From bugzilla at redhat.com  Tue Nov  3 20:38:44 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 3 Nov 2015 20:38:44 +0000
Subject: [RHSA-2015:1976-01] Moderate: kernel-rt security, bug fix, and enhancement update
Message-ID: <201511032038.tA3Kciik028789@int-mx14.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: kernel-rt security, bug fix, and enhancement update
Advisory ID:       RHSA-2015:1976-01
Product:           Red Hat Enterprise MRG for RHEL-6
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-1976.html
Issue date:        2015-11-03
CVE Names:         CVE-2014-8559
=====================================================================

1. Summary:

Updated kernel-rt packages that fix one security issue, several bugs, and
add one enhancement are now available for Red Hat Enterprise MRG 2.5.

Red Hat Product Security has rated this update as having Moderate security
impact. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available from the CVE link in the References
section.

2. Relevant releases/architectures:

MRG Realtime for RHEL 6 Server v.2 - noarch, x86_64

3. Description:

The kernel-rt packages contain the Linux kernel, the core of any Linux
operating system.

* A flaw was found in the way the Linux kernel's VFS subsystem handled file
system locks. A local, unprivileged user could use this flaw to trigger a
deadlock in the kernel, causing a denial of service on the system.
(CVE-2014-8559, Moderate)

This update provides a build of the kernel-rt package for Red Hat Enterprise
MRG 2.5 that is layered on Red Hat Enterprise Linux 6, and fixes the
following issues:

* Unexpected completion is detected on Intel Ethernet x540
* Divide by zero error in intel_pstate_timer_func() [ inline s64 div_s64_rem() ]
* NFS Recover from stateid-type error on SETATTR
* pNFS RHEL 7.1 Data Server connection remains after umount due to lseg refcount leak
* Race during NFS v4.0 recovery and standard IO.
* Fix ip6t_SYNPROXY for namespaces and connection delay
* synproxy window size and sequence number behaviour causes long connection delay
* Crash in kmem_cache_alloc() during disk stress testing (using ipr)
* xfs: sync/backport to upstream v4.1
* iscsi_session recovery_tmo revert back to default when a path becomes active
* read from MD raid1 can fail if read from resync target fails
* backport scsi-mq
* unable to handle kernel paging request at 0000000000237037 [zswap]

(BZ#1267373)

All kernel-rt users are advised to upgrade to these updated packages, which
correct these issues and add this enhancement. The system must be rebooted
for this update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1159313 - CVE-2014-8559 kernel: fs: deadlock due to incorrect usage of rename_lock
1267373 - update the MRG 2.5.x 3.10 kernel-rt sources

6. Package List:

MRG Realtime for RHEL 6 Server v.2:

Source:
kernel-rt-3.10.0-229.rt56.162.el6rt.src.rpm

noarch:
kernel-rt-doc-3.10.0-229.rt56.162.el6rt.noarch.rpm
kernel-rt-firmware-3.10.0-229.rt56.162.el6rt.noarch.rpm

x86_64:
kernel-rt-3.10.0-229.rt56.162.el6rt.x86_64.rpm
kernel-rt-debug-3.10.0-229.rt56.162.el6rt.x86_64.rpm
kernel-rt-debug-debuginfo-3.10.0-229.rt56.162.el6rt.x86_64.rpm
kernel-rt-debug-devel-3.10.0-229.rt56.162.el6rt.x86_64.rpm
kernel-rt-debuginfo-3.10.0-229.rt56.162.el6rt.x86_64.rpm
kernel-rt-debuginfo-common-x86_64-3.10.0-229.rt56.162.el6rt.x86_64.rpm
kernel-rt-devel-3.10.0-229.rt56.162.el6rt.x86_64.rpm
kernel-rt-trace-3.10.0-229.rt56.162.el6rt.x86_64.rpm
kernel-rt-trace-debuginfo-3.10.0-229.rt56.162.el6rt.x86_64.rpm
kernel-rt-trace-devel-3.10.0-229.rt56.162.el6rt.x86_64.rpm
kernel-rt-vanilla-3.10.0-229.rt56.162.el6rt.x86_64.rpm
kernel-rt-vanilla-debuginfo-3.10.0-229.rt56.162.el6rt.x86_64.rpm
kernel-rt-vanilla-devel-3.10.0-229.rt56.162.el6rt.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2014-8559
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFWORtIXlSAg2UNWIIRAvTFAJ4xCAB6sWrl+/XWYK4uIdz6dPxHFgCdFZOI
cNEzd2n2sM6IFCaX9FyPmZc=
=sMvZ
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Tue Nov  3 20:39:19 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 3 Nov 2015 20:39:19 +0000
Subject: [RHSA-2015:1977-01] Moderate: kernel-rt security, bug fix, and enhancement update
Message-ID: <201511032039.tA3KdJqC006087@int-mx13.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: kernel-rt security, bug fix, and enhancement update
Advisory ID:       RHSA-2015:1977-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-1977.html
Issue date:        2015-09-25
Updated on:        2015-11-03
CVE Names:         CVE-2014-8559 CVE-2015-5156
=====================================================================

1. Summary:

Updated kernel-rt packages that fix two security issues, several bugs, and
add one enhancement are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Realtime (v. 7) - noarch, x86_64

3. Description:

The kernel packages contain the Linux kernel, the core of any Linux
operating system.

* A flaw was found in the way the Linux kernel's VFS subsystem handled file
system locks. A local, unprivileged user could use this flaw to trigger a
deadlock in the kernel, causing a denial of service on the system.
(CVE-2014-8559, Moderate)

* A buffer overflow flaw was found in the way the Linux kernel's virtio-net
subsystem handled certain fraglists when the GRO (Generic Receive Offload)
functionality was enabled in a bridged network configuration. An attacker on
the local network could potentially use this flaw to crash the system, or,
although unlikely, elevate their privileges on the system.
(CVE-2015-5156, Moderate)

The CVE-2015-5156 issue was discovered by Jason Wang of Red Hat.

The kernel-rt packages have been upgraded to version 3.10.0-229.20.1, which
provides a number of bug fixes and enhancements over the previous version,
including:

* Unexpected completion is detected on Intel Ethernet x540
* Divide by zero error in intel_pstate_timer_func() [ inline s64 div_s64_rem() ]
* NFS Recover from stateid-type error on SETATTR
* pNFS RHEL 7.1 Data Server connection remains after umount due to lseg refcount leak
* Race during NFS v4.0 recovery and standard IO.
* Fix ip6t_SYNPROXY for namespaces and connection delay
* synproxy window size and sequence number behaviour causes long connection delay
* Crash in kmem_cache_alloc() during disk stress testing (using ipr)
* xfs: sync/backport to upstream v4.1
* iscsi_session recovery_tmo revert back to default when a path becomes active
* read from MD raid1 can fail if read from resync target fails
* backport scsi-mq
* unable to handle kernel paging request at 0000000000237037 [zswap]

(BZ#1266915)

All kernel-rt users are advised to upgrade to these updated packages, which
correct these issues and add this enhancement. The system must be rebooted
for this update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1159313 - CVE-2014-8559 kernel: fs: deadlock due to incorrect usage of rename_lock
1243852 - CVE-2015-5156 kernel: buffer overflow with fraglist larger than MAX_SKB_FRAGS + 2 in virtio-net
1266915 - kernel-rt: update to the RHEL7.1.z batch 6 source tree

6. Package List:

Red Hat Enterprise Linux Realtime (v. 7):

Source:
kernel-rt-3.10.0-229.20.1.rt56.141.14.el7_1.src.rpm

noarch:
kernel-rt-doc-3.10.0-229.20.1.rt56.141.14.el7_1.noarch.rpm

x86_64:
kernel-rt-3.10.0-229.20.1.rt56.141.14.el7_1.x86_64.rpm
kernel-rt-debug-3.10.0-229.20.1.rt56.141.14.el7_1.x86_64.rpm
kernel-rt-debug-debuginfo-3.10.0-229.20.1.rt56.141.14.el7_1.x86_64.rpm
kernel-rt-debug-devel-3.10.0-229.20.1.rt56.141.14.el7_1.x86_64.rpm
kernel-rt-debuginfo-3.10.0-229.20.1.rt56.141.14.el7_1.x86_64.rpm
kernel-rt-debuginfo-common-x86_64-3.10.0-229.20.1.rt56.141.14.el7_1.x86_64.rpm
kernel-rt-devel-3.10.0-229.20.1.rt56.141.14.el7_1.x86_64.rpm
kernel-rt-trace-3.10.0-229.20.1.rt56.141.14.el7_1.x86_64.rpm
kernel-rt-trace-debuginfo-3.10.0-229.20.1.rt56.141.14.el7_1.x86_64.rpm
kernel-rt-trace-devel-3.10.0-229.20.1.rt56.141.14.el7_1.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2014-8559
https://access.redhat.com/security/cve/CVE-2015-5156
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFWORttXlSAg2UNWIIRAot6AJ9qxDklzPf1P76Zu/UHcgz82KoDzACfbkT2
WOfkM5Bsc44rjp3q4XoMCSA=
=9pHF
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Tue Nov  3 20:40:22 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 3 Nov 2015 20:40:22 +0000
Subject: [RHSA-2015:1978-01] Moderate: kernel security, bug fix, and enhancement update
Message-ID: <201511032040.tA3KeMI4024625@int-mx09.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: kernel security, bug fix, and enhancement update
Advisory ID:       RHSA-2015:1978-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-1978.html
Issue date:        2015-11-03
CVE Names:         CVE-2014-8559 CVE-2015-5156
=====================================================================

1. Summary:

Updated kernel packages that fix two security issues, several bugs, and add
one enhancement are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - noarch, x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - noarch, x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - noarch, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

The kernel packages contain the Linux kernel, the core of any Linux
operating system.

* A flaw was found in the way the Linux kernel's VFS subsystem handled file
system locks. A local, unprivileged user could use this flaw to trigger a
deadlock in the kernel, causing a denial of service on the system.
(CVE-2014-8559, Moderate)

* A buffer overflow flaw was found in the way the Linux kernel's virtio-net
subsystem handled certain fraglists when the GRO (Generic Receive Offload)
functionality was enabled in a bridged network configuration. An attacker on
the local network could potentially use this flaw to crash the system, or,
although unlikely, elevate their privileges on the system.
(CVE-2015-5156, Moderate)

The CVE-2015-5156 issue was discovered by Jason Wang of Red Hat.

This update also fixes several bugs and adds one enhancement. Refer to the
following Knowledgebase article for further information:

https://access.redhat.com/articles/2039563

All kernel users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues and add this
enhancement. The system must be rebooted for this update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1159313 - CVE-2014-8559 kernel: fs: deadlock due to incorrect usage of rename_lock
1243852 - CVE-2015-5156 kernel: buffer overflow with fraglist larger than MAX_SKB_FRAGS + 2 in virtio-net

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:
kernel-3.10.0-229.20.1.el7.src.rpm

noarch:
kernel-abi-whitelists-3.10.0-229.20.1.el7.noarch.rpm
kernel-doc-3.10.0-229.20.1.el7.noarch.rpm

x86_64:
kernel-3.10.0-229.20.1.el7.x86_64.rpm
kernel-debug-3.10.0-229.20.1.el7.x86_64.rpm
kernel-debug-debuginfo-3.10.0-229.20.1.el7.x86_64.rpm
kernel-debug-devel-3.10.0-229.20.1.el7.x86_64.rpm
kernel-debuginfo-3.10.0-229.20.1.el7.x86_64.rpm
kernel-debuginfo-common-x86_64-3.10.0-229.20.1.el7.x86_64.rpm
kernel-devel-3.10.0-229.20.1.el7.x86_64.rpm
kernel-headers-3.10.0-229.20.1.el7.x86_64.rpm
kernel-tools-3.10.0-229.20.1.el7.x86_64.rpm
kernel-tools-debuginfo-3.10.0-229.20.1.el7.x86_64.rpm
kernel-tools-libs-3.10.0-229.20.1.el7.x86_64.rpm
perf-3.10.0-229.20.1.el7.x86_64.rpm
perf-debuginfo-3.10.0-229.20.1.el7.x86_64.rpm
python-perf-debuginfo-3.10.0-229.20.1.el7.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

x86_64:
kernel-debug-debuginfo-3.10.0-229.20.1.el7.x86_64.rpm
kernel-debuginfo-3.10.0-229.20.1.el7.x86_64.rpm
kernel-debuginfo-common-x86_64-3.10.0-229.20.1.el7.x86_64.rpm
kernel-tools-debuginfo-3.10.0-229.20.1.el7.x86_64.rpm
kernel-tools-libs-devel-3.10.0-229.20.1.el7.x86_64.rpm
perf-debuginfo-3.10.0-229.20.1.el7.x86_64.rpm
python-perf-3.10.0-229.20.1.el7.x86_64.rpm
python-perf-debuginfo-3.10.0-229.20.1.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
kernel-3.10.0-229.20.1.el7.src.rpm

noarch:
kernel-abi-whitelists-3.10.0-229.20.1.el7.noarch.rpm
kernel-doc-3.10.0-229.20.1.el7.noarch.rpm

x86_64:
kernel-3.10.0-229.20.1.el7.x86_64.rpm
kernel-debug-3.10.0-229.20.1.el7.x86_64.rpm
kernel-debug-debuginfo-3.10.0-229.20.1.el7.x86_64.rpm
kernel-debug-devel-3.10.0-229.20.1.el7.x86_64.rpm
kernel-debuginfo-3.10.0-229.20.1.el7.x86_64.rpm
kernel-debuginfo-common-x86_64-3.10.0-229.20.1.el7.x86_64.rpm
kernel-devel-3.10.0-229.20.1.el7.x86_64.rpm
kernel-headers-3.10.0-229.20.1.el7.x86_64.rpm
kernel-tools-3.10.0-229.20.1.el7.x86_64.rpm
kernel-tools-debuginfo-3.10.0-229.20.1.el7.x86_64.rpm
kernel-tools-libs-3.10.0-229.20.1.el7.x86_64.rpm
perf-3.10.0-229.20.1.el7.x86_64.rpm
perf-debuginfo-3.10.0-229.20.1.el7.x86_64.rpm
python-perf-debuginfo-3.10.0-229.20.1.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

x86_64:
kernel-debug-debuginfo-3.10.0-229.20.1.el7.x86_64.rpm
kernel-debuginfo-3.10.0-229.20.1.el7.x86_64.rpm
kernel-debuginfo-common-x86_64-3.10.0-229.20.1.el7.x86_64.rpm
kernel-tools-debuginfo-3.10.0-229.20.1.el7.x86_64.rpm
kernel-tools-libs-devel-3.10.0-229.20.1.el7.x86_64.rpm
perf-debuginfo-3.10.0-229.20.1.el7.x86_64.rpm
python-perf-3.10.0-229.20.1.el7.x86_64.rpm
python-perf-debuginfo-3.10.0-229.20.1.el7.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
kernel-3.10.0-229.20.1.el7.src.rpm

noarch:
kernel-abi-whitelists-3.10.0-229.20.1.el7.noarch.rpm
kernel-doc-3.10.0-229.20.1.el7.noarch.rpm

ppc64:
kernel-3.10.0-229.20.1.el7.ppc64.rpm
kernel-bootwrapper-3.10.0-229.20.1.el7.ppc64.rpm
kernel-debug-3.10.0-229.20.1.el7.ppc64.rpm
kernel-debug-debuginfo-3.10.0-229.20.1.el7.ppc64.rpm
kernel-debug-devel-3.10.0-229.20.1.el7.ppc64.rpm
kernel-debuginfo-3.10.0-229.20.1.el7.ppc64.rpm
kernel-debuginfo-common-ppc64-3.10.0-229.20.1.el7.ppc64.rpm
kernel-devel-3.10.0-229.20.1.el7.ppc64.rpm
kernel-headers-3.10.0-229.20.1.el7.ppc64.rpm
kernel-tools-3.10.0-229.20.1.el7.ppc64.rpm
kernel-tools-debuginfo-3.10.0-229.20.1.el7.ppc64.rpm
kernel-tools-libs-3.10.0-229.20.1.el7.ppc64.rpm
perf-3.10.0-229.20.1.el7.ppc64.rpm
perf-debuginfo-3.10.0-229.20.1.el7.ppc64.rpm
python-perf-debuginfo-3.10.0-229.20.1.el7.ppc64.rpm

s390x:
kernel-3.10.0-229.20.1.el7.s390x.rpm
kernel-debug-3.10.0-229.20.1.el7.s390x.rpm
kernel-debug-debuginfo-3.10.0-229.20.1.el7.s390x.rpm
kernel-debug-devel-3.10.0-229.20.1.el7.s390x.rpm
kernel-debuginfo-3.10.0-229.20.1.el7.s390x.rpm
kernel-debuginfo-common-s390x-3.10.0-229.20.1.el7.s390x.rpm
kernel-devel-3.10.0-229.20.1.el7.s390x.rpm
kernel-headers-3.10.0-229.20.1.el7.s390x.rpm
kernel-kdump-3.10.0-229.20.1.el7.s390x.rpm
kernel-kdump-debuginfo-3.10.0-229.20.1.el7.s390x.rpm
kernel-kdump-devel-3.10.0-229.20.1.el7.s390x.rpm
perf-3.10.0-229.20.1.el7.s390x.rpm
perf-debuginfo-3.10.0-229.20.1.el7.s390x.rpm
python-perf-debuginfo-3.10.0-229.20.1.el7.s390x.rpm

x86_64:
kernel-3.10.0-229.20.1.el7.x86_64.rpm
kernel-debug-3.10.0-229.20.1.el7.x86_64.rpm
kernel-debug-debuginfo-3.10.0-229.20.1.el7.x86_64.rpm
kernel-debug-devel-3.10.0-229.20.1.el7.x86_64.rpm
kernel-debuginfo-3.10.0-229.20.1.el7.x86_64.rpm
kernel-debuginfo-common-x86_64-3.10.0-229.20.1.el7.x86_64.rpm
kernel-devel-3.10.0-229.20.1.el7.x86_64.rpm
kernel-headers-3.10.0-229.20.1.el7.x86_64.rpm
kernel-tools-3.10.0-229.20.1.el7.x86_64.rpm
kernel-tools-debuginfo-3.10.0-229.20.1.el7.x86_64.rpm
kernel-tools-libs-3.10.0-229.20.1.el7.x86_64.rpm
perf-3.10.0-229.20.1.el7.x86_64.rpm
perf-debuginfo-3.10.0-229.20.1.el7.x86_64.rpm
python-perf-debuginfo-3.10.0-229.20.1.el7.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
kernel-3.10.0-229.20.1.ael7b.src.rpm

noarch:
kernel-abi-whitelists-3.10.0-229.20.1.ael7b.noarch.rpm
kernel-doc-3.10.0-229.20.1.ael7b.noarch.rpm

ppc64le:
kernel-3.10.0-229.20.1.ael7b.ppc64le.rpm
kernel-bootwrapper-3.10.0-229.20.1.ael7b.ppc64le.rpm
kernel-debug-3.10.0-229.20.1.ael7b.ppc64le.rpm
kernel-debug-debuginfo-3.10.0-229.20.1.ael7b.ppc64le.rpm
kernel-debuginfo-3.10.0-229.20.1.ael7b.ppc64le.rpm
kernel-debuginfo-common-ppc64le-3.10.0-229.20.1.ael7b.ppc64le.rpm
kernel-devel-3.10.0-229.20.1.ael7b.ppc64le.rpm
kernel-headers-3.10.0-229.20.1.ael7b.ppc64le.rpm
kernel-tools-3.10.0-229.20.1.ael7b.ppc64le.rpm
kernel-tools-debuginfo-3.10.0-229.20.1.ael7b.ppc64le.rpm
kernel-tools-libs-3.10.0-229.20.1.ael7b.ppc64le.rpm
perf-3.10.0-229.20.1.ael7b.ppc64le.rpm
perf-debuginfo-3.10.0-229.20.1.ael7b.ppc64le.rpm
python-perf-debuginfo-3.10.0-229.20.1.ael7b.ppc64le.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

ppc64:
kernel-debug-debuginfo-3.10.0-229.20.1.el7.ppc64.rpm
kernel-debuginfo-3.10.0-229.20.1.el7.ppc64.rpm
kernel-debuginfo-common-ppc64-3.10.0-229.20.1.el7.ppc64.rpm
kernel-tools-debuginfo-3.10.0-229.20.1.el7.ppc64.rpm
kernel-tools-libs-devel-3.10.0-229.20.1.el7.ppc64.rpm
perf-debuginfo-3.10.0-229.20.1.el7.ppc64.rpm
python-perf-3.10.0-229.20.1.el7.ppc64.rpm
python-perf-debuginfo-3.10.0-229.20.1.el7.ppc64.rpm

s390x:
kernel-debug-debuginfo-3.10.0-229.20.1.el7.s390x.rpm
kernel-debuginfo-3.10.0-229.20.1.el7.s390x.rpm
kernel-debuginfo-common-s390x-3.10.0-229.20.1.el7.s390x.rpm
kernel-kdump-debuginfo-3.10.0-229.20.1.el7.s390x.rpm
perf-debuginfo-3.10.0-229.20.1.el7.s390x.rpm
python-perf-3.10.0-229.20.1.el7.s390x.rpm
python-perf-debuginfo-3.10.0-229.20.1.el7.s390x.rpm

x86_64:
kernel-debug-debuginfo-3.10.0-229.20.1.el7.x86_64.rpm
kernel-debuginfo-3.10.0-229.20.1.el7.x86_64.rpm
kernel-debuginfo-common-x86_64-3.10.0-229.20.1.el7.x86_64.rpm
kernel-tools-debuginfo-3.10.0-229.20.1.el7.x86_64.rpm
kernel-tools-libs-devel-3.10.0-229.20.1.el7.x86_64.rpm
perf-debuginfo-3.10.0-229.20.1.el7.x86_64.rpm
python-perf-3.10.0-229.20.1.el7.x86_64.rpm
python-perf-debuginfo-3.10.0-229.20.1.el7.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

ppc64le:
kernel-debug-debuginfo-3.10.0-229.20.1.ael7b.ppc64le.rpm
kernel-debug-devel-3.10.0-229.20.1.ael7b.ppc64le.rpm
kernel-debuginfo-3.10.0-229.20.1.ael7b.ppc64le.rpm
kernel-debuginfo-common-ppc64le-3.10.0-229.20.1.ael7b.ppc64le.rpm
kernel-tools-debuginfo-3.10.0-229.20.1.ael7b.ppc64le.rpm
kernel-tools-libs-devel-3.10.0-229.20.1.ael7b.ppc64le.rpm
perf-debuginfo-3.10.0-229.20.1.ael7b.ppc64le.rpm
python-perf-3.10.0-229.20.1.ael7b.ppc64le.rpm
python-perf-debuginfo-3.10.0-229.20.1.ael7b.ppc64le.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
kernel-3.10.0-229.20.1.el7.src.rpm

noarch:
kernel-abi-whitelists-3.10.0-229.20.1.el7.noarch.rpm
kernel-doc-3.10.0-229.20.1.el7.noarch.rpm

x86_64:
kernel-3.10.0-229.20.1.el7.x86_64.rpm
kernel-debug-3.10.0-229.20.1.el7.x86_64.rpm
kernel-debug-debuginfo-3.10.0-229.20.1.el7.x86_64.rpm
kernel-debug-devel-3.10.0-229.20.1.el7.x86_64.rpm
kernel-debuginfo-3.10.0-229.20.1.el7.x86_64.rpm
kernel-debuginfo-common-x86_64-3.10.0-229.20.1.el7.x86_64.rpm
kernel-devel-3.10.0-229.20.1.el7.x86_64.rpm
kernel-headers-3.10.0-229.20.1.el7.x86_64.rpm
kernel-tools-3.10.0-229.20.1.el7.x86_64.rpm
kernel-tools-debuginfo-3.10.0-229.20.1.el7.x86_64.rpm
kernel-tools-libs-3.10.0-229.20.1.el7.x86_64.rpm
perf-3.10.0-229.20.1.el7.x86_64.rpm
perf-debuginfo-3.10.0-229.20.1.el7.x86_64.rpm
python-perf-debuginfo-3.10.0-229.20.1.el7.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

x86_64:
kernel-debug-debuginfo-3.10.0-229.20.1.el7.x86_64.rpm
kernel-debuginfo-3.10.0-229.20.1.el7.x86_64.rpm
kernel-debuginfo-common-x86_64-3.10.0-229.20.1.el7.x86_64.rpm
kernel-tools-debuginfo-3.10.0-229.20.1.el7.x86_64.rpm
kernel-tools-libs-devel-3.10.0-229.20.1.el7.x86_64.rpm
perf-debuginfo-3.10.0-229.20.1.el7.x86_64.rpm
python-perf-3.10.0-229.20.1.el7.x86_64.rpm
python-perf-debuginfo-3.10.0-229.20.1.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2014-8559
https://access.redhat.com/security/cve/CVE-2015-5156
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/articles/2039563

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
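The practical check for the three kernel advisories above (RHSA-2015:1976, RHSA-2015:1977 and RHSA-2015:1978) is whether the kernel that is actually running, not merely the one installed, is at or past the fixed build, since each advisory says the fix takes effect only after a reboot. The following is an added example, not Red Hat tooling: a pure-Python port of the segment rules rpm uses to order versions (rpmvercmp: numeric segments beat alphabetic ones, a larger number wins, a tilde sorts before anything, the caret rule is left out), applied to the fixed version-release strings copied from the package lists. The `uname -r` strings, the FIXED table and the function names are this example's own constructions.

```python
"""Is the running kernel at or past the build an RHSA ships?

Added example, not Red Hat tooling. Ports rpm's rpmvercmp() segment rules
to Python and applies them to the fixed kernel builds named in the package
lists of RHSA-2015:1976, RHSA-2015:1977 and RHSA-2015:1978. The `uname -r`
strings below are constructed samples.
"""
import re

# Fixed version-release per advisory, copied from each "Package List" section
FIXED = {
    "RHSA-2015:1976": "3.10.0-229.rt56.162.el6rt",           # MRG Realtime kernel-rt
    "RHSA-2015:1977": "3.10.0-229.20.1.rt56.141.14.el7_1",   # RHEL 7 Realtime kernel-rt
    "RHSA-2015:1978": "3.10.0-229.20.1.el7",                 # RHEL 7 kernel
}
ARCHES = ("x86_64", "ppc64le", "ppc64", "s390x", "i686", "i386", "ia64", "noarch")

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version (or release) strings like rpm's rpmvercmp().

    Returns -1, 0 or 1. Strings are cut into numeric and alphabetic segments
    (separators are ignored); a numeric segment is newer than an alphabetic
    one; numbers compare by value; a tilde sorts before anything, including
    the end of the string; otherwise the side with segments left over is
    newer. rpm's caret rule is not implemented here.
    """
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    i = 0
    while i < len(sa) or i < len(sb):
        x = sa[i] if i < len(sa) else None
        y = sb[i] if i < len(sb) else None
        if x == "~" or y == "~":            # tilde: the side that has it is older
            if x != "~":
                return 1
            if y != "~":
                return -1
            i += 1
            continue
        if x is None:                        # a ran out first, so b is newer
            return -1
        if y is None:
            return 1
        if x.isdigit() != y.isdigit():       # numeric beats alphabetic
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):             # more digits (no leading zeros) means larger
                return 1 if len(x) > len(y) else -1
        if x != y:                           # same kind and length: plain string order
            return 1 if x > y else -1
        i += 1
    return 0


def strip_arch(uname_r: str) -> str:
    """'3.10.0-229.20.1.el7.x86_64' -> '3.10.0-229.20.1.el7' (uname -r carries the arch)."""
    for arch in ARCHES:
        if uname_r.endswith("." + arch):
            return uname_r[: -len(arch) - 1]
    return uname_r


def vr_cmp(a: str, b: str) -> int:
    """Compare 'version-release' strings: version first, release breaks ties (no epochs here)."""
    va, ra = a.rsplit("-", 1)
    vb, rb = b.rsplit("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def kernel_is_fixed(uname_r: str, advisory: str) -> bool:
    """True when the running kernel is at or past the build the advisory ships."""
    return vr_cmp(strip_arch(uname_r), FIXED[advisory]) >= 0


if __name__ == "__main__":
    samples = [  # constructed uname -r outputs, not taken from any real host
        ("RHSA-2015:1978", "3.10.0-229.14.1.el7.x86_64"),
        ("RHSA-2015:1978", "3.10.0-229.20.1.el7.x86_64"),
        ("RHSA-2015:1977", "3.10.0-229.20.1.rt56.141.14.el7_1.x86_64"),
        ("RHSA-2015:1976", "3.10.0-229.rt56.161.el6rt.x86_64"),
    ]
    for advisory, running in samples:
        state = "fixed" if kernel_is_fixed(running, advisory) else "VULNERABLE: update and reboot"
        print(f"{advisory}: running {running}: {state}")
```

The ordering only says that a kernel is newer than the fixed build within the same stream; a build from a different stream (kernel-rt from another product, or a later minor release) has to be checked against that stream's own advisory rather than by number. Epochs are ignored because the kernel packages here carry none. On a live host, feed the function `uname -r` for the running kernel and `rpm -q kernel` (or `kernel-rt`) for what is installed, and check package signatures with `rpm -K` before installing, as the key page linked in section 6 describes.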
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFWORuqXlSAg2UNWIIRAqyRAJwINqVnJOxzmTtXPKqLn7UjepB/ywCeO9og
QC0qwafEMux2FFUwxwgB4uY=
=eFZV
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Wed Nov  4 10:00:17 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 4 Nov 2015 10:00:17 +0000
Subject: [RHSA-2015:1979-01] Moderate: libreswan security and enhancement update
Message-ID: <201511040945.tA49jted010131@int-mx10.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: libreswan security and enhancement update
Advisory ID:       RHSA-2015:1979-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-1979.html
Issue date:        2015-11-03
Updated on:        2015-11-04
CVE Names:         CVE-2015-3240
=====================================================================

1. Summary:

Updated libreswan packages that fix one security issue, several bugs, and
add several enhancements are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Moderate security
impact. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available from the CVE link in the References
section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64

3. Description:

Libreswan is an implementation of IPsec and IKE for Linux. IPsec (Internet
Protocol Security) uses strong cryptography to provide both authentication
and encryption services, which allow you to build secure tunnels, such as a
virtual private network (VPN), through untrusted networks.

A flaw was discovered in the way Libreswan's IKE daemon (pluto) processed
IKE KE payloads. A remote attacker could send a specially crafted IKE packet
whose KE payload carries a Diffie-Hellman public value of g^x = 0; processing
it would lead to a denial of service (daemon crash). (CVE-2015-3240)

This issue was discovered by Paul Wouters of Red Hat.

Note: When upgrading from an earlier version of Libreswan, the existing CA
certificates in the /etc/ipsec.d/cacerts/ directory and the existing
certificate revocation list (CRL) files in the /etc/ipsec.d/crls/ directory
are automatically imported into the NSS database. Once that is complete,
these directories are no longer used by Libreswan. New CA certificates and
new CRLs must be imported directly into the Network Security Services (NSS)
database with the certutil and crlutil commands.

This update also adds the following enhancements:

* This update adds support for RFC 7383 IKEv2 Fragmentation, RFC 7619 Auth
Null and ID Null, INVALID_KE renegotiation, CRL and OCSP support via NSS,
AES_CTR and AES_GCM support for IKEv2, and CAVS testing for FIPS compliance.
In addition, this update enforces FIPS algorithm restrictions in FIPS mode
and runs Cryptographic Algorithm Validation System (CAVS) testing for FIPS
compliance during the package build. A new Cryptographic Algorithm Validation
Program (CAVP) binary can be used to re-run the CAVS tests at any time.
Regardless of FIPS mode, the pluto daemon runs RFC test vectors for various
algorithms. Furthermore, compiling on all architectures now enables the
"-Werror" GCC option, which improves security by turning all compiler
warnings into errors. (BZ#1263346)

* This update also fixes several memory leaks and introduces a sub-second
packet retransmit option. (BZ#1268773)

* This update improves migration support from Openswan to Libreswan.
Specifically, all Openswan options that can take a time value without a
suffix are now supported, and several new keywords for use in the
/etc/ipsec.conf file have been introduced. See the relevant man pages for
details. (BZ#1268775)

* With this update, loopback support via the "loopback=" option has been
deprecated. (BZ#1270673)

All Libreswan users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues and add these
enhancements.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1232320 - CVE-2015-3240 libreswan / openswan: denial of service via IKE daemon restart when receiving a bad DH gx value
1268775 - libreswan should support strictcrlpolicy alias for crl-strict= option to support openswan migration
1273719 - libreswan FIPS test mistakenly looks for non-existent file hashes and reports FIPS failure

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:
libreswan-3.15-5.el7_1.src.rpm

x86_64:
libreswan-3.15-5.el7_1.x86_64.rpm
libreswan-debuginfo-3.15-5.el7_1.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
libreswan-3.15-5.el7_1.src.rpm

ppc64:
libreswan-3.15-5.el7_1.ppc64.rpm
libreswan-debuginfo-3.15-5.el7_1.ppc64.rpm

s390x:
libreswan-3.15-5.el7_1.s390x.rpm
libreswan-debuginfo-3.15-5.el7_1.s390x.rpm

x86_64:
libreswan-3.15-5.el7_1.x86_64.rpm
libreswan-debuginfo-3.15-5.el7_1.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
libreswan-3.15-5.ael7b_1.src.rpm

ppc64le:
libreswan-3.15-5.ael7b_1.ppc64le.rpm
libreswan-debuginfo-3.15-5.ael7b_1.ppc64le.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
libreswan-3.15-5.el7_1.src.rpm

x86_64:
libreswan-3.15-5.el7_1.x86_64.rpm
libreswan-debuginfo-3.15-5.el7_1.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

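The CVE-2015-3240 flaw in the libreswan advisory above is an input-validation problem: a responder must reject a KE payload carrying g^x = 0 (and the other degenerate public values) before it performs any Diffie-Hellman arithmetic on it. The following is an added example, not Libreswan code: the checks RFC 6989 specifies for MODP groups, written against the 1024-bit MODP group from RFC 2409 (IKE group 2) because its prime is short enough to embed; the same functions apply to any MODP group by passing that group's p and q. The all-zero payload, the private exponents and the function names are constructed for the demonstration. The advisory states only that processing such a payload crashed the daemon; the unchecked_shared_secret function shows a different consequence of skipping the check, namely that the derived secret becomes a value the attacker already knows.

```python
"""Validate a peer's Diffie-Hellman public value from an IKE KE payload.

Added example, not Libreswan code. Uses the 1024-bit MODP group of
RFC 2409 (IKE group 2) because it is short enough to embed; the checks
are the same for every MODP group. All inputs below are constructed.
"""

# RFC 2409 section 6.2: 1024-bit MODP prime, generator 2 (a safe prime)
MODP1024_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
MODP1024_G = 2
MODP1024_Q = (MODP1024_P - 1) // 2                   # order of the subgroup generated by g
MODP1024_LEN = (MODP1024_P.bit_length() + 7) // 8    # 128 bytes on the wire


class BadKEPayload(ValueError):
    """The peer's KE payload must be rejected (answer INVALID_KE or drop the message)."""


def validate_ke(ke_data: bytes, p: int = MODP1024_P, q: int = MODP1024_Q) -> int:
    """Return the peer's public value y as an int, or raise BadKEPayload.

    RFC 6989 section 2.1 for MODP groups: the payload must be exactly the
    group's size, y must satisfy 1 < y < p-1 (this rejects 0, 1, p-1 and
    anything >= p), and y must lie in the prime-order subgroup (y^q = 1).
    """
    size = (p.bit_length() + 7) // 8
    if len(ke_data) != size:
        raise BadKEPayload(f"KE payload is {len(ke_data)} bytes, expected {size}")
    y = int.from_bytes(ke_data, "big")
    if y <= 1 or y >= p - 1:
        raise BadKEPayload("public value must satisfy 1 < y < p-1")
    if pow(y, q, p) != 1:
        raise BadKEPayload("public value is not in the order-q subgroup")
    return y


def unchecked_shared_secret(ke_data: bytes, x: int, p: int = MODP1024_P) -> int:
    """What a responder derives if it skips validation: y^x mod p with y taken as-is.

    With y = 0 the result is 0 for every private exponent x, so the "secret"
    is known to whoever sent the payload.
    """
    y = int.from_bytes(ke_data, "big")
    return pow(y, x, p)


def shared_secret(ke_data: bytes, x: int, p: int = MODP1024_P, q: int = MODP1024_Q) -> bytes:
    """Hardened form: validate first, then derive y^x mod p as a fixed-width byte string."""
    y = validate_ke(ke_data, p, q)
    return pow(y, x, p).to_bytes((p.bit_length() + 7) // 8, "big")


def encode_public(x: int, p: int = MODP1024_P, g: int = MODP1024_G) -> bytes:
    """Encode g^x mod p the way it travels in a KE payload: fixed width, big-endian."""
    return pow(g, x, p).to_bytes((p.bit_length() + 7) // 8, "big")


# Constructed input: the g^x = 0 payload the advisory describes, correctly sized
CRAFTED_ZERO_KE = bytes(MODP1024_LEN)

if __name__ == "__main__":
    x = 0x1234567   # demo private exponent; real code draws it from a CSPRNG
    print("unchecked secret for y = 0:", unchecked_shared_secret(CRAFTED_ZERO_KE, x))
    try:
        shared_secret(CRAFTED_ZERO_KE, x)
    except BadKEPayload as err:
        print("rejected:", err)
    honest = encode_public(0x7777)   # what a well-behaved initiator would send
    print("honest peer accepted, secret length:", len(shared_secret(honest, x)))
```

The subgroup test costs one modular exponentiation per exchange, which is the same order of work as the key agreement itself; the range test alone already stops the 0, 1 and p-1 cases that produce a fixed, attacker-known secret. Both belong before any other use of the value, including the computation that the advisory says crashed pluto.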
References: https://access.redhat.com/security/cve/CVE-2015-3240 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2015 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFWOdPOXlSAg2UNWIIRAiKKAJ4mYauGJ2rGPErRG2dtvCxfRVVwCQCfZhWH DObTsXqNhqzIxScg4jVBAM8= =Xk6n -----END PGP SIGNATURE----- From bugzilla at redhat.com Wed Nov 4 13:22:41 2015 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Wed, 4 Nov 2015 13:22:41 +0000 Subject: [RHSA-2015:1980-01] Critical: nss and nspr security update Message-ID: <201511041308.tA4D8Jtr012720@int-mx13.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Critical: nss and nspr security update Advisory ID: RHSA-2015:1980-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-1980.html Issue date: 2015-11-04 CVE Names: CVE-2015-7181 CVE-2015-7182 CVE-2015-7183 ===================================================================== 1. Summary: Updated nss and nspr packages that fix three security issues are now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: RHEL Desktop Workstation (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 3. Description: Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. 
Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities. A use-after-poison flaw and a heap-based buffer overflow flaw were found in the way NSS parsed certain ASN.1 structures. An attacker could use these flaws to cause NSS to crash or execute arbitrary code with the permissions of the user running an application compiled against the NSS library. (CVE-2015-7181, CVE-2015-7182) A heap-based buffer overflow was found in NSPR. An attacker could use this flaw to cause NSPR to crash or execute arbitrary code with the permissions of the user running an application compiled against the NSPR library. (CVE-2015-7183) Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Tyson Smith, David Keeler and Ryan Sleevi as the original reporter. All nss and nspr users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1269345 - CVE-2015-7181 nss: use-after-poison in sec_asn1d_parse_leaf() (MFSA 2015-133) 1269351 - CVE-2015-7182 nss: ASN.1 decoder heap overflow when decoding constructed OCTET STRING that mixes indefinite and definite length encodings (MFSA 2015-133) 1269353 - CVE-2015-7183 nspr: heap-buffer overflow in PL_ARENA_ALLOCATE (MFSA 2015-133) 6. Package List: Red Hat Enterprise Linux Desktop (v. 
5 client):

Source:
nspr-4.10.8-2.el5_11.src.rpm
nss-3.19.1-2.el5_11.src.rpm

i386:
nspr-4.10.8-2.el5_11.i386.rpm
nspr-debuginfo-4.10.8-2.el5_11.i386.rpm
nss-3.19.1-2.el5_11.i386.rpm
nss-debuginfo-3.19.1-2.el5_11.i386.rpm
nss-tools-3.19.1-2.el5_11.i386.rpm

x86_64:
nspr-4.10.8-2.el5_11.i386.rpm
nspr-4.10.8-2.el5_11.x86_64.rpm
nspr-debuginfo-4.10.8-2.el5_11.i386.rpm
nspr-debuginfo-4.10.8-2.el5_11.x86_64.rpm
nss-3.19.1-2.el5_11.i386.rpm
nss-3.19.1-2.el5_11.x86_64.rpm
nss-debuginfo-3.19.1-2.el5_11.i386.rpm
nss-debuginfo-3.19.1-2.el5_11.x86_64.rpm
nss-tools-3.19.1-2.el5_11.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:
nspr-4.10.8-2.el5_11.src.rpm
nss-3.19.1-2.el5_11.src.rpm

i386:
nspr-debuginfo-4.10.8-2.el5_11.i386.rpm
nspr-devel-4.10.8-2.el5_11.i386.rpm
nss-debuginfo-3.19.1-2.el5_11.i386.rpm
nss-devel-3.19.1-2.el5_11.i386.rpm
nss-pkcs11-devel-3.19.1-2.el5_11.i386.rpm

x86_64:
nspr-debuginfo-4.10.8-2.el5_11.i386.rpm
nspr-debuginfo-4.10.8-2.el5_11.x86_64.rpm
nspr-devel-4.10.8-2.el5_11.i386.rpm
nspr-devel-4.10.8-2.el5_11.x86_64.rpm
nss-debuginfo-3.19.1-2.el5_11.i386.rpm
nss-debuginfo-3.19.1-2.el5_11.x86_64.rpm
nss-devel-3.19.1-2.el5_11.i386.rpm
nss-devel-3.19.1-2.el5_11.x86_64.rpm
nss-pkcs11-devel-3.19.1-2.el5_11.i386.rpm
nss-pkcs11-devel-3.19.1-2.el5_11.x86_64.rpm

Red Hat Enterprise Linux (v.
5 server):

Source:
nspr-4.10.8-2.el5_11.src.rpm
nss-3.19.1-2.el5_11.src.rpm

i386:
nspr-4.10.8-2.el5_11.i386.rpm
nspr-debuginfo-4.10.8-2.el5_11.i386.rpm
nspr-devel-4.10.8-2.el5_11.i386.rpm
nss-3.19.1-2.el5_11.i386.rpm
nss-debuginfo-3.19.1-2.el5_11.i386.rpm
nss-devel-3.19.1-2.el5_11.i386.rpm
nss-pkcs11-devel-3.19.1-2.el5_11.i386.rpm
nss-tools-3.19.1-2.el5_11.i386.rpm

ia64:
nspr-4.10.8-2.el5_11.i386.rpm
nspr-4.10.8-2.el5_11.ia64.rpm
nspr-debuginfo-4.10.8-2.el5_11.i386.rpm
nspr-debuginfo-4.10.8-2.el5_11.ia64.rpm
nspr-devel-4.10.8-2.el5_11.ia64.rpm
nss-3.19.1-2.el5_11.i386.rpm
nss-3.19.1-2.el5_11.ia64.rpm
nss-debuginfo-3.19.1-2.el5_11.i386.rpm
nss-debuginfo-3.19.1-2.el5_11.ia64.rpm
nss-devel-3.19.1-2.el5_11.ia64.rpm
nss-pkcs11-devel-3.19.1-2.el5_11.ia64.rpm
nss-tools-3.19.1-2.el5_11.ia64.rpm

ppc:
nspr-4.10.8-2.el5_11.ppc.rpm
nspr-4.10.8-2.el5_11.ppc64.rpm
nspr-debuginfo-4.10.8-2.el5_11.ppc.rpm
nspr-debuginfo-4.10.8-2.el5_11.ppc64.rpm
nspr-devel-4.10.8-2.el5_11.ppc.rpm
nspr-devel-4.10.8-2.el5_11.ppc64.rpm
nss-3.19.1-2.el5_11.ppc.rpm
nss-3.19.1-2.el5_11.ppc64.rpm
nss-debuginfo-3.19.1-2.el5_11.ppc.rpm
nss-debuginfo-3.19.1-2.el5_11.ppc64.rpm
nss-devel-3.19.1-2.el5_11.ppc.rpm
nss-devel-3.19.1-2.el5_11.ppc64.rpm
nss-pkcs11-devel-3.19.1-2.el5_11.ppc.rpm
nss-pkcs11-devel-3.19.1-2.el5_11.ppc64.rpm
nss-tools-3.19.1-2.el5_11.ppc.rpm

s390x:
nspr-4.10.8-2.el5_11.s390.rpm
nspr-4.10.8-2.el5_11.s390x.rpm
nspr-debuginfo-4.10.8-2.el5_11.s390.rpm
nspr-debuginfo-4.10.8-2.el5_11.s390x.rpm
nspr-devel-4.10.8-2.el5_11.s390.rpm
nspr-devel-4.10.8-2.el5_11.s390x.rpm
nss-3.19.1-2.el5_11.s390.rpm
nss-3.19.1-2.el5_11.s390x.rpm
nss-debuginfo-3.19.1-2.el5_11.s390.rpm
nss-debuginfo-3.19.1-2.el5_11.s390x.rpm
nss-devel-3.19.1-2.el5_11.s390.rpm
nss-devel-3.19.1-2.el5_11.s390x.rpm
nss-pkcs11-devel-3.19.1-2.el5_11.s390.rpm
nss-pkcs11-devel-3.19.1-2.el5_11.s390x.rpm
nss-tools-3.19.1-2.el5_11.s390x.rpm

x86_64:
nspr-4.10.8-2.el5_11.i386.rpm
nspr-4.10.8-2.el5_11.x86_64.rpm
nspr-debuginfo-4.10.8-2.el5_11.i386.rpm
nspr-debuginfo-4.10.8-2.el5_11.x86_64.rpm
nspr-devel-4.10.8-2.el5_11.i386.rpm
nspr-devel-4.10.8-2.el5_11.x86_64.rpm
nss-3.19.1-2.el5_11.i386.rpm
nss-3.19.1-2.el5_11.x86_64.rpm
nss-debuginfo-3.19.1-2.el5_11.i386.rpm
nss-debuginfo-3.19.1-2.el5_11.x86_64.rpm
nss-devel-3.19.1-2.el5_11.i386.rpm
nss-devel-3.19.1-2.el5_11.x86_64.rpm
nss-pkcs11-devel-3.19.1-2.el5_11.i386.rpm
nss-pkcs11-devel-3.19.1-2.el5_11.x86_64.rpm
nss-tools-3.19.1-2.el5_11.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2015-7181
https://access.redhat.com/security/cve/CVE-2015-7182
https://access.redhat.com/security/cve/CVE-2015-7183
https://access.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
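This advisory's description covers two NSS ASN.1 decoder flaws (CVE-2015-7181, CVE-2015-7182), the second a heap overflow when a constructed OCTET STRING mixes indefinite and definite length encodings. The decoder below is an added example, not NSS code and not Red Hat's, showing the bounds discipline that class of bug calls for: every element's declared length is checked against the window of the element that contains it, not against the whole input, and an indefinite-length segment must find its end-of-contents octets inside that window. In strict DER mode it also rejects constructed and indefinite-length strings outright, which is the simplest defence when an application only needs DER. The sample encodings are constructed for the example.

```python
"""Bounds-checked BER/DER OCTET STRING decoder.

Added example, not NSS code: it illustrates the length discipline an
ASN.1 decoder needs so that a child element can never read past the
element that contains it. The sample encodings below are constructed.
"""


class DerError(ValueError):
    """Any malformed, truncated or out-of-bounds encoding."""


def read_header(buf, pos, end, strict_der):
    """Parse one tag/length header inside the window buf[pos:end].

    Returns (tag, length, content_start); length is None for an
    indefinite-length constructed element, which only BER permits.
    """
    if pos + 2 > end:
        raise DerError("truncated header at offset %d" % pos)
    tag, first = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise DerError("multi-byte tags are not handled here")
    pos += 2
    if first < 0x80:                                  # short form
        length = first
    elif first == 0x80:                               # indefinite form
        if strict_der:
            raise DerError("indefinite length is not valid DER")
        if not tag & 0x20:
            raise DerError("indefinite length on a primitive element")
        return tag, None, pos
    else:                                             # long form
        n = first & 0x7F
        if n > 4 or pos + n > end:
            raise DerError("bad or truncated long-form length")
        if strict_der and (buf[pos] == 0 or (n == 1 and buf[pos] < 0x80)):
            raise DerError("non-minimal length encoding is not valid DER")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    # The check that matters: compare against the enclosing element's end,
    # not against the size of the whole buffer.
    if length > end - pos:
        raise DerError("declared length %d exceeds the %d bytes left in the "
                       "enclosing element" % (length, end - pos))
    return tag, length, pos


def decode_octet_string(buf, pos=0, end=None, strict_der=True, depth=0):
    """Decode the OCTET STRING at buf[pos] and return (content, next_offset).

    Constructed (segmented) strings are flattened; each segment is parsed
    against its parent's window, and an indefinite-length segment must
    find its end-of-contents octets inside that window.
    """
    if end is None:
        end = len(buf)
    if depth > 16:
        raise DerError("nesting too deep")
    tag, length, start = read_header(buf, pos, end, strict_der)
    if tag & 0x1F != 0x04:
        raise DerError("expected OCTET STRING, got tag 0x%02x" % tag)
    if not tag & 0x20:                                # primitive
        return bytes(buf[start:start + length]), start + length
    if strict_der:
        raise DerError("constructed OCTET STRING is not valid DER")
    inner_end = end if length is None else start + length
    out, cur = bytearray(), start
    while True:
        if length is None:                            # indefinite parent
            if cur + 2 <= inner_end and buf[cur] == 0 and buf[cur + 1] == 0:
                return bytes(out), cur + 2
            if cur >= inner_end:
                raise DerError("end-of-contents octets not found inside parent")
        elif cur == inner_end:                        # definite parent consumed
            return bytes(out), inner_end
        piece, cur = decode_octet_string(buf, cur, inner_end, strict_der, depth + 1)
        out += piece


def try_decode(buf, strict_der=True):
    """Return ('ok', content) or ('error', message) instead of raising."""
    try:
        return "ok", decode_octet_string(buf, strict_der=strict_der)[0]
    except DerError as exc:
        return "error", str(exc)


# Constructed samples: valid DER, valid BER in both length forms, and three
# malformed encodings that a decoder must reject rather than read past.
SAMPLES = {
    "der primitive": b"\x04\x03abc",
    "ber definite": b"\x24\x0a\x04\x03abc\x04\x03def",
    "ber indefinite": b"\x24\x80\x04\x03abc\x04\x03def\x00\x00",
    "child longer than parent": b"\x24\x05\x04\x06abcdef",
    "eoc outside definite parent": b"\x24\x05\x24\x80\x04\x01a\x00\x00",
    "truncated": b"\x04\x05ab",
}

if __name__ == "__main__":
    for name, enc in SAMPLES.items():
        print("%-28s %s" % (name, try_decode(enc, strict_der=False)))
```

Run the file to see each sample either decode or be rejected with the reason. The `child longer than parent` case is the instructive one: the child's six declared bytes do fit in the total buffer, so a check made only against `len(buf)` would pass it, which is why `read_header` compares against the enclosing element's `end` instead.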
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFWOgL1XlSAg2UNWIIRAr90AKCw9ck9IdfkIQ4U/mIwRzOTmq5bWwCeNIP9
srV7FNmjGrpebbqDVyEcG0E=
=BOTE
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Nov 4 13:26:22 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 4 Nov 2015 13:26:22 +0000
Subject: [RHSA-2015:1981-01] Critical: nss, nss-util, and nspr security update
Message-ID: <201511041312.tA4DC0CV004329@int-mx10.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: nss, nss-util, and nspr security update
Advisory ID:       RHSA-2015:1981-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-1981.html
Issue date:        2015-11-04
CVE Names:         CVE-2015-7181 CVE-2015-7182 CVE-2015-7183
=====================================================================

1. Summary:

Updated nss, nss-util, and nspr packages that fix three security issues are now available for Red Hat Enterprise Linux 6 and 7.

Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server (v.
7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities.

A use-after-poison flaw and a heap-based buffer overflow flaw were found in the way NSS parsed certain ASN.1 structures. An attacker could use these flaws to cause NSS to crash or execute arbitrary code with the permissions of the user running an application compiled against the NSS library. (CVE-2015-7181, CVE-2015-7182)

A heap-based buffer overflow was found in NSPR. An attacker could use this flaw to cause NSPR to crash or execute arbitrary code with the permissions of the user running an application compiled against the NSPR library. (CVE-2015-7183)

Note: Applications using NSPR's PL_ARENA_ALLOCATE, PR_ARENA_ALLOCATE, PL_ARENA_GROW, or PR_ARENA_GROW macros need to be rebuilt against the fixed nspr packages to completely resolve the CVE-2015-7183 issue: the macro bodies are expanded into the calling application's own code at compile time, so updating the shared library alone does not replace them. This erratum includes nss and nss-util packages rebuilt against the fixed nspr version.

Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Tyson Smith, David Keeler and Ryan Sleevi as the original reporters.

All nss, nss-util and nspr users are advised to upgrade to these updated packages, which contain backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.
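The Solution section asks you to confirm that errata are applied; for a fleet check, comparing installed package versions against the fixed builds in this advisory's package list (for RHEL 6: nspr-4.10.8-2.el6_7, nss-3.19.1-5.el6_7 and nss-util-3.19.1-2.el6_7) does that offline. The script below is an added example, not Red Hat tooling: it reimplements rpm's segment-wise version ordering in Python (epoch, then version, then release) so it runs without the rpm bindings, and the installed-package listing is constructed sample input in the form that `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` produces.

```python
"""Check installed RPM NVRs against the fixed builds from an advisory.

Added example, not Red Hat tooling. The rpm version ordering is
reimplemented here so the check runs without the rpm Python bindings.
"""
import re

# Fixed RHEL 6 builds taken from the RHSA-2015:1981 package list.
FIXED_RHEL6 = {
    "nspr": "nspr-4.10.8-2.el6_7",
    "nss": "nss-3.19.1-5.el6_7",
    "nss-util": "nss-util-3.19.1-2.el6_7",
}

# Constructed sample of what `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'`
# would print on a partially patched host (add %{ARCH} on multilib hosts,
# where a package is listed once per architecture).
SAMPLE_INSTALLED = """\
nspr-4.10.8-2.el6_7
nss-3.19.1-3.el6_7
nss-util-3.19.1-1.el6_7
openssl-1.0.1e-42.el6
"""

_SEGMENT = re.compile(r"\d+|[A-Za-z]+|~")


def rpmvercmp(a, b):
    """Compare two version or release strings the way rpm does.

    Returns -1, 0 or 1. Strings are split into numeric and alphabetic
    segments (separators are ignored); numeric segments compare as
    integers, a numeric segment beats an alphabetic one, a tilde sorts
    before anything including end of string, and otherwise the string
    with segments left over is the newer one.
    """
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for i in range(max(len(sa), len(sb))):
        x = sa[i] if i < len(sa) else None
        y = sb[i] if i < len(sb) else None
        if x == "~" or y == "~":
            if x != "~":
                return 1
            if y != "~":
                return -1
            continue
        if x is None:
            return -1
        if y is None:
            return 1
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    return 0


def split_nvr(nvr):
    """Split 'name-version-release' (or 'name-epoch:version-release')
    into (name, epoch, version, release); epoch defaults to 0."""
    name, version, release = nvr.rsplit("-", 2)
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    return name, epoch, version, release


def evr_cmp(installed_nvr, fixed_nvr):
    """Return <0 if installed is older than fixed, 0 if equal, >0 if newer."""
    _, e1, v1, r1 = split_nvr(installed_nvr)
    _, e2, v2, r2 = split_nvr(fixed_nvr)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    c = rpmvercmp(v1, v2)
    return c if c else rpmvercmp(r1, r2)


def assess(installed_text, fixed):
    """Map each package in `fixed` to 'fixed', 'vulnerable' or
    'not installed', given an rpm -qa style listing."""
    installed = {}
    for line in installed_text.splitlines():
        line = line.strip()
        if line:
            installed[split_nvr(line)[0]] = line
    result = {}
    for name, fixed_nvr in fixed.items():
        if name not in installed:
            result[name] = "not installed"
        elif evr_cmp(installed[name], fixed_nvr) >= 0:
            result[name] = "fixed"
        else:
            result[name] = "vulnerable"
    return result


if __name__ == "__main__":
    for name, state in sorted(assess(SAMPLE_INSTALLED, FIXED_RHEL6).items()):
        print("%-10s %s" % (name, state))
```

A passing result covers the packages themselves. As the Note above says, applications that inlined NSPR's arena macros still need a rebuild against the fixed nspr, and no package version comparison will reveal which binaries those are.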
For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1269345 - CVE-2015-7181 nss: use-after-poison in sec_asn1d_parse_leaf() (MFSA 2015-133)
1269351 - CVE-2015-7182 nss: ASN.1 decoder heap overflow when decoding constructed OCTET STRING that mixes indefinite and definite length encodings (MFSA 2015-133)
1269353 - CVE-2015-7183 nspr: heap-buffer overflow in PL_ARENA_ALLOCATE (MFSA 2015-133)

6. Package List:

Red Hat Enterprise Linux Desktop (v. 6):

Source:
nspr-4.10.8-2.el6_7.src.rpm
nss-3.19.1-5.el6_7.src.rpm
nss-util-3.19.1-2.el6_7.src.rpm

i386:
nspr-4.10.8-2.el6_7.i686.rpm
nspr-debuginfo-4.10.8-2.el6_7.i686.rpm
nss-3.19.1-5.el6_7.i686.rpm
nss-debuginfo-3.19.1-5.el6_7.i686.rpm
nss-sysinit-3.19.1-5.el6_7.i686.rpm
nss-tools-3.19.1-5.el6_7.i686.rpm
nss-util-3.19.1-2.el6_7.i686.rpm
nss-util-debuginfo-3.19.1-2.el6_7.i686.rpm

x86_64:
nspr-4.10.8-2.el6_7.i686.rpm
nspr-4.10.8-2.el6_7.x86_64.rpm
nspr-debuginfo-4.10.8-2.el6_7.i686.rpm
nspr-debuginfo-4.10.8-2.el6_7.x86_64.rpm
nss-3.19.1-5.el6_7.i686.rpm
nss-3.19.1-5.el6_7.x86_64.rpm
nss-debuginfo-3.19.1-5.el6_7.i686.rpm
nss-debuginfo-3.19.1-5.el6_7.x86_64.rpm
nss-sysinit-3.19.1-5.el6_7.x86_64.rpm
nss-tools-3.19.1-5.el6_7.x86_64.rpm
nss-util-3.19.1-2.el6_7.i686.rpm
nss-util-3.19.1-2.el6_7.x86_64.rpm
nss-util-debuginfo-3.19.1-2.el6_7.i686.rpm
nss-util-debuginfo-3.19.1-2.el6_7.x86_64.rpm

Red Hat Enterprise Linux Desktop Optional (v.
6):

i386:
nspr-debuginfo-4.10.8-2.el6_7.i686.rpm
nspr-devel-4.10.8-2.el6_7.i686.rpm
nss-debuginfo-3.19.1-5.el6_7.i686.rpm
nss-devel-3.19.1-5.el6_7.i686.rpm
nss-pkcs11-devel-3.19.1-5.el6_7.i686.rpm
nss-util-debuginfo-3.19.1-2.el6_7.i686.rpm
nss-util-devel-3.19.1-2.el6_7.i686.rpm

x86_64:
nspr-debuginfo-4.10.8-2.el6_7.i686.rpm
nspr-debuginfo-4.10.8-2.el6_7.x86_64.rpm
nspr-devel-4.10.8-2.el6_7.i686.rpm
nspr-devel-4.10.8-2.el6_7.x86_64.rpm
nss-debuginfo-3.19.1-5.el6_7.i686.rpm
nss-debuginfo-3.19.1-5.el6_7.x86_64.rpm
nss-devel-3.19.1-5.el6_7.i686.rpm
nss-devel-3.19.1-5.el6_7.x86_64.rpm
nss-pkcs11-devel-3.19.1-5.el6_7.i686.rpm
nss-pkcs11-devel-3.19.1-5.el6_7.x86_64.rpm
nss-util-debuginfo-3.19.1-2.el6_7.i686.rpm
nss-util-debuginfo-3.19.1-2.el6_7.x86_64.rpm
nss-util-devel-3.19.1-2.el6_7.i686.rpm
nss-util-devel-3.19.1-2.el6_7.x86_64.rpm

Red Hat Enterprise Linux HPC Node (v. 6):

Source:
nspr-4.10.8-2.el6_7.src.rpm
nss-3.19.1-5.el6_7.src.rpm
nss-util-3.19.1-2.el6_7.src.rpm

x86_64:
nspr-4.10.8-2.el6_7.i686.rpm
nspr-4.10.8-2.el6_7.x86_64.rpm
nspr-debuginfo-4.10.8-2.el6_7.i686.rpm
nspr-debuginfo-4.10.8-2.el6_7.x86_64.rpm
nss-3.19.1-5.el6_7.i686.rpm
nss-3.19.1-5.el6_7.x86_64.rpm
nss-debuginfo-3.19.1-5.el6_7.i686.rpm
nss-debuginfo-3.19.1-5.el6_7.x86_64.rpm
nss-sysinit-3.19.1-5.el6_7.x86_64.rpm
nss-tools-3.19.1-5.el6_7.x86_64.rpm
nss-util-3.19.1-2.el6_7.i686.rpm
nss-util-3.19.1-2.el6_7.x86_64.rpm
nss-util-debuginfo-3.19.1-2.el6_7.i686.rpm
nss-util-debuginfo-3.19.1-2.el6_7.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional (v.
6):

x86_64:
nspr-debuginfo-4.10.8-2.el6_7.i686.rpm
nspr-debuginfo-4.10.8-2.el6_7.x86_64.rpm
nspr-devel-4.10.8-2.el6_7.i686.rpm
nspr-devel-4.10.8-2.el6_7.x86_64.rpm
nss-debuginfo-3.19.1-5.el6_7.i686.rpm
nss-debuginfo-3.19.1-5.el6_7.x86_64.rpm
nss-devel-3.19.1-5.el6_7.i686.rpm
nss-devel-3.19.1-5.el6_7.x86_64.rpm
nss-pkcs11-devel-3.19.1-5.el6_7.i686.rpm
nss-pkcs11-devel-3.19.1-5.el6_7.x86_64.rpm
nss-util-debuginfo-3.19.1-2.el6_7.i686.rpm
nss-util-debuginfo-3.19.1-2.el6_7.x86_64.rpm
nss-util-devel-3.19.1-2.el6_7.i686.rpm
nss-util-devel-3.19.1-2.el6_7.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
nspr-4.10.8-2.el6_7.src.rpm
nss-3.19.1-5.el6_7.src.rpm
nss-util-3.19.1-2.el6_7.src.rpm

i386:
nspr-4.10.8-2.el6_7.i686.rpm
nspr-debuginfo-4.10.8-2.el6_7.i686.rpm
nspr-devel-4.10.8-2.el6_7.i686.rpm
nss-3.19.1-5.el6_7.i686.rpm
nss-debuginfo-3.19.1-5.el6_7.i686.rpm
nss-devel-3.19.1-5.el6_7.i686.rpm
nss-sysinit-3.19.1-5.el6_7.i686.rpm
nss-tools-3.19.1-5.el6_7.i686.rpm
nss-util-3.19.1-2.el6_7.i686.rpm
nss-util-debuginfo-3.19.1-2.el6_7.i686.rpm
nss-util-devel-3.19.1-2.el6_7.i686.rpm

ppc64:
nspr-4.10.8-2.el6_7.ppc.rpm
nspr-4.10.8-2.el6_7.ppc64.rpm
nspr-debuginfo-4.10.8-2.el6_7.ppc.rpm
nspr-debuginfo-4.10.8-2.el6_7.ppc64.rpm
nspr-devel-4.10.8-2.el6_7.ppc.rpm
nspr-devel-4.10.8-2.el6_7.ppc64.rpm
nss-3.19.1-5.el6_7.ppc.rpm
nss-3.19.1-5.el6_7.ppc64.rpm
nss-debuginfo-3.19.1-5.el6_7.ppc.rpm
nss-debuginfo-3.19.1-5.el6_7.ppc64.rpm
nss-devel-3.19.1-5.el6_7.ppc.rpm
nss-devel-3.19.1-5.el6_7.ppc64.rpm
nss-sysinit-3.19.1-5.el6_7.ppc64.rpm
nss-tools-3.19.1-5.el6_7.ppc64.rpm
nss-util-3.19.1-2.el6_7.ppc.rpm
nss-util-3.19.1-2.el6_7.ppc64.rpm
nss-util-debuginfo-3.19.1-2.el6_7.ppc.rpm
nss-util-debuginfo-3.19.1-2.el6_7.ppc64.rpm
nss-util-devel-3.19.1-2.el6_7.ppc.rpm
nss-util-devel-3.19.1-2.el6_7.ppc64.rpm

s390x:
nspr-4.10.8-2.el6_7.s390.rpm
nspr-4.10.8-2.el6_7.s390x.rpm
nspr-debuginfo-4.10.8-2.el6_7.s390.rpm
nspr-debuginfo-4.10.8-2.el6_7.s390x.rpm
nspr-devel-4.10.8-2.el6_7.s390.rpm
nspr-devel-4.10.8-2.el6_7.s390x.rpm
nss-3.19.1-5.el6_7.s390.rpm
nss-3.19.1-5.el6_7.s390x.rpm
nss-debuginfo-3.19.1-5.el6_7.s390.rpm
nss-debuginfo-3.19.1-5.el6_7.s390x.rpm
nss-devel-3.19.1-5.el6_7.s390.rpm
nss-devel-3.19.1-5.el6_7.s390x.rpm
nss-sysinit-3.19.1-5.el6_7.s390x.rpm
nss-tools-3.19.1-5.el6_7.s390x.rpm
nss-util-3.19.1-2.el6_7.s390.rpm
nss-util-3.19.1-2.el6_7.s390x.rpm
nss-util-debuginfo-3.19.1-2.el6_7.s390.rpm
nss-util-debuginfo-3.19.1-2.el6_7.s390x.rpm
nss-util-devel-3.19.1-2.el6_7.s390.rpm
nss-util-devel-3.19.1-2.el6_7.s390x.rpm

x86_64:
nspr-4.10.8-2.el6_7.i686.rpm
nspr-4.10.8-2.el6_7.x86_64.rpm
nspr-debuginfo-4.10.8-2.el6_7.i686.rpm
nspr-debuginfo-4.10.8-2.el6_7.x86_64.rpm
nspr-devel-4.10.8-2.el6_7.i686.rpm
nspr-devel-4.10.8-2.el6_7.x86_64.rpm
nss-3.19.1-5.el6_7.i686.rpm
nss-3.19.1-5.el6_7.x86_64.rpm
nss-debuginfo-3.19.1-5.el6_7.i686.rpm
nss-debuginfo-3.19.1-5.el6_7.x86_64.rpm
nss-devel-3.19.1-5.el6_7.i686.rpm
nss-devel-3.19.1-5.el6_7.x86_64.rpm
nss-sysinit-3.19.1-5.el6_7.x86_64.rpm
nss-tools-3.19.1-5.el6_7.x86_64.rpm
nss-util-3.19.1-2.el6_7.i686.rpm
nss-util-3.19.1-2.el6_7.x86_64.rpm
nss-util-debuginfo-3.19.1-2.el6_7.i686.rpm
nss-util-debuginfo-3.19.1-2.el6_7.x86_64.rpm
nss-util-devel-3.19.1-2.el6_7.i686.rpm
nss-util-devel-3.19.1-2.el6_7.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

i386:
nss-debuginfo-3.19.1-5.el6_7.i686.rpm
nss-pkcs11-devel-3.19.1-5.el6_7.i686.rpm

ppc64:
nss-debuginfo-3.19.1-5.el6_7.ppc.rpm
nss-debuginfo-3.19.1-5.el6_7.ppc64.rpm
nss-pkcs11-devel-3.19.1-5.el6_7.ppc.rpm
nss-pkcs11-devel-3.19.1-5.el6_7.ppc64.rpm

s390x:
nss-debuginfo-3.19.1-5.el6_7.s390.rpm
nss-debuginfo-3.19.1-5.el6_7.s390x.rpm
nss-pkcs11-devel-3.19.1-5.el6_7.s390.rpm
nss-pkcs11-devel-3.19.1-5.el6_7.s390x.rpm

x86_64:
nss-debuginfo-3.19.1-5.el6_7.i686.rpm
nss-debuginfo-3.19.1-5.el6_7.x86_64.rpm
nss-pkcs11-devel-3.19.1-5.el6_7.i686.rpm
nss-pkcs11-devel-3.19.1-5.el6_7.x86_64.rpm

Red Hat Enterprise Linux Workstation (v.
6):

Source:
nspr-4.10.8-2.el6_7.src.rpm
nss-3.19.1-5.el6_7.src.rpm
nss-util-3.19.1-2.el6_7.src.rpm

i386:
nspr-4.10.8-2.el6_7.i686.rpm
nspr-debuginfo-4.10.8-2.el6_7.i686.rpm
nspr-devel-4.10.8-2.el6_7.i686.rpm
nss-3.19.1-5.el6_7.i686.rpm
nss-debuginfo-3.19.1-5.el6_7.i686.rpm
nss-devel-3.19.1-5.el6_7.i686.rpm
nss-sysinit-3.19.1-5.el6_7.i686.rpm
nss-tools-3.19.1-5.el6_7.i686.rpm
nss-util-3.19.1-2.el6_7.i686.rpm
nss-util-debuginfo-3.19.1-2.el6_7.i686.rpm
nss-util-devel-3.19.1-2.el6_7.i686.rpm

x86_64:
nspr-4.10.8-2.el6_7.i686.rpm
nspr-4.10.8-2.el6_7.x86_64.rpm
nspr-debuginfo-4.10.8-2.el6_7.i686.rpm
nspr-debuginfo-4.10.8-2.el6_7.x86_64.rpm
nspr-devel-4.10.8-2.el6_7.i686.rpm
nspr-devel-4.10.8-2.el6_7.x86_64.rpm
nss-3.19.1-5.el6_7.i686.rpm
nss-3.19.1-5.el6_7.x86_64.rpm
nss-debuginfo-3.19.1-5.el6_7.i686.rpm
nss-debuginfo-3.19.1-5.el6_7.x86_64.rpm
nss-devel-3.19.1-5.el6_7.i686.rpm
nss-devel-3.19.1-5.el6_7.x86_64.rpm
nss-sysinit-3.19.1-5.el6_7.x86_64.rpm
nss-tools-3.19.1-5.el6_7.x86_64.rpm
nss-util-3.19.1-2.el6_7.i686.rpm
nss-util-3.19.1-2.el6_7.x86_64.rpm
nss-util-debuginfo-3.19.1-2.el6_7.i686.rpm
nss-util-debuginfo-3.19.1-2.el6_7.x86_64.rpm
nss-util-devel-3.19.1-2.el6_7.i686.rpm
nss-util-devel-3.19.1-2.el6_7.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 6):

i386:
nss-debuginfo-3.19.1-5.el6_7.i686.rpm
nss-pkcs11-devel-3.19.1-5.el6_7.i686.rpm

x86_64:
nss-debuginfo-3.19.1-5.el6_7.i686.rpm
nss-debuginfo-3.19.1-5.el6_7.x86_64.rpm
nss-pkcs11-devel-3.19.1-5.el6_7.i686.rpm
nss-pkcs11-devel-3.19.1-5.el6_7.x86_64.rpm

Red Hat Enterprise Linux Client (v.
7):

Source:
nspr-4.10.8-2.el7_1.src.rpm
nss-3.19.1-7.el7_1.2.src.rpm
nss-util-3.19.1-4.el7_1.src.rpm

x86_64:
nspr-4.10.8-2.el7_1.i686.rpm
nspr-4.10.8-2.el7_1.x86_64.rpm
nspr-debuginfo-4.10.8-2.el7_1.i686.rpm
nspr-debuginfo-4.10.8-2.el7_1.x86_64.rpm
nss-3.19.1-7.el7_1.2.i686.rpm
nss-3.19.1-7.el7_1.2.x86_64.rpm
nss-debuginfo-3.19.1-7.el7_1.2.i686.rpm
nss-debuginfo-3.19.1-7.el7_1.2.x86_64.rpm
nss-sysinit-3.19.1-7.el7_1.2.x86_64.rpm
nss-tools-3.19.1-7.el7_1.2.x86_64.rpm
nss-util-3.19.1-4.el7_1.i686.rpm
nss-util-3.19.1-4.el7_1.x86_64.rpm
nss-util-debuginfo-3.19.1-4.el7_1.i686.rpm
nss-util-debuginfo-3.19.1-4.el7_1.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

x86_64:
nspr-debuginfo-4.10.8-2.el7_1.i686.rpm
nspr-debuginfo-4.10.8-2.el7_1.x86_64.rpm
nspr-devel-4.10.8-2.el7_1.i686.rpm
nspr-devel-4.10.8-2.el7_1.x86_64.rpm
nss-debuginfo-3.19.1-7.el7_1.2.i686.rpm
nss-debuginfo-3.19.1-7.el7_1.2.x86_64.rpm
nss-devel-3.19.1-7.el7_1.2.i686.rpm
nss-devel-3.19.1-7.el7_1.2.x86_64.rpm
nss-pkcs11-devel-3.19.1-7.el7_1.2.i686.rpm
nss-pkcs11-devel-3.19.1-7.el7_1.2.x86_64.rpm
nss-util-debuginfo-3.19.1-4.el7_1.i686.rpm
nss-util-debuginfo-3.19.1-4.el7_1.x86_64.rpm
nss-util-devel-3.19.1-4.el7_1.i686.rpm
nss-util-devel-3.19.1-4.el7_1.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
nspr-4.10.8-2.el7_1.src.rpm
nss-3.19.1-7.el7_1.2.src.rpm
nss-util-3.19.1-4.el7_1.src.rpm

x86_64:
nspr-4.10.8-2.el7_1.i686.rpm
nspr-4.10.8-2.el7_1.x86_64.rpm
nspr-debuginfo-4.10.8-2.el7_1.i686.rpm
nspr-debuginfo-4.10.8-2.el7_1.x86_64.rpm
nss-3.19.1-7.el7_1.2.i686.rpm
nss-3.19.1-7.el7_1.2.x86_64.rpm
nss-debuginfo-3.19.1-7.el7_1.2.i686.rpm
nss-debuginfo-3.19.1-7.el7_1.2.x86_64.rpm
nss-sysinit-3.19.1-7.el7_1.2.x86_64.rpm
nss-tools-3.19.1-7.el7_1.2.x86_64.rpm
nss-util-3.19.1-4.el7_1.i686.rpm
nss-util-3.19.1-4.el7_1.x86_64.rpm
nss-util-debuginfo-3.19.1-4.el7_1.i686.rpm
nss-util-debuginfo-3.19.1-4.el7_1.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v.
7):

x86_64:
nspr-debuginfo-4.10.8-2.el7_1.i686.rpm
nspr-debuginfo-4.10.8-2.el7_1.x86_64.rpm
nspr-devel-4.10.8-2.el7_1.i686.rpm
nspr-devel-4.10.8-2.el7_1.x86_64.rpm
nss-debuginfo-3.19.1-7.el7_1.2.i686.rpm
nss-debuginfo-3.19.1-7.el7_1.2.x86_64.rpm
nss-devel-3.19.1-7.el7_1.2.i686.rpm
nss-devel-3.19.1-7.el7_1.2.x86_64.rpm
nss-pkcs11-devel-3.19.1-7.el7_1.2.i686.rpm
nss-pkcs11-devel-3.19.1-7.el7_1.2.x86_64.rpm
nss-util-debuginfo-3.19.1-4.el7_1.i686.rpm
nss-util-debuginfo-3.19.1-4.el7_1.x86_64.rpm
nss-util-devel-3.19.1-4.el7_1.i686.rpm
nss-util-devel-3.19.1-4.el7_1.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
nspr-4.10.8-2.el7_1.src.rpm
nss-3.19.1-7.el7_1.2.src.rpm
nss-util-3.19.1-4.el7_1.src.rpm

ppc64:
nspr-4.10.8-2.el7_1.ppc.rpm
nspr-4.10.8-2.el7_1.ppc64.rpm
nspr-debuginfo-4.10.8-2.el7_1.ppc.rpm
nspr-debuginfo-4.10.8-2.el7_1.ppc64.rpm
nspr-devel-4.10.8-2.el7_1.ppc.rpm
nspr-devel-4.10.8-2.el7_1.ppc64.rpm
nss-3.19.1-7.el7_1.2.ppc.rpm
nss-3.19.1-7.el7_1.2.ppc64.rpm
nss-debuginfo-3.19.1-7.el7_1.2.ppc.rpm
nss-debuginfo-3.19.1-7.el7_1.2.ppc64.rpm
nss-devel-3.19.1-7.el7_1.2.ppc.rpm
nss-devel-3.19.1-7.el7_1.2.ppc64.rpm
nss-sysinit-3.19.1-7.el7_1.2.ppc64.rpm
nss-tools-3.19.1-7.el7_1.2.ppc64.rpm
nss-util-3.19.1-4.el7_1.ppc.rpm
nss-util-3.19.1-4.el7_1.ppc64.rpm
nss-util-debuginfo-3.19.1-4.el7_1.ppc.rpm
nss-util-debuginfo-3.19.1-4.el7_1.ppc64.rpm
nss-util-devel-3.19.1-4.el7_1.ppc.rpm
nss-util-devel-3.19.1-4.el7_1.ppc64.rpm

s390x:
nspr-4.10.8-2.el7_1.s390.rpm
nspr-4.10.8-2.el7_1.s390x.rpm
nspr-debuginfo-4.10.8-2.el7_1.s390.rpm
nspr-debuginfo-4.10.8-2.el7_1.s390x.rpm
nspr-devel-4.10.8-2.el7_1.s390.rpm
nspr-devel-4.10.8-2.el7_1.s390x.rpm
nss-3.19.1-7.el7_1.2.s390.rpm
nss-3.19.1-7.el7_1.2.s390x.rpm
nss-debuginfo-3.19.1-7.el7_1.2.s390.rpm
nss-debuginfo-3.19.1-7.el7_1.2.s390x.rpm
nss-devel-3.19.1-7.el7_1.2.s390.rpm
nss-devel-3.19.1-7.el7_1.2.s390x.rpm
nss-sysinit-3.19.1-7.el7_1.2.s390x.rpm
nss-tools-3.19.1-7.el7_1.2.s390x.rpm
nss-util-3.19.1-4.el7_1.s390.rpm
nss-util-3.19.1-4.el7_1.s390x.rpm
nss-util-debuginfo-3.19.1-4.el7_1.s390.rpm
nss-util-debuginfo-3.19.1-4.el7_1.s390x.rpm
nss-util-devel-3.19.1-4.el7_1.s390.rpm
nss-util-devel-3.19.1-4.el7_1.s390x.rpm

x86_64:
nspr-4.10.8-2.el7_1.i686.rpm
nspr-4.10.8-2.el7_1.x86_64.rpm
nspr-debuginfo-4.10.8-2.el7_1.i686.rpm
nspr-debuginfo-4.10.8-2.el7_1.x86_64.rpm
nspr-devel-4.10.8-2.el7_1.i686.rpm
nspr-devel-4.10.8-2.el7_1.x86_64.rpm
nss-3.19.1-7.el7_1.2.i686.rpm
nss-3.19.1-7.el7_1.2.x86_64.rpm
nss-debuginfo-3.19.1-7.el7_1.2.i686.rpm
nss-debuginfo-3.19.1-7.el7_1.2.x86_64.rpm
nss-devel-3.19.1-7.el7_1.2.i686.rpm
nss-devel-3.19.1-7.el7_1.2.x86_64.rpm
nss-sysinit-3.19.1-7.el7_1.2.x86_64.rpm
nss-tools-3.19.1-7.el7_1.2.x86_64.rpm
nss-util-3.19.1-4.el7_1.i686.rpm
nss-util-3.19.1-4.el7_1.x86_64.rpm
nss-util-debuginfo-3.19.1-4.el7_1.i686.rpm
nss-util-debuginfo-3.19.1-4.el7_1.x86_64.rpm
nss-util-devel-3.19.1-4.el7_1.i686.rpm
nss-util-devel-3.19.1-4.el7_1.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
nspr-4.10.8-2.ael7b_1.src.rpm
nss-3.19.1-7.ael7b_1.2.src.rpm
nss-util-3.19.1-4.ael7b_1.src.rpm

ppc64le:
nspr-4.10.8-2.ael7b_1.ppc64le.rpm
nspr-debuginfo-4.10.8-2.ael7b_1.ppc64le.rpm
nspr-devel-4.10.8-2.ael7b_1.ppc64le.rpm
nss-3.19.1-7.ael7b_1.2.ppc64le.rpm
nss-debuginfo-3.19.1-7.ael7b_1.2.ppc64le.rpm
nss-devel-3.19.1-7.ael7b_1.2.ppc64le.rpm
nss-sysinit-3.19.1-7.ael7b_1.2.ppc64le.rpm
nss-tools-3.19.1-7.ael7b_1.2.ppc64le.rpm
nss-util-3.19.1-4.ael7b_1.ppc64le.rpm
nss-util-debuginfo-3.19.1-4.ael7b_1.ppc64le.rpm
nss-util-devel-3.19.1-4.ael7b_1.ppc64le.rpm

Red Hat Enterprise Linux Server Optional (v.
7):

ppc64:
nss-debuginfo-3.19.1-7.el7_1.2.ppc.rpm
nss-debuginfo-3.19.1-7.el7_1.2.ppc64.rpm
nss-pkcs11-devel-3.19.1-7.el7_1.2.ppc.rpm
nss-pkcs11-devel-3.19.1-7.el7_1.2.ppc64.rpm

s390x:
nss-debuginfo-3.19.1-7.el7_1.2.s390.rpm
nss-debuginfo-3.19.1-7.el7_1.2.s390x.rpm
nss-pkcs11-devel-3.19.1-7.el7_1.2.s390.rpm
nss-pkcs11-devel-3.19.1-7.el7_1.2.s390x.rpm

x86_64:
nss-debuginfo-3.19.1-7.el7_1.2.i686.rpm
nss-debuginfo-3.19.1-7.el7_1.2.x86_64.rpm
nss-pkcs11-devel-3.19.1-7.el7_1.2.i686.rpm
nss-pkcs11-devel-3.19.1-7.el7_1.2.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

ppc64le:
nss-debuginfo-3.19.1-7.ael7b_1.2.ppc64le.rpm
nss-pkcs11-devel-3.19.1-7.ael7b_1.2.ppc64le.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
nspr-4.10.8-2.el7_1.src.rpm
nss-3.19.1-7.el7_1.2.src.rpm
nss-util-3.19.1-4.el7_1.src.rpm

x86_64:
nspr-4.10.8-2.el7_1.i686.rpm
nspr-4.10.8-2.el7_1.x86_64.rpm
nspr-debuginfo-4.10.8-2.el7_1.i686.rpm
nspr-debuginfo-4.10.8-2.el7_1.x86_64.rpm
nspr-devel-4.10.8-2.el7_1.i686.rpm
nspr-devel-4.10.8-2.el7_1.x86_64.rpm
nss-3.19.1-7.el7_1.2.i686.rpm
nss-3.19.1-7.el7_1.2.x86_64.rpm
nss-debuginfo-3.19.1-7.el7_1.2.i686.rpm
nss-debuginfo-3.19.1-7.el7_1.2.x86_64.rpm
nss-devel-3.19.1-7.el7_1.2.i686.rpm
nss-devel-3.19.1-7.el7_1.2.x86_64.rpm
nss-sysinit-3.19.1-7.el7_1.2.x86_64.rpm
nss-tools-3.19.1-7.el7_1.2.x86_64.rpm
nss-util-3.19.1-4.el7_1.i686.rpm
nss-util-3.19.1-4.el7_1.x86_64.rpm
nss-util-debuginfo-3.19.1-4.el7_1.i686.rpm
nss-util-debuginfo-3.19.1-4.el7_1.x86_64.rpm
nss-util-devel-3.19.1-4.el7_1.i686.rpm
nss-util-devel-3.19.1-4.el7_1.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

x86_64:
nss-debuginfo-3.19.1-7.el7_1.2.i686.rpm
nss-debuginfo-3.19.1-7.el7_1.2.x86_64.rpm
nss-pkcs11-devel-3.19.1-7.el7_1.2.i686.rpm
nss-pkcs11-devel-3.19.1-7.el7_1.2.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7.
References:

https://access.redhat.com/security/cve/CVE-2015-7181
https://access.redhat.com/security/cve/CVE-2015-7182
https://access.redhat.com/security/cve/CVE-2015-7183
https://access.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFWOgPxXlSAg2UNWIIRAm3PAJ9PhsneTLF/T6vOlscwStPrc/zpUwCglJaA
Rz+L0Jjg0gya3/xI5RhtpeU=
=c0Rp
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Nov 4 13:29:22 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 4 Nov 2015 13:29:22 +0000
Subject: [RHSA-2015:1982-01] Critical: firefox security update
Message-ID: <201511041315.tA4DF0b9009771@int-mx14.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: firefox security update
Advisory ID:       RHSA-2015:1982-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-1982.html
Issue date:        2015-11-04
CVE Names:         CVE-2015-4513 CVE-2015-7188 CVE-2015-7189 CVE-2015-7193 CVE-2015-7194 CVE-2015-7196 CVE-2015-7197 CVE-2015-7198
=====================================================================

1. Summary:

Updated firefox packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5, 6, and 7.

Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux (v. 5 server) - i386, ppc, s390x, x86_64
Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v.
7) - x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox.

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2015-4513, CVE-2015-7189, CVE-2015-7194, CVE-2015-7196, CVE-2015-7198, CVE-2015-7197)

A same-origin policy bypass flaw was found in the way Firefox handled certain cross-origin resource sharing (CORS) requests. A web page containing malicious content could cause Firefox to disclose sensitive information. (CVE-2015-7193)

A same-origin policy bypass flaw was found in the way Firefox handled URLs containing IP addresses with white-space characters. This could lead to cross-site scripting attacks. (CVE-2015-7188)

Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Christian Holler, David Major, Jesse Ruderman, Tyson Smith, Boris Zbarsky, Randell Jesup, Olli Pettay, Karl Tomlinson, Jeff Walden, Gary Kwong, Michał Bentkowski, Looben Yang, Shinto K Anto, Gustavo Grieco, Vytautas Staraitis, Ronald Crane, and Ehsan Akhgari as the original reporters of these issues.

All Firefox users should upgrade to these updated packages, which contain Firefox version 38.4.0 ESR, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1277332 - CVE-2015-4513 Mozilla: Miscellaneous memory safety hazards (rv:38.4) (MFSA 2015-116)
1277343 - CVE-2015-7188 Mozilla: Trailing whitespace in IP address hostnames can bypass same-origin policy (MFSA 2015-122)
1277344 - CVE-2015-7189 Mozilla: Buffer overflow during image interactions in canvas (MFSA 2015-123)
1277346 - CVE-2015-7193 Mozilla: CORS preflight is bypassed when non-standard Content-Type headers are received (MFSA 2015-127)
1277347 - CVE-2015-7194 Mozilla: Memory corruption in libjar through zip files (MFSA 2015-128)
1277349 - CVE-2015-7196 Mozilla: JavaScript garbage collection crash with Java applet (MFSA 2015-130)
1277350 - CVE-2015-7198 Mozilla: Vulnerabilities found through code inspection (MFSA 2015-131)
1277351 - CVE-2015-7197 Mozilla: Mixed content WebSocket policy bypass through workers (MFSA 2015-132)

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
firefox-38.4.0-1.el5_11.src.rpm

i386:
firefox-38.4.0-1.el5_11.i386.rpm
firefox-debuginfo-38.4.0-1.el5_11.i386.rpm

x86_64:
firefox-38.4.0-1.el5_11.i386.rpm
firefox-38.4.0-1.el5_11.x86_64.rpm
firefox-debuginfo-38.4.0-1.el5_11.i386.rpm
firefox-debuginfo-38.4.0-1.el5_11.x86_64.rpm

Red Hat Enterprise Linux (v.
5 server):

Source:
firefox-38.4.0-1.el5_11.src.rpm

i386:
firefox-38.4.0-1.el5_11.i386.rpm
firefox-debuginfo-38.4.0-1.el5_11.i386.rpm

ppc:
firefox-38.4.0-1.el5_11.ppc64.rpm
firefox-debuginfo-38.4.0-1.el5_11.ppc64.rpm

s390x:
firefox-38.4.0-1.el5_11.s390.rpm
firefox-38.4.0-1.el5_11.s390x.rpm
firefox-debuginfo-38.4.0-1.el5_11.s390.rpm
firefox-debuginfo-38.4.0-1.el5_11.s390x.rpm

x86_64:
firefox-38.4.0-1.el5_11.i386.rpm
firefox-38.4.0-1.el5_11.x86_64.rpm
firefox-debuginfo-38.4.0-1.el5_11.i386.rpm
firefox-debuginfo-38.4.0-1.el5_11.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 6):

Source:
firefox-38.4.0-1.el6_7.src.rpm

i386:
firefox-38.4.0-1.el6_7.i686.rpm
firefox-debuginfo-38.4.0-1.el6_7.i686.rpm

x86_64:
firefox-38.4.0-1.el6_7.x86_64.rpm
firefox-debuginfo-38.4.0-1.el6_7.x86_64.rpm

Red Hat Enterprise Linux Desktop Optional (v. 6):

x86_64:
firefox-38.4.0-1.el6_7.i686.rpm
firefox-debuginfo-38.4.0-1.el6_7.i686.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

Source:
firefox-38.4.0-1.el6_7.src.rpm

x86_64:
firefox-38.4.0-1.el6_7.i686.rpm
firefox-38.4.0-1.el6_7.x86_64.rpm
firefox-debuginfo-38.4.0-1.el6_7.i686.rpm
firefox-debuginfo-38.4.0-1.el6_7.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
firefox-38.4.0-1.el6_7.src.rpm

i386:
firefox-38.4.0-1.el6_7.i686.rpm
firefox-debuginfo-38.4.0-1.el6_7.i686.rpm

ppc64:
firefox-38.4.0-1.el6_7.ppc64.rpm
firefox-debuginfo-38.4.0-1.el6_7.ppc64.rpm

s390x:
firefox-38.4.0-1.el6_7.s390x.rpm
firefox-debuginfo-38.4.0-1.el6_7.s390x.rpm

x86_64:
firefox-38.4.0-1.el6_7.x86_64.rpm
firefox-debuginfo-38.4.0-1.el6_7.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

ppc64:
firefox-38.4.0-1.el6_7.ppc.rpm
firefox-debuginfo-38.4.0-1.el6_7.ppc.rpm

s390x:
firefox-38.4.0-1.el6_7.s390.rpm
firefox-debuginfo-38.4.0-1.el6_7.s390.rpm

x86_64:
firefox-38.4.0-1.el6_7.i686.rpm
firefox-debuginfo-38.4.0-1.el6_7.i686.rpm

Red Hat Enterprise Linux Workstation (v.
6):

Source:
firefox-38.4.0-1.el6_7.src.rpm

i386:
firefox-38.4.0-1.el6_7.i686.rpm
firefox-debuginfo-38.4.0-1.el6_7.i686.rpm

x86_64:
firefox-38.4.0-1.el6_7.x86_64.rpm
firefox-debuginfo-38.4.0-1.el6_7.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 6):

x86_64:
firefox-38.4.0-1.el6_7.i686.rpm
firefox-debuginfo-38.4.0-1.el6_7.i686.rpm

Red Hat Enterprise Linux Client (v. 7):

Source:
firefox-38.4.0-1.el7_1.src.rpm

x86_64:
firefox-38.4.0-1.el7_1.x86_64.rpm
firefox-debuginfo-38.4.0-1.el7_1.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

x86_64:
firefox-38.4.0-1.el7_1.i686.rpm
firefox-debuginfo-38.4.0-1.el7_1.i686.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
firefox-38.4.0-1.el7_1.src.rpm

ppc64:
firefox-38.4.0-1.el7_1.ppc64.rpm
firefox-debuginfo-38.4.0-1.el7_1.ppc64.rpm

s390x:
firefox-38.4.0-1.el7_1.s390x.rpm
firefox-debuginfo-38.4.0-1.el7_1.s390x.rpm

x86_64:
firefox-38.4.0-1.el7_1.x86_64.rpm
firefox-debuginfo-38.4.0-1.el7_1.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
firefox-38.4.0-1.ael7b_1.src.rpm

ppc64le:
firefox-38.4.0-1.ael7b_1.ppc64le.rpm
firefox-debuginfo-38.4.0-1.ael7b_1.ppc64le.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

ppc64:
firefox-38.4.0-1.el7_1.ppc.rpm
firefox-debuginfo-38.4.0-1.el7_1.ppc.rpm

s390x:
firefox-38.4.0-1.el7_1.s390.rpm
firefox-debuginfo-38.4.0-1.el7_1.s390.rpm

x86_64:
firefox-38.4.0-1.el7_1.i686.rpm
firefox-debuginfo-38.4.0-1.el7_1.i686.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
firefox-38.4.0-1.el7_1.src.rpm

x86_64:
firefox-38.4.0-1.el7_1.x86_64.rpm
firefox-debuginfo-38.4.0-1.el7_1.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

x86_64:
firefox-38.4.0-1.el7_1.i686.rpm
firefox-debuginfo-38.4.0-1.el7_1.i686.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7.
References: https://access.redhat.com/security/cve/CVE-2015-4513 https://access.redhat.com/security/cve/CVE-2015-7188 https://access.redhat.com/security/cve/CVE-2015-7189 https://access.redhat.com/security/cve/CVE-2015-7193 https://access.redhat.com/security/cve/CVE-2015-7194 https://access.redhat.com/security/cve/CVE-2015-7196 https://access.redhat.com/security/cve/CVE-2015-7197 https://access.redhat.com/security/cve/CVE-2015-7198 https://access.redhat.com/security/updates/classification/#critical https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/#firefoxesr38.4 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2015 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFWOgTPXlSAg2UNWIIRAqeSAKCeXJWyWZgjWtI46FDug6lvyhyzDgCgpFTs tlfkVW6M8aU1SMZ1LMVzu0w= =IACp -----END PGP SIGNATURE----- From bugzilla at redhat.com Tue Nov 10 13:43:57 2015 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Tue, 10 Nov 2015 13:43:57 +0000 Subject: [RHSA-2015:2019-01] Low: sssd security and bug fix update Message-ID: <201511101343.tAADhw7Q022797@int-mx13.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Low: sssd security and bug fix update Advisory ID: RHSA-2015:2019-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-2019.html Issue date: 2015-11-10 CVE Names: CVE-2015-5292 ===================================================================== 1. Summary: Updated sssd packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Low security impact. 
A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available from the CVE link in the References
section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 6) - i386, noarch, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - noarch, x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, noarch, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, noarch, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64

3. Description:

The System Security Services Daemon (SSSD) service provides a set of
daemons to manage access to remote directories and authentication
mechanisms. It also provides the Name Service Switch (NSS) and the
Pluggable Authentication Modules (PAM) interfaces toward the system, and a
pluggable back-end system to connect to multiple different account sources.

It was found that SSSD's Privilege Attribute Certificate (PAC) responder
plug-in would leak a small amount of memory on each authentication request.
A remote attacker could potentially use this flaw to exhaust all available
memory on the system by making repeated requests to a Kerberized daemon
application configured to authenticate using the PAC responder plug-in.
(CVE-2015-5292)

This update also fixes the following bugs:

* Previously, SSSD did not correctly handle sudo rules that applied to
groups with names containing special characters, such as the "(" opening
parenthesis sign. Consequently, SSSD skipped such sudo rules. The internal
sysdb search has been modified to escape special characters when searching
for objects to which sudo rules apply. As a result, SSSD applies the
described sudo rules as expected. (BZ#1258398)

* Prior to this update, SSSD did not correctly handle group names
containing special Lightweight Directory Access Protocol (LDAP) characters,
such as the "(" or ")" parenthesis signs. When a group name contained one
or more such characters, the internal cache cleanup operation failed with
an I/O error. With this update, LDAP special characters in the
Distinguished Name (DN) of a cache entry are escaped before the cleanup
operation starts. As a result, the cleanup operation completes successfully
in the described situation. (BZ#1264098)

* Applications performing Kerberos authentication previously increased the
memory footprint of the Kerberos plug-in that parses the Privilege
Attribute Certificate (PAC) information. The plug-in has been updated to
free the memory it allocates, thus fixing this bug. (BZ#1268783)

* Previously, when malformed POSIX attributes were defined in an Active
Directory (AD) LDAP server, SSSD unexpectedly switched to offline mode.
This update relaxes certain checks for AD POSIX attribute validity. As a
result, SSSD now works as expected even when malformed POSIX attributes are
present in AD and no longer enters offline mode in the described situation.
(BZ#1268784)

All sssd users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. After installing the
update, the sssd service will be restarted automatically. Additionally, all
running applications using the PAC responder plug-in must be restarted for
the changes to take effect.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1267580 - CVE-2015-5292 sssd: memory leak in the sssd_pac_plugin
1268783 - Memory leak / possible DoS with krb auth. [rhel 6.7.z]

6. Package List:

Red Hat Enterprise Linux Desktop (v. 6):

Source:
sssd-1.12.4-47.el6_7.4.src.rpm

i386:
libipa_hbac-1.12.4-47.el6_7.4.i686.rpm
libipa_hbac-python-1.12.4-47.el6_7.4.i686.rpm
libsss_idmap-1.12.4-47.el6_7.4.i686.rpm
sssd-1.12.4-47.el6_7.4.i686.rpm
sssd-ad-1.12.4-47.el6_7.4.i686.rpm
sssd-client-1.12.4-47.el6_7.4.i686.rpm
sssd-common-1.12.4-47.el6_7.4.i686.rpm
sssd-common-pac-1.12.4-47.el6_7.4.i686.rpm
sssd-dbus-1.12.4-47.el6_7.4.i686.rpm
sssd-debuginfo-1.12.4-47.el6_7.4.i686.rpm
sssd-ipa-1.12.4-47.el6_7.4.i686.rpm
sssd-krb5-1.12.4-47.el6_7.4.i686.rpm
sssd-krb5-common-1.12.4-47.el6_7.4.i686.rpm
sssd-ldap-1.12.4-47.el6_7.4.i686.rpm
sssd-proxy-1.12.4-47.el6_7.4.i686.rpm

noarch:
python-sssdconfig-1.12.4-47.el6_7.4.noarch.rpm

x86_64:
libipa_hbac-1.12.4-47.el6_7.4.i686.rpm
libipa_hbac-1.12.4-47.el6_7.4.x86_64.rpm
libipa_hbac-python-1.12.4-47.el6_7.4.x86_64.rpm
libsss_idmap-1.12.4-47.el6_7.4.i686.rpm
libsss_idmap-1.12.4-47.el6_7.4.x86_64.rpm
sssd-1.12.4-47.el6_7.4.x86_64.rpm
sssd-ad-1.12.4-47.el6_7.4.x86_64.rpm
sssd-client-1.12.4-47.el6_7.4.i686.rpm
sssd-client-1.12.4-47.el6_7.4.x86_64.rpm
sssd-common-1.12.4-47.el6_7.4.x86_64.rpm
sssd-common-pac-1.12.4-47.el6_7.4.x86_64.rpm
sssd-dbus-1.12.4-47.el6_7.4.x86_64.rpm
sssd-debuginfo-1.12.4-47.el6_7.4.i686.rpm
sssd-debuginfo-1.12.4-47.el6_7.4.x86_64.rpm
sssd-ipa-1.12.4-47.el6_7.4.x86_64.rpm
sssd-krb5-1.12.4-47.el6_7.4.x86_64.rpm
sssd-krb5-common-1.12.4-47.el6_7.4.x86_64.rpm
sssd-ldap-1.12.4-47.el6_7.4.x86_64.rpm
sssd-proxy-1.12.4-47.el6_7.4.x86_64.rpm

Red Hat Enterprise Linux Desktop Optional (v. 6):

i386:
libipa_hbac-devel-1.12.4-47.el6_7.4.i686.rpm
libsss_idmap-devel-1.12.4-47.el6_7.4.i686.rpm
libsss_nss_idmap-1.12.4-47.el6_7.4.i686.rpm
libsss_nss_idmap-devel-1.12.4-47.el6_7.4.i686.rpm
libsss_nss_idmap-python-1.12.4-47.el6_7.4.i686.rpm
libsss_simpleifp-1.12.4-47.el6_7.4.i686.rpm
libsss_simpleifp-devel-1.12.4-47.el6_7.4.i686.rpm
sssd-debuginfo-1.12.4-47.el6_7.4.i686.rpm
sssd-tools-1.12.4-47.el6_7.4.i686.rpm

x86_64:
libipa_hbac-devel-1.12.4-47.el6_7.4.i686.rpm
libipa_hbac-devel-1.12.4-47.el6_7.4.x86_64.rpm
libsss_idmap-devel-1.12.4-47.el6_7.4.i686.rpm
libsss_idmap-devel-1.12.4-47.el6_7.4.x86_64.rpm
libsss_nss_idmap-1.12.4-47.el6_7.4.i686.rpm
libsss_nss_idmap-1.12.4-47.el6_7.4.x86_64.rpm
libsss_nss_idmap-devel-1.12.4-47.el6_7.4.i686.rpm
libsss_nss_idmap-devel-1.12.4-47.el6_7.4.x86_64.rpm
libsss_nss_idmap-python-1.12.4-47.el6_7.4.x86_64.rpm
libsss_simpleifp-1.12.4-47.el6_7.4.i686.rpm
libsss_simpleifp-1.12.4-47.el6_7.4.x86_64.rpm
libsss_simpleifp-devel-1.12.4-47.el6_7.4.i686.rpm
libsss_simpleifp-devel-1.12.4-47.el6_7.4.x86_64.rpm
sssd-debuginfo-1.12.4-47.el6_7.4.i686.rpm
sssd-debuginfo-1.12.4-47.el6_7.4.x86_64.rpm
sssd-tools-1.12.4-47.el6_7.4.x86_64.rpm

Red Hat Enterprise Linux HPC Node (v. 6):

Source:
sssd-1.12.4-47.el6_7.4.src.rpm

noarch:
python-sssdconfig-1.12.4-47.el6_7.4.noarch.rpm

x86_64:
libipa_hbac-1.12.4-47.el6_7.4.i686.rpm
libipa_hbac-1.12.4-47.el6_7.4.x86_64.rpm
libipa_hbac-python-1.12.4-47.el6_7.4.x86_64.rpm
libsss_idmap-1.12.4-47.el6_7.4.i686.rpm
libsss_idmap-1.12.4-47.el6_7.4.x86_64.rpm
sssd-1.12.4-47.el6_7.4.x86_64.rpm
sssd-ad-1.12.4-47.el6_7.4.x86_64.rpm
sssd-client-1.12.4-47.el6_7.4.i686.rpm
sssd-client-1.12.4-47.el6_7.4.x86_64.rpm
sssd-common-1.12.4-47.el6_7.4.x86_64.rpm
sssd-common-pac-1.12.4-47.el6_7.4.x86_64.rpm
sssd-dbus-1.12.4-47.el6_7.4.x86_64.rpm
sssd-debuginfo-1.12.4-47.el6_7.4.i686.rpm
sssd-debuginfo-1.12.4-47.el6_7.4.x86_64.rpm
sssd-ipa-1.12.4-47.el6_7.4.x86_64.rpm
sssd-krb5-1.12.4-47.el6_7.4.x86_64.rpm
sssd-krb5-common-1.12.4-47.el6_7.4.x86_64.rpm
sssd-ldap-1.12.4-47.el6_7.4.x86_64.rpm
sssd-proxy-1.12.4-47.el6_7.4.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

x86_64:
libipa_hbac-devel-1.12.4-47.el6_7.4.i686.rpm
libipa_hbac-devel-1.12.4-47.el6_7.4.x86_64.rpm
libsss_idmap-devel-1.12.4-47.el6_7.4.i686.rpm
libsss_idmap-devel-1.12.4-47.el6_7.4.x86_64.rpm
libsss_nss_idmap-1.12.4-47.el6_7.4.i686.rpm
libsss_nss_idmap-1.12.4-47.el6_7.4.x86_64.rpm
libsss_nss_idmap-devel-1.12.4-47.el6_7.4.i686.rpm
libsss_nss_idmap-devel-1.12.4-47.el6_7.4.x86_64.rpm
libsss_nss_idmap-python-1.12.4-47.el6_7.4.x86_64.rpm
libsss_simpleifp-1.12.4-47.el6_7.4.i686.rpm
libsss_simpleifp-1.12.4-47.el6_7.4.x86_64.rpm
libsss_simpleifp-devel-1.12.4-47.el6_7.4.i686.rpm
libsss_simpleifp-devel-1.12.4-47.el6_7.4.x86_64.rpm
sssd-debuginfo-1.12.4-47.el6_7.4.i686.rpm
sssd-debuginfo-1.12.4-47.el6_7.4.x86_64.rpm
sssd-tools-1.12.4-47.el6_7.4.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
sssd-1.12.4-47.el6_7.4.src.rpm

i386:
libipa_hbac-1.12.4-47.el6_7.4.i686.rpm
libipa_hbac-python-1.12.4-47.el6_7.4.i686.rpm
libsss_idmap-1.12.4-47.el6_7.4.i686.rpm
sssd-1.12.4-47.el6_7.4.i686.rpm
sssd-ad-1.12.4-47.el6_7.4.i686.rpm
sssd-client-1.12.4-47.el6_7.4.i686.rpm
sssd-common-1.12.4-47.el6_7.4.i686.rpm
sssd-common-pac-1.12.4-47.el6_7.4.i686.rpm
sssd-dbus-1.12.4-47.el6_7.4.i686.rpm
sssd-debuginfo-1.12.4-47.el6_7.4.i686.rpm
sssd-ipa-1.12.4-47.el6_7.4.i686.rpm
sssd-krb5-1.12.4-47.el6_7.4.i686.rpm
sssd-krb5-common-1.12.4-47.el6_7.4.i686.rpm
sssd-ldap-1.12.4-47.el6_7.4.i686.rpm
sssd-proxy-1.12.4-47.el6_7.4.i686.rpm

noarch:
python-sssdconfig-1.12.4-47.el6_7.4.noarch.rpm

ppc64:
libipa_hbac-1.12.4-47.el6_7.4.ppc.rpm
libipa_hbac-1.12.4-47.el6_7.4.ppc64.rpm
libipa_hbac-python-1.12.4-47.el6_7.4.ppc64.rpm
libsss_idmap-1.12.4-47.el6_7.4.ppc.rpm
libsss_idmap-1.12.4-47.el6_7.4.ppc64.rpm
sssd-1.12.4-47.el6_7.4.ppc64.rpm
sssd-ad-1.12.4-47.el6_7.4.ppc64.rpm
sssd-client-1.12.4-47.el6_7.4.ppc.rpm
sssd-client-1.12.4-47.el6_7.4.ppc64.rpm
sssd-common-1.12.4-47.el6_7.4.ppc64.rpm
sssd-common-pac-1.12.4-47.el6_7.4.ppc64.rpm
sssd-dbus-1.12.4-47.el6_7.4.ppc64.rpm
sssd-debuginfo-1.12.4-47.el6_7.4.ppc.rpm
sssd-debuginfo-1.12.4-47.el6_7.4.ppc64.rpm
sssd-ipa-1.12.4-47.el6_7.4.ppc64.rpm
sssd-krb5-1.12.4-47.el6_7.4.ppc64.rpm
sssd-krb5-common-1.12.4-47.el6_7.4.ppc64.rpm
sssd-ldap-1.12.4-47.el6_7.4.ppc64.rpm
sssd-proxy-1.12.4-47.el6_7.4.ppc64.rpm

s390x:
libipa_hbac-1.12.4-47.el6_7.4.s390.rpm
libipa_hbac-1.12.4-47.el6_7.4.s390x.rpm
libipa_hbac-python-1.12.4-47.el6_7.4.s390x.rpm
libsss_idmap-1.12.4-47.el6_7.4.s390.rpm
libsss_idmap-1.12.4-47.el6_7.4.s390x.rpm
sssd-1.12.4-47.el6_7.4.s390x.rpm
sssd-ad-1.12.4-47.el6_7.4.s390x.rpm
sssd-client-1.12.4-47.el6_7.4.s390.rpm
sssd-client-1.12.4-47.el6_7.4.s390x.rpm
sssd-common-1.12.4-47.el6_7.4.s390x.rpm
sssd-common-pac-1.12.4-47.el6_7.4.s390x.rpm
sssd-dbus-1.12.4-47.el6_7.4.s390x.rpm
sssd-debuginfo-1.12.4-47.el6_7.4.s390.rpm
sssd-debuginfo-1.12.4-47.el6_7.4.s390x.rpm
sssd-ipa-1.12.4-47.el6_7.4.s390x.rpm
sssd-krb5-1.12.4-47.el6_7.4.s390x.rpm
sssd-krb5-common-1.12.4-47.el6_7.4.s390x.rpm
sssd-ldap-1.12.4-47.el6_7.4.s390x.rpm
sssd-proxy-1.12.4-47.el6_7.4.s390x.rpm

x86_64:
libipa_hbac-1.12.4-47.el6_7.4.i686.rpm
libipa_hbac-1.12.4-47.el6_7.4.x86_64.rpm
libipa_hbac-python-1.12.4-47.el6_7.4.x86_64.rpm
libsss_idmap-1.12.4-47.el6_7.4.i686.rpm
libsss_idmap-1.12.4-47.el6_7.4.x86_64.rpm
sssd-1.12.4-47.el6_7.4.x86_64.rpm
sssd-ad-1.12.4-47.el6_7.4.x86_64.rpm
sssd-client-1.12.4-47.el6_7.4.i686.rpm
sssd-client-1.12.4-47.el6_7.4.x86_64.rpm
sssd-common-1.12.4-47.el6_7.4.x86_64.rpm
sssd-common-pac-1.12.4-47.el6_7.4.x86_64.rpm
sssd-dbus-1.12.4-47.el6_7.4.x86_64.rpm
sssd-debuginfo-1.12.4-47.el6_7.4.i686.rpm
sssd-debuginfo-1.12.4-47.el6_7.4.x86_64.rpm
sssd-ipa-1.12.4-47.el6_7.4.x86_64.rpm
sssd-krb5-1.12.4-47.el6_7.4.x86_64.rpm
sssd-krb5-common-1.12.4-47.el6_7.4.x86_64.rpm
sssd-ldap-1.12.4-47.el6_7.4.x86_64.rpm
sssd-proxy-1.12.4-47.el6_7.4.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

i386:
libipa_hbac-devel-1.12.4-47.el6_7.4.i686.rpm
libsss_idmap-devel-1.12.4-47.el6_7.4.i686.rpm
libsss_nss_idmap-1.12.4-47.el6_7.4.i686.rpm
libsss_nss_idmap-devel-1.12.4-47.el6_7.4.i686.rpm
libsss_nss_idmap-python-1.12.4-47.el6_7.4.i686.rpm
libsss_simpleifp-1.12.4-47.el6_7.4.i686.rpm
libsss_simpleifp-devel-1.12.4-47.el6_7.4.i686.rpm
sssd-debuginfo-1.12.4-47.el6_7.4.i686.rpm
sssd-tools-1.12.4-47.el6_7.4.i686.rpm

ppc64:
libipa_hbac-devel-1.12.4-47.el6_7.4.ppc.rpm
libipa_hbac-devel-1.12.4-47.el6_7.4.ppc64.rpm
libsss_idmap-devel-1.12.4-47.el6_7.4.ppc.rpm
libsss_idmap-devel-1.12.4-47.el6_7.4.ppc64.rpm
libsss_nss_idmap-1.12.4-47.el6_7.4.ppc.rpm
libsss_nss_idmap-1.12.4-47.el6_7.4.ppc64.rpm
libsss_nss_idmap-devel-1.12.4-47.el6_7.4.ppc.rpm
libsss_nss_idmap-devel-1.12.4-47.el6_7.4.ppc64.rpm
libsss_nss_idmap-python-1.12.4-47.el6_7.4.ppc64.rpm
libsss_simpleifp-1.12.4-47.el6_7.4.ppc.rpm
libsss_simpleifp-1.12.4-47.el6_7.4.ppc64.rpm
libsss_simpleifp-devel-1.12.4-47.el6_7.4.ppc.rpm
libsss_simpleifp-devel-1.12.4-47.el6_7.4.ppc64.rpm
sssd-debuginfo-1.12.4-47.el6_7.4.ppc.rpm
sssd-debuginfo-1.12.4-47.el6_7.4.ppc64.rpm
sssd-tools-1.12.4-47.el6_7.4.ppc64.rpm

s390x:
libipa_hbac-devel-1.12.4-47.el6_7.4.s390.rpm
libipa_hbac-devel-1.12.4-47.el6_7.4.s390x.rpm
libsss_idmap-devel-1.12.4-47.el6_7.4.s390.rpm
libsss_idmap-devel-1.12.4-47.el6_7.4.s390x.rpm
libsss_nss_idmap-1.12.4-47.el6_7.4.s390.rpm
libsss_nss_idmap-1.12.4-47.el6_7.4.s390x.rpm
libsss_nss_idmap-devel-1.12.4-47.el6_7.4.s390.rpm
libsss_nss_idmap-devel-1.12.4-47.el6_7.4.s390x.rpm
libsss_nss_idmap-python-1.12.4-47.el6_7.4.s390x.rpm
libsss_simpleifp-1.12.4-47.el6_7.4.s390.rpm
libsss_simpleifp-1.12.4-47.el6_7.4.s390x.rpm
libsss_simpleifp-devel-1.12.4-47.el6_7.4.s390.rpm
libsss_simpleifp-devel-1.12.4-47.el6_7.4.s390x.rpm
sssd-debuginfo-1.12.4-47.el6_7.4.s390.rpm
sssd-debuginfo-1.12.4-47.el6_7.4.s390x.rpm
sssd-tools-1.12.4-47.el6_7.4.s390x.rpm

x86_64:
libipa_hbac-devel-1.12.4-47.el6_7.4.i686.rpm
libipa_hbac-devel-1.12.4-47.el6_7.4.x86_64.rpm
libsss_idmap-devel-1.12.4-47.el6_7.4.i686.rpm
libsss_idmap-devel-1.12.4-47.el6_7.4.x86_64.rpm
libsss_nss_idmap-1.12.4-47.el6_7.4.i686.rpm
libsss_nss_idmap-1.12.4-47.el6_7.4.x86_64.rpm
libsss_nss_idmap-devel-1.12.4-47.el6_7.4.i686.rpm
libsss_nss_idmap-devel-1.12.4-47.el6_7.4.x86_64.rpm
libsss_nss_idmap-python-1.12.4-47.el6_7.4.x86_64.rpm
libsss_simpleifp-1.12.4-47.el6_7.4.i686.rpm
libsss_simpleifp-1.12.4-47.el6_7.4.x86_64.rpm
libsss_simpleifp-devel-1.12.4-47.el6_7.4.i686.rpm
libsss_simpleifp-devel-1.12.4-47.el6_7.4.x86_64.rpm
sssd-debuginfo-1.12.4-47.el6_7.4.i686.rpm
sssd-debuginfo-1.12.4-47.el6_7.4.x86_64.rpm
sssd-tools-1.12.4-47.el6_7.4.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
sssd-1.12.4-47.el6_7.4.src.rpm

i386:
libipa_hbac-1.12.4-47.el6_7.4.i686.rpm
libipa_hbac-python-1.12.4-47.el6_7.4.i686.rpm
libsss_idmap-1.12.4-47.el6_7.4.i686.rpm
sssd-1.12.4-47.el6_7.4.i686.rpm
sssd-ad-1.12.4-47.el6_7.4.i686.rpm
sssd-client-1.12.4-47.el6_7.4.i686.rpm
sssd-common-1.12.4-47.el6_7.4.i686.rpm
sssd-common-pac-1.12.4-47.el6_7.4.i686.rpm
sssd-dbus-1.12.4-47.el6_7.4.i686.rpm
sssd-debuginfo-1.12.4-47.el6_7.4.i686.rpm
sssd-ipa-1.12.4-47.el6_7.4.i686.rpm
sssd-krb5-1.12.4-47.el6_7.4.i686.rpm
sssd-krb5-common-1.12.4-47.el6_7.4.i686.rpm
sssd-ldap-1.12.4-47.el6_7.4.i686.rpm
sssd-proxy-1.12.4-47.el6_7.4.i686.rpm

noarch:
python-sssdconfig-1.12.4-47.el6_7.4.noarch.rpm

x86_64:
libipa_hbac-1.12.4-47.el6_7.4.i686.rpm
libipa_hbac-1.12.4-47.el6_7.4.x86_64.rpm
libipa_hbac-python-1.12.4-47.el6_7.4.x86_64.rpm
libsss_idmap-1.12.4-47.el6_7.4.i686.rpm
libsss_idmap-1.12.4-47.el6_7.4.x86_64.rpm
sssd-1.12.4-47.el6_7.4.x86_64.rpm
sssd-ad-1.12.4-47.el6_7.4.x86_64.rpm
sssd-client-1.12.4-47.el6_7.4.i686.rpm
sssd-client-1.12.4-47.el6_7.4.x86_64.rpm
sssd-common-1.12.4-47.el6_7.4.x86_64.rpm
sssd-common-pac-1.12.4-47.el6_7.4.x86_64.rpm
sssd-dbus-1.12.4-47.el6_7.4.x86_64.rpm
sssd-debuginfo-1.12.4-47.el6_7.4.i686.rpm
sssd-debuginfo-1.12.4-47.el6_7.4.x86_64.rpm
sssd-ipa-1.12.4-47.el6_7.4.x86_64.rpm
sssd-krb5-1.12.4-47.el6_7.4.x86_64.rpm
sssd-krb5-common-1.12.4-47.el6_7.4.x86_64.rpm
sssd-ldap-1.12.4-47.el6_7.4.x86_64.rpm
sssd-proxy-1.12.4-47.el6_7.4.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 6):

i386:
libipa_hbac-devel-1.12.4-47.el6_7.4.i686.rpm
libsss_idmap-devel-1.12.4-47.el6_7.4.i686.rpm
libsss_nss_idmap-1.12.4-47.el6_7.4.i686.rpm
libsss_nss_idmap-devel-1.12.4-47.el6_7.4.i686.rpm
libsss_nss_idmap-python-1.12.4-47.el6_7.4.i686.rpm
libsss_simpleifp-1.12.4-47.el6_7.4.i686.rpm
libsss_simpleifp-devel-1.12.4-47.el6_7.4.i686.rpm
sssd-debuginfo-1.12.4-47.el6_7.4.i686.rpm
sssd-tools-1.12.4-47.el6_7.4.i686.rpm

x86_64:
libipa_hbac-devel-1.12.4-47.el6_7.4.i686.rpm
libipa_hbac-devel-1.12.4-47.el6_7.4.x86_64.rpm
libsss_idmap-devel-1.12.4-47.el6_7.4.i686.rpm
libsss_idmap-devel-1.12.4-47.el6_7.4.x86_64.rpm
libsss_nss_idmap-1.12.4-47.el6_7.4.i686.rpm
libsss_nss_idmap-1.12.4-47.el6_7.4.x86_64.rpm
libsss_nss_idmap-devel-1.12.4-47.el6_7.4.i686.rpm
libsss_nss_idmap-devel-1.12.4-47.el6_7.4.x86_64.rpm
libsss_nss_idmap-python-1.12.4-47.el6_7.4.x86_64.rpm
libsss_simpleifp-1.12.4-47.el6_7.4.i686.rpm
libsss_simpleifp-1.12.4-47.el6_7.4.x86_64.rpm
libsss_simpleifp-devel-1.12.4-47.el6_7.4.i686.rpm
libsss_simpleifp-devel-1.12.4-47.el6_7.4.x86_64.rpm
sssd-debuginfo-1.12.4-47.el6_7.4.i686.rpm
sssd-debuginfo-1.12.4-47.el6_7.4.x86_64.rpm
sssd-tools-1.12.4-47.el6_7.4.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2015-5292
https://access.redhat.com/security/updates/classification/#low

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
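The two sssd bugs above (BZ#1258398 and BZ#1264098) are the same class of defect: a directory name containing "(" or ")" was placed into an LDAP search filter, or a cache-entry DN used by one, without escaping, so the filter stopped parsing. The Python below is an added illustration, not SSSD or Red Hat code. It implements RFC 4515 assertion-value escaping and a small structural check that makes the failure visible: the raw interpolation produces an unbalanced filter, the escaped one does not. The group name "eng(ops", the filter shape and the helper names are all constructed for the example.

```python
"""RFC 4515 filter-value escaping, shown against the unescaped form.

Added example for the sssd advisory above; not SSSD or Red Hat code.
"""

# Bytes RFC 4515 section 3 requires to be escaped inside an assertion value.
_FILTER_SPECIALS = {ord("*"), ord("("), ord(")"), ord("\\"), 0x00}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP search filter.

    Each special byte becomes a backslash followed by two lowercase hex
    digits. Non-ASCII bytes are escaped the same way, which RFC 4515 permits
    and keeps the result pure ASCII.
    """
    out = []
    for byte in value.encode("utf-8"):
        if byte in _FILTER_SPECIALS or byte > 0x7F:
            out.append("\\%02x" % byte)
        else:
            out.append(chr(byte))
    return "".join(out)


def build_group_filter(group_name: str, escape: bool = True) -> str:
    """Build a constructed group-lookup filter (hypothetical filter shape).

    escape=False reproduces the unsafe pattern, raw interpolation of the
    name, so the two forms can be compared side by side.
    """
    value = escape_filter_value(group_name) if escape else group_name
    return "(&(objectClass=group)(cn=%s))" % value


def filter_is_well_formed(filt: str) -> bool:
    """Minimal structural check: parentheses balanced and properly nested.

    A '\\xx' escape is consumed as one literal byte, so an escaped "(" does
    not open a new level. This is not a full RFC 4515 parser, only the part
    that a stray parenthesis breaks.
    """
    hexdigits = "0123456789abcdefABCDEF"
    depth = 0
    i = 0
    while i < len(filt):
        ch = filt[i]
        if ch == "\\":
            # Need exactly two hex digits after the backslash.
            if i + 2 >= len(filt) or not all(c in hexdigits for c in filt[i + 1:i + 3]):
                return False
            i += 3
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
        i += 1
    return depth == 0


if __name__ == "__main__":
    group = "eng(ops"  # constructed group name containing a filter-special character
    for escaped in (False, True):
        f = build_group_filter(group, escape=escaped)
        label = "escaped" if escaped else "raw"
        print("%-8s %-42s well-formed=%s" % (label, f, filter_is_well_formed(f)))
```

Running it shows the raw filter `(&(objectClass=group)(cn=eng(ops))` failing the check while the escaped `(&(objectClass=group)(cn=eng\28ops))` passes; a real LDAP server or ldb back end rejects the former as a bad filter, which is how an entry simply goes missing from a lookup rather than producing an obvious error.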
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFWQfRcXlSAg2UNWIIRAupdAKC+5kRX5BMSFVTy7uViKFBpkYCQhQCfRdy1
yd0LhWSC5J/NW+7P8jmK3lw=
=DQl1
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Nov 11 11:24:49 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 11 Nov 2015 11:24:49 +0000
Subject: [RHSA-2015:2023-01] Critical: flash-plugin security update
Message-ID: <201511111124.tABBOnHk015379@int-mx10.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: flash-plugin security update
Advisory ID:       RHSA-2015:2023-01
Product:           Red Hat Enterprise Linux Supplementary
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-2023.html
Issue date:        2015-11-11
CVE Names:         CVE-2015-7651 CVE-2015-7652 CVE-2015-7653
                   CVE-2015-7654 CVE-2015-7655 CVE-2015-7656
                   CVE-2015-7657 CVE-2015-7658 CVE-2015-7659
                   CVE-2015-7660 CVE-2015-7661 CVE-2015-7662
                   CVE-2015-7663 CVE-2015-8042 CVE-2015-8043
                   CVE-2015-8044 CVE-2015-8046
=====================================================================

1. Summary:

An updated Adobe Flash Player package that fixes multiple security issues
is now available for Red Hat Enterprise Linux 6 Supplementary.

Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64

3. Description:

The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in.

This update fixes multiple vulnerabilities in Adobe Flash Player. These
vulnerabilities, detailed in the Adobe Security Bulletin APSB15-28 listed
in the References section, could allow an attacker to create a specially
crafted SWF file that would cause flash-plugin to crash, execute arbitrary
code, or disclose sensitive information when the victim loaded a page
containing the malicious SWF content. (CVE-2015-7651, CVE-2015-7652,
CVE-2015-7653, CVE-2015-7654, CVE-2015-7655, CVE-2015-7656, CVE-2015-7657,
CVE-2015-7658, CVE-2015-7659, CVE-2015-7660, CVE-2015-7661, CVE-2015-7662,
CVE-2015-7663, CVE-2015-8042, CVE-2015-8043, CVE-2015-8044, CVE-2015-8046)

All users of Adobe Flash Player should install this updated package, which
upgrades Flash Player to version 11.2.202.548.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1280062 - flash-plugin: multiple code execution issues fixed in APSB15-28

6. Package List:

Red Hat Enterprise Linux Desktop Supplementary (v. 6):

i386:
flash-plugin-11.2.202.548-1.el6_7.i686.rpm

x86_64:
flash-plugin-11.2.202.548-1.el6_7.i686.rpm

Red Hat Enterprise Linux Server Supplementary (v. 6):

i386:
flash-plugin-11.2.202.548-1.el6_7.i686.rpm

x86_64:
flash-plugin-11.2.202.548-1.el6_7.i686.rpm

Red Hat Enterprise Linux Workstation Supplementary (v. 6):

i386:
flash-plugin-11.2.202.548-1.el6_7.i686.rpm

x86_64:
flash-plugin-11.2.202.548-1.el6_7.i686.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2015-7651
https://access.redhat.com/security/cve/CVE-2015-7652
https://access.redhat.com/security/cve/CVE-2015-7653
https://access.redhat.com/security/cve/CVE-2015-7654
https://access.redhat.com/security/cve/CVE-2015-7655
https://access.redhat.com/security/cve/CVE-2015-7656
https://access.redhat.com/security/cve/CVE-2015-7657
https://access.redhat.com/security/cve/CVE-2015-7658
https://access.redhat.com/security/cve/CVE-2015-7659
https://access.redhat.com/security/cve/CVE-2015-7660
https://access.redhat.com/security/cve/CVE-2015-7661
https://access.redhat.com/security/cve/CVE-2015-7662
https://access.redhat.com/security/cve/CVE-2015-7663
https://access.redhat.com/security/cve/CVE-2015-8042
https://access.redhat.com/security/cve/CVE-2015-8043
https://access.redhat.com/security/cve/CVE-2015-8044
https://access.redhat.com/security/cve/CVE-2015-8046
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb15-28.html

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFWQyVTXlSAg2UNWIIRAvDjAJwKgOImEj7zcQ5I39hBWiMAxYluDACdF+vN
A2xUVKrwMjMMezKi8h7ucP4=
=2cUK
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Nov 11 11:25:28 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 11 Nov 2015 11:25:28 +0000
Subject: [RHSA-2015:2024-01] Critical: flash-plugin security update
Message-ID: <201511111125.tABBPShX015642@int-mx10.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: flash-plugin security update
Advisory ID:       RHSA-2015:2024-01
Product:           Red Hat Enterprise Linux Supplementary
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-2024.html
Issue date:        2015-11-11
CVE Names:         CVE-2015-5569 CVE-2015-7625 CVE-2015-7626
                   CVE-2015-7627 CVE-2015-7628 CVE-2015-7629
                   CVE-2015-7630 CVE-2015-7631 CVE-2015-7632
                   CVE-2015-7633 CVE-2015-7634 CVE-2015-7635
                   CVE-2015-7636 CVE-2015-7637 CVE-2015-7638
                   CVE-2015-7639 CVE-2015-7640 CVE-2015-7641
                   CVE-2015-7642 CVE-2015-7643 CVE-2015-7644
                   CVE-2015-7645 CVE-2015-7647 CVE-2015-7648
                   CVE-2015-7651 CVE-2015-7652 CVE-2015-7653
                   CVE-2015-7654 CVE-2015-7655 CVE-2015-7656
                   CVE-2015-7657 CVE-2015-7658 CVE-2015-7659
                   CVE-2015-7660 CVE-2015-7661 CVE-2015-7662
                   CVE-2015-7663 CVE-2015-8042 CVE-2015-8043
                   CVE-2015-8044 CVE-2015-8046
=====================================================================

1. Summary:

An updated Adobe Flash Player package that fixes multiple security issues
is now available for Red Hat Enterprise Linux 5 Supplementary.

Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64

3. Description:

The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in.

This update fixes multiple vulnerabilities in Adobe Flash Player. These
vulnerabilities, detailed in the Adobe Security Bulletins APSB15-25,
APSB15-27, and APSB15-28 listed in the References section, could allow an
attacker to create a specially crafted SWF file that would cause
flash-plugin to crash, execute arbitrary code, or disclose sensitive
information when the victim loaded a page containing the malicious SWF
content. (CVE-2015-5569, CVE-2015-7625, CVE-2015-7626, CVE-2015-7627,
CVE-2015-7628, CVE-2015-7629, CVE-2015-7630, CVE-2015-7631, CVE-2015-7632,
CVE-2015-7633, CVE-2015-7634, CVE-2015-7635, CVE-2015-7636, CVE-2015-7637,
CVE-2015-7638, CVE-2015-7639, CVE-2015-7640, CVE-2015-7641, CVE-2015-7642,
CVE-2015-7643, CVE-2015-7644, CVE-2015-7645, CVE-2015-7647, CVE-2015-7648,
CVE-2015-7651, CVE-2015-7652, CVE-2015-7653, CVE-2015-7654, CVE-2015-7655,
CVE-2015-7656, CVE-2015-7657, CVE-2015-7658, CVE-2015-7659, CVE-2015-7660,
CVE-2015-7661, CVE-2015-7662, CVE-2015-7663, CVE-2015-8042, CVE-2015-8043,
CVE-2015-8044, CVE-2015-8046)

All users of Adobe Flash Player should install this updated package, which
upgrades Flash Player to version 11.2.202.548.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1271383 - flash-plugin: multiple code execution issues fixed in APSB15-25
1271388 - flash-plugin: information leak and hardening fixes in APSB15-25
1271966 - CVE-2015-7645 CVE-2015-7647 CVE-2015-7648 flash-plugin: multiple code execution issue fixed in APSB15-27
1280062 - flash-plugin: multiple code execution issues fixed in APSB15-28

6. Package List:

Red Hat Enterprise Linux Desktop Supplementary (v. 5):

i386:
flash-plugin-11.2.202.548-1.el5.i386.rpm

x86_64:
flash-plugin-11.2.202.548-1.el5.i386.rpm

Red Hat Enterprise Linux Server Supplementary (v. 5):

i386:
flash-plugin-11.2.202.548-1.el5.i386.rpm

x86_64:
flash-plugin-11.2.202.548-1.el5.i386.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2015-5569
https://access.redhat.com/security/cve/CVE-2015-7625
https://access.redhat.com/security/cve/CVE-2015-7626
https://access.redhat.com/security/cve/CVE-2015-7627
https://access.redhat.com/security/cve/CVE-2015-7628
https://access.redhat.com/security/cve/CVE-2015-7629
https://access.redhat.com/security/cve/CVE-2015-7630
https://access.redhat.com/security/cve/CVE-2015-7631
https://access.redhat.com/security/cve/CVE-2015-7632
https://access.redhat.com/security/cve/CVE-2015-7633
https://access.redhat.com/security/cve/CVE-2015-7634
https://access.redhat.com/security/cve/CVE-2015-7635
https://access.redhat.com/security/cve/CVE-2015-7636
https://access.redhat.com/security/cve/CVE-2015-7637
https://access.redhat.com/security/cve/CVE-2015-7638
https://access.redhat.com/security/cve/CVE-2015-7639
https://access.redhat.com/security/cve/CVE-2015-7640
https://access.redhat.com/security/cve/CVE-2015-7641
https://access.redhat.com/security/cve/CVE-2015-7642
https://access.redhat.com/security/cve/CVE-2015-7643
https://access.redhat.com/security/cve/CVE-2015-7644
https://access.redhat.com/security/cve/CVE-2015-7645
https://access.redhat.com/security/cve/CVE-2015-7647
https://access.redhat.com/security/cve/CVE-2015-7648
https://access.redhat.com/security/cve/CVE-2015-7651
https://access.redhat.com/security/cve/CVE-2015-7652
https://access.redhat.com/security/cve/CVE-2015-7653
https://access.redhat.com/security/cve/CVE-2015-7654
https://access.redhat.com/security/cve/CVE-2015-7655
https://access.redhat.com/security/cve/CVE-2015-7656
https://access.redhat.com/security/cve/CVE-2015-7657
https://access.redhat.com/security/cve/CVE-2015-7658
https://access.redhat.com/security/cve/CVE-2015-7659
https://access.redhat.com/security/cve/CVE-2015-7660
https://access.redhat.com/security/cve/CVE-2015-7661
https://access.redhat.com/security/cve/CVE-2015-7662
https://access.redhat.com/security/cve/CVE-2015-7663
https://access.redhat.com/security/cve/CVE-2015-8042
https://access.redhat.com/security/cve/CVE-2015-8043
https://access.redhat.com/security/cve/CVE-2015-8044
https://access.redhat.com/security/cve/CVE-2015-8046
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb15-25.html
https://helpx.adobe.com/security/products/flash-player/apsb15-27.html
https://helpx.adobe.com/security/products/flash-player/apsb15-28.html

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
From bugzilla at redhat.com Mon Nov 16 18:59:05 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 16 Nov 2015 13:59:05 -0500
Subject: [RHSA-2015:2065-01] Important: xen security update
Message-ID: <201511161859.tAGIx5lv023191@int-mx10.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: xen security update
Advisory ID:       RHSA-2015:2065-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-2065.html
Issue date:        2015-11-16
CVE Names:         CVE-2015-5279
=====================================================================

1. Summary:

Updated xen packages that fix one security issue are now available for Red Hat Enterprise Linux 5.

Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

RHEL Desktop Multi OS (v. 5 client) - i386, x86_64
RHEL Virtualization (v. 5 server) - i386, ia64, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64

3. Description:

The xen packages contain administration tools and the xend service for managing the kernel-xen kernel for virtualization on Red Hat Enterprise Linux.

A heap buffer overflow flaw was found in the way QEMU's NE2000 NIC emulation implementation handled certain packets received over the network. A privileged user inside a guest could use this flaw to crash the QEMU instance (denial of service) or potentially execute arbitrary code on the host. (CVE-2015-5279)

Red Hat would like to thank Qinghao Tang of QIHU 360 Inc. for reporting this issue.

All xen users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the updated packages, all running fully-virtualized guests must be restarted for this update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1256672 - CVE-2015-5279 qemu: Heap overflow vulnerability in ne2000_receive() function

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
xen-3.0.3-147.el5_11.src.rpm

i386:
xen-debuginfo-3.0.3-147.el5_11.i386.rpm
xen-libs-3.0.3-147.el5_11.i386.rpm

x86_64:
xen-debuginfo-3.0.3-147.el5_11.i386.rpm
xen-debuginfo-3.0.3-147.el5_11.x86_64.rpm
xen-libs-3.0.3-147.el5_11.i386.rpm
xen-libs-3.0.3-147.el5_11.x86_64.rpm

RHEL Desktop Multi OS (v. 5 client):

Source:
xen-3.0.3-147.el5_11.src.rpm

i386:
xen-3.0.3-147.el5_11.i386.rpm
xen-debuginfo-3.0.3-147.el5_11.i386.rpm
xen-devel-3.0.3-147.el5_11.i386.rpm

x86_64:
xen-3.0.3-147.el5_11.x86_64.rpm
xen-debuginfo-3.0.3-147.el5_11.i386.rpm
xen-debuginfo-3.0.3-147.el5_11.x86_64.rpm
xen-devel-3.0.3-147.el5_11.i386.rpm
xen-devel-3.0.3-147.el5_11.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
xen-3.0.3-147.el5_11.src.rpm

i386:
xen-debuginfo-3.0.3-147.el5_11.i386.rpm
xen-libs-3.0.3-147.el5_11.i386.rpm

ia64:
xen-debuginfo-3.0.3-147.el5_11.ia64.rpm
xen-libs-3.0.3-147.el5_11.ia64.rpm

x86_64:
xen-debuginfo-3.0.3-147.el5_11.i386.rpm
xen-debuginfo-3.0.3-147.el5_11.x86_64.rpm
xen-libs-3.0.3-147.el5_11.i386.rpm
xen-libs-3.0.3-147.el5_11.x86_64.rpm

RHEL Virtualization (v. 5 server):

Source:
xen-3.0.3-147.el5_11.src.rpm

i386:
xen-3.0.3-147.el5_11.i386.rpm
xen-debuginfo-3.0.3-147.el5_11.i386.rpm
xen-devel-3.0.3-147.el5_11.i386.rpm

ia64:
xen-3.0.3-147.el5_11.ia64.rpm
xen-debuginfo-3.0.3-147.el5_11.ia64.rpm
xen-devel-3.0.3-147.el5_11.ia64.rpm

x86_64:
xen-3.0.3-147.el5_11.x86_64.rpm
xen-debuginfo-3.0.3-147.el5_11.i386.rpm
xen-debuginfo-3.0.3-147.el5_11.x86_64.rpm
xen-devel-3.0.3-147.el5_11.i386.rpm
xen-devel-3.0.3-147.el5_11.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2015-5279
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.

From bugzilla at redhat.com Wed Nov 18 06:48:24 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 18 Nov 2015 06:48:24 +0000
Subject: [RHSA-2015:2068-01] Critical: nss, nss-util, and nspr security update
Message-ID: <201511180633.tAI6XlkH021066@int-mx13.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: nss, nss-util, and nspr security update
Advisory ID:       RHSA-2015:2068-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-2068.html
Issue date:        2015-11-18
CVE Names:         CVE-2015-7181 CVE-2015-7182 CVE-2015-7183
=====================================================================

1. Summary:

Updated nss, nss-util, and nspr packages that fix three security issues are now available for Red Hat Enterprise Linux 6.2 and 6.4 Advanced Update Support, and Red Hat Enterprise Linux 6.5 and 6.6 Extended Update Support.

Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AUS (v. 6.2 server) - x86_64
Red Hat Enterprise Linux Compute Node Optional EUS (v. 6.5) - x86_64
Red Hat Enterprise Linux HPC Node EUS (v. 6.5) - x86_64
Red Hat Enterprise Linux HPC Node EUS (v. 6.6) - x86_64
Red Hat Enterprise Linux Server AUS (v. 6.4) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server EUS (v. 6.5) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server EUS (v. 6.6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional AUS (v. 6.2) - x86_64
Red Hat Enterprise Linux Server Optional AUS (v. 6.4) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional EUS (v. 6.5) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional EUS (v. 6.6) - i386, ppc64, s390x, x86_64

3. Description:

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities.

A use-after-poison flaw and a heap-based buffer overflow flaw were found in the way NSS parsed certain ASN.1 structures. An attacker could use these flaws to cause NSS to crash or execute arbitrary code with the permissions of the user running an application compiled against the NSS library. (CVE-2015-7181, CVE-2015-7182)

A heap-based buffer overflow was found in NSPR.
An attacker could use this flaw to cause NSPR to crash or execute arbitrary code with the permissions of the user running an application compiled against the NSPR library. (CVE-2015-7183)

Note: Applications using NSPR's PL_ARENA_ALLOCATE, PR_ARENA_ALLOCATE, PL_ARENA_GROW, or PR_ARENA_GROW macros need to be rebuilt against the fixed nspr packages to completely resolve the CVE-2015-7183 issue. This erratum includes nss and nss-utils packages rebuilt against the fixed nspr version.

Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Tyson Smith, David Keeler, and Ryan Sleevi as the original reporters.

All nss, nss-util, and nspr users are advised to upgrade to these updated packages, which contain backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1269345 - CVE-2015-7181 nss: use-after-poison in sec_asn1d_parse_leaf() (MFSA 2015-133)
1269351 - CVE-2015-7182 nss: ASN.1 decoder heap overflow when decoding constructed OCTET STRING that mixes indefinite and definite length encodings (MFSA 2015-133)
1269353 - CVE-2015-7183 nspr: heap-buffer overflow in PL_ARENA_ALLOCATE (MFSA 2015-133)

6. Package List:

Red Hat Enterprise Linux HPC Node EUS (v. 6.5):

Source:
nspr-4.10.6-2.el6_5.src.rpm
nss-3.16.1-9.el6_5.src.rpm
nss-util-3.16.1-3.el6_5.src.rpm

x86_64:
nspr-4.10.6-2.el6_5.i686.rpm
nspr-4.10.6-2.el6_5.x86_64.rpm
nspr-debuginfo-4.10.6-2.el6_5.i686.rpm
nspr-debuginfo-4.10.6-2.el6_5.x86_64.rpm
nss-3.16.1-9.el6_5.i686.rpm
nss-3.16.1-9.el6_5.x86_64.rpm
nss-debuginfo-3.16.1-9.el6_5.i686.rpm
nss-debuginfo-3.16.1-9.el6_5.x86_64.rpm
nss-sysinit-3.16.1-9.el6_5.x86_64.rpm
nss-tools-3.16.1-9.el6_5.x86_64.rpm
nss-util-3.16.1-3.el6_5.i686.rpm
nss-util-3.16.1-3.el6_5.x86_64.rpm
nss-util-debuginfo-3.16.1-3.el6_5.i686.rpm
nss-util-debuginfo-3.16.1-3.el6_5.x86_64.rpm

Red Hat Enterprise Linux HPC Node EUS (v. 6.6):

Source:
nspr-4.10.8-2.el6_6.src.rpm
nss-3.19.1-4.el6_6.src.rpm
nss-util-3.19.1-2.el6_6.src.rpm

x86_64:
nspr-4.10.8-2.el6_6.i686.rpm
nspr-4.10.8-2.el6_6.x86_64.rpm
nspr-debuginfo-4.10.8-2.el6_6.i686.rpm
nspr-debuginfo-4.10.8-2.el6_6.x86_64.rpm
nss-3.19.1-4.el6_6.i686.rpm
nss-3.19.1-4.el6_6.x86_64.rpm
nss-debuginfo-3.19.1-4.el6_6.i686.rpm
nss-debuginfo-3.19.1-4.el6_6.x86_64.rpm
nss-sysinit-3.19.1-4.el6_6.x86_64.rpm
nss-tools-3.19.1-4.el6_6.x86_64.rpm
nss-util-3.19.1-2.el6_6.i686.rpm
nss-util-3.19.1-2.el6_6.x86_64.rpm
nss-util-debuginfo-3.19.1-2.el6_6.i686.rpm
nss-util-debuginfo-3.19.1-2.el6_6.x86_64.rpm

Red Hat Enterprise Linux Compute Node Optional EUS (v. 6.5):

Source:
nspr-4.10.6-2.el6_5.src.rpm
nss-3.16.1-9.el6_5.src.rpm
nss-util-3.16.1-3.el6_5.src.rpm

x86_64:
nspr-debuginfo-4.10.6-2.el6_5.i686.rpm
nspr-debuginfo-4.10.6-2.el6_5.x86_64.rpm
nspr-devel-4.10.6-2.el6_5.i686.rpm
nspr-devel-4.10.6-2.el6_5.x86_64.rpm
nss-debuginfo-3.16.1-9.el6_5.i686.rpm
nss-debuginfo-3.16.1-9.el6_5.x86_64.rpm
nss-devel-3.16.1-9.el6_5.i686.rpm
nss-devel-3.16.1-9.el6_5.x86_64.rpm
nss-pkcs11-devel-3.16.1-9.el6_5.i686.rpm
nss-pkcs11-devel-3.16.1-9.el6_5.x86_64.rpm
nss-util-debuginfo-3.16.1-3.el6_5.i686.rpm
nss-util-debuginfo-3.16.1-3.el6_5.x86_64.rpm
nss-util-devel-3.16.1-3.el6_5.i686.rpm
nss-util-devel-3.16.1-3.el6_5.x86_64.rpm

Red Hat Enterprise Linux Compute Node Optional EUS (v. 6.5):

x86_64:
nspr-debuginfo-4.10.8-2.el6_6.i686.rpm
nspr-debuginfo-4.10.8-2.el6_6.x86_64.rpm
nspr-devel-4.10.8-2.el6_6.i686.rpm
nspr-devel-4.10.8-2.el6_6.x86_64.rpm
nss-debuginfo-3.19.1-4.el6_6.i686.rpm
nss-debuginfo-3.19.1-4.el6_6.x86_64.rpm
nss-devel-3.19.1-4.el6_6.i686.rpm
nss-devel-3.19.1-4.el6_6.x86_64.rpm
nss-pkcs11-devel-3.19.1-4.el6_6.i686.rpm
nss-pkcs11-devel-3.19.1-4.el6_6.x86_64.rpm
nss-util-debuginfo-3.19.1-2.el6_6.i686.rpm
nss-util-debuginfo-3.19.1-2.el6_6.x86_64.rpm
nss-util-devel-3.19.1-2.el6_6.i686.rpm
nss-util-devel-3.19.1-2.el6_6.x86_64.rpm

Red Hat Enterprise Linux AUS (v. 6.2 server):

Source:
nspr-4.8.9-6.el6_2.src.rpm
nss-3.13.1-12.el6_2.src.rpm
nss-util-3.13.1-9.el6_2.src.rpm

x86_64:
nspr-4.8.9-6.el6_2.i686.rpm
nspr-4.8.9-6.el6_2.x86_64.rpm
nspr-debuginfo-4.8.9-6.el6_2.i686.rpm
nspr-debuginfo-4.8.9-6.el6_2.x86_64.rpm
nspr-devel-4.8.9-6.el6_2.i686.rpm
nspr-devel-4.8.9-6.el6_2.x86_64.rpm
nss-3.13.1-12.el6_2.i686.rpm
nss-3.13.1-12.el6_2.x86_64.rpm
nss-debuginfo-3.13.1-12.el6_2.i686.rpm
nss-debuginfo-3.13.1-12.el6_2.x86_64.rpm
nss-devel-3.13.1-12.el6_2.i686.rpm
nss-devel-3.13.1-12.el6_2.x86_64.rpm
nss-sysinit-3.13.1-12.el6_2.x86_64.rpm
nss-tools-3.13.1-12.el6_2.x86_64.rpm
nss-util-3.13.1-9.el6_2.i686.rpm
nss-util-3.13.1-9.el6_2.x86_64.rpm
nss-util-debuginfo-3.13.1-9.el6_2.i686.rpm
nss-util-debuginfo-3.13.1-9.el6_2.x86_64.rpm
nss-util-devel-3.13.1-9.el6_2.i686.rpm
nss-util-devel-3.13.1-9.el6_2.x86_64.rpm

Red Hat Enterprise Linux Server AUS (v. 6.4):

Source:
nspr-4.9.5-5.el6_4.src.rpm
nss-3.14.3-9.el6_4.src.rpm
nss-util-3.14.3-7.el6_4.src.rpm

i386:
nspr-4.9.5-5.el6_4.i686.rpm
nspr-debuginfo-4.9.5-5.el6_4.i686.rpm
nspr-devel-4.9.5-5.el6_4.i686.rpm
nss-3.14.3-9.el6_4.i686.rpm
nss-debuginfo-3.14.3-9.el6_4.i686.rpm
nss-devel-3.14.3-9.el6_4.i686.rpm
nss-sysinit-3.14.3-9.el6_4.i686.rpm
nss-tools-3.14.3-9.el6_4.i686.rpm
nss-util-3.14.3-7.el6_4.i686.rpm
nss-util-debuginfo-3.14.3-7.el6_4.i686.rpm
nss-util-devel-3.14.3-7.el6_4.i686.rpm

ppc64:
nspr-4.9.5-5.el6_4.ppc.rpm
nspr-4.9.5-5.el6_4.ppc64.rpm
nspr-debuginfo-4.9.5-5.el6_4.ppc.rpm
nspr-debuginfo-4.9.5-5.el6_4.ppc64.rpm
nspr-devel-4.9.5-5.el6_4.ppc.rpm
nspr-devel-4.9.5-5.el6_4.ppc64.rpm
nss-3.14.3-9.el6_4.ppc.rpm
nss-3.14.3-9.el6_4.ppc64.rpm
nss-debuginfo-3.14.3-9.el6_4.ppc.rpm
nss-debuginfo-3.14.3-9.el6_4.ppc64.rpm
nss-devel-3.14.3-9.el6_4.ppc.rpm
nss-devel-3.14.3-9.el6_4.ppc64.rpm
nss-sysinit-3.14.3-9.el6_4.ppc64.rpm
nss-tools-3.14.3-9.el6_4.ppc64.rpm
nss-util-3.14.3-7.el6_4.ppc.rpm
nss-util-3.14.3-7.el6_4.ppc64.rpm
nss-util-debuginfo-3.14.3-7.el6_4.ppc.rpm
nss-util-debuginfo-3.14.3-7.el6_4.ppc64.rpm
nss-util-devel-3.14.3-7.el6_4.ppc.rpm
nss-util-devel-3.14.3-7.el6_4.ppc64.rpm

s390x:
nspr-4.9.5-5.el6_4.s390.rpm
nspr-4.9.5-5.el6_4.s390x.rpm
nspr-debuginfo-4.9.5-5.el6_4.s390.rpm
nspr-debuginfo-4.9.5-5.el6_4.s390x.rpm
nspr-devel-4.9.5-5.el6_4.s390.rpm
nspr-devel-4.9.5-5.el6_4.s390x.rpm
nss-3.14.3-9.el6_4.s390.rpm
nss-3.14.3-9.el6_4.s390x.rpm
nss-debuginfo-3.14.3-9.el6_4.s390.rpm
nss-debuginfo-3.14.3-9.el6_4.s390x.rpm
nss-devel-3.14.3-9.el6_4.s390.rpm
nss-devel-3.14.3-9.el6_4.s390x.rpm
nss-sysinit-3.14.3-9.el6_4.s390x.rpm
nss-tools-3.14.3-9.el6_4.s390x.rpm
nss-util-3.14.3-7.el6_4.s390.rpm
nss-util-3.14.3-7.el6_4.s390x.rpm
nss-util-debuginfo-3.14.3-7.el6_4.s390.rpm
nss-util-debuginfo-3.14.3-7.el6_4.s390x.rpm
nss-util-devel-3.14.3-7.el6_4.s390.rpm
nss-util-devel-3.14.3-7.el6_4.s390x.rpm

x86_64:
nspr-4.9.5-5.el6_4.i686.rpm
nspr-4.9.5-5.el6_4.x86_64.rpm
nspr-debuginfo-4.9.5-5.el6_4.i686.rpm
nspr-debuginfo-4.9.5-5.el6_4.x86_64.rpm
nspr-devel-4.9.5-5.el6_4.i686.rpm
nspr-devel-4.9.5-5.el6_4.x86_64.rpm
nss-3.14.3-9.el6_4.i686.rpm
nss-3.14.3-9.el6_4.x86_64.rpm
nss-debuginfo-3.14.3-9.el6_4.i686.rpm
nss-debuginfo-3.14.3-9.el6_4.x86_64.rpm
nss-devel-3.14.3-9.el6_4.i686.rpm
nss-devel-3.14.3-9.el6_4.x86_64.rpm
nss-sysinit-3.14.3-9.el6_4.x86_64.rpm
nss-tools-3.14.3-9.el6_4.x86_64.rpm
nss-util-3.14.3-7.el6_4.i686.rpm
nss-util-3.14.3-7.el6_4.x86_64.rpm
nss-util-debuginfo-3.14.3-7.el6_4.i686.rpm
nss-util-debuginfo-3.14.3-7.el6_4.x86_64.rpm
nss-util-devel-3.14.3-7.el6_4.i686.rpm
nss-util-devel-3.14.3-7.el6_4.x86_64.rpm

Red Hat Enterprise Linux Server EUS (v. 6.5):

Source:
nspr-4.10.6-2.el6_5.src.rpm
nss-3.16.1-9.el6_5.src.rpm
nss-util-3.16.1-3.el6_5.src.rpm

i386:
nspr-4.10.6-2.el6_5.i686.rpm
nspr-debuginfo-4.10.6-2.el6_5.i686.rpm
nspr-devel-4.10.6-2.el6_5.i686.rpm
nss-3.16.1-9.el6_5.i686.rpm
nss-debuginfo-3.16.1-9.el6_5.i686.rpm
nss-devel-3.16.1-9.el6_5.i686.rpm
nss-sysinit-3.16.1-9.el6_5.i686.rpm
nss-tools-3.16.1-9.el6_5.i686.rpm
nss-util-3.16.1-3.el6_5.i686.rpm
nss-util-debuginfo-3.16.1-3.el6_5.i686.rpm
nss-util-devel-3.16.1-3.el6_5.i686.rpm

ppc64:
nspr-4.10.6-2.el6_5.ppc.rpm
nspr-4.10.6-2.el6_5.ppc64.rpm
nspr-debuginfo-4.10.6-2.el6_5.ppc.rpm
nspr-debuginfo-4.10.6-2.el6_5.ppc64.rpm
nspr-devel-4.10.6-2.el6_5.ppc.rpm
nspr-devel-4.10.6-2.el6_5.ppc64.rpm
nss-3.16.1-9.el6_5.ppc.rpm
nss-3.16.1-9.el6_5.ppc64.rpm
nss-debuginfo-3.16.1-9.el6_5.ppc.rpm
nss-debuginfo-3.16.1-9.el6_5.ppc64.rpm
nss-devel-3.16.1-9.el6_5.ppc.rpm
nss-devel-3.16.1-9.el6_5.ppc64.rpm
nss-sysinit-3.16.1-9.el6_5.ppc64.rpm
nss-tools-3.16.1-9.el6_5.ppc64.rpm
nss-util-3.16.1-3.el6_5.ppc.rpm
nss-util-3.16.1-3.el6_5.ppc64.rpm
nss-util-debuginfo-3.16.1-3.el6_5.ppc.rpm
nss-util-debuginfo-3.16.1-3.el6_5.ppc64.rpm
nss-util-devel-3.16.1-3.el6_5.ppc.rpm
nss-util-devel-3.16.1-3.el6_5.ppc64.rpm

s390x:
nspr-4.10.6-2.el6_5.s390.rpm
nspr-4.10.6-2.el6_5.s390x.rpm
nspr-debuginfo-4.10.6-2.el6_5.s390.rpm
nspr-debuginfo-4.10.6-2.el6_5.s390x.rpm
nspr-devel-4.10.6-2.el6_5.s390.rpm
nspr-devel-4.10.6-2.el6_5.s390x.rpm
nss-3.16.1-9.el6_5.s390.rpm
nss-3.16.1-9.el6_5.s390x.rpm
nss-debuginfo-3.16.1-9.el6_5.s390.rpm
nss-debuginfo-3.16.1-9.el6_5.s390x.rpm
nss-devel-3.16.1-9.el6_5.s390.rpm
nss-devel-3.16.1-9.el6_5.s390x.rpm
nss-sysinit-3.16.1-9.el6_5.s390x.rpm
nss-tools-3.16.1-9.el6_5.s390x.rpm
nss-util-3.16.1-3.el6_5.s390.rpm
nss-util-3.16.1-3.el6_5.s390x.rpm
nss-util-debuginfo-3.16.1-3.el6_5.s390.rpm
nss-util-debuginfo-3.16.1-3.el6_5.s390x.rpm
nss-util-devel-3.16.1-3.el6_5.s390.rpm
nss-util-devel-3.16.1-3.el6_5.s390x.rpm

x86_64:
nspr-4.10.6-2.el6_5.i686.rpm
nspr-4.10.6-2.el6_5.x86_64.rpm
nspr-debuginfo-4.10.6-2.el6_5.i686.rpm
nspr-debuginfo-4.10.6-2.el6_5.x86_64.rpm
nspr-devel-4.10.6-2.el6_5.i686.rpm
nspr-devel-4.10.6-2.el6_5.x86_64.rpm
nss-3.16.1-9.el6_5.i686.rpm
nss-3.16.1-9.el6_5.x86_64.rpm
nss-debuginfo-3.16.1-9.el6_5.i686.rpm
nss-debuginfo-3.16.1-9.el6_5.x86_64.rpm
nss-devel-3.16.1-9.el6_5.i686.rpm
nss-devel-3.16.1-9.el6_5.x86_64.rpm
nss-sysinit-3.16.1-9.el6_5.x86_64.rpm
nss-tools-3.16.1-9.el6_5.x86_64.rpm
nss-util-3.16.1-3.el6_5.i686.rpm
nss-util-3.16.1-3.el6_5.x86_64.rpm
nss-util-debuginfo-3.16.1-3.el6_5.i686.rpm
nss-util-debuginfo-3.16.1-3.el6_5.x86_64.rpm
nss-util-devel-3.16.1-3.el6_5.i686.rpm
nss-util-devel-3.16.1-3.el6_5.x86_64.rpm

Red Hat Enterprise Linux Server EUS (v. 6.6):

Source:
nspr-4.10.8-2.el6_6.src.rpm
nss-3.19.1-4.el6_6.src.rpm
nss-util-3.19.1-2.el6_6.src.rpm

i386:
nspr-4.10.8-2.el6_6.i686.rpm
nspr-debuginfo-4.10.8-2.el6_6.i686.rpm
nspr-devel-4.10.8-2.el6_6.i686.rpm
nss-3.19.1-4.el6_6.i686.rpm
nss-debuginfo-3.19.1-4.el6_6.i686.rpm
nss-devel-3.19.1-4.el6_6.i686.rpm
nss-sysinit-3.19.1-4.el6_6.i686.rpm
nss-tools-3.19.1-4.el6_6.i686.rpm
nss-util-3.19.1-2.el6_6.i686.rpm
nss-util-debuginfo-3.19.1-2.el6_6.i686.rpm
nss-util-devel-3.19.1-2.el6_6.i686.rpm

ppc64:
nspr-4.10.8-2.el6_6.ppc.rpm
nspr-4.10.8-2.el6_6.ppc64.rpm
nspr-debuginfo-4.10.8-2.el6_6.ppc.rpm
nspr-debuginfo-4.10.8-2.el6_6.ppc64.rpm
nspr-devel-4.10.8-2.el6_6.ppc.rpm
nspr-devel-4.10.8-2.el6_6.ppc64.rpm
nss-3.19.1-4.el6_6.ppc.rpm
nss-3.19.1-4.el6_6.ppc64.rpm
nss-debuginfo-3.19.1-4.el6_6.ppc.rpm
nss-debuginfo-3.19.1-4.el6_6.ppc64.rpm
nss-devel-3.19.1-4.el6_6.ppc.rpm
nss-devel-3.19.1-4.el6_6.ppc64.rpm
nss-sysinit-3.19.1-4.el6_6.ppc64.rpm
nss-tools-3.19.1-4.el6_6.ppc64.rpm
nss-util-3.19.1-2.el6_6.ppc.rpm
nss-util-3.19.1-2.el6_6.ppc64.rpm
nss-util-debuginfo-3.19.1-2.el6_6.ppc.rpm
nss-util-debuginfo-3.19.1-2.el6_6.ppc64.rpm
nss-util-devel-3.19.1-2.el6_6.ppc.rpm
nss-util-devel-3.19.1-2.el6_6.ppc64.rpm

s390x:
nspr-4.10.8-2.el6_6.s390.rpm
nspr-4.10.8-2.el6_6.s390x.rpm
nspr-debuginfo-4.10.8-2.el6_6.s390.rpm
nspr-debuginfo-4.10.8-2.el6_6.s390x.rpm
nspr-devel-4.10.8-2.el6_6.s390.rpm
nspr-devel-4.10.8-2.el6_6.s390x.rpm
nss-3.19.1-4.el6_6.s390.rpm
nss-3.19.1-4.el6_6.s390x.rpm
nss-debuginfo-3.19.1-4.el6_6.s390.rpm
nss-debuginfo-3.19.1-4.el6_6.s390x.rpm
nss-devel-3.19.1-4.el6_6.s390.rpm
nss-devel-3.19.1-4.el6_6.s390x.rpm
nss-sysinit-3.19.1-4.el6_6.s390x.rpm
nss-tools-3.19.1-4.el6_6.s390x.rpm
nss-util-3.19.1-2.el6_6.s390.rpm
nss-util-3.19.1-2.el6_6.s390x.rpm
nss-util-debuginfo-3.19.1-2.el6_6.s390.rpm
nss-util-debuginfo-3.19.1-2.el6_6.s390x.rpm
nss-util-devel-3.19.1-2.el6_6.s390.rpm
nss-util-devel-3.19.1-2.el6_6.s390x.rpm

x86_64:
nspr-4.10.8-2.el6_6.i686.rpm
nspr-4.10.8-2.el6_6.x86_64.rpm
nspr-debuginfo-4.10.8-2.el6_6.i686.rpm
nspr-debuginfo-4.10.8-2.el6_6.x86_64.rpm
nspr-devel-4.10.8-2.el6_6.i686.rpm
nspr-devel-4.10.8-2.el6_6.x86_64.rpm
nss-3.19.1-4.el6_6.i686.rpm
nss-3.19.1-4.el6_6.x86_64.rpm
nss-debuginfo-3.19.1-4.el6_6.i686.rpm
nss-debuginfo-3.19.1-4.el6_6.x86_64.rpm
nss-devel-3.19.1-4.el6_6.i686.rpm
nss-devel-3.19.1-4.el6_6.x86_64.rpm
nss-sysinit-3.19.1-4.el6_6.x86_64.rpm
nss-tools-3.19.1-4.el6_6.x86_64.rpm
nss-util-3.19.1-2.el6_6.i686.rpm
nss-util-3.19.1-2.el6_6.x86_64.rpm
nss-util-debuginfo-3.19.1-2.el6_6.i686.rpm
nss-util-debuginfo-3.19.1-2.el6_6.x86_64.rpm
nss-util-devel-3.19.1-2.el6_6.i686.rpm
nss-util-devel-3.19.1-2.el6_6.x86_64.rpm

Red Hat Enterprise Linux Server Optional AUS (v. 6.2):

Source:
nss-3.13.1-12.el6_2.src.rpm

x86_64:
nss-debuginfo-3.13.1-12.el6_2.i686.rpm
nss-debuginfo-3.13.1-12.el6_2.x86_64.rpm
nss-pkcs11-devel-3.13.1-12.el6_2.i686.rpm
nss-pkcs11-devel-3.13.1-12.el6_2.x86_64.rpm

Red Hat Enterprise Linux Server Optional AUS (v. 6.4):

Source:
nss-3.14.3-9.el6_4.src.rpm

i386:
nss-debuginfo-3.14.3-9.el6_4.i686.rpm
nss-pkcs11-devel-3.14.3-9.el6_4.i686.rpm

ppc64:
nss-debuginfo-3.14.3-9.el6_4.ppc.rpm
nss-debuginfo-3.14.3-9.el6_4.ppc64.rpm
nss-pkcs11-devel-3.14.3-9.el6_4.ppc.rpm
nss-pkcs11-devel-3.14.3-9.el6_4.ppc64.rpm

s390x:
nss-debuginfo-3.14.3-9.el6_4.s390.rpm
nss-debuginfo-3.14.3-9.el6_4.s390x.rpm
nss-pkcs11-devel-3.14.3-9.el6_4.s390.rpm
nss-pkcs11-devel-3.14.3-9.el6_4.s390x.rpm

x86_64:
nss-debuginfo-3.14.3-9.el6_4.i686.rpm
nss-debuginfo-3.14.3-9.el6_4.x86_64.rpm
nss-pkcs11-devel-3.14.3-9.el6_4.i686.rpm
nss-pkcs11-devel-3.14.3-9.el6_4.x86_64.rpm

Red Hat Enterprise Linux Server Optional EUS (v. 6.5):

Source:
nss-3.16.1-9.el6_5.src.rpm

i386:
nss-debuginfo-3.16.1-9.el6_5.i686.rpm
nss-pkcs11-devel-3.16.1-9.el6_5.i686.rpm

ppc64:
nss-debuginfo-3.16.1-9.el6_5.ppc.rpm
nss-debuginfo-3.16.1-9.el6_5.ppc64.rpm
nss-pkcs11-devel-3.16.1-9.el6_5.ppc.rpm
nss-pkcs11-devel-3.16.1-9.el6_5.ppc64.rpm

s390x:
nss-debuginfo-3.16.1-9.el6_5.s390.rpm
nss-debuginfo-3.16.1-9.el6_5.s390x.rpm
nss-pkcs11-devel-3.16.1-9.el6_5.s390.rpm
nss-pkcs11-devel-3.16.1-9.el6_5.s390x.rpm

x86_64:
nss-debuginfo-3.16.1-9.el6_5.i686.rpm
nss-debuginfo-3.16.1-9.el6_5.x86_64.rpm
nss-pkcs11-devel-3.16.1-9.el6_5.i686.rpm
nss-pkcs11-devel-3.16.1-9.el6_5.x86_64.rpm

Red Hat Enterprise Linux Server Optional EUS (v. 6.6):

i386:
nss-debuginfo-3.19.1-4.el6_6.i686.rpm
nss-pkcs11-devel-3.19.1-4.el6_6.i686.rpm

ppc64:
nss-debuginfo-3.19.1-4.el6_6.ppc.rpm
nss-debuginfo-3.19.1-4.el6_6.ppc64.rpm
nss-pkcs11-devel-3.19.1-4.el6_6.ppc.rpm
nss-pkcs11-devel-3.19.1-4.el6_6.ppc64.rpm

s390x:
nss-debuginfo-3.19.1-4.el6_6.s390.rpm
nss-debuginfo-3.19.1-4.el6_6.s390x.rpm
nss-pkcs11-devel-3.19.1-4.el6_6.s390.rpm
nss-pkcs11-devel-3.19.1-4.el6_6.s390x.rpm

x86_64:
nss-debuginfo-3.19.1-4.el6_6.i686.rpm
nss-debuginfo-3.19.1-4.el6_6.x86_64.rpm
nss-pkcs11-devel-3.19.1-4.el6_6.i686.rpm
nss-pkcs11-devel-3.19.1-4.el6_6.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2015-7181
https://access.redhat.com/security/cve/CVE-2015-7182
https://access.redhat.com/security/cve/CVE-2015-7183
https://access.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
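Section 4 of the nss/nss-util/nspr advisory says to apply the update and section 6 lists the fixed builds per AUS/EUS stream; the script below is an added example, not part of the advisory, that checks `rpm -q` output against those builds. It keys the comparison on the dist tag (el6_2, el6_4, el6_5, el6_6) because every stream has its own fixed build: nss-3.16.1-9.el6_5 is fixed while nss-3.19.1-3.el6_6 is not, even though the latter carries the higher NSS version. The query format string and the sample output are constructed; on a real host feed it `rpm -q --qf '%{NAME} %{VERSION} %{RELEASE}\n' nspr nss nss-util`.

```python
import re

# Fixed (version, release) of each package per RHEL 6 AUS/EUS stream, keyed by
# dist tag, copied from section 6 (Package List) of RHSA-2015:2068.
FIXED = {
    "el6_2": {"nspr": ("4.8.9", "6.el6_2"), "nss": ("3.13.1", "12.el6_2"),
              "nss-util": ("3.13.1", "9.el6_2")},
    "el6_4": {"nspr": ("4.9.5", "5.el6_4"), "nss": ("3.14.3", "9.el6_4"),
              "nss-util": ("3.14.3", "7.el6_4")},
    "el6_5": {"nspr": ("4.10.6", "2.el6_5"), "nss": ("3.16.1", "9.el6_5"),
              "nss-util": ("3.16.1", "3.el6_5")},
    "el6_6": {"nspr": ("4.10.8", "2.el6_6"), "nss": ("3.19.1", "4.el6_6"),
              "nss-util": ("3.19.1", "2.el6_6")},
}

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+|~")


def rpmvercmp(a, b):
    """rpm's ordering for version/release strings: digit runs compare
    numerically, letter runs lexically, digits beat letters, '~' sorts
    before anything (1.0~rc1 < 1.0), and a longer string beats its prefix.
    Returns -1, 0 or 1."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x == "~" or y == "~":
            return -1 if x == "~" else 1
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num and y_num:
            return (int(x) > int(y)) - (int(x) < int(y))
        if x_num != y_num:
            return 1 if x_num else -1
        return (x > y) - (x < y)
    if len(sa) == len(sb):
        return 0
    a_longer = len(sa) > len(sb)
    extra = sa[len(sb)] if a_longer else sb[len(sa)]
    if extra == "~":  # a trailing '~' segment makes the longer string older
        return -1 if a_longer else 1
    return 1 if a_longer else -1


def vr_cmp(x, y):
    """Compare (version, release) pairs; release only breaks version ties."""
    c = rpmvercmp(x[0], y[0])
    return c if c else rpmvercmp(x[1], y[1])


def parse_rpm_q(output):
    """Parse `rpm -q --qf '%{NAME} %{VERSION} %{RELEASE}\\n' nspr nss nss-util`.
    'package X is not installed' lines are skipped; when a name appears twice
    (i686 and x86_64 both installed) the lowest build is kept, since that is
    the one that decides whether the host is still exposed."""
    pkgs = {}
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("package ") and line.endswith("is not installed"):
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError("unexpected rpm -q output line: %r" % line)
        name, vr = parts[0], (parts[1], parts[2])
        if name not in pkgs or vr_cmp(vr, pkgs[name]) < 0:
            pkgs[name] = vr
    return pkgs


def stream_of(release):
    """Dist tag naming the AUS/EUS stream, e.g. '9.el6_5' -> 'el6_5'."""
    m = re.search(r"(el6_\d+)$", release)
    return m.group(1) if m else None


def check(pkgs):
    """Map each installed package to 'fixed', 'vulnerable' or 'unknown-stream'.
    The comparison stays within the package's own stream, so a 6.5 EUS host at
    nss-3.16.1-9.el6_5 is fixed while a 6.6 EUS host at nss-3.19.1-3.el6_6 is
    not, even though the latter carries the higher NSS version."""
    status = {}
    for name, vr in pkgs.items():
        fixed = FIXED.get(stream_of(vr[1]), {}).get(name)
        if fixed is None:
            status[name] = "unknown-stream"
        else:
            status[name] = "fixed" if vr_cmp(vr, fixed) >= 0 else "vulnerable"
    return status


# Constructed sample of the rpm query above on a RHEL 6.6 EUS host whose nss
# build is one release behind the fix (both arches of nspr are installed).
SAMPLE_RPM_Q = """\
nspr 4.10.8 2.el6_6
nspr 4.10.8 2.el6_6
nss 3.19.1 3.el6_6
nss-util 3.19.1 2.el6_6
"""

if __name__ == "__main__":
    for name, state in sorted(check(parse_rpm_q(SAMPLE_RPM_Q)).items()):
        print("%-9s %s" % (name, state))
```

A "fixed" result for nspr still leaves the note in section 3 in force: applications that use the PL_ARENA_ALLOCATE, PR_ARENA_ALLOCATE, PL_ARENA_GROW or PR_ARENA_GROW macros must themselves be rebuilt against the fixed nspr, which a package-version check cannot see.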
From bugzilla at redhat.com Wed Nov 18 17:27:06 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 18 Nov 2015 12:27:06 -0500
Subject: [RHSA-2015:2086-01] Important: java-1.6.0-openjdk security update
Message-ID: <201511181727.tAIHR6ql013823@int-mx11.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: java-1.6.0-openjdk security update
Advisory ID:       RHSA-2015:2086-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-2086.html
Issue date:        2015-11-18
CVE Names:         CVE-2015-4734 CVE-2015-4803 CVE-2015-4805
                   CVE-2015-4806 CVE-2015-4835 CVE-2015-4842
                   CVE-2015-4843 CVE-2015-4844 CVE-2015-4860
                   CVE-2015-4872 CVE-2015-4881 CVE-2015-4882
                   CVE-2015-4883 CVE-2015-4893 CVE-2015-4903
                   CVE-2015-4911
=====================================================================

1. Summary:

Updated java-1.6.0-openjdk packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5, 6, and 7.

Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux (v. 5 server) - i386, x86_64
Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Java Software Development Kit.

Multiple flaws were discovered in the CORBA, Libraries, RMI, Serialization, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. (CVE-2015-4835, CVE-2015-4881, CVE-2015-4843, CVE-2015-4883, CVE-2015-4860, CVE-2015-4805, CVE-2015-4844)

Multiple denial of service flaws were found in the JAXP component in OpenJDK. A specially crafted XML file could cause a Java application using JAXP to consume an excessive amount of CPU and memory when parsed. (CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)

It was discovered that the Security component in OpenJDK failed to properly check if a certificate satisfied all defined constraints. In certain cases, this could cause a Java application to accept an X.509 certificate which does not meet requirements of the defined policy. (CVE-2015-4872)

Multiple flaws were found in the Libraries, CORBA, JAXP, JGSS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2015-4806, CVE-2015-4882, CVE-2015-4842, CVE-2015-4734, CVE-2015-4903)

Red Hat would like to thank Andrea Palazzo of Truel IT for reporting the CVE-2015-4806 issue.

All users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1233687 - CVE-2015-4806 OpenJDK: HttpURLConnection header restriction bypass (Libraries, 8130193)
1273022 - CVE-2015-4835 OpenJDK: insufficient permission checks in StubGenerator (CORBA, 8076383)
1273027 - CVE-2015-4881 OpenJDK: missing type checks in IIOPInputStream (CORBA, 8076392)
1273053 - CVE-2015-4843 OpenJDK: java.nio Buffers integer overflow issues (Libraries, 8130891)
1273304 - CVE-2015-4883 OpenJDK: incorrect access control context used in DGCClient (RMI, 8076413)
1273308 - CVE-2015-4860 OpenJDK: incorrect access control context used in DGCImpl (RMI, 8080688)
1273311 - CVE-2015-4805 OpenJDK: missing checks for proper initialization in ObjectStreamClass (Serialization, 8103671)
1273318 - CVE-2015-4844 ICU: missing boundary checks in layout engine (OpenJDK 2D, 8132042)
1273414 - CVE-2015-4882 OpenJDK: incorrect String object deserialization in IIOPInputStream (CORBA, 8076387)
1273425 - CVE-2015-4842 OpenJDK: leak of user.dir location (JAXP, 8078427)
1273430 - CVE-2015-4734 OpenJDK: kerberos realm name leak (JGSS, 8048030)
1273496 - CVE-2015-4903 OpenJDK: insufficient proxy class checks in RemoteObjectInvocationHandler (RMI, 8076339)
1273637 - CVE-2015-4803 OpenJDK: inefficient use of hash tables and lists during XML parsing (JAXP, 8068842)
1273638 - CVE-2015-4893 OpenJDK: incomplete MaxXMLNameLimit enforcement (JAXP, 8086733)
1273645 -
CVE-2015-4911 OpenJDK: incomplete supportDTD enforcement (JAXP, 8130078)
1273734 - CVE-2015-4872 OpenJDK: incomplete constraints enforcement by AlgorithmChecker (Security, 8131291)

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
java-1.6.0-openjdk-1.6.0.37-1.13.9.4.el5_11.src.rpm

i386:
java-1.6.0-openjdk-1.6.0.37-1.13.9.4.el5_11.i386.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.37-1.13.9.4.el5_11.i386.rpm
java-1.6.0-openjdk-demo-1.6.0.37-1.13.9.4.el5_11.i386.rpm
java-1.6.0-openjdk-devel-1.6.0.37-1.13.9.4.el5_11.i386.rpm
java-1.6.0-openjdk-javadoc-1.6.0.37-1.13.9.4.el5_11.i386.rpm
java-1.6.0-openjdk-src-1.6.0.37-1.13.9.4.el5_11.i386.rpm

x86_64:
java-1.6.0-openjdk-1.6.0.37-1.13.9.4.el5_11.x86_64.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.37-1.13.9.4.el5_11.x86_64.rpm
java-1.6.0-openjdk-demo-1.6.0.37-1.13.9.4.el5_11.x86_64.rpm
java-1.6.0-openjdk-devel-1.6.0.37-1.13.9.4.el5_11.x86_64.rpm
java-1.6.0-openjdk-javadoc-1.6.0.37-1.13.9.4.el5_11.x86_64.rpm
java-1.6.0-openjdk-src-1.6.0.37-1.13.9.4.el5_11.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
java-1.6.0-openjdk-1.6.0.37-1.13.9.4.el5_11.src.rpm

i386:
java-1.6.0-openjdk-1.6.0.37-1.13.9.4.el5_11.i386.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.37-1.13.9.4.el5_11.i386.rpm
java-1.6.0-openjdk-demo-1.6.0.37-1.13.9.4.el5_11.i386.rpm
java-1.6.0-openjdk-devel-1.6.0.37-1.13.9.4.el5_11.i386.rpm
java-1.6.0-openjdk-javadoc-1.6.0.37-1.13.9.4.el5_11.i386.rpm
java-1.6.0-openjdk-src-1.6.0.37-1.13.9.4.el5_11.i386.rpm

x86_64:
java-1.6.0-openjdk-1.6.0.37-1.13.9.4.el5_11.x86_64.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.37-1.13.9.4.el5_11.x86_64.rpm
java-1.6.0-openjdk-demo-1.6.0.37-1.13.9.4.el5_11.x86_64.rpm
java-1.6.0-openjdk-devel-1.6.0.37-1.13.9.4.el5_11.x86_64.rpm
java-1.6.0-openjdk-javadoc-1.6.0.37-1.13.9.4.el5_11.x86_64.rpm
java-1.6.0-openjdk-src-1.6.0.37-1.13.9.4.el5_11.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 6):

Source:
java-1.6.0-openjdk-1.6.0.37-1.13.9.4.el6_7.src.rpm

i386:
java-1.6.0-openjdk-1.6.0.37-1.13.9.4.el6_7.i686.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.37-1.13.9.4.el6_7.i686.rpm

x86_64:
java-1.6.0-openjdk-1.6.0.37-1.13.9.4.el6_7.x86_64.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.37-1.13.9.4.el6_7.x86_64.rpm

Red Hat Enterprise Linux Desktop Optional (v. 6):

i386:
java-1.6.0-openjdk-debuginfo-1.6.0.37-1.13.9.4.el6_7.i686.rpm
java-1.6.0-openjdk-demo-1.6.0.37-1.13.9.4.el6_7.i686.rpm
java-1.6.0-openjdk-devel-1.6.0.37-1.13.9.4.el6_7.i686.rpm
java-1.6.0-openjdk-javadoc-1.6.0.37-1.13.9.4.el6_7.i686.rpm
java-1.6.0-openjdk-src-1.6.0.37-1.13.9.4.el6_7.i686.rpm

x86_64:
java-1.6.0-openjdk-debuginfo-1.6.0.37-1.13.9.4.el6_7.x86_64.rpm
java-1.6.0-openjdk-demo-1.6.0.37-1.13.9.4.el6_7.x86_64.rpm
java-1.6.0-openjdk-devel-1.6.0.37-1.13.9.4.el6_7.x86_64.rpm
java-1.6.0-openjdk-javadoc-1.6.0.37-1.13.9.4.el6_7.x86_64.rpm
java-1.6.0-openjdk-src-1.6.0.37-1.13.9.4.el6_7.x86_64.rpm

Red Hat Enterprise Linux HPC Node (v. 6):

Source:
java-1.6.0-openjdk-1.6.0.37-1.13.9.4.el6_7.src.rpm

x86_64:
java-1.6.0-openjdk-1.6.0.37-1.13.9.4.el6_7.x86_64.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.37-1.13.9.4.el6_7.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

x86_64:
java-1.6.0-openjdk-debuginfo-1.6.0.37-1.13.9.4.el6_7.x86_64.rpm
java-1.6.0-openjdk-demo-1.6.0.37-1.13.9.4.el6_7.x86_64.rpm
java-1.6.0-openjdk-devel-1.6.0.37-1.13.9.4.el6_7.x86_64.rpm
java-1.6.0-openjdk-javadoc-1.6.0.37-1.13.9.4.el6_7.x86_64.rpm
java-1.6.0-openjdk-src-1.6.0.37-1.13.9.4.el6_7.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
java-1.6.0-openjdk-1.6.0.37-1.13.9.4.el6_7.src.rpm

i386:
java-1.6.0-openjdk-1.6.0.37-1.13.9.4.el6_7.i686.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.37-1.13.9.4.el6_7.i686.rpm
java-1.6.0-openjdk-devel-1.6.0.37-1.13.9.4.el6_7.i686.rpm
java-1.6.0-openjdk-javadoc-1.6.0.37-1.13.9.4.el6_7.i686.rpm

x86_64:
java-1.6.0-openjdk-1.6.0.37-1.13.9.4.el6_7.x86_64.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.37-1.13.9.4.el6_7.x86_64.rpm
java-1.6.0-openjdk-devel-1.6.0.37-1.13.9.4.el6_7.x86_64.rpm
java-1.6.0-openjdk-javadoc-1.6.0.37-1.13.9.4.el6_7.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

i386:
java-1.6.0-openjdk-debuginfo-1.6.0.37-1.13.9.4.el6_7.i686.rpm
java-1.6.0-openjdk-demo-1.6.0.37-1.13.9.4.el6_7.i686.rpm
java-1.6.0-openjdk-src-1.6.0.37-1.13.9.4.el6_7.i686.rpm

x86_64:
java-1.6.0-openjdk-debuginfo-1.6.0.37-1.13.9.4.el6_7.x86_64.rpm
java-1.6.0-openjdk-demo-1.6.0.37-1.13.9.4.el6_7.x86_64.rpm
java-1.6.0-openjdk-src-1.6.0.37-1.13.9.4.el6_7.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
java-1.6.0-openjdk-1.6.0.37-1.13.9.4.el6_7.src.rpm

i386:
java-1.6.0-openjdk-1.6.0.37-1.13.9.4.el6_7.i686.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.37-1.13.9.4.el6_7.i686.rpm
java-1.6.0-openjdk-devel-1.6.0.37-1.13.9.4.el6_7.i686.rpm
java-1.6.0-openjdk-javadoc-1.6.0.37-1.13.9.4.el6_7.i686.rpm

x86_64:
java-1.6.0-openjdk-1.6.0.37-1.13.9.4.el6_7.x86_64.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.37-1.13.9.4.el6_7.x86_64.rpm
java-1.6.0-openjdk-devel-1.6.0.37-1.13.9.4.el6_7.x86_64.rpm
java-1.6.0-openjdk-javadoc-1.6.0.37-1.13.9.4.el6_7.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 6):

i386:
java-1.6.0-openjdk-debuginfo-1.6.0.37-1.13.9.4.el6_7.i686.rpm
java-1.6.0-openjdk-demo-1.6.0.37-1.13.9.4.el6_7.i686.rpm
java-1.6.0-openjdk-src-1.6.0.37-1.13.9.4.el6_7.i686.rpm

x86_64:
java-1.6.0-openjdk-debuginfo-1.6.0.37-1.13.9.4.el6_7.x86_64.rpm
java-1.6.0-openjdk-demo-1.6.0.37-1.13.9.4.el6_7.x86_64.rpm
java-1.6.0-openjdk-src-1.6.0.37-1.13.9.4.el6_7.x86_64.rpm

Red Hat Enterprise Linux Client (v. 7):

Source:
java-1.6.0-openjdk-1.6.0.37-1.13.9.4.el7_1.src.rpm

x86_64:
java-1.6.0-openjdk-1.6.0.37-1.13.9.4.el7_1.x86_64.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.37-1.13.9.4.el7_1.x86_64.rpm
java-1.6.0-openjdk-devel-1.6.0.37-1.13.9.4.el7_1.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

x86_64:
java-1.6.0-openjdk-debuginfo-1.6.0.37-1.13.9.4.el7_1.x86_64.rpm
java-1.6.0-openjdk-demo-1.6.0.37-1.13.9.4.el7_1.x86_64.rpm
java-1.6.0-openjdk-javadoc-1.6.0.37-1.13.9.4.el7_1.x86_64.rpm
java-1.6.0-openjdk-src-1.6.0.37-1.13.9.4.el7_1.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
java-1.6.0-openjdk-1.6.0.37-1.13.9.4.el7_1.src.rpm

x86_64:
java-1.6.0-openjdk-1.6.0.37-1.13.9.4.el7_1.x86_64.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.37-1.13.9.4.el7_1.x86_64.rpm
java-1.6.0-openjdk-devel-1.6.0.37-1.13.9.4.el7_1.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

x86_64:
java-1.6.0-openjdk-debuginfo-1.6.0.37-1.13.9.4.el7_1.x86_64.rpm
java-1.6.0-openjdk-demo-1.6.0.37-1.13.9.4.el7_1.x86_64.rpm
java-1.6.0-openjdk-javadoc-1.6.0.37-1.13.9.4.el7_1.x86_64.rpm
java-1.6.0-openjdk-src-1.6.0.37-1.13.9.4.el7_1.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
java-1.6.0-openjdk-1.6.0.37-1.13.9.4.el7_1.src.rpm

ppc64:
java-1.6.0-openjdk-1.6.0.37-1.13.9.4.el7_1.ppc64.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.37-1.13.9.4.el7_1.ppc64.rpm
java-1.6.0-openjdk-devel-1.6.0.37-1.13.9.4.el7_1.ppc64.rpm

s390x:
java-1.6.0-openjdk-1.6.0.37-1.13.9.4.el7_1.s390x.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.37-1.13.9.4.el7_1.s390x.rpm
java-1.6.0-openjdk-devel-1.6.0.37-1.13.9.4.el7_1.s390x.rpm

x86_64:
java-1.6.0-openjdk-1.6.0.37-1.13.9.4.el7_1.x86_64.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.37-1.13.9.4.el7_1.x86_64.rpm
java-1.6.0-openjdk-devel-1.6.0.37-1.13.9.4.el7_1.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

ppc64:
java-1.6.0-openjdk-debuginfo-1.6.0.37-1.13.9.4.el7_1.ppc64.rpm
java-1.6.0-openjdk-demo-1.6.0.37-1.13.9.4.el7_1.ppc64.rpm
java-1.6.0-openjdk-javadoc-1.6.0.37-1.13.9.4.el7_1.ppc64.rpm
java-1.6.0-openjdk-src-1.6.0.37-1.13.9.4.el7_1.ppc64.rpm

s390x:
java-1.6.0-openjdk-debuginfo-1.6.0.37-1.13.9.4.el7_1.s390x.rpm
java-1.6.0-openjdk-demo-1.6.0.37-1.13.9.4.el7_1.s390x.rpm
java-1.6.0-openjdk-javadoc-1.6.0.37-1.13.9.4.el7_1.s390x.rpm
java-1.6.0-openjdk-src-1.6.0.37-1.13.9.4.el7_1.s390x.rpm

x86_64:
java-1.6.0-openjdk-debuginfo-1.6.0.37-1.13.9.4.el7_1.x86_64.rpm
java-1.6.0-openjdk-demo-1.6.0.37-1.13.9.4.el7_1.x86_64.rpm
java-1.6.0-openjdk-javadoc-1.6.0.37-1.13.9.4.el7_1.x86_64.rpm
java-1.6.0-openjdk-src-1.6.0.37-1.13.9.4.el7_1.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
java-1.6.0-openjdk-1.6.0.37-1.13.9.4.el7_1.src.rpm

x86_64:
java-1.6.0-openjdk-1.6.0.37-1.13.9.4.el7_1.x86_64.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.37-1.13.9.4.el7_1.x86_64.rpm
java-1.6.0-openjdk-devel-1.6.0.37-1.13.9.4.el7_1.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v.
7): x86_64: java-1.6.0-openjdk-debuginfo-1.6.0.37-1.13.9.4.el7_1.x86_64.rpm java-1.6.0-openjdk-demo-1.6.0.37-1.13.9.4.el7_1.x86_64.rpm java-1.6.0-openjdk-javadoc-1.6.0.37-1.13.9.4.el7_1.x86_64.rpm java-1.6.0-openjdk-src-1.6.0.37-1.13.9.4.el7_1.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2015-4734 https://access.redhat.com/security/cve/CVE-2015-4803 https://access.redhat.com/security/cve/CVE-2015-4805 https://access.redhat.com/security/cve/CVE-2015-4806 https://access.redhat.com/security/cve/CVE-2015-4835 https://access.redhat.com/security/cve/CVE-2015-4842 https://access.redhat.com/security/cve/CVE-2015-4843 https://access.redhat.com/security/cve/CVE-2015-4844 https://access.redhat.com/security/cve/CVE-2015-4860 https://access.redhat.com/security/cve/CVE-2015-4872 https://access.redhat.com/security/cve/CVE-2015-4881 https://access.redhat.com/security/cve/CVE-2015-4882 https://access.redhat.com/security/cve/CVE-2015-4883 https://access.redhat.com/security/cve/CVE-2015-4893 https://access.redhat.com/security/cve/CVE-2015-4903 https://access.redhat.com/security/cve/CVE-2015-4911 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2015 Red Hat, Inc. 
From bugzilla at redhat.com Wed Nov 18 17:25:32 2015 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Wed, 18 Nov 2015 12:25:32 -0500 Subject: [RHSA-2015:2083-01] Moderate: postgresql92-postgresql security update Message-ID: <201511181725.tAIHPVX3028145@int-mx13.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: postgresql92-postgresql security update Advisory ID: RHSA-2015:2083-01 Product: Red Hat Software Collections Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-2083.html Issue date: 2015-11-18 CVE Names: CVE-2015-5288 CVE-2015-5289 ===================================================================== 1. Summary: Updated postgresql92-postgresql packages that fix two security issues are now available for Red Hat Software Collections 2. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6) - x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.5) - x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.6) - x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7) - x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.1) - x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6) - x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - x86_64 3. Description: PostgreSQL is an advanced object-relational database management system (DBMS). 
A memory leak error was discovered in the crypt() function of the pgCrypto extension. An authenticated attacker could possibly use this flaw to disclose a limited amount of the server memory. (CVE-2015-5288) A stack overflow flaw was discovered in the way the PostgreSQL core server processed certain JSON or JSONB input. An authenticated attacker could possibly use this flaw to crash the server backend by sending specially crafted JSON or JSONB input. (CVE-2015-5289) Please note that SSL renegotiation is now disabled by default. For more information, please refer to PostgreSQL's 2015-10-08 Security Update Release notes, linked to in the References section. All PostgreSQL users are advised to upgrade to these updated packages, which correct these issues. If the postgresql92-postgresql service is running, it will be automatically restarted after installing this update. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1270306 - CVE-2015-5288 postgresql: limited memory disclosure flaw in crypt() 1270312 - CVE-2015-5289 postgresql: stack overflow DoS when parsing json or jsonb inputs 6. Package List: Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 
6): Source: postgresql92-postgresql-9.2.14-1.el6.src.rpm x86_64: postgresql92-postgresql-9.2.14-1.el6.x86_64.rpm postgresql92-postgresql-contrib-9.2.14-1.el6.x86_64.rpm postgresql92-postgresql-debuginfo-9.2.14-1.el6.x86_64.rpm postgresql92-postgresql-devel-9.2.14-1.el6.x86_64.rpm postgresql92-postgresql-docs-9.2.14-1.el6.x86_64.rpm postgresql92-postgresql-libs-9.2.14-1.el6.x86_64.rpm postgresql92-postgresql-plperl-9.2.14-1.el6.x86_64.rpm postgresql92-postgresql-plpython-9.2.14-1.el6.x86_64.rpm postgresql92-postgresql-pltcl-9.2.14-1.el6.x86_64.rpm postgresql92-postgresql-server-9.2.14-1.el6.x86_64.rpm postgresql92-postgresql-test-9.2.14-1.el6.x86_64.rpm postgresql92-postgresql-upgrade-9.2.14-1.el6.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.5): Source: postgresql92-postgresql-9.2.14-1.el6.src.rpm x86_64: postgresql92-postgresql-9.2.14-1.el6.x86_64.rpm postgresql92-postgresql-contrib-9.2.14-1.el6.x86_64.rpm postgresql92-postgresql-debuginfo-9.2.14-1.el6.x86_64.rpm postgresql92-postgresql-devel-9.2.14-1.el6.x86_64.rpm postgresql92-postgresql-docs-9.2.14-1.el6.x86_64.rpm postgresql92-postgresql-libs-9.2.14-1.el6.x86_64.rpm postgresql92-postgresql-plperl-9.2.14-1.el6.x86_64.rpm postgresql92-postgresql-plpython-9.2.14-1.el6.x86_64.rpm postgresql92-postgresql-pltcl-9.2.14-1.el6.x86_64.rpm postgresql92-postgresql-server-9.2.14-1.el6.x86_64.rpm postgresql92-postgresql-test-9.2.14-1.el6.x86_64.rpm postgresql92-postgresql-upgrade-9.2.14-1.el6.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 
6.6): Source: postgresql92-postgresql-9.2.14-1.el6.src.rpm x86_64: postgresql92-postgresql-9.2.14-1.el6.x86_64.rpm postgresql92-postgresql-contrib-9.2.14-1.el6.x86_64.rpm postgresql92-postgresql-debuginfo-9.2.14-1.el6.x86_64.rpm postgresql92-postgresql-devel-9.2.14-1.el6.x86_64.rpm postgresql92-postgresql-docs-9.2.14-1.el6.x86_64.rpm postgresql92-postgresql-libs-9.2.14-1.el6.x86_64.rpm postgresql92-postgresql-plperl-9.2.14-1.el6.x86_64.rpm postgresql92-postgresql-plpython-9.2.14-1.el6.x86_64.rpm postgresql92-postgresql-pltcl-9.2.14-1.el6.x86_64.rpm postgresql92-postgresql-server-9.2.14-1.el6.x86_64.rpm postgresql92-postgresql-test-9.2.14-1.el6.x86_64.rpm postgresql92-postgresql-upgrade-9.2.14-1.el6.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7): Source: postgresql92-postgresql-9.2.14-1.el6.src.rpm x86_64: postgresql92-postgresql-9.2.14-1.el6.x86_64.rpm postgresql92-postgresql-contrib-9.2.14-1.el6.x86_64.rpm postgresql92-postgresql-debuginfo-9.2.14-1.el6.x86_64.rpm postgresql92-postgresql-devel-9.2.14-1.el6.x86_64.rpm postgresql92-postgresql-docs-9.2.14-1.el6.x86_64.rpm postgresql92-postgresql-libs-9.2.14-1.el6.x86_64.rpm postgresql92-postgresql-plperl-9.2.14-1.el6.x86_64.rpm postgresql92-postgresql-plpython-9.2.14-1.el6.x86_64.rpm postgresql92-postgresql-pltcl-9.2.14-1.el6.x86_64.rpm postgresql92-postgresql-server-9.2.14-1.el6.x86_64.rpm postgresql92-postgresql-test-9.2.14-1.el6.x86_64.rpm postgresql92-postgresql-upgrade-9.2.14-1.el6.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 
6): Source: postgresql92-postgresql-9.2.14-1.el6.src.rpm x86_64: postgresql92-postgresql-9.2.14-1.el6.x86_64.rpm postgresql92-postgresql-contrib-9.2.14-1.el6.x86_64.rpm postgresql92-postgresql-debuginfo-9.2.14-1.el6.x86_64.rpm postgresql92-postgresql-devel-9.2.14-1.el6.x86_64.rpm postgresql92-postgresql-docs-9.2.14-1.el6.x86_64.rpm postgresql92-postgresql-libs-9.2.14-1.el6.x86_64.rpm postgresql92-postgresql-plperl-9.2.14-1.el6.x86_64.rpm postgresql92-postgresql-plpython-9.2.14-1.el6.x86_64.rpm postgresql92-postgresql-pltcl-9.2.14-1.el6.x86_64.rpm postgresql92-postgresql-server-9.2.14-1.el6.x86_64.rpm postgresql92-postgresql-test-9.2.14-1.el6.x86_64.rpm postgresql92-postgresql-upgrade-9.2.14-1.el6.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7): Source: postgresql92-postgresql-9.2.14-1.el7.src.rpm x86_64: postgresql92-postgresql-9.2.14-1.el7.x86_64.rpm postgresql92-postgresql-contrib-9.2.14-1.el7.x86_64.rpm postgresql92-postgresql-debuginfo-9.2.14-1.el7.x86_64.rpm postgresql92-postgresql-devel-9.2.14-1.el7.x86_64.rpm postgresql92-postgresql-docs-9.2.14-1.el7.x86_64.rpm postgresql92-postgresql-libs-9.2.14-1.el7.x86_64.rpm postgresql92-postgresql-plperl-9.2.14-1.el7.x86_64.rpm postgresql92-postgresql-plpython-9.2.14-1.el7.x86_64.rpm postgresql92-postgresql-pltcl-9.2.14-1.el7.x86_64.rpm postgresql92-postgresql-server-9.2.14-1.el7.x86_64.rpm postgresql92-postgresql-test-9.2.14-1.el7.x86_64.rpm postgresql92-postgresql-upgrade-9.2.14-1.el7.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 
7.1): Source: postgresql92-postgresql-9.2.14-1.el7.src.rpm x86_64: postgresql92-postgresql-9.2.14-1.el7.x86_64.rpm postgresql92-postgresql-contrib-9.2.14-1.el7.x86_64.rpm postgresql92-postgresql-debuginfo-9.2.14-1.el7.x86_64.rpm postgresql92-postgresql-devel-9.2.14-1.el7.x86_64.rpm postgresql92-postgresql-docs-9.2.14-1.el7.x86_64.rpm postgresql92-postgresql-libs-9.2.14-1.el7.x86_64.rpm postgresql92-postgresql-plperl-9.2.14-1.el7.x86_64.rpm postgresql92-postgresql-plpython-9.2.14-1.el7.x86_64.rpm postgresql92-postgresql-pltcl-9.2.14-1.el7.x86_64.rpm postgresql92-postgresql-server-9.2.14-1.el7.x86_64.rpm postgresql92-postgresql-test-9.2.14-1.el7.x86_64.rpm postgresql92-postgresql-upgrade-9.2.14-1.el7.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7): Source: postgresql92-postgresql-9.2.14-1.el7.src.rpm x86_64: postgresql92-postgresql-9.2.14-1.el7.x86_64.rpm postgresql92-postgresql-contrib-9.2.14-1.el7.x86_64.rpm postgresql92-postgresql-debuginfo-9.2.14-1.el7.x86_64.rpm postgresql92-postgresql-devel-9.2.14-1.el7.x86_64.rpm postgresql92-postgresql-docs-9.2.14-1.el7.x86_64.rpm postgresql92-postgresql-libs-9.2.14-1.el7.x86_64.rpm postgresql92-postgresql-plperl-9.2.14-1.el7.x86_64.rpm postgresql92-postgresql-plpython-9.2.14-1.el7.x86_64.rpm postgresql92-postgresql-pltcl-9.2.14-1.el7.x86_64.rpm postgresql92-postgresql-server-9.2.14-1.el7.x86_64.rpm postgresql92-postgresql-test-9.2.14-1.el7.x86_64.rpm postgresql92-postgresql-upgrade-9.2.14-1.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2015-5288 https://access.redhat.com/security/cve/CVE-2015-5289 https://access.redhat.com/security/updates/classification/#moderate http://www.postgresql.org/about/news/1615/ 8. Contact: The Red Hat security contact is . 
More contact details at https://access.redhat.com/security/team/contact/ Copyright 2015 Red Hat, Inc. From bugzilla at redhat.com Wed Nov 18 17:24:21 2015 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Wed, 18 Nov 2015 12:24:21 -0500 Subject: [RHSA-2015:2077-01] Moderate: rh-postgresql94-postgresql security update Message-ID: <201511181724.tAIHOLCg022004@int-mx14.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: rh-postgresql94-postgresql security update Advisory ID: RHSA-2015:2077-01 Product: Red Hat Software Collections Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-2077.html Issue date: 2015-11-18 CVE Names: CVE-2015-5288 CVE-2015-5289 ===================================================================== 1. Summary: Updated rh-postgresql94-postgresql packages that fix two security issues are now available for Red Hat Software Collections 2. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6) - x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.5) - x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.6) - x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7) - x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.1) - x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6) - x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 
7) - x86_64 3. Description: PostgreSQL is an advanced object-relational database management system (DBMS). A memory leak error was discovered in the crypt() function of the pgCrypto extension. An authenticated attacker could possibly use this flaw to disclose a limited amount of the server memory. (CVE-2015-5288) A stack overflow flaw was discovered in the way the PostgreSQL core server processed certain JSON or JSONB input. An authenticated attacker could possibly use this flaw to crash the server backend by sending specially crafted JSON or JSONB input. (CVE-2015-5289) Please note that SSL renegotiation is now disabled by default. For more information, please refer to PostgreSQL's 2015-10-08 Security Update Release notes, linked to in the References section. All PostgreSQL users are advised to upgrade to these updated packages, which correct these issues. If the rh-postgresql94-postgresql service is running, it will be automatically restarted after installing this update. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1270306 - CVE-2015-5288 postgresql: limited memory disclosure flaw in crypt() 1270312 - CVE-2015-5289 postgresql: stack overflow DoS when parsing json or jsonb inputs 6. Package List: Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 
6): Source: rh-postgresql94-postgresql-9.4.5-1.el6.src.rpm x86_64: rh-postgresql94-postgresql-9.4.5-1.el6.x86_64.rpm rh-postgresql94-postgresql-contrib-9.4.5-1.el6.x86_64.rpm rh-postgresql94-postgresql-debuginfo-9.4.5-1.el6.x86_64.rpm rh-postgresql94-postgresql-devel-9.4.5-1.el6.x86_64.rpm rh-postgresql94-postgresql-docs-9.4.5-1.el6.x86_64.rpm rh-postgresql94-postgresql-libs-9.4.5-1.el6.x86_64.rpm rh-postgresql94-postgresql-plperl-9.4.5-1.el6.x86_64.rpm rh-postgresql94-postgresql-plpython-9.4.5-1.el6.x86_64.rpm rh-postgresql94-postgresql-pltcl-9.4.5-1.el6.x86_64.rpm rh-postgresql94-postgresql-server-9.4.5-1.el6.x86_64.rpm rh-postgresql94-postgresql-test-9.4.5-1.el6.x86_64.rpm rh-postgresql94-postgresql-upgrade-9.4.5-1.el6.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.5): Source: rh-postgresql94-postgresql-9.4.5-1.el6.src.rpm x86_64: rh-postgresql94-postgresql-9.4.5-1.el6.x86_64.rpm rh-postgresql94-postgresql-contrib-9.4.5-1.el6.x86_64.rpm rh-postgresql94-postgresql-debuginfo-9.4.5-1.el6.x86_64.rpm rh-postgresql94-postgresql-devel-9.4.5-1.el6.x86_64.rpm rh-postgresql94-postgresql-docs-9.4.5-1.el6.x86_64.rpm rh-postgresql94-postgresql-libs-9.4.5-1.el6.x86_64.rpm rh-postgresql94-postgresql-plperl-9.4.5-1.el6.x86_64.rpm rh-postgresql94-postgresql-plpython-9.4.5-1.el6.x86_64.rpm rh-postgresql94-postgresql-pltcl-9.4.5-1.el6.x86_64.rpm rh-postgresql94-postgresql-server-9.4.5-1.el6.x86_64.rpm rh-postgresql94-postgresql-test-9.4.5-1.el6.x86_64.rpm rh-postgresql94-postgresql-upgrade-9.4.5-1.el6.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 
6.6): Source: rh-postgresql94-postgresql-9.4.5-1.el6.src.rpm x86_64: rh-postgresql94-postgresql-9.4.5-1.el6.x86_64.rpm rh-postgresql94-postgresql-contrib-9.4.5-1.el6.x86_64.rpm rh-postgresql94-postgresql-debuginfo-9.4.5-1.el6.x86_64.rpm rh-postgresql94-postgresql-devel-9.4.5-1.el6.x86_64.rpm rh-postgresql94-postgresql-docs-9.4.5-1.el6.x86_64.rpm rh-postgresql94-postgresql-libs-9.4.5-1.el6.x86_64.rpm rh-postgresql94-postgresql-plperl-9.4.5-1.el6.x86_64.rpm rh-postgresql94-postgresql-plpython-9.4.5-1.el6.x86_64.rpm rh-postgresql94-postgresql-pltcl-9.4.5-1.el6.x86_64.rpm rh-postgresql94-postgresql-server-9.4.5-1.el6.x86_64.rpm rh-postgresql94-postgresql-test-9.4.5-1.el6.x86_64.rpm rh-postgresql94-postgresql-upgrade-9.4.5-1.el6.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7): Source: rh-postgresql94-postgresql-9.4.5-1.el6.src.rpm x86_64: rh-postgresql94-postgresql-9.4.5-1.el6.x86_64.rpm rh-postgresql94-postgresql-contrib-9.4.5-1.el6.x86_64.rpm rh-postgresql94-postgresql-debuginfo-9.4.5-1.el6.x86_64.rpm rh-postgresql94-postgresql-devel-9.4.5-1.el6.x86_64.rpm rh-postgresql94-postgresql-docs-9.4.5-1.el6.x86_64.rpm rh-postgresql94-postgresql-libs-9.4.5-1.el6.x86_64.rpm rh-postgresql94-postgresql-plperl-9.4.5-1.el6.x86_64.rpm rh-postgresql94-postgresql-plpython-9.4.5-1.el6.x86_64.rpm rh-postgresql94-postgresql-pltcl-9.4.5-1.el6.x86_64.rpm rh-postgresql94-postgresql-server-9.4.5-1.el6.x86_64.rpm rh-postgresql94-postgresql-test-9.4.5-1.el6.x86_64.rpm rh-postgresql94-postgresql-upgrade-9.4.5-1.el6.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 
6): Source: rh-postgresql94-postgresql-9.4.5-1.el6.src.rpm x86_64: rh-postgresql94-postgresql-9.4.5-1.el6.x86_64.rpm rh-postgresql94-postgresql-contrib-9.4.5-1.el6.x86_64.rpm rh-postgresql94-postgresql-debuginfo-9.4.5-1.el6.x86_64.rpm rh-postgresql94-postgresql-devel-9.4.5-1.el6.x86_64.rpm rh-postgresql94-postgresql-docs-9.4.5-1.el6.x86_64.rpm rh-postgresql94-postgresql-libs-9.4.5-1.el6.x86_64.rpm rh-postgresql94-postgresql-plperl-9.4.5-1.el6.x86_64.rpm rh-postgresql94-postgresql-plpython-9.4.5-1.el6.x86_64.rpm rh-postgresql94-postgresql-pltcl-9.4.5-1.el6.x86_64.rpm rh-postgresql94-postgresql-server-9.4.5-1.el6.x86_64.rpm rh-postgresql94-postgresql-test-9.4.5-1.el6.x86_64.rpm rh-postgresql94-postgresql-upgrade-9.4.5-1.el6.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7): Source: rh-postgresql94-postgresql-9.4.5-1.el7.src.rpm x86_64: rh-postgresql94-postgresql-9.4.5-1.el7.x86_64.rpm rh-postgresql94-postgresql-contrib-9.4.5-1.el7.x86_64.rpm rh-postgresql94-postgresql-debuginfo-9.4.5-1.el7.x86_64.rpm rh-postgresql94-postgresql-devel-9.4.5-1.el7.x86_64.rpm rh-postgresql94-postgresql-docs-9.4.5-1.el7.x86_64.rpm rh-postgresql94-postgresql-libs-9.4.5-1.el7.x86_64.rpm rh-postgresql94-postgresql-plperl-9.4.5-1.el7.x86_64.rpm rh-postgresql94-postgresql-plpython-9.4.5-1.el7.x86_64.rpm rh-postgresql94-postgresql-pltcl-9.4.5-1.el7.x86_64.rpm rh-postgresql94-postgresql-server-9.4.5-1.el7.x86_64.rpm rh-postgresql94-postgresql-test-9.4.5-1.el7.x86_64.rpm rh-postgresql94-postgresql-upgrade-9.4.5-1.el7.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 
7.1): Source: rh-postgresql94-postgresql-9.4.5-1.el7.src.rpm x86_64: rh-postgresql94-postgresql-9.4.5-1.el7.x86_64.rpm rh-postgresql94-postgresql-contrib-9.4.5-1.el7.x86_64.rpm rh-postgresql94-postgresql-debuginfo-9.4.5-1.el7.x86_64.rpm rh-postgresql94-postgresql-devel-9.4.5-1.el7.x86_64.rpm rh-postgresql94-postgresql-docs-9.4.5-1.el7.x86_64.rpm rh-postgresql94-postgresql-libs-9.4.5-1.el7.x86_64.rpm rh-postgresql94-postgresql-plperl-9.4.5-1.el7.x86_64.rpm rh-postgresql94-postgresql-plpython-9.4.5-1.el7.x86_64.rpm rh-postgresql94-postgresql-pltcl-9.4.5-1.el7.x86_64.rpm rh-postgresql94-postgresql-server-9.4.5-1.el7.x86_64.rpm rh-postgresql94-postgresql-test-9.4.5-1.el7.x86_64.rpm rh-postgresql94-postgresql-upgrade-9.4.5-1.el7.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7): Source: rh-postgresql94-postgresql-9.4.5-1.el7.src.rpm x86_64: rh-postgresql94-postgresql-9.4.5-1.el7.x86_64.rpm rh-postgresql94-postgresql-contrib-9.4.5-1.el7.x86_64.rpm rh-postgresql94-postgresql-debuginfo-9.4.5-1.el7.x86_64.rpm rh-postgresql94-postgresql-devel-9.4.5-1.el7.x86_64.rpm rh-postgresql94-postgresql-docs-9.4.5-1.el7.x86_64.rpm rh-postgresql94-postgresql-libs-9.4.5-1.el7.x86_64.rpm rh-postgresql94-postgresql-plperl-9.4.5-1.el7.x86_64.rpm rh-postgresql94-postgresql-plpython-9.4.5-1.el7.x86_64.rpm rh-postgresql94-postgresql-pltcl-9.4.5-1.el7.x86_64.rpm rh-postgresql94-postgresql-server-9.4.5-1.el7.x86_64.rpm rh-postgresql94-postgresql-test-9.4.5-1.el7.x86_64.rpm rh-postgresql94-postgresql-upgrade-9.4.5-1.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2015-5288 https://access.redhat.com/security/cve/CVE-2015-5289 https://access.redhat.com/security/updates/classification/#moderate http://www.postgresql.org/about/news/1615/ 8. 
Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2015 Red Hat, Inc. From bugzilla at redhat.com Wed Nov 18 17:24:55 2015 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Wed, 18 Nov 2015 12:24:55 -0500 Subject: [RHSA-2015:2081-01] Moderate: postgresql security update Message-ID: <201511181724.tAIHOtvV027494@int-mx13.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: postgresql security update Advisory ID: RHSA-2015:2081-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-2081.html Issue date: 2015-11-18 CVE Names: CVE-2015-5288 ===================================================================== 1. Summary: Updated postgresql packages that fix one security issue are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node (v. 6) - x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 3. Description: PostgreSQL is an advanced object-relational database management system (DBMS). A memory leak error was discovered in the crypt() function of the pgCrypto extension. An authenticated attacker could possibly use this flaw to disclose a limited amount of the server memory. 
(CVE-2015-5288) All PostgreSQL users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. If the postgresql service is running, it will be automatically restarted after installing this update. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1270306 - CVE-2015-5288 postgresql: limited memory disclosure flaw in crypt() 6. Package List: Red Hat Enterprise Linux Desktop (v. 6): Source: postgresql-8.4.20-4.el6_7.src.rpm i386: postgresql-debuginfo-8.4.20-4.el6_7.i686.rpm postgresql-libs-8.4.20-4.el6_7.i686.rpm x86_64: postgresql-debuginfo-8.4.20-4.el6_7.i686.rpm postgresql-debuginfo-8.4.20-4.el6_7.x86_64.rpm postgresql-libs-8.4.20-4.el6_7.i686.rpm postgresql-libs-8.4.20-4.el6_7.x86_64.rpm Red Hat Enterprise Linux Desktop Optional (v. 
6):

i386:
postgresql-8.4.20-4.el6_7.i686.rpm
postgresql-contrib-8.4.20-4.el6_7.i686.rpm
postgresql-debuginfo-8.4.20-4.el6_7.i686.rpm
postgresql-devel-8.4.20-4.el6_7.i686.rpm
postgresql-docs-8.4.20-4.el6_7.i686.rpm
postgresql-plperl-8.4.20-4.el6_7.i686.rpm
postgresql-plpython-8.4.20-4.el6_7.i686.rpm
postgresql-pltcl-8.4.20-4.el6_7.i686.rpm
postgresql-server-8.4.20-4.el6_7.i686.rpm
postgresql-test-8.4.20-4.el6_7.i686.rpm

x86_64:
postgresql-8.4.20-4.el6_7.i686.rpm
postgresql-8.4.20-4.el6_7.x86_64.rpm
postgresql-contrib-8.4.20-4.el6_7.x86_64.rpm
postgresql-debuginfo-8.4.20-4.el6_7.i686.rpm
postgresql-debuginfo-8.4.20-4.el6_7.x86_64.rpm
postgresql-devel-8.4.20-4.el6_7.i686.rpm
postgresql-devel-8.4.20-4.el6_7.x86_64.rpm
postgresql-docs-8.4.20-4.el6_7.x86_64.rpm
postgresql-plperl-8.4.20-4.el6_7.x86_64.rpm
postgresql-plpython-8.4.20-4.el6_7.x86_64.rpm
postgresql-pltcl-8.4.20-4.el6_7.x86_64.rpm
postgresql-server-8.4.20-4.el6_7.x86_64.rpm
postgresql-test-8.4.20-4.el6_7.x86_64.rpm

Red Hat Enterprise Linux HPC Node (v. 6):

Source:
postgresql-8.4.20-4.el6_7.src.rpm

x86_64:
postgresql-8.4.20-4.el6_7.i686.rpm
postgresql-8.4.20-4.el6_7.x86_64.rpm
postgresql-debuginfo-8.4.20-4.el6_7.i686.rpm
postgresql-debuginfo-8.4.20-4.el6_7.x86_64.rpm
postgresql-libs-8.4.20-4.el6_7.i686.rpm
postgresql-libs-8.4.20-4.el6_7.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

x86_64:
postgresql-contrib-8.4.20-4.el6_7.x86_64.rpm
postgresql-debuginfo-8.4.20-4.el6_7.i686.rpm
postgresql-debuginfo-8.4.20-4.el6_7.x86_64.rpm
postgresql-devel-8.4.20-4.el6_7.i686.rpm
postgresql-devel-8.4.20-4.el6_7.x86_64.rpm
postgresql-docs-8.4.20-4.el6_7.x86_64.rpm
postgresql-plperl-8.4.20-4.el6_7.x86_64.rpm
postgresql-plpython-8.4.20-4.el6_7.x86_64.rpm
postgresql-pltcl-8.4.20-4.el6_7.x86_64.rpm
postgresql-server-8.4.20-4.el6_7.x86_64.rpm
postgresql-test-8.4.20-4.el6_7.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
postgresql-8.4.20-4.el6_7.src.rpm

i386:
postgresql-8.4.20-4.el6_7.i686.rpm
postgresql-contrib-8.4.20-4.el6_7.i686.rpm
postgresql-debuginfo-8.4.20-4.el6_7.i686.rpm
postgresql-devel-8.4.20-4.el6_7.i686.rpm
postgresql-docs-8.4.20-4.el6_7.i686.rpm
postgresql-libs-8.4.20-4.el6_7.i686.rpm
postgresql-plperl-8.4.20-4.el6_7.i686.rpm
postgresql-plpython-8.4.20-4.el6_7.i686.rpm
postgresql-pltcl-8.4.20-4.el6_7.i686.rpm
postgresql-server-8.4.20-4.el6_7.i686.rpm
postgresql-test-8.4.20-4.el6_7.i686.rpm

ppc64:
postgresql-8.4.20-4.el6_7.ppc.rpm
postgresql-8.4.20-4.el6_7.ppc64.rpm
postgresql-contrib-8.4.20-4.el6_7.ppc64.rpm
postgresql-debuginfo-8.4.20-4.el6_7.ppc.rpm
postgresql-debuginfo-8.4.20-4.el6_7.ppc64.rpm
postgresql-devel-8.4.20-4.el6_7.ppc.rpm
postgresql-devel-8.4.20-4.el6_7.ppc64.rpm
postgresql-docs-8.4.20-4.el6_7.ppc64.rpm
postgresql-libs-8.4.20-4.el6_7.ppc.rpm
postgresql-libs-8.4.20-4.el6_7.ppc64.rpm
postgresql-plperl-8.4.20-4.el6_7.ppc64.rpm
postgresql-plpython-8.4.20-4.el6_7.ppc64.rpm
postgresql-pltcl-8.4.20-4.el6_7.ppc64.rpm
postgresql-server-8.4.20-4.el6_7.ppc64.rpm
postgresql-test-8.4.20-4.el6_7.ppc64.rpm

s390x:
postgresql-8.4.20-4.el6_7.s390.rpm
postgresql-8.4.20-4.el6_7.s390x.rpm
postgresql-contrib-8.4.20-4.el6_7.s390x.rpm
postgresql-debuginfo-8.4.20-4.el6_7.s390.rpm
postgresql-debuginfo-8.4.20-4.el6_7.s390x.rpm
postgresql-devel-8.4.20-4.el6_7.s390.rpm
postgresql-devel-8.4.20-4.el6_7.s390x.rpm
postgresql-docs-8.4.20-4.el6_7.s390x.rpm
postgresql-libs-8.4.20-4.el6_7.s390.rpm
postgresql-libs-8.4.20-4.el6_7.s390x.rpm
postgresql-plperl-8.4.20-4.el6_7.s390x.rpm
postgresql-plpython-8.4.20-4.el6_7.s390x.rpm
postgresql-pltcl-8.4.20-4.el6_7.s390x.rpm
postgresql-server-8.4.20-4.el6_7.s390x.rpm
postgresql-test-8.4.20-4.el6_7.s390x.rpm

x86_64:
postgresql-8.4.20-4.el6_7.i686.rpm
postgresql-8.4.20-4.el6_7.x86_64.rpm
postgresql-contrib-8.4.20-4.el6_7.x86_64.rpm
postgresql-debuginfo-8.4.20-4.el6_7.i686.rpm
postgresql-debuginfo-8.4.20-4.el6_7.x86_64.rpm
postgresql-devel-8.4.20-4.el6_7.i686.rpm
postgresql-devel-8.4.20-4.el6_7.x86_64.rpm
postgresql-docs-8.4.20-4.el6_7.x86_64.rpm
postgresql-libs-8.4.20-4.el6_7.i686.rpm
postgresql-libs-8.4.20-4.el6_7.x86_64.rpm
postgresql-plperl-8.4.20-4.el6_7.x86_64.rpm
postgresql-plpython-8.4.20-4.el6_7.x86_64.rpm
postgresql-pltcl-8.4.20-4.el6_7.x86_64.rpm
postgresql-server-8.4.20-4.el6_7.x86_64.rpm
postgresql-test-8.4.20-4.el6_7.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
postgresql-8.4.20-4.el6_7.src.rpm

i386:
postgresql-8.4.20-4.el6_7.i686.rpm
postgresql-contrib-8.4.20-4.el6_7.i686.rpm
postgresql-debuginfo-8.4.20-4.el6_7.i686.rpm
postgresql-devel-8.4.20-4.el6_7.i686.rpm
postgresql-docs-8.4.20-4.el6_7.i686.rpm
postgresql-libs-8.4.20-4.el6_7.i686.rpm
postgresql-plperl-8.4.20-4.el6_7.i686.rpm
postgresql-plpython-8.4.20-4.el6_7.i686.rpm
postgresql-pltcl-8.4.20-4.el6_7.i686.rpm
postgresql-server-8.4.20-4.el6_7.i686.rpm
postgresql-test-8.4.20-4.el6_7.i686.rpm

x86_64:
postgresql-8.4.20-4.el6_7.i686.rpm
postgresql-8.4.20-4.el6_7.x86_64.rpm
postgresql-contrib-8.4.20-4.el6_7.x86_64.rpm
postgresql-debuginfo-8.4.20-4.el6_7.i686.rpm
postgresql-debuginfo-8.4.20-4.el6_7.x86_64.rpm
postgresql-devel-8.4.20-4.el6_7.i686.rpm
postgresql-devel-8.4.20-4.el6_7.x86_64.rpm
postgresql-docs-8.4.20-4.el6_7.x86_64.rpm
postgresql-libs-8.4.20-4.el6_7.i686.rpm
postgresql-libs-8.4.20-4.el6_7.x86_64.rpm
postgresql-plperl-8.4.20-4.el6_7.x86_64.rpm
postgresql-plpython-8.4.20-4.el6_7.x86_64.rpm
postgresql-pltcl-8.4.20-4.el6_7.x86_64.rpm
postgresql-server-8.4.20-4.el6_7.x86_64.rpm
postgresql-test-8.4.20-4.el6_7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2015-5288
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.

From bugzilla at redhat.com  Thu Nov 19 09:04:11 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 19 Nov 2015 09:04:11 +0000
Subject: [RHSA-2015:2078-01] Moderate: postgresql security update
Message-ID: <201511190904.tAJ94BG7017484@int-mx10.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: postgresql security update
Advisory ID:       RHSA-2015:2078-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-2078.html
Issue date:        2015-11-18
CVE Names:         CVE-2015-5288 CVE-2015-5289
=====================================================================

1. Summary:

Updated postgresql packages that fix two security issues are now available
for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

PostgreSQL is an advanced object-relational database management system
(DBMS).

A memory leak error was discovered in the crypt() function of the pgCrypto
extension. An authenticated attacker could possibly use this flaw to
disclose a limited amount of the server memory. (CVE-2015-5288)

A stack overflow flaw was discovered in the way the PostgreSQL core server
processed certain JSON or JSONB input. An authenticated attacker could
possibly use this flaw to crash the server backend by sending specially
crafted JSON or JSONB input. (CVE-2015-5289)

Please note that SSL renegotiation is now disabled by default. For more
information, please refer to PostgreSQL's 2015-10-08 Security Update
Release notes, linked to in the References section.

All PostgreSQL users are advised to upgrade to these updated packages,
which correct these issues. If the postgresql service is running, it will
be automatically restarted after installing this update.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1270306 - CVE-2015-5288 postgresql: limited memory disclosure flaw in crypt()
1270312 - CVE-2015-5289 postgresql: stack overflow DoS when parsing json or jsonb inputs

6. Package List:

Red Hat Enterprise Linux Client Optional (v. 7):

Source:
postgresql-9.2.14-1.el7_1.src.rpm

x86_64:
postgresql-9.2.14-1.el7_1.i686.rpm
postgresql-9.2.14-1.el7_1.x86_64.rpm
postgresql-contrib-9.2.14-1.el7_1.x86_64.rpm
postgresql-debuginfo-9.2.14-1.el7_1.i686.rpm
postgresql-debuginfo-9.2.14-1.el7_1.x86_64.rpm
postgresql-devel-9.2.14-1.el7_1.i686.rpm
postgresql-devel-9.2.14-1.el7_1.x86_64.rpm
postgresql-docs-9.2.14-1.el7_1.x86_64.rpm
postgresql-libs-9.2.14-1.el7_1.i686.rpm
postgresql-libs-9.2.14-1.el7_1.x86_64.rpm
postgresql-plperl-9.2.14-1.el7_1.x86_64.rpm
postgresql-plpython-9.2.14-1.el7_1.x86_64.rpm
postgresql-pltcl-9.2.14-1.el7_1.x86_64.rpm
postgresql-server-9.2.14-1.el7_1.x86_64.rpm
postgresql-test-9.2.14-1.el7_1.x86_64.rpm
postgresql-upgrade-9.2.14-1.el7_1.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
postgresql-9.2.14-1.el7_1.src.rpm

x86_64:
postgresql-9.2.14-1.el7_1.x86_64.rpm
postgresql-debuginfo-9.2.14-1.el7_1.i686.rpm
postgresql-debuginfo-9.2.14-1.el7_1.x86_64.rpm
postgresql-libs-9.2.14-1.el7_1.i686.rpm
postgresql-libs-9.2.14-1.el7_1.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

x86_64:
postgresql-9.2.14-1.el7_1.i686.rpm
postgresql-contrib-9.2.14-1.el7_1.x86_64.rpm
postgresql-debuginfo-9.2.14-1.el7_1.i686.rpm
postgresql-debuginfo-9.2.14-1.el7_1.x86_64.rpm
postgresql-devel-9.2.14-1.el7_1.i686.rpm
postgresql-devel-9.2.14-1.el7_1.x86_64.rpm
postgresql-docs-9.2.14-1.el7_1.x86_64.rpm
postgresql-plperl-9.2.14-1.el7_1.x86_64.rpm
postgresql-plpython-9.2.14-1.el7_1.x86_64.rpm
postgresql-pltcl-9.2.14-1.el7_1.x86_64.rpm
postgresql-server-9.2.14-1.el7_1.x86_64.rpm
postgresql-test-9.2.14-1.el7_1.x86_64.rpm
postgresql-upgrade-9.2.14-1.el7_1.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
postgresql-9.2.14-1.el7_1.src.rpm

ppc64:
postgresql-9.2.14-1.el7_1.ppc.rpm
postgresql-9.2.14-1.el7_1.ppc64.rpm
postgresql-contrib-9.2.14-1.el7_1.ppc64.rpm
postgresql-debuginfo-9.2.14-1.el7_1.ppc.rpm
postgresql-debuginfo-9.2.14-1.el7_1.ppc64.rpm
postgresql-devel-9.2.14-1.el7_1.ppc.rpm
postgresql-devel-9.2.14-1.el7_1.ppc64.rpm
postgresql-docs-9.2.14-1.el7_1.ppc64.rpm
postgresql-libs-9.2.14-1.el7_1.ppc.rpm
postgresql-libs-9.2.14-1.el7_1.ppc64.rpm
postgresql-plperl-9.2.14-1.el7_1.ppc64.rpm
postgresql-plpython-9.2.14-1.el7_1.ppc64.rpm
postgresql-pltcl-9.2.14-1.el7_1.ppc64.rpm
postgresql-server-9.2.14-1.el7_1.ppc64.rpm
postgresql-test-9.2.14-1.el7_1.ppc64.rpm

s390x:
postgresql-9.2.14-1.el7_1.s390.rpm
postgresql-9.2.14-1.el7_1.s390x.rpm
postgresql-contrib-9.2.14-1.el7_1.s390x.rpm
postgresql-debuginfo-9.2.14-1.el7_1.s390.rpm
postgresql-debuginfo-9.2.14-1.el7_1.s390x.rpm
postgresql-devel-9.2.14-1.el7_1.s390.rpm
postgresql-devel-9.2.14-1.el7_1.s390x.rpm
postgresql-docs-9.2.14-1.el7_1.s390x.rpm
postgresql-libs-9.2.14-1.el7_1.s390.rpm
postgresql-libs-9.2.14-1.el7_1.s390x.rpm
postgresql-plperl-9.2.14-1.el7_1.s390x.rpm
postgresql-plpython-9.2.14-1.el7_1.s390x.rpm
postgresql-pltcl-9.2.14-1.el7_1.s390x.rpm
postgresql-server-9.2.14-1.el7_1.s390x.rpm
postgresql-test-9.2.14-1.el7_1.s390x.rpm

x86_64:
postgresql-9.2.14-1.el7_1.i686.rpm
postgresql-9.2.14-1.el7_1.x86_64.rpm
postgresql-contrib-9.2.14-1.el7_1.x86_64.rpm
postgresql-debuginfo-9.2.14-1.el7_1.i686.rpm
postgresql-debuginfo-9.2.14-1.el7_1.x86_64.rpm
postgresql-devel-9.2.14-1.el7_1.i686.rpm
postgresql-devel-9.2.14-1.el7_1.x86_64.rpm
postgresql-docs-9.2.14-1.el7_1.x86_64.rpm
postgresql-libs-9.2.14-1.el7_1.i686.rpm
postgresql-libs-9.2.14-1.el7_1.x86_64.rpm
postgresql-plperl-9.2.14-1.el7_1.x86_64.rpm
postgresql-plpython-9.2.14-1.el7_1.x86_64.rpm
postgresql-pltcl-9.2.14-1.el7_1.x86_64.rpm
postgresql-server-9.2.14-1.el7_1.x86_64.rpm
postgresql-test-9.2.14-1.el7_1.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
postgresql-9.2.14-1.ael7b_1.src.rpm

ppc64le:
postgresql-9.2.14-1.ael7b_1.ppc64le.rpm
postgresql-contrib-9.2.14-1.ael7b_1.ppc64le.rpm
postgresql-debuginfo-9.2.14-1.ael7b_1.ppc64le.rpm
postgresql-devel-9.2.14-1.ael7b_1.ppc64le.rpm
postgresql-docs-9.2.14-1.ael7b_1.ppc64le.rpm
postgresql-libs-9.2.14-1.ael7b_1.ppc64le.rpm
postgresql-plperl-9.2.14-1.ael7b_1.ppc64le.rpm
postgresql-plpython-9.2.14-1.ael7b_1.ppc64le.rpm
postgresql-pltcl-9.2.14-1.ael7b_1.ppc64le.rpm
postgresql-server-9.2.14-1.ael7b_1.ppc64le.rpm
postgresql-test-9.2.14-1.ael7b_1.ppc64le.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

ppc64:
postgresql-debuginfo-9.2.14-1.el7_1.ppc64.rpm
postgresql-upgrade-9.2.14-1.el7_1.ppc64.rpm

s390x:
postgresql-debuginfo-9.2.14-1.el7_1.s390x.rpm
postgresql-upgrade-9.2.14-1.el7_1.s390x.rpm

x86_64:
postgresql-debuginfo-9.2.14-1.el7_1.x86_64.rpm
postgresql-upgrade-9.2.14-1.el7_1.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

ppc64le:
postgresql-debuginfo-9.2.14-1.ael7b_1.ppc64le.rpm
postgresql-upgrade-9.2.14-1.ael7b_1.ppc64le.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
postgresql-9.2.14-1.el7_1.src.rpm

x86_64:
postgresql-9.2.14-1.el7_1.i686.rpm
postgresql-9.2.14-1.el7_1.x86_64.rpm
postgresql-contrib-9.2.14-1.el7_1.x86_64.rpm
postgresql-debuginfo-9.2.14-1.el7_1.i686.rpm
postgresql-debuginfo-9.2.14-1.el7_1.x86_64.rpm
postgresql-devel-9.2.14-1.el7_1.i686.rpm
postgresql-devel-9.2.14-1.el7_1.x86_64.rpm
postgresql-docs-9.2.14-1.el7_1.x86_64.rpm
postgresql-libs-9.2.14-1.el7_1.i686.rpm
postgresql-libs-9.2.14-1.el7_1.x86_64.rpm
postgresql-plperl-9.2.14-1.el7_1.x86_64.rpm
postgresql-plpython-9.2.14-1.el7_1.x86_64.rpm
postgresql-pltcl-9.2.14-1.el7_1.x86_64.rpm
postgresql-server-9.2.14-1.el7_1.x86_64.rpm
postgresql-test-9.2.14-1.el7_1.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

x86_64:
postgresql-debuginfo-9.2.14-1.el7_1.x86_64.rpm
postgresql-upgrade-9.2.14-1.el7_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2015-5288
https://access.redhat.com/security/cve/CVE-2015-5289
https://access.redhat.com/security/updates/classification/#moderate
http://www.postgresql.org/about/news/1615/

8. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
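The stack overflow in CVE-2015-5289 above comes from recursion over deeply nested JSON/JSONB input. As an added example, not PostgreSQL's code, here is a pre-parse nesting-depth guard a service that accepts JSON from clients can apply before handing input to a recursive parser; the limit of 64 levels is an assumed policy value, not PostgreSQL's.

```python
"""Pre-parse nesting-depth guard for JSON input.

Added example (not PostgreSQL's code).  A recursive parser spends stack
proportional to nesting depth; bounding depth before parsing turns a
potential crash into a clean rejection.  MAX_JSON_DEPTH is an assumed
policy value.
"""
import json

MAX_JSON_DEPTH = 64  # assumed limit, chosen for illustration


class JsonTooDeep(ValueError):
    """Raised when a document nests deeper than the configured limit."""


def json_nesting_depth(text, max_depth=MAX_JSON_DEPTH):
    """Return the maximum bracket nesting depth of a JSON document.

    Single pass, O(1) extra memory: brackets inside string literals are
    ignored (backslash escapes honoured), and JsonTooDeep is raised the
    moment the depth exceeds max_depth, so the cost of a hostile input is
    bounded by its length rather than by its nesting.
    """
    depth = 0
    max_seen = 0
    in_string = False
    escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False          # the character after a backslash
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            continue
        if ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            if depth > max_depth:
                raise JsonTooDeep("nesting depth exceeds %d" % max_depth)
            max_seen = max(max_seen, depth)
        elif ch in "]}":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced closing bracket")
    if in_string or depth != 0:
        raise ValueError("malformed JSON structure")
    return max_seen


def is_within_depth(text, max_depth=MAX_JSON_DEPTH):
    """True if the document nests no deeper than max_depth."""
    try:
        json_nesting_depth(text, max_depth)
    except JsonTooDeep:
        return False
    return True


def safe_loads(text, max_depth=MAX_JSON_DEPTH):
    """Parse JSON only after the depth guard has accepted it."""
    json_nesting_depth(text, max_depth)
    return json.loads(text)
```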
From bugzilla at redhat.com  Thu Nov 19 21:31:28 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 19 Nov 2015 16:31:28 -0500
Subject: [RHSA-2015:2079-09] Moderate: binutils security, bug fix, and enhancement update
Message-ID: <201511192131.tAJLVSll029013@int-mx11.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: binutils security, bug fix, and enhancement update
Advisory ID:       RHSA-2015:2079-09
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-2079.html
Issue date:        2015-11-19
CVE Names:         CVE-2014-8484 CVE-2014-8485 CVE-2014-8501 CVE-2014-8502
                   CVE-2014-8503 CVE-2014-8504 CVE-2014-8737 CVE-2014-8738
=====================================================================

1. Summary:

Updated binutils packages that fix multiple security issues, several bugs,
and add various enhancements are now available for Red Hat Enterprise
Linux 7.

Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64

3. Description:

The binutils packages provide a set of binary utilities.

Multiple buffer overflow flaws were found in the libbfd library used by
various binutils utilities. If a user were tricked into processing a
specially crafted file with an application using the libbfd library, it
could cause the application to crash or, potentially, execute arbitrary
code. (CVE-2014-8485, CVE-2014-8501, CVE-2014-8502, CVE-2014-8503,
CVE-2014-8504, CVE-2014-8738)

An integer overflow flaw was found in the libbfd library used by various
binutils utilities. If a user were tricked into processing a specially
crafted file with an application using the libbfd library, it could cause
the application to crash. (CVE-2014-8484)

A directory traversal flaw was found in the strip and objcopy utilities. A
specially crafted file could cause strip or objdump to overwrite an
arbitrary file writable by the user running either of these utilities.
(CVE-2014-8737)

This update fixes the following bugs:

* Binary files started by the system loader could lack the Relocation
Read-Only (RELRO) protection even though it was explicitly requested when
the application was built. This bug has been fixed on multiple
architectures. Applications and all dependent object files, archives, and
libraries built with an alpha or beta version of binutils should be rebuilt
to correct this defect. (BZ#1200138, BZ#1175624)

* The ld linker on 64-bit PowerPC now correctly checks the output format
when asked to produce a binary in another format than PowerPC. (BZ#1226864)

* An important variable that holds the symbol table for the binary being
debugged has been made persistent, and the objdump utility on 64-bit
PowerPC is now able to access the needed information without reading an
invalid memory region. (BZ#1172766)

* Undesirable runtime relocations described in RHBA-2015:0974. (BZ#872148)

The update adds these enhancements:

* New hardware instructions of the IBM z Systems z13 are now supported by
assembler, disassembler, and linker, as well as Single Instruction,
Multiple Data (SIMD) instructions. (BZ#1182153)

* Expressions of the form: "FUNC at localentry" to refer to the local entry
point for the FUNC function (if defined) are now supported by the PowerPC
assembler. These are required by the ELFv2 ABI on the little-endian
variant of IBM Power Systems. (BZ#1194164)

All binutils users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues and add these
enhancements.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1156272 - CVE-2014-8484 binutils: invalid read flaw in libbfd
1157276 - CVE-2014-8485 binutils: lack of range checking leading to controlled write in _bfd_elf_setup_sections()
1162570 - CVE-2014-8501 binutils: out-of-bounds write when parsing specially crafted PE executable
1162594 - CVE-2014-8502 binutils: heap overflow in objdump when parsing a crafted ELF/PE binary file (incomplete fix for CVE-2014-8485)
1162607 - CVE-2014-8503 binutils: stack overflow in objdump when parsing specially crafted ihex file
1162621 - CVE-2014-8504 binutils: stack overflow in the SREC parser
1162655 - CVE-2014-8737 binutils: directory traversal vulnerability
1162666 - CVE-2014-8738 binutils: out of bounds memory write
1172766 - ppc64: segv in libbfd
1200138 - binutils: ld sporadically generates binaries without relro protection even when told so
1203603 - The binutils package contains the windmc(1) manual page but the utility is not included
1238783 - [aarch64][binutils] relocation truncated to fit: R_AARCH64_LD64_GOT_LO12_NC against

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:
binutils-2.23.52.0.1-55.el7.src.rpm

x86_64:
binutils-2.23.52.0.1-55.el7.x86_64.rpm
binutils-debuginfo-2.23.52.0.1-55.el7.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

x86_64:
binutils-debuginfo-2.23.52.0.1-55.el7.i686.rpm
binutils-debuginfo-2.23.52.0.1-55.el7.x86_64.rpm
binutils-devel-2.23.52.0.1-55.el7.i686.rpm
binutils-devel-2.23.52.0.1-55.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
binutils-2.23.52.0.1-55.el7.src.rpm

x86_64:
binutils-2.23.52.0.1-55.el7.x86_64.rpm
binutils-debuginfo-2.23.52.0.1-55.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

x86_64:
binutils-debuginfo-2.23.52.0.1-55.el7.i686.rpm
binutils-debuginfo-2.23.52.0.1-55.el7.x86_64.rpm
binutils-devel-2.23.52.0.1-55.el7.i686.rpm
binutils-devel-2.23.52.0.1-55.el7.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
binutils-2.23.52.0.1-55.el7.src.rpm

aarch64:
binutils-2.23.52.0.1-55.el7.aarch64.rpm
binutils-debuginfo-2.23.52.0.1-55.el7.aarch64.rpm
binutils-devel-2.23.52.0.1-55.el7.aarch64.rpm

ppc64:
binutils-2.23.52.0.1-55.el7.ppc64.rpm
binutils-debuginfo-2.23.52.0.1-55.el7.ppc.rpm
binutils-debuginfo-2.23.52.0.1-55.el7.ppc64.rpm
binutils-devel-2.23.52.0.1-55.el7.ppc.rpm
binutils-devel-2.23.52.0.1-55.el7.ppc64.rpm

ppc64le:
binutils-2.23.52.0.1-55.el7.ppc64le.rpm
binutils-debuginfo-2.23.52.0.1-55.el7.ppc64le.rpm
binutils-devel-2.23.52.0.1-55.el7.ppc64le.rpm

s390x:
binutils-2.23.52.0.1-55.el7.s390x.rpm
binutils-debuginfo-2.23.52.0.1-55.el7.s390.rpm
binutils-debuginfo-2.23.52.0.1-55.el7.s390x.rpm
binutils-devel-2.23.52.0.1-55.el7.s390.rpm
binutils-devel-2.23.52.0.1-55.el7.s390x.rpm

x86_64:
binutils-2.23.52.0.1-55.el7.x86_64.rpm
binutils-debuginfo-2.23.52.0.1-55.el7.i686.rpm
binutils-debuginfo-2.23.52.0.1-55.el7.x86_64.rpm
binutils-devel-2.23.52.0.1-55.el7.i686.rpm
binutils-devel-2.23.52.0.1-55.el7.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
binutils-2.23.52.0.1-55.el7.src.rpm

x86_64:
binutils-2.23.52.0.1-55.el7.x86_64.rpm
binutils-debuginfo-2.23.52.0.1-55.el7.i686.rpm
binutils-debuginfo-2.23.52.0.1-55.el7.x86_64.rpm
binutils-devel-2.23.52.0.1-55.el7.i686.rpm
binutils-devel-2.23.52.0.1-55.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2014-8484
https://access.redhat.com/security/cve/CVE-2014-8485
https://access.redhat.com/security/cve/CVE-2014-8501
https://access.redhat.com/security/cve/CVE-2014-8502
https://access.redhat.com/security/cve/CVE-2014-8503
https://access.redhat.com/security/cve/CVE-2014-8504
https://access.redhat.com/security/cve/CVE-2014-8737
https://access.redhat.com/security/cve/CVE-2014-8738
https://access.redhat.com/security/updates/classification/#moderate
https://rhn.redhat.com/errata/RHBA-2015-0974.html

8. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
From bugzilla at redhat.com  Thu Nov 19 21:31:46 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 19 Nov 2015 16:31:46 -0500
Subject: [RHSA-2015:2088-06] Moderate: openssh security, bug fix, and enhancement update
Message-ID: <201511192131.tAJLVkDj000962@int-mx14.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: openssh security, bug fix, and enhancement update
Advisory ID:       RHSA-2015:2088-06
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-2088.html
Issue date:        2015-11-19
CVE Names:         CVE-2015-5600 CVE-2015-6563 CVE-2015-6564
=====================================================================

1. Summary:

Updated openssh packages that fix multiple security issues, several bugs,
and add various enhancements are now available for Red Hat Enterprise
Linux 7.

Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

OpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation. These
packages include the core files necessary for both the OpenSSH client and
server.

A flaw was found in the way OpenSSH handled PAM authentication when using
privilege separation. An attacker with valid credentials on the system and
able to fully compromise a non-privileged pre-authentication process using
a different flaw could use this flaw to authenticate as other users.
(CVE-2015-6563)

A use-after-free flaw was found in OpenSSH. An attacker able to fully
compromise a non-privileged pre-authentication process using a different
flaw could possibly cause sshd to crash or execute arbitrary code with
root privileges. (CVE-2015-6564)

It was discovered that the OpenSSH sshd daemon did not check the list of
keyboard-interactive authentication methods for duplicates. A remote
attacker could use this flaw to bypass the MaxAuthTries limit, making it
easier to perform password guessing attacks. (CVE-2015-5600)

It was found that the OpenSSH ssh-agent, a program to hold private keys
used for public key authentication, was vulnerable to password guessing
attacks. An attacker able to connect to the agent could use this flaw to
conduct a brute-force attack to unlock keys in the ssh-agent. (BZ#1238238)

This update fixes the following bugs:

* Previously, the sshd_config(5) man page was misleading and could thus
confuse the user. This update improves the man page text to clearly
describe the AllowGroups feature. (BZ#1150007)

* The limit in the function that restricts the number of files listed
using the wildcard character (*), which prevents denial of service (DoS)
for both server and client, was previously set too low. Consequently, a
user reaching the limit was prevented from listing a directory with a
large number of files over Secure File Transfer Protocol (SFTP). This
update increases the aforementioned limit, thus fixing this bug.
(BZ#1160377)

* When the ForceCommand option with a pseudoterminal was used and the
MaxSession option was set to "2", multiplexed SSH connections did not work
as expected. After the user attempted to open a second multiplexed
connection, the attempt failed if the first connection was still open.
This update modifies OpenSSH to issue only one audit message per session,
and the user is thus able to open two multiplexed connections in this
situation. (BZ#1199112)

* The ssh-copy-id utility failed if the account on the remote server did
not use an sh-like shell. Remote commands have been modified to run in an
sh-like shell, and ssh-copy-id now works also with non-sh-like shells.
(BZ#1201758)

* Due to a race condition between auditing messages and answers when using
ControlMaster multiplexing, one session in the shared connection randomly
and unexpectedly exited the connection. This update fixes the race
condition in the auditing code, and multiplexing connections now work as
expected even with a number of sessions created at once. (BZ#1240613)

In addition, this update adds the following enhancements:

* As not all Lightweight Directory Access Protocol (LDAP) servers possess a
default schema, as expected by the ssh-ldap-helper program, this update
provides the user with an ability to adjust the LDAP query to get public
keys from servers with a different schema, while the default functionality
stays untouched. (BZ#1201753)

* With this enhancement update, the administrator is able to set
permissions for files uploaded using Secure File Transfer Protocol (SFTP).
(BZ#1197989)

* This update provides the LDAP schema in LDAP Data Interchange Format
(LDIF) format as a complement to the old schema previously accepted by
OpenLDAP. (BZ#1184938)

* With this update, the user can selectively disable the Generic Security
Services API (GSSAPI) key exchange algorithms as any normal key exchange.
(BZ#1253062)

Users of openssh are advised to upgrade to these updated packages, which
correct these issues and add these enhancements.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1125110 - pam_namespace usage is not consistent across system-wide PAM configuration
1160377 - sftp is failing using wildcards and many files
1178116 - Default selinux policy prevents ssh-ldap-helper from connecting to LDAP server
1181591 - No Documentation= line in the sshd.service file
1184938 - Provide LDIF version of LPK schema
1187597 - sshd -T does not show all (default) options, inconsistency
1197666 - ssh client using HostbasedAuthentication aborts in FIPS mode
1197989 - RFE: option to let openssh/sftp force the exact permissions on newly uploaded files
1238238 - openssh: weakness of agent locking (ssh-add -x) to password guessing
1245969 - CVE-2015-5600 openssh: MaxAuthTries limit bypass via duplicates in KbdInteractiveDevices
1252844 - CVE-2015-6563 openssh: Privilege separation weakness related to PAM support
1252852 - CVE-2015-6564 openssh: Use-after-free bug related to PAM support

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:
openssh-6.6.1p1-22.el7.src.rpm

x86_64:
openssh-6.6.1p1-22.el7.x86_64.rpm
openssh-askpass-6.6.1p1-22.el7.x86_64.rpm
openssh-clients-6.6.1p1-22.el7.x86_64.rpm
openssh-debuginfo-6.6.1p1-22.el7.x86_64.rpm
openssh-keycat-6.6.1p1-22.el7.x86_64.rpm
openssh-server-6.6.1p1-22.el7.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

x86_64:
openssh-debuginfo-6.6.1p1-22.el7.i686.rpm
openssh-debuginfo-6.6.1p1-22.el7.x86_64.rpm
openssh-ldap-6.6.1p1-22.el7.x86_64.rpm
openssh-server-sysvinit-6.6.1p1-22.el7.x86_64.rpm
pam_ssh_agent_auth-0.9.3-9.22.el7.i686.rpm
pam_ssh_agent_auth-0.9.3-9.22.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
openssh-6.6.1p1-22.el7.src.rpm

x86_64:
openssh-6.6.1p1-22.el7.x86_64.rpm
openssh-clients-6.6.1p1-22.el7.x86_64.rpm
openssh-debuginfo-6.6.1p1-22.el7.x86_64.rpm
openssh-keycat-6.6.1p1-22.el7.x86_64.rpm
openssh-server-6.6.1p1-22.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

x86_64:
openssh-askpass-6.6.1p1-22.el7.x86_64.rpm
openssh-debuginfo-6.6.1p1-22.el7.i686.rpm
openssh-debuginfo-6.6.1p1-22.el7.x86_64.rpm
openssh-ldap-6.6.1p1-22.el7.x86_64.rpm
openssh-server-sysvinit-6.6.1p1-22.el7.x86_64.rpm
pam_ssh_agent_auth-0.9.3-9.22.el7.i686.rpm
pam_ssh_agent_auth-0.9.3-9.22.el7.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
openssh-6.6.1p1-22.el7.src.rpm

aarch64:
openssh-6.6.1p1-22.el7.aarch64.rpm
openssh-clients-6.6.1p1-22.el7.aarch64.rpm
openssh-debuginfo-6.6.1p1-22.el7.aarch64.rpm
openssh-keycat-6.6.1p1-22.el7.aarch64.rpm
openssh-server-6.6.1p1-22.el7.aarch64.rpm

ppc64:
openssh-6.6.1p1-22.el7.ppc64.rpm
openssh-askpass-6.6.1p1-22.el7.ppc64.rpm
openssh-clients-6.6.1p1-22.el7.ppc64.rpm
openssh-debuginfo-6.6.1p1-22.el7.ppc64.rpm
openssh-keycat-6.6.1p1-22.el7.ppc64.rpm
openssh-server-6.6.1p1-22.el7.ppc64.rpm

ppc64le:
openssh-6.6.1p1-22.el7.ppc64le.rpm
openssh-askpass-6.6.1p1-22.el7.ppc64le.rpm
openssh-clients-6.6.1p1-22.el7.ppc64le.rpm
openssh-debuginfo-6.6.1p1-22.el7.ppc64le.rpm
openssh-keycat-6.6.1p1-22.el7.ppc64le.rpm
openssh-server-6.6.1p1-22.el7.ppc64le.rpm

s390x:
openssh-6.6.1p1-22.el7.s390x.rpm
openssh-askpass-6.6.1p1-22.el7.s390x.rpm
openssh-clients-6.6.1p1-22.el7.s390x.rpm
openssh-debuginfo-6.6.1p1-22.el7.s390x.rpm
openssh-keycat-6.6.1p1-22.el7.s390x.rpm
openssh-server-6.6.1p1-22.el7.s390x.rpm

x86_64:
openssh-6.6.1p1-22.el7.x86_64.rpm
openssh-askpass-6.6.1p1-22.el7.x86_64.rpm
openssh-clients-6.6.1p1-22.el7.x86_64.rpm
openssh-debuginfo-6.6.1p1-22.el7.x86_64.rpm
openssh-keycat-6.6.1p1-22.el7.x86_64.rpm
openssh-server-6.6.1p1-22.el7.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

aarch64:
openssh-askpass-6.6.1p1-22.el7.aarch64.rpm
openssh-debuginfo-6.6.1p1-22.el7.aarch64.rpm
openssh-ldap-6.6.1p1-22.el7.aarch64.rpm
openssh-server-sysvinit-6.6.1p1-22.el7.aarch64.rpm
pam_ssh_agent_auth-0.9.3-9.22.el7.aarch64.rpm

ppc64:
openssh-debuginfo-6.6.1p1-22.el7.ppc.rpm
openssh-debuginfo-6.6.1p1-22.el7.ppc64.rpm
openssh-ldap-6.6.1p1-22.el7.ppc64.rpm
openssh-server-sysvinit-6.6.1p1-22.el7.ppc64.rpm
pam_ssh_agent_auth-0.9.3-9.22.el7.ppc.rpm
pam_ssh_agent_auth-0.9.3-9.22.el7.ppc64.rpm

ppc64le:
openssh-debuginfo-6.6.1p1-22.el7.ppc64le.rpm
openssh-ldap-6.6.1p1-22.el7.ppc64le.rpm
openssh-server-sysvinit-6.6.1p1-22.el7.ppc64le.rpm
pam_ssh_agent_auth-0.9.3-9.22.el7.ppc64le.rpm

s390x:
openssh-debuginfo-6.6.1p1-22.el7.s390.rpm
openssh-debuginfo-6.6.1p1-22.el7.s390x.rpm
openssh-ldap-6.6.1p1-22.el7.s390x.rpm
openssh-server-sysvinit-6.6.1p1-22.el7.s390x.rpm
pam_ssh_agent_auth-0.9.3-9.22.el7.s390.rpm
pam_ssh_agent_auth-0.9.3-9.22.el7.s390x.rpm

x86_64:
openssh-debuginfo-6.6.1p1-22.el7.i686.rpm
openssh-debuginfo-6.6.1p1-22.el7.x86_64.rpm
openssh-ldap-6.6.1p1-22.el7.x86_64.rpm
openssh-server-sysvinit-6.6.1p1-22.el7.x86_64.rpm
pam_ssh_agent_auth-0.9.3-9.22.el7.i686.rpm
pam_ssh_agent_auth-0.9.3-9.22.el7.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
openssh-6.6.1p1-22.el7.src.rpm

x86_64:
openssh-6.6.1p1-22.el7.x86_64.rpm
openssh-askpass-6.6.1p1-22.el7.x86_64.rpm
openssh-clients-6.6.1p1-22.el7.x86_64.rpm
openssh-debuginfo-6.6.1p1-22.el7.x86_64.rpm
openssh-keycat-6.6.1p1-22.el7.x86_64.rpm
openssh-server-6.6.1p1-22.el7.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

x86_64:
openssh-debuginfo-6.6.1p1-22.el7.i686.rpm
openssh-debuginfo-6.6.1p1-22.el7.x86_64.rpm
openssh-ldap-6.6.1p1-22.el7.x86_64.rpm
openssh-server-sysvinit-6.6.1p1-22.el7.x86_64.rpm
pam_ssh_agent_auth-0.9.3-9.22.el7.i686.rpm
pam_ssh_agent_auth-0.9.3-9.22.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2015-5600
https://access.redhat.com/security/cve/CVE-2015-6563
https://access.redhat.com/security/cve/CVE-2015-6564
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.

From bugzilla at redhat.com  Thu Nov 19 21:32:04 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 19 Nov 2015 16:32:04 -0500
Subject: [RHSA-2015:2101-01] Moderate: python security, bug fix, and enhancement update
Message-ID: <201511192132.tAJLW4aL029316@int-mx11.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: python security, bug fix, and enhancement update
Advisory ID:       RHSA-2015:2101-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-2101.html
Issue date:        2015-11-19
CVE Names:         CVE-2013-1752 CVE-2013-1753 CVE-2014-4616 CVE-2014-4650
                   CVE-2014-7185
=====================================================================

1.
Summary:

Updated python packages that fix multiple security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

Python is an interpreted, interactive, object-oriented programming language often compared to Tcl, Perl, Scheme, or Java. Python includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems (X11, Motif, Tk, Mac and MFC).

It was discovered that the Python xmlrpclib module did not restrict the size of gzip-compressed HTTP responses. A malicious XMLRPC server could cause an XMLRPC client using xmlrpclib to consume an excessive amount of memory. (CVE-2013-1753)

It was discovered that multiple Python standard library modules implementing network protocols (such as httplib or smtplib) failed to restrict the sizes of server responses. A malicious server could cause a client using one of the affected modules to consume an excessive amount of memory. (CVE-2013-1752)

It was discovered that the CGIHTTPServer module incorrectly handled URL encoded paths. A remote attacker could use this flaw to execute scripts outside of the cgi-bin directory, or disclose the source code of the scripts in the cgi-bin directory. (CVE-2014-4650)

An integer overflow flaw was found in the way the buffer() function handled its offset and size arguments. An attacker able to control these arguments could use this flaw to disclose portions of the application memory or cause it to crash. (CVE-2014-7185)

A flaw was found in the way the json module handled negative index arguments passed to certain functions (such as raw_decode()). An attacker able to control the index value passed to one of the affected functions could possibly use this flaw to disclose portions of the application memory. (CVE-2014-4616)

The Python standard library HTTP client modules (such as httplib or urllib) did not perform verification of TLS/SSL certificates when connecting to HTTPS servers. A man-in-the-middle attacker could use this flaw to hijack connections and eavesdrop or modify transferred data. (CVE-2014-9365)

Note: The Python standard library was updated to make it possible to enable certificate verification by default. However, for backwards compatibility, verification remains disabled by default. Future updates may change this default. Refer to the Knowledgebase article 2039753 linked to in the References section for further details about this change. (BZ#1219108)

This update also fixes the following bugs:

* Subprocesses used with the Eventlet library or regular threads previously tried to close epoll file descriptors twice, which led to an "Invalid argument" error. Subprocesses have been fixed to close the file descriptors only once. (BZ#1103452)

* When importing the readline module from a Python script, Python no longer produces erroneous random characters on stdout. (BZ#1189301)

* The cProfile utility has been fixed to print all values that the "-s" option supports when this option is used without a correct value. (BZ#1237107)

* The load_cert_chain() function now accepts "None" as a keyfile argument. (BZ#1250611)

In addition, this update adds the following enhancements:

* Security enhancements as described in PEP 466 have been backported to the Python standard library, for example, new features of the ssl module: Server Name Indication (SNI) support, support for new TLSv1.x protocols, new hash algorithms in the hashlib module, and many more. (BZ#1111461)

* Support for the ssl.PROTOCOL_TLSv1_2 protocol has been added to the ssl library. (BZ#1192015)

* The ssl.SSLSocket.version() method is now available to access information about the version of the SSL protocol used in a connection. (BZ#1259421)

All python users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1046170 - CVE-2013-1753 python: XMLRPC library unrestricted decompression of HTTP responses using gzip encoding
1046174 - CVE-2013-1752 python: multiple unbound readline() DoS flaws in python stdlib
1058482 - tmpwatch removes python multiprocessing sockets
1112285 - CVE-2014-4616 python: missing boundary check in JSON module
1113527 - CVE-2014-4650 python: CGIHTTPServer module does not properly handle URL-encoded path separators in URLs
1146026 - CVE-2014-7185 python: buffer() integer overflow leading to out of bounds read
1173041 - CVE-2014-9365 python: failure to validate certificates in the HTTP client with TLS (PEP 476)
1177613 - setup.py bdist_rpm NameError: global name 'get_python_version' is not defined
1181624 - multiprocessing BaseManager serve_client() does not check EINTR on recv
1237107 - cProfile main() traceback if options syntax is invalid
1250611 - SSLContext.load_cert_chain() keyfile argument can't be set to None
1259421 - Backport SSLSocket.version() to python 2.7.5

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:
python-2.7.5-34.el7.src.rpm

x86_64:
python-2.7.5-34.el7.x86_64.rpm
python-debuginfo-2.7.5-34.el7.i686.rpm
python-debuginfo-2.7.5-34.el7.x86_64.rpm
python-libs-2.7.5-34.el7.i686.rpm
python-libs-2.7.5-34.el7.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

x86_64:
python-debug-2.7.5-34.el7.x86_64.rpm
python-debuginfo-2.7.5-34.el7.x86_64.rpm
python-devel-2.7.5-34.el7.x86_64.rpm
python-test-2.7.5-34.el7.x86_64.rpm
python-tools-2.7.5-34.el7.x86_64.rpm
tkinter-2.7.5-34.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
python-2.7.5-34.el7.src.rpm

x86_64:
python-2.7.5-34.el7.x86_64.rpm
python-debuginfo-2.7.5-34.el7.i686.rpm
python-debuginfo-2.7.5-34.el7.x86_64.rpm
python-devel-2.7.5-34.el7.x86_64.rpm
python-libs-2.7.5-34.el7.i686.rpm
python-libs-2.7.5-34.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v.
7): x86_64: python-debug-2.7.5-34.el7.x86_64.rpm python-debuginfo-2.7.5-34.el7.x86_64.rpm python-test-2.7.5-34.el7.x86_64.rpm python-tools-2.7.5-34.el7.x86_64.rpm tkinter-2.7.5-34.el7.x86_64.rpm Red Hat Enterprise Linux Server (v. 7): Source: python-2.7.5-34.el7.src.rpm aarch64: python-2.7.5-34.el7.aarch64.rpm python-debuginfo-2.7.5-34.el7.aarch64.rpm python-devel-2.7.5-34.el7.aarch64.rpm python-libs-2.7.5-34.el7.aarch64.rpm ppc64: python-2.7.5-34.el7.ppc64.rpm python-debuginfo-2.7.5-34.el7.ppc.rpm python-debuginfo-2.7.5-34.el7.ppc64.rpm python-devel-2.7.5-34.el7.ppc64.rpm python-libs-2.7.5-34.el7.ppc.rpm python-libs-2.7.5-34.el7.ppc64.rpm ppc64le: python-2.7.5-34.el7.ppc64le.rpm python-debuginfo-2.7.5-34.el7.ppc64le.rpm python-devel-2.7.5-34.el7.ppc64le.rpm python-libs-2.7.5-34.el7.ppc64le.rpm s390x: python-2.7.5-34.el7.s390x.rpm python-debuginfo-2.7.5-34.el7.s390.rpm python-debuginfo-2.7.5-34.el7.s390x.rpm python-devel-2.7.5-34.el7.s390x.rpm python-libs-2.7.5-34.el7.s390.rpm python-libs-2.7.5-34.el7.s390x.rpm x86_64: python-2.7.5-34.el7.x86_64.rpm python-debuginfo-2.7.5-34.el7.i686.rpm python-debuginfo-2.7.5-34.el7.x86_64.rpm python-devel-2.7.5-34.el7.x86_64.rpm python-libs-2.7.5-34.el7.i686.rpm python-libs-2.7.5-34.el7.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 
7): aarch64: python-debug-2.7.5-34.el7.aarch64.rpm python-debuginfo-2.7.5-34.el7.aarch64.rpm python-test-2.7.5-34.el7.aarch64.rpm python-tools-2.7.5-34.el7.aarch64.rpm tkinter-2.7.5-34.el7.aarch64.rpm ppc64: python-debug-2.7.5-34.el7.ppc64.rpm python-debuginfo-2.7.5-34.el7.ppc64.rpm python-test-2.7.5-34.el7.ppc64.rpm python-tools-2.7.5-34.el7.ppc64.rpm tkinter-2.7.5-34.el7.ppc64.rpm ppc64le: python-debug-2.7.5-34.el7.ppc64le.rpm python-debuginfo-2.7.5-34.el7.ppc64le.rpm python-test-2.7.5-34.el7.ppc64le.rpm python-tools-2.7.5-34.el7.ppc64le.rpm tkinter-2.7.5-34.el7.ppc64le.rpm s390x: python-debug-2.7.5-34.el7.s390x.rpm python-debuginfo-2.7.5-34.el7.s390x.rpm python-test-2.7.5-34.el7.s390x.rpm python-tools-2.7.5-34.el7.s390x.rpm tkinter-2.7.5-34.el7.s390x.rpm x86_64: python-debug-2.7.5-34.el7.x86_64.rpm python-debuginfo-2.7.5-34.el7.x86_64.rpm python-test-2.7.5-34.el7.x86_64.rpm python-tools-2.7.5-34.el7.x86_64.rpm tkinter-2.7.5-34.el7.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 7): Source: python-2.7.5-34.el7.src.rpm x86_64: python-2.7.5-34.el7.x86_64.rpm python-debuginfo-2.7.5-34.el7.i686.rpm python-debuginfo-2.7.5-34.el7.x86_64.rpm python-devel-2.7.5-34.el7.x86_64.rpm python-libs-2.7.5-34.el7.i686.rpm python-libs-2.7.5-34.el7.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 7): x86_64: python-debug-2.7.5-34.el7.x86_64.rpm python-debuginfo-2.7.5-34.el7.x86_64.rpm python-test-2.7.5-34.el7.x86_64.rpm python-tools-2.7.5-34.el7.x86_64.rpm tkinter-2.7.5-34.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. 
References: https://access.redhat.com/security/cve/CVE-2013-1752 https://access.redhat.com/security/cve/CVE-2013-1753 https://access.redhat.com/security/cve/CVE-2014-4616 https://access.redhat.com/security/cve/CVE-2014-4650 https://access.redhat.com/security/cve/CVE-2014-7185 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/articles/2039753 https://www.python.org/dev/peps/pep-0466/ 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2015 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFWTj/SXlSAg2UNWIIRAuXcAKCCJdw1P4H3y4fnhu6lXW2AcADYJgCfRO+v qMX3qLAXBobeDiPX4eN9Pxc= =JQMw -----END PGP SIGNATURE----- From bugzilla at redhat.com Thu Nov 19 21:32:14 2015 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 19 Nov 2015 16:32:14 -0500 Subject: [RHSA-2015:2108-03] Moderate: cpio security and bug fix update Message-ID: <201511192132.tAJLWEo9029392@int-mx11.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: cpio security and bug fix update Advisory ID: RHSA-2015:2108-03 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-2108.html Issue date: 2015-11-19 CVE Names: CVE-2014-9112 ===================================================================== 1. Summary: Updated cpio packages that fix one security issue and two bugs are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Client (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode (v. 
7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64

3. Description:

The cpio packages provide the GNU cpio utility for creating and extracting archives, or copying files from one place to another.

A heap-based buffer overflow flaw was found in cpio's list_file() function. An attacker could provide a specially crafted archive that, when processed by cpio, would crash cpio, or potentially lead to arbitrary code execution. (CVE-2014-9112)

This update fixes the following bugs:

* Previously, during archive creation, cpio internals did not detect a read() system call failure. Based on the premise that the call succeeded, cpio terminated unexpectedly with a segmentation fault without processing further files. The underlying source code has been patched, and an archive is now created successfully. (BZ#1138148)

* Previously, running the cpio command without parameters on Red Hat Enterprise Linux 7 with Russian as the default language resulted in an error message that was not accurate in Russian due to an error in spelling. This has been corrected and the Russian error message is spelled correctly. (BZ#1075513)

All cpio users are advised to upgrade to these updated packages, which contain backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1075513 - [PATCH] Typo in ru.po
1167571 - CVE-2014-9112 cpio: heap-based buffer overflow flaw in list_file()

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:
cpio-2.11-24.el7.src.rpm

x86_64:
cpio-2.11-24.el7.x86_64.rpm
cpio-debuginfo-2.11-24.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v.
7): Source: cpio-2.11-24.el7.src.rpm x86_64: cpio-2.11-24.el7.x86_64.rpm cpio-debuginfo-2.11-24.el7.x86_64.rpm Red Hat Enterprise Linux Server (v. 7): Source: cpio-2.11-24.el7.src.rpm aarch64: cpio-2.11-24.el7.aarch64.rpm cpio-debuginfo-2.11-24.el7.aarch64.rpm ppc64: cpio-2.11-24.el7.ppc64.rpm cpio-debuginfo-2.11-24.el7.ppc64.rpm ppc64le: cpio-2.11-24.el7.ppc64le.rpm cpio-debuginfo-2.11-24.el7.ppc64le.rpm s390x: cpio-2.11-24.el7.s390x.rpm cpio-debuginfo-2.11-24.el7.s390x.rpm x86_64: cpio-2.11-24.el7.x86_64.rpm cpio-debuginfo-2.11-24.el7.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 7): Source: cpio-2.11-24.el7.src.rpm x86_64: cpio-2.11-24.el7.x86_64.rpm cpio-debuginfo-2.11-24.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2014-9112 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2015 Red Hat, Inc. 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFWTj/dXlSAg2UNWIIRAtX1AJ48isCW7XlptLeEO/HS+AoV1IPMegCgpgUU
rBAy5UvG6cOssddJocJXgg8=
=fTLf
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Nov 19 21:32:25 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 19 Nov 2015 16:32:25 -0500
Subject: [RHSA-2015:2111-07] Low: grep security and bug fix update
Message-ID: <201511192132.tAJLWPqi009698@int-mx10.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Low: grep security and bug fix update
Advisory ID: RHSA-2015:2111-07
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-2111.html
Issue date: 2015-11-19
CVE Names: CVE-2015-1345
=====================================================================

1. Summary:

Updated grep packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64

3. Description:

The grep utility searches through textual input for lines that contain a match to a specified pattern and then prints the matching lines. The GNU grep utilities include grep, egrep, and fgrep.

A heap-based buffer overflow flaw was found in the way grep processed certain pattern and text combinations. An attacker able to trick a user into running grep on specially crafted input could use this flaw to crash grep or, potentially, read from uninitialized memory. (CVE-2015-1345)

This update also fixes the following bugs:

* Prior to this update, the \w and \W symbols were inconsistently matched to the [:alnum:] character class. Consequently, using regular expressions with "\w" and "\W" could lead to incorrect results. With this update, "\w" is consistently matched to the [_[:alnum:]] character, and "\W" is consistently matched to the [^_[:alnum:]] character. (BZ#1159012)

* Previously, the Perl Compatible Regular Expression (PCRE) matcher (selected by the "-P" parameter in grep) did not work correctly when matching non-UTF-8 text in UTF-8 locales. Consequently, an error message about invalid UTF-8 byte sequence characters was returned. To fix this bug, patches from upstream have been applied to the grep utility. As a result, PCRE now skips non-UTF-8 characters as non-matching text without returning any error message. (BZ#1217080)

All grep users are advised to upgrade to these updated packages, which contain backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1103259 - undocumented option --fixed-regexp
1159012 - inconsistent \w and [[:alnum:]] behaviour
1183651 - CVE-2015-1345 grep: heap buffer overrun

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:
grep-2.20-2.el7.src.rpm

x86_64:
grep-2.20-2.el7.x86_64.rpm
grep-debuginfo-2.20-2.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
grep-2.20-2.el7.src.rpm

x86_64:
grep-2.20-2.el7.x86_64.rpm
grep-debuginfo-2.20-2.el7.x86_64.rpm

Red Hat Enterprise Linux Server (v.
7): Source: grep-2.20-2.el7.src.rpm aarch64: grep-2.20-2.el7.aarch64.rpm grep-debuginfo-2.20-2.el7.aarch64.rpm ppc64: grep-2.20-2.el7.ppc64.rpm grep-debuginfo-2.20-2.el7.ppc64.rpm ppc64le: grep-2.20-2.el7.ppc64le.rpm grep-debuginfo-2.20-2.el7.ppc64le.rpm s390x: grep-2.20-2.el7.s390x.rpm grep-debuginfo-2.20-2.el7.s390x.rpm x86_64: grep-2.20-2.el7.x86_64.rpm grep-debuginfo-2.20-2.el7.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 7): Source: grep-2.20-2.el7.src.rpm x86_64: grep-2.20-2.el7.x86_64.rpm grep-debuginfo-2.20-2.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2015-1345 https://access.redhat.com/security/updates/classification/#low 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2015 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFWTj/oXlSAg2UNWIIRAmLoAKCzSmXX5ktdOLkFscvLrEzhCHDCOQCgwAba 21ij1MSsoc5FnUPC9/HCHJg= =Luf+ -----END PGP SIGNATURE----- From bugzilla at redhat.com Thu Nov 19 21:33:31 2015 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 19 Nov 2015 16:33:31 -0500 Subject: [RHSA-2015:2131-03] Moderate: openldap security, bug fix, and enhancement update Message-ID: <201511192133.tAJLXV8t006929@int-mx09.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: openldap security, bug fix, and enhancement update Advisory ID: RHSA-2015:2131-03 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-2131.html Issue date: 2015-11-19 CVE Names: CVE-2015-3276 ===================================================================== 1. 
Summary:

Updated openldap packages that fix one security issue, several bugs, and add one enhancement are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

OpenLDAP is an open-source suite of Lightweight Directory Access Protocol (LDAP) applications and development tools. LDAP is a set of protocols used to access and maintain distributed directory information services over an IP network. The openldap packages contain configuration files, libraries, and documentation for OpenLDAP.

A flaw was found in the way OpenLDAP parsed OpenSSL-style cipher strings. As a result, OpenLDAP could potentially use ciphers that were not intended to be enabled. (CVE-2015-3276)

This issue was discovered by Martin Poole of the Red Hat Software Maintenance Engineering group.

The openldap packages have been upgraded to upstream version 2.4.40, which provides a number of bug fixes and one enhancement over the previous version:

* The ORDERING matching rules have been added to the ppolicy attribute type descriptions.

* The server no longer terminates unexpectedly when processing SRV records.

* Missing objectClass information has been added, which enables the user to modify the front-end configuration by standard means. (BZ#1147982)

This update also fixes the following bugs:

* Previously, OpenLDAP did not properly handle a number of simultaneous updates. As a consequence, sending a number of parallel update requests to the server could cause a deadlock. With this update, a superfluous locking mechanism causing the deadlock has been removed, thus fixing the bug. (BZ#1125152)

* The httpd service sometimes terminated unexpectedly with a segmentation fault on the libldap library unload. The underlying source code has been modified to prevent a bad memory access error that caused the bug to occur. As a result, httpd no longer crashes in this situation. (BZ#1158005)

* After upgrading the system from Red Hat Enterprise Linux 6 to Red Hat Enterprise Linux 7, symbolic links to certain libraries unexpectedly pointed to locations belonging to the openldap-devel package. If the user uninstalled openldap-devel, the symbolic links were broken and the "rpm -V openldap" command sometimes produced errors. With this update, the symbolic links no longer get broken in the described situation. If the user downgrades openldap to version 2.4.39-6 or earlier, the symbolic links might break. After such downgrade, it is recommended to verify that the symbolic links did not break. To do this, make sure the yum-plugin-verify package is installed and obtain the target libraries by running the "rpm -V openldap" or "yum verify openldap" command. (BZ#1230263)

In addition, this update adds the following enhancement:

* OpenLDAP clients now automatically choose the Network Security Services (NSS) default cipher suites for communication with the server. It is no longer necessary to maintain the default cipher suites manually in the OpenLDAP source code. (BZ#1245279)

All openldap users are advised to upgrade to these updated packages, which correct these issues and add this enhancement.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1147982 - Rebase openldap to 2.4.40
1158005 - OpenLDAP crash in NSS shutdown handling
1174634 - pwdChecker library requires version in pwdCheckModule attribute
1174723 - values for pwdChecker are not set to default values
1175415 - openldap: crash in ldap_domain2hostlist when processing SRV records
1184585 - slaptest doesn't convert perlModuleConfig lines
1209229 - openldap-servers leverages 'find' from findutils which is not a dep of the rpm
1226600 - olcDatabase in olcFrontend attribute incorrect/faulty
1230263 - rpm -V openldap complains
1231228 - automount via ldap with TLS/SSL support is not working
1238322 - CVE-2015-3276 openldap: incorrect multi-keyword mode cipherstring parsing
1245279 - OpenLDAP doesn't use sane (or default) cipher order

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:
openldap-2.4.40-8.el7.src.rpm

x86_64:
openldap-2.4.40-8.el7.i686.rpm
openldap-2.4.40-8.el7.x86_64.rpm
openldap-clients-2.4.40-8.el7.x86_64.rpm
openldap-debuginfo-2.4.40-8.el7.i686.rpm
openldap-debuginfo-2.4.40-8.el7.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

x86_64:
openldap-debuginfo-2.4.40-8.el7.i686.rpm
openldap-debuginfo-2.4.40-8.el7.x86_64.rpm
openldap-devel-2.4.40-8.el7.i686.rpm
openldap-devel-2.4.40-8.el7.x86_64.rpm
openldap-servers-2.4.40-8.el7.x86_64.rpm
openldap-servers-sql-2.4.40-8.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
openldap-2.4.40-8.el7.src.rpm

x86_64:
openldap-2.4.40-8.el7.i686.rpm
openldap-2.4.40-8.el7.x86_64.rpm
openldap-clients-2.4.40-8.el7.x86_64.rpm
openldap-debuginfo-2.4.40-8.el7.i686.rpm
openldap-debuginfo-2.4.40-8.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v.
7): x86_64: openldap-debuginfo-2.4.40-8.el7.i686.rpm openldap-debuginfo-2.4.40-8.el7.x86_64.rpm openldap-devel-2.4.40-8.el7.i686.rpm openldap-devel-2.4.40-8.el7.x86_64.rpm openldap-servers-2.4.40-8.el7.x86_64.rpm openldap-servers-sql-2.4.40-8.el7.x86_64.rpm Red Hat Enterprise Linux Server (v. 7): Source: openldap-2.4.40-8.el7.src.rpm aarch64: openldap-2.4.40-8.el7.aarch64.rpm openldap-clients-2.4.40-8.el7.aarch64.rpm openldap-debuginfo-2.4.40-8.el7.aarch64.rpm openldap-devel-2.4.40-8.el7.aarch64.rpm openldap-servers-2.4.40-8.el7.aarch64.rpm ppc64: openldap-2.4.40-8.el7.ppc.rpm openldap-2.4.40-8.el7.ppc64.rpm openldap-clients-2.4.40-8.el7.ppc64.rpm openldap-debuginfo-2.4.40-8.el7.ppc.rpm openldap-debuginfo-2.4.40-8.el7.ppc64.rpm openldap-devel-2.4.40-8.el7.ppc.rpm openldap-devel-2.4.40-8.el7.ppc64.rpm openldap-servers-2.4.40-8.el7.ppc64.rpm ppc64le: openldap-2.4.40-8.el7.ppc64le.rpm openldap-clients-2.4.40-8.el7.ppc64le.rpm openldap-debuginfo-2.4.40-8.el7.ppc64le.rpm openldap-devel-2.4.40-8.el7.ppc64le.rpm openldap-servers-2.4.40-8.el7.ppc64le.rpm s390x: openldap-2.4.40-8.el7.s390.rpm openldap-2.4.40-8.el7.s390x.rpm openldap-clients-2.4.40-8.el7.s390x.rpm openldap-debuginfo-2.4.40-8.el7.s390.rpm openldap-debuginfo-2.4.40-8.el7.s390x.rpm openldap-devel-2.4.40-8.el7.s390.rpm openldap-devel-2.4.40-8.el7.s390x.rpm openldap-servers-2.4.40-8.el7.s390x.rpm x86_64: openldap-2.4.40-8.el7.i686.rpm openldap-2.4.40-8.el7.x86_64.rpm openldap-clients-2.4.40-8.el7.x86_64.rpm openldap-debuginfo-2.4.40-8.el7.i686.rpm openldap-debuginfo-2.4.40-8.el7.x86_64.rpm openldap-devel-2.4.40-8.el7.i686.rpm openldap-devel-2.4.40-8.el7.x86_64.rpm openldap-servers-2.4.40-8.el7.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 
7): aarch64: openldap-debuginfo-2.4.40-8.el7.aarch64.rpm openldap-servers-sql-2.4.40-8.el7.aarch64.rpm ppc64: openldap-debuginfo-2.4.40-8.el7.ppc64.rpm openldap-servers-sql-2.4.40-8.el7.ppc64.rpm ppc64le: openldap-debuginfo-2.4.40-8.el7.ppc64le.rpm openldap-servers-sql-2.4.40-8.el7.ppc64le.rpm s390x: openldap-debuginfo-2.4.40-8.el7.s390x.rpm openldap-servers-sql-2.4.40-8.el7.s390x.rpm x86_64: openldap-debuginfo-2.4.40-8.el7.x86_64.rpm openldap-servers-sql-2.4.40-8.el7.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 7): Source: openldap-2.4.40-8.el7.src.rpm x86_64: openldap-2.4.40-8.el7.i686.rpm openldap-2.4.40-8.el7.x86_64.rpm openldap-clients-2.4.40-8.el7.x86_64.rpm openldap-debuginfo-2.4.40-8.el7.i686.rpm openldap-debuginfo-2.4.40-8.el7.x86_64.rpm openldap-devel-2.4.40-8.el7.i686.rpm openldap-devel-2.4.40-8.el7.x86_64.rpm openldap-servers-2.4.40-8.el7.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 7): x86_64: openldap-debuginfo-2.4.40-8.el7.x86_64.rpm openldap-servers-sql-2.4.40-8.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2015-3276 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2015 Red Hat, Inc. 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFWTkAqXlSAg2UNWIIRApiCAJ44SptkF3iHK4PzvRFEUVr9a7n1/QCfRzvk
RLWIUgb0gZuTaV7Oz1bKfvI=
=qJ1g
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Nov 19 21:33:46 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 19 Nov 2015 16:33:46 -0500
Subject: [RHSA-2015:2140-07] Low: libssh2 security and bug fix update
Message-ID: <201511192133.tAJLXkjT030255@int-mx11.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Low: libssh2 security and bug fix update
Advisory ID: RHSA-2015:2140-07
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-2140.html
Issue date: 2015-11-19
CVE Names: CVE-2015-1782
=====================================================================

1. Summary:

Updated libssh2 packages that fix one security issue and two bugs are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux Server (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - aarch64, noarch, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch, x86_64

3. Description:

The libssh2 packages provide a library that implements the SSH2 protocol.

A flaw was found in the way the kex_agree_methods() function of libssh2 performed a key exchange when negotiating a new SSH session. A man-in-the-middle attacker could use a crafted SSH_MSG_KEXINIT packet to crash a connecting libssh2 client. (CVE-2015-1782)

This update also fixes the following bugs:

* Previously, libssh2 did not correctly adjust the size of the receive window while reading from an SSH channel. This caused downloads over the secure copy (SCP) protocol to consume an excessive amount of memory. A series of upstream patches has been applied on the libssh2 source code to improve handling of the receive window size. Now, SCP downloads work as expected. (BZ#1080459)

* Prior to this update, libssh2 did not properly initialize an internal variable holding the SSH agent file descriptor, which caused the agent destructor to close the standard input file descriptor by mistake. An upstream patch has been applied on libssh2 sources to properly initialize the internal variable. Now, libssh2 closes only the file descriptors it owns. (BZ#1147717)

All libssh2 users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing these updated packages, all running applications using libssh2 must be restarted for this update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1147717 - free'ing a not-connected agent closes STDIN
1199511 - CVE-2015-1782 libssh2: Using SSH_MSG_KEXINIT data unbounded

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:
libssh2-1.4.3-10.el7.src.rpm

x86_64:
libssh2-1.4.3-10.el7.i686.rpm
libssh2-1.4.3-10.el7.x86_64.rpm
libssh2-debuginfo-1.4.3-10.el7.i686.rpm
libssh2-debuginfo-1.4.3-10.el7.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v.
7): noarch: libssh2-docs-1.4.3-10.el7.noarch.rpm x86_64: libssh2-debuginfo-1.4.3-10.el7.i686.rpm libssh2-debuginfo-1.4.3-10.el7.x86_64.rpm libssh2-devel-1.4.3-10.el7.i686.rpm libssh2-devel-1.4.3-10.el7.x86_64.rpm Red Hat Enterprise Linux ComputeNode (v. 7): Source: libssh2-1.4.3-10.el7.src.rpm x86_64: libssh2-1.4.3-10.el7.i686.rpm libssh2-1.4.3-10.el7.x86_64.rpm libssh2-debuginfo-1.4.3-10.el7.i686.rpm libssh2-debuginfo-1.4.3-10.el7.x86_64.rpm Red Hat Enterprise Linux ComputeNode Optional (v. 7): noarch: libssh2-docs-1.4.3-10.el7.noarch.rpm x86_64: libssh2-debuginfo-1.4.3-10.el7.i686.rpm libssh2-debuginfo-1.4.3-10.el7.x86_64.rpm libssh2-devel-1.4.3-10.el7.i686.rpm libssh2-devel-1.4.3-10.el7.x86_64.rpm Red Hat Enterprise Linux Server (v. 7): Source: libssh2-1.4.3-10.el7.src.rpm aarch64: libssh2-1.4.3-10.el7.aarch64.rpm libssh2-debuginfo-1.4.3-10.el7.aarch64.rpm ppc64: libssh2-1.4.3-10.el7.ppc.rpm libssh2-1.4.3-10.el7.ppc64.rpm libssh2-debuginfo-1.4.3-10.el7.ppc.rpm libssh2-debuginfo-1.4.3-10.el7.ppc64.rpm ppc64le: libssh2-1.4.3-10.el7.ppc64le.rpm libssh2-debuginfo-1.4.3-10.el7.ppc64le.rpm s390x: libssh2-1.4.3-10.el7.s390.rpm libssh2-1.4.3-10.el7.s390x.rpm libssh2-debuginfo-1.4.3-10.el7.s390.rpm libssh2-debuginfo-1.4.3-10.el7.s390x.rpm x86_64: libssh2-1.4.3-10.el7.i686.rpm libssh2-1.4.3-10.el7.x86_64.rpm libssh2-debuginfo-1.4.3-10.el7.i686.rpm libssh2-debuginfo-1.4.3-10.el7.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 
7): aarch64: libssh2-debuginfo-1.4.3-10.el7.aarch64.rpm libssh2-devel-1.4.3-10.el7.aarch64.rpm noarch: libssh2-docs-1.4.3-10.el7.noarch.rpm ppc64: libssh2-debuginfo-1.4.3-10.el7.ppc.rpm libssh2-debuginfo-1.4.3-10.el7.ppc64.rpm libssh2-devel-1.4.3-10.el7.ppc.rpm libssh2-devel-1.4.3-10.el7.ppc64.rpm ppc64le: libssh2-debuginfo-1.4.3-10.el7.ppc64le.rpm libssh2-devel-1.4.3-10.el7.ppc64le.rpm s390x: libssh2-debuginfo-1.4.3-10.el7.s390.rpm libssh2-debuginfo-1.4.3-10.el7.s390x.rpm libssh2-devel-1.4.3-10.el7.s390.rpm libssh2-devel-1.4.3-10.el7.s390x.rpm x86_64: libssh2-debuginfo-1.4.3-10.el7.i686.rpm libssh2-debuginfo-1.4.3-10.el7.x86_64.rpm libssh2-devel-1.4.3-10.el7.i686.rpm libssh2-devel-1.4.3-10.el7.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 7): Source: libssh2-1.4.3-10.el7.src.rpm x86_64: libssh2-1.4.3-10.el7.i686.rpm libssh2-1.4.3-10.el7.x86_64.rpm libssh2-debuginfo-1.4.3-10.el7.i686.rpm libssh2-debuginfo-1.4.3-10.el7.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 7): noarch: libssh2-docs-1.4.3-10.el7.noarch.rpm x86_64: libssh2-debuginfo-1.4.3-10.el7.i686.rpm libssh2-debuginfo-1.4.3-10.el7.x86_64.rpm libssh2-devel-1.4.3-10.el7.i686.rpm libssh2-devel-1.4.3-10.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2015-1782 https://access.redhat.com/security/updates/classification/#low 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2015 Red Hat, Inc. 
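The KEXINIT flaw above is a length-validation problem: the packet carries ten name-lists, each prefixed by a uint32 length that the peer controls, and a parser that trusts those lengths reads past the end of the packet. The following is an added example, not libssh2 code, of how such a parser checks every length against the bytes actually remaining before using it (RFC 4253, section 7.1 layout). The packet builder, the fixed cookie value and the algorithm names are constructed for the demonstration.

```c
/* Added example, not libssh2 code: a bounds-checked walk over the ten
 * name-lists of an SSH_MSG_KEXINIT payload (RFC 4253, section 7.1).
 * Each uint32 length is validated against the bytes actually left in the
 * packet before it is trusted, which is the check whose absence let a
 * crafted KEXINIT crash a connecting client (CVE-2015-1782). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SSH_MSG_KEXINIT    20
#define KEXINIT_COOKIE_LEN 16
#define KEXINIT_NAMELISTS  10

/* A view of one name-list inside the packet buffer: pointer plus length, no copy. */
struct namelist {
    const uint8_t *data;
    uint32_t len;
};

/* Read a big-endian uint32 at *off and advance; fail unless 4 bytes remain. */
static int read_u32(const uint8_t *buf, size_t buflen, size_t *off, uint32_t *out)
{
    if (buflen - *off < 4)
        return -1;
    *out = ((uint32_t)buf[*off] << 24) | ((uint32_t)buf[*off + 1] << 16) |
           ((uint32_t)buf[*off + 2] << 8) | (uint32_t)buf[*off + 3];
    *off += 4;
    return 0;
}

/* Parse a KEXINIT payload into `lists`. Returns 0 on success, -1 when the
 * packet is not a KEXINIT, is truncated, or carries a length that does not
 * fit in the bytes remaining. */
int parse_kexinit(const uint8_t *buf, size_t buflen,
                  struct namelist lists[KEXINIT_NAMELISTS])
{
    if (buflen < 1 + KEXINIT_COOKIE_LEN || buf[0] != SSH_MSG_KEXINIT)
        return -1;
    size_t off = 1 + KEXINIT_COOKIE_LEN;        /* skip type byte and cookie */
    for (int i = 0; i < KEXINIT_NAMELISTS; i++) {
        uint32_t len;
        if (read_u32(buf, buflen, &off, &len) != 0)
            return -1;
        if (len > buflen - off)                 /* peer-controlled length */
            return -1;
        lists[i].data = buf + off;
        lists[i].len = len;
        off += len;
    }
    /* first_kex_packet_follows (1 byte) and the reserved uint32 must follow. */
    return buflen - off < 5 ? -1 : 0;
}

/* Serialise ten name-lists into a KEXINIT payload; returns bytes written,
 * or 0 if `out` is too small. Constructed helper for the demonstration. */
size_t build_kexinit(const char *const names[KEXINIT_NAMELISTS],
                     uint8_t *out, size_t outlen)
{
    if (outlen < 1 + KEXINIT_COOKIE_LEN)
        return 0;
    size_t off = 0;
    out[off++] = SSH_MSG_KEXINIT;
    memset(out + off, 0x42, KEXINIT_COOKIE_LEN);  /* constructed, fixed cookie */
    off += KEXINIT_COOKIE_LEN;
    for (int i = 0; i < KEXINIT_NAMELISTS; i++) {
        size_t n = strlen(names[i]);
        if (outlen - off < 4 + n)
            return 0;
        out[off++] = (uint8_t)(n >> 24); out[off++] = (uint8_t)(n >> 16);
        out[off++] = (uint8_t)(n >> 8);  out[off++] = (uint8_t)n;
        memcpy(out + off, names[i], n);
        off += n;
    }
    if (outlen - off < 5)
        return 0;
    out[off++] = 0;                               /* first_kex_packet_follows = false */
    memset(out + off, 0, 4);                      /* reserved */
    return off + 4;
}

/* Self-check: a well-formed packet parses and its second list reads back as
 * "ssh-rsa"; the same packet with its first length field inflated to
 * 0x7fffffff is rejected instead of being read past the end of the buffer.
 * Returns 1 when both hold. */
int kexinit_demo(void)
{
    static const char *const names[KEXINIT_NAMELISTS] = {
        "diffie-hellman-group14-sha1", "ssh-rsa", "aes128-ctr", "aes128-ctr",
        "hmac-sha1", "hmac-sha1", "none", "none", "", ""
    };
    uint8_t pkt[256];
    struct namelist lists[KEXINIT_NAMELISTS];
    size_t n = build_kexinit(names, pkt, sizeof pkt);
    if (n == 0 || parse_kexinit(pkt, n, lists) != 0)
        return 0;
    if (lists[1].len != 7 || memcmp(lists[1].data, "ssh-rsa", 7) != 0)
        return 0;
    pkt[17] = 0x7f; pkt[18] = 0xff; pkt[19] = 0xff; pkt[20] = 0xff;
    return parse_kexinit(pkt, n, lists) == -1;
}

int main(void)
{
    int ok = kexinit_demo();
    printf("kexinit bounds check: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

The two comparisons `buflen - *off < 4` and `len > buflen - off` are written in the subtraction form on purpose: `off + len > buflen` with a 32-bit `len` can wrap on a 32-bit `size_t`, while `buflen - off` cannot go below zero because `off` never exceeds `buflen`.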
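The second bug (BZ#1147717) is a descriptor-ownership mistake rather than a protocol one. The following added example, not libssh2 code, reduces it to a small handle type: a file-descriptor field left at zero cannot be told apart from fd 0, so an unconditional close() in the destructor closes the process's stdin for a handle that never connected. The `agent_handle` type and the demo routine are constructed for illustration.

```c
/* Added example, not libssh2 code: the descriptor-ownership mistake behind
 * BZ#1147717, reduced to a small handle type. A file-descriptor field that
 * is left zero-initialised cannot be told apart from fd 0 (stdin), so a
 * destructor that closes it unconditionally closes stdin for a handle that
 * never connected. The fixed variant uses -1 as "not open" and closes only
 * a descriptor it actually owns. POSIX calls only. */
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>

struct agent_handle {
    int fd;                  /* socket to the agent, or -1 when not connected */
};

/* Buggy: calloc leaves fd at 0, which is a valid descriptor (stdin). */
struct agent_handle *agent_init_buggy(void)
{
    return calloc(1, sizeof(struct agent_handle));
}

void agent_free_buggy(struct agent_handle *a)
{
    close(a->fd);            /* never connected, yet this closes fd 0 */
    free(a);
}

/* Fixed: start from an explicit "not open" sentinel. */
struct agent_handle *agent_init_fixed(void)
{
    struct agent_handle *a = calloc(1, sizeof *a);
    if (a)
        a->fd = -1;
    return a;
}

void agent_free_fixed(struct agent_handle *a)
{
    if (a->fd >= 0)          /* close only what this handle owns */
        close(a->fd);
    free(a);
}

/* fcntl(F_GETFD) fails with EBADF once a descriptor has been closed. */
int fd_is_open(int fd)
{
    return fcntl(fd, F_GETFD) != -1;
}

/* Demonstration: runs the buggy and the fixed teardown and returns 1 when
 * the buggy path closed fd 0 and the fixed path left it open. A duplicate
 * of fd 0 is kept so the process's stdin is restored before returning. */
int agent_fd_demo(void)
{
    int ok = 1;
    /* Make sure fd 0 is open at all; some harnesses start with it closed. */
    if (!fd_is_open(0) && open("/dev/null", O_RDONLY) != 0)
        return 0;
    int saved = dup(0);
    if (saved < 0)
        return 0;

    struct agent_handle *a = agent_init_buggy();
    if (!a) { close(saved); return 0; }
    agent_free_buggy(a);
    if (fd_is_open(0))       /* expected: the unconnected handle closed stdin */
        ok = 0;
    if (dup2(saved, 0) < 0)  /* restore stdin */
        ok = 0;

    struct agent_handle *b = agent_init_fixed();
    if (!b) { close(saved); return 0; }
    agent_free_fixed(b);
    if (!fd_is_open(0))      /* expected: nothing owned, nothing closed */
        ok = 0;

    close(saved);
    return ok;
}

int main(void)
{
    return agent_fd_demo() ? 0 : 1;
}
```

The same rule applies to any resource handle whose "empty" value collides with a legal value: pick a sentinel that can never be valid (-1 for descriptors, NULL for pointers) and make the destructor test for it.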
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFWTkA5XlSAg2UNWIIRAhHeAKDDXLexWGqd0HUd1B8lkq4KQHxUPgCdHvpT
dPQp8MyMC4cwhobLU2M/n9w=
=vv7B
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Nov 19 21:34:02 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 19 Nov 2015 16:34:02 -0500
Subject: [RHSA-2015:2151-01] Low: xfsprogs security, bug fix and enhancement update
Message-ID: <201511192134.tAJLY2OR010526@int-mx10.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Low: xfsprogs security, bug fix and enhancement update
Advisory ID: RHSA-2015:2151-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-2151.html
Issue date: 2015-11-19
CVE Names: CVE-2012-2150
=====================================================================

1. Summary:

Updated xfsprogs packages that fix one security issue, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

The xfsprogs packages contain a set of commands to use the XFS file system, including the mkfs.xfs command to construct an XFS system.

It was discovered that the xfs_metadump tool of the xfsprogs suite did not fully adhere to the standards of obfuscation described in its man page. In case a user with the necessary privileges used xfs_metadump and relied on the advertised obfuscation, the generated data could contain unexpected traces of potentially sensitive information. (CVE-2012-2150)

The xfsprogs packages have been upgraded to upstream version 3.2.2, which provides a number of bug fixes and enhancements over the previous version. This release also includes updates present in upstream version 3.2.3, although it omits the mkfs.xfs default disk format change (for metadata checksumming) which is present upstream. (BZ#1223991)

Users of xfsprogs are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

817696 - CVE-2012-2150 xfsprogs: xfs_metadump information disclosure flaw
1201238 - xfs_repair verify the last secondary superblock corruption failed
1223991 - Rebase xfsprogs to 3.2.3 (pending upstream)

6. Package List:

Red Hat Enterprise Linux Client (v. 7):
Source: xfsprogs-3.2.2-2.el7.src.rpm
x86_64: xfsprogs-3.2.2-2.el7.i686.rpm xfsprogs-3.2.2-2.el7.x86_64.rpm xfsprogs-debuginfo-3.2.2-2.el7.i686.rpm xfsprogs-debuginfo-3.2.2-2.el7.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):
x86_64: xfsprogs-debuginfo-3.2.2-2.el7.i686.rpm xfsprogs-debuginfo-3.2.2-2.el7.x86_64.rpm xfsprogs-devel-3.2.2-2.el7.i686.rpm xfsprogs-devel-3.2.2-2.el7.x86_64.rpm xfsprogs-qa-devel-3.2.2-2.el7.i686.rpm xfsprogs-qa-devel-3.2.2-2.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):
Source: xfsprogs-3.2.2-2.el7.src.rpm
x86_64: xfsprogs-3.2.2-2.el7.i686.rpm xfsprogs-3.2.2-2.el7.x86_64.rpm xfsprogs-debuginfo-3.2.2-2.el7.i686.rpm xfsprogs-debuginfo-3.2.2-2.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):
x86_64: xfsprogs-debuginfo-3.2.2-2.el7.i686.rpm xfsprogs-debuginfo-3.2.2-2.el7.x86_64.rpm xfsprogs-devel-3.2.2-2.el7.i686.rpm xfsprogs-devel-3.2.2-2.el7.x86_64.rpm xfsprogs-qa-devel-3.2.2-2.el7.i686.rpm xfsprogs-qa-devel-3.2.2-2.el7.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):
Source: xfsprogs-3.2.2-2.el7.src.rpm
aarch64: xfsprogs-3.2.2-2.el7.aarch64.rpm xfsprogs-debuginfo-3.2.2-2.el7.aarch64.rpm
ppc64: xfsprogs-3.2.2-2.el7.ppc.rpm xfsprogs-3.2.2-2.el7.ppc64.rpm xfsprogs-debuginfo-3.2.2-2.el7.ppc.rpm xfsprogs-debuginfo-3.2.2-2.el7.ppc64.rpm
ppc64le: xfsprogs-3.2.2-2.el7.ppc64le.rpm xfsprogs-debuginfo-3.2.2-2.el7.ppc64le.rpm
s390x: xfsprogs-3.2.2-2.el7.s390.rpm xfsprogs-3.2.2-2.el7.s390x.rpm xfsprogs-debuginfo-3.2.2-2.el7.s390.rpm xfsprogs-debuginfo-3.2.2-2.el7.s390x.rpm
x86_64: xfsprogs-3.2.2-2.el7.i686.rpm xfsprogs-3.2.2-2.el7.x86_64.rpm xfsprogs-debuginfo-3.2.2-2.el7.i686.rpm xfsprogs-debuginfo-3.2.2-2.el7.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):
aarch64: xfsprogs-debuginfo-3.2.2-2.el7.aarch64.rpm xfsprogs-devel-3.2.2-2.el7.aarch64.rpm xfsprogs-qa-devel-3.2.2-2.el7.aarch64.rpm
ppc64: xfsprogs-debuginfo-3.2.2-2.el7.ppc.rpm xfsprogs-debuginfo-3.2.2-2.el7.ppc64.rpm xfsprogs-devel-3.2.2-2.el7.ppc.rpm xfsprogs-devel-3.2.2-2.el7.ppc64.rpm xfsprogs-qa-devel-3.2.2-2.el7.ppc.rpm xfsprogs-qa-devel-3.2.2-2.el7.ppc64.rpm
ppc64le: xfsprogs-debuginfo-3.2.2-2.el7.ppc64le.rpm xfsprogs-devel-3.2.2-2.el7.ppc64le.rpm xfsprogs-qa-devel-3.2.2-2.el7.ppc64le.rpm
s390x: xfsprogs-debuginfo-3.2.2-2.el7.s390.rpm xfsprogs-debuginfo-3.2.2-2.el7.s390x.rpm xfsprogs-devel-3.2.2-2.el7.s390.rpm xfsprogs-devel-3.2.2-2.el7.s390x.rpm xfsprogs-qa-devel-3.2.2-2.el7.s390.rpm xfsprogs-qa-devel-3.2.2-2.el7.s390x.rpm
x86_64: xfsprogs-debuginfo-3.2.2-2.el7.i686.rpm xfsprogs-debuginfo-3.2.2-2.el7.x86_64.rpm xfsprogs-devel-3.2.2-2.el7.i686.rpm xfsprogs-devel-3.2.2-2.el7.x86_64.rpm xfsprogs-qa-devel-3.2.2-2.el7.i686.rpm xfsprogs-qa-devel-3.2.2-2.el7.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):
Source: xfsprogs-3.2.2-2.el7.src.rpm
x86_64: xfsprogs-3.2.2-2.el7.i686.rpm xfsprogs-3.2.2-2.el7.x86_64.rpm xfsprogs-debuginfo-3.2.2-2.el7.i686.rpm xfsprogs-debuginfo-3.2.2-2.el7.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):
x86_64: xfsprogs-debuginfo-3.2.2-2.el7.i686.rpm xfsprogs-debuginfo-3.2.2-2.el7.x86_64.rpm xfsprogs-devel-3.2.2-2.el7.i686.rpm xfsprogs-devel-3.2.2-2.el7.x86_64.rpm xfsprogs-qa-devel-3.2.2-2.el7.i686.rpm xfsprogs-qa-devel-3.2.2-2.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2012-2150
https://access.redhat.com/security/updates/classification/#low

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
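The practical consequence of CVE-2012-2150 is that an xfs_metadump image should be checked, not assumed, to be free of the names it was supposed to obfuscate before it is shared with a support organisation. The following is an added example, not xfsprogs code: a raw-byte search for a list of names known to exist on the dumped file system, which works on the binary dump rather than on text lines. The file-reading helper, the in-memory sample dump and the sample names are assumptions constructed for the demonstration.

```c
/* Added example, not xfsprogs code: a check to run on an xfs_metadump
 * image before handing it to anyone, given that the advertised obfuscation
 * could leave traces of sensitive names (CVE-2012-2150). The dump is
 * binary, so the search works on raw bytes rather than lines. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Count how many of the `nnames` C strings occur verbatim in buf[0..len).
 * Each name is counted at most once; empty names are ignored. */
size_t count_cleartext_names(const uint8_t *buf, size_t len,
                             const char *const *names, size_t nnames)
{
    size_t hits = 0;
    for (size_t i = 0; i < nnames; i++) {
        size_t n = strlen(names[i]);
        if (n == 0 || n > len)
            continue;
        for (size_t off = 0; off + n <= len; off++) {
            if (memcmp(buf + off, names[i], n) == 0) {
                hits++;
                break;
            }
        }
    }
    return hits;
}

/* Assumed helper: load a whole file and scan it. Returns the hit count, or
 * (size_t)-1 if the file cannot be read. Real dumps can be large; a
 * production version would stream the file with an overlap of the longest
 * name so that matches spanning a chunk boundary are not missed. */
size_t scan_metadump_file(const char *path, const char *const *names, size_t nnames)
{
    FILE *f = fopen(path, "rb");
    if (!f)
        return (size_t)-1;
    size_t cap = 1 << 16, len = 0;
    uint8_t *buf = malloc(cap);
    if (!buf) { fclose(f); return (size_t)-1; }
    size_t got;
    while ((got = fread(buf + len, 1, cap - len, f)) > 0) {
        len += got;
        if (len == cap) {
            uint8_t *grown = realloc(buf, cap *= 2);
            if (!grown) { free(buf); fclose(f); return (size_t)-1; }
            buf = grown;
        }
    }
    fclose(f);
    size_t hits = count_cleartext_names(buf, len, names, nnames);
    free(buf);
    return hits;
}

/* Demonstration on a constructed in-memory "dump": one directory entry was
 * replaced by obfuscated bytes, another survived in clear text. Returns the
 * number of known names found (1 for this sample). */
size_t metadump_scan_demo(void)
{
    static const char *const known[] = { "payroll-2015.xlsx", "merger-draft.docx" };
    static const uint8_t dump[] =
        "\x58\x46\x53\x42" "\x00\x00\x10\x00"            /* "XFSB" magic, constructed header */
        "\x7a\x31\x9c\x04\xe2\x8b\x55\x10\xd0\x3f\x9e"   /* entry replaced by obfuscated bytes */
        "\x00\x00\x00\x00" "merger-draft.docx" "\x00";   /* entry that leaked in clear text */
    return count_cleartext_names(dump, sizeof dump, known, 2);
}

int main(int argc, char **argv)
{
    if (argc < 3) {
        printf("sample dump: %zu known name(s) in clear text\n", metadump_scan_demo());
        return 0;
    }
    /* usage: prog <metadump-file> <name>... */
    size_t hits = scan_metadump_file(argv[1], (const char *const *)argv + 2, (size_t)argc - 2);
    if (hits == (size_t)-1) { perror(argv[1]); return 2; }
    printf("%zu of %d name(s) found in clear text\n", hits, argc - 2);
    return hits ? 1 : 0;
}
```

A non-zero result means the image still carries identifiers the obfuscation was expected to remove; the same scan can be pointed at user names, host names or extended-attribute names, since the check is a plain substring match on bytes.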
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFWTkBJXlSAg2UNWIIRAoi8AJ9mZzQ69HHic+hbV8ddVnu35NaQfQCgm7+P
+WvUjZ8t7jpqpJFnwF8ZNhg=
=fF5T
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Nov 19 21:34:30 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 19 Nov 2015 16:34:30 -0500
Subject: [RHSA-2015:2152-02] Important: kernel security, bug fix, and enhancement update
Message-ID: <201511192134.tAJLYUpF011042@int-mx10.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Important: kernel security, bug fix, and enhancement update
Advisory ID: RHSA-2015:2152-02
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-2152.html
Issue date: 2015-11-19
CVE Names: CVE-2010-5313 CVE-2013-7421 CVE-2014-3647 CVE-2014-7842 CVE-2014-8171 CVE-2014-9419 CVE-2014-9644 CVE-2015-0239 CVE-2015-2925 CVE-2015-3339 CVE-2015-4170 CVE-2015-5283 CVE-2015-6526 CVE-2015-7613 CVE-2015-7837
=====================================================================

1. Summary:

Updated kernel packages that fix multiple security issues, address several hundred bugs, and add numerous enhancements are now available as part of the ongoing support and maintenance of Red Hat Enterprise Linux version 7. This is the second regular update.

Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - noarch, x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - noarch, x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - noarch, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

The kernel packages contain the Linux kernel, the core of any Linux operating system.

* A flaw was found in the way the Linux kernel's file system implementation handled rename operations in which the source was inside and the destination was outside of a bind mount. A privileged user inside a container could use this flaw to escape the bind mount and, potentially, escalate their privileges on the system. (CVE-2015-2925, Important)

* A race condition flaw was found in the way the Linux kernel's IPC subsystem initialized certain fields in an IPC object structure that were later used for permission checking before inserting the object into a globally visible list. A local, unprivileged user could potentially use this flaw to elevate their privileges on the system. (CVE-2015-7613, Important)

* It was found that reporting emulation failures to user space could lead to either a local (CVE-2014-7842) or a L2->L1 (CVE-2010-5313) denial of service. In the case of a local denial of service, an attacker must have access to the MMIO area or be able to access an I/O port. (CVE-2010-5313, CVE-2014-7842, Moderate)

* A flaw was found in the way the Linux kernel's KVM subsystem handled non-canonical addresses when emulating instructions that change the RIP (for example, branches or calls). A guest user with access to an I/O or MMIO region could use this flaw to crash the guest. (CVE-2014-3647, Moderate)

* It was found that the Linux kernel memory resource controller's (memcg) handling of OOM (out of memory) conditions could lead to deadlocks. An attacker could use this flaw to lock up the system. (CVE-2014-8171, Moderate)

* A race condition flaw was found between the chown and execve system calls. A local, unprivileged user could potentially use this flaw to escalate their privileges on the system. (CVE-2015-3339, Moderate)

* A flaw was discovered in the way the Linux kernel's TTY subsystem handled the tty shutdown phase. A local, unprivileged user could use this flaw to cause a denial of service on the system. (CVE-2015-4170, Moderate)

* A NULL pointer dereference flaw was found in the SCTP implementation. A local user could use this flaw to cause a denial of service on the system by triggering a kernel panic when creating multiple sockets in parallel while the system did not have the SCTP module loaded. (CVE-2015-5283, Moderate)

* A flaw was found in the way the Linux kernel's perf subsystem retrieved userlevel stack traces on PowerPC systems. A local, unprivileged user could use this flaw to cause a denial of service on the system. (CVE-2015-6526, Moderate)

* A flaw was found in the way the Linux kernel's Crypto subsystem handled automatic loading of kernel modules. A local user could use this flaw to load any installed kernel module, and thus increase the attack surface of the running kernel. (CVE-2013-7421, CVE-2014-9644, Low)

* An information leak flaw was found in the way the Linux kernel changed certain segment registers and thread-local storage (TLS) during a context switch. A local, unprivileged user could use this flaw to leak the user space TLS base address of an arbitrary process. (CVE-2014-9419, Low)

* It was found that the Linux kernel KVM subsystem's sysenter instruction emulation was not sufficient. An unprivileged guest user could use this flaw to escalate their privileges by tricking the hypervisor to emulate a SYSENTER instruction in 16-bit mode, if the guest OS did not initialize the SYSENTER model-specific registers (MSRs). Note: Certified guest operating systems for Red Hat Enterprise Linux with KVM do initialize the SYSENTER MSRs and are thus not vulnerable to this issue when running on a KVM hypervisor. (CVE-2015-0239, Low)

* A flaw was found in the way the Linux kernel handled the securelevel functionality after performing a kexec operation. A local attacker could use this flaw to bypass the security mechanism of the securelevel/secureboot combination. (CVE-2015-7837, Low)

4. Solution:

Red Hat would like to thank Nadav Amit for reporting the CVE-2010-5313, CVE-2014-3647, CVE-2014-7842, and CVE-2015-0239 issues; and Linn Crosetto of HP for reporting the CVE-2015-7837 issue. The CVE-2015-5283 issue was discovered by Ji Jianwen from Red Hat engineering.

This update fixes several hundred bugs and adds numerous enhancements. Refer to the Red Hat Enterprise Linux 7.2 Release Notes for information on the most significant of these changes, and the following Knowledge base article for further information:

https://access.redhat.com/articles/1749293

All Red Hat Enterprise Linux 7 users are advised to install these updated packages, which correct these issues and add these enhancements. The system must be rebooted for this update to take effect.

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

839466 - ext4: ext4 driver should reject nonsensical mount options for ext2 and ext3
1033907 - Test case failure: Outputs - DVI on Radeon HD 7850 [1002:6819]
1033908 - Test case failure: Multihead - Large Desktop on Radeon HD 7850 [1002:6819]
1033910 - Test case failure: Panning on Radeon HD 7850 [1002:6819]
1033911 - Test case failure: Screen - Change Monitors on Radeon HD 7850 [1002:6819]
1034497 - Test case failure: KMS - Log out after suspend/resume on AMD/ATI Kaveri [1002:1304]
1036792 - PXE boot 5-10x slower in RHEL due to invalid guest state emulation
1064059 - clock_nanosleep returns early with TIMER_ABSTIME
1076738 - No RHGB on some new ATI hardware
1076769 - Test case failure: KMS - Log out after suspend/resume on ATI Pitcairn PRO [Radeon HD 7850] [1002:6819]
1144897 - CVE-2014-3647 kernel: kvm: noncanonical rip after emulation
1163762 - CVE-2010-5313 CVE-2014-7842 kernel: kvm: reporting emulation failures to userspace
1177260 - CVE-2014-9419 kernel: partial ASLR bypass through TLS base addresses leak
1182243 - partition scan in losetup does not succeed when bound repeatedly
1184155 - Dynamic tickless feature not working in RHEL7 KVM guest
1185469 - CVE-2013-7421 Linux kernel: crypto api unprivileged arbitrary module load via request_module()
1186112 - [thinkpad] Support the Lenovo early 2015 models touchpad (X1 Carbon 3rd, T450, W541)
1186448 - CVE-2015-0239 kernel: kvm: insufficient sysenter emulation when invoked from 16-bit code
1190546 - CVE-2014-9644 Linux kernel: crypto api unprivileged arbitrary module load via request_module()
1191604 - DM RAID - Add support for 'raid0' mappings to device-mapper raid target
1198109 - CVE-2014-8171 kernel: memcg: OOM handling DoS
1205258 - Busy loop in recv(MSG_PEEK|MSG_WAITALL)
1206198 - Intel 9-series PCH chipset ACS quirks
1209367 - CVE-2015-2925 Kernel: vfs: Do not allow escaping from bind mounts
1214030 - CVE-2015-3339 kernel: race condition between chown() and execve()
1218454 - CVE-2015-6526 kernel: perf on ppc64 can loop forever getting userlevel stacktraces
1218879 - CVE-2015-4170 kernel: pty layer race condition on tty ldisc shutdown.
1243998 - CVE-2015-7837 kernel: securelevel disabled after kexec [rhel-7.2]
1249107 - [targetcli] cannot discover iSCSI target with IPv6
1251331 - Lenovo W541 Xorg freezes when mini display port cable is plugged in - 3.10.0-267.el7 WARNING: at drivers/gpu/drm/drm_dp_mst_topology.c:1272 process_single_tx_qlock+0x4b6/0x540 [drm_kms_helper]()
1257528 - CVE-2015-5283 kernel: Creating multiple sockets when SCTP module isn't loaded leads to kernel panic
1268270 - CVE-2015-7613 kernel: Unauthorized access to IPC objects with SysV shm
1272472 - CVE-2015-7837 kernel: securelevel disabled after kexec

6. Package List:

Red Hat Enterprise Linux Client (v. 7):
Source: kernel-3.10.0-327.el7.src.rpm
noarch: kernel-abi-whitelists-3.10.0-327.el7.noarch.rpm kernel-doc-3.10.0-327.el7.noarch.rpm
x86_64: kernel-3.10.0-327.el7.x86_64.rpm kernel-debug-3.10.0-327.el7.x86_64.rpm kernel-debug-debuginfo-3.10.0-327.el7.x86_64.rpm kernel-debug-devel-3.10.0-327.el7.x86_64.rpm kernel-debuginfo-3.10.0-327.el7.x86_64.rpm kernel-debuginfo-common-x86_64-3.10.0-327.el7.x86_64.rpm kernel-devel-3.10.0-327.el7.x86_64.rpm kernel-headers-3.10.0-327.el7.x86_64.rpm kernel-tools-3.10.0-327.el7.x86_64.rpm kernel-tools-debuginfo-3.10.0-327.el7.x86_64.rpm kernel-tools-libs-3.10.0-327.el7.x86_64.rpm perf-3.10.0-327.el7.x86_64.rpm perf-debuginfo-3.10.0-327.el7.x86_64.rpm python-perf-3.10.0-327.el7.x86_64.rpm python-perf-debuginfo-3.10.0-327.el7.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):
x86_64: kernel-debug-debuginfo-3.10.0-327.el7.x86_64.rpm kernel-debuginfo-3.10.0-327.el7.x86_64.rpm kernel-debuginfo-common-x86_64-3.10.0-327.el7.x86_64.rpm kernel-tools-debuginfo-3.10.0-327.el7.x86_64.rpm kernel-tools-libs-devel-3.10.0-327.el7.x86_64.rpm perf-debuginfo-3.10.0-327.el7.x86_64.rpm python-perf-debuginfo-3.10.0-327.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):
Source: kernel-3.10.0-327.el7.src.rpm
noarch: kernel-abi-whitelists-3.10.0-327.el7.noarch.rpm kernel-doc-3.10.0-327.el7.noarch.rpm
x86_64: kernel-3.10.0-327.el7.x86_64.rpm kernel-debug-3.10.0-327.el7.x86_64.rpm kernel-debug-debuginfo-3.10.0-327.el7.x86_64.rpm kernel-debug-devel-3.10.0-327.el7.x86_64.rpm kernel-debuginfo-3.10.0-327.el7.x86_64.rpm kernel-debuginfo-common-x86_64-3.10.0-327.el7.x86_64.rpm kernel-devel-3.10.0-327.el7.x86_64.rpm kernel-headers-3.10.0-327.el7.x86_64.rpm kernel-tools-3.10.0-327.el7.x86_64.rpm kernel-tools-debuginfo-3.10.0-327.el7.x86_64.rpm kernel-tools-libs-3.10.0-327.el7.x86_64.rpm perf-3.10.0-327.el7.x86_64.rpm perf-debuginfo-3.10.0-327.el7.x86_64.rpm python-perf-3.10.0-327.el7.x86_64.rpm python-perf-debuginfo-3.10.0-327.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):
x86_64: kernel-debug-debuginfo-3.10.0-327.el7.x86_64.rpm kernel-debuginfo-3.10.0-327.el7.x86_64.rpm kernel-debuginfo-common-x86_64-3.10.0-327.el7.x86_64.rpm kernel-tools-debuginfo-3.10.0-327.el7.x86_64.rpm kernel-tools-libs-devel-3.10.0-327.el7.x86_64.rpm perf-debuginfo-3.10.0-327.el7.x86_64.rpm python-perf-debuginfo-3.10.0-327.el7.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):
Source: kernel-3.10.0-327.el7.src.rpm
noarch: kernel-abi-whitelists-3.10.0-327.el7.noarch.rpm kernel-doc-3.10.0-327.el7.noarch.rpm
ppc64: kernel-3.10.0-327.el7.ppc64.rpm kernel-bootwrapper-3.10.0-327.el7.ppc64.rpm kernel-debug-3.10.0-327.el7.ppc64.rpm kernel-debug-debuginfo-3.10.0-327.el7.ppc64.rpm kernel-debug-devel-3.10.0-327.el7.ppc64.rpm kernel-debuginfo-3.10.0-327.el7.ppc64.rpm kernel-debuginfo-common-ppc64-3.10.0-327.el7.ppc64.rpm kernel-devel-3.10.0-327.el7.ppc64.rpm kernel-headers-3.10.0-327.el7.ppc64.rpm kernel-tools-3.10.0-327.el7.ppc64.rpm kernel-tools-debuginfo-3.10.0-327.el7.ppc64.rpm kernel-tools-libs-3.10.0-327.el7.ppc64.rpm perf-3.10.0-327.el7.ppc64.rpm perf-debuginfo-3.10.0-327.el7.ppc64.rpm python-perf-3.10.0-327.el7.ppc64.rpm python-perf-debuginfo-3.10.0-327.el7.ppc64.rpm
ppc64le: kernel-3.10.0-327.el7.ppc64le.rpm kernel-bootwrapper-3.10.0-327.el7.ppc64le.rpm kernel-debug-3.10.0-327.el7.ppc64le.rpm kernel-debug-debuginfo-3.10.0-327.el7.ppc64le.rpm kernel-debuginfo-3.10.0-327.el7.ppc64le.rpm kernel-debuginfo-common-ppc64le-3.10.0-327.el7.ppc64le.rpm kernel-devel-3.10.0-327.el7.ppc64le.rpm kernel-headers-3.10.0-327.el7.ppc64le.rpm kernel-tools-3.10.0-327.el7.ppc64le.rpm kernel-tools-debuginfo-3.10.0-327.el7.ppc64le.rpm kernel-tools-libs-3.10.0-327.el7.ppc64le.rpm perf-3.10.0-327.el7.ppc64le.rpm perf-debuginfo-3.10.0-327.el7.ppc64le.rpm python-perf-3.10.0-327.el7.ppc64le.rpm python-perf-debuginfo-3.10.0-327.el7.ppc64le.rpm
s390x: kernel-3.10.0-327.el7.s390x.rpm kernel-debug-3.10.0-327.el7.s390x.rpm kernel-debug-debuginfo-3.10.0-327.el7.s390x.rpm kernel-debug-devel-3.10.0-327.el7.s390x.rpm kernel-debuginfo-3.10.0-327.el7.s390x.rpm kernel-debuginfo-common-s390x-3.10.0-327.el7.s390x.rpm kernel-devel-3.10.0-327.el7.s390x.rpm kernel-headers-3.10.0-327.el7.s390x.rpm kernel-kdump-3.10.0-327.el7.s390x.rpm kernel-kdump-debuginfo-3.10.0-327.el7.s390x.rpm kernel-kdump-devel-3.10.0-327.el7.s390x.rpm perf-3.10.0-327.el7.s390x.rpm perf-debuginfo-3.10.0-327.el7.s390x.rpm python-perf-3.10.0-327.el7.s390x.rpm python-perf-debuginfo-3.10.0-327.el7.s390x.rpm
x86_64: kernel-3.10.0-327.el7.x86_64.rpm kernel-debug-3.10.0-327.el7.x86_64.rpm kernel-debug-debuginfo-3.10.0-327.el7.x86_64.rpm kernel-debug-devel-3.10.0-327.el7.x86_64.rpm kernel-debuginfo-3.10.0-327.el7.x86_64.rpm kernel-debuginfo-common-x86_64-3.10.0-327.el7.x86_64.rpm kernel-devel-3.10.0-327.el7.x86_64.rpm kernel-headers-3.10.0-327.el7.x86_64.rpm kernel-tools-3.10.0-327.el7.x86_64.rpm kernel-tools-debuginfo-3.10.0-327.el7.x86_64.rpm kernel-tools-libs-3.10.0-327.el7.x86_64.rpm perf-3.10.0-327.el7.x86_64.rpm perf-debuginfo-3.10.0-327.el7.x86_64.rpm python-perf-3.10.0-327.el7.x86_64.rpm python-perf-debuginfo-3.10.0-327.el7.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):
ppc64: kernel-debug-debuginfo-3.10.0-327.el7.ppc64.rpm kernel-debuginfo-3.10.0-327.el7.ppc64.rpm kernel-debuginfo-common-ppc64-3.10.0-327.el7.ppc64.rpm kernel-tools-debuginfo-3.10.0-327.el7.ppc64.rpm kernel-tools-libs-devel-3.10.0-327.el7.ppc64.rpm perf-debuginfo-3.10.0-327.el7.ppc64.rpm python-perf-debuginfo-3.10.0-327.el7.ppc64.rpm
ppc64le: kernel-debug-debuginfo-3.10.0-327.el7.ppc64le.rpm kernel-debug-devel-3.10.0-327.el7.ppc64le.rpm kernel-debuginfo-3.10.0-327.el7.ppc64le.rpm kernel-debuginfo-common-ppc64le-3.10.0-327.el7.ppc64le.rpm kernel-tools-debuginfo-3.10.0-327.el7.ppc64le.rpm kernel-tools-libs-devel-3.10.0-327.el7.ppc64le.rpm perf-debuginfo-3.10.0-327.el7.ppc64le.rpm python-perf-debuginfo-3.10.0-327.el7.ppc64le.rpm
x86_64: kernel-debug-debuginfo-3.10.0-327.el7.x86_64.rpm kernel-debuginfo-3.10.0-327.el7.x86_64.rpm kernel-debuginfo-common-x86_64-3.10.0-327.el7.x86_64.rpm kernel-tools-debuginfo-3.10.0-327.el7.x86_64.rpm kernel-tools-libs-devel-3.10.0-327.el7.x86_64.rpm perf-debuginfo-3.10.0-327.el7.x86_64.rpm python-perf-debuginfo-3.10.0-327.el7.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):
Source: kernel-3.10.0-327.el7.src.rpm
noarch: kernel-abi-whitelists-3.10.0-327.el7.noarch.rpm kernel-doc-3.10.0-327.el7.noarch.rpm
x86_64: kernel-3.10.0-327.el7.x86_64.rpm kernel-debug-3.10.0-327.el7.x86_64.rpm kernel-debug-debuginfo-3.10.0-327.el7.x86_64.rpm kernel-debug-devel-3.10.0-327.el7.x86_64.rpm kernel-debuginfo-3.10.0-327.el7.x86_64.rpm kernel-debuginfo-common-x86_64-3.10.0-327.el7.x86_64.rpm kernel-devel-3.10.0-327.el7.x86_64.rpm kernel-headers-3.10.0-327.el7.x86_64.rpm kernel-tools-3.10.0-327.el7.x86_64.rpm kernel-tools-debuginfo-3.10.0-327.el7.x86_64.rpm kernel-tools-libs-3.10.0-327.el7.x86_64.rpm perf-3.10.0-327.el7.x86_64.rpm perf-debuginfo-3.10.0-327.el7.x86_64.rpm python-perf-3.10.0-327.el7.x86_64.rpm python-perf-debuginfo-3.10.0-327.el7.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):
x86_64: kernel-debug-debuginfo-3.10.0-327.el7.x86_64.rpm kernel-debuginfo-3.10.0-327.el7.x86_64.rpm kernel-debuginfo-common-x86_64-3.10.0-327.el7.x86_64.rpm kernel-tools-debuginfo-3.10.0-327.el7.x86_64.rpm kernel-tools-libs-devel-3.10.0-327.el7.x86_64.rpm perf-debuginfo-3.10.0-327.el7.x86_64.rpm python-perf-debuginfo-3.10.0-327.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2010-5313
https://access.redhat.com/security/cve/CVE-2013-7421
https://access.redhat.com/security/cve/CVE-2014-3647
https://access.redhat.com/security/cve/CVE-2014-7842
https://access.redhat.com/security/cve/CVE-2014-8171
https://access.redhat.com/security/cve/CVE-2014-9419
https://access.redhat.com/security/cve/CVE-2014-9644
https://access.redhat.com/security/cve/CVE-2015-0239
https://access.redhat.com/security/cve/CVE-2015-2925
https://access.redhat.com/security/cve/CVE-2015-3339
https://access.redhat.com/security/cve/CVE-2015-4170
https://access.redhat.com/security/cve/CVE-2015-5283
https://access.redhat.com/security/cve/CVE-2015-6526
https://access.redhat.com/security/cve/CVE-2015-7613
https://access.redhat.com/security/cve/CVE-2015-7837
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/7.2_Release_Notes/index.html
https://access.redhat.com/articles/1749293

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
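Of the flaws listed above, the IPC race (CVE-2015-7613) is the one whose root cause is a general pattern worth seeing in code: an object is linked into a globally visible list before the fields the permission check relies on have been set, so a lookup that races with creation judges access against whatever the memory held beforehand. The following is an added example, not kernel code, that reduces the pattern to user space. The table, the permission rule and the "stale memory" contents are constructed for the demonstration, and the racing lookup is modelled as a callback invoked at the point where a concurrent caller could observe the table, which keeps the outcome deterministic.

```c
/* Added example, not kernel code: the ordering problem described for
 * CVE-2015-7613, reduced to user space. The buggy creation path links the
 * object into the globally visible table first and fills in ownership
 * afterwards; the fixed path initialises first and links last. */
#include <stdatomic.h>
#include <stddef.h>
#include <string.h>

struct ipc_obj {
    unsigned owner_uid;      /* fields consulted by the permission check */
    unsigned mode;
    int id;
};

#define TABLE_SIZE 8
static struct ipc_obj *table[TABLE_SIZE];   /* the globally visible list */

static int alloc_slot(void)
{
    for (int i = 0; i < TABLE_SIZE; i++)
        if (table[i] == NULL)
            return i;
    return -1;
}

/* What a concurrent caller does: look the id up and check permission. */
struct ipc_obj *ipc_lookup(int id)
{
    return (id >= 0 && id < TABLE_SIZE) ? table[id] : NULL;
}

/* Constructed rule: the owner may access, or anyone if world-readable. */
int ipc_may_access(const struct ipc_obj *o, unsigned caller_uid)
{
    return o->owner_uid == caller_uid || (o->mode & 04) != 0;
}

typedef void (*racer_fn)(int id, void *ctx);

/* Buggy order: link into the table, then fill in ownership. `o` arrives
 * holding whatever its memory contained before (a recycled allocation). */
int ipc_add_buggy(struct ipc_obj *o, unsigned owner, unsigned mode,
                  racer_fn racer, void *ctx)
{
    int id = alloc_slot();
    if (id < 0) return -1;
    o->id = id;
    table[id] = o;           /* reachable by every other caller from here on */
    racer(id, ctx);          /* a concurrent lookup lands in the window */
    o->owner_uid = owner;    /* too late: permissions were already checked */
    o->mode = mode;
    return id;
}

/* Fixed order: fully initialise, release-fence, then link. */
int ipc_add_fixed(struct ipc_obj *o, unsigned owner, unsigned mode,
                  racer_fn racer, void *ctx)
{
    int id = alloc_slot();
    if (id < 0) return -1;
    o->owner_uid = owner;
    o->mode = mode;
    o->id = id;
    atomic_thread_fence(memory_order_release);  /* stores above complete before the link */
    table[id] = o;
    racer(id, ctx);          /* the same lookup now sees the real permissions */
    return id;
}

struct racer_ctx { unsigned caller_uid; int granted; };

static void racing_lookup(int id, void *p)
{
    struct racer_ctx *r = p;
    struct ipc_obj *o = ipc_lookup(id);
    r->granted = o ? ipc_may_access(o, r->caller_uid) : 0;
}

/* Demonstration: returns 1 when the buggy order grants a non-owner (uid 1234)
 * access to an object being created as uid 1000 / mode 0600 and the fixed
 * order denies it. The stale contents (uid 0, mode 0666) are constructed to
 * stand for a recycled, not-yet-initialised allocation. */
int ipc_race_demo(void)
{
    struct racer_ctx r = { 1234, 0 };
    struct ipc_obj stale1 = { 0, 0666, -1 }, stale2 = { 0, 0666, -1 };
    memset(table, 0, sizeof table);

    ipc_add_buggy(&stale1, 1000, 0600, racing_lookup, &r);
    int buggy_granted = r.granted;

    r.granted = 0;
    ipc_add_fixed(&stale2, 1000, 0600, racing_lookup, &r);
    int fixed_granted = r.granted;

    memset(table, 0, sizeof table);  /* drop pointers to the stack objects */
    return buggy_granted == 1 && fixed_granted == 0;
}
```

The fence matters as much as the statement order: on a weakly ordered machine a compiler or CPU may otherwise let the `table[id] = o` store become visible before the field stores, which reintroduces the window even with the source in the right order. In review, the question to ask of any "allocate, publish, initialise" sequence is whether a reader can reach the object between the second and third step.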
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFWTkBkXlSAg2UNWIIRAoW3AKCZx0Bvsg8nJgW82t0Z0N/1ZlzwSwCgnNd/ aXXpApqtSrKb7yYm9XcevtI= =+6w8 -----END PGP SIGNATURE----- From bugzilla at redhat.com Thu Nov 19 21:34:46 2015 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 19 Nov 2015 16:34:46 -0500 Subject: [RHSA-2015:2154-07] Moderate: krb5 security, bug fix, and enhancement update Message-ID: <201511192134.tAJLYkDr031193@int-mx11.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: krb5 security, bug fix, and enhancement update Advisory ID: RHSA-2015:2154-07 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-2154.html Issue date: 2015-11-19 CVE Names: CVE-2014-5355 CVE-2015-2694 ===================================================================== 1. Summary: Updated krb5 packages that fix two security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Client (v. 7) - x86_64 Red Hat Enterprise Linux Client Optional (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64 Red Hat Enterprise Linux Server (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 7) - x86_64 3. Description: Kerberos is a network authentication system, which can improve the security of your network by eliminating the insecure practice of sending passwords over the network in unencrypted form. 
It allows clients and servers to authenticate to each other with the help of a trusted third party, the Kerberos key distribution center (KDC).

It was found that the krb5_read_message() function of MIT Kerberos did not correctly sanitize input, and could create invalid krb5_data objects. A remote, unauthenticated attacker could use this flaw to crash a Kerberos child process via a specially crafted request. (CVE-2014-5355)

A flaw was found in the OTP kdcpreauth module of MIT kerberos. An unauthenticated remote attacker could use this flaw to bypass the requires_preauth flag on a client principal and obtain a ciphertext encrypted in the principal's long-term key. This ciphertext could be used to conduct an off-line dictionary attack against the user's password. (CVE-2015-2694)

The krb5 packages have been upgraded to upstream version 1.13.2, which provides a number of bug fixes and enhancements over the previous version. (BZ#1203889)

Notably, this update fixes the following bugs:

* Previously, the RADIUS support (libkrad) in krb5 was sending krb5 authentication for Transmission Control Protocol (TCP) transports multiple times, accidentally using a code path intended to be used only for unreliable transport types, for example User Datagram Protocol (UDP) transports. A patch that fixes the problem by disabling manual retries for reliable transports, such as TCP, has been applied, and the correct code path is now used in this situation. (BZ#1251586)

* Attempts to use Kerberos single sign-on (SSO) to access SAP NetWeaver systems sometimes failed. The SAP NetWeaver developer trace displayed the following error message:

    No credentials were supplied, or the credentials were unavailable or inaccessible
    Unable to establish the security context

Querying SSO credential lifetime has been modified to trigger credential acquisition, thus preventing the error from occurring. Now, the user can successfully use Kerberos SSO for accessing SAP NetWeaver systems. (BZ#1252454)

All krb5 users are advised to upgrade to these updated packages, which correct these issues and add these enhancements.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1156144 - krb5 upstream test t_kdb.py failure
1163402 - kdb5_ldap_util view_policy does not shows ticket flags on s390x and ppc64
1164304 - Upstream unit tests loads the installed shared libraries instead the ones from the build
1185770 - Missing upstream test in krb5-1.12.2: src/tests/gssapi/t_invalid.c
1193939 - CVE-2014-5355 krb5: unauthenticated denial of service in recvauth_common() and others
1203889 - RFE: Rebase krb5 in RHEL7.2 to krb5 1.13 (krb1.13.2) ...
1216133 - CVE-2015-2694 krb5: issues in OTP and PKINIT kdcpreauth modules leading to requires_preauth bypass
1222903 - [SELinux] AVC denials may appear when kadmind starts
1247608 - [RFE] Add support for multi-hop preauth mechs via |KDC_ERR_MORE_PREAUTH_DATA_REQUIRED| for RFC 6113 ("A Generalized Framework for Kerberos Pre-Authentication")
1247751 - krb5-config returns wrong -specs path
1247761 - RFE: Minor krb5 spec file cleanup and sync with recent Fedora 22/23 changes
1250154 - [s390x, ppc64, ppc64le]: kadmind does not accept ACL if kadm5.acl does not end with EOL
1251586 - KDC sends multiple requests to ipa-otpd for the same authentication
1259846 - KDC does not return proper client principal for client referrals

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:
krb5-1.13.2-10.el7.src.rpm

x86_64:
krb5-debuginfo-1.13.2-10.el7.i686.rpm
krb5-debuginfo-1.13.2-10.el7.x86_64.rpm
krb5-libs-1.13.2-10.el7.i686.rpm
krb5-libs-1.13.2-10.el7.x86_64.rpm
krb5-pkinit-1.13.2-10.el7.x86_64.rpm
krb5-workstation-1.13.2-10.el7.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

x86_64:
krb5-debuginfo-1.13.2-10.el7.i686.rpm
krb5-debuginfo-1.13.2-10.el7.x86_64.rpm
krb5-devel-1.13.2-10.el7.i686.rpm
krb5-devel-1.13.2-10.el7.x86_64.rpm
krb5-server-1.13.2-10.el7.x86_64.rpm
krb5-server-ldap-1.13.2-10.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
krb5-1.13.2-10.el7.src.rpm

x86_64:
krb5-debuginfo-1.13.2-10.el7.i686.rpm
krb5-debuginfo-1.13.2-10.el7.x86_64.rpm
krb5-libs-1.13.2-10.el7.i686.rpm
krb5-libs-1.13.2-10.el7.x86_64.rpm
krb5-pkinit-1.13.2-10.el7.x86_64.rpm
krb5-workstation-1.13.2-10.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

x86_64:
krb5-debuginfo-1.13.2-10.el7.i686.rpm
krb5-debuginfo-1.13.2-10.el7.x86_64.rpm
krb5-devel-1.13.2-10.el7.i686.rpm
krb5-devel-1.13.2-10.el7.x86_64.rpm
krb5-server-1.13.2-10.el7.x86_64.rpm
krb5-server-ldap-1.13.2-10.el7.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
krb5-1.13.2-10.el7.src.rpm

aarch64:
krb5-debuginfo-1.13.2-10.el7.aarch64.rpm
krb5-devel-1.13.2-10.el7.aarch64.rpm
krb5-libs-1.13.2-10.el7.aarch64.rpm
krb5-pkinit-1.13.2-10.el7.aarch64.rpm
krb5-server-1.13.2-10.el7.aarch64.rpm
krb5-server-ldap-1.13.2-10.el7.aarch64.rpm
krb5-workstation-1.13.2-10.el7.aarch64.rpm

ppc64:
krb5-debuginfo-1.13.2-10.el7.ppc.rpm
krb5-debuginfo-1.13.2-10.el7.ppc64.rpm
krb5-devel-1.13.2-10.el7.ppc.rpm
krb5-devel-1.13.2-10.el7.ppc64.rpm
krb5-libs-1.13.2-10.el7.ppc.rpm
krb5-libs-1.13.2-10.el7.ppc64.rpm
krb5-pkinit-1.13.2-10.el7.ppc64.rpm
krb5-server-1.13.2-10.el7.ppc64.rpm
krb5-server-ldap-1.13.2-10.el7.ppc64.rpm
krb5-workstation-1.13.2-10.el7.ppc64.rpm

ppc64le:
krb5-debuginfo-1.13.2-10.el7.ppc64le.rpm
krb5-devel-1.13.2-10.el7.ppc64le.rpm
krb5-libs-1.13.2-10.el7.ppc64le.rpm
krb5-pkinit-1.13.2-10.el7.ppc64le.rpm
krb5-server-1.13.2-10.el7.ppc64le.rpm
krb5-server-ldap-1.13.2-10.el7.ppc64le.rpm
krb5-workstation-1.13.2-10.el7.ppc64le.rpm

s390x:
krb5-debuginfo-1.13.2-10.el7.s390.rpm
krb5-debuginfo-1.13.2-10.el7.s390x.rpm
krb5-devel-1.13.2-10.el7.s390.rpm
krb5-devel-1.13.2-10.el7.s390x.rpm
krb5-libs-1.13.2-10.el7.s390.rpm
krb5-libs-1.13.2-10.el7.s390x.rpm
krb5-pkinit-1.13.2-10.el7.s390x.rpm
krb5-server-1.13.2-10.el7.s390x.rpm
krb5-server-ldap-1.13.2-10.el7.s390x.rpm
krb5-workstation-1.13.2-10.el7.s390x.rpm

x86_64:
krb5-debuginfo-1.13.2-10.el7.i686.rpm
krb5-debuginfo-1.13.2-10.el7.x86_64.rpm
krb5-devel-1.13.2-10.el7.i686.rpm
krb5-devel-1.13.2-10.el7.x86_64.rpm
krb5-libs-1.13.2-10.el7.i686.rpm
krb5-libs-1.13.2-10.el7.x86_64.rpm
krb5-pkinit-1.13.2-10.el7.x86_64.rpm
krb5-server-1.13.2-10.el7.x86_64.rpm
krb5-server-ldap-1.13.2-10.el7.x86_64.rpm
krb5-workstation-1.13.2-10.el7.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
krb5-1.13.2-10.el7.src.rpm

x86_64:
krb5-debuginfo-1.13.2-10.el7.i686.rpm
krb5-debuginfo-1.13.2-10.el7.x86_64.rpm
krb5-devel-1.13.2-10.el7.i686.rpm
krb5-devel-1.13.2-10.el7.x86_64.rpm
krb5-libs-1.13.2-10.el7.i686.rpm
krb5-libs-1.13.2-10.el7.x86_64.rpm
krb5-pkinit-1.13.2-10.el7.x86_64.rpm
krb5-server-1.13.2-10.el7.x86_64.rpm
krb5-server-ldap-1.13.2-10.el7.x86_64.rpm
krb5-workstation-1.13.2-10.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2014-5355
https://access.redhat.com/security/cve/CVE-2015-2694
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFWTkB1XlSAg2UNWIIRAhCfAKCwIT8Iv7NulCjHEaWaTxjBifItagCeKV/H
R2dzlpQmDy4LE5jAdvwqzmU=
=hNo2
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Nov 19 21:35:48 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 19 Nov 2015 16:35:48 -0500
Subject: [RHSA-2015:2155-07] Moderate: file security and bug fix update
Message-ID: <201511192135.tAJLZm65003950@int-mx14.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: file security and bug fix update
Advisory ID: RHSA-2015:2155-07
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-2155.html
Issue date: 2015-11-19
CVE Names: CVE-2014-0207 CVE-2014-0237 CVE-2014-0238 CVE-2014-3478 CVE-2014-3479 CVE-2014-3480 CVE-2014-3487 CVE-2014-3538 CVE-2014-3587 CVE-2014-3710 CVE-2014-8116 CVE-2014-8117 CVE-2014-9652 CVE-2014-9653
=====================================================================

1. Summary:

Updated file packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - noarch, x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - noarch, x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - aarch64, noarch, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

The file command is used to identify a particular file according to the type of data the file contains. It can identify many different file types, including Executable and Linkable Format (ELF) binary files, system libraries, RPM packages, and different graphics formats.

Multiple denial of service flaws were found in the way file parsed certain Composite Document Format (CDF) files. A remote attacker could use either of these flaws to crash file, or an application using file, via a specially crafted CDF file. (CVE-2014-0207, CVE-2014-0237, CVE-2014-0238, CVE-2014-3479, CVE-2014-3480, CVE-2014-3487, CVE-2014-3587)

Two flaws were found in the way file processed certain Pascal strings. A remote attacker could cause file to crash if it was used to identify the type of the attacker-supplied file. (CVE-2014-3478, CVE-2014-9652)

Multiple flaws were found in the file regular expression rules for detecting various files. A remote attacker could use these flaws to cause file to consume an excessive amount of CPU. (CVE-2014-3538)

Multiple flaws were found in the way file parsed Executable and Linkable Format (ELF) files. A remote attacker could use these flaws to cause file to crash, disclose portions of its memory, or consume an excessive amount of system resources. (CVE-2014-3710, CVE-2014-8116, CVE-2014-8117, CVE-2014-9653)

Red Hat would like to thank Thomas Jarosch of Intra2net AG for reporting the CVE-2014-8116 and CVE-2014-8117 issues. The CVE-2014-0207, CVE-2014-0237, CVE-2014-0238, CVE-2014-3478, CVE-2014-3479, CVE-2014-3480, CVE-2014-3487, CVE-2014-3710 issues were discovered by Francisco Alonso of Red Hat Product Security; the CVE-2014-3538 issue was discovered by Jan Kaluža of the Red Hat Web Stack Team.

The file packages have been updated to ensure correct operation on Power little endian and ARM 64-bit hardware architectures.
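Both the krb5 advisory above (krb5_read_message() building invalid krb5_data objects from unsanitized input, CVE-2014-5355) and the Pascal-string flaws in this one (CVE-2014-3478, CVE-2014-9652, mconvert() mishandling a truncated Pascal string size) belong to the same defect class: a length field read from untrusted data is trusted before anyone checks that the bytes it promises actually exist. The reader below is an added example, not code from MIT Kerberos, the file utility, or Red Hat; the 4-byte big-endian framing, the 1-byte Pascal prefix, the policy limit MAX_MESSAGE_LEN and all sample inputs are assumptions constructed for the demonstration.

```python
"""Bounds-checked readers for length-prefixed data (added example).

Not MIT Kerberos or file(1) code. The framing formats are assumptions chosen
to illustrate the check that both advisories describe as missing: the length
is validated against the caller's limit and against the bytes that remain
before any slice is taken, so a hostile length can only raise an exception,
never produce an out-of-bounds read or an object whose recorded length does
not match its contents.
"""
from typing import Callable, Tuple


class TruncatedMessage(ValueError):
    """The declared length runs past the bytes actually present."""


class OversizedMessage(ValueError):
    """The declared length exceeds the caller's policy limit."""


# Constructed policy limit for the demo; a real service picks its own ceiling.
MAX_MESSAGE_LEN = 64 * 1024


def read_length_prefixed(buf: bytes, offset: int, width: int, max_len: int) -> Tuple[bytes, int]:
    """Return (payload, next_offset) for a big-endian length prefix of `width` bytes."""
    if width not in (1, 2, 4):
        raise ValueError("unsupported length-prefix width")
    # The prefix itself may be cut off: check that before decoding it.
    if offset < 0 or offset + width > len(buf):
        raise TruncatedMessage("length prefix itself is truncated")
    length = int.from_bytes(buf[offset:offset + width], "big")
    # Policy limit first, so a huge value is rejected without any allocation.
    if length > max_len:
        raise OversizedMessage(f"declared length {length} exceeds limit {max_len}")
    start = offset + width
    remaining = len(buf) - start
    # The truncation check the advisories describe as missing.
    if length > remaining:
        raise TruncatedMessage(f"declared length {length}, only {remaining} bytes remain")
    return buf[start:start + length], start + length


def read_krb_framed(buf: bytes) -> bytes:
    """Assumed framing: 4-byte big-endian length, then the message body."""
    payload, end = read_length_prefixed(buf, 0, 4, MAX_MESSAGE_LEN)
    if end != len(buf):
        raise ValueError("trailing bytes after the framed message")
    return payload


def read_pascal_string(buf: bytes, offset: int = 0) -> str:
    """Pascal string: 1-byte length prefix followed by that many bytes."""
    payload, _ = read_length_prefixed(buf, offset, 1, 255)
    return payload.decode("latin-1")


def outcome(reader: Callable[[bytes], object], data: bytes) -> str:
    """Name of the exception `reader` raises for `data`, or "ok" if it accepts it."""
    try:
        reader(data)
        return "ok"
    except ValueError as exc:  # both custom errors subclass ValueError
        return type(exc).__name__


if __name__ == "__main__":
    # Constructed inputs: one well-formed message, then the failure modes.
    for sample in (b"\x00\x00\x00\x05hello", b"\x00\x00\x00\x10hello", b"\xff\xff\xff\xff"):
        print(sample, "->", outcome(read_krb_framed, sample))
    for sample in (b"\x05hello", b"\x0ahel", b""):
        print(sample, "->", outcome(read_pascal_string, sample))
```

The order of the checks matters: the prefix is verified to be complete before it is decoded, the policy limit is applied before any comparison with the buffer, and only then is the payload sliced, so every error path is a clean exception rather than a partially built object.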
(BZ#1224667, BZ#1224668, BZ#1157850, BZ#1067688).

All file users are advised to upgrade to these updated packages, which contain backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1064167 - back out patch to MAXDESC
1091842 - CVE-2014-0207 file: cdf_read_short_sector insufficient boundary check
1094648 - file reports JPEG image as 'Minix filesystem'
1098155 - CVE-2014-0238 file: CDF property info parsing nelements infinite loop
1098193 - CVE-2014-0237 file: cdf_unpack_summary_info() excessive looping DoS
1098222 - CVE-2014-3538 file: unrestricted regular expression matching
1104858 - CVE-2014-3480 file: cdf_count_chain insufficient boundary check
1104863 - CVE-2014-3478 file: mconvert incorrect handling of truncated pascal string size
1104869 - CVE-2014-3479 file: cdf_check_stream_offset insufficient boundary check
1107544 - CVE-2014-3487 file: cdf_read_property_info insufficient boundary check
1128587 - CVE-2014-3587 file: incomplete fix for CVE-2012-1571 in cdf_read_property_info
1155071 - CVE-2014-3710 file: out-of-bounds read in elf note headers
1157850 - File command does not recognize kernel images on ppc64le
1161911 - file command does not display "from" field correctly when run on 32 bit ppc core file
1161912 - too many spaces ...
1171580 - CVE-2014-8116 file: multiple denial of service issues (resource consumption)
1174606 - CVE-2014-8117 file: denial of service issue (resource consumption)
1188599 - CVE-2014-9652 file: out of bounds read in mconvert()
1190116 - CVE-2014-9653 file: malformed elf file causes access to uninitialized memory
1224667 - aarch64: "file" fails to get the whole information of the new swap partition
1224668 - ppc64le: "file" fails to get the whole information of the new swap partition
1255396 - BuildID[sha1] sum is architecture dependent

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:
file-5.11-31.el7.src.rpm

noarch:
python-magic-5.11-31.el7.noarch.rpm

x86_64:
file-5.11-31.el7.x86_64.rpm
file-debuginfo-5.11-31.el7.i686.rpm
file-debuginfo-5.11-31.el7.x86_64.rpm
file-libs-5.11-31.el7.i686.rpm
file-libs-5.11-31.el7.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

x86_64:
file-debuginfo-5.11-31.el7.i686.rpm
file-debuginfo-5.11-31.el7.x86_64.rpm
file-devel-5.11-31.el7.i686.rpm
file-devel-5.11-31.el7.x86_64.rpm
file-static-5.11-31.el7.i686.rpm
file-static-5.11-31.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
file-5.11-31.el7.src.rpm

noarch:
python-magic-5.11-31.el7.noarch.rpm

x86_64:
file-5.11-31.el7.x86_64.rpm
file-debuginfo-5.11-31.el7.i686.rpm
file-debuginfo-5.11-31.el7.x86_64.rpm
file-libs-5.11-31.el7.i686.rpm
file-libs-5.11-31.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

x86_64:
file-debuginfo-5.11-31.el7.i686.rpm
file-debuginfo-5.11-31.el7.x86_64.rpm
file-devel-5.11-31.el7.i686.rpm
file-devel-5.11-31.el7.x86_64.rpm
file-static-5.11-31.el7.i686.rpm
file-static-5.11-31.el7.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
file-5.11-31.el7.src.rpm

aarch64:
file-5.11-31.el7.aarch64.rpm
file-debuginfo-5.11-31.el7.aarch64.rpm
file-libs-5.11-31.el7.aarch64.rpm

noarch:
python-magic-5.11-31.el7.noarch.rpm

ppc64:
file-5.11-31.el7.ppc64.rpm
file-debuginfo-5.11-31.el7.ppc.rpm
file-debuginfo-5.11-31.el7.ppc64.rpm
file-libs-5.11-31.el7.ppc.rpm
file-libs-5.11-31.el7.ppc64.rpm

ppc64le:
file-5.11-31.el7.ppc64le.rpm
file-debuginfo-5.11-31.el7.ppc64le.rpm
file-libs-5.11-31.el7.ppc64le.rpm

s390x:
file-5.11-31.el7.s390x.rpm
file-debuginfo-5.11-31.el7.s390.rpm
file-debuginfo-5.11-31.el7.s390x.rpm
file-libs-5.11-31.el7.s390.rpm
file-libs-5.11-31.el7.s390x.rpm

x86_64:
file-5.11-31.el7.x86_64.rpm
file-debuginfo-5.11-31.el7.i686.rpm
file-debuginfo-5.11-31.el7.x86_64.rpm
file-libs-5.11-31.el7.i686.rpm
file-libs-5.11-31.el7.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

aarch64:
file-debuginfo-5.11-31.el7.aarch64.rpm
file-devel-5.11-31.el7.aarch64.rpm
file-static-5.11-31.el7.aarch64.rpm

ppc64:
file-debuginfo-5.11-31.el7.ppc.rpm
file-debuginfo-5.11-31.el7.ppc64.rpm
file-devel-5.11-31.el7.ppc.rpm
file-devel-5.11-31.el7.ppc64.rpm
file-static-5.11-31.el7.ppc.rpm
file-static-5.11-31.el7.ppc64.rpm

ppc64le:
file-debuginfo-5.11-31.el7.ppc64le.rpm
file-devel-5.11-31.el7.ppc64le.rpm
file-static-5.11-31.el7.ppc64le.rpm

s390x:
file-debuginfo-5.11-31.el7.s390.rpm
file-debuginfo-5.11-31.el7.s390x.rpm
file-devel-5.11-31.el7.s390.rpm
file-devel-5.11-31.el7.s390x.rpm
file-static-5.11-31.el7.s390.rpm
file-static-5.11-31.el7.s390x.rpm

x86_64:
file-debuginfo-5.11-31.el7.i686.rpm
file-debuginfo-5.11-31.el7.x86_64.rpm
file-devel-5.11-31.el7.i686.rpm
file-devel-5.11-31.el7.x86_64.rpm
file-static-5.11-31.el7.i686.rpm
file-static-5.11-31.el7.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
file-5.11-31.el7.src.rpm

noarch:
python-magic-5.11-31.el7.noarch.rpm

x86_64:
file-5.11-31.el7.x86_64.rpm
file-debuginfo-5.11-31.el7.i686.rpm
file-debuginfo-5.11-31.el7.x86_64.rpm
file-libs-5.11-31.el7.i686.rpm
file-libs-5.11-31.el7.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

x86_64:
file-debuginfo-5.11-31.el7.i686.rpm
file-debuginfo-5.11-31.el7.x86_64.rpm
file-devel-5.11-31.el7.i686.rpm
file-devel-5.11-31.el7.x86_64.rpm
file-static-5.11-31.el7.i686.rpm
file-static-5.11-31.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2014-0207
https://access.redhat.com/security/cve/CVE-2014-0237
https://access.redhat.com/security/cve/CVE-2014-0238
https://access.redhat.com/security/cve/CVE-2014-3478
https://access.redhat.com/security/cve/CVE-2014-3479
https://access.redhat.com/security/cve/CVE-2014-3480
https://access.redhat.com/security/cve/CVE-2014-3487
https://access.redhat.com/security/cve/CVE-2014-3538
https://access.redhat.com/security/cve/CVE-2014-3587
https://access.redhat.com/security/cve/CVE-2014-3710
https://access.redhat.com/security/cve/CVE-2014-8116
https://access.redhat.com/security/cve/CVE-2014-8117
https://access.redhat.com/security/cve/CVE-2014-9652
https://access.redhat.com/security/cve/CVE-2014-9653
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFWTkCyXlSAg2UNWIIRAupSAJ0TVUyMQqn/7m4ByA2ijXC3gaC3YwCfR9jS
qi8oKX7gvmn7L6fqQ5qhg/0=
=oh/6
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Nov 19 21:36:36 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 19 Nov 2015 16:36:36 -0500
Subject: [RHSA-2015:2159-06] Moderate: curl security, bug fix, and enhancement update
Message-ID: <201511192136.tAJLaamp004420@int-mx14.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: curl security, bug fix, and enhancement update
Advisory ID: RHSA-2015:2159-06
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-2159.html
Issue date: 2015-11-19
CVE Names: CVE-2014-3613 CVE-2014-3707 CVE-2014-8150 CVE-2015-3143 CVE-2015-3148
=====================================================================

1. Summary:

Updated curl packages that fix multiple security issues, several bugs, and add two enhancements are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64

3. Description:

The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP.
It was found that the libcurl library did not correctly handle partial literal IP addresses when parsing received HTTP cookies. An attacker able to trick a user into connecting to a malicious server could use this flaw to set the user's cookie to a crafted domain, making other cookie-related issues easier to exploit. (CVE-2014-3613)

A flaw was found in the way the libcurl library performed the duplication of connection handles. If an application set the CURLOPT_COPYPOSTFIELDS option for a handle, using the handle's duplicate could cause the application to crash or disclose a portion of its memory. (CVE-2014-3707)

It was discovered that the libcurl library failed to properly handle URLs with embedded end-of-line characters. An attacker able to make an application using libcurl access a specially crafted URL via an HTTP proxy could use this flaw to inject additional headers to the request or construct additional requests. (CVE-2014-8150)

It was discovered that libcurl implemented aspects of the NTLM and Negotiate authentication incorrectly. If an application uses libcurl and the affected mechanisms in a specific way, certain requests to a previously NTLM-authenticated server could appear as sent by the wrong authenticated user. Additionally, the initial set of credentials for HTTP Negotiate-authenticated requests could be reused in subsequent requests, although a different set of credentials was specified. (CVE-2015-3143, CVE-2015-3148)

Red Hat would like to thank the cURL project for reporting these issues.

Bug fixes:

* An out-of-protocol fallback to SSL 3.0 was available with libcurl. Attackers could abuse the fallback to force downgrade of the SSL version. The fallback has been removed from libcurl. Users requiring this functionality can explicitly enable SSL 3.0 through the libcurl API. (BZ#1154060)

* TLS 1.1 and TLS 1.2 are no longer disabled by default in libcurl. You can explicitly disable them through the libcurl API.
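The first flaw in this advisory (CVE-2014-3613) is about which hosts a cookie's Domain attribute may claim. RFC 6265 section 5.1.3 lets a cookie domain match a request host only when the two are identical or the domain is a suffix of the host at a label boundary, and in the suffix case only when the host is a DNS name rather than an IP address; a plain string-suffix comparison silently accepts a partial IP literal such as "0.0.1" for a host "10.0.0.1". The functions below are an added example, not libcurl code and not from Red Hat: they implement the RFC rule next to the naive suffix test for contrast. All hostnames and cookie domains are constructed inputs.

```python
"""Cookie Domain-attribute matching per RFC 6265 section 5.1.3 (added example).

Not libcurl code. `domain_matches` applies the RFC rule, including the
"host must not be an IP address" clause that a suffix-only check omits;
`naive_suffix_match` is the shortcut shown only to demonstrate the gap.
"""
import ipaddress
from typing import Optional


def is_ip_literal(host: str) -> bool:
    """True for IPv4/IPv6 literals (IPv6 brackets stripped), False for names."""
    h = host[1:-1] if host.startswith("[") and host.endswith("]") else host
    try:
        ipaddress.ip_address(h)
        return True
    except ValueError:
        return False


def canonical_domain(domain: str) -> str:
    """Lower-case the attribute and drop one leading dot (RFC 6265 section 5.2.3)."""
    d = domain.strip().lower()
    return d[1:] if d.startswith(".") else d


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: identical, or a label-boundary suffix of a DNS name."""
    host = request_host.strip().lower().rstrip(".")
    domain = canonical_domain(cookie_domain)
    if not domain:
        return False
    if host == domain:
        return True
    # Suffix matching is defined only for host names; an IP literal never
    # "belongs" to a shorter dotted string, so "0.0.1" must not match 10.0.0.1.
    if is_ip_literal(host):
        return False
    # Label boundary: ".example.com" matches, "badexample.com" does not.
    return host.endswith("." + domain)


def naive_suffix_match(request_host: str, cookie_domain: str) -> bool:
    """The shortcut the RFC rule replaces: a bare string-suffix test (for contrast only)."""
    return request_host.strip().lower().endswith(canonical_domain(cookie_domain))


def stored_cookie_domain(request_host: str, cookie_domain: Optional[str]) -> Optional[str]:
    """Domain a cookie jar should file this cookie under, or None to reject it.

    No Domain attribute means a host-only cookie (RFC 6265 section 5.3 step 6);
    otherwise the attribute must domain-match the request host.
    """
    if cookie_domain is None or not cookie_domain.strip():
        return request_host.strip().lower()
    domain = canonical_domain(cookie_domain)
    return domain if domain_matches(request_host, domain) else None


if __name__ == "__main__":
    # Constructed cases: the last one is the partial-IP case the advisory describes.
    for host, dom in (("www.example.com", ".example.com"),
                      ("badexample.com", "example.com"),
                      ("10.0.0.1", "0.0.1")):
        print(f"{host!r} + Domain={dom!r}: rfc={domain_matches(host, dom)} "
              f"naive={naive_suffix_match(host, dom)}")
```

The IP check is the one line that separates the two behaviours: with it, a server reached by address can only set cookies scoped to that exact address, which is what a cookie jar must enforce so that one host cannot plant cookies that other hosts will later send.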
(BZ#1170339)

* FTP operations such as downloading files took a significantly long time to complete. Now, the FTP implementation in libcurl correctly sets blocking direction and estimated timeout for connections, resulting in faster FTP transfers. (BZ#1218272)

Enhancements:

* With the updated packages, it is possible to explicitly enable or disable new Advanced Encryption Standard (AES) cipher suites to be used for the TLS protocol. (BZ#1066065)

* The libcurl library did not implement a non-blocking SSL handshake, which negatively affected performance of applications based on the libcurl multi API. The non-blocking SSL handshake has been implemented in libcurl, and the libcurl multi API now immediately returns the control back to the application whenever it cannot read or write data from or to the underlying network socket. (BZ#1091429)

* The libcurl library used an unnecessarily long blocking delay for actions with no active file descriptors, even for short operations. Some actions, such as resolving a host name using /etc/hosts, took a long time to complete. The blocking code in libcurl has been modified so that the initial delay is short and gradually increases until an event occurs. (BZ#1130239)

All curl users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1130239 - Difference in curl performance between RHEL6 and RHEL7
1136154 - CVE-2014-3613 curl: incorrect handling of IP addresses in cookie domain
1154060 - curl: Disable out-of-protocol fallback to SSL 3.0
1154941 - CVE-2014-3707 curl: incorrect handle duplication after COPYPOSTFIELDS
1161182 - Response headers added by proxy servers missing in CURLINFO_HEADER_SIZE
1166264 - NTLM: ignore CURLOPT_FORBID_REUSE during NTLM HTTP auth [RHEL-7]
1170339 - use the default min/max TLS version provided by NSS
1178692 - CVE-2014-8150 curl: URL request injection vulnerability in parseurlandfillconn()
1213306 - CVE-2015-3143 curl: re-using authenticated connection when unauthenticated
1213351 - CVE-2015-3148 curl: Negotiate not treated as connection-oriented
1218272 - Performance problem with libcurl and FTP on RHEL7.X

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:
curl-7.29.0-25.el7.src.rpm

x86_64:
curl-7.29.0-25.el7.x86_64.rpm
curl-debuginfo-7.29.0-25.el7.i686.rpm
curl-debuginfo-7.29.0-25.el7.x86_64.rpm
libcurl-7.29.0-25.el7.i686.rpm
libcurl-7.29.0-25.el7.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

x86_64:
curl-debuginfo-7.29.0-25.el7.i686.rpm
curl-debuginfo-7.29.0-25.el7.x86_64.rpm
libcurl-devel-7.29.0-25.el7.i686.rpm
libcurl-devel-7.29.0-25.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
curl-7.29.0-25.el7.src.rpm

x86_64:
curl-7.29.0-25.el7.x86_64.rpm
curl-debuginfo-7.29.0-25.el7.i686.rpm
curl-debuginfo-7.29.0-25.el7.x86_64.rpm
libcurl-7.29.0-25.el7.i686.rpm
libcurl-7.29.0-25.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

x86_64:
curl-debuginfo-7.29.0-25.el7.i686.rpm
curl-debuginfo-7.29.0-25.el7.x86_64.rpm
libcurl-devel-7.29.0-25.el7.i686.rpm
libcurl-devel-7.29.0-25.el7.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
curl-7.29.0-25.el7.src.rpm

aarch64:
curl-7.29.0-25.el7.aarch64.rpm
curl-debuginfo-7.29.0-25.el7.aarch64.rpm
libcurl-7.29.0-25.el7.aarch64.rpm
libcurl-devel-7.29.0-25.el7.aarch64.rpm

ppc64:
curl-7.29.0-25.el7.ppc64.rpm
curl-debuginfo-7.29.0-25.el7.ppc.rpm
curl-debuginfo-7.29.0-25.el7.ppc64.rpm
libcurl-7.29.0-25.el7.ppc.rpm
libcurl-7.29.0-25.el7.ppc64.rpm
libcurl-devel-7.29.0-25.el7.ppc.rpm
libcurl-devel-7.29.0-25.el7.ppc64.rpm

ppc64le:
curl-7.29.0-25.el7.ppc64le.rpm
curl-debuginfo-7.29.0-25.el7.ppc64le.rpm
libcurl-7.29.0-25.el7.ppc64le.rpm
libcurl-devel-7.29.0-25.el7.ppc64le.rpm

s390x:
curl-7.29.0-25.el7.s390x.rpm
curl-debuginfo-7.29.0-25.el7.s390.rpm
curl-debuginfo-7.29.0-25.el7.s390x.rpm
libcurl-7.29.0-25.el7.s390.rpm
libcurl-7.29.0-25.el7.s390x.rpm
libcurl-devel-7.29.0-25.el7.s390.rpm
libcurl-devel-7.29.0-25.el7.s390x.rpm

x86_64:
curl-7.29.0-25.el7.x86_64.rpm
curl-debuginfo-7.29.0-25.el7.i686.rpm
curl-debuginfo-7.29.0-25.el7.x86_64.rpm
libcurl-7.29.0-25.el7.i686.rpm
libcurl-7.29.0-25.el7.x86_64.rpm
libcurl-devel-7.29.0-25.el7.i686.rpm
libcurl-devel-7.29.0-25.el7.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
curl-7.29.0-25.el7.src.rpm

x86_64:
curl-7.29.0-25.el7.x86_64.rpm
curl-debuginfo-7.29.0-25.el7.i686.rpm
curl-debuginfo-7.29.0-25.el7.x86_64.rpm
libcurl-7.29.0-25.el7.i686.rpm
libcurl-7.29.0-25.el7.x86_64.rpm
libcurl-devel-7.29.0-25.el7.i686.rpm
libcurl-devel-7.29.0-25.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2014-3613
https://access.redhat.com/security/cve/CVE-2014-3707
https://access.redhat.com/security/cve/CVE-2014-8150
https://access.redhat.com/security/cve/CVE-2015-3143
https://access.redhat.com/security/cve/CVE-2015-3148
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFWTkDjXlSAg2UNWIIRAiUIAKCDiD6XED0dZ145uiyufkWCK1ogUACgnQTY
3iELkxAEAUfZ3lJlUq4u7Uo=
=rhuc
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Nov 19 21:36:51 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 19 Nov 2015 16:36:51 -0500
Subject: [RHSA-2015:2180-07] Moderate: rubygem-bundler and rubygem-thor security, bug fix, and enhancement update
Message-ID: <201511192136.tAJLapAE013369@int-mx10.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: rubygem-bundler and rubygem-thor security, bug fix, and enhancement update
Advisory ID: RHSA-2015:2180-07
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-2180.html
Issue date: 2015-11-19
CVE Names: CVE-2013-0334
=====================================================================

1. Summary:

Updated rubygem-bundler and rubygem-thor packages that fix one security issue, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - noarch
Red Hat Enterprise Linux Client Optional (v. 7) - noarch
Red Hat Enterprise Linux ComputeNode (v. 7) - noarch
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch
Red Hat Enterprise Linux Server (v. 7) - noarch
Red Hat Enterprise Linux Server Optional (v. 7) - noarch
Red Hat Enterprise Linux Workstation (v. 7) - noarch
Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch

3. Description:

Bundler manages an application's dependencies through its entire life, across many machines, systematically and repeatably. Thor is a toolkit for building powerful command-line interfaces.

A flaw was found in the way Bundler handled gems available from multiple sources. An attacker with access to one of the sources could create a malicious gem with the same name, which they could then use to trick a user into installing, potentially resulting in execution of code from the attacker-supplied malicious gem. (CVE-2013-0334)

Bundler has been upgraded to upstream version 1.7.8 and Thor has been upgraded to upstream version 1.19.1, both of which provide a number of bug fixes and enhancements over the previous versions. (BZ#1194243, BZ#1209921)

All rubygem-bundler and rubygem-thor users are advised to upgrade to these updated packages, which correct these issues and add these enhancements.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1146335 - CVE-2013-0334 rubygem-bundler: 'bundle install' may install a gem from a source other than expected
1163076 - Bundler can't see its dependencies after Bundler.setup [rhel-7]
1194243 - Update Bundler to the latest release
1209921 - Update Thor to the latest release

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:
rubygem-bundler-1.7.8-3.el7.src.rpm
rubygem-thor-0.19.1-1.el7.src.rpm

noarch:
rubygem-bundler-1.7.8-3.el7.noarch.rpm
rubygem-thor-0.19.1-1.el7.noarch.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

noarch:
rubygem-bundler-doc-1.7.8-3.el7.noarch.rpm
rubygem-thor-doc-0.19.1-1.el7.noarch.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
rubygem-bundler-1.7.8-3.el7.src.rpm
rubygem-thor-0.19.1-1.el7.src.rpm

noarch:
rubygem-bundler-1.7.8-3.el7.noarch.rpm
rubygem-thor-0.19.1-1.el7.noarch.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

noarch:
rubygem-bundler-doc-1.7.8-3.el7.noarch.rpm
rubygem-thor-doc-0.19.1-1.el7.noarch.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
rubygem-bundler-1.7.8-3.el7.src.rpm
rubygem-thor-0.19.1-1.el7.src.rpm

noarch:
rubygem-bundler-1.7.8-3.el7.noarch.rpm
rubygem-thor-0.19.1-1.el7.noarch.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

noarch:
rubygem-bundler-doc-1.7.8-3.el7.noarch.rpm
rubygem-thor-doc-0.19.1-1.el7.noarch.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
rubygem-bundler-1.7.8-3.el7.src.rpm
rubygem-thor-0.19.1-1.el7.src.rpm

noarch:
rubygem-bundler-1.7.8-3.el7.noarch.rpm
rubygem-thor-0.19.1-1.el7.noarch.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

noarch:
rubygem-bundler-doc-1.7.8-3.el7.noarch.rpm
rubygem-thor-doc-0.19.1-1.el7.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2013-0334
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFWTkDyXlSAg2UNWIIRAkDuAKC49E0PnAepoC0Bh3VFhc0pnxDAhwCfbzSK
jPk6pHQqzE3CkRRC6Xhqeyc=
=49aE
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Nov 19 21:37:10 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 19 Nov 2015 16:37:10 -0500
Subject: [RHSA-2015:2184-07] Moderate: realmd security, bug fix, and enhancement update
Message-ID: <201511192137.tAJLbAkF000632@int-mx11.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: realmd security, bug fix, and enhancement update
Advisory ID: RHSA-2015:2184-07
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-2184.html
Issue date: 2015-11-19
CVE Names: CVE-2015-2704
=====================================================================

1. Summary:

Updated realmd packages that fix two security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

The realmd DBus system service manages discovery of and enrollment in realms and domains, such as Active Directory or Identity Management (IdM). The realmd service detects available domains, automatically configures the system, and joins it as an account to a domain.

A flaw was found in the way realmd parsed certain input when writing configuration into the sssd.conf or smb.conf file. A remote attacker could use this flaw to inject arbitrary configurations into these files via a newline character in an LDAP response. (CVE-2015-2704)

It was found that the realm client would try to automatically join an Active Directory domain without authentication, which could potentially lead to privilege escalation within a specified domain. (BZ#1205751)

The realmd packages have been upgraded to upstream version 0.16.1, which provides a number of bug fixes and enhancements over the previous version. (BZ#1174911)

This update also fixes the following bugs:

* Joining a Red Hat Enterprise Linux machine to a domain using the realm utility creates /home/domainname/[username]/ directories for domain users. Previously, SELinux labeled the domain users' directories incorrectly. As a consequence, the domain users sometimes experienced problems with SELinux policy. This update modifies the realmd service default behavior so that the domain users' directories are compatible with the standard SELinux policy. (BZ#1241832)

* Previously, the realm utility was unable to join or discover domains with domain names containing underscore (_). The realmd service has been modified to process underscores in domain names correctly, which fixes the described bug. (BZ#1243771)

In addition, this update adds the following enhancement:

* The realmd utility now allows the user to disable automatic ID mapping from the command line. To disable the mapping, pass the "--automatic-id-mapping=no" option to the realmd utility.
(BZ#1230941) All realmd users are advised to upgrade to these updated packages, which correct these issues and add these enhancements. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1142191 - realm command crashes when no input password 1174911 - Rebase to 0.16.x 1205751 - realmd: unauthenticated Active Directory join 1205752 - CVE-2015-2704 realmd: untrusted data is used when configuring sssd.conf and/or smb.conf 1241832 - Wrong SELinux label on domain users home folders 1243771 - realm fails to join domain names with underscore in name 1271618 - net ads keytab add fails on system joined to AD with RHEL 7.2 realm join 6. Package List: Red Hat Enterprise Linux Client (v. 7): Source: realmd-0.16.1-5.el7.src.rpm x86_64: realmd-0.16.1-5.el7.x86_64.rpm realmd-debuginfo-0.16.1-5.el7.x86_64.rpm Red Hat Enterprise Linux Client Optional (v. 7): x86_64: realmd-debuginfo-0.16.1-5.el7.x86_64.rpm realmd-devel-docs-0.16.1-5.el7.x86_64.rpm Red Hat Enterprise Linux ComputeNode (v. 7): Source: realmd-0.16.1-5.el7.src.rpm x86_64: realmd-0.16.1-5.el7.x86_64.rpm realmd-debuginfo-0.16.1-5.el7.x86_64.rpm Red Hat Enterprise Linux ComputeNode Optional (v. 7): x86_64: realmd-debuginfo-0.16.1-5.el7.x86_64.rpm realmd-devel-docs-0.16.1-5.el7.x86_64.rpm Red Hat Enterprise Linux Server (v. 7): Source: realmd-0.16.1-5.el7.src.rpm aarch64: realmd-0.16.1-5.el7.aarch64.rpm realmd-debuginfo-0.16.1-5.el7.aarch64.rpm ppc64: realmd-0.16.1-5.el7.ppc64.rpm realmd-debuginfo-0.16.1-5.el7.ppc64.rpm ppc64le: realmd-0.16.1-5.el7.ppc64le.rpm realmd-debuginfo-0.16.1-5.el7.ppc64le.rpm s390x: realmd-0.16.1-5.el7.s390x.rpm realmd-debuginfo-0.16.1-5.el7.s390x.rpm x86_64: realmd-0.16.1-5.el7.x86_64.rpm realmd-debuginfo-0.16.1-5.el7.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 
7): aarch64: realmd-debuginfo-0.16.1-5.el7.aarch64.rpm realmd-devel-docs-0.16.1-5.el7.aarch64.rpm ppc64: realmd-debuginfo-0.16.1-5.el7.ppc64.rpm realmd-devel-docs-0.16.1-5.el7.ppc64.rpm ppc64le: realmd-debuginfo-0.16.1-5.el7.ppc64le.rpm realmd-devel-docs-0.16.1-5.el7.ppc64le.rpm s390x: realmd-debuginfo-0.16.1-5.el7.s390x.rpm realmd-devel-docs-0.16.1-5.el7.s390x.rpm x86_64: realmd-debuginfo-0.16.1-5.el7.x86_64.rpm realmd-devel-docs-0.16.1-5.el7.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 7): Source: realmd-0.16.1-5.el7.src.rpm x86_64: realmd-0.16.1-5.el7.x86_64.rpm realmd-debuginfo-0.16.1-5.el7.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 7): x86_64: realmd-debuginfo-0.16.1-5.el7.x86_64.rpm realmd-devel-docs-0.16.1-5.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2015-2704 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2015 Red Hat, Inc. 
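The CVE-2015-2704 bug class in the advisory above, shown as an added example that is not realmd's code: a value taken from an untrusted source (here a constructed LDAP attribute) is written into an INI-style file such as sssd.conf or smb.conf, and an embedded newline lets it become a second key. The naive renderer reproduces the flaw; the hardened one refuses any value that cannot stay on one "key = value" line. Section names, keys and sample values are constructed.

```python
"""Added example (not realmd's code): guarding INI-style config writes against
newline injection of the kind described for CVE-2015-2704.

Section names, keys and the sample values below are constructed for the example.
"""
import configparser
import re


class UnsafeConfigValue(ValueError):
    """A value that cannot be written back as a single key = value line."""


# A line break (or NUL) inside a value lets it continue as a new key or a new
# [section] once the file is re-read by its consumer (sssd, samba, ...).
_LINE_BREAKERS = re.compile(r"[\r\n\x00]")
# Section names and keys are chosen by the writer, never by the remote side;
# keep them to a conservative alphabet so nothing attacker-influenced becomes one.
_IDENTIFIER = re.compile(r"[A-Za-z0-9_.:/ -]+")


def validate_value(value: str) -> str:
    """Return the value if it is safe to write on one line, otherwise raise."""
    if _LINE_BREAKERS.search(value):
        raise UnsafeConfigValue(f"line break or NUL in value: {value!r}")
    return value.strip()


def render_section_naive(name: str, settings: dict) -> str:
    """Vulnerable pattern: untrusted values are concatenated straight into the file."""
    lines = [f"[{name}]"] + [f"{key} = {value}" for key, value in settings.items()]
    return "\n".join(lines) + "\n"


def render_section_safe(name: str, settings: dict) -> str:
    """Hardened pattern: validate the section name, every key and every value
    before anything is rendered."""
    if not _IDENTIFIER.fullmatch(name):
        raise UnsafeConfigValue(f"bad section name: {name!r}")
    checked = {}
    for key, value in settings.items():
        if not _IDENTIFIER.fullmatch(key):
            raise UnsafeConfigValue(f"bad key: {key!r}")
        checked[key] = validate_value(str(value))
    return render_section_naive(name, checked)


def parse_sections(text: str) -> dict:
    """Re-read rendered text the way an INI consumer would: {section: {key: value}}."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return {section: dict(parser[section]) for section in parser.sections()}


def is_rejected(name: str, settings: dict) -> bool:
    """True if the hardened renderer refuses these settings."""
    try:
        render_section_safe(name, settings)
    except UnsafeConfigValue:
        return True
    return False


# Constructed inputs: a well-formed domain name, and one "LDAP response" that
# carries an embedded newline followed by a second key.
CLEAN_DOMAIN = "example.com"
TAMPERED_DOMAIN = "example.com\nldap_id_mapping = False"


def demo() -> dict:
    """Compare what each renderer lets through, as the consumer would parse it."""
    section = "domain/example.com"
    naive_text = render_section_naive(section, {"ad_domain": TAMPERED_DOMAIN})
    safe_text = render_section_safe(
        section, {"ad_domain": CLEAN_DOMAIN, "ldap_id_mapping": "True"})
    return {
        # the injected line became a real key: ['ad_domain', 'ldap_id_mapping']
        "naive_keys": sorted(parse_sections(naive_text)[section]),
        "safe_keys": sorted(parse_sections(safe_text)[section]),
        "tampered_rejected": is_rejected(section, {"ad_domain": TAMPERED_DOMAIN}),
        "clean_accepted": not is_rejected(section, {"ad_domain": CLEAN_DOMAIN}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18s} -> {result}")
```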
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFWTkEFXlSAg2UNWIIRArkYAKCDNOG9yQ9fS/YfMW6QOjCN6EOdxwCgu7PC
C6ysi14xA8Yx7xTqC3kO6Vk=
=bl2G
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Nov 19 21:37:30 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 19 Nov 2015 16:37:30 -0500
Subject: [RHSA-2015:2199-07] Moderate: glibc security, bug fix, and enhancement update
Message-ID: <201511192137.tAJLbUcA000979@int-mx11.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: glibc security, bug fix, and enhancement update
Advisory ID: RHSA-2015:2199-07
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-2199.html
Issue date: 2015-11-19
CVE Names: CVE-2013-7423 CVE-2015-1472 CVE-2015-1473 CVE-2015-1781
=====================================================================

1. Summary:

Updated glibc packages that fix multiple security issues, several bugs, and add one enhancement are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

The glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the Name Server Caching Daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly.

It was discovered that, under certain circumstances, glibc's getaddrinfo() function would send DNS queries to random file descriptors. An attacker could potentially use this flaw to send DNS queries to unintended recipients, resulting in information disclosure or data loss due to the application encountering corrupted data. (CVE-2013-7423)

A buffer overflow flaw was found in the way glibc's gethostbyname_r() and other related functions computed the size of a buffer when passed a misaligned buffer as input. An attacker able to make an application call any of these functions with a misaligned buffer could use this flaw to crash the application or, potentially, execute arbitrary code with the permissions of the user running the application. (CVE-2015-1781)

A heap-based buffer overflow flaw and a stack overflow flaw were found in glibc's swscanf() function. An attacker able to make an application call the swscanf() function could use these flaws to crash that application or, potentially, execute arbitrary code with the permissions of the user running the application. (CVE-2015-1472, CVE-2015-1473)

An integer overflow flaw, leading to a heap-based buffer overflow, was found in glibc's _IO_wstr_overflow() function. An attacker able to make an application call this function could use this flaw to crash that application or, potentially, execute arbitrary code with the permissions of the user running the application. (BZ#1195762)

A flaw was found in the way glibc's fnmatch() function processed certain malformed patterns. An attacker able to make an application call this function could use this flaw to crash that application. (BZ#1197730)

The CVE-2015-1781 issue was discovered by Arjun Shankar of Red Hat.

These updated glibc packages also include numerous bug fixes and one enhancement. Space precludes documenting all of these changes in this advisory. For information on the most significant of these changes, users are directed to the following article on the Red Hat Customer Portal:

https://access.redhat.com/articles/2050743

All glibc users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to: https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1064066 - Test suite failure: test-ldouble
1098042 - getaddrinfo return EAI_NONAME instead of EAI_AGAIN in case the DNS query times out
1144133 - calloc in dl-reloc.c computes size incorrectly
1187109 - CVE-2013-7423 glibc: getaddrinfo() writes DNS queries to random file descriptors under high load
1188235 - CVE-2015-1472 glibc: heap buffer overflow in glibc swscanf
1195762 - glibc: _IO_wstr_overflow integer overflow
1197730 - glibc: potential denial of service in internal_fnmatch()
1199525 - CVE-2015-1781 glibc: buffer overflow in gethostbyname_r() and related functions with misaligned buffer
1207032 - glibc deadlock when printing backtrace from memory allocator
1209105 - CVE-2015-1473 glibc: Stack-overflow in glibc swscanf
1219891 - Missing define for TCP_USER_TIMEOUT in netinet/tcp.h
1225490 - [RFE] Unconditionally enable SDT probes in glibc builds.

6. Package List:

Red Hat Enterprise Linux Client (v. 7):
Source: glibc-2.17-105.el7.src.rpm
x86_64: glibc-2.17-105.el7.i686.rpm glibc-2.17-105.el7.x86_64.rpm glibc-common-2.17-105.el7.x86_64.rpm glibc-debuginfo-2.17-105.el7.i686.rpm glibc-debuginfo-2.17-105.el7.x86_64.rpm glibc-debuginfo-common-2.17-105.el7.i686.rpm glibc-debuginfo-common-2.17-105.el7.x86_64.rpm glibc-devel-2.17-105.el7.i686.rpm glibc-devel-2.17-105.el7.x86_64.rpm glibc-headers-2.17-105.el7.x86_64.rpm glibc-utils-2.17-105.el7.x86_64.rpm nscd-2.17-105.el7.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):
x86_64: glibc-debuginfo-2.17-105.el7.i686.rpm glibc-debuginfo-2.17-105.el7.x86_64.rpm glibc-debuginfo-common-2.17-105.el7.i686.rpm glibc-debuginfo-common-2.17-105.el7.x86_64.rpm glibc-static-2.17-105.el7.i686.rpm glibc-static-2.17-105.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):
Source: glibc-2.17-105.el7.src.rpm
x86_64: glibc-2.17-105.el7.i686.rpm glibc-2.17-105.el7.x86_64.rpm glibc-common-2.17-105.el7.x86_64.rpm glibc-debuginfo-2.17-105.el7.i686.rpm glibc-debuginfo-2.17-105.el7.x86_64.rpm glibc-debuginfo-common-2.17-105.el7.i686.rpm glibc-debuginfo-common-2.17-105.el7.x86_64.rpm glibc-devel-2.17-105.el7.i686.rpm glibc-devel-2.17-105.el7.x86_64.rpm glibc-headers-2.17-105.el7.x86_64.rpm glibc-utils-2.17-105.el7.x86_64.rpm nscd-2.17-105.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):
x86_64: glibc-debuginfo-2.17-105.el7.i686.rpm glibc-debuginfo-2.17-105.el7.x86_64.rpm glibc-debuginfo-common-2.17-105.el7.i686.rpm glibc-debuginfo-common-2.17-105.el7.x86_64.rpm glibc-static-2.17-105.el7.i686.rpm glibc-static-2.17-105.el7.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):
Source: glibc-2.17-105.el7.src.rpm
aarch64: glibc-2.17-105.el7.aarch64.rpm glibc-common-2.17-105.el7.aarch64.rpm glibc-debuginfo-2.17-105.el7.aarch64.rpm glibc-devel-2.17-105.el7.aarch64.rpm glibc-headers-2.17-105.el7.aarch64.rpm glibc-utils-2.17-105.el7.aarch64.rpm nscd-2.17-105.el7.aarch64.rpm
ppc64: glibc-2.17-105.el7.ppc.rpm glibc-2.17-105.el7.ppc64.rpm glibc-common-2.17-105.el7.ppc64.rpm glibc-debuginfo-2.17-105.el7.ppc.rpm glibc-debuginfo-2.17-105.el7.ppc64.rpm glibc-debuginfo-common-2.17-105.el7.ppc.rpm glibc-debuginfo-common-2.17-105.el7.ppc64.rpm glibc-devel-2.17-105.el7.ppc.rpm glibc-devel-2.17-105.el7.ppc64.rpm glibc-headers-2.17-105.el7.ppc64.rpm glibc-utils-2.17-105.el7.ppc64.rpm nscd-2.17-105.el7.ppc64.rpm
ppc64le: glibc-2.17-105.el7.ppc64le.rpm glibc-common-2.17-105.el7.ppc64le.rpm glibc-debuginfo-2.17-105.el7.ppc64le.rpm glibc-debuginfo-common-2.17-105.el7.ppc64le.rpm glibc-devel-2.17-105.el7.ppc64le.rpm glibc-headers-2.17-105.el7.ppc64le.rpm glibc-utils-2.17-105.el7.ppc64le.rpm nscd-2.17-105.el7.ppc64le.rpm
s390x: glibc-2.17-105.el7.s390.rpm glibc-2.17-105.el7.s390x.rpm glibc-common-2.17-105.el7.s390x.rpm glibc-debuginfo-2.17-105.el7.s390.rpm glibc-debuginfo-2.17-105.el7.s390x.rpm glibc-debuginfo-common-2.17-105.el7.s390.rpm glibc-debuginfo-common-2.17-105.el7.s390x.rpm glibc-devel-2.17-105.el7.s390.rpm glibc-devel-2.17-105.el7.s390x.rpm glibc-headers-2.17-105.el7.s390x.rpm glibc-utils-2.17-105.el7.s390x.rpm nscd-2.17-105.el7.s390x.rpm
x86_64: glibc-2.17-105.el7.i686.rpm glibc-2.17-105.el7.x86_64.rpm glibc-common-2.17-105.el7.x86_64.rpm glibc-debuginfo-2.17-105.el7.i686.rpm glibc-debuginfo-2.17-105.el7.x86_64.rpm glibc-debuginfo-common-2.17-105.el7.i686.rpm glibc-debuginfo-common-2.17-105.el7.x86_64.rpm glibc-devel-2.17-105.el7.i686.rpm glibc-devel-2.17-105.el7.x86_64.rpm glibc-headers-2.17-105.el7.x86_64.rpm glibc-utils-2.17-105.el7.x86_64.rpm nscd-2.17-105.el7.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):
aarch64: glibc-debuginfo-2.17-105.el7.aarch64.rpm glibc-static-2.17-105.el7.aarch64.rpm
ppc64: glibc-debuginfo-2.17-105.el7.ppc.rpm glibc-debuginfo-2.17-105.el7.ppc64.rpm glibc-debuginfo-common-2.17-105.el7.ppc.rpm glibc-debuginfo-common-2.17-105.el7.ppc64.rpm glibc-static-2.17-105.el7.ppc.rpm glibc-static-2.17-105.el7.ppc64.rpm
ppc64le: glibc-debuginfo-2.17-105.el7.ppc64le.rpm glibc-debuginfo-common-2.17-105.el7.ppc64le.rpm glibc-static-2.17-105.el7.ppc64le.rpm
s390x: glibc-debuginfo-2.17-105.el7.s390.rpm glibc-debuginfo-2.17-105.el7.s390x.rpm glibc-debuginfo-common-2.17-105.el7.s390.rpm glibc-debuginfo-common-2.17-105.el7.s390x.rpm glibc-static-2.17-105.el7.s390.rpm glibc-static-2.17-105.el7.s390x.rpm
x86_64: glibc-debuginfo-2.17-105.el7.i686.rpm glibc-debuginfo-2.17-105.el7.x86_64.rpm glibc-debuginfo-common-2.17-105.el7.i686.rpm glibc-debuginfo-common-2.17-105.el7.x86_64.rpm glibc-static-2.17-105.el7.i686.rpm glibc-static-2.17-105.el7.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):
Source: glibc-2.17-105.el7.src.rpm
x86_64: glibc-2.17-105.el7.i686.rpm glibc-2.17-105.el7.x86_64.rpm glibc-common-2.17-105.el7.x86_64.rpm glibc-debuginfo-2.17-105.el7.i686.rpm glibc-debuginfo-2.17-105.el7.x86_64.rpm glibc-debuginfo-common-2.17-105.el7.i686.rpm glibc-debuginfo-common-2.17-105.el7.x86_64.rpm glibc-devel-2.17-105.el7.i686.rpm glibc-devel-2.17-105.el7.x86_64.rpm glibc-headers-2.17-105.el7.x86_64.rpm glibc-utils-2.17-105.el7.x86_64.rpm nscd-2.17-105.el7.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):
x86_64: glibc-debuginfo-2.17-105.el7.i686.rpm glibc-debuginfo-2.17-105.el7.x86_64.rpm glibc-debuginfo-common-2.17-105.el7.i686.rpm glibc-debuginfo-common-2.17-105.el7.x86_64.rpm glibc-static-2.17-105.el7.i686.rpm glibc-static-2.17-105.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2013-7423
https://access.redhat.com/security/cve/CVE-2015-1472
https://access.redhat.com/security/cve/CVE-2015-1473
https://access.redhat.com/security/cve/CVE-2015-1781
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/articles/2050743

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFWTkEYXlSAg2UNWIIRAueyAJ98kB1kgF2zvCkEn5k70+Aq5ynM3QCfS8Lx
xSL2O69mtC2Sh4D4RYIP+2k=
=MEoD
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Nov 19 21:38:21 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 19 Nov 2015 16:38:21 -0500
Subject: [RHSA-2015:2231-04] Moderate: ntp security, bug fix, and enhancement update
Message-ID: <201511192138.tAJLcLao010824@int-mx09.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: ntp security, bug fix, and enhancement update
Advisory ID: RHSA-2015:2231-04
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-2231.html
Issue date: 2015-11-19
CVE Names: CVE-2014-9297 CVE-2014-9298 CVE-2014-9750 CVE-2014-9751 CVE-2015-1798 CVE-2015-1799 CVE-2015-3405
=====================================================================

1. Summary:

Updated ntp packages that fix multiple security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux Server (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - aarch64, noarch, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch, x86_64

3. Description:

The Network Time Protocol (NTP) is used to synchronize a computer's time with another referenced time source. These packages include the ntpd service which continuously adjusts system time and utilities used to query and configure the ntpd service.

It was found that because NTP's access control was based on a source IP address, an attacker could bypass source IP restrictions and send malicious control and configuration packets by spoofing ::1 addresses. (CVE-2014-9298, CVE-2014-9751)

A denial of service flaw was found in the way NTP hosts that were peering with each other authenticated themselves before updating their internal state variables. An attacker could send packets to one peer host, which could cascade to other peers, and stop the synchronization process among the reached peers. (CVE-2015-1799)

A flaw was found in the way the ntp-keygen utility generated MD5 symmetric keys on big-endian systems. An attacker could possibly use this flaw to guess generated MD5 keys, which could then be used to spoof an NTP client or server. (CVE-2015-3405)

A stack-based buffer overflow was found in the way the NTP autokey protocol was implemented. When an NTP client decrypted a secret received from an NTP server, it could cause that client to crash. (CVE-2014-9297, CVE-2014-9750)

It was found that ntpd did not check whether a Message Authentication Code (MAC) was present in a received packet when ntpd was configured to use symmetric cryptographic keys. A man-in-the-middle attacker could use this flaw to send crafted packets that would be accepted by a client or a peer without the attacker knowing the symmetric key. (CVE-2015-1798)

The CVE-2015-1798 and CVE-2015-1799 issues were discovered by Miroslav Lichvár of Red Hat.

Bug fixes:

* The ntpd service truncated symmetric keys specified in the key file to 20 bytes. As a consequence, it was impossible to configure NTP authentication to work with peers that use longer keys. With this update, the maximum key length has been changed to 32 bytes. (BZ#1191111)

* The ntpd service could previously join multicast groups only when starting, which caused problems if ntpd was started during system boot before network was configured. With this update, ntpd attempts to join multicast groups every time network configuration is changed. (BZ#1207014)

* Previously, the ntp-keygen utility used the exponent of 3 when generating RSA keys. Consequently, generating RSA keys failed when FIPS mode was enabled. With this update, ntp-keygen has been modified to use the exponent of 65537, and generating keys in FIPS mode now works as expected. (BZ#1191116)

* The ntpd service dropped incoming NTP packets if their source port was lower than 123 (the NTP port). With this update, ntpd no longer checks the source port number, and clients behind NAT are now able to correctly synchronize with the server. (BZ#1171640)

Enhancements:

* This update adds support for configurable Differentiated Services Code Points (DSCP) in NTP packets, simplifying configuration in large networks where different NTP implementations or versions are using different DSCP values. (BZ#1202828)

* This update adds the ability to configure separate clock stepping thresholds for each direction (backward and forward). Use the "stepback" and "stepfwd" options to configure each threshold. (BZ#1193154)

* Support for nanosecond resolution has been added to the Structural Health Monitoring (SHM) reference clock. Prior to this update, when a Precision Time Protocol (PTP) hardware clock was used as a time source to synchronize the system clock, the accuracy of the synchronization was limited due to the microsecond resolution of the SHM protocol. The nanosecond extension in the SHM protocol now allows sub-microsecond synchronization of the system clock. (BZ#1117702)

All ntp users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to: https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1117702 - SHM refclock doesn't support nanosecond resolution
1122012 - SHM refclock allows only two units with owner-only access
1171640 - NTP drops requests when sourceport is below 123
1180721 - ntp: mreadvar command crash in ntpq
1184572 - CVE-2014-9298 CVE-2014-9751 ntp: drop packets with source address ::1
1184573 - CVE-2014-9297 CVE-2014-9750 ntp: vallen in extension fields are not validated
1191108 - ntpd should warn when monitoring facility can't be disabled due to restrict configuration
1191122 - ntpd -x steps clock on leap second
1193154 - permit differential fwd/back threshold for step vs. slew [PATCH]
1199430 - CVE-2015-1798 ntp: ntpd accepts unauthenticated packets with symmetric key crypto
1199435 - CVE-2015-1799 ntp: authentication doesn't protect symmetric associations against DoS attacks
1210324 - CVE-2015-3405 ntp: ntp-keygen may generate non-random symmetric keys on big-endian systems

6. Package List:

Red Hat Enterprise Linux Client (v. 7):
Source: ntp-4.2.6p5-22.el7.src.rpm
x86_64: ntp-4.2.6p5-22.el7.x86_64.rpm ntp-debuginfo-4.2.6p5-22.el7.x86_64.rpm ntpdate-4.2.6p5-22.el7.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):
noarch: ntp-doc-4.2.6p5-22.el7.noarch.rpm ntp-perl-4.2.6p5-22.el7.noarch.rpm
x86_64: ntp-debuginfo-4.2.6p5-22.el7.x86_64.rpm sntp-4.2.6p5-22.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):
Source: ntp-4.2.6p5-22.el7.src.rpm
x86_64: ntp-4.2.6p5-22.el7.x86_64.rpm ntp-debuginfo-4.2.6p5-22.el7.x86_64.rpm ntpdate-4.2.6p5-22.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):
noarch: ntp-doc-4.2.6p5-22.el7.noarch.rpm ntp-perl-4.2.6p5-22.el7.noarch.rpm
x86_64: ntp-debuginfo-4.2.6p5-22.el7.x86_64.rpm sntp-4.2.6p5-22.el7.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):
Source: ntp-4.2.6p5-22.el7.src.rpm
aarch64: ntp-4.2.6p5-22.el7.aarch64.rpm ntp-debuginfo-4.2.6p5-22.el7.aarch64.rpm ntpdate-4.2.6p5-22.el7.aarch64.rpm
ppc64: ntp-4.2.6p5-22.el7.ppc64.rpm ntp-debuginfo-4.2.6p5-22.el7.ppc64.rpm ntpdate-4.2.6p5-22.el7.ppc64.rpm
ppc64le: ntp-4.2.6p5-22.el7.ppc64le.rpm ntp-debuginfo-4.2.6p5-22.el7.ppc64le.rpm ntpdate-4.2.6p5-22.el7.ppc64le.rpm
s390x: ntp-4.2.6p5-22.el7.s390x.rpm ntp-debuginfo-4.2.6p5-22.el7.s390x.rpm ntpdate-4.2.6p5-22.el7.s390x.rpm
x86_64: ntp-4.2.6p5-22.el7.x86_64.rpm ntp-debuginfo-4.2.6p5-22.el7.x86_64.rpm ntpdate-4.2.6p5-22.el7.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):
aarch64: ntp-debuginfo-4.2.6p5-22.el7.aarch64.rpm sntp-4.2.6p5-22.el7.aarch64.rpm
noarch: ntp-doc-4.2.6p5-22.el7.noarch.rpm ntp-perl-4.2.6p5-22.el7.noarch.rpm
ppc64: ntp-debuginfo-4.2.6p5-22.el7.ppc64.rpm sntp-4.2.6p5-22.el7.ppc64.rpm
ppc64le: ntp-debuginfo-4.2.6p5-22.el7.ppc64le.rpm sntp-4.2.6p5-22.el7.ppc64le.rpm
s390x: ntp-debuginfo-4.2.6p5-22.el7.s390x.rpm sntp-4.2.6p5-22.el7.s390x.rpm
x86_64: ntp-debuginfo-4.2.6p5-22.el7.x86_64.rpm sntp-4.2.6p5-22.el7.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):
Source: ntp-4.2.6p5-22.el7.src.rpm
x86_64: ntp-4.2.6p5-22.el7.x86_64.rpm ntp-debuginfo-4.2.6p5-22.el7.x86_64.rpm ntpdate-4.2.6p5-22.el7.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):
noarch: ntp-doc-4.2.6p5-22.el7.noarch.rpm ntp-perl-4.2.6p5-22.el7.noarch.rpm
x86_64: ntp-debuginfo-4.2.6p5-22.el7.x86_64.rpm sntp-4.2.6p5-22.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2014-9297
https://access.redhat.com/security/cve/CVE-2014-9298
https://access.redhat.com/security/cve/CVE-2014-9750
https://access.redhat.com/security/cve/CVE-2014-9751
https://access.redhat.com/security/cve/CVE-2015-1798
https://access.redhat.com/security/cve/CVE-2015-1799
https://access.redhat.com/security/cve/CVE-2015-3405
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
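The CVE-2015-1798 check from the ntp advisory above, as an added example that is not ntpd's code: an NTP packet is a 48-byte header optionally followed by a MAC, modelled here as the NTPv4 symmetric-key MD5 MAC (4-byte key ID, then MD5 of the key prepended to the header). A verifier that treats an absent MAC as "nothing to check" accepts packets from a sender who never had the key; the fixed variant requires the MAC whenever a key is configured for the association. Key IDs, key material and header field values are constructed.

```python
"""Added example (not ntpd's code): why a missing MAC must be rejected when an
NTP association is configured with a symmetric key (the CVE-2015-1798 bug class).

Constructed for the example: key IDs, key material and the header field values.
MAC layout modelled: 4-byte key ID followed by MD5(key || 48-byte header).
"""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48
KEY_ID_LEN = 4
MD5_DIGEST_LEN = 16
MD5_MAC_LEN = KEY_ID_LEN + MD5_DIGEST_LEN


def build_header(mode: int = 4, stratum: int = 2, transmit_ts: int = 0) -> bytes:
    """Build a minimal 48-byte NTPv4 header (LI=0, VN=4) with constructed fields."""
    li_vn_mode = (0 << 6) | (4 << 3) | (mode & 0x7)
    # li_vn_mode, stratum, poll, precision; then root delay, root dispersion,
    # reference ID and the four 64-bit timestamps (reference, origin, receive, transmit)
    head = struct.pack("!BBbb", li_vn_mode, stratum, 6, -20)
    rest = struct.pack("!IIIQQQQ", 0, 0, 0x4C4F434C, 0, 0, 0, transmit_ts)
    assert len(head + rest) == NTP_HEADER_LEN
    return head + rest


def compute_mac(key_id: int, key: bytes, header: bytes) -> bytes:
    """MAC = key ID || MD5(key || header), the classic ntpd MD5 construction."""
    digest = hashlib.md5(key + header).digest()
    return struct.pack("!I", key_id) + digest


def _verify_mac(header: bytes, mac: bytes, keys: dict) -> bool:
    """Check a present MAC against the trusted key table (constant-time compare)."""
    if len(mac) != MD5_MAC_LEN:
        return False
    key_id = struct.unpack("!I", mac[:KEY_ID_LEN])[0]
    key = keys.get(key_id)
    if key is None:
        return False
    expected = hashlib.md5(key + header).digest()
    return hmac.compare_digest(expected, mac[KEY_ID_LEN:])


def authenticate_vulnerable(packet: bytes, keys: dict) -> bool:
    """Buggy pattern: a packet carrying no MAC at all is treated as 'nothing to
    verify' and accepted, so knowledge of the key is never actually required."""
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    if len(header) < NTP_HEADER_LEN:
        return False
    if not mac:
        return True          # the flaw: absence of a MAC is not a failure
    return _verify_mac(header, mac, keys)


def authenticate_fixed(packet: bytes, keys: dict, key_required: bool) -> bool:
    """Fixed pattern: when the association is configured with a symmetric key,
    a missing MAC is an authentication failure, not a bypass."""
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    if len(header) < NTP_HEADER_LEN:
        return False
    if not mac:
        return not key_required
    return _verify_mac(header, mac, keys)


# Constructed key table and packets for a stand-alone run.
KEYS = {1: b"constructed-demo-key-not-real"}
GOOD_HEADER = build_header(transmit_ts=0x0123456789ABCDEF)
GOOD_PACKET = GOOD_HEADER + compute_mac(1, KEYS[1], GOOD_HEADER)


def demo() -> dict:
    """Return the accept/reject decisions worth comparing side by side."""
    unsigned = GOOD_HEADER                           # header only, no MAC
    tampered = bytearray(GOOD_PACKET)
    tampered[1] ^= 0x01                              # flip the stratum byte
    return {
        "signed_ok_fixed": authenticate_fixed(GOOD_PACKET, KEYS, True),
        "unsigned_vulnerable": authenticate_vulnerable(unsigned, KEYS),   # True: the bug
        "unsigned_fixed": authenticate_fixed(unsigned, KEYS, True),        # False
        "unsigned_no_key_configured": authenticate_fixed(unsigned, KEYS, False),
        "tampered_fixed": authenticate_fixed(bytes(tampered), KEYS, True),
        "unknown_key_id": authenticate_fixed(
            GOOD_HEADER + compute_mac(2, KEYS[1], GOOD_HEADER), KEYS, True),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:28s} -> {'accepted' if accepted else 'rejected'}")
```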
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD4DBQFWTkFJXlSAg2UNWIIRAphzAKCRHDVdHI5OvJ8glkXYLBwyQgeyvwCYmTV3
1hLTu5I/PUzWOnD8rRIlZQ==
=sWdG
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Nov 19 21:38:37 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 19 Nov 2015 16:38:37 -0500
Subject: [RHSA-2015:2233-03] Moderate: tigervnc security, bug fix, and enhancement update
Message-ID: <201511192138.tAJLcbqS010954@int-mx09.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: tigervnc security, bug fix, and enhancement update
Advisory ID: RHSA-2015:2233-03
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-2233.html
Issue date: 2015-11-19
CVE Names: CVE-2014-8240 CVE-2014-8241
=====================================================================

1. Summary:

Updated tigervnc packages that fix two security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - noarch, x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - noarch, x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux Server (v. 7) - aarch64, noarch, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - aarch64, noarch, ppc64, ppc64le, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch, x86_64

3. Description:

Virtual Network Computing (VNC) is a remote display system which allows users to view a computing desktop environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine architectures. TigerVNC is a suite of VNC servers and clients. The tigervnc packages contain a client which allows users to connect to other desktops running a VNC server.

An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way TigerVNC handled screen sizes. A malicious VNC server could use this flaw to cause a client to crash or, potentially, execute arbitrary code on the client. (CVE-2014-8240)

A NULL pointer dereference flaw was found in TigerVNC's XRegion. A malicious VNC server could use this flaw to cause a client to crash. (CVE-2014-8241)

The tigervnc packages have been upgraded to upstream version 1.3.1, which provides a number of bug fixes and enhancements over the previous version. (BZ#1199453)

This update also fixes the following bug:

* The position of the mouse cursor in the VNC session was not correctly communicated to the VNC viewer, resulting in cursor misplacement. The method of displaying the remote cursor has been changed, and cursor movements on the VNC server are now accurately reflected on the VNC client. (BZ#1100661)

All tigervnc users are advised to upgrade to these updated packages, which correct these issues and add these enhancements.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to: https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1072733 - vnc black screen and error 'XRequest.130: BadValue (integer parameter out of range for operation) 0x400'
1119640 - VNC-EXTENSION missed on Xorg server regeneration
1151307 - CVE-2014-8240 tigervnc: integer overflow flaw, leading to a heap-based buffer overflow in screen size handling
1151312 - CVE-2014-8241 tigervnc: NULL pointer dereference flaw in XRegion
1162722 - tigervnc-server has no IPV6 support
1181287 - gnome 3 session inside vncserver changes initial resolution instead of using what was specified from "-geometry
1194898 - Rebuild tigervnc against rebased xserver in 7.2
1195266 - The display number is not required in the file name for VNC
1199437 - Enable Xinerama extension
1199453 - Re-base to tigervnc-1.3.x

6. Package List:

Red Hat Enterprise Linux Client (v. 7):
Source: tigervnc-1.3.1-3.el7.src.rpm
noarch: tigervnc-icons-1.3.1-3.el7.noarch.rpm tigervnc-license-1.3.1-3.el7.noarch.rpm
x86_64: tigervnc-1.3.1-3.el7.x86_64.rpm tigervnc-debuginfo-1.3.1-3.el7.x86_64.rpm tigervnc-server-1.3.1-3.el7.x86_64.rpm tigervnc-server-minimal-1.3.1-3.el7.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):
noarch: tigervnc-server-applet-1.3.1-3.el7.noarch.rpm
x86_64: tigervnc-debuginfo-1.3.1-3.el7.x86_64.rpm tigervnc-server-module-1.3.1-3.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):
Source: tigervnc-1.3.1-3.el7.src.rpm
noarch: tigervnc-license-1.3.1-3.el7.noarch.rpm
x86_64: tigervnc-debuginfo-1.3.1-3.el7.x86_64.rpm tigervnc-server-minimal-1.3.1-3.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):
noarch: tigervnc-icons-1.3.1-3.el7.noarch.rpm tigervnc-server-applet-1.3.1-3.el7.noarch.rpm
x86_64: tigervnc-1.3.1-3.el7.x86_64.rpm tigervnc-debuginfo-1.3.1-3.el7.x86_64.rpm tigervnc-server-1.3.1-3.el7.x86_64.rpm tigervnc-server-module-1.3.1-3.el7.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):
Source: tigervnc-1.3.1-3.el7.src.rpm
aarch64: tigervnc-1.3.1-3.el7.aarch64.rpm tigervnc-debuginfo-1.3.1-3.el7.aarch64.rpm tigervnc-server-1.3.1-3.el7.aarch64.rpm tigervnc-server-minimal-1.3.1-3.el7.aarch64.rpm
noarch: tigervnc-icons-1.3.1-3.el7.noarch.rpm tigervnc-license-1.3.1-3.el7.noarch.rpm
ppc64: tigervnc-1.3.1-3.el7.ppc64.rpm tigervnc-debuginfo-1.3.1-3.el7.ppc64.rpm tigervnc-server-1.3.1-3.el7.ppc64.rpm tigervnc-server-minimal-1.3.1-3.el7.ppc64.rpm
ppc64le: tigervnc-1.3.1-3.el7.ppc64le.rpm tigervnc-debuginfo-1.3.1-3.el7.ppc64le.rpm tigervnc-server-1.3.1-3.el7.ppc64le.rpm tigervnc-server-minimal-1.3.1-3.el7.ppc64le.rpm
s390x: tigervnc-1.3.1-3.el7.s390x.rpm tigervnc-debuginfo-1.3.1-3.el7.s390x.rpm tigervnc-server-1.3.1-3.el7.s390x.rpm tigervnc-server-minimal-1.3.1-3.el7.s390x.rpm
x86_64: tigervnc-1.3.1-3.el7.x86_64.rpm tigervnc-debuginfo-1.3.1-3.el7.x86_64.rpm tigervnc-server-1.3.1-3.el7.x86_64.rpm tigervnc-server-minimal-1.3.1-3.el7.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):
aarch64: tigervnc-debuginfo-1.3.1-3.el7.aarch64.rpm tigervnc-server-module-1.3.1-3.el7.aarch64.rpm
noarch: tigervnc-server-applet-1.3.1-3.el7.noarch.rpm
ppc64: tigervnc-debuginfo-1.3.1-3.el7.ppc64.rpm tigervnc-server-module-1.3.1-3.el7.ppc64.rpm
ppc64le: tigervnc-debuginfo-1.3.1-3.el7.ppc64le.rpm tigervnc-server-module-1.3.1-3.el7.ppc64le.rpm
x86_64: tigervnc-debuginfo-1.3.1-3.el7.x86_64.rpm tigervnc-server-module-1.3.1-3.el7.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):
Source: tigervnc-1.3.1-3.el7.src.rpm
noarch: tigervnc-icons-1.3.1-3.el7.noarch.rpm tigervnc-license-1.3.1-3.el7.noarch.rpm
x86_64: tigervnc-1.3.1-3.el7.x86_64.rpm tigervnc-debuginfo-1.3.1-3.el7.x86_64.rpm tigervnc-server-1.3.1-3.el7.x86_64.rpm tigervnc-server-minimal-1.3.1-3.el7.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):
noarch: tigervnc-server-applet-1.3.1-3.el7.noarch.rpm
x86_64: tigervnc-debuginfo-1.3.1-3.el7.x86_64.rpm tigervnc-server-module-1.3.1-3.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2014-8240
https://access.redhat.com/security/cve/CVE-2014-8241
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFWTkFbXlSAg2UNWIIRApcmAJ9ZlXEToKIsDNrTFr5FRkcRISLqugCggmed
562fPnuqRjojP14BU4Imu04=
=TyNg
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Nov 19 21:38:52 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 19 Nov 2015 16:38:52 -0500
Subject: [RHSA-2015:2237-03] Low: rest security update
Message-ID: <201511192138.tAJLcqOH015523@int-mx10.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Low: rest security update
Advisory ID: RHSA-2015:2237-03
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-2237.html
Issue date: 2015-11-19
CVE Names: CVE-2015-2675
=====================================================================

1. Summary:

Updated rest packages that fix one security issue are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v.
7) - x86_64 Red Hat Enterprise Linux Client Optional (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64 Red Hat Enterprise Linux Server (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 7) - x86_64 Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64 3. Description: The rest library was designed to make it easier to access web services that claim to be RESTful. A RESTful service should have URLs that represent remote objects, which methods can then be called on. It was found that the OAuth implementation in librest, a helper library for RESTful services, incorrectly truncated the pointer returned by the rest_proxy_call_get_url call. An attacker could use this flaw to crash an application using the librest library. (CVE-2015-2675) All users of rest are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the update, all applications using librest must be restarted for the update to take effect. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1183982 - Memory corruption when using oauth because of implicit declaration of rest_proxy_call_get_url 1199049 - CVE-2015-2675 rest: memory corruption when using oauth because of implicit declaration of rest_proxy_call_get_url 6. Package List: Red Hat Enterprise Linux Client (v. 7): Source: rest-0.7.92-3.el7.src.rpm x86_64: rest-0.7.92-3.el7.i686.rpm rest-0.7.92-3.el7.x86_64.rpm rest-debuginfo-0.7.92-3.el7.i686.rpm rest-debuginfo-0.7.92-3.el7.x86_64.rpm Red Hat Enterprise Linux Client Optional (v. 
7): x86_64: rest-debuginfo-0.7.92-3.el7.i686.rpm rest-debuginfo-0.7.92-3.el7.x86_64.rpm rest-devel-0.7.92-3.el7.i686.rpm rest-devel-0.7.92-3.el7.x86_64.rpm Red Hat Enterprise Linux ComputeNode (v. 7): Source: rest-0.7.92-3.el7.src.rpm x86_64: rest-0.7.92-3.el7.i686.rpm rest-0.7.92-3.el7.x86_64.rpm rest-debuginfo-0.7.92-3.el7.i686.rpm rest-debuginfo-0.7.92-3.el7.x86_64.rpm Red Hat Enterprise Linux ComputeNode Optional (v. 7): x86_64: rest-debuginfo-0.7.92-3.el7.i686.rpm rest-debuginfo-0.7.92-3.el7.x86_64.rpm rest-devel-0.7.92-3.el7.i686.rpm rest-devel-0.7.92-3.el7.x86_64.rpm Red Hat Enterprise Linux Server (v. 7): Source: rest-0.7.92-3.el7.src.rpm aarch64: rest-0.7.92-3.el7.aarch64.rpm rest-debuginfo-0.7.92-3.el7.aarch64.rpm ppc64: rest-0.7.92-3.el7.ppc.rpm rest-0.7.92-3.el7.ppc64.rpm rest-debuginfo-0.7.92-3.el7.ppc.rpm rest-debuginfo-0.7.92-3.el7.ppc64.rpm ppc64le: rest-0.7.92-3.el7.ppc64le.rpm rest-debuginfo-0.7.92-3.el7.ppc64le.rpm s390x: rest-0.7.92-3.el7.s390.rpm rest-0.7.92-3.el7.s390x.rpm rest-debuginfo-0.7.92-3.el7.s390.rpm rest-debuginfo-0.7.92-3.el7.s390x.rpm x86_64: rest-0.7.92-3.el7.i686.rpm rest-0.7.92-3.el7.x86_64.rpm rest-debuginfo-0.7.92-3.el7.i686.rpm rest-debuginfo-0.7.92-3.el7.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 7): aarch64: rest-debuginfo-0.7.92-3.el7.aarch64.rpm rest-devel-0.7.92-3.el7.aarch64.rpm ppc64: rest-debuginfo-0.7.92-3.el7.ppc.rpm rest-debuginfo-0.7.92-3.el7.ppc64.rpm rest-devel-0.7.92-3.el7.ppc.rpm rest-devel-0.7.92-3.el7.ppc64.rpm ppc64le: rest-debuginfo-0.7.92-3.el7.ppc64le.rpm rest-devel-0.7.92-3.el7.ppc64le.rpm s390x: rest-debuginfo-0.7.92-3.el7.s390.rpm rest-debuginfo-0.7.92-3.el7.s390x.rpm rest-devel-0.7.92-3.el7.s390.rpm rest-devel-0.7.92-3.el7.s390x.rpm x86_64: rest-debuginfo-0.7.92-3.el7.i686.rpm rest-debuginfo-0.7.92-3.el7.x86_64.rpm rest-devel-0.7.92-3.el7.i686.rpm rest-devel-0.7.92-3.el7.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 
7): Source: rest-0.7.92-3.el7.src.rpm x86_64: rest-0.7.92-3.el7.i686.rpm rest-0.7.92-3.el7.x86_64.rpm rest-debuginfo-0.7.92-3.el7.i686.rpm rest-debuginfo-0.7.92-3.el7.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 7): x86_64: rest-debuginfo-0.7.92-3.el7.i686.rpm rest-debuginfo-0.7.92-3.el7.x86_64.rpm rest-devel-0.7.92-3.el7.i686.rpm rest-devel-0.7.92-3.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2015-2675 https://access.redhat.com/security/updates/classification/#low 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2015 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFWTkFrXlSAg2UNWIIRAs4WAJ4lqg3HGVnkd8q2pF+zRdV2+SbU4wCgoOOa y+cnHn+FcL0VgTqgVr0YUKk= =bSun -----END PGP SIGNATURE----- From bugzilla at redhat.com Thu Nov 19 21:39:03 2015 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 19 Nov 2015 16:39:03 -0500 Subject: [RHSA-2015:2241-03] Moderate: chrony security, bug fix, and enhancement update Message-ID: <201511192139.tAJLd3wN011196@int-mx09.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: chrony security, bug fix, and enhancement update Advisory ID: RHSA-2015:2241-03 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-2241.html Issue date: 2015-11-19 CVE Names: CVE-2015-1821 CVE-2015-1822 CVE-2015-1853 ===================================================================== 1. Summary: Updated chrony packages that fix three security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7. 
Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64

3. Description:

The chrony suite, chronyd and chronyc, is an advanced implementation of the Network Time Protocol (NTP), specially designed to support systems with intermittent connections. It can synchronize the system clock with NTP servers, hardware reference clocks, and manual input. It can also operate as an NTPv4 (RFC 5905) server or peer to provide a time service to other computers in the network.

An out-of-bounds write flaw was found in the way chrony stored certain addresses when configuring NTP or cmdmon access. An attacker that has the command key and is allowed to access cmdmon (only localhost is allowed by default) could use this flaw to crash chronyd or, possibly, execute arbitrary code with the privileges of the chronyd process. (CVE-2015-1821)

An uninitialized pointer use flaw was found when allocating memory to save unacknowledged replies to authenticated command requests. An attacker that has the command key and is allowed to access cmdmon (only localhost is allowed by default) could use this flaw to crash chronyd or, possibly, execute arbitrary code with the privileges of the chronyd process. (CVE-2015-1822)

A denial of service flaw was found in the way chrony hosts that were peering with each other authenticated themselves before updating their internal state variables. An attacker could send packets to one peer host, which could cascade to other peers, and stop the synchronization process among the reached peers. (CVE-2015-1853)

These issues were discovered by Miroslav Lichvár of Red Hat.

The chrony packages have been upgraded to upstream version 2.1.1, which provides a number of bug fixes and enhancements over the previous version. Notable enhancements include:

* Updated to NTP version 4 (RFC 5905)
* Added pool directive to specify pool of NTP servers
* Added leapsecmode directive to select how to correct clock for leap second
* Added smoothtime directive to smooth served time and enable leap smear
* Added asynchronous name resolving with POSIX threads
* Ready for year 2036 (next NTP era)
* Improved clock control
* Networking code reworked to open separate client sockets for each NTP server

(BZ#1117882)

This update also fixes the following bug:

* The chronyd service previously assumed that network interfaces specified with the "bindaddress" directive were ready when the service was started. This could cause chronyd to fail to bind an NTP server socket to the interface if the interface was not ready. With this update, chronyd uses the IP_FREEBIND socket option, enabling it to bind to an interface later, not only when the service starts. (BZ#1169353)

In addition, this update adds the following enhancement:

* The chronyd service now supports four modes of handling leap seconds, configured using the "leapsecmode" option. The clock can be either stepped by the kernel (the default "system" mode), stepped by chronyd ("step" mode), slowly adjusted by slewing ("slew" mode), or the leap second can be ignored and corrected later in normal operation ("ignore" mode). If you select slewing, the correction will always start at 00:00:00 UTC and will be applied at a rate specified in the "maxslewrate" option. (BZ#1206504)

All chrony users are advised to upgrade to these updated packages, which correct these issues and add these enhancements.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.
For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1117882 - rebase chrony to 2.1.1 1169353 - Chronyd not starting with bindaddress option set to bond interface 1206504 - RFE: option to correct clock for leap second by slewing 1209568 - RFE: add option for leap smear 1209572 - CVE-2015-1853 chrony: authentication doesn't protect symmetric associations against DoS attacks 1209631 - CVE-2015-1821 chrony: Heap out of bound write in address filter 1209632 - CVE-2015-1822 chrony: uninitialized pointer in cmdmon reply slots 1211600 - RFE: add support for SRV _ntp._udp resolution 1219492 - Use iburst option for NTP servers from DHCP 6. Package List: Red Hat Enterprise Linux Client (v. 7): Source: chrony-2.1.1-1.el7.src.rpm x86_64: chrony-2.1.1-1.el7.x86_64.rpm chrony-debuginfo-2.1.1-1.el7.x86_64.rpm Red Hat Enterprise Linux ComputeNode (v. 7): Source: chrony-2.1.1-1.el7.src.rpm x86_64: chrony-2.1.1-1.el7.x86_64.rpm chrony-debuginfo-2.1.1-1.el7.x86_64.rpm Red Hat Enterprise Linux Server (v. 7): Source: chrony-2.1.1-1.el7.src.rpm aarch64: chrony-2.1.1-1.el7.aarch64.rpm chrony-debuginfo-2.1.1-1.el7.aarch64.rpm ppc64: chrony-2.1.1-1.el7.ppc64.rpm chrony-debuginfo-2.1.1-1.el7.ppc64.rpm ppc64le: chrony-2.1.1-1.el7.ppc64le.rpm chrony-debuginfo-2.1.1-1.el7.ppc64le.rpm s390x: chrony-2.1.1-1.el7.s390x.rpm chrony-debuginfo-2.1.1-1.el7.s390x.rpm x86_64: chrony-2.1.1-1.el7.x86_64.rpm chrony-debuginfo-2.1.1-1.el7.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 7): Source: chrony-2.1.1-1.el7.src.rpm x86_64: chrony-2.1.1-1.el7.x86_64.rpm chrony-debuginfo-2.1.1-1.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. 
References: https://access.redhat.com/security/cve/CVE-2015-1821 https://access.redhat.com/security/cve/CVE-2015-1822 https://access.redhat.com/security/cve/CVE-2015-1853 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2015 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFWTkF2XlSAg2UNWIIRAtUhAJ9VLqWZCrDEOFZAG5EROQf+FH02MwCfcP3l cqxZgb5BDquCIrAAy6riOZQ= =u/rC -----END PGP SIGNATURE----- From bugzilla at redhat.com Thu Nov 19 21:39:19 2015 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 19 Nov 2015 16:39:19 -0500 Subject: [RHSA-2015:2248-03] Moderate: netcf security, bug fix, and enhancement update Message-ID: <201511192139.tAJLdJvh015980@int-mx10.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: netcf security, bug fix, and enhancement update Advisory ID: RHSA-2015:2248-03 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-2248.html Issue date: 2015-11-19 CVE Names: CVE-2014-8119 ===================================================================== 1. Summary: Updated netcf packages that fix one security issue, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Client (v. 7) - x86_64 Red Hat Enterprise Linux Client Optional (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64 Red Hat Enterprise Linux Server (v. 
7) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 7) - x86_64 Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64 3. Description: The netcf packages contain a library for modifying the network configuration of a system. Network configuration is expressed in a platform-independent XML format, which netcf translates into changes to the system's "native" network configuration files. A denial of service flaw was found in netcf. A specially crafted interface name could cause an application using netcf (such as the libvirt daemon) to crash. (CVE-2014-8119) This issue was discovered by Hao Liu of Red Hat. The netcf packages have been upgraded to upstream version 0.2.8, which provides a number of bug fixes and enhancements over the previous version. (BZ#1206680) Users of netcf are advised to upgrade to these updated packages, which fix these bugs and add these enhancements. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 761246 - Bad parsing of network-scripts/ifcfg-xxxx files. 1090011 - Need to limit names of new interfaces to IFNAMSIZ 1113983 - netcf should allow interfaces to be configured with both DHCPv4 and static IPv4 addresses at the same time 1159000 - netcf ignores any IPv4 address past the first one 1170941 - Remove extraneous single quotes from IPV6ADDR_SECONDARIES 1172176 - CVE-2014-8119 netcf: augeas path expression injection via interface name 1206680 - rebase netcf for RHEL7.2 6. Package List: Red Hat Enterprise Linux Client (v. 
7): Source: netcf-0.2.8-1.el7.src.rpm x86_64: netcf-debuginfo-0.2.8-1.el7.i686.rpm netcf-debuginfo-0.2.8-1.el7.x86_64.rpm netcf-libs-0.2.8-1.el7.i686.rpm netcf-libs-0.2.8-1.el7.x86_64.rpm Red Hat Enterprise Linux Client Optional (v. 7): x86_64: netcf-0.2.8-1.el7.x86_64.rpm netcf-debuginfo-0.2.8-1.el7.i686.rpm netcf-debuginfo-0.2.8-1.el7.x86_64.rpm netcf-devel-0.2.8-1.el7.i686.rpm netcf-devel-0.2.8-1.el7.x86_64.rpm Red Hat Enterprise Linux ComputeNode Optional (v. 7): Source: netcf-0.2.8-1.el7.src.rpm x86_64: netcf-0.2.8-1.el7.x86_64.rpm netcf-debuginfo-0.2.8-1.el7.i686.rpm netcf-debuginfo-0.2.8-1.el7.x86_64.rpm netcf-devel-0.2.8-1.el7.i686.rpm netcf-devel-0.2.8-1.el7.x86_64.rpm netcf-libs-0.2.8-1.el7.i686.rpm netcf-libs-0.2.8-1.el7.x86_64.rpm Red Hat Enterprise Linux Server (v. 7): Source: netcf-0.2.8-1.el7.src.rpm ppc64: netcf-debuginfo-0.2.8-1.el7.ppc.rpm netcf-debuginfo-0.2.8-1.el7.ppc64.rpm netcf-libs-0.2.8-1.el7.ppc.rpm netcf-libs-0.2.8-1.el7.ppc64.rpm ppc64le: netcf-debuginfo-0.2.8-1.el7.ppc64le.rpm netcf-libs-0.2.8-1.el7.ppc64le.rpm s390x: netcf-debuginfo-0.2.8-1.el7.s390.rpm netcf-debuginfo-0.2.8-1.el7.s390x.rpm netcf-libs-0.2.8-1.el7.s390.rpm netcf-libs-0.2.8-1.el7.s390x.rpm x86_64: netcf-debuginfo-0.2.8-1.el7.i686.rpm netcf-debuginfo-0.2.8-1.el7.x86_64.rpm netcf-libs-0.2.8-1.el7.i686.rpm netcf-libs-0.2.8-1.el7.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 
7): ppc64: netcf-0.2.8-1.el7.ppc64.rpm netcf-debuginfo-0.2.8-1.el7.ppc.rpm netcf-debuginfo-0.2.8-1.el7.ppc64.rpm netcf-devel-0.2.8-1.el7.ppc.rpm netcf-devel-0.2.8-1.el7.ppc64.rpm ppc64le: netcf-0.2.8-1.el7.ppc64le.rpm netcf-debuginfo-0.2.8-1.el7.ppc64le.rpm netcf-devel-0.2.8-1.el7.ppc64le.rpm s390x: netcf-0.2.8-1.el7.s390x.rpm netcf-debuginfo-0.2.8-1.el7.s390.rpm netcf-debuginfo-0.2.8-1.el7.s390x.rpm netcf-devel-0.2.8-1.el7.s390.rpm netcf-devel-0.2.8-1.el7.s390x.rpm x86_64: netcf-0.2.8-1.el7.x86_64.rpm netcf-debuginfo-0.2.8-1.el7.i686.rpm netcf-debuginfo-0.2.8-1.el7.x86_64.rpm netcf-devel-0.2.8-1.el7.i686.rpm netcf-devel-0.2.8-1.el7.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 7): Source: netcf-0.2.8-1.el7.src.rpm x86_64: netcf-debuginfo-0.2.8-1.el7.i686.rpm netcf-debuginfo-0.2.8-1.el7.x86_64.rpm netcf-libs-0.2.8-1.el7.i686.rpm netcf-libs-0.2.8-1.el7.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 7): x86_64: netcf-0.2.8-1.el7.x86_64.rpm netcf-debuginfo-0.2.8-1.el7.i686.rpm netcf-debuginfo-0.2.8-1.el7.x86_64.rpm netcf-devel-0.2.8-1.el7.i686.rpm netcf-devel-0.2.8-1.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2014-8119 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2015 Red Hat, Inc. 
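The netcf flaw above (CVE-2014-8119, "augeas path expression injection via interface name") and bug 1090011 ("limit names of new interfaces to IFNAMSIZ") both turn on what is accepted as an interface name before it is spliced into an Augeas path expression. The C program below is an added example, not netcf's code: it shows the unchecked formatting of such an expression next to a validator that enforces the IFNAMSIZ limit and an allowlist of characters. The path expression, the allowlist and the function names are assumptions made for this example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define IFNAMSIZ 16   /* Linux limit, counting the terminating NUL (<net/if.h>) */

/* Assumed path expression; netcf's real lenses and paths are not reproduced. */
#define IFCFG_BY_DEVICE "/files/etc/sysconfig/network-scripts/*[DEVICE = '%s']"

/* Allowlist validator.  It enforces the kernel's length rule (1..IFNAMSIZ-1
 * bytes) and goes further than the kernel's dev_valid_name(), which only
 * rejects '/', ':' and whitespace, by admitting just [A-Za-z0-9_.-]: none of
 * those characters can close a quoted string or a predicate in an Augeas
 * path expression. */
bool valid_ifname(const char *name) {
    size_t n = strlen(name);
    if (n == 0 || n >= IFNAMSIZ) return false;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '_' && c != '-' && c != '.') return false;
    }
    return true;
}

/* The vulnerable pattern: the caller's name is spliced straight into the
 * expression, so a name containing ' ] or * rewrites the query that is run
 * against the Augeas tree.  Returns -1 only when the buffer is too small. */
int format_device_path(const char *ifname, char *out, size_t outlen) {
    int n = snprintf(out, outlen, IFCFG_BY_DEVICE, ifname);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Hardened form: nothing reaches the expression unless it passed the allowlist. */
int build_device_path(const char *ifname, char *out, size_t outlen) {
    if (!valid_ifname(ifname)) return -1;
    return format_device_path(ifname, out, outlen);
}

int main(void) {
    /* Constructed inputs: two ordinary names, one injection attempt, one
     * 16-byte name that exceeds IFNAMSIZ-1. */
    const char *names[] = { "eth0", "br-lan.100", "eth0'] | /files/etc/hosts/*['",
                            "abcdefghijklmnop" };
    char path[128];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (build_device_path(names[i], path, sizeof path) == 0)
            printf("accepted: %s\n", path);
        else
            printf("rejected: %s\n", names[i]);
    }
    return 0;
}
```

Validate at the boundary where the name enters the library, as here, rather than trying to escape quotes inside the expression: the allowlist also keeps names the kernel would refuse anyway from ever reaching the Augeas tree.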
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFWTkGGXlSAg2UNWIIRAu8VAJ9jshyZO0h9q0q7zXwJtiMIhK57UwCfSdt0
po//IgM5HcNroeKxchz7ycw=
=mSNE
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Nov 19 21:40:42 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 19 Nov 2015 16:40:42 -0500
Subject: [RHSA-2015:2290-01] Moderate: pcs security, bug fix, and enhancement update
Message-ID: <201511192140.tAJLeglU017120@int-mx10.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: pcs security, bug fix, and enhancement update
Advisory ID: RHSA-2015:2290-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-2290.html
Issue date: 2015-11-19
CVE Names: CVE-2015-3225
=====================================================================

1. Summary:

An updated pcs package that fixes one security issue, several bugs, and adds various enhancements is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Server High Availability (v. 7) - s390x, x86_64
Red Hat Enterprise Linux Server Resilient Storage (v. 7) - s390x, x86_64

3. Description:

The pcs package provides a configuration tool for Corosync and Pacemaker. It permits users to easily view, modify and create Pacemaker based clusters. The pcs package includes Rack, which provides a minimal interface between webservers that support Ruby and Ruby frameworks.

A flaw was found in the way Rack processed parameters of incoming requests. An attacker could use this flaw to send a crafted request that would cause an application using Rack to crash. (CVE-2015-3225)

Red Hat would like to thank Ruby upstream developers for reporting this. Upstream acknowledges Tomek Rabczak from the NCC Group as the original reporter.

The pcs package has been upgraded to upstream version 0.9.143, which provides a number of bug fixes and enhancements over the previous version. (BZ#1198265)

The following enhancements are described in more detail in the Red Hat Enterprise Linux 7.2 Release Notes, linked to from the References section:

* The pcs resource move and pcs resource ban commands now display a warning message to clarify the commands' behavior (BZ#1201452)
* New command to move a Pacemaker resource to its preferred node (BZ#1122818)

This update also fixes the following bugs:

* Before this update, a bug caused location, ordering, and colocation constraints related to a resource group to be removed when removing any resource from that group. This bug has been fixed, and the constraints are now preserved until the group has no resources left, and is removed. (BZ#1158537)

* Previously, when a user disabled a resource clone or multi-state resource, and then later enabled a primitive resource within it, the clone or multi-state resource remained disabled. With this update, enabling a resource within a disabled clone or multi-state resource enables it. (BZ#1218979)

* When the web UI displayed a list of resource attributes, a bug caused the list to be truncated at the first "=" character. This update fixes the bug and now the web UI displays lists of resource attributes correctly. (BZ#1243579)

* The documentation for the "pcs stonith confirm" command was not clear. This could lead to incorrect usage of the command, which could in turn cause data corruption. With this update, the documentation has been improved and the "pcs stonith confirm" command is now more clearly explained. (BZ#1245264)

* Previously, if there were any unauthenticated nodes, creating a new cluster, adding a node to an existing cluster, or adding a cluster to the web UI failed with the message "Node is not authenticated". With this update, when the web UI detects a problem with authentication, the web UI displays a dialog to authenticate nodes as necessary. (BZ#1158569)

* Previously, the web UI displayed only primitive resources. Thus there was no way to set attributes, constraints and other properties separately for a parent resource and a child resource. This has now been fixed, and resources are displayed in a tree structure, meaning all resource elements can be viewed and edited independently. (BZ#1189857)

In addition, this update adds the following enhancements:

* A dashboard has been added which shows the status of clusters in the web UI. Previously, it was not possible to view all important information about clusters in one place. Now, a dashboard showing the status of clusters has been added to the main page of the web UI. (BZ#1158566)

* With this update, the pcsd daemon automatically synchronizes pcsd configuration across a cluster. This enables the web UI to be run from any node, allowing management even if any particular node is down. (BZ#1158577)

* The web UI can now be used to set permissions for users and groups on a cluster. This allows users and groups to have their access restricted to certain operations on certain clusters. (BZ#1158571)

All pcs users are advised to upgrade to this updated package, which corrects these issues and adds these enhancements.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5.
Bugs fixed (https://bugzilla.redhat.com/):

1121791 - Provide documentation of batch-limit and other pacemaker properties in man page or pcs help
1134426 - pcs needs a better parser for corosync.conf
1148863 - Pcsd backward/forward compatibility issues
1158491 - 'pcs cluster status' is documented to be an alias to 'pcs status cluster' but has different output
1158537 - Removing a resource from a group also removes constraints mentioning that group
1158571 - user and group support in gui - permissions to clusters managed by pcsd
1163671 - [RFE] Default corosync configuration should log to file
1163682 - nodes authentication stops if failed on one node
1165803 - pcs CLI should recognize and act upon "fail due to lack of authentication" state if/as suitable (e.g. for "pcs config restore")
1166160 - 'pcs acl role create' does not check syntax properly
1170205 - pcs cluster auth --force doesn't overwrite /var/lib/pcsd/tokens if its content is corrupt
1175400 - pcs resource op add creates duplicate op entries
1176687 - Pacemaker resource defaults should show up in 'pcs config' output
1182119 - A cloned resource banned on one of the nodes is shown as Inactive in GUI
1182793 - When attempting to add a duplicate fence level we get a non-useful error message
1182986 - Unable to find out value for require-all parameter for ordering constraint with clones
1183752 - Unable to delete VirtualDomain resource remote-node when it has configured some constraints
1185096 - debug-promote implementation
1186692 - cluster node removal should verify possible loss of quorum
1187320 - Uncloning a non-cloned resource produces invalid CIB
1187571 - ungrouping a resource from a cloned group produces invalid CIB when other resources exist in that group
1188571 - The --wait functionality implementation needs an overhaul
1189857 - need a tree view for clones/MS/groups in the resource panel [GUI]
1196412 - pcs cluster start should go to pcsd if user is not root
1197758 - pcs does not inform about incorrect command usage (pcs constraint order set)
1198222 - pcsd: GUI fails if orphaned resource is present in a cluster
1198265 - PCS Rebase bug for 7.2
1198274 - pcsd: don't automatically use --force every time a resource is being removed
1198640 - [WebUI] spaces not allowed in resource agent options fields
1199073 - creating a resource name colliding with an existing group/clone/master ID needs better error message
1202457 - Referencing a non-existent ACL role should error out more gracefully
1204880 - pcs: stonith level value checking
1205653 - pcsd gui is not able to remove constraints and standby/unstandby nodes of remote cluster
1206214 - Formatting of longdesc metadata of resource agent is destroyed when using "pcs resource describe"
1206219 - pcs stonith describe only lists parameters of fence agent, but not description
1207805 - Need a way for pcs to clear out auth tokens
1212904 - better integration with standalone (unbundled) clufter package for cluster configuration conversion
1213429 - Cluster request fails on first node if this is not authorized
1215198 - pcsd: GUI ignores timeout value in fence_xvm agent form
1219574 - [gui] resource optional arguments: quoted strings missing
1231987 - pcs ought to require psmisc package (hidden dependency for killall execution)
1232292 - CVE-2015-3225 rubygem-rack: Potential Denial of Service Vulnerability in Rack normalize_params()
1235022 - Nagios metadata is missing
1247818 - pcs depends on initscripts
1250720 - traceback when running 'pcs resource enable clvmd --wait'
1253491 - pcs status pcsd shows "Unable to authenticate" on serial console
1257369 - pcs should print the output of crm_resource from pcs resource cleanup commands
1258619 - Ruby traceback on pcsd startup - /webrick.rb:48:in `shutdown': undefined method `shutdown'
1265425 - pcs is not parsing the output of crm_node properly
1268801 - A change in "crm_resource --set-parameter is-managed" introduces regression for Clone and M/S resources

6.
Package List: Red Hat Enterprise Linux Server High Availability (v. 7): Source: pcs-0.9.143-15.el7.src.rpm s390x: pcs-0.9.143-15.el7.s390x.rpm pcs-debuginfo-0.9.143-15.el7.s390x.rpm x86_64: pcs-0.9.143-15.el7.x86_64.rpm pcs-debuginfo-0.9.143-15.el7.x86_64.rpm Red Hat Enterprise Linux Server Resilient Storage (v. 7): Source: pcs-0.9.143-15.el7.src.rpm s390x: pcs-0.9.143-15.el7.s390x.rpm pcs-debuginfo-0.9.143-15.el7.s390x.rpm x86_64: pcs-0.9.143-15.el7.x86_64.rpm pcs-debuginfo-0.9.143-15.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2015-3225 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/High_Availability_Add-On_Reference/ https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/7.2_Release_Notes/index.html 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2015 Red Hat, Inc. 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFWTkHZXlSAg2UNWIIRAuqcAKCBXYt6+iVW1O2dE/D/96QMfxRi2ACfZglv
8U4T/Lbc6FPY10oa290FIqY=
=gMKX
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Nov 19 21:41:18 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 19 Nov 2015 16:41:18 -0500
Subject: [RHSA-2015:2315-01] Moderate: NetworkManager security, bug fix, and enhancement update
Message-ID: <201511192141.tAJLfIsO004118@int-mx11.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: NetworkManager security, bug fix, and enhancement update
Advisory ID: RHSA-2015:2315-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-2315.html
Issue date: 2015-11-19
CVE Names: CVE-2015-0272 CVE-2015-2924
=====================================================================

1. Summary:

Updated NetworkManager packages that fix two security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

NetworkManager is a system network service that manages network devices and connections.

It was discovered that NetworkManager would set device MTUs based on MTU values received in IPv6 RAs (Router Advertisements), without sanity checking the MTU value first. A remote attacker could exploit this flaw to cause a denial of service by sending a specially crafted IPv6 RA packet that disturbs IPv6 communication. (CVE-2015-0272)

A flaw was found in the way NetworkManager handled router advertisements. An unprivileged user on a local network could use IPv6 Neighbor Discovery ICMP to broadcast a non-route with a low hop limit, causing machines to lower the hop limit on existing IPv6 routes. If this limit is small enough, IPv6 packets would be dropped before reaching the final destination. (CVE-2015-2924)

The network-manager-applet and NetworkManager-libreswan packages have been upgraded to upstream versions 1.0.6, and provide a number of bug fixes and enhancements over the previous versions. (BZ#1177582, BZ#1243057)

Bugs:

* It was not previously possible to set the Wi-Fi band to the "a" or "bg" values to lock to a specific frequency band. NetworkManager has been fixed, and it now sets the wpa_supplicant's "freq_list" option correctly, which enables proper Wi-Fi band locking. (BZ#1254461)

* NetworkManager immediately failed activation of devices that did not have a carrier early in the boot process. The legacy network.service then reported activation failure. Now, NetworkManager has a grace period during which it waits for the carrier to appear. Devices that have a carrier down for a short time on system startup no longer cause the legacy network.service to fail. (BZ#1079353)

* NetworkManager brought down a team device if the teamd service managing it exited unexpectedly, and the team device was deactivated. Now, NetworkManager respawns the teamd instances that disappear and is able to recover from a teamd failure, avoiding disruption of the team device operation. (BZ#1145988)

* NetworkManager did not send the FQDN DHCP option even if the host name was set to an FQDN. Consequently, Dynamic DNS (DDNS) setups failed to update the DNS records for clients running NetworkManager. Now, NetworkManager sends the FQDN option with DHCP requests, and the DHCP server is able to create DNS records for such clients. (BZ#1212597)

* The command-line client was not validating the vlan.flags property correctly, and a spurious warning message was displayed when the nmcli tool worked with VLAN connections. The validation routine has been fixed, and the warning message no longer appears. (BZ#1244048)

* NetworkManager did not propagate a media access control (MAC) address change from a bonding interface to a VLAN interface on top of it. Consequently, a VLAN interface on top of a bond used an incorrect MAC address. Now, NetworkManager synchronizes the addresses correctly. (BZ#1264322)

Enhancements:

* IPv6 Privacy extensions are now enabled by default. NetworkManager checks the per-network configuration files, then NetworkManager.conf, and then falls back to "/proc/sys/net/ipv6/conf/default/use_tempaddr" to determine and set IPv6 privacy settings at device activation. (BZ#1187525)

* The NetworkManager command-line tool, nmcli, now allows setting the wake-on-lan property to 0 ("none", "disable", "disabled"). (BZ#1260584)

* NetworkManager now provides information about metered connections. (BZ#1200452)

* The NetworkManager daemon and the connection editor now support setting the Maximum Transmission Unit (MTU) of a bond. It is now possible to change the MTU of a bond interface in a GUI. (BZ#1177582, BZ#1177860)

* The NetworkManager daemon and the connection editor now support setting the MTU of a team, which allows the MTU of a teaming interface to be changed. (BZ#1255927)

NetworkManager users are advised to upgrade to these updated packages, which correct these issues and add these enhancements.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

918692 - PIN/Password dialog for Mobile Broadband forces user to enter password, even if it's not needed
1062301 - NetworkManager should provide a way to reload a configuration and to refresh resolv.conf if necessary
1139536 - [RFE] Improve handling of DEVICE and HWADDR in nm-connection-editor
1141417 - Persistent wake on lan across reboot
1168388 - veth device goes down when ipv4 dhcp lease expires
1168657 - nmcli hangs when deleting profile two times
1182575 - [nmcli] Can't add certificate blob via nmcli as description states
1183015 - ipv6.method shared prevents connection from being upped
1183444 - Attaching a team device to a bridge doesn't work.
1187525 - Enable privacy extensions by default
1192132 - CVE-2015-0272 kernel/NetworkManager: remote DoS using IPv6 RA with bogus MTU
1200451 - feature request: Indicate 2ghz and 5ghz wifi device capabilities
1200452 - feature request: provide information about metered connections
1201497 - [PATCH] fix a configure-and-quit=yes bug when DHCP client ID is set and hostname is not given
1207730 - Continuous IPv6 router solicitation loop
1209902 - CVE-2015-2924 NetworkManager: denial of service (DoS) attack against IPv6 network stacks due to improper handling of Router Advertisements
1211133 - high cpu use with many IPv6 cloned routes
1211859 - _nl_get_vtable: assertion 'vtable.handle' failed
1229471 - [bluez5] add DUN support to nm-connection-editor
1238840 - libreswan vpn is not working
1243057 - Update to NetworkManager-openswan/libreswan 1.0.6 or later
1244293 - NetworkManager support for secondary IPv6 addresses
1246496 - dhclient is terminated and won't start after restart NetworkManager
1250019 - NetworkManager doesn't handle MTU correctly
1250723 - Updating IPv4 address lifetime causes VPN disconnection
1251954 - Can activate a DUN connection only once
1253744 - segfault while trying to connect to VPN
1254089 - Netlink error at 'link_change' function when net interface dynamic plug out and plug in on Xen
1254461 - Wi-Fi band-locking doesn't work
1255735 - Dialog run by nm-connection-editor --create --type=vlan doesn't offer connections (eg bond) as parents
1256772 - NetworkManager quits prematurely with "configure-and-quit"
1261428 - ipv6 dns set even if ipv6.ignore-auto-dns set yes
1264024 - no network on xen guests: Error: Connection activation failed: No suitable device found for this connection.
1264089 - cannot add adsl type connection
1264361 - backport upstream bugfix to platform handling links in different netns (IFLA_LINK_NETNSID)
1267326 - libnm-gtk: fix a possible crash in functions handling password entry
1267330 - libnm-gtk: remove underscore from tooltip and use symbolic icons for password location icons
1267462 - NetworkManager segfault on_bss_proxy_acquired
1267672 - fix crash in nmtui when requesting password
1268030 - 20 seconds timeout is not sufficient for VPN password entry
1271973 - no more vpn dialog after previous canceling
1272023 - vpn password request still visible after timeout (3 mins)
1272974 - Fix regression detecting s390 CTC devices

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:
ModemManager-1.1.0-8.git20130913.el7.src.rpm
NetworkManager-1.0.6-27.el7.src.rpm
NetworkManager-libreswan-1.0.6-3.el7.src.rpm
network-manager-applet-1.0.6-2.el7.src.rpm

x86_64:
ModemManager-1.1.0-8.git20130913.el7.x86_64.rpm
ModemManager-debuginfo-1.1.0-8.git20130913.el7.i686.rpm
ModemManager-debuginfo-1.1.0-8.git20130913.el7.x86_64.rpm
ModemManager-glib-1.1.0-8.git20130913.el7.i686.rpm
ModemManager-glib-1.1.0-8.git20130913.el7.x86_64.rpm
NetworkManager-1.0.6-27.el7.x86_64.rpm
NetworkManager-adsl-1.0.6-27.el7.x86_64.rpm
NetworkManager-bluetooth-1.0.6-27.el7.x86_64.rpm
NetworkManager-debuginfo-1.0.6-27.el7.i686.rpm
NetworkManager-debuginfo-1.0.6-27.el7.x86_64.rpm
NetworkManager-glib-1.0.6-27.el7.i686.rpm
NetworkManager-glib-1.0.6-27.el7.x86_64.rpm
NetworkManager-libnm-1.0.6-27.el7.i686.rpm
NetworkManager-libnm-1.0.6-27.el7.x86_64.rpm
NetworkManager-libreswan-1.0.6-3.el7.x86_64.rpm
NetworkManager-libreswan-debuginfo-1.0.6-3.el7.x86_64.rpm
NetworkManager-libreswan-gnome-1.0.6-3.el7.x86_64.rpm
NetworkManager-team-1.0.6-27.el7.x86_64.rpm
NetworkManager-tui-1.0.6-27.el7.x86_64.rpm
NetworkManager-wifi-1.0.6-27.el7.x86_64.rpm
NetworkManager-wwan-1.0.6-27.el7.x86_64.rpm
libnm-gtk-1.0.6-2.el7.i686.rpm
libnm-gtk-1.0.6-2.el7.x86_64.rpm
network-manager-applet-debuginfo-1.0.6-2.el7.i686.rpm
network-manager-applet-debuginfo-1.0.6-2.el7.x86_64.rpm
nm-connection-editor-1.0.6-2.el7.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

x86_64:
ModemManager-1.1.0-8.git20130913.el7.i686.rpm
ModemManager-debuginfo-1.1.0-8.git20130913.el7.i686.rpm
ModemManager-debuginfo-1.1.0-8.git20130913.el7.x86_64.rpm
ModemManager-devel-1.1.0-8.git20130913.el7.i686.rpm
ModemManager-devel-1.1.0-8.git20130913.el7.x86_64.rpm
ModemManager-glib-devel-1.1.0-8.git20130913.el7.i686.rpm
ModemManager-glib-devel-1.1.0-8.git20130913.el7.x86_64.rpm
ModemManager-vala-1.1.0-8.git20130913.el7.x86_64.rpm
NetworkManager-config-routing-rules-1.0.6-27.el7.x86_64.rpm
NetworkManager-config-server-1.0.6-27.el7.x86_64.rpm
NetworkManager-debuginfo-1.0.6-27.el7.i686.rpm
NetworkManager-debuginfo-1.0.6-27.el7.x86_64.rpm
NetworkManager-devel-1.0.6-27.el7.i686.rpm
NetworkManager-devel-1.0.6-27.el7.x86_64.rpm
NetworkManager-glib-devel-1.0.6-27.el7.i686.rpm
NetworkManager-glib-devel-1.0.6-27.el7.x86_64.rpm
NetworkManager-libnm-devel-1.0.6-27.el7.i686.rpm
NetworkManager-libnm-devel-1.0.6-27.el7.x86_64.rpm
libnm-gtk-devel-1.0.6-2.el7.i686.rpm
libnm-gtk-devel-1.0.6-2.el7.x86_64.rpm
network-manager-applet-1.0.6-2.el7.x86_64.rpm
network-manager-applet-debuginfo-1.0.6-2.el7.i686.rpm
network-manager-applet-debuginfo-1.0.6-2.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
ModemManager-1.1.0-8.git20130913.el7.src.rpm
NetworkManager-1.0.6-27.el7.src.rpm
network-manager-applet-1.0.6-2.el7.src.rpm

x86_64:
ModemManager-1.1.0-8.git20130913.el7.x86_64.rpm
ModemManager-debuginfo-1.1.0-8.git20130913.el7.i686.rpm
ModemManager-debuginfo-1.1.0-8.git20130913.el7.x86_64.rpm
ModemManager-glib-1.1.0-8.git20130913.el7.i686.rpm
ModemManager-glib-1.1.0-8.git20130913.el7.x86_64.rpm
NetworkManager-1.0.6-27.el7.x86_64.rpm
NetworkManager-adsl-1.0.6-27.el7.x86_64.rpm
NetworkManager-bluetooth-1.0.6-27.el7.x86_64.rpm
NetworkManager-debuginfo-1.0.6-27.el7.i686.rpm
NetworkManager-debuginfo-1.0.6-27.el7.x86_64.rpm
NetworkManager-glib-1.0.6-27.el7.i686.rpm
NetworkManager-glib-1.0.6-27.el7.x86_64.rpm
NetworkManager-libnm-1.0.6-27.el7.i686.rpm
NetworkManager-libnm-1.0.6-27.el7.x86_64.rpm
NetworkManager-team-1.0.6-27.el7.x86_64.rpm
NetworkManager-tui-1.0.6-27.el7.x86_64.rpm
NetworkManager-wifi-1.0.6-27.el7.x86_64.rpm
NetworkManager-wwan-1.0.6-27.el7.x86_64.rpm
libnm-gtk-1.0.6-2.el7.i686.rpm
libnm-gtk-1.0.6-2.el7.x86_64.rpm
network-manager-applet-debuginfo-1.0.6-2.el7.i686.rpm
network-manager-applet-debuginfo-1.0.6-2.el7.x86_64.rpm
nm-connection-editor-1.0.6-2.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

x86_64:
ModemManager-1.1.0-8.git20130913.el7.i686.rpm
ModemManager-debuginfo-1.1.0-8.git20130913.el7.i686.rpm
ModemManager-debuginfo-1.1.0-8.git20130913.el7.x86_64.rpm
ModemManager-devel-1.1.0-8.git20130913.el7.i686.rpm
ModemManager-devel-1.1.0-8.git20130913.el7.x86_64.rpm
ModemManager-glib-devel-1.1.0-8.git20130913.el7.i686.rpm
ModemManager-glib-devel-1.1.0-8.git20130913.el7.x86_64.rpm
ModemManager-vala-1.1.0-8.git20130913.el7.x86_64.rpm
NetworkManager-config-routing-rules-1.0.6-27.el7.x86_64.rpm
NetworkManager-config-server-1.0.6-27.el7.x86_64.rpm
NetworkManager-debuginfo-1.0.6-27.el7.i686.rpm
NetworkManager-debuginfo-1.0.6-27.el7.x86_64.rpm
NetworkManager-devel-1.0.6-27.el7.i686.rpm
NetworkManager-devel-1.0.6-27.el7.x86_64.rpm
NetworkManager-glib-devel-1.0.6-27.el7.i686.rpm
NetworkManager-glib-devel-1.0.6-27.el7.x86_64.rpm
NetworkManager-libnm-devel-1.0.6-27.el7.i686.rpm
NetworkManager-libnm-devel-1.0.6-27.el7.x86_64.rpm
libnm-gtk-devel-1.0.6-2.el7.i686.rpm
libnm-gtk-devel-1.0.6-2.el7.x86_64.rpm
network-manager-applet-1.0.6-2.el7.x86_64.rpm
network-manager-applet-debuginfo-1.0.6-2.el7.i686.rpm
network-manager-applet-debuginfo-1.0.6-2.el7.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
ModemManager-1.1.0-8.git20130913.el7.src.rpm
NetworkManager-1.0.6-27.el7.src.rpm
NetworkManager-libreswan-1.0.6-3.el7.src.rpm
network-manager-applet-1.0.6-2.el7.src.rpm

aarch64:
ModemManager-1.1.0-8.git20130913.el7.aarch64.rpm
ModemManager-debuginfo-1.1.0-8.git20130913.el7.aarch64.rpm
ModemManager-glib-1.1.0-8.git20130913.el7.aarch64.rpm
NetworkManager-1.0.6-27.el7.aarch64.rpm
NetworkManager-adsl-1.0.6-27.el7.aarch64.rpm
NetworkManager-bluetooth-1.0.6-27.el7.aarch64.rpm
NetworkManager-config-server-1.0.6-27.el7.aarch64.rpm
NetworkManager-debuginfo-1.0.6-27.el7.aarch64.rpm
NetworkManager-glib-1.0.6-27.el7.aarch64.rpm
NetworkManager-libnm-1.0.6-27.el7.aarch64.rpm
NetworkManager-libreswan-1.0.6-3.el7.aarch64.rpm
NetworkManager-libreswan-debuginfo-1.0.6-3.el7.aarch64.rpm
NetworkManager-libreswan-gnome-1.0.6-3.el7.aarch64.rpm
NetworkManager-team-1.0.6-27.el7.aarch64.rpm
NetworkManager-tui-1.0.6-27.el7.aarch64.rpm
NetworkManager-wifi-1.0.6-27.el7.aarch64.rpm
NetworkManager-wwan-1.0.6-27.el7.aarch64.rpm
libnm-gtk-1.0.6-2.el7.aarch64.rpm
network-manager-applet-debuginfo-1.0.6-2.el7.aarch64.rpm
nm-connection-editor-1.0.6-2.el7.aarch64.rpm

ppc64:
ModemManager-1.1.0-8.git20130913.el7.ppc64.rpm
ModemManager-debuginfo-1.1.0-8.git20130913.el7.ppc.rpm
ModemManager-debuginfo-1.1.0-8.git20130913.el7.ppc64.rpm
ModemManager-glib-1.1.0-8.git20130913.el7.ppc.rpm
ModemManager-glib-1.1.0-8.git20130913.el7.ppc64.rpm
NetworkManager-1.0.6-27.el7.ppc64.rpm
NetworkManager-adsl-1.0.6-27.el7.ppc64.rpm
NetworkManager-bluetooth-1.0.6-27.el7.ppc64.rpm
NetworkManager-config-server-1.0.6-27.el7.ppc64.rpm
NetworkManager-debuginfo-1.0.6-27.el7.ppc.rpm
NetworkManager-debuginfo-1.0.6-27.el7.ppc64.rpm
NetworkManager-glib-1.0.6-27.el7.ppc.rpm
NetworkManager-glib-1.0.6-27.el7.ppc64.rpm
NetworkManager-libnm-1.0.6-27.el7.ppc.rpm
NetworkManager-libnm-1.0.6-27.el7.ppc64.rpm
NetworkManager-libreswan-1.0.6-3.el7.ppc64.rpm
NetworkManager-libreswan-debuginfo-1.0.6-3.el7.ppc64.rpm
NetworkManager-libreswan-gnome-1.0.6-3.el7.ppc64.rpm
NetworkManager-team-1.0.6-27.el7.ppc64.rpm
NetworkManager-tui-1.0.6-27.el7.ppc64.rpm
NetworkManager-wifi-1.0.6-27.el7.ppc64.rpm
NetworkManager-wwan-1.0.6-27.el7.ppc64.rpm
libnm-gtk-1.0.6-2.el7.ppc.rpm
libnm-gtk-1.0.6-2.el7.ppc64.rpm
network-manager-applet-debuginfo-1.0.6-2.el7.ppc.rpm
network-manager-applet-debuginfo-1.0.6-2.el7.ppc64.rpm
nm-connection-editor-1.0.6-2.el7.ppc64.rpm

ppc64le:
ModemManager-1.1.0-8.git20130913.el7.ppc64le.rpm
ModemManager-debuginfo-1.1.0-8.git20130913.el7.ppc64le.rpm
ModemManager-glib-1.1.0-8.git20130913.el7.ppc64le.rpm
NetworkManager-1.0.6-27.el7.ppc64le.rpm
NetworkManager-adsl-1.0.6-27.el7.ppc64le.rpm
NetworkManager-bluetooth-1.0.6-27.el7.ppc64le.rpm
NetworkManager-config-server-1.0.6-27.el7.ppc64le.rpm
NetworkManager-debuginfo-1.0.6-27.el7.ppc64le.rpm
NetworkManager-glib-1.0.6-27.el7.ppc64le.rpm
NetworkManager-libnm-1.0.6-27.el7.ppc64le.rpm
NetworkManager-libreswan-1.0.6-3.el7.ppc64le.rpm
NetworkManager-libreswan-debuginfo-1.0.6-3.el7.ppc64le.rpm
NetworkManager-libreswan-gnome-1.0.6-3.el7.ppc64le.rpm
NetworkManager-team-1.0.6-27.el7.ppc64le.rpm
NetworkManager-tui-1.0.6-27.el7.ppc64le.rpm
NetworkManager-wifi-1.0.6-27.el7.ppc64le.rpm
NetworkManager-wwan-1.0.6-27.el7.ppc64le.rpm
libnm-gtk-1.0.6-2.el7.ppc64le.rpm
network-manager-applet-debuginfo-1.0.6-2.el7.ppc64le.rpm
nm-connection-editor-1.0.6-2.el7.ppc64le.rpm

s390x:
ModemManager-debuginfo-1.1.0-8.git20130913.el7.s390.rpm
ModemManager-debuginfo-1.1.0-8.git20130913.el7.s390x.rpm
ModemManager-glib-1.1.0-8.git20130913.el7.s390.rpm
ModemManager-glib-1.1.0-8.git20130913.el7.s390x.rpm
NetworkManager-1.0.6-27.el7.s390x.rpm
NetworkManager-bluetooth-1.0.6-27.el7.s390x.rpm
NetworkManager-config-server-1.0.6-27.el7.s390x.rpm
NetworkManager-debuginfo-1.0.6-27.el7.s390.rpm
NetworkManager-debuginfo-1.0.6-27.el7.s390x.rpm
NetworkManager-glib-1.0.6-27.el7.s390.rpm
NetworkManager-glib-1.0.6-27.el7.s390x.rpm
NetworkManager-libnm-1.0.6-27.el7.s390.rpm
NetworkManager-libnm-1.0.6-27.el7.s390x.rpm
NetworkManager-libreswan-1.0.6-3.el7.s390x.rpm
NetworkManager-libreswan-debuginfo-1.0.6-3.el7.s390x.rpm
NetworkManager-libreswan-gnome-1.0.6-3.el7.s390x.rpm
NetworkManager-team-1.0.6-27.el7.s390x.rpm
NetworkManager-tui-1.0.6-27.el7.s390x.rpm
NetworkManager-wifi-1.0.6-27.el7.s390x.rpm
NetworkManager-wwan-1.0.6-27.el7.s390x.rpm
libnm-gtk-1.0.6-2.el7.s390.rpm
libnm-gtk-1.0.6-2.el7.s390x.rpm
network-manager-applet-debuginfo-1.0.6-2.el7.s390.rpm
network-manager-applet-debuginfo-1.0.6-2.el7.s390x.rpm
nm-connection-editor-1.0.6-2.el7.s390x.rpm

x86_64:
ModemManager-1.1.0-8.git20130913.el7.x86_64.rpm
ModemManager-debuginfo-1.1.0-8.git20130913.el7.i686.rpm
ModemManager-debuginfo-1.1.0-8.git20130913.el7.x86_64.rpm
ModemManager-glib-1.1.0-8.git20130913.el7.i686.rpm
ModemManager-glib-1.1.0-8.git20130913.el7.x86_64.rpm
NetworkManager-1.0.6-27.el7.x86_64.rpm
NetworkManager-adsl-1.0.6-27.el7.x86_64.rpm
NetworkManager-bluetooth-1.0.6-27.el7.x86_64.rpm
NetworkManager-config-server-1.0.6-27.el7.x86_64.rpm
NetworkManager-debuginfo-1.0.6-27.el7.i686.rpm
NetworkManager-debuginfo-1.0.6-27.el7.x86_64.rpm
NetworkManager-glib-1.0.6-27.el7.i686.rpm
NetworkManager-glib-1.0.6-27.el7.x86_64.rpm
NetworkManager-libnm-1.0.6-27.el7.i686.rpm
NetworkManager-libnm-1.0.6-27.el7.x86_64.rpm
NetworkManager-libreswan-1.0.6-3.el7.x86_64.rpm
NetworkManager-libreswan-debuginfo-1.0.6-3.el7.x86_64.rpm
NetworkManager-libreswan-gnome-1.0.6-3.el7.x86_64.rpm
NetworkManager-team-1.0.6-27.el7.x86_64.rpm
NetworkManager-tui-1.0.6-27.el7.x86_64.rpm
NetworkManager-wifi-1.0.6-27.el7.x86_64.rpm
NetworkManager-wwan-1.0.6-27.el7.x86_64.rpm
libnm-gtk-1.0.6-2.el7.i686.rpm
libnm-gtk-1.0.6-2.el7.x86_64.rpm
network-manager-applet-debuginfo-1.0.6-2.el7.i686.rpm
network-manager-applet-debuginfo-1.0.6-2.el7.x86_64.rpm
nm-connection-editor-1.0.6-2.el7.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

aarch64:
ModemManager-debuginfo-1.1.0-8.git20130913.el7.aarch64.rpm
ModemManager-devel-1.1.0-8.git20130913.el7.aarch64.rpm
ModemManager-glib-devel-1.1.0-8.git20130913.el7.aarch64.rpm
ModemManager-vala-1.1.0-8.git20130913.el7.aarch64.rpm
NetworkManager-config-routing-rules-1.0.6-27.el7.aarch64.rpm
NetworkManager-debuginfo-1.0.6-27.el7.aarch64.rpm
NetworkManager-devel-1.0.6-27.el7.aarch64.rpm
NetworkManager-glib-devel-1.0.6-27.el7.aarch64.rpm
NetworkManager-libnm-devel-1.0.6-27.el7.aarch64.rpm
libnm-gtk-devel-1.0.6-2.el7.aarch64.rpm
network-manager-applet-1.0.6-2.el7.aarch64.rpm
network-manager-applet-debuginfo-1.0.6-2.el7.aarch64.rpm

ppc64:
ModemManager-1.1.0-8.git20130913.el7.ppc.rpm
ModemManager-debuginfo-1.1.0-8.git20130913.el7.ppc.rpm
ModemManager-debuginfo-1.1.0-8.git20130913.el7.ppc64.rpm
ModemManager-devel-1.1.0-8.git20130913.el7.ppc.rpm
ModemManager-devel-1.1.0-8.git20130913.el7.ppc64.rpm
ModemManager-glib-devel-1.1.0-8.git20130913.el7.ppc.rpm
ModemManager-glib-devel-1.1.0-8.git20130913.el7.ppc64.rpm
ModemManager-vala-1.1.0-8.git20130913.el7.ppc64.rpm
NetworkManager-config-routing-rules-1.0.6-27.el7.ppc64.rpm
NetworkManager-debuginfo-1.0.6-27.el7.ppc.rpm
NetworkManager-debuginfo-1.0.6-27.el7.ppc64.rpm
NetworkManager-devel-1.0.6-27.el7.ppc.rpm
NetworkManager-devel-1.0.6-27.el7.ppc64.rpm
NetworkManager-glib-devel-1.0.6-27.el7.ppc.rpm
NetworkManager-glib-devel-1.0.6-27.el7.ppc64.rpm
NetworkManager-libnm-devel-1.0.6-27.el7.ppc.rpm
NetworkManager-libnm-devel-1.0.6-27.el7.ppc64.rpm
libnm-gtk-devel-1.0.6-2.el7.ppc.rpm
libnm-gtk-devel-1.0.6-2.el7.ppc64.rpm
network-manager-applet-1.0.6-2.el7.ppc64.rpm
network-manager-applet-debuginfo-1.0.6-2.el7.ppc.rpm
network-manager-applet-debuginfo-1.0.6-2.el7.ppc64.rpm

ppc64le:
ModemManager-debuginfo-1.1.0-8.git20130913.el7.ppc64le.rpm
ModemManager-devel-1.1.0-8.git20130913.el7.ppc64le.rpm
ModemManager-glib-devel-1.1.0-8.git20130913.el7.ppc64le.rpm
ModemManager-vala-1.1.0-8.git20130913.el7.ppc64le.rpm
NetworkManager-config-routing-rules-1.0.6-27.el7.ppc64le.rpm
NetworkManager-debuginfo-1.0.6-27.el7.ppc64le.rpm
NetworkManager-devel-1.0.6-27.el7.ppc64le.rpm
NetworkManager-glib-devel-1.0.6-27.el7.ppc64le.rpm
NetworkManager-libnm-devel-1.0.6-27.el7.ppc64le.rpm
libnm-gtk-devel-1.0.6-2.el7.ppc64le.rpm
network-manager-applet-1.0.6-2.el7.ppc64le.rpm
network-manager-applet-debuginfo-1.0.6-2.el7.ppc64le.rpm

s390x:
ModemManager-1.1.0-8.git20130913.el7.s390.rpm
ModemManager-1.1.0-8.git20130913.el7.s390x.rpm
ModemManager-debuginfo-1.1.0-8.git20130913.el7.s390.rpm
ModemManager-debuginfo-1.1.0-8.git20130913.el7.s390x.rpm
ModemManager-devel-1.1.0-8.git20130913.el7.s390.rpm
ModemManager-devel-1.1.0-8.git20130913.el7.s390x.rpm
ModemManager-glib-devel-1.1.0-8.git20130913.el7.s390.rpm
ModemManager-glib-devel-1.1.0-8.git20130913.el7.s390x.rpm
ModemManager-vala-1.1.0-8.git20130913.el7.s390x.rpm
NetworkManager-adsl-1.0.6-27.el7.s390x.rpm
NetworkManager-config-routing-rules-1.0.6-27.el7.s390x.rpm
NetworkManager-debuginfo-1.0.6-27.el7.s390.rpm
NetworkManager-debuginfo-1.0.6-27.el7.s390x.rpm
NetworkManager-devel-1.0.6-27.el7.s390.rpm
NetworkManager-devel-1.0.6-27.el7.s390x.rpm
NetworkManager-glib-devel-1.0.6-27.el7.s390.rpm
NetworkManager-glib-devel-1.0.6-27.el7.s390x.rpm
NetworkManager-libnm-devel-1.0.6-27.el7.s390.rpm
NetworkManager-libnm-devel-1.0.6-27.el7.s390x.rpm
libnm-gtk-devel-1.0.6-2.el7.s390.rpm
libnm-gtk-devel-1.0.6-2.el7.s390x.rpm
network-manager-applet-1.0.6-2.el7.s390x.rpm
network-manager-applet-debuginfo-1.0.6-2.el7.s390.rpm
network-manager-applet-debuginfo-1.0.6-2.el7.s390x.rpm

x86_64:
ModemManager-1.1.0-8.git20130913.el7.i686.rpm
ModemManager-debuginfo-1.1.0-8.git20130913.el7.i686.rpm
ModemManager-debuginfo-1.1.0-8.git20130913.el7.x86_64.rpm
ModemManager-devel-1.1.0-8.git20130913.el7.i686.rpm
ModemManager-devel-1.1.0-8.git20130913.el7.x86_64.rpm
ModemManager-glib-devel-1.1.0-8.git20130913.el7.i686.rpm
ModemManager-glib-devel-1.1.0-8.git20130913.el7.x86_64.rpm
ModemManager-vala-1.1.0-8.git20130913.el7.x86_64.rpm
NetworkManager-config-routing-rules-1.0.6-27.el7.x86_64.rpm
NetworkManager-debuginfo-1.0.6-27.el7.i686.rpm
NetworkManager-debuginfo-1.0.6-27.el7.x86_64.rpm
NetworkManager-devel-1.0.6-27.el7.i686.rpm
NetworkManager-devel-1.0.6-27.el7.x86_64.rpm
NetworkManager-glib-devel-1.0.6-27.el7.i686.rpm
NetworkManager-glib-devel-1.0.6-27.el7.x86_64.rpm
NetworkManager-libnm-devel-1.0.6-27.el7.i686.rpm
NetworkManager-libnm-devel-1.0.6-27.el7.x86_64.rpm
libnm-gtk-devel-1.0.6-2.el7.i686.rpm
libnm-gtk-devel-1.0.6-2.el7.x86_64.rpm
network-manager-applet-1.0.6-2.el7.x86_64.rpm
network-manager-applet-debuginfo-1.0.6-2.el7.i686.rpm
network-manager-applet-debuginfo-1.0.6-2.el7.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
ModemManager-1.1.0-8.git20130913.el7.src.rpm
NetworkManager-1.0.6-27.el7.src.rpm
NetworkManager-libreswan-1.0.6-3.el7.src.rpm
network-manager-applet-1.0.6-2.el7.src.rpm

x86_64:
ModemManager-1.1.0-8.git20130913.el7.x86_64.rpm
ModemManager-debuginfo-1.1.0-8.git20130913.el7.i686.rpm
ModemManager-debuginfo-1.1.0-8.git20130913.el7.x86_64.rpm
ModemManager-glib-1.1.0-8.git20130913.el7.i686.rpm
ModemManager-glib-1.1.0-8.git20130913.el7.x86_64.rpm
NetworkManager-1.0.6-27.el7.x86_64.rpm
NetworkManager-adsl-1.0.6-27.el7.x86_64.rpm
NetworkManager-bluetooth-1.0.6-27.el7.x86_64.rpm
NetworkManager-debuginfo-1.0.6-27.el7.i686.rpm
NetworkManager-debuginfo-1.0.6-27.el7.x86_64.rpm
NetworkManager-glib-1.0.6-27.el7.i686.rpm
NetworkManager-glib-1.0.6-27.el7.x86_64.rpm
NetworkManager-libnm-1.0.6-27.el7.i686.rpm
NetworkManager-libnm-1.0.6-27.el7.x86_64.rpm
NetworkManager-libreswan-1.0.6-3.el7.x86_64.rpm
NetworkManager-libreswan-debuginfo-1.0.6-3.el7.x86_64.rpm
NetworkManager-libreswan-gnome-1.0.6-3.el7.x86_64.rpm
NetworkManager-team-1.0.6-27.el7.x86_64.rpm
NetworkManager-tui-1.0.6-27.el7.x86_64.rpm
NetworkManager-wifi-1.0.6-27.el7.x86_64.rpm
NetworkManager-wwan-1.0.6-27.el7.x86_64.rpm
libnm-gtk-1.0.6-2.el7.i686.rpm
libnm-gtk-1.0.6-2.el7.x86_64.rpm
network-manager-applet-debuginfo-1.0.6-2.el7.i686.rpm
network-manager-applet-debuginfo-1.0.6-2.el7.x86_64.rpm
nm-connection-editor-1.0.6-2.el7.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

x86_64:
ModemManager-1.1.0-8.git20130913.el7.i686.rpm
ModemManager-debuginfo-1.1.0-8.git20130913.el7.i686.rpm
ModemManager-debuginfo-1.1.0-8.git20130913.el7.x86_64.rpm
ModemManager-devel-1.1.0-8.git20130913.el7.i686.rpm
ModemManager-devel-1.1.0-8.git20130913.el7.x86_64.rpm
ModemManager-glib-devel-1.1.0-8.git20130913.el7.i686.rpm
ModemManager-glib-devel-1.1.0-8.git20130913.el7.x86_64.rpm
ModemManager-vala-1.1.0-8.git20130913.el7.x86_64.rpm
NetworkManager-config-routing-rules-1.0.6-27.el7.x86_64.rpm
NetworkManager-config-server-1.0.6-27.el7.x86_64.rpm
NetworkManager-debuginfo-1.0.6-27.el7.i686.rpm
NetworkManager-debuginfo-1.0.6-27.el7.x86_64.rpm
NetworkManager-devel-1.0.6-27.el7.i686.rpm
NetworkManager-devel-1.0.6-27.el7.x86_64.rpm
NetworkManager-glib-devel-1.0.6-27.el7.i686.rpm
NetworkManager-glib-devel-1.0.6-27.el7.x86_64.rpm
NetworkManager-libnm-devel-1.0.6-27.el7.i686.rpm
NetworkManager-libnm-devel-1.0.6-27.el7.x86_64.rpm
libnm-gtk-devel-1.0.6-2.el7.i686.rpm
libnm-gtk-devel-1.0.6-2.el7.x86_64.rpm
network-manager-applet-1.0.6-2.el7.x86_64.rpm
network-manager-applet-debuginfo-1.0.6-2.el7.i686.rpm
network-manager-applet-debuginfo-1.0.6-2.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2015-0272
https://access.redhat.com/security/cve/CVE-2015-2924
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
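Both NetworkManager flaws in this advisory come down to copying a Router Advertisement field onto the device without checking it against the bounds the protocol already defines. The following Python is an added example, not NetworkManager's code: `parse_ra()` decodes the ICMPv6 RA body (RFC 4861 section 4.2) and `apply_ra()` accepts an MTU option only inside the window RFC 4861 section 6.3.4 prescribes (at least the IPv6 minimum of 1280, at most the link's own MTU), treats a Cur Hop Limit of 0 as "unspecified" as the RFC requires, and refuses to lower the current hop limit. That last rule is this example's own policy, not a description of how the NetworkManager fix is implemented. The RA bytes come from `build_ra()` and are constructed for the demonstration; the ICMPv6 checksum is left at zero and not verified.

```python
"""Bounds-check Router Advertisement fields before applying them to a device.

Added example, not NetworkManager's code.  parse_ra() decodes the ICMPv6
RA body (RFC 4861 section 4.2) and apply_ra() decides which fields may
be copied to the device.  build_ra() constructs test packets; the ICMPv6
checksum is left at zero and not verified here.
"""
import struct

ND_ROUTER_ADVERT = 134
OPT_MTU = 5
IPV6_MIN_MTU = 1280          # minimum IPv6 link MTU (RFC 8200)
RA_HEADER = "!BBHBBHII"      # type, code, checksum, cur hop limit, flags, lifetime, reachable, retrans


def parse_ra(payload):
    """Return (cur_hop_limit, [(option_type, option_data), ...]) or raise ValueError."""
    if len(payload) < struct.calcsize(RA_HEADER):
        raise ValueError("RA shorter than its fixed header")
    icmp_type, code, _csum, hop_limit, _flags, _life, _reach, _retrans = struct.unpack(
        RA_HEADER, payload[:16])
    if icmp_type != ND_ROUTER_ADVERT or code != 0:
        raise ValueError("not a Router Advertisement")
    options, off = [], 16
    while off < len(payload):
        if len(payload) - off < 2:
            raise ValueError("truncated option header")
        opt_type, opt_len = payload[off], payload[off + 1]
        size = opt_len * 8                       # option length is in units of 8 octets
        if opt_len == 0 or off + size > len(payload):
            # RFC 4861 section 4.6: a zero length is invalid and the packet must be discarded
            raise ValueError("invalid option length")
        options.append((opt_type, payload[off + 2:off + size]))
        off += size
    return hop_limit, options


def is_well_formed(payload):
    """True if parse_ra() accepts the packet."""
    try:
        parse_ra(payload)
        return True
    except ValueError:
        return False


def apply_ra(payload, link_mtu, current_hop_limit):
    """Return (mtu, hop_limit, rejected); None means 'leave the device as it is'.

    The MTU is accepted only within [IPV6_MIN_MTU, link_mtu] (RFC 4861
    section 6.3.4).  A Cur Hop Limit of 0 means 'unspecified' and is never
    applied; a value below the current one is refused (this example's policy).
    """
    hop_limit, options = parse_ra(payload)
    rejected, mtu = [], None
    for opt_type, data in options:
        if opt_type != OPT_MTU:
            continue                             # other options are not this function's concern
        if len(data) != 6:
            rejected.append("MTU option with wrong length")
            continue
        value = struct.unpack("!HI", data)[1]    # 2 reserved octets, then the MTU
        if IPV6_MIN_MTU <= value <= link_mtu:
            mtu = value
        else:
            rejected.append(f"MTU {value} outside [{IPV6_MIN_MTU}, {link_mtu}]")
    new_hop_limit = None
    if hop_limit == 0:
        pass                                     # unspecified by this router, nothing to apply
    elif hop_limit < current_hop_limit:
        rejected.append(f"hop limit {hop_limit} below current {current_hop_limit}")
    else:
        new_hop_limit = hop_limit
    return mtu, new_hop_limit, rejected


def build_ra(hop_limit, mtu=None):
    """Constructed RA for testing: fixed header plus an optional MTU option."""
    body = struct.pack(RA_HEADER, ND_ROUTER_ADVERT, 0, 0, hop_limit, 0, 1800, 0, 0)
    if mtu is not None:
        body += struct.pack("!BBHI", OPT_MTU, 1, 0, mtu)
    return body


if __name__ == "__main__":
    # A legitimate RA, then one shaped like the two advisories' attacks: tiny MTU, tiny hop limit.
    for ra in (build_ra(64, 1500), build_ra(1, 100)):
        print(apply_ra(ra, link_mtu=1500, current_hop_limit=64))
```

A real receiver also has to check, before it looks at any of these fields, that the packet arrived with an IPv6 hop limit of 255 from a link-local source and that the ICMPv6 checksum is valid (RFC 4861 section 6.1.2); `apply_ra()` only sees the ICMPv6 body, so those checks belong in the caller. Note that RA guard on the switch port is the only control that stops a rogue advertiser on the same segment entirely; the host-side checks above limit what an accepted RA can do, they do not stop it being accepted.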
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFWTkH8XlSAg2UNWIIRAuVNAKCVVIORm3NeM0KxvLDddDS07uOX3wCfS+Yj
hQ8aOjAAuv4E0k7Euesjn3U=
=SZOw
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Nov 19 21:41:38 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 19 Nov 2015 16:41:38 -0500
Subject: [RHSA-2015:2345-01] Moderate: net-snmp security and bug fix update
Message-ID: <201511192141.tAJLfc2K017725@int-mx10.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: net-snmp security and bug fix update
Advisory ID: RHSA-2015:2345-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-2345.html
Issue date: 2015-11-19
CVE Names: CVE-2014-3565
=====================================================================

1. Summary:

Updated net-snmp packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

The net-snmp packages provide various libraries and tools for the Simple Network Management Protocol (SNMP), including an SNMP library, an extensible agent, tools for requesting or setting information from SNMP agents, tools for generating and handling SNMP traps, a version of the netstat command which uses SNMP, and a Tk/Perl Management Information Base (MIB) browser.

A denial of service flaw was found in the way snmptrapd handled certain SNMP traps when started with the "-OQ" option. If an attacker sent an SNMP trap containing a variable with a NULL type where an integer variable type was expected, it would cause snmptrapd to crash. (CVE-2014-3565)

This update also fixes the following bugs:

* Previously, the clientaddr option in the snmp.conf file affected outgoing messages sent only over IPv4. With this release, outgoing IPv6 messages are correctly sent from the interface specified by clientaddr. (BZ#1190679)

* The Net-SNMP daemon, snmpd, did not properly clean memory when reloading its configuration file with multiple "exec" entries. Consequently, the daemon terminated unexpectedly. Now, the memory is properly cleaned, and snmpd no longer crashes on reload. (BZ#1228893)

* Prior to this update, snmpd did not parse complete IPv4 traffic statistics, but reported the number of received or sent bytes in the IP-MIB::ipSystemStatsTable only for IPv6 packets and not for IPv4. This affected objects ipSystemStatsInOctets, ipSystemStatsOutOctets, ipSystemStatsInMcastOctets, and ipSystemStatsOutMcastOctets. Now, the statistics reported by snmpd are collected for IPv4 as well. (BZ#1235697)

* The Net-SNMP daemon, snmpd, did not correctly detect the file system change from read-only to read-write. Consequently, after remounting the file system into the read-write mode, the daemon reported it to be still in the read-only mode. A patch has been applied, and snmpd now detects the mode changes as expected. (BZ#1241897)

All net-snmp users are advised to upgrade to these updated packages, which contain backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1092308 - backport diskio device filtering
1125155 - CVE-2014-3565 net-snmp: snmptrapd crash when handling an SNMP trap containing a ifMtu with a NULL type
1151310 - snmptrap can't create (or write to) /var/lib/net-snmp/snmpapp.conf if isn't run under root
1184433 - udpTable has wrong indices
1190679 - In IPv6, snmp packet does not send from specified interface assigned by clientaddr option in snmpd.conf.
1193006 - net-snmp "storageUseNFS 2" option does not report NFS mount as "Fixed Disks"
1252034 - net-snmp-python contains zeros in IP address (IPADDR type) on big-endian architectures
1252048 - net-snmp snmpd fork() overhead [fix available]
1252053 - net-snmp does not display correct lm_sensors sensor data / missing CPU cores

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:
net-snmp-5.7.2-24.el7.src.rpm

x86_64:
net-snmp-5.7.2-24.el7.x86_64.rpm
net-snmp-agent-libs-5.7.2-24.el7.i686.rpm
net-snmp-agent-libs-5.7.2-24.el7.x86_64.rpm
net-snmp-debuginfo-5.7.2-24.el7.i686.rpm
net-snmp-debuginfo-5.7.2-24.el7.x86_64.rpm
net-snmp-libs-5.7.2-24.el7.i686.rpm
net-snmp-libs-5.7.2-24.el7.x86_64.rpm
net-snmp-utils-5.7.2-24.el7.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

x86_64:
net-snmp-debuginfo-5.7.2-24.el7.i686.rpm
net-snmp-debuginfo-5.7.2-24.el7.x86_64.rpm
net-snmp-devel-5.7.2-24.el7.i686.rpm
net-snmp-devel-5.7.2-24.el7.x86_64.rpm
net-snmp-gui-5.7.2-24.el7.x86_64.rpm
net-snmp-perl-5.7.2-24.el7.x86_64.rpm
net-snmp-python-5.7.2-24.el7.x86_64.rpm
net-snmp-sysvinit-5.7.2-24.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
net-snmp-5.7.2-24.el7.src.rpm

x86_64:
net-snmp-5.7.2-24.el7.x86_64.rpm
net-snmp-agent-libs-5.7.2-24.el7.i686.rpm
net-snmp-agent-libs-5.7.2-24.el7.x86_64.rpm
net-snmp-debuginfo-5.7.2-24.el7.i686.rpm
net-snmp-debuginfo-5.7.2-24.el7.x86_64.rpm
net-snmp-libs-5.7.2-24.el7.i686.rpm
net-snmp-libs-5.7.2-24.el7.x86_64.rpm
net-snmp-utils-5.7.2-24.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

x86_64:
net-snmp-debuginfo-5.7.2-24.el7.i686.rpm
net-snmp-debuginfo-5.7.2-24.el7.x86_64.rpm
net-snmp-devel-5.7.2-24.el7.i686.rpm
net-snmp-devel-5.7.2-24.el7.x86_64.rpm
net-snmp-gui-5.7.2-24.el7.x86_64.rpm
net-snmp-perl-5.7.2-24.el7.x86_64.rpm
net-snmp-python-5.7.2-24.el7.x86_64.rpm
net-snmp-sysvinit-5.7.2-24.el7.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
net-snmp-5.7.2-24.el7.src.rpm

aarch64:
net-snmp-5.7.2-24.el7.aarch64.rpm
net-snmp-agent-libs-5.7.2-24.el7.aarch64.rpm
net-snmp-debuginfo-5.7.2-24.el7.aarch64.rpm
net-snmp-devel-5.7.2-24.el7.aarch64.rpm
net-snmp-libs-5.7.2-24.el7.aarch64.rpm
net-snmp-utils-5.7.2-24.el7.aarch64.rpm

ppc64:
net-snmp-5.7.2-24.el7.ppc64.rpm
net-snmp-agent-libs-5.7.2-24.el7.ppc.rpm
net-snmp-agent-libs-5.7.2-24.el7.ppc64.rpm
net-snmp-debuginfo-5.7.2-24.el7.ppc.rpm
net-snmp-debuginfo-5.7.2-24.el7.ppc64.rpm
net-snmp-devel-5.7.2-24.el7.ppc.rpm
net-snmp-devel-5.7.2-24.el7.ppc64.rpm
net-snmp-libs-5.7.2-24.el7.ppc.rpm
net-snmp-libs-5.7.2-24.el7.ppc64.rpm
net-snmp-utils-5.7.2-24.el7.ppc64.rpm

ppc64le:
net-snmp-5.7.2-24.el7.ppc64le.rpm
net-snmp-agent-libs-5.7.2-24.el7.ppc64le.rpm
net-snmp-debuginfo-5.7.2-24.el7.ppc64le.rpm
net-snmp-devel-5.7.2-24.el7.ppc64le.rpm
net-snmp-libs-5.7.2-24.el7.ppc64le.rpm
net-snmp-utils-5.7.2-24.el7.ppc64le.rpm

s390x:
net-snmp-5.7.2-24.el7.s390x.rpm
net-snmp-agent-libs-5.7.2-24.el7.s390.rpm
net-snmp-agent-libs-5.7.2-24.el7.s390x.rpm
net-snmp-debuginfo-5.7.2-24.el7.s390.rpm
net-snmp-debuginfo-5.7.2-24.el7.s390x.rpm
net-snmp-devel-5.7.2-24.el7.s390.rpm
net-snmp-devel-5.7.2-24.el7.s390x.rpm
net-snmp-libs-5.7.2-24.el7.s390.rpm
net-snmp-libs-5.7.2-24.el7.s390x.rpm
net-snmp-utils-5.7.2-24.el7.s390x.rpm

x86_64:
net-snmp-5.7.2-24.el7.x86_64.rpm
net-snmp-agent-libs-5.7.2-24.el7.i686.rpm
net-snmp-agent-libs-5.7.2-24.el7.x86_64.rpm
net-snmp-debuginfo-5.7.2-24.el7.i686.rpm
net-snmp-debuginfo-5.7.2-24.el7.x86_64.rpm
net-snmp-devel-5.7.2-24.el7.i686.rpm
net-snmp-devel-5.7.2-24.el7.x86_64.rpm
net-snmp-libs-5.7.2-24.el7.i686.rpm
net-snmp-libs-5.7.2-24.el7.x86_64.rpm
net-snmp-utils-5.7.2-24.el7.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

aarch64:
net-snmp-debuginfo-5.7.2-24.el7.aarch64.rpm
net-snmp-gui-5.7.2-24.el7.aarch64.rpm
net-snmp-perl-5.7.2-24.el7.aarch64.rpm
net-snmp-python-5.7.2-24.el7.aarch64.rpm
net-snmp-sysvinit-5.7.2-24.el7.aarch64.rpm

ppc64:
net-snmp-debuginfo-5.7.2-24.el7.ppc64.rpm
net-snmp-gui-5.7.2-24.el7.ppc64.rpm
net-snmp-perl-5.7.2-24.el7.ppc64.rpm
net-snmp-python-5.7.2-24.el7.ppc64.rpm
net-snmp-sysvinit-5.7.2-24.el7.ppc64.rpm

ppc64le:
net-snmp-debuginfo-5.7.2-24.el7.ppc64le.rpm
net-snmp-gui-5.7.2-24.el7.ppc64le.rpm
net-snmp-perl-5.7.2-24.el7.ppc64le.rpm
net-snmp-python-5.7.2-24.el7.ppc64le.rpm
net-snmp-sysvinit-5.7.2-24.el7.ppc64le.rpm

s390x:
net-snmp-debuginfo-5.7.2-24.el7.s390x.rpm
net-snmp-gui-5.7.2-24.el7.s390x.rpm
net-snmp-perl-5.7.2-24.el7.s390x.rpm
net-snmp-python-5.7.2-24.el7.s390x.rpm
net-snmp-sysvinit-5.7.2-24.el7.s390x.rpm

x86_64:
net-snmp-debuginfo-5.7.2-24.el7.x86_64.rpm
net-snmp-gui-5.7.2-24.el7.x86_64.rpm
net-snmp-perl-5.7.2-24.el7.x86_64.rpm
net-snmp-python-5.7.2-24.el7.x86_64.rpm
net-snmp-sysvinit-5.7.2-24.el7.x86_64.rpm

Red Hat Enterprise Linux Workstation (v.
7): Source: net-snmp-5.7.2-24.el7.src.rpm x86_64: net-snmp-5.7.2-24.el7.x86_64.rpm net-snmp-agent-libs-5.7.2-24.el7.i686.rpm net-snmp-agent-libs-5.7.2-24.el7.x86_64.rpm net-snmp-debuginfo-5.7.2-24.el7.i686.rpm net-snmp-debuginfo-5.7.2-24.el7.x86_64.rpm net-snmp-devel-5.7.2-24.el7.i686.rpm net-snmp-devel-5.7.2-24.el7.x86_64.rpm net-snmp-libs-5.7.2-24.el7.i686.rpm net-snmp-libs-5.7.2-24.el7.x86_64.rpm net-snmp-utils-5.7.2-24.el7.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 7): x86_64: net-snmp-debuginfo-5.7.2-24.el7.x86_64.rpm net-snmp-gui-5.7.2-24.el7.x86_64.rpm net-snmp-perl-5.7.2-24.el7.x86_64.rpm net-snmp-python-5.7.2-24.el7.x86_64.rpm net-snmp-sysvinit-5.7.2-24.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2014-3565 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2015 Red Hat, Inc. 
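The snmptrapd crash fixed by this advisory (CVE-2014-3565) is the classic shape of a formatter that chooses its output routine from the MIB-declared type of a variable instead of from the ASN.1 tag actually present on the wire. The following Python block is an added example, not Net-SNMP code: it decodes one BER-encoded SNMP VarBind, looks the OID up in a two-entry stand-in for the MIB (an assumption for the example), and prints it in the style of the "-OQ" quick-print output. quick_print_naive() mirrors the unchecked behaviour and fails on an ifMtu whose value is NULL; quick_print() compares the wire tag with the declared SYNTAX first and reports a mismatch as text. The sample VarBinds are hand-encoded for the example, not captured traps.

```python
"""Type-checked "quick print" of SNMP trap VarBinds (added example, not Net-SNMP code)."""

# ASN.1/BER universal tags used in SNMP PDUs
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_NULL = 0x05
TAG_OID = 0x06
TAG_SEQUENCE = 0x30
TAG_NAMES = {TAG_INTEGER: "INTEGER", TAG_OCTET_STRING: "OCTET STRING",
             TAG_NULL: "NULL", TAG_OID: "OBJECT IDENTIFIER"}

# Stand-in for the loaded MIB tree: OID prefix -> (symbolic name, declared SYNTAX tag).
# Only two IF-MIB columns are listed; this table is an assumption for the example.
MIB_SYNTAX = {
    "1.3.6.1.2.1.2.2.1.2": ("IF-MIB::ifDescr", TAG_OCTET_STRING),
    "1.3.6.1.2.1.2.2.1.4": ("IF-MIB::ifMtu", TAG_INTEGER),
}


def _read_tlv(buf, pos):
    """Decode one BER tag-length-value at buf[pos]; return (tag, contents, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Dotted form of BER OID contents (the first octet packs the first two arcs)."""
    if not raw:
        raise ValueError("empty OID")
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # continuation bit clear: sub-identifier complete
            arcs.append(value)
            value = 0
    if value:
        raise ValueError("unterminated OID sub-identifier")
    return ".".join(str(a) for a in arcs)


def decode_varbind(buf):
    """VarBind ::= SEQUENCE { name OBJECT IDENTIFIER, value ANY } -> (oid, tag, contents)."""
    tag, body, end = _read_tlv(buf, 0)
    if tag != TAG_SEQUENCE or end != len(buf):
        raise ValueError("VarBind must be a single SEQUENCE")
    tag, oid_raw, pos = _read_tlv(body, 0)
    if tag != TAG_OID:
        raise ValueError("VarBind name must be an OBJECT IDENTIFIER")
    vtag, vraw, pos = _read_tlv(body, pos)
    if pos != len(body):
        raise ValueError("trailing bytes inside VarBind")
    return _decode_oid(oid_raw), vtag, vraw


def _lookup(oid):
    """Map an instance OID to (symbolic name, declared tag); unknown OIDs give (oid, None)."""
    for prefix, (name, expected) in MIB_SYNTAX.items():
        if oid.startswith(prefix + "."):
            return name + oid[len(prefix):], expected
    return oid, None


def quick_print_naive(varbind):
    """Trusts the MIB: takes the INTEGER branch from the declared type alone.
    A NULL value has zero content octets, so the first-octet access fails; this is
    the Python analogue of the crash described for CVE-2014-3565, not its code."""
    oid, vtag, vraw = decode_varbind(varbind)
    name, expected = _lookup(oid)
    if expected == TAG_INTEGER:
        sign_bit = vraw[0] & 0x80           # IndexError when vraw == b"" (the NULL case)
        return "%s = %d" % (name, int.from_bytes(vraw, "big", signed=bool(sign_bit)))
    return "%s = %r" % (name, vraw)


def quick_print(varbind):
    """Hardened: the wire tag must agree with the declared SYNTAX before the contents
    are interpreted; a disagreement is reported as text instead of being decoded."""
    oid, vtag, vraw = decode_varbind(varbind)
    name, expected = _lookup(oid)
    if expected is not None and vtag != expected:
        return "%s = Wrong Type (should be %s): %s" % (
            name, TAG_NAMES[expected], TAG_NAMES.get(vtag, "tag 0x%02x" % vtag))
    if vtag == TAG_INTEGER:
        if not vraw:
            raise ValueError("INTEGER with no content octets")
        return "%s = %d" % (name, int.from_bytes(vraw, "big", signed=True))
    if vtag == TAG_OCTET_STRING:
        return '%s = "%s"' % (name, vraw.decode("ascii", "backslashreplace"))
    if vtag == TAG_NULL:
        return "%s = NULL" % name
    return "%s = <unhandled tag 0x%02x>" % (name, vtag)


def naive_crashes(varbind):
    """True when the unchecked formatter fails on this VarBind."""
    try:
        quick_print_naive(varbind)
        return False
    except IndexError:
        return True


# Constructed sample VarBinds (hand-encoded BER for the example, not captured traffic).
VB_IFMTU_OK = bytes.fromhex("3010" "060a2b060102010202010401" "020205dc")     # ifMtu.1 = 1500
VB_IFMTU_NULL = bytes.fromhex("300e" "060a2b060102010202010401" "0500")       # ifMtu.1 = NULL
VB_IFDESCR = bytes.fromhex("3012" "060a2b060102010202010201" "040465746830")  # ifDescr.1 = "eth0"

if __name__ == "__main__":
    for vb in (VB_IFMTU_OK, VB_IFDESCR, VB_IFMTU_NULL):
        print(quick_print(vb))
```

The check that matters is the single tag comparison in quick_print(): every later branch may assume the contents have the shape the tag promises, and nothing is dereferenced on the strength of the MIB alone. The same rule applies to any receiver that formats attacker-supplied varbinds, whether or not the MIB was loaded with "-OQ".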
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFWTkIQXlSAg2UNWIIRAlbcAJwLsO5iPdIeUwdJqaoUF43N7RM7kgCcDynZ
3JFzBVf00U2C1LZ1RmCKJlQ=
=iYnO
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Nov 19 21:42:09 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 19 Nov 2015 16:42:09 -0500
Subject: [RHSA-2015:2355-01] Low: sssd security, bug fix, and enhancement update
Message-ID: <201511192142.tAJLg9iQ013636@int-mx09.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Low: sssd security, bug fix, and enhancement update
Advisory ID: RHSA-2015:2355-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-2355.html
Issue date: 2015-11-19
CVE Names: CVE-2015-5292
=====================================================================

1. Summary:

Updated sssd packages that fix one security issue, multiple bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - noarch, x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - noarch, x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - aarch64, noarch, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3.
Description:

The System Security Services Daemon (SSSD) service provides a set of daemons to manage access to remote directories and authentication mechanisms.

It was found that SSSD's Privilege Attribute Certificate (PAC) responder plug-in would leak a small amount of memory on each authentication request. A remote attacker could potentially use this flaw to exhaust all available memory on the system by making repeated requests to a Kerberized daemon application configured to authenticate using the PAC responder plug-in. (CVE-2015-5292)

The sssd packages have been upgraded to upstream version 1.13.0, which provides a number of bug fixes and enhancements over the previous version. (BZ#1205554)

Several enhancements are described in the Red Hat Enterprise Linux 7.2 Release Notes, linked to in the References section:

* SSSD smart card support (BZ#854396)
* Cache authentication in SSSD (BZ#910187)
* SSSD supports overriding automatically discovered AD site (BZ#1163806)
* SSSD can now deny SSH access to locked accounts (BZ#1175760)
* SSSD enables UID and GID mapping on individual clients (BZ#1183747)
* Background refresh of cached entries (BZ#1199533)
* Multi-step prompting for one-time and long-term passwords (BZ#1200873)
* Caching for initgroups operations (BZ#1206575)

Bugs fixed:

* When the SELinux user content on an IdM server was set to an empty string, the SSSD SELinux evaluation utility returned an error. (BZ#1192314)

* If the ldap_child process failed to initialize credentials and exited with an error multiple times, operations that create files in some cases started failing due to an insufficient number of i-nodes. (BZ#1198477)

* The SRV queries used a hard-coded TTL timeout, so environments that wanted the SRV queries to be valid for a certain time only were blocked. Now, SSSD parses the TTL value out of the DNS packet. (BZ#1199541)

* Previously, the initgroups operation took an excessive amount of time. Now, logins and ID processing are faster for setups with an AD back end and disabled ID mapping. (BZ#1201840)

* When an IdM client with Red Hat Enterprise Linux 7.1 or later was connecting to a server with Red Hat Enterprise Linux 7.0 or earlier, authentication with an AD trusted domain caused the sssd_be process to terminate unexpectedly. (BZ#1202170)

* If replication conflict entries appeared during HBAC processing, the user was denied access. Now, the replication conflict entries are skipped and users are permitted access. (BZ#1202245)

* The array of SIDs no longer contains an uninitialized value and SSSD no longer crashes. (BZ#1204203)

* SSSD supports GPOs from different domain controllers and no longer crashes when processing GPOs from different domain controllers. (BZ#1205852)

* SSSD could not refresh sudo rules that contained groups with special characters, such as parentheses, in their name. (BZ#1208507)

* The IPA names are not qualified on the client side if the server already qualified them, and IdM group members resolve even if default_domain_suffix is used on the server side. (BZ#1211830)

* The internal cache cleanup task has been disabled by default to improve performance of the sssd_be process. (BZ#1212489)

* Now, default_domain_suffix is no longer considered for autofs maps. (BZ#1216285)

* The user can set subdomain_inherit=ignore_group-members to disable fetching group members for trusted domains. (BZ#1217350)

* The group resolution failed with an error message: "Error: 14 (Bad address)". The binary GUID handling has been fixed. (BZ#1226119)

Enhancements added:

* The description of default_domain_suffix has been improved in the manual pages. (BZ#1185536)

* With the new "%0" template option, users on SSSD IdM clients can now use home directories set on AD. (BZ#1187103)

All sssd users are advised to upgrade to these updated packages, which correct these issues and add these enhancements.

4.
Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

854396 - [RFE] Support for smart cards
1007968 - sssd does not create AAAA record in AD
1163806 - [RFE]ad provider dns_discovery_domain option: kerberos discovery is not using this option
1187103 - [RFE] User's home directories are not taken from AD when there is an IPA trust with AD
1187146 - If v4 address exists, will not create nonexistant v6 in ipa domain
1192314 - With empty ipaselinuxusermapdefault security context on client is staff_u
1199445 - Does sssd-ad use the most suitable attribute for group name?
1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA
1201840 - SSSD downloads too much information when fetching information about groups
1202245 - SSSD's HBAC processing is not permissive enough with broken replication entries
1202724 - [RFE] Add a way to lookup users based on CAC identity certificates
1203642 - GPO access control looks for computer object in user's domain only
1205144 - RFE: Support one-way trusts for IPA
1205160 - Complain loudly if backend doesn't start due to missing or invalid keytab
1205554 - Rebase SSSD to 1.13.x
1206189 - [bug] sssd always appends default_domain_suffix when checking for host keys
1206565 - [RFE] Add dualstack and multihomed support
1206566 - SSSD does not update Dynamic DNS records if the IPA domain differs from machine hostname's domain
1206571 - [RFE] Expose D-BUS interface
1211830 - external users do not resolve with "default_domain_suffix" set in IPA server sssd.conf
1214337 - Overrides with --login work in second attempt
1214716 - idoverridegroup for ipa group with --group-name does not work
1214718 - Overridde with --login fails trusted adusers group membership resolution
1214719 - Group resolution is inconsistent with group overrides
1216285 - autofs provider fails when default_domain_suffix and use_fully_qualified_names set
1217127 - Override for IPA users with login does not list user all groups
1217559 - [RFE] Support GPOs from different domain controllers
1219285 - Unable to resolve group memberships for AD users when using sssd-1.12.2-58.el7_1.6.x86_64 client in combination with ipa-server-3.0.0-42.el6.x86_64 with AD Trust
1234722 - sssd ad provider fails to start in rhel7.2
1242942 - well-known SID check is broken for NetBIOS prefixes
1244949 - getgrgid for user's UID on a trust client prevents getpw*
1246489 - sss_obfuscate fails with "ImportError: No module named pysss"
1249015 - KDC proxy not working with SSSD krb5_use_kdcinfo enabled
1250135 - Detect re-established trusts in the IPA subdomain code
1254184 - sss_override does not work correctly when 'use_fully_qualified_names = True'
1254189 - sss_override contains an extra parameter --debug but is not listed in the man page or in the arguments help
1254518 - Fix crash in nss responder
1259512 - sss_override : The local override user is not found
1261155 - nsupdate exits on first GSSAPI error instead of processing other commands
1263587 - sss_override --name doesn't work with RFC2307 and ghost users
1263735 - Could not resolve AD user from root domain
1266107 - AD: Conditional jump or move depends on uninitialised value
1267176 - Memory leak / possible DoS with krb auth. [rhel 7.2]
1267580 - CVE-2015-5292 sssd: memory leak in the sssd_pac_plugin
1267836 - PAM responder crashed if user was not set
1267837 - sssd_be crashed in ipa_srv_ad_acct_lookup_step
1270827 - local overrides: don't contact server with overridden name/id

6. Package List:

Red Hat Enterprise Linux Client (v.
7): Source: sssd-1.13.0-40.el7.src.rpm noarch: python-sssdconfig-1.13.0-40.el7.noarch.rpm x86_64: libipa_hbac-1.13.0-40.el7.i686.rpm libipa_hbac-1.13.0-40.el7.x86_64.rpm libsss_idmap-1.13.0-40.el7.i686.rpm libsss_idmap-1.13.0-40.el7.x86_64.rpm libsss_nss_idmap-1.13.0-40.el7.i686.rpm libsss_nss_idmap-1.13.0-40.el7.x86_64.rpm python-libipa_hbac-1.13.0-40.el7.x86_64.rpm python-sss-1.13.0-40.el7.x86_64.rpm python-sss-murmur-1.13.0-40.el7.x86_64.rpm sssd-1.13.0-40.el7.x86_64.rpm sssd-ad-1.13.0-40.el7.x86_64.rpm sssd-client-1.13.0-40.el7.i686.rpm sssd-client-1.13.0-40.el7.x86_64.rpm sssd-common-1.13.0-40.el7.i686.rpm sssd-common-1.13.0-40.el7.x86_64.rpm sssd-common-pac-1.13.0-40.el7.x86_64.rpm sssd-dbus-1.13.0-40.el7.x86_64.rpm sssd-debuginfo-1.13.0-40.el7.i686.rpm sssd-debuginfo-1.13.0-40.el7.x86_64.rpm sssd-ipa-1.13.0-40.el7.x86_64.rpm sssd-krb5-1.13.0-40.el7.x86_64.rpm sssd-krb5-common-1.13.0-40.el7.i686.rpm sssd-krb5-common-1.13.0-40.el7.x86_64.rpm sssd-ldap-1.13.0-40.el7.x86_64.rpm sssd-libwbclient-1.13.0-40.el7.x86_64.rpm sssd-proxy-1.13.0-40.el7.x86_64.rpm sssd-tools-1.13.0-40.el7.x86_64.rpm Red Hat Enterprise Linux Client Optional (v. 7): x86_64: libipa_hbac-devel-1.13.0-40.el7.i686.rpm libipa_hbac-devel-1.13.0-40.el7.x86_64.rpm libsss_idmap-devel-1.13.0-40.el7.i686.rpm libsss_idmap-devel-1.13.0-40.el7.x86_64.rpm libsss_nss_idmap-devel-1.13.0-40.el7.i686.rpm libsss_nss_idmap-devel-1.13.0-40.el7.x86_64.rpm libsss_simpleifp-1.13.0-40.el7.i686.rpm libsss_simpleifp-1.13.0-40.el7.x86_64.rpm libsss_simpleifp-devel-1.13.0-40.el7.i686.rpm libsss_simpleifp-devel-1.13.0-40.el7.x86_64.rpm python-libsss_nss_idmap-1.13.0-40.el7.x86_64.rpm sssd-debuginfo-1.13.0-40.el7.i686.rpm sssd-debuginfo-1.13.0-40.el7.x86_64.rpm sssd-libwbclient-devel-1.13.0-40.el7.i686.rpm sssd-libwbclient-devel-1.13.0-40.el7.x86_64.rpm Red Hat Enterprise Linux ComputeNode (v. 
7): Source: sssd-1.13.0-40.el7.src.rpm noarch: python-sssdconfig-1.13.0-40.el7.noarch.rpm x86_64: libipa_hbac-1.13.0-40.el7.i686.rpm libipa_hbac-1.13.0-40.el7.x86_64.rpm libsss_idmap-1.13.0-40.el7.i686.rpm libsss_idmap-1.13.0-40.el7.x86_64.rpm libsss_nss_idmap-1.13.0-40.el7.i686.rpm libsss_nss_idmap-1.13.0-40.el7.x86_64.rpm python-libipa_hbac-1.13.0-40.el7.x86_64.rpm python-sss-1.13.0-40.el7.x86_64.rpm python-sss-murmur-1.13.0-40.el7.x86_64.rpm sssd-1.13.0-40.el7.x86_64.rpm sssd-ad-1.13.0-40.el7.x86_64.rpm sssd-client-1.13.0-40.el7.i686.rpm sssd-client-1.13.0-40.el7.x86_64.rpm sssd-common-1.13.0-40.el7.i686.rpm sssd-common-1.13.0-40.el7.x86_64.rpm sssd-common-pac-1.13.0-40.el7.x86_64.rpm sssd-dbus-1.13.0-40.el7.x86_64.rpm sssd-debuginfo-1.13.0-40.el7.i686.rpm sssd-debuginfo-1.13.0-40.el7.x86_64.rpm sssd-ipa-1.13.0-40.el7.x86_64.rpm sssd-krb5-1.13.0-40.el7.x86_64.rpm sssd-krb5-common-1.13.0-40.el7.i686.rpm sssd-krb5-common-1.13.0-40.el7.x86_64.rpm sssd-ldap-1.13.0-40.el7.x86_64.rpm sssd-libwbclient-1.13.0-40.el7.x86_64.rpm sssd-proxy-1.13.0-40.el7.x86_64.rpm sssd-tools-1.13.0-40.el7.x86_64.rpm Red Hat Enterprise Linux ComputeNode Optional (v. 7): x86_64: libipa_hbac-devel-1.13.0-40.el7.i686.rpm libipa_hbac-devel-1.13.0-40.el7.x86_64.rpm libsss_idmap-devel-1.13.0-40.el7.i686.rpm libsss_idmap-devel-1.13.0-40.el7.x86_64.rpm libsss_nss_idmap-devel-1.13.0-40.el7.i686.rpm libsss_nss_idmap-devel-1.13.0-40.el7.x86_64.rpm libsss_simpleifp-1.13.0-40.el7.i686.rpm libsss_simpleifp-1.13.0-40.el7.x86_64.rpm libsss_simpleifp-devel-1.13.0-40.el7.i686.rpm libsss_simpleifp-devel-1.13.0-40.el7.x86_64.rpm python-libsss_nss_idmap-1.13.0-40.el7.x86_64.rpm sssd-debuginfo-1.13.0-40.el7.i686.rpm sssd-debuginfo-1.13.0-40.el7.x86_64.rpm sssd-libwbclient-devel-1.13.0-40.el7.i686.rpm sssd-libwbclient-devel-1.13.0-40.el7.x86_64.rpm Red Hat Enterprise Linux Server (v. 
7): Source: sssd-1.13.0-40.el7.src.rpm aarch64: libipa_hbac-1.13.0-40.el7.aarch64.rpm libsss_idmap-1.13.0-40.el7.aarch64.rpm libsss_nss_idmap-1.13.0-40.el7.aarch64.rpm libsss_simpleifp-1.13.0-40.el7.aarch64.rpm python-libipa_hbac-1.13.0-40.el7.aarch64.rpm python-sss-1.13.0-40.el7.aarch64.rpm python-sss-murmur-1.13.0-40.el7.aarch64.rpm sssd-1.13.0-40.el7.aarch64.rpm sssd-ad-1.13.0-40.el7.aarch64.rpm sssd-client-1.13.0-40.el7.aarch64.rpm sssd-common-1.13.0-40.el7.aarch64.rpm sssd-common-pac-1.13.0-40.el7.aarch64.rpm sssd-dbus-1.13.0-40.el7.aarch64.rpm sssd-debuginfo-1.13.0-40.el7.aarch64.rpm sssd-ipa-1.13.0-40.el7.aarch64.rpm sssd-krb5-1.13.0-40.el7.aarch64.rpm sssd-krb5-common-1.13.0-40.el7.aarch64.rpm sssd-ldap-1.13.0-40.el7.aarch64.rpm sssd-libwbclient-1.13.0-40.el7.aarch64.rpm sssd-proxy-1.13.0-40.el7.aarch64.rpm sssd-tools-1.13.0-40.el7.aarch64.rpm noarch: python-sssdconfig-1.13.0-40.el7.noarch.rpm ppc64: libipa_hbac-1.13.0-40.el7.ppc.rpm libipa_hbac-1.13.0-40.el7.ppc64.rpm libsss_idmap-1.13.0-40.el7.ppc.rpm libsss_idmap-1.13.0-40.el7.ppc64.rpm libsss_nss_idmap-1.13.0-40.el7.ppc.rpm libsss_nss_idmap-1.13.0-40.el7.ppc64.rpm libsss_simpleifp-1.13.0-40.el7.ppc.rpm libsss_simpleifp-1.13.0-40.el7.ppc64.rpm python-libipa_hbac-1.13.0-40.el7.ppc64.rpm python-sss-1.13.0-40.el7.ppc64.rpm python-sss-murmur-1.13.0-40.el7.ppc64.rpm sssd-1.13.0-40.el7.ppc64.rpm sssd-ad-1.13.0-40.el7.ppc64.rpm sssd-client-1.13.0-40.el7.ppc.rpm sssd-client-1.13.0-40.el7.ppc64.rpm sssd-common-1.13.0-40.el7.ppc.rpm sssd-common-1.13.0-40.el7.ppc64.rpm sssd-common-pac-1.13.0-40.el7.ppc64.rpm sssd-dbus-1.13.0-40.el7.ppc64.rpm sssd-debuginfo-1.13.0-40.el7.ppc.rpm sssd-debuginfo-1.13.0-40.el7.ppc64.rpm sssd-ipa-1.13.0-40.el7.ppc64.rpm sssd-krb5-1.13.0-40.el7.ppc64.rpm sssd-krb5-common-1.13.0-40.el7.ppc.rpm sssd-krb5-common-1.13.0-40.el7.ppc64.rpm sssd-ldap-1.13.0-40.el7.ppc64.rpm sssd-libwbclient-1.13.0-40.el7.ppc64.rpm sssd-proxy-1.13.0-40.el7.ppc64.rpm sssd-tools-1.13.0-40.el7.ppc64.rpm ppc64le: 
libipa_hbac-1.13.0-40.el7.ppc64le.rpm libsss_idmap-1.13.0-40.el7.ppc64le.rpm libsss_nss_idmap-1.13.0-40.el7.ppc64le.rpm libsss_simpleifp-1.13.0-40.el7.ppc64le.rpm python-libipa_hbac-1.13.0-40.el7.ppc64le.rpm python-sss-1.13.0-40.el7.ppc64le.rpm python-sss-murmur-1.13.0-40.el7.ppc64le.rpm sssd-1.13.0-40.el7.ppc64le.rpm sssd-ad-1.13.0-40.el7.ppc64le.rpm sssd-client-1.13.0-40.el7.ppc64le.rpm sssd-common-1.13.0-40.el7.ppc64le.rpm sssd-common-pac-1.13.0-40.el7.ppc64le.rpm sssd-dbus-1.13.0-40.el7.ppc64le.rpm sssd-debuginfo-1.13.0-40.el7.ppc64le.rpm sssd-ipa-1.13.0-40.el7.ppc64le.rpm sssd-krb5-1.13.0-40.el7.ppc64le.rpm sssd-krb5-common-1.13.0-40.el7.ppc64le.rpm sssd-ldap-1.13.0-40.el7.ppc64le.rpm sssd-libwbclient-1.13.0-40.el7.ppc64le.rpm sssd-proxy-1.13.0-40.el7.ppc64le.rpm sssd-tools-1.13.0-40.el7.ppc64le.rpm s390x: libipa_hbac-1.13.0-40.el7.s390.rpm libipa_hbac-1.13.0-40.el7.s390x.rpm libsss_idmap-1.13.0-40.el7.s390.rpm libsss_idmap-1.13.0-40.el7.s390x.rpm libsss_nss_idmap-1.13.0-40.el7.s390.rpm libsss_nss_idmap-1.13.0-40.el7.s390x.rpm libsss_simpleifp-1.13.0-40.el7.s390.rpm libsss_simpleifp-1.13.0-40.el7.s390x.rpm python-libipa_hbac-1.13.0-40.el7.s390x.rpm python-sss-1.13.0-40.el7.s390x.rpm python-sss-murmur-1.13.0-40.el7.s390x.rpm sssd-1.13.0-40.el7.s390x.rpm sssd-ad-1.13.0-40.el7.s390x.rpm sssd-client-1.13.0-40.el7.s390.rpm sssd-client-1.13.0-40.el7.s390x.rpm sssd-common-1.13.0-40.el7.s390.rpm sssd-common-1.13.0-40.el7.s390x.rpm sssd-common-pac-1.13.0-40.el7.s390x.rpm sssd-dbus-1.13.0-40.el7.s390x.rpm sssd-debuginfo-1.13.0-40.el7.s390.rpm sssd-debuginfo-1.13.0-40.el7.s390x.rpm sssd-ipa-1.13.0-40.el7.s390x.rpm sssd-krb5-1.13.0-40.el7.s390x.rpm sssd-krb5-common-1.13.0-40.el7.s390.rpm sssd-krb5-common-1.13.0-40.el7.s390x.rpm sssd-ldap-1.13.0-40.el7.s390x.rpm sssd-libwbclient-1.13.0-40.el7.s390x.rpm sssd-proxy-1.13.0-40.el7.s390x.rpm sssd-tools-1.13.0-40.el7.s390x.rpm x86_64: libipa_hbac-1.13.0-40.el7.i686.rpm libipa_hbac-1.13.0-40.el7.x86_64.rpm 
libsss_idmap-1.13.0-40.el7.i686.rpm libsss_idmap-1.13.0-40.el7.x86_64.rpm libsss_nss_idmap-1.13.0-40.el7.i686.rpm libsss_nss_idmap-1.13.0-40.el7.x86_64.rpm libsss_simpleifp-1.13.0-40.el7.i686.rpm libsss_simpleifp-1.13.0-40.el7.x86_64.rpm python-libipa_hbac-1.13.0-40.el7.x86_64.rpm python-libsss_nss_idmap-1.13.0-40.el7.x86_64.rpm python-sss-1.13.0-40.el7.x86_64.rpm python-sss-murmur-1.13.0-40.el7.x86_64.rpm sssd-1.13.0-40.el7.x86_64.rpm sssd-ad-1.13.0-40.el7.x86_64.rpm sssd-client-1.13.0-40.el7.i686.rpm sssd-client-1.13.0-40.el7.x86_64.rpm sssd-common-1.13.0-40.el7.i686.rpm sssd-common-1.13.0-40.el7.x86_64.rpm sssd-common-pac-1.13.0-40.el7.x86_64.rpm sssd-dbus-1.13.0-40.el7.x86_64.rpm sssd-debuginfo-1.13.0-40.el7.i686.rpm sssd-debuginfo-1.13.0-40.el7.x86_64.rpm sssd-ipa-1.13.0-40.el7.x86_64.rpm sssd-krb5-1.13.0-40.el7.x86_64.rpm sssd-krb5-common-1.13.0-40.el7.i686.rpm sssd-krb5-common-1.13.0-40.el7.x86_64.rpm sssd-ldap-1.13.0-40.el7.x86_64.rpm sssd-libwbclient-1.13.0-40.el7.x86_64.rpm sssd-proxy-1.13.0-40.el7.x86_64.rpm sssd-tools-1.13.0-40.el7.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 
7): aarch64: libipa_hbac-devel-1.13.0-40.el7.aarch64.rpm libsss_idmap-devel-1.13.0-40.el7.aarch64.rpm libsss_nss_idmap-devel-1.13.0-40.el7.aarch64.rpm libsss_simpleifp-devel-1.13.0-40.el7.aarch64.rpm python-libsss_nss_idmap-1.13.0-40.el7.aarch64.rpm sssd-debuginfo-1.13.0-40.el7.aarch64.rpm sssd-libwbclient-devel-1.13.0-40.el7.aarch64.rpm ppc64: libipa_hbac-devel-1.13.0-40.el7.ppc.rpm libipa_hbac-devel-1.13.0-40.el7.ppc64.rpm libsss_idmap-devel-1.13.0-40.el7.ppc.rpm libsss_idmap-devel-1.13.0-40.el7.ppc64.rpm libsss_nss_idmap-devel-1.13.0-40.el7.ppc.rpm libsss_nss_idmap-devel-1.13.0-40.el7.ppc64.rpm libsss_simpleifp-devel-1.13.0-40.el7.ppc.rpm libsss_simpleifp-devel-1.13.0-40.el7.ppc64.rpm python-libsss_nss_idmap-1.13.0-40.el7.ppc64.rpm sssd-debuginfo-1.13.0-40.el7.ppc.rpm sssd-debuginfo-1.13.0-40.el7.ppc64.rpm sssd-libwbclient-devel-1.13.0-40.el7.ppc.rpm sssd-libwbclient-devel-1.13.0-40.el7.ppc64.rpm ppc64le: libipa_hbac-devel-1.13.0-40.el7.ppc64le.rpm libsss_idmap-devel-1.13.0-40.el7.ppc64le.rpm libsss_nss_idmap-devel-1.13.0-40.el7.ppc64le.rpm libsss_simpleifp-devel-1.13.0-40.el7.ppc64le.rpm python-libsss_nss_idmap-1.13.0-40.el7.ppc64le.rpm sssd-debuginfo-1.13.0-40.el7.ppc64le.rpm sssd-libwbclient-devel-1.13.0-40.el7.ppc64le.rpm s390x: libipa_hbac-devel-1.13.0-40.el7.s390.rpm libipa_hbac-devel-1.13.0-40.el7.s390x.rpm libsss_idmap-devel-1.13.0-40.el7.s390.rpm libsss_idmap-devel-1.13.0-40.el7.s390x.rpm libsss_nss_idmap-devel-1.13.0-40.el7.s390.rpm libsss_nss_idmap-devel-1.13.0-40.el7.s390x.rpm libsss_simpleifp-devel-1.13.0-40.el7.s390.rpm libsss_simpleifp-devel-1.13.0-40.el7.s390x.rpm python-libsss_nss_idmap-1.13.0-40.el7.s390x.rpm sssd-debuginfo-1.13.0-40.el7.s390.rpm sssd-debuginfo-1.13.0-40.el7.s390x.rpm sssd-libwbclient-devel-1.13.0-40.el7.s390.rpm sssd-libwbclient-devel-1.13.0-40.el7.s390x.rpm x86_64: libipa_hbac-devel-1.13.0-40.el7.i686.rpm libipa_hbac-devel-1.13.0-40.el7.x86_64.rpm libsss_idmap-devel-1.13.0-40.el7.i686.rpm 
libsss_idmap-devel-1.13.0-40.el7.x86_64.rpm libsss_nss_idmap-devel-1.13.0-40.el7.i686.rpm libsss_nss_idmap-devel-1.13.0-40.el7.x86_64.rpm libsss_simpleifp-devel-1.13.0-40.el7.i686.rpm libsss_simpleifp-devel-1.13.0-40.el7.x86_64.rpm sssd-debuginfo-1.13.0-40.el7.i686.rpm sssd-debuginfo-1.13.0-40.el7.x86_64.rpm sssd-libwbclient-devel-1.13.0-40.el7.i686.rpm sssd-libwbclient-devel-1.13.0-40.el7.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 7): Source: sssd-1.13.0-40.el7.src.rpm noarch: python-sssdconfig-1.13.0-40.el7.noarch.rpm x86_64: libipa_hbac-1.13.0-40.el7.i686.rpm libipa_hbac-1.13.0-40.el7.x86_64.rpm libsss_idmap-1.13.0-40.el7.i686.rpm libsss_idmap-1.13.0-40.el7.x86_64.rpm libsss_nss_idmap-1.13.0-40.el7.i686.rpm libsss_nss_idmap-1.13.0-40.el7.x86_64.rpm python-libipa_hbac-1.13.0-40.el7.x86_64.rpm python-libsss_nss_idmap-1.13.0-40.el7.x86_64.rpm python-sss-1.13.0-40.el7.x86_64.rpm python-sss-murmur-1.13.0-40.el7.x86_64.rpm sssd-1.13.0-40.el7.x86_64.rpm sssd-ad-1.13.0-40.el7.x86_64.rpm sssd-client-1.13.0-40.el7.i686.rpm sssd-client-1.13.0-40.el7.x86_64.rpm sssd-common-1.13.0-40.el7.i686.rpm sssd-common-1.13.0-40.el7.x86_64.rpm sssd-common-pac-1.13.0-40.el7.x86_64.rpm sssd-dbus-1.13.0-40.el7.x86_64.rpm sssd-debuginfo-1.13.0-40.el7.i686.rpm sssd-debuginfo-1.13.0-40.el7.x86_64.rpm sssd-ipa-1.13.0-40.el7.x86_64.rpm sssd-krb5-1.13.0-40.el7.x86_64.rpm sssd-krb5-common-1.13.0-40.el7.i686.rpm sssd-krb5-common-1.13.0-40.el7.x86_64.rpm sssd-ldap-1.13.0-40.el7.x86_64.rpm sssd-libwbclient-1.13.0-40.el7.x86_64.rpm sssd-proxy-1.13.0-40.el7.x86_64.rpm sssd-tools-1.13.0-40.el7.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 
7): x86_64: libipa_hbac-devel-1.13.0-40.el7.i686.rpm libipa_hbac-devel-1.13.0-40.el7.x86_64.rpm libsss_idmap-devel-1.13.0-40.el7.i686.rpm libsss_idmap-devel-1.13.0-40.el7.x86_64.rpm libsss_nss_idmap-devel-1.13.0-40.el7.i686.rpm libsss_nss_idmap-devel-1.13.0-40.el7.x86_64.rpm libsss_simpleifp-1.13.0-40.el7.i686.rpm libsss_simpleifp-1.13.0-40.el7.x86_64.rpm libsss_simpleifp-devel-1.13.0-40.el7.i686.rpm libsss_simpleifp-devel-1.13.0-40.el7.x86_64.rpm sssd-debuginfo-1.13.0-40.el7.i686.rpm sssd-debuginfo-1.13.0-40.el7.x86_64.rpm sssd-libwbclient-devel-1.13.0-40.el7.i686.rpm sssd-libwbclient-devel-1.13.0-40.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2015-5292 https://access.redhat.com/security/updates/classification/#low https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/7.2_Release_Notes/index.html 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2015 Red Hat, Inc. 
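The PAC responder flaw in this advisory (CVE-2015-5292) is a slow leak that only becomes a denial of service because it scales with request volume. The following Python block is an added example, not SSSD code: it fits resident memory against a request counter over a series of samples and flags growth that is both steady and tightly correlated with requests, which is what separates a per-request leak from start-up warm-up or a periodic-cleanup sawtooth. The /proc/<pid>/status parsing is Linux-specific, the thresholds are assumptions, the sample series are constructed rather than measured from sssd_pac, and the request counter is something the operator supplies (for instance by counting authentication entries in the responder's log).

```python
"""Per-request memory-growth check for a long-running daemon (added example, not SSSD code).

fit_growth() fits rss = a + b * requests over (requests_seen, rss_bytes) samples.
A positive slope with a tight fit is the signature of a leak proportional to
request count, the failure mode described for CVE-2015-5292.
"""
import re
import time

_VMRSS = re.compile(r"^VmRSS:\s+(\d+)\s+kB", re.MULTILINE)


def parse_vmrss(status_text):
    """Resident set size in bytes from the text of /proc/<pid>/status (Linux)."""
    m = _VMRSS.search(status_text)
    if m is None:
        raise ValueError("no VmRSS line (kernel thread, or process already exited?)")
    return int(m.group(1)) * 1024


def read_rss(pid):
    """Current RSS of a live process; Linux-specific."""
    with open("/proc/%d/status" % pid) as f:
        return parse_vmrss(f.read())


def fit_growth(samples):
    """Least-squares fit of RSS against requests served.

    samples: iterable of (requests_seen, rss_bytes), at least three points.
    Returns (bytes_per_request, r_squared)."""
    pts = [(float(x), float(y)) for x, y in samples]
    n = len(pts)
    if n < 3:
        raise ValueError("need at least 3 samples")
    mx = sum(x for x, _ in pts) / n
    my = sum(y for _, y in pts) / n
    sxx = sum((x - mx) ** 2 for x, _ in pts)
    syy = sum((y - my) ** 2 for _, y in pts)
    sxy = sum((x - mx) * (y - my) for x, y in pts)
    if sxx == 0:
        raise ValueError("request counter did not advance between samples")
    slope = sxy / sxx
    r2 = (sxy * sxy) / (sxx * syy) if syy else 0.0     # flat RSS: nothing to explain
    return slope, r2


def is_leaking(samples, min_bytes_per_request=64, min_r2=0.9):
    """True when RSS rises steadily with the request count.

    Both thresholds are assumptions for the example: a slope below
    min_bytes_per_request is treated as noise, and a poor fit means the growth
    is not proportional to requests (cache warm-up, periodic cleanup)."""
    slope, r2 = fit_growth(samples)
    return slope >= min_bytes_per_request and r2 >= min_r2


def collect(pid, request_counter, count, interval):
    """Take `count` (requests, rss) samples `interval` seconds apart.

    request_counter is a zero-argument callable the operator supplies, e.g. one
    that counts authentication lines in the daemon's log; none is provided here."""
    out = []
    for _ in range(count):
        out.append((request_counter(), read_rss(pid)))
        time.sleep(interval)
    return out


# Constructed sample series (requests served, RSS in bytes); not measurements of sssd.
LEAKING = [(0, 8000000), (1000, 8102400), (2000, 8204800),
           (3000, 8307200), (4000, 8409600)]              # +102.4 bytes per request
WARMUP_THEN_FLAT = [(0, 8000000), (1000, 8200000), (2000, 8200000),
                    (3000, 8200000), (4000, 8200000)]     # cache fill, then stable

if __name__ == "__main__":
    for label, series in (("leaking", LEAKING), ("warm-up", WARMUP_THEN_FLAT)):
        slope, r2 = fit_growth(series)
        print("%-8s %7.1f bytes/request  r2=%.2f  leak=%s"
              % (label, slope, r2, is_leaking(series)))
```

Run the same sampling against the patched build: a responder that no longer leaks should give a slope near zero once its caches are warm, which is the evidence that the update took effect under real traffic rather than just on paper.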
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFWTkIwXlSAg2UNWIIRAnINAKDBmatLRvKwJPaSwuYki3fC/SD7XACfbUYi
8kOYYPRD0XDmFgAHtGvq2XU=
=v0PG
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Nov 19 21:42:24 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 19 Nov 2015 16:42:24 -0500
Subject: [RHSA-2015:2360-01] Moderate: cups-filters security, bug fix, and enhancement update
Message-ID: <201511192142.tAJLgO3S004794@int-mx11.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: cups-filters security, bug fix, and enhancement update
Advisory ID: RHSA-2015:2360-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-2360.html
Issue date: 2015-11-19
CVE Names: CVE-2015-3258 CVE-2015-3279
=====================================================================

1. Summary:

Updated cups-filters packages that fix two security issues, several bugs, and add one enhancement are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3.
Description:

The cups-filters packages contain back ends, filters, and other software that was once part of the core Common UNIX Printing System (CUPS) distribution but is now maintained independently.

A heap-based buffer overflow flaw and an integer overflow flaw leading to a heap-based buffer overflow were discovered in the way the texttopdf utility of cups-filters processed print jobs with a specially crafted line size. An attacker able to submit print jobs could use these flaws to crash texttopdf or, possibly, execute arbitrary code with the privileges of the "lp" user. (CVE-2015-3258, CVE-2015-3279)

The CVE-2015-3258 issue was discovered by Petr Sklenar of Red Hat.

Notably, this update also fixes the following bug:

* Previously, when polling printers from a CUPS server, a printer name containing an underscore (_) was displayed by the client with a hyphen (-) instead, which made the print queue unavailable. With this update, CUPS allows the underscore character in printer names, and printers appear as shown on the CUPS server as expected. (BZ#1167408)

In addition, this update adds the following enhancement:

* Now, the information from local and remote CUPS servers is cached during each poll, and the CUPS server load is reduced. (BZ#1191691)

All cups-filters users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add this enhancement.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5.
Bugs fixed (https://bugzilla.redhat.com/):

1167408 - Cups is failing to poll Printers containing a "_" in the Name
1191691 - cups-browsed very inefficient
1223719 - Cups is not pulling Description of Printers from Cups server
1235385 - CVE-2015-3258 cups-filters: texttopdf heap-based buffer overflow
1238990 - CVE-2015-3279 cups-filters: texttopdf integer overflow

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:
cups-filters-1.0.35-21.el7.src.rpm

x86_64:
cups-filters-1.0.35-21.el7.x86_64.rpm
cups-filters-debuginfo-1.0.35-21.el7.i686.rpm
cups-filters-debuginfo-1.0.35-21.el7.x86_64.rpm
cups-filters-libs-1.0.35-21.el7.i686.rpm
cups-filters-libs-1.0.35-21.el7.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

x86_64:
cups-filters-debuginfo-1.0.35-21.el7.i686.rpm
cups-filters-debuginfo-1.0.35-21.el7.x86_64.rpm
cups-filters-devel-1.0.35-21.el7.i686.rpm
cups-filters-devel-1.0.35-21.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
cups-filters-1.0.35-21.el7.src.rpm

x86_64:
cups-filters-1.0.35-21.el7.x86_64.rpm
cups-filters-debuginfo-1.0.35-21.el7.i686.rpm
cups-filters-debuginfo-1.0.35-21.el7.x86_64.rpm
cups-filters-libs-1.0.35-21.el7.i686.rpm
cups-filters-libs-1.0.35-21.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

x86_64:
cups-filters-debuginfo-1.0.35-21.el7.i686.rpm
cups-filters-debuginfo-1.0.35-21.el7.x86_64.rpm
cups-filters-devel-1.0.35-21.el7.i686.rpm
cups-filters-devel-1.0.35-21.el7.x86_64.rpm

Red Hat Enterprise Linux Server (v.
7): Source: cups-filters-1.0.35-21.el7.src.rpm aarch64: cups-filters-1.0.35-21.el7.aarch64.rpm cups-filters-debuginfo-1.0.35-21.el7.aarch64.rpm cups-filters-libs-1.0.35-21.el7.aarch64.rpm ppc64: cups-filters-1.0.35-21.el7.ppc64.rpm cups-filters-debuginfo-1.0.35-21.el7.ppc.rpm cups-filters-debuginfo-1.0.35-21.el7.ppc64.rpm cups-filters-libs-1.0.35-21.el7.ppc.rpm cups-filters-libs-1.0.35-21.el7.ppc64.rpm ppc64le: cups-filters-1.0.35-21.el7.ppc64le.rpm cups-filters-debuginfo-1.0.35-21.el7.ppc64le.rpm cups-filters-libs-1.0.35-21.el7.ppc64le.rpm s390x: cups-filters-1.0.35-21.el7.s390x.rpm cups-filters-debuginfo-1.0.35-21.el7.s390.rpm cups-filters-debuginfo-1.0.35-21.el7.s390x.rpm cups-filters-libs-1.0.35-21.el7.s390.rpm cups-filters-libs-1.0.35-21.el7.s390x.rpm x86_64: cups-filters-1.0.35-21.el7.x86_64.rpm cups-filters-debuginfo-1.0.35-21.el7.i686.rpm cups-filters-debuginfo-1.0.35-21.el7.x86_64.rpm cups-filters-libs-1.0.35-21.el7.i686.rpm cups-filters-libs-1.0.35-21.el7.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 7): aarch64: cups-filters-debuginfo-1.0.35-21.el7.aarch64.rpm cups-filters-devel-1.0.35-21.el7.aarch64.rpm ppc64: cups-filters-debuginfo-1.0.35-21.el7.ppc.rpm cups-filters-debuginfo-1.0.35-21.el7.ppc64.rpm cups-filters-devel-1.0.35-21.el7.ppc.rpm cups-filters-devel-1.0.35-21.el7.ppc64.rpm ppc64le: cups-filters-debuginfo-1.0.35-21.el7.ppc64le.rpm cups-filters-devel-1.0.35-21.el7.ppc64le.rpm s390x: cups-filters-debuginfo-1.0.35-21.el7.s390.rpm cups-filters-debuginfo-1.0.35-21.el7.s390x.rpm cups-filters-devel-1.0.35-21.el7.s390.rpm cups-filters-devel-1.0.35-21.el7.s390x.rpm x86_64: cups-filters-debuginfo-1.0.35-21.el7.i686.rpm cups-filters-debuginfo-1.0.35-21.el7.x86_64.rpm cups-filters-devel-1.0.35-21.el7.i686.rpm cups-filters-devel-1.0.35-21.el7.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 
7): Source: cups-filters-1.0.35-21.el7.src.rpm x86_64: cups-filters-1.0.35-21.el7.x86_64.rpm cups-filters-debuginfo-1.0.35-21.el7.i686.rpm cups-filters-debuginfo-1.0.35-21.el7.x86_64.rpm cups-filters-libs-1.0.35-21.el7.i686.rpm cups-filters-libs-1.0.35-21.el7.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 7): x86_64: cups-filters-debuginfo-1.0.35-21.el7.i686.rpm cups-filters-debuginfo-1.0.35-21.el7.x86_64.rpm cups-filters-devel-1.0.35-21.el7.i686.rpm cups-filters-devel-1.0.35-21.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2015-3258 https://access.redhat.com/security/cve/CVE-2015-3279 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2015 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFWTkI/XlSAg2UNWIIRAu9zAJ9td8pVwkyhBcvi9q99BN0vXX0l1wCdF9ja xBqT9SbAPOIsTorB4nlIdyI= =Bpsc -----END PGP SIGNATURE----- From bugzilla at redhat.com Thu Nov 19 21:54:23 2015 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 19 Nov 2015 16:54:23 -0500 Subject: [RHSA-2015:2369-01] Low: openhpi security, bug fix, and enhancement update Message-ID: <201511192154.tAJLsNjt022697@int-mx09.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Low: openhpi security, bug fix, and enhancement update Advisory ID: RHSA-2015:2369-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-2369.html Issue date: 2015-11-19 CVE Names: CVE-2015-3248 ===================================================================== 1. 
Summary:

Updated openhpi packages that fix one security issue, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

OpenHPI is an open source project created with the intent of providing an implementation of the SA Forum's Hardware Platform Interface (HPI). HPI provides an abstracted interface to managing computer hardware, typically for chassis and rack based servers. HPI includes resource modeling, access to and control over sensor, control, watchdog, and inventory data associated with resources, abstracted System Event Log interfaces, hardware events and alerts, and a managed hotswap interface.

It was found that the "/var/lib/openhpi" directory provided by OpenHPI used world-writable and world-readable permissions. A local user could use this flaw to view, modify, and delete OpenHPI-related data, or even fill up the storage device hosting the /var/lib directory. (CVE-2015-3248)

This issue was discovered by Marko Myllynen of Red Hat.

The openhpi packages have been upgraded to upstream version 3.4.0, which provides a number of bug fixes and enhancements over the previous version. (BZ#1127908)

This update also fixes the following bug:

* Network timeouts were handled incorrectly in the openhpid daemon.
As a consequence, network connections could fail when external plug-ins were used. With this update, handling of network socket timeouts has been improved in openhpid, and the described problem no longer occurs. (BZ#1208127) All openhpi users are advised to upgrade to these updated packages, which correct these issues and add these enhancements. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1233520 - CVE-2015-3248 openhpi: world writable /var/lib/openhpi directory 6. Package List: Red Hat Enterprise Linux ComputeNode (v. 7): Source: openhpi-3.4.0-2.el7.src.rpm x86_64: openhpi-3.4.0-2.el7.i686.rpm openhpi-3.4.0-2.el7.x86_64.rpm openhpi-debuginfo-3.4.0-2.el7.i686.rpm openhpi-debuginfo-3.4.0-2.el7.x86_64.rpm openhpi-libs-3.4.0-2.el7.i686.rpm openhpi-libs-3.4.0-2.el7.x86_64.rpm Red Hat Enterprise Linux ComputeNode Optional (v. 7): x86_64: openhpi-debuginfo-3.4.0-2.el7.i686.rpm openhpi-debuginfo-3.4.0-2.el7.x86_64.rpm openhpi-devel-3.4.0-2.el7.i686.rpm openhpi-devel-3.4.0-2.el7.x86_64.rpm Red Hat Enterprise Linux Server (v. 
7): Source: openhpi-3.4.0-2.el7.src.rpm aarch64: openhpi-3.4.0-2.el7.aarch64.rpm openhpi-debuginfo-3.4.0-2.el7.aarch64.rpm openhpi-libs-3.4.0-2.el7.aarch64.rpm ppc64: openhpi-3.4.0-2.el7.ppc.rpm openhpi-3.4.0-2.el7.ppc64.rpm openhpi-debuginfo-3.4.0-2.el7.ppc.rpm openhpi-debuginfo-3.4.0-2.el7.ppc64.rpm openhpi-libs-3.4.0-2.el7.ppc.rpm openhpi-libs-3.4.0-2.el7.ppc64.rpm ppc64le: openhpi-3.4.0-2.el7.ppc64le.rpm openhpi-debuginfo-3.4.0-2.el7.ppc64le.rpm openhpi-libs-3.4.0-2.el7.ppc64le.rpm s390x: openhpi-3.4.0-2.el7.s390.rpm openhpi-3.4.0-2.el7.s390x.rpm openhpi-debuginfo-3.4.0-2.el7.s390.rpm openhpi-debuginfo-3.4.0-2.el7.s390x.rpm openhpi-libs-3.4.0-2.el7.s390.rpm openhpi-libs-3.4.0-2.el7.s390x.rpm x86_64: openhpi-3.4.0-2.el7.i686.rpm openhpi-3.4.0-2.el7.x86_64.rpm openhpi-debuginfo-3.4.0-2.el7.i686.rpm openhpi-debuginfo-3.4.0-2.el7.x86_64.rpm openhpi-libs-3.4.0-2.el7.i686.rpm openhpi-libs-3.4.0-2.el7.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 7): aarch64: openhpi-debuginfo-3.4.0-2.el7.aarch64.rpm openhpi-devel-3.4.0-2.el7.aarch64.rpm ppc64: openhpi-debuginfo-3.4.0-2.el7.ppc.rpm openhpi-debuginfo-3.4.0-2.el7.ppc64.rpm openhpi-devel-3.4.0-2.el7.ppc.rpm openhpi-devel-3.4.0-2.el7.ppc64.rpm ppc64le: openhpi-debuginfo-3.4.0-2.el7.ppc64le.rpm openhpi-devel-3.4.0-2.el7.ppc64le.rpm s390x: openhpi-debuginfo-3.4.0-2.el7.s390.rpm openhpi-debuginfo-3.4.0-2.el7.s390x.rpm openhpi-devel-3.4.0-2.el7.s390.rpm openhpi-devel-3.4.0-2.el7.s390x.rpm x86_64: openhpi-debuginfo-3.4.0-2.el7.i686.rpm openhpi-debuginfo-3.4.0-2.el7.x86_64.rpm openhpi-devel-3.4.0-2.el7.i686.rpm openhpi-devel-3.4.0-2.el7.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 7): Source: openhpi-3.4.0-2.el7.src.rpm x86_64: openhpi-3.4.0-2.el7.i686.rpm openhpi-3.4.0-2.el7.x86_64.rpm openhpi-debuginfo-3.4.0-2.el7.i686.rpm openhpi-debuginfo-3.4.0-2.el7.x86_64.rpm openhpi-libs-3.4.0-2.el7.i686.rpm openhpi-libs-3.4.0-2.el7.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 
7): x86_64: openhpi-debuginfo-3.4.0-2.el7.i686.rpm openhpi-debuginfo-3.4.0-2.el7.x86_64.rpm openhpi-devel-3.4.0-2.el7.i686.rpm openhpi-devel-3.4.0-2.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2015-3248 https://access.redhat.com/security/updates/classification/#low 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2015 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFWTkUOXlSAg2UNWIIRAuJyAJ9a80MvBwQ4f9eQ0EdzTO6Ihi3pMACglfQc wrC52WABEXFR4qEOS+K6Eqk= =Cqgp -----END PGP SIGNATURE----- From bugzilla at redhat.com Thu Nov 19 21:54:33 2015 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 19 Nov 2015 16:54:33 -0500 Subject: [RHSA-2015:2378-01] Moderate: squid security and bug fix update Message-ID: <201511192154.tAJLsXxX022793@int-mx09.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: squid security and bug fix update Advisory ID: RHSA-2015:2378-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-2378.html Issue date: 2015-11-19 CVE Names: CVE-2015-3455 ===================================================================== 1. Summary: Updated squid packages that fix one security issue and two bugs are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Server (v. 
7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects.

It was found that Squid configured with client-first SSL-bump did not correctly validate X.509 server certificate host name fields. A man-in-the-middle attacker could use this flaw to spoof a TLS server to Squid using a specially crafted X.509 certificate. (CVE-2015-3455)

This update fixes the following bugs:

* Previously, the squid process did not handle file descriptors correctly when receiving Simple Network Management Protocol (SNMP) requests. As a consequence, the process gradually accumulated open file descriptors. This bug has been fixed and squid now handles SNMP requests correctly, closing file descriptors when necessary. (BZ#1198778)

* Under high system load, the squid process sometimes terminated unexpectedly with a segmentation fault during reboot. This update provides better memory handling during reboot, thus fixing this bug. (BZ#1225640)

Users of squid are advised to upgrade to these updated packages, which correct these issues. After installing this update, the squid service will be restarted automatically.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. 
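Validating the server certificate's host name fields, which the Squid flaw above got wrong, means matching the host the client asked for against the dNSName entries of subjectAltName, and against the subject CN only when the certificate carries no dNSName at all. The C below is an added example of that matching step following the RFC 6125 rules; it is not Squid's code and does not reproduce Squid's fix. The cert_names_t type, the function names and the sample certificate names are constructed for the illustration.

```c
/* Added example, not Squid code: match the host a client requested against
 * the DNS names a server certificate presents, following RFC 6125. The
 * cert_names_t type, the function names and the sample names are constructed
 * for this illustration; a real checker takes them from the parsed X.509. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAMES 8

typedef struct {
    const char *cn;              /* subject CN; consulted only if san_count == 0 */
    const char *san[MAX_NAMES];  /* subjectAltName dNSName entries */
    size_t san_count;
} cert_names_t;

/* Case-insensitive ASCII equality of two NUL-terminated strings. */
static bool ieq(const char *a, const char *b)
{
    for (; *a != '\0' && *b != '\0'; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == '\0' && *b == '\0';
}

/* Does one presented identifier match `host`?
 * - without a wildcard the names must be equal (case-insensitively);
 * - "*" is accepted only as the whole leftmost label, matches exactly one
 *   label, and needs at least two more labels ("*.com" is refused);
 * - partial-label wildcards ("w*.example.com") are treated as literals and
 *   therefore never match a real host name. */
bool dns_id_matches(const char *pattern, const char *host)
{
    if (pattern == NULL || host == NULL || *pattern == '\0' || *host == '\0')
        return false;
    if (strncmp(pattern, "*.", 2) != 0)
        return ieq(pattern, host);
    if (strchr(pattern + 2, '*') != NULL)        /* a second wildcard */
        return false;
    const char *suffix = pattern + 1;            /* ".example.com" */
    int dots = 0;
    for (const char *p = suffix + 1; *p != '\0'; p++)
        if (*p == '.')
            dots++;
    if (dots < 1)                                /* "*.com", "*.x" */
        return false;
    const char *host_suffix = strchr(host, '.');
    if (host_suffix == NULL || host_suffix == host)  /* no leftmost label */
        return false;
    return ieq(suffix, host_suffix);             /* exactly one label consumed */
}

/* True if the certificate is valid for `host`. When any dNSName SAN is
 * present the CN is ignored, so a certificate cannot smuggle the target name
 * into its subject while its SAN names something else. */
bool cert_matches_host(const cert_names_t *c, const char *host)
{
    if (c->san_count > 0) {
        for (size_t i = 0; i < c->san_count; i++)
            if (dns_id_matches(c->san[i], host))
                return true;
        return false;
    }
    return c->cn != NULL && dns_id_matches(c->cn, host);
}

int main(void)
{
    /* Constructed: SAN names an attacker host while the CN claims the bank. */
    cert_names_t spoof = { .cn = "bank.example.com", .san = { "attacker.example.net" }, .san_count = 1 };
    /* Constructed: a legitimate wildcard certificate. */
    cert_names_t legit = { .cn = "ignored", .san = { "*.example.com", "example.com" }, .san_count = 2 };
    printf("spoof cert for bank.example.com: %s\n", cert_matches_host(&spoof, "bank.example.com") ? "ACCEPTED" : "rejected");
    printf("legit cert for www.example.com:  %s\n", cert_matches_host(&legit, "www.example.com") ? "accepted" : "REJECTED");
    printf("legit cert for a.b.example.com:  %s\n", cert_matches_host(&legit, "a.b.example.com") ? "ACCEPTED" : "rejected");
    return 0;
}
```

This check runs after chain validation, never instead of it. Hosts given as IP addresses must be compared against iPAddress SAN entries, which the example does not model, and an IDN host must be converted to its A-label form before matching.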
Bugs fixed (https://bugzilla.redhat.com/): 1102842 - missing /var/run/squid needed for smp mode 1161600 - Squid does not serve cached responses with Vary headers 1198778 - Filedescriptor leaks on snmp 1204375 - squid sends incorrect ssl chain breaking newer gnutls using applications 1218118 - CVE-2015-3455 squid: incorrect X509 server certificate validation (SQUID-2015:1) 1263338 - squid with digest auth on big endian systems start looping 6. Package List: Red Hat Enterprise Linux Server (v. 7): Source: squid-3.3.8-26.el7.src.rpm aarch64: squid-3.3.8-26.el7.aarch64.rpm squid-debuginfo-3.3.8-26.el7.aarch64.rpm ppc64: squid-3.3.8-26.el7.ppc64.rpm squid-debuginfo-3.3.8-26.el7.ppc64.rpm ppc64le: squid-3.3.8-26.el7.ppc64le.rpm squid-debuginfo-3.3.8-26.el7.ppc64le.rpm s390x: squid-3.3.8-26.el7.s390x.rpm squid-debuginfo-3.3.8-26.el7.s390x.rpm x86_64: squid-3.3.8-26.el7.x86_64.rpm squid-debuginfo-3.3.8-26.el7.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 7): aarch64: squid-debuginfo-3.3.8-26.el7.aarch64.rpm squid-sysvinit-3.3.8-26.el7.aarch64.rpm ppc64: squid-debuginfo-3.3.8-26.el7.ppc64.rpm squid-sysvinit-3.3.8-26.el7.ppc64.rpm ppc64le: squid-debuginfo-3.3.8-26.el7.ppc64le.rpm squid-sysvinit-3.3.8-26.el7.ppc64le.rpm s390x: squid-debuginfo-3.3.8-26.el7.s390x.rpm squid-sysvinit-3.3.8-26.el7.s390x.rpm x86_64: squid-debuginfo-3.3.8-26.el7.x86_64.rpm squid-sysvinit-3.3.8-26.el7.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 7): Source: squid-3.3.8-26.el7.src.rpm x86_64: squid-3.3.8-26.el7.x86_64.rpm squid-debuginfo-3.3.8-26.el7.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 7): x86_64: squid-debuginfo-3.3.8-26.el7.x86_64.rpm squid-sysvinit-3.3.8-26.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. 
References: https://access.redhat.com/security/cve/CVE-2015-3455 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2015 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFWTkUYXlSAg2UNWIIRAmt+AJ0UKKM0S/EznZMtJ2MjAWiSoVJYewCeLxlB OsBIyCrEW9EYlvDhwY46l2w= =c8ZS -----END PGP SIGNATURE----- From bugzilla at redhat.com Thu Nov 19 21:54:44 2015 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 19 Nov 2015 16:54:44 -0500 Subject: [RHSA-2015:2383-01] Moderate: pacemaker security, bug fix, and enhancement update Message-ID: <201511192154.tAJLsiRv015220@int-mx11.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: pacemaker security, bug fix, and enhancement update Advisory ID: RHSA-2015:2383-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-2383.html Issue date: 2015-11-19 CVE Names: CVE-2015-1867 ===================================================================== 1. Summary: Updated pacemaker packages that fix one security issue, several bugs, and add two enhancements are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Server High Availability (v. 7) - s390x, x86_64 Red Hat Enterprise Linux Server Resilient Storage (v. 7) - s390x, x86_64 3. 
Description:

The Pacemaker Resource Manager is a collection of technologies working together to provide data integrity and the ability to maintain application availability in the event of a failure.

A flaw was found in the way pacemaker, a cluster resource manager, evaluated added nodes in certain situations. A user with read-only access could potentially assign any other existing roles to themselves and then add privileges to other users as well. (CVE-2015-1867)

The pacemaker packages have been upgraded to upstream version 1.1.13, which provides a number of bug fixes and enhancements over the previous version. (BZ#1234680)

This update also fixes the following bugs:

* When a Pacemaker cluster included an Apache resource, and Apache's mod_systemd module was enabled, systemd rejected notifications sent by Apache. As a consequence, a large number of errors in the following format appeared in the system log:

Got notification message from PID XXXX, but reception only permitted for PID YYYY

With this update, the lrmd daemon now unsets the "NOTIFY_SOCKET" variable in the described circumstances, and these error messages are no longer logged. (BZ#1150184)

* Previously, specifying a remote guest node as a part of a group resource in a Pacemaker cluster caused the node to stop working. This update adds support for remote guests in Pacemaker group resources, and the described problem no longer occurs. (BZ#1168637)

* When a resource in a Pacemaker cluster failed to start, Pacemaker updated the resource's last failure time and incremented its fail count even if the "on-fail=ignore" option was used. This in some cases caused unintended resource migrations when a resource start failure occurred. Now, Pacemaker does not update the fail count when "on-fail=ignore" is used. As a result, the failure is displayed in the cluster status output, but is properly ignored and thus does not cause resource migration.
(BZ#1200849)

* Previously, Pacemaker supported semicolon characters (";") as delimiters when parsing the pcmk_host_map string, but not when parsing the pcmk_host_list string. To ensure consistent user experience, semicolons are now supported as delimiters for parsing pcmk_host_list, as well. (BZ#1206232)

In addition, this update adds the following enhancements:

* If a Pacemaker location constraint has the "resource-discovery=never" option, Pacemaker now does not attempt to determine whether a specified service is running on the specified node. In addition, if multiple location constraints for a given resource specify "resource-discovery=exclusive", then Pacemaker attempts resource discovery only on the nodes specified in those constraints. This allows Pacemaker to skip resource discovery on nodes where attempting the operation would lead to error or other undesirable behavior. (BZ#1108853)

* The procedure of configuring fencing for redundant power supplies has been simplified in order to prevent multiple nodes accessing cluster resources at the same time and thus causing data corruption. For further information, see the "Fencing: Configuring STONITH" chapter of the High Availability Add-On Reference manual. (BZ#1206647)

* The output of the "crm_mon" and "pcs status" commands has been modified to be clearer and more concise, and thus easier to read when reporting the status of a Pacemaker cluster with a large number of remote nodes and cloned resources. (BZ#1115840)

All pacemaker users are advised to upgrade to these updated packages, which correct these issues and add these enhancements.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. 
Bugs fixed (https://bugzilla.redhat.com/):

1162727 - member weirdness when adding/removing nodes
1172539 - Node ends up in a reboot loop when a resource with the same name exists
1182244 - crm_resource --restart broken
1182614 - Logs full of: error: gio_poll_dispatch_update: Adaptor for descriptor 8 is not in-use
1187321 - pacemaker - libqb dependency needs update
1194475 - edge case causes colocation constraint not to be honored.
1200785 - pacemaker-cli requires pacemaker but does not depend on it
1200849 - crmd: Resource marked with failcount=INFINITY on start failure with on-fail=ignore
1203053 - Nagios metadata is missing
1205188 - debug-promote implementation
1206232 - fencing: Allow semi-colon delimiter for pcmk_host_list
1211370 - CVE-2015-1867 pacemaker: acl read-only access allow role assignment
1211833 - systemd resources are shut down before the cluster at reboot
1212647 - crm_resource -C works inconsistently with clearing resources on baremetal remote nodes
1225854 - Error in `/usr/sbin/crm_resource': free(): invalid pointer: 0x00007f7199482848
1234680 - Rebase Pacemaker to obtain pacemaker-remote fixes for OSP
1246291 - lrmd killed by SIGSEGV
1267265 - A change in "crm_resource --set-parameter is-managed" introduces regression for Clone and M/S resources

6. Package List:

Red Hat Enterprise Linux Server High Availability (v. 
7): Source: pacemaker-1.1.13-10.el7.src.rpm s390x: pacemaker-1.1.13-10.el7.s390x.rpm pacemaker-cli-1.1.13-10.el7.s390x.rpm pacemaker-cluster-libs-1.1.13-10.el7.s390x.rpm pacemaker-cts-1.1.13-10.el7.s390x.rpm pacemaker-debuginfo-1.1.13-10.el7.s390x.rpm pacemaker-doc-1.1.13-10.el7.s390x.rpm pacemaker-libs-1.1.13-10.el7.s390x.rpm pacemaker-libs-devel-1.1.13-10.el7.s390x.rpm pacemaker-nagios-plugins-metadata-1.1.13-10.el7.s390x.rpm pacemaker-remote-1.1.13-10.el7.s390x.rpm x86_64: pacemaker-1.1.13-10.el7.x86_64.rpm pacemaker-cli-1.1.13-10.el7.x86_64.rpm pacemaker-cluster-libs-1.1.13-10.el7.i686.rpm pacemaker-cluster-libs-1.1.13-10.el7.x86_64.rpm pacemaker-cts-1.1.13-10.el7.x86_64.rpm pacemaker-debuginfo-1.1.13-10.el7.i686.rpm pacemaker-debuginfo-1.1.13-10.el7.x86_64.rpm pacemaker-doc-1.1.13-10.el7.x86_64.rpm pacemaker-libs-1.1.13-10.el7.i686.rpm pacemaker-libs-1.1.13-10.el7.x86_64.rpm pacemaker-libs-devel-1.1.13-10.el7.i686.rpm pacemaker-libs-devel-1.1.13-10.el7.x86_64.rpm pacemaker-nagios-plugins-metadata-1.1.13-10.el7.x86_64.rpm pacemaker-remote-1.1.13-10.el7.x86_64.rpm Red Hat Enterprise Linux Server Resilient Storage (v. 
7): Source: pacemaker-1.1.13-10.el7.src.rpm s390x: pacemaker-1.1.13-10.el7.s390x.rpm pacemaker-cli-1.1.13-10.el7.s390x.rpm pacemaker-cluster-libs-1.1.13-10.el7.s390x.rpm pacemaker-cts-1.1.13-10.el7.s390x.rpm pacemaker-debuginfo-1.1.13-10.el7.s390x.rpm pacemaker-doc-1.1.13-10.el7.s390x.rpm pacemaker-libs-1.1.13-10.el7.s390x.rpm pacemaker-libs-devel-1.1.13-10.el7.s390x.rpm pacemaker-nagios-plugins-metadata-1.1.13-10.el7.s390x.rpm pacemaker-remote-1.1.13-10.el7.s390x.rpm x86_64: pacemaker-1.1.13-10.el7.x86_64.rpm pacemaker-cli-1.1.13-10.el7.x86_64.rpm pacemaker-cluster-libs-1.1.13-10.el7.i686.rpm pacemaker-cluster-libs-1.1.13-10.el7.x86_64.rpm pacemaker-cts-1.1.13-10.el7.x86_64.rpm pacemaker-debuginfo-1.1.13-10.el7.i686.rpm pacemaker-debuginfo-1.1.13-10.el7.x86_64.rpm pacemaker-doc-1.1.13-10.el7.x86_64.rpm pacemaker-libs-1.1.13-10.el7.i686.rpm pacemaker-libs-1.1.13-10.el7.x86_64.rpm pacemaker-libs-devel-1.1.13-10.el7.i686.rpm pacemaker-libs-devel-1.1.13-10.el7.x86_64.rpm pacemaker-nagios-plugins-metadata-1.1.13-10.el7.x86_64.rpm pacemaker-remote-1.1.13-10.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2015-1867 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2015 Red Hat, Inc. 
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFWTkUjXlSAg2UNWIIRAsbmAJsFI1hYdZwuk0s123R9+pEQqqZJxwCfQpPS NoRgbmrSRnBxJWZIxO/3Sc8= =gz9X -----END PGP SIGNATURE----- From bugzilla at redhat.com Thu Nov 19 21:54:58 2015 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 19 Nov 2015 16:54:58 -0500 Subject: [RHSA-2015:2393-01] Moderate: wireshark security, bug fix, and enhancement update Message-ID: <201511192154.tAJLswTv015312@int-mx11.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: wireshark security, bug fix, and enhancement update Advisory ID: RHSA-2015:2393-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-2393.html Issue date: 2015-11-19 CVE Names: CVE-2014-8710 CVE-2014-8711 CVE-2014-8712 CVE-2014-8713 CVE-2014-8714 CVE-2015-0562 CVE-2015-0563 CVE-2015-0564 CVE-2015-2188 CVE-2015-2189 CVE-2015-2191 CVE-2015-3182 CVE-2015-3810 CVE-2015-3811 CVE-2015-3812 CVE-2015-3813 CVE-2015-6243 CVE-2015-6244 CVE-2015-6245 CVE-2015-6246 CVE-2015-6248 ===================================================================== 1. Summary: Updated wireshark packages that fix multiple security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Client (v. 7) - x86_64 Red Hat Enterprise Linux Client Optional (v. 7) - x86_64 Red Hat Enterprise Linux Server (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 
7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

The wireshark packages contain a network protocol analyzer used to capture and browse the traffic running on a computer network.

Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file. (CVE-2015-2188, CVE-2015-2189, CVE-2015-2191, CVE-2015-3810, CVE-2015-3811, CVE-2015-3812, CVE-2015-3813, CVE-2014-8710, CVE-2014-8711, CVE-2014-8712, CVE-2014-8713, CVE-2014-8714, CVE-2015-0562, CVE-2015-0563, CVE-2015-0564, CVE-2015-3182, CVE-2015-6243, CVE-2015-6244, CVE-2015-6245, CVE-2015-6246, CVE-2015-6248)

The CVE-2015-3182 issue was discovered by Martin Žember of Red Hat.

The wireshark packages have been upgraded to upstream version 1.10.14, which provides a number of bug fixes and enhancements over the previous version. (BZ#1238676)

This update also fixes the following bug:

* Prior to this update, when using the tshark utility to capture packets over the interface, tshark failed to create output files in the .pcap format even if it was specified using the "-F" option. This bug has been fixed; the "-F" option is now honored, and the result is saved in the .pcap format as expected. (BZ#1227199)

In addition, this update adds the following enhancement:

* Previously, wireshark included only microseconds in the .pcapng format. With this update, wireshark supports nanosecond time stamp precision to allow for more accurate time stamps. (BZ#1213339)

All wireshark users are advised to upgrade to these updated packages, which correct these issues and add these enhancements. All running instances of Wireshark must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied. 
For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1163581 - CVE-2014-8714 wireshark: TN5250 infinite loop (wnpa-sec-2014-23)
1163582 - CVE-2014-8712 CVE-2014-8713 wireshark: NCP dissector crashes (wnpa-sec-2014-22)
1163583 - CVE-2014-8711 wireshark: AMQP dissector crash (wnpa-sec-2014-21)
1163584 - CVE-2014-8710 wireshark: SigComp dissector crash (wnpa-sec-2014-20)
1180182 - CVE-2015-0562 wireshark: DEC DNA Routing Protocol dissector crash (wnpa-sec-2015-03)
1180195 - CVE-2015-0563 wireshark: SMTP dissector crash (wnpa-sec-2015-04)
1180197 - CVE-2015-0564 wireshark: TLS/SSL decryption crash (wnpa-sec-2015-05)
1199163 - CVE-2015-2188 wireshark: The WCP dissector could crash while decompressing data (wnpa-sec-2015-07)
1199165 - CVE-2015-2189 wireshark: The pcapng file parser could crash (wnpa-sec-2015-08)
1199167 - CVE-2015-2191 wireshark: The TNEF dissector could go into an infinite loop on 32-bit architectures (wnpa-sec-2015-10)
1219409 - CVE-2015-3182 wireshark: crash on sample file genbroad.snoop
1222434 - CVE-2015-3810 wireshark: WebSocket DoS (wnpa-sec-2015-13)
1222436 - CVE-2015-3811 wireshark: WCP dissector crash (wnpa-sec-2015-14)
1222437 - CVE-2015-3812 wireshark: X11 memory leak (wnpa-sec-2015-15)
1222438 - CVE-2015-3813 wireshark: Reassembly memory leak (wnpa-sec-2015-16)
1253354 - CVE-2015-6243 wireshark: Dissector table crash (wnpa-sec-2015-23)
1253355 - CVE-2015-6244 wireshark: ZigBee dissector crash (wnpa-sec-2015-24)
1253356 - CVE-2015-6245 wireshark: GSM RLC/MAC dissector infinite loop (wnpa-sec-2015-25)
1253357 - CVE-2015-6246 wireshark: WaveAgent dissector crash (wnpa-sec-2015-26)
1253360 - CVE-2015-6248 wireshark: Ptvcursor crash (wnpa-sec-2015-28)
1267959 - wireshark segfaults

6. Package List:

Red Hat Enterprise Linux Client (v. 
7):

Source:
wireshark-1.10.14-7.el7.src.rpm

x86_64:
wireshark-1.10.14-7.el7.i686.rpm
wireshark-1.10.14-7.el7.x86_64.rpm
wireshark-debuginfo-1.10.14-7.el7.i686.rpm
wireshark-debuginfo-1.10.14-7.el7.x86_64.rpm
wireshark-gnome-1.10.14-7.el7.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

x86_64:
wireshark-debuginfo-1.10.14-7.el7.i686.rpm
wireshark-debuginfo-1.10.14-7.el7.x86_64.rpm
wireshark-devel-1.10.14-7.el7.i686.rpm
wireshark-devel-1.10.14-7.el7.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
wireshark-1.10.14-7.el7.src.rpm

aarch64:
wireshark-1.10.14-7.el7.aarch64.rpm
wireshark-debuginfo-1.10.14-7.el7.aarch64.rpm
wireshark-gnome-1.10.14-7.el7.aarch64.rpm

ppc64:
wireshark-1.10.14-7.el7.ppc.rpm
wireshark-1.10.14-7.el7.ppc64.rpm
wireshark-debuginfo-1.10.14-7.el7.ppc.rpm
wireshark-debuginfo-1.10.14-7.el7.ppc64.rpm
wireshark-gnome-1.10.14-7.el7.ppc64.rpm

ppc64le:
wireshark-1.10.14-7.el7.ppc64le.rpm
wireshark-debuginfo-1.10.14-7.el7.ppc64le.rpm
wireshark-gnome-1.10.14-7.el7.ppc64le.rpm

s390x:
wireshark-1.10.14-7.el7.s390.rpm
wireshark-1.10.14-7.el7.s390x.rpm
wireshark-debuginfo-1.10.14-7.el7.s390.rpm
wireshark-debuginfo-1.10.14-7.el7.s390x.rpm
wireshark-gnome-1.10.14-7.el7.s390x.rpm

x86_64:
wireshark-1.10.14-7.el7.i686.rpm
wireshark-1.10.14-7.el7.x86_64.rpm
wireshark-debuginfo-1.10.14-7.el7.i686.rpm
wireshark-debuginfo-1.10.14-7.el7.x86_64.rpm
wireshark-gnome-1.10.14-7.el7.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

aarch64:
wireshark-debuginfo-1.10.14-7.el7.aarch64.rpm
wireshark-devel-1.10.14-7.el7.aarch64.rpm

ppc64:
wireshark-debuginfo-1.10.14-7.el7.ppc.rpm
wireshark-debuginfo-1.10.14-7.el7.ppc64.rpm
wireshark-devel-1.10.14-7.el7.ppc.rpm
wireshark-devel-1.10.14-7.el7.ppc64.rpm

ppc64le:
wireshark-debuginfo-1.10.14-7.el7.ppc64le.rpm
wireshark-devel-1.10.14-7.el7.ppc64le.rpm

s390x:
wireshark-debuginfo-1.10.14-7.el7.s390.rpm
wireshark-debuginfo-1.10.14-7.el7.s390x.rpm
wireshark-devel-1.10.14-7.el7.s390.rpm
wireshark-devel-1.10.14-7.el7.s390x.rpm

x86_64:
wireshark-debuginfo-1.10.14-7.el7.i686.rpm
wireshark-debuginfo-1.10.14-7.el7.x86_64.rpm
wireshark-devel-1.10.14-7.el7.i686.rpm
wireshark-devel-1.10.14-7.el7.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
wireshark-1.10.14-7.el7.src.rpm

x86_64:
wireshark-1.10.14-7.el7.i686.rpm
wireshark-1.10.14-7.el7.x86_64.rpm
wireshark-debuginfo-1.10.14-7.el7.i686.rpm
wireshark-debuginfo-1.10.14-7.el7.x86_64.rpm
wireshark-gnome-1.10.14-7.el7.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

x86_64:
wireshark-debuginfo-1.10.14-7.el7.i686.rpm
wireshark-debuginfo-1.10.14-7.el7.x86_64.rpm
wireshark-devel-1.10.14-7.el7.i686.rpm
wireshark-devel-1.10.14-7.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2014-8710
https://access.redhat.com/security/cve/CVE-2014-8711
https://access.redhat.com/security/cve/CVE-2014-8712
https://access.redhat.com/security/cve/CVE-2014-8713
https://access.redhat.com/security/cve/CVE-2014-8714
https://access.redhat.com/security/cve/CVE-2015-0562
https://access.redhat.com/security/cve/CVE-2015-0563
https://access.redhat.com/security/cve/CVE-2015-0564
https://access.redhat.com/security/cve/CVE-2015-2188
https://access.redhat.com/security/cve/CVE-2015-2189
https://access.redhat.com/security/cve/CVE-2015-2191
https://access.redhat.com/security/cve/CVE-2015-3182
https://access.redhat.com/security/cve/CVE-2015-3810
https://access.redhat.com/security/cve/CVE-2015-3811
https://access.redhat.com/security/cve/CVE-2015-3812
https://access.redhat.com/security/cve/CVE-2015-3813
https://access.redhat.com/security/cve/CVE-2015-6243
https://access.redhat.com/security/cve/CVE-2015-6244
https://access.redhat.com/security/cve/CVE-2015-6245
https://access.redhat.com/security/cve/CVE-2015-6246
https://access.redhat.com/security/cve/CVE-2015-6248
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
From bugzilla at redhat.com Thu Nov 19 21:55:10 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 19 Nov 2015 16:55:10 -0500
Subject: [RHSA-2015:2401-01] Low: grub2 security, bug fix, and enhancement update
Message-ID: <201511192155.tAJLtA4Z019394@int-mx14.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: grub2 security, bug fix, and enhancement update
Advisory ID:       RHSA-2015:2401-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-2401.html
Issue date:        2015-11-19
CVE Names:         CVE-2015-5281
=====================================================================

1. Summary:

Updated grub2 packages that fix one security issue, several bugs, and add one enhancement are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - aarch64, ppc64, ppc64le, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - aarch64, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

The grub2 packages provide version 2 of the Grand Unified Bootloader (GRUB), a highly configurable and customizable bootloader with modular architecture.
The packages support a variety of kernel formats, file systems, computer architectures, and hardware devices.

It was discovered that grub2 builds for EFI systems contained modules that were not suitable to be loaded in a Secure Boot environment. An attacker could use this flaw to circumvent the Secure Boot mechanisms and load non-verified code. Attacks could use the boot menu if no password was set, or the grub2 configuration file if the attacker has root privileges on the system. (CVE-2015-5281)

This update also fixes the following bugs:

* In one of the earlier updates, GRUB2 was modified to escape forward slash (/) characters in several different places. In one of these places, the escaping was unnecessary and prevented certain types of kernel command-line arguments from being passed to the kernel correctly. With this update, GRUB2 no longer escapes the forward slash characters in the mentioned place, and the kernel command-line arguments work as expected. (BZ#1125404)

* Previously, GRUB2 relied on a timing mechanism provided by legacy hardware, but not by the Hyper-V Gen2 hypervisor, to calibrate its timer loop. This prevented GRUB2 from operating correctly on Hyper-V Gen2. This update modifies GRUB2 to use a different mechanism on Hyper-V Gen2 to calibrate the timing. As a result, Hyper-V Gen2 hypervisors now work as expected. (BZ#1150698)

* Prior to this update, users who manually configured GRUB2 to use the built-in GNU Privacy Guard (GPG) verification observed the following error on boot: "alloc magic is broken at [addr]: [value] Aborted." Consequently, the boot failed. The GRUB2 built-in GPG verification has been modified to no longer free the same memory twice. As a result, the mentioned error no longer occurs. (BZ#1167977)

* Previously, the system sometimes did not recover after terminating unexpectedly and failed to reboot. To fix this problem, the GRUB2 packages now enforce file synchronization when creating the GRUB2 configuration file, which ensures that the required configuration files are written to disk. As a result, the system now reboots successfully after crashing. (BZ#1212114)

* Previously, if an unconfigured network driver instance was selected and configured when the GRUB2 bootloader was loaded on a different instance, GRUB2 did not receive notifications of the Address Resolution Protocol (ARP) replies. Consequently, GRUB2 failed with the following error message: "error: timeout: could not resolve hardware address." With this update, GRUB2 selects the network driver instance from which it was loaded. As a result, ARP packets are processed correctly. (BZ#1257475)

In addition, this update adds the following enhancement:

* Sorting of the GRUB2 boot menu has been improved. GRUB2 now uses the rpmdevtools package to sort available kernels, and the configuration file is generated correctly with the most recent kernel version listed at the top. (BZ#1124074)

All grub2 users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add this enhancement.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1001279 - grub2 can't boot new xfs CRC-capable disk format
1124074 - grub2-mkconfig wrong sorting
1125404 - [RHEL 7] grub2 improperly escapes spaces in kernel parameters
1148650 - no docs explaining what config path GRUB expects when netbooting
1177003 - yum reinstall kernel causes duplicate entry in grub menu
1211101 - grub2 fw_path variable is incorrect for x86 EFI network boot: too many path components stripped
1264103 - CVE-2015-5281 grub2: modules built in on EFI builds that allow loading arbitrary code, circumventing secure boot

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:
grub2-2.02-0.29.el7.src.rpm

x86_64:
grub2-2.02-0.29.el7.x86_64.rpm
grub2-debuginfo-2.02-0.29.el7.x86_64.rpm
grub2-efi-2.02-0.29.el7.x86_64.rpm
grub2-tools-2.02-0.29.el7.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

x86_64:
grub2-debuginfo-2.02-0.29.el7.x86_64.rpm
grub2-efi-modules-2.02-0.29.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
grub2-2.02-0.29.el7.src.rpm

x86_64:
grub2-2.02-0.29.el7.x86_64.rpm
grub2-debuginfo-2.02-0.29.el7.x86_64.rpm
grub2-efi-2.02-0.29.el7.x86_64.rpm
grub2-tools-2.02-0.29.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

x86_64:
grub2-debuginfo-2.02-0.29.el7.x86_64.rpm
grub2-efi-modules-2.02-0.29.el7.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
grub2-2.02-0.29.el7.src.rpm

aarch64:
grub2-debuginfo-2.02-0.29.el7.aarch64.rpm
grub2-efi-2.02-0.29.el7.aarch64.rpm
grub2-tools-2.02-0.29.el7.aarch64.rpm

ppc64:
grub2-2.02-0.29.el7.ppc64.rpm
grub2-debuginfo-2.02-0.29.el7.ppc64.rpm
grub2-tools-2.02-0.29.el7.ppc64.rpm

ppc64le:
grub2-2.02-0.29.el7.ppc64le.rpm
grub2-debuginfo-2.02-0.29.el7.ppc64le.rpm
grub2-tools-2.02-0.29.el7.ppc64le.rpm

x86_64:
grub2-2.02-0.29.el7.x86_64.rpm
grub2-debuginfo-2.02-0.29.el7.x86_64.rpm
grub2-efi-2.02-0.29.el7.x86_64.rpm
grub2-tools-2.02-0.29.el7.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

aarch64:
grub2-debuginfo-2.02-0.29.el7.aarch64.rpm
grub2-efi-modules-2.02-0.29.el7.aarch64.rpm

x86_64:
grub2-debuginfo-2.02-0.29.el7.x86_64.rpm
grub2-efi-modules-2.02-0.29.el7.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
grub2-2.02-0.29.el7.src.rpm

x86_64:
grub2-2.02-0.29.el7.x86_64.rpm
grub2-debuginfo-2.02-0.29.el7.x86_64.rpm
grub2-efi-2.02-0.29.el7.x86_64.rpm
grub2-tools-2.02-0.29.el7.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

x86_64:
grub2-debuginfo-2.02-0.29.el7.x86_64.rpm
grub2-efi-modules-2.02-0.29.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2015-5281
https://access.redhat.com/security/updates/classification/#low

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
From bugzilla at redhat.com Thu Nov 19 22:02:05 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 19 Nov 2015 17:02:05 -0500
Subject: [RHSA-2015:2411-01] Important: kernel-rt security, bug fix, and enhancement update
Message-ID: <201511192202.tAJM25oe024895@int-mx14.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: kernel-rt security, bug fix, and enhancement update
Advisory ID:       RHSA-2015:2411-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-2411.html
Issue date:        2015-11-19
CVE Names:         CVE-2013-7421 CVE-2014-8171 CVE-2014-9419 CVE-2014-9644
                   CVE-2015-2925 CVE-2015-3339 CVE-2015-4170 CVE-2015-5283
                   CVE-2015-7613 CVE-2015-7837
=====================================================================

1. Summary:

Updated kernel-rt packages that fix multiple security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux for Real Time (v. 7) - noarch, x86_64

3. Description:

The kernel-rt packages contain the Linux kernel, the core of any Linux operating system.

* A flaw was found in the way the Linux kernel's file system implementation handled rename operations in which the source was inside and the destination was outside of a bind mount. A privileged user inside a container could use this flaw to escape the bind mount and, potentially, escalate their privileges on the system. (CVE-2015-2925, Important)

* A race condition flaw was found in the way the Linux kernel's IPC subsystem initialized certain fields in an IPC object structure that were later used for permission checking before inserting the object into a globally visible list. A local, unprivileged user could potentially use this flaw to elevate their privileges on the system. (CVE-2015-7613, Important)

* It was found that the Linux kernel memory resource controller's (memcg) handling of OOM (out of memory) conditions could lead to deadlocks. An attacker able to continuously spawn new processes within a single memory-constrained cgroup during an OOM event could use this flaw to lock up the system. (CVE-2014-8171, Moderate)

* A race condition flaw was found between the chown and execve system calls. When changing the owner of a setuid user binary to root, the race condition could momentarily make the binary setuid root. A local, unprivileged user could potentially use this flaw to escalate their privileges on the system. (CVE-2015-3339, Moderate)

* A flaw was discovered in the way the Linux kernel's TTY subsystem handled the tty shutdown phase. A local, unprivileged user could use this flaw to cause a denial of service on the system by holding a reference to the ldisc lock during tty shutdown, causing a deadlock. (CVE-2015-4170, Moderate)

* A NULL pointer dereference flaw was found in the SCTP implementation. A local user could use this flaw to cause a denial of service on the system by triggering a kernel panic when creating multiple sockets in parallel while the system did not have the SCTP module loaded. (CVE-2015-5283, Moderate)

* A flaw was found in the way the Linux kernel's Crypto subsystem handled automatic loading of kernel modules. A local user could use this flaw to load any installed kernel module, and thus increase the attack surface of the running kernel. (CVE-2013-7421, CVE-2014-9644, Low)

* An information leak flaw was found in the way the Linux kernel changed certain segment registers and thread-local storage (TLS) during a context switch. A local, unprivileged user could use this flaw to leak the user space TLS base address of an arbitrary process. (CVE-2014-9419, Low)

* A flaw was found in the way the Linux kernel handled the securelevel functionality after performing a kexec operation. A local attacker could use this flaw to bypass the security mechanism of the securelevel/secureboot combination. (CVE-2015-7837, Low)

Red Hat would like to thank Linn Crosetto of HP for reporting the CVE-2015-7837 issue. The CVE-2015-5283 issue was discovered by Ji Jianwen from Red Hat engineering.

The kernel-rt packages have been upgraded to version 3.10.0-326.rt56.204, which provides a number of bug fixes and enhancements. (BZ#1201915, BZ#1211724)

This update also fixes several bugs and adds multiple enhancements. Refer to the following Red Hat Knowledgebase article for information on the most significant of these changes:

https://access.redhat.com/articles/2055783

All kernel-rt users are advised to upgrade to these updated packages, which correct these issues and add these enhancements. The system must be rebooted for this update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1177260 - CVE-2014-9419 kernel: partial ASLR bypass through TLS base addresses leak
1185469 - CVE-2013-7421 Linux kernel: crypto api unprivileged arbitrary module load via request_module()
1190546 - CVE-2014-9644 Linux kernel: crypto api unprivileged arbitrary module load via request_module()
1198109 - CVE-2014-8171 kernel: memcg: OOM handling DoS
1209190 - kernel-rt: rebase tree to match RHEL7.1.z source tree
1209367 - CVE-2015-2925 Kernel: vfs: Do not allow escaping from bind mounts
1211724 - kernel-rt: rebase to the RHEL7.1.z batch3 source tree
1214030 - CVE-2015-3339 kernel: race condition between chown() and execve()
1218879 - CVE-2015-4170 kernel: pty layer race condition on tty ldisc shutdown.
1230391 - kernel-rt: update to the RHEL7.1.z batch 4 source tree
1230395 - kernel-rt: update to the RHEL7.1.z batch 5 source tree
1257528 - CVE-2015-5283 kernel: Creating multiple sockets when SCTP module isn't loaded leads to kernel panic
1265251 - kernel-rt: update to the RHEL7.1.z batch 6 source tree
1268270 - CVE-2015-7613 kernel: Unauthorized access to IPC objects with SysV shm
1272472 - CVE-2015-7837 kernel: securelevel disabled after kexec

6. Package List:

Red Hat Enterprise Linux for Real Time (v. 7):

Source:
kernel-rt-3.10.0-327.rt56.204.el7.src.rpm

noarch:
kernel-rt-doc-3.10.0-327.rt56.204.el7.noarch.rpm

x86_64:
kernel-rt-3.10.0-327.rt56.204.el7.x86_64.rpm
kernel-rt-debug-3.10.0-327.rt56.204.el7.x86_64.rpm
kernel-rt-debug-debuginfo-3.10.0-327.rt56.204.el7.x86_64.rpm
kernel-rt-debug-devel-3.10.0-327.rt56.204.el7.x86_64.rpm
kernel-rt-debuginfo-3.10.0-327.rt56.204.el7.x86_64.rpm
kernel-rt-debuginfo-common-x86_64-3.10.0-327.rt56.204.el7.x86_64.rpm
kernel-rt-devel-3.10.0-327.rt56.204.el7.x86_64.rpm
kernel-rt-trace-3.10.0-327.rt56.204.el7.x86_64.rpm
kernel-rt-trace-debuginfo-3.10.0-327.rt56.204.el7.x86_64.rpm
kernel-rt-trace-devel-3.10.0-327.rt56.204.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.
Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2013-7421
https://access.redhat.com/security/cve/CVE-2014-8171
https://access.redhat.com/security/cve/CVE-2014-9419
https://access.redhat.com/security/cve/CVE-2014-9644
https://access.redhat.com/security/cve/CVE-2015-2925
https://access.redhat.com/security/cve/CVE-2015-3339
https://access.redhat.com/security/cve/CVE-2015-4170
https://access.redhat.com/security/cve/CVE-2015-5283
https://access.redhat.com/security/cve/CVE-2015-7613
https://access.redhat.com/security/cve/CVE-2015-7837
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/articles/2055783

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.

From bugzilla at redhat.com Thu Nov 19 22:02:17 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 19 Nov 2015 17:02:17 -0500
Subject: [RHSA-2015:2417-01] Moderate: autofs security, bug fix and enhancement update
Message-ID: <201511192202.tAJM2HBF001274@int-mx10.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: autofs security, bug fix and enhancement update
Advisory ID:       RHSA-2015:2417-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-2417.html
Issue date:        2015-11-19
CVE Names:         CVE-2014-8169
=====================================================================

1. Summary:

Updated autofs packages that fix one security issue, several bugs, and add one enhancement are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64

3. Description:

The autofs utility controls the operation of the automount daemon. The daemon automatically mounts file systems when in use and unmounts them when they are not busy.

It was found that program-based automounter maps that used interpreted languages such as Python used standard environment variables to locate and load modules of those languages. A local attacker could potentially use this flaw to escalate their privileges on the system. (CVE-2014-8169)

Note: This issue has been fixed by adding the "AUTOFS_" prefix to the affected environment variables so that they are not used to subvert the system. A configuration option ("force_standard_program_map_env") to override this prefix and to use the environment variables without the prefix has been added. In addition, warnings have been added to the manual page and to the installed configuration file. Now, by default, the standard variables of the program map are provided only with the prefix added to their names.

Red Hat would like to thank the Georgia Institute of Technology for reporting this issue.

Notably, this update fixes the following bugs:

* When the "ls *" command was run in the root of an indirect mount, autofs attempted to literally mount the wildcard character (*), causing it to be added to the negative cache. If done before a valid mount, autofs then failed on further mount attempts inside the mount point, valid or not. This has been fixed, and wildcard map entries now function in the described situation. (BZ#1166457)

* When autofs encountered a syntax error consisting of a duplicate entry in a multimap entry, it reported an error and did not mount the map entry. With this update, autofs has been amended to report the problem in the log to alert the system administrator and use the last seen instance of the duplicate entry rather than fail. (BZ#1205600)

* In the ldap and sss lookup modules, the map reading functions did not distinguish between the "no entry found" and "service not available" errors. Consequently, when the "service not available" response was returned from a master map read, autofs did not update the mounts. An "entry not found" return does not prevent the map update, so the ldap and sss lookup modules were updated to distinguish between these two returns and now work as expected. (BZ#1233065)

In addition, this update adds the following enhancement:

* The description of the configuration parameter map_hash_table_size was missing from the autofs.conf(5) man page, and its description in the configuration file comments was insufficient. A description of the parameter has been added to autofs.conf(5), and the configuration file comments have been updated. (BZ#1238573)

All autofs users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add this enhancement.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1161474 - automount segment fault in parse_sun.so for negative parser tests
1166457 - Autofs unable to mount indirect after attempt to mount wildcard
1192565 - CVE-2014-8169 autofs: priv escalation via interpreter load path for program based automount maps
1201582 - autofs: MAPFMT_DEFAULT is not macro in lookup_program.c
1218045 - Similar but unrelated NFS exports block proper mounting of "parent" mount point
1233067 - autofs is performing excessive direct mount map re-reads
1233069 - Direct map does not expire if map is initially empty
1263508 - Heavy program map usage can lead to a hang

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:
autofs-5.0.7-54.el7.src.rpm

x86_64:
autofs-5.0.7-54.el7.x86_64.rpm
autofs-debuginfo-5.0.7-54.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
autofs-5.0.7-54.el7.src.rpm

x86_64:
autofs-5.0.7-54.el7.x86_64.rpm
autofs-debuginfo-5.0.7-54.el7.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
autofs-5.0.7-54.el7.src.rpm

aarch64:
autofs-5.0.7-54.el7.aarch64.rpm
autofs-debuginfo-5.0.7-54.el7.aarch64.rpm

ppc64:
autofs-5.0.7-54.el7.ppc64.rpm
autofs-debuginfo-5.0.7-54.el7.ppc64.rpm

ppc64le:
autofs-5.0.7-54.el7.ppc64le.rpm
autofs-debuginfo-5.0.7-54.el7.ppc64le.rpm

s390x:
autofs-5.0.7-54.el7.s390x.rpm
autofs-debuginfo-5.0.7-54.el7.s390x.rpm

x86_64:
autofs-5.0.7-54.el7.x86_64.rpm
autofs-debuginfo-5.0.7-54.el7.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
autofs-5.0.7-54.el7.src.rpm

x86_64:
autofs-5.0.7-54.el7.x86_64.rpm
autofs-debuginfo-5.0.7-54.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2014-8169
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is .
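The autofs advisory above describes the CVE-2014-8169 fix as prefixing the variables exported to program maps with "AUTOFS_", with "force_standard_program_map_env" available to switch back to the unprefixed names. As an added example, not code from Red Hat or the autofs project, the Python audit below flags that override together with any program maps that would be exposed by it; the INI layout of autofs.conf, the "program:" map-type spelling in auto.master, and both sample files are assumptions, not taken from the advisory.

```python
"""Audit an autofs configuration for the CVE-2014-8169 mitigation.

Added example for this advisory; not code from the autofs project or
from Red Hat. Assumptions: /etc/autofs.conf is INI-style with an
"[ autofs ]" section, /etc/auto.master lines read
"mount-point map-spec [options]", and program maps are written with the
"program:" map type. Both sample inputs below are constructed.
"""
import configparser
import shlex
from dataclasses import dataclass
from typing import List, Tuple

TRUE_VALUES = {"yes", "true", "on", "1"}

# Constructed sample configuration, not taken from any real system.
SAMPLE_AUTOFS_CONF = """\
# constructed /etc/autofs.conf
[ autofs ]
timeout = 300
browse_mode = no
# re-enables the unprefixed variables the advisory's fix removed
force_standard_program_map_env = yes
"""

SAMPLE_AUTO_MASTER = """\
# constructed /etc/auto.master
/misc   /etc/auto.misc
/net    -hosts
/home   program:/usr/local/sbin/home-mapper.py   --timeout=60
+auto.master
"""


@dataclass(frozen=True)
class Finding:
    severity: str   # "info", "medium" or "high"
    message: str


def prefix_override_enabled(autofs_conf: str) -> bool:
    """True when force_standard_program_map_env is switched on.

    With the fix applied, autofs hands program maps only AUTOFS_-prefixed
    variables; this option restores the pre-fix (unprefixed) behaviour.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(autofs_conf)
    for section in parser.sections():
        if section.strip() != "autofs":
            continue
        raw = parser.get(section, "force_standard_program_map_env", fallback="no")
        return raw.strip().strip('"').lower() in TRUE_VALUES
    return False


def program_maps(auto_master: str) -> List[Tuple[str, str]]:
    """Return (mount_point, program_path) for each program map entry."""
    found = []
    for raw in auto_master.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("+"):
            continue  # blank, comment-only, or "+map" include directive
        fields = shlex.split(line)
        if len(fields) < 2:
            continue
        mount_point, map_spec = fields[0], fields[1]
        # map-spec syntax: [maptype[,format]:]map ; a bare path has no type
        map_type, _, map_name = map_spec.partition(":")
        if map_name and map_type.split(",")[0] == "program":
            found.append((mount_point, map_name))
    return found


def audit(autofs_conf: str, auto_master: str) -> List[Finding]:
    """Combine both checks into findings a defender can act on."""
    findings = []
    maps = program_maps(auto_master)
    for mount_point, path in maps:
        findings.append(Finding("info", f"program map {path} serves {mount_point}"))
    if prefix_override_enabled(autofs_conf):
        if maps:
            findings.append(Finding(
                "high",
                "force_standard_program_map_env=yes: program maps again receive "
                "the unprefixed variables abused in CVE-2014-8169"))
        else:
            findings.append(Finding(
                "medium",
                "force_standard_program_map_env=yes with no program maps; "
                "remove it before any program map is added"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_AUTOFS_CONF, SAMPLE_AUTO_MASTER):
        print(f"[{finding.severity}] {finding.message}")
```

Independently of the autofs setting, a Python program map can be started with `python -E -s`, which makes the interpreter ignore PYTHON* environment variables and the per-user site directory.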
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.

From bugzilla at redhat.com Thu Nov 19 22:02:36 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 19 Nov 2015 17:02:36 -0500
Subject: [RHSA-2015:2455-01] Low: unbound security and bug fix update
Message-ID: <201511192202.tAJM2aNY025332@int-mx14.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: unbound security and bug fix update
Advisory ID:       RHSA-2015:2455-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-2455.html
Issue date:        2015-11-19
CVE Names:         CVE-2014-8602
=====================================================================

1. Summary:

Updated unbound packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

The unbound packages provide a validating, recursive, and caching DNS or DNSSEC resolver.

A denial of service flaw was found in unbound that an attacker could use to trick the unbound resolver into following an endless loop of delegations, consuming an excessive amount of resources. (CVE-2014-8602)

This update also fixes the following bugs:

* Prior to this update, there was a mistake in the time configuration in the cron job invoking unbound-anchor to update the root zone key. Consequently, unbound-anchor was invoked once a month instead of every day, thus not complying with RFC 5011. The cron job has been replaced with a systemd timer unit that is invoked on a daily basis. Now, the root zone key validity is checked daily at a random time within a 24-hour window, and compliance with RFC 5011 is ensured. (BZ#1180267)

* Previously, the unbound packages were installing their configuration file for the systemd-tmpfiles utility into the /etc/tmpfiles.d/ directory. As a consequence, changes to unbound made by the administrator in /etc/tmpfiles.d/ could be overwritten on package reinstallation or update. To fix this bug, unbound has been amended to install the configuration file into the /usr/lib/tmpfiles.d/ directory. As a result, the system administrator's configuration in /etc/tmpfiles.d/ is preserved, including any changes, on package reinstallation or update. (BZ#1180995)

* The unbound server default configuration included validation of DNS records using the DNSSEC Look-aside Validation (DLV) registry. The Internet Systems Consortium (ISC) plans to deprecate the DLV registry service as no longer needed, and unbound could execute unnecessary steps. Therefore, the use of the DLV registry has been removed from the unbound server default configuration. Now, unbound does not try to perform DNS records validation using the DLV registry. (BZ#1223339)

All unbound users are advised to upgrade to these updated packages, which contain backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1172065 - CVE-2014-8602 unbound: specially crafted request can lead to denial of service
1180267 - root key management does not comply with RFC5011
1180995 - unbound is installing files under /etc/tmpfiles.d/

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:
unbound-1.4.20-26.el7.src.rpm

x86_64:
unbound-1.4.20-26.el7.x86_64.rpm
unbound-debuginfo-1.4.20-26.el7.i686.rpm
unbound-debuginfo-1.4.20-26.el7.x86_64.rpm
unbound-libs-1.4.20-26.el7.i686.rpm
unbound-libs-1.4.20-26.el7.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

x86_64:
unbound-debuginfo-1.4.20-26.el7.i686.rpm
unbound-debuginfo-1.4.20-26.el7.x86_64.rpm
unbound-devel-1.4.20-26.el7.i686.rpm
unbound-devel-1.4.20-26.el7.x86_64.rpm
unbound-python-1.4.20-26.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
unbound-1.4.20-26.el7.src.rpm

x86_64:
unbound-debuginfo-1.4.20-26.el7.i686.rpm
unbound-debuginfo-1.4.20-26.el7.x86_64.rpm
unbound-libs-1.4.20-26.el7.i686.rpm
unbound-libs-1.4.20-26.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

x86_64:
unbound-1.4.20-26.el7.x86_64.rpm
unbound-debuginfo-1.4.20-26.el7.i686.rpm
unbound-debuginfo-1.4.20-26.el7.x86_64.rpm
unbound-devel-1.4.20-26.el7.i686.rpm
unbound-devel-1.4.20-26.el7.x86_64.rpm
unbound-python-1.4.20-26.el7.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
unbound-1.4.20-26.el7.src.rpm

aarch64:
unbound-1.4.20-26.el7.aarch64.rpm
unbound-debuginfo-1.4.20-26.el7.aarch64.rpm
unbound-libs-1.4.20-26.el7.aarch64.rpm

ppc64:
unbound-1.4.20-26.el7.ppc64.rpm
unbound-debuginfo-1.4.20-26.el7.ppc.rpm
unbound-debuginfo-1.4.20-26.el7.ppc64.rpm
unbound-libs-1.4.20-26.el7.ppc.rpm
unbound-libs-1.4.20-26.el7.ppc64.rpm

ppc64le:
unbound-1.4.20-26.el7.ppc64le.rpm
unbound-debuginfo-1.4.20-26.el7.ppc64le.rpm
unbound-libs-1.4.20-26.el7.ppc64le.rpm

s390x:
unbound-1.4.20-26.el7.s390x.rpm
unbound-debuginfo-1.4.20-26.el7.s390.rpm
unbound-debuginfo-1.4.20-26.el7.s390x.rpm
unbound-libs-1.4.20-26.el7.s390.rpm
unbound-libs-1.4.20-26.el7.s390x.rpm

x86_64:
unbound-1.4.20-26.el7.x86_64.rpm
unbound-debuginfo-1.4.20-26.el7.i686.rpm
unbound-debuginfo-1.4.20-26.el7.x86_64.rpm
unbound-libs-1.4.20-26.el7.i686.rpm
unbound-libs-1.4.20-26.el7.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

aarch64:
unbound-debuginfo-1.4.20-26.el7.aarch64.rpm
unbound-devel-1.4.20-26.el7.aarch64.rpm
unbound-python-1.4.20-26.el7.aarch64.rpm

ppc64:
unbound-debuginfo-1.4.20-26.el7.ppc.rpm
unbound-debuginfo-1.4.20-26.el7.ppc64.rpm
unbound-devel-1.4.20-26.el7.ppc.rpm
unbound-devel-1.4.20-26.el7.ppc64.rpm
unbound-python-1.4.20-26.el7.ppc64.rpm

ppc64le:
unbound-debuginfo-1.4.20-26.el7.ppc64le.rpm
unbound-devel-1.4.20-26.el7.ppc64le.rpm
unbound-python-1.4.20-26.el7.ppc64le.rpm

s390x:
unbound-debuginfo-1.4.20-26.el7.s390.rpm
unbound-debuginfo-1.4.20-26.el7.s390x.rpm
unbound-devel-1.4.20-26.el7.s390.rpm
unbound-devel-1.4.20-26.el7.s390x.rpm
unbound-python-1.4.20-26.el7.s390x.rpm

x86_64:
unbound-debuginfo-1.4.20-26.el7.i686.rpm
unbound-debuginfo-1.4.20-26.el7.x86_64.rpm
unbound-devel-1.4.20-26.el7.i686.rpm
unbound-devel-1.4.20-26.el7.x86_64.rpm
unbound-python-1.4.20-26.el7.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
unbound-1.4.20-26.el7.src.rpm

x86_64:
unbound-1.4.20-26.el7.x86_64.rpm
unbound-debuginfo-1.4.20-26.el7.i686.rpm
unbound-debuginfo-1.4.20-26.el7.x86_64.rpm
unbound-libs-1.4.20-26.el7.i686.rpm
unbound-libs-1.4.20-26.el7.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

x86_64:
unbound-debuginfo-1.4.20-26.el7.i686.rpm
unbound-debuginfo-1.4.20-26.el7.x86_64.rpm
unbound-devel-1.4.20-26.el7.i686.rpm
unbound-devel-1.4.20-26.el7.x86_64.rpm
unbound-python-1.4.20-26.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2014-8602
https://access.redhat.com/security/updates/classification/#low

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.

From bugzilla at redhat.com Thu Nov 19 22:03:02 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 19 Nov 2015 17:03:02 -0500
Subject: [RHSA-2015:2172-01] Important: glibc security update
Message-ID: <201511192203.tAJM32Od029490@int-mx09.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: glibc security update
Advisory ID:       RHSA-2015:2172-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-2172.html
Issue date:        2015-11-19
CVE Names:         CVE-2015-5277
=====================================================================

1. Summary:

Updated glibc packages that fix one security issue are now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having Important security
impact. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available from the CVE link in the References
section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

The glibc packages provide the standard C libraries (libc), POSIX thread
libraries (libpthread), standard math libraries (libm), and the Name Server
Caching Daemon (nscd) used by multiple programs on the system. Without these
libraries, the Linux system cannot function correctly.

It was discovered that the nss_files backend for the Name Service Switch in
glibc would return incorrect data to applications or corrupt the heap
(depending on adjacent heap contents) in certain cases. A local attacker
could potentially use this flaw to escalate their privileges. (CVE-2015-5277)

This issue was discovered by Sumit Bose and Lukáš Slebodník of Red Hat.

All glibc users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1262914 - CVE-2015-5277 glibc: data corruption while reading the NSS files database

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:
glibc-2.17-106.el7_2.1.src.rpm

x86_64:
glibc-2.17-106.el7_2.1.i686.rpm
glibc-2.17-106.el7_2.1.x86_64.rpm
glibc-common-2.17-106.el7_2.1.x86_64.rpm
glibc-debuginfo-2.17-106.el7_2.1.i686.rpm
glibc-debuginfo-2.17-106.el7_2.1.x86_64.rpm
glibc-debuginfo-common-2.17-106.el7_2.1.i686.rpm
glibc-debuginfo-common-2.17-106.el7_2.1.x86_64.rpm
glibc-devel-2.17-106.el7_2.1.i686.rpm
glibc-devel-2.17-106.el7_2.1.x86_64.rpm
glibc-headers-2.17-106.el7_2.1.x86_64.rpm
glibc-utils-2.17-106.el7_2.1.x86_64.rpm
nscd-2.17-106.el7_2.1.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

x86_64:
glibc-debuginfo-2.17-106.el7_2.1.i686.rpm
glibc-debuginfo-2.17-106.el7_2.1.x86_64.rpm
glibc-debuginfo-common-2.17-106.el7_2.1.i686.rpm
glibc-debuginfo-common-2.17-106.el7_2.1.x86_64.rpm
glibc-static-2.17-106.el7_2.1.i686.rpm
glibc-static-2.17-106.el7_2.1.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
glibc-2.17-106.el7_2.1.src.rpm

x86_64:
glibc-2.17-106.el7_2.1.i686.rpm
glibc-2.17-106.el7_2.1.x86_64.rpm
glibc-common-2.17-106.el7_2.1.x86_64.rpm
glibc-debuginfo-2.17-106.el7_2.1.i686.rpm
glibc-debuginfo-2.17-106.el7_2.1.x86_64.rpm
glibc-debuginfo-common-2.17-106.el7_2.1.i686.rpm
glibc-debuginfo-common-2.17-106.el7_2.1.x86_64.rpm
glibc-devel-2.17-106.el7_2.1.i686.rpm
glibc-devel-2.17-106.el7_2.1.x86_64.rpm
glibc-headers-2.17-106.el7_2.1.x86_64.rpm
glibc-utils-2.17-106.el7_2.1.x86_64.rpm
nscd-2.17-106.el7_2.1.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

x86_64:
glibc-debuginfo-2.17-106.el7_2.1.i686.rpm
glibc-debuginfo-2.17-106.el7_2.1.x86_64.rpm
glibc-debuginfo-common-2.17-106.el7_2.1.i686.rpm
glibc-debuginfo-common-2.17-106.el7_2.1.x86_64.rpm
glibc-static-2.17-106.el7_2.1.i686.rpm
glibc-static-2.17-106.el7_2.1.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
glibc-2.17-106.el7_2.1.src.rpm

aarch64:
glibc-2.17-106.el7_2.1.aarch64.rpm
glibc-common-2.17-106.el7_2.1.aarch64.rpm
glibc-debuginfo-2.17-106.el7_2.1.aarch64.rpm
glibc-devel-2.17-106.el7_2.1.aarch64.rpm
glibc-headers-2.17-106.el7_2.1.aarch64.rpm
glibc-utils-2.17-106.el7_2.1.aarch64.rpm
nscd-2.17-106.el7_2.1.aarch64.rpm

ppc64:
glibc-2.17-106.el7_2.1.ppc.rpm
glibc-2.17-106.el7_2.1.ppc64.rpm
glibc-common-2.17-106.el7_2.1.ppc64.rpm
glibc-debuginfo-2.17-106.el7_2.1.ppc.rpm
glibc-debuginfo-2.17-106.el7_2.1.ppc64.rpm
glibc-debuginfo-common-2.17-106.el7_2.1.ppc.rpm
glibc-debuginfo-common-2.17-106.el7_2.1.ppc64.rpm
glibc-devel-2.17-106.el7_2.1.ppc.rpm
glibc-devel-2.17-106.el7_2.1.ppc64.rpm
glibc-headers-2.17-106.el7_2.1.ppc64.rpm
glibc-utils-2.17-106.el7_2.1.ppc64.rpm
nscd-2.17-106.el7_2.1.ppc64.rpm

ppc64le:
glibc-2.17-106.el7_2.1.ppc64le.rpm
glibc-common-2.17-106.el7_2.1.ppc64le.rpm
glibc-debuginfo-2.17-106.el7_2.1.ppc64le.rpm
glibc-debuginfo-common-2.17-106.el7_2.1.ppc64le.rpm
glibc-devel-2.17-106.el7_2.1.ppc64le.rpm
glibc-headers-2.17-106.el7_2.1.ppc64le.rpm
glibc-utils-2.17-106.el7_2.1.ppc64le.rpm
nscd-2.17-106.el7_2.1.ppc64le.rpm

s390x:
glibc-2.17-106.el7_2.1.s390.rpm
glibc-2.17-106.el7_2.1.s390x.rpm
glibc-common-2.17-106.el7_2.1.s390x.rpm
glibc-debuginfo-2.17-106.el7_2.1.s390.rpm
glibc-debuginfo-2.17-106.el7_2.1.s390x.rpm
glibc-debuginfo-common-2.17-106.el7_2.1.s390.rpm
glibc-debuginfo-common-2.17-106.el7_2.1.s390x.rpm
glibc-devel-2.17-106.el7_2.1.s390.rpm
glibc-devel-2.17-106.el7_2.1.s390x.rpm
glibc-headers-2.17-106.el7_2.1.s390x.rpm
glibc-utils-2.17-106.el7_2.1.s390x.rpm
nscd-2.17-106.el7_2.1.s390x.rpm

x86_64:
glibc-2.17-106.el7_2.1.i686.rpm
glibc-2.17-106.el7_2.1.x86_64.rpm
glibc-common-2.17-106.el7_2.1.x86_64.rpm
glibc-debuginfo-2.17-106.el7_2.1.i686.rpm
glibc-debuginfo-2.17-106.el7_2.1.x86_64.rpm
glibc-debuginfo-common-2.17-106.el7_2.1.i686.rpm
glibc-debuginfo-common-2.17-106.el7_2.1.x86_64.rpm
glibc-devel-2.17-106.el7_2.1.i686.rpm
glibc-devel-2.17-106.el7_2.1.x86_64.rpm
glibc-headers-2.17-106.el7_2.1.x86_64.rpm
glibc-utils-2.17-106.el7_2.1.x86_64.rpm
nscd-2.17-106.el7_2.1.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

aarch64:
glibc-debuginfo-2.17-106.el7_2.1.aarch64.rpm
glibc-static-2.17-106.el7_2.1.aarch64.rpm

ppc64:
glibc-debuginfo-2.17-106.el7_2.1.ppc.rpm
glibc-debuginfo-2.17-106.el7_2.1.ppc64.rpm
glibc-debuginfo-common-2.17-106.el7_2.1.ppc.rpm
glibc-debuginfo-common-2.17-106.el7_2.1.ppc64.rpm
glibc-static-2.17-106.el7_2.1.ppc.rpm
glibc-static-2.17-106.el7_2.1.ppc64.rpm

ppc64le:
glibc-debuginfo-2.17-106.el7_2.1.ppc64le.rpm
glibc-debuginfo-common-2.17-106.el7_2.1.ppc64le.rpm
glibc-static-2.17-106.el7_2.1.ppc64le.rpm

s390x:
glibc-debuginfo-2.17-106.el7_2.1.s390.rpm
glibc-debuginfo-2.17-106.el7_2.1.s390x.rpm
glibc-debuginfo-common-2.17-106.el7_2.1.s390.rpm
glibc-debuginfo-common-2.17-106.el7_2.1.s390x.rpm
glibc-static-2.17-106.el7_2.1.s390.rpm
glibc-static-2.17-106.el7_2.1.s390x.rpm

x86_64:
glibc-debuginfo-2.17-106.el7_2.1.i686.rpm
glibc-debuginfo-2.17-106.el7_2.1.x86_64.rpm
glibc-debuginfo-common-2.17-106.el7_2.1.i686.rpm
glibc-debuginfo-common-2.17-106.el7_2.1.x86_64.rpm
glibc-static-2.17-106.el7_2.1.i686.rpm
glibc-static-2.17-106.el7_2.1.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
glibc-2.17-106.el7_2.1.src.rpm

x86_64:
glibc-2.17-106.el7_2.1.i686.rpm
glibc-2.17-106.el7_2.1.x86_64.rpm
glibc-common-2.17-106.el7_2.1.x86_64.rpm
glibc-debuginfo-2.17-106.el7_2.1.i686.rpm
glibc-debuginfo-2.17-106.el7_2.1.x86_64.rpm
glibc-debuginfo-common-2.17-106.el7_2.1.i686.rpm
glibc-debuginfo-common-2.17-106.el7_2.1.x86_64.rpm
glibc-devel-2.17-106.el7_2.1.i686.rpm
glibc-devel-2.17-106.el7_2.1.x86_64.rpm
glibc-headers-2.17-106.el7_2.1.x86_64.rpm
glibc-utils-2.17-106.el7_2.1.x86_64.rpm
nscd-2.17-106.el7_2.1.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

x86_64:
glibc-debuginfo-2.17-106.el7_2.1.i686.rpm
glibc-debuginfo-2.17-106.el7_2.1.x86_64.rpm
glibc-debuginfo-common-2.17-106.el7_2.1.i686.rpm
glibc-debuginfo-common-2.17-106.el7_2.1.x86_64.rpm
glibc-static-2.17-106.el7_2.1.i686.rpm
glibc-static-2.17-106.el7_2.1.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details
on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2015-5277
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFWTkcUXlSAg2UNWIIRAuLzAJ9MIlXkz75MOB+juZLHdy6iq52CbACfSvSg
DUChbd+L4K88clLC28YqzTI=
=TDbK
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Mon Nov 23 09:54:25 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 23 Nov 2015 09:54:25 +0000
Subject: [RHSA-2015:2504-01] Moderate: libreport security update
Message-ID: <201511230954.tAN9sQse019861@int-mx09.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: libreport security update
Advisory ID:       RHSA-2015:2504-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-2504.html
Issue date:        2015-11-23
CVE Names:         CVE-2015-5302
=====================================================================

1. Summary:

Updated libreport packages that fix one security issue are now available
for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having Moderate security
impact. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available from the CVE link in the References
section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64

3. Description:

libreport provides an API for reporting different problems in applications
to different bug targets, such as Bugzilla, FTP, and Trac. ABRT (Automatic
Bug Reporting Tool) uses libreport.

It was found that ABRT may have exposed unintended information to Red Hat
Bugzilla during crash reporting. A bug in the libreport library caused
changes made by a user in files included in a crash report to be discarded.
As a result, Red Hat Bugzilla attachments may contain data that was not
intended to be made public, including host names, IP addresses, or command
line options. (CVE-2015-5302)

This flaw did not affect default installations of ABRT on Red Hat Enterprise
Linux as they do not post data to Red Hat Bugzilla. This feature can however
be enabled, potentially impacting modified ABRT instances. As a precaution,
Red Hat has identified bugs filed by such non-default Red Hat Enterprise
Linux users of ABRT and marked them private.

This issue was discovered by Bastien Nocera of Red Hat.

All users of libreport are advised to upgrade to these updated packages,
which correct this issue.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1270903 - CVE-2015-5302 libreport: Possible private data leak in Bugzilla bugs opened by ABRT

6. Package List:

Red Hat Enterprise Linux Desktop (v. 6):

Source:
libreport-2.0.9-25.el6_7.src.rpm

i386:
libreport-2.0.9-25.el6_7.i686.rpm
libreport-cli-2.0.9-25.el6_7.i686.rpm
libreport-compat-2.0.9-25.el6_7.i686.rpm
libreport-debuginfo-2.0.9-25.el6_7.i686.rpm
libreport-filesystem-2.0.9-25.el6_7.i686.rpm
libreport-gtk-2.0.9-25.el6_7.i686.rpm
libreport-newt-2.0.9-25.el6_7.i686.rpm
libreport-plugin-kerneloops-2.0.9-25.el6_7.i686.rpm
libreport-plugin-logger-2.0.9-25.el6_7.i686.rpm
libreport-plugin-mailx-2.0.9-25.el6_7.i686.rpm
libreport-plugin-reportuploader-2.0.9-25.el6_7.i686.rpm
libreport-plugin-rhtsupport-2.0.9-25.el6_7.i686.rpm
libreport-plugin-ureport-2.0.9-25.el6_7.i686.rpm
libreport-python-2.0.9-25.el6_7.i686.rpm

x86_64:
libreport-2.0.9-25.el6_7.i686.rpm
libreport-2.0.9-25.el6_7.x86_64.rpm
libreport-cli-2.0.9-25.el6_7.x86_64.rpm
libreport-compat-2.0.9-25.el6_7.x86_64.rpm
libreport-debuginfo-2.0.9-25.el6_7.i686.rpm
libreport-debuginfo-2.0.9-25.el6_7.x86_64.rpm
libreport-filesystem-2.0.9-25.el6_7.x86_64.rpm
libreport-gtk-2.0.9-25.el6_7.i686.rpm
libreport-gtk-2.0.9-25.el6_7.x86_64.rpm
libreport-newt-2.0.9-25.el6_7.x86_64.rpm
libreport-plugin-kerneloops-2.0.9-25.el6_7.x86_64.rpm
libreport-plugin-logger-2.0.9-25.el6_7.x86_64.rpm
libreport-plugin-mailx-2.0.9-25.el6_7.x86_64.rpm
libreport-plugin-reportuploader-2.0.9-25.el6_7.x86_64.rpm
libreport-plugin-rhtsupport-2.0.9-25.el6_7.x86_64.rpm
libreport-plugin-ureport-2.0.9-25.el6_7.x86_64.rpm
libreport-python-2.0.9-25.el6_7.x86_64.rpm

Red Hat Enterprise Linux Desktop Optional (v. 6):

i386:
libreport-debuginfo-2.0.9-25.el6_7.i686.rpm
libreport-devel-2.0.9-25.el6_7.i686.rpm
libreport-gtk-devel-2.0.9-25.el6_7.i686.rpm
libreport-plugin-bugzilla-2.0.9-25.el6_7.i686.rpm

x86_64:
libreport-debuginfo-2.0.9-25.el6_7.i686.rpm
libreport-debuginfo-2.0.9-25.el6_7.x86_64.rpm
libreport-devel-2.0.9-25.el6_7.i686.rpm
libreport-devel-2.0.9-25.el6_7.x86_64.rpm
libreport-gtk-devel-2.0.9-25.el6_7.i686.rpm
libreport-gtk-devel-2.0.9-25.el6_7.x86_64.rpm
libreport-plugin-bugzilla-2.0.9-25.el6_7.x86_64.rpm

Red Hat Enterprise Linux HPC Node (v. 6):

Source:
libreport-2.0.9-25.el6_7.src.rpm

x86_64:
libreport-2.0.9-25.el6_7.i686.rpm
libreport-2.0.9-25.el6_7.x86_64.rpm
libreport-cli-2.0.9-25.el6_7.x86_64.rpm
libreport-compat-2.0.9-25.el6_7.x86_64.rpm
libreport-debuginfo-2.0.9-25.el6_7.i686.rpm
libreport-debuginfo-2.0.9-25.el6_7.x86_64.rpm
libreport-filesystem-2.0.9-25.el6_7.x86_64.rpm
libreport-plugin-kerneloops-2.0.9-25.el6_7.x86_64.rpm
libreport-plugin-logger-2.0.9-25.el6_7.x86_64.rpm
libreport-plugin-mailx-2.0.9-25.el6_7.x86_64.rpm
libreport-plugin-reportuploader-2.0.9-25.el6_7.x86_64.rpm
libreport-plugin-rhtsupport-2.0.9-25.el6_7.x86_64.rpm
libreport-plugin-ureport-2.0.9-25.el6_7.x86_64.rpm
libreport-python-2.0.9-25.el6_7.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

x86_64:
libreport-debuginfo-2.0.9-25.el6_7.i686.rpm
libreport-debuginfo-2.0.9-25.el6_7.x86_64.rpm
libreport-devel-2.0.9-25.el6_7.i686.rpm
libreport-devel-2.0.9-25.el6_7.x86_64.rpm
libreport-gtk-2.0.9-25.el6_7.i686.rpm
libreport-gtk-2.0.9-25.el6_7.x86_64.rpm
libreport-gtk-devel-2.0.9-25.el6_7.i686.rpm
libreport-gtk-devel-2.0.9-25.el6_7.x86_64.rpm
libreport-newt-2.0.9-25.el6_7.x86_64.rpm
libreport-plugin-bugzilla-2.0.9-25.el6_7.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
libreport-2.0.9-25.el6_7.src.rpm

i386:
libreport-2.0.9-25.el6_7.i686.rpm
libreport-cli-2.0.9-25.el6_7.i686.rpm
libreport-compat-2.0.9-25.el6_7.i686.rpm
libreport-debuginfo-2.0.9-25.el6_7.i686.rpm
libreport-filesystem-2.0.9-25.el6_7.i686.rpm
libreport-gtk-2.0.9-25.el6_7.i686.rpm
libreport-newt-2.0.9-25.el6_7.i686.rpm
libreport-plugin-kerneloops-2.0.9-25.el6_7.i686.rpm
libreport-plugin-logger-2.0.9-25.el6_7.i686.rpm
libreport-plugin-mailx-2.0.9-25.el6_7.i686.rpm
libreport-plugin-reportuploader-2.0.9-25.el6_7.i686.rpm
libreport-plugin-rhtsupport-2.0.9-25.el6_7.i686.rpm
libreport-plugin-ureport-2.0.9-25.el6_7.i686.rpm
libreport-python-2.0.9-25.el6_7.i686.rpm

ppc64:
libreport-2.0.9-25.el6_7.ppc.rpm
libreport-2.0.9-25.el6_7.ppc64.rpm
libreport-cli-2.0.9-25.el6_7.ppc64.rpm
libreport-compat-2.0.9-25.el6_7.ppc64.rpm
libreport-debuginfo-2.0.9-25.el6_7.ppc.rpm
libreport-debuginfo-2.0.9-25.el6_7.ppc64.rpm
libreport-filesystem-2.0.9-25.el6_7.ppc64.rpm
libreport-gtk-2.0.9-25.el6_7.ppc.rpm
libreport-gtk-2.0.9-25.el6_7.ppc64.rpm
libreport-newt-2.0.9-25.el6_7.ppc64.rpm
libreport-plugin-kerneloops-2.0.9-25.el6_7.ppc64.rpm
libreport-plugin-logger-2.0.9-25.el6_7.ppc64.rpm
libreport-plugin-mailx-2.0.9-25.el6_7.ppc64.rpm
libreport-plugin-reportuploader-2.0.9-25.el6_7.ppc64.rpm
libreport-plugin-rhtsupport-2.0.9-25.el6_7.ppc64.rpm
libreport-plugin-ureport-2.0.9-25.el6_7.ppc64.rpm
libreport-python-2.0.9-25.el6_7.ppc64.rpm

s390x:
libreport-2.0.9-25.el6_7.s390.rpm
libreport-2.0.9-25.el6_7.s390x.rpm
libreport-cli-2.0.9-25.el6_7.s390x.rpm
libreport-compat-2.0.9-25.el6_7.s390x.rpm
libreport-debuginfo-2.0.9-25.el6_7.s390.rpm
libreport-debuginfo-2.0.9-25.el6_7.s390x.rpm
libreport-filesystem-2.0.9-25.el6_7.s390x.rpm
libreport-gtk-2.0.9-25.el6_7.s390.rpm
libreport-gtk-2.0.9-25.el6_7.s390x.rpm
libreport-newt-2.0.9-25.el6_7.s390x.rpm
libreport-plugin-kerneloops-2.0.9-25.el6_7.s390x.rpm
libreport-plugin-logger-2.0.9-25.el6_7.s390x.rpm
libreport-plugin-mailx-2.0.9-25.el6_7.s390x.rpm
libreport-plugin-reportuploader-2.0.9-25.el6_7.s390x.rpm
libreport-plugin-rhtsupport-2.0.9-25.el6_7.s390x.rpm
libreport-plugin-ureport-2.0.9-25.el6_7.s390x.rpm
libreport-python-2.0.9-25.el6_7.s390x.rpm

x86_64:
libreport-2.0.9-25.el6_7.i686.rpm
libreport-2.0.9-25.el6_7.x86_64.rpm
libreport-cli-2.0.9-25.el6_7.x86_64.rpm
libreport-compat-2.0.9-25.el6_7.x86_64.rpm
libreport-debuginfo-2.0.9-25.el6_7.i686.rpm
libreport-debuginfo-2.0.9-25.el6_7.x86_64.rpm
libreport-filesystem-2.0.9-25.el6_7.x86_64.rpm
libreport-gtk-2.0.9-25.el6_7.i686.rpm
libreport-gtk-2.0.9-25.el6_7.x86_64.rpm
libreport-newt-2.0.9-25.el6_7.x86_64.rpm
libreport-plugin-kerneloops-2.0.9-25.el6_7.x86_64.rpm
libreport-plugin-logger-2.0.9-25.el6_7.x86_64.rpm
libreport-plugin-mailx-2.0.9-25.el6_7.x86_64.rpm
libreport-plugin-reportuploader-2.0.9-25.el6_7.x86_64.rpm
libreport-plugin-rhtsupport-2.0.9-25.el6_7.x86_64.rpm
libreport-plugin-ureport-2.0.9-25.el6_7.x86_64.rpm
libreport-python-2.0.9-25.el6_7.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

i386:
libreport-debuginfo-2.0.9-25.el6_7.i686.rpm
libreport-devel-2.0.9-25.el6_7.i686.rpm
libreport-gtk-devel-2.0.9-25.el6_7.i686.rpm
libreport-plugin-bugzilla-2.0.9-25.el6_7.i686.rpm

ppc64:
libreport-debuginfo-2.0.9-25.el6_7.ppc.rpm
libreport-debuginfo-2.0.9-25.el6_7.ppc64.rpm
libreport-devel-2.0.9-25.el6_7.ppc.rpm
libreport-devel-2.0.9-25.el6_7.ppc64.rpm
libreport-gtk-devel-2.0.9-25.el6_7.ppc.rpm
libreport-gtk-devel-2.0.9-25.el6_7.ppc64.rpm
libreport-plugin-bugzilla-2.0.9-25.el6_7.ppc64.rpm

s390x:
libreport-debuginfo-2.0.9-25.el6_7.s390.rpm
libreport-debuginfo-2.0.9-25.el6_7.s390x.rpm
libreport-devel-2.0.9-25.el6_7.s390.rpm
libreport-devel-2.0.9-25.el6_7.s390x.rpm
libreport-gtk-devel-2.0.9-25.el6_7.s390.rpm
libreport-gtk-devel-2.0.9-25.el6_7.s390x.rpm
libreport-plugin-bugzilla-2.0.9-25.el6_7.s390x.rpm

x86_64:
libreport-debuginfo-2.0.9-25.el6_7.i686.rpm
libreport-debuginfo-2.0.9-25.el6_7.x86_64.rpm
libreport-devel-2.0.9-25.el6_7.i686.rpm
libreport-devel-2.0.9-25.el6_7.x86_64.rpm
libreport-gtk-devel-2.0.9-25.el6_7.i686.rpm
libreport-gtk-devel-2.0.9-25.el6_7.x86_64.rpm
libreport-plugin-bugzilla-2.0.9-25.el6_7.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
libreport-2.0.9-25.el6_7.src.rpm

i386:
libreport-2.0.9-25.el6_7.i686.rpm
libreport-cli-2.0.9-25.el6_7.i686.rpm
libreport-compat-2.0.9-25.el6_7.i686.rpm
libreport-debuginfo-2.0.9-25.el6_7.i686.rpm
libreport-filesystem-2.0.9-25.el6_7.i686.rpm
libreport-gtk-2.0.9-25.el6_7.i686.rpm
libreport-newt-2.0.9-25.el6_7.i686.rpm
libreport-plugin-kerneloops-2.0.9-25.el6_7.i686.rpm
libreport-plugin-logger-2.0.9-25.el6_7.i686.rpm
libreport-plugin-mailx-2.0.9-25.el6_7.i686.rpm
libreport-plugin-reportuploader-2.0.9-25.el6_7.i686.rpm
libreport-plugin-rhtsupport-2.0.9-25.el6_7.i686.rpm
libreport-plugin-ureport-2.0.9-25.el6_7.i686.rpm
libreport-python-2.0.9-25.el6_7.i686.rpm

x86_64:
libreport-2.0.9-25.el6_7.i686.rpm
libreport-2.0.9-25.el6_7.x86_64.rpm
libreport-cli-2.0.9-25.el6_7.x86_64.rpm
libreport-compat-2.0.9-25.el6_7.x86_64.rpm
libreport-debuginfo-2.0.9-25.el6_7.i686.rpm
libreport-debuginfo-2.0.9-25.el6_7.x86_64.rpm
libreport-filesystem-2.0.9-25.el6_7.x86_64.rpm
libreport-gtk-2.0.9-25.el6_7.i686.rpm
libreport-gtk-2.0.9-25.el6_7.x86_64.rpm
libreport-newt-2.0.9-25.el6_7.x86_64.rpm
libreport-plugin-kerneloops-2.0.9-25.el6_7.x86_64.rpm
libreport-plugin-logger-2.0.9-25.el6_7.x86_64.rpm
libreport-plugin-mailx-2.0.9-25.el6_7.x86_64.rpm
libreport-plugin-reportuploader-2.0.9-25.el6_7.x86_64.rpm
libreport-plugin-rhtsupport-2.0.9-25.el6_7.x86_64.rpm
libreport-plugin-ureport-2.0.9-25.el6_7.x86_64.rpm
libreport-python-2.0.9-25.el6_7.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 6):

i386:
libreport-debuginfo-2.0.9-25.el6_7.i686.rpm
libreport-devel-2.0.9-25.el6_7.i686.rpm
libreport-gtk-devel-2.0.9-25.el6_7.i686.rpm
libreport-plugin-bugzilla-2.0.9-25.el6_7.i686.rpm

x86_64:
libreport-debuginfo-2.0.9-25.el6_7.i686.rpm
libreport-debuginfo-2.0.9-25.el6_7.x86_64.rpm
libreport-devel-2.0.9-25.el6_7.i686.rpm
libreport-devel-2.0.9-25.el6_7.x86_64.rpm
libreport-gtk-devel-2.0.9-25.el6_7.i686.rpm
libreport-gtk-devel-2.0.9-25.el6_7.x86_64.rpm
libreport-plugin-bugzilla-2.0.9-25.el6_7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details
on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2015-5302
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFWUuJGXlSAg2UNWIIRAhLoAJ0YjnSOU9hNHJplossw4z8RCPzyOwCfQJOp
Et4OtPj39ApsqFuTEbFnIwA=
=WkI9
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Mon Nov 23 13:00:24 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 23 Nov 2015 13:00:24 +0000
Subject: [RHSA-2015:2506-01] Critical: java-1.7.1-ibm security update
Message-ID: <201511231300.tAND0Pwi025419@int-mx13.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: java-1.7.1-ibm security update
Advisory ID:       RHSA-2015:2506-01
Product:           Red Hat Enterprise Linux Supplementary
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-2506.html
Issue date:        2015-11-23
CVE Names:         CVE-2015-4734 CVE-2015-4803 CVE-2015-4805
                   CVE-2015-4806 CVE-2015-4810 CVE-2015-4835
                   CVE-2015-4840 CVE-2015-4842 CVE-2015-4843
                   CVE-2015-4844 CVE-2015-4860 CVE-2015-4871
                   CVE-2015-4872 CVE-2015-4882 CVE-2015-4883
                   CVE-2015-4893 CVE-2015-4902 CVE-2015-4903
                   CVE-2015-5006
=====================================================================

1. Summary:

Updated java-1.7.1-ibm packages that fix several security issues are now
available for Red Hat Enterprise Linux 6 and 7 Supplementary.

Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client Supplementary (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Supplementary (v. 7) - x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node Supplementary (v. 6) - x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 7) - x86_64

3. Description:

IBM Java SE version 7 Release 1 includes the IBM Java Runtime Environment
and the IBM Java Software Development Kit.

This update fixes several vulnerabilities in the IBM Java Runtime
Environment and the IBM Java Software Development Kit. Further information
about these flaws can be found on the IBM Java Security alerts page, listed
in the References section. (CVE-2015-4734, CVE-2015-4803, CVE-2015-4805,
CVE-2015-4806, CVE-2015-4810, CVE-2015-4835, CVE-2015-4840, CVE-2015-4842,
CVE-2015-4843, CVE-2015-4844, CVE-2015-4860, CVE-2015-4871, CVE-2015-4872,
CVE-2015-4882, CVE-2015-4883, CVE-2015-4893, CVE-2015-4902, CVE-2015-4903,
CVE-2015-5006)

Red Hat would like to thank Andrea Palazzo of Truel IT for reporting the
CVE-2015-4806 issue.
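Every advisory on this page gives the same remediation: be at or above the fixed build in its Package List. The Python below is an added example, not code from Red Hat or from any of these advisories; it implements librpm's version-comparison rules so a host's `rpm -qa` output can be checked offline against the fixed x86_64 builds named on this page (unbound-1.4.20-26.el7, glibc-2.17-106.el7_2.1, libreport-2.0.9-25.el6_7 and java-1.7.1-ibm-1.7.1.3.20-1jpp.1.el7). The sample host inventory, the dist-tag rule and all function names are assumptions of the example.

```python
# Added example (not code from any Red Hat advisory): check installed RPMs against the
# fixed builds named on this page using librpm's rpmvercmp rules, so it runs without rpm.
import re

# Fixed x86_64 builds copied from the Package List sections above, keyed by one CVE each.
ADVISORY_FIXES = {
    "CVE-2014-8602": "unbound-1.4.20-26.el7.x86_64.rpm",
    "CVE-2015-5277": "glibc-2.17-106.el7_2.1.x86_64.rpm",
    "CVE-2015-5302": "libreport-2.0.9-25.el6_7.x86_64.rpm",
    "CVE-2015-4806": "java-1.7.1-ibm-1.7.1.3.20-1jpp.1.el7.x86_64.rpm",
}

# Constructed `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n'` output for a
# hypothetical RHEL 7 host; none of these NVRs comes from a real system.
SAMPLE_RPM_QA = """\
glibc-2.17-106.el7_2.1.x86_64
glibc-2.17-105.el7.i686
unbound-1.4.20-26.el7.x86_64
libreport-2.1.11-32.el7.x86_64
java-1.7.1-ibm-1.7.1.3.10-1jpp.1.el7.x86_64
"""

def rpmvercmp(a, b):
    """1 if a is newer than b, -1 if older, 0 if equal, per librpm: digit runs compare as
    integers and beat letter runs, a longer string beats its prefix, '~' sorts lowest."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1  # separators such as '.', '-' and '_' are skipped
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        a_tilde, b_tilde = i < len(a) and a[i] == "~", j < len(b) and b[j] == "~"
        if a_tilde or b_tilde:
            if a_tilde != b_tilde:
                return -1 if a_tilde else 1  # 1.0~rc1 sorts before 1.0
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        isnum = a[i].isdigit()
        same_kind = str.isdigit if isnum else str.isalpha
        si, sj = i, j
        while i < len(a) and same_kind(a[i]):
            i += 1
        while j < len(b) and same_kind(b[j]):
            j += 1
        seg_a, seg_b = a[si:i], b[sj:j]
        if not seg_b:  # segment kinds differ here: the numeric side is newer
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1

def parse_rpm_filename(filename):
    """Split 'name-version-release.arch[.rpm]' into (name, version, release, arch)."""
    base = filename[:-4] if filename.endswith(".rpm") else filename
    nvr, arch = base.rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch

def compare_vr(installed, fixed):
    """Compare (version, release) pairs; epoch is absent from filenames and assumed equal."""
    c = rpmvercmp(installed[0], fixed[0])
    return c if c != 0 else rpmvercmp(installed[1], fixed[1])

def dist_tag(release):
    """'106.el7_2.1' -> 'el7'; used to notice a fix built for another RHEL major."""
    m = re.search(r"\.(el\d+)", release)
    return m.group(1) if m else None

def audit(rpm_qa_lines, fixes):
    """Map each CVE to 'patched', 'vulnerable', 'not installed' or 'not applicable'."""
    installed = {}
    for line in rpm_qa_lines:
        name, version, release, _arch = parse_rpm_filename(line.strip())
        # Multilib: keep the oldest build per name so a stale i686 glibc is not hidden by x86_64.
        if name not in installed or compare_vr((version, release), installed[name]) < 0:
            installed[name] = (version, release)
    result = {}
    for cve, fixed_file in fixes.items():
        name, fver, frel, _arch = parse_rpm_filename(fixed_file)
        if name not in installed:
            result[cve] = "not installed"
        elif dist_tag(installed[name][1]) != dist_tag(frel):
            result[cve] = "not applicable"  # e.g. the el6 libreport fix on an el7 host
        else:
            result[cve] = "patched" if compare_vr(installed[name], (fver, frel)) >= 0 else "vulnerable"
    return result

def run_sample():
    return audit(SAMPLE_RPM_QA.splitlines(), ADVISORY_FIXES)
```

run_sample() reports the sample host as patched for the unbound fix, still vulnerable on glibc (because of the stale i686 copy) and on IBM Java, and marks the RHEL 6 libreport fix as not applicable.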
All users of java-1.7.1-ibm are advised to upgrade to these updated packages, containing the IBM Java SE 7R1 SR3-FP20 release. All running instances of IBM Java must be restarted for the update to take effect. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1233687 - CVE-2015-4806 OpenJDK: HttpURLConnection header restriction bypass (Libraries, 8130193) 1273022 - CVE-2015-4835 OpenJDK: insufficient permission checks in StubGenerator (CORBA, 8076383) 1273053 - CVE-2015-4843 OpenJDK: java.nio Buffers integer overflow issues (Libraries, 8130891) 1273304 - CVE-2015-4883 OpenJDK: incorrect access control context used in DGCClient (RMI, 8076413) 1273308 - CVE-2015-4860 OpenJDK: incorrect access control context used in DGCImpl (RMI, 8080688) 1273311 - CVE-2015-4805 OpenJDK: missing checks for proper initialization in ObjectStreamClass (Serialization, 8103671) 1273318 - CVE-2015-4844 ICU: missing boundary checks in layout engine (OpenJDK 2D, 8132042) 1273338 - CVE-2015-4840 OpenJDK: OOB access in CMS code (2D, 8086092) 1273414 - CVE-2015-4882 OpenJDK: incorrect String object deserialization in IIOPInputStream (CORBA, 8076387) 1273425 - CVE-2015-4842 OpenJDK: leak of user.dir location (JAXP, 8078427) 1273430 - CVE-2015-4734 OpenJDK: kerberos realm name leak (JGSS, 8048030) 1273496 - CVE-2015-4903 OpenJDK: insufficient proxy class checks in RemoteObjectInvocationHandler (RMI, 8076339) 1273637 - CVE-2015-4803 OpenJDK: inefficient use of hash tables and lists during XML parsing (JAXP, 8068842) 1273638 - CVE-2015-4893 OpenJDK: incomplete MaxXMLNameLimit enforcement (JAXP, 8086733) 1273734 - CVE-2015-4872 OpenJDK: incomplete constraints enforcement by AlgorithmChecker (Security, 8131291) 1273858 - CVE-2015-4810 Oracle JDK: unspecified vulnerability fixed in 7u91 and 
8u65 (Deployment) 1273859 - CVE-2015-4871 Oracle JDK: unspecified vulnerability fixed in 7u91 (Libraries) 1273860 - CVE-2015-4902 Oracle JDK: unspecified vulnerability fixed in 6u105, 7u91 and 8u65 (Deployment) 1282379 - CVE-2015-5006 IBM JDK: local disclosure of kerberos credentials cache 6. Package List: Red Hat Enterprise Linux Desktop Supplementary (v. 6): i386: java-1.7.1-ibm-1.7.1.3.20-1jpp.1.el6_7.i686.rpm java-1.7.1-ibm-demo-1.7.1.3.20-1jpp.1.el6_7.i686.rpm java-1.7.1-ibm-devel-1.7.1.3.20-1jpp.1.el6_7.i686.rpm java-1.7.1-ibm-jdbc-1.7.1.3.20-1jpp.1.el6_7.i686.rpm java-1.7.1-ibm-plugin-1.7.1.3.20-1jpp.1.el6_7.i686.rpm java-1.7.1-ibm-src-1.7.1.3.20-1jpp.1.el6_7.i686.rpm x86_64: java-1.7.1-ibm-1.7.1.3.20-1jpp.1.el6_7.x86_64.rpm java-1.7.1-ibm-demo-1.7.1.3.20-1jpp.1.el6_7.x86_64.rpm java-1.7.1-ibm-devel-1.7.1.3.20-1jpp.1.el6_7.x86_64.rpm java-1.7.1-ibm-jdbc-1.7.1.3.20-1jpp.1.el6_7.x86_64.rpm java-1.7.1-ibm-plugin-1.7.1.3.20-1jpp.1.el6_7.x86_64.rpm java-1.7.1-ibm-src-1.7.1.3.20-1jpp.1.el6_7.x86_64.rpm Red Hat Enterprise Linux HPC Node Supplementary (v. 6): x86_64: java-1.7.1-ibm-1.7.1.3.20-1jpp.1.el6_7.x86_64.rpm java-1.7.1-ibm-demo-1.7.1.3.20-1jpp.1.el6_7.x86_64.rpm java-1.7.1-ibm-devel-1.7.1.3.20-1jpp.1.el6_7.x86_64.rpm java-1.7.1-ibm-src-1.7.1.3.20-1jpp.1.el6_7.x86_64.rpm Red Hat Enterprise Linux Server Supplementary (v. 
6):

i386:
java-1.7.1-ibm-1.7.1.3.20-1jpp.1.el6_7.i686.rpm
java-1.7.1-ibm-demo-1.7.1.3.20-1jpp.1.el6_7.i686.rpm
java-1.7.1-ibm-devel-1.7.1.3.20-1jpp.1.el6_7.i686.rpm
java-1.7.1-ibm-jdbc-1.7.1.3.20-1jpp.1.el6_7.i686.rpm
java-1.7.1-ibm-plugin-1.7.1.3.20-1jpp.1.el6_7.i686.rpm
java-1.7.1-ibm-src-1.7.1.3.20-1jpp.1.el6_7.i686.rpm

ppc64:
java-1.7.1-ibm-1.7.1.3.20-1jpp.1.el6_7.ppc64.rpm
java-1.7.1-ibm-demo-1.7.1.3.20-1jpp.1.el6_7.ppc64.rpm
java-1.7.1-ibm-devel-1.7.1.3.20-1jpp.1.el6_7.ppc64.rpm
java-1.7.1-ibm-jdbc-1.7.1.3.20-1jpp.1.el6_7.ppc64.rpm
java-1.7.1-ibm-src-1.7.1.3.20-1jpp.1.el6_7.ppc64.rpm

s390x:
java-1.7.1-ibm-1.7.1.3.20-1jpp.1.el6_7.s390x.rpm
java-1.7.1-ibm-demo-1.7.1.3.20-1jpp.1.el6_7.s390x.rpm
java-1.7.1-ibm-devel-1.7.1.3.20-1jpp.1.el6_7.s390x.rpm
java-1.7.1-ibm-jdbc-1.7.1.3.20-1jpp.1.el6_7.s390x.rpm
java-1.7.1-ibm-src-1.7.1.3.20-1jpp.1.el6_7.s390x.rpm

x86_64:
java-1.7.1-ibm-1.7.1.3.20-1jpp.1.el6_7.x86_64.rpm
java-1.7.1-ibm-demo-1.7.1.3.20-1jpp.1.el6_7.x86_64.rpm
java-1.7.1-ibm-devel-1.7.1.3.20-1jpp.1.el6_7.x86_64.rpm
java-1.7.1-ibm-jdbc-1.7.1.3.20-1jpp.1.el6_7.x86_64.rpm
java-1.7.1-ibm-plugin-1.7.1.3.20-1jpp.1.el6_7.x86_64.rpm
java-1.7.1-ibm-src-1.7.1.3.20-1jpp.1.el6_7.x86_64.rpm

Red Hat Enterprise Linux Workstation Supplementary (v. 6):

i386:
java-1.7.1-ibm-1.7.1.3.20-1jpp.1.el6_7.i686.rpm
java-1.7.1-ibm-demo-1.7.1.3.20-1jpp.1.el6_7.i686.rpm
java-1.7.1-ibm-devel-1.7.1.3.20-1jpp.1.el6_7.i686.rpm
java-1.7.1-ibm-jdbc-1.7.1.3.20-1jpp.1.el6_7.i686.rpm
java-1.7.1-ibm-plugin-1.7.1.3.20-1jpp.1.el6_7.i686.rpm
java-1.7.1-ibm-src-1.7.1.3.20-1jpp.1.el6_7.i686.rpm

x86_64:
java-1.7.1-ibm-1.7.1.3.20-1jpp.1.el6_7.x86_64.rpm
java-1.7.1-ibm-demo-1.7.1.3.20-1jpp.1.el6_7.x86_64.rpm
java-1.7.1-ibm-devel-1.7.1.3.20-1jpp.1.el6_7.x86_64.rpm
java-1.7.1-ibm-jdbc-1.7.1.3.20-1jpp.1.el6_7.x86_64.rpm
java-1.7.1-ibm-plugin-1.7.1.3.20-1jpp.1.el6_7.x86_64.rpm
java-1.7.1-ibm-src-1.7.1.3.20-1jpp.1.el6_7.x86_64.rpm

Red Hat Enterprise Linux Client Supplementary (v. 7):

x86_64:
java-1.7.1-ibm-1.7.1.3.20-1jpp.1.el7.i686.rpm
java-1.7.1-ibm-1.7.1.3.20-1jpp.1.el7.x86_64.rpm
java-1.7.1-ibm-demo-1.7.1.3.20-1jpp.1.el7.x86_64.rpm
java-1.7.1-ibm-devel-1.7.1.3.20-1jpp.1.el7.i686.rpm
java-1.7.1-ibm-devel-1.7.1.3.20-1jpp.1.el7.x86_64.rpm
java-1.7.1-ibm-jdbc-1.7.1.3.20-1jpp.1.el7.x86_64.rpm
java-1.7.1-ibm-plugin-1.7.1.3.20-1jpp.1.el7.x86_64.rpm
java-1.7.1-ibm-src-1.7.1.3.20-1jpp.1.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Supplementary (v. 7):

x86_64:
java-1.7.1-ibm-1.7.1.3.20-1jpp.1.el7.i686.rpm
java-1.7.1-ibm-1.7.1.3.20-1jpp.1.el7.x86_64.rpm
java-1.7.1-ibm-demo-1.7.1.3.20-1jpp.1.el7.x86_64.rpm
java-1.7.1-ibm-devel-1.7.1.3.20-1jpp.1.el7.i686.rpm
java-1.7.1-ibm-devel-1.7.1.3.20-1jpp.1.el7.x86_64.rpm
java-1.7.1-ibm-src-1.7.1.3.20-1jpp.1.el7.x86_64.rpm

Red Hat Enterprise Linux Server Supplementary (v. 7):

ppc64:
java-1.7.1-ibm-1.7.1.3.20-1jpp.1.el7.ppc.rpm
java-1.7.1-ibm-1.7.1.3.20-1jpp.1.el7.ppc64.rpm
java-1.7.1-ibm-demo-1.7.1.3.20-1jpp.1.el7.ppc64.rpm
java-1.7.1-ibm-devel-1.7.1.3.20-1jpp.1.el7.ppc.rpm
java-1.7.1-ibm-devel-1.7.1.3.20-1jpp.1.el7.ppc64.rpm
java-1.7.1-ibm-jdbc-1.7.1.3.20-1jpp.1.el7.ppc64.rpm
java-1.7.1-ibm-plugin-1.7.1.3.20-1jpp.1.el7.ppc.rpm
java-1.7.1-ibm-src-1.7.1.3.20-1jpp.1.el7.ppc64.rpm

ppc64le:
java-1.7.1-ibm-1.7.1.3.20-1jpp.1.el7.ppc64le.rpm
java-1.7.1-ibm-demo-1.7.1.3.20-1jpp.1.el7.ppc64le.rpm
java-1.7.1-ibm-devel-1.7.1.3.20-1jpp.1.el7.ppc64le.rpm
java-1.7.1-ibm-jdbc-1.7.1.3.20-1jpp.1.el7.ppc64le.rpm
java-1.7.1-ibm-src-1.7.1.3.20-1jpp.1.el7.ppc64le.rpm

s390x:
java-1.7.1-ibm-1.7.1.3.20-1jpp.1.el7.s390.rpm
java-1.7.1-ibm-1.7.1.3.20-1jpp.1.el7.s390x.rpm
java-1.7.1-ibm-demo-1.7.1.3.20-1jpp.1.el7.s390x.rpm
java-1.7.1-ibm-devel-1.7.1.3.20-1jpp.1.el7.s390.rpm
java-1.7.1-ibm-devel-1.7.1.3.20-1jpp.1.el7.s390x.rpm
java-1.7.1-ibm-jdbc-1.7.1.3.20-1jpp.1.el7.s390x.rpm
java-1.7.1-ibm-src-1.7.1.3.20-1jpp.1.el7.s390x.rpm

x86_64:
java-1.7.1-ibm-1.7.1.3.20-1jpp.1.el7.i686.rpm
java-1.7.1-ibm-1.7.1.3.20-1jpp.1.el7.x86_64.rpm
java-1.7.1-ibm-demo-1.7.1.3.20-1jpp.1.el7.x86_64.rpm
java-1.7.1-ibm-devel-1.7.1.3.20-1jpp.1.el7.i686.rpm
java-1.7.1-ibm-devel-1.7.1.3.20-1jpp.1.el7.x86_64.rpm
java-1.7.1-ibm-jdbc-1.7.1.3.20-1jpp.1.el7.x86_64.rpm
java-1.7.1-ibm-plugin-1.7.1.3.20-1jpp.1.el7.x86_64.rpm
java-1.7.1-ibm-src-1.7.1.3.20-1jpp.1.el7.x86_64.rpm

Red Hat Enterprise Linux Workstation Supplementary (v. 7):

x86_64:
java-1.7.1-ibm-1.7.1.3.20-1jpp.1.el7.i686.rpm
java-1.7.1-ibm-1.7.1.3.20-1jpp.1.el7.x86_64.rpm
java-1.7.1-ibm-demo-1.7.1.3.20-1jpp.1.el7.x86_64.rpm
java-1.7.1-ibm-devel-1.7.1.3.20-1jpp.1.el7.i686.rpm
java-1.7.1-ibm-devel-1.7.1.3.20-1jpp.1.el7.x86_64.rpm
java-1.7.1-ibm-jdbc-1.7.1.3.20-1jpp.1.el7.x86_64.rpm
java-1.7.1-ibm-plugin-1.7.1.3.20-1jpp.1.el7.x86_64.rpm
java-1.7.1-ibm-src-1.7.1.3.20-1jpp.1.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2015-4734
https://access.redhat.com/security/cve/CVE-2015-4803
https://access.redhat.com/security/cve/CVE-2015-4805
https://access.redhat.com/security/cve/CVE-2015-4806
https://access.redhat.com/security/cve/CVE-2015-4810
https://access.redhat.com/security/cve/CVE-2015-4835
https://access.redhat.com/security/cve/CVE-2015-4840
https://access.redhat.com/security/cve/CVE-2015-4842
https://access.redhat.com/security/cve/CVE-2015-4843
https://access.redhat.com/security/cve/CVE-2015-4844
https://access.redhat.com/security/cve/CVE-2015-4860
https://access.redhat.com/security/cve/CVE-2015-4871
https://access.redhat.com/security/cve/CVE-2015-4872
https://access.redhat.com/security/cve/CVE-2015-4882
https://access.redhat.com/security/cve/CVE-2015-4883
https://access.redhat.com/security/cve/CVE-2015-4893
https://access.redhat.com/security/cve/CVE-2015-4902
https://access.redhat.com/security/cve/CVE-2015-4903
https://access.redhat.com/security/cve/CVE-2015-5006
https://access.redhat.com/security/updates/classification/#critical
http://www.ibm.com/developerworks/java/jdk/alerts/

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.

From bugzilla at redhat.com Mon Nov 23 13:04:09 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 23 Nov 2015 13:04:09 +0000
Subject: [RHSA-2015:2507-01] Critical: java-1.7.0-ibm security update
Message-ID: <201511231304.tAND4A1T006988@int-mx10.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: java-1.7.0-ibm security update
Advisory ID:       RHSA-2015:2507-01
Product:           Red Hat Enterprise Linux Supplementary
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-2507.html
Issue date:        2015-11-23
CVE Names:         CVE-2015-4734 CVE-2015-4803 CVE-2015-4805 CVE-2015-4806
                   CVE-2015-4810 CVE-2015-4835 CVE-2015-4840 CVE-2015-4842
                   CVE-2015-4843 CVE-2015-4844 CVE-2015-4860 CVE-2015-4871
                   CVE-2015-4872 CVE-2015-4882 CVE-2015-4883 CVE-2015-4893
                   CVE-2015-4902 CVE-2015-4903 CVE-2015-5006
=====================================================================

1. Summary:

Updated java-1.7.0-ibm packages that fix several security issues are now
available for Red Hat Enterprise Linux 5 Supplementary.

Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, ppc, s390x, x86_64

3. Description:

IBM Java SE version 7 includes the IBM Java Runtime Environment and the IBM
Java Software Development Kit.

This update fixes several vulnerabilities in the IBM Java Runtime
Environment and the IBM Java Software Development Kit. Further information
about these flaws can be found on the IBM Java Security alerts page, listed
in the References section. (CVE-2015-4734, CVE-2015-4803, CVE-2015-4805,
CVE-2015-4806, CVE-2015-4810, CVE-2015-4835, CVE-2015-4840, CVE-2015-4842,
CVE-2015-4843, CVE-2015-4844, CVE-2015-4860, CVE-2015-4871, CVE-2015-4872,
CVE-2015-4882, CVE-2015-4883, CVE-2015-4893, CVE-2015-4902, CVE-2015-4903,
CVE-2015-5006)

Red Hat would like to thank Andrea Palazzo of Truel IT for reporting the
CVE-2015-4806 issue.

All users of java-1.7.0-ibm are advised to upgrade to these updated
packages, containing the IBM Java SE 7 SR9-FP20 release. All running
instances of IBM Java must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1233687 - CVE-2015-4806 OpenJDK: HttpURLConnection header restriction bypass (Libraries, 8130193)
1273022 - CVE-2015-4835 OpenJDK: insufficient permission checks in StubGenerator (CORBA, 8076383)
1273053 - CVE-2015-4843 OpenJDK: java.nio Buffers integer overflow issues (Libraries, 8130891)
1273304 - CVE-2015-4883 OpenJDK: incorrect access control context used in DGCClient (RMI, 8076413)
1273308 - CVE-2015-4860 OpenJDK: incorrect access control context used in DGCImpl (RMI, 8080688)
1273311 - CVE-2015-4805 OpenJDK: missing checks for proper initialization in ObjectStreamClass (Serialization, 8103671)
1273318 - CVE-2015-4844 ICU: missing boundary checks in layout engine (OpenJDK 2D, 8132042)
1273338 - CVE-2015-4840 OpenJDK: OOB access in CMS code (2D, 8086092)
1273414 - CVE-2015-4882 OpenJDK: incorrect String object deserialization in IIOPInputStream (CORBA, 8076387)
1273425 - CVE-2015-4842 OpenJDK: leak of user.dir location (JAXP, 8078427)
1273430 - CVE-2015-4734 OpenJDK: kerberos realm name leak (JGSS, 8048030)
1273496 - CVE-2015-4903 OpenJDK: insufficient proxy class checks in RemoteObjectInvocationHandler (RMI, 8076339)
1273637 - CVE-2015-4803 OpenJDK: inefficient use of hash tables and lists during XML parsing (JAXP, 8068842)
1273638 - CVE-2015-4893 OpenJDK: incomplete MaxXMLNameLimit enforcement (JAXP, 8086733)
1273734 - CVE-2015-4872 OpenJDK: incomplete constraints enforcement by AlgorithmChecker (Security, 8131291)
1273858 - CVE-2015-4810 Oracle JDK: unspecified vulnerability fixed in 7u91 and 8u65 (Deployment)
1273859 - CVE-2015-4871 Oracle JDK: unspecified vulnerability fixed in 7u91 (Libraries)
1273860 - CVE-2015-4902 Oracle JDK: unspecified vulnerability fixed in 6u105, 7u91 and 8u65 (Deployment)
1282379 - CVE-2015-5006 IBM JDK: local disclosure of kerberos credentials cache

6. Package List:

Red Hat Enterprise Linux Desktop Supplementary (v. 5):

i386:
java-1.7.0-ibm-1.7.0.9.20-1jpp.1.el5.i386.rpm
java-1.7.0-ibm-demo-1.7.0.9.20-1jpp.1.el5.i386.rpm
java-1.7.0-ibm-devel-1.7.0.9.20-1jpp.1.el5.i386.rpm
java-1.7.0-ibm-jdbc-1.7.0.9.20-1jpp.1.el5.i386.rpm
java-1.7.0-ibm-plugin-1.7.0.9.20-1jpp.1.el5.i386.rpm
java-1.7.0-ibm-src-1.7.0.9.20-1jpp.1.el5.i386.rpm

x86_64:
java-1.7.0-ibm-1.7.0.9.20-1jpp.1.el5.i386.rpm
java-1.7.0-ibm-1.7.0.9.20-1jpp.1.el5.x86_64.rpm
java-1.7.0-ibm-demo-1.7.0.9.20-1jpp.1.el5.i386.rpm
java-1.7.0-ibm-demo-1.7.0.9.20-1jpp.1.el5.x86_64.rpm
java-1.7.0-ibm-devel-1.7.0.9.20-1jpp.1.el5.i386.rpm
java-1.7.0-ibm-devel-1.7.0.9.20-1jpp.1.el5.x86_64.rpm
java-1.7.0-ibm-jdbc-1.7.0.9.20-1jpp.1.el5.i386.rpm
java-1.7.0-ibm-jdbc-1.7.0.9.20-1jpp.1.el5.x86_64.rpm
java-1.7.0-ibm-plugin-1.7.0.9.20-1jpp.1.el5.i386.rpm
java-1.7.0-ibm-plugin-1.7.0.9.20-1jpp.1.el5.x86_64.rpm
java-1.7.0-ibm-src-1.7.0.9.20-1jpp.1.el5.i386.rpm
java-1.7.0-ibm-src-1.7.0.9.20-1jpp.1.el5.x86_64.rpm

Red Hat Enterprise Linux Server Supplementary (v. 5):

i386:
java-1.7.0-ibm-1.7.0.9.20-1jpp.1.el5.i386.rpm
java-1.7.0-ibm-demo-1.7.0.9.20-1jpp.1.el5.i386.rpm
java-1.7.0-ibm-devel-1.7.0.9.20-1jpp.1.el5.i386.rpm
java-1.7.0-ibm-jdbc-1.7.0.9.20-1jpp.1.el5.i386.rpm
java-1.7.0-ibm-plugin-1.7.0.9.20-1jpp.1.el5.i386.rpm
java-1.7.0-ibm-src-1.7.0.9.20-1jpp.1.el5.i386.rpm

ppc:
java-1.7.0-ibm-1.7.0.9.20-1jpp.1.el5.ppc.rpm
java-1.7.0-ibm-1.7.0.9.20-1jpp.1.el5.ppc64.rpm
java-1.7.0-ibm-demo-1.7.0.9.20-1jpp.1.el5.ppc.rpm
java-1.7.0-ibm-demo-1.7.0.9.20-1jpp.1.el5.ppc64.rpm
java-1.7.0-ibm-devel-1.7.0.9.20-1jpp.1.el5.ppc.rpm
java-1.7.0-ibm-devel-1.7.0.9.20-1jpp.1.el5.ppc64.rpm
java-1.7.0-ibm-jdbc-1.7.0.9.20-1jpp.1.el5.ppc.rpm
java-1.7.0-ibm-jdbc-1.7.0.9.20-1jpp.1.el5.ppc64.rpm
java-1.7.0-ibm-plugin-1.7.0.9.20-1jpp.1.el5.ppc.rpm
java-1.7.0-ibm-src-1.7.0.9.20-1jpp.1.el5.ppc.rpm
java-1.7.0-ibm-src-1.7.0.9.20-1jpp.1.el5.ppc64.rpm

s390x:
java-1.7.0-ibm-1.7.0.9.20-1jpp.1.el5.s390.rpm
java-1.7.0-ibm-1.7.0.9.20-1jpp.1.el5.s390x.rpm
java-1.7.0-ibm-demo-1.7.0.9.20-1jpp.1.el5.s390.rpm
java-1.7.0-ibm-demo-1.7.0.9.20-1jpp.1.el5.s390x.rpm
java-1.7.0-ibm-devel-1.7.0.9.20-1jpp.1.el5.s390.rpm
java-1.7.0-ibm-devel-1.7.0.9.20-1jpp.1.el5.s390x.rpm
java-1.7.0-ibm-jdbc-1.7.0.9.20-1jpp.1.el5.s390.rpm
java-1.7.0-ibm-jdbc-1.7.0.9.20-1jpp.1.el5.s390x.rpm
java-1.7.0-ibm-src-1.7.0.9.20-1jpp.1.el5.s390.rpm
java-1.7.0-ibm-src-1.7.0.9.20-1jpp.1.el5.s390x.rpm

x86_64:
java-1.7.0-ibm-1.7.0.9.20-1jpp.1.el5.i386.rpm
java-1.7.0-ibm-1.7.0.9.20-1jpp.1.el5.x86_64.rpm
java-1.7.0-ibm-demo-1.7.0.9.20-1jpp.1.el5.i386.rpm
java-1.7.0-ibm-demo-1.7.0.9.20-1jpp.1.el5.x86_64.rpm
java-1.7.0-ibm-devel-1.7.0.9.20-1jpp.1.el5.i386.rpm
java-1.7.0-ibm-devel-1.7.0.9.20-1jpp.1.el5.x86_64.rpm
java-1.7.0-ibm-jdbc-1.7.0.9.20-1jpp.1.el5.i386.rpm
java-1.7.0-ibm-jdbc-1.7.0.9.20-1jpp.1.el5.x86_64.rpm
java-1.7.0-ibm-plugin-1.7.0.9.20-1jpp.1.el5.i386.rpm
java-1.7.0-ibm-plugin-1.7.0.9.20-1jpp.1.el5.x86_64.rpm
java-1.7.0-ibm-src-1.7.0.9.20-1jpp.1.el5.i386.rpm
java-1.7.0-ibm-src-1.7.0.9.20-1jpp.1.el5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2015-4734
https://access.redhat.com/security/cve/CVE-2015-4803
https://access.redhat.com/security/cve/CVE-2015-4805
https://access.redhat.com/security/cve/CVE-2015-4806
https://access.redhat.com/security/cve/CVE-2015-4810
https://access.redhat.com/security/cve/CVE-2015-4835
https://access.redhat.com/security/cve/CVE-2015-4840
https://access.redhat.com/security/cve/CVE-2015-4842
https://access.redhat.com/security/cve/CVE-2015-4843
https://access.redhat.com/security/cve/CVE-2015-4844
https://access.redhat.com/security/cve/CVE-2015-4860
https://access.redhat.com/security/cve/CVE-2015-4871
https://access.redhat.com/security/cve/CVE-2015-4872
https://access.redhat.com/security/cve/CVE-2015-4882
https://access.redhat.com/security/cve/CVE-2015-4883
https://access.redhat.com/security/cve/CVE-2015-4893
https://access.redhat.com/security/cve/CVE-2015-4902
https://access.redhat.com/security/cve/CVE-2015-4903
https://access.redhat.com/security/cve/CVE-2015-5006
https://access.redhat.com/security/updates/classification/#critical
http://www.ibm.com/developerworks/java/jdk/alerts/

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
From bugzilla at redhat.com Mon Nov 23 13:15:53 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 23 Nov 2015 13:15:53 +0000
Subject: [RHSA-2015:2508-01] Critical: java-1.6.0-ibm security update
Message-ID: <201511231315.tANDFruF004032@int-mx09.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: java-1.6.0-ibm security update
Advisory ID:       RHSA-2015:2508-01
Product:           Red Hat Enterprise Linux Supplementary
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-2508.html
Issue date:        2015-11-23
CVE Names:         CVE-2015-4734 CVE-2015-4803 CVE-2015-4805 CVE-2015-4806
                   CVE-2015-4835 CVE-2015-4842 CVE-2015-4843 CVE-2015-4844
                   CVE-2015-4860 CVE-2015-4872 CVE-2015-4882 CVE-2015-4883
                   CVE-2015-4893 CVE-2015-4902 CVE-2015-4903 CVE-2015-5006
=====================================================================

1. Summary:

Updated java-1.6.0-ibm packages that fix several security issues are now
available for Red Hat Enterprise Linux 5 and 6 Supplementary.

Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node Supplementary (v. 6) - x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, ppc, s390x, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64

3. Description:

IBM Java SE version 6 includes the IBM Java Runtime Environment and the IBM
Java Software Development Kit.

This update fixes several vulnerabilities in the IBM Java Runtime
Environment and the IBM Java Software Development Kit. Further information
about these flaws can be found on the IBM Java Security alerts page, listed
in the References section. (CVE-2015-4734, CVE-2015-4803, CVE-2015-4805,
CVE-2015-4806, CVE-2015-4835, CVE-2015-4842, CVE-2015-4843, CVE-2015-4844,
CVE-2015-4860, CVE-2015-4872, CVE-2015-4882, CVE-2015-4883, CVE-2015-4893,
CVE-2015-4902, CVE-2015-4903, CVE-2015-5006)

Red Hat would like to thank Andrea Palazzo of Truel IT for reporting the
CVE-2015-4806 issue.

All users of java-1.6.0-ibm are advised to upgrade to these updated
packages, containing the IBM Java SE 6 SR16-FP15 release. All running
instances of IBM Java must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1233687 - CVE-2015-4806 OpenJDK: HttpURLConnection header restriction bypass (Libraries, 8130193)
1273022 - CVE-2015-4835 OpenJDK: insufficient permission checks in StubGenerator (CORBA, 8076383)
1273053 - CVE-2015-4843 OpenJDK: java.nio Buffers integer overflow issues (Libraries, 8130891)
1273304 - CVE-2015-4883 OpenJDK: incorrect access control context used in DGCClient (RMI, 8076413)
1273308 - CVE-2015-4860 OpenJDK: incorrect access control context used in DGCImpl (RMI, 8080688)
1273311 - CVE-2015-4805 OpenJDK: missing checks for proper initialization in ObjectStreamClass (Serialization, 8103671)
1273318 - CVE-2015-4844 ICU: missing boundary checks in layout engine (OpenJDK 2D, 8132042)
1273414 - CVE-2015-4882 OpenJDK: incorrect String object deserialization in IIOPInputStream (CORBA, 8076387)
1273425 - CVE-2015-4842 OpenJDK: leak of user.dir location (JAXP, 8078427)
1273430 - CVE-2015-4734 OpenJDK: kerberos realm name leak (JGSS, 8048030)
1273496 - CVE-2015-4903 OpenJDK: insufficient proxy class checks in RemoteObjectInvocationHandler (RMI, 8076339)
1273637 - CVE-2015-4803 OpenJDK: inefficient use of hash tables and lists during XML parsing (JAXP, 8068842)
1273638 - CVE-2015-4893 OpenJDK: incomplete MaxXMLNameLimit enforcement (JAXP, 8086733)
1273734 - CVE-2015-4872 OpenJDK: incomplete constraints enforcement by AlgorithmChecker (Security, 8131291)
1273860 - CVE-2015-4902 Oracle JDK: unspecified vulnerability fixed in 6u105, 7u91 and 8u65 (Deployment)
1282379 - CVE-2015-5006 IBM JDK: local disclosure of kerberos credentials cache

6. Package List:

Red Hat Enterprise Linux Desktop Supplementary (v. 5):

i386:
java-1.6.0-ibm-1.6.0.16.15-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-accessibility-1.6.0.16.15-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-demo-1.6.0.16.15-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-devel-1.6.0.16.15-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-javacomm-1.6.0.16.15-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-jdbc-1.6.0.16.15-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-plugin-1.6.0.16.15-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-src-1.6.0.16.15-1jpp.1.el5.i386.rpm

x86_64:
java-1.6.0-ibm-1.6.0.16.15-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-1.6.0.16.15-1jpp.1.el5.x86_64.rpm
java-1.6.0-ibm-accessibility-1.6.0.16.15-1jpp.1.el5.x86_64.rpm
java-1.6.0-ibm-demo-1.6.0.16.15-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-demo-1.6.0.16.15-1jpp.1.el5.x86_64.rpm
java-1.6.0-ibm-devel-1.6.0.16.15-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-devel-1.6.0.16.15-1jpp.1.el5.x86_64.rpm
java-1.6.0-ibm-javacomm-1.6.0.16.15-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-javacomm-1.6.0.16.15-1jpp.1.el5.x86_64.rpm
java-1.6.0-ibm-jdbc-1.6.0.16.15-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-jdbc-1.6.0.16.15-1jpp.1.el5.x86_64.rpm
java-1.6.0-ibm-plugin-1.6.0.16.15-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-plugin-1.6.0.16.15-1jpp.1.el5.x86_64.rpm
java-1.6.0-ibm-src-1.6.0.16.15-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-src-1.6.0.16.15-1jpp.1.el5.x86_64.rpm

Red Hat Enterprise Linux Server Supplementary (v. 5):

i386:
java-1.6.0-ibm-1.6.0.16.15-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-accessibility-1.6.0.16.15-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-demo-1.6.0.16.15-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-devel-1.6.0.16.15-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-javacomm-1.6.0.16.15-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-jdbc-1.6.0.16.15-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-plugin-1.6.0.16.15-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-src-1.6.0.16.15-1jpp.1.el5.i386.rpm

ppc:
java-1.6.0-ibm-1.6.0.16.15-1jpp.1.el5.ppc.rpm
java-1.6.0-ibm-1.6.0.16.15-1jpp.1.el5.ppc64.rpm
java-1.6.0-ibm-accessibility-1.6.0.16.15-1jpp.1.el5.ppc.rpm
java-1.6.0-ibm-demo-1.6.0.16.15-1jpp.1.el5.ppc.rpm
java-1.6.0-ibm-demo-1.6.0.16.15-1jpp.1.el5.ppc64.rpm
java-1.6.0-ibm-devel-1.6.0.16.15-1jpp.1.el5.ppc.rpm
java-1.6.0-ibm-devel-1.6.0.16.15-1jpp.1.el5.ppc64.rpm
java-1.6.0-ibm-javacomm-1.6.0.16.15-1jpp.1.el5.ppc.rpm
java-1.6.0-ibm-javacomm-1.6.0.16.15-1jpp.1.el5.ppc64.rpm
java-1.6.0-ibm-jdbc-1.6.0.16.15-1jpp.1.el5.ppc.rpm
java-1.6.0-ibm-jdbc-1.6.0.16.15-1jpp.1.el5.ppc64.rpm
java-1.6.0-ibm-plugin-1.6.0.16.15-1jpp.1.el5.ppc.rpm
java-1.6.0-ibm-src-1.6.0.16.15-1jpp.1.el5.ppc.rpm
java-1.6.0-ibm-src-1.6.0.16.15-1jpp.1.el5.ppc64.rpm

s390x:
java-1.6.0-ibm-1.6.0.16.15-1jpp.1.el5.s390.rpm
java-1.6.0-ibm-1.6.0.16.15-1jpp.1.el5.s390x.rpm
java-1.6.0-ibm-accessibility-1.6.0.16.15-1jpp.1.el5.s390x.rpm
java-1.6.0-ibm-demo-1.6.0.16.15-1jpp.1.el5.s390.rpm
java-1.6.0-ibm-demo-1.6.0.16.15-1jpp.1.el5.s390x.rpm
java-1.6.0-ibm-devel-1.6.0.16.15-1jpp.1.el5.s390.rpm
java-1.6.0-ibm-devel-1.6.0.16.15-1jpp.1.el5.s390x.rpm
java-1.6.0-ibm-jdbc-1.6.0.16.15-1jpp.1.el5.s390.rpm
java-1.6.0-ibm-jdbc-1.6.0.16.15-1jpp.1.el5.s390x.rpm
java-1.6.0-ibm-src-1.6.0.16.15-1jpp.1.el5.s390.rpm
java-1.6.0-ibm-src-1.6.0.16.15-1jpp.1.el5.s390x.rpm

x86_64:
java-1.6.0-ibm-1.6.0.16.15-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-1.6.0.16.15-1jpp.1.el5.x86_64.rpm
java-1.6.0-ibm-accessibility-1.6.0.16.15-1jpp.1.el5.x86_64.rpm
java-1.6.0-ibm-demo-1.6.0.16.15-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-demo-1.6.0.16.15-1jpp.1.el5.x86_64.rpm
java-1.6.0-ibm-devel-1.6.0.16.15-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-devel-1.6.0.16.15-1jpp.1.el5.x86_64.rpm
java-1.6.0-ibm-javacomm-1.6.0.16.15-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-javacomm-1.6.0.16.15-1jpp.1.el5.x86_64.rpm
java-1.6.0-ibm-jdbc-1.6.0.16.15-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-jdbc-1.6.0.16.15-1jpp.1.el5.x86_64.rpm
java-1.6.0-ibm-plugin-1.6.0.16.15-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-plugin-1.6.0.16.15-1jpp.1.el5.x86_64.rpm
java-1.6.0-ibm-src-1.6.0.16.15-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-src-1.6.0.16.15-1jpp.1.el5.x86_64.rpm

Red Hat Enterprise Linux Desktop Supplementary (v. 6):

i386:
java-1.6.0-ibm-1.6.0.16.15-1jpp.1.el6_7.i686.rpm
java-1.6.0-ibm-demo-1.6.0.16.15-1jpp.1.el6_7.i686.rpm
java-1.6.0-ibm-devel-1.6.0.16.15-1jpp.1.el6_7.i686.rpm
java-1.6.0-ibm-javacomm-1.6.0.16.15-1jpp.1.el6_7.i686.rpm
java-1.6.0-ibm-jdbc-1.6.0.16.15-1jpp.1.el6_7.i686.rpm
java-1.6.0-ibm-plugin-1.6.0.16.15-1jpp.1.el6_7.i686.rpm
java-1.6.0-ibm-src-1.6.0.16.15-1jpp.1.el6_7.i686.rpm

x86_64:
java-1.6.0-ibm-1.6.0.16.15-1jpp.1.el6_7.x86_64.rpm
java-1.6.0-ibm-demo-1.6.0.16.15-1jpp.1.el6_7.x86_64.rpm
java-1.6.0-ibm-devel-1.6.0.16.15-1jpp.1.el6_7.x86_64.rpm
java-1.6.0-ibm-javacomm-1.6.0.16.15-1jpp.1.el6_7.x86_64.rpm
java-1.6.0-ibm-jdbc-1.6.0.16.15-1jpp.1.el6_7.x86_64.rpm
java-1.6.0-ibm-plugin-1.6.0.16.15-1jpp.1.el6_7.x86_64.rpm
java-1.6.0-ibm-src-1.6.0.16.15-1jpp.1.el6_7.x86_64.rpm

Red Hat Enterprise Linux HPC Node Supplementary (v. 6):

x86_64:
java-1.6.0-ibm-1.6.0.16.15-1jpp.1.el6_7.x86_64.rpm
java-1.6.0-ibm-demo-1.6.0.16.15-1jpp.1.el6_7.x86_64.rpm
java-1.6.0-ibm-devel-1.6.0.16.15-1jpp.1.el6_7.x86_64.rpm
java-1.6.0-ibm-javacomm-1.6.0.16.15-1jpp.1.el6_7.x86_64.rpm
java-1.6.0-ibm-src-1.6.0.16.15-1jpp.1.el6_7.x86_64.rpm

Red Hat Enterprise Linux Server Supplementary (v. 6):

i386:
java-1.6.0-ibm-1.6.0.16.15-1jpp.1.el6_7.i686.rpm
java-1.6.0-ibm-demo-1.6.0.16.15-1jpp.1.el6_7.i686.rpm
java-1.6.0-ibm-devel-1.6.0.16.15-1jpp.1.el6_7.i686.rpm
java-1.6.0-ibm-javacomm-1.6.0.16.15-1jpp.1.el6_7.i686.rpm
java-1.6.0-ibm-jdbc-1.6.0.16.15-1jpp.1.el6_7.i686.rpm
java-1.6.0-ibm-plugin-1.6.0.16.15-1jpp.1.el6_7.i686.rpm
java-1.6.0-ibm-src-1.6.0.16.15-1jpp.1.el6_7.i686.rpm

ppc64:
java-1.6.0-ibm-1.6.0.16.15-1jpp.1.el6_7.ppc64.rpm
java-1.6.0-ibm-demo-1.6.0.16.15-1jpp.1.el6_7.ppc64.rpm
java-1.6.0-ibm-devel-1.6.0.16.15-1jpp.1.el6_7.ppc64.rpm
java-1.6.0-ibm-javacomm-1.6.0.16.15-1jpp.1.el6_7.ppc64.rpm
java-1.6.0-ibm-jdbc-1.6.0.16.15-1jpp.1.el6_7.ppc64.rpm
java-1.6.0-ibm-src-1.6.0.16.15-1jpp.1.el6_7.ppc64.rpm

s390x:
java-1.6.0-ibm-1.6.0.16.15-1jpp.1.el6_7.s390x.rpm
java-1.6.0-ibm-demo-1.6.0.16.15-1jpp.1.el6_7.s390x.rpm
java-1.6.0-ibm-devel-1.6.0.16.15-1jpp.1.el6_7.s390x.rpm
java-1.6.0-ibm-jdbc-1.6.0.16.15-1jpp.1.el6_7.s390x.rpm
java-1.6.0-ibm-src-1.6.0.16.15-1jpp.1.el6_7.s390x.rpm

x86_64:
java-1.6.0-ibm-1.6.0.16.15-1jpp.1.el6_7.x86_64.rpm
java-1.6.0-ibm-demo-1.6.0.16.15-1jpp.1.el6_7.x86_64.rpm
java-1.6.0-ibm-devel-1.6.0.16.15-1jpp.1.el6_7.x86_64.rpm
java-1.6.0-ibm-javacomm-1.6.0.16.15-1jpp.1.el6_7.x86_64.rpm
java-1.6.0-ibm-jdbc-1.6.0.16.15-1jpp.1.el6_7.x86_64.rpm
java-1.6.0-ibm-plugin-1.6.0.16.15-1jpp.1.el6_7.x86_64.rpm
java-1.6.0-ibm-src-1.6.0.16.15-1jpp.1.el6_7.x86_64.rpm

Red Hat Enterprise Linux Workstation Supplementary (v. 6):

i386:
java-1.6.0-ibm-1.6.0.16.15-1jpp.1.el6_7.i686.rpm
java-1.6.0-ibm-demo-1.6.0.16.15-1jpp.1.el6_7.i686.rpm
java-1.6.0-ibm-devel-1.6.0.16.15-1jpp.1.el6_7.i686.rpm
java-1.6.0-ibm-javacomm-1.6.0.16.15-1jpp.1.el6_7.i686.rpm
java-1.6.0-ibm-jdbc-1.6.0.16.15-1jpp.1.el6_7.i686.rpm
java-1.6.0-ibm-plugin-1.6.0.16.15-1jpp.1.el6_7.i686.rpm
java-1.6.0-ibm-src-1.6.0.16.15-1jpp.1.el6_7.i686.rpm

x86_64:
java-1.6.0-ibm-1.6.0.16.15-1jpp.1.el6_7.x86_64.rpm
java-1.6.0-ibm-demo-1.6.0.16.15-1jpp.1.el6_7.x86_64.rpm
java-1.6.0-ibm-devel-1.6.0.16.15-1jpp.1.el6_7.x86_64.rpm
java-1.6.0-ibm-javacomm-1.6.0.16.15-1jpp.1.el6_7.x86_64.rpm
java-1.6.0-ibm-jdbc-1.6.0.16.15-1jpp.1.el6_7.x86_64.rpm
java-1.6.0-ibm-plugin-1.6.0.16.15-1jpp.1.el6_7.x86_64.rpm
java-1.6.0-ibm-src-1.6.0.16.15-1jpp.1.el6_7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2015-4734
https://access.redhat.com/security/cve/CVE-2015-4803
https://access.redhat.com/security/cve/CVE-2015-4805
https://access.redhat.com/security/cve/CVE-2015-4806
https://access.redhat.com/security/cve/CVE-2015-4835
https://access.redhat.com/security/cve/CVE-2015-4842
https://access.redhat.com/security/cve/CVE-2015-4843
https://access.redhat.com/security/cve/CVE-2015-4844
https://access.redhat.com/security/cve/CVE-2015-4860
https://access.redhat.com/security/cve/CVE-2015-4872
https://access.redhat.com/security/cve/CVE-2015-4882
https://access.redhat.com/security/cve/CVE-2015-4883
https://access.redhat.com/security/cve/CVE-2015-4893
https://access.redhat.com/security/cve/CVE-2015-4902
https://access.redhat.com/security/cve/CVE-2015-4903
https://access.redhat.com/security/cve/CVE-2015-5006
https://access.redhat.com/security/updates/classification/#critical
https://www.ibm.com/developerworks/java/jdk/alerts/

8. Contact:

The Red Hat security contact is .
More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.

From bugzilla at redhat.com Mon Nov 23 13:17:26 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 23 Nov 2015 13:17:26 +0000
Subject: [RHSA-2015:2509-01] Critical: java-1.8.0-ibm security update
Message-ID: <201511231317.tANDHQl8004939@int-mx09.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: java-1.8.0-ibm security update
Advisory ID:       RHSA-2015:2509-01
Product:           Red Hat Enterprise Linux Supplementary
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-2509.html
Issue date:        2015-11-23
CVE Names:         CVE-2015-4734 CVE-2015-4803 CVE-2015-4805 CVE-2015-4806
                   CVE-2015-4810 CVE-2015-4835 CVE-2015-4840 CVE-2015-4842
                   CVE-2015-4843 CVE-2015-4844 CVE-2015-4860 CVE-2015-4871
                   CVE-2015-4872 CVE-2015-4882 CVE-2015-4883 CVE-2015-4893
                   CVE-2015-4902 CVE-2015-4903 CVE-2015-5006
=====================================================================

1. Summary:

Updated java-1.8.0-ibm packages that fix several security issues are now
available for Red Hat Enterprise Linux 7 Supplementary.

Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client Supplementary (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Supplementary (v. 7) - x86_64
Red Hat Enterprise Linux Server Supplementary (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 7) - x86_64

3. Description:

IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM
Java Software Development Kit.

This update fixes several vulnerabilities in the IBM Java Runtime
Environment and the IBM Java Software Development Kit. Further information
about these flaws can be found on the IBM Java Security alerts page, listed
in the References section. (CVE-2015-4734, CVE-2015-4803, CVE-2015-4805,
CVE-2015-4806, CVE-2015-4810, CVE-2015-4835, CVE-2015-4840, CVE-2015-4842,
CVE-2015-4843, CVE-2015-4844, CVE-2015-4860, CVE-2015-4871, CVE-2015-4872,
CVE-2015-4882, CVE-2015-4883, CVE-2015-4893, CVE-2015-4902, CVE-2015-4903,
CVE-2015-5006)

Red Hat would like to thank Andrea Palazzo of Truel IT for reporting the
CVE-2015-4806 issue.

All users of java-1.8.0-ibm are advised to upgrade to these updated
packages, containing the IBM Java SE 8 SR2 release. All running instances
of IBM Java must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1233687 - CVE-2015-4806 OpenJDK: HttpURLConnection header restriction bypass (Libraries, 8130193)
1273022 - CVE-2015-4835 OpenJDK: insufficient permission checks in StubGenerator (CORBA, 8076383)
1273053 - CVE-2015-4843 OpenJDK: java.nio Buffers integer overflow issues (Libraries, 8130891)
1273304 - CVE-2015-4883 OpenJDK: incorrect access control context used in DGCClient (RMI, 8076413)
1273308 - CVE-2015-4860 OpenJDK: incorrect access control context used in DGCImpl (RMI, 8080688)
1273311 - CVE-2015-4805 OpenJDK: missing checks for proper initialization in ObjectStreamClass (Serialization, 8103671)
1273318 - CVE-2015-4844 ICU: missing boundary checks in layout engine (OpenJDK 2D, 8132042)
1273338 - CVE-2015-4840 OpenJDK: OOB access in CMS code (2D, 8086092)
1273414 - CVE-2015-4882 OpenJDK: incorrect String object deserialization in IIOPInputStream (CORBA, 8076387)
1273425 - CVE-2015-4842 OpenJDK: leak of user.dir location (JAXP, 8078427)
1273430 - CVE-2015-4734 OpenJDK: kerberos realm name leak (JGSS, 8048030)
1273496 - CVE-2015-4903 OpenJDK: insufficient proxy class checks in RemoteObjectInvocationHandler (RMI, 8076339)
1273637 - CVE-2015-4803 OpenJDK: inefficient use of hash tables and lists during XML parsing (JAXP, 8068842)
1273638 - CVE-2015-4893 OpenJDK: incomplete MaxXMLNameLimit enforcement (JAXP, 8086733)
1273734 - CVE-2015-4872 OpenJDK: incomplete constraints enforcement by AlgorithmChecker (Security, 8131291)
1273858 - CVE-2015-4810 Oracle JDK: unspecified vulnerability fixed in 7u91 and 8u65 (Deployment)
1273859 - CVE-2015-4871 Oracle JDK: unspecified vulnerability fixed in 7u91 (Libraries)
1273860 - CVE-2015-4902 Oracle JDK: unspecified vulnerability fixed in 6u105, 7u91 and 8u65 (Deployment)
1282379 - CVE-2015-5006 IBM JDK: local disclosure of kerberos credentials cache

6. Package List:

Red Hat Enterprise Linux Client Supplementary (v. 7):

x86_64:
java-1.8.0-ibm-1.8.0.2.0-1jpp.1.el7.i686.rpm
java-1.8.0-ibm-1.8.0.2.0-1jpp.1.el7.x86_64.rpm
java-1.8.0-ibm-demo-1.8.0.2.0-1jpp.1.el7.x86_64.rpm
java-1.8.0-ibm-devel-1.8.0.2.0-1jpp.1.el7.i686.rpm
java-1.8.0-ibm-devel-1.8.0.2.0-1jpp.1.el7.x86_64.rpm
java-1.8.0-ibm-jdbc-1.8.0.2.0-1jpp.1.el7.x86_64.rpm
java-1.8.0-ibm-plugin-1.8.0.2.0-1jpp.1.el7.x86_64.rpm
java-1.8.0-ibm-src-1.8.0.2.0-1jpp.1.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Supplementary (v. 7):

x86_64:
java-1.8.0-ibm-1.8.0.2.0-1jpp.1.el7.i686.rpm
java-1.8.0-ibm-1.8.0.2.0-1jpp.1.el7.x86_64.rpm
java-1.8.0-ibm-demo-1.8.0.2.0-1jpp.1.el7.x86_64.rpm
java-1.8.0-ibm-devel-1.8.0.2.0-1jpp.1.el7.i686.rpm
java-1.8.0-ibm-devel-1.8.0.2.0-1jpp.1.el7.x86_64.rpm
java-1.8.0-ibm-src-1.8.0.2.0-1jpp.1.el7.x86_64.rpm

Red Hat Enterprise Linux Server Supplementary (v. 7):

ppc64:
java-1.8.0-ibm-1.8.0.2.0-1jpp.1.el7.ppc.rpm
java-1.8.0-ibm-1.8.0.2.0-1jpp.1.el7.ppc64.rpm
java-1.8.0-ibm-demo-1.8.0.2.0-1jpp.1.el7.ppc64.rpm
java-1.8.0-ibm-devel-1.8.0.2.0-1jpp.1.el7.ppc.rpm
java-1.8.0-ibm-devel-1.8.0.2.0-1jpp.1.el7.ppc64.rpm
java-1.8.0-ibm-jdbc-1.8.0.2.0-1jpp.1.el7.ppc64.rpm
java-1.8.0-ibm-plugin-1.8.0.2.0-1jpp.1.el7.ppc64.rpm
java-1.8.0-ibm-src-1.8.0.2.0-1jpp.1.el7.ppc64.rpm

ppc64le:
java-1.8.0-ibm-1.8.0.2.0-1jpp.1.el7.ppc64le.rpm
java-1.8.0-ibm-demo-1.8.0.2.0-1jpp.1.el7.ppc64le.rpm
java-1.8.0-ibm-devel-1.8.0.2.0-1jpp.1.el7.ppc64le.rpm
java-1.8.0-ibm-jdbc-1.8.0.2.0-1jpp.1.el7.ppc64le.rpm
java-1.8.0-ibm-src-1.8.0.2.0-1jpp.1.el7.ppc64le.rpm

s390x:
java-1.8.0-ibm-1.8.0.2.0-1jpp.1.el7.s390.rpm
java-1.8.0-ibm-1.8.0.2.0-1jpp.1.el7.s390x.rpm
java-1.8.0-ibm-demo-1.8.0.2.0-1jpp.1.el7.s390x.rpm
java-1.8.0-ibm-devel-1.8.0.2.0-1jpp.1.el7.s390.rpm
java-1.8.0-ibm-devel-1.8.0.2.0-1jpp.1.el7.s390x.rpm
java-1.8.0-ibm-jdbc-1.8.0.2.0-1jpp.1.el7.s390x.rpm
java-1.8.0-ibm-src-1.8.0.2.0-1jpp.1.el7.s390x.rpm

x86_64:
java-1.8.0-ibm-1.8.0.2.0-1jpp.1.el7.i686.rpm
java-1.8.0-ibm-1.8.0.2.0-1jpp.1.el7.x86_64.rpm
java-1.8.0-ibm-demo-1.8.0.2.0-1jpp.1.el7.x86_64.rpm
java-1.8.0-ibm-devel-1.8.0.2.0-1jpp.1.el7.i686.rpm
java-1.8.0-ibm-devel-1.8.0.2.0-1jpp.1.el7.x86_64.rpm
java-1.8.0-ibm-jdbc-1.8.0.2.0-1jpp.1.el7.x86_64.rpm
java-1.8.0-ibm-plugin-1.8.0.2.0-1jpp.1.el7.x86_64.rpm
java-1.8.0-ibm-src-1.8.0.2.0-1jpp.1.el7.x86_64.rpm

Red Hat Enterprise Linux Workstation Supplementary (v. 7):

x86_64:
java-1.8.0-ibm-1.8.0.2.0-1jpp.1.el7.i686.rpm
java-1.8.0-ibm-1.8.0.2.0-1jpp.1.el7.x86_64.rpm
java-1.8.0-ibm-demo-1.8.0.2.0-1jpp.1.el7.x86_64.rpm
java-1.8.0-ibm-devel-1.8.0.2.0-1jpp.1.el7.i686.rpm
java-1.8.0-ibm-devel-1.8.0.2.0-1jpp.1.el7.x86_64.rpm
java-1.8.0-ibm-jdbc-1.8.0.2.0-1jpp.1.el7.x86_64.rpm
java-1.8.0-ibm-plugin-1.8.0.2.0-1jpp.1.el7.x86_64.rpm
java-1.8.0-ibm-src-1.8.0.2.0-1jpp.1.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2015-4734
https://access.redhat.com/security/cve/CVE-2015-4803
https://access.redhat.com/security/cve/CVE-2015-4805
https://access.redhat.com/security/cve/CVE-2015-4806
https://access.redhat.com/security/cve/CVE-2015-4810
https://access.redhat.com/security/cve/CVE-2015-4835
https://access.redhat.com/security/cve/CVE-2015-4840
https://access.redhat.com/security/cve/CVE-2015-4842
https://access.redhat.com/security/cve/CVE-2015-4843
https://access.redhat.com/security/cve/CVE-2015-4844
https://access.redhat.com/security/cve/CVE-2015-4860
https://access.redhat.com/security/cve/CVE-2015-4871
https://access.redhat.com/security/cve/CVE-2015-4872
https://access.redhat.com/security/cve/CVE-2015-4882
https://access.redhat.com/security/cve/CVE-2015-4883
https://access.redhat.com/security/cve/CVE-2015-4893
https://access.redhat.com/security/cve/CVE-2015-4902
https://access.redhat.com/security/cve/CVE-2015-4903
https://access.redhat.com/security/cve/CVE-2015-5006
https://access.redhat.com/security/updates/classification/#critical http://www.ibm.com/developerworks/java/jdk/alerts/ 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2015 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFWUxGyXlSAg2UNWIIRAvpQAKCW/2Qs9n/f/uEMivBhHxEWBpudNACcDvEC nyuWejVhtKRc4v7SCL5hapg= =HcTV -----END PGP SIGNATURE----- From bugzilla at redhat.com Mon Nov 23 14:32:18 2015 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Mon, 23 Nov 2015 14:32:18 +0000 Subject: [RHSA-2015:2505-01] Moderate: abrt and libreport security update Message-ID: <201511231432.tANEWJpF024075@int-mx13.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: abrt and libreport security update Advisory ID: RHSA-2015:2505-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-2505.html Issue date: 2015-11-23 CVE Names: CVE-2015-5273 CVE-2015-5287 CVE-2015-5302 ===================================================================== 1. Summary: Updated abrt and libreport packages that fix three security issues are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Client (v. 7) - x86_64 Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64 Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64 Red Hat Enterprise Linux Server (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 
7) - aarch64, noarch, ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 7) - x86_64 Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch, x86_64 3. Description: ABRT (Automatic Bug Reporting Tool) is a tool to help users to detect defects in applications and to create a bug report with all the information needed by a maintainer to fix it. It uses a plug-in system to extend its functionality. libreport provides an API for reporting different problems in applications to different bug targets, such as Bugzilla, FTP, and Trac. It was found that the ABRT debug information installer (abrt-action-install-debuginfo-to-abrt-cache) did not use temporary directories in a secure way. A local attacker could use the flaw to create symbolic links and files at arbitrary locations as the abrt user. (CVE-2015-5273) It was discovered that the kernel-invoked coredump processor provided by ABRT did not handle symbolic links correctly when writing core dumps of ABRT programs to the ABRT dump directory (/var/spool/abrt). A local attacker with write access to an ABRT problem directory could use this flaw to escalate their privileges. (CVE-2015-5287) It was found that ABRT may have exposed unintended information to Red Hat Bugzilla during crash reporting. A bug in the libreport library caused changes made by a user in files included in a crash report to be discarded. As a result, Red Hat Bugzilla attachments may contain data that was not intended to be made public, including host names, IP addresses, or command line options. (CVE-2015-5302) This flaw did not affect default installations of ABRT on Red Hat Enterprise Linux as they do not post data to Red Hat Bugzilla. This feature can however be enabled, potentially impacting modified ABRT instances. As a precaution, Red Hat has identified bugs filed by such non-default Red Hat Enterprise Linux users of ABRT and marked them private. 
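The two file-system mistakes behind CVE-2015-5273 and CVE-2015-5287 (a predictable temporary directory, and a dump writer that follows a symlink planted in a writable problem directory) have standard hardened forms. The following is an added illustration in Python and is not ABRT's own code; the spool layout (one sub-directory per problem under a root modelled on /var/spool/abrt), the file names and the demo scenario are assumptions constructed for the example.

```python
"""Hardened temp-directory and spool-file handling (added example, not ABRT code)."""
import os
import shutil
import stat
import tempfile


def make_private_workdir(prefix="abrt-debuginfo-"):
    """Create a fresh, mode-0700 work directory with an unpredictable name.

    mkdtemp() creates the directory atomically, so nobody can pre-create or
    pre-symlink the name; that is what a fixed path under /tmp cannot give.
    """
    return tempfile.mkdtemp(prefix=prefix)


def open_problem_dir(spool_root, problem):
    """Open spool_root/problem as a directory fd without following symlinks.

    O_NOFOLLOW makes open() fail with ELOOP when the final component is a
    symlink; O_DIRECTORY rejects anything that is not a directory.
    """
    root_fd = os.open(spool_root, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        return os.open(problem, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW,
                       dir_fd=root_fd)
    finally:
        os.close(root_fd)


def write_dump(spool_root, problem, name, data):
    """Create `name` inside the problem directory and write `data` into it.

    O_CREAT|O_EXCL fails with EEXIST if the entry already exists, and for a
    symlink it fails regardless of the link target, so a planted link is
    never followed. Opening relative to a directory fd means a concurrent
    rename of the spool path cannot redirect the write. Returns the path.
    """
    if name in ("", ".", "..") or os.sep in name:
        raise ValueError("dump name must be a single path component")
    dir_fd = open_problem_dir(spool_root, problem)
    try:
        fd = os.open(name, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW,
                     0o600, dir_fd=dir_fd)
    finally:
        os.close(dir_fd)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return os.path.join(spool_root, problem, name)


def demo():
    """Constructed scenario exercising the checks; returns a result dict.

    Builds a throwaway spool tree: problem dir 'ccpp-1' contains a symlink
    named 'coredump' pointing outside the spool, and 'ccpp-2' is itself a
    symlink to a directory outside the spool. Both writes must be refused.
    """
    spool = tempfile.mkdtemp(prefix="spool-")
    outside = tempfile.mkdtemp(prefix="outside-")
    os.mkdir(os.path.join(spool, "ccpp-1"))
    os.symlink(os.path.join(outside, "victim"),
               os.path.join(spool, "ccpp-1", "coredump"))
    os.symlink(outside, os.path.join(spool, "ccpp-2"))
    result = {}
    try:
        write_dump(spool, "ccpp-1", "coredump", b"core")
        result["file_symlink_refused"] = False
    except OSError:
        result["file_symlink_refused"] = True
    # Nothing may have been created at the link target.
    result["outside_untouched"] = not os.path.lexists(os.path.join(outside, "victim"))
    try:
        write_dump(spool, "ccpp-2", "coredump", b"core")
        result["dir_symlink_refused"] = False
    except OSError:
        result["dir_symlink_refused"] = True
    # A fresh name in a real problem directory is written normally, mode 0600.
    path = write_dump(spool, "ccpp-1", "environ", b"PATH=/usr/bin\n")
    with open(path, "rb") as fh:
        result["fresh_write_ok"] = fh.read() == b"PATH=/usr/bin\n"
    result["fresh_mode_0600"] = stat.S_IMODE(os.stat(path).st_mode) == 0o600
    workdir = make_private_workdir()
    result["workdir_mode_0700"] = stat.S_IMODE(os.stat(workdir).st_mode) == 0o700
    for d in (spool, outside, workdir):
        shutil.rmtree(d)
    return result


if __name__ == "__main__":
    print(demo())
```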
Red Hat would like to thank Philip Pettersson of Samsung for reporting the CVE-2015-5273 and CVE-2015-5287 issues. The CVE-2015-5302 issue was discovered by Bastien Nocera of Red Hat.

All users of abrt and libreport are advised to upgrade to these updated packages, which contain backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1262252 - CVE-2015-5273 abrt: Insecure temporary directory usage in abrt-action-install-debuginfo-to-abrt-cache
1266837 - CVE-2015-5287 abrt: incorrect permissions on /var/spool/abrt
1270903 - CVE-2015-5302 libreport: Possible private data leak in Bugzilla bugs opened by ABRT

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:
abrt-2.1.11-35.el7.src.rpm
libreport-2.1.11-31.el7.src.rpm

x86_64:
abrt-2.1.11-35.el7.x86_64.rpm
abrt-addon-ccpp-2.1.11-35.el7.x86_64.rpm
abrt-addon-kerneloops-2.1.11-35.el7.x86_64.rpm
abrt-addon-pstoreoops-2.1.11-35.el7.x86_64.rpm
abrt-addon-python-2.1.11-35.el7.x86_64.rpm
abrt-addon-vmcore-2.1.11-35.el7.x86_64.rpm
abrt-addon-xorg-2.1.11-35.el7.x86_64.rpm
abrt-cli-2.1.11-35.el7.x86_64.rpm
abrt-console-notification-2.1.11-35.el7.x86_64.rpm
abrt-dbus-2.1.11-35.el7.x86_64.rpm
abrt-debuginfo-2.1.11-35.el7.i686.rpm
abrt-debuginfo-2.1.11-35.el7.x86_64.rpm
abrt-desktop-2.1.11-35.el7.x86_64.rpm
abrt-gui-2.1.11-35.el7.x86_64.rpm
abrt-gui-libs-2.1.11-35.el7.i686.rpm
abrt-gui-libs-2.1.11-35.el7.x86_64.rpm
abrt-libs-2.1.11-35.el7.i686.rpm
abrt-libs-2.1.11-35.el7.x86_64.rpm
abrt-python-2.1.11-35.el7.x86_64.rpm
abrt-tui-2.1.11-35.el7.x86_64.rpm
libreport-2.1.11-31.el7.i686.rpm
libreport-2.1.11-31.el7.x86_64.rpm
libreport-anaconda-2.1.11-31.el7.x86_64.rpm
libreport-cli-2.1.11-31.el7.x86_64.rpm
libreport-debuginfo-2.1.11-31.el7.i686.rpm
libreport-debuginfo-2.1.11-31.el7.x86_64.rpm libreport-filesystem-2.1.11-31.el7.x86_64.rpm libreport-gtk-2.1.11-31.el7.i686.rpm libreport-gtk-2.1.11-31.el7.x86_64.rpm libreport-plugin-bugzilla-2.1.11-31.el7.x86_64.rpm libreport-plugin-mailx-2.1.11-31.el7.x86_64.rpm libreport-plugin-reportuploader-2.1.11-31.el7.x86_64.rpm libreport-plugin-rhtsupport-2.1.11-31.el7.x86_64.rpm libreport-plugin-ureport-2.1.11-31.el7.x86_64.rpm libreport-python-2.1.11-31.el7.x86_64.rpm libreport-rhel-2.1.11-31.el7.x86_64.rpm libreport-rhel-anaconda-bugzilla-2.1.11-31.el7.x86_64.rpm libreport-web-2.1.11-31.el7.i686.rpm libreport-web-2.1.11-31.el7.x86_64.rpm Red Hat Enterprise Linux Client Optional (v. 7): noarch: abrt-python-doc-2.1.11-35.el7.noarch.rpm x86_64: abrt-addon-upload-watch-2.1.11-35.el7.x86_64.rpm abrt-debuginfo-2.1.11-35.el7.i686.rpm abrt-debuginfo-2.1.11-35.el7.x86_64.rpm abrt-devel-2.1.11-35.el7.i686.rpm abrt-devel-2.1.11-35.el7.x86_64.rpm abrt-gui-devel-2.1.11-35.el7.i686.rpm abrt-gui-devel-2.1.11-35.el7.x86_64.rpm abrt-retrace-client-2.1.11-35.el7.x86_64.rpm libreport-compat-2.1.11-31.el7.x86_64.rpm libreport-debuginfo-2.1.11-31.el7.i686.rpm libreport-debuginfo-2.1.11-31.el7.x86_64.rpm libreport-devel-2.1.11-31.el7.i686.rpm libreport-devel-2.1.11-31.el7.x86_64.rpm libreport-gtk-devel-2.1.11-31.el7.i686.rpm libreport-gtk-devel-2.1.11-31.el7.x86_64.rpm libreport-newt-2.1.11-31.el7.x86_64.rpm libreport-plugin-kerneloops-2.1.11-31.el7.x86_64.rpm libreport-plugin-logger-2.1.11-31.el7.x86_64.rpm libreport-rhel-bugzilla-2.1.11-31.el7.x86_64.rpm libreport-web-devel-2.1.11-31.el7.i686.rpm libreport-web-devel-2.1.11-31.el7.x86_64.rpm Red Hat Enterprise Linux ComputeNode (v. 
7): Source: abrt-2.1.11-35.el7.src.rpm libreport-2.1.11-31.el7.src.rpm x86_64: abrt-2.1.11-35.el7.x86_64.rpm abrt-addon-ccpp-2.1.11-35.el7.x86_64.rpm abrt-addon-kerneloops-2.1.11-35.el7.x86_64.rpm abrt-addon-pstoreoops-2.1.11-35.el7.x86_64.rpm abrt-addon-python-2.1.11-35.el7.x86_64.rpm abrt-addon-vmcore-2.1.11-35.el7.x86_64.rpm abrt-addon-xorg-2.1.11-35.el7.x86_64.rpm abrt-cli-2.1.11-35.el7.x86_64.rpm abrt-console-notification-2.1.11-35.el7.x86_64.rpm abrt-dbus-2.1.11-35.el7.x86_64.rpm abrt-debuginfo-2.1.11-35.el7.i686.rpm abrt-debuginfo-2.1.11-35.el7.x86_64.rpm abrt-libs-2.1.11-35.el7.i686.rpm abrt-libs-2.1.11-35.el7.x86_64.rpm abrt-python-2.1.11-35.el7.x86_64.rpm abrt-tui-2.1.11-35.el7.x86_64.rpm libreport-2.1.11-31.el7.i686.rpm libreport-2.1.11-31.el7.x86_64.rpm libreport-anaconda-2.1.11-31.el7.x86_64.rpm libreport-cli-2.1.11-31.el7.x86_64.rpm libreport-debuginfo-2.1.11-31.el7.i686.rpm libreport-debuginfo-2.1.11-31.el7.x86_64.rpm libreport-filesystem-2.1.11-31.el7.x86_64.rpm libreport-gtk-2.1.11-31.el7.i686.rpm libreport-gtk-2.1.11-31.el7.x86_64.rpm libreport-plugin-bugzilla-2.1.11-31.el7.x86_64.rpm libreport-plugin-mailx-2.1.11-31.el7.x86_64.rpm libreport-plugin-reportuploader-2.1.11-31.el7.x86_64.rpm libreport-plugin-rhtsupport-2.1.11-31.el7.x86_64.rpm libreport-plugin-ureport-2.1.11-31.el7.x86_64.rpm libreport-python-2.1.11-31.el7.x86_64.rpm libreport-rhel-2.1.11-31.el7.x86_64.rpm libreport-rhel-anaconda-bugzilla-2.1.11-31.el7.x86_64.rpm libreport-web-2.1.11-31.el7.i686.rpm libreport-web-2.1.11-31.el7.x86_64.rpm Red Hat Enterprise Linux ComputeNode Optional (v. 
7): noarch: abrt-python-doc-2.1.11-35.el7.noarch.rpm x86_64: abrt-addon-upload-watch-2.1.11-35.el7.x86_64.rpm abrt-debuginfo-2.1.11-35.el7.i686.rpm abrt-debuginfo-2.1.11-35.el7.x86_64.rpm abrt-desktop-2.1.11-35.el7.x86_64.rpm abrt-devel-2.1.11-35.el7.i686.rpm abrt-devel-2.1.11-35.el7.x86_64.rpm abrt-gui-2.1.11-35.el7.x86_64.rpm abrt-gui-devel-2.1.11-35.el7.i686.rpm abrt-gui-devel-2.1.11-35.el7.x86_64.rpm abrt-gui-libs-2.1.11-35.el7.i686.rpm abrt-gui-libs-2.1.11-35.el7.x86_64.rpm abrt-retrace-client-2.1.11-35.el7.x86_64.rpm libreport-compat-2.1.11-31.el7.x86_64.rpm libreport-debuginfo-2.1.11-31.el7.i686.rpm libreport-debuginfo-2.1.11-31.el7.x86_64.rpm libreport-devel-2.1.11-31.el7.i686.rpm libreport-devel-2.1.11-31.el7.x86_64.rpm libreport-gtk-devel-2.1.11-31.el7.i686.rpm libreport-gtk-devel-2.1.11-31.el7.x86_64.rpm libreport-newt-2.1.11-31.el7.x86_64.rpm libreport-plugin-kerneloops-2.1.11-31.el7.x86_64.rpm libreport-plugin-logger-2.1.11-31.el7.x86_64.rpm libreport-rhel-bugzilla-2.1.11-31.el7.x86_64.rpm libreport-web-devel-2.1.11-31.el7.i686.rpm libreport-web-devel-2.1.11-31.el7.x86_64.rpm Red Hat Enterprise Linux Server (v. 
7): Source: abrt-2.1.11-35.el7.src.rpm libreport-2.1.11-31.el7.src.rpm aarch64: abrt-2.1.11-35.el7.aarch64.rpm abrt-addon-ccpp-2.1.11-35.el7.aarch64.rpm abrt-addon-kerneloops-2.1.11-35.el7.aarch64.rpm abrt-addon-pstoreoops-2.1.11-35.el7.aarch64.rpm abrt-addon-python-2.1.11-35.el7.aarch64.rpm abrt-addon-vmcore-2.1.11-35.el7.aarch64.rpm abrt-addon-xorg-2.1.11-35.el7.aarch64.rpm abrt-cli-2.1.11-35.el7.aarch64.rpm abrt-console-notification-2.1.11-35.el7.aarch64.rpm abrt-dbus-2.1.11-35.el7.aarch64.rpm abrt-debuginfo-2.1.11-35.el7.aarch64.rpm abrt-desktop-2.1.11-35.el7.aarch64.rpm abrt-gui-2.1.11-35.el7.aarch64.rpm abrt-gui-libs-2.1.11-35.el7.aarch64.rpm abrt-libs-2.1.11-35.el7.aarch64.rpm abrt-python-2.1.11-35.el7.aarch64.rpm abrt-tui-2.1.11-35.el7.aarch64.rpm libreport-2.1.11-31.el7.aarch64.rpm libreport-anaconda-2.1.11-31.el7.aarch64.rpm libreport-cli-2.1.11-31.el7.aarch64.rpm libreport-debuginfo-2.1.11-31.el7.aarch64.rpm libreport-filesystem-2.1.11-31.el7.aarch64.rpm libreport-gtk-2.1.11-31.el7.aarch64.rpm libreport-plugin-bugzilla-2.1.11-31.el7.aarch64.rpm libreport-plugin-mailx-2.1.11-31.el7.aarch64.rpm libreport-plugin-reportuploader-2.1.11-31.el7.aarch64.rpm libreport-plugin-rhtsupport-2.1.11-31.el7.aarch64.rpm libreport-plugin-ureport-2.1.11-31.el7.aarch64.rpm libreport-python-2.1.11-31.el7.aarch64.rpm libreport-rhel-2.1.11-31.el7.aarch64.rpm libreport-rhel-anaconda-bugzilla-2.1.11-31.el7.aarch64.rpm libreport-web-2.1.11-31.el7.aarch64.rpm ppc64: abrt-2.1.11-35.el7.ppc64.rpm abrt-addon-ccpp-2.1.11-35.el7.ppc64.rpm abrt-addon-kerneloops-2.1.11-35.el7.ppc64.rpm abrt-addon-pstoreoops-2.1.11-35.el7.ppc64.rpm abrt-addon-python-2.1.11-35.el7.ppc64.rpm abrt-addon-vmcore-2.1.11-35.el7.ppc64.rpm abrt-addon-xorg-2.1.11-35.el7.ppc64.rpm abrt-cli-2.1.11-35.el7.ppc64.rpm abrt-console-notification-2.1.11-35.el7.ppc64.rpm abrt-dbus-2.1.11-35.el7.ppc64.rpm abrt-debuginfo-2.1.11-35.el7.ppc.rpm abrt-debuginfo-2.1.11-35.el7.ppc64.rpm abrt-desktop-2.1.11-35.el7.ppc64.rpm 
abrt-gui-2.1.11-35.el7.ppc64.rpm abrt-gui-libs-2.1.11-35.el7.ppc.rpm abrt-gui-libs-2.1.11-35.el7.ppc64.rpm abrt-libs-2.1.11-35.el7.ppc.rpm abrt-libs-2.1.11-35.el7.ppc64.rpm abrt-python-2.1.11-35.el7.ppc64.rpm abrt-tui-2.1.11-35.el7.ppc64.rpm libreport-2.1.11-31.el7.ppc.rpm libreport-2.1.11-31.el7.ppc64.rpm libreport-anaconda-2.1.11-31.el7.ppc64.rpm libreport-cli-2.1.11-31.el7.ppc64.rpm libreport-debuginfo-2.1.11-31.el7.ppc.rpm libreport-debuginfo-2.1.11-31.el7.ppc64.rpm libreport-filesystem-2.1.11-31.el7.ppc64.rpm libreport-gtk-2.1.11-31.el7.ppc.rpm libreport-gtk-2.1.11-31.el7.ppc64.rpm libreport-plugin-bugzilla-2.1.11-31.el7.ppc64.rpm libreport-plugin-mailx-2.1.11-31.el7.ppc64.rpm libreport-plugin-reportuploader-2.1.11-31.el7.ppc64.rpm libreport-plugin-rhtsupport-2.1.11-31.el7.ppc64.rpm libreport-plugin-ureport-2.1.11-31.el7.ppc64.rpm libreport-python-2.1.11-31.el7.ppc64.rpm libreport-rhel-2.1.11-31.el7.ppc64.rpm libreport-rhel-anaconda-bugzilla-2.1.11-31.el7.ppc64.rpm libreport-web-2.1.11-31.el7.ppc.rpm libreport-web-2.1.11-31.el7.ppc64.rpm ppc64le: abrt-2.1.11-35.el7.ppc64le.rpm abrt-addon-ccpp-2.1.11-35.el7.ppc64le.rpm abrt-addon-kerneloops-2.1.11-35.el7.ppc64le.rpm abrt-addon-pstoreoops-2.1.11-35.el7.ppc64le.rpm abrt-addon-python-2.1.11-35.el7.ppc64le.rpm abrt-addon-vmcore-2.1.11-35.el7.ppc64le.rpm abrt-addon-xorg-2.1.11-35.el7.ppc64le.rpm abrt-cli-2.1.11-35.el7.ppc64le.rpm abrt-console-notification-2.1.11-35.el7.ppc64le.rpm abrt-dbus-2.1.11-35.el7.ppc64le.rpm abrt-debuginfo-2.1.11-35.el7.ppc64le.rpm abrt-desktop-2.1.11-35.el7.ppc64le.rpm abrt-gui-2.1.11-35.el7.ppc64le.rpm abrt-gui-libs-2.1.11-35.el7.ppc64le.rpm abrt-libs-2.1.11-35.el7.ppc64le.rpm abrt-python-2.1.11-35.el7.ppc64le.rpm abrt-tui-2.1.11-35.el7.ppc64le.rpm libreport-2.1.11-31.el7.ppc64le.rpm libreport-anaconda-2.1.11-31.el7.ppc64le.rpm libreport-cli-2.1.11-31.el7.ppc64le.rpm libreport-debuginfo-2.1.11-31.el7.ppc64le.rpm libreport-filesystem-2.1.11-31.el7.ppc64le.rpm 
libreport-gtk-2.1.11-31.el7.ppc64le.rpm libreport-plugin-bugzilla-2.1.11-31.el7.ppc64le.rpm libreport-plugin-mailx-2.1.11-31.el7.ppc64le.rpm libreport-plugin-reportuploader-2.1.11-31.el7.ppc64le.rpm libreport-plugin-rhtsupport-2.1.11-31.el7.ppc64le.rpm libreport-plugin-ureport-2.1.11-31.el7.ppc64le.rpm libreport-python-2.1.11-31.el7.ppc64le.rpm libreport-rhel-2.1.11-31.el7.ppc64le.rpm libreport-rhel-anaconda-bugzilla-2.1.11-31.el7.ppc64le.rpm libreport-web-2.1.11-31.el7.ppc64le.rpm s390x: abrt-2.1.11-35.el7.s390x.rpm abrt-addon-ccpp-2.1.11-35.el7.s390x.rpm abrt-addon-kerneloops-2.1.11-35.el7.s390x.rpm abrt-addon-pstoreoops-2.1.11-35.el7.s390x.rpm abrt-addon-python-2.1.11-35.el7.s390x.rpm abrt-addon-vmcore-2.1.11-35.el7.s390x.rpm abrt-addon-xorg-2.1.11-35.el7.s390x.rpm abrt-cli-2.1.11-35.el7.s390x.rpm abrt-console-notification-2.1.11-35.el7.s390x.rpm abrt-dbus-2.1.11-35.el7.s390x.rpm abrt-debuginfo-2.1.11-35.el7.s390.rpm abrt-debuginfo-2.1.11-35.el7.s390x.rpm abrt-desktop-2.1.11-35.el7.s390x.rpm abrt-gui-2.1.11-35.el7.s390x.rpm abrt-gui-libs-2.1.11-35.el7.s390.rpm abrt-gui-libs-2.1.11-35.el7.s390x.rpm abrt-libs-2.1.11-35.el7.s390.rpm abrt-libs-2.1.11-35.el7.s390x.rpm abrt-python-2.1.11-35.el7.s390x.rpm abrt-tui-2.1.11-35.el7.s390x.rpm libreport-2.1.11-31.el7.s390.rpm libreport-2.1.11-31.el7.s390x.rpm libreport-anaconda-2.1.11-31.el7.s390x.rpm libreport-cli-2.1.11-31.el7.s390x.rpm libreport-debuginfo-2.1.11-31.el7.s390.rpm libreport-debuginfo-2.1.11-31.el7.s390x.rpm libreport-filesystem-2.1.11-31.el7.s390x.rpm libreport-gtk-2.1.11-31.el7.s390.rpm libreport-gtk-2.1.11-31.el7.s390x.rpm libreport-plugin-bugzilla-2.1.11-31.el7.s390x.rpm libreport-plugin-mailx-2.1.11-31.el7.s390x.rpm libreport-plugin-reportuploader-2.1.11-31.el7.s390x.rpm libreport-plugin-rhtsupport-2.1.11-31.el7.s390x.rpm libreport-plugin-ureport-2.1.11-31.el7.s390x.rpm libreport-python-2.1.11-31.el7.s390x.rpm libreport-rhel-2.1.11-31.el7.s390x.rpm libreport-rhel-anaconda-bugzilla-2.1.11-31.el7.s390x.rpm 
libreport-web-2.1.11-31.el7.s390.rpm libreport-web-2.1.11-31.el7.s390x.rpm x86_64: abrt-2.1.11-35.el7.x86_64.rpm abrt-addon-ccpp-2.1.11-35.el7.x86_64.rpm abrt-addon-kerneloops-2.1.11-35.el7.x86_64.rpm abrt-addon-pstoreoops-2.1.11-35.el7.x86_64.rpm abrt-addon-python-2.1.11-35.el7.x86_64.rpm abrt-addon-vmcore-2.1.11-35.el7.x86_64.rpm abrt-addon-xorg-2.1.11-35.el7.x86_64.rpm abrt-cli-2.1.11-35.el7.x86_64.rpm abrt-console-notification-2.1.11-35.el7.x86_64.rpm abrt-dbus-2.1.11-35.el7.x86_64.rpm abrt-debuginfo-2.1.11-35.el7.i686.rpm abrt-debuginfo-2.1.11-35.el7.x86_64.rpm abrt-desktop-2.1.11-35.el7.x86_64.rpm abrt-gui-2.1.11-35.el7.x86_64.rpm abrt-gui-libs-2.1.11-35.el7.i686.rpm abrt-gui-libs-2.1.11-35.el7.x86_64.rpm abrt-libs-2.1.11-35.el7.i686.rpm abrt-libs-2.1.11-35.el7.x86_64.rpm abrt-python-2.1.11-35.el7.x86_64.rpm abrt-tui-2.1.11-35.el7.x86_64.rpm libreport-2.1.11-31.el7.i686.rpm libreport-2.1.11-31.el7.x86_64.rpm libreport-anaconda-2.1.11-31.el7.x86_64.rpm libreport-cli-2.1.11-31.el7.x86_64.rpm libreport-debuginfo-2.1.11-31.el7.i686.rpm libreport-debuginfo-2.1.11-31.el7.x86_64.rpm libreport-filesystem-2.1.11-31.el7.x86_64.rpm libreport-gtk-2.1.11-31.el7.i686.rpm libreport-gtk-2.1.11-31.el7.x86_64.rpm libreport-plugin-bugzilla-2.1.11-31.el7.x86_64.rpm libreport-plugin-mailx-2.1.11-31.el7.x86_64.rpm libreport-plugin-reportuploader-2.1.11-31.el7.x86_64.rpm libreport-plugin-rhtsupport-2.1.11-31.el7.x86_64.rpm libreport-plugin-ureport-2.1.11-31.el7.x86_64.rpm libreport-python-2.1.11-31.el7.x86_64.rpm libreport-rhel-2.1.11-31.el7.x86_64.rpm libreport-rhel-anaconda-bugzilla-2.1.11-31.el7.x86_64.rpm libreport-web-2.1.11-31.el7.i686.rpm libreport-web-2.1.11-31.el7.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 
7): aarch64: abrt-addon-upload-watch-2.1.11-35.el7.aarch64.rpm abrt-debuginfo-2.1.11-35.el7.aarch64.rpm abrt-devel-2.1.11-35.el7.aarch64.rpm abrt-gui-devel-2.1.11-35.el7.aarch64.rpm abrt-retrace-client-2.1.11-35.el7.aarch64.rpm libreport-compat-2.1.11-31.el7.aarch64.rpm libreport-debuginfo-2.1.11-31.el7.aarch64.rpm libreport-devel-2.1.11-31.el7.aarch64.rpm libreport-gtk-devel-2.1.11-31.el7.aarch64.rpm libreport-newt-2.1.11-31.el7.aarch64.rpm libreport-plugin-kerneloops-2.1.11-31.el7.aarch64.rpm libreport-plugin-logger-2.1.11-31.el7.aarch64.rpm libreport-rhel-bugzilla-2.1.11-31.el7.aarch64.rpm libreport-web-devel-2.1.11-31.el7.aarch64.rpm noarch: abrt-python-doc-2.1.11-35.el7.noarch.rpm ppc64: abrt-addon-upload-watch-2.1.11-35.el7.ppc64.rpm abrt-debuginfo-2.1.11-35.el7.ppc.rpm abrt-debuginfo-2.1.11-35.el7.ppc64.rpm abrt-devel-2.1.11-35.el7.ppc.rpm abrt-devel-2.1.11-35.el7.ppc64.rpm abrt-gui-devel-2.1.11-35.el7.ppc.rpm abrt-gui-devel-2.1.11-35.el7.ppc64.rpm abrt-retrace-client-2.1.11-35.el7.ppc64.rpm libreport-compat-2.1.11-31.el7.ppc64.rpm libreport-debuginfo-2.1.11-31.el7.ppc.rpm libreport-debuginfo-2.1.11-31.el7.ppc64.rpm libreport-devel-2.1.11-31.el7.ppc.rpm libreport-devel-2.1.11-31.el7.ppc64.rpm libreport-gtk-devel-2.1.11-31.el7.ppc.rpm libreport-gtk-devel-2.1.11-31.el7.ppc64.rpm libreport-newt-2.1.11-31.el7.ppc64.rpm libreport-plugin-kerneloops-2.1.11-31.el7.ppc64.rpm libreport-plugin-logger-2.1.11-31.el7.ppc64.rpm libreport-rhel-bugzilla-2.1.11-31.el7.ppc64.rpm libreport-web-devel-2.1.11-31.el7.ppc.rpm libreport-web-devel-2.1.11-31.el7.ppc64.rpm ppc64le: abrt-addon-upload-watch-2.1.11-35.el7.ppc64le.rpm abrt-debuginfo-2.1.11-35.el7.ppc64le.rpm abrt-devel-2.1.11-35.el7.ppc64le.rpm abrt-gui-devel-2.1.11-35.el7.ppc64le.rpm abrt-retrace-client-2.1.11-35.el7.ppc64le.rpm libreport-compat-2.1.11-31.el7.ppc64le.rpm libreport-debuginfo-2.1.11-31.el7.ppc64le.rpm libreport-devel-2.1.11-31.el7.ppc64le.rpm libreport-gtk-devel-2.1.11-31.el7.ppc64le.rpm 
libreport-newt-2.1.11-31.el7.ppc64le.rpm libreport-plugin-kerneloops-2.1.11-31.el7.ppc64le.rpm libreport-plugin-logger-2.1.11-31.el7.ppc64le.rpm libreport-rhel-bugzilla-2.1.11-31.el7.ppc64le.rpm libreport-web-devel-2.1.11-31.el7.ppc64le.rpm s390x: abrt-addon-upload-watch-2.1.11-35.el7.s390x.rpm abrt-debuginfo-2.1.11-35.el7.s390.rpm abrt-debuginfo-2.1.11-35.el7.s390x.rpm abrt-devel-2.1.11-35.el7.s390.rpm abrt-devel-2.1.11-35.el7.s390x.rpm abrt-gui-devel-2.1.11-35.el7.s390.rpm abrt-gui-devel-2.1.11-35.el7.s390x.rpm abrt-retrace-client-2.1.11-35.el7.s390x.rpm libreport-compat-2.1.11-31.el7.s390x.rpm libreport-debuginfo-2.1.11-31.el7.s390.rpm libreport-debuginfo-2.1.11-31.el7.s390x.rpm libreport-devel-2.1.11-31.el7.s390.rpm libreport-devel-2.1.11-31.el7.s390x.rpm libreport-gtk-devel-2.1.11-31.el7.s390.rpm libreport-gtk-devel-2.1.11-31.el7.s390x.rpm libreport-newt-2.1.11-31.el7.s390x.rpm libreport-plugin-kerneloops-2.1.11-31.el7.s390x.rpm libreport-plugin-logger-2.1.11-31.el7.s390x.rpm libreport-rhel-bugzilla-2.1.11-31.el7.s390x.rpm libreport-web-devel-2.1.11-31.el7.s390.rpm libreport-web-devel-2.1.11-31.el7.s390x.rpm x86_64: abrt-addon-upload-watch-2.1.11-35.el7.x86_64.rpm abrt-debuginfo-2.1.11-35.el7.i686.rpm abrt-debuginfo-2.1.11-35.el7.x86_64.rpm abrt-devel-2.1.11-35.el7.i686.rpm abrt-devel-2.1.11-35.el7.x86_64.rpm abrt-gui-devel-2.1.11-35.el7.i686.rpm abrt-gui-devel-2.1.11-35.el7.x86_64.rpm abrt-retrace-client-2.1.11-35.el7.x86_64.rpm libreport-compat-2.1.11-31.el7.x86_64.rpm libreport-debuginfo-2.1.11-31.el7.i686.rpm libreport-debuginfo-2.1.11-31.el7.x86_64.rpm libreport-devel-2.1.11-31.el7.i686.rpm libreport-devel-2.1.11-31.el7.x86_64.rpm libreport-gtk-devel-2.1.11-31.el7.i686.rpm libreport-gtk-devel-2.1.11-31.el7.x86_64.rpm libreport-newt-2.1.11-31.el7.x86_64.rpm libreport-plugin-kerneloops-2.1.11-31.el7.x86_64.rpm libreport-plugin-logger-2.1.11-31.el7.x86_64.rpm libreport-rhel-bugzilla-2.1.11-31.el7.x86_64.rpm libreport-web-devel-2.1.11-31.el7.i686.rpm 
libreport-web-devel-2.1.11-31.el7.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
abrt-2.1.11-35.el7.src.rpm
libreport-2.1.11-31.el7.src.rpm

x86_64:
abrt-2.1.11-35.el7.x86_64.rpm
abrt-addon-ccpp-2.1.11-35.el7.x86_64.rpm
abrt-addon-kerneloops-2.1.11-35.el7.x86_64.rpm
abrt-addon-pstoreoops-2.1.11-35.el7.x86_64.rpm
abrt-addon-python-2.1.11-35.el7.x86_64.rpm
abrt-addon-vmcore-2.1.11-35.el7.x86_64.rpm
abrt-addon-xorg-2.1.11-35.el7.x86_64.rpm
abrt-cli-2.1.11-35.el7.x86_64.rpm
abrt-console-notification-2.1.11-35.el7.x86_64.rpm
abrt-dbus-2.1.11-35.el7.x86_64.rpm
abrt-debuginfo-2.1.11-35.el7.i686.rpm
abrt-debuginfo-2.1.11-35.el7.x86_64.rpm
abrt-desktop-2.1.11-35.el7.x86_64.rpm
abrt-gui-2.1.11-35.el7.x86_64.rpm
abrt-gui-libs-2.1.11-35.el7.i686.rpm
abrt-gui-libs-2.1.11-35.el7.x86_64.rpm
abrt-libs-2.1.11-35.el7.i686.rpm
abrt-libs-2.1.11-35.el7.x86_64.rpm
abrt-python-2.1.11-35.el7.x86_64.rpm
abrt-tui-2.1.11-35.el7.x86_64.rpm
libreport-2.1.11-31.el7.i686.rpm
libreport-2.1.11-31.el7.x86_64.rpm
libreport-anaconda-2.1.11-31.el7.x86_64.rpm
libreport-cli-2.1.11-31.el7.x86_64.rpm
libreport-debuginfo-2.1.11-31.el7.i686.rpm
libreport-debuginfo-2.1.11-31.el7.x86_64.rpm
libreport-filesystem-2.1.11-31.el7.x86_64.rpm
libreport-gtk-2.1.11-31.el7.i686.rpm
libreport-gtk-2.1.11-31.el7.x86_64.rpm
libreport-plugin-bugzilla-2.1.11-31.el7.x86_64.rpm
libreport-plugin-mailx-2.1.11-31.el7.x86_64.rpm
libreport-plugin-reportuploader-2.1.11-31.el7.x86_64.rpm
libreport-plugin-rhtsupport-2.1.11-31.el7.x86_64.rpm
libreport-plugin-ureport-2.1.11-31.el7.x86_64.rpm
libreport-python-2.1.11-31.el7.x86_64.rpm
libreport-rhel-2.1.11-31.el7.x86_64.rpm
libreport-rhel-anaconda-bugzilla-2.1.11-31.el7.x86_64.rpm
libreport-web-2.1.11-31.el7.i686.rpm
libreport-web-2.1.11-31.el7.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

noarch:
abrt-python-doc-2.1.11-35.el7.noarch.rpm

x86_64:
abrt-addon-upload-watch-2.1.11-35.el7.x86_64.rpm
abrt-debuginfo-2.1.11-35.el7.i686.rpm
abrt-debuginfo-2.1.11-35.el7.x86_64.rpm
abrt-devel-2.1.11-35.el7.i686.rpm
abrt-devel-2.1.11-35.el7.x86_64.rpm
abrt-gui-devel-2.1.11-35.el7.i686.rpm
abrt-gui-devel-2.1.11-35.el7.x86_64.rpm
abrt-retrace-client-2.1.11-35.el7.x86_64.rpm
libreport-compat-2.1.11-31.el7.x86_64.rpm
libreport-debuginfo-2.1.11-31.el7.i686.rpm
libreport-debuginfo-2.1.11-31.el7.x86_64.rpm
libreport-devel-2.1.11-31.el7.i686.rpm
libreport-devel-2.1.11-31.el7.x86_64.rpm
libreport-gtk-devel-2.1.11-31.el7.i686.rpm
libreport-gtk-devel-2.1.11-31.el7.x86_64.rpm
libreport-newt-2.1.11-31.el7.x86_64.rpm
libreport-plugin-kerneloops-2.1.11-31.el7.x86_64.rpm
libreport-plugin-logger-2.1.11-31.el7.x86_64.rpm
libreport-rhel-bugzilla-2.1.11-31.el7.x86_64.rpm
libreport-web-devel-2.1.11-31.el7.i686.rpm
libreport-web-devel-2.1.11-31.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2015-5273
https://access.redhat.com/security/cve/CVE-2015-5287
https://access.redhat.com/security/cve/CVE-2015-5302
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFWUyNqXlSAg2UNWIIRAtmJAJ9qTu+xj8J+qReBtx65aDeMJ9x00wCcDO0e
UVHcRLkw43goN46qI7AdciQ=
=9fL0
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Nov 25 18:28:18 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 25 Nov 2015 18:28:18 +0000
Subject: [RHSA-2015:2515-01] Moderate: git19-git security update
Message-ID: <201511251826.tAPIQewJ024568@int-mx11.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: git19-git security update
Advisory ID: RHSA-2015:2515-01
Product: Red Hat Software Collections
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-2515.html
Issue date: 2015-11-25
=====================================================================

1. Summary:

Updated git19-git packages that fix one security issue are now available for Red Hat Software Collections 2.

Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.5) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.6) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.1) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64

3. Description:

Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection.

A flaw was found in the way the git-remote-ext helper processed certain URLs. If a user had Git configured to automatically clone submodules from untrusted repositories, an attacker could inject commands into the URL of a submodule, allowing them to execute arbitrary code on the user's system. (BZ#1269794)

All git19-git users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1269794 - git: arbitrary code execution via crafted URLs

6. Package List:

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6):

Source:
git19-git-1.9.4-3.el6.1.src.rpm

noarch:
git19-emacs-git-1.9.4-3.el6.1.noarch.rpm
git19-emacs-git-el-1.9.4-3.el6.1.noarch.rpm
git19-git-all-1.9.4-3.el6.1.noarch.rpm
git19-git-cvs-1.9.4-3.el6.1.noarch.rpm
git19-git-email-1.9.4-3.el6.1.noarch.rpm
git19-git-gui-1.9.4-3.el6.1.noarch.rpm
git19-gitk-1.9.4-3.el6.1.noarch.rpm
git19-gitweb-1.9.4-3.el6.1.noarch.rpm
git19-perl-Git-1.9.4-3.el6.1.noarch.rpm
git19-perl-Git-SVN-1.9.4-3.el6.1.noarch.rpm

x86_64:
git19-git-1.9.4-3.el6.1.x86_64.rpm
git19-git-daemon-1.9.4-3.el6.1.x86_64.rpm
git19-git-debuginfo-1.9.4-3.el6.1.x86_64.rpm
git19-git-svn-1.9.4-3.el6.1.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.5):

Source:
git19-git-1.9.4-3.el6.1.src.rpm

noarch:
git19-emacs-git-1.9.4-3.el6.1.noarch.rpm
git19-emacs-git-el-1.9.4-3.el6.1.noarch.rpm
git19-git-all-1.9.4-3.el6.1.noarch.rpm
git19-git-cvs-1.9.4-3.el6.1.noarch.rpm
git19-git-email-1.9.4-3.el6.1.noarch.rpm
git19-git-gui-1.9.4-3.el6.1.noarch.rpm
git19-gitk-1.9.4-3.el6.1.noarch.rpm
git19-gitweb-1.9.4-3.el6.1.noarch.rpm
git19-perl-Git-1.9.4-3.el6.1.noarch.rpm
git19-perl-Git-SVN-1.9.4-3.el6.1.noarch.rpm

x86_64:
git19-git-1.9.4-3.el6.1.x86_64.rpm
git19-git-daemon-1.9.4-3.el6.1.x86_64.rpm
git19-git-debuginfo-1.9.4-3.el6.1.x86_64.rpm
git19-git-svn-1.9.4-3.el6.1.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.6):

Source:
git19-git-1.9.4-3.el6.1.src.rpm

noarch:
git19-emacs-git-1.9.4-3.el6.1.noarch.rpm
git19-emacs-git-el-1.9.4-3.el6.1.noarch.rpm
git19-git-all-1.9.4-3.el6.1.noarch.rpm
git19-git-cvs-1.9.4-3.el6.1.noarch.rpm
git19-git-email-1.9.4-3.el6.1.noarch.rpm
git19-git-gui-1.9.4-3.el6.1.noarch.rpm
git19-gitk-1.9.4-3.el6.1.noarch.rpm
git19-gitweb-1.9.4-3.el6.1.noarch.rpm
git19-perl-Git-1.9.4-3.el6.1.noarch.rpm
git19-perl-Git-SVN-1.9.4-3.el6.1.noarch.rpm

x86_64:
git19-git-1.9.4-3.el6.1.x86_64.rpm
git19-git-daemon-1.9.4-3.el6.1.x86_64.rpm
git19-git-debuginfo-1.9.4-3.el6.1.x86_64.rpm
git19-git-svn-1.9.4-3.el6.1.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7):

Source:
git19-git-1.9.4-3.el6.1.src.rpm

noarch:
git19-emacs-git-1.9.4-3.el6.1.noarch.rpm
git19-emacs-git-el-1.9.4-3.el6.1.noarch.rpm
git19-git-all-1.9.4-3.el6.1.noarch.rpm
git19-git-cvs-1.9.4-3.el6.1.noarch.rpm
git19-git-email-1.9.4-3.el6.1.noarch.rpm
git19-git-gui-1.9.4-3.el6.1.noarch.rpm
git19-gitk-1.9.4-3.el6.1.noarch.rpm
git19-gitweb-1.9.4-3.el6.1.noarch.rpm
git19-perl-Git-1.9.4-3.el6.1.noarch.rpm
git19-perl-Git-SVN-1.9.4-3.el6.1.noarch.rpm

x86_64:
git19-git-1.9.4-3.el6.1.x86_64.rpm
git19-git-daemon-1.9.4-3.el6.1.x86_64.rpm
git19-git-debuginfo-1.9.4-3.el6.1.x86_64.rpm
git19-git-svn-1.9.4-3.el6.1.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6):

Source:
git19-git-1.9.4-3.el6.1.src.rpm

noarch:
git19-emacs-git-1.9.4-3.el6.1.noarch.rpm
git19-emacs-git-el-1.9.4-3.el6.1.noarch.rpm
git19-git-all-1.9.4-3.el6.1.noarch.rpm
git19-git-cvs-1.9.4-3.el6.1.noarch.rpm
git19-git-email-1.9.4-3.el6.1.noarch.rpm
git19-git-gui-1.9.4-3.el6.1.noarch.rpm
git19-gitk-1.9.4-3.el6.1.noarch.rpm
git19-gitweb-1.9.4-3.el6.1.noarch.rpm
git19-perl-Git-1.9.4-3.el6.1.noarch.rpm
git19-perl-Git-SVN-1.9.4-3.el6.1.noarch.rpm

x86_64:
git19-git-1.9.4-3.el6.1.x86_64.rpm
git19-git-daemon-1.9.4-3.el6.1.x86_64.rpm
git19-git-debuginfo-1.9.4-3.el6.1.x86_64.rpm
git19-git-svn-1.9.4-3.el6.1.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):

Source:
git19-git-1.9.4-3.el7.1.src.rpm

noarch:
git19-emacs-git-1.9.4-3.el7.1.noarch.rpm
git19-emacs-git-el-1.9.4-3.el7.1.noarch.rpm
git19-git-all-1.9.4-3.el7.1.noarch.rpm
git19-git-bzr-1.9.4-3.el7.1.noarch.rpm
git19-git-cvs-1.9.4-3.el7.1.noarch.rpm
git19-git-email-1.9.4-3.el7.1.noarch.rpm
git19-git-gui-1.9.4-3.el7.1.noarch.rpm
git19-git-hg-1.9.4-3.el7.1.noarch.rpm
git19-gitk-1.9.4-3.el7.1.noarch.rpm
git19-gitweb-1.9.4-3.el7.1.noarch.rpm
git19-perl-Git-1.9.4-3.el7.1.noarch.rpm
git19-perl-Git-SVN-1.9.4-3.el7.1.noarch.rpm

x86_64:
git19-git-1.9.4-3.el7.1.x86_64.rpm
git19-git-daemon-1.9.4-3.el7.1.x86_64.rpm
git19-git-debuginfo-1.9.4-3.el7.1.x86_64.rpm
git19-git-svn-1.9.4-3.el7.1.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v.
7.1): Source: git19-git-1.9.4-3.el7.1.src.rpm noarch: git19-emacs-git-1.9.4-3.el7.1.noarch.rpm git19-emacs-git-el-1.9.4-3.el7.1.noarch.rpm git19-git-all-1.9.4-3.el7.1.noarch.rpm git19-git-bzr-1.9.4-3.el7.1.noarch.rpm git19-git-cvs-1.9.4-3.el7.1.noarch.rpm git19-git-email-1.9.4-3.el7.1.noarch.rpm git19-git-gui-1.9.4-3.el7.1.noarch.rpm git19-git-hg-1.9.4-3.el7.1.noarch.rpm git19-gitk-1.9.4-3.el7.1.noarch.rpm git19-gitweb-1.9.4-3.el7.1.noarch.rpm git19-perl-Git-1.9.4-3.el7.1.noarch.rpm git19-perl-Git-SVN-1.9.4-3.el7.1.noarch.rpm x86_64: git19-git-1.9.4-3.el7.1.x86_64.rpm git19-git-daemon-1.9.4-3.el7.1.x86_64.rpm git19-git-debuginfo-1.9.4-3.el7.1.x86_64.rpm git19-git-svn-1.9.4-3.el7.1.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7): Source: git19-git-1.9.4-3.el7.1.src.rpm noarch: git19-emacs-git-1.9.4-3.el7.1.noarch.rpm git19-emacs-git-el-1.9.4-3.el7.1.noarch.rpm git19-git-all-1.9.4-3.el7.1.noarch.rpm git19-git-bzr-1.9.4-3.el7.1.noarch.rpm git19-git-cvs-1.9.4-3.el7.1.noarch.rpm git19-git-email-1.9.4-3.el7.1.noarch.rpm git19-git-gui-1.9.4-3.el7.1.noarch.rpm git19-git-hg-1.9.4-3.el7.1.noarch.rpm git19-gitk-1.9.4-3.el7.1.noarch.rpm git19-gitweb-1.9.4-3.el7.1.noarch.rpm git19-perl-Git-1.9.4-3.el7.1.noarch.rpm git19-perl-Git-SVN-1.9.4-3.el7.1.noarch.rpm x86_64: git19-git-1.9.4-3.el7.1.x86_64.rpm git19-git-daemon-1.9.4-3.el7.1.x86_64.rpm git19-git-debuginfo-1.9.4-3.el7.1.x86_64.rpm git19-git-svn-1.9.4-3.el7.1.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2015 Red Hat, Inc. 
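The git19-git advisory above turns on one fact: a submodule URL of the form "ext::<command>" is handed to git-remote-ext, which runs the command, so whoever controls .gitmodules in a repository you clone recursively controls a command on your machine. The following is an added example, not code from the advisory or from the Git project: a small Python audit that classifies each submodule URL by the transport Git would select for it and rejects anything outside an allow-list. ALLOWED_TRANSPORTS is an assumed local policy, and SAMPLE_GITMODULES is a constructed file, not one from any real repository.

```python
"""Audit a .gitmodules file for submodule URLs that would select an
unsafe transport before running a recursive clone.

Added example: this is not code from the advisory or from the Git
project. The advisory's point is that "ext::<command>" URLs are handed
to git-remote-ext, which runs the command, so a submodule URL under an
attacker's control becomes code execution on the cloning machine.
ALLOWED_TRANSPORTS is an assumed local policy, and SAMPLE_GITMODULES is
a constructed file, not one taken from any real repository.
"""
import configparser
import re

# Assumed policy: transports a recursive clone may use for submodules.
ALLOWED_TRANSPORTS = {"https", "ssh", "git", "relative"}

_HELPER_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*)::")   # <helper>::...
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*)://")  # <scheme>://...
_SCP_RE = re.compile(r"^[^/:]+:")                          # [user@]host:path


def url_transport(url):
    """Name the transport Git would select for a remote URL.

    Git looks for a "<helper>::" prefix first and dispatches to
    git-remote-<helper>; then "<scheme>://"; an scp-like "host:path" is
    ssh; "./" and "../" are paths relative to the superproject's remote;
    anything else is a local path.
    """
    m = _HELPER_RE.match(url)
    if m:
        return "helper:" + m.group(1).lower()
    m = _SCHEME_RE.match(url)
    if m:
        return m.group(1).lower()
    if url.startswith(("./", "../")):
        return "relative"
    if _SCP_RE.match(url):
        return "ssh"
    return "file"


def audit_gitmodules(text):
    """Return [(submodule name, url, reason)] for every URL the policy rejects."""
    # Git indents keys with a tab; strip that so configparser does not read
    # an indented "url = ..." line as a continuation of the previous value.
    flat = "\n".join(line.strip() for line in text.splitlines())
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(flat)
    findings = []
    for section in cp.sections():
        if not section.startswith("submodule "):
            continue
        name = section[len("submodule "):].strip().strip('"')
        url = cp.get(section, "url", fallback="").strip()
        if not url:
            findings.append((name, url, "no url configured"))
            continue
        transport = url_transport(url)
        if transport.startswith("helper:"):
            helper = transport[len("helper:"):]
            findings.append((name, url, "URL selects git-remote-%s, which executes a command taken from the URL" % helper))
        elif transport not in ALLOWED_TRANSPORTS:
            findings.append((name, url, "transport %s is not in the allow-list" % transport))
    return findings


# Constructed sample: one clean https submodule, one relative one, one
# that reaches git-remote-ext, and one absolute local path.
SAMPLE_GITMODULES = """\
[submodule "vendor/lib"]
\tpath = vendor/lib
\turl = https://git.example.invalid/lib.git
[submodule "docs"]
\tpath = docs
\turl = ../docs.git
[submodule "tools"]
\tpath = tools
\turl = ext::sh -c echo% hello
[submodule "scratch"]
\tpath = scratch
\turl = /srv/git/scratch.git
"""

if __name__ == "__main__":
    for name, url, reason in audit_gitmodules(SAMPLE_GITMODULES):
        print("submodule %r: %s (%s)" % (name, reason, url))
```

Run it against a freshly fetched superproject before `git submodule update --init --recursive` on a git that predates the fix. The helper check comes before the scheme check on purpose: Git itself dispatches on a "<helper>::" prefix before it looks at "<scheme>://", so "ext::" wins even when the rest of the URL looks like https. Upstream Git's fix for this class of bug added an allow-list of transports (the GIT_ALLOW_PROTOCOL environment variable) that performs the same role as ALLOWED_TRANSPORTS here, inside Git itself.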
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFWVf0xXlSAg2UNWIIRAnekAKCvh5z9bVlRkeGe9/5wGJUNvHSGEACfX8EU zsqtxmbc4gw+WPGLNg8IbeU= =EIuV -----END PGP SIGNATURE----- From bugzilla at redhat.com Wed Nov 25 21:38:00 2015 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Wed, 25 Nov 2015 21:38:00 +0000 Subject: [RHSA-2015:2518-01] Important: java-1.5.0-ibm security update Message-ID: <201511252138.tAPLc0LH005898@int-mx09.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: java-1.5.0-ibm security update Advisory ID: RHSA-2015:2518-01 Product: Red Hat Enterprise Linux Supplementary Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-2518.html Issue date: 2015-11-25 CVE Names: CVE-2015-4805 CVE-2015-4806 CVE-2015-4843 CVE-2015-4844 CVE-2015-4860 CVE-2015-4872 CVE-2015-4883 CVE-2015-4902 CVE-2015-4903 ===================================================================== 1. Summary: Updated java-1.5.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64 Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node Supplementary (v. 6) - x86_64 Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, ppc, s390x, x86_64 Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64 3. 
Description:

IBM J2SE version 5.0 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.

This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Further information about these flaws can be found on the IBM Java Security alerts page, listed in the References section. (CVE-2015-4805, CVE-2015-4806, CVE-2015-4843, CVE-2015-4844, CVE-2015-4860, CVE-2015-4872, CVE-2015-4883, CVE-2015-4902, CVE-2015-4903)

Red Hat would like to thank Andrea Palazzo of Truel IT for reporting the CVE-2015-4806 issue.

IBM Java SDK and JRE 5.0 will not receive software updates after September 2015. This date is referred to as the End of Service (EOS) date. Customers are advised to migrate to current versions of IBM Java at this time. IBM Java SDK and JRE versions 6 and 7 are available via the Red Hat Enterprise Linux 5 and 6 Supplementary content sets and will continue to receive updates based on IBM's lifecycle policy, linked to in the References section. Customers can also consider OpenJDK, an open source implementation of the Java SE specification. OpenJDK is available by default on supported hardware architectures.

All users of java-1.5.0-ibm are advised to upgrade to these updated packages, containing the IBM J2SE 5.0 SR16-FP14 release. All running instances of IBM Java must be restarted for this update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5.
Bugs fixed (https://bugzilla.redhat.com/):

1233687 - CVE-2015-4806 OpenJDK: HttpURLConnection header restriction bypass (Libraries, 8130193)
1273053 - CVE-2015-4843 OpenJDK: java.nio Buffers integer overflow issues (Libraries, 8130891)
1273304 - CVE-2015-4883 OpenJDK: incorrect access control context used in DGCClient (RMI, 8076413)
1273308 - CVE-2015-4860 OpenJDK: incorrect access control context used in DGCImpl (RMI, 8080688)
1273311 - CVE-2015-4805 OpenJDK: missing checks for proper initialization in ObjectStreamClass (Serialization, 8103671)
1273318 - CVE-2015-4844 ICU: missing boundary checks in layout engine (OpenJDK 2D, 8132042)
1273496 - CVE-2015-4903 OpenJDK: insufficient proxy class checks in RemoteObjectInvocationHandler (RMI, 8076339)
1273734 - CVE-2015-4872 OpenJDK: incomplete constraints enforcement by AlgorithmChecker (Security, 8131291)
1273860 - CVE-2015-4902 Oracle JDK: unspecified vulnerability fixed in 6u105, 7u91 and 8u65 (Deployment)

6. Package List:

Red Hat Enterprise Linux Desktop Supplementary (v.
5): i386: java-1.5.0-ibm-1.5.0.16.14-1jpp.1.el5.i386.rpm java-1.5.0-ibm-accessibility-1.5.0.16.14-1jpp.1.el5.i386.rpm java-1.5.0-ibm-demo-1.5.0.16.14-1jpp.1.el5.i386.rpm java-1.5.0-ibm-devel-1.5.0.16.14-1jpp.1.el5.i386.rpm java-1.5.0-ibm-javacomm-1.5.0.16.14-1jpp.1.el5.i386.rpm java-1.5.0-ibm-jdbc-1.5.0.16.14-1jpp.1.el5.i386.rpm java-1.5.0-ibm-plugin-1.5.0.16.14-1jpp.1.el5.i386.rpm java-1.5.0-ibm-src-1.5.0.16.14-1jpp.1.el5.i386.rpm x86_64: java-1.5.0-ibm-1.5.0.16.14-1jpp.1.el5.i386.rpm java-1.5.0-ibm-1.5.0.16.14-1jpp.1.el5.x86_64.rpm java-1.5.0-ibm-accessibility-1.5.0.16.14-1jpp.1.el5.x86_64.rpm java-1.5.0-ibm-demo-1.5.0.16.14-1jpp.1.el5.i386.rpm java-1.5.0-ibm-demo-1.5.0.16.14-1jpp.1.el5.x86_64.rpm java-1.5.0-ibm-devel-1.5.0.16.14-1jpp.1.el5.i386.rpm java-1.5.0-ibm-devel-1.5.0.16.14-1jpp.1.el5.x86_64.rpm java-1.5.0-ibm-javacomm-1.5.0.16.14-1jpp.1.el5.i386.rpm java-1.5.0-ibm-javacomm-1.5.0.16.14-1jpp.1.el5.x86_64.rpm java-1.5.0-ibm-jdbc-1.5.0.16.14-1jpp.1.el5.i386.rpm java-1.5.0-ibm-plugin-1.5.0.16.14-1jpp.1.el5.i386.rpm java-1.5.0-ibm-src-1.5.0.16.14-1jpp.1.el5.i386.rpm java-1.5.0-ibm-src-1.5.0.16.14-1jpp.1.el5.x86_64.rpm Red Hat Enterprise Linux Server Supplementary (v. 
5): i386: java-1.5.0-ibm-1.5.0.16.14-1jpp.1.el5.i386.rpm java-1.5.0-ibm-accessibility-1.5.0.16.14-1jpp.1.el5.i386.rpm java-1.5.0-ibm-demo-1.5.0.16.14-1jpp.1.el5.i386.rpm java-1.5.0-ibm-devel-1.5.0.16.14-1jpp.1.el5.i386.rpm java-1.5.0-ibm-javacomm-1.5.0.16.14-1jpp.1.el5.i386.rpm java-1.5.0-ibm-jdbc-1.5.0.16.14-1jpp.1.el5.i386.rpm java-1.5.0-ibm-plugin-1.5.0.16.14-1jpp.1.el5.i386.rpm java-1.5.0-ibm-src-1.5.0.16.14-1jpp.1.el5.i386.rpm ppc: java-1.5.0-ibm-1.5.0.16.14-1jpp.1.el5.ppc.rpm java-1.5.0-ibm-1.5.0.16.14-1jpp.1.el5.ppc64.rpm java-1.5.0-ibm-accessibility-1.5.0.16.14-1jpp.1.el5.ppc.rpm java-1.5.0-ibm-demo-1.5.0.16.14-1jpp.1.el5.ppc.rpm java-1.5.0-ibm-demo-1.5.0.16.14-1jpp.1.el5.ppc64.rpm java-1.5.0-ibm-devel-1.5.0.16.14-1jpp.1.el5.ppc.rpm java-1.5.0-ibm-devel-1.5.0.16.14-1jpp.1.el5.ppc64.rpm java-1.5.0-ibm-javacomm-1.5.0.16.14-1jpp.1.el5.ppc.rpm java-1.5.0-ibm-javacomm-1.5.0.16.14-1jpp.1.el5.ppc64.rpm java-1.5.0-ibm-jdbc-1.5.0.16.14-1jpp.1.el5.ppc.rpm java-1.5.0-ibm-plugin-1.5.0.16.14-1jpp.1.el5.ppc.rpm java-1.5.0-ibm-src-1.5.0.16.14-1jpp.1.el5.ppc.rpm java-1.5.0-ibm-src-1.5.0.16.14-1jpp.1.el5.ppc64.rpm s390x: java-1.5.0-ibm-1.5.0.16.14-1jpp.1.el5.s390.rpm java-1.5.0-ibm-1.5.0.16.14-1jpp.1.el5.s390x.rpm java-1.5.0-ibm-accessibility-1.5.0.16.14-1jpp.1.el5.s390x.rpm java-1.5.0-ibm-demo-1.5.0.16.14-1jpp.1.el5.s390.rpm java-1.5.0-ibm-demo-1.5.0.16.14-1jpp.1.el5.s390x.rpm java-1.5.0-ibm-devel-1.5.0.16.14-1jpp.1.el5.s390.rpm java-1.5.0-ibm-devel-1.5.0.16.14-1jpp.1.el5.s390x.rpm java-1.5.0-ibm-jdbc-1.5.0.16.14-1jpp.1.el5.s390.rpm java-1.5.0-ibm-src-1.5.0.16.14-1jpp.1.el5.s390.rpm java-1.5.0-ibm-src-1.5.0.16.14-1jpp.1.el5.s390x.rpm x86_64: java-1.5.0-ibm-1.5.0.16.14-1jpp.1.el5.i386.rpm java-1.5.0-ibm-1.5.0.16.14-1jpp.1.el5.x86_64.rpm java-1.5.0-ibm-accessibility-1.5.0.16.14-1jpp.1.el5.x86_64.rpm java-1.5.0-ibm-demo-1.5.0.16.14-1jpp.1.el5.i386.rpm java-1.5.0-ibm-demo-1.5.0.16.14-1jpp.1.el5.x86_64.rpm java-1.5.0-ibm-devel-1.5.0.16.14-1jpp.1.el5.i386.rpm 
java-1.5.0-ibm-devel-1.5.0.16.14-1jpp.1.el5.x86_64.rpm java-1.5.0-ibm-javacomm-1.5.0.16.14-1jpp.1.el5.i386.rpm java-1.5.0-ibm-javacomm-1.5.0.16.14-1jpp.1.el5.x86_64.rpm java-1.5.0-ibm-jdbc-1.5.0.16.14-1jpp.1.el5.i386.rpm java-1.5.0-ibm-plugin-1.5.0.16.14-1jpp.1.el5.i386.rpm java-1.5.0-ibm-src-1.5.0.16.14-1jpp.1.el5.i386.rpm java-1.5.0-ibm-src-1.5.0.16.14-1jpp.1.el5.x86_64.rpm Red Hat Enterprise Linux Desktop Supplementary (v. 6): i386: java-1.5.0-ibm-1.5.0.16.14-1jpp.1.el6_7.i686.rpm java-1.5.0-ibm-demo-1.5.0.16.14-1jpp.1.el6_7.i686.rpm java-1.5.0-ibm-devel-1.5.0.16.14-1jpp.1.el6_7.i686.rpm java-1.5.0-ibm-javacomm-1.5.0.16.14-1jpp.1.el6_7.i686.rpm java-1.5.0-ibm-jdbc-1.5.0.16.14-1jpp.1.el6_7.i686.rpm java-1.5.0-ibm-plugin-1.5.0.16.14-1jpp.1.el6_7.i686.rpm java-1.5.0-ibm-src-1.5.0.16.14-1jpp.1.el6_7.i686.rpm x86_64: java-1.5.0-ibm-1.5.0.16.14-1jpp.1.el6_7.x86_64.rpm java-1.5.0-ibm-demo-1.5.0.16.14-1jpp.1.el6_7.x86_64.rpm java-1.5.0-ibm-devel-1.5.0.16.14-1jpp.1.el6_7.x86_64.rpm java-1.5.0-ibm-javacomm-1.5.0.16.14-1jpp.1.el6_7.x86_64.rpm java-1.5.0-ibm-src-1.5.0.16.14-1jpp.1.el6_7.x86_64.rpm Red Hat Enterprise Linux HPC Node Supplementary (v. 6): x86_64: java-1.5.0-ibm-1.5.0.16.14-1jpp.1.el6_7.x86_64.rpm java-1.5.0-ibm-demo-1.5.0.16.14-1jpp.1.el6_7.x86_64.rpm java-1.5.0-ibm-devel-1.5.0.16.14-1jpp.1.el6_7.x86_64.rpm java-1.5.0-ibm-javacomm-1.5.0.16.14-1jpp.1.el6_7.x86_64.rpm java-1.5.0-ibm-src-1.5.0.16.14-1jpp.1.el6_7.x86_64.rpm Red Hat Enterprise Linux Server Supplementary (v. 
6): i386: java-1.5.0-ibm-1.5.0.16.14-1jpp.1.el6_7.i686.rpm java-1.5.0-ibm-demo-1.5.0.16.14-1jpp.1.el6_7.i686.rpm java-1.5.0-ibm-devel-1.5.0.16.14-1jpp.1.el6_7.i686.rpm java-1.5.0-ibm-javacomm-1.5.0.16.14-1jpp.1.el6_7.i686.rpm java-1.5.0-ibm-jdbc-1.5.0.16.14-1jpp.1.el6_7.i686.rpm java-1.5.0-ibm-plugin-1.5.0.16.14-1jpp.1.el6_7.i686.rpm java-1.5.0-ibm-src-1.5.0.16.14-1jpp.1.el6_7.i686.rpm ppc64: java-1.5.0-ibm-1.5.0.16.14-1jpp.1.el6_7.ppc64.rpm java-1.5.0-ibm-demo-1.5.0.16.14-1jpp.1.el6_7.ppc64.rpm java-1.5.0-ibm-devel-1.5.0.16.14-1jpp.1.el6_7.ppc64.rpm java-1.5.0-ibm-javacomm-1.5.0.16.14-1jpp.1.el6_7.ppc64.rpm java-1.5.0-ibm-src-1.5.0.16.14-1jpp.1.el6_7.ppc64.rpm s390x: java-1.5.0-ibm-1.5.0.16.14-1jpp.1.el6_7.s390x.rpm java-1.5.0-ibm-demo-1.5.0.16.14-1jpp.1.el6_7.s390x.rpm java-1.5.0-ibm-devel-1.5.0.16.14-1jpp.1.el6_7.s390x.rpm java-1.5.0-ibm-src-1.5.0.16.14-1jpp.1.el6_7.s390x.rpm x86_64: java-1.5.0-ibm-1.5.0.16.14-1jpp.1.el6_7.x86_64.rpm java-1.5.0-ibm-demo-1.5.0.16.14-1jpp.1.el6_7.x86_64.rpm java-1.5.0-ibm-devel-1.5.0.16.14-1jpp.1.el6_7.x86_64.rpm java-1.5.0-ibm-javacomm-1.5.0.16.14-1jpp.1.el6_7.x86_64.rpm java-1.5.0-ibm-src-1.5.0.16.14-1jpp.1.el6_7.x86_64.rpm Red Hat Enterprise Linux Workstation Supplementary (v. 6): i386: java-1.5.0-ibm-1.5.0.16.14-1jpp.1.el6_7.i686.rpm java-1.5.0-ibm-demo-1.5.0.16.14-1jpp.1.el6_7.i686.rpm java-1.5.0-ibm-devel-1.5.0.16.14-1jpp.1.el6_7.i686.rpm java-1.5.0-ibm-javacomm-1.5.0.16.14-1jpp.1.el6_7.i686.rpm java-1.5.0-ibm-jdbc-1.5.0.16.14-1jpp.1.el6_7.i686.rpm java-1.5.0-ibm-plugin-1.5.0.16.14-1jpp.1.el6_7.i686.rpm java-1.5.0-ibm-src-1.5.0.16.14-1jpp.1.el6_7.i686.rpm x86_64: java-1.5.0-ibm-1.5.0.16.14-1jpp.1.el6_7.x86_64.rpm java-1.5.0-ibm-demo-1.5.0.16.14-1jpp.1.el6_7.x86_64.rpm java-1.5.0-ibm-devel-1.5.0.16.14-1jpp.1.el6_7.x86_64.rpm java-1.5.0-ibm-javacomm-1.5.0.16.14-1jpp.1.el6_7.x86_64.rpm java-1.5.0-ibm-src-1.5.0.16.14-1jpp.1.el6_7.x86_64.rpm These packages are GPG signed by Red Hat for security. 
Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2015-4805 https://access.redhat.com/security/cve/CVE-2015-4806 https://access.redhat.com/security/cve/CVE-2015-4843 https://access.redhat.com/security/cve/CVE-2015-4844 https://access.redhat.com/security/cve/CVE-2015-4860 https://access.redhat.com/security/cve/CVE-2015-4872 https://access.redhat.com/security/cve/CVE-2015-4883 https://access.redhat.com/security/cve/CVE-2015-4902 https://access.redhat.com/security/cve/CVE-2015-4903 https://access.redhat.com/security/updates/classification/#important https://www.ibm.com/developerworks/java/jdk/alerts/ https://www.ibm.com/developerworks/java/jdk/lifecycle/ 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2015 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFWVinDXlSAg2UNWIIRAgKkAKCoY33rz+sytCgIFNv2k767hFoPBwCdEIwE Mqr5cSV6QrwAozTfrEjrSFI= =9Rqb -----END PGP SIGNATURE----- From bugzilla at redhat.com Thu Nov 26 14:14:39 2015 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 26 Nov 2015 14:14:39 +0000 Subject: [RHSA-2015:2519-01] Important: thunderbird security update Message-ID: <201511261414.tAQEEdAK010840@int-mx14.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: thunderbird security update Advisory ID: RHSA-2015:2519-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-2519.html Issue date: 2015-11-26 CVE Names: CVE-2015-4513 CVE-2015-7189 CVE-2015-7193 CVE-2015-7197 CVE-2015-7198 CVE-2015-7199 CVE-2015-7200 ===================================================================== 1. 
Summary:

An updated thunderbird package that fixes multiple security issues is now available for Red Hat Enterprise Linux 5, 6, and 7.

Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

RHEL Optional Productivity Applications (v. 5 server) - i386, x86_64
Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - aarch64, ppc64le, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2015-4513, CVE-2015-7189, CVE-2015-7197, CVE-2015-7198, CVE-2015-7199, CVE-2015-7200)

A same-origin policy bypass flaw was found in the way Thunderbird handled certain cross-origin resource sharing (CORS) requests. A web page containing malicious content could cause Thunderbird to disclose sensitive information. (CVE-2015-7193)

Note: None of the above issues can be exploited by a specially crafted HTML mail message, because JavaScript is disabled by default for mail messages. However, they could be exploited in other ways in Thunderbird (for example, by viewing the full remote content of an RSS feed).

Red Hat would like to thank the Mozilla project for reporting these issues.
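The CORS item above (CVE-2015-7193, "CORS preflight is bypassed when non-standard Content-Type headers are received") is about one decision a user agent makes: whether a cross-origin request may go out directly or must first be authorised by an OPTIONS preflight. As an added example that is neither Thunderbird nor Mozilla code, the Python below implements that decision as the Fetch standard states it (safelisted methods, safelisted header names, and for Content-Type only three safelisted media types), next to a deliberately lax variant that only looks at header names and therefore lets a POST with application/json or any made-up type skip the preflight. The lax function is an illustration of the failure class, not a reproduction of Mozilla's actual bug; the byte-length and forbidden-byte rules for header values in the full standard are left out.

```python
"""Decide whether a cross-origin request needs a CORS preflight.

Added example, not Thunderbird or Mozilla code. needs_preflight() follows
the Fetch standard's safelist; needs_preflight_lax() shows the class of
mistake in which the Content-Type *value* is never inspected, so a
non-safelisted type reaches the server without an OPTIONS round trip.
The value-length and forbidden-byte checks of the standard are omitted.
"""

SAFELISTED_METHODS = {"GET", "HEAD", "POST"}
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
# Only these media types may be sent cross-origin without a preflight.
SAFELISTED_CONTENT_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}


def mime_essence(value):
    """'Text/Plain; charset=utf-8' -> 'text/plain' (type/subtype, lower-cased)."""
    return value.split(";", 1)[0].strip().lower()


def needs_preflight(method, headers):
    """Return True if a browser must send OPTIONS before this request.

    headers is a mapping of header name -> value as the page set them.
    """
    if method.upper() not in SAFELISTED_METHODS:
        return True
    for name, value in headers.items():
        lname = name.strip().lower()
        if lname not in SAFELISTED_HEADERS:
            return True
        # Content-Type is safelisted by name, but only for three media types.
        if lname == "content-type" and mime_essence(value) not in SAFELISTED_CONTENT_TYPES:
            return True
    return False


def needs_preflight_lax(method, headers):
    """Illustrative broken check: accepts any Content-Type value because it
    only compares header names. A POST with application/json (or a
    non-standard type) is wrongly treated as a simple request."""
    if method.upper() not in SAFELISTED_METHODS:
        return True
    return any(name.strip().lower() not in SAFELISTED_HEADERS for name in headers)


if __name__ == "__main__":
    cases = [
        ("POST", {"Content-Type": "text/plain; charset=utf-8"}),
        ("POST", {"Content-Type": "application/json"}),
        ("POST", {"Content-Type": "application/x-custom"}),
        ("PUT", {}),
        ("GET", {"X-Requested-With": "XMLHttpRequest"}),
    ]
    for method, headers in cases:
        print(method, headers, "strict:", needs_preflight(method, headers),
              "lax:", needs_preflight_lax(method, headers))
```

The security consequence of the lax variant is exactly the one the advisory describes: a server that relies on "non-form content types always get a preflight" as its CSRF or information-disclosure boundary receives a cross-origin request it never got to approve.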
Upstream acknowledges Christian Holler, David Major, Jesse Ruderman, Tyson Smith, Boris Zbarsky, Randell Jesup, Olli Pettay, Karl Tomlinson, Jeff Walden, Gary Kwong, Looben Yang, Shinto K Anto, Ronald Crane, and Ehsan Akhgari as the original reporters of these issues.

For technical details regarding these flaws, refer to the Mozilla security advisories for Thunderbird 38.4.0. You can find a link to the Mozilla advisories in the References section of this erratum.

All Thunderbird users should upgrade to this updated package, which contains Thunderbird version 38.4.0, which corrects these issues. After installing the update, Thunderbird must be restarted for the changes to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1277332 - CVE-2015-4513 Mozilla: Miscellaneous memory safety hazards (rv:38.4) (MFSA 2015-116)
1277344 - CVE-2015-7189 Mozilla: Buffer overflow during image interactions in canvas (MFSA 2015-123)
1277346 - CVE-2015-7193 Mozilla: CORS preflight is bypassed when non-standard Content-Type headers are received (MFSA 2015-127)
1277350 - CVE-2015-7198 CVE-2015-7199 CVE-2015-7200 Mozilla: Vulnerabilities found through code inspection (MFSA 2015-131)
1277351 - CVE-2015-7197 Mozilla: Mixed content WebSocket policy bypass through workers (MFSA 2015-132)

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
thunderbird-38.4.0-1.el5_11.src.rpm

i386:
thunderbird-38.4.0-1.el5_11.i386.rpm
thunderbird-debuginfo-38.4.0-1.el5_11.i386.rpm

x86_64:
thunderbird-38.4.0-1.el5_11.x86_64.rpm
thunderbird-debuginfo-38.4.0-1.el5_11.x86_64.rpm

RHEL Optional Productivity Applications (v.
5 server): Source: thunderbird-38.4.0-1.el5_11.src.rpm i386: thunderbird-38.4.0-1.el5_11.i386.rpm thunderbird-debuginfo-38.4.0-1.el5_11.i386.rpm x86_64: thunderbird-38.4.0-1.el5_11.x86_64.rpm thunderbird-debuginfo-38.4.0-1.el5_11.x86_64.rpm Red Hat Enterprise Linux Desktop (v. 6): Source: thunderbird-38.4.0-1.el6_7.src.rpm i386: thunderbird-38.4.0-1.el6_7.i686.rpm thunderbird-debuginfo-38.4.0-1.el6_7.i686.rpm x86_64: thunderbird-38.4.0-1.el6_7.x86_64.rpm thunderbird-debuginfo-38.4.0-1.el6_7.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 6): Source: thunderbird-38.4.0-1.el6_7.src.rpm i386: thunderbird-38.4.0-1.el6_7.i686.rpm thunderbird-debuginfo-38.4.0-1.el6_7.i686.rpm ppc64: thunderbird-38.4.0-1.el6_7.ppc64.rpm thunderbird-debuginfo-38.4.0-1.el6_7.ppc64.rpm s390x: thunderbird-38.4.0-1.el6_7.s390x.rpm thunderbird-debuginfo-38.4.0-1.el6_7.s390x.rpm x86_64: thunderbird-38.4.0-1.el6_7.x86_64.rpm thunderbird-debuginfo-38.4.0-1.el6_7.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 6): Source: thunderbird-38.4.0-1.el6_7.src.rpm i386: thunderbird-38.4.0-1.el6_7.i686.rpm thunderbird-debuginfo-38.4.0-1.el6_7.i686.rpm x86_64: thunderbird-38.4.0-1.el6_7.x86_64.rpm thunderbird-debuginfo-38.4.0-1.el6_7.x86_64.rpm Red Hat Enterprise Linux Client (v. 7): Source: thunderbird-38.4.0-1.el7_2.src.rpm x86_64: thunderbird-38.4.0-1.el7_2.x86_64.rpm thunderbird-debuginfo-38.4.0-1.el7_2.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 7): Source: thunderbird-38.4.0-1.el7_2.src.rpm aarch64: thunderbird-38.4.0-1.el7_2.aarch64.rpm thunderbird-debuginfo-38.4.0-1.el7_2.aarch64.rpm ppc64le: thunderbird-38.4.0-1.el7_2.ppc64le.rpm thunderbird-debuginfo-38.4.0-1.el7_2.ppc64le.rpm x86_64: thunderbird-38.4.0-1.el7_2.x86_64.rpm thunderbird-debuginfo-38.4.0-1.el7_2.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 
7): Source: thunderbird-38.4.0-1.el7_2.src.rpm x86_64: thunderbird-38.4.0-1.el7_2.x86_64.rpm thunderbird-debuginfo-38.4.0-1.el7_2.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2015-4513 https://access.redhat.com/security/cve/CVE-2015-7189 https://access.redhat.com/security/cve/CVE-2015-7193 https://access.redhat.com/security/cve/CVE-2015-7197 https://access.redhat.com/security/cve/CVE-2015-7198 https://access.redhat.com/security/cve/CVE-2015-7199 https://access.redhat.com/security/cve/CVE-2015-7200 https://access.redhat.com/security/updates/classification/#important https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/#thunderbird38.4 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2015 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFWVxOoXlSAg2UNWIIRAlVdAKCxjI/GR+wq1qDd5sD8NvHFHErztwCfbjkp 7NfGxszglQ4aArlQrhRWiiM= =GCT8 -----END PGP SIGNATURE----- From bugzilla at redhat.com Thu Nov 26 14:16:17 2015 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 26 Nov 2015 14:16:17 +0000 Subject: [RHSA-2015:2520-01] Important: ntp security update Message-ID: <201511261416.tAQEGHYx020867@int-mx09.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: ntp security update Advisory ID: RHSA-2015:2520-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-2520.html Issue date: 2015-11-26 CVE Names: CVE-2015-7704 ===================================================================== 1. 
Summary:

Updated ntp packages that fix one security issue are now available for Red Hat Enterprise Linux 6.5 and 6.6 Extended Update Support.

Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Compute Node Optional EUS (v. 6.5) - noarch, x86_64
Red Hat Enterprise Linux Compute Node Optional EUS (v. 6.6) - noarch, x86_64
Red Hat Enterprise Linux HPC Node EUS (v. 6.5) - x86_64
Red Hat Enterprise Linux HPC Node EUS (v. 6.6) - x86_64
Red Hat Enterprise Linux Server EUS (v. 6.5) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server EUS (v. 6.6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional EUS (v. 6.5) - i386, noarch, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional EUS (v. 6.6) - i386, noarch, ppc64, s390x, x86_64

3. Description:

The Network Time Protocol (NTP) is used to synchronize a computer's time with a referenced time source.

It was discovered that ntpd as a client did not correctly check timestamps in Kiss-of-Death packets. A remote attacker could use this flaw to send a crafted Kiss-of-Death packet to an ntpd client that would increase the client's polling interval value, and effectively disable synchronization with the server. (CVE-2015-7704)

Red Hat would like to thank Aanchal Malhotra, Isaac E. Cohen, and Sharon Goldberg of Boston University for reporting this issue.

All ntp users are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing the update, the ntpd daemon will restart automatically.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.
For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1271070 - CVE-2015-7704 ntp: disabling synchronization via crafted KoD packet 6. Package List: Red Hat Enterprise Linux HPC Node EUS (v. 6.5): Source: ntp-4.2.6p5-2.el6_5.1.src.rpm x86_64: ntp-4.2.6p5-2.el6_5.1.x86_64.rpm ntp-debuginfo-4.2.6p5-2.el6_5.1.x86_64.rpm ntpdate-4.2.6p5-2.el6_5.1.x86_64.rpm Red Hat Enterprise Linux HPC Node EUS (v. 6.6): Source: ntp-4.2.6p5-3.el6_6.1.src.rpm x86_64: ntp-4.2.6p5-3.el6_6.1.x86_64.rpm ntp-debuginfo-4.2.6p5-3.el6_6.1.x86_64.rpm ntpdate-4.2.6p5-3.el6_6.1.x86_64.rpm Red Hat Enterprise Linux Compute Node Optional EUS (v. 6.5): Source: ntp-4.2.6p5-2.el6_5.1.src.rpm noarch: ntp-doc-4.2.6p5-2.el6_5.1.noarch.rpm x86_64: ntp-debuginfo-4.2.6p5-2.el6_5.1.x86_64.rpm ntp-perl-4.2.6p5-2.el6_5.1.x86_64.rpm Red Hat Enterprise Linux Compute Node Optional EUS (v. 6.6): noarch: ntp-doc-4.2.6p5-3.el6_6.1.noarch.rpm x86_64: ntp-debuginfo-4.2.6p5-3.el6_6.1.x86_64.rpm ntp-perl-4.2.6p5-3.el6_6.1.x86_64.rpm Red Hat Enterprise Linux Server EUS (v. 6.5): Source: ntp-4.2.6p5-2.el6_5.1.src.rpm i386: ntp-4.2.6p5-2.el6_5.1.i686.rpm ntp-debuginfo-4.2.6p5-2.el6_5.1.i686.rpm ntpdate-4.2.6p5-2.el6_5.1.i686.rpm ppc64: ntp-4.2.6p5-2.el6_5.1.ppc64.rpm ntp-debuginfo-4.2.6p5-2.el6_5.1.ppc64.rpm ntpdate-4.2.6p5-2.el6_5.1.ppc64.rpm s390x: ntp-4.2.6p5-2.el6_5.1.s390x.rpm ntp-debuginfo-4.2.6p5-2.el6_5.1.s390x.rpm ntpdate-4.2.6p5-2.el6_5.1.s390x.rpm x86_64: ntp-4.2.6p5-2.el6_5.1.x86_64.rpm ntp-debuginfo-4.2.6p5-2.el6_5.1.x86_64.rpm ntpdate-4.2.6p5-2.el6_5.1.x86_64.rpm Red Hat Enterprise Linux Server EUS (v. 
6.6): Source: ntp-4.2.6p5-3.el6_6.1.src.rpm i386: ntp-4.2.6p5-3.el6_6.1.i686.rpm ntp-debuginfo-4.2.6p5-3.el6_6.1.i686.rpm ntpdate-4.2.6p5-3.el6_6.1.i686.rpm ppc64: ntp-4.2.6p5-3.el6_6.1.ppc64.rpm ntp-debuginfo-4.2.6p5-3.el6_6.1.ppc64.rpm ntpdate-4.2.6p5-3.el6_6.1.ppc64.rpm s390x: ntp-4.2.6p5-3.el6_6.1.s390x.rpm ntp-debuginfo-4.2.6p5-3.el6_6.1.s390x.rpm ntpdate-4.2.6p5-3.el6_6.1.s390x.rpm x86_64: ntp-4.2.6p5-3.el6_6.1.x86_64.rpm ntp-debuginfo-4.2.6p5-3.el6_6.1.x86_64.rpm ntpdate-4.2.6p5-3.el6_6.1.x86_64.rpm Red Hat Enterprise Linux Server Optional EUS (v. 6.5): Source: ntp-4.2.6p5-2.el6_5.1.src.rpm i386: ntp-debuginfo-4.2.6p5-2.el6_5.1.i686.rpm ntp-perl-4.2.6p5-2.el6_5.1.i686.rpm noarch: ntp-doc-4.2.6p5-2.el6_5.1.noarch.rpm ppc64: ntp-debuginfo-4.2.6p5-2.el6_5.1.ppc64.rpm ntp-perl-4.2.6p5-2.el6_5.1.ppc64.rpm s390x: ntp-debuginfo-4.2.6p5-2.el6_5.1.s390x.rpm ntp-perl-4.2.6p5-2.el6_5.1.s390x.rpm x86_64: ntp-debuginfo-4.2.6p5-2.el6_5.1.x86_64.rpm ntp-perl-4.2.6p5-2.el6_5.1.x86_64.rpm Red Hat Enterprise Linux Server Optional EUS (v. 6.6): i386: ntp-debuginfo-4.2.6p5-3.el6_6.1.i686.rpm ntp-perl-4.2.6p5-3.el6_6.1.i686.rpm noarch: ntp-doc-4.2.6p5-3.el6_6.1.noarch.rpm ppc64: ntp-debuginfo-4.2.6p5-3.el6_6.1.ppc64.rpm ntp-perl-4.2.6p5-3.el6_6.1.ppc64.rpm s390x: ntp-debuginfo-4.2.6p5-3.el6_6.1.s390x.rpm ntp-perl-4.2.6p5-3.el6_6.1.s390x.rpm x86_64: ntp-debuginfo-4.2.6p5-3.el6_6.1.x86_64.rpm ntp-perl-4.2.6p5-3.el6_6.1.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2015-7704 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2015 Red Hat, Inc. 
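The ntp advisory above says the client "did not correctly check timestamps in Kiss-of-Death packets". The timestamp in question is the origin timestamp: a genuine server reply, KoD included, echoes the transmit timestamp of the request it answers, so a client that compares the two can tell an unsolicited packet from a real one. The Python below is an added example, not ntpd code and not code from the advisory. It builds and parses 48-byte NTPv4 headers per RFC 5905, then runs a minimal client in two modes: with the origin check (a forged RATE kiss from an attacker who never saw our request is dropped) and without it (the pre-fix behaviour, where the same forged packet walks the poll interval up to MAXPOLL and the client stops asking the server for time). The client state machine, the poll bounds and the clock values are assumptions for the demonstration, not ntpd's real ones.

```python
"""Kiss-o'-Death (KoD) handling in an NTP client, with and without the
origin-timestamp check that the fix for this flaw adds.

Added example: this is not ntpd code and not code from the advisory.
The packet layout and the KoD convention (stratum 0, reference ID holding
an ASCII kiss code such as "RATE") follow RFC 5905; a genuine reply of
any kind echoes the client's transmit timestamp in its origin field. The
client state machine, the poll bounds and the timestamps are simplified
assumptions for the demonstration, not ntpd's real ones.
"""
import struct

# LI/VN/mode, stratum, poll, precision, root delay, root dispersion,
# reference ID, then reference/origin/receive/transmit timestamps.
NTP_HEADER = "!BBbbII4sQQQQ"
NTP_LEN = struct.calcsize(NTP_HEADER)  # 48 bytes
MODE_CLIENT, MODE_SERVER = 3, 4
MINPOLL, MAXPOLL = 6, 10  # 2**6 = 64 s to 2**10 = 1024 s (assumed defaults)


def build_packet(mode, stratum, poll, refid, org=0, rec=0, xmt=0):
    """Serialise a minimal NTPv4 header (LI=0, VN=4, precision -20)."""
    return struct.pack(NTP_HEADER, (4 << 3) | mode, stratum, poll, -20,
                       0, 0, refid, 0, org, rec, xmt)


def parse_packet(data):
    """Decode the fields this example needs from a 48-byte header."""
    if len(data) < NTP_LEN:
        raise ValueError("short NTP packet")
    f = struct.unpack(NTP_HEADER, data[:NTP_LEN])
    return {"mode": f[0] & 7, "stratum": f[1], "poll": f[2],
            "refid": f[6], "org": f[8], "rec": f[9], "xmt": f[10]}


class NtpClient:
    def __init__(self, check_origin=True):
        self.check_origin = check_origin  # False reproduces the pre-fix behaviour
        self.pending = {}  # server -> xmt of the request still awaiting a reply
        self.poll = {}     # server -> current poll exponent
        self.clock = 0xE0000000 << 32  # constructed 64-bit NTP timestamp

    def send_request(self, server):
        """Build a client request and remember its transmit timestamp."""
        self.clock += 1 << 32  # constructed: one second per request
        xmt = self.clock
        self.pending[server] = xmt
        self.poll.setdefault(server, MINPOLL)
        return build_packet(MODE_CLIENT, 0, self.poll[server], b"\0\0\0\0", xmt=xmt)

    def receive(self, server, data):
        """Process a reply; returns "dropped", "kod:<code>" or "sync"."""
        pkt = parse_packet(data)
        if self.check_origin:
            # The fix: a reply, KoD included, must echo the transmit timestamp
            # of a request we actually sent; anything else is unsolicited.
            if self.pending.get(server) != pkt["org"]:
                return "dropped"
        # A reply consumes the outstanding request, so it cannot be replayed.
        self.pending.pop(server, None)
        if pkt["stratum"] == 0:  # kiss-o'-death
            code = pkt["refid"].decode("ascii", "replace")
            if code == "RATE":  # server asks us to slow down
                self.poll[server] = min(self.poll.get(server, MINPOLL) + 1, MAXPOLL)
            return "kod:" + code
        return "sync"


if __name__ == "__main__":
    client = NtpClient()
    client.send_request("ntp1")
    forged = build_packet(MODE_SERVER, 0, 6, b"RATE")  # origin timestamp 0
    print("patched client:", client.receive("ntp1", forged), "poll", client.poll["ntp1"])
    old = NtpClient(check_origin=False)
    old.send_request("ntp1")
    print("old client:", old.receive("ntp1", forged), "poll", old.poll["ntp1"])
```

Two details carry the security argument. The attacker must know the 64-bit transmit timestamp of an outstanding request to forge a KoD that passes the check, which an off-path sender does not have; and a reply clears the pending entry, so even a captured genuine KoD cannot be replayed later to push the poll interval further.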
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFWVxQRXlSAg2UNWIIRAn3FAJ9kauV52JaskxqIQrOKCK9OQ3zn/ACfbn/9
IGHD8SGjeD8S9bWrpmj4v2I=
=ub4I
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Mon Nov 30 16:56:34 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 30 Nov 2015 16:56:34 +0000
Subject: [RHSA-2015:2521-01] Important: jakarta-commons-collections security update
Message-ID: <201511301656.tAUGuVZB014418@int-mx09.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Important: jakarta-commons-collections security update
Advisory ID: RHSA-2015:2521-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-2521.html
Issue date: 2015-11-30
CVE Names: CVE-2015-7501
=====================================================================

1. Summary:

Updated jakarta-commons-collections packages that fix one security issue are now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop Optional (v. 6) - noarch
Red Hat Enterprise Linux HPC Node Optional (v. 6) - noarch
Red Hat Enterprise Linux Server (v. 6) - noarch
Red Hat Enterprise Linux Server Optional (v. 6) - noarch
Red Hat Enterprise Linux Workstation (v. 6) - noarch
Red Hat Enterprise Linux Workstation Optional (v. 6) - noarch

3. Description:

The Jakarta/Apache Commons Collections library provides new interfaces, implementations, and utilities to extend the features of the Java Collections Framework.
It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library. (CVE-2015-7501)

With this update, deserialization of certain classes in the commons-collections library is no longer allowed. Applications that require those classes to be deserialized can use the system property "org.apache.commons.collections.enableUnsafeSerialization" to re-enable their deserialization.

Further information about this security flaw may be found at:
https://access.redhat.com/solutions/2045023

All users of jakarta-commons-collections are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. All running applications using the commons-collections library must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1279330 - CVE-2015-7501 apache-commons-collections: InvokerTransformer code execution during deserialisation

6. Package List:

Red Hat Enterprise Linux Desktop Optional (v. 6):

Source:
jakarta-commons-collections-3.2.1-3.5.el6_7.src.rpm

noarch:
jakarta-commons-collections-3.2.1-3.5.el6_7.noarch.rpm
jakarta-commons-collections-javadoc-3.2.1-3.5.el6_7.noarch.rpm
jakarta-commons-collections-testframework-3.2.1-3.5.el6_7.noarch.rpm
jakarta-commons-collections-testframework-javadoc-3.2.1-3.5.el6_7.noarch.rpm
jakarta-commons-collections-tomcat5-3.2.1-3.5.el6_7.noarch.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

Source:
jakarta-commons-collections-3.2.1-3.5.el6_7.src.rpm

noarch:
jakarta-commons-collections-3.2.1-3.5.el6_7.noarch.rpm
jakarta-commons-collections-javadoc-3.2.1-3.5.el6_7.noarch.rpm
jakarta-commons-collections-testframework-3.2.1-3.5.el6_7.noarch.rpm
jakarta-commons-collections-testframework-javadoc-3.2.1-3.5.el6_7.noarch.rpm
jakarta-commons-collections-tomcat5-3.2.1-3.5.el6_7.noarch.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
jakarta-commons-collections-3.2.1-3.5.el6_7.src.rpm

noarch:
jakarta-commons-collections-3.2.1-3.5.el6_7.noarch.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

noarch:
jakarta-commons-collections-javadoc-3.2.1-3.5.el6_7.noarch.rpm
jakarta-commons-collections-testframework-3.2.1-3.5.el6_7.noarch.rpm
jakarta-commons-collections-testframework-javadoc-3.2.1-3.5.el6_7.noarch.rpm
jakarta-commons-collections-tomcat5-3.2.1-3.5.el6_7.noarch.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
jakarta-commons-collections-3.2.1-3.5.el6_7.src.rpm

noarch:
jakarta-commons-collections-3.2.1-3.5.el6_7.noarch.rpm

Red Hat Enterprise Linux Workstation Optional (v. 6):

noarch:
jakarta-commons-collections-javadoc-3.2.1-3.5.el6_7.noarch.rpm
jakarta-commons-collections-testframework-3.2.1-3.5.el6_7.noarch.rpm
jakarta-commons-collections-testframework-javadoc-3.2.1-3.5.el6_7.noarch.rpm
jakarta-commons-collections-tomcat5-3.2.1-3.5.el6_7.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2015-7501
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/solutions/2045023

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFWXH+sXlSAg2UNWIIRAnSpAKCkr7BSLgKMdj0i0GrrSEUDMPNIlgCeOLej
BM1F8f3p4LkhjPWCsw5f7KE=
=03UL
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Mon Nov 30 16:57:38 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 30 Nov 2015 16:57:38 +0000
Subject: [RHSA-2015:2522-01] Important: apache-commons-collections security update
Message-ID: <201511301657.tAUGvZP6014951@int-mx09.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Important: apache-commons-collections security update
Advisory ID: RHSA-2015:2522-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-2522.html
Issue date: 2015-11-30
CVE Names: CVE-2015-7501
=====================================================================

1. Summary:

Updated apache-commons-collections packages that fix one security issue are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client Optional (v. 7) - noarch
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch
Red Hat Enterprise Linux Server (v. 7) - noarch
Red Hat Enterprise Linux Server Optional (v. 7) - noarch
Red Hat Enterprise Linux Workstation (v. 7) - noarch
Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch

3. Description:

The Apache Commons Collections library provides new interfaces, implementations, and utilities to extend the features of the Java Collections Framework.
It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library. (CVE-2015-7501)

With this update, deserialization of certain classes in the commons-collections library is no longer allowed. Applications that require those classes to be deserialized can use the system property "org.apache.commons.collections.enableUnsafeSerialization" to re-enable their deserialization.

Further information about this security flaw may be found at:
https://access.redhat.com/solutions/2045023

All users of apache-commons-collections are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. All running applications using the commons-collections library must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1279330 - CVE-2015-7501 apache-commons-collections: InvokerTransformer code execution during deserialisation

6. Package List:

Red Hat Enterprise Linux Client Optional (v. 7):

Source:
apache-commons-collections-3.2.1-22.el7_2.src.rpm

noarch:
apache-commons-collections-3.2.1-22.el7_2.noarch.rpm
apache-commons-collections-javadoc-3.2.1-22.el7_2.noarch.rpm
apache-commons-collections-testframework-3.2.1-22.el7_2.noarch.rpm
apache-commons-collections-testframework-javadoc-3.2.1-22.el7_2.noarch.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

Source:
apache-commons-collections-3.2.1-22.el7_2.src.rpm

noarch:
apache-commons-collections-3.2.1-22.el7_2.noarch.rpm
apache-commons-collections-javadoc-3.2.1-22.el7_2.noarch.rpm
apache-commons-collections-testframework-3.2.1-22.el7_2.noarch.rpm
apache-commons-collections-testframework-javadoc-3.2.1-22.el7_2.noarch.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
apache-commons-collections-3.2.1-22.el7_2.src.rpm

noarch:
apache-commons-collections-3.2.1-22.el7_2.noarch.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

Source:
apache-commons-collections-3.2.1-22.el7_2.src.rpm

noarch:
apache-commons-collections-3.2.1-22.el7_2.noarch.rpm
apache-commons-collections-javadoc-3.2.1-22.el7_2.noarch.rpm
apache-commons-collections-testframework-3.2.1-22.el7_2.noarch.rpm
apache-commons-collections-testframework-javadoc-3.2.1-22.el7_2.noarch.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
apache-commons-collections-3.2.1-22.el7_2.src.rpm

noarch:
apache-commons-collections-3.2.1-22.el7_2.noarch.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

noarch:
apache-commons-collections-javadoc-3.2.1-22.el7_2.noarch.rpm
apache-commons-collections-testframework-3.2.1-22.el7_2.noarch.rpm
apache-commons-collections-testframework-javadoc-3.2.1-22.el7_2.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2015-7501
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/solutions/2045023

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFWXH/iXlSAg2UNWIIRAr9NAJ9KUlWFEfzWOS7QrttD6onvrLmbDwCdFOvr
7WzdzTds9n3w37TFqv0FRb8=
=1YGf
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Mon Nov 30 16:58:42 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 30 Nov 2015 16:58:42 +0000
Subject: [RHSA-2015:2523-01] Important: rh-java-common-apache-commons-collections security update
Message-ID: <201511301658.tAUGwemv015564@int-mx09.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Important: rh-java-common-apache-commons-collections security update
Advisory ID: RHSA-2015:2523-01
Product: Red Hat Software Collections
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-2523.html
Issue date: 2015-11-30
CVE Names: CVE-2015-7501
=====================================================================

1. Summary:

Updated rh-java-common-apache-commons-collections packages which fix one security issue are now available for Red Hat Software Collections 2.

Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6) - noarch
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - noarch
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.6) - noarch
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7) - noarch
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.1) - noarch
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6) - noarch
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - noarch

3. Description:

The Apache Commons Collections library provides new interfaces, implementations, and utilities to extend the features of the Java Collections Framework.

It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library. (CVE-2015-7501)

With this update, deserialization of certain classes in the commons-collections library is no longer allowed. Applications that require those classes to be deserialized can use the system property "org.apache.commons.collections.enableUnsafeSerialization" to re-enable their deserialization.

Further information about this security flaw may be found at:
https://access.redhat.com/solutions/2045023

All users of rh-java-common-apache-commons-collections are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. All running applications using the commons-collections library must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1279330 - CVE-2015-7501 apache-commons-collections: InvokerTransformer code execution during deserialisation

6. Package List:

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6):

Source:
rh-java-common-apache-commons-collections-3.2.1-21.13.el6.src.rpm

noarch:
rh-java-common-apache-commons-collections-3.2.1-21.13.el6.noarch.rpm
rh-java-common-apache-commons-collections-javadoc-3.2.1-21.13.el6.noarch.rpm
rh-java-common-apache-commons-collections-testframework-3.2.1-21.13.el6.noarch.rpm
rh-java-common-apache-commons-collections-testframework-javadoc-3.2.1-21.13.el6.noarch.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.6):

Source:
rh-java-common-apache-commons-collections-3.2.1-21.13.el6.src.rpm

noarch:
rh-java-common-apache-commons-collections-3.2.1-21.13.el6.noarch.rpm
rh-java-common-apache-commons-collections-javadoc-3.2.1-21.13.el6.noarch.rpm
rh-java-common-apache-commons-collections-testframework-3.2.1-21.13.el6.noarch.rpm
rh-java-common-apache-commons-collections-testframework-javadoc-3.2.1-21.13.el6.noarch.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7):

Source:
rh-java-common-apache-commons-collections-3.2.1-21.13.el6.src.rpm

noarch:
rh-java-common-apache-commons-collections-3.2.1-21.13.el6.noarch.rpm
rh-java-common-apache-commons-collections-javadoc-3.2.1-21.13.el6.noarch.rpm
rh-java-common-apache-commons-collections-testframework-3.2.1-21.13.el6.noarch.rpm
rh-java-common-apache-commons-collections-testframework-javadoc-3.2.1-21.13.el6.noarch.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6):

Source:
rh-java-common-apache-commons-collections-3.2.1-21.13.el6.src.rpm

noarch:
rh-java-common-apache-commons-collections-3.2.1-21.13.el6.noarch.rpm
rh-java-common-apache-commons-collections-javadoc-3.2.1-21.13.el6.noarch.rpm
rh-java-common-apache-commons-collections-testframework-3.2.1-21.13.el6.noarch.rpm
rh-java-common-apache-commons-collections-testframework-javadoc-3.2.1-21.13.el6.noarch.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):

Source:
rh-java-common-apache-commons-collections-3.2.1-21.13.el7.src.rpm

noarch:
rh-java-common-apache-commons-collections-3.2.1-21.13.el7.noarch.rpm
rh-java-common-apache-commons-collections-javadoc-3.2.1-21.13.el7.noarch.rpm
rh-java-common-apache-commons-collections-testframework-3.2.1-21.13.el7.noarch.rpm
rh-java-common-apache-commons-collections-testframework-javadoc-3.2.1-21.13.el7.noarch.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.1):

Source:
rh-java-common-apache-commons-collections-3.2.1-21.13.el7.src.rpm

noarch:
rh-java-common-apache-commons-collections-3.2.1-21.13.el7.noarch.rpm
rh-java-common-apache-commons-collections-javadoc-3.2.1-21.13.el7.noarch.rpm
rh-java-common-apache-commons-collections-testframework-3.2.1-21.13.el7.noarch.rpm
rh-java-common-apache-commons-collections-testframework-javadoc-3.2.1-21.13.el7.noarch.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7):

Source:
rh-java-common-apache-commons-collections-3.2.1-21.13.el7.src.rpm

noarch:
rh-java-common-apache-commons-collections-3.2.1-21.13.el7.noarch.rpm
rh-java-common-apache-commons-collections-javadoc-3.2.1-21.13.el7.noarch.rpm
rh-java-common-apache-commons-collections-testframework-3.2.1-21.13.el7.noarch.rpm
rh-java-common-apache-commons-collections-testframework-javadoc-3.2.1-21.13.el7.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2015-7501
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/solutions/2045023

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFWXIAaXlSAg2UNWIIRApVHAJ9C9VJRqYCNY6ZV705YdZ504WQNMACfSP7r
8SJCkYRsomfqP2sWRBSJbS4=
=p5tK
-----END PGP SIGNATURE-----
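The three commons-collections advisories above (RHSA-2015:2521, 2522 and 2523) describe the same flaw, CVE-2015-7501, and the same fix: the patched library refuses to deserialize the classes behind the gadget chain, the one named in the bug title being InvokerTransformer. The following is an added example, not Red Hat's or Apache's code, showing the network-side counterpart a defender can apply to a captured request body before it reaches a JVM: a heuristic scanner that reads the class descriptors of a Java serialization stream and flags the class the advisory names. The sample streams are constructed inline and simplified (one fieldless object each, placeholder serialVersionUID), not real captures.

```python
"""Heuristic scan of a Java serialization stream for blocked class names."""
import re
import struct

STREAM_MAGIC = b"\xac\xed\x00\x05"   # ObjectStreamConstants STREAM_MAGIC + STREAM_VERSION
TC_CLASSDESC = b"\x72"               # tag that precedes a class descriptor

# The class named in the advisory's bug title. Extend this set with the
# other classes your own deserialization policy forbids.
BLOCKED_CLASSES = {
    "org.apache.commons.collections.functors.InvokerTransformer",
}

# A TC_CLASSDESC tag is followed by a modified-UTF-8 class name: a 2-byte
# big-endian length, then the name. Java class names (and array
# descriptors such as "[Ljava.lang.Object;") use a narrow alphabet, which
# makes this a selective enough heuristic without a full stream parser.
_CLASS_NAME = re.compile(rb"[A-Za-z_$\[][A-Za-z0-9_$.\[;]*")


def class_descriptors(stream: bytes) -> list[str]:
    """Return the class names declared by TC_CLASSDESC records, in order.

    The scan accepts a 0x72 byte only when the two following bytes give a
    length that exactly covers a plausible class name; other 0x72 bytes
    (for example the letter 'r' inside string data) are skipped.
    """
    if not stream.startswith(STREAM_MAGIC):
        raise ValueError("not a Java serialization stream (bad magic/version)")
    names: list[str] = []
    pos = len(STREAM_MAGIC)
    while (pos := stream.find(TC_CLASSDESC, pos)) >= 0 and pos + 3 <= len(stream):
        (length,) = struct.unpack_from(">H", stream, pos + 1)
        candidate = stream[pos + 3 : pos + 3 + length]
        if length and len(candidate) == length and _CLASS_NAME.fullmatch(candidate):
            names.append(candidate.decode("ascii"))
            pos += 3 + length          # skip past the name we just consumed
        else:
            pos += 1                   # false hit, keep scanning
    return names


def blocked_classes(stream: bytes) -> list[str]:
    """Class names in the stream that the patched library refuses to deserialize."""
    return [name for name in class_descriptors(stream) if name in BLOCKED_CLASSES]


def _constructed_stream(class_name: str) -> bytes:
    """Constructed sample (not a real capture): one object of class_name with
    no fields. Layout: TC_OBJECT, TC_CLASSDESC, name, serialVersionUID
    (placeholder zeros), SC_SERIALIZABLE flag, field count 0,
    TC_ENDBLOCKDATA, TC_NULL superclass."""
    name = class_name.encode("ascii")
    return (STREAM_MAGIC + b"\x73" + TC_CLASSDESC + struct.pack(">H", len(name)) + name
            + b"\x00" * 8 + b"\x02" + b"\x00\x00" + b"\x78\x70")


GADGET_SAMPLE = _constructed_stream("org.apache.commons.collections.functors.InvokerTransformer")
BENIGN_SAMPLE = _constructed_stream("java.util.ArrayList")

if __name__ == "__main__":
    for label, sample in (("gadget", GADGET_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, class_descriptors(sample), "blocked:", blocked_classes(sample))
```

The scan is a triage aid and not a substitute for the update: a stream can also name a class through a TC_PROXYCLASSDESC record or reuse an earlier descriptor via TC_REFERENCE, neither of which this heuristic follows.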