From bugzilla at redhat.com Tue Oct 2 17:47:30 2012 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Tue, 2 Oct 2012 17:47:30 +0000 Subject: [RHSA-2012:1323-01] Important: kernel security and bug fix update Message-ID: <201210021747.q92HlVqD020199@int-mx01.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: kernel security and bug fix update Advisory ID: RHSA-2012:1323-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-1323.html Issue date: 2012-10-02 CVE Names: CVE-2012-2319 CVE-2012-3412 CVE-2012-3430 CVE-2012-3510 ===================================================================== 1. Summary: Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux (v. 5 server) - i386, ia64, noarch, ppc, s390x, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, noarch, x86_64 3. Description: The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues: * A flaw was found in the way socket buffers (skb) requiring TSO (TCP segment offloading) were handled by the sfc driver. If the skb did not fit within the minimum-size of the transmission queue, the network card could repeatedly reset itself. A remote attacker could use this flaw to cause a denial of service. (CVE-2012-3412, Important) * A use-after-free flaw was found in the xacct_add_tsk() function in the Linux kernel's taskstats subsystem. A local, unprivileged user could use this flaw to cause an information leak or a denial of service. (CVE-2012-3510, Moderate) * A buffer overflow flaw was found in the hfs_bnode_read() function in the HFS Plus (HFS+) file system implementation in the Linux kernel. A local user able to mount a specially-crafted HFS+ file system image could use this flaw to cause a denial of service or escalate their privileges. (CVE-2012-2319, Low) * A flaw was found in the way the msg_namelen variable in the rds_recvmsg() function of the Linux kernel's Reliable Datagram Sockets (RDS) protocol implementation was initialized. A local, unprivileged user could use this flaw to leak kernel stack memory to user-space. (CVE-2012-3430, Low) Red Hat would like to thank Ben Hutchings of Solarflare (tm) for reporting CVE-2012-3412, and Alexander Peslyak for reporting CVE-2012-3510. The CVE-2012-3430 issue was discovered by the Red Hat InfiniBand team. This update also fixes the following bugs: * The cpuid_whitelist() function, masking the Enhanced Intel SpeedStep (EST) flag from all guests, prevented the "cpuspeed" service from working in the privileged Xen domain (dom0). CPU scaling was therefore not possible. With this update, cpuid_whitelist() is aware whether the domain executing CPUID is privileged or not, and enables the EST flag for dom0. (BZ#846125) * If a delayed-allocation write was performed before quota was enabled, the kernel displayed the following warning message: WARNING: at fs/quota/dquot.c:988 dquot_claim_space+0x77/0x112() This was because information about the delayed allocation was not recorded in the quota structure. With this update, writes prior to enabling quota are properly accounted for, and the message is not displayed. (BZ#847326) * In Red Hat Enterprise Linux 5.9, the DSCP (Differentiated Services Code Point) netfilter module now supports mangling of the DSCP field. (BZ#847327) * Some subsystems clear the TIF_SIGPENDING flag during error handling in fork() paths. Previously, if the flag was cleared, the ERESTARTNOINTR error code could be returned. The underlying source code has been modified so that the error code is no longer returned. (BZ#847359) * An unnecessary check for the RXCW.CW bit could cause the Intel e1000e NIC (Network Interface Controller) to not work properly. The check has been removed so that the Intel e1000e NIC works as expected. (BZ#852448) Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 To install kernel packages manually, use "rpm -ivh [package]". Do not use "rpm -Uvh" as that will remove the running kernel binaries from your system. You may use "rpm -e" to remove old kernels after determining that the new kernel functions properly on your system. 5. Bugs fixed (http://bugzilla.redhat.com/): 819471 - CVE-2012-2319 kernel: Buffer overflow in the HFS plus filesystem (different issue than CVE-2009-4020) 820039 - CVE-2012-3430 kernel: recv{from,msg}() on an rds socket can leak kernel memory 844714 - CVE-2012-3412 kernel: sfc: potential remote denial of service through TCP MSS option 847326 - WARNING: at fs/dquot.c:814 dquot_claim_reserved_space() in dmesg [rhel-5.8.z] 849722 - CVE-2012-3510 kernel: taskstats: use-after-free in xacct_add_tsk() 6. Package List: Red Hat Enterprise Linux Desktop (v. 5 client): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/kernel-2.6.18-308.16.1.el5.src.rpm i386: kernel-2.6.18-308.16.1.el5.i686.rpm kernel-PAE-2.6.18-308.16.1.el5.i686.rpm kernel-PAE-debuginfo-2.6.18-308.16.1.el5.i686.rpm kernel-PAE-devel-2.6.18-308.16.1.el5.i686.rpm kernel-debug-2.6.18-308.16.1.el5.i686.rpm kernel-debug-debuginfo-2.6.18-308.16.1.el5.i686.rpm kernel-debug-devel-2.6.18-308.16.1.el5.i686.rpm kernel-debuginfo-2.6.18-308.16.1.el5.i686.rpm kernel-debuginfo-common-2.6.18-308.16.1.el5.i686.rpm kernel-devel-2.6.18-308.16.1.el5.i686.rpm kernel-headers-2.6.18-308.16.1.el5.i386.rpm kernel-xen-2.6.18-308.16.1.el5.i686.rpm kernel-xen-debuginfo-2.6.18-308.16.1.el5.i686.rpm kernel-xen-devel-2.6.18-308.16.1.el5.i686.rpm noarch: kernel-doc-2.6.18-308.16.1.el5.noarch.rpm x86_64: kernel-2.6.18-308.16.1.el5.x86_64.rpm kernel-debug-2.6.18-308.16.1.el5.x86_64.rpm kernel-debug-debuginfo-2.6.18-308.16.1.el5.x86_64.rpm kernel-debug-devel-2.6.18-308.16.1.el5.x86_64.rpm kernel-debuginfo-2.6.18-308.16.1.el5.x86_64.rpm kernel-debuginfo-common-2.6.18-308.16.1.el5.x86_64.rpm kernel-devel-2.6.18-308.16.1.el5.x86_64.rpm kernel-headers-2.6.18-308.16.1.el5.x86_64.rpm kernel-xen-2.6.18-308.16.1.el5.x86_64.rpm kernel-xen-debuginfo-2.6.18-308.16.1.el5.x86_64.rpm kernel-xen-devel-2.6.18-308.16.1.el5.x86_64.rpm Red Hat Enterprise Linux (v. 5 server): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/kernel-2.6.18-308.16.1.el5.src.rpm i386: kernel-2.6.18-308.16.1.el5.i686.rpm kernel-PAE-2.6.18-308.16.1.el5.i686.rpm kernel-PAE-debuginfo-2.6.18-308.16.1.el5.i686.rpm kernel-PAE-devel-2.6.18-308.16.1.el5.i686.rpm kernel-debug-2.6.18-308.16.1.el5.i686.rpm kernel-debug-debuginfo-2.6.18-308.16.1.el5.i686.rpm kernel-debug-devel-2.6.18-308.16.1.el5.i686.rpm kernel-debuginfo-2.6.18-308.16.1.el5.i686.rpm kernel-debuginfo-common-2.6.18-308.16.1.el5.i686.rpm kernel-devel-2.6.18-308.16.1.el5.i686.rpm kernel-headers-2.6.18-308.16.1.el5.i386.rpm kernel-xen-2.6.18-308.16.1.el5.i686.rpm kernel-xen-debuginfo-2.6.18-308.16.1.el5.i686.rpm kernel-xen-devel-2.6.18-308.16.1.el5.i686.rpm ia64: kernel-2.6.18-308.16.1.el5.ia64.rpm kernel-debug-2.6.18-308.16.1.el5.ia64.rpm kernel-debug-debuginfo-2.6.18-308.16.1.el5.ia64.rpm kernel-debug-devel-2.6.18-308.16.1.el5.ia64.rpm kernel-debuginfo-2.6.18-308.16.1.el5.ia64.rpm kernel-debuginfo-common-2.6.18-308.16.1.el5.ia64.rpm kernel-devel-2.6.18-308.16.1.el5.ia64.rpm kernel-headers-2.6.18-308.16.1.el5.ia64.rpm kernel-xen-2.6.18-308.16.1.el5.ia64.rpm kernel-xen-debuginfo-2.6.18-308.16.1.el5.ia64.rpm kernel-xen-devel-2.6.18-308.16.1.el5.ia64.rpm noarch: kernel-doc-2.6.18-308.16.1.el5.noarch.rpm ppc: kernel-2.6.18-308.16.1.el5.ppc64.rpm kernel-debug-2.6.18-308.16.1.el5.ppc64.rpm kernel-debug-debuginfo-2.6.18-308.16.1.el5.ppc64.rpm kernel-debug-devel-2.6.18-308.16.1.el5.ppc64.rpm kernel-debuginfo-2.6.18-308.16.1.el5.ppc64.rpm kernel-debuginfo-common-2.6.18-308.16.1.el5.ppc64.rpm kernel-devel-2.6.18-308.16.1.el5.ppc64.rpm kernel-headers-2.6.18-308.16.1.el5.ppc.rpm kernel-headers-2.6.18-308.16.1.el5.ppc64.rpm kernel-kdump-2.6.18-308.16.1.el5.ppc64.rpm kernel-kdump-debuginfo-2.6.18-308.16.1.el5.ppc64.rpm kernel-kdump-devel-2.6.18-308.16.1.el5.ppc64.rpm s390x: kernel-2.6.18-308.16.1.el5.s390x.rpm kernel-debug-2.6.18-308.16.1.el5.s390x.rpm kernel-debug-debuginfo-2.6.18-308.16.1.el5.s390x.rpm kernel-debug-devel-2.6.18-308.16.1.el5.s390x.rpm kernel-debuginfo-2.6.18-308.16.1.el5.s390x.rpm kernel-debuginfo-common-2.6.18-308.16.1.el5.s390x.rpm kernel-devel-2.6.18-308.16.1.el5.s390x.rpm kernel-headers-2.6.18-308.16.1.el5.s390x.rpm kernel-kdump-2.6.18-308.16.1.el5.s390x.rpm kernel-kdump-debuginfo-2.6.18-308.16.1.el5.s390x.rpm kernel-kdump-devel-2.6.18-308.16.1.el5.s390x.rpm x86_64: kernel-2.6.18-308.16.1.el5.x86_64.rpm kernel-debug-2.6.18-308.16.1.el5.x86_64.rpm kernel-debug-debuginfo-2.6.18-308.16.1.el5.x86_64.rpm kernel-debug-devel-2.6.18-308.16.1.el5.x86_64.rpm kernel-debuginfo-2.6.18-308.16.1.el5.x86_64.rpm kernel-debuginfo-common-2.6.18-308.16.1.el5.x86_64.rpm kernel-devel-2.6.18-308.16.1.el5.x86_64.rpm kernel-headers-2.6.18-308.16.1.el5.x86_64.rpm kernel-xen-2.6.18-308.16.1.el5.x86_64.rpm kernel-xen-debuginfo-2.6.18-308.16.1.el5.x86_64.rpm kernel-xen-devel-2.6.18-308.16.1.el5.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2012-2319.html https://www.redhat.com/security/data/cve/CVE-2012-3412.html https://www.redhat.com/security/data/cve/CVE-2012-3430.html https://www.redhat.com/security/data/cve/CVE-2012-3510.html https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2012 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFQayiUXlSAg2UNWIIRAuc/AJ96yBfuvZR3dTz6vhDOVNoj5948fACgnKRN jwgb6DDUwo+UIJjjF8oSr8U= =+ZWG -----END PGP SIGNATURE----- From bugzilla at redhat.com Tue Oct 2 17:50:47 2012 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Tue, 2 Oct 2012 17:50:47 +0000 Subject: [RHSA-2012:1326-01] Moderate: freeradius security update Message-ID: <201210021750.q92HolkI011254@int-mx12.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: freeradius security update Advisory ID: RHSA-2012:1326-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-1326.html Issue date: 2012-10-02 CVE Names: CVE-2012-3547 ===================================================================== 1. Summary: Updated freeradius packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64 3. Description: FreeRADIUS is a high-performance and highly configurable free Remote Authentication Dial In User Service (RADIUS) server, designed to allow centralized authentication and authorization for a network. A buffer overflow flaw was discovered in the way radiusd handled the expiration date field in X.509 client certificates. A remote attacker could possibly use this flaw to crash radiusd if it were configured to use the certificate or TLS tunnelled authentication methods (such as EAP-TLS, EAP-TTLS, and PEAP). (CVE-2012-3547) Red Hat would like to thank Timo Warns of PRESENSE Technologies GmbH for reporting this issue. Users of FreeRADIUS are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the update, radiusd will be restarted automatically. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 5. Bugs fixed (http://bugzilla.redhat.com/): 852752 - CVE-2012-3547 freeradius: stack-based buffer overflow via long expiration date fields in client X509 certificates 6. Package List: Red Hat Enterprise Linux Server (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/freeradius-2.1.12-4.el6_3.src.rpm i386: freeradius-2.1.12-4.el6_3.i686.rpm freeradius-debuginfo-2.1.12-4.el6_3.i686.rpm ppc64: freeradius-2.1.12-4.el6_3.ppc64.rpm freeradius-debuginfo-2.1.12-4.el6_3.ppc64.rpm s390x: freeradius-2.1.12-4.el6_3.s390x.rpm freeradius-debuginfo-2.1.12-4.el6_3.s390x.rpm x86_64: freeradius-2.1.12-4.el6_3.x86_64.rpm freeradius-debuginfo-2.1.12-4.el6_3.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/freeradius-2.1.12-4.el6_3.src.rpm i386: freeradius-debuginfo-2.1.12-4.el6_3.i686.rpm freeradius-krb5-2.1.12-4.el6_3.i686.rpm freeradius-ldap-2.1.12-4.el6_3.i686.rpm freeradius-mysql-2.1.12-4.el6_3.i686.rpm freeradius-perl-2.1.12-4.el6_3.i686.rpm freeradius-postgresql-2.1.12-4.el6_3.i686.rpm freeradius-python-2.1.12-4.el6_3.i686.rpm freeradius-unixODBC-2.1.12-4.el6_3.i686.rpm freeradius-utils-2.1.12-4.el6_3.i686.rpm ppc64: freeradius-debuginfo-2.1.12-4.el6_3.ppc64.rpm freeradius-krb5-2.1.12-4.el6_3.ppc64.rpm freeradius-ldap-2.1.12-4.el6_3.ppc64.rpm freeradius-mysql-2.1.12-4.el6_3.ppc64.rpm freeradius-perl-2.1.12-4.el6_3.ppc64.rpm freeradius-postgresql-2.1.12-4.el6_3.ppc64.rpm freeradius-python-2.1.12-4.el6_3.ppc64.rpm freeradius-unixODBC-2.1.12-4.el6_3.ppc64.rpm freeradius-utils-2.1.12-4.el6_3.ppc64.rpm s390x: freeradius-debuginfo-2.1.12-4.el6_3.s390x.rpm freeradius-krb5-2.1.12-4.el6_3.s390x.rpm freeradius-ldap-2.1.12-4.el6_3.s390x.rpm freeradius-mysql-2.1.12-4.el6_3.s390x.rpm freeradius-perl-2.1.12-4.el6_3.s390x.rpm freeradius-postgresql-2.1.12-4.el6_3.s390x.rpm freeradius-python-2.1.12-4.el6_3.s390x.rpm freeradius-unixODBC-2.1.12-4.el6_3.s390x.rpm freeradius-utils-2.1.12-4.el6_3.s390x.rpm x86_64: freeradius-debuginfo-2.1.12-4.el6_3.x86_64.rpm freeradius-krb5-2.1.12-4.el6_3.x86_64.rpm freeradius-ldap-2.1.12-4.el6_3.x86_64.rpm freeradius-mysql-2.1.12-4.el6_3.x86_64.rpm freeradius-perl-2.1.12-4.el6_3.x86_64.rpm freeradius-postgresql-2.1.12-4.el6_3.x86_64.rpm freeradius-python-2.1.12-4.el6_3.x86_64.rpm freeradius-unixODBC-2.1.12-4.el6_3.x86_64.rpm freeradius-utils-2.1.12-4.el6_3.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/freeradius-2.1.12-4.el6_3.src.rpm i386: freeradius-2.1.12-4.el6_3.i686.rpm freeradius-debuginfo-2.1.12-4.el6_3.i686.rpm x86_64: freeradius-2.1.12-4.el6_3.x86_64.rpm freeradius-debuginfo-2.1.12-4.el6_3.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/freeradius-2.1.12-4.el6_3.src.rpm i386: freeradius-debuginfo-2.1.12-4.el6_3.i686.rpm freeradius-krb5-2.1.12-4.el6_3.i686.rpm freeradius-ldap-2.1.12-4.el6_3.i686.rpm freeradius-mysql-2.1.12-4.el6_3.i686.rpm freeradius-perl-2.1.12-4.el6_3.i686.rpm freeradius-postgresql-2.1.12-4.el6_3.i686.rpm freeradius-python-2.1.12-4.el6_3.i686.rpm freeradius-unixODBC-2.1.12-4.el6_3.i686.rpm freeradius-utils-2.1.12-4.el6_3.i686.rpm x86_64: freeradius-debuginfo-2.1.12-4.el6_3.x86_64.rpm freeradius-krb5-2.1.12-4.el6_3.x86_64.rpm freeradius-ldap-2.1.12-4.el6_3.x86_64.rpm freeradius-mysql-2.1.12-4.el6_3.x86_64.rpm freeradius-perl-2.1.12-4.el6_3.x86_64.rpm freeradius-postgresql-2.1.12-4.el6_3.x86_64.rpm freeradius-python-2.1.12-4.el6_3.x86_64.rpm freeradius-unixODBC-2.1.12-4.el6_3.x86_64.rpm freeradius-utils-2.1.12-4.el6_3.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2012-3547.html https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2012 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFQayldXlSAg2UNWIIRAi0wAJ43yoeeFj/DFASH7i8W0L3YPGELmACgtkmd Y7wwyV0md0Hf3G2p6DsOxX8= =BYVX -----END PGP SIGNATURE----- From bugzilla at redhat.com Tue Oct 2 17:51:36 2012 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Tue, 2 Oct 2012 17:51:36 +0000 Subject: [RHSA-2012:1327-01] Moderate: freeradius2 security update Message-ID: <201210021751.q92HpaUH021826@int-mx01.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: freeradius2 security update Advisory ID: RHSA-2012:1327-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-1327.html Issue date: 2012-10-02 CVE Names: CVE-2012-3547 ===================================================================== 1. Summary: Updated freeradius2 packages that fix one security issue are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: RHEL Desktop Workstation (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64 3. Description: FreeRADIUS is a high-performance and highly configurable free Remote Authentication Dial In User Service (RADIUS) server, designed to allow centralized authentication and authorization for a network. A buffer overflow flaw was discovered in the way radiusd handled the expiration date field in X.509 client certificates. A remote attacker could possibly use this flaw to crash radiusd if it were configured to use the certificate or TLS tunnelled authentication methods (such as EAP-TLS, EAP-TTLS, and PEAP). (CVE-2012-3547) Red Hat would like to thank Timo Warns of PRESENSE Technologies GmbH for reporting this issue. Users of FreeRADIUS are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the update, radiusd will be restarted automatically. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 5. Bugs fixed (http://bugzilla.redhat.com/): 852752 - CVE-2012-3547 freeradius: stack-based buffer overflow via long expiration date fields in client X509 certificates 6. Package List: RHEL Desktop Workstation (v. 5 client): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/freeradius2-2.1.12-4.el5_8.src.rpm i386: freeradius2-2.1.12-4.el5_8.i386.rpm freeradius2-debuginfo-2.1.12-4.el5_8.i386.rpm freeradius2-krb5-2.1.12-4.el5_8.i386.rpm freeradius2-ldap-2.1.12-4.el5_8.i386.rpm freeradius2-mysql-2.1.12-4.el5_8.i386.rpm freeradius2-perl-2.1.12-4.el5_8.i386.rpm freeradius2-postgresql-2.1.12-4.el5_8.i386.rpm freeradius2-python-2.1.12-4.el5_8.i386.rpm freeradius2-unixODBC-2.1.12-4.el5_8.i386.rpm freeradius2-utils-2.1.12-4.el5_8.i386.rpm x86_64: freeradius2-2.1.12-4.el5_8.x86_64.rpm freeradius2-debuginfo-2.1.12-4.el5_8.x86_64.rpm freeradius2-krb5-2.1.12-4.el5_8.x86_64.rpm freeradius2-ldap-2.1.12-4.el5_8.x86_64.rpm freeradius2-mysql-2.1.12-4.el5_8.x86_64.rpm freeradius2-perl-2.1.12-4.el5_8.x86_64.rpm freeradius2-postgresql-2.1.12-4.el5_8.x86_64.rpm freeradius2-python-2.1.12-4.el5_8.x86_64.rpm freeradius2-unixODBC-2.1.12-4.el5_8.x86_64.rpm freeradius2-utils-2.1.12-4.el5_8.x86_64.rpm Red Hat Enterprise Linux (v. 5 server): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/freeradius2-2.1.12-4.el5_8.src.rpm i386: freeradius2-2.1.12-4.el5_8.i386.rpm freeradius2-debuginfo-2.1.12-4.el5_8.i386.rpm freeradius2-krb5-2.1.12-4.el5_8.i386.rpm freeradius2-ldap-2.1.12-4.el5_8.i386.rpm freeradius2-mysql-2.1.12-4.el5_8.i386.rpm freeradius2-perl-2.1.12-4.el5_8.i386.rpm freeradius2-postgresql-2.1.12-4.el5_8.i386.rpm freeradius2-python-2.1.12-4.el5_8.i386.rpm freeradius2-unixODBC-2.1.12-4.el5_8.i386.rpm freeradius2-utils-2.1.12-4.el5_8.i386.rpm ia64: freeradius2-2.1.12-4.el5_8.ia64.rpm freeradius2-debuginfo-2.1.12-4.el5_8.ia64.rpm freeradius2-krb5-2.1.12-4.el5_8.ia64.rpm freeradius2-ldap-2.1.12-4.el5_8.ia64.rpm freeradius2-mysql-2.1.12-4.el5_8.ia64.rpm freeradius2-perl-2.1.12-4.el5_8.ia64.rpm freeradius2-postgresql-2.1.12-4.el5_8.ia64.rpm freeradius2-python-2.1.12-4.el5_8.ia64.rpm freeradius2-unixODBC-2.1.12-4.el5_8.ia64.rpm freeradius2-utils-2.1.12-4.el5_8.ia64.rpm ppc: freeradius2-2.1.12-4.el5_8.ppc.rpm freeradius2-debuginfo-2.1.12-4.el5_8.ppc.rpm freeradius2-krb5-2.1.12-4.el5_8.ppc.rpm freeradius2-ldap-2.1.12-4.el5_8.ppc.rpm freeradius2-mysql-2.1.12-4.el5_8.ppc.rpm freeradius2-perl-2.1.12-4.el5_8.ppc.rpm freeradius2-postgresql-2.1.12-4.el5_8.ppc.rpm freeradius2-python-2.1.12-4.el5_8.ppc.rpm freeradius2-unixODBC-2.1.12-4.el5_8.ppc.rpm freeradius2-utils-2.1.12-4.el5_8.ppc.rpm s390x: freeradius2-2.1.12-4.el5_8.s390x.rpm freeradius2-debuginfo-2.1.12-4.el5_8.s390x.rpm freeradius2-krb5-2.1.12-4.el5_8.s390x.rpm freeradius2-ldap-2.1.12-4.el5_8.s390x.rpm freeradius2-mysql-2.1.12-4.el5_8.s390x.rpm freeradius2-perl-2.1.12-4.el5_8.s390x.rpm freeradius2-postgresql-2.1.12-4.el5_8.s390x.rpm freeradius2-python-2.1.12-4.el5_8.s390x.rpm freeradius2-unixODBC-2.1.12-4.el5_8.s390x.rpm freeradius2-utils-2.1.12-4.el5_8.s390x.rpm x86_64: freeradius2-2.1.12-4.el5_8.x86_64.rpm freeradius2-debuginfo-2.1.12-4.el5_8.x86_64.rpm freeradius2-krb5-2.1.12-4.el5_8.x86_64.rpm freeradius2-ldap-2.1.12-4.el5_8.x86_64.rpm freeradius2-mysql-2.1.12-4.el5_8.x86_64.rpm freeradius2-perl-2.1.12-4.el5_8.x86_64.rpm freeradius2-postgresql-2.1.12-4.el5_8.x86_64.rpm freeradius2-python-2.1.12-4.el5_8.x86_64.rpm freeradius2-unixODBC-2.1.12-4.el5_8.x86_64.rpm freeradius2-utils-2.1.12-4.el5_8.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2012-3547.html https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2012 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFQaymGXlSAg2UNWIIRAngnAKCq0SHW8mZ2pquRyjNGC42RbTwsaQCcCbiJ i0Ife1iwEBtiNtz6Za1nIt4= =jl3I -----END PGP SIGNATURE----- From bugzilla at redhat.com Tue Oct 9 07:52:22 2012 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Tue, 9 Oct 2012 07:52:22 +0000 Subject: [RHSA-2012:1346-01] Critical: flash-plugin security update Message-ID: <201210090759.q997xhl2005729@int-mx02.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Critical: flash-plugin security update Advisory ID: RHSA-2012:1346-01 Product: Red Hat Enterprise Linux Extras Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-1346.html Issue date: 2012-10-09 CVE Names: CVE-2012-5248 CVE-2012-5249 CVE-2012-5250 CVE-2012-5251 CVE-2012-5252 CVE-2012-5253 CVE-2012-5254 CVE-2012-5255 CVE-2012-5256 CVE-2012-5257 CVE-2012-5258 CVE-2012-5259 CVE-2012-5260 CVE-2012-5261 CVE-2012-5262 CVE-2012-5263 CVE-2012-5264 CVE-2012-5265 CVE-2012-5266 CVE-2012-5267 CVE-2012-5268 CVE-2012-5269 CVE-2012-5270 CVE-2012-5271 CVE-2012-5272 ===================================================================== 1. Summary: An updated Adobe Flash Player package that fixes several security issues is now available for Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64 Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64 Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64 Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64 3. Description: The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in. This update fixes several vulnerabilities in Adobe Flash Player. These vulnerabilities are detailed on the Adobe security page APSB12-22, listed in the References section. Specially-crafted SWF content could cause flash-plugin to crash or, potentially, execute arbitrary code when a victim loads a page containing the malicious SWF content. (CVE-2012-5248, CVE-2012-5249, CVE-2012-5250, CVE-2012-5251, CVE-2012-5252, CVE-2012-5253, CVE-2012-5254, CVE-2012-5255, CVE-2012-5256, CVE-2012-5257, CVE-2012-5258, CVE-2012-5259, CVE-2012-5260, CVE-2012-5261, CVE-2012-5262, CVE-2012-5263, CVE-2012-5264, CVE-2012-5265, CVE-2012-5266, CVE-2012-5267, CVE-2012-5268, CVE-2012-5269, CVE-2012-5270, CVE-2012-5271, CVE-2012-5272) All users of Adobe Flash Player should install this updated package, which upgrades Flash Player to version 11.2.202.243. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 5. Bugs fixed (http://bugzilla.redhat.com/): 864284 - flash-plugin: multiple code-execution flaws (APSB12-22) 6. Package List: Red Hat Enterprise Linux Desktop Supplementary (v. 5): i386: flash-plugin-11.2.202.243-1.el5.i386.rpm x86_64: flash-plugin-11.2.202.243-1.el5.i386.rpm Red Hat Enterprise Linux Server Supplementary (v. 5): i386: flash-plugin-11.2.202.243-1.el5.i386.rpm x86_64: flash-plugin-11.2.202.243-1.el5.i386.rpm Red Hat Enterprise Linux Desktop Supplementary (v. 6): i386: flash-plugin-11.2.202.243-1.el6.i686.rpm x86_64: flash-plugin-11.2.202.243-1.el6.i686.rpm Red Hat Enterprise Linux Server Supplementary (v. 6): i386: flash-plugin-11.2.202.243-1.el6.i686.rpm x86_64: flash-plugin-11.2.202.243-1.el6.i686.rpm Red Hat Enterprise Linux Workstation Supplementary (v. 6): i386: flash-plugin-11.2.202.243-1.el6.i686.rpm x86_64: flash-plugin-11.2.202.243-1.el6.i686.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2012-5248.html https://www.redhat.com/security/data/cve/CVE-2012-5249.html https://www.redhat.com/security/data/cve/CVE-2012-5250.html https://www.redhat.com/security/data/cve/CVE-2012-5251.html https://www.redhat.com/security/data/cve/CVE-2012-5252.html https://www.redhat.com/security/data/cve/CVE-2012-5253.html https://www.redhat.com/security/data/cve/CVE-2012-5254.html https://www.redhat.com/security/data/cve/CVE-2012-5255.html https://www.redhat.com/security/data/cve/CVE-2012-5256.html https://www.redhat.com/security/data/cve/CVE-2012-5257.html https://www.redhat.com/security/data/cve/CVE-2012-5258.html https://www.redhat.com/security/data/cve/CVE-2012-5259.html https://www.redhat.com/security/data/cve/CVE-2012-5260.html https://www.redhat.com/security/data/cve/CVE-2012-5261.html https://www.redhat.com/security/data/cve/CVE-2012-5262.html https://www.redhat.com/security/data/cve/CVE-2012-5263.html https://www.redhat.com/security/data/cve/CVE-2012-5264.html https://www.redhat.com/security/data/cve/CVE-2012-5265.html https://www.redhat.com/security/data/cve/CVE-2012-5266.html https://www.redhat.com/security/data/cve/CVE-2012-5267.html https://www.redhat.com/security/data/cve/CVE-2012-5268.html https://www.redhat.com/security/data/cve/CVE-2012-5269.html https://www.redhat.com/security/data/cve/CVE-2012-5270.html https://www.redhat.com/security/data/cve/CVE-2012-5271.html https://www.redhat.com/security/data/cve/CVE-2012-5272.html https://access.redhat.com/security/updates/classification/#critical http://www.adobe.com/support/security/bulletins/apsb12-22.html 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2012 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFQc9lAXlSAg2UNWIIRAmMNAJ9/iz3/6iGteMGTU4y9VZCDnIuTcgCgwHYI Ueh0ulQGOXSNmABZxKn8d5c= =0ify -----END PGP SIGNATURE----- From bugzilla at redhat.com Tue Oct 9 10:51:11 2012 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Tue, 9 Oct 2012 10:51:11 +0000 Subject: [RHSA-2012:1347-01] Important: kernel security and bug fix update Message-ID: <201210091051.q99ApCBI012474@int-mx10.