Red Hat Enterprise Linux by default does respond to ICMP echo requests, although it’s likely that in a production environment those would be filtered by some firewall on entry to your network. However you can happily block ICMP ping responses using iptables if you so wish, but note that there is no known vulnerability in allowing them. For more details, please see: http://kbase.redhat.com/faq/FAQ_43_4304.shtm Red Hat does not consider CVE-1999-0997 to be a security vulnerability. The wu-ftpd process chroots itself into the target ftp directory and will only run external commands as the user logged into the ftp server. Because the process chroots itself, an attacker needs a valid login with write access to the ftp server, and even then they could only potentially execute commands as themselves. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat Enterprise Linux 2.1 ships with wu-ftp version 2.6.2 which is not vulnerable to this issue. CVE-2001-0935 refers to vulnerabilities found when SUSE did a code audit of the wu-ftpd glob.c file in wu-ftpd 2.6.0. They shared these details with the wu-ftpd upstream authors who clarified that some of the issues did not apply, and all were addressed by the version of glob.c in upstream wu-ftpd 2.6.1. Therefore we believe that the issues labelled as CVE-2001-0935 do not affect wu-ftpd 2.6.1 or later versions and therefore do not affect Red Hat Enterprise Linux 2.1. Not vulnerable. This issue did not affect the versions of OpenSSH as shipped with Red Hat Enterprise Linux 2.1, 3, or 4. This is not a security issue. The mod_usertrack cookies are not designed to be used for authentication. This is a duplicate CVE name and is a combination of CVE-2003-0020 and CVE-2003-0083. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat does not intend to take any action on this issue. This is the expected behavior of Mailman and is not considered to be a security flaw by upstream. If Mailman upstream addresses this issue in a future update, we may revisit our decision. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat do not consider this to be a security issue and there are many ways that you can identify or fingerprint a Linux machine. Users that wish to block fingerprinting can use various techniques to disguise their operating system, for example see http://www.infosecwriters.com/text_resources/pdf/nmap.pdf Not vulnerable. This issue did not affect the versions of OpenSSH as shipped with Red Hat Enterprise Linux 3 or later. This issue did not affect the OpenSSL packages as shipped with Red Hat Enterprise Linux 2.1 as they were not compiled with S/Key or BSD_AUTH support. The upstream patch for this issue and CVE-2002-0640 was included in an errata so that users recompiling OpenSSL with support for those authentication methods would also be protected: https://rhn.redhat.com/errata/RHSA-2002-131.html Not vulnerable. This issue did not affect the versions of PostgreSQL as shipped with Red Hat Enterprise Linux 2.1, 3, or 4. Not vulnerable. This issue did not affect the versions of SquirrelMail as shipped with Red Hat Enterprise Linux 3 or 4. Not vulnerable. This issue did not affect the versions of SquirrelMail as shipped with Red Hat Enterprise Linux 3 or 4. Not vulnerable. This issue did not affect the versions of SquirrelMail as shipped with Red Hat Enterprise Linux 3 or 4. Not vulnerable. This issue did not affect the versions of Apache HTTP server as shipped with Red Hat Enterprise Linux 2.1, 3, or 4. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=162899 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ Not vulnerable. This issue did not affect the versions of Mozilla as shipped with Red Hat Enterprise Linux 2.1, 3, or 4. Not vulnerable. This issue only affects a third-party patch to Cyrus SASL, not distributed with Red Hat Enterprise Linux 2.1, 3, or 4. Not vulnerable. This issue did not affect the versions of Mozilla as shipped with Red Hat Enterprise Linux 2.1, 3, or 4. Not vulnerable. This issue did not affect the versions of Apache HTTP server as shipped with Red Hat Enterprise Linux 2.1, 3, or 4. This issue did not affect the versions of Samba as distributed with Red Hat Enterprise Linux 2.1, 3, or 4. We do not believe this is a security vulnerability. This is the documented and expected behaviour of rpm. Not vulnerable. This issue did not affect the RPM packages of OpenOffice as distributed with Red Hat Enterprise Linux 2.1, 3, or 4. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. This issue affected Red Hat Enterprise Linux 2.1 and an update was released to correct it: http://rhn.redhat.com/errata/RHSA-2003-244.html Red Hat Enterprise Linux 3 contained a backported patch to correct this issue since release. This issue does not affect the versions of Apache in Enterprise Linux 4 or later. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. For Red Hat Enterprise Linux 2.1 OpenSSL packages (openssl, openssl096, openssl095a) issue was addressed via RHSA-2003:293. The OpenSSL packages in Red Hat Enterprise Linux 3 and 4 (openssl, openssl096b) contain a backported patch since their initial release. The OpenSSL packages in Red Hat Enterprise Linux 5 are based on fixed upstream release (openssl), or contain backported patch since their initial release (openssl097a). For Red Hat Enterprise Linux 2.1 OpenSSL packages (openssl, openssl096, openssl095a) issue was addressed via RHSA-2003:293. The OpenSSL packages in Red Hat Enterprise Linux 3 and 4 (openssl, openssl096b) contain a backported patch since their initial release. The OpenSSL packages in Red Hat Enterprise Linux 5 are based on fixed upstream release (openssl), or contain backported patch since their initial release (openssl097a). Not vulnerable. The OpenSSL packages in Red Hat Enterprise Linux 2.1 were not affected by this issue. The OpenSSL packages in Red Hat Enterprise Linux 3 and 4 contain a backported patch since their initial release (openssl), or were not affected by this issue (openssl096b). The OpenSSL packages in Red Hat Enterprise Linux 5 are based on fixed upstream release (openssl), or contain backported patch since their initial release (openssl097a). Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=114923 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ This issue does not affect Red Hat Enterprise Linux 4. Not vulnerable. This flaw is fixed in Red Hat Enterprise Linux 2.1 via the errata RHSA-2003:280. This flaw is fixed in Red Hat Enterprise Linux 3 as a backported patch. The source RPM contains the patch openssh-3.6.1p2-owl-realloc.diff which resolved this flaw before Red Hat Enterprise Linux 3 GA. This flaw does not affect any subsequent versions of Red Hat Enterprise Linux. Not vulnerable. This flaw is fixed in Red Hat Enterprise Linux 2.1 via the errata RHSA-2003:280. This flaw is fixed in Red Hat Enterprise Linux 3 as a backported patch. The source RPM contains the patch openssh-3.6.1p2-owl-realloc.diff which resolved this flaw before Red Hat Enterprise Linux 3 GA. This flaw does not affect any subsequent versions of Red Hat Enterprise Linux. Not vulnerable. This flaw is fixed in Red Hat Enterprise Linux 2.1 via the errata RHSA-2003:280. This flaw is fixed in Red Hat Enterprise Linux 3 as a backported patch. The source RPM contains the patch openssh-3.6.1p2-owl-realloc.diff which resolved this flaw before Red Hat Enterprise Linux 3 GA. This flaw does not affect any subsequent versions of Red Hat Enterprise Linux. Not affected. Red Hat did not ship iptables-devel or anything else that used these vulnerable functions with Red Hat Enterprise Linux 2.1 or 3. Red Hat Enterprise Linux 4 and 5 contained a backported patch to correct this issue. We do not consider these to be security issues: http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 