.2-35.4.el5_5.ppc.rpm
nss_db-2.2-35.4.el5_5.ppc64.rpm
nss_db-debuginfo-2.2-35.4.el5_5.ppc.rpm
nss_db-debuginfo-2.2-35.4.el5_5.ppc64.rpm

s390x:
nss_db-2.2-35.4.el5_5.s390.rpm
nss_db-2.2-35.4.el5_5.s390x.rpm
nss_db-debuginfo-2.2-35.4.el5_5.s390.rpm
nss_db-debuginfo-2.2-35.4.el5_5.s390x.rpm

x86_64:
nss_db-2.2-35.4.el5_5.i386.rpm
nss_db-2.2-35.4.el5_5.x86_64.rpm
nss_db-debuginfo-2.2-35.4.el5_5.i386.rpm
nss_db-debuginfo-2.2-35.4.el5_5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2010-0826.html
http://www.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2010 Red Hat, Inc.
From bugzilla at redhat.com  Wed Apr 14 10:28:42 2010
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 14 Apr 2010 06:28:42 -0400
Subject: [RHSA-2010:0348-01] Important: kdebase security update
Message-ID: <201004141028.o3EASgnF000861@int-mx04.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: kdebase security update
Advisory ID:       RHSA-2010:0348-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2010-0348.html
Issue date:        2010-04-14
CVE Names:         CVE-2010-0436
=====================================================================

1. Summary:

Updated kdebase packages that fix one security issue are now available for Red Hat Enterprise Linux 4 and 5.

The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

3. Description:

The K Desktop Environment (KDE) is a graphical desktop environment for the X Window System. The kdebase packages include core applications for KDE.

A privilege escalation flaw was found in the KDE Display Manager (KDM). A local user with console access could trigger a race condition, possibly resulting in the permissions of an arbitrary file being set to world writable, allowing privilege escalation. (CVE-2010-0436)

Red Hat would like to thank Sebastian Krahmer of the SuSE Security Team for responsibly reporting this issue.

Users of KDE should upgrade to these updated packages, which contain a backported patch to correct this issue. The system should be rebooted for this update to take effect. After the reboot, administrators should manually remove all leftover user-owned dmctl-* directories in "/var/run/xdmctl/".

4. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

570613 - CVE-2010-0436 kdm privilege escalation flaw

6. Package List:

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/kdebase-3.3.1-13.el4_8.1.src.rpm

i386:
kdebase-3.3.1-13.el4_8.1.i386.rpm
kdebase-debuginfo-3.3.1-13.el4_8.1.i386.rpm
kdebase-devel-3.3.1-13.el4_8.1.i386.rpm

ia64:
kdebase-3.3.1-13.el4_8.1.i386.rpm
kdebase-3.3.1-13.el4_8.1.ia64.rpm
kdebase-debuginfo-3.3.1-13.el4_8.1.i386.rpm
kdebase-debuginfo-3.3.1-13.el4_8.1.ia64.rpm
kdebase-devel-3.3.1-13.el4_8.1.ia64.rpm

ppc:
kdebase-3.3.1-13.el4_8.1.ppc.rpm
kdebase-3.3.1-13.el4_8.1.ppc64.rpm
kdebase-debuginfo-3.3.1-13.el4_8.1.ppc.rpm
kdebase-debuginfo-3.3.1-13.el4_8.1.ppc64.rpm
kdebase-devel-3.3.1-13.el4_8.1.ppc.rpm

s390:
kdebase-3.3.1-13.el4_8.1.s390.rpm
kdebase-debuginfo-3.3.1-13.el4_8.1.s390.rpm
kdebase-devel-3.3.1-13.el4_8.1.s390.rpm

s390x:
kdebase-3.3.1-13.el4_8.1.s390.rpm
kdebase-3.3.1-13.el4_8.1.s390x.rpm
kdebase-debuginfo-3.3.1-13.el4_8.1.s390.rpm
kdebase-debuginfo-3.3.1-13.el4_8.1.s390x.rpm
kdebase-devel-3.3.1-13.el4_8.1.s390x.rpm

x86_64:
kdebase-3.3.1-13.el4_8.1.i386.rpm
kdebase-3.3.1-13.el4_8.1.x86_64.rpm
kdebase-debuginfo-3.3.1-13.el4_8.1.i386.rpm
kdebase-debuginfo-3.3.1-13.el4_8.1.x86_64.rpm
kdebase-devel-3.3.1-13.el4_8.1.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/kdebase-3.3.1-13.el4_8.1.src.rpm

i386:
kdebase-3.3.1-13.el4_8.1.i386.rpm
kdebase-debuginfo-3.3.1-13.el4_8.1.i386.rpm
kdebase-devel-3.3.1-13.el4_8.1.i386.rpm

x86_64:
kdebase-3.3.1-13.el4_8.1.i386.rpm
kdebase-3.3.1-13.el4_8.1.x86_64.rpm
kdebase-debuginfo-3.3.1-13.el4_8.1.i386.rpm
kdebase-debuginfo-3.3.1-13.el4_8.1.x86_64.rpm
kdebase-devel-3.3.1-13.el4_8.1.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/kdebase-3.3.1-13.el4_8.1.src.rpm

i386:
kdebase-3.3.1-13.el4_8.1.i386.rpm
kdebase-debuginfo-3.3.1-13.el4_8.1.i386.rpm
kdebase-devel-3.3.1-13.el4_8.1.i386.rpm

ia64:
kdebase-3.3.1-13.el4_8.1.i386.rpm
kdebase-3.3.1-13.el4_8.1.ia64.rpm
kdebase-debuginfo-3.3.1-13.el4_8.1.i386.rpm
kdebase-debuginfo-3.3.1-13.el4_8.1.ia64.rpm
kdebase-devel-3.3.1-13.el4_8.1.ia64.rpm

x86_64:
kdebase-3.3.1-13.el4_8.1.i386.rpm
kdebase-3.3.1-13.el4_8.1.x86_64.rpm
kdebase-debuginfo-3.3.1-13.el4_8.1.i386.rpm
kdebase-debuginfo-3.3.1-13.el4_8.1.x86_64.rpm
kdebase-devel-3.3.1-13.el4_8.1.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/kdebase-3.3.1-13.el4_8.1.src.rpm

i386:
kdebase-3.3.1-13.el4_8.1.i386.rpm
kdebase-debuginfo-3.3.1-13.el4_8.1.i386.rpm
kdebase-devel-3.3.1-13.el4_8.1.i386.rpm

ia64:
kdebase-3.3.1-13.el4_8.1.i386.rpm
kdebase-3.3.1-13.el4_8.1.ia64.rpm
kdebase-debuginfo-3.3.1-13.el4_8.1.i386.rpm
kdebase-debuginfo-3.3.1-13.el4_8.1.ia64.rpm
kdebase-devel-3.3.1-13.el4_8.1.ia64.rpm

x86_64:
kdebase-3.3.1-13.el4_8.1.i386.rpm
kdebase-3.3.1-13.el4_8.1.x86_64.rpm
kdebase-debuginfo-3.3.1-13.el4_8.1.i386.rpm
kdebase-debuginfo-3.3.1-13.el4_8.1.x86_64.rpm
kdebase-devel-3.3.1-13.el4_8.1.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/kdebase-3.5.4-21.el5_5.1.src.rpm

i386:
kdebase-3.5.4-21.el5_5.1.i386.rpm
kdebase-debuginfo-3.5.4-21.el5_5.1.i386.rpm

x86_64:
kdebase-3.5.4-21.el5_5.1.i386.rpm
kdebase-3.5.4-21.el5_5.1.x86_64.rpm
kdebase-debuginfo-3.5.4-21.el5_5.1.i386.rpm
kdebase-debuginfo-3.5.4-21.el5_5.1.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/kdebase-3.5.4-21.el5_5.1.src.rpm

i386:
kdebase-debuginfo-3.5.4-21.el5_5.1.i386.rpm
kdebase-devel-3.5.4-21.el5_5.1.i386.rpm

x86_64:
kdebase-debuginfo-3.5.4-21.el5_5.1.i386.rpm
kdebase-debuginfo-3.5.4-21.el5_5.1.x86_64.rpm
kdebase-devel-3.5.4-21.el5_5.1.i386.rpm
kdebase-devel-3.5.4-21.el5_5.1.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/kdebase-3.5.4-21.el5_5.1.src.rpm

i386:
kdebase-3.5.4-21.el5_5.1.i386.rpm
kdebase-debuginfo-3.5.4-21.el5_5.1.i386.rpm
kdebase-devel-3.5.4-21.el5_5.1.i386.rpm

ia64:
kdebase-3.5.4-21.el5_5.1.ia64.rpm
kdebase-debuginfo-3.5.4-21.el5_5.1.ia64.rpm
kdebase-devel-3.5.4-21.el5_5.1.ia64.rpm

ppc:
kdebase-3.5.4-21.el5_5.1.ppc.rpm
kdebase-3.5.4-21.el5_5.1.ppc64.rpm
kdebase-debuginfo-3.5.4-21.el5_5.1.ppc.rpm
kdebase-debuginfo-3.5.4-21.el5_5.1.ppc64.rpm
kdebase-devel-3.5.4-21.el5_5.1.ppc.rpm
kdebase-devel-3.5.4-21.el5_5.1.ppc64.rpm

s390x:
kdebase-3.5.4-21.el5_5.1.s390.rpm
kdebase-3.5.4-21.el5_5.1.s390x.rpm
kdebase-debuginfo-3.5.4-21.el5_5.1.s390.rpm
kdebase-debuginfo-3.5.4-21.el5_5.1.s390x.rpm
kdebase-devel-3.5.4-21.el5_5.1.s390.rpm
kdebase-devel-3.5.4-21.el5_5.1.s390x.rpm

x86_64:
kdebase-3.5.4-21.el5_5.1.i386.rpm
kdebase-3.5.4-21.el5_5.1.x86_64.rpm
kdebase-debuginfo-3.5.4-21.el5_5.1.i386.rpm
kdebase-debuginfo-3.5.4-21.el5_5.1.x86_64.rpm
kdebase-devel-3.5.4-21.el5_5.1.i386.rpm
kdebase-devel-3.5.4-21.el5_5.1.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2010-0436.html
http://www.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2010 Red Hat, Inc.
From bugzilla at redhat.com  Wed Apr 14 10:29:13 2010
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 14 Apr 2010 06:29:13 -0400
Subject: [RHSA-2010:0349-01] Critical: acroread security update
Message-ID: <201004141029.o3EATDwm029178@int-mx01.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: acroread security update
Advisory ID:       RHSA-2010:0349-01
Product:           Red Hat Enterprise Linux Extras
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2010-0349.html
Issue date:        2010-04-14
CVE Names:         CVE-2010-0190 CVE-2010-0191 CVE-2010-0192 CVE-2010-0193 CVE-2010-0194 CVE-2010-0195 CVE-2010-0196 CVE-2010-0197 CVE-2010-0198 CVE-2010-0199 CVE-2010-0201 CVE-2010-0202 CVE-2010-0203 CVE-2010-0204 CVE-2010-1241
=====================================================================

1. Summary:

Updated acroread packages that fix several security issues are now available for Red Hat Enterprise Linux 4 Extras and Red Hat Enterprise Linux 5 Supplementary.

The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

RHEL Desktop Supplementary (v. 5 client) - i386, x86_64
RHEL Supplementary (v. 5 server) - i386, x86_64
Red Hat Desktop version 4 Extras - i386, x86_64
Red Hat Enterprise Linux AS version 4 Extras - i386, x86_64
Red Hat Enterprise Linux ES version 4 Extras - i386, x86_64
Red Hat Enterprise Linux WS version 4 Extras - i386, x86_64

3. Description:

Adobe Reader allows users to view and print documents in Portable Document Format (PDF).

This update fixes several vulnerabilities in Adobe Reader. These vulnerabilities are summarized on the Adobe Security Advisory APSB10-09 page listed in the References section. A specially-crafted PDF file could cause Adobe Reader to crash or, potentially, execute arbitrary code as the user running Adobe Reader when opened. (CVE-2010-0190, CVE-2010-0191, CVE-2010-0192, CVE-2010-0193, CVE-2010-0194, CVE-2010-0195, CVE-2010-0196, CVE-2010-0197, CVE-2010-0198, CVE-2010-0199, CVE-2010-0201, CVE-2010-0202, CVE-2010-0203, CVE-2010-0204, CVE-2010-1241)

All Adobe Reader users should install these updated packages. They contain Adobe Reader version 9.3.2, which is not vulnerable to these issues. All running instances of Adobe Reader must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

579213 - CVE-2010-1241 Acroread: Heap-based overflow by opening a specially-crafted PDF file (FG-VD-10-005)
581417 - Acroread: Multiple code execution flaws (APSB10-09)

6. Package List:

Red Hat Enterprise Linux AS version 4 Extras:

i386:
acroread-9.3.2-1.el4.i386.rpm
acroread-plugin-9.3.2-1.el4.i386.rpm

x86_64:
acroread-9.3.2-1.el4.i386.rpm

Red Hat Desktop version 4 Extras:

i386:
acroread-9.3.2-1.el4.i386.rpm
acroread-plugin-9.3.2-1.el4.i386.rpm

x86_64:
acroread-9.3.2-1.el4.i386.rpm

Red Hat Enterprise Linux ES version 4 Extras:

i386:
acroread-9.3.2-1.el4.i386.rpm
acroread-plugin-9.3.2-1.el4.i386.rpm

x86_64:
acroread-9.3.2-1.el4.i386.rpm

Red Hat Enterprise Linux WS version 4 Extras:

i386:
acroread-9.3.2-1.el4.i386.rpm
acroread-plugin-9.3.2-1.el4.i386.rpm

x86_64:
acroread-9.3.2-1.el4.i386.rpm

RHEL Desktop Supplementary (v. 5 client):

i386:
acroread-9.3.2-1.el5.i386.rpm
acroread-plugin-9.3.2-1.el5.i386.rpm

x86_64:
acroread-9.3.2-1.el5.i386.rpm
acroread-plugin-9.3.2-1.el5.i386.rpm

RHEL Supplementary (v. 5 server):

i386:
acroread-9.3.2-1.el5.i386.rpm
acroread-plugin-9.3.2-1.el5.i386.rpm

x86_64:
acroread-9.3.2-1.el5.i386.rpm
acroread-plugin-9.3.2-1.el5.i386.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2010-0190.html
https://www.redhat.com/security/data/cve/CVE-2010-0191.html
https://www.redhat.com/security/data/cve/CVE-2010-0192.html
https://www.redhat.com/security/data/cve/CVE-2010-0193.html
https://www.redhat.com/security/data/cve/CVE-2010-0194.html
https://www.redhat.com/security/data/cve/CVE-2010-0195.html
https://www.redhat.com/security/data/cve/CVE-2010-0196.html
https://www.redhat.com/security/data/cve/CVE-2010-0197.html
https://www.redhat.com/security/data/cve/CVE-2010-0198.html
https://www.redhat.com/security/data/cve/CVE-2010-0199.html
https://www.redhat.com/security/data/cve/CVE-2010-0201.html
https://www.redhat.com/security/data/cve/CVE-2010-0202.html
https://www.redhat.com/security/data/cve/CVE-2010-0203.html
https://www.redhat.com/security/data/cve/CVE-2010-0204.html
https://www.redhat.com/security/data/cve/CVE-2010-1241.html
http://www.redhat.com/security/updates/classification/#critical
http://www.adobe.com/support/security/bulletins/apsb10-09.html

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2010 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFLxZjiXlSAg2UNWIIRAq+zAJ9TYPcl+zHLFJitV7KZIU5OR6L4sQCgkiA1
pTdlxDqt1XZLqxoY11B4edk=
=cuEI
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Mon Apr 19 22:59:56 2010
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 19 Apr 2010 16:59:56 -0600
Subject: [RHSA-2010:0356-02] Critical: java-1.6.0-sun security update
Message-ID: <201004192259.o3JMxu6J019216@int-mx05.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: java-1.6.0-sun security update
Advisory ID:       RHSA-2010:0356-02
Product:           Red Hat Enterprise Linux Extras
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2010-0356.html
Issue date:        2010-04-19
CVE Names:         CVE-2010-0886 CVE-2010-0887
=====================================================================

1. Summary:

Updated java-1.6.0-sun packages that fix two security issues are now available for Red Hat Enterprise Linux 4 Extras and 5 Supplementary.

The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

RHEL Desktop Supplementary (v. 5 client) - i386, x86_64
RHEL Supplementary (v. 5 server) - i386, x86_64
Red Hat Desktop version 4 Extras - i386, x86_64
Red Hat Enterprise Linux AS version 4 Extras - i386, x86_64
Red Hat Enterprise Linux ES version 4 Extras - i386, x86_64
Red Hat Enterprise Linux WS version 4 Extras - i386, x86_64

3. Description:

The Sun 1.6.0 Java release includes the Sun Java 6 Runtime Environment and the Sun Java 6 Software Development Kit.

This update fixes two vulnerabilities in the Sun Java 6 Runtime Environment and the Sun Java 6 Software Development Kit.
Further information about these flaws can be found on the Oracle Security Alert page listed in the References section. (CVE-2010-0886, CVE-2010-0887)

Users of java-1.6.0-sun should upgrade to these updated packages, which correct these issues. All running instances of Sun Java must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

581237 - CVE-2010-0886 CVE-2010-0887 Sun Java: Java Web Start arbitrary command line injection

6. Package List:

Red Hat Enterprise Linux AS version 4 Extras:

i386:
java-1.6.0-sun-1.6.0.20-1jpp.1.el4.i586.rpm
java-1.6.0-sun-demo-1.6.0.20-1jpp.1.el4.i586.rpm
java-1.6.0-sun-devel-1.6.0.20-1jpp.1.el4.i586.rpm
java-1.6.0-sun-jdbc-1.6.0.20-1jpp.1.el4.i586.rpm
java-1.6.0-sun-plugin-1.6.0.20-1jpp.1.el4.i586.rpm
java-1.6.0-sun-src-1.6.0.20-1jpp.1.el4.i586.rpm

x86_64:
java-1.6.0-sun-1.6.0.20-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.20-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.20-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.20-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-plugin-1.6.0.20-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-src-1.6.0.20-1jpp.1.el4.x86_64.rpm

Red Hat Desktop version 4 Extras:

i386:
java-1.6.0-sun-1.6.0.20-1jpp.1.el4.i586.rpm
java-1.6.0-sun-demo-1.6.0.20-1jpp.1.el4.i586.rpm
java-1.6.0-sun-devel-1.6.0.20-1jpp.1.el4.i586.rpm
java-1.6.0-sun-jdbc-1.6.0.20-1jpp.1.el4.i586.rpm
java-1.6.0-sun-plugin-1.6.0.20-1jpp.1.el4.i586.rpm
java-1.6.0-sun-src-1.6.0.20-1jpp.1.el4.i586.rpm

x86_64:
java-1.6.0-sun-1.6.0.20-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.20-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.20-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.20-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-plugin-1.6.0.20-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-src-1.6.0.20-1jpp.1.el4.x86_64.rpm

Red Hat Enterprise Linux ES version 4 Extras:

i386:
java-1.6.0-sun-1.6.0.20-1jpp.1.el4.i586.rpm
java-1.6.0-sun-demo-1.6.0.20-1jpp.1.el4.i586.rpm
java-1.6.0-sun-devel-1.6.0.20-1jpp.1.el4.i586.rpm
java-1.6.0-sun-jdbc-1.6.0.20-1jpp.1.el4.i586.rpm
java-1.6.0-sun-plugin-1.6.0.20-1jpp.1.el4.i586.rpm
java-1.6.0-sun-src-1.6.0.20-1jpp.1.el4.i586.rpm

x86_64:
java-1.6.0-sun-1.6.0.20-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.20-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.20-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.20-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-plugin-1.6.0.20-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-src-1.6.0.20-1jpp.1.el4.x86_64.rpm

Red Hat Enterprise Linux WS version 4 Extras:

i386:
java-1.6.0-sun-1.6.0.20-1jpp.1.el4.i586.rpm
java-1.6.0-sun-demo-1.6.0.20-1jpp.1.el4.i586.rpm
java-1.6.0-sun-devel-1.6.0.20-1jpp.1.el4.i586.rpm
java-1.6.0-sun-jdbc-1.6.0.20-1jpp.1.el4.i586.rpm
java-1.6.0-sun-plugin-1.6.0.20-1jpp.1.el4.i586.rpm
java-1.6.0-sun-src-1.6.0.20-1jpp.1.el4.i586.rpm

x86_64:
java-1.6.0-sun-1.6.0.20-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.20-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.20-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.20-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-plugin-1.6.0.20-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-src-1.6.0.20-1jpp.1.el4.x86_64.rpm

RHEL Desktop Supplementary (v. 5 client):

i386:
java-1.6.0-sun-1.6.0.20-1jpp.1.el5.i586.rpm
java-1.6.0-sun-demo-1.6.0.20-1jpp.1.el5.i586.rpm
java-1.6.0-sun-devel-1.6.0.20-1jpp.1.el5.i586.rpm
java-1.6.0-sun-jdbc-1.6.0.20-1jpp.1.el5.i586.rpm
java-1.6.0-sun-plugin-1.6.0.20-1jpp.1.el5.i586.rpm
java-1.6.0-sun-src-1.6.0.20-1jpp.1.el5.i586.rpm

x86_64:
java-1.6.0-sun-1.6.0.20-1jpp.1.el5.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.20-1jpp.1.el5.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.20-1jpp.1.el5.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.20-1jpp.1.el5.x86_64.rpm
java-1.6.0-sun-plugin-1.6.0.20-1jpp.1.el5.i586.rpm
java-1.6.0-sun-plugin-1.6.0.20-1jpp.1.el5.x86_64.rpm
java-1.6.0-sun-src-1.6.0.20-1jpp.1.el5.x86_64.rpm

RHEL Supplementary (v. 5 server):

i386:
java-1.6.0-sun-1.6.0.20-1jpp.1.el5.i586.rpm
java-1.6.0-sun-demo-1.6.0.20-1jpp.1.el5.i586.rpm
java-1.6.0-sun-devel-1.6.0.20-1jpp.1.el5.i586.rpm
java-1.6.0-sun-jdbc-1.6.0.20-1jpp.1.el5.i586.rpm
java-1.6.0-sun-plugin-1.6.0.20-1jpp.1.el5.i586.rpm
java-1.6.0-sun-src-1.6.0.20-1jpp.1.el5.i586.rpm

x86_64:
java-1.6.0-sun-1.6.0.20-1jpp.1.el5.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.20-1jpp.1.el5.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.20-1jpp.1.el5.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.20-1jpp.1.el5.x86_64.rpm
java-1.6.0-sun-plugin-1.6.0.20-1jpp.1.el5.i586.rpm
java-1.6.0-sun-plugin-1.6.0.20-1jpp.1.el5.x86_64.rpm
java-1.6.0-sun-src-1.6.0.20-1jpp.1.el5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2010-0886.html
https://www.redhat.com/security/data/cve/CVE-2010-0887.html
http://www.redhat.com/security/updates/classification/#critical
http://www.oracle.com/technology/deploy/security/alerts/alert-cve-2010-0886.html

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2010 Red Hat, Inc.
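Each advisory in this digest ends with a Package List naming the fixed builds, and "Users should upgrade to these updated packages" is the check an administrator has to make on every host. The script below is an added example, not part of the Red Hat advisories: it compares an `rpm -qa` style listing against fixed package names using rpm's own version-ordering rules (rpmvercmp), so it can be run offline against a saved inventory. It assumes epoch 0 for every package (neither the advisory file names nor plain `rpm -qa` output show epochs), and the installed listing it uses is constructed for a hypothetical 32-bit RHEL 5 host.

```python
"""Flag installed RPMs that are older than the fixed builds an RHSA lists.

Added example, not part of the advisory text. Ordering follows rpm's
rpmvercmp rules: strings split into runs of digits or letters, digit runs
compare as numbers, letter runs lexically, a digit run outranks a letter run,
and '~' sorts below everything (so 1.0~rc1 < 1.0). Epochs are assumed to be 0.
"""
from typing import Dict, List, Tuple

NEVRA = Tuple[str, str, str, str]  # (name, version, release, arch)


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 as version string a is older than, equal to or newer than b."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Separators (anything not alphanumeric or '~') only delimit segments.
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        tilde_a = i < len(a) and a[i] == "~"
        tilde_b = j < len(b) and b[j] == "~"
        if tilde_a or tilde_b:  # '~' loses even against end-of-string
            if not tilde_a:
                return 1
            if not tilde_b:
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        # Take the next maximal run of digits (or of letters) from each side.
        numeric = a[i].isdigit()
        same_kind = str.isdigit if numeric else str.isalpha
        ia, jb = i, j
        while ia < len(a) and same_kind(a[ia]):
            ia += 1
        while jb < len(b) and same_kind(b[jb]):
            jb += 1
        seg_a, seg_b = a[i:ia], b[j:jb]
        if not seg_b:  # segment kinds differ: the numeric side is newer
            return 1 if numeric else -1
        if numeric:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):  # more digits means a larger number
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
        i, j = ia, jb
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1  # leftover segments mark the newer side


def parse_nevra(pkg: str) -> NEVRA:
    """Split 'name-version-release.arch[.rpm]' as printed by rpm -qa or an advisory."""
    if pkg.endswith(".rpm"):
        pkg = pkg[:-4]
    name, version, rel_arch = pkg.rsplit("-", 2)  # name itself may contain '-'
    release, arch = rel_arch.rsplit(".", 1)
    return name, version, release, arch


def outdated_packages(installed: List[str], fixed: List[str]) -> List[Tuple[str, str]]:
    """Pair every installed package that is older than the advisory build of the
    same name and arch with that build; packages the advisory omits are ignored."""
    fixed_by_key: Dict[Tuple[str, str], Tuple[NEVRA, str]] = {}
    for pkg in fixed:
        n = parse_nevra(pkg)
        fixed_by_key[(n[0], n[3])] = (n, pkg)
    found = []
    for pkg in installed:
        n = parse_nevra(pkg)
        hit = fixed_by_key.get((n[0], n[3]))
        if hit is None:
            continue
        target, target_name = hit
        # Version decides first; only equal versions fall through to release.
        if (rpmvercmp(n[1], target[1]) or rpmvercmp(n[2], target[2])) < 0:
            found.append((pkg, target_name))
    return found


# One fixed i386/i686 build per advisory in this digest, copied from the package lists.
FIXED = [
    "acroread-9.3.2-1.el5.i386.rpm",
    "java-1.6.0-sun-1.6.0.20-1jpp.1.el5.i586.rpm",
    "wireshark-1.0.11-1.el5_5.5.i386.rpm",
    "sudo-1.7.2p1-6.el5_5.i386.rpm",
    "scsi-target-utils-0.0-6.20091205snap.el5_5.2.i386.rpm",
    "kernel-2.6.18-164.17.1.el5.i686.rpm",
]

# Constructed `rpm -qa` output for a hypothetical RHEL 5 host; not from a real system.
INSTALLED = [
    "acroread-9.3.1-1.el5.i386",
    "java-1.6.0-sun-1.6.0.20-1jpp.1.el5.i586",
    "wireshark-1.0.11-1.el5_5.4.i386",
    "sudo-1.7.2p1-5.el5.i386",
    "scsi-target-utils-0.0-5.20091205snap.el5_5.1.i386",
    "kernel-2.6.18-164.11.1.el5.i686",
    "bash-3.2-24.el5.i386",
]

for have, want in outdated_packages(INSTALLED, FIXED):
    print(f"{have} is older than {want}")
```

Kernel packages are installed side by side rather than upgraded, so for them the version that matters is the one reported by `uname -r`, not the oldest one still on disk.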
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFLzOBdXlSAg2UNWIIRAgH3AJ9eIAGVDngSiWwXNoE1qa0PzxMIuACgpSny
vrMeBq6hmgHRalCN7XE4fI4=
=Aohb
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Tue Apr 20 15:57:32 2010
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 20 Apr 2010 09:57:32 -0600
Subject: [RHSA-2010:0360-01] Moderate: wireshark security update
Message-ID: <201004201557.o3KFvX5s027279@int-mx02.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: wireshark security update
Advisory ID:       RHSA-2010:0360-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2010-0360.html
Issue date:        2010-04-20
CVE Names:         CVE-2009-2560 CVE-2009-2562 CVE-2009-2563 CVE-2009-3550 CVE-2009-3829 CVE-2009-4377 CVE-2010-0304
=====================================================================

1. Summary:

Updated wireshark packages that fix several security issues are now available for Red Hat Enterprise Linux 3, 4, and 5.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

3. Description:

Wireshark is a program for monitoring network traffic. Wireshark was previously known as Ethereal.

An invalid pointer dereference flaw was found in the Wireshark SMB and SMB2 dissectors. If Wireshark read a malformed packet off a network or opened a malicious dump file, it could crash or, possibly, execute arbitrary code as the user running Wireshark. (CVE-2009-4377)

Several buffer overflow flaws were found in the Wireshark LWRES dissector. If Wireshark read a malformed packet off a network or opened a malicious dump file, it could crash or, possibly, execute arbitrary code as the user running Wireshark. (CVE-2010-0304)

Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file. (CVE-2009-2560, CVE-2009-2562, CVE-2009-2563, CVE-2009-3550, CVE-2009-3829)

Users of Wireshark should upgrade to these updated packages, which contain Wireshark version 1.0.11, and resolve these issues. All running instances of Wireshark must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

512987 - CVE-2009-2562 Wireshark: Integer overflow in the AFS dissector
512992 - CVE-2009-2563 Wireshark: Null-ptr dereference in the InfiniBand dissector
513008 - CVE-2009-2560 Wireshark: various flaws in a) RADIUS, b) Bluetooth L2CAP, c) MIOP dissectors (DoS)
531260 - CVE-2009-3550 Wireshark: NULL pointer dereference in the DCERPC over SMB packet disassembly
532479 - CVE-2009-3829 wireshark: unsigned integer wrap vulnerability in ERF reader (VU#676492)
549578 - CVE-2009-4377 wireshark: invalid pointer dereference in SMB/SMB2 dissectors
559793 - CVE-2010-0304 wireshark: crash in LWRES dissector

6. Package List:

Red Hat Enterprise Linux AS version 3:

Source:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/wireshark-1.0.11-EL3.6.src.rpm

i386:
wireshark-1.0.11-EL3.6.i386.rpm
wireshark-debuginfo-1.0.11-EL3.6.i386.rpm
wireshark-gnome-1.0.11-EL3.6.i386.rpm

ia64:
wireshark-1.0.11-EL3.6.ia64.rpm
wireshark-debuginfo-1.0.11-EL3.6.ia64.rpm
wireshark-gnome-1.0.11-EL3.6.ia64.rpm

ppc:
wireshark-1.0.11-EL3.6.ppc.rpm
wireshark-debuginfo-1.0.11-EL3.6.ppc.rpm
wireshark-gnome-1.0.11-EL3.6.ppc.rpm

s390:
wireshark-1.0.11-EL3.6.s390.rpm
wireshark-debuginfo-1.0.11-EL3.6.s390.rpm
wireshark-gnome-1.0.11-EL3.6.s390.rpm

s390x:
wireshark-1.0.11-EL3.6.s390x.rpm
wireshark-debuginfo-1.0.11-EL3.6.s390x.rpm
wireshark-gnome-1.0.11-EL3.6.s390x.rpm

x86_64:
wireshark-1.0.11-EL3.6.x86_64.rpm
wireshark-debuginfo-1.0.11-EL3.6.x86_64.rpm
wireshark-gnome-1.0.11-EL3.6.x86_64.rpm

Red Hat Desktop version 3:

Source:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/wireshark-1.0.11-EL3.6.src.rpm

i386:
wireshark-1.0.11-EL3.6.i386.rpm
wireshark-debuginfo-1.0.11-EL3.6.i386.rpm
wireshark-gnome-1.0.11-EL3.6.i386.rpm

x86_64:
wireshark-1.0.11-EL3.6.x86_64.rpm
wireshark-debuginfo-1.0.11-EL3.6.x86_64.rpm
wireshark-gnome-1.0.11-EL3.6.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

Source:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/wireshark-1.0.11-EL3.6.src.rpm

i386:
wireshark-1.0.11-EL3.6.i386.rpm
wireshark-debuginfo-1.0.11-EL3.6.i386.rpm
wireshark-gnome-1.0.11-EL3.6.i386.rpm

ia64:
wireshark-1.0.11-EL3.6.ia64.rpm
wireshark-debuginfo-1.0.11-EL3.6.ia64.rpm
wireshark-gnome-1.0.11-EL3.6.ia64.rpm

x86_64:
wireshark-1.0.11-EL3.6.x86_64.rpm
wireshark-debuginfo-1.0.11-EL3.6.x86_64.rpm
wireshark-gnome-1.0.11-EL3.6.x86_64.rpm

Red Hat Enterprise Linux WS version 3:

Source:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/wireshark-1.0.11-EL3.6.src.rpm

i386:
wireshark-1.0.11-EL3.6.i386.rpm
wireshark-debuginfo-1.0.11-EL3.6.i386.rpm
wireshark-gnome-1.0.11-EL3.6.i386.rpm

ia64:
wireshark-1.0.11-EL3.6.ia64.rpm
wireshark-debuginfo-1.0.11-EL3.6.ia64.rpm
wireshark-gnome-1.0.11-EL3.6.ia64.rpm

x86_64:
wireshark-1.0.11-EL3.6.x86_64.rpm
wireshark-debuginfo-1.0.11-EL3.6.x86_64.rpm
wireshark-gnome-1.0.11-EL3.6.x86_64.rpm

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/wireshark-1.0.11-1.el4_8.5.src.rpm

i386:
wireshark-1.0.11-1.el4_8.5.i386.rpm
wireshark-debuginfo-1.0.11-1.el4_8.5.i386.rpm
wireshark-gnome-1.0.11-1.el4_8.5.i386.rpm

ia64:
wireshark-1.0.11-1.el4_8.5.ia64.rpm
wireshark-debuginfo-1.0.11-1.el4_8.5.ia64.rpm
wireshark-gnome-1.0.11-1.el4_8.5.ia64.rpm

ppc:
wireshark-1.0.11-1.el4_8.5.ppc.rpm
wireshark-debuginfo-1.0.11-1.el4_8.5.ppc.rpm
wireshark-gnome-1.0.11-1.el4_8.5.ppc.rpm

s390:
wireshark-1.0.11-1.el4_8.5.s390.rpm
wireshark-debuginfo-1.0.11-1.el4_8.5.s390.rpm
wireshark-gnome-1.0.11-1.el4_8.5.s390.rpm

s390x:
wireshark-1.0.11-1.el4_8.5.s390x.rpm
wireshark-debuginfo-1.0.11-1.el4_8.5.s390x.rpm
wireshark-gnome-1.0.11-1.el4_8.5.s390x.rpm

x86_64:
wireshark-1.0.11-1.el4_8.5.x86_64.rpm
wireshark-debuginfo-1.0.11-1.el4_8.5.x86_64.rpm
wireshark-gnome-1.0.11-1.el4_8.5.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/wireshark-1.0.11-1.el4_8.5.src.rpm

i386:
wireshark-1.0.11-1.el4_8.5.i386.rpm
wireshark-debuginfo-1.0.11-1.el4_8.5.i386.rpm
wireshark-gnome-1.0.11-1.el4_8.5.i386.rpm

x86_64:
wireshark-1.0.11-1.el4_8.5.x86_64.rpm
wireshark-debuginfo-1.0.11-1.el4_8.5.x86_64.rpm
wireshark-gnome-1.0.11-1.el4_8.5.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/wireshark-1.0.11-1.el4_8.5.src.rpm

i386:
wireshark-1.0.11-1.el4_8.5.i386.rpm
wireshark-debuginfo-1.0.11-1.el4_8.5.i386.rpm
wireshark-gnome-1.0.11-1.el4_8.5.i386.rpm

ia64:
wireshark-1.0.11-1.el4_8.5.ia64.rpm
wireshark-debuginfo-1.0.11-1.el4_8.5.ia64.rpm
wireshark-gnome-1.0.11-1.el4_8.5.ia64.rpm

x86_64:
wireshark-1.0.11-1.el4_8.5.x86_64.rpm
wireshark-debuginfo-1.0.11-1.el4_8.5.x86_64.rpm
wireshark-gnome-1.0.11-1.el4_8.5.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/wireshark-1.0.11-1.el4_8.5.src.rpm

i386:
wireshark-1.0.11-1.el4_8.5.i386.rpm
wireshark-debuginfo-1.0.11-1.el4_8.5.i386.rpm
wireshark-gnome-1.0.11-1.el4_8.5.i386.rpm

ia64:
wireshark-1.0.11-1.el4_8.5.ia64.rpm
wireshark-debuginfo-1.0.11-1.el4_8.5.ia64.rpm
wireshark-gnome-1.0.11-1.el4_8.5.ia64.rpm

x86_64:
wireshark-1.0.11-1.el4_8.5.x86_64.rpm
wireshark-debuginfo-1.0.11-1.el4_8.5.x86_64.rpm
wireshark-gnome-1.0.11-1.el4_8.5.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/wireshark-1.0.11-1.el5_5.5.src.rpm

i386:
wireshark-1.0.11-1.el5_5.5.i386.rpm
wireshark-debuginfo-1.0.11-1.el5_5.5.i386.rpm

x86_64:
wireshark-1.0.11-1.el5_5.5.x86_64.rpm
wireshark-debuginfo-1.0.11-1.el5_5.5.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/wireshark-1.0.11-1.el5_5.5.src.rpm

i386:
wireshark-debuginfo-1.0.11-1.el5_5.5.i386.rpm
wireshark-gnome-1.0.11-1.el5_5.5.i386.rpm

x86_64:
wireshark-debuginfo-1.0.11-1.el5_5.5.x86_64.rpm
wireshark-gnome-1.0.11-1.el5_5.5.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/wireshark-1.0.11-1.el5_5.5.src.rpm

i386:
wireshark-1.0.11-1.el5_5.5.i386.rpm
wireshark-debuginfo-1.0.11-1.el5_5.5.i386.rpm
wireshark-gnome-1.0.11-1.el5_5.5.i386.rpm

ia64:
wireshark-1.0.11-1.el5_5.5.ia64.rpm
wireshark-debuginfo-1.0.11-1.el5_5.5.ia64.rpm
wireshark-gnome-1.0.11-1.el5_5.5.ia64.rpm

ppc:
wireshark-1.0.11-1.el5_5.5.ppc.rpm
wireshark-debuginfo-1.0.11-1.el5_5.5.ppc.rpm
wireshark-gnome-1.0.11-1.el5_5.5.ppc.rpm

s390x:
wireshark-1.0.11-1.el5_5.5.s390x.rpm
wireshark-debuginfo-1.0.11-1.el5_5.5.s390x.rpm
wireshark-gnome-1.0.11-1.el5_5.5.s390x.rpm

x86_64:
wireshark-1.0.11-1.el5_5.5.x86_64.rpm
wireshark-debuginfo-1.0.11-1.el5_5.5.x86_64.rpm
wireshark-gnome-1.0.11-1.el5_5.5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2009-2560.html
https://www.redhat.com/security/data/cve/CVE-2009-2562.html
https://www.redhat.com/security/data/cve/CVE-2009-2563.html
https://www.redhat.com/security/data/cve/CVE-2009-3550.html
https://www.redhat.com/security/data/cve/CVE-2009-3829.html
https://www.redhat.com/security/data/cve/CVE-2009-4377.html
https://www.redhat.com/security/data/cve/CVE-2010-0304.html
http://www.redhat.com/security/updates/classification/#moderate
http://www.wireshark.org/security/wnpa-sec-2009-05.html
http://www.wireshark.org/security/wnpa-sec-2009-08.html
http://www.wireshark.org/security/wnpa-sec-2010-01.html

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2010 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFLzc7jXlSAg2UNWIIRAmGgAJsHuHcY9OMW1mtzYynhKVuww6M8TwCfTHfp
+Iw3kfRqw99aUCt6R7LreD4=
=B3ix
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Tue Apr 20 15:58:15 2010
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 20 Apr 2010 09:58:15 -0600
Subject: [RHSA-2010:0361-01] Moderate: sudo security update
Message-ID: <201004201558.o3KFwFKF027549@int-mx02.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: sudo security update
Advisory ID:       RHSA-2010:0361-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2010-0361.html
Issue date:        2010-04-20
CVE Names:         CVE-2010-1163
=====================================================================

1. Summary:

An updated sudo package that fixes one security issue is now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64

3. Description:

The sudo (superuser do) utility allows system administrators to give certain users the ability to run commands as root.

The RHBA-2010:0212 sudo update released as part of Red Hat Enterprise Linux 5.5 added the ability to change the value of the ignore_dot option in the "/etc/sudoers" configuration file. This ability introduced a regression in the upstream fix for CVE-2010-0426.
In configurations where the ignore_dot option was set to off (the default is on for the Red Hat Enterprise Linux 5 sudo package), a local user authorized to use the sudoedit pseudo-command could possibly run arbitrary commands with the privileges of the users sudoedit was authorized to run as. (CVE-2010-1163)

Red Hat would like to thank Todd C. Miller, the upstream sudo maintainer, for responsibly reporting this issue. Upstream acknowledges Valerio Costamagna as the original reporter.

Users of sudo should upgrade to this updated package, which contains a backported patch to correct this issue.

4. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

580441 - CVE-2010-1163 sudo: incomplete fix for the sudoedit privilege escalation issue CVE-2010-0426

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/sudo-1.7.2p1-6.el5_5.src.rpm

i386:
sudo-1.7.2p1-6.el5_5.i386.rpm
sudo-debuginfo-1.7.2p1-6.el5_5.i386.rpm

x86_64:
sudo-1.7.2p1-6.el5_5.x86_64.rpm
sudo-debuginfo-1.7.2p1-6.el5_5.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/sudo-1.7.2p1-6.el5_5.src.rpm

i386:
sudo-1.7.2p1-6.el5_5.i386.rpm
sudo-debuginfo-1.7.2p1-6.el5_5.i386.rpm

ia64:
sudo-1.7.2p1-6.el5_5.ia64.rpm
sudo-debuginfo-1.7.2p1-6.el5_5.ia64.rpm

ppc:
sudo-1.7.2p1-6.el5_5.ppc.rpm
sudo-debuginfo-1.7.2p1-6.el5_5.ppc.rpm

s390x:
sudo-1.7.2p1-6.el5_5.s390x.rpm
sudo-debuginfo-1.7.2p1-6.el5_5.s390x.rpm

x86_64:
sudo-1.7.2p1-6.el5_5.x86_64.rpm
sudo-debuginfo-1.7.2p1-6.el5_5.x86_64.rpm

These packages are GPG signed by Red Hat for security.
Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2010-1163.html
http://www.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2010 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFLzc73XlSAg2UNWIIRAnniAJ9iY39+J7RhK7TWgHXICo7Rkq5lmQCfUgx1
KJKew23YYEHmHruTAi8xFFo=
=Y/kR
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Tue Apr 20 15:58:41 2010
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 20 Apr 2010 09:58:41 -0600
Subject: [RHSA-2010:0362-01] Important: scsi-target-utils security update
Message-ID: <201004201558.o3KFwfKS004873@int-mx01.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: scsi-target-utils security update
Advisory ID:       RHSA-2010:0362-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2010-0362.html
Issue date:        2010-04-20
CVE Names:         CVE-2010-0743
=====================================================================

1. Summary:

An updated scsi-target-utils package that fixes one security issue is now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

RHEL Cluster-Storage (v. 5 server) - i386, ia64, ppc, x86_64

3. Description:

The scsi-target-utils package contains the daemon and tools to set up and monitor SCSI targets. Currently, iSCSI software and iSER targets are supported.
A format string flaw was found in scsi-target-utils' tgtd daemon. A remote attacker could trigger this flaw by sending a carefully-crafted Internet Storage Name Service (iSNS) request, causing the tgtd daemon to crash. (CVE-2010-0743)

All scsi-target-utils users should upgrade to this updated package, which contains a backported patch to correct this issue. All running scsi-target-utils services must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

576359 - CVE-2010-0743 scsi-target-utils: format string vulnerability

6. Package List:

RHEL Cluster-Storage (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/scsi-target-utils-0.0-6.20091205snap.el5_5.2.src.rpm

i386:
scsi-target-utils-0.0-6.20091205snap.el5_5.2.i386.rpm
scsi-target-utils-debuginfo-0.0-6.20091205snap.el5_5.2.i386.rpm

ia64:
scsi-target-utils-0.0-6.20091205snap.el5_5.2.ia64.rpm
scsi-target-utils-debuginfo-0.0-6.20091205snap.el5_5.2.ia64.rpm

ppc:
scsi-target-utils-0.0-6.20091205snap.el5_5.2.ppc.rpm
scsi-target-utils-debuginfo-0.0-6.20091205snap.el5_5.2.ppc.rpm

x86_64:
scsi-target-utils-0.0-6.20091205snap.el5_5.2.x86_64.rpm
scsi-target-utils-debuginfo-0.0-6.20091205snap.el5_5.2.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2010-0743.html
http://www.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is .
More contact details at https://www.redhat.com/security/team/contact/

Copyright 2010 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFLzc8hXlSAg2UNWIIRAmVwAJ9hMFToD11H4WnezfL/+SY9K0jr/ACgm+ad
AByacWFtACU+GmhmA0Ojsqo=
=iKfO
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Tue Apr 27 13:01:49 2010
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 27 Apr 2010 09:01:49 -0400
Subject: [RHSA-2010:0380-01] Important: kernel security and bug fix update
Message-ID: <201004271301.o3RD1ng3011496@int-mx03.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: kernel security and bug fix update
Advisory ID:       RHSA-2010:0380-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2010-0380.html
Issue date:        2010-04-27
CVE Names:         CVE-2009-4027 CVE-2009-4307 CVE-2010-0727 CVE-2010-1188
=====================================================================

1. Summary:

Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 5.4 Extended Update Support.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux (v. 5.4.z server) - i386, ia64, noarch, ppc, s390x, x86_64

3. Description:

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security fixes:

* a race condition was found in the mac80211 implementation, a framework used for writing drivers for wireless devices.
An attacker could trigger this flaw by sending a Delete Block ACK (DELBA) packet to a target system, resulting in a remote denial of service. Note: This issue only affected users on 802.11n networks who also use the iwlagn driver with Intel wireless hardware. (CVE-2009-4027, Important)

* a use-after-free flaw was found in the tcp_rcv_state_process() function in the Linux kernel TCP/IP protocol suite implementation. If a system using IPv6 had the IPV6_RECVPKTINFO option set on a listening socket, a remote attacker could send an IPv6 packet to that system, causing a kernel panic (denial of service). (CVE-2010-1188, Important)

* a flaw was found in the gfs2_lock() implementation. The GFS2 locking code could skip the lock operation for files that have the S_ISGID bit (set-group-ID on execution) in their mode set. A local, unprivileged user on a system that has a GFS2 file system mounted could use this flaw to cause a kernel panic (denial of service). (CVE-2010-0727, Moderate)

* a divide-by-zero flaw was found in the ext4 file system code. A local attacker could use this flaw to cause a denial of service by mounting a specially-crafted ext4 file system. (CVE-2009-4307, Low)

Bug fixes:

* if a program that calls posix_fadvise() were compiled on x86, and then run on a 64-bit system, that program could experience various problems, including performance issues and the call to posix_fadvise() failing, causing the program to not run as expected or even abort. With this update, when such programs attempt to call posix_fadvise() on 64-bit systems, sys32_fadvise64() is called instead, which resolves this issue. This update also fixes other 32-bit system calls that were mistakenly called on 64-bit systems (including systems running the kernel-xen kernel). (BZ#569597)

* on some systems able to set a P-State limit via the BIOS, it was not possible to set the limit to a higher frequency if the system was rebooted while a low limit was set: "/sys/devices/system/cpu/cpu[x]/cpufreq/scaling_max_freq" would retain the low limit in these situations. With this update, limits are correctly set, even after being changed after a system reboot. (BZ#569727)

* certain Intel ICH hardware (using the e1000e driver) has an NFS filtering capability that did not work as expected, causing memory corruption, which could lead to kernel panics, or other unexpected behavior. In a reported case, a panic occurred when running NFS connection tests. This update resolves this issue by disabling the filtering capability. (BZ#569797)

* if "open(/proc/[PID]/[xxxx])" was called at the same time the process was exiting, the call would fail with an EINVAL error (an incorrect error for this situation). With this update, the correct error, ENOENT, is returned in this situation. (BZ#571362)

* multiqueue is used for transmitting data, but a single queue transmit ON/OFF scheme was used. This led to a race condition on systems with the bnx2x driver in situations where one queue became full, but not stopped, and the other queue enabled transmission. With this update, only a single queue is used. (BZ#576951)

* the "/proc/sys/vm/mmap_min_addr" tunable helps prevent unprivileged users from creating new memory mappings below the minimum address. The sysctl value for mmap_min_addr could be changed by a process or user that has an effective user ID (euid) of 0, even if the process or user does not have the CAP_SYS_RAWIO capability. This update adds a capability check for the CAP_SYS_RAWIO capability before allowing the mmap_min_addr value to be changed. (BZ#577206)

Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259

To install kernel packages manually, use "rpm -ivh [package]". Do not use "rpm -Uvh" as that will remove the running kernel binaries from your system. You may use "rpm -e" to remove old kernels after determining that the new kernel functions properly on your system.

5. Bugs fixed (http://bugzilla.redhat.com/):

541149 - CVE-2009-4026 CVE-2009-4027 kernel: mac80211: fix spurious delBA handling
547251 - CVE-2009-4307 kernel: ext4: avoid divide by zero when trying to mount a corrupted file system
569597 - posix_fadvise() handles its arguments incorrectly in 32-bit compat mode. [rhel-5.4.z]
569727 - when booted with P-state limit, limit can never be increased [rhel-5.4.z]
569797 - e1000 & e1000e: Memory corruption/paging error when tx hang occurs [rhel-5.4.z]
570863 - CVE-2010-0727 bug in GFS/GFS2 locking code leads to dos
571362 - [5.4] open(/proc/PID/xxx) fails with EINVAL even though it should be ENOENT. [rhel-5.4.z]
576951 - [Broadcom 5.4.z bug] bnx2x: net device is in XON state while the Tx ring is full [rhel-5.4.z]
577206 - kernel: sysctl: require CAP_SYS_RAWIO to set mmap_min_addr [rhel-5.4.z]
577711 - CVE-2010-1188 kernel: ipv6: skb is unexpectedly freed

6. Package List:

Red Hat Enterprise Linux (v. 5.4.z server):

Source:
kernel-2.6.18-164.17.1.el5.src.rpm

i386:
kernel-2.6.18-164.17.1.el5.i686.rpm
kernel-PAE-2.6.18-164.17.1.el5.i686.rpm
kernel-PAE-debuginfo-2.6.18-164.17.1.el5.i686.rpm
kernel-PAE-devel-2.6.18-164.17.1.el5.i686.rpm
kernel-debug-2.6.18-164.17.1.el5.i686.rpm
kernel-debug-debuginfo-2.6.18-164.17.1.el5.i686.rpm
kernel-debug-devel-2.6.18-164.17.1.el5.i686.rpm
kernel-debuginfo-2.6.18-164.17.1.el5.i686.rpm
kernel-debuginfo-common-2.6.18-164.17.1.el5.i686.rpm
kernel-devel-2.6.18-164.17.1.el5.i686.rpm
kernel-headers-2.6.18-164.17.1.el5.i386.rpm
kernel-xen-2.6.18-164.17.1.el5.i686.rpm
kernel-xen-debuginfo-2.6.18-164.17.1.el5.i686.rpm
kernel-xen-devel-2.6.18-164.17.1.el5.i686.rpm

ia64:
kernel-2.6.18-164.17.1.el5.ia64.rpm
kernel-debug-2.6.18-164.17.1.el5.ia64.rpm
kernel-debug-debuginfo-2.6.18-164.17.1.el5.ia64.rpm
kernel-debug-devel-2.6.18-164.17.1.el5.ia64.rpm
kernel-debuginfo-2.6.18-164.17.1.el5.ia64.rpm
kernel-debuginfo-common-2.6.18-164.17.1.el5.ia64.rpm
kernel-devel-2.6.18-164.17.1.el5.ia64.rpm
kernel-headers-2.6.18-164.17.1.el5.ia64.rpm
kernel-xen-2.6.18-164.17.1.el5.ia64.rpm
kernel-xen-debuginfo-2.6.18-164.17.1.el5.ia64.rpm
kernel-xen-devel-2.6.18-164.17.1.el5.ia64.rpm

noarch:
kernel-doc-2.6.18-164.17.1.el5.noarch.rpm

ppc:
kernel-2.6.18-164.17.1.el5.ppc64.rpm
kernel-debug-2.6.18-164.17.1.el5.ppc64.rpm
kernel-debug-debuginfo-2.6.18-164.17.1.el5.ppc64.rpm
kernel-debug-devel-2.6.18-164.17.1.el5.ppc64.rpm
kernel-debuginfo-2.6.18-164.17.1.el5.ppc64.rpm
kernel-debuginfo-common-2.6.18-164.17.1.el5.ppc64.rpm
kernel-devel-2.6.18-164.17.1.el5.ppc64.rpm
kernel-headers-2.6.18-164.17.1.el5.ppc.rpm
kernel-headers-2.6.18-164.17.1.el5.ppc64.rpm
kernel-kdump-2.6.18-164.17.1.el5.ppc64.rpm
kernel-kdump-debuginfo-2.6.18-164.17.1.el5.ppc64.rpm
kernel-kdump-devel-2.6.18-164.17.1.el5.ppc64.rpm

s390x:
kernel-2.6.18-164.17.1.el5.s390x.rpm
kernel-debug-2.6.18-164.17.1.el5.s390x.rpm
kernel-debug-debuginfo-2.6.18-164.17.1.el5.s390x.rpm
kernel-debug-devel-2.6.18-164.17.1.el5.s390x.rpm kernel-debuginfo-2.6.18-164.17.1.el5.s390x.rpm kernel-debuginfo-common-2.6.18-164.17.1.el5.s390x.rpm kernel-devel-2.6.18-164.17.1.el5.s390x.rpm kernel-headers-2.6.18-164.17.1.el5.s390x.rpm kernel-kdump-2.6.18-164.17.1.el5.s390x.rpm kernel-kdump-debuginfo-2.6.18-164.17.1.el5.s390x.rpm kernel-kdump-devel-2.6.18-164.17.1.el5.s390x.rpm x86_64: kernel-2.6.18-164.17.1.el5.x86_64.rpm kernel-debug-2.6.18-164.17.1.el5.x86_64.rpm kernel-debug-debuginfo-2.6.18-164.17.1.el5.x86_64.rpm kernel-debug-devel-2.6.18-164.17.1.el5.x86_64.rpm kernel-debuginfo-2.6.18-164.17.1.el5.x86_64.rpm kernel-debuginfo-common-2.6.18-164.17.1.el5.x86_64.rpm kernel-devel-2.6.18-164.17.1.el5.x86_64.rpm kernel-headers-2.6.18-164.17.1.el5.x86_64.rpm kernel-xen-2.6.18-164.17.1.el5.x86_64.rpm kernel-xen-debuginfo-2.6.18-164.17.1.el5.x86_64.rpm kernel-xen-devel-2.6.18-164.17.1.el5.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2009-4027.html https://www.redhat.com/security/data/cve/CVE-2009-4307.html https://www.redhat.com/security/data/cve/CVE-2010-0727.html https://www.redhat.com/security/data/cve/CVE-2010-1188.html http://www.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/ Copyright 2010 Red Hat, Inc. 
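The Solution section above tells administrators to install kernel packages with "rpm -ivh" rather than "rpm -Uvh", and the Package List gives the fixed builds. The script below is an added example (not Red Hat tooling, and not part of the advisory) of the triage step that precedes that command: it takes an installed package name as printed by `rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n' kernel`, compares it against the advisory's package list using the alphanumeric-segment rules of rpm's rpmvercmp(), and selects the install verb the advisory prescribes. The installed build "kernel-2.6.18-164.15.1.el5" is a constructed sample; epochs and rpm's tilde/caret ordering are left out, and treating only the bootable kernel variants as side-by-side installs is this example's assumption. The same parser and comparison apply to the xorg-x11-server and java-1.6.0-ibm package lists further down the page.

```python
"""Triage an RHSA package list against an installed RPM.

Added example (not Red Hat tooling). Decides whether an installed build is
older than the fixed build named in an advisory, using rpm's own
version-comparison rules, and picks the install verb the advisory prescribes.
Assumptions: epochs and rpm's '~'/'^' ordering are ignored, and only the
bootable kernel variants are treated as side-by-side (rpm -ivh) installs.
"""
import re
from typing import List, Optional, Tuple

# Subset of the RHEL 5.4.z x86_64 list from the kernel advisory above.
ADVISORY_PACKAGES = [
    "kernel-2.6.18-164.17.1.el5.x86_64.rpm",
    "kernel-debug-2.6.18-164.17.1.el5.x86_64.rpm",
    "kernel-devel-2.6.18-164.17.1.el5.x86_64.rpm",
    "kernel-headers-2.6.18-164.17.1.el5.x86_64.rpm",
    "kernel-xen-2.6.18-164.17.1.el5.x86_64.rpm",
]

# Bootable kernel variants named in the advisory's package list. These are
# installed beside the running kernel so it stays available for rollback.
BOOTABLE_KERNELS = {"kernel", "kernel-PAE", "kernel-xen", "kernel-debug", "kernel-kdump"}

_SEGMENT = re.compile(r"\d+|[A-Za-z]+")


def parse_nevra(pkg: str) -> Tuple[str, str, str, str]:
    """Split 'name-version-release.arch[.rpm]' into (name, version, release, arch).

    RPM forbids '-' inside version and release, so splitting on the last two
    hyphens is unambiguous even for names such as kernel-PAE-devel.
    """
    base = pkg[:-4] if pkg.endswith(".rpm") else pkg
    nvr, arch = base.rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is older than, equal to or newer than b.

    Follows rpm's rules: strings are cut into numeric and alphabetic segments,
    numeric segments compare as integers (so 164.17 > 164.9), a numeric segment
    outranks an alphabetic one, and the side with segments left over is newer.
    """
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1


def compare_vr(installed: Tuple[str, str], fixed: Tuple[str, str]) -> int:
    """Compare (version, release) pairs: version decides, release breaks ties."""
    c = rpmvercmp(installed[0], fixed[0])
    return c if c != 0 else rpmvercmp(installed[1], fixed[1])


def needs_update(installed: str, advisory_packages: List[str]) -> Optional[str]:
    """Return the advisory package that supersedes `installed`, or None.

    A match needs the same name and architecture, and the installed build
    must be strictly older than the advisory build.
    """
    name, version, release, arch = parse_nevra(installed)
    for pkg in advisory_packages:
        p_name, p_version, p_release, p_arch = parse_nevra(pkg)
        if (p_name, p_arch) != (name, arch):
            continue
        if compare_vr((version, release), (p_version, p_release)) < 0:
            return pkg
    return None


def install_command(pkg: str) -> str:
    """rpm -ivh for bootable kernels (the advisory's rule), rpm -Uvh otherwise."""
    verb = "-ivh" if parse_nevra(pkg)[0] in BOOTABLE_KERNELS else "-Uvh"
    return f"rpm {verb} {pkg}"


if __name__ == "__main__":
    # Constructed sample: a host still on the previous 5.4.z kernel build.
    installed = "kernel-2.6.18-164.15.1.el5.x86_64"
    fix = needs_update(installed, ADVISORY_PACKAGES)
    if fix:
        print(f"{installed} is affected; install the fix with: {install_command(fix)}")
    else:
        print(f"{installed} is already at or beyond the advisory build")
```

Matching on name and architecture matters on multilib hosts: the i386 list pairs kernel-headers (i386) with kernel (i686), and a comparison that ignored the arch would pick the wrong file. Because the comparison is strict, a host already at 164.17.1 or a later 5.4.z build reports nothing to do rather than reinstalling.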
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFL1uAbXlSAg2UNWIIRAgxvAJ4nkPn7ld1oKOzVpBVrPQOMLXWQCgCdHj8v
XfJgMvZ4f/Zh1dnAqCB659g=
=8YwC
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Wed Apr 28 12:11:16 2010
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 28 Apr 2010 08:11:16 -0400
Subject: [RHSA-2010:0382-01] Important: xorg-x11-server security update
Message-ID: <201004281211.o3SCBHLX012624@int-mx02.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: xorg-x11-server security update
Advisory ID:       RHSA-2010:0382-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2010-0382.html
Issue date:        2010-04-28
CVE Names:         CVE-2010-1166
=====================================================================

1. Summary:

Updated xorg-x11-server packages that fix one security issue are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64

3. Description:

X.Org is an open source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon.

An incorrect calculation flaw was discovered in the X.Org Render extension. A malicious, authorized client could exploit this issue to crash the X.Org server or, potentially, execute arbitrary code with root privileges. (CVE-2010-1166)

Users of xorg-x11-server should upgrade to these updated packages, which contain a backported patch to resolve this issue. All running X.Org server instances must be restarted for this update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

495733 - Xorg crashes with latest firefox
582601 - CVE-2010-1166 Xorg: X server Render extension memory corruption

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/xorg-x11-server-1.1.1-48.76.el5_5.1.src.rpm

i386:
xorg-x11-server-Xdmx-1.1.1-48.76.el5_5.1.i386.rpm
xorg-x11-server-Xephyr-1.1.1-48.76.el5_5.1.i386.rpm
xorg-x11-server-Xnest-1.1.1-48.76.el5_5.1.i386.rpm
xorg-x11-server-Xorg-1.1.1-48.76.el5_5.1.i386.rpm
xorg-x11-server-Xvfb-1.1.1-48.76.el5_5.1.i386.rpm
xorg-x11-server-Xvnc-source-1.1.1-48.76.el5_5.1.i386.rpm
xorg-x11-server-debuginfo-1.1.1-48.76.el5_5.1.i386.rpm

x86_64:
xorg-x11-server-Xdmx-1.1.1-48.76.el5_5.1.x86_64.rpm
xorg-x11-server-Xephyr-1.1.1-48.76.el5_5.1.x86_64.rpm
xorg-x11-server-Xnest-1.1.1-48.76.el5_5.1.x86_64.rpm
xorg-x11-server-Xorg-1.1.1-48.76.el5_5.1.x86_64.rpm
xorg-x11-server-Xvfb-1.1.1-48.76.el5_5.1.x86_64.rpm
xorg-x11-server-Xvnc-source-1.1.1-48.76.el5_5.1.x86_64.rpm
xorg-x11-server-debuginfo-1.1.1-48.76.el5_5.1.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/xorg-x11-server-1.1.1-48.76.el5_5.1.src.rpm

i386:
xorg-x11-server-debuginfo-1.1.1-48.76.el5_5.1.i386.rpm
xorg-x11-server-sdk-1.1.1-48.76.el5_5.1.i386.rpm

x86_64:
xorg-x11-server-debuginfo-1.1.1-48.76.el5_5.1.x86_64.rpm
xorg-x11-server-sdk-1.1.1-48.76.el5_5.1.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/xorg-x11-server-1.1.1-48.76.el5_5.1.src.rpm

i386:
xorg-x11-server-Xdmx-1.1.1-48.76.el5_5.1.i386.rpm
xorg-x11-server-Xephyr-1.1.1-48.76.el5_5.1.i386.rpm
xorg-x11-server-Xnest-1.1.1-48.76.el5_5.1.i386.rpm
xorg-x11-server-Xorg-1.1.1-48.76.el5_5.1.i386.rpm
xorg-x11-server-Xvfb-1.1.1-48.76.el5_5.1.i386.rpm
xorg-x11-server-Xvnc-source-1.1.1-48.76.el5_5.1.i386.rpm
xorg-x11-server-debuginfo-1.1.1-48.76.el5_5.1.i386.rpm
xorg-x11-server-sdk-1.1.1-48.76.el5_5.1.i386.rpm

ia64:
xorg-x11-server-Xdmx-1.1.1-48.76.el5_5.1.ia64.rpm
xorg-x11-server-Xephyr-1.1.1-48.76.el5_5.1.ia64.rpm
xorg-x11-server-Xnest-1.1.1-48.76.el5_5.1.ia64.rpm
xorg-x11-server-Xorg-1.1.1-48.76.el5_5.1.ia64.rpm
xorg-x11-server-Xvfb-1.1.1-48.76.el5_5.1.ia64.rpm
xorg-x11-server-Xvnc-source-1.1.1-48.76.el5_5.1.ia64.rpm
xorg-x11-server-debuginfo-1.1.1-48.76.el5_5.1.ia64.rpm
xorg-x11-server-sdk-1.1.1-48.76.el5_5.1.ia64.rpm

ppc:
xorg-x11-server-Xdmx-1.1.1-48.76.el5_5.1.ppc.rpm
xorg-x11-server-Xephyr-1.1.1-48.76.el5_5.1.ppc.rpm
xorg-x11-server-Xnest-1.1.1-48.76.el5_5.1.ppc.rpm
xorg-x11-server-Xorg-1.1.1-48.76.el5_5.1.ppc.rpm
xorg-x11-server-Xvfb-1.1.1-48.76.el5_5.1.ppc.rpm
xorg-x11-server-Xvnc-source-1.1.1-48.76.el5_5.1.ppc.rpm
xorg-x11-server-debuginfo-1.1.1-48.76.el5_5.1.ppc.rpm
xorg-x11-server-sdk-1.1.1-48.76.el5_5.1.ppc.rpm

s390x:
xorg-x11-server-Xephyr-1.1.1-48.76.el5_5.1.s390x.rpm
xorg-x11-server-Xnest-1.1.1-48.76.el5_5.1.s390x.rpm
xorg-x11-server-Xvfb-1.1.1-48.76.el5_5.1.s390x.rpm
xorg-x11-server-Xvnc-source-1.1.1-48.76.el5_5.1.s390x.rpm
xorg-x11-server-debuginfo-1.1.1-48.76.el5_5.1.s390x.rpm

x86_64:
xorg-x11-server-Xdmx-1.1.1-48.76.el5_5.1.x86_64.rpm
xorg-x11-server-Xephyr-1.1.1-48.76.el5_5.1.x86_64.rpm
xorg-x11-server-Xnest-1.1.1-48.76.el5_5.1.x86_64.rpm
xorg-x11-server-Xorg-1.1.1-48.76.el5_5.1.x86_64.rpm
xorg-x11-server-Xvfb-1.1.1-48.76.el5_5.1.x86_64.rpm
xorg-x11-server-Xvnc-source-1.1.1-48.76.el5_5.1.x86_64.rpm
xorg-x11-server-debuginfo-1.1.1-48.76.el5_5.1.x86_64.rpm
xorg-x11-server-sdk-1.1.1-48.76.el5_5.1.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2010-1166.html
http://www.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2010 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFL2CXgXlSAg2UNWIIRAg+HAKChHeN5WH2zq65twyEXszbTn5pd1wCePCbB
FAFdO5elSYvcrucGzj8pEVU=
=xhpT
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Thu Apr 29 17:53:43 2010
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 29 Apr 2010 11:53:43 -0600
Subject: [RHSA-2010:0383-01] Critical: java-1.6.0-ibm security update
Message-ID: <201004291753.o3THrhep011120@int-mx04.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: java-1.6.0-ibm security update
Advisory ID:       RHSA-2010:0383-01
Product:           Red Hat Enterprise Linux Extras
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2010-0383.html
Issue date:        2010-04-29
CVE Names:         CVE-2010-0084 CVE-2010-0085 CVE-2010-0087 CVE-2010-0088
                   CVE-2010-0089 CVE-2010-0090 CVE-2010-0091 CVE-2010-0092
                   CVE-2010-0094 CVE-2010-0095 CVE-2010-0837 CVE-2010-0838
                   CVE-2010-0839 CVE-2010-0840 CVE-2010-0841 CVE-2010-0842
                   CVE-2010-0843 CVE-2010-0844 CVE-2010-0846 CVE-2010-0848
                   CVE-2010-0849
=====================================================================

1. Summary:

Updated java-1.6.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 4 Extras and 5 Supplementary.

The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

RHEL Desktop Supplementary (v. 5 client) - i386, x86_64
RHEL Supplementary (v. 5 server) - i386, ppc, s390x, x86_64
Red Hat Desktop version 4 Extras - i386, x86_64
Red Hat Enterprise Linux AS version 4 Extras - i386, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux ES version 4 Extras - i386, x86_64
Red Hat Enterprise Linux WS version 4 Extras - i386, x86_64

3. Description:

The IBM 1.6.0 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit.

This update fixes several vulnerabilities in the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. These vulnerabilities are summarized on the IBM "Security alerts" page listed in the References section. (CVE-2010-0084, CVE-2010-0085, CVE-2010-0087, CVE-2010-0088, CVE-2010-0089, CVE-2010-0090, CVE-2010-0091, CVE-2010-0092, CVE-2010-0094, CVE-2010-0095, CVE-2010-0837, CVE-2010-0838, CVE-2010-0839, CVE-2010-0840, CVE-2010-0841, CVE-2010-0842, CVE-2010-0843, CVE-2010-0844, CVE-2010-0846, CVE-2010-0848, CVE-2010-0849)

All users of java-1.6.0-ibm are advised to upgrade to these updated packages, containing the IBM 1.6.0 SR8 Java release. All running instances of IBM Java must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

575740 - CVE-2010-0084 OpenJDK Policy/PolicyFile leak dynamic ProtectionDomains. (6633872)
575747 - CVE-2010-0085 OpenJDK File TOCTOU deserialization vulnerability (6736390)
575755 - CVE-2010-0088 OpenJDK Inflater/Deflater clone issues (6745393)
575756 - CVE-2010-0091 OpenJDK Unsigned applet can retrieve the dragged information before drop action occurs (6887703)
575760 - CVE-2010-0092 OpenJDK AtomicReferenceArray causes SIGSEGV -> SEGV_MAPERR error (6888149)
575769 - CVE-2010-0094 OpenJDK Deserialization of RMIConnectionImpl objects should enforce stricter checks (6893947)
575772 - CVE-2010-0095 OpenJDK Subclasses of InetAddress may incorrectly interpret network addresses (6893954)
575808 - CVE-2010-0838 OpenJDK CMM readMabCurveData Buffer Overflow Vulnerability (6899653)
575818 - CVE-2010-0837 OpenJDK JAR "unpack200" must verify input parameters (6902299)
575846 - CVE-2010-0840 OpenJDK Applet Trusted Methods Chaining Privilege Escalation Vulnerability (6904691)
575854 - CVE-2010-0841 OpenJDK JPEGImageReader stepX Integer Overflow Vulnerability (6909597)
575865 - CVE-2010-0848 OpenJDK AWT Library Invalid Index Vulnerability (6914823)
578430 - CVE-2010-0846 JDK unspecified vulnerability in ImageIO component
578432 - CVE-2010-0849 JDK unspecified vulnerability in Java2D component
578433 - CVE-2010-0087 JDK unspecified vulnerability in JWS/Plugin component
578436 - CVE-2010-0839 CVE-2010-0842 CVE-2010-0843 CVE-2010-0844 JDK multiple unspecified vulnerabilities
578437 - CVE-2010-0090 JDK unspecified vulnerability in JavaWS/Plugin component
578440 - CVE-2010-0089 JDK unspecified vulnerability in JavaWS/Plugin component

6. Package List:

Red Hat Enterprise Linux AS version 4 Extras:

i386:
java-1.6.0-ibm-1.6.0.8-1jpp.1.el4.i386.rpm
java-1.6.0-ibm-demo-1.6.0.8-1jpp.1.el4.i386.rpm
java-1.6.0-ibm-devel-1.6.0.8-1jpp.1.el4.i386.rpm
java-1.6.0-ibm-javacomm-1.6.0.8-1jpp.1.el4.i386.rpm
java-1.6.0-ibm-jdbc-1.6.0.8-1jpp.1.el4.i386.rpm
java-1.6.0-ibm-plugin-1.6.0.8-1jpp.1.el4.i386.rpm
java-1.6.0-ibm-src-1.6.0.8-1jpp.1.el4.i386.rpm

ppc:
java-1.6.0-ibm-1.6.0.8-1jpp.1.el4.ppc.rpm
java-1.6.0-ibm-1.6.0.8-1jpp.1.el4.ppc64.rpm
java-1.6.0-ibm-demo-1.6.0.8-1jpp.1.el4.ppc.rpm
java-1.6.0-ibm-demo-1.6.0.8-1jpp.1.el4.ppc64.rpm
java-1.6.0-ibm-devel-1.6.0.8-1jpp.1.el4.ppc.rpm
java-1.6.0-ibm-devel-1.6.0.8-1jpp.1.el4.ppc64.rpm
java-1.6.0-ibm-javacomm-1.6.0.8-1jpp.1.el4.ppc.rpm
java-1.6.0-ibm-javacomm-1.6.0.8-1jpp.1.el4.ppc64.rpm
java-1.6.0-ibm-jdbc-1.6.0.8-1jpp.1.el4.ppc.rpm
java-1.6.0-ibm-jdbc-1.6.0.8-1jpp.1.el4.ppc64.rpm
java-1.6.0-ibm-plugin-1.6.0.8-1jpp.1.el4.ppc.rpm
java-1.6.0-ibm-src-1.6.0.8-1jpp.1.el4.ppc.rpm
java-1.6.0-ibm-src-1.6.0.8-1jpp.1.el4.ppc64.rpm

s390:
java-1.6.0-ibm-1.6.0.8-1jpp.1.el4.s390.rpm
java-1.6.0-ibm-demo-1.6.0.8-1jpp.1.el4.s390.rpm
java-1.6.0-ibm-devel-1.6.0.8-1jpp.1.el4.s390.rpm
java-1.6.0-ibm-jdbc-1.6.0.8-1jpp.1.el4.s390.rpm
java-1.6.0-ibm-src-1.6.0.8-1jpp.1.el4.s390.rpm

s390x:
java-1.6.0-ibm-1.6.0.8-1jpp.1.el4.s390x.rpm
java-1.6.0-ibm-demo-1.6.0.8-1jpp.1.el4.s390x.rpm
java-1.6.0-ibm-devel-1.6.0.8-1jpp.1.el4.s390x.rpm
java-1.6.0-ibm-jdbc-1.6.0.8-1jpp.1.el4.s390x.rpm
java-1.6.0-ibm-src-1.6.0.8-1jpp.1.el4.s390x.rpm

x86_64:
java-1.6.0-ibm-1.6.0.8-1jpp.1.el4.x86_64.rpm
java-1.6.0-ibm-demo-1.6.0.8-1jpp.1.el4.x86_64.rpm
java-1.6.0-ibm-devel-1.6.0.8-1jpp.1.el4.x86_64.rpm
java-1.6.0-ibm-javacomm-1.6.0.8-1jpp.1.el4.x86_64.rpm
java-1.6.0-ibm-jdbc-1.6.0.8-1jpp.1.el4.x86_64.rpm
java-1.6.0-ibm-plugin-1.6.0.8-1jpp.1.el4.x86_64.rpm
java-1.6.0-ibm-src-1.6.0.8-1jpp.1.el4.x86_64.rpm

Red Hat Desktop version 4 Extras:

i386:
java-1.6.0-ibm-1.6.0.8-1jpp.1.el4.i386.rpm
java-1.6.0-ibm-demo-1.6.0.8-1jpp.1.el4.i386.rpm
java-1.6.0-ibm-devel-1.6.0.8-1jpp.1.el4.i386.rpm
java-1.6.0-ibm-javacomm-1.6.0.8-1jpp.1.el4.i386.rpm
java-1.6.0-ibm-jdbc-1.6.0.8-1jpp.1.el4.i386.rpm
java-1.6.0-ibm-plugin-1.6.0.8-1jpp.1.el4.i386.rpm
java-1.6.0-ibm-src-1.6.0.8-1jpp.1.el4.i386.rpm

x86_64:
java-1.6.0-ibm-1.6.0.8-1jpp.1.el4.x86_64.rpm
java-1.6.0-ibm-demo-1.6.0.8-1jpp.1.el4.x86_64.rpm
java-1.6.0-ibm-devel-1.6.0.8-1jpp.1.el4.x86_64.rpm
java-1.6.0-ibm-javacomm-1.6.0.8-1jpp.1.el4.x86_64.rpm
java-1.6.0-ibm-jdbc-1.6.0.8-1jpp.1.el4.x86_64.rpm
java-1.6.0-ibm-plugin-1.6.0.8-1jpp.1.el4.i386.rpm
java-1.6.0-ibm-plugin-1.6.0.8-1jpp.1.el4.x86_64.rpm
java-1.6.0-ibm-src-1.6.0.8-1jpp.1.el4.x86_64.rpm

Red Hat Enterprise Linux ES version 4 Extras:

i386:
java-1.6.0-ibm-1.6.0.8-1jpp.1.el4.i386.rpm
java-1.6.0-ibm-demo-1.6.0.8-1jpp.1.el4.i386.rpm
java-1.6.0-ibm-devel-1.6.0.8-1jpp.1.el4.i386.rpm
java-1.6.0-ibm-javacomm-1.6.0.8-1jpp.1.el4.i386.rpm
java-1.6.0-ibm-jdbc-1.6.0.8-1jpp.1.el4.i386.rpm
java-1.6.0-ibm-plugin-1.6.0.8-1jpp.1.el4.i386.rpm
java-1.6.0-ibm-src-1.6.0.8-1jpp.1.el4.i386.rpm

x86_64:
java-1.6.0-ibm-1.6.0.8-1jpp.1.el4.x86_64.rpm
java-1.6.0-ibm-demo-1.6.0.8-1jpp.1.el4.x86_64.rpm
java-1.6.0-ibm-devel-1.6.0.8-1jpp.1.el4.x86_64.rpm
java-1.6.0-ibm-javacomm-1.6.0.8-1jpp.1.el4.x86_64.rpm
java-1.6.0-ibm-jdbc-1.6.0.8-1jpp.1.el4.x86_64.rpm
java-1.6.0-ibm-plugin-1.6.0.8-1jpp.1.el4.x86_64.rpm
java-1.6.0-ibm-src-1.6.0.8-1jpp.1.el4.x86_64.rpm

Red Hat Enterprise Linux WS version 4 Extras:

i386:
java-1.6.0-ibm-1.6.0.8-1jpp.1.el4.i386.rpm
java-1.6.0-ibm-demo-1.6.0.8-1jpp.1.el4.i386.rpm
java-1.6.0-ibm-devel-1.6.0.8-1jpp.1.el4.i386.rpm
java-1.6.0-ibm-javacomm-1.6.0.8-1jpp.1.el4.i386.rpm
java-1.6.0-ibm-jdbc-1.6.0.8-1jpp.1.el4.i386.rpm
java-1.6.0-ibm-plugin-1.6.0.8-1jpp.1.el4.i386.rpm
java-1.6.0-ibm-src-1.6.0.8-1jpp.1.el4.i386.rpm

x86_64:
java-1.6.0-ibm-1.6.0.8-1jpp.1.el4.x86_64.rpm
java-1.6.0-ibm-demo-1.6.0.8-1jpp.1.el4.x86_64.rpm
java-1.6.0-ibm-devel-1.6.0.8-1jpp.1.el4.x86_64.rpm
java-1.6.0-ibm-javacomm-1.6.0.8-1jpp.1.el4.x86_64.rpm
java-1.6.0-ibm-jdbc-1.6.0.8-1jpp.1.el4.x86_64.rpm
java-1.6.0-ibm-plugin-1.6.0.8-1jpp.1.el4.x86_64.rpm
java-1.6.0-ibm-src-1.6.0.8-1jpp.1.el4.x86_64.rpm

RHEL Desktop Supplementary (v. 5 client):

i386:
java-1.6.0-ibm-1.6.0.8-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-accessibility-1.6.0.8-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-demo-1.6.0.8-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-devel-1.6.0.8-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-javacomm-1.6.0.8-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-jdbc-1.6.0.8-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-plugin-1.6.0.8-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-src-1.6.0.8-1jpp.1.el5.i386.rpm

x86_64:
java-1.6.0-ibm-1.6.0.8-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-1.6.0.8-1jpp.1.el5.x86_64.rpm
java-1.6.0-ibm-accessibility-1.6.0.8-1jpp.1.el5.x86_64.rpm
java-1.6.0-ibm-demo-1.6.0.8-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-demo-1.6.0.8-1jpp.1.el5.x86_64.rpm
java-1.6.0-ibm-devel-1.6.0.8-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-devel-1.6.0.8-1jpp.1.el5.x86_64.rpm
java-1.6.0-ibm-javacomm-1.6.0.8-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-javacomm-1.6.0.8-1jpp.1.el5.x86_64.rpm
java-1.6.0-ibm-jdbc-1.6.0.8-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-jdbc-1.6.0.8-1jpp.1.el5.x86_64.rpm
java-1.6.0-ibm-plugin-1.6.0.8-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-plugin-1.6.0.8-1jpp.1.el5.x86_64.rpm
java-1.6.0-ibm-src-1.6.0.8-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-src-1.6.0.8-1jpp.1.el5.x86_64.rpm

RHEL Supplementary (v. 5 server):

i386:
java-1.6.0-ibm-1.6.0.8-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-accessibility-1.6.0.8-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-demo-1.6.0.8-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-devel-1.6.0.8-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-javacomm-1.6.0.8-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-jdbc-1.6.0.8-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-plugin-1.6.0.8-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-src-1.6.0.8-1jpp.1.el5.i386.rpm

ppc:
java-1.6.0-ibm-1.6.0.8-1jpp.1.el5.ppc.rpm
java-1.6.0-ibm-1.6.0.8-1jpp.1.el5.ppc64.rpm
java-1.6.0-ibm-accessibility-1.6.0.8-1jpp.1.el5.ppc.rpm
java-1.6.0-ibm-demo-1.6.0.8-1jpp.1.el5.ppc.rpm
java-1.6.0-ibm-demo-1.6.0.8-1jpp.1.el5.ppc64.rpm
java-1.6.0-ibm-devel-1.6.0.8-1jpp.1.el5.ppc.rpm
java-1.6.0-ibm-devel-1.6.0.8-1jpp.1.el5.ppc64.rpm
java-1.6.0-ibm-javacomm-1.6.0.8-1jpp.1.el5.ppc.rpm
java-1.6.0-ibm-javacomm-1.6.0.8-1jpp.1.el5.ppc64.rpm
java-1.6.0-ibm-jdbc-1.6.0.8-1jpp.1.el5.ppc.rpm
java-1.6.0-ibm-jdbc-1.6.0.8-1jpp.1.el5.ppc64.rpm
java-1.6.0-ibm-plugin-1.6.0.8-1jpp.1.el5.ppc.rpm
java-1.6.0-ibm-src-1.6.0.8-1jpp.1.el5.ppc.rpm
java-1.6.0-ibm-src-1.6.0.8-1jpp.1.el5.ppc64.rpm

s390x:
java-1.6.0-ibm-1.6.0.8-1jpp.1.el5.s390.rpm
java-1.6.0-ibm-1.6.0.8-1jpp.1.el5.s390x.rpm
java-1.6.0-ibm-accessibility-1.6.0.8-1jpp.1.el5.s390x.rpm
java-1.6.0-ibm-demo-1.6.0.8-1jpp.1.el5.s390.rpm
java-1.6.0-ibm-demo-1.6.0.8-1jpp.1.el5.s390x.rpm
java-1.6.0-ibm-devel-1.6.0.8-1jpp.1.el5.s390.rpm
java-1.6.0-ibm-devel-1.6.0.8-1jpp.1.el5.s390x.rpm
java-1.6.0-ibm-jdbc-1.6.0.8-1jpp.1.el5.s390.rpm
java-1.6.0-ibm-jdbc-1.6.0.8-1jpp.1.el5.s390x.rpm
java-1.6.0-ibm-src-1.6.0.8-1jpp.1.el5.s390.rpm
java-1.6.0-ibm-src-1.6.0.8-1jpp.1.el5.s390x.rpm

x86_64:
java-1.6.0-ibm-1.6.0.8-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-1.6.0.8-1jpp.1.el5.x86_64.rpm
java-1.6.0-ibm-accessibility-1.6.0.8-1jpp.1.el5.x86_64.rpm
java-1.6.0-ibm-demo-1.6.0.8-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-demo-1.6.0.8-1jpp.1.el5.x86_64.rpm
java-1.6.0-ibm-devel-1.6.0.8-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-devel-1.6.0.8-1jpp.1.el5.x86_64.rpm
java-1.6.0-ibm-javacomm-1.6.0.8-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-javacomm-1.6.0.8-1jpp.1.el5.x86_64.rpm
java-1.6.0-ibm-jdbc-1.6.0.8-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-jdbc-1.6.0.8-1jpp.1.el5.x86_64.rpm
java-1.6.0-ibm-plugin-1.6.0.8-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-plugin-1.6.0.8-1jpp.1.el5.x86_64.rpm
java-1.6.0-ibm-src-1.6.0.8-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-src-1.6.0.8-1jpp.1.el5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2010-0084.html
https://www.redhat.com/security/data/cve/CVE-2010-0085.html
https://www.redhat.com/security/data/cve/CVE-2010-0087.html
https://www.redhat.com/security/data/cve/CVE-2010-0088.html
https://www.redhat.com/security/data/cve/CVE-2010-0089.html
https://www.redhat.com/security/data/cve/CVE-2010-0090.html
https://www.redhat.com/security/data/cve/CVE-2010-0091.html
https://www.redhat.com/security/data/cve/CVE-2010-0092.html
https://www.redhat.com/security/data/cve/CVE-2010-0094.html
https://www.redhat.com/security/data/cve/CVE-2010-0095.html
https://www.redhat.com/security/data/cve/CVE-2010-0837.html
https://www.redhat.com/security/data/cve/CVE-2010-0838.html
https://www.redhat.com/security/data/cve/CVE-2010-0839.html
https://www.redhat.com/security/data/cve/CVE-2010-0840.html
https://www.redhat.com/security/data/cve/CVE-2010-0841.html
https://www.redhat.com/security/data/cve/CVE-2010-0842.html
https://www.redhat.com/security/data/cve/CVE-2010-0843.html
https://www.redhat.com/security/data/cve/CVE-2010-0844.html
https://www.redhat.com/security/data/cve/CVE-2010-0846.html
https://www.redhat.com/security/data/cve/CVE-2010-0848.html
https://www.redhat.com/security/data/cve/CVE-2010-0849.html
http://www.redhat.com/security/updates/classification/#critical
http://www.ibm.com/developerworks/java/jdk/alerts/

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2010 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFL2ceIXlSAg2UNWIIRAqT7AJ4r+sds+h9kyWMXt5265WdK9JYWTACghJ9Y
spwKgxyjw+2K8r5tDEcQ6Gw=
=Zops
-----END PGP SIGNATURE-----