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: kernel security and bug fix update Advisory ID: RHSA-2012:1347-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-1347.html Issue date: 2012-10-09 CVE Names: CVE-2012-2319 CVE-2012-3412 ===================================================================== 1. Summary: Updated kernel packages that fix two security issues and one bug are now available for Red Hat Enterprise Linux 5.6 Extended Update Support. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux EUS (v. 5.6 server) - i386, ia64, noarch, ppc, s390x, x86_64 3. Description: The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues: * A flaw was found in the way socket buffers (skb) requiring TSO (TCP segment offloading) were handled by the sfc driver. If the skb did not fit within the minimum-size of the transmission queue, the network card could repeatedly reset itself. A remote attacker could use this flaw to cause a denial of service. (CVE-2012-3412, Important) * A buffer overflow flaw was found in the hfs_bnode_read() function in the HFS Plus (HFS+) file system implementation in the Linux kernel. A local user able to mount a specially-crafted HFS+ file system image could use this flaw to cause a denial of service or escalate their privileges. (CVE-2012-2319, Low) Red Hat would like to thank Ben Hutchings of Solarflare (tm) for reporting CVE-2012-3412. This update also fixes the following bug: * Some subsystems clear the TIF_SIGPENDING flag during error handling in fork() paths. Previously, if the flag was cleared, the ERESTARTNOINTR error code could be returned. The underlying source code has been modified so that the error code is no longer returned. (BZ#855754) Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 To install kernel packages manually, use "rpm -ivh [package]". Do not use "rpm -Uvh" as that will remove the running kernel binaries from your system. You may use "rpm -e" to remove old kernels after determining that the new kernel functions properly on your system. 5. Bugs fixed (http://bugzilla.redhat.com/): 819471 - CVE-2012-2319 kernel: Buffer overflow in the HFS plus filesystem (different issue than CVE-2009-4020) 844714 - CVE-2012-3412 kernel: sfc: potential remote denial of service through TCP MSS option 6. Package List: Red Hat Enterprise Linux EUS (v. 5.6 server): Source: kernel-2.6.18-238.45.1.el5.src.rpm i386: kernel-2.6.18-238.45.1.el5.i686.rpm kernel-PAE-2.6.18-238.45.1.el5.i686.rpm kernel-PAE-debuginfo-2.6.18-238.45.1.el5.i686.rpm kernel-PAE-devel-2.6.18-238.45.1.el5.i686.rpm kernel-debug-2.6.18-238.45.1.el5.i686.rpm kernel-debug-debuginfo-2.6.18-238.45.1.el5.i686.rpm kernel-debug-devel-2.6.18-238.45.1.el5.i686.rpm kernel-debuginfo-2.6.18-238.45.1.el5.i686.rpm kernel-debuginfo-common-2.6.18-238.45.1.el5.i686.rpm kernel-devel-2.6.18-238.45.1.el5.i686.rpm kernel-headers-2.6.18-238.45.1.el5.i386.rpm kernel-xen-2.6.18-238.45.1.el5.i686.rpm kernel-xen-debuginfo-2.6.18-238.45.1.el5.i686.rpm kernel-xen-devel-2.6.18-238.45.1.el5.i686.rpm ia64: kernel-2.6.18-238.45.1.el5.ia64.rpm kernel-debug-2.6.18-238.45.1.el5.ia64.rpm kernel-debug-debuginfo-2.6.18-238.45.1.el5.ia64.rpm kernel-debug-devel-2.6.18-238.45.1.el5.ia64.rpm kernel-debuginfo-2.6.18-238.45.1.el5.ia64.rpm kernel-debuginfo-common-2.6.18-238.45.1.el5.ia64.rpm kernel-devel-2.6.18-238.45.1.el5.ia64.rpm kernel-headers-2.6.18-238.45.1.el5.ia64.rpm kernel-xen-2.6.18-238.45.1.el5.ia64.rpm kernel-xen-debuginfo-2.6.18-238.45.1.el5.ia64.rpm kernel-xen-devel-2.6.18-238.45.1.el5.ia64.rpm noarch: kernel-doc-2.6.18-238.45.1.el5.noarch.rpm ppc: kernel-2.6.18-238.45.1.el5.ppc64.rpm kernel-debug-2.6.18-238.45.1.el5.ppc64.rpm kernel-debug-debuginfo-2.6.18-238.45.1.el5.ppc64.rpm kernel-debug-devel-2.6.18-238.45.1.el5.ppc64.rpm kernel-debuginfo-2.6.18-238.45.1.el5.ppc64.rpm kernel-debuginfo-common-2.6.18-238.45.1.el5.ppc64.rpm kernel-devel-2.6.18-238.45.1.el5.ppc64.rpm kernel-headers-2.6.18-238.45.1.el5.ppc.rpm kernel-headers-2.6.18-238.45.1.el5.ppc64.rpm kernel-kdump-2.6.18-238.45.1.el5.ppc64.rpm kernel-kdump-debuginfo-2.6.18-238.45.1.el5.ppc64.rpm kernel-kdump-devel-2.6.18-238.45.1.el5.ppc64.rpm s390x: kernel-2.6.18-238.45.1.el5.s390x.rpm kernel-debug-2.6.18-238.45.1.el5.s390x.rpm kernel-debug-debuginfo-2.6.18-238.45.1.el5.s390x.rpm kernel-debug-devel-2.6.18-238.45.1.el5.s390x.rpm kernel-debuginfo-2.6.18-238.45.1.el5.s390x.rpm kernel-debuginfo-common-2.6.18-238.45.1.el5.s390x.rpm kernel-devel-2.6.18-238.45.1.el5.s390x.rpm kernel-headers-2.6.18-238.45.1.el5.s390x.rpm kernel-kdump-2.6.18-238.45.1.el5.s390x.rpm kernel-kdump-debuginfo-2.6.18-238.45.1.el5.s390x.rpm kernel-kdump-devel-2.6.18-238.45.1.el5.s390x.rpm x86_64: kernel-2.6.18-238.45.1.el5.x86_64.rpm kernel-debug-2.6.18-238.45.1.el5.x86_64.rpm kernel-debug-debuginfo-2.6.18-238.45.1.el5.x86_64.rpm kernel-debug-devel-2.6.18-238.45.1.el5.x86_64.rpm kernel-debuginfo-2.6.18-238.45.1.el5.x86_64.rpm kernel-debuginfo-common-2.6.18-238.45.1.el5.x86_64.rpm kernel-devel-2.6.18-238.45.1.el5.x86_64.rpm kernel-headers-2.6.18-238.45.1.el5.x86_64.rpm kernel-xen-2.6.18-238.45.1.el5.x86_64.rpm kernel-xen-debuginfo-2.6.18-238.45.1.el5.x86_64.rpm kernel-xen-devel-2.6.18-238.45.1.el5.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2012-2319.html https://www.redhat.com/security/data/cve/CVE-2012-3412.html https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2012 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFQdAFXXlSAg2UNWIIRAmtrAJ4yUd3yYbh5rvQeaKGG/PxQANSKHgCgnSgA tSLZaKb0Jn/gx9w67mExRp4= =resj -----END PGP SIGNATURE----- From bugzilla at redhat.com Tue Oct 9 23:42:18 2012 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Tue, 9 Oct 2012 23:42:18 +0000 Subject: [RHSA-2012:1350-01] Critical: firefox security and bug fix update Message-ID: <201210092342.q99NgItL028802@int-mx02.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Critical: firefox security and bug fix update Advisory ID: RHSA-2012:1350-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-1350.html Issue date: 2012-10-09 CVE Names: CVE-2012-1956 CVE-2012-3982 CVE-2012-3986 CVE-2012-3988 CVE-2012-3990 CVE-2012-3991 CVE-2012-3992 CVE-2012-3993 CVE-2012-3994 CVE-2012-3995 CVE-2012-4179 CVE-2012-4180 CVE-2012-4181 CVE-2012-4182 CVE-2012-4183 CVE-2012-4184 CVE-2012-4185 CVE-2012-4186 CVE-2012-4187 CVE-2012-4188 ===================================================================== 1. Summary: Updated firefox packages that fix several security issues and one bug are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: RHEL Desktop Workstation (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64 3. Description: Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2012-3982, CVE-2012-3988, CVE-2012-3990, CVE-2012-3995, CVE-2012-4179, CVE-2012-4180, CVE-2012-4181, CVE-2012-4182, CVE-2012-4183, CVE-2012-4185, CVE-2012-4186, CVE-2012-4187, CVE-2012-4188) Two flaws in Firefox could allow a malicious website to bypass intended restrictions, possibly leading to information disclosure, or Firefox executing arbitrary code. Note that the information disclosure issue could possibly be combined with other flaws to achieve arbitrary code execution. (CVE-2012-3986, CVE-2012-3991) Multiple flaws were found in the location object implementation in Firefox. Malicious content could be used to perform cross-site scripting attacks, script injection, or spoofing attacks. (CVE-2012-1956, CVE-2012-3992, CVE-2012-3994) Two flaws were found in the way Chrome Object Wrappers were implemented. Malicious content could be used to perform cross-site scripting attacks or cause Firefox to execute arbitrary code. (CVE-2012-3993, CVE-2012-4184) For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 10.0.8 ESR. You can find a link to the Mozilla advisories in the References section of this erratum. Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Christian Holler, Jesse Ruderman, Soroush Dalili, miaubiz, Abhishek Arya, Atte Kettunen, Johnny Stenback, Alice White, moz_bug_r_a4, and Mariusz Mlynski as the original reporters of these issues. This update also fixes the following bug: * In certain environments, storing personal Firefox configuration files (~/.mozilla/) on an NFS share, such as when your home directory is on a NFS share, led to Firefox functioning incorrectly, for example, navigation buttons not working as expected, and bookmarks not saving. This update adds a new configuration option, storage.nfs_filesystem, that can be used to resolve this issue. If you experience this issue: 1) Start Firefox. 2) Type "about:config" (without quotes) into the URL bar and press the Enter key. 3) If prompted with "This might void your warranty!", click the "I'll be careful, I promise!" button. 4) Right-click in the Preference Name list. In the menu that opens, select New -> Boolean. 5) Type "storage.nfs_filesystem" (without quotes) for the preference name and then click the OK button. 6) Select "true" for the boolean value and then press the OK button. (BZ#809571, BZ#816234) All Firefox users should upgrade to these updated packages, which contain Firefox version 10.0.8 ESR, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 5. Bugs fixed (http://bugzilla.redhat.com/): 851912 - CVE-2012-1956 Mozilla: Location object can be shadowed using Object.defineProperty (MFSA 2012-59) 863614 - CVE-2012-3982 Mozilla: Miscellaneous memory safety hazards (rv:10.0.8) (MFSA 2012-74) 863618 - CVE-2012-3986 Mozilla: Some DOMWindowUtils methods bypass security checks (MFSA 2012-77) 863619 - CVE-2012-3988 Mozilla: DOS and crash with full screen and history navigation (MFSA 2012-79) 863621 - CVE-2012-3991 Mozilla: GetProperty function can bypass security checks (MFSA 2012-81) 863622 - CVE-2012-3994 Mozilla: top object and location property accessible by plugins (MFSA 2012-82) 863623 - CVE-2012-3993 CVE-2012-4184 Mozilla: Chrome Object Wrapper (COW) does not disallow acces to privileged functions or properties (MFSA 2012-83) 863624 - CVE-2012-3992 Mozilla: Spoofing and script injection through location.hash (MFSA 2012-84) 863625 - CVE-2012-3995 CVE-2012-4179 CVE-2012-4180 CVE-2012-4181 CVE-2012-4182 CVE-2012-4183 Mozilla: Use-after-free, buffer overflow, and out of bounds read issues found using Address Sanitizer (MFSA 2012-85) 863626 - CVE-2012-4185 CVE-2012-4186 CVE-2012-4187 CVE-2012-4188 Mozilla: Heap memory corruption issues found using Address Sanitizer (MFSA 2012-86) 863628 - CVE-2012-3990 Mozilla: Use-after-free in the IME State Manager (MFSA 2012-87) 6. Package List: Red Hat Enterprise Linux Desktop (v. 5 client): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/firefox-10.0.8-1.el5_8.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/xulrunner-10.0.8-1.el5_8.src.rpm i386: firefox-10.0.8-1.el5_8.i386.rpm firefox-debuginfo-10.0.8-1.el5_8.i386.rpm xulrunner-10.0.8-1.el5_8.i386.rpm xulrunner-debuginfo-10.0.8-1.el5_8.i386.rpm x86_64: firefox-10.0.8-1.el5_8.i386.rpm firefox-10.0.8-1.el5_8.x86_64.rpm firefox-debuginfo-10.0.8-1.el5_8.i386.rpm firefox-debuginfo-10.0.8-1.el5_8.x86_64.rpm xulrunner-10.0.8-1.el5_8.i386.rpm xulrunner-10.0.8-1.el5_8.x86_64.rpm xulrunner-debuginfo-10.0.8-1.el5_8.i386.rpm xulrunner-debuginfo-10.0.8-1.el5_8.x86_64.rpm RHEL Desktop Workstation (v. 5 client): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/xulrunner-10.0.8-1.el5_8.src.rpm i386: xulrunner-debuginfo-10.0.8-1.el5_8.i386.rpm xulrunner-devel-10.0.8-1.el5_8.i386.rpm x86_64: xulrunner-debuginfo-10.0.8-1.el5_8.i386.rpm xulrunner-debuginfo-10.0.8-1.el5_8.x86_64.rpm xulrunner-devel-10.0.8-1.el5_8.i386.rpm xulrunner-devel-10.0.8-1.el5_8.x86_64.rpm Red Hat Enterprise Linux (v. 5 server): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/firefox-10.0.8-1.el5_8.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/xulrunner-10.0.8-1.el5_8.src.rpm i386: firefox-10.0.8-1.el5_8.i386.rpm firefox-debuginfo-10.0.8-1.el5_8.i386.rpm xulrunner-10.0.8-1.el5_8.i386.rpm xulrunner-debuginfo-10.0.8-1.el5_8.i386.rpm xulrunner-devel-10.0.8-1.el5_8.i386.rpm ia64: firefox-10.0.8-1.el5_8.ia64.rpm firefox-debuginfo-10.0.8-1.el5_8.ia64.rpm xulrunner-10.0.8-1.el5_8.ia64.rpm xulrunner-debuginfo-10.0.8-1.el5_8.ia64.rpm xulrunner-devel-10.0.8-1.el5_8.ia64.rpm ppc: firefox-10.0.8-1.el5_8.ppc.rpm firefox-debuginfo-10.0.8-1.el5_8.ppc.rpm xulrunner-10.0.8-1.el5_8.ppc.rpm xulrunner-10.0.8-1.el5_8.ppc64.rpm xulrunner-debuginfo-10.0.8-1.el5_8.ppc.rpm xulrunner-debuginfo-10.0.8-1.el5_8.ppc64.rpm xulrunner-devel-10.0.8-1.el5_8.ppc.rpm xulrunner-devel-10.0.8-1.el5_8.ppc64.rpm s390x: firefox-10.0.8-1.el5_8.s390.rpm firefox-10.0.8-1.el5_8.s390x.rpm firefox-debuginfo-10.0.8-1.el5_8.s390.rpm firefox-debuginfo-10.0.8-1.el5_8.s390x.rpm xulrunner-10.0.8-1.el5_8.s390.rpm xulrunner-10.0.8-1.el5_8.s390x.rpm xulrunner-debuginfo-10.0.8-1.el5_8.s390.rpm xulrunner-debuginfo-10.0.8-1.el5_8.s390x.rpm xulrunner-devel-10.0.8-1.el5_8.s390.rpm xulrunner-devel-10.0.8-1.el5_8.s390x.rpm x86_64: firefox-10.0.8-1.el5_8.i386.rpm firefox-10.0.8-1.el5_8.x86_64.rpm firefox-debuginfo-10.0.8-1.el5_8.i386.rpm firefox-debuginfo-10.0.8-1.el5_8.x86_64.rpm xulrunner-10.0.8-1.el5_8.i386.rpm xulrunner-10.0.8-1.el5_8.x86_64.rpm xulrunner-debuginfo-10.0.8-1.el5_8.i386.rpm xulrunner-debuginfo-10.0.8-1.el5_8.x86_64.rpm xulrunner-devel-10.0.8-1.el5_8.i386.rpm xulrunner-devel-10.0.8-1.el5_8.x86_64.rpm Red Hat Enterprise Linux Desktop (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/firefox-10.0.8-1.el6_3.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/xulrunner-10.0.8-1.el6_3.src.rpm i386: firefox-10.0.8-1.el6_3.i686.rpm firefox-debuginfo-10.0.8-1.el6_3.i686.rpm xulrunner-10.0.8-1.el6_3.i686.rpm xulrunner-debuginfo-10.0.8-1.el6_3.i686.rpm x86_64: firefox-10.0.8-1.el6_3.i686.rpm firefox-10.0.8-1.el6_3.x86_64.rpm firefox-debuginfo-10.0.8-1.el6_3.i686.rpm firefox-debuginfo-10.0.8-1.el6_3.x86_64.rpm xulrunner-10.0.8-1.el6_3.i686.rpm xulrunner-10.0.8-1.el6_3.x86_64.rpm xulrunner-debuginfo-10.0.8-1.el6_3.i686.rpm xulrunner-debuginfo-10.0.8-1.el6_3.x86_64.rpm Red Hat Enterprise Linux Desktop Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/xulrunner-10.0.8-1.el6_3.src.rpm i386: xulrunner-debuginfo-10.0.8-1.el6_3.i686.rpm xulrunner-devel-10.0.8-1.el6_3.i686.rpm x86_64: xulrunner-debuginfo-10.0.8-1.el6_3.i686.rpm xulrunner-debuginfo-10.0.8-1.el6_3.x86_64.rpm xulrunner-devel-10.0.8-1.el6_3.i686.rpm xulrunner-devel-10.0.8-1.el6_3.x86_64.rpm Red Hat Enterprise Linux HPC Node Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/firefox-10.0.8-1.el6_3.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/xulrunner-10.0.8-1.el6_3.src.rpm x86_64: firefox-10.0.8-1.el6_3.i686.rpm firefox-10.0.8-1.el6_3.x86_64.rpm firefox-debuginfo-10.0.8-1.el6_3.i686.rpm firefox-debuginfo-10.0.8-1.el6_3.x86_64.rpm xulrunner-10.0.8-1.el6_3.i686.rpm xulrunner-10.0.8-1.el6_3.x86_64.rpm xulrunner-debuginfo-10.0.8-1.el6_3.i686.rpm xulrunner-debuginfo-10.0.8-1.el6_3.x86_64.rpm xulrunner-devel-10.0.8-1.el6_3.i686.rpm xulrunner-devel-10.0.8-1.el6_3.x86_64.rpm Red Hat Enterprise Linux Server (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/firefox-10.0.8-1.el6_3.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/xulrunner-10.0.8-1.el6_3.src.rpm i386: firefox-10.0.8-1.el6_3.i686.rpm firefox-debuginfo-10.0.8-1.el6_3.i686.rpm xulrunner-10.0.8-1.el6_3.i686.rpm xulrunner-debuginfo-10.0.8-1.el6_3.i686.rpm ppc64: firefox-10.0.8-1.el6_3.ppc.rpm firefox-10.0.8-1.el6_3.ppc64.rpm firefox-debuginfo-10.0.8-1.el6_3.ppc.rpm firefox-debuginfo-10.0.8-1.el6_3.ppc64.rpm xulrunner-10.0.8-1.el6_3.ppc.rpm xulrunner-10.0.8-1.el6_3.ppc64.rpm xulrunner-debuginfo-10.0.8-1.el6_3.ppc.rpm xulrunner-debuginfo-10.0.8-1.el6_3.ppc64.rpm s390x: firefox-10.0.8-1.el6_3.s390.rpm firefox-10.0.8-1.el6_3.s390x.rpm firefox-debuginfo-10.0.8-1.el6_3.s390.rpm firefox-debuginfo-10.0.8-1.el6_3.s390x.rpm xulrunner-10.0.8-1.el6_3.s390.rpm xulrunner-10.0.8-1.el6_3.s390x.rpm xulrunner-debuginfo-10.0.8-1.el6_3.s390.rpm xulrunner-debuginfo-10.0.8-1.el6_3.s390x.rpm x86_64: firefox-10.0.8-1.el6_3.i686.rpm firefox-10.0.8-1.el6_3.x86_64.rpm firefox-debuginfo-10.0.8-1.el6_3.i686.rpm firefox-debuginfo-10.0.8-1.el6_3.x86_64.rpm xulrunner-10.0.8-1.el6_3.i686.rpm xulrunner-10.0.8-1.el6_3.x86_64.rpm xulrunner-debuginfo-10.0.8-1.el6_3.i686.rpm xulrunner-debuginfo-10.0.8-1.el6_3.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/xulrunner-10.0.8-1.el6_3.src.rpm i386: xulrunner-debuginfo-10.0.8-1.el6_3.i686.rpm xulrunner-devel-10.0.8-1.el6_3.i686.rpm ppc64: xulrunner-debuginfo-10.0.8-1.el6_3.ppc.rpm xulrunner-debuginfo-10.0.8-1.el6_3.ppc64.rpm xulrunner-devel-10.0.8-1.el6_3.ppc.rpm xulrunner-devel-10.0.8-1.el6_3.ppc64.rpm s390x: xulrunner-debuginfo-10.0.8-1.el6_3.s390.rpm xulrunner-debuginfo-10.0.8-1.el6_3.s390x.rpm xulrunner-devel-10.0.8-1.el6_3.s390.rpm xulrunner-devel-10.0.8-1.el6_3.s390x.rpm x86_64: xulrunner-debuginfo-10.0.8-1.el6_3.i686.rpm xulrunner-debuginfo-10.0.8-1.el6_3.x86_64.rpm xulrunner-devel-10.0.8-1.el6_3.i686.rpm xulrunner-devel-10.0.8-1.el6_3.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/firefox-10.0.8-1.el6_3.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/xulrunner-10.0.8-1.el6_3.src.rpm i386: firefox-10.0.8-1.el6_3.i686.rpm firefox-debuginfo-10.0.8-1.el6_3.i686.rpm xulrunner-10.0.8-1.el6_3.i686.rpm xulrunner-debuginfo-10.0.8-1.el6_3.i686.rpm x86_64: firefox-10.0.8-1.el6_3.i686.rpm firefox-10.0.8-1.el6_3.x86_64.rpm firefox-debuginfo-10.0.8-1.el6_3.i686.rpm firefox-debuginfo-10.0.8-1.el6_3.x86_64.rpm xulrunner-10.0.8-1.el6_3.i686.rpm xulrunner-10.0.8-1.el6_3.x86_64.rpm xulrunner-debuginfo-10.0.8-1.el6_3.i686.rpm xulrunner-debuginfo-10.0.8-1.el6_3.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/xulrunner-10.0.8-1.el6_3.src.rpm i386: xulrunner-debuginfo-10.0.8-1.el6_3.i686.rpm xulrunner-devel-10.0.8-1.el6_3.i686.rpm x86_64: xulrunner-debuginfo-10.0.8-1.el6_3.i686.rpm xulrunner-debuginfo-10.0.8-1.el6_3.x86_64.rpm xulrunner-devel-10.0.8-1.el6_3.i686.rpm xulrunner-devel-10.0.8-1.el6_3.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2012-1956.html https://www.redhat.com/security/data/cve/CVE-2012-3982.html https://www.redhat.com/security/data/cve/CVE-2012-3986.html https://www.redhat.com/security/data/cve/CVE-2012-3988.html https://www.redhat.com/security/data/cve/CVE-2012-3990.html https://www.redhat.com/security/data/cve/CVE-2012-3991.html https://www.redhat.com/security/data/cve/CVE-2012-3992.html https://www.redhat.com/security/data/cve/CVE-2012-3993.html https://www.redhat.com/security/data/cve/CVE-2012-3994.html https://www.redhat.com/security/data/cve/CVE-2012-3995.html https://www.redhat.com/security/data/cve/CVE-2012-4179.html https://www.redhat.com/security/data/cve/CVE-2012-4180.html https://www.redhat.com/security/data/cve/CVE-2012-4181.html https://www.redhat.com/security/data/cve/CVE-2012-4182.html https://www.redhat.com/security/data/cve/CVE-2012-4183.html https://www.redhat.com/security/data/cve/CVE-2012-4184.html https://www.redhat.com/security/data/cve/CVE-2012-4185.html https://www.redhat.com/security/data/cve/CVE-2012-4186.html https://www.redhat.com/security/data/cve/CVE-2012-4187.html https://www.redhat.com/security/data/cve/CVE-2012-4188.html https://access.redhat.com/security/updates/classification/#critical http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2012 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFQdLY5XlSAg2UNWIIRAnUqAJ9FqrMrVYnAK3BMSWKCymdzOlzQ5QCfWUID kHcy4qAvdwVc9y68bU/dleM= =bsu8 -----END PGP SIGNATURE----- From bugzilla at redhat.com Tue Oct 9 23:43:02 2012 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Tue, 9 Oct 2012 23:43:02 +0000 Subject: [RHSA-2012:1351-01] Critical: thunderbird security update Message-ID: <201210092343.q99Nh2KT007956@int-mx11.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Critical: thunderbird security update Advisory ID: RHSA-2012:1351-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-1351.html Issue date: 2012-10-09 CVE Names: CVE-2012-1956 CVE-2012-3982 CVE-2012-3986 CVE-2012-3988 CVE-2012-3990 CVE-2012-3991 CVE-2012-3992 CVE-2012-3993 CVE-2012-3994 CVE-2012-3995 CVE-2012-4179 CVE-2012-4180 CVE-2012-4181 CVE-2012-4182 CVE-2012-4183 CVE-2012-4184 CVE-2012-4185 CVE-2012-4186 CVE-2012-4187 CVE-2012-4188 ===================================================================== 1. Summary: An updated thunderbird package that fixes several security issues is now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: RHEL Optional Productivity Applications (v. 5 server) - i386, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 3. Description: Mozilla Thunderbird is a standalone mail and newsgroup client. Several flaws were found in the processing of malformed content. Malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2012-3982, CVE-2012-3988, CVE-2012-3990, CVE-2012-3995, CVE-2012-4179, CVE-2012-4180, CVE-2012-4181, CVE-2012-4182, CVE-2012-4183, CVE-2012-4185, CVE-2012-4186, CVE-2012-4187, CVE-2012-4188) Two flaws in Thunderbird could allow malicious content to bypass intended restrictions, possibly leading to information disclosure, or Thunderbird executing arbitrary code. Note that the information disclosure issue could possibly be combined with other flaws to achieve arbitrary code execution. (CVE-2012-3986, CVE-2012-3991) Multiple flaws were found in the location object implementation in Thunderbird. Malicious content could be used to perform cross-site scripting attacks, script injection, or spoofing attacks. (CVE-2012-1956, CVE-2012-3992, CVE-2012-3994) Two flaws were found in the way Chrome Object Wrappers were implemented. Malicious content could be used to perform cross-site scripting attacks or cause Thunderbird to execute arbitrary code. (CVE-2012-3993, CVE-2012-4184) Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Christian Holler, Jesse Ruderman, Soroush Dalili, miaubiz, Abhishek Arya, Atte Kettunen, Johnny Stenback, Alice White, moz_bug_r_a4, and Mariusz Mlynski as the original reporters of these issues. Note: None of the issues in this advisory can be exploited by a specially-crafted HTML mail message as JavaScript is disabled by default for mail messages. They could be exploited another way in Thunderbird, for example, when viewing the full remote content of an RSS feed. All Thunderbird users should upgrade to this updated package, which contains Thunderbird version 10.0.8 ESR, which corrects these issues. After installing the update, Thunderbird must be restarted for the changes to take effect. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 5. Bugs fixed (http://bugzilla.redhat.com/): 851912 - CVE-2012-1956 Mozilla: Location object can be shadowed using Object.defineProperty (MFSA 2012-59) 863614 - CVE-2012-3982 Mozilla: Miscellaneous memory safety hazards (rv:10.0.8) (MFSA 2012-74) 863618 - CVE-2012-3986 Mozilla: Some DOMWindowUtils methods bypass security checks (MFSA 2012-77) 863619 - CVE-2012-3988 Mozilla: DOS and crash with full screen and history navigation (MFSA 2012-79) 863621 - CVE-2012-3991 Mozilla: GetProperty function can bypass security checks (MFSA 2012-81) 863622 - CVE-2012-3994 Mozilla: top object and location property accessible by plugins (MFSA 2012-82) 863623 - CVE-2012-3993 CVE-2012-4184 Mozilla: Chrome Object Wrapper (COW) does not disallow acces to privileged functions or properties (MFSA 2012-83) 863624 - CVE-2012-3992 Mozilla: Spoofing and script injection through location.hash (MFSA 2012-84) 863625 - CVE-2012-3995 CVE-2012-4179 CVE-2012-4180 CVE-2012-4181 CVE-2012-4182 CVE-2012-4183 Mozilla: Use-after-free, buffer overflow, and out of bounds read issues found using Address Sanitizer (MFSA 2012-85) 863626 - CVE-2012-4185 CVE-2012-4186 CVE-2012-4187 CVE-2012-4188 Mozilla: Heap memory corruption issues found using Address Sanitizer (MFSA 2012-86) 863628 - CVE-2012-3990 Mozilla: Use-after-free in the IME State Manager (MFSA 2012-87) 6. Package List: Red Hat Enterprise Linux Desktop (v. 5 client): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/thunderbird-10.0.8-1.el5_8.src.rpm i386: thunderbird-10.0.8-1.el5_8.i386.rpm thunderbird-debuginfo-10.0.8-1.el5_8.i386.rpm x86_64: thunderbird-10.0.8-1.el5_8.x86_64.rpm thunderbird-debuginfo-10.0.8-1.el5_8.x86_64.rpm RHEL Optional Productivity Applications (v. 5 server): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/thunderbird-10.0.8-1.el5_8.src.rpm i386: thunderbird-10.0.8-1.el5_8.i386.rpm thunderbird-debuginfo-10.0.8-1.el5_8.i386.rpm x86_64: thunderbird-10.0.8-1.el5_8.x86_64.rpm thunderbird-debuginfo-10.0.8-1.el5_8.x86_64.rpm Red Hat Enterprise Linux Desktop (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/thunderbird-10.0.8-1.el6_3.src.rpm i386: thunderbird-10.0.8-1.el6_3.i686.rpm thunderbird-debuginfo-10.0.8-1.el6_3.i686.rpm x86_64: thunderbird-10.0.8-1.el6_3.x86_64.rpm thunderbird-debuginfo-10.0.8-1.el6_3.