We do not consider these to be security issues: http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 Not vulnerable. This issue did not affect the versions of PHP as shipped with Red Hat Enterprise Linux 2.1. The PHP packages in Red Hat Enterprise Linux 3 contain a backported patch to address this issue since release. The issue was fixed upstream in PHP 4.3.3. The PHP packages in Red Hat Enterprise Linux 4 and 5 are based on fixed upstream versions. This issue did not affect the versions of Xscreensaver as distributed with Red Hat Enterprise Linux 2.1, 3, or 4. Red Hat Enterprise Linux 5 is not vulnerable to this issue. This is not a vulnerability. When PHP scripts are interpreted using the dynamically loaded mod_php DSO, the PHP interpreter executes with the privileges of the httpd child process. The PHP intepreter does not "sandbox" PHP scripts from the environment in which they run. On any modern Unix system a process can easily obtain access to all the parent file descriptors anyway, even if they have been closed. Not vulnerable. Red Hat Enterprise Linux 2.1 shipped with fvwm, however this issue does not affect the included version of fvwm. Red Hat does not consider this issue to be a security vulnerability since no trust boundary is crossed. The user must voluntarily interact with the attack mechanism to exploit this flaw, with the result being the ability to run code as themselves. Not vulnerable. This issue did not affect the versions of SpamAssassin as shipped with Red Hat Enterprise Linux 3, 4, or 5. The risks associated with fixing this bug are greater than the low severity security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 2.1 and 3 which is in maintenance mode. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Not vulnerable. This issue did not affect Linux. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. The DHS advisory is a good source of background information about the issue: http://www.us-cert.gov/cas/techalerts/TA04-111A.html It is important to note that the issue described is a known function of TCP. In order to perform a connection reset an attacker would need to know the source and destination ip address and ports as well as being able to guess the sequence number within the window. These requirements seriously reduce the ability to trigger a connection reset on normal TCP connections. The DHS advisory explains that BGP routing is a specific case where being able to trigger a reset is easier than expected as the end points can be easily determined and large window sizes are used. BGP routing is also signficantly affected by having it’s connections terminated. The major BGP peers have recently switched to requiring md5 signatures which mitigates against this attack. The following article from Linux Weekly News also puts the flaw into context and shows why it does not pose a significant threat: http://lwn.net/Articles/81560/ Red Hat does not have any plans for action regarding this issue. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Not vulnerable. cdrecord is not shipped setuid and does not need to be made setuid with Red Hat Enterprise Linux 2.1, 3, or 4 packages. Not Vulnerable. This issue only affected Apache 2.0.51, which was not shipped in any version of Red Hat Enterprise Linux. We do not class this as a security issue; this can only cause a denial of service for the attacker. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=140074 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ The risks associated with fixing this bug are greater than the low severity security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 2.1 which is in maintenance mode. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=140058 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Not vulnerable. cscope packages shipped with Red Hat Enterprise Linux 3, 4, and 5 contain a backported patch since their first release. This issue is only will only cause a denial of service on the connection the attacker is using. It therefore is not a security issue. Red Hat does not consider this issue to be a security vulnerability since no trust boundary is crossed. There are no known uses of this function which could allow a remote attacker to execute arbitrary code. We do not consider this to be a security issue: http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=139478#c1 We do not consider safe_mode / open_basedir restriction bypass issues being security sensitive. For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php We do not consider safe_mode / open_basedir restriction bypass issues being security sensitive. For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. This issue did not affect the versions of mailman shipped with Red Hat Enterprise Linux 2.1, 3, or 4. In addition, we believe this issue does not apply to the 2.0.x versions of mailman due to setting of STEALTH_MODE Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. This issue was resolved in all affected libtiff versions as shipped with Red Hat Enterprise Linux 2.1, 3, and 4 via a patch for CVE-2004-0886. For updates containing patches for CVE-2004-0886, see: https://rhn.redhat.com/errata/CVE-2004-0886.html Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. We do not consider these to be security issues: http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 We do not consider these to be security issues: http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 Permitting TCP forwarding is the expected and known default configuration. If it is not desired, it can disabled using the AllowTcpForwarding option in the /etc/ssh/sshd_config configuration file. However, only disabling TCP forwarding does not improve security unless users are also denied shell access. For more information, see man sshd_config. This CVE is a duplicate (rediscovery) of CVE-2002-0838 The Red Hat Security Response Team rated this issue as having low security impact. This issue affected Red Hat Enterprise Linux 2.1 but due to the low severity will not be fixed. metamail was not shipped in Red Hat Enterprise Linux 3, 4, or 5. Not vulnerable. These issues did not affect the versions of OpenLDAP as shipped with Red Hat Enterprise Linux 2.1, 3, or 4. Not vulnerable. We did not ship snmpd setuid root in Red Hat Enterprise Linux 2.1, 3, or 4. The Apache Software Foundation do not treat this as a security issue. A configuration change can be made to disable the ability to respond to HTTP TRACE requests if required. For more information please see: http://www.apacheweek.com/issues/03-01-24#news Red Hat does not consider this to be a security issue. Not vulnerable. This issue did not affect the versions of Samba as distributed with Red Hat Enterprise Linux 3, or 4. Red Hat Enterprise Linux 2.1 shipped with a version of Samba prior to 3.0.6, but we verified by code audit that it is not affected by this issue. Not vulnerable. This issue only affected 2.5 STABLE4 and 2.5 STABLE5 versions of Squid and does not affect the versions of Squid distributed with Red Hat Enterprise Linux. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2004-2680 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ Not vulnerable. The Linux kernel as shipped with with Red Hat Enterprise Linux 2.1, 3, 4 and 5 did not include the Sbus PROM module and therefore are not affected by this issue. The risks associated with fixing this bug are greater than the low severity security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 2.1 which is in maintenance mode. Please see http://kbase.redhat.com/faq/docs/DOC-15379 Not vulnerable. These issues did not affect the versions of htdig as shipped with Red Hat Enterprise Linux 2.1, 3, or 4. http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=144263 Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Not vulnerable. Red Hat Enterprise Linux 2.1 shipped with wu-ftpd, however we were unable to reproduce this issue. Additionally, a code analysis showed that attempts to exploit this issue would be caught in the versions we shipped. http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=149720 Not vulnerable. This issue did not affect the versions of Cyrus SASL as shipped with Red Hat Enterprise Linux 2.1, 3, or 4. