From bugzilla at redhat.com Mon Mar 3 18:35:42 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 3 Mar 2014 18:35:42 +0000
Subject: [RHSA-2014:0245-01] Important: activemq security update
Message-ID: <201403031835.s23IZhVi001040@int-mx02.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: activemq security update
Advisory ID:       RHSA-2014:0245-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0245.html
Issue date:        2014-03-03
CVE Names:         CVE-2013-2035 CVE-2013-4152 CVE-2013-4330 CVE-2014-0003
=====================================================================

1. Summary:

An updated activemq package that fixes multiple security issues is now available for Red Hat OpenShift Enterprise 2.0.

The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

RHOSE Infrastructure 2.0 - x86_64
RHOSE Node 2.0 - x86_64

3. Description:

Apache ActiveMQ provides a SOA infrastructure to connect processes across heterogeneous systems.

A flaw was found in Apache Camel's parsing of the FILE_NAME header. A remote attacker able to submit messages to a Camel route, which would write the provided message to a file, could provide expression language (EL) expressions in the FILE_NAME header, which would be evaluated on the server. This could lead to arbitrary remote code execution in the context of the Camel server process. (CVE-2013-4330)

It was found that the Apache Camel XSLT component allowed XSL stylesheets to call external Java methods. A remote attacker able to submit messages to a Camel route could use this flaw to perform arbitrary remote code execution in the context of the Camel server process. (CVE-2014-0003)

It was discovered that the Spring OXM wrapper did not expose any property for disabling entity resolution when using the JAXB unmarshaller. A remote attacker could use this flaw to conduct XML External Entity (XXE) attacks on web sites, and read files in the context of the user running the application server. The patch for this flaw disables external entity processing by default, and provides a configuration directive to re-enable it. (CVE-2013-4152)

The HawtJNI Library class wrote native libraries to a predictable file name in /tmp/ when the native libraries were bundled in a JAR file, and no custom library path was specified. A local attacker could overwrite these native libraries with malicious versions during the window between when HawtJNI writes them and when they are executed. (CVE-2013-2035)

The CVE-2013-2035 issue was discovered by Florian Weimer of the Red Hat Product Security Team, and the CVE-2014-0003 issue was discovered by David Jorm of the Red Hat Security Response Team.

All users of Red Hat OpenShift Enterprise 2.0 are advised to upgrade to this updated package, which corrects these issues.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

958618 - CVE-2013-2035 HawtJNI: predictable temporary file name leading to local arbitrary code execution
1000186 - CVE-2013-4152 Spring Framework: XML External Entity (XXE) injection flaw
1011726 - CVE-2013-4330 Camel: remote code execution via header field manipulation
1049692 - CVE-2014-0003 Camel: remote code execution via XSL

6. Package List:

RHOSE Infrastructure 2.0:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHOSE/SRPMS/activemq-5.9.0-4.redhat.610328.el6op.src.rpm

x86_64:
activemq-5.9.0-4.redhat.610328.el6op.x86_64.rpm
activemq-client-5.9.0-4.redhat.610328.el6op.x86_64.rpm

RHOSE Node 2.0:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHOSE/SRPMS/activemq-5.9.0-4.redhat.610328.el6op.src.rpm

x86_64:
activemq-client-5.9.0-4.redhat.610328.el6op.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-2035.html
https://www.redhat.com/security/data/cve/CVE-2013-4152.html
https://www.redhat.com/security/data/cve/CVE-2013-4330.html
https://www.redhat.com/security/data/cve/CVE-2014-0003.html
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
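The CVE-2013-2035 paragraph above describes a classic temp-file race: a native library is dropped at a name every local user can predict, then loaded a moment later. The C program below is an added example written for this page, not HawtJNI or ActiveMQ code; it puts the predictable-path extraction next to a hardened version that uses a private mkdtemp() directory and O_EXCL|O_NOFOLLOW, so a pre-placed file or symlink makes the create fail instead of being silently reused. The function names, the `hawtjni-XXXXXX` directory pattern and the "library" payload are all constructed for the demo.

```c
/* Added example (not HawtJNI's or ActiveMQ's code): the predictable-path
 * extraction behind CVE-2013-2035 next to a hardened version. All names and
 * the payload are constructed for this demo. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Writes all of `blob`; returns 0 on success, -1 on a short write. */
static int write_all(int fd, const void *blob, size_t len)
{
    const char *p = blob;
    while (len > 0) {
        ssize_t w = write(fd, p, len);
        if (w <= 0) return -1;
        p += w;
        len -= (size_t)w;
    }
    return 0;
}

/* Vulnerable pattern: <tmpdir>/<libname> is the same for every user and every
 * run. A local attacker can create that path (or a symlink there) first and
 * O_TRUNC reuses it, or rewrite the file between our write() and the later
 * dlopen(). Returns 0 on success, -1 on error; `out` receives the path. */
int extract_predictable(const char *tmpdir, const char *libname,
                        const void *blob, size_t len, char *out, size_t outsz)
{
    snprintf(out, outsz, "%s/%s", tmpdir, libname);
    int fd = open(out, O_WRONLY | O_CREAT | O_TRUNC, 0755);
    if (fd < 0) return -1;
    int rc = write_all(fd, blob, len);
    close(fd);
    return rc;
}

/* Hardened helper: the file must not exist yet (O_EXCL), must not be a
 * symlink (O_NOFOLLOW) and is owner-only. Returns an fd, or -1 with errno. */
int open_new_private_file(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0700);
}

/* 1 if `dir` is a directory we own with no group/world bits, else 0. */
int dir_is_private(const char *dir)
{
    struct stat st;
    if (lstat(dir, &st) != 0 || !S_ISDIR(st.st_mode)) return 0;
    return st.st_uid == getuid() && (st.st_mode & 077) == 0;
}

/* Hardened pattern: a fresh mkdtemp() directory (mode 0700, random suffix)
 * plus open_new_private_file(). Nobody else can pre-create, replace or even
 * list the path, so the write-then-load window is closed. */
int extract_private(const char *tmpdir, const char *libname,
                    const void *blob, size_t len, char *out, size_t outsz)
{
    char dir[PATH_MAX];
    snprintf(dir, sizeof dir, "%s/hawtjni-XXXXXX", tmpdir);   /* constructed pattern */
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(out, outsz, "%s/%s", dir, libname);
    int fd = open_new_private_file(out);
    if (fd < 0) return -1;
    int rc = write_all(fd, blob, len);
    close(fd);
    return rc;
}

int main(void)
{
    char out[PATH_MAX];
    static const char lib[] = "\x7f" "ELF-stand-in";   /* constructed payload */
    if (extract_private("/tmp", "libdemo.so", lib, sizeof lib, out, sizeof out) == 0)
        printf("extracted to %s (private dir: %d)\n", out, dir_is_private(out) == 0);
    return 0;
}
```

dir_is_private() is the same check one would run against any directory a service uses for short-lived artefacts before trusting its contents; a directory under a shared /tmp that is group- or world-writable fails it.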
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFTFMqtXlSAg2UNWIIRAmxlAJ4hgdBGo9LDYXKLTLPcR3eeoTFkpgCfYyo6
/weZeuqSRiJHTL3hliZydtk=
=xAkl
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Mon Mar 3 18:36:50 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 3 Mar 2014 18:36:50 +0000
Subject: [RHSA-2014:0246-01] Important: gnutls security update
Message-ID: <201403031836.s23Iao7O001883@int-mx02.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: gnutls security update
Advisory ID:       RHSA-2014:0246-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0246.html
Issue date:        2014-03-03
CVE Names:         CVE-2014-0092
=====================================================================

1. Summary:

Updated gnutls packages that fix one security issue are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64

3. Description:

The GnuTLS library provides support for cryptographic algorithms and for protocols such as Transport Layer Security (TLS).

It was discovered that GnuTLS did not correctly handle certain errors that could occur during the verification of an X.509 certificate, causing it to incorrectly report a successful verification. An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid for a site chosen by the attacker. (CVE-2014-0092)

The CVE-2014-0092 issue was discovered by Nikos Mavrogiannopoulos of the Red Hat Security Technologies Team.

Users of GnuTLS are advised to upgrade to these updated packages, which correct this issue. For the update to take effect, all applications linked to the GnuTLS library must be restarted.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1069865 - CVE-2014-0092 gnutls: incorrect error handling in certificate verification (GNUTLS-SA-2014-2)

6. Package List:

Red Hat Enterprise Linux Desktop (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/gnutls-2.8.5-13.el6_5.src.rpm

i386:
gnutls-2.8.5-13.el6_5.i686.rpm
gnutls-debuginfo-2.8.5-13.el6_5.i686.rpm
gnutls-utils-2.8.5-13.el6_5.i686.rpm

x86_64:
gnutls-2.8.5-13.el6_5.i686.rpm
gnutls-2.8.5-13.el6_5.x86_64.rpm
gnutls-debuginfo-2.8.5-13.el6_5.i686.rpm
gnutls-debuginfo-2.8.5-13.el6_5.x86_64.rpm
gnutls-utils-2.8.5-13.el6_5.x86_64.rpm

Red Hat Enterprise Linux Desktop Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/gnutls-2.8.5-13.el6_5.src.rpm

i386:
gnutls-debuginfo-2.8.5-13.el6_5.i686.rpm
gnutls-devel-2.8.5-13.el6_5.i686.rpm
gnutls-guile-2.8.5-13.el6_5.i686.rpm

x86_64:
gnutls-debuginfo-2.8.5-13.el6_5.i686.rpm
gnutls-debuginfo-2.8.5-13.el6_5.x86_64.rpm
gnutls-devel-2.8.5-13.el6_5.i686.rpm
gnutls-devel-2.8.5-13.el6_5.x86_64.rpm
gnutls-guile-2.8.5-13.el6_5.i686.rpm
gnutls-guile-2.8.5-13.el6_5.x86_64.rpm

Red Hat Enterprise Linux HPC Node (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/gnutls-2.8.5-13.el6_5.src.rpm

x86_64:
gnutls-2.8.5-13.el6_5.i686.rpm
gnutls-2.8.5-13.el6_5.x86_64.rpm
gnutls-debuginfo-2.8.5-13.el6_5.i686.rpm
gnutls-debuginfo-2.8.5-13.el6_5.x86_64.rpm
gnutls-utils-2.8.5-13.el6_5.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/gnutls-2.8.5-13.el6_5.src.rpm

x86_64:
gnutls-debuginfo-2.8.5-13.el6_5.i686.rpm
gnutls-debuginfo-2.8.5-13.el6_5.x86_64.rpm
gnutls-devel-2.8.5-13.el6_5.i686.rpm
gnutls-devel-2.8.5-13.el6_5.x86_64.rpm
gnutls-guile-2.8.5-13.el6_5.i686.rpm
gnutls-guile-2.8.5-13.el6_5.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/gnutls-2.8.5-13.el6_5.src.rpm

i386:
gnutls-2.8.5-13.el6_5.i686.rpm
gnutls-debuginfo-2.8.5-13.el6_5.i686.rpm
gnutls-devel-2.8.5-13.el6_5.i686.rpm
gnutls-utils-2.8.5-13.el6_5.i686.rpm

ppc64:
gnutls-2.8.5-13.el6_5.ppc.rpm
gnutls-2.8.5-13.el6_5.ppc64.rpm
gnutls-debuginfo-2.8.5-13.el6_5.ppc.rpm
gnutls-debuginfo-2.8.5-13.el6_5.ppc64.rpm
gnutls-devel-2.8.5-13.el6_5.ppc.rpm
gnutls-devel-2.8.5-13.el6_5.ppc64.rpm
gnutls-utils-2.8.5-13.el6_5.ppc64.rpm

s390x:
gnutls-2.8.5-13.el6_5.s390.rpm
gnutls-2.8.5-13.el6_5.s390x.rpm
gnutls-debuginfo-2.8.5-13.el6_5.s390.rpm
gnutls-debuginfo-2.8.5-13.el6_5.s390x.rpm
gnutls-devel-2.8.5-13.el6_5.s390.rpm
gnutls-devel-2.8.5-13.el6_5.s390x.rpm
gnutls-utils-2.8.5-13.el6_5.s390x.rpm

x86_64:
gnutls-2.8.5-13.el6_5.i686.rpm
gnutls-2.8.5-13.el6_5.x86_64.rpm
gnutls-debuginfo-2.8.5-13.el6_5.i686.rpm
gnutls-debuginfo-2.8.5-13.el6_5.x86_64.rpm
gnutls-devel-2.8.5-13.el6_5.i686.rpm
gnutls-devel-2.8.5-13.el6_5.x86_64.rpm
gnutls-utils-2.8.5-13.el6_5.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/gnutls-2.8.5-13.el6_5.src.rpm

i386:
gnutls-debuginfo-2.8.5-13.el6_5.i686.rpm
gnutls-guile-2.8.5-13.el6_5.i686.rpm

ppc64:
gnutls-debuginfo-2.8.5-13.el6_5.ppc.rpm
gnutls-debuginfo-2.8.5-13.el6_5.ppc64.rpm
gnutls-guile-2.8.5-13.el6_5.ppc.rpm
gnutls-guile-2.8.5-13.el6_5.ppc64.rpm

s390x:
gnutls-debuginfo-2.8.5-13.el6_5.s390.rpm
gnutls-debuginfo-2.8.5-13.el6_5.s390x.rpm
gnutls-guile-2.8.5-13.el6_5.s390.rpm
gnutls-guile-2.8.5-13.el6_5.s390x.rpm

x86_64:
gnutls-debuginfo-2.8.5-13.el6_5.i686.rpm
gnutls-debuginfo-2.8.5-13.el6_5.x86_64.rpm
gnutls-guile-2.8.5-13.el6_5.i686.rpm
gnutls-guile-2.8.5-13.el6_5.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/gnutls-2.8.5-13.el6_5.src.rpm

i386:
gnutls-2.8.5-13.el6_5.i686.rpm
gnutls-debuginfo-2.8.5-13.el6_5.i686.rpm
gnutls-devel-2.8.5-13.el6_5.i686.rpm
gnutls-utils-2.8.5-13.el6_5.i686.rpm

x86_64:
gnutls-2.8.5-13.el6_5.i686.rpm
gnutls-2.8.5-13.el6_5.x86_64.rpm
gnutls-debuginfo-2.8.5-13.el6_5.i686.rpm
gnutls-debuginfo-2.8.5-13.el6_5.x86_64.rpm
gnutls-devel-2.8.5-13.el6_5.i686.rpm
gnutls-devel-2.8.5-13.el6_5.x86_64.rpm
gnutls-utils-2.8.5-13.el6_5.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/gnutls-2.8.5-13.el6_5.src.rpm

i386:
gnutls-debuginfo-2.8.5-13.el6_5.i686.rpm
gnutls-guile-2.8.5-13.el6_5.i686.rpm

x86_64:
gnutls-debuginfo-2.8.5-13.el6_5.i686.rpm
gnutls-debuginfo-2.8.5-13.el6_5.x86_64.rpm
gnutls-guile-2.8.5-13.el6_5.i686.rpm
gnutls-guile-2.8.5-13.el6_5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2014-0092.html
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
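The CVE-2014-0092 description says GnuTLS "did not correctly handle certain errors" during X.509 verification and reported success instead. The mechanism is worth seeing in code: an issuer check whose contract is 1 = "may sign", 0 = "may not", whose error path leaks a negative error code through the same return value, and whose caller treats anything non-zero as success. The program below is an added example written for this page, not GnuTLS source; `cert_t`, the error code `ERR_ASN1_DER_ERROR` and the flag `FLAG_ALLOW_V1_CA` are constructed stand-ins. The V1 handling in the fixed version mirrors the separate CVE-2009-5138 issue in the Red Hat Enterprise Linux 5 advisory that follows (a V1 certificate with no basicConstraints must not be accepted as an intermediate CA unless the caller explicitly allows it).

```c
/* Added example, not GnuTLS code: a toy issuer check shaped like the path
 * behind CVE-2014-0092, vulnerable and fixed forms side by side. cert_t,
 * the error code and the flag are constructed for this demo. */
#include <stdio.h>

typedef struct {
    int version;      /* X.509 version, 1 or 3 */
    int ca;           /* basicConstraints: 1 = CA:TRUE, 0 = CA:FALSE, -1 = extension absent */
    int parse_error;  /* 0, or a negative code from decoding tbsCertificate */
} cert_t;

#define ERR_ASN1_DER_ERROR (-50)      /* constructed; stands in for a GnuTLS error code */
#define FLAG_ALLOW_V1_CA   (1u << 0)  /* constructed; like GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT */

/* Stand-in for extracting the signed data: 0 on success, negative on error. */
static int get_signed_data(const cert_t *c) { return c->parse_error; }

/* --- vulnerable shape ----------------------------------------------- */

/* Contract: 1 = issuer may act as a CA, 0 = it may not. */
static int check_if_ca_vuln(const cert_t *issuer, unsigned flags)
{
    (void)flags;
    int result = get_signed_data(issuer);
    if (result < 0)
        goto cleanup;                        /* BUG: result is still -50 here */
    if (issuer->ca == -1)
        result = (issuer->version == 1);     /* BUG: any V1 cert counts as a CA */
    else
        result = issuer->ca;
cleanup:
    return result;                           /* 1, 0 ... or a negative error code */
}

/* Caller tests "== 0" for failure, so -50 passes as "is a CA".
 * Returns 1 when the issuer is accepted as a signer, 0 otherwise. */
int issuer_accepted_vuln(const cert_t *issuer, unsigned flags)
{
    if (check_if_ca_vuln(issuer, flags) == 0)
        return 0;                            /* GNUTLS_CERT_SIGNER_NOT_CA */
    return 1;
}

/* --- fixed shape ---------------------------------------------------- */

static int check_if_ca_fixed(const cert_t *issuer, unsigned flags)
{
    int result = get_signed_data(issuer);
    if (result < 0)
        goto fail;                           /* every error ends as "not a CA" */
    if (issuer->ca == -1)
        result = (issuer->version == 1 && (flags & FLAG_ALLOW_V1_CA)) ? 1 : 0;
    else
        result = issuer->ca;
    return result;
fail:
    return 0;
}

/* Only the single positive value is accepted; an error code can no longer slip through. */
int issuer_accepted_fixed(const cert_t *issuer, unsigned flags)
{
    return check_if_ca_fixed(issuer, flags) == 1;
}

int main(void)
{
    cert_t undecodable = { 3, 1, ERR_ASN1_DER_ERROR }; /* claims CA:TRUE, fails to decode */
    cert_t v1_leaf     = { 1, -1, 0 };                 /* V1 end-entity cert, no basicConstraints */
    cert_t real_ca     = { 3, 1, 0 };
    printf("undecodable issuer: vuln=%d fixed=%d\n",
           issuer_accepted_vuln(&undecodable, 0), issuer_accepted_fixed(&undecodable, 0));
    printf("V1 intermediate:    vuln=%d fixed=%d\n",
           issuer_accepted_vuln(&v1_leaf, 0), issuer_accepted_fixed(&v1_leaf, 0));
    printf("real CA:            vuln=%d fixed=%d\n",
           issuer_accepted_vuln(&real_ca, 0), issuer_accepted_fixed(&real_ca, 0));
    return 0;
}
```

The two lines that matter are the `goto cleanup` that returns a negative `result` and the caller's `== 0` test. A function that answers a yes/no question should return exactly the two agreed values, and every error path should be forced to the "no" value before the return; the caller should compare against the one success value, not against "anything but failure".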
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFTFMueXlSAg2UNWIIRAndYAKCQBGa7HWhlDq2pgfTI5KiGzPgG/QCeKIqt
eHpldodPS3XtkYEo5r0Xg3c=
=l1d8
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Mon Mar 3 18:37:27 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 3 Mar 2014 18:37:27 +0000
Subject: [RHSA-2014:0247-01] Important: gnutls security update
Message-ID: <201403031837.s23IbRIo015068@int-mx11.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: gnutls security update
Advisory ID:       RHSA-2014:0247-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0247.html
Issue date:        2014-03-03
CVE Names:         CVE-2009-5138 CVE-2014-0092
=====================================================================

1. Summary:

Updated gnutls packages that fix two security issues are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64

3. Description:

The GnuTLS library provides support for cryptographic algorithms and for protocols such as Transport Layer Security (TLS).

It was discovered that GnuTLS did not correctly handle certain errors that could occur during the verification of an X.509 certificate, causing it to incorrectly report a successful verification. An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid for a site chosen by the attacker. (CVE-2014-0092)

A flaw was found in the way GnuTLS handled version 1 X.509 certificates. An attacker able to obtain a version 1 certificate from a trusted certificate authority could use this flaw to issue certificates for other sites that would be accepted by GnuTLS as valid. (CVE-2009-5138)

The CVE-2014-0092 issue was discovered by Nikos Mavrogiannopoulos of the Red Hat Security Technologies Team.

Users of GnuTLS are advised to upgrade to these updated packages, which correct these issues. For the update to take effect, all applications linked to the GnuTLS library must be restarted.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1069301 - CVE-2009-5138 gnutls: incorrect handling of V1 intermediate certificates
1069865 - CVE-2014-0092 gnutls: incorrect error handling in certificate verification (GNUTLS-SA-2014-2)

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/gnutls-1.4.1-14.el5_10.src.rpm

i386:
gnutls-1.4.1-14.el5_10.i386.rpm
gnutls-debuginfo-1.4.1-14.el5_10.i386.rpm
gnutls-utils-1.4.1-14.el5_10.i386.rpm

x86_64:
gnutls-1.4.1-14.el5_10.i386.rpm
gnutls-1.4.1-14.el5_10.x86_64.rpm
gnutls-debuginfo-1.4.1-14.el5_10.i386.rpm
gnutls-debuginfo-1.4.1-14.el5_10.x86_64.rpm
gnutls-utils-1.4.1-14.el5_10.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/gnutls-1.4.1-14.el5_10.src.rpm

i386:
gnutls-debuginfo-1.4.1-14.el5_10.i386.rpm
gnutls-devel-1.4.1-14.el5_10.i386.rpm

x86_64:
gnutls-debuginfo-1.4.1-14.el5_10.i386.rpm
gnutls-debuginfo-1.4.1-14.el5_10.x86_64.rpm
gnutls-devel-1.4.1-14.el5_10.i386.rpm
gnutls-devel-1.4.1-14.el5_10.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/gnutls-1.4.1-14.el5_10.src.rpm

i386:
gnutls-1.4.1-14.el5_10.i386.rpm
gnutls-debuginfo-1.4.1-14.el5_10.i386.rpm
gnutls-devel-1.4.1-14.el5_10.i386.rpm
gnutls-utils-1.4.1-14.el5_10.i386.rpm

ia64:
gnutls-1.4.1-14.el5_10.i386.rpm
gnutls-1.4.1-14.el5_10.ia64.rpm
gnutls-debuginfo-1.4.1-14.el5_10.i386.rpm
gnutls-debuginfo-1.4.1-14.el5_10.ia64.rpm
gnutls-devel-1.4.1-14.el5_10.ia64.rpm
gnutls-utils-1.4.1-14.el5_10.ia64.rpm

ppc:
gnutls-1.4.1-14.el5_10.ppc.rpm
gnutls-1.4.1-14.el5_10.ppc64.rpm
gnutls-debuginfo-1.4.1-14.el5_10.ppc.rpm
gnutls-debuginfo-1.4.1-14.el5_10.ppc64.rpm
gnutls-devel-1.4.1-14.el5_10.ppc.rpm
gnutls-devel-1.4.1-14.el5_10.ppc64.rpm
gnutls-utils-1.4.1-14.el5_10.ppc.rpm

s390x:
gnutls-1.4.1-14.el5_10.s390.rpm
gnutls-1.4.1-14.el5_10.s390x.rpm
gnutls-debuginfo-1.4.1-14.el5_10.s390.rpm
gnutls-debuginfo-1.4.1-14.el5_10.s390x.rpm
gnutls-devel-1.4.1-14.el5_10.s390.rpm
gnutls-devel-1.4.1-14.el5_10.s390x.rpm
gnutls-utils-1.4.1-14.el5_10.s390x.rpm

x86_64:
gnutls-1.4.1-14.el5_10.i386.rpm
gnutls-1.4.1-14.el5_10.x86_64.rpm
gnutls-debuginfo-1.4.1-14.el5_10.i386.rpm
gnutls-debuginfo-1.4.1-14.el5_10.x86_64.rpm
gnutls-devel-1.4.1-14.el5_10.i386.rpm
gnutls-devel-1.4.1-14.el5_10.x86_64.rpm
gnutls-utils-1.4.1-14.el5_10.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2009-5138.html
https://www.redhat.com/security/data/cve/CVE-2014-0092.html
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFTFMvRXlSAg2UNWIIRAs9KAJ0TSmb4X5KJ7TXB4yPSyktdORpryACgwJQR
SWz5YPkmJgI2a7QvRA9N3ws=
=X6gc
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Tue Mar 4 19:31:46 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 4 Mar 2014 19:31:46 +0000
Subject: [RHSA-2014:0229-01] Moderate: openstack-glance security and bug fix update
Message-ID: <201403041931.s24JVlr3003499@int-mx10.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: openstack-glance security and bug fix update
Advisory ID:       RHSA-2014:0229-01
Product:           Red Hat OpenStack
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0229.html
Issue date:        2014-03-04
CVE Names:         CVE-2014-1948
=====================================================================

1. Summary:

Updated openstack-glance packages that fix one security issue and multiple bugs are now available for Red Hat Enterprise Linux OpenStack Platform 4.0.

The Red Hat Security Response Team has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

OpenStack 4 - noarch

3. Description:

OpenStack Image service (glance) provides discovery, registration, and delivery services for disk and server images. It provides the ability to copy or snapshot a server image, and immediately store it away.
Stored images can be used as a template to get new servers up and running quickly and more consistently than installing a server operating system and individually configuring additional services.

An information leak flaw was found in the way glance stored certain logging information. An attacker with access to the glance log files could use this flaw to obtain authentication credentials to the OpenStack Object Storage (swift) back end. Note that only setups using the swift back end were affected. (CVE-2014-1948)

The openstack-glance packages have been upgraded to upstream version 2013.2.2, which provides a number of bug fixes over the previous version. (BZ#1065313)

All users of openstack-glance are advised to upgrade to these updated packages, which correct these issues. After installing the updated packages, the running OpenStack Image services must be manually restarted (using "service [service name] restart") for this update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1064589 - CVE-2014-1948 openstack-glance: Glance Swift store backend password leak
1065313 - Rebase openstack-glance to 2013.2.2

6. Package List:

OpenStack 4:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHOS/SRPMS/openstack-glance-2013.2.2-2.el6ost.src.rpm

noarch:
openstack-glance-2013.2.2-2.el6ost.noarch.rpm
openstack-glance-doc-2013.2.2-2.el6ost.noarch.rpm
python-glance-2013.2.2-2.el6ost.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2014-1948.html
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFTFil+XlSAg2UNWIIRAjeWAJ9ZNxtWp9JNVMjIL2rEDIQWFf76uwCfd92v
OSzLUzPlx+4AGf6qCJyvgFw=
=XktN
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Tue Mar 4 19:32:22 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 4 Mar 2014 19:32:22 +0000
Subject: [RHSA-2014:0230-01] Moderate: mongodb security update
Message-ID: <201403041932.s24JWNSl009613@int-mx12.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: mongodb security update
Advisory ID:       RHSA-2014:0230-01
Product:           Red Hat OpenStack
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0230.html
Issue date:        2014-03-04
CVE Names:         CVE-2012-6619
=====================================================================

1. Summary:

Updated mongodb packages that fix one security issue are now available for Red Hat Enterprise Linux OpenStack Platform 4.0.

The Red Hat Security Response Team has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

OpenStack 4 - x86_64

3. Description:

MongoDB is a NoSQL database.

A buffer over-read flaw was found in the way MongoDB handled BSON data. A database user permitted to insert BSON data into a MongoDB server could use this flaw to read server memory, potentially disclosing sensitive data. (CVE-2012-6619)

All mongodb users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1049748 - CVE-2012-6619 mongodb: memory over-read via incorrect BSON object length

6. Package List:

OpenStack 4:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHOS/SRPMS/mongodb-2.2.4-4.el6ost.src.rpm

x86_64:
libmongodb-2.2.4-4.el6ost.x86_64.rpm
mongodb-2.2.4-4.el6ost.x86_64.rpm
mongodb-debuginfo-2.2.4-4.el6ost.x86_64.rpm
mongodb-server-2.2.4-4.el6ost.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2012-6619.html
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
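The bug title for CVE-2012-6619, "memory over-read via incorrect BSON object length", names the root cause: BSON carries a length prefix on the document, on every string and on every embedded document, and a reader that walks by those declared lengths without checking them against the bytes it actually received reads past the end of the message. The walker below is an added example written for this page, not MongoDB code; it validates every length prefix against the enclosing container before moving the cursor. The three sample documents are constructed by hand, and the walker deliberately covers only a subset of BSON element types (double, string, embedded document, array, bool, null, int32, int64), rejecting everything else.

```c
/* Added example, not MongoDB's code: a bounds-checking BSON walker of the
 * kind CVE-2012-6619 called for. Every declared length is checked against
 * the bytes actually present before anything is read through it. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum {
    BSON_OK      = 0,
    BSON_E_TRUNC = -1,   /* fewer bytes present than a field needs */
    BSON_E_LEN   = -2,   /* a declared length does not fit its container */
    BSON_E_TYPE  = -3,   /* element type this walker does not handle */
    BSON_E_TERM  = -4,   /* missing or misplaced terminating NUL */
    BSON_E_DEPTH = -5    /* nesting too deep */
};

/* Little-endian int32 from four bytes the caller has already bounds-checked. */
static int32_t rd_i32(const uint8_t *p)
{
    return (int32_t)((uint32_t)p[0] | (uint32_t)p[1] << 8 |
                     (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24);
}

static int validate_doc(const uint8_t *buf, size_t buflen, size_t *consumed, int depth)
{
    if (depth > 32) return BSON_E_DEPTH;
    if (buflen < 5) return BSON_E_TRUNC;
    int32_t total = rd_i32(buf);
    /* The header is attacker-controlled: a reader that trusts it copies
     * `total` bytes, however few the message really holds. */
    if (total < 5 || (size_t)total > buflen) return BSON_E_LEN;
    size_t end = (size_t)total, pos = 4;

    while (pos < end - 1) {
        uint8_t type = buf[pos++];
        const uint8_t *nul = memchr(buf + pos, 0, end - pos);   /* element name */
        if (!nul) return BSON_E_TRUNC;
        pos = (size_t)(nul - buf) + 1;

        size_t need, sub;
        int32_t n;
        switch (type) {
        case 0x01: case 0x12: need = 8; break;            /* double, int64 */
        case 0x10:            need = 4; break;            /* int32 */
        case 0x08:            need = 1; break;            /* bool */
        case 0x0A:            need = 0; break;            /* null */
        case 0x02:                                        /* string: int32 len, bytes, NUL */
            if (end - pos < 4) return BSON_E_TRUNC;
            n = rd_i32(buf + pos);
            /* this is the check whose absence lets the string length
             * run past the buffer */
            if (n < 1 || (size_t)n > end - pos - 4) return BSON_E_LEN;
            if (buf[pos + 4 + (size_t)n - 1] != 0) return BSON_E_TERM;
            need = 4 + (size_t)n;
            break;
        case 0x03: case 0x04: {                           /* embedded document / array */
            int rc = validate_doc(buf + pos, end - pos, &sub, depth + 1);
            if (rc != BSON_OK) return rc;
            need = sub;
            break;
        }
        default: return BSON_E_TYPE;
        }
        if (need > end - pos) return BSON_E_TRUNC;
        pos += need;
    }
    if (pos != end - 1 || buf[end - 1] != 0) return BSON_E_TERM;
    *consumed = end;
    return BSON_OK;
}

/* Entry point: BSON_OK with *consumed = document size, or an error code. */
int bson_validate(const uint8_t *buf, size_t buflen, size_t *consumed)
{
    return validate_doc(buf, buflen, consumed, 0);
}

/* Constructed samples. {"a": "hi"}: */
const uint8_t BSON_GOOD[] = { 0x0F,0,0,0, 0x02,'a',0, 0x03,0,0,0,'h','i',0, 0 };
/* Same bytes, but the string claims 0x7FFFFFFF bytes: a trusting reader
 * would copy about 2 GiB starting inside a 15-byte message. */
const uint8_t BSON_HUGE_STRING[] = { 0x0F,0,0,0, 0x02,'a',0, 0xFF,0xFF,0xFF,0x7F,'h','i',0, 0 };
/* {"d": {...}} whose inner document declares 64 bytes but only 5 are present. */
const uint8_t BSON_INNER_OVERFLOW[] = { 0x0D,0,0,0, 0x03,'d',0, 0x40,0,0,0,0, 0 };

int main(void)
{
    size_t n = 0;
    printf("good:           %d (%zu bytes)\n", bson_validate(BSON_GOOD, sizeof BSON_GOOD, &n), n);
    printf("huge string:    %d\n", bson_validate(BSON_HUGE_STRING, sizeof BSON_HUGE_STRING, &n));
    printf("inner overflow: %d\n", bson_validate(BSON_INNER_OVERFLOW, sizeof BSON_INNER_OVERFLOW, &n));
    return 0;
}
```

Run the validator on the raw wire bytes before any code that dereferences through a declared length; rejecting with an error code is cheap, and the nested case shows why the check has to be applied at every level, not just on the outer document header.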
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFTFiovXlSAg2UNWIIRAjBwAJ49nvcbEOYz1NFS55RBWDjxbe3yRACghUDe
baZT/rkT6U/jDrvPWFBFD8E=
=XnGM
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Tue Mar 4 19:33:05 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 4 Mar 2014 19:33:05 +0000
Subject: [RHSA-2014:0231-01] Moderate: openstack-nova security and bug fix update
Message-ID: <201403041933.s24JX5tj032313@int-mx02.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: openstack-nova security and bug fix update
Advisory ID:       RHSA-2014:0231-01
Product:           Red Hat OpenStack
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0231.html
Issue date:        2014-03-04
CVE Names:         CVE-2013-6419 CVE-2013-6437 CVE-2013-7048 CVE-2013-7130
=====================================================================

1. Summary:

Updated openstack-nova packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux OpenStack Platform 4.0.

The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

OpenStack 4 - noarch

3. Description:

OpenStack Compute (nova) launches and schedules large networks of virtual machines, creating a redundant and scalable cloud computing platform. Compute provides the software, control panels, and APIs required to orchestrate a cloud, including running virtual machine instances, managing networks, and controlling access through users and projects.

It was discovered that the metadata agent in OpenStack Networking was missing an authorization check on the device ID that is bound to a specific port. A remote tenant could guess the instance ID bound to a port and retrieve metadata of another tenant, resulting in information disclosure. Note that only OpenStack Networking setups running neutron-metadata-agent were affected. (CVE-2013-6419)

It was found that nova used directories that were writable by all local users to temporarily store live snapshots. A local attacker with access to such a directory could use this flaw to read and modify the contents of live snapshots. (CVE-2013-7048)

A flaw was found in the way the libvirt driver handled short-lived disk back-up files on Compute nodes. An authenticated attacker could use this flaw to create a large number of such files, exhausting all available space on Compute node disks, and potentially causing a denial of service. Note that only Compute setups using the libvirt driver were affected. (CVE-2013-6437)

It was discovered that the libvirt driver did not properly handle live migration of virtual machines. An authenticated attacker could use this flaw to gain access to a snapshot of a migrated virtual machine. Note that only setups using KVM live block migration were affected. (CVE-2013-7130)

Red Hat would like to thank the OpenStack Project for reporting CVE-2013-6419, CVE-2013-6437, and CVE-2013-7130. Upstream acknowledges Aaron Rosen of VMware as the original reporter of CVE-2013-6419, Phil Day from HP as the original reporter of CVE-2013-6437, and Loganathan Parthipan as the original reporter of CVE-2013-7130.

These updated openstack-nova packages have been upgraded to upstream version 2013.2.2, which provides a number of bug fixes over the previous version. (BZ#1065317)

Bug fixes:

* The GlusterFS volume connector in nova did not pass a port to libvirt for the GlusterFS disk specification. Attaching a volume failed with a libvirt error indicating the port field was missing. This update fixes this bug by providing the default Gluster port in nova. (BZ#1020979)

* The database back end did not handle the 2013 MySQL error code (Lost connection). The 2013 MySQL error code has been added to the collection of known database error codes. (BZ#1060771)

* OpenStack Compute set the smbios product/vendor information to OpenStack values, which Red Hat Satellite 5 did not recognize when processing entitlements. (BZ#1059414)

* Prior to this update, nova-api did not pass the absolute path of the configuration file to the api-paste library if a file with the same name was found in the current directory. (BZ#1039554)

* The definition of the libvirt_info method in the RBD back-end class was missing a positional argument that the base class defined. (BZ#1063445)

* Rebooting a host caused all of its instances to stop and change to the SHUTDOWN power state. The unpause action was only allowed on instances with the PAUSED power state. (BZ#1047863)

* The previous default of writing zeros over deleted volumes took a significant amount of time. It is now possible to set a global configuration setting to clear only a part of a volume, or to disable clearing completely. Additionally, a new 'shred' capability is available to overwrite volumes with random data instead of zeros. (BZ#1062377)

* In OpenStack Compute, low-level QPID debug log messages are no longer shown by default. These previously appeared due to the 'level=debug' parameter set in the nova.conf file. (BZ#1047849)

All openstack-nova users are advised to upgrade to these updated packages, which correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1020979 - After configuring cinder for libgfapi, volumes create but do not attach
1039148 - CVE-2013-6419 OpenStack Neutron and Nova: Metadata queries from Neutron to Nova are not restricted by tenant
1039554 - Cannot resolve relative uri 'config:api-paste.ini'; no relative_to keyword argument given
1040786 - CVE-2013-7048 Openstack Nova: insecure directory permissions in snapshots
1043106 - CVE-2013-6437 openstack-nova: DoS through ephemeral disk backing files
1047849 - openstack-nova: remove qpid logs from the compute logs
1047863 - Openstack-Nova: Unpause instance after host reboot fails
1055400 - CVE-2013-7130 OpenStack nova: Live migration can leak root disk into ephemeral storage
1060771 - nova does not read sql db config option
1062377 - RFE: configurable volume clearing options for nova
1065317 - Rebase openstack-nova to 2013.2.2

6. Package List:

OpenStack 4:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHOS/SRPMS/openstack-nova-2013.2.2-2.el6ost.src.rpm

noarch:
openstack-nova-2013.2.2-2.el6ost.noarch.rpm
openstack-nova-api-2013.2.2-2.el6ost.noarch.rpm
openstack-nova-cells-2013.2.2-2.el6ost.noarch.rpm
openstack-nova-cert-2013.2.2-2.el6ost.noarch.rpm
openstack-nova-common-2013.2.2-2.el6ost.noarch.rpm
openstack-nova-compute-2013.2.2-2.el6ost.noarch.rpm
openstack-nova-conductor-2013.2.2-2.el6ost.noarch.rpm
openstack-nova-console-2013.2.2-2.el6ost.noarch.rpm
openstack-nova-doc-2013.2.2-2.el6ost.noarch.rpm
openstack-nova-network-2013.2.2-2.el6ost.noarch.rpm
openstack-nova-novncproxy-2013.2.2-2.el6ost.noarch.rpm
openstack-nova-objectstore-2013.2.2-2.el6ost.noarch.rpm
openstack-nova-scheduler-2013.2.2-2.el6ost.noarch.rpm
python-nova-2013.2.2-2.el6ost.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-6419.html
https://www.redhat.com/security/data/cve/CVE-2013-6437.html
https://www.redhat.com/security/data/cve/CVE-2013-7048.html
https://www.redhat.com/security/data/cve/CVE-2013-7130.html
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFTFipQXlSAg2UNWIIRAonKAJ0djmrWRf9XVDl3qjC7O97pN4jhegCffe/K
n63zByWw8lM1nKRALsUhw+s=
=qAK0
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Tue Mar 4 19:33:40 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 4 Mar 2014 19:33:40 +0000
Subject: [RHSA-2014:0232-01] Moderate: openstack-swift security update
Message-ID: <201403041933.s24JXfd9009502@int-mx11.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: openstack-swift security update
Advisory ID:       RHSA-2014:0232-01
Product:           Red Hat OpenStack
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0232.html
Issue date:        2014-03-04
CVE Names:         CVE-2014-0006
=====================================================================

1. Summary:

Updated openstack-swift packages that fix one security issue are now available for Red Hat Enterprise Linux OpenStack Platform 4.0.

The Red Hat Security Response Team has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

OpenStack 4 - noarch

3. Description:

OpenStack Object Storage (swift) provides object storage in virtual containers, which allows users to store and retrieve files (arbitrary data).
The service's distributed architecture supports horizontal scaling; redundancy as failure-proofing is provided through software-based data replication. Because Object Storage supports asynchronous eventual consistency replication, it is well suited to multiple data-center deployment. A timing attack flaw was found in the way the swift TempURL middleware responded to arbitrary TempURL requests. An attacker with knowledge of an object's name could use this flaw to obtain a secret URL to this object, which was intended to be publicly shared only with specific recipients, if the object had the TempURL key set. Note that only setups using the TempURL middleware were affected. (CVE-2014-0006) Red Hat would like to thank the Openstack Project for reporting this issue. Upstream acknowledges Samuel Merritt of SwiftStack as the original reporter. All users of openstack-swift are advised to upgrade to these updated packages, which correct this issue. After installing this update, the OpenStack Object Storage services will be restarted automatically. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1051670 - CVE-2014-0006 Openstack Swift: TempURL timing attack 6. Package List: OpenStack 4: Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHOS/SRPMS/openstack-swift-1.10.0-3.el6ost.src.rpm noarch: openstack-swift-1.10.0-3.el6ost.noarch.rpm openstack-swift-account-1.10.0-3.el6ost.noarch.rpm openstack-swift-container-1.10.0-3.el6ost.noarch.rpm openstack-swift-doc-1.10.0-3.el6ost.noarch.rpm openstack-swift-object-1.10.0-3.el6ost.noarch.rpm openstack-swift-proxy-1.10.0-3.el6ost.noarch.rpm These packages are GPG signed by Red Hat for security. 
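The TempURL flaw described in this advisory (CVE-2014-0006) is a MAC-comparison timing leak: the middleware compared the presented temp_url_sig against the HMAC it recomputed using ordinary string comparison, which returns at the first differing byte, so response time tells an attacker how many leading hex digits of a guess are right. The Python below is an added example, not code from the openstack-swift package. It signs a request the way TempURL does (HMAC-SHA1 over "METHOD\nEXPIRES\nPATH", hex-encoded, keyed by the account's Temp-URL-Key), models the leak with an instrumented comparison that counts positions examined in place of wall-clock time, recovers a signature one hex digit at a time from that oracle, and shows the same recovery failing once the comparison is constant-time (hmac.compare_digest, the standard-library equivalent of the constant-time string comparison the fix relies on). The key, path and expiry are constructed.

```python
"""TempURL signature verification: a leaky comparison and the constant-time fix.

Added example, not code from openstack-swift. The signing scheme is the one
TempURL uses (HMAC-SHA1 over "METHOD\\nEXPIRES\\nPATH", hex-encoded, keyed by
the account's Temp-URL-Key); key, path and expiry here are constructed.
"""
import hashlib
import hmac
import time

HEX = "0123456789abcdef"


def tempurl_signature(key, method, expires, path):
    """temp_url_sig as the client computes it and the server recomputes it."""
    msg = "{}\n{}\n{}".format(method, expires, path).encode()
    return hmac.new(key, msg, hashlib.sha1).hexdigest()


def leaky_equals(expected, presented):
    """Left-to-right comparison that returns at the first mismatch, which is
    what a plain `!=` on two strings does. Returns (equal, positions_examined);
    the count stands in for the response time an attacker would measure."""
    if len(expected) != len(presented):
        return False, 0
    examined = 0
    for a, b in zip(expected, presented):
        examined += 1
        if a != b:
            return False, examined
    return True, examined


def constant_time_equals(expected, presented):
    """Same interface, but the work done is independent of where the strings
    differ: hmac.compare_digest always examines every byte. Leaking the
    length is fine here, a TempURL signature is always 40 hex characters."""
    if len(expected) != len(presented):
        return False, 0
    return hmac.compare_digest(expected.encode(), presented.encode()), len(expected)


def recover_signature(oracle, length=40):
    """Recover a signature one hex digit at a time from an oracle returning
    (accepted, positions_examined). Against leaky_equals, the correct digit
    at position i is the only guess whose comparison gets past position i;
    against constant_time_equals every wrong guess scores the same."""
    known = ""
    for pos in range(length):
        best_digit, best_score = HEX[0], -1
        for d in HEX:
            guess = known + d + "0" * (length - pos - 1)
            accepted, examined = oracle(guess)
            score = examined + (1 if accepted else 0)
            if score > best_score:
                best_digit, best_score = d, score
        known += best_digit
    return known


def check_tempurl(key, method, path, sig, expires, now=None, equals=constant_time_equals):
    """Server-side check: refuse expired URLs, then compare the recomputed
    HMAC with the presented one using `equals`."""
    now = int(time.time()) if now is None else now
    if expires <= now:
        return False
    return equals(tempurl_signature(key, method, expires, path), sig)[0]


if __name__ == "__main__":
    key, exp, path = b"constructed-temp-url-key", 1700000000, "/v1/AUTH_demo/c/o"
    sig = tempurl_signature(key, "GET", exp, path)
    leaky = recover_signature(lambda g: leaky_equals(sig, g))
    safe = recover_signature(lambda g: constant_time_equals(sig, g))
    print("leaky oracle recovered the signature:", leaky == sig)
    print("constant-time oracle recovered the signature:", safe == sig)
```

In a real attack the oracle is network round-trip time, so each digit takes many repeated measurements and some statistics rather than one query; the counting oracle removes that noise so the mechanism is visible. The defence is the same either way: the comparison's running time must not depend on where the two strings first differ.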
Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2014-0006.html
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFTFip6XlSAg2UNWIIRAo6pAJwPy3nfKn4SPNO5u+8rNpRbtBnrXwCfZZsF
qHpypUHyvx3KkcU7IVIBPI4=
=EwJL
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Tue Mar 4 19:34:24 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 4 Mar 2014 19:34:24 +0000
Subject: [RHSA-2014:0233-01] Important: openstack-packstack security and bug fix update
Message-ID: <201403041934.s24JYPUk009700@int-mx11.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: openstack-packstack security and bug fix update
Advisory ID:       RHSA-2014:0233-01
Product:           Red Hat OpenStack
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0233.html
Issue date:        2014-03-04
CVE Names:         CVE-2014-0071
=====================================================================

1. Summary:

Updated openstack-packstack packages that fix one security issue and multiple bugs are now available for Red Hat Enterprise Linux OpenStack Platform 4.0.

The Red Hat Security Response Team has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

OpenStack 4 - noarch

3. Description:

PackStack is a command-line utility that uses Puppet modules to support rapid deployment of OpenStack on existing servers over an SSH connection. PackStack is suitable for deploying both single node proof-of-concept installations and more complex multi-node installations.

It was found that PackStack did not correctly install the rules defined in the default security groups when deployed on OpenStack Networking (neutron), allowing network connections to be made to systems that should not have been accessible. (CVE-2014-0071)

This update also fixes the following bugs:

* Previously, swift's object versioning was disabled by default. With this update, this feature is now enabled in the default configuration file ('allow_versions "true"' in /etc/swift/container-server.conf). (BZ#967308)

* Previously, it was not possible to run neutron with Open vSwitch using Virtual Extensible LAN (VXLAN). This update adds support for VXLAN in neutron. (BZ#1021778)

* PackStack failed to complete the deployment of OpenStack due to the MongoDB service (mongod) being terminated by systemd. This was because mongod, when first started, exceeded the timeout value set by systemd. With this update, mongod uses small files when it is initially started, and no longer exceeds systemd's timeout value. (BZ#1036207)

* Previously, services for OpenStack Compute and other OpenStack components ran in debug mode by default. With this update, the CONFIG_DEBUG_MODE configuration parameter has been added. When this parameter is set to 'y', all OpenStack services will run in debug mode. By default, debug mode is disabled. (BZ#1048041)

Note: Currently, PackStack does not support deployment of the ML2 Neutron plug-in. The ML2 plug-in can be used in manual configurations, or by deploying initially with the Open vSwitch plug-in using PackStack and converting the installation to use ML2. This method is described at http://openstack.redhat.com/Modular_Layer_2_%28ML2%29_Plugin. The progress on fixing this bug can be followed in Red Hat Bugzilla bug 1017144.

All openstack-packstack users are advised to upgrade to these updated packages, which correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

967308 - allow swift object versioning by default
1021778 - Packstack should support VXLAN
1029671 - Keystone SQL Backend does not remove expired tokens
1034538 - Packstack puppet module firewall for Quickstack: newer version needed to support resilient iptables rules
1036207 - packstack requires 2 runs to install ceilometer
1042529 - Change qpid puppet module default for max_connections to be UINT16_MAX
1048041 - openstack-packstack install defaults to debug=true in nova
1048705 - packstack fails when qpid ssl enabled
1054498 - Horizon SSL is disabled by Nagios configuration via packstack
1064163 - CVE-2014-0071 OpenStack PackStack: Neutron Security Groups fail to block network traffic
1069215 - Packstack failed to configure Neutron to work with OVS and GRE

6. Package List:

OpenStack 4:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHOS/SRPMS/openstack-packstack-2013.2.1-0.25.dev987.el6ost.src.rpm

noarch:
openstack-packstack-2013.2.1-0.25.dev987.el6ost.noarch.rpm
packstack-modules-puppet-2013.2.1-0.25.dev987.el6ost.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2014-0071.html
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFTFiqfXlSAg2UNWIIRAuFNAJ9HB0xj64h4YV34bi+ZG4PSuomFKACgj6+r
gREcy3YDyn24JfOxuMzzXpQ=
=QDun
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Tue Mar 4 19:50:55 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 4 Mar 2014 19:50:55 +0000
Subject: [RHSA-2014:0249-01] Important: postgresql security update
Message-ID: <201403041950.s24JotpO012292@int-mx01.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: postgresql security update
Advisory ID:       RHSA-2014:0249-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0249.html
Issue date:        2014-03-04
CVE Names:         CVE-2014-0060 CVE-2014-0061 CVE-2014-0062 CVE-2014-0063 CVE-2014-0064 CVE-2014-0065 CVE-2014-0066
=====================================================================

1. Summary:

Updated postgresql packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64

3. Description:

PostgreSQL is an advanced object-relational database management system (DBMS).

Multiple stack-based buffer overflow flaws were found in the date/time implementation of PostgreSQL.
An authenticated database user could provide a specially crafted date/time value that, when processed, could cause PostgreSQL to crash or, potentially, execute arbitrary code with the permissions of the user running PostgreSQL. (CVE-2014-0063)

Multiple integer overflow flaws, leading to heap-based buffer overflows, were found in various type input functions in PostgreSQL. An authenticated database user could possibly use these flaws to crash PostgreSQL or, potentially, execute arbitrary code with the permissions of the user running PostgreSQL. (CVE-2014-0064)

Multiple potential buffer overflow flaws were found in PostgreSQL. An authenticated database user could possibly use these flaws to crash PostgreSQL or, potentially, execute arbitrary code with the permissions of the user running PostgreSQL. (CVE-2014-0065)

It was found that granting an SQL role to a database user in a PostgreSQL database without specifying the "ADMIN" option allowed the grantee to remove other users from their granted role. An authenticated database user could use this flaw to remove a user from an SQL role which they were granted access to. (CVE-2014-0060)

A flaw was found in the validator functions provided by PostgreSQL's procedural languages (PLs). An authenticated database user could possibly use this flaw to escalate their privileges. (CVE-2014-0061)

A race condition was found in the way the CREATE INDEX command performed multiple independent lookups of a table that had to be indexed. An authenticated database user could possibly use this flaw to escalate their privileges. (CVE-2014-0062)

It was found that the chkpass extension of PostgreSQL did not check the return value of the crypt() function. An authenticated database user could possibly use this flaw to crash PostgreSQL via a null pointer dereference. (CVE-2014-0066)

Red Hat would like to thank the PostgreSQL project for reporting these issues. Upstream acknowledges Noah Misch as the original reporter of CVE-2014-0060 and CVE-2014-0063, Heikki Linnakangas and Noah Misch as the original reporters of CVE-2014-0064, Peter Eisentraut and Jozef Mlich as the original reporters of CVE-2014-0065, Andres Freund as the original reporter of CVE-2014-0061, Robert Haas and Andres Freund as the original reporters of CVE-2014-0062, and Honza Horak and Bruce Momjian as the original reporters of CVE-2014-0066.

All PostgreSQL users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. If the postgresql service is running, it will be automatically restarted after installing this update.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1065219 - CVE-2014-0060 postgresql: SET ROLE without ADMIN OPTION allows adding and removing group members
1065220 - CVE-2014-0061 postgresql: privilege escalation via procedural language validator functions
1065222 - CVE-2014-0062 postgresql: CREATE INDEX race condition possibly leading to privilege escalation
1065226 - CVE-2014-0063 postgresql: stack-based buffer overflow in datetime input/output
1065230 - CVE-2014-0064 postgresql: integer overflows leading to buffer overflows
1065235 - CVE-2014-0065 postgresql: possible buffer overflow flaws
1065236 - CVE-2014-0066 postgresql: NULL pointer dereference

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/postgresql-8.1.23-10.el5_10.src.rpm

i386:
postgresql-8.1.23-10.el5_10.i386.rpm
postgresql-contrib-8.1.23-10.el5_10.i386.rpm
postgresql-debuginfo-8.1.23-10.el5_10.i386.rpm
postgresql-docs-8.1.23-10.el5_10.i386.rpm
postgresql-libs-8.1.23-10.el5_10.i386.rpm
postgresql-python-8.1.23-10.el5_10.i386.rpm
postgresql-tcl-8.1.23-10.el5_10.i386.rpm

x86_64:
postgresql-8.1.23-10.el5_10.x86_64.rpm
postgresql-contrib-8.1.23-10.el5_10.x86_64.rpm
postgresql-debuginfo-8.1.23-10.el5_10.i386.rpm
postgresql-debuginfo-8.1.23-10.el5_10.x86_64.rpm
postgresql-docs-8.1.23-10.el5_10.x86_64.rpm
postgresql-libs-8.1.23-10.el5_10.i386.rpm
postgresql-libs-8.1.23-10.el5_10.x86_64.rpm
postgresql-python-8.1.23-10.el5_10.x86_64.rpm
postgresql-tcl-8.1.23-10.el5_10.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/postgresql-8.1.23-10.el5_10.src.rpm

i386:
postgresql-debuginfo-8.1.23-10.el5_10.i386.rpm
postgresql-devel-8.1.23-10.el5_10.i386.rpm
postgresql-pl-8.1.23-10.el5_10.i386.rpm
postgresql-server-8.1.23-10.el5_10.i386.rpm
postgresql-test-8.1.23-10.el5_10.i386.rpm

x86_64:
postgresql-debuginfo-8.1.23-10.el5_10.i386.rpm
postgresql-debuginfo-8.1.23-10.el5_10.x86_64.rpm
postgresql-devel-8.1.23-10.el5_10.i386.rpm
postgresql-devel-8.1.23-10.el5_10.x86_64.rpm
postgresql-pl-8.1.23-10.el5_10.x86_64.rpm
postgresql-server-8.1.23-10.el5_10.x86_64.rpm
postgresql-test-8.1.23-10.el5_10.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/postgresql-8.1.23-10.el5_10.src.rpm

i386:
postgresql-8.1.23-10.el5_10.i386.rpm
postgresql-contrib-8.1.23-10.el5_10.i386.rpm
postgresql-debuginfo-8.1.23-10.el5_10.i386.rpm
postgresql-devel-8.1.23-10.el5_10.i386.rpm
postgresql-docs-8.1.23-10.el5_10.i386.rpm
postgresql-libs-8.1.23-10.el5_10.i386.rpm
postgresql-pl-8.1.23-10.el5_10.i386.rpm
postgresql-python-8.1.23-10.el5_10.i386.rpm
postgresql-server-8.1.23-10.el5_10.i386.rpm
postgresql-tcl-8.1.23-10.el5_10.i386.rpm
postgresql-test-8.1.23-10.el5_10.i386.rpm

ia64:
postgresql-8.1.23-10.el5_10.ia64.rpm
postgresql-contrib-8.1.23-10.el5_10.ia64.rpm
postgresql-debuginfo-8.1.23-10.el5_10.i386.rpm
postgresql-debuginfo-8.1.23-10.el5_10.ia64.rpm
postgresql-devel-8.1.23-10.el5_10.ia64.rpm
postgresql-docs-8.1.23-10.el5_10.ia64.rpm
postgresql-libs-8.1.23-10.el5_10.i386.rpm
postgresql-libs-8.1.23-10.el5_10.ia64.rpm
postgresql-pl-8.1.23-10.el5_10.ia64.rpm
postgresql-python-8.1.23-10.el5_10.ia64.rpm
postgresql-server-8.1.23-10.el5_10.ia64.rpm
postgresql-tcl-8.1.23-10.el5_10.ia64.rpm
postgresql-test-8.1.23-10.el5_10.ia64.rpm

ppc:
postgresql-8.1.23-10.el5_10.ppc.rpm
postgresql-8.1.23-10.el5_10.ppc64.rpm
postgresql-contrib-8.1.23-10.el5_10.ppc.rpm
postgresql-debuginfo-8.1.23-10.el5_10.ppc.rpm
postgresql-debuginfo-8.1.23-10.el5_10.ppc64.rpm
postgresql-devel-8.1.23-10.el5_10.ppc.rpm
postgresql-devel-8.1.23-10.el5_10.ppc64.rpm
postgresql-docs-8.1.23-10.el5_10.ppc.rpm
postgresql-libs-8.1.23-10.el5_10.ppc.rpm
postgresql-libs-8.1.23-10.el5_10.ppc64.rpm
postgresql-pl-8.1.23-10.el5_10.ppc.rpm
postgresql-python-8.1.23-10.el5_10.ppc.rpm
postgresql-server-8.1.23-10.el5_10.ppc.rpm
postgresql-tcl-8.1.23-10.el5_10.ppc.rpm
postgresql-test-8.1.23-10.el5_10.ppc.rpm

s390x:
postgresql-8.1.23-10.el5_10.s390x.rpm
postgresql-contrib-8.1.23-10.el5_10.s390x.rpm
postgresql-debuginfo-8.1.23-10.el5_10.s390.rpm
postgresql-debuginfo-8.1.23-10.el5_10.s390x.rpm
postgresql-devel-8.1.23-10.el5_10.s390.rpm
postgresql-devel-8.1.23-10.el5_10.s390x.rpm
postgresql-docs-8.1.23-10.el5_10.s390x.rpm
postgresql-libs-8.1.23-10.el5_10.s390.rpm
postgresql-libs-8.1.23-10.el5_10.s390x.rpm
postgresql-pl-8.1.23-10.el5_10.s390x.rpm
postgresql-python-8.1.23-10.el5_10.s390x.rpm
postgresql-server-8.1.23-10.el5_10.s390x.rpm
postgresql-tcl-8.1.23-10.el5_10.s390x.rpm
postgresql-test-8.1.23-10.el5_10.s390x.rpm

x86_64:
postgresql-8.1.23-10.el5_10.x86_64.rpm
postgresql-contrib-8.1.23-10.el5_10.x86_64.rpm
postgresql-debuginfo-8.1.23-10.el5_10.i386.rpm
postgresql-debuginfo-8.1.23-10.el5_10.x86_64.rpm
postgresql-devel-8.1.23-10.el5_10.i386.rpm
postgresql-devel-8.1.23-10.el5_10.x86_64.rpm
postgresql-docs-8.1.23-10.el5_10.x86_64.rpm
postgresql-libs-8.1.23-10.el5_10.i386.rpm
postgresql-libs-8.1.23-10.el5_10.x86_64.rpm
postgresql-pl-8.1.23-10.el5_10.x86_64.rpm
postgresql-python-8.1.23-10.el5_10.x86_64.rpm
postgresql-server-8.1.23-10.el5_10.x86_64.rpm
postgresql-tcl-8.1.23-10.el5_10.x86_64.rpm
postgresql-test-8.1.23-10.el5_10.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2014-0060.html
https://www.redhat.com/security/data/cve/CVE-2014-0061.html
https://www.redhat.com/security/data/cve/CVE-2014-0062.html
https://www.redhat.com/security/data/cve/CVE-2014-0063.html
https://www.redhat.com/security/data/cve/CVE-2014-0064.html
https://www.redhat.com/security/data/cve/CVE-2014-0065.html
https://www.redhat.com/security/data/cve/CVE-2014-0066.html
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFTFi5uXlSAg2UNWIIRAuD1AJwMViIK6H5OrweWJ6ZPWRhawPqipACfVj+T
aBJpy02d9zNDSx7vwqd5YU8=
=VtM0
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Mar 5 19:40:13 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 5 Mar 2014 19:40:13 +0000
Subject: [RHSA-2014:0254-01] Important: activemq security update
Message-ID: <201403051940.s25JeDLE003251@int-mx12.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: activemq security update
Advisory ID:       RHSA-2014:0254-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0254.html
Issue date:        2014-03-05
CVE Names:         CVE-2013-2035 CVE-2013-4152 CVE-2013-4330 CVE-2014-0003
=====================================================================

1. Summary:

An updated activemq package that fixes multiple security issues is now available for Red Hat OpenShift Enterprise 1.2.7.

The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

RHOSE Infrastructure 1.2 - x86_64
Red Hat OpenShift Enterprise Node - x86_64

3. Description:

Apache ActiveMQ provides a SOA infrastructure to connect processes across heterogeneous systems.

A flaw was found in Apache Camel's parsing of the FILE_NAME header. A remote attacker able to submit messages to a Camel route, which would write the provided message to a file, could provide expression language (EL) expressions in the FILE_NAME header, which would be evaluated on the server. This could lead to arbitrary remote code execution in the context of the Camel server process. (CVE-2013-4330)

It was found that the Apache Camel XSLT component allowed XSL stylesheets to call external Java methods. A remote attacker able to submit messages to a Camel route could use this flaw to perform arbitrary remote code execution in the context of the Camel server process. (CVE-2014-0003)

It was discovered that the Spring OXM wrapper did not expose any property for disabling entity resolution when using the JAXB unmarshaller. A remote attacker could use this flaw to conduct XML External Entity (XXE) attacks on web sites, and read files in the context of the user running the application server. The patch for this flaw disables external entity processing by default, and provides a configuration directive to re-enable it. (CVE-2013-4152)

The HawtJNI Library class wrote native libraries to a predictable file name in /tmp/ when the native libraries were bundled in a JAR file, and no custom library path was specified. A local attacker could overwrite these native libraries with malicious versions during the window between when HawtJNI writes them and when they are executed. (CVE-2013-2035)

The CVE-2013-2035 issue was discovered by Florian Weimer of the Red Hat Product Security Team, and the CVE-2014-0003 issue was discovered by David Jorm of the Red Hat Security Response Team.

All users of Red Hat OpenShift Enterprise 1.2.7 are advised to upgrade to this updated package, which corrects these issues.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

958618 - CVE-2013-2035 HawtJNI: predictable temporary file name leading to local arbitrary code execution
1000186 - CVE-2013-4152 Spring Framework: XML External Entity (XXE) injection flaw
1011726 - CVE-2013-4330 Camel: remote code execution via header field manipulation
1049692 - CVE-2014-0003 Camel: remote code execution via XSL

6. Package List:

RHOSE Infrastructure 1.2:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHOSE/SRPMS/activemq-5.9.0-4.redhat.610328.el6op.src.rpm

x86_64:
activemq-5.9.0-4.redhat.610328.el6op.x86_64.rpm
activemq-client-5.9.0-4.redhat.610328.el6op.x86_64.rpm

Red Hat OpenShift Enterprise Node:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHOSE/SRPMS/activemq-5.9.0-4.redhat.610328.el6op.src.rpm

x86_64:
activemq-client-5.9.0-4.redhat.610328.el6op.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-2035.html
https://www.redhat.com/security/data/cve/CVE-2013-4152.html
https://www.redhat.com/security/data/cve/CVE-2013-4330.html
https://www.redhat.com/security/data/cve/CVE-2014-0003.html
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
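The HawtJNI issue in this advisory (CVE-2013-2035) is a temporary-file race: a native library was written to a fixed, guessable name under /tmp and loaded later, so any local user could pre-plant a symlink at that name, or swap the file, in the window before it was loaded. The Python below is an added example, not code from HawtJNI or the activemq package. It places the predictable pattern next to a hardened extractor (a fresh mode-0700 directory from mkdtemp, an O_CREAT|O_EXCL|O_NOFOLLOW create with mode 0600, and an lstat-based check a loader should run immediately before loading) and runs a constructed scenario in which the attacker plants a symlink at the predictable path. The library name and payload bytes are constructed, and a scratch directory created by the scenario stands in for /tmp.

```python
"""Native-library extraction: predictable /tmp name vs. a private, exclusive file.

Added example, not code from HawtJNI or the activemq package. The scratch
directory created by run_scenario() stands in for /tmp so the demo never
touches the real one; library name and payload are constructed.
"""
import os
import shutil
import stat
import tempfile


def extract_predictable(lib_name, payload, tmp_dir="/tmp"):
    """VULNERABLE pattern from the advisory: a fixed, guessable path in a shared
    directory. open("wb") follows a symlink planted at that path and truncates
    whatever it points to; the library is later loaded from the same path, so
    an attacker can also replace the file in between."""
    path = os.path.join(tmp_dir, lib_name)
    with open(path, "wb") as f:
        f.write(payload)
    return path


def write_exclusive(path, payload):
    """Create `path` only if nothing exists there yet (O_EXCL), never through
    a symlink (O_NOFOLLOW where the platform has it), owner-only permissions."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    try:
        view = memoryview(payload)
        while view:                       # os.write may write less than asked
            view = view[os.write(fd, view):]
        os.fsync(fd)
    finally:
        os.close(fd)


def extract_private(lib_name, payload, tmp_dir=None):
    """HARDENED: a fresh, randomly named, mode-0700 directory (mkdtemp), so the
    path is neither predictable nor writable by others, then an exclusive create."""
    private_dir = tempfile.mkdtemp(prefix="native-", dir=tmp_dir)
    path = os.path.join(private_dir, lib_name)
    write_exclusive(path, payload)
    return path


def is_safe_to_load(path):
    """What a loader should verify with lstat() right before loading: a regular
    file (not a symlink) owned by us and not writable by group or others, in a
    directory owned by us that is not world-writable."""
    try:
        st = os.lstat(path)
        parent = os.lstat(os.path.dirname(path) or ".")
    except OSError:
        return False
    me = os.geteuid()
    if not stat.S_ISREG(st.st_mode) or st.st_uid != me:
        return False
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False
    if not stat.S_ISDIR(parent.st_mode) or parent.st_uid != me:
        return False
    if parent.st_mode & stat.S_IWOTH:
        return False
    return True


def plant_symlink(tmp_dir, lib_name, target):
    """The local attacker's move: a symlink at the name the victim will use."""
    os.symlink(target, os.path.join(tmp_dir, lib_name))


def run_scenario(lib_name="libdemo-jni.so", payload=b"\x7fELF constructed payload"):
    """Constructed scenario; returns what happened so it can be checked."""
    scratch = tempfile.mkdtemp(prefix="scenario-")   # stands in for /tmp
    try:
        attacker_file = os.path.join(scratch, "attacker-controlled.so")
        plant_symlink(scratch, lib_name, attacker_file)

        # Victim extracts to the predictable name: the bytes land in the
        # attacker's file, and the path the victim will load is a symlink.
        p = extract_predictable(lib_name, payload, tmp_dir=scratch)
        with open(attacker_file, "rb") as f:
            symlink_followed = f.read() == payload
        predictable_safe = is_safe_to_load(p)

        # O_EXCL refuses the planted path instead of writing through it.
        try:
            write_exclusive(p, payload)
            exclusive_refused = False
        except OSError:
            exclusive_refused = True

        # Hardened extraction is unaffected by the planted link.
        q = extract_private(lib_name, payload, tmp_dir=scratch)
        with open(q, "rb") as f:
            private_intact = f.read() == payload
        private_safe = is_safe_to_load(q)
        return {
            "symlink_followed": symlink_followed,
            "predictable_safe": predictable_safe,
            "exclusive_refused": exclusive_refused,
            "private_safe": private_safe,
            "private_intact": private_intact,
        }
    finally:
        shutil.rmtree(scratch, ignore_errors=True)


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(name, value)
```

The lstat check is a last line of defence, not the fix: in a directory other users can write to there is always a window between the check and the load. The fix is to create the file where nobody else can write, which is what the mkdtemp plus O_EXCL path does, or to honour an explicit library path outside shared temporary directories, as the advisory's "no custom library path was specified" condition implies.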
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFTF32EXlSAg2UNWIIRAqEBAKCDjJpFw5OFuqbu6hUGz1H39ZgyWQCfRy6O
ClQoe0tMPPtGoNh3/o2bhdM=
=YJwp
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Mar 5 19:45:08 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 5 Mar 2014 19:45:08 +0000
Subject: [RHSA-2014:0255-01] Moderate: subversion security update
Message-ID: <201403051945.s25Jj8KF011787@int-mx01.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: subversion security update
Advisory ID:       RHSA-2014:0255-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0255.html
Issue date:        2014-03-05
CVE Names:         CVE-2013-1968 CVE-2013-2112 CVE-2014-0032
=====================================================================

1. Summary:

Updated subversion packages that fix three security issues are now available for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, noarch, x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - noarch, x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, noarch, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, noarch, x86_64

3. Description:

Subversion (SVN) is a concurrent version control system which enables one or more users to collaborate in developing and maintaining a hierarchy of files and directories while keeping a history of all changes. The mod_dav_svn module is used with the Apache HTTP Server to allow access to Subversion repositories via HTTP.

A flaw was found in the way the mod_dav_svn module handled OPTIONS requests. A remote attacker with read access to an SVN repository served via HTTP could use this flaw to cause the httpd process that handled such a request to crash. (CVE-2014-0032)

A flaw was found in the way Subversion handled file names with newline characters when the FSFS repository format was used. An attacker with commit access to an SVN repository could corrupt a revision by committing a specially crafted file. (CVE-2013-1968)

A flaw was found in the way the svnserve tool of Subversion handled remote client network connections. An attacker with read access to an SVN repository served via svnserve could use this flaw to cause the svnserve daemon to exit, leading to a denial of service. (CVE-2013-2112)

All subversion users should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, for the update to take effect, you must restart the httpd daemon, if you are using mod_dav_svn, and the svnserve daemon, if you are serving Subversion repositories via the svn:// protocol.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

970014 - CVE-2013-1968 subversion (FSFS format): Filenames with newline character can lead to revision corruption
970037 - CVE-2013-2112 subversion: Remote DoS due improper handling of early-closing TCP connections
1062042 - CVE-2014-0032 subversion: mod_dav_svn crash when handling certain requests with SVNListParentPath on

6. Package List:

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/subversion-1.6.11-12.el5_10.src.rpm

i386:
mod_dav_svn-1.6.11-12.el5_10.i386.rpm
subversion-1.6.11-12.el5_10.i386.rpm
subversion-debuginfo-1.6.11-12.el5_10.i386.rpm
subversion-devel-1.6.11-12.el5_10.i386.rpm
subversion-javahl-1.6.11-12.el5_10.i386.rpm
subversion-perl-1.6.11-12.el5_10.i386.rpm
subversion-ruby-1.6.11-12.el5_10.i386.rpm

x86_64:
mod_dav_svn-1.6.11-12.el5_10.x86_64.rpm
subversion-1.6.11-12.el5_10.i386.rpm
subversion-1.6.11-12.el5_10.x86_64.rpm
subversion-debuginfo-1.6.11-12.el5_10.i386.rpm
subversion-debuginfo-1.6.11-12.el5_10.x86_64.rpm
subversion-devel-1.6.11-12.el5_10.i386.rpm
subversion-devel-1.6.11-12.el5_10.x86_64.rpm
subversion-javahl-1.6.11-12.el5_10.x86_64.rpm
subversion-perl-1.6.11-12.el5_10.x86_64.rpm
subversion-ruby-1.6.11-12.el5_10.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/subversion-1.6.11-12.el5_10.src.rpm

i386:
mod_dav_svn-1.6.11-12.el5_10.i386.rpm
subversion-1.6.11-12.el5_10.i386.rpm
subversion-debuginfo-1.6.11-12.el5_10.i386.rpm
subversion-devel-1.6.11-12.el5_10.i386.rpm
subversion-javahl-1.6.11-12.el5_10.i386.rpm
subversion-perl-1.6.11-12.el5_10.i386.rpm
subversion-ruby-1.6.11-12.el5_10.i386.rpm

ia64:
mod_dav_svn-1.6.11-12.el5_10.ia64.rpm
subversion-1.6.11-12.el5_10.ia64.rpm
subversion-debuginfo-1.6.11-12.el5_10.ia64.rpm
subversion-devel-1.6.11-12.el5_10.ia64.rpm
subversion-javahl-1.6.11-12.el5_10.ia64.rpm
subversion-perl-1.6.11-12.el5_10.ia64.rpm
subversion-ruby-1.6.11-12.el5_10.ia64.rpm

ppc:
mod_dav_svn-1.6.11-12.el5_10.ppc.rpm
subversion-1.6.11-12.el5_10.ppc.rpm
subversion-1.6.11-12.el5_10.ppc64.rpm
subversion-debuginfo-1.6.11-12.el5_10.ppc.rpm
subversion-debuginfo-1.6.11-12.el5_10.ppc64.rpm
subversion-devel-1.6.11-12.el5_10.ppc.rpm
subversion-devel-1.6.11-12.el5_10.ppc64.rpm
subversion-javahl-1.6.11-12.el5_10.ppc.rpm
subversion-perl-1.6.11-12.el5_10.ppc.rpm
subversion-ruby-1.6.11-12.el5_10.ppc.rpm

s390x:
mod_dav_svn-1.6.11-12.el5_10.s390x.rpm
subversion-1.6.11-12.el5_10.s390.rpm
subversion-1.6.11-12.el5_10.s390x.rpm
subversion-debuginfo-1.6.11-12.el5_10.s390.rpm
subversion-debuginfo-1.6.11-12.el5_10.s390x.rpm
subversion-devel-1.6.11-12.el5_10.s390.rpm
subversion-devel-1.6.11-12.el5_10.s390x.rpm
subversion-javahl-1.6.11-12.el5_10.s390x.rpm
subversion-perl-1.6.11-12.el5_10.s390x.rpm
subversion-ruby-1.6.11-12.el5_10.s390x.rpm

x86_64:
mod_dav_svn-1.6.11-12.el5_10.x86_64.rpm
subversion-1.6.11-12.el5_10.i386.rpm
subversion-1.6.11-12.el5_10.x86_64.rpm
subversion-debuginfo-1.6.11-12.el5_10.i386.rpm
subversion-debuginfo-1.6.11-12.el5_10.x86_64.rpm
subversion-devel-1.6.11-12.el5_10.i386.rpm
subversion-devel-1.6.11-12.el5_10.x86_64.rpm
subversion-javahl-1.6.11-12.el5_10.x86_64.rpm
subversion-perl-1.6.11-12.el5_10.x86_64.rpm
subversion-ruby-1.6.11-12.el5_10.x86_64.rpm

Red Hat Enterprise Linux Desktop Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/subversion-1.6.11-10.el6_5.src.rpm

i386:
mod_dav_svn-1.6.11-10.el6_5.i686.rpm
subversion-1.6.11-10.el6_5.i686.rpm
subversion-debuginfo-1.6.11-10.el6_5.i686.rpm
subversion-devel-1.6.11-10.el6_5.i686.rpm
subversion-gnome-1.6.11-10.el6_5.i686.rpm
subversion-javahl-1.6.11-10.el6_5.i686.rpm
subversion-kde-1.6.11-10.el6_5.i686.rpm
subversion-perl-1.6.11-10.el6_5.i686.rpm
subversion-ruby-1.6.11-10.el6_5.i686.rpm

noarch:
subversion-svn2cl-1.6.11-10.el6_5.noarch.rpm

x86_64:
mod_dav_svn-1.6.11-10.el6_5.x86_64.rpm
subversion-1.6.11-10.el6_5.i686.rpm
subversion-1.6.11-10.el6_5.x86_64.rpm
subversion-debuginfo-1.6.11-10.el6_5.i686.rpm
subversion-debuginfo-1.6.11-10.el6_5.x86_64.rpm
subversion-devel-1.6.11-10.el6_5.i686.rpm
subversion-devel-1.6.11-10.el6_5.x86_64.rpm
subversion-gnome-1.6.11-10.el6_5.i686.rpm
subversion-gnome-1.6.11-10.el6_5.x86_64.rpm
subversion-javahl-1.6.11-10.el6_5.i686.rpm
subversion-javahl-1.6.11-10.el6_5.x86_64.rpm
subversion-kde-1.6.11-10.el6_5.i686.rpm
subversion-kde-1.6.11-10.el6_5.x86_64.rpm
subversion-perl-1.6.11-10.el6_5.i686.rpm
subversion-perl-1.6.11-10.el6_5.x86_64.rpm
subversion-ruby-1.6.11-10.el6_5.i686.rpm
subversion-ruby-1.6.11-10.el6_5.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/subversion-1.6.11-10.el6_5.src.rpm

noarch:
subversion-svn2cl-1.6.11-10.el6_5.noarch.rpm

x86_64:
mod_dav_svn-1.6.11-10.el6_5.x86_64.rpm
subversion-1.6.11-10.el6_5.i686.rpm
subversion-1.6.11-10.el6_5.x86_64.rpm
subversion-debuginfo-1.6.11-10.el6_5.i686.rpm
subversion-debuginfo-1.6.11-10.el6_5.x86_64.rpm
subversion-devel-1.6.11-10.el6_5.i686.rpm
subversion-devel-1.6.11-10.el6_5.x86_64.rpm
subversion-gnome-1.6.11-10.el6_5.i686.rpm
subversion-gnome-1.6.11-10.el6_5.x86_64.rpm
subversion-javahl-1.6.11-10.el6_5.i686.rpm
subversion-javahl-1.6.11-10.el6_5.x86_64.rpm
subversion-kde-1.6.11-10.el6_5.i686.rpm
subversion-kde-1.6.11-10.el6_5.x86_64.rpm
subversion-perl-1.6.11-10.el6_5.i686.rpm
subversion-perl-1.6.11-10.el6_5.x86_64.rpm
subversion-ruby-1.6.11-10.el6_5.i686.rpm
subversion-ruby-1.6.11-10.el6_5.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/subversion-1.6.11-10.el6_5.src.rpm

i386:
mod_dav_svn-1.6.11-10.el6_5.i686.rpm
subversion-1.6.11-10.el6_5.i686.rpm
subversion-debuginfo-1.6.11-10.el6_5.i686.rpm
subversion-javahl-1.6.11-10.el6_5.i686.rpm

ppc64:
mod_dav_svn-1.6.11-10.el6_5.ppc64.rpm
subversion-1.6.11-10.el6_5.ppc.rpm
subversion-1.6.11-10.el6_5.ppc64.rpm
subversion-debuginfo-1.6.11-10.el6_5.ppc.rpm
subversion-debuginfo-1.6.11-10.el6_5.ppc64.rpm

s390x:
mod_dav_svn-1.6.11-10.el6_5.s390x.rpm
subversion-1.6.11-10.el6_5.s390.rpm
subversion-1.6.11-10.el6_5.s390x.rpm
subversion-debuginfo-1.6.11-10.el6_5.s390.rpm
subversion-debuginfo-1.6.11-10.el6_5.s390x.rpm

x86_64:
mod_dav_svn-1.6.11-10.el6_5.x86_64.rpm
subversion-1.6.11-10.el6_5.i686.rpm
subversion-1.6.11-10.el6_5.x86_64.rpm
subversion-debuginfo-1.6.11-10.el6_5.i686.rpm
subversion-debuginfo-1.6.11-10.el6_5.x86_64.rpm
subversion-javahl-1.6.11-10.el6_5.i686.rpm
subversion-javahl-1.6.11-10.el6_5.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v.
6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/subversion-1.6.11-10.el6_5.src.rpm i386: subversion-debuginfo-1.6.11-10.el6_5.i686.rpm subversion-devel-1.6.11-10.el6_5.i686.rpm subversion-gnome-1.6.11-10.el6_5.i686.rpm subversion-kde-1.6.11-10.el6_5.i686.rpm subversion-perl-1.6.11-10.el6_5.i686.rpm subversion-ruby-1.6.11-10.el6_5.i686.rpm noarch: subversion-svn2cl-1.6.11-10.el6_5.noarch.rpm ppc64: subversion-debuginfo-1.6.11-10.el6_5.ppc.rpm subversion-debuginfo-1.6.11-10.el6_5.ppc64.rpm subversion-devel-1.6.11-10.el6_5.ppc.rpm subversion-devel-1.6.11-10.el6_5.ppc64.rpm subversion-gnome-1.6.11-10.el6_5.ppc.rpm subversion-gnome-1.6.11-10.el6_5.ppc64.rpm subversion-javahl-1.6.11-10.el6_5.ppc.rpm subversion-javahl-1.6.11-10.el6_5.ppc64.rpm subversion-kde-1.6.11-10.el6_5.ppc.rpm subversion-kde-1.6.11-10.el6_5.ppc64.rpm subversion-perl-1.6.11-10.el6_5.ppc.rpm subversion-perl-1.6.11-10.el6_5.ppc64.rpm subversion-ruby-1.6.11-10.el6_5.ppc.rpm subversion-ruby-1.6.11-10.el6_5.ppc64.rpm s390x: subversion-debuginfo-1.6.11-10.el6_5.s390.rpm subversion-debuginfo-1.6.11-10.el6_5.s390x.rpm subversion-devel-1.6.11-10.el6_5.s390.rpm subversion-devel-1.6.11-10.el6_5.s390x.rpm subversion-gnome-1.6.11-10.el6_5.s390.rpm subversion-gnome-1.6.11-10.el6_5.s390x.rpm subversion-javahl-1.6.11-10.el6_5.s390.rpm subversion-javahl-1.6.11-10.el6_5.s390x.rpm subversion-kde-1.6.11-10.el6_5.s390.rpm subversion-kde-1.6.11-10.el6_5.s390x.rpm subversion-perl-1.6.11-10.el6_5.s390.rpm subversion-perl-1.6.11-10.el6_5.s390x.rpm subversion-ruby-1.6.11-10.el6_5.s390.rpm subversion-ruby-1.6.11-10.el6_5.s390x.rpm x86_64: subversion-debuginfo-1.6.11-10.el6_5.i686.rpm subversion-debuginfo-1.6.11-10.el6_5.x86_64.rpm subversion-devel-1.6.11-10.el6_5.i686.rpm subversion-devel-1.6.11-10.el6_5.x86_64.rpm subversion-gnome-1.6.11-10.el6_5.i686.rpm subversion-gnome-1.6.11-10.el6_5.x86_64.rpm subversion-kde-1.6.11-10.el6_5.i686.rpm subversion-kde-1.6.11-10.el6_5.x86_64.rpm 
subversion-perl-1.6.11-10.el6_5.i686.rpm subversion-perl-1.6.11-10.el6_5.x86_64.rpm subversion-ruby-1.6.11-10.el6_5.i686.rpm subversion-ruby-1.6.11-10.el6_5.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/subversion-1.6.11-10.el6_5.src.rpm i386: mod_dav_svn-1.6.11-10.el6_5.i686.rpm subversion-1.6.11-10.el6_5.i686.rpm subversion-debuginfo-1.6.11-10.el6_5.i686.rpm subversion-javahl-1.6.11-10.el6_5.i686.rpm x86_64: mod_dav_svn-1.6.11-10.el6_5.x86_64.rpm subversion-1.6.11-10.el6_5.i686.rpm subversion-1.6.11-10.el6_5.x86_64.rpm subversion-debuginfo-1.6.11-10.el6_5.i686.rpm subversion-debuginfo-1.6.11-10.el6_5.x86_64.rpm subversion-javahl-1.6.11-10.el6_5.i686.rpm subversion-javahl-1.6.11-10.el6_5.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/subversion-1.6.11-10.el6_5.src.rpm i386: subversion-debuginfo-1.6.11-10.el6_5.i686.rpm subversion-devel-1.6.11-10.el6_5.i686.rpm subversion-gnome-1.6.11-10.el6_5.i686.rpm subversion-kde-1.6.11-10.el6_5.i686.rpm subversion-perl-1.6.11-10.el6_5.i686.rpm subversion-ruby-1.6.11-10.el6_5.i686.rpm noarch: subversion-svn2cl-1.6.11-10.el6_5.noarch.rpm x86_64: subversion-debuginfo-1.6.11-10.el6_5.i686.rpm subversion-debuginfo-1.6.11-10.el6_5.x86_64.rpm subversion-devel-1.6.11-10.el6_5.i686.rpm subversion-devel-1.6.11-10.el6_5.x86_64.rpm subversion-gnome-1.6.11-10.el6_5.i686.rpm subversion-gnome-1.6.11-10.el6_5.x86_64.rpm subversion-kde-1.6.11-10.el6_5.i686.rpm subversion-kde-1.6.11-10.el6_5.x86_64.rpm subversion-perl-1.6.11-10.el6_5.i686.rpm subversion-perl-1.6.11-10.el6_5.x86_64.rpm subversion-ruby-1.6.11-10.el6_5.i686.rpm subversion-ruby-1.6.11-10.el6_5.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. 
References: https://www.redhat.com/security/data/cve/CVE-2013-1968.html https://www.redhat.com/security/data/cve/CVE-2013-2112.html https://www.redhat.com/security/data/cve/CVE-2014-0032.html https://access.redhat.com/security/updates/classification/#moderate https://subversion.apache.org/security/CVE-2014-0032-advisory.txt https://subversion.apache.org/security/CVE-2013-1968-advisory.txt https://subversion.apache.org/security/CVE-2013-2112-advisory.txt 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2014 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFTF33DXlSAg2UNWIIRAqy2AJ9626q0pYAIJ77R9ZYV57GhsDB4HACbBcLw 7HE5/eCec+ZPCcNFuCbEZGQ= =Nhbq -----END PGP SIGNATURE----- From bugzilla at redhat.com Thu Mar 6 18:57:19 2014 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 6 Mar 2014 18:57:19 +0000 Subject: [RHSA-2014:0261-01] Low: Red Hat Enterprise MRG for Red Hat Enterprise Linux 5 1-month Notice Message-ID: <201403061857.s26IvJi0006400@int-mx09.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Low: Red Hat Enterprise MRG for Red Hat Enterprise Linux 5 1-month Notice Advisory ID: RHSA-2014:0261-01 Product: Red Hat Enterprise MRG for RHEL-5 Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-0261.html Issue date: 2014-03-06 ===================================================================== 1. Summary: This is the one-month notification for the retirement of Red Hat Enterprise MRG Version 1 for Red Hat Enterprise Linux 5. This notification applies only to those customers with subscriptions for Red Hat Enterprise MRG Version 1 for Red Hat Enterprise Linux 5. 2. 
Relevant releases/architectures: MRG Grid Execute Node for RHEL 5 Server - noarch MRG Grid Execute Node for RHEL 5 Server v.2 - noarch MRG Grid for RHEL 5 Server - noarch MRG Grid for RHEL 5 Server v.2 - noarch MRG Management for RHEL 5 Server - noarch MRG Management for RHEL 5 Server v.2 - noarch MRG Realtime for RHEL 5 Server - noarch Red Hat MRG Messaging Base for RHEL 5 Server - noarch Red Hat MRG Messaging for RHEL 5 Server - noarch Red Hat MRG Messaging for RHEL 5 Server v.2 - noarch 3. Description: In accordance with the Red Hat Enterprise MRG Life Cycle policy, the Red Hat Enterprise MRG product, which includes MRG-Messaging, MRG-Realtime, and MRG-Grid, Version 1 offering for Red Hat Enterprise Linux 5 will be retired as of March 31, 2014, and support will no longer be provided. Accordingly, Red Hat will no longer provide updated packages, including critical impact security patches or urgent priority bug fixes, for MRG-Messaging, MRG-Realtime, and MRG-Grid Version 1 on Red Hat Enterprise Linux 5 after that date. In addition, technical support through Red Hat's Global Support Services will no longer be provided for Red Hat Enterprise MRG Version 1 on Red Hat Enterprise Linux 5 after March 31, 2014. We encourage customers to plan their migration from Red Hat Enterprise MRG Version 1 for Red Hat Enterprise Linux 5 to Red Hat Enterprise MRG Version 2 on either Red Hat Enterprise Linux 5 or Red Hat Enterprise Linux 6. As a benefit of the Red Hat subscription model, customers can use their active Red Hat Enterprise MRG subscriptions to entitle any system on a currently supported version of those products. Details of the Red Hat Enterprise MRG life cycle can be found here: https://access.redhat.com/site/support/policy/updates/mrg/ 4. Solution: This erratum contains an updated mrg-release package, which provides a copy of this notice in the "/usr/share/doc/" directory. 5. 
Package List: MRG Grid for RHEL 5 Server: Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/mrg-release-1.3.3-6.el5.src.rpm noarch: mrg-release-1.3.3-6.el5.noarch.rpm MRG Grid for RHEL 5 Server v.2: Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/mrg-release-2.4.0-5.el5_10.src.rpm noarch: mrg-release-2.4.0-5.el5_10.noarch.rpm MRG Grid Execute Node for RHEL 5 Server: Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/mrg-release-1.3.3-6.el5.src.rpm noarch: mrg-release-1.3.3-6.el5.noarch.rpm MRG Grid Execute Node for RHEL 5 Server v.2: Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/mrg-release-2.4.0-5.el5_10.src.rpm noarch: mrg-release-2.4.0-5.el5_10.noarch.rpm MRG Management for RHEL 5 Server: Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/mrg-release-1.3.3-6.el5.src.rpm noarch: mrg-release-1.3.3-6.el5.noarch.rpm MRG Management for RHEL 5 Server v.2: Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/mrg-release-2.4.0-5.el5_10.src.rpm noarch: mrg-release-2.4.0-5.el5_10.noarch.rpm Red Hat MRG Messaging for RHEL 5 Server: Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/mrg-release-1.3.3-6.el5.src.rpm noarch: mrg-release-1.3.3-6.el5.noarch.rpm Red Hat MRG Messaging for RHEL 5 Server v.2: Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/mrg-release-2.4.0-5.el5_10.src.rpm noarch: mrg-release-2.4.0-5.el5_10.noarch.rpm Red Hat MRG Messaging Base for RHEL 5 Server: Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/mrg-release-1.3.3-6.el5.src.rpm noarch: mrg-release-1.3.3-6.el5.noarch.rpm MRG Realtime for RHEL 5 Server: Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEMRG/SRPMS/mrg-release-1.3.3-6.el5.src.rpm noarch: mrg-release-1.3.3-6.el5.noarch.rpm These packages are 
GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 6. References: https://access.redhat.com/security/updates/classification/#low https://access.redhat.com/site/support/policy/updates/mrg/ 7. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2014 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFTGMTAXlSAg2UNWIIRAuOoAJ0QQLIYGq7qR5pxOFKTcPY/icE6vQCfTaGl U1+oPUEgXrnO5KKHhmCvOro= =qFgi -----END PGP SIGNATURE----- From bugzilla at redhat.com Mon Mar 10 16:02:54 2014 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Mon, 10 Mar 2014 16:02:54 +0000 Subject: [RHSA-2014:0266-01] Moderate: sudo security update Message-ID: <201403101602.s2AG2sN6023535@int-mx11.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: sudo security update Advisory ID: RHSA-2014:0266-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-0266.html Issue date: 2014-03-10 CVE Names: CVE-2014-0106 ===================================================================== 1. Summary: An updated sudo package that fixes one security issue is now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 3. 
Description: The sudo (superuser do) utility allows system administrators to give certain users the ability to run commands as root. A flaw was found in the way sudo handled its blacklist of environment variables. When the "env_reset" option was disabled, a user permitted to run certain commands via sudo could use this flaw to run such a command with one of the blacklisted environment variables set, allowing them to run an arbitrary command with the target user's privileges. (CVE-2014-0106) Note: This issue does not affect the default configuration of the sudo package as shipped with Red Hat Enterprise Linux 5. Red Hat would like to thank Todd C. Miller for reporting this issue. Upstream acknowledges Sebastien Macke as the original reporter. All sudo users are advised to upgrade to this updated package, which contains a backported patch to correct this issue. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1071780 - CVE-2014-0106 sudo: certain environment variables not sanitized when env_reset is disabled 6. Package List: Red Hat Enterprise Linux Desktop (v. 5 client): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/sudo-1.7.2p1-29.el5_10.src.rpm i386: sudo-1.7.2p1-29.el5_10.i386.rpm sudo-debuginfo-1.7.2p1-29.el5_10.i386.rpm x86_64: sudo-1.7.2p1-29.el5_10.x86_64.rpm sudo-debuginfo-1.7.2p1-29.el5_10.x86_64.rpm Red Hat Enterprise Linux (v. 
5 server): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/sudo-1.7.2p1-29.el5_10.src.rpm i386: sudo-1.7.2p1-29.el5_10.i386.rpm sudo-debuginfo-1.7.2p1-29.el5_10.i386.rpm ia64: sudo-1.7.2p1-29.el5_10.ia64.rpm sudo-debuginfo-1.7.2p1-29.el5_10.ia64.rpm ppc: sudo-1.7.2p1-29.el5_10.ppc.rpm sudo-debuginfo-1.7.2p1-29.el5_10.ppc.rpm s390x: sudo-1.7.2p1-29.el5_10.s390x.rpm sudo-debuginfo-1.7.2p1-29.el5_10.s390x.rpm x86_64: sudo-1.7.2p1-29.el5_10.x86_64.rpm sudo-debuginfo-1.7.2p1-29.el5_10.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2014-0106.html https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2014 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFTHeIWXlSAg2UNWIIRAh4wAKCq6u7gbYVBwdmMueHCHYmKKRCTdACeNjJO kv5Vz+HXTexNMGs3Pr3fKpE= =TJ6k -----END PGP SIGNATURE----- From bugzilla at redhat.com Tue Mar 11 17:31:10 2014 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Tue, 11 Mar 2014 17:31:10 +0000 Subject: [RHSA-2014:0284-01] Important: kernel security and bug fix update Message-ID: <201403111731.s2BHVAO6015671@int-mx02.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: kernel security and bug fix update Advisory ID: RHSA-2014:0284-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-0284.html Issue date: 2014-03-11 CVE Names: CVE-2013-2851 CVE-2013-4387 CVE-2013-4470 CVE-2013-4591 CVE-2013-6367 CVE-2013-6368 CVE-2013-6381 
===================================================================== 1. Summary: Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6.4 Extended Update Support. The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Compute Node Optional EUS (v. 6.4) - x86_64 Red Hat Enterprise Linux HPC Node EUS (v. 6.4) - noarch, x86_64 Red Hat Enterprise Linux Server EUS (v. 6.4) - i386, noarch, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional EUS (v. 6.4) - i386, ppc64, s390x, x86_64 3. Description: The kernel packages contain the Linux kernel, the core of any Linux operating system. * A flaw was found in the way the Linux kernel's IPv6 implementation handled certain UDP packets when the UDP Fragmentation Offload (UFO) feature was enabled. A remote attacker could use this flaw to crash the system or, potentially, escalate their privileges on the system. (CVE-2013-4387, Important) * A flaw was found in the way the Linux kernel's TCP/IP protocol suite implementation handled sending of certain UDP packets over sockets that used the UDP_CORK option when the UDP Fragmentation Offload (UFO) feature was enabled on the output device. A local, unprivileged user could use this flaw to cause a denial of service or, potentially, escalate their privileges on the system. (CVE-2013-4470, Important) * A divide-by-zero flaw was found in the apic_get_tmcct() function in KVM's Local Advanced Programmable Interrupt Controller (LAPIC) implementation. A privileged guest user could use this flaw to crash the host. 
(CVE-2013-6367, Important) * A memory corruption flaw was discovered in the way KVM handled virtual APIC accesses that crossed a page boundary. A local, unprivileged user could use this flaw to crash the system or, potentially, escalate their privileges on the system. (CVE-2013-6368, Important) * A buffer overflow flaw was found in the way the qeth_snmp_command() function in the Linux kernel's QETH network device driver implementation handled SNMP IOCTL requests with an out-of-bounds length. A local, unprivileged user could use this flaw to crash the system or, potentially, escalate their privileges on the system. (CVE-2013-6381, Important) * It was found that the fix for CVE-2012-2375 released via RHSA-2012:1580 accidentally removed a check for small-sized result buffers. A local, unprivileged user with access to an NFSv4 mount with ACL support could use this flaw to crash the system or, potentially, escalate their privileges on the system. (CVE-2013-4591, Moderate) * A format string flaw was found in the Linux kernel's block layer. A privileged, local user could potentially use this flaw to escalate their privileges to kernel level (ring0). (CVE-2013-2851, Low) Red Hat would like to thank Hannes Frederic Sowa for reporting CVE-2013-4470, Andrew Honig of Google for reporting CVE-2013-6367 and CVE-2013-6368, and Kees Cook for reporting CVE-2013-2851. This update also fixes several bugs. Documentation for these changes will be available shortly from the Technical Notes document linked to in the References section. All kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via the Red Hat Network. 
Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258 To install kernel packages manually, use "rpm -ivh [package]". Do not use "rpm -Uvh" as that will remove the running kernel binaries from your system. You may use "rpm -e" to remove old kernels after determining that the new kernel functions properly on your system. 5. Bugs fixed (https://bugzilla.redhat.com/): 969515 - CVE-2013-2851 kernel: block: passing disk names as format strings 1011927 - CVE-2013-4387 Kernel: net: IPv6: panic when UFO=On for an interface 1023477 - CVE-2013-4470 Kernel: net: memory corruption with UDP_CORK and UFO 1031678 - CVE-2013-4591 kernel: nfs: missing check for buffer length in __nfs4_get_acl_uncached 1032207 - CVE-2013-6367 kvm: division by zero in apic_get_tmcct() 1032210 - CVE-2013-6368 kvm: cross page vapic_addr access 1033600 - CVE-2013-6381 Kernel: qeth: buffer overflow in snmp ioctl 6. Package List: Red Hat Enterprise Linux HPC Node EUS (v. 6.4): Source: kernel-2.6.32-358.37.1.el6.src.rpm noarch: kernel-doc-2.6.32-358.37.1.el6.noarch.rpm kernel-firmware-2.6.32-358.37.1.el6.noarch.rpm x86_64: kernel-2.6.32-358.37.1.el6.x86_64.rpm kernel-debug-2.6.32-358.37.1.el6.x86_64.rpm kernel-debug-debuginfo-2.6.32-358.37.1.el6.x86_64.rpm kernel-debug-devel-2.6.32-358.37.1.el6.x86_64.rpm kernel-debuginfo-2.6.32-358.37.1.el6.x86_64.rpm kernel-debuginfo-common-x86_64-2.6.32-358.37.1.el6.x86_64.rpm kernel-devel-2.6.32-358.37.1.el6.x86_64.rpm kernel-headers-2.6.32-358.37.1.el6.x86_64.rpm perf-2.6.32-358.37.1.el6.x86_64.rpm perf-debuginfo-2.6.32-358.37.1.el6.x86_64.rpm python-perf-debuginfo-2.6.32-358.37.1.el6.x86_64.rpm Red Hat Enterprise Linux Compute Node Optional EUS (v. 
6.4): Source: kernel-2.6.32-358.37.1.el6.src.rpm x86_64: kernel-debug-debuginfo-2.6.32-358.37.1.el6.x86_64.rpm kernel-debuginfo-2.6.32-358.37.1.el6.x86_64.rpm kernel-debuginfo-common-x86_64-2.6.32-358.37.1.el6.x86_64.rpm perf-debuginfo-2.6.32-358.37.1.el6.x86_64.rpm python-perf-2.6.32-358.37.1.el6.x86_64.rpm python-perf-debuginfo-2.6.32-358.37.1.el6.x86_64.rpm Red Hat Enterprise Linux Server EUS (v. 6.4): Source: kernel-2.6.32-358.37.1.el6.src.rpm i386: kernel-2.6.32-358.37.1.el6.i686.rpm kernel-debug-2.6.32-358.37.1.el6.i686.rpm kernel-debug-debuginfo-2.6.32-358.37.1.el6.i686.rpm kernel-debug-devel-2.6.32-358.37.1.el6.i686.rpm kernel-debuginfo-2.6.32-358.37.1.el6.i686.rpm kernel-debuginfo-common-i686-2.6.32-358.37.1.el6.i686.rpm kernel-devel-2.6.32-358.37.1.el6.i686.rpm kernel-headers-2.6.32-358.37.1.el6.i686.rpm perf-2.6.32-358.37.1.el6.i686.rpm perf-debuginfo-2.6.32-358.37.1.el6.i686.rpm python-perf-debuginfo-2.6.32-358.37.1.el6.i686.rpm noarch: kernel-doc-2.6.32-358.37.1.el6.noarch.rpm kernel-firmware-2.6.32-358.37.1.el6.noarch.rpm ppc64: kernel-2.6.32-358.37.1.el6.ppc64.rpm kernel-bootwrapper-2.6.32-358.37.1.el6.ppc64.rpm kernel-debug-2.6.32-358.37.1.el6.ppc64.rpm kernel-debug-debuginfo-2.6.32-358.37.1.el6.ppc64.rpm kernel-debug-devel-2.6.32-358.37.1.el6.ppc64.rpm kernel-debuginfo-2.6.32-358.37.1.el6.ppc64.rpm kernel-debuginfo-common-ppc64-2.6.32-358.37.1.el6.ppc64.rpm kernel-devel-2.6.32-358.37.1.el6.ppc64.rpm kernel-headers-2.6.32-358.37.1.el6.ppc64.rpm perf-2.6.32-358.37.1.el6.ppc64.rpm perf-debuginfo-2.6.32-358.37.1.el6.ppc64.rpm python-perf-debuginfo-2.6.32-358.37.1.el6.ppc64.rpm s390x: kernel-2.6.32-358.37.1.el6.s390x.rpm kernel-debug-2.6.32-358.37.1.el6.s390x.rpm kernel-debug-debuginfo-2.6.32-358.37.1.el6.s390x.rpm kernel-debug-devel-2.6.32-358.37.1.el6.s390x.rpm kernel-debuginfo-2.6.32-358.37.1.el6.s390x.rpm kernel-debuginfo-common-s390x-2.6.32-358.37.1.el6.s390x.rpm kernel-devel-2.6.32-358.37.1.el6.s390x.rpm 
kernel-headers-2.6.32-358.37.1.el6.s390x.rpm kernel-kdump-2.6.32-358.37.1.el6.s390x.rpm kernel-kdump-debuginfo-2.6.32-358.37.1.el6.s390x.rpm kernel-kdump-devel-2.6.32-358.37.1.el6.s390x.rpm perf-2.6.32-358.37.1.el6.s390x.rpm perf-debuginfo-2.6.32-358.37.1.el6.s390x.rpm python-perf-debuginfo-2.6.32-358.37.1.el6.s390x.rpm x86_64: kernel-2.6.32-358.37.1.el6.x86_64.rpm kernel-debug-2.6.32-358.37.1.el6.x86_64.rpm kernel-debug-debuginfo-2.6.32-358.37.1.el6.x86_64.rpm kernel-debug-devel-2.6.32-358.37.1.el6.x86_64.rpm kernel-debuginfo-2.6.32-358.37.1.el6.x86_64.rpm kernel-debuginfo-common-x86_64-2.6.32-358.37.1.el6.x86_64.rpm kernel-devel-2.6.32-358.37.1.el6.x86_64.rpm kernel-headers-2.6.32-358.37.1.el6.x86_64.rpm perf-2.6.32-358.37.1.el6.x86_64.rpm perf-debuginfo-2.6.32-358.37.1.el6.x86_64.rpm python-perf-debuginfo-2.6.32-358.37.1.el6.x86_64.rpm Red Hat Enterprise Linux Server Optional EUS (v. 6.4): Source: kernel-2.6.32-358.37.1.el6.src.rpm i386: kernel-debug-debuginfo-2.6.32-358.37.1.el6.i686.rpm kernel-debuginfo-2.6.32-358.37.1.el6.i686.rpm kernel-debuginfo-common-i686-2.6.32-358.37.1.el6.i686.rpm perf-debuginfo-2.6.32-358.37.1.el6.i686.rpm python-perf-2.6.32-358.37.1.el6.i686.rpm python-perf-debuginfo-2.6.32-358.37.1.el6.i686.rpm ppc64: kernel-debug-debuginfo-2.6.32-358.37.1.el6.ppc64.rpm kernel-debuginfo-2.6.32-358.37.1.el6.ppc64.rpm kernel-debuginfo-common-ppc64-2.6.32-358.37.1.el6.ppc64.rpm perf-debuginfo-2.6.32-358.37.1.el6.ppc64.rpm python-perf-2.6.32-358.37.1.el6.ppc64.rpm python-perf-debuginfo-2.6.32-358.37.1.el6.ppc64.rpm s390x: kernel-debug-debuginfo-2.6.32-358.37.1.el6.s390x.rpm kernel-debuginfo-2.6.32-358.37.1.el6.s390x.rpm kernel-debuginfo-common-s390x-2.6.32-358.37.1.el6.s390x.rpm kernel-kdump-debuginfo-2.6.32-358.37.1.el6.s390x.rpm perf-debuginfo-2.6.32-358.37.1.el6.s390x.rpm python-perf-2.6.32-358.37.1.el6.s390x.rpm python-perf-debuginfo-2.6.32-358.37.1.el6.s390x.rpm x86_64: kernel-debug-debuginfo-2.6.32-358.37.1.el6.x86_64.rpm 
kernel-debuginfo-2.6.32-358.37.1.el6.x86_64.rpm kernel-debuginfo-common-x86_64-2.6.32-358.37.1.el6.x86_64.rpm perf-debuginfo-2.6.32-358.37.1.el6.x86_64.rpm python-perf-2.6.32-358.37.1.el6.x86_64.rpm python-perf-debuginfo-2.6.32-358.37.1.el6.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2013-2851.html https://www.redhat.com/security/data/cve/CVE-2013-4387.html https://www.redhat.com/security/data/cve/CVE-2013-4470.html https://www.redhat.com/security/data/cve/CVE-2013-4591.html https://www.redhat.com/security/data/cve/CVE-2013-6367.html https://www.redhat.com/security/data/cve/CVE-2013-6368.html https://www.redhat.com/security/data/cve/CVE-2013-6381.html https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/6.4_Technical_Notes/kernel.html 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2014 Red Hat, Inc. 
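Each advisory above closes with the package list that carries the fix, and the kernel advisories add that kernels are installed with "rpm -ivh" so the old kernel stays beside the new one. Whether a host is actually covered therefore comes down to comparing installed name-version-release strings with the advisory's under rpm's own ordering rules. What follows is an added example and not Red Hat's tooling or part of the advisory: a Python reimplementation of rpm's version comparison (rpmvercmp, with its tilde rule) applied to a constructed installed-package list, against package names copied from the advisories above. INSTALLED is constructed and mixes el5 and el6 packages purely to exercise the checks; the `rpm -qa` query format quoted in the comment is the assumed source of that list on a real host, and the function names (rpmvercmp, parse_nvra, unpatched, running_kernel_patched) are this example's own.

```python
"""Compare installed RPM versions against the fixed versions an advisory lists.

Added example, not Red Hat's tooling: a Python reimplementation of rpm's
version-ordering rules (rpmvercmp) so the check runs without rpm installed.
"""
import re

# Fixed package file names copied from the advisories above.
ADVISORY_PACKAGES = [
    "sudo-1.7.2p1-29.el5_10.x86_64.rpm",
    "kernel-2.6.32-358.37.1.el6.x86_64.rpm",
    "subversion-1.6.11-10.el6_5.x86_64.rpm",
    "mod_dav_svn-1.6.11-10.el6_5.x86_64.rpm",
]

# Constructed output in the shape of
#   rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n'
# for a hypothetical host; el5 and el6 packages are mixed only to exercise the checks.
INSTALLED = [
    "sudo-1.7.2p1-28.el5_10.x86_64",          # one release behind the fix
    "kernel-2.6.32-358.23.2.el6.x86_64",      # older kernel still installed ...
    "kernel-2.6.32-358.37.1.el6.x86_64",      # ... beside the fixed one (rpm -ivh)
    "subversion-1.6.11-10.el6_5.x86_64",      # exactly the fixed version
    "mod_dav_svn-1.6.11-9.el6_5.x86_64",      # behind the fix
]


def _segments(s):
    # rpmvercmp compares runs of digits, runs of letters and '~'; everything
    # else ('.', '_', '-') is a separator.
    return re.findall(r"\d+|[a-zA-Z]+|~", s)


def rpmvercmp(a, b):
    """Return -1, 0 or 1 ordering version/release strings like rpm does:
    numeric segments compare numerically, alphabetic ones lexically, a numeric
    segment beats an alphabetic one, '~' sorts before anything (pre-releases),
    and when one string runs out the one with segments left over is newer."""
    if a == b:
        return 0
    sa, sb = _segments(a), _segments(b)
    for i in range(max(len(sa), len(sb))):
        x = sa[i] if i < len(sa) else None
        y = sb[i] if i < len(sb) else None
        if x == "~" or y == "~":
            if x != "~":
                return 1
            if y != "~":
                return -1
            continue
        if x is None:
            return -1
        if y is None:
            return 1
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        xk, yk = (int(x), int(y)) if x.isdigit() else (x, y)
        if xk != yk:
            return 1 if xk > yk else -1
    return 0


def parse_nvra(pkg):
    """Split 'name-version-release.arch[.rpm]' into its four parts."""
    if pkg.endswith(".rpm"):
        pkg = pkg[:-4]
    base, arch = pkg.rsplit(".", 1)
    name, version, release = base.rsplit("-", 2)
    return name, version, release, arch


def compare_vr(vr_a, vr_b):
    """Order (version, release) pairs: version first, release breaks ties."""
    return rpmvercmp(vr_a[0], vr_b[0]) or rpmvercmp(vr_a[1], vr_b[1])


def unpatched(installed, advisory):
    """Return 'name.arch' of installed packages whose newest installed instance
    is older than the advisory's; packages the advisory does not list are
    ignored. Taking the newest instance matters for kernels, which are
    installed side by side rather than upgraded in place."""
    fixed = {}
    for pkg in advisory:
        n, v, r, a = parse_nvra(pkg)
        fixed[(n, a)] = (v, r)
    newest = {}
    for pkg in installed:
        n, v, r, a = parse_nvra(pkg)
        if (n, a) not in newest or compare_vr((v, r), newest[(n, a)]) > 0:
            newest[(n, a)] = (v, r)
    return sorted(f"{n}.{a}" for (n, a), vr in newest.items()
                  if (n, a) in fixed and compare_vr(vr, fixed[(n, a)]) < 0)


def running_kernel_patched(uname_r, fixed_kernel):
    """True if the running kernel (uname -r, e.g. '2.6.32-358.37.1.el6.x86_64')
    is at or above the advisory's kernel package; an installed fix does not
    count until the reboot the advisory asks for."""
    _, v, r, a = parse_nvra(fixed_kernel)
    vr, arch = uname_r.rsplit(".", 1)
    ver, rel = vr.split("-", 1)
    return arch == a and compare_vr((ver, rel), (v, r)) >= 0


if __name__ == "__main__":
    print("unpatched:", unpatched(INSTALLED, ADVISORY_PACKAGES))
    print("running kernel ok:",
          running_kernel_patched("2.6.32-358.23.2.el6.x86_64", ADVISORY_PACKAGES[1]))
```

The two checks answer different questions: unpatched() says whether the fixed build is on disk, running_kernel_patched() whether it is the one actually booted, which is the state that matters for the kernel flaws listed. Flavoured kernels (kernel-PAE, kernel-xen in the RHEL 5 advisory) carry their flavour as a suffix in uname -r, so compare them against the matching flavour package rather than the plain kernel one.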
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFTH0f0XlSAg2UNWIIRAqHiAJ46CxiI0DA1FctbzJTMVLZFZbpZ9gCgwwHT
slECbQg168dtNFeJ3F18qYI=
=gSQ/
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Mar 12 18:37:52 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 12 Mar 2014 18:37:52 +0000
Subject: [RHSA-2014:0285-01] Important: kernel security, bug fix, and enhancement update
Message-ID: <201403121837.s2CIbrjl026012@int-mx09.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: kernel security, bug fix, and enhancement update
Advisory ID:       RHSA-2014:0285-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0285.html
Issue date:        2014-03-12
CVE Names:         CVE-2013-2929 CVE-2013-4483 CVE-2013-4554 CVE-2013-6381
                   CVE-2013-6383 CVE-2013-6885 CVE-2013-7263
=====================================================================

1. Summary:

Updated kernel packages that fix multiple security issues, several bugs, and
add one enhancement are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having Important
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux (v. 5 server) - i386, ia64, noarch, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, noarch, x86_64

3. Description:

The kernel packages contain the Linux kernel, the core of any Linux
operating system.

* A buffer overflow flaw was found in the way the qeth_snmp_command()
function in the Linux kernel's QETH network device driver implementation
handled SNMP IOCTL requests with an out-of-bounds length. A local,
unprivileged user could use this flaw to crash the system or, potentially,
escalate their privileges on the system. (CVE-2013-6381, Important)

* A flaw was found in the way the ipc_rcu_putref() function in the Linux
kernel's IPC implementation handled reference counter decrementing. A local,
unprivileged user could use this flaw to trigger an Out of Memory (OOM)
condition and, potentially, crash the system. (CVE-2013-4483, Moderate)

* It was found that the Xen hypervisor implementation did not correctly
check privileges of hypercall attempts made by HVM guests, allowing
hypercalls to be invoked from protection rings 1 and 2 in addition to ring
0. A local attacker in an HVM guest able to execute code on privilege levels
1 and 2 could potentially use this flaw to further escalate their privileges
in that guest. Note: Xen HVM guests running unmodified versions of Red Hat
Enterprise Linux and Microsoft Windows are not affected by this issue
because they are known to only use protection rings 0 (kernel) and 3
(userspace). (CVE-2013-4554, Moderate)

* A flaw was found in the way the Linux kernel's Adaptec RAID controller
(aacraid) checked permissions of compat IOCTLs. A local attacker could use
this flaw to bypass intended security restrictions. (CVE-2013-6383,
Moderate)

* It was found that, under specific circumstances, a combination of write
operations to write-combined memory and locked CPU instructions may cause a
core hang on certain AMD CPUs (for more information, refer to AMD CPU
erratum 793 linked in the References section). A privileged user in a guest
running under the Xen hypervisor could use this flaw to cause a denial of
service on the host system. This update adds a workaround to the Xen
hypervisor implementation, which mitigates the AMD CPU issue. Note: this
issue only affects AMD Family 16h Models 00h-0Fh Processors. Non-AMD CPUs
are not vulnerable. (CVE-2013-6885, Moderate)

* It was found that certain protocol handlers in the Linux kernel's
networking implementation could set the addr_len value without initializing
the associated data structure. A local, unprivileged user could use this
flaw to leak kernel stack memory to user space using the recvmsg, recvfrom,
and recvmmsg system calls. (CVE-2013-7263, Low)

* A flaw was found in the way the get_dumpable() function return value was
interpreted in the ptrace subsystem of the Linux kernel. When
'fs.suid_dumpable' was set to 2, a local, unprivileged user could use this
flaw to bypass intended ptrace restrictions and obtain potentially sensitive
information. (CVE-2013-2929, Low)

Red Hat would like to thank Vladimir Davydov of Parallels for reporting
CVE-2013-4483 and the Xen project for reporting CVE-2013-4554 and
CVE-2013-6885. Upstream acknowledges Jan Beulich as the original reporter of
CVE-2013-4554 and CVE-2013-6885.

This update also fixes several bugs and adds one enhancement. Documentation
for these changes will be available shortly from the Technical Notes
document linked to in the References section.

All kernel users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues and add this
enhancement. The system must be rebooted for this update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

To install kernel packages manually, use "rpm -ivh [package]". Do not use
"rpm -Uvh" as that will remove the running kernel binaries from your system.
You may use "rpm -e" to remove old kernels after determining that the new
kernel functions properly on your system.

5. Bugs fixed (https://bugzilla.redhat.com/):

1024854 - CVE-2013-4483 kernel: ipc: ipc_rcu_putref refcount races
1028148 - CVE-2013-2929 kernel: exec/ptrace: get_dumpable() incorrect tests
1029111 - CVE-2013-4554 kernel: xen: hypercalls exposed to privilege rings 1 and 2 of HVM guests
1033530 - CVE-2013-6383 Kernel: AACRAID Driver compat IOCTL missing capability check
1033600 - CVE-2013-6381 Kernel: qeth: buffer overflow in snmp ioctl
1035823 - CVE-2013-6885 hw: AMD CPU erratum may cause core hang
1035875 - CVE-2013-7263 CVE-2013-7265 Kernel: net: leakage of uninitialized memory to user-space via recv syscalls

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/kernel-2.6.18-371.6.1.el5.src.rpm

i386:
kernel-2.6.18-371.6.1.el5.i686.rpm
kernel-PAE-2.6.18-371.6.1.el5.i686.rpm
kernel-PAE-debuginfo-2.6.18-371.6.1.el5.i686.rpm
kernel-PAE-devel-2.6.18-371.6.1.el5.i686.rpm
kernel-debug-2.6.18-371.6.1.el5.i686.rpm
kernel-debug-debuginfo-2.6.18-371.6.1.el5.i686.rpm
kernel-debug-devel-2.6.18-371.6.1.el5.i686.rpm
kernel-debuginfo-2.6.18-371.6.1.el5.i686.rpm
kernel-debuginfo-common-2.6.18-371.6.1.el5.i686.rpm
kernel-devel-2.6.18-371.6.1.el5.i686.rpm
kernel-headers-2.6.18-371.6.1.el5.i386.rpm
kernel-xen-2.6.18-371.6.1.el5.i686.rpm
kernel-xen-debuginfo-2.6.18-371.6.1.el5.i686.rpm
kernel-xen-devel-2.6.18-371.6.1.el5.i686.rpm

noarch:
kernel-doc-2.6.18-371.6.1.el5.noarch.rpm

x86_64:
kernel-2.6.18-371.6.1.el5.x86_64.rpm
kernel-debug-2.6.18-371.6.1.el5.x86_64.rpm
kernel-debug-debuginfo-2.6.18-371.6.1.el5.x86_64.rpm
kernel-debug-devel-2.6.18-371.6.1.el5.x86_64.rpm
kernel-debuginfo-2.6.18-371.6.1.el5.x86_64.rpm
kernel-debuginfo-common-2.6.18-371.6.1.el5.x86_64.rpm
kernel-devel-2.6.18-371.6.1.el5.x86_64.rpm
kernel-headers-2.6.18-371.6.1.el5.x86_64.rpm
kernel-xen-2.6.18-371.6.1.el5.x86_64.rpm
kernel-xen-debuginfo-2.6.18-371.6.1.el5.x86_64.rpm
kernel-xen-devel-2.6.18-371.6.1.el5.x86_64.rpm

Red Hat
Enterprise Linux (v. 5 server): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/kernel-2.6.18-371.6.1.el5.src.rpm i386: kernel-2.6.18-371.6.1.el5.i686.rpm kernel-PAE-2.6.18-371.6.1.el5.i686.rpm kernel-PAE-debuginfo-2.6.18-371.6.1.el5.i686.rpm kernel-PAE-devel-2.6.18-371.6.1.el5.i686.rpm kernel-debug-2.6.18-371.6.1.el5.i686.rpm kernel-debug-debuginfo-2.6.18-371.6.1.el5.i686.rpm kernel-debug-devel-2.6.18-371.6.1.el5.i686.rpm kernel-debuginfo-2.6.18-371.6.1.el5.i686.rpm kernel-debuginfo-common-2.6.18-371.6.1.el5.i686.rpm kernel-devel-2.6.18-371.6.1.el5.i686.rpm kernel-headers-2.6.18-371.6.1.el5.i386.rpm kernel-xen-2.6.18-371.6.1.el5.i686.rpm kernel-xen-debuginfo-2.6.18-371.6.1.el5.i686.rpm kernel-xen-devel-2.6.18-371.6.1.el5.i686.rpm ia64: kernel-2.6.18-371.6.1.el5.ia64.rpm kernel-debug-2.6.18-371.6.1.el5.ia64.rpm kernel-debug-debuginfo-2.6.18-371.6.1.el5.ia64.rpm kernel-debug-devel-2.6.18-371.6.1.el5.ia64.rpm kernel-debuginfo-2.6.18-371.6.1.el5.ia64.rpm kernel-debuginfo-common-2.6.18-371.6.1.el5.ia64.rpm kernel-devel-2.6.18-371.6.1.el5.ia64.rpm kernel-headers-2.6.18-371.6.1.el5.ia64.rpm kernel-xen-2.6.18-371.6.1.el5.ia64.rpm kernel-xen-debuginfo-2.6.18-371.6.1.el5.ia64.rpm kernel-xen-devel-2.6.18-371.6.1.el5.ia64.rpm noarch: kernel-doc-2.6.18-371.6.1.el5.noarch.rpm ppc: kernel-2.6.18-371.6.1.el5.ppc64.rpm kernel-debug-2.6.18-371.6.1.el5.ppc64.rpm kernel-debug-debuginfo-2.6.18-371.6.1.el5.ppc64.rpm kernel-debug-devel-2.6.18-371.6.1.el5.ppc64.rpm kernel-debuginfo-2.6.18-371.6.1.el5.ppc64.rpm kernel-debuginfo-common-2.6.18-371.6.1.el5.ppc64.rpm kernel-devel-2.6.18-371.6.1.el5.ppc64.rpm kernel-headers-2.6.18-371.6.1.el5.ppc.rpm kernel-headers-2.6.18-371.6.1.el5.ppc64.rpm kernel-kdump-2.6.18-371.6.1.el5.ppc64.rpm kernel-kdump-debuginfo-2.6.18-371.6.1.el5.ppc64.rpm kernel-kdump-devel-2.6.18-371.6.1.el5.ppc64.rpm s390x: kernel-2.6.18-371.6.1.el5.s390x.rpm kernel-debug-2.6.18-371.6.1.el5.s390x.rpm 
kernel-debug-debuginfo-2.6.18-371.6.1.el5.s390x.rpm kernel-debug-devel-2.6.18-371.6.1.el5.s390x.rpm kernel-debuginfo-2.6.18-371.6.1.el5.s390x.rpm kernel-debuginfo-common-2.6.18-371.6.1.el5.s390x.rpm kernel-devel-2.6.18-371.6.1.el5.s390x.rpm kernel-headers-2.6.18-371.6.1.el5.s390x.rpm kernel-kdump-2.6.18-371.6.1.el5.s390x.rpm kernel-kdump-debuginfo-2.6.18-371.6.1.el5.s390x.rpm kernel-kdump-devel-2.6.18-371.6.1.el5.s390x.rpm x86_64: kernel-2.6.18-371.6.1.el5.x86_64.rpm kernel-debug-2.6.18-371.6.1.el5.x86_64.rpm kernel-debug-debuginfo-2.6.18-371.6.1.el5.x86_64.rpm kernel-debug-devel-2.6.18-371.6.1.el5.x86_64.rpm kernel-debuginfo-2.6.18-371.6.1.el5.x86_64.rpm kernel-debuginfo-common-2.6.18-371.6.1.el5.x86_64.rpm kernel-devel-2.6.18-371.6.1.el5.x86_64.rpm kernel-headers-2.6.18-371.6.1.el5.x86_64.rpm kernel-xen-2.6.18-371.6.1.el5.x86_64.rpm kernel-xen-debuginfo-2.6.18-371.6.1.el5.x86_64.rpm kernel-xen-devel-2.6.18-371.6.1.el5.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2013-2929.html https://www.redhat.com/security/data/cve/CVE-2013-4483.html https://www.redhat.com/security/data/cve/CVE-2013-4554.html https://www.redhat.com/security/data/cve/CVE-2013-6381.html https://www.redhat.com/security/data/cve/CVE-2013-6383.html https://www.redhat.com/security/data/cve/CVE-2013-6885.html https://www.redhat.com/security/data/cve/CVE-2013-7263.html https://access.redhat.com/security/updates/classification/#important http://support.amd.com/TechDocs/51810_16h_00h-0Fh_Rev_Guide.pdf https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/5.10_Technical_Notes/kernel.html 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2014 Red Hat, Inc. 
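The stack-memory leak described under CVE-2013-7263 in the kernel advisory above comes down to a handler that reports an address length covering bytes it never wrote, and a copy-out path that trusts that length. The C program below is an added illustration of that pattern, not code from the Linux kernel or from this advisory: `struct toy_addr_in`, `union addr_storage`, the two fill handlers and the 0xAA marker byte are all constructed for the example. It models a sockaddr_in-shaped address with trailing pad bytes, pre-fills the storage with a marker standing in for stale stack contents, and compares a handler that sets only the named fields with one that zeroes the whole storage first.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for sizeof(struct sockaddr_storage). */
#define ADDR_STORAGE 128

/* Constructed, modelled on struct sockaddr_in: the pad[] bytes are part of
 * the reported address length but are never assigned by a handler that
 * sets fields one at a time. */
struct toy_addr_in {
    uint16_t family;
    uint16_t port;
    uint32_t addr;
    uint8_t  pad[8];
};

/* The kernel-side buffer the address is built in. The union keeps the
 * struct view and the byte view aligned and lets us inspect raw bytes. */
union addr_storage {
    struct toy_addr_in in;
    unsigned char raw[ADDR_STORAGE];
};

/* Unsafe shape: assigns the meaningful fields and reports the full struct
 * length, so pad[] keeps whatever the storage held before the call. */
void fill_addr_unsafe(union addr_storage *s, size_t *addr_len)
{
    s->in.family = 2;            /* AF_INET-like marker value */
    s->in.port   = 53;
    s->in.addr   = 0x7f000001u;  /* 127.0.0.1 as a host-order integer */
    *addr_len = sizeof(s->in);
}

/* Hardened shape: clear the whole storage before filling, so every byte
 * inside the reported addr_len is initialised. */
void fill_addr_safe(union addr_storage *s, size_t *addr_len)
{
    memset(s->raw, 0, sizeof(s->raw));
    s->in.family = 2;
    s->in.port   = 53;
    s->in.addr   = 0x7f000001u;
    *addr_len = sizeof(s->in);
}

/* The copy to the caller is bounded by both the reported address length
 * and the caller's buffer; it returns the number of bytes copied. */
size_t copy_addr_out(unsigned char *user, size_t user_len,
                     const union addr_storage *s, size_t addr_len)
{
    size_t n = addr_len < user_len ? addr_len : user_len;
    memcpy(user, s->raw, n);
    return n;
}

/* Simulate the leak: pre-fill the storage with a marker byte (standing in
 * for stale stack data), run the chosen handler, copy the address out and
 * count marker bytes that reached the caller. */
size_t stale_bytes_leaked(int hardened)
{
    union addr_storage s;
    unsigned char user[ADDR_STORAGE];
    size_t addr_len = 0, n, leaked = 0;

    memset(s.raw, 0xAA, sizeof(s.raw));
    if (hardened)
        fill_addr_safe(&s, &addr_len);
    else
        fill_addr_unsafe(&s, &addr_len);

    n = copy_addr_out(user, sizeof(user), &s, addr_len);
    for (size_t i = 0; i < n; i++)
        if (user[i] == 0xAA)
            leaked++;
    return leaked;   /* unsafe handler: 8 (the pad bytes); hardened: 0 */
}
```

The count of leaked marker bytes equals the size of `pad[]`: the named fields are overwritten in both variants, so the only difference between the two handlers is whether the bytes the handler did not touch are cleared before the length is reported.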
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFTIKllXlSAg2UNWIIRAoE1AKCRsqWRFKokDuMlc5DqDHLfNVvA/wCdHDXK
1A1C4EUJs9uMy4iYcWc1OjI=
=ND0O
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Mar 12 18:38:54 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 12 Mar 2014 18:38:54 +0000
Subject: [RHSA-2014:0288-01] Important: gnutls security update
Message-ID: <201403121838.s2CIcsJJ019294@int-mx12.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Important: gnutls security update
Advisory ID: RHSA-2014:0288-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-0288.html
Issue date: 2014-03-12
CVE Names: CVE-2014-0092
=====================================================================

1. Summary:

Updated gnutls packages that fix one security issue are now available for Red Hat Enterprise Linux 4 Extended Life Cycle Support, Red Hat Enterprise Linux 5.3, 5.6 and 6.2 Long Life, and Red Hat Enterprise Linux 5.9, 6.3 and 6.4 Extended Update Support.

The Red Hat Security Response Team has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS (v. 4 ELS) - i386, ia64, x86_64
Red Hat Enterprise Linux AUS (v. 6.2 server) - x86_64
Red Hat Enterprise Linux Compute Node EUS (v. 6.3) - x86_64
Red Hat Enterprise Linux Compute Node Optional EUS (v. 6.3) - x86_64
Red Hat Enterprise Linux Compute Node Optional EUS (v. 6.4) - x86_64
Red Hat Enterprise Linux ES (v. 4 ELS) - i386, x86_64
Red Hat Enterprise Linux EUS (v. 5.9 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux HPC Node EUS (v. 6.4) - x86_64
Red Hat Enterprise Linux LL (v. 5.6 server) - i386, ia64, x86_64
Red Hat Enterprise Linux Long Life (v. 5.3 server) - i386, ia64, x86_64
Red Hat Enterprise Linux Server EUS (v. 6.3) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server EUS (v. 6.4) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional AUS (v. 6.2) - x86_64
Red Hat Enterprise Linux Server Optional EUS (v. 6.3) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional EUS (v. 6.4) - i386, ppc64, s390x, x86_64

3. Description:

The GnuTLS library provides support for cryptographic algorithms and for protocols such as Transport Layer Security (TLS).

It was discovered that GnuTLS did not correctly handle certain errors that could occur during the verification of an X.509 certificate, causing it to incorrectly report a successful verification. An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid for a site chosen by the attacker. (CVE-2014-0092)

This issue was discovered by Nikos Mavrogiannopoulos of the Red Hat Security Technologies Team.

Users of GnuTLS are advised to upgrade to these updated packages, which correct this issue. For the update to take effect, all applications linked to the GnuTLS library must be restarted.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1069865 - CVE-2014-0092 gnutls: incorrect error handling in certificate verification (GNUTLS-SA-2014-2)

6. Package List:

Red Hat Enterprise Linux AS (v. 4 ELS):
Source: gnutls-1.0.20-5.el4.src.rpm
i386: gnutls-1.0.20-5.el4.i386.rpm gnutls-debuginfo-1.0.20-5.el4.i386.rpm gnutls-devel-1.0.20-5.el4.i386.rpm
ia64: gnutls-1.0.20-5.el4.i386.rpm gnutls-1.0.20-5.el4.ia64.rpm gnutls-debuginfo-1.0.20-5.el4.i386.rpm gnutls-debuginfo-1.0.20-5.el4.ia64.rpm gnutls-devel-1.0.20-5.el4.ia64.rpm
x86_64: gnutls-1.0.20-5.el4.i386.rpm gnutls-1.0.20-5.el4.x86_64.rpm gnutls-debuginfo-1.0.20-5.el4.i386.rpm gnutls-debuginfo-1.0.20-5.el4.x86_64.rpm gnutls-devel-1.0.20-5.el4.x86_64.rpm

Red Hat Enterprise Linux ES (v. 4 ELS):
Source: gnutls-1.0.20-5.el4.src.rpm
i386: gnutls-1.0.20-5.el4.i386.rpm gnutls-debuginfo-1.0.20-5.el4.i386.rpm gnutls-devel-1.0.20-5.el4.i386.rpm
x86_64: gnutls-1.0.20-5.el4.i386.rpm gnutls-1.0.20-5.el4.x86_64.rpm gnutls-debuginfo-1.0.20-5.el4.i386.rpm gnutls-debuginfo-1.0.20-5.el4.x86_64.rpm gnutls-devel-1.0.20-5.el4.x86_64.rpm

Red Hat Enterprise Linux Long Life (v. 5.3 server):
Source: gnutls-1.4.1-3.el5_3.6.src.rpm
i386: gnutls-1.4.1-3.el5_3.6.i386.rpm gnutls-debuginfo-1.4.1-3.el5_3.6.i386.rpm gnutls-devel-1.4.1-3.el5_3.6.i386.rpm gnutls-utils-1.4.1-3.el5_3.6.i386.rpm
ia64: gnutls-1.4.1-3.el5_3.6.i386.rpm gnutls-1.4.1-3.el5_3.6.ia64.rpm gnutls-debuginfo-1.4.1-3.el5_3.6.i386.rpm gnutls-debuginfo-1.4.1-3.el5_3.6.ia64.rpm gnutls-devel-1.4.1-3.el5_3.6.ia64.rpm gnutls-utils-1.4.1-3.el5_3.6.ia64.rpm
x86_64: gnutls-1.4.1-3.el5_3.6.i386.rpm gnutls-1.4.1-3.el5_3.6.x86_64.rpm gnutls-debuginfo-1.4.1-3.el5_3.6.i386.rpm gnutls-debuginfo-1.4.1-3.el5_3.6.x86_64.rpm gnutls-devel-1.4.1-3.el5_3.6.i386.rpm gnutls-devel-1.4.1-3.el5_3.6.x86_64.rpm gnutls-utils-1.4.1-3.el5_3.6.x86_64.rpm

Red Hat Enterprise Linux LL (v. 5.6 server):
Source: gnutls-1.4.1-7.el5_6.1.src.rpm
i386: gnutls-1.4.1-7.el5_6.1.i386.rpm gnutls-debuginfo-1.4.1-7.el5_6.1.i386.rpm gnutls-devel-1.4.1-7.el5_6.1.i386.rpm gnutls-utils-1.4.1-7.el5_6.1.i386.rpm
ia64: gnutls-1.4.1-7.el5_6.1.i386.rpm gnutls-1.4.1-7.el5_6.1.ia64.rpm gnutls-debuginfo-1.4.1-7.el5_6.1.i386.rpm gnutls-debuginfo-1.4.1-7.el5_6.1.ia64.rpm gnutls-devel-1.4.1-7.el5_6.1.ia64.rpm gnutls-utils-1.4.1-7.el5_6.1.ia64.rpm
x86_64: gnutls-1.4.1-7.el5_6.1.i386.rpm gnutls-1.4.1-7.el5_6.1.x86_64.rpm gnutls-debuginfo-1.4.1-7.el5_6.1.i386.rpm gnutls-debuginfo-1.4.1-7.el5_6.1.x86_64.rpm gnutls-devel-1.4.1-7.el5_6.1.i386.rpm gnutls-devel-1.4.1-7.el5_6.1.x86_64.rpm gnutls-utils-1.4.1-7.el5_6.1.x86_64.rpm

Red Hat Enterprise Linux EUS (v. 5.9 server):
Source: gnutls-1.4.1-10.el5_9.3.src.rpm
i386: gnutls-1.4.1-10.el5_9.3.i386.rpm gnutls-debuginfo-1.4.1-10.el5_9.3.i386.rpm gnutls-devel-1.4.1-10.el5_9.3.i386.rpm gnutls-utils-1.4.1-10.el5_9.3.i386.rpm
ia64: gnutls-1.4.1-10.el5_9.3.i386.rpm gnutls-1.4.1-10.el5_9.3.ia64.rpm gnutls-debuginfo-1.4.1-10.el5_9.3.i386.rpm gnutls-debuginfo-1.4.1-10.el5_9.3.ia64.rpm gnutls-devel-1.4.1-10.el5_9.3.ia64.rpm gnutls-utils-1.4.1-10.el5_9.3.ia64.rpm
ppc: gnutls-1.4.1-10.el5_9.3.ppc.rpm gnutls-1.4.1-10.el5_9.3.ppc64.rpm gnutls-debuginfo-1.4.1-10.el5_9.3.ppc.rpm gnutls-debuginfo-1.4.1-10.el5_9.3.ppc64.rpm gnutls-devel-1.4.1-10.el5_9.3.ppc.rpm gnutls-devel-1.4.1-10.el5_9.3.ppc64.rpm gnutls-utils-1.4.1-10.el5_9.3.ppc.rpm
s390x: gnutls-1.4.1-10.el5_9.3.s390.rpm gnutls-1.4.1-10.el5_9.3.s390x.rpm gnutls-debuginfo-1.4.1-10.el5_9.3.s390.rpm gnutls-debuginfo-1.4.1-10.el5_9.3.s390x.rpm gnutls-devel-1.4.1-10.el5_9.3.s390.rpm gnutls-devel-1.4.1-10.el5_9.3.s390x.rpm gnutls-utils-1.4.1-10.el5_9.3.s390x.rpm
x86_64: gnutls-1.4.1-10.el5_9.3.i386.rpm gnutls-1.4.1-10.el5_9.3.x86_64.rpm gnutls-debuginfo-1.4.1-10.el5_9.3.i386.rpm gnutls-debuginfo-1.4.1-10.el5_9.3.x86_64.rpm gnutls-devel-1.4.1-10.el5_9.3.i386.rpm gnutls-devel-1.4.1-10.el5_9.3.x86_64.rpm gnutls-utils-1.4.1-10.el5_9.3.x86_64.rpm

Red Hat Enterprise Linux Compute Node EUS (v. 6.3):
Source: gnutls-2.8.5-7.el6_3.2.src.rpm
x86_64: gnutls-2.8.5-7.el6_3.2.i686.rpm gnutls-2.8.5-7.el6_3.2.x86_64.rpm gnutls-debuginfo-2.8.5-7.el6_3.2.i686.rpm gnutls-debuginfo-2.8.5-7.el6_3.2.x86_64.rpm gnutls-utils-2.8.5-7.el6_3.2.x86_64.rpm

Red Hat Enterprise Linux HPC Node EUS (v. 6.4):
Source: gnutls-2.8.5-10.el6_4.3.src.rpm
x86_64: gnutls-2.8.5-10.el6_4.3.i686.rpm gnutls-2.8.5-10.el6_4.3.x86_64.rpm gnutls-debuginfo-2.8.5-10.el6_4.3.i686.rpm gnutls-debuginfo-2.8.5-10.el6_4.3.x86_64.rpm gnutls-utils-2.8.5-10.el6_4.3.x86_64.rpm

Red Hat Enterprise Linux Compute Node Optional EUS (v. 6.3):
Source: gnutls-2.8.5-7.el6_3.2.src.rpm
x86_64: gnutls-debuginfo-2.8.5-7.el6_3.2.i686.rpm gnutls-debuginfo-2.8.5-7.el6_3.2.x86_64.rpm gnutls-devel-2.8.5-7.el6_3.2.i686.rpm gnutls-devel-2.8.5-7.el6_3.2.x86_64.rpm gnutls-guile-2.8.5-7.el6_3.2.i686.rpm gnutls-guile-2.8.5-7.el6_3.2.x86_64.rpm

Red Hat Enterprise Linux Compute Node Optional EUS (v. 6.4):
Source: gnutls-2.8.5-10.el6_4.3.src.rpm
x86_64: gnutls-debuginfo-2.8.5-10.el6_4.3.i686.rpm gnutls-debuginfo-2.8.5-10.el6_4.3.x86_64.rpm gnutls-devel-2.8.5-10.el6_4.3.i686.rpm gnutls-devel-2.8.5-10.el6_4.3.x86_64.rpm gnutls-guile-2.8.5-10.el6_4.3.i686.rpm gnutls-guile-2.8.5-10.el6_4.3.x86_64.rpm

Red Hat Enterprise Linux AUS (v. 6.2 server):
Source: gnutls-2.8.5-4.el6_2.3.src.rpm
x86_64: gnutls-2.8.5-4.el6_2.3.i686.rpm gnutls-2.8.5-4.el6_2.3.x86_64.rpm gnutls-debuginfo-2.8.5-4.el6_2.3.i686.rpm gnutls-debuginfo-2.8.5-4.el6_2.3.x86_64.rpm gnutls-devel-2.8.5-4.el6_2.3.i686.rpm gnutls-devel-2.8.5-4.el6_2.3.x86_64.rpm gnutls-utils-2.8.5-4.el6_2.3.x86_64.rpm

Red Hat Enterprise Linux Server EUS (v. 6.3):
Source: gnutls-2.8.5-7.el6_3.2.src.rpm
i386: gnutls-2.8.5-7.el6_3.2.i686.rpm gnutls-debuginfo-2.8.5-7.el6_3.2.i686.rpm gnutls-devel-2.8.5-7.el6_3.2.i686.rpm gnutls-utils-2.8.5-7.el6_3.2.i686.rpm
ppc64: gnutls-2.8.5-7.el6_3.2.ppc.rpm gnutls-2.8.5-7.el6_3.2.ppc64.rpm gnutls-debuginfo-2.8.5-7.el6_3.2.ppc.rpm gnutls-debuginfo-2.8.5-7.el6_3.2.ppc64.rpm gnutls-devel-2.8.5-7.el6_3.2.ppc.rpm gnutls-devel-2.8.5-7.el6_3.2.ppc64.rpm gnutls-utils-2.8.5-7.el6_3.2.ppc64.rpm
s390x: gnutls-2.8.5-7.el6_3.2.s390.rpm gnutls-2.8.5-7.el6_3.2.s390x.rpm gnutls-debuginfo-2.8.5-7.el6_3.2.s390.rpm gnutls-debuginfo-2.8.5-7.el6_3.2.s390x.rpm gnutls-devel-2.8.5-7.el6_3.2.s390.rpm gnutls-devel-2.8.5-7.el6_3.2.s390x.rpm gnutls-utils-2.8.5-7.el6_3.2.s390x.rpm
x86_64: gnutls-2.8.5-7.el6_3.2.i686.rpm gnutls-2.8.5-7.el6_3.2.x86_64.rpm gnutls-debuginfo-2.8.5-7.el6_3.2.i686.rpm gnutls-debuginfo-2.8.5-7.el6_3.2.x86_64.rpm gnutls-devel-2.8.5-7.el6_3.2.i686.rpm gnutls-devel-2.8.5-7.el6_3.2.x86_64.rpm gnutls-utils-2.8.5-7.el6_3.2.x86_64.rpm

Red Hat Enterprise Linux Server EUS (v. 6.4):
Source: gnutls-2.8.5-10.el6_4.3.src.rpm
i386: gnutls-2.8.5-10.el6_4.3.i686.rpm gnutls-debuginfo-2.8.5-10.el6_4.3.i686.rpm gnutls-devel-2.8.5-10.el6_4.3.i686.rpm gnutls-utils-2.8.5-10.el6_4.3.i686.rpm
ppc64: gnutls-2.8.5-10.el6_4.3.ppc.rpm gnutls-2.8.5-10.el6_4.3.ppc64.rpm gnutls-debuginfo-2.8.5-10.el6_4.3.ppc.rpm gnutls-debuginfo-2.8.5-10.el6_4.3.ppc64.rpm gnutls-devel-2.8.5-10.el6_4.3.ppc.rpm gnutls-devel-2.8.5-10.el6_4.3.ppc64.rpm gnutls-utils-2.8.5-10.el6_4.3.ppc64.rpm
s390x: gnutls-2.8.5-10.el6_4.3.s390.rpm gnutls-2.8.5-10.el6_4.3.s390x.rpm gnutls-debuginfo-2.8.5-10.el6_4.3.s390.rpm gnutls-debuginfo-2.8.5-10.el6_4.3.s390x.rpm gnutls-devel-2.8.5-10.el6_4.3.s390.rpm gnutls-devel-2.8.5-10.el6_4.3.s390x.rpm gnutls-utils-2.8.5-10.el6_4.3.s390x.rpm
x86_64: gnutls-2.8.5-10.el6_4.3.i686.rpm gnutls-2.8.5-10.el6_4.3.x86_64.rpm gnutls-debuginfo-2.8.5-10.el6_4.3.i686.rpm gnutls-debuginfo-2.8.5-10.el6_4.3.x86_64.rpm gnutls-devel-2.8.5-10.el6_4.3.i686.rpm gnutls-devel-2.8.5-10.el6_4.3.x86_64.rpm gnutls-utils-2.8.5-10.el6_4.3.x86_64.rpm

Red Hat Enterprise Linux Server Optional AUS (v. 6.2):
Source: gnutls-2.8.5-4.el6_2.3.src.rpm
x86_64: gnutls-debuginfo-2.8.5-4.el6_2.3.i686.rpm gnutls-debuginfo-2.8.5-4.el6_2.3.x86_64.rpm gnutls-guile-2.8.5-4.el6_2.3.i686.rpm gnutls-guile-2.8.5-4.el6_2.3.x86_64.rpm

Red Hat Enterprise Linux Server Optional EUS (v. 6.3):
Source: gnutls-2.8.5-7.el6_3.2.src.rpm
i386: gnutls-debuginfo-2.8.5-7.el6_3.2.i686.rpm gnutls-guile-2.8.5-7.el6_3.2.i686.rpm
ppc64: gnutls-debuginfo-2.8.5-7.el6_3.2.ppc.rpm gnutls-debuginfo-2.8.5-7.el6_3.2.ppc64.rpm gnutls-guile-2.8.5-7.el6_3.2.ppc.rpm gnutls-guile-2.8.5-7.el6_3.2.ppc64.rpm
s390x: gnutls-debuginfo-2.8.5-7.el6_3.2.s390.rpm gnutls-debuginfo-2.8.5-7.el6_3.2.s390x.rpm gnutls-guile-2.8.5-7.el6_3.2.s390.rpm gnutls-guile-2.8.5-7.el6_3.2.s390x.rpm
x86_64: gnutls-debuginfo-2.8.5-7.el6_3.2.i686.rpm gnutls-debuginfo-2.8.5-7.el6_3.2.x86_64.rpm gnutls-guile-2.8.5-7.el6_3.2.i686.rpm gnutls-guile-2.8.5-7.el6_3.2.x86_64.rpm

Red Hat Enterprise Linux Server Optional EUS (v. 6.4):
Source: gnutls-2.8.5-10.el6_4.3.src.rpm
i386: gnutls-debuginfo-2.8.5-10.el6_4.3.i686.rpm gnutls-guile-2.8.5-10.el6_4.3.i686.rpm
ppc64: gnutls-debuginfo-2.8.5-10.el6_4.3.ppc.rpm gnutls-debuginfo-2.8.5-10.el6_4.3.ppc64.rpm gnutls-guile-2.8.5-10.el6_4.3.ppc.rpm gnutls-guile-2.8.5-10.el6_4.3.ppc64.rpm
s390x: gnutls-debuginfo-2.8.5-10.el6_4.3.s390.rpm gnutls-debuginfo-2.8.5-10.el6_4.3.s390x.rpm gnutls-guile-2.8.5-10.el6_4.3.s390.rpm gnutls-guile-2.8.5-10.el6_4.3.s390x.rpm
x86_64: gnutls-debuginfo-2.8.5-10.el6_4.3.i686.rpm gnutls-debuginfo-2.8.5-10.el6_4.3.x86_64.rpm gnutls-guile-2.8.5-10.el6_4.3.i686.rpm gnutls-guile-2.8.5-10.el6_4.3.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2014-0092.html
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
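The failure mode behind CVE-2014-0092 in the gnutls advisory above, an error during certificate verification being reported as a successful verification, is an instance of a well-known C error-handling bug: a single `int` carries both a negative error code and a 0/1 verdict, so an early exit on error hands the caller a non-zero value that a "not zero means accepted" test treats as success. The C program below is an added example of that shape and its fix, not GnuTLS source: `struct cert`, `check_if_ca_buggy`, `check_if_ca_fixed`, `issuer_accepted` and the error-code names are constructed for this illustration.

```c
#include <stddef.h>

/* Error codes in the style of a C TLS library: 0 is success, negative values
 * are errors. Constructed names for this example. */
#define ERR_NO_SIGNED_DATA  (-1)
#define ERR_BAD_SIGNATURE   (-2)

/* Toy certificate/issuer pair: only the facts a CA check looks at. */
struct cert {
    int signed_data_ok;   /* could the to-be-signed data be extracted? */
    int signature_ok;     /* does the signature verify under the issuer key? */
    int issuer_is_ca;     /* does the issuer carry the CA flag? */
};

/* Buggy shape: 'result' is reused as error code and as boolean verdict.
 * An early error jumps to cleanup while 'result' is still NEGATIVE, and the
 * caller below reads any non-zero value as "verified". */
int check_if_ca_buggy(const struct cert *c)
{
    int result = 0;
    if (!c->signed_data_ok) { result = ERR_NO_SIGNED_DATA; goto cleanup; }
    if (!c->signature_ok)   { result = ERR_BAD_SIGNATURE;  goto cleanup; }
    result = c->issuer_is_ca ? 1 : 0;
cleanup:
    return result;
}

/* Fixed shape: every error path lands on 'fail', which forces the verdict to
 * 0 before the shared cleanup. The function now returns a strict boolean, so
 * an internal error can never be mistaken for a positive verdict. */
int check_if_ca_fixed(const struct cert *c)
{
    int result = 0;
    if (!c->signed_data_ok) goto fail;
    if (!c->signature_ok)   goto fail;
    result = c->issuer_is_ca ? 1 : 0;
    goto cleanup;
fail:
    result = 0;
cleanup:
    return result;
}

/* Caller written the way chain-verification code commonly is: only an exact 0
 * rejects the issuer. Paired with the buggy checker, an error code passes.
 * Returns 1 if the issuer is accepted, 0 if rejected. */
int issuer_accepted(int (*check)(const struct cert *), const struct cert *c)
{
    if (check(c) == 0)
        return 0;
    return 1;
}
```

The buggy variant returns `ERR_NO_SIGNED_DATA` for a certificate whose signed data cannot be extracted, and `issuer_accepted` then treats that issuer as a valid CA; the fixed variant returns 0 on the same input. Keeping the verdict strictly boolean in the callee is the robust fix, because it does not depend on every caller remembering to compare against exactly 1.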
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFTIKmqXlSAg2UNWIIRAutDAKCNydvqHnaoXqAdNf0FPtkTPM/fCQCfY4O9
riUhNR+w8ykPQO2EPk7RXvc=
=p7bC
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Mar 12 18:39:52 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 12 Mar 2014 18:39:52 +0000
Subject: [RHSA-2014:0289-01] Moderate: flash-plugin security update
Message-ID: <201403121839.s2CIdrqU026881@int-mx09.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: flash-plugin security update
Advisory ID: RHSA-2014:0289-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-0289.html
Issue date: 2014-03-12
CVE Names: CVE-2014-0503 CVE-2014-0504
=====================================================================

1. Summary:

An updated Adobe Flash Player package that fixes two security issues is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.

The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64

3. Description:

The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in.

This update fixes two vulnerabilities in Adobe Flash Player. These vulnerabilities are detailed in the Adobe Security bulletin APSB14-08, listed in the References section.

A vulnerability was reported that could be used to bypass the same origin policy. (CVE-2014-0503)

A vulnerability was reported that could be used to read the contents of the clipboard. (CVE-2014-0504)

All users of Adobe Flash Player should install this updated package, which upgrades Flash Player to version 11.2.202.346.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1075250 - CVE-2014-0503 flash-plugin: same origin policy bypass (APSB14-08)
1075252 - CVE-2014-0504 flash-plugin: exposure of clipboard contents (APSB14-08)

6. Package List:

Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386: flash-plugin-11.2.202.346-1.el5.i386.rpm
x86_64: flash-plugin-11.2.202.346-1.el5.i386.rpm

Red Hat Enterprise Linux Server Supplementary (v. 5):
i386: flash-plugin-11.2.202.346-1.el5.i386.rpm
x86_64: flash-plugin-11.2.202.346-1.el5.i386.rpm

Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386: flash-plugin-11.2.202.346-1.el6.i686.rpm
x86_64: flash-plugin-11.2.202.346-1.el6.i686.rpm

Red Hat Enterprise Linux Server Supplementary (v. 6):
i386: flash-plugin-11.2.202.346-1.el6.i686.rpm
x86_64: flash-plugin-11.2.202.346-1.el6.i686.rpm

Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386: flash-plugin-11.2.202.346-1.el6.i686.rpm
x86_64: flash-plugin-11.2.202.346-1.el6.i686.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2014-0503.html
https://www.redhat.com/security/data/cve/CVE-2014-0504.html
https://access.redhat.com/security/updates/classification/#moderate
https://helpx.adobe.com/security/products/flash-player/apsb14-08.html

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFTIKnTXlSAg2UNWIIRAg/aAKCtaoCjpv2r5cXe4KVmdPVFeLAcdwCdHrIo
76ZW0zH9apL6Fc7u/Gx+QEc=
=XmOy
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Mar 13 19:32:17 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 13 Mar 2014 19:32:17 +0000
Subject: [RHSA-2014:0292-01] Important: 389-ds-base security update
Message-ID: <201403131932.s2DJWHYT006648@int-mx10.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Important: 389-ds-base security update
Advisory ID: RHSA-2014:0292-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-0292.html
Issue date: 2014-03-13
CVE Names: CVE-2014-0132
=====================================================================

1. Summary:

Updated 389-ds-base packages that fix one security issue are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64

3. Description:

The 389 Directory Server is an LDAPv3 compliant server. The base packages include the Lightweight Directory Access Protocol (LDAP) server and command-line utilities for server administration.

It was discovered that the 389 Directory Server did not properly handle certain SASL-based authentication mechanisms. A user able to authenticate to the directory using these SASL mechanisms could connect as any other directory user, including the administrative Directory Manager account. This could allow them to modify configuration values, as well as read and write any data the directory holds. (CVE-2014-0132)

All 389-ds-base users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing this update, the 389 server service will be restarted automatically.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1074845 - CVE-2014-0132 389-ds: flaw in parsing authzid can lead to privilege escalation

6. Package List:

Red Hat Enterprise Linux Desktop Optional (v. 6):
Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/389-ds-base-1.2.11.15-32.el6_5.src.rpm
i386: 389-ds-base-1.2.11.15-32.el6_5.i686.rpm 389-ds-base-debuginfo-1.2.11.15-32.el6_5.i686.rpm 389-ds-base-devel-1.2.11.15-32.el6_5.i686.rpm 389-ds-base-libs-1.2.11.15-32.el6_5.i686.rpm
x86_64: 389-ds-base-1.2.11.15-32.el6_5.x86_64.rpm 389-ds-base-debuginfo-1.2.11.15-32.el6_5.i686.rpm 389-ds-base-debuginfo-1.2.11.15-32.el6_5.x86_64.rpm 389-ds-base-devel-1.2.11.15-32.el6_5.i686.rpm 389-ds-base-devel-1.2.11.15-32.el6_5.x86_64.rpm 389-ds-base-libs-1.2.11.15-32.el6_5.i686.rpm 389-ds-base-libs-1.2.11.15-32.el6_5.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):
Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/389-ds-base-1.2.11.15-32.el6_5.src.rpm
x86_64: 389-ds-base-1.2.11.15-32.el6_5.x86_64.rpm 389-ds-base-debuginfo-1.2.11.15-32.el6_5.i686.rpm 389-ds-base-debuginfo-1.2.11.15-32.el6_5.x86_64.rpm 389-ds-base-devel-1.2.11.15-32.el6_5.i686.rpm 389-ds-base-devel-1.2.11.15-32.el6_5.x86_64.rpm 389-ds-base-libs-1.2.11.15-32.el6_5.i686.rpm 389-ds-base-libs-1.2.11.15-32.el6_5.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):
Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/389-ds-base-1.2.11.15-32.el6_5.src.rpm
i386: 389-ds-base-1.2.11.15-32.el6_5.i686.rpm 389-ds-base-debuginfo-1.2.11.15-32.el6_5.i686.rpm 389-ds-base-libs-1.2.11.15-32.el6_5.i686.rpm
x86_64: 389-ds-base-1.2.11.15-32.el6_5.x86_64.rpm 389-ds-base-debuginfo-1.2.11.15-32.el6_5.i686.rpm 389-ds-base-debuginfo-1.2.11.15-32.el6_5.x86_64.rpm 389-ds-base-libs-1.2.11.15-32.el6_5.i686.rpm 389-ds-base-libs-1.2.11.15-32.el6_5.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):
Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/389-ds-base-1.2.11.15-32.el6_5.src.rpm
i386: 389-ds-base-debuginfo-1.2.11.15-32.el6_5.i686.rpm 389-ds-base-devel-1.2.11.15-32.el6_5.i686.rpm
x86_64: 389-ds-base-debuginfo-1.2.11.15-32.el6_5.i686.rpm 389-ds-base-debuginfo-1.2.11.15-32.el6_5.x86_64.rpm 389-ds-base-devel-1.2.11.15-32.el6_5.i686.rpm 389-ds-base-devel-1.2.11.15-32.el6_5.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):
Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/389-ds-base-1.2.11.15-32.el6_5.src.rpm
i386: 389-ds-base-1.2.11.15-32.el6_5.i686.rpm 389-ds-base-debuginfo-1.2.11.15-32.el6_5.i686.rpm 389-ds-base-libs-1.2.11.15-32.el6_5.i686.rpm
x86_64: 389-ds-base-1.2.11.15-32.el6_5.x86_64.rpm 389-ds-base-debuginfo-1.2.11.15-32.el6_5.i686.rpm 389-ds-base-debuginfo-1.2.11.15-32.el6_5.x86_64.rpm 389-ds-base-libs-1.2.11.15-32.el6_5.i686.rpm 389-ds-base-libs-1.2.11.15-32.el6_5.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 6):
Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/389-ds-base-1.2.11.15-32.el6_5.src.rpm
i386: 389-ds-base-debuginfo-1.2.11.15-32.el6_5.i686.rpm 389-ds-base-devel-1.2.11.15-32.el6_5.i686.rpm
x86_64: 389-ds-base-debuginfo-1.2.11.15-32.el6_5.i686.rpm 389-ds-base-debuginfo-1.2.11.15-32.el6_5.x86_64.rpm 389-ds-base-devel-1.2.11.15-32.el6_5.i686.rpm 389-ds-base-devel-1.2.11.15-32.el6_5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2014-0132.html
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
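The SASL flaw in the 389-ds-base advisory above (CVE-2014-0132, "flaw in parsing authzid") sits at the point where a server maps the authorization identity a client asks for onto the directory identity the connection will act as. The C program below is an added example of the check a directory server has to make at that point, not 389 Directory Server code: `resolve_sasl_identity`, `struct proxy_grant`, `struct bind_result`, the `dn:`-only parsing and the example DNs are all constructed here. It honours an absent authzid, an authzid equal to the authenticated identity, or one covered by an explicit proxy grant, and rejects everything else, including forms it cannot parse, rather than mapping them to another user.

```c
#include <stddef.h>
#include <string.h>

/* An explicit proxy-authorization grant: 'authcid' may act as 'authzid'.
 * Constructed for this example; a real server keeps this in its ACI/ACL. */
struct proxy_grant {
    const char *authcid;
    const char *authzid;
};

/* Outcome of resolving a SASL bind to a directory identity. */
struct bind_result {
    int ok;                    /* 1 = bind accepted, 0 = rejected */
    const char *effective_dn;  /* identity the connection acts as, NULL if rejected */
};

/* Strip the "dn:" prefix SASL uses for an authorization identity given as a
 * DN. Returns NULL for every other form (empty, "u:" user names, unknown
 * prefixes): this example supports DN-form authzids only. Unparsable input
 * must be rejected by the caller, never mapped to a default identity. */
static const char *authzid_to_dn(const char *authzid)
{
    if (authzid == NULL || *authzid == '\0')
        return NULL;
    if (strncmp(authzid, "dn:", 3) == 0 && authzid[3] != '\0')
        return authzid + 3;
    return NULL;
}

/* authcid: the identity the SASL mechanism actually proved.
 * authzid: the optional identity the client asked to act as (may be NULL). */
struct bind_result resolve_sasl_identity(const char *authcid,
                                         const char *authzid,
                                         const struct proxy_grant *grants,
                                         size_t ngrants)
{
    struct bind_result r = {0, NULL};

    if (authcid == NULL || *authcid == '\0')
        return r;   /* nothing was proved: cannot bind at all */

    /* No authzid requested: the connection acts as the authenticated user. */
    if (authzid == NULL || *authzid == '\0') {
        r.ok = 1; r.effective_dn = authcid;
        return r;
    }

    const char *requested = authzid_to_dn(authzid);
    if (requested == NULL)
        return r;   /* unsupported or malformed authzid: reject, do not guess */

    /* Asking to be yourself is always allowed. (Exact string comparison here;
     * a real server compares normalised DNs.) */
    if (strcmp(requested, authcid) == 0) {
        r.ok = 1; r.effective_dn = authcid;
        return r;
    }

    /* Any other identity needs an explicit grant for this exact pair. */
    for (size_t i = 0; i < ngrants; i++) {
        if (strcmp(grants[i].authcid, authcid) == 0 &&
            strcmp(grants[i].authzid, requested) == 0) {
            r.ok = 1; r.effective_dn = grants[i].authzid;
            return r;
        }
    }
    return r;   /* authenticated, but not authorised to act as 'requested' */
}
```

The important property is the default: an ordinary user who authenticates and then requests `dn:cn=Directory Manager` gets a rejected bind, not a connection acting as the administrator, and the same holds for any authzid the parser does not understand.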
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD4DBQFTIgeLXlSAg2UNWIIRAiQoAKCJl9GtN1+2NvbeM0gtbIkouLAr0wCXamjL
tx1pywr9uPGMRd3AKa/WCw==
=Nnub
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Mar 13 19:33:06 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 13 Mar 2014 19:33:06 +0000
Subject: [RHSA-2014:0293-01] Important: udisks security update
Message-ID: <201403131933.s2DJX6lM028180@int-mx11.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: udisks security update
Advisory ID:       RHSA-2014:0293-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0293.html
Issue date:        2014-03-13
CVE Names:         CVE-2014-0004
=====================================================================

1. Summary:

Updated udisks packages that fix one security issue are now available for
Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having
Important security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, noarch, x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - noarch, x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, noarch, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, noarch, x86_64

3. Description:

The udisks package provides a daemon, a D-Bus API, and command line
utilities for managing disks and storage devices.

A stack-based buffer overflow flaw was found in the way udisks handled
files with long path names. A malicious, local user could use this flaw to
create a specially crafted directory structure that, when processed by the
udisks daemon, could lead to arbitrary code execution with the privileges
of the udisks daemon (root). (CVE-2014-0004)

This issue was discovered by Florian Weimer of the Red Hat Product Security
Team.

All udisks users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1049703 - CVE-2014-0004 udisks and udisks2: stack-based buffer overflow when handling long path names
1074964 - multilib conflicts for udisks-devel

6. Package List:

Red Hat Enterprise Linux Desktop (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/udisks-1.0.1-7.el6_5.src.rpm

i386:
udisks-1.0.1-7.el6_5.i686.rpm
udisks-debuginfo-1.0.1-7.el6_5.i686.rpm

x86_64:
udisks-1.0.1-7.el6_5.x86_64.rpm
udisks-debuginfo-1.0.1-7.el6_5.x86_64.rpm

Red Hat Enterprise Linux Desktop Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/udisks-1.0.1-7.el6_5.src.rpm

i386:
udisks-debuginfo-1.0.1-7.el6_5.i686.rpm
udisks-devel-1.0.1-7.el6_5.i686.rpm

noarch:
udisks-devel-docs-1.0.1-7.el6_5.noarch.rpm

x86_64:
udisks-debuginfo-1.0.1-7.el6_5.i686.rpm
udisks-debuginfo-1.0.1-7.el6_5.x86_64.rpm
udisks-devel-1.0.1-7.el6_5.i686.rpm
udisks-devel-1.0.1-7.el6_5.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/udisks-1.0.1-7.el6_5.src.rpm

noarch:
udisks-devel-docs-1.0.1-7.el6_5.noarch.rpm

x86_64:
udisks-1.0.1-7.el6_5.x86_64.rpm
udisks-debuginfo-1.0.1-7.el6_5.i686.rpm
udisks-debuginfo-1.0.1-7.el6_5.x86_64.rpm
udisks-devel-1.0.1-7.el6_5.i686.rpm
udisks-devel-1.0.1-7.el6_5.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/udisks-1.0.1-7.el6_5.src.rpm

i386:
udisks-1.0.1-7.el6_5.i686.rpm
udisks-debuginfo-1.0.1-7.el6_5.i686.rpm

ppc64:
udisks-1.0.1-7.el6_5.ppc64.rpm
udisks-debuginfo-1.0.1-7.el6_5.ppc64.rpm

s390x:
udisks-1.0.1-7.el6_5.s390x.rpm
udisks-debuginfo-1.0.1-7.el6_5.s390x.rpm

x86_64:
udisks-1.0.1-7.el6_5.x86_64.rpm
udisks-debuginfo-1.0.1-7.el6_5.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/udisks-1.0.1-7.el6_5.src.rpm

i386:
udisks-debuginfo-1.0.1-7.el6_5.i686.rpm
udisks-devel-1.0.1-7.el6_5.i686.rpm

noarch:
udisks-devel-docs-1.0.1-7.el6_5.noarch.rpm

ppc64:
udisks-debuginfo-1.0.1-7.el6_5.ppc.rpm
udisks-debuginfo-1.0.1-7.el6_5.ppc64.rpm
udisks-devel-1.0.1-7.el6_5.ppc.rpm
udisks-devel-1.0.1-7.el6_5.ppc64.rpm

s390x:
udisks-debuginfo-1.0.1-7.el6_5.s390.rpm
udisks-debuginfo-1.0.1-7.el6_5.s390x.rpm
udisks-devel-1.0.1-7.el6_5.s390.rpm
udisks-devel-1.0.1-7.el6_5.s390x.rpm

x86_64:
udisks-debuginfo-1.0.1-7.el6_5.i686.rpm
udisks-debuginfo-1.0.1-7.el6_5.x86_64.rpm
udisks-devel-1.0.1-7.el6_5.i686.rpm
udisks-devel-1.0.1-7.el6_5.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/udisks-1.0.1-7.el6_5.src.rpm

i386:
udisks-1.0.1-7.el6_5.i686.rpm
udisks-debuginfo-1.0.1-7.el6_5.i686.rpm

x86_64:
udisks-1.0.1-7.el6_5.x86_64.rpm
udisks-debuginfo-1.0.1-7.el6_5.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/udisks-1.0.1-7.el6_5.src.rpm

i386:
udisks-debuginfo-1.0.1-7.el6_5.i686.rpm
udisks-devel-1.0.1-7.el6_5.i686.rpm

noarch:
udisks-devel-docs-1.0.1-7.el6_5.noarch.rpm

x86_64:
udisks-debuginfo-1.0.1-7.el6_5.i686.rpm
udisks-debuginfo-1.0.1-7.el6_5.x86_64.rpm
udisks-devel-1.0.1-7.el6_5.i686.rpm
udisks-devel-1.0.1-7.el6_5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2014-0004.html
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFTIgfaXlSAg2UNWIIRAu2jAJ9eS0/gyawi+yuD5dNe0vjBDvp4awCcCztm
09zBIa5MnfTy92sWT3BeND0=
=jUCJ
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Mon Mar 17 17:49:48 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 17 Mar 2014 17:49:48 +0000
Subject: [RHSA-2014:0304-01] Important: mutt security update
Message-ID: <201403171749.s2HHnmKf015316@int-mx02.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: mutt security update
Advisory ID:       RHSA-2014:0304-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0304.html
Issue date:        2014-03-17
CVE Names:         CVE-2014-0467
=====================================================================

1. Summary:

An updated mutt package that fixes one security issue is now available for
Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having
Important security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64

3. Description:

Mutt is a text-mode mail user agent.

A heap-based buffer overflow flaw was found in the way mutt processed
certain email headers. A remote attacker could use this flaw to send an
email with specially crafted headers that, when processed, could cause mutt
to crash or, potentially, execute arbitrary code with the permissions of
the user running mutt. (CVE-2014-0467)

All mutt users are advised to upgrade to this updated package, which
contains a backported patch to correct this issue. All running instances of
mutt must be restarted for this update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1075860 - CVE-2014-0467 mutt: heap-based buffer overflow when parsing certain headers

6. Package List:

Red Hat Enterprise Linux Desktop (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/mutt-1.5.20-4.20091214hg736b6a.el6_5.src.rpm

i386:
mutt-1.5.20-4.20091214hg736b6a.el6_5.i686.rpm
mutt-debuginfo-1.5.20-4.20091214hg736b6a.el6_5.i686.rpm

x86_64:
mutt-1.5.20-4.20091214hg736b6a.el6_5.x86_64.rpm
mutt-debuginfo-1.5.20-4.20091214hg736b6a.el6_5.x86_64.rpm

Red Hat Enterprise Linux HPC Node (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/mutt-1.5.20-4.20091214hg736b6a.el6_5.src.rpm

x86_64:
mutt-1.5.20-4.20091214hg736b6a.el6_5.x86_64.rpm
mutt-debuginfo-1.5.20-4.20091214hg736b6a.el6_5.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/mutt-1.5.20-4.20091214hg736b6a.el6_5.src.rpm

i386:
mutt-1.5.20-4.20091214hg736b6a.el6_5.i686.rpm
mutt-debuginfo-1.5.20-4.20091214hg736b6a.el6_5.i686.rpm

ppc64:
mutt-1.5.20-4.20091214hg736b6a.el6_5.ppc64.rpm
mutt-debuginfo-1.5.20-4.20091214hg736b6a.el6_5.ppc64.rpm

s390x:
mutt-1.5.20-4.20091214hg736b6a.el6_5.s390x.rpm
mutt-debuginfo-1.5.20-4.20091214hg736b6a.el6_5.s390x.rpm

x86_64:
mutt-1.5.20-4.20091214hg736b6a.el6_5.x86_64.rpm
mutt-debuginfo-1.5.20-4.20091214hg736b6a.el6_5.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/mutt-1.5.20-4.20091214hg736b6a.el6_5.src.rpm

i386:
mutt-1.5.20-4.20091214hg736b6a.el6_5.i686.rpm
mutt-debuginfo-1.5.20-4.20091214hg736b6a.el6_5.i686.rpm

x86_64:
mutt-1.5.20-4.20091214hg736b6a.el6_5.x86_64.rpm
mutt-debuginfo-1.5.20-4.20091214hg736b6a.el6_5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2014-0467.html
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
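Every advisory in this digest tells the reader to apply the errata, but confirming that a host actually carries the fixed builds means ranking the installed epoch:version-release against the package list, and rpm does that with a segment-wise algorithm rather than plain string comparison ("1.10" is newer than "1.9", "1.0~rc1" is older than "1.0"). The script below is an added example, not Red Hat tooling: it implements that rpmvercmp algorithm in Python, parses the fixed builds out of package-list file names like the ones above, and reports which installed packages are still older. The `rpm -qa` output it reads is constructed for a hypothetical host, the `--qf` format string is my choice, and epoch 0 is assumed because file names carry no epoch.

```python
"""Check installed RPMs against an RHSA package list (added example, not Red Hat code).
Implements rpm's label comparison (rpmvercmp) so installed epoch:version-release values
can be ranked against the fixed builds an advisory names.  Sample inputs are constructed."""
from typing import Dict, List, Tuple

EVR = Tuple[int, str, str]  # (epoch, version, release)


def _cls(c: str) -> str:
    """'d' for an ASCII digit, 'a' for an ASCII letter, '~' for tilde, '' for a separator."""
    if "0" <= c <= "9":
        return "d"
    if "a" <= c <= "z" or "A" <= c <= "Z":
        return "a"
    return "~" if c == "~" else ""


def rpmvercmp(a: str, b: str) -> int:
    """rpm's segment-wise comparison, returning -1, 0 or 1: digit runs compare numerically,
    letter runs as strings, a digit run beats a letter run, and '~' sorts before everything
    (1.0~rc1 < 1.0).  rpm's newer '^' separator is not handled (assumed unused on RHEL 5/6)."""
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not _cls(a[i]):   # skip separators such as '.', '_', '-'
            i += 1
        while j < len(b) and not _cls(b[j]):
            j += 1
        ta, tb = i < len(a) and a[i] == "~", j < len(b) and b[j] == "~"
        if ta != tb:                            # only one side is a pre-release: it is older
            return 1 if tb else -1
        if ta:                                  # both have '~' here: step over it
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        kind, si, sj = _cls(a[i]), i, j
        while i < len(a) and _cls(a[i]) == kind:
            i += 1
        while j < len(b) and _cls(b[j]) == kind:
            j += 1
        sa, sb = a[si:i], b[sj:j]
        if not sb:                              # segment types differ: the numeric one is newer
            return 1 if kind == "d" else -1
        if kind == "d":
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1             # whichever side has characters left wins


def compare_evr(x: EVR, y: EVR) -> int:
    """Epoch first, then version, then release, each with rpm semantics."""
    return (x[0] > y[0]) - (x[0] < y[0]) or rpmvercmp(x[1], y[1]) or rpmvercmp(x[2], y[2])


def parse_rpm_filename(fname: str) -> Tuple[str, str, EVR]:
    """'udisks-1.0.1-7.el6_5.x86_64.rpm' -> ('udisks', 'x86_64', (0, '1.0.1', '7.el6_5')).
    File names carry no epoch, so epoch 0 is assumed (true for every package listed above)."""
    nvr, arch = fname[:-4].rsplit(".", 1)
    name, ver, rel = nvr.rsplit("-", 2)
    return name, arch, (0, ver, rel)


def parse_rpm_qa(output: str) -> Dict[Tuple[str, str], EVR]:
    """Parse lines from: rpm -qa --qf '%{NAME} %{EPOCH} %{VERSION} %{RELEASE} %{ARCH}\\n'"""
    installed: Dict[Tuple[str, str], EVR] = {}
    for line in output.splitlines():
        if line.strip():
            name, epoch, ver, rel, arch = line.split()
            installed[(name, arch)] = (0 if epoch == "(none)" else int(epoch), ver, rel)
    return installed


def find_unpatched(advisory_rpms: List[str], rpm_qa: str) -> List[Tuple[str, str, EVR, EVR]]:
    """(name, arch, installed, fixed) for installed packages older than the advisory build."""
    installed = parse_rpm_qa(rpm_qa)
    out = []
    for fname in advisory_rpms:
        name, arch, fixed = parse_rpm_filename(fname)
        have = installed.get((name, arch))         # absent: the advisory does not apply
        if have is not None and compare_evr(have, fixed) < 0:
            out.append((name, arch, have, fixed))
    return out


# Fixed builds copied from the udisks, mutt, firefox and 389-ds-base package lists above
# (RHEL 6, x86_64), and constructed `rpm -qa` output for a hypothetical host.
ADVISORY_RPMS = [
    "udisks-1.0.1-7.el6_5.x86_64.rpm",
    "mutt-1.5.20-4.20091214hg736b6a.el6_5.x86_64.rpm",
    "firefox-24.4.0-1.el6_5.x86_64.rpm",
    "389-ds-base-1.2.11.15-32.el6_5.x86_64.rpm",
]
SAMPLE_RPM_QA = """\
udisks (none) 1.0.1 6.el6 x86_64
mutt (none) 1.5.20 2.20091214hg736b6a.el6 x86_64
firefox (none) 24.4.0 1.el6_5 x86_64
389-ds-base (none) 1.2.11.15 34.el6_5 x86_64
bash (none) 4.1.2 15.el6_4 x86_64
"""
```

On the sample host `find_unpatched(ADVISORY_RPMS, SAMPLE_RPM_QA)` flags udisks and mutt only: firefox matches the advisory build exactly, and 389-ds-base is at a later release than the one listed, which a later erratum would explain and which the comparison correctly treats as fixed. Matching on (name, arch) matters on x86_64 hosts with i686 multilib packages, since the advisory lists both builds separately.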
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFTJzWkXlSAg2UNWIIRAlsyAJ9O84qeSXNWzB4MgNYdCKAaqRjOywCeMp49
d9z8mWnwA4Rnj4sC2chT/eM=
=6iAH
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Mon Mar 17 17:50:32 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 17 Mar 2014 17:50:32 +0000
Subject: [RHSA-2014:0305-01] Moderate: samba security update
Message-ID: <201403171750.s2HHoWLE018722@int-mx12.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: samba security update
Advisory ID:       RHSA-2014:0305-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0305.html
Issue date:        2014-03-17
CVE Names:         CVE-2013-0213 CVE-2013-0214 CVE-2013-4124
=====================================================================

1. Summary:

Updated samba packages that fix three security issues are now available
for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having
Moderate security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64

3. Description:

Samba is an open-source implementation of the Server Message Block (SMB)
or Common Internet File System (CIFS) protocol, which allows PC-compatible
machines to share files, printers, and other information.

It was discovered that the Samba Web Administration Tool (SWAT) did not
protect against being opened in a web page frame. A remote attacker could
possibly use this flaw to conduct a clickjacking attack against SWAT users
or users with an active SWAT session. (CVE-2013-0213)

A flaw was found in the Cross-Site Request Forgery (CSRF) protection
mechanism implemented in SWAT. An attacker with the knowledge of a victim's
password could use this flaw to bypass CSRF protections and conduct a CSRF
attack against the victim SWAT user. (CVE-2013-0214)

An integer overflow flaw was found in the way Samba handled an Extended
Attribute (EA) list provided by a client. A malicious client could send a
specially crafted EA list that triggered an overflow, causing the server to
loop and reprocess the list using an excessive amount of memory.
(CVE-2013-4124)

Note: This issue did not affect the default configuration of the Samba
server.

Red Hat would like to thank the Samba project for reporting CVE-2013-0213
and CVE-2013-0214. Upstream acknowledges Jann Horn as the original reporter
of CVE-2013-0213 and CVE-2013-0214.

All users of Samba are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. After installing this
update, the smb service will be restarted automatically.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

905700 - CVE-2013-0213 samba: clickjacking vulnerability in SWAT
905704 - CVE-2013-0214 samba: cross-site request forgery vulnerability in SWAT
984401 - CVE-2013-4124 samba: DoS via integer overflow when reading an EA list

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/samba-3.0.33-3.40.el5_10.src.rpm

i386:
libsmbclient-3.0.33-3.40.el5_10.i386.rpm
samba-3.0.33-3.40.el5_10.i386.rpm
samba-client-3.0.33-3.40.el5_10.i386.rpm
samba-common-3.0.33-3.40.el5_10.i386.rpm
samba-debuginfo-3.0.33-3.40.el5_10.i386.rpm
samba-swat-3.0.33-3.40.el5_10.i386.rpm

x86_64:
libsmbclient-3.0.33-3.40.el5_10.i386.rpm
libsmbclient-3.0.33-3.40.el5_10.x86_64.rpm
samba-3.0.33-3.40.el5_10.x86_64.rpm
samba-client-3.0.33-3.40.el5_10.x86_64.rpm
samba-common-3.0.33-3.40.el5_10.i386.rpm
samba-common-3.0.33-3.40.el5_10.x86_64.rpm
samba-debuginfo-3.0.33-3.40.el5_10.i386.rpm
samba-debuginfo-3.0.33-3.40.el5_10.x86_64.rpm
samba-swat-3.0.33-3.40.el5_10.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/samba-3.0.33-3.40.el5_10.src.rpm

i386:
libsmbclient-devel-3.0.33-3.40.el5_10.i386.rpm
samba-debuginfo-3.0.33-3.40.el5_10.i386.rpm

x86_64:
libsmbclient-devel-3.0.33-3.40.el5_10.i386.rpm
libsmbclient-devel-3.0.33-3.40.el5_10.x86_64.rpm
samba-debuginfo-3.0.33-3.40.el5_10.i386.rpm
samba-debuginfo-3.0.33-3.40.el5_10.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/samba-3.0.33-3.40.el5_10.src.rpm

i386:
libsmbclient-3.0.33-3.40.el5_10.i386.rpm
libsmbclient-devel-3.0.33-3.40.el5_10.i386.rpm
samba-3.0.33-3.40.el5_10.i386.rpm
samba-client-3.0.33-3.40.el5_10.i386.rpm
samba-common-3.0.33-3.40.el5_10.i386.rpm
samba-debuginfo-3.0.33-3.40.el5_10.i386.rpm
samba-swat-3.0.33-3.40.el5_10.i386.rpm

ia64:
libsmbclient-3.0.33-3.40.el5_10.ia64.rpm
libsmbclient-devel-3.0.33-3.40.el5_10.ia64.rpm
samba-3.0.33-3.40.el5_10.ia64.rpm
samba-client-3.0.33-3.40.el5_10.ia64.rpm
samba-common-3.0.33-3.40.el5_10.ia64.rpm
samba-debuginfo-3.0.33-3.40.el5_10.ia64.rpm
samba-swat-3.0.33-3.40.el5_10.ia64.rpm

ppc:
libsmbclient-3.0.33-3.40.el5_10.ppc.rpm
libsmbclient-3.0.33-3.40.el5_10.ppc64.rpm
libsmbclient-devel-3.0.33-3.40.el5_10.ppc.rpm
libsmbclient-devel-3.0.33-3.40.el5_10.ppc64.rpm
samba-3.0.33-3.40.el5_10.ppc.rpm
samba-client-3.0.33-3.40.el5_10.ppc.rpm
samba-common-3.0.33-3.40.el5_10.ppc.rpm
samba-common-3.0.33-3.40.el5_10.ppc64.rpm
samba-debuginfo-3.0.33-3.40.el5_10.ppc.rpm
samba-debuginfo-3.0.33-3.40.el5_10.ppc64.rpm
samba-swat-3.0.33-3.40.el5_10.ppc.rpm

s390x:
libsmbclient-3.0.33-3.40.el5_10.s390.rpm
libsmbclient-3.0.33-3.40.el5_10.s390x.rpm
libsmbclient-devel-3.0.33-3.40.el5_10.s390.rpm
libsmbclient-devel-3.0.33-3.40.el5_10.s390x.rpm
samba-3.0.33-3.40.el5_10.s390x.rpm
samba-client-3.0.33-3.40.el5_10.s390x.rpm
samba-common-3.0.33-3.40.el5_10.s390.rpm
samba-common-3.0.33-3.40.el5_10.s390x.rpm
samba-debuginfo-3.0.33-3.40.el5_10.s390.rpm
samba-debuginfo-3.0.33-3.40.el5_10.s390x.rpm
samba-swat-3.0.33-3.40.el5_10.s390x.rpm

x86_64:
libsmbclient-3.0.33-3.40.el5_10.i386.rpm
libsmbclient-3.0.33-3.40.el5_10.x86_64.rpm
libsmbclient-devel-3.0.33-3.40.el5_10.i386.rpm
libsmbclient-devel-3.0.33-3.40.el5_10.x86_64.rpm
samba-3.0.33-3.40.el5_10.x86_64.rpm
samba-client-3.0.33-3.40.el5_10.x86_64.rpm
samba-common-3.0.33-3.40.el5_10.i386.rpm
samba-common-3.0.33-3.40.el5_10.x86_64.rpm
samba-debuginfo-3.0.33-3.40.el5_10.i386.rpm
samba-debuginfo-3.0.33-3.40.el5_10.x86_64.rpm
samba-swat-3.0.33-3.40.el5_10.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-0213.html
https://www.redhat.com/security/data/cve/CVE-2013-0214.html
https://www.redhat.com/security/data/cve/CVE-2013-4124.html
https://access.redhat.com/security/updates/classification/#moderate
https://www.samba.org/samba/security/CVE-2013-0213
https://www.samba.org/samba/security/CVE-2013-0214
https://www.samba.org/samba/security/CVE-2013-4124

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFTJzXJXlSAg2UNWIIRAjiKAJ9j+QV7kdLMTDSikROJi6OuHoz/bgCfY/L8
Tec9j0lbTJvEH8w+uiZSfyY=
=f2Ha
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Mon Mar 17 17:51:00 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 17 Mar 2014 17:51:00 +0000
Subject: [RHSA-2014:0306-01] Moderate: ruby193-rubygem-actionpack security update
Message-ID: <201403171751.s2HHp1Ax018867@int-mx12.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: ruby193-rubygem-actionpack security update
Advisory ID:       RHSA-2014:0306-01
Product:           Red Hat Software Collections
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0306.html
Issue date:        2014-03-17
CVE Names:         CVE-2014-0081 CVE-2014-0082
=====================================================================

1. Summary:

Updated ruby193-rubygem-actionpack packages that fix two security issues
are now available for Red Hat Software Collections 1.

The Red Hat Security Response Team has rated this update as having
Moderate security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Software Collections for RHEL 6 Server - noarch
Red Hat Software Collections for RHEL 6 Workstation - noarch

3. Description:

Ruby on Rails is a model-view-controller (MVC) framework for web
application development. Action Pack implements the controller and the
view components.

It was found that several number conversion helpers in Action View did not
properly escape all their parameters. An attacker could use these flaws to
perform a cross-site scripting (XSS) attack on an application that uses
data submitted by a user as parameters to the affected helpers.
(CVE-2014-0081)

A memory consumption issue was discovered in the text rendering component
of Action View. A remote attacker could use this flaw to perform a denial
of service attack by sending specially crafted queries that would result in
the creation of Ruby symbols that were never garbage collected.
(CVE-2014-0082)

Red Hat would like to thank the Ruby on Rails Project for reporting these
issues. Upstream acknowledges Kevin Reintjes as the original reporter of
CVE-2014-0081, and Toby Hsieh of SlideShare as the original reporter of
CVE-2014-0082.

All ruby193-rubygem-actionpack users are advised to upgrade to these
updated packages, which contain backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1065520 - CVE-2014-0081 rubygem-actionpack: number_to_currency, number_to_percentage and number_to_human XSS vulnerability
1065538 - CVE-2014-0082 rubygem-actionpack: Action View string handling denial of service

6. Package List:

Red Hat Software Collections for RHEL 6 Server:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHSCL/SRPMS/ruby193-rubygem-actionpack-3.2.8-5.3.el6.src.rpm

noarch:
ruby193-rubygem-actionpack-3.2.8-5.3.el6.noarch.rpm
ruby193-rubygem-actionpack-doc-3.2.8-5.3.el6.noarch.rpm

Red Hat Software Collections for RHEL 6 Workstation:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/RHSCL/SRPMS/ruby193-rubygem-actionpack-3.2.8-5.3.el6.src.rpm

noarch:
ruby193-rubygem-actionpack-3.2.8-5.3.el6.noarch.rpm
ruby193-rubygem-actionpack-doc-3.2.8-5.3.el6.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2014-0081.html
https://www.redhat.com/security/data/cve/CVE-2014-0082.html
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFTJzXyXlSAg2UNWIIRAr1pAJ4uJ1MgnchBXssQPGCl9OJyQjpWMQCfaEfI owHGaFiGXhkErFHZlFOHzRg= =aEtE -----END PGP SIGNATURE----- From bugzilla at redhat.com Tue Mar 18 20:37:23 2014 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Tue, 18 Mar 2014 20:37:23 +0000 Subject: [RHSA-2014:0310-01] Critical: firefox security update Message-ID: <201403182037.s2IKbNjF015688@int-mx10.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Critical: firefox security update Advisory ID: RHSA-2014:0310-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-0310.html Issue date: 2014-03-18 CVE Names: CVE-2014-1493 CVE-2014-1497 CVE-2014-1505 CVE-2014-1508 CVE-2014-1509 CVE-2014-1510 CVE-2014-1511 CVE-2014-1512 CVE-2014-1513 CVE-2014-1514 ===================================================================== 1. Summary: Updated firefox packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 3. Description: Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. 
Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2014-1493, CVE-2014-1510, CVE-2014-1511, CVE-2014-1512, CVE-2014-1513, CVE-2014-1514) Several information disclosure flaws were found in the way Firefox processed malformed web content. An attacker could use these flaws to gain access to sensitive information such as cross-domain content or protected memory addresses or, potentially, cause Firefox to crash. (CVE-2014-1497, CVE-2014-1508, CVE-2014-1505) A memory corruption flaw was found in the way Firefox rendered certain PDF files. An attacker able to trick a user into installing a malicious extension could use this flaw to crash Firefox or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2014-1509) Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Benoit Jacob, Olli Pettay, Jan Varga, Jan de Mooij, Jesse Ruderman, Dan Gohman, Christoph Diehl, Atte Kettunen, Tyson Smith, Jesse Schwartzentruber, John Thomson, Robert O'Callahan, Mariusz Mlynski, J?ri Aedla, George Hotz, and the security research firm VUPEN as the original reporters of these issues. For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 24.4.0 ESR. You can find a link to the Mozilla advisories in the References section of this erratum. All Firefox users should upgrade to these updated packages, which contain Firefox version 24.4.0 ESR, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via the Red Hat Network. 
Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1077013 - CVE-2014-1493 Mozilla: Miscellaneous memory safety hazards (rv:24.4) (MFSA 2014-15) 1077016 - CVE-2014-1497 Mozilla: Out of bounds read during WAV file decoding (MFSA 2014-17) 1077025 - CVE-2014-1508 Mozilla: Information disclosure through polygon rendering in MathML (MFSA 2014-26) 1077028 - CVE-2014-1509 Mozilla: Memory corruption in Cairo during PDF font rendering (MFSA 2014-27) 1077029 - CVE-2014-1505 Mozilla: SVG filters information disclosure through feDisplacementMap (MFSA 2014-28) 1077490 - CVE-2014-1510 CVE-2014-1511 Mozilla: Privilege escalation using WebIDL-implemented APIs (MFSA 2014-29) 1077491 - CVE-2014-1512 Mozilla: Use-after-free in TypeObject (MFSA 2014-30) 1077492 - CVE-2014-1513 Mozilla: Out-of-bounds read/write through neutering ArrayBuffer objects (MFSA 2014-31) 1077494 - CVE-2014-1514 Mozilla: Out-of-bounds write through TypedArrayObject after neutering (MFSA 2014-32) 6. Package List: Red Hat Enterprise Linux Desktop (v. 5 client): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/firefox-24.4.0-1.el5_10.src.rpm i386: firefox-24.4.0-1.el5_10.i386.rpm firefox-debuginfo-24.4.0-1.el5_10.i386.rpm x86_64: firefox-24.4.0-1.el5_10.i386.rpm firefox-24.4.0-1.el5_10.x86_64.rpm firefox-debuginfo-24.4.0-1.el5_10.i386.rpm firefox-debuginfo-24.4.0-1.el5_10.x86_64.rpm Red Hat Enterprise Linux (v. 
5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/firefox-24.4.0-1.el5_10.src.rpm

i386:
firefox-24.4.0-1.el5_10.i386.rpm
firefox-debuginfo-24.4.0-1.el5_10.i386.rpm

ia64:
firefox-24.4.0-1.el5_10.ia64.rpm
firefox-debuginfo-24.4.0-1.el5_10.ia64.rpm

ppc:
firefox-24.4.0-1.el5_10.ppc.rpm
firefox-debuginfo-24.4.0-1.el5_10.ppc.rpm

s390x:
firefox-24.4.0-1.el5_10.s390.rpm
firefox-24.4.0-1.el5_10.s390x.rpm
firefox-debuginfo-24.4.0-1.el5_10.s390.rpm
firefox-debuginfo-24.4.0-1.el5_10.s390x.rpm

x86_64:
firefox-24.4.0-1.el5_10.i386.rpm
firefox-24.4.0-1.el5_10.x86_64.rpm
firefox-debuginfo-24.4.0-1.el5_10.i386.rpm
firefox-debuginfo-24.4.0-1.el5_10.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/firefox-24.4.0-1.el6_5.src.rpm

i386:
firefox-24.4.0-1.el6_5.i686.rpm
firefox-debuginfo-24.4.0-1.el6_5.i686.rpm

x86_64:
firefox-24.4.0-1.el6_5.i686.rpm
firefox-24.4.0-1.el6_5.x86_64.rpm
firefox-debuginfo-24.4.0-1.el6_5.i686.rpm
firefox-debuginfo-24.4.0-1.el6_5.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/firefox-24.4.0-1.el6_5.src.rpm

x86_64:
firefox-24.4.0-1.el6_5.i686.rpm
firefox-24.4.0-1.el6_5.x86_64.rpm
firefox-debuginfo-24.4.0-1.el6_5.i686.rpm
firefox-debuginfo-24.4.0-1.el6_5.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/firefox-24.4.0-1.el6_5.src.rpm

i386:
firefox-24.4.0-1.el6_5.i686.rpm
firefox-debuginfo-24.4.0-1.el6_5.i686.rpm

ppc64:
firefox-24.4.0-1.el6_5.ppc.rpm
firefox-24.4.0-1.el6_5.ppc64.rpm
firefox-debuginfo-24.4.0-1.el6_5.ppc.rpm
firefox-debuginfo-24.4.0-1.el6_5.ppc64.rpm

s390x:
firefox-24.4.0-1.el6_5.s390.rpm
firefox-24.4.0-1.el6_5.s390x.rpm
firefox-debuginfo-24.4.0-1.el6_5.s390.rpm
firefox-debuginfo-24.4.0-1.el6_5.s390x.rpm

x86_64:
firefox-24.4.0-1.el6_5.i686.rpm
firefox-24.4.0-1.el6_5.x86_64.rpm
firefox-debuginfo-24.4.0-1.el6_5.i686.rpm
firefox-debuginfo-24.4.0-1.el6_5.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/firefox-24.4.0-1.el6_5.src.rpm

i386:
firefox-24.4.0-1.el6_5.i686.rpm
firefox-debuginfo-24.4.0-1.el6_5.i686.rpm

x86_64:
firefox-24.4.0-1.el6_5.i686.rpm
firefox-24.4.0-1.el6_5.x86_64.rpm
firefox-debuginfo-24.4.0-1.el6_5.i686.rpm
firefox-debuginfo-24.4.0-1.el6_5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2014-1493.html
https://www.redhat.com/security/data/cve/CVE-2014-1497.html
https://www.redhat.com/security/data/cve/CVE-2014-1505.html
https://www.redhat.com/security/data/cve/CVE-2014-1508.html
https://www.redhat.com/security/data/cve/CVE-2014-1509.html
https://www.redhat.com/security/data/cve/CVE-2014-1510.html
https://www.redhat.com/security/data/cve/CVE-2014-1511.html
https://www.redhat.com/security/data/cve/CVE-2014-1512.html
https://www.redhat.com/security/data/cve/CVE-2014-1513.html
https://www.redhat.com/security/data/cve/CVE-2014-1514.html
https://access.redhat.com/security/updates/classification/#critical
http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFTKK5nXlSAg2UNWIIRAg0HAKCoOM0v98Te8pjKYD3ZMl22VHEQowCfQVcq
eaoQTYDXvWJWWIXRvn+Z/jM=
=xuAz
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Tue Mar 18 20:38:07 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 18 Mar 2014 20:38:07 +0000
Subject: [RHSA-2014:0311-01] Critical: php security update
Message-ID: <201403182038.s2IKc7S4015870@int-mx10.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: php security update
Advisory ID:       RHSA-2014:0311-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0311.html
Issue date:        2014-03-18
CVE Names:         CVE-2006-7243 CVE-2009-0689
=====================================================================

1. Summary:

Updated php packages that fix two security issues are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64

3. Description:

PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server.

A buffer overflow flaw was found in the way PHP parsed floating point numbers from their text representation.
If a PHP application converted untrusted input strings to numbers, an attacker able to provide such input could cause the application to crash or, possibly, execute arbitrary code with the privileges of the application. (CVE-2009-0689)

It was found that PHP did not properly handle file names with a NULL character. A remote attacker could possibly use this flaw to make a PHP script access unexpected files and bypass intended file system access restrictions. (CVE-2006-7243)

All php users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

539784 - CVE-2009-0689 array index error in dtoa implementation of many products
662707 - CVE-2006-7243 php: paths with NULL character were considered valid
1057555 - CVE-2009-0689 php: heap overflow in floating point parsing

6. Package List:

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/php-5.1.6-44.el5_10.src.rpm

i386:
php-5.1.6-44.el5_10.i386.rpm
php-bcmath-5.1.6-44.el5_10.i386.rpm
php-cli-5.1.6-44.el5_10.i386.rpm
php-common-5.1.6-44.el5_10.i386.rpm
php-dba-5.1.6-44.el5_10.i386.rpm
php-debuginfo-5.1.6-44.el5_10.i386.rpm
php-devel-5.1.6-44.el5_10.i386.rpm
php-gd-5.1.6-44.el5_10.i386.rpm
php-imap-5.1.6-44.el5_10.i386.rpm
php-ldap-5.1.6-44.el5_10.i386.rpm
php-mbstring-5.1.6-44.el5_10.i386.rpm
php-mysql-5.1.6-44.el5_10.i386.rpm
php-ncurses-5.1.6-44.el5_10.i386.rpm
php-odbc-5.1.6-44.el5_10.i386.rpm
php-pdo-5.1.6-44.el5_10.i386.rpm
php-pgsql-5.1.6-44.el5_10.i386.rpm
php-snmp-5.1.6-44.el5_10.i386.rpm
php-soap-5.1.6-44.el5_10.i386.rpm
php-xml-5.1.6-44.el5_10.i386.rpm
php-xmlrpc-5.1.6-44.el5_10.i386.rpm

x86_64:
php-5.1.6-44.el5_10.x86_64.rpm
php-bcmath-5.1.6-44.el5_10.x86_64.rpm
php-cli-5.1.6-44.el5_10.x86_64.rpm
php-common-5.1.6-44.el5_10.x86_64.rpm
php-dba-5.1.6-44.el5_10.x86_64.rpm
php-debuginfo-5.1.6-44.el5_10.x86_64.rpm
php-devel-5.1.6-44.el5_10.x86_64.rpm
php-gd-5.1.6-44.el5_10.x86_64.rpm
php-imap-5.1.6-44.el5_10.x86_64.rpm
php-ldap-5.1.6-44.el5_10.x86_64.rpm
php-mbstring-5.1.6-44.el5_10.x86_64.rpm
php-mysql-5.1.6-44.el5_10.x86_64.rpm
php-ncurses-5.1.6-44.el5_10.x86_64.rpm
php-odbc-5.1.6-44.el5_10.x86_64.rpm
php-pdo-5.1.6-44.el5_10.x86_64.rpm
php-pgsql-5.1.6-44.el5_10.x86_64.rpm
php-snmp-5.1.6-44.el5_10.x86_64.rpm
php-soap-5.1.6-44.el5_10.x86_64.rpm
php-xml-5.1.6-44.el5_10.x86_64.rpm
php-xmlrpc-5.1.6-44.el5_10.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/php-5.1.6-44.el5_10.src.rpm

i386:
php-5.1.6-44.el5_10.i386.rpm
php-bcmath-5.1.6-44.el5_10.i386.rpm
php-cli-5.1.6-44.el5_10.i386.rpm
php-common-5.1.6-44.el5_10.i386.rpm
php-dba-5.1.6-44.el5_10.i386.rpm
php-debuginfo-5.1.6-44.el5_10.i386.rpm
php-devel-5.1.6-44.el5_10.i386.rpm
php-gd-5.1.6-44.el5_10.i386.rpm
php-imap-5.1.6-44.el5_10.i386.rpm
php-ldap-5.1.6-44.el5_10.i386.rpm
php-mbstring-5.1.6-44.el5_10.i386.rpm
php-mysql-5.1.6-44.el5_10.i386.rpm
php-ncurses-5.1.6-44.el5_10.i386.rpm
php-odbc-5.1.6-44.el5_10.i386.rpm
php-pdo-5.1.6-44.el5_10.i386.rpm
php-pgsql-5.1.6-44.el5_10.i386.rpm
php-snmp-5.1.6-44.el5_10.i386.rpm
php-soap-5.1.6-44.el5_10.i386.rpm
php-xml-5.1.6-44.el5_10.i386.rpm
php-xmlrpc-5.1.6-44.el5_10.i386.rpm

ia64:
php-5.1.6-44.el5_10.ia64.rpm
php-bcmath-5.1.6-44.el5_10.ia64.rpm
php-cli-5.1.6-44.el5_10.ia64.rpm
php-common-5.1.6-44.el5_10.ia64.rpm
php-dba-5.1.6-44.el5_10.ia64.rpm
php-debuginfo-5.1.6-44.el5_10.ia64.rpm
php-devel-5.1.6-44.el5_10.ia64.rpm
php-gd-5.1.6-44.el5_10.ia64.rpm
php-imap-5.1.6-44.el5_10.ia64.rpm
php-ldap-5.1.6-44.el5_10.ia64.rpm
php-mbstring-5.1.6-44.el5_10.ia64.rpm
php-mysql-5.1.6-44.el5_10.ia64.rpm
php-ncurses-5.1.6-44.el5_10.ia64.rpm
php-odbc-5.1.6-44.el5_10.ia64.rpm
php-pdo-5.1.6-44.el5_10.ia64.rpm
php-pgsql-5.1.6-44.el5_10.ia64.rpm
php-snmp-5.1.6-44.el5_10.ia64.rpm
php-soap-5.1.6-44.el5_10.ia64.rpm
php-xml-5.1.6-44.el5_10.ia64.rpm
php-xmlrpc-5.1.6-44.el5_10.ia64.rpm

ppc:
php-5.1.6-44.el5_10.ppc.rpm
php-bcmath-5.1.6-44.el5_10.ppc.rpm
php-cli-5.1.6-44.el5_10.ppc.rpm
php-common-5.1.6-44.el5_10.ppc.rpm
php-dba-5.1.6-44.el5_10.ppc.rpm
php-debuginfo-5.1.6-44.el5_10.ppc.rpm
php-devel-5.1.6-44.el5_10.ppc.rpm
php-gd-5.1.6-44.el5_10.ppc.rpm
php-imap-5.1.6-44.el5_10.ppc.rpm
php-ldap-5.1.6-44.el5_10.ppc.rpm
php-mbstring-5.1.6-44.el5_10.ppc.rpm
php-mysql-5.1.6-44.el5_10.ppc.rpm
php-ncurses-5.1.6-44.el5_10.ppc.rpm
php-odbc-5.1.6-44.el5_10.ppc.rpm
php-pdo-5.1.6-44.el5_10.ppc.rpm
php-pgsql-5.1.6-44.el5_10.ppc.rpm
php-snmp-5.1.6-44.el5_10.ppc.rpm
php-soap-5.1.6-44.el5_10.ppc.rpm
php-xml-5.1.6-44.el5_10.ppc.rpm
php-xmlrpc-5.1.6-44.el5_10.ppc.rpm

s390x:
php-5.1.6-44.el5_10.s390x.rpm
php-bcmath-5.1.6-44.el5_10.s390x.rpm
php-cli-5.1.6-44.el5_10.s390x.rpm
php-common-5.1.6-44.el5_10.s390x.rpm
php-dba-5.1.6-44.el5_10.s390x.rpm
php-debuginfo-5.1.6-44.el5_10.s390x.rpm
php-devel-5.1.6-44.el5_10.s390x.rpm
php-gd-5.1.6-44.el5_10.s390x.rpm
php-imap-5.1.6-44.el5_10.s390x.rpm
php-ldap-5.1.6-44.el5_10.s390x.rpm
php-mbstring-5.1.6-44.el5_10.s390x.rpm
php-mysql-5.1.6-44.el5_10.s390x.rpm
php-ncurses-5.1.6-44.el5_10.s390x.rpm
php-odbc-5.1.6-44.el5_10.s390x.rpm
php-pdo-5.1.6-44.el5_10.s390x.rpm
php-pgsql-5.1.6-44.el5_10.s390x.rpm
php-snmp-5.1.6-44.el5_10.s390x.rpm
php-soap-5.1.6-44.el5_10.s390x.rpm
php-xml-5.1.6-44.el5_10.s390x.rpm
php-xmlrpc-5.1.6-44.el5_10.s390x.rpm

x86_64:
php-5.1.6-44.el5_10.x86_64.rpm
php-bcmath-5.1.6-44.el5_10.x86_64.rpm
php-cli-5.1.6-44.el5_10.x86_64.rpm
php-common-5.1.6-44.el5_10.x86_64.rpm
php-dba-5.1.6-44.el5_10.x86_64.rpm
php-debuginfo-5.1.6-44.el5_10.x86_64.rpm
php-devel-5.1.6-44.el5_10.x86_64.rpm
php-gd-5.1.6-44.el5_10.x86_64.rpm
php-imap-5.1.6-44.el5_10.x86_64.rpm
php-ldap-5.1.6-44.el5_10.x86_64.rpm
php-mbstring-5.1.6-44.el5_10.x86_64.rpm
php-mysql-5.1.6-44.el5_10.x86_64.rpm
php-ncurses-5.1.6-44.el5_10.x86_64.rpm
php-odbc-5.1.6-44.el5_10.x86_64.rpm
php-pdo-5.1.6-44.el5_10.x86_64.rpm
php-pgsql-5.1.6-44.el5_10.x86_64.rpm
php-snmp-5.1.6-44.el5_10.x86_64.rpm
php-soap-5.1.6-44.el5_10.x86_64.rpm
php-xml-5.1.6-44.el5_10.x86_64.rpm
php-xmlrpc-5.1.6-44.el5_10.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2006-7243.html
https://www.redhat.com/security/data/cve/CVE-2009-0689.html
https://access.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFTKK6SXlSAg2UNWIIRAvabAJ4jx2BoAiTlNmk2kTvRfRxEYaq4xQCcDBs0
uZFVkkONOXaGwJr80qz2YtY=
=oA4a
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Tue Mar 18 20:38:53 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 18 Mar 2014 20:38:53 +0000
Subject: [RHSA-2014:0312-01] Critical: php security update
Message-ID: <201403182038.s2IKcrdo016154@int-mx10.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: php security update
Advisory ID:       RHSA-2014:0312-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0312.html
Issue date:        2014-03-18
CVE Names:         CVE-2009-0689
=====================================================================

1. Summary:

Updated php packages that fix one security issue are now available for Red Hat Enterprise Linux 5.3 and 5.6 Long Life, and Red Hat Enterprise Linux 5.9 Extended Update Support.

The Red Hat Security Response Team has rated this update as having Critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux EUS (v. 5.9 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux LL (v. 5.6 server) - i386, ia64, x86_64
Red Hat Enterprise Linux Long Life (v. 5.3 server) - i386, ia64, x86_64

3. Description:

PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server.

A buffer overflow flaw was found in the way PHP parsed floating point numbers from their text representation. If a PHP application converted untrusted input strings to numbers, an attacker able to provide such input could cause the application to crash or, possibly, execute arbitrary code with the privileges of the application. (CVE-2009-0689)

All php users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

539784 - CVE-2009-0689 array index error in dtoa implementation of many products
1057555 - CVE-2009-0689 php: heap overflow in floating point parsing

6. Package List:

Red Hat Enterprise Linux Long Life (v. 5.3 server):

Source:
php-5.1.6-23.6.el5_3.src.rpm

i386:
php-5.1.6-23.6.el5_3.i386.rpm
php-bcmath-5.1.6-23.6.el5_3.i386.rpm
php-cli-5.1.6-23.6.el5_3.i386.rpm
php-common-5.1.6-23.6.el5_3.i386.rpm
php-dba-5.1.6-23.6.el5_3.i386.rpm
php-debuginfo-5.1.6-23.6.el5_3.i386.rpm
php-devel-5.1.6-23.6.el5_3.i386.rpm
php-gd-5.1.6-23.6.el5_3.i386.rpm
php-imap-5.1.6-23.6.el5_3.i386.rpm
php-ldap-5.1.6-23.6.el5_3.i386.rpm
php-mbstring-5.1.6-23.6.el5_3.i386.rpm
php-mysql-5.1.6-23.6.el5_3.i386.rpm
php-ncurses-5.1.6-23.6.el5_3.i386.rpm
php-odbc-5.1.6-23.6.el5_3.i386.rpm
php-pdo-5.1.6-23.6.el5_3.i386.rpm
php-pgsql-5.1.6-23.6.el5_3.i386.rpm
php-snmp-5.1.6-23.6.el5_3.i386.rpm
php-soap-5.1.6-23.6.el5_3.i386.rpm
php-xml-5.1.6-23.6.el5_3.i386.rpm
php-xmlrpc-5.1.6-23.6.el5_3.i386.rpm

ia64:
php-5.1.6-23.6.el5_3.ia64.rpm
php-bcmath-5.1.6-23.6.el5_3.ia64.rpm
php-cli-5.1.6-23.6.el5_3.ia64.rpm
php-common-5.1.6-23.6.el5_3.ia64.rpm
php-dba-5.1.6-23.6.el5_3.ia64.rpm
php-debuginfo-5.1.6-23.6.el5_3.ia64.rpm
php-devel-5.1.6-23.6.el5_3.ia64.rpm
php-gd-5.1.6-23.6.el5_3.ia64.rpm
php-imap-5.1.6-23.6.el5_3.ia64.rpm
php-ldap-5.1.6-23.6.el5_3.ia64.rpm
php-mbstring-5.1.6-23.6.el5_3.ia64.rpm
php-mysql-5.1.6-23.6.el5_3.ia64.rpm
php-ncurses-5.1.6-23.6.el5_3.ia64.rpm
php-odbc-5.1.6-23.6.el5_3.ia64.rpm
php-pdo-5.1.6-23.6.el5_3.ia64.rpm
php-pgsql-5.1.6-23.6.el5_3.ia64.rpm
php-snmp-5.1.6-23.6.el5_3.ia64.rpm
php-soap-5.1.6-23.6.el5_3.ia64.rpm
php-xml-5.1.6-23.6.el5_3.ia64.rpm
php-xmlrpc-5.1.6-23.6.el5_3.ia64.rpm

x86_64:
php-5.1.6-23.6.el5_3.x86_64.rpm
php-bcmath-5.1.6-23.6.el5_3.x86_64.rpm
php-cli-5.1.6-23.6.el5_3.x86_64.rpm
php-common-5.1.6-23.6.el5_3.x86_64.rpm
php-dba-5.1.6-23.6.el5_3.x86_64.rpm
php-debuginfo-5.1.6-23.6.el5_3.x86_64.rpm
php-devel-5.1.6-23.6.el5_3.x86_64.rpm
php-gd-5.1.6-23.6.el5_3.x86_64.rpm
php-imap-5.1.6-23.6.el5_3.x86_64.rpm
php-ldap-5.1.6-23.6.el5_3.x86_64.rpm
php-mbstring-5.1.6-23.6.el5_3.x86_64.rpm
php-mysql-5.1.6-23.6.el5_3.x86_64.rpm
php-ncurses-5.1.6-23.6.el5_3.x86_64.rpm
php-odbc-5.1.6-23.6.el5_3.x86_64.rpm
php-pdo-5.1.6-23.6.el5_3.x86_64.rpm
php-pgsql-5.1.6-23.6.el5_3.x86_64.rpm
php-snmp-5.1.6-23.6.el5_3.x86_64.rpm
php-soap-5.1.6-23.6.el5_3.x86_64.rpm
php-xml-5.1.6-23.6.el5_3.x86_64.rpm
php-xmlrpc-5.1.6-23.6.el5_3.x86_64.rpm

Red Hat Enterprise Linux LL (v. 5.6 server):

Source:
php-5.1.6-27.el5_6.7.src.rpm

i386:
php-5.1.6-27.el5_6.7.i386.rpm
php-bcmath-5.1.6-27.el5_6.7.i386.rpm
php-cli-5.1.6-27.el5_6.7.i386.rpm
php-common-5.1.6-27.el5_6.7.i386.rpm
php-dba-5.1.6-27.el5_6.7.i386.rpm
php-debuginfo-5.1.6-27.el5_6.7.i386.rpm
php-devel-5.1.6-27.el5_6.7.i386.rpm
php-gd-5.1.6-27.el5_6.7.i386.rpm
php-imap-5.1.6-27.el5_6.7.i386.rpm
php-ldap-5.1.6-27.el5_6.7.i386.rpm
php-mbstring-5.1.6-27.el5_6.7.i386.rpm
php-mysql-5.1.6-27.el5_6.7.i386.rpm
php-ncurses-5.1.6-27.el5_6.7.i386.rpm
php-odbc-5.1.6-27.el5_6.7.i386.rpm
php-pdo-5.1.6-27.el5_6.7.i386.rpm
php-pgsql-5.1.6-27.el5_6.7.i386.rpm
php-snmp-5.1.6-27.el5_6.7.i386.rpm
php-soap-5.1.6-27.el5_6.7.i386.rpm
php-xml-5.1.6-27.el5_6.7.i386.rpm
php-xmlrpc-5.1.6-27.el5_6.7.i386.rpm

ia64:
php-5.1.6-27.el5_6.7.ia64.rpm
php-bcmath-5.1.6-27.el5_6.7.ia64.rpm
php-cli-5.1.6-27.el5_6.7.ia64.rpm
php-common-5.1.6-27.el5_6.7.ia64.rpm
php-dba-5.1.6-27.el5_6.7.ia64.rpm
php-debuginfo-5.1.6-27.el5_6.7.ia64.rpm
php-devel-5.1.6-27.el5_6.7.ia64.rpm
php-gd-5.1.6-27.el5_6.7.ia64.rpm
php-imap-5.1.6-27.el5_6.7.ia64.rpm
php-ldap-5.1.6-27.el5_6.7.ia64.rpm
php-mbstring-5.1.6-27.el5_6.7.ia64.rpm
php-mysql-5.1.6-27.el5_6.7.ia64.rpm
php-ncurses-5.1.6-27.el5_6.7.ia64.rpm
php-odbc-5.1.6-27.el5_6.7.ia64.rpm
php-pdo-5.1.6-27.el5_6.7.ia64.rpm
php-pgsql-5.1.6-27.el5_6.7.ia64.rpm
php-snmp-5.1.6-27.el5_6.7.ia64.rpm
php-soap-5.1.6-27.el5_6.7.ia64.rpm
php-xml-5.1.6-27.el5_6.7.ia64.rpm
php-xmlrpc-5.1.6-27.el5_6.7.ia64.rpm

x86_64:
php-5.1.6-27.el5_6.7.x86_64.rpm
php-bcmath-5.1.6-27.el5_6.7.x86_64.rpm
php-cli-5.1.6-27.el5_6.7.x86_64.rpm
php-common-5.1.6-27.el5_6.7.x86_64.rpm
php-dba-5.1.6-27.el5_6.7.x86_64.rpm
php-debuginfo-5.1.6-27.el5_6.7.x86_64.rpm
php-devel-5.1.6-27.el5_6.7.x86_64.rpm
php-gd-5.1.6-27.el5_6.7.x86_64.rpm
php-imap-5.1.6-27.el5_6.7.x86_64.rpm
php-ldap-5.1.6-27.el5_6.7.x86_64.rpm
php-mbstring-5.1.6-27.el5_6.7.x86_64.rpm
php-mysql-5.1.6-27.el5_6.7.x86_64.rpm
php-ncurses-5.1.6-27.el5_6.7.x86_64.rpm
php-odbc-5.1.6-27.el5_6.7.x86_64.rpm
php-pdo-5.1.6-27.el5_6.7.x86_64.rpm
php-pgsql-5.1.6-27.el5_6.7.x86_64.rpm
php-snmp-5.1.6-27.el5_6.7.x86_64.rpm
php-soap-5.1.6-27.el5_6.7.x86_64.rpm
php-xml-5.1.6-27.el5_6.7.x86_64.rpm
php-xmlrpc-5.1.6-27.el5_6.7.x86_64.rpm

Red Hat Enterprise Linux EUS (v. 5.9 server):

Source:
php-5.1.6-40.el5_9.2.src.rpm

i386:
php-5.1.6-40.el5_9.2.i386.rpm
php-bcmath-5.1.6-40.el5_9.2.i386.rpm
php-cli-5.1.6-40.el5_9.2.i386.rpm
php-common-5.1.6-40.el5_9.2.i386.rpm
php-dba-5.1.6-40.el5_9.2.i386.rpm
php-debuginfo-5.1.6-40.el5_9.2.i386.rpm
php-devel-5.1.6-40.el5_9.2.i386.rpm
php-gd-5.1.6-40.el5_9.2.i386.rpm
php-imap-5.1.6-40.el5_9.2.i386.rpm
php-ldap-5.1.6-40.el5_9.2.i386.rpm
php-mbstring-5.1.6-40.el5_9.2.i386.rpm
php-mysql-5.1.6-40.el5_9.2.i386.rpm
php-ncurses-5.1.6-40.el5_9.2.i386.rpm
php-odbc-5.1.6-40.el5_9.2.i386.rpm
php-pdo-5.1.6-40.el5_9.2.i386.rpm
php-pgsql-5.1.6-40.el5_9.2.i386.rpm
php-snmp-5.1.6-40.el5_9.2.i386.rpm
php-soap-5.1.6-40.el5_9.2.i386.rpm
php-xml-5.1.6-40.el5_9.2.i386.rpm
php-xmlrpc-5.1.6-40.el5_9.2.i386.rpm

ia64:
php-5.1.6-40.el5_9.2.ia64.rpm
php-bcmath-5.1.6-40.el5_9.2.ia64.rpm
php-cli-5.1.6-40.el5_9.2.ia64.rpm
php-common-5.1.6-40.el5_9.2.ia64.rpm
php-dba-5.1.6-40.el5_9.2.ia64.rpm
php-debuginfo-5.1.6-40.el5_9.2.ia64.rpm
php-devel-5.1.6-40.el5_9.2.ia64.rpm
php-gd-5.1.6-40.el5_9.2.ia64.rpm
php-imap-5.1.6-40.el5_9.2.ia64.rpm
php-ldap-5.1.6-40.el5_9.2.ia64.rpm
php-mbstring-5.1.6-40.el5_9.2.ia64.rpm
php-mysql-5.1.6-40.el5_9.2.ia64.rpm
php-ncurses-5.1.6-40.el5_9.2.ia64.rpm
php-odbc-5.1.6-40.el5_9.2.ia64.rpm
php-pdo-5.1.6-40.el5_9.2.ia64.rpm
php-pgsql-5.1.6-40.el5_9.2.ia64.rpm
php-snmp-5.1.6-40.el5_9.2.ia64.rpm
php-soap-5.1.6-40.el5_9.2.ia64.rpm
php-xml-5.1.6-40.el5_9.2.ia64.rpm
php-xmlrpc-5.1.6-40.el5_9.2.ia64.rpm

ppc:
php-5.1.6-40.el5_9.2.ppc.rpm
php-bcmath-5.1.6-40.el5_9.2.ppc.rpm
php-cli-5.1.6-40.el5_9.2.ppc.rpm
php-common-5.1.6-40.el5_9.2.ppc.rpm
php-dba-5.1.6-40.el5_9.2.ppc.rpm
php-debuginfo-5.1.6-40.el5_9.2.ppc.rpm
php-devel-5.1.6-40.el5_9.2.ppc.rpm
php-gd-5.1.6-40.el5_9.2.ppc.rpm
php-imap-5.1.6-40.el5_9.2.ppc.rpm
php-ldap-5.1.6-40.el5_9.2.ppc.rpm
php-mbstring-5.1.6-40.el5_9.2.ppc.rpm
php-mysql-5.1.6-40.el5_9.2.ppc.rpm
php-ncurses-5.1.6-40.el5_9.2.ppc.rpm
php-odbc-5.1.6-40.el5_9.2.ppc.rpm
php-pdo-5.1.6-40.el5_9.2.ppc.rpm
php-pgsql-5.1.6-40.el5_9.2.ppc.rpm
php-snmp-5.1.6-40.el5_9.2.ppc.rpm
php-soap-5.1.6-40.el5_9.2.ppc.rpm
php-xml-5.1.6-40.el5_9.2.ppc.rpm
php-xmlrpc-5.1.6-40.el5_9.2.ppc.rpm

s390x:
php-5.1.6-40.el5_9.2.s390x.rpm
php-bcmath-5.1.6-40.el5_9.2.s390x.rpm
php-cli-5.1.6-40.el5_9.2.s390x.rpm
php-common-5.1.6-40.el5_9.2.s390x.rpm
php-dba-5.1.6-40.el5_9.2.s390x.rpm
php-debuginfo-5.1.6-40.el5_9.2.s390x.rpm
php-devel-5.1.6-40.el5_9.2.s390x.rpm
php-gd-5.1.6-40.el5_9.2.s390x.rpm
php-imap-5.1.6-40.el5_9.2.s390x.rpm
php-ldap-5.1.6-40.el5_9.2.s390x.rpm
php-mbstring-5.1.6-40.el5_9.2.s390x.rpm
php-mysql-5.1.6-40.el5_9.2.s390x.rpm
php-ncurses-5.1.6-40.el5_9.2.s390x.rpm
php-odbc-5.1.6-40.el5_9.2.s390x.rpm
php-pdo-5.1.6-40.el5_9.2.s390x.rpm
php-pgsql-5.1.6-40.el5_9.2.s390x.rpm
php-snmp-5.1.6-40.el5_9.2.s390x.rpm
php-soap-5.1.6-40.el5_9.2.s390x.rpm
php-xml-5.1.6-40.el5_9.2.s390x.rpm
php-xmlrpc-5.1.6-40.el5_9.2.s390x.rpm

x86_64:
php-5.1.6-40.el5_9.2.x86_64.rpm
php-bcmath-5.1.6-40.el5_9.2.x86_64.rpm
php-cli-5.1.6-40.el5_9.2.x86_64.rpm
php-common-5.1.6-40.el5_9.2.x86_64.rpm
php-dba-5.1.6-40.el5_9.2.x86_64.rpm
php-debuginfo-5.1.6-40.el5_9.2.x86_64.rpm
php-devel-5.1.6-40.el5_9.2.x86_64.rpm
php-gd-5.1.6-40.el5_9.2.x86_64.rpm
php-imap-5.1.6-40.el5_9.2.x86_64.rpm
php-ldap-5.1.6-40.el5_9.2.x86_64.rpm
php-mbstring-5.1.6-40.el5_9.2.x86_64.rpm
php-mysql-5.1.6-40.el5_9.2.x86_64.rpm
php-ncurses-5.1.6-40.el5_9.2.x86_64.rpm
php-odbc-5.1.6-40.el5_9.2.x86_64.rpm
php-pdo-5.1.6-40.el5_9.2.x86_64.rpm
php-pgsql-5.1.6-40.el5_9.2.x86_64.rpm
php-snmp-5.1.6-40.el5_9.2.x86_64.rpm
php-soap-5.1.6-40.el5_9.2.x86_64.rpm
php-xml-5.1.6-40.el5_9.2.x86_64.rpm
php-xmlrpc-5.1.6-40.el5_9.2.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2009-0689.html
https://access.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFTKK7IXlSAg2UNWIIRApClAJwLYQvQATfrTv93P62SN7kOC1NjVwCfeh5B
DyFDWwbw92UlcSzs59idyUw=
=VgcE
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Mar 19 17:46:51 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 19 Mar 2014 17:46:51 +0000
Subject: [RHSA-2014:0316-01] Important: thunderbird security update
Message-ID: <201403191746.s2JHkpeH001283@int-mx12.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: thunderbird security update
Advisory ID:       RHSA-2014:0316-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0316.html
Issue date:        2014-03-19
CVE Names:         CVE-2014-1493 CVE-2014-1497 CVE-2014-1505 CVE-2014-1508
                   CVE-2014-1509 CVE-2014-1510 CVE-2014-1511 CVE-2014-1512
                   CVE-2014-1513 CVE-2014-1514
=====================================================================

1. Summary:

An updated thunderbird package that fixes several security issues is now available for Red Hat Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

RHEL Optional Productivity Applications (v. 5 server) - i386, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2014-1493, CVE-2014-1510, CVE-2014-1511, CVE-2014-1512, CVE-2014-1513, CVE-2014-1514)

Several information disclosure flaws were found in the way Thunderbird processed malformed web content. An attacker could use these flaws to gain access to sensitive information such as cross-domain content or protected memory addresses or, potentially, cause Thunderbird to crash. (CVE-2014-1497, CVE-2014-1508, CVE-2014-1505)

A memory corruption flaw was found in the way Thunderbird rendered certain PDF files. An attacker able to trick a user into installing a malicious extension could use this flaw to crash Thunderbird or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2014-1509)

Red Hat would like to thank the Mozilla project for reporting these issues.
Upstream acknowledges Benoit Jacob, Olli Pettay, Jan Varga, Jan de Mooij, Jesse Ruderman, Dan Gohman, Christoph Diehl, Atte Kettunen, Tyson Smith, Jesse Schwartzentruber, John Thomson, Robert O'Callahan, Mariusz Mlynski, Jüri Aedla, George Hotz, and the security research firm VUPEN as the original reporters of these issues.

Note: All of the above issues cannot be exploited by a specially-crafted HTML mail message as JavaScript is disabled by default for mail messages. They could be exploited another way in Thunderbird, for example, when viewing the full remote content of an RSS feed.

For technical details regarding these flaws, refer to the Mozilla security advisories for Thunderbird 24.4.0. You can find a link to the Mozilla advisories in the References section of this erratum.

All Thunderbird users should upgrade to this updated package, which contains Thunderbird version 24.4.0, which corrects these issues. After installing the update, Thunderbird must be restarted for the changes to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1077013 - CVE-2014-1493 Mozilla: Miscellaneous memory safety hazards (rv:24.4) (MFSA 2014-15)
1077016 - CVE-2014-1497 Mozilla: Out of bounds read during WAV file decoding (MFSA 2014-17)
1077025 - CVE-2014-1508 Mozilla: Information disclosure through polygon rendering in MathML (MFSA 2014-26)
1077028 - CVE-2014-1509 Mozilla: Memory corruption in Cairo during PDF font rendering (MFSA 2014-27)
1077029 - CVE-2014-1505 Mozilla: SVG filters information disclosure through feDisplacementMap (MFSA 2014-28)
1077490 - CVE-2014-1510 CVE-2014-1511 Mozilla: Privilege escalation using WebIDL-implemented APIs (MFSA 2014-29)
1077491 - CVE-2014-1512 Mozilla: Use-after-free in TypeObject (MFSA 2014-30)
1077492 - CVE-2014-1513 Mozilla: Out-of-bounds read/write through neutering ArrayBuffer objects (MFSA 2014-31)
1077494 - CVE-2014-1514 Mozilla: Out-of-bounds write through TypedArrayObject after neutering (MFSA 2014-32)

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/thunderbird-24.4.0-1.el5_10.src.rpm

i386:
thunderbird-24.4.0-1.el5_10.i386.rpm
thunderbird-debuginfo-24.4.0-1.el5_10.i386.rpm

x86_64:
thunderbird-24.4.0-1.el5_10.x86_64.rpm
thunderbird-debuginfo-24.4.0-1.el5_10.x86_64.rpm

RHEL Optional Productivity Applications (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/thunderbird-24.4.0-1.el5_10.src.rpm

i386:
thunderbird-24.4.0-1.el5_10.i386.rpm
thunderbird-debuginfo-24.4.0-1.el5_10.i386.rpm

x86_64:
thunderbird-24.4.0-1.el5_10.x86_64.rpm
thunderbird-debuginfo-24.4.0-1.el5_10.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/thunderbird-24.4.0-1.el6_5.src.rpm

i386:
thunderbird-24.4.0-1.el6_5.i686.rpm
thunderbird-debuginfo-24.4.0-1.el6_5.i686.rpm

x86_64:
thunderbird-24.4.0-1.el6_5.x86_64.rpm
thunderbird-debuginfo-24.4.0-1.el6_5.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/thunderbird-24.4.0-1.el6_5.src.rpm

i386:
thunderbird-24.4.0-1.el6_5.i686.rpm
thunderbird-debuginfo-24.4.0-1.el6_5.i686.rpm

ppc64:
thunderbird-24.4.0-1.el6_5.ppc64.rpm
thunderbird-debuginfo-24.4.0-1.el6_5.ppc64.rpm

s390x:
thunderbird-24.4.0-1.el6_5.s390x.rpm
thunderbird-debuginfo-24.4.0-1.el6_5.s390x.rpm

x86_64:
thunderbird-24.4.0-1.el6_5.x86_64.rpm
thunderbird-debuginfo-24.4.0-1.el6_5.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/thunderbird-24.4.0-1.el6_5.src.rpm

i386:
thunderbird-24.4.0-1.el6_5.i686.rpm
thunderbird-debuginfo-24.4.0-1.el6_5.i686.rpm

x86_64:
thunderbird-24.4.0-1.el6_5.x86_64.rpm
thunderbird-debuginfo-24.4.0-1.el6_5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2014-1493.html
https://www.redhat.com/security/data/cve/CVE-2014-1497.html
https://www.redhat.com/security/data/cve/CVE-2014-1505.html
https://www.redhat.com/security/data/cve/CVE-2014-1508.html
https://www.redhat.com/security/data/cve/CVE-2014-1509.html
https://www.redhat.com/security/data/cve/CVE-2014-1510.html
https://www.redhat.com/security/data/cve/CVE-2014-1511.html
https://www.redhat.com/security/data/cve/CVE-2014-1512.html
https://www.redhat.com/security/data/cve/CVE-2014-1513.html
https://www.redhat.com/security/data/cve/CVE-2014-1514.html
https://access.redhat.com/security/updates/classification/#important
https://www.mozilla.org/security/known-vulnerabilities/thunderbird.html

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFTKdf1XlSAg2UNWIIRAtDzAJ4uWAL3tyjRPY1BjByJkaIKb8p4xwCfaOwR
cfL6k2NDvXH6NHAQJJu//VM=
=+c9o
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Mon Mar 24 18:08:32 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 24 Mar 2014 18:08:32 +0000
Subject: [RHSA-2014:0321-01] Moderate: net-snmp security and bug fix update
Message-ID: <201403241808.s2OI8WVD023075@int-mx11.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: net-snmp security and bug fix update
Advisory ID:       RHSA-2014:0321-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0321.html
Issue date:        2014-03-24
CVE Names:         CVE-2014-2284
=====================================================================

1. Summary:

Updated net-snmp packages that fix one security issue and one bug are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64

3. Description:

The net-snmp packages provide various libraries and tools for the Simple Network Management Protocol (SNMP), including an SNMP library, an extensible agent, tools for requesting or setting information from SNMP agents, tools for generating and handling SNMP traps, a version of the netstat command which uses SNMP, and a Tk/Perl Management Information Base (MIB) browser.

A buffer overflow flaw was found in the way the decode_icmp_msg() function in the ICMP-MIB implementation processed Internet Control Message Protocol (ICMP) message statistics reported in the /proc/net/snmp file. A remote attacker could send a message for each ICMP message type, which could potentially cause the snmpd service to crash when processing the /proc/net/snmp file. (CVE-2014-2284)

This update also fixes the following bug:

* The snmpd service parses the /proc/diskstats file to track disk usage statistics for UCD-DISKIO-MIB::diskIOTable. On systems with a large number of block devices, /proc/diskstats may be large in size and parsing it can take a non-trivial amount of CPU time. With this update, Net-SNMP introduces a new option, 'diskio', in the /etc/snmp/snmpd.conf file, which can be used to explicitly specify devices that should be monitored.
Only these whitelisted devices are then reported in UCD-DISKIO-MIB::diskIOTable, thus speeding up snmpd on systems with numerous block devices. (BZ#990674)

All net-snmp users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the snmpd service will be restarted automatically.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1070396 - CVE-2014-2284 net-snmp: denial of service flaw in Linux implementation of ICMP-MIB

6. Package List:

Red Hat Enterprise Linux Desktop (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/net-snmp-5.5-49.el6_5.1.src.rpm

i386:
net-snmp-5.5-49.el6_5.1.i686.rpm
net-snmp-debuginfo-5.5-49.el6_5.1.i686.rpm
net-snmp-libs-5.5-49.el6_5.1.i686.rpm

x86_64:
net-snmp-5.5-49.el6_5.1.x86_64.rpm
net-snmp-debuginfo-5.5-49.el6_5.1.i686.rpm
net-snmp-debuginfo-5.5-49.el6_5.1.x86_64.rpm
net-snmp-libs-5.5-49.el6_5.1.i686.rpm
net-snmp-libs-5.5-49.el6_5.1.x86_64.rpm

Red Hat Enterprise Linux Desktop Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/net-snmp-5.5-49.el6_5.1.src.rpm

i386:
net-snmp-debuginfo-5.5-49.el6_5.1.i686.rpm
net-snmp-devel-5.5-49.el6_5.1.i686.rpm
net-snmp-perl-5.5-49.el6_5.1.i686.rpm
net-snmp-python-5.5-49.el6_5.1.i686.rpm
net-snmp-utils-5.5-49.el6_5.1.i686.rpm

x86_64:
net-snmp-debuginfo-5.5-49.el6_5.1.i686.rpm
net-snmp-debuginfo-5.5-49.el6_5.1.x86_64.rpm
net-snmp-devel-5.5-49.el6_5.1.i686.rpm
net-snmp-devel-5.5-49.el6_5.1.x86_64.rpm
net-snmp-perl-5.5-49.el6_5.1.x86_64.rpm
net-snmp-python-5.5-49.el6_5.1.x86_64.rpm
net-snmp-utils-5.5-49.el6_5.1.x86_64.rpm

Red Hat Enterprise Linux HPC Node (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/net-snmp-5.5-49.el6_5.1.src.rpm

x86_64:
net-snmp-5.5-49.el6_5.1.x86_64.rpm
net-snmp-debuginfo-5.5-49.el6_5.1.i686.rpm
net-snmp-debuginfo-5.5-49.el6_5.1.x86_64.rpm
net-snmp-libs-5.5-49.el6_5.1.i686.rpm
net-snmp-libs-5.5-49.el6_5.1.x86_64.rpm
net-snmp-perl-5.5-49.el6_5.1.x86_64.rpm
net-snmp-python-5.5-49.el6_5.1.x86_64.rpm
net-snmp-utils-5.5-49.el6_5.1.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/net-snmp-5.5-49.el6_5.1.src.rpm

x86_64:
net-snmp-debuginfo-5.5-49.el6_5.1.i686.rpm
net-snmp-debuginfo-5.5-49.el6_5.1.x86_64.rpm
net-snmp-devel-5.5-49.el6_5.1.i686.rpm
net-snmp-devel-5.5-49.el6_5.1.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/net-snmp-5.5-49.el6_5.1.src.rpm

i386:
net-snmp-5.5-49.el6_5.1.i686.rpm
net-snmp-debuginfo-5.5-49.el6_5.1.i686.rpm
net-snmp-devel-5.5-49.el6_5.1.i686.rpm
net-snmp-libs-5.5-49.el6_5.1.i686.rpm
net-snmp-perl-5.5-49.el6_5.1.i686.rpm
net-snmp-python-5.5-49.el6_5.1.i686.rpm
net-snmp-utils-5.5-49.el6_5.1.i686.rpm

ppc64:
net-snmp-5.5-49.el6_5.1.ppc64.rpm
net-snmp-debuginfo-5.5-49.el6_5.1.ppc.rpm
net-snmp-debuginfo-5.5-49.el6_5.1.ppc64.rpm
net-snmp-devel-5.5-49.el6_5.1.ppc.rpm
net-snmp-devel-5.5-49.el6_5.1.ppc64.rpm
net-snmp-libs-5.5-49.el6_5.1.ppc.rpm
net-snmp-libs-5.5-49.el6_5.1.ppc64.rpm
net-snmp-perl-5.5-49.el6_5.1.ppc64.rpm
net-snmp-python-5.5-49.el6_5.1.ppc64.rpm
net-snmp-utils-5.5-49.el6_5.1.ppc64.rpm

s390x:
net-snmp-5.5-49.el6_5.1.s390x.rpm
net-snmp-debuginfo-5.5-49.el6_5.1.s390.rpm
net-snmp-debuginfo-5.5-49.el6_5.1.s390x.rpm
net-snmp-devel-5.5-49.el6_5.1.s390.rpm
net-snmp-devel-5.5-49.el6_5.1.s390x.rpm
net-snmp-libs-5.5-49.el6_5.1.s390.rpm
net-snmp-libs-5.5-49.el6_5.1.s390x.rpm
net-snmp-perl-5.5-49.el6_5.1.s390x.rpm
net-snmp-python-5.5-49.el6_5.1.s390x.rpm
net-snmp-utils-5.5-49.el6_5.1.s390x.rpm

x86_64:
net-snmp-5.5-49.el6_5.1.x86_64.rpm
net-snmp-debuginfo-5.5-49.el6_5.1.i686.rpm
net-snmp-debuginfo-5.5-49.el6_5.1.x86_64.rpm
net-snmp-devel-5.5-49.el6_5.1.i686.rpm
net-snmp-devel-5.5-49.el6_5.1.x86_64.rpm
net-snmp-libs-5.5-49.el6_5.1.i686.rpm
net-snmp-libs-5.5-49.el6_5.1.x86_64.rpm
net-snmp-perl-5.5-49.el6_5.1.x86_64.rpm
net-snmp-python-5.5-49.el6_5.1.x86_64.rpm
net-snmp-utils-5.5-49.el6_5.1.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/net-snmp-5.5-49.el6_5.1.src.rpm

i386:
net-snmp-5.5-49.el6_5.1.i686.rpm
net-snmp-debuginfo-5.5-49.el6_5.1.i686.rpm
net-snmp-devel-5.5-49.el6_5.1.i686.rpm
net-snmp-libs-5.5-49.el6_5.1.i686.rpm
net-snmp-perl-5.5-49.el6_5.1.i686.rpm
net-snmp-python-5.5-49.el6_5.1.i686.rpm
net-snmp-utils-5.5-49.el6_5.1.i686.rpm

x86_64:
net-snmp-5.5-49.el6_5.1.x86_64.rpm
net-snmp-debuginfo-5.5-49.el6_5.1.i686.rpm
net-snmp-debuginfo-5.5-49.el6_5.1.x86_64.rpm
net-snmp-devel-5.5-49.el6_5.1.i686.rpm
net-snmp-devel-5.5-49.el6_5.1.x86_64.rpm
net-snmp-libs-5.5-49.el6_5.1.i686.rpm
net-snmp-libs-5.5-49.el6_5.1.x86_64.rpm
net-snmp-perl-5.5-49.el6_5.1.x86_64.rpm
net-snmp-python-5.5-49.el6_5.1.x86_64.rpm
net-snmp-utils-5.5-49.el6_5.1.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2014-2284.html
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
From bugzilla at redhat.com Mon Mar 24 18:08:59 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 24 Mar 2014 18:08:59 +0000
Subject: [RHSA-2014:0322-01] Moderate: net-snmp security update
Message-ID: <201403241809.s2OI90NP025127@int-mx10.intmail.prod.int.phx2.redhat.com>

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: net-snmp security update
Advisory ID: RHSA-2014:0322-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-0322.html
Issue date: 2014-03-24
CVE Names: CVE-2012-6151 CVE-2014-2285
=====================================================================

1. Summary:

Updated net-snmp packages that fix two security issues are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64

3. Description:

The net-snmp packages provide various libraries and tools for the Simple Network Management Protocol (SNMP), including an SNMP library, an extensible agent, tools for requesting or setting information from SNMP agents, tools for generating and handling SNMP traps, a version of the netstat command which uses SNMP, and a Tk/Perl Management Information Base (MIB) browser.
A denial of service flaw was found in the way snmpd, the Net-SNMP daemon, handled subagent timeouts. A remote attacker able to trigger a subagent timeout could use this flaw to cause snmpd to loop infinitely or crash. (CVE-2012-6151)

A denial of service flaw was found in the way the snmptrapd service, which receives and logs SNMP trap messages, handled SNMP trap requests with an empty community string when the Perl handler (provided by the net-snmp-perl package) was enabled. A remote attacker could use this flaw to crash snmptrapd by sending a trap request with an empty community string. (CVE-2014-2285)

All net-snmp users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the snmpd and snmptrapd services will be restarted automatically.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1038007 - CVE-2012-6151 net-snmp: snmpd crashes/hangs when AgentX subagent times-out
1072778 - CVE-2014-2285 net-snmp: snmptrapd crash when using a trap with empty community string

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/net-snmp-5.3.2.2-22.el5_10.1.src.rpm

i386:
net-snmp-5.3.2.2-22.el5_10.1.i386.rpm
net-snmp-debuginfo-5.3.2.2-22.el5_10.1.i386.rpm
net-snmp-libs-5.3.2.2-22.el5_10.1.i386.rpm
net-snmp-perl-5.3.2.2-22.el5_10.1.i386.rpm
net-snmp-utils-5.3.2.2-22.el5_10.1.i386.rpm

x86_64:
net-snmp-5.3.2.2-22.el5_10.1.x86_64.rpm
net-snmp-debuginfo-5.3.2.2-22.el5_10.1.i386.rpm
net-snmp-debuginfo-5.3.2.2-22.el5_10.1.x86_64.rpm
net-snmp-libs-5.3.2.2-22.el5_10.1.i386.rpm
net-snmp-libs-5.3.2.2-22.el5_10.1.x86_64.rpm
net-snmp-perl-5.3.2.2-22.el5_10.1.x86_64.rpm
net-snmp-utils-5.3.2.2-22.el5_10.1.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/net-snmp-5.3.2.2-22.el5_10.1.src.rpm

i386:
net-snmp-debuginfo-5.3.2.2-22.el5_10.1.i386.rpm
net-snmp-devel-5.3.2.2-22.el5_10.1.i386.rpm

x86_64:
net-snmp-debuginfo-5.3.2.2-22.el5_10.1.i386.rpm
net-snmp-debuginfo-5.3.2.2-22.el5_10.1.x86_64.rpm
net-snmp-devel-5.3.2.2-22.el5_10.1.i386.rpm
net-snmp-devel-5.3.2.2-22.el5_10.1.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/net-snmp-5.3.2.2-22.el5_10.1.src.rpm

i386:
net-snmp-5.3.2.2-22.el5_10.1.i386.rpm
net-snmp-debuginfo-5.3.2.2-22.el5_10.1.i386.rpm
net-snmp-devel-5.3.2.2-22.el5_10.1.i386.rpm
net-snmp-libs-5.3.2.2-22.el5_10.1.i386.rpm
net-snmp-perl-5.3.2.2-22.el5_10.1.i386.rpm
net-snmp-utils-5.3.2.2-22.el5_10.1.i386.rpm

ia64:
net-snmp-5.3.2.2-22.el5_10.1.ia64.rpm
net-snmp-debuginfo-5.3.2.2-22.el5_10.1.ia64.rpm
net-snmp-devel-5.3.2.2-22.el5_10.1.ia64.rpm
net-snmp-libs-5.3.2.2-22.el5_10.1.ia64.rpm
net-snmp-perl-5.3.2.2-22.el5_10.1.ia64.rpm
net-snmp-utils-5.3.2.2-22.el5_10.1.ia64.rpm

ppc:
net-snmp-5.3.2.2-22.el5_10.1.ppc.rpm
net-snmp-debuginfo-5.3.2.2-22.el5_10.1.ppc.rpm
net-snmp-debuginfo-5.3.2.2-22.el5_10.1.ppc64.rpm
net-snmp-devel-5.3.2.2-22.el5_10.1.ppc.rpm
net-snmp-devel-5.3.2.2-22.el5_10.1.ppc64.rpm
net-snmp-libs-5.3.2.2-22.el5_10.1.ppc.rpm
net-snmp-libs-5.3.2.2-22.el5_10.1.ppc64.rpm
net-snmp-perl-5.3.2.2-22.el5_10.1.ppc.rpm
net-snmp-utils-5.3.2.2-22.el5_10.1.ppc.rpm

s390x:
net-snmp-5.3.2.2-22.el5_10.1.s390x.rpm
net-snmp-debuginfo-5.3.2.2-22.el5_10.1.s390.rpm
net-snmp-debuginfo-5.3.2.2-22.el5_10.1.s390x.rpm
net-snmp-devel-5.3.2.2-22.el5_10.1.s390.rpm
net-snmp-devel-5.3.2.2-22.el5_10.1.s390x.rpm
net-snmp-libs-5.3.2.2-22.el5_10.1.s390.rpm
net-snmp-libs-5.3.2.2-22.el5_10.1.s390x.rpm
net-snmp-perl-5.3.2.2-22.el5_10.1.s390x.rpm
net-snmp-utils-5.3.2.2-22.el5_10.1.s390x.rpm

x86_64:
net-snmp-5.3.2.2-22.el5_10.1.x86_64.rpm
net-snmp-debuginfo-5.3.2.2-22.el5_10.1.i386.rpm
net-snmp-debuginfo-5.3.2.2-22.el5_10.1.x86_64.rpm
net-snmp-devel-5.3.2.2-22.el5_10.1.i386.rpm
net-snmp-devel-5.3.2.2-22.el5_10.1.x86_64.rpm
net-snmp-libs-5.3.2.2-22.el5_10.1.i386.rpm
net-snmp-libs-5.3.2.2-22.el5_10.1.x86_64.rpm
net-snmp-perl-5.3.2.2-22.el5_10.1.x86_64.rpm
net-snmp-utils-5.3.2.2-22.el5_10.1.x86_64.rpm

These packages are GPG signed by Red Hat for security.
Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2012-6151.html
https://www.redhat.com/security/data/cve/CVE-2014-2285.html
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.

From bugzilla at redhat.com Tue Mar 25 14:39:42 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 25 Mar 2014 14:39:42 +0000
Subject: [RHSA-2014:0328-01] Important: kernel security and bug fix update
Message-ID: <201403251434.s2PEY8vL008811@int-mx12.intmail.prod.int.phx2.redhat.com>

=====================================================================
Red Hat Security Advisory

Synopsis: Important: kernel security and bug fix update
Advisory ID: RHSA-2014:0328-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-0328.html
Issue date: 2014-03-25
CVE Names: CVE-2013-1860 CVE-2014-0055 CVE-2014-0069 CVE-2014-0101
=====================================================================

1. Summary:

Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 6) - i386, noarch, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - noarch, x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, noarch, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, noarch, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64

3. Description:

The kernel packages contain the Linux kernel, the core of any Linux operating system.

* A flaw was found in the way the get_rx_bufs() function in the vhost_net implementation in the Linux kernel handled error conditions reported by the vhost_get_vq_desc() function. A privileged guest user could use this flaw to crash the host. (CVE-2014-0055, Important)

* A flaw was found in the way the Linux kernel processed an authenticated COOKIE_ECHO chunk during the initialization of an SCTP connection. A remote attacker could use this flaw to crash the system by initiating a specially crafted SCTP handshake in order to trigger a NULL pointer dereference on the system. (CVE-2014-0101, Important)

* A flaw was found in the way the Linux kernel's CIFS implementation handled uncached write operations with specially crafted iovec structures. An unprivileged local user with access to a CIFS share could use this flaw to crash the system, leak kernel memory, or, potentially, escalate their privileges on the system. Note: the default cache settings for CIFS mounts on Red Hat Enterprise Linux 6 prohibit a successful exploitation of this issue. (CVE-2014-0069, Moderate)

* A heap-based buffer overflow flaw was found in the Linux kernel's cdc-wdm driver, used for USB CDC WCM device management. An attacker with physical access to a system could use this flaw to cause a denial of service or, potentially, escalate their privileges.
(CVE-2013-1860, Low)

Red Hat would like to thank Nokia Siemens Networks for reporting CVE-2014-0101, and Al Viro for reporting CVE-2014-0069.

This update also fixes several bugs. Documentation for these changes will be available shortly from the Technical Notes document linked to in the References section.

All kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

To install kernel packages manually, use "rpm -ivh [package]". Do not use "rpm -Uvh" as that will remove the running kernel binaries from your system. You may use "rpm -e" to remove old kernels after determining that the new kernel functions properly on your system.

5. Bugs fixed (https://bugzilla.redhat.com/):

921970 - CVE-2013-1860 kernel: usb: cdc-wdm buffer overflow triggered by device
1062577 - CVE-2014-0055 kernel: vhost-net: insufficient handling of error conditions in get_rx_bufs()
1064253 - CVE-2014-0069 kernel: cifs: incorrect handling of bogus user pointers during uncached writes
1070705 - CVE-2014-0101 kernel: net: sctp: null pointer dereference when processing authenticated cookie_echo chunk

6. Package List:

Red Hat Enterprise Linux Desktop (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/kernel-2.6.32-431.11.2.el6.src.rpm

i386:
kernel-2.6.32-431.11.2.el6.i686.rpm
kernel-debug-2.6.32-431.11.2.el6.i686.rpm
kernel-debug-debuginfo-2.6.32-431.11.2.el6.i686.rpm
kernel-debug-devel-2.6.32-431.11.2.el6.i686.rpm
kernel-debuginfo-2.6.32-431.11.2.el6.i686.rpm
kernel-debuginfo-common-i686-2.6.32-431.11.2.el6.i686.rpm
kernel-devel-2.6.32-431.11.2.el6.i686.rpm
kernel-headers-2.6.32-431.11.2.el6.i686.rpm
perf-2.6.32-431.11.2.el6.i686.rpm
perf-debuginfo-2.6.32-431.11.2.el6.i686.rpm
python-perf-debuginfo-2.6.32-431.11.2.el6.i686.rpm

noarch:
kernel-abi-whitelists-2.6.32-431.11.2.el6.noarch.rpm
kernel-doc-2.6.32-431.11.2.el6.noarch.rpm
kernel-firmware-2.6.32-431.11.2.el6.noarch.rpm

x86_64:
kernel-2.6.32-431.11.2.el6.x86_64.rpm
kernel-debug-2.6.32-431.11.2.el6.x86_64.rpm
kernel-debug-debuginfo-2.6.32-431.11.2.el6.x86_64.rpm
kernel-debug-devel-2.6.32-431.11.2.el6.x86_64.rpm
kernel-debuginfo-2.6.32-431.11.2.el6.x86_64.rpm
kernel-debuginfo-common-x86_64-2.6.32-431.11.2.el6.x86_64.rpm
kernel-devel-2.6.32-431.11.2.el6.x86_64.rpm
kernel-headers-2.6.32-431.11.2.el6.x86_64.rpm
perf-2.6.32-431.11.2.el6.x86_64.rpm
perf-debuginfo-2.6.32-431.11.2.el6.x86_64.rpm
python-perf-debuginfo-2.6.32-431.11.2.el6.x86_64.rpm

Red Hat Enterprise Linux Desktop Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/kernel-2.6.32-431.11.2.el6.src.rpm

i386:
kernel-debug-debuginfo-2.6.32-431.11.2.el6.i686.rpm
kernel-debuginfo-2.6.32-431.11.2.el6.i686.rpm
kernel-debuginfo-common-i686-2.6.32-431.11.2.el6.i686.rpm
perf-debuginfo-2.6.32-431.11.2.el6.i686.rpm
python-perf-2.6.32-431.11.2.el6.i686.rpm
python-perf-debuginfo-2.6.32-431.11.2.el6.i686.rpm

x86_64:
kernel-debug-debuginfo-2.6.32-431.11.2.el6.x86_64.rpm
kernel-debuginfo-2.6.32-431.11.2.el6.x86_64.rpm
kernel-debuginfo-common-x86_64-2.6.32-431.11.2.el6.x86_64.rpm
perf-debuginfo-2.6.32-431.11.2.el6.x86_64.rpm
python-perf-2.6.32-431.11.2.el6.x86_64.rpm
python-perf-debuginfo-2.6.32-431.11.2.el6.x86_64.rpm

Red Hat Enterprise Linux HPC Node (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/kernel-2.6.32-431.11.2.el6.src.rpm

noarch:
kernel-abi-whitelists-2.6.32-431.11.2.el6.noarch.rpm
kernel-doc-2.6.32-431.11.2.el6.noarch.rpm
kernel-firmware-2.6.32-431.11.2.el6.noarch.rpm

x86_64:
kernel-2.6.32-431.11.2.el6.x86_64.rpm
kernel-debug-2.6.32-431.11.2.el6.x86_64.rpm
kernel-debug-debuginfo-2.6.32-431.11.2.el6.x86_64.rpm
kernel-debug-devel-2.6.32-431.11.2.el6.x86_64.rpm
kernel-debuginfo-2.6.32-431.11.2.el6.x86_64.rpm
kernel-debuginfo-common-x86_64-2.6.32-431.11.2.el6.x86_64.rpm
kernel-devel-2.6.32-431.11.2.el6.x86_64.rpm
kernel-headers-2.6.32-431.11.2.el6.x86_64.rpm
perf-2.6.32-431.11.2.el6.x86_64.rpm
perf-debuginfo-2.6.32-431.11.2.el6.x86_64.rpm
python-perf-debuginfo-2.6.32-431.11.2.el6.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/kernel-2.6.32-431.11.2.el6.src.rpm

x86_64:
kernel-debug-debuginfo-2.6.32-431.11.2.el6.x86_64.rpm
kernel-debuginfo-2.6.32-431.11.2.el6.x86_64.rpm
kernel-debuginfo-common-x86_64-2.6.32-431.11.2.el6.x86_64.rpm
perf-debuginfo-2.6.32-431.11.2.el6.x86_64.rpm
python-perf-2.6.32-431.11.2.el6.x86_64.rpm
python-perf-debuginfo-2.6.32-431.11.2.el6.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/kernel-2.6.32-431.11.2.el6.src.rpm

i386:
kernel-2.6.32-431.11.2.el6.i686.rpm
kernel-debug-2.6.32-431.11.2.el6.i686.rpm
kernel-debug-debuginfo-2.6.32-431.11.2.el6.i686.rpm
kernel-debug-devel-2.6.32-431.11.2.el6.i686.rpm
kernel-debuginfo-2.6.32-431.11.2.el6.i686.rpm
kernel-debuginfo-common-i686-2.6.32-431.11.2.el6.i686.rpm
kernel-devel-2.6.32-431.11.2.el6.i686.rpm
kernel-headers-2.6.32-431.11.2.el6.i686.rpm
perf-2.6.32-431.11.2.el6.i686.rpm
perf-debuginfo-2.6.32-431.11.2.el6.i686.rpm
python-perf-debuginfo-2.6.32-431.11.2.el6.i686.rpm

noarch:
kernel-abi-whitelists-2.6.32-431.11.2.el6.noarch.rpm
kernel-doc-2.6.32-431.11.2.el6.noarch.rpm
kernel-firmware-2.6.32-431.11.2.el6.noarch.rpm

ppc64:
kernel-2.6.32-431.11.2.el6.ppc64.rpm
kernel-bootwrapper-2.6.32-431.11.2.el6.ppc64.rpm
kernel-debug-2.6.32-431.11.2.el6.ppc64.rpm
kernel-debug-debuginfo-2.6.32-431.11.2.el6.ppc64.rpm
kernel-debug-devel-2.6.32-431.11.2.el6.ppc64.rpm
kernel-debuginfo-2.6.32-431.11.2.el6.ppc64.rpm
kernel-debuginfo-common-ppc64-2.6.32-431.11.2.el6.ppc64.rpm
kernel-devel-2.6.32-431.11.2.el6.ppc64.rpm
kernel-headers-2.6.32-431.11.2.el6.ppc64.rpm
perf-2.6.32-431.11.2.el6.ppc64.rpm
perf-debuginfo-2.6.32-431.11.2.el6.ppc64.rpm
python-perf-debuginfo-2.6.32-431.11.2.el6.ppc64.rpm

s390x:
kernel-2.6.32-431.11.2.el6.s390x.rpm
kernel-debug-2.6.32-431.11.2.el6.s390x.rpm
kernel-debug-debuginfo-2.6.32-431.11.2.el6.s390x.rpm
kernel-debug-devel-2.6.32-431.11.2.el6.s390x.rpm
kernel-debuginfo-2.6.32-431.11.2.el6.s390x.rpm
kernel-debuginfo-common-s390x-2.6.32-431.11.2.el6.s390x.rpm
kernel-devel-2.6.32-431.11.2.el6.s390x.rpm
kernel-headers-2.6.32-431.11.2.el6.s390x.rpm
kernel-kdump-2.6.32-431.11.2.el6.s390x.rpm
kernel-kdump-debuginfo-2.6.32-431.11.2.el6.s390x.rpm
kernel-kdump-devel-2.6.32-431.11.2.el6.s390x.rpm
perf-2.6.32-431.11.2.el6.s390x.rpm
perf-debuginfo-2.6.32-431.11.2.el6.s390x.rpm
python-perf-debuginfo-2.6.32-431.11.2.el6.s390x.rpm

x86_64:
kernel-2.6.32-431.11.2.el6.x86_64.rpm
kernel-debug-2.6.32-431.11.2.el6.x86_64.rpm
kernel-debug-debuginfo-2.6.32-431.11.2.el6.x86_64.rpm
kernel-debug-devel-2.6.32-431.11.2.el6.x86_64.rpm
kernel-debuginfo-2.6.32-431.11.2.el6.x86_64.rpm
kernel-debuginfo-common-x86_64-2.6.32-431.11.2.el6.x86_64.rpm
kernel-devel-2.6.32-431.11.2.el6.x86_64.rpm
kernel-headers-2.6.32-431.11.2.el6.x86_64.rpm
perf-2.6.32-431.11.2.el6.x86_64.rpm
perf-debuginfo-2.6.32-431.11.2.el6.x86_64.rpm
python-perf-debuginfo-2.6.32-431.11.2.el6.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/kernel-2.6.32-431.11.2.el6.src.rpm

i386:
kernel-debug-debuginfo-2.6.32-431.11.2.el6.i686.rpm
kernel-debuginfo-2.6.32-431.11.2.el6.i686.rpm
kernel-debuginfo-common-i686-2.6.32-431.11.2.el6.i686.rpm
perf-debuginfo-2.6.32-431.11.2.el6.i686.rpm
python-perf-2.6.32-431.11.2.el6.i686.rpm
python-perf-debuginfo-2.6.32-431.11.2.el6.i686.rpm

ppc64:
kernel-debug-debuginfo-2.6.32-431.11.2.el6.ppc64.rpm
kernel-debuginfo-2.6.32-431.11.2.el6.ppc64.rpm
kernel-debuginfo-common-ppc64-2.6.32-431.11.2.el6.ppc64.rpm
perf-debuginfo-2.6.32-431.11.2.el6.ppc64.rpm
python-perf-2.6.32-431.11.2.el6.ppc64.rpm
python-perf-debuginfo-2.6.32-431.11.2.el6.ppc64.rpm

s390x:
kernel-debug-debuginfo-2.6.32-431.11.2.el6.s390x.rpm
kernel-debuginfo-2.6.32-431.11.2.el6.s390x.rpm
kernel-debuginfo-common-s390x-2.6.32-431.11.2.el6.s390x.rpm
kernel-kdump-debuginfo-2.6.32-431.11.2.el6.s390x.rpm
perf-debuginfo-2.6.32-431.11.2.el6.s390x.rpm
python-perf-2.6.32-431.11.2.el6.s390x.rpm
python-perf-debuginfo-2.6.32-431.11.2.el6.s390x.rpm

x86_64:
kernel-debug-debuginfo-2.6.32-431.11.2.el6.x86_64.rpm
kernel-debuginfo-2.6.32-431.11.2.el6.x86_64.rpm
kernel-debuginfo-common-x86_64-2.6.32-431.11.2.el6.x86_64.rpm
perf-debuginfo-2.6.32-431.11.2.el6.x86_64.rpm
python-perf-2.6.32-431.11.2.el6.x86_64.rpm
python-perf-debuginfo-2.6.32-431.11.2.el6.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/kernel-2.6.32-431.11.2.el6.src.rpm

i386:
kernel-2.6.32-431.11.2.el6.i686.rpm
kernel-debug-2.6.32-431.11.2.el6.i686.rpm
kernel-debug-debuginfo-2.6.32-431.11.2.el6.i686.rpm
kernel-debug-devel-2.6.32-431.11.2.el6.i686.rpm
kernel-debuginfo-2.6.32-431.11.2.el6.i686.rpm
kernel-debuginfo-common-i686-2.6.32-431.11.2.el6.i686.rpm
kernel-devel-2.6.32-431.11.2.el6.i686.rpm
kernel-headers-2.6.32-431.11.2.el6.i686.rpm
perf-2.6.32-431.11.2.el6.i686.rpm
perf-debuginfo-2.6.32-431.11.2.el6.i686.rpm
python-perf-debuginfo-2.6.32-431.11.2.el6.i686.rpm

noarch:
kernel-abi-whitelists-2.6.32-431.11.2.el6.noarch.rpm
kernel-doc-2.6.32-431.11.2.el6.noarch.rpm
kernel-firmware-2.6.32-431.11.2.el6.noarch.rpm

x86_64:
kernel-2.6.32-431.11.2.el6.x86_64.rpm
kernel-debug-2.6.32-431.11.2.el6.x86_64.rpm
kernel-debug-debuginfo-2.6.32-431.11.2.el6.x86_64.rpm
kernel-debug-devel-2.6.32-431.11.2.el6.x86_64.rpm
kernel-debuginfo-2.6.32-431.11.2.el6.x86_64.rpm
kernel-debuginfo-common-x86_64-2.6.32-431.11.2.el6.x86_64.rpm
kernel-devel-2.6.32-431.11.2.el6.x86_64.rpm
kernel-headers-2.6.32-431.11.2.el6.x86_64.rpm
perf-2.6.32-431.11.2.el6.x86_64.rpm
perf-debuginfo-2.6.32-431.11.2.el6.x86_64.rpm
python-perf-debuginfo-2.6.32-431.11.2.el6.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/kernel-2.6.32-431.11.2.el6.src.rpm

i386:
kernel-debug-debuginfo-2.6.32-431.11.2.el6.i686.rpm
kernel-debuginfo-2.6.32-431.11.2.el6.i686.rpm
kernel-debuginfo-common-i686-2.6.32-431.11.2.el6.i686.rpm
perf-debuginfo-2.6.32-431.11.2.el6.i686.rpm
python-perf-2.6.32-431.11.2.el6.i686.rpm
python-perf-debuginfo-2.6.32-431.11.2.el6.i686.rpm

x86_64:
kernel-debug-debuginfo-2.6.32-431.11.2.el6.x86_64.rpm
kernel-debuginfo-2.6.32-431.11.2.el6.x86_64.rpm
kernel-debuginfo-common-x86_64-2.6.32-431.11.2.el6.x86_64.rpm
perf-debuginfo-2.6.32-431.11.2.el6.x86_64.rpm
python-perf-2.6.32-431.11.2.el6.x86_64.rpm
python-perf-debuginfo-2.6.32-431.11.2.el6.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-1860.html
https://www.redhat.com/security/data/cve/CVE-2014-0055.html
https://www.redhat.com/security/data/cve/CVE-2014-0069.html
https://www.redhat.com/security/data/cve/CVE-2014-0101.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/6.5_Technical_Notes/kernel.html

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
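As an added example (not Red Hat's own tooling), a Python check for the procedure the Solution sections describe: compare the packages installed on a RHEL 6 host, and the kernel actually running, against the fixed version-release strings from the net-snmp (RHEL 6), kernel and samba advisories on this page. It reimplements rpm's rpmvercmp ordering so it runs without librpm; the rpm -qa and uname -r values are constructed samples, and epoch and caret handling are omitted on the assumption that these packages carry neither.

```python
"""Check installed RPM versions against an advisory's fixed versions.

Added example, not Red Hat tooling. The 'rpm -qa' output and 'uname -r'
value are constructed samples; epoch and '^' handling are omitted on the
assumption that none of these packages use them."""
import re
from typing import Dict, Optional, Tuple

# Fixed version-release strings copied from the package lists above:
# kernel from RHSA-2014:0328, net-snmp 5.5 from the RHEL 6 net-snmp
# advisory (CVE-2014-2284), samba 3.6.9 from RHSA-2014:0330.
FIXED: Dict[str, str] = {
    "kernel": "2.6.32-431.11.2.el6",
    "net-snmp": "5.5-49.el6_5.1",
    "net-snmp-libs": "5.5-49.el6_5.1",
    "net-snmp-utils": "5.5-49.el6_5.1",
    "samba": "3.6.9-168.el6_5",
    "samba-common": "3.6.9-168.el6_5",
    "samba-winbind": "3.6.9-168.el6_5",
    "libsmbclient": "3.6.9-168.el6_5",
}

# Constructed `rpm -qa` sample for a partially patched host: the fixed
# kernel is installed next to the old one (rpm -ivh, as the advisory
# says), but the old kernel is still the one running.
SAMPLE_RPM_QA = """\
kernel-2.6.32-431.5.1.el6.x86_64
kernel-2.6.32-431.11.2.el6.x86_64
net-snmp-5.5-49.el6_5.1.x86_64
net-snmp-libs-5.5-49.el6.x86_64
samba-common-3.6.9-164.el6.x86_64
samba-winbind-3.6.9-168.el6_5.x86_64
example-tool-1.0-1.el6.x86_64
"""
SAMPLE_UNAME_R = "2.6.32-431.5.1.el6.x86_64"  # constructed

_SEG = re.compile(r"[0-9]+|[A-Za-z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """rpm's ordering: split into numeric/alphabetic segments, compare
    numerics as integers, numeric beats alpha, '~' sorts before anything
    (even end of string), and otherwise leftover segments win. -1/0/1."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":
            if x != y:
                return -1 if x == "~" else 1
            continue
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
        elif x.isdigit():
            return 1
        elif y.isdigit():
            return -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) > len(sb):
        return -1 if sa[len(sb)] == "~" else 1
    if len(sb) > len(sa):
        return 1 if sb[len(sa)] == "~" else -1
    return 0


def split_nvra(pkg: str) -> Tuple[str, str, str, str]:
    """'net-snmp-libs-5.5-49.el6_5.1.i686[.rpm]' -> (name, ver, rel, arch)."""
    if pkg.endswith(".rpm"):
        pkg = pkg[:-4]
    nvr, arch = pkg.rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch


def compare_vr(vr_a: str, vr_b: str) -> int:
    """Compare 'version-release' strings: version first, then release."""
    va, ra = vr_a.rsplit("-", 1)
    vb, rb = vr_b.rsplit("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def package_status(pkg: str, fixed: Dict[str, str] = FIXED) -> Optional[str]:
    """'fixed' or 'vulnerable' for a covered package, None if not covered."""
    name, version, release, _arch = split_nvra(pkg)
    if name not in fixed:
        return None
    ok = compare_vr(f"{version}-{release}", fixed[name]) >= 0
    return "fixed" if ok else "vulnerable"


def audit(rpm_qa: str, uname_r: str, fixed: Dict[str, str] = FIXED) -> Dict[str, str]:
    """Status of every covered installed package plus the running kernel."""
    report: Dict[str, str] = {}
    for line in rpm_qa.splitlines():
        pkg = line.strip()
        if not pkg:
            continue
        status = package_status(pkg, fixed)
        if status:
            report[pkg] = status
    # Exposure depends on the kernel that is running, not merely installed.
    running = "kernel-" + uname_r
    report["running:" + running] = package_status(running, fixed) or "unknown"
    return report


if __name__ == "__main__":
    for pkg, status in audit(SAMPLE_RPM_QA, SAMPLE_UNAME_R).items():
        print(f"{status:10s} {pkg}")
```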
From bugzilla at redhat.com Tue Mar 25 15:49:28 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 25 Mar 2014 15:49:28 +0000
Subject: [RHSA-2014:0330-01] Moderate: samba and samba3x security update
Message-ID: <201403251543.s2PFhs5X029929@int-mx02.intmail.prod.int.phx2.redhat.com>

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: samba and samba3x security update
Advisory ID: RHSA-2014:0330-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-0330.html
Issue date: 2014-03-25
CVE Names: CVE-2012-6150 CVE-2013-4496
=====================================================================

1. Summary:

Updated samba3x and samba packages that fix two security issues are now available for Red Hat Enterprise Linux 5 and 6 respectively.

The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64

3. Description:

Samba is an open-source implementation of the Server Message Block (SMB) or Common Internet File System (CIFS) protocol, which allows PC-compatible machines to share files, printers, and other information.

It was found that certain Samba configurations did not enforce the password lockout mechanism. A remote attacker could use this flaw to perform password guessing attacks on Samba user accounts. Note: this flaw only affected Samba when deployed as a Primary Domain Controller. (CVE-2013-4496)

A flaw was found in the way the pam_winbind module handled configurations that specified a non-existent group as required. An authenticated user could possibly use this flaw to gain access to a service using pam_winbind in its PAM configuration when group restriction was intended for access to the service. (CVE-2012-6150)

Red Hat would like to thank the Samba project for reporting CVE-2013-4496 and Sam Richardson for reporting CVE-2012-6150. Upstream acknowledges Andrew Bartlett as the original reporter of CVE-2013-4496.

All users of Samba are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the smb service will be restarted automatically.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1036897 - CVE-2012-6150 samba: pam_winbind fails open when non-existent group specified to require_membership_of
1072792 - CVE-2013-4496 samba: Password lockout not enforced for SAMR password changes

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/samba3x-3.6.6-0.139.el5_10.src.rpm

i386:
samba3x-3.6.6-0.139.el5_10.i386.rpm
samba3x-client-3.6.6-0.139.el5_10.i386.rpm
samba3x-common-3.6.6-0.139.el5_10.i386.rpm
samba3x-debuginfo-3.6.6-0.139.el5_10.i386.rpm
samba3x-doc-3.6.6-0.139.el5_10.i386.rpm
samba3x-domainjoin-gui-3.6.6-0.139.el5_10.i386.rpm
samba3x-swat-3.6.6-0.139.el5_10.i386.rpm
samba3x-winbind-3.6.6-0.139.el5_10.i386.rpm

x86_64:
samba3x-3.6.6-0.139.el5_10.x86_64.rpm
samba3x-client-3.6.6-0.139.el5_10.x86_64.rpm
samba3x-common-3.6.6-0.139.el5_10.x86_64.rpm
samba3x-debuginfo-3.6.6-0.139.el5_10.i386.rpm
samba3x-debuginfo-3.6.6-0.139.el5_10.x86_64.rpm
samba3x-doc-3.6.6-0.139.el5_10.x86_64.rpm
samba3x-domainjoin-gui-3.6.6-0.139.el5_10.x86_64.rpm
samba3x-swat-3.6.6-0.139.el5_10.x86_64.rpm
samba3x-winbind-3.6.6-0.139.el5_10.i386.rpm
samba3x-winbind-3.6.6-0.139.el5_10.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/samba3x-3.6.6-0.139.el5_10.src.rpm

i386:
samba3x-debuginfo-3.6.6-0.139.el5_10.i386.rpm
samba3x-winbind-devel-3.6.6-0.139.el5_10.i386.rpm

x86_64:
samba3x-debuginfo-3.6.6-0.139.el5_10.i386.rpm
samba3x-debuginfo-3.6.6-0.139.el5_10.x86_64.rpm
samba3x-winbind-devel-3.6.6-0.139.el5_10.i386.rpm
samba3x-winbind-devel-3.6.6-0.139.el5_10.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/samba3x-3.6.6-0.139.el5_10.src.rpm

i386:
samba3x-3.6.6-0.139.el5_10.i386.rpm
samba3x-client-3.6.6-0.139.el5_10.i386.rpm
samba3x-common-3.6.6-0.139.el5_10.i386.rpm
samba3x-debuginfo-3.6.6-0.139.el5_10.i386.rpm
samba3x-doc-3.6.6-0.139.el5_10.i386.rpm
samba3x-domainjoin-gui-3.6.6-0.139.el5_10.i386.rpm
samba3x-swat-3.6.6-0.139.el5_10.i386.rpm
samba3x-winbind-3.6.6-0.139.el5_10.i386.rpm
samba3x-winbind-devel-3.6.6-0.139.el5_10.i386.rpm

ia64:
samba3x-3.6.6-0.139.el5_10.ia64.rpm
samba3x-client-3.6.6-0.139.el5_10.ia64.rpm
samba3x-common-3.6.6-0.139.el5_10.ia64.rpm
samba3x-debuginfo-3.6.6-0.139.el5_10.ia64.rpm
samba3x-doc-3.6.6-0.139.el5_10.ia64.rpm
samba3x-domainjoin-gui-3.6.6-0.139.el5_10.ia64.rpm
samba3x-swat-3.6.6-0.139.el5_10.ia64.rpm
samba3x-winbind-3.6.6-0.139.el5_10.ia64.rpm
samba3x-winbind-devel-3.6.6-0.139.el5_10.ia64.rpm

ppc:
samba3x-3.6.6-0.139.el5_10.ppc.rpm
samba3x-client-3.6.6-0.139.el5_10.ppc.rpm
samba3x-common-3.6.6-0.139.el5_10.ppc.rpm
samba3x-debuginfo-3.6.6-0.139.el5_10.ppc.rpm
samba3x-debuginfo-3.6.6-0.139.el5_10.ppc64.rpm
samba3x-doc-3.6.6-0.139.el5_10.ppc.rpm
samba3x-domainjoin-gui-3.6.6-0.139.el5_10.ppc.rpm
samba3x-swat-3.6.6-0.139.el5_10.ppc.rpm
samba3x-winbind-3.6.6-0.139.el5_10.ppc.rpm
samba3x-winbind-3.6.6-0.139.el5_10.ppc64.rpm
samba3x-winbind-devel-3.6.6-0.139.el5_10.ppc.rpm
samba3x-winbind-devel-3.6.6-0.139.el5_10.ppc64.rpm

s390x:
samba3x-3.6.6-0.139.el5_10.s390x.rpm
samba3x-client-3.6.6-0.139.el5_10.s390x.rpm
samba3x-common-3.6.6-0.139.el5_10.s390x.rpm
samba3x-debuginfo-3.6.6-0.139.el5_10.s390.rpm
samba3x-debuginfo-3.6.6-0.139.el5_10.s390x.rpm
samba3x-doc-3.6.6-0.139.el5_10.s390x.rpm
samba3x-domainjoin-gui-3.6.6-0.139.el5_10.s390x.rpm
samba3x-swat-3.6.6-0.139.el5_10.s390x.rpm
samba3x-winbind-3.6.6-0.139.el5_10.s390.rpm
samba3x-winbind-3.6.6-0.139.el5_10.s390x.rpm
samba3x-winbind-devel-3.6.6-0.139.el5_10.s390.rpm
samba3x-winbind-devel-3.6.6-0.139.el5_10.s390x.rpm

x86_64:
samba3x-3.6.6-0.139.el5_10.x86_64.rpm
samba3x-client-3.6.6-0.139.el5_10.x86_64.rpm
samba3x-common-3.6.6-0.139.el5_10.x86_64.rpm
samba3x-debuginfo-3.6.6-0.139.el5_10.i386.rpm
samba3x-debuginfo-3.6.6-0.139.el5_10.x86_64.rpm
samba3x-doc-3.6.6-0.139.el5_10.x86_64.rpm
samba3x-domainjoin-gui-3.6.6-0.139.el5_10.x86_64.rpm
samba3x-swat-3.6.6-0.139.el5_10.x86_64.rpm
samba3x-winbind-3.6.6-0.139.el5_10.i386.rpm
samba3x-winbind-3.6.6-0.139.el5_10.x86_64.rpm
samba3x-winbind-devel-3.6.6-0.139.el5_10.i386.rpm
samba3x-winbind-devel-3.6.6-0.139.el5_10.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/samba-3.6.9-168.el6_5.src.rpm

i386:
libsmbclient-3.6.9-168.el6_5.i686.rpm
samba-client-3.6.9-168.el6_5.i686.rpm
samba-common-3.6.9-168.el6_5.i686.rpm
samba-debuginfo-3.6.9-168.el6_5.i686.rpm
samba-winbind-3.6.9-168.el6_5.i686.rpm
samba-winbind-clients-3.6.9-168.el6_5.i686.rpm

x86_64:
libsmbclient-3.6.9-168.el6_5.i686.rpm
libsmbclient-3.6.9-168.el6_5.x86_64.rpm
samba-client-3.6.9-168.el6_5.x86_64.rpm
samba-common-3.6.9-168.el6_5.i686.rpm
samba-common-3.6.9-168.el6_5.x86_64.rpm
samba-debuginfo-3.6.9-168.el6_5.i686.rpm
samba-debuginfo-3.6.9-168.el6_5.x86_64.rpm
samba-winbind-3.6.9-168.el6_5.x86_64.rpm
samba-winbind-clients-3.6.9-168.el6_5.i686.rpm
samba-winbind-clients-3.6.9-168.el6_5.x86_64.rpm

Red Hat Enterprise Linux Desktop Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/samba-3.6.9-168.el6_5.src.rpm

i386:
libsmbclient-devel-3.6.9-168.el6_5.i686.rpm
samba-3.6.9-168.el6_5.i686.rpm
samba-debuginfo-3.6.9-168.el6_5.i686.rpm
samba-doc-3.6.9-168.el6_5.i686.rpm
samba-domainjoin-gui-3.6.9-168.el6_5.i686.rpm
samba-swat-3.6.9-168.el6_5.i686.rpm
samba-winbind-devel-3.6.9-168.el6_5.i686.rpm
samba-winbind-krb5-locator-3.6.9-168.el6_5.i686.rpm

x86_64:
libsmbclient-devel-3.6.9-168.el6_5.i686.rpm
libsmbclient-devel-3.6.9-168.el6_5.x86_64.rpm
samba-3.6.9-168.el6_5.x86_64.rpm
samba-debuginfo-3.6.9-168.el6_5.i686.rpm
samba-debuginfo-3.6.9-168.el6_5.x86_64.rpm
samba-doc-3.6.9-168.el6_5.x86_64.rpm
samba-domainjoin-gui-3.6.9-168.el6_5.x86_64.rpm
samba-swat-3.6.9-168.el6_5.x86_64.rpm
samba-winbind-devel-3.6.9-168.el6_5.i686.rpm
samba-winbind-devel-3.6.9-168.el6_5.x86_64.rpm
samba-winbind-krb5-locator-3.6.9-168.el6_5.x86_64.rpm

Red Hat Enterprise Linux HPC Node (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/samba-3.6.9-168.el6_5.src.rpm

x86_64:
samba-client-3.6.9-168.el6_5.x86_64.rpm
samba-common-3.6.9-168.el6_5.i686.rpm
samba-common-3.6.9-168.el6_5.x86_64.rpm
samba-debuginfo-3.6.9-168.el6_5.i686.rpm
samba-debuginfo-3.6.9-168.el6_5.x86_64.rpm
samba-winbind-3.6.9-168.el6_5.x86_64.rpm
samba-winbind-clients-3.6.9-168.el6_5.i686.rpm
samba-winbind-clients-3.6.9-168.el6_5.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional (v.
6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/samba-3.6.9-168.el6_5.src.rpm x86_64: libsmbclient-3.6.9-168.el6_5.i686.rpm libsmbclient-3.6.9-168.el6_5.x86_64.rpm libsmbclient-devel-3.6.9-168.el6_5.i686.rpm libsmbclient-devel-3.6.9-168.el6_5.x86_64.rpm samba-3.6.9-168.el6_5.x86_64.rpm samba-debuginfo-3.6.9-168.el6_5.i686.rpm samba-debuginfo-3.6.9-168.el6_5.x86_64.rpm samba-doc-3.6.9-168.el6_5.x86_64.rpm samba-domainjoin-gui-3.6.9-168.el6_5.x86_64.rpm samba-swat-3.6.9-168.el6_5.x86_64.rpm samba-winbind-devel-3.6.9-168.el6_5.i686.rpm samba-winbind-devel-3.6.9-168.el6_5.x86_64.rpm samba-winbind-krb5-locator-3.6.9-168.el6_5.x86_64.rpm Red Hat Enterprise Linux Server (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/samba-3.6.9-168.el6_5.src.rpm i386: libsmbclient-3.6.9-168.el6_5.i686.rpm samba-3.6.9-168.el6_5.i686.rpm samba-client-3.6.9-168.el6_5.i686.rpm samba-common-3.6.9-168.el6_5.i686.rpm samba-debuginfo-3.6.9-168.el6_5.i686.rpm samba-winbind-3.6.9-168.el6_5.i686.rpm samba-winbind-clients-3.6.9-168.el6_5.i686.rpm ppc64: libsmbclient-3.6.9-168.el6_5.ppc.rpm libsmbclient-3.6.9-168.el6_5.ppc64.rpm samba-3.6.9-168.el6_5.ppc64.rpm samba-client-3.6.9-168.el6_5.ppc64.rpm samba-common-3.6.9-168.el6_5.ppc.rpm samba-common-3.6.9-168.el6_5.ppc64.rpm samba-debuginfo-3.6.9-168.el6_5.ppc.rpm samba-debuginfo-3.6.9-168.el6_5.ppc64.rpm samba-winbind-3.6.9-168.el6_5.ppc64.rpm samba-winbind-clients-3.6.9-168.el6_5.ppc.rpm samba-winbind-clients-3.6.9-168.el6_5.ppc64.rpm s390x: libsmbclient-3.6.9-168.el6_5.s390.rpm libsmbclient-3.6.9-168.el6_5.s390x.rpm samba-3.6.9-168.el6_5.s390x.rpm samba-client-3.6.9-168.el6_5.s390x.rpm samba-common-3.6.9-168.el6_5.s390.rpm samba-common-3.6.9-168.el6_5.s390x.rpm samba-debuginfo-3.6.9-168.el6_5.s390.rpm samba-debuginfo-3.6.9-168.el6_5.s390x.rpm samba-winbind-3.6.9-168.el6_5.s390x.rpm samba-winbind-clients-3.6.9-168.el6_5.s390.rpm samba-winbind-clients-3.6.9-168.el6_5.s390x.rpm 
x86_64: libsmbclient-3.6.9-168.el6_5.i686.rpm libsmbclient-3.6.9-168.el6_5.x86_64.rpm samba-3.6.9-168.el6_5.x86_64.rpm samba-client-3.6.9-168.el6_5.x86_64.rpm samba-common-3.6.9-168.el6_5.i686.rpm samba-common-3.6.9-168.el6_5.x86_64.rpm samba-debuginfo-3.6.9-168.el6_5.i686.rpm samba-debuginfo-3.6.9-168.el6_5.x86_64.rpm samba-winbind-3.6.9-168.el6_5.x86_64.rpm samba-winbind-clients-3.6.9-168.el6_5.i686.rpm samba-winbind-clients-3.6.9-168.el6_5.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/samba-3.6.9-168.el6_5.src.rpm i386: libsmbclient-devel-3.6.9-168.el6_5.i686.rpm samba-debuginfo-3.6.9-168.el6_5.i686.rpm samba-doc-3.6.9-168.el6_5.i686.rpm samba-domainjoin-gui-3.6.9-168.el6_5.i686.rpm samba-swat-3.6.9-168.el6_5.i686.rpm samba-winbind-devel-3.6.9-168.el6_5.i686.rpm samba-winbind-krb5-locator-3.6.9-168.el6_5.i686.rpm ppc64: libsmbclient-devel-3.6.9-168.el6_5.ppc.rpm libsmbclient-devel-3.6.9-168.el6_5.ppc64.rpm samba-debuginfo-3.6.9-168.el6_5.ppc.rpm samba-debuginfo-3.6.9-168.el6_5.ppc64.rpm samba-doc-3.6.9-168.el6_5.ppc64.rpm samba-domainjoin-gui-3.6.9-168.el6_5.ppc64.rpm samba-swat-3.6.9-168.el6_5.ppc64.rpm samba-winbind-devel-3.6.9-168.el6_5.ppc.rpm samba-winbind-devel-3.6.9-168.el6_5.ppc64.rpm samba-winbind-krb5-locator-3.6.9-168.el6_5.ppc64.rpm s390x: libsmbclient-devel-3.6.9-168.el6_5.s390.rpm libsmbclient-devel-3.6.9-168.el6_5.s390x.rpm samba-debuginfo-3.6.9-168.el6_5.s390.rpm samba-debuginfo-3.6.9-168.el6_5.s390x.rpm samba-doc-3.6.9-168.el6_5.s390x.rpm samba-domainjoin-gui-3.6.9-168.el6_5.s390x.rpm samba-swat-3.6.9-168.el6_5.s390x.rpm samba-winbind-devel-3.6.9-168.el6_5.s390.rpm samba-winbind-devel-3.6.9-168.el6_5.s390x.rpm samba-winbind-krb5-locator-3.6.9-168.el6_5.s390x.rpm x86_64: libsmbclient-devel-3.6.9-168.el6_5.i686.rpm libsmbclient-devel-3.6.9-168.el6_5.x86_64.rpm samba-debuginfo-3.6.9-168.el6_5.i686.rpm samba-debuginfo-3.6.9-168.el6_5.x86_64.rpm 
samba-doc-3.6.9-168.el6_5.x86_64.rpm samba-domainjoin-gui-3.6.9-168.el6_5.x86_64.rpm samba-swat-3.6.9-168.el6_5.x86_64.rpm samba-winbind-devel-3.6.9-168.el6_5.i686.rpm samba-winbind-devel-3.6.9-168.el6_5.x86_64.rpm samba-winbind-krb5-locator-3.6.9-168.el6_5.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/samba-3.6.9-168.el6_5.src.rpm i386: libsmbclient-3.6.9-168.el6_5.i686.rpm samba-3.6.9-168.el6_5.i686.rpm samba-client-3.6.9-168.el6_5.i686.rpm samba-common-3.6.9-168.el6_5.i686.rpm samba-debuginfo-3.6.9-168.el6_5.i686.rpm samba-winbind-3.6.9-168.el6_5.i686.rpm samba-winbind-clients-3.6.9-168.el6_5.i686.rpm x86_64: libsmbclient-3.6.9-168.el6_5.i686.rpm libsmbclient-3.6.9-168.el6_5.x86_64.rpm samba-3.6.9-168.el6_5.x86_64.rpm samba-client-3.6.9-168.el6_5.x86_64.rpm samba-common-3.6.9-168.el6_5.i686.rpm samba-common-3.6.9-168.el6_5.x86_64.rpm samba-debuginfo-3.6.9-168.el6_5.i686.rpm samba-debuginfo-3.6.9-168.el6_5.x86_64.rpm samba-winbind-3.6.9-168.el6_5.x86_64.rpm samba-winbind-clients-3.6.9-168.el6_5.i686.rpm samba-winbind-clients-3.6.9-168.el6_5.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 
6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/samba-3.6.9-168.el6_5.src.rpm i386: libsmbclient-devel-3.6.9-168.el6_5.i686.rpm samba-debuginfo-3.6.9-168.el6_5.i686.rpm samba-doc-3.6.9-168.el6_5.i686.rpm samba-domainjoin-gui-3.6.9-168.el6_5.i686.rpm samba-swat-3.6.9-168.el6_5.i686.rpm samba-winbind-devel-3.6.9-168.el6_5.i686.rpm samba-winbind-krb5-locator-3.6.9-168.el6_5.i686.rpm x86_64: libsmbclient-devel-3.6.9-168.el6_5.i686.rpm libsmbclient-devel-3.6.9-168.el6_5.x86_64.rpm samba-debuginfo-3.6.9-168.el6_5.i686.rpm samba-debuginfo-3.6.9-168.el6_5.x86_64.rpm samba-doc-3.6.9-168.el6_5.x86_64.rpm samba-domainjoin-gui-3.6.9-168.el6_5.x86_64.rpm samba-swat-3.6.9-168.el6_5.x86_64.rpm samba-winbind-devel-3.6.9-168.el6_5.i686.rpm samba-winbind-devel-3.6.9-168.el6_5.x86_64.rpm samba-winbind-krb5-locator-3.6.9-168.el6_5.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2012-6150.html https://www.redhat.com/security/data/cve/CVE-2013-4496.html https://access.redhat.com/security/updates/classification/#moderate http://www.samba.org/samba/security/CVE-2012-6150 http://www.samba.org/samba/security/CVE-2013-4496 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2014 Red Hat, Inc. 
From bugzilla at redhat.com  Mon Mar 31 18:09:42 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 31 Mar 2014 18:09:42 +0000
Subject: [RHSA-2014:0340-01] Low: Red Hat Enterprise Developer Toolset Version 1 3-month Retirement Notice
Message-ID: <201403311809.s2VI9hja025716@int-mx09.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: Red Hat Enterprise Developer Toolset Version 1 3-month Retirement Notice
Advisory ID:       RHSA-2014:0340-01
Product:           Red Hat Developer Toolset
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0340.html
Issue date:        2014-03-31
=====================================================================

1. Summary:

This is the three-month notification for the retirement of Red Hat Developer Toolset Version 1. This notification applies only to those customers with subscriptions for Red Hat Developer Toolset Version 1.

2. Description:

In accordance with the Red Hat Enterprise Developer Toolset Life Cycle policy, the Red Hat Developer Toolset Version 1 offering will be retired as of June 30, 2014, and support will no longer be provided. Accordingly, Red Hat will no longer provide updated packages, including critical impact security patches or urgent priority bug fixes, for Developer Toolset Version 1 after June 30, 2014. In addition, technical support through Red Hat's Global Support Services will no longer be provided for Red Hat Developer Toolset Version 1 after this date.

We encourage customers to plan their migration from Red Hat Enterprise Developer Toolset Version 1 to a more recent release of Red Hat Developer Toolset. As a benefit of the Red Hat subscription model, customers can use their active Red Hat Developer Toolset subscriptions to entitle any system on a currently supported version of this product.

Details of the Red Hat Enterprise Developer Toolset life cycle can be found at https://access.redhat.com/site/support/policy/updates/dts/

3. Solution:

Red Hat Enterprise Developer Toolset Version 1 will be retired on June 30, 2014. Customers are encouraged to migrate to a newer release of Red Hat Enterprise Developer Toolset, and can find additional details on the Red Hat Enterprise Developer Toolset life cycle page at https://access.redhat.com/site/support/policy/updates/dts/

4. References:

https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/site/support/policy/updates/dts/

5. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.

From bugzilla at redhat.com  Mon Mar 31 18:14:14 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 31 Mar 2014 18:14:14 +0000
Subject: [RHSA-2014:0341-01] Moderate: wireshark security update
Message-ID: <201403311814.s2VIEErh024830@int-mx11.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: wireshark security update
Advisory ID:       RHSA-2014:0341-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0341.html
Issue date:        2014-03-31
CVE Names:         CVE-2012-5595 CVE-2012-5598 CVE-2012-5599
                   CVE-2012-5600 CVE-2012-6056 CVE-2012-6060
                   CVE-2012-6061 CVE-2012-6062 CVE-2013-3557
                   CVE-2013-3559 CVE-2013-4081 CVE-2013-4083
                   CVE-2013-4927 CVE-2013-4931 CVE-2013-4932
                   CVE-2013-4933 CVE-2013-4934 CVE-2013-4935
                   CVE-2013-5721 CVE-2013-7112 CVE-2014-2281
                   CVE-2014-2299
=====================================================================

1. Summary:

Updated wireshark packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64

3. Description:

Wireshark is a network protocol analyzer. It is used to capture and browse the traffic running on a computer network.

Multiple flaws were found in Wireshark. If Wireshark read a malformed packet off a network or opened a malicious dump file, it could crash or, possibly, execute arbitrary code as the user running Wireshark. (CVE-2013-3559, CVE-2013-4083, CVE-2014-2281, CVE-2014-2299)

Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file. (CVE-2012-5595, CVE-2012-5598, CVE-2012-5599, CVE-2012-5600, CVE-2012-6056, CVE-2012-6060, CVE-2012-6061, CVE-2012-6062, CVE-2013-3557, CVE-2013-4081, CVE-2013-4927, CVE-2013-4931, CVE-2013-4932, CVE-2013-4933, CVE-2013-4934, CVE-2013-4935, CVE-2013-5721, CVE-2013-7112)

All Wireshark users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. All running instances of Wireshark must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

881742 - CVE-2012-5600 CVE-2012-6062 wireshark: DoS (infinite loop) in the RTCP dissector (wnpa-sec-2012-38)
881748 - CVE-2012-5599 CVE-2012-6061 wireshark: DoS (infinite loop) in the WTP dissector (wnpa-sec-2012-37)
881771 - CVE-2012-5598 CVE-2012-6060 wireshark: DoS (infinite loop) in the iSCSI dissector (wnpa-sec-2012-36)
881809 - CVE-2012-5595 CVE-2012-6056 wireshark: DoS (infinite loop) in the SCTP dissector (wnpa-sec-2012-33)
965190 - CVE-2013-3559 wireshark: DoS (crash) in the DCP ETSI dissector (wnpa-sec-2013-27, upstream #8231, #8540, #8541)
965193 - CVE-2013-3557 wireshark: DoS (crash) in the ASN.1 BER dissector (wnpa-sec-2013-25, upstream #8599)
972686 - CVE-2013-4081 wireshark: DoS (infinite loop) in the HTTP dissector (wnpa-sec-2013-39)
972688 - CVE-2013-4083 wireshark: Invalid free in the DCP ETSI dissector (wnpa-sec-2013-41)
990166 - CVE-2013-4927 wireshark: Integer signedness error in the Bluetooth SDP dissector (wnpa-sec-2013-45)
990170 - CVE-2013-4931 wireshark: DoS (infinite loop) in the GSM RR dissector (wnpa-sec-2013-49)
990172 - CVE-2013-4932 wireshark: Multiple array index errors in the GSM A Common dissector (wnpa-sec-2013-50)
990175 - CVE-2013-4933 wireshark: DoS (application crash) in the Netmon file parser (wnpa-sec-2013-51)
990178 - CVE-2013-4934 wireshark: DoS (application crash) in the Netmon file parser (wnpa-sec-2013-51) (A different flaw than CVE-2013-4933)
990179 - CVE-2013-4935 wireshark: DoS (application crash) in the ASN.1 PER dissector (wnpa-sec-2013-52)
1007197 - CVE-2013-5721 wireshark: MQ dissector crash (wnpa-sec-2013-58, upstream bug 9079)
1044508 - CVE-2013-7112 wireshark: SIP dissector could go into an infinite loop (wnpa-sec-2013-66)
1074109 - CVE-2014-2299 wireshark: buffer overflow in MPEG file parser (wnpa-sec-2014-04)
1074114 - CVE-2014-2281 wireshark: NFS dissector crash (wnpa-sec-2014-01)

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/wireshark-1.0.15-6.el5_10.src.rpm

i386:
wireshark-1.0.15-6.el5_10.i386.rpm
wireshark-debuginfo-1.0.15-6.el5_10.i386.rpm

x86_64:
wireshark-1.0.15-6.el5_10.x86_64.rpm
wireshark-debuginfo-1.0.15-6.el5_10.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/wireshark-1.0.15-6.el5_10.src.rpm

i386:
wireshark-debuginfo-1.0.15-6.el5_10.i386.rpm
wireshark-gnome-1.0.15-6.el5_10.i386.rpm

x86_64:
wireshark-debuginfo-1.0.15-6.el5_10.x86_64.rpm
wireshark-gnome-1.0.15-6.el5_10.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/wireshark-1.0.15-6.el5_10.src.rpm

i386:
wireshark-1.0.15-6.el5_10.i386.rpm
wireshark-debuginfo-1.0.15-6.el5_10.i386.rpm
wireshark-gnome-1.0.15-6.el5_10.i386.rpm

ia64:
wireshark-1.0.15-6.el5_10.ia64.rpm
wireshark-debuginfo-1.0.15-6.el5_10.ia64.rpm
wireshark-gnome-1.0.15-6.el5_10.ia64.rpm

ppc:
wireshark-1.0.15-6.el5_10.ppc.rpm
wireshark-debuginfo-1.0.15-6.el5_10.ppc.rpm
wireshark-gnome-1.0.15-6.el5_10.ppc.rpm

s390x:
wireshark-1.0.15-6.el5_10.s390x.rpm
wireshark-debuginfo-1.0.15-6.el5_10.s390x.rpm
wireshark-gnome-1.0.15-6.el5_10.s390x.rpm

x86_64:
wireshark-1.0.15-6.el5_10.x86_64.rpm
wireshark-debuginfo-1.0.15-6.el5_10.x86_64.rpm
wireshark-gnome-1.0.15-6.el5_10.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2012-5595.html
https://www.redhat.com/security/data/cve/CVE-2012-5598.html
https://www.redhat.com/security/data/cve/CVE-2012-5599.html
https://www.redhat.com/security/data/cve/CVE-2012-5600.html
https://www.redhat.com/security/data/cve/CVE-2012-6056.html
https://www.redhat.com/security/data/cve/CVE-2012-6060.html
https://www.redhat.com/security/data/cve/CVE-2012-6061.html
https://www.redhat.com/security/data/cve/CVE-2012-6062.html
https://www.redhat.com/security/data/cve/CVE-2013-3557.html
https://www.redhat.com/security/data/cve/CVE-2013-3559.html
https://www.redhat.com/security/data/cve/CVE-2013-4081.html
https://www.redhat.com/security/data/cve/CVE-2013-4083.html
https://www.redhat.com/security/data/cve/CVE-2013-4927.html
https://www.redhat.com/security/data/cve/CVE-2013-4931.html
https://www.redhat.com/security/data/cve/CVE-2013-4932.html
https://www.redhat.com/security/data/cve/CVE-2013-4933.html
https://www.redhat.com/security/data/cve/CVE-2013-4934.html
https://www.redhat.com/security/data/cve/CVE-2013-4935.html
https://www.redhat.com/security/data/cve/CVE-2013-5721.html
https://www.redhat.com/security/data/cve/CVE-2013-7112.html
https://www.redhat.com/security/data/cve/CVE-2014-2281.html
https://www.redhat.com/security/data/cve/CVE-2014-2299.html
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
From bugzilla at redhat.com  Mon Mar 31 18:15:50 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 31 Mar 2014 18:15:50 +0000
Subject: [RHSA-2014:0342-01] Moderate: wireshark security update
Message-ID: <201403311815.s2VIFoYG012315@int-mx13.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: wireshark security update
Advisory ID:       RHSA-2014:0342-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0342.html
Issue date:        2014-03-31
CVE Names:         CVE-2013-6336 CVE-2013-6337 CVE-2013-6338
                   CVE-2013-6339 CVE-2013-6340 CVE-2013-7112
                   CVE-2013-7114 CVE-2014-2281 CVE-2014-2283
                   CVE-2014-2299
=====================================================================

1. Summary:

Updated wireshark packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64

3. Description:

Wireshark is a network protocol analyzer. It is used to capture and browse the traffic running on a computer network.

Two flaws were found in Wireshark. If Wireshark read a malformed packet off a network or opened a malicious dump file, it could crash or, possibly, execute arbitrary code as the user running Wireshark. (CVE-2014-2281, CVE-2014-2299)

Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file. (CVE-2013-6336, CVE-2013-6337, CVE-2013-6338, CVE-2013-6339, CVE-2013-6340, CVE-2014-2283, CVE-2013-7112, CVE-2013-7114)

All Wireshark users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. All running instances of Wireshark must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1026534 - CVE-2013-6336 wireshark: IEEE 802.15.4 dissector crash (wnpa-sec-2013-61)
1026538 - CVE-2013-6337 wireshark: NBAP dissector crash (wnpa-sec-2013-62)
1026539 - CVE-2013-6338 wireshark: SIP dissector crash (wnpa-sec-2013-63)
1026540 - CVE-2013-6339 wireshark: ActiveMQ OpenWire dissector large loop (wnpa-sec-2013-64)
1026541 - CVE-2013-6340 wireshark: TCP dissector crash (wnpa-sec-2013-65)
1044508 - CVE-2013-7112 wireshark: SIP dissector could go into an infinite loop (wnpa-sec-2013-66)
1044510 - CVE-2013-7114 wireshark: NTLMSSP v2 dissector could crash (wnpa-sec-2013-68)
1074109 - CVE-2014-2299 wireshark: buffer overflow in MPEG file parser (wnpa-sec-2014-04)
1074111 - CVE-2014-2283 wireshark: RLC dissector crash (wnpa-sec-2014-03)
1074114 - CVE-2014-2281 wireshark: NFS dissector crash (wnpa-sec-2014-01)

6. Package List:

Red Hat Enterprise Linux Desktop (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/wireshark-1.8.10-7.el6_5.src.rpm

i386:
wireshark-1.8.10-7.el6_5.i686.rpm
wireshark-debuginfo-1.8.10-7.el6_5.i686.rpm
wireshark-gnome-1.8.10-7.el6_5.i686.rpm

x86_64:
wireshark-1.8.10-7.el6_5.i686.rpm
wireshark-1.8.10-7.el6_5.x86_64.rpm
wireshark-debuginfo-1.8.10-7.el6_5.i686.rpm
wireshark-debuginfo-1.8.10-7.el6_5.x86_64.rpm
wireshark-gnome-1.8.10-7.el6_5.x86_64.rpm

Red Hat Enterprise Linux Desktop Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/wireshark-1.8.10-7.el6_5.src.rpm

i386:
wireshark-debuginfo-1.8.10-7.el6_5.i686.rpm
wireshark-devel-1.8.10-7.el6_5.i686.rpm

x86_64:
wireshark-debuginfo-1.8.10-7.el6_5.i686.rpm
wireshark-debuginfo-1.8.10-7.el6_5.x86_64.rpm
wireshark-devel-1.8.10-7.el6_5.i686.rpm
wireshark-devel-1.8.10-7.el6_5.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/wireshark-1.8.10-7.el6_5.src.rpm

i386:
wireshark-1.8.10-7.el6_5.i686.rpm
wireshark-debuginfo-1.8.10-7.el6_5.i686.rpm
wireshark-gnome-1.8.10-7.el6_5.i686.rpm

ppc64:
wireshark-1.8.10-7.el6_5.ppc.rpm
wireshark-1.8.10-7.el6_5.ppc64.rpm
wireshark-debuginfo-1.8.10-7.el6_5.ppc.rpm
wireshark-debuginfo-1.8.10-7.el6_5.ppc64.rpm
wireshark-gnome-1.8.10-7.el6_5.ppc64.rpm

s390x:
wireshark-1.8.10-7.el6_5.s390.rpm
wireshark-1.8.10-7.el6_5.s390x.rpm
wireshark-debuginfo-1.8.10-7.el6_5.s390.rpm
wireshark-debuginfo-1.8.10-7.el6_5.s390x.rpm
wireshark-gnome-1.8.10-7.el6_5.s390x.rpm

x86_64:
wireshark-1.8.10-7.el6_5.i686.rpm
wireshark-1.8.10-7.el6_5.x86_64.rpm
wireshark-debuginfo-1.8.10-7.el6_5.i686.rpm
wireshark-debuginfo-1.8.10-7.el6_5.x86_64.rpm
wireshark-gnome-1.8.10-7.el6_5.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/wireshark-1.8.10-7.el6_5.src.rpm

i386:
wireshark-debuginfo-1.8.10-7.el6_5.i686.rpm
wireshark-devel-1.8.10-7.el6_5.i686.rpm

ppc64:
wireshark-debuginfo-1.8.10-7.el6_5.ppc.rpm
wireshark-debuginfo-1.8.10-7.el6_5.ppc64.rpm
wireshark-devel-1.8.10-7.el6_5.ppc.rpm
wireshark-devel-1.8.10-7.el6_5.ppc64.rpm

s390x:
wireshark-debuginfo-1.8.10-7.el6_5.s390.rpm
wireshark-debuginfo-1.8.10-7.el6_5.s390x.rpm
wireshark-devel-1.8.10-7.el6_5.s390.rpm
wireshark-devel-1.8.10-7.el6_5.s390x.rpm

x86_64:
wireshark-debuginfo-1.8.10-7.el6_5.i686.rpm
wireshark-debuginfo-1.8.10-7.el6_5.x86_64.rpm
wireshark-devel-1.8.10-7.el6_5.i686.rpm
wireshark-devel-1.8.10-7.el6_5.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/wireshark-1.8.10-7.el6_5.src.rpm

i386:
wireshark-1.8.10-7.el6_5.i686.rpm
wireshark-debuginfo-1.8.10-7.el6_5.i686.rpm
wireshark-gnome-1.8.10-7.el6_5.i686.rpm

x86_64:
wireshark-1.8.10-7.el6_5.i686.rpm
wireshark-1.8.10-7.el6_5.x86_64.rpm
wireshark-debuginfo-1.8.10-7.el6_5.i686.rpm
wireshark-debuginfo-1.8.10-7.el6_5.x86_64.rpm
wireshark-gnome-1.8.10-7.el6_5.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/wireshark-1.8.10-7.el6_5.src.rpm

i386:
wireshark-debuginfo-1.8.10-7.el6_5.i686.rpm
wireshark-devel-1.8.10-7.el6_5.i686.rpm

x86_64:
wireshark-debuginfo-1.8.10-7.el6_5.i686.rpm
wireshark-debuginfo-1.8.10-7.el6_5.x86_64.rpm
wireshark-devel-1.8.10-7.el6_5.i686.rpm
wireshark-devel-1.8.10-7.el6_5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-6336.html
https://www.redhat.com/security/data/cve/CVE-2013-6337.html
https://www.redhat.com/security/data/cve/CVE-2013-6338.html
https://www.redhat.com/security/data/cve/CVE-2013-6339.html
https://www.redhat.com/security/data/cve/CVE-2013-6340.html
https://www.redhat.com/security/data/cve/CVE-2013-7112.html
https://www.redhat.com/security/data/cve/CVE-2013-7114.html
https://www.redhat.com/security/data/cve/CVE-2014-2281.html
https://www.redhat.com/security/data/cve/CVE-2014-2283.html
https://www.redhat.com/security/data/cve/CVE-2014-2299.html
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
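The practical question behind every package list above is whether a given host is still running a build older than the fixed one. The following is an added example, not part of any advisory: it parses package names in the name-version-release.arch form used in these lists, reimplements rpm's version comparison (rpmvercmp) so it runs without the rpm binary, and reports installed packages that fall below the RHSA-2014:0342 Server x86_64 builds. The installed inventory is constructed; an epoch of 0 is assumed for all packages since the advisory file names carry none.

```python
"""Compare an installed-package inventory against an RHSA package list.

Added example (not Red Hat's code). Fixed builds come from the
RHSA-2014:0342 "Red Hat Enterprise Linux Server (v. 6)" x86_64 list;
the installed inventory below is constructed for illustration.
"""
import re

# Fixed packages, copied from the advisory's x86_64 Server list.
FIXED_PACKAGES = [
    "wireshark-1.8.10-7.el6_5.i686.rpm",
    "wireshark-1.8.10-7.el6_5.x86_64.rpm",
    "wireshark-debuginfo-1.8.10-7.el6_5.i686.rpm",
    "wireshark-debuginfo-1.8.10-7.el6_5.x86_64.rpm",
    "wireshark-gnome-1.8.10-7.el6_5.x86_64.rpm",
]

# Constructed inventory, in the shape produced by
#   rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n'
INSTALLED = [
    "wireshark-1.8.10-4.el6.x86_64",          # older release: still vulnerable
    "wireshark-gnome-1.8.10-7.el6_5.x86_64",  # already at the fixed build
    "wireshark-1.8.10-7.el6_5.i686",          # multilib copy, also fixed
    "samba-common-3.6.9-151.el6.x86_64",      # not covered by this advisory
]

# rpm splits a version into runs of digits, runs of letters, and '~';
# every other character is a separator and is ignored.
_SEGMENT = re.compile(r"\d+|[A-Za-z]+|~")


def rpmvercmp(a, b):
    """Return -1, 0 or 1 comparing two version (or release) strings as rpm does.

    Rules: numeric segments compare by value (leading zeros dropped), alpha
    segments compare as strings, a numeric segment beats an alpha one, and
    '~' sorts before anything, including the end of the string (so 1.0~rc1 < 1.0).
    """
    if a == b:
        return 0
    seg_a, seg_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    i = 0
    while i < len(seg_a) or i < len(seg_b):
        ta = seg_a[i] if i < len(seg_a) else None
        tb = seg_b[i] if i < len(seg_b) else None
        if ta == "~" or tb == "~":
            if ta != "~":
                return 1
            if tb != "~":
                return -1
            i += 1
            continue
        if ta is None:          # a ran out first: b is newer
            return -1
        if tb is None:          # b ran out first: a is newer
            return 1
        if ta.isdigit() != tb.isdigit():
            return 1 if ta.isdigit() else -1
        if ta.isdigit():
            ta, tb = ta.lstrip("0"), tb.lstrip("0")
            if len(ta) != len(tb):
                return 1 if len(ta) > len(tb) else -1
        if ta != tb:
            return 1 if ta > tb else -1
        i += 1
    return 0


def parse_nvra(pkg):
    """Split 'name-version-release.arch[.rpm]' into (name, version, release, arch)."""
    if pkg.endswith(".rpm"):
        pkg = pkg[:-4]
    nvr, arch = pkg.rsplit(".", 1)
    # Names may contain '-', so split from the right: release, then version.
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch


def vr_cmp(v1, r1, v2, r2):
    """Compare (version, release) pairs; release only matters when versions tie."""
    return rpmvercmp(v1, v2) or rpmvercmp(r1, r2)


def find_outdated(installed, fixed):
    """Return [(installed_pkg, fixed_pkg)] for installed builds below the advisory's."""
    fixed_by_key = {}
    for f in fixed:
        name, ver, rel, arch = parse_nvra(f)
        fixed_by_key[(name, arch)] = (ver, rel)
    outdated = []
    for pkg in installed:
        name, ver, rel, arch = parse_nvra(pkg)
        want = fixed_by_key.get((name, arch))
        if want is None:
            continue        # the advisory says nothing about this package
        if vr_cmp(ver, rel, want[0], want[1]) < 0:
            outdated.append((pkg, "%s-%s-%s.%s" % (name, want[0], want[1], arch)))
    return outdated


if __name__ == "__main__":
    for have, want in find_outdated(INSTALLED, FIXED_PACKAGES):
        print("UPDATE %s -> %s" % (have, want))
```

On a real host, feed the output of the rpm query shown in the comment into INSTALLED and the advisory's list for your product and architecture into FIXED_PACKAGES; the advisory is only a match for packages with the same name and architecture.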