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/thunderbird-10.0.8-1.el6_3.src.rpm i386: thunderbird-10.0.8-1.el6_3.i686.rpm thunderbird-debuginfo-10.0.8-1.el6_3.i686.rpm ppc64: thunderbird-10.0.8-1.el6_3.ppc64.rpm thunderbird-debuginfo-10.0.8-1.el6_3.ppc64.rpm s390x: thunderbird-10.0.8-1.el6_3.s390x.rpm thunderbird-debuginfo-10.0.8-1.el6_3.s390x.rpm x86_64: thunderbird-10.0.8-1.el6_3.x86_64.rpm thunderbird-debuginfo-10.0.8-1.el6_3.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/thunderbird-10.0.8-1.el6_3.src.rpm i386: thunderbird-10.0.8-1.el6_3.i686.rpm thunderbird-debuginfo-10.0.8-1.el6_3.i686.rpm x86_64: thunderbird-10.0.8-1.el6_3.x86_64.rpm thunderbird-debuginfo-10.0.8-1.el6_3.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2012-1956.html https://www.redhat.com/security/data/cve/CVE-2012-3982.html https://www.redhat.com/security/data/cve/CVE-2012-3986.html https://www.redhat.com/security/data/cve/CVE-2012-3988.html https://www.redhat.com/security/data/cve/CVE-2012-3990.html https://www.redhat.com/security/data/cve/CVE-2012-3991.html https://www.redhat.com/security/data/cve/CVE-2012-3992.html https://www.redhat.com/security/data/cve/CVE-2012-3993.html https://www.redhat.com/security/data/cve/CVE-2012-3994.html https://www.redhat.com/security/data/cve/CVE-2012-3995.html https://www.redhat.com/security/data/cve/CVE-2012-4179.html https://www.redhat.com/security/data/cve/CVE-2012-4180.html https://www.redhat.com/security/data/cve/CVE-2012-4181.html https://www.redhat.com/security/data/cve/CVE-2012-4182.html https://www.redhat.com/security/data/cve/CVE-2012-4183.html https://www.redhat.com/security/data/cve/CVE-2012-4184.html https://www.redhat.com/security/data/cve/CVE-2012-4185.html https://www.redhat.com/security/data/cve/CVE-2012-4186.html https://www.redhat.com/security/data/cve/CVE-2012-4187.html https://www.redhat.com/security/data/cve/CVE-2012-4188.html https://access.redhat.com/security/updates/classification/#critical 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2012 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFQdLZtXlSAg2UNWIIRAvlkAJwNZ7KJZ6lm/CgVeVAn488bf6+prACfZUtV abY4iBz1FPtCJiITcZJrJtE= =TCE4 -----END PGP SIGNATURE----- From bugzilla at redhat.com Thu Oct 11 13:31:13 2012 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 11 Oct 2012 13:31:13 +0000 Subject: [RHSA-2012:1359-01] Moderate: libvirt security and bug fix update Message-ID: <201210111331.q9BDVDYv023549@int-mx12.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: libvirt security and bug fix update Advisory ID: RHSA-2012:1359-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-1359.html Issue date: 2012-10-11 CVE Names: CVE-2012-4423 ===================================================================== 1. Summary: Updated libvirt packages that fix one security issue and multiple bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node (v. 6) - x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 6) - x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Optional (v. 6) - x86_64 3. Description: The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems. A flaw was found in libvirtd's RPC call handling. An attacker able to establish a read-only connection to libvirtd could use this flaw to crash libvirtd by sending an RPC message that has an event as the RPC number, or an RPC number that falls into a gap in the RPC dispatch table. (CVE-2012-4423) This issue was discovered by Wenlong Huang of the Red Hat Virtualization QE Team. This update also fixes the following bugs: * When the host_uuid option was present in the libvirtd.conf file, the augeas libvirt lens was unable to parse the file. This bug has been fixed and the augeas libvirt lens now parses libvirtd.conf as expected in the described scenario. (BZ#858988) * Disk hot plug is a two-part action: the qemuMonitorAddDrive() call is followed by the qemuMonitorAddDevice() call. When the first part succeeded but the second one failed, libvirt failed to roll back the first part and the device remained in use even though the disk hot plug failed. With this update, the rollback for the drive addition is properly performed in the described scenario and disk hot plug now works as expected. (BZ#859376) * When a virtual machine was started with an image chain using block devices and a block rebase operation was issued, the operation failed on completion in the blockJobAbort() function. This update relabels and configures cgroups for the backing files and the rebase operation now succeeds. (BZ#860720) All users of libvirt are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, libvirtd will be restarted automatically. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 5. Bugs fixed (http://bugzilla.redhat.com/): 857133 - CVE-2012-4423 libvirt: null function pointer invocation in virNetServerProgramDispatchCall() 858988 - The libvirt augeas lens can't parse a libvirtd.conf file where host_uuid is present 859376 - after failed hotplug qemu keeps the file descriptor open 860720 - Relabel and configure cgroups for the backing files on VIR_DOMAIN_BLOCK_JOB_ABORT_PIVOT 6. Package List: Red Hat Enterprise Linux Desktop (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/libvirt-0.9.10-21.el6_3.5.src.rpm i386: libvirt-0.9.10-21.el6_3.5.i686.rpm libvirt-client-0.9.10-21.el6_3.5.i686.rpm libvirt-debuginfo-0.9.10-21.el6_3.5.i686.rpm libvirt-python-0.9.10-21.el6_3.5.i686.rpm x86_64: libvirt-0.9.10-21.el6_3.5.x86_64.rpm libvirt-client-0.9.10-21.el6_3.5.i686.rpm libvirt-client-0.9.10-21.el6_3.5.x86_64.rpm libvirt-debuginfo-0.9.10-21.el6_3.5.i686.rpm libvirt-debuginfo-0.9.10-21.el6_3.5.x86_64.rpm libvirt-python-0.9.10-21.el6_3.5.x86_64.rpm Red Hat Enterprise Linux Desktop Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/libvirt-0.9.10-21.el6_3.5.src.rpm i386: libvirt-debuginfo-0.9.10-21.el6_3.5.i686.rpm libvirt-devel-0.9.10-21.el6_3.5.i686.rpm x86_64: libvirt-debuginfo-0.9.10-21.el6_3.5.i686.rpm libvirt-debuginfo-0.9.10-21.el6_3.5.x86_64.rpm libvirt-devel-0.9.10-21.el6_3.5.i686.rpm libvirt-devel-0.9.10-21.el6_3.5.x86_64.rpm libvirt-lock-sanlock-0.9.10-21.el6_3.5.x86_64.rpm Red Hat Enterprise Linux HPC Node (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/libvirt-0.9.10-21.el6_3.5.src.rpm x86_64: libvirt-0.9.10-21.el6_3.5.x86_64.rpm libvirt-client-0.9.10-21.el6_3.5.i686.rpm libvirt-client-0.9.10-21.el6_3.5.x86_64.rpm libvirt-debuginfo-0.9.10-21.el6_3.5.i686.rpm libvirt-debuginfo-0.9.10-21.el6_3.5.x86_64.rpm libvirt-python-0.9.10-21.el6_3.5.x86_64.rpm Red Hat Enterprise Linux HPC Node Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/libvirt-0.9.10-21.el6_3.5.src.rpm x86_64: libvirt-debuginfo-0.9.10-21.el6_3.5.i686.rpm libvirt-debuginfo-0.9.10-21.el6_3.5.x86_64.rpm libvirt-devel-0.9.10-21.el6_3.5.i686.rpm libvirt-devel-0.9.10-21.el6_3.5.x86_64.rpm libvirt-lock-sanlock-0.9.10-21.el6_3.5.x86_64.rpm Red Hat Enterprise Linux Server (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/libvirt-0.9.10-21.el6_3.5.src.rpm i386: libvirt-0.9.10-21.el6_3.5.i686.rpm libvirt-client-0.9.10-21.el6_3.5.i686.rpm libvirt-debuginfo-0.9.10-21.el6_3.5.i686.rpm libvirt-devel-0.9.10-21.el6_3.5.i686.rpm libvirt-python-0.9.10-21.el6_3.5.i686.rpm ppc64: libvirt-0.9.10-21.el6_3.5.ppc64.rpm libvirt-client-0.9.10-21.el6_3.5.ppc.rpm libvirt-client-0.9.10-21.el6_3.5.ppc64.rpm libvirt-debuginfo-0.9.10-21.el6_3.5.ppc.rpm libvirt-debuginfo-0.9.10-21.el6_3.5.ppc64.rpm libvirt-devel-0.9.10-21.el6_3.5.ppc.rpm libvirt-devel-0.9.10-21.el6_3.5.ppc64.rpm libvirt-python-0.9.10-21.el6_3.5.ppc64.rpm s390x: libvirt-0.9.10-21.el6_3.5.s390x.rpm libvirt-client-0.9.10-21.el6_3.5.s390.rpm libvirt-client-0.9.10-21.el6_3.5.s390x.rpm libvirt-debuginfo-0.9.10-21.el6_3.5.s390.rpm libvirt-debuginfo-0.9.10-21.el6_3.5.s390x.rpm libvirt-devel-0.9.10-21.el6_3.5.s390.rpm libvirt-devel-0.9.10-21.el6_3.5.s390x.rpm libvirt-python-0.9.10-21.el6_3.5.s390x.rpm x86_64: libvirt-0.9.10-21.el6_3.5.x86_64.rpm libvirt-client-0.9.10-21.el6_3.5.i686.rpm libvirt-client-0.9.10-21.el6_3.5.x86_64.rpm libvirt-debuginfo-0.9.10-21.el6_3.5.i686.rpm libvirt-debuginfo-0.9.10-21.el6_3.5.x86_64.rpm libvirt-devel-0.9.10-21.el6_3.5.i686.rpm libvirt-devel-0.9.10-21.el6_3.5.x86_64.rpm libvirt-python-0.9.10-21.el6_3.5.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/libvirt-0.9.10-21.el6_3.5.src.rpm x86_64: libvirt-debuginfo-0.9.10-21.el6_3.5.x86_64.rpm libvirt-lock-sanlock-0.9.10-21.el6_3.5.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/libvirt-0.9.10-21.el6_3.5.src.rpm i386: libvirt-0.9.10-21.el6_3.5.i686.rpm libvirt-client-0.9.10-21.el6_3.5.i686.rpm libvirt-debuginfo-0.9.10-21.el6_3.5.i686.rpm libvirt-devel-0.9.10-21.el6_3.5.i686.rpm libvirt-python-0.9.10-21.el6_3.5.i686.rpm x86_64: libvirt-0.9.10-21.el6_3.5.x86_64.rpm libvirt-client-0.9.10-21.el6_3.5.i686.rpm libvirt-client-0.9.10-21.el6_3.5.x86_64.rpm libvirt-debuginfo-0.9.10-21.el6_3.5.i686.rpm libvirt-debuginfo-0.9.10-21.el6_3.5.x86_64.rpm libvirt-devel-0.9.10-21.el6_3.5.i686.rpm libvirt-devel-0.9.10-21.el6_3.5.x86_64.rpm libvirt-python-0.9.10-21.el6_3.5.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/libvirt-0.9.10-21.el6_3.5.src.rpm x86_64: libvirt-debuginfo-0.9.10-21.el6_3.5.x86_64.rpm libvirt-lock-sanlock-0.9.10-21.el6_3.5.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2012-4423.html https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2012 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFQdsnMXlSAg2UNWIIRAu4dAJ9+GjZw8oawTlRk7hO8CHg8o55BYgCfdW61 pgDEiHRfDIwNm4/l4w3U3gE= =rs7W -----END PGP SIGNATURE----- From bugzilla at redhat.com Fri Oct 12 20:17:34 2012 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Fri, 12 Oct 2012 20:17:34 +0000 Subject: [RHSA-2012:1361-01] Critical: xulrunner security update Message-ID: <201210122017.q9CKHZ2C020799@int-mx02.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Critical: xulrunner security update Advisory ID: RHSA-2012:1361-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-1361.html Issue date: 2012-10-12 CVE Names: CVE-2012-4193 ===================================================================== 1. Summary: Updated xulrunner packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: RHEL Desktop Workstation (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64 3. Description: XULRunner provides the XUL Runtime environment for applications using the Gecko layout engine. A flaw was found in the way XULRunner handled security wrappers. A web page containing malicious content could possibly cause an application linked against XULRunner (such as Mozilla Firefox) to execute arbitrary code with the privileges of the user running the application. (CVE-2012-4193) For technical details regarding this flaw, refer to the Mozilla security advisories. You can find a link to the Mozilla advisories in the References section of this erratum. Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges moz_bug_r_a4 as the original reporter. All XULRunner users should upgrade to these updated packages, which correct this issue. After installing the update, applications using XULRunner must be restarted for the changes to take effect. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 5. Bugs fixed (http://bugzilla.redhat.com/): 865215 - CVE-2012-4193 Mozilla: defaultValue security checks not applied (MFSA 2012-89) 6. Package List: Red Hat Enterprise Linux Desktop (v. 5 client): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/xulrunner-10.0.8-2.el5_8.src.rpm i386: xulrunner-10.0.8-2.el5_8.i386.rpm xulrunner-debuginfo-10.0.8-2.el5_8.i386.rpm x86_64: xulrunner-10.0.8-2.el5_8.i386.rpm xulrunner-10.0.8-2.el5_8.x86_64.rpm xulrunner-debuginfo-10.0.8-2.el5_8.i386.rpm xulrunner-debuginfo-10.0.8-2.el5_8.x86_64.rpm RHEL Desktop Workstation (v. 5 client): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/xulrunner-10.0.8-2.el5_8.src.rpm i386: xulrunner-debuginfo-10.0.8-2.el5_8.i386.rpm xulrunner-devel-10.0.8-2.el5_8.i386.rpm x86_64: xulrunner-debuginfo-10.0.8-2.el5_8.i386.rpm xulrunner-debuginfo-10.0.8-2.el5_8.x86_64.rpm xulrunner-devel-10.0.8-2.el5_8.i386.rpm xulrunner-devel-10.0.8-2.el5_8.x86_64.rpm Red Hat Enterprise Linux (v. 5 server): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/xulrunner-10.0.8-2.el5_8.src.rpm i386: xulrunner-10.0.8-2.el5_8.i386.rpm xulrunner-debuginfo-10.0.8-2.el5_8.i386.rpm xulrunner-devel-10.0.8-2.el5_8.i386.rpm ia64: xulrunner-10.0.8-2.el5_8.ia64.rpm xulrunner-debuginfo-10.0.8-2.el5_8.ia64.rpm xulrunner-devel-10.0.8-2.el5_8.ia64.rpm ppc: xulrunner-10.0.8-2.el5_8.ppc.rpm xulrunner-10.0.8-2.el5_8.ppc64.rpm xulrunner-debuginfo-10.0.8-2.el5_8.ppc.rpm xulrunner-debuginfo-10.0.8-2.el5_8.ppc64.rpm xulrunner-devel-10.0.8-2.el5_8.ppc.rpm xulrunner-devel-10.0.8-2.el5_8.ppc64.rpm s390x: xulrunner-10.0.8-2.el5_8.s390.rpm xulrunner-10.0.8-2.el5_8.s390x.rpm xulrunner-debuginfo-10.0.8-2.el5_8.s390.rpm xulrunner-debuginfo-10.0.8-2.el5_8.s390x.rpm xulrunner-devel-10.0.8-2.el5_8.s390.rpm xulrunner-devel-10.0.8-2.el5_8.s390x.rpm x86_64: xulrunner-10.0.8-2.el5_8.i386.rpm xulrunner-10.0.8-2.el5_8.x86_64.rpm xulrunner-debuginfo-10.0.8-2.el5_8.i386.rpm xulrunner-debuginfo-10.0.8-2.el5_8.x86_64.rpm xulrunner-devel-10.0.8-2.el5_8.i386.rpm xulrunner-devel-10.0.8-2.el5_8.x86_64.rpm Red Hat Enterprise Linux Desktop (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/xulrunner-10.0.8-2.el6_3.src.rpm i386: xulrunner-10.0.8-2.el6_3.i686.rpm xulrunner-debuginfo-10.0.8-2.el6_3.i686.rpm x86_64: xulrunner-10.0.8-2.el6_3.i686.rpm xulrunner-10.0.8-2.el6_3.x86_64.rpm xulrunner-debuginfo-10.0.8-2.el6_3.i686.rpm xulrunner-debuginfo-10.0.8-2.el6_3.x86_64.rpm Red Hat Enterprise Linux Desktop Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/xulrunner-10.0.8-2.el6_3.src.rpm i386: xulrunner-debuginfo-10.0.8-2.el6_3.i686.rpm xulrunner-devel-10.0.8-2.el6_3.i686.rpm x86_64: xulrunner-debuginfo-10.0.8-2.el6_3.i686.rpm xulrunner-debuginfo-10.0.8-2.el6_3.x86_64.rpm xulrunner-devel-10.0.8-2.el6_3.i686.rpm xulrunner-devel-10.0.8-2.el6_3.x86_64.rpm Red Hat Enterprise Linux HPC Node Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/xulrunner-10.0.8-2.el6_3.src.rpm x86_64: xulrunner-10.0.8-2.el6_3.i686.rpm xulrunner-10.0.8-2.el6_3.x86_64.rpm xulrunner-debuginfo-10.0.8-2.el6_3.i686.rpm xulrunner-debuginfo-10.0.8-2.el6_3.x86_64.rpm xulrunner-devel-10.0.8-2.el6_3.i686.rpm xulrunner-devel-10.0.8-2.el6_3.x86_64.rpm Red Hat Enterprise Linux Server (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/xulrunner-10.0.8-2.el6_3.src.rpm i386: xulrunner-10.0.8-2.el6_3.i686.rpm xulrunner-debuginfo-10.0.8-2.el6_3.i686.rpm ppc64: xulrunner-10.0.8-2.el6_3.ppc.rpm xulrunner-10.0.8-2.el6_3.ppc64.rpm xulrunner-debuginfo-10.0.8-2.el6_3.ppc.rpm xulrunner-debuginfo-10.0.8-2.el6_3.ppc64.rpm s390x: xulrunner-10.0.8-2.el6_3.s390.rpm xulrunner-10.0.8-2.el6_3.s390x.rpm xulrunner-debuginfo-10.0.8-2.el6_3.s390.rpm xulrunner-debuginfo-10.0.8-2.el6_3.s390x.rpm x86_64: xulrunner-10.0.8-2.el6_3.i686.rpm xulrunner-10.0.8-2.el6_3.x86_64.rpm xulrunner-debuginfo-10.0.8-2.el6_3.i686.rpm xulrunner-debuginfo-10.0.8-2.el6_3.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/xulrunner-10.0.8-2.el6_3.src.rpm i386: xulrunner-debuginfo-10.0.8-2.el6_3.i686.rpm xulrunner-devel-10.0.8-2.el6_3.i686.rpm ppc64: xulrunner-debuginfo-10.0.8-2.el6_3.ppc.rpm xulrunner-debuginfo-10.0.8-2.el6_3.ppc64.rpm xulrunner-devel-10.0.8-2.el6_3.ppc.rpm xulrunner-devel-10.0.8-2.el6_3.ppc64.rpm s390x: xulrunner-debuginfo-10.0.8-2.el6_3.s390.rpm xulrunner-debuginfo-10.0.8-2.el6_3.s390x.rpm xulrunner-devel-10.0.8-2.el6_3.s390.rpm xulrunner-devel-10.0.8-2.el6_3.s390x.rpm x86_64: xulrunner-debuginfo-10.0.8-2.el6_3.i686.rpm xulrunner-debuginfo-10.0.8-2.el6_3.x86_64.rpm xulrunner-devel-10.0.8-2.el6_3.i686.rpm xulrunner-devel-10.0.8-2.el6_3.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/xulrunner-10.0.8-2.el6_3.src.rpm i386: xulrunner-10.0.8-2.el6_3.i686.rpm xulrunner-debuginfo-10.0.8-2.el6_3.i686.rpm x86_64: xulrunner-10.0.8-2.el6_3.i686.rpm xulrunner-10.0.8-2.el6_3.x86_64.rpm xulrunner-debuginfo-10.0.8-2.el6_3.i686.rpm xulrunner-debuginfo-10.0.8-2.el6_3.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/xulrunner-10.0.8-2.el6_3.src.rpm i386: xulrunner-debuginfo-10.0.8-2.el6_3.i686.rpm xulrunner-devel-10.0.8-2.el6_3.i686.rpm x86_64: xulrunner-debuginfo-10.0.8-2.el6_3.i686.rpm xulrunner-debuginfo-10.0.8-2.el6_3.x86_64.rpm xulrunner-devel-10.0.8-2.el6_3.i686.rpm xulrunner-devel-10.0.8-2.el6_3.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2012-4193.html https://access.redhat.com/security/updates/classification/#critical http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2012 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFQeHqeXlSAg2UNWIIRAk79AKC3KhWJGNgQCDkDBZ0KUwoiPscdEwCfWK90 McNsasTYXKl//P0LQiuK+o4= =Dkgo -----END PGP SIGNATURE----- From bugzilla at redhat.com Fri Oct 12 20:18:16 2012 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Fri, 12 Oct 2012 20:18:16 +0000 Subject: [RHSA-2012:1362-01] Critical: thunderbird security update Message-ID: <201210122018.q9CKIGV9004883@int-mx12.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Critical: thunderbird security update Advisory ID: RHSA-2012:1362-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-1362.html Issue date: 2012-10-12 CVE Names: CVE-2012-4193 ===================================================================== 1. Summary: An updated thunderbird package that fixes one security issue is now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: RHEL Optional Productivity Applications (v. 5 server) - i386, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 3. Description: Mozilla Thunderbird is a standalone mail and newsgroup client. A flaw was found in the way Thunderbird handled security wrappers. Malicious content could cause Thunderbird to execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2012-4193) Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges moz_bug_r_a4 as the original reporter. Note: This issue cannot be exploited by a specially-crafted HTML mail message as JavaScript is disabled by default for mail messages. It could be exploited another way in Thunderbird, for example, when viewing the full remote content of an RSS feed. All Thunderbird users should upgrade to this updated package, which corrects this issue. After installing the update, Thunderbird must be restarted for the changes to take effect. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 5. Bugs fixed (http://bugzilla.redhat.com/): 865215 - CVE-2012-4193 Mozilla: defaultValue security checks not applied (MFSA 2012-89) 6. Package List: Red Hat Enterprise Linux Desktop (v. 5 client): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/thunderbird-10.0.8-2.el5_8.src.rpm i386: thunderbird-10.0.8-2.el5_8.i386.rpm thunderbird-debuginfo-10.0.8-2.el5_8.i386.rpm thunderbird-debuginfo-10.0.8-2.el5_8.i386.rpm x86_64: thunderbird-10.0.8-2.el5_8.x86_64.rpm thunderbird-debuginfo-10.0.8-2.el5_8.x86_64.rpm thunderbird-debuginfo-10.0.8-2.el5_8.x86_64.rpm RHEL Optional Productivity Applications (v. 5 server): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/thunderbird-10.0.8-2.el5_8.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/thunderbird-10.0.8-2.el5_8.src.rpm i386: thunderbird-10.0.8-2.el5_8.i386.rpm thunderbird-10.0.8-2.el5_8.i386.rpm thunderbird-debuginfo-10.0.8-2.el5_8.i386.rpm thunderbird-debuginfo-10.0.8-2.el5_8.i386.rpm x86_64: thunderbird-10.0.8-2.el5_8.x86_64.rpm thunderbird-10.0.8-2.el5_8.x86_64.rpm thunderbird-debuginfo-10.0.8-2.el5_8.x86_64.rpm thunderbird-debuginfo-10.0.8-2.el5_8.x86_64.rpm Red Hat Enterprise Linux Desktop (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/thunderbird-10.0.8-2.el6_3.src.rpm i386: thunderbird-10.0.8-2.el6_3.i686.rpm thunderbird-debuginfo-10.0.8-2.el6_3.i686.rpm x86_64: thunderbird-10.0.8-2.el6_3.x86_64.rpm thunderbird-debuginfo-10.0.8-2.el6_3.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/thunderbird-10.0.8-2.el6_3.src.rpm i386: thunderbird-10.0.8-2.el6_3.i686.rpm thunderbird-debuginfo-10.0.8-2.el6_3.i686.rpm ppc64: thunderbird-10.0.8-2.el6_3.ppc64.rpm thunderbird-debuginfo-10.0.8-2.el6_3.ppc64.rpm s390x: thunderbird-10.0.8-2.el6_3.s390x.rpm thunderbird-debuginfo-10.0.8-2.el6_3.s390x.rpm x86_64: thunderbird-10.0.8-2.el6_3.x86_64.rpm thunderbird-debuginfo-10.0.8-2.el6_3.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/thunderbird-10.0.8-2.el6_3.src.rpm i386: thunderbird-10.0.8-2.el6_3.i686.rpm thunderbird-debuginfo-10.0.8-2.el6_3.i686.rpm x86_64: thunderbird-10.0.8-2.el6_3.x86_64.rpm thunderbird-debuginfo-10.0.8-2.el6_3.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2012-4193.html https://access.redhat.com/security/updates/classification/#critical 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2012 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFQeHrtXlSAg2UNWIIRAn+kAJ0YntY/ax/L4wLEJdnMWadUODjQiACgiXfU obqxflHUozkZurfnFeBYQeQ= =3hsw -----END PGP SIGNATURE----- From bugzilla at redhat.com Fri Oct 12 20:19:11 2012 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Fri, 12 Oct 2012 20:19:11 +0000 Subject: [RHSA-2012:1363-01] Important: bind security update Message-ID: <201210122019.q9CKJCe6021175@int-mx02.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: bind security update Advisory ID: RHSA-2012:1363-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-1363.html Issue date: 2012-10-12 CVE Names: CVE-2012-5166 ===================================================================== 1. Summary: Updated bind packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: RHEL Desktop Workstation (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node (v. 6) - x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64 3. Description: The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. A flaw was found in the way BIND handled certain combinations of resource records. A remote attacker could use this flaw to cause a recursive resolver, or an authoritative server in certain configurations, to lockup. (CVE-2012-5166) Users of bind are advised to upgrade to these updated packages, which correct this issue. After installing the update, the BIND daemon (named) will be restarted automatically. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 5. Bugs fixed (http://bugzilla.redhat.com/): 864273 - CVE-2012-5166 bind: Specially crafted DNS data can cause a lockup in named 6. Package List: Red Hat Enterprise Linux Desktop (v. 5 client): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/bind-9.3.6-20.P1.el5_8.5.src.rpm i386: bind-9.3.6-20.P1.el5_8.5.i386.rpm bind-debuginfo-9.3.6-20.P1.el5_8.5.i386.rpm bind-libs-9.3.6-20.P1.el5_8.5.i386.rpm bind-sdb-9.3.6-20.P1.el5_8.5.i386.rpm bind-utils-9.3.6-20.P1.el5_8.5.i386.rpm x86_64: bind-9.3.6-20.P1.el5_8.5.x86_64.rpm bind-debuginfo-9.3.6-20.P1.el5_8.5.i386.rpm bind-debuginfo-9.3.6-20.P1.el5_8.5.x86_64.rpm bind-libs-9.3.6-20.P1.el5_8.5.i386.rpm bind-libs-9.3.6-20.P1.el5_8.5.x86_64.rpm bind-sdb-9.3.6-20.P1.el5_8.5.x86_64.rpm bind-utils-9.3.6-20.P1.el5_8.5.x86_64.rpm RHEL Desktop Workstation (v. 5 client): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/bind-9.3.6-20.P1.el5_8.5.src.rpm i386: bind-chroot-9.3.6-20.P1.el5_8.5.i386.rpm bind-debuginfo-9.3.6-20.P1.el5_8.5.i386.rpm bind-devel-9.3.6-20.P1.el5_8.5.i386.rpm bind-libbind-devel-9.3.6-20.P1.el5_8.5.i386.rpm caching-nameserver-9.3.6-20.P1.el5_8.5.i386.rpm x86_64: bind-chroot-9.3.6-20.P1.el5_8.5.x86_64.rpm bind-debuginfo-9.3.6-20.P1.el5_8.5.i386.rpm bind-debuginfo-9.3.6-20.P1.el5_8.5.x86_64.rpm bind-devel-9.3.6-20.P1.el5_8.5.i386.rpm bind-devel-9.3.6-20.P1.el5_8.5.x86_64.rpm bind-libbind-devel-9.3.6-20.P1.el5_8.5.i386.rpm bind-libbind-devel-9.3.6-20.P1.el5_8.5.x86_64.rpm caching-nameserver-9.3.6-20.P1.el5_8.5.x86_64.rpm Red Hat Enterprise Linux (v. 5 server): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/bind-9.3.6-20.P1.el5_8.5.src.rpm i386: bind-9.3.6-20.P1.el5_8.5.i386.rpm bind-chroot-9.3.6-20.P1.el5_8.5.i386.rpm bind-debuginfo-9.3.6-20.P1.el5_8.5.i386.rpm bind-devel-9.3.6-20.P1.el5_8.5.i386.rpm bind-libbind-devel-9.3.6-20.P1.el5_8.5.i386.rpm bind-libs-9.3.6-20.P1.el5_8.5.i386.rpm bind-sdb-9.3.6-20.P1.el5_8.5.i386.rpm bind-utils-9.3.6-20.P1.el5_8.5.i386.rpm caching-nameserver-9.3.6-20.P1.el5_8.5.i386.rpm ia64: bind-9.3.6-20.P1.el5_8.5.ia64.rpm bind-chroot-9.3.6-20.P1.el5_8.5.ia64.rpm bind-debuginfo-9.3.6-20.P1.el5_8.5.i386.rpm bind-debuginfo-9.3.6-20.P1.el5_8.5.ia64.rpm bind-devel-9.3.6-20.P1.el5_8.5.ia64.rpm bind-libbind-devel-9.3.6-20.P1.el5_8.5.ia64.rpm bind-libs-9.3.6-20.P1.el5_8.5.i386.rpm bind-libs-9.3.6-20.P1.el5_8.5.ia64.rpm bind-sdb-9.3.6-20.P1.el5_8.5.ia64.rpm bind-utils-9.3.6-20.P1.el5_8.5.ia64.rpm caching-nameserver-9.3.6-20.P1.el5_8.5.ia64.rpm ppc: bind-9.3.6-20.P1.el5_8.5.ppc.rpm bind-chroot-9.3.6-20.P1.el5_8.5.ppc.rpm bind-debuginfo-9.3.6-20.P1.el5_8.5.ppc.rpm bind-debuginfo-9.3.6-20.P1.el5_8.5.ppc64.rpm bind-devel-9.3.6-20.P1.el5_8.5.ppc.rpm bind-devel-9.3.6-20.P1.el5_8.5.ppc64.rpm bind-libbind-devel-9.3.6-20.P1.el5_8.5.ppc.rpm bind-libbind-devel-9.3.6-20.P1.el5_8.5.ppc64.rpm bind-libs-9.3.6-20.P1.el5_8.5.ppc.rpm bind-libs-9.3.6-20.P1.el5_8.5.ppc64.rpm bind-sdb-9.3.6-20.P1.el5_8.5.ppc.rpm bind-utils-9.3.6-20.P1.el5_8.5.ppc.rpm caching-nameserver-9.3.6-20.P1.el5_8.5.ppc.rpm s390x: bind-9.3.6-20.P1.el5_8.5.s390x.rpm bind-chroot-9.3.6-20.P1.el5_8.5.s390x.rpm bind-debuginfo-9.3.6-20.P1.el5_8.5.s390.rpm bind-debuginfo-9.3.6-20.P1.el5_8.5.s390x.rpm bind-devel-9.3.6-20.P1.el5_8.5.s390.rpm bind-devel-9.3.6-20.P1.el5_8.5.s390x.rpm bind-libbind-devel-9.3.6-20.P1.el5_8.5.s390.rpm bind-libbind-devel-9.3.6-20.P1.el5_8.5.s390x.rpm bind-libs-9.3.6-20.P1.el5_8.5.s390.rpm bind-libs-9.3.6-20.P1.el5_8.5.s390x.rpm bind-sdb-9.3.6-20.P1.el5_8.5.s390x.rpm bind-utils-9.3.6-20.P1.el5_8.5.s390x.rpm caching-nameserver-9.3.6-20.P1.el5_8.5.s390x.rpm x86_64: bind-9.3.6-20.P1.el5_8.5.x86_64.rpm bind-chroot-9.3.6-20.P1.el5_8.5.x86_64.rpm bind-debuginfo-9.3.6-20.P1.el5_8.5.i386.rpm bind-debuginfo-9.3.6-20.P1.el5_8.5.x86_64.rpm bind-devel-9.3.6-20.P1.el5_8.5.i386.rpm bind-devel-9.3.6-20.P1.el5_8.5.x86_64.rpm bind-libbind-devel-9.3.6-20.P1.el5_8.5.i386.rpm bind-libbind-devel-9.3.6-20.P1.el5_8.5.x86_64.rpm bind-libs-9.3.6-20.P1.el5_8.5.i386.rpm bind-libs-9.3.6-20.P1.el5_8.5.x86_64.rpm bind-sdb-9.3.6-20.P1.el5_8.5.x86_64.rpm bind-utils-9.3.6-20.P1.el5_8.5.x86_64.rpm caching-nameserver-9.3.6-20.P1.el5_8.5.x86_64.rpm Red Hat Enterprise Linux Desktop (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/bind-9.8.2-0.10.rc1.el6_3.5.src.rpm i386: bind-debuginfo-9.8.2-0.10.rc1.el6_3.5.i686.rpm bind-libs-9.8.2-0.10.rc1.el6_3.5.i686.rpm bind-utils-9.8.2-0.10.rc1.el6_3.5.i686.rpm x86_64: bind-debuginfo-9.8.2-0.10.rc1.el6_3.5.i686.rpm bind-debuginfo-9.8.2-0.10.rc1.el6_3.5.x86_64.rpm bind-libs-9.8.2-0.10.rc1.el6_3.5.i686.rpm bind-libs-9.8.2-0.10.rc1.el6_3.5.x86_64.rpm bind-utils-9.8.2-0.10.rc1.el6_3.5.x86_64.rpm Red Hat Enterprise Linux Desktop Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/bind-9.8.2-0.10.rc1.el6_3.5.src.rpm i386: bind-9.8.2-0.10.rc1.el6_3.5.i686.rpm bind-chroot-9.8.2-0.10.rc1.el6_3.5.i686.rpm bind-debuginfo-9.8.2-0.10.rc1.el6_3.5.i686.rpm bind-devel-9.8.2-0.10.rc1.el6_3.5.i686.rpm bind-sdb-9.8.2-0.10.rc1.el6_3.5.i686.rpm x86_64: bind-9.8.2-0.10.rc1.el6_3.5.x86_64.rpm bind-chroot-9.8.2-0.10.rc1.el6_3.5.x86_64.rpm bind-debuginfo-9.8.2-0.10.rc1.el6_3.5.i686.rpm bind-debuginfo-9.8.2-0.10.rc1.el6_3.5.x86_64.rpm bind-devel-9.8.2-0.10.rc1.el6_3.5.i686.rpm bind-devel-9.8.2-0.10.rc1.el6_3.5.x86_64.rpm bind-sdb-9.8.2-0.10.rc1.el6_3.5.x86_64.rpm Red Hat Enterprise Linux HPC Node (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/bind-9.8.2-0.10.rc1.el6_3.5.src.rpm x86_64: bind-debuginfo-9.8.2-0.10.rc1.el6_3.5.i686.rpm bind-debuginfo-9.8.2-0.10.rc1.el6_3.5.x86_64.rpm bind-libs-9.8.2-0.10.rc1.el6_3.5.i686.rpm bind-libs-9.8.2-0.10.rc1.el6_3.5.x86_64.rpm bind-utils-9.8.2-0.10.rc1.el6_3.5.x86_64.rpm Red Hat Enterprise Linux HPC Node Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/bind-9.8.2-0.10.rc1.el6_3.5.src.rpm x86_64: bind-9.8.2-0.10.rc1.el6_3.5.x86_64.rpm bind-chroot-9.8.2-0.10.rc1.el6_3.5.x86_64.rpm bind-debuginfo-9.8.2-0.10.rc1.el6_3.5.i686.rpm bind-debuginfo-9.8.2-0.10.rc1.el6_3.5.x86_64.rpm bind-devel-9.8.2-0.10.rc1.el6_3.5.i686.rpm bind-devel-9.8.2-0.10.rc1.el6_3.5.x86_64.rpm bind-sdb-9.8.2-0.10.rc1.el6_3.5.x86_64.rpm Red Hat Enterprise Linux Server (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/bind-9.8.2-0.10.rc1.el6_3.5.src.rpm i386: bind-9.8.2-0.10.rc1.el6_3.5.i686.rpm bind-chroot-9.8.2-0.10.rc1.el6_3.5.i686.rpm bind-debuginfo-9.8.2-0.10.rc1.el6_3.5.i686.rpm bind-libs-9.8.2-0.10.rc1.el6_3.5.i686.rpm bind-utils-9.8.2-0.10.rc1.el6_3.5.i686.rpm ppc64: bind-9.8.2-0.10.rc1.el6_3.5.ppc64.rpm bind-chroot-9.8.2-0.10.rc1.el6_3.5.ppc64.rpm bind-debuginfo-9.8.2-0.10.rc1.el6_3.5.ppc.rpm bind-debuginfo-9.8.2-0.10.rc1.el6_3.5.ppc64.rpm bind-libs-9.8.2-0.10.rc1.el6_3.5.ppc.rpm bind-libs-9.8.2-0.10.rc1.el6_3.5.ppc64.rpm bind-utils-9.8.2-0.10.rc1.el6_3.5.ppc64.rpm s390x: bind-9.8.2-0.10.rc1.el6_3.5.s390x.rpm bind-chroot-9.8.2-0.10.rc1.el6_3.5.s390x.rpm bind-debuginfo-9.8.2-0.10.rc1.el6_3.5.s390.rpm bind-debuginfo-9.8.2-0.10.rc1.el6_3.5.s390x.rpm bind-libs-9.8.2-0.10.rc1.el6_3.5.s390.rpm bind-libs-9.8.2-0.10.rc1.el6_3.5.s390x.rpm bind-utils-9.8.2-0.10.rc1.el6_3.5.s390x.rpm x86_64: bind-9.8.2-0.10.rc1.el6_3.5.x86_64.rpm bind-chroot-9.8.2-0.10.rc1.el6_3.5.x86_64.rpm bind-debuginfo-9.8.2-0.10.rc1.el6_3.5.i686.rpm bind-debuginfo-9.8.2-0.10.rc1.el6_3.5.x86_64.rpm bind-libs-9.8.2-0.10.rc1.el6_3.5.i686.rpm bind-libs-9.8.2-0.10.rc1.el6_3.5.x86_64.rpm bind-utils-9.8.2-0.10.rc1.el6_3.5.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/bind-9.8.2-0.10.rc1.el6_3.5.src.rpm i386: bind-debuginfo-9.8.2-0.10.rc1.el6_3.5.i686.rpm bind-devel-9.8.2-0.10.rc1.el6_3.5.i686.rpm bind-sdb-9.8.2-0.10.rc1.el6_3.5.i686.rpm ppc64: bind-debuginfo-9.8.2-0.10.rc1.el6_3.5.ppc.rpm bind-debuginfo-9.8.2-0.10.rc1.el6_3.5.ppc64.rpm bind-devel-9.8.2-0.10.rc1.el6_3.5.ppc.rpm bind-devel-9.8.2-0.10.rc1.el6_3.5.ppc64.rpm bind-sdb-9.8.2-0.10.rc1.el6_3.5.ppc64.rpm s390x: bind-debuginfo-9.8.2-0.10.rc1.el6_3.5.s390.rpm bind-debuginfo-9.8.2-0.10.rc1.el6_3.5.s390x.rpm bind-devel-9.8.2-0.10.rc1.el6_3.5.s390.rpm bind-devel-9.8.2-0.10.rc1.el6_3.5.s390x.rpm bind-sdb-9.8.2-0.10.rc1.el6_3.5.s390x.rpm x86_64: bind-debuginfo-9.8.2-0.10.rc1.el6_3.5.i686.rpm bind-debuginfo-9.8.2-0.10.rc1.el6_3.5.x86_64.rpm bind-devel-9.8.2-0.10.rc1.el6_3.5.i686.rpm bind-devel-9.8.2-0.10.rc1.el6_3.5.x86_64.rpm bind-sdb-9.8.2-0.10.rc1.el6_3.5.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/bind-9.8.2-0.10.rc1.el6_3.5.src.rpm i386: bind-9.8.2-0.10.rc1.el6_3.5.i686.rpm bind-chroot-9.8.2-0.10.rc1.el6_3.5.i686.rpm bind-debuginfo-9.8.2-0.10.rc1.el6_3.5.i686.rpm bind-libs-9.8.2-0.10.rc1.el6_3.5.i686.rpm bind-utils-9.8.2-0.10.rc1.el6_3.5.i686.rpm x86_64: bind-9.8.2-0.10.rc1.el6_3.5.x86_64.rpm bind-chroot-9.8.2-0.10.rc1.el6_3.5.x86_64.rpm bind-debuginfo-9.8.2-0.10.rc1.el6_3.5.i686.rpm bind-debuginfo-9.8.2-0.10.rc1.el6_3.5.x86_64.rpm bind-libs-9.8.2-0.10.rc1.el6_3.5.i686.rpm bind-libs-9.8.2-0.10.rc1.el6_3.5.x86_64.rpm bind-utils-9.8.2-0.10.rc1.el6_3.5.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/bind-9.8.2-0.10.rc1.el6_3.5.src.rpm i386: bind-debuginfo-9.8.2-0.10.rc1.el6_3.5.i686.rpm bind-devel-9.8.2-0.10.rc1.el6_3.5.i686.rpm bind-sdb-9.8.2-0.10.rc1.el6_3.5.i686.rpm x86_64: bind-debuginfo-9.8.2-0.10.rc1.el6_3.5.i686.rpm bind-debuginfo-9.8.2-0.10.rc1.el6_3.5.x86_64.rpm bind-devel-9.8.2-0.10.rc1.el6_3.5.i686.rpm bind-devel-9.8.2-0.10.rc1.el6_3.5.x86_64.rpm bind-sdb-9.8.2-0.10.rc1.el6_3.5.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2012-5166.html https://access.redhat.com/security/updates/classification/#important http://www.isc.org/software/bind/advisories/cve-2012-5166 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2012 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFQeHsjXlSAg2UNWIIRAh5WAKCrcGYeGKxZlUpFiV7+CdpBVf7kWQCfbDMu 9mwEOEhLkEOAFKKQxmYZyOc= =W+gi -----END PGP SIGNATURE----- From bugzilla at redhat.com Fri Oct 12 20:19:52 2012 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Fri, 12 Oct 2012 20:19:52 +0000 Subject: [RHSA-2012:1364-01] Important: bind97 security update Message-ID: <201210122019.q9CKJqdC021276@int-mx02.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: bind97 security update Advisory ID: RHSA-2012:1364-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-1364.html Issue date: 2012-10-12 CVE Names: CVE-2012-5166 ===================================================================== 1. Summary: Updated bind97 packages that fix one security issue are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: RHEL Desktop Workstation (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64 3. Description: The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. A flaw was found in the way BIND handled certain combinations of resource records. A remote attacker could use this flaw to cause a recursive resolver, or an authoritative server in certain configurations, to lockup. (CVE-2012-5166) Users of bind97 are advised to upgrade to these updated packages, which correct this issue. After installing the update, the BIND daemon (named) will be restarted automatically. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 5. Bugs fixed (http://bugzilla.redhat.com/): 864273 - CVE-2012-5166 bind: Specially crafted DNS data can cause a lockup in named 6. Package List: RHEL Desktop Workstation (v. 5 client): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/bind97-9.7.0-10.P2.el5_8.4.src.rpm i386: bind97-9.7.0-10.P2.el5_8.4.i386.rpm bind97-chroot-9.7.0-10.P2.el5_8.4.i386.rpm bind97-debuginfo-9.7.0-10.P2.el5_8.4.i386.rpm bind97-devel-9.7.0-10.P2.el5_8.4.i386.rpm bind97-libs-9.7.0-10.P2.el5_8.4.i386.rpm bind97-utils-9.7.0-10.P2.el5_8.4.i386.rpm x86_64: bind97-9.7.0-10.P2.el5_8.4.x86_64.rpm bind97-chroot-9.7.0-10.P2.el5_8.4.x86_64.rpm bind97-debuginfo-9.7.0-10.P2.el5_8.4.i386.rpm bind97-debuginfo-9.7.0-10.P2.el5_8.4.x86_64.rpm bind97-devel-9.7.0-10.P2.el5_8.4.i386.rpm bind97-devel-9.7.0-10.P2.el5_8.4.x86_64.rpm bind97-libs-9.7.0-10.P2.el5_8.4.i386.rpm bind97-libs-9.7.0-10.P2.el5_8.4.x86_64.rpm bind97-utils-9.7.0-10.P2.el5_8.4.x86_64.rpm Red Hat Enterprise Linux (v. 5 server): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/bind97-9.7.0-10.P2.el5_8.4.src.rpm i386: bind97-9.7.0-10.P2.el5_8.4.i386.rpm bind97-chroot-9.7.0-10.P2.el5_8.4.i386.rpm bind97-debuginfo-9.7.0-10.P2.el5_8.4.i386.rpm bind97-devel-9.7.0-10.P2.el5_8.4.i386.rpm bind97-libs-9.7.0-10.P2.el5_8.4.i386.rpm bind97-utils-9.7.0-10.P2.el5_8.4.i386.rpm ia64: bind97-9.7.0-10.P2.el5_8.4.ia64.rpm bind97-chroot-9.7.0-10.P2.el5_8.4.ia64.rpm bind97-debuginfo-9.7.0-10.P2.el5_8.4.ia64.rpm bind97-devel-9.7.0-10.P2.el5_8.4.ia64.rpm bind97-libs-9.7.0-10.P2.el5_8.4.ia64.rpm bind97-utils-9.7.0-10.P2.el5_8.4.ia64.rpm ppc: bind97-9.7.0-10.P2.el5_8.4.ppc.rpm bind97-chroot-9.7.0-10.P2.el5_8.4.ppc.rpm bind97-debuginfo-9.7.0-10.P2.el5_8.4.ppc.rpm bind97-debuginfo-9.7.0-10.P2.el5_8.4.ppc64.rpm bind97-devel-9.7.0-10.P2.el5_8.4.ppc.rpm bind97-devel-9.7.0-10.P2.el5_8.4.ppc64.rpm bind97-libs-9.7.0-10.P2.el5_8.4.ppc.rpm bind97-libs-9.7.0-10.P2.el5_8.4.ppc64.rpm bind97-utils-9.7.0-10.P2.el5_8.4.ppc.rpm s390x: bind97-9.7.0-10.P2.el5_8.4.s390x.rpm bind97-chroot-9.7.0-10.P2.el5_8.4.s390x.rpm bind97-debuginfo-9.7.0-10.P2.el5_8.4.s390.rpm bind97-debuginfo-9.7.0-10.P2.el5_8.4.s390x.rpm bind97-devel-9.7.0-10.P2.el5_8.4.s390.rpm bind97-devel-9.7.0-10.P2.el5_8.4.s390x.rpm bind97-libs-9.7.0-10.P2.el5_8.4.s390.rpm bind97-libs-9.7.0-10.P2.el5_8.4.s390x.rpm bind97-utils-9.7.0-10.P2.el5_8.4.s390x.rpm x86_64: bind97-9.7.0-10.P2.el5_8.4.x86_64.rpm bind97-chroot-9.7.0-10.P2.el5_8.4.x86_64.rpm bind97-debuginfo-9.7.0-10.P2.el5_8.4.i386.rpm bind97-debuginfo-9.7.0-10.P2.el5_8.4.x86_64.rpm bind97-devel-9.7.0-10.P2.el5_8.4.i386.rpm bind97-devel-9.7.0-10.P2.el5_8.4.x86_64.rpm bind97-libs-9.7.0-10.P2.el5_8.4.i386.rpm bind97-libs-9.7.0-10.P2.el5_8.4.x86_64.rpm bind97-utils-9.7.0-10.P2.el5_8.4.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2012-5166.html https://access.redhat.com/security/updates/classification/#important http://www.isc.org/software/bind/advisories/cve-2012-5166 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2012 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFQeHtLXlSAg2UNWIIRAuueAKCewT5BA/GjZiVutV/M61HyIJEXeACbBKqw 29tUCdQ2XRVdYTL9FmHO1eg= =sKkE -----END PGP SIGNATURE----- From bugzilla at redhat.com Fri Oct 12 20:20:35 2012 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Fri, 12 Oct 2012 20:20:35 +0000 Subject: [RHSA-2012:1365-01] Important: bind security update Message-ID: <201210122020.q9CKKZpK019070@int-mx09.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: bind security update Advisory ID: RHSA-2012:1365-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-1365.html Issue date: 2012-10-12 CVE Names: CVE-2012-4244 CVE-2012-5166 ===================================================================== 1. Summary: Updated bind packages that fix two security issues are now available for Red Hat Enterprise Linux 4 Extended Life Cycle Support. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux AS (v. 4 ELS) - i386, ia64, x86_64 Red Hat Enterprise Linux ES (v. 4 ELS) - i386, x86_64 3. Description: The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. A flaw was found in the way BIND handled resource records with a large RDATA value. A malicious owner of a DNS domain could use this flaw to create specially-crafted DNS resource records, that would cause a recursive resolver or secondary server to exit unexpectedly with an assertion failure. (CVE-2012-4244) A flaw was found in the way BIND handled certain combinations of resource records. A remote attacker could use this flaw to cause a recursive resolver, or an authoritative server in certain configurations, to lockup. (CVE-2012-5166) Users of bind are advised to upgrade to these updated packages, which correct these issues. After installing the update, the BIND daemon (named) will be restarted automatically. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 5. Bugs fixed (http://bugzilla.redhat.com/): 856754 - CVE-2012-4244 bind: specially crafted resource record causes named to exit 864273 - CVE-2012-5166 bind: Specially crafted DNS data can cause a lockup in named 6. Package List: Red Hat Enterprise Linux AS (v. 4 ELS): Source: bind-9.2.4-41.el4.src.rpm i386: bind-9.2.4-41.el4.i386.rpm bind-chroot-9.2.4-41.el4.i386.rpm bind-debuginfo-9.2.4-41.el4.i386.rpm bind-devel-9.2.4-41.el4.i386.rpm bind-libs-9.2.4-41.el4.i386.rpm bind-utils-9.2.4-41.el4.i386.rpm ia64: bind-9.2.4-41.el4.ia64.rpm bind-chroot-9.2.4-41.el4.ia64.rpm bind-debuginfo-9.2.4-41.el4.i386.rpm bind-debuginfo-9.2.4-41.el4.ia64.rpm bind-devel-9.2.4-41.el4.ia64.rpm bind-libs-9.2.4-41.el4.i386.rpm bind-libs-9.2.4-41.el4.ia64.rpm bind-utils-9.2.4-41.el4.ia64.rpm x86_64: bind-9.2.4-41.el4.x86_64.rpm bind-chroot-9.2.4-41.el4.x86_64.rpm bind-debuginfo-9.2.4-41.el4.i386.rpm bind-debuginfo-9.2.4-41.el4.x86_64.rpm bind-devel-9.2.4-41.el4.x86_64.rpm bind-libs-9.2.4-41.el4.i386.rpm bind-libs-9.2.4-41.el4.x86_64.rpm bind-utils-9.2.4-41.el4.x86_64.rpm Red Hat Enterprise Linux ES (v. 4 ELS): Source: bind-9.2.4-41.el4.src.rpm i386: bind-9.2.4-41.el4.i386.rpm bind-chroot-9.2.4-41.el4.i386.rpm bind-debuginfo-9.2.4-41.el4.i386.rpm bind-devel-9.2.4-41.el4.i386.rpm bind-libs-9.2.4-41.el4.i386.rpm bind-utils-9.2.4-41.el4.i386.rpm x86_64: bind-9.2.4-41.el4.x86_64.rpm bind-chroot-9.2.4-41.el4.x86_64.rpm bind-debuginfo-9.2.4-41.el4.i386.rpm bind-debuginfo-9.2.4-41.el4.x86_64.rpm bind-devel-9.2.4-41.el4.x86_64.rpm bind-libs-9.2.4-41.el4.i386.rpm bind-libs-9.2.4-41.el4.x86_64.rpm bind-utils-9.2.4-41.el4.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2012-4244.html https://www.redhat.com/security/data/cve/CVE-2012-5166.html https://access.redhat.com/security/updates/classification/#important http://www.isc.org/software/bind/advisories/cve-2012-4244 http://www.isc.org/software/bind/advisories/cve-2012-5166 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2012 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFQeHtxXlSAg2UNWIIRAlYXAKCZ0FE0aPJH4BVSifwFTiFvVnrjmQCfamRD ITUYngHHNDIVcotxSY0b56w= =pvFb -----END PGP SIGNATURE----- From bugzilla at redhat.com Tue Oct 16 15:13:45 2012 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Tue, 16 Oct 2012 15:13:45 +0000 Subject: [RHSA-2012:1366-01] Important: kernel security and bug fix update Message-ID: <201210161513.q9GFDjP2020132@int-mx09.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: kernel security and bug fix update Advisory ID: RHSA-2012:1366-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-1366.html Issue date: 2012-10-16 CVE Names: CVE-2012-3412 ===================================================================== 1. Summary: Updated kernel packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop (v. 6) - i386, noarch, x86_64 Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node (v. 6) - noarch, x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, noarch, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, noarch, x86_64 Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64 3. Description: The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issue: * A flaw was found in the way socket buffers (skb) requiring TSO (TCP segment offloading) were handled by the sfc driver. If the skb did not fit within the minimum-size of the transmission queue, the network card could repeatedly reset itself. A remote attacker could use this flaw to cause a denial of service. (CVE-2012-3412, Important) Red Hat would like to thank Ben Hutchings of Solarflare (tm) for reporting this issue. This update also fixes several bugs. Documentation for these changes will be available shortly from the Technical Notes document linked to in the References section. Users should upgrade to these updated packages, which contain backported patches to correct this issue, and fix the bugs noted in the Technical Notes. The system must be rebooted for this update to take effect. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 To install kernel packages manually, use "rpm -ivh [package]". Do not use "rpm -Uvh" as that will remove the running kernel binaries from your system. You may use "rpm -e" to remove old kernels after determining that the new kernel functions properly on your system. 5. Bugs fixed (http://bugzilla.redhat.com/): 844714 - CVE-2012-3412 kernel: sfc: potential remote denial of service through TCP MSS option 6. Package List: Red Hat Enterprise Linux Desktop (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/kernel-2.6.32-279.11.1.el6.src.rpm i386: kernel-2.6.32-279.11.1.el6.i686.rpm kernel-debug-2.6.32-279.11.1.el6.i686.rpm kernel-debug-debuginfo-2.6.32-279.11.1.el6.i686.rpm kernel-debug-devel-2.6.32-279.11.1.el6.i686.rpm kernel-debuginfo-2.6.32-279.11.1.el6.i686.rpm kernel-debuginfo-common-i686-2.6.32-279.11.1.el6.i686.rpm kernel-devel-2.6.32-279.11.1.el6.i686.rpm kernel-headers-2.6.32-279.11.1.el6.i686.rpm perf-2.6.32-279.11.1.el6.i686.rpm perf-debuginfo-2.6.32-279.11.1.el6.i686.rpm python-perf-debuginfo-2.6.32-279.11.1.el6.i686.rpm noarch: kernel-doc-2.6.32-279.11.1.el6.noarch.rpm kernel-firmware-2.6.32-279.11.1.el6.noarch.rpm x86_64: kernel-2.6.32-279.11.1.el6.x86_64.rpm kernel-debug-2.6.32-279.11.1.el6.x86_64.rpm kernel-debug-debuginfo-2.6.32-279.11.1.el6.x86_64.rpm kernel-debug-devel-2.6.32-279.11.1.el6.x86_64.rpm kernel-debuginfo-2.6.32-279.11.1.el6.x86_64.rpm kernel-debuginfo-common-x86_64-2.6.32-279.11.1.el6.x86_64.rpm kernel-devel-2.6.32-279.11.1.el6.x86_64.rpm kernel-headers-2.6.32-279.11.1.el6.x86_64.rpm perf-2.6.32-279.11.1.el6.x86_64.rpm perf-debuginfo-2.6.32-279.11.1.el6.x86_64.rpm python-perf-debuginfo-2.6.32-279.11.1.el6.x86_64.rpm Red Hat Enterprise Linux Desktop Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/kernel-2.6.32-279.11.1.el6.src.rpm i386: kernel-debug-debuginfo-2.6.32-279.11.1.el6.i686.rpm kernel-debuginfo-2.6.32-279.11.1.el6.i686.rpm kernel-debuginfo-common-i686-2.6.32-279.11.1.el6.i686.rpm perf-debuginfo-2.6.32-279.11.1.el6.i686.rpm python-perf-2.6.32-279.11.1.el6.i686.rpm python-perf-debuginfo-2.6.32-279.11.1.el6.i686.rpm x86_64: kernel-debug-debuginfo-2.6.32-279.11.1.el6.x86_64.rpm kernel-debuginfo-2.6.32-279.11.1.el6.x86_64.rpm kernel-debuginfo-common-x86_64-2.6.32-279.11.1.el6.x86_64.rpm perf-debuginfo-2.6.32-279.11.1.el6.x86_64.rpm python-perf-2.6.32-279.11.1.el6.x86_64.rpm python-perf-debuginfo-2.6.32-279.11.1.el6.x86_64.rpm Red Hat Enterprise Linux HPC Node (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/kernel-2.6.32-279.11.1.el6.src.rpm noarch: kernel-doc-2.6.32-279.11.1.el6.noarch.rpm kernel-firmware-2.6.32-279.11.1.el6.noarch.rpm x86_64: kernel-2.6.32-279.11.1.el6.x86_64.rpm kernel-debug-2.6.32-279.11.1.el6.x86_64.rpm kernel-debug-debuginfo-2.6.32-279.11.1.el6.x86_64.rpm kernel-debug-devel-2.6.32-279.11.1.el6.x86_64.rpm kernel-debuginfo-2.6.32-279.11.1.el6.x86_64.rpm kernel-debuginfo-common-x86_64-2.6.32-279.11.1.el6.x86_64.rpm kernel-devel-2.6.32-279.11.1.el6.x86_64.rpm kernel-headers-2.6.32-279.11.1.el6.x86_64.rpm perf-2.6.32-279.11.1.el6.x86_64.rpm perf-debuginfo-2.6.32-279.11.1.el6.x86_64.rpm python-perf-debuginfo-2.6.32-279.11.1.el6.x86_64.rpm Red Hat Enterprise Linux HPC Node Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/kernel-2.6.32-279.11.1.el6.src.rpm x86_64: kernel-debug-debuginfo-2.6.32-279.11.1.el6.x86_64.rpm kernel-debuginfo-2.6.32-279.11.1.el6.x86_64.rpm kernel-debuginfo-common-x86_64-2.6.32-279.11.1.el6.x86_64.rpm perf-debuginfo-2.6.32-279.11.1.el6.x86_64.rpm python-perf-2.6.32-279.11.1.el6.x86_64.rpm python-perf-debuginfo-2.6.32-279.11.1.el6.x86_64.rpm Red Hat Enterprise Linux Server (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/kernel-2.6.32-279.11.1.el6.src.rpm i386: kernel-2.6.32-279.11.1.el6.i686.rpm kernel-debug-2.6.32-279.11.1.el6.i686.rpm kernel-debug-debuginfo-2.6.32-279.11.1.el6.i686.rpm kernel-debug-devel-2.6.32-279.11.1.el6.i686.rpm kernel-debuginfo-2.6.32-279.11.1.el6.i686.rpm kernel-debuginfo-common-i686-2.6.32-279.11.1.el6.i686.rpm kernel-devel-2.6.32-279.11.1.el6.i686.rpm kernel-headers-2.6.32-279.11.1.el6.i686.rpm perf-2.6.32-279.11.1.el6.i686.rpm perf-debuginfo-2.6.32-279.11.1.el6.i686.rpm python-perf-debuginfo-2.6.32-279.11.1.el6.i686.rpm noarch: kernel-doc-2.6.32-279.11.1.el6.noarch.rpm kernel-firmware-2.6.32-279.11.1.el6.noarch.rpm ppc64: kernel-2.6.32-279.11.1.el6.ppc64.rpm kernel-bootwrapper-2.6.32-279.11.1.el6.ppc64.rpm kernel-debug-2.6.32-279.11.1.el6.ppc64.rpm kernel-debug-debuginfo-2.6.32-279.11.1.el6.ppc64.rpm kernel-debug-devel-2.6.32-279.11.1.el6.ppc64.rpm kernel-debuginfo-2.6.32-279.11.1.el6.ppc64.rpm kernel-debuginfo-common-ppc64-2.6.32-279.11.1.el6.ppc64.rpm kernel-devel-2.6.32-279.11.1.el6.ppc64.rpm kernel-headers-2.6.32-279.11.1.el6.ppc64.rpm perf-2.6.32-279.11.1.el6.ppc64.rpm perf-debuginfo-2.6.32-279.11.1.el6.ppc64.rpm python-perf-debuginfo-2.6.32-279.11.1.el6.ppc64.rpm s390x: kernel-2.6.32-279.11.1.el6.s390x.rpm kernel-debug-2.6.32-279.11.1.el6.s390x.rpm kernel-debug-debuginfo-2.6.32-279.11.1.el6.s390x.rpm kernel-debug-devel-2.6.32-279.11.1.el6.s390x.rpm kernel-debuginfo-2.6.32-279.11.1.el6.s390x.rpm kernel-debuginfo-common-s390x-2.6.32-279.11.1.el6.s390x.rpm kernel-devel-2.6.32-279.11.1.el6.s390x.rpm kernel-headers-2.6.32-279.11.1.el6.s390x.rpm kernel-kdump-2.6.32-279.11.1.el6.s390x.rpm kernel-kdump-debuginfo-2.6.32-279.11.1.el6.s390x.rpm kernel-kdump-devel-2.6.32-279.11.1.el6.s390x.rpm perf-2.6.32-279.11.1.el6.s390x.rpm perf-debuginfo-2.6.32-279.11.1.el6.s390x.rpm python-perf-debuginfo-2.6.32-279.11.1.el6.s390x.rpm x86_64: kernel-2.6.32-279.11.1.el6.x86_64.rpm kernel-debug-2.6.32-279.11.1.el6.x86_64.rpm kernel-debug-debuginfo-2.6.32-279.11.1.el6.x86_64.rpm kernel-debug-devel-2.6.32-279.11.1.el6.x86_64.rpm kernel-debuginfo-2.6.32-279.11.1.el6.x86_64.rpm kernel-debuginfo-common-x86_64-2.6.32-279.11.1.el6.x86_64.rpm kernel-devel-2.6.32-279.11.1.el6.x86_64.rpm kernel-headers-2.6.32-279.11.1.el6.x86_64.rpm perf-2.6.32-279.11.1.el6.x86_64.rpm perf-debuginfo-2.6.32-279.11.1.el6.x86_64.rpm python-perf-debuginfo-2.6.32-279.11.1.el6.