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. We do not consider this a security vulnerability; this is the expected behaviour. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. We do not consider this a security issue, the bug can only manifest if the software is invoked on a sudoers file that is contained in a world writable directory. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. This is defined and documented behaviour: http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=156313 Not vulnerable. Adobe told us this issue did not affect the Linux version of Adobe Reader. Red Hat does not consider this to be a vulnerability. htdigest is not supplied setuid or setgid and should not be run from a CGI program. Not vulnerable. This issue did not affect the versions of libtiff as shipped with Red Hat Enterprise Linux 2.1, 3, or 4. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Based on our research we believe that the "OpenSSL ASN.1 brute forcer." is actually exploiting flaws CVE-2003-0543, CVE-2003-0544, CVE-2003-0545. Those issues are all addressed in Red Hat Enterprise Linux and therefore CVE-2005-1730 is a duplicate assignment. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=158995 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ We do not believe this is a security issue; this is a deliberate circumvention of the Javamail API. The Javamail API provides a comprehensive and secure method to retrieve mail. In this example, the author retreives the message directly from the mail directory on the filesystem. Even if the user insists on using this incorrect way of accessing mail, then the permissions set by the dovecot and tomcat packages are enough to protect against direct access to most of the files listed in the bug report. The OpenSSL Team do not consider this issue to be a practical threat. Conducting an attack such as this has shown to be impractical outside of a controlled lab environment. If the OpenSSL Team decide to produce an update to correct this issue, we will consider including it in a future security update. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=164927 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. The risks associated with fixing this bug are greater than the low severity security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 2.1 which is in maintenance mode. This is the documented and expected behaviour of tar. Not vulnerable. These issues did not affect the version of BlueZ as shipped with Red Hat Enterprise Linux 4. Not vulnerable. This issue did not affect the Linux versions of Mutt. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=162681 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Not vulnerable. This issue did not affect the versions of OpenSSH as shipped with Red Hat Enterprise Linux 2.1, 3 or 4. This issue does not affect Red Hat Enterprise Linux 2.1 and 3. This flaw was fixed in Red Hat Enterprise Linux 4 via errata RHSA-2005:527: http://rhn.redhat.com/errata/RHSA-2005-527.html Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169803 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ We do not consider this to be a security issue: http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=139478#c1 Not vulnerable. These issues did not affect the versions of Mozilla and Firefox as shipped with Red Hat Enterprise Linux 2.1, 3, or 4. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Not vulnerable. This issue did not affect the ncompress packages as distributed with Red Hat Enterprise Linux 2.1, 3, or 4. Updated packages to correct this issue are available along with our advisory: http://rhn.redhat.com/errata/CVE-2005-3011.html Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. We do not consider these to be security issues: http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=170518 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ The risks associated with fixing this bug are greater than the low severity security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 2.1 and 3 which are in maintenance mode. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Not vulnerable. These issues do not affect the versions of Squid as shipped with Red Hat Enterprise Linux 2.1, 3, or 4. We do not class this as a security issue as it only allows local users who have the privileges to create .htaccess files the ability to cause a denial of service. Untrusted users should never be given the ability to create .htaccess files. We do not consider these to be security issues: http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 We do not consider these to be security issues: http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 Not vulnerable. This issue is caused by the way ImageMagick was packaged by Gentoo and does not affect Red Hat Enterprise Linux packages. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. We do not consider this to be a security issue. http:bugzilla.redhat.combugzillashow_bug.cgi?id=139478#c1 Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=172865 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. The Red Hat Security Response Team has rated this issue as having low security impact. An update is available for Red Hat Enterprise Linux 4 to correct this issue: http://rhn.redhat.com/errata/RHSA-2007-0018.html This issue did not affect Red Hat Enterprise Linux 2.1 and 3. This issue did not affect the versions of OpenLDAP as distributed with Red Hat Enterprise Linux 2.1, 3, or 4. This issue did not affect the versions of OpenOffice.org as distributed with Red Hat Enterprise Linux 2.1, 3, or 4. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=178960 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. The risks associated with fixing this bug are greater than the low severity security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 2.1 which is in maintenance mode. Not vulnerable. This issue did not affect the FreeRADIUS packages as distributed with Red Hat Enterprise Linux 2.1, 3, or 4. Not vulnerable. This issue did not affect the FreeRADIUS packages as distributed with Red Hat Enterprise Linux 2.1, 3, or 4. This issue did not affect the Linux glibc. gas (and gcc) make no promise that they are fault tolerant to bad input. We do not plan on producing security updates for Red Hat Enterprise Linux to correct these bugs. gas (and gcc) make no promise that they are fault tolerant to bad input. We do not plan on producing security updates for Red Hat Enterprise Linux to correct these bugs. Not vulnerable. The MadWiFi wireless driver is not shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/CVE-2005-4881 This issue has been rated as having moderate security impact. