From bugzilla at redhat.com Mon Feb 3 18:58:48 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 3 Feb 2014 18:58:48 +0000
Subject: [RHSA-2014:0126-01] Moderate: openldap security and bug fix update
Message-ID: <201402031858.s13IwmDg018902@int-mx09.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: openldap security and bug fix update
Advisory ID:       RHSA-2014:0126-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0126.html
Issue date:        2014-02-03
CVE Names:         CVE-2013-4449
=====================================================================

1. Summary:

Updated openldap packages that fix one security issue and one bug are now
available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64

3. Description:

OpenLDAP is an open source suite of Lightweight Directory Access Protocol
(LDAP) applications and development tools. LDAP is a set of protocols used
to access and maintain distributed directory information services over an
IP network. The openldap package contains configuration files, libraries,
and documentation for OpenLDAP.

A denial of service flaw was found in the way the OpenLDAP server daemon
(slapd) performed reference counting when using the rwm (rewrite/remap)
overlay. A remote attacker able to query the OpenLDAP server could use this
flaw to crash the server by immediately unbinding from the server after
sending a search request. (CVE-2013-4449)

Red Hat would like to thank Michael Vishchers from Seven Principles AG for
reporting this issue.

This update also fixes the following bug:

* Previously, OpenLDAP did not properly handle a number of simultaneous
updates. As a consequence, sending a number of parallel update requests to
the server could cause a deadlock. With this update, a superfluous locking
mechanism causing the deadlock has been removed, thus fixing the bug.
(BZ#1056124)

All openldap users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1019490 - CVE-2013-4449 openldap: segfault on certain queries with rwm overlay

6. Package List:

Red Hat Enterprise Linux Desktop (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/openldap-2.4.23-34.el6_5.1.src.rpm

i386:
openldap-2.4.23-34.el6_5.1.i686.rpm
openldap-clients-2.4.23-34.el6_5.1.i686.rpm
openldap-debuginfo-2.4.23-34.el6_5.1.i686.rpm

x86_64:
openldap-2.4.23-34.el6_5.1.i686.rpm
openldap-2.4.23-34.el6_5.1.x86_64.rpm
openldap-clients-2.4.23-34.el6_5.1.x86_64.rpm
openldap-debuginfo-2.4.23-34.el6_5.1.i686.rpm
openldap-debuginfo-2.4.23-34.el6_5.1.x86_64.rpm

Red Hat Enterprise Linux Desktop Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/openldap-2.4.23-34.el6_5.1.src.rpm

i386:
openldap-debuginfo-2.4.23-34.el6_5.1.i686.rpm
openldap-devel-2.4.23-34.el6_5.1.i686.rpm
openldap-servers-2.4.23-34.el6_5.1.i686.rpm
openldap-servers-sql-2.4.23-34.el6_5.1.i686.rpm

x86_64:
openldap-debuginfo-2.4.23-34.el6_5.1.i686.rpm
openldap-debuginfo-2.4.23-34.el6_5.1.x86_64.rpm
openldap-devel-2.4.23-34.el6_5.1.i686.rpm
openldap-devel-2.4.23-34.el6_5.1.x86_64.rpm
openldap-servers-2.4.23-34.el6_5.1.x86_64.rpm
openldap-servers-sql-2.4.23-34.el6_5.1.x86_64.rpm

Red Hat Enterprise Linux HPC Node (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/openldap-2.4.23-34.el6_5.1.src.rpm

x86_64:
openldap-2.4.23-34.el6_5.1.i686.rpm
openldap-2.4.23-34.el6_5.1.x86_64.rpm
openldap-clients-2.4.23-34.el6_5.1.x86_64.rpm
openldap-debuginfo-2.4.23-34.el6_5.1.i686.rpm
openldap-debuginfo-2.4.23-34.el6_5.1.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/openldap-2.4.23-34.el6_5.1.src.rpm

x86_64:
openldap-debuginfo-2.4.23-34.el6_5.1.i686.rpm
openldap-debuginfo-2.4.23-34.el6_5.1.x86_64.rpm
openldap-devel-2.4.23-34.el6_5.1.i686.rpm
openldap-devel-2.4.23-34.el6_5.1.x86_64.rpm
openldap-servers-2.4.23-34.el6_5.1.x86_64.rpm
openldap-servers-sql-2.4.23-34.el6_5.1.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/openldap-2.4.23-34.el6_5.1.src.rpm

i386:
openldap-2.4.23-34.el6_5.1.i686.rpm
openldap-clients-2.4.23-34.el6_5.1.i686.rpm
openldap-debuginfo-2.4.23-34.el6_5.1.i686.rpm
openldap-devel-2.4.23-34.el6_5.1.i686.rpm
openldap-servers-2.4.23-34.el6_5.1.i686.rpm

ppc64:
openldap-2.4.23-34.el6_5.1.ppc.rpm
openldap-2.4.23-34.el6_5.1.ppc64.rpm
openldap-clients-2.4.23-34.el6_5.1.ppc64.rpm
openldap-debuginfo-2.4.23-34.el6_5.1.ppc.rpm
openldap-debuginfo-2.4.23-34.el6_5.1.ppc64.rpm
openldap-devel-2.4.23-34.el6_5.1.ppc.rpm
openldap-devel-2.4.23-34.el6_5.1.ppc64.rpm
openldap-servers-2.4.23-34.el6_5.1.ppc64.rpm

s390x:
openldap-2.4.23-34.el6_5.1.s390.rpm
openldap-2.4.23-34.el6_5.1.s390x.rpm
openldap-clients-2.4.23-34.el6_5.1.s390x.rpm
openldap-debuginfo-2.4.23-34.el6_5.1.s390.rpm
openldap-debuginfo-2.4.23-34.el6_5.1.s390x.rpm
openldap-devel-2.4.23-34.el6_5.1.s390.rpm
openldap-devel-2.4.23-34.el6_5.1.s390x.rpm
openldap-servers-2.4.23-34.el6_5.1.s390x.rpm

x86_64:
openldap-2.4.23-34.el6_5.1.i686.rpm
openldap-2.4.23-34.el6_5.1.x86_64.rpm
openldap-clients-2.4.23-34.el6_5.1.x86_64.rpm
openldap-debuginfo-2.4.23-34.el6_5.1.i686.rpm
openldap-debuginfo-2.4.23-34.el6_5.1.x86_64.rpm
openldap-devel-2.4.23-34.el6_5.1.i686.rpm
openldap-devel-2.4.23-34.el6_5.1.x86_64.rpm
openldap-servers-2.4.23-34.el6_5.1.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/openldap-2.4.23-34.el6_5.1.src.rpm

i386:
openldap-debuginfo-2.4.23-34.el6_5.1.i686.rpm
openldap-servers-sql-2.4.23-34.el6_5.1.i686.rpm

ppc64:
openldap-debuginfo-2.4.23-34.el6_5.1.ppc64.rpm
openldap-servers-sql-2.4.23-34.el6_5.1.ppc64.rpm

s390x:
openldap-debuginfo-2.4.23-34.el6_5.1.s390x.rpm
openldap-servers-sql-2.4.23-34.el6_5.1.s390x.rpm

x86_64:
openldap-debuginfo-2.4.23-34.el6_5.1.x86_64.rpm
openldap-servers-sql-2.4.23-34.el6_5.1.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/openldap-2.4.23-34.el6_5.1.src.rpm

i386:
openldap-2.4.23-34.el6_5.1.i686.rpm
openldap-clients-2.4.23-34.el6_5.1.i686.rpm
openldap-debuginfo-2.4.23-34.el6_5.1.i686.rpm
openldap-devel-2.4.23-34.el6_5.1.i686.rpm
openldap-servers-2.4.23-34.el6_5.1.i686.rpm

x86_64:
openldap-2.4.23-34.el6_5.1.i686.rpm
openldap-2.4.23-34.el6_5.1.x86_64.rpm
openldap-clients-2.4.23-34.el6_5.1.x86_64.rpm
openldap-debuginfo-2.4.23-34.el6_5.1.i686.rpm
openldap-debuginfo-2.4.23-34.el6_5.1.x86_64.rpm
openldap-devel-2.4.23-34.el6_5.1.i686.rpm
openldap-devel-2.4.23-34.el6_5.1.x86_64.rpm
openldap-servers-2.4.23-34.el6_5.1.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/openldap-2.4.23-34.el6_5.1.src.rpm

i386:
openldap-debuginfo-2.4.23-34.el6_5.1.i686.rpm
openldap-servers-sql-2.4.23-34.el6_5.1.i686.rpm

x86_64:
openldap-debuginfo-2.4.23-34.el6_5.1.x86_64.rpm
openldap-servers-sql-2.4.23-34.el6_5.1.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-4449.html
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
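A check an administrator would run after reading the package list above, added here as an example and not part of this advisory or of Red Hat's tooling: it re-implements rpm's version ordering (rpmvercmp, minus the later '^' rule that RHEL 6's rpm lacks) in pure Python and reports installed openldap builds older than the fixed 2.4.23-34.el6_5.1 release. The installed package strings are constructed samples; on a real host they would come from `rpm -qa`.

```python
# Added example (not Red Hat tooling): decide whether installed RPMs are
# older than the builds an RHSA lists, using rpm's own version ordering.
from typing import List, NamedTuple

# Fixed builds exactly as listed under "6. Package List" for
# Red Hat Enterprise Linux Server (v. 6), x86_64, in RHSA-2014:0126.
FIXED_PACKAGES = [
    "openldap-2.4.23-34.el6_5.1.x86_64.rpm",
    "openldap-clients-2.4.23-34.el6_5.1.x86_64.rpm",
    "openldap-servers-2.4.23-34.el6_5.1.x86_64.rpm",
]

# Constructed sample of what `rpm -qa` might report; not from the advisory.
SAMPLE_INSTALLED = [
    "openldap-2.4.23-32.el6_4.1.x86_64",          # older release: vulnerable
    "openldap-clients-2.4.23-34.el6_5.1.x86_64",  # exactly the fixed build
    "openldap-servers-2.4.23-34.el6_5.2.x86_64",  # a later erratum: fine
    "bash-4.1.2-15.el6_4.x86_64",                 # not covered by this RHSA
]


class Nvra(NamedTuple):
    name: str
    version: str
    release: str
    arch: str


def parse_nvra(s: str) -> Nvra:
    """Split 'name-version-release.arch[.rpm]'; the name may contain '-',
    so version and release are peeled off from the right."""
    if s.endswith(".rpm"):
        s = s[:-4]
    rest, arch = s.rsplit(".", 1)
    name, version, release = rest.rsplit("-", 2)
    return Nvra(name, version, release, arch)


def rpmvercmp(a: str, b: str) -> int:
    """-1/0/1 ordering a against b as rpm's rpmvercmp does (minus the newer
    '^' rule RHEL 6 lacks): digit runs compare numerically, letter runs as
    strings, numeric beats alphabetic, '~' sorts before anything (even end
    of string, so 1.0~rc1 < 1.0), and leftover segments win (1.0.1 > 1.0)."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # separators ('.', '_', '-', ...) carry no meaning: skip them
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        a_tilde = i < len(a) and a[i] == "~"
        b_tilde = j < len(b) and b[j] == "~"
        if a_tilde or b_tilde:
            if not a_tilde:
                return 1
            if not b_tilde:
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        # take one segment of the same kind (digits or letters) from each
        numeric = a[i].isdigit()
        same_kind = str.isdigit if numeric else str.isalpha
        si, sj = i, j
        while i < len(a) and same_kind(a[i]):
            i += 1
        while j < len(b) and same_kind(b[j]):
            j += 1
        seg_a, seg_b = a[si:i], b[sj:j]
        if not seg_b:
            return 1 if numeric else -1  # mixed kinds: numeric is newer
        if numeric:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def evr_cmp(a: Nvra, b: Nvra) -> int:
    """Version first, then release; the epoch is not in a filename, so it is
    assumed equal here."""
    return rpmvercmp(a.version, b.version) or rpmvercmp(a.release, b.release)


def vulnerable_packages(installed: List[str], fixed=FIXED_PACKAGES) -> List[str]:
    """Installed NVRAs older than the fixed build of the same name and arch;
    packages the advisory does not list are ignored."""
    fixed_by_key = {(p.name, p.arch): p for p in map(parse_nvra, fixed)}
    pkgs = [(s, parse_nvra(s)) for s in installed]
    return [s for s, p in pkgs
            if (p.name, p.arch) in fixed_by_key
            and evr_cmp(p, fixed_by_key[(p.name, p.arch)]) < 0]
```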
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFS7+a6XlSAg2UNWIIRAo7pAJoD62cPaHSs1QnOQpCamTBTTAA8WgCeJNrm
ADC5IUuqWpTL81X5s75NRFg=
=mHJG
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Mon Feb 3 18:59:40 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 3 Feb 2014 18:59:40 +0000
Subject: [RHSA-2014:0127-01] Moderate: librsvg2 security update
Message-ID: <201402031859.s13IxeGT019140@int-mx09.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: librsvg2 security update
Advisory ID:       RHSA-2014:0127-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0127.html
Issue date:        2014-02-03
CVE Names:         CVE-2013-1881
=====================================================================

1. Summary:

Updated librsvg2 packages that fix one security issue are now available for
Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64

3. Description:

The librsvg2 packages provide an SVG (Scalable Vector Graphics) library
based on libart.

An XML External Entity expansion flaw was found in the way librsvg2
processed SVG files. If a user were to open a malicious SVG file, a remote
attacker could possibly obtain a copy of the local resources that the user
had access to. (CVE-2013-1881)

All librsvg2 users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue. All running applications
that use librsvg2 must be restarted for this update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

924414 - CVE-2013-1881 librsvg2: local resource access vulnerability due to XML External Entity enablement

6. Package List:

Red Hat Enterprise Linux Desktop (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/librsvg2-2.26.0-6.el6_5.2.src.rpm

i386:
librsvg2-2.26.0-6.el6_5.2.i686.rpm
librsvg2-debuginfo-2.26.0-6.el6_5.2.i686.rpm

x86_64:
librsvg2-2.26.0-6.el6_5.2.i686.rpm
librsvg2-2.26.0-6.el6_5.2.x86_64.rpm
librsvg2-debuginfo-2.26.0-6.el6_5.2.i686.rpm
librsvg2-debuginfo-2.26.0-6.el6_5.2.x86_64.rpm

Red Hat Enterprise Linux Desktop Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/librsvg2-2.26.0-6.el6_5.2.src.rpm

i386:
librsvg2-debuginfo-2.26.0-6.el6_5.2.i686.rpm
librsvg2-devel-2.26.0-6.el6_5.2.i686.rpm

x86_64:
librsvg2-debuginfo-2.26.0-6.el6_5.2.i686.rpm
librsvg2-debuginfo-2.26.0-6.el6_5.2.x86_64.rpm
librsvg2-devel-2.26.0-6.el6_5.2.i686.rpm
librsvg2-devel-2.26.0-6.el6_5.2.x86_64.rpm

Red Hat Enterprise Linux HPC Node (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/librsvg2-2.26.0-6.el6_5.2.src.rpm

x86_64:
librsvg2-2.26.0-6.el6_5.2.i686.rpm
librsvg2-2.26.0-6.el6_5.2.x86_64.rpm
librsvg2-debuginfo-2.26.0-6.el6_5.2.i686.rpm
librsvg2-debuginfo-2.26.0-6.el6_5.2.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/librsvg2-2.26.0-6.el6_5.2.src.rpm

x86_64:
librsvg2-debuginfo-2.26.0-6.el6_5.2.i686.rpm
librsvg2-debuginfo-2.26.0-6.el6_5.2.x86_64.rpm
librsvg2-devel-2.26.0-6.el6_5.2.i686.rpm
librsvg2-devel-2.26.0-6.el6_5.2.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/librsvg2-2.26.0-6.el6_5.2.src.rpm

i386:
librsvg2-2.26.0-6.el6_5.2.i686.rpm
librsvg2-debuginfo-2.26.0-6.el6_5.2.i686.rpm
librsvg2-devel-2.26.0-6.el6_5.2.i686.rpm

ppc64:
librsvg2-2.26.0-6.el6_5.2.ppc.rpm
librsvg2-2.26.0-6.el6_5.2.ppc64.rpm
librsvg2-debuginfo-2.26.0-6.el6_5.2.ppc.rpm
librsvg2-debuginfo-2.26.0-6.el6_5.2.ppc64.rpm
librsvg2-devel-2.26.0-6.el6_5.2.ppc.rpm
librsvg2-devel-2.26.0-6.el6_5.2.ppc64.rpm

s390x:
librsvg2-2.26.0-6.el6_5.2.s390.rpm
librsvg2-2.26.0-6.el6_5.2.s390x.rpm
librsvg2-debuginfo-2.26.0-6.el6_5.2.s390.rpm
librsvg2-debuginfo-2.26.0-6.el6_5.2.s390x.rpm
librsvg2-devel-2.26.0-6.el6_5.2.s390.rpm
librsvg2-devel-2.26.0-6.el6_5.2.s390x.rpm

x86_64:
librsvg2-2.26.0-6.el6_5.2.i686.rpm
librsvg2-2.26.0-6.el6_5.2.x86_64.rpm
librsvg2-debuginfo-2.26.0-6.el6_5.2.i686.rpm
librsvg2-debuginfo-2.26.0-6.el6_5.2.x86_64.rpm
librsvg2-devel-2.26.0-6.el6_5.2.i686.rpm
librsvg2-devel-2.26.0-6.el6_5.2.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/librsvg2-2.26.0-6.el6_5.2.src.rpm

i386:
librsvg2-2.26.0-6.el6_5.2.i686.rpm
librsvg2-debuginfo-2.26.0-6.el6_5.2.i686.rpm
librsvg2-devel-2.26.0-6.el6_5.2.i686.rpm

x86_64:
librsvg2-2.26.0-6.el6_5.2.i686.rpm
librsvg2-2.26.0-6.el6_5.2.x86_64.rpm
librsvg2-debuginfo-2.26.0-6.el6_5.2.i686.rpm
librsvg2-debuginfo-2.26.0-6.el6_5.2.x86_64.rpm
librsvg2-devel-2.26.0-6.el6_5.2.i686.rpm
librsvg2-devel-2.26.0-6.el6_5.2.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-1881.html
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFS7+cEXlSAg2UNWIIRAudIAJ9B1vVs3HgJS443HmWKrKgrleqHOgCfUoRW
nm7/DBsWRnvBWm31cjTXH9Y=
=1fwz
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Tue Feb 4 20:27:31 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 4 Feb 2014 20:27:31 +0000
Subject: [RHSA-2014:0131-01] Low: Red Hat Enterprise Linux 3 Extended Life Cycle Support Retirement Notice
Message-ID: <201402042027.s14KRWYK017193@int-mx12.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: Red Hat Enterprise Linux 3 Extended Life Cycle Support Retirement Notice
Advisory ID:       RHSA-2014:0131-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0131.html
Issue date:        2014-02-04
=====================================================================

1. Summary:

This is the final notification for the retirement of Red Hat Enterprise
Linux 3 Extended Life Cycle Support (ELS).

This notice applies only to those customers subscribed in the Customer
Portal to the Extended Life Cycle Support (ELS) channel for Red Hat
Enterprise Linux 3.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS (v. 3 ELS) - i386
Red Hat Enterprise Linux ES (v. 3 ELS) - i386

3. Description:

In accordance with the Red Hat Enterprise Linux Errata Support Policy,
Extended Life Cycle Support (ELS) for Red Hat Enterprise Linux 3 was
retired on January 30, 2014, and support is no longer provided.
Accordingly, Red Hat will no longer provide updated packages, including
critical impact security patches or urgent priority bug fixes, for Red Hat
Enterprise Linux 3 ELS after January 30, 2014. In addition, technical
support through Red Hat's Global Support Services will no longer be
provided after this date.

In order to provide customers with a final opportunity to migrate their
systems to a supported version of Red Hat Enterprise Linux, the retirement
process for Red Hat Enterprise Linux 3 ELS will complete on March 31, 2014.
On that date, the Red Hat Enterprise Linux 3 ELS channels will be moved to
the "Retired" channels area (under the "Retired" tab) on the Customer
Portal, and customers will be unsubscribed from the Red Hat Enterprise
Linux 3 Extended Life Cycle Support channels.

For Red Hat Enterprise Linux 3 only, customers may continue to run Red Hat
Enterprise Linux 3 ELS on their systems without consuming a subscription.
However, customers wishing to access Red Hat Enterprise Linux 3 ELS content
(now under the "Retired" tab) on the Customer Portal will need an active
RHEL Server subscription. Also, customers who choose to resubscribe a
system to the retired Red Hat Enterprise Linux 3 ELS channels will consume
a RHEL Server subscription.

Note again that the contents of Retired channels are frozen, and no further
security patches or bug fixes are provided.

We encourage customers to plan their migration from Red Hat Enterprise
Linux 3 to a more recent version of Red Hat Enterprise Linux. As a benefit
of the Red Hat subscription model, customers can use active subscriptions
to entitle any system on a currently supported Red Hat Enterprise Linux
release.

Details of the Red Hat Enterprise Linux life cycle can be found here:
https://access.redhat.com/site/support/policy/updates/errata/

Additional information can also be found at:
https://access.redhat.com/site/solutions/690063

4. Solution:

This erratum contains an updated redhat-release package that provides a
copy of this retirement notice in the "/usr/share/doc/" directory.

5. Package List:

Red Hat Enterprise Linux AS (v. 3 ELS):

Source:
redhat-release-3AS-13.9.20.src.rpm

i386:
redhat-release-3AS-13.9.20.i386.rpm
redhat-release-debuginfo-3AS-13.9.20.i386.rpm

Red Hat Enterprise Linux ES (v. 3 ELS):

Source:
redhat-release-3ES-13.9.20.src.rpm

i386:
redhat-release-3ES-13.9.20.i386.rpm
redhat-release-debuginfo-3ES-13.9.20.i386.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

6. References:

https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/site/support/policy/updates/errata/
https://access.redhat.com/site/solutions/690063

7. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFS8U0TXlSAg2UNWIIRAkhrAJ9wQekC/Y0VNpl7NvagU5nmj9F9jgCffU0n
ADL3gt37axPJgWybPO0OyM4=
=ekMo
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Tue Feb 4 20:28:34 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 4 Feb 2014 20:28:34 +0000
Subject: [RHSA-2014:0132-01] Critical: firefox security update
Message-ID: <201402042028.s14KSZQZ017802@int-mx12.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: firefox security update
Advisory ID:       RHSA-2014:0132-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0132.html
Issue date:        2014-02-04
CVE Names:         CVE-2014-1477 CVE-2014-1479 CVE-2014-1481
                   CVE-2014-1482 CVE-2014-1486 CVE-2014-1487
=====================================================================

1. Summary:

Updated firefox packages that fix several security issues are now available
for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64

3. Description:

Mozilla Firefox is an open source web browser. XULRunner provides the XUL
Runtime environment for Mozilla Firefox.

Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Firefox to crash or,
potentially, execute arbitrary code with the privileges of the user running
Firefox. (CVE-2014-1477, CVE-2014-1482, CVE-2014-1486)

A flaw was found in the way Firefox handled error messages related to web
workers. An attacker could use this flaw to bypass the same-origin policy,
which could lead to cross-site scripting (XSS) attacks, or could
potentially be used to gather authentication tokens and other data from
third-party websites. (CVE-2014-1487)

A flaw was found in the implementation of System Only Wrappers (SOW). An
attacker could use this flaw to crash Firefox. When combined with other
vulnerabilities, this flaw could have additional security implications.
(CVE-2014-1479)

It was found that the Firefox JavaScript engine incorrectly handled window
objects. A remote attacker could use this flaw to bypass certain security
checks and possibly execute arbitrary code. (CVE-2014-1481)

Red Hat would like to thank the Mozilla project for reporting these issues.
Upstream acknowledges Christian Holler, Terrence Cole, Jesse Ruderman, Gary
Kwong, Eric Rescorla, Jonathan Kew, Dan Gohman, Ryan VanderMeulen, Sotaro
Ikeda, Cody Crews, Fredrik "Flonka" Lönnqvist, Arthur Gerkis, Masato
Kinugawa, and Boris Zbarsky as the original reporters of these issues.

For technical details regarding these flaws, refer to the Mozilla security
advisories for Firefox 24.3.0 ESR. You can find a link to the Mozilla
advisories in the References section of this erratum.

All Firefox users should upgrade to these updated packages, which contain
Firefox version 24.3.0 ESR and correct these issues. After installing the
update, Firefox must be restarted for the changes to take effect.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1060938 - CVE-2014-1477 Mozilla: Miscellaneous memory safety hazards (rv:24.3) (MFSA 2014-01)
1060940 - CVE-2014-1479 Mozilla: Clone protected content with XBL scopes (MFSA 2014-02)
1060942 - CVE-2014-1482 Mozilla: Incorrect use of discarded images by RasterImage (MFSA 2014-04)
1060945 - CVE-2014-1486 Mozilla: Use-after-free with imgRequestProxy and image processing (MFSA 2014-08)
1060947 - CVE-2014-1487 Mozilla: Cross-origin information leak through web workers (MFSA 2014-09)
1060952 - CVE-2014-1481 Mozilla: Inconsistent JavaScript handling of access to Window objects (MFSA 2014-13)

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/firefox-24.3.0-2.el5_10.src.rpm

i386:
firefox-24.3.0-2.el5_10.i386.rpm
firefox-debuginfo-24.3.0-2.el5_10.i386.rpm

x86_64:
firefox-24.3.0-2.el5_10.i386.rpm
firefox-24.3.0-2.el5_10.x86_64.rpm
firefox-debuginfo-24.3.0-2.el5_10.i386.rpm
firefox-debuginfo-24.3.0-2.el5_10.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/firefox-24.3.0-2.el5_10.src.rpm

i386:
firefox-24.3.0-2.el5_10.i386.rpm
firefox-debuginfo-24.3.0-2.el5_10.i386.rpm

ia64:
firefox-24.3.0-2.el5_10.ia64.rpm
firefox-debuginfo-24.3.0-2.el5_10.ia64.rpm

ppc:
firefox-24.3.0-2.el5_10.ppc.rpm
firefox-debuginfo-24.3.0-2.el5_10.ppc.rpm

s390x:
firefox-24.3.0-2.el5_10.s390.rpm
firefox-24.3.0-2.el5_10.s390x.rpm
firefox-debuginfo-24.3.0-2.el5_10.s390.rpm
firefox-debuginfo-24.3.0-2.el5_10.s390x.rpm

x86_64:
firefox-24.3.0-2.el5_10.i386.rpm
firefox-24.3.0-2.el5_10.x86_64.rpm
firefox-debuginfo-24.3.0-2.el5_10.i386.rpm
firefox-debuginfo-24.3.0-2.el5_10.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/firefox-24.3.0-2.el6_5.src.rpm

i386:
firefox-24.3.0-2.el6_5.i686.rpm
firefox-debuginfo-24.3.0-2.el6_5.i686.rpm

x86_64:
firefox-24.3.0-2.el6_5.i686.rpm
firefox-24.3.0-2.el6_5.x86_64.rpm
firefox-debuginfo-24.3.0-2.el6_5.i686.rpm
firefox-debuginfo-24.3.0-2.el6_5.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/firefox-24.3.0-2.el6_5.src.rpm

x86_64:
firefox-24.3.0-2.el6_5.i686.rpm
firefox-24.3.0-2.el6_5.x86_64.rpm
firefox-debuginfo-24.3.0-2.el6_5.i686.rpm
firefox-debuginfo-24.3.0-2.el6_5.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/firefox-24.3.0-2.el6_5.src.rpm

i386:
firefox-24.3.0-2.el6_5.i686.rpm
firefox-debuginfo-24.3.0-2.el6_5.i686.rpm

ppc64:
firefox-24.3.0-2.el6_5.ppc.rpm
firefox-24.3.0-2.el6_5.ppc64.rpm
firefox-debuginfo-24.3.0-2.el6_5.ppc.rpm
firefox-debuginfo-24.3.0-2.el6_5.ppc64.rpm

s390x:
firefox-24.3.0-2.el6_5.s390.rpm
firefox-24.3.0-2.el6_5.s390x.rpm
firefox-debuginfo-24.3.0-2.el6_5.s390.rpm
firefox-debuginfo-24.3.0-2.el6_5.s390x.rpm

x86_64:
firefox-24.3.0-2.el6_5.i686.rpm
firefox-24.3.0-2.el6_5.x86_64.rpm
firefox-debuginfo-24.3.0-2.el6_5.i686.rpm
firefox-debuginfo-24.3.0-2.el6_5.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/firefox-24.3.0-2.el6_5.src.rpm

i386:
firefox-24.3.0-2.el6_5.i686.rpm
firefox-debuginfo-24.3.0-2.el6_5.i686.rpm

x86_64:
firefox-24.3.0-2.el6_5.i686.rpm
firefox-24.3.0-2.el6_5.x86_64.rpm
firefox-debuginfo-24.3.0-2.el6_5.i686.rpm
firefox-debuginfo-24.3.0-2.el6_5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2014-1477.html
https://www.redhat.com/security/data/cve/CVE-2014-1479.html
https://www.redhat.com/security/data/cve/CVE-2014-1481.html
https://www.redhat.com/security/data/cve/CVE-2014-1482.html
https://www.redhat.com/security/data/cve/CVE-2014-1486.html
https://www.redhat.com/security/data/cve/CVE-2014-1487.html
https://access.redhat.com/security/updates/classification/#critical
http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFS8U1JXlSAg2UNWIIRApfjAJ0cQzin4VjnsNiPHc/E119S/pcGEACgnbvb
a3zh/SYgbGHxwdBmQMnbjSw=
=R74K
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Tue Feb 4 20:29:52 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 4 Feb 2014 20:29:52 +0000
Subject: [RHSA-2014:0133-01] Important: thunderbird security update
Message-ID: <201402042029.s14KTqbQ008521@int-mx10.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: thunderbird security update
Advisory ID:       RHSA-2014:0133-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0133.html
Issue date:        2014-02-04
CVE Names:         CVE-2014-1477 CVE-2014-1479 CVE-2014-1481
                   CVE-2014-1482 CVE-2014-1486 CVE-2014-1487
=====================================================================

1. Summary:

An updated thunderbird package that fixes several security issues is now
available for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having
important security impact.
Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: RHEL Optional Productivity Applications (v. 5 server) - i386, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 3. Description: Mozilla Thunderbird is a standalone mail and newsgroup client. Several flaws were found in the processing of malformed content. Malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2014-1477, CVE-2014-1482, CVE-2014-1486) A flaw was found in the way Thunderbird handled error messages related to web workers. An attacker could use this flaw to bypass the same-origin policy, which could lead to cross-site scripting (XSS) attacks, or could potentially be used to gather authentication tokens and other data from third-party websites. (CVE-2014-1487) A flaw was found in the implementation of System Only Wrappers (SOW). An attacker could use this flaw to crash Thunderbird. When combined with other vulnerabilities, this flaw could have additional security implications. (CVE-2014-1479) It was found that the Thunderbird JavaScript engine incorrectly handled window objects. A remote attacker could use this flaw to bypass certain security checks and possibly execute arbitrary code. (CVE-2014-1481) Red Hat would like to thank the Mozilla project for reporting these issues. 
Upstream acknowledges Christian Holler, Terrence Cole, Jesse Ruderman, Gary Kwong, Eric Rescorla, Jonathan Kew, Dan Gohman, Ryan VanderMeulen, Sotaro Ikeda, Cody Crews, Fredrik "Flonka" Lönnqvist, Arthur Gerkis, Masato Kinugawa, and Boris Zbarsky as the original reporters of these issues.

Note: None of the above issues can be exploited by a specially crafted HTML mail message, because JavaScript is disabled by default for mail messages. They could be exploited in other ways in Thunderbird, for example when viewing the full remote content of an RSS feed.

For technical details regarding these flaws, refer to the Mozilla security advisories for Thunderbird 24.3.0. You can find a link to the Mozilla advisories in the References section of this erratum.

All Thunderbird users should upgrade to this updated package, which contains Thunderbird version 24.3.0 and corrects these issues. After installing the update, Thunderbird must be restarted for the changes to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1046167 - Thunderbird 24.2 no longer launches default browser for web links
1060938 - CVE-2014-1477 Mozilla: Miscellaneous memory safety hazards (rv:24.3) (MFSA 2014-01)
1060940 - CVE-2014-1479 Mozilla: Clone protected content with XBL scopes (MFSA 2014-02)
1060942 - CVE-2014-1482 Mozilla: Incorrect use of discarded images by RasterImage (MFSA 2014-04)
1060945 - CVE-2014-1486 Mozilla: Use-after-free with imgRequestProxy and image processing (MFSA 2014-08)
1060947 - CVE-2014-1487 Mozilla: Cross-origin information leak through web workers (MFSA 2014-09)
1060952 - CVE-2014-1481 Mozilla: Inconsistent JavaScript handling of access to Window objects (MFSA 2014-13)

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/thunderbird-24.3.0-2.el5_10.src.rpm

i386:
thunderbird-24.3.0-2.el5_10.i386.rpm
thunderbird-debuginfo-24.3.0-2.el5_10.i386.rpm

x86_64:
thunderbird-24.3.0-2.el5_10.x86_64.rpm
thunderbird-debuginfo-24.3.0-2.el5_10.x86_64.rpm

RHEL Optional Productivity Applications (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/thunderbird-24.3.0-2.el5_10.src.rpm

i386:
thunderbird-24.3.0-2.el5_10.i386.rpm
thunderbird-debuginfo-24.3.0-2.el5_10.i386.rpm

x86_64:
thunderbird-24.3.0-2.el5_10.x86_64.rpm
thunderbird-debuginfo-24.3.0-2.el5_10.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/thunderbird-24.3.0-2.el6_5.src.rpm

i386:
thunderbird-24.3.0-2.el6_5.i686.rpm
thunderbird-debuginfo-24.3.0-2.el6_5.i686.rpm

x86_64:
thunderbird-24.3.0-2.el6_5.x86_64.rpm
thunderbird-debuginfo-24.3.0-2.el6_5.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/thunderbird-24.3.0-2.el6_5.src.rpm

i386:
thunderbird-24.3.0-2.el6_5.i686.rpm
thunderbird-debuginfo-24.3.0-2.el6_5.i686.rpm

ppc64:
thunderbird-24.3.0-2.el6_5.ppc64.rpm
thunderbird-debuginfo-24.3.0-2.el6_5.ppc64.rpm

s390x:
thunderbird-24.3.0-2.el6_5.s390x.rpm
thunderbird-debuginfo-24.3.0-2.el6_5.s390x.rpm

x86_64:
thunderbird-24.3.0-2.el6_5.x86_64.rpm
thunderbird-debuginfo-24.3.0-2.el6_5.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/thunderbird-24.3.0-2.el6_5.src.rpm

i386:
thunderbird-24.3.0-2.el6_5.i686.rpm
thunderbird-debuginfo-24.3.0-2.el6_5.i686.rpm

x86_64:
thunderbird-24.3.0-2.el6_5.x86_64.rpm
thunderbird-debuginfo-24.3.0-2.el6_5.x86_64.rpm

These packages are GPG signed by Red Hat for security.
Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2014-1477.html
https://www.redhat.com/security/data/cve/CVE-2014-1479.html
https://www.redhat.com/security/data/cve/CVE-2014-1481.html
https://www.redhat.com/security/data/cve/CVE-2014-1482.html
https://www.redhat.com/security/data/cve/CVE-2014-1486.html
https://www.redhat.com/security/data/cve/CVE-2014-1487.html
https://access.redhat.com/security/updates/classification/#important
https://www.mozilla.org/security/known-vulnerabilities/thunderbird.html

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFS8U2HXlSAg2UNWIIRAkJLAJ9FrPzRYM2KRNoGbZ/N1334NlAaPwCePZs/
BBKF3ZQqNiPBkG5aC/BmPvM=
=/u8r
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Tue Feb 4 20:32:18 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 4 Feb 2014 20:32:18 +0000
Subject: [RHSA-2014:0134-01] Critical: java-1.7.0-ibm security update
Message-ID: <201402042032.s14KWIiq003213@int-mx01.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Critical: java-1.7.0-ibm security update
Advisory ID: RHSA-2014:0134-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-0134.html
Issue date: 2014-02-04
CVE Names: CVE-2013-5878 CVE-2013-5884 CVE-2013-5887 CVE-2013-5888 CVE-2013-5889 CVE-2013-5896 CVE-2013-5898 CVE-2013-5899 CVE-2013-5907 CVE-2013-5910 CVE-2014-0368 CVE-2014-0373 CVE-2014-0375 CVE-2014-0376 CVE-2014-0387 CVE-2014-0403 CVE-2014-0410 CVE-2014-0411 CVE-2014-0415 CVE-2014-0416 CVE-2014-0417 CVE-2014-0422 CVE-2014-0423 CVE-2014-0424 CVE-2014-0428
=====================================================================

1. Summary:

Updated java-1.7.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary.

The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node Supplementary (v. 6) - x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, ppc, s390x, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64

3. Description:

IBM Java SE version 7 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.

This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page, listed in the References section. (CVE-2013-5878, CVE-2013-5884, CVE-2013-5887, CVE-2013-5888, CVE-2013-5889, CVE-2013-5896, CVE-2013-5898, CVE-2013-5899, CVE-2013-5907, CVE-2013-5910, CVE-2014-0368, CVE-2014-0373, CVE-2014-0375, CVE-2014-0376, CVE-2014-0387, CVE-2014-0403, CVE-2014-0410, CVE-2014-0411, CVE-2014-0415, CVE-2014-0416, CVE-2014-0417, CVE-2014-0422, CVE-2014-0423, CVE-2014-0424, CVE-2014-0428)

All users of java-1.7.0-ibm are advised to upgrade to these updated packages, containing the IBM Java SE 7 SR6-FP1 release. All running instances of IBM Java must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1051519 - CVE-2014-0428 OpenJDK: insufficient security checks in IIOP streams (CORBA, 8025767)
1051528 - CVE-2014-0422 OpenJDK: insufficient package access checks in the Naming component (JNDI, 8025758)
1051699 - CVE-2014-0373 OpenJDK: SnmpStatusException handling issues (Serviceability, 7068126)
1051823 - CVE-2013-5878 OpenJDK: null xmlns handling issue (Security, 8025026)
1051911 - CVE-2013-5884 OpenJDK: insufficient security checks in CORBA stub factories (CORBA, 8026193)
1051912 - CVE-2014-0416 OpenJDK: insecure subject principals set handling (JAAS, 8024306)
1051923 - CVE-2014-0376 OpenJDK: document builder missing security checks (JAXP, 8027201, 8025018)
1052915 - CVE-2013-5907 ICU: Layout Engine LookupProcessor insufficient input checks (JDK 2D, 8025034)
1052919 - CVE-2014-0368 OpenJDK: insufficient Socket checkListen checks (Networking, 8011786)
1052942 - CVE-2013-5910 OpenJDK: XML canonicalizer mutable strings passed to untrusted code (Security, 8026417)
1053010 - CVE-2014-0411 OpenJDK: TLS/SSL handshake timing issues (JSSE, 8023069)
1053066 - CVE-2014-0423 OpenJDK: XXE issue in decoder (Beans, 8023245)
1053266 - CVE-2013-5896 OpenJDK: com.sun.corba.se. should be restricted package (CORBA, 8025022)
1053495 - CVE-2014-0410 Oracle JDK: unspecified vulnerability fixed in 6u71 and 7u51 (Deployment)
1053496 - CVE-2014-0415 Oracle JDK: unspecified vulnerability fixed in 6u71 and 7u51 (Deployment)
1053499 - CVE-2013-5889 Oracle JDK: unspecified vulnerability fixed in 6u71 and 7u51 (Deployment)
1053501 - CVE-2014-0417 Oracle JDK: unspecified vulnerability fixed in 5.0u71, 6u71 and 7u51 (2D)
1053502 - CVE-2014-0387 Oracle JDK: unspecified vulnerability fixed in 6u71 and 7u51 (Deployment)
1053504 - CVE-2014-0424 Oracle JDK: unspecified vulnerability fixed in 6u71 and 7u51 (Deployment)
1053507 - CVE-2014-0403 Oracle JDK: unspecified vulnerability fixed in 6u71 and 7u51 (Deployment)
1053508 - CVE-2014-0375 Oracle JDK: unspecified vulnerability fixed in 6u71 and 7u51 (Deployment)
1053515 - CVE-2013-5887 Oracle JDK: unspecified vulnerability fixed in 6u71 and 7u51 (Deployment)
1053516 - CVE-2013-5899 Oracle JDK: unspecified vulnerability fixed in 6u71 and 7u51 (Deployment)
1053517 - CVE-2013-5888 Oracle JDK: unspecified vulnerability fixed in 6u71 and 7u51 (Deployment)
1053518 - CVE-2013-5898 Oracle JDK: unspecified vulnerability fixed in 6u71 and 7u51 (Deployment)

6. Package List:

Red Hat Enterprise Linux Desktop Supplementary (v. 5):

i386:
java-1.7.0-ibm-1.7.0.6.1-1jpp.1.el5_10.i386.rpm
java-1.7.0-ibm-demo-1.7.0.6.1-1jpp.1.el5_10.i386.rpm
java-1.7.0-ibm-devel-1.7.0.6.1-1jpp.1.el5_10.i386.rpm
java-1.7.0-ibm-jdbc-1.7.0.6.1-1jpp.1.el5_10.i386.rpm
java-1.7.0-ibm-plugin-1.7.0.6.1-1jpp.1.el5_10.i386.rpm
java-1.7.0-ibm-src-1.7.0.6.1-1jpp.1.el5_10.i386.rpm

x86_64:
java-1.7.0-ibm-1.7.0.6.1-1jpp.1.el5_10.i386.rpm
java-1.7.0-ibm-1.7.0.6.1-1jpp.1.el5_10.x86_64.rpm
java-1.7.0-ibm-demo-1.7.0.6.1-1jpp.1.el5_10.i386.rpm
java-1.7.0-ibm-demo-1.7.0.6.1-1jpp.1.el5_10.x86_64.rpm
java-1.7.0-ibm-devel-1.7.0.6.1-1jpp.1.el5_10.i386.rpm
java-1.7.0-ibm-devel-1.7.0.6.1-1jpp.1.el5_10.x86_64.rpm
java-1.7.0-ibm-jdbc-1.7.0.6.1-1jpp.1.el5_10.i386.rpm
java-1.7.0-ibm-jdbc-1.7.0.6.1-1jpp.1.el5_10.x86_64.rpm
java-1.7.0-ibm-plugin-1.7.0.6.1-1jpp.1.el5_10.i386.rpm
java-1.7.0-ibm-plugin-1.7.0.6.1-1jpp.1.el5_10.x86_64.rpm
java-1.7.0-ibm-src-1.7.0.6.1-1jpp.1.el5_10.i386.rpm
java-1.7.0-ibm-src-1.7.0.6.1-1jpp.1.el5_10.x86_64.rpm

Red Hat Enterprise Linux Server Supplementary (v. 5):

i386:
java-1.7.0-ibm-1.7.0.6.1-1jpp.1.el5_10.i386.rpm
java-1.7.0-ibm-demo-1.7.0.6.1-1jpp.1.el5_10.i386.rpm
java-1.7.0-ibm-devel-1.7.0.6.1-1jpp.1.el5_10.i386.rpm
java-1.7.0-ibm-jdbc-1.7.0.6.1-1jpp.1.el5_10.i386.rpm
java-1.7.0-ibm-plugin-1.7.0.6.1-1jpp.1.el5_10.i386.rpm
java-1.7.0-ibm-src-1.7.0.6.1-1jpp.1.el5_10.i386.rpm

ppc:
java-1.7.0-ibm-1.7.0.6.1-1jpp.1.el5_10.ppc.rpm
java-1.7.0-ibm-1.7.0.6.1-1jpp.1.el5_10.ppc64.rpm
java-1.7.0-ibm-demo-1.7.0.6.1-1jpp.1.el5_10.ppc.rpm
java-1.7.0-ibm-demo-1.7.0.6.1-1jpp.1.el5_10.ppc64.rpm
java-1.7.0-ibm-devel-1.7.0.6.1-1jpp.1.el5_10.ppc.rpm
java-1.7.0-ibm-devel-1.7.0.6.1-1jpp.1.el5_10.ppc64.rpm
java-1.7.0-ibm-jdbc-1.7.0.6.1-1jpp.1.el5_10.ppc.rpm
java-1.7.0-ibm-jdbc-1.7.0.6.1-1jpp.1.el5_10.ppc64.rpm
java-1.7.0-ibm-plugin-1.7.0.6.1-1jpp.1.el5_10.ppc.rpm
java-1.7.0-ibm-src-1.7.0.6.1-1jpp.1.el5_10.ppc.rpm
java-1.7.0-ibm-src-1.7.0.6.1-1jpp.1.el5_10.ppc64.rpm

s390x:
java-1.7.0-ibm-1.7.0.6.1-1jpp.1.el5_10.s390.rpm
java-1.7.0-ibm-1.7.0.6.1-1jpp.1.el5_10.s390x.rpm
java-1.7.0-ibm-demo-1.7.0.6.1-1jpp.1.el5_10.s390.rpm
java-1.7.0-ibm-demo-1.7.0.6.1-1jpp.1.el5_10.s390x.rpm
java-1.7.0-ibm-devel-1.7.0.6.1-1jpp.1.el5_10.s390.rpm
java-1.7.0-ibm-devel-1.7.0.6.1-1jpp.1.el5_10.s390x.rpm
java-1.7.0-ibm-jdbc-1.7.0.6.1-1jpp.1.el5_10.s390.rpm
java-1.7.0-ibm-jdbc-1.7.0.6.1-1jpp.1.el5_10.s390x.rpm
java-1.7.0-ibm-src-1.7.0.6.1-1jpp.1.el5_10.s390.rpm
java-1.7.0-ibm-src-1.7.0.6.1-1jpp.1.el5_10.s390x.rpm

x86_64:
java-1.7.0-ibm-1.7.0.6.1-1jpp.1.el5_10.i386.rpm
java-1.7.0-ibm-1.7.0.6.1-1jpp.1.el5_10.x86_64.rpm
java-1.7.0-ibm-demo-1.7.0.6.1-1jpp.1.el5_10.i386.rpm
java-1.7.0-ibm-demo-1.7.0.6.1-1jpp.1.el5_10.x86_64.rpm
java-1.7.0-ibm-devel-1.7.0.6.1-1jpp.1.el5_10.i386.rpm
java-1.7.0-ibm-devel-1.7.0.6.1-1jpp.1.el5_10.x86_64.rpm
java-1.7.0-ibm-jdbc-1.7.0.6.1-1jpp.1.el5_10.i386.rpm
java-1.7.0-ibm-jdbc-1.7.0.6.1-1jpp.1.el5_10.x86_64.rpm
java-1.7.0-ibm-plugin-1.7.0.6.1-1jpp.1.el5_10.i386.rpm
java-1.7.0-ibm-plugin-1.7.0.6.1-1jpp.1.el5_10.x86_64.rpm
java-1.7.0-ibm-src-1.7.0.6.1-1jpp.1.el5_10.i386.rpm
java-1.7.0-ibm-src-1.7.0.6.1-1jpp.1.el5_10.x86_64.rpm

Red Hat Enterprise Linux Desktop Supplementary (v. 6):

i386:
java-1.7.0-ibm-1.7.0.6.1-1jpp.1.el6_5.i686.rpm
java-1.7.0-ibm-demo-1.7.0.6.1-1jpp.1.el6_5.i686.rpm
java-1.7.0-ibm-devel-1.7.0.6.1-1jpp.1.el6_5.i686.rpm
java-1.7.0-ibm-jdbc-1.7.0.6.1-1jpp.1.el6_5.i686.rpm
java-1.7.0-ibm-plugin-1.7.0.6.1-1jpp.1.el6_5.i686.rpm
java-1.7.0-ibm-src-1.7.0.6.1-1jpp.1.el6_5.i686.rpm

x86_64:
java-1.7.0-ibm-1.7.0.6.1-1jpp.1.el6_5.x86_64.rpm
java-1.7.0-ibm-demo-1.7.0.6.1-1jpp.1.el6_5.x86_64.rpm
java-1.7.0-ibm-devel-1.7.0.6.1-1jpp.1.el6_5.x86_64.rpm
java-1.7.0-ibm-jdbc-1.7.0.6.1-1jpp.1.el6_5.x86_64.rpm
java-1.7.0-ibm-plugin-1.7.0.6.1-1jpp.1.el6_5.x86_64.rpm
java-1.7.0-ibm-src-1.7.0.6.1-1jpp.1.el6_5.x86_64.rpm

Red Hat Enterprise Linux HPC Node Supplementary (v. 6):

x86_64:
java-1.7.0-ibm-1.7.0.6.1-1jpp.1.el6_5.x86_64.rpm
java-1.7.0-ibm-demo-1.7.0.6.1-1jpp.1.el6_5.x86_64.rpm
java-1.7.0-ibm-devel-1.7.0.6.1-1jpp.1.el6_5.x86_64.rpm
java-1.7.0-ibm-src-1.7.0.6.1-1jpp.1.el6_5.x86_64.rpm

Red Hat Enterprise Linux Server Supplementary (v. 6):

i386:
java-1.7.0-ibm-1.7.0.6.1-1jpp.1.el6_5.i686.rpm
java-1.7.0-ibm-demo-1.7.0.6.1-1jpp.1.el6_5.i686.rpm
java-1.7.0-ibm-devel-1.7.0.6.1-1jpp.1.el6_5.i686.rpm
java-1.7.0-ibm-jdbc-1.7.0.6.1-1jpp.1.el6_5.i686.rpm
java-1.7.0-ibm-plugin-1.7.0.6.1-1jpp.1.el6_5.i686.rpm
java-1.7.0-ibm-src-1.7.0.6.1-1jpp.1.el6_5.i686.rpm

ppc64:
java-1.7.0-ibm-1.7.0.6.1-1jpp.1.el6_5.ppc64.rpm
java-1.7.0-ibm-demo-1.7.0.6.1-1jpp.1.el6_5.ppc64.rpm
java-1.7.0-ibm-devel-1.7.0.6.1-1jpp.1.el6_5.ppc64.rpm
java-1.7.0-ibm-jdbc-1.7.0.6.1-1jpp.1.el6_5.ppc64.rpm
java-1.7.0-ibm-src-1.7.0.6.1-1jpp.1.el6_5.ppc64.rpm

s390x:
java-1.7.0-ibm-1.7.0.6.1-1jpp.1.el6_5.s390x.rpm
java-1.7.0-ibm-demo-1.7.0.6.1-1jpp.1.el6_5.s390x.rpm
java-1.7.0-ibm-devel-1.7.0.6.1-1jpp.1.el6_5.s390x.rpm
java-1.7.0-ibm-jdbc-1.7.0.6.1-1jpp.1.el6_5.s390x.rpm
java-1.7.0-ibm-src-1.7.0.6.1-1jpp.1.el6_5.s390x.rpm

x86_64:
java-1.7.0-ibm-1.7.0.6.1-1jpp.1.el6_5.x86_64.rpm
java-1.7.0-ibm-demo-1.7.0.6.1-1jpp.1.el6_5.x86_64.rpm
java-1.7.0-ibm-devel-1.7.0.6.1-1jpp.1.el6_5.x86_64.rpm
java-1.7.0-ibm-jdbc-1.7.0.6.1-1jpp.1.el6_5.x86_64.rpm
java-1.7.0-ibm-plugin-1.7.0.6.1-1jpp.1.el6_5.x86_64.rpm
java-1.7.0-ibm-src-1.7.0.6.1-1jpp.1.el6_5.x86_64.rpm

Red Hat Enterprise Linux Workstation Supplementary (v. 6):

i386:
java-1.7.0-ibm-1.7.0.6.1-1jpp.1.el6_5.i686.rpm
java-1.7.0-ibm-demo-1.7.0.6.1-1jpp.1.el6_5.i686.rpm
java-1.7.0-ibm-devel-1.7.0.6.1-1jpp.1.el6_5.i686.rpm
java-1.7.0-ibm-jdbc-1.7.0.6.1-1jpp.1.el6_5.i686.rpm
java-1.7.0-ibm-plugin-1.7.0.6.1-1jpp.1.el6_5.i686.rpm
java-1.7.0-ibm-src-1.7.0.6.1-1jpp.1.el6_5.i686.rpm

x86_64:
java-1.7.0-ibm-1.7.0.6.1-1jpp.1.el6_5.x86_64.rpm
java-1.7.0-ibm-demo-1.7.0.6.1-1jpp.1.el6_5.x86_64.rpm
java-1.7.0-ibm-devel-1.7.0.6.1-1jpp.1.el6_5.x86_64.rpm
java-1.7.0-ibm-jdbc-1.7.0.6.1-1jpp.1.el6_5.x86_64.rpm
java-1.7.0-ibm-plugin-1.7.0.6.1-1jpp.1.el6_5.x86_64.rpm
java-1.7.0-ibm-src-1.7.0.6.1-1jpp.1.el6_5.x86_64.rpm

These packages are GPG signed by Red Hat for security.
Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-5878.html
https://www.redhat.com/security/data/cve/CVE-2013-5884.html
https://www.redhat.com/security/data/cve/CVE-2013-5887.html
https://www.redhat.com/security/data/cve/CVE-2013-5888.html
https://www.redhat.com/security/data/cve/CVE-2013-5889.html
https://www.redhat.com/security/data/cve/CVE-2013-5896.html
https://www.redhat.com/security/data/cve/CVE-2013-5898.html
https://www.redhat.com/security/data/cve/CVE-2013-5899.html
https://www.redhat.com/security/data/cve/CVE-2013-5907.html
https://www.redhat.com/security/data/cve/CVE-2013-5910.html
https://www.redhat.com/security/data/cve/CVE-2014-0368.html
https://www.redhat.com/security/data/cve/CVE-2014-0373.html
https://www.redhat.com/security/data/cve/CVE-2014-0375.html
https://www.redhat.com/security/data/cve/CVE-2014-0376.html
https://www.redhat.com/security/data/cve/CVE-2014-0387.html
https://www.redhat.com/security/data/cve/CVE-2014-0403.html
https://www.redhat.com/security/data/cve/CVE-2014-0410.html
https://www.redhat.com/security/data/cve/CVE-2014-0411.html
https://www.redhat.com/security/data/cve/CVE-2014-0415.html
https://www.redhat.com/security/data/cve/CVE-2014-0416.html
https://www.redhat.com/security/data/cve/CVE-2014-0417.html
https://www.redhat.com/security/data/cve/CVE-2014-0422.html
https://www.redhat.com/security/data/cve/CVE-2014-0423.html
https://www.redhat.com/security/data/cve/CVE-2014-0424.html
https://www.redhat.com/security/data/cve/CVE-2014-0428.html
https://access.redhat.com/security/updates/classification/#critical
https://www.ibm.com/developerworks/java/jdk/alerts/

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFS8U3fXlSAg2UNWIIRAr5cAJ9s3BxMCGbANClAwz7++hDYvCcHAgCfVYcC
y4JqdYZc6qEwNgOalK4QVjU=
=zUG7
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Tue Feb 4 20:33:11 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 4 Feb 2014 20:33:11 +0000
Subject: [RHSA-2014:0135-01] Critical: java-1.6.0-ibm security update
Message-ID: <201402042033.s14KXBGh020436@int-mx12.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Critical: java-1.6.0-ibm security update
Advisory ID: RHSA-2014:0135-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-0135.html
Issue date: 2014-02-04
CVE Names: CVE-2013-5878 CVE-2013-5884 CVE-2013-5887 CVE-2013-5888 CVE-2013-5889 CVE-2013-5896 CVE-2013-5898 CVE-2013-5899 CVE-2013-5907 CVE-2013-5910 CVE-2014-0368 CVE-2014-0373 CVE-2014-0375 CVE-2014-0376 CVE-2014-0387 CVE-2014-0403 CVE-2014-0410 CVE-2014-0411 CVE-2014-0415 CVE-2014-0416 CVE-2014-0417 CVE-2014-0422 CVE-2014-0423 CVE-2014-0424 CVE-2014-0428
=====================================================================

1. Summary:

Updated java-1.6.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary.

The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node Supplementary (v. 6) - x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, ppc, s390x, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64

3. Description:

IBM Java SE version 6 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.

This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page, listed in the References section. (CVE-2013-5878, CVE-2013-5884, CVE-2013-5887, CVE-2013-5888, CVE-2013-5889, CVE-2013-5896, CVE-2013-5898, CVE-2013-5899, CVE-2013-5907, CVE-2013-5910, CVE-2014-0368, CVE-2014-0373, CVE-2014-0375, CVE-2014-0376, CVE-2014-0387, CVE-2014-0403, CVE-2014-0410, CVE-2014-0411, CVE-2014-0415, CVE-2014-0416, CVE-2014-0417, CVE-2014-0422, CVE-2014-0423, CVE-2014-0424, CVE-2014-0428)

All users of java-1.6.0-ibm are advised to upgrade to these updated packages, containing the IBM Java SE 6 SR15-FP1 release. All running instances of IBM Java must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1051519 - CVE-2014-0428 OpenJDK: insufficient security checks in IIOP streams (CORBA, 8025767)
1051528 - CVE-2014-0422 OpenJDK: insufficient package access checks in the Naming component (JNDI, 8025758)
1051699 - CVE-2014-0373 OpenJDK: SnmpStatusException handling issues (Serviceability, 7068126)
1051823 - CVE-2013-5878 OpenJDK: null xmlns handling issue (Security, 8025026)
1051911 - CVE-2013-5884 OpenJDK: insufficient security checks in CORBA stub factories (CORBA, 8026193)
1051912 - CVE-2014-0416 OpenJDK: insecure subject principals set handling (JAAS, 8024306)
1051923 - CVE-2014-0376 OpenJDK: document builder missing security checks (JAXP, 8027201, 8025018)
1052915 - CVE-2013-5907 ICU: Layout Engine LookupProcessor insufficient input checks (JDK 2D, 8025034)
1052919 - CVE-2014-0368 OpenJDK: insufficient Socket checkListen checks (Networking, 8011786)
1052942 - CVE-2013-5910 OpenJDK: XML canonicalizer mutable strings passed to untrusted code (Security, 8026417)
1053010 - CVE-2014-0411 OpenJDK: TLS/SSL handshake timing issues (JSSE, 8023069)
1053066 - CVE-2014-0423 OpenJDK: XXE issue in decoder (Beans, 8023245)
1053266 - CVE-2013-5896 OpenJDK: com.sun.corba.se. should be restricted package (CORBA, 8025022)
1053495 - CVE-2014-0410 Oracle JDK: unspecified vulnerability fixed in 6u71 and 7u51 (Deployment)
1053496 - CVE-2014-0415 Oracle JDK: unspecified vulnerability fixed in 6u71 and 7u51 (Deployment)
1053499 - CVE-2013-5889 Oracle JDK: unspecified vulnerability fixed in 6u71 and 7u51 (Deployment)
1053501 - CVE-2014-0417 Oracle JDK: unspecified vulnerability fixed in 5.0u71, 6u71 and 7u51 (2D)
1053502 - CVE-2014-0387 Oracle JDK: unspecified vulnerability fixed in 6u71 and 7u51 (Deployment)
1053504 - CVE-2014-0424 Oracle JDK: unspecified vulnerability fixed in 6u71 and 7u51 (Deployment)
1053507 - CVE-2014-0403 Oracle JDK: unspecified vulnerability fixed in 6u71 and 7u51 (Deployment)
1053508 - CVE-2014-0375 Oracle JDK: unspecified vulnerability fixed in 6u71 and 7u51 (Deployment)
1053515 - CVE-2013-5887 Oracle JDK: unspecified vulnerability fixed in 6u71 and 7u51 (Deployment)
1053516 - CVE-2013-5899 Oracle JDK: unspecified vulnerability fixed in 6u71 and 7u51 (Deployment)
1053517 - CVE-2013-5888 Oracle JDK: unspecified vulnerability fixed in 6u71 and 7u51 (Deployment)
1053518 - CVE-2013-5898 Oracle JDK: unspecified vulnerability fixed in 6u71 and 7u51 (Deployment)

6. Package List:

Red Hat Enterprise Linux Desktop Supplementary (v. 5):

i386:
java-1.6.0-ibm-1.6.0.15.1-1jpp.1.el5_10.i386.rpm
java-1.6.0-ibm-accessibility-1.6.0.15.1-1jpp.1.el5_10.i386.rpm
java-1.6.0-ibm-demo-1.6.0.15.1-1jpp.1.el5_10.i386.rpm
java-1.6.0-ibm-devel-1.6.0.15.1-1jpp.1.el5_10.i386.rpm
java-1.6.0-ibm-javacomm-1.6.0.15.1-1jpp.1.el5_10.i386.rpm
java-1.6.0-ibm-jdbc-1.6.0.15.1-1jpp.1.el5_10.i386.rpm
java-1.6.0-ibm-plugin-1.6.0.15.1-1jpp.1.el5_10.i386.rpm
java-1.6.0-ibm-src-1.6.0.15.1-1jpp.1.el5_10.i386.rpm

x86_64:
java-1.6.0-ibm-1.6.0.15.1-1jpp.1.el5_10.i386.rpm
java-1.6.0-ibm-1.6.0.15.1-1jpp.1.el5_10.x86_64.rpm
java-1.6.0-ibm-accessibility-1.6.0.15.1-1jpp.1.el5_10.x86_64.rpm
java-1.6.0-ibm-demo-1.6.0.15.1-1jpp.1.el5_10.i386.rpm
java-1.6.0-ibm-demo-1.6.0.15.1-1jpp.1.el5_10.x86_64.rpm
java-1.6.0-ibm-devel-1.6.0.15.1-1jpp.1.el5_10.i386.rpm
java-1.6.0-ibm-devel-1.6.0.15.1-1jpp.1.el5_10.x86_64.rpm
java-1.6.0-ibm-javacomm-1.6.0.15.1-1jpp.1.el5_10.i386.rpm
java-1.6.0-ibm-javacomm-1.6.0.15.1-1jpp.1.el5_10.x86_64.rpm
java-1.6.0-ibm-jdbc-1.6.0.15.1-1jpp.1.el5_10.i386.rpm
java-1.6.0-ibm-jdbc-1.6.0.15.1-1jpp.1.el5_10.x86_64.rpm
java-1.6.0-ibm-plugin-1.6.0.15.1-1jpp.1.el5_10.i386.rpm
java-1.6.0-ibm-plugin-1.6.0.15.1-1jpp.1.el5_10.x86_64.rpm
java-1.6.0-ibm-src-1.6.0.15.1-1jpp.1.el5_10.i386.rpm
java-1.6.0-ibm-src-1.6.0.15.1-1jpp.1.el5_10.x86_64.rpm

Red Hat Enterprise Linux Server Supplementary (v. 5):

i386:
java-1.6.0-ibm-1.6.0.15.1-1jpp.1.el5_10.i386.rpm
java-1.6.0-ibm-accessibility-1.6.0.15.1-1jpp.1.el5_10.i386.rpm
java-1.6.0-ibm-demo-1.6.0.15.1-1jpp.1.el5_10.i386.rpm
java-1.6.0-ibm-devel-1.6.0.15.1-1jpp.1.el5_10.i386.rpm
java-1.6.0-ibm-javacomm-1.6.0.15.1-1jpp.1.el5_10.i386.rpm
java-1.6.0-ibm-jdbc-1.6.0.15.1-1jpp.1.el5_10.i386.rpm
java-1.6.0-ibm-plugin-1.6.0.15.1-1jpp.1.el5_10.i386.rpm
java-1.6.0-ibm-src-1.6.0.15.1-1jpp.1.el5_10.i386.rpm

ppc:
java-1.6.0-ibm-1.6.0.15.1-1jpp.1.el5_10.ppc.rpm
java-1.6.0-ibm-1.6.0.15.1-1jpp.1.el5_10.ppc64.rpm
java-1.6.0-ibm-accessibility-1.6.0.15.1-1jpp.1.el5_10.ppc.rpm
java-1.6.0-ibm-demo-1.6.0.15.1-1jpp.1.el5_10.ppc.rpm
java-1.6.0-ibm-demo-1.6.0.15.1-1jpp.1.el5_10.ppc64.rpm
java-1.6.0-ibm-devel-1.6.0.15.1-1jpp.1.el5_10.ppc.rpm
java-1.6.0-ibm-devel-1.6.0.15.1-1jpp.1.el5_10.ppc64.rpm
java-1.6.0-ibm-javacomm-1.6.0.15.1-1jpp.1.el5_10.ppc.rpm
java-1.6.0-ibm-javacomm-1.6.0.15.1-1jpp.1.el5_10.ppc64.rpm
java-1.6.0-ibm-jdbc-1.6.0.15.1-1jpp.1.el5_10.ppc.rpm
java-1.6.0-ibm-jdbc-1.6.0.15.1-1jpp.1.el5_10.ppc64.rpm
java-1.6.0-ibm-plugin-1.6.0.15.1-1jpp.1.el5_10.ppc.rpm
java-1.6.0-ibm-src-1.6.0.15.1-1jpp.1.el5_10.ppc.rpm
java-1.6.0-ibm-src-1.6.0.15.1-1jpp.1.el5_10.ppc64.rpm

s390x:
java-1.6.0-ibm-1.6.0.15.1-1jpp.1.el5_10.s390.rpm
java-1.6.0-ibm-1.6.0.15.1-1jpp.1.el5_10.s390x.rpm
java-1.6.0-ibm-accessibility-1.6.0.15.1-1jpp.1.el5_10.s390x.rpm
java-1.6.0-ibm-demo-1.6.0.15.1-1jpp.1.el5_10.s390.rpm
java-1.6.0-ibm-demo-1.6.0.15.1-1jpp.1.el5_10.s390x.rpm
java-1.6.0-ibm-devel-1.6.0.15.1-1jpp.1.el5_10.s390.rpm
java-1.6.0-ibm-devel-1.6.0.15.1-1jpp.1.el5_10.s390x.rpm
java-1.6.0-ibm-jdbc-1.6.0.15.1-1jpp.1.el5_10.s390.rpm
java-1.6.0-ibm-jdbc-1.6.0.15.1-1jpp.1.el5_10.s390x.rpm
java-1.6.0-ibm-src-1.6.0.15.1-1jpp.1.el5_10.s390.rpm
java-1.6.0-ibm-src-1.6.0.15.1-1jpp.1.el5_10.s390x.rpm

x86_64:
java-1.6.0-ibm-1.6.0.15.1-1jpp.1.el5_10.i386.rpm
java-1.6.0-ibm-1.6.0.15.1-1jpp.1.el5_10.x86_64.rpm
java-1.6.0-ibm-accessibility-1.6.0.15.1-1jpp.1.el5_10.x86_64.rpm
java-1.6.0-ibm-demo-1.6.0.15.1-1jpp.1.el5_10.i386.rpm
java-1.6.0-ibm-demo-1.6.0.15.1-1jpp.1.el5_10.x86_64.rpm
java-1.6.0-ibm-devel-1.6.0.15.1-1jpp.1.el5_10.i386.rpm
java-1.6.0-ibm-devel-1.6.0.15.1-1jpp.1.el5_10.x86_64.rpm
java-1.6.0-ibm-javacomm-1.6.0.15.1-1jpp.1.el5_10.i386.rpm
java-1.6.0-ibm-javacomm-1.6.0.15.1-1jpp.1.el5_10.x86_64.rpm
java-1.6.0-ibm-jdbc-1.6.0.15.1-1jpp.1.el5_10.i386.rpm
java-1.6.0-ibm-jdbc-1.6.0.15.1-1jpp.1.el5_10.x86_64.rpm
java-1.6.0-ibm-plugin-1.6.0.15.1-1jpp.1.el5_10.i386.rpm
java-1.6.0-ibm-plugin-1.6.0.15.1-1jpp.1.el5_10.x86_64.rpm
java-1.6.0-ibm-src-1.6.0.15.1-1jpp.1.el5_10.i386.rpm
java-1.6.0-ibm-src-1.6.0.15.1-1jpp.1.el5_10.x86_64.rpm

Red Hat Enterprise Linux Desktop Supplementary (v. 6):

i386:
java-1.6.0-ibm-1.6.0.15.1-1jpp.1.el6_5.i686.rpm
java-1.6.0-ibm-demo-1.6.0.15.1-1jpp.1.el6_5.i686.rpm
java-1.6.0-ibm-devel-1.6.0.15.1-1jpp.1.el6_5.i686.rpm
java-1.6.0-ibm-javacomm-1.6.0.15.1-1jpp.1.el6_5.i686.rpm
java-1.6.0-ibm-jdbc-1.6.0.15.1-1jpp.1.el6_5.i686.rpm
java-1.6.0-ibm-plugin-1.6.0.15.1-1jpp.1.el6_5.i686.rpm
java-1.6.0-ibm-src-1.6.0.15.1-1jpp.1.el6_5.i686.rpm

x86_64:
java-1.6.0-ibm-1.6.0.15.1-1jpp.1.el6_5.x86_64.rpm
java-1.6.0-ibm-demo-1.6.0.15.1-1jpp.1.el6_5.x86_64.rpm
java-1.6.0-ibm-devel-1.6.0.15.1-1jpp.1.el6_5.i686.rpm
java-1.6.0-ibm-devel-1.6.0.15.1-1jpp.1.el6_5.x86_64.rpm
java-1.6.0-ibm-javacomm-1.6.0.15.1-1jpp.1.el6_5.x86_64.rpm
java-1.6.0-ibm-jdbc-1.6.0.15.1-1jpp.1.el6_5.x86_64.rpm
java-1.6.0-ibm-plugin-1.6.0.15.1-1jpp.1.el6_5.x86_64.rpm
java-1.6.0-ibm-src-1.6.0.15.1-1jpp.1.el6_5.x86_64.rpm

Red Hat Enterprise Linux HPC Node Supplementary (v. 6):

x86_64:
java-1.6.0-ibm-1.6.0.15.1-1jpp.1.el6_5.x86_64.rpm
java-1.6.0-ibm-demo-1.6.0.15.1-1jpp.1.el6_5.x86_64.rpm
java-1.6.0-ibm-devel-1.6.0.15.1-1jpp.1.el6_5.i686.rpm
java-1.6.0-ibm-devel-1.6.0.15.1-1jpp.1.el6_5.x86_64.rpm
java-1.6.0-ibm-javacomm-1.6.0.15.1-1jpp.1.el6_5.x86_64.rpm
java-1.6.0-ibm-src-1.6.0.15.1-1jpp.1.el6_5.x86_64.rpm

Red Hat Enterprise Linux Server Supplementary (v. 6):

i386:
java-1.6.0-ibm-1.6.0.15.1-1jpp.1.el6_5.i686.rpm
java-1.6.0-ibm-demo-1.6.0.15.1-1jpp.1.el6_5.i686.rpm
java-1.6.0-ibm-devel-1.6.0.15.1-1jpp.1.el6_5.i686.rpm
java-1.6.0-ibm-javacomm-1.6.0.15.1-1jpp.1.el6_5.i686.rpm
java-1.6.0-ibm-jdbc-1.6.0.15.1-1jpp.1.el6_5.i686.rpm
java-1.6.0-ibm-plugin-1.6.0.15.1-1jpp.1.el6_5.i686.rpm
java-1.6.0-ibm-src-1.6.0.15.1-1jpp.1.el6_5.i686.rpm

ppc64:
java-1.6.0-ibm-1.6.0.15.1-1jpp.1.el6_5.ppc64.rpm
java-1.6.0-ibm-demo-1.6.0.15.1-1jpp.1.el6_5.ppc64.rpm
java-1.6.0-ibm-devel-1.6.0.15.1-1jpp.1.el6_5.ppc.rpm
java-1.6.0-ibm-devel-1.6.0.15.1-1jpp.1.el6_5.ppc64.rpm
java-1.6.0-ibm-javacomm-1.6.0.15.1-1jpp.1.el6_5.ppc64.rpm
java-1.6.0-ibm-jdbc-1.6.0.15.1-1jpp.1.el6_5.ppc64.rpm
java-1.6.0-ibm-src-1.6.0.15.1-1jpp.1.el6_5.ppc64.rpm

s390x:
java-1.6.0-ibm-1.6.0.15.1-1jpp.1.el6_5.s390x.rpm
java-1.6.0-ibm-demo-1.6.0.15.1-1jpp.1.el6_5.s390x.rpm
java-1.6.0-ibm-devel-1.6.0.15.1-1jpp.1.el6_5.s390.rpm
java-1.6.0-ibm-devel-1.6.0.15.1-1jpp.1.el6_5.s390x.rpm
java-1.6.0-ibm-jdbc-1.6.0.15.1-1jpp.1.el6_5.s390x.rpm
java-1.6.0-ibm-src-1.6.0.15.1-1jpp.1.el6_5.s390x.rpm

x86_64:
java-1.6.0-ibm-1.6.0.15.1-1jpp.1.el6_5.x86_64.rpm
java-1.6.0-ibm-demo-1.6.0.15.1-1jpp.1.el6_5.x86_64.rpm
java-1.6.0-ibm-devel-1.6.0.15.1-1jpp.1.el6_5.i686.rpm
java-1.6.0-ibm-devel-1.6.0.15.1-1jpp.1.el6_5.x86_64.rpm
java-1.6.0-ibm-javacomm-1.6.0.15.1-1jpp.1.el6_5.x86_64.rpm
java-1.6.0-ibm-jdbc-1.6.0.15.1-1jpp.1.el6_5.x86_64.rpm
java-1.6.0-ibm-plugin-1.6.0.15.1-1jpp.1.el6_5.x86_64.rpm
java-1.6.0-ibm-src-1.6.0.15.1-1jpp.1.el6_5.x86_64.rpm

Red Hat Enterprise Linux Workstation Supplementary (v. 6):

i386:
java-1.6.0-ibm-1.6.0.15.1-1jpp.1.el6_5.i686.rpm
java-1.6.0-ibm-demo-1.6.0.15.1-1jpp.1.el6_5.i686.rpm
java-1.6.0-ibm-devel-1.6.0.15.1-1jpp.1.el6_5.i686.rpm
java-1.6.0-ibm-javacomm-1.6.0.15.1-1jpp.1.el6_5.i686.rpm
java-1.6.0-ibm-jdbc-1.6.0.15.1-1jpp.1.el6_5.i686.rpm
java-1.6.0-ibm-plugin-1.6.0.15.1-1jpp.1.el6_5.i686.rpm
java-1.6.0-ibm-src-1.6.0.15.1-1jpp.1.el6_5.i686.rpm

x86_64:
java-1.6.0-ibm-1.6.0.15.1-1jpp.1.el6_5.x86_64.rpm
java-1.6.0-ibm-demo-1.6.0.15.1-1jpp.1.el6_5.x86_64.rpm
java-1.6.0-ibm-devel-1.6.0.15.1-1jpp.1.el6_5.i686.rpm
java-1.6.0-ibm-devel-1.6.0.15.1-1jpp.1.el6_5.x86_64.rpm
java-1.6.0-ibm-javacomm-1.6.0.15.1-1jpp.1.el6_5.x86_64.rpm
java-1.6.0-ibm-jdbc-1.6.0.15.1-1jpp.1.el6_5.x86_64.rpm
java-1.6.0-ibm-plugin-1.6.0.15.1-1jpp.1.el6_5.x86_64.rpm
java-1.6.0-ibm-src-1.6.0.15.1-1jpp.1.el6_5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7.
References:

https://www.redhat.com/security/data/cve/CVE-2013-5878.html
https://www.redhat.com/security/data/cve/CVE-2013-5884.html
https://www.redhat.com/security/data/cve/CVE-2013-5887.html
https://www.redhat.com/security/data/cve/CVE-2013-5888.html
https://www.redhat.com/security/data/cve/CVE-2013-5889.html
https://www.redhat.com/security/data/cve/CVE-2013-5896.html
https://www.redhat.com/security/data/cve/CVE-2013-5898.html
https://www.redhat.com/security/data/cve/CVE-2013-5899.html
https://www.redhat.com/security/data/cve/CVE-2013-5907.html
https://www.redhat.com/security/data/cve/CVE-2013-5910.html
https://www.redhat.com/security/data/cve/CVE-2014-0368.html
https://www.redhat.com/security/data/cve/CVE-2014-0373.html
https://www.redhat.com/security/data/cve/CVE-2014-0375.html
https://www.redhat.com/security/data/cve/CVE-2014-0376.html
https://www.redhat.com/security/data/cve/CVE-2014-0387.html
https://www.redhat.com/security/data/cve/CVE-2014-0403.html
https://www.redhat.com/security/data/cve/CVE-2014-0410.html
https://www.redhat.com/security/data/cve/CVE-2014-0411.html
https://www.redhat.com/security/data/cve/CVE-2014-0415.html
https://www.redhat.com/security/data/cve/CVE-2014-0416.html
https://www.redhat.com/security/data/cve/CVE-2014-0417.html
https://www.redhat.com/security/data/cve/CVE-2014-0422.html
https://www.redhat.com/security/data/cve/CVE-2014-0423.html
https://www.redhat.com/security/data/cve/CVE-2014-0424.html
https://www.redhat.com/security/data/cve/CVE-2014-0428.html
https://access.redhat.com/security/updates/classification/#critical
https://www.ibm.com/developerworks/java/jdk/alerts/

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFS8U5sXlSAg2UNWIIRAg8CAJ9eviliJQ9lN8sF7IVmsHJKYfhlaACeIalp
n3PcqDu094Z7Ibw7WpP7Tls=
=gcce
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Tue Feb 4 20:34:35 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 4 Feb 2014 20:34:35 +0000
Subject: [RHSA-2014:0136-01] Important: java-1.5.0-ibm security update
Message-ID: <201402042034.s14KYaWP022615@int-mx11.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: java-1.5.0-ibm security update
Advisory ID:       RHSA-2014:0136-01
Product:           Red Hat Enterprise Linux Supplementary
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0136.html
Issue date:        2014-02-04
CVE Names:         CVE-2013-5907 CVE-2014-0368 CVE-2014-0373
                   CVE-2014-0376 CVE-2014-0411 CVE-2014-0416
                   CVE-2014-0417 CVE-2014-0422 CVE-2014-0423
                   CVE-2014-0428
=====================================================================

1. Summary:

Updated java-1.5.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node Supplementary (v. 6) - x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, ppc, s390x, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64

3. Description:

IBM J2SE version 5.0 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.

This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page, listed in the References section. (CVE-2013-5907, CVE-2014-0368, CVE-2014-0373, CVE-2014-0376, CVE-2014-0411, CVE-2014-0416, CVE-2014-0417, CVE-2014-0422, CVE-2014-0423, CVE-2014-0428)

All users of java-1.5.0-ibm are advised to upgrade to these updated packages, containing the IBM J2SE 5.0 SR16-FP5 release. All running instances of IBM Java must be restarted for this update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1051519 - CVE-2014-0428 OpenJDK: insufficient security checks in IIOP streams (CORBA, 8025767)
1051528 - CVE-2014-0422 OpenJDK: insufficient package access checks in the Naming component (JNDI, 8025758)
1051699 - CVE-2014-0373 OpenJDK: SnmpStatusException handling issues (Serviceability, 7068126)
1051912 - CVE-2014-0416 OpenJDK: insecure subject principals set handling (JAAS, 8024306)
1051923 - CVE-2014-0376 OpenJDK: document builder missing security checks (JAXP, 8027201, 8025018)
1052915 - CVE-2013-5907 ICU: Layout Engine LookupProcessor insufficient input checks (JDK 2D, 8025034)
1052919 - CVE-2014-0368 OpenJDK: insufficient Socket checkListen checks (Networking, 8011786)
1053010 - CVE-2014-0411 OpenJDK: TLS/SSL handshake timing issues (JSSE, 8023069)
1053066 - CVE-2014-0423 OpenJDK: XXE issue in decoder (Beans, 8023245)
1053501 - CVE-2014-0417 Oracle JDK: unspecified vulnerability fixed in 5.0u71, 6u71 and 7u51 (2D)

6. Package List:

Red Hat Enterprise Linux Desktop Supplementary (v. 5):

i386:
java-1.5.0-ibm-1.5.0.16.5-1jpp.1.el5_10.i386.rpm
java-1.5.0-ibm-accessibility-1.5.0.16.5-1jpp.1.el5_10.i386.rpm
java-1.5.0-ibm-demo-1.5.0.16.5-1jpp.1.el5_10.i386.rpm
java-1.5.0-ibm-devel-1.5.0.16.5-1jpp.1.el5_10.i386.rpm
java-1.5.0-ibm-javacomm-1.5.0.16.5-1jpp.1.el5_10.i386.rpm
java-1.5.0-ibm-jdbc-1.5.0.16.5-1jpp.1.el5_10.i386.rpm
java-1.5.0-ibm-plugin-1.5.0.16.5-1jpp.1.el5_10.i386.rpm
java-1.5.0-ibm-src-1.5.0.16.5-1jpp.1.el5_10.i386.rpm

x86_64:
java-1.5.0-ibm-1.5.0.16.5-1jpp.1.el5_10.i386.rpm
java-1.5.0-ibm-1.5.0.16.5-1jpp.1.el5_10.x86_64.rpm
java-1.5.0-ibm-accessibility-1.5.0.16.5-1jpp.1.el5_10.x86_64.rpm
java-1.5.0-ibm-demo-1.5.0.16.5-1jpp.1.el5_10.i386.rpm
java-1.5.0-ibm-demo-1.5.0.16.5-1jpp.1.el5_10.x86_64.rpm
java-1.5.0-ibm-devel-1.5.0.16.5-1jpp.1.el5_10.i386.rpm
java-1.5.0-ibm-devel-1.5.0.16.5-1jpp.1.el5_10.x86_64.rpm
java-1.5.0-ibm-javacomm-1.5.0.16.5-1jpp.1.el5_10.i386.rpm
java-1.5.0-ibm-javacomm-1.5.0.16.5-1jpp.1.el5_10.x86_64.rpm
java-1.5.0-ibm-jdbc-1.5.0.16.5-1jpp.1.el5_10.i386.rpm
java-1.5.0-ibm-plugin-1.5.0.16.5-1jpp.1.el5_10.i386.rpm
java-1.5.0-ibm-src-1.5.0.16.5-1jpp.1.el5_10.i386.rpm
java-1.5.0-ibm-src-1.5.0.16.5-1jpp.1.el5_10.x86_64.rpm

Red Hat Enterprise Linux Server Supplementary (v. 5):

i386:
java-1.5.0-ibm-1.5.0.16.5-1jpp.1.el5_10.i386.rpm
java-1.5.0-ibm-accessibility-1.5.0.16.5-1jpp.1.el5_10.i386.rpm
java-1.5.0-ibm-demo-1.5.0.16.5-1jpp.1.el5_10.i386.rpm
java-1.5.0-ibm-devel-1.5.0.16.5-1jpp.1.el5_10.i386.rpm
java-1.5.0-ibm-javacomm-1.5.0.16.5-1jpp.1.el5_10.i386.rpm
java-1.5.0-ibm-jdbc-1.5.0.16.5-1jpp.1.el5_10.i386.rpm
java-1.5.0-ibm-plugin-1.5.0.16.5-1jpp.1.el5_10.i386.rpm
java-1.5.0-ibm-src-1.5.0.16.5-1jpp.1.el5_10.i386.rpm

ppc:
java-1.5.0-ibm-1.5.0.16.5-1jpp.1.el5_10.ppc.rpm
java-1.5.0-ibm-1.5.0.16.5-1jpp.1.el5_10.ppc64.rpm
java-1.5.0-ibm-accessibility-1.5.0.16.5-1jpp.1.el5_10.ppc.rpm
java-1.5.0-ibm-demo-1.5.0.16.5-1jpp.1.el5_10.ppc.rpm
java-1.5.0-ibm-demo-1.5.0.16.5-1jpp.1.el5_10.ppc64.rpm
java-1.5.0-ibm-devel-1.5.0.16.5-1jpp.1.el5_10.ppc.rpm
java-1.5.0-ibm-devel-1.5.0.16.5-1jpp.1.el5_10.ppc64.rpm
java-1.5.0-ibm-javacomm-1.5.0.16.5-1jpp.1.el5_10.ppc.rpm
java-1.5.0-ibm-javacomm-1.5.0.16.5-1jpp.1.el5_10.ppc64.rpm
java-1.5.0-ibm-jdbc-1.5.0.16.5-1jpp.1.el5_10.ppc.rpm
java-1.5.0-ibm-plugin-1.5.0.16.5-1jpp.1.el5_10.ppc.rpm
java-1.5.0-ibm-src-1.5.0.16.5-1jpp.1.el5_10.ppc.rpm
java-1.5.0-ibm-src-1.5.0.16.5-1jpp.1.el5_10.ppc64.rpm

s390x:
java-1.5.0-ibm-1.5.0.16.5-1jpp.1.el5_10.s390.rpm
java-1.5.0-ibm-1.5.0.16.5-1jpp.1.el5_10.s390x.rpm
java-1.5.0-ibm-accessibility-1.5.0.16.5-1jpp.1.el5_10.s390x.rpm
java-1.5.0-ibm-demo-1.5.0.16.5-1jpp.1.el5_10.s390.rpm
java-1.5.0-ibm-demo-1.5.0.16.5-1jpp.1.el5_10.s390x.rpm
java-1.5.0-ibm-devel-1.5.0.16.5-1jpp.1.el5_10.s390.rpm
java-1.5.0-ibm-devel-1.5.0.16.5-1jpp.1.el5_10.s390x.rpm
java-1.5.0-ibm-jdbc-1.5.0.16.5-1jpp.1.el5_10.s390.rpm
java-1.5.0-ibm-src-1.5.0.16.5-1jpp.1.el5_10.s390.rpm
java-1.5.0-ibm-src-1.5.0.16.5-1jpp.1.el5_10.s390x.rpm

x86_64:
java-1.5.0-ibm-1.5.0.16.5-1jpp.1.el5_10.i386.rpm
java-1.5.0-ibm-1.5.0.16.5-1jpp.1.el5_10.x86_64.rpm
java-1.5.0-ibm-accessibility-1.5.0.16.5-1jpp.1.el5_10.x86_64.rpm
java-1.5.0-ibm-demo-1.5.0.16.5-1jpp.1.el5_10.i386.rpm
java-1.5.0-ibm-demo-1.5.0.16.5-1jpp.1.el5_10.x86_64.rpm
java-1.5.0-ibm-devel-1.5.0.16.5-1jpp.1.el5_10.i386.rpm
java-1.5.0-ibm-devel-1.5.0.16.5-1jpp.1.el5_10.x86_64.rpm
java-1.5.0-ibm-javacomm-1.5.0.16.5-1jpp.1.el5_10.i386.rpm
java-1.5.0-ibm-javacomm-1.5.0.16.5-1jpp.1.el5_10.x86_64.rpm
java-1.5.0-ibm-jdbc-1.5.0.16.5-1jpp.1.el5_10.i386.rpm
java-1.5.0-ibm-plugin-1.5.0.16.5-1jpp.1.el5_10.i386.rpm
java-1.5.0-ibm-src-1.5.0.16.5-1jpp.1.el5_10.i386.rpm
java-1.5.0-ibm-src-1.5.0.16.5-1jpp.1.el5_10.x86_64.rpm

Red Hat Enterprise Linux Desktop Supplementary (v. 6):

i386:
java-1.5.0-ibm-1.5.0.16.5-1jpp.1.el6_5.i686.rpm
java-1.5.0-ibm-demo-1.5.0.16.5-1jpp.1.el6_5.i686.rpm
java-1.5.0-ibm-devel-1.5.0.16.5-1jpp.1.el6_5.i686.rpm
java-1.5.0-ibm-javacomm-1.5.0.16.5-1jpp.1.el6_5.i686.rpm
java-1.5.0-ibm-jdbc-1.5.0.16.5-1jpp.1.el6_5.i686.rpm
java-1.5.0-ibm-plugin-1.5.0.16.5-1jpp.1.el6_5.i686.rpm
java-1.5.0-ibm-src-1.5.0.16.5-1jpp.1.el6_5.i686.rpm

x86_64:
java-1.5.0-ibm-1.5.0.16.5-1jpp.1.el6_5.x86_64.rpm
java-1.5.0-ibm-demo-1.5.0.16.5-1jpp.1.el6_5.x86_64.rpm
java-1.5.0-ibm-devel-1.5.0.16.5-1jpp.1.el6_5.i686.rpm
java-1.5.0-ibm-devel-1.5.0.16.5-1jpp.1.el6_5.x86_64.rpm
java-1.5.0-ibm-javacomm-1.5.0.16.5-1jpp.1.el6_5.x86_64.rpm
java-1.5.0-ibm-src-1.5.0.16.5-1jpp.1.el6_5.x86_64.rpm

Red Hat Enterprise Linux HPC Node Supplementary (v. 6):

x86_64:
java-1.5.0-ibm-1.5.0.16.5-1jpp.1.el6_5.x86_64.rpm
java-1.5.0-ibm-demo-1.5.0.16.5-1jpp.1.el6_5.x86_64.rpm
java-1.5.0-ibm-devel-1.5.0.16.5-1jpp.1.el6_5.i686.rpm
java-1.5.0-ibm-devel-1.5.0.16.5-1jpp.1.el6_5.x86_64.rpm
java-1.5.0-ibm-javacomm-1.5.0.16.5-1jpp.1.el6_5.x86_64.rpm
java-1.5.0-ibm-src-1.5.0.16.5-1jpp.1.el6_5.x86_64.rpm

Red Hat Enterprise Linux Server Supplementary (v. 6):

i386:
java-1.5.0-ibm-1.5.0.16.5-1jpp.1.el6_5.i686.rpm
java-1.5.0-ibm-demo-1.5.0.16.5-1jpp.1.el6_5.i686.rpm
java-1.5.0-ibm-devel-1.5.0.16.5-1jpp.1.el6_5.i686.rpm
java-1.5.0-ibm-javacomm-1.5.0.16.5-1jpp.1.el6_5.i686.rpm
java-1.5.0-ibm-jdbc-1.5.0.16.5-1jpp.1.el6_5.i686.rpm
java-1.5.0-ibm-plugin-1.5.0.16.5-1jpp.1.el6_5.i686.rpm
java-1.5.0-ibm-src-1.5.0.16.5-1jpp.1.el6_5.i686.rpm

ppc64:
java-1.5.0-ibm-1.5.0.16.5-1jpp.1.el6_5.ppc64.rpm
java-1.5.0-ibm-demo-1.5.0.16.5-1jpp.1.el6_5.ppc64.rpm
java-1.5.0-ibm-devel-1.5.0.16.5-1jpp.1.el6_5.ppc.rpm
java-1.5.0-ibm-devel-1.5.0.16.5-1jpp.1.el6_5.ppc64.rpm
java-1.5.0-ibm-javacomm-1.5.0.16.5-1jpp.1.el6_5.ppc64.rpm
java-1.5.0-ibm-jdbc-1.5.0.16.5-1jpp.1.el6_5.ppc.rpm
java-1.5.0-ibm-plugin-1.5.0.16.5-1jpp.1.el6_5.ppc.rpm
java-1.5.0-ibm-src-1.5.0.16.5-1jpp.1.el6_5.ppc64.rpm

s390x:
java-1.5.0-ibm-1.5.0.16.5-1jpp.1.el6_5.s390x.rpm
java-1.5.0-ibm-demo-1.5.0.16.5-1jpp.1.el6_5.s390x.rpm
java-1.5.0-ibm-devel-1.5.0.16.5-1jpp.1.el6_5.s390.rpm
java-1.5.0-ibm-devel-1.5.0.16.5-1jpp.1.el6_5.s390x.rpm
java-1.5.0-ibm-jdbc-1.5.0.16.5-1jpp.1.el6_5.s390.rpm
java-1.5.0-ibm-src-1.5.0.16.5-1jpp.1.el6_5.s390x.rpm

x86_64:
java-1.5.0-ibm-1.5.0.16.5-1jpp.1.el6_5.x86_64.rpm
java-1.5.0-ibm-demo-1.5.0.16.5-1jpp.1.el6_5.x86_64.rpm
java-1.5.0-ibm-devel-1.5.0.16.5-1jpp.1.el6_5.i686.rpm
java-1.5.0-ibm-devel-1.5.0.16.5-1jpp.1.el6_5.x86_64.rpm
java-1.5.0-ibm-javacomm-1.5.0.16.5-1jpp.1.el6_5.x86_64.rpm
java-1.5.0-ibm-src-1.5.0.16.5-1jpp.1.el6_5.x86_64.rpm

Red Hat Enterprise Linux Workstation Supplementary (v. 6):

i386:
java-1.5.0-ibm-1.5.0.16.5-1jpp.1.el6_5.i686.rpm
java-1.5.0-ibm-demo-1.5.0.16.5-1jpp.1.el6_5.i686.rpm
java-1.5.0-ibm-devel-1.5.0.16.5-1jpp.1.el6_5.i686.rpm
java-1.5.0-ibm-javacomm-1.5.0.16.5-1jpp.1.el6_5.i686.rpm
java-1.5.0-ibm-jdbc-1.5.0.16.5-1jpp.1.el6_5.i686.rpm
java-1.5.0-ibm-plugin-1.5.0.16.5-1jpp.1.el6_5.i686.rpm
java-1.5.0-ibm-src-1.5.0.16.5-1jpp.1.el6_5.i686.rpm

x86_64:
java-1.5.0-ibm-1.5.0.16.5-1jpp.1.el6_5.x86_64.rpm
java-1.5.0-ibm-demo-1.5.0.16.5-1jpp.1.el6_5.x86_64.rpm
java-1.5.0-ibm-devel-1.5.0.16.5-1jpp.1.el6_5.i686.rpm
java-1.5.0-ibm-devel-1.5.0.16.5-1jpp.1.el6_5.x86_64.rpm
java-1.5.0-ibm-javacomm-1.5.0.16.5-1jpp.1.el6_5.x86_64.rpm
java-1.5.0-ibm-src-1.5.0.16.5-1jpp.1.el6_5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-5907.html
https://www.redhat.com/security/data/cve/CVE-2014-0368.html
https://www.redhat.com/security/data/cve/CVE-2014-0373.html
https://www.redhat.com/security/data/cve/CVE-2014-0376.html
https://www.redhat.com/security/data/cve/CVE-2014-0411.html
https://www.redhat.com/security/data/cve/CVE-2014-0416.html
https://www.redhat.com/security/data/cve/CVE-2014-0417.html
https://www.redhat.com/security/data/cve/CVE-2014-0422.html
https://www.redhat.com/security/data/cve/CVE-2014-0423.html
https://www.redhat.com/security/data/cve/CVE-2014-0428.html
https://access.redhat.com/security/updates/classification/#important
https://www.ibm.com/developerworks/java/jdk/alerts/

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFS8U6eXlSAg2UNWIIRArJ+AJ9ikRhWWMbA/B75u5yFji9ANSXmZwCfU+5H
pkxWC/dm7snMoNYg1rv4py4=
=bpCr
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Feb 5 08:18:42 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 5 Feb 2014 08:18:42 +0000
Subject: [RHSA-2014:0137-01] Critical: flash-plugin security update
Message-ID: <201402050813.s158Dtn3025245@int-mx11.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: flash-plugin security update
Advisory ID:       RHSA-2014:0137-01
Product:           Red Hat Enterprise Linux Supplementary
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0137.html
Issue date:        2014-02-05
Updated on:        2014-02-04
CVE Names:         CVE-2014-0497
=====================================================================

1. Summary:

An updated Adobe Flash Player package that fixes one security issue is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.

The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64

3. Description:

The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in.

This update fixes one vulnerability in Adobe Flash Player. This vulnerability is detailed in the Adobe Security bulletin APSB14-04, listed in the References section.

Specially-crafted SWF content could cause flash-plugin to crash or, potentially, execute arbitrary code when a victim loads a page containing the malicious SWF content. (CVE-2014-0497)

All users of Adobe Flash Player should install this updated package, which upgrades Flash Player to version 11.2.202.336.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1061469 - CVE-2014-0497 flash-plugin: integer underflow flaw leads to arbitrary code execution (APSB14-04)

6. Package List:

Red Hat Enterprise Linux Desktop Supplementary (v. 5):

i386:
flash-plugin-11.2.202.336-1.el5.i386.rpm

x86_64:
flash-plugin-11.2.202.336-1.el5.i386.rpm

Red Hat Enterprise Linux Server Supplementary (v. 5):

i386:
flash-plugin-11.2.202.336-1.el5.i386.rpm

x86_64:
flash-plugin-11.2.202.336-1.el5.i386.rpm

Red Hat Enterprise Linux Desktop Supplementary (v. 6):

i386:
flash-plugin-11.2.202.336-1.el6.i686.rpm

x86_64:
flash-plugin-11.2.202.336-1.el6.i686.rpm

Red Hat Enterprise Linux Server Supplementary (v. 6):

i386:
flash-plugin-11.2.202.336-1.el6.i686.rpm

x86_64:
flash-plugin-11.2.202.336-1.el6.i686.rpm

Red Hat Enterprise Linux Workstation Supplementary (v. 6):

i386:
flash-plugin-11.2.202.336-1.el6.i686.rpm

x86_64:
flash-plugin-11.2.202.336-1.el6.i686.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2014-0497.html
https://access.redhat.com/security/updates/classification/#critical
http://helpx.adobe.com/security/products/flash-player/apsb14-04.html

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFS8fK3XlSAg2UNWIIRAn3HAJ9Dl9yTq8uwL1jZXpBhxpTOeSlNXACfcWWO
2pb3HgPGlwSq5PcZSe2neeg=
=KItO
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Feb 5 17:48:40 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 5 Feb 2014 17:48:40 +0000
Subject: [RHSA-2014:0139-01] Moderate: pidgin security update
Message-ID: <201402051748.s15HmfVt021101@int-mx10.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: pidgin security update
Advisory ID:       RHSA-2014:0139-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0139.html
Issue date:        2014-02-05
CVE Names:         CVE-2012-6152 CVE-2013-6477 CVE-2013-6478
                   CVE-2013-6479 CVE-2013-6481 CVE-2013-6482
                   CVE-2013-6483 CVE-2013-6484 CVE-2013-6485
                   CVE-2013-6487 CVE-2013-6489 CVE-2013-6490
                   CVE-2014-0020
=====================================================================

1. Summary:

Updated pidgin packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64

3. Description:

Pidgin is an instant messaging program which can log in to multiple accounts on multiple instant messaging networks simultaneously.

A heap-based buffer overflow flaw was found in the way Pidgin processed certain HTTP responses. A malicious server could send a specially crafted HTTP response, causing Pidgin to crash or potentially execute arbitrary code with the permissions of the user running Pidgin. (CVE-2013-6485)

Multiple heap-based buffer overflow flaws were found in several protocol plug-ins in Pidgin (Gadu-Gadu, MXit, SIMPLE). A malicious server could send a specially crafted message, causing Pidgin to crash or potentially execute arbitrary code with the permissions of the user running Pidgin. (CVE-2013-6487, CVE-2013-6489, CVE-2013-6490)

Multiple denial of service flaws were found in several protocol plug-ins in Pidgin (Yahoo!, XMPP, MSN, stun, IRC). A remote attacker could use these flaws to crash Pidgin by sending a specially crafted message. (CVE-2012-6152, CVE-2013-6477, CVE-2013-6481, CVE-2013-6482, CVE-2013-6484, CVE-2014-0020)

It was found that the Pidgin XMPP protocol plug-in did not verify the origin of "iq" replies. A remote attacker could use this flaw to spoof an "iq" reply, which could lead to injection of fake data or cause Pidgin to crash via a NULL pointer dereference. (CVE-2013-6483)

A flaw was found in the way Pidgin parsed certain HTTP response headers. A remote attacker could use this flaw to crash Pidgin via a specially crafted HTTP response header. (CVE-2013-6479)

It was found that Pidgin crashed when a mouse pointer was hovered over a long URL. A remote attacker could use this flaw to crash Pidgin by sending a message containing a long URL string. (CVE-2013-6478)

Red Hat would like to thank the Pidgin project for reporting these issues. Upstream acknowledges Thijs Alkemade, Robert Vehse, Jaime Breva Ribes, Jacob Appelbaum of the Tor Project, Daniel Atallah, Fabian Yamaguchi and Christian Wressnegger of the University of Goettingen, Matt Jones of Volvent, and Yves Younan, Ryan Pentney, and Pawel Janic of Sourcefire VRT as the original reporters of these issues.

All pidgin users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Pidgin must be restarted for this update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

5.
Bugs fixed (https://bugzilla.redhat.com/):

1056473 - CVE-2012-6152 pidgin: DoS when decoding non-UTF-8 strings in Yahoo protocol plugin
1056479 - CVE-2013-6477 pidgin: DoS when handling timestamps in the XMPP plugin
1056904 - CVE-2013-6478 pidgin: DoS when rendering long URLs
1056907 - CVE-2013-6479 pidgin: DoS when parsing certain HTTP response headers
1056908 - CVE-2013-6481 pidgin: DoS caused due to OOB read in Yahoo protocol plugin
1056913 - CVE-2013-6482 pidgin: DoS via multiple null pointer dereferences in MSN protocol plugin
1056978 - CVE-2013-6483 pidgin: Possible spoofing using iq replies in XMPP protocol plugin
1057481 - CVE-2013-6484 pidgin: DoS via specially-crafted stun messages
1057484 - CVE-2013-6485 pidgin: Heap-based buffer overflow when parsing chunked HTTP responses
1057489 - CVE-2013-6487 pidgin: Heap-based buffer overflow in Gadu-Gadu protocol plugin
1057490 - CVE-2013-6489 pidgin: Heap-based buffer overflow in MXit emoticon parsing
1057498 - CVE-2013-6490 pidgin: Heap-based buffer overflow in SIMPLE protocol plugin
1057502 - CVE-2014-0020 pidgin: DoS in IRC protocol plugin due to argument parsing

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/pidgin-2.6.6-32.el5.src.rpm

i386:
finch-2.6.6-32.el5.i386.rpm
libpurple-2.6.6-32.el5.i386.rpm
libpurple-perl-2.6.6-32.el5.i386.rpm
libpurple-tcl-2.6.6-32.el5.i386.rpm
pidgin-2.6.6-32.el5.i386.rpm
pidgin-debuginfo-2.6.6-32.el5.i386.rpm
pidgin-perl-2.6.6-32.el5.i386.rpm

x86_64:
finch-2.6.6-32.el5.i386.rpm
finch-2.6.6-32.el5.x86_64.rpm
libpurple-2.6.6-32.el5.i386.rpm
libpurple-2.6.6-32.el5.x86_64.rpm
libpurple-perl-2.6.6-32.el5.x86_64.rpm
libpurple-tcl-2.6.6-32.el5.x86_64.rpm
pidgin-2.6.6-32.el5.i386.rpm
pidgin-2.6.6-32.el5.x86_64.rpm
pidgin-debuginfo-2.6.6-32.el5.i386.rpm
pidgin-debuginfo-2.6.6-32.el5.x86_64.rpm
pidgin-perl-2.6.6-32.el5.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/pidgin-2.6.6-32.el5.src.rpm

i386:
finch-devel-2.6.6-32.el5.i386.rpm
libpurple-devel-2.6.6-32.el5.i386.rpm
pidgin-debuginfo-2.6.6-32.el5.i386.rpm
pidgin-devel-2.6.6-32.el5.i386.rpm

x86_64:
finch-devel-2.6.6-32.el5.i386.rpm
finch-devel-2.6.6-32.el5.x86_64.rpm
libpurple-devel-2.6.6-32.el5.i386.rpm
libpurple-devel-2.6.6-32.el5.x86_64.rpm
pidgin-debuginfo-2.6.6-32.el5.i386.rpm
pidgin-debuginfo-2.6.6-32.el5.x86_64.rpm
pidgin-devel-2.6.6-32.el5.i386.rpm
pidgin-devel-2.6.6-32.el5.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/pidgin-2.7.9-27.el6.src.rpm

i386:
libpurple-2.7.9-27.el6.i686.rpm
pidgin-2.7.9-27.el6.i686.rpm
pidgin-debuginfo-2.7.9-27.el6.i686.rpm

x86_64:
libpurple-2.7.9-27.el6.i686.rpm
libpurple-2.7.9-27.el6.x86_64.rpm
pidgin-2.7.9-27.el6.x86_64.rpm
pidgin-debuginfo-2.7.9-27.el6.i686.rpm
pidgin-debuginfo-2.7.9-27.el6.x86_64.rpm

Red Hat Enterprise Linux Desktop Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/pidgin-2.7.9-27.el6.src.rpm

i386:
finch-2.7.9-27.el6.i686.rpm
finch-devel-2.7.9-27.el6.i686.rpm
libpurple-devel-2.7.9-27.el6.i686.rpm
libpurple-perl-2.7.9-27.el6.i686.rpm
libpurple-tcl-2.7.9-27.el6.i686.rpm
pidgin-debuginfo-2.7.9-27.el6.i686.rpm
pidgin-devel-2.7.9-27.el6.i686.rpm
pidgin-docs-2.7.9-27.el6.i686.rpm
pidgin-perl-2.7.9-27.el6.i686.rpm

x86_64:
finch-2.7.9-27.el6.i686.rpm
finch-2.7.9-27.el6.x86_64.rpm
finch-devel-2.7.9-27.el6.i686.rpm
finch-devel-2.7.9-27.el6.x86_64.rpm
libpurple-devel-2.7.9-27.el6.i686.rpm
libpurple-devel-2.7.9-27.el6.x86_64.rpm
libpurple-perl-2.7.9-27.el6.x86_64.rpm
libpurple-tcl-2.7.9-27.el6.x86_64.rpm
pidgin-debuginfo-2.7.9-27.el6.i686.rpm
pidgin-debuginfo-2.7.9-27.el6.x86_64.rpm
pidgin-devel-2.7.9-27.el6.i686.rpm
pidgin-devel-2.7.9-27.el6.x86_64.rpm
pidgin-docs-2.7.9-27.el6.x86_64.rpm
pidgin-perl-2.7.9-27.el6.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/pidgin-2.7.9-27.el6.src.rpm

i386:
finch-2.7.9-27.el6.i686.rpm
finch-devel-2.7.9-27.el6.i686.rpm
libpurple-2.7.9-27.el6.i686.rpm
libpurple-devel-2.7.9-27.el6.i686.rpm
libpurple-perl-2.7.9-27.el6.i686.rpm
libpurple-tcl-2.7.9-27.el6.i686.rpm
pidgin-2.7.9-27.el6.i686.rpm
pidgin-debuginfo-2.7.9-27.el6.i686.rpm
pidgin-devel-2.7.9-27.el6.i686.rpm
pidgin-docs-2.7.9-27.el6.i686.rpm
pidgin-perl-2.7.9-27.el6.i686.rpm

ppc64:
finch-2.7.9-27.el6.ppc.rpm
finch-2.7.9-27.el6.ppc64.rpm
finch-devel-2.7.9-27.el6.ppc.rpm
finch-devel-2.7.9-27.el6.ppc64.rpm
libpurple-2.7.9-27.el6.ppc.rpm
libpurple-2.7.9-27.el6.ppc64.rpm
libpurple-devel-2.7.9-27.el6.ppc.rpm
libpurple-devel-2.7.9-27.el6.ppc64.rpm
libpurple-perl-2.7.9-27.el6.ppc64.rpm
libpurple-tcl-2.7.9-27.el6.ppc64.rpm
pidgin-2.7.9-27.el6.ppc64.rpm
pidgin-debuginfo-2.7.9-27.el6.ppc.rpm
pidgin-debuginfo-2.7.9-27.el6.ppc64.rpm
pidgin-devel-2.7.9-27.el6.ppc.rpm
pidgin-devel-2.7.9-27.el6.ppc64.rpm
pidgin-docs-2.7.9-27.el6.ppc64.rpm
pidgin-perl-2.7.9-27.el6.ppc64.rpm

x86_64:
finch-2.7.9-27.el6.i686.rpm
finch-2.7.9-27.el6.x86_64.rpm
finch-devel-2.7.9-27.el6.i686.rpm
finch-devel-2.7.9-27.el6.x86_64.rpm
libpurple-2.7.9-27.el6.i686.rpm
libpurple-2.7.9-27.el6.x86_64.rpm
libpurple-devel-2.7.9-27.el6.i686.rpm
libpurple-devel-2.7.9-27.el6.x86_64.rpm
libpurple-perl-2.7.9-27.el6.x86_64.rpm
libpurple-tcl-2.7.9-27.el6.x86_64.rpm
pidgin-2.7.9-27.el6.x86_64.rpm
pidgin-debuginfo-2.7.9-27.el6.i686.rpm
pidgin-debuginfo-2.7.9-27.el6.x86_64.rpm
pidgin-devel-2.7.9-27.el6.i686.rpm
pidgin-devel-2.7.9-27.el6.x86_64.rpm
pidgin-docs-2.7.9-27.el6.x86_64.rpm
pidgin-perl-2.7.9-27.el6.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/pidgin-2.7.9-27.el6.src.rpm

i386:
libpurple-2.7.9-27.el6.i686.rpm
pidgin-2.7.9-27.el6.i686.rpm
pidgin-debuginfo-2.7.9-27.el6.i686.rpm

x86_64:
libpurple-2.7.9-27.el6.i686.rpm
libpurple-2.7.9-27.el6.x86_64.rpm
pidgin-2.7.9-27.el6.x86_64.rpm
pidgin-debuginfo-2.7.9-27.el6.i686.rpm
pidgin-debuginfo-2.7.9-27.el6.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/pidgin-2.7.9-27.el6.src.rpm

i386:
finch-2.7.9-27.el6.i686.rpm
finch-devel-2.7.9-27.el6.i686.rpm
libpurple-devel-2.7.9-27.el6.i686.rpm
libpurple-perl-2.7.9-27.el6.i686.rpm
libpurple-tcl-2.7.9-27.el6.i686.rpm
pidgin-debuginfo-2.7.9-27.el6.i686.rpm
pidgin-devel-2.7.9-27.el6.i686.rpm
pidgin-docs-2.7.9-27.el6.i686.rpm
pidgin-perl-2.7.9-27.el6.i686.rpm

x86_64:
finch-2.7.9-27.el6.i686.rpm
finch-2.7.9-27.el6.x86_64.rpm
finch-devel-2.7.9-27.el6.i686.rpm
finch-devel-2.7.9-27.el6.x86_64.rpm
libpurple-devel-2.7.9-27.el6.i686.rpm
libpurple-devel-2.7.9-27.el6.x86_64.rpm
libpurple-perl-2.7.9-27.el6.x86_64.rpm
libpurple-tcl-2.7.9-27.el6.x86_64.rpm
pidgin-debuginfo-2.7.9-27.el6.i686.rpm
pidgin-debuginfo-2.7.9-27.el6.x86_64.rpm
pidgin-devel-2.7.9-27.el6.i686.rpm
pidgin-devel-2.7.9-27.el6.x86_64.rpm
pidgin-docs-2.7.9-27.el6.x86_64.rpm
pidgin-perl-2.7.9-27.el6.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2012-6152.html
https://www.redhat.com/security/data/cve/CVE-2013-6477.html
https://www.redhat.com/security/data/cve/CVE-2013-6478.html
https://www.redhat.com/security/data/cve/CVE-2013-6479.html
https://www.redhat.com/security/data/cve/CVE-2013-6481.html
https://www.redhat.com/security/data/cve/CVE-2013-6482.html
https://www.redhat.com/security/data/cve/CVE-2013-6483.html
https://www.redhat.com/security/data/cve/CVE-2013-6484.html
https://www.redhat.com/security/data/cve/CVE-2013-6485.html
https://www.redhat.com/security/data/cve/CVE-2013-6487.html
https://www.redhat.com/security/data/cve/CVE-2013-6489.html
https://www.redhat.com/security/data/cve/CVE-2013-6490.html
https://www.redhat.com/security/data/cve/CVE-2014-0020.html
https://access.redhat.com/security/updates/classification/#moderate
http://www.pidgin.im/news/security/

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFS8nlZXlSAg2UNWIIRArBiAJoDu2N613Zl8eGtvl8ZP5apVDEdPACgt4y0
f1RLP3CKhTR7CM3e6WmJdzc=
=uxHX
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Mon Feb 10 17:34:02 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 10 Feb 2014 17:34:02 +0000
Subject: [RHSA-2014:0151-01] Low: wget security and bug fix update
Message-ID: <201402101734.s1AHY2RT004717@int-mx01.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: wget security and bug fix update
Advisory ID:       RHSA-2014:0151-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0151.html
Issue date:        2014-02-10
CVE Names:         CVE-2010-2252
=====================================================================

1.
Summary:

An updated wget package that fixes one security issue and one bug is now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having Low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64

3. Description:

The wget package provides the GNU Wget file retrieval utility for HTTP, HTTPS, and FTP protocols. Wget provides various useful features, such as the ability to work in the background while the user is logged out, recursive retrieval of directories, file name wildcard matching, and updating files based on file timestamp comparison.

It was discovered that wget used a file name provided by the server when saving a downloaded file. This could cause wget to create a file with a different name than expected, possibly allowing the server to execute arbitrary code on the client. (CVE-2010-2252)

Note: With this update, wget always uses the last component of the original URL as the name for the downloaded file. Previous behavior of using the server provided name or the last component of the redirected URL when creating files can be re-enabled by using the '--trust-server-names' command line option, or by setting 'trust_server_names=on' in the wget start-up file.

This update also fixes the following bugs:

* Prior to this update, the wget package did not recognize HTTPS SSL certificates with alternative names (subjectAltName) specified in the certificate as valid. As a consequence, running the wget command failed with a certificate error. This update fixes wget to recognize such certificates as valid.
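The two naming policies the note above describes, modelled as an added example that is not wget's code: by default the saved name comes only from the last component of the URL the user requested, and only with trust_server_names enabled may a Content-Disposition header or the final redirect target supply it. The precedence between those two server-provided sources, the single-component sanitizer and the sample download are assumptions made for this example.

```python
"""Model of the file-naming policy described for CVE-2010-2252 (added example)."""
from dataclasses import dataclass
from email.message import Message
from typing import Optional, Sequence
from urllib.parse import urlsplit, unquote
import posixpath
import re

FALLBACK_NAME = "index.html"  # used when a URL path ends in "/" or a name is unusable


@dataclass(frozen=True)
class Download:
    original_url: str                   # URL the user asked for
    redirect_chain: Sequence[str]       # URLs followed via 3xx, last one is final
    content_disposition: Optional[str]  # raw header value from the final response


def _last_component(url: str) -> str:
    """Last path component of a URL, or the fallback when the path ends in '/'."""
    return posixpath.basename(unquote(urlsplit(url).path)) or FALLBACK_NAME


def _disposition_filename(header: str) -> Optional[str]:
    """Extract the filename parameter from a Content-Disposition header value."""
    msg = Message()
    msg["Content-Disposition"] = header
    name = msg.get_filename()
    return name or None


def _sanitize(name: str) -> str:
    """Reduce a candidate to one path component (assumed hardening, not wget's)."""
    name = re.split(r"[\\/]", name)[-1]   # drop any directory part, either separator
    if name in ("", ".", ".."):
        return FALLBACK_NAME
    return name


def choose_filename(dl: Download, trust_server_names: bool = False) -> str:
    """Return the local file name for a download.

    trust_server_names=False (the updated default): always the last component of
    the original URL, so neither a redirect nor a Content-Disposition header can
    rename the file.  trust_server_names=True (the behaviour re-enabled by
    --trust-server-names / trust_server_names=on): prefer the Content-Disposition
    name, then the last component of the final redirect target.
    """
    if trust_server_names:
        if dl.content_disposition:
            served = _disposition_filename(dl.content_disposition)
            if served:
                return _sanitize(served)
        if dl.redirect_chain:
            return _sanitize(_last_component(dl.redirect_chain[-1]))
    return _sanitize(_last_component(dl.original_url))


# Constructed sample: the user asks for a tarball, the server redirects and also
# sends a Content-Disposition name containing a directory prefix.
SAMPLE = Download(
    original_url="http://mirror.example/pub/tool-1.2.tar.gz",
    redirect_chain=["http://cdn.example/files/renamed.sh"],
    content_disposition='attachment; filename="../../setup.sh"',
)

if __name__ == "__main__":
    print("default:            ", choose_filename(SAMPLE))
    print("trust_server_names: ", choose_filename(SAMPLE, trust_server_names=True))
```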
(BZ#1060113)

All users of wget are advised to upgrade to this updated package, which
contains backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

602797 - CVE-2010-2252 wget: multiple HTTP client download filename vulnerability [OCERT 2010-001]
833831 - When redirected, wget should use the original page name for saving

6. Package List:

Red Hat Enterprise Linux Desktop (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/wget-1.12-1.11.el6_5.src.rpm

i386:
wget-1.12-1.11.el6_5.i686.rpm
wget-debuginfo-1.12-1.11.el6_5.i686.rpm

x86_64:
wget-1.12-1.11.el6_5.x86_64.rpm
wget-debuginfo-1.12-1.11.el6_5.x86_64.rpm

Red Hat Enterprise Linux HPC Node (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/wget-1.12-1.11.el6_5.src.rpm

x86_64:
wget-1.12-1.11.el6_5.x86_64.rpm
wget-debuginfo-1.12-1.11.el6_5.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/wget-1.12-1.11.el6_5.src.rpm

i386:
wget-1.12-1.11.el6_5.i686.rpm
wget-debuginfo-1.12-1.11.el6_5.i686.rpm

ppc64:
wget-1.12-1.11.el6_5.ppc64.rpm
wget-debuginfo-1.12-1.11.el6_5.ppc64.rpm

s390x:
wget-1.12-1.11.el6_5.s390x.rpm
wget-debuginfo-1.12-1.11.el6_5.s390x.rpm

x86_64:
wget-1.12-1.11.el6_5.x86_64.rpm
wget-debuginfo-1.12-1.11.el6_5.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/wget-1.12-1.11.el6_5.src.rpm

i386:
wget-1.12-1.11.el6_5.i686.rpm
wget-debuginfo-1.12-1.11.el6_5.i686.rpm

x86_64:
wget-1.12-1.11.el6_5.x86_64.rpm
wget-debuginfo-1.12-1.11.el6_5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2010-2252.html
https://access.redhat.com/security/updates/classification/#low

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.

From bugzilla at redhat.com Tue Feb 11 18:38:53 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 11 Feb 2014 18:38:53 +0000
Subject: [RHSA-2014:0159-01] Important: kernel security and bug fix update
Message-ID: <201402111838.s1BIcrcq021680@int-mx02.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: kernel security and bug fix update
Advisory ID:       RHSA-2014:0159-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0159.html
Issue date:        2014-02-11
CVE Names:         CVE-2013-2929 CVE-2013-6381 CVE-2013-7263 CVE-2013-7265
=====================================================================

1. Summary:

Updated kernel packages that fix multiple security issues and several bugs
are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having
Important security impact.
Common Vulnerability Scoring System (CVSS) base scores, which give detailed
severity ratings, are available for each vulnerability from the CVE links
in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 6) - i386, noarch, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - noarch, x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, noarch, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, noarch, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64

3. Description:

The kernel packages contain the Linux kernel, the core of any Linux
operating system.

* A buffer overflow flaw was found in the way the qeth_snmp_command()
function in the Linux kernel's QETH network device driver implementation
handled SNMP IOCTL requests with an out-of-bounds length. A local,
unprivileged user could use this flaw to crash the system or, potentially,
escalate their privileges on the system. (CVE-2013-6381, Important)

* A flaw was found in the way the get_dumpable() function return value was
interpreted in the ptrace subsystem of the Linux kernel. When
'fs.suid_dumpable' was set to 2, a local, unprivileged user could use this
flaw to bypass intended ptrace restrictions and obtain potentially
sensitive information. (CVE-2013-2929, Low)

* It was found that certain protocol handlers in the Linux kernel's
networking implementation could set the addr_len value without
initializing the associated data structure. A local, unprivileged user
could use this flaw to leak kernel stack memory to user space using the
recvmsg, recvfrom, and recvmmsg system calls. (CVE-2013-7263,
CVE-2013-7265, Low)

This update also fixes several bugs.
Documentation for these changes will be available shortly from the
Technical Notes document linked to in the References section.

All kernel users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. The system must be
rebooted for this update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

To install kernel packages manually, use "rpm -ivh [package]". Do not use
"rpm -Uvh" as that will remove the running kernel binaries from your
system. You may use "rpm -e" to remove old kernels after determining that
the new kernel functions properly on your system.

5. Bugs fixed (https://bugzilla.redhat.com/):

1028148 - CVE-2013-2929 kernel: exec/ptrace: get_dumpable() incorrect tests
1033600 - CVE-2013-6381 Kernel: qeth: buffer overflow in snmp ioctl
1035875 - CVE-2013-7263 CVE-2013-7265 Kernel: net: leakage of uninitialized memory to user-space via recv syscalls

6. Package List:

Red Hat Enterprise Linux Desktop (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/kernel-2.6.32-431.5.1.el6.src.rpm

i386:
kernel-2.6.32-431.5.1.el6.i686.rpm
kernel-debug-2.6.32-431.5.1.el6.i686.rpm
kernel-debug-debuginfo-2.6.32-431.5.1.el6.i686.rpm
kernel-debug-devel-2.6.32-431.5.1.el6.i686.rpm
kernel-debuginfo-2.6.32-431.5.1.el6.i686.rpm
kernel-debuginfo-common-i686-2.6.32-431.5.1.el6.i686.rpm
kernel-devel-2.6.32-431.5.1.el6.i686.rpm
kernel-headers-2.6.32-431.5.1.el6.i686.rpm
perf-2.6.32-431.5.1.el6.i686.rpm
perf-debuginfo-2.6.32-431.5.1.el6.i686.rpm
python-perf-debuginfo-2.6.32-431.5.1.el6.i686.rpm

noarch:
kernel-abi-whitelists-2.6.32-431.5.1.el6.noarch.rpm
kernel-doc-2.6.32-431.5.1.el6.noarch.rpm
kernel-firmware-2.6.32-431.5.1.el6.noarch.rpm

x86_64:
kernel-2.6.32-431.5.1.el6.x86_64.rpm
kernel-debug-2.6.32-431.5.1.el6.x86_64.rpm
kernel-debug-debuginfo-2.6.32-431.5.1.el6.x86_64.rpm
kernel-debug-devel-2.6.32-431.5.1.el6.x86_64.rpm
kernel-debuginfo-2.6.32-431.5.1.el6.x86_64.rpm
kernel-debuginfo-common-x86_64-2.6.32-431.5.1.el6.x86_64.rpm
kernel-devel-2.6.32-431.5.1.el6.x86_64.rpm
kernel-headers-2.6.32-431.5.1.el6.x86_64.rpm
perf-2.6.32-431.5.1.el6.x86_64.rpm
perf-debuginfo-2.6.32-431.5.1.el6.x86_64.rpm
python-perf-debuginfo-2.6.32-431.5.1.el6.x86_64.rpm

Red Hat Enterprise Linux Desktop Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/kernel-2.6.32-431.5.1.el6.src.rpm

i386:
kernel-debug-debuginfo-2.6.32-431.5.1.el6.i686.rpm
kernel-debuginfo-2.6.32-431.5.1.el6.i686.rpm
kernel-debuginfo-common-i686-2.6.32-431.5.1.el6.i686.rpm
perf-debuginfo-2.6.32-431.5.1.el6.i686.rpm
python-perf-2.6.32-431.5.1.el6.i686.rpm
python-perf-debuginfo-2.6.32-431.5.1.el6.i686.rpm

x86_64:
kernel-debug-debuginfo-2.6.32-431.5.1.el6.x86_64.rpm
kernel-debuginfo-2.6.32-431.5.1.el6.x86_64.rpm
kernel-debuginfo-common-x86_64-2.6.32-431.5.1.el6.x86_64.rpm
perf-debuginfo-2.6.32-431.5.1.el6.x86_64.rpm
python-perf-2.6.32-431.5.1.el6.x86_64.rpm
python-perf-debuginfo-2.6.32-431.5.1.el6.x86_64.rpm

Red Hat Enterprise Linux HPC Node (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/kernel-2.6.32-431.5.1.el6.src.rpm

noarch:
kernel-abi-whitelists-2.6.32-431.5.1.el6.noarch.rpm
kernel-doc-2.6.32-431.5.1.el6.noarch.rpm
kernel-firmware-2.6.32-431.5.1.el6.noarch.rpm

x86_64:
kernel-2.6.32-431.5.1.el6.x86_64.rpm
kernel-debug-2.6.32-431.5.1.el6.x86_64.rpm
kernel-debug-debuginfo-2.6.32-431.5.1.el6.x86_64.rpm
kernel-debug-devel-2.6.32-431.5.1.el6.x86_64.rpm
kernel-debuginfo-2.6.32-431.5.1.el6.x86_64.rpm
kernel-debuginfo-common-x86_64-2.6.32-431.5.1.el6.x86_64.rpm
kernel-devel-2.6.32-431.5.1.el6.x86_64.rpm
kernel-headers-2.6.32-431.5.1.el6.x86_64.rpm
perf-2.6.32-431.5.1.el6.x86_64.rpm
perf-debuginfo-2.6.32-431.5.1.el6.x86_64.rpm
python-perf-debuginfo-2.6.32-431.5.1.el6.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/kernel-2.6.32-431.5.1.el6.src.rpm

x86_64:
kernel-debug-debuginfo-2.6.32-431.5.1.el6.x86_64.rpm
kernel-debuginfo-2.6.32-431.5.1.el6.x86_64.rpm
kernel-debuginfo-common-x86_64-2.6.32-431.5.1.el6.x86_64.rpm
perf-debuginfo-2.6.32-431.5.1.el6.x86_64.rpm
python-perf-2.6.32-431.5.1.el6.x86_64.rpm
python-perf-debuginfo-2.6.32-431.5.1.el6.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/kernel-2.6.32-431.5.1.el6.src.rpm

i386:
kernel-2.6.32-431.5.1.el6.i686.rpm
kernel-debug-2.6.32-431.5.1.el6.i686.rpm
kernel-debug-debuginfo-2.6.32-431.5.1.el6.i686.rpm
kernel-debug-devel-2.6.32-431.5.1.el6.i686.rpm
kernel-debuginfo-2.6.32-431.5.1.el6.i686.rpm
kernel-debuginfo-common-i686-2.6.32-431.5.1.el6.i686.rpm
kernel-devel-2.6.32-431.5.1.el6.i686.rpm
kernel-headers-2.6.32-431.5.1.el6.i686.rpm
perf-2.6.32-431.5.1.el6.i686.rpm
perf-debuginfo-2.6.32-431.5.1.el6.i686.rpm
python-perf-debuginfo-2.6.32-431.5.1.el6.i686.rpm

noarch:
kernel-abi-whitelists-2.6.32-431.5.1.el6.noarch.rpm
kernel-doc-2.6.32-431.5.1.el6.noarch.rpm
kernel-firmware-2.6.32-431.5.1.el6.noarch.rpm

ppc64:
kernel-2.6.32-431.5.1.el6.ppc64.rpm
kernel-bootwrapper-2.6.32-431.5.1.el6.ppc64.rpm
kernel-debug-2.6.32-431.5.1.el6.ppc64.rpm
kernel-debug-debuginfo-2.6.32-431.5.1.el6.ppc64.rpm
kernel-debug-devel-2.6.32-431.5.1.el6.ppc64.rpm
kernel-debuginfo-2.6.32-431.5.1.el6.ppc64.rpm
kernel-debuginfo-common-ppc64-2.6.32-431.5.1.el6.ppc64.rpm
kernel-devel-2.6.32-431.5.1.el6.ppc64.rpm
kernel-headers-2.6.32-431.5.1.el6.ppc64.rpm
perf-2.6.32-431.5.1.el6.ppc64.rpm
perf-debuginfo-2.6.32-431.5.1.el6.ppc64.rpm
python-perf-debuginfo-2.6.32-431.5.1.el6.ppc64.rpm

s390x:
kernel-2.6.32-431.5.1.el6.s390x.rpm
kernel-debug-2.6.32-431.5.1.el6.s390x.rpm
kernel-debug-debuginfo-2.6.32-431.5.1.el6.s390x.rpm
kernel-debug-devel-2.6.32-431.5.1.el6.s390x.rpm
kernel-debuginfo-2.6.32-431.5.1.el6.s390x.rpm
kernel-debuginfo-common-s390x-2.6.32-431.5.1.el6.s390x.rpm
kernel-devel-2.6.32-431.5.1.el6.s390x.rpm
kernel-headers-2.6.32-431.5.1.el6.s390x.rpm
kernel-kdump-2.6.32-431.5.1.el6.s390x.rpm
kernel-kdump-debuginfo-2.6.32-431.5.1.el6.s390x.rpm
kernel-kdump-devel-2.6.32-431.5.1.el6.s390x.rpm
perf-2.6.32-431.5.1.el6.s390x.rpm
perf-debuginfo-2.6.32-431.5.1.el6.s390x.rpm
python-perf-debuginfo-2.6.32-431.5.1.el6.s390x.rpm

x86_64:
kernel-2.6.32-431.5.1.el6.x86_64.rpm
kernel-debug-2.6.32-431.5.1.el6.x86_64.rpm
kernel-debug-debuginfo-2.6.32-431.5.1.el6.x86_64.rpm
kernel-debug-devel-2.6.32-431.5.1.el6.x86_64.rpm
kernel-debuginfo-2.6.32-431.5.1.el6.x86_64.rpm
kernel-debuginfo-common-x86_64-2.6.32-431.5.1.el6.x86_64.rpm
kernel-devel-2.6.32-431.5.1.el6.x86_64.rpm
kernel-headers-2.6.32-431.5.1.el6.x86_64.rpm
perf-2.6.32-431.5.1.el6.x86_64.rpm
perf-debuginfo-2.6.32-431.5.1.el6.x86_64.rpm
python-perf-debuginfo-2.6.32-431.5.1.el6.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/kernel-2.6.32-431.5.1.el6.src.rpm

i386:
kernel-debug-debuginfo-2.6.32-431.5.1.el6.i686.rpm
kernel-debuginfo-2.6.32-431.5.1.el6.i686.rpm
kernel-debuginfo-common-i686-2.6.32-431.5.1.el6.i686.rpm
perf-debuginfo-2.6.32-431.5.1.el6.i686.rpm
python-perf-2.6.32-431.5.1.el6.i686.rpm
python-perf-debuginfo-2.6.32-431.5.1.el6.i686.rpm

ppc64:
kernel-debug-debuginfo-2.6.32-431.5.1.el6.ppc64.rpm
kernel-debuginfo-2.6.32-431.5.1.el6.ppc64.rpm
kernel-debuginfo-common-ppc64-2.6.32-431.5.1.el6.ppc64.rpm
perf-debuginfo-2.6.32-431.5.1.el6.ppc64.rpm
python-perf-2.6.32-431.5.1.el6.ppc64.rpm
python-perf-debuginfo-2.6.32-431.5.1.el6.ppc64.rpm

s390x:
kernel-debug-debuginfo-2.6.32-431.5.1.el6.s390x.rpm
kernel-debuginfo-2.6.32-431.5.1.el6.s390x.rpm
kernel-debuginfo-common-s390x-2.6.32-431.5.1.el6.s390x.rpm
kernel-kdump-debuginfo-2.6.32-431.5.1.el6.s390x.rpm
perf-debuginfo-2.6.32-431.5.1.el6.s390x.rpm
python-perf-2.6.32-431.5.1.el6.s390x.rpm
python-perf-debuginfo-2.6.32-431.5.1.el6.s390x.rpm

x86_64:
kernel-debug-debuginfo-2.6.32-431.5.1.el6.x86_64.rpm
kernel-debuginfo-2.6.32-431.5.1.el6.x86_64.rpm
kernel-debuginfo-common-x86_64-2.6.32-431.5.1.el6.x86_64.rpm
perf-debuginfo-2.6.32-431.5.1.el6.x86_64.rpm
python-perf-2.6.32-431.5.1.el6.x86_64.rpm
python-perf-debuginfo-2.6.32-431.5.1.el6.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/kernel-2.6.32-431.5.1.el6.src.rpm

i386:
kernel-2.6.32-431.5.1.el6.i686.rpm
kernel-debug-2.6.32-431.5.1.el6.i686.rpm
kernel-debug-debuginfo-2.6.32-431.5.1.el6.i686.rpm
kernel-debug-devel-2.6.32-431.5.1.el6.i686.rpm
kernel-debuginfo-2.6.32-431.5.1.el6.i686.rpm
kernel-debuginfo-common-i686-2.6.32-431.5.1.el6.i686.rpm
kernel-devel-2.6.32-431.5.1.el6.i686.rpm
kernel-headers-2.6.32-431.5.1.el6.i686.rpm
perf-2.6.32-431.5.1.el6.i686.rpm
perf-debuginfo-2.6.32-431.5.1.el6.i686.rpm
python-perf-debuginfo-2.6.32-431.5.1.el6.i686.rpm

noarch:
kernel-abi-whitelists-2.6.32-431.5.1.el6.noarch.rpm
kernel-doc-2.6.32-431.5.1.el6.noarch.rpm
kernel-firmware-2.6.32-431.5.1.el6.noarch.rpm

x86_64:
kernel-2.6.32-431.5.1.el6.x86_64.rpm
kernel-debug-2.6.32-431.5.1.el6.x86_64.rpm
kernel-debug-debuginfo-2.6.32-431.5.1.el6.x86_64.rpm
kernel-debug-devel-2.6.32-431.5.1.el6.x86_64.rpm
kernel-debuginfo-2.6.32-431.5.1.el6.x86_64.rpm
kernel-debuginfo-common-x86_64-2.6.32-431.5.1.el6.x86_64.rpm
kernel-devel-2.6.32-431.5.1.el6.x86_64.rpm
kernel-headers-2.6.32-431.5.1.el6.x86_64.rpm
perf-2.6.32-431.5.1.el6.x86_64.rpm
perf-debuginfo-2.6.32-431.5.1.el6.x86_64.rpm
python-perf-debuginfo-2.6.32-431.5.1.el6.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/kernel-2.6.32-431.5.1.el6.src.rpm

i386:
kernel-debug-debuginfo-2.6.32-431.5.1.el6.i686.rpm
kernel-debuginfo-2.6.32-431.5.1.el6.i686.rpm
kernel-debuginfo-common-i686-2.6.32-431.5.1.el6.i686.rpm
perf-debuginfo-2.6.32-431.5.1.el6.i686.rpm
python-perf-2.6.32-431.5.1.el6.i686.rpm
python-perf-debuginfo-2.6.32-431.5.1.el6.i686.rpm

x86_64:
kernel-debug-debuginfo-2.6.32-431.5.1.el6.x86_64.rpm
kernel-debuginfo-2.6.32-431.5.1.el6.x86_64.rpm
kernel-debuginfo-common-x86_64-2.6.32-431.5.1.el6.x86_64.rpm
perf-debuginfo-2.6.32-431.5.1.el6.x86_64.rpm
python-perf-2.6.32-431.5.1.el6.x86_64.rpm
python-perf-debuginfo-2.6.32-431.5.1.el6.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-2929.html
https://www.redhat.com/security/data/cve/CVE-2013-6381.html
https://www.redhat.com/security/data/cve/CVE-2013-7263.html
https://www.redhat.com/security/data/cve/CVE-2013-7265.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/6.5_Technical_Notes/kernel.html

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
From bugzilla at redhat.com Wed Feb 12 18:35:00 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 12 Feb 2014 18:35:00 +0000
Subject: [RHSA-2014:0163-01] Important: kvm security update
Message-ID: <201402121834.s1CIYpvr009861@int-mx10.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: kvm security update
Advisory ID:       RHSA-2014:0163-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0163.html
Issue date:        2014-02-12
CVE Names:         CVE-2013-6367 CVE-2013-6368
=====================================================================

1. Summary:

Updated kvm packages that fix two security issues are now available for
Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having
Important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

RHEL Desktop Multi OS (v. 5 client) - x86_64
RHEL Virtualization (v. 5 server) - x86_64

3. Description:

KVM (Kernel-based Virtual Machine) is a full virtualization solution for
Linux on AMD64 and Intel 64 systems. KVM is a Linux kernel module built for
the standard Red Hat Enterprise Linux kernel.

A divide-by-zero flaw was found in the apic_get_tmcct() function in KVM's
Local Advanced Programmable Interrupt Controller (LAPIC) implementation. A
privileged guest user could use this flaw to crash the host.
(CVE-2013-6367)

A memory corruption flaw was discovered in the way KVM handled virtual
APIC accesses that crossed a page boundary.
A local, unprivileged user could use this flaw to crash the system or,
potentially, escalate their privileges on the system. (CVE-2013-6368)

Red Hat would like to thank Andrew Honig of Google for reporting these
issues.

All kvm users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. Note: the procedure in
the Solution section must be performed before this update will take
effect.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

The following procedure must be performed before this update will take
effect:

1) Stop all KVM guest virtual machines.

2) Either reboot the hypervisor machine or, as the root user, remove (using
"modprobe -r [module]") and reload (using "modprobe [module]") all of the
following modules which are currently running (determined using "lsmod"):
kvm, ksm, kvm-intel or kvm-amd.

3) Restart the KVM guest virtual machines.

5. Bugs fixed (https://bugzilla.redhat.com/):

1032207 - CVE-2013-6367 kvm: division by zero in apic_get_tmcct()
1032210 - CVE-2013-6368 kvm: cross page vapic_addr access

6. Package List:

RHEL Desktop Multi OS (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/kvm-83-266.el5_10.1.src.rpm

x86_64:
kmod-kvm-83-266.el5_10.1.x86_64.rpm
kmod-kvm-debug-83-266.el5_10.1.x86_64.rpm
kvm-83-266.el5_10.1.x86_64.rpm
kvm-debuginfo-83-266.el5_10.1.x86_64.rpm
kvm-qemu-img-83-266.el5_10.1.x86_64.rpm
kvm-tools-83-266.el5_10.1.x86_64.rpm

RHEL Virtualization (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/kvm-83-266.el5_10.1.src.rpm

x86_64:
kmod-kvm-83-266.el5_10.1.x86_64.rpm
kmod-kvm-debug-83-266.el5_10.1.x86_64.rpm
kvm-83-266.el5_10.1.x86_64.rpm
kvm-debuginfo-83-266.el5_10.1.x86_64.rpm
kvm-qemu-img-83-266.el5_10.1.x86_64.rpm
kvm-tools-83-266.el5_10.1.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-6367.html
https://www.redhat.com/security/data/cve/CVE-2013-6368.html
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.

From bugzilla at redhat.com Wed Feb 12 18:36:56 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 12 Feb 2014 18:36:56 +0000
Subject: [RHSA-2014:0164-01] Moderate: mysql security and bug fix update
Message-ID: <201402121836.s1CIakKq001735@int-mx01.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: mysql security and bug fix update
Advisory ID:       RHSA-2014:0164-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0164.html
Issue date:        2014-02-12
CVE Names:         CVE-2013-5908 CVE-2014-0001 CVE-2014-0386 CVE-2014-0393
                   CVE-2014-0401 CVE-2014-0402 CVE-2014-0412 CVE-2014-0437
=====================================================================

1. Summary:

Updated mysql packages that fix several security issues and one bug are
now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having
Moderate security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64

3. Description:

MySQL is a multi-user, multi-threaded SQL database server. It consists of
the MySQL server daemon (mysqld) and many client programs and libraries.

This update fixes several vulnerabilities in the MySQL database server.
Information about these flaws can be found on the Oracle Critical Patch
Update Advisory page, listed in the References section. (CVE-2014-0386,
CVE-2014-0393, CVE-2014-0401, CVE-2014-0402, CVE-2014-0412, CVE-2014-0437,
CVE-2013-5908)

A buffer overflow flaw was found in the way the MySQL command line client
tool (mysql) processed excessively long version strings. If a user
connected to a malicious MySQL server via the mysql client, the server
could use this flaw to crash the mysql client or, potentially, execute
arbitrary code as the user running the mysql client. (CVE-2014-0001)

The CVE-2014-0001 issue was discovered by Garth Mollett of the Red Hat
Security Response Team.
This update also fixes the following bug:

* Prior to this update, MySQL did not check whether a MySQL socket was
actually being used by any process before starting the mysqld service. If
a particular mysqld service did not exit cleanly while a socket was being
used by a process, this socket was considered to be still in use during
the next start-up of this service, which caused the service to fail to
start. With this update, if a socket exists but is not used by any
process, it is ignored during the mysqld service start-up. (BZ#1058719)

These updated packages upgrade MySQL to version 5.1.73. Refer to the MySQL
Release Notes listed in the References section for a complete list of
changes.

All MySQL users should upgrade to these updated packages, which correct
these issues. After installing this update, the MySQL server daemon
(mysqld) will be restarted automatically.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1053373 - CVE-2013-5908 mysql: unspecified vulnerability related to Error Handling DoS (CPU Jan 2014)
1053375 - CVE-2014-0386 mysql: unspecified vulnerability related to Optimizer DoS (CPU Jan 2014)
1053377 - CVE-2014-0393 mysql: unspecified vulnerability related to InnoDB affecting integrity (CPU Jan 2014)
1053378 - CVE-2014-0401 mysql: unspecified DoS vulnerability (CPU Jan 2014)
1053380 - CVE-2014-0402 mysql: unspecified vulnerability related to Locking DoS (CPU Jan 2014)
1053381 - CVE-2014-0412 mysql: unspecified vulnerability related to InnoDB DoS (CPU Jan 2014)
1053390 - CVE-2014-0437 mysql: unspecified vulnerability related to Optimizer DoS (CPU Jan 2014)
1054592 - CVE-2014-0001 mysql: command-line tool buffer overflow via long server version string
1058719 - MySQL server does not restart after unclean reboot

6. Package List:

Red Hat Enterprise Linux Desktop (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/mysql-5.1.73-3.el6_5.src.rpm

i386:
mysql-5.1.73-3.el6_5.i686.rpm
mysql-debuginfo-5.1.73-3.el6_5.i686.rpm
mysql-libs-5.1.73-3.el6_5.i686.rpm
mysql-server-5.1.73-3.el6_5.i686.rpm

x86_64:
mysql-5.1.73-3.el6_5.x86_64.rpm
mysql-debuginfo-5.1.73-3.el6_5.i686.rpm
mysql-debuginfo-5.1.73-3.el6_5.x86_64.rpm
mysql-libs-5.1.73-3.el6_5.i686.rpm
mysql-libs-5.1.73-3.el6_5.x86_64.rpm
mysql-server-5.1.73-3.el6_5.x86_64.rpm

Red Hat Enterprise Linux Desktop Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/mysql-5.1.73-3.el6_5.src.rpm

i386:
mysql-bench-5.1.73-3.el6_5.i686.rpm
mysql-debuginfo-5.1.73-3.el6_5.i686.rpm
mysql-devel-5.1.73-3.el6_5.i686.rpm
mysql-embedded-5.1.73-3.el6_5.i686.rpm
mysql-embedded-devel-5.1.73-3.el6_5.i686.rpm
mysql-test-5.1.73-3.el6_5.i686.rpm

x86_64:
mysql-bench-5.1.73-3.el6_5.x86_64.rpm
mysql-debuginfo-5.1.73-3.el6_5.i686.rpm
mysql-debuginfo-5.1.73-3.el6_5.x86_64.rpm
mysql-devel-5.1.73-3.el6_5.i686.rpm
mysql-devel-5.1.73-3.el6_5.x86_64.rpm
mysql-embedded-5.1.73-3.el6_5.i686.rpm
mysql-embedded-5.1.73-3.el6_5.x86_64.rpm
mysql-embedded-devel-5.1.73-3.el6_5.i686.rpm
mysql-embedded-devel-5.1.73-3.el6_5.x86_64.rpm
mysql-test-5.1.73-3.el6_5.x86_64.rpm

Red Hat Enterprise Linux HPC Node (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/mysql-5.1.73-3.el6_5.src.rpm

x86_64:
mysql-5.1.73-3.el6_5.x86_64.rpm
mysql-debuginfo-5.1.73-3.el6_5.i686.rpm
mysql-debuginfo-5.1.73-3.el6_5.x86_64.rpm
mysql-libs-5.1.73-3.el6_5.i686.rpm
mysql-libs-5.1.73-3.el6_5.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/mysql-5.1.73-3.el6_5.src.rpm

x86_64:
mysql-bench-5.1.73-3.el6_5.x86_64.rpm
mysql-debuginfo-5.1.73-3.el6_5.i686.rpm
mysql-debuginfo-5.1.73-3.el6_5.x86_64.rpm
mysql-devel-5.1.73-3.el6_5.i686.rpm
mysql-devel-5.1.73-3.el6_5.x86_64.rpm
mysql-embedded-5.1.73-3.el6_5.i686.rpm
mysql-embedded-5.1.73-3.el6_5.x86_64.rpm
mysql-embedded-devel-5.1.73-3.el6_5.i686.rpm
mysql-embedded-devel-5.1.73-3.el6_5.x86_64.rpm
mysql-server-5.1.73-3.el6_5.x86_64.rpm
mysql-test-5.1.73-3.el6_5.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/mysql-5.1.73-3.el6_5.src.rpm

i386:
mysql-5.1.73-3.el6_5.i686.rpm
mysql-bench-5.1.73-3.el6_5.i686.rpm
mysql-debuginfo-5.1.73-3.el6_5.i686.rpm
mysql-devel-5.1.73-3.el6_5.i686.rpm
mysql-libs-5.1.73-3.el6_5.i686.rpm
mysql-server-5.1.73-3.el6_5.i686.rpm
mysql-test-5.1.73-3.el6_5.i686.rpm

ppc64:
mysql-5.1.73-3.el6_5.ppc64.rpm
mysql-bench-5.1.73-3.el6_5.ppc64.rpm
mysql-debuginfo-5.1.73-3.el6_5.ppc.rpm
mysql-debuginfo-5.1.73-3.el6_5.ppc64.rpm
mysql-devel-5.1.73-3.el6_5.ppc.rpm
mysql-devel-5.1.73-3.el6_5.ppc64.rpm
mysql-libs-5.1.73-3.el6_5.ppc.rpm
mysql-libs-5.1.73-3.el6_5.ppc64.rpm
mysql-server-5.1.73-3.el6_5.ppc64.rpm
mysql-test-5.1.73-3.el6_5.ppc64.rpm

s390x:
mysql-5.1.73-3.el6_5.s390x.rpm
mysql-bench-5.1.73-3.el6_5.s390x.rpm
mysql-debuginfo-5.1.73-3.el6_5.s390.rpm
mysql-debuginfo-5.1.73-3.el6_5.s390x.rpm
mysql-devel-5.1.73-3.el6_5.s390.rpm
mysql-devel-5.1.73-3.el6_5.s390x.rpm
mysql-libs-5.1.73-3.el6_5.s390.rpm
mysql-libs-5.1.73-3.el6_5.s390x.rpm
mysql-server-5.1.73-3.el6_5.s390x.rpm
mysql-test-5.1.73-3.el6_5.s390x.rpm

x86_64:
mysql-5.1.73-3.el6_5.x86_64.rpm
mysql-bench-5.1.73-3.el6_5.x86_64.rpm
mysql-debuginfo-5.1.73-3.el6_5.i686.rpm
mysql-debuginfo-5.1.73-3.el6_5.x86_64.rpm
mysql-devel-5.1.73-3.el6_5.i686.rpm
mysql-devel-5.1.73-3.el6_5.x86_64.rpm
mysql-libs-5.1.73-3.el6_5.i686.rpm
mysql-libs-5.1.73-3.el6_5.x86_64.rpm
mysql-server-5.1.73-3.el6_5.x86_64.rpm
mysql-test-5.1.73-3.el6_5.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/mysql-5.1.73-3.el6_5.src.rpm

i386:
mysql-debuginfo-5.1.73-3.el6_5.i686.rpm
mysql-embedded-5.1.73-3.el6_5.i686.rpm
mysql-embedded-devel-5.1.73-3.el6_5.i686.rpm

ppc64:
mysql-debuginfo-5.1.73-3.el6_5.ppc.rpm
mysql-debuginfo-5.1.73-3.el6_5.ppc64.rpm
mysql-embedded-5.1.73-3.el6_5.ppc.rpm
mysql-embedded-5.1.73-3.el6_5.ppc64.rpm
mysql-embedded-devel-5.1.73-3.el6_5.ppc.rpm
mysql-embedded-devel-5.1.73-3.el6_5.ppc64.rpm

s390x:
mysql-debuginfo-5.1.73-3.el6_5.s390.rpm
mysql-debuginfo-5.1.73-3.el6_5.s390x.rpm
mysql-embedded-5.1.73-3.el6_5.s390.rpm
mysql-embedded-5.1.73-3.el6_5.s390x.rpm
mysql-embedded-devel-5.1.73-3.el6_5.s390.rpm
mysql-embedded-devel-5.1.73-3.el6_5.s390x.rpm

x86_64:
mysql-debuginfo-5.1.73-3.el6_5.i686.rpm
mysql-debuginfo-5.1.73-3.el6_5.x86_64.rpm
mysql-embedded-5.1.73-3.el6_5.i686.rpm
mysql-embedded-5.1.73-3.el6_5.x86_64.rpm
mysql-embedded-devel-5.1.73-3.el6_5.i686.rpm
mysql-embedded-devel-5.1.73-3.el6_5.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/mysql-5.1.73-3.el6_5.src.rpm

i386:
mysql-5.1.73-3.el6_5.i686.rpm
mysql-bench-5.1.73-3.el6_5.i686.rpm
mysql-debuginfo-5.1.73-3.el6_5.i686.rpm
mysql-devel-5.1.73-3.el6_5.i686.rpm
mysql-libs-5.1.73-3.el6_5.i686.rpm
mysql-server-5.1.73-3.el6_5.i686.rpm
mysql-test-5.1.73-3.el6_5.i686.rpm

x86_64:
mysql-5.1.73-3.el6_5.x86_64.rpm
mysql-bench-5.1.73-3.el6_5.x86_64.rpm
mysql-debuginfo-5.1.73-3.el6_5.i686.rpm
mysql-debuginfo-5.1.73-3.el6_5.x86_64.rpm
mysql-devel-5.1.73-3.el6_5.i686.rpm
mysql-devel-5.1.73-3.el6_5.x86_64.rpm
mysql-libs-5.1.73-3.el6_5.i686.rpm
mysql-libs-5.1.73-3.el6_5.x86_64.rpm
mysql-server-5.1.73-3.el6_5.x86_64.rpm
mysql-test-5.1.73-3.el6_5.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/mysql-5.1.73-3.el6_5.src.rpm

i386:
mysql-debuginfo-5.1.73-3.el6_5.i686.rpm
mysql-embedded-5.1.73-3.el6_5.i686.rpm
mysql-embedded-devel-5.1.73-3.el6_5.i686.rpm

x86_64:
mysql-debuginfo-5.1.73-3.el6_5.i686.rpm
mysql-debuginfo-5.1.73-3.el6_5.x86_64.rpm
mysql-embedded-5.1.73-3.el6_5.i686.rpm
mysql-embedded-5.1.73-3.el6_5.x86_64.rpm
mysql-embedded-devel-5.1.73-3.el6_5.i686.rpm
mysql-embedded-devel-5.1.73-3.el6_5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-5908.html
https://www.redhat.com/security/data/cve/CVE-2014-0001.html
https://www.redhat.com/security/data/cve/CVE-2014-0386.html
https://www.redhat.com/security/data/cve/CVE-2014-0393.html
https://www.redhat.com/security/data/cve/CVE-2014-0401.html
https://www.redhat.com/security/data/cve/CVE-2014-0402.html
https://www.redhat.com/security/data/cve/CVE-2014-0412.html
https://www.redhat.com/security/data/cve/CVE-2014-0437.html
https://access.redhat.com/security/updates/classification/#moderate
http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html#AppendixMSQL
http://dev.mysql.com/doc/relnotes/mysql/5.1/en/news-5-1-73.html

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFS+78UXlSAg2UNWIIRAuxTAKCa5dn1g/T64CVnHWvIUtOlRnt1zwCfXNDS
diQVeTtU92UiIYEW33g8PMM=
=Gs2a
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Feb 13 18:53:13 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 13 Feb 2014 18:53:13 +0000
Subject: [RHSA-2014:0173-01] Moderate: mysql55-mysql security update
Message-ID: <201402131852.s1DIqupS025044@int-mx11.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis:     Moderate: mysql55-mysql security update
Advisory ID:  RHSA-2014:0173-01
Product:      Red Hat Software Collections
Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-0173.html
Issue date:   2014-02-13
CVE Names:    CVE-2013-3839 CVE-2013-5807 CVE-2013-5891 CVE-2013-5908
              CVE-2014-0001 CVE-2014-0386 CVE-2014-0393 CVE-2014-0401
              CVE-2014-0402 CVE-2014-0412 CVE-2014-0420 CVE-2014-0437
=====================================================================

1. Summary:

Updated mysql55-mysql packages that fix several security issues are now
available for Red Hat Software Collections 1.

The Red Hat Security Response Team has rated this update as having
moderate security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Software Collections for RHEL 6 Server - x86_64
Red Hat Software Collections for RHEL 6 Workstation - x86_64

3. Description:

MySQL is a multi-user, multi-threaded SQL database server. It consists of
the MySQL server daemon (mysqld) and many client programs and libraries.

This update fixes several vulnerabilities in the MySQL database server.
Information about these flaws can be found on the Oracle Critical Patch
Update Advisory page, listed in the References section. (CVE-2013-5807,
CVE-2013-5891, CVE-2014-0386, CVE-2014-0393, CVE-2014-0401, CVE-2014-0402,
CVE-2014-0412, CVE-2014-0420, CVE-2014-0437, CVE-2013-3839, CVE-2013-5908)

A buffer overflow flaw was found in the way the MySQL command line client
tool (mysql) processed excessively long version strings. If a user
connected to a malicious MySQL server via the mysql client, the server
could use this flaw to crash the mysql client or, potentially, execute
arbitrary code as the user running the mysql client. (CVE-2014-0001)

The CVE-2014-0001 issue was discovered by Garth Mollett of the Red Hat
Security Response Team.

These updated packages upgrade MySQL to version 5.5.36. Refer to the MySQL
Release Notes listed in the References section for a complete list of
changes.

All MySQL users should upgrade to these updated packages, which correct
these issues. After installing this update, the MySQL server daemon
(mysqld) will be restarted automatically.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1019978 - CVE-2013-3839 mysql: unspecified DoS related to Optimizer (CPU October 2013)
1019997 - CVE-2013-5807 mysql: unspecified flaw related to Replication (CPU October 2013)
1053371 - CVE-2013-5891 mysql: unspecified vulnerability related to Partition DoS (CPU Jan 2014)
1053373 - CVE-2013-5908 mysql: unspecified vulnerability related to Error Handling DoS (CPU Jan 2014)
1053375 - CVE-2014-0386 mysql: unspecified vulnerability related to Optimizer DoS (CPU Jan 2014)
1053377 - CVE-2014-0393 mysql: unspecified vulnerability related to InnoDB affecting integrity (CPU Jan 2014)
1053378 - CVE-2014-0401 mysql: unspecified DoS vulnerability (CPU Jan 2014)
1053380 - CVE-2014-0402 mysql: unspecified vulnerability related to Locking DoS (CPU Jan 2014)
1053381 - CVE-2014-0412 mysql: unspecified vulnerability related to InnoDB DoS (CPU Jan 2014)
1053383 - CVE-2014-0420 mysql: unspecified vulnerability related to Replication DoS (CPU Jan 2014)
1053390 - CVE-2014-0437 mysql: unspecified vulnerability related to Optimizer DoS (CPU Jan 2014)
1054592 - CVE-2014-0001 mysql: command-line tool buffer overflow via long server version string

6. Package List:

Red Hat Software Collections for RHEL 6 Server:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHSCL/SRPMS/mysql55-mysql-5.5.36-1.1.el6.src.rpm

x86_64:
mysql55-mysql-5.5.36-1.1.el6.x86_64.rpm
mysql55-mysql-bench-5.5.36-1.1.el6.x86_64.rpm
mysql55-mysql-debuginfo-5.5.36-1.1.el6.x86_64.rpm
mysql55-mysql-devel-5.5.36-1.1.el6.x86_64.rpm
mysql55-mysql-libs-5.5.36-1.1.el6.x86_64.rpm
mysql55-mysql-server-5.5.36-1.1.el6.x86_64.rpm
mysql55-mysql-test-5.5.36-1.1.el6.x86_64.rpm

Red Hat Software Collections for RHEL 6 Workstation:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/RHSCL/SRPMS/mysql55-mysql-5.5.36-1.1.el6.src.rpm

x86_64:
mysql55-mysql-5.5.36-1.1.el6.x86_64.rpm
mysql55-mysql-bench-5.5.36-1.1.el6.x86_64.rpm
mysql55-mysql-debuginfo-5.5.36-1.1.el6.x86_64.rpm
mysql55-mysql-devel-5.5.36-1.1.el6.x86_64.rpm
mysql55-mysql-libs-5.5.36-1.1.el6.x86_64.rpm
mysql55-mysql-server-5.5.36-1.1.el6.x86_64.rpm
mysql55-mysql-test-5.5.36-1.1.el6.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-3839.html
https://www.redhat.com/security/data/cve/CVE-2013-5807.html
https://www.redhat.com/security/data/cve/CVE-2013-5891.html
https://www.redhat.com/security/data/cve/CVE-2013-5908.html
https://www.redhat.com/security/data/cve/CVE-2014-0001.html
https://www.redhat.com/security/data/cve/CVE-2014-0386.html
https://www.redhat.com/security/data/cve/CVE-2014-0393.html
https://www.redhat.com/security/data/cve/CVE-2014-0401.html
https://www.redhat.com/security/data/cve/CVE-2014-0402.html
https://www.redhat.com/security/data/cve/CVE-2014-0412.html
https://www.redhat.com/security/data/cve/CVE-2014-0420.html
https://www.redhat.com/security/data/cve/CVE-2014-0437.html
https://access.redhat.com/security/updates/classification/#moderate
http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html#AppendixMSQL
http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html#AppendixMSQL
http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-36.html

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFS/RRtXlSAg2UNWIIRAlqjAJ9mgISy5mmIhvU52tS+4rau+RKQGwCgjFUv
OFhBYVjxeiY2hRHzJHHtcj0=
=d5g3
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Feb 13 18:53:45 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 13 Feb 2014 18:53:45 +0000
Subject: [RHSA-2014:0174-01] Important: piranha security update
Message-ID: <201402131853.s1DIrSLs023114@int-mx01.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis:     Important: piranha security update
Advisory ID:  RHSA-2014:0174-01
Product:      Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-0174.html
Issue date:   2014-02-13
CVE Names:    CVE-2013-6492
=====================================================================

1. Summary:

An updated piranha package that fixes one security issue is now available
for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having
Important security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.

2. Relevant releases/architectures:

RHEL Clustering (v. 5 server) - i386, ia64, ppc, x86_64

3. Description:

Piranha provides high-availability and load-balancing services for Red Hat
Enterprise Linux. The piranha packages contain various tools to administer
and configure the Linux Virtual Server (LVS), as well as the heartbeat and
failover components. LVS is a dynamically-adjusted kernel routing mechanism
that provides load balancing, primarily for Web and FTP servers.

It was discovered that the Piranha Configuration Tool did not properly
restrict access to its web pages. A remote attacker able to connect to the
Piranha Configuration Tool web server port could use this flaw to read or
modify the LVS configuration without providing valid administrative
credentials. (CVE-2013-6492)

All piranha users are advised to upgrade to this updated package, which
contains a backported patch to correct this issue.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1043040 - CVE-2013-6492 piranha: web UI authentication bypass using POST requests

6. Package List:

RHEL Clustering (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/piranha-0.8.4-26.el5_10.1.src.rpm

i386:
piranha-0.8.4-26.el5_10.1.i386.rpm
piranha-debuginfo-0.8.4-26.el5_10.1.i386.rpm

ia64:
piranha-0.8.4-26.el5_10.1.ia64.rpm
piranha-debuginfo-0.8.4-26.el5_10.1.ia64.rpm

ppc:
piranha-0.8.4-26.el5_10.1.ppc.rpm
piranha-debuginfo-0.8.4-26.el5_10.1.ppc.rpm

x86_64:
piranha-0.8.4-26.el5_10.1.x86_64.rpm
piranha-debuginfo-0.8.4-26.el5_10.1.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-6492.html
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFS/RSSXlSAg2UNWIIRAllvAKCDxPbXEcGglUZgFc+IE08NOXzFcwCdGKqD
jYmbn1MRFF5DMUDrMAw3yEw=
=Hts1
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Feb 13 18:54:21 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 13 Feb 2014 18:54:21 +0000
Subject: [RHSA-2014:0175-01] Important: piranha security and bug fix update
Message-ID: <201402131854.s1DIs3Qn023796@int-mx02.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis:     Important: piranha security and bug fix update
Advisory ID:  RHSA-2014:0175-01
Product:      Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-0175.html
Issue date:   2014-02-13
CVE Names:    CVE-2013-6492
=====================================================================

1. Summary:

An updated piranha package that fixes one security issue and one bug is
now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having
Important security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Load Balancer (v. 6) - i386, x86_64

3. Description:

Piranha provides high-availability and load-balancing services for Red Hat
Enterprise Linux. The piranha packages contain various tools to administer
and configure the Linux Virtual Server (LVS), as well as the heartbeat and
failover components. LVS is a dynamically-adjusted kernel routing mechanism
that provides load balancing, primarily for Web and FTP servers.

It was discovered that the Piranha Configuration Tool did not properly
restrict access to its web pages. A remote attacker able to connect to the
Piranha Configuration Tool web server port could use this flaw to read or
modify the LVS configuration without providing valid administrative
credentials. (CVE-2013-6492)

This update also fixes the following bug:

* When the lvsd service attempted to start, the sem_timedwait() function
received the interrupted function call (EINTR) error and exited, causing
the lvsd service to fail to start. With this update, EINTR errors are
correctly ignored during the start-up of the lvsd service. (BZ#1055709)

All piranha users are advised to upgrade to this updated package, which
contains backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1043040 - CVE-2013-6492 piranha: web UI authentication bypass using POST requests
1055709 - pulse: ignore EINTR while waiting for semaphore

6. Package List:

Red Hat Enterprise Linux Load Balancer (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/piranha-0.8.6-4.el6_5.2.src.rpm

i386:
piranha-0.8.6-4.el6_5.2.i686.rpm
piranha-debuginfo-0.8.6-4.el6_5.2.i686.rpm

x86_64:
piranha-0.8.6-4.el6_5.2.x86_64.rpm
piranha-debuginfo-0.8.6-4.el6_5.2.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-6492.html
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFS/RSyXlSAg2UNWIIRAteSAKCPyBOqLcBj/niuICECjuc4+E9NowCdEoma
nprYVqHj1pu2dLRLRlbAtno=
=ZZq+
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Tue Feb 18 18:06:01 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 18 Feb 2014 18:06:01 +0000
Subject: [RHSA-2014:0185-01] Moderate: openswan security update
Message-ID: <201402181805.s1II5vqK006308@int-mx01.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis:     Moderate: openswan security update
Advisory ID:  RHSA-2014:0185-01
Product:      Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-0185.html
Issue date:   2014-02-18
CVE Names:    CVE-2013-6466
=====================================================================

1. Summary:

Updated openswan packages that fix one security issue are now available
for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having
Moderate security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64

3. Description:

Openswan is a free implementation of Internet Protocol Security (IPsec)
and Internet Key Exchange (IKE). IPsec uses strong cryptography to provide
both authentication and encryption services. These services allow you to
build secure tunnels through untrusted networks.

A NULL pointer dereference flaw was discovered in the way Openswan's IKE
daemon processed IKEv2 payloads. A remote attacker could send specially
crafted IKEv2 payloads that, when processed, would lead to a denial of
service (daemon crash), possibly causing existing VPN connections to be
dropped. (CVE-2013-6466)

All openswan users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1050277 - CVE-2013-6466 openswan: dereferencing missing IKEv2 payloads causes pluto daemon to restart

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/openswan-2.6.32-7.3.el5_10.src.rpm

i386:
openswan-2.6.32-7.3.el5_10.i386.rpm
openswan-debuginfo-2.6.32-7.3.el5_10.i386.rpm
openswan-doc-2.6.32-7.3.el5_10.i386.rpm

x86_64:
openswan-2.6.32-7.3.el5_10.x86_64.rpm
openswan-debuginfo-2.6.32-7.3.el5_10.x86_64.rpm
openswan-doc-2.6.32-7.3.el5_10.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/openswan-2.6.32-7.3.el5_10.src.rpm

i386:
openswan-2.6.32-7.3.el5_10.i386.rpm
openswan-debuginfo-2.6.32-7.3.el5_10.i386.rpm
openswan-doc-2.6.32-7.3.el5_10.i386.rpm

ia64:
openswan-2.6.32-7.3.el5_10.ia64.rpm
openswan-debuginfo-2.6.32-7.3.el5_10.ia64.rpm
openswan-doc-2.6.32-7.3.el5_10.ia64.rpm

ppc:
openswan-2.6.32-7.3.el5_10.ppc.rpm
openswan-debuginfo-2.6.32-7.3.el5_10.ppc.rpm
openswan-doc-2.6.32-7.3.el5_10.ppc.rpm

s390x:
openswan-2.6.32-7.3.el5_10.s390x.rpm
openswan-debuginfo-2.6.32-7.3.el5_10.s390x.rpm
openswan-doc-2.6.32-7.3.el5_10.s390x.rpm

x86_64:
openswan-2.6.32-7.3.el5_10.x86_64.rpm
openswan-debuginfo-2.6.32-7.3.el5_10.x86_64.rpm
openswan-doc-2.6.32-7.3.el5_10.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/openswan-2.6.32-27.2.el6_5.src.rpm

i386:
openswan-2.6.32-27.2.el6_5.i686.rpm
openswan-debuginfo-2.6.32-27.2.el6_5.i686.rpm

x86_64:
openswan-2.6.32-27.2.el6_5.x86_64.rpm
openswan-debuginfo-2.6.32-27.2.el6_5.x86_64.rpm

Red Hat Enterprise Linux Desktop Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/openswan-2.6.32-27.2.el6_5.src.rpm

i386:
openswan-debuginfo-2.6.32-27.2.el6_5.i686.rpm
openswan-doc-2.6.32-27.2.el6_5.i686.rpm

x86_64:
openswan-debuginfo-2.6.32-27.2.el6_5.x86_64.rpm
openswan-doc-2.6.32-27.2.el6_5.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/openswan-2.6.32-27.2.el6_5.src.rpm

i386:
openswan-2.6.32-27.2.el6_5.i686.rpm
openswan-debuginfo-2.6.32-27.2.el6_5.i686.rpm

ppc64:
openswan-2.6.32-27.2.el6_5.ppc64.rpm
openswan-debuginfo-2.6.32-27.2.el6_5.ppc64.rpm

s390x:
openswan-2.6.32-27.2.el6_5.s390x.rpm
openswan-debuginfo-2.6.32-27.2.el6_5.s390x.rpm

x86_64:
openswan-2.6.32-27.2.el6_5.x86_64.rpm
openswan-debuginfo-2.6.32-27.2.el6_5.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/openswan-2.6.32-27.2.el6_5.src.rpm

i386:
openswan-debuginfo-2.6.32-27.2.el6_5.i686.rpm
openswan-doc-2.6.32-27.2.el6_5.i686.rpm

ppc64:
openswan-debuginfo-2.6.32-27.2.el6_5.ppc64.rpm
openswan-doc-2.6.32-27.2.el6_5.ppc64.rpm

s390x:
openswan-debuginfo-2.6.32-27.2.el6_5.s390x.rpm
openswan-doc-2.6.32-27.2.el6_5.s390x.rpm

x86_64:
openswan-debuginfo-2.6.32-27.2.el6_5.x86_64.rpm
openswan-doc-2.6.32-27.2.el6_5.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/openswan-2.6.32-27.2.el6_5.src.rpm

i386:
openswan-2.6.32-27.2.el6_5.i686.rpm
openswan-debuginfo-2.6.32-27.2.el6_5.i686.rpm

x86_64:
openswan-2.6.32-27.2.el6_5.x86_64.rpm
openswan-debuginfo-2.6.32-27.2.el6_5.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/openswan-2.6.32-27.2.el6_5.src.rpm

i386:
openswan-debuginfo-2.6.32-27.2.el6_5.i686.rpm
openswan-doc-2.6.32-27.2.el6_5.i686.rpm

x86_64:
openswan-debuginfo-2.6.32-27.2.el6_5.x86_64.rpm
openswan-doc-2.6.32-27.2.el6_5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-6466.html
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFTA6D7XlSAg2UNWIIRAkO0AKCCIbfDJPZuuXS7U6rZU8/CimQlxwCeIPUb
dpyjtxp6hcgn2NES8FPSOkw=
=jFWA
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Tue Feb 18 18:06:54 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 18 Feb 2014 18:06:54 +0000
Subject: [RHSA-2014:0186-01] Moderate: mysql55-mysql security update
Message-ID: <201402181806.s1II6oKL005735@int-mx09.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis:     Moderate: mysql55-mysql security update
Advisory ID:  RHSA-2014:0186-01
Product:      Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-0186.html
Issue date:   2014-02-18
CVE Names:    CVE-2013-3839 CVE-2013-5807 CVE-2013-5891 CVE-2013-5908
              CVE-2014-0001 CVE-2014-0386 CVE-2014-0393 CVE-2014-0401
              CVE-2014-0402 CVE-2014-0412 CVE-2014-0420 CVE-2014-0437
=====================================================================

1. Summary:

Updated mysql55-mysql packages that fix several security issues are now
available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having
Moderate security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64

3. Description:

MySQL is a multi-user, multi-threaded SQL database server. It consists of
the MySQL server daemon (mysqld) and many client programs and libraries.

This update fixes several vulnerabilities in the MySQL database server.
Information about these flaws can be found on the Oracle Critical Patch
Update Advisory page, listed in the References section. (CVE-2013-5807,
CVE-2013-5891, CVE-2014-0386, CVE-2014-0393, CVE-2014-0401, CVE-2014-0402,
CVE-2014-0412, CVE-2014-0420, CVE-2014-0437, CVE-2013-3839, CVE-2013-5908)

A buffer overflow flaw was found in the way the MySQL command line client
tool (mysql) processed excessively long version strings. If a user
connected to a malicious MySQL server via the mysql client, the server
could use this flaw to crash the mysql client or, potentially, execute
arbitrary code as the user running the mysql client. (CVE-2014-0001)

The CVE-2014-0001 issue was discovered by Garth Mollett of the Red Hat
Security Response Team.

These updated packages upgrade MySQL to version 5.5.36. Refer to the MySQL
Release Notes listed in the References section for a complete list of
changes.

All MySQL users should upgrade to these updated packages, which correct
these issues. After installing this update, the MySQL server daemon
(mysqld) will be restarted automatically.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1019978 - CVE-2013-3839 mysql: unspecified DoS related to Optimizer (CPU October 2013)
1019997 - CVE-2013-5807 mysql: unspecified flaw related to Replication (CPU October 2013)
1053371 - CVE-2013-5891 mysql: unspecified vulnerability related to Partition DoS (CPU Jan 2014)
1053373 - CVE-2013-5908 mysql: unspecified vulnerability related to Error Handling DoS (CPU Jan 2014)
1053375 - CVE-2014-0386 mysql: unspecified vulnerability related to Optimizer DoS (CPU Jan 2014)
1053377 - CVE-2014-0393 mysql: unspecified vulnerability related to InnoDB affecting integrity (CPU Jan 2014)
1053378 - CVE-2014-0401 mysql: unspecified DoS vulnerability (CPU Jan 2014)
1053380 - CVE-2014-0402 mysql: unspecified vulnerability related to Locking DoS (CPU Jan 2014)
1053381 - CVE-2014-0412 mysql: unspecified vulnerability related to InnoDB DoS (CPU Jan 2014)
1053383 - CVE-2014-0420 mysql: unspecified vulnerability related to Replication DoS (CPU Jan 2014)
1053390 - CVE-2014-0437 mysql: unspecified vulnerability related to Optimizer DoS (CPU Jan 2014)
1054592 - CVE-2014-0001 mysql: command-line tool buffer overflow via long server version string

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/mysql55-mysql-5.5.36-2.el5.src.rpm

i386:
mysql55-mysql-5.5.36-2.el5.i386.rpm
mysql55-mysql-bench-5.5.36-2.el5.i386.rpm
mysql55-mysql-debuginfo-5.5.36-2.el5.i386.rpm
mysql55-mysql-libs-5.5.36-2.el5.i386.rpm
mysql55-mysql-server-5.5.36-2.el5.i386.rpm
mysql55-mysql-test-5.5.36-2.el5.i386.rpm

x86_64:
mysql55-mysql-5.5.36-2.el5.x86_64.rpm
mysql55-mysql-bench-5.5.36-2.el5.x86_64.rpm
mysql55-mysql-debuginfo-5.5.36-2.el5.x86_64.rpm
mysql55-mysql-libs-5.5.36-2.el5.x86_64.rpm
mysql55-mysql-server-5.5.36-2.el5.x86_64.rpm
mysql55-mysql-test-5.5.36-2.el5.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/mysql55-mysql-5.5.36-2.el5.src.rpm

i386:
mysql55-mysql-debuginfo-5.5.36-2.el5.i386.rpm
mysql55-mysql-devel-5.5.36-2.el5.i386.rpm

x86_64:
mysql55-mysql-debuginfo-5.5.36-2.el5.i386.rpm
mysql55-mysql-debuginfo-5.5.36-2.el5.x86_64.rpm
mysql55-mysql-devel-5.5.36-2.el5.i386.rpm
mysql55-mysql-devel-5.5.36-2.el5.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/mysql55-mysql-5.5.36-2.el5.src.rpm

i386:
mysql55-mysql-5.5.36-2.el5.i386.rpm
mysql55-mysql-bench-5.5.36-2.el5.i386.rpm
mysql55-mysql-debuginfo-5.5.36-2.el5.i386.rpm
mysql55-mysql-devel-5.5.36-2.el5.i386.rpm
mysql55-mysql-libs-5.5.36-2.el5.i386.rpm
mysql55-mysql-server-5.5.36-2.el5.i386.rpm
mysql55-mysql-test-5.5.36-2.el5.i386.rpm

ia64:
mysql55-mysql-5.5.36-2.el5.ia64.rpm
mysql55-mysql-bench-5.5.36-2.el5.ia64.rpm
mysql55-mysql-debuginfo-5.5.36-2.el5.ia64.rpm
mysql55-mysql-devel-5.5.36-2.el5.ia64.rpm
mysql55-mysql-libs-5.5.36-2.el5.ia64.rpm
mysql55-mysql-server-5.5.36-2.el5.ia64.rpm
mysql55-mysql-test-5.5.36-2.el5.ia64.rpm

ppc:
mysql55-mysql-5.5.36-2.el5.ppc.rpm
mysql55-mysql-bench-5.5.36-2.el5.ppc.rpm
mysql55-mysql-debuginfo-5.5.36-2.el5.ppc.rpm
mysql55-mysql-debuginfo-5.5.36-2.el5.ppc64.rpm
mysql55-mysql-devel-5.5.36-2.el5.ppc.rpm
mysql55-mysql-devel-5.5.36-2.el5.ppc64.rpm
mysql55-mysql-libs-5.5.36-2.el5.ppc.rpm
mysql55-mysql-server-5.5.36-2.el5.ppc.rpm
mysql55-mysql-test-5.5.36-2.el5.ppc.rpm

s390x:
mysql55-mysql-5.5.36-2.el5.s390x.rpm
mysql55-mysql-bench-5.5.36-2.el5.s390x.rpm
mysql55-mysql-debuginfo-5.5.36-2.el5.s390.rpm
mysql55-mysql-debuginfo-5.5.36-2.el5.s390x.rpm
mysql55-mysql-devel-5.5.36-2.el5.s390.rpm
mysql55-mysql-devel-5.5.36-2.el5.s390x.rpm
mysql55-mysql-libs-5.5.36-2.el5.s390x.rpm
mysql55-mysql-server-5.5.36-2.el5.s390x.rpm
mysql55-mysql-test-5.5.36-2.el5.s390x.rpm

x86_64:
mysql55-mysql-5.5.36-2.el5.x86_64.rpm
mysql55-mysql-bench-5.5.36-2.el5.x86_64.rpm
mysql55-mysql-debuginfo-5.5.36-2.el5.i386.rpm
mysql55-mysql-debuginfo-5.5.36-2.el5.x86_64.rpm
mysql55-mysql-devel-5.5.36-2.el5.i386.rpm
mysql55-mysql-devel-5.5.36-2.el5.x86_64.rpm
mysql55-mysql-libs-5.5.36-2.el5.x86_64.rpm
mysql55-mysql-server-5.5.36-2.el5.x86_64.rpm
mysql55-mysql-test-5.5.36-2.el5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-3839.html
https://www.redhat.com/security/data/cve/CVE-2013-5807.html
https://www.redhat.com/security/data/cve/CVE-2013-5891.html
https://www.redhat.com/security/data/cve/CVE-2013-5908.html
https://www.redhat.com/security/data/cve/CVE-2014-0001.html
https://www.redhat.com/security/data/cve/CVE-2014-0386.html
https://www.redhat.com/security/data/cve/CVE-2014-0393.html
https://www.redhat.com/security/data/cve/CVE-2014-0401.html
https://www.redhat.com/security/data/cve/CVE-2014-0402.html
https://www.redhat.com/security/data/cve/CVE-2014-0412.html
https://www.redhat.com/security/data/cve/CVE-2014-0420.html
https://www.redhat.com/security/data/cve/CVE-2014-0437.html
https://access.redhat.com/security/updates/classification/#moderate
http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html#AppendixMSQL
http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html#AppendixMSQL
http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-36.html

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
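Each advisory above ends with the package list that says which build closes the issue, and the practical check on a host is whether every installed package from that list is at or past the fixed version-release. The script below is an added example and is not Red Hat's code or anything shipped with these advisories: it parses rpm -qa style output, orders version and release the way rpm itself does (numeric segments beat alphabetic ones, a tilde sorts before everything) and reports, per package, whether the fixed build is installed. The fixed values in FIXED_VR are copied from the RHEL 6 package lists of RHSA-2014:0185 (openswan), RHSA-2014:0173 (mysql55-mysql) and RHSA-2014:0175 (piranha) above; the "installed" lines in SAMPLE_RPM_QA are constructed for the illustration and the pre-update builds in them are invented, not real NVRs. It assumes packages carry no epoch (rpm -qa omits it by default) and does not implement rpm's '^' operator.

```python
"""Audit installed RPMs against the fixed builds listed in an advisory.

Added example (not Red Hat's code). Assumes no epoch in the installed
package strings and ignores rpm's '^' operator; '~' is handled.
"""
import re

# Fixed version-release per package, copied from the advisory package
# lists: RHSA-2014:0185 (openswan, RHEL 6), RHSA-2014:0173 (mysql55-mysql,
# RHSCL for RHEL 6) and RHSA-2014:0175 (piranha, RHEL 6 Load Balancer).
FIXED_VR = {
    "openswan": "2.6.32-27.2.el6_5",
    "openswan-doc": "2.6.32-27.2.el6_5",
    "mysql55-mysql": "5.5.36-1.1.el6",
    "mysql55-mysql-libs": "5.5.36-1.1.el6",
    "mysql55-mysql-server": "5.5.36-1.1.el6",
    "piranha": "0.8.6-4.el6_5.2",
}

# Constructed `rpm -qa` output for a hypothetical RHEL 6 host. The
# pre-update builds (27.el6, 1.el6) are invented for illustration.
SAMPLE_RPM_QA = """\
openswan-2.6.32-27.el6.x86_64
openswan-doc-2.6.32-27.2.el6_5.x86_64
mysql55-mysql-libs-5.5.36-1.1.el6.x86_64
mysql55-mysql-server-5.5.36-1.el6.x86_64
piranha-0.8.6-4.el6_5.2.x86_64
bash-4.1.2-15.el6_4.x86_64
"""

# A version string is compared as a sequence of digit runs, letter runs
# and tilde markers; every other character is a separator.
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+|~")


def rpm_vercmp(a, b):
    """Order two version (or release) strings like librpm's rpmvercmp().

    Digit runs compare numerically, letter runs compare as strings, a digit
    run outranks a letter run, and '~' sorts before anything, so that
    1.0~rc1 < 1.0. Returns -1, 0 or 1.
    """
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":
            if x == y:
                continue
            return -1 if x == "~" else 1
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)  # numeric compare also drops leading zeros
        if x != y:
            return 1 if x > y else -1
    # Equal so far: whichever has segments left wins, unless they start
    # with '~', which marks a pre-release and therefore sorts lower.
    n = min(len(sa), len(sb))
    if len(sa) > n:
        return -1 if sa[n] == "~" else 1
    if len(sb) > n:
        return 1 if sb[n] == "~" else -1
    return 0


def compare_vr(installed, fixed):
    """Order two 'version-release' strings: version first, then release."""
    iv, ir = installed.split("-", 1)
    fv, fr = fixed.split("-", 1)
    return rpm_vercmp(iv, fv) or rpm_vercmp(ir, fr)


def parse_nvra(pkg):
    """Split 'name-version-release.arch' (rpm -qa form, '.rpm' optional).

    Names may contain hyphens, so version and release are taken from the
    right; the architecture is whatever follows the release's last dot.
    """
    if pkg.endswith(".rpm"):
        pkg = pkg[:-4]
    base, _, arch = pkg.rpartition(".")
    name_ver, _, release = base.rpartition("-")
    name, _, version = name_ver.rpartition("-")
    return name, version, release, arch


def audit(rpm_qa_output, fixed_vr):
    """Return {package: 'fixed' | 'vulnerable' | 'not installed'}.

    A package installed for several architectures (multilib) counts as
    vulnerable if any installed instance is below the fixed build.
    """
    status = {name: "not installed" for name in fixed_vr}
    for line in rpm_qa_output.split():
        name, version, release, _arch = parse_nvra(line)
        if name not in fixed_vr:
            continue
        if compare_vr(f"{version}-{release}", fixed_vr[name]) < 0:
            status[name] = "vulnerable"
        elif status[name] == "not installed":
            status[name] = "fixed"
    return status


if __name__ == "__main__":
    for name, state in sorted(audit(SAMPLE_RPM_QA, FIXED_VR).items()):
        print(f"{name:24} {state}")
```

On a real host the constructed sample would be replaced by the output of rpm -qa, and FIXED_VR would be filled from the package list for that host's product and architecture, since the same advisory ships different version-releases for RHEL 5 and RHEL 6 (for instance openswan-2.6.32-7.3.el5_10 against 2.6.32-27.2.el6_5 in RHSA-2014:0185). The "not installed" state is deliberate: one source RPM produces several binary packages and only some are usually present, so a package that is absent is not a finding, whereas a package present in an older build is.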
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFTA6EkXlSAg2UNWIIRAm5NAJ9Srp/4WyalIYIFea++hqGIfLw7sACcDiTM Ya07d5i30dE6IDVJjRJr29k= =wyZH -----END PGP SIGNATURE----- From bugzilla at redhat.com Wed Feb 19 19:17:53 2014 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Wed, 19 Feb 2014 19:17:53 +0000 Subject: [RHSA-2014:0189-01] Moderate: mariadb55-mariadb security update Message-ID: <201402191917.s1JJHqp3025422@int-mx10.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: mariadb55-mariadb security update Advisory ID: RHSA-2014:0189-01 Product: Red Hat Software Collections Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-0189.html Issue date: 2014-02-19 CVE Names: CVE-2013-3839 CVE-2013-5807 CVE-2013-5891 CVE-2013-5908 CVE-2014-0001 CVE-2014-0386 CVE-2014-0393 CVE-2014-0401 CVE-2014-0402 CVE-2014-0412 CVE-2014-0420 CVE-2014-0437 ===================================================================== 1. Summary: Updated mariadb55-mariadb packages that fix several security issues are now available for Red Hat Software Collections 1. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Software Collections for RHEL 6 Server - x86_64 Red Hat Software Collections for RHEL 6 Workstation - x86_64 3. Description: MariaDB is a multi-user, multi-threaded SQL database server that is binary compatible with MySQL. This update fixes several vulnerabilities in the MariaDB database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section. 
(CVE-2013-5807, CVE-2013-5891, CVE-2014-0386, CVE-2014-0393, CVE-2014-0401, CVE-2014-0402, CVE-2014-0412, CVE-2014-0420, CVE-2014-0437, CVE-2013-3839, CVE-2013-5908)

A buffer overflow flaw was found in the way the MariaDB command line client tool (mysql) processed excessively long version strings. If a user connected to a malicious MariaDB server via the mysql client, the server could use this flaw to crash the mysql client or, potentially, execute arbitrary code as the user running the mysql client. (CVE-2014-0001)

The CVE-2014-0001 issue was discovered by Garth Mollett of the Red Hat Security Response Team.

These updated packages upgrade MariaDB to version 5.5.35. Refer to the MariaDB Release Notes listed in the References section for a complete list of changes.

All MariaDB users should upgrade to these updated packages, which correct these issues. After installing this update, the MariaDB server daemon (mysqld) will be restarted automatically.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1019978 - CVE-2013-3839 mysql: unspecified DoS related to Optimizer (CPU October 2013)
1019997 - CVE-2013-5807 mysql: unspecified flaw related to Replication (CPU October 2013)
1053371 - CVE-2013-5891 mysql: unspecified vulnerability related to Partition DoS (CPU Jan 2014)
1053373 - CVE-2013-5908 mysql: unspecified vulnerability related to Error Handling DoS (CPU Jan 2014)
1053375 - CVE-2014-0386 mysql: unspecified vulnerability related to Optimizer DoS (CPU Jan 2014)
1053377 - CVE-2014-0393 mysql: unspecified vulnerability related to InnoDB affecting integrity (CPU Jan 2014)
1053378 - CVE-2014-0401 mysql: unspecified DoS vulnerability (CPU Jan 2014)
1053380 - CVE-2014-0402 mysql: unspecified vulnerability related to Locking DoS (CPU Jan 2014)
1053381 - CVE-2014-0412 mysql: unspecified vulnerability related to InnoDB DoS (CPU Jan 2014)
1053383 - CVE-2014-0420 mysql: unspecified vulnerability related to Replication DoS (CPU Jan 2014)
1053390 - CVE-2014-0437 mysql: unspecified vulnerability related to Optimizer DoS (CPU Jan 2014)
1054592 - CVE-2014-0001 mysql: command-line tool buffer overflow via long server version string

6. Package List:

Red Hat Software Collections for RHEL 6 Server:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHSCL/SRPMS/mariadb55-mariadb-5.5.35-1.1.el6.src.rpm

x86_64:
mariadb55-mariadb-5.5.35-1.1.el6.x86_64.rpm
mariadb55-mariadb-bench-5.5.35-1.1.el6.x86_64.rpm
mariadb55-mariadb-debuginfo-5.5.35-1.1.el6.x86_64.rpm
mariadb55-mariadb-devel-5.5.35-1.1.el6.x86_64.rpm
mariadb55-mariadb-libs-5.5.35-1.1.el6.x86_64.rpm
mariadb55-mariadb-server-5.5.35-1.1.el6.x86_64.rpm
mariadb55-mariadb-test-5.5.35-1.1.el6.x86_64.rpm

Red Hat Software Collections for RHEL 6 Workstation:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/RHSCL/SRPMS/mariadb55-mariadb-5.5.35-1.1.el6.src.rpm

x86_64:
mariadb55-mariadb-5.5.35-1.1.el6.x86_64.rpm
mariadb55-mariadb-bench-5.5.35-1.1.el6.x86_64.rpm
mariadb55-mariadb-debuginfo-5.5.35-1.1.el6.x86_64.rpm
mariadb55-mariadb-devel-5.5.35-1.1.el6.x86_64.rpm
mariadb55-mariadb-libs-5.5.35-1.1.el6.x86_64.rpm
mariadb55-mariadb-server-5.5.35-1.1.el6.x86_64.rpm
mariadb55-mariadb-test-5.5.35-1.1.el6.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-3839.html
https://www.redhat.com/security/data/cve/CVE-2013-5807.html
https://www.redhat.com/security/data/cve/CVE-2013-5891.html
https://www.redhat.com/security/data/cve/CVE-2013-5908.html
https://www.redhat.com/security/data/cve/CVE-2014-0001.html
https://www.redhat.com/security/data/cve/CVE-2014-0386.html
https://www.redhat.com/security/data/cve/CVE-2014-0393.html
https://www.redhat.com/security/data/cve/CVE-2014-0401.html
https://www.redhat.com/security/data/cve/CVE-2014-0402.html
https://www.redhat.com/security/data/cve/CVE-2014-0412.html
https://www.redhat.com/security/data/cve/CVE-2014-0420.html
https://www.redhat.com/security/data/cve/CVE-2014-0437.html
https://access.redhat.com/security/updates/classification/#moderate
http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html#AppendixMSQL
http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html#AppendixMSQL
https://mariadb.com/kb/en/mariadb-5535-release-notes/

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFTBQNOXlSAg2UNWIIRApEHAJ9cQmR7g9Z/iNYX+3JNDU29yiy31QCfT6Ip
ubcMuVyN/BQPW0bwLFQafm4=
=NWh5
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Fri Feb 21 09:50:25 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Fri, 21 Feb 2014 09:50:25 +0000
Subject: [RHSA-2014:0196-01] Critical: flash-plugin security update
Message-ID: <201402210950.s1L9oKcO031849@int-mx11.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: flash-plugin security update
Advisory ID:       RHSA-2014:0196-01
Product:           Red Hat Enterprise Linux Supplementary
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0196.html
Issue date:        2014-02-21
CVE Names:         CVE-2014-0498 CVE-2014-0499 CVE-2014-0502
=====================================================================

1. Summary:

An updated Adobe Flash Player package that fixes three security issues is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.

The Red Hat Security Response Team has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64

3. Description:

The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in.

This update fixes multiple vulnerabilities in Adobe Flash Player.
These vulnerabilities are detailed in the Adobe Security bulletin APSB14-07, listed in the References section.

Specially-crafted SWF content could cause flash-plugin to crash or, potentially, execute arbitrary code when a victim loads a page containing the malicious SWF content. (CVE-2014-0498, CVE-2014-0499, CVE-2014-0502)

All users of Adobe Flash Player should install this updated package, which upgrades Flash Player to version 11.2.202.341.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1067656 - CVE-2014-0498 CVE-2014-0499 CVE-2014-0502 flash-plugin: multiple flaws lead to arbitrary code execution (APSB14-07)

6. Package List:

Red Hat Enterprise Linux Desktop Supplementary (v. 5):

i386:
flash-plugin-11.2.202.341-1.el5.i386.rpm

x86_64:
flash-plugin-11.2.202.341-1.el5.i386.rpm

Red Hat Enterprise Linux Server Supplementary (v. 5):

i386:
flash-plugin-11.2.202.341-1.el5.i386.rpm

x86_64:
flash-plugin-11.2.202.341-1.el5.i386.rpm

Red Hat Enterprise Linux Desktop Supplementary (v. 6):

i386:
flash-plugin-11.2.202.341-1.el6.i686.rpm

x86_64:
flash-plugin-11.2.202.341-1.el6.i686.rpm

Red Hat Enterprise Linux Server Supplementary (v. 6):

i386:
flash-plugin-11.2.202.341-1.el6.i686.rpm

x86_64:
flash-plugin-11.2.202.341-1.el6.i686.rpm

Red Hat Enterprise Linux Workstation Supplementary (v. 6):

i386:
flash-plugin-11.2.202.341-1.el6.i686.rpm

x86_64:
flash-plugin-11.2.202.341-1.el6.i686.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2014-0498.html
https://www.redhat.com/security/data/cve/CVE-2014-0499.html
https://www.redhat.com/security/data/cve/CVE-2014-0502.html
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb14-07.html

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFTByEnXlSAg2UNWIIRAi1rAKCBxwErUI32sTpMx0NosGcAjO+YSQCfZzHe
MX7b/r4AbJFfCjm9BexmJdw=
=X9yY
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Mon Feb 24 20:37:08 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 24 Feb 2014 20:37:08 +0000
Subject: [RHSA-2014:0206-01] Moderate: openldap security update
Message-ID: <201402242037.s1OKb7P9021466@int-mx01.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: openldap security update
Advisory ID:       RHSA-2014:0206-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0206.html
Issue date:        2014-02-24
CVE Names:         CVE-2013-4449
=====================================================================

1. Summary:

Updated openldap packages that fix one security issue are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64

3. Description:

OpenLDAP is an open source suite of Lightweight Directory Access Protocol (LDAP) applications and development tools. LDAP is a set of protocols used to access and maintain distributed directory information services over an IP network. The openldap package contains configuration files, libraries, and documentation for OpenLDAP.

A denial of service flaw was found in the way the OpenLDAP server daemon (slapd) performed reference counting when using the rwm (rewrite/remap) overlay. A remote attacker able to query the OpenLDAP server could use this flaw to crash the server by immediately unbinding from the server after sending a search request. (CVE-2013-4449)

Red Hat would like to thank Michael Vishchers from Seven Principles AG for reporting this issue.

All openldap users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1019490 - CVE-2013-4449 openldap: segfault on certain queries with rwm overlay

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/openldap-2.3.43-27.el5_10.src.rpm

i386:
compat-openldap-2.3.43_2.2.29-27.el5_10.i386.rpm
openldap-2.3.43-27.el5_10.i386.rpm
openldap-clients-2.3.43-27.el5_10.i386.rpm
openldap-debuginfo-2.3.43-27.el5_10.i386.rpm

x86_64:
compat-openldap-2.3.43_2.2.29-27.el5_10.i386.rpm
compat-openldap-2.3.43_2.2.29-27.el5_10.x86_64.rpm
openldap-2.3.43-27.el5_10.i386.rpm
openldap-2.3.43-27.el5_10.x86_64.rpm
openldap-clients-2.3.43-27.el5_10.x86_64.rpm
openldap-debuginfo-2.3.43-27.el5_10.i386.rpm
openldap-debuginfo-2.3.43-27.el5_10.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/openldap-2.3.43-27.el5_10.src.rpm

i386:
openldap-debuginfo-2.3.43-27.el5_10.i386.rpm
openldap-devel-2.3.43-27.el5_10.i386.rpm
openldap-servers-2.3.43-27.el5_10.i386.rpm
openldap-servers-overlays-2.3.43-27.el5_10.i386.rpm
openldap-servers-sql-2.3.43-27.el5_10.i386.rpm

x86_64:
openldap-debuginfo-2.3.43-27.el5_10.i386.rpm
openldap-debuginfo-2.3.43-27.el5_10.x86_64.rpm
openldap-devel-2.3.43-27.el5_10.i386.rpm
openldap-devel-2.3.43-27.el5_10.x86_64.rpm
openldap-servers-2.3.43-27.el5_10.x86_64.rpm
openldap-servers-overlays-2.3.43-27.el5_10.x86_64.rpm
openldap-servers-sql-2.3.43-27.el5_10.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/openldap-2.3.43-27.el5_10.src.rpm

i386:
compat-openldap-2.3.43_2.2.29-27.el5_10.i386.rpm
openldap-2.3.43-27.el5_10.i386.rpm
openldap-clients-2.3.43-27.el5_10.i386.rpm
openldap-debuginfo-2.3.43-27.el5_10.i386.rpm
openldap-devel-2.3.43-27.el5_10.i386.rpm
openldap-servers-2.3.43-27.el5_10.i386.rpm
openldap-servers-overlays-2.3.43-27.el5_10.i386.rpm
openldap-servers-sql-2.3.43-27.el5_10.i386.rpm

ia64:
compat-openldap-2.3.43_2.2.29-27.el5_10.i386.rpm
compat-openldap-2.3.43_2.2.29-27.el5_10.ia64.rpm
openldap-2.3.43-27.el5_10.i386.rpm
openldap-2.3.43-27.el5_10.ia64.rpm
openldap-clients-2.3.43-27.el5_10.ia64.rpm
openldap-debuginfo-2.3.43-27.el5_10.i386.rpm
openldap-debuginfo-2.3.43-27.el5_10.ia64.rpm
openldap-devel-2.3.43-27.el5_10.ia64.rpm
openldap-servers-2.3.43-27.el5_10.ia64.rpm
openldap-servers-overlays-2.3.43-27.el5_10.ia64.rpm
openldap-servers-sql-2.3.43-27.el5_10.ia64.rpm

ppc:
compat-openldap-2.3.43_2.2.29-27.el5_10.ppc.rpm
compat-openldap-2.3.43_2.2.29-27.el5_10.ppc64.rpm
openldap-2.3.43-27.el5_10.ppc.rpm
openldap-2.3.43-27.el5_10.ppc64.rpm
openldap-clients-2.3.43-27.el5_10.ppc.rpm
openldap-debuginfo-2.3.43-27.el5_10.ppc.rpm
openldap-debuginfo-2.3.43-27.el5_10.ppc64.rpm
openldap-devel-2.3.43-27.el5_10.ppc.rpm
openldap-devel-2.3.43-27.el5_10.ppc64.rpm
openldap-servers-2.3.43-27.el5_10.ppc.rpm
openldap-servers-overlays-2.3.43-27.el5_10.ppc.rpm
openldap-servers-sql-2.3.43-27.el5_10.ppc.rpm

s390x:
compat-openldap-2.3.43_2.2.29-27.el5_10.s390.rpm
compat-openldap-2.3.43_2.2.29-27.el5_10.s390x.rpm
openldap-2.3.43-27.el5_10.s390.rpm
openldap-2.3.43-27.el5_10.s390x.rpm
openldap-clients-2.3.43-27.el5_10.s390x.rpm
openldap-debuginfo-2.3.43-27.el5_10.s390.rpm
openldap-debuginfo-2.3.43-27.el5_10.s390x.rpm
openldap-devel-2.3.43-27.el5_10.s390.rpm
openldap-devel-2.3.43-27.el5_10.s390x.rpm
openldap-servers-2.3.43-27.el5_10.s390x.rpm
openldap-servers-overlays-2.3.43-27.el5_10.s390x.rpm
openldap-servers-sql-2.3.43-27.el5_10.s390x.rpm

x86_64:
compat-openldap-2.3.43_2.2.29-27.el5_10.i386.rpm
compat-openldap-2.3.43_2.2.29-27.el5_10.x86_64.rpm
openldap-2.3.43-27.el5_10.i386.rpm
openldap-2.3.43-27.el5_10.x86_64.rpm
openldap-clients-2.3.43-27.el5_10.x86_64.rpm
openldap-debuginfo-2.3.43-27.el5_10.i386.rpm
openldap-debuginfo-2.3.43-27.el5_10.x86_64.rpm
openldap-devel-2.3.43-27.el5_10.i386.rpm
openldap-devel-2.3.43-27.el5_10.x86_64.rpm
openldap-servers-2.3.43-27.el5_10.x86_64.rpm
openldap-servers-overlays-2.3.43-27.el5_10.x86_64.rpm
openldap-servers-sql-2.3.43-27.el5_10.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-4449.html
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFTC61LXlSAg2UNWIIRAvGMAKClCf/4o8bG6hMFheLHl2ILSlrZGgCfUHX4
vmUDf9PvZMJhQ5Mf8UEw9nI=
=D8pm
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Mon Feb 24 20:37:49 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 24 Feb 2014 20:37:49 +0000
Subject: [RHSA-2014:0207-01] Moderate: rubygems security update
Message-ID: <201402242037.s1OKblK5013809@int-mx12.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: rubygems security update
Advisory ID:       RHSA-2014:0207-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0207.html
Issue date:        2014-02-24
CVE Names:         CVE-2013-4287
=====================================================================

1. Summary:

An updated rubygems package that fixes one security issue is now available for Red Hat OpenShift Enterprise 2.0.2.

The Red Hat Security Response Team has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

RHOSE Client 2.0 - noarch
RHOSE Infrastructure 2.0 - noarch
RHOSE Node 2.0 - noarch

3. Description:

RubyGems is the Ruby standard for publishing and managing third-party libraries.

It was discovered that the rubygems API validated version strings using an unsafe regular expression. An application making use of this API to process a version string from an untrusted source could be vulnerable to a denial of service attack through CPU exhaustion. (CVE-2013-4287)

Red Hat would like to thank Rubygems upstream for reporting this issue. Upstream acknowledges Damir Sharipov as the original reporter.

All users of Red Hat OpenShift Enterprise 2.0.2 are advised to upgrade to this updated package, which contains a backported patch to correct this issue.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1002364 - CVE-2013-4287 rubygems: version regex algorithmic complexity vulnerability

6. Package List:

RHOSE Client 2.0:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHOSE/SRPMS/rubygems-1.8.24-5.el6op.src.rpm

noarch:
rubygems-1.8.24-5.el6op.noarch.rpm
rubygems-devel-1.8.24-5.el6op.noarch.rpm

RHOSE Infrastructure 2.0:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHOSE/SRPMS/rubygems-1.8.24-5.el6op.src.rpm

noarch:
rubygems-1.8.24-5.el6op.noarch.rpm
rubygems-devel-1.8.24-5.el6op.noarch.rpm

RHOSE Node 2.0:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHOSE/SRPMS/rubygems-1.8.24-5.el6op.src.rpm

noarch:
rubygems-1.8.24-5.el6op.noarch.rpm
rubygems-devel-1.8.24-5.el6op.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-4287.html
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFTC61+XlSAg2UNWIIRAmYpAJ9x0kNuOFJwSnhO2ol5jYybaqLTYQCeK7vZ
h/113nkMNNOmO9ZoEsAiK7c=
=Px43
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Tue Feb 25 16:44:18 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 25 Feb 2014 16:44:18 +0000
Subject: [RHSA-2014:0211-01] Important: postgresql84 and postgresql security update
Message-ID: <201402251644.s1PGiItX023777@int-mx01.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: postgresql84 and postgresql security update
Advisory ID:       RHSA-2014:0211-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0211.html
Issue date:        2014-02-25
CVE Names:         CVE-2014-0060 CVE-2014-0061 CVE-2014-0062 CVE-2014-0063
                   CVE-2014-0064 CVE-2014-0065 CVE-2014-0066
=====================================================================

1. Summary:

Updated postgresql84 and postgresql packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5 and 6 respectively.

The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64

3. Description:

PostgreSQL is an advanced object-relational database management system (DBMS).

Multiple stack-based buffer overflow flaws were found in the date/time implementation of PostgreSQL. An authenticated database user could provide a specially crafted date/time value that, when processed, could cause PostgreSQL to crash or, potentially, execute arbitrary code with the permissions of the user running PostgreSQL. (CVE-2014-0063)

Multiple integer overflow flaws, leading to heap-based buffer overflows, were found in various type input functions in PostgreSQL. An authenticated database user could possibly use these flaws to crash PostgreSQL or, potentially, execute arbitrary code with the permissions of the user running PostgreSQL. (CVE-2014-0064)

Multiple potential buffer overflow flaws were found in PostgreSQL. An authenticated database user could possibly use these flaws to crash PostgreSQL or, potentially, execute arbitrary code with the permissions of the user running PostgreSQL. (CVE-2014-0065)

It was found that granting an SQL role to a database user in a PostgreSQL database without specifying the "ADMIN" option allowed the grantee to remove other users from their granted role. An authenticated database user could use this flaw to remove a user from an SQL role which they were granted access to. (CVE-2014-0060)

A flaw was found in the validator functions provided by PostgreSQL's procedural languages (PLs). An authenticated database user could possibly use this flaw to escalate their privileges. (CVE-2014-0061)

A race condition was found in the way the CREATE INDEX command performed multiple independent lookups of a table that had to be indexed. An authenticated database user could possibly use this flaw to escalate their privileges. (CVE-2014-0062)

It was found that the chkpass extension of PostgreSQL did not check the return value of the crypt() function. An authenticated database user could possibly use this flaw to crash PostgreSQL via a null pointer dereference. (CVE-2014-0066)

Red Hat would like to thank the PostgreSQL project for reporting these issues. Upstream acknowledges Noah Misch as the original reporter of CVE-2014-0060 and CVE-2014-0063, Heikki Linnakangas and Noah Misch as the original reporters of CVE-2014-0064, Peter Eisentraut and Jozef Mlich as the original reporters of CVE-2014-0065, Andres Freund as the original reporter of CVE-2014-0061, Robert Haas and Andres Freund as the original reporters of CVE-2014-0062, and Honza Horak and Bruce Momjian as the original reporters of CVE-2014-0066.

These updated packages upgrade PostgreSQL to version 8.4.20, which fixes these issues as well as several non-security issues. Refer to the PostgreSQL Release Notes for a full list of changes:

http://www.postgresql.org/docs/8.4/static/release-8-4-19.html
http://www.postgresql.org/docs/8.4/static/release-8-4-20.html

All PostgreSQL users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. If the postgresql service is running, it will be automatically restarted after installing this update.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

5.
Bugs fixed (https://bugzilla.redhat.com/): 1065219 - CVE-2014-0060 postgresql: SET ROLE without ADMIN OPTION allows adding and removing group members 1065220 - CVE-2014-0061 postgresql: privilege escalation via procedural language validator functions 1065222 - CVE-2014-0062 postgresql: CREATE INDEX race condition possibly leading to privilege escalation 1065226 - CVE-2014-0063 postgresql: stack-based buffer overflow in datetime input/output 1065230 - CVE-2014-0064 postgresql: integer overflows leading to buffer overflows 1065235 - CVE-2014-0065 postgresql: possible buffer overflow flaws 1065236 - CVE-2014-0066 postgresql: NULL pointer dereference 6. Package List: Red Hat Enterprise Linux Desktop (v. 5 client): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/postgresql84-8.4.20-1.el5_10.src.rpm i386: postgresql84-8.4.20-1.el5_10.i386.rpm postgresql84-contrib-8.4.20-1.el5_10.i386.rpm postgresql84-debuginfo-8.4.20-1.el5_10.i386.rpm postgresql84-docs-8.4.20-1.el5_10.i386.rpm postgresql84-libs-8.4.20-1.el5_10.i386.rpm postgresql84-python-8.4.20-1.el5_10.i386.rpm postgresql84-tcl-8.4.20-1.el5_10.i386.rpm x86_64: postgresql84-8.4.20-1.el5_10.x86_64.rpm postgresql84-contrib-8.4.20-1.el5_10.x86_64.rpm postgresql84-debuginfo-8.4.20-1.el5_10.i386.rpm postgresql84-debuginfo-8.4.20-1.el5_10.x86_64.rpm postgresql84-docs-8.4.20-1.el5_10.x86_64.rpm postgresql84-libs-8.4.20-1.el5_10.i386.rpm postgresql84-libs-8.4.20-1.el5_10.x86_64.rpm postgresql84-python-8.4.20-1.el5_10.x86_64.rpm postgresql84-tcl-8.4.20-1.el5_10.x86_64.rpm RHEL Desktop Workstation (v. 
5 client): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/postgresql84-8.4.20-1.el5_10.src.rpm i386: postgresql84-debuginfo-8.4.20-1.el5_10.i386.rpm postgresql84-devel-8.4.20-1.el5_10.i386.rpm postgresql84-plperl-8.4.20-1.el5_10.i386.rpm postgresql84-plpython-8.4.20-1.el5_10.i386.rpm postgresql84-pltcl-8.4.20-1.el5_10.i386.rpm postgresql84-server-8.4.20-1.el5_10.i386.rpm postgresql84-test-8.4.20-1.el5_10.i386.rpm x86_64: postgresql84-debuginfo-8.4.20-1.el5_10.i386.rpm postgresql84-debuginfo-8.4.20-1.el5_10.x86_64.rpm postgresql84-devel-8.4.20-1.el5_10.i386.rpm postgresql84-devel-8.4.20-1.el5_10.x86_64.rpm postgresql84-plperl-8.4.20-1.el5_10.x86_64.rpm postgresql84-plpython-8.4.20-1.el5_10.x86_64.rpm postgresql84-pltcl-8.4.20-1.el5_10.x86_64.rpm postgresql84-server-8.4.20-1.el5_10.x86_64.rpm postgresql84-test-8.4.20-1.el5_10.x86_64.rpm Red Hat Enterprise Linux (v. 5 server): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/postgresql84-8.4.20-1.el5_10.src.rpm i386: postgresql84-8.4.20-1.el5_10.i386.rpm postgresql84-contrib-8.4.20-1.el5_10.i386.rpm postgresql84-debuginfo-8.4.20-1.el5_10.i386.rpm postgresql84-devel-8.4.20-1.el5_10.i386.rpm postgresql84-docs-8.4.20-1.el5_10.i386.rpm postgresql84-libs-8.4.20-1.el5_10.i386.rpm postgresql84-plperl-8.4.20-1.el5_10.i386.rpm postgresql84-plpython-8.4.20-1.el5_10.i386.rpm postgresql84-pltcl-8.4.20-1.el5_10.i386.rpm postgresql84-python-8.4.20-1.el5_10.i386.rpm postgresql84-server-8.4.20-1.el5_10.i386.rpm postgresql84-tcl-8.4.20-1.el5_10.i386.rpm postgresql84-test-8.4.20-1.el5_10.i386.rpm ia64: postgresql84-8.4.20-1.el5_10.ia64.rpm postgresql84-contrib-8.4.20-1.el5_10.ia64.rpm postgresql84-debuginfo-8.4.20-1.el5_10.ia64.rpm postgresql84-devel-8.4.20-1.el5_10.ia64.rpm postgresql84-docs-8.4.20-1.el5_10.ia64.rpm postgresql84-libs-8.4.20-1.el5_10.ia64.rpm postgresql84-plperl-8.4.20-1.el5_10.ia64.rpm postgresql84-plpython-8.4.20-1.el5_10.ia64.rpm 
postgresql84-pltcl-8.4.20-1.el5_10.ia64.rpm postgresql84-python-8.4.20-1.el5_10.ia64.rpm postgresql84-server-8.4.20-1.el5_10.ia64.rpm postgresql84-tcl-8.4.20-1.el5_10.ia64.rpm postgresql84-test-8.4.20-1.el5_10.ia64.rpm ppc: postgresql84-8.4.20-1.el5_10.ppc.rpm postgresql84-8.4.20-1.el5_10.ppc64.rpm postgresql84-contrib-8.4.20-1.el5_10.ppc.rpm postgresql84-debuginfo-8.4.20-1.el5_10.ppc.rpm postgresql84-debuginfo-8.4.20-1.el5_10.ppc64.rpm postgresql84-devel-8.4.20-1.el5_10.ppc.rpm postgresql84-devel-8.4.20-1.el5_10.ppc64.rpm postgresql84-docs-8.4.20-1.el5_10.ppc.rpm postgresql84-libs-8.4.20-1.el5_10.ppc.rpm postgresql84-libs-8.4.20-1.el5_10.ppc64.rpm postgresql84-plperl-8.4.20-1.el5_10.ppc.rpm postgresql84-plpython-8.4.20-1.el5_10.ppc.rpm postgresql84-pltcl-8.4.20-1.el5_10.ppc.rpm postgresql84-python-8.4.20-1.el5_10.ppc.rpm postgresql84-server-8.4.20-1.el5_10.ppc.rpm postgresql84-tcl-8.4.20-1.el5_10.ppc.rpm postgresql84-test-8.4.20-1.el5_10.ppc.rpm s390x: postgresql84-8.4.20-1.el5_10.s390x.rpm postgresql84-contrib-8.4.20-1.el5_10.s390x.rpm postgresql84-debuginfo-8.4.20-1.el5_10.s390.rpm postgresql84-debuginfo-8.4.20-1.el5_10.s390x.rpm postgresql84-devel-8.4.20-1.el5_10.s390.rpm postgresql84-devel-8.4.20-1.el5_10.s390x.rpm postgresql84-docs-8.4.20-1.el5_10.s390x.rpm postgresql84-libs-8.4.20-1.el5_10.s390.rpm postgresql84-libs-8.4.20-1.el5_10.s390x.rpm postgresql84-plperl-8.4.20-1.el5_10.s390x.rpm postgresql84-plpython-8.4.20-1.el5_10.s390x.rpm postgresql84-pltcl-8.4.20-1.el5_10.s390x.rpm postgresql84-python-8.4.20-1.el5_10.s390x.rpm postgresql84-server-8.4.20-1.el5_10.s390x.rpm postgresql84-tcl-8.4.20-1.el5_10.s390x.rpm postgresql84-test-8.4.20-1.el5_10.s390x.rpm x86_64: postgresql84-8.4.20-1.el5_10.x86_64.rpm postgresql84-contrib-8.4.20-1.el5_10.x86_64.rpm postgresql84-debuginfo-8.4.20-1.el5_10.i386.rpm postgresql84-debuginfo-8.4.20-1.el5_10.x86_64.rpm postgresql84-devel-8.4.20-1.el5_10.i386.rpm postgresql84-devel-8.4.20-1.el5_10.x86_64.rpm 
postgresql84-docs-8.4.20-1.el5_10.x86_64.rpm postgresql84-libs-8.4.20-1.el5_10.i386.rpm postgresql84-libs-8.4.20-1.el5_10.x86_64.rpm postgresql84-plperl-8.4.20-1.el5_10.x86_64.rpm postgresql84-plpython-8.4.20-1.el5_10.x86_64.rpm postgresql84-pltcl-8.4.20-1.el5_10.x86_64.rpm postgresql84-python-8.4.20-1.el5_10.x86_64.rpm postgresql84-server-8.4.20-1.el5_10.x86_64.rpm postgresql84-tcl-8.4.20-1.el5_10.x86_64.rpm postgresql84-test-8.4.20-1.el5_10.x86_64.rpm Red Hat Enterprise Linux Desktop (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/postgresql-8.4.20-1.el6_5.src.rpm i386: postgresql-debuginfo-8.4.20-1.el6_5.i686.rpm postgresql-libs-8.4.20-1.el6_5.i686.rpm x86_64: postgresql-debuginfo-8.4.20-1.el6_5.i686.rpm postgresql-debuginfo-8.4.20-1.el6_5.x86_64.rpm postgresql-libs-8.4.20-1.el6_5.i686.rpm postgresql-libs-8.4.20-1.el6_5.x86_64.rpm Red Hat Enterprise Linux Desktop Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/postgresql-8.4.20-1.el6_5.src.rpm i386: postgresql-8.4.20-1.el6_5.i686.rpm postgresql-contrib-8.4.20-1.el6_5.i686.rpm postgresql-debuginfo-8.4.20-1.el6_5.i686.rpm postgresql-devel-8.4.20-1.el6_5.i686.rpm postgresql-docs-8.4.20-1.el6_5.i686.rpm postgresql-plperl-8.4.20-1.el6_5.i686.rpm postgresql-plpython-8.4.20-1.el6_5.i686.rpm postgresql-pltcl-8.4.20-1.el6_5.i686.rpm postgresql-server-8.4.20-1.el6_5.i686.rpm postgresql-test-8.4.20-1.el6_5.i686.rpm x86_64: postgresql-8.4.20-1.el6_5.i686.rpm postgresql-8.4.20-1.el6_5.x86_64.rpm postgresql-contrib-8.4.20-1.el6_5.x86_64.rpm postgresql-debuginfo-8.4.20-1.el6_5.i686.rpm postgresql-debuginfo-8.4.20-1.el6_5.x86_64.rpm postgresql-devel-8.4.20-1.el6_5.i686.rpm postgresql-devel-8.4.20-1.el6_5.x86_64.rpm postgresql-docs-8.4.20-1.el6_5.x86_64.rpm postgresql-plperl-8.4.20-1.el6_5.x86_64.rpm postgresql-plpython-8.4.20-1.el6_5.x86_64.rpm postgresql-pltcl-8.4.20-1.el6_5.x86_64.rpm postgresql-server-8.4.20-1.el6_5.x86_64.rpm 
postgresql-test-8.4.20-1.el6_5.x86_64.rpm

Red Hat Enterprise Linux HPC Node (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/postgresql-8.4.20-1.el6_5.src.rpm

x86_64:
postgresql-8.4.20-1.el6_5.i686.rpm
postgresql-8.4.20-1.el6_5.x86_64.rpm
postgresql-debuginfo-8.4.20-1.el6_5.i686.rpm
postgresql-debuginfo-8.4.20-1.el6_5.x86_64.rpm
postgresql-libs-8.4.20-1.el6_5.i686.rpm
postgresql-libs-8.4.20-1.el6_5.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/postgresql-8.4.20-1.el6_5.src.rpm

x86_64:
postgresql-contrib-8.4.20-1.el6_5.x86_64.rpm
postgresql-debuginfo-8.4.20-1.el6_5.i686.rpm
postgresql-debuginfo-8.4.20-1.el6_5.x86_64.rpm
postgresql-devel-8.4.20-1.el6_5.i686.rpm
postgresql-devel-8.4.20-1.el6_5.x86_64.rpm
postgresql-docs-8.4.20-1.el6_5.x86_64.rpm
postgresql-plperl-8.4.20-1.el6_5.x86_64.rpm
postgresql-plpython-8.4.20-1.el6_5.x86_64.rpm
postgresql-pltcl-8.4.20-1.el6_5.x86_64.rpm
postgresql-server-8.4.20-1.el6_5.x86_64.rpm
postgresql-test-8.4.20-1.el6_5.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/postgresql-8.4.20-1.el6_5.src.rpm

i386:
postgresql-8.4.20-1.el6_5.i686.rpm
postgresql-contrib-8.4.20-1.el6_5.i686.rpm
postgresql-debuginfo-8.4.20-1.el6_5.i686.rpm
postgresql-devel-8.4.20-1.el6_5.i686.rpm
postgresql-docs-8.4.20-1.el6_5.i686.rpm
postgresql-libs-8.4.20-1.el6_5.i686.rpm
postgresql-plperl-8.4.20-1.el6_5.i686.rpm
postgresql-plpython-8.4.20-1.el6_5.i686.rpm
postgresql-pltcl-8.4.20-1.el6_5.i686.rpm
postgresql-server-8.4.20-1.el6_5.i686.rpm
postgresql-test-8.4.20-1.el6_5.i686.rpm

ppc64:
postgresql-8.4.20-1.el6_5.ppc.rpm
postgresql-8.4.20-1.el6_5.ppc64.rpm
postgresql-contrib-8.4.20-1.el6_5.ppc64.rpm
postgresql-debuginfo-8.4.20-1.el6_5.ppc.rpm
postgresql-debuginfo-8.4.20-1.el6_5.ppc64.rpm
postgresql-devel-8.4.20-1.el6_5.ppc.rpm
postgresql-devel-8.4.20-1.el6_5.ppc64.rpm
postgresql-docs-8.4.20-1.el6_5.ppc64.rpm
postgresql-libs-8.4.20-1.el6_5.ppc.rpm
postgresql-libs-8.4.20-1.el6_5.ppc64.rpm
postgresql-plperl-8.4.20-1.el6_5.ppc64.rpm
postgresql-plpython-8.4.20-1.el6_5.ppc64.rpm
postgresql-pltcl-8.4.20-1.el6_5.ppc64.rpm
postgresql-server-8.4.20-1.el6_5.ppc64.rpm
postgresql-test-8.4.20-1.el6_5.ppc64.rpm

s390x:
postgresql-8.4.20-1.el6_5.s390.rpm
postgresql-8.4.20-1.el6_5.s390x.rpm
postgresql-contrib-8.4.20-1.el6_5.s390x.rpm
postgresql-debuginfo-8.4.20-1.el6_5.s390.rpm
postgresql-debuginfo-8.4.20-1.el6_5.s390x.rpm
postgresql-devel-8.4.20-1.el6_5.s390.rpm
postgresql-devel-8.4.20-1.el6_5.s390x.rpm
postgresql-docs-8.4.20-1.el6_5.s390x.rpm
postgresql-libs-8.4.20-1.el6_5.s390.rpm
postgresql-libs-8.4.20-1.el6_5.s390x.rpm
postgresql-plperl-8.4.20-1.el6_5.s390x.rpm
postgresql-plpython-8.4.20-1.el6_5.s390x.rpm
postgresql-pltcl-8.4.20-1.el6_5.s390x.rpm
postgresql-server-8.4.20-1.el6_5.s390x.rpm
postgresql-test-8.4.20-1.el6_5.s390x.rpm

x86_64:
postgresql-8.4.20-1.el6_5.i686.rpm
postgresql-8.4.20-1.el6_5.x86_64.rpm
postgresql-contrib-8.4.20-1.el6_5.x86_64.rpm
postgresql-debuginfo-8.4.20-1.el6_5.i686.rpm
postgresql-debuginfo-8.4.20-1.el6_5.x86_64.rpm
postgresql-devel-8.4.20-1.el6_5.i686.rpm
postgresql-devel-8.4.20-1.el6_5.x86_64.rpm
postgresql-docs-8.4.20-1.el6_5.x86_64.rpm
postgresql-libs-8.4.20-1.el6_5.i686.rpm
postgresql-libs-8.4.20-1.el6_5.x86_64.rpm
postgresql-plperl-8.4.20-1.el6_5.x86_64.rpm
postgresql-plpython-8.4.20-1.el6_5.x86_64.rpm
postgresql-pltcl-8.4.20-1.el6_5.x86_64.rpm
postgresql-server-8.4.20-1.el6_5.x86_64.rpm
postgresql-test-8.4.20-1.el6_5.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/postgresql-8.4.20-1.el6_5.src.rpm

i386:
postgresql-8.4.20-1.el6_5.i686.rpm
postgresql-contrib-8.4.20-1.el6_5.i686.rpm
postgresql-debuginfo-8.4.20-1.el6_5.i686.rpm
postgresql-devel-8.4.20-1.el6_5.i686.rpm
postgresql-docs-8.4.20-1.el6_5.i686.rpm
postgresql-libs-8.4.20-1.el6_5.i686.rpm
postgresql-plperl-8.4.20-1.el6_5.i686.rpm
postgresql-plpython-8.4.20-1.el6_5.i686.rpm
postgresql-pltcl-8.4.20-1.el6_5.i686.rpm
postgresql-server-8.4.20-1.el6_5.i686.rpm
postgresql-test-8.4.20-1.el6_5.i686.rpm

x86_64:
postgresql-8.4.20-1.el6_5.i686.rpm
postgresql-8.4.20-1.el6_5.x86_64.rpm
postgresql-contrib-8.4.20-1.el6_5.x86_64.rpm
postgresql-debuginfo-8.4.20-1.el6_5.i686.rpm
postgresql-debuginfo-8.4.20-1.el6_5.x86_64.rpm
postgresql-devel-8.4.20-1.el6_5.i686.rpm
postgresql-devel-8.4.20-1.el6_5.x86_64.rpm
postgresql-docs-8.4.20-1.el6_5.x86_64.rpm
postgresql-libs-8.4.20-1.el6_5.i686.rpm
postgresql-libs-8.4.20-1.el6_5.x86_64.rpm
postgresql-plperl-8.4.20-1.el6_5.x86_64.rpm
postgresql-plpython-8.4.20-1.el6_5.x86_64.rpm
postgresql-pltcl-8.4.20-1.el6_5.x86_64.rpm
postgresql-server-8.4.20-1.el6_5.x86_64.rpm
postgresql-test-8.4.20-1.el6_5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2014-0060.html
https://www.redhat.com/security/data/cve/CVE-2014-0061.html
https://www.redhat.com/security/data/cve/CVE-2014-0062.html
https://www.redhat.com/security/data/cve/CVE-2014-0063.html
https://www.redhat.com/security/data/cve/CVE-2014-0064.html
https://www.redhat.com/security/data/cve/CVE-2014-0065.html
https://www.redhat.com/security/data/cve/CVE-2014-0066.html
https://access.redhat.com/security/updates/classification/#important
http://www.postgresql.org/docs/8.4/static/release-8-4-19.html
http://www.postgresql.org/docs/8.4/static/release-8-4-20.html

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFTDMg+XlSAg2UNWIIRAlSvAJ9P4sARMig4TkGayGSS3Nl8CgxZ8gCfcfRC
KPGhDgsx0R8Puuwcq/FvBrg=
=YvQj
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Feb 27 18:40:48 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 27 Feb 2014 18:40:48 +0000
Subject: [RHSA-2014:0221-01] Important: postgresql92-postgresql security update
Message-ID: <201402271840.s1RIemno018517@int-mx10.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Important: postgresql92-postgresql security update
Advisory ID: RHSA-2014:0221-01
Product: Red Hat Software Collections
Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-0221.html
Issue date: 2014-02-27
CVE Names: CVE-2014-0060 CVE-2014-0061 CVE-2014-0062 CVE-2014-0063 CVE-2014-0064 CVE-2014-0065 CVE-2014-0066
=====================================================================

1. Summary:

Updated postgresql92-postgresql packages that fix multiple security issues are now available for Red Hat Software Collections 1.
The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Software Collections for RHEL 6 Server - x86_64
Red Hat Software Collections for RHEL 6 Workstation - x86_64

3. Description:

PostgreSQL is an advanced object-relational database management system (DBMS).

Multiple stack-based buffer overflow flaws were found in the date/time implementation of PostgreSQL. An authenticated database user could provide a specially crafted date/time value that, when processed, could cause PostgreSQL to crash or, potentially, execute arbitrary code with the permissions of the user running PostgreSQL. (CVE-2014-0063)

Multiple integer overflow flaws, leading to heap-based buffer overflows, were found in various type input functions in PostgreSQL. An authenticated database user could possibly use these flaws to crash PostgreSQL or, potentially, execute arbitrary code with the permissions of the user running PostgreSQL. (CVE-2014-0064)

Multiple potential buffer overflow flaws were found in PostgreSQL. An authenticated database user could possibly use these flaws to crash PostgreSQL or, potentially, execute arbitrary code with the permissions of the user running PostgreSQL. (CVE-2014-0065)

It was found that granting an SQL role to a database user in a PostgreSQL database without specifying the "ADMIN" option allowed the grantee to remove other users from their granted role. An authenticated database user could use this flaw to remove a user from an SQL role which they were granted access to. (CVE-2014-0060)

A flaw was found in the validator functions provided by PostgreSQL's procedural languages (PLs). An authenticated database user could possibly use this flaw to escalate their privileges. (CVE-2014-0061)

A race condition was found in the way the CREATE INDEX command performed multiple independent lookups of a table that had to be indexed. An authenticated database user could possibly use this flaw to escalate their privileges. (CVE-2014-0062)

It was found that the chkpass extension of PostgreSQL did not check the return value of the crypt() function. An authenticated database user could possibly use this flaw to crash PostgreSQL via a null pointer dereference. (CVE-2014-0066)

Red Hat would like to thank the PostgreSQL project for reporting these issues. Upstream acknowledges Noah Misch as the original reporter of CVE-2014-0060 and CVE-2014-0063, Heikki Linnakangas and Noah Misch as the original reporters of CVE-2014-0064, Peter Eisentraut and Jozef Mlich as the original reporters of CVE-2014-0065, Andres Freund as the original reporter of CVE-2014-0061, Robert Haas and Andres Freund as the original reporters of CVE-2014-0062, and Honza Horak and Bruce Momjian as the original reporters of CVE-2014-0066.

These updated packages upgrade PostgreSQL to version 9.2.7, which fixes these issues as well as several non-security issues. Refer to the PostgreSQL Release Notes for a full list of changes:

http://www.postgresql.org/docs/9.2/static/release-9-2-7.html

All PostgreSQL users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. If the postgresql service is running, it will be automatically restarted after installing this update.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1065219 - CVE-2014-0060 postgresql: SET ROLE without ADMIN OPTION allows adding and removing group members
1065220 - CVE-2014-0061 postgresql: privilege escalation via procedural language validator functions
1065222 - CVE-2014-0062 postgresql: CREATE INDEX race condition possibly leading to privilege escalation
1065226 - CVE-2014-0063 postgresql: stack-based buffer overflow in datetime input/output
1065230 - CVE-2014-0064 postgresql: integer overflows leading to buffer overflows
1065235 - CVE-2014-0065 postgresql: possible buffer overflow flaws
1065236 - CVE-2014-0066 postgresql: NULL pointer dereference

6. Package List:

Red Hat Software Collections for RHEL 6 Server:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHSCL/SRPMS/postgresql92-postgresql-9.2.7-1.1.el6.src.rpm

x86_64:
postgresql92-postgresql-9.2.7-1.1.el6.x86_64.rpm
postgresql92-postgresql-contrib-9.2.7-1.1.el6.x86_64.rpm
postgresql92-postgresql-debuginfo-9.2.7-1.1.el6.x86_64.rpm
postgresql92-postgresql-devel-9.2.7-1.1.el6.x86_64.rpm
postgresql92-postgresql-docs-9.2.7-1.1.el6.x86_64.rpm
postgresql92-postgresql-libs-9.2.7-1.1.el6.x86_64.rpm
postgresql92-postgresql-plperl-9.2.7-1.1.el6.x86_64.rpm
postgresql92-postgresql-plpython-9.2.7-1.1.el6.x86_64.rpm
postgresql92-postgresql-pltcl-9.2.7-1.1.el6.x86_64.rpm
postgresql92-postgresql-server-9.2.7-1.1.el6.x86_64.rpm
postgresql92-postgresql-test-9.2.7-1.1.el6.x86_64.rpm
postgresql92-postgresql-upgrade-9.2.7-1.1.el6.x86_64.rpm

Red Hat Software Collections for RHEL 6 Workstation:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/RHSCL/SRPMS/postgresql92-postgresql-9.2.7-1.1.el6.src.rpm

x86_64:
postgresql92-postgresql-9.2.7-1.1.el6.x86_64.rpm
postgresql92-postgresql-contrib-9.2.7-1.1.el6.x86_64.rpm
postgresql92-postgresql-debuginfo-9.2.7-1.1.el6.x86_64.rpm
postgresql92-postgresql-devel-9.2.7-1.1.el6.x86_64.rpm
postgresql92-postgresql-docs-9.2.7-1.1.el6.x86_64.rpm
postgresql92-postgresql-libs-9.2.7-1.1.el6.x86_64.rpm
postgresql92-postgresql-plperl-9.2.7-1.1.el6.x86_64.rpm
postgresql92-postgresql-plpython-9.2.7-1.1.el6.x86_64.rpm
postgresql92-postgresql-pltcl-9.2.7-1.1.el6.x86_64.rpm
postgresql92-postgresql-server-9.2.7-1.1.el6.x86_64.rpm
postgresql92-postgresql-test-9.2.7-1.1.el6.x86_64.rpm
postgresql92-postgresql-upgrade-9.2.7-1.1.el6.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2014-0060.html
https://www.redhat.com/security/data/cve/CVE-2014-0061.html
https://www.redhat.com/security/data/cve/CVE-2014-0062.html
https://www.redhat.com/security/data/cve/CVE-2014-0063.html
https://www.redhat.com/security/data/cve/CVE-2014-0064.html
https://www.redhat.com/security/data/cve/CVE-2014-0065.html
https://www.redhat.com/security/data/cve/CVE-2014-0066.html
https://access.redhat.com/security/updates/classification/#important
http://www.postgresql.org/docs/9.2/static/release-9-2-7.html

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
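A way to check a host against the package list above, added here as an example and not part of Red Hat's tooling: it parses the advisory's package file names, compares them with `rpm -qa` style inventory using a reimplementation of rpm's version comparison, and reports every installed package still below the fixed build. The advisory excerpt and the host inventory are constructed, and the code assumes packages without an epoch and versions without tilde or caret segments.

```python
"""Compare installed RPM NVRs with the package list of a Red Hat advisory.

Added example, not Red Hat tooling. rpmvercmp() reimplements rpm's
segment-wise label comparison; epochs and tilde/caret ordering are assumed
absent (true for the advisory above, which lists neither).
"""
import re
from typing import Dict, List, Tuple

_SEG = re.compile(r"[0-9]+|[A-Za-z]+")
_NVRA = re.compile(r"^(?P<name>.+)-(?P<ver>[^-]+)-(?P<rel>[^-]+)\.(?P<arch>[^.]+)$")

# Constructed excerpt of the RHSA-2014:0221 x86_64 package list.
ADVISORY_PACKAGES = """
postgresql92-postgresql-9.2.7-1.1.el6.x86_64.rpm
postgresql92-postgresql-libs-9.2.7-1.1.el6.x86_64.rpm
postgresql92-postgresql-server-9.2.7-1.1.el6.x86_64.rpm
"""

# Constructed `rpm -qa` output: two packages at an older (made-up) build,
# one already at the fixed build, one package the advisory does not cover.
INSTALLED = """
postgresql92-postgresql-9.2.6-1.el6.x86_64
postgresql92-postgresql-server-9.2.6-1.el6.x86_64
postgresql92-postgresql-libs-9.2.7-1.1.el6.x86_64
bash-4.1.2-15.el6_4.x86_64
"""


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 ordering two version (or release) strings as rpm
    does: split into numeric and alphabetic segments, compare numerics as
    integers and alphas lexically, and rank a numeric segment above an
    alphabetic one; separators such as '.' and '_' are ignored."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num != y_num:  # numeric segment is newer than an alpha one
            return 1 if x_num else -1
        if x_num:
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x != y:
            return 1 if x > y else -1
    # every shared segment matched: the string with segments left over is newer
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1


def parse_nvra(entry: str) -> Tuple[str, str, str, str]:
    """Split 'name-version-release.arch[.rpm]' into (name, version, release, arch)."""
    if entry.endswith(".rpm"):
        entry = entry[:-4]
    m = _NVRA.match(entry)
    if not m:
        raise ValueError(f"not an NVRA: {entry!r}")
    return m["name"], m["ver"], m["rel"], m["arch"]


def evr_cmp(v1: str, r1: str, v2: str, r2: str) -> int:
    """Order (version, release) pairs: version decides, release breaks ties."""
    c = rpmvercmp(v1, v2)
    return c if c != 0 else rpmvercmp(r1, r2)


def outdated_packages(advisory_text: str, rpm_qa_text: str) -> List[str]:
    """Return installed NVRAs whose (name, arch) the advisory covers and whose
    version-release is older than the advisory's fixed build."""
    fixed: Dict[Tuple[str, str], Tuple[str, str]] = {}
    for token in advisory_text.split():
        if token.endswith(".rpm"):
            name, ver, rel, arch = parse_nvra(token)
            fixed[(name, arch)] = (ver, rel)
    outdated = []
    for entry in rpm_qa_text.split():
        name, ver, rel, arch = parse_nvra(entry)
        if (name, arch) in fixed and evr_cmp(ver, rel, *fixed[(name, arch)]) < 0:
            outdated.append(entry)
    return outdated


if __name__ == "__main__":
    for pkg in outdated_packages(ADVISORY_PACKAGES, INSTALLED):
        print("needs update:", pkg)
```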
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFTD4ZxXlSAg2UNWIIRAkEEAJ9OKS1eN4m0WhJ9RBBex1z7T8+n+wCdES6T
IDk5rc7t10YA7OZdi5emLwU=
=LhYt
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Feb 27 18:41:46 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 27 Feb 2014 18:41:46 +0000
Subject: [RHSA-2014:0222-01] Moderate: libtiff security update
Message-ID: <201402271841.s1RIfkpl014223@int-mx12.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: libtiff security update
Advisory ID: RHSA-2014:0222-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-0222.html
Issue date: 2014-02-27
CVE Names: CVE-2010-2596 CVE-2013-1960 CVE-2013-1961 CVE-2013-4231 CVE-2013-4232 CVE-2013-4243 CVE-2013-4244
=====================================================================

1. Summary:

Updated libtiff packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64

3. Description:

The libtiff packages contain a library of functions for manipulating Tagged Image File Format (TIFF) files.

A heap-based buffer overflow and a use-after-free flaw were found in the tiff2pdf tool. An attacker could use these flaws to create a specially crafted TIFF file that would cause tiff2pdf to crash or, possibly, execute arbitrary code. (CVE-2013-1960, CVE-2013-4232)

Multiple buffer overflow flaws were found in the gif2tiff tool. An attacker could use these flaws to create a specially crafted GIF file that could cause gif2tiff to crash or, possibly, execute arbitrary code. (CVE-2013-4231, CVE-2013-4243, CVE-2013-4244)

A flaw was found in the way libtiff handled OJPEG-encoded TIFF images. An attacker could use this flaw to create a specially crafted TIFF file that would cause an application using libtiff to crash. (CVE-2010-2596)

Multiple buffer overflow flaws were found in the tiff2pdf tool. An attacker could use these flaws to create a specially crafted TIFF file that would cause tiff2pdf to crash. (CVE-2013-1961)

Red Hat would like to thank Emmanuel Bouillon of NCI Agency for reporting CVE-2013-1960 and CVE-2013-1961. The CVE-2013-4243 issue was discovered by Murray McAllister of the Red Hat Security Response Team, and the CVE-2013-4244 issue was discovered by Huzaifa Sidhpurwala of the Red Hat Security Response Team.

All libtiff users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. All running applications linked against libtiff must be restarted for this update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

610759 - CVE-2010-2596 libtiff: assertion failure on downsampled OJPEG file
952131 - CVE-2013-1961 libtiff (tiff2pdf): Stack-based buffer overflow with malformed image-length and resolution
952158 - CVE-2013-1960 libtiff (tiff2pdf): Heap-based buffer overflow in t2_process_jpeg_strip()
995965 - CVE-2013-4231 libtiff (gif2tiff): GIF LZW decoder missing datasize value check
995975 - CVE-2013-4232 libtiff (tiff2pdf): use-after-free in t2p_readwrite_pdf_image()
996052 - CVE-2013-4243 libtiff (gif2tiff): possible heap-based buffer overflow in readgifimage()
996468 - CVE-2013-4244 libtiff (gif2tiff): OOB Write in LZW decompressor

6. Package List:

Red Hat Enterprise Linux Desktop (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/libtiff-3.9.4-10.el6_5.src.rpm

i386:
libtiff-3.9.4-10.el6_5.i686.rpm
libtiff-debuginfo-3.9.4-10.el6_5.i686.rpm

x86_64:
libtiff-3.9.4-10.el6_5.i686.rpm
libtiff-3.9.4-10.el6_5.x86_64.rpm
libtiff-debuginfo-3.9.4-10.el6_5.i686.rpm
libtiff-debuginfo-3.9.4-10.el6_5.x86_64.rpm

Red Hat Enterprise Linux Desktop Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/libtiff-3.9.4-10.el6_5.src.rpm

i386:
libtiff-debuginfo-3.9.4-10.el6_5.i686.rpm
libtiff-devel-3.9.4-10.el6_5.i686.rpm
libtiff-static-3.9.4-10.el6_5.i686.rpm

x86_64:
libtiff-debuginfo-3.9.4-10.el6_5.i686.rpm
libtiff-debuginfo-3.9.4-10.el6_5.x86_64.rpm
libtiff-devel-3.9.4-10.el6_5.i686.rpm
libtiff-devel-3.9.4-10.el6_5.x86_64.rpm
libtiff-static-3.9.4-10.el6_5.x86_64.rpm

Red Hat Enterprise Linux HPC Node (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/libtiff-3.9.4-10.el6_5.src.rpm

x86_64:
libtiff-3.9.4-10.el6_5.i686.rpm
libtiff-3.9.4-10.el6_5.x86_64.rpm
libtiff-debuginfo-3.9.4-10.el6_5.i686.rpm
libtiff-debuginfo-3.9.4-10.el6_5.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/libtiff-3.9.4-10.el6_5.src.rpm

x86_64:
libtiff-debuginfo-3.9.4-10.el6_5.i686.rpm
libtiff-debuginfo-3.9.4-10.el6_5.x86_64.rpm
libtiff-devel-3.9.4-10.el6_5.i686.rpm
libtiff-devel-3.9.4-10.el6_5.x86_64.rpm
libtiff-static-3.9.4-10.el6_5.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/libtiff-3.9.4-10.el6_5.src.rpm

i386:
libtiff-3.9.4-10.el6_5.i686.rpm
libtiff-debuginfo-3.9.4-10.el6_5.i686.rpm
libtiff-devel-3.9.4-10.el6_5.i686.rpm

ppc64:
libtiff-3.9.4-10.el6_5.ppc.rpm
libtiff-3.9.4-10.el6_5.ppc64.rpm
libtiff-debuginfo-3.9.4-10.el6_5.ppc.rpm
libtiff-debuginfo-3.9.4-10.el6_5.ppc64.rpm
libtiff-devel-3.9.4-10.el6_5.ppc.rpm
libtiff-devel-3.9.4-10.el6_5.ppc64.rpm

s390x:
libtiff-3.9.4-10.el6_5.s390.rpm
libtiff-3.9.4-10.el6_5.s390x.rpm
libtiff-debuginfo-3.9.4-10.el6_5.s390.rpm
libtiff-debuginfo-3.9.4-10.el6_5.s390x.rpm
libtiff-devel-3.9.4-10.el6_5.s390.rpm
libtiff-devel-3.9.4-10.el6_5.s390x.rpm

x86_64:
libtiff-3.9.4-10.el6_5.i686.rpm
libtiff-3.9.4-10.el6_5.x86_64.rpm
libtiff-debuginfo-3.9.4-10.el6_5.i686.rpm
libtiff-debuginfo-3.9.4-10.el6_5.x86_64.rpm
libtiff-devel-3.9.4-10.el6_5.i686.rpm
libtiff-devel-3.9.4-10.el6_5.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/libtiff-3.9.4-10.el6_5.src.rpm

i386:
libtiff-debuginfo-3.9.4-10.el6_5.i686.rpm
libtiff-static-3.9.4-10.el6_5.i686.rpm

ppc64:
libtiff-debuginfo-3.9.4-10.el6_5.ppc64.rpm
libtiff-static-3.9.4-10.el6_5.ppc64.rpm

s390x:
libtiff-debuginfo-3.9.4-10.el6_5.s390x.rpm
libtiff-static-3.9.4-10.el6_5.s390x.rpm

x86_64:
libtiff-debuginfo-3.9.4-10.el6_5.x86_64.rpm
libtiff-static-3.9.4-10.el6_5.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/libtiff-3.9.4-10.el6_5.src.rpm

i386:
libtiff-3.9.4-10.el6_5.i686.rpm
libtiff-debuginfo-3.9.4-10.el6_5.i686.rpm
libtiff-devel-3.9.4-10.el6_5.i686.rpm

x86_64:
libtiff-3.9.4-10.el6_5.i686.rpm
libtiff-3.9.4-10.el6_5.x86_64.rpm
libtiff-debuginfo-3.9.4-10.el6_5.i686.rpm
libtiff-debuginfo-3.9.4-10.el6_5.x86_64.rpm
libtiff-devel-3.9.4-10.el6_5.i686.rpm
libtiff-devel-3.9.4-10.el6_5.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/libtiff-3.9.4-10.el6_5.src.rpm

i386:
libtiff-debuginfo-3.9.4-10.el6_5.i686.rpm
libtiff-static-3.9.4-10.el6_5.i686.rpm

x86_64:
libtiff-debuginfo-3.9.4-10.el6_5.x86_64.rpm
libtiff-static-3.9.4-10.el6_5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2010-2596.html
https://www.redhat.com/security/data/cve/CVE-2013-1960.html
https://www.redhat.com/security/data/cve/CVE-2013-1961.html
https://www.redhat.com/security/data/cve/CVE-2013-4231.html
https://www.redhat.com/security/data/cve/CVE-2013-4232.html
https://www.redhat.com/security/data/cve/CVE-2013-4243.html
https://www.redhat.com/security/data/cve/CVE-2013-4244.html
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFTD4bKXlSAg2UNWIIRAqYgAJ0bLDebogORpf2QkkZCyPAsqqte5ACfZ7/F
9kjPPFFXXpKCClco9Ymt6IA=
=ptyC
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Feb 27 18:42:25 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 27 Feb 2014 18:42:25 +0000
Subject: [RHSA-2014:0223-01] Moderate: libtiff security update
Message-ID: <201402271842.s1RIgPtP005904@int-mx11.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: libtiff security update
Advisory ID: RHSA-2014:0223-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-0223.html
Issue date: 2014-02-27
CVE Names: CVE-2013-1960 CVE-2013-1961 CVE-2013-4231 CVE-2013-4232 CVE-2013-4243 CVE-2013-4244
=====================================================================

1. Summary:

Updated libtiff packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64

3. Description:

The libtiff packages contain a library of functions for manipulating Tagged Image File Format (TIFF) files.

A heap-based buffer overflow and a use-after-free flaw were found in the tiff2pdf tool. An attacker could use these flaws to create a specially crafted TIFF file that would cause tiff2pdf to crash or, possibly, execute arbitrary code. (CVE-2013-1960, CVE-2013-4232)

Multiple buffer overflow flaws were found in the gif2tiff tool. An attacker could use these flaws to create a specially crafted GIF file that could cause gif2tiff to crash or, possibly, execute arbitrary code. (CVE-2013-4231, CVE-2013-4243, CVE-2013-4244)

Multiple buffer overflow flaws were found in the tiff2pdf tool. An attacker could use these flaws to create a specially crafted TIFF file that would cause tiff2pdf to crash. (CVE-2013-1961)

Red Hat would like to thank Emmanuel Bouillon of NCI Agency for reporting CVE-2013-1960 and CVE-2013-1961. The CVE-2013-4243 issue was discovered by Murray McAllister of the Red Hat Security Response Team, and the CVE-2013-4244 issue was discovered by Huzaifa Sidhpurwala of the Red Hat Security Response Team.

All libtiff users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. All running applications linked against libtiff must be restarted for this update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

952131 - CVE-2013-1961 libtiff (tiff2pdf): Stack-based buffer overflow with malformed image-length and resolution
952158 - CVE-2013-1960 libtiff (tiff2pdf): Heap-based buffer overflow in t2_process_jpeg_strip()
995965 - CVE-2013-4231 libtiff (gif2tiff): GIF LZW decoder missing datasize value check
995975 - CVE-2013-4232 libtiff (tiff2pdf): use-after-free in t2p_readwrite_pdf_image()
996052 - CVE-2013-4243 libtiff (gif2tiff): possible heap-based buffer overflow in readgifimage()
996468 - CVE-2013-4244 libtiff (gif2tiff): OOB Write in LZW decompressor

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/libtiff-3.8.2-19.el5_10.src.rpm

i386:
libtiff-3.8.2-19.el5_10.i386.rpm
libtiff-debuginfo-3.8.2-19.el5_10.i386.rpm

x86_64:
libtiff-3.8.2-19.el5_10.i386.rpm
libtiff-3.8.2-19.el5_10.x86_64.rpm
libtiff-debuginfo-3.8.2-19.el5_10.i386.rpm
libtiff-debuginfo-3.8.2-19.el5_10.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/libtiff-3.8.2-19.el5_10.src.rpm

i386:
libtiff-debuginfo-3.8.2-19.el5_10.i386.rpm
libtiff-devel-3.8.2-19.el5_10.i386.rpm

x86_64:
libtiff-debuginfo-3.8.2-19.el5_10.i386.rpm
libtiff-debuginfo-3.8.2-19.el5_10.x86_64.rpm
libtiff-devel-3.8.2-19.el5_10.i386.rpm
libtiff-devel-3.8.2-19.el5_10.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/libtiff-3.8.2-19.el5_10.src.rpm

i386:
libtiff-3.8.2-19.el5_10.i386.rpm
libtiff-debuginfo-3.8.2-19.el5_10.i386.rpm
libtiff-devel-3.8.2-19.el5_10.i386.rpm

ia64:
libtiff-3.8.2-19.el5_10.i386.rpm
libtiff-3.8.2-19.el5_10.ia64.rpm
libtiff-debuginfo-3.8.2-19.el5_10.i386.rpm
libtiff-debuginfo-3.8.2-19.el5_10.ia64.rpm
libtiff-devel-3.8.2-19.el5_10.ia64.rpm

ppc:
libtiff-3.8.2-19.el5_10.ppc.rpm
libtiff-3.8.2-19.el5_10.ppc64.rpm
libtiff-debuginfo-3.8.2-19.el5_10.ppc.rpm
libtiff-debuginfo-3.8.2-19.el5_10.ppc64.rpm
libtiff-devel-3.8.2-19.el5_10.ppc.rpm
libtiff-devel-3.8.2-19.el5_10.ppc64.rpm

s390x:
libtiff-3.8.2-19.el5_10.s390.rpm
libtiff-3.8.2-19.el5_10.s390x.rpm
libtiff-debuginfo-3.8.2-19.el5_10.s390.rpm
libtiff-debuginfo-3.8.2-19.el5_10.s390x.rpm
libtiff-devel-3.8.2-19.el5_10.s390.rpm
libtiff-devel-3.8.2-19.el5_10.s390x.rpm

x86_64:
libtiff-3.8.2-19.el5_10.i386.rpm
libtiff-3.8.2-19.el5_10.x86_64.rpm
libtiff-debuginfo-3.8.2-19.el5_10.i386.rpm
libtiff-debuginfo-3.8.2-19.el5_10.x86_64.rpm
libtiff-devel-3.8.2-19.el5_10.i386.rpm
libtiff-devel-3.8.2-19.el5_10.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-1960.html
https://www.redhat.com/security/data/cve/CVE-2013-1961.html
https://www.redhat.com/security/data/cve/CVE-2013-4231.html
https://www.redhat.com/security/data/cve/CVE-2013-4232.html
https://www.redhat.com/security/data/cve/CVE-2013-4243.html
https://www.redhat.com/security/data/cve/CVE-2013-4244.html
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFTD4b4XlSAg2UNWIIRAkSvAJ0Z+cFZba9LeDWda2wP9lkQI8v5lQCfa64p
XDdTPnId1DhffWI++tiUrNI=
=KXd6
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Fri Feb 28 01:23:01 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Fri, 28 Feb 2014 01:23:01 +0000
Subject: [RHSA-2014:0225-01] Low: Red Hat Enterprise Linux 5.3 Advanced Mission Critical 1-month Notice
Message-ID: <201402280123.s1S1N184010768@int-mx02.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Low: Red Hat Enterprise Linux 5.3 Advanced Mission Critical 1-month Notice
Advisory ID: RHSA-2014:0225-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-0225.html
Issue date: 2014-02-28
=====================================================================

1. Summary:

This is the 1-month notification for the retirement of Red Hat Enterprise Linux 5.3 Advanced Mission Critical (AMC).

2. Relevant releases/architectures:

Red Hat Enterprise Linux Long Life (v. 5.3 server) - i386, ia64, x86_64

3. Description:
In accordance with the Red Hat Enterprise Linux Errata Support Policy, Advanced Mission Critical for Red Hat Enterprise Linux 5.3 will be retired as of March 31, 2014, and support will no longer be provided. Accordingly, Red Hat will no longer provide updated packages, including critical impact security patches or urgent priority bug fixes, for Red Hat Enterprise Linux 5.3 AMC after March 31, 2014. In addition, technical support through Red Hat's Global Support Services for this product will no longer be provided after this date.

Note: This notification applies only to those customers with subscriptions for Advanced Mission Critical Support (AMC) channels for Red Hat Enterprise Linux 5.3.

We encourage customers to plan their migration from Red Hat Enterprise Linux 5.3 to a more recent release of Red Hat Enterprise Linux 5 or 6. As a benefit of the Red Hat subscription model, customers can use their active subscriptions to entitle any system on a currently supported Red Hat Enterprise Linux 5 release (AMC is available on 5.9) or Red Hat Enterprise Linux 6 release (AMC is available on 6.2 and 6.4, and planned for 6.6).

Details of the Red Hat Enterprise Linux life cycle can be found here: https://access.redhat.com/site/support/policy/updates/errata/

4. Solution:

This erratum contains an updated redhat-release package that provides a copy of this notice in the "/usr/share/doc/" directory.

5. Package List:

Red Hat Enterprise Linux Long Life (v. 5.3 server):

Source:
redhat-release-5Server-5.3.0.7.src.rpm

i386:
redhat-release-5Server-5.3.0.7.i386.rpm
redhat-release-debuginfo-5Server-5.3.0.7.i386.rpm

ia64:
redhat-release-5Server-5.3.0.7.ia64.rpm
redhat-release-debuginfo-5Server-5.3.0.7.ia64.rpm

x86_64:
redhat-release-5Server-5.3.0.7.x86_64.rpm
redhat-release-debuginfo-5Server-5.3.0.7.x86_64.rpm

These packages are GPG signed by Red Hat for security.
Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 6. References: https://access.redhat.com/security/updates/classification/#low https://access.redhat.com/site/support/policy/updates/errata/ 7. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2014 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFTD+TaXlSAg2UNWIIRAqUBAJ9VyC5ZCs+OSUftr1DdcsZw70wimACeKxmk R5x4GCCYP157Ha35RBb6EqA= =Vv12 -----END PGP SIGNATURE----- From bugzilla at redhat.com Fri Feb 28 01:25:16 2014 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Fri, 28 Feb 2014 01:25:16 +0000 Subject: [RHSA-2014:0226-01] Low: Red Hat Enterprise Linux 4 Extended Life Cycle Support 1-year Notice Message-ID: <201402280125.s1S1PGpU020753@int-mx12.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Low: Red Hat Enterprise Linux 4 Extended Life Cycle Support 1-year Notice Advisory ID: RHSA-2014:0226-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-0226.html Issue date: 2014-02-28 ===================================================================== 1. Summary: This is the one-year notification for the retirement of Red Hat Enterprise Linux 4 Extended Life Cycle Support (ELS). This notice applies only to those customers subscribed to the Extended Life Cycle Support (ELS) channel for Red Hat Enterprise Linux 4 in the Customer Portal. 2. Relevant releases/architectures: Red Hat Enterprise Linux AS (v. 4 ELS) - i386, ia64, x86_64 Red Hat Enterprise Linux ES (v. 4 ELS) - i386, x86_64 3. 
Description: In accordance with the Red Hat Enterprise Linux Errata Support Policy, Extended Life Cycle Support (ELS) for Red Hat Enterprise Linux 4 will be retired on February 28, 2015, and support will no longer be provided. Accordingly, Red Hat will no longer provide updated packages, including critical impact security patches or urgent priority bug fixes, for Red Hat Enterprise Linux 4 ELS after February 28, 2015. In addition, technical support through Red Hat's Global Support Services will no longer be provided after this date. The retirement process for Red Hat Enterprise Linux 4 ELS will complete on February 28, 2015. On that date, the Red Hat Enterprise Linux 4 ELS channels will be moved to the "Retired" channels area (under the "Retired" tab) on the Customer Portal, and customers will be unsubscribed from the Red Hat Enterprise Linux 4 Extended Life Cycle Support channels. Customers continuing to run Red Hat Enterprise Linux 4 ELS on a system will consume a subscription. Customers wishing to access Red Hat Enterprise Linux 4 ELS content on the Customer Portal will need an active RHEL Server subscription. Customers who choose to resubscribe a system to the retired Red Hat Enterprise Linux 4 ELS channels will consume a RHEL Server subscription. Note again that the products in the Retired channels are frozen, and no further security patches or bug fixes will be provided. We encourage customers to plan their migration from Red Hat Enterprise Linux 4 to a more recent version of Red Hat Enterprise Linux. As a benefit of the Red Hat subscription model, customers can use their active subscriptions to entitle any system on a currently supported Red Hat Enterprise Linux release. Details of the Red Hat Enterprise Linux life cycle can be found here: https://access.redhat.com/site/support/policy/updates/errata/ 4. Solution: This advisory contains an updated redhat-release package, that provides a copy of this end of life notice in the "/usr/share/doc/" directory. 5. 
Package List: Red Hat Enterprise Linux AS (v. 4 ELS): Source: redhat-release-4AS-10.11.src.rpm i386: redhat-release-4AS-10.11.i386.rpm ia64: redhat-release-4AS-10.11.ia64.rpm x86_64: redhat-release-4AS-10.11.x86_64.rpm Red Hat Enterprise Linux ES (v. 4 ELS): Source: redhat-release-4ES-10.11.src.rpm i386: redhat-release-4ES-10.11.i386.rpm x86_64: redhat-release-4ES-10.11.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 6. References: https://access.redhat.com/security/updates/classification/#low https://access.redhat.com/site/support/policy/updates/errata/ 7. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2014 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFTD+T+XlSAg2UNWIIRAoPUAKCBY479bYvl3obWAF3NQtYp/ZFBNACfYIf3 ObYNJJ+qFFO8WXyf2ZlOC+I= =OB8O -----END PGP SIGNATURE-----