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/kernel-2.6.32-279.11.1.el6.src.rpm i386: kernel-debug-debuginfo-2.6.32-279.11.1.el6.i686.rpm kernel-debuginfo-2.6.32-279.11.1.el6.i686.rpm kernel-debuginfo-common-i686-2.6.32-279.11.1.el6.i686.rpm perf-debuginfo-2.6.32-279.11.1.el6.i686.rpm python-perf-2.6.32-279.11.1.el6.i686.rpm python-perf-debuginfo-2.6.32-279.11.1.el6.i686.rpm ppc64: kernel-debug-debuginfo-2.6.32-279.11.1.el6.ppc64.rpm kernel-debuginfo-2.6.32-279.11.1.el6.ppc64.rpm kernel-debuginfo-common-ppc64-2.6.32-279.11.1.el6.ppc64.rpm perf-debuginfo-2.6.32-279.11.1.el6.ppc64.rpm python-perf-2.6.32-279.11.1.el6.ppc64.rpm python-perf-debuginfo-2.6.32-279.11.1.el6.ppc64.rpm s390x: kernel-debug-debuginfo-2.6.32-279.11.1.el6.s390x.rpm kernel-debuginfo-2.6.32-279.11.1.el6.s390x.rpm kernel-debuginfo-common-s390x-2.6.32-279.11.1.el6.s390x.rpm kernel-kdump-debuginfo-2.6.32-279.11.1.el6.s390x.rpm perf-debuginfo-2.6.32-279.11.1.el6.s390x.rpm python-perf-2.6.32-279.11.1.el6.s390x.rpm python-perf-debuginfo-2.6.32-279.11.1.el6.s390x.rpm x86_64: kernel-debug-debuginfo-2.6.32-279.11.1.el6.x86_64.rpm kernel-debuginfo-2.6.32-279.11.1.el6.x86_64.rpm kernel-debuginfo-common-x86_64-2.6.32-279.11.1.el6.x86_64.rpm perf-debuginfo-2.6.32-279.11.1.el6.x86_64.rpm python-perf-2.6.32-279.11.1.el6.x86_64.rpm python-perf-debuginfo-2.6.32-279.11.1.el6.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/kernel-2.6.32-279.11.1.el6.src.rpm i386: kernel-2.6.32-279.11.1.el6.i686.rpm kernel-debug-2.6.32-279.11.1.el6.i686.rpm kernel-debug-debuginfo-2.6.32-279.11.1.el6.i686.rpm kernel-debug-devel-2.6.32-279.11.1.el6.i686.rpm kernel-debuginfo-2.6.32-279.11.1.el6.i686.rpm kernel-debuginfo-common-i686-2.6.32-279.11.1.el6.i686.rpm kernel-devel-2.6.32-279.11.1.el6.i686.rpm kernel-headers-2.6.32-279.11.1.el6.i686.rpm perf-2.6.32-279.11.1.el6.i686.rpm perf-debuginfo-2.6.32-279.11.1.el6.i686.rpm python-perf-debuginfo-2.6.32-279.11.1.el6.i686.rpm noarch: kernel-doc-2.6.32-279.11.1.el6.noarch.rpm kernel-firmware-2.6.32-279.11.1.el6.noarch.rpm x86_64: kernel-2.6.32-279.11.1.el6.x86_64.rpm kernel-debug-2.6.32-279.11.1.el6.x86_64.rpm kernel-debug-debuginfo-2.6.32-279.11.1.el6.x86_64.rpm kernel-debug-devel-2.6.32-279.11.1.el6.x86_64.rpm kernel-debuginfo-2.6.32-279.11.1.el6.x86_64.rpm kernel-debuginfo-common-x86_64-2.6.32-279.11.1.el6.x86_64.rpm kernel-devel-2.6.32-279.11.1.el6.x86_64.rpm kernel-headers-2.6.32-279.11.1.el6.x86_64.rpm perf-2.6.32-279.11.1.el6.x86_64.rpm perf-debuginfo-2.6.32-279.11.1.el6.x86_64.rpm python-perf-debuginfo-2.6.32-279.11.1.el6.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/kernel-2.6.32-279.11.1.el6.src.rpm i386: kernel-debug-debuginfo-2.6.32-279.11.1.el6.i686.rpm kernel-debuginfo-2.6.32-279.11.1.el6.i686.rpm kernel-debuginfo-common-i686-2.6.32-279.11.1.el6.i686.rpm perf-debuginfo-2.6.32-279.11.1.el6.i686.rpm python-perf-2.6.32-279.11.1.el6.i686.rpm python-perf-debuginfo-2.6.32-279.11.1.el6.i686.rpm x86_64: kernel-debug-debuginfo-2.6.32-279.11.1.el6.x86_64.rpm kernel-debuginfo-2.6.32-279.11.1.el6.x86_64.rpm kernel-debuginfo-common-x86_64-2.6.32-279.11.1.el6.x86_64.rpm perf-debuginfo-2.6.32-279.11.1.el6.x86_64.rpm python-perf-2.6.32-279.11.1.el6.x86_64.rpm python-perf-debuginfo-2.6.32-279.11.1.el6.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2012-3412.html https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/6.3_Technical_Notes/kernel.html#RHSA-2012-1366 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2012 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFQfXl0XlSAg2UNWIIRAjznAJ42hJPNKpm2PRWnFAncyQ015McPTACeLGkd ReEFJy9WRv1Ja/4GGDo6Tnk= =Bq90 -----END PGP SIGNATURE----- From bugzilla at redhat.com Tue Oct 16 17:58:38 2012 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Tue, 16 Oct 2012 17:58:38 +0000 Subject: [RHSA-2012:1378-01] Important: openstack-keystone security update Message-ID: <201210161758.q9GHwcNq024999@int-mx09.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: openstack-keystone security update Advisory ID: RHSA-2012:1378-01 Product: Red Hat OpenStack Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-1378.html Issue date: 2012-10-16 CVE Names: CVE-2012-3542 CVE-2012-4413 CVE-2012-4456 CVE-2012-4457 ===================================================================== 1. Summary: Updated openstack-keystone packages that fix multiple security issues are now available for Red Hat OpenStack Essex. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: RHOS Essex Release - noarch 3. Description: Keystone is a Python implementation of the OpenStack (http://www.openstack.org) identity service API. It was found that Keystone incorrectly handled authorization failures. If a client attempted to change their tenant membership to one they are not authorized to join, Keystone correctly returned a not authorized error; however, the client was still added to the tenant. Users able to access the Keystone administrative API could use this flaw to add any user to any tenant. (CVE-2012-3542) When logging into Keystone, the user receives a token to use for authentication with other services managed by Keystone. It was found that Keystone failed to revoke tokens if privileges were revoked, allowing users to retain access to resources they should no longer be able to access while their token remains valid. (CVE-2012-4413) It was found that the Keystone administrative API was missing authentication for certain actions. Users able to access the Keystone administrative API could use this flaw to add, start, and stop services, as well as list the roles for any user. (CVE-2012-4456) It was found that Keystone incorrectly handled disabled tenants. A user belonging to a disabled tenant could use this flaw to continue accessing resources as if the tenant were not disabled. (CVE-2012-4457) Red Hat would like to thank Dolph Mathews for reporting CVE-2012-3542 and CVE-2012-4413. All users of openstack-keystone are advised to upgrade to these updated packages, which upgrade openstack-keystone to upstream version 2012.1.2 and correct these issues. After installing the updated packages, the Keystone service (openstack-keystone) will be restarted automatically. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 5. Bugs fixed (http://bugzilla.redhat.com/): 852510 - CVE-2012-3542 OpenStack Keystone: Lack of authorization for adding users to tenants 855491 - CVE-2012-4413 OpenStack-Keystone: role revocation token issues 861179 - CVE-2012-4456 Openstack Keystone 2012.1.1: fails to validate tokens in Admin API 861180 - CVE-2012-4457 OpenStack Keystone 2012.1.1: fails to raise Unauthorized user error for disabled tenant 6. Package List: RHOS Essex Release: Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHOS/SRPMS/openstack-keystone-2012.1.2-4.el6.src.rpm noarch: openstack-keystone-2012.1.2-4.el6.noarch.rpm openstack-keystone-doc-2012.1.2-4.el6.noarch.rpm python-keystone-2012.1.2-4.el6.noarch.rpm python-keystone-auth-token-2012.1.2-4.el6.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2012-3542.html https://www.redhat.com/security/data/cve/CVE-2012-4413.html https://www.redhat.com/security/data/cve/CVE-2012-4456.html https://www.redhat.com/security/data/cve/CVE-2012-4457.html https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2012 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFQfaASXlSAg2UNWIIRAlmyAJ9YE/4jNRDDrU18rjynELDlw52hgACeOp5r e2Q/ySsu1TmMhaCBp8zJVtg= =7DOl -----END PGP SIGNATURE----- From bugzilla at redhat.com Tue Oct 16 17:59:28 2012 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Tue, 16 Oct 2012 17:59:28 +0000 Subject: [RHSA-2012:1379-01] Important: openstack-swift security update Message-ID: <201210161759.q9GHxSU2018159@int-mx11.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: openstack-swift security update Advisory ID: RHSA-2012:1379-01 Product: Red Hat OpenStack Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-1379.html Issue date: 2012-10-16 CVE Names: CVE-2012-4406 ===================================================================== 1. Summary: Updated openstack-swift packages that fix one security issue are now available for Red Hat OpenStack Essex. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: RHOS Essex Release - noarch 3. Description: OpenStack Swift (http://swift.openstack.org) is a highly available, distributed, eventually consistent object/blob store. It was found that OpenStack Swift used the Python pickle module in an insecure way to serialize and deserialize data from memcached. As memcached does not have authentication, an attacker on the local network, or possibly an unprivileged user in a virtual machine hosted on OpenStack, could use this flaw to inject specially-crafted data that would lead to arbitrary code execution. (CVE-2012-4406) Red Hat would like to thank Sebastian Krahmer of the SUSE Security Team for reporting this issue. Note: The fix for CVE-2012-4406 is not enabled by default, and requires manual action on the affected Proxy nodes. This update adds a "memcache_serialization_support" option. It is configured in "/etc/swift/proxy-server.conf" and is set to "0" by default. This default setting is vulnerable to CVE-2012-4406. To enable the fix, this option must be changed; however, the required changes can have a temporary, large performance impact. The following instructions aim to minimize performance issues: 1) Install the updated openstack-swift packages. 2) In "/etc/swift/proxy-server.conf", set the "memcache_serialization_support" option in the memcache/[filter:cache] section to "1". (The default value, "0", leaves you vulnerable to CVE-2012-4406.) When set to "1", the JSON (JavaScript Object Notation) format is used but pickle is still supported. This configuration is still vulnerable, but new data will be stored in JSON format. 3) After setting the option to "1", run "service openstack-swift-proxy restart". 4) After 24 hours, set the "memcache_serialization_support" option in "/etc/swift/proxy-server.conf" to "2". "2" is the secure option: only JSON is used. 5) After setting the option to "2", run "service openstack-swift-proxy restart". If "memcache_serialization_support" is set directly from "0" to "2", all data in memcached will be flushed and re-created. This can lead to a temporary, large performance impact. All users of openstack-swift are advised to upgrade to these updated packages, which correct this issue. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 5. Bugs fixed (http://bugzilla.redhat.com/): 854757 - CVE-2012-4406 Openstack-Swift: insecure use of python pickle() 6. Package List: RHOS Essex Release: Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHOS/SRPMS/openstack-swift-1.4.8-5.el6.src.rpm noarch: openstack-swift-1.4.8-5.el6.noarch.rpm openstack-swift-account-1.4.8-5.el6.noarch.rpm openstack-swift-container-1.4.8-5.el6.noarch.rpm openstack-swift-doc-1.4.8-5.el6.noarch.rpm openstack-swift-object-1.4.8-5.el6.noarch.rpm openstack-swift-proxy-1.4.8-5.el6.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2012-4406.html https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2012 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFQfaBXXlSAg2UNWIIRAvLbAKColdZiv5oB0VKjkGi6qVuBcoC/9gCeKACf nS6/o9bHcfhFdiQvnwsIxdE= =420G -----END PGP SIGNATURE----- From bugzilla at redhat.com Tue Oct 16 18:00:02 2012 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Tue, 16 Oct 2012 18:00:02 +0000 Subject: [RHSA-2012:1380-01] Low: python-django-horizon security update Message-ID: <201210161800.q9GI02al031318@int-mx01.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Low: python-django-horizon security update Advisory ID: RHSA-2012:1380-01 Product: Red Hat OpenStack Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-1380.html Issue date: 2012-10-16 CVE Names: CVE-2012-3540 ===================================================================== 1. Summary: Updated python-django-horizon packages that fix one security issue are now available for Red Hat OpenStack Essex. The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: RHOS Essex Release - noarch 3. Description: Horizon is the OpenStack Dashboard (http://www.openstack.org), a web interface for managing OpenStack services. An open redirect flaw was found in the way Horizon handled authentication. A remote attacker able to trick a victim into opening the Horizon login page using a specially-crafted link could redirect the victim to an arbitrary web page, and conduct phishing attacks, after the victim successfully logs in. (CVE-2012-3540) Red Hat would like to thank Thomas Biege of SUSE for reporting this issue. All users of Horizon are advised to upgrade to these updated packages, which correct this issue. After installing the updated packages, the httpd daemon must be restarted ("service httpd restart") for the update to take effect. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 5. Bugs fixed (http://bugzilla.redhat.com/): 852246 - CVE-2012-3540 OpenStack-Horizon: Open redirect through 'next' parameter 6. Package List: RHOS Essex Release: Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHOS/SRPMS/python-django-horizon-2012.1.1-3.el6.src.rpm noarch: openstack-dashboard-2012.1.1-3.el6.noarch.rpm python-django-horizon-2012.1.1-3.el6.noarch.rpm python-django-horizon-doc-2012.1.1-3.el6.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2012-3540.html https://access.redhat.com/security/updates/classification/#low 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2012 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFQfaCIXlSAg2UNWIIRAswWAJ9F5A7Wz/G5z5CDcMB7oQoV2vNVKwCfZ12Z Bc5ONjpnfdFdFr5DjA78uMI= =Iach -----END PGP SIGNATURE----- From bugzilla at redhat.com Wed Oct 17 16:17:00 2012 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Wed, 17 Oct 2012 16:17:00 +0000 Subject: [RHSA-2012:1384-01] Critical: java-1.6.0-openjdk security update Message-ID: <201210171617.q9HGH1CZ001162@int-mx09.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Critical: java-1.6.0-openjdk security update Advisory ID: RHSA-2012:1384-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-1384.html Issue date: 2012-10-17 CVE Names: CVE-2012-3216 CVE-2012-4416 CVE-2012-5068 CVE-2012-5069 CVE-2012-5071 CVE-2012-5072 CVE-2012-5073 CVE-2012-5075 CVE-2012-5077 CVE-2012-5079 CVE-2012-5081 CVE-2012-5084 CVE-2012-5085 CVE-2012-5086 CVE-2012-5089 ===================================================================== 1. Summary: Updated java-1.6.0-openjdk packages that fix several security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node (v. 6) - x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, x86_64 Red Hat Enterprise Linux Server Optional (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64 3. Description: These packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software Development Kit. Multiple improper permission check issues were discovered in the Beans, Swing, and JMX components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2012-5086, CVE-2012-5084, CVE-2012-5089) Multiple improper permission check issues were discovered in the Scripting, JMX, Concurrency, Libraries, and Security components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2012-5068, CVE-2012-5071, CVE-2012-5069, CVE-2012-5073, CVE-2012-5072) It was discovered that java.util.ServiceLoader could create an instance of an incompatible class while performing provider lookup. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. (CVE-2012-5079) It was discovered that the Java Secure Socket Extension (JSSE) SSL/TLS implementation did not properly handle handshake records containing an overly large data length value. An unauthenticated, remote attacker could possibly use this flaw to cause an SSL/TLS server to terminate with an exception. (CVE-2012-5081) It was discovered that the JMX component in OpenJDK could perform certain actions in an insecure manner. An untrusted Java application or applet could possibly use this flaw to disclose sensitive information. (CVE-2012-5075) A bug in the Java HotSpot Virtual Machine optimization code could cause it to not perform array initialization in certain cases. An untrusted Java application or applet could use this flaw to disclose portions of the virtual machine's memory. (CVE-2012-4416) It was discovered that the SecureRandom class did not properly protect against the creation of multiple seeders. An untrusted Java application or applet could possibly use this flaw to disclose sensitive information. (CVE-2012-5077) It was discovered that the java.io.FilePermission class exposed the hash code of the canonicalized path name. An untrusted Java application or applet could possibly use this flaw to determine certain system paths, such as the current working directory. (CVE-2012-3216) This update disables Gopher protocol support in the java.net package by default. Gopher support can be enabled by setting the newly introduced property, "jdk.net.registerGopherProtocol", to true. (CVE-2012-5085) Note: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website. This erratum also upgrades the OpenJDK package to IcedTea6 1.11.5. Refer to the NEWS file, linked to in the References, for further information. All users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 5. Bugs fixed (http://bugzilla.redhat.com/): 856124 - CVE-2012-4416 OpenJDK: uninitialized Array JVM memory disclosure (Hotspot, 7198606) 865346 - CVE-2012-3216 OpenJDK: java.io.FilePermission information leak (Libraries, 6631398) 865348 - CVE-2012-5068 OpenJDK: RhinoScriptEngine security bypass (Scripting, 7143535) 865354 - CVE-2012-5077 OpenJDK: SecureRandom mulitple seeders information disclosure (Security, 7167656) 865357 - CVE-2012-5073 OpenJDK: LogManager security bypass (Libraries, 7169884) 865363 - CVE-2012-5075 OpenJDK: RMIConnectionImpl information disclosure (JMX, 7169888) 865365 - CVE-2012-5072 OpenJDK: AccessController.doPrivilegedWithCombiner() information disclosure (Security, 7172522) 865370 - CVE-2012-5081 OpenJDK: JSSE denial of service (JSSE, 7186286) 865428 - CVE-2012-5086 OpenJDK: XMLDecoder sandbox restriction bypass (Beans, 7195917) 865511 - CVE-2012-5084 OpenJDK: DefaultFormatter insufficient data validation (Swing, 7195194) 865514 - CVE-2012-5089 OpenJDK: RMIConnectionImpl insufficient access control checks (JMX, 7198296) 865519 - CVE-2012-5071 OpenJDK: DescriptorSupport insufficient package access checks (JMX, 7192975) 865531 - CVE-2012-5069 OpenJDK: Executors state handling issues (Concurrency, 7189103) 865541 - CVE-2012-5085 OpenJDK: disable Gopher support by default (Gopher, 7189567) 865568 - CVE-2012-5079 OpenJDK: ServiceLoader reject not subtype classes without instantiating (Libraries, 7195919) 6. Package List: Red Hat Enterprise Linux Desktop (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/java-1.6.0-openjdk-1.6.0.0-1.50.1.11.5.el6_3.src.rpm i386: java-1.6.0-openjdk-1.6.0.0-1.50.1.11.5.el6_3.i686.rpm java-1.6.0-openjdk-debuginfo-1.6.0.0-1.50.1.11.5.el6_3.i686.rpm x86_64: java-1.6.0-openjdk-1.6.0.0-1.50.1.11.5.el6_3.x86_64.rpm java-1.6.0-openjdk-debuginfo-1.6.0.0-1.50.1.11.5.el6_3.x86_64.rpm Red Hat Enterprise Linux Desktop Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/java-1.6.0-openjdk-1.6.0.0-1.50.1.11.5.el6_3.src.rpm i386: java-1.6.0-openjdk-debuginfo-1.6.0.0-1.50.1.11.5.el6_3.i686.rpm java-1.6.0-openjdk-demo-1.6.0.0-1.50.1.11.5.el6_3.i686.rpm java-1.6.0-openjdk-devel-1.6.0.0-1.50.1.11.5.el6_3.i686.rpm java-1.6.0-openjdk-javadoc-1.6.0.0-1.50.1.11.5.el6_3.i686.rpm java-1.6.0-openjdk-src-1.6.0.0-1.50.1.11.5.el6_3.i686.rpm x86_64: java-1.6.0-openjdk-debuginfo-1.6.0.0-1.50.1.11.5.el6_3.x86_64.rpm java-1.6.0-openjdk-demo-1.6.0.0-1.50.1.11.5.el6_3.x86_64.rpm java-1.6.0-openjdk-devel-1.6.0.0-1.50.1.11.5.el6_3.x86_64.rpm java-1.6.0-openjdk-javadoc-1.6.0.0-1.50.1.11.5.el6_3.x86_64.rpm java-1.6.0-openjdk-src-1.6.0.0-1.50.1.11.5.el6_3.x86_64.rpm Red Hat Enterprise Linux HPC Node (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/java-1.6.0-openjdk-1.6.0.0-1.50.1.11.5.el6_3.src.rpm x86_64: java-1.6.0-openjdk-1.6.0.0-1.50.1.11.5.el6_3.x86_64.rpm java-1.6.0-openjdk-debuginfo-1.6.0.0-1.50.1.11.5.el6_3.x86_64.rpm Red Hat Enterprise Linux HPC Node Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/java-1.6.0-openjdk-1.6.0.0-1.50.1.11.5.el6_3.src.rpm x86_64: java-1.6.0-openjdk-debuginfo-1.6.0.0-1.50.1.11.5.el6_3.x86_64.rpm java-1.6.0-openjdk-demo-1.6.0.0-1.50.1.11.5.el6_3.x86_64.rpm java-1.6.0-openjdk-devel-1.6.0.0-1.50.1.11.5.el6_3.x86_64.rpm java-1.6.0-openjdk-javadoc-1.6.0.0-1.50.1.11.5.el6_3.x86_64.rpm java-1.6.0-openjdk-src-1.6.0.0-1.50.1.11.5.el6_3.x86_64.rpm Red Hat Enterprise Linux Server (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/java-1.6.0-openjdk-1.6.0.0-1.50.1.11.5.el6_3.src.rpm i386: java-1.6.0-openjdk-1.6.0.0-1.50.1.11.5.el6_3.i686.rpm java-1.6.0-openjdk-debuginfo-1.6.0.0-1.50.1.11.5.el6_3.i686.rpm java-1.6.0-openjdk-devel-1.6.0.0-1.50.1.11.5.el6_3.i686.rpm java-1.6.0-openjdk-javadoc-1.6.0.0-1.50.1.11.5.el6_3.i686.rpm x86_64: java-1.6.0-openjdk-1.6.0.0-1.50.1.11.5.el6_3.x86_64.rpm java-1.6.0-openjdk-debuginfo-1.6.0.0-1.50.1.11.5.el6_3.x86_64.rpm java-1.6.0-openjdk-devel-1.6.0.0-1.50.1.11.5.el6_3.x86_64.rpm java-1.6.0-openjdk-javadoc-1.6.0.0-1.50.1.11.5.el6_3.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/java-1.6.0-openjdk-1.6.0.0-1.50.1.11.5.el6_3.src.rpm i386: java-1.6.0-openjdk-debuginfo-1.6.0.0-1.50.1.11.5.el6_3.i686.rpm java-1.6.0-openjdk-demo-1.6.0.0-1.50.1.11.5.el6_3.i686.rpm java-1.6.0-openjdk-src-1.6.0.0-1.50.1.11.5.el6_3.i686.rpm x86_64: java-1.6.0-openjdk-debuginfo-1.6.0.0-1.50.1.11.5.el6_3.x86_64.rpm java-1.6.0-openjdk-demo-1.6.0.0-1.50.1.11.5.el6_3.x86_64.rpm java-1.6.0-openjdk-src-1.6.0.0-1.50.1.11.5.el6_3.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/java-1.6.0-openjdk-1.6.0.0-1.50.1.11.5.el6_3.src.rpm i386: java-1.6.0-openjdk-1.6.0.0-1.50.1.11.5.el6_3.i686.rpm java-1.6.0-openjdk-debuginfo-1.6.0.0-1.50.1.11.5.el6_3.i686.rpm java-1.6.0-openjdk-devel-1.6.0.0-1.50.1.11.5.el6_3.i686.rpm java-1.6.0-openjdk-javadoc-1.6.0.0-1.50.1.11.5.el6_3.i686.rpm x86_64: java-1.6.0-openjdk-1.6.0.0-1.50.1.11.5.el6_3.x86_64.rpm java-1.6.0-openjdk-debuginfo-1.6.0.0-1.50.1.11.5.el6_3.x86_64.rpm java-1.6.0-openjdk-devel-1.6.0.0-1.50.1.11.5.el6_3.x86_64.rpm java-1.6.0-openjdk-javadoc-1.6.0.0-1.50.1.11.5.el6_3.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/java-1.6.0-openjdk-1.6.0.0-1.50.1.11.5.el6_3.src.rpm i386: java-1.6.0-openjdk-debuginfo-1.6.0.0-1.50.1.11.5.el6_3.i686.rpm java-1.6.0-openjdk-demo-1.6.0.0-1.50.1.11.5.el6_3.i686.rpm java-1.6.0-openjdk-src-1.6.0.0-1.50.1.11.5.el6_3.i686.rpm x86_64: java-1.6.0-openjdk-debuginfo-1.6.0.0-1.50.1.11.5.el6_3.x86_64.rpm java-1.6.0-openjdk-demo-1.6.0.0-1.50.1.11.5.el6_3.x86_64.rpm java-1.6.0-openjdk-src-1.6.0.0-1.50.1.11.5.el6_3.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2012-3216.html https://www.redhat.com/security/data/cve/CVE-2012-4416.html https://www.redhat.com/security/data/cve/CVE-2012-5068.html https://www.redhat.com/security/data/cve/CVE-2012-5069.html https://www.redhat.com/security/data/cve/CVE-2012-5071.html https://www.redhat.com/security/data/cve/CVE-2012-5072.html https://www.redhat.com/security/data/cve/CVE-2012-5073.html https://www.redhat.com/security/data/cve/CVE-2012-5075.html https://www.redhat.com/security/data/cve/CVE-2012-5077.html https://www.redhat.com/security/data/cve/CVE-2012-5079.html https://www.redhat.com/security/data/cve/CVE-2012-5081.html https://www.redhat.com/security/data/cve/CVE-2012-5084.html https://www.redhat.com/security/data/cve/CVE-2012-5085.html https://www.redhat.com/security/data/cve/CVE-2012-5086.html https://www.redhat.com/security/data/cve/CVE-2012-5089.html https://access.redhat.com/security/updates/classification/#critical http://icedtea.classpath.org/hg/release/icedtea6-1.11/file/icedtea6-1.11.5/NEWS http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2012 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFQftnqXlSAg2UNWIIRAjiMAJ9fURghELdTR+Cc8Y57xJQNW0E6RACfaKRO sA1k2caLD2R40zVc9Rc7HIY= =1eL6 -----END PGP SIGNATURE----- From bugzilla at redhat.com Wed Oct 17 16:17:35 2012 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Wed, 17 Oct 2012 16:17:35 +0000 Subject: [RHSA-2012:1385-01] Important: java-1.6.0-openjdk security update Message-ID: <201210171617.q9HGHZfH028465@int-mx11.