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 5, and Red Hat Enterprise MRG. It affects Red Hat Enterprise Linux 3, and 4. It was addressed in Red Hat Enterprise Linux 4 via: https://rhn.redhat.com/errata/RHSA-2009-1522.html This issue is not planned to be fixed in Red Hat Enterprise Linux 3, due to this product being in Production 3 of its maintenance life-cycle, where only qualified security errata of important and critical impact are addressed. For further information about Errata Support Policy, visit: http://www.redhat.com/security/updates/errata/ This issue did not affect Red Hat Enterprise Linux 2.1, 3, or 4. Not vulnerable. This issue did not affect the versions of php as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. We do not consider this to be a security issue. http:bugzilla.redhat.combugzillashow_bug.cgi?id=139478#c1 This issue was addressed in Red Hat Enterprise Linux 2.1, 3 and 4: https://rhn.redhat.com/errata/CVE-2006-0225.html https://www.redhat.com/security/data/cve/CVE-2006-0225.html Issue was fixed upstream in version 4.3. The openssh packages in Red Hat Enterprise Linux 5 are based on the fixed upstream version and were not affected by this flaw. Not vulnerable. We verified that this issue does not affect Linux versions of Thunderbird. This issue did not affect the versions of Fetchmail as distributed with Red Hat Enterprise Linux 2.1, 3, or 4. This issue did not affect the versions of libtiff as distributed with Red Hat Enterprise Linux 2.1, 3, or 4. Not vulnerable. This vulnerability was introduced into the Linux kernel in version 2.6.12 and therefore does not affect users of Red Hat Enterprise Linux 2.1, 3, or 4. This issue only affects parsers which are generated by grammars which either use REJECT or rules with a variable trailing context (in these rules the parser has to keep all backtracking paths). The Red Hat Security Response Team analysed all packages that include flex generated parsers in Red Hat Enterprise Linux (2.1, 3, and 4) and found none were vulnerable. This issue did not affect the versions of PostgreSQL as distributed with Red Hat Enterprise Linux 2.1, 3, or 4. Red Hat is aware of this issue and is tracking it via the following bug for Red Hat Enterprise Linux 3 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=207347 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ This issue was fixed for Red Hat Enterprise Linux 4 in the following errata: http://rhn.redhat.com/errata/RHEA-2006-0355.html This issue does not affect Red Hat Enterprise Linux 2 Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=187945 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ This issue does not affect Red Hat Enterprise Linux 2.1 or 3. This issue only affected Dovecot versions 1.0beta1 and 1.0beta2. Red Hat Enterprise Linux 4 shipped with an earlier version of Dovecot and is therefore not vulnerable to this issue. Not vulnerable. Red Hat Enterprise Linux 2.1, 3, and 4 do not include log4net. This issue did not affect the versions of OpenSSH as distributed with Red Hat Enterprise Linux 2.1, 3, or 4. Red Hat is aware of this issue and is tracking it via the following bug for Red Hat Enterprise Linux 2.1 and 3: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=194613 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ This issue has been fixed for Red Hat Enterprise Linux 4 in RHSA-2006:0544. We do not consider these to be security issues: http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 We do not consider these to be security issues: http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 We do not consider safe_mode / open_basedir restriction bypass issues being security sensitive. For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=188302 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ This issue does not affect Red Hat Enterprise Linux 2.1 and 3. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=187385 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ This issue does not affect Red Hat Enterprise Linux 2.1 or 3. This issue did not affect the versions of mod_python as distributed with Red Hat Enterprise Linux 2.1, 3, or 4. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat is aware of this issue and is tracking it via the following bugs: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=193053 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=229194 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ The risks associated with fixing this bug are greater than the low severity security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 2.1 which is in maintenance mode. Not vulnerable. greylistclean.cron is not supplied in the exim packages as distributed with Red Hat Enterprise Linux. This issue did not affect the versions of OpenSSH as distributed with Red Hat Enterprise Linux 2.1, 3, or 4. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=187900 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. The PHP interpreter does not offer a reliable "sandboxed" security layer (as found in, say, a JVM) in which untrusted scripts can be run; any script run by the PHP interpreter must be trusted with the privileges of the interpreter itself. We therefore do not classify this issue as security-sensitive since no trust boundary is crossed. We do not consider these to be security issues: http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 Red Hat does not consider this to be a security issue. Enabling the -r option is not suggested without the -x option which is clearly documented in the /etc/sysconfig/syslog configuration file. Red Hat does not consider this to be a security issue. The FastCGI server is local trusted code and not under the control of an attacker, no trust boundary is crossed. For more information please see: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-2050 This issue did not affect the version of bind as shipped with Red Hat Enterprise Linux 5. We do not believe this issue has a security consequence for earlier versions of Red Hat Enterprise Linux. For details please see https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=192192 Not vulnerable. This issue does not affect the versions of rsync distributed with Red Hat Enterprise Linux 2.1, 3, or 4. This issue does not affect Red Hat Enterprise Linux 2.1 and 3 This issue was addressed in Red Hat Enterprise Linux 4 via: https://rhn.redhat.com/errata/RHSA-2008-0848.html Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Not vulnerable. The winbind plugin is not shipped with Red Hat Enterprise Linux 2.1, 3, or 4. This issue only affected version 4.1.1 and not the versions distributed with Red Hat Enterprise Linux 2.1, 3, or 4. Not vulnerable. This issue does not affect the versions of Dovecot distributed with Red Hat Enterprise Linux. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=192278 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ This issue does not affect Red Hat Enterprise Linux 2.1 or 3. Not vulnerable. This issue does not affect the versions of LibVNCServer as distributed with Red Hat Enterprise Linux 2.1, 3, or 4. Not vulnerable. This issue does not affect the versions of cyrus-imapd distributed with Red Hat Enterprise Linux. We do not consider these to be security issues. For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. This issue was addressed in libtiff packages as shipped in Red Hat Enterprise Linux 2.1, 3, and 4 via: https://rhn.redhat.com/errata/RHSA-2006-0603.html Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. This is not an issue that affects users of Red Hat Enterprise Linux. http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=196255 This issue is not exploitable as the status file is only written to and read by the slurpd process. Therefore this is not a vulnerability that affects Red Hat Enterprise Linux 2.1, 3, or 4. Not vulnerable. This issue does not affect the versions of Evolution as distributed with Red Hat Enterprise Linux. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Not vulnerable. We do not ship aRts as setuid root on Red Hat Enterprise Linux 2.1, 3, or 4. