From bugzilla at redhat.com Tue Oct 1 16:44:31 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 1 Oct 2013 16:44:31 +0000
Subject: [RHSA-2013:1294-01] Moderate: Red Hat Enterprise MRG Grid 2.4 security update
Message-ID: <201310011644.r91GiWVt017960@int-mx02.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat Enterprise MRG Grid 2.4 security update
Advisory ID:       RHSA-2013:1294-01
Product:           Red Hat Enterprise MRG for RHEL-6
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-1294.html
Issue date:        2013-10-01
CVE Names:         CVE-2013-4284
=====================================================================

1. Summary:

Updated Grid component packages that fix one security issue, multiple bugs, and add various enhancements are now available for Red Hat Enterprise MRG 2.4 for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

MRG Grid Execute Node for RHEL 6 ComputeNode v.2 - noarch, x86_64
MRG Grid Execute Node for RHEL 6 Server v.2 - i386, noarch, x86_64
MRG Grid for RHEL 6 Server v.2 - i386, noarch, x86_64
MRG Management for RHEL 6 ComputeNode v.2 - noarch
MRG Management for RHEL 6 Server v.2 - noarch
MRG Realtime for RHEL 6 Server v.2 - noarch
Red Hat MRG Messaging for RHEL 6 Server v.2 - noarch

3. Description:

Red Hat Enterprise MRG (Messaging, Realtime, and Grid) is a next-generation IT infrastructure for enterprise computing. MRG offers increased performance, reliability, interoperability, and faster computing for enterprise customers.
MRG Grid provides high-throughput computing and enables enterprises to achieve higher peak computing capacity as well as improved infrastructure utilization by leveraging their existing technology to build high performance grids. MRG Grid provides a job-queueing mechanism, scheduling policy, and a priority scheme, as well as resource monitoring and resource management. Users submit their jobs to MRG Grid, where they are placed into a queue. MRG Grid then chooses when and where to run the jobs based upon a policy, carefully monitors their progress, and ultimately informs the user upon completion.

A denial of service flaw was found in the way cumin, a web management console for MRG, processed certain Ajax update queries. A remote attacker could use this flaw to issue a specially crafted HTTP request, causing excessive use of CPU time and memory on the system. (CVE-2013-4284)

The CVE-2013-4284 issue was discovered by Tomas Novacik of Red Hat.

These updated packages for Red Hat Enterprise Linux 6 provide numerous enhancements and bug fixes for the Grid component of MRG. Some of the most important enhancements include:

* Improved resource utilization with scheduler driven slot partitioning
* Enhanced integration with existing user & group management technology, specifically allowing group and netgroup specifications in HTCondor security policies
* Addition of global job priorities, allowing for priority to span scaled-out queues
* Reduced memory utilization per running job

Space precludes documenting all of these changes in this advisory. Refer to the Red Hat Enterprise MRG 2 Technical Notes document, available shortly from the link in the References section, for information on these changes.

All users of the Grid capabilities of Red Hat Enterprise MRG are advised to upgrade to these updated packages, which correct this issue, and fix the bugs and add the enhancements noted in the Red Hat Enterprise MRG 2 Technical Notes.

4. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

794818 - RFE: Support multiple claims from p-slots in negotiation loop
986214 - CVE-2013-4284 cumin: Denial of service due to improper handling of certain Ajax requests

6. Package List:

MRG Grid Execute Node for RHEL 6 ComputeNode v.2:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/RHEMRG-RHEL6/SRPMS/condor-7.8.9-0.5.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/RHEMRG-RHEL6/SRPMS/mrg-release-2.4.0-1.el6.src.rpm

noarch:
mrg-release-2.4.0-1.el6.noarch.rpm

x86_64:
condor-7.8.9-0.5.el6.x86_64.rpm
condor-classads-7.8.9-0.5.el6.x86_64.rpm
condor-debuginfo-7.8.9-0.5.el6.x86_64.rpm
condor-kbdd-7.8.9-0.5.el6.x86_64.rpm
condor-qmf-7.8.9-0.5.el6.x86_64.rpm
condor-vm-gahp-7.8.9-0.5.el6.x86_64.rpm

MRG Management for RHEL 6 ComputeNode v.2:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/RHEMRG-RHEL6/SRPMS/mrg-release-2.4.0-1.el6.src.rpm

noarch:
mrg-release-2.4.0-1.el6.noarch.rpm

MRG Grid for RHEL 6 Server v.2:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHEMRG-RHEL6/SRPMS/condor-7.8.9-0.5.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHEMRG-RHEL6/SRPMS/cumin-0.1.5786-2.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHEMRG-RHEL6/SRPMS/mrg-release-2.4.0-1.el6.src.rpm

i386:
condor-7.8.9-0.5.el6.i686.rpm
condor-aviary-7.8.9-0.5.el6.i686.rpm
condor-classads-7.8.9-0.5.el6.i686.rpm
condor-cluster-resource-agent-7.8.9-0.5.el6.i686.rpm
condor-debuginfo-7.8.9-0.5.el6.i686.rpm
condor-kbdd-7.8.9-0.5.el6.i686.rpm
condor-plumage-7.8.9-0.5.el6.i686.rpm
condor-qmf-7.8.9-0.5.el6.i686.rpm

noarch:
cumin-0.1.5786-2.el6.noarch.rpm
mrg-release-2.4.0-1.el6.noarch.rpm

x86_64:
condor-7.8.9-0.5.el6.x86_64.rpm
condor-aviary-7.8.9-0.5.el6.x86_64.rpm
condor-classads-7.8.9-0.5.el6.x86_64.rpm
condor-cluster-resource-agent-7.8.9-0.5.el6.x86_64.rpm
condor-debuginfo-7.8.9-0.5.el6.x86_64.rpm
condor-deltacloud-gahp-7.8.9-0.5.el6.x86_64.rpm
condor-kbdd-7.8.9-0.5.el6.x86_64.rpm
condor-plumage-7.8.9-0.5.el6.x86_64.rpm
condor-qmf-7.8.9-0.5.el6.x86_64.rpm
condor-vm-gahp-7.8.9-0.5.el6.x86_64.rpm

MRG Grid Execute Node for RHEL 6 Server v.2:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHEMRG-RHEL6/SRPMS/condor-7.8.9-0.5.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHEMRG-RHEL6/SRPMS/mrg-release-2.4.0-1.el6.src.rpm

i386:
condor-7.8.9-0.5.el6.i686.rpm
condor-classads-7.8.9-0.5.el6.i686.rpm
condor-debuginfo-7.8.9-0.5.el6.i686.rpm
condor-kbdd-7.8.9-0.5.el6.i686.rpm
condor-qmf-7.8.9-0.5.el6.i686.rpm

noarch:
mrg-release-2.4.0-1.el6.noarch.rpm

x86_64:
condor-7.8.9-0.5.el6.x86_64.rpm
condor-classads-7.8.9-0.5.el6.x86_64.rpm
condor-debuginfo-7.8.9-0.5.el6.x86_64.rpm
condor-kbdd-7.8.9-0.5.el6.x86_64.rpm
condor-qmf-7.8.9-0.5.el6.x86_64.rpm
condor-vm-gahp-7.8.9-0.5.el6.x86_64.rpm

MRG Management for RHEL 6 Server v.2:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHEMRG-RHEL6/SRPMS/cumin-0.1.5786-2.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHEMRG-RHEL6/SRPMS/mrg-release-2.4.0-1.el6.src.rpm

noarch:
cumin-0.1.5786-2.el6.noarch.rpm
mrg-release-2.4.0-1.el6.noarch.rpm

Red Hat MRG Messaging for RHEL 6 Server v.2:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHEMRG-RHEL6/SRPMS/mrg-release-2.4.0-1.el6.src.rpm

noarch:
mrg-release-2.4.0-1.el6.noarch.rpm

MRG Realtime for RHEL 6 Server v.2:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHEMRG-RHEL6/SRPMS/mrg-release-2.4.0-1.el6.src.rpm

noarch:
mrg-release-2.4.0-1.el6.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-4284.html
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_MRG/2/html/Technical_Notes/RHSA-2013-1294.html

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFSSvvYXlSAg2UNWIIRAmxnAJ47J+Uhah6PdC1hF5O9RLlucGNvFgCfYUDx
C6G1sK9DibzNKRdzuhQAmvM=
=uw9z
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Tue Oct 1 16:45:34 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 1 Oct 2013 16:45:34 +0000
Subject: [RHSA-2013:1295-01] Moderate: Red Hat Enterprise MRG Grid 2.4 security update
Message-ID: <201310011645.r91GjZuu018731@int-mx02.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat Enterprise MRG Grid 2.4 security update
Advisory ID:       RHSA-2013:1295-01
Product:           Red Hat Enterprise MRG for RHEL-5
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-1295.html
Issue date:        2013-10-01
CVE Names:         CVE-2013-4284
=====================================================================

1. Summary:

Updated Grid component packages that fix one security issue, multiple bugs, and add various enhancements are now available for Red Hat Enterprise MRG 2.4 for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

MRG Grid Execute Node for RHEL 5 Server v.2 - i386, noarch, x86_64
MRG Grid for RHEL 5 Server v.2 - i386, noarch, x86_64
MRG Management for RHEL 5 Server v.2 - noarch
Red Hat MRG Messaging for RHEL 5 Server v.2 - noarch

3. Description:

Red Hat Enterprise MRG (Messaging, Realtime, and Grid) is a next-generation IT infrastructure for enterprise computing. MRG offers increased performance, reliability, interoperability, and faster computing for enterprise customers.

MRG Grid provides high-throughput computing and enables enterprises to achieve higher peak computing capacity as well as improved infrastructure utilization by leveraging their existing technology to build high performance grids. MRG Grid provides a job-queueing mechanism, scheduling policy, and a priority scheme, as well as resource monitoring and resource management. Users submit their jobs to MRG Grid, where they are placed into a queue. MRG Grid then chooses when and where to run the jobs based upon a policy, carefully monitors their progress, and ultimately informs the user upon completion.

A denial of service flaw was found in the way cumin, a web management console for MRG, processed certain Ajax update queries. A remote attacker could use this flaw to issue a specially crafted HTTP request, causing excessive use of CPU time and memory on the system. (CVE-2013-4284)

The CVE-2013-4284 issue was discovered by Tomas Novacik of Red Hat.

These updated packages for Red Hat Enterprise Linux 5 provide numerous enhancements and bug fixes for the Grid component of MRG.
Some of the most important enhancements include:

* Improved resource utilization with scheduler driven slot partitioning
* Enhanced integration with existing user & group management technology, specifically allowing group and netgroup specifications in HTCondor security policies
* Addition of global job priorities, allowing for priority to span scaled-out queues
* Reduced memory utilization per running job

Space precludes documenting all of these changes in this advisory. Refer to the Red Hat Enterprise MRG 2 Technical Notes document, available shortly from the link in the References section, for information on these changes.

All users of the Grid capabilities of Red Hat Enterprise MRG are advised to upgrade to these updated packages, which correct this issue, and fix the bugs and add the enhancements noted in the Red Hat Enterprise MRG 2 Technical Notes.

4. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

986214 - CVE-2013-4284 cumin: Denial of service due to improper handling of certain Ajax requests
990231 - Grid 2.4 RHEL5

6. Package List:

MRG Grid for RHEL 5 Server v.2:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/condor-7.8.9-0.5.el5_9.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/cumin-0.1.5786-2.el5_9.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/mrg-release-2.4.0-1.el5_9.src.rpm

i386:
condor-7.8.9-0.5.el5_9.i386.rpm
condor-aviary-7.8.9-0.5.el5_9.i386.rpm
condor-classads-7.8.9-0.5.el5_9.i386.rpm
condor-debuginfo-7.8.9-0.5.el5_9.i386.rpm
condor-kbdd-7.8.9-0.5.el5_9.i386.rpm
condor-qmf-7.8.9-0.5.el5_9.i386.rpm
condor-vm-gahp-7.8.9-0.5.el5_9.i386.rpm

noarch:
cumin-0.1.5786-2.el5_9.noarch.rpm
mrg-release-2.4.0-1.el5_9.noarch.rpm

x86_64:
condor-7.8.9-0.5.el5_9.x86_64.rpm
condor-aviary-7.8.9-0.5.el5_9.x86_64.rpm
condor-classads-7.8.9-0.5.el5_9.x86_64.rpm
condor-debuginfo-7.8.9-0.5.el5_9.x86_64.rpm
condor-kbdd-7.8.9-0.5.el5_9.x86_64.rpm
condor-qmf-7.8.9-0.5.el5_9.x86_64.rpm
condor-vm-gahp-7.8.9-0.5.el5_9.x86_64.rpm

MRG Grid Execute Node for RHEL 5 Server v.2:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/condor-7.8.9-0.5.el5_9.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/mrg-release-2.4.0-1.el5_9.src.rpm

i386:
condor-7.8.9-0.5.el5_9.i386.rpm
condor-classads-7.8.9-0.5.el5_9.i386.rpm
condor-debuginfo-7.8.9-0.5.el5_9.i386.rpm
condor-kbdd-7.8.9-0.5.el5_9.i386.rpm
condor-qmf-7.8.9-0.5.el5_9.i386.rpm
condor-vm-gahp-7.8.9-0.5.el5_9.i386.rpm

noarch:
mrg-release-2.4.0-1.el5_9.noarch.rpm

x86_64:
condor-7.8.9-0.5.el5_9.x86_64.rpm
condor-classads-7.8.9-0.5.el5_9.x86_64.rpm
condor-debuginfo-7.8.9-0.5.el5_9.x86_64.rpm
condor-kbdd-7.8.9-0.5.el5_9.x86_64.rpm
condor-qmf-7.8.9-0.5.el5_9.x86_64.rpm
condor-vm-gahp-7.8.9-0.5.el5_9.x86_64.rpm

MRG Management for RHEL 5 Server v.2:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/cumin-0.1.5786-2.el5_9.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/mrg-release-2.4.0-1.el5_9.src.rpm

noarch:
cumin-0.1.5786-2.el5_9.noarch.rpm
mrg-release-2.4.0-1.el5_9.noarch.rpm

Red Hat MRG Messaging for RHEL 5 Server v.2:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/mrg-release-2.4.0-1.el5_9.src.rpm

noarch:
mrg-release-2.4.0-1.el5_9.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-4284.html
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_MRG/2/html/Technical_Notes/RHSA-2013-1295.html

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFSSvwIXlSAg2UNWIIRApbnAJsGeDGoP7h8mrqKpydaLfa3h0Pb7wCfYU23
T8zWVWi1Ze/PNzlRXwd7XbQ=
=BEDi
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Tue Oct 1 16:52:40 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 1 Oct 2013 16:52:40 +0000
Subject: [RHSA-2013:1399-01] Low: Red Hat Enterprise MRG for Red Hat Enterprise Linux 5 6-month Notice
Message-ID: <201310011652.r91GqeAd016596@int-mx01.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: Red Hat Enterprise MRG for Red Hat Enterprise Linux 5 6-month Notice
Advisory ID:       RHSA-2013:1399-01
Product:           Red Hat Enterprise MRG for RHEL-5
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-1399.html
Issue date:        2013-10-01
=====================================================================

1. Summary:

This is the 6-month notification for the retirement of Red Hat Enterprise MRG Version 1 and Version 2 for Red Hat Enterprise Linux 5.

2. Relevant releases/architectures:

MRG Grid Execute Node for RHEL 5 Server - noarch
MRG Grid Execute Node for RHEL 5 Server v.2 - noarch
MRG Grid for RHEL 5 Server - noarch
MRG Grid for RHEL 5 Server v.2 - noarch
MRG Management for RHEL 5 Server - noarch
MRG Management for RHEL 5 Server v.2 - noarch
MRG Realtime for RHEL 5 Server - noarch
Red Hat MRG Messaging Base for RHEL 5 Server - noarch
Red Hat MRG Messaging for RHEL 5 Server - noarch
Red Hat MRG Messaging for RHEL 5 Server v.2 - noarch

3. Description:

In accordance with the Red Hat Enterprise MRG Life Cycle policy, the Red Hat Enterprise MRG products, which include the MRG-Messaging, MRG-Realtime, and MRG-Grid, Version 1 and Version 2 offerings for Red Hat Enterprise Linux 5 will be retired as of March 31, 2014, and support will no longer be provided. Accordingly, Red Hat will no longer provide updated packages, including critical impact security patches or urgent priority bug fixes, for MRG-Messaging, MRG-Realtime, and MRG-Grid on Red Hat Enterprise Linux 5 after that date. In addition, technical support through Red Hat's Global Support Services will no longer be provided for these products on Red Hat Enterprise Linux 5 after March 31, 2014.

Note: This notification applies only to those customers with subscriptions for Red Hat Enterprise MRG Version 1 and Version 2 for Red Hat Enterprise Linux 5.

We encourage customers to plan their migration from Red Hat Enterprise MRG Version 1 and Version 2 for Red Hat Enterprise Linux 5 to Red Hat Enterprise MRG Version 2 on Red Hat Enterprise Linux 6. As a benefit of the Red Hat subscription model, customers can use their active Red Hat Enterprise MRG subscriptions to entitle any system on a currently supported version of that product.
Details of the Red Hat Enterprise MRG life cycle can be found here: https://access.redhat.com/support/policy/updates/mrg/

4. Solution:

This erratum contains an updated mrg-release package, which provides a copy of this notice in the "/usr/share/doc/" directory.

5. Package List:

MRG Grid for RHEL 5 Server:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/mrg-release-1.3.3-3.el5.src.rpm

noarch:
mrg-release-1.3.3-3.el5.noarch.rpm

MRG Grid for RHEL 5 Server v.2:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/mrg-release-2.4.0-3.el5_9.src.rpm

noarch:
mrg-release-2.4.0-3.el5_9.noarch.rpm

MRG Grid Execute Node for RHEL 5 Server:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/mrg-release-1.3.3-3.el5.src.rpm

noarch:
mrg-release-1.3.3-3.el5.noarch.rpm

MRG Grid Execute Node for RHEL 5 Server v.2:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/mrg-release-2.4.0-3.el5_9.src.rpm

noarch:
mrg-release-2.4.0-3.el5_9.noarch.rpm

MRG Management for RHEL 5 Server:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/mrg-release-1.3.3-3.el5.src.rpm

noarch:
mrg-release-1.3.3-3.el5.noarch.rpm

MRG Management for RHEL 5 Server v.2:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/mrg-release-2.4.0-3.el5_9.src.rpm

noarch:
mrg-release-2.4.0-3.el5_9.noarch.rpm

Red Hat MRG Messaging for RHEL 5 Server:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/mrg-release-1.3.3-3.el5.src.rpm

noarch:
mrg-release-1.3.3-3.el5.noarch.rpm

Red Hat MRG Messaging for RHEL 5 Server v.2:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/mrg-release-2.4.0-3.el5_9.src.rpm

noarch:
mrg-release-2.4.0-3.el5_9.noarch.rpm

Red Hat MRG Messaging Base for RHEL 5 Server:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/mrg-release-1.3.3-3.el5.src.rpm

noarch:
mrg-release-1.3.3-3.el5.noarch.rpm

MRG Realtime for RHEL 5 Server:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/mrg-release-1.3.3-3.el5.src.rpm

noarch:
mrg-release-1.3.3-3.el5.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

6. References:

https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/support/policy/updates/mrg/

7. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFSSv3HXlSAg2UNWIIRAlBcAKCo0H9TFzcRqJCTef/rqV4FmFqIvgCfeprm
D1bXrikKBspw48TrW67GXro=
=bwf6
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Oct 2 21:00:57 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 2 Oct 2013 21:00:57 +0000
Subject: [RHSA-2013:1402-01] Important: Adobe Reader - notification of end of updates
Message-ID: <201310022100.r92L0fEc011817@int-mx01.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Adobe Reader - notification of end of updates
Advisory ID:       RHSA-2013:1402-01
Product:           Red Hat Enterprise Linux Supplementary
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-1402.html
Issue date:        2013-10-02
=====================================================================

1. Summary:

Updated acroread packages that disable the Adobe Reader web browser plug-in are now available for Red Hat Enterprise Linux 5 and 6 Supplementary.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64

3. Description:

Adobe Reader allows users to view and print documents in Portable Document Format (PDF).

Adobe Reader 9 reached the end of its support cycle on June 26, 2013, and will not receive any more security updates. Future versions of Adobe Acrobat Reader will not be available with Red Hat Enterprise Linux.

The Adobe Reader packages in the Red Hat Network (RHN) channels will continue to be available. Red Hat will continue to provide these packages only as a courtesy to customers. Red Hat will not provide updates to the Adobe Reader packages.

This update disables the Adobe Reader web browser plug-in, which is available via the acroread-plugin package, to prevent the exploitation of security issues without user interaction when a user visits a malicious web page.

4. Solution:

Red Hat advises users to reconsider further use of Adobe Reader for Linux, as it may contain known, unpatched security issues. Alternative PDF rendering software, such as Evince and KPDF (part of the kdegraphics package) in Red Hat Enterprise Linux 5, or Evince and Okular (part of the kdegraphics package) in Red Hat Enterprise Linux 6, should be considered. These packages will continue to receive security fixes.

Red Hat will no longer provide security updates to these packages and recommends that customers not use this application on Red Hat Enterprise Linux effective immediately.

5. Package List:

Red Hat Enterprise Linux Desktop Supplementary (v. 5):

i386:
acroread-9.5.5-2.el5_10.i386.rpm
acroread-plugin-9.5.5-2.el5_10.i386.rpm

x86_64:
acroread-9.5.5-2.el5_10.i386.rpm
acroread-plugin-9.5.5-2.el5_10.i386.rpm

Red Hat Enterprise Linux Server Supplementary (v. 5):

i386:
acroread-9.5.5-2.el5_10.i386.rpm
acroread-plugin-9.5.5-2.el5_10.i386.rpm

x86_64:
acroread-9.5.5-2.el5_10.i386.rpm
acroread-plugin-9.5.5-2.el5_10.i386.rpm

Red Hat Enterprise Linux Desktop Supplementary (v. 6):

i386:
acroread-9.5.5-1.el6_4.1.i686.rpm
acroread-plugin-9.5.5-1.el6_4.1.i686.rpm

x86_64:
acroread-9.5.5-1.el6_4.1.i686.rpm
acroread-plugin-9.5.5-1.el6_4.1.i686.rpm

Red Hat Enterprise Linux Server Supplementary (v. 6):

i386:
acroread-9.5.5-1.el6_4.1.i686.rpm
acroread-plugin-9.5.5-1.el6_4.1.i686.rpm

x86_64:
acroread-9.5.5-1.el6_4.1.i686.rpm
acroread-plugin-9.5.5-1.el6_4.1.i686.rpm

Red Hat Enterprise Linux Workstation Supplementary (v. 6):

i386:
acroread-9.5.5-1.el6_4.1.i686.rpm
acroread-plugin-9.5.5-1.el6_4.1.i686.rpm

x86_64:
acroread-9.5.5-1.el6_4.1.i686.rpm
acroread-plugin-9.5.5-1.el6_4.1.i686.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

6. References:

https://access.redhat.com/security/updates/classification/#important
http://www.adobe.com/support/products/enterprise/eol/eol_matrix.html#863

7. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFSTIjrXlSAg2UNWIIRAuZtAJ9VMLCdj4MfqwWhbIt6SduHlU1IDgCcC3SZ
4GXQj9NmluZQt4Veic4qq8Q=
=gGrk
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Mon Oct 7 17:24:38 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 7 Oct 2013 17:24:38 +0000
Subject: [RHSA-2013:1409-01] Moderate: xinetd security update
Message-ID: <201310071724.r97HOdut012391@int-mx12.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: xinetd security update
Advisory ID:       RHSA-2013:1409-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-1409.html
Issue date:        2013-10-07
Keywords:          xinetd
CVE Names:         CVE-2013-4342
=====================================================================

1. Summary:

An updated xinetd package that fixes one security issue is now available for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64

3. Description:

The xinetd package provides a secure replacement for inetd, the Internet services daemon. xinetd provides access control for all services based on the address of the remote host and/or on time of access, and can prevent denial-of-access attacks.
It was found that xinetd ignored the user and group configuration directives for services running under the tcpmux-server service. This flaw could cause the associated services to run as root. If there was a flaw in such a service, a remote attacker could use it to execute arbitrary code with the privileges of the root user. (CVE-2013-4342)

Red Hat would like to thank Thomas Swan of FedEx for reporting this issue.

All xinetd users are advised to upgrade to this updated package, which contains a backported patch to correct this issue.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

1006100 - CVE-2013-4342 xinetd: ignores user and group directives for tcpmux services

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/xinetd-2.3.14-20.el5_10.src.rpm

i386:
xinetd-2.3.14-20.el5_10.i386.rpm
xinetd-debuginfo-2.3.14-20.el5_10.i386.rpm

x86_64:
xinetd-2.3.14-20.el5_10.x86_64.rpm
xinetd-debuginfo-2.3.14-20.el5_10.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/xinetd-2.3.14-20.el5_10.src.rpm

i386:
xinetd-2.3.14-20.el5_10.i386.rpm
xinetd-debuginfo-2.3.14-20.el5_10.i386.rpm

ia64:
xinetd-2.3.14-20.el5_10.ia64.rpm
xinetd-debuginfo-2.3.14-20.el5_10.ia64.rpm

ppc:
xinetd-2.3.14-20.el5_10.ppc.rpm
xinetd-debuginfo-2.3.14-20.el5_10.ppc.rpm

s390x:
xinetd-2.3.14-20.el5_10.s390x.rpm
xinetd-debuginfo-2.3.14-20.el5_10.s390x.rpm

x86_64:
xinetd-2.3.14-20.el5_10.x86_64.rpm
xinetd-debuginfo-2.3.14-20.el5_10.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/xinetd-2.3.14-39.el6_4.src.rpm

i386:
xinetd-2.3.14-39.el6_4.i686.rpm
xinetd-debuginfo-2.3.14-39.el6_4.i686.rpm

x86_64:
xinetd-2.3.14-39.el6_4.x86_64.rpm
xinetd-debuginfo-2.3.14-39.el6_4.x86_64.rpm

Red Hat Enterprise Linux HPC Node (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/xinetd-2.3.14-39.el6_4.src.rpm

x86_64:
xinetd-2.3.14-39.el6_4.x86_64.rpm
xinetd-debuginfo-2.3.14-39.el6_4.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/xinetd-2.3.14-39.el6_4.src.rpm

i386:
xinetd-2.3.14-39.el6_4.i686.rpm
xinetd-debuginfo-2.3.14-39.el6_4.i686.rpm

ppc64:
xinetd-2.3.14-39.el6_4.ppc64.rpm
xinetd-debuginfo-2.3.14-39.el6_4.ppc64.rpm

s390x:
xinetd-2.3.14-39.el6_4.s390x.rpm
xinetd-debuginfo-2.3.14-39.el6_4.s390x.rpm

x86_64:
xinetd-2.3.14-39.el6_4.x86_64.rpm
xinetd-debuginfo-2.3.14-39.el6_4.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/xinetd-2.3.14-39.el6_4.src.rpm

i386:
xinetd-2.3.14-39.el6_4.i686.rpm
xinetd-debuginfo-2.3.14-39.el6_4.i686.rpm

x86_64:
xinetd-2.3.14-39.el6_4.x86_64.rpm
xinetd-debuginfo-2.3.14-39.el6_4.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-4342.html
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFSUu43XlSAg2UNWIIRAhb9AKCsgG1dIkv6K/fD9cvcMVkl7Anl1ACfai6u
3OfLBMpAJrvHeXoBWD179m8=
=GBdo
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Tue Oct 8 16:31:27 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 8 Oct 2013 16:31:27 +0000
Subject: [RHSA-2013:1411-01] Moderate: glibc security and bug fix update
Message-ID: <201310081631.r98GVRth024093@int-mx01.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: glibc security and bug fix update
Advisory ID:       RHSA-2013:1411-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-1411.html
Issue date:        2013-10-08
CVE Names:         CVE-2013-4332
=====================================================================

1. Summary:

Updated glibc packages that fix one security issue and one bug are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64

3. Description:

The glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the Name Server Caching Daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly.

Multiple integer overflow flaws, leading to heap-based buffer overflows, were found in glibc's memory allocator functions (pvalloc, valloc, and memalign).
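The arithmetic behind the pvalloc, valloc and memalign flaw, as an added example that is not part of the advisory or of glibc: the unchecked round-up of a request to an alignment boundary, which wraps for a size close to SIZE_MAX and turns a huge request into a tiny one, next to the pre-check that rejects such a request before the addition, and a wrapper that applies that check ahead of posix_memalign. MIN_CHUNK_OVERHEAD, the function names and the wrapper design are this example's own assumptions, not glibc internals.

```c
/*
 * Added example, not code from the advisory or from glibc. It shows the
 * integer-overflow pattern behind CVE-2013-4332: an allocator rounds the
 * requested size up to an alignment boundary, and for a request close to
 * SIZE_MAX that addition wraps, so a huge request becomes a tiny one and
 * the caller later writes far past the small chunk it was given.
 * MIN_CHUNK_OVERHEAD and all function names are this example's own
 * assumptions, not glibc internals.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define MIN_CHUNK_OVERHEAD 32   /* assumed allocator bookkeeping per chunk */

/* Vulnerable pattern: no check before the addition. For bytes = SIZE_MAX-10
 * and align = 4096 the sum wraps to 4084 and the mask then yields 0. */
size_t round_up_unchecked(size_t bytes, size_t align)
{
    return (bytes + align - 1) & ~(align - 1);
}

/* Fixed pattern: reject before anything can wrap. Returns 0, or -1 with
 * errno = EINVAL (alignment not a power of two) / ENOMEM (too large).
 * rounded may be NULL when only the verdict is wanted. */
int round_up_checked(size_t bytes, size_t align, size_t *rounded)
{
    if (align == 0 || (align & (align - 1)) != 0) {
        errno = EINVAL;
        return -1;
    }
    /* Same test as bytes + align + MIN_CHUNK_OVERHEAD > SIZE_MAX, but the
     * subtraction form cannot itself overflow. */
    if (bytes > SIZE_MAX - align - MIN_CHUNK_OVERHEAD) {
        errno = ENOMEM;
        return -1;
    }
    if (rounded)
        *rounded = (bytes + align - 1) & ~(align - 1);
    return 0;
}

/* pvalloc-style request: round to the page size through the same check. */
int page_round_checked(size_t bytes, size_t *rounded)
{
    long pg = sysconf(_SC_PAGESIZE);
    if (pg <= 0) {
        errno = EINVAL;
        return -1;
    }
    return round_up_checked(bytes, (size_t)pg, rounded);
}

/* memalign-style wrapper: validate, then delegate to posix_memalign.
 * Returns NULL with errno set on failure. */
void *checked_memalign(size_t align, size_t bytes)
{
    void *p = NULL;
    if (round_up_checked(bytes, align, NULL) != 0)
        return NULL;                  /* errno already set */
    if (align < sizeof(void *))
        align = sizeof(void *);       /* posix_memalign's minimum */
    int rc = posix_memalign(&p, align, bytes);
    if (rc != 0) {
        errno = rc;
        return NULL;
    }
    return p;
}

/* Allocate, touch every requested byte, check alignment, free.
 * Returns 1 on success, 0 when the request was rejected. */
int checked_memalign_ok(size_t align, size_t bytes)
{
    void *p = checked_memalign(align, bytes);
    if (p == NULL)
        return 0;
    int aligned = ((uintptr_t)p % align) == 0;
    memset(p, 0xA5, bytes);           /* safe: the size was validated */
    free(p);
    return aligned;
}

int main(void)
{
    size_t huge = SIZE_MAX - 10, r;
    printf("unchecked round-up of SIZE_MAX-10: %zu\n",
           round_up_unchecked(huge, 4096));
    if (round_up_checked(huge, 4096, &r) != 0)
        printf("checked round-up: rejected, %s\n", strerror(errno));
    if (page_round_checked(100, &r) == 0)
        printf("pvalloc-style round-up of 100: %zu\n", r);
    printf("memalign(64, 100) ok: %d, memalign(4096, SIZE_MAX-10) ok: %d\n",
           checked_memalign_ok(64, 100), checked_memalign_ok(4096, huge));
    return 0;
}
```

Build with `gcc -std=c99 -Wall` and run. The unchecked function shows the wrap the advisory describes: a request of almost 16 EiB rounds to 0 bytes. The checked variant refuses it with ENOMEM before any arithmetic, which is also the observable behaviour of the real memalign on a glibc that carries the fix.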
If an application used such a function, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2013-4332)

This update also fixes the following bug:

* Prior to this update, the size of the L3 cache in certain CPUs for SMP (Symmetric Multiprocessing) servers was not correctly detected. The incorrect cache size detection resulted in less than optimal performance for routines that used this information, including the memset() function. To fix this bug, the cache size detection has been corrected and core routines including memset() have their performance restored to expected levels. (BZ#1011424)

All glibc users are advised to upgrade to these updated packages, which contain backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

1007545 - CVE-2013-4332 glibc: three integer overflows in memory allocator

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/glibc-2.5-118.el5_10.2.src.rpm

i386:
glibc-2.5-118.el5_10.2.i386.rpm
glibc-2.5-118.el5_10.2.i686.rpm
glibc-common-2.5-118.el5_10.2.i386.rpm
glibc-debuginfo-2.5-118.el5_10.2.i386.rpm
glibc-debuginfo-2.5-118.el5_10.2.i686.rpm
glibc-debuginfo-common-2.5-118.el5_10.2.i386.rpm
glibc-devel-2.5-118.el5_10.2.i386.rpm
glibc-headers-2.5-118.el5_10.2.i386.rpm
glibc-utils-2.5-118.el5_10.2.i386.rpm
nscd-2.5-118.el5_10.2.i386.rpm

x86_64:
glibc-2.5-118.el5_10.2.i686.rpm
glibc-2.5-118.el5_10.2.x86_64.rpm
glibc-common-2.5-118.el5_10.2.x86_64.rpm
glibc-debuginfo-2.5-118.el5_10.2.i386.rpm
glibc-debuginfo-2.5-118.el5_10.2.i686.rpm
glibc-debuginfo-2.5-118.el5_10.2.x86_64.rpm
glibc-debuginfo-common-2.5-118.el5_10.2.i386.rpm
glibc-devel-2.5-118.el5_10.2.i386.rpm
glibc-devel-2.5-118.el5_10.2.x86_64.rpm
glibc-headers-2.5-118.el5_10.2.x86_64.rpm
glibc-utils-2.5-118.el5_10.2.x86_64.rpm
nscd-2.5-118.el5_10.2.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/glibc-2.5-118.el5_10.2.src.rpm

i386:
glibc-2.5-118.el5_10.2.i386.rpm
glibc-2.5-118.el5_10.2.i686.rpm
glibc-common-2.5-118.el5_10.2.i386.rpm
glibc-debuginfo-2.5-118.el5_10.2.i386.rpm
glibc-debuginfo-2.5-118.el5_10.2.i686.rpm
glibc-debuginfo-common-2.5-118.el5_10.2.i386.rpm
glibc-devel-2.5-118.el5_10.2.i386.rpm
glibc-headers-2.5-118.el5_10.2.i386.rpm
glibc-utils-2.5-118.el5_10.2.i386.rpm
nscd-2.5-118.el5_10.2.i386.rpm

ia64:
glibc-2.5-118.el5_10.2.i686.rpm
glibc-2.5-118.el5_10.2.ia64.rpm
glibc-common-2.5-118.el5_10.2.ia64.rpm
glibc-debuginfo-2.5-118.el5_10.2.i686.rpm
glibc-debuginfo-2.5-118.el5_10.2.ia64.rpm
glibc-debuginfo-common-2.5-118.el5_10.2.i386.rpm
glibc-devel-2.5-118.el5_10.2.ia64.rpm
glibc-headers-2.5-118.el5_10.2.ia64.rpm
glibc-utils-2.5-118.el5_10.2.ia64.rpm
nscd-2.5-118.el5_10.2.ia64.rpm

ppc:
glibc-2.5-118.el5_10.2.ppc.rpm
glibc-2.5-118.el5_10.2.ppc64.rpm
glibc-common-2.5-118.el5_10.2.ppc.rpm
glibc-debuginfo-2.5-118.el5_10.2.ppc.rpm
glibc-debuginfo-2.5-118.el5_10.2.ppc64.rpm
glibc-devel-2.5-118.el5_10.2.ppc.rpm
glibc-devel-2.5-118.el5_10.2.ppc64.rpm
glibc-headers-2.5-118.el5_10.2.ppc.rpm
glibc-utils-2.5-118.el5_10.2.ppc.rpm
nscd-2.5-118.el5_10.2.ppc.rpm

s390x:
glibc-2.5-118.el5_10.2.s390.rpm
glibc-2.5-118.el5_10.2.s390x.rpm
glibc-common-2.5-118.el5_10.2.s390x.rpm
glibc-debuginfo-2.5-118.el5_10.2.s390.rpm
glibc-debuginfo-2.5-118.el5_10.2.s390x.rpm
glibc-devel-2.5-118.el5_10.2.s390.rpm
glibc-devel-2.5-118.el5_10.2.s390x.rpm
glibc-headers-2.5-118.el5_10.2.s390x.rpm
glibc-utils-2.5-118.el5_10.2.s390x.rpm
nscd-2.5-118.el5_10.2.s390x.rpm

x86_64:
glibc-2.5-118.el5_10.2.i686.rpm
glibc-2.5-118.el5_10.2.x86_64.rpm
glibc-common-2.5-118.el5_10.2.x86_64.rpm
glibc-debuginfo-2.5-118.el5_10.2.i386.rpm
glibc-debuginfo-2.5-118.el5_10.2.i686.rpm
glibc-debuginfo-2.5-118.el5_10.2.x86_64.rpm
glibc-debuginfo-common-2.5-118.el5_10.2.i386.rpm
glibc-devel-2.5-118.el5_10.2.i386.rpm
glibc-devel-2.5-118.el5_10.2.x86_64.rpm
glibc-headers-2.5-118.el5_10.2.x86_64.rpm
glibc-utils-2.5-118.el5_10.2.x86_64.rpm
nscd-2.5-118.el5_10.2.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-4332.html
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFSVDNBXlSAg2UNWIIRAmYPAJ4kwUy2PEBwIQdfan7y01QGHinPGQCfYBMh
omiZGiWAXG2i8uqm1RgxPrs=
=d1xX
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Oct 10 16:46:25 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 10 Oct 2013 16:46:25 +0000
Subject: [RHSA-2013:1418-01] Moderate: libtar security update
Message-ID: <201310101646.r9AGkQfu030134@int-mx11.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: libtar security update
Advisory ID:       RHSA-2013:1418-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-1418.html
Issue date:        2013-10-10
Keywords:          libtar
CVE Names:         CVE-2013-4397
=====================================================================

1. Summary:

An updated libtar package that fixes one security issue is now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64

3. Description:

The libtar package contains a C library for manipulating tar archives. The library supports both the strict POSIX tar format and many of the commonly used GNU extensions.

Two heap-based buffer overflow flaws were found in the way libtar handled certain archives. If a user were tricked into expanding a specially-crafted archive, it could cause the libtar executable or an application using libtar to crash or, potentially, execute arbitrary code. (CVE-2013-4397)

Note: This issue only affected 32-bit builds of libtar.

Red Hat would like to thank Timo Warns for reporting this issue.

All libtar users are advised to upgrade to this updated package, which contains a backported patch to correct this issue.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

1014492 - CVE-2013-4397 libtar: Heap-based buffer overflows by expanding a specially-crafted archive

6. Package List:

Red Hat Enterprise Linux Desktop (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/libtar-1.2.11-17.el6_4.1.src.rpm

i386:
libtar-1.2.11-17.el6_4.1.i686.rpm
libtar-debuginfo-1.2.11-17.el6_4.1.i686.rpm

x86_64:
libtar-1.2.11-17.el6_4.1.x86_64.rpm
libtar-debuginfo-1.2.11-17.el6_4.1.x86_64.rpm

Red Hat Enterprise Linux Desktop Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/libtar-1.2.11-17.el6_4.1.src.rpm

i386:
libtar-debuginfo-1.2.11-17.el6_4.1.i686.rpm
libtar-devel-1.2.11-17.el6_4.1.i686.rpm

x86_64:
libtar-1.2.11-17.el6_4.1.i686.rpm
libtar-debuginfo-1.2.11-17.el6_4.1.i686.rpm
libtar-debuginfo-1.2.11-17.el6_4.1.x86_64.rpm
libtar-devel-1.2.11-17.el6_4.1.i686.rpm
libtar-devel-1.2.11-17.el6_4.1.x86_64.rpm

Red Hat Enterprise Linux HPC Node (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/libtar-1.2.11-17.el6_4.1.src.rpm

x86_64:
libtar-1.2.11-17.el6_4.1.x86_64.rpm
libtar-debuginfo-1.2.11-17.el6_4.1.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/libtar-1.2.11-17.el6_4.1.src.rpm

x86_64:
libtar-1.2.11-17.el6_4.1.i686.rpm
libtar-debuginfo-1.2.11-17.el6_4.1.i686.rpm
libtar-debuginfo-1.2.11-17.el6_4.1.x86_64.rpm
libtar-devel-1.2.11-17.el6_4.1.i686.rpm
libtar-devel-1.2.11-17.el6_4.1.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/libtar-1.2.11-17.el6_4.1.src.rpm

i386:
libtar-1.2.11-17.el6_4.1.i686.rpm
libtar-debuginfo-1.2.11-17.el6_4.1.i686.rpm

ppc64:
libtar-1.2.11-17.el6_4.1.ppc64.rpm
libtar-debuginfo-1.2.11-17.el6_4.1.ppc64.rpm

s390x:
libtar-1.2.11-17.el6_4.1.s390x.rpm
libtar-debuginfo-1.2.11-17.el6_4.1.s390x.rpm

x86_64:
libtar-1.2.11-17.el6_4.1.x86_64.rpm
libtar-debuginfo-1.2.11-17.el6_4.1.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/libtar-1.2.11-17.el6_4.1.src.rpm

i386:
libtar-debuginfo-1.2.11-17.el6_4.1.i686.rpm
libtar-devel-1.2.11-17.el6_4.1.i686.rpm

ppc64:
libtar-1.2.11-17.el6_4.1.ppc.rpm
libtar-debuginfo-1.2.11-17.el6_4.1.ppc.rpm
libtar-debuginfo-1.2.11-17.el6_4.1.ppc64.rpm
libtar-devel-1.2.11-17.el6_4.1.ppc.rpm
libtar-devel-1.2.11-17.el6_4.1.ppc64.rpm

s390x:
libtar-1.2.11-17.el6_4.1.s390.rpm
libtar-debuginfo-1.2.11-17.el6_4.1.s390.rpm
libtar-debuginfo-1.2.11-17.el6_4.1.s390x.rpm
libtar-devel-1.2.11-17.el6_4.1.s390.rpm
libtar-devel-1.2.11-17.el6_4.1.s390x.rpm

x86_64:
libtar-1.2.11-17.el6_4.1.i686.rpm
libtar-debuginfo-1.2.11-17.el6_4.1.i686.rpm
libtar-debuginfo-1.2.11-17.el6_4.1.x86_64.rpm
libtar-devel-1.2.11-17.el6_4.1.i686.rpm
libtar-devel-1.2.11-17.el6_4.1.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/libtar-1.2.11-17.el6_4.1.src.rpm

i386:
libtar-1.2.11-17.el6_4.1.i686.rpm
libtar-debuginfo-1.2.11-17.el6_4.1.i686.rpm

x86_64:
libtar-1.2.11-17.el6_4.1.x86_64.rpm
libtar-debuginfo-1.2.11-17.el6_4.1.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/libtar-1.2.11-17.el6_4.1.src.rpm

i386:
libtar-debuginfo-1.2.11-17.el6_4.1.i686.rpm
libtar-devel-1.2.11-17.el6_4.1.i686.rpm

x86_64:
libtar-1.2.11-17.el6_4.1.i686.rpm
libtar-debuginfo-1.2.11-17.el6_4.1.i686.rpm
libtar-debuginfo-1.2.11-17.el6_4.1.x86_64.rpm
libtar-devel-1.2.11-17.el6_4.1.i686.rpm
libtar-devel-1.2.11-17.el6_4.1.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-4397.html
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFSVtmoXlSAg2UNWIIRAr+WAKCMmDc7V3DciUhSukoBSJElBwjkNwCgozwd
3oqbvSJX62cgmWUUJqbUAn0=
=HRux
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Tue Oct 15 18:42:16 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 15 Oct 2013 18:42:16 +0000
Subject: [RHSA-2013:1426-01] Important: xorg-x11-server security update
Message-ID: <201310151842.r9FIgHva014830@int-mx01.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: xorg-x11-server security update
Advisory ID:       RHSA-2013:1426-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-1426.html
Issue date:        2013-10-15
CVE Names:         CVE-2013-4396
=====================================================================

1. Summary:

Updated xorg-x11-server packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, noarch, x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - noarch, x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, noarch, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, noarch, x86_64

3. Description:

X.Org is an open source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon.

A use-after-free flaw was found in the way the X.Org server handled ImageText requests. A malicious, authorized client could use this flaw to crash the X.Org server or, potentially, execute arbitrary code with root privileges. (CVE-2013-4396)

Red Hat would like to thank the X.Org security team for reporting this issue. Upstream acknowledges Pedro Ribeiro as the original reporter.

All xorg-x11-server users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.

4. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

1014561 - CVE-2013-4396 xorg-x11-server: use-after-free flaw when handling ImageText requests

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/xorg-x11-server-1.1.1-48.101.el5_10.1.src.rpm

i386:
xorg-x11-server-Xdmx-1.1.1-48.101.el5_10.1.i386.rpm
xorg-x11-server-Xephyr-1.1.1-48.101.el5_10.1.i386.rpm
xorg-x11-server-Xnest-1.1.1-48.101.el5_10.1.i386.rpm
xorg-x11-server-Xorg-1.1.1-48.101.el5_10.1.i386.rpm
xorg-x11-server-Xvfb-1.1.1-48.101.el5_10.1.i386.rpm
xorg-x11-server-Xvnc-source-1.1.1-48.101.el5_10.1.i386.rpm
xorg-x11-server-debuginfo-1.1.1-48.101.el5_10.1.i386.rpm

x86_64:
xorg-x11-server-Xdmx-1.1.1-48.101.el5_10.1.x86_64.rpm
xorg-x11-server-Xephyr-1.1.1-48.101.el5_10.1.x86_64.rpm
xorg-x11-server-Xnest-1.1.1-48.101.el5_10.1.x86_64.rpm
xorg-x11-server-Xorg-1.1.1-48.101.el5_10.1.x86_64.rpm
xorg-x11-server-Xvfb-1.1.1-48.101.el5_10.1.x86_64.rpm
xorg-x11-server-Xvnc-source-1.1.1-48.101.el5_10.1.x86_64.rpm
xorg-x11-server-debuginfo-1.1.1-48.101.el5_10.1.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/xorg-x11-server-1.1.1-48.101.el5_10.1.src.rpm

i386:
xorg-x11-server-debuginfo-1.1.1-48.101.el5_10.1.i386.rpm
xorg-x11-server-sdk-1.1.1-48.101.el5_10.1.i386.rpm

x86_64:
xorg-x11-server-debuginfo-1.1.1-48.101.el5_10.1.x86_64.rpm
xorg-x11-server-sdk-1.1.1-48.101.el5_10.1.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/xorg-x11-server-1.1.1-48.101.el5_10.1.src.rpm

i386:
xorg-x11-server-Xdmx-1.1.1-48.101.el5_10.1.i386.rpm
xorg-x11-server-Xephyr-1.1.1-48.101.el5_10.1.i386.rpm
xorg-x11-server-Xnest-1.1.1-48.101.el5_10.1.i386.rpm
xorg-x11-server-Xorg-1.1.1-48.101.el5_10.1.i386.rpm
xorg-x11-server-Xvfb-1.1.1-48.101.el5_10.1.i386.rpm
xorg-x11-server-Xvnc-source-1.1.1-48.101.el5_10.1.i386.rpm
xorg-x11-server-debuginfo-1.1.1-48.101.el5_10.1.i386.rpm
xorg-x11-server-sdk-1.1.1-48.101.el5_10.1.i386.rpm

ia64:
xorg-x11-server-Xdmx-1.1.1-48.101.el5_10.1.ia64.rpm
xorg-x11-server-Xephyr-1.1.1-48.101.el5_10.1.ia64.rpm
xorg-x11-server-Xnest-1.1.1-48.101.el5_10.1.ia64.rpm
xorg-x11-server-Xorg-1.1.1-48.101.el5_10.1.ia64.rpm
xorg-x11-server-Xvfb-1.1.1-48.101.el5_10.1.ia64.rpm
xorg-x11-server-Xvnc-source-1.1.1-48.101.el5_10.1.ia64.rpm
xorg-x11-server-debuginfo-1.1.1-48.101.el5_10.1.ia64.rpm
xorg-x11-server-sdk-1.1.1-48.101.el5_10.1.ia64.rpm

ppc:
xorg-x11-server-Xdmx-1.1.1-48.101.el5_10.1.ppc.rpm
xorg-x11-server-Xephyr-1.1.1-48.101.el5_10.1.ppc.rpm
xorg-x11-server-Xnest-1.1.1-48.101.el5_10.1.ppc.rpm
xorg-x11-server-Xorg-1.1.1-48.101.el5_10.1.ppc.rpm
xorg-x11-server-Xvfb-1.1.1-48.101.el5_10.1.ppc.rpm
xorg-x11-server-Xvnc-source-1.1.1-48.101.el5_10.1.ppc.rpm
xorg-x11-server-debuginfo-1.1.1-48.101.el5_10.1.ppc.rpm
xorg-x11-server-sdk-1.1.1-48.101.el5_10.1.ppc.rpm

s390x:
xorg-x11-server-Xephyr-1.1.1-48.101.el5_10.1.s390x.rpm
xorg-x11-server-Xnest-1.1.1-48.101.el5_10.1.s390x.rpm
xorg-x11-server-Xvfb-1.1.1-48.101.el5_10.1.s390x.rpm
xorg-x11-server-Xvnc-source-1.1.1-48.101.el5_10.1.s390x.rpm
xorg-x11-server-debuginfo-1.1.1-48.101.el5_10.1.s390x.rpm

x86_64:
xorg-x11-server-Xdmx-1.1.1-48.101.el5_10.1.x86_64.rpm
xorg-x11-server-Xephyr-1.1.1-48.101.el5_10.1.x86_64.rpm
xorg-x11-server-Xnest-1.1.1-48.101.el5_10.1.x86_64.rpm
xorg-x11-server-Xorg-1.1.1-48.101.el5_10.1.x86_64.rpm
xorg-x11-server-Xvfb-1.1.1-48.101.el5_10.1.x86_64.rpm
xorg-x11-server-Xvnc-source-1.1.1-48.101.el5_10.1.x86_64.rpm
xorg-x11-server-debuginfo-1.1.1-48.101.el5_10.1.x86_64.rpm
xorg-x11-server-sdk-1.1.1-48.101.el5_10.1.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/xorg-x11-server-1.13.0-11.1.el6_4.2.src.rpm

i386:
xorg-x11-server-Xephyr-1.13.0-11.1.el6_4.2.i686.rpm
xorg-x11-server-Xorg-1.13.0-11.1.el6_4.2.i686.rpm
xorg-x11-server-common-1.13.0-11.1.el6_4.2.i686.rpm
xorg-x11-server-debuginfo-1.13.0-11.1.el6_4.2.i686.rpm

x86_64:
xorg-x11-server-Xephyr-1.13.0-11.1.el6_4.2.x86_64.rpm
xorg-x11-server-Xorg-1.13.0-11.1.el6_4.2.x86_64.rpm
xorg-x11-server-common-1.13.0-11.1.el6_4.2.x86_64.rpm
xorg-x11-server-debuginfo-1.13.0-11.1.el6_4.2.x86_64.rpm

Red Hat Enterprise Linux Desktop Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/xorg-x11-server-1.13.0-11.1.el6_4.2.src.rpm

i386:
xorg-x11-server-Xdmx-1.13.0-11.1.el6_4.2.i686.rpm
xorg-x11-server-Xnest-1.13.0-11.1.el6_4.2.i686.rpm
xorg-x11-server-Xvfb-1.13.0-11.1.el6_4.2.i686.rpm
xorg-x11-server-debuginfo-1.13.0-11.1.el6_4.2.i686.rpm
xorg-x11-server-devel-1.13.0-11.1.el6_4.2.i686.rpm

noarch:
xorg-x11-server-source-1.13.0-11.1.el6_4.2.noarch.rpm

x86_64:
xorg-x11-server-Xdmx-1.13.0-11.1.el6_4.2.x86_64.rpm
xorg-x11-server-Xnest-1.13.0-11.1.el6_4.2.x86_64.rpm
xorg-x11-server-Xvfb-1.13.0-11.1.el6_4.2.x86_64.rpm
xorg-x11-server-debuginfo-1.13.0-11.1.el6_4.2.i686.rpm
xorg-x11-server-debuginfo-1.13.0-11.1.el6_4.2.x86_64.rpm
xorg-x11-server-devel-1.13.0-11.1.el6_4.2.i686.rpm
xorg-x11-server-devel-1.13.0-11.1.el6_4.2.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/xorg-x11-server-1.13.0-11.1.el6_4.2.src.rpm

noarch:
xorg-x11-server-source-1.13.0-11.1.el6_4.2.noarch.rpm

x86_64:
xorg-x11-server-Xdmx-1.13.0-11.1.el6_4.2.x86_64.rpm
xorg-x11-server-Xephyr-1.13.0-11.1.el6_4.2.x86_64.rpm
xorg-x11-server-Xnest-1.13.0-11.1.el6_4.2.x86_64.rpm
xorg-x11-server-Xorg-1.13.0-11.1.el6_4.2.x86_64.rpm
xorg-x11-server-Xvfb-1.13.0-11.1.el6_4.2.x86_64.rpm
xorg-x11-server-common-1.13.0-11.1.el6_4.2.x86_64.rpm
xorg-x11-server-debuginfo-1.13.0-11.1.el6_4.2.i686.rpm
xorg-x11-server-debuginfo-1.13.0-11.1.el6_4.2.x86_64.rpm
xorg-x11-server-devel-1.13.0-11.1.el6_4.2.i686.rpm
xorg-x11-server-devel-1.13.0-11.1.el6_4.2.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/xorg-x11-server-1.13.0-11.1.el6_4.2.src.rpm

i386:
xorg-x11-server-Xephyr-1.13.0-11.1.el6_4.2.i686.rpm
xorg-x11-server-Xorg-1.13.0-11.1.el6_4.2.i686.rpm
xorg-x11-server-common-1.13.0-11.1.el6_4.2.i686.rpm
xorg-x11-server-debuginfo-1.13.0-11.1.el6_4.2.i686.rpm

ppc64:
xorg-x11-server-Xephyr-1.13.0-11.1.el6_4.2.ppc64.rpm
xorg-x11-server-Xorg-1.13.0-11.1.el6_4.2.ppc64.rpm
xorg-x11-server-common-1.13.0-11.1.el6_4.2.ppc64.rpm
xorg-x11-server-debuginfo-1.13.0-11.1.el6_4.2.ppc64.rpm

s390x:
xorg-x11-server-Xephyr-1.13.0-11.1.el6_4.2.s390x.rpm
xorg-x11-server-common-1.13.0-11.1.el6_4.2.s390x.rpm
xorg-x11-server-debuginfo-1.13.0-11.1.el6_4.2.s390x.rpm

x86_64:
xorg-x11-server-Xephyr-1.13.0-11.1.el6_4.2.x86_64.rpm
xorg-x11-server-Xorg-1.13.0-11.1.el6_4.2.x86_64.rpm
xorg-x11-server-common-1.13.0-11.1.el6_4.2.x86_64.rpm
xorg-x11-server-debuginfo-1.13.0-11.1.el6_4.2.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/xorg-x11-server-1.13.0-11.1.el6_4.2.src.rpm

i386:
xorg-x11-server-Xdmx-1.13.0-11.1.el6_4.2.i686.rpm
xorg-x11-server-Xnest-1.13.0-11.1.el6_4.2.i686.rpm
xorg-x11-server-Xvfb-1.13.0-11.1.el6_4.2.i686.rpm
xorg-x11-server-debuginfo-1.13.0-11.1.el6_4.2.i686.rpm
xorg-x11-server-devel-1.13.0-11.1.el6_4.2.i686.rpm

noarch:
xorg-x11-server-source-1.13.0-11.1.el6_4.2.noarch.rpm

ppc64:
xorg-x11-server-Xdmx-1.13.0-11.1.el6_4.2.ppc64.rpm
xorg-x11-server-Xnest-1.13.0-11.1.el6_4.2.ppc64.rpm
xorg-x11-server-Xvfb-1.13.0-11.1.el6_4.2.ppc64.rpm
xorg-x11-server-debuginfo-1.13.0-11.1.el6_4.2.ppc.rpm
xorg-x11-server-debuginfo-1.13.0-11.1.el6_4.2.ppc64.rpm
xorg-x11-server-devel-1.13.0-11.1.el6_4.2.ppc.rpm
xorg-x11-server-devel-1.13.0-11.1.el6_4.2.ppc64.rpm

s390x:
xorg-x11-server-Xdmx-1.13.0-11.1.el6_4.2.s390x.rpm
xorg-x11-server-Xnest-1.13.0-11.1.el6_4.2.s390x.rpm
xorg-x11-server-Xvfb-1.13.0-11.1.el6_4.2.s390x.rpm
xorg-x11-server-debuginfo-1.13.0-11.1.el6_4.2.s390x.rpm

x86_64:
xorg-x11-server-Xdmx-1.13.0-11.1.el6_4.2.x86_64.rpm
xorg-x11-server-Xnest-1.13.0-11.1.el6_4.2.x86_64.rpm
xorg-x11-server-Xvfb-1.13.0-11.1.el6_4.2.x86_64.rpm
xorg-x11-server-debuginfo-1.13.0-11.1.el6_4.2.i686.rpm
xorg-x11-server-debuginfo-1.13.0-11.1.el6_4.2.x86_64.rpm
xorg-x11-server-devel-1.13.0-11.1.el6_4.2.i686.rpm
xorg-x11-server-devel-1.13.0-11.1.el6_4.2.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/xorg-x11-server-1.13.0-11.1.el6_4.2.src.rpm

i386:
xorg-x11-server-Xephyr-1.13.0-11.1.el6_4.2.i686.rpm
xorg-x11-server-Xorg-1.13.0-11.1.el6_4.2.i686.rpm
xorg-x11-server-common-1.13.0-11.1.el6_4.2.i686.rpm
xorg-x11-server-debuginfo-1.13.0-11.1.el6_4.2.i686.rpm

x86_64:
xorg-x11-server-Xephyr-1.13.0-11.1.el6_4.2.x86_64.rpm
xorg-x11-server-Xorg-1.13.0-11.1.el6_4.2.x86_64.rpm
xorg-x11-server-common-1.13.0-11.1.el6_4.2.x86_64.rpm
xorg-x11-server-debuginfo-1.13.0-11.1.el6_4.2.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/xorg-x11-server-1.13.0-11.1.el6_4.2.src.rpm

i386:
xorg-x11-server-Xdmx-1.13.0-11.1.el6_4.2.i686.rpm
xorg-x11-server-Xnest-1.13.0-11.1.el6_4.2.i686.rpm
xorg-x11-server-Xvfb-1.13.0-11.1.el6_4.2.i686.rpm
xorg-x11-server-debuginfo-1.13.0-11.1.el6_4.2.i686.rpm
xorg-x11-server-devel-1.13.0-11.1.el6_4.2.i686.rpm

noarch:
xorg-x11-server-source-1.13.0-11.1.el6_4.2.noarch.rpm

x86_64:
xorg-x11-server-Xdmx-1.13.0-11.1.el6_4.2.x86_64.rpm
xorg-x11-server-Xnest-1.13.0-11.1.el6_4.2.x86_64.rpm
xorg-x11-server-Xvfb-1.13.0-11.1.el6_4.2.x86_64.rpm
xorg-x11-server-debuginfo-1.13.0-11.1.el6_4.2.i686.rpm
xorg-x11-server-debuginfo-1.13.0-11.1.el6_4.2.x86_64.rpm
xorg-x11-server-devel-1.13.0-11.1.el6_4.2.i686.rpm
xorg-x11-server-devel-1.13.0-11.1.el6_4.2.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-4396.html
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFSXYxwXlSAg2UNWIIRAm/2AKCvUEvpGnUJRnB8qSO++nHUvzyhSACeOkgd
mAjaqUHDbJLXTdQileULXs4=
=TQ40
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Oct 16 17:37:04 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 16 Oct 2013 17:37:04 +0000
Subject: [RHSA-2013:1436-01] Moderate: kernel security and bug fix update
Message-ID: <201310161737.r9GHb4CY031140@int-mx02.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: kernel security and bug fix update
Advisory ID:       RHSA-2013:1436-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-1436.html
Issue date:        2013-10-16
CVE Names:         CVE-2013-4162 CVE-2013-4299
=====================================================================

1. Summary:

Updated kernel packages that fix two security issues and several bugs are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 6) - i386, noarch, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - noarch, x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, noarch, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, noarch, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64

3. Description:

The kernel packages contain the Linux kernel, the core of any Linux operating system.

* A flaw was found in the way the Linux kernel's TCP/IP protocol suite implementation handled IPv6 sockets that used the UDP_CORK option. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2013-4162, Moderate)

* An information leak flaw was found in the way the Linux kernel's device mapper subsystem, under certain conditions, interpreted data written to snapshot block devices. An attacker could use this flaw to read data from disk blocks in free space, which are normally inaccessible. (CVE-2013-4299, Moderate)

Red Hat would like to thank Hannes Frederic Sowa for reporting CVE-2013-4162; and Fujitsu for reporting CVE-2013-4299.

This update also fixes several bugs. Documentation for these changes will be available shortly from the Technical Notes document linked to in the References section.

All kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

To install kernel packages manually, use "rpm -ivh [package]". Do not use "rpm -Uvh" as that will remove the running kernel binaries from your system. You may use "rpm -e" to remove old kernels after determining that the new kernel functions properly on your system.

5. Bugs fixed (http://bugzilla.redhat.com/):

987627 - CVE-2013-4162 Kernel: net: panic while pushing pending data out of a IPv6 socket with UDP_CORK enabled
1004233 - CVE-2013-4299 kernel: dm: dm-snapshot data leak

6. Package List:

Red Hat Enterprise Linux Desktop (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/kernel-2.6.32-358.23.2.el6.src.rpm

i386:
kernel-2.6.32-358.23.2.el6.i686.rpm
kernel-debug-2.6.32-358.23.2.el6.i686.rpm
kernel-debug-debuginfo-2.6.32-358.23.2.el6.i686.rpm
kernel-debug-devel-2.6.32-358.23.2.el6.i686.rpm
kernel-debuginfo-2.6.32-358.23.2.el6.i686.rpm
kernel-debuginfo-common-i686-2.6.32-358.23.2.el6.i686.rpm
kernel-devel-2.6.32-358.23.2.el6.i686.rpm
kernel-headers-2.6.32-358.23.2.el6.i686.rpm
perf-2.6.32-358.23.2.el6.i686.rpm
perf-debuginfo-2.6.32-358.23.2.el6.i686.rpm
python-perf-debuginfo-2.6.32-358.23.2.el6.i686.rpm

noarch:
kernel-doc-2.6.32-358.23.2.el6.noarch.rpm
kernel-firmware-2.6.32-358.23.2.el6.noarch.rpm

x86_64:
kernel-2.6.32-358.23.2.el6.x86_64.rpm
kernel-debug-2.6.32-358.23.2.el6.x86_64.rpm
kernel-debug-debuginfo-2.6.32-358.23.2.el6.x86_64.rpm
kernel-debug-devel-2.6.32-358.23.2.el6.x86_64.rpm
kernel-debuginfo-2.6.32-358.23.2.el6.x86_64.rpm
kernel-debuginfo-common-x86_64-2.6.32-358.23.2.el6.x86_64.rpm
kernel-devel-2.6.32-358.23.2.el6.x86_64.rpm
kernel-headers-2.6.32-358.23.2.el6.x86_64.rpm
perf-2.6.32-358.23.2.el6.x86_64.rpm
perf-debuginfo-2.6.32-358.23.2.el6.x86_64.rpm
python-perf-debuginfo-2.6.32-358.23.2.el6.x86_64.rpm

Red Hat Enterprise Linux Desktop Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/kernel-2.6.32-358.23.2.el6.src.rpm

i386:
kernel-debug-debuginfo-2.6.32-358.23.2.el6.i686.rpm
kernel-debuginfo-2.6.32-358.23.2.el6.i686.rpm
kernel-debuginfo-common-i686-2.6.32-358.23.2.el6.i686.rpm
perf-debuginfo-2.6.32-358.23.2.el6.i686.rpm
python-perf-2.6.32-358.23.2.el6.i686.rpm
python-perf-debuginfo-2.6.32-358.23.2.el6.i686.rpm

x86_64:
kernel-debug-debuginfo-2.6.32-358.23.2.el6.x86_64.rpm
kernel-debuginfo-2.6.32-358.23.2.el6.x86_64.rpm
kernel-debuginfo-common-x86_64-2.6.32-358.23.2.el6.x86_64.rpm
perf-debuginfo-2.6.32-358.23.2.el6.x86_64.rpm
python-perf-2.6.32-358.23.2.el6.x86_64.rpm
python-perf-debuginfo-2.6.32-358.23.2.el6.x86_64.rpm

Red Hat Enterprise Linux HPC Node (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/kernel-2.6.32-358.23.2.el6.src.rpm

noarch:
kernel-doc-2.6.32-358.23.2.el6.noarch.rpm
kernel-firmware-2.6.32-358.23.2.el6.noarch.rpm

x86_64:
kernel-2.6.32-358.23.2.el6.x86_64.rpm
kernel-debug-2.6.32-358.23.2.el6.x86_64.rpm
kernel-debug-debuginfo-2.6.32-358.23.2.el6.x86_64.rpm
kernel-debug-devel-2.6.32-358.23.2.el6.x86_64.rpm
kernel-debuginfo-2.6.32-358.23.2.el6.x86_64.rpm
kernel-debuginfo-common-x86_64-2.6.32-358.23.2.el6.x86_64.rpm
kernel-devel-2.6.32-358.23.2.el6.x86_64.rpm
kernel-headers-2.6.32-358.23.2.el6.x86_64.rpm
perf-2.6.32-358.23.2.el6.x86_64.rpm
perf-debuginfo-2.6.32-358.23.2.el6.x86_64.rpm
python-perf-debuginfo-2.6.32-358.23.2.el6.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/kernel-2.6.32-358.23.2.el6.src.rpm

x86_64:
kernel-debug-debuginfo-2.6.32-358.23.2.el6.x86_64.rpm
kernel-debuginfo-2.6.32-358.23.2.el6.x86_64.rpm
kernel-debuginfo-common-x86_64-2.6.32-358.23.2.el6.x86_64.rpm
perf-debuginfo-2.6.32-358.23.2.el6.x86_64.rpm
python-perf-2.6.32-358.23.2.el6.x86_64.rpm
python-perf-debuginfo-2.6.32-358.23.2.el6.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/kernel-2.6.32-358.23.2.el6.src.rpm

i386:
kernel-2.6.32-358.23.2.el6.i686.rpm
kernel-debug-2.6.32-358.23.2.el6.i686.rpm
kernel-debug-debuginfo-2.6.32-358.23.2.el6.i686.rpm
kernel-debug-devel-2.6.32-358.23.2.el6.i686.rpm
kernel-debuginfo-2.6.32-358.23.2.el6.i686.rpm
kernel-debuginfo-common-i686-2.6.32-358.23.2.el6.i686.rpm
kernel-devel-2.6.32-358.23.2.el6.i686.rpm
kernel-headers-2.6.32-358.23.2.el6.i686.rpm
perf-2.6.32-358.23.2.el6.i686.rpm
perf-debuginfo-2.6.32-358.23.2.el6.i686.rpm
python-perf-debuginfo-2.6.32-358.23.2.el6.i686.rpm

noarch:
kernel-doc-2.6.32-358.23.2.el6.noarch.rpm
kernel-firmware-2.6.32-358.23.2.el6.noarch.rpm

ppc64:
kernel-2.6.32-358.23.2.el6.ppc64.rpm
kernel-bootwrapper-2.6.32-358.23.2.el6.ppc64.rpm
kernel-debug-2.6.32-358.23.2.el6.ppc64.rpm
kernel-debug-debuginfo-2.6.32-358.23.2.el6.ppc64.rpm
kernel-debug-devel-2.6.32-358.23.2.el6.ppc64.rpm
kernel-debuginfo-2.6.32-358.23.2.el6.ppc64.rpm
kernel-debuginfo-common-ppc64-2.6.32-358.23.2.el6.ppc64.rpm
kernel-devel-2.6.32-358.23.2.el6.ppc64.rpm
kernel-headers-2.6.32-358.23.2.el6.ppc64.rpm
perf-2.6.32-358.23.2.el6.ppc64.rpm
perf-debuginfo-2.6.32-358.23.2.el6.ppc64.rpm
python-perf-debuginfo-2.6.32-358.23.2.el6.ppc64.rpm

s390x:
kernel-2.6.32-358.23.2.el6.s390x.rpm
kernel-debug-2.6.32-358.23.2.el6.s390x.rpm
kernel-debug-debuginfo-2.6.32-358.23.2.el6.s390x.rpm
kernel-debug-devel-2.6.32-358.23.2.el6.s390x.rpm
kernel-debuginfo-2.6.32-358.23.2.el6.s390x.rpm
kernel-debuginfo-common-s390x-2.6.32-358.23.2.el6.s390x.rpm kernel-devel-2.6.32-358.23.2.el6.s390x.rpm kernel-headers-2.6.32-358.23.2.el6.s390x.rpm kernel-kdump-2.6.32-358.23.2.el6.s390x.rpm kernel-kdump-debuginfo-2.6.32-358.23.2.el6.s390x.rpm kernel-kdump-devel-2.6.32-358.23.2.el6.s390x.rpm perf-2.6.32-358.23.2.el6.s390x.rpm perf-debuginfo-2.6.32-358.23.2.el6.s390x.rpm python-perf-debuginfo-2.6.32-358.23.2.el6.s390x.rpm x86_64: kernel-2.6.32-358.23.2.el6.x86_64.rpm kernel-debug-2.6.32-358.23.2.el6.x86_64.rpm kernel-debug-debuginfo-2.6.32-358.23.2.el6.x86_64.rpm kernel-debug-devel-2.6.32-358.23.2.el6.x86_64.rpm kernel-debuginfo-2.6.32-358.23.2.el6.x86_64.rpm kernel-debuginfo-common-x86_64-2.6.32-358.23.2.el6.x86_64.rpm kernel-devel-2.6.32-358.23.2.el6.x86_64.rpm kernel-headers-2.6.32-358.23.2.el6.x86_64.rpm perf-2.6.32-358.23.2.el6.x86_64.rpm perf-debuginfo-2.6.32-358.23.2.el6.x86_64.rpm python-perf-debuginfo-2.6.32-358.23.2.el6.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/kernel-2.6.32-358.23.2.el6.src.rpm i386: kernel-debug-debuginfo-2.6.32-358.23.2.el6.i686.rpm kernel-debuginfo-2.6.32-358.23.2.el6.i686.rpm kernel-debuginfo-common-i686-2.6.32-358.23.2.el6.i686.rpm perf-debuginfo-2.6.32-358.23.2.el6.i686.rpm python-perf-2.6.32-358.23.2.el6.i686.rpm python-perf-debuginfo-2.6.32-358.23.2.el6.i686.rpm ppc64: kernel-debug-debuginfo-2.6.32-358.23.2.el6.ppc64.rpm kernel-debuginfo-2.6.32-358.23.2.el6.ppc64.rpm kernel-debuginfo-common-ppc64-2.6.32-358.23.2.el6.ppc64.rpm perf-debuginfo-2.6.32-358.23.2.el6.ppc64.rpm python-perf-2.6.32-358.23.2.el6.ppc64.rpm python-perf-debuginfo-2.6.32-358.23.2.el6.ppc64.rpm s390x: kernel-debug-debuginfo-2.6.32-358.23.2.el6.s390x.rpm kernel-debuginfo-2.6.32-358.23.2.el6.s390x.rpm kernel-debuginfo-common-s390x-2.6.32-358.23.2.el6.s390x.rpm kernel-kdump-debuginfo-2.6.32-358.23.2.el6.s390x.rpm perf-debuginfo-2.6.32-358.23.2.el6.s390x.rpm 
python-perf-2.6.32-358.23.2.el6.s390x.rpm python-perf-debuginfo-2.6.32-358.23.2.el6.s390x.rpm x86_64: kernel-debug-debuginfo-2.6.32-358.23.2.el6.x86_64.rpm kernel-debuginfo-2.6.32-358.23.2.el6.x86_64.rpm kernel-debuginfo-common-x86_64-2.6.32-358.23.2.el6.x86_64.rpm perf-debuginfo-2.6.32-358.23.2.el6.x86_64.rpm python-perf-2.6.32-358.23.2.el6.x86_64.rpm python-perf-debuginfo-2.6.32-358.23.2.el6.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/kernel-2.6.32-358.23.2.el6.src.rpm i386: kernel-2.6.32-358.23.2.el6.i686.rpm kernel-debug-2.6.32-358.23.2.el6.i686.rpm kernel-debug-debuginfo-2.6.32-358.23.2.el6.i686.rpm kernel-debug-devel-2.6.32-358.23.2.el6.i686.rpm kernel-debuginfo-2.6.32-358.23.2.el6.i686.rpm kernel-debuginfo-common-i686-2.6.32-358.23.2.el6.i686.rpm kernel-devel-2.6.32-358.23.2.el6.i686.rpm kernel-headers-2.6.32-358.23.2.el6.i686.rpm perf-2.6.32-358.23.2.el6.i686.rpm perf-debuginfo-2.6.32-358.23.2.el6.i686.rpm python-perf-debuginfo-2.6.32-358.23.2.el6.i686.rpm noarch: kernel-doc-2.6.32-358.23.2.el6.noarch.rpm kernel-firmware-2.6.32-358.23.2.el6.noarch.rpm x86_64: kernel-2.6.32-358.23.2.el6.x86_64.rpm kernel-debug-2.6.32-358.23.2.el6.x86_64.rpm kernel-debug-debuginfo-2.6.32-358.23.2.el6.x86_64.rpm kernel-debug-devel-2.6.32-358.23.2.el6.x86_64.rpm kernel-debuginfo-2.6.32-358.23.2.el6.x86_64.rpm kernel-debuginfo-common-x86_64-2.6.32-358.23.2.el6.x86_64.rpm kernel-devel-2.6.32-358.23.2.el6.x86_64.rpm kernel-headers-2.6.32-358.23.2.el6.x86_64.rpm perf-2.6.32-358.23.2.el6.x86_64.rpm perf-debuginfo-2.6.32-358.23.2.el6.x86_64.rpm python-perf-debuginfo-2.6.32-358.23.2.el6.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 
6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/kernel-2.6.32-358.23.2.el6.src.rpm i386: kernel-debug-debuginfo-2.6.32-358.23.2.el6.i686.rpm kernel-debuginfo-2.6.32-358.23.2.el6.i686.rpm kernel-debuginfo-common-i686-2.6.32-358.23.2.el6.i686.rpm perf-debuginfo-2.6.32-358.23.2.el6.i686.rpm python-perf-2.6.32-358.23.2.el6.i686.rpm python-perf-debuginfo-2.6.32-358.23.2.el6.i686.rpm x86_64: kernel-debug-debuginfo-2.6.32-358.23.2.el6.x86_64.rpm kernel-debuginfo-2.6.32-358.23.2.el6.x86_64.rpm kernel-debuginfo-common-x86_64-2.6.32-358.23.2.el6.x86_64.rpm perf-debuginfo-2.6.32-358.23.2.el6.x86_64.rpm python-perf-2.6.32-358.23.2.el6.x86_64.rpm python-perf-debuginfo-2.6.32-358.23.2.el6.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2013-4162.html https://www.redhat.com/security/data/cve/CVE-2013-4299.html https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/6.4_Technical_Notes/kernel.html 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2013 Red Hat, Inc. 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFSXs6xXlSAg2UNWIIRAoghAKC1rnlocFUzBUwrLOZy7q1Cvc6EkACfS9A2
OtwtXSgQTe4DoEuJ0O7LeaQ=
=oT/7
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Oct 17 17:56:23 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 17 Oct 2013 17:56:23 +0000
Subject: [RHSA-2013:1440-01] Critical: java-1.7.0-oracle security update
Message-ID: <201310171756.r9HHuOaP027050@int-mx11.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: java-1.7.0-oracle security update
Advisory ID:       RHSA-2013:1440-01
Product:           Red Hat Enterprise Linux Supplementary
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-1440.html
Issue date:        2013-10-17
CVE Names:         CVE-2013-3829 CVE-2013-4002 CVE-2013-5772 CVE-2013-5774
                   CVE-2013-5775 CVE-2013-5776 CVE-2013-5777 CVE-2013-5778
                   CVE-2013-5780 CVE-2013-5782 CVE-2013-5783 CVE-2013-5784
                   CVE-2013-5787 CVE-2013-5788 CVE-2013-5789 CVE-2013-5790
                   CVE-2013-5797 CVE-2013-5800 CVE-2013-5801 CVE-2013-5802
                   CVE-2013-5803 CVE-2013-5804 CVE-2013-5809 CVE-2013-5810
                   CVE-2013-5812 CVE-2013-5814 CVE-2013-5817 CVE-2013-5818
                   CVE-2013-5819 CVE-2013-5820 CVE-2013-5823 CVE-2013-5824
                   CVE-2013-5825 CVE-2013-5829 CVE-2013-5830 CVE-2013-5831
                   CVE-2013-5832 CVE-2013-5838 CVE-2013-5840 CVE-2013-5842
                   CVE-2013-5843 CVE-2013-5844 CVE-2013-5846 CVE-2013-5848
                   CVE-2013-5849 CVE-2013-5850 CVE-2013-5851 CVE-2013-5852
                   CVE-2013-5854
=====================================================================

1. Summary:

Updated java-1.7.0-oracle packages that fix several security issues are now
available for Red Hat Enterprise Linux 5 and 6 Supplementary.

The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node Supplementary (v. 6) - x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64

3. Description:

Oracle Java SE version 7 includes the Oracle Java Runtime Environment and
the Oracle Java Software Development Kit.

This update fixes several vulnerabilities in the Oracle Java Runtime
Environment and the Oracle Java Software Development Kit. Further
information about these flaws can be found on the Oracle Java SE Critical
Patch Update Advisory page, listed in the References section.
(CVE-2013-3829, CVE-2013-4002, CVE-2013-5772, CVE-2013-5774, CVE-2013-5775,
CVE-2013-5776, CVE-2013-5777, CVE-2013-5778, CVE-2013-5780, CVE-2013-5782,
CVE-2013-5783, CVE-2013-5784, CVE-2013-5787, CVE-2013-5788, CVE-2013-5789,
CVE-2013-5790, CVE-2013-5797, CVE-2013-5800, CVE-2013-5801, CVE-2013-5802,
CVE-2013-5803, CVE-2013-5804, CVE-2013-5809, CVE-2013-5810, CVE-2013-5812,
CVE-2013-5814, CVE-2013-5817, CVE-2013-5818, CVE-2013-5819, CVE-2013-5820,
CVE-2013-5823, CVE-2013-5824, CVE-2013-5825, CVE-2013-5829, CVE-2013-5830,
CVE-2013-5831, CVE-2013-5832, CVE-2013-5838, CVE-2013-5840, CVE-2013-5842,
CVE-2013-5843, CVE-2013-5844, CVE-2013-5846, CVE-2013-5848, CVE-2013-5849,
CVE-2013-5850, CVE-2013-5851, CVE-2013-5852, CVE-2013-5854)

All users of java-1.7.0-oracle are advised to upgrade to these updated
packages, which provide Oracle Java 7 Update 45 and resolve these issues.
All running instances of Oracle Java must be restarted for the update to
take effect.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

1018713 - CVE-2013-5803 OpenJDK: insufficient checks of KDC replies (JGSS, 8014341)
1018717 - CVE-2013-5772 OpenJDK: insufficient html escaping in jhat (jhat, 8011081)
1018720 - CVE-2013-5797 OpenJDK: insufficient escaping of window title string (Javadoc, 8016675)
1018727 - CVE-2013-5784 OpenJDK: insufficient InterfaceImplementor security checks (Scripting, 8017299)
1018736 - CVE-2013-5790 OpenJDK: insufficient security checks (Beans, 8012071)
1018750 - CVE-2013-5849 OpenJDK: insufficient DataFlavor security checks (AWT, 8012277)
1018755 - CVE-2013-5800 OpenJDK: default keytab path information leak (JGSS, 8022931)
1018785 - CVE-2013-5780 OpenJDK: key data leak via toString() methods (Libraries, 8011071)
1018831 - CVE-2013-5840 OpenJDK: getDeclaringClass() information leak (Libraries, 8014349)
1018972 - CVE-2013-5820 OpenJDK: insufficient security checks (JAXWS, 8017505)
1018977 - CVE-2013-5851 OpenJDK: XML stream factory finder information leak (JAXP, 8013502)
1018984 - CVE-2013-5778 OpenJDK: image conversion out of bounds read (2D, 8014102)
1019108 - CVE-2013-5782 OpenJDK: Incorrect awt_getPixelByte/awt_getPixelShort/awt_setPixelByte/awt_setPixelShort image raster checks (2D, 8014093)
1019110 - CVE-2013-5830 OpenJDK: checkPackageAccess missing security check (Libraries, 8017291)
1019113 - CVE-2013-5809 OpenJDK: JPEGImageReader and JPEGImageWriter missing band size checks (2D, 8013510)
1019115 - CVE-2013-5829 OpenJDK: Java2d Disposer security bypass (2D, 8017287)
1019117 - CVE-2013-5814 OpenJDK: RMIConnection stub missing permission check (CORBA, 8011157)
1019118 - CVE-2013-5817 OpenJDK: VersionHelper12 does not honor modifyThreadGroup restriction (JNDI, 8013739)
1019123 - CVE-2013-5842 OpenJDK: ObjectInputStream/ObjectOutputStream missing checks (Libraries, 8014987)
1019127 - CVE-2013-5850 OpenJDK: Missing CORBA security checks (Libraries, 8017196)
1019130 - CVE-2013-5802 OpenJDK: javax.xml.transform.TransformerFactory does not properly honor XMLConstants.FEATURE_SECURE_PROCESSING (JAXP, 8012425)
1019131 - CVE-2013-5804 OpenJDK: javac does not ignore certain ignorable characters (Javadoc, 8016653)
1019133 - CVE-2013-3829 OpenJDK: java.util.TimeZone does not restrict setting of default time zone (Libraries, 8001029)
1019137 - CVE-2013-5783 OpenJDK: JTable not properly performing certain access checks (Swing, 8013744)
1019139 - CVE-2013-5825 OpenJDK: XML parsing Denial of Service (JAXP, 8014530)
1019145 - CVE-2013-5823 OpenJDK: com.sun.org.apache.xml.internal.security.utils.UnsyncByteArrayOutputStream Denial of Service (Security, 8021290)
1019147 - CVE-2013-5774 OpenJDK: Inet6Address class IPv6 address processing errors (Libraries, 8015743)
1019176 - CVE-2013-4002 OpenJDK: XML parsing Denial of Service (JAXP, 8017298)
1019300 - CVE-2013-5838 OpenJDK: Vulnerability in Libraries component (Libraries, 7023639)
1019691 - CVE-2013-5824 Oracle JDK: unspecified vulnerability fixed in 7u45 (Deployment)
1019692 - CVE-2013-5788 Oracle JDK: unspecified vulnerability fixed in 7u45 (Deployment)
1019693 - CVE-2013-5787 Oracle JDK: unspecified vulnerability fixed in 7u45 (Deployment)
1019697 - CVE-2013-5789 Oracle JDK: unspecified vulnerability fixed in 7u45 (Deployment)
1019701 - CVE-2013-5843 Oracle JDK: unspecified vulnerability fixed in 7u45 (2D)
1019702 - CVE-2013-5832 Oracle JDK: unspecified vulnerability fixed in 7u45 (Deployment)
1019705 - CVE-2013-5852 Oracle JDK: unspecified vulnerability fixed in 7u45 (Deployment)
1019706 - CVE-2013-5812 Oracle JDK: unspecified vulnerability fixed in 7u45 (Deployment)
1019710 - CVE-2013-5801 Oracle JDK: unspecified vulnerability fixed in 7u45 (2D)
1019712 - CVE-2013-5776 Oracle JDK: unspecified vulnerability fixed in 7u45 (Deployment)
1019713 - CVE-2013-5818 Oracle JDK: unspecified vulnerability fixed in 7u45 (Deployment)
1019715 - CVE-2013-5819 Oracle JDK: unspecified vulnerability fixed in 7u45 (Deployment)
1019716 - CVE-2013-5831 Oracle JDK: unspecified vulnerability fixed in 7u45 (Deployment)
1019720 - CVE-2013-5848 Oracle JDK: unspecified vulnerability fixed in 7u45 (Deployment)
1019722 - CVE-2013-5846 CVE-2013-5810 CVE-2013-5844 CVE-2013-5777 CVE-2013-5775 CVE-2013-5854 Oracle JDK: multiple unspecified vulnerabilities fixed in 7u45 (JavaFX)

6. Package List:

Red Hat Enterprise Linux Server Supplementary (v. 5):

Source:
java-1.7.0-oracle-1.7.0.45-1jpp.1.el5_10.src.rpm

i386:
java-1.7.0-oracle-1.7.0.45-1jpp.1.el5_10.i386.rpm
java-1.7.0-oracle-devel-1.7.0.45-1jpp.1.el5_10.i386.rpm
java-1.7.0-oracle-javafx-1.7.0.45-1jpp.1.el5_10.i386.rpm
java-1.7.0-oracle-jdbc-1.7.0.45-1jpp.1.el5_10.i386.rpm
java-1.7.0-oracle-plugin-1.7.0.45-1jpp.1.el5_10.i386.rpm
java-1.7.0-oracle-src-1.7.0.45-1jpp.1.el5_10.i386.rpm

x86_64:
java-1.7.0-oracle-1.7.0.45-1jpp.1.el5_10.x86_64.rpm
java-1.7.0-oracle-devel-1.7.0.45-1jpp.1.el5_10.x86_64.rpm
java-1.7.0-oracle-javafx-1.7.0.45-1jpp.1.el5_10.x86_64.rpm
java-1.7.0-oracle-jdbc-1.7.0.45-1jpp.1.el5_10.x86_64.rpm
java-1.7.0-oracle-plugin-1.7.0.45-1jpp.1.el5_10.x86_64.rpm
java-1.7.0-oracle-src-1.7.0.45-1jpp.1.el5_10.x86_64.rpm

Red Hat Enterprise Linux Desktop Supplementary (v. 6):

i386:
java-1.7.0-oracle-1.7.0.45-1jpp.2.el6_4.i686.rpm
java-1.7.0-oracle-devel-1.7.0.45-1jpp.2.el6_4.i686.rpm
java-1.7.0-oracle-javafx-1.7.0.45-1jpp.2.el6_4.i686.rpm
java-1.7.0-oracle-jdbc-1.7.0.45-1jpp.2.el6_4.i686.rpm
java-1.7.0-oracle-plugin-1.7.0.45-1jpp.2.el6_4.i686.rpm
java-1.7.0-oracle-src-1.7.0.45-1jpp.2.el6_4.i686.rpm

x86_64:
java-1.7.0-oracle-1.7.0.45-1jpp.2.el6_4.x86_64.rpm
java-1.7.0-oracle-devel-1.7.0.45-1jpp.2.el6_4.x86_64.rpm
java-1.7.0-oracle-javafx-1.7.0.45-1jpp.2.el6_4.x86_64.rpm
java-1.7.0-oracle-jdbc-1.7.0.45-1jpp.2.el6_4.x86_64.rpm
java-1.7.0-oracle-plugin-1.7.0.45-1jpp.2.el6_4.x86_64.rpm
java-1.7.0-oracle-src-1.7.0.45-1jpp.2.el6_4.x86_64.rpm

Red Hat Enterprise Linux HPC Node Supplementary (v. 6):

x86_64:
java-1.7.0-oracle-1.7.0.45-1jpp.2.el6_4.x86_64.rpm
java-1.7.0-oracle-devel-1.7.0.45-1jpp.2.el6_4.x86_64.rpm
java-1.7.0-oracle-javafx-1.7.0.45-1jpp.2.el6_4.x86_64.rpm
java-1.7.0-oracle-src-1.7.0.45-1jpp.2.el6_4.x86_64.rpm

Red Hat Enterprise Linux Server Supplementary (v. 6):

i386:
java-1.7.0-oracle-1.7.0.45-1jpp.2.el6_4.i686.rpm
java-1.7.0-oracle-devel-1.7.0.45-1jpp.2.el6_4.i686.rpm
java-1.7.0-oracle-javafx-1.7.0.45-1jpp.2.el6_4.i686.rpm
java-1.7.0-oracle-jdbc-1.7.0.45-1jpp.2.el6_4.i686.rpm
java-1.7.0-oracle-plugin-1.7.0.45-1jpp.2.el6_4.i686.rpm
java-1.7.0-oracle-src-1.7.0.45-1jpp.2.el6_4.i686.rpm

x86_64:
java-1.7.0-oracle-1.7.0.45-1jpp.2.el6_4.x86_64.rpm
java-1.7.0-oracle-devel-1.7.0.45-1jpp.2.el6_4.x86_64.rpm
java-1.7.0-oracle-javafx-1.7.0.45-1jpp.2.el6_4.x86_64.rpm
java-1.7.0-oracle-jdbc-1.7.0.45-1jpp.2.el6_4.x86_64.rpm
java-1.7.0-oracle-plugin-1.7.0.45-1jpp.2.el6_4.x86_64.rpm
java-1.7.0-oracle-src-1.7.0.45-1jpp.2.el6_4.x86_64.rpm

Red Hat Enterprise Linux Workstation Supplementary (v. 6):

i386:
java-1.7.0-oracle-1.7.0.45-1jpp.2.el6_4.i686.rpm
java-1.7.0-oracle-devel-1.7.0.45-1jpp.2.el6_4.i686.rpm
java-1.7.0-oracle-javafx-1.7.0.45-1jpp.2.el6_4.i686.rpm
java-1.7.0-oracle-jdbc-1.7.0.45-1jpp.2.el6_4.i686.rpm
java-1.7.0-oracle-plugin-1.7.0.45-1jpp.2.el6_4.i686.rpm
java-1.7.0-oracle-src-1.7.0.45-1jpp.2.el6_4.i686.rpm

x86_64:
java-1.7.0-oracle-1.7.0.45-1jpp.2.el6_4.x86_64.rpm
java-1.7.0-oracle-devel-1.7.0.45-1jpp.2.el6_4.x86_64.rpm
java-1.7.0-oracle-javafx-1.7.0.45-1jpp.2.el6_4.x86_64.rpm
java-1.7.0-oracle-jdbc-1.7.0.45-1jpp.2.el6_4.x86_64.rpm
java-1.7.0-oracle-plugin-1.7.0.45-1jpp.2.el6_4.x86_64.rpm
java-1.7.0-oracle-src-1.7.0.45-1jpp.2.el6_4.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-3829.html
https://www.redhat.com/security/data/cve/CVE-2013-4002.html
https://www.redhat.com/security/data/cve/CVE-2013-5772.html
https://www.redhat.com/security/data/cve/CVE-2013-5774.html
https://www.redhat.com/security/data/cve/CVE-2013-5775.html
https://www.redhat.com/security/data/cve/CVE-2013-5776.html
https://www.redhat.com/security/data/cve/CVE-2013-5777.html
https://www.redhat.com/security/data/cve/CVE-2013-5778.html
https://www.redhat.com/security/data/cve/CVE-2013-5780.html
https://www.redhat.com/security/data/cve/CVE-2013-5782.html
https://www.redhat.com/security/data/cve/CVE-2013-5783.html
https://www.redhat.com/security/data/cve/CVE-2013-5784.html
https://www.redhat.com/security/data/cve/CVE-2013-5787.html
https://www.redhat.com/security/data/cve/CVE-2013-5788.html
https://www.redhat.com/security/data/cve/CVE-2013-5789.html
https://www.redhat.com/security/data/cve/CVE-2013-5790.html
https://www.redhat.com/security/data/cve/CVE-2013-5797.html
https://www.redhat.com/security/data/cve/CVE-2013-5800.html
https://www.redhat.com/security/data/cve/CVE-2013-5801.html
https://www.redhat.com/security/data/cve/CVE-2013-5802.html
https://www.redhat.com/security/data/cve/CVE-2013-5803.html
https://www.redhat.com/security/data/cve/CVE-2013-5804.html
https://www.redhat.com/security/data/cve/CVE-2013-5809.html
https://www.redhat.com/security/data/cve/CVE-2013-5810.html
https://www.redhat.com/security/data/cve/CVE-2013-5812.html
https://www.redhat.com/security/data/cve/CVE-2013-5814.html
https://www.redhat.com/security/data/cve/CVE-2013-5817.html
https://www.redhat.com/security/data/cve/CVE-2013-5818.html
https://www.redhat.com/security/data/cve/CVE-2013-5819.html
https://www.redhat.com/security/data/cve/CVE-2013-5820.html
https://www.redhat.com/security/data/cve/CVE-2013-5823.html
https://www.redhat.com/security/data/cve/CVE-2013-5824.html
https://www.redhat.com/security/data/cve/CVE-2013-5825.html
https://www.redhat.com/security/data/cve/CVE-2013-5829.html
https://www.redhat.com/security/data/cve/CVE-2013-5830.html
https://www.redhat.com/security/data/cve/CVE-2013-5831.html
https://www.redhat.com/security/data/cve/CVE-2013-5832.html
https://www.redhat.com/security/data/cve/CVE-2013-5838.html
https://www.redhat.com/security/data/cve/CVE-2013-5840.html
https://www.redhat.com/security/data/cve/CVE-2013-5842.html
https://www.redhat.com/security/data/cve/CVE-2013-5843.html
https://www.redhat.com/security/data/cve/CVE-2013-5844.html
https://www.redhat.com/security/data/cve/CVE-2013-5846.html
https://www.redhat.com/security/data/cve/CVE-2013-5848.html
https://www.redhat.com/security/data/cve/CVE-2013-5849.html
https://www.redhat.com/security/data/cve/CVE-2013-5850.html
https://www.redhat.com/security/data/cve/CVE-2013-5851.html
https://www.redhat.com/security/data/cve/CVE-2013-5852.html
https://www.redhat.com/security/data/cve/CVE-2013-5854.html
https://access.redhat.com/security/updates/classification/#critical
http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html
http://www.oracle.com/technetwork/java/javase/7u45-relnotes-2016950.html
http://www.oracle.com/technetwork/java/javase/7u40-relnotes-2004172.html

8. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFSYCS0XlSAg2UNWIIRAqssAJsFSVmpelX/LUJqEoe+oE6L1hmYdQCgtCdY
6L5xR1GEbb/AQ8U+jLJ3ivQ=
=eZtY
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Oct 17 17:57:04 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 17 Oct 2013 17:57:04 +0000
Subject: [RHSA-2013:1441-01] Moderate: rubygems security update
Message-ID: <201310171757.r9HHv4Lo027245@int-mx11.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: rubygems security update
Advisory ID:       RHSA-2013:1441-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-1441.html
Issue date:        2013-10-17
CVE Names:         CVE-2012-2125 CVE-2012-2126 CVE-2013-4287
=====================================================================

1. Summary:

An updated rubygems package that fixes three security issues is now
available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop Optional (v. 6) - noarch
Red Hat Enterprise Linux HPC Node Optional (v. 6) - noarch
Red Hat Enterprise Linux Server Optional (v. 6) - noarch
Red Hat Enterprise Linux Workstation Optional (v. 6) - noarch

3. Description:

RubyGems is the Ruby standard for publishing and managing third-party
libraries.

It was found that RubyGems did not verify SSL connections. This could lead
to man-in-the-middle attacks. (CVE-2012-2126)

It was found that, when using RubyGems, the connection could be redirected
from HTTPS to HTTP. This could lead to a user believing they are installing
a gem via HTTPS, when the connection may have been silently downgraded to
HTTP. (CVE-2012-2125)

It was discovered that the rubygems API validated version strings using an
unsafe regular expression. An application making use of this API to process
a version string from an untrusted source could be vulnerable to a denial
of service attack through CPU exhaustion. (CVE-2013-4287)

Red Hat would like to thank Rubygems upstream for reporting CVE-2013-4287.
Upstream acknowledges Damir Sharipov as the original reporter.

All rubygems users are advised to upgrade to this updated package, which
contains backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

814718 - CVE-2012-2125 CVE-2012-2126 rubygems: Two security fixes in v1.8.23
1002364 - CVE-2013-4287 rubygems: version regex algorithmic complexity vulnerability

6. Package List:

Red Hat Enterprise Linux Desktop Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/rubygems-1.3.7-4.el6_4.src.rpm

noarch:
rubygems-1.3.7-4.el6_4.noarch.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/rubygems-1.3.7-4.el6_4.src.rpm

noarch:
rubygems-1.3.7-4.el6_4.noarch.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/rubygems-1.3.7-4.el6_4.src.rpm

noarch:
rubygems-1.3.7-4.el6_4.noarch.rpm

Red Hat Enterprise Linux Workstation Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/rubygems-1.3.7-4.el6_4.src.rpm

noarch:
rubygems-1.3.7-4.el6_4.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2012-2125.html
https://www.redhat.com/security/data/cve/CVE-2012-2126.html
https://www.redhat.com/security/data/cve/CVE-2013-4287.html
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFSYCTdXlSAg2UNWIIRArK7AJwJo9uuLHx0AhLRFGP1/MXS+o7K4ACggdXy
64HCLJnvBOJkG8BaaH9nSHE=
=OuIY
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Mon Oct 21 17:45:46 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 21 Oct 2013 17:45:46 +0000
Subject: [RHSA-2013:1447-01] Important: java-1.7.0-openjdk security update
Message-ID: <201310211745.r9LHjk4u027914@int-mx11.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: java-1.7.0-openjdk security update
Advisory ID:       RHSA-2013:1447-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-1447.html
Issue date:        2013-10-21
CVE Names:         CVE-2013-3829 CVE-2013-4002 CVE-2013-5772 CVE-2013-5774
                   CVE-2013-5778 CVE-2013-5780 CVE-2013-5782 CVE-2013-5783
                   CVE-2013-5784 CVE-2013-5790 CVE-2013-5797 CVE-2013-5800
                   CVE-2013-5802
                   CVE-2013-5803 CVE-2013-5804 CVE-2013-5809 CVE-2013-5814
                   CVE-2013-5817 CVE-2013-5820 CVE-2013-5823 CVE-2013-5825
                   CVE-2013-5829 CVE-2013-5830 CVE-2013-5838 CVE-2013-5840
                   CVE-2013-5842 CVE-2013-5849 CVE-2013-5850 CVE-2013-5851
=====================================================================

1. Summary:

Updated java-1.7.0-openjdk packages that fix various security issues are
now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux (v. 5 server) - i386, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64

3. Description:

These packages provide the OpenJDK 7 Java Runtime Environment and the
OpenJDK 7 Software Development Kit.

Multiple input checking flaws were found in the 2D component native image
parsing code. A specially crafted image file could trigger a Java Virtual
Machine memory corruption and, possibly, lead to arbitrary code execution
with the privileges of the user running the Java Virtual Machine.
(CVE-2013-5782)

The class loader did not properly check the package access for non-public
proxy classes. A remote attacker could possibly use this flaw to execute
arbitrary code with the privileges of the user running the Java Virtual
Machine. (CVE-2013-5830)

Multiple improper permission check issues were discovered in the 2D, CORBA,
JNDI, and Libraries components in OpenJDK. An untrusted Java application or
applet could use these flaws to bypass Java sandbox restrictions.
(CVE-2013-5829, CVE-2013-5814, CVE-2013-5817, CVE-2013-5842, CVE-2013-5850,
CVE-2013-5838)

Multiple input checking flaws were discovered in the JPEG image reading and
writing code in the 2D component. An untrusted Java application or applet
could use these flaws to corrupt the Java Virtual Machine memory and bypass
Java sandbox restrictions. (CVE-2013-5809)

The FEATURE_SECURE_PROCESSING setting was not properly honored by the
javax.xml.transform package transformers. A remote attacker could use this
flaw to supply a crafted XML that would be processed without the intended
security restrictions. (CVE-2013-5802)

Multiple errors were discovered in the way the JAXP and Security components
process XML inputs. A remote attacker could create a crafted XML that would
cause a Java application to use an excessive amount of CPU and memory when
processed. (CVE-2013-5825, CVE-2013-4002, CVE-2013-5823)

Multiple improper permission check issues were discovered in the Libraries,
Swing, JAX-WS, JAXP, JGSS, AWT, Beans, and Scripting components in OpenJDK.
An untrusted Java application or applet could use these flaws to bypass
certain Java sandbox restrictions. (CVE-2013-3829, CVE-2013-5840,
CVE-2013-5774, CVE-2013-5783, CVE-2013-5820, CVE-2013-5851, CVE-2013-5800,
CVE-2013-5849, CVE-2013-5790, CVE-2013-5784)

It was discovered that the 2D component image library did not properly
check bounds when performing image conversions. An untrusted Java
application or applet could use this flaw to disclose portions of the Java
Virtual Machine memory. (CVE-2013-5778)

Multiple input sanitization flaws were discovered in javadoc. When javadoc
documentation was generated from untrusted Java source code and hosted on a
domain not controlled by the code author, these issues could make it easier
to perform cross-site scripting attacks. (CVE-2013-5804, CVE-2013-5797)

Various OpenJDK classes that represent cryptographic keys could leak private
key information by including sensitive data in strings returned by
toString() methods. These flaws could possibly lead to an unexpected
exposure of sensitive key data. (CVE-2013-5780)

The Java Heap Analysis Tool (jhat) failed to properly escape all data added
into the HTML pages it generated. Crafted content in the memory of a Java
program analyzed using jhat could possibly be used to conduct cross-site
scripting attacks. (CVE-2013-5772)

The Kerberos implementation in OpenJDK did not properly parse KDC
responses. A malformed packet could cause a Java application using JGSS to
exit. (CVE-2013-5803)

All users of java-1.7.0-openjdk are advised to upgrade to these updated
packages, which resolve these issues. All running instances of OpenJDK Java
must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

1018713 - CVE-2013-5803 OpenJDK: insufficient checks of KDC replies (JGSS, 8014341)
1018717 - CVE-2013-5772 OpenJDK: insufficient html escaping in jhat (jhat, 8011081)
1018720 - CVE-2013-5797 OpenJDK: insufficient escaping of window title string (Javadoc, 8016675)
1018727 - CVE-2013-5784 OpenJDK: insufficient InterfaceImplementor security checks (Scripting, 8017299)
1018736 - CVE-2013-5790 OpenJDK: insufficient security checks (Beans, 8012071)
1018750 - CVE-2013-5849 OpenJDK: insufficient DataFlavor security checks (AWT, 8012277)
1018755 - CVE-2013-5800 OpenJDK: default keytab path information leak (JGSS, 8022931)
1018785 - CVE-2013-5780 OpenJDK: key data leak via toString() methods (Libraries, 8011071)
1018831 - CVE-2013-5840 OpenJDK: getDeclaringClass() information leak (Libraries, 8014349)
1018972 - CVE-2013-5820 OpenJDK: insufficient security checks (JAXWS, 8017505)
1018977 - CVE-2013-5851 OpenJDK: XML stream factory finder information leak (JAXP, 8013502)
1018984 - CVE-2013-5778 OpenJDK: image conversion out of bounds read (2D, 8014102)
1019108 - CVE-2013-5782 OpenJDK: Incorrect awt_getPixelByte/awt_getPixelShort/awt_setPixelByte/awt_setPixelShort image raster checks (2D, 8014093)
1019110 - CVE-2013-5830 OpenJDK: checkPackageAccess missing security check (Libraries, 8017291)
1019113 - CVE-2013-5809 OpenJDK: JPEGImageReader and JPEGImageWriter missing band size checks (2D, 8013510)
1019115 - CVE-2013-5829 OpenJDK: Java2d Disposer security bypass (2D, 8017287)
1019117 - CVE-2013-5814 OpenJDK: RMIConnection stub missing permission check (CORBA, 8011157)
1019118 - CVE-2013-5817 OpenJDK: VersionHelper12 does not honor modifyThreadGroup restriction (JNDI, 8013739)
1019123 - CVE-2013-5842 OpenJDK: ObjectInputStream/ObjectOutputStream missing checks (Libraries, 8014987)
1019127 - CVE-2013-5850 OpenJDK: Missing CORBA security checks (Libraries, 8017196)
1019130 - CVE-2013-5802 OpenJDK: javax.xml.transform.TransformerFactory does not properly honor XMLConstants.FEATURE_SECURE_PROCESSING (JAXP, 8012425)
1019131 - CVE-2013-5804 OpenJDK: javac does not ignore certain ignorable characters (Javadoc, 8016653)
1019133 - CVE-2013-3829 OpenJDK: java.util.TimeZone does not restrict setting of default time zone (Libraries, 8001029)
1019137 - CVE-2013-5783 OpenJDK: JTable not properly performing certain access checks (Swing, 8013744)
1019139 - CVE-2013-5825 OpenJDK: XML parsing Denial of Service (JAXP, 8014530)
1019145 - CVE-2013-5823 OpenJDK: com.sun.org.apache.xml.internal.security.utils.UnsyncByteArrayOutputStream Denial of Service (Security, 8021290)
1019147 - CVE-2013-5774 OpenJDK: Inet6Address class IPv6 address processing errors (Libraries, 8015743)
1019176 - CVE-2013-4002 OpenJDK: XML parsing Denial of Service (JAXP, 8017298)
1019300 - CVE-2013-5838 OpenJDK: Vulnerability in Libraries component (Libraries, 7023639)

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/java-1.7.0-openjdk-1.7.0.45-2.4.3.1.el5_10.src.rpm

i386:
java-1.7.0-openjdk-1.7.0.45-2.4.3.1.el5_10.i386.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.45-2.4.3.1.el5_10.i386.rpm
java-1.7.0-openjdk-demo-1.7.0.45-2.4.3.1.el5_10.i386.rpm
java-1.7.0-openjdk-devel-1.7.0.45-2.4.3.1.el5_10.i386.rpm
java-1.7.0-openjdk-javadoc-1.7.0.45-2.4.3.1.el5_10.i386.rpm
java-1.7.0-openjdk-src-1.7.0.45-2.4.3.1.el5_10.i386.rpm

x86_64:
java-1.7.0-openjdk-1.7.0.45-2.4.3.1.el5_10.x86_64.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.45-2.4.3.1.el5_10.x86_64.rpm
java-1.7.0-openjdk-demo-1.7.0.45-2.4.3.1.el5_10.x86_64.rpm
java-1.7.0-openjdk-devel-1.7.0.45-2.4.3.1.el5_10.x86_64.rpm
java-1.7.0-openjdk-javadoc-1.7.0.45-2.4.3.1.el5_10.x86_64.rpm
java-1.7.0-openjdk-src-1.7.0.45-2.4.3.1.el5_10.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/java-1.7.0-openjdk-1.7.0.45-2.4.3.1.el5_10.src.rpm

i386:
java-1.7.0-openjdk-1.7.0.45-2.4.3.1.el5_10.i386.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.45-2.4.3.1.el5_10.i386.rpm
java-1.7.0-openjdk-demo-1.7.0.45-2.4.3.1.el5_10.i386.rpm
java-1.7.0-openjdk-devel-1.7.0.45-2.4.3.1.el5_10.i386.rpm
java-1.7.0-openjdk-javadoc-1.7.0.45-2.4.3.1.el5_10.i386.rpm
java-1.7.0-openjdk-src-1.7.0.45-2.4.3.1.el5_10.i386.rpm

x86_64:
java-1.7.0-openjdk-1.7.0.45-2.4.3.1.el5_10.x86_64.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.45-2.4.3.1.el5_10.x86_64.rpm
java-1.7.0-openjdk-demo-1.7.0.45-2.4.3.1.el5_10.x86_64.rpm
java-1.7.0-openjdk-devel-1.7.0.45-2.4.3.1.el5_10.x86_64.rpm
java-1.7.0-openjdk-javadoc-1.7.0.45-2.4.3.1.el5_10.x86_64.rpm
java-1.7.0-openjdk-src-1.7.0.45-2.4.3.1.el5_10.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7.
References: https://www.redhat.com/security/data/cve/CVE-2013-3829.html https://www.redhat.com/security/data/cve/CVE-2013-4002.html https://www.redhat.com/security/data/cve/CVE-2013-5772.html https://www.redhat.com/security/data/cve/CVE-2013-5774.html https://www.redhat.com/security/data/cve/CVE-2013-5778.html https://www.redhat.com/security/data/cve/CVE-2013-5780.html https://www.redhat.com/security/data/cve/CVE-2013-5782.html https://www.redhat.com/security/data/cve/CVE-2013-5783.html https://www.redhat.com/security/data/cve/CVE-2013-5784.html https://www.redhat.com/security/data/cve/CVE-2013-5790.html https://www.redhat.com/security/data/cve/CVE-2013-5797.html https://www.redhat.com/security/data/cve/CVE-2013-5800.html https://www.redhat.com/security/data/cve/CVE-2013-5802.html https://www.redhat.com/security/data/cve/CVE-2013-5803.html https://www.redhat.com/security/data/cve/CVE-2013-5804.html https://www.redhat.com/security/data/cve/CVE-2013-5809.html https://www.redhat.com/security/data/cve/CVE-2013-5814.html https://www.redhat.com/security/data/cve/CVE-2013-5817.html https://www.redhat.com/security/data/cve/CVE-2013-5820.html https://www.redhat.com/security/data/cve/CVE-2013-5823.html https://www.redhat.com/security/data/cve/CVE-2013-5825.html https://www.redhat.com/security/data/cve/CVE-2013-5829.html https://www.redhat.com/security/data/cve/CVE-2013-5830.html https://www.redhat.com/security/data/cve/CVE-2013-5838.html https://www.redhat.com/security/data/cve/CVE-2013-5840.html https://www.redhat.com/security/data/cve/CVE-2013-5842.html https://www.redhat.com/security/data/cve/CVE-2013-5849.html https://www.redhat.com/security/data/cve/CVE-2013-5850.html https://www.redhat.com/security/data/cve/CVE-2013-5851.html https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2013 Red Hat, Inc. 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFSZWg6XlSAg2UNWIIRAtrcAJ9Pr8HUGP6KoZuAOmHGz4SotHk0CwCgmOVZ
5FtHw7EpRVvpS7dBLzZEHE0=
=QE5j
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Tue Oct 22 17:43:53 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 22 Oct 2013 17:43:53 +0000
Subject: [RHSA-2013:1449-01] Moderate: kernel security and bug fix update
Message-ID: <201310221743.r9MHhrB7009164@int-mx12.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: kernel security and bug fix update
Advisory ID:       RHSA-2013:1449-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-1449.html
Issue date:        2013-10-22
CVE Names:         CVE-2013-0343 CVE-2013-4299 CVE-2013-4345 CVE-2013-4368
=====================================================================

1. Summary:

Updated kernel packages that fix multiple security issues and one bug are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux (v. 5 server) - i386, ia64, noarch, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, noarch, x86_64

3. Description:

The kernel packages contain the Linux kernel, the core of any Linux operating system.

* A flaw was found in the way the Linux kernel handled the creation of temporary IPv6 addresses. If the IPv6 privacy extension was enabled (/proc/sys/net/ipv6/conf/eth0/use_tempaddr is set to '2'), an attacker on the local network could disable IPv6 temporary address generation, leading to a potential information disclosure. (CVE-2013-0343, Moderate)

* An information leak flaw was found in the way the Linux kernel's device mapper subsystem, under certain conditions, interpreted data written to snapshot block devices. An attacker could use this flaw to read data from disk blocks in free space, which are normally inaccessible. (CVE-2013-4299, Moderate)

* An off-by-one flaw was found in the way the ANSI CPRNG implementation in the Linux kernel processed non-block size aligned requests. This could lead to random numbers being generated with fewer bits of entropy than expected when ANSI CPRNG was used. (CVE-2013-4345, Moderate)

* An information leak flaw was found in the way the Xen hypervisor emulated the OUTS instruction for 64-bit paravirtualized guests. A privileged guest user could use this flaw to leak hypervisor stack memory to the guest. (CVE-2013-4368, Moderate)

Red Hat would like to thank Fujitsu for reporting CVE-2013-4299, Stephan Mueller for reporting CVE-2013-4345, and the Xen project for reporting CVE-2013-4368.

This update also fixes the following bug:

* A bug in the GFS2 code prevented glock work queues from freeing glock-related memory while the glock memory shrinker repeatedly queued a large number of demote requests, for example when performing a simultaneous backup of several live GFS2 volumes with a large file count. As a consequence, the glock work queues became overloaded, which resulted in high CPU usage and the GFS2 file systems being unresponsive for a significant amount of time. A patch has been applied to alleviate this problem by calling the yield() function after scheduling a certain number of tasks on the glock work queues. The problem can now occur only with extremely high workloads. (BZ#1014714)

All kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

To install kernel packages manually, use "rpm -ivh [package]". Do not use "rpm -Uvh" as that will remove the running kernel binaries from your system. You may use "rpm -e" to remove old kernels after determining that the new kernel functions properly on your system.

5. Bugs fixed (http://bugzilla.redhat.com/):

914664 - CVE-2013-0343 kernel: handling of IPv6 temporary addresses
1004233 - CVE-2013-4299 kernel: dm: dm-snapshot data leak
1007690 - CVE-2013-4345 kernel: ansi_cprng: off by one error in non-block size request
1012550 - CVE-2013-4368 xen: information leak through outs instruction emulation (XSA-67)

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/kernel-2.6.18-371.1.2.el5.src.rpm

i386:
kernel-2.6.18-371.1.2.el5.i686.rpm
kernel-PAE-2.6.18-371.1.2.el5.i686.rpm
kernel-PAE-debuginfo-2.6.18-371.1.2.el5.i686.rpm
kernel-PAE-devel-2.6.18-371.1.2.el5.i686.rpm
kernel-debug-2.6.18-371.1.2.el5.i686.rpm
kernel-debug-debuginfo-2.6.18-371.1.2.el5.i686.rpm
kernel-debug-devel-2.6.18-371.1.2.el5.i686.rpm
kernel-debuginfo-2.6.18-371.1.2.el5.i686.rpm
kernel-debuginfo-common-2.6.18-371.1.2.el5.i686.rpm
kernel-devel-2.6.18-371.1.2.el5.i686.rpm
kernel-headers-2.6.18-371.1.2.el5.i386.rpm
kernel-xen-2.6.18-371.1.2.el5.i686.rpm
kernel-xen-debuginfo-2.6.18-371.1.2.el5.i686.rpm
kernel-xen-devel-2.6.18-371.1.2.el5.i686.rpm

noarch:
kernel-doc-2.6.18-371.1.2.el5.noarch.rpm

x86_64:
kernel-2.6.18-371.1.2.el5.x86_64.rpm
kernel-debug-2.6.18-371.1.2.el5.x86_64.rpm
kernel-debug-debuginfo-2.6.18-371.1.2.el5.x86_64.rpm
kernel-debug-devel-2.6.18-371.1.2.el5.x86_64.rpm
kernel-debuginfo-2.6.18-371.1.2.el5.x86_64.rpm
kernel-debuginfo-common-2.6.18-371.1.2.el5.x86_64.rpm
kernel-devel-2.6.18-371.1.2.el5.x86_64.rpm
kernel-headers-2.6.18-371.1.2.el5.x86_64.rpm
kernel-xen-2.6.18-371.1.2.el5.x86_64.rpm
kernel-xen-debuginfo-2.6.18-371.1.2.el5.x86_64.rpm
kernel-xen-devel-2.6.18-371.1.2.el5.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/kernel-2.6.18-371.1.2.el5.src.rpm

i386:
kernel-2.6.18-371.1.2.el5.i686.rpm
kernel-PAE-2.6.18-371.1.2.el5.i686.rpm
kernel-PAE-debuginfo-2.6.18-371.1.2.el5.i686.rpm
kernel-PAE-devel-2.6.18-371.1.2.el5.i686.rpm
kernel-debug-2.6.18-371.1.2.el5.i686.rpm
kernel-debug-debuginfo-2.6.18-371.1.2.el5.i686.rpm
kernel-debug-devel-2.6.18-371.1.2.el5.i686.rpm
kernel-debuginfo-2.6.18-371.1.2.el5.i686.rpm
kernel-debuginfo-common-2.6.18-371.1.2.el5.i686.rpm
kernel-devel-2.6.18-371.1.2.el5.i686.rpm
kernel-headers-2.6.18-371.1.2.el5.i386.rpm
kernel-xen-2.6.18-371.1.2.el5.i686.rpm
kernel-xen-debuginfo-2.6.18-371.1.2.el5.i686.rpm
kernel-xen-devel-2.6.18-371.1.2.el5.i686.rpm

ia64:
kernel-2.6.18-371.1.2.el5.ia64.rpm
kernel-debug-2.6.18-371.1.2.el5.ia64.rpm
kernel-debug-debuginfo-2.6.18-371.1.2.el5.ia64.rpm
kernel-debug-devel-2.6.18-371.1.2.el5.ia64.rpm
kernel-debuginfo-2.6.18-371.1.2.el5.ia64.rpm
kernel-debuginfo-common-2.6.18-371.1.2.el5.ia64.rpm
kernel-devel-2.6.18-371.1.2.el5.ia64.rpm
kernel-headers-2.6.18-371.1.2.el5.ia64.rpm
kernel-xen-2.6.18-371.1.2.el5.ia64.rpm
kernel-xen-debuginfo-2.6.18-371.1.2.el5.ia64.rpm
kernel-xen-devel-2.6.18-371.1.2.el5.ia64.rpm

noarch:
kernel-doc-2.6.18-371.1.2.el5.noarch.rpm

ppc:
kernel-2.6.18-371.1.2.el5.ppc64.rpm
kernel-debug-2.6.18-371.1.2.el5.ppc64.rpm
kernel-debug-debuginfo-2.6.18-371.1.2.el5.ppc64.rpm
kernel-debug-devel-2.6.18-371.1.2.el5.ppc64.rpm
kernel-debuginfo-2.6.18-371.1.2.el5.ppc64.rpm
kernel-debuginfo-common-2.6.18-371.1.2.el5.ppc64.rpm
kernel-devel-2.6.18-371.1.2.el5.ppc64.rpm
kernel-headers-2.6.18-371.1.2.el5.ppc.rpm
kernel-headers-2.6.18-371.1.2.el5.ppc64.rpm
kernel-kdump-2.6.18-371.1.2.el5.ppc64.rpm
kernel-kdump-debuginfo-2.6.18-371.1.2.el5.ppc64.rpm
kernel-kdump-devel-2.6.18-371.1.2.el5.ppc64.rpm

s390x:
kernel-2.6.18-371.1.2.el5.s390x.rpm
kernel-debug-2.6.18-371.1.2.el5.s390x.rpm
kernel-debug-debuginfo-2.6.18-371.1.2.el5.s390x.rpm
kernel-debug-devel-2.6.18-371.1.2.el5.s390x.rpm
kernel-debuginfo-2.6.18-371.1.2.el5.s390x.rpm
kernel-debuginfo-common-2.6.18-371.1.2.el5.s390x.rpm
kernel-devel-2.6.18-371.1.2.el5.s390x.rpm
kernel-headers-2.6.18-371.1.2.el5.s390x.rpm
kernel-kdump-2.6.18-371.1.2.el5.s390x.rpm
kernel-kdump-debuginfo-2.6.18-371.1.2.el5.s390x.rpm
kernel-kdump-devel-2.6.18-371.1.2.el5.s390x.rpm

x86_64:
kernel-2.6.18-371.1.2.el5.x86_64.rpm
kernel-debug-2.6.18-371.1.2.el5.x86_64.rpm
kernel-debug-debuginfo-2.6.18-371.1.2.el5.x86_64.rpm
kernel-debug-devel-2.6.18-371.1.2.el5.x86_64.rpm
kernel-debuginfo-2.6.18-371.1.2.el5.x86_64.rpm
kernel-debuginfo-common-2.6.18-371.1.2.el5.x86_64.rpm
kernel-devel-2.6.18-371.1.2.el5.x86_64.rpm
kernel-headers-2.6.18-371.1.2.el5.x86_64.rpm
kernel-xen-2.6.18-371.1.2.el5.x86_64.rpm
kernel-xen-debuginfo-2.6.18-371.1.2.el5.x86_64.rpm
kernel-xen-devel-2.6.18-371.1.2.el5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-0343.html
https://www.redhat.com/security/data/cve/CVE-2013-4299.html
https://www.redhat.com/security/data/cve/CVE-2013-4345.html
https://www.redhat.com/security/data/cve/CVE-2013-4368.html
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
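The Solution section of the kernel advisory above installs the new kernel with "rpm -ivh" beside the old one, requires a reboot, and only then allows "rpm -e" of the old kernels. The following script is an added example, not Red Hat tooling: it re-implements rpm's version ordering (rpmvercmp) in pure Python so a host's "rpm -q kernel" and "uname -r" output can be checked offline against the fixed kernel-2.6.18-371.1.2.el5 from the package list; the host output it feeds in is constructed, and it assumes no epoch and only the plain "kernel" package (kernel-PAE and kernel-xen are separate packages with their own entries).

```python
"""Is this host covered by the kernel advisory?  Added example, not Red Hat tooling.

Re-implements rpm's label comparison (rpmvercmp) in pure Python so the check runs
without librpm, then applies it to `rpm -q kernel` and `uname -r` output. The sample
host output below is constructed; the fixed NVR is taken from the RHSA-2013:1449
package list. Assumptions: no epoch (the kernel package has none) and only the plain
"kernel" package (kernel-PAE and kernel-xen are separate packages).
"""
from typing import Dict, Tuple

FIXED_PACKAGE = "kernel-2.6.18-371.1.2.el5.x86_64.rpm"  # from the advisory's package list
# Constructed host state: fixed kernel installed next to an older one that is still running.
SAMPLE_RPM_Q = "kernel-2.6.18-348.el5\nkernel-2.6.18-371.1.2.el5\n"
SAMPLE_UNAME_R = "2.6.18-348.el5"


def _run(s: str, k: int, pred) -> str:
    """Maximal run of characters satisfying pred, starting at s[k]."""
    n = k
    while n < len(s) and pred(s[n]):
        n += 1
    return s[k:n]


def rpmvercmp(a: str, b: str) -> int:
    """Return 1 if a is newer than b, -1 if older, 0 if equal (librpm semantics).

    Strings are walked as alternating numeric and alphabetic segments: numbers compare
    by value and beat letters, '~' sorts before anything (even end of string), and the
    string with segments left over wins an otherwise equal comparison.
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):  # skip separators
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        tilde_a, tilde_b = i < len(a) and a[i] == "~", j < len(b) and b[j] == "~"
        if tilde_a or tilde_b:
            if tilde_a and tilde_b:
                i, j = i + 1, j + 1
                continue
            return -1 if tilde_a else 1
        if i >= len(a) or j >= len(b):
            break
        numeric = a[i].isdigit()
        pred = str.isdigit if numeric else str.isalpha
        seg_a, seg_b = _run(a, i, pred), _run(b, j, pred)
        if not seg_b:  # mixed types: the numeric segment is newer
            return 1 if numeric else -1
        i, j = i + len(seg_a), j + len(seg_b)
        if numeric:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):  # more digits means a larger number
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def parse_nvr(label: str) -> Tuple[str, str, str]:
    """Split 'name-version-release' (as printed by rpm -q) into its three parts."""
    name, version, release = label.strip().rsplit("-", 2)
    return name, version, release


def nvr_from_filename(filename: str) -> Tuple[str, str, str]:
    """Turn a package-list entry 'name-ver-rel.arch.rpm' into (name, ver, rel)."""
    stem = filename[:-4] if filename.endswith(".rpm") else filename
    return parse_nvr(stem.rsplit(".", 1)[0])  # drop the architecture (or "src")


def compare_vr(a: Tuple[str, str], b: Tuple[str, str]) -> int:
    """Order (version, release) pairs as rpm does for packages without an epoch."""
    return rpmvercmp(a[0], b[0]) or rpmvercmp(a[1], b[1])


def assess_kernel(rpm_q_output: str, uname_r: str, fixed_filename: str) -> Dict[str, object]:
    """Report whether the fixed kernel is installed, whether it is the running one, and
    which older kernels are candidates for rpm -e once the new kernel is verified."""
    _, fixed_v, fixed_r = nvr_from_filename(fixed_filename)
    fixed = (fixed_v, fixed_r)
    installed = [parse_nvr(line) for line in rpm_q_output.splitlines() if line.strip()]
    fixed_installed = any(compare_vr((v, r), fixed) >= 0 for _, v, r in installed)
    run_v, run_r = uname_r.strip().split("-", 1)  # uname -r prints version-release
    running_fixed = compare_vr((run_v, run_r), fixed) >= 0
    older = [f"{n}-{v}-{r}" for n, v, r in installed if compare_vr((v, r), fixed) < 0]
    return {
        "fixed_installed": fixed_installed,
        "running_fixed": running_fixed,
        "reboot_required": fixed_installed and not running_fixed,  # rpm -ivh done, no reboot yet
        "removable_after_verification": older if running_fixed else [],
    }


if __name__ == "__main__":
    for key, value in assess_kernel(SAMPLE_RPM_Q, SAMPLE_UNAME_R, FIXED_PACKAGE).items():
        print(f"{key}: {value}")
```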
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFSZrlBXlSAg2UNWIIRApYYAJ9bcp1GQ+h9XqP9Eptg3X/hKb0ScgCeLHyD
JxTnsQImjB31NJ13wHSkj20=
=TGZZ
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Tue Oct 22 17:44:37 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 22 Oct 2013 17:44:37 +0000
Subject: [RHSA-2013:1450-01] Important: kernel security and bug fix update
Message-ID: <201310221744.r9MHibRn003292@int-mx09.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: kernel security and bug fix update
Advisory ID:       RHSA-2013:1450-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-1450.html
Issue date:        2013-10-22
CVE Names:         CVE-2013-2224 CVE-2013-2852 CVE-2013-4299
=====================================================================

1. Summary:

Updated kernel packages that fix three security issues and several bugs are now available for Red Hat Enterprise Linux 6.3 Extended Update Support.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Compute Node EUS (v. 6.3) - noarch, x86_64
Red Hat Enterprise Linux Compute Node Optional EUS (v. 6.3) - x86_64
Red Hat Enterprise Linux Server EUS (v. 6.3) - i386, noarch, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional EUS (v. 6.3) - i386, ppc64, s390x, x86_64

3. Description:

The kernel packages contain the Linux kernel, the core of any Linux operating system.

* It was found that the fix for CVE-2012-3552 released via RHSA-2012:1540 introduced an invalid free flaw in the Linux kernel's TCP/IP protocol suite implementation. A local, unprivileged user could use this flaw to corrupt kernel memory via crafted sendmsg() calls, allowing them to cause a denial of service or, potentially, escalate their privileges on the system. (CVE-2013-2224, Important)

* An information leak flaw was found in the way the Linux kernel's device mapper subsystem, under certain conditions, interpreted data written to snapshot block devices. An attacker could use this flaw to read data from disk blocks in free space, which are normally inaccessible. (CVE-2013-4299, Moderate)

* A format string flaw was found in the b43_do_request_fw() function in the Linux kernel's b43 driver implementation. A local user who is able to specify the "fwpostfix" b43 module parameter could use this flaw to cause a denial of service or, potentially, escalate their privileges. (CVE-2013-2852, Low)

Red Hat would like to thank Fujitsu for reporting CVE-2013-4299, and Kees Cook for reporting CVE-2013-2852.

This update also fixes the following bugs:

* An insufficiently designed calculation in the CPU accelerator could cause an arithmetic overflow in the set_cyc2ns_scale() function if the system uptime exceeded 208 days prior to using kexec to boot into a new kernel. This overflow led to a kernel panic on systems using the Time Stamp Counter (TSC) clock source, primarily systems using Intel Xeon E5 processors that do not reset TSC on soft power cycles. A patch has been applied to modify the calculation so that this arithmetic overflow and kernel panic can no longer occur under these circumstances. (BZ#1004185)

* A race condition in the abort task and SPP device task management path of the isci driver could, under certain circumstances, cause the driver to fail to clean up timed-out I/O requests that were pending on a SAS disk device. As a consequence, the kernel removed such a device from the system. A patch applied to the isci driver fixes this problem by sending the task management function request to the SAS drive any time the abort function is entered and the task has not completed. The driver now cleans up timed-out I/O requests as expected in this situation. (BZ#1007467)

* A kernel panic could occur during path failover on systems using multiple iSCSI, FC or SRP paths to connect an iSCSI initiator and an iSCSI target. This happened because a race condition in the SCSI driver allowed removing a SCSI device from the system before processing its run queue, which led to a NULL pointer dereference. The SCSI driver has been modified and the race is now avoided by holding a reference to a SCSI device run queue while it is active. (BZ#1008507)

All kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

To install kernel packages manually, use "rpm -ivh [package]". Do not use "rpm -Uvh" as that will remove the running kernel binaries from your system. You may use "rpm -e" to remove old kernels after determining that the new kernel functions properly on your system.

5. Bugs fixed (http://bugzilla.redhat.com/):

969518 - CVE-2013-2852 kernel: b43: format string leaking into error msgs
979936 - CVE-2013-2224 kernel: net: IP_REPOPTS invalid free
1004233 - CVE-2013-4299 kernel: dm: dm-snapshot data leak

6. Package List:

Red Hat Enterprise Linux Compute Node EUS (v. 6.3):

Source:
kernel-2.6.32-279.37.2.el6.src.rpm

noarch:
kernel-doc-2.6.32-279.37.2.el6.noarch.rpm
kernel-firmware-2.6.32-279.37.2.el6.noarch.rpm

x86_64:
kernel-2.6.32-279.37.2.el6.x86_64.rpm
kernel-debug-2.6.32-279.37.2.el6.x86_64.rpm
kernel-debug-debuginfo-2.6.32-279.37.2.el6.x86_64.rpm
kernel-debug-devel-2.6.32-279.37.2.el6.x86_64.rpm
kernel-debuginfo-2.6.32-279.37.2.el6.x86_64.rpm
kernel-debuginfo-common-x86_64-2.6.32-279.37.2.el6.x86_64.rpm
kernel-devel-2.6.32-279.37.2.el6.x86_64.rpm
kernel-headers-2.6.32-279.37.2.el6.x86_64.rpm
perf-2.6.32-279.37.2.el6.x86_64.rpm
perf-debuginfo-2.6.32-279.37.2.el6.x86_64.rpm
python-perf-debuginfo-2.6.32-279.37.2.el6.x86_64.rpm

Red Hat Enterprise Linux Compute Node Optional EUS (v. 6.3):

Source:
kernel-2.6.32-279.37.2.el6.src.rpm

x86_64:
kernel-debug-debuginfo-2.6.32-279.37.2.el6.x86_64.rpm
kernel-debuginfo-2.6.32-279.37.2.el6.x86_64.rpm
kernel-debuginfo-common-x86_64-2.6.32-279.37.2.el6.x86_64.rpm
perf-debuginfo-2.6.32-279.37.2.el6.x86_64.rpm
python-perf-2.6.32-279.37.2.el6.x86_64.rpm
python-perf-debuginfo-2.6.32-279.37.2.el6.x86_64.rpm

Red Hat Enterprise Linux Server EUS (v. 6.3):

Source:
kernel-2.6.32-279.37.2.el6.src.rpm

i386:
kernel-2.6.32-279.37.2.el6.i686.rpm
kernel-debug-2.6.32-279.37.2.el6.i686.rpm
kernel-debug-debuginfo-2.6.32-279.37.2.el6.i686.rpm
kernel-debug-devel-2.6.32-279.37.2.el6.i686.rpm
kernel-debuginfo-2.6.32-279.37.2.el6.i686.rpm
kernel-debuginfo-common-i686-2.6.32-279.37.2.el6.i686.rpm
kernel-devel-2.6.32-279.37.2.el6.i686.rpm
kernel-headers-2.6.32-279.37.2.el6.i686.rpm
perf-2.6.32-279.37.2.el6.i686.rpm
perf-debuginfo-2.6.32-279.37.2.el6.i686.rpm
python-perf-debuginfo-2.6.32-279.37.2.el6.i686.rpm

noarch:
kernel-doc-2.6.32-279.37.2.el6.noarch.rpm
kernel-firmware-2.6.32-279.37.2.el6.noarch.rpm

ppc64:
kernel-2.6.32-279.37.2.el6.ppc64.rpm
kernel-bootwrapper-2.6.32-279.37.2.el6.ppc64.rpm
kernel-debug-2.6.32-279.37.2.el6.ppc64.rpm
kernel-debug-debuginfo-2.6.32-279.37.2.el6.ppc64.rpm
kernel-debug-devel-2.6.32-279.37.2.el6.ppc64.rpm
kernel-debuginfo-2.6.32-279.37.2.el6.ppc64.rpm
kernel-debuginfo-common-ppc64-2.6.32-279.37.2.el6.ppc64.rpm
kernel-devel-2.6.32-279.37.2.el6.ppc64.rpm
kernel-headers-2.6.32-279.37.2.el6.ppc64.rpm
perf-2.6.32-279.37.2.el6.ppc64.rpm
perf-debuginfo-2.6.32-279.37.2.el6.ppc64.rpm
python-perf-debuginfo-2.6.32-279.37.2.el6.ppc64.rpm

s390x:
kernel-2.6.32-279.37.2.el6.s390x.rpm
kernel-debug-2.6.32-279.37.2.el6.s390x.rpm
kernel-debug-debuginfo-2.6.32-279.37.2.el6.s390x.rpm
kernel-debug-devel-2.6.32-279.37.2.el6.s390x.rpm
kernel-debuginfo-2.6.32-279.37.2.el6.s390x.rpm
kernel-debuginfo-common-s390x-2.6.32-279.37.2.el6.s390x.rpm
kernel-devel-2.6.32-279.37.2.el6.s390x.rpm
kernel-headers-2.6.32-279.37.2.el6.s390x.rpm
kernel-kdump-2.6.32-279.37.2.el6.s390x.rpm
kernel-kdump-debuginfo-2.6.32-279.37.2.el6.s390x.rpm
kernel-kdump-devel-2.6.32-279.37.2.el6.s390x.rpm
perf-2.6.32-279.37.2.el6.s390x.rpm
perf-debuginfo-2.6.32-279.37.2.el6.s390x.rpm
python-perf-debuginfo-2.6.32-279.37.2.el6.s390x.rpm

x86_64:
kernel-2.6.32-279.37.2.el6.x86_64.rpm
kernel-debug-2.6.32-279.37.2.el6.x86_64.rpm
kernel-debug-debuginfo-2.6.32-279.37.2.el6.x86_64.rpm
kernel-debug-devel-2.6.32-279.37.2.el6.x86_64.rpm
kernel-debuginfo-2.6.32-279.37.2.el6.x86_64.rpm
kernel-debuginfo-common-x86_64-2.6.32-279.37.2.el6.x86_64.rpm
kernel-devel-2.6.32-279.37.2.el6.x86_64.rpm
kernel-headers-2.6.32-279.37.2.el6.x86_64.rpm
perf-2.6.32-279.37.2.el6.x86_64.rpm
perf-debuginfo-2.6.32-279.37.2.el6.x86_64.rpm
python-perf-debuginfo-2.6.32-279.37.2.el6.x86_64.rpm

Red Hat Enterprise Linux Server Optional EUS (v. 6.3):

Source:
kernel-2.6.32-279.37.2.el6.src.rpm

i386:
kernel-debug-debuginfo-2.6.32-279.37.2.el6.i686.rpm
kernel-debuginfo-2.6.32-279.37.2.el6.i686.rpm
kernel-debuginfo-common-i686-2.6.32-279.37.2.el6.i686.rpm
perf-debuginfo-2.6.32-279.37.2.el6.i686.rpm
python-perf-2.6.32-279.37.2.el6.i686.rpm
python-perf-debuginfo-2.6.32-279.37.2.el6.i686.rpm

ppc64:
kernel-debug-debuginfo-2.6.32-279.37.2.el6.ppc64.rpm
kernel-debuginfo-2.6.32-279.37.2.el6.ppc64.rpm
kernel-debuginfo-common-ppc64-2.6.32-279.37.2.el6.ppc64.rpm
perf-debuginfo-2.6.32-279.37.2.el6.ppc64.rpm
python-perf-2.6.32-279.37.2.el6.ppc64.rpm
python-perf-debuginfo-2.6.32-279.37.2.el6.ppc64.rpm

s390x:
kernel-debug-debuginfo-2.6.32-279.37.2.el6.s390x.rpm
kernel-debuginfo-2.6.32-279.37.2.el6.s390x.rpm
kernel-debuginfo-common-s390x-2.6.32-279.37.2.el6.s390x.rpm
kernel-kdump-debuginfo-2.6.32-279.37.2.el6.s390x.rpm
perf-debuginfo-2.6.32-279.37.2.el6.s390x.rpm
python-perf-2.6.32-279.37.2.el6.s390x.rpm
python-perf-debuginfo-2.6.32-279.37.2.el6.s390x.rpm

x86_64:
kernel-debug-debuginfo-2.6.32-279.37.2.el6.x86_64.rpm
kernel-debuginfo-2.6.32-279.37.2.el6.x86_64.rpm
kernel-debuginfo-common-x86_64-2.6.32-279.37.2.el6.x86_64.rpm
perf-debuginfo-2.6.32-279.37.2.el6.x86_64.rpm
python-perf-2.6.32-279.37.2.el6.x86_64.rpm
python-perf-debuginfo-2.6.32-279.37.2.el6.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-2224.html
https://www.redhat.com/security/data/cve/CVE-2013-2852.html
https://www.redhat.com/security/data/cve/CVE-2013-4299.html
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFSZrlrXlSAg2UNWIIRAs0GAKCFMseO7vV8bC8+xOLvyYYFyBEDogCgw/NT
mJr9jzxDPWpAb+zZOXi8SZk=
=e6kg
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Tue Oct 22 17:45:50 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 22 Oct 2013 17:45:50 +0000
Subject: [RHSA-2013:1451-01] Critical: java-1.7.0-openjdk security update
Message-ID: <201310221745.r9MHjoBS010510@int-mx12.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: java-1.7.0-openjdk security update
Advisory ID:       RHSA-2013:1451-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-1451.html
Issue date:        2013-10-22
CVE Names:         CVE-2013-3829 CVE-2013-4002 CVE-2013-5772 CVE-2013-5774
                   CVE-2013-5778 CVE-2013-5780 CVE-2013-5782 CVE-2013-5783
                   CVE-2013-5784 CVE-2013-5790 CVE-2013-5797 CVE-2013-5800
                   CVE-2013-5802 CVE-2013-5803 CVE-2013-5804 CVE-2013-5809
                   CVE-2013-5814 CVE-2013-5817 CVE-2013-5820 CVE-2013-5823
                   CVE-2013-5825 CVE-2013-5829 CVE-2013-5830 CVE-2013-5838
                   CVE-2013-5840 CVE-2013-5842 CVE-2013-5849 CVE-2013-5850
                   CVE-2013-5851
=====================================================================

1. Summary:

Updated java-1.7.0-openjdk packages that fix various security issues are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having critical security impact.
Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, noarch, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - noarch, x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, noarch, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, noarch, x86_64

3. Description:

The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit.

Multiple input checking flaws were found in the 2D component native image parsing code. A specially crafted image file could trigger a Java Virtual Machine memory corruption and, possibly, lead to arbitrary code execution with the privileges of the user running the Java Virtual Machine. (CVE-2013-5782)

The class loader did not properly check the package access for non-public proxy classes. A remote attacker could possibly use this flaw to execute arbitrary code with the privileges of the user running the Java Virtual Machine. (CVE-2013-5830)

Multiple improper permission check issues were discovered in the 2D, CORBA, JNDI, and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2013-5829, CVE-2013-5814, CVE-2013-5817, CVE-2013-5842, CVE-2013-5850, CVE-2013-5838)

Multiple input checking flaws were discovered in the JPEG image reading and writing code in the 2D component. An untrusted Java application or applet could use these flaws to corrupt the Java Virtual Machine memory and bypass Java sandbox restrictions. (CVE-2013-5809)

The FEATURE_SECURE_PROCESSING setting was not properly honored by the javax.xml.transform package transformers. A remote attacker could use this flaw to supply a crafted XML that would be processed without the intended security restrictions. (CVE-2013-5802)

Multiple errors were discovered in the way the JAXP and Security components process XML inputs. A remote attacker could create a crafted XML that would cause a Java application to use an excessive amount of CPU and memory when processed. (CVE-2013-5825, CVE-2013-4002, CVE-2013-5823)

Multiple improper permission check issues were discovered in the Libraries, Swing, JAX-WS, JAXP, JGSS, AWT, Beans, and Scripting components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2013-3829, CVE-2013-5840, CVE-2013-5774, CVE-2013-5783, CVE-2013-5820, CVE-2013-5851, CVE-2013-5800, CVE-2013-5849, CVE-2013-5790, CVE-2013-5784)

It was discovered that the 2D component image library did not properly check bounds when performing image conversions. An untrusted Java application or applet could use this flaw to disclose portions of the Java Virtual Machine memory. (CVE-2013-5778)

Multiple input sanitization flaws were discovered in javadoc. When javadoc documentation was generated from untrusted Java source code and hosted on a domain not controlled by the code author, these issues could make it easier to perform cross-site scripting attacks. (CVE-2013-5804, CVE-2013-5797)

Various OpenJDK classes that represent cryptographic keys could leak private key information by including sensitive data in strings returned by toString() methods. These flaws could possibly lead to an unexpected exposure of sensitive key data. (CVE-2013-5780)

The Java Heap Analysis Tool (jhat) failed to properly escape all data added into the HTML pages it generated. Crafted content in the memory of a Java program analyzed using jhat could possibly be used to conduct cross-site scripting attacks. (CVE-2013-5772)

The Kerberos implementation in OpenJDK did not properly parse KDC responses. A malformed packet could cause a Java application using JGSS to exit. (CVE-2013-5803)

Note: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website.

All users of java-1.7.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

1018713 - CVE-2013-5803 OpenJDK: insufficient checks of KDC replies (JGSS, 8014341)
1018717 - CVE-2013-5772 OpenJDK: insufficient html escaping in jhat (jhat, 8011081)
1018720 - CVE-2013-5797 OpenJDK: insufficient escaping of window title string (Javadoc, 8016675)
1018727 - CVE-2013-5784 OpenJDK: insufficient InterfaceImplementor security checks (Scripting, 8017299)
1018736 - CVE-2013-5790 OpenJDK: insufficient security checks (Beans, 8012071)
1018750 - CVE-2013-5849 OpenJDK: insufficient DataFlavor security checks (AWT, 8012277)
1018755 - CVE-2013-5800 OpenJDK: default keytab path information leak (JGSS, 8022931)
1018785 - CVE-2013-5780 OpenJDK: key data leak via toString() methods (Libraries, 8011071)
1018831 - CVE-2013-5840 OpenJDK: getDeclaringClass() information leak (Libraries, 8014349)
1018972 - CVE-2013-5820 OpenJDK: insufficient security checks (JAXWS, 8017505)
1018977 - CVE-2013-5851 OpenJDK: XML stream factory finder information leak (JAXP, 8013502)
1018984 - CVE-2013-5778 OpenJDK: image conversion out of bounds read (2D, 8014102)
1019108 - CVE-2013-5782 OpenJDK: Incorrect awt_getPixelByte/awt_getPixelShort/awt_setPixelByte/awt_setPixelShort image raster checks (2D, 8014093)
1019110 - CVE-2013-5830 OpenJDK: checkPackageAccess missing security check (Libraries, 8017291)
1019113 - CVE-2013-5809 OpenJDK: JPEGImageReader and JPEGImageWriter missing band size checks (2D, 8013510)
1019115 - CVE-2013-5829 OpenJDK: Java2d Disposer security bypass (2D, 8017287)
1019117 - CVE-2013-5814 OpenJDK: RMIConnection stub missing permission check (CORBA, 8011157)
1019118 - CVE-2013-5817 OpenJDK: VersionHelper12 does not honor modifyThreadGroup restriction (JNDI, 8013739)
1019123 - CVE-2013-5842 OpenJDK: ObjectInputStream/ObjectOutputStream missing checks (Libraries, 8014987)
1019127 - CVE-2013-5850 OpenJDK: Missing CORBA security checks (Libraries, 8017196)
1019130 - CVE-2013-5802 OpenJDK: javax.xml.transform.TransformerFactory
does not properly honor XMLConstants.FEATURE_SECURE_PROCESSING (JAXP, 8012425) 1019131 - CVE-2013-5804 OpenJDK: javac does not ignore certain ignorable characters (Javadoc, 8016653) 1019133 - CVE-2013-3829 OpenJDK: java.util.TimeZone does not restrict setting of default time zone (Libraries, 8001029) 1019137 - CVE-2013-5783 OpenJDK: JTable not properly performing certain access checks (Swing, 8013744) 1019139 - CVE-2013-5825 OpenJDK: XML parsing Denial of Service (JAXP, 8014530) 1019145 - CVE-2013-5823 OpenJDK: com.sun.org.apache.xml.internal.security.utils.UnsyncByteArrayOutputStream Denial of Service (Security, 8021290) 1019147 - CVE-2013-5774 OpenJDK: Inet6Address class IPv6 address processing errors (Libraries, 8015743) 1019176 - CVE-2013-4002 OpenJDK: XML parsing Denial of Service (JAXP, 8017298) 1019300 - CVE-2013-5838 OpenJDK: Vulnerability in Libraries component (Libraries, 7023639) 6. Package List: Red Hat Enterprise Linux Desktop (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/java-1.7.0-openjdk-1.7.0.45-2.4.3.2.el6_4.src.rpm i386: java-1.7.0-openjdk-1.7.0.45-2.4.3.2.el6_4.i686.rpm java-1.7.0-openjdk-debuginfo-1.7.0.45-2.4.3.2.el6_4.i686.rpm x86_64: java-1.7.0-openjdk-1.7.0.45-2.4.3.2.el6_4.x86_64.rpm java-1.7.0-openjdk-debuginfo-1.7.0.45-2.4.3.2.el6_4.x86_64.rpm Red Hat Enterprise Linux Desktop Optional (v. 
6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/java-1.7.0-openjdk-1.7.0.45-2.4.3.2.el6_4.src.rpm i386: java-1.7.0-openjdk-debuginfo-1.7.0.45-2.4.3.2.el6_4.i686.rpm java-1.7.0-openjdk-demo-1.7.0.45-2.4.3.2.el6_4.i686.rpm java-1.7.0-openjdk-devel-1.7.0.45-2.4.3.2.el6_4.i686.rpm java-1.7.0-openjdk-src-1.7.0.45-2.4.3.2.el6_4.i686.rpm noarch: java-1.7.0-openjdk-javadoc-1.7.0.45-2.4.3.2.el6_4.noarch.rpm x86_64: java-1.7.0-openjdk-debuginfo-1.7.0.45-2.4.3.2.el6_4.x86_64.rpm java-1.7.0-openjdk-demo-1.7.0.45-2.4.3.2.el6_4.x86_64.rpm java-1.7.0-openjdk-devel-1.7.0.45-2.4.3.2.el6_4.x86_64.rpm java-1.7.0-openjdk-src-1.7.0.45-2.4.3.2.el6_4.x86_64.rpm Red Hat Enterprise Linux HPC Node (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/java-1.7.0-openjdk-1.7.0.45-2.4.3.2.el6_4.src.rpm x86_64: java-1.7.0-openjdk-1.7.0.45-2.4.3.2.el6_4.x86_64.rpm java-1.7.0-openjdk-debuginfo-1.7.0.45-2.4.3.2.el6_4.x86_64.rpm Red Hat Enterprise Linux HPC Node Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/java-1.7.0-openjdk-1.7.0.45-2.4.3.2.el6_4.src.rpm noarch: java-1.7.0-openjdk-javadoc-1.7.0.45-2.4.3.2.el6_4.noarch.rpm x86_64: java-1.7.0-openjdk-debuginfo-1.7.0.45-2.4.3.2.el6_4.x86_64.rpm java-1.7.0-openjdk-demo-1.7.0.45-2.4.3.2.el6_4.x86_64.rpm java-1.7.0-openjdk-devel-1.7.0.45-2.4.3.2.el6_4.x86_64.rpm java-1.7.0-openjdk-src-1.7.0.45-2.4.3.2.el6_4.x86_64.rpm Red Hat Enterprise Linux Server (v. 
6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/java-1.7.0-openjdk-1.7.0.45-2.4.3.2.el6_4.src.rpm i386: java-1.7.0-openjdk-1.7.0.45-2.4.3.2.el6_4.i686.rpm java-1.7.0-openjdk-debuginfo-1.7.0.45-2.4.3.2.el6_4.i686.rpm java-1.7.0-openjdk-devel-1.7.0.45-2.4.3.2.el6_4.i686.rpm x86_64: java-1.7.0-openjdk-1.7.0.45-2.4.3.2.el6_4.x86_64.rpm java-1.7.0-openjdk-debuginfo-1.7.0.45-2.4.3.2.el6_4.x86_64.rpm java-1.7.0-openjdk-devel-1.7.0.45-2.4.3.2.el6_4.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/java-1.7.0-openjdk-1.7.0.45-2.4.3.2.el6_4.src.rpm i386: java-1.7.0-openjdk-debuginfo-1.7.0.45-2.4.3.2.el6_4.i686.rpm java-1.7.0-openjdk-demo-1.7.0.45-2.4.3.2.el6_4.i686.rpm java-1.7.0-openjdk-src-1.7.0.45-2.4.3.2.el6_4.i686.rpm noarch: java-1.7.0-openjdk-javadoc-1.7.0.45-2.4.3.2.el6_4.noarch.rpm x86_64: java-1.7.0-openjdk-debuginfo-1.7.0.45-2.4.3.2.el6_4.x86_64.rpm java-1.7.0-openjdk-demo-1.7.0.45-2.4.3.2.el6_4.x86_64.rpm java-1.7.0-openjdk-src-1.7.0.45-2.4.3.2.el6_4.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/java-1.7.0-openjdk-1.7.0.45-2.4.3.2.el6_4.src.rpm i386: java-1.7.0-openjdk-1.7.0.45-2.4.3.2.el6_4.i686.rpm java-1.7.0-openjdk-debuginfo-1.7.0.45-2.4.3.2.el6_4.i686.rpm java-1.7.0-openjdk-devel-1.7.0.45-2.4.3.2.el6_4.i686.rpm x86_64: java-1.7.0-openjdk-1.7.0.45-2.4.3.2.el6_4.x86_64.rpm java-1.7.0-openjdk-debuginfo-1.7.0.45-2.4.3.2.el6_4.x86_64.rpm java-1.7.0-openjdk-devel-1.7.0.45-2.4.3.2.el6_4.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 
6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/java-1.7.0-openjdk-1.7.0.45-2.4.3.2.el6_4.src.rpm i386: java-1.7.0-openjdk-debuginfo-1.7.0.45-2.4.3.2.el6_4.i686.rpm java-1.7.0-openjdk-demo-1.7.0.45-2.4.3.2.el6_4.i686.rpm java-1.7.0-openjdk-src-1.7.0.45-2.4.3.2.el6_4.i686.rpm noarch: java-1.7.0-openjdk-javadoc-1.7.0.45-2.4.3.2.el6_4.noarch.rpm x86_64: java-1.7.0-openjdk-debuginfo-1.7.0.45-2.4.3.2.el6_4.x86_64.rpm java-1.7.0-openjdk-demo-1.7.0.45-2.4.3.2.el6_4.x86_64.rpm java-1.7.0-openjdk-src-1.7.0.45-2.4.3.2.el6_4.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2013-3829.html https://www.redhat.com/security/data/cve/CVE-2013-4002.html https://www.redhat.com/security/data/cve/CVE-2013-5772.html https://www.redhat.com/security/data/cve/CVE-2013-5774.html https://www.redhat.com/security/data/cve/CVE-2013-5778.html https://www.redhat.com/security/data/cve/CVE-2013-5780.html https://www.redhat.com/security/data/cve/CVE-2013-5782.html https://www.redhat.com/security/data/cve/CVE-2013-5783.html https://www.redhat.com/security/data/cve/CVE-2013-5784.html https://www.redhat.com/security/data/cve/CVE-2013-5790.html https://www.redhat.com/security/data/cve/CVE-2013-5797.html https://www.redhat.com/security/data/cve/CVE-2013-5800.html https://www.redhat.com/security/data/cve/CVE-2013-5802.html https://www.redhat.com/security/data/cve/CVE-2013-5803.html https://www.redhat.com/security/data/cve/CVE-2013-5804.html https://www.redhat.com/security/data/cve/CVE-2013-5809.html https://www.redhat.com/security/data/cve/CVE-2013-5814.html https://www.redhat.com/security/data/cve/CVE-2013-5817.html https://www.redhat.com/security/data/cve/CVE-2013-5820.html https://www.redhat.com/security/data/cve/CVE-2013-5823.html 
https://www.redhat.com/security/data/cve/CVE-2013-5825.html https://www.redhat.com/security/data/cve/CVE-2013-5829.html https://www.redhat.com/security/data/cve/CVE-2013-5830.html https://www.redhat.com/security/data/cve/CVE-2013-5838.html https://www.redhat.com/security/data/cve/CVE-2013-5840.html https://www.redhat.com/security/data/cve/CVE-2013-5842.html https://www.redhat.com/security/data/cve/CVE-2013-5849.html https://www.redhat.com/security/data/cve/CVE-2013-5850.html https://www.redhat.com/security/data/cve/CVE-2013-5851.html https://access.redhat.com/security/updates/classification/#critical 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2013 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFSZrmrXlSAg2UNWIIRAh6sAJ0WQ797HscVf/5+FQidZT6jkWaPsgCZAUjS J8t9STiPD1W6tH8qpm7fzBA= =hgt4 -----END PGP SIGNATURE----- From bugzilla at redhat.com Tue Oct 22 17:46:35 2013 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Tue, 22 Oct 2013 17:46:35 +0000 Subject: [RHSA-2013:1452-01] Moderate: vino security update Message-ID: <201310221746.r9MHka7X004250@int-mx11.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: vino security update Advisory ID: RHSA-2013:1452-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-1452.html Issue date: 2013-10-22 CVE Names: CVE-2013-5745 ===================================================================== 1. Summary: Updated vino packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having moderate security impact. 
A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available from the CVE link in the References
section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64

3. Description:

Vino is a Virtual Network Computing (VNC) server for GNOME. It allows remote
users to connect to a running GNOME session using VNC.

A denial of service flaw was found in the way Vino handled certain
authenticated requests from clients that were in the deferred state. A remote
attacker could use this flaw to make the vino-server process enter an
infinite loop when processing those incoming requests. (CVE-2013-5745)

All vino users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue. The GNOME session must be
restarted (log out, then log back in) for this update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

910082 - CVE-2013-5745 vino: denial of service flaw

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/vino-2.13.5-10.el5_10.src.rpm

i386:
vino-2.13.5-10.el5_10.i386.rpm
vino-debuginfo-2.13.5-10.el5_10.i386.rpm

x86_64:
vino-2.13.5-10.el5_10.x86_64.rpm
vino-debuginfo-2.13.5-10.el5_10.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/vino-2.13.5-10.el5_10.src.rpm

i386:
vino-2.13.5-10.el5_10.i386.rpm
vino-debuginfo-2.13.5-10.el5_10.i386.rpm

ia64:
vino-2.13.5-10.el5_10.ia64.rpm
vino-debuginfo-2.13.5-10.el5_10.ia64.rpm

ppc:
vino-2.13.5-10.el5_10.ppc.rpm
vino-debuginfo-2.13.5-10.el5_10.ppc.rpm

s390x:
vino-2.13.5-10.el5_10.s390x.rpm
vino-debuginfo-2.13.5-10.el5_10.s390x.rpm

x86_64:
vino-2.13.5-10.el5_10.x86_64.rpm
vino-debuginfo-2.13.5-10.el5_10.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/vino-2.28.1-9.el6_4.src.rpm

i386:
vino-2.28.1-9.el6_4.i686.rpm
vino-debuginfo-2.28.1-9.el6_4.i686.rpm

x86_64:
vino-2.28.1-9.el6_4.x86_64.rpm
vino-debuginfo-2.28.1-9.el6_4.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/vino-2.28.1-9.el6_4.src.rpm

i386:
vino-2.28.1-9.el6_4.i686.rpm
vino-debuginfo-2.28.1-9.el6_4.i686.rpm

ppc64:
vino-2.28.1-9.el6_4.ppc64.rpm
vino-debuginfo-2.28.1-9.el6_4.ppc64.rpm

s390x:
vino-2.28.1-9.el6_4.s390x.rpm
vino-debuginfo-2.28.1-9.el6_4.s390x.rpm

x86_64:
vino-2.28.1-9.el6_4.x86_64.rpm
vino-debuginfo-2.28.1-9.el6_4.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/vino-2.28.1-9.el6_4.src.rpm

i386:
vino-2.28.1-9.el6_4.i686.rpm
vino-debuginfo-2.28.1-9.el6_4.i686.rpm

x86_64:
vino-2.28.1-9.el6_4.x86_64.rpm
vino-debuginfo-2.28.1-9.el6_4.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-5745.html
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFSZrnqXlSAg2UNWIIRAs1kAKC0tfR8rphEZg1ADs3a6KcXv7Z2AgCdEWUv
M4cNz93JF58fiUXxHGCpEBY=
=mUF4
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Oct 24 15:29:21 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 24 Oct 2013 15:29:21 +0000
Subject: [RHSA-2013:1457-01] Moderate: libgcrypt security update
Message-ID: <201310241529.r9OFTME1032082@int-mx01.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: libgcrypt security update
Advisory ID: RHSA-2013:1457-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-1457.html
Issue date: 2013-10-24
CVE Names: CVE-2013-4242
=====================================================================

1. Summary:

An updated libgcrypt package that fixes one security issue is now available
for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64

3. Description:

The libgcrypt library provides general-purpose implementations of various
cryptographic algorithms.

It was found that GnuPG was vulnerable to the Yarom/Falkner flush+reload
cache side-channel attack on the RSA secret exponent. An attacker able to
execute a process on the logical CPU that shared the L3 cache with the GnuPG
process (such as a different local user or a user of a KVM guest running on
the same host with the kernel same-page merging functionality enabled) could
possibly use this flaw to obtain portions of the RSA secret key.
(CVE-2013-4242)

All libgcrypt users are advised to upgrade to this updated package, which
contains a backported patch to correct this issue.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

988589 - CVE-2013-4242 GnuPG susceptible to Yarom/Falkner flush+reload cache side-channel attack

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/libgcrypt-1.4.4-7.el5_10.src.rpm

i386:
libgcrypt-1.4.4-7.el5_10.i386.rpm
libgcrypt-debuginfo-1.4.4-7.el5_10.i386.rpm

x86_64:
libgcrypt-1.4.4-7.el5_10.i386.rpm
libgcrypt-1.4.4-7.el5_10.x86_64.rpm
libgcrypt-debuginfo-1.4.4-7.el5_10.i386.rpm
libgcrypt-debuginfo-1.4.4-7.el5_10.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/libgcrypt-1.4.4-7.el5_10.src.rpm

i386:
libgcrypt-debuginfo-1.4.4-7.el5_10.i386.rpm
libgcrypt-devel-1.4.4-7.el5_10.i386.rpm

x86_64:
libgcrypt-debuginfo-1.4.4-7.el5_10.i386.rpm
libgcrypt-debuginfo-1.4.4-7.el5_10.x86_64.rpm
libgcrypt-devel-1.4.4-7.el5_10.i386.rpm
libgcrypt-devel-1.4.4-7.el5_10.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/libgcrypt-1.4.4-7.el5_10.src.rpm

i386:
libgcrypt-1.4.4-7.el5_10.i386.rpm
libgcrypt-debuginfo-1.4.4-7.el5_10.i386.rpm
libgcrypt-devel-1.4.4-7.el5_10.i386.rpm

ia64:
libgcrypt-1.4.4-7.el5_10.i386.rpm
libgcrypt-1.4.4-7.el5_10.ia64.rpm
libgcrypt-debuginfo-1.4.4-7.el5_10.i386.rpm
libgcrypt-debuginfo-1.4.4-7.el5_10.ia64.rpm
libgcrypt-devel-1.4.4-7.el5_10.ia64.rpm

ppc:
libgcrypt-1.4.4-7.el5_10.ppc.rpm
libgcrypt-1.4.4-7.el5_10.ppc64.rpm
libgcrypt-debuginfo-1.4.4-7.el5_10.ppc.rpm
libgcrypt-debuginfo-1.4.4-7.el5_10.ppc64.rpm
libgcrypt-devel-1.4.4-7.el5_10.ppc.rpm
libgcrypt-devel-1.4.4-7.el5_10.ppc64.rpm

s390x:
libgcrypt-1.4.4-7.el5_10.s390.rpm
libgcrypt-1.4.4-7.el5_10.s390x.rpm
libgcrypt-debuginfo-1.4.4-7.el5_10.s390.rpm
libgcrypt-debuginfo-1.4.4-7.el5_10.s390x.rpm
libgcrypt-devel-1.4.4-7.el5_10.s390.rpm
libgcrypt-devel-1.4.4-7.el5_10.s390x.rpm

x86_64:
libgcrypt-1.4.4-7.el5_10.i386.rpm
libgcrypt-1.4.4-7.el5_10.x86_64.rpm
libgcrypt-debuginfo-1.4.4-7.el5_10.i386.rpm
libgcrypt-debuginfo-1.4.4-7.el5_10.x86_64.rpm
libgcrypt-devel-1.4.4-7.el5_10.i386.rpm
libgcrypt-devel-1.4.4-7.el5_10.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/libgcrypt-1.4.5-11.el6_4.src.rpm

i386:
libgcrypt-1.4.5-11.el6_4.i686.rpm
libgcrypt-debuginfo-1.4.5-11.el6_4.i686.rpm

x86_64:
libgcrypt-1.4.5-11.el6_4.i686.rpm
libgcrypt-1.4.5-11.el6_4.x86_64.rpm
libgcrypt-debuginfo-1.4.5-11.el6_4.i686.rpm
libgcrypt-debuginfo-1.4.5-11.el6_4.x86_64.rpm

Red Hat Enterprise Linux Desktop Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/libgcrypt-1.4.5-11.el6_4.src.rpm

i386:
libgcrypt-debuginfo-1.4.5-11.el6_4.i686.rpm
libgcrypt-devel-1.4.5-11.el6_4.i686.rpm

x86_64:
libgcrypt-debuginfo-1.4.5-11.el6_4.i686.rpm
libgcrypt-debuginfo-1.4.5-11.el6_4.x86_64.rpm
libgcrypt-devel-1.4.5-11.el6_4.i686.rpm
libgcrypt-devel-1.4.5-11.el6_4.x86_64.rpm

Red Hat Enterprise Linux HPC Node (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/libgcrypt-1.4.5-11.el6_4.src.rpm

x86_64:
libgcrypt-1.4.5-11.el6_4.i686.rpm
libgcrypt-1.4.5-11.el6_4.x86_64.rpm
libgcrypt-debuginfo-1.4.5-11.el6_4.i686.rpm
libgcrypt-debuginfo-1.4.5-11.el6_4.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/libgcrypt-1.4.5-11.el6_4.src.rpm

x86_64:
libgcrypt-debuginfo-1.4.5-11.el6_4.i686.rpm
libgcrypt-debuginfo-1.4.5-11.el6_4.x86_64.rpm
libgcrypt-devel-1.4.5-11.el6_4.i686.rpm
libgcrypt-devel-1.4.5-11.el6_4.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/libgcrypt-1.4.5-11.el6_4.src.rpm

i386:
libgcrypt-1.4.5-11.el6_4.i686.rpm
libgcrypt-debuginfo-1.4.5-11.el6_4.i686.rpm
libgcrypt-devel-1.4.5-11.el6_4.i686.rpm

ppc64:
libgcrypt-1.4.5-11.el6_4.ppc.rpm
libgcrypt-1.4.5-11.el6_4.ppc64.rpm
libgcrypt-debuginfo-1.4.5-11.el6_4.ppc.rpm
libgcrypt-debuginfo-1.4.5-11.el6_4.ppc64.rpm
libgcrypt-devel-1.4.5-11.el6_4.ppc.rpm
libgcrypt-devel-1.4.5-11.el6_4.ppc64.rpm

s390x:
libgcrypt-1.4.5-11.el6_4.s390.rpm
libgcrypt-1.4.5-11.el6_4.s390x.rpm
libgcrypt-debuginfo-1.4.5-11.el6_4.s390.rpm
libgcrypt-debuginfo-1.4.5-11.el6_4.s390x.rpm
libgcrypt-devel-1.4.5-11.el6_4.s390.rpm
libgcrypt-devel-1.4.5-11.el6_4.s390x.rpm

x86_64:
libgcrypt-1.4.5-11.el6_4.i686.rpm
libgcrypt-1.4.5-11.el6_4.x86_64.rpm
libgcrypt-debuginfo-1.4.5-11.el6_4.i686.rpm
libgcrypt-debuginfo-1.4.5-11.el6_4.x86_64.rpm
libgcrypt-devel-1.4.5-11.el6_4.i686.rpm
libgcrypt-devel-1.4.5-11.el6_4.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/libgcrypt-1.4.5-11.el6_4.src.rpm

i386:
libgcrypt-1.4.5-11.el6_4.i686.rpm
libgcrypt-debuginfo-1.4.5-11.el6_4.i686.rpm
libgcrypt-devel-1.4.5-11.el6_4.i686.rpm

x86_64:
libgcrypt-1.4.5-11.el6_4.i686.rpm
libgcrypt-1.4.5-11.el6_4.x86_64.rpm
libgcrypt-debuginfo-1.4.5-11.el6_4.i686.rpm
libgcrypt-debuginfo-1.4.5-11.el6_4.x86_64.rpm
libgcrypt-devel-1.4.5-11.el6_4.i686.rpm
libgcrypt-devel-1.4.5-11.el6_4.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-4242.html
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFSaTzCXlSAg2UNWIIRAikcAKCzZNS/6BcbF74uGRp3jUm2q7RdNACgoU53
AxDsNDrnSeRETSGpztSo7j4=
=2Mvv
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Oct 24 15:30:03 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 24 Oct 2013 15:30:03 +0000
Subject: [RHSA-2013:1458-01] Moderate: gnupg security update
Message-ID: <201310241530.r9OFU3Ng011222@int-mx11.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: gnupg security update
Advisory ID: RHSA-2013:1458-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-1458.html
Issue date: 2013-10-24
CVE Names: CVE-2012-6085 CVE-2013-4242 CVE-2013-4351 CVE-2013-4402
=====================================================================

1. Summary:

An updated gnupg package that fixes multiple security issues is now available
for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64

3. Description:

The GNU Privacy Guard (GnuPG or GPG) is a tool for encrypting data and
creating digital signatures, compliant with the proposed OpenPGP Internet
standard and the S/MIME standard.

It was found that GnuPG was vulnerable to the Yarom/Falkner flush+reload
cache side-channel attack on the RSA secret exponent. An attacker able to
execute a process on the logical CPU that shared the L3 cache with the GnuPG
process (such as a different local user or a user of a KVM guest running on
the same host with the kernel same-page merging functionality enabled) could
possibly use this flaw to obtain portions of the RSA secret key.
(CVE-2013-4242)

A denial of service flaw was found in the way GnuPG parsed certain
compressed OpenPGP packets. An attacker could use this flaw to send specially
crafted input data to GnuPG, making GnuPG enter an infinite loop when parsing
data. (CVE-2013-4402)

It was found that importing a corrupted public key into a GnuPG keyring
database corrupted that keyring. An attacker could use this flaw to trick a
local user into importing a specially crafted public key into their keyring
database, causing the keyring to be corrupted and preventing its further use.
(CVE-2012-6085)

It was found that GnuPG did not properly interpret the key flags in a PGP key
packet. GPG could accept a key for uses not indicated by its holder.
(CVE-2013-4351)

Red Hat would like to thank Werner Koch for reporting the CVE-2013-4402
issue. Upstream acknowledges Taylor R Campbell as the original reporter.

All gnupg users are advised to upgrade to this updated package, which
contains backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

891142 - CVE-2012-6085 GnuPG: read_block() corrupt key input validation
988589 - CVE-2013-4242 GnuPG susceptible to Yarom/Falkner flush+reload cache side-channel attack
1010137 - CVE-2013-4351 gnupg: treats no-usage-permitted keys as all-usages-permitted
1015685 - CVE-2013-4402 GnuPG: infinite recursion in the compressed packet parser DoS

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/gnupg-1.4.5-18.el5_10.src.rpm

i386:
gnupg-1.4.5-18.el5_10.i386.rpm
gnupg-debuginfo-1.4.5-18.el5_10.i386.rpm

x86_64:
gnupg-1.4.5-18.el5_10.x86_64.rpm
gnupg-debuginfo-1.4.5-18.el5_10.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/gnupg-1.4.5-18.el5_10.src.rpm

i386:
gnupg-1.4.5-18.el5_10.i386.rpm
gnupg-debuginfo-1.4.5-18.el5_10.i386.rpm

ia64:
gnupg-1.4.5-18.el5_10.ia64.rpm
gnupg-debuginfo-1.4.5-18.el5_10.ia64.rpm

ppc:
gnupg-1.4.5-18.el5_10.ppc.rpm
gnupg-debuginfo-1.4.5-18.el5_10.ppc.rpm

s390x:
gnupg-1.4.5-18.el5_10.s390x.rpm
gnupg-debuginfo-1.4.5-18.el5_10.s390x.rpm

x86_64:
gnupg-1.4.5-18.el5_10.x86_64.rpm
gnupg-debuginfo-1.4.5-18.el5_10.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2012-6085.html
https://www.redhat.com/security/data/cve/CVE-2013-4242.html
https://www.redhat.com/security/data/cve/CVE-2013-4351.html
https://www.redhat.com/security/data/cve/CVE-2013-4402.html
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFSaTzeXlSAg2UNWIIRAuZvAJ93/bPF5XiUzGd5pwRa0ZYTVp/KngCfSqbg
D1l6mFb8d+AcZmHt4uWJjhA=
=ZSJL
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Oct 24 15:31:18 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 24 Oct 2013 15:31:18 +0000
Subject: [RHSA-2013:1459-01] Moderate: gnupg2 security update
Message-ID: <201310241531.r9OFVJEd012437@int-mx11.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: gnupg2 security update
Advisory ID: RHSA-2013:1459-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-1459.html
Issue date: 2013-10-24
CVE Names: CVE-2012-6085 CVE-2013-4351 CVE-2013-4402
=====================================================================

1. Summary:

An updated gnupg2 package that fixes three security issues is now available
for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64

3. Description:

The GNU Privacy Guard (GnuPG or GPG) is a tool for encrypting data and
creating digital signatures, compliant with the proposed OpenPGP Internet
standard and the S/MIME standard.

A denial of service flaw was found in the way GnuPG parsed certain
compressed OpenPGP packets. An attacker could use this flaw to send specially
crafted input data to GnuPG, making GnuPG enter an infinite loop when parsing
data. (CVE-2013-4402)

It was found that importing a corrupted public key into a GnuPG keyring
database corrupted that keyring. An attacker could use this flaw to trick a
local user into importing a specially crafted public key into their keyring
database, causing the keyring to be corrupted and preventing its further use.
(CVE-2012-6085)

It was found that GnuPG did not properly interpret the key flags in a PGP key
packet. GPG could accept a key for uses not indicated by its holder.
(CVE-2013-4351)

Red Hat would like to thank Werner Koch for reporting the CVE-2013-4402
issue. Upstream acknowledges Taylor R Campbell as the original reporter.

All gnupg2 users are advised to upgrade to this updated package, which
contains backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

891142 - CVE-2012-6085 GnuPG: read_block() corrupt key input validation
1010137 - CVE-2013-4351 gnupg: treats no-usage-permitted keys as all-usages-permitted
1015685 - CVE-2013-4402 GnuPG: infinite recursion in the compressed packet parser DoS

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/gnupg2-2.0.10-6.el5_10.src.rpm

i386:
gnupg2-2.0.10-6.el5_10.i386.rpm
gnupg2-debuginfo-2.0.10-6.el5_10.i386.rpm

x86_64:
gnupg2-2.0.10-6.el5_10.x86_64.rpm
gnupg2-debuginfo-2.0.10-6.el5_10.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/gnupg2-2.0.10-6.el5_10.src.rpm

i386:
gnupg2-2.0.10-6.el5_10.i386.rpm
gnupg2-debuginfo-2.0.10-6.el5_10.i386.rpm

ia64:
gnupg2-2.0.10-6.el5_10.ia64.rpm
gnupg2-debuginfo-2.0.10-6.el5_10.ia64.rpm

ppc:
gnupg2-2.0.10-6.el5_10.ppc.rpm
gnupg2-debuginfo-2.0.10-6.el5_10.ppc.rpm

s390x:
gnupg2-2.0.10-6.el5_10.s390x.rpm
gnupg2-debuginfo-2.0.10-6.el5_10.s390x.rpm

x86_64:
gnupg2-2.0.10-6.el5_10.x86_64.rpm
gnupg2-debuginfo-2.0.10-6.el5_10.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/gnupg2-2.0.14-6.el6_4.src.rpm

i386:
gnupg2-2.0.14-6.el6_4.i686.rpm
gnupg2-debuginfo-2.0.14-6.el6_4.i686.rpm

x86_64:
gnupg2-2.0.14-6.el6_4.x86_64.rpm
gnupg2-debuginfo-2.0.14-6.el6_4.x86_64.rpm

Red Hat Enterprise Linux Desktop Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/gnupg2-2.0.14-6.el6_4.src.rpm

i386:
gnupg2-debuginfo-2.0.14-6.el6_4.i686.rpm
gnupg2-smime-2.0.14-6.el6_4.i686.rpm

x86_64:
gnupg2-debuginfo-2.0.14-6.el6_4.x86_64.rpm
gnupg2-smime-2.0.14-6.el6_4.x86_64.rpm

Red Hat Enterprise Linux HPC Node (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/gnupg2-2.0.14-6.el6_4.src.rpm

x86_64:
gnupg2-2.0.14-6.el6_4.x86_64.rpm
gnupg2-debuginfo-2.0.14-6.el6_4.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/gnupg2-2.0.14-6.el6_4.src.rpm

x86_64:
gnupg2-debuginfo-2.0.14-6.el6_4.x86_64.rpm
gnupg2-smime-2.0.14-6.el6_4.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/gnupg2-2.0.14-6.el6_4.src.rpm

i386:
gnupg2-2.0.14-6.el6_4.i686.rpm
gnupg2-debuginfo-2.0.14-6.el6_4.i686.rpm

ppc64:
gnupg2-2.0.14-6.el6_4.ppc64.rpm
gnupg2-debuginfo-2.0.14-6.el6_4.ppc64.rpm

s390x:
gnupg2-2.0.14-6.el6_4.s390x.rpm
gnupg2-debuginfo-2.0.14-6.el6_4.s390x.rpm

x86_64:
gnupg2-2.0.14-6.el6_4.x86_64.rpm
gnupg2-debuginfo-2.0.14-6.el6_4.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/gnupg2-2.0.14-6.el6_4.src.rpm

i386:
gnupg2-debuginfo-2.0.14-6.el6_4.i686.rpm
gnupg2-smime-2.0.14-6.el6_4.i686.rpm

ppc64:
gnupg2-debuginfo-2.0.14-6.el6_4.ppc64.rpm
gnupg2-smime-2.0.14-6.el6_4.ppc64.rpm

s390x:
gnupg2-debuginfo-2.0.14-6.el6_4.s390x.rpm
gnupg2-smime-2.0.14-6.el6_4.s390x.rpm

x86_64:
gnupg2-debuginfo-2.0.14-6.el6_4.x86_64.rpm
gnupg2-smime-2.0.14-6.el6_4.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/gnupg2-2.0.14-6.el6_4.src.rpm

i386:
gnupg2-2.0.14-6.el6_4.i686.rpm
gnupg2-debuginfo-2.0.14-6.el6_4.i686.rpm

x86_64:
gnupg2-2.0.14-6.el6_4.x86_64.rpm
gnupg2-debuginfo-2.0.14-6.el6_4.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/gnupg2-2.0.14-6.el6_4.src.rpm

i386:
gnupg2-debuginfo-2.0.14-6.el6_4.i686.rpm
gnupg2-smime-2.0.14-6.el6_4.i686.rpm

x86_64:
gnupg2-debuginfo-2.0.14-6.el6_4.x86_64.rpm
gnupg2-smime-2.0.14-6.el6_4.x86_64.rpm

These packages are GPG signed by Red Hat for security.
Our key and details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2012-6085.html
https://www.redhat.com/security/data/cve/CVE-2013-4351.html
https://www.redhat.com/security/data/cve/CVE-2013-4402.html
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFSaT0xXlSAg2UNWIIRAvDWAJ9pkYJvy6gI+pxMk2Ygz4ysgoV7QACgs6YN
1xVQcpLM9L1IoCunepN5I4k=
=UM2O
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Tue Oct 29 21:18:27 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 29 Oct 2013 21:18:27 +0000
Subject: [RHSA-2013:1473-01] Important: spice-server security update
Message-ID: <201310292118.r9TLISM0028094@int-mx02.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: spice-server security update
Advisory ID:       RHSA-2013:1473-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-1473.html
Issue date:        2013-10-29
CVE Names:         CVE-2013-4282
=====================================================================

1. Summary:

An updated spice-server package that fixes one security issue is now
available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having important
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 6) - x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - x86_64
Red Hat Enterprise Linux Workstation (v. 6) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - x86_64

3. Description:

The Simple Protocol for Independent Computing Environments (SPICE) is a
remote display protocol for virtual environments. SPICE users can access a
virtualized desktop or server from the local system or any system with
network access to the server. SPICE is used in Red Hat Enterprise Linux for
viewing virtualized guests running on the Kernel-based Virtual Machine (KVM)
hypervisor or on Red Hat Enterprise Virtualization Hypervisors.

A stack-based buffer overflow flaw was found in the way the
reds_handle_ticket() function in the spice-server library handled decryption
of ticket data provided by the client. A remote user able to initiate a
SPICE connection to an application acting as a SPICE server could use this
flaw to crash the application. (CVE-2013-4282)

This issue was discovered by Tomas Jamrisko of Red Hat.

All spice-server users are advised to upgrade to this updated package, which
contains a backported patch to correct this issue.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

1000443 - CVE-2013-4282 spice: stack buffer overflow in reds_handle_ticket() function

6. Package List:

Red Hat Enterprise Linux Desktop (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/spice-server-0.12.0-12.el6_4.5.src.rpm

x86_64:
spice-server-0.12.0-12.el6_4.5.x86_64.rpm
spice-server-debuginfo-0.12.0-12.el6_4.5.x86_64.rpm

Red Hat Enterprise Linux Desktop Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/spice-server-0.12.0-12.el6_4.5.src.rpm

x86_64:
spice-server-debuginfo-0.12.0-12.el6_4.5.x86_64.rpm
spice-server-devel-0.12.0-12.el6_4.5.x86_64.rpm

Red Hat Enterprise Linux HPC Node (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/spice-server-0.12.0-12.el6_4.5.src.rpm

x86_64:
spice-server-0.12.0-12.el6_4.5.x86_64.rpm
spice-server-debuginfo-0.12.0-12.el6_4.5.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/spice-server-0.12.0-12.el6_4.5.src.rpm

x86_64:
spice-server-debuginfo-0.12.0-12.el6_4.5.x86_64.rpm
spice-server-devel-0.12.0-12.el6_4.5.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/spice-server-0.12.0-12.el6_4.5.src.rpm

x86_64:
spice-server-0.12.0-12.el6_4.5.x86_64.rpm
spice-server-debuginfo-0.12.0-12.el6_4.5.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/spice-server-0.12.0-12.el6_4.5.src.rpm

x86_64:
spice-server-debuginfo-0.12.0-12.el6_4.5.x86_64.rpm
spice-server-devel-0.12.0-12.el6_4.5.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/spice-server-0.12.0-12.el6_4.5.src.rpm

x86_64:
spice-server-0.12.0-12.el6_4.5.x86_64.rpm
spice-server-debuginfo-0.12.0-12.el6_4.5.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/spice-server-0.12.0-12.el6_4.5.src.rpm

x86_64:
spice-server-debuginfo-0.12.0-12.el6_4.5.x86_64.rpm
spice-server-devel-0.12.0-12.el6_4.5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details
on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-4282.html
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFScCYSXlSAg2UNWIIRAqAnAJ0d7phVfwN3JHLYjlbit1Q7GUlnaACfRS54
CfdvuZKuNJ9Xt49y3h/0ltU=
=i2fu
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Tue Oct 29 21:18:57 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 29 Oct 2013 21:18:57 +0000
Subject: [RHSA-2013:1474-01] Important: qspice security update
Message-ID: <201310292118.r9TLIvxF028293@int-mx02.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: qspice security update
Advisory ID:       RHSA-2013:1474-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-1474.html
Issue date:        2013-10-29
CVE Names:         CVE-2013-4282
=====================================================================

1. Summary:

Updated qspice packages that fix one security issue are now available for
Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having important
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

2. Relevant releases/architectures:

RHEL Desktop Multi OS (v. 5 client) - x86_64
RHEL Virtualization (v. 5 server) - x86_64
Red Hat Enterprise Linux (v. 5 server) - x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - x86_64

3. Description:

The Simple Protocol for Independent Computing Environments (SPICE) is a
remote display protocol for virtual environments. SPICE users can access a
virtualized desktop or server from the local system or any system with
network access to the server. SPICE is used in Red Hat Enterprise Linux for
viewing virtualized guests running on the Kernel-based Virtual Machine (KVM)
hypervisor or on Red Hat Enterprise Virtualization Hypervisors.

A stack-based buffer overflow flaw was found in the way the
reds_handle_ticket() function in the spice-server library handled decryption
of ticket data provided by the client. A remote user able to initiate a
SPICE connection to an application acting as a SPICE server could use this
flaw to crash the application. (CVE-2013-4282)

This issue was discovered by Tomas Jamrisko of Red Hat.

All qspice users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

1000443 - CVE-2013-4282 spice: stack buffer overflow in reds_handle_ticket() function

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/qspice-0.3.0-56.el5_10.1.src.rpm

x86_64:
qspice-debuginfo-0.3.0-56.el5_10.1.x86_64.rpm
qspice-libs-0.3.0-56.el5_10.1.x86_64.rpm

RHEL Desktop Multi OS (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/qspice-0.3.0-56.el5_10.1.src.rpm

x86_64:
qspice-0.3.0-56.el5_10.1.x86_64.rpm
qspice-debuginfo-0.3.0-56.el5_10.1.x86_64.rpm
qspice-libs-devel-0.3.0-56.el5_10.1.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/qspice-0.3.0-56.el5_10.1.src.rpm

x86_64:
qspice-debuginfo-0.3.0-56.el5_10.1.x86_64.rpm
qspice-libs-0.3.0-56.el5_10.1.x86_64.rpm

RHEL Virtualization (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/qspice-0.3.0-56.el5_10.1.src.rpm

x86_64:
qspice-0.3.0-56.el5_10.1.x86_64.rpm
qspice-debuginfo-0.3.0-56.el5_10.1.x86_64.rpm
qspice-libs-devel-0.3.0-56.el5_10.1.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details
on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-4282.html
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFScCYuXlSAg2UNWIIRAvkqAJ9g398p99BWrseQm2kXDbMdZmWkhgCfXNFI
eBg/eGmTuCsTailEOfb8PnI=
=pc2q
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Tue Oct 29 21:20:12 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 29 Oct 2013 21:20:12 +0000
Subject: [RHSA-2013:1475-01] Moderate: postgresql and postgresql84 security update
Message-ID: <201310292120.r9TLKCTI004119@int-mx01.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: postgresql and postgresql84 security update
Advisory ID:       RHSA-2013:1475-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-1475.html
Issue date:        2013-10-29
CVE Names:         CVE-2013-0255 CVE-2013-1900
=====================================================================

1. Summary:

Updated postgresql and postgresql84 packages that fix two security issues
are now available for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64

3. Description:

PostgreSQL is an advanced object-relational database management system
(DBMS).

An array index error, leading to a heap-based out-of-bounds buffer read
flaw, was found in the way PostgreSQL performed certain error processing
using enumeration types. An unprivileged database user could issue a
specially crafted SQL query that, when processed by the server component of
the PostgreSQL service, would lead to a denial of service (daemon crash) or
disclosure of certain portions of server memory. (CVE-2013-0255)

A flaw was found in the way the pgcrypto contrib module of PostgreSQL
(re)initialized its internal random number generator. This could lead to
random numbers with fewer bits of entropy being used by certain pgcrypto
functions, possibly allowing an attacker to conduct other attacks.
(CVE-2013-1900)

Red Hat would like to thank the PostgreSQL project for reporting these
issues. Upstream acknowledges Sumit Soni via Secunia SVCRP as the original
reporter of CVE-2013-0255, and Marko Kreen as the original reporter of
CVE-2013-1900.

These updated packages upgrade PostgreSQL to version 8.4.18, which fixes
these issues as well as several non-security issues. Refer to the PostgreSQL
Release Notes for a full list of changes:

http://www.postgresql.org/docs/8.4/static/release-8-4-18.html

After installing this update, it is advisable to rebuild, using the REINDEX
command, Generalized Search Tree (GiST) indexes that meet one or more of the
following conditions:

- GiST indexes on box, polygon, circle, or point columns
- GiST indexes for variable-width data types, that is text, bytea, bit, and
  numeric
- GiST multi-column indexes

All PostgreSQL users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. If the postgresql
service is running, it will be automatically restarted after installing this
update.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

907892 - CVE-2013-0255 postgresql: array indexing error in enum_recv()
929255 - CVE-2013-1900 postgresql: Improper randomization of pgcrypto functions (requiring random seed)

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/postgresql84-8.4.18-1.el5_10.src.rpm

i386:
postgresql84-8.4.18-1.el5_10.i386.rpm
postgresql84-contrib-8.4.18-1.el5_10.i386.rpm
postgresql84-debuginfo-8.4.18-1.el5_10.i386.rpm
postgresql84-docs-8.4.18-1.el5_10.i386.rpm
postgresql84-libs-8.4.18-1.el5_10.i386.rpm
postgresql84-python-8.4.18-1.el5_10.i386.rpm
postgresql84-tcl-8.4.18-1.el5_10.i386.rpm

x86_64:
postgresql84-8.4.18-1.el5_10.x86_64.rpm
postgresql84-contrib-8.4.18-1.el5_10.x86_64.rpm
postgresql84-debuginfo-8.4.18-1.el5_10.i386.rpm
postgresql84-debuginfo-8.4.18-1.el5_10.x86_64.rpm
postgresql84-docs-8.4.18-1.el5_10.x86_64.rpm
postgresql84-libs-8.4.18-1.el5_10.i386.rpm
postgresql84-libs-8.4.18-1.el5_10.x86_64.rpm
postgresql84-python-8.4.18-1.el5_10.x86_64.rpm
postgresql84-tcl-8.4.18-1.el5_10.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/postgresql84-8.4.18-1.el5_10.src.rpm

i386:
postgresql84-debuginfo-8.4.18-1.el5_10.i386.rpm
postgresql84-devel-8.4.18-1.el5_10.i386.rpm
postgresql84-plperl-8.4.18-1.el5_10.i386.rpm
postgresql84-plpython-8.4.18-1.el5_10.i386.rpm
postgresql84-pltcl-8.4.18-1.el5_10.i386.rpm
postgresql84-server-8.4.18-1.el5_10.i386.rpm
postgresql84-test-8.4.18-1.el5_10.i386.rpm

x86_64:
postgresql84-debuginfo-8.4.18-1.el5_10.i386.rpm
postgresql84-debuginfo-8.4.18-1.el5_10.x86_64.rpm
postgresql84-devel-8.4.18-1.el5_10.i386.rpm
postgresql84-devel-8.4.18-1.el5_10.x86_64.rpm
postgresql84-plperl-8.4.18-1.el5_10.x86_64.rpm
postgresql84-plpython-8.4.18-1.el5_10.x86_64.rpm
postgresql84-pltcl-8.4.18-1.el5_10.x86_64.rpm
postgresql84-server-8.4.18-1.el5_10.x86_64.rpm
postgresql84-test-8.4.18-1.el5_10.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/postgresql84-8.4.18-1.el5_10.src.rpm

i386:
postgresql84-8.4.18-1.el5_10.i386.rpm
postgresql84-contrib-8.4.18-1.el5_10.i386.rpm
postgresql84-debuginfo-8.4.18-1.el5_10.i386.rpm
postgresql84-devel-8.4.18-1.el5_10.i386.rpm
postgresql84-docs-8.4.18-1.el5_10.i386.rpm
postgresql84-libs-8.4.18-1.el5_10.i386.rpm
postgresql84-plperl-8.4.18-1.el5_10.i386.rpm
postgresql84-plpython-8.4.18-1.el5_10.i386.rpm
postgresql84-pltcl-8.4.18-1.el5_10.i386.rpm
postgresql84-python-8.4.18-1.el5_10.i386.rpm
postgresql84-server-8.4.18-1.el5_10.i386.rpm
postgresql84-tcl-8.4.18-1.el5_10.i386.rpm
postgresql84-test-8.4.18-1.el5_10.i386.rpm

ia64:
postgresql84-8.4.18-1.el5_10.ia64.rpm
postgresql84-contrib-8.4.18-1.el5_10.ia64.rpm
postgresql84-debuginfo-8.4.18-1.el5_10.ia64.rpm
postgresql84-devel-8.4.18-1.el5_10.ia64.rpm
postgresql84-docs-8.4.18-1.el5_10.ia64.rpm
postgresql84-libs-8.4.18-1.el5_10.ia64.rpm
postgresql84-plperl-8.4.18-1.el5_10.ia64.rpm
postgresql84-plpython-8.4.18-1.el5_10.ia64.rpm
postgresql84-pltcl-8.4.18-1.el5_10.ia64.rpm
postgresql84-python-8.4.18-1.el5_10.ia64.rpm
postgresql84-server-8.4.18-1.el5_10.ia64.rpm
postgresql84-tcl-8.4.18-1.el5_10.ia64.rpm
postgresql84-test-8.4.18-1.el5_10.ia64.rpm

ppc:
postgresql84-8.4.18-1.el5_10.ppc.rpm
postgresql84-8.4.18-1.el5_10.ppc64.rpm
postgresql84-contrib-8.4.18-1.el5_10.ppc.rpm
postgresql84-debuginfo-8.4.18-1.el5_10.ppc.rpm
postgresql84-debuginfo-8.4.18-1.el5_10.ppc64.rpm
postgresql84-devel-8.4.18-1.el5_10.ppc.rpm
postgresql84-devel-8.4.18-1.el5_10.ppc64.rpm
postgresql84-docs-8.4.18-1.el5_10.ppc.rpm
postgresql84-libs-8.4.18-1.el5_10.ppc.rpm
postgresql84-libs-8.4.18-1.el5_10.ppc64.rpm
postgresql84-plperl-8.4.18-1.el5_10.ppc.rpm
postgresql84-plpython-8.4.18-1.el5_10.ppc.rpm
postgresql84-pltcl-8.4.18-1.el5_10.ppc.rpm
postgresql84-python-8.4.18-1.el5_10.ppc.rpm
postgresql84-server-8.4.18-1.el5_10.ppc.rpm
postgresql84-tcl-8.4.18-1.el5_10.ppc.rpm
postgresql84-test-8.4.18-1.el5_10.ppc.rpm

s390x:
postgresql84-8.4.18-1.el5_10.s390x.rpm
postgresql84-contrib-8.4.18-1.el5_10.s390x.rpm
postgresql84-debuginfo-8.4.18-1.el5_10.s390.rpm
postgresql84-debuginfo-8.4.18-1.el5_10.s390x.rpm
postgresql84-devel-8.4.18-1.el5_10.s390.rpm
postgresql84-devel-8.4.18-1.el5_10.s390x.rpm
postgresql84-docs-8.4.18-1.el5_10.s390x.rpm
postgresql84-libs-8.4.18-1.el5_10.s390.rpm
postgresql84-libs-8.4.18-1.el5_10.s390x.rpm
postgresql84-plperl-8.4.18-1.el5_10.s390x.rpm
postgresql84-plpython-8.4.18-1.el5_10.s390x.rpm
postgresql84-pltcl-8.4.18-1.el5_10.s390x.rpm
postgresql84-python-8.4.18-1.el5_10.s390x.rpm
postgresql84-server-8.4.18-1.el5_10.s390x.rpm
postgresql84-tcl-8.4.18-1.el5_10.s390x.rpm
postgresql84-test-8.4.18-1.el5_10.s390x.rpm

x86_64:
postgresql84-8.4.18-1.el5_10.x86_64.rpm
postgresql84-contrib-8.4.18-1.el5_10.x86_64.rpm
postgresql84-debuginfo-8.4.18-1.el5_10.i386.rpm
postgresql84-debuginfo-8.4.18-1.el5_10.x86_64.rpm
postgresql84-devel-8.4.18-1.el5_10.i386.rpm
postgresql84-devel-8.4.18-1.el5_10.x86_64.rpm
postgresql84-docs-8.4.18-1.el5_10.x86_64.rpm
postgresql84-libs-8.4.18-1.el5_10.i386.rpm
postgresql84-libs-8.4.18-1.el5_10.x86_64.rpm
postgresql84-plperl-8.4.18-1.el5_10.x86_64.rpm
postgresql84-plpython-8.4.18-1.el5_10.x86_64.rpm
postgresql84-pltcl-8.4.18-1.el5_10.x86_64.rpm
postgresql84-python-8.4.18-1.el5_10.x86_64.rpm
postgresql84-server-8.4.18-1.el5_10.x86_64.rpm
postgresql84-tcl-8.4.18-1.el5_10.x86_64.rpm
postgresql84-test-8.4.18-1.el5_10.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/postgresql-8.4.18-1.el6_4.src.rpm

i386:
postgresql-debuginfo-8.4.18-1.el6_4.i686.rpm
postgresql-libs-8.4.18-1.el6_4.i686.rpm

x86_64:
postgresql-debuginfo-8.4.18-1.el6_4.i686.rpm
postgresql-debuginfo-8.4.18-1.el6_4.x86_64.rpm
postgresql-libs-8.4.18-1.el6_4.i686.rpm
postgresql-libs-8.4.18-1.el6_4.x86_64.rpm

Red Hat Enterprise Linux Desktop Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/postgresql-8.4.18-1.el6_4.src.rpm

i386:
postgresql-8.4.18-1.el6_4.i686.rpm
postgresql-contrib-8.4.18-1.el6_4.i686.rpm
postgresql-debuginfo-8.4.18-1.el6_4.i686.rpm
postgresql-devel-8.4.18-1.el6_4.i686.rpm
postgresql-docs-8.4.18-1.el6_4.i686.rpm
postgresql-plperl-8.4.18-1.el6_4.i686.rpm
postgresql-plpython-8.4.18-1.el6_4.i686.rpm
postgresql-pltcl-8.4.18-1.el6_4.i686.rpm
postgresql-server-8.4.18-1.el6_4.i686.rpm
postgresql-test-8.4.18-1.el6_4.i686.rpm

x86_64:
postgresql-8.4.18-1.el6_4.i686.rpm
postgresql-8.4.18-1.el6_4.x86_64.rpm
postgresql-contrib-8.4.18-1.el6_4.x86_64.rpm
postgresql-debuginfo-8.4.18-1.el6_4.i686.rpm
postgresql-debuginfo-8.4.18-1.el6_4.x86_64.rpm
postgresql-devel-8.4.18-1.el6_4.i686.rpm
postgresql-devel-8.4.18-1.el6_4.x86_64.rpm
postgresql-docs-8.4.18-1.el6_4.x86_64.rpm
postgresql-plperl-8.4.18-1.el6_4.x86_64.rpm
postgresql-plpython-8.4.18-1.el6_4.x86_64.rpm
postgresql-pltcl-8.4.18-1.el6_4.x86_64.rpm
postgresql-server-8.4.18-1.el6_4.x86_64.rpm
postgresql-test-8.4.18-1.el6_4.x86_64.rpm

Red Hat Enterprise Linux HPC Node (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/postgresql-8.4.18-1.el6_4.src.rpm

x86_64:
postgresql-8.4.18-1.el6_4.i686.rpm
postgresql-8.4.18-1.el6_4.x86_64.rpm
postgresql-debuginfo-8.4.18-1.el6_4.i686.rpm
postgresql-debuginfo-8.4.18-1.el6_4.x86_64.rpm
postgresql-libs-8.4.18-1.el6_4.i686.rpm
postgresql-libs-8.4.18-1.el6_4.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/postgresql-8.4.18-1.el6_4.src.rpm

x86_64:
postgresql-contrib-8.4.18-1.el6_4.x86_64.rpm
postgresql-debuginfo-8.4.18-1.el6_4.i686.rpm
postgresql-debuginfo-8.4.18-1.el6_4.x86_64.rpm
postgresql-devel-8.4.18-1.el6_4.i686.rpm
postgresql-devel-8.4.18-1.el6_4.x86_64.rpm
postgresql-docs-8.4.18-1.el6_4.x86_64.rpm
postgresql-plperl-8.4.18-1.el6_4.x86_64.rpm
postgresql-plpython-8.4.18-1.el6_4.x86_64.rpm
postgresql-pltcl-8.4.18-1.el6_4.x86_64.rpm
postgresql-server-8.4.18-1.el6_4.x86_64.rpm
postgresql-test-8.4.18-1.el6_4.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/postgresql-8.4.18-1.el6_4.src.rpm

i386:
postgresql-8.4.18-1.el6_4.i686.rpm
postgresql-contrib-8.4.18-1.el6_4.i686.rpm
postgresql-debuginfo-8.4.18-1.el6_4.i686.rpm
postgresql-devel-8.4.18-1.el6_4.i686.rpm
postgresql-docs-8.4.18-1.el6_4.i686.rpm
postgresql-libs-8.4.18-1.el6_4.i686.rpm
postgresql-plperl-8.4.18-1.el6_4.i686.rpm
postgresql-plpython-8.4.18-1.el6_4.i686.rpm
postgresql-pltcl-8.4.18-1.el6_4.i686.rpm
postgresql-server-8.4.18-1.el6_4.i686.rpm
postgresql-test-8.4.18-1.el6_4.i686.rpm

ppc64:
postgresql-8.4.18-1.el6_4.ppc.rpm
postgresql-8.4.18-1.el6_4.ppc64.rpm
postgresql-contrib-8.4.18-1.el6_4.ppc64.rpm
postgresql-debuginfo-8.4.18-1.el6_4.ppc.rpm
postgresql-debuginfo-8.4.18-1.el6_4.ppc64.rpm
postgresql-devel-8.4.18-1.el6_4.ppc.rpm
postgresql-devel-8.4.18-1.el6_4.ppc64.rpm
postgresql-docs-8.4.18-1.el6_4.ppc64.rpm
postgresql-libs-8.4.18-1.el6_4.ppc.rpm
postgresql-libs-8.4.18-1.el6_4.ppc64.rpm
postgresql-plperl-8.4.18-1.el6_4.ppc64.rpm
postgresql-plpython-8.4.18-1.el6_4.ppc64.rpm
postgresql-pltcl-8.4.18-1.el6_4.ppc64.rpm
postgresql-server-8.4.18-1.el6_4.ppc64.rpm
postgresql-test-8.4.18-1.el6_4.ppc64.rpm

s390x:
postgresql-8.4.18-1.el6_4.s390.rpm
postgresql-8.4.18-1.el6_4.s390x.rpm
postgresql-contrib-8.4.18-1.el6_4.s390x.rpm
postgresql-debuginfo-8.4.18-1.el6_4.s390.rpm
postgresql-debuginfo-8.4.18-1.el6_4.s390x.rpm
postgresql-devel-8.4.18-1.el6_4.s390.rpm
postgresql-devel-8.4.18-1.el6_4.s390x.rpm
postgresql-docs-8.4.18-1.el6_4.s390x.rpm
postgresql-libs-8.4.18-1.el6_4.s390.rpm
postgresql-libs-8.4.18-1.el6_4.s390x.rpm
postgresql-plperl-8.4.18-1.el6_4.s390x.rpm
postgresql-plpython-8.4.18-1.el6_4.s390x.rpm
postgresql-pltcl-8.4.18-1.el6_4.s390x.rpm
postgresql-server-8.4.18-1.el6_4.s390x.rpm
postgresql-test-8.4.18-1.el6_4.s390x.rpm

x86_64:
postgresql-8.4.18-1.el6_4.i686.rpm
postgresql-8.4.18-1.el6_4.x86_64.rpm
postgresql-contrib-8.4.18-1.el6_4.x86_64.rpm
postgresql-debuginfo-8.4.18-1.el6_4.i686.rpm
postgresql-debuginfo-8.4.18-1.el6_4.x86_64.rpm
postgresql-devel-8.4.18-1.el6_4.i686.rpm
postgresql-devel-8.4.18-1.el6_4.x86_64.rpm
postgresql-docs-8.4.18-1.el6_4.x86_64.rpm
postgresql-libs-8.4.18-1.el6_4.i686.rpm
postgresql-libs-8.4.18-1.el6_4.x86_64.rpm
postgresql-plperl-8.4.18-1.el6_4.x86_64.rpm
postgresql-plpython-8.4.18-1.el6_4.x86_64.rpm
postgresql-pltcl-8.4.18-1.el6_4.x86_64.rpm
postgresql-server-8.4.18-1.el6_4.x86_64.rpm
postgresql-test-8.4.18-1.el6_4.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/postgresql-8.4.18-1.el6_4.src.rpm

i386:
postgresql-8.4.18-1.el6_4.i686.rpm
postgresql-contrib-8.4.18-1.el6_4.i686.rpm
postgresql-debuginfo-8.4.18-1.el6_4.i686.rpm
postgresql-devel-8.4.18-1.el6_4.i686.rpm
postgresql-docs-8.4.18-1.el6_4.i686.rpm
postgresql-libs-8.4.18-1.el6_4.i686.rpm
postgresql-plperl-8.4.18-1.el6_4.i686.rpm
postgresql-plpython-8.4.18-1.el6_4.i686.rpm
postgresql-pltcl-8.4.18-1.el6_4.i686.rpm
postgresql-server-8.4.18-1.el6_4.i686.rpm
postgresql-test-8.4.18-1.el6_4.i686.rpm

x86_64:
postgresql-8.4.18-1.el6_4.i686.rpm
postgresql-8.4.18-1.el6_4.x86_64.rpm
postgresql-contrib-8.4.18-1.el6_4.x86_64.rpm
postgresql-debuginfo-8.4.18-1.el6_4.i686.rpm
postgresql-debuginfo-8.4.18-1.el6_4.x86_64.rpm
postgresql-devel-8.4.18-1.el6_4.i686.rpm
postgresql-devel-8.4.18-1.el6_4.x86_64.rpm
postgresql-docs-8.4.18-1.el6_4.x86_64.rpm
postgresql-libs-8.4.18-1.el6_4.i686.rpm
postgresql-libs-8.4.18-1.el6_4.x86_64.rpm
postgresql-plperl-8.4.18-1.el6_4.x86_64.rpm
postgresql-plpython-8.4.18-1.el6_4.x86_64.rpm
postgresql-pltcl-8.4.18-1.el6_4.x86_64.rpm
postgresql-server-8.4.18-1.el6_4.x86_64.rpm
postgresql-test-8.4.18-1.el6_4.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details
on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-0255.html
https://www.redhat.com/security/data/cve/CVE-2013-1900.html
https://access.redhat.com/security/updates/classification/#moderate
http://www.postgresql.org/docs/8.4/static/release-8-4-18.html

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFScCZhXlSAg2UNWIIRAq1+AJ4vcrw1RRXE04ML0cLDIRqRAvxr8gCcDsPI
AFMQoVQnnT50UXV6rpw+akM=
=R3O9
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Tue Oct 29 21:21:12 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 29 Oct 2013 21:21:12 +0000
Subject: [RHSA-2013:1476-01] Critical: firefox security update
Message-ID: <201310292121.r9TLLChS016330@int-mx11.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: firefox security update
Advisory ID:       RHSA-2013:1476-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-1476.html
Issue date:        2013-10-29
CVE Names:         CVE-2013-5590 CVE-2013-5595 CVE-2013-5597
                   CVE-2013-5599 CVE-2013-5600 CVE-2013-5601
                   CVE-2013-5602 CVE-2013-5604
=====================================================================

1. Summary:

Updated firefox packages that fix several security issues are now available
for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64

3. Description:

Mozilla Firefox is an open source web browser. XULRunner provides the XUL
Runtime environment for Mozilla Firefox.

Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Firefox to terminate
unexpectedly or, potentially, execute arbitrary code with the privileges of
the user running Firefox. (CVE-2013-5590, CVE-2013-5597, CVE-2013-5599,
CVE-2013-5600, CVE-2013-5601, CVE-2013-5602)

It was found that the Firefox JavaScript engine incorrectly allocated memory
for certain functions. An attacker could combine this flaw with other
vulnerabilities to execute arbitrary code with the privileges of the user
running Firefox. (CVE-2013-5595)

A flaw was found in the way Firefox handled certain Extensible Stylesheet
Language Transformations (XSLT) files. An attacker could combine this flaw
with other vulnerabilities to execute arbitrary code with the privileges of
the user running Firefox. (CVE-2013-5604)

Red Hat would like to thank the Mozilla project for reporting these issues.
Upstream acknowledges Jesse Ruderman, Christoph Diehl, Dan Gohman,
Byoungyoung Lee, Nils, and Abhishek Arya as the original reporters of these
issues.

For technical details regarding these flaws, refer to the Mozilla security
advisories for Firefox 17.0.10 ESR. You can find a link to the Mozilla
advisories in the References section of this erratum.
All Firefox users should upgrade to these updated packages, which contain Firefox version 17.0.10 ESR, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258 5. Bugs fixed (http://bugzilla.redhat.com/): 983488 - Resizing window changes window size to 0 with third party window manager 1023835 - CVE-2013-5590 Mozilla: Miscellaneous memory safety hazards (rv:17.0.10) (MFSA 2013-93) 1023839 - CVE-2013-5595 Mozilla: Improperly initialized memory and overflows in some JavaScript functions (MFSA 2013-96) 1023841 - CVE-2013-5597 Mozilla: Use-after-free when updating offline cache (MFSA 2013-98) 1023843 - CVE-2013-5599 CVE-2013-5600 CVE-2013-5601 Mozilla: Miscellaneous use-after-free issues found through ASAN fuzzing (MFSA 2013-100) 1023844 - CVE-2013-5602 Mozilla: Memory corruption in workers (MFSA 2013-101) 1023863 - CVE-2013-5604 Mozilla: Access violation with XSLT and uninitialized data (MFSA 2013-95) 6. Package List: Red Hat Enterprise Linux Desktop (v. 
5 client): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/firefox-17.0.10-1.el5_10.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/xulrunner-17.0.10-1.el5_10.src.rpm i386: firefox-17.0.10-1.el5_10.i386.rpm firefox-debuginfo-17.0.10-1.el5_10.i386.rpm xulrunner-17.0.10-1.el5_10.i386.rpm xulrunner-debuginfo-17.0.10-1.el5_10.i386.rpm x86_64: firefox-17.0.10-1.el5_10.i386.rpm firefox-17.0.10-1.el5_10.x86_64.rpm firefox-debuginfo-17.0.10-1.el5_10.i386.rpm firefox-debuginfo-17.0.10-1.el5_10.x86_64.rpm xulrunner-17.0.10-1.el5_10.i386.rpm xulrunner-17.0.10-1.el5_10.x86_64.rpm xulrunner-debuginfo-17.0.10-1.el5_10.i386.rpm xulrunner-debuginfo-17.0.10-1.el5_10.x86_64.rpm RHEL Desktop Workstation (v. 5 client): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/xulrunner-17.0.10-1.el5_10.src.rpm i386: xulrunner-debuginfo-17.0.10-1.el5_10.i386.rpm xulrunner-devel-17.0.10-1.el5_10.i386.rpm x86_64: xulrunner-debuginfo-17.0.10-1.el5_10.i386.rpm xulrunner-debuginfo-17.0.10-1.el5_10.x86_64.rpm xulrunner-devel-17.0.10-1.el5_10.i386.rpm xulrunner-devel-17.0.10-1.el5_10.x86_64.rpm Red Hat Enterprise Linux (v. 
5 server): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/firefox-17.0.10-1.el5_10.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/xulrunner-17.0.10-1.el5_10.src.rpm i386: firefox-17.0.10-1.el5_10.i386.rpm firefox-debuginfo-17.0.10-1.el5_10.i386.rpm xulrunner-17.0.10-1.el5_10.i386.rpm xulrunner-debuginfo-17.0.10-1.el5_10.i386.rpm xulrunner-devel-17.0.10-1.el5_10.i386.rpm ia64: firefox-17.0.10-1.el5_10.ia64.rpm firefox-debuginfo-17.0.10-1.el5_10.ia64.rpm xulrunner-17.0.10-1.el5_10.ia64.rpm xulrunner-debuginfo-17.0.10-1.el5_10.ia64.rpm xulrunner-devel-17.0.10-1.el5_10.ia64.rpm ppc: firefox-17.0.10-1.el5_10.ppc.rpm firefox-debuginfo-17.0.10-1.el5_10.ppc.rpm xulrunner-17.0.10-1.el5_10.ppc.rpm xulrunner-17.0.10-1.el5_10.ppc64.rpm xulrunner-debuginfo-17.0.10-1.el5_10.ppc.rpm xulrunner-debuginfo-17.0.10-1.el5_10.ppc64.rpm xulrunner-devel-17.0.10-1.el5_10.ppc.rpm xulrunner-devel-17.0.10-1.el5_10.ppc64.rpm s390x: firefox-17.0.10-1.el5_10.s390.rpm firefox-17.0.10-1.el5_10.s390x.rpm firefox-debuginfo-17.0.10-1.el5_10.s390.rpm firefox-debuginfo-17.0.10-1.el5_10.s390x.rpm xulrunner-17.0.10-1.el5_10.s390.rpm xulrunner-17.0.10-1.el5_10.s390x.rpm xulrunner-debuginfo-17.0.10-1.el5_10.s390.rpm xulrunner-debuginfo-17.0.10-1.el5_10.s390x.rpm xulrunner-devel-17.0.10-1.el5_10.s390.rpm xulrunner-devel-17.0.10-1.el5_10.s390x.rpm x86_64: firefox-17.0.10-1.el5_10.i386.rpm firefox-17.0.10-1.el5_10.x86_64.rpm firefox-debuginfo-17.0.10-1.el5_10.i386.rpm firefox-debuginfo-17.0.10-1.el5_10.x86_64.rpm xulrunner-17.0.10-1.el5_10.i386.rpm xulrunner-17.0.10-1.el5_10.x86_64.rpm xulrunner-debuginfo-17.0.10-1.el5_10.i386.rpm xulrunner-debuginfo-17.0.10-1.el5_10.x86_64.rpm xulrunner-devel-17.0.10-1.el5_10.i386.rpm xulrunner-devel-17.0.10-1.el5_10.x86_64.rpm Red Hat Enterprise Linux Desktop (v. 
6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/firefox-17.0.10-1.el6_4.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/xulrunner-17.0.10-1.el6_4.src.rpm i386: firefox-17.0.10-1.el6_4.i686.rpm firefox-debuginfo-17.0.10-1.el6_4.i686.rpm xulrunner-17.0.10-1.el6_4.i686.rpm xulrunner-debuginfo-17.0.10-1.el6_4.i686.rpm x86_64: firefox-17.0.10-1.el6_4.i686.rpm firefox-17.0.10-1.el6_4.x86_64.rpm firefox-debuginfo-17.0.10-1.el6_4.i686.rpm firefox-debuginfo-17.0.10-1.el6_4.x86_64.rpm xulrunner-17.0.10-1.el6_4.i686.rpm xulrunner-17.0.10-1.el6_4.x86_64.rpm xulrunner-debuginfo-17.0.10-1.el6_4.i686.rpm xulrunner-debuginfo-17.0.10-1.el6_4.x86_64.rpm Red Hat Enterprise Linux Desktop Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/xulrunner-17.0.10-1.el6_4.src.rpm i386: xulrunner-debuginfo-17.0.10-1.el6_4.i686.rpm xulrunner-devel-17.0.10-1.el6_4.i686.rpm x86_64: xulrunner-debuginfo-17.0.10-1.el6_4.i686.rpm xulrunner-debuginfo-17.0.10-1.el6_4.x86_64.rpm xulrunner-devel-17.0.10-1.el6_4.i686.rpm xulrunner-devel-17.0.10-1.el6_4.x86_64.rpm Red Hat Enterprise Linux HPC Node Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/firefox-17.0.10-1.el6_4.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/xulrunner-17.0.10-1.el6_4.src.rpm x86_64: firefox-17.0.10-1.el6_4.i686.rpm firefox-17.0.10-1.el6_4.x86_64.rpm firefox-debuginfo-17.0.10-1.el6_4.i686.rpm firefox-debuginfo-17.0.10-1.el6_4.x86_64.rpm xulrunner-17.0.10-1.el6_4.i686.rpm xulrunner-17.0.10-1.el6_4.x86_64.rpm xulrunner-debuginfo-17.0.10-1.el6_4.i686.rpm xulrunner-debuginfo-17.0.10-1.el6_4.x86_64.rpm xulrunner-devel-17.0.10-1.el6_4.i686.rpm xulrunner-devel-17.0.10-1.el6_4.x86_64.rpm Red Hat Enterprise Linux Server (v. 
6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/firefox-17.0.10-1.el6_4.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/xulrunner-17.0.10-1.el6_4.src.rpm i386: firefox-17.0.10-1.el6_4.i686.rpm firefox-debuginfo-17.0.10-1.el6_4.i686.rpm xulrunner-17.0.10-1.el6_4.i686.rpm xulrunner-debuginfo-17.0.10-1.el6_4.i686.rpm ppc64: firefox-17.0.10-1.el6_4.ppc.rpm firefox-17.0.10-1.el6_4.ppc64.rpm firefox-debuginfo-17.0.10-1.el6_4.ppc.rpm firefox-debuginfo-17.0.10-1.el6_4.ppc64.rpm xulrunner-17.0.10-1.el6_4.ppc.rpm xulrunner-17.0.10-1.el6_4.ppc64.rpm xulrunner-debuginfo-17.0.10-1.el6_4.ppc.rpm xulrunner-debuginfo-17.0.10-1.el6_4.ppc64.rpm s390x: firefox-17.0.10-1.el6_4.s390.rpm firefox-17.0.10-1.el6_4.s390x.rpm firefox-debuginfo-17.0.10-1.el6_4.s390.rpm firefox-debuginfo-17.0.10-1.el6_4.s390x.rpm xulrunner-17.0.10-1.el6_4.s390.rpm xulrunner-17.0.10-1.el6_4.s390x.rpm xulrunner-debuginfo-17.0.10-1.el6_4.s390.rpm xulrunner-debuginfo-17.0.10-1.el6_4.s390x.rpm x86_64: firefox-17.0.10-1.el6_4.i686.rpm firefox-17.0.10-1.el6_4.x86_64.rpm firefox-debuginfo-17.0.10-1.el6_4.i686.rpm firefox-debuginfo-17.0.10-1.el6_4.x86_64.rpm xulrunner-17.0.10-1.el6_4.i686.rpm xulrunner-17.0.10-1.el6_4.x86_64.rpm xulrunner-debuginfo-17.0.10-1.el6_4.i686.rpm xulrunner-debuginfo-17.0.10-1.el6_4.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 
6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/xulrunner-17.0.10-1.el6_4.src.rpm i386: xulrunner-debuginfo-17.0.10-1.el6_4.i686.rpm xulrunner-devel-17.0.10-1.el6_4.i686.rpm ppc64: xulrunner-debuginfo-17.0.10-1.el6_4.ppc.rpm xulrunner-debuginfo-17.0.10-1.el6_4.ppc64.rpm xulrunner-devel-17.0.10-1.el6_4.ppc.rpm xulrunner-devel-17.0.10-1.el6_4.ppc64.rpm s390x: xulrunner-debuginfo-17.0.10-1.el6_4.s390.rpm xulrunner-debuginfo-17.0.10-1.el6_4.s390x.rpm xulrunner-devel-17.0.10-1.el6_4.s390.rpm xulrunner-devel-17.0.10-1.el6_4.s390x.rpm x86_64: xulrunner-debuginfo-17.0.10-1.el6_4.i686.rpm xulrunner-debuginfo-17.0.10-1.el6_4.x86_64.rpm xulrunner-devel-17.0.10-1.el6_4.i686.rpm xulrunner-devel-17.0.10-1.el6_4.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/firefox-17.0.10-1.el6_4.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/xulrunner-17.0.10-1.el6_4.src.rpm i386: firefox-17.0.10-1.el6_4.i686.rpm firefox-debuginfo-17.0.10-1.el6_4.i686.rpm xulrunner-17.0.10-1.el6_4.i686.rpm xulrunner-debuginfo-17.0.10-1.el6_4.i686.rpm x86_64: firefox-17.0.10-1.el6_4.i686.rpm firefox-17.0.10-1.el6_4.x86_64.rpm firefox-debuginfo-17.0.10-1.el6_4.i686.rpm firefox-debuginfo-17.0.10-1.el6_4.x86_64.rpm xulrunner-17.0.10-1.el6_4.i686.rpm xulrunner-17.0.10-1.el6_4.x86_64.rpm xulrunner-debuginfo-17.0.10-1.el6_4.i686.rpm xulrunner-debuginfo-17.0.10-1.el6_4.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 
6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/xulrunner-17.0.10-1.el6_4.src.rpm i386: xulrunner-debuginfo-17.0.10-1.el6_4.i686.rpm xulrunner-devel-17.0.10-1.el6_4.i686.rpm x86_64: xulrunner-debuginfo-17.0.10-1.el6_4.i686.rpm xulrunner-debuginfo-17.0.10-1.el6_4.x86_64.rpm xulrunner-devel-17.0.10-1.el6_4.i686.rpm xulrunner-devel-17.0.10-1.el6_4.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2013-5590.html https://www.redhat.com/security/data/cve/CVE-2013-5595.html https://www.redhat.com/security/data/cve/CVE-2013-5597.html https://www.redhat.com/security/data/cve/CVE-2013-5599.html https://www.redhat.com/security/data/cve/CVE-2013-5600.html https://www.redhat.com/security/data/cve/CVE-2013-5601.html https://www.redhat.com/security/data/cve/CVE-2013-5602.html https://www.redhat.com/security/data/cve/CVE-2013-5604.html https://access.redhat.com/security/updates/classification/#critical http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2013 Red Hat, Inc. 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFScCazXlSAg2UNWIIRAhnUAJ979wspIqZAmWQ+7flmxHEUEAV/2ACfRTZh
aIuuOC+zENjo4qGBt9x75Ho=
=zh5L
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Oct 30 16:35:46 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 30 Oct 2013 16:35:46 +0000
Subject: [RHSA-2013:1480-01] Important: thunderbird security update
Message-ID: <201310301635.r9UGZk6r007752@int-mx01.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Important: thunderbird security update
Advisory ID: RHSA-2013:1480-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-1480.html
Issue date: 2013-10-30
CVE Names: CVE-2013-5590 CVE-2013-5595 CVE-2013-5597 CVE-2013-5599 CVE-2013-5600 CVE-2013-5601 CVE-2013-5602 CVE-2013-5604
=====================================================================

1. Summary:

An updated thunderbird package that fixes several security issues is now available for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

Several flaws were found in the processing of malformed content.
Malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2013-5590, CVE-2013-5597, CVE-2013-5599, CVE-2013-5600, CVE-2013-5601, CVE-2013-5602)

It was found that the Thunderbird JavaScript engine incorrectly allocated memory for certain functions. An attacker could combine this flaw with other vulnerabilities to execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2013-5595)

A flaw was found in the way Thunderbird handled certain Extensible Stylesheet Language Transformations (XSLT) files. An attacker could combine this flaw with other vulnerabilities to execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2013-5604)

Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Jesse Ruderman, Christoph Diehl, Dan Gohman, Byoungyoung Lee, Nils, and Abhishek Arya as the original reporters of these issues.

Note: None of the above issues can be exploited by a specially-crafted HTML mail message, as JavaScript is disabled by default for mail messages. They could be exploited another way in Thunderbird, for example, when viewing the full remote content of an RSS feed.

For technical details regarding these flaws, refer to the Mozilla security advisories for Thunderbird 17.0.10 ESR. You can find a link to the Mozilla advisories in the References section of this erratum.

All Thunderbird users should upgrade to this updated package, which contains Thunderbird version 17.0.10 ESR, which corrects these issues. After installing the update, Thunderbird must be restarted for the changes to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network.
Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

1023835 - CVE-2013-5590 Mozilla: Miscellaneous memory safety hazards (rv:17.0.10) (MFSA 2013-93)
1023839 - CVE-2013-5595 Mozilla: Improperly initialized memory and overflows in some JavaScript functions (MFSA 2013-96)
1023841 - CVE-2013-5597 Mozilla: Use-after-free when updating offline cache (MFSA 2013-98)
1023843 - CVE-2013-5599 CVE-2013-5600 CVE-2013-5601 Mozilla: Miscellaneous use-after-free issues found through ASAN fuzzing (MFSA 2013-100)
1023844 - CVE-2013-5602 Mozilla: Memory corruption in workers (MFSA 2013-101)
1023863 - CVE-2013-5604 Mozilla: Access violation with XSLT and uninitialized data (MFSA 2013-95)

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/thunderbird-17.0.10-1.el5_10.src.rpm

i386:
thunderbird-17.0.10-1.el5_10.i386.rpm
thunderbird-debuginfo-17.0.10-1.el5_10.i386.rpm

x86_64:
thunderbird-17.0.10-1.el5_10.x86_64.rpm
thunderbird-debuginfo-17.0.10-1.el5_10.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/thunderbird-17.0.10-1.el6_4.src.rpm

i386:
thunderbird-17.0.10-1.el6_4.i686.rpm
thunderbird-debuginfo-17.0.10-1.el6_4.i686.rpm

x86_64:
thunderbird-17.0.10-1.el6_4.x86_64.rpm
thunderbird-debuginfo-17.0.10-1.el6_4.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/thunderbird-17.0.10-1.el6_4.src.rpm

i386:
thunderbird-17.0.10-1.el6_4.i686.rpm
thunderbird-debuginfo-17.0.10-1.el6_4.i686.rpm

ppc64:
thunderbird-17.0.10-1.el6_4.ppc64.rpm
thunderbird-debuginfo-17.0.10-1.el6_4.ppc64.rpm

s390x:
thunderbird-17.0.10-1.el6_4.s390x.rpm
thunderbird-debuginfo-17.0.10-1.el6_4.s390x.rpm

x86_64:
thunderbird-17.0.10-1.el6_4.x86_64.rpm
thunderbird-debuginfo-17.0.10-1.el6_4.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/thunderbird-17.0.10-1.el6_4.src.rpm

i386:
thunderbird-17.0.10-1.el6_4.i686.rpm
thunderbird-debuginfo-17.0.10-1.el6_4.i686.rpm

x86_64:
thunderbird-17.0.10-1.el6_4.x86_64.rpm
thunderbird-debuginfo-17.0.10-1.el6_4.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-5590.html
https://www.redhat.com/security/data/cve/CVE-2013-5595.html
https://www.redhat.com/security/data/cve/CVE-2013-5597.html
https://www.redhat.com/security/data/cve/CVE-2013-5599.html
https://www.redhat.com/security/data/cve/CVE-2013-5600.html
https://www.redhat.com/security/data/cve/CVE-2013-5601.html
https://www.redhat.com/security/data/cve/CVE-2013-5602.html
https://www.redhat.com/security/data/cve/CVE-2013-5604.html
https://access.redhat.com/security/updates/classification/#important
http://www.mozilla.org/security/known-vulnerabilities/thunderbirdESR.html

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFScTVDXlSAg2UNWIIRAlrCAKCfzA2owaQLBwxu1Ig0egoq3ecopQCgoTfO
VuE4BlyFgC01QqVfNQFkdQQ=
=J/AE
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Oct 30 16:36:10 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 30 Oct 2013 16:36:10 +0000
Subject: [RHSA-2013:1482-01] Low: Red Hat Enterprise Linux 3 Extended Lifecycle Support 3-month Notice
Message-ID: <201310301636.r9UGaAAt002006@int-mx02.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Low: Red Hat Enterprise Linux 3 Extended Lifecycle Support 3-month Notice
Advisory ID: RHSA-2013:1482-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-1482.html
Issue date: 2013-10-30
=====================================================================

1. Summary:

This is the 3-month notification for the retirement of Red Hat Enterprise Linux 3 Extended Lifecycle Support (ELS).

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS (v. 3 ELS) - i386
Red Hat Enterprise Linux ES (v. 3 ELS) - i386

3. Description:

In accordance with the Red Hat Enterprise Linux Errata Support Policy, Extended Lifecycle Support (ELS) for Red Hat Enterprise Linux 3 will be retired as of January 30, 2014, and support will no longer be provided. Accordingly, Red Hat will no longer provide updated packages, including critical impact security patches or urgent priority bug fixes, for Red Hat Enterprise Linux 3 ELS after that date. In addition, technical support through Red Hat's Global Support Services will no longer be provided after January 30, 2014.

Note: This notification applies only to those customers subscribed to the Extended Lifecycle Support (ELS) channel for Red Hat Enterprise Linux 3.
We encourage customers to plan their migration from Red Hat Enterprise Linux 3 to a more recent version of Red Hat Enterprise Linux 5 or 6. As a benefit of the Red Hat subscription model, customers can use their active subscriptions to entitle any system on a currently supported Red Hat Enterprise Linux 5 release or Red Hat Enterprise Linux 6 release.

Details of the Red Hat Enterprise Linux life cycle can be found here: https://access.redhat.com/support/policy/updates/errata/

4. Solution:

This erratum contains an updated redhat-release package, that provides a copy of this retirement notice in the "/usr/share/doc/" directory.

5. Package List:

Red Hat Enterprise Linux AS (v. 3 ELS):

Source:
redhat-release-3AS-13.9.16.src.rpm

i386:
redhat-release-3AS-13.9.16.i386.rpm
redhat-release-debuginfo-3AS-13.9.16.i386.rpm

Red Hat Enterprise Linux ES (v. 3 ELS):

Source:
redhat-release-3ES-13.9.16.src.rpm

i386:
redhat-release-3ES-13.9.16.i386.rpm
redhat-release-debuginfo-3ES-13.9.16.i386.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

6. References:

https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/support/policy/updates/errata/

7. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFScTVqXlSAg2UNWIIRAm6rAKCkTs/p15CIWHxwR7hvMSmRCggMKACaAhMr
t9fiQCHQO9hTs6wSTXgKP/g=
=M7SY
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Oct 31 16:29:49 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 31 Oct 2013 16:29:49 +0000
Subject: [RHSA-2013:1490-01] Important: kernel-rt security and bug fix update
Message-ID: <201310311629.r9VGToPV023154@int-mx01.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Important: kernel-rt security and bug fix update
Advisory ID: RHSA-2013:1490-01
Product: Red Hat Enterprise MRG for RHEL-6
Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-1490.html
Issue date: 2013-10-31
CVE Names: CVE-2013-0343 CVE-2013-2888 CVE-2013-2892 CVE-2013-2893 CVE-2013-2895 CVE-2013-2896 CVE-2013-4299 CVE-2013-4343 CVE-2013-4345 CVE-2013-4348 CVE-2013-4350 CVE-2013-4387
=====================================================================

1. Summary:

Updated kernel-rt packages that fix multiple security issues and one bug are now available for Red Hat Enterprise MRG 2.4.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

MRG Realtime for RHEL 6 Server v.2 - noarch, x86_64

3. Description:

The kernel-rt packages contain the Linux kernel, the core of any Linux operating system.

* A flaw was found in the way IP packets with an Internet Header Length (ihl) of zero were processed in the skb_flow_dissect() function in the Linux kernel. A remote attacker could use this flaw to trigger an infinite loop in the kernel, leading to a denial of service. (CVE-2013-4348, Important)

* A flaw was found in the way the Linux kernel's IPv6 implementation handled certain UDP packets when the UDP Fragmentation Offload (UFO) feature was enabled. A remote attacker could use this flaw to crash the system or, potentially, escalate their privileges on the system. (CVE-2013-4387, Important)

* A flaw was found in the way the Linux kernel handled the creation of temporary IPv6 addresses. If the IPv6 privacy extension was enabled (/proc/sys/net/ipv6/conf/eth0/use_tempaddr set to '2'), an attacker on the local network could disable IPv6 temporary address generation, leading to a potential information disclosure. (CVE-2013-0343, Moderate)

* A flaw was found in the way the Linux kernel handled HID (Human Interface Device) reports with an out-of-bounds Report ID. An attacker with physical access to the system could use this flaw to crash the system or, potentially, escalate their privileges on the system. (CVE-2013-2888, Moderate)

* Heap-based buffer overflow flaws were found in the way the Pantherlord/GreenAsia game controller driver, the Logitech force feedback drivers, and the Logitech Unifying receivers driver handled HID reports. An attacker with physical access to the system could use these flaws to crash the system or, potentially, escalate their privileges on the system. (CVE-2013-2892, CVE-2013-2893, CVE-2013-2895, Moderate)

* A NULL pointer dereference flaw was found in the way the N-Trig touch screen driver handled HID reports. An attacker with physical access to the system could use this flaw to crash the system, resulting in a denial of service. (CVE-2013-2896, Moderate)

* An information leak flaw was found in the way the Linux kernel's device mapper subsystem, under certain conditions, interpreted data written to snapshot block devices. An attacker could use this flaw to read data from disk blocks in free space, which are normally inaccessible. (CVE-2013-4299, Moderate)

* A use-after-free flaw was found in the tun_set_iff() function in the Universal TUN/TAP device driver implementation in the Linux kernel. A privileged user could use this flaw to crash the system or, potentially, further escalate their privileges on the system. (CVE-2013-4343, Moderate)

* An off-by-one flaw was found in the way the ANSI CPRNG implementation in the Linux kernel processed non-block size aligned requests. This could lead to random numbers being generated with fewer bits of entropy than expected when ANSI CPRNG was used. (CVE-2013-4345, Moderate)

* A flaw was found in the way the Linux kernel's IPv6 SCTP implementation interacted with the IPsec subsystem. This resulted in unencrypted SCTP packets being sent over the network even though IPsec encryption was enabled. An attacker able to inspect these SCTP packets could use this flaw to obtain potentially sensitive information. (CVE-2013-4350, Moderate)

Red Hat would like to thank Fujitsu for reporting CVE-2013-4299 and Stephan Mueller for reporting CVE-2013-4345. The CVE-2013-4348 issue was discovered by Jason Wang of Red Hat.

Bug fix:

* RoCE appeared to be supported in the MRG Realtime kernel even when the required user space packages from the HPN channel were not installed. The Realtime kernel now checks for the HPN channel packages before exposing the RoCE interfaces. RoCE devices appear as plain 10GigE devices if the needed HPN channel user space packages are not installed. (BZ#1012993)

Users should upgrade to these updated packages, which upgrade the kernel-rt kernel to version kernel-rt-3.8.13-rt14, and correct these issues. The system must be rebooted for this update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network.
Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

To install kernel packages manually, use "rpm -ivh [package]". Do not use "rpm -Uvh" as that will remove the running kernel binaries from your system. You may use "rpm -e" to remove old kernels after determining that the new kernel functions properly on your system.

5. Bugs fixed (http://bugzilla.redhat.com/):

914664 - CVE-2013-0343 kernel: handling of IPv6 temporary addresses
1000360 - CVE-2013-2895 Kernel: HID: logitech-dj: heap overflow flaw
1000414 - CVE-2013-2893 Kernel: HID: LG: heap overflow flaw
1000429 - CVE-2013-2892 Kernel: HID: pantherlord: heap overflow flaw
1000451 - CVE-2013-2888 Kernel: HID: memory corruption flaw
1000494 - CVE-2013-2896 Kernel: HID: ntrig: NULL pointer dereference
1004233 - CVE-2013-4299 kernel: dm: dm-snapshot data leak
1007690 - CVE-2013-4345 kernel: ansi_cprng: off by one error in non-block size request
1007733 - CVE-2013-4343 Kernel: net: use-after-free TUNSETIFF
1007872 - CVE-2013-4350 kernel: net: sctp: ipv6 ipsec encryption bug in sctp_v6_xmit
1007939 - CVE-2013-4348 kernel: net: deadloop path in skb_flow_dissect()
1011927 - CVE-2013-4387 Kernel: net: IPv6: panic when UFO=On for an interface
1012993 - mlx4: Don't show RoCE interfaces if the hpn channel is not installed

6. Package List:

MRG Realtime for RHEL 6 Server v.2:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHEMRG-RHEL6/SRPMS/kernel-rt-3.8.13-rt14.25.el6rt.src.rpm

noarch:
kernel-rt-doc-3.8.13-rt14.25.el6rt.noarch.rpm
kernel-rt-firmware-3.8.13-rt14.25.el6rt.noarch.rpm
mrg-rt-release-3.8.13-rt14.25.el6rt.noarch.rpm

x86_64:
kernel-rt-3.8.13-rt14.25.el6rt.x86_64.rpm
kernel-rt-debug-3.8.13-rt14.25.el6rt.x86_64.rpm
kernel-rt-debug-debuginfo-3.8.13-rt14.25.el6rt.x86_64.rpm
kernel-rt-debug-devel-3.8.13-rt14.25.el6rt.x86_64.rpm
kernel-rt-debuginfo-3.8.13-rt14.25.el6rt.x86_64.rpm
kernel-rt-debuginfo-common-x86_64-3.8.13-rt14.25.el6rt.x86_64.rpm
kernel-rt-devel-3.8.13-rt14.25.el6rt.x86_64.rpm
kernel-rt-trace-3.8.13-rt14.25.el6rt.x86_64.rpm
kernel-rt-trace-debuginfo-3.8.13-rt14.25.el6rt.x86_64.rpm
kernel-rt-trace-devel-3.8.13-rt14.25.el6rt.x86_64.rpm
kernel-rt-vanilla-3.8.13-rt14.25.el6rt.x86_64.rpm
kernel-rt-vanilla-debuginfo-3.8.13-rt14.25.el6rt.x86_64.rpm
kernel-rt-vanilla-devel-3.8.13-rt14.25.el6rt.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-0343.html
https://www.redhat.com/security/data/cve/CVE-2013-2888.html
https://www.redhat.com/security/data/cve/CVE-2013-2892.html
https://www.redhat.com/security/data/cve/CVE-2013-2893.html
https://www.redhat.com/security/data/cve/CVE-2013-2895.html
https://www.redhat.com/security/data/cve/CVE-2013-2896.html
https://www.redhat.com/security/data/cve/CVE-2013-4299.html
https://www.redhat.com/security/data/cve/CVE-2013-4343.html
https://www.redhat.com/security/data/cve/CVE-2013-4345.html
https://www.redhat.com/security/data/cve/CVE-2013-4348.html
https://www.redhat.com/security/data/cve/CVE-2013-4350.html
https://www.redhat.com/security/data/cve/CVE-2013-4387.html
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFScoTNXlSAg2UNWIIRArQ9AKC+zLIFuCiouQc65SiEJThJ4eS94gCgtiRp
7xo4y5duHWb2LD+MwW0fm5A=
=GSR7
-----END PGP SIGNATURE-----
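The manual kernel-rt procedure from the Solution section of RHSA-2013:1490-01 (rpm -ivh for kernel packages, never rpm -Uvh, rpm -e on old kernels only once the new one is known to work) together with the package signature check the advisory points to, as an added example that is not part of the advisory or of Red Hat's tooling. KEY_FILE, the function names and the ".debug"/".trace"/".vanilla" suffix convention for uname -r of the flavour kernels are assumptions; the package names are taken from the advisory's package list.

```shell
#!/bin/sh
# Added example, not part of RHSA-2013:1490-01: the manual kernel-rt
# install procedure from the advisory's Solution section, with the
# signature check the advisory points to and a guard against removing
# the running kernel. KEY_FILE is a placeholder path; package names
# are the advisory's own.

KEY_FILE="${KEY_FILE:-/path/to/RPM-GPG-KEY-redhat-release}"   # placeholder

# rpm option for one package file: "-ivh" for kernel packages, so the
# new kernel is installed next to the running one, "-Uvh" for the rest
# (the advisory warns that -Uvh would remove the running kernel).
rpm_install_flag() {
    case "$(basename "$1")" in
        kernel*) echo "-ivh" ;;
        *)       echo "-Uvh" ;;
    esac
}

# "<version>-<release>.<arch>" of a kernel-rt package, e.g.
# kernel-rt-debug-devel-3.8.13-rt14.25.el6rt.x86_64.rpm -> 3.8.13-rt14.25.el6rt.x86_64
# Flavour and sub-package segments (debug, trace, vanilla, devel, ...)
# are dropped until the first segment that starts with a digit.
kernel_pkg_vra() {
    vra=$(basename "$1" .rpm)
    vra=${vra#kernel-rt-}
    while :; do
        case "$vra" in
            [0-9]*) break ;;
            *-*)    vra=${vra#*-} ;;
            *)      break ;;
        esac
    done
    printf '%s\n' "$vra"
}

# True when PACKAGE belongs to the kernel running now. RUNNING is
# normally "$(uname -r)"; the ".debug"/".trace"/".vanilla" suffix the
# flavour kernels are assumed to append is stripped before comparing.
# Sub-packages (devel, debuginfo) of the running kernel are kept too,
# the conservative choice for "rpm -e".
is_running_kernel() {
    running=$2
    for suffix in .debug .trace .vanilla; do
        running=${running%"$suffix"}
    done
    [ "$(kernel_pkg_vra "$1")" = "$running" ]
}

# True once the system runs the kernel this advisory ships
# (kernel-rt-3.8.13-rt14): the advisory allows "rpm -e" on old kernels
# only after the new kernel has been seen to work.
booted_into_update() {
    case "$1" in
        3.8.13-rt14*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Run rpm's signature check and insist that a GPG/PGP signature was
# actually verified (an unsigned package also passes "rpm -K").
verify_signature() {
    out=$(rpm -K "$1") || { echo "signature check failed: $1" >&2; return 1; }
    case "$out" in
        *pgp*|*gpg*|*PGP*|*GPG*) return 0 ;;
    esac
    echo "no GPG signature on $1" >&2
    return 1
}

# Import the key, verify every package, then install each one with the
# option from rpm_install_flag. Fails early when rpm is not installed.
install_advisory_packages() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not found" >&2; return 1; }
    if [ -r "$KEY_FILE" ]; then rpm --import "$KEY_FILE"; fi
    for f in "$@"; do verify_signature "$f" || return 1; done
    for f in "$@"; do rpm "$(rpm_install_flag "$f")" "$f" || return 1; done
    echo "Reboot now; remove old kernels only after booted_into_update \"\$(uname -r)\" succeeds."
}

# Refuse to remove the running kernel; otherwise hand the package to rpm -e.
remove_old_kernel() {
    if is_running_kernel "$1" "$(uname -r)"; then
        echo "refusing to remove running kernel $1" >&2
        return 1
    fi
    rpm -e "$1"
}
```

Usage on a real system: install_advisory_packages kernel-rt-3.8.13-rt14.25.el6rt.x86_64.rpm kernel-rt-firmware-3.8.13-rt14.25.el6rt.noarch.rpm, reboot, check booted_into_update "$(uname -r)", and only then remove_old_kernel on the previous kernel-rt package.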