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: java-1.6.0-openjdk security update Advisory ID: RHSA-2012:1385-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-1385.html Issue date: 2012-10-17 CVE Names: CVE-2012-3216 CVE-2012-4416 CVE-2012-5068 CVE-2012-5069 CVE-2012-5071 CVE-2012-5072 CVE-2012-5073 CVE-2012-5075 CVE-2012-5077 CVE-2012-5079 CVE-2012-5081 CVE-2012-5084 CVE-2012-5085 CVE-2012-5086 CVE-2012-5089 ===================================================================== 1. Summary: Updated java-1.6.0-openjdk packages that fix several security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux (v. 5 server) - i386, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 3. Description: These packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software Development Kit. Multiple improper permission check issues were discovered in the Beans, Swing, and JMX components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2012-5086, CVE-2012-5084, CVE-2012-5089) Multiple improper permission check issues were discovered in the Scripting, JMX, Concurrency, Libraries, and Security components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2012-5068, CVE-2012-5071, CVE-2012-5069, CVE-2012-5073, CVE-2012-5072) It was discovered that java.util.ServiceLoader could create an instance of an incompatible class while performing provider lookup. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. (CVE-2012-5079) It was discovered that the Java Secure Socket Extension (JSSE) SSL/TLS implementation did not properly handle handshake records containing an overly large data length value. An unauthenticated, remote attacker could possibly use this flaw to cause an SSL/TLS server to terminate with an exception. (CVE-2012-5081) It was discovered that the JMX component in OpenJDK could perform certain actions in an insecure manner. An untrusted Java application or applet could possibly use this flaw to disclose sensitive information. (CVE-2012-5075) A bug in the Java HotSpot Virtual Machine optimization code could cause it to not perform array initialization in certain cases. An untrusted Java application or applet could use this flaw to disclose portions of the virtual machine's memory. (CVE-2012-4416) It was discovered that the SecureRandom class did not properly protect against the creation of multiple seeders. An untrusted Java application or applet could possibly use this flaw to disclose sensitive information. (CVE-2012-5077) It was discovered that the java.io.FilePermission class exposed the hash code of the canonicalized path name. An untrusted Java application or applet could possibly use this flaw to determine certain system paths, such as the current working directory. (CVE-2012-3216) This update disables Gopher protocol support in the java.net package by default. Gopher support can be enabled by setting the newly introduced property, "jdk.net.registerGopherProtocol", to true. (CVE-2012-5085) This erratum also upgrades the OpenJDK package to IcedTea6 1.10.10. Refer to the NEWS file, linked to in the References, for further information. All users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 5. Bugs fixed (http://bugzilla.redhat.com/): 856124 - CVE-2012-4416 OpenJDK: uninitialized Array JVM memory disclosure (Hotspot, 7198606) 865346 - CVE-2012-3216 OpenJDK: java.io.FilePermission information leak (Libraries, 6631398) 865348 - CVE-2012-5068 OpenJDK: RhinoScriptEngine security bypass (Scripting, 7143535) 865354 - CVE-2012-5077 OpenJDK: SecureRandom mulitple seeders information disclosure (Security, 7167656) 865357 - CVE-2012-5073 OpenJDK: LogManager security bypass (Libraries, 7169884) 865363 - CVE-2012-5075 OpenJDK: RMIConnectionImpl information disclosure (JMX, 7169888) 865365 - CVE-2012-5072 OpenJDK: AccessController.doPrivilegedWithCombiner() information disclosure (Security, 7172522) 865370 - CVE-2012-5081 OpenJDK: JSSE denial of service (JSSE, 7186286) 865428 - CVE-2012-5086 OpenJDK: XMLDecoder sandbox restriction bypass (Beans, 7195917) 865511 - CVE-2012-5084 OpenJDK: DefaultFormatter insufficient data validation (Swing, 7195194) 865514 - CVE-2012-5089 OpenJDK: RMIConnectionImpl insufficient access control checks (JMX, 7198296) 865519 - CVE-2012-5071 OpenJDK: DescriptorSupport insufficient package access checks (JMX, 7192975) 865531 - CVE-2012-5069 OpenJDK: Executors state handling issues (Concurrency, 7189103) 865541 - CVE-2012-5085 OpenJDK: disable Gopher support by default (Gopher, 7189567) 865568 - CVE-2012-5079 OpenJDK: ServiceLoader reject not subtype classes without instantiating (Libraries, 7195919) 6. Package List: Red Hat Enterprise Linux Desktop (v. 5 client): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/java-1.6.0-openjdk-1.6.0.0-1.28.1.10.10.el5_8.src.rpm i386: java-1.6.0-openjdk-1.6.0.0-1.28.1.10.10.el5_8.i386.rpm java-1.6.0-openjdk-debuginfo-1.6.0.0-1.28.1.10.10.el5_8.i386.rpm java-1.6.0-openjdk-demo-1.6.0.0-1.28.1.10.10.el5_8.i386.rpm java-1.6.0-openjdk-devel-1.6.0.0-1.28.1.10.10.el5_8.i386.rpm java-1.6.0-openjdk-javadoc-1.6.0.0-1.28.1.10.10.el5_8.i386.rpm java-1.6.0-openjdk-src-1.6.0.0-1.28.1.10.10.el5_8.i386.rpm x86_64: java-1.6.0-openjdk-1.6.0.0-1.28.1.10.10.el5_8.x86_64.rpm java-1.6.0-openjdk-debuginfo-1.6.0.0-1.28.1.10.10.el5_8.x86_64.rpm java-1.6.0-openjdk-demo-1.6.0.0-1.28.1.10.10.el5_8.x86_64.rpm java-1.6.0-openjdk-devel-1.6.0.0-1.28.1.10.10.el5_8.x86_64.rpm java-1.6.0-openjdk-javadoc-1.6.0.0-1.28.1.10.10.el5_8.x86_64.rpm java-1.6.0-openjdk-src-1.6.0.0-1.28.1.10.10.el5_8.x86_64.rpm Red Hat Enterprise Linux (v. 5 server): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/java-1.6.0-openjdk-1.6.0.0-1.28.1.10.10.el5_8.src.rpm i386: java-1.6.0-openjdk-1.6.0.0-1.28.1.10.10.el5_8.i386.rpm java-1.6.0-openjdk-debuginfo-1.6.0.0-1.28.1.10.10.el5_8.i386.rpm java-1.6.0-openjdk-demo-1.6.0.0-1.28.1.10.10.el5_8.i386.rpm java-1.6.0-openjdk-devel-1.6.0.0-1.28.1.10.10.el5_8.i386.rpm java-1.6.0-openjdk-javadoc-1.6.0.0-1.28.1.10.10.el5_8.i386.rpm java-1.6.0-openjdk-src-1.6.0.0-1.28.1.10.10.el5_8.i386.rpm x86_64: java-1.6.0-openjdk-1.6.0.0-1.28.1.10.10.el5_8.x86_64.rpm java-1.6.0-openjdk-debuginfo-1.6.0.0-1.28.1.10.10.el5_8.x86_64.rpm java-1.6.0-openjdk-demo-1.6.0.0-1.28.1.10.10.el5_8.x86_64.rpm java-1.6.0-openjdk-devel-1.6.0.0-1.28.1.10.10.el5_8.x86_64.rpm java-1.6.0-openjdk-javadoc-1.6.0.0-1.28.1.10.10.el5_8.x86_64.rpm java-1.6.0-openjdk-src-1.6.0.0-1.28.1.10.10.el5_8.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2012-3216.html https://www.redhat.com/security/data/cve/CVE-2012-4416.html https://www.redhat.com/security/data/cve/CVE-2012-5068.html https://www.redhat.com/security/data/cve/CVE-2012-5069.html https://www.redhat.com/security/data/cve/CVE-2012-5071.html https://www.redhat.com/security/data/cve/CVE-2012-5072.html https://www.redhat.com/security/data/cve/CVE-2012-5073.html https://www.redhat.com/security/data/cve/CVE-2012-5075.html https://www.redhat.com/security/data/cve/CVE-2012-5077.html https://www.redhat.com/security/data/cve/CVE-2012-5079.html https://www.redhat.com/security/data/cve/CVE-2012-5081.html https://www.redhat.com/security/data/cve/CVE-2012-5084.html https://www.redhat.com/security/data/cve/CVE-2012-5085.html https://www.redhat.com/security/data/cve/CVE-2012-5086.html https://www.redhat.com/security/data/cve/CVE-2012-5089.html https://access.redhat.com/security/updates/classification/#important http://icedtea.classpath.org/hg/release/icedtea6-1.10/file/icedtea6-1.10.10/NEWS http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2012 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFQftoKXlSAg2UNWIIRAlxMAJ4+4H1sLrKcMHwCn+Dlg2sZc4GxwACfVAI/ p/e+cXPH/rQkcx4meVul1Ro= =o5MM -----END PGP SIGNATURE----- From bugzilla at redhat.com Wed Oct 17 16:18:11 2012 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Wed, 17 Oct 2012 16:18:11 +0000 Subject: [RHSA-2012:1386-01] Important: java-1.7.0-openjdk security update Message-ID: <201210171618.q9HGIBxn001992@int-mx10.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: java-1.7.0-openjdk security update Advisory ID: RHSA-2012:1386-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-1386.html Issue date: 2012-10-17 CVE Names: CVE-2012-3216 CVE-2012-4416 CVE-2012-5068 CVE-2012-5069 CVE-2012-5070 CVE-2012-5071 CVE-2012-5072 CVE-2012-5073 CVE-2012-5074 CVE-2012-5075 CVE-2012-5076 CVE-2012-5077 CVE-2012-5079 CVE-2012-5081 CVE-2012-5084 CVE-2012-5085 CVE-2012-5086 CVE-2012-5087 CVE-2012-5088 CVE-2012-5089 ===================================================================== 1. Summary: Updated java-1.7.0-openjdk packages that fix several security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, noarch, x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - noarch, x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, x86_64 Red Hat Enterprise Linux Server Optional (v. 6) - i386, noarch, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, noarch, x86_64 3. Description: These packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Software Development Kit. Multiple improper permission check issues were discovered in the Beans, Libraries, Swing, and JMX components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2012-5086, CVE-2012-5087, CVE-2012-5088, CVE-2012-5084, CVE-2012-5089) The default Java security properties configuration did not restrict access to certain com.sun.org.glassfish packages. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. This update lists those packages as restricted. (CVE-2012-5076, CVE-2012-5074) Multiple improper permission check issues were discovered in the Scripting, JMX, Concurrency, Libraries, and Security components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2012-5068, CVE-2012-5071, CVE-2012-5069, CVE-2012-5073, CVE-2012-5072) It was discovered that java.util.ServiceLoader could create an instance of an incompatible class while performing provider lookup. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. (CVE-2012-5079) It was discovered that the Java Secure Socket Extension (JSSE) SSL/TLS implementation did not properly handle handshake records containing an overly large data length value. An unauthenticated, remote attacker could possibly use this flaw to cause an SSL/TLS server to terminate with an exception. (CVE-2012-5081) It was discovered that the JMX component in OpenJDK could perform certain actions in an insecure manner. An untrusted Java application or applet could possibly use these flaws to disclose sensitive information. (CVE-2012-5070, CVE-2012-5075) A bug in the Java HotSpot Virtual Machine optimization code could cause it to not perform array initialization in certain cases. An untrusted Java application or applet could use this flaw to disclose portions of the virtual machine's memory. (CVE-2012-4416) It was discovered that the SecureRandom class did not properly protect against the creation of multiple seeders. An untrusted Java application or applet could possibly use this flaw to disclose sensitive information. (CVE-2012-5077) It was discovered that the java.io.FilePermission class exposed the hash code of the canonicalized path name. An untrusted Java application or applet could possibly use this flaw to determine certain system paths, such as the current working directory. (CVE-2012-3216) This update disables Gopher protocol support in the java.net package by default. Gopher support can be enabled by setting the newly introduced property, "jdk.net.registerGopherProtocol", to true. (CVE-2012-5085) This erratum also upgrades the OpenJDK package to IcedTea7 2.3.3. Refer to the NEWS file, linked to in the References, for further information. All users of java-1.7.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 5. Bugs fixed (http://bugzilla.redhat.com/): 856124 - CVE-2012-4416 OpenJDK: uninitialized Array JVM memory disclosure (Hotspot, 7198606) 865346 - CVE-2012-3216 OpenJDK: java.io.FilePermission information leak (Libraries, 6631398) 865348 - CVE-2012-5068 OpenJDK: RhinoScriptEngine security bypass (Scripting, 7143535) 865350 - CVE-2012-5070 OpenJDK: EnvHelp information disclosure (JMX, 7158796) 865352 - CVE-2012-5076 OpenJDK: com.sun.org.glassfish.* not restricted packages (JAX-WS, 7163198) 865354 - CVE-2012-5077 OpenJDK: SecureRandom mulitple seeders information disclosure (Security, 7167656) 865357 - CVE-2012-5073 OpenJDK: LogManager security bypass (Libraries, 7169884) 865359 - CVE-2012-5074 OpenJDK: com.sun.org.glassfish.* not restricted packages (JAX-WS, 7169887) 865363 - CVE-2012-5075 OpenJDK: RMIConnectionImpl information disclosure (JMX, 7169888) 865365 - CVE-2012-5072 OpenJDK: AccessController.doPrivilegedWithCombiner() information disclosure (Security, 7172522) 865370 - CVE-2012-5081 OpenJDK: JSSE denial of service (JSSE, 7186286) 865428 - CVE-2012-5086 OpenJDK: XMLDecoder sandbox restriction bypass (Beans, 7195917) 865434 - CVE-2012-5087 OpenJDK: PropertyElementHandler insufficient access checks (Beans, 7195549) 865471 - CVE-2012-5088 OpenJDK: MethodHandle insufficient access control checks (Libraries, 7196190) 865511 - CVE-2012-5084 OpenJDK: DefaultFormatter insufficient data validation (Swing, 7195194) 865514 - CVE-2012-5089 OpenJDK: RMIConnectionImpl insufficient access control checks (JMX, 7198296) 865519 - CVE-2012-5071 OpenJDK: DescriptorSupport insufficient package access checks (JMX, 7192975) 865531 - CVE-2012-5069 OpenJDK: Executors state handling issues (Concurrency, 7189103) 865541 - CVE-2012-5085 OpenJDK: disable Gopher support by default (Gopher, 7189567) 865568 - CVE-2012-5079 OpenJDK: ServiceLoader reject not subtype classes without instantiating (Libraries, 7195919) 6. Package List: Red Hat Enterprise Linux Desktop (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/java-1.7.0-openjdk-1.7.0.9-2.3.3.el6_3.1.src.rpm i386: java-1.7.0-openjdk-1.7.0.9-2.3.3.el6_3.1.i686.rpm java-1.7.0-openjdk-debuginfo-1.7.0.9-2.3.3.el6_3.1.i686.rpm x86_64: java-1.7.0-openjdk-1.7.0.9-2.3.3.el6_3.1.x86_64.rpm java-1.7.0-openjdk-debuginfo-1.7.0.9-2.3.3.el6_3.1.x86_64.rpm Red Hat Enterprise Linux Desktop Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/java-1.7.0-openjdk-1.7.0.9-2.3.3.el6_3.1.src.rpm i386: java-1.7.0-openjdk-debuginfo-1.7.0.9-2.3.3.el6_3.1.i686.rpm java-1.7.0-openjdk-demo-1.7.0.9-2.3.3.el6_3.1.i686.rpm java-1.7.0-openjdk-devel-1.7.0.9-2.3.3.el6_3.1.i686.rpm java-1.7.0-openjdk-src-1.7.0.9-2.3.3.el6_3.1.i686.rpm noarch: java-1.7.0-openjdk-javadoc-1.7.0.9-2.3.3.el6_3.1.noarch.rpm x86_64: java-1.7.0-openjdk-debuginfo-1.7.0.9-2.3.3.el6_3.1.x86_64.rpm java-1.7.0-openjdk-demo-1.7.0.9-2.3.3.el6_3.1.x86_64.rpm java-1.7.0-openjdk-devel-1.7.0.9-2.3.3.el6_3.1.x86_64.rpm java-1.7.0-openjdk-src-1.7.0.9-2.3.3.el6_3.1.x86_64.rpm Red Hat Enterprise Linux HPC Node Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/java-1.7.0-openjdk-1.7.0.9-2.3.3.el6_3.1.src.rpm noarch: java-1.7.0-openjdk-javadoc-1.7.0.9-2.3.3.el6_3.1.noarch.rpm x86_64: java-1.7.0-openjdk-1.7.0.9-2.3.3.el6_3.1.x86_64.rpm java-1.7.0-openjdk-debuginfo-1.7.0.9-2.3.3.el6_3.1.x86_64.rpm java-1.7.0-openjdk-demo-1.7.0.9-2.3.3.el6_3.1.x86_64.rpm java-1.7.0-openjdk-devel-1.7.0.9-2.3.3.el6_3.1.x86_64.rpm java-1.7.0-openjdk-src-1.7.0.9-2.3.3.el6_3.1.x86_64.rpm Red Hat Enterprise Linux Server (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/java-1.7.0-openjdk-1.7.0.9-2.3.3.el6_3.1.src.rpm i386: java-1.7.0-openjdk-1.7.0.9-2.3.3.el6_3.1.i686.rpm java-1.7.0-openjdk-debuginfo-1.7.0.9-2.3.3.el6_3.1.i686.rpm x86_64: java-1.7.0-openjdk-1.7.0.9-2.3.3.el6_3.1.x86_64.rpm java-1.7.0-openjdk-debuginfo-1.7.0.9-2.3.3.el6_3.1.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/java-1.7.0-openjdk-1.7.0.9-2.3.3.el6_3.1.src.rpm i386: java-1.7.0-openjdk-debuginfo-1.7.0.9-2.3.3.el6_3.1.i686.rpm java-1.7.0-openjdk-demo-1.7.0.9-2.3.3.el6_3.1.i686.rpm java-1.7.0-openjdk-devel-1.7.0.9-2.3.3.el6_3.1.i686.rpm java-1.7.0-openjdk-src-1.7.0.9-2.3.3.el6_3.1.i686.rpm noarch: java-1.7.0-openjdk-javadoc-1.7.0.9-2.3.3.el6_3.1.noarch.rpm x86_64: java-1.7.0-openjdk-debuginfo-1.7.0.9-2.3.3.el6_3.1.x86_64.rpm java-1.7.0-openjdk-demo-1.7.0.9-2.3.3.el6_3.1.x86_64.rpm java-1.7.0-openjdk-devel-1.7.0.9-2.3.3.el6_3.1.x86_64.rpm java-1.7.0-openjdk-src-1.7.0.9-2.3.3.el6_3.1.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/java-1.7.0-openjdk-1.7.0.9-2.3.3.el6_3.1.src.rpm i386: java-1.7.0-openjdk-1.7.0.9-2.3.3.el6_3.1.i686.rpm java-1.7.0-openjdk-debuginfo-1.7.0.9-2.3.3.el6_3.1.i686.rpm x86_64: java-1.7.0-openjdk-1.7.0.9-2.3.3.el6_3.1.x86_64.rpm java-1.7.0-openjdk-debuginfo-1.7.0.9-2.3.3.el6_3.1.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/java-1.7.0-openjdk-1.7.0.9-2.3.3.el6_3.1.src.rpm i386: java-1.7.0-openjdk-debuginfo-1.7.0.9-2.3.3.el6_3.1.i686.rpm java-1.7.0-openjdk-demo-1.7.0.9-2.3.3.el6_3.1.i686.rpm java-1.7.0-openjdk-devel-1.7.0.9-2.3.3.el6_3.1.i686.rpm java-1.7.0-openjdk-src-1.7.0.9-2.3.3.el6_3.1.i686.rpm noarch: java-1.7.0-openjdk-javadoc-1.7.0.9-2.3.3.el6_3.1.noarch.rpm x86_64: java-1.7.0-openjdk-debuginfo-1.7.0.9-2.3.3.el6_3.1.x86_64.rpm java-1.7.0-openjdk-demo-1.7.0.9-2.3.3.el6_3.1.x86_64.rpm java-1.7.0-openjdk-devel-1.7.0.9-2.3.3.el6_3.1.x86_64.rpm java-1.7.0-openjdk-src-1.7.0.9-2.3.3.el6_3.1.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2012-3216.html https://www.redhat.com/security/data/cve/CVE-2012-4416.html https://www.redhat.com/security/data/cve/CVE-2012-5068.html https://www.redhat.com/security/data/cve/CVE-2012-5069.html https://www.redhat.com/security/data/cve/CVE-2012-5070.html https://www.redhat.com/security/data/cve/CVE-2012-5071.html https://www.redhat.com/security/data/cve/CVE-2012-5072.html https://www.redhat.com/security/data/cve/CVE-2012-5073.html https://www.redhat.com/security/data/cve/CVE-2012-5074.html https://www.redhat.com/security/data/cve/CVE-2012-5075.html https://www.redhat.com/security/data/cve/CVE-2012-5076.html https://www.redhat.com/security/data/cve/CVE-2012-5077.html https://www.redhat.com/security/data/cve/CVE-2012-5079.html https://www.redhat.com/security/data/cve/CVE-2012-5081.html https://www.redhat.com/security/data/cve/CVE-2012-5084.html https://www.redhat.com/security/data/cve/CVE-2012-5085.html https://www.redhat.com/security/data/cve/CVE-2012-5086.html https://www.redhat.com/security/data/cve/CVE-2012-5087.html https://www.redhat.com/security/data/cve/CVE-2012-5088.html https://www.redhat.com/security/data/cve/CVE-2012-5089.html https://access.redhat.com/security/updates/classification/#important http://icedtea.classpath.org/hg/release/icedtea7-2.3/file/icedtea-2.3.3/NEWS http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2012 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFQftouXlSAg2UNWIIRAu4QAJ9oluAxlU3ZC8CvezRk4Erm08HD+QCeNlqf GG07IH3dgJiG+gj47Cm1WNQ= =8X+P -----END PGP SIGNATURE----- From bugzilla at redhat.com Thu Oct 18 16:59:55 2012 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 18 Oct 2012 16:59:55 +0000 Subject: [RHSA-2012:1391-01] Critical: java-1.7.0-oracle security update Message-ID: <201210181659.q9IGxtme009705@int-mx01.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Critical: java-1.7.0-oracle security update Advisory ID: RHSA-2012:1391-01 Product: Red Hat Enterprise Linux Extras Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-1391.html Issue date: 2012-10-18 CVE Names: CVE-2012-1531 CVE-2012-1532 CVE-2012-1533 CVE-2012-3143 CVE-2012-3159 CVE-2012-3216 CVE-2012-4416 CVE-2012-5067 CVE-2012-5068 CVE-2012-5069 CVE-2012-5070 CVE-2012-5071 CVE-2012-5072 CVE-2012-5073 CVE-2012-5074 CVE-2012-5075 CVE-2012-5076 CVE-2012-5077 CVE-2012-5079 CVE-2012-5081 CVE-2012-5083 CVE-2012-5084 CVE-2012-5085 CVE-2012-5086 CVE-2012-5087 CVE-2012-5088 CVE-2012-5089 ===================================================================== 1. Summary: Updated java-1.7.0-oracle packages that fix several security issues are now available for Red Hat Enterprise Linux 6 Supplementary. The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node Supplementary (v. 6) - x86_64 Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64 3. Description: Oracle Java SE version 7 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. This update fixes several vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. Further information about these flaws can be found on the Oracle Java SE Critical Patch Update Advisory page, listed in the References section. (CVE-2012-1531, CVE-2012-1532, CVE-2012-1533, CVE-2012-3143, CVE-2012-3159, CVE-2012-3216, CVE-2012-4416, CVE-2012-5067, CVE-2012-5068, CVE-2012-5069, CVE-2012-5070, CVE-2012-5071, CVE-2012-5072, CVE-2012-5073, CVE-2012-5074, CVE-2012-5075, CVE-2012-5076, CVE-2012-5077, CVE-2012-5079, CVE-2012-5081, CVE-2012-5083, CVE-2012-5084, CVE-2012-5085, CVE-2012-5086, CVE-2012-5087, CVE-2012-5088, CVE-2012-5089) All users of java-1.7.0-oracle are advised to upgrade to these updated packages, which provide Oracle Java 7 Update 9. All running instances of Oracle Java must be restarted for the update to take effect. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 5. Bugs fixed (http://bugzilla.redhat.com/): 856124 - CVE-2012-4416 OpenJDK: uninitialized Array JVM memory disclosure (Hotspot, 7198606) 865346 - CVE-2012-3216 OpenJDK: java.io.FilePermission information leak (Libraries, 6631398) 865348 - CVE-2012-5068 OpenJDK: RhinoScriptEngine security bypass (Scripting, 7143535) 865350 - CVE-2012-5070 OpenJDK: EnvHelp information disclosure (JMX, 7158796) 865352 - CVE-2012-5076 OpenJDK: com.sun.org.glassfish.* not restricted packages (JAX-WS, 7163198) 865354 - CVE-2012-5077 OpenJDK: SecureRandom mulitple seeders information disclosure (Security, 7167656) 865357 - CVE-2012-5073 OpenJDK: LogManager security bypass (Libraries, 7169884) 865359 - CVE-2012-5074 OpenJDK: com.sun.org.glassfish.* not restricted packages (JAX-WS, 7169887) 865363 - CVE-2012-5075 OpenJDK: RMIConnectionImpl information disclosure (JMX, 7169888) 865365 - CVE-2012-5072 OpenJDK: AccessController.doPrivilegedWithCombiner() information disclosure (Security, 7172522) 865370 - CVE-2012-5081 OpenJDK: JSSE denial of service (JSSE, 7186286) 865428 - CVE-2012-5086 OpenJDK: XMLDecoder sandbox restriction bypass (Beans, 7195917) 865434 - CVE-2012-5087 OpenJDK: PropertyElementHandler insufficient access checks (Beans, 7195549) 865471 - CVE-2012-5088 OpenJDK: MethodHandle insufficient access control checks (Libraries, 7196190) 865511 - CVE-2012-5084 OpenJDK: DefaultFormatter insufficient data validation (Swing, 7195194) 865514 - CVE-2012-5089 OpenJDK: RMIConnectionImpl insufficient access control checks (JMX, 7198296) 865519 - CVE-2012-5071 OpenJDK: DescriptorSupport insufficient package access checks (JMX, 7192975) 865531 - CVE-2012-5069 OpenJDK: Executors state handling issues (Concurrency, 7189103) 865541 - CVE-2012-5085 OpenJDK: disable Gopher support by default (Gopher, 7189567) 865568 - CVE-2012-5079 OpenJDK: ServiceLoader reject not subtype classes without instantiating (Libraries, 7195919) 867185 - CVE-2012-1531 Oracle JDK: unspecified vulnerability (2D) 867186 - CVE-2012-1532 Oracle JDK: unspecified vulnerability (Deployment) 867187 - CVE-2012-1533 Oracle JDK: unspecified vulnerability (Deployment) 867189 - CVE-2012-3143 Oracle JDK: unspecified vulnerability (JMX) 867190 - CVE-2012-3159 Oracle JDK: unspecified vulnerability (Deployment) 867192 - CVE-2012-5067 Oracle JDK: unspecified vulnerability (Deployment) 867193 - CVE-2012-5083 Oracle JDK: unspecified vulnerability (2D) 6. Package List: Red Hat Enterprise Linux Desktop Supplementary (v. 6): i386: java-1.7.0-oracle-1.7.0.9-1jpp.3.el6_3.i686.rpm java-1.7.0-oracle-devel-1.7.0.9-1jpp.3.el6_3.i686.rpm java-1.7.0-oracle-javafx-1.7.0.9-1jpp.3.el6_3.i686.rpm java-1.7.0-oracle-jdbc-1.7.0.9-1jpp.3.el6_3.i686.rpm java-1.7.0-oracle-plugin-1.7.0.9-1jpp.3.el6_3.i686.rpm java-1.7.0-oracle-src-1.7.0.9-1jpp.3.el6_3.i686.rpm x86_64: java-1.7.0-oracle-1.7.0.9-1jpp.3.el6_3.x86_64.rpm java-1.7.0-oracle-devel-1.7.0.9-1jpp.3.el6_3.x86_64.rpm java-1.7.0-oracle-javafx-1.7.0.9-1jpp.3.el6_3.x86_64.rpm java-1.7.0-oracle-jdbc-1.7.0.9-1jpp.3.el6_3.x86_64.rpm java-1.7.0-oracle-plugin-1.7.0.9-1jpp.3.el6_3.x86_64.rpm java-1.7.0-oracle-src-1.7.0.9-1jpp.3.el6_3.x86_64.rpm Red Hat Enterprise Linux HPC Node Supplementary (v. 6): x86_64: java-1.7.0-oracle-1.7.0.9-1jpp.3.el6_3.x86_64.rpm java-1.7.0-oracle-devel-1.7.0.9-1jpp.3.el6_3.x86_64.rpm java-1.7.0-oracle-javafx-1.7.0.9-1jpp.3.el6_3.x86_64.rpm java-1.7.0-oracle-src-1.7.0.9-1jpp.3.el6_3.x86_64.rpm Red Hat Enterprise Linux Server Supplementary (v. 6): i386: java-1.7.0-oracle-1.7.0.9-1jpp.3.el6_3.i686.rpm java-1.7.0-oracle-devel-1.7.0.9-1jpp.3.el6_3.i686.rpm java-1.7.0-oracle-javafx-1.7.0.9-1jpp.3.el6_3.i686.rpm java-1.7.0-oracle-jdbc-1.7.0.9-1jpp.3.el6_3.i686.rpm java-1.7.0-oracle-plugin-1.7.0.9-1jpp.3.el6_3.i686.rpm java-1.7.0-oracle-src-1.7.0.9-1jpp.3.el6_3.i686.rpm x86_64: java-1.7.0-oracle-1.7.0.9-1jpp.3.el6_3.x86_64.rpm java-1.7.0-oracle-devel-1.7.0.9-1jpp.3.el6_3.x86_64.rpm java-1.7.0-oracle-javafx-1.7.0.9-1jpp.3.el6_3.x86_64.rpm java-1.7.0-oracle-jdbc-1.7.0.9-1jpp.3.el6_3.x86_64.rpm java-1.7.0-oracle-plugin-1.7.0.9-1jpp.3.el6_3.x86_64.rpm java-1.7.0-oracle-src-1.7.0.9-1jpp.3.el6_3.x86_64.rpm Red Hat Enterprise Linux Workstation Supplementary (v. 6): i386: java-1.7.0-oracle-1.7.0.9-1jpp.3.el6_3.i686.rpm java-1.7.0-oracle-devel-1.7.0.9-1jpp.3.el6_3.i686.rpm java-1.7.0-oracle-javafx-1.7.0.9-1jpp.3.el6_3.i686.rpm java-1.7.0-oracle-jdbc-1.7.0.9-1jpp.3.el6_3.i686.rpm java-1.7.0-oracle-plugin-1.7.0.9-1jpp.3.el6_3.i686.rpm java-1.7.0-oracle-src-1.7.0.9-1jpp.3.el6_3.i686.rpm x86_64: java-1.7.0-oracle-1.7.0.9-1jpp.3.el6_3.x86_64.rpm java-1.7.0-oracle-devel-1.7.0.9-1jpp.3.el6_3.x86_64.rpm java-1.7.0-oracle-javafx-1.7.0.9-1jpp.3.el6_3.x86_64.rpm java-1.7.0-oracle-jdbc-1.7.0.9-1jpp.3.el6_3.x86_64.rpm java-1.7.0-oracle-plugin-1.7.0.9-1jpp.3.el6_3.x86_64.rpm java-1.7.0-oracle-src-1.7.0.9-1jpp.3.el6_3.