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat does not consider this a security issue. It is expected behavior that a large input file will cause the processing program to use a large amount of memory. We do not consider these to be security issues. For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php Unknown: CVE-2006-3018 has been assigned to an issue in PHP where the cause and fix are unknown, and the impact cannot be verified. The source of the CVE assignment was a single line statement in the PHP 5.1.3 release announcement, http://www.php.net/release_5_1_3.php, reading: "Fixed a heap corruption inside the session extension." Of the changes made to the session extension between releases 5.1.2 and 5.1.3, none would fix a bug matching this description by our analysis. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Not vulnerable. Adobe told us that this issue does not affect the Linux versions of Adobe Acrobat Reader. This issue did not affect the versions of NetPBM distributed with Red Hat Enterprise Linux 2.1, 3, or 4. This issue has not been able to be reproduced by upstream or after a Red Hat code review. We therefore do not believe this is a security vulnerability. On Red Hat Enterprise Linux 2.1, 3, 4, and 5 this is a two-byte overflow into the middle of the stack and is not exploitable. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. This issue affects the version of the passwd command from the shadow-utils package. Red Hat Enterprise Linux 2.1, 3, and 4 are not vulnerable to this issue. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. This issue was addressed in mysql packages as shipped in Red Hat Enterprise Linux 4 via: https://rhn.redhat.com/errata/RHSA-2008-0768.html This issue did not affect mysql packages as shipped with Red Hat Enterprise Linux 2.1, 3, or 5, and Red Hat Application Stack v1 and v2. We do not consider this issue to have security implications, and therefore have no plans to issue MySQL updates for Red Hat Enterprise Linux 2.1, 3, or 4 to correct this issue. Adobe gave a statement that these issues do not affect the Linux versions of Macromedia Flash Player. Adobe gave a statement that these issues do not affect the Linux versions of Macromedia Flash Player. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=198912 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ This vulnerability does not affect Red Hat Enterprise Linux 2.1 or 3 as they are based on 2.4 kernels. The exploit relies on the kernel supporting the a.out binary format. Red Hat Enterprise Linux 4, Fedora Core 4, and Fedora Core 5 do not support the a.out binary format, causing the exploit to fail. We are not currently aware of any way to exploit this vulnerability if a.out binary format is not enabled. In addition, a default installation of these OS enables SELinux in enforcing mode. SELinux also completely blocks attempts to exploit this issue. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=198973#c10 We do not consider a crash of a client application such as Konqueror to be a security issue. We do not consider a user-assisted crash of a client application such as Firefox to be a security issue. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. The ability to exploit this issue is dependent on the stack layout for a particular compiled version of mod_rewrite. If the compiler has added padding to the stack immediately after the buffer being overwritten, this issue can not be exploited, and Apache httpd will continue operating normally. The Red Hat Security Response Team analyzed Red Hat Enterprise Linux 3 and Red Hat Enterprise Linux 4 binaries for all architectures as shipped by Red Hat and determined that these versions cannot be exploited. This issue does not affect the version of Apache httpd as supplied with Red Hat Enterprise Linux 2.1 This issue is not a security issue in Tomcat itself, but is caused when directory listings are enabled. Details on how to disable directory listings are available at: http://tomcat.apache.org/faq/misc.html#listing This issue does not affect versions of Mikmod 3.2.0-beta2 or prior. Versions of Mikmod distributed with Red Hat Enterprise Linux 2.1, 3, and 4 are based on version 3.1.11 and are therefore not vulnerable to this issue. This issue was corrected in all affected mysql packages versions as shipped in Red Hat Enterprise Linux or Red Hat Application Stack via: https://rhn.redhat.com/errata/CVE-2006-4031.html This issue did not affect mysql packages as shipped with Red Hat Enterprise Linux 2.1 or 3 Not Vulnerable. The version of BIND that ships with Red Hat Enterprise Linux is not vulnerable to this issue as it does not handle signed RR records. Not Vulnerable. This issue was found and fixed as part of Red Hat Enterprise Linux 4 update 4: http://rhn.redhat.com/errata/RHBA-2006-0288.html and Red Hat Enterprise Linux 3 update 8: http://rhn.redhat.com/errata/RHBA-2006-0287.html This issue does not affect Red Hat Enterprise Linux 2.1 LessTif is shipped with Red Hat Enterprise Linux 2.1 but not 3 or 4. On Enterprise Linux 2.1 we build LessTif with debugging disabled, so the DEBUG_FILE environment variable is ignored and this issue cannot be exploited. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Updates to address this issue are available for Red Hat Enterprise Linux 3 and 4: https://rhn.redhat.com/cve/CVE-2006-4146.html Red Hat Enterprise Linux 5 was not vulnerable to this issue as it contained a backported patch. Not Vulnerable. Red Hat does not ship GNU Radius in Red Hat Enterprise Linux 2.1, 3, or 4. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=203426 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ This issue does not affect Red Hat Enterprise Linux 2.1 or 3 This issue did not affect the versions of MySQL as shipped with Red Hat Enterprise Linux 2.1, 3, or 4. Issue was addressed in MySQL packages as shipped in Red Hat Enterprise Linux 5 via: https://rhn.redhat.com/errata/RHSA-2008-0364.html Red Hat Enterprise Linux 5 was not vulnerable to this issue as it contained a backported patch since its first release. In Red Hat Enterprise Linux 3 and 4, this issue was addressed via: https://rhn.redhat.com/errata/RHSA-2009-1101.html Red Hat does not consider this flaw a security issue. This flaw is the result of a NULL pointer dereference, which is not exploitable and can only cause a client crash. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=220595 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=220595 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=220595 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Vulnerable. This issue affects OpenSSL and OpenSSL compatibility packages in Red Hat Enterprise Linux 2.1, 3, and 4. Updates, along with our advisory are available at the URL below. http://rhn.redhat.com/errata/RHSA-2006-0661.html Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. We do not consider this to be a PHP flaw. The problem is caused by the insufficient input validation performed by Zend platform. This flaw causes a crash but does not result in a denial of service against Sendmail and is therefore not a security issue. Not Vulnerable. This issue does not exist in Red Hat Enterprise Linux 2.1 or 3. This issue not exploitable in Red Hat Enterprise Linux 4. A detailed analysis of this issue can be found in the Red Hat Bug Tracking System: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=195555 We do not consider these to be security issues. For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php Not vulnerable. This issue did not affect versions of wvWare library included in koffice packages as shipped with Red Hat Enterprise Linux 2.1 Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=205826 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ The risks associated with fixing this bug are greater than the low severity security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 2.1 which is in maintenance mode. Red Hat is aware of this issue and is tracking it via the following bug for Red Hat Enterprise Linux 4: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=204912 This issue does not affect Red Hat Enterprise Linux 2.1 or 3. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=205651 The Red Hat Security Response Team has rated this issue as having low security impact and expects to release a future update to address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ The risks associated with fixing this bug are greater than the low severity security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 2.1 and 3 which are in maintenance mode. This bug will be addressed in a future update of Red Hat Enterprise Linux 4. We do not consider these to be security issues. For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Not vulnerable. Red Hat Enterprise Linux 2.1, 3, and 4 do not include imlib2. Not vulnerable. Red Hat Enterprise Linux 2.1, 3, and 4 do not include imlib2. Not vulnerable. Red Hat Enterprise Linux 2.1, 3, and 4 do not include imlib2. Not vulnerable. Red Hat Enterprise Linux 2.1, 3, and 4 do not include imlib2. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. This issue did not affect the versions of php as shipped with Red Hat Enterprise Linux 3, and 4. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. This issue also affects other OS that use NSPR. However, Red Hat does not ship any application linked setuid or setgid against NSPR and therefore is not vulnerable to this issue. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat does not consider this flaw a security issue. This flaw can cause an OpenSSH client to crash when connecting to a malicious server, which does not result in a denial of service condition. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. This issue did not affect Red Hat Enterprise Linux 2.1 and 3. This issue was addressed in Red Hat Enterprise Linux 4 and 5 via https://rhn.redhat.com/errata/RHSA-2007-0703.html and https://rhn.redhat.com/errata/RHSA-2007-0540.html respectively. Red Hat is aware of this issue and is tracking it via the following bug for Red Hat Enterprise Linux 4: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=210128 This issue does not affect Red Hat Enterprise Linux 2.1 or 3. Red Hat does not consider this issue to be a security vulnerability. We have been in contact with the upstream project regarding this problem and agree that this issue currently poses no security threat. In the event more information becomes available, we will revisit this issue in the future. Red Hat does not consider this issue to be a security vulnerability. We have been in contact with the upstream project regarding this problem and agree that this issue currently poses no security threat. In the event more information becomes available, we will revisit this issue in the future. Not Vulnerable. This flaw only affects kernel versions 2.6.14 to 2.6.18. Red Hat Enterprise Linux 2.1, 3, and 4 does not ship with a vulnerable kernel version. We do not consider these to be security issues. For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat has been unable to reproduce this flaw and believes that the reporter was experiencing behavior specific to his environment. We will not be releasing update to address this issue. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=211085 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. The risks associated with fixing this bug are greater than the low severity security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 2.1 which is in maintenance mode. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=211085 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. The risks associated with fixing this bug are greater than the low severity security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 2.1 which is in maintenance mode. Not vulnerable. These issues did not affect the versions of libX11 as shipped with Red Hat Enterprise Linux 2.1, 3, or 4. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=213515 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat is aware of this issue and are tracking it via bug 213214 for Red Hat Enterprise Linux 4: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=213214 This issue does not affect Red Hat Enterprise Linux 2.1 or 3 Red Hat does not consider a user-assisted crash of a client application such as Firefox to be a security issue. Not vulnerable. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, or 5. Red Hat Enterprise Linux 2.1 did not ship for PowerPC architecture. Not Vulnerable. The squashfs module is not distributed as part of Red Hat Enterprise Linux 2.1, 3, or 4. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. We do not consider these to be security issues. For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. This flaw does not affect the Linux kernel shipped with Red Hat Enterprise Linux 2.1 or 3. This flaw affects the Linux kernel shipped with Red Hat Enterprise Linux 4. We are tracking this flaw via bug 216452: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=216452 Red Hat Enterprise Linux 2.1 is not vulnerable to this issue as it only affects x86_64 architectures. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch at release. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Not Vulnerable. The OpenLDAP versions shipped with Red Hat Enterprise Linux 4 and earlier do not contain the vulnerable code in question. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. This issue did not affect Red Hat Enterprise Linux 2.1. This issue was addressed in Red Hat Enterprise Linux 3 and 4 via https://rhn.redhat.com/errata/RHSA-2006-0738.html . Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. The CVE-2006-5823 is about a corrupted cramfs (MOKB-07-11-2006) that can cause a memory corruption and so crash the machine. For Red Hat Enterpise Linux 3 this issue is tracked via Bugzilla #216960 and for Red Hat Enterprise Linux 4 it is tracked via Bugzilla #216958. Red Hat Enterprise Linux 2.1 is not vulnerable to this issue. This issue has been rated as having low impact, because root privileges or physical access to the machine are needed to mount a corrupted filesystem and crash the machine. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat is aware of this issue and is tracking it via the following bug for Red Hat Enterprise Linux 2.1. This issue did not affect Red Hat Enterprise Linux 3 or 4. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=215593 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. The risks associated with fixing this bug are greater than the low severity security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 2.1 which is in maintenance mode. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Not vulnerable. The vulnerable code is not used by any application likned with libsoup shipped with Red Hat Enterprise Linux 2.1, 3, and 4. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Not vulnerable. Red Hat Enterprise Linux 2.1 shipped with fvwm, however this issue does not affect the included version of fvwm. Not vulnerable. This issue does not affect the versions of fetchmail distributed with Red Hat Enterprise Linux 2.1, 3, or 4. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat does not consider unexploitable client application crashes to be security flaws. This bug causes a stack recursion crash which is not exploitable. Not vulnerable. This issue did not affect Linux versions of Adobe Reader. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Not Vulnerable. The kernel as shipped with Red Hat Enterprise Linux 2.1, 3, and 4 do not contain gfs2 filesystem support. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Not vulnerable. This flaw was first introduced in gdm version 2.14. Therefore these issues did not affect the earlier versions of gdm as shipped with Red Hat Enterprise Linux 2.1, 3, or 4. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat is aware of this issue and is tracking it for Red Hat Enterprise Linux 4 via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=218602 This issue does not affect the version of the Linux kernel shipped with Red Hat Enterprise Linux 2.1 or 3. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Not vulnerable. Red Hat Enterprise Linux 2.1, 3, and 4 ship with versions of Kerberos 5 prior to version 1.4 and are therefore not affected by these vulnerabilities. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Not vulnerable. Red Hat Enterprise Linux 2.1, 3, and 4 ship with versions of Kerberos 5 prior to version 1.4 and are therefore not affected by these vulnerabilities. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat does not consider this bug to be a security flaw. In order for this flaw to be exploited, a user would be required to enter shellcode into an interactive GnuPG session. Red Hat considers this to be an unlikely scenario. Red Hat Enterprise Linux 5 contains a backported patch to address this issue. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Not vulnerable. This issue does not affect the Linux version of Adobe Reader. We do not consider a crash of a client application such as Konqueror or other KFile users to be a security issue. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. For other versions of Red Hat Enterprise Linux see http://rhn.redhat.com/cve/CVE-2006-6303.html Not vulnerable. This issue does not affect the versions of net-smtp as shipped with Red Hat Enterprise Linux 2.1, 3, or 4. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Not vulnerable. The MadWiFi wireless driver is not shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. We do not consider these to be security issues. For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php Not Vulnerable. eEye Research advisory AD20061207 (Intel Network Adapter Driver Local Privilege Escalation) describes a flaw in the Linux Kernel drivers for the e100, e1000, and ixgb Intel network cards. The flaw affects the NDIS miniport drivers and its OID support. The Linux Kernel drivers do not support the NDIS API and the OID concept from Microsoft Windows. Not vulnerable. OpenLDAP as shipped with Red Hat Enterprise Linux 2.1, 3, and 4 does not support the LDAP_AUTH_KRBV41 authentication method. Red Hat does not consider this flaw a security issue. This flaw will only crash OpenOffice.org and presents no possibility for arbitrary code execution. Not vulnerable. This issue did not affect the versions of KDE as shipped with Red Hat Enterprise Linux 2.1, 3, or 4. The Red Hat Security Response Team has rated this issue as having low security impact. The risks associated with fixing this bug are greater than the low severity security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 3, 4, or 5. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=221459 We do not consider a crash of a client application such as wget to be a security issue. This flaw was fixed in wget shipped in Red Hat Enterprise Linux 5 before the initial release of the product. Version of wget shipped in Red Hat Enterprise Linux 3 and 4 are affected by this bug. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. We do not consider a crash of a client application such as KsIRC to be a security issue. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1 or 3. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=223072 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. This issue can only be exploited if pending signals (ulimit -i) is set to "unlimited". In case of Red Hat Enterprise Linux version 2.1, 3 and 4 this is not the case and therefore they are not vulnerable to this issue. Not vulnerable. This issue was specific to a Debian patch to Apache HTTP Server. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. This flaw has been rated as having a low severity by the Red Hat Security Response Team. More information about this rating can be found here: http://www.redhat.com/security/updates/classification/ This flaw is currently being tracked via the following bugs: https://bugzilla.redhat.com/show_bug.cgi?id=231449 https://bugzilla.redhat.com/show_bug.cgi?id=231448 The risks associated with fixing this bug are greater than the low severity security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 2.1 and 3 which are in maintenance mode. Not vulnerable. Our testing found that this issue did not affect the versions of Kmail as shipped with Red Hat Enterprise Linux 2.1, 3, or 4. ** DISPUTED ** Sendmail classes the CipherList directive as "for future release"; currently unsupported and undocumented. Therefore the lack of support for the CipherList directive in various Red Hat products is not a vulnerability. Not vulnerable. The MadWiFi wireless driver is not shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. Not vulnerable. The MadWiFi wireless driver is not shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. Not vulnerable. The MadWiFi wireless driver is not shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. Not vulnerable. The MadWiFi wireless driver is not shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. We do not consider these to be security issues. For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php The memory_limit configuration option is used to constrain the amount of memory which a script can consume during execution. If this setting is disabled (or set unreasonably high), it is expected behaviour that scripts will be able to consume large amounts of memory during script execution. The memory_limit setting is enabled by default in all versions of PHP distributed in Red Hat Enterprise Linux and Application Stack. Red Hat does not consider a user assisted client crash such as this to be a security flaw. This issue did not affect the MySQL packages as shipped in Red Hat Enterprise Linux 2.1, 3, and 4 as they did not support INFORMATION_SCHEMA, introduced in MySQL version 5. MySQL packages as shipped in Red Hat Enterprise Linux 5 were fixed via: https://rhn.redhat.com/errata/RHSA-2008-0364.html The MySQL packages as shipped in Red Hat Application Stack v1 and v2 are based on upstream version which has the fix included. Not vulnerable. This issue did not affect the versions of the xterm package, as shipped with Red Hat Enterprise Linux 3, 4, and 5, and the version of the XFree86 (providing xterm) and hanterm-xf packages, as shipped with Red Hat Enterprise Linux 2.1. Not vulnerable. These issues did not affect the versions of pam as shipped with Red Hat Enterprise Linux 2.1, 3, or 4. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Not vulnerable. This issue did not affect the versions of dhcp as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. The Red Hat Security Response Team has rated this issue as having low security impact. The risks associated with fixing this bug are greater than the low severity security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 2.1, 3, 4, or 5: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2007-0062 This issue is the same as CVE-2007-5365. The affected dhcp versions were fixed via: https://rhn.redhat.com/errata/RHSA-2007-0970.html Not vulnerable. The affected code is in an optional module that is not shipped in Red Hat Enterprise Linux 2.1, 3, or 4. Red Hat does not consider this issue to be a security vulnerability. The pottential attacker has to send acknowledgement packets periodically to make server generate traffic. Exactly the same effect could be achieved by simply downloading the file. The statement that setting the TCP window size to arbitrarily high value would permit the attacker to disconnect and stop sending ACKs is false, because Red Hat Enterprise Linux limits the size of the TCP send buffer to 4MB by default. Some implementations of the PDF specification erroneously allow page tree objects that refer back to themselves. As a result, an infinite loop could be created. We believe this could only result in a denial of service against the application. We do not consider a user-assisted DoS of a client application to be a security issue. Not Vulnerable. This flaw is the result of an infinite recursion flaw in xpdf, which cannot result in arbitrary code execution. Not vulnerable. This issue does not affect the older versions of neon as shipped with Red Hat Enterprise Linux 2.1, 3, and 4. This issue also does not affect the older versions of neon included in the cadaver package. Not vulnerable. This issue did not affect the versions of slocate as shipped with Red Hat Enterprise Linux 2.1, 3, or 4. Not vulnerable. This issue did not affect the versions of libgtop as shipped with Red Hat Enterprise Linux 2.1 or 3. