From bugzilla at redhat.com  Thu Mar  1 15:24:49 2012
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 1 Mar 2012 15:24:49 +0000
Subject: [RHSA-2012:0349-01] Low: Red Hat Enterprise Linux 4 - Transition to Extended Life Phase Notice
Message-ID: <201203011524.q21FOnfp028133@int-mx09.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: Red Hat Enterprise Linux 4 - Transition to Extended Life Phase Notice
Advisory ID:       RHSA-2012:0349-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2012-0349.html
Issue date:        2012-03-01
=====================================================================

1. Summary:

Red Hat Enterprise Linux 4 reaches end of Production Phase and transitions to Extended Life Phase.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

3. Description:

On March 01, 2012, all Red Hat Enterprise Linux 4-based products listed below transition from the Production Phase to the Extended Life Phase:

Red Hat Enterprise Linux AS 4
Red Hat Enterprise Linux ES 4
Red Hat Enterprise Linux WS 4
Red Hat Desktop 4
Red Hat Global File System 4
Red Hat Cluster Suite 4

Red Hat offers support and services for each major release of Red Hat Enterprise Linux throughout four phases: Production 1, 2, and 3, and Extended Life Phase. For Red Hat Enterprise Linux 4, the Production Phase spans seven years, followed by a three-year Extended Life Phase. Together, these four phases constitute the "life cycle".
The specific support and services provided during each phase are described in detail at:

http://redhat.com/rhel/lifecycle

On March 01, 2012, Red Hat Enterprise Linux 4 systems continue to be subscribed to Red Hat Enterprise Linux 4 channels on Red Hat Network (RHN), continue to require a Red Hat Enterprise Linux entitlement, and continue to have access to:

* Limited technical support for existing Red Hat Enterprise Linux 4 deployments (for customers with Basic, Premium, or Standard support).

* Previously released bug fixes (RHBAs), security errata (RHSAs), and product enhancements (RHEAs) via RHN. Software maintenance (new bug fix and security errata) is no longer provided for the Red Hat Enterprise Linux 4 product family.

* Red Hat Knowledgebase and other content (white papers, reference architectures, etc.) found in the Red Hat Customer Portal.

* Red Hat Enterprise Linux 4 documentation.

Please also note that new bug fix, security, or product enhancement advisories (RHBAs, RHSAs, and RHEAs) are no longer provided for the Red Hat Enterprise Linux 4 Add-Ons after March 01.

After March 01, you have several options. Your Red Hat subscription gives you continuous access to all active versions of the Red Hat software in both binary and source form, including all security updates and bug fixes. As Red Hat Enterprise Linux 4 transitions out of the Production Phase, we strongly recommend that you take full advantage of your subscription services and upgrade to Red Hat Enterprise Linux 5 or 6, which contain compelling new features and enablement for modern hardware platforms and ISV applications.

If you must remain on Red Hat Enterprise Linux 4, we recommend that you add the Red Hat Enterprise Linux Extended Life Cycle Support (ELS) Add-On subscription to your current Red Hat Enterprise Linux subscription. The ELS Add-On complements your Red Hat Enterprise Linux subscription and provides software maintenance services not otherwise available in the Extended Life Phase.
Customers who purchase the ELS Add-On continue to receive software maintenance (critical impact security and urgent priority bug fixes) and technical support as provided in the Production 3 Phase. ELS is available for up to three years and requires that you have an existing Red Hat Enterprise Linux subscription with equivalent subscription terms and support level.

For more information on the Red Hat Enterprise Linux ELS Add-On, visit:

http://www.redhat.com/products/enterprise-linux-add-ons/extended-lifecycle-support/

4. Solution:

This advisory contains an updated redhat-release package that provides a copy of this end of life notice in the "/usr/share/doc/" directory.

5. Bugs fixed (http://bugzilla.redhat.com/):

786375 - Send Out RHEL 4 Transition to Extended Life Phase Notice

6. Package List:

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/redhat-release-4AS-10.10.src.rpm

i386:
redhat-release-4AS-10.10.i386.rpm

ia64:
redhat-release-4AS-10.10.ia64.rpm

ppc:
redhat-release-4AS-10.10.ppc.rpm

s390:
redhat-release-4AS-10.10.s390.rpm

s390x:
redhat-release-4AS-10.10.s390x.rpm

x86_64:
redhat-release-4AS-10.10.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/redhat-release-4Desktop-10.10.src.rpm

i386:
redhat-release-4Desktop-10.10.i386.rpm

x86_64:
redhat-release-4Desktop-10.10.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/redhat-release-4ES-10.10.src.rpm

i386:
redhat-release-4ES-10.10.i386.rpm

ia64:
redhat-release-4ES-10.10.ia64.rpm

x86_64:
redhat-release-4ES-10.10.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/redhat-release-4WS-10.10.src.rpm

i386:
redhat-release-4WS-10.10.i386.rpm

ia64:
redhat-release-4WS-10.10.ia64.rpm

x86_64:
redhat-release-4WS-10.10.x86_64.rpm

These packages are GPG signed by Red Hat for security.
Our key and details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://access.redhat.com/security/updates/classification/#low
http://www.redhat.com/products/enterprise-linux-add-ons/extended-lifecycle-support/
http://redhat.com/rhel/lifecycle

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2012 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFPT5ScXlSAg2UNWIIRAkagAKDCtqoZIIXEohr4SM2Bj9+hqjUzrACfWUE4
XDaLoNJcxGb2rD48E+aBJr8=
=5k7N
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Tue Mar  6 18:48:38 2012
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 6 Mar 2012 18:48:38 +0000
Subject: [RHSA-2012:0350-01] Moderate: kernel security and bug fix update
Message-ID: <201203061848.q26Imdw1017912@int-mx01.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: kernel security and bug fix update
Advisory ID:       RHSA-2012:0350-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2012-0350.html
Issue date:        2012-03-06
CVE Names:         CVE-2011-4077 CVE-2011-4081 CVE-2011-4132 CVE-2011-4347
                   CVE-2011-4594 CVE-2011-4611 CVE-2011-4622 CVE-2012-0038
                   CVE-2012-0045 CVE-2012-0207
=====================================================================

1. Summary:

Updated kernel packages that fix various security issues and several bugs are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 6) - i386, noarch, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - noarch, x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, noarch, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, noarch, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64

3. Description:

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues:

* A buffer overflow flaw was found in the way the Linux kernel's XFS file system implementation handled links with overly long path names. A local, unprivileged user could use this flaw to cause a denial of service or escalate their privileges by mounting a specially-crafted disk. (CVE-2011-4077, Moderate)

* Flaws in ghash_update() and ghash_final() could allow a local, unprivileged user to cause a denial of service. (CVE-2011-4081, Moderate)

* A flaw was found in the Linux kernel's Journaling Block Device (JBD). A local, unprivileged user could use this flaw to crash the system by mounting a specially-crafted ext3 or ext4 disk. (CVE-2011-4132, Moderate)

* It was found that the kvm_vm_ioctl_assign_device() function in the KVM (Kernel-based Virtual Machine) subsystem of a Linux kernel did not check if the user requesting device assignment was privileged or not. A local, unprivileged user on the host could assign unused PCI devices, or even devices that were in use and whose resources were not properly claimed by the respective drivers, which could result in the host crashing. (CVE-2011-4347, Moderate)

* Two flaws were found in the way the Linux kernel's __sys_sendmsg() function, when invoked via the sendmmsg() system call, accessed user-space memory.
A local, unprivileged user could use these flaws to cause a denial of service. (CVE-2011-4594, Moderate)

* The RHSA-2011:1530 kernel update introduced an integer overflow flaw in the Linux kernel. On PowerPC systems, a local, unprivileged user could use this flaw to cause a denial of service. (CVE-2011-4611, Moderate)

* A flaw was found in the way the KVM subsystem of a Linux kernel handled PIT (Programmable Interval Timer) IRQs (interrupt requests) when there was no virtual interrupt controller set up. A local, unprivileged user on the host could force this situation to occur, resulting in the host crashing. (CVE-2011-4622, Moderate)

* A flaw was found in the way the Linux kernel's XFS file system implementation handled on-disk Access Control Lists (ACLs). A local, unprivileged user could use this flaw to cause a denial of service or escalate their privileges by mounting a specially-crafted disk. (CVE-2012-0038, Moderate)

* A flaw was found in the way the Linux kernel's KVM hypervisor implementation emulated the syscall instruction for 32-bit guests. An unprivileged guest user could trigger this flaw to crash the guest. (CVE-2012-0045, Moderate)

* A divide-by-zero flaw was found in the Linux kernel's igmp_heard_query() function. An attacker able to send certain IGMP (Internet Group Management Protocol) packets to a target system could use this flaw to cause a denial of service. (CVE-2012-0207, Moderate)

Red Hat would like to thank Nick Bowler for reporting CVE-2011-4081; Sasha Levin for reporting CVE-2011-4347; Tetsuo Handa for reporting CVE-2011-4594; Maynard Johnson for reporting CVE-2011-4611; Wang Xi for reporting CVE-2012-0038; Stephan Bärwolf for reporting CVE-2012-0045; and Simon McVittie for reporting CVE-2012-0207. Upstream acknowledges Mathieu Desnoyers as the original reporter of CVE-2011-4594.

This update also fixes several bugs.
Documentation for these changes will be available shortly from the Technical Notes document linked to in the References section.

Users should upgrade to these updated packages, which contain backported patches to correct these issues, and fix the bugs noted in the Technical Notes. The system must be rebooted for this update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258

To install kernel packages manually, use "rpm -ivh [package]". Do not use "rpm -Uvh" as that will remove the running kernel binaries from your system. You may use "rpm -e" to remove old kernels after determining that the new kernel functions properly on your system.

5. Bugs fixed (http://bugzilla.redhat.com/):

749156 - CVE-2011-4077 kernel: xfs: potential buffer overflow in xfs_readlink()
749475 - CVE-2011-4081 kernel: crypto: ghash: null pointer deref if no key is set
753341 - CVE-2011-4132 kernel: jbd/jbd2: invalid value of first log block leads to oops
756084 - CVE-2011-4347 kernel: kvm: device assignment DoS
761646 - CVE-2011-4594 kernel: send(m)msg: user pointer dereferences
767914 - CVE-2011-4611 kernel: perf, powerpc: Handle events that raise an exception without overflowing
769721 - CVE-2011-4622 kernel: kvm: pit timer with no irqchip crashes the system
772867 - CVE-2012-0207 kernel: igmp: Avoid zero delay when receiving odd mixture of IGMP queries
773280 - CVE-2012-0038 kernel: xfs heap overflow
773370 - CVE-2012-0045 kernel: kvm: syscall instruction induced guest panic
789058 - cifs: i/o error on copying file > 102336 bytes [rhel-6.2.z]

6. Package List:

Red Hat Enterprise Linux Desktop (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/kernel-2.6.32-220.7.1.el6.src.rpm

i386:
kernel-2.6.32-220.7.1.el6.i686.rpm
kernel-debug-2.6.32-220.7.1.el6.i686.rpm
kernel-debug-debuginfo-2.6.32-220.7.1.el6.i686.rpm
kernel-debug-devel-2.6.32-220.7.1.el6.i686.rpm
kernel-debuginfo-2.6.32-220.7.1.el6.i686.rpm
kernel-debuginfo-common-i686-2.6.32-220.7.1.el6.i686.rpm
kernel-devel-2.6.32-220.7.1.el6.i686.rpm
kernel-headers-2.6.32-220.7.1.el6.i686.rpm
perf-2.6.32-220.7.1.el6.i686.rpm
perf-debuginfo-2.6.32-220.7.1.el6.i686.rpm

noarch:
kernel-doc-2.6.32-220.7.1.el6.noarch.rpm
kernel-firmware-2.6.32-220.7.1.el6.noarch.rpm

x86_64:
kernel-2.6.32-220.7.1.el6.x86_64.rpm
kernel-debug-2.6.32-220.7.1.el6.x86_64.rpm
kernel-debug-debuginfo-2.6.32-220.7.1.el6.x86_64.rpm
kernel-debug-devel-2.6.32-220.7.1.el6.x86_64.rpm
kernel-debuginfo-2.6.32-220.7.1.el6.x86_64.rpm
kernel-debuginfo-common-x86_64-2.6.32-220.7.1.el6.x86_64.rpm
kernel-devel-2.6.32-220.7.1.el6.x86_64.rpm
kernel-headers-2.6.32-220.7.1.el6.x86_64.rpm
perf-2.6.32-220.7.1.el6.x86_64.rpm
perf-debuginfo-2.6.32-220.7.1.el6.x86_64.rpm

Red Hat Enterprise Linux Desktop Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/kernel-2.6.32-220.7.1.el6.src.rpm

i386:
kernel-debug-debuginfo-2.6.32-220.7.1.el6.i686.rpm
kernel-debuginfo-2.6.32-220.7.1.el6.i686.rpm
kernel-debuginfo-common-i686-2.6.32-220.7.1.el6.i686.rpm
perf-debuginfo-2.6.32-220.7.1.el6.i686.rpm
python-perf-2.6.32-220.7.1.el6.i686.rpm

x86_64:
kernel-debug-debuginfo-2.6.32-220.7.1.el6.x86_64.rpm
kernel-debuginfo-2.6.32-220.7.1.el6.x86_64.rpm
kernel-debuginfo-common-x86_64-2.6.32-220.7.1.el6.x86_64.rpm
perf-debuginfo-2.6.32-220.7.1.el6.x86_64.rpm
python-perf-2.6.32-220.7.1.el6.x86_64.rpm

Red Hat Enterprise Linux HPC Node (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/kernel-2.6.32-220.7.1.el6.src.rpm

noarch:
kernel-doc-2.6.32-220.7.1.el6.noarch.rpm
kernel-firmware-2.6.32-220.7.1.el6.noarch.rpm

x86_64:
kernel-2.6.32-220.7.1.el6.x86_64.rpm
kernel-debug-2.6.32-220.7.1.el6.x86_64.rpm
kernel-debug-debuginfo-2.6.32-220.7.1.el6.x86_64.rpm
kernel-debug-devel-2.6.32-220.7.1.el6.x86_64.rpm
kernel-debuginfo-2.6.32-220.7.1.el6.x86_64.rpm
kernel-debuginfo-common-x86_64-2.6.32-220.7.1.el6.x86_64.rpm
kernel-devel-2.6.32-220.7.1.el6.x86_64.rpm
kernel-headers-2.6.32-220.7.1.el6.x86_64.rpm
perf-2.6.32-220.7.1.el6.x86_64.rpm
perf-debuginfo-2.6.32-220.7.1.el6.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/kernel-2.6.32-220.7.1.el6.src.rpm

x86_64:
kernel-debug-debuginfo-2.6.32-220.7.1.el6.x86_64.rpm
kernel-debuginfo-2.6.32-220.7.1.el6.x86_64.rpm
kernel-debuginfo-common-x86_64-2.6.32-220.7.1.el6.x86_64.rpm
perf-debuginfo-2.6.32-220.7.1.el6.x86_64.rpm
python-perf-2.6.32-220.7.1.el6.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/kernel-2.6.32-220.7.1.el6.src.rpm

i386:
kernel-2.6.32-220.7.1.el6.i686.rpm
kernel-debug-2.6.32-220.7.1.el6.i686.rpm
kernel-debug-debuginfo-2.6.32-220.7.1.el6.i686.rpm
kernel-debug-devel-2.6.32-220.7.1.el6.i686.rpm
kernel-debuginfo-2.6.32-220.7.1.el6.i686.rpm
kernel-debuginfo-common-i686-2.6.32-220.7.1.el6.i686.rpm
kernel-devel-2.6.32-220.7.1.el6.i686.rpm
kernel-headers-2.6.32-220.7.1.el6.i686.rpm
perf-2.6.32-220.7.1.el6.i686.rpm
perf-debuginfo-2.6.32-220.7.1.el6.i686.rpm

noarch:
kernel-doc-2.6.32-220.7.1.el6.noarch.rpm
kernel-firmware-2.6.32-220.7.1.el6.noarch.rpm

ppc64:
kernel-2.6.32-220.7.1.el6.ppc64.rpm
kernel-bootwrapper-2.6.32-220.7.1.el6.ppc64.rpm
kernel-debug-2.6.32-220.7.1.el6.ppc64.rpm
kernel-debug-debuginfo-2.6.32-220.7.1.el6.ppc64.rpm
kernel-debug-devel-2.6.32-220.7.1.el6.ppc64.rpm
kernel-debuginfo-2.6.32-220.7.1.el6.ppc64.rpm
kernel-debuginfo-common-ppc64-2.6.32-220.7.1.el6.ppc64.rpm
kernel-devel-2.6.32-220.7.1.el6.ppc64.rpm
kernel-headers-2.6.32-220.7.1.el6.ppc64.rpm
perf-2.6.32-220.7.1.el6.ppc64.rpm
perf-debuginfo-2.6.32-220.7.1.el6.ppc64.rpm

s390x:
kernel-2.6.32-220.7.1.el6.s390x.rpm
kernel-debug-2.6.32-220.7.1.el6.s390x.rpm
kernel-debug-debuginfo-2.6.32-220.7.1.el6.s390x.rpm
kernel-debug-devel-2.6.32-220.7.1.el6.s390x.rpm
kernel-debuginfo-2.6.32-220.7.1.el6.s390x.rpm
kernel-debuginfo-common-s390x-2.6.32-220.7.1.el6.s390x.rpm
kernel-devel-2.6.32-220.7.1.el6.s390x.rpm
kernel-headers-2.6.32-220.7.1.el6.s390x.rpm
kernel-kdump-2.6.32-220.7.1.el6.s390x.rpm
kernel-kdump-debuginfo-2.6.32-220.7.1.el6.s390x.rpm
kernel-kdump-devel-2.6.32-220.7.1.el6.s390x.rpm
perf-2.6.32-220.7.1.el6.s390x.rpm
perf-debuginfo-2.6.32-220.7.1.el6.s390x.rpm

x86_64:
kernel-2.6.32-220.7.1.el6.x86_64.rpm
kernel-debug-2.6.32-220.7.1.el6.x86_64.rpm
kernel-debug-debuginfo-2.6.32-220.7.1.el6.x86_64.rpm
kernel-debug-devel-2.6.32-220.7.1.el6.x86_64.rpm
kernel-debuginfo-2.6.32-220.7.1.el6.x86_64.rpm
kernel-debuginfo-common-x86_64-2.6.32-220.7.1.el6.x86_64.rpm
kernel-devel-2.6.32-220.7.1.el6.x86_64.rpm
kernel-headers-2.6.32-220.7.1.el6.x86_64.rpm
perf-2.6.32-220.7.1.el6.x86_64.rpm
perf-debuginfo-2.6.32-220.7.1.el6.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/kernel-2.6.32-220.7.1.el6.src.rpm

i386:
kernel-debug-debuginfo-2.6.32-220.7.1.el6.i686.rpm
kernel-debuginfo-2.6.32-220.7.1.el6.i686.rpm
kernel-debuginfo-common-i686-2.6.32-220.7.1.el6.i686.rpm
perf-debuginfo-2.6.32-220.7.1.el6.i686.rpm
python-perf-2.6.32-220.7.1.el6.i686.rpm

ppc64:
kernel-debug-debuginfo-2.6.32-220.7.1.el6.ppc64.rpm
kernel-debuginfo-2.6.32-220.7.1.el6.ppc64.rpm
kernel-debuginfo-common-ppc64-2.6.32-220.7.1.el6.ppc64.rpm
perf-debuginfo-2.6.32-220.7.1.el6.ppc64.rpm
python-perf-2.6.32-220.7.1.el6.ppc64.rpm

s390x:
kernel-debug-debuginfo-2.6.32-220.7.1.el6.s390x.rpm
kernel-debuginfo-2.6.32-220.7.1.el6.s390x.rpm
kernel-debuginfo-common-s390x-2.6.32-220.7.1.el6.s390x.rpm
kernel-kdump-debuginfo-2.6.32-220.7.1.el6.s390x.rpm
perf-debuginfo-2.6.32-220.7.1.el6.s390x.rpm
python-perf-2.6.32-220.7.1.el6.s390x.rpm

x86_64:
kernel-debug-debuginfo-2.6.32-220.7.1.el6.x86_64.rpm
kernel-debuginfo-2.6.32-220.7.1.el6.x86_64.rpm
kernel-debuginfo-common-x86_64-2.6.32-220.7.1.el6.x86_64.rpm
perf-debuginfo-2.6.32-220.7.1.el6.x86_64.rpm
python-perf-2.6.32-220.7.1.el6.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/kernel-2.6.32-220.7.1.el6.src.rpm

i386:
kernel-2.6.32-220.7.1.el6.i686.rpm
kernel-debug-2.6.32-220.7.1.el6.i686.rpm
kernel-debug-debuginfo-2.6.32-220.7.1.el6.i686.rpm
kernel-debug-devel-2.6.32-220.7.1.el6.i686.rpm
kernel-debuginfo-2.6.32-220.7.1.el6.i686.rpm
kernel-debuginfo-common-i686-2.6.32-220.7.1.el6.i686.rpm
kernel-devel-2.6.32-220.7.1.el6.i686.rpm
kernel-headers-2.6.32-220.7.1.el6.i686.rpm
perf-2.6.32-220.7.1.el6.i686.rpm
perf-debuginfo-2.6.32-220.7.1.el6.i686.rpm

noarch:
kernel-doc-2.6.32-220.7.1.el6.noarch.rpm
kernel-firmware-2.6.32-220.7.1.el6.noarch.rpm

x86_64:
kernel-2.6.32-220.7.1.el6.x86_64.rpm
kernel-debug-2.6.32-220.7.1.el6.x86_64.rpm
kernel-debug-debuginfo-2.6.32-220.7.1.el6.x86_64.rpm
kernel-debug-devel-2.6.32-220.7.1.el6.x86_64.rpm
kernel-debuginfo-2.6.32-220.7.1.el6.x86_64.rpm
kernel-debuginfo-common-x86_64-2.6.32-220.7.1.el6.x86_64.rpm
kernel-devel-2.6.32-220.7.1.el6.x86_64.rpm
kernel-headers-2.6.32-220.7.1.el6.x86_64.rpm
perf-2.6.32-220.7.1.el6.x86_64.rpm
perf-debuginfo-2.6.32-220.7.1.el6.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/kernel-2.6.32-220.7.1.el6.src.rpm

i386:
kernel-debug-debuginfo-2.6.32-220.7.1.el6.i686.rpm
kernel-debuginfo-2.6.32-220.7.1.el6.i686.rpm
kernel-debuginfo-common-i686-2.6.32-220.7.1.el6.i686.rpm
perf-debuginfo-2.6.32-220.7.1.el6.i686.rpm
python-perf-2.6.32-220.7.1.el6.i686.rpm

x86_64:
kernel-debug-debuginfo-2.6.32-220.7.1.el6.x86_64.rpm
kernel-debuginfo-2.6.32-220.7.1.el6.x86_64.rpm
kernel-debuginfo-common-x86_64-2.6.32-220.7.1.el6.x86_64.rpm
perf-debuginfo-2.6.32-220.7.1.el6.x86_64.rpm
python-perf-2.6.32-220.7.1.el6.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2011-4077.html
https://www.redhat.com/security/data/cve/CVE-2011-4081.html
https://www.redhat.com/security/data/cve/CVE-2011-4132.html
https://www.redhat.com/security/data/cve/CVE-2011-4347.html
https://www.redhat.com/security/data/cve/CVE-2011-4594.html
https://www.redhat.com/security/data/cve/CVE-2011-4611.html
https://www.redhat.com/security/data/cve/CVE-2011-4622.html
https://www.redhat.com/security/data/cve/CVE-2012-0038.html
https://www.redhat.com/security/data/cve/CVE-2012-0045.html
https://www.redhat.com/security/data/cve/CVE-2012-0207.html
https://access.redhat.com/security/updates/classification/#moderate
https://rhn.redhat.com/errata/RHSA-2011-1530.html
https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/6.2_Technical_Notes/kernel.html#RHSA-2012-0350

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2012 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFPVlvgXlSAg2UNWIIRAs+VAKDAOxZ7M5s2GTOoHpYSCb+8O6S7xgCgr64c
78iO5Dc5O0zDpxGyRUZiSvI=
=OcxS
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Tue Mar  6 18:49:26 2012
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 6 Mar 2012 18:49:26 +0000
Subject: [RHSA-2012:0358-01] Important: kernel security and bug fix update
Message-ID: <201203061849.q26InRlF018555@int-mx10.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: kernel security and bug fix update
Advisory ID:       RHSA-2012:0358-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2012-0358.html
Issue date:        2012-03-06
CVE Names:         CVE-2011-1898 CVE-2011-2699 CVE-2011-4127 CVE-2011-4330
                   CVE-2012-0028
=====================================================================

1. Summary:

Updated kernel packages that fix several security issues and various bugs are now available for Red Hat Enterprise Linux 5.6 Extended Update Support.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux EUS (v. 5.6 server) - i386, ia64, noarch, ppc, s390x, x86_64

3. Description:

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues:

* Using PCI passthrough without interrupt remapping support allowed Xen hypervisor guests to generate MSI interrupts and thus potentially inject traps. A privileged guest user could use this flaw to crash the host or possibly escalate their privileges on the host. The fix for this issue can prevent PCI passthrough working and guests starting. Refer to Red Hat Bugzilla bug 715555 for details. (CVE-2011-1898, Important)

* IPv6 fragment identification value generation could allow a remote attacker to disrupt a target system's networking, preventing legitimate users from accessing its services. (CVE-2011-2699, Important)

* Using the SG_IO ioctl to issue SCSI requests to partitions or LVM volumes resulted in the requests being passed to the underlying block device. If a privileged user only had access to a single partition or LVM volume, they could use this flaw to bypass those restrictions and gain read and write access (and be able to issue other SCSI commands) to the entire block device. Refer to Red Hat Knowledgebase article 67869, linked to in the References, for further details about this issue. (CVE-2011-4127, Important)

* A flaw was found in the way the Linux kernel handled robust list pointers of user-space held futexes across exec() calls.
A local, unprivileged user could use this flaw to cause a denial of service or, eventually, escalate their privileges. (CVE-2012-0028, Important)

* A missing boundary check was found in the Linux kernel's HFS file system implementation. A local attacker could use this flaw to cause a denial of service or escalate their privileges by mounting a specially-crafted disk. (CVE-2011-4330, Moderate)

Red Hat would like to thank Fernando Gont for reporting CVE-2011-2699, and Clement Lecigne for reporting CVE-2011-4330.

This update also fixes the following bugs:

* Previously, all timers for a Xen fully-virtualized domain were based on the time stamp counter (TSC) of the underlying physical CPU. This could cause observed time to go backwards on some hosts. This update moves all timers except HPET to the Xen monotonic system time, which fixes the bug as long as the HPET is removed from the configuration of the domain. (BZ#773359)

* Previously, tests of the Microsoft Server Virtualization Validation Program (SVVP) detected unreliability of the emulated HPET (High Performance Event Timer) on some hosts. Now, HPET can be configured as a per-domain configuration option; if it is disabled, the guest chooses a more reliable timer source. Disabling HPET is suggested for Windows guests, as well as fully-virtualized Linux guests that show occasional "time went backwards" errors in the console. (BZ#773360)

* SG_IO ioctls were not implemented correctly in the Red Hat Enterprise Linux 5 virtio-blk driver. Sending an SG_IO ioctl request to a virtio-blk disk caused the sending thread to enter an uninterruptible sleep state ("D" state). With this update, SG_IO ioctls are rejected by the virtio-blk driver; the ioctl system call simply returns an ENOTTY ("Inappropriate ioctl for device") error and the thread continues normally. (BZ#784658)

Users should upgrade to these updated packages, which contain backported patches to correct these issues.
The system must be rebooted for this update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258

To install kernel packages manually, use "rpm -ivh [package]". Do not use "rpm -Uvh" as that will remove the running kernel binaries from your system. You may use "rpm -e" to remove old kernels after determining that the new kernel functions properly on your system.

5. Bugs fixed (http://bugzilla.redhat.com/):

715555 - CVE-2011-1898 virt: VT-d (PCI passthrough) MSI trap injection
723429 - CVE-2011-2699 kernel: ipv6: make fragment identifications less predictable
752375 - CVE-2011-4127 kernel: possible privilege escalation via SG_IO ioctl
755431 - CVE-2011-4330 kernel: hfs: add sanity check for file name length
771764 - CVE-2012-0028 kernel: futex: clear robust_list on execve
773360 - provide option to disable HPET [rhel-5.6.z]
784658 - Install RHEV-H to virtual machine cause VM kernel panic when boot [rhel-5.6.z]

6. Package List:

Red Hat Enterprise Linux EUS (v. 5.6 server):

Source:
kernel-2.6.18-238.35.1.el5.src.rpm

i386:
kernel-2.6.18-238.35.1.el5.i686.rpm
kernel-PAE-2.6.18-238.35.1.el5.i686.rpm
kernel-PAE-debuginfo-2.6.18-238.35.1.el5.i686.rpm
kernel-PAE-devel-2.6.18-238.35.1.el5.i686.rpm
kernel-debug-2.6.18-238.35.1.el5.i686.rpm
kernel-debug-debuginfo-2.6.18-238.35.1.el5.i686.rpm
kernel-debug-devel-2.6.18-238.35.1.el5.i686.rpm
kernel-debuginfo-2.6.18-238.35.1.el5.i686.rpm
kernel-debuginfo-common-2.6.18-238.35.1.el5.i686.rpm
kernel-devel-2.6.18-238.35.1.el5.i686.rpm
kernel-headers-2.6.18-238.35.1.el5.i386.rpm
kernel-xen-2.6.18-238.35.1.el5.i686.rpm
kernel-xen-debuginfo-2.6.18-238.35.1.el5.i686.rpm
kernel-xen-devel-2.6.18-238.35.1.el5.i686.rpm

ia64:
kernel-2.6.18-238.35.1.el5.ia64.rpm
kernel-debug-2.6.18-238.35.1.el5.ia64.rpm
kernel-debug-debuginfo-2.6.18-238.35.1.el5.ia64.rpm
kernel-debug-devel-2.6.18-238.35.1.el5.ia64.rpm
kernel-debuginfo-2.6.18-238.35.1.el5.ia64.rpm
kernel-debuginfo-common-2.6.18-238.35.1.el5.ia64.rpm
kernel-devel-2.6.18-238.35.1.el5.ia64.rpm
kernel-headers-2.6.18-238.35.1.el5.ia64.rpm
kernel-xen-2.6.18-238.35.1.el5.ia64.rpm
kernel-xen-debuginfo-2.6.18-238.35.1.el5.ia64.rpm
kernel-xen-devel-2.6.18-238.35.1.el5.ia64.rpm

noarch:
kernel-doc-2.6.18-238.35.1.el5.noarch.rpm

ppc:
kernel-2.6.18-238.35.1.el5.ppc64.rpm
kernel-debug-2.6.18-238.35.1.el5.ppc64.rpm
kernel-debug-debuginfo-2.6.18-238.35.1.el5.ppc64.rpm
kernel-debug-devel-2.6.18-238.35.1.el5.ppc64.rpm
kernel-debuginfo-2.6.18-238.35.1.el5.ppc64.rpm
kernel-debuginfo-common-2.6.18-238.35.1.el5.ppc64.rpm
kernel-devel-2.6.18-238.35.1.el5.ppc64.rpm
kernel-headers-2.6.18-238.35.1.el5.ppc.rpm
kernel-headers-2.6.18-238.35.1.el5.ppc64.rpm
kernel-kdump-2.6.18-238.35.1.el5.ppc64.rpm
kernel-kdump-debuginfo-2.6.18-238.35.1.el5.ppc64.rpm
kernel-kdump-devel-2.6.18-238.35.1.el5.ppc64.rpm

s390x:
kernel-2.6.18-238.35.1.el5.s390x.rpm
kernel-debug-2.6.18-238.35.1.el5.s390x.rpm
kernel-debug-debuginfo-2.6.18-238.35.1.el5.s390x.rpm
kernel-debug-devel-2.6.18-238.35.1.el5.s390x.rpm
kernel-debuginfo-2.6.18-238.35.1.el5.s390x.rpm
kernel-debuginfo-common-2.6.18-238.35.1.el5.s390x.rpm
kernel-devel-2.6.18-238.35.1.el5.s390x.rpm
kernel-headers-2.6.18-238.35.1.el5.s390x.rpm
kernel-kdump-2.6.18-238.35.1.el5.s390x.rpm
kernel-kdump-debuginfo-2.6.18-238.35.1.el5.s390x.rpm
kernel-kdump-devel-2.6.18-238.35.1.el5.s390x.rpm

x86_64:
kernel-2.6.18-238.35.1.el5.x86_64.rpm
kernel-debug-2.6.18-238.35.1.el5.x86_64.rpm
kernel-debug-debuginfo-2.6.18-238.35.1.el5.x86_64.rpm
kernel-debug-devel-2.6.18-238.35.1.el5.x86_64.rpm
kernel-debuginfo-2.6.18-238.35.1.el5.x86_64.rpm
kernel-debuginfo-common-2.6.18-238.35.1.el5.x86_64.rpm
kernel-devel-2.6.18-238.35.1.el5.x86_64.rpm
kernel-headers-2.6.18-238.35.1.el5.x86_64.rpm
kernel-xen-2.6.18-238.35.1.el5.x86_64.rpm
kernel-xen-debuginfo-2.6.18-238.35.1.el5.x86_64.rpm
kernel-xen-devel-2.6.18-238.35.1.el5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2011-1898.html
https://www.redhat.com/security/data/cve/CVE-2011-2699.html
https://www.redhat.com/security/data/cve/CVE-2011-4127.html
https://www.redhat.com/security/data/cve/CVE-2011-4330.html
https://www.redhat.com/security/data/cve/CVE-2012-0028.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/knowledge/articles/66747
https://bugzilla.redhat.com/show_bug.cgi?id=715555
https://access.redhat.com/knowledge/articles/67869

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2012 Red Hat, Inc.
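Editor's added example; it is not part of RHSA-2012:0358, RHSA-2012:0350 or any Red Hat tooling. The Solution sections of both kernel advisories above say the same two things: confirm that earlier errata are already applied, and install the new kernel with "rpm -ivh" rather than "rpm -Uvh" so the currently running kernel stays installed as a fallback. The helper below puts the first check into code. It re-implements RPM's segment-wise version ordering (a simplified rpmvercmp without the tilde and caret rules) so that the build reported by uname -r can be compared against the fixed builds taken from the package lists above, and it wraps the install step behind a package signature check. FIXED_EL6, FIXED_EL5, rpmvercmp, kernel_needs_update, affected_advisory and install_kernel_rpm are names chosen for this example; affected_advisory knows only the two advisories on this page, so "none" means "not covered by these two", not "patched".

```shell
#!/bin/sh
# Added example: is the running kernel older than the build an RHSA fixed,
# and how to install the new kernel without removing the old one.

# Fixed builds, copied from the package lists of the two advisories above.
FIXED_EL6=2.6.32-220.7.1.el6     # RHSA-2012:0350 (RHEL 6)
FIXED_EL5=2.6.18-238.35.1.el5    # RHSA-2012:0358 (RHEL 5.6 EUS)

# Simplified re-implementation of rpm's rpmvercmp(): split both strings into
# runs of digits or letters, compare run by run (numeric runs numerically,
# alphabetic runs bytewise, a numeric run sorts after an alphabetic one).
# Tilde and caret handling are omitted. Prints -1, 0 or 1.
rpmvercmp() {
  a=$1 b=$2
  while :; do
    # Drop separators such as '.' and '-' in front of the next run.
    a=$(printf '%s\n' "$a" | sed 's/^[^A-Za-z0-9]*//')
    b=$(printf '%s\n' "$b" | sed 's/^[^A-Za-z0-9]*//')
    if [ -z "$a" ] && [ -z "$b" ]; then printf '%s\n' 0; return; fi
    if [ -z "$a" ]; then printf '%s\n' -1; return; fi
    if [ -z "$b" ]; then printf '%s\n' 1; return; fi
    case $a in [0-9]*) sa=${a%%[!0-9]*} an=1 ;; *) sa=${a%%[!A-Za-z]*} an=0 ;; esac
    case $b in [0-9]*) sb=${b%%[!0-9]*} bn=1 ;; *) sb=${b%%[!A-Za-z]*} bn=0 ;; esac
    a=${a#"$sa"} b=${b#"$sb"}
    if [ "$an" != "$bn" ]; then
      # e.g. "220" against "el": the numeric side is the newer one.
      if [ "$an" = 1 ]; then printf '%s\n' 1; else printf '%s\n' -1; fi
      return
    fi
    if [ "$an" = 1 ]; then
      # Numeric run: strip leading zeros, then the longer run is the larger number.
      z=${sa%%[!0]*}; sa=${sa#"$z"}
      z=${sb%%[!0]*}; sb=${sb#"$z"}
      if [ ${#sa} -ne ${#sb} ]; then
        if [ ${#sa} -gt ${#sb} ]; then printf '%s\n' 1; else printf '%s\n' -1; fi
        return
      fi
    fi
    if [ "$sa" != "$sb" ]; then
      # Equal length (or alphabetic): bytewise order decides.
      first=$(printf '%s\n%s\n' "$sa" "$sb" | LC_ALL=C sort | head -n 1)
      if [ "$first" = "$sb" ]; then printf '%s\n' 1; else printf '%s\n' -1; fi
      return
    fi
  done
}

# True (exit 0) when the running kernel, as printed by uname -r, is older than
# the fixed build. RHEL appends the architecture to uname -r, so strip it;
# variant suffixes such as "el5xen" need no special handling because an extra
# trailing run only ever makes the running kernel compare as newer.
kernel_needs_update() {
  running=$1 fixed=$2
  case $running in
    *.i686|*.x86_64|*.ppc64|*.s390x|*.ia64) running=${running%.*} ;;
  esac
  [ "$(rpmvercmp "$running" "$fixed")" = -1 ]
}

# Map a uname -r string to the advisory on this page whose fixed build it still
# predates, or print "none". Only the two advisories above are known here.
affected_advisory() {
  case $1 in
    *.el6*) if kernel_needs_update "$1" "$FIXED_EL6"; then echo RHSA-2012:0350; return; fi ;;
    *.el5*) if kernel_needs_update "$1" "$FIXED_EL5"; then echo RHSA-2012:0358; return; fi ;;
  esac
  echo none
}

# Manual install as the advisories describe: check the Red Hat signature first,
# then rpm -ivh so the old kernel stays bootable (rpm -Uvh would remove it).
install_kernel_rpm() {
  rpm -K "$1" || { echo "signature check failed for $1" >&2; return 1; }
  rpm -ivh "$1"
}

# When run as a script, report which advisory the running kernel still needs.
echo "uname -r $(uname -r): $(affected_advisory "$(uname -r)")"
```

Run on a RHEL 6 or RHEL 5.6 EUS host it prints the advisory the running kernel still needs; anywhere else it prints none. The install helper is deliberately separate from the check: rpm -ivh leaves the previous kernel in place, and the advisories' advice to rpm -e it only once the new kernel has booted and run cleanly is what the -ivh/-Uvh distinction protects. Note that RHSA-2012:0358 covers only the 5.6 EUS z-stream (2.6.18-238.x), so a 5.7 or 5.8 kernel that compares newer than 2.6.18-238.35.1.el5 is simply outside this advisory's scope.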
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFPVlwUXlSAg2UNWIIRArbgAJ4nS24vqdMhzVidOIv5agZAbgtZ2ACgqSov
quQhiIgGEEc0llcwVVSof/c=
=Rcn6
-----END PGP SIGNATURE-----


From bugzilla at redhat.com  Tue Mar  6 18:49:59 2012
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 6 Mar 2012 18:49:59 +0000
Subject: [RHSA-2012:0359-01] Critical: flash-plugin security update
Message-ID: <201203061850.q26Io0ku018328@int-mx01.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: flash-plugin security update
Advisory ID:       RHSA-2012:0359-01
Product:           Red Hat Enterprise Linux Extras
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2012-0359.html
Issue date:        2012-03-06
CVE Names:         CVE-2012-0768 CVE-2012-0769
=====================================================================

1. Summary:

An updated Adobe Flash Player package that fixes two security issues is
now available for Red Hat Enterprise Linux 5 and 6 Supplementary.

The Red Hat Security Response Team has rated this update as having
critical security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64

3. Description:

The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in.

This update fixes two vulnerabilities in Adobe Flash Player. These
vulnerabilities are detailed on the Adobe security page APSB12-05, listed
in the References section.

A flaw was found in the way flash-plugin displayed certain SWF content. An
attacker could use this flaw to create a specially-crafted SWF file that
would cause flash-plugin to crash or, potentially, execute arbitrary code
when the victim loaded a page containing the specially-crafted SWF content.
(CVE-2012-0768)

A flaw in flash-plugin could allow an attacker to obtain sensitive
information if a victim were tricked into visiting a specially-crafted web
page. (CVE-2012-0769)

All users of Adobe Flash Player should install this updated package, which
upgrades Flash Player to version 10.3.183.16.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

800160 - CVE-2012-0768 flash-plugin: code execution flaw (APSB12-05)
800182 - CVE-2012-0769 flash-plugin: information disclosure flaw (APSB12-05)

6. Package List:

Red Hat Enterprise Linux Desktop Supplementary (v. 5):

i386:
flash-plugin-10.3.183.16-1.el5.i386.rpm

x86_64:
flash-plugin-10.3.183.16-1.el5.i386.rpm

Red Hat Enterprise Linux Server Supplementary (v. 5):

i386:
flash-plugin-10.3.183.16-1.el5.i386.rpm

x86_64:
flash-plugin-10.3.183.16-1.el5.i386.rpm

Red Hat Enterprise Linux Desktop Supplementary (v. 6):

i386:
flash-plugin-10.3.183.16-1.el6.i686.rpm

x86_64:
flash-plugin-10.3.183.16-1.el6.i686.rpm

Red Hat Enterprise Linux Server Supplementary (v. 6):

i386:
flash-plugin-10.3.183.16-1.el6.i686.rpm

x86_64:
flash-plugin-10.3.183.16-1.el6.i686.rpm

Red Hat Enterprise Linux Workstation Supplementary (v. 6):

i386:
flash-plugin-10.3.183.16-1.el6.i686.rpm

x86_64:
flash-plugin-10.3.183.16-1.el6.i686.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2012-0768.html
https://www.redhat.com/security/data/cve/CVE-2012-0769.html
https://access.redhat.com/security/updates/classification/#critical
http://www.adobe.com/support/security/bulletins/apsb12-05.html

8. Contact:

The Red Hat security contact is .  More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2012 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFPVlxDXlSAg2UNWIIRAsGIAKCQ4ukSxga3PZBs4a8dSOq0csTF4ACdHC3v
J2MTx2tXEjMEeOA8LWGPxaY=
=FiH1
-----END PGP SIGNATURE-----


From bugzilla at redhat.com  Wed Mar  7 14:35:23 2012
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 7 Mar 2012 14:35:23 +0000
Subject: [RHSA-2012:0369-01] Moderate: python-sqlalchemy security update
Message-ID: <201203071435.q27EZOaC004639@int-mx12.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: python-sqlalchemy security update
Advisory ID:       RHSA-2012:0369-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2012-0369.html
Issue date:        2012-03-07
CVE Names:         CVE-2012-0805
=====================================================================

1. Summary:

An updated python-sqlalchemy package that fixes one security issue is now
available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having
moderate security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Server (v. 6) - noarch
Red Hat Enterprise Linux Workstation (v. 6) - noarch

3. Description:

SQLAlchemy is an Object Relational Mapper (ORM) that provides a flexible,
high-level interface to SQL databases.

It was discovered that SQLAlchemy did not sanitize values for the limit
and offset keywords for SQL select statements. If an application using
SQLAlchemy accepted values for these keywords, and did not filter or
sanitize them before passing them to SQLAlchemy, it could allow an
attacker to perform an SQL injection attack against the application.
(CVE-2012-0805)

All users of python-sqlalchemy are advised to upgrade to this updated
package, which contains a patch to correct this issue. All running
applications using SQLAlchemy must be restarted for this update to take
effect.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

783305 - CVE-2012-0805 python-sqlalchemy: SQL injection flaw due to not checking LIMIT input for correct type

6. Package List:

Red Hat Enterprise Linux Server (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/python-sqlalchemy-0.5.5-3.el6_2.src.rpm

noarch:
python-sqlalchemy-0.5.5-3.el6_2.noarch.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/python-sqlalchemy-0.5.5-3.el6_2.src.rpm

noarch:
python-sqlalchemy-0.5.5-3.el6_2.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7.
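The application-side mitigation the python-sqlalchemy advisory above asks for ("filter or sanitize them before passing them to SQLAlchemy"), shown as an added example that is not part of the advisory and not SQLAlchemy's own code: untrusted limit/offset request values are accepted only as bounded unsigned decimal integers, and the query binds them as parameters rather than interpolating them. The `users` table, its rows, the `MAX_LIMIT` policy and the request-parameter shapes are all constructed for this example; the standard-library sqlite3 module stands in for the application's database.

```python
"""Validate untrusted LIMIT/OFFSET values before they reach a query.

Added example (not Red Hat's or SQLAlchemy's code).  Everything below that
names a table, a row or a policy limit is constructed for the example.
"""
import re
import sqlite3

MAX_LIMIT = 100        # assumed application policy: at most 100 rows per page
MAX_OFFSET = 10 ** 9   # assumed upper bound so offsets stay within int range

# Only a plain run of ASCII digits is accepted; no sign, no whitespace,
# no exponent, no Unicode digits, and no trailing SQL fragment.
_DIGITS = re.compile(r"[0-9]{1,10}")


class BadPagination(ValueError):
    """Raised when a limit/offset value is not a well-formed, in-range integer."""


def parse_page_param(raw, name, lo, hi):
    """Return `raw` as an int if it is a canonical decimal integer within [lo, hi].

    Accepts a str of digits or an int.  Everything else (None, floats, bools,
    strings such as "5 OR 1=1") is rejected, so only a canonical integer survives.
    """
    if isinstance(raw, bool):          # bool is an int subclass; reject it explicitly
        raise BadPagination(f"{name}: boolean is not a valid integer")
    if isinstance(raw, int):
        value = raw
    elif isinstance(raw, str) and _DIGITS.fullmatch(raw):
        value = int(raw)
    else:
        raise BadPagination(f"{name}: {raw!r} is not an unsigned decimal integer")
    if not lo <= value <= hi:
        raise BadPagination(f"{name}: {value} is outside [{lo}, {hi}]")
    return value


def validate_pagination(params):
    """Extract (limit, offset) from a request-like mapping, with safe defaults."""
    limit = parse_page_param(params.get("limit", 20), "limit", 1, MAX_LIMIT)
    offset = parse_page_param(params.get("offset", 0), "offset", 0, MAX_OFFSET)
    return limit, offset


def rejects(params):
    """True if validate_pagination refuses `params` (useful for tests and logging)."""
    try:
        validate_pagination(params)
    except BadPagination:
        return True
    return False


def query_page(conn, params):
    """Run a paginated query; LIMIT/OFFSET are bound as parameters, never interpolated."""
    limit, offset = validate_pagination(params)
    return conn.execute(
        "SELECT id, name FROM users ORDER BY id LIMIT ? OFFSET ?",
        (limit, offset),
    ).fetchall()


def demo_db():
    """Constructed in-memory database with ten sample rows (example data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [(i, f"user{i}") for i in range(1, 11)],
    )
    return conn


if __name__ == "__main__":
    db = demo_db()
    print(query_page(db, {"limit": "3", "offset": "2"}))   # rows 3, 4, 5
    for bad in ({"limit": "5 OR 1=1"}, {"limit": "101"}, {"offset": "-1"}):
        print(bad, "rejected:", rejects(bad))
```

Two design choices matter here. The validator is allow-list based (a regex for digits, then a range check) rather than trying to strip "bad" characters, so a value that would change the statement's meaning never becomes an integer at all. And the query still binds the validated numbers as parameters; validating the type is what closes the gap the advisory describes, but binding keeps the query correct even if a later refactor loosens the validator.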
References:

https://www.redhat.com/security/data/cve/CVE-2012-0805.html
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is .  More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2012 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFPV3HxXlSAg2UNWIIRArtJAKCrAMKqUNWWK49IvHBPzqI9dE9EmgCeP+pD
Pid9IBfgRRF5wes87heuHec=
=IJ1b
-----END PGP SIGNATURE-----


From bugzilla at redhat.com  Wed Mar  7 14:43:01 2012
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 7 Mar 2012 14:43:01 +0000
Subject: [RHSA-2012:0370-01] Important: xen security and bug fix update
Message-ID: <201203071443.q27Eh2la015592@int-mx09.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: xen security and bug fix update
Advisory ID:       RHSA-2012:0370-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2012-0370.html
Issue date:        2012-03-07
CVE Names:         CVE-2012-0029
=====================================================================

1. Summary:

Updated xen packages that fix one security issue and two bugs are now
available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having
important security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.

2. Relevant releases/architectures:

RHEL Desktop Multi OS (v. 5 client) - i386, x86_64
RHEL Virtualization (v. 5 server) - i386, ia64, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64

3. Description:

The xen packages contain administration tools and the xend service for
managing the kernel-xen kernel for virtualization on Red Hat Enterprise
Linux.

A heap overflow flaw was found in the way QEMU emulated the e1000 network
interface card. A privileged guest user in a virtual machine whose network
interface is configured to use the e1000 emulated driver could use this
flaw to crash QEMU or, possibly, escalate their privileges on the host.
(CVE-2012-0029)

Red Hat would like to thank Nicolae Mogoreanu for reporting this issue.

This update also fixes the following bugs:

* Adding support for jumbo frames introduced incorrect network device
expansion when a bridge is created. The expansion worked correctly with
the default configuration, but could have caused network setup failures
when a user-defined network script was used. This update changes the
expansion so network setup will not fail, even when a user-defined network
script is used. (BZ#797191)

* A bug was found in xenconsoled, the Xen hypervisor console daemon. If
timestamp logging for this daemon was enabled (using both the
XENCONSOLED_TIMESTAMP_HYPERVISOR_LOG and XENCONSOLED_TIMESTAMP_GUEST_LOG
options in "/etc/sysconfig/xend"), xenconsoled could crash if the guest
emitted a lot of information to its serial console in a short period of
time. Eventually, the guest would freeze after the console buffer was
filled due to the crashed xenconsoled. Timestamp logging is disabled by
default. (BZ#797836)

All xen users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. The system must be
rebooted for this update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

772075 - CVE-2012-0029 qemu: e1000: process_tx_desc legacy mode packets heap overflow
797191 - xen-network-common.sh scripting typo

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/xen-3.0.3-135.el5_8.2.src.rpm

i386:
xen-debuginfo-3.0.3-135.el5_8.2.i386.rpm
xen-libs-3.0.3-135.el5_8.2.i386.rpm

x86_64:
xen-debuginfo-3.0.3-135.el5_8.2.i386.rpm
xen-debuginfo-3.0.3-135.el5_8.2.x86_64.rpm
xen-libs-3.0.3-135.el5_8.2.i386.rpm
xen-libs-3.0.3-135.el5_8.2.x86_64.rpm

RHEL Desktop Multi OS (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/xen-3.0.3-135.el5_8.2.src.rpm

i386:
xen-3.0.3-135.el5_8.2.i386.rpm
xen-debuginfo-3.0.3-135.el5_8.2.i386.rpm
xen-devel-3.0.3-135.el5_8.2.i386.rpm

x86_64:
xen-3.0.3-135.el5_8.2.x86_64.rpm
xen-debuginfo-3.0.3-135.el5_8.2.i386.rpm
xen-debuginfo-3.0.3-135.el5_8.2.x86_64.rpm
xen-devel-3.0.3-135.el5_8.2.i386.rpm
xen-devel-3.0.3-135.el5_8.2.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/xen-3.0.3-135.el5_8.2.src.rpm

i386:
xen-debuginfo-3.0.3-135.el5_8.2.i386.rpm
xen-libs-3.0.3-135.el5_8.2.i386.rpm

ia64:
xen-debuginfo-3.0.3-135.el5_8.2.ia64.rpm
xen-libs-3.0.3-135.el5_8.2.ia64.rpm

x86_64:
xen-debuginfo-3.0.3-135.el5_8.2.i386.rpm
xen-debuginfo-3.0.3-135.el5_8.2.x86_64.rpm
xen-libs-3.0.3-135.el5_8.2.i386.rpm
xen-libs-3.0.3-135.el5_8.2.x86_64.rpm

RHEL Virtualization (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/xen-3.0.3-135.el5_8.2.src.rpm

i386:
xen-3.0.3-135.el5_8.2.i386.rpm
xen-debuginfo-3.0.3-135.el5_8.2.i386.rpm
xen-devel-3.0.3-135.el5_8.2.i386.rpm

ia64:
xen-3.0.3-135.el5_8.2.ia64.rpm
xen-debuginfo-3.0.3-135.el5_8.2.ia64.rpm
xen-devel-3.0.3-135.el5_8.2.ia64.rpm

x86_64:
xen-3.0.3-135.el5_8.2.x86_64.rpm
xen-debuginfo-3.0.3-135.el5_8.2.i386.rpm
xen-debuginfo-3.0.3-135.el5_8.2.x86_64.rpm
xen-devel-3.0.3-135.el5_8.2.i386.rpm
xen-devel-3.0.3-135.el5_8.2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2012-0029.html
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is .  More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2012 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFPV3OJXlSAg2UNWIIRAmW9AJ9fJNBoRl53OF0j7rYcIObn33DHJgCgsUJ8
5lwaUxxjnVeHwQo3Xj78Yjg=
=Qq2v
-----END PGP SIGNATURE-----


From bugzilla at redhat.com  Thu Mar  8 21:16:14 2012
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 8 Mar 2012 21:16:14 +0000
Subject: [RHSA-2012:0376-01] Moderate: systemtap security update
Message-ID: <201203082116.q28LGGh5005685@int-mx02.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: systemtap security update
Advisory ID:       RHSA-2012:0376-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2012-0376.html
Issue date:        2012-03-08
CVE Names:         CVE-2012-0875
=====================================================================

1. Summary:

Updated systemtap packages that fix one security issue are now available
for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having
moderate security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64

3. Description:

SystemTap is an instrumentation system for systems running the Linux
kernel. The system allows developers to write scripts to collect data on
the operation of the system.

An invalid pointer read flaw was found in the way SystemTap handled
malformed debugging information in DWARF format. When SystemTap
unprivileged mode was enabled, an unprivileged user in the stapusr group
could use this flaw to crash the system or, potentially, read arbitrary
kernel memory. Additionally, a privileged user (root, or a member of the
stapdev group) could trigger this flaw when tricked into instrumenting a
specially-crafted ELF binary, even when unprivileged mode was not enabled.
(CVE-2012-0875)

SystemTap users should upgrade to these updated packages, which contain a
backported patch to correct this issue.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

795913 - CVE-2012-0875 systemtap: kernel panic when processing malformed DWARF unwind data

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/systemtap-1.6-7.el5_8.src.rpm

i386:
systemtap-1.6-7.el5_8.i386.rpm
systemtap-debuginfo-1.6-7.el5_8.i386.rpm
systemtap-initscript-1.6-7.el5_8.i386.rpm
systemtap-runtime-1.6-7.el5_8.i386.rpm
systemtap-sdt-devel-1.6-7.el5_8.i386.rpm
systemtap-server-1.6-7.el5_8.i386.rpm
systemtap-testsuite-1.6-7.el5_8.i386.rpm

x86_64:
systemtap-1.6-7.el5_8.x86_64.rpm
systemtap-debuginfo-1.6-7.el5_8.i386.rpm
systemtap-debuginfo-1.6-7.el5_8.x86_64.rpm
systemtap-initscript-1.6-7.el5_8.x86_64.rpm
systemtap-runtime-1.6-7.el5_8.x86_64.rpm
systemtap-sdt-devel-1.6-7.el5_8.i386.rpm
systemtap-sdt-devel-1.6-7.el5_8.x86_64.rpm
systemtap-server-1.6-7.el5_8.x86_64.rpm
systemtap-testsuite-1.6-7.el5_8.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/systemtap-1.6-7.el5_8.src.rpm

i386:
systemtap-1.6-7.el5_8.i386.rpm
systemtap-debuginfo-1.6-7.el5_8.i386.rpm
systemtap-initscript-1.6-7.el5_8.i386.rpm
systemtap-runtime-1.6-7.el5_8.i386.rpm
systemtap-sdt-devel-1.6-7.el5_8.i386.rpm
systemtap-server-1.6-7.el5_8.i386.rpm
systemtap-testsuite-1.6-7.el5_8.i386.rpm

ia64:
systemtap-1.6-7.el5_8.ia64.rpm
systemtap-debuginfo-1.6-7.el5_8.ia64.rpm
systemtap-initscript-1.6-7.el5_8.ia64.rpm
systemtap-runtime-1.6-7.el5_8.ia64.rpm
systemtap-sdt-devel-1.6-7.el5_8.ia64.rpm
systemtap-server-1.6-7.el5_8.ia64.rpm
systemtap-testsuite-1.6-7.el5_8.ia64.rpm

ppc:
systemtap-1.6-7.el5_8.ppc64.rpm
systemtap-debuginfo-1.6-7.el5_8.ppc64.rpm
systemtap-initscript-1.6-7.el5_8.ppc64.rpm
systemtap-runtime-1.6-7.el5_8.ppc64.rpm
systemtap-sdt-devel-1.6-7.el5_8.ppc64.rpm
systemtap-server-1.6-7.el5_8.ppc64.rpm
systemtap-testsuite-1.6-7.el5_8.ppc64.rpm

s390x:
systemtap-1.6-7.el5_8.s390x.rpm
systemtap-debuginfo-1.6-7.el5_8.s390.rpm
systemtap-debuginfo-1.6-7.el5_8.s390x.rpm
systemtap-initscript-1.6-7.el5_8.s390x.rpm
systemtap-runtime-1.6-7.el5_8.s390x.rpm
systemtap-sdt-devel-1.6-7.el5_8.s390.rpm
systemtap-sdt-devel-1.6-7.el5_8.s390x.rpm
systemtap-server-1.6-7.el5_8.s390x.rpm
systemtap-testsuite-1.6-7.el5_8.s390x.rpm

x86_64:
systemtap-1.6-7.el5_8.x86_64.rpm
systemtap-debuginfo-1.6-7.el5_8.i386.rpm
systemtap-debuginfo-1.6-7.el5_8.x86_64.rpm
systemtap-initscript-1.6-7.el5_8.x86_64.rpm
systemtap-runtime-1.6-7.el5_8.x86_64.rpm
systemtap-sdt-devel-1.6-7.el5_8.i386.rpm
systemtap-sdt-devel-1.6-7.el5_8.x86_64.rpm
systemtap-server-1.6-7.el5_8.x86_64.rpm
systemtap-testsuite-1.6-7.el5_8.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/systemtap-1.6-5.el6_2.src.rpm

i386:
systemtap-1.6-5.el6_2.i686.rpm
systemtap-debuginfo-1.6-5.el6_2.i686.rpm
systemtap-grapher-1.6-5.el6_2.i686.rpm
systemtap-initscript-1.6-5.el6_2.i686.rpm
systemtap-runtime-1.6-5.el6_2.i686.rpm

x86_64:
systemtap-1.6-5.el6_2.x86_64.rpm
systemtap-debuginfo-1.6-5.el6_2.x86_64.rpm
systemtap-grapher-1.6-5.el6_2.x86_64.rpm
systemtap-initscript-1.6-5.el6_2.x86_64.rpm
systemtap-runtime-1.6-5.el6_2.x86_64.rpm

Red Hat Enterprise Linux Desktop Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/systemtap-1.6-5.el6_2.src.rpm

i386:
systemtap-debuginfo-1.6-5.el6_2.i686.rpm
systemtap-sdt-devel-1.6-5.el6_2.i686.rpm
systemtap-server-1.6-5.el6_2.i686.rpm
systemtap-testsuite-1.6-5.el6_2.i686.rpm

x86_64:
systemtap-debuginfo-1.6-5.el6_2.i686.rpm
systemtap-debuginfo-1.6-5.el6_2.x86_64.rpm
systemtap-sdt-devel-1.6-5.el6_2.i686.rpm
systemtap-sdt-devel-1.6-5.el6_2.x86_64.rpm
systemtap-server-1.6-5.el6_2.x86_64.rpm
systemtap-testsuite-1.6-5.el6_2.x86_64.rpm

Red Hat Enterprise Linux HPC Node (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/systemtap-1.6-5.el6_2.src.rpm

x86_64:
systemtap-1.6-5.el6_2.x86_64.rpm
systemtap-debuginfo-1.6-5.el6_2.x86_64.rpm
systemtap-initscript-1.6-5.el6_2.x86_64.rpm
systemtap-runtime-1.6-5.el6_2.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/systemtap-1.6-5.el6_2.src.rpm

x86_64:
systemtap-debuginfo-1.6-5.el6_2.i686.rpm
systemtap-debuginfo-1.6-5.el6_2.x86_64.rpm
systemtap-grapher-1.6-5.el6_2.x86_64.rpm
systemtap-sdt-devel-1.6-5.el6_2.i686.rpm
systemtap-sdt-devel-1.6-5.el6_2.x86_64.rpm
systemtap-server-1.6-5.el6_2.x86_64.rpm
systemtap-testsuite-1.6-5.el6_2.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/systemtap-1.6-5.el6_2.src.rpm

i386:
systemtap-1.6-5.el6_2.i686.rpm
systemtap-debuginfo-1.6-5.el6_2.i686.rpm
systemtap-grapher-1.6-5.el6_2.i686.rpm
systemtap-initscript-1.6-5.el6_2.i686.rpm
systemtap-runtime-1.6-5.el6_2.i686.rpm
systemtap-sdt-devel-1.6-5.el6_2.i686.rpm
systemtap-server-1.6-5.el6_2.i686.rpm

ppc64:
systemtap-1.6-5.el6_2.ppc64.rpm
systemtap-debuginfo-1.6-5.el6_2.ppc.rpm
systemtap-debuginfo-1.6-5.el6_2.ppc64.rpm
systemtap-grapher-1.6-5.el6_2.ppc64.rpm
systemtap-initscript-1.6-5.el6_2.ppc64.rpm
systemtap-runtime-1.6-5.el6_2.ppc64.rpm
systemtap-sdt-devel-1.6-5.el6_2.ppc.rpm
systemtap-sdt-devel-1.6-5.el6_2.ppc64.rpm
systemtap-server-1.6-5.el6_2.ppc64.rpm

s390x:
systemtap-1.6-5.el6_2.s390x.rpm
systemtap-debuginfo-1.6-5.el6_2.s390.rpm
systemtap-debuginfo-1.6-5.el6_2.s390x.rpm
systemtap-grapher-1.6-5.el6_2.s390x.rpm
systemtap-initscript-1.6-5.el6_2.s390x.rpm
systemtap-runtime-1.6-5.el6_2.s390x.rpm
systemtap-sdt-devel-1.6-5.el6_2.s390.rpm
systemtap-sdt-devel-1.6-5.el6_2.s390x.rpm
systemtap-server-1.6-5.el6_2.s390x.rpm

x86_64:
systemtap-1.6-5.el6_2.x86_64.rpm
systemtap-debuginfo-1.6-5.el6_2.i686.rpm
systemtap-debuginfo-1.6-5.el6_2.x86_64.rpm
systemtap-grapher-1.6-5.el6_2.x86_64.rpm
systemtap-initscript-1.6-5.el6_2.x86_64.rpm
systemtap-runtime-1.6-5.el6_2.x86_64.rpm
systemtap-sdt-devel-1.6-5.el6_2.i686.rpm
systemtap-sdt-devel-1.6-5.el6_2.x86_64.rpm
systemtap-server-1.6-5.el6_2.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/systemtap-1.6-5.el6_2.src.rpm

i386:
systemtap-debuginfo-1.6-5.el6_2.i686.rpm
systemtap-testsuite-1.6-5.el6_2.i686.rpm

ppc64:
systemtap-debuginfo-1.6-5.el6_2.ppc64.rpm
systemtap-testsuite-1.6-5.el6_2.ppc64.rpm

s390x:
systemtap-debuginfo-1.6-5.el6_2.s390x.rpm
systemtap-testsuite-1.6-5.el6_2.s390x.rpm

x86_64:
systemtap-debuginfo-1.6-5.el6_2.x86_64.rpm
systemtap-testsuite-1.6-5.el6_2.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/systemtap-1.6-5.el6_2.src.rpm

i386:
systemtap-1.6-5.el6_2.i686.rpm
systemtap-debuginfo-1.6-5.el6_2.i686.rpm
systemtap-grapher-1.6-5.el6_2.i686.rpm
systemtap-initscript-1.6-5.el6_2.i686.rpm
systemtap-runtime-1.6-5.el6_2.i686.rpm
systemtap-sdt-devel-1.6-5.el6_2.i686.rpm
systemtap-server-1.6-5.el6_2.i686.rpm

x86_64:
systemtap-1.6-5.el6_2.x86_64.rpm
systemtap-debuginfo-1.6-5.el6_2.i686.rpm
systemtap-debuginfo-1.6-5.el6_2.x86_64.rpm
systemtap-grapher-1.6-5.el6_2.x86_64.rpm
systemtap-initscript-1.6-5.el6_2.x86_64.rpm
systemtap-runtime-1.6-5.el6_2.x86_64.rpm
systemtap-sdt-devel-1.6-5.el6_2.i686.rpm
systemtap-sdt-devel-1.6-5.el6_2.x86_64.rpm
systemtap-server-1.6-5.el6_2.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/systemtap-1.6-5.el6_2.src.rpm

i386:
systemtap-debuginfo-1.6-5.el6_2.i686.rpm
systemtap-testsuite-1.6-5.el6_2.i686.rpm

x86_64:
systemtap-debuginfo-1.6-5.el6_2.x86_64.rpm
systemtap-testsuite-1.6-5.el6_2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2012-0875.html
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is .
More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2012 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFPWSGKXlSAg2UNWIIRAvFAAJwIXfxBUSPZQbu7tseyUmuzepisuQCdHQyF
MPx37nmQkLrkKdztSb19fYA=
=VgOA
-----END PGP SIGNATURE-----


From bugzilla at redhat.com  Wed Mar 14 07:44:31 2012
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 14 Mar 2012 07:44:31 +0000
Subject: [RHSA-2012:0387-01] Critical: firefox security and bug fix update
Message-ID: <201203140744.q2E7iV97024204@int-mx02.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: firefox security and bug fix update
Advisory ID:       RHSA-2012:0387-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2012-0387.html
Issue date:        2012-03-14
CVE Names:         CVE-2012-0451 CVE-2012-0455 CVE-2012-0456 CVE-2012-0457
                   CVE-2012-0458 CVE-2012-0459 CVE-2012-0460 CVE-2012-0461
                   CVE-2012-0462 CVE-2012-0464
=====================================================================

1. Summary:

Updated firefox packages that fix multiple security issues and three bugs
are now available for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having
critical security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64

3. Description:

Mozilla Firefox is an open source web browser.

Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Firefox to crash or,
potentially, execute arbitrary code with the privileges of the user
running Firefox. (CVE-2012-0461, CVE-2012-0462, CVE-2012-0464)

Two flaws were found in the way Firefox parsed certain Scalable Vector
Graphics (SVG) image files. A web page containing a malicious SVG image
file could cause an information leak, or cause Firefox to crash or,
potentially, execute arbitrary code with the privileges of the user
running Firefox. (CVE-2012-0456, CVE-2012-0457)

A flaw could allow a malicious site to bypass intended restrictions,
possibly leading to a cross-site scripting (XSS) attack if a user were
tricked into dropping a "javascript:" link onto a frame. (CVE-2012-0455)

It was found that the home page could be set to a "javascript:" link. If a
user were tricked into setting such a home page by dragging a link to the
home button, it could cause Firefox to repeatedly crash, eventually
leading to arbitrary code execution with the privileges of the user
running Firefox. (CVE-2012-0458)

A flaw was found in the way Firefox parsed certain web content containing
"cssText". A web page containing malicious content could cause Firefox to
crash or, potentially, execute arbitrary code with the privileges of the
user running Firefox. (CVE-2012-0459)

It was found that by using the DOM fullscreen API, untrusted content could
bypass the mozRequestFullscreen security protections. A web page
containing malicious web content could exploit this API flaw to cause user
interface spoofing. (CVE-2012-0460)

A flaw was found in the way Firefox handled pages with multiple Content
Security Policy (CSP) headers. This could lead to a cross-site scripting
attack if used in conjunction with a website that has a header injection
flaw. (CVE-2012-0451)

For technical details regarding these flaws, refer to the Mozilla security
advisories for Firefox 10.0.3 ESR. You can find a link to the Mozilla
advisories in the References section of this erratum.

This update also fixes the following bugs:

* When using the Traditional Chinese locale (zh-TW), a segmentation fault
sometimes occurred when closing Firefox. (BZ#729632)

* Inputting any text in the Web Console (Tools -> Web Developer -> Web
Console) caused Firefox to crash. (BZ#784048)

* The java-1.6.0-ibm-plugin and java-1.6.0-sun-plugin packages require the
"/usr/lib/mozilla/plugins/" directory on 32-bit systems, and the
"/usr/lib64/mozilla/plugins/" directory on 64-bit systems. These
directories are created by the xulrunner package; however, they were
missing from the xulrunner package provided by the RHEA-2012:0327 update.
Therefore, upgrading to RHEA-2012:0327 removed those directories, causing
dependency errors when attempting to install the java-1.6.0-ibm-plugin or
java-1.6.0-sun-plugin package. With this update, xulrunner once again
creates the plugins directory. This issue did not affect users of Red Hat
Enterprise Linux 6. (BZ#799042)

All Firefox users should upgrade to these updated packages, which contain
Firefox version 10.0.3 ESR, which corrects these issues. After installing
the update, Firefox must be restarted for the changes to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

729632 - Segfault on quit with Chinese locale [ @ gdk_display_close() ]
784048 - Typing into Web Console in Firefox causes crashing - gcc 4.4.3
799042 - not able to install java-plugin
803109 - CVE-2012-0461 CVE-2012-0462 CVE-2012-0464 Mozilla: Miscellaneous memory safety hazards (rv:11.0/ rv:10.0.3 / rv:1.9.2.28) (MFSA 2012-19)
803111 - CVE-2012-0460 Mozilla: window.fullScreen writeable by untrusted content (MFSA 2012-18)
803112 - CVE-2012-0459 Mozilla: Crash when accessing keyframe cssText after dynamic modification (MFSA 2012-17)
803113 - CVE-2012-0458 Mozilla: Escalation of privilege with Javascript: URL as home page (MFSA 2012-16)
803114 - CVE-2012-0451 Mozilla: XSS with multiple Content Security Policy headers (MFSA 2012-15)
803116 - CVE-2012-0456 CVE-2012-0457 Mozilla: SVG issues found with Address Sanitizer (MFSA 2012-14)
803119 - CVE-2012-0455 Mozilla: XSS with Drag and Drop and Javascript: URL (MFSA 2012-13)

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/firefox-10.0.3-1.el5_8.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/xulrunner-10.0.3-1.el5_8.src.rpm

i386:
firefox-10.0.3-1.el5_8.i386.rpm
firefox-debuginfo-10.0.3-1.el5_8.i386.rpm
xulrunner-10.0.3-1.el5_8.i386.rpm
xulrunner-debuginfo-10.0.3-1.el5_8.i386.rpm

x86_64:
firefox-10.0.3-1.el5_8.i386.rpm
firefox-10.0.3-1.el5_8.x86_64.rpm
firefox-debuginfo-10.0.3-1.el5_8.i386.rpm
firefox-debuginfo-10.0.3-1.el5_8.x86_64.rpm
xulrunner-10.0.3-1.el5_8.i386.rpm
xulrunner-10.0.3-1.el5_8.x86_64.rpm
xulrunner-debuginfo-10.0.3-1.el5_8.i386.rpm
xulrunner-debuginfo-10.0.3-1.el5_8.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/xulrunner-10.0.3-1.el5_8.src.rpm

i386:
xulrunner-debuginfo-10.0.3-1.el5_8.i386.rpm
xulrunner-devel-10.0.3-1.el5_8.i386.rpm

x86_64:
xulrunner-debuginfo-10.0.3-1.el5_8.i386.rpm
xulrunner-debuginfo-10.0.3-1.el5_8.x86_64.rpm
xulrunner-devel-10.0.3-1.el5_8.i386.rpm
xulrunner-devel-10.0.3-1.el5_8.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/firefox-10.0.3-1.el5_8.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/xulrunner-10.0.3-1.el5_8.src.rpm

i386:
firefox-10.0.3-1.el5_8.i386.rpm
firefox-debuginfo-10.0.3-1.el5_8.i386.rpm
xulrunner-10.0.3-1.el5_8.i386.rpm
xulrunner-debuginfo-10.0.3-1.el5_8.i386.rpm
xulrunner-devel-10.0.3-1.el5_8.i386.rpm

ia64:
firefox-10.0.3-1.el5_8.ia64.rpm
firefox-debuginfo-10.0.3-1.el5_8.ia64.rpm
xulrunner-10.0.3-1.el5_8.ia64.rpm
xulrunner-debuginfo-10.0.3-1.el5_8.ia64.rpm
xulrunner-devel-10.0.3-1.el5_8.ia64.rpm

ppc:
firefox-10.0.3-1.el5_8.ppc.rpm
firefox-debuginfo-10.0.3-1.el5_8.ppc.rpm
xulrunner-10.0.3-1.el5_8.ppc.rpm
xulrunner-10.0.3-1.el5_8.ppc64.rpm
xulrunner-debuginfo-10.0.3-1.el5_8.ppc.rpm
xulrunner-debuginfo-10.0.3-1.el5_8.ppc64.rpm
xulrunner-devel-10.0.3-1.el5_8.ppc.rpm
xulrunner-devel-10.0.3-1.el5_8.ppc64.rpm

s390x:
firefox-10.0.3-1.el5_8.s390.rpm
firefox-10.0.3-1.el5_8.s390x.rpm
firefox-debuginfo-10.0.3-1.el5_8.s390.rpm
firefox-debuginfo-10.0.3-1.el5_8.s390x.rpm
xulrunner-10.0.3-1.el5_8.s390.rpm
xulrunner-10.0.3-1.el5_8.s390x.rpm
xulrunner-debuginfo-10.0.3-1.el5_8.s390.rpm
xulrunner-debuginfo-10.0.3-1.el5_8.s390x.rpm
xulrunner-devel-10.0.3-1.el5_8.s390.rpm
xulrunner-devel-10.0.3-1.el5_8.s390x.rpm

x86_64:
firefox-10.0.3-1.el5_8.i386.rpm
firefox-10.0.3-1.el5_8.x86_64.rpm
firefox-debuginfo-10.0.3-1.el5_8.i386.rpm
firefox-debuginfo-10.0.3-1.el5_8.x86_64.rpm
xulrunner-10.0.3-1.el5_8.i386.rpm
xulrunner-10.0.3-1.el5_8.x86_64.rpm
xulrunner-debuginfo-10.0.3-1.el5_8.i386.rpm
xulrunner-debuginfo-10.0.3-1.el5_8.x86_64.rpm
xulrunner-devel-10.0.3-1.el5_8.i386.rpm
xulrunner-devel-10.0.3-1.el5_8.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/firefox-10.0.3-1.el6_2.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/xulrunner-10.0.3-1.el6_2.src.rpm

i386:
firefox-10.0.3-1.el6_2.i686.rpm
firefox-debuginfo-10.0.3-1.el6_2.i686.rpm
xulrunner-10.0.3-1.el6_2.i686.rpm
xulrunner-debuginfo-10.0.3-1.el6_2.i686.rpm

x86_64:
firefox-10.0.3-1.el6_2.i686.rpm
firefox-10.0.3-1.el6_2.x86_64.rpm
firefox-debuginfo-10.0.3-1.el6_2.i686.rpm
firefox-debuginfo-10.0.3-1.el6_2.x86_64.rpm
xulrunner-10.0.3-1.el6_2.i686.rpm
xulrunner-10.0.3-1.el6_2.x86_64.rpm
xulrunner-debuginfo-10.0.3-1.el6_2.i686.rpm
xulrunner-debuginfo-10.0.3-1.el6_2.x86_64.rpm

Red Hat Enterprise Linux Desktop Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/xulrunner-10.0.3-1.el6_2.src.rpm

i386:
xulrunner-debuginfo-10.0.3-1.el6_2.i686.rpm
xulrunner-devel-10.0.3-1.el6_2.i686.rpm

x86_64:
xulrunner-debuginfo-10.0.3-1.el6_2.i686.rpm
xulrunner-debuginfo-10.0.3-1.el6_2.x86_64.rpm
xulrunner-devel-10.0.3-1.el6_2.i686.rpm
xulrunner-devel-10.0.3-1.el6_2.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional (v.
6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/firefox-10.0.3-1.el6_2.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/xulrunner-10.0.3-1.el6_2.src.rpm x86_64: firefox-10.0.3-1.el6_2.i686.rpm firefox-10.0.3-1.el6_2.x86_64.rpm firefox-debuginfo-10.0.3-1.el6_2.i686.rpm firefox-debuginfo-10.0.3-1.el6_2.x86_64.rpm xulrunner-10.0.3-1.el6_2.i686.rpm xulrunner-10.0.3-1.el6_2.x86_64.rpm xulrunner-debuginfo-10.0.3-1.el6_2.i686.rpm xulrunner-debuginfo-10.0.3-1.el6_2.x86_64.rpm xulrunner-devel-10.0.3-1.el6_2.i686.rpm xulrunner-devel-10.0.3-1.el6_2.x86_64.rpm Red Hat Enterprise Linux Server (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/firefox-10.0.3-1.el6_2.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/xulrunner-10.0.3-1.el6_2.src.rpm i386: firefox-10.0.3-1.el6_2.i686.rpm firefox-debuginfo-10.0.3-1.el6_2.i686.rpm xulrunner-10.0.3-1.el6_2.i686.rpm xulrunner-debuginfo-10.0.3-1.el6_2.i686.rpm ppc64: firefox-10.0.3-1.el6_2.ppc.rpm firefox-10.0.3-1.el6_2.ppc64.rpm firefox-debuginfo-10.0.3-1.el6_2.ppc.rpm firefox-debuginfo-10.0.3-1.el6_2.ppc64.rpm xulrunner-10.0.3-1.el6_2.ppc.rpm xulrunner-10.0.3-1.el6_2.ppc64.rpm xulrunner-debuginfo-10.0.3-1.el6_2.ppc.rpm xulrunner-debuginfo-10.0.3-1.el6_2.ppc64.rpm s390x: firefox-10.0.3-1.el6_2.s390.rpm firefox-10.0.3-1.el6_2.s390x.rpm firefox-debuginfo-10.0.3-1.el6_2.s390.rpm firefox-debuginfo-10.0.3-1.el6_2.s390x.rpm xulrunner-10.0.3-1.el6_2.s390.rpm xulrunner-10.0.3-1.el6_2.s390x.rpm xulrunner-debuginfo-10.0.3-1.el6_2.s390.rpm xulrunner-debuginfo-10.0.3-1.el6_2.s390x.rpm x86_64: firefox-10.0.3-1.el6_2.i686.rpm firefox-10.0.3-1.el6_2.x86_64.rpm firefox-debuginfo-10.0.3-1.el6_2.i686.rpm firefox-debuginfo-10.0.3-1.el6_2.x86_64.rpm xulrunner-10.0.3-1.el6_2.i686.rpm xulrunner-10.0.3-1.el6_2.x86_64.rpm xulrunner-debuginfo-10.0.3-1.el6_2.i686.rpm xulrunner-debuginfo-10.0.3-1.el6_2.x86_64.rpm Red Hat Enterprise 
Linux Server Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/xulrunner-10.0.3-1.el6_2.src.rpm i386: xulrunner-debuginfo-10.0.3-1.el6_2.i686.rpm xulrunner-devel-10.0.3-1.el6_2.i686.rpm ppc64: xulrunner-debuginfo-10.0.3-1.el6_2.ppc.rpm xulrunner-debuginfo-10.0.3-1.el6_2.ppc64.rpm xulrunner-devel-10.0.3-1.el6_2.ppc.rpm xulrunner-devel-10.0.3-1.el6_2.ppc64.rpm s390x: xulrunner-debuginfo-10.0.3-1.el6_2.s390.rpm xulrunner-debuginfo-10.0.3-1.el6_2.s390x.rpm xulrunner-devel-10.0.3-1.el6_2.s390.rpm xulrunner-devel-10.0.3-1.el6_2.s390x.rpm x86_64: xulrunner-debuginfo-10.0.3-1.el6_2.i686.rpm xulrunner-debuginfo-10.0.3-1.el6_2.x86_64.rpm xulrunner-devel-10.0.3-1.el6_2.i686.rpm xulrunner-devel-10.0.3-1.el6_2.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/firefox-10.0.3-1.el6_2.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/xulrunner-10.0.3-1.el6_2.src.rpm i386: firefox-10.0.3-1.el6_2.i686.rpm firefox-debuginfo-10.0.3-1.el6_2.i686.rpm xulrunner-10.0.3-1.el6_2.i686.rpm xulrunner-debuginfo-10.0.3-1.el6_2.i686.rpm x86_64: firefox-10.0.3-1.el6_2.i686.rpm firefox-10.0.3-1.el6_2.x86_64.rpm firefox-debuginfo-10.0.3-1.el6_2.i686.rpm firefox-debuginfo-10.0.3-1.el6_2.x86_64.rpm xulrunner-10.0.3-1.el6_2.i686.rpm xulrunner-10.0.3-1.el6_2.x86_64.rpm xulrunner-debuginfo-10.0.3-1.el6_2.i686.rpm xulrunner-debuginfo-10.0.3-1.el6_2.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/xulrunner-10.0.3-1.el6_2.src.rpm i386: xulrunner-debuginfo-10.0.3-1.el6_2.i686.rpm xulrunner-devel-10.0.3-1.el6_2.i686.rpm x86_64: xulrunner-debuginfo-10.0.3-1.el6_2.i686.rpm xulrunner-debuginfo-10.0.3-1.el6_2.x86_64.rpm xulrunner-devel-10.0.3-1.el6_2.i686.rpm xulrunner-devel-10.0.3-1.el6_2.x86_64.rpm These packages are GPG signed by Red Hat for security. 
Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2012-0451.html https://www.redhat.com/security/data/cve/CVE-2012-0455.html https://www.redhat.com/security/data/cve/CVE-2012-0456.html https://www.redhat.com/security/data/cve/CVE-2012-0457.html https://www.redhat.com/security/data/cve/CVE-2012-0458.html https://www.redhat.com/security/data/cve/CVE-2012-0459.html https://www.redhat.com/security/data/cve/CVE-2012-0460.html https://www.redhat.com/security/data/cve/CVE-2012-0461.html https://www.redhat.com/security/data/cve/CVE-2012-0462.html https://www.redhat.com/security/data/cve/CVE-2012-0464.html https://access.redhat.com/security/updates/classification/#critical https://rhn.redhat.com/errata/RHEA-2012-0327.html http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2012 Red Hat, Inc. 
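The CSP flaw above (CVE-2012-0451), and the identical passage in the Thunderbird advisory that follows, needs a second precondition on the web site's side: a header injection flaw. The Python below is an added example (not Red Hat's or Mozilla's code) of the two server-side checks a defender would want for that precondition: rejecting CR/LF in reflected header values before they reach a response, and auditing a response head for repeated Content-Security-Policy headers or a policy whose effective script sources allow 'unsafe-inline'. The sample response and parameter value are constructed.

```python
import re

CSP_HEADER = "content-security-policy"


class HeaderInjection(ValueError):
    """Raised when a value would terminate the current header line."""


def safe_header_value(value: str) -> str:
    """Return value unchanged, or raise if it holds CR, LF or NUL.

    A CR/LF in a reflected header value (a Location built from a query
    parameter, say) lets the rest of the input start new header lines, such
    as a second Content-Security-Policy; rejecting it removes the
    header-injection precondition the advisory names for CVE-2012-0451."""
    if re.search(r"[\r\n\x00]", value):
        raise HeaderInjection(f"control character in header value: {value!r}")
    return value


def parse_raw_headers(raw: str) -> list[tuple[str, str]]:
    """Split a raw HTTP response head into (lower-cased name, value) pairs.
    Duplicates are kept, in order, so a repeated header stays visible."""
    lines = raw.split("\r\n")
    if lines and lines[0].startswith("HTTP/"):
        lines = lines[1:]  # drop the status line
    pairs = []
    for line in lines:
        if not line:
            break  # the empty line ends the head
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def script_sources(policy: str) -> list[str]:
    """Return the source list that governs scripts in one policy string:
    script-src when present, otherwise default-src (which covers scripts)."""
    directives: dict[str, list[str]] = {}
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives.get("script-src", directives.get("default-src", []))


def audit_csp(headers: list[tuple[str, str]]) -> list[str]:
    """Return findings about the Content-Security-Policy headers of a response.

    More than one CSP header is flagged: two code paths, or an injected line,
    are setting policy, which is the situation CVE-2012-0451 concerned. A
    policy whose effective script sources allow 'unsafe-inline' is flagged
    because it gives no protection against injected script."""
    policies = [value for name, value in headers if name == CSP_HEADER]
    findings = []
    if len(policies) > 1:
        findings.append(f"{len(policies)} Content-Security-Policy headers in one response")
    for policy in policies:
        if "'unsafe-inline'" in script_sources(policy):
            findings.append(f"policy permits inline script: {policy}")
    return findings


# Constructed sample, not a captured response: the Location header reflected
# a query parameter unchecked, so a CR/LF in that parameter appended a second,
# permissive Content-Security-Policy line.
INJECTED_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "Location: /home?lang=en\r\n"
    "Content-Security-Policy: default-src * 'unsafe-inline'\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# The reflected parameter value as it arrived (constructed).
REFLECTED_PARAM = "en\r\nContent-Security-Policy: default-src * 'unsafe-inline'"


def demo() -> tuple[list[str], bool]:
    """Run both checks on the constructed sample: the audit findings, and
    whether the reflected value would have been rejected before use."""
    findings = audit_csp(parse_raw_headers(INJECTED_RESPONSE))
    try:
        safe_header_value(REFLECTED_PARAM)
        rejected = False
    except HeaderInjection:
        rejected = True
    return findings, rejected


if __name__ == "__main__":
    found, was_rejected = demo()
    print("\n".join(f"finding: {f}" for f in found))
    print("reflected value rejected before use:", was_rejected)
```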
From bugzilla at redhat.com Wed Mar 14 07:45:04 2012
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 14 Mar 2012 07:45:04 +0000
Subject: [RHSA-2012:0388-01] Critical: thunderbird security update
Message-ID: <201203140745.q2E7j50K005858@int-mx12.intmail.prod.int.phx2.redhat.com>

=====================================================================
Red Hat Security Advisory

Synopsis: Critical: thunderbird security update
Advisory ID: RHSA-2012:0388-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-0388.html
Issue date: 2012-03-14
CVE Names: CVE-2012-0451 CVE-2012-0455 CVE-2012-0456 CVE-2012-0457
           CVE-2012-0458 CVE-2012-0459 CVE-2012-0460 CVE-2012-0461
           CVE-2012-0462 CVE-2012-0464
=====================================================================

1. Summary:

An updated thunderbird package that fixes multiple security issues is now
available for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

2. Relevant releases/architectures:

RHEL Optional Productivity Applications (v. 5 server) - i386, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

Several flaws were found in the processing of malformed content. Malicious
content could cause Thunderbird to crash or, potentially, execute arbitrary
code with the privileges of the user running Thunderbird. (CVE-2012-0461,
CVE-2012-0462, CVE-2012-0464)

Two flaws were found in the way Thunderbird parsed certain Scalable Vector
Graphics (SVG) image files. An HTML mail message containing a malicious SVG
image file could cause an information leak, or cause Thunderbird to crash
or, potentially, execute arbitrary code with the privileges of the user
running Thunderbird. (CVE-2012-0456, CVE-2012-0457)

A flaw could allow malicious content to bypass intended restrictions,
possibly leading to a cross-site scripting (XSS) attack if a user were
tricked into dropping a "javascript:" link onto a frame. (CVE-2012-0455)

It was found that the home page could be set to a "javascript:" link. If a
user were tricked into setting such a home page by dragging a link to the
home button, it could cause Firefox to repeatedly crash, eventually leading
to arbitrary code execution with the privileges of the user running
Firefox. A similar flaw was found and fixed in Thunderbird. (CVE-2012-0458)

A flaw was found in the way Thunderbird parsed certain, remote content
containing "cssText". Malicious, remote content could cause Thunderbird to
crash or, potentially, execute arbitrary code with the privileges of the
user running Thunderbird. (CVE-2012-0459)

It was found that by using the DOM fullscreen API, untrusted content could
bypass the mozRequestFullscreen security protections. Malicious content
could exploit this API flaw to cause user interface spoofing.
(CVE-2012-0460)

A flaw was found in the way Thunderbird handled content with multiple
Content Security Policy (CSP) headers. This could lead to a cross-site
scripting attack if used in conjunction with a website that has a header
injection flaw. (CVE-2012-0451)

Note: All issues except CVE-2012-0456 and CVE-2012-0457 cannot be exploited
by a specially-crafted HTML mail message as JavaScript is disabled by
default for mail messages. They could be exploited another way in
Thunderbird, for example, when viewing the full remote content of an RSS
feed.

All Thunderbird users should upgrade to this updated package, which
contains Thunderbird version 10.0.3 ESR and corrects these issues. After
installing the update, Thunderbird must be restarted for the changes to
take effect.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

803109 - CVE-2012-0461 CVE-2012-0462 CVE-2012-0464 Mozilla: Miscellaneous memory safety hazards (rv:11.0/ rv:10.0.3 / rv:1.9.2.28) (MFSA 2012-19)
803111 - CVE-2012-0460 Mozilla: window.fullScreen writeable by untrusted content (MFSA 2012-18)
803112 - CVE-2012-0459 Mozilla: Crash when accessing keyframe cssText after dynamic modification (MFSA 2012-17)
803113 - CVE-2012-0458 Mozilla: Escalation of privilege with Javascript: URL as home page (MFSA 2012-16)
803114 - CVE-2012-0451 Mozilla: XSS with multiple Content Security Policy headers (MFSA 2012-15)
803116 - CVE-2012-0456 CVE-2012-0457 Mozilla: SVG issues found with Address Sanitizer (MFSA 2012-14)
803119 - CVE-2012-0455 Mozilla: XSS with Drag and Drop and Javascript: URL (MFSA 2012-13)

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/thunderbird-10.0.3-1.el5_8.src.rpm

i386:
thunderbird-10.0.3-1.el5_8.i386.rpm
thunderbird-debuginfo-10.0.3-1.el5_8.i386.rpm

x86_64:
thunderbird-10.0.3-1.el5_8.x86_64.rpm
thunderbird-debuginfo-10.0.3-1.el5_8.x86_64.rpm

RHEL Optional Productivity Applications (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/thunderbird-10.0.3-1.el5_8.src.rpm

i386:
thunderbird-10.0.3-1.el5_8.i386.rpm
thunderbird-debuginfo-10.0.3-1.el5_8.i386.rpm

x86_64:
thunderbird-10.0.3-1.el5_8.x86_64.rpm
thunderbird-debuginfo-10.0.3-1.el5_8.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/thunderbird-10.0.3-1.el6_2.src.rpm

i386:
thunderbird-10.0.3-1.el6_2.i686.rpm
thunderbird-debuginfo-10.0.3-1.el6_2.i686.rpm

x86_64:
thunderbird-10.0.3-1.el6_2.x86_64.rpm
thunderbird-debuginfo-10.0.3-1.el6_2.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/thunderbird-10.0.3-1.el6_2.src.rpm

i386:
thunderbird-10.0.3-1.el6_2.i686.rpm
thunderbird-debuginfo-10.0.3-1.el6_2.i686.rpm

ppc64:
thunderbird-10.0.3-1.el6_2.ppc64.rpm
thunderbird-debuginfo-10.0.3-1.el6_2.ppc64.rpm

s390x:
thunderbird-10.0.3-1.el6_2.s390x.rpm
thunderbird-debuginfo-10.0.3-1.el6_2.s390x.rpm

x86_64:
thunderbird-10.0.3-1.el6_2.x86_64.rpm
thunderbird-debuginfo-10.0.3-1.el6_2.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/thunderbird-10.0.3-1.el6_2.src.rpm

i386:
thunderbird-10.0.3-1.el6_2.i686.rpm
thunderbird-debuginfo-10.0.3-1.el6_2.i686.rpm

x86_64:
thunderbird-10.0.3-1.el6_2.x86_64.rpm
thunderbird-debuginfo-10.0.3-1.el6_2.x86_64.rpm

These packages are GPG signed by Red Hat for security.
Our key and details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2012-0451.html
https://www.redhat.com/security/data/cve/CVE-2012-0455.html
https://www.redhat.com/security/data/cve/CVE-2012-0456.html
https://www.redhat.com/security/data/cve/CVE-2012-0457.html
https://www.redhat.com/security/data/cve/CVE-2012-0458.html
https://www.redhat.com/security/data/cve/CVE-2012-0459.html
https://www.redhat.com/security/data/cve/CVE-2012-0460.html
https://www.redhat.com/security/data/cve/CVE-2012-0461.html
https://www.redhat.com/security/data/cve/CVE-2012-0462.html
https://www.redhat.com/security/data/cve/CVE-2012-0464.html
https://access.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2012 Red Hat, Inc.

From bugzilla at redhat.com Thu Mar 15 16:39:16 2012
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 15 Mar 2012 16:39:16 +0000
Subject: [RHSA-2012:0393-01] Moderate: glibc security and bug fix update
Message-ID: <201203151639.q2FGdHUB028639@int-mx01.intmail.prod.int.phx2.redhat.com>

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: glibc security and bug fix update
Advisory ID: RHSA-2012:0393-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-0393.html
Issue date: 2012-03-15
CVE Names: CVE-2012-0864
=====================================================================

1. Summary:

Updated glibc packages that fix one security issue and three bugs are now
available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64

3. Description:

The glibc packages provide the standard C and standard math libraries used
by multiple programs on the system. Without these libraries, the Linux
system cannot function correctly.

An integer overflow flaw was found in the implementation of the printf
functions family. This could allow an attacker to bypass FORTIFY_SOURCE
protections and execute arbitrary code using a format string flaw in an
application, even though these protections are expected to limit the impact
of such flaws to an application abort. (CVE-2012-0864)

This update also fixes the following bugs:

* Previously, the dynamic loader generated an incorrect ordering for
initialization according to the ELF specification. This could result in
incorrect ordering of DSO constructors and destructors. With this update,
dependency resolution has been fixed. (BZ#783999)

* Previously, locking of the main malloc arena was incorrect in the retry
path. This could result in a deadlock if an sbrk request failed. With this
update, locking of the main arena in the retry path has been fixed. This
issue was exposed by a bug fix provided in the RHSA-2012:0058 update.
(BZ#795328)

* Calling memcpy with overlapping arguments on certain processors would
generate unexpected results. While such code is a clear violation of
ANSI/ISO standards, this update restores prior memcpy behavior. (BZ#799259)

All users of glibc are advised to upgrade to these updated packages, which
contain patches to resolve these issues.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

794766 - CVE-2012-0864 glibc: FORTIFY_SOURCE format string protection bypass via "nargs" integer overflow
799259 - Change in memcpy behavior for overlapping arguments breaks existing applications

6. Package List:

Red Hat Enterprise Linux Desktop (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/glibc-2.12-1.47.el6_2.9.src.rpm

i386:
glibc-2.12-1.47.el6_2.9.i686.rpm
glibc-common-2.12-1.47.el6_2.9.i686.rpm
glibc-debuginfo-2.12-1.47.el6_2.9.i686.rpm
glibc-debuginfo-common-2.12-1.47.el6_2.9.i686.rpm
glibc-devel-2.12-1.47.el6_2.9.i686.rpm
glibc-headers-2.12-1.47.el6_2.9.i686.rpm
glibc-utils-2.12-1.47.el6_2.9.i686.rpm
nscd-2.12-1.47.el6_2.9.i686.rpm

x86_64:
glibc-2.12-1.47.el6_2.9.i686.rpm
glibc-2.12-1.47.el6_2.9.x86_64.rpm
glibc-common-2.12-1.47.el6_2.9.x86_64.rpm
glibc-debuginfo-2.12-1.47.el6_2.9.i686.rpm
glibc-debuginfo-2.12-1.47.el6_2.9.x86_64.rpm
glibc-debuginfo-common-2.12-1.47.el6_2.9.i686.rpm
glibc-debuginfo-common-2.12-1.47.el6_2.9.x86_64.rpm
glibc-devel-2.12-1.47.el6_2.9.i686.rpm
glibc-devel-2.12-1.47.el6_2.9.x86_64.rpm
glibc-headers-2.12-1.47.el6_2.9.x86_64.rpm
glibc-utils-2.12-1.47.el6_2.9.x86_64.rpm
nscd-2.12-1.47.el6_2.9.x86_64.rpm

Red Hat Enterprise Linux Desktop Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/glibc-2.12-1.47.el6_2.9.src.rpm

i386:
glibc-debuginfo-2.12-1.47.el6_2.9.i686.rpm
glibc-debuginfo-common-2.12-1.47.el6_2.9.i686.rpm
glibc-static-2.12-1.47.el6_2.9.i686.rpm

x86_64:
glibc-debuginfo-2.12-1.47.el6_2.9.i686.rpm
glibc-debuginfo-2.12-1.47.el6_2.9.x86_64.rpm
glibc-debuginfo-common-2.12-1.47.el6_2.9.i686.rpm
glibc-debuginfo-common-2.12-1.47.el6_2.9.x86_64.rpm
glibc-static-2.12-1.47.el6_2.9.i686.rpm
glibc-static-2.12-1.47.el6_2.9.x86_64.rpm

Red Hat Enterprise Linux HPC Node (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/glibc-2.12-1.47.el6_2.9.src.rpm

x86_64:
glibc-2.12-1.47.el6_2.9.i686.rpm
glibc-2.12-1.47.el6_2.9.x86_64.rpm
glibc-common-2.12-1.47.el6_2.9.x86_64.rpm
glibc-debuginfo-2.12-1.47.el6_2.9.i686.rpm
glibc-debuginfo-2.12-1.47.el6_2.9.x86_64.rpm
glibc-debuginfo-common-2.12-1.47.el6_2.9.i686.rpm
glibc-debuginfo-common-2.12-1.47.el6_2.9.x86_64.rpm
glibc-devel-2.12-1.47.el6_2.9.i686.rpm
glibc-devel-2.12-1.47.el6_2.9.x86_64.rpm
glibc-headers-2.12-1.47.el6_2.9.x86_64.rpm
glibc-utils-2.12-1.47.el6_2.9.x86_64.rpm
nscd-2.12-1.47.el6_2.9.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/glibc-2.12-1.47.el6_2.9.src.rpm

x86_64:
glibc-debuginfo-2.12-1.47.el6_2.9.i686.rpm
glibc-debuginfo-2.12-1.47.el6_2.9.x86_64.rpm
glibc-debuginfo-common-2.12-1.47.el6_2.9.i686.rpm
glibc-debuginfo-common-2.12-1.47.el6_2.9.x86_64.rpm
glibc-static-2.12-1.47.el6_2.9.i686.rpm
glibc-static-2.12-1.47.el6_2.9.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/glibc-2.12-1.47.el6_2.9.src.rpm

i386:
glibc-2.12-1.47.el6_2.9.i686.rpm
glibc-common-2.12-1.47.el6_2.9.i686.rpm
glibc-debuginfo-2.12-1.47.el6_2.9.i686.rpm
glibc-debuginfo-common-2.12-1.47.el6_2.9.i686.rpm
glibc-devel-2.12-1.47.el6_2.9.i686.rpm
glibc-headers-2.12-1.47.el6_2.9.i686.rpm
glibc-utils-2.12-1.47.el6_2.9.i686.rpm
nscd-2.12-1.47.el6_2.9.i686.rpm

ppc64:
glibc-2.12-1.47.el6_2.9.ppc.rpm
glibc-2.12-1.47.el6_2.9.ppc64.rpm
glibc-common-2.12-1.47.el6_2.9.ppc64.rpm
glibc-debuginfo-2.12-1.47.el6_2.9.ppc.rpm
glibc-debuginfo-2.12-1.47.el6_2.9.ppc64.rpm
glibc-debuginfo-common-2.12-1.47.el6_2.9.ppc.rpm
glibc-debuginfo-common-2.12-1.47.el6_2.9.ppc64.rpm
glibc-devel-2.12-1.47.el6_2.9.ppc.rpm
glibc-devel-2.12-1.47.el6_2.9.ppc64.rpm
glibc-headers-2.12-1.47.el6_2.9.ppc64.rpm
glibc-utils-2.12-1.47.el6_2.9.ppc64.rpm
nscd-2.12-1.47.el6_2.9.ppc64.rpm

s390x:
glibc-2.12-1.47.el6_2.9.s390.rpm
glibc-2.12-1.47.el6_2.9.s390x.rpm
glibc-common-2.12-1.47.el6_2.9.s390x.rpm
glibc-debuginfo-2.12-1.47.el6_2.9.s390.rpm
glibc-debuginfo-2.12-1.47.el6_2.9.s390x.rpm
glibc-debuginfo-common-2.12-1.47.el6_2.9.s390.rpm
glibc-debuginfo-common-2.12-1.47.el6_2.9.s390x.rpm
glibc-devel-2.12-1.47.el6_2.9.s390.rpm
glibc-devel-2.12-1.47.el6_2.9.s390x.rpm
glibc-headers-2.12-1.47.el6_2.9.s390x.rpm
glibc-utils-2.12-1.47.el6_2.9.s390x.rpm
nscd-2.12-1.47.el6_2.9.s390x.rpm

x86_64:
glibc-2.12-1.47.el6_2.9.i686.rpm
glibc-2.12-1.47.el6_2.9.x86_64.rpm
glibc-common-2.12-1.47.el6_2.9.x86_64.rpm
glibc-debuginfo-2.12-1.47.el6_2.9.i686.rpm
glibc-debuginfo-2.12-1.47.el6_2.9.x86_64.rpm
glibc-debuginfo-common-2.12-1.47.el6_2.9.i686.rpm
glibc-debuginfo-common-2.12-1.47.el6_2.9.x86_64.rpm
glibc-devel-2.12-1.47.el6_2.9.i686.rpm
glibc-devel-2.12-1.47.el6_2.9.x86_64.rpm
glibc-headers-2.12-1.47.el6_2.9.x86_64.rpm
glibc-utils-2.12-1.47.el6_2.9.x86_64.rpm
nscd-2.12-1.47.el6_2.9.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/glibc-2.12-1.47.el6_2.9.src.rpm

i386:
glibc-debuginfo-2.12-1.47.el6_2.9.i686.rpm
glibc-debuginfo-common-2.12-1.47.el6_2.9.i686.rpm
glibc-static-2.12-1.47.el6_2.9.i686.rpm

ppc64:
glibc-debuginfo-2.12-1.47.el6_2.9.ppc.rpm
glibc-debuginfo-2.12-1.47.el6_2.9.ppc64.rpm
glibc-debuginfo-common-2.12-1.47.el6_2.9.ppc.rpm
glibc-debuginfo-common-2.12-1.47.el6_2.9.ppc64.rpm
glibc-static-2.12-1.47.el6_2.9.ppc.rpm
glibc-static-2.12-1.47.el6_2.9.ppc64.rpm

s390x:
glibc-debuginfo-2.12-1.47.el6_2.9.s390.rpm
glibc-debuginfo-2.12-1.47.el6_2.9.s390x.rpm
glibc-debuginfo-common-2.12-1.47.el6_2.9.s390.rpm
glibc-debuginfo-common-2.12-1.47.el6_2.9.s390x.rpm
glibc-static-2.12-1.47.el6_2.9.s390.rpm
glibc-static-2.12-1.47.el6_2.9.s390x.rpm

x86_64:
glibc-debuginfo-2.12-1.47.el6_2.9.i686.rpm
glibc-debuginfo-2.12-1.47.el6_2.9.x86_64.rpm
glibc-debuginfo-common-2.12-1.47.el6_2.9.i686.rpm
glibc-debuginfo-common-2.12-1.47.el6_2.9.x86_64.rpm
glibc-static-2.12-1.47.el6_2.9.i686.rpm
glibc-static-2.12-1.47.el6_2.9.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/glibc-2.12-1.47.el6_2.9.src.rpm

i386:
glibc-2.12-1.47.el6_2.9.i686.rpm
glibc-common-2.12-1.47.el6_2.9.i686.rpm
glibc-debuginfo-2.12-1.47.el6_2.9.i686.rpm
glibc-debuginfo-common-2.12-1.47.el6_2.9.i686.rpm
glibc-devel-2.12-1.47.el6_2.9.i686.rpm
glibc-headers-2.12-1.47.el6_2.9.i686.rpm
glibc-utils-2.12-1.47.el6_2.9.i686.rpm
nscd-2.12-1.47.el6_2.9.i686.rpm

x86_64:
glibc-2.12-1.47.el6_2.9.i686.rpm
glibc-2.12-1.47.el6_2.9.x86_64.rpm
glibc-common-2.12-1.47.el6_2.9.x86_64.rpm
glibc-debuginfo-2.12-1.47.el6_2.9.i686.rpm
glibc-debuginfo-2.12-1.47.el6_2.9.x86_64.rpm
glibc-debuginfo-common-2.12-1.47.el6_2.9.i686.rpm
glibc-debuginfo-common-2.12-1.47.el6_2.9.x86_64.rpm
glibc-devel-2.12-1.47.el6_2.9.i686.rpm
glibc-devel-2.12-1.47.el6_2.9.x86_64.rpm
glibc-headers-2.12-1.47.el6_2.9.x86_64.rpm
glibc-utils-2.12-1.47.el6_2.9.x86_64.rpm
nscd-2.12-1.47.el6_2.9.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/glibc-2.12-1.47.el6_2.9.src.rpm

i386:
glibc-debuginfo-2.12-1.47.el6_2.9.i686.rpm
glibc-debuginfo-common-2.12-1.47.el6_2.9.i686.rpm
glibc-static-2.12-1.47.el6_2.9.i686.rpm

x86_64:
glibc-debuginfo-2.12-1.47.el6_2.9.i686.rpm
glibc-debuginfo-2.12-1.47.el6_2.9.x86_64.rpm
glibc-debuginfo-common-2.12-1.47.el6_2.9.i686.rpm
glibc-debuginfo-common-2.12-1.47.el6_2.9.x86_64.rpm
glibc-static-2.12-1.47.el6_2.9.i686.rpm
glibc-static-2.12-1.47.el6_2.9.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2012-0864.html
https://access.redhat.com/security/updates/classification/#moderate
https://rhn.redhat.com/errata/RHSA-2012-0058.html

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2012 Red Hat, Inc.

From bugzilla at redhat.com Mon Mar 19 22:06:27 2012
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 19 Mar 2012 22:06:27 +0000
Subject: [RHSA-2012:0397-01] Moderate: glibc security update
Message-ID: <201203192206.q2JM6R4w005348@int-mx09.intmail.prod.int.phx2.redhat.com>

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: glibc security update
Advisory ID: RHSA-2012:0397-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-0397.html
Issue date: 2012-03-19
CVE Names: CVE-2012-0864
=====================================================================

1. Summary:

Updated glibc packages that fix one security issue are now available for
Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64

3. Description:

The glibc packages provide the standard C and standard math libraries used
by multiple programs on the system. Without these libraries, the Linux
system cannot function correctly.

An integer overflow flaw was found in the implementation of the printf
functions family. This could allow an attacker to bypass FORTIFY_SOURCE
protections and execute arbitrary code using a format string flaw in an
application, even though these protections are expected to limit the impact
of such flaws to an application abort. (CVE-2012-0864)

All users of glibc are advised to upgrade to these updated packages, which
contain a patch to resolve this issue.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

794766 - CVE-2012-0864 glibc: FORTIFY_SOURCE format string protection bypass via "nargs" integer overflow

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/glibc-2.5-81.el5_8.1.src.rpm

i386:
glibc-2.5-81.el5_8.1.i386.rpm
glibc-2.5-81.el5_8.1.i686.rpm
glibc-common-2.5-81.el5_8.1.i386.rpm
glibc-debuginfo-2.5-81.el5_8.1.i386.rpm
glibc-debuginfo-2.5-81.el5_8.1.i686.rpm
glibc-debuginfo-common-2.5-81.el5_8.1.i386.rpm
glibc-devel-2.5-81.el5_8.1.i386.rpm
glibc-headers-2.5-81.el5_8.1.i386.rpm
glibc-utils-2.5-81.el5_8.1.i386.rpm
nscd-2.5-81.el5_8.1.i386.rpm

x86_64:
glibc-2.5-81.el5_8.1.i686.rpm
glibc-2.5-81.el5_8.1.x86_64.rpm
glibc-common-2.5-81.el5_8.1.x86_64.rpm
glibc-debuginfo-2.5-81.el5_8.1.i386.rpm
glibc-debuginfo-2.5-81.el5_8.1.i686.rpm
glibc-debuginfo-2.5-81.el5_8.1.x86_64.rpm
glibc-debuginfo-common-2.5-81.el5_8.1.i386.rpm
glibc-devel-2.5-81.el5_8.1.i386.rpm
glibc-devel-2.5-81.el5_8.1.x86_64.rpm
glibc-headers-2.5-81.el5_8.1.x86_64.rpm
glibc-utils-2.5-81.el5_8.1.x86_64.rpm
nscd-2.5-81.el5_8.1.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/glibc-2.5-81.el5_8.1.src.rpm

i386:
glibc-2.5-81.el5_8.1.i386.rpm
glibc-2.5-81.el5_8.1.i686.rpm
glibc-common-2.5-81.el5_8.1.i386.rpm
glibc-debuginfo-2.5-81.el5_8.1.i386.rpm
glibc-debuginfo-2.5-81.el5_8.1.i686.rpm
glibc-debuginfo-common-2.5-81.el5_8.1.i386.rpm
glibc-devel-2.5-81.el5_8.1.i386.rpm
glibc-headers-2.5-81.el5_8.1.i386.rpm
glibc-utils-2.5-81.el5_8.1.i386.rpm
nscd-2.5-81.el5_8.1.i386.rpm

ia64:
glibc-2.5-81.el5_8.1.i686.rpm
glibc-2.5-81.el5_8.1.ia64.rpm
glibc-common-2.5-81.el5_8.1.ia64.rpm
glibc-debuginfo-2.5-81.el5_8.1.i686.rpm
glibc-debuginfo-2.5-81.el5_8.1.ia64.rpm
glibc-devel-2.5-81.el5_8.1.ia64.rpm
glibc-headers-2.5-81.el5_8.1.ia64.rpm
glibc-utils-2.5-81.el5_8.1.ia64.rpm
nscd-2.5-81.el5_8.1.ia64.rpm

ppc:
glibc-2.5-81.el5_8.1.ppc.rpm
glibc-2.5-81.el5_8.1.ppc64.rpm
glibc-common-2.5-81.el5_8.1.ppc.rpm
glibc-debuginfo-2.5-81.el5_8.1.ppc.rpm
glibc-debuginfo-2.5-81.el5_8.1.ppc64.rpm
glibc-devel-2.5-81.el5_8.1.ppc.rpm
glibc-devel-2.5-81.el5_8.1.ppc64.rpm
glibc-headers-2.5-81.el5_8.1.ppc.rpm
glibc-utils-2.5-81.el5_8.1.ppc.rpm
nscd-2.5-81.el5_8.1.ppc.rpm

s390x:
glibc-2.5-81.el5_8.1.s390.rpm
glibc-2.5-81.el5_8.1.s390x.rpm
glibc-common-2.5-81.el5_8.1.s390x.rpm
glibc-debuginfo-2.5-81.el5_8.1.s390.rpm
glibc-debuginfo-2.5-81.el5_8.1.s390x.rpm
glibc-devel-2.5-81.el5_8.1.s390.rpm
glibc-devel-2.5-81.el5_8.1.s390x.rpm
glibc-headers-2.5-81.el5_8.1.s390x.rpm
glibc-utils-2.5-81.el5_8.1.s390x.rpm
nscd-2.5-81.el5_8.1.s390x.rpm

x86_64:
glibc-2.5-81.el5_8.1.i686.rpm
glibc-2.5-81.el5_8.1.x86_64.rpm
glibc-common-2.5-81.el5_8.1.x86_64.rpm
glibc-debuginfo-2.5-81.el5_8.1.i386.rpm
glibc-debuginfo-2.5-81.el5_8.1.i686.rpm
glibc-debuginfo-2.5-81.el5_8.1.x86_64.rpm
glibc-debuginfo-common-2.5-81.el5_8.1.i386.rpm
glibc-devel-2.5-81.el5_8.1.i386.rpm
glibc-devel-2.5-81.el5_8.1.x86_64.rpm
glibc-headers-2.5-81.el5_8.1.x86_64.rpm
glibc-utils-2.5-81.el5_8.1.x86_64.rpm
nscd-2.5-81.el5_8.1.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2012-0864.html
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2012 Red Hat, Inc.

From bugzilla at redhat.com Tue Mar 20 17:25:43 2012
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 20 Mar 2012 17:25:43 +0000
Subject: [RHSA-2012:0407-01] Moderate: libpng security update
Message-ID: <201203201725.q2KHPjAp026246@int-mx09.intmail.prod.int.phx2.redhat.com>

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: libpng security update
Advisory ID: RHSA-2012:0407-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-0407.html
Issue date: 2012-03-20
CVE Names: CVE-2011-3045
=====================================================================

1. Summary:

Updated libpng packages that fix one security issue are now available for
Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v.
5 client) - i386, x86_64 Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node (v. 6) - x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64 3. Description: The libpng packages contain a library of functions for creating and manipulating PNG (Portable Network Graphics) image format files. A heap-based buffer overflow flaw was found in the way libpng processed compressed chunks in PNG image files. An attacker could create a specially-crafted PNG image file that, when opened, could cause an application using libpng to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2011-3045) Users of libpng should upgrade to these updated packages, which correct this issue. For Red Hat Enterprise Linux 5, they contain a backported patch. For Red Hat Enterprise Linux 6, they upgrade libpng to version 1.2.48. All running applications using libpng must be restarted for the update to take effect. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 5. Bugs fixed (http://bugzilla.redhat.com/): 799000 - CVE-2011-3045 libpng: buffer overflow in png_inflate caused by invalid type conversions 6. Package List: Red Hat Enterprise Linux Desktop (v. 
5 client): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/libpng-1.2.10-16.el5_8.src.rpm i386: libpng-1.2.10-16.el5_8.i386.rpm libpng-debuginfo-1.2.10-16.el5_8.i386.rpm x86_64: libpng-1.2.10-16.el5_8.i386.rpm libpng-1.2.10-16.el5_8.x86_64.rpm libpng-debuginfo-1.2.10-16.el5_8.i386.rpm libpng-debuginfo-1.2.10-16.el5_8.x86_64.rpm RHEL Desktop Workstation (v. 5 client): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/libpng-1.2.10-16.el5_8.src.rpm i386: libpng-debuginfo-1.2.10-16.el5_8.i386.rpm libpng-devel-1.2.10-16.el5_8.i386.rpm x86_64: libpng-debuginfo-1.2.10-16.el5_8.i386.rpm libpng-debuginfo-1.2.10-16.el5_8.x86_64.rpm libpng-devel-1.2.10-16.el5_8.i386.rpm libpng-devel-1.2.10-16.el5_8.x86_64.rpm Red Hat Enterprise Linux (v. 5 server): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/libpng-1.2.10-16.el5_8.src.rpm i386: libpng-1.2.10-16.el5_8.i386.rpm libpng-debuginfo-1.2.10-16.el5_8.i386.rpm libpng-devel-1.2.10-16.el5_8.i386.rpm ia64: libpng-1.2.10-16.el5_8.i386.rpm libpng-1.2.10-16.el5_8.ia64.rpm libpng-debuginfo-1.2.10-16.el5_8.i386.rpm libpng-debuginfo-1.2.10-16.el5_8.ia64.rpm libpng-devel-1.2.10-16.el5_8.ia64.rpm ppc: libpng-1.2.10-16.el5_8.ppc.rpm libpng-1.2.10-16.el5_8.ppc64.rpm libpng-debuginfo-1.2.10-16.el5_8.ppc.rpm libpng-debuginfo-1.2.10-16.el5_8.ppc64.rpm libpng-devel-1.2.10-16.el5_8.ppc.rpm libpng-devel-1.2.10-16.el5_8.ppc64.rpm s390x: libpng-1.2.10-16.el5_8.s390.rpm libpng-1.2.10-16.el5_8.s390x.rpm libpng-debuginfo-1.2.10-16.el5_8.s390.rpm libpng-debuginfo-1.2.10-16.el5_8.s390x.rpm libpng-devel-1.2.10-16.el5_8.s390.rpm libpng-devel-1.2.10-16.el5_8.s390x.rpm x86_64: libpng-1.2.10-16.el5_8.i386.rpm libpng-1.2.10-16.el5_8.x86_64.rpm libpng-debuginfo-1.2.10-16.el5_8.i386.rpm libpng-debuginfo-1.2.10-16.el5_8.x86_64.rpm libpng-devel-1.2.10-16.el5_8.i386.rpm libpng-devel-1.2.10-16.el5_8.x86_64.rpm Red Hat Enterprise Linux Desktop (v. 
6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/libpng-1.2.48-1.el6_2.src.rpm i386: libpng-1.2.48-1.el6_2.i686.rpm libpng-debuginfo-1.2.48-1.el6_2.i686.rpm x86_64: libpng-1.2.48-1.el6_2.i686.rpm libpng-1.2.48-1.el6_2.x86_64.rpm libpng-debuginfo-1.2.48-1.el6_2.i686.rpm libpng-debuginfo-1.2.48-1.el6_2.x86_64.rpm Red Hat Enterprise Linux Desktop Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/libpng-1.2.48-1.el6_2.src.rpm i386: libpng-debuginfo-1.2.48-1.el6_2.i686.rpm libpng-devel-1.2.48-1.el6_2.i686.rpm libpng-static-1.2.48-1.el6_2.i686.rpm x86_64: libpng-debuginfo-1.2.48-1.el6_2.i686.rpm libpng-debuginfo-1.2.48-1.el6_2.x86_64.rpm libpng-devel-1.2.48-1.el6_2.i686.rpm libpng-devel-1.2.48-1.el6_2.x86_64.rpm libpng-static-1.2.48-1.el6_2.x86_64.rpm Red Hat Enterprise Linux HPC Node (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/libpng-1.2.48-1.el6_2.src.rpm x86_64: libpng-1.2.48-1.el6_2.i686.rpm libpng-1.2.48-1.el6_2.x86_64.rpm libpng-debuginfo-1.2.48-1.el6_2.i686.rpm libpng-debuginfo-1.2.48-1.el6_2.x86_64.rpm Red Hat Enterprise Linux HPC Node Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/libpng-1.2.48-1.el6_2.src.rpm x86_64: libpng-debuginfo-1.2.48-1.el6_2.i686.rpm libpng-debuginfo-1.2.48-1.el6_2.x86_64.rpm libpng-devel-1.2.48-1.el6_2.i686.rpm libpng-devel-1.2.48-1.el6_2.x86_64.rpm libpng-static-1.2.48-1.el6_2.x86_64.rpm Red Hat Enterprise Linux Server (v. 
6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/libpng-1.2.48-1.el6_2.src.rpm i386: libpng-1.2.48-1.el6_2.i686.rpm libpng-debuginfo-1.2.48-1.el6_2.i686.rpm libpng-devel-1.2.48-1.el6_2.i686.rpm ppc64: libpng-1.2.48-1.el6_2.ppc.rpm libpng-1.2.48-1.el6_2.ppc64.rpm libpng-debuginfo-1.2.48-1.el6_2.ppc.rpm libpng-debuginfo-1.2.48-1.el6_2.ppc64.rpm libpng-devel-1.2.48-1.el6_2.ppc.rpm libpng-devel-1.2.48-1.el6_2.ppc64.rpm s390x: libpng-1.2.48-1.el6_2.s390.rpm libpng-1.2.48-1.el6_2.s390x.rpm libpng-debuginfo-1.2.48-1.el6_2.s390.rpm libpng-debuginfo-1.2.48-1.el6_2.s390x.rpm libpng-devel-1.2.48-1.el6_2.s390.rpm libpng-devel-1.2.48-1.el6_2.s390x.rpm x86_64: libpng-1.2.48-1.el6_2.i686.rpm libpng-1.2.48-1.el6_2.x86_64.rpm libpng-debuginfo-1.2.48-1.el6_2.i686.rpm libpng-debuginfo-1.2.48-1.el6_2.x86_64.rpm libpng-devel-1.2.48-1.el6_2.i686.rpm libpng-devel-1.2.48-1.el6_2.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/libpng-1.2.48-1.el6_2.src.rpm i386: libpng-debuginfo-1.2.48-1.el6_2.i686.rpm libpng-static-1.2.48-1.el6_2.i686.rpm ppc64: libpng-debuginfo-1.2.48-1.el6_2.ppc64.rpm libpng-static-1.2.48-1.el6_2.ppc64.rpm s390x: libpng-debuginfo-1.2.48-1.el6_2.s390x.rpm libpng-static-1.2.48-1.el6_2.s390x.rpm x86_64: libpng-debuginfo-1.2.48-1.el6_2.x86_64.rpm libpng-static-1.2.48-1.el6_2.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/libpng-1.2.48-1.el6_2.src.rpm i386: libpng-1.2.48-1.el6_2.i686.rpm libpng-debuginfo-1.2.48-1.el6_2.i686.rpm libpng-devel-1.2.48-1.el6_2.i686.rpm x86_64: libpng-1.2.48-1.el6_2.i686.rpm libpng-1.2.48-1.el6_2.x86_64.rpm libpng-debuginfo-1.2.48-1.el6_2.i686.rpm libpng-debuginfo-1.2.48-1.el6_2.x86_64.rpm libpng-devel-1.2.48-1.el6_2.i686.rpm libpng-devel-1.2.48-1.el6_2.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 
6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/libpng-1.2.48-1.el6_2.src.rpm i386: libpng-debuginfo-1.2.48-1.el6_2.i686.rpm libpng-static-1.2.48-1.el6_2.i686.rpm x86_64: libpng-debuginfo-1.2.48-1.el6_2.x86_64.rpm libpng-static-1.2.48-1.el6_2.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2011-3045.html https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2012 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFPaL1+XlSAg2UNWIIRAqRZAJ9NYPg0un5H/EdyhuF0xU1WM+Cr4ACeJfoA lsMwkyv3x//47zz7casLy7A= =Z/09 -----END PGP SIGNATURE----- From bugzilla at redhat.com Thu Mar 22 18:53:04 2012 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 22 Mar 2012 18:53:04 +0000 Subject: [RHSA-2012:0410-01] Important: raptor security update Message-ID: <201203221853.q2MIr5YS012749@int-mx09.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: raptor security update Advisory ID: RHSA-2012:0410-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-0410.html Issue date: 2012-03-22 CVE Names: CVE-2012-0037 ===================================================================== 1. Summary: Updated raptor packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. 
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64

3. Description:

Raptor provides parsers for Resource Description Framework (RDF) files.

An XML External Entity expansion flaw was found in the way Raptor processed RDF files. If an application linked against Raptor were to open a specially-crafted RDF file, it could possibly allow a remote attacker to obtain a copy of an arbitrary local file that the user running the application had access to. A bug in the way Raptor handled external entities could cause that application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2012-0037)

Red Hat would like to thank Timothy D. Morgan of VSR for reporting this issue.

All Raptor users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. All running applications linked against Raptor must be restarted for this update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

791296 - CVE-2012-0037 raptor: XML External Entity (XXE) attack via RDF files

6. Package List:

Red Hat Enterprise Linux Desktop (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/raptor-1.4.18-5.el6_2.1.src.rpm

i386:
raptor-1.4.18-5.el6_2.1.i686.rpm
raptor-debuginfo-1.4.18-5.el6_2.1.i686.rpm

x86_64:
raptor-1.4.18-5.el6_2.1.i686.rpm
raptor-1.4.18-5.el6_2.1.x86_64.rpm
raptor-debuginfo-1.4.18-5.el6_2.1.i686.rpm
raptor-debuginfo-1.4.18-5.el6_2.1.x86_64.rpm

Red Hat Enterprise Linux Desktop Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/raptor-1.4.18-5.el6_2.1.src.rpm

i386:
raptor-debuginfo-1.4.18-5.el6_2.1.i686.rpm
raptor-devel-1.4.18-5.el6_2.1.i686.rpm

x86_64:
raptor-debuginfo-1.4.18-5.el6_2.1.i686.rpm
raptor-debuginfo-1.4.18-5.el6_2.1.x86_64.rpm
raptor-devel-1.4.18-5.el6_2.1.i686.rpm
raptor-devel-1.4.18-5.el6_2.1.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/raptor-1.4.18-5.el6_2.1.src.rpm

x86_64:
raptor-1.4.18-5.el6_2.1.i686.rpm
raptor-1.4.18-5.el6_2.1.x86_64.rpm
raptor-debuginfo-1.4.18-5.el6_2.1.i686.rpm
raptor-debuginfo-1.4.18-5.el6_2.1.x86_64.rpm
raptor-devel-1.4.18-5.el6_2.1.i686.rpm
raptor-devel-1.4.18-5.el6_2.1.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/raptor-1.4.18-5.el6_2.1.src.rpm

i386:
raptor-1.4.18-5.el6_2.1.i686.rpm
raptor-debuginfo-1.4.18-5.el6_2.1.i686.rpm

ppc64:
raptor-1.4.18-5.el6_2.1.ppc.rpm
raptor-1.4.18-5.el6_2.1.ppc64.rpm
raptor-debuginfo-1.4.18-5.el6_2.1.ppc.rpm
raptor-debuginfo-1.4.18-5.el6_2.1.ppc64.rpm

s390x:
raptor-1.4.18-5.el6_2.1.s390.rpm
raptor-1.4.18-5.el6_2.1.s390x.rpm
raptor-debuginfo-1.4.18-5.el6_2.1.s390.rpm
raptor-debuginfo-1.4.18-5.el6_2.1.s390x.rpm

x86_64:
raptor-1.4.18-5.el6_2.1.i686.rpm
raptor-1.4.18-5.el6_2.1.x86_64.rpm
raptor-debuginfo-1.4.18-5.el6_2.1.i686.rpm
raptor-debuginfo-1.4.18-5.el6_2.1.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/raptor-1.4.18-5.el6_2.1.src.rpm

i386:
raptor-debuginfo-1.4.18-5.el6_2.1.i686.rpm
raptor-devel-1.4.18-5.el6_2.1.i686.rpm

ppc64:
raptor-debuginfo-1.4.18-5.el6_2.1.ppc.rpm
raptor-debuginfo-1.4.18-5.el6_2.1.ppc64.rpm
raptor-devel-1.4.18-5.el6_2.1.ppc.rpm
raptor-devel-1.4.18-5.el6_2.1.ppc64.rpm

s390x:
raptor-debuginfo-1.4.18-5.el6_2.1.s390.rpm
raptor-debuginfo-1.4.18-5.el6_2.1.s390x.rpm
raptor-devel-1.4.18-5.el6_2.1.s390.rpm
raptor-devel-1.4.18-5.el6_2.1.s390x.rpm

x86_64:
raptor-debuginfo-1.4.18-5.el6_2.1.i686.rpm
raptor-debuginfo-1.4.18-5.el6_2.1.x86_64.rpm
raptor-devel-1.4.18-5.el6_2.1.i686.rpm
raptor-devel-1.4.18-5.el6_2.1.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/raptor-1.4.18-5.el6_2.1.src.rpm

i386:
raptor-1.4.18-5.el6_2.1.i686.rpm
raptor-debuginfo-1.4.18-5.el6_2.1.i686.rpm

x86_64:
raptor-1.4.18-5.el6_2.1.i686.rpm
raptor-1.4.18-5.el6_2.1.x86_64.rpm
raptor-debuginfo-1.4.18-5.el6_2.1.i686.rpm
raptor-debuginfo-1.4.18-5.el6_2.1.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/raptor-1.4.18-5.el6_2.1.src.rpm

i386:
raptor-debuginfo-1.4.18-5.el6_2.1.i686.rpm
raptor-devel-1.4.18-5.el6_2.1.i686.rpm

x86_64:
raptor-debuginfo-1.4.18-5.el6_2.1.i686.rpm
raptor-debuginfo-1.4.18-5.el6_2.1.x86_64.rpm
raptor-devel-1.4.18-5.el6_2.1.i686.rpm
raptor-devel-1.4.18-5.el6_2.1.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2012-0037.html
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2012 Red Hat, Inc.

From bugzilla at redhat.com Thu Mar 22 18:53:46 2012
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 22 Mar 2012 18:53:46 +0000
Subject: [RHSA-2012:0411-01] Important: openoffice.org security update
Message-ID: <201203221853.q2MIrlI0014965@int-mx12.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis:     Important: openoffice.org security update
Advisory ID:  RHSA-2012:0411-01
Product:      Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-0411.html
Issue date:   2012-03-22
CVE Names:    CVE-2012-0037
=====================================================================

1. Summary:

Updated openoffice.org packages that fix one security issue are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having important security impact.
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64
RHEL Optional Productivity Applications (v. 5 server) - i386, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64

3. Description:

OpenOffice.org is an office productivity suite that includes desktop applications, such as a word processor, spreadsheet application, presentation manager, formula editor, and a drawing program.

OpenOffice.org embeds a copy of Raptor, which provides parsers for Resource Description Framework (RDF) files. An XML External Entity expansion flaw was found in the way Raptor processed RDF files. If OpenOffice.org were to open a specially-crafted file (such as an OpenDocument Format or OpenDocument Presentation file), it could possibly allow a remote attacker to obtain a copy of an arbitrary local file that the user running OpenOffice.org had access to. A bug in the way Raptor handled external entities could cause OpenOffice.org to crash or, possibly, execute arbitrary code with the privileges of the user running OpenOffice.org. (CVE-2012-0037)

Red Hat would like to thank Timothy D. Morgan of VSR for reporting this issue.

All OpenOffice.org users are advised to upgrade to these updated packages, which contain backported patches to correct this issue. All running instances of OpenOffice.org applications must be restarted for this update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

791296 - CVE-2012-0037 raptor: XML External Entity (XXE) attack via RDF files
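The raptor and openoffice.org advisories above describe the same XML External Entity (XXE) flaw in RDF/XML handling (CVE-2012-0037). The following is an added example, not Raptor, OpenOffice.org or Red Hat code, of how an application that ingests RDF from untrusted sources keeps a SYSTEM entity from pulling a local file into a literal: a cheap pre-parse gate that rejects any document declaring an external entity, and a SAX parser with external entity fetching switched off for anything that gets past the gate. The sample RDF documents and the "secret" file are constructed here for illustration.

```python
"""Defensive RDF/XML intake against the XXE bug class (CVE-2012-0037).

Added example; not Raptor, OpenOffice.org or Red Hat code. Uses only the
Python standard library (xml.sax on top of expat).
"""
import io
import re
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, feature_external_pes

# An entity declaration whose replacement text comes from outside the document
# (SYSTEM or PUBLIC identifier). Parameter entities (leading %) are covered too.
_EXTERNAL_ENTITY_RE = re.compile(
    rb"<!ENTITY\s+(?:%\s+)?[^\s>]+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)


def declares_external_entity(document: bytes) -> bool:
    """Gate: does the raw document declare any external entity at all?"""
    return _EXTERNAL_ENTITY_RE.search(document) is not None


class _LiteralCollector(ContentHandler):
    """Accumulate character data per element name, enough to inspect literals."""

    def __init__(self):
        super().__init__()
        self.literals = {}
        self._open = []

    def startElement(self, name, attrs):
        self._open.append(name)
        self.literals.setdefault(name, "")

    def characters(self, content):
        if self._open:
            self.literals[self._open[-1]] += content

    def endElement(self, name):
        self._open.pop()


def parse_rdf_literals(document: bytes) -> dict:
    """Parse RDF/XML with external entity resolution switched off.

    A declared SYSTEM entity is never fetched: expat asks the reader to resolve
    it, the reader declines, and the reference contributes no text.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)  # general entities (&name;)
    parser.setFeature(feature_external_pes, False)  # parameter entities (%name;)
    collector = _LiteralCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(document))
    return collector.literals


def load_untrusted_rdf(document: bytes) -> dict:
    """Policy for documents from outside: reject at the gate, else parse hardened."""
    if declares_external_entity(document):
        raise ValueError("RDF document declares an external entity; rejected")
    return parse_rdf_literals(document)


def gate_rejects(document: bytes) -> bool:
    """True if load_untrusted_rdf refuses the document (used by the self-check)."""
    try:
        load_untrusted_rdf(document)
    except ValueError:
        return True
    return False


# ---- constructed sample input (not from the advisories) ---------------------
def make_secret_file() -> str:
    """Write a stand-in for a sensitive local file and return its path."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("SECRET-MARKER")
    return fh.name


BENIGN_RDF = b"""<?xml version="1.0"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns:dc="http://purl.org/dc/elements/1.1/">
  <rdf:Description rdf:about="urn:example:doc">
    <dc:title>Quarterly report</dc:title>
  </rdf:Description>
</rdf:RDF>
"""


def hostile_rdf(path: str) -> bytes:
    """The shape the advisories describe: a SYSTEM entity aimed at a local file."""
    return (b'<?xml version="1.0"?>\n'
            b'<!DOCTYPE rdf:RDF [<!ENTITY leak SYSTEM "file://' + path.encode() + b'">]>\n'
            b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"\n'
            b'         xmlns:dc="http://purl.org/dc/elements/1.1/">\n'
            b'  <rdf:Description rdf:about="urn:example:doc">\n'
            b'    <dc:description>&leak;</dc:description>\n'
            b'  </rdf:Description>\n'
            b'</rdf:RDF>\n')


if __name__ == "__main__":
    print("benign title:", load_untrusted_rdf(BENIGN_RDF)["dc:title"])
    doc = hostile_rdf(make_secret_file())
    print("gate rejects hostile document:", gate_rejects(doc))
    print("hardened parser literal:", repr(parse_rdf_literals(doc).get("dc:description")))
```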
6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/openoffice.org-3.1.1-19.10.el5_8.1.src.rpm

i386:
openoffice.org-base-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-calc-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-core-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-debuginfo-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-draw-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-emailmerge-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-graphicfilter-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-headless-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-impress-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-javafilter-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-af_ZA-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-ar-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-as_IN-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-bg_BG-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-bn-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-ca_ES-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-cs_CZ-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-cy_GB-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-da_DK-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-de-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-el_GR-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-es-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-et_EE-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-eu_ES-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-fi_FI-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-fr-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-ga_IE-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-gl_ES-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-gu_IN-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-he_IL-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-hi_IN-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-hr_HR-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-hu_HU-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-it-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-ja_JP-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-kn_IN-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-ko_KR-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-lt_LT-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-ml_IN-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-mr_IN-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-ms_MY-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-nb_NO-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-nl-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-nn_NO-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-nr_ZA-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-nso_ZA-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-or_IN-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-pa_IN-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-pl_PL-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-pt_BR-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-pt_PT-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-ru-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-sk_SK-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-sl_SI-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-sr_CS-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-ss_ZA-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-st_ZA-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-sv-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-ta_IN-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-te_IN-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-th_TH-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-tn_ZA-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-tr_TR-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-ts_ZA-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-ur-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-ve_ZA-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-xh_ZA-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-zh_CN-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-zh_TW-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-zu_ZA-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-math-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-pyuno-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-testtools-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-ure-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-writer-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-xsltfilter-3.1.1-19.10.el5_8.1.i386.rpm

x86_64:
openoffice.org-base-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-calc-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-core-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-debuginfo-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-draw-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-emailmerge-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-graphicfilter-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-headless-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-impress-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-javafilter-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-af_ZA-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-ar-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-as_IN-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-bg_BG-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-bn-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-ca_ES-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-cs_CZ-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-cy_GB-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-da_DK-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-de-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-el_GR-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-es-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-et_EE-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-eu_ES-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-fi_FI-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-fr-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-ga_IE-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-gl_ES-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-gu_IN-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-he_IL-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-hi_IN-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-hr_HR-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-hu_HU-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-it-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-ja_JP-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-kn_IN-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-ko_KR-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-lt_LT-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-ml_IN-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-mr_IN-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-ms_MY-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-nb_NO-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-nl-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-nn_NO-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-nr_ZA-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-nso_ZA-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-or_IN-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-pa_IN-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-pl_PL-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-pt_BR-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-pt_PT-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-ru-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-sk_SK-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-sl_SI-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-sr_CS-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-ss_ZA-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-st_ZA-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-sv-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-ta_IN-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-te_IN-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-th_TH-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-tn_ZA-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-tr_TR-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-ts_ZA-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-ur-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-ve_ZA-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-xh_ZA-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-zh_CN-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-zh_TW-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-zu_ZA-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-math-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-pyuno-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-testtools-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-ure-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-writer-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-xsltfilter-3.1.1-19.10.el5_8.1.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/openoffice.org-3.1.1-19.10.el5_8.1.src.rpm

i386:
openoffice.org-debuginfo-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-sdk-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-sdk-doc-3.1.1-19.10.el5_8.1.i386.rpm

x86_64:
openoffice.org-debuginfo-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-sdk-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-sdk-doc-3.1.1-19.10.el5_8.1.x86_64.rpm

RHEL Optional Productivity Applications (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/openoffice.org-3.1.1-19.10.el5_8.1.src.rpm

i386:
openoffice.org-base-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-calc-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-core-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-debuginfo-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-draw-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-emailmerge-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-graphicfilter-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-headless-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-impress-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-javafilter-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-af_ZA-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-ar-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-as_IN-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-bg_BG-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-bn-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-ca_ES-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-cs_CZ-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-cy_GB-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-da_DK-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-de-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-el_GR-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-es-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-et_EE-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-eu_ES-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-fi_FI-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-fr-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-ga_IE-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-gl_ES-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-gu_IN-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-he_IL-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-hi_IN-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-hr_HR-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-hu_HU-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-it-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-ja_JP-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-kn_IN-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-ko_KR-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-lt_LT-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-ml_IN-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-mr_IN-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-ms_MY-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-nb_NO-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-nl-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-nn_NO-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-nr_ZA-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-nso_ZA-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-or_IN-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-pa_IN-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-pl_PL-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-pt_BR-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-pt_PT-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-ru-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-sk_SK-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-sl_SI-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-sr_CS-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-ss_ZA-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-st_ZA-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-sv-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-ta_IN-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-te_IN-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-th_TH-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-tn_ZA-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-tr_TR-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-ts_ZA-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-ur-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-ve_ZA-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-xh_ZA-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-zh_CN-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-zh_TW-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-langpack-zu_ZA-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-math-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-pyuno-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-sdk-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-sdk-doc-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-testtools-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-ure-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-writer-3.1.1-19.10.el5_8.1.i386.rpm
openoffice.org-xsltfilter-3.1.1-19.10.el5_8.1.i386.rpm

x86_64:
openoffice.org-base-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-calc-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-core-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-debuginfo-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-draw-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-emailmerge-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-graphicfilter-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-headless-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-impress-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-javafilter-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-af_ZA-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-ar-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-as_IN-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-bg_BG-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-bn-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-ca_ES-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-cs_CZ-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-cy_GB-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-da_DK-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-de-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-el_GR-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-es-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-et_EE-3.1.1-19.10.el5_8.1.x86_64.rpm
openoffice.org-langpack-eu_ES-3.1.1-19.10.el5_8.1.x86_64.rpm openoffice.org-langpack-fi_FI-3.1.1-19.10.el5_8.1.x86_64.rpm openoffice.org-langpack-fr-3.1.1-19.10.el5_8.1.x86_64.rpm openoffice.org-langpack-ga_IE-3.1.1-19.10.el5_8.1.x86_64.rpm openoffice.org-langpack-gl_ES-3.1.1-19.10.el5_8.1.x86_64.rpm openoffice.org-langpack-gu_IN-3.1.1-19.10.el5_8.1.x86_64.rpm openoffice.org-langpack-he_IL-3.1.1-19.10.el5_8.1.x86_64.rpm openoffice.org-langpack-hi_IN-3.1.1-19.10.el5_8.1.x86_64.rpm openoffice.org-langpack-hr_HR-3.1.1-19.10.el5_8.1.x86_64.rpm openoffice.org-langpack-hu_HU-3.1.1-19.10.el5_8.1.x86_64.rpm openoffice.org-langpack-it-3.1.1-19.10.el5_8.1.x86_64.rpm openoffice.org-langpack-ja_JP-3.1.1-19.10.el5_8.1.x86_64.rpm openoffice.org-langpack-kn_IN-3.1.1-19.10.el5_8.1.x86_64.rpm openoffice.org-langpack-ko_KR-3.1.1-19.10.el5_8.1.x86_64.rpm openoffice.org-langpack-lt_LT-3.1.1-19.10.el5_8.1.x86_64.rpm openoffice.org-langpack-ml_IN-3.1.1-19.10.el5_8.1.x86_64.rpm openoffice.org-langpack-mr_IN-3.1.1-19.10.el5_8.1.x86_64.rpm openoffice.org-langpack-ms_MY-3.1.1-19.10.el5_8.1.x86_64.rpm openoffice.org-langpack-nb_NO-3.1.1-19.10.el5_8.1.x86_64.rpm openoffice.org-langpack-nl-3.1.1-19.10.el5_8.1.x86_64.rpm openoffice.org-langpack-nn_NO-3.1.1-19.10.el5_8.1.x86_64.rpm openoffice.org-langpack-nr_ZA-3.1.1-19.10.el5_8.1.x86_64.rpm openoffice.org-langpack-nso_ZA-3.1.1-19.10.el5_8.1.x86_64.rpm openoffice.org-langpack-or_IN-3.1.1-19.10.el5_8.1.x86_64.rpm openoffice.org-langpack-pa_IN-3.1.1-19.10.el5_8.1.x86_64.rpm openoffice.org-langpack-pl_PL-3.1.1-19.10.el5_8.1.x86_64.rpm openoffice.org-langpack-pt_BR-3.1.1-19.10.el5_8.1.x86_64.rpm openoffice.org-langpack-pt_PT-3.1.1-19.10.el5_8.1.x86_64.rpm openoffice.org-langpack-ru-3.1.1-19.10.el5_8.1.x86_64.rpm openoffice.org-langpack-sk_SK-3.1.1-19.10.el5_8.1.x86_64.rpm openoffice.org-langpack-sl_SI-3.1.1-19.10.el5_8.1.x86_64.rpm openoffice.org-langpack-sr_CS-3.1.1-19.10.el5_8.1.x86_64.rpm 
openoffice.org-langpack-ss_ZA-3.1.1-19.10.el5_8.1.x86_64.rpm openoffice.org-langpack-st_ZA-3.1.1-19.10.el5_8.1.x86_64.rpm openoffice.org-langpack-sv-3.1.1-19.10.el5_8.1.x86_64.rpm openoffice.org-langpack-ta_IN-3.1.1-19.10.el5_8.1.x86_64.rpm openoffice.org-langpack-te_IN-3.1.1-19.10.el5_8.1.x86_64.rpm openoffice.org-langpack-th_TH-3.1.1-19.10.el5_8.1.x86_64.rpm openoffice.org-langpack-tn_ZA-3.1.1-19.10.el5_8.1.x86_64.rpm openoffice.org-langpack-tr_TR-3.1.1-19.10.el5_8.1.x86_64.rpm openoffice.org-langpack-ts_ZA-3.1.1-19.10.el5_8.1.x86_64.rpm openoffice.org-langpack-ur-3.1.1-19.10.el5_8.1.x86_64.rpm openoffice.org-langpack-ve_ZA-3.1.1-19.10.el5_8.1.x86_64.rpm openoffice.org-langpack-xh_ZA-3.1.1-19.10.el5_8.1.x86_64.rpm openoffice.org-langpack-zh_CN-3.1.1-19.10.el5_8.1.x86_64.rpm openoffice.org-langpack-zh_TW-3.1.1-19.10.el5_8.1.x86_64.rpm openoffice.org-langpack-zu_ZA-3.1.1-19.10.el5_8.1.x86_64.rpm openoffice.org-math-3.1.1-19.10.el5_8.1.x86_64.rpm openoffice.org-pyuno-3.1.1-19.10.el5_8.1.x86_64.rpm openoffice.org-sdk-3.1.1-19.10.el5_8.1.x86_64.rpm openoffice.org-sdk-doc-3.1.1-19.10.el5_8.1.x86_64.rpm openoffice.org-testtools-3.1.1-19.10.el5_8.1.x86_64.rpm openoffice.org-ure-3.1.1-19.10.el5_8.1.x86_64.rpm openoffice.org-writer-3.1.1-19.10.el5_8.1.x86_64.rpm openoffice.org-xsltfilter-3.1.1-19.10.el5_8.1.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2012-0037.html https://access.redhat.com/security/updates/classification/#important http://www.openoffice.org/security/cves/CVE-2012-0037.html 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2012 Red Hat, Inc. 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFPa3UnXlSAg2UNWIIRAuQcAKC/U88zU1NFsUyKEMJxuZB0u+z0lwCgwEzL
KVuh6RBPGErFb1pZrM+572I=
=kFub
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Tue Mar 27 23:05:05 2012
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 27 Mar 2012 23:05:05 +0000
Subject: [RHSA-2012:0426-01] Moderate: openssl security and bug fix update
Message-ID: <201203272305.q2RN55RN017324@int-mx09.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: openssl security and bug fix update
Advisory ID: RHSA-2012:0426-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-0426.html
Issue date: 2012-03-27
CVE Names: CVE-2012-0884 CVE-2012-1165
=====================================================================

1. Summary:

Updated openssl packages that fix two security issues and one bug are now
available for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64

3. Description:

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols, as well as a full-strength,
general purpose cryptography library.

A NULL pointer dereference flaw was found in the way OpenSSL parsed
Secure/Multipurpose Internet Mail Extensions (S/MIME) messages. An attacker
could use this flaw to crash an application that uses OpenSSL to decrypt or
verify S/MIME messages. (CVE-2012-1165)

A flaw was found in the PKCS#7 and Cryptographic Message Syntax (CMS)
implementations in OpenSSL. An attacker could possibly use this flaw to
perform a Bleichenbacher attack to decrypt an encrypted CMS, PKCS#7, or
S/MIME message by sending a large number of chosen ciphertext messages to a
service using OpenSSL and measuring error response times. (CVE-2012-0884)

This update also fixes a regression caused by the fix for CVE-2011-4619,
released via RHSA-2012:0060 and RHSA-2012:0059, which caused Server Gated
Cryptography (SGC) handshakes to fail.

All OpenSSL users should upgrade to these updated packages, which contain
backported patches to resolve these issues. For the update to take effect,
all services linked to the OpenSSL library must be restarted, or the system
rebooted.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

802489 - CVE-2012-1165 openssl: mime_param_cmp NULL dereference crash
802725 - CVE-2012-0884 openssl: CMS and PKCS#7 Bleichenbacher attack

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/openssl-0.9.8e-22.el5_8.1.src.rpm

i386:
openssl-0.9.8e-22.el5_8.1.i386.rpm
openssl-0.9.8e-22.el5_8.1.i686.rpm
openssl-debuginfo-0.9.8e-22.el5_8.1.i386.rpm
openssl-debuginfo-0.9.8e-22.el5_8.1.i686.rpm
openssl-perl-0.9.8e-22.el5_8.1.i386.rpm

x86_64:
openssl-0.9.8e-22.el5_8.1.i686.rpm
openssl-0.9.8e-22.el5_8.1.x86_64.rpm
openssl-debuginfo-0.9.8e-22.el5_8.1.i686.rpm
openssl-debuginfo-0.9.8e-22.el5_8.1.x86_64.rpm
openssl-perl-0.9.8e-22.el5_8.1.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/openssl-0.9.8e-22.el5_8.1.src.rpm

i386:
openssl-debuginfo-0.9.8e-22.el5_8.1.i386.rpm
openssl-devel-0.9.8e-22.el5_8.1.i386.rpm

x86_64:
openssl-debuginfo-0.9.8e-22.el5_8.1.i386.rpm
openssl-debuginfo-0.9.8e-22.el5_8.1.x86_64.rpm
openssl-devel-0.9.8e-22.el5_8.1.i386.rpm
openssl-devel-0.9.8e-22.el5_8.1.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/openssl-0.9.8e-22.el5_8.1.src.rpm

i386:
openssl-0.9.8e-22.el5_8.1.i386.rpm
openssl-0.9.8e-22.el5_8.1.i686.rpm
openssl-debuginfo-0.9.8e-22.el5_8.1.i386.rpm
openssl-debuginfo-0.9.8e-22.el5_8.1.i686.rpm
openssl-devel-0.9.8e-22.el5_8.1.i386.rpm
openssl-perl-0.9.8e-22.el5_8.1.i386.rpm

ia64:
openssl-0.9.8e-22.el5_8.1.i686.rpm
openssl-0.9.8e-22.el5_8.1.ia64.rpm
openssl-debuginfo-0.9.8e-22.el5_8.1.i686.rpm
openssl-debuginfo-0.9.8e-22.el5_8.1.ia64.rpm
openssl-devel-0.9.8e-22.el5_8.1.ia64.rpm
openssl-perl-0.9.8e-22.el5_8.1.ia64.rpm

ppc:
openssl-0.9.8e-22.el5_8.1.ppc.rpm
openssl-0.9.8e-22.el5_8.1.ppc64.rpm
openssl-debuginfo-0.9.8e-22.el5_8.1.ppc.rpm
openssl-debuginfo-0.9.8e-22.el5_8.1.ppc64.rpm
openssl-devel-0.9.8e-22.el5_8.1.ppc.rpm
openssl-devel-0.9.8e-22.el5_8.1.ppc64.rpm
openssl-perl-0.9.8e-22.el5_8.1.ppc.rpm

s390x:
openssl-0.9.8e-22.el5_8.1.s390.rpm
openssl-0.9.8e-22.el5_8.1.s390x.rpm
openssl-debuginfo-0.9.8e-22.el5_8.1.s390.rpm
openssl-debuginfo-0.9.8e-22.el5_8.1.s390x.rpm
openssl-devel-0.9.8e-22.el5_8.1.s390.rpm
openssl-devel-0.9.8e-22.el5_8.1.s390x.rpm
openssl-perl-0.9.8e-22.el5_8.1.s390x.rpm

x86_64:
openssl-0.9.8e-22.el5_8.1.i686.rpm
openssl-0.9.8e-22.el5_8.1.x86_64.rpm
openssl-debuginfo-0.9.8e-22.el5_8.1.i386.rpm
openssl-debuginfo-0.9.8e-22.el5_8.1.i686.rpm
openssl-debuginfo-0.9.8e-22.el5_8.1.x86_64.rpm
openssl-devel-0.9.8e-22.el5_8.1.i386.rpm
openssl-devel-0.9.8e-22.el5_8.1.x86_64.rpm
openssl-perl-0.9.8e-22.el5_8.1.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/openssl-1.0.0-20.el6_2.3.src.rpm

i386:
openssl-1.0.0-20.el6_2.3.i686.rpm
openssl-debuginfo-1.0.0-20.el6_2.3.i686.rpm

x86_64:
openssl-1.0.0-20.el6_2.3.i686.rpm
openssl-1.0.0-20.el6_2.3.x86_64.rpm
openssl-debuginfo-1.0.0-20.el6_2.3.i686.rpm
openssl-debuginfo-1.0.0-20.el6_2.3.x86_64.rpm

Red Hat Enterprise Linux Desktop Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/openssl-1.0.0-20.el6_2.3.src.rpm

i386:
openssl-debuginfo-1.0.0-20.el6_2.3.i686.rpm
openssl-devel-1.0.0-20.el6_2.3.i686.rpm
openssl-perl-1.0.0-20.el6_2.3.i686.rpm
openssl-static-1.0.0-20.el6_2.3.i686.rpm

x86_64:
openssl-debuginfo-1.0.0-20.el6_2.3.i686.rpm
openssl-debuginfo-1.0.0-20.el6_2.3.x86_64.rpm
openssl-devel-1.0.0-20.el6_2.3.i686.rpm
openssl-devel-1.0.0-20.el6_2.3.x86_64.rpm
openssl-perl-1.0.0-20.el6_2.3.x86_64.rpm
openssl-static-1.0.0-20.el6_2.3.x86_64.rpm

Red Hat Enterprise Linux HPC Node (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/openssl-1.0.0-20.el6_2.3.src.rpm

x86_64:
openssl-1.0.0-20.el6_2.3.i686.rpm
openssl-1.0.0-20.el6_2.3.x86_64.rpm
openssl-debuginfo-1.0.0-20.el6_2.3.i686.rpm
openssl-debuginfo-1.0.0-20.el6_2.3.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/openssl-1.0.0-20.el6_2.3.src.rpm

x86_64:
openssl-debuginfo-1.0.0-20.el6_2.3.i686.rpm
openssl-debuginfo-1.0.0-20.el6_2.3.x86_64.rpm
openssl-devel-1.0.0-20.el6_2.3.i686.rpm
openssl-devel-1.0.0-20.el6_2.3.x86_64.rpm
openssl-perl-1.0.0-20.el6_2.3.x86_64.rpm
openssl-static-1.0.0-20.el6_2.3.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/openssl-1.0.0-20.el6_2.3.src.rpm

i386:
openssl-1.0.0-20.el6_2.3.i686.rpm
openssl-debuginfo-1.0.0-20.el6_2.3.i686.rpm
openssl-devel-1.0.0-20.el6_2.3.i686.rpm

ppc64:
openssl-1.0.0-20.el6_2.3.ppc.rpm
openssl-1.0.0-20.el6_2.3.ppc64.rpm
openssl-debuginfo-1.0.0-20.el6_2.3.ppc.rpm
openssl-debuginfo-1.0.0-20.el6_2.3.ppc64.rpm
openssl-devel-1.0.0-20.el6_2.3.ppc.rpm
openssl-devel-1.0.0-20.el6_2.3.ppc64.rpm

s390x:
openssl-1.0.0-20.el6_2.3.s390.rpm
openssl-1.0.0-20.el6_2.3.s390x.rpm
openssl-debuginfo-1.0.0-20.el6_2.3.s390.rpm
openssl-debuginfo-1.0.0-20.el6_2.3.s390x.rpm
openssl-devel-1.0.0-20.el6_2.3.s390.rpm
openssl-devel-1.0.0-20.el6_2.3.s390x.rpm

x86_64:
openssl-1.0.0-20.el6_2.3.i686.rpm
openssl-1.0.0-20.el6_2.3.x86_64.rpm
openssl-debuginfo-1.0.0-20.el6_2.3.i686.rpm
openssl-debuginfo-1.0.0-20.el6_2.3.x86_64.rpm
openssl-devel-1.0.0-20.el6_2.3.i686.rpm
openssl-devel-1.0.0-20.el6_2.3.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/openssl-1.0.0-20.el6_2.3.src.rpm

i386:
openssl-debuginfo-1.0.0-20.el6_2.3.i686.rpm
openssl-perl-1.0.0-20.el6_2.3.i686.rpm
openssl-static-1.0.0-20.el6_2.3.i686.rpm

ppc64:
openssl-debuginfo-1.0.0-20.el6_2.3.ppc64.rpm
openssl-perl-1.0.0-20.el6_2.3.ppc64.rpm
openssl-static-1.0.0-20.el6_2.3.ppc64.rpm

s390x:
openssl-debuginfo-1.0.0-20.el6_2.3.s390x.rpm
openssl-perl-1.0.0-20.el6_2.3.s390x.rpm
openssl-static-1.0.0-20.el6_2.3.s390x.rpm

x86_64:
openssl-debuginfo-1.0.0-20.el6_2.3.x86_64.rpm
openssl-perl-1.0.0-20.el6_2.3.x86_64.rpm
openssl-static-1.0.0-20.el6_2.3.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/openssl-1.0.0-20.el6_2.3.src.rpm

i386:
openssl-1.0.0-20.el6_2.3.i686.rpm
openssl-debuginfo-1.0.0-20.el6_2.3.i686.rpm
openssl-devel-1.0.0-20.el6_2.3.i686.rpm

x86_64:
openssl-1.0.0-20.el6_2.3.i686.rpm
openssl-1.0.0-20.el6_2.3.x86_64.rpm
openssl-debuginfo-1.0.0-20.el6_2.3.i686.rpm
openssl-debuginfo-1.0.0-20.el6_2.3.x86_64.rpm
openssl-devel-1.0.0-20.el6_2.3.i686.rpm
openssl-devel-1.0.0-20.el6_2.3.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/openssl-1.0.0-20.el6_2.3.src.rpm

i386:
openssl-debuginfo-1.0.0-20.el6_2.3.i686.rpm
openssl-perl-1.0.0-20.el6_2.3.i686.rpm
openssl-static-1.0.0-20.el6_2.3.i686.rpm

x86_64:
openssl-debuginfo-1.0.0-20.el6_2.3.x86_64.rpm
openssl-perl-1.0.0-20.el6_2.3.x86_64.rpm
openssl-static-1.0.0-20.el6_2.3.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2012-0884.html
https://www.redhat.com/security/data/cve/CVE-2012-1165.html
https://access.redhat.com/security/updates/classification/#moderate
https://rhn.redhat.com/errata/RHSA-2012-0060.html
https://rhn.redhat.com/errata/RHSA-2012-0059.html

8. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2012 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFPckeOXlSAg2UNWIIRAiuAAJwJtwOyG2ldWCcB8DmORAmwf3xoQgCdEoC/
6BmQSeCNdE1MFUGdw4NcYWw=
=bMnG
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Tue Mar 27 23:05:58 2012
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 27 Mar 2012 23:05:58 +0000
Subject: [RHSA-2012:0427-01] Important: libtasn1 security update
Message-ID: <201203272305.q2RN5xWD014003@int-mx01.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Important: libtasn1 security update
Advisory ID: RHSA-2012:0427-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-0427.html
Issue date: 2012-03-27
CVE Names: CVE-2012-1569
=====================================================================

1. Summary:

Updated libtasn1 packages that fix one security issue are now available for
Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having important
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64

3. Description:

libtasn1 is a library developed for ASN.1 (Abstract Syntax Notation One)
structures management that includes DER (Distinguished Encoding Rules)
encoding and decoding.

A flaw was found in the way libtasn1 decoded DER data. An attacker could
create carefully-crafted DER encoded input (such as an X.509 certificate)
that, when parsed by an application that uses libtasn1 (such as applications
using GnuTLS), could cause the application to crash. (CVE-2012-1569)

Red Hat would like to thank Matthew Hall of Mu Dynamics for reporting this
issue.

Users of libtasn1 are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue. For the update to take
effect, all applications linked to the libtasn1 library must be restarted,
or the system rebooted.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

804920 - CVE-2012-1569 libtasn1: DER decoding buffer overflow (GNUTLS-SA-2012-3, MU-201202-02)

6. Package List:

Red Hat Enterprise Linux Desktop (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/libtasn1-2.3-3.el6_2.1.src.rpm

i386:
libtasn1-2.3-3.el6_2.1.i686.rpm
libtasn1-debuginfo-2.3-3.el6_2.1.i686.rpm

x86_64:
libtasn1-2.3-3.el6_2.1.i686.rpm
libtasn1-2.3-3.el6_2.1.x86_64.rpm
libtasn1-debuginfo-2.3-3.el6_2.1.i686.rpm
libtasn1-debuginfo-2.3-3.el6_2.1.x86_64.rpm

Red Hat Enterprise Linux Desktop Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/libtasn1-2.3-3.el6_2.1.src.rpm

i386:
libtasn1-debuginfo-2.3-3.el6_2.1.i686.rpm
libtasn1-devel-2.3-3.el6_2.1.i686.rpm
libtasn1-tools-2.3-3.el6_2.1.i686.rpm

x86_64:
libtasn1-debuginfo-2.3-3.el6_2.1.i686.rpm
libtasn1-debuginfo-2.3-3.el6_2.1.x86_64.rpm
libtasn1-devel-2.3-3.el6_2.1.i686.rpm
libtasn1-devel-2.3-3.el6_2.1.x86_64.rpm
libtasn1-tools-2.3-3.el6_2.1.x86_64.rpm

Red Hat Enterprise Linux HPC Node (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/libtasn1-2.3-3.el6_2.1.src.rpm

x86_64:
libtasn1-2.3-3.el6_2.1.i686.rpm
libtasn1-2.3-3.el6_2.1.x86_64.rpm
libtasn1-debuginfo-2.3-3.el6_2.1.i686.rpm
libtasn1-debuginfo-2.3-3.el6_2.1.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/libtasn1-2.3-3.el6_2.1.src.rpm

x86_64:
libtasn1-debuginfo-2.3-3.el6_2.1.i686.rpm
libtasn1-debuginfo-2.3-3.el6_2.1.x86_64.rpm
libtasn1-devel-2.3-3.el6_2.1.i686.rpm
libtasn1-devel-2.3-3.el6_2.1.x86_64.rpm
libtasn1-tools-2.3-3.el6_2.1.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/libtasn1-2.3-3.el6_2.1.src.rpm

i386:
libtasn1-2.3-3.el6_2.1.i686.rpm
libtasn1-debuginfo-2.3-3.el6_2.1.i686.rpm
libtasn1-devel-2.3-3.el6_2.1.i686.rpm

ppc64:
libtasn1-2.3-3.el6_2.1.ppc.rpm
libtasn1-2.3-3.el6_2.1.ppc64.rpm
libtasn1-debuginfo-2.3-3.el6_2.1.ppc.rpm
libtasn1-debuginfo-2.3-3.el6_2.1.ppc64.rpm
libtasn1-devel-2.3-3.el6_2.1.ppc.rpm
libtasn1-devel-2.3-3.el6_2.1.ppc64.rpm

s390x:
libtasn1-2.3-3.el6_2.1.s390.rpm
libtasn1-2.3-3.el6_2.1.s390x.rpm
libtasn1-debuginfo-2.3-3.el6_2.1.s390.rpm
libtasn1-debuginfo-2.3-3.el6_2.1.s390x.rpm
libtasn1-devel-2.3-3.el6_2.1.s390.rpm
libtasn1-devel-2.3-3.el6_2.1.s390x.rpm

x86_64:
libtasn1-2.3-3.el6_2.1.i686.rpm
libtasn1-2.3-3.el6_2.1.x86_64.rpm
libtasn1-debuginfo-2.3-3.el6_2.1.i686.rpm
libtasn1-debuginfo-2.3-3.el6_2.1.x86_64.rpm
libtasn1-devel-2.3-3.el6_2.1.i686.rpm
libtasn1-devel-2.3-3.el6_2.1.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/libtasn1-2.3-3.el6_2.1.src.rpm

i386:
libtasn1-debuginfo-2.3-3.el6_2.1.i686.rpm
libtasn1-tools-2.3-3.el6_2.1.i686.rpm

ppc64:
libtasn1-debuginfo-2.3-3.el6_2.1.ppc64.rpm
libtasn1-tools-2.3-3.el6_2.1.ppc64.rpm

s390x:
libtasn1-debuginfo-2.3-3.el6_2.1.s390x.rpm
libtasn1-tools-2.3-3.el6_2.1.s390x.rpm

x86_64:
libtasn1-debuginfo-2.3-3.el6_2.1.x86_64.rpm
libtasn1-tools-2.3-3.el6_2.1.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/libtasn1-2.3-3.el6_2.1.src.rpm

i386:
libtasn1-2.3-3.el6_2.1.i686.rpm
libtasn1-debuginfo-2.3-3.el6_2.1.i686.rpm
libtasn1-devel-2.3-3.el6_2.1.i686.rpm

x86_64:
libtasn1-2.3-3.el6_2.1.i686.rpm
libtasn1-2.3-3.el6_2.1.x86_64.rpm
libtasn1-debuginfo-2.3-3.el6_2.1.i686.rpm
libtasn1-debuginfo-2.3-3.el6_2.1.x86_64.rpm
libtasn1-devel-2.3-3.el6_2.1.i686.rpm
libtasn1-devel-2.3-3.el6_2.1.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/libtasn1-2.3-3.el6_2.1.src.rpm

i386:
libtasn1-debuginfo-2.3-3.el6_2.1.i686.rpm
libtasn1-tools-2.3-3.el6_2.1.i686.rpm

x86_64:
libtasn1-debuginfo-2.3-3.el6_2.1.x86_64.rpm
libtasn1-tools-2.3-3.el6_2.1.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2012-1569.html
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2012 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFPckfEXlSAg2UNWIIRAumfAJ9lYfh8YlmLv5ol2riqAatFv6eeUQCeL8vK
V/Kus6tXgLoVDY6T8LSKNLA=
=VgYO
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Tue Mar 27 23:07:03 2012
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 27 Mar 2012 23:07:03 +0000
Subject: [RHSA-2012:0428-01] Important: gnutls security update
Message-ID: <201203272307.q2RN74Me014192@int-mx01.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Important: gnutls security update
Advisory ID: RHSA-2012:0428-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-0428.html
Issue date: 2012-03-27
CVE Names: CVE-2011-4128 CVE-2012-1569 CVE-2012-1573
=====================================================================

1. Summary:

Updated gnutls packages that fix three security issues are now available
for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having important
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64

3. Description:

The GnuTLS library provides support for cryptographic algorithms and for
protocols such as Transport Layer Security (TLS). GnuTLS includes libtasn1,
a library developed for ASN.1 (Abstract Syntax Notation One) structures
management that includes DER (Distinguished Encoding Rules) encoding and
decoding.

A flaw was found in the way GnuTLS decrypted malformed TLS records. This
could cause a TLS/SSL client or server to crash when processing a
specially-crafted TLS record from a remote TLS/SSL connection peer.
(CVE-2012-1573)

A flaw was found in the way libtasn1 decoded DER data. An attacker could
create a carefully-crafted X.509 certificate that, when parsed by an
application that uses GnuTLS, could cause the application to crash.
(CVE-2012-1569)

A boundary error was found in the gnutls_session_get_data() function. A
malicious TLS/SSL server could use this flaw to crash a TLS/SSL client or,
possibly, execute arbitrary code as the client, if the client passed a
fixed-sized buffer to gnutls_session_get_data() before checking the real
size of the session data provided by the server. (CVE-2011-4128)

Red Hat would like to thank Matthew Hall of Mu Dynamics for reporting
CVE-2012-1573 and CVE-2012-1569.

Users of GnuTLS are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. For the update to take
effect, all applications linked to the GnuTLS library must be restarted, or
the system rebooted.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

752308 - CVE-2011-4128 gnutls: buffer overflow in gnutls_session_get_data() (GNUTLS-SA-2011-2)
804920 - CVE-2012-1569 libtasn1: DER decoding buffer overflow (GNUTLS-SA-2012-3, MU-201202-02)
805432 - CVE-2012-1573 gnutls: TLS record handling issue (GNUTLS-SA-2012-2, MU-201202-01)

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/gnutls-1.4.1-7.el5_8.2.src.rpm

i386:
gnutls-1.4.1-7.el5_8.2.i386.rpm
gnutls-debuginfo-1.4.1-7.el5_8.2.i386.rpm
gnutls-utils-1.4.1-7.el5_8.2.i386.rpm

x86_64:
gnutls-1.4.1-7.el5_8.2.i386.rpm
gnutls-1.4.1-7.el5_8.2.x86_64.rpm
gnutls-debuginfo-1.4.1-7.el5_8.2.i386.rpm
gnutls-debuginfo-1.4.1-7.el5_8.2.x86_64.rpm
gnutls-utils-1.4.1-7.el5_8.2.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/gnutls-1.4.1-7.el5_8.2.src.rpm

i386:
gnutls-debuginfo-1.4.1-7.el5_8.2.i386.rpm
gnutls-devel-1.4.1-7.el5_8.2.i386.rpm

x86_64:
gnutls-debuginfo-1.4.1-7.el5_8.2.i386.rpm
gnutls-debuginfo-1.4.1-7.el5_8.2.x86_64.rpm
gnutls-devel-1.4.1-7.el5_8.2.i386.rpm
gnutls-devel-1.4.1-7.el5_8.2.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/gnutls-1.4.1-7.el5_8.2.src.rpm

i386:
gnutls-1.4.1-7.el5_8.2.i386.rpm
gnutls-debuginfo-1.4.1-7.el5_8.2.i386.rpm
gnutls-devel-1.4.1-7.el5_8.2.i386.rpm
gnutls-utils-1.4.1-7.el5_8.2.i386.rpm

ia64:
gnutls-1.4.1-7.el5_8.2.i386.rpm
gnutls-1.4.1-7.el5_8.2.ia64.rpm
gnutls-debuginfo-1.4.1-7.el5_8.2.i386.rpm
gnutls-debuginfo-1.4.1-7.el5_8.2.ia64.rpm
gnutls-devel-1.4.1-7.el5_8.2.ia64.rpm
gnutls-utils-1.4.1-7.el5_8.2.ia64.rpm

ppc:
gnutls-1.4.1-7.el5_8.2.ppc.rpm
gnutls-1.4.1-7.el5_8.2.ppc64.rpm
gnutls-debuginfo-1.4.1-7.el5_8.2.ppc.rpm
gnutls-debuginfo-1.4.1-7.el5_8.2.ppc64.rpm
gnutls-devel-1.4.1-7.el5_8.2.ppc.rpm
gnutls-devel-1.4.1-7.el5_8.2.ppc64.rpm
gnutls-utils-1.4.1-7.el5_8.2.ppc.rpm

s390x:
gnutls-1.4.1-7.el5_8.2.s390.rpm
gnutls-1.4.1-7.el5_8.2.s390x.rpm
gnutls-debuginfo-1.4.1-7.el5_8.2.s390.rpm
gnutls-debuginfo-1.4.1-7.el5_8.2.s390x.rpm
gnutls-devel-1.4.1-7.el5_8.2.s390.rpm
gnutls-devel-1.4.1-7.el5_8.2.s390x.rpm
gnutls-utils-1.4.1-7.el5_8.2.s390x.rpm

x86_64:
gnutls-1.4.1-7.el5_8.2.i386.rpm
gnutls-1.4.1-7.el5_8.2.x86_64.rpm
gnutls-debuginfo-1.4.1-7.el5_8.2.i386.rpm
gnutls-debuginfo-1.4.1-7.el5_8.2.x86_64.rpm
gnutls-devel-1.4.1-7.el5_8.2.i386.rpm
gnutls-devel-1.4.1-7.el5_8.2.x86_64.rpm
gnutls-utils-1.4.1-7.el5_8.2.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2011-4128.html
https://www.redhat.com/security/data/cve/CVE-2012-1569.html
https://www.redhat.com/security/data/cve/CVE-2012-1573.html
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2012 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFPckgHXlSAg2UNWIIRAp9/AKCNAvxeYkqSIZsRjH7H0oymhSCOhQCfZyQF
tmK7vHPL9UA4mOTEYlCkoVg=
=vUmN
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Tue Mar 27 23:08:00 2012
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 27 Mar 2012 23:08:00 +0000
Subject: [RHSA-2012:0429-01] Important: gnutls security update
Message-ID: <201203272308.q2RN80cH028358@int-mx12.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Important: gnutls security update
Advisory ID: RHSA-2012:0429-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-0429.html
Issue date: 2012-03-27
CVE Names: CVE-2011-4128 CVE-2012-1573
=====================================================================

1. Summary:

Updated gnutls packages that fix two security issues are now available for
Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having important
security impact.
Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node (v. 6) - x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64 3. Description: The GnuTLS library provides support for cryptographic algorithms and for protocols such as Transport Layer Security (TLS). A flaw was found in the way GnuTLS decrypted malformed TLS records. This could cause a TLS/SSL client or server to crash when processing a specially-crafted TLS record from a remote TLS/SSL connection peer. (CVE-2012-1573) A boundary error was found in the gnutls_session_get_data() function. A malicious TLS/SSL server could use this flaw to crash a TLS/SSL client or, possibly, execute arbitrary code as the client, if the client passed a fixed-sized buffer to gnutls_session_get_data() before checking the real size of the session data provided by the server. (CVE-2011-4128) Red Hat would like to thank Matthew Hall of Mu Dynamics for reporting CVE-2012-1573. Users of GnuTLS are advised to upgrade to these updated packages, which contain backported patches to correct these issues. For the update to take effect, all applications linked to the GnuTLS library must be restarted, or the system rebooted. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. 
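The CVE-2011-4128 description above turns on an API contract: gnutls_session_get_data() takes a caller-supplied buffer plus an in/out size parameter, and when the buffer is too small the documented behaviour is to return GNUTLS_E_SHORT_MEMORY_BUFFER with the required size written back, never to copy regardless. A client that hands in a fixed-size buffer and trusts the copy is exposed as soon as the server can choose how long the session data is. The C program below is an added example, not part of this advisory or of GnuTLS itself: it does not link against libgnutls, and the session struct, the session_get_data()/session_get_data_unchecked() functions and the SGD_* codes are hypothetical stand-ins that mirror that contract. It places the contract-honouring getter beside the variant with the boundary check missing, measures what the latter does to a caller's 16-byte buffer (the overrun lands in a larger array so the demonstration stays defined behaviour), and shows the probe-then-allocate pattern a client should use. Whether a NULL buffer with size 0 is an acceptable size probe for the real gnutls_session_get_data() in a given GnuTLS release should be checked against that release's manual; gnutls_session_get_data2(), which allocates the result itself, sidesteps the question.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in codes; real GnuTLS returns 0 or the negative GNUTLS_E_SHORT_MEMORY_BUFFER. */
#define SGD_OK                  0
#define SGD_SHORT_MEMORY_BUFFER (-1)

/* Hypothetical stand-in for gnutls_session_t; data_len is chosen by the peer. */
struct session { unsigned char data[256]; size_t data_len; };

/* Constructed fixture: a session whose resumption data is n bytes of 'A'. */
void make_session(struct session *s, size_t n)
{
    memset(s, 0, sizeof *s);
    if (n > sizeof s->data) n = sizeof s->data;
    memset(s->data, 'A', n);
    s->data_len = n;
}

/* Honours the contract: *len is the caller's capacity on entry and the real
 * size on exit; nothing is copied unless it fits. */
int session_get_data(const struct session *s, void *buf, size_t *len)
{
    if (*len < s->data_len) {
        *len = s->data_len;            /* report what is needed, copy nothing */
        return SGD_SHORT_MEMORY_BUFFER;
    }
    if (s->data_len > 0) memcpy(buf, s->data, s->data_len);
    *len = s->data_len;
    return SGD_OK;
}

/* Same call with the boundary check missing (the bug class the advisory describes).
 * Only ever aimed at the oversized 'frame' in overrun_bytes(), so the demo is well-defined. */
int session_get_data_unchecked(const struct session *s, void *buf, size_t *len)
{
    memcpy(buf, s->data, s->data_len);     /* peer-chosen length, capacity ignored */
    *len = s->data_len;
    return SGD_OK;
}

#define FIXED_BUF 16   /* the client's fixed-size buffer */
#define FRAME_LEN 64   /* model of the stack frame surrounding it */
/* Hands the unchecked getter a FIXED_BUF-byte buffer at the start of a larger
 * frame (n <= FRAME_LEN) and returns how many bytes past that buffer it overwrote. */
size_t overrun_bytes(size_t n)
{
    struct session s; unsigned char frame[FRAME_LEN]; size_t len = FIXED_BUF, clobbered = 0;
    if (n > FRAME_LEN) return (size_t)-1;  /* refuse a real overflow */
    make_session(&s, n);
    memset(frame, 0xAA, sizeof frame);     /* 0xAA marks untouched bytes */
    session_get_data_unchecked(&s, frame, &len);
    for (size_t i = FIXED_BUF; i < FRAME_LEN; i++)
        if (frame[i] != 0xAA) clobbered++;
    return clobbered;
}

/* Checked getter, n-byte session, capacity-byte buffer (<= 256): rc, then reported size. */
int checked_rc(size_t n, size_t capacity)
{
    struct session s; unsigned char buf[256]; size_t len = capacity;
    make_session(&s, n);
    return session_get_data(&s, buf, &len);
}
size_t checked_need(size_t n, size_t capacity)
{
    struct session s; unsigned char buf[256]; size_t len = capacity;
    make_session(&s, n);
    (void)session_get_data(&s, buf, &len);
    return len;
}

/* The safe caller pattern: probe the size with a zero-capacity call, then
 * allocate exactly that much and fetch. Returns a malloc'd copy or NULL. */
unsigned char *fetch_session_data(const struct session *s, size_t *out_len)
{
    size_t need = 0;
    int rc = session_get_data(s, NULL, &need); /* NULL, capacity 0: size probe */
    if (rc != SGD_OK && rc != SGD_SHORT_MEMORY_BUFFER) return NULL;
    unsigned char *copy = malloc(need > 0 ? need : 1);
    if (copy == NULL) return NULL;
    if (session_get_data(s, copy, &need) != SGD_OK) { free(copy); return NULL; }
    *out_len = need;
    return copy;
}

/* 1 if the two-call pattern yields an exact copy of an n-byte session. */
int safe_fetch_roundtrip(size_t n)
{
    struct session s; size_t got = 0;
    make_session(&s, n);
    unsigned char *copy = fetch_session_data(&s, &got);
    int ok = copy != NULL && got == s.data_len && memcmp(copy, s.data, got) == 0;
    free(copy);
    return ok;
}
```

With a 40-byte session, checked_rc(40, 16) comes back as SGD_SHORT_MEMORY_BUFFER and checked_need(40, 16) reports 40, while overrun_bytes(40) shows the unchecked variant writing 24 bytes past the 16-byte buffer into whatever the frame holds next. fetch_session_data() checks the second call's return code rather than assuming the probe is still accurate, because the size can change between the two calls if the session state moves underneath the caller; the pattern is probe, allocate, fetch, check.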
Details on how to use the Red Hat Network to apply this update are
available at https://access.redhat.com/knowledge/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

752308 - CVE-2011-4128 gnutls: buffer overflow in gnutls_session_get_data() (GNUTLS-SA-2011-2)
805432 - CVE-2012-1573 gnutls: TLS record handling issue (GNUTLS-SA-2012-2, MU-201202-01)

6. Package List:

Red Hat Enterprise Linux Desktop (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/gnutls-2.8.5-4.el6_2.2.src.rpm

i386:
gnutls-2.8.5-4.el6_2.2.i686.rpm
gnutls-debuginfo-2.8.5-4.el6_2.2.i686.rpm
gnutls-utils-2.8.5-4.el6_2.2.i686.rpm

x86_64:
gnutls-2.8.5-4.el6_2.2.i686.rpm
gnutls-2.8.5-4.el6_2.2.x86_64.rpm
gnutls-debuginfo-2.8.5-4.el6_2.2.i686.rpm
gnutls-debuginfo-2.8.5-4.el6_2.2.x86_64.rpm
gnutls-utils-2.8.5-4.el6_2.2.x86_64.rpm

Red Hat Enterprise Linux Desktop Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/gnutls-2.8.5-4.el6_2.2.src.rpm

i386:
gnutls-debuginfo-2.8.5-4.el6_2.2.i686.rpm
gnutls-devel-2.8.5-4.el6_2.2.i686.rpm
gnutls-guile-2.8.5-4.el6_2.2.i686.rpm

x86_64:
gnutls-debuginfo-2.8.5-4.el6_2.2.i686.rpm
gnutls-debuginfo-2.8.5-4.el6_2.2.x86_64.rpm
gnutls-devel-2.8.5-4.el6_2.2.i686.rpm
gnutls-devel-2.8.5-4.el6_2.2.x86_64.rpm
gnutls-guile-2.8.5-4.el6_2.2.i686.rpm
gnutls-guile-2.8.5-4.el6_2.2.x86_64.rpm

Red Hat Enterprise Linux HPC Node (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/gnutls-2.8.5-4.el6_2.2.src.rpm

x86_64:
gnutls-2.8.5-4.el6_2.2.i686.rpm
gnutls-2.8.5-4.el6_2.2.x86_64.rpm
gnutls-debuginfo-2.8.5-4.el6_2.2.i686.rpm
gnutls-debuginfo-2.8.5-4.el6_2.2.x86_64.rpm
gnutls-utils-2.8.5-4.el6_2.2.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/gnutls-2.8.5-4.el6_2.2.src.rpm

x86_64:
gnutls-debuginfo-2.8.5-4.el6_2.2.i686.rpm
gnutls-debuginfo-2.8.5-4.el6_2.2.x86_64.rpm
gnutls-devel-2.8.5-4.el6_2.2.i686.rpm
gnutls-devel-2.8.5-4.el6_2.2.x86_64.rpm
gnutls-guile-2.8.5-4.el6_2.2.i686.rpm
gnutls-guile-2.8.5-4.el6_2.2.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/gnutls-2.8.5-4.el6_2.2.src.rpm

i386:
gnutls-2.8.5-4.el6_2.2.i686.rpm
gnutls-debuginfo-2.8.5-4.el6_2.2.i686.rpm
gnutls-devel-2.8.5-4.el6_2.2.i686.rpm
gnutls-utils-2.8.5-4.el6_2.2.i686.rpm

ppc64:
gnutls-2.8.5-4.el6_2.2.ppc.rpm
gnutls-2.8.5-4.el6_2.2.ppc64.rpm
gnutls-debuginfo-2.8.5-4.el6_2.2.ppc.rpm
gnutls-debuginfo-2.8.5-4.el6_2.2.ppc64.rpm
gnutls-devel-2.8.5-4.el6_2.2.ppc.rpm
gnutls-devel-2.8.5-4.el6_2.2.ppc64.rpm
gnutls-utils-2.8.5-4.el6_2.2.ppc64.rpm

s390x:
gnutls-2.8.5-4.el6_2.2.s390.rpm
gnutls-2.8.5-4.el6_2.2.s390x.rpm
gnutls-debuginfo-2.8.5-4.el6_2.2.s390.rpm
gnutls-debuginfo-2.8.5-4.el6_2.2.s390x.rpm
gnutls-devel-2.8.5-4.el6_2.2.s390.rpm
gnutls-devel-2.8.5-4.el6_2.2.s390x.rpm
gnutls-utils-2.8.5-4.el6_2.2.s390x.rpm

x86_64:
gnutls-2.8.5-4.el6_2.2.i686.rpm
gnutls-2.8.5-4.el6_2.2.x86_64.rpm
gnutls-debuginfo-2.8.5-4.el6_2.2.i686.rpm
gnutls-debuginfo-2.8.5-4.el6_2.2.x86_64.rpm
gnutls-devel-2.8.5-4.el6_2.2.i686.rpm
gnutls-devel-2.8.5-4.el6_2.2.x86_64.rpm
gnutls-utils-2.8.5-4.el6_2.2.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/gnutls-2.8.5-4.el6_2.2.src.rpm

i386:
gnutls-debuginfo-2.8.5-4.el6_2.2.i686.rpm
gnutls-guile-2.8.5-4.el6_2.2.i686.rpm

ppc64:
gnutls-debuginfo-2.8.5-4.el6_2.2.ppc.rpm
gnutls-debuginfo-2.8.5-4.el6_2.2.ppc64.rpm
gnutls-guile-2.8.5-4.el6_2.2.ppc.rpm
gnutls-guile-2.8.5-4.el6_2.2.ppc64.rpm

s390x:
gnutls-debuginfo-2.8.5-4.el6_2.2.s390.rpm
gnutls-debuginfo-2.8.5-4.el6_2.2.s390x.rpm
gnutls-guile-2.8.5-4.el6_2.2.s390.rpm
gnutls-guile-2.8.5-4.el6_2.2.s390x.rpm

x86_64:
gnutls-debuginfo-2.8.5-4.el6_2.2.i686.rpm
gnutls-debuginfo-2.8.5-4.el6_2.2.x86_64.rpm
gnutls-guile-2.8.5-4.el6_2.2.i686.rpm
gnutls-guile-2.8.5-4.el6_2.2.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/gnutls-2.8.5-4.el6_2.2.src.rpm

i386:
gnutls-2.8.5-4.el6_2.2.i686.rpm
gnutls-debuginfo-2.8.5-4.el6_2.2.i686.rpm
gnutls-devel-2.8.5-4.el6_2.2.i686.rpm
gnutls-utils-2.8.5-4.el6_2.2.i686.rpm

x86_64:
gnutls-2.8.5-4.el6_2.2.i686.rpm
gnutls-2.8.5-4.el6_2.2.x86_64.rpm
gnutls-debuginfo-2.8.5-4.el6_2.2.i686.rpm
gnutls-debuginfo-2.8.5-4.el6_2.2.x86_64.rpm
gnutls-devel-2.8.5-4.el6_2.2.i686.rpm
gnutls-devel-2.8.5-4.el6_2.2.x86_64.rpm
gnutls-utils-2.8.5-4.el6_2.2.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/gnutls-2.8.5-4.el6_2.2.src.rpm

i386:
gnutls-debuginfo-2.8.5-4.el6_2.2.i686.rpm
gnutls-guile-2.8.5-4.el6_2.2.i686.rpm

x86_64:
gnutls-debuginfo-2.8.5-4.el6_2.2.i686.rpm
gnutls-debuginfo-2.8.5-4.el6_2.2.x86_64.rpm
gnutls-guile-2.8.5-4.el6_2.2.i686.rpm
gnutls-guile-2.8.5-4.el6_2.2.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2011-4128.html
https://www.redhat.com/security/data/cve/CVE-2012-1573.html
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2012 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFPckhAXlSAg2UNWIIRAmbfAKCMppVGB5qRgedlOLAE+QUB2mFMSgCgjXwd
O8Tv6zUt/Ssdd4Asx5dfUvQ=
=ghoO
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Mar 29 07:51:37 2012
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 29 Mar 2012 07:51:37 +0000
Subject: [RHSA-2012:0434-01] Critical: flash-plugin security update
Message-ID: <201203290751.q2T7pcHS010888@int-mx09.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: flash-plugin security update
Advisory ID:       RHSA-2012:0434-01
Product:           Red Hat Enterprise Linux Extras
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2012-0434.html
Issue date:        2012-03-29
CVE Names:         CVE-2012-0773
=====================================================================

1. Summary:

An updated Adobe Flash Player package that fixes one security issue is now
available for Red Hat Enterprise Linux 5 and 6 Supplementary.

The Red Hat Security Response Team has rated this update as having critical
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64

3. Description:

The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in.

This update fixes one vulnerability in Adobe Flash Player. This
vulnerability is detailed on the Adobe security page APSB12-07, listed in
the References section. Specially-crafted SWF content could cause
flash-plugin to crash or, potentially, execute arbitrary code when a victim
loads a page containing the specially-crafted SWF content. (CVE-2012-0773)

All users of Adobe Flash Player should install this updated package, which
upgrades Flash Player to version 10.3.183.18.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

807707 - CVE-2012-0773 flash-plugin: arbitrary code execution via memory corruption flaw in NetStream class (APSB12-07)

6. Package List:

Red Hat Enterprise Linux Desktop Supplementary (v. 5):

i386:
flash-plugin-10.3.183.18-1.el5.i386.rpm

x86_64:
flash-plugin-10.3.183.18-1.el5.i386.rpm

Red Hat Enterprise Linux Server Supplementary (v. 5):

i386:
flash-plugin-10.3.183.18-1.el5.i386.rpm

x86_64:
flash-plugin-10.3.183.18-1.el5.i386.rpm

Red Hat Enterprise Linux Desktop Supplementary (v. 6):

i386:
flash-plugin-10.3.183.18-1.el6.i686.rpm

x86_64:
flash-plugin-10.3.183.18-1.el6.i686.rpm

Red Hat Enterprise Linux Server Supplementary (v. 6):

i386:
flash-plugin-10.3.183.18-1.el6.i686.rpm

x86_64:
flash-plugin-10.3.183.18-1.el6.i686.rpm

Red Hat Enterprise Linux Workstation Supplementary (v. 6):

i386:
flash-plugin-10.3.183.18-1.el6.i686.rpm

x86_64:
flash-plugin-10.3.183.18-1.el6.i686.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2012-0773.html
https://access.redhat.com/security/updates/classification/#critical
http://www.adobe.com/support/security/bulletins/apsb12-07.html

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2012 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFPdBSFXlSAg2UNWIIRArd2AKCBKTfNknPvG1mKHmpb2GgtgBY1zACgvFKG
lvZRVvElunVrz8W954tuAHw=
=Nvc6
-----END PGP SIGNATURE-----