From bugzilla at redhat.com Wed Feb 1 01:15:59 2012
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 1 Feb 2012 01:15:59 +0000
Subject: [RHSA-2012:0079-01] Critical: firefox security update
Message-ID: <201202010116.q111Fxs5012927@int-mx11.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: firefox security update
Advisory ID:       RHSA-2012:0079-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2012-0079.html
Issue date:        2012-01-31
CVE Names:         CVE-2011-3659 CVE-2011-3670 CVE-2012-0442
                   CVE-2012-0444 CVE-2012-0449
=====================================================================

1. Summary:

Updated firefox packages that fix multiple security issues are now
available for Red Hat Enterprise Linux 4, 5, and 6.

The Red Hat Security Response Team has rated this update as having
critical security impact. Common Vulnerability Scoring System (CVSS)
base scores, which give detailed severity ratings, are available for
each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64

3. Description:

Mozilla Firefox is an open source web browser. XULRunner provides the XUL
Runtime environment for Mozilla Firefox.

A use-after-free flaw was found in the way Firefox removed nsDOMAttribute
child nodes. In certain circumstances, due to the premature notification of
AttributeChildRemoved, a malicious script could possibly use this flaw to
cause Firefox to crash or, potentially, execute arbitrary code with the
privileges of the user running Firefox. (CVE-2011-3659)

Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Firefox to crash or,
potentially, execute arbitrary code with the privileges of the user running
Firefox. (CVE-2012-0442)

A flaw was found in the way Firefox parsed Ogg Vorbis media files. A web
page containing a malicious Ogg Vorbis media file could cause Firefox to
crash or, potentially, execute arbitrary code with the privileges of the
user running Firefox. (CVE-2012-0444)

A flaw was found in the way Firefox parsed certain Scalable Vector Graphics
(SVG) image files that contained eXtensible Style Sheet Language
Transformations (XSLT). A web page containing a malicious SVG image file
could cause Firefox to crash or, potentially, execute arbitrary code with
the privileges of the user running Firefox. (CVE-2012-0449)

The same-origin policy in Firefox treated http://example.com and
http://[example.com] as interchangeable. A malicious script could possibly
use this flaw to gain access to sensitive information (such as a client's
IP and user e-mail address, or httpOnly cookies) that may be included in
HTTP proxy error replies, generated in response to invalid URLs using
square brackets. (CVE-2011-3670)

For technical details regarding these flaws, refer to the Mozilla security
advisories for Firefox 3.6.26. You can find a link to the Mozilla
advisories in the References section of this erratum.

All Firefox users should upgrade to these updated packages, which contain
Firefox version 3.6.26, which corrects these issues. After installing the
update, Firefox must be restarted for the changes to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

785085 - CVE-2012-0442 Mozilla: memory safety hazards in 10.0/1.9.2.26 (MFSA 2012-01)
785464 - CVE-2011-3670 Mozilla: Same-origin bypass using IPv6-like hostname syntax (MFSA 2012-02)
785966 - CVE-2012-0449 Mozilla: Crash when rendering SVG+XSLT (MFSA 2012-08)
786026 - CVE-2012-0444 Firefox: Ogg Vorbis Decoding Memory Corruption (MFSA 2012-07)
786258 - CVE-2011-3659 Mozilla: child nodes from nsDOMAttribute still accessible after removal of nodes (MFSA 2012-04)

6. Package List:

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/firefox-3.6.26-2.el4.src.rpm

i386:
firefox-3.6.26-2.el4.i386.rpm
firefox-debuginfo-3.6.26-2.el4.i386.rpm

ia64:
firefox-3.6.26-2.el4.ia64.rpm
firefox-debuginfo-3.6.26-2.el4.ia64.rpm

ppc:
firefox-3.6.26-2.el4.ppc.rpm
firefox-debuginfo-3.6.26-2.el4.ppc.rpm

s390:
firefox-3.6.26-2.el4.s390.rpm
firefox-debuginfo-3.6.26-2.el4.s390.rpm

s390x:
firefox-3.6.26-2.el4.s390x.rpm
firefox-debuginfo-3.6.26-2.el4.s390x.rpm

x86_64:
firefox-3.6.26-2.el4.x86_64.rpm
firefox-debuginfo-3.6.26-2.el4.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/firefox-3.6.26-2.el4.src.rpm

i386:
firefox-3.6.26-2.el4.i386.rpm
firefox-debuginfo-3.6.26-2.el4.i386.rpm

x86_64:
firefox-3.6.26-2.el4.x86_64.rpm
firefox-debuginfo-3.6.26-2.el4.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/firefox-3.6.26-2.el4.src.rpm

i386:
firefox-3.6.26-2.el4.i386.rpm
firefox-debuginfo-3.6.26-2.el4.i386.rpm

ia64:
firefox-3.6.26-2.el4.ia64.rpm
firefox-debuginfo-3.6.26-2.el4.ia64.rpm

x86_64:
firefox-3.6.26-2.el4.x86_64.rpm
firefox-debuginfo-3.6.26-2.el4.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/firefox-3.6.26-2.el4.src.rpm

i386:
firefox-3.6.26-2.el4.i386.rpm
firefox-debuginfo-3.6.26-2.el4.i386.rpm

ia64:
firefox-3.6.26-2.el4.ia64.rpm
firefox-debuginfo-3.6.26-2.el4.ia64.rpm

x86_64:
firefox-3.6.26-2.el4.x86_64.rpm
firefox-debuginfo-3.6.26-2.el4.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/firefox-3.6.26-1.el5_7.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/xulrunner-1.9.2.26-1.el5_7.src.rpm

i386:
firefox-3.6.26-1.el5_7.i386.rpm
firefox-debuginfo-3.6.26-1.el5_7.i386.rpm
xulrunner-1.9.2.26-1.el5_7.i386.rpm
xulrunner-debuginfo-1.9.2.26-1.el5_7.i386.rpm

x86_64:
firefox-3.6.26-1.el5_7.i386.rpm
firefox-3.6.26-1.el5_7.x86_64.rpm
firefox-debuginfo-3.6.26-1.el5_7.i386.rpm
firefox-debuginfo-3.6.26-1.el5_7.x86_64.rpm
xulrunner-1.9.2.26-1.el5_7.i386.rpm
xulrunner-1.9.2.26-1.el5_7.x86_64.rpm
xulrunner-debuginfo-1.9.2.26-1.el5_7.i386.rpm
xulrunner-debuginfo-1.9.2.26-1.el5_7.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/xulrunner-1.9.2.26-1.el5_7.src.rpm

i386:
xulrunner-debuginfo-1.9.2.26-1.el5_7.i386.rpm
xulrunner-devel-1.9.2.26-1.el5_7.i386.rpm

x86_64:
xulrunner-debuginfo-1.9.2.26-1.el5_7.i386.rpm
xulrunner-debuginfo-1.9.2.26-1.el5_7.x86_64.rpm
xulrunner-devel-1.9.2.26-1.el5_7.i386.rpm
xulrunner-devel-1.9.2.26-1.el5_7.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/firefox-3.6.26-1.el5_7.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/xulrunner-1.9.2.26-1.el5_7.src.rpm

i386:
firefox-3.6.26-1.el5_7.i386.rpm
firefox-debuginfo-3.6.26-1.el5_7.i386.rpm
xulrunner-1.9.2.26-1.el5_7.i386.rpm
xulrunner-debuginfo-1.9.2.26-1.el5_7.i386.rpm
xulrunner-devel-1.9.2.26-1.el5_7.i386.rpm

ia64:
firefox-3.6.26-1.el5_7.ia64.rpm
firefox-debuginfo-3.6.26-1.el5_7.ia64.rpm
xulrunner-1.9.2.26-1.el5_7.ia64.rpm
xulrunner-debuginfo-1.9.2.26-1.el5_7.ia64.rpm
xulrunner-devel-1.9.2.26-1.el5_7.ia64.rpm

ppc:
firefox-3.6.26-1.el5_7.ppc.rpm
firefox-debuginfo-3.6.26-1.el5_7.ppc.rpm
xulrunner-1.9.2.26-1.el5_7.ppc.rpm
xulrunner-1.9.2.26-1.el5_7.ppc64.rpm
xulrunner-debuginfo-1.9.2.26-1.el5_7.ppc.rpm
xulrunner-debuginfo-1.9.2.26-1.el5_7.ppc64.rpm
xulrunner-devel-1.9.2.26-1.el5_7.ppc.rpm
xulrunner-devel-1.9.2.26-1.el5_7.ppc64.rpm

s390x:
firefox-3.6.26-1.el5_7.s390.rpm
firefox-3.6.26-1.el5_7.s390x.rpm
firefox-debuginfo-3.6.26-1.el5_7.s390.rpm
firefox-debuginfo-3.6.26-1.el5_7.s390x.rpm
xulrunner-1.9.2.26-1.el5_7.s390.rpm
xulrunner-1.9.2.26-1.el5_7.s390x.rpm
xulrunner-debuginfo-1.9.2.26-1.el5_7.s390.rpm
xulrunner-debuginfo-1.9.2.26-1.el5_7.s390x.rpm
xulrunner-devel-1.9.2.26-1.el5_7.s390.rpm
xulrunner-devel-1.9.2.26-1.el5_7.s390x.rpm

x86_64:
firefox-3.6.26-1.el5_7.i386.rpm
firefox-3.6.26-1.el5_7.x86_64.rpm
firefox-debuginfo-3.6.26-1.el5_7.i386.rpm
firefox-debuginfo-3.6.26-1.el5_7.x86_64.rpm
xulrunner-1.9.2.26-1.el5_7.i386.rpm
xulrunner-1.9.2.26-1.el5_7.x86_64.rpm
xulrunner-debuginfo-1.9.2.26-1.el5_7.i386.rpm
xulrunner-debuginfo-1.9.2.26-1.el5_7.x86_64.rpm
xulrunner-devel-1.9.2.26-1.el5_7.i386.rpm
xulrunner-devel-1.9.2.26-1.el5_7.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/firefox-3.6.26-1.el6_2.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/xulrunner-1.9.2.26-1.el6_2.src.rpm

i386:
firefox-3.6.26-1.el6_2.i686.rpm
firefox-debuginfo-3.6.26-1.el6_2.i686.rpm
xulrunner-1.9.2.26-1.el6_2.i686.rpm
xulrunner-debuginfo-1.9.2.26-1.el6_2.i686.rpm

x86_64:
firefox-3.6.26-1.el6_2.i686.rpm
firefox-3.6.26-1.el6_2.x86_64.rpm
firefox-debuginfo-3.6.26-1.el6_2.i686.rpm
firefox-debuginfo-3.6.26-1.el6_2.x86_64.rpm
xulrunner-1.9.2.26-1.el6_2.i686.rpm
xulrunner-1.9.2.26-1.el6_2.x86_64.rpm
xulrunner-debuginfo-1.9.2.26-1.el6_2.i686.rpm
xulrunner-debuginfo-1.9.2.26-1.el6_2.x86_64.rpm

Red Hat Enterprise Linux Desktop Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/xulrunner-1.9.2.26-1.el6_2.src.rpm

i386:
xulrunner-debuginfo-1.9.2.26-1.el6_2.i686.rpm
xulrunner-devel-1.9.2.26-1.el6_2.i686.rpm

x86_64:
xulrunner-debuginfo-1.9.2.26-1.el6_2.i686.rpm
xulrunner-debuginfo-1.9.2.26-1.el6_2.x86_64.rpm
xulrunner-devel-1.9.2.26-1.el6_2.i686.rpm
xulrunner-devel-1.9.2.26-1.el6_2.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/firefox-3.6.26-1.el6_2.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/xulrunner-1.9.2.26-1.el6_2.src.rpm

x86_64:
firefox-3.6.26-1.el6_2.i686.rpm
firefox-3.6.26-1.el6_2.x86_64.rpm
firefox-debuginfo-3.6.26-1.el6_2.i686.rpm
firefox-debuginfo-3.6.26-1.el6_2.x86_64.rpm
xulrunner-1.9.2.26-1.el6_2.i686.rpm
xulrunner-1.9.2.26-1.el6_2.x86_64.rpm
xulrunner-debuginfo-1.9.2.26-1.el6_2.i686.rpm
xulrunner-debuginfo-1.9.2.26-1.el6_2.x86_64.rpm
xulrunner-devel-1.9.2.26-1.el6_2.i686.rpm
xulrunner-devel-1.9.2.26-1.el6_2.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/firefox-3.6.26-1.el6_2.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/xulrunner-1.9.2.26-1.el6_2.src.rpm

i386:
firefox-3.6.26-1.el6_2.i686.rpm
firefox-debuginfo-3.6.26-1.el6_2.i686.rpm
xulrunner-1.9.2.26-1.el6_2.i686.rpm
xulrunner-debuginfo-1.9.2.26-1.el6_2.i686.rpm

ppc64:
firefox-3.6.26-1.el6_2.ppc.rpm
firefox-3.6.26-1.el6_2.ppc64.rpm
firefox-debuginfo-3.6.26-1.el6_2.ppc.rpm
firefox-debuginfo-3.6.26-1.el6_2.ppc64.rpm
xulrunner-1.9.2.26-1.el6_2.ppc.rpm
xulrunner-1.9.2.26-1.el6_2.ppc64.rpm
xulrunner-debuginfo-1.9.2.26-1.el6_2.ppc.rpm
xulrunner-debuginfo-1.9.2.26-1.el6_2.ppc64.rpm

s390x:
firefox-3.6.26-1.el6_2.s390.rpm
firefox-3.6.26-1.el6_2.s390x.rpm
firefox-debuginfo-3.6.26-1.el6_2.s390.rpm
firefox-debuginfo-3.6.26-1.el6_2.s390x.rpm
xulrunner-1.9.2.26-1.el6_2.s390.rpm
xulrunner-1.9.2.26-1.el6_2.s390x.rpm
xulrunner-debuginfo-1.9.2.26-1.el6_2.s390.rpm
xulrunner-debuginfo-1.9.2.26-1.el6_2.s390x.rpm

x86_64:
firefox-3.6.26-1.el6_2.i686.rpm
firefox-3.6.26-1.el6_2.x86_64.rpm
firefox-debuginfo-3.6.26-1.el6_2.i686.rpm
firefox-debuginfo-3.6.26-1.el6_2.x86_64.rpm
xulrunner-1.9.2.26-1.el6_2.i686.rpm
xulrunner-1.9.2.26-1.el6_2.x86_64.rpm
xulrunner-debuginfo-1.9.2.26-1.el6_2.i686.rpm
xulrunner-debuginfo-1.9.2.26-1.el6_2.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/xulrunner-1.9.2.26-1.el6_2.src.rpm

i386:
xulrunner-debuginfo-1.9.2.26-1.el6_2.i686.rpm
xulrunner-devel-1.9.2.26-1.el6_2.i686.rpm

ppc64:
xulrunner-debuginfo-1.9.2.26-1.el6_2.ppc.rpm
xulrunner-debuginfo-1.9.2.26-1.el6_2.ppc64.rpm
xulrunner-devel-1.9.2.26-1.el6_2.ppc.rpm
xulrunner-devel-1.9.2.26-1.el6_2.ppc64.rpm

s390x:
xulrunner-debuginfo-1.9.2.26-1.el6_2.s390.rpm
xulrunner-debuginfo-1.9.2.26-1.el6_2.s390x.rpm
xulrunner-devel-1.9.2.26-1.el6_2.s390.rpm
xulrunner-devel-1.9.2.26-1.el6_2.s390x.rpm

x86_64:
xulrunner-debuginfo-1.9.2.26-1.el6_2.i686.rpm
xulrunner-debuginfo-1.9.2.26-1.el6_2.x86_64.rpm
xulrunner-devel-1.9.2.26-1.el6_2.i686.rpm
xulrunner-devel-1.9.2.26-1.el6_2.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/firefox-3.6.26-1.el6_2.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/xulrunner-1.9.2.26-1.el6_2.src.rpm

i386:
firefox-3.6.26-1.el6_2.i686.rpm
firefox-debuginfo-3.6.26-1.el6_2.i686.rpm
xulrunner-1.9.2.26-1.el6_2.i686.rpm
xulrunner-debuginfo-1.9.2.26-1.el6_2.i686.rpm

x86_64:
firefox-3.6.26-1.el6_2.i686.rpm
firefox-3.6.26-1.el6_2.x86_64.rpm
firefox-debuginfo-3.6.26-1.el6_2.i686.rpm
firefox-debuginfo-3.6.26-1.el6_2.x86_64.rpm
xulrunner-1.9.2.26-1.el6_2.i686.rpm
xulrunner-1.9.2.26-1.el6_2.x86_64.rpm
xulrunner-debuginfo-1.9.2.26-1.el6_2.i686.rpm
xulrunner-debuginfo-1.9.2.26-1.el6_2.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/xulrunner-1.9.2.26-1.el6_2.src.rpm

i386:
xulrunner-debuginfo-1.9.2.26-1.el6_2.i686.rpm
xulrunner-devel-1.9.2.26-1.el6_2.i686.rpm

x86_64:
xulrunner-debuginfo-1.9.2.26-1.el6_2.i686.rpm
xulrunner-debuginfo-1.9.2.26-1.el6_2.x86_64.rpm
xulrunner-devel-1.9.2.26-1.el6_2.i686.rpm
xulrunner-devel-1.9.2.26-1.el6_2.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2011-3659.html
https://www.redhat.com/security/data/cve/CVE-2011-3670.html
https://www.redhat.com/security/data/cve/CVE-2012-0442.html
https://www.redhat.com/security/data/cve/CVE-2012-0444.html
https://www.redhat.com/security/data/cve/CVE-2012-0449.html
https://access.redhat.com/security/updates/classification/#critical
http://www.mozilla.org/security/known-vulnerabilities/firefox36.html#firefox3.6.26

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2012 Red Hat, Inc.
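The CVE-2011-3670 paragraph above says the same-origin check treated http://example.com and http://[example.com] as the same host. The Python below is an added illustration, not Mozilla's or Red Hat's code: lenient_host models that bracket handling, and strict_host is the rule a client should apply, where brackets are legal only around a valid IPv6 literal and any other bracketed URL is refused before it reaches the origin comparison. All function names (split_url, strict_host, lenient_host, origin, same_origin) are the example's own.

```python
"""Strict vs. lenient handling of bracketed hosts in an origin comparison.

Added example, not Mozilla or Red Hat code. lenient_host models the
behaviour the advisory describes for CVE-2011-3670 (brackets are trusted
and dropped, so "[example.com]" collapses onto "example.com");
strict_host accepts brackets only around an IPv6 literal and raises
InvalidURL for anything else, so the origin is never computed for it.
"""
import ipaddress

DEFAULT_PORTS = {"http": 80, "https": 443}


class InvalidURL(ValueError):
    """Raised for URLs that must be refused rather than normalised."""


def split_url(url):
    """Return (scheme, authority); path, query and fragment are dropped."""
    scheme, sep, rest = url.partition("://")
    if not sep or not scheme:
        raise InvalidURL("missing scheme")
    authority = rest.split("/", 1)[0].split("?", 1)[0].split("#", 1)[0]
    return scheme.lower(), authority


def lenient_host(authority):
    """Flawed model: whatever sits between '[' and ']' is taken as the host."""
    host = authority.rsplit("@", 1)[-1]          # drop userinfo
    if host.startswith("[") and "]" in host:
        inner, _, tail = host[1:].partition("]")
        return inner.lower(), tail[1:]           # contents never validated
    name, _, port = host.partition(":")
    return name.lower(), port


def strict_host(authority):
    """Return (host, port_text); brackets must wrap a valid IPv6 literal."""
    host = authority.rsplit("@", 1)[-1]          # drop userinfo
    if host.startswith("["):
        end = host.find("]")
        if end < 0:
            raise InvalidURL("unterminated IPv6 literal")
        literal, tail = host[1:end], host[end + 1:]
        try:
            addr = ipaddress.IPv6Address(literal)
        except ValueError as exc:                # AddressValueError subclasses it
            raise InvalidURL(f"[{literal}] is not an IPv6 literal") from exc
        if tail and not tail.startswith(":"):
            raise InvalidURL("unexpected characters after IPv6 literal")
        return f"[{addr.compressed}]", tail[1:]  # canonical form for comparison
    if "[" in host or "]" in host:
        raise InvalidURL("bracket outside an IPv6 literal")
    name, _, port = host.partition(":")
    if not name:
        raise InvalidURL("empty host")
    return name.lower(), port


def origin(url, host_fn=strict_host):
    """Return the (scheme, host, port) triple the same-origin policy compares."""
    scheme, authority = split_url(url)
    host, port = host_fn(authority)
    if port == "":
        port_no = DEFAULT_PORTS.get(scheme)
    elif port.isdigit():
        port_no = int(port)
    else:
        raise InvalidURL(f"bad port {port!r}")
    return scheme, host, port_no


def same_origin(a, b, host_fn=strict_host):
    """True only when both URLs parse and agree on scheme, host and port."""
    return origin(a, host_fn) == origin(b, host_fn)


def is_valid_url(url):
    """True when the strict parser accepts the URL."""
    try:
        origin(url)
    except InvalidURL:
        return False
    return True


if __name__ == "__main__":
    pair = ("http://example.com/", "http://[example.com]/")
    print("lenient same-origin:", same_origin(*pair, host_fn=lenient_host))  # True
    print("strict accepts bracketed name:", is_valid_url(pair[1]))          # False
```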
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFPKJI4XlSAg2UNWIIRAu86AJ90vRQABz4iAP8lTwpgWhitoNBuVgCeP4u+
iCHNxUGgZ8ljJAn819lOK5I=
=W7UK
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Feb 1 01:17:39 2012
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 1 Feb 2012 01:17:39 +0000
Subject: [RHSA-2012:0080-01] Critical: thunderbird security update
Message-ID: <201202010117.q111HeVp013138@int-mx11.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: thunderbird security update
Advisory ID:       RHSA-2012:0080-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2012-0080.html
Issue date:        2012-01-31
CVE Names:         CVE-2011-3659 CVE-2011-3670 CVE-2012-0442
                   CVE-2012-0449
=====================================================================

1. Summary:

An updated thunderbird package that fixes multiple security issues is now
available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having
critical security impact. Common Vulnerability Scoring System (CVSS)
base scores, which give detailed severity ratings, are available for
each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

A use-after-free flaw was found in the way Thunderbird removed
nsDOMAttribute child nodes. In certain circumstances, due to the premature
notification of AttributeChildRemoved, a malicious script could possibly
use this flaw to cause Thunderbird to crash or, potentially, execute
arbitrary code with the privileges of the user running Thunderbird.
(CVE-2011-3659)

Several flaws were found in the processing of malformed content. An HTML
mail message containing malicious content could cause Thunderbird to crash
or, potentially, execute arbitrary code with the privileges of the user
running Thunderbird. (CVE-2012-0442)

A flaw was found in the way Thunderbird parsed certain Scalable Vector
Graphics (SVG) image files that contained eXtensible Style Sheet Language
Transformations (XSLT). An HTML mail message containing a malicious SVG
image file could cause Thunderbird to crash or, potentially, execute
arbitrary code with the privileges of the user running Thunderbird.
(CVE-2012-0449)

The same-origin policy in Thunderbird treated http://example.com and
http://[example.com] as interchangeable. A malicious script could possibly
use this flaw to gain access to sensitive information (such as a client's
IP and user e-mail address, or httpOnly cookies) that may be included in
HTTP proxy error replies, generated in response to invalid URLs using
square brackets. (CVE-2011-3670)

Note: The CVE-2011-3659 and CVE-2011-3670 issues cannot be exploited by a
specially-crafted HTML mail message as JavaScript is disabled by default
for mail messages. It could be exploited another way in Thunderbird, for
example, when viewing the full remote content of an RSS feed.

For technical details regarding these flaws, refer to the Mozilla security
advisories for Thunderbird 3.1.18. You can find a link to the Mozilla
advisories in the References section of this erratum.

All Thunderbird users should upgrade to these updated packages, which
contain Thunderbird version 3.1.18, which corrects these issues.
After installing the update, Thunderbird must be restarted for the changes
to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

785085 - CVE-2012-0442 Mozilla: memory safety hazards in 10.0/1.9.2.26 (MFSA 2012-01)
785464 - CVE-2011-3670 Mozilla: Same-origin bypass using IPv6-like hostname syntax (MFSA 2012-02)
785966 - CVE-2012-0449 Mozilla: Crash when rendering SVG+XSLT (MFSA 2012-08)
786258 - CVE-2011-3659 Mozilla: child nodes from nsDOMAttribute still accessible after removal of nodes (MFSA 2012-04)

6. Package List:

Red Hat Enterprise Linux Desktop (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/thunderbird-3.1.18-1.el6_2.src.rpm

i386:
thunderbird-3.1.18-1.el6_2.i686.rpm
thunderbird-debuginfo-3.1.18-1.el6_2.i686.rpm

x86_64:
thunderbird-3.1.18-1.el6_2.x86_64.rpm
thunderbird-debuginfo-3.1.18-1.el6_2.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/thunderbird-3.1.18-1.el6_2.src.rpm

i386:
thunderbird-3.1.18-1.el6_2.i686.rpm
thunderbird-debuginfo-3.1.18-1.el6_2.i686.rpm

ppc64:
thunderbird-3.1.18-1.el6_2.ppc64.rpm
thunderbird-debuginfo-3.1.18-1.el6_2.ppc64.rpm

s390x:
thunderbird-3.1.18-1.el6_2.s390x.rpm
thunderbird-debuginfo-3.1.18-1.el6_2.s390x.rpm

x86_64:
thunderbird-3.1.18-1.el6_2.x86_64.rpm
thunderbird-debuginfo-3.1.18-1.el6_2.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/thunderbird-3.1.18-1.el6_2.src.rpm

i386:
thunderbird-3.1.18-1.el6_2.i686.rpm
thunderbird-debuginfo-3.1.18-1.el6_2.i686.rpm

x86_64:
thunderbird-3.1.18-1.el6_2.x86_64.rpm
thunderbird-debuginfo-3.1.18-1.el6_2.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2011-3659.html
https://www.redhat.com/security/data/cve/CVE-2011-3670.html
https://www.redhat.com/security/data/cve/CVE-2012-0442.html
https://www.redhat.com/security/data/cve/CVE-2012-0449.html
https://access.redhat.com/security/updates/classification/#critical
http://www.mozilla.org/security/known-vulnerabilities/thunderbird31.html#thunderbird3.1.18

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2012 Red Hat, Inc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFPKJJeXlSAg2UNWIIRAo22AJ92rnMSo9268Ru5qdVW4lVN9jcNCQCffNMm
9V4dzf5ngj2prbDVOEqaekE=
=jWO/
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Feb 1 08:26:25 2012
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 1 Feb 2012 08:26:25 +0000
Subject: [RHSA-2012:0084-01] Critical: seamonkey security update
Message-ID: <201202010826.q118QPpK013132@int-mx09.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: seamonkey security update
Advisory ID:       RHSA-2012:0084-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2012-0084.html
Issue date:        2012-02-01
CVE Names:         CVE-2011-3670 CVE-2012-0442
=====================================================================

1. Summary:

Updated seamonkey packages that fix two security issues are now available
for Red Hat Enterprise Linux 4.

The Red Hat Security Response Team has rated this update as having
critical security impact. Common Vulnerability Scoring System (CVSS)
base scores, which give detailed severity ratings, are available for
each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

3. Description:

SeaMonkey is an open source web browser, e-mail and newsgroup client, IRC
chat client, and HTML editor.

A flaw was found in the processing of malformed web content. A web page
containing malicious content could cause SeaMonkey to crash or,
potentially, execute arbitrary code with the privileges of the user running
SeaMonkey. (CVE-2012-0442)

The same-origin policy in SeaMonkey treated http://example.com and
http://[example.com] as interchangeable. A malicious script could possibly
use this flaw to gain access to sensitive information (such as a client's
IP and user e-mail address, or httpOnly cookies) that may be included in
HTTP proxy error replies, generated in response to invalid URLs using
square brackets. (CVE-2011-3670)

All SeaMonkey users should upgrade to these updated packages, which correct
these issues. After installing the update, SeaMonkey must be restarted for
the changes to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

785085 - CVE-2012-0442 Mozilla: memory safety hazards in 10.0/1.9.2.26 (MFSA 2012-01)
785464 - CVE-2011-3670 Mozilla: Same-origin bypass using IPv6-like hostname syntax (MFSA 2012-02)

6. Package List:

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/seamonkey-1.0.9-78.el4.src.rpm

i386:
seamonkey-1.0.9-78.el4.i386.rpm
seamonkey-chat-1.0.9-78.el4.i386.rpm
seamonkey-debuginfo-1.0.9-78.el4.i386.rpm
seamonkey-devel-1.0.9-78.el4.i386.rpm
seamonkey-dom-inspector-1.0.9-78.el4.i386.rpm
seamonkey-js-debugger-1.0.9-78.el4.i386.rpm
seamonkey-mail-1.0.9-78.el4.i386.rpm

ia64:
seamonkey-1.0.9-78.el4.ia64.rpm
seamonkey-chat-1.0.9-78.el4.ia64.rpm
seamonkey-debuginfo-1.0.9-78.el4.ia64.rpm
seamonkey-devel-1.0.9-78.el4.ia64.rpm
seamonkey-dom-inspector-1.0.9-78.el4.ia64.rpm
seamonkey-js-debugger-1.0.9-78.el4.ia64.rpm
seamonkey-mail-1.0.9-78.el4.ia64.rpm

ppc:
seamonkey-1.0.9-78.el4.ppc.rpm
seamonkey-chat-1.0.9-78.el4.ppc.rpm
seamonkey-debuginfo-1.0.9-78.el4.ppc.rpm
seamonkey-devel-1.0.9-78.el4.ppc.rpm
seamonkey-dom-inspector-1.0.9-78.el4.ppc.rpm
seamonkey-js-debugger-1.0.9-78.el4.ppc.rpm
seamonkey-mail-1.0.9-78.el4.ppc.rpm

s390:
seamonkey-1.0.9-78.el4.s390.rpm
seamonkey-chat-1.0.9-78.el4.s390.rpm
seamonkey-debuginfo-1.0.9-78.el4.s390.rpm
seamonkey-devel-1.0.9-78.el4.s390.rpm
seamonkey-dom-inspector-1.0.9-78.el4.s390.rpm
seamonkey-js-debugger-1.0.9-78.el4.s390.rpm
seamonkey-mail-1.0.9-78.el4.s390.rpm

s390x:
seamonkey-1.0.9-78.el4.s390x.rpm
seamonkey-chat-1.0.9-78.el4.s390x.rpm
seamonkey-debuginfo-1.0.9-78.el4.s390x.rpm
seamonkey-devel-1.0.9-78.el4.s390x.rpm
seamonkey-dom-inspector-1.0.9-78.el4.s390x.rpm
seamonkey-js-debugger-1.0.9-78.el4.s390x.rpm
seamonkey-mail-1.0.9-78.el4.s390x.rpm

x86_64:
seamonkey-1.0.9-78.el4.x86_64.rpm
seamonkey-chat-1.0.9-78.el4.x86_64.rpm
seamonkey-debuginfo-1.0.9-78.el4.x86_64.rpm
seamonkey-devel-1.0.9-78.el4.x86_64.rpm
seamonkey-dom-inspector-1.0.9-78.el4.x86_64.rpm
seamonkey-js-debugger-1.0.9-78.el4.x86_64.rpm
seamonkey-mail-1.0.9-78.el4.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/seamonkey-1.0.9-78.el4.src.rpm

i386:
seamonkey-1.0.9-78.el4.i386.rpm
seamonkey-chat-1.0.9-78.el4.i386.rpm
seamonkey-debuginfo-1.0.9-78.el4.i386.rpm
seamonkey-devel-1.0.9-78.el4.i386.rpm
seamonkey-dom-inspector-1.0.9-78.el4.i386.rpm
seamonkey-js-debugger-1.0.9-78.el4.i386.rpm
seamonkey-mail-1.0.9-78.el4.i386.rpm

x86_64:
seamonkey-1.0.9-78.el4.x86_64.rpm
seamonkey-chat-1.0.9-78.el4.x86_64.rpm
seamonkey-debuginfo-1.0.9-78.el4.x86_64.rpm
seamonkey-devel-1.0.9-78.el4.x86_64.rpm
seamonkey-dom-inspector-1.0.9-78.el4.x86_64.rpm
seamonkey-js-debugger-1.0.9-78.el4.x86_64.rpm
seamonkey-mail-1.0.9-78.el4.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/seamonkey-1.0.9-78.el4.src.rpm

i386:
seamonkey-1.0.9-78.el4.i386.rpm
seamonkey-chat-1.0.9-78.el4.i386.rpm
seamonkey-debuginfo-1.0.9-78.el4.i386.rpm
seamonkey-devel-1.0.9-78.el4.i386.rpm
seamonkey-dom-inspector-1.0.9-78.el4.i386.rpm
seamonkey-js-debugger-1.0.9-78.el4.i386.rpm
seamonkey-mail-1.0.9-78.el4.i386.rpm

ia64:
seamonkey-1.0.9-78.el4.ia64.rpm
seamonkey-chat-1.0.9-78.el4.ia64.rpm
seamonkey-debuginfo-1.0.9-78.el4.ia64.rpm
seamonkey-devel-1.0.9-78.el4.ia64.rpm
seamonkey-dom-inspector-1.0.9-78.el4.ia64.rpm
seamonkey-js-debugger-1.0.9-78.el4.ia64.rpm
seamonkey-mail-1.0.9-78.el4.ia64.rpm

x86_64:
seamonkey-1.0.9-78.el4.x86_64.rpm
seamonkey-chat-1.0.9-78.el4.x86_64.rpm
seamonkey-debuginfo-1.0.9-78.el4.x86_64.rpm
seamonkey-devel-1.0.9-78.el4.x86_64.rpm
seamonkey-dom-inspector-1.0.9-78.el4.x86_64.rpm
seamonkey-js-debugger-1.0.9-78.el4.x86_64.rpm
seamonkey-mail-1.0.9-78.el4.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/seamonkey-1.0.9-78.el4.src.rpm

i386:
seamonkey-1.0.9-78.el4.i386.rpm
seamonkey-chat-1.0.9-78.el4.i386.rpm
seamonkey-debuginfo-1.0.9-78.el4.i386.rpm
seamonkey-devel-1.0.9-78.el4.i386.rpm
seamonkey-dom-inspector-1.0.9-78.el4.i386.rpm
seamonkey-js-debugger-1.0.9-78.el4.i386.rpm
seamonkey-mail-1.0.9-78.el4.i386.rpm

ia64:
seamonkey-1.0.9-78.el4.ia64.rpm
seamonkey-chat-1.0.9-78.el4.ia64.rpm
seamonkey-debuginfo-1.0.9-78.el4.ia64.rpm
seamonkey-devel-1.0.9-78.el4.ia64.rpm
seamonkey-dom-inspector-1.0.9-78.el4.ia64.rpm
seamonkey-js-debugger-1.0.9-78.el4.ia64.rpm
seamonkey-mail-1.0.9-78.el4.ia64.rpm

x86_64:
seamonkey-1.0.9-78.el4.x86_64.rpm
seamonkey-chat-1.0.9-78.el4.x86_64.rpm
seamonkey-debuginfo-1.0.9-78.el4.x86_64.rpm
seamonkey-devel-1.0.9-78.el4.x86_64.rpm
seamonkey-dom-inspector-1.0.9-78.el4.x86_64.rpm
seamonkey-js-debugger-1.0.9-78.el4.x86_64.rpm
seamonkey-mail-1.0.9-78.el4.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2011-3670.html
https://www.redhat.com/security/data/cve/CVE-2012-0442.html
https://access.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2012 Red Hat, Inc.
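To decide from a package inventory whether the versions listed in section 6 of the errata on this page (firefox and xulrunner from RHSA-2012:0079, thunderbird from RHSA-2012:0080 and the RHEL 4 list of RHSA-2012:0085 below, seamonkey from RHSA-2012:0084) are installed, the Python below reimplements the rpmvercmp ordering and reports each package as fixed or still needing the update. It is an added example, not Red Hat tooling; it assumes input lines as printed by `rpm -qa --qf '%{NAME} %{EPOCH} %{VERSION} %{RELEASE}\n'`, an epoch of 0 for these packages (the advisory file names show none), and it leaves out the RHEL 5 thunderbird entries, which are cut off on this page.

```python
"""Compare installed Mozilla package versions against the fixed versions in
the Red Hat errata on this page, using the rpmvercmp ordering.

Added example, not Red Hat tooling. Assumed input: one package per line as
printed by
    rpm -qa --qf '%{NAME} %{EPOCH} %{VERSION} %{RELEASE}\\n'
Tilde/caret handling of rpmvercmp is omitted; no version here uses it.
"""
import re

# (package, RHEL major) -> (epoch, version, release) as shipped by
# RHSA-2012:0079 (firefox, xulrunner), 0080 and 0085 (thunderbird) and
# 0084 (seamonkey). Epoch 0 is an assumption: the advisory file names carry
# none. The RHEL 5 thunderbird list is cut off on this page, so it is absent.
FIXED = {
    ("firefox", 4): (0, "3.6.26", "2.el4"),
    ("firefox", 5): (0, "3.6.26", "1.el5_7"),
    ("firefox", 6): (0, "3.6.26", "1.el6_2"),
    ("xulrunner", 5): (0, "1.9.2.26", "1.el5_7"),
    ("xulrunner", 6): (0, "1.9.2.26", "1.el6_2"),
    ("thunderbird", 4): (0, "1.5.0.12", "46.el4"),
    ("thunderbird", 6): (0, "3.1.18", "1.el6_2"),
    ("seamonkey", 4): (0, "1.0.9", "78.el4"),
}

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")
_DIST = re.compile(r"\.el(\d+)")


def rpmvercmp(a, b):
    """Return -1, 0 or 1 ordering two version (or release) strings like rpm:
    split into digit and letter runs, compare digit runs numerically and
    letter runs lexically, a digit run beats a letter run, and the string
    with segments left over is the newer one."""
    if a == b:
        return 0
    seg_a, seg_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num and y_num:
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x_num != y_num:
            return 1 if x_num else -1
        elif x != y:
            return 1 if x > y else -1
    if len(seg_a) != len(seg_b):
        return 1 if len(seg_a) > len(seg_b) else -1
    return 0


def evr_cmp(installed, fixed):
    """Order two (epoch, version, release) tuples: epoch decides first,
    then version, then release."""
    if installed[0] != fixed[0]:
        return 1 if installed[0] > fixed[0] else -1
    return rpmvercmp(installed[1], fixed[1]) or rpmvercmp(installed[2], fixed[2])


def parse_rpm_line(line):
    """'name epoch version release' -> (name, (epoch, version, release))."""
    name, epoch, version, release = line.split()
    return name, (0 if epoch == "(none)" else int(epoch), version, release)


def rhel_major(release):
    """Pull the RHEL major from a dist tag such as '1.el5_7' -> 5."""
    match = _DIST.search(release)
    return int(match.group(1)) if match else None


def classify(line):
    name, evr = parse_rpm_line(line)
    fixed = FIXED.get((name, rhel_major(evr[2])))
    if fixed is None:
        return name, "not covered by these errata"
    return name, "fixed" if evr_cmp(evr, fixed) >= 0 else "needs update"


def check_host(rpm_output):
    """Map each package in the rpm output to its status against FIXED."""
    return dict(classify(line) for line in rpm_output.splitlines() if line.strip())


# Constructed sample: a RHEL 6 host that has taken the xulrunner update but
# still runs firefox and thunderbird builds older than these errata.
SAMPLE = """\
firefox (none) 3.6.24 3.el6_1
xulrunner (none) 1.9.2.26 1.el6_2
thunderbird (none) 3.1.16 1.el6_1
bash (none) 4.1.2 9.el6_2
"""

if __name__ == "__main__":
    for name, status in check_host(SAMPLE).items():
        print(f"{name:12} {status}")
```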
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFPKPcoXlSAg2UNWIIRAtqTAKC3n9KoTOm2t/qukrnH+cd04iswBgCeIu8r IceFLSepAEZDsTcaPufEfgc= =QPg3 -----END PGP SIGNATURE----- From bugzilla at redhat.com Wed Feb 1 08:35:50 2012 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Wed, 1 Feb 2012 08:35:50 +0000 Subject: [RHSA-2012:0085-01] Critical: thunderbird security update Message-ID: <201202010835.q118Zpxp026340@int-mx12.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Critical: thunderbird security update Advisory ID: RHSA-2012:0085-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-0085.html Issue date: 2012-02-01 CVE Names: CVE-2011-3670 CVE-2012-0442 ===================================================================== 1. Summary: An updated thunderbird package that fixes two security issues is now available for Red Hat Enterprise Linux 4 and 5. The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: RHEL Optional Productivity Applications (v. 5 server) - i386, x86_64 Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux Desktop version 4 - i386, x86_64 Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64 Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64 3. Description: Mozilla Thunderbird is a standalone mail and newsgroup client. A flaw was found in the processing of malformed content. 
An HTML mail message containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2012-0442)

The same-origin policy in Thunderbird treated http://example.com and http://[example.com] as interchangeable. A malicious script could possibly use this flaw to gain access to sensitive information (such as a client's IP and user e-mail address, or httpOnly cookies) that may be included in HTTP proxy error replies, generated in response to invalid URLs using square brackets. (CVE-2011-3670)

Note: The CVE-2011-3670 issue cannot be exploited by a specially-crafted HTML mail message as JavaScript is disabled by default for mail messages. It could be exploited another way in Thunderbird, for example, when viewing the full remote content of an RSS feed.

All Thunderbird users should upgrade to this updated package, which resolves these issues. All running instances of Thunderbird must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/kb/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

785085 - CVE-2012-0442 Mozilla: memory safety hazards in 10.0/1.9.2.26 (MFSA 2012-01)
785464 - CVE-2011-3670 Mozilla: Same-origin bypass using IPv6-like hostname syntax (MFSA 2012-02)

6. Package List:

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/thunderbird-1.5.0.12-46.el4.src.rpm

i386:
thunderbird-1.5.0.12-46.el4.i386.rpm
thunderbird-debuginfo-1.5.0.12-46.el4.i386.rpm

ia64:
thunderbird-1.5.0.12-46.el4.ia64.rpm
thunderbird-debuginfo-1.5.0.12-46.el4.ia64.rpm

ppc:
thunderbird-1.5.0.12-46.el4.ppc.rpm
thunderbird-debuginfo-1.5.0.12-46.el4.ppc.rpm

s390:
thunderbird-1.5.0.12-46.el4.s390.rpm
thunderbird-debuginfo-1.5.0.12-46.el4.s390.rpm

s390x:
thunderbird-1.5.0.12-46.el4.s390x.rpm
thunderbird-debuginfo-1.5.0.12-46.el4.s390x.rpm

x86_64:
thunderbird-1.5.0.12-46.el4.x86_64.rpm
thunderbird-debuginfo-1.5.0.12-46.el4.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/thunderbird-1.5.0.12-46.el4.src.rpm

i386:
thunderbird-1.5.0.12-46.el4.i386.rpm
thunderbird-debuginfo-1.5.0.12-46.el4.i386.rpm

x86_64:
thunderbird-1.5.0.12-46.el4.x86_64.rpm
thunderbird-debuginfo-1.5.0.12-46.el4.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/thunderbird-1.5.0.12-46.el4.src.rpm

i386:
thunderbird-1.5.0.12-46.el4.i386.rpm
thunderbird-debuginfo-1.5.0.12-46.el4.i386.rpm

ia64:
thunderbird-1.5.0.12-46.el4.ia64.rpm
thunderbird-debuginfo-1.5.0.12-46.el4.ia64.rpm

x86_64:
thunderbird-1.5.0.12-46.el4.x86_64.rpm
thunderbird-debuginfo-1.5.0.12-46.el4.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/thunderbird-1.5.0.12-46.el4.src.rpm

i386:
thunderbird-1.5.0.12-46.el4.i386.rpm
thunderbird-debuginfo-1.5.0.12-46.el4.i386.rpm

ia64:
thunderbird-1.5.0.12-46.el4.ia64.rpm
thunderbird-debuginfo-1.5.0.12-46.el4.ia64.rpm

x86_64:
thunderbird-1.5.0.12-46.el4.x86_64.rpm
thunderbird-debuginfo-1.5.0.12-46.el4.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/thunderbird-2.0.0.24-28.el5_7.src.rpm

i386:
thunderbird-2.0.0.24-28.el5_7.i386.rpm
thunderbird-debuginfo-2.0.0.24-28.el5_7.i386.rpm

x86_64:
thunderbird-2.0.0.24-28.el5_7.x86_64.rpm
thunderbird-debuginfo-2.0.0.24-28.el5_7.x86_64.rpm

RHEL Optional Productivity Applications (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/thunderbird-2.0.0.24-28.el5_7.src.rpm

i386:
thunderbird-2.0.0.24-28.el5_7.i386.rpm
thunderbird-debuginfo-2.0.0.24-28.el5_7.i386.rpm

x86_64:
thunderbird-2.0.0.24-28.el5_7.x86_64.rpm
thunderbird-debuginfo-2.0.0.24-28.el5_7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2011-3670.html
https://www.redhat.com/security/data/cve/CVE-2012-0442.html
https://access.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2012 Red Hat, Inc.
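The bracketed-hostname confusion described for CVE-2011-3670 in the advisory above, as an added example that is not Red Hat's, Mozilla's or any advisory code: an origin comparison that validates a bracketed host as an IPv6 literal instead of stripping the brackets, so http://[example.com] is rejected rather than treated as http://example.com. The _ABS_URL regex, the Origin tuple and the DEFAULT_PORTS table are this example's own assumptions.

```python
import ipaddress
import re
from typing import NamedTuple

# Default ports per scheme; two URLs share an origin only when scheme, host
# and effective port all match. (Assumption of this example.)
DEFAULT_PORTS = {"http": 80, "https": 443}

# Scheme and authority of an absolute URL; only the part before the path is
# needed to derive an origin. (Assumption of this example.)
_ABS_URL = re.compile(r"^(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*)://(?P<authority>[^/?#]*)")


class Origin(NamedTuple):
    scheme: str
    host: str   # lower-cased registered name, or "[" + canonical IPv6 + "]"
    port: int


def parse_origin(url: str) -> Origin:
    """Derive (scheme, host, port) from an absolute URL.

    A bracketed host is accepted only if it is an IPv6 literal (an RFC 3986
    IP-literal). Anything else in brackets raises ValueError instead of being
    silently folded into the unbracketed name, which is the equivalence the
    advisory describes.
    """
    m = _ABS_URL.match(url)
    if m is None:
        raise ValueError(f"not an absolute URL: {url!r}")
    scheme = m.group("scheme").lower()
    authority = m.group("authority").rpartition("@")[2]   # drop userinfo

    if authority.startswith("["):
        end = authority.find("]")
        if end < 0:
            raise ValueError("unterminated bracketed host")
        literal = authority[1:end]
        try:
            # Canonical form so [::1] and [0:0:0:0:0:0:0:1] compare equal.
            host = "[" + ipaddress.IPv6Address(literal).compressed + "]"
        except ipaddress.AddressValueError as exc:
            raise ValueError(f"bracketed host is not an IPv6 literal: {literal!r}") from exc
        rest = authority[end + 1:]
        if rest and not rest.startswith(":"):
            raise ValueError(f"unexpected text after IPv6 literal: {rest!r}")
        port_text = rest[1:]
    else:
        host, _, port_text = authority.partition(":")
        if not host:
            raise ValueError("empty host")
        if "[" in host or "]" in host:
            raise ValueError(f"brackets are not allowed in a registered name: {host!r}")
        host = host.lower()

    if port_text == "":
        if scheme not in DEFAULT_PORTS:
            raise ValueError(f"no default port known for scheme {scheme!r}")
        port = DEFAULT_PORTS[scheme]
    elif port_text.isdigit() and 0 < int(port_text) < 65536:
        port = int(port_text)
    else:
        raise ValueError(f"invalid port: {port_text!r}")
    return Origin(scheme, host, port)


def same_origin(url_a: str, url_b: str) -> bool:
    """True only when both URLs parse and yield the same origin.

    A URL that fails validation (such as http://[example.com]/) matches
    nothing, not even itself, so a malformed host can never be treated as a
    peer of a valid one.
    """
    try:
        return parse_origin(url_a) == parse_origin(url_b)
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample URLs: the pair from the advisory plus a few controls.
    pairs = [
        ("http://example.com/", "http://[example.com]/"),
        ("http://example.com/a", "HTTP://EXAMPLE.COM:80/b"),
        ("http://[::1]/", "http://[0:0:0:0:0:0:0:1]:80/"),
        ("https://example.com/", "http://example.com/"),
    ]
    for a, b in pairs:
        print(f"{a:28} {b:32} same_origin={same_origin(a, b)}")
```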
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFPKPlfXlSAg2UNWIIRAj7DAJ425t5S9nJRkfeY1oPvrN/OQaGOrACfU6iV
712SAKrX5EcTO/eFlMZnSVU=
=T5dN
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Feb 1 18:58:05 2012
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 1 Feb 2012 18:58:05 +0000
Subject: [RHSA-2012:0086-01] Moderate: openssl security update
Message-ID: <201202011858.q11Iw5lu010460@int-mx11.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: openssl security update
Advisory ID: RHSA-2012:0086-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-0086.html
Issue date: 2012-02-01
CVE Names: CVE-2011-4576 CVE-2011-4619
=====================================================================

1. Summary:

Updated openssl packages that fix two security issues are now available for Red Hat Enterprise Linux 4.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

3. Description:

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library.

An information leak flaw was found in the SSL 3.0 protocol implementation in OpenSSL. Incorrect initialization of SSL record padding bytes could cause an SSL client or server to send a limited amount of possibly sensitive data to its SSL peer via the encrypted connection. (CVE-2011-4576)

It was discovered that OpenSSL did not limit the number of TLS/SSL handshake restarts required to support Server Gated Cryptography. A remote attacker could use this flaw to make a TLS/SSL server using OpenSSL consume an excessive amount of CPU by continuously restarting the handshake. (CVE-2011-4619)

All OpenSSL users should upgrade to these updated packages, which contain backported patches to resolve these issues. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.

4. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/kb/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

771775 - CVE-2011-4576 openssl: uninitialized SSL 3.0 padding
771780 - CVE-2011-4619 openssl: SGC restart DoS attack

6.
Package List: Red Hat Enterprise Linux AS version 4: Source: ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/openssl-0.9.7a-43.18.el4.src.rpm i386: openssl-0.9.7a-43.18.el4.i386.rpm openssl-0.9.7a-43.18.el4.i686.rpm openssl-debuginfo-0.9.7a-43.18.el4.i386.rpm openssl-debuginfo-0.9.7a-43.18.el4.i686.rpm openssl-devel-0.9.7a-43.18.el4.i386.rpm openssl-perl-0.9.7a-43.18.el4.i386.rpm ia64: openssl-0.9.7a-43.18.el4.i686.rpm openssl-0.9.7a-43.18.el4.ia64.rpm openssl-debuginfo-0.9.7a-43.18.el4.i686.rpm openssl-debuginfo-0.9.7a-43.18.el4.ia64.rpm openssl-devel-0.9.7a-43.18.el4.ia64.rpm openssl-perl-0.9.7a-43.18.el4.ia64.rpm ppc: openssl-0.9.7a-43.18.el4.ppc.rpm openssl-0.9.7a-43.18.el4.ppc64.rpm openssl-debuginfo-0.9.7a-43.18.el4.ppc.rpm openssl-debuginfo-0.9.7a-43.18.el4.ppc64.rpm openssl-devel-0.9.7a-43.18.el4.ppc.rpm openssl-devel-0.9.7a-43.18.el4.ppc64.rpm openssl-perl-0.9.7a-43.18.el4.ppc.rpm s390: openssl-0.9.7a-43.18.el4.s390.rpm openssl-debuginfo-0.9.7a-43.18.el4.s390.rpm openssl-devel-0.9.7a-43.18.el4.s390.rpm openssl-perl-0.9.7a-43.18.el4.s390.rpm s390x: openssl-0.9.7a-43.18.el4.s390.rpm openssl-0.9.7a-43.18.el4.s390x.rpm openssl-debuginfo-0.9.7a-43.18.el4.s390.rpm openssl-debuginfo-0.9.7a-43.18.el4.s390x.rpm openssl-devel-0.9.7a-43.18.el4.s390.rpm openssl-devel-0.9.7a-43.18.el4.s390x.rpm openssl-perl-0.9.7a-43.18.el4.s390x.rpm x86_64: openssl-0.9.7a-43.18.el4.i686.rpm openssl-0.9.7a-43.18.el4.x86_64.rpm openssl-debuginfo-0.9.7a-43.18.el4.i386.rpm openssl-debuginfo-0.9.7a-43.18.el4.i686.rpm openssl-debuginfo-0.9.7a-43.18.el4.x86_64.rpm openssl-devel-0.9.7a-43.18.el4.i386.rpm openssl-devel-0.9.7a-43.18.el4.x86_64.rpm openssl-perl-0.9.7a-43.18.el4.x86_64.rpm Red Hat Enterprise Linux Desktop version 4: Source: ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/openssl-0.9.7a-43.18.el4.src.rpm i386: openssl-0.9.7a-43.18.el4.i386.rpm openssl-0.9.7a-43.18.el4.i686.rpm openssl-debuginfo-0.9.7a-43.18.el4.i386.rpm openssl-debuginfo-0.9.7a-43.18.el4.i686.rpm 
openssl-devel-0.9.7a-43.18.el4.i386.rpm openssl-perl-0.9.7a-43.18.el4.i386.rpm x86_64: openssl-0.9.7a-43.18.el4.i686.rpm openssl-0.9.7a-43.18.el4.x86_64.rpm openssl-debuginfo-0.9.7a-43.18.el4.i386.rpm openssl-debuginfo-0.9.7a-43.18.el4.i686.rpm openssl-debuginfo-0.9.7a-43.18.el4.x86_64.rpm openssl-devel-0.9.7a-43.18.el4.i386.rpm openssl-devel-0.9.7a-43.18.el4.x86_64.rpm openssl-perl-0.9.7a-43.18.el4.x86_64.rpm Red Hat Enterprise Linux ES version 4: Source: ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/openssl-0.9.7a-43.18.el4.src.rpm i386: openssl-0.9.7a-43.18.el4.i386.rpm openssl-0.9.7a-43.18.el4.i686.rpm openssl-debuginfo-0.9.7a-43.18.el4.i386.rpm openssl-debuginfo-0.9.7a-43.18.el4.i686.rpm openssl-devel-0.9.7a-43.18.el4.i386.rpm openssl-perl-0.9.7a-43.18.el4.i386.rpm ia64: openssl-0.9.7a-43.18.el4.i686.rpm openssl-0.9.7a-43.18.el4.ia64.rpm openssl-debuginfo-0.9.7a-43.18.el4.i686.rpm openssl-debuginfo-0.9.7a-43.18.el4.ia64.rpm openssl-devel-0.9.7a-43.18.el4.ia64.rpm openssl-perl-0.9.7a-43.18.el4.ia64.rpm x86_64: openssl-0.9.7a-43.18.el4.i686.rpm openssl-0.9.7a-43.18.el4.x86_64.rpm openssl-debuginfo-0.9.7a-43.18.el4.i386.rpm openssl-debuginfo-0.9.7a-43.18.el4.i686.rpm openssl-debuginfo-0.9.7a-43.18.el4.x86_64.rpm openssl-devel-0.9.7a-43.18.el4.i386.rpm openssl-devel-0.9.7a-43.18.el4.x86_64.rpm openssl-perl-0.9.7a-43.18.el4.x86_64.rpm Red Hat Enterprise Linux WS version 4: Source: ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/openssl-0.9.7a-43.18.el4.src.rpm i386: openssl-0.9.7a-43.18.el4.i386.rpm openssl-0.9.7a-43.18.el4.i686.rpm openssl-debuginfo-0.9.7a-43.18.el4.i386.rpm openssl-debuginfo-0.9.7a-43.18.el4.i686.rpm openssl-devel-0.9.7a-43.18.el4.i386.rpm openssl-perl-0.9.7a-43.18.el4.i386.rpm ia64: openssl-0.9.7a-43.18.el4.i686.rpm openssl-0.9.7a-43.18.el4.ia64.rpm openssl-debuginfo-0.9.7a-43.18.el4.i686.rpm openssl-debuginfo-0.9.7a-43.18.el4.ia64.rpm openssl-devel-0.9.7a-43.18.el4.ia64.rpm openssl-perl-0.9.7a-43.18.el4.ia64.rpm x86_64: 
openssl-0.9.7a-43.18.el4.i686.rpm
openssl-0.9.7a-43.18.el4.x86_64.rpm
openssl-debuginfo-0.9.7a-43.18.el4.i386.rpm
openssl-debuginfo-0.9.7a-43.18.el4.i686.rpm
openssl-debuginfo-0.9.7a-43.18.el4.x86_64.rpm
openssl-devel-0.9.7a-43.18.el4.i386.rpm
openssl-devel-0.9.7a-43.18.el4.x86_64.rpm
openssl-perl-0.9.7a-43.18.el4.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2011-4576.html
https://www.redhat.com/security/data/cve/CVE-2011-4619.html
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2012 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFPKYstXlSAg2UNWIIRAr/pAJ9Te6gGVLKF/deTvbc7P5nMOmqijgCgrJ1B
bdrF1JtstAdGlvaE4lWsNrQ=
=1X3a
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Feb 2 22:53:30 2012
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 2 Feb 2012 22:53:30 +0000
Subject: [RHSA-2012:0092-01] Critical: php53 security update
Message-ID: <201202022253.q12MrUcs024242@int-mx02.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Critical: php53 security update
Advisory ID: RHSA-2012:0092-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-0092.html
Issue date: 2012-02-02
CVE Names: CVE-2012-0830
=====================================================================

1. Summary:

Updated php53 packages that fix one security issue are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64

3. Description:

PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server.

It was discovered that the fix for CVE-2011-4885 (released via RHSA-2012:0019 for php53 packages in Red Hat Enterprise Linux 5) introduced an uninitialized memory use flaw. A remote attacker could send a specially-crafted HTTP request to cause the PHP interpreter to crash or, possibly, execute arbitrary code. (CVE-2012-0830)

All php53 users should upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/kb/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

786686 - CVE-2012-0830 php: remote code exec flaw introduced in the CVE-2011-4885 hashdos fix

6. Package List:

RHEL Desktop Workstation (v.
5 client): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/php53-5.3.3-1.el5_7.6.src.rpm i386: php53-5.3.3-1.el5_7.6.i386.rpm php53-bcmath-5.3.3-1.el5_7.6.i386.rpm php53-cli-5.3.3-1.el5_7.6.i386.rpm php53-common-5.3.3-1.el5_7.6.i386.rpm php53-dba-5.3.3-1.el5_7.6.i386.rpm php53-debuginfo-5.3.3-1.el5_7.6.i386.rpm php53-devel-5.3.3-1.el5_7.6.i386.rpm php53-gd-5.3.3-1.el5_7.6.i386.rpm php53-imap-5.3.3-1.el5_7.6.i386.rpm php53-intl-5.3.3-1.el5_7.6.i386.rpm php53-ldap-5.3.3-1.el5_7.6.i386.rpm php53-mbstring-5.3.3-1.el5_7.6.i386.rpm php53-mysql-5.3.3-1.el5_7.6.i386.rpm php53-odbc-5.3.3-1.el5_7.6.i386.rpm php53-pdo-5.3.3-1.el5_7.6.i386.rpm php53-pgsql-5.3.3-1.el5_7.6.i386.rpm php53-process-5.3.3-1.el5_7.6.i386.rpm php53-pspell-5.3.3-1.el5_7.6.i386.rpm php53-snmp-5.3.3-1.el5_7.6.i386.rpm php53-soap-5.3.3-1.el5_7.6.i386.rpm php53-xml-5.3.3-1.el5_7.6.i386.rpm php53-xmlrpc-5.3.3-1.el5_7.6.i386.rpm x86_64: php53-5.3.3-1.el5_7.6.x86_64.rpm php53-bcmath-5.3.3-1.el5_7.6.x86_64.rpm php53-cli-5.3.3-1.el5_7.6.x86_64.rpm php53-common-5.3.3-1.el5_7.6.x86_64.rpm php53-dba-5.3.3-1.el5_7.6.x86_64.rpm php53-debuginfo-5.3.3-1.el5_7.6.x86_64.rpm php53-devel-5.3.3-1.el5_7.6.x86_64.rpm php53-gd-5.3.3-1.el5_7.6.x86_64.rpm php53-imap-5.3.3-1.el5_7.6.x86_64.rpm php53-intl-5.3.3-1.el5_7.6.x86_64.rpm php53-ldap-5.3.3-1.el5_7.6.x86_64.rpm php53-mbstring-5.3.3-1.el5_7.6.x86_64.rpm php53-mysql-5.3.3-1.el5_7.6.x86_64.rpm php53-odbc-5.3.3-1.el5_7.6.x86_64.rpm php53-pdo-5.3.3-1.el5_7.6.x86_64.rpm php53-pgsql-5.3.3-1.el5_7.6.x86_64.rpm php53-process-5.3.3-1.el5_7.6.x86_64.rpm php53-pspell-5.3.3-1.el5_7.6.x86_64.rpm php53-snmp-5.3.3-1.el5_7.6.x86_64.rpm php53-soap-5.3.3-1.el5_7.6.x86_64.rpm php53-xml-5.3.3-1.el5_7.6.x86_64.rpm php53-xmlrpc-5.3.3-1.el5_7.6.x86_64.rpm Red Hat Enterprise Linux (v. 
5 server): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/php53-5.3.3-1.el5_7.6.src.rpm i386: php53-5.3.3-1.el5_7.6.i386.rpm php53-bcmath-5.3.3-1.el5_7.6.i386.rpm php53-cli-5.3.3-1.el5_7.6.i386.rpm php53-common-5.3.3-1.el5_7.6.i386.rpm php53-dba-5.3.3-1.el5_7.6.i386.rpm php53-debuginfo-5.3.3-1.el5_7.6.i386.rpm php53-devel-5.3.3-1.el5_7.6.i386.rpm php53-gd-5.3.3-1.el5_7.6.i386.rpm php53-imap-5.3.3-1.el5_7.6.i386.rpm php53-intl-5.3.3-1.el5_7.6.i386.rpm php53-ldap-5.3.3-1.el5_7.6.i386.rpm php53-mbstring-5.3.3-1.el5_7.6.i386.rpm php53-mysql-5.3.3-1.el5_7.6.i386.rpm php53-odbc-5.3.3-1.el5_7.6.i386.rpm php53-pdo-5.3.3-1.el5_7.6.i386.rpm php53-pgsql-5.3.3-1.el5_7.6.i386.rpm php53-process-5.3.3-1.el5_7.6.i386.rpm php53-pspell-5.3.3-1.el5_7.6.i386.rpm php53-snmp-5.3.3-1.el5_7.6.i386.rpm php53-soap-5.3.3-1.el5_7.6.i386.rpm php53-xml-5.3.3-1.el5_7.6.i386.rpm php53-xmlrpc-5.3.3-1.el5_7.6.i386.rpm ia64: php53-5.3.3-1.el5_7.6.ia64.rpm php53-bcmath-5.3.3-1.el5_7.6.ia64.rpm php53-cli-5.3.3-1.el5_7.6.ia64.rpm php53-common-5.3.3-1.el5_7.6.ia64.rpm php53-dba-5.3.3-1.el5_7.6.ia64.rpm php53-debuginfo-5.3.3-1.el5_7.6.ia64.rpm php53-devel-5.3.3-1.el5_7.6.ia64.rpm php53-gd-5.3.3-1.el5_7.6.ia64.rpm php53-imap-5.3.3-1.el5_7.6.ia64.rpm php53-intl-5.3.3-1.el5_7.6.ia64.rpm php53-ldap-5.3.3-1.el5_7.6.ia64.rpm php53-mbstring-5.3.3-1.el5_7.6.ia64.rpm php53-mysql-5.3.3-1.el5_7.6.ia64.rpm php53-odbc-5.3.3-1.el5_7.6.ia64.rpm php53-pdo-5.3.3-1.el5_7.6.ia64.rpm php53-pgsql-5.3.3-1.el5_7.6.ia64.rpm php53-process-5.3.3-1.el5_7.6.ia64.rpm php53-pspell-5.3.3-1.el5_7.6.ia64.rpm php53-snmp-5.3.3-1.el5_7.6.ia64.rpm php53-soap-5.3.3-1.el5_7.6.ia64.rpm php53-xml-5.3.3-1.el5_7.6.ia64.rpm php53-xmlrpc-5.3.3-1.el5_7.6.ia64.rpm ppc: php53-5.3.3-1.el5_7.6.ppc.rpm php53-bcmath-5.3.3-1.el5_7.6.ppc.rpm php53-cli-5.3.3-1.el5_7.6.ppc.rpm php53-common-5.3.3-1.el5_7.6.ppc.rpm php53-dba-5.3.3-1.el5_7.6.ppc.rpm php53-debuginfo-5.3.3-1.el5_7.6.ppc.rpm php53-devel-5.3.3-1.el5_7.6.ppc.rpm 
php53-gd-5.3.3-1.el5_7.6.ppc.rpm php53-imap-5.3.3-1.el5_7.6.ppc.rpm php53-intl-5.3.3-1.el5_7.6.ppc.rpm php53-ldap-5.3.3-1.el5_7.6.ppc.rpm php53-mbstring-5.3.3-1.el5_7.6.ppc.rpm php53-mysql-5.3.3-1.el5_7.6.ppc.rpm php53-odbc-5.3.3-1.el5_7.6.ppc.rpm php53-pdo-5.3.3-1.el5_7.6.ppc.rpm php53-pgsql-5.3.3-1.el5_7.6.ppc.rpm php53-process-5.3.3-1.el5_7.6.ppc.rpm php53-pspell-5.3.3-1.el5_7.6.ppc.rpm php53-snmp-5.3.3-1.el5_7.6.ppc.rpm php53-soap-5.3.3-1.el5_7.6.ppc.rpm php53-xml-5.3.3-1.el5_7.6.ppc.rpm php53-xmlrpc-5.3.3-1.el5_7.6.ppc.rpm s390x: php53-5.3.3-1.el5_7.6.s390x.rpm php53-bcmath-5.3.3-1.el5_7.6.s390x.rpm php53-cli-5.3.3-1.el5_7.6.s390x.rpm php53-common-5.3.3-1.el5_7.6.s390x.rpm php53-dba-5.3.3-1.el5_7.6.s390x.rpm php53-debuginfo-5.3.3-1.el5_7.6.s390x.rpm php53-devel-5.3.3-1.el5_7.6.s390x.rpm php53-gd-5.3.3-1.el5_7.6.s390x.rpm php53-imap-5.3.3-1.el5_7.6.s390x.rpm php53-intl-5.3.3-1.el5_7.6.s390x.rpm php53-ldap-5.3.3-1.el5_7.6.s390x.rpm php53-mbstring-5.3.3-1.el5_7.6.s390x.rpm php53-mysql-5.3.3-1.el5_7.6.s390x.rpm php53-odbc-5.3.3-1.el5_7.6.s390x.rpm php53-pdo-5.3.3-1.el5_7.6.s390x.rpm php53-pgsql-5.3.3-1.el5_7.6.s390x.rpm php53-process-5.3.3-1.el5_7.6.s390x.rpm php53-pspell-5.3.3-1.el5_7.6.s390x.rpm php53-snmp-5.3.3-1.el5_7.6.s390x.rpm php53-soap-5.3.3-1.el5_7.6.s390x.rpm php53-xml-5.3.3-1.el5_7.6.s390x.rpm php53-xmlrpc-5.3.3-1.el5_7.6.s390x.rpm x86_64: php53-5.3.3-1.el5_7.6.x86_64.rpm php53-bcmath-5.3.3-1.el5_7.6.x86_64.rpm php53-cli-5.3.3-1.el5_7.6.x86_64.rpm php53-common-5.3.3-1.el5_7.6.x86_64.rpm php53-dba-5.3.3-1.el5_7.6.x86_64.rpm php53-debuginfo-5.3.3-1.el5_7.6.x86_64.rpm php53-devel-5.3.3-1.el5_7.6.x86_64.rpm php53-gd-5.3.3-1.el5_7.6.x86_64.rpm php53-imap-5.3.3-1.el5_7.6.x86_64.rpm php53-intl-5.3.3-1.el5_7.6.x86_64.rpm php53-ldap-5.3.3-1.el5_7.6.x86_64.rpm php53-mbstring-5.3.3-1.el5_7.6.x86_64.rpm php53-mysql-5.3.3-1.el5_7.6.x86_64.rpm php53-odbc-5.3.3-1.el5_7.6.x86_64.rpm php53-pdo-5.3.3-1.el5_7.6.x86_64.rpm php53-pgsql-5.3.3-1.el5_7.6.x86_64.rpm 
php53-process-5.3.3-1.el5_7.6.x86_64.rpm
php53-pspell-5.3.3-1.el5_7.6.x86_64.rpm
php53-snmp-5.3.3-1.el5_7.6.x86_64.rpm
php53-soap-5.3.3-1.el5_7.6.x86_64.rpm
php53-xml-5.3.3-1.el5_7.6.x86_64.rpm
php53-xmlrpc-5.3.3-1.el5_7.6.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2012-0830.html
https://access.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2012 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFPKxPZXlSAg2UNWIIRAndsAJ4uqB2rZOLnQSgwRGqU2/AU3knpBQCgxTT4
z+boK1XW2LM6avGF4IAJ6ak=
=suBA
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Feb 2 22:53:55 2012
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 2 Feb 2012 22:53:55 +0000
Subject: [RHSA-2012:0094-01] Important: freetype security update
Message-ID: <201202022253.q12MrtrS026157@int-mx12.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Important: freetype security update
Advisory ID: RHSA-2012:0094-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-0094.html
Issue date: 2012-02-02
CVE Names: CVE-2011-3256 CVE-2011-3439
=====================================================================

1. Summary:

Updated freetype packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5.6 Extended Update Support.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux EUS (v. 5.6 server) - i386, ia64, ppc, s390x, x86_64

3. Description:

FreeType is a free, high-quality, portable font engine that can open and manage font files. It also loads, hints, and renders individual glyphs efficiently.

Multiple input validation flaws were found in the way FreeType processed bitmap font files. If a specially-crafted font file was loaded by an application linked against FreeType, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2011-3256)

Multiple input validation flaws were found in the way FreeType processed CID-keyed fonts. If a specially-crafted font file was loaded by an application linked against FreeType, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2011-3439)

Users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The X server must be restarted (log out, then log back in) for this update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/kb/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

746226 - CVE-2011-3256 FreeType FT_Bitmap_New integer overflow to buffer overflow, FreeType TT_Vary_Get_Glyph_Deltas improper input validation
753799 - CVE-2011-3439 freetype: Multiple security flaws when loading CID-keyed Type 1 fonts

6. Package List:

Red Hat Enterprise Linux EUS (v. 5.6 server):

Source:
freetype-2.2.1-28.el5_6.1.src.rpm

i386:
freetype-2.2.1-28.el5_6.1.i386.rpm
freetype-debuginfo-2.2.1-28.el5_6.1.i386.rpm
freetype-demos-2.2.1-28.el5_6.1.i386.rpm
freetype-devel-2.2.1-28.el5_6.1.i386.rpm

ia64:
freetype-2.2.1-28.el5_6.1.i386.rpm
freetype-2.2.1-28.el5_6.1.ia64.rpm
freetype-debuginfo-2.2.1-28.el5_6.1.i386.rpm
freetype-debuginfo-2.2.1-28.el5_6.1.ia64.rpm
freetype-demos-2.2.1-28.el5_6.1.ia64.rpm
freetype-devel-2.2.1-28.el5_6.1.ia64.rpm

ppc:
freetype-2.2.1-28.el5_6.1.ppc.rpm
freetype-2.2.1-28.el5_6.1.ppc64.rpm
freetype-debuginfo-2.2.1-28.el5_6.1.ppc.rpm
freetype-debuginfo-2.2.1-28.el5_6.1.ppc64.rpm
freetype-demos-2.2.1-28.el5_6.1.ppc.rpm
freetype-devel-2.2.1-28.el5_6.1.ppc.rpm
freetype-devel-2.2.1-28.el5_6.1.ppc64.rpm

s390x:
freetype-2.2.1-28.el5_6.1.s390.rpm
freetype-2.2.1-28.el5_6.1.s390x.rpm
freetype-debuginfo-2.2.1-28.el5_6.1.s390.rpm
freetype-debuginfo-2.2.1-28.el5_6.1.s390x.rpm
freetype-demos-2.2.1-28.el5_6.1.s390x.rpm
freetype-devel-2.2.1-28.el5_6.1.s390.rpm
freetype-devel-2.2.1-28.el5_6.1.s390x.rpm

x86_64:
freetype-2.2.1-28.el5_6.1.i386.rpm
freetype-2.2.1-28.el5_6.1.x86_64.rpm
freetype-debuginfo-2.2.1-28.el5_6.1.i386.rpm
freetype-debuginfo-2.2.1-28.el5_6.1.x86_64.rpm
freetype-demos-2.2.1-28.el5_6.1.x86_64.rpm
freetype-devel-2.2.1-28.el5_6.1.i386.rpm
freetype-devel-2.2.1-28.el5_6.1.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2011-3256.html
https://www.redhat.com/security/data/cve/CVE-2011-3439.html
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2012 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFPKxP2XlSAg2UNWIIRAjurAJwKoNnO3kO/eCYy/Ik2qr5FFglEwgCfeGfz
wuUKAtusuteQw1anUlEZSTI=
=Z2Z4
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Feb 2 22:54:35 2012
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 2 Feb 2012 22:54:35 +0000
Subject: [RHSA-2012:0095-01] Moderate: ghostscript security update
Message-ID: <201202022254.q12MsZhu024358@int-mx02.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: ghostscript security update
Advisory ID: RHSA-2012:0095-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-0095.html
Issue date: 2012-02-02
CVE Names: CVE-2009-3743 CVE-2010-2055 CVE-2010-4054 CVE-2010-4820
=====================================================================

1. Summary:

Updated ghostscript packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64

3. Description:

Ghostscript is a set of software that provides a PostScript interpreter, a set of C procedures (the Ghostscript library, which implements the graphics capabilities in the PostScript language) and an interpreter for Portable Document Format (PDF) files.

An integer overflow flaw was found in Ghostscript's TrueType bytecode interpreter. An attacker could create a specially-crafted PostScript or PDF file that, when interpreted, could cause Ghostscript to crash or, potentially, execute arbitrary code. (CVE-2009-3743)

It was found that Ghostscript always tried to read Ghostscript system initialization files from the current working directory before checking other directories, even if a search path that did not contain the current working directory was specified with the "-I" option, or the "-P-" option was used (to prevent the current working directory being searched first). If a user ran Ghostscript in an attacker-controlled directory containing a system initialization file, it could cause Ghostscript to execute arbitrary PostScript code. (CVE-2010-2055)

Ghostscript included the current working directory in its library search path by default. If a user ran Ghostscript without the "-P-" option in an attacker-controlled directory containing a specially-crafted PostScript library file, it could cause Ghostscript to execute arbitrary PostScript code. With this update, Ghostscript no longer searches the current working directory for library files by default. (CVE-2010-4820)

Note: The fix for CVE-2010-4820 could possibly break existing configurations. To use the previous, vulnerable behavior, run Ghostscript with the "-P" option (to always search the current working directory first).

A flaw was found in the way Ghostscript interpreted PostScript Type 1 and PostScript Type 2 font files. An attacker could create a specially-crafted PostScript Type 1 or PostScript Type 2 font file that, when interpreted, could cause Ghostscript to crash or, potentially, execute arbitrary code. (CVE-2010-4054)

Users of Ghostscript are advised to upgrade to these updated packages, which contain backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/kb/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

599564 - CVE-2010-2055 ghostscript: gs_init.ps searched in current directory despite -P-
627902 - CVE-2009-3743 ghostscript: TrueType bytecode interpreter integer overflow or wraparound
646086 - CVE-2010-4054 ghostscript: glyph data access improper input validation
771853 - CVE-2010-4820 ghostscript: CWD included in the default library search path

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/ghostscript-8.70-6.el5_7.6.src.rpm

i386:
ghostscript-8.70-6.el5_7.6.i386.rpm
ghostscript-debuginfo-8.70-6.el5_7.6.i386.rpm
ghostscript-gtk-8.70-6.el5_7.6.i386.rpm

x86_64:
ghostscript-8.70-6.el5_7.6.i386.rpm
ghostscript-8.70-6.el5_7.6.x86_64.rpm
ghostscript-debuginfo-8.70-6.el5_7.6.i386.rpm
ghostscript-debuginfo-8.70-6.el5_7.6.x86_64.rpm
ghostscript-gtk-8.70-6.el5_7.6.x86_64.rpm

RHEL Desktop Workstation (v.
5 client): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/ghostscript-8.70-6.el5_7.6.src.rpm i386: ghostscript-debuginfo-8.70-6.el5_7.6.i386.rpm ghostscript-devel-8.70-6.el5_7.6.i386.rpm x86_64: ghostscript-debuginfo-8.70-6.el5_7.6.i386.rpm ghostscript-debuginfo-8.70-6.el5_7.6.x86_64.rpm ghostscript-devel-8.70-6.el5_7.6.i386.rpm ghostscript-devel-8.70-6.el5_7.6.x86_64.rpm Red Hat Enterprise Linux (v. 5 server): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/ghostscript-8.70-6.el5_7.6.src.rpm i386: ghostscript-8.70-6.el5_7.6.i386.rpm ghostscript-debuginfo-8.70-6.el5_7.6.i386.rpm ghostscript-devel-8.70-6.el5_7.6.i386.rpm ghostscript-gtk-8.70-6.el5_7.6.i386.rpm ia64: ghostscript-8.70-6.el5_7.6.ia64.rpm ghostscript-debuginfo-8.70-6.el5_7.6.ia64.rpm ghostscript-devel-8.70-6.el5_7.6.ia64.rpm ghostscript-gtk-8.70-6.el5_7.6.ia64.rpm ppc: ghostscript-8.70-6.el5_7.6.ppc.rpm ghostscript-8.70-6.el5_7.6.ppc64.rpm ghostscript-debuginfo-8.70-6.el5_7.6.ppc.rpm ghostscript-debuginfo-8.70-6.el5_7.6.ppc64.rpm ghostscript-devel-8.70-6.el5_7.6.ppc.rpm ghostscript-devel-8.70-6.el5_7.6.ppc64.rpm ghostscript-gtk-8.70-6.el5_7.6.ppc.rpm s390x: ghostscript-8.70-6.el5_7.6.s390.rpm ghostscript-8.70-6.el5_7.6.s390x.rpm ghostscript-debuginfo-8.70-6.el5_7.6.s390.rpm ghostscript-debuginfo-8.70-6.el5_7.6.s390x.rpm ghostscript-devel-8.70-6.el5_7.6.s390.rpm ghostscript-devel-8.70-6.el5_7.6.s390x.rpm ghostscript-gtk-8.70-6.el5_7.6.s390x.rpm x86_64: ghostscript-8.70-6.el5_7.6.i386.rpm ghostscript-8.70-6.el5_7.6.x86_64.rpm ghostscript-debuginfo-8.70-6.el5_7.6.i386.rpm ghostscript-debuginfo-8.70-6.el5_7.6.x86_64.rpm ghostscript-devel-8.70-6.el5_7.6.i386.rpm ghostscript-devel-8.70-6.el5_7.6.x86_64.rpm ghostscript-gtk-8.70-6.el5_7.6.x86_64.rpm Red Hat Enterprise Linux Desktop (v. 
6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/ghostscript-8.70-11.el6_2.6.src.rpm i386: ghostscript-8.70-11.el6_2.6.i686.rpm ghostscript-debuginfo-8.70-11.el6_2.6.i686.rpm x86_64: ghostscript-8.70-11.el6_2.6.i686.rpm ghostscript-8.70-11.el6_2.6.x86_64.rpm ghostscript-debuginfo-8.70-11.el6_2.6.i686.rpm ghostscript-debuginfo-8.70-11.el6_2.6.x86_64.rpm Red Hat Enterprise Linux Desktop Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/ghostscript-8.70-11.el6_2.6.src.rpm i386: ghostscript-debuginfo-8.70-11.el6_2.6.i686.rpm ghostscript-devel-8.70-11.el6_2.6.i686.rpm ghostscript-doc-8.70-11.el6_2.6.i686.rpm ghostscript-gtk-8.70-11.el6_2.6.i686.rpm x86_64: ghostscript-debuginfo-8.70-11.el6_2.6.i686.rpm ghostscript-debuginfo-8.70-11.el6_2.6.x86_64.rpm ghostscript-devel-8.70-11.el6_2.6.i686.rpm ghostscript-devel-8.70-11.el6_2.6.x86_64.rpm ghostscript-doc-8.70-11.el6_2.6.x86_64.rpm ghostscript-gtk-8.70-11.el6_2.6.x86_64.rpm Red Hat Enterprise Linux HPC Node (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/ghostscript-8.70-11.el6_2.6.src.rpm x86_64: ghostscript-8.70-11.el6_2.6.i686.rpm ghostscript-8.70-11.el6_2.6.x86_64.rpm ghostscript-debuginfo-8.70-11.el6_2.6.i686.rpm ghostscript-debuginfo-8.70-11.el6_2.6.x86_64.rpm Red Hat Enterprise Linux HPC Node Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/ghostscript-8.70-11.el6_2.6.src.rpm x86_64: ghostscript-debuginfo-8.70-11.el6_2.6.i686.rpm ghostscript-debuginfo-8.70-11.el6_2.6.x86_64.rpm ghostscript-devel-8.70-11.el6_2.6.i686.rpm ghostscript-devel-8.70-11.el6_2.6.x86_64.rpm ghostscript-doc-8.70-11.el6_2.6.x86_64.rpm ghostscript-gtk-8.70-11.el6_2.6.x86_64.rpm Red Hat Enterprise Linux Server (v. 
6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/ghostscript-8.70-11.el6_2.6.src.rpm i386: ghostscript-8.70-11.el6_2.6.i686.rpm ghostscript-debuginfo-8.70-11.el6_2.6.i686.rpm ppc64: ghostscript-8.70-11.el6_2.6.ppc.rpm ghostscript-8.70-11.el6_2.6.ppc64.rpm ghostscript-debuginfo-8.70-11.el6_2.6.ppc.rpm ghostscript-debuginfo-8.70-11.el6_2.6.ppc64.rpm s390x: ghostscript-8.70-11.el6_2.6.s390.rpm ghostscript-8.70-11.el6_2.6.s390x.rpm ghostscript-debuginfo-8.70-11.el6_2.6.s390.rpm ghostscript-debuginfo-8.70-11.el6_2.6.s390x.rpm x86_64: ghostscript-8.70-11.el6_2.6.i686.rpm ghostscript-8.70-11.el6_2.6.x86_64.rpm ghostscript-debuginfo-8.70-11.el6_2.6.i686.rpm ghostscript-debuginfo-8.70-11.el6_2.6.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/ghostscript-8.70-11.el6_2.6.src.rpm i386: ghostscript-debuginfo-8.70-11.el6_2.6.i686.rpm ghostscript-devel-8.70-11.el6_2.6.i686.rpm ghostscript-doc-8.70-11.el6_2.6.i686.rpm ghostscript-gtk-8.70-11.el6_2.6.i686.rpm ppc64: ghostscript-debuginfo-8.70-11.el6_2.6.ppc.rpm ghostscript-debuginfo-8.70-11.el6_2.6.ppc64.rpm ghostscript-devel-8.70-11.el6_2.6.ppc.rpm ghostscript-devel-8.70-11.el6_2.6.ppc64.rpm ghostscript-doc-8.70-11.el6_2.6.ppc64.rpm ghostscript-gtk-8.70-11.el6_2.6.ppc64.rpm s390x: ghostscript-debuginfo-8.70-11.el6_2.6.s390.rpm ghostscript-debuginfo-8.70-11.el6_2.6.s390x.rpm ghostscript-devel-8.70-11.el6_2.6.s390.rpm ghostscript-devel-8.70-11.el6_2.6.s390x.rpm ghostscript-doc-8.70-11.el6_2.6.s390x.rpm ghostscript-gtk-8.70-11.el6_2.6.s390x.rpm x86_64: ghostscript-debuginfo-8.70-11.el6_2.6.i686.rpm ghostscript-debuginfo-8.70-11.el6_2.6.x86_64.rpm ghostscript-devel-8.70-11.el6_2.6.i686.rpm ghostscript-devel-8.70-11.el6_2.6.x86_64.rpm ghostscript-doc-8.70-11.el6_2.6.x86_64.rpm ghostscript-gtk-8.70-11.el6_2.6.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 
6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/ghostscript-8.70-11.el6_2.6.src.rpm i386: ghostscript-8.70-11.el6_2.6.i686.rpm ghostscript-debuginfo-8.70-11.el6_2.6.i686.rpm x86_64: ghostscript-8.70-11.el6_2.6.i686.rpm ghostscript-8.70-11.el6_2.6.x86_64.rpm ghostscript-debuginfo-8.70-11.el6_2.6.i686.rpm ghostscript-debuginfo-8.70-11.el6_2.6.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/ghostscript-8.70-11.el6_2.6.src.rpm i386: ghostscript-debuginfo-8.70-11.el6_2.6.i686.rpm ghostscript-devel-8.70-11.el6_2.6.i686.rpm ghostscript-doc-8.70-11.el6_2.6.i686.rpm ghostscript-gtk-8.70-11.el6_2.6.i686.rpm x86_64: ghostscript-debuginfo-8.70-11.el6_2.6.i686.rpm ghostscript-debuginfo-8.70-11.el6_2.6.x86_64.rpm ghostscript-devel-8.70-11.el6_2.6.i686.rpm ghostscript-devel-8.70-11.el6_2.6.x86_64.rpm ghostscript-doc-8.70-11.el6_2.6.x86_64.rpm ghostscript-gtk-8.70-11.el6_2.6.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2009-3743.html https://www.redhat.com/security/data/cve/CVE-2010-2055.html https://www.redhat.com/security/data/cve/CVE-2010-4054.html https://www.redhat.com/security/data/cve/CVE-2010-4820.html https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2012 Red Hat, Inc. 
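The search-path flaws described above (CVE-2010-4820 and CVE-2010-2055) are both about Ghostscript trusting the directory it happens to be started from. The wrapper below is an added example, not part of the advisory or of Ghostscript; it keeps "-P-" and, on top of that, runs the interpreter from a fresh empty directory so a planted init or library file is never in reach. GS_BIN, safe_gs and abspath are names assumed here.

```shell
#!/bin/sh
# safe_gs: run Ghostscript from a private, empty working directory.
#
# The advisory describes Ghostscript searching the current working
# directory for library files by default (CVE-2010-4820) and, on
# unpatched builds, reading its system initialization files from the CWD
# even when "-P-" or "-I" was given (CVE-2010-2055). Installing the fixed
# packages is the fix; this wrapper additionally takes the CWD out of the
# picture whenever Ghostscript has to process untrusted input: it passes
# "-P-", rewrites file arguments to absolute paths, and runs the
# interpreter from a fresh, empty directory that only the caller can write.
#
# GS_BIN is an assumed environment variable (not a Ghostscript feature)
# naming the binary to run; it defaults to "gs".
GS_BIN="${GS_BIN:-gs}"

# abspath PATH: print PATH as an absolute path, resolving symlinks in the
# directory part. The directory must exist; the file itself need not, so
# output files can be named before Ghostscript creates them.
abspath() {
    case "$1" in
        /*) printf '%s\n' "$1" ;;
        *)  dir=$(cd "$(dirname -- "$1")" 2>/dev/null && pwd -P) || return 1
            printf '%s/%s\n' "$dir" "$(basename -- "$1")" ;;
    esac
}

# safe_gs ARGS...: run "$GS_BIN -P- ARGS..." from a private empty directory
# without changing the caller's working directory. Returns Ghostscript's
# exit status, or 1 if a scratch directory could not be created.
#
# Argument handling:
#   * an argument that does not start with "-" and names an existing file
#     is rewritten to an absolute path so the chdir does not break it;
#   * "-sOutputFile=PATH" has PATH rewritten the same way, so output does
#     not land in the scratch directory and vanish with it ("-", "%stdout%"
#     and other %-destinations are left alone);
#   * every other option is passed through verbatim, so give any other
#     path-valued option (for example -I) an absolute value yourself.
# Arguments beginning with "-" are never treated as file names, so a file
# planted in an untrusted directory under a name such as "-P-" cannot turn
# an option into a path.
safe_gs() {
    scratch=$(mktemp -d) || return 1
    chmod 700 "$scratch"

    # Rebuild "$@" in place: shift each argument off the front and append
    # its (possibly rewritten) form at the back, exactly $# times.
    n=$#
    i=0
    while [ "$i" -lt "$n" ]; do
        arg=$1
        shift
        case "$arg" in
            -sOutputFile=-|-sOutputFile=%*) ;;
            -sOutputFile=*)
                out=$(abspath "${arg#-sOutputFile=}") && arg="-sOutputFile=$out" ;;
            -*) ;;
            *)
                if [ -f "$arg" ]; then
                    arg=$(abspath "$arg") || { rm -rf "$scratch"; return 1; }
                fi ;;
        esac
        set -- "$@" "$arg"
        i=$((i + 1))
    done

    # Run in a subshell so the chdir never leaks into the caller; the
    # if/else keeps a non-zero exit from tripping a caller's "set -e".
    if ( cd "$scratch" && exec "$GS_BIN" -P- "$@" ); then
        status=0
    else
        status=$?
    fi
    rm -rf "$scratch"
    return "$status"
}
```

Source the file and call `safe_gs -dBATCH -dNOPAUSE -sDEVICE=pdfwrite -sOutputFile=out.pdf input.ps` from any directory; the relative names are resolved against the caller's directory, not the scratch one.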
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD4DBQFPKxQeXlSAg2UNWIIRArqLAJYndAdU+gEQ5Ki//vi/wh7KgAtYAJ9NwToi
Ov6GX/QA+l4EOfr9Yj/1Qg==
=6sZd
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Feb 2 22:55:15 2012
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 2 Feb 2012 22:55:15 +0000
Subject: [RHSA-2012:0096-01] Moderate: ghostscript security update
Message-ID: <201202022255.q12MtFXc002052@int-mx10.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: ghostscript security update
Advisory ID: RHSA-2012:0096-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-0096.html
Issue date: 2012-02-02
CVE Names: CVE-2010-4054 CVE-2010-4820
=====================================================================

1. Summary:

Updated ghostscript packages that fix two security issues are now available for Red Hat Enterprise Linux 4.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

3. Description:

Ghostscript is a set of software that provides a PostScript interpreter, a set of C procedures (the Ghostscript library, which implements the graphics capabilities in the PostScript language) and an interpreter for Portable Document Format (PDF) files.

Ghostscript included the current working directory in its library search path by default. If a user ran Ghostscript without the "-P-" option in an attacker-controlled directory containing a specially-crafted PostScript library file, it could cause Ghostscript to execute arbitrary PostScript code. With this update, Ghostscript no longer searches the current working directory for library files by default. (CVE-2010-4820)

Note: The fix for CVE-2010-4820 could possibly break existing configurations. To use the previous, vulnerable behavior, run Ghostscript with the "-P" option (to always search the current working directory first).

A flaw was found in the way Ghostscript interpreted PostScript Type 1 and PostScript Type 2 font files. An attacker could create a specially-crafted PostScript Type 1 or PostScript Type 2 font file that, when interpreted, could cause Ghostscript to crash or, potentially, execute arbitrary code. (CVE-2010-4054)

Users of Ghostscript are advised to upgrade to these updated packages, which contain backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/kb/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

646086 - CVE-2010-4054 ghostscript: glyph data access improper input validation
771853 - CVE-2010-4820 ghostscript: CWD included in the default library search path

6. Package List:

Red Hat Enterprise Linux AS version 4:

Source: ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/ghostscript-7.07-33.13.el4.src.rpm

i386: ghostscript-7.07-33.13.el4.i386.rpm ghostscript-debuginfo-7.07-33.13.el4.i386.rpm ghostscript-devel-7.07-33.13.el4.i386.rpm ghostscript-gtk-7.07-33.13.el4.i386.rpm

ia64: ghostscript-7.07-33.13.el4.i386.rpm ghostscript-7.07-33.13.el4.ia64.rpm ghostscript-debuginfo-7.07-33.13.el4.i386.rpm ghostscript-debuginfo-7.07-33.13.el4.ia64.rpm ghostscript-devel-7.07-33.13.el4.ia64.rpm ghostscript-gtk-7.07-33.13.el4.ia64.rpm

ppc: ghostscript-7.07-33.13.el4.ppc.rpm ghostscript-7.07-33.13.el4.ppc64.rpm ghostscript-debuginfo-7.07-33.13.el4.ppc.rpm ghostscript-debuginfo-7.07-33.13.el4.ppc64.rpm ghostscript-devel-7.07-33.13.el4.ppc.rpm ghostscript-gtk-7.07-33.13.el4.ppc.rpm

s390: ghostscript-7.07-33.13.el4.s390.rpm ghostscript-debuginfo-7.07-33.13.el4.s390.rpm ghostscript-devel-7.07-33.13.el4.s390.rpm ghostscript-gtk-7.07-33.13.el4.s390.rpm

s390x: ghostscript-7.07-33.13.el4.s390.rpm ghostscript-7.07-33.13.el4.s390x.rpm ghostscript-debuginfo-7.07-33.13.el4.s390.rpm ghostscript-debuginfo-7.07-33.13.el4.s390x.rpm ghostscript-devel-7.07-33.13.el4.s390x.rpm ghostscript-gtk-7.07-33.13.el4.s390x.rpm

x86_64: ghostscript-7.07-33.13.el4.i386.rpm ghostscript-7.07-33.13.el4.x86_64.rpm ghostscript-debuginfo-7.07-33.13.el4.i386.rpm ghostscript-debuginfo-7.07-33.13.el4.x86_64.rpm ghostscript-devel-7.07-33.13.el4.x86_64.rpm ghostscript-gtk-7.07-33.13.el4.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source: ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/ghostscript-7.07-33.13.el4.src.rpm

i386: ghostscript-7.07-33.13.el4.i386.rpm ghostscript-debuginfo-7.07-33.13.el4.i386.rpm ghostscript-devel-7.07-33.13.el4.i386.rpm ghostscript-gtk-7.07-33.13.el4.i386.rpm

x86_64: ghostscript-7.07-33.13.el4.i386.rpm ghostscript-7.07-33.13.el4.x86_64.rpm ghostscript-debuginfo-7.07-33.13.el4.i386.rpm ghostscript-debuginfo-7.07-33.13.el4.x86_64.rpm ghostscript-devel-7.07-33.13.el4.x86_64.rpm ghostscript-gtk-7.07-33.13.el4.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source: ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/ghostscript-7.07-33.13.el4.src.rpm

i386: ghostscript-7.07-33.13.el4.i386.rpm ghostscript-debuginfo-7.07-33.13.el4.i386.rpm ghostscript-devel-7.07-33.13.el4.i386.rpm ghostscript-gtk-7.07-33.13.el4.i386.rpm

ia64: ghostscript-7.07-33.13.el4.i386.rpm ghostscript-7.07-33.13.el4.ia64.rpm ghostscript-debuginfo-7.07-33.13.el4.i386.rpm ghostscript-debuginfo-7.07-33.13.el4.ia64.rpm ghostscript-devel-7.07-33.13.el4.ia64.rpm ghostscript-gtk-7.07-33.13.el4.ia64.rpm

x86_64: ghostscript-7.07-33.13.el4.i386.rpm ghostscript-7.07-33.13.el4.x86_64.rpm ghostscript-debuginfo-7.07-33.13.el4.i386.rpm ghostscript-debuginfo-7.07-33.13.el4.x86_64.rpm ghostscript-devel-7.07-33.13.el4.x86_64.rpm ghostscript-gtk-7.07-33.13.el4.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source: ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/ghostscript-7.07-33.13.el4.src.rpm

i386: ghostscript-7.07-33.13.el4.i386.rpm ghostscript-debuginfo-7.07-33.13.el4.i386.rpm ghostscript-devel-7.07-33.13.el4.i386.rpm ghostscript-gtk-7.07-33.13.el4.i386.rpm

ia64: ghostscript-7.07-33.13.el4.i386.rpm ghostscript-7.07-33.13.el4.ia64.rpm ghostscript-debuginfo-7.07-33.13.el4.i386.rpm ghostscript-debuginfo-7.07-33.13.el4.ia64.rpm ghostscript-devel-7.07-33.13.el4.ia64.rpm ghostscript-gtk-7.07-33.13.el4.ia64.rpm

x86_64: ghostscript-7.07-33.13.el4.i386.rpm ghostscript-7.07-33.13.el4.x86_64.rpm ghostscript-debuginfo-7.07-33.13.el4.i386.rpm ghostscript-debuginfo-7.07-33.13.el4.x86_64.rpm ghostscript-devel-7.07-33.13.el4.x86_64.rpm ghostscript-gtk-7.07-33.13.el4.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2010-4054.html
https://www.redhat.com/security/data/cve/CVE-2010-4820.html
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2012 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFPKxQ7XlSAg2UNWIIRAjNGAKCB0hy3ETmh4O6CkzSzUlUJu2ERhACdGXlu
xskQrEPGEade4HdxafmR0vs=
=zRPc
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Feb 2 23:03:12 2012
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 2 Feb 2012 23:03:12 +0000
Subject: [RHSA-2012:0093-01] Critical: php security update
Message-ID: <201202022303.q12N3DrD010200@int-mx01.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Critical: php security update
Advisory ID: RHSA-2012:0093-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-0093.html
Issue date: 2012-02-02
CVE Names: CVE-2012-0830
=====================================================================

1. Summary:

Updated php packages that fix one security issue are now available for Red Hat Enterprise Linux 4, 5 and 6.

The Red Hat Security Response Team has rated this update as having critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64

3. Description:

PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server.

It was discovered that the fix for CVE-2011-4885 (released via RHSA-2012:0071, RHSA-2012:0033, and RHSA-2012:0019 for php packages in Red Hat Enterprise Linux 4, 5, and 6 respectively) introduced an uninitialized memory use flaw. A remote attacker could send a specially-crafted HTTP request to cause the PHP interpreter to crash or, possibly, execute arbitrary code. (CVE-2012-0830)

All php users should upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/kb/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

786686 - CVE-2012-0830 php: remote code exec flaw introduced in the CVE-2011-4885 hashdos fix

6. Package List:

Red Hat Enterprise Linux AS version 4:

Source: ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/php-4.3.9-3.36.src.rpm

i386: php-4.3.9-3.36.i386.rpm php-debuginfo-4.3.9-3.36.i386.rpm php-devel-4.3.9-3.36.i386.rpm php-domxml-4.3.9-3.36.i386.rpm php-gd-4.3.9-3.36.i386.rpm php-imap-4.3.9-3.36.i386.rpm php-ldap-4.3.9-3.36.i386.rpm php-mbstring-4.3.9-3.36.i386.rpm php-mysql-4.3.9-3.36.i386.rpm php-ncurses-4.3.9-3.36.i386.rpm php-odbc-4.3.9-3.36.i386.rpm php-pear-4.3.9-3.36.i386.rpm php-pgsql-4.3.9-3.36.i386.rpm php-snmp-4.3.9-3.36.i386.rpm php-xmlrpc-4.3.9-3.36.i386.rpm

ia64: php-4.3.9-3.36.ia64.rpm php-debuginfo-4.3.9-3.36.ia64.rpm php-devel-4.3.9-3.36.ia64.rpm php-domxml-4.3.9-3.36.ia64.rpm php-gd-4.3.9-3.36.ia64.rpm php-imap-4.3.9-3.36.ia64.rpm php-ldap-4.3.9-3.36.ia64.rpm php-mbstring-4.3.9-3.36.ia64.rpm php-mysql-4.3.9-3.36.ia64.rpm php-ncurses-4.3.9-3.36.ia64.rpm php-odbc-4.3.9-3.36.ia64.rpm php-pear-4.3.9-3.36.ia64.rpm php-pgsql-4.3.9-3.36.ia64.rpm php-snmp-4.3.9-3.36.ia64.rpm php-xmlrpc-4.3.9-3.36.ia64.rpm

ppc: php-4.3.9-3.36.ppc.rpm php-debuginfo-4.3.9-3.36.ppc.rpm php-devel-4.3.9-3.36.ppc.rpm php-domxml-4.3.9-3.36.ppc.rpm php-gd-4.3.9-3.36.ppc.rpm php-imap-4.3.9-3.36.ppc.rpm php-ldap-4.3.9-3.36.ppc.rpm php-mbstring-4.3.9-3.36.ppc.rpm php-mysql-4.3.9-3.36.ppc.rpm php-ncurses-4.3.9-3.36.ppc.rpm php-odbc-4.3.9-3.36.ppc.rpm php-pear-4.3.9-3.36.ppc.rpm php-pgsql-4.3.9-3.36.ppc.rpm php-snmp-4.3.9-3.36.ppc.rpm php-xmlrpc-4.3.9-3.36.ppc.rpm

s390: php-4.3.9-3.36.s390.rpm php-debuginfo-4.3.9-3.36.s390.rpm php-devel-4.3.9-3.36.s390.rpm php-domxml-4.3.9-3.36.s390.rpm php-gd-4.3.9-3.36.s390.rpm php-imap-4.3.9-3.36.s390.rpm php-ldap-4.3.9-3.36.s390.rpm php-mbstring-4.3.9-3.36.s390.rpm php-mysql-4.3.9-3.36.s390.rpm php-ncurses-4.3.9-3.36.s390.rpm php-odbc-4.3.9-3.36.s390.rpm php-pear-4.3.9-3.36.s390.rpm php-pgsql-4.3.9-3.36.s390.rpm php-snmp-4.3.9-3.36.s390.rpm php-xmlrpc-4.3.9-3.36.s390.rpm

s390x: php-4.3.9-3.36.s390x.rpm php-debuginfo-4.3.9-3.36.s390x.rpm php-devel-4.3.9-3.36.s390x.rpm php-domxml-4.3.9-3.36.s390x.rpm php-gd-4.3.9-3.36.s390x.rpm php-imap-4.3.9-3.36.s390x.rpm php-ldap-4.3.9-3.36.s390x.rpm php-mbstring-4.3.9-3.36.s390x.rpm php-mysql-4.3.9-3.36.s390x.rpm php-ncurses-4.3.9-3.36.s390x.rpm php-odbc-4.3.9-3.36.s390x.rpm php-pear-4.3.9-3.36.s390x.rpm php-pgsql-4.3.9-3.36.s390x.rpm php-snmp-4.3.9-3.36.s390x.rpm php-xmlrpc-4.3.9-3.36.s390x.rpm

x86_64: php-4.3.9-3.36.x86_64.rpm php-debuginfo-4.3.9-3.36.x86_64.rpm php-devel-4.3.9-3.36.x86_64.rpm php-domxml-4.3.9-3.36.x86_64.rpm php-gd-4.3.9-3.36.x86_64.rpm php-imap-4.3.9-3.36.x86_64.rpm php-ldap-4.3.9-3.36.x86_64.rpm php-mbstring-4.3.9-3.36.x86_64.rpm php-mysql-4.3.9-3.36.x86_64.rpm php-ncurses-4.3.9-3.36.x86_64.rpm php-odbc-4.3.9-3.36.x86_64.rpm php-pear-4.3.9-3.36.x86_64.rpm php-pgsql-4.3.9-3.36.x86_64.rpm php-snmp-4.3.9-3.36.x86_64.rpm php-xmlrpc-4.3.9-3.36.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source: ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/php-4.3.9-3.36.src.rpm

i386: php-4.3.9-3.36.i386.rpm php-debuginfo-4.3.9-3.36.i386.rpm php-devel-4.3.9-3.36.i386.rpm php-domxml-4.3.9-3.36.i386.rpm php-gd-4.3.9-3.36.i386.rpm php-imap-4.3.9-3.36.i386.rpm php-ldap-4.3.9-3.36.i386.rpm php-mbstring-4.3.9-3.36.i386.rpm php-mysql-4.3.9-3.36.i386.rpm php-ncurses-4.3.9-3.36.i386.rpm php-odbc-4.3.9-3.36.i386.rpm php-pear-4.3.9-3.36.i386.rpm php-pgsql-4.3.9-3.36.i386.rpm php-snmp-4.3.9-3.36.i386.rpm php-xmlrpc-4.3.9-3.36.i386.rpm

x86_64: php-4.3.9-3.36.x86_64.rpm php-debuginfo-4.3.9-3.36.x86_64.rpm php-devel-4.3.9-3.36.x86_64.rpm php-domxml-4.3.9-3.36.x86_64.rpm php-gd-4.3.9-3.36.x86_64.rpm php-imap-4.3.9-3.36.x86_64.rpm php-ldap-4.3.9-3.36.x86_64.rpm php-mbstring-4.3.9-3.36.x86_64.rpm php-mysql-4.3.9-3.36.x86_64.rpm php-ncurses-4.3.9-3.36.x86_64.rpm php-odbc-4.3.9-3.36.x86_64.rpm php-pear-4.3.9-3.36.x86_64.rpm php-pgsql-4.3.9-3.36.x86_64.rpm php-snmp-4.3.9-3.36.x86_64.rpm php-xmlrpc-4.3.9-3.36.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source: ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/php-4.3.9-3.36.src.rpm

i386: php-4.3.9-3.36.i386.rpm php-debuginfo-4.3.9-3.36.i386.rpm php-devel-4.3.9-3.36.i386.rpm php-domxml-4.3.9-3.36.i386.rpm php-gd-4.3.9-3.36.i386.rpm php-imap-4.3.9-3.36.i386.rpm php-ldap-4.3.9-3.36.i386.rpm php-mbstring-4.3.9-3.36.i386.rpm php-mysql-4.3.9-3.36.i386.rpm php-ncurses-4.3.9-3.36.i386.rpm php-odbc-4.3.9-3.36.i386.rpm php-pear-4.3.9-3.36.i386.rpm php-pgsql-4.3.9-3.36.i386.rpm php-snmp-4.3.9-3.36.i386.rpm php-xmlrpc-4.3.9-3.36.i386.rpm

ia64: php-4.3.9-3.36.ia64.rpm php-debuginfo-4.3.9-3.36.ia64.rpm php-devel-4.3.9-3.36.ia64.rpm php-domxml-4.3.9-3.36.ia64.rpm php-gd-4.3.9-3.36.ia64.rpm php-imap-4.3.9-3.36.ia64.rpm php-ldap-4.3.9-3.36.ia64.rpm php-mbstring-4.3.9-3.36.ia64.rpm php-mysql-4.3.9-3.36.ia64.rpm php-ncurses-4.3.9-3.36.ia64.rpm php-odbc-4.3.9-3.36.ia64.rpm php-pear-4.3.9-3.36.ia64.rpm php-pgsql-4.3.9-3.36.ia64.rpm php-snmp-4.3.9-3.36.ia64.rpm php-xmlrpc-4.3.9-3.36.ia64.rpm

x86_64: php-4.3.9-3.36.x86_64.rpm php-debuginfo-4.3.9-3.36.x86_64.rpm php-devel-4.3.9-3.36.x86_64.rpm php-domxml-4.3.9-3.36.x86_64.rpm php-gd-4.3.9-3.36.x86_64.rpm php-imap-4.3.9-3.36.x86_64.rpm php-ldap-4.3.9-3.36.x86_64.rpm php-mbstring-4.3.9-3.36.x86_64.rpm php-mysql-4.3.9-3.36.x86_64.rpm php-ncurses-4.3.9-3.36.x86_64.rpm php-odbc-4.3.9-3.36.x86_64.rpm php-pear-4.3.9-3.36.x86_64.rpm php-pgsql-4.3.9-3.36.x86_64.rpm php-snmp-4.3.9-3.36.x86_64.rpm php-xmlrpc-4.3.9-3.36.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source: ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/php-4.3.9-3.36.src.rpm

i386: php-4.3.9-3.36.i386.rpm php-debuginfo-4.3.9-3.36.i386.rpm php-devel-4.3.9-3.36.i386.rpm php-domxml-4.3.9-3.36.i386.rpm php-gd-4.3.9-3.36.i386.rpm php-imap-4.3.9-3.36.i386.rpm php-ldap-4.3.9-3.36.i386.rpm php-mbstring-4.3.9-3.36.i386.rpm php-mysql-4.3.9-3.36.i386.rpm php-ncurses-4.3.9-3.36.i386.rpm php-odbc-4.3.9-3.36.i386.rpm php-pear-4.3.9-3.36.i386.rpm php-pgsql-4.3.9-3.36.i386.rpm php-snmp-4.3.9-3.36.i386.rpm php-xmlrpc-4.3.9-3.36.i386.rpm

ia64: php-4.3.9-3.36.ia64.rpm php-debuginfo-4.3.9-3.36.ia64.rpm php-devel-4.3.9-3.36.ia64.rpm php-domxml-4.3.9-3.36.ia64.rpm php-gd-4.3.9-3.36.ia64.rpm php-imap-4.3.9-3.36.ia64.rpm php-ldap-4.3.9-3.36.ia64.rpm php-mbstring-4.3.9-3.36.ia64.rpm php-mysql-4.3.9-3.36.ia64.rpm php-ncurses-4.3.9-3.36.ia64.rpm php-odbc-4.3.9-3.36.ia64.rpm php-pear-4.3.9-3.36.ia64.rpm php-pgsql-4.3.9-3.36.ia64.rpm php-snmp-4.3.9-3.36.ia64.rpm php-xmlrpc-4.3.9-3.36.ia64.rpm

x86_64: php-4.3.9-3.36.x86_64.rpm php-debuginfo-4.3.9-3.36.x86_64.rpm php-devel-4.3.9-3.36.x86_64.rpm php-domxml-4.3.9-3.36.x86_64.rpm php-gd-4.3.9-3.36.x86_64.rpm php-imap-4.3.9-3.36.x86_64.rpm php-ldap-4.3.9-3.36.x86_64.rpm php-mbstring-4.3.9-3.36.x86_64.rpm php-mysql-4.3.9-3.36.x86_64.rpm php-ncurses-4.3.9-3.36.x86_64.rpm php-odbc-4.3.9-3.36.x86_64.rpm php-pear-4.3.9-3.36.x86_64.rpm php-pgsql-4.3.9-3.36.x86_64.rpm php-snmp-4.3.9-3.36.x86_64.rpm php-xmlrpc-4.3.9-3.36.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/php-5.1.6-27.el5_7.5.src.rpm

i386: php-5.1.6-27.el5_7.5.i386.rpm php-bcmath-5.1.6-27.el5_7.5.i386.rpm php-cli-5.1.6-27.el5_7.5.i386.rpm php-common-5.1.6-27.el5_7.5.i386.rpm php-dba-5.1.6-27.el5_7.5.i386.rpm php-debuginfo-5.1.6-27.el5_7.5.i386.rpm php-devel-5.1.6-27.el5_7.5.i386.rpm php-gd-5.1.6-27.el5_7.5.i386.rpm php-imap-5.1.6-27.el5_7.5.i386.rpm php-ldap-5.1.6-27.el5_7.5.i386.rpm php-mbstring-5.1.6-27.el5_7.5.i386.rpm php-mysql-5.1.6-27.el5_7.5.i386.rpm php-ncurses-5.1.6-27.el5_7.5.i386.rpm php-odbc-5.1.6-27.el5_7.5.i386.rpm php-pdo-5.1.6-27.el5_7.5.i386.rpm php-pgsql-5.1.6-27.el5_7.5.i386.rpm php-snmp-5.1.6-27.el5_7.5.i386.rpm php-soap-5.1.6-27.el5_7.5.i386.rpm php-xml-5.1.6-27.el5_7.5.i386.rpm php-xmlrpc-5.1.6-27.el5_7.5.i386.rpm

x86_64: php-5.1.6-27.el5_7.5.x86_64.rpm php-bcmath-5.1.6-27.el5_7.5.x86_64.rpm php-cli-5.1.6-27.el5_7.5.x86_64.rpm php-common-5.1.6-27.el5_7.5.x86_64.rpm php-dba-5.1.6-27.el5_7.5.x86_64.rpm php-debuginfo-5.1.6-27.el5_7.5.x86_64.rpm php-devel-5.1.6-27.el5_7.5.x86_64.rpm php-gd-5.1.6-27.el5_7.5.x86_64.rpm php-imap-5.1.6-27.el5_7.5.x86_64.rpm php-ldap-5.1.6-27.el5_7.5.x86_64.rpm php-mbstring-5.1.6-27.el5_7.5.x86_64.rpm php-mysql-5.1.6-27.el5_7.5.x86_64.rpm php-ncurses-5.1.6-27.el5_7.5.x86_64.rpm php-odbc-5.1.6-27.el5_7.5.x86_64.rpm php-pdo-5.1.6-27.el5_7.5.x86_64.rpm php-pgsql-5.1.6-27.el5_7.5.x86_64.rpm php-snmp-5.1.6-27.el5_7.5.x86_64.rpm php-soap-5.1.6-27.el5_7.5.x86_64.rpm php-xml-5.1.6-27.el5_7.5.x86_64.rpm php-xmlrpc-5.1.6-27.el5_7.5.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/php-5.1.6-27.el5_7.5.src.rpm

i386: php-5.1.6-27.el5_7.5.i386.rpm php-bcmath-5.1.6-27.el5_7.5.i386.rpm php-cli-5.1.6-27.el5_7.5.i386.rpm php-common-5.1.6-27.el5_7.5.i386.rpm php-dba-5.1.6-27.el5_7.5.i386.rpm php-debuginfo-5.1.6-27.el5_7.5.i386.rpm php-devel-5.1.6-27.el5_7.5.i386.rpm php-gd-5.1.6-27.el5_7.5.i386.rpm php-imap-5.1.6-27.el5_7.5.i386.rpm php-ldap-5.1.6-27.el5_7.5.i386.rpm php-mbstring-5.1.6-27.el5_7.5.i386.rpm php-mysql-5.1.6-27.el5_7.5.i386.rpm php-ncurses-5.1.6-27.el5_7.5.i386.rpm php-odbc-5.1.6-27.el5_7.5.i386.rpm php-pdo-5.1.6-27.el5_7.5.i386.rpm php-pgsql-5.1.6-27.el5_7.5.i386.rpm php-snmp-5.1.6-27.el5_7.5.i386.rpm php-soap-5.1.6-27.el5_7.5.i386.rpm php-xml-5.1.6-27.el5_7.5.i386.rpm php-xmlrpc-5.1.6-27.el5_7.5.i386.rpm

ia64: php-5.1.6-27.el5_7.5.ia64.rpm php-bcmath-5.1.6-27.el5_7.5.ia64.rpm php-cli-5.1.6-27.el5_7.5.ia64.rpm php-common-5.1.6-27.el5_7.5.ia64.rpm php-dba-5.1.6-27.el5_7.5.ia64.rpm php-debuginfo-5.1.6-27.el5_7.5.ia64.rpm php-devel-5.1.6-27.el5_7.5.ia64.rpm php-gd-5.1.6-27.el5_7.5.ia64.rpm php-imap-5.1.6-27.el5_7.5.ia64.rpm php-ldap-5.1.6-27.el5_7.5.ia64.rpm php-mbstring-5.1.6-27.el5_7.5.ia64.rpm php-mysql-5.1.6-27.el5_7.5.ia64.rpm php-ncurses-5.1.6-27.el5_7.5.ia64.rpm php-odbc-5.1.6-27.el5_7.5.ia64.rpm php-pdo-5.1.6-27.el5_7.5.ia64.rpm php-pgsql-5.1.6-27.el5_7.5.ia64.rpm php-snmp-5.1.6-27.el5_7.5.ia64.rpm php-soap-5.1.6-27.el5_7.5.ia64.rpm php-xml-5.1.6-27.el5_7.5.ia64.rpm php-xmlrpc-5.1.6-27.el5_7.5.ia64.rpm

ppc: php-5.1.6-27.el5_7.5.ppc.rpm php-bcmath-5.1.6-27.el5_7.5.ppc.rpm php-cli-5.1.6-27.el5_7.5.ppc.rpm php-common-5.1.6-27.el5_7.5.ppc.rpm php-dba-5.1.6-27.el5_7.5.ppc.rpm php-debuginfo-5.1.6-27.el5_7.5.ppc.rpm php-devel-5.1.6-27.el5_7.5.ppc.rpm php-gd-5.1.6-27.el5_7.5.ppc.rpm php-imap-5.1.6-27.el5_7.5.ppc.rpm php-ldap-5.1.6-27.el5_7.5.ppc.rpm php-mbstring-5.1.6-27.el5_7.5.ppc.rpm php-mysql-5.1.6-27.el5_7.5.ppc.rpm php-ncurses-5.1.6-27.el5_7.5.ppc.rpm php-odbc-5.1.6-27.el5_7.5.ppc.rpm php-pdo-5.1.6-27.el5_7.5.ppc.rpm php-pgsql-5.1.6-27.el5_7.5.ppc.rpm php-snmp-5.1.6-27.el5_7.5.ppc.rpm php-soap-5.1.6-27.el5_7.5.ppc.rpm php-xml-5.1.6-27.el5_7.5.ppc.rpm php-xmlrpc-5.1.6-27.el5_7.5.ppc.rpm

s390x: php-5.1.6-27.el5_7.5.s390x.rpm php-bcmath-5.1.6-27.el5_7.5.s390x.rpm php-cli-5.1.6-27.el5_7.5.s390x.rpm php-common-5.1.6-27.el5_7.5.s390x.rpm php-dba-5.1.6-27.el5_7.5.s390x.rpm php-debuginfo-5.1.6-27.el5_7.5.s390x.rpm php-devel-5.1.6-27.el5_7.5.s390x.rpm php-gd-5.1.6-27.el5_7.5.s390x.rpm php-imap-5.1.6-27.el5_7.5.s390x.rpm php-ldap-5.1.6-27.el5_7.5.s390x.rpm php-mbstring-5.1.6-27.el5_7.5.s390x.rpm php-mysql-5.1.6-27.el5_7.5.s390x.rpm php-ncurses-5.1.6-27.el5_7.5.s390x.rpm php-odbc-5.1.6-27.el5_7.5.s390x.rpm php-pdo-5.1.6-27.el5_7.5.s390x.rpm php-pgsql-5.1.6-27.el5_7.5.s390x.rpm php-snmp-5.1.6-27.el5_7.5.s390x.rpm php-soap-5.1.6-27.el5_7.5.s390x.rpm php-xml-5.1.6-27.el5_7.5.s390x.rpm php-xmlrpc-5.1.6-27.el5_7.5.s390x.rpm

x86_64: php-5.1.6-27.el5_7.5.x86_64.rpm php-bcmath-5.1.6-27.el5_7.5.x86_64.rpm php-cli-5.1.6-27.el5_7.5.x86_64.rpm php-common-5.1.6-27.el5_7.5.x86_64.rpm php-dba-5.1.6-27.el5_7.5.x86_64.rpm php-debuginfo-5.1.6-27.el5_7.5.x86_64.rpm php-devel-5.1.6-27.el5_7.5.x86_64.rpm php-gd-5.1.6-27.el5_7.5.x86_64.rpm php-imap-5.1.6-27.el5_7.5.x86_64.rpm php-ldap-5.1.6-27.el5_7.5.x86_64.rpm php-mbstring-5.1.6-27.el5_7.5.x86_64.rpm php-mysql-5.1.6-27.el5_7.5.x86_64.rpm php-ncurses-5.1.6-27.el5_7.5.x86_64.rpm php-odbc-5.1.6-27.el5_7.5.x86_64.rpm php-pdo-5.1.6-27.el5_7.5.x86_64.rpm php-pgsql-5.1.6-27.el5_7.5.x86_64.rpm php-snmp-5.1.6-27.el5_7.5.x86_64.rpm php-soap-5.1.6-27.el5_7.5.x86_64.rpm php-xml-5.1.6-27.el5_7.5.x86_64.rpm php-xmlrpc-5.1.6-27.el5_7.5.x86_64.rpm

Red Hat Enterprise Linux Desktop Optional (v. 6):

Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/php-5.3.3-3.el6_2.6.src.rpm

i386: php-5.3.3-3.el6_2.6.i686.rpm php-bcmath-5.3.3-3.el6_2.6.i686.rpm php-cli-5.3.3-3.el6_2.6.i686.rpm php-common-5.3.3-3.el6_2.6.i686.rpm php-dba-5.3.3-3.el6_2.6.i686.rpm php-debuginfo-5.3.3-3.el6_2.6.i686.rpm php-devel-5.3.3-3.el6_2.6.i686.rpm php-embedded-5.3.3-3.el6_2.6.i686.rpm php-enchant-5.3.3-3.el6_2.6.i686.rpm php-gd-5.3.3-3.el6_2.6.i686.rpm php-imap-5.3.3-3.el6_2.6.i686.rpm php-intl-5.3.3-3.el6_2.6.i686.rpm php-ldap-5.3.3-3.el6_2.6.i686.rpm php-mbstring-5.3.3-3.el6_2.6.i686.rpm php-mysql-5.3.3-3.el6_2.6.i686.rpm php-odbc-5.3.3-3.el6_2.6.i686.rpm php-pdo-5.3.3-3.el6_2.6.i686.rpm php-pgsql-5.3.3-3.el6_2.6.i686.rpm php-process-5.3.3-3.el6_2.6.i686.rpm php-pspell-5.3.3-3.el6_2.6.i686.rpm php-recode-5.3.3-3.el6_2.6.i686.rpm php-snmp-5.3.3-3.el6_2.6.i686.rpm php-soap-5.3.3-3.el6_2.6.i686.rpm php-tidy-5.3.3-3.el6_2.6.i686.rpm php-xml-5.3.3-3.el6_2.6.i686.rpm php-xmlrpc-5.3.3-3.el6_2.6.i686.rpm php-zts-5.3.3-3.el6_2.6.i686.rpm

x86_64: php-5.3.3-3.el6_2.6.x86_64.rpm php-bcmath-5.3.3-3.el6_2.6.x86_64.rpm php-cli-5.3.3-3.el6_2.6.x86_64.rpm php-common-5.3.3-3.el6_2.6.x86_64.rpm php-dba-5.3.3-3.el6_2.6.x86_64.rpm php-debuginfo-5.3.3-3.el6_2.6.x86_64.rpm php-devel-5.3.3-3.el6_2.6.x86_64.rpm php-embedded-5.3.3-3.el6_2.6.x86_64.rpm php-enchant-5.3.3-3.el6_2.6.x86_64.rpm php-gd-5.3.3-3.el6_2.6.x86_64.rpm php-imap-5.3.3-3.el6_2.6.x86_64.rpm php-intl-5.3.3-3.el6_2.6.x86_64.rpm php-ldap-5.3.3-3.el6_2.6.x86_64.rpm php-mbstring-5.3.3-3.el6_2.6.x86_64.rpm php-mysql-5.3.3-3.el6_2.6.x86_64.rpm php-odbc-5.3.3-3.el6_2.6.x86_64.rpm php-pdo-5.3.3-3.el6_2.6.x86_64.rpm php-pgsql-5.3.3-3.el6_2.6.x86_64.rpm php-process-5.3.3-3.el6_2.6.x86_64.rpm php-pspell-5.3.3-3.el6_2.6.x86_64.rpm php-recode-5.3.3-3.el6_2.6.x86_64.rpm php-snmp-5.3.3-3.el6_2.6.x86_64.rpm php-soap-5.3.3-3.el6_2.6.x86_64.rpm php-tidy-5.3.3-3.el6_2.6.x86_64.rpm php-xml-5.3.3-3.el6_2.6.x86_64.rpm php-xmlrpc-5.3.3-3.el6_2.6.x86_64.rpm php-zts-5.3.3-3.el6_2.6.x86_64.rpm

Red Hat Enterprise Linux HPC Node (v. 6):

Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/php-5.3.3-3.el6_2.6.src.rpm

x86_64: php-cli-5.3.3-3.el6_2.6.x86_64.rpm php-common-5.3.3-3.el6_2.6.x86_64.rpm php-debuginfo-5.3.3-3.el6_2.6.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/php-5.3.3-3.el6_2.6.src.rpm

x86_64: php-5.3.3-3.el6_2.6.x86_64.rpm php-bcmath-5.3.3-3.el6_2.6.x86_64.rpm php-dba-5.3.3-3.el6_2.6.x86_64.rpm php-debuginfo-5.3.3-3.el6_2.6.x86_64.rpm php-devel-5.3.3-3.el6_2.6.x86_64.rpm php-embedded-5.3.3-3.el6_2.6.x86_64.rpm php-enchant-5.3.3-3.el6_2.6.x86_64.rpm php-gd-5.3.3-3.el6_2.6.x86_64.rpm php-imap-5.3.3-3.el6_2.6.x86_64.rpm php-intl-5.3.3-3.el6_2.6.x86_64.rpm php-ldap-5.3.3-3.el6_2.6.x86_64.rpm php-mbstring-5.3.3-3.el6_2.6.x86_64.rpm php-mysql-5.3.3-3.el6_2.6.x86_64.rpm php-odbc-5.3.3-3.el6_2.6.x86_64.rpm php-pdo-5.3.3-3.el6_2.6.x86_64.rpm php-pgsql-5.3.3-3.el6_2.6.x86_64.rpm php-process-5.3.3-3.el6_2.6.x86_64.rpm php-pspell-5.3.3-3.el6_2.6.x86_64.rpm php-recode-5.3.3-3.el6_2.6.x86_64.rpm php-snmp-5.3.3-3.el6_2.6.x86_64.rpm php-soap-5.3.3-3.el6_2.6.x86_64.rpm php-tidy-5.3.3-3.el6_2.6.x86_64.rpm php-xml-5.3.3-3.el6_2.6.x86_64.rpm php-xmlrpc-5.3.3-3.el6_2.6.x86_64.rpm php-zts-5.3.3-3.el6_2.6.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/php-5.3.3-3.el6_2.6.src.rpm

i386: php-5.3.3-3.el6_2.6.i686.rpm php-cli-5.3.3-3.el6_2.6.i686.rpm php-common-5.3.3-3.el6_2.6.i686.rpm php-debuginfo-5.3.3-3.el6_2.6.i686.rpm php-gd-5.3.3-3.el6_2.6.i686.rpm php-ldap-5.3.3-3.el6_2.6.i686.rpm php-mysql-5.3.3-3.el6_2.6.i686.rpm php-odbc-5.3.3-3.el6_2.6.i686.rpm php-pdo-5.3.3-3.el6_2.6.i686.rpm php-pgsql-5.3.3-3.el6_2.6.i686.rpm php-soap-5.3.3-3.el6_2.6.i686.rpm php-xml-5.3.3-3.el6_2.6.i686.rpm php-xmlrpc-5.3.3-3.el6_2.6.i686.rpm

ppc64: php-5.3.3-3.el6_2.6.ppc64.rpm php-cli-5.3.3-3.el6_2.6.ppc64.rpm php-common-5.3.3-3.el6_2.6.ppc64.rpm php-debuginfo-5.3.3-3.el6_2.6.ppc64.rpm php-gd-5.3.3-3.el6_2.6.ppc64.rpm php-ldap-5.3.3-3.el6_2.6.ppc64.rpm php-mysql-5.3.3-3.el6_2.6.ppc64.rpm php-odbc-5.3.3-3.el6_2.6.ppc64.rpm php-pdo-5.3.3-3.el6_2.6.ppc64.rpm php-pgsql-5.3.3-3.el6_2.6.ppc64.rpm php-soap-5.3.3-3.el6_2.6.ppc64.rpm php-xml-5.3.3-3.el6_2.6.ppc64.rpm php-xmlrpc-5.3.3-3.el6_2.6.ppc64.rpm

s390x: php-5.3.3-3.el6_2.6.s390x.rpm php-cli-5.3.3-3.el6_2.6.s390x.rpm php-common-5.3.3-3.el6_2.6.s390x.rpm php-debuginfo-5.3.3-3.el6_2.6.s390x.rpm php-gd-5.3.3-3.el6_2.6.s390x.rpm php-ldap-5.3.3-3.el6_2.6.s390x.rpm php-mysql-5.3.3-3.el6_2.6.s390x.rpm php-odbc-5.3.3-3.el6_2.6.s390x.rpm php-pdo-5.3.3-3.el6_2.6.s390x.rpm php-pgsql-5.3.3-3.el6_2.6.s390x.rpm php-soap-5.3.3-3.el6_2.6.s390x.rpm php-xml-5.3.3-3.el6_2.6.s390x.rpm php-xmlrpc-5.3.3-3.el6_2.6.s390x.rpm

x86_64: php-5.3.3-3.el6_2.6.x86_64.rpm php-cli-5.3.3-3.el6_2.6.x86_64.rpm php-common-5.3.3-3.el6_2.6.x86_64.rpm php-debuginfo-5.3.3-3.el6_2.6.x86_64.rpm php-gd-5.3.3-3.el6_2.6.x86_64.rpm php-ldap-5.3.3-3.el6_2.6.x86_64.rpm php-mysql-5.3.3-3.el6_2.6.x86_64.rpm php-odbc-5.3.3-3.el6_2.6.x86_64.rpm php-pdo-5.3.3-3.el6_2.6.x86_64.rpm php-pgsql-5.3.3-3.el6_2.6.x86_64.rpm php-soap-5.3.3-3.el6_2.6.x86_64.rpm php-xml-5.3.3-3.el6_2.6.x86_64.rpm php-xmlrpc-5.3.3-3.el6_2.6.x86_64.rpm

Red Hat Enterprise Linux Server
Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/php-5.3.3-3.el6_2.6.src.rpm i386: php-bcmath-5.3.3-3.el6_2.6.i686.rpm php-dba-5.3.3-3.el6_2.6.i686.rpm php-debuginfo-5.3.3-3.el6_2.6.i686.rpm php-devel-5.3.3-3.el6_2.6.i686.rpm php-embedded-5.3.3-3.el6_2.6.i686.rpm php-enchant-5.3.3-3.el6_2.6.i686.rpm php-imap-5.3.3-3.el6_2.6.i686.rpm php-intl-5.3.3-3.el6_2.6.i686.rpm php-mbstring-5.3.3-3.el6_2.6.i686.rpm php-process-5.3.3-3.el6_2.6.i686.rpm php-pspell-5.3.3-3.el6_2.6.i686.rpm php-recode-5.3.3-3.el6_2.6.i686.rpm php-snmp-5.3.3-3.el6_2.6.i686.rpm php-tidy-5.3.3-3.el6_2.6.i686.rpm php-zts-5.3.3-3.el6_2.6.i686.rpm ppc64: php-bcmath-5.3.3-3.el6_2.6.ppc64.rpm php-dba-5.3.3-3.el6_2.6.ppc64.rpm php-debuginfo-5.3.3-3.el6_2.6.ppc64.rpm php-devel-5.3.3-3.el6_2.6.ppc64.rpm php-embedded-5.3.3-3.el6_2.6.ppc64.rpm php-enchant-5.3.3-3.el6_2.6.ppc64.rpm php-imap-5.3.3-3.el6_2.6.ppc64.rpm php-intl-5.3.3-3.el6_2.6.ppc64.rpm php-mbstring-5.3.3-3.el6_2.6.ppc64.rpm php-process-5.3.3-3.el6_2.6.ppc64.rpm php-pspell-5.3.3-3.el6_2.6.ppc64.rpm php-recode-5.3.3-3.el6_2.6.ppc64.rpm php-snmp-5.3.3-3.el6_2.6.ppc64.rpm php-tidy-5.3.3-3.el6_2.6.ppc64.rpm php-zts-5.3.3-3.el6_2.6.ppc64.rpm s390x: php-bcmath-5.3.3-3.el6_2.6.s390x.rpm php-dba-5.3.3-3.el6_2.6.s390x.rpm php-debuginfo-5.3.3-3.el6_2.6.s390x.rpm php-devel-5.3.3-3.el6_2.6.s390x.rpm php-embedded-5.3.3-3.el6_2.6.s390x.rpm php-enchant-5.3.3-3.el6_2.6.s390x.rpm php-imap-5.3.3-3.el6_2.6.s390x.rpm php-intl-5.3.3-3.el6_2.6.s390x.rpm php-mbstring-5.3.3-3.el6_2.6.s390x.rpm php-process-5.3.3-3.el6_2.6.s390x.rpm php-pspell-5.3.3-3.el6_2.6.s390x.rpm php-recode-5.3.3-3.el6_2.6.s390x.rpm php-snmp-5.3.3-3.el6_2.6.s390x.rpm php-tidy-5.3.3-3.el6_2.6.s390x.rpm php-zts-5.3.3-3.el6_2.6.s390x.rpm x86_64: php-bcmath-5.3.3-3.el6_2.6.x86_64.rpm php-dba-5.3.3-3.el6_2.6.x86_64.rpm php-debuginfo-5.3.3-3.el6_2.6.x86_64.rpm php-devel-5.3.3-3.el6_2.6.x86_64.rpm php-embedded-5.3.3-3.el6_2.6.x86_64.rpm 
php-enchant-5.3.3-3.el6_2.6.x86_64.rpm php-imap-5.3.3-3.el6_2.6.x86_64.rpm php-intl-5.3.3-3.el6_2.6.x86_64.rpm php-mbstring-5.3.3-3.el6_2.6.x86_64.rpm php-process-5.3.3-3.el6_2.6.x86_64.rpm php-pspell-5.3.3-3.el6_2.6.x86_64.rpm php-recode-5.3.3-3.el6_2.6.x86_64.rpm php-snmp-5.3.3-3.el6_2.6.x86_64.rpm php-tidy-5.3.3-3.el6_2.6.x86_64.rpm php-zts-5.3.3-3.el6_2.6.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/php-5.3.3-3.el6_2.6.src.rpm i386: php-5.3.3-3.el6_2.6.i686.rpm php-cli-5.3.3-3.el6_2.6.i686.rpm php-common-5.3.3-3.el6_2.6.i686.rpm php-debuginfo-5.3.3-3.el6_2.6.i686.rpm php-gd-5.3.3-3.el6_2.6.i686.rpm php-ldap-5.3.3-3.el6_2.6.i686.rpm php-mysql-5.3.3-3.el6_2.6.i686.rpm php-odbc-5.3.3-3.el6_2.6.i686.rpm php-pdo-5.3.3-3.el6_2.6.i686.rpm php-pgsql-5.3.3-3.el6_2.6.i686.rpm php-soap-5.3.3-3.el6_2.6.i686.rpm php-xml-5.3.3-3.el6_2.6.i686.rpm php-xmlrpc-5.3.3-3.el6_2.6.i686.rpm x86_64: php-5.3.3-3.el6_2.6.x86_64.rpm php-cli-5.3.3-3.el6_2.6.x86_64.rpm php-common-5.3.3-3.el6_2.6.x86_64.rpm php-debuginfo-5.3.3-3.el6_2.6.x86_64.rpm php-gd-5.3.3-3.el6_2.6.x86_64.rpm php-ldap-5.3.3-3.el6_2.6.x86_64.rpm php-mysql-5.3.3-3.el6_2.6.x86_64.rpm php-odbc-5.3.3-3.el6_2.6.x86_64.rpm php-pdo-5.3.3-3.el6_2.6.x86_64.rpm php-pgsql-5.3.3-3.el6_2.6.x86_64.rpm php-soap-5.3.3-3.el6_2.6.x86_64.rpm php-xml-5.3.3-3.el6_2.6.x86_64.rpm php-xmlrpc-5.3.3-3.el6_2.6.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 
6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/php-5.3.3-3.el6_2.6.src.rpm i386: php-bcmath-5.3.3-3.el6_2.6.i686.rpm php-dba-5.3.3-3.el6_2.6.i686.rpm php-debuginfo-5.3.3-3.el6_2.6.i686.rpm php-devel-5.3.3-3.el6_2.6.i686.rpm php-embedded-5.3.3-3.el6_2.6.i686.rpm php-enchant-5.3.3-3.el6_2.6.i686.rpm php-imap-5.3.3-3.el6_2.6.i686.rpm php-intl-5.3.3-3.el6_2.6.i686.rpm php-mbstring-5.3.3-3.el6_2.6.i686.rpm php-process-5.3.3-3.el6_2.6.i686.rpm php-pspell-5.3.3-3.el6_2.6.i686.rpm php-recode-5.3.3-3.el6_2.6.i686.rpm php-snmp-5.3.3-3.el6_2.6.i686.rpm php-tidy-5.3.3-3.el6_2.6.i686.rpm php-zts-5.3.3-3.el6_2.6.i686.rpm x86_64: php-bcmath-5.3.3-3.el6_2.6.x86_64.rpm php-dba-5.3.3-3.el6_2.6.x86_64.rpm php-debuginfo-5.3.3-3.el6_2.6.x86_64.rpm php-devel-5.3.3-3.el6_2.6.x86_64.rpm php-embedded-5.3.3-3.el6_2.6.x86_64.rpm php-enchant-5.3.3-3.el6_2.6.x86_64.rpm php-imap-5.3.3-3.el6_2.6.x86_64.rpm php-intl-5.3.3-3.el6_2.6.x86_64.rpm php-mbstring-5.3.3-3.el6_2.6.x86_64.rpm php-process-5.3.3-3.el6_2.6.x86_64.rpm php-pspell-5.3.3-3.el6_2.6.x86_64.rpm php-recode-5.3.3-3.el6_2.6.x86_64.rpm php-snmp-5.3.3-3.el6_2.6.x86_64.rpm php-tidy-5.3.3-3.el6_2.6.x86_64.rpm php-zts-5.3.3-3.el6_2.6.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2012-0830.html https://access.redhat.com/security/updates/classification/#critical 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2012 Red Hat, Inc. 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFPKxYUXlSAg2UNWIIRAlXCAJ4gMpt9i//hO2nAwxNZ9ZfsT+QDUwCfdmm7
2Ad/cq6i8Zf0GHIK79V4z2k=
=lOW7
-----END PGP SIGNATURE-----


From bugzilla at redhat.com  Mon Feb  6 18:39:28 2012
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 6 Feb 2012 18:39:28 +0000
Subject: [RHSA-2012:0099-01] Moderate: MRG Grid security, bug fix, and enhancement update
Message-ID: <201202061839.q16IdTrU020913@int-mx02.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: MRG Grid security, bug fix, and enhancement update
Advisory ID:       RHSA-2012:0099-01
Product:           Red Hat Enterprise MRG for RHEL-6
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2012-0099.html
Issue date:        2012-02-06
Keywords:          MRG, Grid, Management, Enhancements, Security, Bug Fix, 2.1.1
CVE Names:         CVE-2011-4930
=====================================================================

1. Summary:

Updated Grid component packages that fix multiple security issues, multiple
bugs, and add various enhancements are now available for Red Hat Enterprise
MRG 2 for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

2. Relevant releases/architectures:

MRG Grid Execute Node for RHEL 6 ComputeNode v.2 - noarch, x86_64
MRG Grid Execute Node for RHEL 6 Server v.2 - i386, noarch, x86_64
MRG Grid for RHEL 6 Server v.2 - i386, noarch, x86_64
MRG Management for RHEL 6 Server v.2 - noarch

3. Description:

Red Hat Enterprise MRG (Messaging, Realtime, and Grid) is a next-generation
IT infrastructure for enterprise computing. MRG offers increased
performance, reliability, interoperability, and faster computing for
enterprise customers.

MRG Grid provides high-throughput computing and enables enterprises to
achieve higher peak computing capacity as well as improved infrastructure
utilization by leveraging their existing technology to build high
performance grids. MRG Grid provides a job-queueing mechanism, scheduling
policy, and a priority scheme, as well as resource monitoring and resource
management. Users submit their jobs to MRG Grid, where they are placed into
a queue. MRG Grid then chooses when and where to run the jobs based upon a
policy, carefully monitors their progress, and ultimately informs the user
upon completion.

Multiple format string flaws were found in Condor. An authenticated Condor
service user could use these flaws to prevent other jobs from being
scheduled and executed or crash the condor_schedd daemon. (CVE-2011-4930)

These updated packages for Red Hat Enterprise Linux 6 provide enhancements
and bug fixes for the Grid component of MRG.

Some select enhancements and fixes include:

* Addition of -sort option to condor_status
* Customized output from condor_q -run for EC2 jobs
* Enhanced the summary line provided by condor_q
* Improved Collector performance around blocking network calls
* Fixed a memory leak associated with python-psycopg2 hit by cumin-data

Space precludes documenting all of these changes in this advisory. Refer to
the Red Hat Enterprise MRG 2 Technical Notes document for information on
these changes:

https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_MRG/2/html/Technical_Notes/index.html

All users of the Grid capabilities of Red Hat Enterprise MRG 2 are advised
to upgrade to these updated packages, which resolve the issues and add the
enhancements noted in the Red Hat Enterprise MRG 2 Technical Notes.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

759548 - CVE-2011-4930 Condor: Multiple format string flaws

6. Package List:

MRG Grid Execute Node for RHEL 6 ComputeNode v.2:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/RHEMRG-RHEL6/SRPMS/condor-7.6.5-0.12.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/RHEMRG-RHEL6/SRPMS/condor-wallaby-base-db-1.19-1.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/RHEMRG-RHEL6/SRPMS/ruby-spqr-0.3.5-1.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/RHEMRG-RHEL6/SRPMS/wallaby-0.12.5-1.el6.src.rpm

noarch:
condor-wallaby-base-db-1.19-1.el6.noarch.rpm
ruby-spqr-0.3.5-1.el6.noarch.rpm
ruby-wallaby-0.12.5-1.el6.noarch.rpm
spqr-gen-0.3.5-1.el6.noarch.rpm
wallaby-utils-0.12.5-1.el6.noarch.rpm

x86_64:
condor-7.6.5-0.12.el6.x86_64.rpm
condor-classads-7.6.5-0.12.el6.x86_64.rpm
condor-debuginfo-7.6.5-0.12.el6.x86_64.rpm
condor-kbdd-7.6.5-0.12.el6.x86_64.rpm
condor-qmf-7.6.5-0.12.el6.x86_64.rpm
condor-vm-gahp-7.6.5-0.12.el6.x86_64.rpm

MRG Grid for RHEL 6 Server v.2:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHEMRG-RHEL6/SRPMS/condor-7.6.5-0.12.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHEMRG-RHEL6/SRPMS/condor-ec2-enhanced-1.3.0-1.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHEMRG-RHEL6/SRPMS/condor-ec2-enhanced-hooks-1.3.0-1.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHEMRG-RHEL6/SRPMS/condor-wallaby-base-db-1.19-1.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHEMRG-RHEL6/SRPMS/cumin-0.1.5192-1.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHEMRG-RHEL6/SRPMS/ruby-spqr-0.3.5-1.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHEMRG-RHEL6/SRPMS/wallaby-0.12.5-1.el6.src.rpm

i386:
condor-7.6.5-0.12.el6.i686.rpm
condor-aviary-7.6.5-0.12.el6.i686.rpm
condor-classads-7.6.5-0.12.el6.i686.rpm
condor-debuginfo-7.6.5-0.12.el6.i686.rpm
condor-kbdd-7.6.5-0.12.el6.i686.rpm
condor-plumage-7.6.5-0.12.el6.i686.rpm
condor-qmf-7.6.5-0.12.el6.i686.rpm

noarch:
condor-ec2-enhanced-1.3.0-1.el6.noarch.rpm
condor-ec2-enhanced-hooks-1.3.0-1.el6.noarch.rpm
condor-wallaby-base-db-1.19-1.el6.noarch.rpm
cumin-0.1.5192-1.el6.noarch.rpm
python-condorec2e-1.3.0-1.el6.noarch.rpm
python-wallaby-0.12.5-1.el6.noarch.rpm
ruby-spqr-0.3.5-1.el6.noarch.rpm
ruby-wallaby-0.12.5-1.el6.noarch.rpm
spqr-gen-0.3.5-1.el6.noarch.rpm
wallaby-0.12.5-1.el6.noarch.rpm
wallaby-utils-0.12.5-1.el6.noarch.rpm

x86_64:
condor-7.6.5-0.12.el6.x86_64.rpm
condor-aviary-7.6.5-0.12.el6.x86_64.rpm
condor-classads-7.6.5-0.12.el6.x86_64.rpm
condor-debuginfo-7.6.5-0.12.el6.x86_64.rpm
condor-kbdd-7.6.5-0.12.el6.x86_64.rpm
condor-plumage-7.6.5-0.12.el6.x86_64.rpm
condor-qmf-7.6.5-0.12.el6.x86_64.rpm
condor-vm-gahp-7.6.5-0.12.el6.x86_64.rpm

MRG Grid Execute Node for RHEL 6 Server v.2:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHEMRG-RHEL6/SRPMS/condor-7.6.5-0.12.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHEMRG-RHEL6/SRPMS/condor-ec2-enhanced-1.3.0-1.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHEMRG-RHEL6/SRPMS/condor-ec2-enhanced-hooks-1.3.0-1.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHEMRG-RHEL6/SRPMS/condor-wallaby-base-db-1.19-1.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHEMRG-RHEL6/SRPMS/ruby-spqr-0.3.5-1.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHEMRG-RHEL6/SRPMS/wallaby-0.12.5-1.el6.src.rpm

i386:
condor-7.6.5-0.12.el6.i686.rpm
condor-classads-7.6.5-0.12.el6.i686.rpm
condor-debuginfo-7.6.5-0.12.el6.i686.rpm
condor-kbdd-7.6.5-0.12.el6.i686.rpm
condor-qmf-7.6.5-0.12.el6.i686.rpm

noarch:
condor-ec2-enhanced-1.3.0-1.el6.noarch.rpm
condor-wallaby-base-db-1.19-1.el6.noarch.rpm
python-condorec2e-1.3.0-1.el6.noarch.rpm
ruby-spqr-0.3.5-1.el6.noarch.rpm
ruby-wallaby-0.12.5-1.el6.noarch.rpm
spqr-gen-0.3.5-1.el6.noarch.rpm
wallaby-utils-0.12.5-1.el6.noarch.rpm

x86_64:
condor-7.6.5-0.12.el6.x86_64.rpm
condor-classads-7.6.5-0.12.el6.x86_64.rpm
condor-debuginfo-7.6.5-0.12.el6.x86_64.rpm
condor-kbdd-7.6.5-0.12.el6.x86_64.rpm
condor-qmf-7.6.5-0.12.el6.x86_64.rpm
condor-vm-gahp-7.6.5-0.12.el6.x86_64.rpm

MRG Management for RHEL 6 Server v.2:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHEMRG-RHEL6/SRPMS/cumin-0.1.5192-1.el6.src.rpm

noarch:
cumin-0.1.5192-1.el6.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2011-4930.html
https://access.redhat.com/security/updates/classification/#moderate
https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_MRG/2/html/Technical_Notes/index.html

8. Contact:

The Red Hat security contact is .  More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2012 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFPMB4eXlSAg2UNWIIRAl0iAJ4t52Tyclex3qSQKxvwg/5ceB97GACeNtDU
7D53yQGj8XpWN+WQo4dT/y0=
=nylT
-----END PGP SIGNATURE-----


From bugzilla at redhat.com  Mon Feb  6 18:40:53 2012
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 6 Feb 2012 18:40:53 +0000
Subject: [RHSA-2012:0100-01] Moderate: MRG Grid security, bug fix, and enhancement update
Message-ID: <201202061840.q16Iesak027643@int-mx09.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: MRG Grid security, bug fix, and enhancement update
Advisory ID:       RHSA-2012:0100-01
Product:           Red Hat Enterprise MRG for RHEL-5
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2012-0100.html
Issue date:        2012-02-06
Keywords:          MRG, Grid, Management, Enhancements, Security, Bug Fix, 2.1.1
CVE Names:         CVE-2011-4930
=====================================================================

1. Summary:

Updated Grid component packages that fix multiple security issues, multiple
bugs, and add various enhancements are now available for Red Hat Enterprise
MRG 2 for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

2. Relevant releases/architectures:

MRG Grid Execute Node for RHEL 5 Server v.2 - i386, noarch, x86_64
MRG Grid for RHEL 5 Server v.2 - i386, noarch, x86_64
MRG Management for RHEL 5 Server v.2 - noarch
Red Hat MRG Messaging for RHEL 5 Server v.2 - i386, x86_64

3. Description:

Red Hat Enterprise MRG (Messaging, Realtime, and Grid) is a next-generation
IT infrastructure for enterprise computing. MRG offers increased
performance, reliability, interoperability, and faster computing for
enterprise customers.

MRG Grid provides high-throughput computing and enables enterprises to
achieve higher peak computing capacity as well as improved infrastructure
utilization by leveraging their existing technology to build high
performance grids. MRG Grid provides a job-queueing mechanism, scheduling
policy, and a priority scheme, as well as resource monitoring and resource
management. Users submit their jobs to MRG Grid, where they are placed into
a queue. MRG Grid then chooses when and where to run the jobs based upon a
policy, carefully monitors their progress, and ultimately informs the user
upon completion.

Multiple format string flaws were found in Condor. An authenticated Condor
service user could use these flaws to prevent other jobs from being
scheduled and executed, crash the condor_schedd daemon, or, possibly,
execute arbitrary code with the privileges of the "condor" user.
(CVE-2011-4930)

These updated packages for Red Hat Enterprise Linux 5 provide enhancements
and bug fixes for the Grid component of MRG.

Some select enhancements and fixes include:

* Addition of -sort option to condor_status
* Customized output from condor_q -run for EC2 jobs
* Enhanced the summary line provided by condor_q
* Improved Collector performance around blocking network calls
* Fixed a memory leak associated with python-psycopg2 hit by cumin-data

Space precludes documenting all of these changes in this advisory. Refer to
the Red Hat Enterprise MRG 2 Technical Notes document for information on
these changes:

https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_MRG/2/html/Technical_Notes/index.html

All users of the Grid capabilities of Red Hat Enterprise MRG 2 are advised
to upgrade to these updated packages, which resolve the issues and add the
enhancements noted in the Red Hat Enterprise MRG 2 Technical Notes.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

613931 - cannot delete user name from condor_userprio -all and wrong resource number
748735 - Cumin generates application error: TypeError: len() of unsized object from cumin/objectframe.py, line 298
750063 - condor_q -run w/ EC2 should display EC2RemoteVirtualMachine
751072 - Some condor_* commands with valid parameter '-help' return non zero exit code
751779 - Up-time display for Scheduler object is not dd:hh:mm
751834 - Hardcoded resource URL (ec2.amazonaws.com)
752322 - Suspended jobs should be displayed in condor_q summary line
753829 - Dag submissions have incorrect job totals from plugin publisher
754202 - History file and index management during condor_job_server runtime
756401 - SPQR defaults to PLAIN authentication if a username is specified
756402 - SPQR does not support every authentication mechanism available in qmfengine
759154 - Script sshd.sh print 0 as error code of some utilities instead of returned code
759200 - Memory leak in python-psycopg2
759433 - OpenMPI job fails when sshd.sh putting identity keys back.
759548 - CVE-2011-4930 Condor: Multiple format string flaws
761165 - EC2AvailabilityZone misspelled
761588 - condor_schedd.init script isn't removing pidfile
765713 - Memory usage graph - gray collor
765846 - Submit VM job - doesn't work
771642 - Cumin generates application error: AttributeError: 'int' object has no attribute 'name', wallabyoperations.py line 420
773680 - Released job doesn't start
782485 - Exception on Inventory page after wallaby remove-node
782902 - Inventory page with sesame and wallaby data can see values disappear temporarily

6. Package List:

MRG Grid for RHEL 5 Server v.2:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/condor-7.6.5-0.12.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/condor-ec2-enhanced-1.3.0-1.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/condor-ec2-enhanced-hooks-1.3.0-1.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/condor-wallaby-base-db-1.19-1.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/cumin-0.1.5192-1.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/ruby-spqr-0.3.5-1.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/wallaby-0.12.5-1.el5.src.rpm

i386:
condor-7.6.5-0.12.el5.i386.rpm
condor-aviary-7.6.5-0.12.el5.i386.rpm
condor-classads-7.6.5-0.12.el5.i386.rpm
condor-debuginfo-7.6.5-0.12.el5.i386.rpm
condor-kbdd-7.6.5-0.12.el5.i386.rpm
condor-qmf-7.6.5-0.12.el5.i386.rpm
condor-vm-gahp-7.6.5-0.12.el5.i386.rpm

noarch:
condor-ec2-enhanced-1.3.0-1.el5.noarch.rpm
condor-ec2-enhanced-hooks-1.3.0-1.el5.noarch.rpm
condor-wallaby-base-db-1.19-1.el5.noarch.rpm
cumin-0.1.5192-1.el5.noarch.rpm
python-condorec2e-1.3.0-1.el5.noarch.rpm
python-wallaby-0.12.5-1.el5.noarch.rpm
ruby-spqr-0.3.5-1.el5.noarch.rpm
ruby-wallaby-0.12.5-1.el5.noarch.rpm
spqr-gen-0.3.5-1.el5.noarch.rpm
wallaby-0.12.5-1.el5.noarch.rpm
wallaby-utils-0.12.5-1.el5.noarch.rpm

x86_64:
condor-7.6.5-0.12.el5.x86_64.rpm
condor-aviary-7.6.5-0.12.el5.x86_64.rpm
condor-classads-7.6.5-0.12.el5.x86_64.rpm
condor-debuginfo-7.6.5-0.12.el5.x86_64.rpm
condor-kbdd-7.6.5-0.12.el5.x86_64.rpm
condor-qmf-7.6.5-0.12.el5.x86_64.rpm
condor-vm-gahp-7.6.5-0.12.el5.x86_64.rpm

MRG Grid Execute Node for RHEL 5 Server v.2:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/condor-7.6.5-0.12.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/condor-ec2-enhanced-1.3.0-1.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/condor-ec2-enhanced-hooks-1.3.0-1.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/condor-wallaby-base-db-1.19-1.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/ruby-spqr-0.3.5-1.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/wallaby-0.12.5-1.el5.src.rpm

i386:
condor-7.6.5-0.12.el5.i386.rpm
condor-classads-7.6.5-0.12.el5.i386.rpm
condor-debuginfo-7.6.5-0.12.el5.i386.rpm
condor-kbdd-7.6.5-0.12.el5.i386.rpm
condor-qmf-7.6.5-0.12.el5.i386.rpm
condor-vm-gahp-7.6.5-0.12.el5.i386.rpm

noarch:
condor-ec2-enhanced-1.3.0-1.el5.noarch.rpm
condor-wallaby-base-db-1.19-1.el5.noarch.rpm
python-condorec2e-1.3.0-1.el5.noarch.rpm
ruby-spqr-0.3.5-1.el5.noarch.rpm
ruby-wallaby-0.12.5-1.el5.noarch.rpm
spqr-gen-0.3.5-1.el5.noarch.rpm
wallaby-utils-0.12.5-1.el5.noarch.rpm

x86_64:
condor-7.6.5-0.12.el5.x86_64.rpm
condor-classads-7.6.5-0.12.el5.x86_64.rpm
condor-debuginfo-7.6.5-0.12.el5.x86_64.rpm
condor-kbdd-7.6.5-0.12.el5.x86_64.rpm
condor-qmf-7.6.5-0.12.el5.x86_64.rpm
condor-vm-gahp-7.6.5-0.12.el5.x86_64.rpm

MRG Management for RHEL 5 Server v.2:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/cumin-0.1.5192-1.el5.src.rpm

noarch:
cumin-0.1.5192-1.el5.noarch.rpm

Red Hat MRG Messaging for RHEL 5 Server v.2:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/python-psycopg2-2.0.14-3.el5.src.rpm

i386:
python-psycopg2-2.0.14-3.el5.i386.rpm
python-psycopg2-debuginfo-2.0.14-3.el5.i386.rpm

x86_64:
python-psycopg2-2.0.14-3.el5.x86_64.rpm
python-psycopg2-debuginfo-2.0.14-3.el5.x86_64.rpm

These packages are GPG signed by Red Hat for security.
Our key and details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2011-4930.html
https://access.redhat.com/security/updates/classification/#moderate
https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_MRG/2/html/Technical_Notes/index.html

8. Contact:

The Red Hat security contact is .  More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2012 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFPMB5vXlSAg2UNWIIRAgxJAKCGeV8QflM05/8iVjiVZF7JW224LwCgpD+W
ugxjXpZfYH4KumiQeH3i1QQ=
=MR2q
-----END PGP SIGNATURE-----


From bugzilla at redhat.com  Wed Feb  8 20:11:52 2012
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 8 Feb 2012 20:11:52 +0000
Subject: [RHSA-2012:0103-01] Moderate: squirrelmail security update
Message-ID: <201202082011.q18KBrtp008154@int-mx01.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: squirrelmail security update
Advisory ID:       RHSA-2012:0103-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2012-0103.html
Issue date:        2012-02-08
CVE Names:         CVE-2010-1637 CVE-2010-2813 CVE-2010-4554 CVE-2010-4555
                   CVE-2011-2023 CVE-2011-2752 CVE-2011-2753
=====================================================================

1. Summary:

An updated squirrelmail package that fixes several security issues is now
available for Red Hat Enterprise Linux 4 and 5.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - noarch
Red Hat Enterprise Linux (v. 5 server) - noarch
Red Hat Enterprise Linux AS version 4 - noarch
Red Hat Enterprise Linux Desktop version 4 - noarch
Red Hat Enterprise Linux ES version 4 - noarch
Red Hat Enterprise Linux WS version 4 - noarch

3. Description:

SquirrelMail is a standards-based webmail package written in PHP.

A cross-site scripting (XSS) flaw was found in the way SquirrelMail
performed the sanitization of HTML style tag content. A remote attacker
could use this flaw to send a specially-crafted Multipurpose Internet Mail
Extensions (MIME) message that, when opened by a victim, would lead to
arbitrary web script execution in the context of their SquirrelMail
session. (CVE-2011-2023)

Multiple cross-site scripting (XSS) flaws were found in SquirrelMail. A
remote attacker could possibly use these flaws to execute arbitrary web
script in the context of a victim's SquirrelMail session. (CVE-2010-4555)

An input sanitization flaw was found in the way SquirrelMail handled the
content of various HTML input fields. A remote attacker could use this flaw
to alter user preference values via a newline character contained in the
input for these fields. (CVE-2011-2752)

It was found that the SquirrelMail Empty Trash and Index Order pages did
not protect against Cross-Site Request Forgery (CSRF) attacks. If a remote
attacker could trick a user, who was logged into SquirrelMail, into
visiting a specially-crafted URL, the attacker could empty the victim's
trash folder or alter the ordering of the columns on the message index
page. (CVE-2011-2753)

SquirrelMail was allowed to be loaded into an HTML sub-frame, allowing a
remote attacker to perform a clickjacking attack against logged in users
and possibly gain access to sensitive user data. With this update, the
SquirrelMail main frame can only be loaded into the top most browser frame.
(CVE-2010-4554)

A flaw was found in the way SquirrelMail handled failed log in attempts. A
user preference file was created when attempting to log in with a password
containing an 8-bit character, even if the username was not valid. A remote
attacker could use this flaw to eventually consume all hard disk space on
the target SquirrelMail server. (CVE-2010-2813)

A flaw was found in the SquirrelMail Mail Fetch plug-in. If an
administrator enabled this plug-in, a SquirrelMail user could use this flaw
to port scan the local network the server was on. (CVE-2010-1637)

Users of SquirrelMail should upgrade to this updated package, which
contains backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

606459 - CVE-2010-1637 SquirrelMail: Mail Fetch plugin -- port-scans via non-standard POP3 server ports
618096 - CVE-2010-2813 SquirrelMail: DoS (disk space consumption) by random IMAP login attempts with 8-bit characters in the password
720693 - CVE-2010-4554 SquirrelMail: Prone to clickjacking attacks
720694 - CVE-2010-4555 SquirrelMail: Multiple XSS flaws
720695 - CVE-2011-2023 SquirrelMail: XSS in