From bugzilla at redhat.com Mon Oct 4 18:29:07 2010
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 4 Oct 2010 14:29:07 -0400
Subject: [RHSA-2010:0736-01] Important: freetype security update
Message-ID: <201010041829.o94IT9h5011668@int-mx03.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: freetype security update
Advisory ID:       RHSA-2010:0736-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2010-0736.html
Issue date:        2010-10-04
CVE Names:         CVE-2010-2806 CVE-2010-3054 CVE-2010-3311
=====================================================================

1. Summary:

Updated freetype packages that fix three security issues are now available
for Red Hat Enterprise Linux 3.

The Red Hat Security Response Team has rated this update as having important
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64

3. Description:

FreeType is a free, high-quality, portable font engine that can open and
manage font files. It also loads, hints, and renders individual glyphs
efficiently. The freetype packages for Red Hat Enterprise Linux 3 provide
both the FreeType 1 and FreeType 2 font engines.

It was discovered that the FreeType font rendering engine improperly
validated certain position values when processing input streams. If a user
loaded a specially-crafted font file with an application linked against
FreeType, and the relevant font glyphs were subsequently rendered with the X
FreeType library (libXft), it could trigger a heap-based buffer overflow in
the libXft library, causing the application to crash or, possibly, execute
arbitrary code with the privileges of the user running the application.
(CVE-2010-3311)

An array index error was found in the way the FreeType font rendering engine
processed certain PostScript Type 42 font files. If a user loaded a
specially-crafted font file with an application linked against FreeType, it
could cause the application to crash or, possibly, execute arbitrary code
with the privileges of the user running the application. (CVE-2010-2806)

A stack overflow flaw was found in the way the FreeType font rendering
engine processed PostScript Type 1 font files that contain nested Standard
Encoding Accented Character (seac) calls. If a user loaded a
specially-crafted font file with an application linked against FreeType, it
could cause the application to crash. (CVE-2010-3054)

Note: All of the issues in this erratum only affect the FreeType 2 font
engine.

Users are advised to upgrade to these updated packages, which contain
backported patches to correct these issues. The X server must be restarted
(log out, then log back in) for this update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

621980 - CVE-2010-2806 FreeType: Heap-based buffer overflow by processing FontType42 fonts with negative length of SFNT strings (FT bug #30656)
623625 - CVE-2010-3311 freetype: Input stream position error by processing Compact Font Format (CFF) font files
625632 - CVE-2010-3054 freetype: DoS via nested "seac" calls

6. Package List:

Red Hat Enterprise Linux AS version 3:

Source:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/freetype-2.1.4-18.el3.src.rpm

i386:
freetype-2.1.4-18.el3.i386.rpm
freetype-debuginfo-2.1.4-18.el3.i386.rpm
freetype-devel-2.1.4-18.el3.i386.rpm

ia64:
freetype-2.1.4-18.el3.i386.rpm
freetype-2.1.4-18.el3.ia64.rpm
freetype-debuginfo-2.1.4-18.el3.i386.rpm
freetype-debuginfo-2.1.4-18.el3.ia64.rpm
freetype-devel-2.1.4-18.el3.ia64.rpm

ppc:
freetype-2.1.4-18.el3.ppc.rpm
freetype-2.1.4-18.el3.ppc64.rpm
freetype-debuginfo-2.1.4-18.el3.ppc.rpm
freetype-debuginfo-2.1.4-18.el3.ppc64.rpm
freetype-devel-2.1.4-18.el3.ppc.rpm

s390:
freetype-2.1.4-18.el3.s390.rpm
freetype-debuginfo-2.1.4-18.el3.s390.rpm
freetype-devel-2.1.4-18.el3.s390.rpm

s390x:
freetype-2.1.4-18.el3.s390.rpm
freetype-2.1.4-18.el3.s390x.rpm
freetype-debuginfo-2.1.4-18.el3.s390.rpm
freetype-debuginfo-2.1.4-18.el3.s390x.rpm
freetype-devel-2.1.4-18.el3.s390x.rpm

x86_64:
freetype-2.1.4-18.el3.i386.rpm
freetype-2.1.4-18.el3.x86_64.rpm
freetype-debuginfo-2.1.4-18.el3.i386.rpm
freetype-debuginfo-2.1.4-18.el3.x86_64.rpm
freetype-devel-2.1.4-18.el3.x86_64.rpm

Red Hat Desktop version 3:

Source:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/freetype-2.1.4-18.el3.src.rpm

i386:
freetype-2.1.4-18.el3.i386.rpm
freetype-debuginfo-2.1.4-18.el3.i386.rpm
freetype-devel-2.1.4-18.el3.i386.rpm

x86_64:
freetype-2.1.4-18.el3.i386.rpm
freetype-2.1.4-18.el3.x86_64.rpm
freetype-debuginfo-2.1.4-18.el3.i386.rpm
freetype-debuginfo-2.1.4-18.el3.x86_64.rpm
freetype-devel-2.1.4-18.el3.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

Source:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/freetype-2.1.4-18.el3.src.rpm

i386:
freetype-2.1.4-18.el3.i386.rpm
freetype-debuginfo-2.1.4-18.el3.i386.rpm
freetype-devel-2.1.4-18.el3.i386.rpm

ia64:
freetype-2.1.4-18.el3.i386.rpm
freetype-2.1.4-18.el3.ia64.rpm
freetype-debuginfo-2.1.4-18.el3.i386.rpm
freetype-debuginfo-2.1.4-18.el3.ia64.rpm
freetype-devel-2.1.4-18.el3.ia64.rpm

x86_64:
freetype-2.1.4-18.el3.i386.rpm
freetype-2.1.4-18.el3.x86_64.rpm
freetype-debuginfo-2.1.4-18.el3.i386.rpm
freetype-debuginfo-2.1.4-18.el3.x86_64.rpm
freetype-devel-2.1.4-18.el3.x86_64.rpm

Red Hat Enterprise Linux WS version 3:

Source:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/freetype-2.1.4-18.el3.src.rpm

i386:
freetype-2.1.4-18.el3.i386.rpm
freetype-debuginfo-2.1.4-18.el3.i386.rpm
freetype-devel-2.1.4-18.el3.i386.rpm

ia64:
freetype-2.1.4-18.el3.i386.rpm
freetype-2.1.4-18.el3.ia64.rpm
freetype-debuginfo-2.1.4-18.el3.i386.rpm
freetype-debuginfo-2.1.4-18.el3.ia64.rpm
freetype-devel-2.1.4-18.el3.ia64.rpm

x86_64:
freetype-2.1.4-18.el3.i386.rpm
freetype-2.1.4-18.el3.x86_64.rpm
freetype-debuginfo-2.1.4-18.el3.i386.rpm
freetype-debuginfo-2.1.4-18.el3.x86_64.rpm
freetype-devel-2.1.4-18.el3.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details
on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2010-2806.html
https://www.redhat.com/security/data/cve/CVE-2010-3054.html
https://www.redhat.com/security/data/cve/CVE-2010-3311.html
http://www.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert at redhat.com>. More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2010 Red Hat, Inc.
From bugzilla at redhat.com Mon Oct 4 18:29:52 2010
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 4 Oct 2010 14:29:52 -0400
Subject: [RHSA-2010:0737-01] Important: freetype security update
Message-ID: <201010041829.o94ITrUp011903@int-mx03.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: freetype security update
Advisory ID:       RHSA-2010:0737-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2010-0737.html
Issue date:        2010-10-04
CVE Names:         CVE-2010-2806 CVE-2010-2808 CVE-2010-3054 CVE-2010-3311
=====================================================================

1. Summary:

Updated freetype packages that fix multiple security issues are now
available for Red Hat Enterprise Linux 4 and 5.

The Red Hat Security Response Team has rated this update as having important
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

3. Description:

FreeType is a free, high-quality, portable font engine that can open and
manage font files. It also loads, hints, and renders individual glyphs
efficiently. The freetype packages for Red Hat Enterprise Linux 4 provide
both the FreeType 1 and FreeType 2 font engines. The freetype packages for
Red Hat Enterprise Linux 5 provide only the FreeType 2 font engine.

It was discovered that the FreeType font rendering engine improperly
validated certain position values when processing input streams. If a user
loaded a specially-crafted font file with an application linked against
FreeType, and the relevant font glyphs were subsequently rendered with the X
FreeType library (libXft), it could trigger a heap-based buffer overflow in
the libXft library, causing the application to crash or, possibly, execute
arbitrary code with the privileges of the user running the application.
(CVE-2010-3311)

A stack-based buffer overflow flaw was found in the way the FreeType font
rendering engine processed some PostScript Type 1 fonts. If a user loaded a
specially-crafted font file with an application linked against FreeType, it
could cause the application to crash or, possibly, execute arbitrary code
with the privileges of the user running the application. (CVE-2010-2808)

An array index error was found in the way the FreeType font rendering engine
processed certain PostScript Type 42 font files. If a user loaded a
specially-crafted font file with an application linked against FreeType, it
could cause the application to crash or, possibly, execute arbitrary code
with the privileges of the user running the application. (CVE-2010-2806)

A stack overflow flaw was found in the way the FreeType font rendering
engine processed PostScript Type 1 font files that contain nested Standard
Encoding Accented Character (seac) calls. If a user loaded a
specially-crafted font file with an application linked against FreeType, it
could cause the application to crash. (CVE-2010-3054)

Note: All of the issues in this erratum only affect the FreeType 2 font
engine.

Users are advised to upgrade to these updated packages, which contain
backported patches to correct these issues. The X server must be restarted
(log out, then log back in) for this update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

621907 - CVE-2010-2808 FreeType: Stack-based buffer overflow by processing certain LWFN fonts
621980 - CVE-2010-2806 FreeType: Heap-based buffer overflow by processing FontType42 fonts with negative length of SFNT strings (FT bug #30656)
623625 - CVE-2010-3311 freetype: Input stream position error by processing Compact Font Format (CFF) font files
625632 - CVE-2010-3054 freetype: DoS via nested "seac" calls

6. Package List:

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/freetype-2.1.9-17.el4.8.src.rpm

i386:
freetype-2.1.9-17.el4.8.i386.rpm
freetype-debuginfo-2.1.9-17.el4.8.i386.rpm
freetype-demos-2.1.9-17.el4.8.i386.rpm
freetype-devel-2.1.9-17.el4.8.i386.rpm
freetype-utils-2.1.9-17.el4.8.i386.rpm

ia64:
freetype-2.1.9-17.el4.8.i386.rpm
freetype-2.1.9-17.el4.8.ia64.rpm
freetype-debuginfo-2.1.9-17.el4.8.i386.rpm
freetype-debuginfo-2.1.9-17.el4.8.ia64.rpm
freetype-demos-2.1.9-17.el4.8.ia64.rpm
freetype-devel-2.1.9-17.el4.8.ia64.rpm
freetype-utils-2.1.9-17.el4.8.ia64.rpm

ppc:
freetype-2.1.9-17.el4.8.ppc.rpm
freetype-2.1.9-17.el4.8.ppc64.rpm
freetype-debuginfo-2.1.9-17.el4.8.ppc.rpm
freetype-debuginfo-2.1.9-17.el4.8.ppc64.rpm
freetype-demos-2.1.9-17.el4.8.ppc.rpm
freetype-devel-2.1.9-17.el4.8.ppc.rpm
freetype-utils-2.1.9-17.el4.8.ppc.rpm

s390:
freetype-2.1.9-17.el4.8.s390.rpm
freetype-debuginfo-2.1.9-17.el4.8.s390.rpm
freetype-demos-2.1.9-17.el4.8.s390.rpm
freetype-devel-2.1.9-17.el4.8.s390.rpm
freetype-utils-2.1.9-17.el4.8.s390.rpm

s390x:
freetype-2.1.9-17.el4.8.s390.rpm
freetype-2.1.9-17.el4.8.s390x.rpm
freetype-debuginfo-2.1.9-17.el4.8.s390.rpm
freetype-debuginfo-2.1.9-17.el4.8.s390x.rpm
freetype-demos-2.1.9-17.el4.8.s390x.rpm
freetype-devel-2.1.9-17.el4.8.s390x.rpm
freetype-utils-2.1.9-17.el4.8.s390x.rpm

x86_64:
freetype-2.1.9-17.el4.8.i386.rpm
freetype-2.1.9-17.el4.8.x86_64.rpm
freetype-debuginfo-2.1.9-17.el4.8.i386.rpm
freetype-debuginfo-2.1.9-17.el4.8.x86_64.rpm
freetype-demos-2.1.9-17.el4.8.x86_64.rpm
freetype-devel-2.1.9-17.el4.8.x86_64.rpm
freetype-utils-2.1.9-17.el4.8.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/freetype-2.1.9-17.el4.8.src.rpm

i386:
freetype-2.1.9-17.el4.8.i386.rpm
freetype-debuginfo-2.1.9-17.el4.8.i386.rpm
freetype-demos-2.1.9-17.el4.8.i386.rpm
freetype-devel-2.1.9-17.el4.8.i386.rpm
freetype-utils-2.1.9-17.el4.8.i386.rpm

x86_64:
freetype-2.1.9-17.el4.8.i386.rpm
freetype-2.1.9-17.el4.8.x86_64.rpm
freetype-debuginfo-2.1.9-17.el4.8.i386.rpm
freetype-debuginfo-2.1.9-17.el4.8.x86_64.rpm
freetype-demos-2.1.9-17.el4.8.x86_64.rpm
freetype-devel-2.1.9-17.el4.8.x86_64.rpm
freetype-utils-2.1.9-17.el4.8.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/freetype-2.1.9-17.el4.8.src.rpm

i386:
freetype-2.1.9-17.el4.8.i386.rpm
freetype-debuginfo-2.1.9-17.el4.8.i386.rpm
freetype-demos-2.1.9-17.el4.8.i386.rpm
freetype-devel-2.1.9-17.el4.8.i386.rpm
freetype-utils-2.1.9-17.el4.8.i386.rpm

ia64:
freetype-2.1.9-17.el4.8.i386.rpm
freetype-2.1.9-17.el4.8.ia64.rpm
freetype-debuginfo-2.1.9-17.el4.8.i386.rpm
freetype-debuginfo-2.1.9-17.el4.8.ia64.rpm
freetype-demos-2.1.9-17.el4.8.ia64.rpm
freetype-devel-2.1.9-17.el4.8.ia64.rpm
freetype-utils-2.1.9-17.el4.8.ia64.rpm

x86_64:
freetype-2.1.9-17.el4.8.i386.rpm
freetype-2.1.9-17.el4.8.x86_64.rpm
freetype-debuginfo-2.1.9-17.el4.8.i386.rpm
freetype-debuginfo-2.1.9-17.el4.8.x86_64.rpm
freetype-demos-2.1.9-17.el4.8.x86_64.rpm
freetype-devel-2.1.9-17.el4.8.x86_64.rpm
freetype-utils-2.1.9-17.el4.8.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/freetype-2.1.9-17.el4.8.src.rpm

i386:
freetype-2.1.9-17.el4.8.i386.rpm
freetype-debuginfo-2.1.9-17.el4.8.i386.rpm
freetype-demos-2.1.9-17.el4.8.i386.rpm
freetype-devel-2.1.9-17.el4.8.i386.rpm
freetype-utils-2.1.9-17.el4.8.i386.rpm

ia64:
freetype-2.1.9-17.el4.8.i386.rpm
freetype-2.1.9-17.el4.8.ia64.rpm
freetype-debuginfo-2.1.9-17.el4.8.i386.rpm
freetype-debuginfo-2.1.9-17.el4.8.ia64.rpm
freetype-demos-2.1.9-17.el4.8.ia64.rpm
freetype-devel-2.1.9-17.el4.8.ia64.rpm
freetype-utils-2.1.9-17.el4.8.ia64.rpm

x86_64:
freetype-2.1.9-17.el4.8.i386.rpm
freetype-2.1.9-17.el4.8.x86_64.rpm
freetype-debuginfo-2.1.9-17.el4.8.i386.rpm
freetype-debuginfo-2.1.9-17.el4.8.x86_64.rpm
freetype-demos-2.1.9-17.el4.8.x86_64.rpm
freetype-devel-2.1.9-17.el4.8.x86_64.rpm
freetype-utils-2.1.9-17.el4.8.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/freetype-2.2.1-28.el5_5.src.rpm

i386:
freetype-2.2.1-28.el5_5.i386.rpm
freetype-debuginfo-2.2.1-28.el5_5.i386.rpm

x86_64:
freetype-2.2.1-28.el5_5.i386.rpm
freetype-2.2.1-28.el5_5.x86_64.rpm
freetype-debuginfo-2.2.1-28.el5_5.i386.rpm
freetype-debuginfo-2.2.1-28.el5_5.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/freetype-2.2.1-28.el5_5.src.rpm

i386:
freetype-debuginfo-2.2.1-28.el5_5.i386.rpm
freetype-demos-2.2.1-28.el5_5.i386.rpm
freetype-devel-2.2.1-28.el5_5.i386.rpm

x86_64:
freetype-debuginfo-2.2.1-28.el5_5.i386.rpm
freetype-debuginfo-2.2.1-28.el5_5.x86_64.rpm
freetype-demos-2.2.1-28.el5_5.x86_64.rpm
freetype-devel-2.2.1-28.el5_5.i386.rpm
freetype-devel-2.2.1-28.el5_5.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/freetype-2.2.1-28.el5_5.src.rpm

i386:
freetype-2.2.1-28.el5_5.i386.rpm
freetype-debuginfo-2.2.1-28.el5_5.i386.rpm
freetype-demos-2.2.1-28.el5_5.i386.rpm
freetype-devel-2.2.1-28.el5_5.i386.rpm

ia64:
freetype-2.2.1-28.el5_5.i386.rpm
freetype-2.2.1-28.el5_5.ia64.rpm
freetype-debuginfo-2.2.1-28.el5_5.i386.rpm
freetype-debuginfo-2.2.1-28.el5_5.ia64.rpm
freetype-demos-2.2.1-28.el5_5.ia64.rpm
freetype-devel-2.2.1-28.el5_5.ia64.rpm

ppc:
freetype-2.2.1-28.el5_5.ppc.rpm
freetype-2.2.1-28.el5_5.ppc64.rpm
freetype-debuginfo-2.2.1-28.el5_5.ppc.rpm
freetype-debuginfo-2.2.1-28.el5_5.ppc64.rpm
freetype-demos-2.2.1-28.el5_5.ppc.rpm
freetype-devel-2.2.1-28.el5_5.ppc.rpm
freetype-devel-2.2.1-28.el5_5.ppc64.rpm

s390x:
freetype-2.2.1-28.el5_5.s390.rpm
freetype-2.2.1-28.el5_5.s390x.rpm
freetype-debuginfo-2.2.1-28.el5_5.s390.rpm
freetype-debuginfo-2.2.1-28.el5_5.s390x.rpm
freetype-demos-2.2.1-28.el5_5.s390x.rpm
freetype-devel-2.2.1-28.el5_5.s390.rpm
freetype-devel-2.2.1-28.el5_5.s390x.rpm

x86_64:
freetype-2.2.1-28.el5_5.i386.rpm
freetype-2.2.1-28.el5_5.x86_64.rpm
freetype-debuginfo-2.2.1-28.el5_5.i386.rpm
freetype-debuginfo-2.2.1-28.el5_5.x86_64.rpm
freetype-demos-2.2.1-28.el5_5.x86_64.rpm
freetype-devel-2.2.1-28.el5_5.i386.rpm
freetype-devel-2.2.1-28.el5_5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details
on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2010-2806.html
https://www.redhat.com/security/data/cve/CVE-2010-2808.html
https://www.redhat.com/security/data/cve/CVE-2010-3054.html
https://www.redhat.com/security/data/cve/CVE-2010-3311.html
http://www.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert at redhat.com>.
More contact details at https://www.redhat.com/security/team/contact/

Copyright 2010 Red Hat, Inc.

From bugzilla at redhat.com Wed Oct 6 10:38:31 2010
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 6 Oct 2010 06:38:31 -0400
Subject: [RHSA-2010:0742-01] Moderate: postgresql and postgresql84 security update
Message-ID: <201010061039.o96AdS1e025047@int-mx03.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: postgresql and postgresql84 security update
Advisory ID:       RHSA-2010:0742-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2010-0742.html
Issue date:        2010-10-06
CVE Names:         CVE-2010-3433
=====================================================================

1. Summary:

Updated postgresql and postgresql84 packages that fix one security issue are
now available for Red Hat Enterprise Linux 4 and 5.

The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

3. Description:

PostgreSQL is an advanced object-relational database management system
(DBMS). PL/Perl and PL/Tcl allow users to write PostgreSQL functions in the
Perl and Tcl languages.

The PostgreSQL SECURITY DEFINER parameter, which can be used when creating a
new PostgreSQL function, specifies that the function will be executed with
the privileges of the user that created it. It was discovered that a user
could utilize the features of the PL/Perl and PL/Tcl languages to modify the
behavior of a SECURITY DEFINER function created by a different user. If the
PL/Perl or PL/Tcl language was used to implement a SECURITY DEFINER
function, an authenticated database user could use a PL/Perl or PL/Tcl
script to modify the behavior of that function during subsequent calls in
the same session. This would result in the modified or injected code also
being executed with the privileges of the user who created the SECURITY
DEFINER function, possibly leading to privilege escalation. (CVE-2010-3433)

For Red Hat Enterprise Linux 4, the updated postgresql packages upgrade
PostgreSQL to version 7.4.30. Refer to the PostgreSQL Release Notes for a
list of changes:

http://www.postgresql.org/docs/7.4/static/release.html

For Red Hat Enterprise Linux 5, the updated postgresql packages upgrade
PostgreSQL to version 8.1.22, and the updated postgresql84 packages upgrade
PostgreSQL to version 8.4.5. Refer to the PostgreSQL Release Notes for a
list of changes:

http://www.postgresql.org/docs/8.1/static/release.html
http://www.postgresql.org/docs/8.4/static/release.html

All PostgreSQL users are advised to upgrade to these updated packages, which
correct this issue. If the postgresql service is running, it will be
automatically restarted after installing this update.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

639371 - CVE-2010-3433 PostgreSQL (PL/Perl, PL/Tcl): SECURITY DEFINER function keyword bypass

6. Package List:

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/postgresql-7.4.30-1.el4_8.1.src.rpm

i386:
postgresql-7.4.30-1.el4_8.1.i386.rpm
postgresql-contrib-7.4.30-1.el4_8.1.i386.rpm
postgresql-debuginfo-7.4.30-1.el4_8.1.i386.rpm
postgresql-devel-7.4.30-1.el4_8.1.i386.rpm
postgresql-docs-7.4.30-1.el4_8.1.i386.rpm
postgresql-jdbc-7.4.30-1.el4_8.1.i386.rpm
postgresql-libs-7.4.30-1.el4_8.1.i386.rpm
postgresql-pl-7.4.30-1.el4_8.1.i386.rpm
postgresql-python-7.4.30-1.el4_8.1.i386.rpm
postgresql-server-7.4.30-1.el4_8.1.i386.rpm
postgresql-tcl-7.4.30-1.el4_8.1.i386.rpm
postgresql-test-7.4.30-1.el4_8.1.i386.rpm

ia64:
postgresql-7.4.30-1.el4_8.1.ia64.rpm
postgresql-contrib-7.4.30-1.el4_8.1.ia64.rpm
postgresql-debuginfo-7.4.30-1.el4_8.1.i386.rpm
postgresql-debuginfo-7.4.30-1.el4_8.1.ia64.rpm
postgresql-devel-7.4.30-1.el4_8.1.ia64.rpm
postgresql-docs-7.4.30-1.el4_8.1.ia64.rpm
postgresql-jdbc-7.4.30-1.el4_8.1.ia64.rpm
postgresql-libs-7.4.30-1.el4_8.1.i386.rpm
postgresql-libs-7.4.30-1.el4_8.1.ia64.rpm
postgresql-pl-7.4.30-1.el4_8.1.ia64.rpm
postgresql-python-7.4.30-1.el4_8.1.ia64.rpm
postgresql-server-7.4.30-1.el4_8.1.ia64.rpm
postgresql-tcl-7.4.30-1.el4_8.1.ia64.rpm
postgresql-test-7.4.30-1.el4_8.1.ia64.rpm

ppc:
postgresql-7.4.30-1.el4_8.1.ppc.rpm
postgresql-contrib-7.4.30-1.el4_8.1.ppc.rpm
postgresql-debuginfo-7.4.30-1.el4_8.1.ppc.rpm
postgresql-debuginfo-7.4.30-1.el4_8.1.ppc64.rpm
postgresql-devel-7.4.30-1.el4_8.1.ppc.rpm
postgresql-docs-7.4.30-1.el4_8.1.ppc.rpm
postgresql-jdbc-7.4.30-1.el4_8.1.ppc.rpm
postgresql-libs-7.4.30-1.el4_8.1.ppc.rpm
postgresql-libs-7.4.30-1.el4_8.1.ppc64.rpm
postgresql-pl-7.4.30-1.el4_8.1.ppc.rpm
postgresql-python-7.4.30-1.el4_8.1.ppc.rpm
postgresql-server-7.4.30-1.el4_8.1.ppc.rpm
postgresql-tcl-7.4.30-1.el4_8.1.ppc.rpm
postgresql-test-7.4.30-1.el4_8.1.ppc.rpm

s390:
postgresql-7.4.30-1.el4_8.1.s390.rpm
postgresql-contrib-7.4.30-1.el4_8.1.s390.rpm
postgresql-debuginfo-7.4.30-1.el4_8.1.s390.rpm
postgresql-devel-7.4.30-1.el4_8.1.s390.rpm
postgresql-docs-7.4.30-1.el4_8.1.s390.rpm
postgresql-jdbc-7.4.30-1.el4_8.1.s390.rpm
postgresql-libs-7.4.30-1.el4_8.1.s390.rpm
postgresql-pl-7.4.30-1.el4_8.1.s390.rpm
postgresql-python-7.4.30-1.el4_8.1.s390.rpm
postgresql-server-7.4.30-1.el4_8.1.s390.rpm
postgresql-tcl-7.4.30-1.el4_8.1.s390.rpm
postgresql-test-7.4.30-1.el4_8.1.s390.rpm

s390x:
postgresql-7.4.30-1.el4_8.1.s390x.rpm
postgresql-contrib-7.4.30-1.el4_8.1.s390x.rpm
postgresql-debuginfo-7.4.30-1.el4_8.1.s390.rpm
postgresql-debuginfo-7.4.30-1.el4_8.1.s390x.rpm
postgresql-devel-7.4.30-1.el4_8.1.s390x.rpm
postgresql-docs-7.4.30-1.el4_8.1.s390x.rpm
postgresql-jdbc-7.4.30-1.el4_8.1.s390x.rpm
postgresql-libs-7.4.30-1.el4_8.1.s390.rpm
postgresql-libs-7.4.30-1.el4_8.1.s390x.rpm
postgresql-pl-7.4.30-1.el4_8.1.s390x.rpm
postgresql-python-7.4.30-1.el4_8.1.s390x.rpm
postgresql-server-7.4.30-1.el4_8.1.s390x.rpm
postgresql-tcl-7.4.30-1.el4_8.1.s390x.rpm
postgresql-test-7.4.30-1.el4_8.1.s390x.rpm

x86_64:
postgresql-7.4.30-1.el4_8.1.x86_64.rpm
postgresql-contrib-7.4.30-1.el4_8.1.x86_64.rpm
postgresql-debuginfo-7.4.30-1.el4_8.1.i386.rpm
postgresql-debuginfo-7.4.30-1.el4_8.1.x86_64.rpm
postgresql-devel-7.4.30-1.el4_8.1.x86_64.rpm
postgresql-docs-7.4.30-1.el4_8.1.x86_64.rpm
postgresql-jdbc-7.4.30-1.el4_8.1.x86_64.rpm
postgresql-libs-7.4.30-1.el4_8.1.i386.rpm
postgresql-libs-7.4.30-1.el4_8.1.x86_64.rpm
postgresql-pl-7.4.30-1.el4_8.1.x86_64.rpm
postgresql-python-7.4.30-1.el4_8.1.x86_64.rpm
postgresql-server-7.4.30-1.el4_8.1.x86_64.rpm
postgresql-tcl-7.4.30-1.el4_8.1.x86_64.rpm
postgresql-test-7.4.30-1.el4_8.1.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/postgresql-7.4.30-1.el4_8.1.src.rpm

i386:
postgresql-7.4.30-1.el4_8.1.i386.rpm
postgresql-contrib-7.4.30-1.el4_8.1.i386.rpm
postgresql-debuginfo-7.4.30-1.el4_8.1.i386.rpm
postgresql-devel-7.4.30-1.el4_8.1.i386.rpm
postgresql-docs-7.4.30-1.el4_8.1.i386.rpm
postgresql-jdbc-7.4.30-1.el4_8.1.i386.rpm
postgresql-libs-7.4.30-1.el4_8.1.i386.rpm
postgresql-pl-7.4.30-1.el4_8.1.i386.rpm
postgresql-python-7.4.30-1.el4_8.1.i386.rpm
postgresql-server-7.4.30-1.el4_8.1.i386.rpm
postgresql-tcl-7.4.30-1.el4_8.1.i386.rpm
postgresql-test-7.4.30-1.el4_8.1.i386.rpm

x86_64:
postgresql-7.4.30-1.el4_8.1.x86_64.rpm
postgresql-contrib-7.4.30-1.el4_8.1.x86_64.rpm
postgresql-debuginfo-7.4.30-1.el4_8.1.i386.rpm
postgresql-debuginfo-7.4.30-1.el4_8.1.x86_64.rpm
postgresql-devel-7.4.30-1.el4_8.1.x86_64.rpm
postgresql-docs-7.4.30-1.el4_8.1.x86_64.rpm
postgresql-jdbc-7.4.30-1.el4_8.1.x86_64.rpm
postgresql-libs-7.4.30-1.el4_8.1.i386.rpm
postgresql-libs-7.4.30-1.el4_8.1.x86_64.rpm
postgresql-pl-7.4.30-1.el4_8.1.x86_64.rpm
postgresql-python-7.4.30-1.el4_8.1.x86_64.rpm
postgresql-server-7.4.30-1.el4_8.1.x86_64.rpm
postgresql-tcl-7.4.30-1.el4_8.1.x86_64.rpm
postgresql-test-7.4.30-1.el4_8.1.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/postgresql-7.4.30-1.el4_8.1.src.rpm

i386:
postgresql-7.4.30-1.el4_8.1.i386.rpm
postgresql-contrib-7.4.30-1.el4_8.1.i386.rpm
postgresql-debuginfo-7.4.30-1.el4_8.1.i386.rpm
postgresql-devel-7.4.30-1.el4_8.1.i386.rpm
postgresql-docs-7.4.30-1.el4_8.1.i386.rpm
postgresql-jdbc-7.4.30-1.el4_8.1.i386.rpm
postgresql-libs-7.4.30-1.el4_8.1.i386.rpm
postgresql-pl-7.4.30-1.el4_8.1.i386.rpm
postgresql-python-7.4.30-1.el4_8.1.i386.rpm
postgresql-server-7.4.30-1.el4_8.1.i386.rpm
postgresql-tcl-7.4.30-1.el4_8.1.i386.rpm
postgresql-test-7.4.30-1.el4_8.1.i386.rpm

ia64:
postgresql-7.4.30-1.el4_8.1.ia64.rpm
postgresql-contrib-7.4.30-1.el4_8.1.ia64.rpm
postgresql-debuginfo-7.4.30-1.el4_8.1.i386.rpm
postgresql-debuginfo-7.4.30-1.el4_8.1.ia64.rpm
postgresql-devel-7.4.30-1.el4_8.1.ia64.rpm
postgresql-docs-7.4.30-1.el4_8.1.ia64.rpm
postgresql-jdbc-7.4.30-1.el4_8.1.ia64.rpm
postgresql-libs-7.4.30-1.el4_8.1.i386.rpm
postgresql-libs-7.4.30-1.el4_8.1.ia64.rpm
postgresql-pl-7.4.30-1.el4_8.1.ia64.rpm
postgresql-python-7.4.30-1.el4_8.1.ia64.rpm
postgresql-server-7.4.30-1.el4_8.1.ia64.rpm
postgresql-tcl-7.4.30-1.el4_8.1.ia64.rpm
postgresql-test-7.4.30-1.el4_8.1.ia64.rpm

x86_64:
postgresql-7.4.30-1.el4_8.1.x86_64.rpm
postgresql-contrib-7.4.30-1.el4_8.1.x86_64.rpm
postgresql-debuginfo-7.4.30-1.el4_8.1.i386.rpm
postgresql-debuginfo-7.4.30-1.el4_8.1.x86_64.rpm
postgresql-devel-7.4.30-1.el4_8.1.x86_64.rpm
postgresql-docs-7.4.30-1.el4_8.1.x86_64.rpm
postgresql-jdbc-7.4.30-1.el4_8.1.x86_64.rpm
postgresql-libs-7.4.30-1.el4_8.1.i386.rpm
postgresql-libs-7.4.30-1.el4_8.1.x86_64.rpm
postgresql-pl-7.4.30-1.el4_8.1.x86_64.rpm
postgresql-python-7.4.30-1.el4_8.1.x86_64.rpm
postgresql-server-7.4.30-1.el4_8.1.x86_64.rpm
postgresql-tcl-7.4.30-1.el4_8.1.x86_64.rpm
postgresql-test-7.4.30-1.el4_8.1.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/postgresql-7.4.30-1.el4_8.1.src.rpm

i386:
postgresql-7.4.30-1.el4_8.1.i386.rpm
postgresql-contrib-7.4.30-1.el4_8.1.i386.rpm
postgresql-debuginfo-7.4.30-1.el4_8.1.i386.rpm
postgresql-devel-7.4.30-1.el4_8.1.i386.rpm
postgresql-docs-7.4.30-1.el4_8.1.i386.rpm
postgresql-jdbc-7.4.30-1.el4_8.1.i386.rpm
postgresql-libs-7.4.30-1.el4_8.1.i386.rpm
postgresql-pl-7.4.30-1.el4_8.1.i386.rpm
postgresql-python-7.4.30-1.el4_8.1.i386.rpm
postgresql-server-7.4.30-1.el4_8.1.i386.rpm
postgresql-tcl-7.4.30-1.el4_8.1.i386.rpm
postgresql-test-7.4.30-1.el4_8.1.i386.rpm

ia64:
postgresql-7.4.30-1.el4_8.1.ia64.rpm
postgresql-contrib-7.4.30-1.el4_8.1.ia64.rpm
postgresql-debuginfo-7.4.30-1.el4_8.1.i386.rpm
postgresql-debuginfo-7.4.30-1.el4_8.1.ia64.rpm
postgresql-devel-7.4.30-1.el4_8.1.ia64.rpm
postgresql-docs-7.4.30-1.el4_8.1.ia64.rpm
postgresql-jdbc-7.4.30-1.el4_8.1.ia64.rpm
postgresql-libs-7.4.30-1.el4_8.1.i386.rpm
postgresql-libs-7.4.30-1.el4_8.1.ia64.rpm
postgresql-pl-7.4.30-1.el4_8.1.ia64.rpm
postgresql-python-7.4.30-1.el4_8.1.ia64.rpm
postgresql-server-7.4.30-1.el4_8.1.ia64.rpm
postgresql-tcl-7.4.30-1.el4_8.1.ia64.rpm
postgresql-test-7.4.30-1.el4_8.1.ia64.rpm

x86_64:
postgresql-7.4.30-1.el4_8.1.x86_64.rpm
postgresql-contrib-7.4.30-1.el4_8.1.x86_64.rpm
postgresql-debuginfo-7.4.30-1.el4_8.1.i386.rpm
postgresql-debuginfo-7.4.30-1.el4_8.1.x86_64.rpm
postgresql-devel-7.4.30-1.el4_8.1.x86_64.rpm
postgresql-docs-7.4.30-1.el4_8.1.x86_64.rpm
postgresql-jdbc-7.4.30-1.el4_8.1.x86_64.rpm
postgresql-libs-7.4.30-1.el4_8.1.i386.rpm
postgresql-libs-7.4.30-1.el4_8.1.x86_64.rpm
postgresql-pl-7.4.30-1.el4_8.1.x86_64.rpm
postgresql-python-7.4.30-1.el4_8.1.x86_64.rpm
postgresql-server-7.4.30-1.el4_8.1.x86_64.rpm
postgresql-tcl-7.4.30-1.el4_8.1.x86_64.rpm
postgresql-test-7.4.30-1.el4_8.1.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/postgresql-8.1.22-1.el5_5.1.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/postgresql84-8.4.5-1.el5_5.1.src.rpm

i386:
postgresql-8.1.22-1.el5_5.1.i386.rpm
postgresql-contrib-8.1.22-1.el5_5.1.i386.rpm
postgresql-debuginfo-8.1.22-1.el5_5.1.i386.rpm
postgresql-docs-8.1.22-1.el5_5.1.i386.rpm
postgresql-libs-8.1.22-1.el5_5.1.i386.rpm
postgresql-python-8.1.22-1.el5_5.1.i386.rpm
postgresql-tcl-8.1.22-1.el5_5.1.i386.rpm
postgresql84-8.4.5-1.el5_5.1.i386.rpm
postgresql84-contrib-8.4.5-1.el5_5.1.i386.rpm
postgresql84-debuginfo-8.4.5-1.el5_5.1.i386.rpm
postgresql84-docs-8.4.5-1.el5_5.1.i386.rpm
postgresql84-libs-8.4.5-1.el5_5.1.i386.rpm
postgresql84-python-8.4.5-1.el5_5.1.i386.rpm
postgresql84-tcl-8.4.5-1.el5_5.1.i386.rpm

x86_64:
postgresql-8.1.22-1.el5_5.1.x86_64.rpm
postgresql-contrib-8.1.22-1.el5_5.1.x86_64.rpm
postgresql-debuginfo-8.1.22-1.el5_5.1.i386.rpm
postgresql-debuginfo-8.1.22-1.el5_5.1.x86_64.rpm
postgresql-docs-8.1.22-1.el5_5.1.x86_64.rpm
postgresql-libs-8.1.22-1.el5_5.1.i386.rpm
postgresql-libs-8.1.22-1.el5_5.1.x86_64.rpm
postgresql-python-8.1.22-1.el5_5.1.x86_64.rpm
postgresql-tcl-8.1.22-1.el5_5.1.x86_64.rpm
postgresql84-8.4.5-1.el5_5.1.x86_64.rpm
postgresql84-contrib-8.4.5-1.el5_5.1.x86_64.rpm
postgresql84-debuginfo-8.4.5-1.el5_5.1.i386.rpm
postgresql84-debuginfo-8.4.5-1.el5_5.1.x86_64.rpm
postgresql84-docs-8.4.5-1.el5_5.1.x86_64.rpm
postgresql84-libs-8.4.5-1.el5_5.1.i386.rpm
postgresql84-libs-8.4.5-1.el5_5.1.x86_64.rpm
postgresql84-python-8.4.5-1.el5_5.1.x86_64.rpm
postgresql84-tcl-8.4.5-1.el5_5.1.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/postgresql-8.1.22-1.el5_5.1.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/postgresql84-8.4.5-1.el5_5.1.src.rpm

i386:
postgresql-debuginfo-8.1.22-1.el5_5.1.i386.rpm
postgresql-devel-8.1.22-1.el5_5.1.i386.rpm
postgresql-pl-8.1.22-1.el5_5.1.i386.rpm
postgresql-server-8.1.22-1.el5_5.1.i386.rpm
postgresql-test-8.1.22-1.el5_5.1.i386.rpm
postgresql84-debuginfo-8.4.5-1.el5_5.1.i386.rpm
postgresql84-devel-8.4.5-1.el5_5.1.i386.rpm
postgresql84-plperl-8.4.5-1.el5_5.1.i386.rpm
postgresql84-plpython-8.4.5-1.el5_5.1.i386.rpm
postgresql84-pltcl-8.4.5-1.el5_5.1.i386.rpm
postgresql84-server-8.4.5-1.el5_5.1.i386.rpm
postgresql84-test-8.4.5-1.el5_5.1.i386.rpm

x86_64:
postgresql-debuginfo-8.1.22-1.el5_5.1.i386.rpm
postgresql-debuginfo-8.1.22-1.el5_5.1.x86_64.rpm
postgresql-devel-8.1.22-1.el5_5.1.i386.rpm
postgresql-devel-8.1.22-1.el5_5.1.x86_64.rpm
postgresql-pl-8.1.22-1.el5_5.1.x86_64.rpm
postgresql-server-8.1.22-1.el5_5.1.x86_64.rpm
postgresql-test-8.1.22-1.el5_5.1.x86_64.rpm
postgresql84-debuginfo-8.4.5-1.el5_5.1.i386.rpm
postgresql84-debuginfo-8.4.5-1.el5_5.1.x86_64.rpm
postgresql84-devel-8.4.5-1.el5_5.1.i386.rpm
postgresql84-devel-8.4.5-1.el5_5.1.x86_64.rpm
postgresql84-plperl-8.4.5-1.el5_5.1.x86_64.rpm
postgresql84-plpython-8.4.5-1.el5_5.1.x86_64.rpm
postgresql84-pltcl-8.4.5-1.el5_5.1.x86_64.rpm
postgresql84-server-8.4.5-1.el5_5.1.x86_64.rpm
postgresql84-test-8.4.5-1.el5_5.1.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/postgresql-8.1.22-1.el5_5.1.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/postgresql84-8.4.5-1.el5_5.1.src.rpm

i386:
postgresql-8.1.22-1.el5_5.1.i386.rpm
postgresql-contrib-8.1.22-1.el5_5.1.i386.rpm
postgresql-debuginfo-8.1.22-1.el5_5.1.i386.rpm
postgresql-devel-8.1.22-1.el5_5.1.i386.rpm
postgresql-docs-8.1.22-1.el5_5.1.i386.rpm
postgresql-libs-8.1.22-1.el5_5.1.i386.rpm
postgresql-pl-8.1.22-1.el5_5.1.i386.rpm
postgresql-python-8.1.22-1.el5_5.1.i386.rpm
postgresql-server-8.1.22-1.el5_5.1.i386.rpm
postgresql-tcl-8.1.22-1.el5_5.1.i386.rpm
postgresql-test-8.1.22-1.el5_5.1.i386.rpm
postgresql84-8.4.5-1.el5_5.1.i386.rpm
postgresql84-contrib-8.4.5-1.el5_5.1.i386.rpm
postgresql84-debuginfo-8.4.5-1.el5_5.1.i386.rpm
postgresql84-devel-8.4.5-1.el5_5.1.i386.rpm
postgresql84-docs-8.4.5-1.el5_5.1.i386.rpm
postgresql84-libs-8.4.5-1.el5_5.1.i386.rpm
postgresql84-plperl-8.4.5-1.el5_5.1.i386.rpm
postgresql84-plpython-8.4.5-1.el5_5.1.i386.rpm
postgresql84-pltcl-8.4.5-1.el5_5.1.i386.rpm
postgresql84-python-8.4.5-1.el5_5.1.i386.rpm
postgresql84-server-8.4.5-1.el5_5.1.i386.rpm
postgresql84-tcl-8.4.5-1.el5_5.1.i386.rpm
postgresql84-test-8.4.5-1.el5_5.1.i386.rpm

ia64:
postgresql-8.1.22-1.el5_5.1.ia64.rpm
postgresql-contrib-8.1.22-1.el5_5.1.ia64.rpm
postgresql-debuginfo-8.1.22-1.el5_5.1.i386.rpm
postgresql-debuginfo-8.1.22-1.el5_5.1.ia64.rpm
postgresql-devel-8.1.22-1.el5_5.1.ia64.rpm
postgresql-docs-8.1.22-1.el5_5.1.ia64.rpm
postgresql-libs-8.1.22-1.el5_5.1.i386.rpm
postgresql-libs-8.1.22-1.el5_5.1.ia64.rpm
postgresql-pl-8.1.22-1.el5_5.1.ia64.rpm
postgresql-python-8.1.22-1.el5_5.1.ia64.rpm
postgresql-server-8.1.22-1.el5_5.1.ia64.rpm
postgresql-tcl-8.1.22-1.el5_5.1.ia64.rpm
postgresql-test-8.1.22-1.el5_5.1.ia64.rpm
postgresql84-8.4.5-1.el5_5.1.ia64.rpm
postgresql84-contrib-8.4.5-1.el5_5.1.ia64.rpm
postgresql84-debuginfo-8.4.5-1.el5_5.1.ia64.rpm
postgresql84-devel-8.4.5-1.el5_5.1.ia64.rpm postgresql84-docs-8.4.5-1.el5_5.1.ia64.rpm postgresql84-libs-8.4.5-1.el5_5.1.ia64.rpm postgresql84-plperl-8.4.5-1.el5_5.1.ia64.rpm postgresql84-plpython-8.4.5-1.el5_5.1.ia64.rpm postgresql84-pltcl-8.4.5-1.el5_5.1.ia64.rpm postgresql84-python-8.4.5-1.el5_5.1.ia64.rpm postgresql84-server-8.4.5-1.el5_5.1.ia64.rpm postgresql84-tcl-8.4.5-1.el5_5.1.ia64.rpm postgresql84-test-8.4.5-1.el5_5.1.ia64.rpm ppc: postgresql-8.1.22-1.el5_5.1.ppc.rpm postgresql-8.1.22-1.el5_5.1.ppc64.rpm postgresql-contrib-8.1.22-1.el5_5.1.ppc.rpm postgresql-debuginfo-8.1.22-1.el5_5.1.ppc.rpm postgresql-debuginfo-8.1.22-1.el5_5.1.ppc64.rpm postgresql-devel-8.1.22-1.el5_5.1.ppc.rpm postgresql-devel-8.1.22-1.el5_5.1.ppc64.rpm postgresql-docs-8.1.22-1.el5_5.1.ppc.rpm postgresql-libs-8.1.22-1.el5_5.1.ppc.rpm postgresql-libs-8.1.22-1.el5_5.1.ppc64.rpm postgresql-pl-8.1.22-1.el5_5.1.ppc.rpm postgresql-python-8.1.22-1.el5_5.1.ppc.rpm postgresql-server-8.1.22-1.el5_5.1.ppc.rpm postgresql-tcl-8.1.22-1.el5_5.1.ppc.rpm postgresql-test-8.1.22-1.el5_5.1.ppc.rpm postgresql84-8.4.5-1.el5_5.1.ppc.rpm postgresql84-8.4.5-1.el5_5.1.ppc64.rpm postgresql84-contrib-8.4.5-1.el5_5.1.ppc.rpm postgresql84-debuginfo-8.4.5-1.el5_5.1.ppc.rpm postgresql84-debuginfo-8.4.5-1.el5_5.1.ppc64.rpm postgresql84-devel-8.4.5-1.el5_5.1.ppc.rpm postgresql84-devel-8.4.5-1.el5_5.1.ppc64.rpm postgresql84-docs-8.4.5-1.el5_5.1.ppc.rpm postgresql84-libs-8.4.5-1.el5_5.1.ppc.rpm postgresql84-libs-8.4.5-1.el5_5.1.ppc64.rpm postgresql84-plperl-8.4.5-1.el5_5.1.ppc.rpm postgresql84-plpython-8.4.5-1.el5_5.1.ppc.rpm postgresql84-pltcl-8.4.5-1.el5_5.1.ppc.rpm postgresql84-python-8.4.5-1.el5_5.1.ppc.rpm postgresql84-server-8.4.5-1.el5_5.1.ppc.rpm postgresql84-tcl-8.4.5-1.el5_5.1.ppc.rpm postgresql84-test-8.4.5-1.el5_5.1.ppc.rpm s390x: postgresql-8.1.22-1.el5_5.1.s390x.rpm postgresql-contrib-8.1.22-1.el5_5.1.s390x.rpm postgresql-debuginfo-8.1.22-1.el5_5.1.s390.rpm postgresql-debuginfo-8.1.22-1.el5_5.1.s390x.rpm 
postgresql-devel-8.1.22-1.el5_5.1.s390.rpm postgresql-devel-8.1.22-1.el5_5.1.s390x.rpm postgresql-docs-8.1.22-1.el5_5.1.s390x.rpm postgresql-libs-8.1.22-1.el5_5.1.s390.rpm postgresql-libs-8.1.22-1.el5_5.1.s390x.rpm postgresql-pl-8.1.22-1.el5_5.1.s390x.rpm postgresql-python-8.1.22-1.el5_5.1.s390x.rpm postgresql-server-8.1.22-1.el5_5.1.s390x.rpm postgresql-tcl-8.1.22-1.el5_5.1.s390x.rpm postgresql-test-8.1.22-1.el5_5.1.s390x.rpm postgresql84-8.4.5-1.el5_5.1.s390x.rpm postgresql84-contrib-8.4.5-1.el5_5.1.s390x.rpm postgresql84-debuginfo-8.4.5-1.el5_5.1.s390.rpm postgresql84-debuginfo-8.4.5-1.el5_5.1.s390x.rpm postgresql84-devel-8.4.5-1.el5_5.1.s390.rpm postgresql84-devel-8.4.5-1.el5_5.1.s390x.rpm postgresql84-docs-8.4.5-1.el5_5.1.s390x.rpm postgresql84-libs-8.4.5-1.el5_5.1.s390.rpm postgresql84-libs-8.4.5-1.el5_5.1.s390x.rpm postgresql84-plperl-8.4.5-1.el5_5.1.s390x.rpm postgresql84-plpython-8.4.5-1.el5_5.1.s390x.rpm postgresql84-pltcl-8.4.5-1.el5_5.1.s390x.rpm postgresql84-python-8.4.5-1.el5_5.1.s390x.rpm postgresql84-server-8.4.5-1.el5_5.1.s390x.rpm postgresql84-tcl-8.4.5-1.el5_5.1.s390x.rpm postgresql84-test-8.4.5-1.el5_5.1.s390x.rpm x86_64: postgresql-8.1.22-1.el5_5.1.x86_64.rpm postgresql-contrib-8.1.22-1.el5_5.1.x86_64.rpm postgresql-debuginfo-8.1.22-1.el5_5.1.i386.rpm postgresql-debuginfo-8.1.22-1.el5_5.1.x86_64.rpm postgresql-devel-8.1.22-1.el5_5.1.i386.rpm postgresql-devel-8.1.22-1.el5_5.1.x86_64.rpm postgresql-docs-8.1.22-1.el5_5.1.x86_64.rpm postgresql-libs-8.1.22-1.el5_5.1.i386.rpm postgresql-libs-8.1.22-1.el5_5.1.x86_64.rpm postgresql-pl-8.1.22-1.el5_5.1.x86_64.rpm postgresql-python-8.1.22-1.el5_5.1.x86_64.rpm postgresql-server-8.1.22-1.el5_5.1.x86_64.rpm postgresql-tcl-8.1.22-1.el5_5.1.x86_64.rpm postgresql-test-8.1.22-1.el5_5.1.x86_64.rpm postgresql84-8.4.5-1.el5_5.1.x86_64.rpm postgresql84-contrib-8.4.5-1.el5_5.1.x86_64.rpm postgresql84-debuginfo-8.4.5-1.el5_5.1.i386.rpm postgresql84-debuginfo-8.4.5-1.el5_5.1.x86_64.rpm 
postgresql84-devel-8.4.5-1.el5_5.1.i386.rpm postgresql84-devel-8.4.5-1.el5_5.1.x86_64.rpm postgresql84-docs-8.4.5-1.el5_5.1.x86_64.rpm postgresql84-libs-8.4.5-1.el5_5.1.i386.rpm postgresql84-libs-8.4.5-1.el5_5.1.x86_64.rpm postgresql84-plperl-8.4.5-1.el5_5.1.x86_64.rpm postgresql84-plpython-8.4.5-1.el5_5.1.x86_64.rpm postgresql84-pltcl-8.4.5-1.el5_5.1.x86_64.rpm postgresql84-python-8.4.5-1.el5_5.1.x86_64.rpm postgresql84-server-8.4.5-1.el5_5.1.x86_64.rpm postgresql84-tcl-8.4.5-1.el5_5.1.x86_64.rpm postgresql84-test-8.4.5-1.el5_5.1.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2010-3433.html http://www.redhat.com/security/updates/classification/#moderate http://www.postgresql.org/docs/8.1/interactive/sql-createfunction.html 8. Contact: The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/ Copyright 2010 Red Hat, Inc. 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFMrFGFXlSAg2UNWIIRApZ5AKCA1PR8dK8gmxepk8uV6BRgU2br0gCdHeUo
SR9PHF7cRJADKZYDqz0csjM=
=4RXv
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Oct 6 10:40:08 2010
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 6 Oct 2010 06:40:08 -0400
Subject: [RHSA-2010:0743-01] Critical: acroread security update
Message-ID: <201010061041.o96Af5iQ020618@int-mx10.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Critical: acroread security update
Advisory ID: RHSA-2010:0743-01
Product: Red Hat Enterprise Linux Extras
Advisory URL: https://rhn.redhat.com/errata/RHSA-2010-0743.html
Issue date: 2010-10-06
CVE Names: CVE-2010-2883 CVE-2010-2884 CVE-2010-2887 CVE-2010-2889
           CVE-2010-2890 CVE-2010-3619 CVE-2010-3620 CVE-2010-3621
           CVE-2010-3622 CVE-2010-3625 CVE-2010-3626 CVE-2010-3627
           CVE-2010-3628 CVE-2010-3629 CVE-2010-3630 CVE-2010-3632
           CVE-2010-3656 CVE-2010-3657 CVE-2010-3658
=====================================================================

1. Summary:

Updated acroread packages that fix multiple security issues are now
available for Red Hat Enterprise Linux 4 Extras and Red Hat Enterprise
Linux 5 Supplementary.

The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

2. Relevant releases/architectures:

RHEL Desktop Supplementary (v. 5 client) - i386, x86_64
RHEL Supplementary (v. 5 server) - i386, x86_64
Red Hat Desktop version 4 Extras - i386, x86_64
Red Hat Enterprise Linux AS version 4 Extras - i386, x86_64
Red Hat Enterprise Linux ES version 4 Extras - i386, x86_64
Red Hat Enterprise Linux WS version 4 Extras - i386, x86_64

3. Description:

Adobe Reader allows users to view and print documents in Portable Document
Format (PDF).

This update fixes multiple vulnerabilities in Adobe Reader. These
vulnerabilities are detailed on the Adobe security page APSB10-21, listed
in the References section.

A specially-crafted PDF file could cause Adobe Reader to crash or,
potentially, execute arbitrary code as the user running Adobe Reader when
opened. (CVE-2010-2883, CVE-2010-2884, CVE-2010-2889, CVE-2010-2890,
CVE-2010-3619, CVE-2010-3620, CVE-2010-3621, CVE-2010-3622, CVE-2010-3625,
CVE-2010-3626, CVE-2010-3627, CVE-2010-3628, CVE-2010-3629, CVE-2010-3630,
CVE-2010-3632, CVE-2010-3658)

An insecure relative RPATH (runtime library search path) set in some Adobe
Reader libraries could allow a local attacker, who is able to convince
another user to run Adobe Reader in an attacker-controlled directory, to
execute arbitrary code with the privileges of the victim. (CVE-2010-2887)

A specially-crafted PDF file could cause Adobe Reader to crash when opened.
(CVE-2010-3656, CVE-2010-3657)

All Adobe Reader users should install these updated packages. They contain
Adobe Reader version 9.4, which is not vulnerable to these issues. All
running instances of Adobe Reader must be restarted for the update to take
effect.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

632267 - CVE-2010-2883 Acroread: Stack-based buffer overflow by processing certain fonts (APSA10-02)
633917 - CVE-2010-2884 Adobe Flash: crash or potential arbitrary code execution (APSB10-22)
639890 - acroread: multiple code execution flaws (APSB10-21)
639903 - acroread: denial of service flaws (APSB10-21)
639913 - CVE-2010-2887 acroread: use of insecure RPATH (APSB10-21)

6. Package List:

Red Hat Enterprise Linux AS version 4 Extras:

i386:
acroread-9.4.0-1.el4.i386.rpm
acroread-plugin-9.4.0-1.el4.i386.rpm

x86_64:
acroread-9.4.0-1.el4.i386.rpm

Red Hat Desktop version 4 Extras:

i386:
acroread-9.4.0-1.el4.i386.rpm
acroread-plugin-9.4.0-1.el4.i386.rpm

x86_64:
acroread-9.4.0-1.el4.i386.rpm

Red Hat Enterprise Linux ES version 4 Extras:

i386:
acroread-9.4.0-1.el4.i386.rpm
acroread-plugin-9.4.0-1.el4.i386.rpm

x86_64:
acroread-9.4.0-1.el4.i386.rpm

Red Hat Enterprise Linux WS version 4 Extras:

i386:
acroread-9.4.0-1.el4.i386.rpm
acroread-plugin-9.4.0-1.el4.i386.rpm

x86_64:
acroread-9.4.0-1.el4.i386.rpm

RHEL Desktop Supplementary (v. 5 client):

i386:
acroread-9.4.0-1.el5.i386.rpm
acroread-plugin-9.4.0-1.el5.i386.rpm

x86_64:
acroread-9.4.0-1.el5.i386.rpm
acroread-plugin-9.4.0-1.el5.i386.rpm

RHEL Supplementary (v. 5 server):

i386:
acroread-9.4.0-1.el5.i386.rpm
acroread-plugin-9.4.0-1.el5.i386.rpm

x86_64:
acroread-9.4.0-1.el5.i386.rpm
acroread-plugin-9.4.0-1.el5.i386.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2010-2883.html
https://www.redhat.com/security/data/cve/CVE-2010-2884.html
https://www.redhat.com/security/data/cve/CVE-2010-2887.html
https://www.redhat.com/security/data/cve/CVE-2010-2889.html
https://www.redhat.com/security/data/cve/CVE-2010-2890.html
https://www.redhat.com/security/data/cve/CVE-2010-3619.html
https://www.redhat.com/security/data/cve/CVE-2010-3620.html
https://www.redhat.com/security/data/cve/CVE-2010-3621.html
https://www.redhat.com/security/data/cve/CVE-2010-3622.html
https://www.redhat.com/security/data/cve/CVE-2010-3625.html
https://www.redhat.com/security/data/cve/CVE-2010-3626.html
https://www.redhat.com/security/data/cve/CVE-2010-3627.html
https://www.redhat.com/security/data/cve/CVE-2010-3628.html
https://www.redhat.com/security/data/cve/CVE-2010-3629.html
https://www.redhat.com/security/data/cve/CVE-2010-3630.html
https://www.redhat.com/security/data/cve/CVE-2010-3632.html
https://www.redhat.com/security/data/cve/CVE-2010-3656.html
https://www.redhat.com/security/data/cve/CVE-2010-3657.html
https://www.redhat.com/security/data/cve/CVE-2010-3658.html
http://www.redhat.com/security/updates/classification/#critical
http://www.adobe.com/support/security/bulletins/apsb10-21.html

8. Contact:

The Red Hat security contact is . More contact details at
https://www.redhat.com/security/team/contact/

Copyright 2010 Red Hat, Inc.
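The RPATH flaw described in this advisory (CVE-2010-2887) belongs to a class of defect that can be audited for on any Linux host, not only in Adobe Reader. The script below is an added example, not code from the advisory, from Red Hat or from Adobe: it parses the dynamic section as printed by `readelf -d` and flags RPATH or RUNPATH elements that the dynamic linker resolves against the process's current working directory (an empty element, `.`, or any element that does not begin with `/`), which is exactly what makes running a program from an attacker-controlled directory dangerous. Elements beginning with `$ORIGIN` are classified separately because they resolve relative to the object's own location rather than the working directory. The two `readelf` outputs embedded as `SAMPLE_RPATH_OUTPUT` and `SAMPLE_RUNPATH_OUTPUT` are constructed; the library names and paths in them are invented, and all function names are this example's own.

```python
"""Audit ELF dynamic sections for RPATH/RUNPATH elements resolved against cwd.

Added example (not from the advisory): parses the text printed by
`readelf -d` and reports search-path elements the dynamic linker resolves
relative to the current working directory.
"""
import re
import subprocess
import sys
from typing import Dict, List, Tuple

# Constructed sample output (invented library and paths, for illustration only):
# an RPATH mixing an absolute element with two relative ones.
SAMPLE_RPATH_OUTPUT = """
Dynamic section at offset 0x1f3c8 contains 27 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000f (RPATH)              Library rpath: [/usr/lib/example:lib:.]
 0x000000000000000c (INIT)               0x4a20
"""

# Constructed sample whose RUNPATH ends in a colon, which yields an empty element.
SAMPLE_RUNPATH_OUTPUT = """
Dynamic section at offset 0x2e10 contains 22 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libm.so.6]
 0x000000000000001d (RUNPATH)            Library runpath: [$ORIGIN/../lib:]
"""

# readelf prints "Library rpath: [...]" for DT_RPATH and "Library runpath: [...]" for DT_RUNPATH.
SEARCH_PATH_RE = re.compile(r"\((RPATH|RUNPATH)\)\s+Library r(?:un)?path: \[(.*)\]")


def parse_search_paths(readelf_output: str) -> List[Tuple[str, str]]:
    """Return (tag, element) pairs for every colon-separated search-path element."""
    pairs: List[Tuple[str, str]] = []
    for line in readelf_output.splitlines():
        m = SEARCH_PATH_RE.search(line)
        if m:
            tag, value = m.group(1), m.group(2)
            pairs.extend((tag, element) for element in value.split(":"))
    return pairs


def classify_element(element: str) -> str:
    """Classify how the dynamic linker resolves one search-path element."""
    if element in ("", "."):
        return "cwd"        # empty or "." element: searched in the current directory
    if element.startswith(("$ORIGIN", "${ORIGIN}")):
        return "origin"     # relative to the directory holding the object itself
    if element.startswith("/"):
        return "absolute"
    return "relative"       # e.g. "lib": also resolved against the current directory


def audit(readelf_output: str) -> List[Dict[str, str]]:
    """Findings for every element whose resolution depends on the current directory."""
    findings: List[Dict[str, str]] = []
    for tag, element in parse_search_paths(readelf_output):
        kind = classify_element(element)
        if kind in ("cwd", "relative"):
            findings.append({"tag": tag, "element": element, "kind": kind})
    return findings


def audit_file(path: str) -> List[Dict[str, str]]:
    """Run readelf on a real file (needs binutils installed) and audit its output."""
    proc = subprocess.run(["readelf", "-d", path], capture_output=True, text=True, check=True)
    return audit(proc.stdout)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for f in sys.argv[1:]:
            for finding in audit_file(f):
                print(f"{f}: {finding['tag']} element {finding['element']!r} ({finding['kind']})")
    else:
        samples = (("sample-rpath", SAMPLE_RPATH_OUTPUT), ("sample-runpath", SAMPLE_RUNPATH_OUTPUT))
        for label, sample in samples:
            for finding in audit(sample):
                print(f"{label}: {finding['tag']} element {finding['element']!r} ({finding['kind']})")
```

Run without arguments it audits the two constructed samples; given file paths it runs `readelf -d` on each. A `$ORIGIN` element is not flagged here, but it is only safe when the directory containing the object is not writable by other users, so a fuller audit would check that directory's ownership and mode as well.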
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFMrFHrXlSAg2UNWIIRAibiAJ0ac6juC8Wccft4w45c3AtmfYEhSwCfWABr
24piJ73WMhl/Lqq7VU+d0+c=
=N5VX
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Oct 7 15:47:38 2010
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 7 Oct 2010 11:47:38 -0400
Subject: [RHSA-2010:0749-01] Important: poppler security update
Message-ID: <201010071549.o97Fn1bl007095@int-mx08.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Important: poppler security update
Advisory ID: RHSA-2010:0749-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2010-0749.html
Issue date: 2010-10-07
CVE Names: CVE-2010-3702 CVE-2010-3704
=====================================================================

1. Summary:

Updated poppler packages that fix two security issues are now available
for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64

3. Description:

Poppler is a Portable Document Format (PDF) rendering library, used by
applications such as Evince.

An uninitialized pointer use flaw was discovered in poppler. An attacker
could create a malicious PDF file that, when opened, would cause
applications that use poppler (such as Evince) to crash or, potentially,
execute arbitrary code. (CVE-2010-3702)

An array index error was found in the way poppler parsed PostScript Type 1
fonts embedded in PDF documents. An attacker could create a malicious PDF
file that, when opened, would cause applications that use poppler (such as
Evince) to crash or, potentially, execute arbitrary code. (CVE-2010-3704)

Users are advised to upgrade to these updated packages, which contain
backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

595245 - CVE-2010-3702 xpdf: uninitialized Gfx::parser pointer dereference
638960 - CVE-2010-3704 xpdf: array indexing error in FoFiType1::parse()

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/poppler-0.5.4-4.4.el5_5.14.src.rpm

i386:
poppler-0.5.4-4.4.el5_5.14.i386.rpm
poppler-debuginfo-0.5.4-4.4.el5_5.14.i386.rpm
poppler-utils-0.5.4-4.4.el5_5.14.i386.rpm

x86_64:
poppler-0.5.4-4.4.el5_5.14.i386.rpm
poppler-0.5.4-4.4.el5_5.14.x86_64.rpm
poppler-debuginfo-0.5.4-4.4.el5_5.14.i386.rpm
poppler-debuginfo-0.5.4-4.4.el5_5.14.x86_64.rpm
poppler-utils-0.5.4-4.4.el5_5.14.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/poppler-0.5.4-4.4.el5_5.14.src.rpm

i386:
poppler-debuginfo-0.5.4-4.4.el5_5.14.i386.rpm
poppler-devel-0.5.4-4.4.el5_5.14.i386.rpm

x86_64:
poppler-debuginfo-0.5.4-4.4.el5_5.14.i386.rpm
poppler-debuginfo-0.5.4-4.4.el5_5.14.x86_64.rpm
poppler-devel-0.5.4-4.4.el5_5.14.i386.rpm
poppler-devel-0.5.4-4.4.el5_5.14.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/poppler-0.5.4-4.4.el5_5.14.src.rpm

i386:
poppler-0.5.4-4.4.el5_5.14.i386.rpm
poppler-debuginfo-0.5.4-4.4.el5_5.14.i386.rpm
poppler-devel-0.5.4-4.4.el5_5.14.i386.rpm
poppler-utils-0.5.4-4.4.el5_5.14.i386.rpm

ia64:
poppler-0.5.4-4.4.el5_5.14.ia64.rpm
poppler-debuginfo-0.5.4-4.4.el5_5.14.ia64.rpm
poppler-devel-0.5.4-4.4.el5_5.14.ia64.rpm
poppler-utils-0.5.4-4.4.el5_5.14.ia64.rpm

ppc:
poppler-0.5.4-4.4.el5_5.14.ppc.rpm
poppler-0.5.4-4.4.el5_5.14.ppc64.rpm
poppler-debuginfo-0.5.4-4.4.el5_5.14.ppc.rpm
poppler-debuginfo-0.5.4-4.4.el5_5.14.ppc64.rpm
poppler-devel-0.5.4-4.4.el5_5.14.ppc.rpm
poppler-devel-0.5.4-4.4.el5_5.14.ppc64.rpm
poppler-utils-0.5.4-4.4.el5_5.14.ppc.rpm

s390x:
poppler-0.5.4-4.4.el5_5.14.s390.rpm
poppler-0.5.4-4.4.el5_5.14.s390x.rpm
poppler-debuginfo-0.5.4-4.4.el5_5.14.s390.rpm
poppler-debuginfo-0.5.4-4.4.el5_5.14.s390x.rpm
poppler-devel-0.5.4-4.4.el5_5.14.s390.rpm
poppler-devel-0.5.4-4.4.el5_5.14.s390x.rpm
poppler-utils-0.5.4-4.4.el5_5.14.s390x.rpm

x86_64:
poppler-0.5.4-4.4.el5_5.14.i386.rpm
poppler-0.5.4-4.4.el5_5.14.x86_64.rpm
poppler-debuginfo-0.5.4-4.4.el5_5.14.i386.rpm
poppler-debuginfo-0.5.4-4.4.el5_5.14.x86_64.rpm
poppler-devel-0.5.4-4.4.el5_5.14.i386.rpm
poppler-devel-0.5.4-4.4.el5_5.14.x86_64.rpm
poppler-utils-0.5.4-4.4.el5_5.14.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2010-3702.html
https://www.redhat.com/security/data/cve/CVE-2010-3704.html
http://www.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at
https://www.redhat.com/security/team/contact/

Copyright 2010 Red Hat, Inc.
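The package list above gives the fixed version-release of each poppler package per architecture, and "Users are advised to upgrade" is only actionable once you know which installed packages are still below it. The script below is an added example, not part of the advisory and not RPM's own code: it parses the package file names as printed in the advisory, reimplements RPM's version-segment comparison (numeric segments compared as numbers, alphabetic segments lexically, a numeric segment newer than an alphabetic one, `~` sorting before everything including end-of-string; the `^` rule of newer rpm releases is left out), and reports every installed package whose epoch:version-release is older than the errata's. `INSTALLED_INVENTORY` is a constructed sample in the shape produced by `rpm -qa --qf '%{NAME} %{EPOCH} %{VERSION} %{RELEASE} %{ARCH}\n'` (rpm prints `(none)` for a missing epoch); it deliberately contains one package already at the fixed release and one unrelated package. Advisory file names carry no epoch, so the example assumes epoch 0 for them.

```python
"""Compare installed RPM epoch:version-release against an advisory's package list.

Added example (not from the advisory, not RPM's own code): a reimplementation
of RPM's label comparison plus a checker driven by advisory package file names.
"""
from typing import Dict, List, Tuple

# x86_64 file names exactly as listed in the advisory above.
ADVISORY_PACKAGES = [
    "poppler-0.5.4-4.4.el5_5.14.x86_64.rpm",
    "poppler-debuginfo-0.5.4-4.4.el5_5.14.x86_64.rpm",
    "poppler-devel-0.5.4-4.4.el5_5.14.x86_64.rpm",
    "poppler-utils-0.5.4-4.4.el5_5.14.x86_64.rpm",
]

# Constructed inventory (not a real host) in the shape of
#   rpm -qa --qf '%{NAME} %{EPOCH} %{VERSION} %{RELEASE} %{ARCH}\n'
INSTALLED_INVENTORY = """\
poppler (none) 0.5.4 4.4.el5_5.5 x86_64
poppler-utils (none) 0.5.4 4.4.el5_5.14 x86_64
evince (none) 2.12.2 5.el5 x86_64
"""

EVR = Tuple[int, str, str]  # (epoch, version, release)


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 like RPM's rpmvercmp (tilde handled, caret not)."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Separators (anything that is neither alphanumeric nor '~') are skipped.
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        # A tilde sorts before everything, even the end of the string ("1.0~rc1" < "1.0").
        ta, tb = i < len(a) and a[i] == "~", j < len(b) and b[j] == "~"
        if ta or tb:
            if not ta:
                return 1
            if not tb:
                return -1
            i, j = i + 1, j + 1
            continue
        if not (i < len(a) and j < len(b)):
            break
        si, sj = i, j
        isnum = a[i].isdigit()
        if isnum:   # take a run of digits from both sides
            while i < len(a) and a[i].isdigit():
                i += 1
            while j < len(b) and b[j].isdigit():
                j += 1
        else:       # take a run of letters from both sides
            while i < len(a) and a[i].isalpha():
                i += 1
            while j < len(b) and b[j].isalpha():
                j += 1
        seg_a, seg_b = a[si:i], b[sj:j]
        if seg_b == "":           # segment types differ: numeric is newer than alpha
            return 1 if isnum else -1
        if isnum:                 # compare numerically: longer (after leading zeros) wins
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1   # whichever side has characters left is newer


def evr_cmp(x: EVR, y: EVR) -> int:
    """Compare (epoch, version, release) triples; epoch dominates."""
    if x[0] != y[0]:
        return 1 if x[0] > y[0] else -1
    return rpmvercmp(x[1], y[1]) or rpmvercmp(x[2], y[2])


def parse_rpm_filename(fname: str) -> Tuple[str, str, str, str]:
    """'name-version-release.arch.rpm' -> (name, version, release, arch)."""
    base = fname[:-4] if fname.endswith(".rpm") else fname
    nvr, arch = base.rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch


def parse_inventory(text: str) -> List[Tuple[str, int, str, str, str]]:
    """Parse the five-column rpm query output; '(none)' means epoch 0."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            name, epoch, version, release, arch = line.split()
            rows.append((name, 0 if epoch == "(none)" else int(epoch), version, release, arch))
    return rows


def needs_update(inventory_text: str, advisory_files: List[str]) -> List[Tuple[str, str, str]]:
    """(name, installed version-release, fixed version-release) for outdated packages."""
    fixed: Dict[Tuple[str, str], EVR] = {}
    for f in advisory_files:
        name, version, release, arch = parse_rpm_filename(f)
        fixed[(name, arch)] = (0, version, release)   # advisory file names carry no epoch
    outdated = []
    for name, epoch, version, release, arch in parse_inventory(inventory_text):
        target = fixed.get((name, arch))
        if target is not None and evr_cmp((epoch, version, release), target) < 0:
            outdated.append((name, f"{version}-{release}", f"{target[1]}-{target[2]}"))
    return outdated


if __name__ == "__main__":
    for name, have, want in needs_update(INSTALLED_INVENTORY, ADVISORY_PACKAGES):
        print(f"{name}: installed {have}, errata ships {want}")
```

Only packages present in both the inventory and the advisory are compared, keyed on name and architecture, so the x86_64 entries for `poppler-devel` (not installed in the sample) and the unrelated `evince` produce no output. An installed package with a non-zero epoch will always compare newer than the epoch-0 advisory entry, so such cases should be confirmed against the vendor's package metadata rather than the file name alone.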
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFMreupXlSAg2UNWIIRAlUWAJ0W7dV0Yc75C6uOybZ5t5je6QIF4ACeKA4/
yAwT8JvYiJ/qeWwaWeg0BZY=
=w2N1
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Oct 7 15:51:55 2010
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 7 Oct 2010 11:51:55 -0400
Subject: [RHSA-2010:0750-01] Important: xpdf security update
Message-ID: <201010071553.o97FrIbZ027947@int-mx02.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Important: xpdf security update
Advisory ID: RHSA-2010:0750-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2010-0750.html
Issue date: 2010-10-07
CVE Names: CVE-2010-3702
=====================================================================

1. Summary:

An updated xpdf package that fixes one security issue is now available for
Red Hat Enterprise Linux 3.

The Red Hat Security Response Team has rated this update as having
important security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.

2. Relevant releases/architectures:

Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64

3. Description:

Xpdf is an X Window System based viewer for Portable Document Format (PDF)
files.

An uninitialized pointer use flaw was discovered in Xpdf. An attacker could
create a malicious PDF file that, when opened, would cause Xpdf to crash
or, potentially, execute arbitrary code. (CVE-2010-3702)

Users are advised to upgrade to this updated package, which contains a
backported patch to correct this issue.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

595245 - CVE-2010-3702 xpdf: uninitialized Gfx::parser pointer dereference

6. Package List:

Red Hat Enterprise Linux AS version 3:

Source:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/xpdf-2.02-19.el3.src.rpm

i386:
xpdf-2.02-19.el3.i386.rpm
xpdf-debuginfo-2.02-19.el3.i386.rpm

ia64:
xpdf-2.02-19.el3.ia64.rpm
xpdf-debuginfo-2.02-19.el3.ia64.rpm

ppc:
xpdf-2.02-19.el3.ppc.rpm
xpdf-debuginfo-2.02-19.el3.ppc.rpm

s390:
xpdf-2.02-19.el3.s390.rpm
xpdf-debuginfo-2.02-19.el3.s390.rpm

s390x:
xpdf-2.02-19.el3.s390x.rpm
xpdf-debuginfo-2.02-19.el3.s390x.rpm

x86_64:
xpdf-2.02-19.el3.x86_64.rpm
xpdf-debuginfo-2.02-19.el3.x86_64.rpm

Red Hat Desktop version 3:

Source:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/xpdf-2.02-19.el3.src.rpm

i386:
xpdf-2.02-19.el3.i386.rpm
xpdf-debuginfo-2.02-19.el3.i386.rpm

x86_64:
xpdf-2.02-19.el3.x86_64.rpm
xpdf-debuginfo-2.02-19.el3.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

Source:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/xpdf-2.02-19.el3.src.rpm

i386:
xpdf-2.02-19.el3.i386.rpm
xpdf-debuginfo-2.02-19.el3.i386.rpm

ia64:
xpdf-2.02-19.el3.ia64.rpm
xpdf-debuginfo-2.02-19.el3.ia64.rpm

x86_64:
xpdf-2.02-19.el3.x86_64.rpm
xpdf-debuginfo-2.02-19.el3.x86_64.rpm

Red Hat Enterprise Linux WS version 3:

Source:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/xpdf-2.02-19.el3.src.rpm

i386:
xpdf-2.02-19.el3.i386.rpm
xpdf-debuginfo-2.02-19.el3.i386.rpm

ia64:
xpdf-2.02-19.el3.ia64.rpm
xpdf-debuginfo-2.02-19.el3.ia64.rpm

x86_64:
xpdf-2.02-19.el3.x86_64.rpm
xpdf-debuginfo-2.02-19.el3.x86_64.rpm

These packages are GPG signed by Red Hat for security.
Our key and details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2010-3702.html
http://www.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at
https://www.redhat.com/security/team/contact/

Copyright 2010 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFMreyxXlSAg2UNWIIRAucQAJ4qAh11D4UMq4naRU6u6RkWpOWO2ACeMqf/
VqFl0xR1QOLGJNitdYK0/cg=
=AH27
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Oct 7 15:55:40 2010
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 7 Oct 2010 11:55:40 -0400
Subject: [RHSA-2010:0751-01] Important: xpdf security update
Message-ID: <201010071557.o97Fv325009062@int-mx08.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Important: xpdf security update
Advisory ID: RHSA-2010:0751-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2010-0751.html
Issue date: 2010-10-07
CVE Names: CVE-2010-3702 CVE-2010-3704
=====================================================================

1. Summary:

An updated xpdf package that fixes two security issues is now available for
Red Hat Enterprise Linux 4.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

3. Description:

Xpdf is an X Window System based viewer for Portable Document Format (PDF)
files.

An uninitialized pointer use flaw was discovered in Xpdf. An attacker could
create a malicious PDF file that, when opened, would cause Xpdf to crash
or, potentially, execute arbitrary code. (CVE-2010-3702)

An array index error was found in the way Xpdf parsed PostScript Type 1
fonts embedded in PDF documents. An attacker could create a malicious PDF
file that, when opened, would cause Xpdf to crash or, potentially, execute
arbitrary code. (CVE-2010-3704)

Users are advised to upgrade to this updated package, which contains
backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

595245 - CVE-2010-3702 xpdf: uninitialized Gfx::parser pointer dereference
638960 - CVE-2010-3704 xpdf: array indexing error in FoFiType1::parse()

6. Package List:

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/xpdf-3.00-24.el4_8.1.src.rpm

i386:
xpdf-3.00-24.el4_8.1.i386.rpm
xpdf-debuginfo-3.00-24.el4_8.1.i386.rpm

ia64:
xpdf-3.00-24.el4_8.1.ia64.rpm
xpdf-debuginfo-3.00-24.el4_8.1.ia64.rpm

ppc:
xpdf-3.00-24.el4_8.1.ppc.rpm
xpdf-debuginfo-3.00-24.el4_8.1.ppc.rpm

s390:
xpdf-3.00-24.el4_8.1.s390.rpm
xpdf-debuginfo-3.00-24.el4_8.1.s390.rpm

s390x:
xpdf-3.00-24.el4_8.1.s390x.rpm
xpdf-debuginfo-3.00-24.el4_8.1.s390x.rpm

x86_64:
xpdf-3.00-24.el4_8.1.x86_64.rpm
xpdf-debuginfo-3.00-24.el4_8.1.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/xpdf-3.00-24.el4_8.1.src.rpm

i386:
xpdf-3.00-24.el4_8.1.i386.rpm
xpdf-debuginfo-3.00-24.el4_8.1.i386.rpm

x86_64:
xpdf-3.00-24.el4_8.1.x86_64.rpm
xpdf-debuginfo-3.00-24.el4_8.1.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/xpdf-3.00-24.el4_8.1.src.rpm

i386:
xpdf-3.00-24.el4_8.1.i386.rpm
xpdf-debuginfo-3.00-24.el4_8.1.i386.rpm

ia64:
xpdf-3.00-24.el4_8.1.ia64.rpm
xpdf-debuginfo-3.00-24.el4_8.1.ia64.rpm

x86_64:
xpdf-3.00-24.el4_8.1.x86_64.rpm
xpdf-debuginfo-3.00-24.el4_8.1.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/xpdf-3.00-24.el4_8.1.src.rpm

i386:
xpdf-3.00-24.el4_8.1.i386.rpm
xpdf-debuginfo-3.00-24.el4_8.1.i386.rpm

ia64:
xpdf-3.00-24.el4_8.1.ia64.rpm
xpdf-debuginfo-3.00-24.el4_8.1.ia64.rpm

x86_64:
xpdf-3.00-24.el4_8.1.x86_64.rpm
xpdf-debuginfo-3.00-24.el4_8.1.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2010-3702.html
https://www.redhat.com/security/data/cve/CVE-2010-3704.html
http://www.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at
https://www.redhat.com/security/team/contact/

Copyright 2010 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFMre2YXlSAg2UNWIIRAtGCAKChqLmva4MkhwsnFhkZNgmLo915UQCcDYHN
+nRX9dvMv1LdmPcL6IUFL2k=
=DQDN
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Oct 7 16:01:43 2010
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 7 Oct 2010 12:01:43 -0400
Subject: [RHSA-2010:0752-01] Important: gpdf security update
Message-ID: <201010071603.o97G369J010823@int-mx08.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Important: gpdf security update
Advisory ID: RHSA-2010:0752-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2010-0752.html
Issue date: 2010-10-07
CVE Names: CVE-2010-3702 CVE-2010-3704
=====================================================================

1. Summary:

An updated gpdf package that fixes two security issues is now available for
Red Hat Enterprise Linux 4.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

3. Description:

GPdf is a viewer for Portable Document Format (PDF) files.

An uninitialized pointer use flaw was discovered in GPdf. An attacker could
create a malicious PDF file that, when opened, would cause GPdf to crash
or, potentially, execute arbitrary code. (CVE-2010-3702)

An array index error was found in the way GPdf parsed PostScript Type 1
fonts embedded in PDF documents. An attacker could create a malicious PDF
file that, when opened, would cause GPdf to crash or, potentially, execute
arbitrary code. (CVE-2010-3704)

Users are advised to upgrade to this updated package, which contains
backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

595245 - CVE-2010-3702 xpdf: uninitialized Gfx::parser pointer dereference
638960 - CVE-2010-3704 xpdf: array indexing error in FoFiType1::parse()

6. Package List:

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/gpdf-2.8.2-7.7.2.el4_8.7.src.rpm

i386:
gpdf-2.8.2-7.7.2.el4_8.7.i386.rpm
gpdf-debuginfo-2.8.2-7.7.2.el4_8.7.i386.rpm

ia64:
gpdf-2.8.2-7.7.2.el4_8.7.ia64.rpm
gpdf-debuginfo-2.8.2-7.7.2.el4_8.7.ia64.rpm

ppc:
gpdf-2.8.2-7.7.2.el4_8.7.ppc.rpm
gpdf-debuginfo-2.8.2-7.7.2.el4_8.7.ppc.rpm

s390:
gpdf-2.8.2-7.7.2.el4_8.7.s390.rpm
gpdf-debuginfo-2.8.2-7.7.2.el4_8.7.s390.rpm

s390x:
gpdf-2.8.2-7.7.2.el4_8.7.s390x.rpm
gpdf-debuginfo-2.8.2-7.7.2.el4_8.7.s390x.rpm

x86_64:
gpdf-2.8.2-7.7.2.el4_8.7.x86_64.rpm
gpdf-debuginfo-2.8.2-7.7.2.el4_8.7.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/gpdf-2.8.2-7.7.2.el4_8.7.src.rpm

i386:
gpdf-2.8.2-7.7.2.el4_8.7.i386.rpm
gpdf-debuginfo-2.8.2-7.7.2.el4_8.7.i386.rpm

x86_64:
gpdf-2.8.2-7.7.2.el4_8.7.x86_64.rpm
gpdf-debuginfo-2.8.2-7.7.2.el4_8.7.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/gpdf-2.8.2-7.7.2.el4_8.7.src.rpm

i386:
gpdf-2.8.2-7.7.2.el4_8.7.i386.rpm
gpdf-debuginfo-2.8.2-7.7.2.el4_8.7.i386.rpm

ia64:
gpdf-2.8.2-7.7.2.el4_8.7.ia64.rpm
gpdf-debuginfo-2.8.2-7.7.2.el4_8.7.ia64.rpm

x86_64:
gpdf-2.8.2-7.7.2.el4_8.7.x86_64.rpm
gpdf-debuginfo-2.8.2-7.7.2.el4_8.7.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/gpdf-2.8.2-7.7.2.el4_8.7.src.rpm

i386:
gpdf-2.8.2-7.7.2.el4_8.7.i386.rpm
gpdf-debuginfo-2.8.2-7.7.2.el4_8.7.i386.rpm

ia64:
gpdf-2.8.2-7.7.2.el4_8.7.ia64.rpm
gpdf-debuginfo-2.8.2-7.7.2.el4_8.7.ia64.rpm

x86_64:
gpdf-2.8.2-7.7.2.el4_8.7.x86_64.rpm
gpdf-debuginfo-2.8.2-7.7.2.el4_8.7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2010-3702.html
https://www.redhat.com/security/data/cve/CVE-2010-3704.html
http://www.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at
https://www.redhat.com/security/team/contact/

Copyright 2010 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFMre79XlSAg2UNWIIRArGmAJ0QrURm6TD2+aziUDDX3NExJPKSPACfY4NQ
AcyqjJqWLSIzdunOYKIkbaI=
=3R27
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Oct 7 16:05:39 2010
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 7 Oct 2010 12:05:39 -0400
Subject: [RHSA-2010:0753-01] Important: kdegraphics security update
Message-ID: <201010071607.o97G72X0032378@int-mx02.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Important: kdegraphics security update
Advisory ID: RHSA-2010:0753-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2010-0753.html
Issue date: 2010-10-07
CVE Names: CVE-2010-3702 CVE-2010-3704
=====================================================================

1. Summary:

Updated kdegraphics packages that fix two security issues are now available
for Red Hat Enterprise Linux 4 and 5.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64
RHEL Optional Productivity Applications (v. 5 server) - i386, x86_64
Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop (v.
5 client) - i386, x86_64 Red Hat Enterprise Linux Desktop version 4 - i386, x86_64 Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64 Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64 3. Description: The kdegraphics packages contain applications for the K Desktop Environment, including KPDF, a viewer for Portable Document Format (PDF) files. An uninitialized pointer use flaw was discovered in KPDF. An attacker could create a malicious PDF file that, when opened, would cause KPDF to crash or, potentially, execute arbitrary code. (CVE-2010-3702) An array index error was found in the way KPDF parsed PostScript Type 1 fonts embedded in PDF documents. An attacker could create a malicious PDF file that, when opened, would cause KPDF to crash or, potentially, execute arbitrary code. (CVE-2010-3704) Users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259 5. Bugs fixed (http://bugzilla.redhat.com/): 595245 - CVE-2010-3702 xpdf: uninitialized Gfx::parser pointer dereference 638960 - CVE-2010-3704 xpdf: array indexing error in FoFiType1::parse() 6. 
Package List: Red Hat Enterprise Linux AS version 4: Source: ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/kdegraphics-3.3.1-18.el4_8.1.src.rpm i386: kdegraphics-3.3.1-18.el4_8.1.i386.rpm kdegraphics-debuginfo-3.3.1-18.el4_8.1.i386.rpm kdegraphics-devel-3.3.1-18.el4_8.1.i386.rpm ia64: kdegraphics-3.3.1-18.el4_8.1.ia64.rpm kdegraphics-debuginfo-3.3.1-18.el4_8.1.ia64.rpm kdegraphics-devel-3.3.1-18.el4_8.1.ia64.rpm ppc: kdegraphics-3.3.1-18.el4_8.1.ppc.rpm kdegraphics-debuginfo-3.3.1-18.el4_8.1.ppc.rpm kdegraphics-devel-3.3.1-18.el4_8.1.ppc.rpm s390: kdegraphics-3.3.1-18.el4_8.1.s390.rpm kdegraphics-debuginfo-3.3.1-18.el4_8.1.s390.rpm kdegraphics-devel-3.3.1-18.el4_8.1.s390.rpm s390x: kdegraphics-3.3.1-18.el4_8.1.s390x.rpm kdegraphics-debuginfo-3.3.1-18.el4_8.1.s390x.rpm kdegraphics-devel-3.3.1-18.el4_8.1.s390x.rpm x86_64: kdegraphics-3.3.1-18.el4_8.1.x86_64.rpm kdegraphics-debuginfo-3.3.1-18.el4_8.1.x86_64.rpm kdegraphics-devel-3.3.1-18.el4_8.1.x86_64.rpm Red Hat Enterprise Linux Desktop version 4: Source: ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/kdegraphics-3.3.1-18.el4_8.1.src.rpm i386: kdegraphics-3.3.1-18.el4_8.1.i386.rpm kdegraphics-debuginfo-3.3.1-18.el4_8.1.i386.rpm kdegraphics-devel-3.3.1-18.el4_8.1.i386.rpm x86_64: kdegraphics-3.3.1-18.el4_8.1.x86_64.rpm kdegraphics-debuginfo-3.3.1-18.el4_8.1.x86_64.rpm kdegraphics-devel-3.3.1-18.el4_8.1.x86_64.rpm Red Hat Enterprise Linux ES version 4: Source: ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/kdegraphics-3.3.1-18.el4_8.1.src.rpm i386: kdegraphics-3.3.1-18.el4_8.1.i386.rpm kdegraphics-debuginfo-3.3.1-18.el4_8.1.i386.rpm kdegraphics-devel-3.3.1-18.el4_8.1.i386.rpm ia64: kdegraphics-3.3.1-18.el4_8.1.ia64.rpm kdegraphics-debuginfo-3.3.1-18.el4_8.1.ia64.rpm kdegraphics-devel-3.3.1-18.el4_8.1.ia64.rpm x86_64: kdegraphics-3.3.1-18.el4_8.1.x86_64.rpm kdegraphics-debuginfo-3.3.1-18.el4_8.1.x86_64.rpm kdegraphics-devel-3.3.1-18.el4_8.1.x86_64.rpm Red Hat Enterprise Linux WS version 4: Source: 
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/kdegraphics-3.3.1-18.el4_8.1.src.rpm i386: kdegraphics-3.3.1-18.el4_8.1.i386.rpm kdegraphics-debuginfo-3.3.1-18.el4_8.1.i386.rpm kdegraphics-devel-3.3.1-18.el4_8.1.i386.rpm ia64: kdegraphics-3.3.1-18.el4_8.1.ia64.rpm kdegraphics-debuginfo-3.3.1-18.el4_8.1.ia64.rpm kdegraphics-devel-3.3.1-18.el4_8.1.ia64.rpm x86_64: kdegraphics-3.3.1-18.el4_8.1.x86_64.rpm kdegraphics-debuginfo-3.3.1-18.el4_8.1.x86_64.rpm kdegraphics-devel-3.3.1-18.el4_8.1.x86_64.rpm Red Hat Enterprise Linux Desktop (v. 5 client): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/kdegraphics-3.5.4-17.el5_5.1.src.rpm i386: kdegraphics-3.5.4-17.el5_5.1.i386.rpm kdegraphics-debuginfo-3.5.4-17.el5_5.1.i386.rpm x86_64: kdegraphics-3.5.4-17.el5_5.1.x86_64.rpm kdegraphics-debuginfo-3.5.4-17.el5_5.1.x86_64.rpm RHEL Desktop Workstation (v. 5 client): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/kdegraphics-3.5.4-17.el5_5.1.src.rpm i386: kdegraphics-debuginfo-3.5.4-17.el5_5.1.i386.rpm kdegraphics-devel-3.5.4-17.el5_5.1.i386.rpm x86_64: kdegraphics-debuginfo-3.5.4-17.el5_5.1.i386.rpm kdegraphics-debuginfo-3.5.4-17.el5_5.1.x86_64.rpm kdegraphics-devel-3.5.4-17.el5_5.1.i386.rpm kdegraphics-devel-3.5.4-17.el5_5.1.x86_64.rpm RHEL Optional Productivity Applications (v. 5 server): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/kdegraphics-3.5.4-17.el5_5.1.src.rpm i386: kdegraphics-3.5.4-17.el5_5.1.i386.rpm kdegraphics-debuginfo-3.5.4-17.el5_5.1.i386.rpm kdegraphics-devel-3.5.4-17.el5_5.1.i386.rpm x86_64: kdegraphics-3.5.4-17.el5_5.1.x86_64.rpm kdegraphics-debuginfo-3.5.4-17.el5_5.1.i386.rpm kdegraphics-debuginfo-3.5.4-17.el5_5.1.x86_64.rpm kdegraphics-devel-3.5.4-17.el5_5.1.i386.rpm kdegraphics-devel-3.5.4-17.el5_5.1.x86_64.rpm These packages are GPG signed by Red Hat for security. 
Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2010-3702.html https://www.redhat.com/security/data/cve/CVE-2010-3704.html http://www.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/ Copyright 2010 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFMre/oXlSAg2UNWIIRAqVkAJ94ZjMEDOnK09NeIqI9ppHuC0RbgwCgk40+ h1+GwY5YwEPr0FqbrxsrErk= =zuAV -----END PGP SIGNATURE----- From bugzilla at redhat.com Thu Oct 7 17:32:29 2010 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 7 Oct 2010 13:32:29 -0400 Subject: [RHSA-2010:0754-01] Important: cups security update Message-ID: <201010071733.o97HXtiI000649@int-mx08.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: cups security update Advisory ID: RHSA-2010:0754-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2010-0754.html Issue date: 2010-10-07 CVE Names: CVE-2010-3702 ===================================================================== 1. Summary: Updated cups packages that fix one security issue are now available for Red Hat Enterprise Linux 3. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. 
Relevant releases/architectures: Red Hat Desktop version 3 - i386, x86_64 Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64 Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64 Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64 3. Description: The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX operating systems. The CUPS "pdftops" filter converts Portable Document Format (PDF) files to PostScript. An uninitialized pointer use flaw was discovered in the CUPS "pdftops" filter. An attacker could create a malicious PDF file that, when printed, would cause "pdftops" to crash or, potentially, execute arbitrary code as the "lp" user. (CVE-2010-3702) Users of cups are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing this update, the cupsd daemon will be restarted automatically. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259 5. Bugs fixed (http://bugzilla.redhat.com/): 595245 - CVE-2010-3702 xpdf: uninitialized Gfx::parser pointer dereference 6. 
Package List: Red Hat Enterprise Linux AS version 3: Source: ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/cups-1.1.17-13.3.70.src.rpm i386: cups-1.1.17-13.3.70.i386.rpm cups-debuginfo-1.1.17-13.3.70.i386.rpm cups-devel-1.1.17-13.3.70.i386.rpm cups-libs-1.1.17-13.3.70.i386.rpm ia64: cups-1.1.17-13.3.70.ia64.rpm cups-debuginfo-1.1.17-13.3.70.i386.rpm cups-debuginfo-1.1.17-13.3.70.ia64.rpm cups-devel-1.1.17-13.3.70.ia64.rpm cups-libs-1.1.17-13.3.70.i386.rpm cups-libs-1.1.17-13.3.70.ia64.rpm ppc: cups-1.1.17-13.3.70.ppc.rpm cups-debuginfo-1.1.17-13.3.70.ppc.rpm cups-debuginfo-1.1.17-13.3.70.ppc64.rpm cups-devel-1.1.17-13.3.70.ppc.rpm cups-libs-1.1.17-13.3.70.ppc.rpm cups-libs-1.1.17-13.3.70.ppc64.rpm s390: cups-1.1.17-13.3.70.s390.rpm cups-debuginfo-1.1.17-13.3.70.s390.rpm cups-devel-1.1.17-13.3.70.s390.rpm cups-libs-1.1.17-13.3.70.s390.rpm s390x: cups-1.1.17-13.3.70.s390x.rpm cups-debuginfo-1.1.17-13.3.70.s390.rpm cups-debuginfo-1.1.17-13.3.70.s390x.rpm cups-devel-1.1.17-13.3.70.s390x.rpm cups-libs-1.1.17-13.3.70.s390.rpm cups-libs-1.1.17-13.3.70.s390x.rpm x86_64: cups-1.1.17-13.3.70.x86_64.rpm cups-debuginfo-1.1.17-13.3.70.i386.rpm cups-debuginfo-1.1.17-13.3.70.x86_64.rpm cups-devel-1.1.17-13.3.70.x86_64.rpm cups-libs-1.1.17-13.3.70.i386.rpm cups-libs-1.1.17-13.3.70.x86_64.rpm Red Hat Desktop version 3: Source: ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/cups-1.1.17-13.3.70.src.rpm i386: cups-1.1.17-13.3.70.i386.rpm cups-debuginfo-1.1.17-13.3.70.i386.rpm cups-devel-1.1.17-13.3.70.i386.rpm cups-libs-1.1.17-13.3.70.i386.rpm x86_64: cups-1.1.17-13.3.70.x86_64.rpm cups-debuginfo-1.1.17-13.3.70.i386.rpm cups-debuginfo-1.1.17-13.3.70.x86_64.rpm cups-devel-1.1.17-13.3.70.x86_64.rpm cups-libs-1.1.17-13.3.70.i386.rpm cups-libs-1.1.17-13.3.70.x86_64.rpm Red Hat Enterprise Linux ES version 3: Source: ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/cups-1.1.17-13.3.70.src.rpm i386: cups-1.1.17-13.3.70.i386.rpm cups-debuginfo-1.1.17-13.3.70.i386.rpm 
cups-devel-1.1.17-13.3.70.i386.rpm cups-libs-1.1.17-13.3.70.i386.rpm ia64: cups-1.1.17-13.3.70.ia64.rpm cups-debuginfo-1.1.17-13.3.70.i386.rpm cups-debuginfo-1.1.17-13.3.70.ia64.rpm cups-devel-1.1.17-13.3.70.ia64.rpm cups-libs-1.1.17-13.3.70.i386.rpm cups-libs-1.1.17-13.3.70.ia64.rpm x86_64: cups-1.1.17-13.3.70.x86_64.rpm cups-debuginfo-1.1.17-13.3.70.i386.rpm cups-debuginfo-1.1.17-13.3.70.x86_64.rpm cups-devel-1.1.17-13.3.70.x86_64.rpm cups-libs-1.1.17-13.3.70.i386.rpm cups-libs-1.1.17-13.3.70.x86_64.rpm Red Hat Enterprise Linux WS version 3: Source: ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/cups-1.1.17-13.3.70.src.rpm i386: cups-1.1.17-13.3.70.i386.rpm cups-debuginfo-1.1.17-13.3.70.i386.rpm cups-devel-1.1.17-13.3.70.i386.rpm cups-libs-1.1.17-13.3.70.i386.rpm ia64: cups-1.1.17-13.3.70.ia64.rpm cups-debuginfo-1.1.17-13.3.70.i386.rpm cups-debuginfo-1.1.17-13.3.70.ia64.rpm cups-devel-1.1.17-13.3.70.ia64.rpm cups-libs-1.1.17-13.3.70.i386.rpm cups-libs-1.1.17-13.3.70.ia64.rpm x86_64: cups-1.1.17-13.3.70.x86_64.rpm cups-debuginfo-1.1.17-13.3.70.i386.rpm cups-debuginfo-1.1.17-13.3.70.x86_64.rpm cups-devel-1.1.17-13.3.70.x86_64.rpm cups-libs-1.1.17-13.3.70.i386.rpm cups-libs-1.1.17-13.3.70.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2010-3702.html http://www.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/ Copyright 2010 Red Hat, Inc. 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFMrgQgXlSAg2UNWIIRAtaeAKCX9lO/7SS4dUbuHffEs/z+A8JpugCfeOFn
Oh/kTdoodh7GV1zs//e+MPU=
=6RHz
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Oct 7 17:51:49 2010
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 7 Oct 2010 13:51:49 -0400
Subject: [RHSA-2010:0755-01] Important: cups security update
Message-ID: <201010071753.o97HrEGB026875@int-mx10.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: cups security update
Advisory ID:       RHSA-2010:0755-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2010-0755.html
Issue date:        2010-10-07
CVE Names:         CVE-2009-3609 CVE-2010-3702
=====================================================================

1. Summary:

Updated cups packages that fix multiple security issues are now available
for Red Hat Enterprise Linux 4.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS)
base scores, which give detailed severity ratings, are available for
each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

3. Description:

The Common UNIX Printing System (CUPS) provides a portable printing layer
for UNIX operating systems. The CUPS "pdftops" filter converts Portable
Document Format (PDF) files to PostScript.

Multiple flaws were discovered in the CUPS "pdftops" filter. An attacker
could create a malicious PDF file that, when printed, would cause
"pdftops" to crash or, potentially, execute arbitrary code as the "lp"
user. (CVE-2010-3702, CVE-2009-3609)

Users of cups are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. After installing this
update, the cupsd daemon will be restarted automatically.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

526893 - CVE-2009-3609 xpdf/poppler: ImageStream::ImageStream integer overflow
595245 - CVE-2010-3702 xpdf: uninitialized Gfx::parser pointer dereference

6. Package List:

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/cups-1.1.22-0.rc1.9.32.el4_8.10.src.rpm

i386:
cups-1.1.22-0.rc1.9.32.el4_8.10.i386.rpm
cups-debuginfo-1.1.22-0.rc1.9.32.el4_8.10.i386.rpm
cups-devel-1.1.22-0.rc1.9.32.el4_8.10.i386.rpm
cups-libs-1.1.22-0.rc1.9.32.el4_8.10.i386.rpm

ia64:
cups-1.1.22-0.rc1.9.32.el4_8.10.ia64.rpm
cups-debuginfo-1.1.22-0.rc1.9.32.el4_8.10.i386.rpm
cups-debuginfo-1.1.22-0.rc1.9.32.el4_8.10.ia64.rpm
cups-devel-1.1.22-0.rc1.9.32.el4_8.10.ia64.rpm
cups-libs-1.1.22-0.rc1.9.32.el4_8.10.i386.rpm
cups-libs-1.1.22-0.rc1.9.32.el4_8.10.ia64.rpm

ppc:
cups-1.1.22-0.rc1.9.32.el4_8.10.ppc.rpm
cups-debuginfo-1.1.22-0.rc1.9.32.el4_8.10.ppc.rpm
cups-debuginfo-1.1.22-0.rc1.9.32.el4_8.10.ppc64.rpm
cups-devel-1.1.22-0.rc1.9.32.el4_8.10.ppc.rpm
cups-libs-1.1.22-0.rc1.9.32.el4_8.10.ppc.rpm
cups-libs-1.1.22-0.rc1.9.32.el4_8.10.ppc64.rpm

s390:
cups-1.1.22-0.rc1.9.32.el4_8.10.s390.rpm
cups-debuginfo-1.1.22-0.rc1.9.32.el4_8.10.s390.rpm
cups-devel-1.1.22-0.rc1.9.32.el4_8.10.s390.rpm
cups-libs-1.1.22-0.rc1.9.32.el4_8.10.s390.rpm

s390x:
cups-1.1.22-0.rc1.9.32.el4_8.10.s390x.rpm
cups-debuginfo-1.1.22-0.rc1.9.32.el4_8.10.s390.rpm
cups-debuginfo-1.1.22-0.rc1.9.32.el4_8.10.s390x.rpm
cups-devel-1.1.22-0.rc1.9.32.el4_8.10.s390x.rpm
cups-libs-1.1.22-0.rc1.9.32.el4_8.10.s390.rpm
cups-libs-1.1.22-0.rc1.9.32.el4_8.10.s390x.rpm

x86_64:
cups-1.1.22-0.rc1.9.32.el4_8.10.x86_64.rpm
cups-debuginfo-1.1.22-0.rc1.9.32.el4_8.10.i386.rpm
cups-debuginfo-1.1.22-0.rc1.9.32.el4_8.10.x86_64.rpm
cups-devel-1.1.22-0.rc1.9.32.el4_8.10.x86_64.rpm
cups-libs-1.1.22-0.rc1.9.32.el4_8.10.i386.rpm
cups-libs-1.1.22-0.rc1.9.32.el4_8.10.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/cups-1.1.22-0.rc1.9.32.el4_8.10.src.rpm

i386:
cups-1.1.22-0.rc1.9.32.el4_8.10.i386.rpm
cups-debuginfo-1.1.22-0.rc1.9.32.el4_8.10.i386.rpm
cups-devel-1.1.22-0.rc1.9.32.el4_8.10.i386.rpm
cups-libs-1.1.22-0.rc1.9.32.el4_8.10.i386.rpm

x86_64:
cups-1.1.22-0.rc1.9.32.el4_8.10.x86_64.rpm
cups-debuginfo-1.1.22-0.rc1.9.32.el4_8.10.i386.rpm
cups-debuginfo-1.1.22-0.rc1.9.32.el4_8.10.x86_64.rpm
cups-devel-1.1.22-0.rc1.9.32.el4_8.10.x86_64.rpm
cups-libs-1.1.22-0.rc1.9.32.el4_8.10.i386.rpm
cups-libs-1.1.22-0.rc1.9.32.el4_8.10.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/cups-1.1.22-0.rc1.9.32.el4_8.10.src.rpm

i386:
cups-1.1.22-0.rc1.9.32.el4_8.10.i386.rpm
cups-debuginfo-1.1.22-0.rc1.9.32.el4_8.10.i386.rpm
cups-devel-1.1.22-0.rc1.9.32.el4_8.10.i386.rpm
cups-libs-1.1.22-0.rc1.9.32.el4_8.10.i386.rpm

ia64:
cups-1.1.22-0.rc1.9.32.el4_8.10.ia64.rpm
cups-debuginfo-1.1.22-0.rc1.9.32.el4_8.10.i386.rpm
cups-debuginfo-1.1.22-0.rc1.9.32.el4_8.10.ia64.rpm
cups-devel-1.1.22-0.rc1.9.32.el4_8.10.ia64.rpm
cups-libs-1.1.22-0.rc1.9.32.el4_8.10.i386.rpm
cups-libs-1.1.22-0.rc1.9.32.el4_8.10.ia64.rpm

x86_64:
cups-1.1.22-0.rc1.9.32.el4_8.10.x86_64.rpm
cups-debuginfo-1.1.22-0.rc1.9.32.el4_8.10.i386.rpm
cups-debuginfo-1.1.22-0.rc1.9.32.el4_8.10.x86_64.rpm
cups-devel-1.1.22-0.rc1.9.32.el4_8.10.x86_64.rpm
cups-libs-1.1.22-0.rc1.9.32.el4_8.10.i386.rpm
cups-libs-1.1.22-0.rc1.9.32.el4_8.10.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/cups-1.1.22-0.rc1.9.32.el4_8.10.src.rpm

i386:
cups-1.1.22-0.rc1.9.32.el4_8.10.i386.rpm
cups-debuginfo-1.1.22-0.rc1.9.32.el4_8.10.i386.rpm
cups-devel-1.1.22-0.rc1.9.32.el4_8.10.i386.rpm
cups-libs-1.1.22-0.rc1.9.32.el4_8.10.i386.rpm

ia64:
cups-1.1.22-0.rc1.9.32.el4_8.10.ia64.rpm
cups-debuginfo-1.1.22-0.rc1.9.32.el4_8.10.i386.rpm
cups-debuginfo-1.1.22-0.rc1.9.32.el4_8.10.ia64.rpm
cups-devel-1.1.22-0.rc1.9.32.el4_8.10.ia64.rpm
cups-libs-1.1.22-0.rc1.9.32.el4_8.10.i386.rpm
cups-libs-1.1.22-0.rc1.9.32.el4_8.10.ia64.rpm

x86_64:
cups-1.1.22-0.rc1.9.32.el4_8.10.x86_64.rpm
cups-debuginfo-1.1.22-0.rc1.9.32.el4_8.10.i386.rpm
cups-debuginfo-1.1.22-0.rc1.9.32.el4_8.10.x86_64.rpm
cups-devel-1.1.22-0.rc1.9.32.el4_8.10.x86_64.rpm
cups-libs-1.1.22-0.rc1.9.32.el4_8.10.i386.rpm
cups-libs-1.1.22-0.rc1.9.32.el4_8.10.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2009-3609.html
https://www.redhat.com/security/data/cve/CVE-2010-3702.html
http://www.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at
https://www.redhat.com/security/team/contact/

Copyright 2010 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFMrgiaXlSAg2UNWIIRAmthAKC8N80K1tz68AiHfDbIooswqZjdUwCfbi/M
ZSKNDVoqStV6rXaPCiAKOVk=
=cV8S
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Fri Oct 8 02:00:53 2010
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 7 Oct 2010 20:00:53 -0600
Subject: [RHSA-2010:0756-01] Moderate: Red Hat Enterprise MRG Messaging security and bug fix update 1.2.2
Message-ID: <201010080200.o9820r5s014411@int-mx02.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat Enterprise MRG Messaging security and bug fix update 1.2.2
Advisory ID:       RHSA-2010:0756-01
Product:           Red Hat Enterprise MRG for RHEL-5
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2010-0756.html
Issue date:        2010-10-07
CVE Names:         CVE-2010-3083 CVE-2010-3701
=====================================================================

1. Summary:

Updated Red Hat Enterprise MRG Messaging packages that fix two security
issues and several bugs are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having
moderate security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat MRG Messaging Base for RHEL 5 Server - i386, x86_64
Red Hat MRG Messaging for RHEL 5 Server - i386, x86_64

3. Description:

Red Hat Enterprise MRG (Messaging, Realtime and Grid) is a real-time IT
infrastructure for enterprise computing. MRG Messaging implements the
Advanced Message Queuing Protocol (AMQP) standard, adding persistence
options, kernel optimizations, and operating system services.

A flaw was found in the way SSL connections to the MRG Messaging broker
were handled. A connection (from a user or client application) to the
broker's SSL port would prevent the broker from responding to any other
connections on that port, until the first connection's SSL handshake
completed or failed. A remote user could use this flaw to block
connections from legitimate clients. Note that this issue only affected
connections to the SSL port. The broker does not listen for SSL
connections by default. (CVE-2010-3083)

A flaw was found in the way the MRG Messaging broker handled the receipt
of large persistent messages. If a remote, authenticated user sent a very
large persistent message, the broker could exhaust stack memory, causing
the broker to crash. (CVE-2010-3701)

This update also includes a number of MRG Messaging bug fixes, including
updated qpidc and rhm packages:

* The Messaging broker failed when first a new durable exchange was
supplied by a plug-in, and then the broker was restarted. The startup
sequence has been reordered so that the plug-in modules are loaded before
the store is recovered. With this update, the new exchange is now
recognized and recovered successfully and the broker starts up.
(BZ#550151)

* qpid-route could not delete an existing route due to a problem with the
management object for the bridge. With this update, qpid-route follows
the normal path. (BZ#560696)

* Previously, clients connecting over SSL needed to use some other
username to authenticate themselves to have permission granted via ACLs.
This update adds the option to use the client identity as authenticated
by SSL. (BZ#601222)

* New brokers did not see a durable exchange even though it existed in a
cluster. This update checks for any durable exchanges to be replicated
when a new broker is added to the cluster. Now, the exchange is visible
on the new broker. (BZ#601230)

* Cluster members occasionally failed when a new member was added to a
cluster with active consumers, because some of the consumer information
was not being replicated to new members joining a cluster. With this
update, the missing information is replicated to new members when joining
a cluster. (BZ#601236)

* Performance decreased when reading messages from a queue sequentially
without taking them off the queue. With this update, the algorithm for
traversing through messages has been changed, and the next message is
found more quickly, even for large queues. (BZ#611907)

* Wire level protocol violation or segmentation faults occurred when
adding tags due to possible modification of the message concurrent with
its encoding. This update clones messages before adding tags to prevent
concurrent modification as they are being delivered and encoded.
(BZ#619919)

All Red Hat Enterprise MRG users are advised to upgrade to these updated
packages, which correct these issues. After installing the updated
packages, the qpidd service must be restarted ("service qpidd restart")
for this update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

550151 - If an XML exchange is declared durable, the broker crashes on recovery
560696 - qpid-route route del - fails
601222 - Feature Request: support for SASL EXTERNAL with TLS/SSL
601230 - clustered qpid: durable exchange state not replicated to broker joining cluster
601236 - Persistent cluster problems after reboot -f
611907 - Browse mode performance in a queue degrades as queue gets larger
619919 - Concurrent tagging of message with trace id while message is delivered from another queue causes segfault
632657 - CVE-2010-3083 MRG: SSL connections to MRG broker can be blocked
634014 - Large persistent messages cause seg fault
640006 - CVE-2010-3701 MRG: remote authenticated DoS in broker

6. Package List:

Red Hat MRG Messaging for RHEL 5 Server:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/qpidc-0.5.752581-42.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/rhm-0.5.3206-36.el5.src.rpm

i386:
qmf-0.5.752581-42.el5.i386.rpm
qmf-devel-0.5.752581-42.el5.i386.rpm
qpidc-0.5.752581-42.el5.i386.rpm
qpidc-debuginfo-0.5.752581-42.el5.i386.rpm
qpidc-devel-0.5.752581-42.el5.i386.rpm
qpidc-perftest-0.5.752581-42.el5.i386.rpm
qpidc-rdma-0.5.752581-42.el5.i386.rpm
qpidc-ssl-0.5.752581-42.el5.i386.rpm
qpidd-0.5.752581-42.el5.i386.rpm
qpidd-acl-0.5.752581-42.el5.i386.rpm
qpidd-cluster-0.5.752581-42.el5.i386.rpm
qpidd-devel-0.5.752581-42.el5.i386.rpm
qpidd-rdma-0.5.752581-42.el5.i386.rpm
qpidd-ssl-0.5.752581-42.el5.i386.rpm
qpidd-xml-0.5.752581-42.el5.i386.rpm
rhm-0.5.3206-36.el5.i386.rpm
rhm-debuginfo-0.5.3206-36.el5.i386.rpm

x86_64:
qmf-0.5.752581-42.el5.x86_64.rpm
qmf-devel-0.5.752581-42.el5.x86_64.rpm
qpidc-0.5.752581-42.el5.x86_64.rpm
qpidc-debuginfo-0.5.752581-42.el5.x86_64.rpm
qpidc-devel-0.5.752581-42.el5.x86_64.rpm
qpidc-perftest-0.5.752581-42.el5.x86_64.rpm
qpidc-rdma-0.5.752581-42.el5.x86_64.rpm
qpidc-ssl-0.5.752581-42.el5.x86_64.rpm
qpidd-0.5.752581-42.el5.x86_64.rpm
qpidd-acl-0.5.752581-42.el5.x86_64.rpm
qpidd-cluster-0.5.752581-42.el5.x86_64.rpm
qpidd-devel-0.5.752581-42.el5.x86_64.rpm
qpidd-rdma-0.5.752581-42.el5.x86_64.rpm
qpidd-ssl-0.5.752581-42.el5.x86_64.rpm
qpidd-xml-0.5.752581-42.el5.x86_64.rpm
rhm-0.5.3206-36.el5.x86_64.rpm
rhm-debuginfo-0.5.3206-36.el5.x86_64.rpm

Red Hat MRG Messaging Base for RHEL 5 Server:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/qpidc-0.5.752581-42.el5.src.rpm

i386:
qmf-0.5.752581-42.el5.i386.rpm
qmf-devel-0.5.752581-42.el5.i386.rpm
qpidc-0.5.752581-42.el5.i386.rpm
qpidc-debuginfo-0.5.752581-42.el5.i386.rpm
qpidc-devel-0.5.752581-42.el5.i386.rpm
qpidc-ssl-0.5.752581-42.el5.i386.rpm
qpidd-0.5.752581-42.el5.i386.rpm
qpidd-devel-0.5.752581-42.el5.i386.rpm
qpidd-ssl-0.5.752581-42.el5.i386.rpm

x86_64:
qmf-0.5.752581-42.el5.x86_64.rpm
qmf-devel-0.5.752581-42.el5.x86_64.rpm
qpidc-0.5.752581-42.el5.x86_64.rpm
qpidc-debuginfo-0.5.752581-42.el5.x86_64.rpm
qpidc-devel-0.5.752581-42.el5.x86_64.rpm
qpidc-ssl-0.5.752581-42.el5.x86_64.rpm
qpidd-0.5.752581-42.el5.x86_64.rpm
qpidd-devel-0.5.752581-42.el5.x86_64.rpm
qpidd-ssl-0.5.752581-42.el5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2010-3083.html
https://www.redhat.com/security/data/cve/CVE-2010-3701.html
http://www.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at
https://www.redhat.com/security/team/contact/

Copyright 2010 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFMrnsfXlSAg2UNWIIRAl6PAKCg4/IZv+z9pF7cRms7qYAhrWRjYQCgxIWy
/VgzPZnKhCOdFjWySMLuhh4=
=365G
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Fri Oct  8 02:01:42 2010
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 7 Oct 2010 20:01:42 -0600
Subject: [RHSA-2010:0757-01] Moderate: Red Hat Enterprise MRG Messaging security and bug fix update 1.2.2
Message-ID: <201010080201.o9821gWU021760@int-mx03.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat Enterprise MRG Messaging security and bug fix update 1.2.2
Advisory ID:       RHSA-2010:0757-01
Product:           Red Hat Enterprise MRG for RHEL-4
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2010-0757.html
Issue date:        2010-10-07
CVE Names:         CVE-2010-3083 CVE-2010-3701
=====================================================================

1. Summary:

Updated Red Hat Enterprise MRG Messaging packages that fix two security
issues and several bugs are now available for Red Hat Enterprise Linux 4.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat MRG Messaging Base for RHEL-4 AS - i386, x86_64
Red Hat MRG Messaging Base for RHEL-4 ES - i386, x86_64
Red Hat MRG Messaging for RHEL-4 AS - i386, x86_64
Red Hat MRG Messaging for RHEL-4 ES - i386, x86_64

3. Description:

Red Hat Enterprise MRG (Messaging, Realtime and Grid) is a real-time IT
infrastructure for enterprise computing. MRG Messaging implements the
Advanced Message Queuing Protocol (AMQP) standard, adding persistence
options, kernel optimizations, and operating system services.
A flaw was found in the way SSL connections to the MRG Messaging broker were
handled. A connection (from a user or client application) to the broker's
SSL port would prevent the broker from responding to any other connections
on that port, until the first connection's SSL handshake completed or
failed. A remote user could use this flaw to block connections from
legitimate clients. Note that this issue only affected connections to the
SSL port. The broker does not listen for SSL connections by default.
(CVE-2010-3083)

A flaw was found in the way the MRG Messaging broker handled the receipt of
large persistent messages. If a remote, authenticated user sent a very
large persistent message, the broker could exhaust stack memory, causing
the broker to crash. (CVE-2010-3701)

This update also includes a number of MRG Messaging bug fixes, including
updated qpidc and rhm packages:

* The Messaging broker failed when first a new durable exchange was
supplied by a plug-in, and then the broker was restarted. The startup
sequence has been reordered so that the plug-in modules are loaded before
the store is recovered. With this update, the new exchange is now
recognized and recovered successfully and the broker starts up. (BZ#550151)

* qpid-route could not delete an existing route due to a problem with the
management object for the bridge. With this update, qpid-route follows the
normal path. (BZ#560696)

* Previously, clients connecting over SSL needed to use some other username
to authenticate themselves to have permission granted via ACLs. This update
adds the option to use the client identity as authenticated by SSL.
(BZ#601222)

* New brokers did not see a durable exchange even though it existed in a
cluster. This update checks for any durable exchanges to be replicated when
a new broker is added to the cluster. Now, the exchange is visible on the
new broker. (BZ#601230)

* Cluster members occasionally failed when a new member was added to a
cluster with active consumers, because some of the consumer information was
not being replicated to new members joining a cluster. With this update,
the missing information is replicated to new members when joining a
cluster. (BZ#601236)

* Performance decreased when reading messages from a queue sequentially
without taking them off the queue. With this update, the algorithm for
traversing through messages has been changed, and the next message is found
more quickly, even for large queues. (BZ#611907)

* Wire level protocol violation or segmentation faults occurred when adding
tags due to possible modification of the message concurrent with its
encoding. This update clones messages before adding tags to prevent
concurrent modification as they are being delivered and encoded.
(BZ#619919)

All Red Hat Enterprise MRG users are advised to upgrade to these updated
packages, which correct these issues. After installing the updated
packages, the qpidd service must be restarted ("service qpidd restart") for
this update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

632657 - CVE-2010-3083 MRG: SSL connections to MRG broker can be blocked
639054 - Build 1.2.2 release for RHEL-4 errata
640006 - CVE-2010-3701 MRG: remote authenticated DoS in broker

6. Package List:

Red Hat MRG Messaging for RHEL-4 AS:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/RHEMRG/SRPMS/qpidc-0.5.752581-42.el4.src.rpm
ftp://updates.redhat.com/enterprise/4AS/en/RHEMRG/SRPMS/rhm-0.5.3206-36.el4.src.rpm

i386:
qmf-0.5.752581-42.el4.i386.rpm
qmf-devel-0.5.752581-42.el4.i386.rpm
qpidc-0.5.752581-42.el4.i386.rpm
qpidc-debuginfo-0.5.752581-42.el4.i386.rpm
qpidc-devel-0.5.752581-42.el4.i386.rpm
qpidc-perftest-0.5.752581-42.el4.i386.rpm
qpidc-ssl-0.5.752581-42.el4.i386.rpm
qpidd-0.5.752581-42.el4.i386.rpm
qpidd-acl-0.5.752581-42.el4.i386.rpm
qpidd-devel-0.5.752581-42.el4.i386.rpm
qpidd-ssl-0.5.752581-42.el4.i386.rpm
qpidd-xml-0.5.752581-42.el4.i386.rpm
rhm-0.5.3206-36.el4.i386.rpm
rhm-debuginfo-0.5.3206-36.el4.i386.rpm

x86_64:
qmf-0.5.752581-42.el4.x86_64.rpm
qmf-devel-0.5.752581-42.el4.x86_64.rpm
qpidc-0.5.752581-42.el4.x86_64.rpm
qpidc-debuginfo-0.5.752581-42.el4.x86_64.rpm
qpidc-devel-0.5.752581-42.el4.x86_64.rpm
qpidc-perftest-0.5.752581-42.el4.x86_64.rpm
qpidc-ssl-0.5.752581-42.el4.x86_64.rpm
qpidd-0.5.752581-42.el4.x86_64.rpm
qpidd-acl-0.5.752581-42.el4.x86_64.rpm
qpidd-devel-0.5.752581-42.el4.x86_64.rpm
qpidd-ssl-0.5.752581-42.el4.x86_64.rpm
qpidd-xml-0.5.752581-42.el4.x86_64.rpm
rhm-0.5.3206-36.el4.x86_64.rpm
rhm-debuginfo-0.5.3206-36.el4.x86_64.rpm

Red Hat MRG Messaging Base for RHEL-4 AS:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/RHEMRG/SRPMS/qpidc-0.5.752581-42.el4.src.rpm

i386:
qmf-0.5.752581-42.el4.i386.rpm
qmf-devel-0.5.752581-42.el4.i386.rpm
qpidc-0.5.752581-42.el4.i386.rpm
qpidc-debuginfo-0.5.752581-42.el4.i386.rpm
qpidc-devel-0.5.752581-42.el4.i386.rpm
qpidc-ssl-0.5.752581-42.el4.i386.rpm
qpidd-0.5.752581-42.el4.i386.rpm
qpidd-devel-0.5.752581-42.el4.i386.rpm
qpidd-ssl-0.5.752581-42.el4.i386.rpm

x86_64:
qmf-0.5.752581-42.el4.x86_64.rpm
qmf-devel-0.5.752581-42.el4.x86_64.rpm
qpidc-0.5.752581-42.el4.x86_64.rpm
qpidc-debuginfo-0.5.752581-42.el4.x86_64.rpm
qpidc-devel-0.5.752581-42.el4.x86_64.rpm
qpidc-ssl-0.5.752581-42.el4.x86_64.rpm
qpidd-0.5.752581-42.el4.x86_64.rpm
qpidd-devel-0.5.752581-42.el4.x86_64.rpm
qpidd-ssl-0.5.752581-42.el4.x86_64.rpm

Red Hat MRG Messaging for RHEL-4 ES:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/RHEMRG/SRPMS/qpidc-0.5.752581-42.el4.src.rpm
ftp://updates.redhat.com/enterprise/4ES/en/RHEMRG/SRPMS/rhm-0.5.3206-36.el4.src.rpm

i386:
qmf-0.5.752581-42.el4.i386.rpm
qmf-devel-0.5.752581-42.el4.i386.rpm
qpidc-0.5.752581-42.el4.i386.rpm
qpidc-debuginfo-0.5.752581-42.el4.i386.rpm
qpidc-devel-0.5.752581-42.el4.i386.rpm
qpidc-perftest-0.5.752581-42.el4.i386.rpm
qpidc-ssl-0.5.752581-42.el4.i386.rpm
qpidd-0.5.752581-42.el4.i386.rpm
qpidd-acl-0.5.752581-42.el4.i386.rpm
qpidd-devel-0.5.752581-42.el4.i386.rpm
qpidd-ssl-0.5.752581-42.el4.i386.rpm
qpidd-xml-0.5.752581-42.el4.i386.rpm
rhm-0.5.3206-36.el4.i386.rpm
rhm-debuginfo-0.5.3206-36.el4.i386.rpm

x86_64:
qmf-0.5.752581-42.el4.x86_64.rpm
qmf-devel-0.5.752581-42.el4.x86_64.rpm
qpidc-0.5.752581-42.el4.x86_64.rpm
qpidc-debuginfo-0.5.752581-42.el4.x86_64.rpm
qpidc-devel-0.5.752581-42.el4.x86_64.rpm
qpidc-perftest-0.5.752581-42.el4.x86_64.rpm
qpidc-ssl-0.5.752581-42.el4.x86_64.rpm
qpidd-0.5.752581-42.el4.x86_64.rpm
qpidd-acl-0.5.752581-42.el4.x86_64.rpm
qpidd-devel-0.5.752581-42.el4.x86_64.rpm
qpidd-ssl-0.5.752581-42.el4.x86_64.rpm
qpidd-xml-0.5.752581-42.el4.x86_64.rpm
rhm-0.5.3206-36.el4.x86_64.rpm
rhm-debuginfo-0.5.3206-36.el4.x86_64.rpm

Red Hat MRG Messaging Base for RHEL-4 ES:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/RHEMRG/SRPMS/qpidc-0.5.752581-42.el4.src.rpm

i386:
qmf-0.5.752581-42.el4.i386.rpm
qmf-devel-0.5.752581-42.el4.i386.rpm
qpidc-0.5.752581-42.el4.i386.rpm
qpidc-debuginfo-0.5.752581-42.el4.i386.rpm
qpidc-devel-0.5.752581-42.el4.i386.rpm
qpidc-ssl-0.5.752581-42.el4.i386.rpm
qpidd-0.5.752581-42.el4.i386.rpm
qpidd-devel-0.5.752581-42.el4.i386.rpm
qpidd-ssl-0.5.752581-42.el4.i386.rpm

x86_64:
qmf-0.5.752581-42.el4.x86_64.rpm
qmf-devel-0.5.752581-42.el4.x86_64.rpm
qpidc-0.5.752581-42.el4.x86_64.rpm
qpidc-debuginfo-0.5.752581-42.el4.x86_64.rpm
qpidc-devel-0.5.752581-42.el4.x86_64.rpm
qpidc-ssl-0.5.752581-42.el4.x86_64.rpm
qpidd-0.5.752581-42.el4.x86_64.rpm
qpidd-devel-0.5.752581-42.el4.x86_64.rpm
qpidd-ssl-0.5.752581-42.el4.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2010-3083.html
https://www.redhat.com/security/data/cve/CVE-2010-3701.html
http://www.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at
https://www.redhat.com/security/team/contact/

Copyright 2010 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFMrntoXlSAg2UNWIIRAj5dAJ9w9k2HIt3TLE2Wspzf//CMhnd5CwCgiMmV
knlAqKw2wvAiA0JoIleUKOA=
=Zkg2
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Fri Oct  8 02:14:36 2010
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 7 Oct 2010 20:14:36 -0600
Subject: [RHSA-2010:0758-01] Important: kernel-rt security and bug fix update
Message-ID: <201010080214.o982EbS6024047@int-mx03.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: kernel-rt security and bug fix update
Advisory ID:       RHSA-2010:0758-01
Product:           Red Hat Enterprise MRG for RHEL-5
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2010-0758.html
Issue date:        2010-10-07
CVE Names:         CVE-2010-3067 CVE-2010-3081
=====================================================================

1. Summary:

Updated kernel-rt packages that fix two security issues and three bugs are
now available for Red Hat Enterprise MRG 1.2.

The Red Hat Security Response Team has rated this update as having
important security impact.
Common Vulnerability Scoring System (CVSS) base scores, which give detailed
severity ratings, are available for each vulnerability from the CVE links
in the References section.

2. Relevant releases/architectures:

MRG Realtime for RHEL 5 Server - i386, noarch, x86_64

3. Description:

The kernel-rt packages contain the Linux kernel, the core of any Linux
operating system.

This update fixes the following security issues:

* The compat_alloc_user_space() function in the Linux kernel 32/64-bit
compatibility layer implementation was missing sanity checks. This function
could be abused in other areas of the Linux kernel if its length argument
can be controlled from user-space. On 64-bit systems, a local, unprivileged
user could use this flaw to escalate their privileges. (CVE-2010-3081,
Important)

* A missing upper bound integer check was found in the sys_io_submit()
function in the Linux kernel asynchronous I/O implementation. A local,
unprivileged user could use this flaw to cause an information leak.
(CVE-2010-3067, Low)

Red Hat would like to thank Ben Hawkes for reporting CVE-2010-3081, and
Tavis Ormandy for reporting CVE-2010-3067.

This update also fixes the following bugs:

* The RHSA-2010:0631 kernel-rt update resolved an issue (CVE-2010-2240)
where, when an application has a stack overflow, the stack could silently
overwrite another memory mapped area instead of a segmentation fault
occurring. This update implements the official upstream fixes for that
issue. Note: This is not a security regression. The original fix was
complete. (BZ#624604)

* In certain circumstances, under heavy load, certain network interface
cards using the bnx2 driver, and configured to use MSI-X, could stop
processing interrupts and then network connectivity would cease.
(BZ#622952)

* This update upgrades the tg3 driver to version 3.110. (BZ#640334)

Users are advised to upgrade to these updated packages, which contain
backported patches to correct these issues.
The system must be rebooted for this update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

To install kernel packages manually, use "rpm -ivh [package]". Do not use
"rpm -Uvh" as that will remove the running kernel binaries from your
system. You may use "rpm -e" to remove old kernels after determining that
the new kernel functions properly on your system.

5. Bugs fixed (http://bugzilla.redhat.com/):

624604 - Backport official CVE-2010-2240 fixes
629441 - CVE-2010-3067 kernel: do_io_submit() infoleak
634457 - CVE-2010-3081 kernel: 64-bit Compatibility Mode Stack Pointer Underflow
640334 - update MRG 1.2 tg3 driver to latest upstream driver

6. Package List:

MRG Realtime for RHEL 5 Server:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/kernel-rt-2.6.24.7-169.el5rt.src.rpm

i386:
kernel-rt-2.6.24.7-169.el5rt.i686.rpm
kernel-rt-debug-2.6.24.7-169.el5rt.i686.rpm
kernel-rt-debug-debuginfo-2.6.24.7-169.el5rt.i686.rpm
kernel-rt-debug-devel-2.6.24.7-169.el5rt.i686.rpm
kernel-rt-debuginfo-2.6.24.7-169.el5rt.i686.rpm
kernel-rt-debuginfo-common-2.6.24.7-169.el5rt.i686.rpm
kernel-rt-devel-2.6.24.7-169.el5rt.i686.rpm
kernel-rt-trace-2.6.24.7-169.el5rt.i686.rpm
kernel-rt-trace-debuginfo-2.6.24.7-169.el5rt.i686.rpm
kernel-rt-trace-devel-2.6.24.7-169.el5rt.i686.rpm
kernel-rt-vanilla-2.6.24.7-169.el5rt.i686.rpm
kernel-rt-vanilla-debuginfo-2.6.24.7-169.el5rt.i686.rpm
kernel-rt-vanilla-devel-2.6.24.7-169.el5rt.i686.rpm

noarch:
kernel-rt-doc-2.6.24.7-169.el5rt.noarch.rpm

x86_64:
kernel-rt-2.6.24.7-169.el5rt.x86_64.rpm
kernel-rt-debug-2.6.24.7-169.el5rt.x86_64.rpm
kernel-rt-debug-debuginfo-2.6.24.7-169.el5rt.x86_64.rpm
kernel-rt-debug-devel-2.6.24.7-169.el5rt.x86_64.rpm
kernel-rt-debuginfo-2.6.24.7-169.el5rt.x86_64.rpm
kernel-rt-debuginfo-common-2.6.24.7-169.el5rt.x86_64.rpm
kernel-rt-devel-2.6.24.7-169.el5rt.x86_64.rpm
kernel-rt-trace-2.6.24.7-169.el5rt.x86_64.rpm
kernel-rt-trace-debuginfo-2.6.24.7-169.el5rt.x86_64.rpm
kernel-rt-trace-devel-2.6.24.7-169.el5rt.x86_64.rpm
kernel-rt-vanilla-2.6.24.7-169.el5rt.x86_64.rpm
kernel-rt-vanilla-debuginfo-2.6.24.7-169.el5rt.x86_64.rpm
kernel-rt-vanilla-devel-2.6.24.7-169.el5rt.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2010-3067.html
https://www.redhat.com/security/data/cve/CVE-2010-3081.html
http://www.redhat.com/security/updates/classification/#important
https://access.redhat.com/kb/docs/DOC-40265

8. Contact:

The Red Hat security contact is . More contact details at
https://www.redhat.com/security/team/contact/

Copyright 2010 Red Hat, Inc.
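Both kernel flaws in this advisory are missing bounds checks on a length that user space controls. The C program below is an added illustration written for this page; it is not kernel code and not the backported patch shipped in this erratum. It models, in plain user-space arithmetic, (a) a compat_alloc_user_space()-style allocation that subtracts a caller-supplied length from the zero-extended 32-bit compat stack pointer, and (b) a sys_io_submit()-style check where nr * sizeof(pointer) is computed before the range test. The unchecked variants show how the pointer underflow and the multiplication wrap-around defeat a range check that by itself looks correct; the checked variants add the length bound first and then an access_ok()-style range test. The constants MODEL_COMPAT_TASK_SIZE and MODEL_COMPAT_UPTR_MAX, the model_ function names and the sample stack pointer are assumptions of this example, and the exact form of the upstream fixes is not reproduced.

```c
#include <stdint.h>
#include <stdio.h>
#include <limits.h>

/* Model constants (assumptions for this example, not values copied from the
 * kernel): a 32-bit compat task's user space ends at 4 GiB, and its
 * pointers are at most 0xffffffff. */
#define MODEL_COMPAT_TASK_SIZE 0x100000000ULL
#define MODEL_COMPAT_UPTR_MAX  0xffffffffULL

/* Model of access_ok(): [addr, addr+size) must lie inside user space and
 * must not wrap around the end of the 64-bit address space. */
static int model_access_ok(uint64_t addr, uint64_t size)
{
    uint64_t end = addr + size;
    if (end < addr)                         /* wrapped past 2^64 */
        return 0;
    return end <= MODEL_COMPAT_TASK_SIZE;
}

/* Unchecked: compat stack pointer (a zero-extended 32-bit value held in a
 * 64-bit register) minus a caller-supplied length. When len exceeds sp
 * the subtraction underflows and the "user" pointer lands at the top of
 * the 64-bit address space, which is where the kernel lives. */
uint64_t model_alloc_unchecked(uint64_t compat_sp, uint64_t len)
{
    return compat_sp - len;
}

/* Hardened: reject absurd lengths up front, then require the resulting
 * range to pass the access_ok model. Returns 0 (NULL) on rejection. */
uint64_t model_alloc_checked(uint64_t compat_sp, uint64_t len)
{
    if (len > (MODEL_COMPAT_UPTR_MAX >> 1))
        return 0;
    uint64_t ptr = compat_sp - len;
    if (!model_access_ok(ptr, len))
        return 0;
    return ptr;
}

/* Unchecked: nr * sizeof(pointer) is computed in 64-bit arithmetic and can
 * wrap, so a huge nr yields a tiny byte count, the range check passes, and
 * the caller then walks nr entries of an array that was never validated. */
int model_iocb_array_ok_unchecked(uint64_t iocbpp, uint64_t nr)
{
    uint64_t bytes = nr * sizeof(uint64_t);  /* sizeof(struct iocb __user *) */
    return model_access_ok(iocbpp, bytes);
}

/* Hardened: bound nr so the multiplication cannot overflow before the
 * range check runs. */
int model_iocb_array_ok_checked(uint64_t iocbpp, uint64_t nr)
{
    if (nr > (uint64_t)LONG_MAX / sizeof(uint64_t))
        return 0;
    return model_access_ok(iocbpp, nr * sizeof(uint64_t));
}

int main(void)
{
    uint64_t sp = 0xffffe000ULL;              /* constructed compat stack pointer */
    uint64_t nr_wrap = (1ULL << 61) + 1;      /* nr * 8 wraps to 8 */

    printf("sane len : unchecked=%#llx checked=%#llx\n",
           (unsigned long long)model_alloc_unchecked(sp, 0x1000),
           (unsigned long long)model_alloc_checked(sp, 0x1000));
    printf("huge len : unchecked=%#llx checked=%#llx\n",
           (unsigned long long)model_alloc_unchecked(sp, 0x100000000ULL),
           (unsigned long long)model_alloc_checked(sp, 0x100000000ULL));
    printf("io_submit: unchecked=%d checked=%d\n",
           model_iocb_array_ok_unchecked(0x10000, nr_wrap),
           model_iocb_array_ok_checked(0x10000, nr_wrap));
    return 0;
}
```

The order of the two tests in the checked variants matters: the length bound has to come before any arithmetic that uses the length, because once the pointer or byte count has wrapped, a range check on the wrapped value tells you nothing about the range the caller actually asked for.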
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFMrn5rXlSAg2UNWIIRAtkJAJ9zViQx8rPkLhA3aIbxKKFtAq4MDQCdFhum
FEsRHkaDDFvvezLqEtWG1Lc=
=fh3M
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Wed Oct 13 17:53:36 2010
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 13 Oct 2010 13:53:36 -0400
Subject: [RHSA-2010:0768-01] Important: java-1.6.0-openjdk security and bug fix update
Message-ID: <201010131752.o9DHqtda011317@int-mx01.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: java-1.6.0-openjdk security and bug fix update
Advisory ID:       RHSA-2010:0768-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2010-0768.html
Issue date:        2010-10-13
CVE Names:         CVE-2009-3555 CVE-2010-3541 CVE-2010-3548 CVE-2010-3549
                   CVE-2010-3551 CVE-2010-3553 CVE-2010-3554 CVE-2010-3557
                   CVE-2010-3561 CVE-2010-3562 CVE-2010-3564 CVE-2010-3565
                   CVE-2010-3567 CVE-2010-3568 CVE-2010-3569 CVE-2010-3573
                   CVE-2010-3574
=====================================================================

1. Summary:

Updated java-1.6.0-openjdk packages that fix several security issues and
two bugs are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux (v. 5 server) - i386, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64

3. Description:

These packages provide the OpenJDK 6 Java Runtime Environment and the
OpenJDK 6 Software Development Kit.
defaultReadObject of the Serialization API could be tricked into setting a
volatile field multiple times, which could allow a remote attacker to
execute arbitrary code with the privileges of the user running the applet
or application. (CVE-2010-3569)

Race condition in the way objects were deserialized could allow an
untrusted applet or application to misuse the privileges of the user
running the applet or application. (CVE-2010-3568)

Miscalculation in the OpenType font rendering implementation caused
out-of-bounds memory access, which could allow remote attackers to execute
code with the privileges of the user running the java process.
(CVE-2010-3567)

JPEGImageWriter.writeImage in the imageio API improperly checked certain
image metadata, which could allow a remote attacker to execute arbitrary
code in the context of the user running the applet or application.
(CVE-2010-3565)

Double free in IndexColorModel could cause an untrusted applet or
application to crash or, possibly, execute arbitrary code with the
privileges of the user running the applet or application. (CVE-2010-3562)

The privileged accept method of the ServerSocket class in the Common Object
Request Broker Architecture (CORBA) implementation in OpenJDK allowed it to
receive connections from any host, instead of just the host of the current
connection. An attacker could use this flaw to bypass restrictions defined
by network permissions. (CVE-2010-3561)

Flaws in the Swing library could allow an untrusted application to modify
the behavior and state of certain JDK classes. (CVE-2010-3557)

Flaws in the CORBA implementation could allow an attacker to execute
arbitrary code by misusing permissions granted to certain system objects.
(CVE-2010-3554)

UIDefault.ProxyLazyValue had unsafe reflection usage, allowing untrusted
callers to create objects via ProxyLazyValue values. (CVE-2010-3553)

HttpURLConnection improperly handled the "chunked" transfer encoding
method, which could allow remote attackers to conduct HTTP response
splitting attacks. (CVE-2010-3549)

HttpURLConnection improperly checked whether the calling code was granted
the "allowHttpTrace" permission, allowing untrusted code to create HTTP
TRACE requests. (CVE-2010-3574)

HttpURLConnection did not validate request headers set by applets, which
could allow remote attackers to trigger actions otherwise restricted to
HTTP clients. (CVE-2010-3541, CVE-2010-3573)

The Kerberos implementation improperly checked the sanity of AP-REQ
requests, which could cause a denial of service condition in the receiving
Java Virtual Machine. (CVE-2010-3564)

The RHSA-2010:0339 update mitigated a man-in-the-middle attack in the way
the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocols
handle session renegotiation by disabling renegotiation. This update
implements the TLS Renegotiation Indication Extension as defined in RFC
5746, allowing secure renegotiation between updated clients and servers.
(CVE-2009-3555)

The NetworkInterface class improperly checked the network "connect"
permissions for local network addresses, which could allow remote attackers
to read local network addresses. (CVE-2010-3551)

Information leak flaw in the Java Naming and Directory Interface (JNDI)
could allow a remote attacker to access information about
otherwise-protected internal network names. (CVE-2010-3548)

Note: Flaws concerning applets in this advisory (CVE-2010-3568,
CVE-2010-3554, CVE-2009-3555, CVE-2010-3562, CVE-2010-3557, CVE-2010-3548,
CVE-2010-3564, CVE-2010-3565, CVE-2010-3569) can only be triggered in
OpenJDK by calling the "appletviewer" application.

Bug fixes:

* This update provides one defense in depth patch. (BZ#639922)

* Problems for certain SSL connections. In a reported case, this prevented
the JBoss JAAS modules from connecting over SSL to Microsoft Active
Directory servers. (BZ#618290)

4. Solution:

All java-1.6.0-openjdk users are advised to upgrade to these updated
packages, which resolve these issues. All running instances of OpenJDK Java
must be restarted for the update to take effect.

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

533125 - CVE-2009-3555 TLS: MITM attacks via session renegotiation
618290 - Error connecting to Active Directory (AD) over SSL.
639876 - CVE-2010-3568 OpenJDK Deserialization Race condition (6559775)
639880 - CVE-2010-3554 CVE-2010-3561 OpenJDK corba reflection vulnerabilities (6891766,6925672)
639897 - CVE-2010-3562 OpenJDK IndexColorModel double-free (6925710)
639904 - CVE-2010-3557 OpenJDK Swing mutable static (6938813)
639909 - CVE-2010-3548 OpenJDK DNS server IP address information leak (6957564)
639914 - CVE-2010-3564 OpenJDK kerberos vulnerability (6958060)
639920 - CVE-2010-3565 OpenJDK JPEG writeImage remote code execution (6963023)
639922 - CVE-2010-3566 OpenJDK ICC Profile remote code execution (6963489)
639925 - CVE-2010-3569 OpenJDK Serialization inconsistencies (6966692)
642167 - CVE-2010-3553 OpenJDK Swing unsafe reflection usage (6622002)
642180 - CVE-2010-3549 OpenJDK HttpURLConnection request splitting (6952017)
642187 - CVE-2010-3551 OpenJDK local network address disclosure (6952603)
642197 - CVE-2010-3567 OpenJDK ICU Opentype layout engine crash (6963285)
642202 - CVE-2010-3541 CVE-2010-3573 OpenJDK HttpURLConnection allows arbitrary request headers (6961084,6980004)
642215 - CVE-2010-3574 OpenJDK HttpURLConnection incomplete TRACE permission check (6981426)

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/java-1.6.0-openjdk-1.6.0.0-1.16.b17.el5.src.rpm

i386:
java-1.6.0-openjdk-1.6.0.0-1.16.b17.el5.i386.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.0-1.16.b17.el5.i386.rpm
java-1.6.0-openjdk-demo-1.6.0.0-1.16.b17.el5.i386.rpm
java-1.6.0-openjdk-devel-1.6.0.0-1.16.b17.el5.i386.rpm
java-1.6.0-openjdk-javadoc-1.6.0.0-1.16.b17.el5.i386.rpm
java-1.6.0-openjdk-src-1.6.0.0-1.16.b17.el5.i386.rpm

x86_64:
java-1.6.0-openjdk-1.6.0.0-1.16.b17.el5.x86_64.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.0-1.16.b17.el5.x86_64.rpm
java-1.6.0-openjdk-demo-1.6.0.0-1.16.b17.el5.x86_64.rpm
java-1.6.0-openjdk-devel-1.6.0.0-1.16.b17.el5.x86_64.rpm
java-1.6.0-openjdk-javadoc-1.6.0.0-1.16.b17.el5.x86_64.rpm
java-1.6.0-openjdk-src-1.6.0.0-1.16.b17.el5.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/java-1.6.0-openjdk-1.6.0.0-1.16.b17.el5.src.rpm

i386:
java-1.6.0-openjdk-1.6.0.0-1.16.b17.el5.i386.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.0-1.16.b17.el5.i386.rpm
java-1.6.0-openjdk-demo-1.6.0.0-1.16.b17.el5.i386.rpm
java-1.6.0-openjdk-devel-1.6.0.0-1.16.b17.el5.i386.rpm
java-1.6.0-openjdk-javadoc-1.6.0.0-1.16.b17.el5.i386.rpm
java-1.6.0-openjdk-src-1.6.0.0-1.16.b17.el5.i386.rpm

x86_64:
java-1.6.0-openjdk-1.6.0.0-1.16.b17.el5.x86_64.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.0-1.16.b17.el5.x86_64.rpm
java-1.6.0-openjdk-demo-1.6.0.0-1.16.b17.el5.x86_64.rpm
java-1.6.0-openjdk-devel-1.6.0.0-1.16.b17.el5.x86_64.rpm
java-1.6.0-openjdk-javadoc-1.6.0.0-1.16.b17.el5.x86_64.rpm
java-1.6.0-openjdk-src-1.6.0.0-1.16.b17.el5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2009-3555.html
https://www.redhat.com/security/data/cve/CVE-2010-3541.html
https://www.redhat.com/security/data/cve/CVE-2010-3548.html
https://www.redhat.com/security/data/cve/CVE-2010-3549.html
https://www.redhat.com/security/data/cve/CVE-2010-3551.html
https://www.redhat.com/security/data/cve/CVE-2010-3553.html
https://www.redhat.com/security/data/cve/CVE-2010-3554.html
https://www.redhat.com/security/data/cve/CVE-2010-3557.html
https://www.redhat.com/security/data/cve/CVE-2010-3561.html
https://www.redhat.com/security/data/cve/CVE-2010-3562.html
https://www.redhat.com/security/data/cve/CVE-2010-3564.html
https://www.redhat.com/security/data/cve/CVE-2010-3565.html
https://www.redhat.com/security/data/cve/CVE-2010-3567.html
https://www.redhat.com/security/data/cve/CVE-2010-3568.html
https://www.redhat.com/security/data/cve/CVE-2010-3569.html
https://www.redhat.com/security/data/cve/CVE-2010-3573.html
https://www.redhat.com/security/data/cve/CVE-2010-3574.html
http://www.redhat.com/security/updates/classification/#important
https://access.redhat.com/kb/docs/DOC-20491

8. Contact:

The Red Hat security contact is . More contact details at
https://www.redhat.com/security/team/contact/

Copyright 2010 Red Hat, Inc.
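CVE-2010-3549, CVE-2010-3541 and CVE-2010-3573 in this advisory are all cases of an HTTP client letting caller-controlled header names and values reach the wire without validation. The C program below is an added illustration for this page, not OpenJDK code and not the fix shipped in this erratum. A naive request builder copies a header value that contains an embedded blank line, so a server parsing the bytes sees two requests (request splitting); a hardened builder rejects any CR, LF or other control byte in the path, header name or value, rejects malformed names, and refuses headers the client library should set itself. The host example.test, the X-Trace header, the injected value and the restricted-header list are all constructed for this example; the list is illustrative and is not the set of headers OpenJDK actually restricts.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Header names the client library should own. Illustrative list for this
 * example, not the set OpenJDK restricts. */
static const char *const restricted_headers[] = {
    "Host", "Content-Length", "Transfer-Encoding", "Connection", NULL
};

/* Case-insensitive equality, as HTTP header names are case-insensitive. */
static int name_equals_ci(const char *a, const char *b)
{
    for (; *a != '\0' && *b != '\0'; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

static int is_restricted_header(const char *name)
{
    for (int i = 0; restricted_headers[i] != NULL; i++)
        if (name_equals_ci(name, restricted_headers[i]))
            return 1;
    return 0;
}

/* A field stays on one line only if it has no CR, LF or other control
 * byte; horizontal tab is the one control byte HTTP allows in a value. */
static int is_clean_field(const char *s)
{
    for (; *s != '\0'; s++) {
        unsigned char c = (unsigned char)*s;
        if (c == '\t')
            continue;
        if (c < 0x20 || c == 0x7f)
            return 0;
    }
    return 1;
}

/* Naive builder: copies the caller's name and value straight into the
 * request. Returns the request length, or -1 if the buffer is too small. */
int build_request_unchecked(const char *path, const char *hdr_name,
                            const char *hdr_value, char *out, size_t outlen)
{
    int n = snprintf(out, outlen,
                     "GET %s HTTP/1.1\r\nHost: example.test\r\n%s: %s\r\n\r\n",
                     path, hdr_name, hdr_value);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Hardened builder: refuses control bytes anywhere, malformed names, and
 * restricted header names. Returns -1 on rejection, else the length. */
int build_request_checked(const char *path, const char *hdr_name,
                          const char *hdr_value, char *out, size_t outlen)
{
    if (!is_clean_field(path) || !is_clean_field(hdr_name) ||
        !is_clean_field(hdr_value))
        return -1;
    if (*hdr_name == '\0' || strpbrk(hdr_name, ": \t") != NULL ||
        strpbrk(path, " \t") != NULL)
        return -1;
    if (is_restricted_header(hdr_name))
        return -1;
    return build_request_unchecked(path, hdr_name, hdr_value, out, outlen);
}

/* Number of requests a server would parse from the buffer: each request
 * is terminated by an empty line. */
int count_requests(const char *buf)
{
    int count = 0;
    for (const char *p = buf; (p = strstr(p, "\r\n\r\n")) != NULL; p += 4)
        count++;
    return count;
}

/* Requests on the wire when the naive builder sends one caller header
 * (-1 if the request did not fit in the buffer). */
int unchecked_request_count(const char *hdr_name, const char *hdr_value)
{
    char buf[512];
    if (build_request_unchecked("/", hdr_name, hdr_value, buf, sizeof buf) < 0)
        return -1;
    return count_requests(buf);
}

/* Same input through the hardened builder: -1 if rejected, otherwise the
 * number of requests on the wire (always 1 when accepted). */
int checked_request_count(const char *hdr_name, const char *hdr_value)
{
    char buf[512];
    if (build_request_checked("/", hdr_name, hdr_value, buf, sizeof buf) < 0)
        return -1;
    return count_requests(buf);
}

int main(void)
{
    /* Constructed attacker-controlled value: an embedded blank line ends
     * the first request and a second request follows it. */
    const char *injected = "x\r\n\r\nGET /admin HTTP/1.1\r\nHost: example.test";

    printf("unchecked, injected value: %d request(s)\n",
           unchecked_request_count("X-Trace", injected));
    printf("checked,   injected value: %d (rejected)\n",
           checked_request_count("X-Trace", injected));
    printf("checked,   clean value   : %d request(s)\n",
           checked_request_count("X-Trace", "abc123"));
    printf("checked,   Host header   : %d (rejected)\n",
           checked_request_count("Host", "evil.test"));
    return 0;
}
```

Rejecting at the byte level (no control bytes in names or values) is what closes request splitting; the restricted-name check is a separate, policy-level control that keeps untrusted callers from overriding headers the client itself is responsible for.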
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFMtfGmXlSAg2UNWIIRAvJRAJ9t2/d3H5JnHZJJytAvkBbwqFB1ewCdGHEd
jZpESZWtq1ROXY0Vs14lJRs=
=QLL9
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Thu Oct 14 13:59:25 2010
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 14 Oct 2010 09:59:25 -0400
Subject: [RHSA-2010:0770-01] Critical: java-1.6.0-sun security update
Message-ID: <201010141358.o9EDwWOK032331@int-mx03.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: java-1.6.0-sun security update
Advisory ID:       RHSA-2010:0770-01
Product:           Red Hat Enterprise Linux Extras
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2010-0770.html
Issue date:        2010-10-14
CVE Names:         CVE-2009-3555 CVE-2010-1321 CVE-2010-3541 CVE-2010-3548
                   CVE-2010-3549 CVE-2010-3550 CVE-2010-3551 CVE-2010-3552
                   CVE-2010-3553 CVE-2010-3554 CVE-2010-3555 CVE-2010-3556
                   CVE-2010-3557 CVE-2010-3558 CVE-2010-3559 CVE-2010-3560
                   CVE-2010-3561 CVE-2010-3562 CVE-2010-3563 CVE-2010-3565
                   CVE-2010-3566 CVE-2010-3567 CVE-2010-3568 CVE-2010-3569
                   CVE-2010-3570 CVE-2010-3571 CVE-2010-3572 CVE-2010-3573
                   CVE-2010-3574
=====================================================================

1. Summary:

Updated java-1.6.0-sun packages that fix several security issues are now
available for Red Hat Enterprise Linux 4 Extras and 5 Supplementary.

The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

2. Relevant releases/architectures:

RHEL Desktop Supplementary (v. 5 client) - i386, x86_64
RHEL Supplementary (v. 5 server) - i386, x86_64
Red Hat Desktop version 4 Extras - i386, x86_64
Red Hat Enterprise Linux AS version 4 Extras - i386, x86_64
Red Hat Enterprise Linux ES version 4 Extras - i386, x86_64
Red Hat Enterprise Linux WS version 4 Extras - i386, x86_64

3. Description:

The Sun 1.6.0 Java release includes the Sun Java 6 Runtime Environment and
the Sun Java 6 Software Development Kit.

This update fixes several vulnerabilities in the Sun Java 6 Runtime
Environment and the Sun Java 6 Software Development Kit. Further
information about these flaws can be found on the "Oracle Java SE and Java
for Business Critical Patch Update Advisory" page, listed in the References
section. (CVE-2010-1321, CVE-2010-3541, CVE-2010-3548, CVE-2010-3549,
CVE-2010-3550, CVE-2010-3551, CVE-2010-3552, CVE-2010-3553, CVE-2010-3554,
CVE-2010-3555, CVE-2010-3556, CVE-2010-3557, CVE-2010-3558, CVE-2010-3559,
CVE-2010-3560, CVE-2010-3561, CVE-2010-3562, CVE-2010-3563, CVE-2010-3565,
CVE-2010-3566, CVE-2010-3567, CVE-2010-3568, CVE-2010-3569, CVE-2010-3570,
CVE-2010-3571, CVE-2010-3572, CVE-2010-3573, CVE-2010-3574)

The RHSA-2010:0337 update mitigated a man-in-the-middle attack in the way
the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocols
handle session renegotiation by disabling renegotiation. This update
implements the TLS Renegotiation Indication Extension as defined in RFC
5746, allowing secure renegotiation between updated clients and servers.
(CVE-2009-3555)

Users of java-1.6.0-sun should upgrade to these updated packages, which
correct these issues. All running instances of Sun Java must be restarted
for the update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

533125 - CVE-2009-3555 TLS: MITM attacks via session renegotiation
582466 - CVE-2010-1321 krb5: null pointer dereference in GSS-API library leads to DoS (MITKRB5-SA-2010-005)
639876 - CVE-2010-3568 OpenJDK Deserialization Race condition (6559775)
639880 - CVE-2010-3554 CVE-2010-3561 OpenJDK corba reflection vulnerabilities (6891766,6925672)
639897 - CVE-2010-3562 OpenJDK IndexColorModel double-free (6925710)
639904 - CVE-2010-3557 OpenJDK Swing mutable static (6938813)
639909 - CVE-2010-3548 OpenJDK DNS server IP address information leak (6957564)
639920 - CVE-2010-3565 OpenJDK JPEG writeImage remote code execution (6963023)
639922 - CVE-2010-3566 OpenJDK ICC Profile remote code execution (6963489)
639925 - CVE-2010-3569 OpenJDK Serialization inconsistencies (6966692)
642167 - CVE-2010-3553 OpenJDK Swing unsafe reflection usage (6622002)
642180 - CVE-2010-3549 OpenJDK HttpURLConnection request splitting (6952017)
642187 - CVE-2010-3551 OpenJDK local network address disclosure (6952603)
642197 - CVE-2010-3567 OpenJDK ICU Opentype layout engine crash (6963285)
642202 - CVE-2010-3541 CVE-2010-3573 OpenJDK HttpURLConnection allows arbitrary request headers (6961084,6980004)
642215 - CVE-2010-3574 OpenJDK HttpURLConnection incomplete TRACE permission check (6981426)
642558 - CVE-2010-3555 JDK unspecified vulnerability in Deployment component
642559 - CVE-2010-3550 JDK unspecified vulnerability in Java Web Start component
642561 - CVE-2010-3570 JDK unspecified vulnerability in Deployment Toolkit
642573 - CVE-2010-3560 JDK unspecified vulnerability in Networking component
642576 - CVE-2010-3556 JDK unspecified vulnerability in 2D component
642585 - CVE-2010-3571 JDK unspecified vulnerability in 2D component
642589 - CVE-2010-3563 JDK unspecified vulnerability in Deployment component
642593 - CVE-2010-3558 JDK unspecified vulnerability in Java Web Start component
642600 - CVE-2010-3552 JDK unspecified vulnerability in New Java Plugin component
642606 - CVE-2010-3559 JDK unspecified vulnerability in Sound component
642611 - CVE-2010-3572 JDK unspecified vulnerability in Sound component

6. Package List:

Red Hat Enterprise Linux AS version 4 Extras:

i386:
java-1.6.0-sun-1.6.0.22-1jpp.1.el4.i586.rpm
java-1.6.0-sun-demo-1.6.0.22-1jpp.1.el4.i586.rpm
java-1.6.0-sun-devel-1.6.0.22-1jpp.1.el4.i586.rpm
java-1.6.0-sun-jdbc-1.6.0.22-1jpp.1.el4.i586.rpm
java-1.6.0-sun-plugin-1.6.0.22-1jpp.1.el4.i586.rpm
java-1.6.0-sun-src-1.6.0.22-1jpp.1.el4.i586.rpm

x86_64:
java-1.6.0-sun-1.6.0.22-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.22-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.22-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.22-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-plugin-1.6.0.22-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-src-1.6.0.22-1jpp.1.el4.x86_64.rpm

Red Hat Desktop version 4 Extras:

i386:
java-1.6.0-sun-1.6.0.22-1jpp.1.el4.i586.rpm
java-1.6.0-sun-demo-1.6.0.22-1jpp.1.el4.i586.rpm
java-1.6.0-sun-devel-1.6.0.22-1jpp.1.el4.i586.rpm
java-1.6.0-sun-jdbc-1.6.0.22-1jpp.1.el4.i586.rpm
java-1.6.0-sun-plugin-1.6.0.22-1jpp.1.el4.i586.rpm
java-1.6.0-sun-src-1.6.0.22-1jpp.1.el4.i586.rpm

x86_64:
java-1.6.0-sun-1.6.0.22-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.22-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.22-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.22-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-plugin-1.6.0.22-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-src-1.6.0.22-1jpp.1.el4.x86_64.rpm

Red Hat Enterprise Linux ES version 4 Extras:

i386:
java-1.6.0-sun-1.6.0.22-1jpp.1.el4.i586.rpm
java-1.6.0-sun-demo-1.6.0.22-1jpp.1.el4.i586.rpm
java-1.6.0-sun-devel-1.6.0.22-1jpp.1.el4.i586.rpm
java-1.6.0-sun-jdbc-1.6.0.22-1jpp.1.el4.i586.rpm
java-1.6.0-sun-plugin-1.6.0.22-1jpp.1.el4.i586.rpm
java-1.6.0-sun-src-1.6.0.22-1jpp.1.el4.i586.rpm

x86_64:
java-1.6.0-sun-1.6.0.22-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.22-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.22-1jpp.1.el4.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.22-1jpp.1.el4.x86_64.rpm java-1.6.0-sun-plugin-1.6.0.22-1jpp.1.el4.x86_64.rpm java-1.6.0-sun-src-1.6.0.22-1jpp.1.el4.x86_64.rpm Red Hat Enterprise Linux WS version 4 Extras: i386: java-1.6.0-sun-1.6.0.22-1jpp.1.el4.i586.rpm java-1.6.0-sun-demo-1.6.0.22-1jpp.1.el4.i586.rpm java-1.6.0-sun-devel-1.6.0.22-1jpp.1.el4.i586.rpm java-1.6.0-sun-jdbc-1.6.0.22-1jpp.1.el4.i586.rpm java-1.6.0-sun-plugin-1.6.0.22-1jpp.1.el4.i586.rpm java-1.6.0-sun-src-1.6.0.22-1jpp.1.el4.i586.rpm x86_64: java-1.6.0-sun-1.6.0.22-1jpp.1.el4.x86_64.rpm java-1.6.0-sun-demo-1.6.0.22-1jpp.1.el4.x86_64.rpm java-1.6.0-sun-devel-1.6.0.22-1jpp.1.el4.x86_64.rpm java-1.6.0-sun-jdbc-1.6.0.22-1jpp.1.el4.x86_64.rpm java-1.6.0-sun-plugin-1.6.0.22-1jpp.1.el4.x86_64.rpm java-1.6.0-sun-src-1.6.0.22-1jpp.1.el4.x86_64.rpm RHEL Desktop Supplementary (v. 5 client): i386: java-1.6.0-sun-1.6.0.22-1jpp.1.el5.i586.rpm java-1.6.0-sun-demo-1.6.0.22-1jpp.1.el5.i586.rpm java-1.6.0-sun-devel-1.6.0.22-1jpp.1.el5.i586.rpm java-1.6.0-sun-jdbc-1.6.0.22-1jpp.1.el5.i586.rpm java-1.6.0-sun-plugin-1.6.0.22-1jpp.1.el5.i586.rpm java-1.6.0-sun-src-1.6.0.22-1jpp.1.el5.i586.rpm x86_64: java-1.6.0-sun-1.6.0.22-1jpp.1.el5.i586.rpm java-1.6.0-sun-1.6.0.22-1jpp.1.el5.x86_64.rpm java-1.6.0-sun-demo-1.6.0.22-1jpp.1.el5.i586.rpm java-1.6.0-sun-demo-1.6.0.22-1jpp.1.el5.x86_64.rpm java-1.6.0-sun-devel-1.6.0.22-1jpp.1.el5.i586.rpm java-1.6.0-sun-devel-1.6.0.22-1jpp.1.el5.x86_64.rpm java-1.6.0-sun-jdbc-1.6.0.22-1jpp.1.el5.i586.rpm java-1.6.0-sun-jdbc-1.6.0.22-1jpp.1.el5.x86_64.rpm java-1.6.0-sun-plugin-1.6.0.22-1jpp.1.el5.i586.rpm java-1.6.0-sun-plugin-1.6.0.22-1jpp.1.el5.x86_64.rpm java-1.6.0-sun-src-1.6.0.22-1jpp.1.el5.i586.rpm java-1.6.0-sun-src-1.6.0.22-1jpp.1.el5.x86_64.rpm RHEL Supplementary (v. 
5 server): i386: java-1.6.0-sun-1.6.0.22-1jpp.1.el5.i586.rpm java-1.6.0-sun-demo-1.6.0.22-1jpp.1.el5.i586.rpm java-1.6.0-sun-devel-1.6.0.22-1jpp.1.el5.i586.rpm java-1.6.0-sun-jdbc-1.6.0.22-1jpp.1.el5.i586.rpm java-1.6.0-sun-plugin-1.6.0.22-1jpp.1.el5.i586.rpm java-1.6.0-sun-src-1.6.0.22-1jpp.1.el5.i586.rpm x86_64: java-1.6.0-sun-1.6.0.22-1jpp.1.el5.i586.rpm java-1.6.0-sun-1.6.0.22-1jpp.1.el5.x86_64.rpm java-1.6.0-sun-demo-1.6.0.22-1jpp.1.el5.i586.rpm java-1.6.0-sun-demo-1.6.0.22-1jpp.1.el5.x86_64.rpm java-1.6.0-sun-devel-1.6.0.22-1jpp.1.el5.i586.rpm java-1.6.0-sun-devel-1.6.0.22-1jpp.1.el5.x86_64.rpm java-1.6.0-sun-jdbc-1.6.0.22-1jpp.1.el5.i586.rpm java-1.6.0-sun-jdbc-1.6.0.22-1jpp.1.el5.x86_64.rpm java-1.6.0-sun-plugin-1.6.0.22-1jpp.1.el5.i586.rpm java-1.6.0-sun-plugin-1.6.0.22-1jpp.1.el5.x86_64.rpm java-1.6.0-sun-src-1.6.0.22-1jpp.1.el5.i586.rpm java-1.6.0-sun-src-1.6.0.22-1jpp.1.el5.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package 7. 
References: https://www.redhat.com/security/data/cve/CVE-2009-3555.html https://www.redhat.com/security/data/cve/CVE-2010-1321.html https://www.redhat.com/security/data/cve/CVE-2010-3541.html https://www.redhat.com/security/data/cve/CVE-2010-3548.html https://www.redhat.com/security/data/cve/CVE-2010-3549.html https://www.redhat.com/security/data/cve/CVE-2010-3550.html https://www.redhat.com/security/data/cve/CVE-2010-3551.html https://www.redhat.com/security/data/cve/CVE-2010-3552.html https://www.redhat.com/security/data/cve/CVE-2010-3553.html https://www.redhat.com/security/data/cve/CVE-2010-3554.html https://www.redhat.com/security/data/cve/CVE-2010-3555.html https://www.redhat.com/security/data/cve/CVE-2010-3556.html https://www.redhat.com/security/data/cve/CVE-2010-3557.html https://www.redhat.com/security/data/cve/CVE-2010-3558.html https://www.redhat.com/security/data/cve/CVE-2010-3559.html https://www.redhat.com/security/data/cve/CVE-2010-3560.html https://www.redhat.com/security/data/cve/CVE-2010-3561.html https://www.redhat.com/security/data/cve/CVE-2010-3562.html https://www.redhat.com/security/data/cve/CVE-2010-3563.html https://www.redhat.com/security/data/cve/CVE-2010-3565.html https://www.redhat.com/security/data/cve/CVE-2010-3566.html https://www.redhat.com/security/data/cve/CVE-2010-3567.html https://www.redhat.com/security/data/cve/CVE-2010-3568.html https://www.redhat.com/security/data/cve/CVE-2010-3569.html https://www.redhat.com/security/data/cve/CVE-2010-3570.html https://www.redhat.com/security/data/cve/CVE-2010-3571.html https://www.redhat.com/security/data/cve/CVE-2010-3572.html https://www.redhat.com/security/data/cve/CVE-2010-3573.html https://www.redhat.com/security/data/cve/CVE-2010-3574.html http://www.redhat.com/security/updates/classification/#critical http://www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html https://access.redhat.com/kb/docs/DOC-20491 8. Contact: The Red Hat security contact is . 
More contact details at https://www.redhat.com/security/team/contact/ Copyright 2010 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFMtwxKXlSAg2UNWIIRAlgwAJ9KMcd1PVkEGwsitqZSg+uotdwRNQCZAeDJ BX63d4j9vqwHVwEjpwl90pY= =2GD2 -----END PGP SIGNATURE----- From bugzilla at redhat.com Thu Oct 14 15:49:47 2010 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 14 Oct 2010 11:49:47 -0400 Subject: [RHSA-2010:0771-01] Moderate: kernel-rt security and bug fix update Message-ID: <201010141548.o9EFmr4N021948@int-mx01.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: kernel-rt security and bug fix update Advisory ID: RHSA-2010:0771-01 Product: Red Hat Enterprise MRG for RHEL-5 Advisory URL: https://rhn.redhat.com/errata/RHSA-2010-0771.html Issue date: 2010-10-14 CVE Names: CVE-2010-0307 CVE-2010-2942 CVE-2010-2955 CVE-2010-3297 ===================================================================== 1. Summary: Updated kernel-rt packages that fix multiple security issues and upgrade the kernel-rt kernel to version 2.6.33.7-rt29 are now available for Red Hat Enterprise MRG 1.3. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: MRG Realtime for RHEL 5 Server - i386, noarch, x86_64 3. Description: The kernel-rt packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues: * On AMD64 systems, it was discovered that the kernel did not ensure the ELF interpreter was available before making a call to the SET_PERSONALITY macro. 
A local attacker could use this flaw to cause a denial of service by running a 32-bit application that attempts to execute a 64-bit application. (CVE-2010-0307, Moderate) * Information leak flaws were found in the Linux kernel Traffic Control Unit implementation. A local attacker could use these flaws to cause the kernel to leak kernel memory to user-space, possibly leading to the disclosure of sensitive information. (CVE-2010-2942, Moderate) * It was found that wireless drivers might not always clear allocated buffers when handling a driver-specific IOCTL information request. A local user could trigger this flaw to cause kernel memory to leak from the heap to user-space, leading to an information leak. (CVE-2010-2955, Moderate) * A flaw was found in the eql_g_master_cfg() function in the Linux kernel equalizer load-balancer for serial network interfaces implementation. A data structure in eql_g_master_cfg() was not initialized properly before being copied to user-space. A local, unprivileged user could use this flaw to cause an information leak. (CVE-2010-3297, Moderate) Red Hat would like to thank Mathias Krause for reporting CVE-2010-0307, and Dan Rosenberg for reporting CVE-2010-3297. This update also fixes the following bugs: * The mkinitrd utility reported the following warning message when creating an initial ramdisk: No module dm-mem-cache found for kernel [version], aborting. This was caused by an erroneous dependency on dmraid-related modules. This update removes these dependencies with the result that mkinitrd does not issue a spurious warning about the dm-mem-cache module not being found. (BZ#482753) * The ibm_rtl kernel module now performs more exhaustive checking to ensure it only loads on correct IBM hardware. (BZ#612275) * The realtime Linux kernel has been upgraded to upstream version 2.6.33.7-rt29, which provides a number of bug fixes and enhancements for Red Hat Enterprise MRG 1.3. 
(BZ#638672) Users should upgrade to these updated packages, which upgrade the kernel-rt kernel to version 2.6.33.7-rt29 to correct these issues. The system must be rebooted for this update to take effect. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259 To install kernel packages manually, use "rpm -ivh [package]". Do not use "rpm -Uvh" as that will remove the running kernel binaries from your system. You may use "rpm -e" to remove old kernels after determining that the new kernel functions properly on your system. 5. Bugs fixed (http://bugzilla.redhat.com/): 482753 - mkinitrd erroneously inserts dependencies to dm-mem-cache (not present on MRG) 560547 - CVE-2010-0307 kernel: DoS on x86_64 612275 - WARNING: at arch/x86/mm/ioremap.c:148 __ioremap_caller+0x160/0x30e() 624903 - CVE-2010-2942 kernel: net sched: fix some kernel memory leaks 628434 - CVE-2010-2955 kernel: wireless: fix 64K kernel heap content leak via ioctl 633145 - CVE-2010-3297 kernel: drivers/net/eql.c: reading uninitialized stack memory 638672 - Need to move the MRG RT source base to upstream RT (2.6.33) 6. 
Package List: MRG Realtime for RHEL 5 Server: Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/kernel-rt-2.6.33.7-rt29.45.el5rt.src.rpm i386: kernel-rt-2.6.33.7-rt29.45.el5rt.i686.rpm kernel-rt-debug-2.6.33.7-rt29.45.el5rt.i686.rpm kernel-rt-debug-debuginfo-2.6.33.7-rt29.45.el5rt.i686.rpm kernel-rt-debug-devel-2.6.33.7-rt29.45.el5rt.i686.rpm kernel-rt-debuginfo-2.6.33.7-rt29.45.el5rt.i686.rpm kernel-rt-debuginfo-common-2.6.33.7-rt29.45.el5rt.i686.rpm kernel-rt-devel-2.6.33.7-rt29.45.el5rt.i686.rpm kernel-rt-trace-2.6.33.7-rt29.45.el5rt.i686.rpm kernel-rt-trace-debuginfo-2.6.33.7-rt29.45.el5rt.i686.rpm kernel-rt-trace-devel-2.6.33.7-rt29.45.el5rt.i686.rpm kernel-rt-vanilla-2.6.33.7-rt29.45.el5rt.i686.rpm kernel-rt-vanilla-debuginfo-2.6.33.7-rt29.45.el5rt.i686.rpm kernel-rt-vanilla-devel-2.6.33.7-rt29.45.el5rt.i686.rpm perf-2.6.33.7-rt29.45.el5rt.i686.rpm perf-debuginfo-2.6.33.7-rt29.45.el5rt.i686.rpm noarch: kernel-rt-doc-2.6.33.7-rt29.45.el5rt.noarch.rpm x86_64: kernel-rt-2.6.33.7-rt29.45.el5rt.x86_64.rpm kernel-rt-debug-2.6.33.7-rt29.45.el5rt.x86_64.rpm kernel-rt-debug-debuginfo-2.6.33.7-rt29.45.el5rt.x86_64.rpm kernel-rt-debug-devel-2.6.33.7-rt29.45.el5rt.x86_64.rpm kernel-rt-debuginfo-2.6.33.7-rt29.45.el5rt.x86_64.rpm kernel-rt-debuginfo-common-2.6.33.7-rt29.45.el5rt.x86_64.rpm kernel-rt-devel-2.6.33.7-rt29.45.el5rt.x86_64.rpm kernel-rt-trace-2.6.33.7-rt29.45.el5rt.x86_64.rpm kernel-rt-trace-debuginfo-2.6.33.7-rt29.45.el5rt.x86_64.rpm kernel-rt-trace-devel-2.6.33.7-rt29.45.el5rt.x86_64.rpm kernel-rt-vanilla-2.6.33.7-rt29.45.el5rt.x86_64.rpm kernel-rt-vanilla-debuginfo-2.6.33.7-rt29.45.el5rt.x86_64.rpm kernel-rt-vanilla-devel-2.6.33.7-rt29.45.el5rt.x86_64.rpm perf-2.6.33.7-rt29.45.el5rt.x86_64.rpm perf-debuginfo-2.6.33.7-rt29.45.el5rt.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package 7. 
References: https://www.redhat.com/security/data/cve/CVE-2010-0307.html https://www.redhat.com/security/data/cve/CVE-2010-2942.html https://www.redhat.com/security/data/cve/CVE-2010-2955.html https://www.redhat.com/security/data/cve/CVE-2010-3297.html http://www.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/ Copyright 2010 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFMtyY1XlSAg2UNWIIRAnPuAJ9D7y9FA2DNluu+aaPZgOPbg2hE1QCfULTI S+kkGSMbPa3nTYxNvFVFEI8= =h2XV -----END PGP SIGNATURE----- From bugzilla at redhat.com Thu Oct 14 16:26:37 2010 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 14 Oct 2010 12:26:37 -0400 Subject: [RHSA-2010:0773-01] Moderate: Red Hat Enterprise MRG Messaging and Grid Version 1.3 Message-ID: <201010141625.o9EGPget012676@int-mx03.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: Red Hat Enterprise MRG Messaging and Grid Version 1.3 Advisory ID: RHSA-2010:0773-01 Product: Red Hat Enterprise MRG for RHEL-5 Advisory URL: https://rhn.redhat.com/errata/RHSA-2010-0773.html Issue date: 2010-10-14 CVE Names: CVE-2009-5005 CVE-2009-5006 ===================================================================== 1. Summary: Updated packages that fix two security issues, several bugs, and add multiple enhancements are now available as part of the ongoing support and maintenance of Red Hat Enterprise MRG Messaging and Grid for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. 
Relevant releases/architectures: MRG Grid Execute Node for RHEL 5 Server - i386, noarch, x86_64 MRG Grid for RHEL 5 Server - i386, noarch, x86_64 MRG Management for RHEL 5 Server - i386, noarch, x86_64 MRG Realtime for RHEL 5 Server - noarch Red Hat MRG Messaging Base for RHEL 5 Server - i386, noarch, x86_64 Red Hat MRG Messaging for RHEL 5 Server - i386, noarch, x86_64 3. Description: Red Hat Enterprise MRG (Messaging, Realtime, and Grid) is a realtime IT infrastructure for enterprise computing. MRG Messaging uses Apache Qpid to implement the Advanced Message Queuing Protocol (AMQP) standard, adding persistence options, kernel optimizations, and operating system services. This update moves Red Hat Enterprise MRG to version 1.3. A flaw was found in the way Apache Qpid handled the receipt of invalid AMQP data. A remote user could send invalid AMQP data to the server, causing it to crash, resulting in the cluster shutting down. (CVE-2009-5005) A flaw was found in the way Apache Qpid handled a request to redeclare an existing exchange while adding a new alternate exchange. If a remote, authenticated user issued such a request, the server would crash, resulting in the cluster shutting down. (CVE-2009-5006) This update also adds the following enhancements: * This update introduces a protocol-independent C++ API. The extra layer of indirection will make it easy to support new versions of the AMQP protocol, as well as multiple versions simultaneously. (BZ#497747) * The management component is now capable of working in a cluster. (BZ#501015) * The Messaging Client Python API is now protocol-independent. (BZ#497748) * This update allows a JMS client to subscribe to the failover exchange to retrieve cluster membership information and subsequently to receive updates. (BZ#483753) * With this update, the qpidd service can be run without additional authentication options. (BZ#515513) * This update adds an OpenMPI wrapper script to Condor. It adds support for OpenMPI jobs. 
(BZ#537232) * The Messaging Client Python API now provides a failover mechanism for clustered brokers. (BZ#495718) * The Python Messaging API now includes support for Simple Authentication and Security Layer (SASL), which allows authentication support to be added to connection-based protocols. (BZ#548493) * The qpid-tool is now able to determine which session a queue consumer belongs to. (BZ#504325) * This update handles backward/forward compatibility for QMF and its components. (BZ#506698) * Both Secure Sockets Layer (SSL) and Remote Direct Memory Access (RDMA) entries can now appear in the list of known URLs. (BZ#471632) * This update allows for the scheduler daemon to run without swap. (BZ#548090) * This update introduces a mechanism that specifies the queue size of a queue that is setup via the Java API. (BZ#534008) * Previously, a collector could not be remotely restarted. With this update, the restart is possible and works as expected. (BZ#543021) * The usage information for the qpid-config utility (that is, the output of the "qpid-config -h" command) has been updated to include a brief explanation of the exchange type. (BZ#506420) These updated packages include many other bug fixes and enhancements. Users are directed to the Red Hat Enterprise MRG 1.3 Technical Notes for information on these changes: http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_MRG/1/html/Technical_N otes/index.html All Red Hat Enterprise MRG users are advised to upgrade to these updated packages, which resolve these issues and add these enhancements, as well as resolving the issues and adding the enhancements noted in the Red Hat Enterprise MRG 1.3 Technical Notes. After installing the updated packages, the qpidd service must be restarted ("service qpidd restart") for this update to take effect. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. 
Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259 5. Bugs fixed (http://bugzilla.redhat.com/): 445749 - [python client] kerberos based authentication 452546 - No way to determine if session/connection is established 455318 - A tx commit fails without a proper error message when a queue runs out of capacity 456482 - submit -spool and transfer_executable = false 458344 - Messages are not released on rollback 462461 - Clustering broker fail-over must replicate federation links 469919 - qpidd init script over-rides user option settings. 470080 - Cluster integration with security. 471054 - focus linking of gsoap, X11 and pq into daemons and tools 471286 - Grid Statistics Job Activity Graphics doesn't update correctly 471315 - Grid, Parse error on Hold a job reason entry. 471326 - Grid: It appears that the default for jobs is to show up as held in the boxed graphic 471632 - Add support for SSL/RDMA URLs in cluster's know urls list 479031 - Cluster member can't be added while management session open 479326 - cluster broker crashes with race condition in DispatchHandle 482944 - Management messages can get staged - which breaks management 483666 - Dynamic Slots and STARTD_JOB_EXPRS, invalid attribute name 483753 - Add failover exchange support for the java client 484048 - qpidd+store flush() failed: jexception 0x0106 slock::slo ck() threw JERR__PTHREAD: pthread failure. (pthread_mutex_lock failed: errno=22 (Invalid argument)) (MessageStoreImpl.cpp:1331) 485091 - "Unknown Publisher" when installing Windows grid client 485429 - qpidd stopped by critical Broker start-up failed: Cannot lock ... 
Resource temporarily unavailable 486595 - condor_configuration_node input validation 486779 - [RFE] configurable sesame publish rate (sesame publishing too often) 487023 - UID&FILESYSTEM_DOMAIN mis-configuration causing unintended side-effects 488942 - c++ client aborts when session and connection not closed 489315 - perftest shutdown seems to be not clean 'Error in shutdown: Connection closed' 489537 - Cluster - Bogus(?) messages in log file when a new broker joins a cluster 489540 - Memory leak in SASL client code. 490170 - qpidd init script does not implement condrestart though the rpm has a script to call it 490855 - clustered qpidd segfaults in qpid::broker::Exchange::propagateFedOp 491203 - "Timed out waiting for daemon" if recovery from journal takes a long time 491305 - clustered qpidd - replicating non-acked messages is not made visible for managent tools qpid-tool/cumin 491313 - Subscribing sessions should be terminated with exception if the queue they are subscribed to is deleted 492334 - qpidd+store startup crash in mrg::msgstore::MessageStoreImpl::init() 493710 - condor_configure_node: delete not inverse of add 494393 - First two nodes join 'simultaneously'; no node can reach the 'ready' state. 494399 - Bindings from durable queues to the default exchange are not shown after restore 494651 - sesame README points to old apache SVN location 495718 - Python client needs to have failover for clustering 497747 - Feature: Protocol independent API for c++ 497748 - Feature: Protocol independent API for python 498056 - SASL/GSSAPI - Connection hangs when GSSAPI context expires 498247 - CLI utilities display Python back-traces in some error cases 500712 - QMF queries to the broker may return records for deleted objects 500779 - Feature: Provide access to the Connection a Session corresponds to 501015 - Management and cluster do not work together. 
501305 - Cluster node gets stuck as updatee and 'hangs' cluster 501749 - If an XML exchange is declared durable, the broker crashes on recovery 504000 - qpid-config's altern-ex option doesn't work 504325 - Enhancement: it should be possible to determine through qpid-tool which sessions a queues consumers belong to 504691 - alternate-exchange proprty of exchange and queue are not persisted 505287 - Messages with no content that 'flow to disk' result in protocol errors on delivery 505314 - qpid-tool crashes down after input wrong command list query 505923 - dedicated scheduler may be inappropriately reusing claims 506420 - qpid-config -h does not explain exchange type 506553 - sesame - memory bloat over time 506556 - c++ client may not timeout accurately where multiple connections exist in the process 506698 - Handle backward/forward compatibility for QMF 507363 - clustered qpidd fails to start - gather loop causes openais_dispatch_recv() to block 507413 - Broker with single IO thread gets stuck looping if it runs out of file handles 507421 - Cluster flow control does not appear to be working properly. 
507538 - method exchange_declare is missing in ruby qpid session class 507586 - qpid-config ends with failure 508137 - C++ QMF agent not connecting to broker under valgrind 508144 - A broker stopped and restarted does not remember 'redelivered' status correctly 508675 - Unresponsive qpidd process hangs the cluster 508959 - Attempt to propagate binding info over dynamic link can crash broker if link is concurrently destroyed 509395 - The JMS Client does not default to the correct priority as specified in the spec 509437 - Failure in failover_soak 509449 - JMS client releases messages in an unpredictable order on recover 509454 - [RFE] Add validation for the '--cluster-url' qpidd option 509800 - If journal capacity is exceeded as a result of cluster-durable mode being invoked, last man standing exits 509892 - byte credit calculation inconsistent for messages transfered to new joiner 510241 - clustered qpidd crash in qpid::sys::Poller::run() 510475 - clustered qpidd startup - abort because of unhandled exception 510583 - Unhandled exception when running qpid-cluster against a standalone broker. 
510747 - Out of Bounds exception when sending large QMF response 511066 - Replication exchange type should record the usual management stats 511292 - Unexpected connection shows up for qpid-stat -c 513426 - string to double conversion results in questionable precision 513641 - qpid-config gives error "Failed: ()" when creating persistent queue 514054 - [store] Journal can fill under some conditions, and recover from full condition not possible 514751 - QMF agent logging to file, no stdout 515513 - Make cluster update work out of the box without special authentication options 517836 - exclusive parameter ignored in JMS url binding, if durable attribute is present 518291 - Python management tools must handle SystemExit exception properly 518394 - Creating durable and cluster-durable queue which has bad --file-count and/or --file-size parameter causes an exception only for first time 518872 - [FEATURE] exchange flag auto-delete is not recognizable 519183 - Matchmaker code doesn't implement fair share correctly 519476 - Invalid accept data sent by Java client after failover. 519505 - Broker strips domain from userID, causes mismatch on GSSAPI id checking 520600 - Intermittent leak in client library, connector thread not joined. 522267 - Windows: Qpid C++ pid_t and ssize_t 3rd-party compat 526299 - the clustered broker seems to sometimes not send a close-ok before shutting down the socket 526680 - Exchanges named "amq." are declarable, but amqp spec 527233 - shadow process bloat 529670 - qpid-config - inappropriate error message if trying to authenticate with non-existing user 530594 - restart of libvirtd causes condor_vm-gahp to hang. 
531561 - alternate exchange not visible on a queue via QMF 531833 - FailoverExchangeMethod getNextBrokerDetails() loops infinitely after a total cluster failure or if the inital connect node is down 531837 - Java client should set the process ID in the client properties during Connection open 531842 - When kerberos auth is used, Java client should use the kerberos user_id & domain when setting the user_id in messages 533045 - Feature Request: support for SASL EXTERNAL with TLS/SSL 533173 - --max-connectoins has no effect 534008 - Need mechanism to specify the queue size of a queue that is setup via the Java API. 537232 - PU: need OpenMPI wrapper script 537481 - qpid-stat needs option to link sesion to queue via subscription object 538188 - connection.start() hangs if connection is not accepted 540545 - WANT_SUSPEND evaluating to UNDEFIEND causes condor_startd exception 541927 - Persistent cluster problems after reboot -f 543021 - Unable to restart collector with condor_restart on remote node 543524 - Cluster with --cluster-size should not hold up init scripts. 
543560 - VM Universe libvirt script issues 544092 - message store should not delete backups when qpidd starts 544306 - clustered broker does not retry CPG calls that return TRY_AGAIN 545436 - Cluster node shutsdown with inconsistent error 546736 - Schedd performs unnecessary file operations on SPOOL, targeting mpp.X.Y files 546770 - condor_schedd performance, job removal fsync for each job 547295 - qpid-stat -b threading exception during shutdown 'exceptions.TypeError: 'NoneType' object is not callable' 547397 - Compile with -O2 547769 - clustered qpidd: qpid-cluster/qpid-stat -b reports different widths on different nodes while replication is working well on all nodes 548090 - RESERVED_SWAP doesn't default to 0 as stated in docs 548137 - TIMEOUT_MULTIPLIER only available in _ form 548493 - SASL support missing for Python messaging API 549389 - condor_master -pidfile will stomp pidfile of running master 549432 - Parallel Universe jobs require job spool directory 549443 - qpid-config cannot create bindings for the XML or Headers exchange types 549956 - Clustered broker crashes with inconsistency error 552330 - qpid-config from trunk causes exception in broker 552407 - classad debug() function doesn't work with IfThenElse 554980 - [qpidd+store] broker rarely aborts when stressed by perftest 555716 - [qpidd+store] broker rarely segfaults when stressed by perftest 556351 - clustered qpidd - durable exchanges do not survive cluster restart. 557159 - Queue-Purge does not send messages to alternate-exchange 557896 - The ttl of messages is not adjusted when forwarding on to other brokers in a federation. 558526 - clustered qpidd shutdowns during start-up with 'Authentication failed: SASL(-1): generic failure: Unable to find a callback: 32775' 558864 - JMS_QPID_DESTTYPE is not set making getJMSDestination unusable. 
558968 - initscript lsb compliance
559014 - clustered qpid: durable exchange state not replicated to broker joining cluster
559071 - VM_MEMORY handled inconsistently between Startd and VMGahp
559625 - Segfault if FailoverManager is closed before being opened.
560005 - Broker options "--auth" and "--require-encryption" can fail when used with SSL/TLS
561955 - PREPARE hook invoked as condor, not as user. cannot access $PWD.
561958 - PREPARE hook invocation failure does not abort job execution
565618 - condor_submit fsync()s UserLog for each job
566825 - Grid with no slots throws exception in MRG Management Console
568502 - Collector should advertise itself immediately
568661 - JMS client does not verify that the hostname connected to matches that specified in the servers certificate
568718 - Is acl reload safe to use?
568838 - Dynamic federation duplicates messages
568863 - Dynamic federation tears links down incorrectly
570756 - DtxSetTimeout sent after XID has already been committed
572574 - Error reported from execute node incomplete for IWD access failure
572668 - Potential shadow/schedd protocol error
575147 - condor_master can't start additional schedd's without a restart
575150 - Need to be able to configure maximum cluster id
575177 - Messages set with a TTL expire immediately when sent on qpid queues with LVQ ordering
575748 - broker exits with "critical Broker start-up failed: St9bad_alloc" when ran with --worker-threads 0|-1
575777 - scheduler universe jobs can start during schedd shutdown
575784 - improper RELEASE_CLAIM after REQUEST_CLAIM rejection
576693 - qpid-cluster -d does not close the client connection
578216 - condor_schedd reuses claims to partitioned slots inappropriately
578600 - Dyanamic Slot INVALIDATE_STARTD_ADS causes collector pegging
579681 - Topic exchange duplicates messages
582366 - When reloading a large acl file , the broker core dumps
583131 - Fix Java Client logging
583526 - Management methods disallowed in Clusters must be re-enabled
584089 - ACL module core dumps if management is disabled
591292 - MRG-M Heartbeat causes core
592861 - Recovered messages larger than 65523 bytes result in framing violation
597362 - Sporadic failure of check-long in cluster_tests.py test_failover
601828 - QMF Agent returning STATUS_USER returns error 7 to QMF Console
603201 - condor-7.4.3-0.17.el5 postuninstall uses invalid init script option
603839 - Concurrent tagging of message with trace id while message is delivered from another queue causes segfault
605311 - condor_schedd double free on SOAP transaction timeout
606824 - Acquired but Not Accepted Messages Not Sent to Alterntate Exchange
614993 - Using Memory or RequestMemory in job requirements drops both default RequestMemory and Memory requirements
615313 - condor_chirp fails when querying the value of a non-existing attribute
615492 - starter hooks, HOOK_UPDATE_JOB_INFO and HOOK_JOB_EXIT not run as job owner
615504 - condor_chirp relies on getenv("_CONDOR_SCRATCH_DIR")
615510 - Job hooks environment does not contain _CONDOR_SCRATCH_DIR and the like
615633 - condor_chirp get_job_attr can return garbage
617709 - fix hfs accountant stats
619552 - negotiator hfs incorrect remaining and infinite loop
621902 - Permissions not set correctly on key pair file
623684 - condor_userlog core dumps when unable to open log file r/o
625205 - shadows create a spool directory per job
628034 - negotiator core on quota_dynamic =0
628086 - GROUP_DYNAMIC_MACH_CONSTRAINT unused with HFS
642373 - CVE-2009-5005 qpid: crash on receipt of invalid AMQP data
642377 - CVE-2009-5006 qpid: crash when redeclaring the exchange with specified alternate_exchange

6. Package List:

MRG Grid for RHEL 5 Server:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/PyYAML-3.08-5.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/classads-1.0.8-1.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/condor-7.4.4-0.16.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/condor-ec2-enhanced-1.1-1.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/condor-ec2-enhanced-hooks-1.1-1.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/condor-job-hooks-1.4-5.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/condor-low-latency-1.1-0.2.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/condor-wallaby-3.6-6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/condor-wallaby-base-db-1.4-5.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/libyaml-0.1.2-4.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/mrg-grid-docs-1.3-1.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/mrg-release-1.3-2.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/ruby-rhubarb-0.2.7-1.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/ruby-spqr-0.3.2-1.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/ruby-sqlite3-1.2.4-1.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/wallaby-0.9.18-2.el5.src.rpm

i386:
PyYAML-3.08-5.el5.i386.rpm
PyYAML-debuginfo-3.08-5.el5.i386.rpm
classads-1.0.8-1.el5.i386.rpm
classads-debuginfo-1.0.8-1.el5.i386.rpm
classads-devel-1.0.8-1.el5.i386.rpm
classads-static-1.0.8-1.el5.i386.rpm
condor-7.4.4-0.16.el5.i386.rpm
condor-debuginfo-7.4.4-0.16.el5.i386.rpm
condor-kbdd-7.4.4-0.16.el5.i386.rpm
condor-qmf-7.4.4-0.16.el5.i386.rpm
condor-vm-gahp-7.4.4-0.16.el5.i386.rpm
libyaml-0.1.2-4.el5.i386.rpm
libyaml-debuginfo-0.1.2-4.el5.i386.rpm
libyaml-devel-0.1.2-4.el5.i386.rpm
ruby-sqlite3-1.2.4-1.el5.i386.rpm
ruby-sqlite3-debuginfo-1.2.4-1.el5.i386.rpm

noarch:
condor-ec2-enhanced-1.1-1.el5.noarch.rpm
condor-ec2-enhanced-hooks-1.1-1.el5.noarch.rpm
condor-job-hooks-1.4-5.el5.noarch.rpm
condor-low-latency-1.1-0.2.el5.noarch.rpm
condor-wallaby-base-db-1.4-5.el5.noarch.rpm
condor-wallaby-client-3.6-6.el5.noarch.rpm
condor-wallaby-tools-3.6-6.el5.noarch.rpm
mrg-grid-docs-1.3-1.el5.noarch.rpm
mrg-release-1.3-2.el5.noarch.rpm
python-condorec2e-1.1-1.el5.noarch.rpm
python-condorutils-1.4-5.el5.noarch.rpm
python-wallabyclient-3.6-6.el5.noarch.rpm
ruby-rhubarb-0.2.7-1.el5.noarch.rpm
ruby-spqr-0.3.2-1.el5.noarch.rpm
ruby-wallaby-0.9.18-2.el5.noarch.rpm
spqr-gen-0.3.2-1.el5.noarch.rpm
wallaby-0.9.18-2.el5.noarch.rpm
wallaby-utils-0.9.18-2.el5.noarch.rpm

x86_64:
PyYAML-3.08-5.el5.x86_64.rpm
PyYAML-debuginfo-3.08-5.el5.x86_64.rpm
classads-1.0.8-1.el5.x86_64.rpm
classads-debuginfo-1.0.8-1.el5.x86_64.rpm
classads-devel-1.0.8-1.el5.x86_64.rpm
classads-static-1.0.8-1.el5.x86_64.rpm
condor-7.4.4-0.16.el5.x86_64.rpm
condor-debuginfo-7.4.4-0.16.el5.x86_64.rpm
condor-kbdd-7.4.4-0.16.el5.x86_64.rpm
condor-qmf-7.4.4-0.16.el5.x86_64.rpm
condor-vm-gahp-7.4.4-0.16.el5.x86_64.rpm
libyaml-0.1.2-4.el5.x86_64.rpm
libyaml-debuginfo-0.1.2-4.el5.x86_64.rpm
libyaml-devel-0.1.2-4.el5.x86_64.rpm
ruby-sqlite3-1.2.4-1.el5.x86_64.rpm
ruby-sqlite3-debuginfo-1.2.4-1.el5.x86_64.rpm

MRG Grid Execute Node for RHEL 5 Server:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/PyYAML-3.08-5.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/classads-1.0.8-1.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/condor-7.4.4-0.16.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/condor-ec2-enhanced-1.1-1.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/condor-ec2-enhanced-hooks-1.1-1.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/condor-job-hooks-1.4-5.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/condor-low-latency-1.1-0.2.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/condor-wallaby-3.6-6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/condor-wallaby-base-db-1.4-5.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/libyaml-0.1.2-4.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/mrg-grid-docs-1.3-1.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/mrg-release-1.3-2.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/ruby-rhubarb-0.2.7-1.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/ruby-spqr-0.3.2-1.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/ruby-sqlite3-1.2.4-1.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/wallaby-0.9.18-2.el5.src.rpm

i386:
PyYAML-3.08-5.el5.i386.rpm
PyYAML-debuginfo-3.08-5.el5.i386.rpm
classads-1.0.8-1.el5.i386.rpm
classads-debuginfo-1.0.8-1.el5.i386.rpm
classads-devel-1.0.8-1.el5.i386.rpm
classads-static-1.0.8-1.el5.i386.rpm
condor-7.4.4-0.16.el5.i386.rpm
condor-debuginfo-7.4.4-0.16.el5.i386.rpm
condor-kbdd-7.4.4-0.16.el5.i386.rpm
condor-qmf-7.4.4-0.16.el5.i386.rpm
condor-vm-gahp-7.4.4-0.16.el5.i386.rpm
libyaml-0.1.2-4.el5.i386.rpm
libyaml-debuginfo-0.1.2-4.el5.i386.rpm
libyaml-devel-0.1.2-4.el5.i386.rpm
ruby-sqlite3-1.2.4-1.el5.i386.rpm
ruby-sqlite3-debuginfo-1.2.4-1.el5.i386.rpm

noarch:
condor-ec2-enhanced-1.1-1.el5.noarch.rpm
condor-ec2-enhanced-hooks-1.1-1.el5.noarch.rpm
condor-job-hooks-1.4-5.el5.noarch.rpm
condor-low-latency-1.1-0.2.el5.noarch.rpm
condor-wallaby-base-db-1.4-5.el5.noarch.rpm
condor-wallaby-client-3.6-6.el5.noarch.rpm
condor-wallaby-tools-3.6-6.el5.noarch.rpm
mrg-grid-docs-1.3-1.el5.noarch.rpm
mrg-release-1.3-2.el5.noarch.rpm
python-condorec2e-1.1-1.el5.noarch.rpm
python-condorutils-1.4-5.el5.noarch.rpm
python-wallabyclient-3.6-6.el5.noarch.rpm
ruby-rhubarb-0.2.7-1.el5.noarch.rpm
ruby-spqr-0.3.2-1.el5.noarch.rpm
ruby-wallaby-0.9.18-2.el5.noarch.rpm
spqr-gen-0.3.2-1.el5.noarch.rpm
wallaby-0.9.18-2.el5.noarch.rpm
wallaby-utils-0.9.18-2.el5.noarch.rpm

x86_64:
PyYAML-3.08-5.el5.x86_64.rpm
PyYAML-debuginfo-3.08-5.el5.x86_64.rpm
classads-1.0.8-1.el5.x86_64.rpm
classads-debuginfo-1.0.8-1.el5.x86_64.rpm
classads-devel-1.0.8-1.el5.x86_64.rpm
classads-static-1.0.8-1.el5.x86_64.rpm
condor-7.4.4-0.16.el5.x86_64.rpm
condor-debuginfo-7.4.4-0.16.el5.x86_64.rpm
condor-kbdd-7.4.4-0.16.el5.x86_64.rpm
condor-qmf-7.4.4-0.16.el5.x86_64.rpm
condor-vm-gahp-7.4.4-0.16.el5.x86_64.rpm
libyaml-0.1.2-4.el5.x86_64.rpm
libyaml-debuginfo-0.1.2-4.el5.x86_64.rpm
libyaml-devel-0.1.2-4.el5.x86_64.rpm
ruby-sqlite3-1.2.4-1.el5.x86_64.rpm
ruby-sqlite3-debuginfo-1.2.4-1.el5.x86_64.rpm

MRG Management for RHEL 5 Server:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/cumin-0.1.4369-1.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/mrg-release-1.3-2.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/python-psycopg2-2.0.14-2.el5.src.rpm

i386:
python-psycopg2-2.0.14-2.el5.i386.rpm
python-psycopg2-debuginfo-2.0.14-2.el5.i386.rpm
python-psycopg2-doc-2.0.14-2.el5.i386.rpm

noarch:
cumin-0.1.4369-1.el5.noarch.rpm
mrg-release-1.3-2.el5.noarch.rpm

x86_64:
python-psycopg2-2.0.14-2.el5.x86_64.rpm
python-psycopg2-debuginfo-2.0.14-2.el5.x86_64.rpm
python-psycopg2-doc-2.0.14-2.el5.x86_64.rpm

Red Hat MRG Messaging for RHEL 5 Server:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/mrg-release-1.3-2.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/python-qmf-0.7.946106-13.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/python-qpid-0.7.946106-14.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/qpid-cpp-mrg-0.7.946106-17.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/qpid-java-0.7.946106-11.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/qpid-tests-0.7.946106-1.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/qpid-tools-0.7.946106-11.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/rhm-docs-0.7.946106-8.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/ruby-qpid-0.7.946106-2.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/saslwrapper-0.1.934605-2.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/sesame-0.7.4297-2.el5.src.rpm

i386:
python-saslwrapper-0.1.934605-2.el5.i386.rpm
qmf-0.7.946106-17.el5.i386.rpm
qmf-devel-0.7.946106-17.el5.i386.rpm
qpid-cpp-client-0.7.946106-17.el5.i386.rpm
qpid-cpp-client-devel-0.7.946106-17.el5.i386.rpm
qpid-cpp-client-devel-docs-0.7.946106-17.el5.i386.rpm
qpid-cpp-client-rdma-0.7.946106-17.el5.i386.rpm
qpid-cpp-client-ssl-0.7.946106-17.el5.i386.rpm
qpid-cpp-mrg-debuginfo-0.7.946106-17.el5.i386.rpm
qpid-cpp-server-0.7.946106-17.el5.i386.rpm
qpid-cpp-server-cluster-0.7.946106-17.el5.i386.rpm
qpid-cpp-server-devel-0.7.946106-17.el5.i386.rpm
qpid-cpp-server-rdma-0.7.946106-17.el5.i386.rpm
qpid-cpp-server-ssl-0.7.946106-17.el5.i386.rpm
qpid-cpp-server-store-0.7.946106-17.el5.i386.rpm
qpid-cpp-server-xml-0.7.946106-17.el5.i386.rpm
rh-qpid-cpp-tests-0.7.946106-17.el5.i386.rpm
ruby-qmf-0.7.946106-17.el5.i386.rpm
ruby-qpid-0.7.946106-2.el5.i386.rpm
ruby-saslwrapper-0.1.934605-2.el5.i386.rpm
saslwrapper-0.1.934605-2.el5.i386.rpm
saslwrapper-debuginfo-0.1.934605-2.el5.i386.rpm
saslwrapper-devel-0.1.934605-2.el5.i386.rpm
sesame-0.7.4297-2.el5.i386.rpm
sesame-debuginfo-0.7.4297-2.el5.i386.rpm

noarch:
mrg-release-1.3-2.el5.noarch.rpm
python-qmf-0.7.946106-13.el5.noarch.rpm
python-qpid-0.7.946106-14.el5.noarch.rpm
qpid-java-client-0.7.946106-11.el5.noarch.rpm
qpid-java-common-0.7.946106-11.el5.noarch.rpm
qpid-java-example-0.7.946106-11.el5.noarch.rpm
qpid-tests-0.7.946106-1.el5.noarch.rpm
qpid-tools-0.7.946106-11.el5.noarch.rpm
rhm-docs-0.7.946106-8.el5.noarch.rpm

x86_64:
python-saslwrapper-0.1.934605-2.el5.x86_64.rpm
qmf-0.7.946106-17.el5.x86_64.rpm
qmf-devel-0.7.946106-17.el5.x86_64.rpm
qpid-cpp-client-0.7.946106-17.el5.x86_64.rpm
qpid-cpp-client-devel-0.7.946106-17.el5.x86_64.rpm
qpid-cpp-client-devel-docs-0.7.946106-17.el5.x86_64.rpm
qpid-cpp-client-rdma-0.7.946106-17.el5.x86_64.rpm
qpid-cpp-client-ssl-0.7.946106-17.el5.x86_64.rpm
qpid-cpp-mrg-debuginfo-0.7.946106-17.el5.x86_64.rpm
qpid-cpp-server-0.7.946106-17.el5.x86_64.rpm
qpid-cpp-server-cluster-0.7.946106-17.el5.x86_64.rpm
qpid-cpp-server-devel-0.7.946106-17.el5.x86_64.rpm
qpid-cpp-server-rdma-0.7.946106-17.el5.x86_64.rpm
qpid-cpp-server-ssl-0.7.946106-17.el5.x86_64.rpm
qpid-cpp-server-store-0.7.946106-17.el5.x86_64.rpm
qpid-cpp-server-xml-0.7.946106-17.el5.x86_64.rpm
rh-qpid-cpp-tests-0.7.946106-17.el5.x86_64.rpm
ruby-qmf-0.7.946106-17.el5.x86_64.rpm
ruby-qpid-0.7.946106-2.el5.x86_64.rpm
ruby-saslwrapper-0.1.934605-2.el5.x86_64.rpm
saslwrapper-0.1.934605-2.el5.x86_64.rpm
saslwrapper-debuginfo-0.1.934605-2.el5.x86_64.rpm
saslwrapper-devel-0.1.934605-2.el5.x86_64.rpm
sesame-0.7.4297-2.el5.x86_64.rpm
sesame-debuginfo-0.7.4297-2.el5.x86_64.rpm

Red Hat MRG Messaging Base for RHEL 5 Server:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/mrg-release-1.3-2.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/python-qmf-0.7.946106-13.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/python-qpid-0.7.946106-14.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/qpid-cpp-mrg-0.7.946106-17.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/qpid-java-0.7.946106-11.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/qpid-tests-0.7.946106-1.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/qpid-tools-0.7.946106-11.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/ruby-qpid-0.7.946106-2.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/saslwrapper-0.1.934605-2.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/sesame-0.7.4297-2.el5.src.rpm

i386:
python-saslwrapper-0.1.934605-2.el5.i386.rpm
qmf-0.7.946106-17.el5.i386.rpm
qmf-devel-0.7.946106-17.el5.i386.rpm
qpid-cpp-client-0.7.946106-17.el5.i386.rpm
qpid-cpp-client-devel-0.7.946106-17.el5.i386.rpm
qpid-cpp-client-devel-docs-0.7.946106-17.el5.i386.rpm
qpid-cpp-client-ssl-0.7.946106-17.el5.i386.rpm
qpid-cpp-mrg-debuginfo-0.7.946106-17.el5.i386.rpm
qpid-cpp-server-0.7.946106-17.el5.i386.rpm
qpid-cpp-server-devel-0.7.946106-17.el5.i386.rpm
qpid-cpp-server-ssl-0.7.946106-17.el5.i386.rpm
ruby-qmf-0.7.946106-17.el5.i386.rpm
ruby-qpid-0.7.946106-2.el5.i386.rpm
ruby-saslwrapper-0.1.934605-2.el5.i386.rpm
saslwrapper-0.1.934605-2.el5.i386.rpm
saslwrapper-debuginfo-0.1.934605-2.el5.i386.rpm
saslwrapper-devel-0.1.934605-2.el5.i386.rpm
sesame-0.7.4297-2.el5.i386.rpm
sesame-debuginfo-0.7.4297-2.el5.i386.rpm

noarch:
mrg-release-1.3-2.el5.noarch.rpm
python-qmf-0.7.946106-13.el5.noarch.rpm
python-qpid-0.7.946106-14.el5.noarch.rpm
qpid-java-client-0.7.946106-11.el5.noarch.rpm
qpid-java-common-0.7.946106-11.el5.noarch.rpm
qpid-java-example-0.7.946106-11.el5.noarch.rpm
qpid-tests-0.7.946106-1.el5.noarch.rpm
qpid-tools-0.7.946106-11.el5.noarch.rpm

x86_64:
python-saslwrapper-0.1.934605-2.el5.x86_64.rpm
qmf-0.7.946106-17.el5.x86_64.rpm
qmf-devel-0.7.946106-17.el5.x86_64.rpm
qpid-cpp-client-0.7.946106-17.el5.x86_64.rpm
qpid-cpp-client-devel-0.7.946106-17.el5.x86_64.rpm
qpid-cpp-client-devel-docs-0.7.946106-17.el5.x86_64.rpm
qpid-cpp-client-ssl-0.7.946106-17.el5.x86_64.rpm
qpid-cpp-mrg-debuginfo-0.7.946106-17.el5.x86_64.rpm
qpid-cpp-server-0.7.946106-17.el5.x86_64.rpm
qpid-cpp-server-devel-0.7.946106-17.el5.x86_64.rpm
qpid-cpp-server-ssl-0.7.946106-17.el5.x86_64.rpm
ruby-qmf-0.7.946106-17.el5.x86_64.rpm
ruby-qpid-0.7.946106-2.el5.x86_64.rpm
ruby-saslwrapper-0.1.934605-2.el5.x86_64.rpm
saslwrapper-0.1.934605-2.el5.x86_64.rpm
saslwrapper-debuginfo-0.1.934605-2.el5.x86_64.rpm
saslwrapper-devel-0.1.934605-2.el5.x86_64.rpm
sesame-0.7.4297-2.el5.x86_64.rpm
sesame-debuginfo-0.7.4297-2.el5.x86_64.rpm

MRG Realtime for RHEL 5 Server:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/mrg-release-1.3-2.el5.src.rpm

noarch:
mrg-release-1.3-2.el5.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2009-5005.html
https://www.redhat.com/security/data/cve/CVE-2009-5006.html
http://www.redhat.com/security/updates/classification/#moderate
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_MRG/1/html/Technical_Notes/index.html

8. Contact:

The Red Hat security contact is . More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2010 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFMty7jXlSAg2UNWIIRApsMAJ9/zq22IsM/uNW/jxonZk3V8PM8ygCePXg6
nsAMtqpvtX9mg/p0HLkIUmY=
=VVsb
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Thu Oct 14 16:31:03 2010
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 14 Oct 2010 12:31:03 -0400
Subject: [RHSA-2010:0774-01] Moderate: Red Hat Enterprise MRG Messaging and Grid Version 1.3
Message-ID: <201010141630.o9EGU8cA003431@int-mx01.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat Enterprise MRG Messaging and Grid Version 1.3
Advisory ID:       RHSA-2010:0774-01
Product:           Red Hat Enterprise MRG for RHEL-4
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2010-0774.html
Issue date:        2010-10-14
CVE Names:         CVE-2009-5005 CVE-2009-5006
=====================================================================

1. Summary:

Updated packages that fix two security issues, several bugs, and add
multiple enhancements are now available as part of the ongoing support and
maintenance of Red Hat Enterprise MRG Messaging and Grid for Red Hat
Enterprise Linux 4.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat MRG Grid Execute Node for RHEL-4 AS - i386, noarch, x86_64
Red Hat MRG Grid Execute Node for RHEL-4 ES - i386, noarch, x86_64
Red Hat MRG Grid for RHEL-4 AS - i386, noarch, x86_64
Red Hat MRG Grid for RHEL-4 ES - i386, noarch, x86_64
Red Hat MRG Messaging Base for RHEL-4 AS - i386, noarch, x86_64
Red Hat MRG Messaging Base for RHEL-4 ES - i386, noarch, x86_64
Red Hat MRG Messaging for RHEL-4 AS - i386, noarch, x86_64
Red Hat MRG Messaging for RHEL-4 ES - i386, noarch, x86_64

3. Description:

Red Hat Enterprise MRG (Messaging, Realtime, and Grid) is a realtime IT
infrastructure for enterprise computing. MRG Messaging uses Apache Qpid to
implement the Advanced Message Queuing Protocol (AMQP) standard, adding
persistence options, kernel optimizations, and operating system services.

This update moves Red Hat Enterprise MRG to version 1.3.

A flaw was found in the way Apache Qpid handled the receipt of invalid AMQP
data. A remote user could send invalid AMQP data to the server, causing it
to crash, resulting in the cluster shutting down. (CVE-2009-5005)

A flaw was found in the way Apache Qpid handled a request to redeclare an
existing exchange while adding a new alternate exchange. If a remote,
authenticated user issued such a request, the server would crash, resulting
in the cluster shutting down. (CVE-2009-5006)

This update also adds the following enhancements:

* This update introduces a protocol-independent C++ API. The extra layer of
indirection will make it easy to support new versions of the AMQP protocol,
as well as multiple versions simultaneously. (BZ#497747)

* The management component is now capable of working in a cluster.
(BZ#501015)

* The Messaging Client Python API is now protocol-independent. (BZ#497748)

* This update allows a JMS client to subscribe to the failover exchange to
retrieve cluster membership information and subsequently to receive
updates. (BZ#483753)

* With this update, the qpidd service can be run without additional
authentication options. (BZ#515513)

* This update adds an OpenMPI wrapper script to Condor. It adds support for
OpenMPI jobs. (BZ#537232)

* The Messaging Client Python API now provides a failover mechanism for
clustered brokers. (BZ#495718)

* The Python Messaging API now includes support for Simple Authentication
and Security Layer (SASL), which allows authentication support to be added
to connection-based protocols. (BZ#548493)

* The qpid-tool is now able to determine which session a queue consumer
belongs to. (BZ#504325)

* This update handles backward/forward compatibility for QMF and its
components. (BZ#506698)

* Both Secure Sockets Layer (SSL) and Remote Direct Memory Access (RDMA)
entries can now appear in the list of known URLs. (BZ#471632)

* This update allows for the scheduler daemon to run without swap.
(BZ#548090)

* This update introduces a mechanism that specifies the queue size of a
queue that is setup via the Java API. (BZ#534008)

* Previously, a collector could not be remotely restarted. With this
update, the restart is possible and works as expected. (BZ#543021)

* The usage information for the qpid-config utility (that is, the output of
the "qpid-config -h" command) has been updated to include a brief
explanation of the exchange type. (BZ#506420)

These updated packages include many other bug fixes and enhancements. Users
are directed to the Red Hat Enterprise MRG 1.3 Technical Notes for
information on these changes:

http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_MRG/1/html/Technical_Notes/index.html

All Red Hat Enterprise MRG users are advised to upgrade to these updated
packages, which resolve these issues and add these enhancements, as well as
resolving the issues and adding the enhancements noted in the Red Hat
Enterprise MRG 1.3 Technical Notes.
After installing the updated packages, the qpidd service must be restarted
("service qpidd restart") for this update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

637944 - MRG 1.3 Released for RHEL4
642373 - CVE-2009-5005 qpid: crash on receipt of invalid AMQP data
642377 - CVE-2009-5006 qpid: crash when redeclaring the exchange with specified alternate_exchange

6. Package List:

Red Hat MRG Grid for RHEL-4 AS:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/RHEMRG/SRPMS/classads-1.0.8-1.el4.src.rpm
ftp://updates.redhat.com/enterprise/4AS/en/RHEMRG/SRPMS/condor-low-latency-1.1-0.2.el4.src.rpm
ftp://updates.redhat.com/enterprise/4AS/en/RHEMRG/SRPMS/mrg-grid-docs-1.3-1.el4.src.rpm
ftp://updates.redhat.com/enterprise/4AS/en/RHEMRG/SRPMS/mrg-release-1.3-2.el4.src.rpm

i386:
classads-1.0.8-1.el4.i386.rpm
classads-debuginfo-1.0.8-1.el4.i386.rpm
classads-devel-1.0.8-1.el4.i386.rpm
classads-static-1.0.8-1.el4.i386.rpm

noarch:
condor-low-latency-1.1-0.2.el4.noarch.rpm
mrg-grid-docs-1.3-1.el4.noarch.rpm
mrg-release-1.3-2.el4.noarch.rpm

x86_64:
classads-1.0.8-1.el4.x86_64.rpm
classads-debuginfo-1.0.8-1.el4.x86_64.rpm
classads-devel-1.0.8-1.el4.x86_64.rpm
classads-static-1.0.8-1.el4.x86_64.rpm

Red Hat MRG Grid Execute Node for RHEL-4 AS:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/RHEMRG/SRPMS/condor-7.4.4-0.16.el4.src.rpm
ftp://updates.redhat.com/enterprise/4AS/en/RHEMRG/SRPMS/condor-job-hooks-1.4-5.el4.src.rpm
ftp://updates.redhat.com/enterprise/4AS/en/RHEMRG/SRPMS/condor-low-latency-1.1-0.2.el4.src.rpm
ftp://updates.redhat.com/enterprise/4AS/en/RHEMRG/SRPMS/condor-wallaby-3.6-6.el4.src.rpm
ftp://updates.redhat.com/enterprise/4AS/en/RHEMRG/SRPMS/mrg-grid-docs-1.3-1.el4.src.rpm
ftp://updates.redhat.com/enterprise/4AS/en/RHEMRG/SRPMS/mrg-release-1.3-2.el4.src.rpm

i386:
condor-7.4.4-0.16.el4.i386.rpm
condor-debuginfo-7.4.4-0.16.el4.i386.rpm
condor-kbdd-7.4.4-0.16.el4.i386.rpm
condor-qmf-7.4.4-0.16.el4.i386.rpm

noarch:
condor-job-hooks-1.4-5.el4.noarch.rpm
condor-low-latency-1.1-0.2.el4.noarch.rpm
condor-wallaby-client-3.6-6.el4.noarch.rpm
mrg-grid-docs-1.3-1.el4.noarch.rpm
mrg-release-1.3-2.el4.noarch.rpm
python-condorutils-1.4-5.el4.noarch.rpm

x86_64:
condor-7.4.4-0.16.el4.x86_64.rpm
condor-debuginfo-7.4.4-0.16.el4.x86_64.rpm
condor-kbdd-7.4.4-0.16.el4.x86_64.rpm
condor-qmf-7.4.4-0.16.el4.x86_64.rpm

Red Hat MRG Messaging for RHEL-4 AS:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/RHEMRG/SRPMS/mrg-release-1.3-2.el4.src.rpm
ftp://updates.redhat.com/enterprise/4AS/en/RHEMRG/SRPMS/python-qmf-0.7.946106-13.el4.src.rpm
ftp://updates.redhat.com/enterprise/4AS/en/RHEMRG/SRPMS/python-qpid-0.7.946106-14.el4.src.rpm
ftp://updates.redhat.com/enterprise/4AS/en/RHEMRG/SRPMS/qpid-java-0.7.946106-11.el4.src.rpm
ftp://updates.redhat.com/enterprise/4AS/en/RHEMRG/SRPMS/qpid-tests-0.7.946106-1.el4.src.rpm
ftp://updates.redhat.com/enterprise/4AS/en/RHEMRG/SRPMS/qpid-tools-0.7.946106-11.el4.src.rpm
ftp://updates.redhat.com/enterprise/4AS/en/RHEMRG/SRPMS/rhm-docs-0.7.946106-8.el4.src.rpm
ftp://updates.redhat.com/enterprise/4AS/en/RHEMRG/SRPMS/sesame-0.7.4297-3.el4.src.rpm

i386:
sesame-0.7.4297-3.el4.i386.rpm
sesame-debuginfo-0.7.4297-3.el4.i386.rpm

noarch:
mrg-release-1.3-2.el4.noarch.rpm
python-qmf-0.7.946106-13.el4.noarch.rpm
python-qpid-0.7.946106-14.el4.noarch.rpm
qpid-java-client-0.7.946106-11.el4.noarch.rpm
qpid-java-common-0.7.946106-11.el4.noarch.rpm
qpid-java-example-0.7.946106-11.el4.noarch.rpm
qpid-tests-0.7.946106-1.el4.noarch.rpm
qpid-tools-0.7.946106-11.el4.noarch.rpm
rhm-docs-0.7.946106-8.el4.noarch.rpm

x86_64:
sesame-0.7.4297-3.el4.x86_64.rpm
sesame-debuginfo-0.7.4297-3.el4.x86_64.rpm

Red Hat MRG Messaging Base for RHEL-4 AS:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/RHEMRG/SRPMS/mrg-release-1.3-2.el4.src.rpm
ftp://updates.redhat.com/enterprise/4AS/en/RHEMRG/SRPMS/python-qmf-0.7.946106-13.el4.src.rpm
ftp://updates.redhat.com/enterprise/4AS/en/RHEMRG/SRPMS/python-qpid-0.7.946106-14.el4.src.rpm
ftp://updates.redhat.com/enterprise/4AS/en/RHEMRG/SRPMS/qpid-cpp-mrg-0.7.946106-17.el4.src.rpm
ftp://updates.redhat.com/enterprise/4AS/en/RHEMRG/SRPMS/qpid-java-0.7.946106-11.el4.src.rpm
ftp://updates.redhat.com/enterprise/4AS/en/RHEMRG/SRPMS/qpid-tests-0.7.946106-1.el4.src.rpm
ftp://updates.redhat.com/enterprise/4AS/en/RHEMRG/SRPMS/qpid-tools-0.7.946106-11.el4.src.rpm
ftp://updates.redhat.com/enterprise/4AS/en/RHEMRG/SRPMS/sesame-0.7.4297-3.el4.src.rpm

i386:
qmf-0.7.946106-17.el4.i386.rpm
qmf-devel-0.7.946106-17.el4.i386.rpm
qpid-cpp-client-0.7.946106-17.el4.i386.rpm
qpid-cpp-client-devel-0.7.946106-17.el4.i386.rpm
qpid-cpp-client-devel-docs-0.7.946106-17.el4.i386.rpm
qpid-cpp-client-ssl-0.7.946106-17.el4.i386.rpm
qpid-cpp-mrg-debuginfo-0.7.946106-17.el4.i386.rpm
qpid-cpp-server-0.7.946106-17.el4.i386.rpm
qpid-cpp-server-devel-0.7.946106-17.el4.i386.rpm
qpid-cpp-server-ssl-0.7.946106-17.el4.i386.rpm
qpid-cpp-server-store-0.7.946106-17.el4.i386.rpm
qpid-cpp-server-xml-0.7.946106-17.el4.i386.rpm
sesame-0.7.4297-3.el4.i386.rpm
sesame-debuginfo-0.7.4297-3.el4.i386.rpm

noarch:
mrg-release-1.3-2.el4.noarch.rpm
python-qmf-0.7.946106-13.el4.noarch.rpm
python-qpid-0.7.946106-14.el4.noarch.rpm
qpid-java-client-0.7.946106-11.el4.noarch.rpm
qpid-java-common-0.7.946106-11.el4.noarch.rpm
qpid-java-example-0.7.946106-11.el4.noarch.rpm
qpid-tests-0.7.946106-1.el4.noarch.rpm
qpid-tools-0.7.946106-11.el4.noarch.rpm

x86_64:
qmf-0.7.946106-17.el4.x86_64.rpm
qmf-devel-0.7.946106-17.el4.x86_64.rpm
qpid-cpp-client-0.7.946106-17.el4.x86_64.rpm
qpid-cpp-client-devel-0.7.946106-17.el4.x86_64.rpm
qpid-cpp-client-devel-docs-0.7.946106-17.el4.x86_64.rpm
qpid-cpp-client-ssl-0.7.946106-17.el4.x86_64.rpm
qpid-cpp-mrg-debuginfo-0.7.946106-17.el4.x86_64.rpm
qpid-cpp-server-0.7.946106-17.el4.x86_64.rpm
qpid-cpp-server-devel-0.7.946106-17.el4.x86_64.rpm
qpid-cpp-server-ssl-0.7.946106-17.el4.x86_64.rpm
qpid-cpp-server-store-0.7.946106-17.el4.x86_64.rpm
qpid-cpp-server-xml-0.7.946106-17.el4.x86_64.rpm
sesame-0.7.4297-3.el4.x86_64.rpm
sesame-debuginfo-0.7.4297-3.el4.x86_64.rpm

Red Hat MRG Grid for RHEL-4 ES:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/RHEMRG/SRPMS/classads-1.0.8-1.el4.src.rpm
ftp://updates.redhat.com/enterprise/4ES/en/RHEMRG/SRPMS/condor-low-latency-1.1-0.2.el4.src.rpm
ftp://updates.redhat.com/enterprise/4ES/en/RHEMRG/SRPMS/mrg-grid-docs-1.3-1.el4.src.rpm
ftp://updates.redhat.com/enterprise/4ES/en/RHEMRG/SRPMS/mrg-release-1.3-2.el4.src.rpm

i386:
classads-1.0.8-1.el4.i386.rpm
classads-debuginfo-1.0.8-1.el4.i386.rpm
classads-devel-1.0.8-1.el4.i386.rpm
classads-static-1.0.8-1.el4.i386.rpm

noarch:
condor-low-latency-1.1-0.2.el4.noarch.rpm
mrg-grid-docs-1.3-1.el4.noarch.rpm
mrg-release-1.3-2.el4.noarch.rpm

x86_64:
classads-1.0.8-1.el4.x86_64.rpm
classads-debuginfo-1.0.8-1.el4.x86_64.rpm
classads-devel-1.0.8-1.el4.x86_64.rpm
classads-static-1.0.8-1.el4.x86_64.rpm

Red Hat MRG Grid Execute Node for RHEL-4 ES:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/RHEMRG/SRPMS/condor-7.4.4-0.16.el4.src.rpm
ftp://updates.redhat.com/enterprise/4ES/en/RHEMRG/SRPMS/condor-job-hooks-1.4-5.el4.src.rpm
ftp://updates.redhat.com/enterprise/4ES/en/RHEMRG/SRPMS/condor-low-latency-1.1-0.2.el4.src.rpm
ftp://updates.redhat.com/enterprise/4ES/en/RHEMRG/SRPMS/condor-wallaby-3.6-6.el4.src.rpm
ftp://updates.redhat.com/enterprise/4ES/en/RHEMRG/SRPMS/mrg-grid-docs-1.3-1.el4.src.rpm
ftp://updates.redhat.com/enterprise/4ES/en/RHEMRG/SRPMS/mrg-release-1.3-2.el4.src.rpm

i386:
condor-7.4.4-0.16.el4.i386.rpm
condor-debuginfo-7.4.4-0.16.el4.i386.rpm
condor-kbdd-7.4.4-0.16.el4.i386.rpm
condor-qmf-7.4.4-0.16.el4.i386.rpm

noarch:
condor-job-hooks-1.4-5.el4.noarch.rpm
condor-low-latency-1.1-0.2.el4.noarch.rpm
condor-wallaby-client-3.6-6.el4.noarch.rpm
mrg-grid-docs-1.3-1.el4.noarch.rpm
mrg-release-1.3-2.el4.noarch.rpm
python-condorutils-1.4-5.el4.noarch.rpm

x86_64:
condor-7.4.4-0.16.el4.x86_64.rpm
condor-debuginfo-7.4.4-0.16.el4.x86_64.rpm
condor-kbdd-7.4.4-0.16.el4.x86_64.rpm
condor-qmf-7.4.4-0.16.el4.x86_64.rpm

Red Hat MRG Messaging for RHEL-4 ES:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/RHEMRG/SRPMS/mrg-release-1.3-2.el4.src.rpm
ftp://updates.redhat.com/enterprise/4ES/en/RHEMRG/SRPMS/python-qmf-0.7.946106-13.el4.src.rpm
ftp://updates.redhat.com/enterprise/4ES/en/RHEMRG/SRPMS/python-qpid-0.7.946106-14.el4.src.rpm
ftp://updates.redhat.com/enterprise/4ES/en/RHEMRG/SRPMS/qpid-java-0.7.946106-11.el4.src.rpm
ftp://updates.redhat.com/enterprise/4ES/en/RHEMRG/SRPMS/qpid-tests-0.7.946106-1.el4.src.rpm
ftp://updates.redhat.com/enterprise/4ES/en/RHEMRG/SRPMS/qpid-tools-0.7.946106-11.el4.src.rpm
ftp://updates.redhat.com/enterprise/4ES/en/RHEMRG/SRPMS/rhm-docs-0.7.946106-8.el4.src.rpm
ftp://updates.redhat.com/enterprise/4ES/en/RHEMRG/SRPMS/sesame-0.7.4297-3.el4.src.rpm

i386:
sesame-0.7.4297-3.el4.i386.rpm
sesame-debuginfo-0.7.4297-3.el4.i386.rpm

noarch:
mrg-release-1.3-2.el4.noarch.rpm
python-qmf-0.7.946106-13.el4.noarch.rpm
python-qpid-0.7.946106-14.el4.noarch.rpm
qpid-java-client-0.7.946106-11.el4.noarch.rpm
qpid-java-common-0.7.946106-11.el4.noarch.rpm
qpid-java-example-0.7.946106-11.el4.noarch.rpm
qpid-tests-0.7.946106-1.el4.noarch.rpm
qpid-tools-0.7.946106-11.el4.noarch.rpm
rhm-docs-0.7.946106-8.el4.noarch.rpm

x86_64:
sesame-0.7.4297-3.el4.x86_64.rpm
sesame-debuginfo-0.7.4297-3.el4.x86_64.rpm

Red Hat MRG Messaging Base for RHEL-4 ES:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/RHEMRG/SRPMS/mrg-release-1.3-2.el4.src.rpm
ftp://updates.redhat.com/enterprise/4ES/en/RHEMRG/SRPMS/python-qmf-0.7.946106-13.el4.src.rpm
ftp://updates.redhat.com/enterprise/4ES/en/RHEMRG/SRPMS/python-qpid-0.7.946106-14.el4.src.rpm
ftp://updates.redhat.com/enterprise/4ES/en/RHEMRG/SRPMS/qpid-cpp-mrg-0.7.946106-17.el4.src.rpm
ftp://updates.redhat.com/enterprise/4ES/en/RHEMRG/SRPMS/qpid-java-0.7.946106-11.el4.src.rpm
ftp://updates.redhat.com/enterprise/4ES/en/RHEMRG/SRPMS/qpid-tests-0.7.946106-1.el4.src.rpm
ftp://updates.redhat.com/enterprise/4ES/en/RHEMRG/SRPMS/qpid-tools-0.7.946106-11.el4.src.rpm
ftp://updates.redhat.com/enterprise/4ES/en/RHEMRG/SRPMS/sesame-0.7.4297-3.el4.src.rpm

i386:
qmf-0.7.946106-17.el4.i386.rpm
qmf-devel-0.7.946106-17.el4.i386.rpm
qpid-cpp-client-0.7.946106-17.el4.i386.rpm
qpid-cpp-client-devel-0.7.946106-17.el4.i386.rpm
qpid-cpp-client-devel-docs-0.7.946106-17.el4.i386.rpm
qpid-cpp-client-ssl-0.7.946106-17.el4.i386.rpm
qpid-cpp-mrg-debuginfo-0.7.946106-17.el4.i386.rpm
qpid-cpp-server-0.7.946106-17.el4.i386.rpm
qpid-cpp-server-devel-0.7.946106-17.el4.i386.rpm
qpid-cpp-server-ssl-0.7.946106-17.el4.i386.rpm
qpid-cpp-server-store-0.7.946106-17.el4.i386.rpm
qpid-cpp-server-xml-0.7.946106-17.el4.i386.rpm
sesame-0.7.4297-3.el4.i386.rpm
sesame-debuginfo-0.7.4297-3.el4.i386.rpm

noarch:
mrg-release-1.3-2.el4.noarch.rpm
python-qmf-0.7.946106-13.el4.noarch.rpm
python-qpid-0.7.946106-14.el4.noarch.rpm
qpid-java-client-0.7.946106-11.el4.noarch.rpm
qpid-java-common-0.7.946106-11.el4.noarch.rpm
qpid-java-example-0.7.946106-11.el4.noarch.rpm
qpid-tests-0.7.946106-1.el4.noarch.rpm
qpid-tools-0.7.946106-11.el4.noarch.rpm

x86_64:
qmf-0.7.946106-17.el4.x86_64.rpm
qmf-devel-0.7.946106-17.el4.x86_64.rpm
qpid-cpp-client-0.7.946106-17.el4.x86_64.rpm
qpid-cpp-client-devel-0.7.946106-17.el4.x86_64.rpm
qpid-cpp-client-devel-docs-0.7.946106-17.el4.x86_64.rpm
qpid-cpp-client-ssl-0.7.946106-17.el4.x86_64.rpm
qpid-cpp-mrg-debuginfo-0.7.946106-17.el4.x86_64.rpm
qpid-cpp-server-0.7.946106-17.el4.x86_64.rpm
qpid-cpp-server-devel-0.7.946106-17.el4.x86_64.rpm
qpid-cpp-server-ssl-0.7.946106-17.el4.x86_64.rpm
qpid-cpp-server-store-0.7.946106-17.el4.x86_64.rpm
qpid-cpp-server-xml-0.7.946106-17.el4.x86_64.rpm
sesame-0.7.4297-3.el4.x86_64.rpm
sesame-debuginfo-0.7.4297-3.el4.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2009-5005.html
https://www.redhat.com/security/data/cve/CVE-2009-5006.html
http://www.redhat.com/security/updates/classification/#moderate
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_MRG/1/html/Technical_Notes/index.html

8. Contact:

The Red Hat security contact is . More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2010 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFMty/fXlSAg2UNWIIRAjQwAJ9Kyais3AknZWJ604+22TdGvplpRACcCUrJ
aRp0UuHecA1rMRXP38zHuTo=
=V7IQ
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Tue Oct 19 19:04:06 2010
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 19 Oct 2010 15:04:06 -0400
Subject: [RHSA-2010:0779-01] Moderate: kernel security and bug fix update
Message-ID: <201010191903.o9JJ3xHv004077@int-mx01.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: kernel security and bug fix update
Advisory ID:       RHSA-2010:0779-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2010-0779.html
Issue date:        2010-10-19
CVE Names:         CVE-2010-2942 CVE-2010-3067 CVE-2010-3477
=====================================================================

1. Summary:

Updated kernel packages that fix multiple security issues and several bugs
are now available for Red Hat Enterprise Linux 4.

The Red Hat Security Response Team has rated this update as having moderate
security impact.
Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux AS version 4 - i386, ia64, noarch, ppc, s390, s390x, x86_64 Red Hat Enterprise Linux Desktop version 4 - i386, noarch, x86_64 Red Hat Enterprise Linux ES version 4 - i386, ia64, noarch, x86_64 Red Hat Enterprise Linux WS version 4 - i386, ia64, noarch, x86_64 3. Description: The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues: * Information leak flaws were found in the Linux kernel Traffic Control Unit implementation. A local attacker could use these flaws to cause the kernel to leak kernel memory to user-space, possibly leading to the disclosure of sensitive information. (CVE-2010-2942, Moderate) * A flaw was found in the tcf_act_police_dump() function in the Linux kernel network traffic policing implementation. A data structure in tcf_act_police_dump() was not initialized properly before being copied to user-space. A local, unprivileged user could use this flaw to cause an information leak. (CVE-2010-3477, Moderate) * A missing upper bound integer check was found in the sys_io_submit() function in the Linux kernel asynchronous I/O implementation. A local, unprivileged user could use this flaw to cause an information leak. (CVE-2010-3067, Low) Red Hat would like to thank Tavis Ormandy for reporting CVE-2010-3067. This update also fixes the following bugs: * When two systems using bonding devices in the adaptive load balancing (ALB) mode communicated with each other, an endless loop of ARP replies started between these two systems due to a faulty MAC address update. With this update, the MAC address update no longer creates unneeded ARP replies. 
(BZ#629239) * When running the Connectathon NFS Testsuite with certain clients and Red Hat Enterprise Linux 4.8 as the server, nfsvers4, lock, and test2 failed the Connectathon test. (BZ#625535) * For UDP/UNIX domain sockets, due to insufficient memory barriers in the network code, a process sleeping in select() may have missed notifications about new data. In rare cases, this bug may have caused a process to sleep forever. (BZ#640117) * In certain situations, a bug found in either the HTB or TBF network packet schedulers in the Linux kernel could have caused a kernel panic when using Broadcom network cards with the bnx2 driver. (BZ#624363) * Previously, allocating fallback cqr for DASD reserve/release IOCTLs failed because it used the memory pool of the respective device. This update preallocates sufficient memory for a single reserve/release request. (BZ#626828) * In some situations a bug prevented "force online" succeeding for a DASD device. (BZ#626827) * Using the "fsstress" utility may have caused a kernel panic. (BZ#633968) * This update introduces additional stack guard patches. (BZ#632515) * A bug was found in the way the megaraid_sas driver handled physical disks and management IOCTLs. All physical disks were exported to the disk layer, allowing an oops in megasas_complete_cmd_dpc() when completing the IOCTL command if a timeout occurred. (BZ#631903) * Previously, a warning message was returned when a large amount of messages was passed through netconsole and a considerable amount of network load was added. With this update, the warning message is no longer displayed. (BZ#637729) * Executing a large "dd" command (1 to 5GB) on an iSCSI device with the qla3xxx driver caused a system crash due to the incorrect storing of a private data structure. With this update, the size of the stored data structure is checked and the system crashes no longer occur. 
(BZ#624364) Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259 To install kernel packages manually, use "rpm -ivh [package]". Do not use "rpm -Uvh" as that will remove the running kernel binaries from your system. You may use "rpm -e" to remove old kernels after determining that the new kernel functions properly on your system. 5. Bugs fixed (http://bugzilla.redhat.com/): 624363 - bnx2: panic in bnx2_poll_work() [rhel-4.8.z] 624364 - system crashes due to corrupt net_device_wrapper structure [rhel-4.8.z] 624903 - CVE-2010-2942 kernel: net sched: fix some kernel memory leaks 625535 - [Kernel] cthon nfsvers4, lock, test2 failing with rhel6 client vs. rhel4 server [rhel-4.8.z] 626827 - dasd: force online does not work. [rhel-4.8.z] 626828 - dasd: allocate fallback cqr for reserve/release [rhel-4.8.z] 629239 - [4u8] Bonding in ALB mode sends ARP in loop [rhel-4.8.z] 629441 - CVE-2010-3067 kernel: do_io_submit() infoleak 631903 - megaraid_sas: fix physical disk handling [rhel-4.8.z] 632515 - kernel: additional stack guard patches [rhel-4.9] [rhel-4.8.z] 633968 - kernel BUG at fs/mpage.c:417! [rhel-4.8.z] 636386 - CVE-2010-3477 kernel: net/sched/act_police.c infoleak 637729 - netconsole on e1000 cause "Badness in local_bh_enable at kernel/softirq.c:141" [rhel-4.8.z] 640117 - [RHEL4.5] select() cannot return in UDP/UNIX domain socket [rhel-4.8.z] 6. 
Package List: Red Hat Enterprise Linux AS version 4: Source: ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/kernel-2.6.9-89.31.1.EL.src.rpm i386: kernel-2.6.9-89.31.1.EL.i686.rpm kernel-debuginfo-2.6.9-89.31.1.EL.i686.rpm kernel-devel-2.6.9-89.31.1.EL.i686.rpm kernel-hugemem-2.6.9-89.31.1.EL.i686.rpm kernel-hugemem-devel-2.6.9-89.31.1.EL.i686.rpm kernel-smp-2.6.9-89.31.1.EL.i686.rpm kernel-smp-devel-2.6.9-89.31.1.EL.i686.rpm kernel-xenU-2.6.9-89.31.1.EL.i686.rpm kernel-xenU-devel-2.6.9-89.31.1.EL.i686.rpm ia64: kernel-2.6.9-89.31.1.EL.ia64.rpm kernel-debuginfo-2.6.9-89.31.1.EL.ia64.rpm kernel-devel-2.6.9-89.31.1.EL.ia64.rpm kernel-largesmp-2.6.9-89.31.1.EL.ia64.rpm kernel-largesmp-devel-2.6.9-89.31.1.EL.ia64.rpm noarch: kernel-doc-2.6.9-89.31.1.EL.noarch.rpm ppc: kernel-2.6.9-89.31.1.EL.ppc64.rpm kernel-2.6.9-89.31.1.EL.ppc64iseries.rpm kernel-debuginfo-2.6.9-89.31.1.EL.ppc64.rpm kernel-debuginfo-2.6.9-89.31.1.EL.ppc64iseries.rpm kernel-devel-2.6.9-89.31.1.EL.ppc64.rpm kernel-devel-2.6.9-89.31.1.EL.ppc64iseries.rpm kernel-largesmp-2.6.9-89.31.1.EL.ppc64.rpm kernel-largesmp-devel-2.6.9-89.31.1.EL.ppc64.rpm s390: kernel-2.6.9-89.31.1.EL.s390.rpm kernel-debuginfo-2.6.9-89.31.1.EL.s390.rpm kernel-devel-2.6.9-89.31.1.EL.s390.rpm s390x: kernel-2.6.9-89.31.1.EL.s390x.rpm kernel-debuginfo-2.6.9-89.31.1.EL.s390x.rpm kernel-devel-2.6.9-89.31.1.EL.s390x.rpm x86_64: kernel-2.6.9-89.31.1.EL.x86_64.rpm kernel-debuginfo-2.6.9-89.31.1.EL.x86_64.rpm kernel-devel-2.6.9-89.31.1.EL.x86_64.rpm kernel-largesmp-2.6.9-89.31.1.EL.x86_64.rpm kernel-largesmp-devel-2.6.9-89.31.1.EL.x86_64.rpm kernel-smp-2.6.9-89.31.1.EL.x86_64.rpm kernel-smp-devel-2.6.9-89.31.1.EL.x86_64.rpm kernel-xenU-2.6.9-89.31.1.EL.x86_64.rpm kernel-xenU-devel-2.6.9-89.31.1.EL.x86_64.rpm Red Hat Enterprise Linux Desktop version 4: Source: ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/kernel-2.6.9-89.31.1.EL.src.rpm i386: kernel-2.6.9-89.31.1.EL.i686.rpm kernel-debuginfo-2.6.9-89.31.1.EL.i686.rpm 
kernel-devel-2.6.9-89.31.1.EL.i686.rpm kernel-hugemem-2.6.9-89.31.1.EL.i686.rpm kernel-hugemem-devel-2.6.9-89.31.1.EL.i686.rpm kernel-smp-2.6.9-89.31.1.EL.i686.rpm kernel-smp-devel-2.6.9-89.31.1.EL.i686.rpm kernel-xenU-2.6.9-89.31.1.EL.i686.rpm kernel-xenU-devel-2.6.9-89.31.1.EL.i686.rpm noarch: kernel-doc-2.6.9-89.31.1.EL.noarch.rpm x86_64: kernel-2.6.9-89.31.1.EL.x86_64.rpm kernel-debuginfo-2.6.9-89.31.1.EL.x86_64.rpm kernel-devel-2.6.9-89.31.1.EL.x86_64.rpm kernel-largesmp-2.6.9-89.31.1.EL.x86_64.rpm kernel-largesmp-devel-2.6.9-89.31.1.EL.x86_64.rpm kernel-smp-2.6.9-89.31.1.EL.x86_64.rpm kernel-smp-devel-2.6.9-89.31.1.EL.x86_64.rpm kernel-xenU-2.6.9-89.31.1.EL.x86_64.rpm kernel-xenU-devel-2.6.9-89.31.1.EL.x86_64.rpm Red Hat Enterprise Linux ES version 4: Source: ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/kernel-2.6.9-89.31.1.EL.src.rpm i386: kernel-2.6.9-89.31.1.EL.i686.rpm kernel-debuginfo-2.6.9-89.31.1.EL.i686.rpm kernel-devel-2.6.9-89.31.1.EL.i686.rpm kernel-hugemem-2.6.9-89.31.1.EL.i686.rpm kernel-hugemem-devel-2.6.9-89.31.1.EL.i686.rpm kernel-smp-2.6.9-89.31.1.EL.i686.rpm kernel-smp-devel-2.6.9-89.31.1.EL.i686.rpm kernel-xenU-2.6.9-89.31.1.EL.i686.rpm kernel-xenU-devel-2.6.9-89.31.1.EL.i686.rpm ia64: kernel-2.6.9-89.31.1.EL.ia64.rpm kernel-debuginfo-2.6.9-89.31.1.EL.ia64.rpm kernel-devel-2.6.9-89.31.1.EL.ia64.rpm kernel-largesmp-2.6.9-89.31.1.EL.ia64.rpm kernel-largesmp-devel-2.6.9-89.31.1.EL.ia64.rpm noarch: kernel-doc-2.6.9-89.31.1.EL.noarch.rpm x86_64: kernel-2.6.9-89.31.1.EL.x86_64.rpm kernel-debuginfo-2.6.9-89.31.1.EL.x86_64.rpm kernel-devel-2.6.9-89.31.1.EL.x86_64.rpm kernel-largesmp-2.6.9-89.31.1.EL.x86_64.rpm kernel-largesmp-devel-2.6.9-89.31.1.EL.x86_64.rpm kernel-smp-2.6.9-89.31.1.EL.x86_64.rpm kernel-smp-devel-2.6.9-89.31.1.EL.x86_64.rpm kernel-xenU-2.6.9-89.31.1.EL.x86_64.rpm kernel-xenU-devel-2.6.9-89.31.1.EL.x86_64.rpm Red Hat Enterprise Linux WS version 4: Source: 
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/kernel-2.6.9-89.31.1.EL.src.rpm i386: kernel-2.6.9-89.31.1.EL.i686.rpm kernel-debuginfo-2.6.9-89.31.1.EL.i686.rpm kernel-devel-2.6.9-89.31.1.EL.i686.rpm kernel-hugemem-2.6.9-89.31.1.EL.i686.rpm kernel-hugemem-devel-2.6.9-89.31.1.EL.i686.rpm kernel-smp-2.6.9-89.31.1.EL.i686.rpm kernel-smp-devel-2.6.9-89.31.1.EL.i686.rpm kernel-xenU-2.6.9-89.31.1.EL.i686.rpm kernel-xenU-devel-2.6.9-89.31.1.EL.i686.rpm ia64: kernel-2.6.9-89.31.1.EL.ia64.rpm kernel-debuginfo-2.6.9-89.31.1.EL.ia64.rpm kernel-devel-2.6.9-89.31.1.EL.ia64.rpm kernel-largesmp-2.6.9-89.31.1.EL.ia64.rpm kernel-largesmp-devel-2.6.9-89.31.1.EL.ia64.rpm noarch: kernel-doc-2.6.9-89.31.1.EL.noarch.rpm x86_64: kernel-2.6.9-89.31.1.EL.x86_64.rpm kernel-debuginfo-2.6.9-89.31.1.EL.x86_64.rpm kernel-devel-2.6.9-89.31.1.EL.x86_64.rpm kernel-largesmp-2.6.9-89.31.1.EL.x86_64.rpm kernel-largesmp-devel-2.6.9-89.31.1.EL.x86_64.rpm kernel-smp-2.6.9-89.31.1.EL.x86_64.rpm kernel-smp-devel-2.6.9-89.31.1.EL.x86_64.rpm kernel-xenU-2.6.9-89.31.1.EL.x86_64.rpm kernel-xenU-devel-2.6.9-89.31.1.EL.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2010-2942.html https://www.redhat.com/security/data/cve/CVE-2010-3067.html https://www.redhat.com/security/data/cve/CVE-2010-3477.html http://www.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/ Copyright 2010 Red Hat, Inc. 
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFMvesoXlSAg2UNWIIRAnzVAKC7XGzFKtYbNoPaQ2i26hcM48Iq5wCfewaW 6q9Yrvvd5v3MSK6utOEmrh0= =Y4e3 -----END PGP SIGNATURE----- From bugzilla at redhat.com Tue Oct 19 23:46:33 2010 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Tue, 19 Oct 2010 19:46:33 -0400 Subject: [RHSA-2010:0780-01] Moderate: thunderbird security update Message-ID: <201010192349.o9JNnFQ2022881@int-mx02.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: thunderbird security update Advisory ID: RHSA-2010:0780-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2010-0780.html Issue date: 2010-10-19 CVE Names: CVE-2010-3176 CVE-2010-3180 CVE-2010-3182 ===================================================================== 1. Summary: An updated thunderbird package that fixes several security issues is now available for Red Hat Enterprise Linux 4 and 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: RHEL Optional Productivity Applications (v. 5 server) - i386, x86_64 Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux Desktop version 4 - i386, x86_64 Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64 Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64 3. Description: Mozilla Thunderbird is a standalone mail and newsgroup client. Several flaws were found in the processing of malformed HTML mail content. 
An HTML mail message containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2010-3176, CVE-2010-3180) Note: JavaScript support is disabled by default in Thunderbird. The above issues are not exploitable unless JavaScript is enabled. A flaw was found in the script that launches Thunderbird. The LD_LIBRARY_PATH variable was appending a "." character, which could allow a local attacker to execute arbitrary code with the privileges of a different user running Thunderbird, if that user ran Thunderbird from within an attacker-controlled directory. (CVE-2010-3182) All Thunderbird users should upgrade to this updated package, which resolves these issues. All running instances of Thunderbird must be restarted for the update to take effect. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259 5. Bugs fixed (http://bugzilla.redhat.com/): 642272 - CVE-2010-3176 Mozilla miscellaneous memory safety hazards 642283 - CVE-2010-3180 Mozilla use-after-free error in nsBarProp 642300 - CVE-2010-3182 Mozilla unsafe library loading flaw 6. 
Package List: Red Hat Enterprise Linux AS version 4: Source: ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/thunderbird-1.5.0.12-31.el4.src.rpm i386: thunderbird-1.5.0.12-31.el4.i386.rpm thunderbird-debuginfo-1.5.0.12-31.el4.i386.rpm ia64: thunderbird-1.5.0.12-31.el4.ia64.rpm thunderbird-debuginfo-1.5.0.12-31.el4.ia64.rpm ppc: thunderbird-1.5.0.12-31.el4.ppc.rpm thunderbird-debuginfo-1.5.0.12-31.el4.ppc.rpm s390: thunderbird-1.5.0.12-31.el4.s390.rpm thunderbird-debuginfo-1.5.0.12-31.el4.s390.rpm s390x: thunderbird-1.5.0.12-31.el4.s390x.rpm thunderbird-debuginfo-1.5.0.12-31.el4.s390x.rpm x86_64: thunderbird-1.5.0.12-31.el4.x86_64.rpm thunderbird-debuginfo-1.5.0.12-31.el4.x86_64.rpm Red Hat Enterprise Linux Desktop version 4: Source: ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/thunderbird-1.5.0.12-31.el4.src.rpm i386: thunderbird-1.5.0.12-31.el4.i386.rpm thunderbird-debuginfo-1.5.0.12-31.el4.i386.rpm x86_64: thunderbird-1.5.0.12-31.el4.x86_64.rpm thunderbird-debuginfo-1.5.0.12-31.el4.x86_64.rpm Red Hat Enterprise Linux ES version 4: Source: ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/thunderbird-1.5.0.12-31.el4.src.rpm i386: thunderbird-1.5.0.12-31.el4.i386.rpm thunderbird-debuginfo-1.5.0.12-31.el4.i386.rpm ia64: thunderbird-1.5.0.12-31.el4.ia64.rpm thunderbird-debuginfo-1.5.0.12-31.el4.ia64.rpm x86_64: thunderbird-1.5.0.12-31.el4.x86_64.rpm thunderbird-debuginfo-1.5.0.12-31.el4.x86_64.rpm Red Hat Enterprise Linux WS version 4: Source: ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/thunderbird-1.5.0.12-31.el4.src.rpm i386: thunderbird-1.5.0.12-31.el4.i386.rpm thunderbird-debuginfo-1.5.0.12-31.el4.i386.rpm ia64: thunderbird-1.5.0.12-31.el4.ia64.rpm thunderbird-debuginfo-1.5.0.12-31.el4.ia64.rpm x86_64: thunderbird-1.5.0.12-31.el4.x86_64.rpm thunderbird-debuginfo-1.5.0.12-31.el4.x86_64.rpm Red Hat Enterprise Linux Desktop (v. 
5 client): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/thunderbird-2.0.0.24-9.el5.src.rpm i386: thunderbird-2.0.0.24-9.el5.i386.rpm thunderbird-debuginfo-2.0.0.24-9.el5.i386.rpm x86_64: thunderbird-2.0.0.24-9.el5.x86_64.rpm thunderbird-debuginfo-2.0.0.24-9.el5.x86_64.rpm RHEL Optional Productivity Applications (v. 5 server): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/thunderbird-2.0.0.24-9.el5.src.rpm i386: thunderbird-2.0.0.24-9.el5.i386.rpm thunderbird-debuginfo-2.0.0.24-9.el5.i386.rpm x86_64: thunderbird-2.0.0.24-9.el5.x86_64.rpm thunderbird-debuginfo-2.0.0.24-9.el5.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2010-3176.html https://www.redhat.com/security/data/cve/CVE-2010-3180.html https://www.redhat.com/security/data/cve/CVE-2010-3182.html http://www.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is <secalert at redhat.com>. More contact details at https://www.redhat.com/security/team/contact/ Copyright 2010 Red Hat, Inc. 
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFMvi5TXlSAg2UNWIIRAmoNAJ93OipyK0JayDvGWv1YQjd1P+0IWgCfUCyd 1g76ebDGy/DdjybkpBNLiyc= =ZKps -----END PGP SIGNATURE----- From bugzilla at redhat.com Tue Oct 19 23:47:40 2010 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Tue, 19 Oct 2010 19:47:40 -0400 Subject: [RHSA-2010:0781-01] Critical: seamonkey security update Message-ID: <201010192350.o9JNoM4j016553@int-mx10.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Critical: seamonkey security update Advisory ID: RHSA-2010:0781-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2010-0781.html Issue date: 2010-10-19 CVE Names: CVE-2010-3170 CVE-2010-3173 CVE-2010-3176 CVE-2010-3177 CVE-2010-3180 CVE-2010-3182 ===================================================================== 1. Summary: Updated seamonkey packages that fix several security issues are now available for Red Hat Enterprise Linux 3 and 4. The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Desktop version 3 - i386, x86_64 Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64 Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64 Red Hat Enterprise Linux Desktop version 4 - i386, x86_64 Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64 Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64 Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64 Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64 3. 
Description: SeaMonkey is an open source web browser, email and newsgroup client, IRC chat client, and HTML editor. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause SeaMonkey to crash or, potentially, execute arbitrary code with the privileges of the user running SeaMonkey. (CVE-2010-3176, CVE-2010-3180) A flaw was found in the way the Gopher parser in SeaMonkey converted text into HTML. A malformed file name on a Gopher server could, when accessed by a victim running SeaMonkey, allow arbitrary JavaScript to be executed in the context of the Gopher domain. (CVE-2010-3177) A flaw was found in the script that launches SeaMonkey. The LD_LIBRARY_PATH variable was appending a "." character, which could allow a local attacker to execute arbitrary code with the privileges of a different user running SeaMonkey, if that user ran SeaMonkey from within an attacker-controlled directory. (CVE-2010-3182) It was found that the SSL DHE (Diffie-Hellman Ephemeral) mode implementation for key exchanges in SeaMonkey accepted DHE keys that were 256 bits in length. This update removes support for 256 bit DHE keys, as such keys are easily broken using modern hardware. (CVE-2010-3173) A flaw was found in the way SeaMonkey matched SSL certificates when the certificates had a Common Name containing a wildcard and a partial IP address. SeaMonkey incorrectly accepted connections to IP addresses that fell within the SSL certificate's wildcard range as valid SSL connections, possibly allowing an attacker to conduct a man-in-the-middle attack. (CVE-2010-3170) All SeaMonkey users should upgrade to these updated packages, which correct these issues. After installing the update, SeaMonkey must be restarted for the changes to take effect. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. 
Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259 5. Bugs fixed (http://bugzilla.redhat.com/): 630047 - CVE-2010-3170 firefox/nss: Doesn't handle wildcards in Common Name properly 642272 - CVE-2010-3176 Mozilla miscellaneous memory safety hazards 642283 - CVE-2010-3180 Mozilla use-after-free error in nsBarProp 642290 - CVE-2010-3177 Mozilla XSS in gopher parser when parsing hrefs 642300 - CVE-2010-3182 Mozilla unsafe library loading flaw 642302 - CVE-2010-3173 Mozilla insecure Diffie-Hellman key exchange 6. Package List: Red Hat Enterprise Linux AS version 3: Source: ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/seamonkey-1.0.9-0.61.el3.src.rpm i386: seamonkey-1.0.9-0.61.el3.i386.rpm seamonkey-chat-1.0.9-0.61.el3.i386.rpm seamonkey-debuginfo-1.0.9-0.61.el3.i386.rpm seamonkey-devel-1.0.9-0.61.el3.i386.rpm seamonkey-dom-inspector-1.0.9-0.61.el3.i386.rpm seamonkey-js-debugger-1.0.9-0.61.el3.i386.rpm seamonkey-mail-1.0.9-0.61.el3.i386.rpm seamonkey-nspr-1.0.9-0.61.el3.i386.rpm seamonkey-nspr-devel-1.0.9-0.61.el3.i386.rpm seamonkey-nss-1.0.9-0.61.el3.i386.rpm seamonkey-nss-devel-1.0.9-0.61.el3.i386.rpm ia64: seamonkey-1.0.9-0.61.el3.ia64.rpm seamonkey-chat-1.0.9-0.61.el3.ia64.rpm seamonkey-debuginfo-1.0.9-0.61.el3.i386.rpm seamonkey-debuginfo-1.0.9-0.61.el3.ia64.rpm seamonkey-devel-1.0.9-0.61.el3.ia64.rpm seamonkey-dom-inspector-1.0.9-0.61.el3.ia64.rpm seamonkey-js-debugger-1.0.9-0.61.el3.ia64.rpm seamonkey-mail-1.0.9-0.61.el3.ia64.rpm seamonkey-nspr-1.0.9-0.61.el3.i386.rpm seamonkey-nspr-1.0.9-0.61.el3.ia64.rpm seamonkey-nspr-devel-1.0.9-0.61.el3.ia64.rpm seamonkey-nss-1.0.9-0.61.el3.i386.rpm seamonkey-nss-1.0.9-0.61.el3.ia64.rpm seamonkey-nss-devel-1.0.9-0.61.el3.ia64.rpm ppc: seamonkey-1.0.9-0.61.el3.ppc.rpm seamonkey-chat-1.0.9-0.61.el3.ppc.rpm seamonkey-debuginfo-1.0.9-0.61.el3.ppc.rpm seamonkey-devel-1.0.9-0.61.el3.ppc.rpm seamonkey-dom-inspector-1.0.9-0.61.el3.ppc.rpm 
seamonkey-js-debugger-1.0.9-0.61.el3.ppc.rpm seamonkey-mail-1.0.9-0.61.el3.ppc.rpm seamonkey-nspr-1.0.9-0.61.el3.ppc.rpm seamonkey-nspr-devel-1.0.9-0.61.el3.ppc.rpm seamonkey-nss-1.0.9-0.61.el3.ppc.rpm seamonkey-nss-devel-1.0.9-0.61.el3.ppc.rpm s390: seamonkey-1.0.9-0.61.el3.s390.rpm seamonkey-chat-1.0.9-0.61.el3.s390.rpm seamonkey-debuginfo-1.0.9-0.61.el3.s390.rpm seamonkey-devel-1.0.9-0.61.el3.s390.rpm seamonkey-dom-inspector-1.0.9-0.61.el3.s390.rpm seamonkey-js-debugger-1.0.9-0.61.el3.s390.rpm seamonkey-mail-1.0.9-0.61.el3.s390.rpm seamonkey-nspr-1.0.9-0.61.el3.s390.rpm seamonkey-nspr-devel-1.0.9-0.61.el3.s390.rpm seamonkey-nss-1.0.9-0.61.el3.s390.rpm seamonkey-nss-devel-1.0.9-0.61.el3.s390.rpm s390x: seamonkey-1.0.9-0.61.el3.s390x.rpm seamonkey-chat-1.0.9-0.61.el3.s390x.rpm seamonkey-debuginfo-1.0.9-0.61.el3.s390.rpm seamonkey-debuginfo-1.0.9-0.61.el3.s390x.rpm seamonkey-devel-1.0.9-0.61.el3.s390x.rpm seamonkey-dom-inspector-1.0.9-0.61.el3.s390x.rpm seamonkey-js-debugger-1.0.9-0.61.el3.s390x.rpm seamonkey-mail-1.0.9-0.61.el3.s390x.rpm seamonkey-nspr-1.0.9-0.61.el3.s390.rpm seamonkey-nspr-1.0.9-0.61.el3.s390x.rpm seamonkey-nspr-devel-1.0.9-0.61.el3.s390x.rpm seamonkey-nss-1.0.9-0.61.el3.s390.rpm seamonkey-nss-1.0.9-0.61.el3.s390x.rpm seamonkey-nss-devel-1.0.9-0.61.el3.s390x.rpm x86_64: seamonkey-1.0.9-0.61.el3.i386.rpm seamonkey-1.0.9-0.61.el3.x86_64.rpm seamonkey-chat-1.0.9-0.61.el3.x86_64.rpm seamonkey-debuginfo-1.0.9-0.61.el3.i386.rpm seamonkey-debuginfo-1.0.9-0.61.el3.x86_64.rpm seamonkey-devel-1.0.9-0.61.el3.x86_64.rpm seamonkey-dom-inspector-1.0.9-0.61.el3.x86_64.rpm seamonkey-js-debugger-1.0.9-0.61.el3.x86_64.rpm seamonkey-mail-1.0.9-0.61.el3.x86_64.rpm seamonkey-nspr-1.0.9-0.61.el3.i386.rpm seamonkey-nspr-1.0.9-0.61.el3.x86_64.rpm seamonkey-nspr-devel-1.0.9-0.61.el3.x86_64.rpm seamonkey-nss-1.0.9-0.61.el3.i386.rpm seamonkey-nss-1.0.9-0.61.el3.x86_64.rpm seamonkey-nss-devel-1.0.9-0.61.el3.x86_64.rpm Red Hat Desktop version 3: Source: 
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/seamonkey-1.0.9-0.61.el3.src.rpm

i386:
seamonkey-1.0.9-0.61.el3.i386.rpm
seamonkey-chat-1.0.9-0.61.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.61.el3.i386.rpm
seamonkey-devel-1.0.9-0.61.el3.i386.rpm
seamonkey-dom-inspector-1.0.9-0.61.el3.i386.rpm
seamonkey-js-debugger-1.0.9-0.61.el3.i386.rpm
seamonkey-mail-1.0.9-0.61.el3.i386.rpm
seamonkey-nspr-1.0.9-0.61.el3.i386.rpm
seamonkey-nspr-devel-1.0.9-0.61.el3.i386.rpm
seamonkey-nss-1.0.9-0.61.el3.i386.rpm
seamonkey-nss-devel-1.0.9-0.61.el3.i386.rpm

x86_64:
seamonkey-1.0.9-0.61.el3.i386.rpm
seamonkey-1.0.9-0.61.el3.x86_64.rpm
seamonkey-chat-1.0.9-0.61.el3.x86_64.rpm
seamonkey-debuginfo-1.0.9-0.61.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.61.el3.x86_64.rpm
seamonkey-devel-1.0.9-0.61.el3.x86_64.rpm
seamonkey-dom-inspector-1.0.9-0.61.el3.x86_64.rpm
seamonkey-js-debugger-1.0.9-0.61.el3.x86_64.rpm
seamonkey-mail-1.0.9-0.61.el3.x86_64.rpm
seamonkey-nspr-1.0.9-0.61.el3.i386.rpm
seamonkey-nspr-1.0.9-0.61.el3.x86_64.rpm
seamonkey-nspr-devel-1.0.9-0.61.el3.x86_64.rpm
seamonkey-nss-1.0.9-0.61.el3.i386.rpm
seamonkey-nss-1.0.9-0.61.el3.x86_64.rpm
seamonkey-nss-devel-1.0.9-0.61.el3.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

Source:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/seamonkey-1.0.9-0.61.el3.src.rpm

i386:
seamonkey-1.0.9-0.61.el3.i386.rpm
seamonkey-chat-1.0.9-0.61.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.61.el3.i386.rpm
seamonkey-devel-1.0.9-0.61.el3.i386.rpm
seamonkey-dom-inspector-1.0.9-0.61.el3.i386.rpm
seamonkey-js-debugger-1.0.9-0.61.el3.i386.rpm
seamonkey-mail-1.0.9-0.61.el3.i386.rpm
seamonkey-nspr-1.0.9-0.61.el3.i386.rpm
seamonkey-nspr-devel-1.0.9-0.61.el3.i386.rpm
seamonkey-nss-1.0.9-0.61.el3.i386.rpm
seamonkey-nss-devel-1.0.9-0.61.el3.i386.rpm

ia64:
seamonkey-1.0.9-0.61.el3.ia64.rpm
seamonkey-chat-1.0.9-0.61.el3.ia64.rpm
seamonkey-debuginfo-1.0.9-0.61.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.61.el3.ia64.rpm
seamonkey-devel-1.0.9-0.61.el3.ia64.rpm
seamonkey-dom-inspector-1.0.9-0.61.el3.ia64.rpm
seamonkey-js-debugger-1.0.9-0.61.el3.ia64.rpm
seamonkey-mail-1.0.9-0.61.el3.ia64.rpm
seamonkey-nspr-1.0.9-0.61.el3.i386.rpm
seamonkey-nspr-1.0.9-0.61.el3.ia64.rpm
seamonkey-nspr-devel-1.0.9-0.61.el3.ia64.rpm
seamonkey-nss-1.0.9-0.61.el3.i386.rpm
seamonkey-nss-1.0.9-0.61.el3.ia64.rpm
seamonkey-nss-devel-1.0.9-0.61.el3.ia64.rpm

x86_64:
seamonkey-1.0.9-0.61.el3.i386.rpm
seamonkey-1.0.9-0.61.el3.x86_64.rpm
seamonkey-chat-1.0.9-0.61.el3.x86_64.rpm
seamonkey-debuginfo-1.0.9-0.61.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.61.el3.x86_64.rpm
seamonkey-devel-1.0.9-0.61.el3.x86_64.rpm
seamonkey-dom-inspector-1.0.9-0.61.el3.x86_64.rpm
seamonkey-js-debugger-1.0.9-0.61.el3.x86_64.rpm
seamonkey-mail-1.0.9-0.61.el3.x86_64.rpm
seamonkey-nspr-1.0.9-0.61.el3.i386.rpm
seamonkey-nspr-1.0.9-0.61.el3.x86_64.rpm
seamonkey-nspr-devel-1.0.9-0.61.el3.x86_64.rpm
seamonkey-nss-1.0.9-0.61.el3.i386.rpm
seamonkey-nss-1.0.9-0.61.el3.x86_64.rpm
seamonkey-nss-devel-1.0.9-0.61.el3.x86_64.rpm

Red Hat Enterprise Linux WS version 3:

Source:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/seamonkey-1.0.9-0.61.el3.src.rpm

i386:
seamonkey-1.0.9-0.61.el3.i386.rpm
seamonkey-chat-1.0.9-0.61.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.61.el3.i386.rpm
seamonkey-devel-1.0.9-0.61.el3.i386.rpm
seamonkey-dom-inspector-1.0.9-0.61.el3.i386.rpm
seamonkey-js-debugger-1.0.9-0.61.el3.i386.rpm
seamonkey-mail-1.0.9-0.61.el3.i386.rpm
seamonkey-nspr-1.0.9-0.61.el3.i386.rpm
seamonkey-nspr-devel-1.0.9-0.61.el3.i386.rpm
seamonkey-nss-1.0.9-0.61.el3.i386.rpm
seamonkey-nss-devel-1.0.9-0.61.el3.i386.rpm

ia64:
seamonkey-1.0.9-0.61.el3.ia64.rpm
seamonkey-chat-1.0.9-0.61.el3.ia64.rpm
seamonkey-debuginfo-1.0.9-0.61.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.61.el3.ia64.rpm
seamonkey-devel-1.0.9-0.61.el3.ia64.rpm
seamonkey-dom-inspector-1.0.9-0.61.el3.ia64.rpm
seamonkey-js-debugger-1.0.9-0.61.el3.ia64.rpm
seamonkey-mail-1.0.9-0.61.el3.ia64.rpm
seamonkey-nspr-1.0.9-0.61.el3.i386.rpm
seamonkey-nspr-1.0.9-0.61.el3.ia64.rpm
seamonkey-nspr-devel-1.0.9-0.61.el3.ia64.rpm
seamonkey-nss-1.0.9-0.61.el3.i386.rpm
seamonkey-nss-1.0.9-0.61.el3.ia64.rpm
seamonkey-nss-devel-1.0.9-0.61.el3.ia64.rpm

x86_64:
seamonkey-1.0.9-0.61.el3.i386.rpm
seamonkey-1.0.9-0.61.el3.x86_64.rpm
seamonkey-chat-1.0.9-0.61.el3.x86_64.rpm
seamonkey-debuginfo-1.0.9-0.61.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.61.el3.x86_64.rpm
seamonkey-devel-1.0.9-0.61.el3.x86_64.rpm
seamonkey-dom-inspector-1.0.9-0.61.el3.x86_64.rpm
seamonkey-js-debugger-1.0.9-0.61.el3.x86_64.rpm
seamonkey-mail-1.0.9-0.61.el3.x86_64.rpm
seamonkey-nspr-1.0.9-0.61.el3.i386.rpm
seamonkey-nspr-1.0.9-0.61.el3.x86_64.rpm
seamonkey-nspr-devel-1.0.9-0.61.el3.x86_64.rpm
seamonkey-nss-1.0.9-0.61.el3.i386.rpm
seamonkey-nss-1.0.9-0.61.el3.x86_64.rpm
seamonkey-nss-devel-1.0.9-0.61.el3.x86_64.rpm

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/seamonkey-1.0.9-64.el4.src.rpm

i386:
seamonkey-1.0.9-64.el4.i386.rpm
seamonkey-chat-1.0.9-64.el4.i386.rpm
seamonkey-debuginfo-1.0.9-64.el4.i386.rpm
seamonkey-devel-1.0.9-64.el4.i386.rpm
seamonkey-dom-inspector-1.0.9-64.el4.i386.rpm
seamonkey-js-debugger-1.0.9-64.el4.i386.rpm
seamonkey-mail-1.0.9-64.el4.i386.rpm

ia64:
seamonkey-1.0.9-64.el4.ia64.rpm
seamonkey-chat-1.0.9-64.el4.ia64.rpm
seamonkey-debuginfo-1.0.9-64.el4.ia64.rpm
seamonkey-devel-1.0.9-64.el4.ia64.rpm
seamonkey-dom-inspector-1.0.9-64.el4.ia64.rpm
seamonkey-js-debugger-1.0.9-64.el4.ia64.rpm
seamonkey-mail-1.0.9-64.el4.ia64.rpm

ppc:
seamonkey-1.0.9-64.el4.ppc.rpm
seamonkey-chat-1.0.9-64.el4.ppc.rpm
seamonkey-debuginfo-1.0.9-64.el4.ppc.rpm
seamonkey-devel-1.0.9-64.el4.ppc.rpm
seamonkey-dom-inspector-1.0.9-64.el4.ppc.rpm
seamonkey-js-debugger-1.0.9-64.el4.ppc.rpm
seamonkey-mail-1.0.9-64.el4.ppc.rpm

s390:
seamonkey-1.0.9-64.el4.s390.rpm
seamonkey-chat-1.0.9-64.el4.s390.rpm
seamonkey-debuginfo-1.0.9-64.el4.s390.rpm
seamonkey-devel-1.0.9-64.el4.s390.rpm
seamonkey-dom-inspector-1.0.9-64.el4.s390.rpm
seamonkey-js-debugger-1.0.9-64.el4.s390.rpm
seamonkey-mail-1.0.9-64.el4.s390.rpm

s390x:
seamonkey-1.0.9-64.el4.s390x.rpm
seamonkey-chat-1.0.9-64.el4.s390x.rpm
seamonkey-debuginfo-1.0.9-64.el4.s390x.rpm
seamonkey-devel-1.0.9-64.el4.s390x.rpm
seamonkey-dom-inspector-1.0.9-64.el4.s390x.rpm
seamonkey-js-debugger-1.0.9-64.el4.s390x.rpm
seamonkey-mail-1.0.9-64.el4.s390x.rpm

x86_64:
seamonkey-1.0.9-64.el4.x86_64.rpm
seamonkey-chat-1.0.9-64.el4.x86_64.rpm
seamonkey-debuginfo-1.0.9-64.el4.x86_64.rpm
seamonkey-devel-1.0.9-64.el4.x86_64.rpm
seamonkey-dom-inspector-1.0.9-64.el4.x86_64.rpm
seamonkey-js-debugger-1.0.9-64.el4.x86_64.rpm
seamonkey-mail-1.0.9-64.el4.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/seamonkey-1.0.9-64.el4.src.rpm

i386:
seamonkey-1.0.9-64.el4.i386.rpm
seamonkey-chat-1.0.9-64.el4.i386.rpm
seamonkey-debuginfo-1.0.9-64.el4.i386.rpm
seamonkey-devel-1.0.9-64.el4.i386.rpm
seamonkey-dom-inspector-1.0.9-64.el4.i386.rpm
seamonkey-js-debugger-1.0.9-64.el4.i386.rpm
seamonkey-mail-1.0.9-64.el4.i386.rpm

x86_64:
seamonkey-1.0.9-64.el4.x86_64.rpm
seamonkey-chat-1.0.9-64.el4.x86_64.rpm
seamonkey-debuginfo-1.0.9-64.el4.x86_64.rpm
seamonkey-devel-1.0.9-64.el4.x86_64.rpm
seamonkey-dom-inspector-1.0.9-64.el4.x86_64.rpm
seamonkey-js-debugger-1.0.9-64.el4.x86_64.rpm
seamonkey-mail-1.0.9-64.el4.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/seamonkey-1.0.9-64.el4.src.rpm

i386:
seamonkey-1.0.9-64.el4.i386.rpm
seamonkey-chat-1.0.9-64.el4.i386.rpm
seamonkey-debuginfo-1.0.9-64.el4.i386.rpm
seamonkey-devel-1.0.9-64.el4.i386.rpm
seamonkey-dom-inspector-1.0.9-64.el4.i386.rpm
seamonkey-js-debugger-1.0.9-64.el4.i386.rpm
seamonkey-mail-1.0.9-64.el4.i386.rpm

ia64:
seamonkey-1.0.9-64.el4.ia64.rpm
seamonkey-chat-1.0.9-64.el4.ia64.rpm
seamonkey-debuginfo-1.0.9-64.el4.ia64.rpm
seamonkey-devel-1.0.9-64.el4.ia64.rpm
seamonkey-dom-inspector-1.0.9-64.el4.ia64.rpm
seamonkey-js-debugger-1.0.9-64.el4.ia64.rpm
seamonkey-mail-1.0.9-64.el4.ia64.rpm

x86_64:
seamonkey-1.0.9-64.el4.x86_64.rpm
seamonkey-chat-1.0.9-64.el4.x86_64.rpm
seamonkey-debuginfo-1.0.9-64.el4.x86_64.rpm
seamonkey-devel-1.0.9-64.el4.x86_64.rpm
seamonkey-dom-inspector-1.0.9-64.el4.x86_64.rpm
seamonkey-js-debugger-1.0.9-64.el4.x86_64.rpm
seamonkey-mail-1.0.9-64.el4.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/seamonkey-1.0.9-64.el4.src.rpm

i386:
seamonkey-1.0.9-64.el4.i386.rpm
seamonkey-chat-1.0.9-64.el4.i386.rpm
seamonkey-debuginfo-1.0.9-64.el4.i386.rpm
seamonkey-devel-1.0.9-64.el4.i386.rpm
seamonkey-dom-inspector-1.0.9-64.el4.i386.rpm
seamonkey-js-debugger-1.0.9-64.el4.i386.rpm
seamonkey-mail-1.0.9-64.el4.i386.rpm

ia64:
seamonkey-1.0.9-64.el4.ia64.rpm
seamonkey-chat-1.0.9-64.el4.ia64.rpm
seamonkey-debuginfo-1.0.9-64.el4.ia64.rpm
seamonkey-devel-1.0.9-64.el4.ia64.rpm
seamonkey-dom-inspector-1.0.9-64.el4.ia64.rpm
seamonkey-js-debugger-1.0.9-64.el4.ia64.rpm
seamonkey-mail-1.0.9-64.el4.ia64.rpm

x86_64:
seamonkey-1.0.9-64.el4.x86_64.rpm
seamonkey-chat-1.0.9-64.el4.x86_64.rpm
seamonkey-debuginfo-1.0.9-64.el4.x86_64.rpm
seamonkey-devel-1.0.9-64.el4.x86_64.rpm
seamonkey-dom-inspector-1.0.9-64.el4.x86_64.rpm
seamonkey-js-debugger-1.0.9-64.el4.x86_64.rpm
seamonkey-mail-1.0.9-64.el4.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7.
References:

https://www.redhat.com/security/data/cve/CVE-2010-3170.html
https://www.redhat.com/security/data/cve/CVE-2010-3173.html
https://www.redhat.com/security/data/cve/CVE-2010-3176.html
https://www.redhat.com/security/data/cve/CVE-2010-3177.html
https://www.redhat.com/security/data/cve/CVE-2010-3180.html
https://www.redhat.com/security/data/cve/CVE-2010-3182.html
http://www.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is <secalert at redhat.com>. More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2010 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFMvi6TXlSAg2UNWIIRAlDRAJ9G+NZULB4jSprAUH1OjfSc/kveaQCfaP00
5skjY2CSuempHTx5UM/L9sg=
=Ttmy
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Tue Oct 19 23:48:38 2010
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 19 Oct 2010 19:48:38 -0400
Subject: [RHSA-2010:0782-01] Critical: firefox security update
Message-ID: <201010192351.o9JNpMVP008735@int-mx08.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: firefox security update
Advisory ID:       RHSA-2010:0782-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2010-0782.html
Issue date:        2010-10-19
CVE Names:         CVE-2010-3170 CVE-2010-3173 CVE-2010-3175 CVE-2010-3176
                   CVE-2010-3177 CVE-2010-3178 CVE-2010-3179 CVE-2010-3180
                   CVE-2010-3182 CVE-2010-3183
=====================================================================

1. Summary:

Updated firefox packages that fix several security issues are now available
for Red Hat Enterprise Linux 4 and 5.

The Red Hat Security Response Team has rated this update as having critical
security impact.
Common Vulnerability Scoring System (CVSS) base scores, which give detailed
severity ratings, are available for each vulnerability from the CVE links in
the References section.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

3. Description:

Mozilla Firefox is an open source web browser. XULRunner provides the XUL
Runtime environment for Mozilla Firefox. Network Security Services (NSS) is
a set of libraries designed to support the development of security-enabled
client and server applications.

Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Firefox to crash or,
potentially, execute arbitrary code with the privileges of the user running
Firefox. (CVE-2010-3175, CVE-2010-3176, CVE-2010-3179, CVE-2010-3183,
CVE-2010-3180)

A flaw was found in the way the Gopher parser in Firefox converted text into
HTML. A malformed file name on a Gopher server could, when accessed by a
victim running Firefox, allow arbitrary JavaScript to be executed in the
context of the Gopher domain. (CVE-2010-3177)

A same-origin policy bypass flaw was found in Firefox. An attacker could
create a malicious web page that, when viewed by a victim, could steal
private data from a different website the victim has loaded with Firefox.
(CVE-2010-3178)

A flaw was found in the script that launches Firefox. The LD_LIBRARY_PATH
variable was appending a "." character, which could allow a local attacker
to execute arbitrary code with the privileges of a different user running
Firefox, if that user ran Firefox from within an attacker-controlled
directory. (CVE-2010-3182)

This update also provides NSS version 3.12.8 which is required by the
updated Firefox version, fixing the following security issues:

It was found that the SSL DHE (Diffie-Hellman Ephemeral) mode implementation
for key exchanges in Firefox accepted DHE keys that were 256 bits in length.
This update removes support for 256 bit DHE keys, as such keys are easily
broken using modern hardware. (CVE-2010-3173)

A flaw was found in the way NSS matched SSL certificates when the
certificates had a Common Name containing a wildcard and a partial IP
address. NSS incorrectly accepted connections to IP addresses that fell
within the SSL certificate's wildcard range as valid SSL connections,
possibly allowing an attacker to conduct a man-in-the-middle attack.
(CVE-2010-3170)

For technical details regarding these flaws, refer to the Mozilla security
advisories for Firefox 3.6.11. You can find a link to the Mozilla advisories
in the References section of this erratum.

All Firefox users should upgrade to these updated packages, which contain
Firefox version 3.6.11, which corrects these issues. After installing the
update, Firefox must be restarted for the changes to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5.
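The two NSS fixes described in this advisory come down to two policy decisions a TLS client has to make: a wildcard in a certificate name must never be matched against an IP address (CVE-2010-3170), and a DHE key exchange must refuse a group as small as 256 bits (CVE-2010-3173). The following is an added example, not Red Hat's or NSS's code; the wildcard rules beyond the IP-address one, the 1024-bit DHE floor and the sample names are this example's own assumptions.

```python
"""TLS identity and key-exchange checks behind the NSS 3.12.8 fixes.

Added example, not Red Hat's or NSS's code. It shows the two client-side
policy decisions described in RHSA-2010:0782: a wildcard in a certificate
name must never match an IP address (CVE-2010-3170), and a DHE key exchange
must refuse a group as small as 256 bits (CVE-2010-3173). The 1024-bit floor
and the other wildcard rules are this example's assumptions.
"""
import ipaddress

# 256-bit groups are what the advisory removes; the 1024-bit floor is an
# assumption of this example, not a value taken from the advisory.
MIN_DHE_PRIME_BITS = 1024


def is_ip_literal(name: str) -> bool:
    """True when the name the client connected to is an IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(name.strip("[]"))
        return True
    except ValueError:
        return False


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name (CN or dNSName) against the target host.

    Rules, the first being the CVE-2010-3170 fix:
    - an IP literal is matched only by the identical IP, never by a wildcard;
    - '*' may only be the whole left-most label of a name with >= 3 labels;
    - the wildcard covers exactly one label, so '*.example.com' matches
      'www.example.com' but not 'example.com' or 'a.b.example.com';
    - comparison ignores case and a trailing dot.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if is_ip_literal(hostname):
        # The vulnerable matcher let '*.0.0.1'-style names cover addresses
        # inside the wildcard's range; an address needs an exact match.
        return "*" not in pattern and pattern == hostname
    if "*" not in pattern:
        return pattern == hostname
    labels = pattern.split(".")
    if labels[0] != "*" or len(labels) < 3 or any("*" in lb for lb in labels[1:]):
        return False          # rejects '*', '*.com', 'f*o.example.com', 'a.*.com'
    host_labels = hostname.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def cert_matches_host(hostname: str, cert_names: list) -> bool:
    """True when any name presented by the certificate matches the target."""
    return any(wildcard_matches(name, hostname) for name in cert_names)


def dhe_group_acceptable(prime_bits: int) -> bool:
    """Reject a ServerKeyExchange whose DH prime is below the policy floor."""
    return prime_bits >= MIN_DHE_PRIME_BITS


if __name__ == "__main__":
    # Constructed sample: a certificate for *.0.0.1 must not cover 127.0.0.1.
    print(cert_matches_host("127.0.0.1", ["*.0.0.1"]))              # False
    print(cert_matches_host("www.example.com", ["*.example.com"]))  # True
    print(dhe_group_acceptable(256), dhe_group_acceptable(2048))    # False True
```

The IP-address branch is the whole of the CVE-2010-3170 fix: once the target is an address, the wildcard logic is never reached, so a name such as `*.0.0.1` can no longer cover `127.0.0.1`. The DHE check sits where the client sees the server's parameters, before it computes a shared secret.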
Bugs fixed (http://bugzilla.redhat.com/):

630047 - CVE-2010-3170 firefox/nss: Doesn't handle wildcards in Common Name properly
642272 - CVE-2010-3176 Mozilla miscellaneous memory safety hazards
642275 - CVE-2010-3175 Mozilla miscellaneous memory safety hazards
642277 - CVE-2010-3179 Mozilla buffer overflow and memory corruption using document.write
642283 - CVE-2010-3180 Mozilla use-after-free error in nsBarProp
642286 - CVE-2010-3183 Mozilla dangling pointer vulnerability in LookupGetterOrSetter
642290 - CVE-2010-3177 Mozilla XSS in gopher parser when parsing hrefs
642294 - CVE-2010-3178 Mozilla cross-site information disclosure via modal calls
642300 - CVE-2010-3182 Mozilla unsafe library loading flaw
642302 - CVE-2010-3173 Mozilla insecure Diffie-Hellman key exchange

6. Package List:

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/firefox-3.6.11-2.el4.src.rpm
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/nss-3.12.8-1.el4.src.rpm

i386:
firefox-3.6.11-2.el4.i386.rpm
firefox-debuginfo-3.6.11-2.el4.i386.rpm
nss-3.12.8-1.el4.i386.rpm
nss-debuginfo-3.12.8-1.el4.i386.rpm
nss-devel-3.12.8-1.el4.i386.rpm
nss-tools-3.12.8-1.el4.i386.rpm

ia64:
firefox-3.6.11-2.el4.ia64.rpm
firefox-debuginfo-3.6.11-2.el4.ia64.rpm
nss-3.12.8-1.el4.i386.rpm
nss-3.12.8-1.el4.ia64.rpm
nss-debuginfo-3.12.8-1.el4.i386.rpm
nss-debuginfo-3.12.8-1.el4.ia64.rpm
nss-devel-3.12.8-1.el4.ia64.rpm
nss-tools-3.12.8-1.el4.ia64.rpm

ppc:
firefox-3.6.11-2.el4.ppc.rpm
firefox-debuginfo-3.6.11-2.el4.ppc.rpm
nss-3.12.8-1.el4.ppc.rpm
nss-3.12.8-1.el4.ppc64.rpm
nss-debuginfo-3.12.8-1.el4.ppc.rpm
nss-debuginfo-3.12.8-1.el4.ppc64.rpm
nss-devel-3.12.8-1.el4.ppc.rpm
nss-tools-3.12.8-1.el4.ppc.rpm

s390:
firefox-3.6.11-2.el4.s390.rpm
firefox-debuginfo-3.6.11-2.el4.s390.rpm
nss-3.12.8-1.el4.s390.rpm
nss-debuginfo-3.12.8-1.el4.s390.rpm
nss-devel-3.12.8-1.el4.s390.rpm
nss-tools-3.12.8-1.el4.s390.rpm

s390x:
firefox-3.6.11-2.el4.s390x.rpm
firefox-debuginfo-3.6.11-2.el4.s390x.rpm
nss-3.12.8-1.el4.s390.rpm
nss-3.12.8-1.el4.s390x.rpm
nss-debuginfo-3.12.8-1.el4.s390.rpm
nss-debuginfo-3.12.8-1.el4.s390x.rpm
nss-devel-3.12.8-1.el4.s390x.rpm
nss-tools-3.12.8-1.el4.s390x.rpm

x86_64:
firefox-3.6.11-2.el4.x86_64.rpm
firefox-debuginfo-3.6.11-2.el4.x86_64.rpm
nss-3.12.8-1.el4.i386.rpm
nss-3.12.8-1.el4.x86_64.rpm
nss-debuginfo-3.12.8-1.el4.i386.rpm
nss-debuginfo-3.12.8-1.el4.x86_64.rpm
nss-devel-3.12.8-1.el4.x86_64.rpm
nss-tools-3.12.8-1.el4.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/firefox-3.6.11-2.el4.src.rpm
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/nss-3.12.8-1.el4.src.rpm

i386:
firefox-3.6.11-2.el4.i386.rpm
firefox-debuginfo-3.6.11-2.el4.i386.rpm
nss-3.12.8-1.el4.i386.rpm
nss-debuginfo-3.12.8-1.el4.i386.rpm
nss-devel-3.12.8-1.el4.i386.rpm
nss-tools-3.12.8-1.el4.i386.rpm

x86_64:
firefox-3.6.11-2.el4.x86_64.rpm
firefox-debuginfo-3.6.11-2.el4.x86_64.rpm
nss-3.12.8-1.el4.i386.rpm
nss-3.12.8-1.el4.x86_64.rpm
nss-debuginfo-3.12.8-1.el4.i386.rpm
nss-debuginfo-3.12.8-1.el4.x86_64.rpm
nss-devel-3.12.8-1.el4.x86_64.rpm
nss-tools-3.12.8-1.el4.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/firefox-3.6.11-2.el4.src.rpm
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/nss-3.12.8-1.el4.src.rpm

i386:
firefox-3.6.11-2.el4.i386.rpm
firefox-debuginfo-3.6.11-2.el4.i386.rpm
nss-3.12.8-1.el4.i386.rpm
nss-debuginfo-3.12.8-1.el4.i386.rpm
nss-devel-3.12.8-1.el4.i386.rpm
nss-tools-3.12.8-1.el4.i386.rpm

ia64:
firefox-3.6.11-2.el4.ia64.rpm
firefox-debuginfo-3.6.11-2.el4.ia64.rpm
nss-3.12.8-1.el4.i386.rpm
nss-3.12.8-1.el4.ia64.rpm
nss-debuginfo-3.12.8-1.el4.i386.rpm
nss-debuginfo-3.12.8-1.el4.ia64.rpm
nss-devel-3.12.8-1.el4.ia64.rpm
nss-tools-3.12.8-1.el4.ia64.rpm

x86_64:
firefox-3.6.11-2.el4.x86_64.rpm
firefox-debuginfo-3.6.11-2.el4.x86_64.rpm
nss-3.12.8-1.el4.i386.rpm
nss-3.12.8-1.el4.x86_64.rpm
nss-debuginfo-3.12.8-1.el4.i386.rpm
nss-debuginfo-3.12.8-1.el4.x86_64.rpm
nss-devel-3.12.8-1.el4.x86_64.rpm
nss-tools-3.12.8-1.el4.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/firefox-3.6.11-2.el4.src.rpm
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/nss-3.12.8-1.el4.src.rpm

i386:
firefox-3.6.11-2.el4.i386.rpm
firefox-debuginfo-3.6.11-2.el4.i386.rpm
nss-3.12.8-1.el4.i386.rpm
nss-debuginfo-3.12.8-1.el4.i386.rpm
nss-devel-3.12.8-1.el4.i386.rpm
nss-tools-3.12.8-1.el4.i386.rpm

ia64:
firefox-3.6.11-2.el4.ia64.rpm
firefox-debuginfo-3.6.11-2.el4.ia64.rpm
nss-3.12.8-1.el4.i386.rpm
nss-3.12.8-1.el4.ia64.rpm
nss-debuginfo-3.12.8-1.el4.i386.rpm
nss-debuginfo-3.12.8-1.el4.ia64.rpm
nss-devel-3.12.8-1.el4.ia64.rpm
nss-tools-3.12.8-1.el4.ia64.rpm

x86_64:
firefox-3.6.11-2.el4.x86_64.rpm
firefox-debuginfo-3.6.11-2.el4.x86_64.rpm
nss-3.12.8-1.el4.i386.rpm
nss-3.12.8-1.el4.x86_64.rpm
nss-debuginfo-3.12.8-1.el4.i386.rpm
nss-debuginfo-3.12.8-1.el4.x86_64.rpm
nss-devel-3.12.8-1.el4.x86_64.rpm
nss-tools-3.12.8-1.el4.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/firefox-3.6.11-2.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/nss-3.12.8-1.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/xulrunner-1.9.2.11-2.el5.src.rpm

i386:
firefox-3.6.11-2.el5.i386.rpm
firefox-debuginfo-3.6.11-2.el5.i386.rpm
nss-3.12.8-1.el5.i386.rpm
nss-debuginfo-3.12.8-1.el5.i386.rpm
nss-tools-3.12.8-1.el5.i386.rpm
xulrunner-1.9.2.11-2.el5.i386.rpm
xulrunner-debuginfo-1.9.2.11-2.el5.i386.rpm

x86_64:
firefox-3.6.11-2.el5.i386.rpm
firefox-3.6.11-2.el5.x86_64.rpm
firefox-debuginfo-3.6.11-2.el5.i386.rpm
firefox-debuginfo-3.6.11-2.el5.x86_64.rpm
nss-3.12.8-1.el5.i386.rpm
nss-3.12.8-1.el5.x86_64.rpm
nss-debuginfo-3.12.8-1.el5.i386.rpm
nss-debuginfo-3.12.8-1.el5.x86_64.rpm
nss-tools-3.12.8-1.el5.x86_64.rpm
xulrunner-1.9.2.11-2.el5.i386.rpm
xulrunner-1.9.2.11-2.el5.x86_64.rpm
xulrunner-debuginfo-1.9.2.11-2.el5.i386.rpm
xulrunner-debuginfo-1.9.2.11-2.el5.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/nss-3.12.8-1.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/xulrunner-1.9.2.11-2.el5.src.rpm

i386:
nss-debuginfo-3.12.8-1.el5.i386.rpm
nss-devel-3.12.8-1.el5.i386.rpm
nss-pkcs11-devel-3.12.8-1.el5.i386.rpm
xulrunner-debuginfo-1.9.2.11-2.el5.i386.rpm
xulrunner-devel-1.9.2.11-2.el5.i386.rpm

x86_64:
nss-debuginfo-3.12.8-1.el5.i386.rpm
nss-debuginfo-3.12.8-1.el5.x86_64.rpm
nss-devel-3.12.8-1.el5.i386.rpm
nss-devel-3.12.8-1.el5.x86_64.rpm
nss-pkcs11-devel-3.12.8-1.el5.i386.rpm
nss-pkcs11-devel-3.12.8-1.el5.x86_64.rpm
xulrunner-debuginfo-1.9.2.11-2.el5.i386.rpm
xulrunner-debuginfo-1.9.2.11-2.el5.x86_64.rpm
xulrunner-devel-1.9.2.11-2.el5.i386.rpm
xulrunner-devel-1.9.2.11-2.el5.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/firefox-3.6.11-2.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/nss-3.12.8-1.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/xulrunner-1.9.2.11-2.el5.src.rpm

i386:
firefox-3.6.11-2.el5.i386.rpm
firefox-debuginfo-3.6.11-2.el5.i386.rpm
nss-3.12.8-1.el5.i386.rpm
nss-debuginfo-3.12.8-1.el5.i386.rpm
nss-devel-3.12.8-1.el5.i386.rpm
nss-pkcs11-devel-3.12.8-1.el5.i386.rpm
nss-tools-3.12.8-1.el5.i386.rpm
xulrunner-1.9.2.11-2.el5.i386.rpm
xulrunner-debuginfo-1.9.2.11-2.el5.i386.rpm
xulrunner-devel-1.9.2.11-2.el5.i386.rpm

ia64:
firefox-3.6.11-2.el5.ia64.rpm
firefox-debuginfo-3.6.11-2.el5.ia64.rpm
nss-3.12.8-1.el5.i386.rpm
nss-3.12.8-1.el5.ia64.rpm
nss-debuginfo-3.12.8-1.el5.i386.rpm
nss-debuginfo-3.12.8-1.el5.ia64.rpm
nss-devel-3.12.8-1.el5.ia64.rpm
nss-pkcs11-devel-3.12.8-1.el5.ia64.rpm
nss-tools-3.12.8-1.el5.ia64.rpm
xulrunner-1.9.2.11-2.el5.ia64.rpm
xulrunner-debuginfo-1.9.2.11-2.el5.ia64.rpm
xulrunner-devel-1.9.2.11-2.el5.ia64.rpm

ppc:
firefox-3.6.11-2.el5.ppc.rpm
firefox-debuginfo-3.6.11-2.el5.ppc.rpm
nss-3.12.8-1.el5.ppc.rpm
nss-3.12.8-1.el5.ppc64.rpm
nss-debuginfo-3.12.8-1.el5.ppc.rpm
nss-debuginfo-3.12.8-1.el5.ppc64.rpm
nss-devel-3.12.8-1.el5.ppc.rpm
nss-devel-3.12.8-1.el5.ppc64.rpm
nss-pkcs11-devel-3.12.8-1.el5.ppc.rpm
nss-pkcs11-devel-3.12.8-1.el5.ppc64.rpm
nss-tools-3.12.8-1.el5.ppc.rpm
xulrunner-1.9.2.11-2.el5.ppc.rpm
xulrunner-1.9.2.11-2.el5.ppc64.rpm
xulrunner-debuginfo-1.9.2.11-2.el5.ppc.rpm
xulrunner-debuginfo-1.9.2.11-2.el5.ppc64.rpm
xulrunner-devel-1.9.2.11-2.el5.ppc.rpm
xulrunner-devel-1.9.2.11-2.el5.ppc64.rpm

s390x:
firefox-3.6.11-2.el5.s390.rpm
firefox-3.6.11-2.el5.s390x.rpm
firefox-debuginfo-3.6.11-2.el5.s390.rpm
firefox-debuginfo-3.6.11-2.el5.s390x.rpm
nss-3.12.8-1.el5.s390.rpm
nss-3.12.8-1.el5.s390x.rpm
nss-debuginfo-3.12.8-1.el5.s390.rpm
nss-debuginfo-3.12.8-1.el5.s390x.rpm
nss-devel-3.12.8-1.el5.s390.rpm
nss-devel-3.12.8-1.el5.s390x.rpm
nss-pkcs11-devel-3.12.8-1.el5.s390.rpm
nss-pkcs11-devel-3.12.8-1.el5.s390x.rpm
nss-tools-3.12.8-1.el5.s390x.rpm
xulrunner-1.9.2.11-2.el5.s390.rpm
xulrunner-1.9.2.11-2.el5.s390x.rpm
xulrunner-debuginfo-1.9.2.11-2.el5.s390.rpm
xulrunner-debuginfo-1.9.2.11-2.el5.s390x.rpm
xulrunner-devel-1.9.2.11-2.el5.s390.rpm
xulrunner-devel-1.9.2.11-2.el5.s390x.rpm

x86_64:
firefox-3.6.11-2.el5.i386.rpm
firefox-3.6.11-2.el5.x86_64.rpm
firefox-debuginfo-3.6.11-2.el5.i386.rpm
firefox-debuginfo-3.6.11-2.el5.x86_64.rpm
nss-3.12.8-1.el5.i386.rpm
nss-3.12.8-1.el5.x86_64.rpm
nss-debuginfo-3.12.8-1.el5.i386.rpm
nss-debuginfo-3.12.8-1.el5.x86_64.rpm
nss-devel-3.12.8-1.el5.i386.rpm
nss-devel-3.12.8-1.el5.x86_64.rpm
nss-pkcs11-devel-3.12.8-1.el5.i386.rpm
nss-pkcs11-devel-3.12.8-1.el5.x86_64.rpm
nss-tools-3.12.8-1.el5.x86_64.rpm
xulrunner-1.9.2.11-2.el5.i386.rpm
xulrunner-1.9.2.11-2.el5.x86_64.rpm
xulrunner-debuginfo-1.9.2.11-2.el5.i386.rpm
xulrunner-debuginfo-1.9.2.11-2.el5.x86_64.rpm
xulrunner-devel-1.9.2.11-2.el5.i386.rpm
xulrunner-devel-1.9.2.11-2.el5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7.
References:

https://www.redhat.com/security/data/cve/CVE-2010-3170.html
https://www.redhat.com/security/data/cve/CVE-2010-3173.html
https://www.redhat.com/security/data/cve/CVE-2010-3175.html
https://www.redhat.com/security/data/cve/CVE-2010-3176.html
https://www.redhat.com/security/data/cve/CVE-2010-3177.html
https://www.redhat.com/security/data/cve/CVE-2010-3178.html
https://www.redhat.com/security/data/cve/CVE-2010-3179.html
https://www.redhat.com/security/data/cve/CVE-2010-3180.html
https://www.redhat.com/security/data/cve/CVE-2010-3182.html
https://www.redhat.com/security/data/cve/CVE-2010-3183.html
http://www.redhat.com/security/updates/classification/#critical
http://www.mozilla.com/en-US/firefox/3.6.11/releasenotes/
http://www.mozilla.org/security/known-vulnerabilities/firefox36.html#firefox3.6.11

8. Contact:

The Red Hat security contact is <secalert at redhat.com>. More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2010 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFMvi7TXlSAg2UNWIIRAtSlAJoD2ZytU/zUW3G+C5TtyNyouCiOXQCdHhNe
IvFupYr7788ORIbfMayaNdQ=
=FVkd
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Wed Oct 20 16:48:34 2010
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 20 Oct 2010 12:48:34 -0400
Subject: [RHSA-2010:0785-01] Moderate: quagga security update
Message-ID: <201010201648.o9KGmKvL010314@int-mx10.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: quagga security update
Advisory ID:       RHSA-2010:0785-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2010-0785.html
Issue date:        2010-10-20
CVE Names:         CVE-2007-4826 CVE-2010-2948
=====================================================================

1.
Summary:

Updated quagga packages that fix multiple security issues are now available
for Red Hat Enterprise Linux 4 and 5.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

3. Description:

Quagga is a TCP/IP based routing software suite. The Quagga bgpd daemon
implements the BGP (Border Gateway Protocol) routing protocol.

A stack-based buffer overflow flaw was found in the way the Quagga bgpd
daemon processed certain BGP Route Refresh (RR) messages. A configured BGP
peer could send a specially-crafted BGP message, causing bgpd on a target
system to crash or, possibly, execute arbitrary code with the privileges of
the user running bgpd. (CVE-2010-2948)

Note: On Red Hat Enterprise Linux 5 it is not possible to exploit
CVE-2010-2948 to run arbitrary code as the overflow is blocked by
FORTIFY_SOURCE.

Multiple NULL pointer dereference flaws were found in the way the Quagga
bgpd daemon processed certain specially-crafted BGP messages. A configured
BGP peer could crash bgpd on a target system via specially-crafted BGP
messages. (CVE-2007-4826)

Users of quagga should upgrade to these updated packages, which contain
backported patches to correct these issues. After installing the updated
packages, the bgpd daemon must be restarted for the update to take effect.

4.
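A stack-based overflow of the kind this quagga advisory describes is a missing length check before data from the peer is copied into a fixed-size buffer; FORTIFY_SOURCE catches the oversized copy at run time, which is why the advisory limits the impact on Red Hat Enterprise Linux 5 to a crash. The parser below is an added example, not Quagga's code: it makes every check before it touches the data, in Python rather than C, using the ROUTE-REFRESH layout of RFC 2918 and the optional ORF entries of RFC 5291. The entry capacity and the sample messages are constructed for this illustration.

```python
"""Bounds-checked parsing of a BGP ROUTE-REFRESH message.

Added example, not Quagga's code. A stack-based overflow of the kind in
RHSA-2010:0785 is a missing length check before peer data is copied into a
fixed-size buffer; FORTIFY_SOURCE catches such a copy at run time, which is
why the advisory limits the impact on Red Hat Enterprise Linux 5 to a crash.
This parser makes every check before it touches the data. Wire layout is
RFC 4271 (header), RFC 2918 (ROUTE-REFRESH) and RFC 5291 (optional ORF
entries); the entry capacity and the sample messages are constructed here.
"""
import struct

BGP_HEADER_LEN = 19          # 16-byte marker, 2-byte length, 1-byte type
BGP_MAX_MSG_LEN = 4096       # RFC 4271 maximum message size
BGP_TYPE_ROUTE_REFRESH = 5
MARKER = b"\xff" * 16
MAX_ORF_ENTRIES = 8          # stands in for the fixed array a C parser would use


class BgpParseError(ValueError):
    """Any validation failure; a real speaker answers with a NOTIFICATION."""


def parse_header(msg: bytes) -> tuple:
    """Return (length, type) after validating the marker and length field."""
    if len(msg) < BGP_HEADER_LEN:
        raise BgpParseError("short header")
    marker, length, msg_type = struct.unpack("!16sHB", msg[:BGP_HEADER_LEN])
    if marker != MARKER:
        raise BgpParseError("bad marker")
    if length < BGP_HEADER_LEN or length > BGP_MAX_MSG_LEN:
        raise BgpParseError("length field %d out of range" % length)
    if length != len(msg):
        # The declared length is peer-controlled; never read past what arrived.
        raise BgpParseError("length field %d != %d bytes received" % (length, len(msg)))
    return length, msg_type


def parse_route_refresh(msg: bytes) -> dict:
    """Parse a ROUTE-REFRESH into its AFI, SAFI and ORF entries."""
    _length, msg_type = parse_header(msg)
    if msg_type != BGP_TYPE_ROUTE_REFRESH:
        raise BgpParseError("not a ROUTE-REFRESH")
    body = msg[BGP_HEADER_LEN:]
    if len(body) < 4:
        raise BgpParseError("ROUTE-REFRESH body shorter than 4 bytes")
    afi, _reserved, safi = struct.unpack("!HBB", body[:4])
    result = {"afi": afi, "safi": safi, "orf": []}
    if len(body) == 4:
        return result                      # plain RFC 2918 message
    # RFC 5291: when-to-refresh (1 byte), then repeated (type 1, length 2, data)
    if body[4] not in (1, 2):              # 1 = IMMEDIATE, 2 = DEFER
        raise BgpParseError("bad when-to-refresh value %d" % body[4])
    pos = 5
    while pos < len(body):
        if len(body) - pos < 3:
            raise BgpParseError("truncated ORF entry header")
        orf_type, orf_len = struct.unpack("!BH", body[pos:pos + 3])
        pos += 3
        if orf_len > len(body) - pos:
            # The check that must precede any memcpy() into a local buffer.
            raise BgpParseError("ORF length %d exceeds %d remaining bytes"
                                % (orf_len, len(body) - pos))
        if len(result["orf"]) >= MAX_ORF_ENTRIES:
            raise BgpParseError("more than %d ORF entries" % MAX_ORF_ENTRIES)
        result["orf"].append((orf_type, body[pos:pos + orf_len]))
        pos += orf_len
    return result


def build_route_refresh(afi: int, safi: int, orf_body: bytes = b"") -> bytes:
    """Assemble a ROUTE-REFRESH message; used only to build the samples."""
    body = struct.pack("!HBB", afi, 0, safi) + orf_body
    header = MARKER + struct.pack("!HB", BGP_HEADER_LEN + len(body), BGP_TYPE_ROUTE_REFRESH)
    return header + body


def is_rejected(msg: bytes) -> bool:
    """True when the parser refuses the message."""
    try:
        parse_route_refresh(msg)
    except BgpParseError:
        return True
    return False


# Constructed samples: AFI 1 (IPv4), SAFI 1 (unicast); ORF type 64 is the
# Address Prefix ORF of RFC 5292, carried here with three bytes of filler.
SAMPLE_PLAIN = build_route_refresh(1, 1)
SAMPLE_ORF = build_route_refresh(1, 1, b"\x01" + struct.pack("!BH", 64, 3) + b"abc")
# Declares 500 bytes of ORF data but carries 3: the shape of input the length
# check above must stop before anything is copied.
SAMPLE_OVERSIZED = build_route_refresh(1, 1, b"\x01" + struct.pack("!BH", 64, 500) + b"abc")

if __name__ == "__main__":
    print(parse_route_refresh(SAMPLE_ORF))
    print(is_rejected(SAMPLE_OVERSIZED), is_rejected(SAMPLE_PLAIN[:-1]))  # True True
```

Two checks carry the weight: the header's length field is compared with the byte count actually received, and each ORF entry's declared length is compared with what remains of the body before the entry is taken. A C implementation that does both before its `memcpy()` never reaches the condition FORTIFY_SOURCE has to abort on.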
Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

285691 - CVE-2007-4826 quagga bgpd DoS
626783 - CVE-2010-2948 Quagga (bgpd): Stack buffer overflow by processing certain Route-Refresh messages

6. Package List:

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/quagga-0.98.3-4.el4_8.1.src.rpm

i386:
quagga-0.98.3-4.el4_8.1.i386.rpm
quagga-contrib-0.98.3-4.el4_8.1.i386.rpm
quagga-debuginfo-0.98.3-4.el4_8.1.i386.rpm
quagga-devel-0.98.3-4.el4_8.1.i386.rpm

ia64:
quagga-0.98.3-4.el4_8.1.ia64.rpm
quagga-contrib-0.98.3-4.el4_8.1.ia64.rpm
quagga-debuginfo-0.98.3-4.el4_8.1.ia64.rpm
quagga-devel-0.98.3-4.el4_8.1.ia64.rpm

ppc:
quagga-0.98.3-4.el4_8.1.ppc.rpm
quagga-contrib-0.98.3-4.el4_8.1.ppc.rpm
quagga-debuginfo-0.98.3-4.el4_8.1.ppc.rpm
quagga-devel-0.98.3-4.el4_8.1.ppc.rpm

s390:
quagga-0.98.3-4.el4_8.1.s390.rpm
quagga-contrib-0.98.3-4.el4_8.1.s390.rpm
quagga-debuginfo-0.98.3-4.el4_8.1.s390.rpm
quagga-devel-0.98.3-4.el4_8.1.s390.rpm

s390x:
quagga-0.98.3-4.el4_8.1.s390x.rpm
quagga-contrib-0.98.3-4.el4_8.1.s390x.rpm
quagga-debuginfo-0.98.3-4.el4_8.1.s390x.rpm
quagga-devel-0.98.3-4.el4_8.1.s390x.rpm

x86_64:
quagga-0.98.3-4.el4_8.1.x86_64.rpm
quagga-contrib-0.98.3-4.el4_8.1.x86_64.rpm
quagga-debuginfo-0.98.3-4.el4_8.1.x86_64.rpm
quagga-devel-0.98.3-4.el4_8.1.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/quagga-0.98.3-4.el4_8.1.src.rpm

i386:
quagga-0.98.3-4.el4_8.1.i386.rpm
quagga-contrib-0.98.3-4.el4_8.1.i386.rpm
quagga-debuginfo-0.98.3-4.el4_8.1.i386.rpm
quagga-devel-0.98.3-4.el4_8.1.i386.rpm

x86_64:
quagga-0.98.3-4.el4_8.1.x86_64.rpm
quagga-contrib-0.98.3-4.el4_8.1.x86_64.rpm
quagga-debuginfo-0.98.3-4.el4_8.1.x86_64.rpm
quagga-devel-0.98.3-4.el4_8.1.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/quagga-0.98.3-4.el4_8.1.src.rpm

i386:
quagga-0.98.3-4.el4_8.1.i386.rpm
quagga-contrib-0.98.3-4.el4_8.1.i386.rpm
quagga-debuginfo-0.98.3-4.el4_8.1.i386.rpm
quagga-devel-0.98.3-4.el4_8.1.i386.rpm

ia64:
quagga-0.98.3-4.el4_8.1.ia64.rpm
quagga-contrib-0.98.3-4.el4_8.1.ia64.rpm
quagga-debuginfo-0.98.3-4.el4_8.1.ia64.rpm
quagga-devel-0.98.3-4.el4_8.1.ia64.rpm

x86_64:
quagga-0.98.3-4.el4_8.1.x86_64.rpm
quagga-contrib-0.98.3-4.el4_8.1.x86_64.rpm
quagga-debuginfo-0.98.3-4.el4_8.1.x86_64.rpm
quagga-devel-0.98.3-4.el4_8.1.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/quagga-0.98.3-4.el4_8.1.src.rpm

i386:
quagga-0.98.3-4.el4_8.1.i386.rpm
quagga-contrib-0.98.3-4.el4_8.1.i386.rpm
quagga-debuginfo-0.98.3-4.el4_8.1.i386.rpm
quagga-devel-0.98.3-4.el4_8.1.i386.rpm

ia64:
quagga-0.98.3-4.el4_8.1.ia64.rpm
quagga-contrib-0.98.3-4.el4_8.1.ia64.rpm
quagga-debuginfo-0.98.3-4.el4_8.1.ia64.rpm
quagga-devel-0.98.3-4.el4_8.1.ia64.rpm

x86_64:
quagga-0.98.3-4.el4_8.1.x86_64.rpm
quagga-contrib-0.98.3-4.el4_8.1.x86_64.rpm
quagga-debuginfo-0.98.3-4.el4_8.1.x86_64.rpm
quagga-devel-0.98.3-4.el4_8.1.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/quagga-0.98.6-5.el5_5.2.src.rpm

i386:
quagga-contrib-0.98.6-5.el5_5.2.i386.rpm
quagga-debuginfo-0.98.6-5.el5_5.2.i386.rpm

x86_64:
quagga-contrib-0.98.6-5.el5_5.2.x86_64.rpm
quagga-debuginfo-0.98.6-5.el5_5.2.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/quagga-0.98.6-5.el5_5.2.src.rpm

i386:
quagga-0.98.6-5.el5_5.2.i386.rpm
quagga-debuginfo-0.98.6-5.el5_5.2.i386.rpm
quagga-devel-0.98.6-5.el5_5.2.i386.rpm

x86_64:
quagga-0.98.6-5.el5_5.2.x86_64.rpm
quagga-debuginfo-0.98.6-5.el5_5.2.i386.rpm
quagga-debuginfo-0.98.6-5.el5_5.2.x86_64.rpm
quagga-devel-0.98.6-5.el5_5.2.i386.rpm
quagga-devel-0.98.6-5.el5_5.2.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/quagga-0.98.6-5.el5_5.2.src.rpm

i386:
quagga-0.98.6-5.el5_5.2.i386.rpm
quagga-contrib-0.98.6-5.el5_5.2.i386.rpm
quagga-debuginfo-0.98.6-5.el5_5.2.i386.rpm
quagga-devel-0.98.6-5.el5_5.2.i386.rpm

ia64:
quagga-0.98.6-5.el5_5.2.ia64.rpm
quagga-contrib-0.98.6-5.el5_5.2.ia64.rpm
quagga-debuginfo-0.98.6-5.el5_5.2.ia64.rpm
quagga-devel-0.98.6-5.el5_5.2.ia64.rpm

ppc:
quagga-0.98.6-5.el5_5.2.ppc.rpm
quagga-contrib-0.98.6-5.el5_5.2.ppc.rpm
quagga-debuginfo-0.98.6-5.el5_5.2.ppc.rpm
quagga-debuginfo-0.98.6-5.el5_5.2.ppc64.rpm
quagga-devel-0.98.6-5.el5_5.2.ppc.rpm
quagga-devel-0.98.6-5.el5_5.2.ppc64.rpm

s390x:
quagga-0.98.6-5.el5_5.2.s390x.rpm
quagga-contrib-0.98.6-5.el5_5.2.s390x.rpm
quagga-debuginfo-0.98.6-5.el5_5.2.s390.rpm
quagga-debuginfo-0.98.6-5.el5_5.2.s390x.rpm
quagga-devel-0.98.6-5.el5_5.2.s390.rpm
quagga-devel-0.98.6-5.el5_5.2.s390x.rpm

x86_64:
quagga-0.98.6-5.el5_5.2.x86_64.rpm
quagga-contrib-0.98.6-5.el5_5.2.x86_64.rpm
quagga-debuginfo-0.98.6-5.el5_5.2.i386.rpm
quagga-debuginfo-0.98.6-5.el5_5.2.x86_64.rpm
quagga-devel-0.98.6-5.el5_5.2.i386.rpm
quagga-devel-0.98.6-5.el5_5.2.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7.
References:

https://www.redhat.com/security/data/cve/CVE-2007-4826.html
https://www.redhat.com/security/data/cve/CVE-2010-2948.html
http://www.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert at redhat.com>. More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2010 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFMvx0KXlSAg2UNWIIRAmThAJ9x92ZF8VdDKuRYUiICI5GaRYHAUwCfVmTd
Ftd0LpjCLlfwB8EDvgtS8pY=
=IT6N
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Wed Oct 20 17:29:39 2010
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 20 Oct 2010 13:29:39 -0400
Subject: [RHSA-2010:0786-01] Critical: java-1.4.2-ibm security update
Message-ID: <201010201729.o9KHTQGc000475@int-mx02.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: java-1.4.2-ibm security update
Advisory ID:       RHSA-2010:0786-01
Product:           Red Hat Enterprise Linux Extras
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2010-0786.html
Issue date:        2010-10-20
CVE Names:         CVE-2009-3555 CVE-2010-3541 CVE-2010-3548 CVE-2010-3549
                   CVE-2010-3551 CVE-2010-3553 CVE-2010-3556 CVE-2010-3557
                   CVE-2010-3562 CVE-2010-3565 CVE-2010-3568 CVE-2010-3569
                   CVE-2010-3571 CVE-2010-3572
=====================================================================

1. Summary:

Updated java-1.4.2-ibm packages that fix several security issues are now
available for Red Hat Enterprise Linux 3 Extras, Red Hat Enterprise Linux 4
Extras, and Red Hat Enterprise Linux 5 Supplementary.

The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

2.
Relevant releases/architectures: RHEL Desktop Supplementary (v. 5 client) - i386, x86_64 RHEL Supplementary (v. 5 server) - i386, ia64, ppc, s390x, x86_64 Red Hat Desktop version 3 Extras - i386, x86_64 Red Hat Desktop version 4 Extras - i386, x86_64 Red Hat Enterprise Linux AS version 3 Extras - i386, ia64, ppc, s390, s390x, x86_64 Red Hat Enterprise Linux AS version 4 Extras - i386, ia64, ppc, s390, s390x, x86_64 Red Hat Enterprise Linux ES version 3 Extras - i386, ia64, x86_64 Red Hat Enterprise Linux ES version 4 Extras - i386, ia64, x86_64 Red Hat Enterprise Linux WS version 3 Extras - i386, ia64, x86_64 Red Hat Enterprise Linux WS version 4 Extras - i386, ia64, x86_64 3. Description: The IBM 1.4.2 SR13-FP6 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. This update fixes several vulnerabilities in the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. These vulnerabilities are summarized on the IBM "Security alerts" page listed in the References section. (CVE-2010-3541, CVE-2010-3548, CVE-2010-3549, CVE-2010-3551, CVE-2010-3553, CVE-2010-3556, CVE-2010-3557, CVE-2010-3562, CVE-2010-3565, CVE-2010-3568, CVE-2010-3569, CVE-2010-3571, CVE-2010-3572) The RHSA-2010:0155 update mitigated a man-in-the-middle attack in the way the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocols handle session renegotiation by disabling renegotiation. This update implements the TLS Renegotiation Indication Extension as defined in RFC 5746, allowing secure renegotiation between updated clients and servers. (CVE-2009-3555) All users of java-1.4.2-ibm are advised to upgrade to these updated packages, which contain the IBM 1.4.2 SR13-FP6 Java release. All running instances of IBM Java must be restarted for this update to take effect. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. 
This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

533125 - CVE-2009-3555 TLS: MITM attacks via session renegotiation
639876 - CVE-2010-3568 OpenJDK Deserialization Race condition (6559775)
639897 - CVE-2010-3562 OpenJDK IndexColorModel double-free (6925710)
639904 - CVE-2010-3557 OpenJDK Swing mutable static (6938813)
639909 - CVE-2010-3548 OpenJDK DNS server IP address information leak (6957564)
639920 - CVE-2010-3565 OpenJDK JPEG writeImage remote code execution (6963023)
639925 - CVE-2010-3569 OpenJDK Serialization inconsistencies (6966692)
642167 - CVE-2010-3553 OpenJDK Swing unsafe reflection usage (6622002)
642180 - CVE-2010-3549 OpenJDK HttpURLConnection request splitting (6952017)
642187 - CVE-2010-3551 OpenJDK local network address disclosure (6952603)
642202 - CVE-2010-3541 CVE-2010-3573 OpenJDK HttpURLConnection allows arbitrary request headers (6961084,6980004)
642576 - CVE-2010-3556 JDK unspecified vulnerability in 2D component
642585 - CVE-2010-3571 JDK unspecified vulnerability in 2D component
642611 - CVE-2010-3572 JDK unspecified vulnerability in Sound component

6. Package List:

Red Hat Enterprise Linux AS version 3 Extras:

i386:
java-1.4.2-ibm-1.4.2.13.6-1jpp.3.el3.i386.rpm
java-1.4.2-ibm-demo-1.4.2.13.6-1jpp.3.el3.i386.rpm
java-1.4.2-ibm-devel-1.4.2.13.6-1jpp.3.el3.i386.rpm
java-1.4.2-ibm-jdbc-1.4.2.13.6-1jpp.3.el3.i386.rpm
java-1.4.2-ibm-plugin-1.4.2.13.6-1jpp.3.el3.i386.rpm
java-1.4.2-ibm-src-1.4.2.13.6-1jpp.3.el3.i386.rpm

ia64:
java-1.4.2-ibm-1.4.2.13.6-1jpp.3.el3.ia64.rpm
java-1.4.2-ibm-demo-1.4.2.13.6-1jpp.3.el3.ia64.rpm
java-1.4.2-ibm-devel-1.4.2.13.6-1jpp.3.el3.ia64.rpm
java-1.4.2-ibm-src-1.4.2.13.6-1jpp.3.el3.ia64.rpm

ppc:
java-1.4.2-ibm-1.4.2.13.6-1jpp.3.el3.ppc.rpm
java-1.4.2-ibm-demo-1.4.2.13.6-1jpp.3.el3.ppc.rpm
java-1.4.2-ibm-devel-1.4.2.13.6-1jpp.3.el3.ppc.rpm
java-1.4.2-ibm-jdbc-1.4.2.13.6-1jpp.3.el3.ppc.rpm
java-1.4.2-ibm-src-1.4.2.13.6-1jpp.3.el3.ppc.rpm

s390:
java-1.4.2-ibm-1.4.2.13.6-1jpp.3.el3.s390.rpm
java-1.4.2-ibm-demo-1.4.2.13.6-1jpp.3.el3.s390.rpm
java-1.4.2-ibm-devel-1.4.2.13.6-1jpp.3.el3.s390.rpm
java-1.4.2-ibm-jdbc-1.4.2.13.6-1jpp.3.el3.s390.rpm
java-1.4.2-ibm-src-1.4.2.13.6-1jpp.3.el3.s390.rpm

s390x:
java-1.4.2-ibm-1.4.2.13.6-1jpp.3.el3.s390x.rpm
java-1.4.2-ibm-demo-1.4.2.13.6-1jpp.3.el3.s390x.rpm
java-1.4.2-ibm-devel-1.4.2.13.6-1jpp.3.el3.s390x.rpm
java-1.4.2-ibm-src-1.4.2.13.6-1jpp.3.el3.s390x.rpm

x86_64:
java-1.4.2-ibm-1.4.2.13.6-1jpp.3.el3.x86_64.rpm
java-1.4.2-ibm-demo-1.4.2.13.6-1jpp.3.el3.x86_64.rpm
java-1.4.2-ibm-devel-1.4.2.13.6-1jpp.3.el3.x86_64.rpm
java-1.4.2-ibm-src-1.4.2.13.6-1jpp.3.el3.x86_64.rpm

Red Hat Desktop version 3 Extras:

i386:
java-1.4.2-ibm-1.4.2.13.6-1jpp.3.el3.i386.rpm
java-1.4.2-ibm-demo-1.4.2.13.6-1jpp.3.el3.i386.rpm
java-1.4.2-ibm-devel-1.4.2.13.6-1jpp.3.el3.i386.rpm
java-1.4.2-ibm-jdbc-1.4.2.13.6-1jpp.3.el3.i386.rpm
java-1.4.2-ibm-plugin-1.4.2.13.6-1jpp.3.el3.i386.rpm
java-1.4.2-ibm-src-1.4.2.13.6-1jpp.3.el3.i386.rpm

x86_64:
java-1.4.2-ibm-1.4.2.13.6-1jpp.3.el3.x86_64.rpm
java-1.4.2-ibm-demo-1.4.2.13.6-1jpp.3.el3.x86_64.rpm
java-1.4.2-ibm-devel-1.4.2.13.6-1jpp.3.el3.x86_64.rpm
java-1.4.2-ibm-src-1.4.2.13.6-1jpp.3.el3.x86_64.rpm

Red Hat Enterprise Linux ES version 3 Extras:

i386:
java-1.4.2-ibm-1.4.2.13.6-1jpp.3.el3.i386.rpm
java-1.4.2-ibm-demo-1.4.2.13.6-1jpp.3.el3.i386.rpm
java-1.4.2-ibm-devel-1.4.2.13.6-1jpp.3.el3.i386.rpm
java-1.4.2-ibm-jdbc-1.4.2.13.6-1jpp.3.el3.i386.rpm
java-1.4.2-ibm-plugin-1.4.2.13.6-1jpp.3.el3.i386.rpm
java-1.4.2-ibm-src-1.4.2.13.6-1jpp.3.el3.i386.rpm

ia64:
java-1.4.2-ibm-1.4.2.13.6-1jpp.3.el3.ia64.rpm
java-1.4.2-ibm-demo-1.4.2.13.6-1jpp.3.el3.ia64.rpm
java-1.4.2-ibm-devel-1.4.2.13.6-1jpp.3.el3.ia64.rpm
java-1.4.2-ibm-src-1.4.2.13.6-1jpp.3.el3.ia64.rpm

x86_64:
java-1.4.2-ibm-1.4.2.13.6-1jpp.3.el3.x86_64.rpm
java-1.4.2-ibm-demo-1.4.2.13.6-1jpp.3.el3.x86_64.rpm
java-1.4.2-ibm-devel-1.4.2.13.6-1jpp.3.el3.x86_64.rpm
java-1.4.2-ibm-src-1.4.2.13.6-1jpp.3.el3.x86_64.rpm

Red Hat Enterprise Linux WS version 3 Extras:

i386:
java-1.4.2-ibm-1.4.2.13.6-1jpp.3.el3.i386.rpm
java-1.4.2-ibm-demo-1.4.2.13.6-1jpp.3.el3.i386.rpm
java-1.4.2-ibm-devel-1.4.2.13.6-1jpp.3.el3.i386.rpm
java-1.4.2-ibm-jdbc-1.4.2.13.6-1jpp.3.el3.i386.rpm
java-1.4.2-ibm-plugin-1.4.2.13.6-1jpp.3.el3.i386.rpm
java-1.4.2-ibm-src-1.4.2.13.6-1jpp.3.el3.i386.rpm

ia64:
java-1.4.2-ibm-1.4.2.13.6-1jpp.3.el3.ia64.rpm
java-1.4.2-ibm-demo-1.4.2.13.6-1jpp.3.el3.ia64.rpm
java-1.4.2-ibm-devel-1.4.2.13.6-1jpp.3.el3.ia64.rpm
java-1.4.2-ibm-src-1.4.2.13.6-1jpp.3.el3.ia64.rpm

x86_64:
java-1.4.2-ibm-1.4.2.13.6-1jpp.3.el3.x86_64.rpm
java-1.4.2-ibm-demo-1.4.2.13.6-1jpp.3.el3.x86_64.rpm
java-1.4.2-ibm-devel-1.4.2.13.6-1jpp.3.el3.x86_64.rpm
java-1.4.2-ibm-src-1.4.2.13.6-1jpp.3.el3.x86_64.rpm

Red Hat Enterprise Linux AS version 4 Extras:

i386:
java-1.4.2-ibm-1.4.2.13.6-1jpp.2.el4.i386.rpm
java-1.4.2-ibm-demo-1.4.2.13.6-1jpp.2.el4.i386.rpm
java-1.4.2-ibm-devel-1.4.2.13.6-1jpp.2.el4.i386.rpm
java-1.4.2-ibm-javacomm-1.4.2.13.6-1jpp.2.el4.i386.rpm
java-1.4.2-ibm-jdbc-1.4.2.13.6-1jpp.2.el4.i386.rpm
java-1.4.2-ibm-plugin-1.4.2.13.6-1jpp.2.el4.i386.rpm
java-1.4.2-ibm-src-1.4.2.13.6-1jpp.2.el4.i386.rpm

ia64:
java-1.4.2-ibm-1.4.2.13.6-1jpp.2.el4.ia64.rpm
java-1.4.2-ibm-demo-1.4.2.13.6-1jpp.2.el4.ia64.rpm
java-1.4.2-ibm-devel-1.4.2.13.6-1jpp.2.el4.ia64.rpm
java-1.4.2-ibm-src-1.4.2.13.6-1jpp.2.el4.ia64.rpm

ppc:
java-1.4.2-ibm-1.4.2.13.6-1jpp.2.el4.ppc.rpm
java-1.4.2-ibm-1.4.2.13.6-1jpp.2.el4.ppc64.rpm
java-1.4.2-ibm-demo-1.4.2.13.6-1jpp.2.el4.ppc.rpm
java-1.4.2-ibm-demo-1.4.2.13.6-1jpp.2.el4.ppc64.rpm
java-1.4.2-ibm-devel-1.4.2.13.6-1jpp.2.el4.ppc.rpm
java-1.4.2-ibm-devel-1.4.2.13.6-1jpp.2.el4.ppc64.rpm
java-1.4.2-ibm-javacomm-1.4.2.13.6-1jpp.2.el4.ppc.rpm
java-1.4.2-ibm-javacomm-1.4.2.13.6-1jpp.2.el4.ppc64.rpm
java-1.4.2-ibm-jdbc-1.4.2.13.6-1jpp.2.el4.ppc.rpm
java-1.4.2-ibm-src-1.4.2.13.6-1jpp.2.el4.ppc.rpm
java-1.4.2-ibm-src-1.4.2.13.6-1jpp.2.el4.ppc64.rpm

s390:
java-1.4.2-ibm-1.4.2.13.6-1jpp.2.el4.s390.rpm
java-1.4.2-ibm-demo-1.4.2.13.6-1jpp.2.el4.s390.rpm
java-1.4.2-ibm-devel-1.4.2.13.6-1jpp.2.el4.s390.rpm
java-1.4.2-ibm-jdbc-1.4.2.13.6-1jpp.2.el4.s390.rpm
java-1.4.2-ibm-src-1.4.2.13.6-1jpp.2.el4.s390.rpm

s390x:
java-1.4.2-ibm-1.4.2.13.6-1jpp.2.el4.s390x.rpm
java-1.4.2-ibm-demo-1.4.2.13.6-1jpp.2.el4.s390x.rpm
java-1.4.2-ibm-devel-1.4.2.13.6-1jpp.2.el4.s390x.rpm
java-1.4.2-ibm-src-1.4.2.13.6-1jpp.2.el4.s390x.rpm

x86_64:
java-1.4.2-ibm-1.4.2.13.6-1jpp.2.el4.x86_64.rpm
java-1.4.2-ibm-demo-1.4.2.13.6-1jpp.2.el4.x86_64.rpm
java-1.4.2-ibm-devel-1.4.2.13.6-1jpp.2.el4.x86_64.rpm
java-1.4.2-ibm-javacomm-1.4.2.13.6-1jpp.2.el4.x86_64.rpm
java-1.4.2-ibm-src-1.4.2.13.6-1jpp.2.el4.x86_64.rpm

Red Hat Desktop version 4 Extras:

i386:
java-1.4.2-ibm-1.4.2.13.6-1jpp.2.el4.i386.rpm
java-1.4.2-ibm-demo-1.4.2.13.6-1jpp.2.el4.i386.rpm
java-1.4.2-ibm-devel-1.4.2.13.6-1jpp.2.el4.i386.rpm
java-1.4.2-ibm-javacomm-1.4.2.13.6-1jpp.2.el4.i386.rpm
java-1.4.2-ibm-jdbc-1.4.2.13.6-1jpp.2.el4.i386.rpm
java-1.4.2-ibm-plugin-1.4.2.13.6-1jpp.2.el4.i386.rpm
java-1.4.2-ibm-src-1.4.2.13.6-1jpp.2.el4.i386.rpm

x86_64:
java-1.4.2-ibm-1.4.2.13.6-1jpp.2.el4.x86_64.rpm
java-1.4.2-ibm-demo-1.4.2.13.6-1jpp.2.el4.x86_64.rpm
java-1.4.2-ibm-devel-1.4.2.13.6-1jpp.2.el4.x86_64.rpm
java-1.4.2-ibm-javacomm-1.4.2.13.6-1jpp.2.el4.x86_64.rpm
java-1.4.2-ibm-src-1.4.2.13.6-1jpp.2.el4.x86_64.rpm

Red Hat Enterprise Linux ES version 4 Extras:

i386:
java-1.4.2-ibm-1.4.2.13.6-1jpp.2.el4.i386.rpm
java-1.4.2-ibm-demo-1.4.2.13.6-1jpp.2.el4.i386.rpm
java-1.4.2-ibm-devel-1.4.2.13.6-1jpp.2.el4.i386.rpm
java-1.4.2-ibm-javacomm-1.4.2.13.6-1jpp.2.el4.i386.rpm
java-1.4.2-ibm-jdbc-1.4.2.13.6-1jpp.2.el4.i386.rpm
java-1.4.2-ibm-plugin-1.4.2.13.6-1jpp.2.el4.i386.rpm
java-1.4.2-ibm-src-1.4.2.13.6-1jpp.2.el4.i386.rpm

ia64:
java-1.4.2-ibm-1.4.2.13.6-1jpp.2.el4.ia64.rpm
java-1.4.2-ibm-demo-1.4.2.13.6-1jpp.2.el4.ia64.rpm
java-1.4.2-ibm-devel-1.4.2.13.6-1jpp.2.el4.ia64.rpm
java-1.4.2-ibm-src-1.4.2.13.6-1jpp.2.el4.ia64.rpm

x86_64:
java-1.4.2-ibm-1.4.2.13.6-1jpp.2.el4.x86_64.rpm
java-1.4.2-ibm-demo-1.4.2.13.6-1jpp.2.el4.x86_64.rpm
java-1.4.2-ibm-devel-1.4.2.13.6-1jpp.2.el4.x86_64.rpm
java-1.4.2-ibm-javacomm-1.4.2.13.6-1jpp.2.el4.x86_64.rpm
java-1.4.2-ibm-src-1.4.2.13.6-1jpp.2.el4.x86_64.rpm

Red Hat Enterprise Linux WS version 4 Extras:

i386:
java-1.4.2-ibm-1.4.2.13.6-1jpp.2.el4.i386.rpm
java-1.4.2-ibm-demo-1.4.2.13.6-1jpp.2.el4.i386.rpm
java-1.4.2-ibm-devel-1.4.2.13.6-1jpp.2.el4.i386.rpm
java-1.4.2-ibm-javacomm-1.4.2.13.6-1jpp.2.el4.i386.rpm
java-1.4.2-ibm-jdbc-1.4.2.13.6-1jpp.2.el4.i386.rpm
java-1.4.2-ibm-plugin-1.4.2.13.6-1jpp.2.el4.i386.rpm
java-1.4.2-ibm-src-1.4.2.13.6-1jpp.2.el4.i386.rpm

ia64:
java-1.4.2-ibm-1.4.2.13.6-1jpp.2.el4.ia64.rpm
java-1.4.2-ibm-demo-1.4.2.13.6-1jpp.2.el4.ia64.rpm
java-1.4.2-ibm-devel-1.4.2.13.6-1jpp.2.el4.ia64.rpm
java-1.4.2-ibm-src-1.4.2.13.6-1jpp.2.el4.ia64.rpm

x86_64:
java-1.4.2-ibm-1.4.2.13.6-1jpp.2.el4.x86_64.rpm
java-1.4.2-ibm-demo-1.4.2.13.6-1jpp.2.el4.x86_64.rpm
java-1.4.2-ibm-devel-1.4.2.13.6-1jpp.2.el4.x86_64.rpm
java-1.4.2-ibm-javacomm-1.4.2.13.6-1jpp.2.el4.x86_64.rpm
java-1.4.2-ibm-src-1.4.2.13.6-1jpp.2.el4.x86_64.rpm

RHEL Desktop Supplementary (v. 5 client):

i386:
java-1.4.2-ibm-1.4.2.13.6-1jpp.2.el5.i386.rpm
java-1.4.2-ibm-demo-1.4.2.13.6-1jpp.2.el5.i386.rpm
java-1.4.2-ibm-devel-1.4.2.13.6-1jpp.2.el5.i386.rpm
java-1.4.2-ibm-javacomm-1.4.2.13.6-1jpp.2.el5.i386.rpm
java-1.4.2-ibm-jdbc-1.4.2.13.6-1jpp.2.el5.i386.rpm
java-1.4.2-ibm-plugin-1.4.2.13.6-1jpp.2.el5.i386.rpm
java-1.4.2-ibm-src-1.4.2.13.6-1jpp.2.el5.i386.rpm

x86_64:
java-1.4.2-ibm-1.4.2.13.6-1jpp.2.el5.i386.rpm
java-1.4.2-ibm-1.4.2.13.6-1jpp.2.el5.x86_64.rpm
java-1.4.2-ibm-demo-1.4.2.13.6-1jpp.2.el5.i386.rpm
java-1.4.2-ibm-demo-1.4.2.13.6-1jpp.2.el5.x86_64.rpm
java-1.4.2-ibm-devel-1.4.2.13.6-1jpp.2.el5.i386.rpm
java-1.4.2-ibm-devel-1.4.2.13.6-1jpp.2.el5.x86_64.rpm
java-1.4.2-ibm-javacomm-1.4.2.13.6-1jpp.2.el5.i386.rpm
java-1.4.2-ibm-javacomm-1.4.2.13.6-1jpp.2.el5.x86_64.rpm
java-1.4.2-ibm-jdbc-1.4.2.13.6-1jpp.2.el5.i386.rpm
java-1.4.2-ibm-plugin-1.4.2.13.6-1jpp.2.el5.i386.rpm
java-1.4.2-ibm-src-1.4.2.13.6-1jpp.2.el5.i386.rpm
java-1.4.2-ibm-src-1.4.2.13.6-1jpp.2.el5.x86_64.rpm

RHEL Supplementary (v. 5 server):

i386:
java-1.4.2-ibm-1.4.2.13.6-1jpp.2.el5.i386.rpm
java-1.4.2-ibm-demo-1.4.2.13.6-1jpp.2.el5.i386.rpm
java-1.4.2-ibm-devel-1.4.2.13.6-1jpp.2.el5.i386.rpm
java-1.4.2-ibm-javacomm-1.4.2.13.6-1jpp.2.el5.i386.rpm
java-1.4.2-ibm-jdbc-1.4.2.13.6-1jpp.2.el5.i386.rpm
java-1.4.2-ibm-plugin-1.4.2.13.6-1jpp.2.el5.i386.rpm
java-1.4.2-ibm-src-1.4.2.13.6-1jpp.2.el5.i386.rpm

ia64:
java-1.4.2-ibm-1.4.2.13.6-1jpp.2.el5.ia64.rpm
java-1.4.2-ibm-demo-1.4.2.13.6-1jpp.2.el5.ia64.rpm
java-1.4.2-ibm-devel-1.4.2.13.6-1jpp.2.el5.ia64.rpm
java-1.4.2-ibm-src-1.4.2.13.6-1jpp.2.el5.ia64.rpm

ppc:
java-1.4.2-ibm-1.4.2.13.6-1jpp.2.el5.ppc.rpm
java-1.4.2-ibm-1.4.2.13.6-1jpp.2.el5.ppc64.rpm
java-1.4.2-ibm-demo-1.4.2.13.6-1jpp.2.el5.ppc.rpm
java-1.4.2-ibm-demo-1.4.2.13.6-1jpp.2.el5.ppc64.rpm
java-1.4.2-ibm-devel-1.4.2.13.6-1jpp.2.el5.ppc.rpm
java-1.4.2-ibm-devel-1.4.2.13.6-1jpp.2.el5.ppc64.rpm
java-1.4.2-ibm-javacomm-1.4.2.13.6-1jpp.2.el5.ppc.rpm
java-1.4.2-ibm-javacomm-1.4.2.13.6-1jpp.2.el5.ppc64.rpm
java-1.4.2-ibm-jdbc-1.4.2.13.6-1jpp.2.el5.ppc.rpm
java-1.4.2-ibm-src-1.4.2.13.6-1jpp.2.el5.ppc.rpm
java-1.4.2-ibm-src-1.4.2.13.6-1jpp.2.el5.ppc64.rpm

s390x:
java-1.4.2-ibm-1.4.2.13.6-1jpp.2.el5.s390.rpm
java-1.4.2-ibm-1.4.2.13.6-1jpp.2.el5.s390x.rpm
java-1.4.2-ibm-demo-1.4.2.13.6-1jpp.2.el5.s390.rpm
java-1.4.2-ibm-demo-1.4.2.13.6-1jpp.2.el5.s390x.rpm
java-1.4.2-ibm-devel-1.4.2.13.6-1jpp.2.el5.s390.rpm
java-1.4.2-ibm-devel-1.4.2.13.6-1jpp.2.el5.s390x.rpm
java-1.4.2-ibm-jdbc-1.4.2.13.6-1jpp.2.el5.s390.rpm
java-1.4.2-ibm-src-1.4.2.13.6-1jpp.2.el5.s390.rpm
java-1.4.2-ibm-src-1.4.2.13.6-1jpp.2.el5.s390x.rpm

x86_64:
java-1.4.2-ibm-1.4.2.13.6-1jpp.2.el5.i386.rpm
java-1.4.2-ibm-1.4.2.13.6-1jpp.2.el5.x86_64.rpm
java-1.4.2-ibm-demo-1.4.2.13.6-1jpp.2.el5.i386.rpm
java-1.4.2-ibm-demo-1.4.2.13.6-1jpp.2.el5.x86_64.rpm
java-1.4.2-ibm-devel-1.4.2.13.6-1jpp.2.el5.i386.rpm
java-1.4.2-ibm-devel-1.4.2.13.6-1jpp.2.el5.x86_64.rpm
java-1.4.2-ibm-javacomm-1.4.2.13.6-1jpp.2.el5.i386.rpm
java-1.4.2-ibm-javacomm-1.4.2.13.6-1jpp.2.el5.x86_64.rpm
java-1.4.2-ibm-jdbc-1.4.2.13.6-1jpp.2.el5.i386.rpm
java-1.4.2-ibm-plugin-1.4.2.13.6-1jpp.2.el5.i386.rpm
java-1.4.2-ibm-src-1.4.2.13.6-1jpp.2.el5.i386.rpm
java-1.4.2-ibm-src-1.4.2.13.6-1jpp.2.el5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2009-3555.html
https://www.redhat.com/security/data/cve/CVE-2010-3541.html
https://www.redhat.com/security/data/cve/CVE-2010-3548.html
https://www.redhat.com/security/data/cve/CVE-2010-3549.html
https://www.redhat.com/security/data/cve/CVE-2010-3551.html
https://www.redhat.com/security/data/cve/CVE-2010-3553.html
https://www.redhat.com/security/data/cve/CVE-2010-3556.html
https://www.redhat.com/security/data/cve/CVE-2010-3557.html
https://www.redhat.com/security/data/cve/CVE-2010-3562.html
https://www.redhat.com/security/data/cve/CVE-2010-3565.html
https://www.redhat.com/security/data/cve/CVE-2010-3568.html
https://www.redhat.com/security/data/cve/CVE-2010-3569.html
https://www.redhat.com/security/data/cve/CVE-2010-3571.html
https://www.redhat.com/security/data/cve/CVE-2010-3572.html
http://www.redhat.com/security/updates/classification/#critical
http://www.ibm.com/developerworks/java/jdk/alerts/
https://access.redhat.com/kb/docs/DOC-20491

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2010 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFMvyaFXlSAg2UNWIIRAqw4AJ48Wl6/eANLkvhoIQST1niHzxEFnACfe6SZ
Dl86GjrFk3esjXIC3IzGJP8=
=3HrL
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Oct 20 23:31:04 2010
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 20 Oct 2010 17:31:04 -0600
Subject: [RHSA-2010:0787-01] Important: glibc security update
Message-ID: <201010202331.o9KNV45E010819@int-mx08.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: glibc security update
Advisory ID:       RHSA-2010:0787-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2010-0787.html
Issue date:        2010-10-20
CVE Names:         CVE-2010-3847
=====================================================================

1. Summary:

Updated glibc packages that fix one security issue are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64

3. Description:

The glibc packages contain the standard C libraries used by multiple programs on the system. These packages contain the standard C and the standard math libraries. Without these two libraries, a Linux system cannot function properly.

It was discovered that the glibc dynamic linker/loader did not handle the $ORIGIN dynamic string token set in the LD_AUDIT environment variable securely. A local attacker with write access to a file system containing setuid or setgid binaries could use this flaw to escalate their privileges.
(CVE-2010-3847)

Red Hat would like to thank Tavis Ormandy for reporting this issue.

All users should upgrade to these updated packages, which contain a backported patch to correct this issue.

4. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

643306 - CVE-2010-3847 glibc: ld.so insecure handling of $ORIGIN in LD_AUDIT for setuid/setgid programs

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/glibc-2.5-49.el5_5.6.src.rpm

i386:
glibc-2.5-49.el5_5.6.i386.rpm
glibc-2.5-49.el5_5.6.i686.rpm
glibc-common-2.5-49.el5_5.6.i386.rpm
glibc-debuginfo-2.5-49.el5_5.6.i386.rpm
glibc-debuginfo-2.5-49.el5_5.6.i686.rpm
glibc-debuginfo-common-2.5-49.el5_5.6.i386.rpm
glibc-devel-2.5-49.el5_5.6.i386.rpm
glibc-headers-2.5-49.el5_5.6.i386.rpm
glibc-utils-2.5-49.el5_5.6.i386.rpm
nscd-2.5-49.el5_5.6.i386.rpm

x86_64:
glibc-2.5-49.el5_5.6.i686.rpm
glibc-2.5-49.el5_5.6.x86_64.rpm
glibc-common-2.5-49.el5_5.6.x86_64.rpm
glibc-debuginfo-2.5-49.el5_5.6.i386.rpm
glibc-debuginfo-2.5-49.el5_5.6.i686.rpm
glibc-debuginfo-2.5-49.el5_5.6.x86_64.rpm
glibc-debuginfo-common-2.5-49.el5_5.6.i386.rpm
glibc-devel-2.5-49.el5_5.6.i386.rpm
glibc-devel-2.5-49.el5_5.6.x86_64.rpm
glibc-headers-2.5-49.el5_5.6.x86_64.rpm
glibc-utils-2.5-49.el5_5.6.x86_64.rpm
nscd-2.5-49.el5_5.6.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/glibc-2.5-49.el5_5.6.src.rpm

i386:
glibc-2.5-49.el5_5.6.i386.rpm
glibc-2.5-49.el5_5.6.i686.rpm
glibc-common-2.5-49.el5_5.6.i386.rpm
glibc-debuginfo-2.5-49.el5_5.6.i386.rpm
glibc-debuginfo-2.5-49.el5_5.6.i686.rpm
glibc-debuginfo-common-2.5-49.el5_5.6.i386.rpm
glibc-devel-2.5-49.el5_5.6.i386.rpm
glibc-headers-2.5-49.el5_5.6.i386.rpm
glibc-utils-2.5-49.el5_5.6.i386.rpm
nscd-2.5-49.el5_5.6.i386.rpm

ia64:
glibc-2.5-49.el5_5.6.i686.rpm
glibc-2.5-49.el5_5.6.ia64.rpm
glibc-common-2.5-49.el5_5.6.ia64.rpm
glibc-debuginfo-2.5-49.el5_5.6.i686.rpm
glibc-debuginfo-2.5-49.el5_5.6.ia64.rpm
glibc-debuginfo-common-2.5-49.el5_5.6.i386.rpm
glibc-devel-2.5-49.el5_5.6.ia64.rpm
glibc-headers-2.5-49.el5_5.6.ia64.rpm
glibc-utils-2.5-49.el5_5.6.ia64.rpm
nscd-2.5-49.el5_5.6.ia64.rpm

ppc:
glibc-2.5-49.el5_5.6.ppc.rpm
glibc-2.5-49.el5_5.6.ppc64.rpm
glibc-common-2.5-49.el5_5.6.ppc.rpm
glibc-debuginfo-2.5-49.el5_5.6.ppc.rpm
glibc-debuginfo-2.5-49.el5_5.6.ppc64.rpm
glibc-devel-2.5-49.el5_5.6.ppc.rpm
glibc-devel-2.5-49.el5_5.6.ppc64.rpm
glibc-headers-2.5-49.el5_5.6.ppc.rpm
glibc-utils-2.5-49.el5_5.6.ppc.rpm
nscd-2.5-49.el5_5.6.ppc.rpm

s390x:
glibc-2.5-49.el5_5.6.s390.rpm
glibc-2.5-49.el5_5.6.s390x.rpm
glibc-common-2.5-49.el5_5.6.s390x.rpm
glibc-debuginfo-2.5-49.el5_5.6.s390.rpm
glibc-debuginfo-2.5-49.el5_5.6.s390x.rpm
glibc-devel-2.5-49.el5_5.6.s390.rpm
glibc-devel-2.5-49.el5_5.6.s390x.rpm
glibc-headers-2.5-49.el5_5.6.s390x.rpm
glibc-utils-2.5-49.el5_5.6.s390x.rpm
nscd-2.5-49.el5_5.6.s390x.rpm

x86_64:
glibc-2.5-49.el5_5.6.i686.rpm
glibc-2.5-49.el5_5.6.x86_64.rpm
glibc-common-2.5-49.el5_5.6.x86_64.rpm
glibc-debuginfo-2.5-49.el5_5.6.i386.rpm
glibc-debuginfo-2.5-49.el5_5.6.i686.rpm
glibc-debuginfo-2.5-49.el5_5.6.x86_64.rpm
glibc-debuginfo-common-2.5-49.el5_5.6.i386.rpm
glibc-devel-2.5-49.el5_5.6.i386.rpm
glibc-devel-2.5-49.el5_5.6.x86_64.rpm
glibc-headers-2.5-49.el5_5.6.x86_64.rpm
glibc-utils-2.5-49.el5_5.6.x86_64.rpm
nscd-2.5-49.el5_5.6.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2010-3847.html
http://www.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2010 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFMv3uSXlSAg2UNWIIRAmI9AJ44IJRBJW+fPulMdAWx0b8Ss6OeTgCdGhi7
LTAnaUtraxS2nd8UnXSUFhc=
=ccj+
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Oct 21 17:02:28 2010
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 21 Oct 2010 13:02:28 -0400
Subject: [RHSA-2010:0788-01] Moderate: pidgin security update
Message-ID: <201010211702.o9LH28iQ027094@int-mx09.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: pidgin security update
Advisory ID:       RHSA-2010:0788-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2010-0788.html
Issue date:        2010-10-21
CVE Names:         CVE-2010-1624 CVE-2010-3711
=====================================================================

1. Summary:

Updated pidgin packages that fix multiple security issues are now available for Red Hat Enterprise Linux 4 and 5.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64
RHEL Optional Productivity Applications (v. 5 server) - i386, x86_64
Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

3. Description:

Pidgin is an instant messaging program which can log in to multiple accounts on multiple instant messaging networks simultaneously.

Multiple NULL pointer dereference flaws were found in the way Pidgin handled Base64 decoding. A remote attacker could use these flaws to crash Pidgin if the target Pidgin user was using the Yahoo! Messenger Protocol, MSN, MySpace, or Extensible Messaging and Presence Protocol (XMPP) protocol plug-ins, or using the Microsoft NT LAN Manager (NTLM) protocol for authentication. (CVE-2010-3711)

A NULL pointer dereference flaw was found in the way the Pidgin MSN protocol plug-in processed custom emoticon messages. A remote attacker could use this flaw to crash Pidgin by sending specially-crafted emoticon messages during mutual communication. (CVE-2010-1624)

Red Hat would like to thank the Pidgin project for reporting these issues. Upstream acknowledges Daniel Atallah as the original reporter of CVE-2010-3711, and Pierre Noguès of Meta Security as the original reporter of CVE-2010-1624.

All Pidgin users should upgrade to these updated packages, which contain backported patches to resolve these issues. Pidgin must be restarted for this update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

589973 - CVE-2010-1624 Pidgin: MSN SLP emoticon DoS (NULL pointer dereference)
641921 - CVE-2010-3711 Pidgin (libpurple): Multiple DoS (crash) flaws by processing of unsanitized Base64 decoder values

6. Package List:

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/pidgin-2.6.6-5.el4_8.src.rpm

i386:
finch-2.6.6-5.el4_8.i386.rpm
finch-devel-2.6.6-5.el4_8.i386.rpm
libpurple-2.6.6-5.el4_8.i386.rpm
libpurple-devel-2.6.6-5.el4_8.i386.rpm
libpurple-perl-2.6.6-5.el4_8.i386.rpm
libpurple-tcl-2.6.6-5.el4_8.i386.rpm
pidgin-2.6.6-5.el4_8.i386.rpm
pidgin-debuginfo-2.6.6-5.el4_8.i386.rpm
pidgin-devel-2.6.6-5.el4_8.i386.rpm
pidgin-perl-2.6.6-5.el4_8.i386.rpm

ia64:
finch-2.6.6-5.el4_8.ia64.rpm
finch-devel-2.6.6-5.el4_8.ia64.rpm
libpurple-2.6.6-5.el4_8.ia64.rpm
libpurple-devel-2.6.6-5.el4_8.ia64.rpm
libpurple-perl-2.6.6-5.el4_8.ia64.rpm
libpurple-tcl-2.6.6-5.el4_8.ia64.rpm
pidgin-2.6.6-5.el4_8.ia64.rpm
pidgin-debuginfo-2.6.6-5.el4_8.ia64.rpm
pidgin-devel-2.6.6-5.el4_8.ia64.rpm
pidgin-perl-2.6.6-5.el4_8.ia64.rpm

ppc:
finch-2.6.6-5.el4_8.ppc.rpm
finch-devel-2.6.6-5.el4_8.ppc.rpm
libpurple-2.6.6-5.el4_8.ppc.rpm
libpurple-devel-2.6.6-5.el4_8.ppc.rpm
libpurple-perl-2.6.6-5.el4_8.ppc.rpm
libpurple-tcl-2.6.6-5.el4_8.ppc.rpm
pidgin-2.6.6-5.el4_8.ppc.rpm
pidgin-debuginfo-2.6.6-5.el4_8.ppc.rpm
pidgin-devel-2.6.6-5.el4_8.ppc.rpm
pidgin-perl-2.6.6-5.el4_8.ppc.rpm

x86_64:
finch-2.6.6-5.el4_8.x86_64.rpm
finch-devel-2.6.6-5.el4_8.x86_64.rpm
libpurple-2.6.6-5.el4_8.x86_64.rpm
libpurple-devel-2.6.6-5.el4_8.x86_64.rpm
libpurple-perl-2.6.6-5.el4_8.x86_64.rpm
libpurple-tcl-2.6.6-5.el4_8.x86_64.rpm
pidgin-2.6.6-5.el4_8.x86_64.rpm
pidgin-debuginfo-2.6.6-5.el4_8.x86_64.rpm
pidgin-devel-2.6.6-5.el4_8.x86_64.rpm
pidgin-perl-2.6.6-5.el4_8.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/pidgin-2.6.6-5.el4_8.src.rpm

i386:
finch-2.6.6-5.el4_8.i386.rpm
finch-devel-2.6.6-5.el4_8.i386.rpm
libpurple-2.6.6-5.el4_8.i386.rpm
libpurple-devel-2.6.6-5.el4_8.i386.rpm
libpurple-perl-2.6.6-5.el4_8.i386.rpm
libpurple-tcl-2.6.6-5.el4_8.i386.rpm
pidgin-2.6.6-5.el4_8.i386.rpm
pidgin-debuginfo-2.6.6-5.el4_8.i386.rpm
pidgin-devel-2.6.6-5.el4_8.i386.rpm
pidgin-perl-2.6.6-5.el4_8.i386.rpm

x86_64:
finch-2.6.6-5.el4_8.x86_64.rpm
finch-devel-2.6.6-5.el4_8.x86_64.rpm
libpurple-2.6.6-5.el4_8.x86_64.rpm
libpurple-devel-2.6.6-5.el4_8.x86_64.rpm
libpurple-perl-2.6.6-5.el4_8.x86_64.rpm
libpurple-tcl-2.6.6-5.el4_8.x86_64.rpm
pidgin-2.6.6-5.el4_8.x86_64.rpm
pidgin-debuginfo-2.6.6-5.el4_8.x86_64.rpm
pidgin-devel-2.6.6-5.el4_8.x86_64.rpm
pidgin-perl-2.6.6-5.el4_8.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/pidgin-2.6.6-5.el4_8.src.rpm

i386:
finch-2.6.6-5.el4_8.i386.rpm
finch-devel-2.6.6-5.el4_8.i386.rpm
libpurple-2.6.6-5.el4_8.i386.rpm
libpurple-devel-2.6.6-5.el4_8.i386.rpm
libpurple-perl-2.6.6-5.el4_8.i386.rpm
libpurple-tcl-2.6.6-5.el4_8.i386.rpm
pidgin-2.6.6-5.el4_8.i386.rpm
pidgin-debuginfo-2.6.6-5.el4_8.i386.rpm
pidgin-devel-2.6.6-5.el4_8.i386.rpm
pidgin-perl-2.6.6-5.el4_8.i386.rpm

ia64:
finch-2.6.6-5.el4_8.ia64.rpm
finch-devel-2.6.6-5.el4_8.ia64.rpm
libpurple-2.6.6-5.el4_8.ia64.rpm
libpurple-devel-2.6.6-5.el4_8.ia64.rpm
libpurple-perl-2.6.6-5.el4_8.ia64.rpm
libpurple-tcl-2.6.6-5.el4_8.ia64.rpm
pidgin-2.6.6-5.el4_8.ia64.rpm
pidgin-debuginfo-2.6.6-5.el4_8.ia64.rpm
pidgin-devel-2.6.6-5.el4_8.ia64.rpm
pidgin-perl-2.6.6-5.el4_8.ia64.rpm

x86_64:
finch-2.6.6-5.el4_8.x86_64.rpm
finch-devel-2.6.6-5.el4_8.x86_64.rpm
libpurple-2.6.6-5.el4_8.x86_64.rpm
libpurple-devel-2.6.6-5.el4_8.x86_64.rpm
libpurple-perl-2.6.6-5.el4_8.x86_64.rpm
libpurple-tcl-2.6.6-5.el4_8.x86_64.rpm
pidgin-2.6.6-5.el4_8.x86_64.rpm
pidgin-debuginfo-2.6.6-5.el4_8.x86_64.rpm
pidgin-devel-2.6.6-5.el4_8.x86_64.rpm
pidgin-perl-2.6.6-5.el4_8.x86_64.rpm

Red Hat Enterprise Linux WS version 4:
Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/pidgin-2.6.6-5.el4_8.src.rpm

i386:
finch-2.6.6-5.el4_8.i386.rpm
finch-devel-2.6.6-5.el4_8.i386.rpm
libpurple-2.6.6-5.el4_8.i386.rpm
libpurple-devel-2.6.6-5.el4_8.i386.rpm
libpurple-perl-2.6.6-5.el4_8.i386.rpm
libpurple-tcl-2.6.6-5.el4_8.i386.rpm
pidgin-2.6.6-5.el4_8.i386.rpm
pidgin-debuginfo-2.6.6-5.el4_8.i386.rpm
pidgin-devel-2.6.6-5.el4_8.i386.rpm
pidgin-perl-2.6.6-5.el4_8.i386.rpm

ia64:
finch-2.6.6-5.el4_8.ia64.rpm
finch-devel-2.6.6-5.el4_8.ia64.rpm
libpurple-2.6.6-5.el4_8.ia64.rpm
libpurple-devel-2.6.6-5.el4_8.ia64.rpm
libpurple-perl-2.6.6-5.el4_8.ia64.rpm
libpurple-tcl-2.6.6-5.el4_8.ia64.rpm
pidgin-2.6.6-5.el4_8.ia64.rpm
pidgin-debuginfo-2.6.6-5.el4_8.ia64.rpm
pidgin-devel-2.6.6-5.el4_8.ia64.rpm
pidgin-perl-2.6.6-5.el4_8.ia64.rpm

x86_64:
finch-2.6.6-5.el4_8.x86_64.rpm
finch-devel-2.6.6-5.el4_8.x86_64.rpm
libpurple-2.6.6-5.el4_8.x86_64.rpm
libpurple-devel-2.6.6-5.el4_8.x86_64.rpm
libpurple-perl-2.6.6-5.el4_8.x86_64.rpm
libpurple-tcl-2.6.6-5.el4_8.x86_64.rpm
pidgin-2.6.6-5.el4_8.x86_64.rpm
pidgin-debuginfo-2.6.6-5.el4_8.x86_64.rpm
pidgin-devel-2.6.6-5.el4_8.x86_64.rpm
pidgin-perl-2.6.6-5.el4_8.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/pidgin-2.6.6-5.el5_5.src.rpm

i386:
finch-2.6.6-5.el5_5.i386.rpm
libpurple-2.6.6-5.el5_5.i386.rpm
libpurple-perl-2.6.6-5.el5_5.i386.rpm
libpurple-tcl-2.6.6-5.el5_5.i386.rpm
pidgin-2.6.6-5.el5_5.i386.rpm
pidgin-debuginfo-2.6.6-5.el5_5.i386.rpm
pidgin-perl-2.6.6-5.el5_5.i386.rpm

x86_64:
finch-2.6.6-5.el5_5.i386.rpm
finch-2.6.6-5.el5_5.x86_64.rpm
libpurple-2.6.6-5.el5_5.i386.rpm
libpurple-2.6.6-5.el5_5.x86_64.rpm
libpurple-perl-2.6.6-5.el5_5.x86_64.rpm
libpurple-tcl-2.6.6-5.el5_5.x86_64.rpm
pidgin-2.6.6-5.el5_5.i386.rpm
pidgin-2.6.6-5.el5_5.x86_64.rpm
pidgin-debuginfo-2.6.6-5.el5_5.i386.rpm
pidgin-debuginfo-2.6.6-5.el5_5.x86_64.rpm
pidgin-perl-2.6.6-5.el5_5.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/pidgin-2.6.6-5.el5_5.src.rpm

i386:
finch-devel-2.6.6-5.el5_5.i386.rpm
libpurple-devel-2.6.6-5.el5_5.i386.rpm
pidgin-debuginfo-2.6.6-5.el5_5.i386.rpm
pidgin-devel-2.6.6-5.el5_5.i386.rpm

x86_64:
finch-devel-2.6.6-5.el5_5.i386.rpm
finch-devel-2.6.6-5.el5_5.x86_64.rpm
libpurple-devel-2.6.6-5.el5_5.i386.rpm
libpurple-devel-2.6.6-5.el5_5.x86_64.rpm
pidgin-debuginfo-2.6.6-5.el5_5.i386.rpm
pidgin-debuginfo-2.6.6-5.el5_5.x86_64.rpm
pidgin-devel-2.6.6-5.el5_5.i386.rpm
pidgin-devel-2.6.6-5.el5_5.x86_64.rpm

RHEL Optional Productivity Applications (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/pidgin-2.6.6-5.el5_5.src.rpm

i386:
finch-2.6.6-5.el5_5.i386.rpm
finch-devel-2.6.6-5.el5_5.i386.rpm
libpurple-2.6.6-5.el5_5.i386.rpm
libpurple-devel-2.6.6-5.el5_5.i386.rpm
libpurple-perl-2.6.6-5.el5_5.i386.rpm
libpurple-tcl-2.6.6-5.el5_5.i386.rpm
pidgin-2.6.6-5.el5_5.i386.rpm
pidgin-debuginfo-2.6.6-5.el5_5.i386.rpm
pidgin-devel-2.6.6-5.el5_5.i386.rpm
pidgin-perl-2.6.6-5.el5_5.i386.rpm

x86_64:
finch-2.6.6-5.el5_5.i386.rpm
finch-2.6.6-5.el5_5.x86_64.rpm
finch-devel-2.6.6-5.el5_5.i386.rpm
finch-devel-2.6.6-5.el5_5.x86_64.rpm
libpurple-2.6.6-5.el5_5.i386.rpm
libpurple-2.6.6-5.el5_5.x86_64.rpm
libpurple-devel-2.6.6-5.el5_5.i386.rpm
libpurple-devel-2.6.6-5.el5_5.x86_64.rpm
libpurple-perl-2.6.6-5.el5_5.x86_64.rpm
libpurple-tcl-2.6.6-5.el5_5.x86_64.rpm
pidgin-2.6.6-5.el5_5.i386.rpm
pidgin-2.6.6-5.el5_5.x86_64.rpm
pidgin-debuginfo-2.6.6-5.el5_5.i386.rpm
pidgin-debuginfo-2.6.6-5.el5_5.x86_64.rpm
pidgin-devel-2.6.6-5.el5_5.i386.rpm
pidgin-devel-2.6.6-5.el5_5.x86_64.rpm
pidgin-perl-2.6.6-5.el5_5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2010-1624.html
https://www.redhat.com/security/data/cve/CVE-2010-3711.html
http://www.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2010 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFMwHEkXlSAg2UNWIIRAj7tAKC4YsrnCYIDe1WWKVAEGpPVGyZFkQCfZJ8T
oFYuCjv1D/QpAJckm78mSww=
=PYqo
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Mon Oct 25 18:55:46 2010
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 25 Oct 2010 12:55:46 -0600
Subject: [RHSA-2010:0792-01] Important: kernel security update
Message-ID: <201010251855.o9PItkUa002659@int-mx09.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Important: kernel security update
Advisory ID: RHSA-2010:0792-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2010-0792.html
Issue date: 2010-10-25
CVE Names: CVE-2010-3904
=====================================================================

1. Summary:

Updated kernel packages that fix one security issue are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux (v. 5 server) - i386, ia64, noarch, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, noarch, x86_64

3. Description:

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issue:

* The rds_page_copy_user() function in the Linux kernel Reliable Datagram Sockets (RDS) protocol implementation was missing sanity checks. A local, unprivileged user could use this flaw to escalate their privileges. (CVE-2010-3904, Important)

Red Hat would like to thank Dan Rosenberg of Virtual Security Research for reporting this issue.
Users should upgrade to these updated packages, which contain a backported patch to correct this issue. The system must be rebooted for this update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259

To install kernel packages manually, use "rpm -ivh [package]". Do not use "rpm -Uvh" as that will remove the running kernel binaries from your system. You may use "rpm -e" to remove old kernels after determining that the new kernel functions properly on your system.

5. Bugs fixed (http://bugzilla.redhat.com/):

642896 - CVE-2010-3904 RDS sockets local privilege escalation

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/kernel-2.6.18-194.17.4.el5.src.rpm

i386:
kernel-2.6.18-194.17.4.el5.i686.rpm
kernel-PAE-2.6.18-194.17.4.el5.i686.rpm
kernel-PAE-debuginfo-2.6.18-194.17.4.el5.i686.rpm
kernel-PAE-devel-2.6.18-194.17.4.el5.i686.rpm
kernel-debug-2.6.18-194.17.4.el5.i686.rpm
kernel-debug-debuginfo-2.6.18-194.17.4.el5.i686.rpm
kernel-debug-devel-2.6.18-194.17.4.el5.i686.rpm
kernel-debuginfo-2.6.18-194.17.4.el5.i686.rpm
kernel-debuginfo-common-2.6.18-194.17.4.el5.i686.rpm
kernel-devel-2.6.18-194.17.4.el5.i686.rpm
kernel-headers-2.6.18-194.17.4.el5.i386.rpm
kernel-xen-2.6.18-194.17.4.el5.i686.rpm
kernel-xen-debuginfo-2.6.18-194.17.4.el5.i686.rpm
kernel-xen-devel-2.6.18-194.17.4.el5.i686.rpm

noarch:
kernel-doc-2.6.18-194.17.4.el5.noarch.rpm

x86_64:
kernel-2.6.18-194.17.4.el5.x86_64.rpm
kernel-debug-2.6.18-194.17.4.el5.x86_64.rpm
kernel-debug-debuginfo-2.6.18-194.17.4.el5.x86_64.rpm
kernel-debug-devel-2.6.18-194.17.4.el5.x86_64.rpm
kernel-debuginfo-2.6.18-194.17.4.el5.x86_64.rpm
kernel-debuginfo-common-2.6.18-194.17.4.el5.x86_64.rpm
kernel-devel-2.6.18-194.17.4.el5.x86_64.rpm
kernel-headers-2.6.18-194.17.4.el5.x86_64.rpm
kernel-xen-2.6.18-194.17.4.el5.x86_64.rpm
kernel-xen-debuginfo-2.6.18-194.17.4.el5.x86_64.rpm
kernel-xen-devel-2.6.18-194.17.4.el5.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/kernel-2.6.18-194.17.4.el5.src.rpm

i386:
kernel-2.6.18-194.17.4.el5.i686.rpm
kernel-PAE-2.6.18-194.17.4.el5.i686.rpm
kernel-PAE-debuginfo-2.6.18-194.17.4.el5.i686.rpm
kernel-PAE-devel-2.6.18-194.17.4.el5.i686.rpm
kernel-debug-2.6.18-194.17.4.el5.i686.rpm
kernel-debug-debuginfo-2.6.18-194.17.4.el5.i686.rpm
kernel-debug-devel-2.6.18-194.17.4.el5.i686.rpm
kernel-debuginfo-2.6.18-194.17.4.el5.i686.rpm
kernel-debuginfo-common-2.6.18-194.17.4.el5.i686.rpm
kernel-devel-2.6.18-194.17.4.el5.i686.rpm
kernel-headers-2.6.18-194.17.4.el5.i386.rpm
kernel-xen-2.6.18-194.17.4.el5.i686.rpm
kernel-xen-debuginfo-2.6.18-194.17.4.el5.i686.rpm
kernel-xen-devel-2.6.18-194.17.4.el5.i686.rpm

ia64:
kernel-2.6.18-194.17.4.el5.ia64.rpm
kernel-debug-2.6.18-194.17.4.el5.ia64.rpm
kernel-debug-debuginfo-2.6.18-194.17.4.el5.ia64.rpm
kernel-debug-devel-2.6.18-194.17.4.el5.ia64.rpm
kernel-debuginfo-2.6.18-194.17.4.el5.ia64.rpm
kernel-debuginfo-common-2.6.18-194.17.4.el5.ia64.rpm
kernel-devel-2.6.18-194.17.4.el5.ia64.rpm
kernel-headers-2.6.18-194.17.4.el5.ia64.rpm
kernel-xen-2.6.18-194.17.4.el5.ia64.rpm
kernel-xen-debuginfo-2.6.18-194.17.4.el5.ia64.rpm
kernel-xen-devel-2.6.18-194.17.4.el5.ia64.rpm

noarch:
kernel-doc-2.6.18-194.17.4.el5.noarch.rpm

ppc:
kernel-2.6.18-194.17.4.el5.ppc64.rpm
kernel-debug-2.6.18-194.17.4.el5.ppc64.rpm
kernel-debug-debuginfo-2.6.18-194.17.4.el5.ppc64.rpm
kernel-debug-devel-2.6.18-194.17.4.el5.ppc64.rpm
kernel-debuginfo-2.6.18-194.17.4.el5.ppc64.rpm
kernel-debuginfo-common-2.6.18-194.17.4.el5.ppc64.rpm
kernel-devel-2.6.18-194.17.4.el5.ppc64.rpm
kernel-headers-2.6.18-194.17.4.el5.ppc.rpm
kernel-headers-2.6.18-194.17.4.el5.ppc64.rpm
kernel-kdump-2.6.18-194.17.4.el5.ppc64.rpm
kernel-kdump-debuginfo-2.6.18-194.17.4.el5.ppc64.rpm
kernel-kdump-devel-2.6.18-194.17.4.el5.ppc64.rpm

s390x:
kernel-2.6.18-194.17.4.el5.s390x.rpm
kernel-debug-2.6.18-194.17.4.el5.s390x.rpm
kernel-debug-debuginfo-2.6.18-194.17.4.el5.s390x.rpm
kernel-debug-devel-2.6.18-194.17.4.el5.s390x.rpm
kernel-debuginfo-2.6.18-194.17.4.el5.s390x.rpm
kernel-debuginfo-common-2.6.18-194.17.4.el5.s390x.rpm
kernel-devel-2.6.18-194.17.4.el5.s390x.rpm
kernel-headers-2.6.18-194.17.4.el5.s390x.rpm
kernel-kdump-2.6.18-194.17.4.el5.s390x.rpm
kernel-kdump-debuginfo-2.6.18-194.17.4.el5.s390x.rpm
kernel-kdump-devel-2.6.18-194.17.4.el5.s390x.rpm

x86_64:
kernel-2.6.18-194.17.4.el5.x86_64.rpm
kernel-debug-2.6.18-194.17.4.el5.x86_64.rpm
kernel-debug-debuginfo-2.6.18-194.17.4.el5.x86_64.rpm
kernel-debug-devel-2.6.18-194.17.4.el5.x86_64.rpm
kernel-debuginfo-2.6.18-194.17.4.el5.x86_64.rpm
kernel-debuginfo-common-2.6.18-194.17.4.el5.x86_64.rpm
kernel-devel-2.6.18-194.17.4.el5.x86_64.rpm
kernel-headers-2.6.18-194.17.4.el5.x86_64.rpm
kernel-xen-2.6.18-194.17.4.el5.x86_64.rpm
kernel-xen-debuginfo-2.6.18-194.17.4.el5.x86_64.rpm
kernel-xen-devel-2.6.18-194.17.4.el5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2010-3904.html
http://www.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2010 Red Hat, Inc.
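Each advisory in this archive is a clearsigned message, and the armored block that follows this one is its signature. Before acting on an advisory received by mail it is worth knowing which key claims to have signed it and when, and whether the armor survived transit intact. The following is an added example, not Red Hat tooling: it de-armors the signature, checks the CRC-24 the armor carries, and decodes the old-format version 3 signature packet that GnuPG 1.4 emitted here (signature type, creation time, long key ID, public-key and hash algorithms). It deliberately rejects anything other than a v3 packet rather than misparse it. The armored text is copied from the kernel advisory signature below, with the blank line that separates the armor header from the data restored; the expected key ID is the one every signature on this page carries, so matching it is a consistency check only. Genuine verification means importing the Red Hat key from the URL in the advisory, confirming its fingerprint out of band, and running "gpg --verify" on the saved message; this script does not do that.

```python
"""Inspect the OpenPGP signature on a clearsigned advisory before trusting it.

Added example for this archive page, not Red Hat tooling. The armored block is the
signature of the RHSA-2010:0792 kernel advisory as printed on the page, with the
blank line after the armor header restored. Decoding the packet shows who claims
to have signed and when; only "gpg --verify" with the publisher's key proves it.
"""
import base64
import datetime
import struct

KERNEL_ADVISORY_SIGNATURE = """\
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFMxdKRXlSAg2UNWIIRAvkpAKC4dyJkHSuCbdOVea2hmgoYxka3ygCfVKJX
mRnDQ4vvacwEWqQW/KNkWaY=
=X1JD
-----END PGP SIGNATURE-----
"""

# RFC 4880 section 6.1: CRC-24 over the binary data, sent base64-encoded after '='.
CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB


def crc24(data: bytes) -> int:
    crc = CRC24_INIT
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def dearmor(armored: str):
    """Return (packet_bytes, crc_ok) for one ASCII-armored signature block."""
    lines = [line.strip() for line in armored.strip().splitlines()]
    if lines[0] != "-----BEGIN PGP SIGNATURE-----"or lines[-1] != "-----END PGP SIGNATURE-----":
        raise ValueError("not an armored PGP signature")
    body = lines[1:-1]
    while body and (body[0] == "" or ":" in body[0]):   # armor headers such as Version:
        body.pop(0)
    checksum = body.pop()
    if not checksum.startswith("="):
        raise ValueError("armor checksum line missing")
    data = base64.b64decode("".join(body))
    expected = int.from_bytes(base64.b64decode(checksum[1:]), "big")
    return data, crc24(data) == expected


PUBKEY_ALGOS = {1: "RSA", 17: "DSA"}
HASH_ALGOS = {1: "MD5", 2: "SHA1", 8: "SHA256", 10: "SHA512"}


def parse_v3_signature(packet: bytes) -> dict:
    """Decode an old-format, version 3 signature packet (RFC 4880 sections 4.2 and 5.2.2)."""
    tag_byte = packet[0]
    if (tag_byte & 0xC0) != 0x80:
        raise ValueError("only old-format packet headers are handled here")
    tag, length_type = (tag_byte >> 2) & 0x0F, tag_byte & 0x03
    if tag != 2:
        raise ValueError("packet tag %d is not a signature" % tag)
    if length_type == 0:
        body_len, offset = packet[1], 2
    elif length_type == 1:
        body_len, offset = struct.unpack(">H", packet[1:3])[0], 3
    elif length_type == 2:
        body_len, offset = struct.unpack(">I", packet[1:5])[0], 5
    else:
        raise ValueError("indeterminate packet length")
    body = packet[offset:offset + body_len]
    if len(body) != body_len:
        raise ValueError("truncated signature packet")
    if body[0] != 3:
        raise ValueError("signature version %d; this parser handles v3 only" % body[0])
    if body[1] != 5:
        raise ValueError("v3 hashed-material length must be 5")
    created = struct.unpack(">I", body[3:7])[0]
    when = datetime.datetime.fromtimestamp(created, datetime.timezone.utc)
    return {
        "sig_type": body[2],                  # 0x01 = canonical text document (clearsigned)
        "created": created,
        "created_utc": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "key_id": body[7:15].hex().upper(),   # long key ID of the claimed signer
        "pubkey_algo": PUBKEY_ALGOS.get(body[15], str(body[15])),
        "hash_algo": HASH_ALGOS.get(body[16], str(body[16])),
        "hash_left16": body[17:19].hex(),
    }


def inspect_signature(armored: str, expected_key_id: str) -> dict:
    """Summarise the signature and flag a signer key ID other than the one expected."""
    packet, crc_ok = dearmor(armored)
    info = parse_v3_signature(packet)
    info["crc_ok"] = crc_ok
    info["key_id_matches"] = info["key_id"].endswith(expected_key_id.upper())
    return info


if __name__ == "__main__":
    # The expected ID must come from a fingerprint you trust (the key URL in the
    # advisory, confirmed out of band), never from the message under inspection.
    # 650D5882 is the ID decoded from this page's own signatures, so it is only a
    # consistency check here.
    for field, value in inspect_signature(KERNEL_ADVISORY_SIGNATURE, "650D5882").items():
        print("%-16s %s" % (field, value))
```

The creation time decoded from this packet (2010-10-25 18:55:13 UTC) lands half a minute before the Date header of the message, which is the kind of cross-check the metadata allows; what it cannot tell you is whether the DSA values are valid for that key, so treat the output as triage and let gpg give the verdict.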
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFMxdKRXlSAg2UNWIIRAvkpAKC4dyJkHSuCbdOVea2hmgoYxka3ygCfVKJX
mRnDQ4vvacwEWqQW/KNkWaY=
=X1JD
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Mon Oct 25 18:56:22 2010
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 25 Oct 2010 12:56:22 -0600
Subject: [RHSA-2010:0793-01] Important: glibc security update
Message-ID: <201010251856.o9PIuMkf010760@int-mx10.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Important: glibc security update
Advisory ID: RHSA-2010:0793-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2010-0793.html
Issue date: 2010-10-25
CVE Names: CVE-2010-3856
=====================================================================

1. Summary:

Updated glibc packages that fix one security issue are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64

3. Description:

The glibc packages contain the standard C libraries used by multiple programs on the system. These packages contain the standard C and the standard math libraries. Without these two libraries, a Linux system cannot function properly.

It was discovered that the glibc dynamic linker/loader did not perform sufficient safety checks when loading dynamic shared objects (DSOs) to provide callbacks for its auditing API during the execution of privileged programs.
A local attacker could use this flaw to escalate their privileges via a carefully-chosen system DSO library containing unsafe constructors. (CVE-2010-3856)

Red Hat would like to thank Ben Hawkes and Tavis Ormandy for reporting this issue.

All users should upgrade to these updated packages, which contain a backported patch to correct this issue.

4. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

645672 - CVE-2010-3856 glibc: ld.so arbitrary DSO loading via LD_AUDIT in setuid/setgid programs

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/glibc-2.5-49.el5_5.7.src.rpm

i386:
glibc-2.5-49.el5_5.7.i386.rpm
glibc-2.5-49.el5_5.7.i686.rpm
glibc-common-2.5-49.el5_5.7.i386.rpm
glibc-debuginfo-2.5-49.el5_5.7.i386.rpm
glibc-debuginfo-2.5-49.el5_5.7.i686.rpm
glibc-debuginfo-common-2.5-49.el5_5.7.i386.rpm
glibc-devel-2.5-49.el5_5.7.i386.rpm
glibc-headers-2.5-49.el5_5.7.i386.rpm
glibc-utils-2.5-49.el5_5.7.i386.rpm
nscd-2.5-49.el5_5.7.i386.rpm

x86_64:
glibc-2.5-49.el5_5.7.i686.rpm
glibc-2.5-49.el5_5.7.x86_64.rpm
glibc-common-2.5-49.el5_5.7.x86_64.rpm
glibc-debuginfo-2.5-49.el5_5.7.i386.rpm
glibc-debuginfo-2.5-49.el5_5.7.i686.rpm
glibc-debuginfo-2.5-49.el5_5.7.x86_64.rpm
glibc-debuginfo-common-2.5-49.el5_5.7.i386.rpm
glibc-devel-2.5-49.el5_5.7.i386.rpm
glibc-devel-2.5-49.el5_5.7.x86_64.rpm
glibc-headers-2.5-49.el5_5.7.x86_64.rpm
glibc-utils-2.5-49.el5_5.7.x86_64.rpm
nscd-2.5-49.el5_5.7.x86_64.rpm

Red Hat Enterprise Linux (v.
5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/glibc-2.5-49.el5_5.7.src.rpm

i386:
glibc-2.5-49.el5_5.7.i386.rpm
glibc-2.5-49.el5_5.7.i686.rpm
glibc-common-2.5-49.el5_5.7.i386.rpm
glibc-debuginfo-2.5-49.el5_5.7.i386.rpm
glibc-debuginfo-2.5-49.el5_5.7.i686.rpm
glibc-debuginfo-common-2.5-49.el5_5.7.i386.rpm
glibc-devel-2.5-49.el5_5.7.i386.rpm
glibc-headers-2.5-49.el5_5.7.i386.rpm
glibc-utils-2.5-49.el5_5.7.i386.rpm
nscd-2.5-49.el5_5.7.i386.rpm

ia64:
glibc-2.5-49.el5_5.7.i686.rpm
glibc-2.5-49.el5_5.7.ia64.rpm
glibc-common-2.5-49.el5_5.7.ia64.rpm
glibc-debuginfo-2.5-49.el5_5.7.i686.rpm
glibc-debuginfo-2.5-49.el5_5.7.ia64.rpm
glibc-debuginfo-common-2.5-49.el5_5.7.i386.rpm
glibc-devel-2.5-49.el5_5.7.ia64.rpm
glibc-headers-2.5-49.el5_5.7.ia64.rpm
glibc-utils-2.5-49.el5_5.7.ia64.rpm
nscd-2.5-49.el5_5.7.ia64.rpm

ppc:
glibc-2.5-49.el5_5.7.ppc.rpm
glibc-2.5-49.el5_5.7.ppc64.rpm
glibc-common-2.5-49.el5_5.7.ppc.rpm
glibc-debuginfo-2.5-49.el5_5.7.ppc.rpm
glibc-debuginfo-2.5-49.el5_5.7.ppc64.rpm
glibc-devel-2.5-49.el5_5.7.ppc.rpm
glibc-devel-2.5-49.el5_5.7.ppc64.rpm
glibc-headers-2.5-49.el5_5.7.ppc.rpm
glibc-utils-2.5-49.el5_5.7.ppc.rpm
nscd-2.5-49.el5_5.7.ppc.rpm

s390x:
glibc-2.5-49.el5_5.7.s390.rpm
glibc-2.5-49.el5_5.7.s390x.rpm
glibc-common-2.5-49.el5_5.7.s390x.rpm
glibc-debuginfo-2.5-49.el5_5.7.s390.rpm
glibc-debuginfo-2.5-49.el5_5.7.s390x.rpm
glibc-devel-2.5-49.el5_5.7.s390.rpm
glibc-devel-2.5-49.el5_5.7.s390x.rpm
glibc-headers-2.5-49.el5_5.7.s390x.rpm
glibc-utils-2.5-49.el5_5.7.s390x.rpm
nscd-2.5-49.el5_5.7.s390x.rpm

x86_64:
glibc-2.5-49.el5_5.7.i686.rpm
glibc-2.5-49.el5_5.7.x86_64.rpm
glibc-common-2.5-49.el5_5.7.x86_64.rpm
glibc-debuginfo-2.5-49.el5_5.7.i386.rpm
glibc-debuginfo-2.5-49.el5_5.7.i686.rpm
glibc-debuginfo-2.5-49.el5_5.7.x86_64.rpm
glibc-debuginfo-common-2.5-49.el5_5.7.i386.rpm
glibc-devel-2.5-49.el5_5.7.i386.rpm
glibc-devel-2.5-49.el5_5.7.x86_64.rpm
glibc-headers-2.5-49.el5_5.7.x86_64.rpm
glibc-utils-2.5-49.el5_5.7.x86_64.rpm
nscd-2.5-49.el5_5.7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2010-3856.html
http://www.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2010 Red Hat, Inc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFMxdLBXlSAg2UNWIIRAnUeAJ9R8B7Mgs+1sOl+ByM/ssIqSJPz8wCdFFGK
7y5eVteArIpsnjXFHAJEjZQ=
=lAPO
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Oct 27 23:56:53 2010
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 27 Oct 2010 17:56:53 -0600
Subject: [RHSA-2010:0807-01] Critical: java-1.5.0-ibm security update
Message-ID: <201010272356.o9RNurgd008370@int-mx01.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Critical: java-1.5.0-ibm security update
Advisory ID: RHSA-2010:0807-01
Product: Red Hat Enterprise Linux Extras
Advisory URL: https://rhn.redhat.com/errata/RHSA-2010-0807.html
Issue date: 2010-10-27
CVE Names: CVE-2009-3555 CVE-2010-1321 CVE-2010-3541 CVE-2010-3548 CVE-2010-3549 CVE-2010-3550 CVE-2010-3551 CVE-2010-3556 CVE-2010-3559 CVE-2010-3562 CVE-2010-3565 CVE-2010-3566 CVE-2010-3568 CVE-2010-3569 CVE-2010-3572 CVE-2010-3573 CVE-2010-3574
=====================================================================

1. Summary:

Updated java-1.5.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 4 Extras and 5 Supplementary.

The Red Hat Security Response Team has rated this update as having critical security impact.
Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

RHEL Desktop Supplementary (v. 5 client) - i386, x86_64
RHEL Supplementary (v. 5 server) - i386, ppc, s390x, x86_64
Red Hat Desktop version 4 Extras - i386, x86_64
Red Hat Enterprise Linux AS version 4 Extras - i386, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux ES version 4 Extras - i386, x86_64
Red Hat Enterprise Linux WS version 4 Extras - i386, x86_64

3. Description:

The IBM 1.5.0 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit.

This update fixes several vulnerabilities in the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. Detailed vulnerability descriptions are linked from the IBM "Security alerts" page, listed in the References section. (CVE-2010-1321, CVE-2010-3541, CVE-2010-3548, CVE-2010-3549, CVE-2010-3550, CVE-2010-3551, CVE-2010-3556, CVE-2010-3559, CVE-2010-3562, CVE-2010-3565, CVE-2010-3566, CVE-2010-3568, CVE-2010-3569, CVE-2010-3572, CVE-2010-3573, CVE-2010-3574)

The RHSA-2010:0130 update mitigated a man-in-the-middle attack in the way the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocols handle session renegotiation by disabling renegotiation. This update implements the TLS Renegotiation Indication Extension as defined in RFC 5746, allowing secure renegotiation between updated clients and servers. (CVE-2009-3555)

All users of java-1.5.0-ibm are advised to upgrade to these updated packages, containing the IBM 1.5.0 SR12-FP2 Java release. All running instances of IBM Java must be restarted for this update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network.
Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

533125 - CVE-2009-3555 TLS: MITM attacks via session renegotiation
582466 - CVE-2010-1321 krb5: null pointer dereference in GSS-API library leads to DoS (MITKRB5-SA-2010-005)
639876 - CVE-2010-3568 OpenJDK Deserialization Race condition (6559775)
639897 - CVE-2010-3562 OpenJDK IndexColorModel double-free (6925710)
639909 - CVE-2010-3548 OpenJDK DNS server IP address information leak (6957564)
639920 - CVE-2010-3565 OpenJDK JPEG writeImage remote code execution (6963023)
639922 - CVE-2010-3566 OpenJDK ICC Profile remote code execution (6963489)
639925 - CVE-2010-3569 OpenJDK Serialization inconsistencies (6966692)
642180 - CVE-2010-3549 OpenJDK HttpURLConnection request splitting (6952017)
642187 - CVE-2010-3551 OpenJDK local network address disclosure (6952603)
642202 - CVE-2010-3541 CVE-2010-3573 OpenJDK HttpURLConnection allows arbitrary request headers (6961084,6980004)
642215 - CVE-2010-3574 OpenJDK HttpURLConnection incomplete TRACE permission check (6981426)
642559 - CVE-2010-3550 JDK unspecified vulnerability in Java Web Start component
642576 - CVE-2010-3556 JDK unspecified vulnerability in 2D component
642606 - CVE-2010-3559 JDK unspecified vulnerability in Sound component
642611 - CVE-2010-3572 JDK unspecified vulnerability in Sound component

6.
Package List:

Red Hat Enterprise Linux AS version 4 Extras:

i386:
java-1.5.0-ibm-1.5.0.12.2-1jpp.1.el4.i386.rpm
java-1.5.0-ibm-demo-1.5.0.12.2-1jpp.1.el4.i386.rpm
java-1.5.0-ibm-devel-1.5.0.12.2-1jpp.1.el4.i386.rpm
java-1.5.0-ibm-javacomm-1.5.0.12.2-1jpp.1.el4.i386.rpm
java-1.5.0-ibm-jdbc-1.5.0.12.2-1jpp.1.el4.i386.rpm
java-1.5.0-ibm-plugin-1.5.0.12.2-1jpp.1.el4.i386.rpm
java-1.5.0-ibm-src-1.5.0.12.2-1jpp.1.el4.i386.rpm

ppc:
java-1.5.0-ibm-1.5.0.12.2-1jpp.1.el4.ppc.rpm
java-1.5.0-ibm-1.5.0.12.2-1jpp.1.el4.ppc64.rpm
java-1.5.0-ibm-demo-1.5.0.12.2-1jpp.1.el4.ppc.rpm
java-1.5.0-ibm-demo-1.5.0.12.2-1jpp.1.el4.ppc64.rpm
java-1.5.0-ibm-devel-1.5.0.12.2-1jpp.1.el4.ppc.rpm
java-1.5.0-ibm-devel-1.5.0.12.2-1jpp.1.el4.ppc64.rpm
java-1.5.0-ibm-javacomm-1.5.0.12.2-1jpp.1.el4.ppc.rpm
java-1.5.0-ibm-javacomm-1.5.0.12.2-1jpp.1.el4.ppc64.rpm
java-1.5.0-ibm-jdbc-1.5.0.12.2-1jpp.1.el4.ppc.rpm
java-1.5.0-ibm-plugin-1.5.0.12.2-1jpp.1.el4.ppc.rpm
java-1.5.0-ibm-src-1.5.0.12.2-1jpp.1.el4.ppc.rpm
java-1.5.0-ibm-src-1.5.0.12.2-1jpp.1.el4.ppc64.rpm

s390:
java-1.5.0-ibm-1.5.0.12.2-1jpp.1.el4.s390.rpm
java-1.5.0-ibm-demo-1.5.0.12.2-1jpp.1.el4.s390.rpm
java-1.5.0-ibm-devel-1.5.0.12.2-1jpp.1.el4.s390.rpm
java-1.5.0-ibm-jdbc-1.5.0.12.2-1jpp.1.el4.s390.rpm
java-1.5.0-ibm-src-1.5.0.12.2-1jpp.1.el4.s390.rpm

s390x:
java-1.5.0-ibm-1.5.0.12.2-1jpp.1.el4.s390x.rpm
java-1.5.0-ibm-demo-1.5.0.12.2-1jpp.1.el4.s390x.rpm
java-1.5.0-ibm-devel-1.5.0.12.2-1jpp.1.el4.s390x.rpm
java-1.5.0-ibm-src-1.5.0.12.2-1jpp.1.el4.s390x.rpm

x86_64:
java-1.5.0-ibm-1.5.0.12.2-1jpp.1.el4.x86_64.rpm
java-1.5.0-ibm-demo-1.5.0.12.2-1jpp.1.el4.x86_64.rpm
java-1.5.0-ibm-devel-1.5.0.12.2-1jpp.1.el4.x86_64.rpm
java-1.5.0-ibm-javacomm-1.5.0.12.2-1jpp.1.el4.x86_64.rpm
java-1.5.0-ibm-src-1.5.0.12.2-1jpp.1.el4.x86_64.rpm

Red Hat Desktop version 4 Extras:

i386:
java-1.5.0-ibm-1.5.0.12.2-1jpp.1.el4.i386.rpm
java-1.5.0-ibm-demo-1.5.0.12.2-1jpp.1.el4.i386.rpm
java-1.5.0-ibm-devel-1.5.0.12.2-1jpp.1.el4.i386.rpm
java-1.5.0-ibm-javacomm-1.5.0.12.2-1jpp.1.el4.i386.rpm
java-1.5.0-ibm-jdbc-1.5.0.12.2-1jpp.1.el4.i386.rpm
java-1.5.0-ibm-plugin-1.5.0.12.2-1jpp.1.el4.i386.rpm
java-1.5.0-ibm-src-1.5.0.12.2-1jpp.1.el4.i386.rpm

x86_64:
java-1.5.0-ibm-1.5.0.12.2-1jpp.1.el4.x86_64.rpm
java-1.5.0-ibm-demo-1.5.0.12.2-1jpp.1.el4.x86_64.rpm
java-1.5.0-ibm-devel-1.5.0.12.2-1jpp.1.el4.x86_64.rpm
java-1.5.0-ibm-javacomm-1.5.0.12.2-1jpp.1.el4.x86_64.rpm
java-1.5.0-ibm-src-1.5.0.12.2-1jpp.1.el4.x86_64.rpm

Red Hat Enterprise Linux ES version 4 Extras:

i386:
java-1.5.0-ibm-1.5.0.12.2-1jpp.1.el4.i386.rpm
java-1.5.0-ibm-demo-1.5.0.12.2-1jpp.1.el4.i386.rpm
java-1.5.0-ibm-devel-1.5.0.12.2-1jpp.1.el4.i386.rpm
java-1.5.0-ibm-javacomm-1.5.0.12.2-1jpp.1.el4.i386.rpm
java-1.5.0-ibm-jdbc-1.5.0.12.2-1jpp.1.el4.i386.rpm
java-1.5.0-ibm-plugin-1.5.0.12.2-1jpp.1.el4.i386.rpm
java-1.5.0-ibm-src-1.5.0.12.2-1jpp.1.el4.i386.rpm

x86_64:
java-1.5.0-ibm-1.5.0.12.2-1jpp.1.el4.x86_64.rpm
java-1.5.0-ibm-demo-1.5.0.12.2-1jpp.1.el4.x86_64.rpm
java-1.5.0-ibm-devel-1.5.0.12.2-1jpp.1.el4.x86_64.rpm
java-1.5.0-ibm-javacomm-1.5.0.12.2-1jpp.1.el4.x86_64.rpm
java-1.5.0-ibm-src-1.5.0.12.2-1jpp.1.el4.x86_64.rpm

Red Hat Enterprise Linux WS version 4 Extras:

i386:
java-1.5.0-ibm-1.5.0.12.2-1jpp.1.el4.i386.rpm
java-1.5.0-ibm-demo-1.5.0.12.2-1jpp.1.el4.i386.rpm
java-1.5.0-ibm-devel-1.5.0.12.2-1jpp.1.el4.i386.rpm
java-1.5.0-ibm-javacomm-1.5.0.12.2-1jpp.1.el4.i386.rpm
java-1.5.0-ibm-jdbc-1.5.0.12.2-1jpp.1.el4.i386.rpm
java-1.5.0-ibm-plugin-1.5.0.12.2-1jpp.1.el4.i386.rpm
java-1.5.0-ibm-src-1.5.0.12.2-1jpp.1.el4.i386.rpm

x86_64:
java-1.5.0-ibm-1.5.0.12.2-1jpp.1.el4.x86_64.rpm
java-1.5.0-ibm-demo-1.5.0.12.2-1jpp.1.el4.x86_64.rpm
java-1.5.0-ibm-devel-1.5.0.12.2-1jpp.1.el4.x86_64.rpm
java-1.5.0-ibm-javacomm-1.5.0.12.2-1jpp.1.el4.x86_64.rpm
java-1.5.0-ibm-src-1.5.0.12.2-1jpp.1.el4.x86_64.rpm

RHEL Desktop Supplementary (v.
5 client):

i386:
java-1.5.0-ibm-1.5.0.12.2-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-accessibility-1.5.0.12.2-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-demo-1.5.0.12.2-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-devel-1.5.0.12.2-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-javacomm-1.5.0.12.2-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-jdbc-1.5.0.12.2-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-plugin-1.5.0.12.2-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-src-1.5.0.12.2-1jpp.1.el5.i386.rpm

x86_64:
java-1.5.0-ibm-1.5.0.12.2-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-1.5.0.12.2-1jpp.1.el5.x86_64.rpm
java-1.5.0-ibm-accessibility-1.5.0.12.2-1jpp.1.el5.x86_64.rpm
java-1.5.0-ibm-demo-1.5.0.12.2-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-demo-1.5.0.12.2-1jpp.1.el5.x86_64.rpm
java-1.5.0-ibm-devel-1.5.0.12.2-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-devel-1.5.0.12.2-1jpp.1.el5.x86_64.rpm
java-1.5.0-ibm-javacomm-1.5.0.12.2-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-javacomm-1.5.0.12.2-1jpp.1.el5.x86_64.rpm
java-1.5.0-ibm-jdbc-1.5.0.12.2-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-plugin-1.5.0.12.2-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-src-1.5.0.12.2-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-src-1.5.0.12.2-1jpp.1.el5.x86_64.rpm

RHEL Supplementary (v.
5 server):

i386:
java-1.5.0-ibm-1.5.0.12.2-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-accessibility-1.5.0.12.2-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-demo-1.5.0.12.2-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-devel-1.5.0.12.2-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-javacomm-1.5.0.12.2-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-jdbc-1.5.0.12.2-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-plugin-1.5.0.12.2-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-src-1.5.0.12.2-1jpp.1.el5.i386.rpm

ppc:
java-1.5.0-ibm-1.5.0.12.2-1jpp.1.el5.ppc.rpm
java-1.5.0-ibm-1.5.0.12.2-1jpp.1.el5.ppc64.rpm
java-1.5.0-ibm-accessibility-1.5.0.12.2-1jpp.1.el5.ppc.rpm
java-1.5.0-ibm-demo-1.5.0.12.2-1jpp.1.el5.ppc.rpm
java-1.5.0-ibm-demo-1.5.0.12.2-1jpp.1.el5.ppc64.rpm
java-1.5.0-ibm-devel-1.5.0.12.2-1jpp.1.el5.ppc.rpm
java-1.5.0-ibm-devel-1.5.0.12.2-1jpp.1.el5.ppc64.rpm
java-1.5.0-ibm-javacomm-1.5.0.12.2-1jpp.1.el5.ppc.rpm
java-1.5.0-ibm-javacomm-1.5.0.12.2-1jpp.1.el5.ppc64.rpm
java-1.5.0-ibm-jdbc-1.5.0.12.2-1jpp.1.el5.ppc.rpm
java-1.5.0-ibm-plugin-1.5.0.12.2-1jpp.1.el5.ppc.rpm
java-1.5.0-ibm-src-1.5.0.12.2-1jpp.1.el5.ppc.rpm
java-1.5.0-ibm-src-1.5.0.12.2-1jpp.1.el5.ppc64.rpm

s390x:
java-1.5.0-ibm-1.5.0.12.2-1jpp.1.el5.s390.rpm
java-1.5.0-ibm-1.5.0.12.2-1jpp.1.el5.s390x.rpm
java-1.5.0-ibm-accessibility-1.5.0.12.2-1jpp.1.el5.s390x.rpm
java-1.5.0-ibm-demo-1.5.0.12.2-1jpp.1.el5.s390.rpm
java-1.5.0-ibm-demo-1.5.0.12.2-1jpp.1.el5.s390x.rpm
java-1.5.0-ibm-devel-1.5.0.12.2-1jpp.1.el5.s390.rpm
java-1.5.0-ibm-devel-1.5.0.12.2-1jpp.1.el5.s390x.rpm
java-1.5.0-ibm-jdbc-1.5.0.12.2-1jpp.1.el5.s390.rpm
java-1.5.0-ibm-src-1.5.0.12.2-1jpp.1.el5.s390.rpm
java-1.5.0-ibm-src-1.5.0.12.2-1jpp.1.el5.s390x.rpm

x86_64:
java-1.5.0-ibm-1.5.0.12.2-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-1.5.0.12.2-1jpp.1.el5.x86_64.rpm
java-1.5.0-ibm-accessibility-1.5.0.12.2-1jpp.1.el5.x86_64.rpm
java-1.5.0-ibm-demo-1.5.0.12.2-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-demo-1.5.0.12.2-1jpp.1.el5.x86_64.rpm
java-1.5.0-ibm-devel-1.5.0.12.2-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-devel-1.5.0.12.2-1jpp.1.el5.x86_64.rpm
java-1.5.0-ibm-javacomm-1.5.0.12.2-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-javacomm-1.5.0.12.2-1jpp.1.el5.x86_64.rpm
java-1.5.0-ibm-jdbc-1.5.0.12.2-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-plugin-1.5.0.12.2-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-src-1.5.0.12.2-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-src-1.5.0.12.2-1jpp.1.el5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2009-3555.html
https://www.redhat.com/security/data/cve/CVE-2010-1321.html
https://www.redhat.com/security/data/cve/CVE-2010-3541.html
https://www.redhat.com/security/data/cve/CVE-2010-3548.html
https://www.redhat.com/security/data/cve/CVE-2010-3549.html
https://www.redhat.com/security/data/cve/CVE-2010-3550.html
https://www.redhat.com/security/data/cve/CVE-2010-3551.html
https://www.redhat.com/security/data/cve/CVE-2010-3556.html
https://www.redhat.com/security/data/cve/CVE-2010-3559.html
https://www.redhat.com/security/data/cve/CVE-2010-3562.html
https://www.redhat.com/security/data/cve/CVE-2010-3565.html
https://www.redhat.com/security/data/cve/CVE-2010-3566.html
https://www.redhat.com/security/data/cve/CVE-2010-3568.html
https://www.redhat.com/security/data/cve/CVE-2010-3569.html
https://www.redhat.com/security/data/cve/CVE-2010-3572.html
https://www.redhat.com/security/data/cve/CVE-2010-3573.html
https://www.redhat.com/security/data/cve/CVE-2010-3574.html
http://www.redhat.com/security/updates/classification/#critical
http://www.ibm.com/developerworks/java/jdk/alerts/
https://access.redhat.com/kb/docs/DOC-20491

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2010 Red Hat, Inc.
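The CVE-2009-3555 paragraph in this advisory describes two successive positions on TLS renegotiation: the earlier RHSA-2010:0130 update refused renegotiation altogether, and this update implements RFC 5746 so that peers which can prove continuity are allowed to renegotiate. The mechanics live in the ClientHello: a client announces support either with the TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite value or with the renegotiation_info extension, and on a renegotiation the extension must carry the client's verify_data from the previous handshake. The following is an added example, not IBM's or Red Hat's code: it builds ClientHellos in memory (TLS 1.0 framing, one ordinary cipher suite, constructed rather than captured), parses them back, and applies the initial-handshake and renegotiation rules from RFC 5746 sections 3.4 and 3.7. Only the handshake fields the check needs are modelled.

```python
"""RFC 5746 renegotiation signalling in a TLS ClientHello: build one, parse one,
and apply the server-side acceptance rule.

Added example for the CVE-2009-3555 paragraph of the advisory above; not IBM's or
Red Hat's code. The hellos are constructed in memory (TLS 1.0 framing, one real
cipher suite, no captured traffic) with only the fields the check needs.
"""
import os
import struct

TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF  # RFC 5746 3.3: signalling cipher suite value
EXT_RENEGOTIATION_INFO = 0xFF01             # RFC 5746 3.2: renegotiation_info extension
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F       # an ordinary suite for the sample hellos


def renegotiation_info(verify_data: bytes = b"") -> bytes:
    """Encode renegotiated_connection<0..255>: one length byte, then the data.
    Empty on the initial handshake, the previous client verify_data afterwards."""
    return bytes([len(verify_data)]) + verify_data


def build_client_hello(cipher_suites, extensions, version=(3, 1)):
    """Return a TLS record carrying a ClientHello with the given cipher suites and
    extensions (list of (type, data)). Every length is computed, none hand-counted."""
    body = struct.pack(">BB", *version) + os.urandom(32)       # client_version, random
    body += b"\x00"                                            # empty session_id
    suites = b"".join(struct.pack(">H", cs) for cs in cipher_suites)
    body += struct.pack(">H", len(suites)) + suites
    body += b"\x01\x00"                                        # compression_methods: null
    if extensions:                                             # old clients send no block
        exts = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack(">H", len(exts)) + exts
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body   # client_hello, 24-bit len
    header = b"\x16" + struct.pack(">BB", *version) + struct.pack(">H", len(handshake))
    return header + handshake


def parse_client_hello(record: bytes) -> dict:
    """Extract the cipher suite list and the extension map from a ClientHello record."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack(">H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or hs[0] != 0x01:
        raise ValueError("not a complete ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                               # skip client_version, random
    pos += 1 + body[pos]                                       # skip session_id
    (cs_len,) = struct.unpack(">H", body[pos:pos + 2])
    pos += 2
    suites = [struct.unpack(">H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                       # skip compression_methods
    extensions = {}
    if pos < len(body):                                        # extensions block is optional
        (ext_len,) = struct.unpack(">H", body[pos:pos + 2])
        pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4])
            pos += 4
            extensions[etype] = body[pos:pos + elen]
            pos += elen
    return {"cipher_suites": suites, "extensions": extensions}


def client_signals_secure_renegotiation(hello: dict) -> bool:
    """Initial handshake (RFC 5746 3.4): either the SCSV or the extension is enough."""
    return (TLS_EMPTY_RENEGOTIATION_INFO_SCSV in hello["cipher_suites"]
            or EXT_RENEGOTIATION_INFO in hello["extensions"])


def server_accepts_renegotiation(hello: dict, client_verify_data: bytes) -> bool:
    """Server rule for a ClientHello arriving on an existing connection (RFC 5746 3.7):
    the SCSV must be absent, the extension present, and renegotiated_connection must
    equal the client's previous verify_data. Anything else is refused, which is what
    the earlier RHSA-2010:0130 mitigation did for every peer."""
    if TLS_EMPTY_RENEGOTIATION_INFO_SCSV in hello["cipher_suites"]:
        return False
    ext = hello["extensions"].get(EXT_RENEGOTIATION_INFO)
    if not ext:
        return False
    return ext[0] == len(client_verify_data) and ext[1:] == client_verify_data


if __name__ == "__main__":
    legacy = parse_client_hello(build_client_hello([TLS_RSA_WITH_AES_128_CBC_SHA], []))
    scsv = parse_client_hello(build_client_hello(
        [TLS_RSA_WITH_AES_128_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV], []))
    ext = parse_client_hello(build_client_hello(
        [TLS_RSA_WITH_AES_128_CBC_SHA], [(EXT_RENEGOTIATION_INFO, renegotiation_info())]))
    for name, hello in ("legacy", legacy), ("scsv", scsv), ("extension", ext):
        print("%-9s signals secure renegotiation: %s"
              % (name, client_signals_secure_renegotiation(hello)))
```

The SCSV exists because some deployed servers of the time rejected unknown extensions; it says "I support RFC 5746" on the first handshake but carries no verify_data, which is why the server rule treats its presence on a renegotiation as an error rather than as proof of continuity.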
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFMyLwrXlSAg2UNWIIRAmjhAKCNkLuyHs3DyVz0hjNa9Uw9SbwE0QCdEf6a
q1Xhvxe/kIF2wVpeqQ4hlIY=
=r2SH
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Oct 27 23:58:39 2010
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 27 Oct 2010 17:58:39 -0600
Subject: [RHSA-2010:0808-01] Critical: firefox security update
Message-ID: <201010272358.o9RNweJC008624@int-mx01.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Critical: firefox security update
Advisory ID: RHSA-2010:0808-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2010-0808.html
Issue date: 2010-10-27
CVE Names: CVE-2010-3765
=====================================================================

1. Summary:

An updated firefox package that fixes one security issue is now available for Red Hat Enterprise Linux 4.

The Red Hat Security Response Team has rated this update as having critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

3. Description:

Mozilla Firefox is an open source web browser.

A race condition flaw was found in the way Firefox handled Document Object Model (DOM) element properties. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.
(CVE-2010-3765)

For technical details regarding this flaw, refer to the Mozilla security advisories for Firefox 3.6.12. You can find a link to the Mozilla advisories in the References section of this erratum.

All Firefox users should upgrade to this updated package, which contains a backported patch to correct this issue. After installing the update, Firefox must be restarted for the changes to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

646997 - CVE-2010-3765 Firefox race condition flaw (MFSA 2010-73)

6. Package List:

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/firefox-3.6.11-4.el4_8.src.rpm

i386:
firefox-3.6.11-4.el4_8.i386.rpm
firefox-debuginfo-3.6.11-4.el4_8.i386.rpm

ia64:
firefox-3.6.11-4.el4_8.ia64.rpm
firefox-debuginfo-3.6.11-4.el4_8.ia64.rpm

ppc:
firefox-3.6.11-4.el4_8.ppc.rpm
firefox-debuginfo-3.6.11-4.el4_8.ppc.rpm

s390:
firefox-3.6.11-4.el4_8.s390.rpm
firefox-debuginfo-3.6.11-4.el4_8.s390.rpm

s390x:
firefox-3.6.11-4.el4_8.s390x.rpm
firefox-debuginfo-3.6.11-4.el4_8.s390x.rpm

x86_64:
firefox-3.6.11-4.el4_8.x86_64.rpm
firefox-debuginfo-3.6.11-4.el4_8.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/firefox-3.6.11-4.el4_8.src.rpm

i386:
firefox-3.6.11-4.el4_8.i386.rpm
firefox-debuginfo-3.6.11-4.el4_8.i386.rpm

x86_64:
firefox-3.6.11-4.el4_8.x86_64.rpm
firefox-debuginfo-3.6.11-4.el4_8.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/firefox-3.6.11-4.el4_8.src.rpm

i386:
firefox-3.6.11-4.el4_8.i386.rpm
firefox-debuginfo-3.6.11-4.el4_8.i386.rpm

ia64:
firefox-3.6.11-4.el4_8.ia64.rpm
firefox-debuginfo-3.6.11-4.el4_8.ia64.rpm

x86_64:
firefox-3.6.11-4.el4_8.x86_64.rpm
firefox-debuginfo-3.6.11-4.el4_8.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/firefox-3.6.11-4.el4_8.src.rpm

i386:
firefox-3.6.11-4.el4_8.i386.rpm
firefox-debuginfo-3.6.11-4.el4_8.i386.rpm

ia64:
firefox-3.6.11-4.el4_8.ia64.rpm
firefox-debuginfo-3.6.11-4.el4_8.ia64.rpm

x86_64:
firefox-3.6.11-4.el4_8.x86_64.rpm
firefox-debuginfo-3.6.11-4.el4_8.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2010-3765.html
http://www.redhat.com/security/updates/classification/#critical
http://www.mozilla.org/security/known-vulnerabilities/firefox36.html#firefox3.6.12

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2010 Red Hat, Inc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFMyLx7XlSAg2UNWIIRAlI6AKC0R6EVZgUr/F1GQDcy4DBhWQsk/gCcDNEW
NUfuYoGzzGHIZeapwSoFqdY=
=cAW1
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Oct 27 23:59:11 2010
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 27 Oct 2010 17:59:11 -0600
Subject: [RHSA-2010:0809-01] Critical: xulrunner security update
Message-ID: <201010272359.o9RNxBZJ002681@int-mx10.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Critical: xulrunner security update
Advisory ID: RHSA-2010:0809-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2010-0809.html
Issue date: 2010-10-27
CVE Names: CVE-2010-3765
=====================================================================

1.
Summary: Updated xulrunner packages that fix one security issue are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: RHEL Desktop Workstation (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 3. Description: XULRunner provides the XUL Runtime environment for applications using the Gecko layout engine. A race condition flaw was found in the way XULRunner handled Document Object Model (DOM) element properties. Malicious HTML content could cause an application linked against XULRunner (such as Firefox) to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2010-3765) For technical details regarding this flaw, refer to the Mozilla security advisories for Firefox 3.6.12. You can find a link to the Mozilla advisories in the References section of this erratum. All XULRunner users should upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the update, applications using XULRunner must be restarted for the changes to take effect. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259 5. Bugs fixed (http://bugzilla.redhat.com/): 646997 - CVE-2010-3765 Firefox race condition flaw (MFSA 2010-73) 6. Package List: Red Hat Enterprise Linux Desktop (v. 
5 client): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/xulrunner-1.9.2.11-4.el5_5.src.rpm i386: xulrunner-1.9.2.11-4.el5_5.i386.rpm xulrunner-debuginfo-1.9.2.11-4.el5_5.i386.rpm x86_64: xulrunner-1.9.2.11-4.el5_5.i386.rpm xulrunner-1.9.2.11-4.el5_5.x86_64.rpm xulrunner-debuginfo-1.9.2.11-4.el5_5.i386.rpm xulrunner-debuginfo-1.9.2.11-4.el5_5.x86_64.rpm RHEL Desktop Workstation (v. 5 client): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/xulrunner-1.9.2.11-4.el5_5.src.rpm i386: xulrunner-debuginfo-1.9.2.11-4.el5_5.i386.rpm xulrunner-devel-1.9.2.11-4.el5_5.i386.rpm x86_64: xulrunner-debuginfo-1.9.2.11-4.el5_5.i386.rpm xulrunner-debuginfo-1.9.2.11-4.el5_5.x86_64.rpm xulrunner-devel-1.9.2.11-4.el5_5.i386.rpm xulrunner-devel-1.9.2.11-4.el5_5.x86_64.rpm Red Hat Enterprise Linux (v. 5 server): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/xulrunner-1.9.2.11-4.el5_5.src.rpm i386: xulrunner-1.9.2.11-4.el5_5.i386.rpm xulrunner-debuginfo-1.9.2.11-4.el5_5.i386.rpm xulrunner-devel-1.9.2.11-4.el5_5.i386.rpm ia64: xulrunner-1.9.2.11-4.el5_5.ia64.rpm xulrunner-debuginfo-1.9.2.11-4.el5_5.ia64.rpm xulrunner-devel-1.9.2.11-4.el5_5.ia64.rpm ppc: xulrunner-1.9.2.11-4.el5_5.ppc.rpm xulrunner-1.9.2.11-4.el5_5.ppc64.rpm xulrunner-debuginfo-1.9.2.11-4.el5_5.ppc.rpm xulrunner-debuginfo-1.9.2.11-4.el5_5.ppc64.rpm xulrunner-devel-1.9.2.11-4.el5_5.ppc.rpm xulrunner-devel-1.9.2.11-4.el5_5.ppc64.rpm s390x: xulrunner-1.9.2.11-4.el5_5.s390.rpm xulrunner-1.9.2.11-4.el5_5.s390x.rpm xulrunner-debuginfo-1.9.2.11-4.el5_5.s390.rpm xulrunner-debuginfo-1.9.2.11-4.el5_5.s390x.rpm xulrunner-devel-1.9.2.11-4.el5_5.s390.rpm xulrunner-devel-1.9.2.11-4.el5_5.s390x.rpm x86_64: xulrunner-1.9.2.11-4.el5_5.i386.rpm xulrunner-1.9.2.11-4.el5_5.x86_64.rpm xulrunner-debuginfo-1.9.2.11-4.el5_5.i386.rpm xulrunner-debuginfo-1.9.2.11-4.el5_5.x86_64.rpm xulrunner-devel-1.9.2.11-4.el5_5.i386.rpm 
xulrunner-devel-1.9.2.11-4.el5_5.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2010-3765.html http://www.redhat.com/security/updates/classification/#critical http://www.mozilla.org/security/known-vulnerabilities/firefox36.html#firefox3.6.12 8. Contact: The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/ Copyright 2010 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFMyLy8XlSAg2UNWIIRAkN0AKCsdvI6KkQhz3tMHCkiDw2iOCaJnwCggJDY MHz4JbybUyOU8LI/4WrPi70= =wcUc -----END PGP SIGNATURE----- From bugzilla at redhat.com Thu Oct 28 00:01:15 2010 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Wed, 27 Oct 2010 18:01:15 -0600 Subject: [RHSA-2010:0810-01] Critical: seamonkey security update Message-ID: <201010280001.o9S01I9c003135@int-mx10.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Critical: seamonkey security update Advisory ID: RHSA-2010:0810-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2010-0810.html Issue date: 2010-10-27 CVE Names: CVE-2010-3765 ===================================================================== 1. Summary: Updated seamonkey packages that fix one security issue are now available for Red Hat Enterprise Linux 3 and 4. The Red Hat Security Response Team has rated this update as having critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. 
Relevant releases/architectures: Red Hat Desktop version 3 - i386, x86_64 Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64 Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64 Red Hat Enterprise Linux Desktop version 4 - i386, x86_64 Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64 Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64 Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64 Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64 3. Description: SeaMonkey is an open source web browser, email and newsgroup client, IRC chat client, and HTML editor. A race condition flaw was found in the way SeaMonkey handled Document Object Model (DOM) element properties. A web page containing malicious content could cause SeaMonkey to crash or, potentially, execute arbitrary code with the privileges of the user running SeaMonkey. (CVE-2010-3765) All SeaMonkey users should upgrade to these updated packages, which correct this issue. After installing the update, SeaMonkey must be restarted for the changes to take effect. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259 5. Bugs fixed (http://bugzilla.redhat.com/): 646997 - CVE-2010-3765 Firefox race condition flaw (MFSA 2010-73) 6. 
Package List: Red Hat Enterprise Linux AS version 3: Source: ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/seamonkey-1.0.9-0.62.el3.src.rpm i386: seamonkey-1.0.9-0.62.el3.i386.rpm seamonkey-chat-1.0.9-0.62.el3.i386.rpm seamonkey-debuginfo-1.0.9-0.62.el3.i386.rpm seamonkey-devel-1.0.9-0.62.el3.i386.rpm seamonkey-dom-inspector-1.0.9-0.62.el3.i386.rpm seamonkey-js-debugger-1.0.9-0.62.el3.i386.rpm seamonkey-mail-1.0.9-0.62.el3.i386.rpm seamonkey-nspr-1.0.9-0.62.el3.i386.rpm seamonkey-nspr-devel-1.0.9-0.62.el3.i386.rpm seamonkey-nss-1.0.9-0.62.el3.i386.rpm seamonkey-nss-devel-1.0.9-0.62.el3.i386.rpm ia64: seamonkey-1.0.9-0.62.el3.ia64.rpm seamonkey-chat-1.0.9-0.62.el3.ia64.rpm seamonkey-debuginfo-1.0.9-0.62.el3.i386.rpm seamonkey-debuginfo-1.0.9-0.62.el3.ia64.rpm seamonkey-devel-1.0.9-0.62.el3.ia64.rpm seamonkey-dom-inspector-1.0.9-0.62.el3.ia64.rpm seamonkey-js-debugger-1.0.9-0.62.el3.ia64.rpm seamonkey-mail-1.0.9-0.62.el3.ia64.rpm seamonkey-nspr-1.0.9-0.62.el3.i386.rpm seamonkey-nspr-1.0.9-0.62.el3.ia64.rpm seamonkey-nspr-devel-1.0.9-0.62.el3.ia64.rpm seamonkey-nss-1.0.9-0.62.el3.i386.rpm seamonkey-nss-1.0.9-0.62.el3.ia64.rpm seamonkey-nss-devel-1.0.9-0.62.el3.ia64.rpm ppc: seamonkey-1.0.9-0.62.el3.ppc.rpm seamonkey-chat-1.0.9-0.62.el3.ppc.rpm seamonkey-debuginfo-1.0.9-0.62.el3.ppc.rpm seamonkey-devel-1.0.9-0.62.el3.ppc.rpm seamonkey-dom-inspector-1.0.9-0.62.el3.ppc.rpm seamonkey-js-debugger-1.0.9-0.62.el3.ppc.rpm seamonkey-mail-1.0.9-0.62.el3.ppc.rpm seamonkey-nspr-1.0.9-0.62.el3.ppc.rpm seamonkey-nspr-devel-1.0.9-0.62.el3.ppc.rpm seamonkey-nss-1.0.9-0.62.el3.ppc.rpm seamonkey-nss-devel-1.0.9-0.62.el3.ppc.rpm s390: seamonkey-1.0.9-0.62.el3.s390.rpm seamonkey-chat-1.0.9-0.62.el3.s390.rpm seamonkey-debuginfo-1.0.9-0.62.el3.s390.rpm seamonkey-devel-1.0.9-0.62.el3.s390.rpm seamonkey-dom-inspector-1.0.9-0.62.el3.s390.rpm seamonkey-js-debugger-1.0.9-0.62.el3.s390.rpm seamonkey-mail-1.0.9-0.62.el3.s390.rpm seamonkey-nspr-1.0.9-0.62.el3.s390.rpm 
seamonkey-nspr-devel-1.0.9-0.62.el3.s390.rpm
seamonkey-nss-1.0.9-0.62.el3.s390.rpm
seamonkey-nss-devel-1.0.9-0.62.el3.s390.rpm

s390x:
seamonkey-1.0.9-0.62.el3.s390x.rpm
seamonkey-chat-1.0.9-0.62.el3.s390x.rpm
seamonkey-debuginfo-1.0.9-0.62.el3.s390.rpm
seamonkey-debuginfo-1.0.9-0.62.el3.s390x.rpm
seamonkey-devel-1.0.9-0.62.el3.s390x.rpm
seamonkey-dom-inspector-1.0.9-0.62.el3.s390x.rpm
seamonkey-js-debugger-1.0.9-0.62.el3.s390x.rpm
seamonkey-mail-1.0.9-0.62.el3.s390x.rpm
seamonkey-nspr-1.0.9-0.62.el3.s390.rpm
seamonkey-nspr-1.0.9-0.62.el3.s390x.rpm
seamonkey-nspr-devel-1.0.9-0.62.el3.s390x.rpm
seamonkey-nss-1.0.9-0.62.el3.s390.rpm
seamonkey-nss-1.0.9-0.62.el3.s390x.rpm
seamonkey-nss-devel-1.0.9-0.62.el3.s390x.rpm

x86_64:
seamonkey-1.0.9-0.62.el3.i386.rpm
seamonkey-1.0.9-0.62.el3.x86_64.rpm
seamonkey-chat-1.0.9-0.62.el3.x86_64.rpm
seamonkey-debuginfo-1.0.9-0.62.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.62.el3.x86_64.rpm
seamonkey-devel-1.0.9-0.62.el3.x86_64.rpm
seamonkey-dom-inspector-1.0.9-0.62.el3.x86_64.rpm
seamonkey-js-debugger-1.0.9-0.62.el3.x86_64.rpm
seamonkey-mail-1.0.9-0.62.el3.x86_64.rpm
seamonkey-nspr-1.0.9-0.62.el3.i386.rpm
seamonkey-nspr-1.0.9-0.62.el3.x86_64.rpm
seamonkey-nspr-devel-1.0.9-0.62.el3.x86_64.rpm
seamonkey-nss-1.0.9-0.62.el3.i386.rpm
seamonkey-nss-1.0.9-0.62.el3.x86_64.rpm
seamonkey-nss-devel-1.0.9-0.62.el3.x86_64.rpm

Red Hat Desktop version 3:

Source:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/seamonkey-1.0.9-0.62.el3.src.rpm

i386:
seamonkey-1.0.9-0.62.el3.i386.rpm
seamonkey-chat-1.0.9-0.62.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.62.el3.i386.rpm
seamonkey-devel-1.0.9-0.62.el3.i386.rpm
seamonkey-dom-inspector-1.0.9-0.62.el3.i386.rpm
seamonkey-js-debugger-1.0.9-0.62.el3.i386.rpm
seamonkey-mail-1.0.9-0.62.el3.i386.rpm
seamonkey-nspr-1.0.9-0.62.el3.i386.rpm
seamonkey-nspr-devel-1.0.9-0.62.el3.i386.rpm
seamonkey-nss-1.0.9-0.62.el3.i386.rpm
seamonkey-nss-devel-1.0.9-0.62.el3.i386.rpm

x86_64:
seamonkey-1.0.9-0.62.el3.i386.rpm
seamonkey-1.0.9-0.62.el3.x86_64.rpm
seamonkey-chat-1.0.9-0.62.el3.x86_64.rpm
seamonkey-debuginfo-1.0.9-0.62.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.62.el3.x86_64.rpm
seamonkey-devel-1.0.9-0.62.el3.x86_64.rpm
seamonkey-dom-inspector-1.0.9-0.62.el3.x86_64.rpm
seamonkey-js-debugger-1.0.9-0.62.el3.x86_64.rpm
seamonkey-mail-1.0.9-0.62.el3.x86_64.rpm
seamonkey-nspr-1.0.9-0.62.el3.i386.rpm
seamonkey-nspr-1.0.9-0.62.el3.x86_64.rpm
seamonkey-nspr-devel-1.0.9-0.62.el3.x86_64.rpm
seamonkey-nss-1.0.9-0.62.el3.i386.rpm
seamonkey-nss-1.0.9-0.62.el3.x86_64.rpm
seamonkey-nss-devel-1.0.9-0.62.el3.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

Source:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/seamonkey-1.0.9-0.62.el3.src.rpm

i386:
seamonkey-1.0.9-0.62.el3.i386.rpm
seamonkey-chat-1.0.9-0.62.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.62.el3.i386.rpm
seamonkey-devel-1.0.9-0.62.el3.i386.rpm
seamonkey-dom-inspector-1.0.9-0.62.el3.i386.rpm
seamonkey-js-debugger-1.0.9-0.62.el3.i386.rpm
seamonkey-mail-1.0.9-0.62.el3.i386.rpm
seamonkey-nspr-1.0.9-0.62.el3.i386.rpm
seamonkey-nspr-devel-1.0.9-0.62.el3.i386.rpm
seamonkey-nss-1.0.9-0.62.el3.i386.rpm
seamonkey-nss-devel-1.0.9-0.62.el3.i386.rpm

ia64:
seamonkey-1.0.9-0.62.el3.ia64.rpm
seamonkey-chat-1.0.9-0.62.el3.ia64.rpm
seamonkey-debuginfo-1.0.9-0.62.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.62.el3.ia64.rpm
seamonkey-devel-1.0.9-0.62.el3.ia64.rpm
seamonkey-dom-inspector-1.0.9-0.62.el3.ia64.rpm
seamonkey-js-debugger-1.0.9-0.62.el3.ia64.rpm
seamonkey-mail-1.0.9-0.62.el3.ia64.rpm
seamonkey-nspr-1.0.9-0.62.el3.i386.rpm
seamonkey-nspr-1.0.9-0.62.el3.ia64.rpm
seamonkey-nspr-devel-1.0.9-0.62.el3.ia64.rpm
seamonkey-nss-1.0.9-0.62.el3.i386.rpm
seamonkey-nss-1.0.9-0.62.el3.ia64.rpm
seamonkey-nss-devel-1.0.9-0.62.el3.ia64.rpm

x86_64:
seamonkey-1.0.9-0.62.el3.i386.rpm
seamonkey-1.0.9-0.62.el3.x86_64.rpm
seamonkey-chat-1.0.9-0.62.el3.x86_64.rpm
seamonkey-debuginfo-1.0.9-0.62.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.62.el3.x86_64.rpm
seamonkey-devel-1.0.9-0.62.el3.x86_64.rpm
seamonkey-dom-inspector-1.0.9-0.62.el3.x86_64.rpm
seamonkey-js-debugger-1.0.9-0.62.el3.x86_64.rpm
seamonkey-mail-1.0.9-0.62.el3.x86_64.rpm
seamonkey-nspr-1.0.9-0.62.el3.i386.rpm
seamonkey-nspr-1.0.9-0.62.el3.x86_64.rpm
seamonkey-nspr-devel-1.0.9-0.62.el3.x86_64.rpm
seamonkey-nss-1.0.9-0.62.el3.i386.rpm
seamonkey-nss-1.0.9-0.62.el3.x86_64.rpm
seamonkey-nss-devel-1.0.9-0.62.el3.x86_64.rpm

Red Hat Enterprise Linux WS version 3:

Source:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/seamonkey-1.0.9-0.62.el3.src.rpm

i386:
seamonkey-1.0.9-0.62.el3.i386.rpm
seamonkey-chat-1.0.9-0.62.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.62.el3.i386.rpm
seamonkey-devel-1.0.9-0.62.el3.i386.rpm
seamonkey-dom-inspector-1.0.9-0.62.el3.i386.rpm
seamonkey-js-debugger-1.0.9-0.62.el3.i386.rpm
seamonkey-mail-1.0.9-0.62.el3.i386.rpm
seamonkey-nspr-1.0.9-0.62.el3.i386.rpm
seamonkey-nspr-devel-1.0.9-0.62.el3.i386.rpm
seamonkey-nss-1.0.9-0.62.el3.i386.rpm
seamonkey-nss-devel-1.0.9-0.62.el3.i386.rpm

ia64:
seamonkey-1.0.9-0.62.el3.ia64.rpm
seamonkey-chat-1.0.9-0.62.el3.ia64.rpm
seamonkey-debuginfo-1.0.9-0.62.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.62.el3.ia64.rpm
seamonkey-devel-1.0.9-0.62.el3.ia64.rpm
seamonkey-dom-inspector-1.0.9-0.62.el3.ia64.rpm
seamonkey-js-debugger-1.0.9-0.62.el3.ia64.rpm
seamonkey-mail-1.0.9-0.62.el3.ia64.rpm
seamonkey-nspr-1.0.9-0.62.el3.i386.rpm
seamonkey-nspr-1.0.9-0.62.el3.ia64.rpm
seamonkey-nspr-devel-1.0.9-0.62.el3.ia64.rpm
seamonkey-nss-1.0.9-0.62.el3.i386.rpm
seamonkey-nss-1.0.9-0.62.el3.ia64.rpm
seamonkey-nss-devel-1.0.9-0.62.el3.ia64.rpm

x86_64:
seamonkey-1.0.9-0.62.el3.i386.rpm
seamonkey-1.0.9-0.62.el3.x86_64.rpm
seamonkey-chat-1.0.9-0.62.el3.x86_64.rpm
seamonkey-debuginfo-1.0.9-0.62.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.62.el3.x86_64.rpm
seamonkey-devel-1.0.9-0.62.el3.x86_64.rpm
seamonkey-dom-inspector-1.0.9-0.62.el3.x86_64.rpm
seamonkey-js-debugger-1.0.9-0.62.el3.x86_64.rpm
seamonkey-mail-1.0.9-0.62.el3.x86_64.rpm
seamonkey-nspr-1.0.9-0.62.el3.i386.rpm
seamonkey-nspr-1.0.9-0.62.el3.x86_64.rpm
seamonkey-nspr-devel-1.0.9-0.62.el3.x86_64.rpm
seamonkey-nss-1.0.9-0.62.el3.i386.rpm
seamonkey-nss-1.0.9-0.62.el3.x86_64.rpm
seamonkey-nss-devel-1.0.9-0.62.el3.x86_64.rpm

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/seamonkey-1.0.9-65.el4_8.src.rpm

i386:
seamonkey-1.0.9-65.el4_8.i386.rpm
seamonkey-chat-1.0.9-65.el4_8.i386.rpm
seamonkey-debuginfo-1.0.9-65.el4_8.i386.rpm
seamonkey-devel-1.0.9-65.el4_8.i386.rpm
seamonkey-dom-inspector-1.0.9-65.el4_8.i386.rpm
seamonkey-js-debugger-1.0.9-65.el4_8.i386.rpm
seamonkey-mail-1.0.9-65.el4_8.i386.rpm

ia64:
seamonkey-1.0.9-65.el4_8.ia64.rpm
seamonkey-chat-1.0.9-65.el4_8.ia64.rpm
seamonkey-debuginfo-1.0.9-65.el4_8.ia64.rpm
seamonkey-devel-1.0.9-65.el4_8.ia64.rpm
seamonkey-dom-inspector-1.0.9-65.el4_8.ia64.rpm
seamonkey-js-debugger-1.0.9-65.el4_8.ia64.rpm
seamonkey-mail-1.0.9-65.el4_8.ia64.rpm

ppc:
seamonkey-1.0.9-65.el4_8.ppc.rpm
seamonkey-chat-1.0.9-65.el4_8.ppc.rpm
seamonkey-debuginfo-1.0.9-65.el4_8.ppc.rpm
seamonkey-devel-1.0.9-65.el4_8.ppc.rpm
seamonkey-dom-inspector-1.0.9-65.el4_8.ppc.rpm
seamonkey-js-debugger-1.0.9-65.el4_8.ppc.rpm
seamonkey-mail-1.0.9-65.el4_8.ppc.rpm

s390:
seamonkey-1.0.9-65.el4_8.s390.rpm
seamonkey-chat-1.0.9-65.el4_8.s390.rpm
seamonkey-debuginfo-1.0.9-65.el4_8.s390.rpm
seamonkey-devel-1.0.9-65.el4_8.s390.rpm
seamonkey-dom-inspector-1.0.9-65.el4_8.s390.rpm
seamonkey-js-debugger-1.0.9-65.el4_8.s390.rpm
seamonkey-mail-1.0.9-65.el4_8.s390.rpm

s390x:
seamonkey-1.0.9-65.el4_8.s390x.rpm
seamonkey-chat-1.0.9-65.el4_8.s390x.rpm
seamonkey-debuginfo-1.0.9-65.el4_8.s390x.rpm
seamonkey-devel-1.0.9-65.el4_8.s390x.rpm
seamonkey-dom-inspector-1.0.9-65.el4_8.s390x.rpm
seamonkey-js-debugger-1.0.9-65.el4_8.s390x.rpm
seamonkey-mail-1.0.9-65.el4_8.s390x.rpm

x86_64:
seamonkey-1.0.9-65.el4_8.x86_64.rpm
seamonkey-chat-1.0.9-65.el4_8.x86_64.rpm
seamonkey-debuginfo-1.0.9-65.el4_8.x86_64.rpm
seamonkey-devel-1.0.9-65.el4_8.x86_64.rpm
seamonkey-dom-inspector-1.0.9-65.el4_8.x86_64.rpm
seamonkey-js-debugger-1.0.9-65.el4_8.x86_64.rpm
seamonkey-mail-1.0.9-65.el4_8.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/seamonkey-1.0.9-65.el4_8.src.rpm

i386:
seamonkey-1.0.9-65.el4_8.i386.rpm
seamonkey-chat-1.0.9-65.el4_8.i386.rpm
seamonkey-debuginfo-1.0.9-65.el4_8.i386.rpm
seamonkey-devel-1.0.9-65.el4_8.i386.rpm
seamonkey-dom-inspector-1.0.9-65.el4_8.i386.rpm
seamonkey-js-debugger-1.0.9-65.el4_8.i386.rpm
seamonkey-mail-1.0.9-65.el4_8.i386.rpm

x86_64:
seamonkey-1.0.9-65.el4_8.x86_64.rpm
seamonkey-chat-1.0.9-65.el4_8.x86_64.rpm
seamonkey-debuginfo-1.0.9-65.el4_8.x86_64.rpm
seamonkey-devel-1.0.9-65.el4_8.x86_64.rpm
seamonkey-dom-inspector-1.0.9-65.el4_8.x86_64.rpm
seamonkey-js-debugger-1.0.9-65.el4_8.x86_64.rpm
seamonkey-mail-1.0.9-65.el4_8.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/seamonkey-1.0.9-65.el4_8.src.rpm

i386:
seamonkey-1.0.9-65.el4_8.i386.rpm
seamonkey-chat-1.0.9-65.el4_8.i386.rpm
seamonkey-debuginfo-1.0.9-65.el4_8.i386.rpm
seamonkey-devel-1.0.9-65.el4_8.i386.rpm
seamonkey-dom-inspector-1.0.9-65.el4_8.i386.rpm
seamonkey-js-debugger-1.0.9-65.el4_8.i386.rpm
seamonkey-mail-1.0.9-65.el4_8.i386.rpm

ia64:
seamonkey-1.0.9-65.el4_8.ia64.rpm
seamonkey-chat-1.0.9-65.el4_8.ia64.rpm
seamonkey-debuginfo-1.0.9-65.el4_8.ia64.rpm
seamonkey-devel-1.0.9-65.el4_8.ia64.rpm
seamonkey-dom-inspector-1.0.9-65.el4_8.ia64.rpm
seamonkey-js-debugger-1.0.9-65.el4_8.ia64.rpm
seamonkey-mail-1.0.9-65.el4_8.ia64.rpm

x86_64:
seamonkey-1.0.9-65.el4_8.x86_64.rpm
seamonkey-chat-1.0.9-65.el4_8.x86_64.rpm
seamonkey-debuginfo-1.0.9-65.el4_8.x86_64.rpm
seamonkey-devel-1.0.9-65.el4_8.x86_64.rpm
seamonkey-dom-inspector-1.0.9-65.el4_8.x86_64.rpm
seamonkey-js-debugger-1.0.9-65.el4_8.x86_64.rpm
seamonkey-mail-1.0.9-65.el4_8.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/seamonkey-1.0.9-65.el4_8.src.rpm

i386:
seamonkey-1.0.9-65.el4_8.i386.rpm
seamonkey-chat-1.0.9-65.el4_8.i386.rpm
seamonkey-debuginfo-1.0.9-65.el4_8.i386.rpm
seamonkey-devel-1.0.9-65.el4_8.i386.rpm
seamonkey-dom-inspector-1.0.9-65.el4_8.i386.rpm
seamonkey-js-debugger-1.0.9-65.el4_8.i386.rpm
seamonkey-mail-1.0.9-65.el4_8.i386.rpm

ia64:
seamonkey-1.0.9-65.el4_8.ia64.rpm
seamonkey-chat-1.0.9-65.el4_8.ia64.rpm
seamonkey-debuginfo-1.0.9-65.el4_8.ia64.rpm
seamonkey-devel-1.0.9-65.el4_8.ia64.rpm
seamonkey-dom-inspector-1.0.9-65.el4_8.ia64.rpm
seamonkey-js-debugger-1.0.9-65.el4_8.ia64.rpm
seamonkey-mail-1.0.9-65.el4_8.ia64.rpm

x86_64:
seamonkey-1.0.9-65.el4_8.x86_64.rpm
seamonkey-chat-1.0.9-65.el4_8.x86_64.rpm
seamonkey-debuginfo-1.0.9-65.el4_8.x86_64.rpm
seamonkey-devel-1.0.9-65.el4_8.x86_64.rpm
seamonkey-dom-inspector-1.0.9-65.el4_8.x86_64.rpm
seamonkey-js-debugger-1.0.9-65.el4_8.x86_64.rpm
seamonkey-mail-1.0.9-65.el4_8.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2010-3765.html
http://www.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2010 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFMyLznXlSAg2UNWIIRAgjsAJ9/C4DreKvv7+Pf9ZEdpq2uEB+1cwCglTWd
n0HKvkopPLk7/SLkYujLDg8=
=kfrd
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Fri Oct 29 02:21:11 2010
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 28 Oct 2010 20:21:11 -0600
Subject: [RHSA-2010:0811-01] Important: cups security update
Message-ID: <201010290221.o9T2LBD8015451@int-mx09.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Important: cups security update
Advisory ID: RHSA-2010:0811-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2010-0811.html
Issue date: 2010-10-28
CVE Names: CVE-2010-2431 CVE-2010-2941
=====================================================================

1. Summary:

Updated cups packages that fix two security issues are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64

3. Description:

The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX operating systems.

A use-after-free flaw was found in the way the CUPS server parsed Internet Printing Protocol (IPP) packets. A malicious user able to send IPP requests to the CUPS server could use this flaw to crash the CUPS server or, potentially, execute arbitrary code with the privileges of the CUPS server.
(CVE-2010-2941)

A possible privilege escalation flaw was found in CUPS. An unprivileged process running as the "lp" user (such as a compromised external filter program spawned by the CUPS server) could trick the CUPS server into overwriting arbitrary files as the root user. (CVE-2010-2431)

Red Hat would like to thank Emmanuel Bouillon of NATO C3 Agency for reporting the CVE-2010-2941 issue.

Users of cups are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the cupsd daemon will be restarted automatically.

4. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

605397 - CVE-2010-2431 cups: latent privilege escalation vulnerability
624438 - CVE-2010-2941 cups: cupsd memory corruption vulnerability

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/cups-1.3.7-18.el5_5.8.src.rpm

i386:
cups-1.3.7-18.el5_5.8.i386.rpm
cups-debuginfo-1.3.7-18.el5_5.8.i386.rpm
cups-libs-1.3.7-18.el5_5.8.i386.rpm
cups-lpd-1.3.7-18.el5_5.8.i386.rpm

x86_64:
cups-1.3.7-18.el5_5.8.x86_64.rpm
cups-debuginfo-1.3.7-18.el5_5.8.i386.rpm
cups-debuginfo-1.3.7-18.el5_5.8.x86_64.rpm
cups-libs-1.3.7-18.el5_5.8.i386.rpm
cups-libs-1.3.7-18.el5_5.8.x86_64.rpm
cups-lpd-1.3.7-18.el5_5.8.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/cups-1.3.7-18.el5_5.8.src.rpm

i386:
cups-debuginfo-1.3.7-18.el5_5.8.i386.rpm
cups-devel-1.3.7-18.el5_5.8.i386.rpm

x86_64:
cups-debuginfo-1.3.7-18.el5_5.8.i386.rpm
cups-debuginfo-1.3.7-18.el5_5.8.x86_64.rpm
cups-devel-1.3.7-18.el5_5.8.i386.rpm
cups-devel-1.3.7-18.el5_5.8.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/cups-1.3.7-18.el5_5.8.src.rpm

i386:
cups-1.3.7-18.el5_5.8.i386.rpm
cups-debuginfo-1.3.7-18.el5_5.8.i386.rpm
cups-devel-1.3.7-18.el5_5.8.i386.rpm
cups-libs-1.3.7-18.el5_5.8.i386.rpm
cups-lpd-1.3.7-18.el5_5.8.i386.rpm

ia64:
cups-1.3.7-18.el5_5.8.ia64.rpm
cups-debuginfo-1.3.7-18.el5_5.8.i386.rpm
cups-debuginfo-1.3.7-18.el5_5.8.ia64.rpm
cups-devel-1.3.7-18.el5_5.8.ia64.rpm
cups-libs-1.3.7-18.el5_5.8.i386.rpm
cups-libs-1.3.7-18.el5_5.8.ia64.rpm
cups-lpd-1.3.7-18.el5_5.8.ia64.rpm

ppc:
cups-1.3.7-18.el5_5.8.ppc.rpm
cups-debuginfo-1.3.7-18.el5_5.8.ppc.rpm
cups-debuginfo-1.3.7-18.el5_5.8.ppc64.rpm
cups-devel-1.3.7-18.el5_5.8.ppc.rpm
cups-devel-1.3.7-18.el5_5.8.ppc64.rpm
cups-libs-1.3.7-18.el5_5.8.ppc.rpm
cups-libs-1.3.7-18.el5_5.8.ppc64.rpm
cups-lpd-1.3.7-18.el5_5.8.ppc.rpm

s390x:
cups-1.3.7-18.el5_5.8.s390x.rpm
cups-debuginfo-1.3.7-18.el5_5.8.s390.rpm
cups-debuginfo-1.3.7-18.el5_5.8.s390x.rpm
cups-devel-1.3.7-18.el5_5.8.s390.rpm
cups-devel-1.3.7-18.el5_5.8.s390x.rpm
cups-libs-1.3.7-18.el5_5.8.s390.rpm
cups-libs-1.3.7-18.el5_5.8.s390x.rpm
cups-lpd-1.3.7-18.el5_5.8.s390x.rpm

x86_64:
cups-1.3.7-18.el5_5.8.x86_64.rpm
cups-debuginfo-1.3.7-18.el5_5.8.i386.rpm
cups-debuginfo-1.3.7-18.el5_5.8.x86_64.rpm
cups-devel-1.3.7-18.el5_5.8.i386.rpm
cups-devel-1.3.7-18.el5_5.8.x86_64.rpm
cups-libs-1.3.7-18.el5_5.8.i386.rpm
cups-libs-1.3.7-18.el5_5.8.x86_64.rpm
cups-lpd-1.3.7-18.el5_5.8.x86_64.rpm

These packages are GPG signed by Red Hat for security.
Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2010-2431.html
https://www.redhat.com/security/data/cve/CVE-2010-2941.html
http://www.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2010 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFMyi99XlSAg2UNWIIRAqnDAJwLX9UceMEIUpFP8srwaTCGPGgOUgCfe8Kc
XLNcaBXtyQTWGMaYio2uVXY=
=JDnN
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Fri Oct 29 02:53:33 2010
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 28 Oct 2010 20:53:33 -0600
Subject: [RHSA-2010:0812-01] Moderate: thunderbird security update
Message-ID: <201010290253.o9T2rXfC004522@int-mx02.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: thunderbird security update
Advisory ID: RHSA-2010:0812-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2010-0812.html
Issue date: 2010-10-28
CVE Names: CVE-2010-3765
=====================================================================

1. Summary:

An updated thunderbird package that fixes one security issue is now available for Red Hat Enterprise Linux 4 and 5.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

RHEL Optional Productivity Applications (v. 5 server) - i386, x86_64
Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

A race condition flaw was found in the way Thunderbird handled Document Object Model (DOM) element properties. An HTML mail message containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2010-3765)

Note: JavaScript support is disabled by default in Thunderbird. The CVE-2010-3765 issue is not exploitable unless JavaScript is enabled.

All Thunderbird users should upgrade to this updated package, which resolves this issue. All running instances of Thunderbird must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

646997 - CVE-2010-3765 Firefox race condition flaw (MFSA 2010-73)

6. Package List:

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/thunderbird-1.5.0.12-33.el4.src.rpm

i386:
thunderbird-1.5.0.12-33.el4.i386.rpm
thunderbird-debuginfo-1.5.0.12-33.el4.i386.rpm

ia64:
thunderbird-1.5.0.12-33.el4.ia64.rpm
thunderbird-debuginfo-1.5.0.12-33.el4.ia64.rpm

ppc:
thunderbird-1.5.0.12-33.el4.ppc.rpm
thunderbird-debuginfo-1.5.0.12-33.el4.ppc.rpm

s390:
thunderbird-1.5.0.12-33.el4.s390.rpm
thunderbird-debuginfo-1.5.0.12-33.el4.s390.rpm

s390x:
thunderbird-1.5.0.12-33.el4.s390x.rpm
thunderbird-debuginfo-1.5.0.12-33.el4.s390x.rpm

x86_64:
thunderbird-1.5.0.12-33.el4.x86_64.rpm
thunderbird-debuginfo-1.5.0.12-33.el4.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/thunderbird-1.5.0.12-33.el4.src.rpm

i386:
thunderbird-1.5.0.12-33.el4.i386.rpm
thunderbird-debuginfo-1.5.0.12-33.el4.i386.rpm

x86_64:
thunderbird-1.5.0.12-33.el4.x86_64.rpm
thunderbird-debuginfo-1.5.0.12-33.el4.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/thunderbird-1.5.0.12-33.el4.src.rpm

i386:
thunderbird-1.5.0.12-33.el4.i386.rpm
thunderbird-debuginfo-1.5.0.12-33.el4.i386.rpm

ia64:
thunderbird-1.5.0.12-33.el4.ia64.rpm
thunderbird-debuginfo-1.5.0.12-33.el4.ia64.rpm

x86_64:
thunderbird-1.5.0.12-33.el4.x86_64.rpm
thunderbird-debuginfo-1.5.0.12-33.el4.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/thunderbird-1.5.0.12-33.el4.src.rpm

i386:
thunderbird-1.5.0.12-33.el4.i386.rpm
thunderbird-debuginfo-1.5.0.12-33.el4.i386.rpm

ia64:
thunderbird-1.5.0.12-33.el4.ia64.rpm
thunderbird-debuginfo-1.5.0.12-33.el4.ia64.rpm

x86_64:
thunderbird-1.5.0.12-33.el4.x86_64.rpm
thunderbird-debuginfo-1.5.0.12-33.el4.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/thunderbird-2.0.0.24-10.el5_5.src.rpm

i386:
thunderbird-2.0.0.24-10.el5_5.i386.rpm
thunderbird-debuginfo-2.0.0.24-10.el5_5.i386.rpm

x86_64:
thunderbird-2.0.0.24-10.el5_5.x86_64.rpm
thunderbird-debuginfo-2.0.0.24-10.el5_5.x86_64.rpm

RHEL Optional Productivity Applications (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/thunderbird-2.0.0.24-10.el5_5.src.rpm

i386:
thunderbird-2.0.0.24-10.el5_5.i386.rpm
thunderbird-debuginfo-2.0.0.24-10.el5_5.i386.rpm

x86_64:
thunderbird-2.0.0.24-10.el5_5.x86_64.rpm
thunderbird-debuginfo-2.0.0.24-10.el5_5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2010-3765.html
http://www.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2010 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFMyjceXlSAg2UNWIIRAtKhAJ0fbrUpUJ9baLzwa+/pIN6H68UpzwCfSeNc
lYKznrUh3EuuWKiRdlFTkHI=
=LUg8
-----END PGP SIGNATURE-----
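The "6. Package List" sections of the advisories above name, per product and architecture, the exact package build that carries the backported fix. Deciding whether a host is still exposed means comparing what `rpm -q` reports against that build using rpm's own version ordering (so that release 9 is older than release 10, and 3.6.9 older than 3.6.11), not plain string comparison. The following Python is an added example, not Red Hat tooling: it parses a Package List excerpt copied from RHSA-2010:0812-01 above, reimplements rpm's rpmvercmp() ordering (assumptions: the caret ordering of newer rpm releases is left out, and the epoch is taken as 0 because these advisories list none), and reports whether an installed name-version-release.arch is older than the fixed build. The host names and installed versions in the test are constructed.

```python
# Added example, not Red Hat tooling. ADVISORY_EXCERPT is copied from the
# Package List of RHSA-2010:0812-01; rpm_vercmp() reimplements rpm's rpmvercmp()
# ordering (assumptions: no '^' handling, epoch taken as 0 since none is listed).
import re
from collections import defaultdict

# Two products from "6. Package List" of RHSA-2010:0812-01 (thunderbird).
ADVISORY_EXCERPT = """\
Red Hat Enterprise Linux Desktop version 4:
Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/thunderbird-1.5.0.12-33.el4.src.rpm
i386:
thunderbird-1.5.0.12-33.el4.i386.rpm
x86_64:
thunderbird-1.5.0.12-33.el4.x86_64.rpm
Red Hat Enterprise Linux Desktop (v. 5 client):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/thunderbird-2.0.0.24-10.el5_5.src.rpm
i386:
thunderbird-2.0.0.24-10.el5_5.i386.rpm
x86_64:
thunderbird-2.0.0.24-10.el5_5.x86_64.rpm
"""

ARCHES = {"i386", "ia64", "ppc", "ppc64", "s390", "s390x", "x86_64", "noarch"}
NVRA_RE = re.compile(r"^(?P<name>.+)-(?P<ver>[^-]+)-(?P<rel>[^-]+)\.(?P<arch>[^.]+)$")
_SEG = re.compile(r"\d+|[A-Za-z]+|~")        # rpmvercmp segments: digits, letters, tilde


def parse_package_list(text):
    """Return {product: {arch: {name: (version, release)}}} from a Package List.
    Arch headers are ignored: multilib sections list i386 rpms under x86_64,
    so each file is keyed by the arch in its own filename."""
    fixed = defaultdict(lambda: defaultdict(dict))
    product = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Source:") or line.endswith(".src.rpm"):
            continue
        if line.endswith(":"):                   # product header or arch header
            if line[:-1] not in ARCHES:
                product = line[:-1]
            continue
        m = NVRA_RE.match(line[:-4]) if line.endswith(".rpm") else None
        if m and product:
            fixed[product][m["arch"]][m["name"]] = (m["ver"], m["rel"])
    return dict(fixed)


def rpm_vercmp(a, b):
    """Order two version or release strings like rpmvercmp(): -1, 0 or 1.
    Digit segments compare as integers, letter segments lexically, a digit
    segment beats a letter segment, and '~' sorts before anything (even the
    end of the string), which is how pre-release tags are expressed."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":
            if x != y:
                return -1 if x == "~" else 1
            continue
        if x.isdigit() != y.isdigit():           # segment types differ: digits win
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):                 # more digits means a larger number
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    longer, sign = (sa, 1) if len(sa) > len(sb) else (sb, -1)
    # leftover segments make that side newer, unless the first one is '~'
    return -sign if longer[min(len(sa), len(sb))] == "~" else sign


def needs_update(installed_nvra, product, fixed):
    """True if the installed name-version-release.arch (as printed by
    rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\\n') is older than the
    fix listed for that product, False if at or past it, None if the advisory
    lists no package with that name and arch for the product."""
    m = NVRA_RE.match(installed_nvra)
    if not m:
        raise ValueError(f"not an NVRA string: {installed_nvra!r}")
    fixed_vr = fixed.get(product, {}).get(m["arch"], {}).get(m["name"])
    if fixed_vr is None:
        return None
    c = rpm_vercmp(m["ver"], fixed_vr[0]) or rpm_vercmp(m["rel"], fixed_vr[1])
    return c < 0


FIXED = parse_package_list(ADVISORY_EXCERPT)

if __name__ == "__main__":
    # Constructed rpm -q output for a RHEL 5 client host still one release behind the fix.
    print(needs_update("thunderbird-2.0.0.24-9.el5_5.x86_64",
                       "Red Hat Enterprise Linux Desktop (v. 5 client)", FIXED))  # True
```

The product string must be matched against the header the advisory uses for that channel (for example "RHEL Optional Productivity Applications (v. 5 server)" differs from the Desktop entry even though the fixed build is the same), and a real inventory should also feed `%{EPOCH}` into the comparison, since an epoch on either side overrides version and release.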