[RHSA-2008:0264-01] Moderate: Red Hat Network Satellite Server Solaris client security update

Tue May 20 14:19:01 UTC 2008

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat Network Satellite Server Solaris client security update
Advisory ID:       RHSA-2008:0264-01
Product:           Red Hat Network Satellite Server
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2008-0264.html
Issue date:        2008-05-20
CVE Names:         CVE-2005-2096 CVE-2005-1849 CVE-2006-4343 
                   CVE-2006-4339 CVE-2006-3738 CVE-2006-2940 
                   CVE-2006-2937 CVE-2005-2969 CVE-2007-4965 
                   CVE-2007-2052 CVE-2006-4980 CVE-2006-1542 
=====================================================================

1. Summary:

Red Hat Network Satellite Server version 5.0.2 is now available. This
update includes fixes for a number of security issues in Red Hat Network
Satellite Server Solaris client components.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Network Satellite Server 5.0 (RHEL v.4 AS) - noarch

3. Description:

This release corrects several security vulnerabilities in various
components shipped as part of the Red Hat Network Satellite Server Solaris
client. In a typical operating environment, these components are not used
by the Satellite Server in a vulnerable manner. These security updates will
reduce risk should these components be used by other applications.

Two denial-of-service flaws were fixed in ZLib. (CVE-2005-2096,
CVE-2005-1849)

Multiple flaws were fixed in OpenSSL. (CVE-2006-4343, CVE-2006-4339,
CVE-2006-3738, CVE-2006-2940, CVE-2006-2937, CVE-2005-2969)

Multiple flaws were fixed in Python. (CVE-2007-4965, CVE-2007-2052,
CVE-2006-4980, CVE-2006-1542)

Users of Red Hat Network Satellite Server 5.0.1 are advised to upgrade to
5.0.2, which resolves these issues.

4. Solution:

This update is available via Red Hat Network.  Details on how to use the
Red Hat Network to apply this update are available at
http://www.redhat.com/docs/manuals/satellite/Red_Hat_Network_Satellite-5.0.0/html/Installation_Guide/s1-maintenance-update.html

5. Bugs fixed (http://bugzilla.redhat.com/):

235093 - CVE-2007-2052 python off-by-one locale.strxfrm() (possible memory disclosure)
295971 - CVE-2007-4965 python imageop module heap corruption
430640 - CVE-2006-1542 python buffer overflow
430641 - CVE-2006-4980 python repr unicode buffer overflow
430649 - CVE-2005-1849 zlib DoS
430651 - CVE-2006-4343 openssl sslv2 client code
430652 - CVE-2006-3738 openssl get_shared_ciphers overflow
430654 - CVE-2006-2940 openssl public key DoS
430655 - CVE-2006-2937 openssl ASN.1 DoS
430659 - CVE-2006-4339 openssl signature forgery
430660 - CVE-2005-2969 openssl mitm downgrade attack

6. Package List:

Red Hat Network Satellite Server 5.0 (RHEL v.4 AS):

noarch:
rhn-solaris-bootstrap-5.0.2-3.noarch.rpm
rhn_solaris_bootstrap_5_0_2_3-1-0.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and 
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2096
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1849
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4343
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3738
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2940
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2937
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2969
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4965
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2052
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4980
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1542
http://www.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert at redhat.com>.  More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2008 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFIMt3FXlSAg2UNWIIRAnh8AJ4h/l343jeXx38Rt+0Nm/prW5EDqgCfT9JH
xEBjErySlK9e5Y5R1ud4oDA=
=+Npd
-----END PGP SIGNATURE-----