From bugzilla at redhat.com  Mon Aug  5 17:13:00 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 5 Aug 2013 17:13:00 +0000
Subject: [RHSA-2013:1135-01] Moderate: nss and nspr security, bug fix, and enhancement update
Message-ID: <201308051713.r75HD3hT013584@int-mx02.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: nss and nspr security, bug fix, and enhancement update
Advisory ID:       RHSA-2013:1135-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-1135.html
Issue date:        2013-08-05
CVE Names:         CVE-2013-0791 CVE-2013-1620
=====================================================================

1. Summary:

Updated nss and nspr packages that fix two security issues, various bugs, and add enhancements are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64

3. Description:

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities.

It was discovered that NSS leaked timing information when decrypting TLS/SSL and DTLS protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL or DTLS server as a padding oracle. (CVE-2013-1620)

An out-of-bounds memory read flaw was found in the way NSS decoded certain certificates. If an application using NSS decoded a malformed certificate, it could cause the application to crash. (CVE-2013-0791)

Red Hat would like to thank the Mozilla project for reporting CVE-2013-0791. Upstream acknowledges Ambroz Bizjak as the original reporter of CVE-2013-0791.

This update also fixes the following bugs:

* A defect in the FreeBL library implementation of the Diffie-Hellman (DH) protocol previously caused Openswan to drop connections. (BZ#958023)

* A memory leak in the nssutil_ReadSecmodDB() function has been fixed. (BZ#986969)

In addition, the nss package has been upgraded to upstream version 3.14.3, and the nspr package has been upgraded to upstream version 4.9.5. These updates provide a number of bug fixes and enhancements over the previous versions. (BZ#949845, BZ#924741)

Note that while upstream NSS version 3.14 prevents the use of certificates that have an MD5 signature, this erratum includes a patch that allows such certificates by default. To prevent the use of certificates that have an MD5 signature, set the "NSS_HASH_ALG_SUPPORT" environment variable to "-MD5".

Users of NSS and NSPR are advised to upgrade to these updated packages, which fix these issues and add these enhancements. After installing this update, applications using NSS or NSPR must be restarted for this update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258
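The advisory states that applications using NSS or NSPR must be restarted before the update takes effect, but it does not say how to find the ones that have not been. The following shell script is an added example and is not part of the Red Hat advisory: it reads /proc/<pid>/maps, where the kernel marks a mapped file that has since been replaced on disk with a trailing "(deleted)", and reports processes that still map an old NSS or NSPR shared object. The library name pattern (NSS_LIB_RE) is this example's own assumption about which .so files the nss/nspr packages ship; reading other users' maps files requires root, and the process name is taken from /proc/<pid>/status because the RHEL 5 kernel has no /proc/<pid>/comm.

```shell
#!/bin/sh
# Added example, not from the advisory: list processes that still map a
# deleted (replaced) NSS/NSPR library and therefore still need a restart.

# Library basenames to look for; an assumption of this example, not a list
# taken from the advisory.
NSS_LIB_RE='/(libnss|libnssutil|libsmime|libssl3|libfreebl|libsoftokn|libnspr|libplc4|libplds4)[^ ]*\.so'

# stale_lib_maps FILE
#   FILE is a /proc/<pid>/maps-style file. Prints each distinct library path
#   matching NSS_LIB_RE whose backing file has been deleted, i.e. replaced
#   by the update while the process kept the old copy mapped.
stale_lib_maps() {
    grep -E "${NSS_LIB_RE}[^ ]* \(deleted\)\$" "$1" 2>/dev/null \
        | awk '{ print $6 }' | sort -u
}

# processes_needing_restart
#   Scans every live process and prints "PID NAME" for each one that still
#   maps a deleted NSS/NSPR library. Returns 0 when nothing is stale, 1 when
#   at least one process needs a restart.
processes_needing_restart() {
    found=0
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        if [ -n "$(stale_lib_maps "$maps")" ]; then
            found=1
            name=$(awk '/^Name:/ { print $2; exit }' "/proc/$pid/status" 2>/dev/null)
            printf '%s %s\n' "$pid" "$name"
        fi
    done
    return $found
}

# Usage, as root, after the updated packages are installed:
#   processes_needing_restart
```

Run it once after the update and again after restarting the reported services; an empty result with exit status 0 means no process is still running on the pre-update libraries.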
5. Bugs fixed (http://bugzilla.redhat.com/):

908234 - CVE-2013-1620 nss: TLS CBC padding timing attack
924741 - Rebase to nspr-4.9.5
946947 - CVE-2013-0791 Mozilla: Out-of-bounds array read in CERT_DecodeCertPackage (MFSA 2013-40)
949845 - [RFE][RHEL5] Rebase to nss-3.14.3 to fix the lucky-13 issue
986969 - nssutil_ReadSecmodDB() leaks memory

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/nspr-4.9.5-1.el5_9.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/nss-3.14.3-6.el5_9.src.rpm

i386:
nspr-4.9.5-1.el5_9.i386.rpm
nspr-debuginfo-4.9.5-1.el5_9.i386.rpm
nss-3.14.3-6.el5_9.i386.rpm
nss-debuginfo-3.14.3-6.el5_9.i386.rpm
nss-tools-3.14.3-6.el5_9.i386.rpm

x86_64:
nspr-4.9.5-1.el5_9.i386.rpm
nspr-4.9.5-1.el5_9.x86_64.rpm
nspr-debuginfo-4.9.5-1.el5_9.i386.rpm
nspr-debuginfo-4.9.5-1.el5_9.x86_64.rpm
nss-3.14.3-6.el5_9.i386.rpm
nss-3.14.3-6.el5_9.x86_64.rpm
nss-debuginfo-3.14.3-6.el5_9.i386.rpm
nss-debuginfo-3.14.3-6.el5_9.x86_64.rpm
nss-tools-3.14.3-6.el5_9.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/nspr-4.9.5-1.el5_9.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/nss-3.14.3-6.el5_9.src.rpm

i386:
nspr-debuginfo-4.9.5-1.el5_9.i386.rpm
nspr-devel-4.9.5-1.el5_9.i386.rpm
nss-debuginfo-3.14.3-6.el5_9.i386.rpm
nss-devel-3.14.3-6.el5_9.i386.rpm
nss-pkcs11-devel-3.14.3-6.el5_9.i386.rpm

x86_64:
nspr-debuginfo-4.9.5-1.el5_9.i386.rpm
nspr-debuginfo-4.9.5-1.el5_9.x86_64.rpm
nspr-devel-4.9.5-1.el5_9.i386.rpm
nspr-devel-4.9.5-1.el5_9.x86_64.rpm
nss-debuginfo-3.14.3-6.el5_9.i386.rpm
nss-debuginfo-3.14.3-6.el5_9.x86_64.rpm
nss-devel-3.14.3-6.el5_9.i386.rpm
nss-devel-3.14.3-6.el5_9.x86_64.rpm
nss-pkcs11-devel-3.14.3-6.el5_9.i386.rpm
nss-pkcs11-devel-3.14.3-6.el5_9.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/nspr-4.9.5-1.el5_9.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/nss-3.14.3-6.el5_9.src.rpm

i386:
nspr-4.9.5-1.el5_9.i386.rpm
nspr-debuginfo-4.9.5-1.el5_9.i386.rpm
nspr-devel-4.9.5-1.el5_9.i386.rpm
nss-3.14.3-6.el5_9.i386.rpm
nss-debuginfo-3.14.3-6.el5_9.i386.rpm
nss-devel-3.14.3-6.el5_9.i386.rpm
nss-pkcs11-devel-3.14.3-6.el5_9.i386.rpm
nss-tools-3.14.3-6.el5_9.i386.rpm

ia64:
nspr-4.9.5-1.el5_9.i386.rpm
nspr-4.9.5-1.el5_9.ia64.rpm
nspr-debuginfo-4.9.5-1.el5_9.i386.rpm
nspr-debuginfo-4.9.5-1.el5_9.ia64.rpm
nspr-devel-4.9.5-1.el5_9.ia64.rpm
nss-3.14.3-6.el5_9.i386.rpm
nss-3.14.3-6.el5_9.ia64.rpm
nss-debuginfo-3.14.3-6.el5_9.i386.rpm
nss-debuginfo-3.14.3-6.el5_9.ia64.rpm
nss-devel-3.14.3-6.el5_9.ia64.rpm
nss-pkcs11-devel-3.14.3-6.el5_9.ia64.rpm
nss-tools-3.14.3-6.el5_9.ia64.rpm

ppc:
nspr-4.9.5-1.el5_9.ppc.rpm
nspr-4.9.5-1.el5_9.ppc64.rpm
nspr-debuginfo-4.9.5-1.el5_9.ppc.rpm
nspr-debuginfo-4.9.5-1.el5_9.ppc64.rpm
nspr-devel-4.9.5-1.el5_9.ppc.rpm
nspr-devel-4.9.5-1.el5_9.ppc64.rpm
nss-3.14.3-6.el5_9.ppc.rpm
nss-3.14.3-6.el5_9.ppc64.rpm
nss-debuginfo-3.14.3-6.el5_9.ppc.rpm
nss-debuginfo-3.14.3-6.el5_9.ppc64.rpm
nss-devel-3.14.3-6.el5_9.ppc.rpm
nss-devel-3.14.3-6.el5_9.ppc64.rpm
nss-pkcs11-devel-3.14.3-6.el5_9.ppc.rpm
nss-pkcs11-devel-3.14.3-6.el5_9.ppc64.rpm
nss-tools-3.14.3-6.el5_9.ppc.rpm

s390x:
nspr-4.9.5-1.el5_9.s390.rpm
nspr-4.9.5-1.el5_9.s390x.rpm
nspr-debuginfo-4.9.5-1.el5_9.s390.rpm
nspr-debuginfo-4.9.5-1.el5_9.s390x.rpm
nspr-devel-4.9.5-1.el5_9.s390.rpm
nspr-devel-4.9.5-1.el5_9.s390x.rpm
nss-3.14.3-6.el5_9.s390.rpm
nss-3.14.3-6.el5_9.s390x.rpm
nss-debuginfo-3.14.3-6.el5_9.s390.rpm
nss-debuginfo-3.14.3-6.el5_9.s390x.rpm
nss-devel-3.14.3-6.el5_9.s390.rpm
nss-devel-3.14.3-6.el5_9.s390x.rpm
nss-pkcs11-devel-3.14.3-6.el5_9.s390.rpm
nss-pkcs11-devel-3.14.3-6.el5_9.s390x.rpm
nss-tools-3.14.3-6.el5_9.s390x.rpm

x86_64:
nspr-4.9.5-1.el5_9.i386.rpm
nspr-4.9.5-1.el5_9.x86_64.rpm
nspr-debuginfo-4.9.5-1.el5_9.i386.rpm
nspr-debuginfo-4.9.5-1.el5_9.x86_64.rpm
nspr-devel-4.9.5-1.el5_9.i386.rpm
nspr-devel-4.9.5-1.el5_9.x86_64.rpm
nss-3.14.3-6.el5_9.i386.rpm
nss-3.14.3-6.el5_9.x86_64.rpm
nss-debuginfo-3.14.3-6.el5_9.i386.rpm
nss-debuginfo-3.14.3-6.el5_9.x86_64.rpm
nss-devel-3.14.3-6.el5_9.i386.rpm
nss-devel-3.14.3-6.el5_9.x86_64.rpm
nss-pkcs11-devel-3.14.3-6.el5_9.i386.rpm
nss-pkcs11-devel-3.14.3-6.el5_9.x86_64.rpm
nss-tools-3.14.3-6.el5_9.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-0791.html
https://www.redhat.com/security/data/cve/CVE-2013-1620.html
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFR/90XXlSAg2UNWIIRAulnAKDAYg4qxDuS6ViLw+pKWJZoE8b0XQCfSH9c
XLTaJwiUnwZFYPjh7CUAcug=
=1z5z
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Mon Aug  5 17:13:21 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 5 Aug 2013 17:13:21 +0000
Subject: [RHSA-2013:1136-01] Moderate: rubygem-passenger security update
Message-ID: <201308051713.r75HDOGS029730@int-mx10.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: rubygem-passenger security update
Advisory ID:       RHSA-2013:1136-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-1136.html
Issue date:        2013-08-05
CVE Names:         CVE-2013-2119 CVE-2013-4136
=====================================================================

1. Summary:

Updated rubygem-passenger packages that fix two security issues are now available for Red Hat OpenShift Enterprise 1.2.2.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

RHOSE Infrastructure 2.1 - noarch, x86_64
RHOSE Node 1.2 - noarch, x86_64

3. Description:

rubygem-passenger is a web server for Ruby, Python and Node.js applications.

The rubygem-passenger gem created and re-used temporary directories and files in an insecure fashion. A local attacker could use these flaws to conduct a denial of service attack, take over the operation of the application or, potentially, execute arbitrary code with the privileges of the user running rubygem-passenger. (CVE-2013-2119, CVE-2013-4136)

Note: By default, OpenShift Enterprise uses polyinstantiation (per user) for the /tmp/ directory, thereby minimizing the risk and impact of exploitation by local attackers of both CVE-2013-2119 and CVE-2013-4136.

The CVE-2013-2119 issue was discovered by Michael Scherer of the Red Hat Regional IT team.

The following packages are included with this update as dependencies of the updated Ruby 1.8 passenger packages:

rubygem-spruz-0.2.5-4.el6op
rubygem-file-tail-1.0.5-4.el6op

Users of Red Hat OpenShift Enterprise 1.2.2 are advised to upgrade to these updated packages, which correct these issues. After installing the updated packages, manual action is required before the update takes effect. Refer to the Solution section for details.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network.
Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

Manual action is required for this update to take effect. In order for the updated passenger packages to be loaded by Ruby applications in the PaaS, the applications must be restarted with oo-admin-ctl-gears. One way to accomplish this is by running the following command, as a single line without the line break, on all OpenShift Nodes:

for rubyapp in `ls -d /var/lib/openshift/*/ruby | cut -f5 -d/`; do oo-admin-ctl-gears restartgear $rubyapp; done

If there are no Ruby applications on a Node, it will simply fail with the message "No such file or directory". Another option is to run the following on all OpenShift Nodes; however, it will result in non-Ruby applications also being restarted:

oo-admin-ctl-gears restartall

(Note that without the manual action, if a user attempts to restart their Ruby application via the rhc command line, it will fail to start with a "Passenger could not be initialized..." error.)

5. Bugs fixed (http://bugzilla.redhat.com/):

892813 - CVE-2013-2119 rubygem-passenger: incorrect temporary file usage
985633 - CVE-2013-4136 rubygem-passenger: insecure temporary directory usage due to reuse of existing server instance directories
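The restart procedure in the Solution section above, as an added example that is not part of the Red Hat advisory: it performs the same per-gear restart as the advisory's one-liner, but enumerates gears with a shell glob instead of parsing `ls` output, and handles the case the advisory calls out, a Node with no Ruby applications, by restarting nothing and reporting a count of 0 rather than failing with "No such file or directory". It assumes the advisory's /var/lib/openshift/<gear-uuid>/ruby layout; the optional root-directory and command arguments exist only so the functions can be exercised against a constructed directory tree.

```shell
#!/bin/sh
# Added example, not from the advisory: restart only the gears that carry a
# Ruby cartridge, without parsing `ls` and without erroring on nodes that
# have none.

# ruby_gears [ROOT]
#   Prints the UUID of every gear under ROOT (default /var/lib/openshift)
#   that has a "ruby" cartridge directory, one per line.
ruby_gears() {
    root=${1:-/var/lib/openshift}
    for dir in "$root"/*/ruby; do
        # An unmatched glob stays literal; skip it instead of erroring out.
        [ -d "$dir" ] || continue
        gear=${dir%/ruby}
        printf '%s\n' "${gear##*/}"
    done
}

# restart_ruby_gears [ROOT] [CTL]
#   Runs "CTL restartgear UUID" for each Ruby gear (CTL defaults to
#   oo-admin-ctl-gears) and prints how many gears were restarted. Stops at
#   the first failed restart so that a broken gear is not silently skipped.
restart_ruby_gears() {
    root=${1:-/var/lib/openshift}
    ctl=${2:-oo-admin-ctl-gears}
    count=0
    for gear in $(ruby_gears "$root"); do
        "$ctl" restartgear "$gear" || return 1
        count=$((count + 1))
    done
    printf '%s\n' "$count"
}

# Usage on each OpenShift Node, as root:
#   restart_ruby_gears
```

Unlike `oo-admin-ctl-gears restartall`, this leaves non-Ruby gears running; the printed count lets an operator confirm on each Node that the number of restarted gears matches the number of Ruby applications hosted there.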
6. Package List:

RHOSE Infrastructure 2.1:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHOSE/SRPMS/ruby193-rubygem-passenger-3.0.21-3.el6op.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHOSE/SRPMS/rubygem-file-tail-1.0.5-4.el6op.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHOSE/SRPMS/rubygem-passenger-3.0.21-3.el6op.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHOSE/SRPMS/rubygem-spruz-0.2.5-4.el6op.src.rpm

noarch:
rubygem-file-tail-1.0.5-4.el6op.noarch.rpm
rubygem-file-tail-doc-1.0.5-4.el6op.noarch.rpm
rubygem-spruz-0.2.5-4.el6op.noarch.rpm
rubygem-spruz-doc-0.2.5-4.el6op.noarch.rpm

x86_64:
mod_passenger-3.0.21-3.el6op.x86_64.rpm
ruby193-mod_passenger-3.0.21-3.el6op.x86_64.rpm
ruby193-rubygem-passenger-3.0.21-3.el6op.x86_64.rpm
ruby193-rubygem-passenger-debuginfo-3.0.21-3.el6op.x86_64.rpm
ruby193-rubygem-passenger-devel-3.0.21-3.el6op.x86_64.rpm
ruby193-rubygem-passenger-doc-3.0.21-3.el6op.x86_64.rpm
ruby193-rubygem-passenger-native-3.0.21-3.el6op.x86_64.rpm
ruby193-rubygem-passenger-native-libs-3.0.21-3.el6op.x86_64.rpm
rubygem-passenger-3.0.21-3.el6op.x86_64.rpm
rubygem-passenger-debuginfo-3.0.21-3.el6op.x86_64.rpm
rubygem-passenger-devel-3.0.21-3.el6op.x86_64.rpm
rubygem-passenger-doc-3.0.21-3.el6op.x86_64.rpm
rubygem-passenger-native-3.0.21-3.el6op.x86_64.rpm
rubygem-passenger-native-libs-3.0.21-3.el6op.x86_64.rpm

RHOSE Node 1.2:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHOSE/SRPMS/ruby193-rubygem-passenger-3.0.21-3.el6op.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHOSE/SRPMS/rubygem-file-tail-1.0.5-4.el6op.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHOSE/SRPMS/rubygem-passenger-3.0.21-3.el6op.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHOSE/SRPMS/rubygem-spruz-0.2.5-4.el6op.src.rpm

noarch:
rubygem-file-tail-1.0.5-4.el6op.noarch.rpm
rubygem-file-tail-doc-1.0.5-4.el6op.noarch.rpm
rubygem-spruz-0.2.5-4.el6op.noarch.rpm
rubygem-spruz-doc-0.2.5-4.el6op.noarch.rpm

x86_64:
mod_passenger-3.0.21-3.el6op.x86_64.rpm
ruby193-mod_passenger-3.0.21-3.el6op.x86_64.rpm
ruby193-rubygem-passenger-3.0.21-3.el6op.x86_64.rpm
ruby193-rubygem-passenger-debuginfo-3.0.21-3.el6op.x86_64.rpm
ruby193-rubygem-passenger-devel-3.0.21-3.el6op.x86_64.rpm
ruby193-rubygem-passenger-doc-3.0.21-3.el6op.x86_64.rpm
ruby193-rubygem-passenger-native-3.0.21-3.el6op.x86_64.rpm
ruby193-rubygem-passenger-native-libs-3.0.21-3.el6op.x86_64.rpm
rubygem-passenger-3.0.21-3.el6op.x86_64.rpm
rubygem-passenger-debuginfo-3.0.21-3.el6op.x86_64.rpm
rubygem-passenger-devel-3.0.21-3.el6op.x86_64.rpm
rubygem-passenger-doc-3.0.21-3.el6op.x86_64.rpm
rubygem-passenger-native-3.0.21-3.el6op.x86_64.rpm
rubygem-passenger-native-libs-3.0.21-3.el6op.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-2119.html
https://www.redhat.com/security/data/cve/CVE-2013-4136.html
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFR/90sXlSAg2UNWIIRAmOiAJ4l/iy9fxxENCPbLWr57Vx4/Lkm0QCfe7Fd
QYuctA45oRUzBa8NffuyR4k=
=odac
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Mon Aug  5 17:13:46 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 5 Aug 2013 17:13:46 +0000
Subject: [RHSA-2013:1137-01] Moderate: ruby193-ruby security update
Message-ID: <201308051713.r75HDnH1024598@int-mx11.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: ruby193-ruby security update
Advisory ID:       RHSA-2013:1137-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-1137.html
Issue date:        2013-08-05
CVE Names:         CVE-2013-4073
=====================================================================

1. Summary:

Updated ruby193-ruby packages that fix one security issue are now available for Red Hat OpenShift Enterprise 1.2.2.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

RHOSE Infrastructure 2.1 - noarch, x86_64
RHOSE Node 1.2 - noarch, x86_64

3. Description:

Ruby is an extensible, interpreted, object-oriented scripting language. It has features to process text files and to do system management tasks.

A flaw was found in Ruby's SSL client's hostname identity check when handling certificates that contain hostnames with NULL bytes. An attacker could potentially exploit this flaw to conduct man-in-the-middle attacks to spoof SSL servers. Note that to exploit this issue, an attacker would need to obtain a carefully crafted certificate signed by an authority that the client trusts. (CVE-2013-4073)

All users of Red Hat OpenShift Enterprise 1.2.2 are advised to upgrade to these updated packages, which resolve this issue.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

979251 - CVE-2013-4073 ruby: hostname check bypassing vulnerability in SSL client

6. Package List:

RHOSE Infrastructure 2.1:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHOSE/SRPMS/ruby193-ruby-1.9.3.448-38.el6.src.rpm

noarch:
ruby193-ruby-irb-1.9.3.448-38.el6.noarch.rpm
ruby193-rubygem-rake-0.9.2.2-38.el6.noarch.rpm
ruby193-rubygems-1.8.23-38.el6.noarch.rpm
ruby193-rubygems-devel-1.8.23-38.el6.noarch.rpm

x86_64:
ruby193-ruby-1.9.3.448-38.el6.x86_64.rpm
ruby193-ruby-debuginfo-1.9.3.448-38.el6.x86_64.rpm
ruby193-ruby-devel-1.9.3.448-38.el6.x86_64.rpm
ruby193-ruby-doc-1.9.3.448-38.el6.x86_64.rpm
ruby193-ruby-libs-1.9.3.448-38.el6.x86_64.rpm
ruby193-ruby-tcltk-1.9.3.448-38.el6.x86_64.rpm
ruby193-rubygem-bigdecimal-1.1.0-38.el6.x86_64.rpm
ruby193-rubygem-io-console-0.3-38.el6.x86_64.rpm
ruby193-rubygem-json-1.5.5-38.el6.x86_64.rpm
ruby193-rubygem-rdoc-3.9.5-38.el6.x86_64.rpm

RHOSE Node 1.2:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHOSE/SRPMS/ruby193-ruby-1.9.3.448-38.el6.src.rpm

noarch:
ruby193-ruby-irb-1.9.3.448-38.el6.noarch.rpm
ruby193-rubygem-rake-0.9.2.2-38.el6.noarch.rpm
ruby193-rubygems-1.8.23-38.el6.noarch.rpm
ruby193-rubygems-devel-1.8.23-38.el6.noarch.rpm

x86_64:
ruby193-ruby-1.9.3.448-38.el6.x86_64.rpm
ruby193-ruby-debuginfo-1.9.3.448-38.el6.x86_64.rpm
ruby193-ruby-devel-1.9.3.448-38.el6.x86_64.rpm
ruby193-ruby-doc-1.9.3.448-38.el6.x86_64.rpm
ruby193-ruby-libs-1.9.3.448-38.el6.x86_64.rpm
ruby193-ruby-tcltk-1.9.3.448-38.el6.x86_64.rpm
ruby193-rubygem-bigdecimal-1.1.0-38.el6.x86_64.rpm
ruby193-rubygem-io-console-0.3-38.el6.x86_64.rpm
ruby193-rubygem-json-1.5.5-38.el6.x86_64.rpm
ruby193-rubygem-rdoc-3.9.5-38.el6.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-4073.html
https://access.redhat.com/security/updates/classification/#moderate
http://www.ruby-lang.org/en/news/2013/06/27/hostname-check-bypassing-vulnerability-in-openssl-client-cve-2013-4073/

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFR/91BXlSAg2UNWIIRArPtAKDFLmkbG8HJytXxjiS7A6hPPK2fRwCfZAZZ
QeMvGIOG4a7Ye0s7SLU1b/g=
=ldCT
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Wed Aug  7 08:32:19 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 7 Aug 2013 08:32:19 +0000
Subject: [RHSA-2013:1140-01] Critical: firefox security update
Message-ID: <201308070830.r778UOL5013592@int-mx12.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: firefox security update
Advisory ID:       RHSA-2013:1140-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-1140.html
Issue date:        2013-08-07
CVE Names:         CVE-2013-1701 CVE-2013-1709 CVE-2013-1710 CVE-2013-1713 CVE-2013-1714 CVE-2013-1717
=====================================================================

1. Summary:

Updated firefox packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64

3. Description:

Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox.

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2013-1701)

A flaw was found in the way Firefox generated Certificate Request Message Format (CRMF) requests. An attacker could use this flaw to perform cross-site scripting (XSS) attacks or execute arbitrary code with the privileges of the user running Firefox. (CVE-2013-1710)

A flaw was found in the way Firefox handled the interaction between frames and browser history. An attacker could use this flaw to trick Firefox into treating malicious content as if it came from the browser history, allowing for XSS attacks. (CVE-2013-1709)

It was found that the same-origin policy could be bypassed due to the way Uniform Resource Identifiers (URI) were checked in JavaScript. An attacker could use this flaw to perform XSS attacks, or install malicious add-ons from third-party pages. (CVE-2013-1713)

It was found that web workers could bypass the same-origin policy. An attacker could use this flaw to perform XSS attacks. (CVE-2013-1714)

It was found that, in certain circumstances, Firefox incorrectly handled Java applets. If a user launched an untrusted Java applet via Firefox, the applet could use this flaw to obtain read-only access to files on the user's local system. (CVE-2013-1717)

Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Jeff Gilbert, Henrik Skupin, moz_bug_r_a4, Cody Crews, Federico Lanusse, and Georgi Guninski as the original reporters of these issues.

For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 17.0.8 ESR. You can find a link to the Mozilla advisories in the References section of this erratum.

All Firefox users should upgrade to these updated packages, which contain Firefox version 17.0.8 ESR, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258
5. Bugs fixed (http://bugzilla.redhat.com/):

993598 - CVE-2013-1701 Mozilla: Miscellaneous memory safety hazards (rv:17.0.8) (MFSA 2013-63)
993600 - CVE-2013-1709 Mozilla: Document URI misrepresentation and masquerading (MFSA 2013-68)
993602 - CVE-2013-1710 Mozilla: CRMF requests allow for code execution and XSS attacks (MFSA 2013-69)
993603 - CVE-2013-1713 Mozilla: Wrong principal used for validating URI for some Javascript components (MFSA 2013-72)
993604 - CVE-2013-1714 Mozilla: Same-origin bypass with web workers and XMLHttpRequest (MFSA 2013-73)
993605 - CVE-2013-1717 Mozilla: Local Java applets may read contents of local file system (MFSA 2013-75)

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/firefox-17.0.8-1.el5_9.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/xulrunner-17.0.8-3.el5_9.src.rpm

i386:
firefox-17.0.8-1.el5_9.i386.rpm
firefox-debuginfo-17.0.8-1.el5_9.i386.rpm
xulrunner-17.0.8-3.el5_9.i386.rpm
xulrunner-debuginfo-17.0.8-3.el5_9.i386.rpm

x86_64:
firefox-17.0.8-1.el5_9.i386.rpm
firefox-17.0.8-1.el5_9.x86_64.rpm
firefox-debuginfo-17.0.8-1.el5_9.i386.rpm
firefox-debuginfo-17.0.8-1.el5_9.x86_64.rpm
xulrunner-17.0.8-3.el5_9.i386.rpm
xulrunner-17.0.8-3.el5_9.x86_64.rpm
xulrunner-debuginfo-17.0.8-3.el5_9.i386.rpm
xulrunner-debuginfo-17.0.8-3.el5_9.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/xulrunner-17.0.8-3.el5_9.src.rpm

i386:
xulrunner-debuginfo-17.0.8-3.el5_9.i386.rpm
xulrunner-devel-17.0.8-3.el5_9.i386.rpm

x86_64:
xulrunner-debuginfo-17.0.8-3.el5_9.i386.rpm
xulrunner-debuginfo-17.0.8-3.el5_9.x86_64.rpm
xulrunner-devel-17.0.8-3.el5_9.i386.rpm
xulrunner-devel-17.0.8-3.el5_9.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/firefox-17.0.8-1.el5_9.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/xulrunner-17.0.8-3.el5_9.src.rpm

i386:
firefox-17.0.8-1.el5_9.i386.rpm
firefox-debuginfo-17.0.8-1.el5_9.i386.rpm
xulrunner-17.0.8-3.el5_9.i386.rpm
xulrunner-debuginfo-17.0.8-3.el5_9.i386.rpm
xulrunner-devel-17.0.8-3.el5_9.i386.rpm

ia64:
firefox-17.0.8-1.el5_9.ia64.rpm
firefox-debuginfo-17.0.8-1.el5_9.ia64.rpm
xulrunner-17.0.8-3.el5_9.ia64.rpm
xulrunner-debuginfo-17.0.8-3.el5_9.ia64.rpm
xulrunner-devel-17.0.8-3.el5_9.ia64.rpm

ppc:
firefox-17.0.8-1.el5_9.ppc.rpm
firefox-debuginfo-17.0.8-1.el5_9.ppc.rpm
xulrunner-17.0.8-3.el5_9.ppc.rpm
xulrunner-17.0.8-3.el5_9.ppc64.rpm
xulrunner-debuginfo-17.0.8-3.el5_9.ppc.rpm
xulrunner-debuginfo-17.0.8-3.el5_9.ppc64.rpm
xulrunner-devel-17.0.8-3.el5_9.ppc.rpm
xulrunner-devel-17.0.8-3.el5_9.ppc64.rpm

s390x:
firefox-17.0.8-1.el5_9.s390.rpm
firefox-17.0.8-1.el5_9.s390x.rpm
firefox-debuginfo-17.0.8-1.el5_9.s390.rpm
firefox-debuginfo-17.0.8-1.el5_9.s390x.rpm
xulrunner-17.0.8-3.el5_9.s390.rpm
xulrunner-17.0.8-3.el5_9.s390x.rpm
xulrunner-debuginfo-17.0.8-3.el5_9.s390.rpm
xulrunner-debuginfo-17.0.8-3.el5_9.s390x.rpm
xulrunner-devel-17.0.8-3.el5_9.s390.rpm
xulrunner-devel-17.0.8-3.el5_9.s390x.rpm

x86_64:
firefox-17.0.8-1.el5_9.i386.rpm
firefox-17.0.8-1.el5_9.x86_64.rpm
firefox-debuginfo-17.0.8-1.el5_9.i386.rpm
firefox-debuginfo-17.0.8-1.el5_9.x86_64.rpm
xulrunner-17.0.8-3.el5_9.i386.rpm
xulrunner-17.0.8-3.el5_9.x86_64.rpm
xulrunner-debuginfo-17.0.8-3.el5_9.i386.rpm
xulrunner-debuginfo-17.0.8-3.el5_9.x86_64.rpm
xulrunner-devel-17.0.8-3.el5_9.i386.rpm
xulrunner-devel-17.0.8-3.el5_9.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/firefox-17.0.8-1.el6_4.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/xulrunner-17.0.8-3.el6_4.src.rpm

i386:
firefox-17.0.8-1.el6_4.i686.rpm
firefox-debuginfo-17.0.8-1.el6_4.i686.rpm
xulrunner-17.0.8-3.el6_4.i686.rpm
xulrunner-debuginfo-17.0.8-3.el6_4.i686.rpm

x86_64:
firefox-17.0.8-1.el6_4.i686.rpm
firefox-17.0.8-1.el6_4.x86_64.rpm
firefox-debuginfo-17.0.8-1.el6_4.i686.rpm
firefox-debuginfo-17.0.8-1.el6_4.x86_64.rpm
xulrunner-17.0.8-3.el6_4.i686.rpm
xulrunner-17.0.8-3.el6_4.x86_64.rpm
xulrunner-debuginfo-17.0.8-3.el6_4.i686.rpm
xulrunner-debuginfo-17.0.8-3.el6_4.x86_64.rpm

Red Hat Enterprise Linux Desktop Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/xulrunner-17.0.8-3.el6_4.src.rpm

i386:
xulrunner-debuginfo-17.0.8-3.el6_4.i686.rpm
xulrunner-devel-17.0.8-3.el6_4.i686.rpm

x86_64:
xulrunner-debuginfo-17.0.8-3.el6_4.i686.rpm
xulrunner-debuginfo-17.0.8-3.el6_4.x86_64.rpm
xulrunner-devel-17.0.8-3.el6_4.i686.rpm
xulrunner-devel-17.0.8-3.el6_4.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/firefox-17.0.8-1.el6_4.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/xulrunner-17.0.8-3.el6_4.src.rpm

x86_64:
firefox-17.0.8-1.el6_4.i686.rpm
firefox-17.0.8-1.el6_4.x86_64.rpm
firefox-debuginfo-17.0.8-1.el6_4.i686.rpm
firefox-debuginfo-17.0.8-1.el6_4.x86_64.rpm
xulrunner-17.0.8-3.el6_4.i686.rpm
xulrunner-17.0.8-3.el6_4.x86_64.rpm
xulrunner-debuginfo-17.0.8-3.el6_4.i686.rpm
xulrunner-debuginfo-17.0.8-3.el6_4.x86_64.rpm
xulrunner-devel-17.0.8-3.el6_4.i686.rpm
xulrunner-devel-17.0.8-3.el6_4.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/firefox-17.0.8-1.el6_4.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/xulrunner-17.0.8-3.el6_4.src.rpm

i386:
firefox-17.0.8-1.el6_4.i686.rpm
firefox-debuginfo-17.0.8-1.el6_4.i686.rpm
xulrunner-17.0.8-3.el6_4.i686.rpm
xulrunner-debuginfo-17.0.8-3.el6_4.i686.rpm

ppc64:
firefox-17.0.8-1.el6_4.ppc.rpm
firefox-17.0.8-1.el6_4.ppc64.rpm
firefox-debuginfo-17.0.8-1.el6_4.ppc.rpm
firefox-debuginfo-17.0.8-1.el6_4.ppc64.rpm
xulrunner-17.0.8-3.el6_4.ppc.rpm
xulrunner-17.0.8-3.el6_4.ppc64.rpm
xulrunner-debuginfo-17.0.8-3.el6_4.ppc.rpm
xulrunner-debuginfo-17.0.8-3.el6_4.ppc64.rpm

s390x:
firefox-17.0.8-1.el6_4.s390.rpm
firefox-17.0.8-1.el6_4.s390x.rpm
firefox-debuginfo-17.0.8-1.el6_4.s390.rpm
firefox-debuginfo-17.0.8-1.el6_4.s390x.rpm
xulrunner-17.0.8-3.el6_4.s390.rpm
xulrunner-17.0.8-3.el6_4.s390x.rpm
xulrunner-debuginfo-17.0.8-3.el6_4.s390.rpm
xulrunner-debuginfo-17.0.8-3.el6_4.s390x.rpm

x86_64:
firefox-17.0.8-1.el6_4.i686.rpm
firefox-17.0.8-1.el6_4.x86_64.rpm
firefox-debuginfo-17.0.8-1.el6_4.i686.rpm
firefox-debuginfo-17.0.8-1.el6_4.x86_64.rpm
xulrunner-17.0.8-3.el6_4.i686.rpm
xulrunner-17.0.8-3.el6_4.x86_64.rpm
xulrunner-debuginfo-17.0.8-3.el6_4.i686.rpm
xulrunner-debuginfo-17.0.8-3.el6_4.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/xulrunner-17.0.8-3.el6_4.src.rpm

i386:
xulrunner-debuginfo-17.0.8-3.el6_4.i686.rpm
xulrunner-devel-17.0.8-3.el6_4.i686.rpm

ppc64:
xulrunner-debuginfo-17.0.8-3.el6_4.ppc.rpm
xulrunner-debuginfo-17.0.8-3.el6_4.ppc64.rpm
xulrunner-devel-17.0.8-3.el6_4.ppc.rpm
xulrunner-devel-17.0.8-3.el6_4.ppc64.rpm

s390x:
xulrunner-debuginfo-17.0.8-3.el6_4.s390.rpm
xulrunner-debuginfo-17.0.8-3.el6_4.s390x.rpm
xulrunner-devel-17.0.8-3.el6_4.s390.rpm
xulrunner-devel-17.0.8-3.el6_4.s390x.rpm

x86_64:
xulrunner-debuginfo-17.0.8-3.el6_4.i686.rpm
xulrunner-debuginfo-17.0.8-3.el6_4.x86_64.rpm
xulrunner-devel-17.0.8-3.el6_4.i686.rpm
xulrunner-devel-17.0.8-3.el6_4.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/firefox-17.0.8-1.el6_4.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/xulrunner-17.0.8-3.el6_4.src.rpm

i386:
firefox-17.0.8-1.el6_4.i686.rpm
firefox-debuginfo-17.0.8-1.el6_4.i686.rpm
xulrunner-17.0.8-3.el6_4.i686.rpm
xulrunner-debuginfo-17.0.8-3.el6_4.i686.rpm

x86_64:
firefox-17.0.8-1.el6_4.i686.rpm
firefox-17.0.8-1.el6_4.x86_64.rpm
firefox-debuginfo-17.0.8-1.el6_4.i686.rpm
firefox-debuginfo-17.0.8-1.el6_4.x86_64.rpm
xulrunner-17.0.8-3.el6_4.i686.rpm
xulrunner-17.0.8-3.el6_4.x86_64.rpm
xulrunner-debuginfo-17.0.8-3.el6_4.i686.rpm
xulrunner-debuginfo-17.0.8-3.el6_4.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/xulrunner-17.0.8-3.el6_4.src.rpm

i386:
xulrunner-debuginfo-17.0.8-3.el6_4.i686.rpm
xulrunner-devel-17.0.8-3.el6_4.i686.rpm

x86_64:
xulrunner-debuginfo-17.0.8-3.el6_4.i686.rpm
xulrunner-debuginfo-17.0.8-3.el6_4.x86_64.rpm
xulrunner-devel-17.0.8-3.el6_4.i686.rpm
xulrunner-devel-17.0.8-3.el6_4.x86_64.rpm

These packages are GPG signed by Red Hat for security.
Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-1701.html
https://www.redhat.com/security/data/cve/CVE-2013-1709.html
https://www.redhat.com/security/data/cve/CVE-2013-1710.html
https://www.redhat.com/security/data/cve/CVE-2013-1713.html
https://www.redhat.com/security/data/cve/CVE-2013-1714.html
https://www.redhat.com/security/data/cve/CVE-2013-1717.html
https://access.redhat.com/security/updates/classification/#critical
http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.

From bugzilla at redhat.com Wed Aug 7 18:18:04 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 7 Aug 2013 18:18:04 +0000
Subject: [RHSA-2013:1142-01] Important: thunderbird security update
Message-ID: <201308071818.r77II4ia008968@int-mx10.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Important: thunderbird security update
Advisory ID: RHSA-2013:1142-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-1142.html
Issue date: 2013-08-07
CVE Names: CVE-2013-1701 CVE-2013-1709 CVE-2013-1710 CVE-2013-1713 CVE-2013-1714 CVE-2013-1717
=====================================================================

1. Summary:

An updated thunderbird package that fixes several security issues is now available for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

RHEL Optional Productivity Applications (v. 5 server) - i386, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

Several flaws were found in the processing of malformed content. Malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2013-1701)

A flaw was found in the way Thunderbird generated Certificate Request Message Format (CRMF) requests. An attacker could use this flaw to perform cross-site scripting (XSS) attacks or execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2013-1710)

A flaw was found in the way Thunderbird handled the interaction between frames and browser history. An attacker could use this flaw to trick Thunderbird into treating malicious content as if it came from the browser history, allowing for XSS attacks. (CVE-2013-1709)

It was found that the same-origin policy could be bypassed due to the way Uniform Resource Identifiers (URI) were checked in JavaScript. An attacker could use this flaw to perform XSS attacks, or install malicious add-ons from third-party pages. (CVE-2013-1713)

It was found that web workers could bypass the same-origin policy. An attacker could use this flaw to perform XSS attacks. (CVE-2013-1714)

It was found that, in certain circumstances, Thunderbird incorrectly handled Java applets. If a user launched an untrusted Java applet via Thunderbird, the applet could use this flaw to obtain read-only access to files on the user's local system. (CVE-2013-1717)

Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Jeff Gilbert, Henrik Skupin, moz_bug_r_a4, Cody Crews, Federico Lanusse, and Georgi Guninski as the original reporters of these issues.

Note: None of the above issues can be exploited by a specially-crafted HTML mail message, as JavaScript is disabled by default for mail messages. They could be exploited another way in Thunderbird, for example, when viewing the full remote content of an RSS feed.

All Thunderbird users should upgrade to this updated package, which contains Thunderbird version 17.0.8 ESR, which corrects these issues. After installing the update, Thunderbird must be restarted for the changes to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

993598 - CVE-2013-1701 Mozilla: Miscellaneous memory safety hazards (rv:17.0.8) (MFSA 2013-63)
993600 - CVE-2013-1709 Mozilla: Document URI misrepresentation and masquerading (MFSA 2013-68)
993602 - CVE-2013-1710 Mozilla: CRMF requests allow for code execution and XSS attacks (MFSA 2013-69)
993603 - CVE-2013-1713 Mozilla: Wrong principal used for validating URI for some Javascript components (MFSA 2013-72)
993604 - CVE-2013-1714 Mozilla: Same-origin bypass with web workers and XMLHttpRequest (MFSA 2013-73)
993605 - CVE-2013-1717 Mozilla: Local Java applets may read contents of local file system (MFSA 2013-75)

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/thunderbird-17.0.8-5.el5_9.src.rpm

i386:
thunderbird-17.0.8-5.el5_9.i386.rpm
thunderbird-debuginfo-17.0.8-5.el5_9.i386.rpm

x86_64:
thunderbird-17.0.8-5.el5_9.x86_64.rpm
thunderbird-debuginfo-17.0.8-5.el5_9.x86_64.rpm

RHEL Optional Productivity Applications (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/thunderbird-17.0.8-5.el5_9.src.rpm

i386:
thunderbird-17.0.8-5.el5_9.i386.rpm
thunderbird-debuginfo-17.0.8-5.el5_9.i386.rpm

x86_64:
thunderbird-17.0.8-5.el5_9.x86_64.rpm
thunderbird-debuginfo-17.0.8-5.el5_9.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/thunderbird-17.0.8-5.el6_4.src.rpm

i386:
thunderbird-17.0.8-5.el6_4.i686.rpm
thunderbird-debuginfo-17.0.8-5.el6_4.i686.rpm

x86_64:
thunderbird-17.0.8-5.el6_4.x86_64.rpm
thunderbird-debuginfo-17.0.8-5.el6_4.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/thunderbird-17.0.8-5.el6_4.src.rpm

i386:
thunderbird-17.0.8-5.el6_4.i686.rpm
thunderbird-debuginfo-17.0.8-5.el6_4.i686.rpm

ppc64:
thunderbird-17.0.8-5.el6_4.ppc64.rpm
thunderbird-debuginfo-17.0.8-5.el6_4.ppc64.rpm

s390x:
thunderbird-17.0.8-5.el6_4.s390x.rpm
thunderbird-debuginfo-17.0.8-5.el6_4.s390x.rpm

x86_64:
thunderbird-17.0.8-5.el6_4.x86_64.rpm
thunderbird-debuginfo-17.0.8-5.el6_4.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/thunderbird-17.0.8-5.el6_4.src.rpm

i386:
thunderbird-17.0.8-5.el6_4.i686.rpm
thunderbird-debuginfo-17.0.8-5.el6_4.i686.rpm

x86_64:
thunderbird-17.0.8-5.el6_4.x86_64.rpm
thunderbird-debuginfo-17.0.8-5.el6_4.x86_64.rpm

These packages are GPG signed by Red Hat for security.
Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-1701.html
https://www.redhat.com/security/data/cve/CVE-2013-1709.html
https://www.redhat.com/security/data/cve/CVE-2013-1710.html
https://www.redhat.com/security/data/cve/CVE-2013-1713.html
https://www.redhat.com/security/data/cve/CVE-2013-1714.html
https://www.redhat.com/security/data/cve/CVE-2013-1717.html
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.

From bugzilla at redhat.com Wed Aug 7 18:19:42 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 7 Aug 2013 18:19:42 +0000
Subject: [RHSA-2013:1144-01] Moderate: nss, nss-util, nss-softokn, and nspr security update
Message-ID: <201308071819.r77IJhKe009592@int-mx10.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: nss, nss-util, nss-softokn, and nspr security update
Advisory ID: RHSA-2013:1144-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-1144.html
Issue date: 2013-08-07
CVE Names: CVE-2013-0791 CVE-2013-1620
=====================================================================

1. Summary:

Updated nss, nss-util, nss-softokn, and nspr packages that fix two security issues and various bugs, and add enhancements, are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64

3. Description:

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities. nss-softokn provides an NSS softoken cryptographic module.

It was discovered that NSS leaked timing information when decrypting TLS/SSL and DTLS protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL or DTLS server as a padding oracle. (CVE-2013-1620)

An out-of-bounds memory read flaw was found in the way NSS decoded certain certificates. If an application using NSS decoded a malformed certificate, it could cause the application to crash. (CVE-2013-0791)

Red Hat would like to thank the Mozilla project for reporting CVE-2013-0791. Upstream acknowledges Ambroz Bizjak as the original reporter of CVE-2013-0791.

This update also fixes the following bugs:

* The RHBA-2013:0445 update (which upgraded NSS to version 3.14) prevented the use of certificates that have an MD5 signature. This caused problems in certain environments. With this update, certificates that have an MD5 signature are once again allowed. To prevent the use of certificates that have an MD5 signature, set the "NSS_HASH_ALG_SUPPORT" environment variable to "-MD5". (BZ#957603)

* Previously, the sechash.h header file was missing, preventing certain source RPMs (such as firefox and xulrunner) from building. (BZ#948715)

* A memory leak in the nssutil_ReadSecmodDB() function has been fixed. (BZ#984967)

In addition, the nss package has been upgraded to upstream version 3.14.3, the nss-util package has been upgraded to upstream version 3.14.3, the nss-softokn package has been upgraded to upstream version 3.14.3, and the nspr package has been upgraded to upstream version 4.9.5. These updates provide a number of bug fixes and enhancements over the previous versions. (BZ#927157, BZ#927171, BZ#927158, BZ#927186)

Users of NSS, NSPR, nss-util, and nss-softokn are advised to upgrade to these updated packages, which fix these issues and add these enhancements. After installing this update, applications using NSS, NSPR, nss-util, or nss-softokn must be restarted for this update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

908234 - CVE-2013-1620 nss: TLS CBC padding timing attack
927157 - [RFE][RHEL6] Rebase to nss-3.14.3 to fix the lucky-13 issue [6.4.z]
927158 - Rebase to nss-softokn 3.14.3 to fix the lucky-13 issue [6.4.z]
927171 - Rebase to nss-util 3.14.3 as part of the fix for the lucky-13 issue [rhel-6.4.z]
927186 - Rebase to nspr-4.9.5
946947 - CVE-2013-0791 Mozilla: Out-of-bounds array read in CERT_DecodeCertPackage (MFSA 2013-40)
984967 - nssutil_ReadSecmodDB() leaks memory [6.4.z]
985955 - nss-softokn: missing partial RELRO [6.4.z]

6. Package List:

Red Hat Enterprise Linux Desktop (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/nspr-4.9.5-2.el6_4.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/nss-3.14.3-4.el6_4.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/nss-softokn-3.14.3-3.el6_4.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/nss-util-3.14.3-3.el6_4.src.rpm

i386:
nspr-4.9.5-2.el6_4.i686.rpm
nspr-debuginfo-4.9.5-2.el6_4.i686.rpm
nss-3.14.3-4.el6_4.i686.rpm
nss-debuginfo-3.14.3-4.el6_4.i686.rpm
nss-softokn-3.14.3-3.el6_4.i686.rpm
nss-softokn-debuginfo-3.14.3-3.el6_4.i686.rpm
nss-softokn-freebl-3.14.3-3.el6_4.i686.rpm
nss-sysinit-3.14.3-4.el6_4.i686.rpm
nss-tools-3.14.3-4.el6_4.i686.rpm
nss-util-3.14.3-3.el6_4.i686.rpm
nss-util-debuginfo-3.14.3-3.el6_4.i686.rpm

x86_64:
nspr-4.9.5-2.el6_4.i686.rpm
nspr-4.9.5-2.el6_4.x86_64.rpm
nspr-debuginfo-4.9.5-2.el6_4.i686.rpm
nspr-debuginfo-4.9.5-2.el6_4.x86_64.rpm
nss-3.14.3-4.el6_4.i686.rpm
nss-3.14.3-4.el6_4.x86_64.rpm
nss-debuginfo-3.14.3-4.el6_4.i686.rpm
nss-debuginfo-3.14.3-4.el6_4.x86_64.rpm
nss-softokn-3.14.3-3.el6_4.i686.rpm
nss-softokn-3.14.3-3.el6_4.x86_64.rpm
nss-softokn-debuginfo-3.14.3-3.el6_4.i686.rpm
nss-softokn-debuginfo-3.14.3-3.el6_4.x86_64.rpm
nss-softokn-freebl-3.14.3-3.el6_4.i686.rpm
nss-softokn-freebl-3.14.3-3.el6_4.x86_64.rpm
nss-sysinit-3.14.3-4.el6_4.x86_64.rpm
nss-tools-3.14.3-4.el6_4.x86_64.rpm
nss-util-3.14.3-3.el6_4.i686.rpm
nss-util-3.14.3-3.el6_4.x86_64.rpm
nss-util-debuginfo-3.14.3-3.el6_4.i686.rpm
nss-util-debuginfo-3.14.3-3.el6_4.x86_64.rpm

Red Hat Enterprise Linux Desktop Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/nspr-4.9.5-2.el6_4.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/nss-3.14.3-4.el6_4.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/nss-softokn-3.14.3-3.el6_4.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/nss-util-3.14.3-3.el6_4.src.rpm

i386:
nspr-debuginfo-4.9.5-2.el6_4.i686.rpm
nspr-devel-4.9.5-2.el6_4.i686.rpm
nss-debuginfo-3.14.3-4.el6_4.i686.rpm
nss-devel-3.14.3-4.el6_4.i686.rpm
nss-pkcs11-devel-3.14.3-4.el6_4.i686.rpm
nss-softokn-debuginfo-3.14.3-3.el6_4.i686.rpm
nss-softokn-devel-3.14.3-3.el6_4.i686.rpm
nss-softokn-freebl-devel-3.14.3-3.el6_4.i686.rpm
nss-util-debuginfo-3.14.3-3.el6_4.i686.rpm
nss-util-devel-3.14.3-3.el6_4.i686.rpm

x86_64:
nspr-debuginfo-4.9.5-2.el6_4.i686.rpm
nspr-debuginfo-4.9.5-2.el6_4.x86_64.rpm
nspr-devel-4.9.5-2.el6_4.i686.rpm
nspr-devel-4.9.5-2.el6_4.x86_64.rpm
nss-debuginfo-3.14.3-4.el6_4.i686.rpm
nss-debuginfo-3.14.3-4.el6_4.x86_64.rpm
nss-devel-3.14.3-4.el6_4.i686.rpm
nss-devel-3.14.3-4.el6_4.x86_64.rpm
nss-pkcs11-devel-3.14.3-4.el6_4.i686.rpm
nss-pkcs11-devel-3.14.3-4.el6_4.x86_64.rpm
nss-softokn-debuginfo-3.14.3-3.el6_4.i686.rpm
nss-softokn-debuginfo-3.14.3-3.el6_4.x86_64.rpm
nss-softokn-devel-3.14.3-3.el6_4.i686.rpm
nss-softokn-devel-3.14.3-3.el6_4.x86_64.rpm
nss-softokn-freebl-devel-3.14.3-3.el6_4.i686.rpm
nss-softokn-freebl-devel-3.14.3-3.el6_4.x86_64.rpm
nss-util-debuginfo-3.14.3-3.el6_4.i686.rpm
nss-util-debuginfo-3.14.3-3.el6_4.x86_64.rpm
nss-util-devel-3.14.3-3.el6_4.i686.rpm
nss-util-devel-3.14.3-3.el6_4.x86_64.rpm

Red Hat Enterprise Linux HPC Node (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/nspr-4.9.5-2.el6_4.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/nss-3.14.3-4.el6_4.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/nss-softokn-3.14.3-3.el6_4.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/nss-util-3.14.3-3.el6_4.src.rpm

x86_64:
nspr-4.9.5-2.el6_4.i686.rpm
nspr-4.9.5-2.el6_4.x86_64.rpm
nspr-debuginfo-4.9.5-2.el6_4.i686.rpm
nspr-debuginfo-4.9.5-2.el6_4.x86_64.rpm
nss-3.14.3-4.el6_4.i686.rpm
nss-3.14.3-4.el6_4.x86_64.rpm
nss-debuginfo-3.14.3-4.el6_4.i686.rpm
nss-debuginfo-3.14.3-4.el6_4.x86_64.rpm
nss-softokn-3.14.3-3.el6_4.i686.rpm
nss-softokn-3.14.3-3.el6_4.x86_64.rpm
nss-softokn-debuginfo-3.14.3-3.el6_4.i686.rpm
nss-softokn-debuginfo-3.14.3-3.el6_4.x86_64.rpm
nss-softokn-freebl-3.14.3-3.el6_4.i686.rpm
nss-softokn-freebl-3.14.3-3.el6_4.x86_64.rpm
nss-sysinit-3.14.3-4.el6_4.x86_64.rpm
nss-tools-3.14.3-4.el6_4.x86_64.rpm
nss-util-3.14.3-3.el6_4.i686.rpm
nss-util-3.14.3-3.el6_4.x86_64.rpm
nss-util-debuginfo-3.14.3-3.el6_4.i686.rpm
nss-util-debuginfo-3.14.3-3.el6_4.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/nspr-4.9.5-2.el6_4.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/nss-3.14.3-4.el6_4.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/nss-softokn-3.14.3-3.el6_4.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/nss-util-3.14.3-3.el6_4.src.rpm

x86_64:
nspr-debuginfo-4.9.5-2.el6_4.i686.rpm
nspr-debuginfo-4.9.5-2.el6_4.x86_64.rpm
nspr-devel-4.9.5-2.el6_4.i686.rpm
nspr-devel-4.9.5-2.el6_4.x86_64.rpm
nss-debuginfo-3.14.3-4.el6_4.i686.rpm
nss-debuginfo-3.14.3-4.el6_4.x86_64.rpm
nss-devel-3.14.3-4.el6_4.i686.rpm
nss-devel-3.14.3-4.el6_4.x86_64.rpm
nss-pkcs11-devel-3.14.3-4.el6_4.i686.rpm
nss-pkcs11-devel-3.14.3-4.el6_4.x86_64.rpm
nss-softokn-debuginfo-3.14.3-3.el6_4.i686.rpm
nss-softokn-debuginfo-3.14.3-3.el6_4.x86_64.rpm
nss-softokn-devel-3.14.3-3.el6_4.i686.rpm
nss-softokn-devel-3.14.3-3.el6_4.x86_64.rpm
nss-softokn-freebl-devel-3.14.3-3.el6_4.i686.rpm
nss-softokn-freebl-devel-3.14.3-3.el6_4.x86_64.rpm
nss-util-debuginfo-3.14.3-3.el6_4.i686.rpm
nss-util-debuginfo-3.14.3-3.el6_4.x86_64.rpm
nss-util-devel-3.14.3-3.el6_4.i686.rpm
nss-util-devel-3.14.3-3.el6_4.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/nspr-4.9.5-2.el6_4.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/nss-3.14.3-4.el6_4.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/nss-softokn-3.14.3-3.el6_4.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/nss-util-3.14.3-3.el6_4.src.rpm

i386:
nspr-4.9.5-2.el6_4.i686.rpm
nspr-debuginfo-4.9.5-2.el6_4.i686.rpm
nspr-devel-4.9.5-2.el6_4.i686.rpm
nss-3.14.3-4.el6_4.i686.rpm
nss-debuginfo-3.14.3-4.el6_4.i686.rpm
nss-devel-3.14.3-4.el6_4.i686.rpm
nss-softokn-3.14.3-3.el6_4.i686.rpm
nss-softokn-debuginfo-3.14.3-3.el6_4.i686.rpm
nss-softokn-devel-3.14.3-3.el6_4.i686.rpm
nss-softokn-freebl-3.14.3-3.el6_4.i686.rpm
nss-softokn-freebl-devel-3.14.3-3.el6_4.i686.rpm
nss-sysinit-3.14.3-4.el6_4.i686.rpm
nss-tools-3.14.3-4.el6_4.i686.rpm
nss-util-3.14.3-3.el6_4.i686.rpm
nss-util-debuginfo-3.14.3-3.el6_4.i686.rpm
nss-util-devel-3.14.3-3.el6_4.i686.rpm

ppc64:
nspr-4.9.5-2.el6_4.ppc.rpm
nspr-4.9.5-2.el6_4.ppc64.rpm
nspr-debuginfo-4.9.5-2.el6_4.ppc.rpm
nspr-debuginfo-4.9.5-2.el6_4.ppc64.rpm
nspr-devel-4.9.5-2.el6_4.ppc.rpm
nspr-devel-4.9.5-2.el6_4.ppc64.rpm
nss-3.14.3-4.el6_4.ppc.rpm
nss-3.14.3-4.el6_4.ppc64.rpm
nss-debuginfo-3.14.3-4.el6_4.ppc.rpm
nss-debuginfo-3.14.3-4.el6_4.ppc64.rpm
nss-devel-3.14.3-4.el6_4.ppc.rpm
nss-devel-3.14.3-4.el6_4.ppc64.rpm
nss-softokn-3.14.3-3.el6_4.ppc.rpm
nss-softokn-3.14.3-3.el6_4.ppc64.rpm
nss-softokn-debuginfo-3.14.3-3.el6_4.ppc.rpm
nss-softokn-debuginfo-3.14.3-3.el6_4.ppc64.rpm
nss-softokn-devel-3.14.3-3.el6_4.ppc.rpm
nss-softokn-devel-3.14.3-3.el6_4.ppc64.rpm
nss-softokn-freebl-3.14.3-3.el6_4.ppc.rpm
nss-softokn-freebl-3.14.3-3.el6_4.ppc64.rpm
nss-softokn-freebl-devel-3.14.3-3.el6_4.ppc.rpm
nss-softokn-freebl-devel-3.14.3-3.el6_4.ppc64.rpm
nss-sysinit-3.14.3-4.el6_4.ppc64.rpm
nss-tools-3.14.3-4.el6_4.ppc64.rpm
nss-util-3.14.3-3.el6_4.ppc.rpm
nss-util-3.14.3-3.el6_4.ppc64.rpm
nss-util-debuginfo-3.14.3-3.el6_4.ppc.rpm
nss-util-debuginfo-3.14.3-3.el6_4.ppc64.rpm
nss-util-devel-3.14.3-3.el6_4.ppc.rpm
nss-util-devel-3.14.3-3.el6_4.ppc64.rpm

s390x:
nspr-4.9.5-2.el6_4.s390.rpm
nspr-4.9.5-2.el6_4.s390x.rpm
nspr-debuginfo-4.9.5-2.el6_4.s390.rpm
nspr-debuginfo-4.9.5-2.el6_4.s390x.rpm
nspr-devel-4.9.5-2.el6_4.s390.rpm
nspr-devel-4.9.5-2.el6_4.s390x.rpm
nss-3.14.3-4.el6_4.s390.rpm
nss-3.14.3-4.el6_4.s390x.rpm
nss-debuginfo-3.14.3-4.el6_4.s390.rpm
nss-debuginfo-3.14.3-4.el6_4.s390x.rpm
nss-devel-3.14.3-4.el6_4.s390.rpm
nss-devel-3.14.3-4.el6_4.s390x.rpm
nss-softokn-3.14.3-3.el6_4.s390.rpm
nss-softokn-3.14.3-3.el6_4.s390x.rpm
nss-softokn-debuginfo-3.14.3-3.el6_4.s390.rpm
nss-softokn-debuginfo-3.14.3-3.el6_4.s390x.rpm
nss-softokn-devel-3.14.3-3.el6_4.s390.rpm
nss-softokn-devel-3.14.3-3.el6_4.s390x.rpm
nss-softokn-freebl-3.14.3-3.el6_4.s390.rpm
nss-softokn-freebl-3.14.3-3.el6_4.s390x.rpm
nss-softokn-freebl-devel-3.14.3-3.el6_4.s390.rpm
nss-softokn-freebl-devel-3.14.3-3.el6_4.s390x.rpm
nss-sysinit-3.14.3-4.el6_4.s390x.rpm
nss-tools-3.14.3-4.el6_4.s390x.rpm
nss-util-3.14.3-3.el6_4.s390.rpm
nss-util-3.14.3-3.el6_4.s390x.rpm
nss-util-debuginfo-3.14.3-3.el6_4.s390.rpm
nss-util-debuginfo-3.14.3-3.el6_4.s390x.rpm
nss-util-devel-3.14.3-3.el6_4.s390.rpm
nss-util-devel-3.14.3-3.el6_4.s390x.rpm

x86_64:
nspr-4.9.5-2.el6_4.i686.rpm
nspr-4.9.5-2.el6_4.x86_64.rpm
nspr-debuginfo-4.9.5-2.el6_4.i686.rpm
nspr-debuginfo-4.9.5-2.el6_4.x86_64.rpm
nspr-devel-4.9.5-2.el6_4.i686.rpm
nspr-devel-4.9.5-2.el6_4.x86_64.rpm
nss-3.14.3-4.el6_4.i686.rpm
nss-3.14.3-4.el6_4.x86_64.rpm
nss-debuginfo-3.14.3-4.el6_4.i686.rpm
nss-debuginfo-3.14.3-4.el6_4.x86_64.rpm
nss-devel-3.14.3-4.el6_4.i686.rpm
nss-devel-3.14.3-4.el6_4.x86_64.rpm
nss-softokn-3.14.3-3.el6_4.i686.rpm
nss-softokn-3.14.3-3.el6_4.x86_64.rpm
nss-softokn-debuginfo-3.14.3-3.el6_4.i686.rpm
nss-softokn-debuginfo-3.14.3-3.el6_4.x86_64.rpm
nss-softokn-devel-3.14.3-3.el6_4.i686.rpm
nss-softokn-devel-3.14.3-3.el6_4.x86_64.rpm
nss-softokn-freebl-3.14.3-3.el6_4.i686.rpm
nss-softokn-freebl-3.14.3-3.el6_4.x86_64.rpm
nss-softokn-freebl-devel-3.14.3-3.el6_4.i686.rpm
nss-softokn-freebl-devel-3.14.3-3.el6_4.x86_64.rpm
nss-sysinit-3.14.3-4.el6_4.x86_64.rpm
nss-tools-3.14.3-4.el6_4.x86_64.rpm
nss-util-3.14.3-3.el6_4.i686.rpm
nss-util-3.14.3-3.el6_4.x86_64.rpm
nss-util-debuginfo-3.14.3-3.el6_4.i686.rpm
nss-util-debuginfo-3.14.3-3.el6_4.x86_64.rpm
nss-util-devel-3.14.3-3.el6_4.i686.rpm
nss-util-devel-3.14.3-3.el6_4.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/nss-3.14.3-4.el6_4.src.rpm

i386:
nss-debuginfo-3.14.3-4.el6_4.i686.rpm
nss-pkcs11-devel-3.14.3-4.el6_4.i686.rpm

ppc64:
nss-debuginfo-3.14.3-4.el6_4.ppc.rpm
nss-debuginfo-3.14.3-4.el6_4.ppc64.rpm
nss-pkcs11-devel-3.14.3-4.el6_4.ppc.rpm
nss-pkcs11-devel-3.14.3-4.el6_4.ppc64.rpm

s390x:
nss-debuginfo-3.14.3-4.el6_4.s390.rpm
nss-debuginfo-3.14.3-4.el6_4.s390x.rpm
nss-pkcs11-devel-3.14.3-4.el6_4.s390.rpm
nss-pkcs11-devel-3.14.3-4.el6_4.s390x.rpm

x86_64:
nss-debuginfo-3.14.3-4.el6_4.i686.rpm
nss-debuginfo-3.14.3-4.el6_4.x86_64.rpm
nss-pkcs11-devel-3.14.3-4.el6_4.i686.rpm
nss-pkcs11-devel-3.14.3-4.el6_4.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/nspr-4.9.5-2.el6_4.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/nss-3.14.3-4.el6_4.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/nss-softokn-3.14.3-3.el6_4.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/nss-util-3.14.3-3.el6_4.src.rpm

i386:
nspr-4.9.5-2.el6_4.i686.rpm
nspr-debuginfo-4.9.5-2.el6_4.i686.rpm
nspr-devel-4.9.5-2.el6_4.i686.rpm
nss-3.14.3-4.el6_4.i686.rpm
nss-debuginfo-3.14.3-4.el6_4.i686.rpm
nss-devel-3.14.3-4.el6_4.i686.rpm
nss-softokn-3.14.3-3.el6_4.i686.rpm
nss-softokn-debuginfo-3.14.3-3.el6_4.i686.rpm
nss-softokn-devel-3.14.3-3.el6_4.i686.rpm
nss-softokn-freebl-3.14.3-3.el6_4.i686.rpm
nss-softokn-freebl-devel-3.14.3-3.el6_4.i686.rpm
nss-sysinit-3.14.3-4.el6_4.i686.rpm
nss-tools-3.14.3-4.el6_4.i686.rpm
nss-util-3.14.3-3.el6_4.i686.rpm
nss-util-debuginfo-3.14.3-3.el6_4.i686.rpm
nss-util-devel-3.14.3-3.el6_4.i686.rpm

x86_64:
nspr-4.9.5-2.el6_4.i686.rpm
nspr-4.9.5-2.el6_4.x86_64.rpm
nspr-debuginfo-4.9.5-2.el6_4.i686.rpm
nspr-debuginfo-4.9.5-2.el6_4.x86_64.rpm
nspr-devel-4.9.5-2.el6_4.i686.rpm
nspr-devel-4.9.5-2.el6_4.x86_64.rpm
nss-3.14.3-4.el6_4.i686.rpm
nss-3.14.3-4.el6_4.x86_64.rpm
nss-debuginfo-3.14.3-4.el6_4.i686.rpm
nss-debuginfo-3.14.3-4.el6_4.x86_64.rpm
nss-devel-3.14.3-4.el6_4.i686.rpm
nss-devel-3.14.3-4.el6_4.x86_64.rpm
nss-softokn-3.14.3-3.el6_4.i686.rpm
nss-softokn-3.14.3-3.el6_4.x86_64.rpm
nss-softokn-debuginfo-3.14.3-3.el6_4.i686.rpm
nss-softokn-debuginfo-3.14.3-3.el6_4.x86_64.rpm
nss-softokn-devel-3.14.3-3.el6_4.i686.rpm
nss-softokn-devel-3.14.3-3.el6_4.x86_64.rpm
nss-softokn-freebl-3.14.3-3.el6_4.i686.rpm
nss-softokn-freebl-3.14.3-3.el6_4.x86_64.rpm
nss-softokn-freebl-devel-3.14.3-3.el6_4.i686.rpm
nss-softokn-freebl-devel-3.14.3-3.el6_4.x86_64.rpm
nss-sysinit-3.14.3-4.el6_4.x86_64.rpm
nss-tools-3.14.3-4.el6_4.x86_64.rpm
nss-util-3.14.3-3.el6_4.i686.rpm
nss-util-3.14.3-3.el6_4.x86_64.rpm
nss-util-debuginfo-3.14.3-3.el6_4.i686.rpm
nss-util-debuginfo-3.14.3-3.el6_4.x86_64.rpm
nss-util-devel-3.14.3-3.el6_4.i686.rpm
nss-util-devel-3.14.3-3.el6_4.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/nss-3.14.3-4.el6_4.src.rpm

i386:
nss-debuginfo-3.14.3-4.el6_4.i686.rpm
nss-pkcs11-devel-3.14.3-4.el6_4.i686.rpm

x86_64:
nss-debuginfo-3.14.3-4.el6_4.i686.rpm
nss-debuginfo-3.14.3-4.el6_4.x86_64.rpm
nss-pkcs11-devel-3.14.3-4.el6_4.i686.rpm
nss-pkcs11-devel-3.14.3-4.el6_4.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-0791.html
https://www.redhat.com/security/data/cve/CVE-2013-1620.html
https://access.redhat.com/security/updates/classification/#moderate
https://rhn.redhat.com/errata/RHBA-2013-0445.html

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
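The CBC padding timing leak this advisory fixes (CVE-2013-1620, bugs 908234 and 927157 above) comes from the shape of the record check, so here is an added Python illustration, not NSS code and not part of the advisory, of the post-decryption TLS CBC record check in its leaky and uniform forms. The record layout, the HMAC-SHA1 tag and the demo key, sequence number and content are constructed for the example, and since Python gives no timing guarantee the block shows the control-flow shape only (no early exit, MAC always computed, one alert for every failure).

```python
import hashlib
import hmac
import struct

MAC_LEN = 20                       # HMAC-SHA1 tag length, as in the *_CBC_SHA suites
MAX_PAD = 255                      # the trailing pad_len byte ranges over 0..255
BAD_RECORD_MAC = "bad_record_mac"  # TLS 1.1+ requires this one alert for every failure


def tls_mac(mac_key, seq, ctype, version, content):
    """MAC input per RFC 5246 6.2.3.1: seq_num || type || version || length || fragment."""
    header = struct.pack("!QBHH", seq, ctype, version, len(content))
    return hmac.new(mac_key, header + content, hashlib.sha1).digest()


def build_record_plaintext(mac_key, seq, ctype, version, content, block=16):
    """Constructed sample: what the receiver holds right after CBC decryption,
    laid out as content || MAC || padding || pad_len, each pad byte == pad_len."""
    body = content + tls_mac(mac_key, seq, ctype, version, content)
    pad_len = block - 1 - (len(body) % block)
    return body + bytes([pad_len]) * (pad_len + 1)


def check_record_leaky(plaintext, mac_key, seq, ctype, version):
    """Pre-fix shape. Bad padding returns before any MAC work, so a bad-padding
    record and a bad-MAC record differ in time and even in the alert sent:
    that difference is the padding oracle CVE-2013-1620 describes."""
    pad_len = plaintext[-1]
    if pad_len + 1 + MAC_LEN > len(plaintext):
        return None, "decryption_failed"            # fast path, no MAC computed
    if any(b != pad_len for b in plaintext[-(pad_len + 1):]):
        return None, "decryption_failed"            # stops at the first bad byte
    content_len = len(plaintext) - pad_len - 1 - MAC_LEN
    content = plaintext[:content_len]
    tag = plaintext[content_len:content_len + MAC_LEN]
    if tag != tls_mac(mac_key, seq, ctype, version, content):   # early-exit compare
        return None, BAD_RECORD_MAC
    return content, None


def check_record_uniform(plaintext, mac_key, seq, ctype, version):
    """Hardened shape (RFC 5246 6.2.3.2 guidance): no early exit on padding,
    the MAC is always computed, the compare is constant-time, and every failure
    maps to the same alert. Production fixes also pad the hash work to a fixed
    number of compression-function calls; that part is omitted here."""
    n = len(plaintext)
    if n < MAC_LEN + 1:
        return None, BAD_RECORD_MAC    # n is visible on the wire; branching on it leaks nothing
    pad_len = plaintext[-1]
    fits = int(pad_len + 1 + MAC_LEN <= n)    # a flag, not a branch
    eff_pad = pad_len * fits                  # clamp so a MAC is computed either way
    bad = 0
    for i in range(1, MAX_PAD + 2):           # fixed 256 iterations whatever pad_len says
        in_pad = int(i <= eff_pad + 1)        # 1 for the bytes the padding claims to cover
        byte = plaintext[n - i] if i <= n else pad_len   # past the record start: neutral
        bad |= in_pad & int(byte != pad_len)
    content_len = n - MAC_LEN - (eff_pad + 1)
    content = plaintext[:content_len]
    tag = plaintext[content_len:content_len + MAC_LEN]
    mac_ok = hmac.compare_digest(tag, tls_mac(mac_key, seq, ctype, version, content))
    if bad or not fits or not mac_ok:
        return None, BAD_RECORD_MAC           # one indistinguishable failure
    return content, None


# Constructed demo parameters, not taken from any real session
DEMO_KEY = b"\x11" * 20
DEMO_SEQ, DEMO_TYPE, DEMO_VERSION = 7, 23, 0x0303   # application_data, TLS 1.2
DEMO_CONTENT = b"GET / HTTP/1.1\r\n"


def demo():
    """Run both checkers over a valid, a bad-padding and a bad-MAC record and
    return what each reports; the leaky checker tells the two failures apart."""
    args = (DEMO_KEY, DEMO_SEQ, DEMO_TYPE, DEMO_VERSION)
    good = build_record_plaintext(*args, DEMO_CONTENT)
    bad_pad = good[:-2] + bytes([good[-2] ^ 1]) + good[-1:]   # corrupt one padding byte
    bad_mac = bytes([good[0] ^ 1]) + good[1:]                  # corrupt one content byte
    results = {}
    for name, check in (("leaky", check_record_leaky), ("uniform", check_record_uniform)):
        results[name] = {
            "valid": check(good, *args),
            "bad_pad": check(bad_pad, *args)[1],
            "bad_mac": check(bad_mac, *args)[1],
        }
    return results


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, report)
```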
From bugzilla at redhat.com Wed Aug 7 18:20:38 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 7 Aug 2013 18:20:38 +0000
Subject: [RHSA-2013:1145-01] Low: Red Hat Enterprise Linux 5.6 Extended Update Support Retirement Notice
Message-ID: <201308071820.r77IKcR3007371@int-mx02.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Low: Red Hat Enterprise Linux 5.6 Extended Update Support Retirement Notice
Advisory ID: RHSA-2013:1145-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-1145.html
Issue date: 2013-08-07
=====================================================================

1. Summary:

This is the final notification for the retirement of Red Hat Enterprise Linux 5.6 Extended Update Support (EUS).

2. Relevant releases/architectures:

Red Hat Enterprise Linux EUS (v. 5.6 server) - i386, ia64, ppc, s390x, x86_64

3. Description:

In accordance with the Red Hat Enterprise Linux Errata Support Policy, Extended Update Support for Red Hat Enterprise Linux 5.6 is retired as of August 7, 2013, and support is no longer provided. Accordingly, Red Hat will no longer provide updated packages after the final errata release, including critical impact security patches or urgent priority bug fixes, for Red Hat Enterprise Linux 5.6 EUS after this date. In addition, technical support through Red Hat's Global Support Services will no longer be provided after August 7, 2013.

Note: This notification applies only to those customers subscribed to the Extended Update Support (EUS) channel for Red Hat Enterprise Linux 5.6.

We encourage customers to plan their migration from Red Hat Enterprise Linux 5.6 to a more recent version of Red Hat Enterprise Linux 5 or 6. As a benefit of the Red Hat subscription model, customers can use their active subscriptions to entitle any system on a currently supported Red Hat Enterprise Linux 5 release (5.9, for which EUS is available) or Red Hat Enterprise Linux 6 release (6.2, 6.3, or 6.4, for which EUS is available).

Details of the Red Hat Enterprise Linux life cycle can be found here: https://access.redhat.com/support/policy/updates/errata/

4. Solution:

This erratum contains an updated redhat-release package that provides a copy of this retirement notice in the "/usr/share/doc/" directory.

5. Package List:

Red Hat Enterprise Linux EUS (v. 5.6 server):

Source:
redhat-release-5Server-5.6.0.9.src.rpm

i386:
redhat-release-5Server-5.6.0.9.i386.rpm

ia64:
redhat-release-5Server-5.6.0.9.ia64.rpm

ppc:
redhat-release-5Server-5.6.0.9.ppc.rpm

s390x:
redhat-release-5Server-5.6.0.9.s390x.rpm

x86_64:
redhat-release-5Server-5.6.0.9.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

6. References:

https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/support/policy/updates/errata/

7. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFSAo/NXlSAg2UNWIIRAnkPAJ4sB8qX0jnEf4kyijkV8FXgNHSeSgCgu79H
qJD6Pwh5sdXsuoAnu2orcWY=
=TBRf
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Tue Aug 13 16:38:30 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 13 Aug 2013 16:38:30 +0000
Subject: [RHSA-2013:1156-01] Moderate: httpd security update
Message-ID: <201308131638.r7DGcU1Z006977@int-mx01.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: httpd security update
Advisory ID:       RHSA-2013:1156-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-1156.html
Issue date:        2013-08-13
CVE Names:         CVE-2013-1896
=====================================================================

1. Summary:

Updated httpd packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, noarch, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - noarch, x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, noarch, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, noarch, x86_64

3. Description:

The Apache HTTP Server is a popular web server.
A flaw was found in the way the mod_dav module of the Apache HTTP Server handled merge requests. An attacker could use this flaw to send a crafted merge request that contains URIs that are not configured for DAV, causing the httpd child process to crash. (CVE-2013-1896)

All httpd users should upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the updated packages, the httpd daemon will be restarted automatically.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

983549 - CVE-2013-1896 httpd: mod_dav DoS (httpd child process crash) via a URI MERGE request with source URI not handled by mod_dav

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/httpd-2.2.3-82.el5_9.src.rpm

i386:
httpd-2.2.3-82.el5_9.i386.rpm
httpd-debuginfo-2.2.3-82.el5_9.i386.rpm
mod_ssl-2.2.3-82.el5_9.i386.rpm

x86_64:
httpd-2.2.3-82.el5_9.x86_64.rpm
httpd-debuginfo-2.2.3-82.el5_9.x86_64.rpm
mod_ssl-2.2.3-82.el5_9.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/httpd-2.2.3-82.el5_9.src.rpm

i386:
httpd-debuginfo-2.2.3-82.el5_9.i386.rpm
httpd-devel-2.2.3-82.el5_9.i386.rpm
httpd-manual-2.2.3-82.el5_9.i386.rpm

x86_64:
httpd-debuginfo-2.2.3-82.el5_9.i386.rpm
httpd-debuginfo-2.2.3-82.el5_9.x86_64.rpm
httpd-devel-2.2.3-82.el5_9.i386.rpm
httpd-devel-2.2.3-82.el5_9.x86_64.rpm
httpd-manual-2.2.3-82.el5_9.x86_64.rpm

Red Hat Enterprise Linux (v.
5 server): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/httpd-2.2.3-82.el5_9.src.rpm i386: httpd-2.2.3-82.el5_9.i386.rpm httpd-debuginfo-2.2.3-82.el5_9.i386.rpm httpd-devel-2.2.3-82.el5_9.i386.rpm httpd-manual-2.2.3-82.el5_9.i386.rpm mod_ssl-2.2.3-82.el5_9.i386.rpm ia64: httpd-2.2.3-82.el5_9.ia64.rpm httpd-debuginfo-2.2.3-82.el5_9.ia64.rpm httpd-devel-2.2.3-82.el5_9.ia64.rpm httpd-manual-2.2.3-82.el5_9.ia64.rpm mod_ssl-2.2.3-82.el5_9.ia64.rpm ppc: httpd-2.2.3-82.el5_9.ppc.rpm httpd-debuginfo-2.2.3-82.el5_9.ppc.rpm httpd-debuginfo-2.2.3-82.el5_9.ppc64.rpm httpd-devel-2.2.3-82.el5_9.ppc.rpm httpd-devel-2.2.3-82.el5_9.ppc64.rpm httpd-manual-2.2.3-82.el5_9.ppc.rpm mod_ssl-2.2.3-82.el5_9.ppc.rpm s390x: httpd-2.2.3-82.el5_9.s390x.rpm httpd-debuginfo-2.2.3-82.el5_9.s390.rpm httpd-debuginfo-2.2.3-82.el5_9.s390x.rpm httpd-devel-2.2.3-82.el5_9.s390.rpm httpd-devel-2.2.3-82.el5_9.s390x.rpm httpd-manual-2.2.3-82.el5_9.s390x.rpm mod_ssl-2.2.3-82.el5_9.s390x.rpm x86_64: httpd-2.2.3-82.el5_9.x86_64.rpm httpd-debuginfo-2.2.3-82.el5_9.i386.rpm httpd-debuginfo-2.2.3-82.el5_9.x86_64.rpm httpd-devel-2.2.3-82.el5_9.i386.rpm httpd-devel-2.2.3-82.el5_9.x86_64.rpm httpd-manual-2.2.3-82.el5_9.x86_64.rpm mod_ssl-2.2.3-82.el5_9.x86_64.rpm Red Hat Enterprise Linux Desktop (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/httpd-2.2.15-29.el6_4.src.rpm i386: httpd-2.2.15-29.el6_4.i686.rpm httpd-debuginfo-2.2.15-29.el6_4.i686.rpm httpd-tools-2.2.15-29.el6_4.i686.rpm x86_64: httpd-2.2.15-29.el6_4.x86_64.rpm httpd-debuginfo-2.2.15-29.el6_4.x86_64.rpm httpd-tools-2.2.15-29.el6_4.x86_64.rpm Red Hat Enterprise Linux Desktop Optional (v. 
6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/httpd-2.2.15-29.el6_4.src.rpm i386: httpd-debuginfo-2.2.15-29.el6_4.i686.rpm httpd-devel-2.2.15-29.el6_4.i686.rpm mod_ssl-2.2.15-29.el6_4.i686.rpm noarch: httpd-manual-2.2.15-29.el6_4.noarch.rpm x86_64: httpd-debuginfo-2.2.15-29.el6_4.i686.rpm httpd-debuginfo-2.2.15-29.el6_4.x86_64.rpm httpd-devel-2.2.15-29.el6_4.i686.rpm httpd-devel-2.2.15-29.el6_4.x86_64.rpm mod_ssl-2.2.15-29.el6_4.x86_64.rpm Red Hat Enterprise Linux HPC Node (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/httpd-2.2.15-29.el6_4.src.rpm x86_64: httpd-2.2.15-29.el6_4.x86_64.rpm httpd-debuginfo-2.2.15-29.el6_4.x86_64.rpm httpd-tools-2.2.15-29.el6_4.x86_64.rpm Red Hat Enterprise Linux HPC Node Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/httpd-2.2.15-29.el6_4.src.rpm noarch: httpd-manual-2.2.15-29.el6_4.noarch.rpm x86_64: httpd-debuginfo-2.2.15-29.el6_4.i686.rpm httpd-debuginfo-2.2.15-29.el6_4.x86_64.rpm httpd-devel-2.2.15-29.el6_4.i686.rpm httpd-devel-2.2.15-29.el6_4.x86_64.rpm mod_ssl-2.2.15-29.el6_4.x86_64.rpm Red Hat Enterprise Linux Server (v. 
6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/httpd-2.2.15-29.el6_4.src.rpm i386: httpd-2.2.15-29.el6_4.i686.rpm httpd-debuginfo-2.2.15-29.el6_4.i686.rpm httpd-devel-2.2.15-29.el6_4.i686.rpm httpd-tools-2.2.15-29.el6_4.i686.rpm mod_ssl-2.2.15-29.el6_4.i686.rpm noarch: httpd-manual-2.2.15-29.el6_4.noarch.rpm ppc64: httpd-2.2.15-29.el6_4.ppc64.rpm httpd-debuginfo-2.2.15-29.el6_4.ppc.rpm httpd-debuginfo-2.2.15-29.el6_4.ppc64.rpm httpd-devel-2.2.15-29.el6_4.ppc.rpm httpd-devel-2.2.15-29.el6_4.ppc64.rpm httpd-tools-2.2.15-29.el6_4.ppc64.rpm mod_ssl-2.2.15-29.el6_4.ppc64.rpm s390x: httpd-2.2.15-29.el6_4.s390x.rpm httpd-debuginfo-2.2.15-29.el6_4.s390.rpm httpd-debuginfo-2.2.15-29.el6_4.s390x.rpm httpd-devel-2.2.15-29.el6_4.s390.rpm httpd-devel-2.2.15-29.el6_4.s390x.rpm httpd-tools-2.2.15-29.el6_4.s390x.rpm mod_ssl-2.2.15-29.el6_4.s390x.rpm x86_64: httpd-2.2.15-29.el6_4.x86_64.rpm httpd-debuginfo-2.2.15-29.el6_4.i686.rpm httpd-debuginfo-2.2.15-29.el6_4.x86_64.rpm httpd-devel-2.2.15-29.el6_4.i686.rpm httpd-devel-2.2.15-29.el6_4.x86_64.rpm httpd-tools-2.2.15-29.el6_4.x86_64.rpm mod_ssl-2.2.15-29.el6_4.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/httpd-2.2.15-29.el6_4.src.rpm i386: httpd-2.2.15-29.el6_4.i686.rpm httpd-debuginfo-2.2.15-29.el6_4.i686.rpm httpd-devel-2.2.15-29.el6_4.i686.rpm httpd-tools-2.2.15-29.el6_4.i686.rpm mod_ssl-2.2.15-29.el6_4.i686.rpm noarch: httpd-manual-2.2.15-29.el6_4.noarch.rpm x86_64: httpd-2.2.15-29.el6_4.x86_64.rpm httpd-debuginfo-2.2.15-29.el6_4.i686.rpm httpd-debuginfo-2.2.15-29.el6_4.x86_64.rpm httpd-devel-2.2.15-29.el6_4.i686.rpm httpd-devel-2.2.15-29.el6_4.x86_64.rpm httpd-tools-2.2.15-29.el6_4.x86_64.rpm mod_ssl-2.2.15-29.el6_4.x86_64.rpm These packages are GPG signed by Red Hat for security. 
Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-1896.html
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFSCmBXXlSAg2UNWIIRAijZAJ0R8XQ54HGB+TSeP87uMuuB/ILHoQCeJRdQ
oNMF6pvhFMNIMKNOMxw1PW0=
=b914
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Tue Aug 20 19:02:59 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 20 Aug 2013 19:02:59 +0000
Subject: [RHSA-2013:1166-01] Important: kernel security and bug fix update
Message-ID: <201308201903.r7KJ30eA031965@int-mx01.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: kernel security and bug fix update
Advisory ID:       RHSA-2013:1166-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-1166.html
Issue date:        2013-08-20
CVE Names:         CVE-2013-2147 CVE-2013-2164 CVE-2013-2206 CVE-2013-2224 CVE-2013-2232 CVE-2013-2234 CVE-2013-2237
=====================================================================

1. Summary:

Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux (v. 5 server) - i386, ia64, noarch, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v.
5 client) - i386, noarch, x86_64

3. Description:

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues:

* A flaw was found in the way the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation handled duplicate cookies. If a local user queried SCTP connection information at the same time a remote attacker has initialized a crafted SCTP connection to the system, it could trigger a NULL pointer dereference, causing the system to crash. (CVE-2013-2206, Important)

* It was found that the fix for CVE-2012-3552 released via RHSA-2012:1540 introduced an invalid free flaw in the Linux kernel's TCP/IP protocol suite implementation. A local, unprivileged user could use this flaw to corrupt kernel memory via crafted sendmsg() calls, allowing them to cause a denial of service or, potentially, escalate their privileges on the system. (CVE-2013-2224, Important)

* An invalid pointer dereference flaw was found in the Linux kernel's TCP/IP protocol suite implementation. A local, unprivileged user could use this flaw to crash the system or, potentially, escalate their privileges on the system by using sendmsg() with an IPv6 socket connected to an IPv4 destination. (CVE-2013-2232, Moderate)

* Information leak flaws in the Linux kernel could allow a privileged, local user to leak kernel memory to user-space. (CVE-2013-2164, CVE-2013-2147, CVE-2013-2234, CVE-2013-2237, Low)

This update also fixes several bugs. Documentation for these changes will be available shortly from the Technical Notes document linked to in the References section.

Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network.
Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

To install kernel packages manually, use "rpm -ivh [package]". Do not use "rpm -Uvh" as that will remove the running kernel binaries from your system. You may use "rpm -e" to remove old kernels after determining that the new kernel functions properly on your system.

5. Bugs fixed (http://bugzilla.redhat.com/):

971242 - CVE-2013-2147 Kernel: cpqarray/cciss: information leak via ioctl
973100 - CVE-2013-2164 Kernel: information leak in cdrom driver
976562 - CVE-2013-2206 kernel: sctp: duplicate cookie handling NULL pointer dereference
979936 - CVE-2013-2224 kernel: net: IP_REPOPTS invalid free
980995 - CVE-2013-2234 Kernel: net: information leak in AF_KEY notify
981220 - CVE-2013-2237 Kernel: net: af_key: initialize satype in key_notify_policy_flush
981552 - CVE-2013-2232 Kernel: ipv6: using ipv4 vs ipv6 structure during routing lookup in sendmsg

6. Package List:

Red Hat Enterprise Linux Desktop (v.
5 client): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/kernel-2.6.18-348.16.1.el5.src.rpm i386: kernel-2.6.18-348.16.1.el5.i686.rpm kernel-PAE-2.6.18-348.16.1.el5.i686.rpm kernel-PAE-debuginfo-2.6.18-348.16.1.el5.i686.rpm kernel-PAE-devel-2.6.18-348.16.1.el5.i686.rpm kernel-debug-2.6.18-348.16.1.el5.i686.rpm kernel-debug-debuginfo-2.6.18-348.16.1.el5.i686.rpm kernel-debug-devel-2.6.18-348.16.1.el5.i686.rpm kernel-debuginfo-2.6.18-348.16.1.el5.i686.rpm kernel-debuginfo-common-2.6.18-348.16.1.el5.i686.rpm kernel-devel-2.6.18-348.16.1.el5.i686.rpm kernel-headers-2.6.18-348.16.1.el5.i386.rpm kernel-xen-2.6.18-348.16.1.el5.i686.rpm kernel-xen-debuginfo-2.6.18-348.16.1.el5.i686.rpm kernel-xen-devel-2.6.18-348.16.1.el5.i686.rpm noarch: kernel-doc-2.6.18-348.16.1.el5.noarch.rpm x86_64: kernel-2.6.18-348.16.1.el5.x86_64.rpm kernel-debug-2.6.18-348.16.1.el5.x86_64.rpm kernel-debug-debuginfo-2.6.18-348.16.1.el5.x86_64.rpm kernel-debug-devel-2.6.18-348.16.1.el5.x86_64.rpm kernel-debuginfo-2.6.18-348.16.1.el5.x86_64.rpm kernel-debuginfo-common-2.6.18-348.16.1.el5.x86_64.rpm kernel-devel-2.6.18-348.16.1.el5.x86_64.rpm kernel-headers-2.6.18-348.16.1.el5.x86_64.rpm kernel-xen-2.6.18-348.16.1.el5.x86_64.rpm kernel-xen-debuginfo-2.6.18-348.16.1.el5.x86_64.rpm kernel-xen-devel-2.6.18-348.16.1.el5.x86_64.rpm Red Hat Enterprise Linux (v. 
5 server): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/kernel-2.6.18-348.16.1.el5.src.rpm i386: kernel-2.6.18-348.16.1.el5.i686.rpm kernel-PAE-2.6.18-348.16.1.el5.i686.rpm kernel-PAE-debuginfo-2.6.18-348.16.1.el5.i686.rpm kernel-PAE-devel-2.6.18-348.16.1.el5.i686.rpm kernel-debug-2.6.18-348.16.1.el5.i686.rpm kernel-debug-debuginfo-2.6.18-348.16.1.el5.i686.rpm kernel-debug-devel-2.6.18-348.16.1.el5.i686.rpm kernel-debuginfo-2.6.18-348.16.1.el5.i686.rpm kernel-debuginfo-common-2.6.18-348.16.1.el5.i686.rpm kernel-devel-2.6.18-348.16.1.el5.i686.rpm kernel-headers-2.6.18-348.16.1.el5.i386.rpm kernel-xen-2.6.18-348.16.1.el5.i686.rpm kernel-xen-debuginfo-2.6.18-348.16.1.el5.i686.rpm kernel-xen-devel-2.6.18-348.16.1.el5.i686.rpm ia64: kernel-2.6.18-348.16.1.el5.ia64.rpm kernel-debug-2.6.18-348.16.1.el5.ia64.rpm kernel-debug-debuginfo-2.6.18-348.16.1.el5.ia64.rpm kernel-debug-devel-2.6.18-348.16.1.el5.ia64.rpm kernel-debuginfo-2.6.18-348.16.1.el5.ia64.rpm kernel-debuginfo-common-2.6.18-348.16.1.el5.ia64.rpm kernel-devel-2.6.18-348.16.1.el5.ia64.rpm kernel-headers-2.6.18-348.16.1.el5.ia64.rpm kernel-xen-2.6.18-348.16.1.el5.ia64.rpm kernel-xen-debuginfo-2.6.18-348.16.1.el5.ia64.rpm kernel-xen-devel-2.6.18-348.16.1.el5.ia64.rpm noarch: kernel-doc-2.6.18-348.16.1.el5.noarch.rpm ppc: kernel-2.6.18-348.16.1.el5.ppc64.rpm kernel-debug-2.6.18-348.16.1.el5.ppc64.rpm kernel-debug-debuginfo-2.6.18-348.16.1.el5.ppc64.rpm kernel-debug-devel-2.6.18-348.16.1.el5.ppc64.rpm kernel-debuginfo-2.6.18-348.16.1.el5.ppc64.rpm kernel-debuginfo-common-2.6.18-348.16.1.el5.ppc64.rpm kernel-devel-2.6.18-348.16.1.el5.ppc64.rpm kernel-headers-2.6.18-348.16.1.el5.ppc.rpm kernel-headers-2.6.18-348.16.1.el5.ppc64.rpm kernel-kdump-2.6.18-348.16.1.el5.ppc64.rpm kernel-kdump-debuginfo-2.6.18-348.16.1.el5.ppc64.rpm kernel-kdump-devel-2.6.18-348.16.1.el5.ppc64.rpm s390x: kernel-2.6.18-348.16.1.el5.s390x.rpm kernel-debug-2.6.18-348.16.1.el5.s390x.rpm 
kernel-debug-debuginfo-2.6.18-348.16.1.el5.s390x.rpm
kernel-debug-devel-2.6.18-348.16.1.el5.s390x.rpm
kernel-debuginfo-2.6.18-348.16.1.el5.s390x.rpm
kernel-debuginfo-common-2.6.18-348.16.1.el5.s390x.rpm
kernel-devel-2.6.18-348.16.1.el5.s390x.rpm
kernel-headers-2.6.18-348.16.1.el5.s390x.rpm
kernel-kdump-2.6.18-348.16.1.el5.s390x.rpm
kernel-kdump-debuginfo-2.6.18-348.16.1.el5.s390x.rpm
kernel-kdump-devel-2.6.18-348.16.1.el5.s390x.rpm

x86_64:
kernel-2.6.18-348.16.1.el5.x86_64.rpm
kernel-debug-2.6.18-348.16.1.el5.x86_64.rpm
kernel-debug-debuginfo-2.6.18-348.16.1.el5.x86_64.rpm
kernel-debug-devel-2.6.18-348.16.1.el5.x86_64.rpm
kernel-debuginfo-2.6.18-348.16.1.el5.x86_64.rpm
kernel-debuginfo-common-2.6.18-348.16.1.el5.x86_64.rpm
kernel-devel-2.6.18-348.16.1.el5.x86_64.rpm
kernel-headers-2.6.18-348.16.1.el5.x86_64.rpm
kernel-xen-2.6.18-348.16.1.el5.x86_64.rpm
kernel-xen-debuginfo-2.6.18-348.16.1.el5.x86_64.rpm
kernel-xen-devel-2.6.18-348.16.1.el5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-2147.html
https://www.redhat.com/security/data/cve/CVE-2013-2164.html
https://www.redhat.com/security/data/cve/CVE-2013-2206.html
https://www.redhat.com/security/data/cve/CVE-2013-2224.html
https://www.redhat.com/security/data/cve/CVE-2013-2232.html
https://www.redhat.com/security/data/cve/CVE-2013-2234.html
https://www.redhat.com/security/data/cve/CVE-2013-2237.html
https://access.redhat.com/security/updates/classification/#important
https://rhn.redhat.com/errata/RHSA-2012-1540.html
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/5.9_Technical_Notes/kernel.html

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFSE704XlSAg2UNWIIRAr8zAJ4xaEdklRUY5bq1ot+f3EHSEeTMzQCfdBXS
aNZZsMLDLDC5Fst9L+C7Ang=
=HI2U
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Aug 21 18:29:17 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 21 Aug 2013 18:29:17 +0000
Subject: [RHSA-2013:1170-01] Important: mongodb and pymongo security and enhancement update
Message-ID: <201308211829.r7LITHxS027009@int-mx09.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: mongodb and pymongo security and enhancement update
Advisory ID:       RHSA-2013:1170-01
Product:           Red Hat Enterprise MRG for RHEL-6
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-1170.html
Issue date:        2013-08-21
CVE Names:         CVE-2013-1892 CVE-2013-2132
=====================================================================

1. Summary:

Updated mongodb and pymongo packages that fix two security issues and add one enhancement are now available for Red Hat Enterprise MRG 2.3 for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

MRG Grid for RHEL 6 Server v.2 - i386, x86_64

3. Description:

MongoDB is a NoSQL database. PyMongo provides tools for working with MongoDB.

A flaw was found in the run() function implementation in MongoDB. A database user permitted to send database queries to a MongoDB server could use this flaw to crash the server or, possibly, execute arbitrary code with the privileges of the mongodb user. (CVE-2013-1892)

A NULL pointer dereference flaw was found in PyMongo.
An invalid DBRef record received from a MongoDB server could cause an application using PyMongo to crash. (CVE-2013-2132)

Note: In Red Hat Enterprise MRG Grid, MongoDB is not accessed by users directly and is only accessed by other Grid services, such as Condor and Cumin.

This update also adds the following enhancement:

* Previously, MongoDB was configured to listen for connections on all network interfaces. This could allow remote users to access the database if the firewall was configured to allow access to the MongoDB port (access is blocked by the default firewall configuration in Red Hat Enterprise Linux). This update changes the configuration to only listen on the loopback interface by default. (BZ#892767)

Users of Red Hat Enterprise MRG 2.3 for Red Hat Enterprise Linux 6 are advised to upgrade to these updated packages, which contain backported patches to resolve these issues and add this enhancement. After installing this update, MongoDB will be restarted automatically.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

927536 - CVE-2013-1892 MongoDB: Server Side JavaScript Includes allow Remote Code Execution
969560 - CVE-2013-2132 pymongo: null pointer when decoding invalid DBRef

6.
Package List:

MRG Grid for RHEL 6 Server v.2:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHEMRG-RHEL6/SRPMS/mongodb-1.6.4-6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHEMRG-RHEL6/SRPMS/pymongo-1.9-11.el6.src.rpm

i386:
mongodb-1.6.4-6.el6.i686.rpm
mongodb-debuginfo-1.6.4-6.el6.i686.rpm
mongodb-server-1.6.4-6.el6.i686.rpm
pymongo-1.9-11.el6.i686.rpm
pymongo-debuginfo-1.9-11.el6.i686.rpm
python-bson-1.9-11.el6.i686.rpm

x86_64:
mongodb-1.6.4-6.el6.x86_64.rpm
mongodb-debuginfo-1.6.4-6.el6.x86_64.rpm
mongodb-server-1.6.4-6.el6.x86_64.rpm
pymongo-1.9-11.el6.x86_64.rpm
pymongo-debuginfo-1.9-11.el6.x86_64.rpm
python-bson-1.9-11.el6.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-1892.html
https://www.redhat.com/security/data/cve/CVE-2013-2132.html
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
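The enhancement in RHSA-2013:1170 above (BZ#892767) replaces an all-interfaces listener with a loopback-only one. The following added example, which is not part of the advisory or of MongoDB, audits an ini-style mongodb.conf for exactly that setting; the key name bind_ip, the loopback and wildcard address sets, and both sample configs are assumptions made here.

```python
"""Audit the bind address in an ini-style mongodb.conf.

Added example, not advisory or MongoDB code. It checks the setting that
RHSA-2013:1170 changes by default: whether mongod is restricted to the
loopback interface. The key name bind_ip follows the old ini-style mongod
configuration format (assumption); the sample configs are constructed.
"""
from typing import Dict, List, Tuple

# Assumed address classes: anything outside LOOPBACK is reachable off-host.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}
WILDCARD = {"0.0.0.0", "::"}


def parse_ini_conf(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines. '#' starts a comment, so a commented-out
    '#bind_ip = 127.0.0.1' is correctly treated as absent; later keys win."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key.lower()] = value
    return settings


def audit_bind_ip(conf_text: str) -> Tuple[bool, List[str]]:
    """Return (loopback_only, findings).

    An absent or empty bind_ip means mongod listens on all interfaces, which
    is the pre-update state the advisory describes."""
    settings = parse_ini_conf(conf_text)
    findings: List[str] = []
    if "bind_ip" not in settings:
        findings.append("bind_ip not set: mongod listens on all interfaces")
        return False, findings
    addrs = [a.strip() for a in settings["bind_ip"].split(",") if a.strip()]
    if not addrs:
        findings.append("bind_ip is empty: treated as all interfaces")
        return False, findings
    for addr in addrs:
        if addr in WILDCARD:
            findings.append(f"bind_ip includes wildcard address {addr}")
        elif addr not in LOOPBACK:
            findings.append(f"bind_ip exposes non-loopback address {addr}")
    return not findings, findings


# Constructed sample configs: the pre-update shape (no bind_ip) and the
# loopback-only shape the erratum installs by default.
WEAK_CONF = """\
# mongodb.conf (constructed sample)
logpath = /var/log/mongodb/mongodb.log
port = 27017
"""

HARDENED_CONF = """\
# mongodb.conf (constructed sample)
logpath = /var/log/mongodb/mongodb.log
port = 27017
bind_ip = 127.0.0.1
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        ok, findings = audit_bind_ip(conf)
        print(name, "loopback-only" if ok else "EXPOSED", findings)
```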
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFSFQb3XlSAg2UNWIIRAptVAJ4idyFf19jChBXB0HDox3Xy3oEZ/gCfd0yj
nz4H+Z007JHbJWChMXS6VZI=
=gxWG
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Aug 21 18:29:42 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 21 Aug 2013 18:29:42 +0000
Subject: [RHSA-2013:1171-01] Moderate: condor security update
Message-ID: <201308211829.r7LIThwd012044@int-mx12.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: condor security update
Advisory ID:       RHSA-2013:1171-01
Product:           Red Hat Enterprise MRG for RHEL-5
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-1171.html
Issue date:        2013-08-21
CVE Names:         CVE-2013-4255
=====================================================================

1. Summary:

Updated condor packages that fix one security issue are now available for Red Hat Enterprise MRG 2.3 for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

MRG Grid Execute Node for RHEL 5 Server v.2 - i386, x86_64
MRG Grid for RHEL 5 Server v.2 - i386, x86_64

3. Description:

HTCondor is a specialized workload management system for compute-intensive jobs. It provides a job queuing mechanism, scheduling policy, priority scheme, and resource monitoring and management.

A denial of service flaw was found in the way HTCondor's policy definition evaluator processed certain policy definitions.
If an administrator used an attribute defined on a job in a CONTINUE, KILL, PREEMPT, or SUSPEND condor_startd policy, a remote HTCondor service user could use this flaw to cause condor_startd to exit by submitting a job that caused such a policy definition to be evaluated to either the ERROR or UNDEFINED states. (CVE-2013-4255)

Note: This issue did not affect the default HTCondor configuration.

This issue was found by Matthew Farrellee of Red Hat.

All Red Hat Enterprise MRG 2.3 users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. HTCondor must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

919401 - CVE-2013-4255 condor: condor_startd DoS when parsing policy definition that evaluates to ERROR or UNDEFINED

6.
Package List:

MRG Grid for RHEL 5 Server v.2:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/condor-7.8.8-0.4.2.el5_9.src.rpm

i386:
condor-7.8.8-0.4.2.el5_9.i386.rpm
condor-aviary-7.8.8-0.4.2.el5_9.i386.rpm
condor-classads-7.8.8-0.4.2.el5_9.i386.rpm
condor-debuginfo-7.8.8-0.4.2.el5_9.i386.rpm
condor-kbdd-7.8.8-0.4.2.el5_9.i386.rpm
condor-qmf-7.8.8-0.4.2.el5_9.i386.rpm
condor-vm-gahp-7.8.8-0.4.2.el5_9.i386.rpm

x86_64:
condor-7.8.8-0.4.2.el5_9.x86_64.rpm
condor-aviary-7.8.8-0.4.2.el5_9.x86_64.rpm
condor-classads-7.8.8-0.4.2.el5_9.x86_64.rpm
condor-debuginfo-7.8.8-0.4.2.el5_9.x86_64.rpm
condor-kbdd-7.8.8-0.4.2.el5_9.x86_64.rpm
condor-qmf-7.8.8-0.4.2.el5_9.x86_64.rpm
condor-vm-gahp-7.8.8-0.4.2.el5_9.x86_64.rpm

MRG Grid Execute Node for RHEL 5 Server v.2:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/condor-7.8.8-0.4.2.el5_9.src.rpm

i386:
condor-7.8.8-0.4.2.el5_9.i386.rpm
condor-classads-7.8.8-0.4.2.el5_9.i386.rpm
condor-debuginfo-7.8.8-0.4.2.el5_9.i386.rpm
condor-kbdd-7.8.8-0.4.2.el5_9.i386.rpm
condor-qmf-7.8.8-0.4.2.el5_9.i386.rpm
condor-vm-gahp-7.8.8-0.4.2.el5_9.i386.rpm

x86_64:
condor-7.8.8-0.4.2.el5_9.x86_64.rpm
condor-classads-7.8.8-0.4.2.el5_9.x86_64.rpm
condor-debuginfo-7.8.8-0.4.2.el5_9.x86_64.rpm
condor-kbdd-7.8.8-0.4.2.el5_9.x86_64.rpm
condor-qmf-7.8.8-0.4.2.el5_9.x86_64.rpm
condor-vm-gahp-7.8.8-0.4.2.el5_9.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-4255.html
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
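Both condor advisories on this page (RHSA-2013:1171 above and RHSA-2013:1172 below) describe a condor_startd policy expression that evaluates to ERROR or UNDEFINED once a job-supplied attribute is missing or has an unexpected type. The added example below is not HTCondor code: it models ClassAd four-valued evaluation in a few functions to show how a KILL policy reaches those states, the guarded form that always yields a boolean, and an evaluator that fails safe instead of exiting; the attribute names MemoryUsageMB and MaxJobMemoryMB and the exact propagation rules as coded are assumptions.

```python
"""Fail-safe evaluation of condor_startd-style policy expressions.

Added example, not HTCondor code: a deliberately small model of ClassAd
four-valued logic (TRUE, FALSE, UNDEFINED, ERROR). It shows why a
CONTINUE/KILL/PREEMPT/SUSPEND expression that reads a job attribute can
evaluate to UNDEFINED or ERROR, and how to write it so that it cannot.
"""
import logging
from typing import Any, Callable, Dict

log = logging.getLogger("startd-policy")


class _Special:
    """Sentinel for the two non-boolean ClassAd results."""

    def __init__(self, name: str) -> None:
        self.name = name

    def __repr__(self) -> str:
        return self.name


UNDEFINED = _Special("UNDEFINED")
ERROR = _Special("ERROR")


class Ad:
    """A ClassAd-like attribute bag; a missing attribute reads as UNDEFINED."""

    def __init__(self, attrs: Dict[str, Any]) -> None:
        self.attrs = attrs

    def get(self, name: str) -> Any:
        return self.attrs.get(name, UNDEFINED)


def _is_number(v: Any) -> bool:
    return isinstance(v, (int, float)) and not isinstance(v, bool)


def gt(a: Any, b: Any) -> Any:
    """ClassAd '>' as modelled here: ERROR is sticky, UNDEFINED propagates,
    and comparing non-numeric operands (e.g. a string) yields ERROR."""
    if a is ERROR or b is ERROR:
        return ERROR
    if a is UNDEFINED or b is UNDEFINED:
        return UNDEFINED
    if not (_is_number(a) and _is_number(b)):
        return ERROR
    return a > b


def is_undefined(a: Any) -> bool:
    """ClassAd isUndefined(): always yields a real boolean."""
    return a is UNDEFINED


def if_then_else(cond: Any, then_fn: Callable[[], Any],
                 else_fn: Callable[[], Any]) -> Any:
    """ClassAd ifThenElse(): a non-boolean condition is passed through."""
    if cond is True:
        return then_fn()
    if cond is False:
        return else_fn()
    return cond


# Hypothetical attribute names (not from the advisory): a job-supplied
# MemoryUsageMB compared against the machine's MaxJobMemoryMB.
def kill_fragile(machine: Ad, job: Ad) -> Any:
    """KILL = MemoryUsageMB > MaxJobMemoryMB, trusting the job to define it."""
    return gt(job.get("MemoryUsageMB"), machine.get("MaxJobMemoryMB"))


def kill_hardened(machine: Ad, job: Ad) -> Any:
    """KILL = ifThenElse(isUndefined(MemoryUsageMB), False,
                         MemoryUsageMB > MaxJobMemoryMB)."""
    mem = job.get("MemoryUsageMB")
    return if_then_else(is_undefined(mem), lambda: False,
                        lambda: gt(mem, machine.get("MaxJobMemoryMB")))


Policy = Callable[[Ad, Ad], Any]


def evaluate_policy(name: str, policy: Policy, machine: Ad, job: Ad) -> bool:
    """Evaluate a startd policy and fail safe: any result other than
    TRUE/FALSE is logged and treated as 'not triggered' rather than
    taking the daemon down."""
    result = policy(machine, job)
    if result is True or result is False:
        return result
    log.warning("%s policy evaluated to %r for job %r; treating as False",
                name, result, job.get("ClusterId"))
    return False


if __name__ == "__main__":
    machine = Ad({"MaxJobMemoryMB": 2048})
    heavy = Ad({"ClusterId": 1, "MemoryUsageMB": 4096})        # constructed
    no_attr = Ad({"ClusterId": 2})                              # attribute omitted
    bad_attr = Ad({"ClusterId": 3, "MemoryUsageMB": "lots"})    # wrong type
    for job in (heavy, no_attr, bad_attr):
        print(job.get("ClusterId"), kill_fragile(machine, job),
              kill_hardened(machine, job),
              evaluate_policy("KILL", kill_fragile, machine, job))
```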
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFSFQcQXlSAg2UNWIIRAmwSAJ9dChADxves/BxNggiB6UXKV3yxiQCfSZrd
xuzoNLw/TzaIaXf4lEQmh4w=
=5TAt
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Aug 21 18:30:28 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 21 Aug 2013 18:30:28 +0000
Subject: [RHSA-2013:1172-01] Moderate: condor security update
Message-ID: <201308211830.r7LIUSkt027747@int-mx09.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: condor security update
Advisory ID:       RHSA-2013:1172-01
Product:           Red Hat Enterprise MRG for RHEL-6
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-1172.html
Issue date:        2013-08-21
CVE Names:         CVE-2013-4255
=====================================================================

1. Summary:

Updated condor packages that fix one security issue are now available for Red Hat Enterprise MRG 2.3 for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

MRG Grid Execute Node for RHEL 6 ComputeNode v.2 - x86_64
MRG Grid Execute Node for RHEL 6 Server v.2 - i386, x86_64
MRG Grid for RHEL 6 Server v.2 - i386, x86_64

3. Description:

HTCondor is a specialized workload management system for compute-intensive jobs. It provides a job queuing mechanism, scheduling policy, priority scheme, and resource monitoring and management.

A denial of service flaw was found in the way HTCondor's policy definition evaluator processed certain policy definitions.
If an administrator used an attribute defined on a job in a CONTINUE, KILL, PREEMPT, or SUSPEND condor_startd policy, a remote HTCondor service user could use this flaw to cause condor_startd to exit by submitting a job that caused such a policy definition to be evaluated to either the ERROR or UNDEFINED states. (CVE-2013-4255)

Note: This issue did not affect the default HTCondor configuration.

This issue was found by Matthew Farrellee of Red Hat.

All Red Hat Enterprise MRG 2.3 users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. HTCondor must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

919401 - CVE-2013-4255 condor: condor_startd DoS when parsing policy definition that evaluates to ERROR or UNDEFINED

6.
Package List: MRG Grid Execute Node for RHEL 6 ComputeNode v.2: Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/RHEMRG-RHEL6/SRPMS/condor-7.8.8-0.4.3.el6_4.src.rpm x86_64: condor-7.8.8-0.4.3.el6_4.x86_64.rpm condor-classads-7.8.8-0.4.3.el6_4.x86_64.rpm condor-debuginfo-7.8.8-0.4.3.el6_4.x86_64.rpm condor-kbdd-7.8.8-0.4.3.el6_4.x86_64.rpm condor-qmf-7.8.8-0.4.3.el6_4.x86_64.rpm condor-vm-gahp-7.8.8-0.4.3.el6_4.x86_64.rpm MRG Grid for RHEL 6 Server v.2: Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHEMRG-RHEL6/SRPMS/condor-7.8.8-0.4.3.el6_4.src.rpm i386: condor-7.8.8-0.4.3.el6_4.i686.rpm condor-aviary-7.8.8-0.4.3.el6_4.i686.rpm condor-classads-7.8.8-0.4.3.el6_4.i686.rpm condor-cluster-resource-agent-7.8.8-0.4.3.el6_4.i686.rpm condor-debuginfo-7.8.8-0.4.3.el6_4.i686.rpm condor-kbdd-7.8.8-0.4.3.el6_4.i686.rpm condor-plumage-7.8.8-0.4.3.el6_4.i686.rpm condor-qmf-7.8.8-0.4.3.el6_4.i686.rpm x86_64: condor-7.8.8-0.4.3.el6_4.x86_64.rpm condor-aviary-7.8.8-0.4.3.el6_4.x86_64.rpm condor-classads-7.8.8-0.4.3.el6_4.x86_64.rpm condor-cluster-resource-agent-7.8.8-0.4.3.el6_4.x86_64.rpm condor-debuginfo-7.8.8-0.4.3.el6_4.x86_64.rpm condor-deltacloud-gahp-7.8.8-0.4.3.el6_4.x86_64.rpm condor-kbdd-7.8.8-0.4.3.el6_4.x86_64.rpm condor-plumage-7.8.8-0.4.3.el6_4.x86_64.rpm condor-qmf-7.8.8-0.4.3.el6_4.x86_64.rpm condor-vm-gahp-7.8.8-0.4.3.el6_4.x86_64.rpm MRG Grid Execute Node for RHEL 6 Server v.2: Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHEMRG-RHEL6/SRPMS/condor-7.8.8-0.4.3.el6_4.src.rpm i386: condor-7.8.8-0.4.3.el6_4.i686.rpm condor-classads-7.8.8-0.4.3.el6_4.i686.rpm condor-debuginfo-7.8.8-0.4.3.el6_4.i686.rpm condor-kbdd-7.8.8-0.4.3.el6_4.i686.rpm condor-qmf-7.8.8-0.4.3.el6_4.i686.rpm x86_64: condor-7.8.8-0.4.3.el6_4.x86_64.rpm condor-classads-7.8.8-0.4.3.el6_4.x86_64.rpm condor-debuginfo-7.8.8-0.4.3.el6_4.x86_64.rpm condor-kbdd-7.8.8-0.4.3.el6_4.x86_64.rpm condor-qmf-7.8.8-0.4.3.el6_4.x86_64.rpm 
condor-vm-gahp-7.8.8-0.4.3.el6_4.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-4255.html
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.

From bugzilla at redhat.com Tue Aug 27 19:30:24 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 27 Aug 2013 19:30:24 +0000
Subject: [RHSA-2013:1173-01] Important: kernel security and bug fix update
Message-ID: <201308271930.r7RJUPAw014704@int-mx11.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: kernel security and bug fix update
Advisory ID:       RHSA-2013:1173-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-1173.html
Issue date:        2013-08-27
CVE Names:         CVE-2012-6544 CVE-2013-2146 CVE-2013-2206
                   CVE-2013-2224 CVE-2013-2232 CVE-2013-2237
=====================================================================

1. Summary:

Updated kernel packages that fix multiple security issues and several bugs
are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having important
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 6) - i386, noarch, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - noarch, x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, noarch, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, noarch, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64

3. Description:

The kernel packages contain the Linux kernel, the core of any Linux
operating system.

This update fixes the following security issues:

* A flaw was found in the way the Linux kernel's Stream Control Transmission
Protocol (SCTP) implementation handled duplicate cookies. If a local user
queried SCTP connection information at the same time a remote attacker has
initialized a crafted SCTP connection to the system, it could trigger a NULL
pointer dereference, causing the system to crash. (CVE-2013-2206, Important)

* It was found that the fix for CVE-2012-3552 released via RHSA-2012:1304
introduced an invalid free flaw in the Linux kernel's TCP/IP protocol suite
implementation. A local, unprivileged user could use this flaw to corrupt
kernel memory via crafted sendmsg() calls, allowing them to cause a denial of
service or, potentially, escalate their privileges on the system.
(CVE-2013-2224, Important)

* A flaw was found in the Linux kernel's Performance Events implementation.
On systems with certain Intel processors, a local, unprivileged user could
use this flaw to cause a denial of service by leveraging the perf subsystem
to write into the reserved bits of the OFFCORE_RSP_0 and OFFCORE_RSP_1
model-specific registers. (CVE-2013-2146, Moderate)

* An invalid pointer dereference flaw was found in the Linux kernel's TCP/IP
protocol suite implementation. A local, unprivileged user could use this flaw
to crash the system or, potentially, escalate their privileges on the system
by using sendmsg() with an IPv6 socket connected to an IPv4 destination.
(CVE-2013-2232, Moderate)

* Information leak flaws in the Linux kernel's Bluetooth implementation could
allow a local, unprivileged user to leak kernel memory to user-space.
(CVE-2012-6544, Low)

* An information leak flaw in the Linux kernel could allow a privileged,
local user to leak kernel memory to user-space. (CVE-2013-2237, Low)

This update also fixes several bugs. Documentation for these changes will be
available shortly from the Technical Notes document linked to in the
References section.

Users should upgrade to these updated packages, which contain backported
patches to correct these issues. The system must be rebooted for this update
to take effect.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

To install kernel packages manually, use "rpm -ivh [package]". Do not use
"rpm -Uvh" as that will remove the running kernel binaries from your system.
You may use "rpm -e" to remove old kernels after determining that the new
kernel functions properly on your system.

5. Bugs fixed (http://bugzilla.redhat.com/):

922414 - CVE-2012-6544 Kernel: Bluetooth: HCI & L2CAP information leaks
971309 - CVE-2013-2146 Kernel: perf/x86: offcore_rsp valid mask for SNB/IVB
976562 - CVE-2013-2206 kernel: sctp: duplicate cookie handling NULL pointer dereference
979936 - CVE-2013-2224 kernel: net: IP_REPOPTS invalid free
981220 - CVE-2013-2237 Kernel: net: af_key: initialize satype in key_notify_policy_flush
981552 - CVE-2013-2232 Kernel: ipv6: using ipv4 vs ipv6 structure during routing lookup in sendmsg
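The manual procedure above (install with "rpm -ivh", reboot, confirm the new kernel is the one running, only then remove old kernels with "rpm -e"), as an added helper that is not Red Hat tooling: it parses a constructed "rpm -q kernel" listing, refuses to plan any removal unless "uname -r" matches the newest installed kernel, and renders the commands without executing them. The version ordering is a simplified model of rpm's comparison, adequate for kernels from one release stream; the older package versions in the sample are constructed.

```python
# Added helper for the manual kernel-update procedure in this advisory; not
# Red Hat tooling. It never runs rpm itself: it takes the text of
# "rpm -q kernel" and "uname -r" and returns a plan the operator can review.
import re

# Constructed sample of "rpm -q kernel" output. Only the last entry carries
# the version shipped by this erratum; the two older ones are made up.
INSTALLED = [
    "kernel-2.6.32-358.6.2.el6.x86_64",
    "kernel-2.6.32-358.14.1.el6.x86_64",
    "kernel-2.6.32-358.18.1.el6.x86_64",
]

def version_key(evr):
    """Sort key for '2.6.32-358.18.1.el6': digit runs compare numerically
    (so 358.18 > 358.6, unlike a plain string sort), letters lexically.
    Simplified model of rpm's comparison, not a reimplementation of it."""
    return [(0, int(tok)) if tok.isdigit() else (1, tok)
            for tok in re.findall(r"\d+|[A-Za-z]+", evr)]

def split_kernel_nevra(name):
    """'kernel-2.6.32-358.18.1.el6.x86_64' -> ('2.6.32-358.18.1.el6', 'x86_64').
    Returns None for anything that is not the plain 'kernel' package
    (kernel-headers, kernel-debug, ...), which the plan must not touch."""
    m = re.fullmatch(r"kernel-(\d[\w.]*-[\w.]+)\.(\w+)", name)
    return (m.group(1), m.group(2)) if m else None

def install_command(rpm_file):
    """The advisory's install form: '-ivh' adds the kernel beside the running
    one; '-Uvh' would replace (remove) the running kernel's binaries."""
    if not rpm_file.startswith("kernel-") or not rpm_file.endswith(".rpm"):
        raise ValueError("expected a kernel-*.rpm file")
    return ["rpm", "-ivh", rpm_file]

def plan_kernel_cleanup(installed, running, keep=2):
    """installed: lines from 'rpm -q kernel'; running: output of 'uname -r'.
    Removal is planned only when the newest installed kernel is the one
    actually booted, i.e. after the reboot-and-verify step; 'keep' newest
    kernels are always retained as a fallback."""
    if keep < 1:
        raise ValueError("keep at least one kernel")
    kernels = []
    for name in installed:
        parsed = split_kernel_nevra(name)
        if parsed:
            kernels.append((version_key(parsed[0]), name))
    kernels.sort()
    names = [n for _, n in kernels]
    if not names:
        return {"ok": False, "reason": "no kernel packages found",
                "remove": [], "keep": []}
    booted = "kernel-" + running
    newest = names[-1]
    if newest != booted:
        return {"ok": False, "remove": [], "keep": names,
                "reason": f"running {running} but newest installed is {newest}; "
                          "reboot into the new kernel and verify it first"}
    to_remove = [n for n in names[:-keep] if n != booted]
    return {"ok": True, "remove": to_remove, "keep": names[-keep:],
            "reason": f"running the newest kernel; keeping {keep}"}

def rpm_commands(plan):
    """Render the advisory's 'rpm -e' step for review; nothing is executed."""
    return ["rpm -e " + n for n in plan["remove"]] if plan["ok"] else []
```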
6. Package List:

Red Hat Enterprise Linux Desktop (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/kernel-2.6.32-358.18.1.el6.src.rpm

i386:
kernel-2.6.32-358.18.1.el6.i686.rpm
kernel-debug-2.6.32-358.18.1.el6.i686.rpm
kernel-debug-debuginfo-2.6.32-358.18.1.el6.i686.rpm
kernel-debug-devel-2.6.32-358.18.1.el6.i686.rpm
kernel-debuginfo-2.6.32-358.18.1.el6.i686.rpm
kernel-debuginfo-common-i686-2.6.32-358.18.1.el6.i686.rpm
kernel-devel-2.6.32-358.18.1.el6.i686.rpm
kernel-headers-2.6.32-358.18.1.el6.i686.rpm
perf-2.6.32-358.18.1.el6.i686.rpm
perf-debuginfo-2.6.32-358.18.1.el6.i686.rpm
python-perf-debuginfo-2.6.32-358.18.1.el6.i686.rpm

noarch:
kernel-doc-2.6.32-358.18.1.el6.noarch.rpm
kernel-firmware-2.6.32-358.18.1.el6.noarch.rpm

x86_64:
kernel-2.6.32-358.18.1.el6.x86_64.rpm
kernel-debug-2.6.32-358.18.1.el6.x86_64.rpm
kernel-debug-debuginfo-2.6.32-358.18.1.el6.x86_64.rpm
kernel-debug-devel-2.6.32-358.18.1.el6.x86_64.rpm
kernel-debuginfo-2.6.32-358.18.1.el6.x86_64.rpm
kernel-debuginfo-common-x86_64-2.6.32-358.18.1.el6.x86_64.rpm
kernel-devel-2.6.32-358.18.1.el6.x86_64.rpm
kernel-headers-2.6.32-358.18.1.el6.x86_64.rpm
perf-2.6.32-358.18.1.el6.x86_64.rpm
perf-debuginfo-2.6.32-358.18.1.el6.x86_64.rpm
python-perf-debuginfo-2.6.32-358.18.1.el6.x86_64.rpm

Red Hat Enterprise Linux Desktop Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/kernel-2.6.32-358.18.1.el6.src.rpm

i386:
kernel-debug-debuginfo-2.6.32-358.18.1.el6.i686.rpm
kernel-debuginfo-2.6.32-358.18.1.el6.i686.rpm
kernel-debuginfo-common-i686-2.6.32-358.18.1.el6.i686.rpm
perf-debuginfo-2.6.32-358.18.1.el6.i686.rpm
python-perf-2.6.32-358.18.1.el6.i686.rpm
python-perf-debuginfo-2.6.32-358.18.1.el6.i686.rpm

x86_64:
kernel-debug-debuginfo-2.6.32-358.18.1.el6.x86_64.rpm
kernel-debuginfo-2.6.32-358.18.1.el6.x86_64.rpm
kernel-debuginfo-common-x86_64-2.6.32-358.18.1.el6.x86_64.rpm
perf-debuginfo-2.6.32-358.18.1.el6.x86_64.rpm
python-perf-2.6.32-358.18.1.el6.x86_64.rpm
python-perf-debuginfo-2.6.32-358.18.1.el6.x86_64.rpm

Red Hat Enterprise Linux HPC Node (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/kernel-2.6.32-358.18.1.el6.src.rpm

noarch:
kernel-doc-2.6.32-358.18.1.el6.noarch.rpm
kernel-firmware-2.6.32-358.18.1.el6.noarch.rpm

x86_64:
kernel-2.6.32-358.18.1.el6.x86_64.rpm
kernel-debug-2.6.32-358.18.1.el6.x86_64.rpm
kernel-debug-debuginfo-2.6.32-358.18.1.el6.x86_64.rpm
kernel-debug-devel-2.6.32-358.18.1.el6.x86_64.rpm
kernel-debuginfo-2.6.32-358.18.1.el6.x86_64.rpm
kernel-debuginfo-common-x86_64-2.6.32-358.18.1.el6.x86_64.rpm
kernel-devel-2.6.32-358.18.1.el6.x86_64.rpm
kernel-headers-2.6.32-358.18.1.el6.x86_64.rpm
perf-2.6.32-358.18.1.el6.x86_64.rpm
perf-debuginfo-2.6.32-358.18.1.el6.x86_64.rpm
python-perf-debuginfo-2.6.32-358.18.1.el6.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/kernel-2.6.32-358.18.1.el6.src.rpm

x86_64:
kernel-debug-debuginfo-2.6.32-358.18.1.el6.x86_64.rpm
kernel-debuginfo-2.6.32-358.18.1.el6.x86_64.rpm
kernel-debuginfo-common-x86_64-2.6.32-358.18.1.el6.x86_64.rpm
perf-debuginfo-2.6.32-358.18.1.el6.x86_64.rpm
python-perf-2.6.32-358.18.1.el6.x86_64.rpm
python-perf-debuginfo-2.6.32-358.18.1.el6.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/kernel-2.6.32-358.18.1.el6.src.rpm

i386:
kernel-2.6.32-358.18.1.el6.i686.rpm
kernel-debug-2.6.32-358.18.1.el6.i686.rpm
kernel-debug-debuginfo-2.6.32-358.18.1.el6.i686.rpm
kernel-debug-devel-2.6.32-358.18.1.el6.i686.rpm
kernel-debuginfo-2.6.32-358.18.1.el6.i686.rpm
kernel-debuginfo-common-i686-2.6.32-358.18.1.el6.i686.rpm
kernel-devel-2.6.32-358.18.1.el6.i686.rpm
kernel-headers-2.6.32-358.18.1.el6.i686.rpm
perf-2.6.32-358.18.1.el6.i686.rpm
perf-debuginfo-2.6.32-358.18.1.el6.i686.rpm
python-perf-debuginfo-2.6.32-358.18.1.el6.i686.rpm

noarch:
kernel-doc-2.6.32-358.18.1.el6.noarch.rpm
kernel-firmware-2.6.32-358.18.1.el6.noarch.rpm

ppc64:
kernel-2.6.32-358.18.1.el6.ppc64.rpm
kernel-bootwrapper-2.6.32-358.18.1.el6.ppc64.rpm
kernel-debug-2.6.32-358.18.1.el6.ppc64.rpm
kernel-debug-debuginfo-2.6.32-358.18.1.el6.ppc64.rpm
kernel-debug-devel-2.6.32-358.18.1.el6.ppc64.rpm
kernel-debuginfo-2.6.32-358.18.1.el6.ppc64.rpm
kernel-debuginfo-common-ppc64-2.6.32-358.18.1.el6.ppc64.rpm
kernel-devel-2.6.32-358.18.1.el6.ppc64.rpm
kernel-headers-2.6.32-358.18.1.el6.ppc64.rpm
perf-2.6.32-358.18.1.el6.ppc64.rpm
perf-debuginfo-2.6.32-358.18.1.el6.ppc64.rpm
python-perf-debuginfo-2.6.32-358.18.1.el6.ppc64.rpm

s390x:
kernel-2.6.32-358.18.1.el6.s390x.rpm
kernel-debug-2.6.32-358.18.1.el6.s390x.rpm
kernel-debug-debuginfo-2.6.32-358.18.1.el6.s390x.rpm
kernel-debug-devel-2.6.32-358.18.1.el6.s390x.rpm
kernel-debuginfo-2.6.32-358.18.1.el6.s390x.rpm
kernel-debuginfo-common-s390x-2.6.32-358.18.1.el6.s390x.rpm
kernel-devel-2.6.32-358.18.1.el6.s390x.rpm
kernel-headers-2.6.32-358.18.1.el6.s390x.rpm
kernel-kdump-2.6.32-358.18.1.el6.s390x.rpm
kernel-kdump-debuginfo-2.6.32-358.18.1.el6.s390x.rpm
kernel-kdump-devel-2.6.32-358.18.1.el6.s390x.rpm
perf-2.6.32-358.18.1.el6.s390x.rpm
perf-debuginfo-2.6.32-358.18.1.el6.s390x.rpm
python-perf-debuginfo-2.6.32-358.18.1.el6.s390x.rpm

x86_64:
kernel-2.6.32-358.18.1.el6.x86_64.rpm
kernel-debug-2.6.32-358.18.1.el6.x86_64.rpm
kernel-debug-debuginfo-2.6.32-358.18.1.el6.x86_64.rpm
kernel-debug-devel-2.6.32-358.18.1.el6.x86_64.rpm
kernel-debuginfo-2.6.32-358.18.1.el6.x86_64.rpm
kernel-debuginfo-common-x86_64-2.6.32-358.18.1.el6.x86_64.rpm
kernel-devel-2.6.32-358.18.1.el6.x86_64.rpm
kernel-headers-2.6.32-358.18.1.el6.x86_64.rpm
perf-2.6.32-358.18.1.el6.x86_64.rpm
perf-debuginfo-2.6.32-358.18.1.el6.x86_64.rpm
python-perf-debuginfo-2.6.32-358.18.1.el6.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/kernel-2.6.32-358.18.1.el6.src.rpm

i386:
kernel-debug-debuginfo-2.6.32-358.18.1.el6.i686.rpm
kernel-debuginfo-2.6.32-358.18.1.el6.i686.rpm
kernel-debuginfo-common-i686-2.6.32-358.18.1.el6.i686.rpm
perf-debuginfo-2.6.32-358.18.1.el6.i686.rpm
python-perf-2.6.32-358.18.1.el6.i686.rpm
python-perf-debuginfo-2.6.32-358.18.1.el6.i686.rpm

ppc64:
kernel-debug-debuginfo-2.6.32-358.18.1.el6.ppc64.rpm
kernel-debuginfo-2.6.32-358.18.1.el6.ppc64.rpm
kernel-debuginfo-common-ppc64-2.6.32-358.18.1.el6.ppc64.rpm
perf-debuginfo-2.6.32-358.18.1.el6.ppc64.rpm
python-perf-2.6.32-358.18.1.el6.ppc64.rpm
python-perf-debuginfo-2.6.32-358.18.1.el6.ppc64.rpm

s390x:
kernel-debug-debuginfo-2.6.32-358.18.1.el6.s390x.rpm
kernel-debuginfo-2.6.32-358.18.1.el6.s390x.rpm
kernel-debuginfo-common-s390x-2.6.32-358.18.1.el6.s390x.rpm
kernel-kdump-debuginfo-2.6.32-358.18.1.el6.s390x.rpm
perf-debuginfo-2.6.32-358.18.1.el6.s390x.rpm
python-perf-2.6.32-358.18.1.el6.s390x.rpm
python-perf-debuginfo-2.6.32-358.18.1.el6.s390x.rpm

x86_64:
kernel-debug-debuginfo-2.6.32-358.18.1.el6.x86_64.rpm
kernel-debuginfo-2.6.32-358.18.1.el6.x86_64.rpm
kernel-debuginfo-common-x86_64-2.6.32-358.18.1.el6.x86_64.rpm
perf-debuginfo-2.6.32-358.18.1.el6.x86_64.rpm
python-perf-2.6.32-358.18.1.el6.x86_64.rpm
python-perf-debuginfo-2.6.32-358.18.1.el6.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/kernel-2.6.32-358.18.1.el6.src.rpm

i386:
kernel-2.6.32-358.18.1.el6.i686.rpm
kernel-debug-2.6.32-358.18.1.el6.i686.rpm
kernel-debug-debuginfo-2.6.32-358.18.1.el6.i686.rpm
kernel-debug-devel-2.6.32-358.18.1.el6.i686.rpm
kernel-debuginfo-2.6.32-358.18.1.el6.i686.rpm
kernel-debuginfo-common-i686-2.6.32-358.18.1.el6.i686.rpm
kernel-devel-2.6.32-358.18.1.el6.i686.rpm
kernel-headers-2.6.32-358.18.1.el6.i686.rpm
perf-2.6.32-358.18.1.el6.i686.rpm
perf-debuginfo-2.6.32-358.18.1.el6.i686.rpm
python-perf-debuginfo-2.6.32-358.18.1.el6.i686.rpm

noarch:
kernel-doc-2.6.32-358.18.1.el6.noarch.rpm
kernel-firmware-2.6.32-358.18.1.el6.noarch.rpm

x86_64:
kernel-2.6.32-358.18.1.el6.x86_64.rpm
kernel-debug-2.6.32-358.18.1.el6.x86_64.rpm
kernel-debug-debuginfo-2.6.32-358.18.1.el6.x86_64.rpm
kernel-debug-devel-2.6.32-358.18.1.el6.x86_64.rpm
kernel-debuginfo-2.6.32-358.18.1.el6.x86_64.rpm
kernel-debuginfo-common-x86_64-2.6.32-358.18.1.el6.x86_64.rpm
kernel-devel-2.6.32-358.18.1.el6.x86_64.rpm
kernel-headers-2.6.32-358.18.1.el6.x86_64.rpm
perf-2.6.32-358.18.1.el6.x86_64.rpm
perf-debuginfo-2.6.32-358.18.1.el6.x86_64.rpm
python-perf-debuginfo-2.6.32-358.18.1.el6.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/kernel-2.6.32-358.18.1.el6.src.rpm

i386:
kernel-debug-debuginfo-2.6.32-358.18.1.el6.i686.rpm
kernel-debuginfo-2.6.32-358.18.1.el6.i686.rpm
kernel-debuginfo-common-i686-2.6.32-358.18.1.el6.i686.rpm
perf-debuginfo-2.6.32-358.18.1.el6.i686.rpm
python-perf-2.6.32-358.18.1.el6.i686.rpm
python-perf-debuginfo-2.6.32-358.18.1.el6.i686.rpm

x86_64:
kernel-debug-debuginfo-2.6.32-358.18.1.el6.x86_64.rpm
kernel-debuginfo-2.6.32-358.18.1.el6.x86_64.rpm
kernel-debuginfo-common-x86_64-2.6.32-358.18.1.el6.x86_64.rpm
perf-debuginfo-2.6.32-358.18.1.el6.x86_64.rpm
python-perf-2.6.32-358.18.1.el6.x86_64.rpm
python-perf-debuginfo-2.6.32-358.18.1.el6.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2012-6544.html
https://www.redhat.com/security/data/cve/CVE-2013-2146.html
https://www.redhat.com/security/data/cve/CVE-2013-2206.html
https://www.redhat.com/security/data/cve/CVE-2013-2224.html
https://www.redhat.com/security/data/cve/CVE-2013-2232.html
https://www.redhat.com/security/data/cve/CVE-2013-2237.html
https://access.redhat.com/security/updates/classification/#important
https://rhn.redhat.com/errata/RHSA-2012-1304.html
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/6.4_Technical_Notes/kernel.html

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
From bugzilla at redhat.com Wed Aug 28 16:06:40 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 28 Aug 2013 16:06:40 +0000
Subject: [RHSA-2013:1182-01] Important: 389-ds-base security update
Message-ID: <201308281606.r7SG6eAf030831@int-mx12.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: 389-ds-base security update
Advisory ID:       RHSA-2013:1182-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-1182.html
Issue date:        2013-08-28
CVE Names:         CVE-2013-4283
=====================================================================

1. Summary:

Updated 389-ds-base packages that fix one security issue are now available
for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having important
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64

3. Description:

The 389 Directory Server is an LDAPv3 compliant server. The base packages
include the Lightweight Directory Access Protocol (LDAP) server and
command-line utilities for server administration.

It was discovered that the 389 Directory Server did not properly handle the
receipt of certain MOD operations with a bogus Distinguished Name (DN). A
remote, unauthenticated attacker could use this flaw to cause the 389
Directory Server to crash. (CVE-2013-4283)

All 389-ds-base users are advised to upgrade to these updated packages,
which contain a backported patch to correct this issue. After installing
this update, the 389 server service will be restarted automatically.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

999634 - CVE-2013-4283 389-ds-base: ns-slapd crash due to bogus DN

6. Package List:

Red Hat Enterprise Linux Desktop Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/389-ds-base-1.2.11.15-22.el6_4.src.rpm

i386:
389-ds-base-1.2.11.15-22.el6_4.i686.rpm
389-ds-base-debuginfo-1.2.11.15-22.el6_4.i686.rpm
389-ds-base-devel-1.2.11.15-22.el6_4.i686.rpm
389-ds-base-libs-1.2.11.15-22.el6_4.i686.rpm

x86_64:
389-ds-base-1.2.11.15-22.el6_4.x86_64.rpm
389-ds-base-debuginfo-1.2.11.15-22.el6_4.i686.rpm
389-ds-base-debuginfo-1.2.11.15-22.el6_4.x86_64.rpm
389-ds-base-devel-1.2.11.15-22.el6_4.i686.rpm
389-ds-base-devel-1.2.11.15-22.el6_4.x86_64.rpm
389-ds-base-libs-1.2.11.15-22.el6_4.i686.rpm
389-ds-base-libs-1.2.11.15-22.el6_4.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/389-ds-base-1.2.11.15-22.el6_4.src.rpm

x86_64:
389-ds-base-1.2.11.15-22.el6_4.x86_64.rpm
389-ds-base-debuginfo-1.2.11.15-22.el6_4.i686.rpm
389-ds-base-debuginfo-1.2.11.15-22.el6_4.x86_64.rpm
389-ds-base-devel-1.2.11.15-22.el6_4.i686.rpm
389-ds-base-devel-1.2.11.15-22.el6_4.x86_64.rpm
389-ds-base-libs-1.2.11.15-22.el6_4.i686.rpm
389-ds-base-libs-1.2.11.15-22.el6_4.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/389-ds-base-1.2.11.15-22.el6_4.src.rpm

i386:
389-ds-base-1.2.11.15-22.el6_4.i686.rpm
389-ds-base-debuginfo-1.2.11.15-22.el6_4.i686.rpm
389-ds-base-libs-1.2.11.15-22.el6_4.i686.rpm

x86_64:
389-ds-base-1.2.11.15-22.el6_4.x86_64.rpm
389-ds-base-debuginfo-1.2.11.15-22.el6_4.i686.rpm
389-ds-base-debuginfo-1.2.11.15-22.el6_4.x86_64.rpm
389-ds-base-libs-1.2.11.15-22.el6_4.i686.rpm
389-ds-base-libs-1.2.11.15-22.el6_4.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/389-ds-base-1.2.11.15-22.el6_4.src.rpm

i386:
389-ds-base-debuginfo-1.2.11.15-22.el6_4.i686.rpm
389-ds-base-devel-1.2.11.15-22.el6_4.i686.rpm

x86_64:
389-ds-base-debuginfo-1.2.11.15-22.el6_4.i686.rpm
389-ds-base-debuginfo-1.2.11.15-22.el6_4.x86_64.rpm
389-ds-base-devel-1.2.11.15-22.el6_4.i686.rpm
389-ds-base-devel-1.2.11.15-22.el6_4.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/389-ds-base-1.2.11.15-22.el6_4.src.rpm

i386:
389-ds-base-1.2.11.15-22.el6_4.i686.rpm
389-ds-base-debuginfo-1.2.11.15-22.el6_4.i686.rpm
389-ds-base-libs-1.2.11.15-22.el6_4.i686.rpm

x86_64:
389-ds-base-1.2.11.15-22.el6_4.x86_64.rpm
389-ds-base-debuginfo-1.2.11.15-22.el6_4.i686.rpm
389-ds-base-debuginfo-1.2.11.15-22.el6_4.x86_64.rpm
389-ds-base-libs-1.2.11.15-22.el6_4.i686.rpm
389-ds-base-libs-1.2.11.15-22.el6_4.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/389-ds-base-1.2.11.15-22.el6_4.src.rpm

i386:
389-ds-base-debuginfo-1.2.11.15-22.el6_4.i686.rpm
389-ds-base-devel-1.2.11.15-22.el6_4.i686.rpm

x86_64:
389-ds-base-debuginfo-1.2.11.15-22.el6_4.i686.rpm
389-ds-base-debuginfo-1.2.11.15-22.el6_4.x86_64.rpm
389-ds-base-devel-1.2.11.15-22.el6_4.i686.rpm
389-ds-base-devel-1.2.11.15-22.el6_4.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-4283.html
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.