From bugzilla at redhat.com Mon Jan 6 18:40:25 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 6 Jan 2014 18:40:25 +0000
Subject: [RHSA-2014:0008-01] Important: ruby193-rubygem-actionpack security update
Message-ID: <201401061840.s06IeNrC023447@int-mx10.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: ruby193-rubygem-actionpack security update
Advisory ID:       RHSA-2014:0008-01
Product:           Red Hat OpenStack
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0008.html
Issue date:        2014-01-06
CVE Names:         CVE-2013-4491 CVE-2013-6414 CVE-2013-6415 CVE-2013-6417
=====================================================================

1. Summary:

Updated ruby193-rubygem-actionpack packages that fix multiple security issues are now available for Red Hat OpenStack 3.0.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

OpenStack 3 - noarch

3. Description:

Ruby on Rails is a model-view-controller (MVC) framework for web application development. Action Pack implements the controller and the view components.

A flaw was found in the way Ruby on Rails performed JSON parameter parsing. An application using a third party library, which uses the Rack::Request interface, or custom Rack middleware could bypass the protection implemented to fix the CVE-2013-0155 vulnerability, causing the application to receive unsafe parameters and become vulnerable to CVE-2013-0155. (CVE-2013-6417)

It was discovered that the internationalization component of Ruby on Rails could, under certain circumstances, return a fallback HTML string that contained user input. A remote attacker could possibly use this flaw to perform a reflective cross-site scripting (XSS) attack by providing a specially crafted input to an application using the aforementioned component. (CVE-2013-4491)

A denial of service flaw was found in the header handling component of Action View. A remote attacker could send strings in specially crafted headers that would be cached indefinitely, which would result in all available system memory eventually being consumed. (CVE-2013-6414)

It was found that the number_to_currency Action View helper did not properly escape the unit parameter. An attacker could use this flaw to perform a cross-site scripting (XSS) attack on an application that uses data submitted by a user in the unit parameter. (CVE-2013-6415)

Users of Red Hat OpenStack 3.0 are advised to upgrade to these updated packages, which correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1036409 - CVE-2013-6417 rubygem-actionpack: unsafe query generation risk (incomplete fix for CVE-2013-0155)
1036483 - CVE-2013-6414 rubygem-actionpack: Action View DoS
1036910 - CVE-2013-6415 rubygem-actionpack: number_to_currency XSS
1036922 - CVE-2013-4491 rubygem-actionpack: i18n missing translation XSS

6. Package List:

OpenStack 3:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHOS/SRPMS/ruby193-rubygem-actionpack-3.2.8-5.1.el6.src.rpm

noarch:
ruby193-rubygem-actionpack-3.2.8-5.1.el6.noarch.rpm
ruby193-rubygem-actionpack-doc-3.2.8-5.1.el6.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7.
References:

https://www.redhat.com/security/data/cve/CVE-2013-4491.html
https://www.redhat.com/security/data/cve/CVE-2013-6414.html
https://www.redhat.com/security/data/cve/CVE-2013-6415.html
https://www.redhat.com/security/data/cve/CVE-2013-6417.html
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFSyvhhXlSAg2UNWIIRAtHEAJ4tVJN79jvB810TrVEHMy2Puak4DgCgkEZi
gOvl3IL20z5rBR06P/XHVhU=
=QuM6
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Tue Jan 7 18:10:22 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 7 Jan 2014 18:10:22 +0000
Subject: [RHSA-2014:0011-01] Critical: ruby193-ruby security update
Message-ID: <201401071810.s07IAMU3022371@int-mx02.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: ruby193-ruby security update
Advisory ID:       RHSA-2014:0011-01
Product:           Red Hat OpenStack
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0011.html
Issue date:        2014-01-07
CVE Names:         CVE-2013-4164
=====================================================================

1. Summary:

Updated ruby193-ruby packages that fix one security issue are now available for Red Hat OpenStack 3.0.

The Red Hat Security Response Team has rated this update as having critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

OpenStack 3 - noarch, x86_64

3. Description:

Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks.

A buffer overflow flaw was found in the way Ruby parsed floating point numbers from their text representation. If an application using Ruby accepted untrusted input strings and converted them to floating point numbers, an attacker able to provide such input could cause the application to crash or, possibly, execute arbitrary code with the privileges of the application. (CVE-2013-4164)

Users of Red Hat OpenStack 3.0 are advised to upgrade to these updated packages, which correct this issue.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1033460 - CVE-2013-4164 ruby: heap overflow in floating point parsing

6. Package List:

OpenStack 3:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHOS/SRPMS/ruby193-ruby-1.9.3.448-40.1.el6.src.rpm

noarch:
ruby193-ruby-irb-1.9.3.448-40.1.el6.noarch.rpm
ruby193-rubygem-minitest-2.5.1-40.1.el6.noarch.rpm
ruby193-rubygem-rake-0.9.2.2-40.1.el6.noarch.rpm

x86_64:
ruby193-ruby-1.9.3.448-40.1.el6.x86_64.rpm
ruby193-ruby-debuginfo-1.9.3.448-40.1.el6.x86_64.rpm
ruby193-ruby-devel-1.9.3.448-40.1.el6.x86_64.rpm
ruby193-ruby-doc-1.9.3.448-40.1.el6.x86_64.rpm
ruby193-ruby-libs-1.9.3.448-40.1.el6.x86_64.rpm
ruby193-ruby-tcltk-1.9.3.448-40.1.el6.x86_64.rpm
ruby193-rubygem-bigdecimal-1.1.0-40.1.el6.x86_64.rpm
ruby193-rubygem-io-console-0.3-40.1.el6.x86_64.rpm
ruby193-rubygem-json-1.5.5-40.1.el6.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-4164.html
https://access.redhat.com/security/updates/classification/#critical

8.
Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFSzEL9XlSAg2UNWIIRAnF6AJ9Mha8XoVS02tEIp1MYRRPImxafzQCfRns5
Myq3JFYjRqMddntLVzp/I/Q=
=68nC
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Jan 8 12:57:02 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 8 Jan 2014 12:57:02 +0000
Subject: [RHSA-2014:0014-01] Low: Red Hat Enterprise Linux 6.2 Extended Update Support Retirement Notice
Message-ID: <201401081256.s08CuuKl001462@int-mx11.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: Red Hat Enterprise Linux 6.2 Extended Update Support Retirement Notice
Advisory ID:       RHSA-2014:0014-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0014.html
Issue date:        2014-01-08
=====================================================================

1. Summary:

This is the final notification for the retirement of Red Hat Enterprise Linux 6.2 Extended Update Support (EUS).

2. Relevant releases/architectures:

Red Hat Enterprise Linux Server EUS (v. 6.2) - i386, ppc64, s390x, x86_64

3. Description:

In accordance with the Red Hat Enterprise Linux Errata Support Policy, Extended Update Support for Red Hat Enterprise Linux 6.2 is retired as of January 7, 2014, and support is no longer provided. Accordingly, Red Hat will no longer provide updated packages, including critical impact security patches or urgent priority bug fixes, for Red Hat Enterprise Linux 6.2 EUS after that date. In addition, technical support through Red Hat's Global Support Services will no longer be provided after January 7, 2014.

Note: This notification applies only to those customers subscribed to the Extended Update Support (EUS) channel for Red Hat Enterprise Linux 6.2.

We encourage customers to plan their migration from Red Hat Enterprise Linux 6.2 to a more recent version of Red Hat Enterprise Linux 6. As a benefit of the Red Hat subscription model, customers can use their active subscriptions to entitle any system on a currently supported Red Hat Enterprise Linux 6 release (6.3, 6.4, or 6.5 for which EUS is available).

Details of the Red Hat Enterprise Linux life cycle can be found here: https://access.redhat.com/support/policy/updates/errata/

4. Solution:

This advisory contains an updated redhat-release-server package that provides a copy of this retirement notice in the "/usr/share/doc/" directory.

5. Package List:

Red Hat Enterprise Linux Server EUS (v. 6.2):

Source:
redhat-release-server-6Server-6.2.0.6.el6_2.src.rpm

i386:
redhat-release-server-6Server-6.2.0.6.el6_2.i686.rpm

ppc64:
redhat-release-server-6Server-6.2.0.6.el6_2.ppc64.rpm

s390x:
redhat-release-server-6Server-6.2.0.6.el6_2.s390x.rpm

x86_64:
redhat-release-server-6Server-6.2.0.6.el6_2.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

6. References:

https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/support/policy/updates/errata/

7. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFSzUrAXlSAg2UNWIIRAgE6AKCOj3gMPRhymCLpstqS790xupFKZgCfQmZI
U6n6/ZkOWIS2UKMB7CP/To8=
=+01a
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Jan 8 18:25:50 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 8 Jan 2014 18:25:50 +0000
Subject: [RHSA-2014:0015-01] Important: openssl security update
Message-ID: <201401081825.s08IPodg018343@int-mx09.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: openssl security update
Advisory ID:       RHSA-2014:0015-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0015.html
Issue date:        2014-01-08
CVE Names:         CVE-2013-4353 CVE-2013-6449 CVE-2013-6450
=====================================================================

1. Summary:

Updated openssl packages that fix three security issues are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64

3.
Description:

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library.

A flaw was found in the way OpenSSL determined which hashing algorithm to use when TLS protocol version 1.2 was enabled. This could possibly cause OpenSSL to use an incorrect hashing algorithm, leading to a crash of an application using the library. (CVE-2013-6449)

It was discovered that the Datagram Transport Layer Security (DTLS) protocol implementation in OpenSSL did not properly maintain encryption and digest contexts during renegotiation. A lost or discarded renegotiation handshake packet could cause a DTLS client or server using OpenSSL to crash. (CVE-2013-6450)

A NULL pointer dereference flaw was found in the way OpenSSL handled TLS/SSL protocol handshake packets. A specially crafted handshake packet could cause a TLS/SSL client using OpenSSL to crash. (CVE-2013-4353)

All OpenSSL users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.

4. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1045363 - CVE-2013-6449 openssl: crash when using TLS 1.2 caused by use of incorrect hash algorithm
1047840 - CVE-2013-6450 openssl: crash in DTLS renegotiation after packet loss
1049058 - CVE-2013-4353 openssl: client NULL dereference crash on malformed handshake packets

6. Package List:

Red Hat Enterprise Linux Desktop (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/openssl-1.0.1e-16.el6_5.4.src.rpm

i386:
openssl-1.0.1e-16.el6_5.4.i686.rpm
openssl-debuginfo-1.0.1e-16.el6_5.4.i686.rpm

x86_64:
openssl-1.0.1e-16.el6_5.4.i686.rpm
openssl-1.0.1e-16.el6_5.4.x86_64.rpm
openssl-debuginfo-1.0.1e-16.el6_5.4.i686.rpm
openssl-debuginfo-1.0.1e-16.el6_5.4.x86_64.rpm

Red Hat Enterprise Linux Desktop Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/openssl-1.0.1e-16.el6_5.4.src.rpm

i386:
openssl-debuginfo-1.0.1e-16.el6_5.4.i686.rpm
openssl-devel-1.0.1e-16.el6_5.4.i686.rpm
openssl-perl-1.0.1e-16.el6_5.4.i686.rpm
openssl-static-1.0.1e-16.el6_5.4.i686.rpm

x86_64:
openssl-debuginfo-1.0.1e-16.el6_5.4.i686.rpm
openssl-debuginfo-1.0.1e-16.el6_5.4.x86_64.rpm
openssl-devel-1.0.1e-16.el6_5.4.i686.rpm
openssl-devel-1.0.1e-16.el6_5.4.x86_64.rpm
openssl-perl-1.0.1e-16.el6_5.4.x86_64.rpm
openssl-static-1.0.1e-16.el6_5.4.x86_64.rpm

Red Hat Enterprise Linux HPC Node (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/openssl-1.0.1e-16.el6_5.4.src.rpm

x86_64:
openssl-1.0.1e-16.el6_5.4.i686.rpm
openssl-1.0.1e-16.el6_5.4.x86_64.rpm
openssl-debuginfo-1.0.1e-16.el6_5.4.i686.rpm
openssl-debuginfo-1.0.1e-16.el6_5.4.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/openssl-1.0.1e-16.el6_5.4.src.rpm

x86_64:
openssl-debuginfo-1.0.1e-16.el6_5.4.i686.rpm
openssl-debuginfo-1.0.1e-16.el6_5.4.x86_64.rpm
openssl-devel-1.0.1e-16.el6_5.4.i686.rpm
openssl-devel-1.0.1e-16.el6_5.4.x86_64.rpm
openssl-perl-1.0.1e-16.el6_5.4.x86_64.rpm
openssl-static-1.0.1e-16.el6_5.4.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/openssl-1.0.1e-16.el6_5.4.src.rpm

i386:
openssl-1.0.1e-16.el6_5.4.i686.rpm
openssl-debuginfo-1.0.1e-16.el6_5.4.i686.rpm
openssl-devel-1.0.1e-16.el6_5.4.i686.rpm

ppc64:
openssl-1.0.1e-16.el6_5.4.ppc.rpm
openssl-1.0.1e-16.el6_5.4.ppc64.rpm
openssl-debuginfo-1.0.1e-16.el6_5.4.ppc.rpm
openssl-debuginfo-1.0.1e-16.el6_5.4.ppc64.rpm
openssl-devel-1.0.1e-16.el6_5.4.ppc.rpm
openssl-devel-1.0.1e-16.el6_5.4.ppc64.rpm

s390x:
openssl-1.0.1e-16.el6_5.4.s390.rpm
openssl-1.0.1e-16.el6_5.4.s390x.rpm
openssl-debuginfo-1.0.1e-16.el6_5.4.s390.rpm
openssl-debuginfo-1.0.1e-16.el6_5.4.s390x.rpm
openssl-devel-1.0.1e-16.el6_5.4.s390.rpm
openssl-devel-1.0.1e-16.el6_5.4.s390x.rpm

x86_64:
openssl-1.0.1e-16.el6_5.4.i686.rpm
openssl-1.0.1e-16.el6_5.4.x86_64.rpm
openssl-debuginfo-1.0.1e-16.el6_5.4.i686.rpm
openssl-debuginfo-1.0.1e-16.el6_5.4.x86_64.rpm
openssl-devel-1.0.1e-16.el6_5.4.i686.rpm
openssl-devel-1.0.1e-16.el6_5.4.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/openssl-1.0.1e-16.el6_5.4.src.rpm

i386:
openssl-debuginfo-1.0.1e-16.el6_5.4.i686.rpm
openssl-perl-1.0.1e-16.el6_5.4.i686.rpm
openssl-static-1.0.1e-16.el6_5.4.i686.rpm

ppc64:
openssl-debuginfo-1.0.1e-16.el6_5.4.ppc64.rpm
openssl-perl-1.0.1e-16.el6_5.4.ppc64.rpm
openssl-static-1.0.1e-16.el6_5.4.ppc64.rpm

s390x:
openssl-debuginfo-1.0.1e-16.el6_5.4.s390x.rpm
openssl-perl-1.0.1e-16.el6_5.4.s390x.rpm
openssl-static-1.0.1e-16.el6_5.4.s390x.rpm

x86_64:
openssl-debuginfo-1.0.1e-16.el6_5.4.x86_64.rpm
openssl-perl-1.0.1e-16.el6_5.4.x86_64.rpm
openssl-static-1.0.1e-16.el6_5.4.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/openssl-1.0.1e-16.el6_5.4.src.rpm

i386:
openssl-1.0.1e-16.el6_5.4.i686.rpm
openssl-debuginfo-1.0.1e-16.el6_5.4.i686.rpm
openssl-devel-1.0.1e-16.el6_5.4.i686.rpm

x86_64:
openssl-1.0.1e-16.el6_5.4.i686.rpm
openssl-1.0.1e-16.el6_5.4.x86_64.rpm
openssl-debuginfo-1.0.1e-16.el6_5.4.i686.rpm
openssl-debuginfo-1.0.1e-16.el6_5.4.x86_64.rpm
openssl-devel-1.0.1e-16.el6_5.4.i686.rpm
openssl-devel-1.0.1e-16.el6_5.4.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/openssl-1.0.1e-16.el6_5.4.src.rpm

i386:
openssl-debuginfo-1.0.1e-16.el6_5.4.i686.rpm
openssl-perl-1.0.1e-16.el6_5.4.i686.rpm
openssl-static-1.0.1e-16.el6_5.4.i686.rpm

x86_64:
openssl-debuginfo-1.0.1e-16.el6_5.4.x86_64.rpm
openssl-perl-1.0.1e-16.el6_5.4.x86_64.rpm
openssl-static-1.0.1e-16.el6_5.4.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-4353.html
https://www.redhat.com/security/data/cve/CVE-2013-6449.html
https://www.redhat.com/security/data/cve/CVE-2013-6450.html
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
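The openssl advisory above (RHSA-2014:0015) requires every service linked against OpenSSL to be restarted before the fix is live. The following check is added here and is not part of Red Hat's advisory: it lists processes that still map a deleted libssl/libcrypto file, which is how an un-restarted service shows up in /proc/<pid>/maps once rpm has replaced the library. It assumes Linux procfs and a POSIX sh; the sample maps lines inside it are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not part of the Red Hat advisory: after the updated openssl
# packages are installed, find processes that still map the *old* library
# files. rpm unlinks the replaced files, so a process that has not been
# restarted shows them in /proc/<pid>/maps with a "(deleted)" suffix.
# Those are the services the advisory says must be restarted.

# Read one process's /proc/<pid>/maps on stdin and print every deleted
# libssl/libcrypto path it still maps, one per line, duplicates removed.
# Field 6 of a maps line is the path; field 7 is "(deleted)" when present.
stale_openssl_maps() {
    grep -E 'lib(ssl|crypto)\.so[^ ]* \(deleted\)$' | awk '{ print $6 }' | sort -u
}

# Walk every readable process and report "<pid> <command> <stale library>".
# Maps of processes owned by other users need root to read; they are skipped.
scan_running_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        cat "$maps" 2>/dev/null | stale_openssl_maps | while IFS= read -r lib; do
            comm=$(ps -o comm= -p "$pid" 2>/dev/null || echo '?')
            printf '%s\t%s\t%s\n' "$pid" "$comm" "$lib"
        done
    done
}

# Constructed sample of maps lines (not captured from a real host) to show the
# filter: two stale OpenSSL mappings (one of them mapped twice), one unrelated
# deleted library, and one current libssl mapping that must not be reported.
SAMPLE_MAPS='7f1a2b000000-7f1a2b200000 r-xp 00000000 fd:01 131092 /usr/lib64/libssl.so.1.0.1e (deleted)
7f1a2b200000-7f1a2b400000 r-xp 00000000 fd:01 131093 /usr/lib64/libcrypto.so.1.0.1e (deleted)
7f1a2b400000-7f1a2b401000 r--p 00200000 fd:01 131093 /usr/lib64/libcrypto.so.1.0.1e (deleted)
7f1a2c000000-7f1a2c100000 r-xp 00000000 fd:01 131100 /usr/lib64/libz.so.1.2.3 (deleted)
7f1a2d000000-7f1a2d100000 r-xp 00000000 fd:01 131200 /usr/lib64/libssl.so.1.0.1e'

# Apply the filter to the constructed sample; expected to report exactly the
# two deleted OpenSSL libraries and nothing else.
sample_stale_libs() {
    printf '%s\n' "$SAMPLE_MAPS" | stale_openssl_maps
}

if [ "${1:-}" = "--sample" ]; then
    sample_stale_libs
else
    scan_running_processes
fi
```

Run it as root after `yum update openssl`; an empty result means nothing is still using the old library, otherwise restart (or reboot for) each listed service and run it again.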
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFSzZgHXlSAg2UNWIIRAofWAJ0UK4cssiN2fV0WOt0Ui+wDi/A1BwCfUSDk
njgv4mXCZgK/Bf84S2BcZl8=
=j7J/
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Jan 8 18:26:32 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 8 Jan 2014 18:26:32 +0000
Subject: [RHSA-2014:0016-01] Moderate: gnupg security update
Message-ID: <201401081826.s08IQW7D005384@int-mx10.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: gnupg security update
Advisory ID:       RHSA-2014:0016-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0016.html
Issue date:        2014-01-08
CVE Names:         CVE-2013-4576
=====================================================================

1. Summary:

An updated gnupg package that fixes one security issue is now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64

3. Description:

The GNU Privacy Guard (GnuPG or GPG) is a tool for encrypting data and creating digital signatures, compliant with the proposed OpenPGP Internet standard and the S/MIME standard.

It was found that GnuPG was vulnerable to side-channel attacks via acoustic cryptanalysis. An attacker in close range to a target system that is decrypting ciphertexts could possibly use this flaw to recover the RSA secret key from that system. (CVE-2013-4576)

Red Hat would like to thank Werner Koch of GnuPG upstream for reporting this issue. Upstream acknowledges Genkin, Shamir, and Tromer as the original reporters.

All gnupg users are advised to upgrade to this updated package, which contains a backported patch to correct this issue.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1043327 - CVE-2013-4576 gnupg: RSA secret key recovery via acoustic cryptanalysis

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/gnupg-1.4.5-18.el5_10.1.src.rpm

i386:
gnupg-1.4.5-18.el5_10.1.i386.rpm
gnupg-debuginfo-1.4.5-18.el5_10.1.i386.rpm

x86_64:
gnupg-1.4.5-18.el5_10.1.x86_64.rpm
gnupg-debuginfo-1.4.5-18.el5_10.1.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/gnupg-1.4.5-18.el5_10.1.src.rpm

i386:
gnupg-1.4.5-18.el5_10.1.i386.rpm
gnupg-debuginfo-1.4.5-18.el5_10.1.i386.rpm

ia64:
gnupg-1.4.5-18.el5_10.1.ia64.rpm
gnupg-debuginfo-1.4.5-18.el5_10.1.ia64.rpm

ppc:
gnupg-1.4.5-18.el5_10.1.ppc.rpm
gnupg-debuginfo-1.4.5-18.el5_10.1.ppc.rpm

s390x:
gnupg-1.4.5-18.el5_10.1.s390x.rpm
gnupg-debuginfo-1.4.5-18.el5_10.1.s390x.rpm

x86_64:
gnupg-1.4.5-18.el5_10.1.x86_64.rpm
gnupg-debuginfo-1.4.5-18.el5_10.1.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-4576.html
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFSzZg7XlSAg2UNWIIRArjLAJ0ZkK1lPF2E1DKQl89WvZTsOmIRDACdFDbr
LN62s9JwRK6VlpcEHc6920k=
=Ntbx
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Fri Jan 10 09:52:38 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Fri, 10 Jan 2014 09:52:38 +0000
Subject: [RHSA-2014:0018-01] Important: libXfont security update
Message-ID: <201401100948.s0A9mHZA010087@int-mx02.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: libXfont security update
Advisory ID:       RHSA-2014:0018-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0018.html
Issue date:        2014-01-10
CVE Names:         CVE-2013-6462
=====================================================================

1. Summary:

Updated libXfont packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64

3. Description:

The libXfont packages provide the X.Org libXfont runtime library. X.Org is an open source implementation of the X Window System.

A stack-based buffer overflow flaw was found in the way the libXfont library parsed Glyph Bitmap Distribution Format (BDF) fonts. A malicious, local user could exploit this issue to potentially execute arbitrary code with the privileges of the X.Org server. (CVE-2013-6462)

Users of libXfont should upgrade to these updated packages, which contain a backported patch to resolve this issue. All running X.Org server instances must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/kb/docs/DOC-11259

5. Bugs fixed (https://bugzilla.redhat.com/):

1048044 - CVE-2013-6462 libXfont: stack-based buffer overflow flaw when parsing Glyph Bitmap Distribution Format (BDF) fonts

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/libXfont-1.2.2-1.0.5.el5_10.src.rpm

i386:
libXfont-1.2.2-1.0.5.el5_10.i386.rpm
libXfont-debuginfo-1.2.2-1.0.5.el5_10.i386.rpm

x86_64:
libXfont-1.2.2-1.0.5.el5_10.i386.rpm
libXfont-1.2.2-1.0.5.el5_10.x86_64.rpm
libXfont-debuginfo-1.2.2-1.0.5.el5_10.i386.rpm
libXfont-debuginfo-1.2.2-1.0.5.el5_10.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/libXfont-1.2.2-1.0.5.el5_10.src.rpm

i386:
libXfont-debuginfo-1.2.2-1.0.5.el5_10.i386.rpm
libXfont-devel-1.2.2-1.0.5.el5_10.i386.rpm

x86_64:
libXfont-debuginfo-1.2.2-1.0.5.el5_10.i386.rpm
libXfont-debuginfo-1.2.2-1.0.5.el5_10.x86_64.rpm
libXfont-devel-1.2.2-1.0.5.el5_10.i386.rpm
libXfont-devel-1.2.2-1.0.5.el5_10.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/libXfont-1.2.2-1.0.5.el5_10.src.rpm

i386:
libXfont-1.2.2-1.0.5.el5_10.i386.rpm
libXfont-debuginfo-1.2.2-1.0.5.el5_10.i386.rpm
libXfont-devel-1.2.2-1.0.5.el5_10.i386.rpm

ia64:
libXfont-1.2.2-1.0.5.el5_10.ia64.rpm
libXfont-debuginfo-1.2.2-1.0.5.el5_10.ia64.rpm
libXfont-devel-1.2.2-1.0.5.el5_10.ia64.rpm

ppc:
libXfont-1.2.2-1.0.5.el5_10.ppc.rpm
libXfont-1.2.2-1.0.5.el5_10.ppc64.rpm
libXfont-debuginfo-1.2.2-1.0.5.el5_10.ppc.rpm
libXfont-debuginfo-1.2.2-1.0.5.el5_10.ppc64.rpm
libXfont-devel-1.2.2-1.0.5.el5_10.ppc.rpm
libXfont-devel-1.2.2-1.0.5.el5_10.ppc64.rpm

s390x:
libXfont-1.2.2-1.0.5.el5_10.s390.rpm
libXfont-1.2.2-1.0.5.el5_10.s390x.rpm
libXfont-debuginfo-1.2.2-1.0.5.el5_10.s390.rpm
libXfont-debuginfo-1.2.2-1.0.5.el5_10.s390x.rpm
libXfont-devel-1.2.2-1.0.5.el5_10.s390.rpm
libXfont-devel-1.2.2-1.0.5.el5_10.s390x.rpm

x86_64:
libXfont-1.2.2-1.0.5.el5_10.i386.rpm
libXfont-1.2.2-1.0.5.el5_10.x86_64.rpm
libXfont-debuginfo-1.2.2-1.0.5.el5_10.i386.rpm
libXfont-debuginfo-1.2.2-1.0.5.el5_10.x86_64.rpm
libXfont-devel-1.2.2-1.0.5.el5_10.i386.rpm
libXfont-devel-1.2.2-1.0.5.el5_10.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/libXfont-1.4.5-3.el6_5.src.rpm

i386:
libXfont-1.4.5-3.el6_5.i686.rpm
libXfont-debuginfo-1.4.5-3.el6_5.i686.rpm

x86_64:
libXfont-1.4.5-3.el6_5.x86_64.rpm
libXfont-debuginfo-1.4.5-3.el6_5.x86_64.rpm

Red Hat Enterprise Linux Desktop Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/libXfont-1.4.5-3.el6_5.src.rpm

i386:
libXfont-debuginfo-1.4.5-3.el6_5.i686.rpm
libXfont-devel-1.4.5-3.el6_5.i686.rpm

x86_64:
libXfont-1.4.5-3.el6_5.i686.rpm
libXfont-debuginfo-1.4.5-3.el6_5.i686.rpm
libXfont-debuginfo-1.4.5-3.el6_5.x86_64.rpm
libXfont-devel-1.4.5-3.el6_5.i686.rpm
libXfont-devel-1.4.5-3.el6_5.x86_64.rpm

Red Hat Enterprise Linux HPC Node (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/libXfont-1.4.5-3.el6_5.src.rpm

x86_64:
libXfont-1.4.5-3.el6_5.x86_64.rpm
libXfont-debuginfo-1.4.5-3.el6_5.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/libXfont-1.4.5-3.el6_5.src.rpm

x86_64:
libXfont-1.4.5-3.el6_5.i686.rpm
libXfont-debuginfo-1.4.5-3.el6_5.i686.rpm
libXfont-debuginfo-1.4.5-3.el6_5.x86_64.rpm
libXfont-devel-1.4.5-3.el6_5.i686.rpm
libXfont-devel-1.4.5-3.el6_5.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/libXfont-1.4.5-3.el6_5.src.rpm

i386:
libXfont-1.4.5-3.el6_5.i686.rpm
libXfont-debuginfo-1.4.5-3.el6_5.i686.rpm

ppc64:
libXfont-1.4.5-3.el6_5.ppc64.rpm
libXfont-debuginfo-1.4.5-3.el6_5.ppc64.rpm

s390x:
libXfont-1.4.5-3.el6_5.s390x.rpm
libXfont-debuginfo-1.4.5-3.el6_5.s390x.rpm

x86_64:
libXfont-1.4.5-3.el6_5.x86_64.rpm
libXfont-debuginfo-1.4.5-3.el6_5.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/libXfont-1.4.5-3.el6_5.src.rpm

i386:
libXfont-debuginfo-1.4.5-3.el6_5.i686.rpm
libXfont-devel-1.4.5-3.el6_5.i686.rpm

ppc64:
libXfont-1.4.5-3.el6_5.ppc.rpm
libXfont-debuginfo-1.4.5-3.el6_5.ppc.rpm
libXfont-debuginfo-1.4.5-3.el6_5.ppc64.rpm
libXfont-devel-1.4.5-3.el6_5.ppc.rpm
libXfont-devel-1.4.5-3.el6_5.ppc64.rpm

s390x:
libXfont-1.4.5-3.el6_5.s390.rpm
libXfont-debuginfo-1.4.5-3.el6_5.s390.rpm
libXfont-debuginfo-1.4.5-3.el6_5.s390x.rpm
libXfont-devel-1.4.5-3.el6_5.s390.rpm
libXfont-devel-1.4.5-3.el6_5.s390x.rpm

x86_64:
libXfont-1.4.5-3.el6_5.i686.rpm
libXfont-debuginfo-1.4.5-3.el6_5.i686.rpm
libXfont-debuginfo-1.4.5-3.el6_5.x86_64.rpm
libXfont-devel-1.4.5-3.el6_5.i686.rpm
libXfont-devel-1.4.5-3.el6_5.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/libXfont-1.4.5-3.el6_5.src.rpm

i386:
libXfont-1.4.5-3.el6_5.i686.rpm
libXfont-debuginfo-1.4.5-3.el6_5.i686.rpm

x86_64:
libXfont-1.4.5-3.el6_5.x86_64.rpm
libXfont-debuginfo-1.4.5-3.el6_5.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/libXfont-1.4.5-3.el6_5.src.rpm

i386:
libXfont-debuginfo-1.4.5-3.el6_5.i686.rpm
libXfont-devel-1.4.5-3.el6_5.i686.rpm

x86_64:
libXfont-1.4.5-3.el6_5.i686.rpm
libXfont-debuginfo-1.4.5-3.el6_5.i686.rpm
libXfont-debuginfo-1.4.5-3.el6_5.x86_64.rpm
libXfont-devel-1.4.5-3.el6_5.i686.rpm
libXfont-devel-1.4.5-3.el6_5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-6462.html
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/ Copyright 2014 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFSz8HSXlSAg2UNWIIRAvo5AJ4976ATNgp8mmoyRgObDFnCvOP4zACfYWJc f9VhkwpGzE3y3jtSD9fupVg= =T7Wm -----END PGP SIGNATURE----- From bugzilla at redhat.com Wed Jan 15 01:02:06 2014 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Wed, 15 Jan 2014 01:02:06 +0000 Subject: [RHSA-2014:0026-01] Critical: java-1.7.0-openjdk security update Message-ID: <201401150102.s0F1278e022580@int-mx10.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Critical: java-1.7.0-openjdk security update Advisory ID: RHSA-2014:0026-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-0026.html Issue date: 2014-01-15 CVE Names: CVE-2013-5878 CVE-2013-5884 CVE-2013-5893 CVE-2013-5896 CVE-2013-5907 CVE-2013-5910 CVE-2014-0368 CVE-2014-0373 CVE-2014-0376 CVE-2014-0411 CVE-2014-0416 CVE-2014-0422 CVE-2014-0423 CVE-2014-0428 ===================================================================== 1. Summary: Updated java-1.7.0-openjdk packages that fix various security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, noarch, x86_64 Red Hat Enterprise Linux HPC Node (v. 6) - x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - noarch, x86_64 Red Hat Enterprise Linux Server (v. 
6) - i386, noarch, x86_64 Red Hat Enterprise Linux Server Optional (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, noarch, x86_64 Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64 3. Description: These packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Software Development Kit. An input validation flaw was discovered in the font layout engine in the 2D component. A specially crafted font file could trigger Java Virtual Machine memory corruption when processed. An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions. (CVE-2013-5907) Multiple improper permission check issues were discovered in the CORBA, JNDI, and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2014-0428, CVE-2014-0422, CVE-2013-5893) Multiple improper permission check issues were discovered in the Serviceability, Security, CORBA, JAAS, JAXP, and Networking components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2014-0373, CVE-2013-5878, CVE-2013-5910, CVE-2013-5896, CVE-2013-5884, CVE-2014-0416, CVE-2014-0376, CVE-2014-0368) It was discovered that the Beans component did not restrict processing of XML external entities. This flaw could cause a Java application using Beans to leak sensitive information, or affect application availability. (CVE-2014-0423) It was discovered that the JSSE component could leak timing information during the TLS/SSL handshake. This could possibly lead to disclosure of information about the used encryption keys. (CVE-2014-0411) Note: The java-1.7.0-openjdk package shipped with Red Hat Enterprise Linux 6.5 via RHBA-2013:1611 replaced "java7" with "java" in the provides list. 
This update re-adds "java7" to the provides list to maintain backwards compatibility with releases prior to Red Hat Enterprise Linux 6.5. Note: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website. All users of java-1.7.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1051519 - CVE-2014-0428 OpenJDK: insufficient security checks in IIOP streams (CORBA, 8025767) 1051528 - CVE-2014-0422 OpenJDK: insufficient package access checks in the Naming component (JNDI, 8025758) 1051549 - CVE-2013-5893 OpenJDK: JVM method processing issues (Libraries, 8029507) 1051699 - CVE-2014-0373 OpenJDK: SnmpStatusException handling issues (Serviceability, 7068126) 1051823 - CVE-2013-5878 OpenJDK: null xmlns handling issue (Security, 8025026) 1051911 - CVE-2013-5884 OpenJDK: insufficient security checks in CORBA stub factories (CORBA, 8026193) 1051912 - CVE-2014-0416 OpenJDK: insecure subject principals set handling (JAAS, 8024306) 1051923 - CVE-2014-0376 OpenJDK: document builder missing security checks (JAXP, 8027201, 8025018) 1052915 - CVE-2013-5907 ICU: Layout Engine LookupProcessor insufficient input checks (JDK 2D, 8025034) 1052919 - CVE-2014-0368 OpenJDK: insufficient Socket checkListen checks (Networking, 8011786) 1052942 - CVE-2013-5910 OpenJDK: XML canonicalizer mutable strings passed to untrusted code (Security, 8026417) 1053010 - CVE-2014-0411 OpenJDK: TLS/SSL 
handshake timing issues (JSSE, 8023069) 1053066 - CVE-2014-0423 OpenJDK: XXE issue in decoder (Beans, 8023245) 1053266 - CVE-2013-5896 OpenJDK: com.sun.corba.se. should be restricted package (CORBA, 8025022) 6. Package List: Red Hat Enterprise Linux Desktop (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/java-1.7.0-openjdk-1.7.0.51-2.4.4.1.el6_5.src.rpm i386: java-1.7.0-openjdk-1.7.0.51-2.4.4.1.el6_5.i686.rpm java-1.7.0-openjdk-debuginfo-1.7.0.51-2.4.4.1.el6_5.i686.rpm x86_64: java-1.7.0-openjdk-1.7.0.51-2.4.4.1.el6_5.x86_64.rpm java-1.7.0-openjdk-debuginfo-1.7.0.51-2.4.4.1.el6_5.x86_64.rpm Red Hat Enterprise Linux Desktop Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/java-1.7.0-openjdk-1.7.0.51-2.4.4.1.el6_5.src.rpm i386: java-1.7.0-openjdk-debuginfo-1.7.0.51-2.4.4.1.el6_5.i686.rpm java-1.7.0-openjdk-demo-1.7.0.51-2.4.4.1.el6_5.i686.rpm java-1.7.0-openjdk-devel-1.7.0.51-2.4.4.1.el6_5.i686.rpm java-1.7.0-openjdk-src-1.7.0.51-2.4.4.1.el6_5.i686.rpm noarch: java-1.7.0-openjdk-javadoc-1.7.0.51-2.4.4.1.el6_5.noarch.rpm x86_64: java-1.7.0-openjdk-debuginfo-1.7.0.51-2.4.4.1.el6_5.x86_64.rpm java-1.7.0-openjdk-demo-1.7.0.51-2.4.4.1.el6_5.x86_64.rpm java-1.7.0-openjdk-devel-1.7.0.51-2.4.4.1.el6_5.x86_64.rpm java-1.7.0-openjdk-src-1.7.0.51-2.4.4.1.el6_5.x86_64.rpm Red Hat Enterprise Linux HPC Node (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/java-1.7.0-openjdk-1.7.0.51-2.4.4.1.el6_5.src.rpm x86_64: java-1.7.0-openjdk-1.7.0.51-2.4.4.1.el6_5.x86_64.rpm java-1.7.0-openjdk-debuginfo-1.7.0.51-2.4.4.1.el6_5.x86_64.rpm Red Hat Enterprise Linux HPC Node Optional (v. 
6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/java-1.7.0-openjdk-1.7.0.51-2.4.4.1.el6_5.src.rpm noarch: java-1.7.0-openjdk-javadoc-1.7.0.51-2.4.4.1.el6_5.noarch.rpm x86_64: java-1.7.0-openjdk-debuginfo-1.7.0.51-2.4.4.1.el6_5.x86_64.rpm java-1.7.0-openjdk-demo-1.7.0.51-2.4.4.1.el6_5.x86_64.rpm java-1.7.0-openjdk-devel-1.7.0.51-2.4.4.1.el6_5.x86_64.rpm java-1.7.0-openjdk-src-1.7.0.51-2.4.4.1.el6_5.x86_64.rpm Red Hat Enterprise Linux Server (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/java-1.7.0-openjdk-1.7.0.51-2.4.4.1.el6_5.src.rpm i386: java-1.7.0-openjdk-1.7.0.51-2.4.4.1.el6_5.i686.rpm java-1.7.0-openjdk-debuginfo-1.7.0.51-2.4.4.1.el6_5.i686.rpm java-1.7.0-openjdk-devel-1.7.0.51-2.4.4.1.el6_5.i686.rpm noarch: java-1.7.0-openjdk-javadoc-1.7.0.51-2.4.4.1.el6_5.noarch.rpm x86_64: java-1.7.0-openjdk-1.7.0.51-2.4.4.1.el6_5.x86_64.rpm java-1.7.0-openjdk-debuginfo-1.7.0.51-2.4.4.1.el6_5.x86_64.rpm java-1.7.0-openjdk-devel-1.7.0.51-2.4.4.1.el6_5.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/java-1.7.0-openjdk-1.7.0.51-2.4.4.1.el6_5.src.rpm i386: java-1.7.0-openjdk-debuginfo-1.7.0.51-2.4.4.1.el6_5.i686.rpm java-1.7.0-openjdk-demo-1.7.0.51-2.4.4.1.el6_5.i686.rpm java-1.7.0-openjdk-src-1.7.0.51-2.4.4.1.el6_5.i686.rpm x86_64: java-1.7.0-openjdk-debuginfo-1.7.0.51-2.4.4.1.el6_5.x86_64.rpm java-1.7.0-openjdk-demo-1.7.0.51-2.4.4.1.el6_5.x86_64.rpm java-1.7.0-openjdk-src-1.7.0.51-2.4.4.1.el6_5.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 
6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/java-1.7.0-openjdk-1.7.0.51-2.4.4.1.el6_5.src.rpm i386: java-1.7.0-openjdk-1.7.0.51-2.4.4.1.el6_5.i686.rpm java-1.7.0-openjdk-debuginfo-1.7.0.51-2.4.4.1.el6_5.i686.rpm java-1.7.0-openjdk-devel-1.7.0.51-2.4.4.1.el6_5.i686.rpm noarch: java-1.7.0-openjdk-javadoc-1.7.0.51-2.4.4.1.el6_5.noarch.rpm x86_64: java-1.7.0-openjdk-1.7.0.51-2.4.4.1.el6_5.x86_64.rpm java-1.7.0-openjdk-debuginfo-1.7.0.51-2.4.4.1.el6_5.x86_64.rpm java-1.7.0-openjdk-devel-1.7.0.51-2.4.4.1.el6_5.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/java-1.7.0-openjdk-1.7.0.51-2.4.4.1.el6_5.src.rpm i386: java-1.7.0-openjdk-debuginfo-1.7.0.51-2.4.4.1.el6_5.i686.rpm java-1.7.0-openjdk-demo-1.7.0.51-2.4.4.1.el6_5.i686.rpm java-1.7.0-openjdk-src-1.7.0.51-2.4.4.1.el6_5.i686.rpm x86_64: java-1.7.0-openjdk-debuginfo-1.7.0.51-2.4.4.1.el6_5.x86_64.rpm java-1.7.0-openjdk-demo-1.7.0.51-2.4.4.1.el6_5.x86_64.rpm java-1.7.0-openjdk-src-1.7.0.51-2.4.4.1.el6_5.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. 
References: https://www.redhat.com/security/data/cve/CVE-2013-5878.html https://www.redhat.com/security/data/cve/CVE-2013-5884.html https://www.redhat.com/security/data/cve/CVE-2013-5893.html https://www.redhat.com/security/data/cve/CVE-2013-5896.html https://www.redhat.com/security/data/cve/CVE-2013-5907.html https://www.redhat.com/security/data/cve/CVE-2013-5910.html https://www.redhat.com/security/data/cve/CVE-2014-0368.html https://www.redhat.com/security/data/cve/CVE-2014-0373.html https://www.redhat.com/security/data/cve/CVE-2014-0376.html https://www.redhat.com/security/data/cve/CVE-2014-0411.html https://www.redhat.com/security/data/cve/CVE-2014-0416.html https://www.redhat.com/security/data/cve/CVE-2014-0422.html https://www.redhat.com/security/data/cve/CVE-2014-0423.html https://www.redhat.com/security/data/cve/CVE-2014-0428.html https://access.redhat.com/security/updates/classification/#critical http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2014 Red Hat, Inc. 
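Two operational points in the advisory above are easy to get wrong on a real host: the fixed build has to be compared against every installed java-1.7.0-openjdk package (multilib hosts carry both the i686 and the x86_64 build), and a JVM started before the update keeps the old libjvm.so mapped until it is restarted, which is why the advisory says running instances must be restarted. The script below is an added example, not part of the Red Hat advisory. It takes the fixed version-release from the RHEL 6 package list above and assumes two things: that GNU sort -V orders Red Hat's dotted version-release strings the same way rpm's own comparison does (true for the strings used here), and that Linux marks a replaced, still-mapped library with "(deleted)" in /proc/PID/maps.

```shell
#!/bin/sh
# Added example, not part of the Red Hat advisory: check whether every
# installed java-1.7.0-openjdk build meets the fixed version-release (VR)
# from RHSA-2014:0026 and list JVM processes still running the old code.

# Fixed VR for RHEL 6, taken from the advisory's package list.
FIXED_VR="1.7.0.51-2.4.4.1.el6_5"

# vr_at_least INSTALLED FIXED: succeed when INSTALLED >= FIXED.
# Assumption: GNU sort -V orders these VR strings like rpmvercmp does.
vr_at_least() {
    highest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)
    [ "$highest" = "$1" ]
}

# report_unfixed FIXED: read "name version-release" lines on stdin (the
# format produced by the rpm query in check_host) and print, as name-VR,
# every build that is below FIXED. Multilib hosts can have both the i686
# and the x86_64 build installed, so every line is checked.
report_unfixed() {
    fixed="$1"
    while read -r name vr; do
        [ -n "$vr" ] || continue
        vr_at_least "$vr" "$fixed" || printf '%s-%s\n' "$name" "$vr"
    done
}

# jvms_with_deleted_libjvm: PIDs whose mapped libjvm.so has been replaced
# on disk, i.e. JVMs started before the update that still need a restart.
# Assumption: Linux /proc/PID/maps marks such mappings with "(deleted)".
jvms_with_deleted_libjvm() {
    for maps in /proc/[0-9]*/maps; do
        grep -q 'libjvm\.so.*(deleted)' "$maps" 2>/dev/null || continue
        pid=${maps#/proc/}
        echo "${pid%/maps}"
    done
}

# check_host: query rpm for the installed builds and report.
check_host() {
    if ! rpm -q java-1.7.0-openjdk >/dev/null 2>&1; then
        echo "java-1.7.0-openjdk is not installed"
        return 0
    fi
    unfixed=$(rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' java-1.7.0-openjdk \
              | report_unfixed "$FIXED_VR")
    if [ -n "$unfixed" ]; then
        echo "UNPATCHED: $unfixed"
        return 1
    fi
    stale=$(jvms_with_deleted_libjvm)
    [ -z "$stale" ] || echo "JVMs needing restart (PIDs): $stale"
    echo "java-1.7.0-openjdk is at or above $FIXED_VR"
}

if [ "${1:-}" = "--check" ]; then
    check_host
fi
```

Run it as `sh check-openjdk.sh --check` after `yum update java-1.7.0-openjdk`; a non-empty "JVMs needing restart" line means the package is fixed on disk but the listed processes are still executing the vulnerable code.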
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFS1d3/XlSAg2UNWIIRAqJ+AJ9kJVULNBLOQxAcGlVS83YYRD+VqQCfaW/S
Fzt3HINb9eypUrD3B76nwUQ=
=Swtc
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Wed Jan 15 01:02:33 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 15 Jan 2014 01:02:33 +0000
Subject: [RHSA-2014:0027-01] Important: java-1.7.0-openjdk security update
Message-ID: <201401150102.s0F12XGZ031576@int-mx12.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: java-1.7.0-openjdk security update
Advisory ID:       RHSA-2014:0027-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0027.html
Issue date:        2014-01-15
CVE Names:         CVE-2013-5878 CVE-2013-5884 CVE-2013-5893
                   CVE-2013-5896 CVE-2013-5907 CVE-2013-5910
                   CVE-2014-0368 CVE-2014-0373 CVE-2014-0376
                   CVE-2014-0411 CVE-2014-0416 CVE-2014-0422
                   CVE-2014-0423 CVE-2014-0428
=====================================================================

1. Summary:

Updated java-1.7.0-openjdk packages that fix various security issues are
now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux (v. 5 server) - i386, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64

3. Description:

These packages provide the OpenJDK 7 Java Runtime Environment and the
OpenJDK 7 Software Development Kit.

An input validation flaw was discovered in the font layout engine in the 2D
component. A specially crafted font file could trigger Java Virtual Machine
memory corruption when processed. An untrusted Java application or applet
could possibly use this flaw to bypass Java sandbox restrictions.
(CVE-2013-5907)

Multiple improper permission check issues were discovered in the CORBA,
JNDI, and Libraries components in OpenJDK. An untrusted Java application or
applet could use these flaws to bypass Java sandbox restrictions.
(CVE-2014-0428, CVE-2014-0422, CVE-2013-5893)

Multiple improper permission check issues were discovered in the
Serviceability, Security, CORBA, JAAS, JAXP, and Networking components in
OpenJDK. An untrusted Java application or applet could use these flaws to
bypass certain Java sandbox restrictions. (CVE-2014-0373, CVE-2013-5878,
CVE-2013-5910, CVE-2013-5896, CVE-2013-5884, CVE-2014-0416, CVE-2014-0376,
CVE-2014-0368)

It was discovered that the Beans component did not restrict processing of
XML external entities. This flaw could cause a Java application using Beans
to leak sensitive information, or affect application availability.
(CVE-2014-0423)

It was discovered that the JSSE component could leak timing information
during the TLS/SSL handshake. This could possibly lead to disclosure of
information about the used encryption keys. (CVE-2014-0411)

All users of java-1.7.0-openjdk are advised to upgrade to these updated
packages, which resolve these issues. All running instances of OpenJDK Java
must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1051519 - CVE-2014-0428 OpenJDK: insufficient security checks in IIOP streams (CORBA, 8025767)
1051528 - CVE-2014-0422 OpenJDK: insufficient package access checks in the Naming component (JNDI, 8025758)
1051549 - CVE-2013-5893 OpenJDK: JVM method processing issues (Libraries, 8029507)
1051699 - CVE-2014-0373 OpenJDK: SnmpStatusException handling issues (Serviceability, 7068126)
1051823 - CVE-2013-5878 OpenJDK: null xmlns handling issue (Security, 8025026)
1051911 - CVE-2013-5884 OpenJDK: insufficient security checks in CORBA stub factories (CORBA, 8026193)
1051912 - CVE-2014-0416 OpenJDK: insecure subject principals set handling (JAAS, 8024306)
1051923 - CVE-2014-0376 OpenJDK: document builder missing security checks (JAXP, 8027201, 8025018)
1052915 - CVE-2013-5907 ICU: Layout Engine LookupProcessor insufficient input checks (JDK 2D, 8025034)
1052919 - CVE-2014-0368 OpenJDK: insufficient Socket checkListen checks (Networking, 8011786)
1052942 - CVE-2013-5910 OpenJDK: XML canonicalizer mutable strings passed to untrusted code (Security, 8026417)
1053010 - CVE-2014-0411 OpenJDK: TLS/SSL handshake timing issues (JSSE, 8023069)
1053066 - CVE-2014-0423 OpenJDK: XXE issue in decoder (Beans, 8023245)
1053266 - CVE-2013-5896 OpenJDK: com.sun.corba.se. should be restricted package (CORBA, 8025022)

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/java-1.7.0-openjdk-1.7.0.51-2.4.4.1.el5_10.src.rpm

i386:
java-1.7.0-openjdk-1.7.0.51-2.4.4.1.el5_10.i386.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.51-2.4.4.1.el5_10.i386.rpm
java-1.7.0-openjdk-demo-1.7.0.51-2.4.4.1.el5_10.i386.rpm
java-1.7.0-openjdk-devel-1.7.0.51-2.4.4.1.el5_10.i386.rpm
java-1.7.0-openjdk-javadoc-1.7.0.51-2.4.4.1.el5_10.i386.rpm
java-1.7.0-openjdk-src-1.7.0.51-2.4.4.1.el5_10.i386.rpm

x86_64:
java-1.7.0-openjdk-1.7.0.51-2.4.4.1.el5_10.x86_64.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.51-2.4.4.1.el5_10.x86_64.rpm
java-1.7.0-openjdk-demo-1.7.0.51-2.4.4.1.el5_10.x86_64.rpm
java-1.7.0-openjdk-devel-1.7.0.51-2.4.4.1.el5_10.x86_64.rpm
java-1.7.0-openjdk-javadoc-1.7.0.51-2.4.4.1.el5_10.x86_64.rpm
java-1.7.0-openjdk-src-1.7.0.51-2.4.4.1.el5_10.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/java-1.7.0-openjdk-1.7.0.51-2.4.4.1.el5_10.src.rpm

i386:
java-1.7.0-openjdk-1.7.0.51-2.4.4.1.el5_10.i386.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.51-2.4.4.1.el5_10.i386.rpm
java-1.7.0-openjdk-demo-1.7.0.51-2.4.4.1.el5_10.i386.rpm
java-1.7.0-openjdk-devel-1.7.0.51-2.4.4.1.el5_10.i386.rpm
java-1.7.0-openjdk-javadoc-1.7.0.51-2.4.4.1.el5_10.i386.rpm
java-1.7.0-openjdk-src-1.7.0.51-2.4.4.1.el5_10.i386.rpm

x86_64:
java-1.7.0-openjdk-1.7.0.51-2.4.4.1.el5_10.x86_64.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.51-2.4.4.1.el5_10.x86_64.rpm
java-1.7.0-openjdk-demo-1.7.0.51-2.4.4.1.el5_10.x86_64.rpm
java-1.7.0-openjdk-devel-1.7.0.51-2.4.4.1.el5_10.x86_64.rpm
java-1.7.0-openjdk-javadoc-1.7.0.51-2.4.4.1.el5_10.x86_64.rpm
java-1.7.0-openjdk-src-1.7.0.51-2.4.4.1.el5_10.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-5878.html
https://www.redhat.com/security/data/cve/CVE-2013-5884.html
https://www.redhat.com/security/data/cve/CVE-2013-5893.html
https://www.redhat.com/security/data/cve/CVE-2013-5896.html
https://www.redhat.com/security/data/cve/CVE-2013-5907.html
https://www.redhat.com/security/data/cve/CVE-2013-5910.html
https://www.redhat.com/security/data/cve/CVE-2014-0368.html
https://www.redhat.com/security/data/cve/CVE-2014-0373.html
https://www.redhat.com/security/data/cve/CVE-2014-0376.html
https://www.redhat.com/security/data/cve/CVE-2014-0411.html
https://www.redhat.com/security/data/cve/CVE-2014-0416.html
https://www.redhat.com/security/data/cve/CVE-2014-0422.html
https://www.redhat.com/security/data/cve/CVE-2014-0423.html
https://www.redhat.com/security/data/cve/CVE-2014-0428.html
https://access.redhat.com/security/updates/classification/#important
http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
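Every advisory in this digest ends with the note that the packages are GPG signed and points at Red Hat's key page. The check has one trap worth knowing: `rpm -K` (alias `rpm --checksig`) exits 0 for an unsigned package whose digests merely match, so a script that tests only the exit status will happily install an unsigned RPM. The script below is an added example, not Red Hat's code; it classifies each line of `rpm -K` output and rejects anything that does not carry a verified OpenPGP signature. The line formats it parses are assumed to be those of rpm 4.8 on RHEL 6 (signed: "rsa sha1 (md5) pgp md5 OK"; digests only: "sha1 md5 OK"; failure: "... NOT OK (...)"), and the key file path /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release is assumed to be the standard location on RHEL; import the key from the URL in the advisory if your host does not have it.

```shell
#!/bin/sh
# Added example, not part of the Red Hat advisory: refuse to install RPMs
# that do not carry a verified Red Hat signature. rpm -K exits 0 for an
# unsigned package with good digests, so its output text is inspected.

# Assumption: standard RHEL location of the Red Hat release signing key.
REDHAT_KEY="/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"

# classify_checksig LINE: classify one line of `rpm -K` output as
# "signed" (OpenPGP signature verified), "unsigned" (digests only) or
# "bad" (verification failed or unrecognised). Formats assumed from
# rpm 4.8 (RHEL 6):
#   pkg.rpm: rsa sha1 (md5) pgp md5 OK
#   pkg.rpm: sha1 md5 OK
#   pkg.rpm: RSA sha1 (MD5) (PGP) md5 NOT OK (MISSING KEYS: PGP#...)
# rpm prints a verified signature tag in lowercase (pgp/gpg) and an
# unverifiable one in uppercase, which is why the case patterns differ.
classify_checksig() {
    case "$1" in
        *"NOT OK"*)             echo bad ;;
        *" pgp "*|*" gpg "*)    echo signed ;;
        *" OK")                 echo unsigned ;;
        *)                      echo bad ;;
    esac
}

# verdict_stream: read `rpm -K` lines on stdin; succeed only if every
# package is "signed". Rejected lines are reported on stderr.
verdict_stream() {
    rc=0
    while IFS= read -r line; do
        verdict=$(classify_checksig "$line")
        if [ "$verdict" != signed ]; then
            echo "REJECT ($verdict): $line" >&2
            rc=1
        fi
    done
    return $rc
}

# all_signed FILE...: import the Red Hat key if needed, then verify every
# package given on the command line.
all_signed() {
    # Keys already imported show up as gpg-pubkey pseudo-packages.
    if ! rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE} %{SUMMARY}\n' \
            | grep -qi 'red hat'; then
        rpm --import "$REDHAT_KEY" || return 1
    fi
    rpm -K "$@" | verdict_stream
}

# Usage: sh verify-rpms.sh java-1.7.0-openjdk-*.rpm && yum localupdate java-1.7.0-openjdk-*.rpm
if [ $# -gt 0 ]; then
    all_signed "$@"
fi
```

The `rpm -q gpg-pubkey` listing is the quickest way to see which signing keys the rpm database already trusts; compare the key it reports against the key page linked in the advisory before importing anything, since a key imported from an untrusted source would make the whole check meaningless.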
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFS1d4aXlSAg2UNWIIRAgZKAKCBy9gXYH6jl4u5kowgI7R4o6ZGmgCgwg61
igdbd+dHMmGNq/eCYK5L1d8=
=qliy
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Wed Jan 15 11:05:53 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 15 Jan 2014 11:05:53 +0000
Subject: [RHSA-2014:0028-01] Critical: flash-plugin security update
Message-ID: <201401151101.s0FB1R0H012415@int-mx02.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: flash-plugin security update
Advisory ID:       RHSA-2014:0028-01
Product:           Red Hat Enterprise Linux Supplementary
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0028.html
Issue date:        2014-01-15
CVE Names:         CVE-2014-0491 CVE-2014-0492
=====================================================================

1. Summary:

An updated Adobe Flash Player package that fixes two security issues is now
available for Red Hat Enterprise Linux 5 and 6 Supplementary.

The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64

3. Description:

The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in.

This update fixes multiple vulnerabilities in Adobe Flash Player. These
vulnerabilities are detailed in the Adobe Security bulletin APSB14-02,
listed in the References section.

Specially-crafted SWF content could cause flash-plugin to crash or,
potentially, execute arbitrary code when a victim loads a page containing
the malicious SWF content. (CVE-2014-0491, CVE-2014-0492)

All users of Adobe Flash Player should install this updated package, which
upgrades Flash Player to version 11.2.202.335.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1053233 - CVE-2014-0491 flash-plugin: security protection bypass (APSB14-02)
1053235 - CVE-2014-0492 flash-plugin: memory address layout randomization defeat (APSB14-02)

6. Package List:

Red Hat Enterprise Linux Desktop Supplementary (v. 5):

i386:
flash-plugin-11.2.202.335-1.el5.i386.rpm

x86_64:
flash-plugin-11.2.202.335-1.el5.i386.rpm

Red Hat Enterprise Linux Server Supplementary (v. 5):

i386:
flash-plugin-11.2.202.335-1.el5.i386.rpm

x86_64:
flash-plugin-11.2.202.335-1.el5.i386.rpm

Red Hat Enterprise Linux Desktop Supplementary (v. 6):

i386:
flash-plugin-11.2.202.335-1.el6.i686.rpm

x86_64:
flash-plugin-11.2.202.335-1.el6.i686.rpm

Red Hat Enterprise Linux Server Supplementary (v. 6):

i386:
flash-plugin-11.2.202.335-1.el6.i686.rpm

x86_64:
flash-plugin-11.2.202.335-1.el6.i686.rpm

Red Hat Enterprise Linux Workstation Supplementary (v. 6):

i386:
flash-plugin-11.2.202.335-1.el6.i686.rpm

x86_64:
flash-plugin-11.2.202.335-1.el6.i686.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2014-0491.html
https://www.redhat.com/security/data/cve/CVE-2014-0492.html
https://access.redhat.com/security/updates/classification/#critical
http://helpx.adobe.com/security/products/flash-player/apsb14-02.html

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFS1mo5XlSAg2UNWIIRAjF3AJ9x66tioj5HSmFU/HvO9WIkLIwYDQCfZGx7
yZGuqfbbQeLtY4YWCbh+gHI=
=evNa
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Wed Jan 15 19:21:24 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 15 Jan 2014 19:21:24 +0000
Subject: [RHSA-2014:0030-01] Critical: java-1.7.0-oracle security update
Message-ID: <201401151921.s0FJLOL6025099@int-mx12.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: java-1.7.0-oracle security update
Advisory ID:       RHSA-2014:0030-01
Product:           Red Hat Enterprise Linux Supplementary
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0030.html
Issue date:        2014-01-15
CVE Names:         CVE-2013-5870 CVE-2013-5878 CVE-2013-5884
                   CVE-2013-5887 CVE-2013-5888 CVE-2013-5889
                   CVE-2013-5893 CVE-2013-5895 CVE-2013-5896
                   CVE-2013-5898 CVE-2013-5899 CVE-2013-5902
                   CVE-2013-5904 CVE-2013-5905 CVE-2013-5906
                   CVE-2013-5907 CVE-2013-5910 CVE-2014-0368
                   CVE-2014-0373 CVE-2014-0375 CVE-2014-0376
                   CVE-2014-0382 CVE-2014-0387 CVE-2014-0403
                   CVE-2014-0410 CVE-2014-0411 CVE-2014-0415
                   CVE-2014-0416 CVE-2014-0417 CVE-2014-0418
                   CVE-2014-0422 CVE-2014-0423 CVE-2014-0424
                   CVE-2014-0428
=====================================================================

1. Summary:

Updated java-1.7.0-oracle packages that fix several security issues are now
available for Red Hat Enterprise Linux 5 and 6 Supplementary.

The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node Supplementary (v. 6) - x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64

3. Description:

Oracle Java SE version 7 includes the Oracle Java Runtime Environment and
the Oracle Java Software Development Kit.

This update fixes several vulnerabilities in the Oracle Java Runtime
Environment and the Oracle Java Software Development Kit. Further
information about these flaws can be found on the Oracle Java SE Critical
Patch Update Advisory page, listed in the References section.
(CVE-2013-5870, CVE-2013-5878, CVE-2013-5884, CVE-2013-5887, CVE-2013-5888,
CVE-2013-5889, CVE-2013-5893, CVE-2013-5895, CVE-2013-5896, CVE-2013-5898,
CVE-2013-5899, CVE-2013-5902, CVE-2013-5904, CVE-2013-5905, CVE-2013-5906,
CVE-2013-5907, CVE-2013-5910, CVE-2014-0368, CVE-2014-0373, CVE-2014-0375,
CVE-2014-0376, CVE-2014-0382, CVE-2014-0387, CVE-2014-0403, CVE-2014-0410,
CVE-2014-0411, CVE-2014-0415, CVE-2014-0416, CVE-2014-0417, CVE-2014-0418,
CVE-2014-0422, CVE-2014-0423, CVE-2014-0424, CVE-2014-0428)

All users of java-1.7.0-oracle are advised to upgrade to these updated
packages, which provide Oracle Java 7 Update 51 and resolve these issues.
All running instances of Oracle Java must be restarted for the update to
take effect.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1051519 - CVE-2014-0428 OpenJDK: insufficient security checks in IIOP streams (CORBA, 8025767)
1051528 - CVE-2014-0422 OpenJDK: insufficient package access checks in the Naming component (JNDI, 8025758)
1051549 - CVE-2013-5893 OpenJDK: JVM method processing issues (Libraries, 8029507)
1051699 - CVE-2014-0373 OpenJDK: SnmpStatusException handling issues (Serviceability, 7068126)
1051823 - CVE-2013-5878 OpenJDK: null xmlns handling issue (Security, 8025026)
1051911 - CVE-2013-5884 OpenJDK: insufficient security checks in CORBA stub factories (CORBA, 8026193)
1051912 - CVE-2014-0416 OpenJDK: insecure subject principals set handling (JAAS, 8024306)
1051923 - CVE-2014-0376 OpenJDK: document builder missing security checks (JAXP, 8027201, 8025018)
1052915 - CVE-2013-5907 ICU: Layout Engine LookupProcessor insufficient input checks (JDK 2D, 8025034)
1052919 - CVE-2014-0368 OpenJDK: insufficient Socket checkListen checks (Networking, 8011786)
1052942 - CVE-2013-5910 OpenJDK: XML canonicalizer mutable strings passed to untrusted code (Security, 8026417)
1053010 - CVE-2014-0411 OpenJDK: TLS/SSL handshake timing issues (JSSE, 8023069)
1053066 - CVE-2014-0423 OpenJDK: XXE issue in decoder (Beans, 8023245)
1053266 - CVE-2013-5896 OpenJDK: com.sun.corba.se. should be restricted package (CORBA, 8025022)
1053495 - CVE-2014-0410 Oracle JDK: unspecified vulnerability fixed in 6u71 and 7u51 (Deployment)
1053496 - CVE-2014-0415 Oracle JDK: unspecified vulnerability fixed in 6u71 and 7u51 (Deployment)
1053499 - CVE-2013-5889 Oracle JDK: unspecified vulnerability fixed in 6u71 and 7u51 (Deployment)
1053501 - CVE-2014-0417 Oracle JDK: unspecified vulnerability fixed in 5.0u71, 6u71 and 7u51 (2D)
1053502 - CVE-2014-0387 Oracle JDK: unspecified vulnerability fixed in 6u71 and 7u51 (Deployment)
1053504 - CVE-2014-0424 Oracle JDK: unspecified vulnerability fixed in 6u71 and 7u51 (Deployment)
1053506 - CVE-2013-5904 Oracle JDK: unspecified vulnerability fixed in 7u51 (Deployment)
1053507 - CVE-2014-0403 Oracle JDK: unspecified vulnerability fixed in 6u71 and 7u51 (Deployment)
1053508 - CVE-2014-0375 Oracle JDK: unspecified vulnerability fixed in 6u71 and 7u51 (Deployment)
1053509 - CVE-2013-5905 Oracle JDK: unspecified vulnerability fixed in 5.0u71, 6u71 and 7u51 (Install)
1053510 - CVE-2013-5906 Oracle JDK: unspecified vulnerability fixed in 5.0u71, 6u71 and 7u51 (Install)
1053512 - CVE-2013-5902 Oracle JDK: unspecified vulnerability fixed in 6u71 and 7u51 (Deployment)
1053513 - CVE-2014-0418 Oracle JDK: unspecified vulnerability fixed in 6u71 and 7u51 (Deployment)
1053515 - CVE-2013-5887 Oracle JDK: unspecified vulnerability fixed in 6u71 and 7u51 (Deployment)
1053516 - CVE-2013-5899 Oracle JDK: unspecified vulnerability fixed in 6u71 and 7u51 (Deployment)
1053517 - CVE-2013-5888 Oracle JDK: unspecified vulnerability fixed in 6u71 and 7u51 (Deployment)
1053518 - CVE-2013-5898 Oracle JDK: unspecified vulnerability fixed in 6u71 and 7u51 (Deployment)
1053540 - CVE-2013-5870 CVE-2013-5895 CVE-2014-0382 Oracle JDK: multiple unspecified vulnerabilities fixed in 7u51 (JavaFX)

6. Package List:

Red Hat Enterprise Linux Desktop Supplementary (v. 5):

i386:
java-1.7.0-oracle-1.7.0.51-1jpp.1.el5_10.i386.rpm
java-1.7.0-oracle-devel-1.7.0.51-1jpp.1.el5_10.i386.rpm
java-1.7.0-oracle-javafx-1.7.0.51-1jpp.1.el5_10.i386.rpm
java-1.7.0-oracle-jdbc-1.7.0.51-1jpp.1.el5_10.i386.rpm
java-1.7.0-oracle-plugin-1.7.0.51-1jpp.1.el5_10.i386.rpm
java-1.7.0-oracle-src-1.7.0.51-1jpp.1.el5_10.i386.rpm

x86_64:
java-1.7.0-oracle-1.7.0.51-1jpp.1.el5_10.x86_64.rpm
java-1.7.0-oracle-devel-1.7.0.51-1jpp.1.el5_10.x86_64.rpm
java-1.7.0-oracle-javafx-1.7.0.51-1jpp.1.el5_10.x86_64.rpm
java-1.7.0-oracle-jdbc-1.7.0.51-1jpp.1.el5_10.x86_64.rpm
java-1.7.0-oracle-plugin-1.7.0.51-1jpp.1.el5_10.x86_64.rpm
java-1.7.0-oracle-src-1.7.0.51-1jpp.1.el5_10.x86_64.rpm

Red Hat Enterprise Linux Server Supplementary (v. 5):

i386:
java-1.7.0-oracle-1.7.0.51-1jpp.1.el5_10.i386.rpm
java-1.7.0-oracle-devel-1.7.0.51-1jpp.1.el5_10.i386.rpm
java-1.7.0-oracle-javafx-1.7.0.51-1jpp.1.el5_10.i386.rpm
java-1.7.0-oracle-jdbc-1.7.0.51-1jpp.1.el5_10.i386.rpm
java-1.7.0-oracle-plugin-1.7.0.51-1jpp.1.el5_10.i386.rpm
java-1.7.0-oracle-src-1.7.0.51-1jpp.1.el5_10.i386.rpm

x86_64:
java-1.7.0-oracle-1.7.0.51-1jpp.1.el5_10.x86_64.rpm
java-1.7.0-oracle-devel-1.7.0.51-1jpp.1.el5_10.x86_64.rpm
java-1.7.0-oracle-javafx-1.7.0.51-1jpp.1.el5_10.x86_64.rpm
java-1.7.0-oracle-jdbc-1.7.0.51-1jpp.1.el5_10.x86_64.rpm
java-1.7.0-oracle-plugin-1.7.0.51-1jpp.1.el5_10.x86_64.rpm
java-1.7.0-oracle-src-1.7.0.51-1jpp.1.el5_10.x86_64.rpm

Red Hat Enterprise Linux Desktop Supplementary (v. 6):

i386:
java-1.7.0-oracle-1.7.0.51-1jpp.1.el6_5.i686.rpm
java-1.7.0-oracle-devel-1.7.0.51-1jpp.1.el6_5.i686.rpm
java-1.7.0-oracle-javafx-1.7.0.51-1jpp.1.el6_5.i686.rpm
java-1.7.0-oracle-jdbc-1.7.0.51-1jpp.1.el6_5.i686.rpm
java-1.7.0-oracle-plugin-1.7.0.51-1jpp.1.el6_5.i686.rpm
java-1.7.0-oracle-src-1.7.0.51-1jpp.1.el6_5.i686.rpm

x86_64:
java-1.7.0-oracle-1.7.0.51-1jpp.1.el6_5.x86_64.rpm
java-1.7.0-oracle-devel-1.7.0.51-1jpp.1.el6_5.x86_64.rpm
java-1.7.0-oracle-javafx-1.7.0.51-1jpp.1.el6_5.x86_64.rpm
java-1.7.0-oracle-jdbc-1.7.0.51-1jpp.1.el6_5.x86_64.rpm
java-1.7.0-oracle-plugin-1.7.0.51-1jpp.1.el6_5.x86_64.rpm
java-1.7.0-oracle-src-1.7.0.51-1jpp.1.el6_5.x86_64.rpm

Red Hat Enterprise Linux HPC Node Supplementary (v. 6):

x86_64:
java-1.7.0-oracle-1.7.0.51-1jpp.1.el6_5.x86_64.rpm
java-1.7.0-oracle-devel-1.7.0.51-1jpp.1.el6_5.x86_64.rpm
java-1.7.0-oracle-javafx-1.7.0.51-1jpp.1.el6_5.x86_64.rpm
java-1.7.0-oracle-src-1.7.0.51-1jpp.1.el6_5.x86_64.rpm

Red Hat Enterprise Linux Server Supplementary (v. 6):

i386:
java-1.7.0-oracle-1.7.0.51-1jpp.1.el6_5.i686.rpm
java-1.7.0-oracle-devel-1.7.0.51-1jpp.1.el6_5.i686.rpm
java-1.7.0-oracle-javafx-1.7.0.51-1jpp.1.el6_5.i686.rpm
java-1.7.0-oracle-jdbc-1.7.0.51-1jpp.1.el6_5.i686.rpm
java-1.7.0-oracle-plugin-1.7.0.51-1jpp.1.el6_5.i686.rpm
java-1.7.0-oracle-src-1.7.0.51-1jpp.1.el6_5.i686.rpm

x86_64:
java-1.7.0-oracle-1.7.0.51-1jpp.1.el6_5.x86_64.rpm
java-1.7.0-oracle-devel-1.7.0.51-1jpp.1.el6_5.x86_64.rpm
java-1.7.0-oracle-javafx-1.7.0.51-1jpp.1.el6_5.x86_64.rpm
java-1.7.0-oracle-jdbc-1.7.0.51-1jpp.1.el6_5.x86_64.rpm
java-1.7.0-oracle-plugin-1.7.0.51-1jpp.1.el6_5.x86_64.rpm
java-1.7.0-oracle-src-1.7.0.51-1jpp.1.el6_5.x86_64.rpm

Red Hat Enterprise Linux Workstation Supplementary (v. 6):

i386:
java-1.7.0-oracle-1.7.0.51-1jpp.1.el6_5.i686.rpm
java-1.7.0-oracle-devel-1.7.0.51-1jpp.1.el6_5.i686.rpm
java-1.7.0-oracle-javafx-1.7.0.51-1jpp.1.el6_5.i686.rpm
java-1.7.0-oracle-jdbc-1.7.0.51-1jpp.1.el6_5.i686.rpm
java-1.7.0-oracle-plugin-1.7.0.51-1jpp.1.el6_5.i686.rpm
java-1.7.0-oracle-src-1.7.0.51-1jpp.1.el6_5.i686.rpm

x86_64:
java-1.7.0-oracle-1.7.0.51-1jpp.1.el6_5.x86_64.rpm
java-1.7.0-oracle-devel-1.7.0.51-1jpp.1.el6_5.x86_64.rpm
java-1.7.0-oracle-javafx-1.7.0.51-1jpp.1.el6_5.x86_64.rpm
java-1.7.0-oracle-jdbc-1.7.0.51-1jpp.1.el6_5.x86_64.rpm
java-1.7.0-oracle-plugin-1.7.0.51-1jpp.1.el6_5.x86_64.rpm
java-1.7.0-oracle-src-1.7.0.51-1jpp.1.el6_5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-5870.html
https://www.redhat.com/security/data/cve/CVE-2013-5878.html
https://www.redhat.com/security/data/cve/CVE-2013-5884.html
https://www.redhat.com/security/data/cve/CVE-2013-5887.html
https://www.redhat.com/security/data/cve/CVE-2013-5888.html
https://www.redhat.com/security/data/cve/CVE-2013-5889.html
https://www.redhat.com/security/data/cve/CVE-2013-5893.html
https://www.redhat.com/security/data/cve/CVE-2013-5895.html
https://www.redhat.com/security/data/cve/CVE-2013-5896.html
https://www.redhat.com/security/data/cve/CVE-2013-5898.html
https://www.redhat.com/security/data/cve/CVE-2013-5899.html
https://www.redhat.com/security/data/cve/CVE-2013-5902.html
https://www.redhat.com/security/data/cve/CVE-2013-5904.html
https://www.redhat.com/security/data/cve/CVE-2013-5905.html
https://www.redhat.com/security/data/cve/CVE-2013-5906.html
https://www.redhat.com/security/data/cve/CVE-2013-5907.html
https://www.redhat.com/security/data/cve/CVE-2013-5910.html
https://www.redhat.com/security/data/cve/CVE-2014-0368.html
https://www.redhat.com/security/data/cve/CVE-2014-0373.html https://www.redhat.com/security/data/cve/CVE-2014-0375.html https://www.redhat.com/security/data/cve/CVE-2014-0376.html https://www.redhat.com/security/data/cve/CVE-2014-0382.html https://www.redhat.com/security/data/cve/CVE-2014-0387.html https://www.redhat.com/security/data/cve/CVE-2014-0403.html https://www.redhat.com/security/data/cve/CVE-2014-0410.html https://www.redhat.com/security/data/cve/CVE-2014-0411.html https://www.redhat.com/security/data/cve/CVE-2014-0415.html https://www.redhat.com/security/data/cve/CVE-2014-0416.html https://www.redhat.com/security/data/cve/CVE-2014-0417.html https://www.redhat.com/security/data/cve/CVE-2014-0418.html https://www.redhat.com/security/data/cve/CVE-2014-0422.html https://www.redhat.com/security/data/cve/CVE-2014-0423.html https://www.redhat.com/security/data/cve/CVE-2014-0424.html https://www.redhat.com/security/data/cve/CVE-2014-0428.html https://access.redhat.com/security/updates/classification/#critical http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2014 Red Hat, Inc. 
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFS1t9pXlSAg2UNWIIRAoCWAKCdFkp5zTcj6z1szwR8GPE2L6zX5QCeLood 04l6yCZvH4NU7kNtiTECTqk= =cZuX -----END PGP SIGNATURE----- From bugzilla at redhat.com Mon Jan 20 17:36:20 2014 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Mon, 20 Jan 2014 17:36:20 +0000 Subject: [RHSA-2014:0043-01] Moderate: bind security update Message-ID: <201401201736.s0KHaKj5027806@int-mx02.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: bind security update Advisory ID: RHSA-2014:0043-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-0043.html Issue date: 2014-01-20 CVE Names: CVE-2014-0591 ===================================================================== 1. Summary: Updated bind packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node (v. 6) - x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64 3. Description: The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. 
BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.

A denial of service flaw was found in the way BIND handled queries for NSEC3-signed zones. A remote attacker could use this flaw against an authoritative name server that served NSEC3-signed zones by sending a specially crafted query, which, when processed, would cause named to crash. (CVE-2014-0591)

All bind users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the update, the BIND daemon (named) will be restarted automatically.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1051717 - CVE-2014-0591 bind: named crash when handling malformed NSEC3-signed zones

6. Package List:

Red Hat Enterprise Linux Desktop (v. 6):

Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/bind-9.8.2-0.23.rc1.el6_5.1.src.rpm

i386:
bind-debuginfo-9.8.2-0.23.rc1.el6_5.1.i686.rpm
bind-libs-9.8.2-0.23.rc1.el6_5.1.i686.rpm
bind-utils-9.8.2-0.23.rc1.el6_5.1.i686.rpm

x86_64:
bind-debuginfo-9.8.2-0.23.rc1.el6_5.1.i686.rpm
bind-debuginfo-9.8.2-0.23.rc1.el6_5.1.x86_64.rpm
bind-libs-9.8.2-0.23.rc1.el6_5.1.i686.rpm
bind-libs-9.8.2-0.23.rc1.el6_5.1.x86_64.rpm
bind-utils-9.8.2-0.23.rc1.el6_5.1.x86_64.rpm

Red Hat Enterprise Linux Desktop Optional (v.
6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/bind-9.8.2-0.23.rc1.el6_5.1.src.rpm i386: bind-9.8.2-0.23.rc1.el6_5.1.i686.rpm bind-chroot-9.8.2-0.23.rc1.el6_5.1.i686.rpm bind-debuginfo-9.8.2-0.23.rc1.el6_5.1.i686.rpm bind-devel-9.8.2-0.23.rc1.el6_5.1.i686.rpm bind-sdb-9.8.2-0.23.rc1.el6_5.1.i686.rpm x86_64: bind-9.8.2-0.23.rc1.el6_5.1.x86_64.rpm bind-chroot-9.8.2-0.23.rc1.el6_5.1.x86_64.rpm bind-debuginfo-9.8.2-0.23.rc1.el6_5.1.i686.rpm bind-debuginfo-9.8.2-0.23.rc1.el6_5.1.x86_64.rpm bind-devel-9.8.2-0.23.rc1.el6_5.1.i686.rpm bind-devel-9.8.2-0.23.rc1.el6_5.1.x86_64.rpm bind-sdb-9.8.2-0.23.rc1.el6_5.1.x86_64.rpm Red Hat Enterprise Linux HPC Node (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/bind-9.8.2-0.23.rc1.el6_5.1.src.rpm x86_64: bind-debuginfo-9.8.2-0.23.rc1.el6_5.1.i686.rpm bind-debuginfo-9.8.2-0.23.rc1.el6_5.1.x86_64.rpm bind-libs-9.8.2-0.23.rc1.el6_5.1.i686.rpm bind-libs-9.8.2-0.23.rc1.el6_5.1.x86_64.rpm bind-utils-9.8.2-0.23.rc1.el6_5.1.x86_64.rpm Red Hat Enterprise Linux HPC Node Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/bind-9.8.2-0.23.rc1.el6_5.1.src.rpm x86_64: bind-9.8.2-0.23.rc1.el6_5.1.x86_64.rpm bind-chroot-9.8.2-0.23.rc1.el6_5.1.x86_64.rpm bind-debuginfo-9.8.2-0.23.rc1.el6_5.1.i686.rpm bind-debuginfo-9.8.2-0.23.rc1.el6_5.1.x86_64.rpm bind-devel-9.8.2-0.23.rc1.el6_5.1.i686.rpm bind-devel-9.8.2-0.23.rc1.el6_5.1.x86_64.rpm bind-sdb-9.8.2-0.23.rc1.el6_5.1.x86_64.rpm Red Hat Enterprise Linux Server (v. 
6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/bind-9.8.2-0.23.rc1.el6_5.1.src.rpm i386: bind-9.8.2-0.23.rc1.el6_5.1.i686.rpm bind-chroot-9.8.2-0.23.rc1.el6_5.1.i686.rpm bind-debuginfo-9.8.2-0.23.rc1.el6_5.1.i686.rpm bind-libs-9.8.2-0.23.rc1.el6_5.1.i686.rpm bind-utils-9.8.2-0.23.rc1.el6_5.1.i686.rpm ppc64: bind-9.8.2-0.23.rc1.el6_5.1.ppc64.rpm bind-chroot-9.8.2-0.23.rc1.el6_5.1.ppc64.rpm bind-debuginfo-9.8.2-0.23.rc1.el6_5.1.ppc.rpm bind-debuginfo-9.8.2-0.23.rc1.el6_5.1.ppc64.rpm bind-libs-9.8.2-0.23.rc1.el6_5.1.ppc.rpm bind-libs-9.8.2-0.23.rc1.el6_5.1.ppc64.rpm bind-utils-9.8.2-0.23.rc1.el6_5.1.ppc64.rpm s390x: bind-9.8.2-0.23.rc1.el6_5.1.s390x.rpm bind-chroot-9.8.2-0.23.rc1.el6_5.1.s390x.rpm bind-debuginfo-9.8.2-0.23.rc1.el6_5.1.s390.rpm bind-debuginfo-9.8.2-0.23.rc1.el6_5.1.s390x.rpm bind-libs-9.8.2-0.23.rc1.el6_5.1.s390.rpm bind-libs-9.8.2-0.23.rc1.el6_5.1.s390x.rpm bind-utils-9.8.2-0.23.rc1.el6_5.1.s390x.rpm x86_64: bind-9.8.2-0.23.rc1.el6_5.1.x86_64.rpm bind-chroot-9.8.2-0.23.rc1.el6_5.1.x86_64.rpm bind-debuginfo-9.8.2-0.23.rc1.el6_5.1.i686.rpm bind-debuginfo-9.8.2-0.23.rc1.el6_5.1.x86_64.rpm bind-libs-9.8.2-0.23.rc1.el6_5.1.i686.rpm bind-libs-9.8.2-0.23.rc1.el6_5.1.x86_64.rpm bind-utils-9.8.2-0.23.rc1.el6_5.1.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 
6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/bind-9.8.2-0.23.rc1.el6_5.1.src.rpm i386: bind-debuginfo-9.8.2-0.23.rc1.el6_5.1.i686.rpm bind-devel-9.8.2-0.23.rc1.el6_5.1.i686.rpm bind-sdb-9.8.2-0.23.rc1.el6_5.1.i686.rpm ppc64: bind-debuginfo-9.8.2-0.23.rc1.el6_5.1.ppc.rpm bind-debuginfo-9.8.2-0.23.rc1.el6_5.1.ppc64.rpm bind-devel-9.8.2-0.23.rc1.el6_5.1.ppc.rpm bind-devel-9.8.2-0.23.rc1.el6_5.1.ppc64.rpm bind-sdb-9.8.2-0.23.rc1.el6_5.1.ppc64.rpm s390x: bind-debuginfo-9.8.2-0.23.rc1.el6_5.1.s390.rpm bind-debuginfo-9.8.2-0.23.rc1.el6_5.1.s390x.rpm bind-devel-9.8.2-0.23.rc1.el6_5.1.s390.rpm bind-devel-9.8.2-0.23.rc1.el6_5.1.s390x.rpm bind-sdb-9.8.2-0.23.rc1.el6_5.1.s390x.rpm x86_64: bind-debuginfo-9.8.2-0.23.rc1.el6_5.1.i686.rpm bind-debuginfo-9.8.2-0.23.rc1.el6_5.1.x86_64.rpm bind-devel-9.8.2-0.23.rc1.el6_5.1.i686.rpm bind-devel-9.8.2-0.23.rc1.el6_5.1.x86_64.rpm bind-sdb-9.8.2-0.23.rc1.el6_5.1.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/bind-9.8.2-0.23.rc1.el6_5.1.src.rpm i386: bind-9.8.2-0.23.rc1.el6_5.1.i686.rpm bind-chroot-9.8.2-0.23.rc1.el6_5.1.i686.rpm bind-debuginfo-9.8.2-0.23.rc1.el6_5.1.i686.rpm bind-libs-9.8.2-0.23.rc1.el6_5.1.i686.rpm bind-utils-9.8.2-0.23.rc1.el6_5.1.i686.rpm x86_64: bind-9.8.2-0.23.rc1.el6_5.1.x86_64.rpm bind-chroot-9.8.2-0.23.rc1.el6_5.1.x86_64.rpm bind-debuginfo-9.8.2-0.23.rc1.el6_5.1.i686.rpm bind-debuginfo-9.8.2-0.23.rc1.el6_5.1.x86_64.rpm bind-libs-9.8.2-0.23.rc1.el6_5.1.i686.rpm bind-libs-9.8.2-0.23.rc1.el6_5.1.x86_64.rpm bind-utils-9.8.2-0.23.rc1.el6_5.1.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 
6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/bind-9.8.2-0.23.rc1.el6_5.1.src.rpm i386: bind-debuginfo-9.8.2-0.23.rc1.el6_5.1.i686.rpm bind-devel-9.8.2-0.23.rc1.el6_5.1.i686.rpm bind-sdb-9.8.2-0.23.rc1.el6_5.1.i686.rpm x86_64: bind-debuginfo-9.8.2-0.23.rc1.el6_5.1.i686.rpm bind-debuginfo-9.8.2-0.23.rc1.el6_5.1.x86_64.rpm bind-devel-9.8.2-0.23.rc1.el6_5.1.i686.rpm bind-devel-9.8.2-0.23.rc1.el6_5.1.x86_64.rpm bind-sdb-9.8.2-0.23.rc1.el6_5.1.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2014-0591.html https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2014 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFS3V5nXlSAg2UNWIIRAoV0AKCSbT53H24GJqRpGNsrysYBhzkmCACgrcWT kTa8fejB438czpcUwJGE/Pw= =xyS6 -----END PGP SIGNATURE----- From bugzilla at redhat.com Mon Jan 20 17:37:23 2014 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Mon, 20 Jan 2014 17:37:23 +0000 Subject: [RHSA-2014:0044-01] Moderate: augeas security update Message-ID: <201401201737.s0KHbNJO017324@int-mx01.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: augeas security update Advisory ID: RHSA-2014:0044-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-0044.html Issue date: 2014-01-20 CVE Names: CVE-2013-6412 ===================================================================== 1. Summary: Updated augeas packages that fix one security issue are now available for Red Hat Enterprise Linux 6. 
The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node (v. 6) - x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64 3. Description: Augeas is a utility for editing configuration. Augeas parses configuration files in their native formats and transforms them into a tree. Configuration changes are made by manipulating this tree and saving it back into native configuration files. Augeas also uses "lenses" as basic building blocks for establishing the mapping from files into the Augeas tree and back. A flaw was found in the way Augeas handled certain umask settings when creating new configuration files. This flaw could result in configuration files being created as world writable, allowing unprivileged local users to modify their content. (CVE-2013-6412) This issue was discovered by the Red Hat Security Response Team. All augeas users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. All running applications using augeas must be restarted for the update to take effect. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via the Red Hat Network. 
Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1034261 - CVE-2013-6412 augeas: incorrect permissions set on newly created files 6. Package List: Red Hat Enterprise Linux Desktop (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/augeas-1.0.0-5.el6_5.1.src.rpm i386: augeas-debuginfo-1.0.0-5.el6_5.1.i686.rpm augeas-libs-1.0.0-5.el6_5.1.i686.rpm x86_64: augeas-debuginfo-1.0.0-5.el6_5.1.i686.rpm augeas-debuginfo-1.0.0-5.el6_5.1.x86_64.rpm augeas-libs-1.0.0-5.el6_5.1.i686.rpm augeas-libs-1.0.0-5.el6_5.1.x86_64.rpm Red Hat Enterprise Linux Desktop Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/augeas-1.0.0-5.el6_5.1.src.rpm i386: augeas-1.0.0-5.el6_5.1.i686.rpm augeas-debuginfo-1.0.0-5.el6_5.1.i686.rpm augeas-devel-1.0.0-5.el6_5.1.i686.rpm x86_64: augeas-1.0.0-5.el6_5.1.x86_64.rpm augeas-debuginfo-1.0.0-5.el6_5.1.i686.rpm augeas-debuginfo-1.0.0-5.el6_5.1.x86_64.rpm augeas-devel-1.0.0-5.el6_5.1.i686.rpm augeas-devel-1.0.0-5.el6_5.1.x86_64.rpm Red Hat Enterprise Linux HPC Node (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/augeas-1.0.0-5.el6_5.1.src.rpm x86_64: augeas-debuginfo-1.0.0-5.el6_5.1.i686.rpm augeas-debuginfo-1.0.0-5.el6_5.1.x86_64.rpm augeas-libs-1.0.0-5.el6_5.1.i686.rpm augeas-libs-1.0.0-5.el6_5.1.x86_64.rpm Red Hat Enterprise Linux HPC Node Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/augeas-1.0.0-5.el6_5.1.src.rpm x86_64: augeas-1.0.0-5.el6_5.1.x86_64.rpm augeas-debuginfo-1.0.0-5.el6_5.1.i686.rpm augeas-debuginfo-1.0.0-5.el6_5.1.x86_64.rpm augeas-devel-1.0.0-5.el6_5.1.i686.rpm augeas-devel-1.0.0-5.el6_5.1.x86_64.rpm Red Hat Enterprise Linux Server (v. 
6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/augeas-1.0.0-5.el6_5.1.src.rpm i386: augeas-debuginfo-1.0.0-5.el6_5.1.i686.rpm augeas-libs-1.0.0-5.el6_5.1.i686.rpm ppc64: augeas-debuginfo-1.0.0-5.el6_5.1.ppc.rpm augeas-debuginfo-1.0.0-5.el6_5.1.ppc64.rpm augeas-libs-1.0.0-5.el6_5.1.ppc.rpm augeas-libs-1.0.0-5.el6_5.1.ppc64.rpm s390x: augeas-debuginfo-1.0.0-5.el6_5.1.s390.rpm augeas-debuginfo-1.0.0-5.el6_5.1.s390x.rpm augeas-libs-1.0.0-5.el6_5.1.s390.rpm augeas-libs-1.0.0-5.el6_5.1.s390x.rpm x86_64: augeas-debuginfo-1.0.0-5.el6_5.1.i686.rpm augeas-debuginfo-1.0.0-5.el6_5.1.x86_64.rpm augeas-libs-1.0.0-5.el6_5.1.i686.rpm augeas-libs-1.0.0-5.el6_5.1.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/augeas-1.0.0-5.el6_5.1.src.rpm i386: augeas-1.0.0-5.el6_5.1.i686.rpm augeas-debuginfo-1.0.0-5.el6_5.1.i686.rpm augeas-devel-1.0.0-5.el6_5.1.i686.rpm ppc64: augeas-1.0.0-5.el6_5.1.ppc64.rpm augeas-debuginfo-1.0.0-5.el6_5.1.ppc.rpm augeas-debuginfo-1.0.0-5.el6_5.1.ppc64.rpm augeas-devel-1.0.0-5.el6_5.1.ppc.rpm augeas-devel-1.0.0-5.el6_5.1.ppc64.rpm s390x: augeas-1.0.0-5.el6_5.1.s390x.rpm augeas-debuginfo-1.0.0-5.el6_5.1.s390.rpm augeas-debuginfo-1.0.0-5.el6_5.1.s390x.rpm augeas-devel-1.0.0-5.el6_5.1.s390.rpm augeas-devel-1.0.0-5.el6_5.1.s390x.rpm x86_64: augeas-1.0.0-5.el6_5.1.x86_64.rpm augeas-debuginfo-1.0.0-5.el6_5.1.i686.rpm augeas-debuginfo-1.0.0-5.el6_5.1.x86_64.rpm augeas-devel-1.0.0-5.el6_5.1.i686.rpm augeas-devel-1.0.0-5.el6_5.1.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 
6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/augeas-1.0.0-5.el6_5.1.src.rpm i386: augeas-debuginfo-1.0.0-5.el6_5.1.i686.rpm augeas-libs-1.0.0-5.el6_5.1.i686.rpm x86_64: augeas-debuginfo-1.0.0-5.el6_5.1.i686.rpm augeas-debuginfo-1.0.0-5.el6_5.1.x86_64.rpm augeas-libs-1.0.0-5.el6_5.1.i686.rpm augeas-libs-1.0.0-5.el6_5.1.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/augeas-1.0.0-5.el6_5.1.src.rpm i386: augeas-1.0.0-5.el6_5.1.i686.rpm augeas-debuginfo-1.0.0-5.el6_5.1.i686.rpm augeas-devel-1.0.0-5.el6_5.1.i686.rpm x86_64: augeas-1.0.0-5.el6_5.1.x86_64.rpm augeas-debuginfo-1.0.0-5.el6_5.1.i686.rpm augeas-debuginfo-1.0.0-5.el6_5.1.x86_64.rpm augeas-devel-1.0.0-5.el6_5.1.i686.rpm augeas-devel-1.0.0-5.el6_5.1.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2013-6412.html https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2014 Red Hat, Inc. 
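The umask flaw above (CVE-2013-6412) leaves no trace in logs; what an administrator wants after applying the update is a way to find configuration files that a vulnerable Augeas may already have written world-writable, plus a reference for how a new configuration file should be created. The following is an added example, not Augeas code: `create_config_file` creates a file with an explicit 0644 mode and O_EXCL, `create_leaky_file` is a constructed stand-in that produces the world-writable outcome the advisory describes (it is not a reconstruction of the actual Augeas bug), and `find_world_writable` is the scan you would point at /etc. The file names and contents are constructed.

```python
import os
import stat
import tempfile


def create_config_file(path, data, mode=0o644):
    """Create a new config file with an explicit mode.

    O_EXCL refuses to reuse a pre-existing file or follow a symlink planted
    at `path`; the kernel still subtracts the process umask from `mode`.
    Returns the resulting permission bits."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return stat.S_IMODE(os.stat(path).st_mode)


def create_leaky_file(path, data):
    """Constructed stand-in for a writer that ignores umask and ends up with
    a world-writable file (the outcome CVE-2013-6412 describes). This is
    illustrative only, not Augeas's code path."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o666)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    os.chmod(path, 0o666)  # force o+w regardless of umask
    return stat.S_IMODE(os.stat(path).st_mode)


def find_world_writable(root):
    """Return paths (relative to root) of regular files with o+w set.

    lstat is used so symlinks are judged by their own mode and never
    followed; directories and special files are skipped."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IWOTH:
                hits.append(os.path.relpath(p, root))
    return sorted(hits)


def demo():
    """Run both writers under the usual 022 umask and scan the result."""
    old = os.umask(0o022)
    try:
        with tempfile.TemporaryDirectory() as root:
            good = create_config_file(os.path.join(root, "sshd_config"),
                                      "PermitRootLogin no\n")
            bad = create_leaky_file(os.path.join(root, "hosts"),
                                    "127.0.0.1 localhost\n")
            return good, bad, find_world_writable(root)
    finally:
        os.umask(old)


if __name__ == "__main__":
    good, bad, hits = demo()
    print("safe file mode: %o, leaky file mode: %o, world-writable: %s" % (good, bad, hits))
```

To audit a real host, call `find_world_writable("/etc")` as root; any hit under a directory Augeas manages (or its Puppet/libvirt callers) deserves a `chmod o-w` and a look at who could have written to it while the package was vulnerable.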
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFS3V6vXlSAg2UNWIIRApKZAKCL6RzuSRMmBnG53dCxYOd3EIZ7+ACdGge9 Fwsi6gGkQ042GqX++V2R6Yc= =9UIu -----END PGP SIGNATURE----- From bugzilla at redhat.com Wed Jan 22 18:34:23 2014 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Wed, 22 Jan 2014 18:34:23 +0000 Subject: [RHSA-2014:0089-01] Moderate: openstack-keystone security and bug fix update Message-ID: <201401221834.s0MIYNL5009098@int-mx10.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: openstack-keystone security and bug fix update Advisory ID: RHSA-2014:0089-01 Product: Red Hat OpenStack Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-0089.html Issue date: 2014-01-22 CVE Names: CVE-2013-6391 ===================================================================== 1. Summary: Updated openstack-keystone packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux OpenStack Platform 4.0. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: OpenStack 4 - noarch 3. Description: The openstack-keystone packages provide keystone, a Python implementation of the OpenStack Identity service API, which provides Identity, Token, Catalog, and Policy services. It was found that the ec2token API in keystone, which is used to generate EC2-style (Amazon Elastic Compute Cloud) credentials, could generate a token not scoped to a particular trust when creating a token from a received trust-scoped token. A remote attacker could use this flaw to retrieve a token that elevated their privileges to all of the trustor's roles. 
Note that only OpenStack Identity setups that have EC2-style authentication enabled were affected. (CVE-2013-6391) Red Hat would like to thank Jeremy Stanley of the OpenStack Project for reporting this issue. Upstream acknowledges Steven Hardy of Red Hat as the original reporter. These updated packages have been upgraded to upstream version 2013.2.1, which provides a number of bug fixes over the previous version. (BZ#1045408) All openstack-keystone users are advised to upgrade to these updated packages, which correct these issues. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1039164 - CVE-2013-6391 OpenStack Keystone: trust circumvention through EC2-style tokens 6. Package List: OpenStack 4: Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHOS/SRPMS/openstack-keystone-2013.2.1-1.el6ost.src.rpm noarch: openstack-keystone-2013.2.1-1.el6ost.noarch.rpm openstack-keystone-doc-2013.2.1-1.el6ost.noarch.rpm python-keystone-2013.2.1-1.el6ost.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2013-6391.html https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2014 Red Hat, Inc. 
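The invariant CVE-2013-6391 violated is that a credential derived from a trust-scoped token must never be broader than the trust itself. The following added example (a simplified model, not keystone's code) shows the difference between re-deriving the token from the trustor's full project role assignments and carrying the trust scope through. The users, project, role names and the ASSIGNMENTS/TRUSTS tables are constructed for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Trust:
    trust_id: str
    trustor_user_id: str   # user delegating a subset of their roles
    trustee_user_id: str   # user allowed to act on the trustor's behalf
    project_id: str
    roles: FrozenSet[str]  # the delegated subset


@dataclass(frozen=True)
class Token:
    user_id: str
    project_id: str
    roles: FrozenSet[str]
    trust_id: Optional[str] = None  # set when the token is trust-scoped


# Constructed data: alice is a project admin, bob holds no roles of his own,
# and alice delegates only "member" to bob via trust-1.
ASSIGNMENTS = {"proj-a": {"alice": frozenset({"admin", "member"}),
                          "bob": frozenset()}}
TRUSTS = {"trust-1": Trust("trust-1", "alice", "bob", "proj-a",
                           frozenset({"member"}))}


def derive_ec2_token_vulnerable(tok: Token) -> Token:
    """Rebuilds the token from the trustor's project assignments and forgets
    the trust: bob, holding a trust-scoped token, ends up with every role
    alice has in the project (the escalation described in the advisory)."""
    if tok.trust_id is None:
        return tok
    trust = TRUSTS[tok.trust_id]
    full_roles = ASSIGNMENTS[trust.project_id][trust.trustor_user_id]
    return Token(trust.trustee_user_id, trust.project_id, full_roles)  # trust_id dropped


def derive_ec2_token_fixed(tok: Token) -> Token:
    """Keeps the trust scope and limits roles to the delegated set intersected
    with what the trustor currently holds, so revoking alice's role also cuts
    bob off. Also refuses to derive for anyone but the trustee."""
    if tok.trust_id is None:
        return tok
    trust = TRUSTS[tok.trust_id]
    if tok.user_id != trust.trustee_user_id:
        raise PermissionError("token user is not the trustee of %s" % trust.trust_id)
    current = ASSIGNMENTS[trust.project_id][trust.trustor_user_id]
    effective = trust.roles & current
    if not effective:
        raise PermissionError("trust %s no longer delegates any held role" % trust.trust_id)
    return Token(trust.trustee_user_id, trust.project_id, effective,
                 trust_id=trust.trust_id)


def demo():
    """Derive an EC2-style token from bob's trust-scoped token both ways."""
    trust_scoped = Token("bob", "proj-a", frozenset({"member"}), trust_id="trust-1")
    return derive_ec2_token_vulnerable(trust_scoped), derive_ec2_token_fixed(trust_scoped)


if __name__ == "__main__":
    vulnerable, fixed = demo()
    print("vulnerable:", sorted(vulnerable.roles), vulnerable.trust_id)
    print("fixed:     ", sorted(fixed.roles), fixed.trust_id)
```

The same rule applies to any other "exchange one credential for another" endpoint: the output must carry the scope of the input, and its roles must be recomputed as an intersection, never re-read from the delegating user's full assignment list.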
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFS4A8VXlSAg2UNWIIRAjJqAKDDxljyhy9+ybjyo9I9I++GectVKACfcjc7 ECBM7t/wvVlRKsRJ8LQub44= =bKDR -----END PGP SIGNATURE----- From bugzilla at redhat.com Wed Jan 22 18:40:28 2014 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Wed, 22 Jan 2014 18:40:28 +0000 Subject: [RHSA-2014:0090-01] Moderate: openstack-heat security, bug fix, and enhancement update Message-ID: <201401221840.s0MIeS40003901@int-mx12.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: openstack-heat security, bug fix, and enhancement update Advisory ID: RHSA-2014:0090-01 Product: Red Hat OpenStack Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-0090.html Issue date: 2014-01-22 CVE Names: CVE-2013-6426 CVE-2013-6428 ===================================================================== 1. Summary: Updated openstack-heat packages that fix two security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux OpenStack Platform 4.0. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: OpenStack 4 - noarch 3. Description: The openstack-heat packages provide heat, a Python implementation of the OpenStack Orchestration engine, to launch multiple composite cloud applications based on templates. It was found that heat did not properly enforce cloudformation-compatible API policy rules. An in-instance attacker could use the CreateStack or UpdateStack methods to create or update a stack, resulting in a violation of the API policy. 
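Both Orchestration flaws in this advisory are missing authorization checks at the API boundary: CVE-2013-6426 above, where CreateStack and UpdateStack were not run through the policy engine, and CVE-2013-6428, described next, where the tenant id in the REST request path was trusted instead of being compared with the caller's token. The following added example (a model, not Heat's code) shows a dispatcher that checks only an allow-list of actions beside one that checks every action, and a path handler that trusts the path beside one that binds it to the token. The policy rules, role names and stack data are constructed.

```python
import re
from typing import Dict, FrozenSet, List

# Constructed policy: in-instance users (heat_stack_user) may only read.
POLICY: Dict[str, FrozenSet[str]] = {
    "cloudformation:ListStacks": frozenset({"member", "admin", "heat_stack_user"}),
    "cloudformation:DescribeStacks": frozenset({"member", "admin", "heat_stack_user"}),
    "cloudformation:CreateStack": frozenset({"member", "admin"}),
    "cloudformation:UpdateStack": frozenset({"member", "admin"}),
}


def enforce(rule: str, roles: FrozenSet[str]) -> None:
    """Deny unless the caller holds a role the rule allows (unknown rule: deny)."""
    allowed = POLICY.get(rule, frozenset())
    if not roles & allowed:
        raise PermissionError("policy %s denies roles %s" % (rule, sorted(roles)))


# Constructed: the actions a vulnerable dispatcher remembered to check.
_CHECKED_VULNERABLE = {"ListStacks", "DescribeStacks"}


def cfn_dispatch_vulnerable(action: str, roles: FrozenSet[str]) -> str:
    """Enforces policy only for actions on an allow-list; CreateStack slips through."""
    if action in _CHECKED_VULNERABLE:
        enforce("cloudformation:" + action, roles)
    return "ok:" + action


def cfn_dispatch_fixed(action: str, roles: FrozenSet[str]) -> str:
    """Enforces policy for every action; there is no list to forget to extend."""
    enforce("cloudformation:" + action, roles)
    return "ok:" + action


# Tenant scoping of the REST path /v1/{tenant_id}/stacks
STACKS = {"tenant-a": ["web-a"], "tenant-b": ["db-b"]}  # constructed
_PATH = re.compile(r"^/v1/(?P<tenant>[^/]+)/stacks/?$")


def list_stacks_vulnerable(path: str, token_tenant: str) -> List[str]:
    """Trusts the tenant id in the path: editing the path reads another tenant's stacks."""
    m = _PATH.match(path)
    if not m:
        raise ValueError("bad path")
    return STACKS[m.group("tenant")]


def list_stacks_fixed(path: str, token_tenant: str) -> List[str]:
    """The path tenant is only a routing hint; the token decides what is visible."""
    m = _PATH.match(path)
    if not m:
        raise ValueError("bad path")
    if m.group("tenant") != token_tenant:
        raise PermissionError("path tenant %s != token tenant %s"
                              % (m.group("tenant"), token_tenant))
    return STACKS[token_tenant]


def denied(fn, *args) -> bool:
    """True if fn(*args) raises PermissionError; used for self-checks."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    stack_user = frozenset({"heat_stack_user"})
    print("vulnerable CreateStack as stack user:", cfn_dispatch_vulnerable("CreateStack", stack_user))
    print("fixed CreateStack denied:", denied(cfn_dispatch_fixed, "CreateStack", stack_user))
    print("vulnerable cross-tenant read:", list_stacks_vulnerable("/v1/tenant-b/stacks", "tenant-a"))
    print("fixed cross-tenant read denied:", denied(list_stacks_fixed, "/v1/tenant-b/stacks", "tenant-a"))
```

The structural lesson is the same for both: put the check in the one place every request passes through (the dispatcher, the path-to-context binding) rather than in each handler, so a new action or a reshaped path cannot arrive unchecked.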
Note that only setups using Orchestration's cloudformation-compatible API were affected. (CVE-2013-6426)

A flaw was found in the way Orchestration's REST API implementation handled modified request paths. An authenticated remote user could use this flaw to bypass the tenant-scoping restriction by modifying the request path, resulting in privilege escalation. Note that only setups using Orchestration's cloudformation-compatible API were affected. (CVE-2013-6428)

Red Hat would like to thank Jeremy Stanley of the OpenStack Project for reporting these issues. Upstream acknowledges Steven Hardy of Red Hat as the original reporter.

The openstack-heat packages have been upgraded to upstream version 2013.2.1, which provides a number of bug fixes and enhancements over the previous version. The most notable fixes and enhancements are:

* Auto-scaling has been fixed when AdjustmentType was set to PercentChangeInCapacity.
* A QPID broker restart no longer permanently disrupts subscribed clients.
* RPC requests are now only serviced by one server in a given topic group.
* Auto-scaling group growth or shrinkage has been fixed to utilize the full available size, regardless of the scaling policy adjustment.

(BZ#1045430)

This update also fixes the following bugs:

* The outdated heat-db-setup tool, which only supported local installs, has been removed. The Red Hat Enterprise Linux OpenStack Platform 4 Installation and Configuration Guide has been updated to show how to create the necessary database and associated tables for Orchestration, allowing the deployment of the database server on a local or remote system (see Installing the OpenStack Orchestration Service). (BZ#1046326)

* The heat-engine source code had a hard-coded reference to a Fedora image name in the implementation of the AWS-compatible LoadBalancer resource. This meant that you could not specify an alternative LoadBalancer image name in deployments (for example, Red Hat Enterprise Linux).
A new option has been added to the Orchestration configuration file, /etc/heat/heat.conf, which is named loadbalancer_template. The new loadbalancer_template option can now be used to specify an alternate LoadBalancer template that contains a different image name. (BZ#1048215)

* Due to a packaging error, the heat-manage tool was not working properly (which prevented a successful database creation). This error has been fixed by moving the parallel package selection code so that all Orchestration tools now use the proper packages at runtime. (BZ#1048335)

All openstack-heat users are advised to upgrade to these updated packages, which correct these issues and add these enhancements.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

Documentation for releases of Red Hat Enterprise Linux OpenStack Platform is available at https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux_OpenStack_Platform/

5. Bugs fixed (https://bugzilla.redhat.com/):

1039141 - CVE-2013-6426 OpenStack Heat: CFN policy rules not all enforced
1039144 - CVE-2013-6428 OpenStack Heat: ReST API doesn't respect tenant scoping
1046326 - remove heat-db-setup from openstack-heat packaging
1048335 - heat-manage doesn't work on EL

6. Package List:

OpenStack 4:

Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHOS/SRPMS/openstack-heat-2013.2.1-4.el6ost.src.rpm

noarch:
openstack-heat-api-2013.2.1-4.el6ost.noarch.rpm
openstack-heat-api-cfn-2013.2.1-4.el6ost.noarch.rpm
openstack-heat-api-cloudwatch-2013.2.1-4.el6ost.noarch.rpm
openstack-heat-common-2013.2.1-4.el6ost.noarch.rpm
openstack-heat-engine-2013.2.1-4.el6ost.noarch.rpm

These packages are GPG signed by Red Hat for security.
Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2013-6426.html https://www.redhat.com/security/data/cve/CVE-2013-6428.html https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux_OpenStack_Platform/ 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2014 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFS4BA4XlSAg2UNWIIRAlGlAJ9QjRKqFby9CXkYiulBoGfsoJ2HNwCgoGeq pD/FnCr48t8vlgZB9GOXe2A= =j0il -----END PGP SIGNATURE----- From bugzilla at redhat.com Wed Jan 22 18:41:58 2014 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Wed, 22 Jan 2014 18:41:58 +0000 Subject: [RHSA-2014:0091-01] Moderate: openstack-neutron security, bug fix, and enhancement update Message-ID: <201401221841.s0MIfwQJ013905@int-mx10.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: openstack-neutron security, bug fix, and enhancement update Advisory ID: RHSA-2014:0091-01 Product: Red Hat OpenStack Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-0091.html Issue date: 2014-01-22 CVE Names: CVE-2013-6419 ===================================================================== 1. Summary: Updated openstack-neutron packages that fix one security issue, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux OpenStack Platform 4.0. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. 
Relevant releases/architectures: OpenStack 4 - noarch 3. Description: The openstack-neutron packages provide Openstack Networking (neutron), the virtual network service. It was discovered that the metadata agent in OpenStack Networking was missing an authorization check on the device ID that is bound to a specific port. A remote tenant could guess the instance ID bound to a port and retrieve metadata of another tenant, resulting in information disclosure. Note that only OpenStack Networking setups running neutron-metadata-agent were affected. (CVE-2013-6419) Red Hat would like to thank Jeremy Stanley of the OpenStack Project for reporting this issue. Upstream acknowledges Aaron Rosen of VMware as the original reporter. The openstack-neutron packages have been upgraded to upstream version 2013.2.1, which provides a number of bug fixes and enhancements over the previous version. The most notable fixes and enhancements are: * Support for multiple workers in the Neutron API. This can be achieved by setting the 'workers=' parameter in the neutron.conf file. * The downtime and report interval default settings are tuned for neutron agents. * The floating IP address stability has been enhanced. * A heartbeat-related deadlock problem in neutron-server has been fixed. (BZ#1045419) This update also fixes the following bugs: * An incorrect warning was displayed when running neutron-dhcp-agent with Red Hat Enterprise Linux's version of dnsmasq. This meant that users were incorrectly warned that Red Hat Enterprise Linux's dnsmasq version will not work with neutron-dhcp-agent. This warning has been removed, and will no longer be logged to the neutron-dhcp-agent log file. (BZ#1040196) * A bug in the QPID topic consumer re-connection logic (under the v2 topology) caused qpidd to use a malformed subscriber address after restarting, resulting in RPC requests sent to a topic with multiple servers ending up being incorrectly multicast to all servers. 
This update removes the special-case reconnect logic that handles UUID addresses, which in turn avoids the incorrect establishment of multiple subscription to the same fanout address. The QPID broker now simply automatically generates unique queue names when clients reconnect. (BZ#1045067) * Thread-consuming QPID messages were killed silently by unhandled errors, thus resulting in isolating the component from the rest of the system. With this update, consuming threads are made more resilient to errors by ensuring they do not die on an unhandled error. The error is now logged, and the consuming thread is retried. (BZ#1054249) In addition, this update adds the following enhancement: * Previously, instances connected to tenant networks gained outside connectivity by going through an SNAT by the L3 agent hosting that network's virtual router. With this release, the ability to disable SNAT/PAT on virtual servers is added ensuring that an instance in a tenant network subnet will retain its IP address as it passes through external networks. For example, if 10.0.0.1 is an instance in the 10.0.0.0/8 tenant network, R1, a virtual router that connects the 10.0.0.0/8 subnet to the 20.0.0.0/8 public provider networks, then you can use the 'neutron router-gateway-set --disable-snat R1 public' command and any traffic from 10.0.0.1, which is forwarded out to the provider network, will retain its actual source IP address of 10.0.0.1. This can be a flexible and useful method to connect instances directly to a provider network, while retaining it in a tenant network. (BZ#1046070) All openstack-neutron users are advised to upgrade to these updated packages, which correct these issues and add these enhancements. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via the Red Hat Network. 
Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1038737 - neutron is creating duplicated NAT rules, resulting in instances without network connection 1039148 - CVE-2013-6419 OpenStack Neutron and Nova: Metadata queries from Neutron to Nova are not restricted by tenant 1039528 - Neutron rootwrap does not follow packaging guidelines 1040196 - Remove dnsmasq version warning for dhcp-agent on RHEL 1045067 - [oslo] With QPID, RPC calls to a topic are always fanned-out to all subscribers. 1046070 - Configurable External Gateway Modes 1046087 - The error message that indicates manual DB stamping is needed is not clear enough 1054249 - Thread consuming qpid messages can die silently 6. Package List: OpenStack 4: Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHOS/SRPMS/openstack-neutron-2013.2.1-4.el6ost.src.rpm noarch: openstack-neutron-2013.2.1-4.el6ost.noarch.rpm openstack-neutron-bigswitch-2013.2.1-4.el6ost.noarch.rpm openstack-neutron-brocade-2013.2.1-4.el6ost.noarch.rpm openstack-neutron-cisco-2013.2.1-4.el6ost.noarch.rpm openstack-neutron-hyperv-2013.2.1-4.el6ost.noarch.rpm openstack-neutron-linuxbridge-2013.2.1-4.el6ost.noarch.rpm openstack-neutron-mellanox-2013.2.1-4.el6ost.noarch.rpm openstack-neutron-metaplugin-2013.2.1-4.el6ost.noarch.rpm openstack-neutron-metering-agent-2013.2.1-4.el6ost.noarch.rpm openstack-neutron-midonet-2013.2.1-4.el6ost.noarch.rpm openstack-neutron-ml2-2013.2.1-4.el6ost.noarch.rpm openstack-neutron-nec-2013.2.1-4.el6ost.noarch.rpm openstack-neutron-nicira-2013.2.1-4.el6ost.noarch.rpm openstack-neutron-openvswitch-2013.2.1-4.el6ost.noarch.rpm openstack-neutron-plumgrid-2013.2.1-4.el6ost.noarch.rpm openstack-neutron-ryu-2013.2.1-4.el6ost.noarch.rpm openstack-neutron-vpn-agent-2013.2.1-4.el6ost.noarch.rpm python-neutron-2013.2.1-4.el6ost.noarch.rpm These packages are GPG signed by Red Hat for 
security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2013-6419.html https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2014 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFS4BDfXlSAg2UNWIIRAivNAKCVWiwL/nIdn7v6YXgfI0F+74mk0QCfZlps gQgFmSvzl9jrK02N6xI26E8= =s88t -----END PGP SIGNATURE----- From bugzilla at redhat.com Mon Jan 27 19:57:58 2014 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Mon, 27 Jan 2014 19:57:58 +0000 Subject: [RHSA-2014:0097-01] Important: java-1.6.0-openjdk security update Message-ID: <201401271957.s0RJvwbt001513@int-mx11.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: java-1.6.0-openjdk security update Advisory ID: RHSA-2014:0097-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-0097.html Issue date: 2014-01-27 CVE Names: CVE-2013-5878 CVE-2013-5884 CVE-2013-5896 CVE-2013-5907 CVE-2013-5910 CVE-2014-0368 CVE-2014-0373 CVE-2014-0376 CVE-2014-0411 CVE-2014-0416 CVE-2014-0422 CVE-2014-0423 CVE-2014-0428 ===================================================================== 1. Summary: Updated java-1.6.0-openjdk packages that fix various security issues are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. 
Relevant releases/architectures: Red Hat Enterprise Linux (v. 5 server) - i386, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node (v. 6) - x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, x86_64 Red Hat Enterprise Linux Server Optional (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64 3. Description: These packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Java Software Development Kit. An input validation flaw was discovered in the font layout engine in the 2D component. A specially crafted font file could trigger a Java Virtual Machine memory corruption when processed. An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions. (CVE-2013-5907) Multiple improper permission check issues were discovered in the CORBA and JNDI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2014-0428, CVE-2014-0422) Multiple improper permission check issues were discovered in the Serviceability, Security, CORBA, JAAS, JAXP, and Networking components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2014-0373, CVE-2013-5878, CVE-2013-5910, CVE-2013-5896, CVE-2013-5884, CVE-2014-0416, CVE-2014-0376, CVE-2014-0368) It was discovered that the Beans component did not restrict processing of XML external entities. This flaw could cause a Java application using Beans to leak sensitive information, or affect application availability. 
(CVE-2014-0423) It was discovered that the JSSE component could leak timing information during the TLS/SSL handshake. This could possibly lead to a disclosure of information about the used encryption keys. (CVE-2014-0411) All users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1051519 - CVE-2014-0428 OpenJDK: insufficient security checks in IIOP streams (CORBA, 8025767) 1051528 - CVE-2014-0422 OpenJDK: insufficient package access checks in the Naming component (JNDI, 8025758) 1051699 - CVE-2014-0373 OpenJDK: SnmpStatusException handling issues (Serviceability, 7068126) 1051823 - CVE-2013-5878 OpenJDK: null xmlns handling issue (Security, 8025026) 1051911 - CVE-2013-5884 OpenJDK: insufficient security checks in CORBA stub factories (CORBA, 8026193) 1051912 - CVE-2014-0416 OpenJDK: insecure subject principals set handling (JAAS, 8024306) 1051923 - CVE-2014-0376 OpenJDK: document builder missing security checks (JAXP, 8027201, 8025018) 1052915 - CVE-2013-5907 ICU: Layout Engine LookupProcessor insufficient input checks (JDK 2D, 8025034) 1052919 - CVE-2014-0368 OpenJDK: insufficient Socket checkListen checks (Networking, 8011786) 1052942 - CVE-2013-5910 OpenJDK: XML canonicalizer mutable strings passed to untrusted code (Security, 8026417) 1053010 - CVE-2014-0411 OpenJDK: TLS/SSL handshake timing issues (JSSE, 8023069) 1053066 - CVE-2014-0423 OpenJDK: XXE issue in decoder (Beans, 8023245) 1053266 - CVE-2013-5896 OpenJDK: com.sun.corba.se. should be restricted package (CORBA, 8025022) 6. 
Package List: Red Hat Enterprise Linux Desktop (v. 5 client): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/java-1.6.0-openjdk-1.6.0.0-3.1.13.1.el5_10.src.rpm i386: java-1.6.0-openjdk-1.6.0.0-3.1.13.1.el5_10.i386.rpm java-1.6.0-openjdk-debuginfo-1.6.0.0-3.1.13.1.el5_10.i386.rpm java-1.6.0-openjdk-demo-1.6.0.0-3.1.13.1.el5_10.i386.rpm java-1.6.0-openjdk-devel-1.6.0.0-3.1.13.1.el5_10.i386.rpm java-1.6.0-openjdk-javadoc-1.6.0.0-3.1.13.1.el5_10.i386.rpm java-1.6.0-openjdk-src-1.6.0.0-3.1.13.1.el5_10.i386.rpm x86_64: java-1.6.0-openjdk-1.6.0.0-3.1.13.1.el5_10.x86_64.rpm java-1.6.0-openjdk-debuginfo-1.6.0.0-3.1.13.1.el5_10.x86_64.rpm java-1.6.0-openjdk-demo-1.6.0.0-3.1.13.1.el5_10.x86_64.rpm java-1.6.0-openjdk-devel-1.6.0.0-3.1.13.1.el5_10.x86_64.rpm java-1.6.0-openjdk-javadoc-1.6.0.0-3.1.13.1.el5_10.x86_64.rpm java-1.6.0-openjdk-src-1.6.0.0-3.1.13.1.el5_10.x86_64.rpm Red Hat Enterprise Linux (v. 5 server): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/java-1.6.0-openjdk-1.6.0.0-3.1.13.1.el5_10.src.rpm i386: java-1.6.0-openjdk-1.6.0.0-3.1.13.1.el5_10.i386.rpm java-1.6.0-openjdk-debuginfo-1.6.0.0-3.1.13.1.el5_10.i386.rpm java-1.6.0-openjdk-demo-1.6.0.0-3.1.13.1.el5_10.i386.rpm java-1.6.0-openjdk-devel-1.6.0.0-3.1.13.1.el5_10.i386.rpm java-1.6.0-openjdk-javadoc-1.6.0.0-3.1.13.1.el5_10.i386.rpm java-1.6.0-openjdk-src-1.6.0.0-3.1.13.1.el5_10.i386.rpm x86_64: java-1.6.0-openjdk-1.6.0.0-3.1.13.1.el5_10.x86_64.rpm java-1.6.0-openjdk-debuginfo-1.6.0.0-3.1.13.1.el5_10.x86_64.rpm java-1.6.0-openjdk-demo-1.6.0.0-3.1.13.1.el5_10.x86_64.rpm java-1.6.0-openjdk-devel-1.6.0.0-3.1.13.1.el5_10.x86_64.rpm java-1.6.0-openjdk-javadoc-1.6.0.0-3.1.13.1.el5_10.x86_64.rpm java-1.6.0-openjdk-src-1.6.0.0-3.1.13.1.el5_10.x86_64.rpm Red Hat Enterprise Linux Desktop (v. 
6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/java-1.6.0-openjdk-1.6.0.0-3.1.13.1.el6_5.src.rpm i386: java-1.6.0-openjdk-1.6.0.0-3.1.13.1.el6_5.i686.rpm java-1.6.0-openjdk-debuginfo-1.6.0.0-3.1.13.1.el6_5.i686.rpm x86_64: java-1.6.0-openjdk-1.6.0.0-3.1.13.1.el6_5.x86_64.rpm java-1.6.0-openjdk-debuginfo-1.6.0.0-3.1.13.1.el6_5.x86_64.rpm Red Hat Enterprise Linux Desktop Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/java-1.6.0-openjdk-1.6.0.0-3.1.13.1.el6_5.src.rpm i386: java-1.6.0-openjdk-debuginfo-1.6.0.0-3.1.13.1.el6_5.i686.rpm java-1.6.0-openjdk-demo-1.6.0.0-3.1.13.1.el6_5.i686.rpm java-1.6.0-openjdk-devel-1.6.0.0-3.1.13.1.el6_5.i686.rpm java-1.6.0-openjdk-javadoc-1.6.0.0-3.1.13.1.el6_5.i686.rpm java-1.6.0-openjdk-src-1.6.0.0-3.1.13.1.el6_5.i686.rpm x86_64: java-1.6.0-openjdk-debuginfo-1.6.0.0-3.1.13.1.el6_5.x86_64.rpm java-1.6.0-openjdk-demo-1.6.0.0-3.1.13.1.el6_5.x86_64.rpm java-1.6.0-openjdk-devel-1.6.0.0-3.1.13.1.el6_5.x86_64.rpm java-1.6.0-openjdk-javadoc-1.6.0.0-3.1.13.1.el6_5.x86_64.rpm java-1.6.0-openjdk-src-1.6.0.0-3.1.13.1.el6_5.x86_64.rpm Red Hat Enterprise Linux HPC Node (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/java-1.6.0-openjdk-1.6.0.0-3.1.13.1.el6_5.src.rpm x86_64: java-1.6.0-openjdk-1.6.0.0-3.1.13.1.el6_5.x86_64.rpm java-1.6.0-openjdk-debuginfo-1.6.0.0-3.1.13.1.el6_5.x86_64.rpm Red Hat Enterprise Linux HPC Node Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/java-1.6.0-openjdk-1.6.0.0-3.1.13.1.el6_5.src.rpm x86_64: java-1.6.0-openjdk-debuginfo-1.6.0.0-3.1.13.1.el6_5.x86_64.rpm java-1.6.0-openjdk-demo-1.6.0.0-3.1.13.1.el6_5.x86_64.rpm java-1.6.0-openjdk-devel-1.6.0.0-3.1.13.1.el6_5.x86_64.rpm java-1.6.0-openjdk-javadoc-1.6.0.0-3.1.13.1.el6_5.x86_64.rpm java-1.6.0-openjdk-src-1.6.0.0-3.1.13.1.el6_5.x86_64.rpm Red Hat Enterprise Linux Server (v. 
6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/java-1.6.0-openjdk-1.6.0.0-3.1.13.1.el6_5.src.rpm i386: java-1.6.0-openjdk-1.6.0.0-3.1.13.1.el6_5.i686.rpm java-1.6.0-openjdk-debuginfo-1.6.0.0-3.1.13.1.el6_5.i686.rpm java-1.6.0-openjdk-devel-1.6.0.0-3.1.13.1.el6_5.i686.rpm java-1.6.0-openjdk-javadoc-1.6.0.0-3.1.13.1.el6_5.i686.rpm x86_64: java-1.6.0-openjdk-1.6.0.0-3.1.13.1.el6_5.x86_64.rpm java-1.6.0-openjdk-debuginfo-1.6.0.0-3.1.13.1.el6_5.x86_64.rpm java-1.6.0-openjdk-devel-1.6.0.0-3.1.13.1.el6_5.x86_64.rpm java-1.6.0-openjdk-javadoc-1.6.0.0-3.1.13.1.el6_5.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/java-1.6.0-openjdk-1.6.0.0-3.1.13.1.el6_5.src.rpm i386: java-1.6.0-openjdk-debuginfo-1.6.0.0-3.1.13.1.el6_5.i686.rpm java-1.6.0-openjdk-demo-1.6.0.0-3.1.13.1.el6_5.i686.rpm java-1.6.0-openjdk-src-1.6.0.0-3.1.13.1.el6_5.i686.rpm x86_64: java-1.6.0-openjdk-debuginfo-1.6.0.0-3.1.13.1.el6_5.x86_64.rpm java-1.6.0-openjdk-demo-1.6.0.0-3.1.13.1.el6_5.x86_64.rpm java-1.6.0-openjdk-src-1.6.0.0-3.1.13.1.el6_5.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/java-1.6.0-openjdk-1.6.0.0-3.1.13.1.el6_5.src.rpm i386: java-1.6.0-openjdk-1.6.0.0-3.1.13.1.el6_5.i686.rpm java-1.6.0-openjdk-debuginfo-1.6.0.0-3.1.13.1.el6_5.i686.rpm java-1.6.0-openjdk-devel-1.6.0.0-3.1.13.1.el6_5.i686.rpm java-1.6.0-openjdk-javadoc-1.6.0.0-3.1.13.1.el6_5.i686.rpm x86_64: java-1.6.0-openjdk-1.6.0.0-3.1.13.1.el6_5.x86_64.rpm java-1.6.0-openjdk-debuginfo-1.6.0.0-3.1.13.1.el6_5.x86_64.rpm java-1.6.0-openjdk-devel-1.6.0.0-3.1.13.1.el6_5.x86_64.rpm java-1.6.0-openjdk-javadoc-1.6.0.0-3.1.13.1.el6_5.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 
6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/java-1.6.0-openjdk-1.6.0.0-3.1.13.1.el6_5.src.rpm i386: java-1.6.0-openjdk-debuginfo-1.6.0.0-3.1.13.1.el6_5.i686.rpm java-1.6.0-openjdk-demo-1.6.0.0-3.1.13.1.el6_5.i686.rpm java-1.6.0-openjdk-src-1.6.0.0-3.1.13.1.el6_5.i686.rpm x86_64: java-1.6.0-openjdk-debuginfo-1.6.0.0-3.1.13.1.el6_5.x86_64.rpm java-1.6.0-openjdk-demo-1.6.0.0-3.1.13.1.el6_5.x86_64.rpm java-1.6.0-openjdk-src-1.6.0.0-3.1.13.1.el6_5.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2013-5878.html https://www.redhat.com/security/data/cve/CVE-2013-5884.html https://www.redhat.com/security/data/cve/CVE-2013-5896.html https://www.redhat.com/security/data/cve/CVE-2013-5907.html https://www.redhat.com/security/data/cve/CVE-2013-5910.html https://www.redhat.com/security/data/cve/CVE-2014-0368.html https://www.redhat.com/security/data/cve/CVE-2014-0373.html https://www.redhat.com/security/data/cve/CVE-2014-0376.html https://www.redhat.com/security/data/cve/CVE-2014-0411.html https://www.redhat.com/security/data/cve/CVE-2014-0416.html https://www.redhat.com/security/data/cve/CVE-2014-0422.html https://www.redhat.com/security/data/cve/CVE-2014-0423.html https://www.redhat.com/security/data/cve/CVE-2014-0428.html https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2014 Red Hat, Inc. 
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFS5roaXlSAg2UNWIIRAtyjAJ9Xx3+FZVkWSCQ5/EmokFTTF8GolACeILg1 yB5/DPd5clczwxw/bljRnJo= =qDKh -----END PGP SIGNATURE----- From bugzilla at redhat.com Tue Jan 28 17:51:41 2014 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Tue, 28 Jan 2014 17:51:41 +0000 Subject: [RHSA-2014:0100-01] Important: kernel-rt security and bug fix update Message-ID: <201401281751.s0SHpgVG026281@int-mx02.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: kernel-rt security and bug fix update Advisory ID: RHSA-2014:0100-01 Product: Red Hat Enterprise MRG for RHEL-6 Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-0100.html Issue date: 2014-01-28 CVE Names: CVE-2013-2929 CVE-2013-2930 CVE-2013-4270 CVE-2013-4470 CVE-2013-6378 CVE-2013-6383 CVE-2013-6431 ===================================================================== 1. Summary: Updated kernel-rt packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise MRG 2.4. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: MRG Realtime for RHEL 6 Server v.2 - noarch, x86_64 3. Description: The kernel-rt packages contain the Linux kernel, the core of any Linux operating system. * A flaw was found in the way the Linux kernel's TCP/IP protocol suite implementation handled sending of certain UDP packets over sockets that used the UDP_CORK option when the UDP Fragmentation Offload (UFO) feature was enabled on the output device. 
A local, unprivileged user could use this flaw to cause a denial of service or, potentially, escalate their privileges on the system. (CVE-2013-4470, Important) * A flaw was found in the way the perf_trace_event_perm() function in the Linux kernel checked permissions for the function tracer functionality. An unprivileged local user could use this flaw to enable function tracing and cause a denial of service on the system. (CVE-2013-2930, Moderate) * A flaw was found in the way the net_ctl_permissions() function in the Linux kernel checked access permissions. A local, unprivileged user could potentially use this flaw to access certain files in /proc/sys/net regardless of the underlying file system permissions. (CVE-2013-4270, Moderate) * A flaw was found in the way the Linux kernel's Adaptec RAID controller (aacraid) checked permissions of compat IOCTLs. A local attacker could use this flaw to bypass intended security restrictions. (CVE-2013-6383, Moderate) * A flaw was found in the way the get_dumpable() function return value was interpreted in the ptrace subsystem of the Linux kernel. When 'fs.suid_dumpable' was set to 2, a local, unprivileged local user could use this flaw to bypass intended ptrace restrictions and obtain potentially sensitive information. (CVE-2013-2929, Low) * An invalid pointer dereference flaw was found in the Marvell 8xxx Libertas WLAN (libertas) driver in the Linux kernel. A local user able to write to a file that is provided by the libertas driver and located on the debug file system (debugfs) could use this flaw to crash the system. Note: The debugfs file system must be mounted locally to exploit this issue. It is not mounted by default. (CVE-2013-6378, Low) * A NULL pointer dereference flaw was found in the Linux kernel's IPv6 source address-based routing implementation. A local attacker who has the CAP_NET_ADMIN capability could use this flaw to crash the system. 
(CVE-2013-6431, Low) Red Hat would like to thank Hannes Frederic Sowa for reporting CVE-2013-4470. The CVE-2013-4270 issue was discovered by Miroslav Vadkerti of Red Hat. This update also fixes multiple bugs. Documentation for these changes will be available shortly from the Technical Notes document linked to in the References section. Users should upgrade to these updated packages, which upgrade the kernel-rt kernel to version kernel-rt-3.8.13-rt27, correct these issues, and fix the bugs noted in the Red Hat Enterprise MRG 2 Technical Notes. The system must be rebooted for this update to take effect. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258 To install kernel packages manually, use "rpm -ivh [package]". Do not use "rpm -Uvh" as that will remove the running kernel binaries from your system. You may use "rpm -e" to remove old kernels after determining that the new kernel functions properly on your system. 5. Bugs fixed (https://bugzilla.redhat.com/): 1016729 - Apply IB performance patches to 3.8 realtime kernel 1023477 - CVE-2013-4470 Kernel: net: memory corruption with UDP_CORK and UFO 1027752 - CVE-2013-4270 kernel: net: permissions flaw in /proc/sys/net 1027778 - CVE-2013-2930 kernel: perf/ftrace: insufficient check in perf_trace_event_perm() 1028148 - CVE-2013-2929 kernel: exec/ptrace: get_dumpable() incorrect tests 1033530 - CVE-2013-6383 Kernel: AACRAID Driver compat IOCTL missing capability check 1033578 - CVE-2013-6378 Kernel: drivers: libertas: potential oops in debugfs 1037770 - Recent -rt kernels compiled without CONFIG_NETFILTER_XT_MATCH_ADDRTYPE 1039054 - CVE-2013-6431 kernel: net: fib: fib6_add: potential NULL pointer dereference 1039743 - kernel: panic when unloading ip6_tunnel module 6. 
Package List: MRG Realtime for RHEL 6 Server v.2: Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHEMRG-RHEL6/SRPMS/kernel-rt-3.8.13-rt27.33.el6rt.src.rpm noarch: kernel-rt-doc-3.8.13-rt27.33.el6rt.noarch.rpm kernel-rt-firmware-3.8.13-rt27.33.el6rt.noarch.rpm x86_64: kernel-rt-3.8.13-rt27.33.el6rt.x86_64.rpm kernel-rt-debug-3.8.13-rt27.33.el6rt.x86_64.rpm kernel-rt-debug-debuginfo-3.8.13-rt27.33.el6rt.x86_64.rpm kernel-rt-debug-devel-3.8.13-rt27.33.el6rt.x86_64.rpm kernel-rt-debuginfo-3.8.13-rt27.33.el6rt.x86_64.rpm kernel-rt-debuginfo-common-x86_64-3.8.13-rt27.33.el6rt.x86_64.rpm kernel-rt-devel-3.8.13-rt27.33.el6rt.x86_64.rpm kernel-rt-trace-3.8.13-rt27.33.el6rt.x86_64.rpm kernel-rt-trace-debuginfo-3.8.13-rt27.33.el6rt.x86_64.rpm kernel-rt-trace-devel-3.8.13-rt27.33.el6rt.x86_64.rpm kernel-rt-vanilla-3.8.13-rt27.33.el6rt.x86_64.rpm kernel-rt-vanilla-debuginfo-3.8.13-rt27.33.el6rt.x86_64.rpm kernel-rt-vanilla-devel-3.8.13-rt27.33.el6rt.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2013-2929.html https://www.redhat.com/security/data/cve/CVE-2013-2930.html https://www.redhat.com/security/data/cve/CVE-2013-4270.html https://www.redhat.com/security/data/cve/CVE-2013-4470.html https://www.redhat.com/security/data/cve/CVE-2013-6378.html https://www.redhat.com/security/data/cve/CVE-2013-6383.html https://www.redhat.com/security/data/cve/CVE-2013-6431.html https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_MRG/2/html/Technical_Notes/RHSA-2014-0100.html 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2014 Red Hat, Inc. 
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFS5+4QXlSAg2UNWIIRAk69AKCIJ+KWTW4FueOZ7VTCacRd78NcvACeImdx FPo19nKq6xu6YEH7IKNduE4= =U6os -----END PGP SIGNATURE----- From bugzilla at redhat.com Tue Jan 28 17:52:30 2014 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Tue, 28 Jan 2014 17:52:30 +0000 Subject: [RHSA-2014:0103-01] Moderate: libvirt security and bug fix update Message-ID: <201401281752.s0SHqUTZ004436@int-mx01.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: libvirt security and bug fix update Advisory ID: RHSA-2014:0103-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-0103.html Issue date: 2014-01-28 Keywords: libvirt virtualization migration CVE Names: CVE-2013-6458 CVE-2014-1447 ===================================================================== 1. Summary: Updated libvirt packages that fix two security issues and one bug are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node (v. 6) - x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 6) - x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Optional (v. 6) - x86_64 3. 
Description:

The libvirt library is a C API for managing and interacting with the
virtualization capabilities of Linux and other operating systems. In
addition, libvirt provides tools for remote management of virtualized
systems.

A use-after-free flaw was found in the way several libvirt block APIs
handled domain jobs. A remote attacker able to establish a read-only
connection to libvirtd could use this flaw to crash libvirtd or,
potentially, execute arbitrary code with the privileges of the libvirtd
process (usually root). (CVE-2013-6458)

A race condition was found in the way libvirtd handled keepalive
initialization requests when the connection was closed prior to
establishing connection credentials. An attacker able to establish a
read-only connection to libvirtd could use this flaw to crash libvirtd,
resulting in a denial of service. (CVE-2014-1447)

This update also fixes the following bug:

* A race condition was possible between a thread starting a virtual
machine with a guest agent configured (regular start-up or while
migrating) and a thread that was killing the VM process (or the process
crashing). The race could cause the monitor object to be freed by the
thread that killed the VM process, which was later accessed by the thread
that was attempting to start the VM, resulting in a crash. This issue was
fixed by checking the state of the VM after the attempted connection to
the guest agent; if the VM in the meantime exited, no other operations
are attempted. (BZ#1055578)

All libvirt users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. After installing the
updated packages, libvirtd will be restarted automatically.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1048631 - CVE-2013-6458 qemu: job usage issue in several APIs leading to libvirtd crash
1052957 - CVE-2014-1447 libvirt: denial of service with keepalive
1055578 - bidirectional VMs migration between 2 hosts fail on VM doesn't exist / fatal error

6. Package List:

Red Hat Enterprise Linux Desktop (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/libvirt-0.10.2-29.el6_5.3.src.rpm

i386:
libvirt-0.10.2-29.el6_5.3.i686.rpm
libvirt-client-0.10.2-29.el6_5.3.i686.rpm
libvirt-debuginfo-0.10.2-29.el6_5.3.i686.rpm
libvirt-python-0.10.2-29.el6_5.3.i686.rpm

x86_64:
libvirt-0.10.2-29.el6_5.3.x86_64.rpm
libvirt-client-0.10.2-29.el6_5.3.i686.rpm
libvirt-client-0.10.2-29.el6_5.3.x86_64.rpm
libvirt-debuginfo-0.10.2-29.el6_5.3.i686.rpm
libvirt-debuginfo-0.10.2-29.el6_5.3.x86_64.rpm
libvirt-python-0.10.2-29.el6_5.3.x86_64.rpm

Red Hat Enterprise Linux Desktop Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/libvirt-0.10.2-29.el6_5.3.src.rpm

i386:
libvirt-debuginfo-0.10.2-29.el6_5.3.i686.rpm
libvirt-devel-0.10.2-29.el6_5.3.i686.rpm

x86_64:
libvirt-debuginfo-0.10.2-29.el6_5.3.i686.rpm
libvirt-debuginfo-0.10.2-29.el6_5.3.x86_64.rpm
libvirt-devel-0.10.2-29.el6_5.3.i686.rpm
libvirt-devel-0.10.2-29.el6_5.3.x86_64.rpm
libvirt-lock-sanlock-0.10.2-29.el6_5.3.x86_64.rpm

Red Hat Enterprise Linux HPC Node (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/libvirt-0.10.2-29.el6_5.3.src.rpm

x86_64:
libvirt-0.10.2-29.el6_5.3.x86_64.rpm
libvirt-client-0.10.2-29.el6_5.3.i686.rpm
libvirt-client-0.10.2-29.el6_5.3.x86_64.rpm
libvirt-debuginfo-0.10.2-29.el6_5.3.i686.rpm
libvirt-debuginfo-0.10.2-29.el6_5.3.x86_64.rpm
libvirt-python-0.10.2-29.el6_5.3.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/libvirt-0.10.2-29.el6_5.3.src.rpm

x86_64:
libvirt-debuginfo-0.10.2-29.el6_5.3.i686.rpm
libvirt-debuginfo-0.10.2-29.el6_5.3.x86_64.rpm
libvirt-devel-0.10.2-29.el6_5.3.i686.rpm
libvirt-devel-0.10.2-29.el6_5.3.x86_64.rpm
libvirt-lock-sanlock-0.10.2-29.el6_5.3.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/libvirt-0.10.2-29.el6_5.3.src.rpm

i386:
libvirt-0.10.2-29.el6_5.3.i686.rpm
libvirt-client-0.10.2-29.el6_5.3.i686.rpm
libvirt-debuginfo-0.10.2-29.el6_5.3.i686.rpm
libvirt-devel-0.10.2-29.el6_5.3.i686.rpm
libvirt-python-0.10.2-29.el6_5.3.i686.rpm

ppc64:
libvirt-0.10.2-29.el6_5.3.ppc64.rpm
libvirt-client-0.10.2-29.el6_5.3.ppc.rpm
libvirt-client-0.10.2-29.el6_5.3.ppc64.rpm
libvirt-debuginfo-0.10.2-29.el6_5.3.ppc.rpm
libvirt-debuginfo-0.10.2-29.el6_5.3.ppc64.rpm
libvirt-devel-0.10.2-29.el6_5.3.ppc.rpm
libvirt-devel-0.10.2-29.el6_5.3.ppc64.rpm
libvirt-python-0.10.2-29.el6_5.3.ppc64.rpm

s390x:
libvirt-0.10.2-29.el6_5.3.s390x.rpm
libvirt-client-0.10.2-29.el6_5.3.s390.rpm
libvirt-client-0.10.2-29.el6_5.3.s390x.rpm
libvirt-debuginfo-0.10.2-29.el6_5.3.s390.rpm
libvirt-debuginfo-0.10.2-29.el6_5.3.s390x.rpm
libvirt-devel-0.10.2-29.el6_5.3.s390.rpm
libvirt-devel-0.10.2-29.el6_5.3.s390x.rpm
libvirt-python-0.10.2-29.el6_5.3.s390x.rpm

x86_64:
libvirt-0.10.2-29.el6_5.3.x86_64.rpm
libvirt-client-0.10.2-29.el6_5.3.i686.rpm
libvirt-client-0.10.2-29.el6_5.3.x86_64.rpm
libvirt-debuginfo-0.10.2-29.el6_5.3.i686.rpm
libvirt-debuginfo-0.10.2-29.el6_5.3.x86_64.rpm
libvirt-devel-0.10.2-29.el6_5.3.i686.rpm
libvirt-devel-0.10.2-29.el6_5.3.x86_64.rpm
libvirt-python-0.10.2-29.el6_5.3.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/libvirt-0.10.2-29.el6_5.3.src.rpm

x86_64:
libvirt-debuginfo-0.10.2-29.el6_5.3.x86_64.rpm
libvirt-lock-sanlock-0.10.2-29.el6_5.3.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/libvirt-0.10.2-29.el6_5.3.src.rpm

i386:
libvirt-0.10.2-29.el6_5.3.i686.rpm
libvirt-client-0.10.2-29.el6_5.3.i686.rpm
libvirt-debuginfo-0.10.2-29.el6_5.3.i686.rpm
libvirt-devel-0.10.2-29.el6_5.3.i686.rpm
libvirt-python-0.10.2-29.el6_5.3.i686.rpm

x86_64:
libvirt-0.10.2-29.el6_5.3.x86_64.rpm
libvirt-client-0.10.2-29.el6_5.3.i686.rpm
libvirt-client-0.10.2-29.el6_5.3.x86_64.rpm
libvirt-debuginfo-0.10.2-29.el6_5.3.i686.rpm
libvirt-debuginfo-0.10.2-29.el6_5.3.x86_64.rpm
libvirt-devel-0.10.2-29.el6_5.3.i686.rpm
libvirt-devel-0.10.2-29.el6_5.3.x86_64.rpm
libvirt-python-0.10.2-29.el6_5.3.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/libvirt-0.10.2-29.el6_5.3.src.rpm

x86_64:
libvirt-debuginfo-0.10.2-29.el6_5.3.x86_64.rpm
libvirt-lock-sanlock-0.10.2-29.el6_5.3.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-6458.html
https://www.redhat.com/security/data/cve/CVE-2014-1447.html
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
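Both flaws in this advisory need nothing more than a read-only connection to libvirtd, so the practical question on a host is who can open one. The following is an editor's added example, not libvirt's or Red Hat's code: it parses the key = value syntax of libvirtd.conf and reports the settings that widen read-only access. The defaults table is an assumption drawn from the commented-out defaults in the libvirtd.conf shipped with the 0.10.x series (check it against your own file), and the three sample configurations are constructed.

```python
"""Who can open the read-only libvirtd connection that CVE-2013-6458 and
CVE-2014-1447 require? Editor's added example, not libvirt code."""
import re
from typing import Dict, List, Union

Value = Union[int, str]

# Assumed defaults (the shipped libvirtd.conf comments these out, so an
# empty or fully commented file yields exactly these values).
DEFAULTS: Dict[str, Value] = {
    "unix_sock_ro_perms": "0777",   # read-only socket open to every local user
    "unix_sock_group": "root",
    "auth_unix_ro": "none",
    "listen_tls": 1,
    "listen_tcp": 0,
    "auth_tcp": "sasl",
}

_LINE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.+?)\s*$')


def parse_libvirtd_conf(text: str) -> Dict[str, Value]:
    """Effective settings: DEFAULTS overlaid with whatever the file sets."""
    settings: Dict[str, Value] = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]   # comment runs to end of line ('#' inside quotes not handled)
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] == '"':
            settings[key] = value[1:-1]      # quoted string
        elif value.isdigit():
            settings[key] = int(value)       # bare integer
        else:
            settings[key] = value            # lists such as ["..."] kept verbatim
    return settings


def audit_read_only_access(settings: Dict[str, Value]) -> List[str]:
    """One finding per setting that hands out read-only connections too widely."""
    findings: List[str] = []
    perms_str = str(settings["unix_sock_ro_perms"])
    perms = int(perms_str, 8)
    if perms & 0o002:
        findings.append("unix_sock_ro_perms=%s: every local user can connect read-only "
                        "(auth_unix_ro=%s)" % (perms_str, settings["auth_unix_ro"]))
    elif perms & 0o020 and settings["auth_unix_ro"] == "none":
        findings.append("unix_sock_ro_perms=%s: all members of group '%s' connect "
                        "read-only without authentication"
                        % (perms_str, settings["unix_sock_group"]))
    # listen_tcp only matters when libvirtd runs with --listen, but then
    # auth_tcp="none" hands the same API to unauthenticated remote clients.
    if settings["listen_tcp"] == 1 and settings["auth_tcp"] == "none":
        findings.append("listen_tcp=1 with auth_tcp=none: unauthenticated remote clients")
    return findings


def audit_text(text: str) -> List[str]:
    return audit_read_only_access(parse_libvirtd_conf(text))


# Constructed samples, not taken from any real host.
STOCK_CONF = "# everything commented out, as shipped\n#listen_tcp = 1\n"
WEAK_CONF = '''
listen_tcp = 1
auth_tcp = "none"
unix_sock_ro_perms = "0777"
'''
HARDENED_CONF = '''
listen_tcp = 0
unix_sock_group = "libvirt"
unix_sock_ro_perms = "0770"
auth_unix_ro = "polkit"
'''

if __name__ == "__main__":
    for label, conf in (("stock", STOCK_CONF), ("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_text(conf) or ["no findings"])
```

The stock file already yields one finding: with the documented defaults any local account can reach the read-only socket, which is exactly the precondition both CVEs need. libvirtd only listens on TCP/TLS when started with --listen (LIBVIRTD_ARGS in /etc/sysconfig/libvirtd on RHEL 6), so the listen_tcp finding is conditional on that; the Unix-socket findings apply regardless.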
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFS5+5FXlSAg2UNWIIRAqvdAJ40K73i7SL5I2Z63oM59ZFx9lwVpwCffUnA
+mAKpw0eJGIld9MM5UfII9M=
=w0tY
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Wed Jan 29 17:44:14 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 29 Jan 2014 17:44:14 +0000
Subject: [RHSA-2014:0108-01] Moderate: kernel security and bug fix update
Message-ID: <201401291744.s0THiEqG003989@int-mx09.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: kernel security and bug fix update
Advisory ID:       RHSA-2014:0108-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0108.html
Issue date:        2014-01-29
CVE Names:         CVE-2013-4494
=====================================================================

1. Summary:

Updated kernel packages that fix one security issue and three bugs are now
available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux (v. 5 server) - i386, ia64, noarch, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, noarch, x86_64

3. Description:

The kernel packages contain the Linux kernel, the core of any Linux
operating system.

* It was found that the Xen hypervisor did not always lock 'page_alloc_lock'
and 'grant_table.lock' in the same order. This could potentially lead to a
deadlock. A malicious guest administrator could use this flaw to cause a
denial of service on the host. (CVE-2013-4494, Moderate)

Red Hat would like to thank the Xen project for reporting this issue.
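The lock order reversal behind CVE-2013-4494 is easier to see with a checker that refuses out-of-order acquisition. The following is an editor's added example in Python, not Xen or Red Hat code: the two locks are stand-ins named after Xen's page_alloc_lock and grant_table.lock (in the hypervisor they are C spinlocks), the ranks are assumed, and the two code paths are constructed to show one path taking the locks in the agreed order and the other reversing them.

```python
"""Lock-hierarchy checker: turns an ABBA ordering bug into an immediate error.
Editor's added example; the lock names are stand-ins for Xen's, not Xen code."""
import threading
from typing import Dict, List


class LockOrderViolation(RuntimeError):
    """Raised when a thread takes a lock whose rank is not above all it holds."""


class RankedLock:
    """A non-reentrant lock with a rank; a thread may only acquire locks in
    strictly increasing rank order, so no two threads can ever form an
    A-then-B / B-then-A cycle."""

    _held = threading.local()   # per-thread stack of currently held RankedLocks

    def __init__(self, name: str, rank: int) -> None:
        self.name = name
        self.rank = rank
        self._lock = threading.Lock()

    @classmethod
    def _stack(cls) -> List["RankedLock"]:
        if not hasattr(cls._held, "stack"):
            cls._held.stack = []
        return cls._held.stack

    def __enter__(self) -> "RankedLock":
        stack = self._stack()
        if stack and stack[-1].rank >= self.rank:
            # Refuse before blocking: the violation is detected on one thread,
            # without waiting for another thread to complete the deadlock.
            raise LockOrderViolation("%s (rank %d) taken while holding %s (rank %d)"
                                     % (self.name, self.rank, stack[-1].name, stack[-1].rank))
        self._lock.acquire()
        stack.append(self)
        return self

    def __exit__(self, *exc) -> None:
        stack = self._stack()
        assert stack and stack[-1] is self, "locks must be released in LIFO order"
        stack.pop()
        self._lock.release()


# Stand-ins for the two Xen locks; the assumed hierarchy is page_alloc_lock first.
page_alloc_lock = RankedLock("page_alloc_lock", rank=1)
grant_table_lock = RankedLock("grant_table.lock", rank=2)


def path_a() -> str:
    """Agreed order: page_alloc_lock, then grant_table.lock."""
    with page_alloc_lock:
        with grant_table_lock:
            return "a: alloc -> grant"


def path_b() -> str:
    """Reversed order, the bug class in the advisory: grant_table.lock first."""
    with grant_table_lock:
        with page_alloc_lock:
            return "b: grant -> alloc"


def check_paths() -> Dict[str, str]:
    """Run both paths on the calling thread and report which one the checker rejects."""
    results: Dict[str, str] = {}
    for fn in (path_a, path_b):
        try:
            results[fn.__name__] = fn()
        except LockOrderViolation as e:
            results[fn.__name__] = "violation: %s" % e
    return results


if __name__ == "__main__":
    for name, outcome in check_paths().items():
        print(name, outcome)
```

A real deadlock needs two threads to interleave at exactly the wrong moment, which is why this class of bug survives testing; a rank check fails deterministically on the first out-of-order acquisition, on a single thread. Linux's lockdep applies the same idea to the kernel's own locks.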
This update also fixes the following bugs:

* A recent patch to the CIFS code that introduced the NTLMSSP (NT LAN
Manager Security Support Provider) authentication mechanism caused a
regression in CIFS behavior. As a result of the regression, an encryption
key that is returned during the SMB negotiation protocol response was only
used for the first session that was created on the SMB client. Any
subsequent mounts to the same server did not use the encryption key
returned by the initial negotiation with the server. As a consequence, it
was impossible to mount multiple SMB shares with different credentials to
the same server. A patch has been applied to correct this problem so that
an encryption key or a server challenge is now provided for every SMB
session during the SMB negotiation protocol response. (BZ#1029865)

* The igb driver previously used a 16-bit mask when writing values of the
flow control high-water mark to hardware registers on a network device.
Consequently, the values were truncated on some network devices, disrupting
the flow control. A patch has been applied to the igb driver so that it now
uses a 32-bit mask as expected. (BZ#1041694)

* The IPMI driver did not properly handle kernel panic messages.
Consequently, when a kernel panic occurred on a system that was utilizing
IPMI without Kdump being set up, a second kernel panic could be triggered.
A patch has been applied to the IPMI driver to fix this problem, and a
message handler now properly waits for a response to panic event messages.
(BZ#1049731)

All kernel users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. The system must be
rebooted for this update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

To install kernel packages manually, use "rpm -ivh [package]". Do not
use "rpm -Uvh" as that will remove the running kernel binaries from
your system. You may use "rpm -e" to remove old kernels after
determining that the new kernel functions properly on your system.

5. Bugs fixed (https://bugzilla.redhat.com/):

1026243 - CVE-2013-4494 kernel: xen: Lock order reversal between page allocation and grant table locks

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/kernel-2.6.18-371.4.1.el5.src.rpm

i386:
kernel-2.6.18-371.4.1.el5.i686.rpm
kernel-PAE-2.6.18-371.4.1.el5.i686.rpm
kernel-PAE-debuginfo-2.6.18-371.4.1.el5.i686.rpm
kernel-PAE-devel-2.6.18-371.4.1.el5.i686.rpm
kernel-debug-2.6.18-371.4.1.el5.i686.rpm
kernel-debug-debuginfo-2.6.18-371.4.1.el5.i686.rpm
kernel-debug-devel-2.6.18-371.4.1.el5.i686.rpm
kernel-debuginfo-2.6.18-371.4.1.el5.i686.rpm
kernel-debuginfo-common-2.6.18-371.4.1.el5.i686.rpm
kernel-devel-2.6.18-371.4.1.el5.i686.rpm
kernel-headers-2.6.18-371.4.1.el5.i386.rpm
kernel-xen-2.6.18-371.4.1.el5.i686.rpm
kernel-xen-debuginfo-2.6.18-371.4.1.el5.i686.rpm
kernel-xen-devel-2.6.18-371.4.1.el5.i686.rpm

noarch:
kernel-doc-2.6.18-371.4.1.el5.noarch.rpm

x86_64:
kernel-2.6.18-371.4.1.el5.x86_64.rpm
kernel-debug-2.6.18-371.4.1.el5.x86_64.rpm
kernel-debug-debuginfo-2.6.18-371.4.1.el5.x86_64.rpm
kernel-debug-devel-2.6.18-371.4.1.el5.x86_64.rpm
kernel-debuginfo-2.6.18-371.4.1.el5.x86_64.rpm
kernel-debuginfo-common-2.6.18-371.4.1.el5.x86_64.rpm
kernel-devel-2.6.18-371.4.1.el5.x86_64.rpm
kernel-headers-2.6.18-371.4.1.el5.x86_64.rpm
kernel-xen-2.6.18-371.4.1.el5.x86_64.rpm
kernel-xen-debuginfo-2.6.18-371.4.1.el5.x86_64.rpm
kernel-xen-devel-2.6.18-371.4.1.el5.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/kernel-2.6.18-371.4.1.el5.src.rpm

i386:
kernel-2.6.18-371.4.1.el5.i686.rpm
kernel-PAE-2.6.18-371.4.1.el5.i686.rpm
kernel-PAE-debuginfo-2.6.18-371.4.1.el5.i686.rpm
kernel-PAE-devel-2.6.18-371.4.1.el5.i686.rpm
kernel-debug-2.6.18-371.4.1.el5.i686.rpm
kernel-debug-debuginfo-2.6.18-371.4.1.el5.i686.rpm
kernel-debug-devel-2.6.18-371.4.1.el5.i686.rpm
kernel-debuginfo-2.6.18-371.4.1.el5.i686.rpm
kernel-debuginfo-common-2.6.18-371.4.1.el5.i686.rpm
kernel-devel-2.6.18-371.4.1.el5.i686.rpm
kernel-headers-2.6.18-371.4.1.el5.i386.rpm
kernel-xen-2.6.18-371.4.1.el5.i686.rpm
kernel-xen-debuginfo-2.6.18-371.4.1.el5.i686.rpm
kernel-xen-devel-2.6.18-371.4.1.el5.i686.rpm

ia64:
kernel-2.6.18-371.4.1.el5.ia64.rpm
kernel-debug-2.6.18-371.4.1.el5.ia64.rpm
kernel-debug-debuginfo-2.6.18-371.4.1.el5.ia64.rpm
kernel-debug-devel-2.6.18-371.4.1.el5.ia64.rpm
kernel-debuginfo-2.6.18-371.4.1.el5.ia64.rpm
kernel-debuginfo-common-2.6.18-371.4.1.el5.ia64.rpm
kernel-devel-2.6.18-371.4.1.el5.ia64.rpm
kernel-headers-2.6.18-371.4.1.el5.ia64.rpm
kernel-xen-2.6.18-371.4.1.el5.ia64.rpm
kernel-xen-debuginfo-2.6.18-371.4.1.el5.ia64.rpm
kernel-xen-devel-2.6.18-371.4.1.el5.ia64.rpm

noarch:
kernel-doc-2.6.18-371.4.1.el5.noarch.rpm

ppc:
kernel-2.6.18-371.4.1.el5.ppc64.rpm
kernel-debug-2.6.18-371.4.1.el5.ppc64.rpm
kernel-debug-debuginfo-2.6.18-371.4.1.el5.ppc64.rpm
kernel-debug-devel-2.6.18-371.4.1.el5.ppc64.rpm
kernel-debuginfo-2.6.18-371.4.1.el5.ppc64.rpm
kernel-debuginfo-common-2.6.18-371.4.1.el5.ppc64.rpm
kernel-devel-2.6.18-371.4.1.el5.ppc64.rpm
kernel-headers-2.6.18-371.4.1.el5.ppc.rpm
kernel-headers-2.6.18-371.4.1.el5.ppc64.rpm
kernel-kdump-2.6.18-371.4.1.el5.ppc64.rpm
kernel-kdump-debuginfo-2.6.18-371.4.1.el5.ppc64.rpm
kernel-kdump-devel-2.6.18-371.4.1.el5.ppc64.rpm

s390x:
kernel-2.6.18-371.4.1.el5.s390x.rpm
kernel-debug-2.6.18-371.4.1.el5.s390x.rpm
kernel-debug-debuginfo-2.6.18-371.4.1.el5.s390x.rpm
kernel-debug-devel-2.6.18-371.4.1.el5.s390x.rpm
kernel-debuginfo-2.6.18-371.4.1.el5.s390x.rpm
kernel-debuginfo-common-2.6.18-371.4.1.el5.s390x.rpm
kernel-devel-2.6.18-371.4.1.el5.s390x.rpm
kernel-headers-2.6.18-371.4.1.el5.s390x.rpm
kernel-kdump-2.6.18-371.4.1.el5.s390x.rpm
kernel-kdump-debuginfo-2.6.18-371.4.1.el5.s390x.rpm
kernel-kdump-devel-2.6.18-371.4.1.el5.s390x.rpm

x86_64:
kernel-2.6.18-371.4.1.el5.x86_64.rpm
kernel-debug-2.6.18-371.4.1.el5.x86_64.rpm
kernel-debug-debuginfo-2.6.18-371.4.1.el5.x86_64.rpm
kernel-debug-devel-2.6.18-371.4.1.el5.x86_64.rpm
kernel-debuginfo-2.6.18-371.4.1.el5.x86_64.rpm
kernel-debuginfo-common-2.6.18-371.4.1.el5.x86_64.rpm
kernel-devel-2.6.18-371.4.1.el5.x86_64.rpm
kernel-headers-2.6.18-371.4.1.el5.x86_64.rpm
kernel-xen-2.6.18-371.4.1.el5.x86_64.rpm
kernel-xen-debuginfo-2.6.18-371.4.1.el5.x86_64.rpm
kernel-xen-devel-2.6.18-371.4.1.el5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-4494.html
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFS6T3KXlSAg2UNWIIRAizrAJ9HvUjFrc1yMReUU2KRGMYV2denIgCaA8zI
CTg1u8g/cdJJ10R3kO5e88I=
=DPjK
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Thu Jan 30 20:29:18 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 30 Jan 2014 20:29:18 +0000
Subject: [RHSA-2014:0112-01] Moderate: openstack-nova security and bug fix update
Message-ID: <201401302029.s0UKTCiE028321@int-mx02.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: openstack-nova security and bug fix update
Advisory ID:       RHSA-2014:0112-01
Product:           Red Hat OpenStack
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0112.html
Issue date:        2014-01-30
CVE Names:         CVE-2013-4463 CVE-2013-6491
=====================================================================

1. Summary:

Updated openstack-nova packages that fix two security issues and three bugs
are now available for Red Hat Enterprise Linux OpenStack Platform 3.0.

The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

2. Relevant releases/architectures:

OpenStack 3 - noarch

3. Description:

The openstack-nova packages provide OpenStack Compute (nova), which
provides services for provisioning, managing, and using virtual machine
instances.

It was discovered that enabling "qpid_protocol = ssl" in the nova.conf file
did not result in nova using SSL to communicate to Qpid. If Qpid was not
configured to enforce SSL this could lead to sensitive information being
sent unencrypted over the communication channel. (CVE-2013-6491)

A flaw was found in the way OpenStack Compute controlled the size of disk
images. An authenticated remote user could use malicious compressed qcow2
disk images to consume large amounts of disk space, potentially causing a
denial of service on the OpenStack Compute nodes. (CVE-2013-4463)

Red Hat would like to thank the OpenStack project for reporting
CVE-2013-4463. Upstream acknowledges Bernhard M. Wiedemann of SuSE as the
original reporter of this issue.

This update also fixes the following bugs:

* When using GroupAntiAffinityFilter, the scheduler was not filtering
instances in the group, which could cause an instance to not be scheduled
at all if a group was specified on boot. With this fix, groups are taken
into account and the instance is scheduled as expected. (BZ#1014948)

* If an exchange had not been created previously by a consumer, the
publisher would crash because it could not find the specified exchange.
This resulted from Qpid's direct publisher using the wrong exchange type
'Direct'. With this fix, the exchange type in the publisher has been
changed to 'direct'. (BZ#1042055)

* Unhandled errors in the Qpid consuming thread could kill it silently and
isolate the component from the rest of the system. To fix this, the
consuming thread has been made more resilient to errors by ensuring it does
not die on an unhandled error. Compute now logs the error and retries the
consuming thread. (BZ#1050213)

All openstack-nova users are advised to upgrade to these updated packages,
which contain backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

996766 - CVE-2013-6491: Setting Qpid SSL protocol sets wrong variable [openstack-3]
1014948 - GroupAntiAffinityFilter filters are broken
1023239 - CVE-2013-4463 OpenStack Nova: Compressed disk image DoS
1044562 - booting an instance with swap or ephemeral secondary disks doesn't work
1050213 - Thread consuming qpid messages can die silently
1059504 - CVE-2013-6491 Openstack nova: qpid SSL configuration

6. Package List:

OpenStack 3:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHOS/SRPMS/openstack-nova-2013.1.4-4.el6ost.src.rpm

noarch:
openstack-nova-2013.1.4-4.el6ost.noarch.rpm
openstack-nova-api-2013.1.4-4.el6ost.noarch.rpm
openstack-nova-cells-2013.1.4-4.el6ost.noarch.rpm
openstack-nova-cert-2013.1.4-4.el6ost.noarch.rpm
openstack-nova-common-2013.1.4-4.el6ost.noarch.rpm
openstack-nova-compute-2013.1.4-4.el6ost.noarch.rpm
openstack-nova-conductor-2013.1.4-4.el6ost.noarch.rpm
openstack-nova-console-2013.1.4-4.el6ost.noarch.rpm
openstack-nova-doc-2013.1.4-4.el6ost.noarch.rpm
openstack-nova-network-2013.1.4-4.el6ost.noarch.rpm
openstack-nova-objectstore-2013.1.4-4.el6ost.noarch.rpm
openstack-nova-scheduler-2013.1.4-4.el6ost.noarch.rpm
python-nova-2013.1.4-4.el6ost.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-4463.html
https://www.redhat.com/security/data/cve/CVE-2013-6491.html
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
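The compressed-image attack in CVE-2013-4463 works because a qcow2 file's size on disk says nothing about the virtual disk it declares: a header of a few dozen bytes can announce terabytes, and the hypervisor grows the file toward that as the guest writes. The following is an editor's added example, not nova's code. It reads the virtual size straight from the qcow2 header (layout per the qcow2 format: big-endian magic bytes 51 46 49 fb, version, backing_file_offset, backing_file_size, cluster_bits, size) and applies the check a compute node needs, virtual size against the flavor's root disk, with raw images sized by their length. The header bytes and flavor sizes are constructed; make_qcow2_header() writes only the first 32 header bytes and is not a usable image.

```python
"""Size a disk image by its declared virtual size, not its bytes on disk.
Editor's added example, not OpenStack Compute code."""
import struct

QCOW2_MAGIC = b"QFI\xfb"
# First 32 bytes of a qcow2 header, big-endian:
#   magic(4s) version(I) backing_file_offset(Q) backing_file_size(I)
#   cluster_bits(I) size(Q)   <- size is the virtual disk size in bytes
_HEADER = struct.Struct(">4sIQIIQ")
GIB = 1024 ** 3


class ImageTooLarge(ValueError):
    """Image declares a virtual disk bigger than the flavor allows."""


def virtual_size(image: bytes) -> int:
    """Virtual size in bytes: the qcow2 header field, or len() for a raw image."""
    if len(image) >= _HEADER.size and image[:4] == QCOW2_MAGIC:
        _magic, version, _bf_off, _bf_len, _cluster_bits, size = _HEADER.unpack_from(image)
        if version not in (2, 3):
            raise ValueError("unsupported qcow2 version %d" % version)
        return size
    return len(image)   # raw: the file is the disk


def check_image_fits(image: bytes, flavor_root_gb: int) -> int:
    """Return the virtual size, or raise ImageTooLarge if it exceeds the flavor's root disk."""
    size = virtual_size(image)
    limit = flavor_root_gb * GIB
    if size > limit:
        raise ImageTooLarge("virtual size %d bytes exceeds flavor root disk of %d GiB"
                            % (size, flavor_root_gb))
    return size


def image_fits(image: bytes, flavor_root_gb: int) -> bool:
    try:
        check_image_fits(image, flavor_root_gb)
        return True
    except ImageTooLarge:
        return False


def make_qcow2_header(virtual_bytes: int, version: int = 2) -> bytes:
    """Constructed minimal header for testing: 32 bytes, no backing file, 64 KiB clusters."""
    return _HEADER.pack(QCOW2_MAGIC, version, 0, 0, 16, virtual_bytes)


if __name__ == "__main__":
    bomb = make_qcow2_header(2 * 1024 * GIB)      # 32 bytes on disk, 2 TiB declared
    print("on disk: %d bytes, declared: %d GiB, fits 20 GiB flavor: %s"
          % (len(bomb), virtual_size(bomb) // GIB, image_fits(bomb, 20)))
    print("raw 4 KiB image fits 1 GiB flavor:", image_fits(b"\x00" * 4096, 1))
```

On a host with qemu installed, qemu-img info --output=json reports the same field as virtual-size; reading the header directly keeps the example runnable offline. Whichever source is used, the comparison has to happen before the image is converted or written into the instance directory, since by then the space is already being consumed.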
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFS6rWfXlSAg2UNWIIRAjNQAJ4imHqsxUofj0gu/HKdu5rb2ILXnACdEsIu
sI/icPgJFzG44tTOka9O2pI=
=iRE5
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Thu Jan 30 20:30:41 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 30 Jan 2014 20:30:41 +0000
Subject: [RHSA-2014:0113-01] Moderate: openstack-keystone security update
Message-ID: <201401302030.s0UKUawZ014057@int-mx09.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: openstack-keystone security update
Advisory ID:       RHSA-2014:0113-01
Product:           Red Hat OpenStack
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0113.html
Issue date:        2014-01-30
CVE Names:         CVE-2013-4477
=====================================================================

1. Summary:

Updated openstack-keystone packages that fix one security issue are now
available for Red Hat Enterprise Linux OpenStack Platform 3.0.

The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

2. Relevant releases/architectures:

OpenStack 3 - noarch

3. Description:

The openstack-keystone packages provide keystone, a Python implementation
of the OpenStack Identity service API, which provides Identity, Token,
Catalog, and Policy services.

A flaw was discovered in the way the LDAP backend in keystone handled the
removal of a role. A user could unintentionally be granted a role if the
role being removed had not been previously granted to that user. Note that
only OpenStack Identity setups using an LDAP backend were affected.
(CVE-2013-4477)

All openstack-keystone users are advised to upgrade to these updated
packages, which contain a backported patch to correct this issue.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1024401 - CVE-2013-4477 openstack-keystone: unintentional role granting with Keystone LDAP backend

6. Package List:

OpenStack 3:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHOS/SRPMS/openstack-keystone-2013.1.4-2.el6ost.src.rpm

noarch:
openstack-keystone-2013.1.4-2.el6ost.noarch.rpm
openstack-keystone-doc-2013.1.4-2.el6ost.noarch.rpm
python-keystone-2013.1.4-2.el6ost.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-4477.html
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFS6rYhXlSAg2UNWIIRAjIpAKCCVwzwHT/KoZRRuPwU2tAXXDy/NQCdGhJJ
NPJL1gHOyHP9yKqVgPpqkFo=
=1fWq
-----END PGP SIGNATURE-----
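Every advisory in this digest ends with a package list, and the question on a host is always the same: is the named build, or a later one, actually installed? The following is an editor's added example covering all four package lists above, not Red Hat tooling. parse_nvra() splits file names of the form name-version-release.arch.rpm as they appear in the lists; rpmvercmp() reimplements rpm's segment-wise comparison (digit runs compared numerically, alpha runs as strings, a numeric segment newer than an alpha one, separators ignored, a version with segments left over newer; tilde and caret rules omitted because no version on this page uses them). Epochs are assumed equal since the file names carry none. The "installed" values in SAMPLE_HOST are constructed; on a real host they come from rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n' <name>.

```python
"""Compare installed NVRs against an advisory's fixed builds the way rpm does.
Editor's added example, not Red Hat tooling."""
import re
from typing import Dict, Tuple

_SEG = re.compile(r"[0-9]+|[A-Za-z]+")   # rpm compares runs of digits or letters


def parse_nvra(filename: str) -> Tuple[str, str, str, str]:
    """'libvirt-lock-sanlock-0.10.2-29.el6_5.3.x86_64.rpm'
    -> ('libvirt-lock-sanlock', '0.10.2', '29.el6_5.3', 'x86_64')"""
    base = filename[:-4] if filename.endswith(".rpm") else filename
    nvr, arch = base.rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)   # the name itself may contain '-'
    return name, version, release, arch


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 with the semantics of rpm's rpmvercmp()."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xnum, ynum = x.isdigit(), y.isdigit()
        if xnum != ynum:
            return 1 if xnum else -1          # numeric segment is newer than alpha
        if xnum:
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):              # more digits means larger number
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1         # same length: plain string compare
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1     # leftover segments win


def evr_cmp(a: Tuple[str, str, str], b: Tuple[str, str, str]) -> int:
    """Compare (epoch, version, release) tuples, most significant part first."""
    for x, y in zip(a, b):
        r = rpmvercmp(x, y)
        if r:
            return r
    return 0


def is_fixed(installed: str, fixed: str) -> bool:
    """True when the installed package is the fixed build or a later one."""
    iname, iver, irel, _ = parse_nvra(installed)
    fname, fver, frel, _ = parse_nvra(fixed)
    if iname != fname:
        raise ValueError("different packages: %s vs %s" % (iname, fname))
    return evr_cmp(("0", iver, irel), ("0", fver, frel)) >= 0   # epoch assumed 0


# Builds named in the advisories above.
FIXED: Dict[str, str] = {
    "libvirt": "libvirt-0.10.2-29.el6_5.3.x86_64.rpm",
    "kernel": "kernel-2.6.18-371.4.1.el5.x86_64.rpm",
    "openstack-nova-compute": "openstack-nova-compute-2013.1.4-4.el6ost.noarch.rpm",
    "openstack-keystone": "openstack-keystone-2013.1.4-2.el6ost.noarch.rpm",
}
# Constructed host state (the keystone -3 rebuild is hypothetical).
SAMPLE_HOST: Dict[str, str] = {
    "libvirt": "libvirt-0.10.2-29.el6_5.2.x86_64.rpm",                  # one build short
    "kernel": "kernel-2.6.18-371.3.1.el5.x86_64.rpm",                   # older release
    "openstack-nova-compute": "openstack-nova-compute-2013.1.4-4.el6ost.noarch.rpm",
    "openstack-keystone": "openstack-keystone-2013.1.4-3.el6ost.noarch.rpm",
}


def report(host: Dict[str, str] = SAMPLE_HOST, fixed: Dict[str, str] = FIXED) -> Dict[str, bool]:
    return {name: is_fixed(host[name], fixed[name]) for name in fixed}


if __name__ == "__main__":
    for name, ok in report().items():
        print("%-24s %s" % (name, "fixed" if ok else "VULNERABLE"))
```

For the kernel the installed list is not enough: several kernels can coexist (which is why the advisory says to use rpm -ivh rather than -Uvh), so compare against the running one from uname -r, and remember the fix is not in effect until the reboot the advisory calls for. For libvirtd the advisory notes the daemon is restarted on update, so the installed version is the effective one.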