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2012-1531.html https://www.redhat.com/security/data/cve/CVE-2012-1532.html https://www.redhat.com/security/data/cve/CVE-2012-1533.html https://www.redhat.com/security/data/cve/CVE-2012-3143.html https://www.redhat.com/security/data/cve/CVE-2012-3159.html https://www.redhat.com/security/data/cve/CVE-2012-3216.html https://www.redhat.com/security/data/cve/CVE-2012-4416.html https://www.redhat.com/security/data/cve/CVE-2012-5067.html https://www.redhat.com/security/data/cve/CVE-2012-5068.html https://www.redhat.com/security/data/cve/CVE-2012-5069.html https://www.redhat.com/security/data/cve/CVE-2012-5070.html https://www.redhat.com/security/data/cve/CVE-2012-5071.html https://www.redhat.com/security/data/cve/CVE-2012-5072.html https://www.redhat.com/security/data/cve/CVE-2012-5073.html https://www.redhat.com/security/data/cve/CVE-2012-5074.html https://www.redhat.com/security/data/cve/CVE-2012-5075.html https://www.redhat.com/security/data/cve/CVE-2012-5076.html https://www.redhat.com/security/data/cve/CVE-2012-5077.html https://www.redhat.com/security/data/cve/CVE-2012-5079.html https://www.redhat.com/security/data/cve/CVE-2012-5081.html https://www.redhat.com/security/data/cve/CVE-2012-5083.html https://www.redhat.com/security/data/cve/CVE-2012-5084.html https://www.redhat.com/security/data/cve/CVE-2012-5085.html https://www.redhat.com/security/data/cve/CVE-2012-5086.html https://www.redhat.com/security/data/cve/CVE-2012-5087.html https://www.redhat.com/security/data/cve/CVE-2012-5088.html https://www.redhat.com/security/data/cve/CVE-2012-5089.html https://access.redhat.com/security/updates/classification/#critical http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2012 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFQgDVsXlSAg2UNWIIRAqj5AKCA5Zr5QZ5yQMZDzKvsEKIByp5lowCfbyrO qyBnUuauQSs26TM3pJC47M4= =NckS -----END PGP SIGNATURE----- From bugzilla at redhat.com Thu Oct 18 17:00:52 2012 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 18 Oct 2012 17:00:52 +0000 Subject: [RHSA-2012:1392-01] Critical: java-1.6.0-sun security update Message-ID: <201210181700.q9IH0q83004356@int-mx10.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Critical: java-1.6.0-sun security update Advisory ID: RHSA-2012:1392-01 Product: Red Hat Enterprise Linux Extras Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-1392.html Issue date: 2012-10-18 CVE Names: CVE-2012-0547 CVE-2012-1531 CVE-2012-1532 CVE-2012-1533 CVE-2012-3143 CVE-2012-3159 CVE-2012-3216 CVE-2012-4416 CVE-2012-5068 CVE-2012-5069 CVE-2012-5071 CVE-2012-5072 CVE-2012-5073 CVE-2012-5075 CVE-2012-5077 CVE-2012-5079 CVE-2012-5081 CVE-2012-5083 CVE-2012-5084 CVE-2012-5085 CVE-2012-5086 CVE-2012-5089 ===================================================================== 1. Summary: Updated java-1.6.0-sun packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64 Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node Supplementary (v. 6) - x86_64 Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64 Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64 3. Description: Oracle Java SE version 6 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. This update fixes several vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. Further information about these flaws can be found on the Oracle Java SE Critical Patch Update Advisory and Oracle Security Alert pages, listed in the References section. (CVE-2012-0547, CVE-2012-1531, CVE-2012-1532, CVE-2012-1533, CVE-2012-3143, CVE-2012-3159, CVE-2012-3216, CVE-2012-4416, CVE-2012-5068, CVE-2012-5069, CVE-2012-5071, CVE-2012-5072, CVE-2012-5073, CVE-2012-5075, CVE-2012-5077, CVE-2012-5079, CVE-2012-5081, CVE-2012-5083, CVE-2012-5084, CVE-2012-5085, CVE-2012-5086, CVE-2012-5089) All users of java-1.6.0-sun are advised to upgrade to these updated packages, which provide Oracle Java 6 Update 37. All running instances of Oracle Java must be restarted for the update to take effect. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 5. Bugs fixed (http://bugzilla.redhat.com/): 853228 - CVE-2012-0547 OpenJDK: AWT hardening fixes (AWT, 7163201) 856124 - CVE-2012-4416 OpenJDK: uninitialized Array JVM memory disclosure (Hotspot, 7198606) 865346 - CVE-2012-3216 OpenJDK: java.io.FilePermission information leak (Libraries, 6631398) 865348 - CVE-2012-5068 OpenJDK: RhinoScriptEngine security bypass (Scripting, 7143535) 865354 - CVE-2012-5077 OpenJDK: SecureRandom mulitple seeders information disclosure (Security, 7167656) 865357 - CVE-2012-5073 OpenJDK: LogManager security bypass (Libraries, 7169884) 865363 - CVE-2012-5075 OpenJDK: RMIConnectionImpl information disclosure (JMX, 7169888) 865365 - CVE-2012-5072 OpenJDK: AccessController.doPrivilegedWithCombiner() information disclosure (Security, 7172522) 865370 - CVE-2012-5081 OpenJDK: JSSE denial of service (JSSE, 7186286) 865428 - CVE-2012-5086 OpenJDK: XMLDecoder sandbox restriction bypass (Beans, 7195917) 865511 - CVE-2012-5084 OpenJDK: DefaultFormatter insufficient data validation (Swing, 7195194) 865514 - CVE-2012-5089 OpenJDK: RMIConnectionImpl insufficient access control checks (JMX, 7198296) 865519 - CVE-2012-5071 OpenJDK: DescriptorSupport insufficient package access checks (JMX, 7192975) 865531 - CVE-2012-5069 OpenJDK: Executors state handling issues (Concurrency, 7189103) 865541 - CVE-2012-5085 OpenJDK: disable Gopher support by default (Gopher, 7189567) 865568 - CVE-2012-5079 OpenJDK: ServiceLoader reject not subtype classes without instantiating (Libraries, 7195919) 867185 - CVE-2012-1531 Oracle JDK: unspecified vulnerability (2D) 867186 - CVE-2012-1532 Oracle JDK: unspecified vulnerability (Deployment) 867187 - CVE-2012-1533 Oracle JDK: unspecified vulnerability (Deployment) 867189 - CVE-2012-3143 Oracle JDK: unspecified vulnerability (JMX) 867190 - CVE-2012-3159 Oracle JDK: unspecified vulnerability (Deployment) 867193 - CVE-2012-5083 Oracle JDK: unspecified vulnerability (2D) 6. Package List: Red Hat Enterprise Linux Desktop Supplementary (v. 5): i386: java-1.6.0-sun-1.6.0.37-1jpp.1.el5_8.i586.rpm java-1.6.0-sun-demo-1.6.0.37-1jpp.1.el5_8.i586.rpm java-1.6.0-sun-devel-1.6.0.37-1jpp.1.el5_8.i586.rpm java-1.6.0-sun-jdbc-1.6.0.37-1jpp.1.el5_8.i586.rpm java-1.6.0-sun-plugin-1.6.0.37-1jpp.1.el5_8.i586.rpm java-1.6.0-sun-src-1.6.0.37-1jpp.1.el5_8.i586.rpm x86_64: java-1.6.0-sun-1.6.0.37-1jpp.1.el5_8.i586.rpm java-1.6.0-sun-1.6.0.37-1jpp.1.el5_8.x86_64.rpm java-1.6.0-sun-demo-1.6.0.37-1jpp.1.el5_8.i586.rpm java-1.6.0-sun-demo-1.6.0.37-1jpp.1.el5_8.x86_64.rpm java-1.6.0-sun-devel-1.6.0.37-1jpp.1.el5_8.i586.rpm java-1.6.0-sun-devel-1.6.0.37-1jpp.1.el5_8.x86_64.rpm java-1.6.0-sun-jdbc-1.6.0.37-1jpp.1.el5_8.i586.rpm java-1.6.0-sun-jdbc-1.6.0.37-1jpp.1.el5_8.x86_64.rpm java-1.6.0-sun-plugin-1.6.0.37-1jpp.1.el5_8.i586.rpm java-1.6.0-sun-plugin-1.6.0.37-1jpp.1.el5_8.x86_64.rpm java-1.6.0-sun-src-1.6.0.37-1jpp.1.el5_8.i586.rpm java-1.6.0-sun-src-1.6.0.37-1jpp.1.el5_8.x86_64.rpm Red Hat Enterprise Linux Server Supplementary (v. 5): i386: java-1.6.0-sun-1.6.0.37-1jpp.1.el5_8.i586.rpm java-1.6.0-sun-demo-1.6.0.37-1jpp.1.el5_8.i586.rpm java-1.6.0-sun-devel-1.6.0.37-1jpp.1.el5_8.i586.rpm java-1.6.0-sun-jdbc-1.6.0.37-1jpp.1.el5_8.i586.rpm java-1.6.0-sun-plugin-1.6.0.37-1jpp.1.el5_8.i586.rpm java-1.6.0-sun-src-1.6.0.37-1jpp.1.el5_8.i586.rpm x86_64: java-1.6.0-sun-1.6.0.37-1jpp.1.el5_8.i586.rpm java-1.6.0-sun-1.6.0.37-1jpp.1.el5_8.x86_64.rpm java-1.6.0-sun-demo-1.6.0.37-1jpp.1.el5_8.i586.rpm java-1.6.0-sun-demo-1.6.0.37-1jpp.1.el5_8.x86_64.rpm java-1.6.0-sun-devel-1.6.0.37-1jpp.1.el5_8.i586.rpm java-1.6.0-sun-devel-1.6.0.37-1jpp.1.el5_8.x86_64.rpm java-1.6.0-sun-jdbc-1.6.0.37-1jpp.1.el5_8.i586.rpm java-1.6.0-sun-jdbc-1.6.0.37-1jpp.1.el5_8.x86_64.rpm java-1.6.0-sun-plugin-1.6.0.37-1jpp.1.el5_8.i586.rpm java-1.6.0-sun-plugin-1.6.0.37-1jpp.1.el5_8.x86_64.rpm java-1.6.0-sun-src-1.6.0.37-1jpp.1.el5_8.i586.rpm java-1.6.0-sun-src-1.6.0.37-1jpp.1.el5_8.x86_64.rpm Red Hat Enterprise Linux Desktop Supplementary (v. 6): i386: java-1.6.0-sun-1.6.0.37-1jpp.1.el6_3.i686.rpm java-1.6.0-sun-demo-1.6.0.37-1jpp.1.el6_3.i686.rpm java-1.6.0-sun-devel-1.6.0.37-1jpp.1.el6_3.i686.rpm java-1.6.0-sun-jdbc-1.6.0.37-1jpp.1.el6_3.i686.rpm java-1.6.0-sun-plugin-1.6.0.37-1jpp.1.el6_3.i686.rpm java-1.6.0-sun-src-1.6.0.37-1jpp.1.el6_3.i686.rpm x86_64: java-1.6.0-sun-1.6.0.37-1jpp.1.el6_3.i686.rpm java-1.6.0-sun-1.6.0.37-1jpp.1.el6_3.x86_64.rpm java-1.6.0-sun-demo-1.6.0.37-1jpp.1.el6_3.x86_64.rpm java-1.6.0-sun-devel-1.6.0.37-1jpp.1.el6_3.i686.rpm java-1.6.0-sun-devel-1.6.0.37-1jpp.1.el6_3.x86_64.rpm java-1.6.0-sun-jdbc-1.6.0.37-1jpp.1.el6_3.x86_64.rpm java-1.6.0-sun-plugin-1.6.0.37-1jpp.1.el6_3.x86_64.rpm java-1.6.0-sun-src-1.6.0.37-1jpp.1.el6_3.x86_64.rpm Red Hat Enterprise Linux HPC Node Supplementary (v. 6): x86_64: java-1.6.0-sun-1.6.0.37-1jpp.1.el6_3.i686.rpm java-1.6.0-sun-1.6.0.37-1jpp.1.el6_3.x86_64.rpm java-1.6.0-sun-demo-1.6.0.37-1jpp.1.el6_3.x86_64.rpm java-1.6.0-sun-devel-1.6.0.37-1jpp.1.el6_3.i686.rpm java-1.6.0-sun-devel-1.6.0.37-1jpp.1.el6_3.x86_64.rpm java-1.6.0-sun-src-1.6.0.37-1jpp.1.el6_3.x86_64.rpm Red Hat Enterprise Linux Server Supplementary (v. 6): i386: java-1.6.0-sun-1.6.0.37-1jpp.1.el6_3.i686.rpm java-1.6.0-sun-demo-1.6.0.37-1jpp.1.el6_3.i686.rpm java-1.6.0-sun-devel-1.6.0.37-1jpp.1.el6_3.i686.rpm java-1.6.0-sun-jdbc-1.6.0.37-1jpp.1.el6_3.i686.rpm java-1.6.0-sun-plugin-1.6.0.37-1jpp.1.el6_3.i686.rpm java-1.6.0-sun-src-1.6.0.37-1jpp.1.el6_3.i686.rpm x86_64: java-1.6.0-sun-1.6.0.37-1jpp.1.el6_3.i686.rpm java-1.6.0-sun-1.6.0.37-1jpp.1.el6_3.x86_64.rpm java-1.6.0-sun-demo-1.6.0.37-1jpp.1.el6_3.x86_64.rpm java-1.6.0-sun-devel-1.6.0.37-1jpp.1.el6_3.i686.rpm java-1.6.0-sun-devel-1.6.0.37-1jpp.1.el6_3.x86_64.rpm java-1.6.0-sun-jdbc-1.6.0.37-1jpp.1.el6_3.x86_64.rpm java-1.6.0-sun-plugin-1.6.0.37-1jpp.1.el6_3.x86_64.rpm java-1.6.0-sun-src-1.6.0.37-1jpp.1.el6_3.x86_64.rpm Red Hat Enterprise Linux Workstation Supplementary (v. 6): i386: java-1.6.0-sun-1.6.0.37-1jpp.1.el6_3.i686.rpm java-1.6.0-sun-demo-1.6.0.37-1jpp.1.el6_3.i686.rpm java-1.6.0-sun-devel-1.6.0.37-1jpp.1.el6_3.i686.rpm java-1.6.0-sun-jdbc-1.6.0.37-1jpp.1.el6_3.i686.rpm java-1.6.0-sun-plugin-1.6.0.37-1jpp.1.el6_3.i686.rpm java-1.6.0-sun-src-1.6.0.37-1jpp.1.el6_3.i686.rpm x86_64: java-1.6.0-sun-1.6.0.37-1jpp.1.el6_3.i686.rpm java-1.6.0-sun-1.6.0.37-1jpp.1.el6_3.x86_64.rpm java-1.6.0-sun-demo-1.6.0.37-1jpp.1.el6_3.x86_64.rpm java-1.6.0-sun-devel-1.6.0.37-1jpp.1.el6_3.i686.rpm java-1.6.0-sun-devel-1.6.0.37-1jpp.1.el6_3.x86_64.rpm java-1.6.0-sun-jdbc-1.6.0.37-1jpp.1.el6_3.x86_64.rpm java-1.6.0-sun-plugin-1.6.0.37-1jpp.1.el6_3.x86_64.rpm java-1.6.0-sun-src-1.6.0.37-1jpp.1.el6_3.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2012-0547.html https://www.redhat.com/security/data/cve/CVE-2012-1531.html https://www.redhat.com/security/data/cve/CVE-2012-1532.html https://www.redhat.com/security/data/cve/CVE-2012-1533.html https://www.redhat.com/security/data/cve/CVE-2012-3143.html https://www.redhat.com/security/data/cve/CVE-2012-3159.html https://www.redhat.com/security/data/cve/CVE-2012-3216.html https://www.redhat.com/security/data/cve/CVE-2012-4416.html https://www.redhat.com/security/data/cve/CVE-2012-5068.html https://www.redhat.com/security/data/cve/CVE-2012-5069.html https://www.redhat.com/security/data/cve/CVE-2012-5071.html https://www.redhat.com/security/data/cve/CVE-2012-5072.html https://www.redhat.com/security/data/cve/CVE-2012-5073.html https://www.redhat.com/security/data/cve/CVE-2012-5075.html https://www.redhat.com/security/data/cve/CVE-2012-5077.html https://www.redhat.com/security/data/cve/CVE-2012-5079.html https://www.redhat.com/security/data/cve/CVE-2012-5081.html https://www.redhat.com/security/data/cve/CVE-2012-5083.html https://www.redhat.com/security/data/cve/CVE-2012-5084.html https://www.redhat.com/security/data/cve/CVE-2012-5085.html https://www.redhat.com/security/data/cve/CVE-2012-5086.html https://www.redhat.com/security/data/cve/CVE-2012-5089.html https://access.redhat.com/security/updates/classification/#critical http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2012 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFQgDWiXlSAg2UNWIIRAqJaAJ9JgbhUTiBVnoxljsrFIdgNbno3bACgu3Yu 2L/xJjdCuObuBeSubEBbjpo= =p6Cl -----END PGP SIGNATURE----- From bugzilla at redhat.com Tue Oct 23 18:15:56 2012 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Tue, 23 Oct 2012 18:15:56 +0000 Subject: [RHSA-2012:1401-01] Important: kernel security and bug fix update Message-ID: <201210231815.q9NIFvV2002255@int-mx02.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: kernel security and bug fix update Advisory ID: RHSA-2012:1401-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-1401.html Issue date: 2012-10-23 CVE Names: CVE-2012-3412 ===================================================================== 1. Summary: Updated kernel packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 6.2 Extended Update Support. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Server EUS (v. 6.2) - i386, noarch, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional EUS (v. 6.2) - i386, ppc64, s390x, x86_64 3. Description: The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issue: * A flaw was found in the way socket buffers (skb) requiring TSO (TCP segment offloading) were handled by the sfc driver. If the skb did not fit within the minimum-size of the transmission queue, the network card could repeatedly reset itself. A remote attacker could use this flaw to cause a denial of service. (CVE-2012-3412, Important) Red Hat would like to thank Ben Hutchings of Solarflare (tm) for reporting CVE-2012-3412. This update also fixes the following bugs: * Previously, when a server attempted to shut down a socket, the svc_tcp_sendto() function set the XPT_CLOSE variable if the entire reply failed to be transmitted. However, before XPT_CLOSE could be acted upon, other threads could send further replies before the socket was really shut down. Consequently, data corruption could occur in the RPC record marker. With this update, send operations on a closed socket are stopped immediately, thus preventing this bug. (BZ#853256) * When a PIT (Programmable Interval Timer) MSB (Most Significant Byte) transition occurred very close to an SMI (System Management Interrupt) execution, the pit_verify_msb() function did not see the MSB transition. Consequently, the pit_expect_msb() function returned success incorrectly, eventually causing a large clock drift in the quick_pit_calibrate() function. As a result, the TSC (Time Stamp Counter) calibration on some systems was off by ? 20 MHz, which led to inaccurate timekeeping or ntp synchronization failures. This update fixes pit_expect_msb() and the clock drift no longer occurs in the described scenario. (BZ#853952) * Sometimes, the crypto allocation code could become unresponsive for 60 seconds or multiples thereof due to an incorrect notification mechanism. This could cause applications, like Openswan, to become unresponsive. The notification mechanism has been improved to avoid such hangs. (BZ#854475) * Traffic to the NFS server could trigger a kernel oops in the svc_tcp_clear_pages() function. The source code has been modified, and the kernel oops no longer occurs in this scenario. (BZ#856105) * Under certain circumstances, a system crash could result in data loss on XFS file systems. If files were created immediately before the file system was left to idle for a long period of time and then the system crashed, those files could appear as zero-length once the file system was remounted. This occurred even if a sync or fsync was run on the files. This was because XFS was not correctly idling the journal, and therefore it incorrectly replayed the inode allocation transactions upon mounting after the system crash, which zeroed the file size. This problem has been fixed by re-instating the periodic journal idling logic to ensure that all metadata is flushed within 30 seconds of modification, and the journal is updated to prevent incorrect recovery operations from occurring. (BZ#856685) * On architectures with the 64-bit cputime_t type, it was possible to trigger the "divide by zero" error, namely, on long-lived processes. A patch has been applied to address this problem, and the "divide by zero" error no longer occurs under these circumstances. (BZ#856702) Users should upgrade to these updated packages, which contain backported patches to resolve these issues. The system must be rebooted for this update to take effect. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 To install kernel packages manually, use "rpm -ivh [package]". Do not use "rpm -Uvh" as that will remove the running kernel binaries from your system. You may use "rpm -e" to remove old kernels after determining that the new kernel functions properly on your system. 5. Bugs fixed (http://bugzilla.redhat.com/): 844714 - CVE-2012-3412 kernel: sfc: potential remote denial of service through TCP MSS option 6. Package List: Red Hat Enterprise Linux Server EUS (v. 6.2): Source: kernel-2.6.32-220.28.1.el6.src.rpm i386: kernel-2.6.32-220.28.1.el6.i686.rpm kernel-debug-2.6.32-220.28.1.el6.i686.rpm kernel-debug-debuginfo-2.6.32-220.28.1.el6.i686.rpm kernel-debug-devel-2.6.32-220.28.1.el6.i686.rpm kernel-debuginfo-2.6.32-220.28.1.el6.i686.rpm kernel-debuginfo-common-i686-2.6.32-220.28.1.el6.i686.rpm kernel-devel-2.6.32-220.28.1.el6.i686.rpm kernel-headers-2.6.32-220.28.1.el6.i686.rpm perf-2.6.32-220.28.1.el6.i686.rpm perf-debuginfo-2.6.32-220.28.1.el6.i686.rpm python-perf-debuginfo-2.6.32-220.28.1.el6.i686.rpm noarch: kernel-doc-2.6.32-220.28.1.el6.noarch.rpm kernel-firmware-2.6.32-220.28.1.el6.noarch.rpm ppc64: kernel-2.6.32-220.28.1.el6.ppc64.rpm kernel-bootwrapper-2.6.32-220.28.1.el6.ppc64.rpm kernel-debug-2.6.32-220.28.1.el6.ppc64.rpm kernel-debug-debuginfo-2.6.32-220.28.1.el6.ppc64.rpm kernel-debug-devel-2.6.32-220.28.1.el6.ppc64.rpm kernel-debuginfo-2.6.32-220.28.1.el6.ppc64.rpm kernel-debuginfo-common-ppc64-2.6.32-220.28.1.el6.ppc64.rpm kernel-devel-2.6.32-220.28.1.el6.ppc64.rpm kernel-headers-2.6.32-220.28.1.el6.ppc64.rpm perf-2.6.32-220.28.1.el6.ppc64.rpm perf-debuginfo-2.6.32-220.28.1.el6.ppc64.rpm python-perf-debuginfo-2.6.32-220.28.1.el6.ppc64.rpm s390x: kernel-2.6.32-220.28.1.el6.s390x.rpm kernel-debug-2.6.32-220.28.1.el6.s390x.rpm kernel-debug-debuginfo-2.6.32-220.28.1.el6.s390x.rpm kernel-debug-devel-2.6.32-220.28.1.el6.s390x.rpm kernel-debuginfo-2.6.32-220.28.1.el6.s390x.rpm kernel-debuginfo-common-s390x-2.6.32-220.28.1.el6.s390x.rpm kernel-devel-2.6.32-220.28.1.el6.s390x.rpm kernel-headers-2.6.32-220.28.1.el6.s390x.rpm kernel-kdump-2.6.32-220.28.1.el6.s390x.rpm kernel-kdump-debuginfo-2.6.32-220.28.1.el6.s390x.rpm kernel-kdump-devel-2.6.32-220.28.1.el6.s390x.rpm perf-2.6.32-220.28.1.el6.s390x.rpm perf-debuginfo-2.6.32-220.28.1.el6.s390x.rpm python-perf-debuginfo-2.6.32-220.28.1.el6.s390x.rpm x86_64: kernel-2.6.32-220.28.1.el6.x86_64.rpm kernel-debug-2.6.32-220.28.1.el6.x86_64.rpm kernel-debug-debuginfo-2.6.32-220.28.1.el6.x86_64.rpm kernel-debug-devel-2.6.32-220.28.1.el6.x86_64.rpm kernel-debuginfo-2.6.32-220.28.1.el6.x86_64.rpm kernel-debuginfo-common-x86_64-2.6.32-220.28.1.el6.x86_64.rpm kernel-devel-2.6.32-220.28.1.el6.x86_64.rpm kernel-headers-2.6.32-220.28.1.el6.x86_64.rpm perf-2.6.32-220.28.1.el6.x86_64.rpm perf-debuginfo-2.6.32-220.28.1.el6.x86_64.rpm python-perf-debuginfo-2.6.32-220.28.1.el6.x86_64.rpm Red Hat Enterprise Linux Server Optional EUS (v. 6.2): Source: kernel-2.6.32-220.28.1.el6.src.rpm i386: kernel-debug-debuginfo-2.6.32-220.28.1.el6.i686.rpm kernel-debuginfo-2.6.32-220.28.1.el6.i686.rpm kernel-debuginfo-common-i686-2.6.32-220.28.1.el6.i686.rpm perf-debuginfo-2.6.32-220.28.1.el6.i686.rpm python-perf-2.6.32-220.28.1.el6.i686.rpm python-perf-debuginfo-2.6.32-220.28.1.el6.i686.rpm ppc64: kernel-debug-debuginfo-2.6.32-220.28.1.el6.ppc64.rpm kernel-debuginfo-2.6.32-220.28.1.el6.ppc64.rpm kernel-debuginfo-common-ppc64-2.6.32-220.28.1.el6.ppc64.rpm perf-debuginfo-2.6.32-220.28.1.el6.ppc64.rpm python-perf-2.6.32-220.28.1.el6.ppc64.rpm python-perf-debuginfo-2.6.32-220.28.1.el6.ppc64.rpm s390x: kernel-debug-debuginfo-2.6.32-220.28.1.el6.s390x.rpm kernel-debuginfo-2.6.32-220.28.1.el6.s390x.rpm kernel-debuginfo-common-s390x-2.6.32-220.28.1.el6.s390x.rpm kernel-kdump-debuginfo-2.6.32-220.28.1.el6.s390x.rpm perf-debuginfo-2.6.32-220.28.1.el6.s390x.rpm python-perf-2.6.32-220.28.1.el6.s390x.rpm python-perf-debuginfo-2.6.32-220.28.1.el6.s390x.rpm x86_64: kernel-debug-debuginfo-2.6.32-220.28.1.el6.x86_64.rpm kernel-debuginfo-2.6.32-220.28.1.el6.x86_64.rpm kernel-debuginfo-common-x86_64-2.6.32-220.28.1.el6.x86_64.rpm perf-debuginfo-2.6.32-220.28.1.el6.x86_64.rpm python-perf-2.6.32-220.28.1.el6.x86_64.rpm python-perf-debuginfo-2.6.32-220.28.1.el6.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2012-3412.html https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2012 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFQht7OXlSAg2UNWIIRAmQNAJ4wmQiIxCJkDaIrUvQCM+FXnSqFZACfbwUB cA8cfvAngKsXQ2Q7LGqrLNA= =C1O/ -----END PGP SIGNATURE----- From bugzilla at redhat.com Fri Oct 26 23:52:04 2012 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Fri, 26 Oct 2012 23:52:04 +0000 Subject: [RHSA-2012:1407-01] Critical: firefox security update Message-ID: <201210262352.q9QNq5VI020268@int-mx11.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Critical: firefox security update Advisory ID: RHSA-2012:1407-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-1407.html Issue date: 2012-10-26 CVE Names: CVE-2012-4194 CVE-2012-4195 CVE-2012-4196 ===================================================================== 1. Summary: Updated firefox packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: RHEL Desktop Workstation (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64 3. Description: Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Multiple flaws were found in the location object implementation in Firefox. Malicious content could be used to perform cross-site scripting attacks, bypass the same-origin policy, or cause Firefox to execute arbitrary code. (CVE-2012-4194, CVE-2012-4195, CVE-2012-4196) For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 10.0.10 ESR. You can find a link to the Mozilla advisories in the References section of this erratum. Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Mariusz Mlynski, moz_bug_r_a4, and Antoine Delignat-Lavaud as the original reporters of these issues. All Firefox users should upgrade to these updated packages, which contain Firefox version 10.0.10 ESR, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 5. Bugs fixed (http://bugzilla.redhat.com/): 869893 - CVE-2012-4194 CVE-2012-4195 CVE-2012-4196 Mozilla: Fixes for Location object issues (MFSA 2012-90) 6. Package List: Red Hat Enterprise Linux Desktop (v. 5 client): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/firefox-10.0.10-1.el5_8.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/xulrunner-10.0.10-1.el5_8.src.rpm i386: firefox-10.0.10-1.el5_8.i386.rpm firefox-debuginfo-10.0.10-1.el5_8.i386.rpm xulrunner-10.0.10-1.el5_8.i386.rpm xulrunner-debuginfo-10.0.10-1.el5_8.i386.rpm x86_64: firefox-10.0.10-1.el5_8.i386.rpm firefox-10.0.10-1.el5_8.x86_64.rpm firefox-debuginfo-10.0.10-1.el5_8.i386.rpm firefox-debuginfo-10.0.10-1.el5_8.x86_64.rpm xulrunner-10.0.10-1.el5_8.i386.rpm xulrunner-10.0.10-1.el5_8.x86_64.rpm xulrunner-debuginfo-10.0.10-1.el5_8.i386.rpm xulrunner-debuginfo-10.0.10-1.el5_8.x86_64.rpm RHEL Desktop Workstation (v. 5 client): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/xulrunner-10.0.10-1.el5_8.src.rpm i386: xulrunner-debuginfo-10.0.10-1.el5_8.i386.rpm xulrunner-devel-10.0.10-1.el5_8.i386.rpm x86_64: xulrunner-debuginfo-10.0.10-1.el5_8.i386.rpm xulrunner-debuginfo-10.0.10-1.el5_8.x86_64.rpm xulrunner-devel-10.0.10-1.el5_8.i386.rpm xulrunner-devel-10.0.10-1.el5_8.x86_64.rpm Red Hat Enterprise Linux (v. 5 server): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/firefox-10.0.10-1.el5_8.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/xulrunner-10.0.10-1.el5_8.src.rpm i386: firefox-10.0.10-1.el5_8.i386.rpm firefox-debuginfo-10.0.10-1.el5_8.i386.rpm xulrunner-10.0.10-1.el5_8.i386.rpm xulrunner-debuginfo-10.0.10-1.el5_8.i386.rpm xulrunner-devel-10.0.10-1.el5_8.i386.rpm ia64: firefox-10.0.10-1.el5_8.ia64.rpm firefox-debuginfo-10.0.10-1.el5_8.ia64.rpm xulrunner-10.0.10-1.el5_8.ia64.rpm xulrunner-debuginfo-10.0.10-1.el5_8.ia64.rpm xulrunner-devel-10.0.10-1.el5_8.ia64.rpm ppc: firefox-10.0.10-1.el5_8.ppc.rpm firefox-debuginfo-10.0.10-1.el5_8.ppc.rpm xulrunner-10.0.10-1.el5_8.ppc.rpm xulrunner-10.0.10-1.el5_8.ppc64.rpm xulrunner-debuginfo-10.0.10-1.el5_8.ppc.rpm xulrunner-debuginfo-10.0.10-1.el5_8.ppc64.rpm xulrunner-devel-10.0.10-1.el5_8.ppc.rpm xulrunner-devel-10.0.10-1.el5_8.ppc64.rpm s390x: firefox-10.0.10-1.el5_8.s390.rpm firefox-10.0.10-1.el5_8.s390x.rpm firefox-debuginfo-10.0.10-1.el5_8.s390.rpm firefox-debuginfo-10.0.10-1.el5_8.s390x.rpm xulrunner-10.0.10-1.el5_8.s390.rpm xulrunner-10.0.10-1.el5_8.s390x.rpm xulrunner-debuginfo-10.0.10-1.el5_8.s390.rpm xulrunner-debuginfo-10.0.10-1.el5_8.s390x.rpm xulrunner-devel-10.0.10-1.el5_8.s390.rpm xulrunner-devel-10.0.10-1.el5_8.s390x.rpm x86_64: firefox-10.0.10-1.el5_8.i386.rpm firefox-10.0.10-1.el5_8.x86_64.rpm firefox-debuginfo-10.0.10-1.el5_8.i386.rpm firefox-debuginfo-10.0.10-1.el5_8.x86_64.rpm xulrunner-10.0.10-1.el5_8.i386.rpm xulrunner-10.0.10-1.el5_8.x86_64.rpm xulrunner-debuginfo-10.0.10-1.el5_8.i386.rpm xulrunner-debuginfo-10.0.10-1.el5_8.x86_64.rpm xulrunner-devel-10.0.10-1.el5_8.i386.rpm xulrunner-devel-10.0.10-1.el5_8.x86_64.rpm Red Hat Enterprise Linux Desktop (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/firefox-10.0.10-1.el6_3.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/xulrunner-10.0.10-1.el6_3.src.rpm i386: firefox-10.0.10-1.el6_3.i686.rpm firefox-debuginfo-10.0.10-1.el6_3.i686.rpm xulrunner-10.0.10-1.el6_3.i686.rpm xulrunner-debuginfo-10.0.10-1.el6_3.i686.rpm x86_64: firefox-10.0.10-1.el6_3.i686.rpm firefox-10.0.10-1.el6_3.x86_64.rpm firefox-debuginfo-10.0.10-1.el6_3.i686.rpm firefox-debuginfo-10.0.10-1.el6_3.x86_64.rpm xulrunner-10.0.10-1.el6_3.i686.rpm xulrunner-10.0.10-1.el6_3.x86_64.rpm xulrunner-debuginfo-10.0.10-1.el6_3.i686.rpm xulrunner-debuginfo-10.0.10-1.el6_3.x86_64.rpm Red Hat Enterprise Linux Desktop Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/xulrunner-10.0.10-1.el6_3.src.rpm i386: xulrunner-debuginfo-10.0.10-1.el6_3.i686.rpm xulrunner-devel-10.0.10-1.el6_3.i686.rpm x86_64: xulrunner-debuginfo-10.0.10-1.el6_3.i686.rpm xulrunner-debuginfo-10.0.10-1.el6_3.x86_64.rpm xulrunner-devel-10.0.10-1.el6_3.i686.rpm xulrunner-devel-10.0.10-1.el6_3.x86_64.rpm Red Hat Enterprise Linux HPC Node Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/firefox-10.0.10-1.el6_3.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/xulrunner-10.0.10-1.el6_3.src.rpm x86_64: firefox-10.0.10-1.el6_3.i686.rpm firefox-10.0.10-1.el6_3.x86_64.rpm firefox-debuginfo-10.0.10-1.el6_3.i686.rpm firefox-debuginfo-10.0.10-1.el6_3.x86_64.rpm xulrunner-10.0.10-1.el6_3.i686.rpm xulrunner-10.0.10-1.el6_3.x86_64.rpm xulrunner-debuginfo-10.0.10-1.el6_3.i686.rpm xulrunner-debuginfo-10.0.10-1.el6_3.x86_64.rpm xulrunner-devel-10.0.10-1.el6_3.i686.rpm xulrunner-devel-10.0.10-1.el6_3.x86_64.rpm Red Hat Enterprise Linux Server (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/firefox-10.0.10-1.el6_3.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/xulrunner-10.0.10-1.el6_3.src.rpm i386: firefox-10.0.10-1.el6_3.i686.rpm firefox-debuginfo-10.0.10-1.el6_3.i686.rpm xulrunner-10.0.10-1.el6_3.i686.rpm xulrunner-debuginfo-10.0.10-1.el6_3.i686.rpm ppc64: firefox-10.0.10-1.el6_3.ppc.rpm firefox-10.0.10-1.el6_3.ppc64.rpm firefox-debuginfo-10.0.10-1.el6_3.ppc.rpm firefox-debuginfo-10.0.10-1.el6_3.ppc64.rpm xulrunner-10.0.10-1.el6_3.ppc.rpm xulrunner-10.0.10-1.el6_3.ppc64.rpm xulrunner-debuginfo-10.0.10-1.el6_3.ppc.rpm xulrunner-debuginfo-10.0.10-1.el6_3.ppc64.rpm s390x: firefox-10.0.10-1.el6_3.s390.rpm firefox-10.0.10-1.el6_3.s390x.rpm firefox-debuginfo-10.0.10-1.el6_3.s390.rpm firefox-debuginfo-10.0.10-1.el6_3.s390x.rpm xulrunner-10.0.10-1.el6_3.s390.rpm xulrunner-10.0.10-1.el6_3.s390x.rpm xulrunner-debuginfo-10.0.10-1.el6_3.s390.rpm xulrunner-debuginfo-10.0.10-1.el6_3.s390x.rpm x86_64: firefox-10.0.10-1.el6_3.i686.rpm firefox-10.0.10-1.el6_3.x86_64.rpm firefox-debuginfo-10.0.10-1.el6_3.i686.rpm firefox-debuginfo-10.0.10-1.el6_3.x86_64.rpm xulrunner-10.0.10-1.el6_3.i686.rpm xulrunner-10.0.10-1.el6_3.x86_64.rpm xulrunner-debuginfo-10.0.10-1.el6_3.i686.rpm xulrunner-debuginfo-10.0.10-1.el6_3.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/xulrunner-10.0.10-1.el6_3.src.rpm i386: xulrunner-debuginfo-10.0.10-1.el6_3.i686.rpm xulrunner-devel-10.0.10-1.el6_3.i686.rpm ppc64: xulrunner-debuginfo-10.0.10-1.el6_3.ppc.rpm xulrunner-debuginfo-10.0.10-1.el6_3.ppc64.rpm xulrunner-devel-10.0.10-1.el6_3.ppc.rpm xulrunner-devel-10.0.10-1.el6_3.ppc64.rpm s390x: xulrunner-debuginfo-10.0.10-1.el6_3.s390.rpm xulrunner-debuginfo-10.0.10-1.el6_3.s390x.rpm xulrunner-devel-10.0.10-1.el6_3.s390.rpm xulrunner-devel-10.0.10-1.el6_3.s390x.rpm x86_64: xulrunner-debuginfo-10.0.10-1.el6_3.i686.rpm xulrunner-debuginfo-10.0.10-1.el6_3.x86_64.rpm xulrunner-devel-10.0.10-1.el6_3.i686.rpm xulrunner-devel-10.0.10-1.el6_3.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/firefox-10.0.10-1.el6_3.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/xulrunner-10.0.10-1.el6_3.src.rpm i386: firefox-10.0.10-1.el6_3.i686.rpm firefox-debuginfo-10.0.10-1.el6_3.i686.rpm xulrunner-10.0.10-1.el6_3.i686.rpm xulrunner-debuginfo-10.0.10-1.el6_3.i686.rpm x86_64: firefox-10.0.10-1.el6_3.i686.rpm firefox-10.0.10-1.el6_3.x86_64.rpm firefox-debuginfo-10.0.10-1.el6_3.i686.rpm firefox-debuginfo-10.0.10-1.el6_3.x86_64.rpm xulrunner-10.0.10-1.el6_3.i686.rpm xulrunner-10.0.10-1.el6_3.x86_64.rpm xulrunner-debuginfo-10.0.10-1.el6_3.i686.rpm xulrunner-debuginfo-10.0.10-1.el6_3.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/xulrunner-10.0.10-1.el6_3.src.rpm i386: xulrunner-debuginfo-10.0.10-1.el6_3.i686.rpm xulrunner-devel-10.0.10-1.el6_3.i686.rpm x86_64: xulrunner-debuginfo-10.0.10-1.el6_3.i686.rpm xulrunner-debuginfo-10.0.10-1.el6_3.x86_64.rpm xulrunner-devel-10.0.10-1.el6_3.i686.rpm xulrunner-devel-10.0.10-1.el6_3.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2012-4194.html https://www.redhat.com/security/data/cve/CVE-2012-4195.html https://www.redhat.com/security/data/cve/CVE-2012-4196.html https://access.redhat.com/security/updates/classification/#critical http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2012 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFQiyISXlSAg2UNWIIRAnTTAKDAhkPDML+NguQiOvLE0qgJkecm1QCeOGys yRnIn9vziIgfXFUFC5ni3os= =Skkd -----END PGP SIGNATURE----- From bugzilla at redhat.com Mon Oct 29 23:49:50 2012 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Mon, 29 Oct 2012 23:49:50 +0000 Subject: [RHSA-2012:1413-01] Important: thunderbird security update Message-ID: <201210292349.q9TNnodU028035@int-mx01.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: thunderbird security update Advisory ID: RHSA-2012:1413-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-1413.html Issue date: 2012-10-29 CVE Names: CVE-2012-4194 CVE-2012-4195 CVE-2012-4196 ===================================================================== 1. Summary: An updated thunderbird package that fixes multiple security issues is now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: RHEL Optional Productivity Applications (v. 5 server) - i386, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 3. Description: Mozilla Thunderbird is a standalone mail and newsgroup client. Multiple flaws were found in the location object implementation in Thunderbird. Malicious content could be used to perform cross-site scripting attacks, bypass the same-origin policy, or cause Thunderbird to execute arbitrary code. (CVE-2012-4194, CVE-2012-4195, CVE-2012-4196) Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Mariusz Mlynski, moz_bug_r_a4, and Antoine Delignat-Lavaud as the original reporters of these issues. Note: None of the issues in this advisory can be exploited by a specially-crafted HTML mail message as JavaScript is disabled by default for mail messages. They could be exploited another way in Thunderbird, for example, when viewing the full remote content of an RSS feed. All Thunderbird users should upgrade to this updated package, which contains Thunderbird version 10.0.10 ESR, which corrects these issues. After installing the update, Thunderbird must be restarted for the changes to take effect. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 5. Bugs fixed (http://bugzilla.redhat.com/): 869893 - CVE-2012-4194 CVE-2012-4195 CVE-2012-4196 Mozilla: Fixes for Location object issues (MFSA 2012-90) 6. Package List: Red Hat Enterprise Linux Desktop (v. 5 client): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/thunderbird-10.0.10-1.el5_8.src.rpm i386: thunderbird-10.0.10-1.el5_8.i386.rpm thunderbird-debuginfo-10.0.10-1.el5_8.i386.rpm x86_64: thunderbird-10.0.10-1.el5_8.x86_64.rpm thunderbird-debuginfo-10.0.10-1.el5_8.x86_64.rpm RHEL Optional Productivity Applications (v. 5 server): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/thunderbird-10.0.10-1.el5_8.src.rpm i386: thunderbird-10.0.10-1.el5_8.i386.rpm thunderbird-debuginfo-10.0.10-1.el5_8.i386.rpm x86_64: thunderbird-10.0.10-1.el5_8.x86_64.rpm thunderbird-debuginfo-10.0.10-1.el5_8.x86_64.rpm Red Hat Enterprise Linux Desktop (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/thunderbird-10.0.10-1.el6_3.src.rpm i386: thunderbird-10.0.10-1.el6_3.i686.rpm thunderbird-debuginfo-10.0.10-1.el6_3.i686.rpm x86_64: thunderbird-10.0.10-1.el6_3.x86_64.rpm thunderbird-debuginfo-10.0.10-1.el6_3.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/thunderbird-10.0.10-1.el6_3.src.rpm i386: thunderbird-10.0.10-1.el6_3.i686.rpm thunderbird-debuginfo-10.0.10-1.el6_3.i686.rpm ppc64: thunderbird-10.0.10-1.el6_3.ppc64.rpm thunderbird-debuginfo-10.0.10-1.el6_3.ppc64.rpm s390x: thunderbird-10.0.10-1.el6_3.s390x.rpm thunderbird-debuginfo-10.0.10-1.el6_3.s390x.rpm x86_64: thunderbird-10.0.10-1.el6_3.x86_64.rpm thunderbird-debuginfo-10.0.10-1.el6_3.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/thunderbird-10.0.10-1.el6_3.src.rpm i386: thunderbird-10.0.10-1.el6_3.i686.rpm thunderbird-debuginfo-10.0.10-1.el6_3.i686.rpm x86_64: thunderbird-10.0.10-1.el6_3.x86_64.rpm thunderbird-debuginfo-10.0.10-1.el6_3.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2012-4194.html https://www.redhat.com/security/data/cve/CVE-2012-4195.html https://www.redhat.com/security/data/cve/CVE-2012-4196.html https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2012 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFQjxX7XlSAg2UNWIIRAnKWAJ9fK36o9BLqgG+5oJH/BZCQqc3DugCgi/IS tLLmk7O99ThHKGLLFOCjBhc= =Bu48 -----END PGP SIGNATURE----- From bugzilla at redhat.com Tue Oct 30 17:40:22 2012 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Tue, 30 Oct 2012 17:40:22 +0000 Subject: [RHSA-2012:1416-01] Critical: kdelibs security update Message-ID: <201210301740.q9UHeMeV029505@int-mx09.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Critical: kdelibs security update Advisory ID: RHSA-2012:1416-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-1416.html Issue date: 2012-10-30 CVE Names: CVE-2012-4512 CVE-2012-4513 ===================================================================== 1. Summary: Updated kdelibs packages that fix two security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, noarch, x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - noarch, x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, noarch, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, noarch, x86_64 3. Description: The kdelibs packages provide libraries for the K Desktop Environment (KDE). Konqueror is a web browser. A heap-based buffer overflow flaw was found in the way the CSS (Cascading Style Sheets) parser in kdelibs parsed the location of the source for font faces. A web page containing malicious content could cause an application using kdelibs (such as Konqueror) to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2012-4512) A heap-based buffer over-read flaw was found in the way kdelibs calculated canvas dimensions for large images. A web page containing malicious content could cause an application using kdelibs to crash or disclose portions of its memory. (CVE-2012-4513) Users should upgrade to these updated packages, which contain backported patches to correct these issues. The desktop must be restarted (log out, then log back in) for this update to take effect. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 5. Bugs fixed (http://bugzilla.redhat.com/): 865741 - CVE-2012-4513 kdelibs: Heap-based buffer over-read when calculating dimensions of the canvas within the scale loop 865779 - CVE-2012-4512 kdelibs: Heap-based buffer overflow when parsing location of a font face source 6. Package List: Red Hat Enterprise Linux Desktop (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/kdelibs-4.3.4-14.el6_3.2.src.rpm i386: kdelibs-4.3.4-14.el6_3.2.i686.rpm kdelibs-common-4.3.4-14.el6_3.2.i686.rpm kdelibs-debuginfo-4.3.4-14.el6_3.2.i686.rpm x86_64: kdelibs-4.3.4-14.el6_3.2.i686.rpm kdelibs-4.3.4-14.el6_3.2.x86_64.rpm kdelibs-common-4.3.4-14.el6_3.2.x86_64.rpm kdelibs-debuginfo-4.3.4-14.el6_3.2.i686.rpm kdelibs-debuginfo-4.3.4-14.el6_3.2.x86_64.rpm Red Hat Enterprise Linux Desktop Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/kdelibs-4.3.4-14.el6_3.2.src.rpm i386: kdelibs-debuginfo-4.3.4-14.el6_3.2.i686.rpm kdelibs-devel-4.3.4-14.el6_3.2.i686.rpm noarch: kdelibs-apidocs-4.3.4-14.el6_3.2.noarch.rpm x86_64: kdelibs-debuginfo-4.3.4-14.el6_3.2.i686.rpm kdelibs-debuginfo-4.3.4-14.el6_3.2.x86_64.rpm kdelibs-devel-4.3.4-14.el6_3.2.i686.rpm kdelibs-devel-4.3.4-14.el6_3.2.x86_64.rpm Red Hat Enterprise Linux HPC Node Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/kdelibs-4.3.4-14.el6_3.2.src.rpm noarch: kdelibs-apidocs-4.3.4-14.el6_3.2.noarch.rpm x86_64: kdelibs-4.3.4-14.el6_3.2.i686.rpm kdelibs-4.3.4-14.el6_3.2.x86_64.rpm kdelibs-common-4.3.4-14.el6_3.2.x86_64.rpm kdelibs-debuginfo-4.3.4-14.el6_3.2.i686.rpm kdelibs-debuginfo-4.3.4-14.el6_3.2.x86_64.rpm kdelibs-devel-4.3.4-14.el6_3.2.i686.rpm kdelibs-devel-4.3.4-14.el6_3.2.x86_64.rpm Red Hat Enterprise Linux Server (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/kdelibs-4.3.4-14.el6_3.2.src.rpm i386: kdelibs-4.3.4-14.el6_3.2.i686.rpm kdelibs-common-4.3.4-14.el6_3.2.i686.rpm kdelibs-debuginfo-4.3.4-14.el6_3.2.i686.rpm kdelibs-devel-4.3.4-14.el6_3.2.i686.rpm noarch: kdelibs-apidocs-4.3.4-14.el6_3.2.noarch.rpm ppc64: kdelibs-4.3.4-14.el6_3.2.ppc.rpm kdelibs-4.3.4-14.el6_3.2.ppc64.rpm kdelibs-common-4.3.4-14.el6_3.2.ppc64.rpm kdelibs-debuginfo-4.3.4-14.el6_3.2.ppc.rpm kdelibs-debuginfo-4.3.4-14.el6_3.2.ppc64.rpm kdelibs-devel-4.3.4-14.el6_3.2.ppc.rpm kdelibs-devel-4.3.4-14.el6_3.2.ppc64.rpm s390x: kdelibs-4.3.4-14.el6_3.2.s390.rpm kdelibs-4.3.4-14.el6_3.2.s390x.rpm kdelibs-common-4.3.4-14.el6_3.2.s390x.rpm kdelibs-debuginfo-4.3.4-14.el6_3.2.s390.rpm kdelibs-debuginfo-4.3.4-14.el6_3.2.s390x.rpm kdelibs-devel-4.3.4-14.el6_3.2.s390.rpm kdelibs-devel-4.3.4-14.el6_3.2.s390x.rpm x86_64: kdelibs-4.3.4-14.el6_3.2.i686.rpm kdelibs-4.3.4-14.el6_3.2.x86_64.rpm kdelibs-common-4.3.4-14.el6_3.2.x86_64.rpm kdelibs-debuginfo-4.3.4-14.el6_3.2.i686.rpm kdelibs-debuginfo-4.3.4-14.el6_3.2.x86_64.rpm kdelibs-devel-4.3.4-14.el6_3.2.i686.rpm kdelibs-devel-4.3.4-14.el6_3.2.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/kdelibs-4.3.4-14.el6_3.2.src.rpm i386: kdelibs-4.3.4-14.el6_3.2.i686.rpm kdelibs-common-4.3.4-14.el6_3.2.i686.rpm kdelibs-debuginfo-4.3.4-14.el6_3.2.i686.rpm kdelibs-devel-4.3.4-14.el6_3.2.i686.rpm noarch: kdelibs-apidocs-4.3.4-14.el6_3.2.noarch.rpm x86_64: kdelibs-4.3.4-14.el6_3.2.i686.rpm kdelibs-4.3.4-14.el6_3.2.x86_64.rpm kdelibs-common-4.3.4-14.el6_3.2.x86_64.rpm kdelibs-debuginfo-4.3.4-14.el6_3.2.i686.rpm kdelibs-debuginfo-4.3.4-14.el6_3.2.x86_64.rpm kdelibs-devel-4.3.4-14.el6_3.2.i686.rpm kdelibs-devel-4.3.4-14.el6_3.2.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2012-4512.html https://www.redhat.com/security/data/cve/CVE-2012-4513.html https://access.redhat.com/security/updates/classification/#critical 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2012 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFQkBDUXlSAg2UNWIIRAtUvAJ4y4u45mh+EEyPjqhVoO2wB0AA3IgCeLOmL uDneP79emrFYUn7F6E1RtWk= =p+MA -----END PGP SIGNATURE----- From bugzilla at redhat.com Tue Oct 30 17:41:30 2012 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Tue, 30 Oct 2012 17:41:30 +0000 Subject: [RHSA-2012:1417-01] Low: Red Hat Enterprise Linux Extended Update Support 6.0 1-Month EOL Notice Message-ID: <201210301741.q9UHfUfC015980@int-mx12.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Low: Red Hat Enterprise Linux Extended Update Support 6.0 1-Month EOL Notice Advisory ID: RHSA-2012:1417-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-1417.html Issue date: 2012-10-30 ===================================================================== 1. Summary: This is the 1-Month notification of the End Of Life plans for Red Hat Enterprise Linux Extended Update Support Add-On (EUS) 6.0. 2. Relevant releases/architectures: Red Hat Enterprise Linux Server EUS (v. 6.0) - i386, ppc64, s390x, x86_64 3. Description: In accordance with the Red Hat Enterprise Linux Errata Support Policy, the Extended Update Support for Red Hat Enterprise Linux 6.0 will end on 30th November, 2012. Note: This does not impact you unless you are subscribed to the Extended Update Support (EUS) channel for Red Hat Enterprise Linux 6.0. Details of the Red Hat Enterprise Linux life-cycle can be found on the Red Hat website: https://access.redhat.com/support/policy/updates/errata/ 4. Solution: This advisory contains an updated redhat-release-server package that provides a copy of this end of life notice in the "/usr/share/doc/" directory. 5. Package List: Red Hat Enterprise Linux Server EUS (v. 6.0): Source: redhat-release-server-6Server-6.0.0.40.el6_0.src.rpm i386: redhat-release-server-6Server-6.0.0.40.el6_0.i686.rpm ppc64: redhat-release-server-6Server-6.0.0.40.el6_0.ppc64.rpm s390x: redhat-release-server-6Server-6.0.0.40.el6_0.s390x.rpm x86_64: redhat-release-server-6Server-6.0.0.40.el6_0.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 6. References: https://access.redhat.com/security/updates/classification/#low https://access.redhat.com/support/policy/updates/errata/ 7. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2012 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFQkBETXlSAg2UNWIIRAlVPAJ4troWGdi5/hoI9Zaz8qtnBO2D97gCeMdQy VnYzOP+o+rAcpfDGK1k2jtk= =LpmP -----END PGP SIGNATURE----- From bugzilla at redhat.com Tue Oct 30 17:42:14 2012 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Tue, 30 Oct 2012 17:42:14 +0000 Subject: [RHSA-2012:1418-01] Critical: kdelibs security update Message-ID: <201210301742.q9UHgEDJ016164@int-mx12.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Critical: kdelibs security update Advisory ID: RHSA-2012:1418-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-1418.html Issue date: 2012-10-30 CVE Names: CVE-2012-4512 CVE-2012-4513 ===================================================================== 1. Summary: Updated kdelibs packages that fix two security issues are now available for Red Hat Enterprise Linux 6 FasTrack. The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, noarch, x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - noarch, x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, noarch, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, noarch, x86_64 3. Description: The kdelibs packages provide libraries for the K Desktop Environment (KDE). Konqueror is a web browser. A heap-based buffer overflow flaw was found in the way the CSS (Cascading Style Sheets) parser in kdelibs parsed the location of the source for font faces. A web page containing malicious content could cause an application using kdelibs (such as Konqueror) to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2012-4512) A heap-based buffer over-read flaw was found in the way kdelibs calculated canvas dimensions for large images. A web page containing malicious content could cause an application using kdelibs to crash or disclose portions of its memory. (CVE-2012-4513) Users should upgrade to these updated packages, which contain backported patches to correct these issues. The desktop must be restarted (log out, then log back in) for this update to take effect. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 5. Bugs fixed (http://bugzilla.redhat.com/): 865741 - CVE-2012-4513 kdelibs: Heap-based buffer over-read when calculating dimensions of the canvas within the scale loop 865779 - CVE-2012-4512 kdelibs: Heap-based buffer overflow when parsing location of a font face source 6. Package List: Red Hat Enterprise Linux Desktop (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/kdelibs-4.3.4-19.el6.src.rpm i386: kdelibs-4.3.4-19.el6.i686.rpm kdelibs-common-4.3.4-19.el6.i686.rpm kdelibs-debuginfo-4.3.4-19.el6.i686.rpm x86_64: kdelibs-4.3.4-19.el6.i686.rpm kdelibs-4.3.4-19.el6.x86_64.rpm kdelibs-common-4.3.4-19.el6.x86_64.rpm kdelibs-debuginfo-4.3.4-19.el6.i686.rpm kdelibs-debuginfo-4.3.4-19.el6.x86_64.rpm Red Hat Enterprise Linux Desktop Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/kdelibs-4.3.4-19.el6.src.rpm i386: kdelibs-debuginfo-4.3.4-19.el6.i686.rpm kdelibs-devel-4.3.4-19.el6.i686.rpm noarch: kdelibs-apidocs-4.3.4-19.el6.noarch.rpm x86_64: kdelibs-debuginfo-4.3.4-19.el6.i686.rpm kdelibs-debuginfo-4.3.4-19.el6.x86_64.rpm kdelibs-devel-4.3.4-19.el6.i686.rpm kdelibs-devel-4.3.4-19.el6.x86_64.rpm Red Hat Enterprise Linux HPC Node Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/kdelibs-4.3.4-19.el6.src.rpm noarch: kdelibs-apidocs-4.3.4-19.el6.noarch.rpm x86_64: kdelibs-4.3.4-19.el6.i686.rpm kdelibs-4.3.4-19.el6.x86_64.rpm kdelibs-common-4.3.4-19.el6.x86_64.rpm kdelibs-debuginfo-4.3.4-19.el6.i686.rpm kdelibs-debuginfo-4.3.4-19.el6.x86_64.rpm kdelibs-devel-4.3.4-19.el6.i686.rpm kdelibs-devel-4.3.4-19.el6.x86_64.rpm Red Hat Enterprise Linux Server (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/kdelibs-4.3.4-19.el6.src.rpm i386: kdelibs-4.3.4-19.el6.i686.rpm kdelibs-common-4.3.4-19.el6.i686.rpm kdelibs-debuginfo-4.3.4-19.el6.i686.rpm kdelibs-devel-4.3.4-19.el6.i686.rpm noarch: kdelibs-apidocs-4.3.4-19.el6.noarch.rpm ppc64: kdelibs-4.3.4-19.el6.ppc.rpm kdelibs-4.3.4-19.el6.ppc64.rpm kdelibs-common-4.3.4-19.el6.ppc64.rpm kdelibs-debuginfo-4.3.4-19.el6.ppc.rpm kdelibs-debuginfo-4.3.4-19.el6.ppc64.rpm kdelibs-devel-4.3.4-19.el6.ppc.rpm kdelibs-devel-4.3.4-19.el6.ppc64.rpm s390x: kdelibs-4.3.4-19.el6.s390.rpm kdelibs-4.3.4-19.el6.s390x.rpm kdelibs-common-4.3.4-19.el6.s390x.rpm kdelibs-debuginfo-4.3.4-19.el6.s390.rpm kdelibs-debuginfo-4.3.4-19.el6.s390x.rpm kdelibs-devel-4.3.4-19.el6.s390.rpm kdelibs-devel-4.3.4-19.el6.s390x.rpm x86_64: kdelibs-4.3.4-19.el6.i686.rpm kdelibs-4.3.4-19.el6.x86_64.rpm kdelibs-common-4.3.4-19.el6.x86_64.rpm kdelibs-debuginfo-4.3.4-19.el6.i686.rpm kdelibs-debuginfo-4.3.4-19.el6.x86_64.rpm kdelibs-devel-4.3.4-19.el6.i686.rpm kdelibs-devel-4.3.4-19.el6.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/kdelibs-4.3.4-19.el6.src.rpm i386: kdelibs-4.3.4-19.el6.i686.rpm kdelibs-common-4.3.4-19.el6.i686.rpm kdelibs-debuginfo-4.3.4-19.el6.i686.rpm kdelibs-devel-4.3.4-19.el6.i686.rpm noarch: kdelibs-apidocs-4.3.4-19.el6.noarch.rpm x86_64: kdelibs-4.3.4-19.el6.i686.rpm kdelibs-4.3.4-19.el6.x86_64.rpm kdelibs-common-4.3.4-19.el6.x86_64.rpm kdelibs-debuginfo-4.3.4-19.el6.i686.rpm kdelibs-debuginfo-4.3.4-19.el6.x86_64.rpm kdelibs-devel-4.3.4-19.el6.i686.rpm kdelibs-devel-4.3.4-19.el6.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2012-4512.html https://www.redhat.com/security/data/cve/CVE-2012-4513.html https://access.redhat.com/security/updates/classification/#critical http://www.redhat.com/rhn/rhndetails/fastrack/ 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2012 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFQkBFgXlSAg2UNWIIRAp6wAKCBWXKF5HtIWZujmZfueAX48KkAbACfalp3 tke6laFIrNcZOt9WtCLBxiE= =M8Ki -----END PGP SIGNATURE-----