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. This flaw affects Red Hat Enterprise Linux 4 and is being tracked via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=249884 Not vulnerable. This issue did not affect Zope included within the conga package shipped with Red Hat Enterprise Linux 5. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. This issue did not affect the versions of squid as shipped with Red Hat Enterprise Linux 2.1, 3, or 4. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. This issue did not affect the versions of Squid as shipped with Red Hat Enterprise Linux 2.1, 3, or 4. We do not consider these to be security issues. For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php Not vulnerable. These issues did not affect Linux versions of Samba. Not vulnerable. These issues affect the AFS ACL module which is not distributed with Samba in Red Hat Enterprise Linux 2.1, 3, 4, or 5. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=234312 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ Not vulnerable. This issue did not affect the versions of ISC BIND as shipped with Red Hat Enterprise Linux 2.1, 3, or 4. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=225414 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ Red Hat does not consider this issue to be a security vulnerability. The user would have to voluntarily interact with the attack mechanism to exploit the flaw, and the result would be the ability to run code as themselves. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=228013 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=228013 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. Not vulnerable. Red Hat did not ship the incomplete patch for CVE-2006-5456 and is therefore not affected by this issue. Red Hat does not consider this issue to be a security vulnerability. On Red Hat Enterprise Linux processes that change their effective UID do not dump core by default when they receive a fatal signal. Therefore the NULL pointer dereference does not lead to an information leak. Red Hat does not consider this issue to be a security vulnerability. It is correct and expected behavior for xterm not to zero-fill its scrollback buffer upon reception of terminal clear excape sequence. We do not consider these to be security issues. For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php Not vulnerable. This flaw is a regression of the fix for CVE-2007-0906 affecting PHP version 5.2.1 only which results in any use of str_replace() causing a crash regardless of user input. These issues did not affect the versions of PHP as shipped with Red Hat Enterprise Linux 2.1, 3, or 4. This issue was fixed in php package updates for Red Hat Enterprise Linux and Red Hat Application Stack: http://rhn.redhat.com/cve/CVE-2007-1001.html This issue did not affect the versions of gd as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. Not vulnerable. This issue did not affect versions of libevent as shipped with Red Hat Enterprise Linux 5. The JBoss AS console manager should always be secured prior to deployment, as directed in the JBoss Application Server Guide and release notes. By default, the JBoss AS installer gives users the ability to password protect the console manager. If the user did not use the installer, the raw JBoss services will be in a completely unconfigured state and these steps should be performed manually: http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureJBoss Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-1199 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=232347 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ The phpinfo function should not be used in publically-accessible PHP scripts. Not vulnerable. This issue did not affect Xen as shipped with Red Hat Enterprise Linux 5. Not vulnerable. This issue did not affect Xen as shipped with Red Hat Enterprise Linux 5. We do not consider this flaw to be a security issue as it is only exploitable by the script author. No trust boundary is crossed. This flaw exists in versions of PHP as shipped in Red Hat Enterprise Linux 5 and Red Hat Application Stack 1. These issue did not affect the versions of PHP as shipped with Red Hat Enterprise Linux 2.1, 3, 4, Stronghold 4.0, or Red Hat Application Stack 2. The PHP interpreter does not offer a reliable "sandboxed" security layer (as found in, say, a JVM) in which untrusted scripts can be run; any script run by the PHP interpreter must be trusted with the privileges of the interpreter itself. We therefore do not classify this issue as security-sensitive since no trust boundary is crossed. Not vulnerable. These issues did not affect the versions of PHP as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5, Stronghold 4.0, or Red Hat Application Stack 1. Not vulnerable. These issues did not affect the versions of PHP as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5, Stronghold 4.0, or Red Hat Application Stack 1. Our previous fixes for CVE-2007-0906 included a patch that also addressed the issue now given CVE name CVE-2007-1380. For a full list of versions that contained a fix for this issue please see: https://rhn.redhat.com/cve/CVE-2007-1380.html Not vulnerable. These issues did not affect the versions of PHP as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5, Stronghold 4.0, or Red Hat Application Stack 1. The PHP interpreter does not offer a reliable "sandboxed" security layer (as found in, say, a JVM) in which untrusted scripts can be run; any script run by the PHP interpreter must be trusted with the privileges of the interpreter itself. We therefore do not classify this issue as security-sensitive since no trust boundary is crossed. Red Hat does not consider this to be a security vulnerability. Using import_request_variables() is generally a discouraged practice and it is improper use that can lead to security problems, not flaw of PHP itself. Not vulnerable. The zip extension was not shipped in versions of PHP provided for Red Hat Enterprise Linux 2.1, 3, 4, 5, Stronghold 4.0, or Red Hat Application Stack 1. Not vulnerable. PHP as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5 does not include Cracklib support. Not vulnerable. PHP as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5 does not include mssql support. Not vulnerable. PHP as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5 does not include ClibPDF support. Not vulnerable. The php-snmp package as shipped with Red Hat Enterprise Linux 4 and 5 use net-snmp which is not vulnerable to this issue. This issue did not affect mysql packages as shipped in Red Hat Enterprise Linux 2.1, 3, and 4. Issue was addressed in mysql packages as shipped in Red Hat Enterprise Linux 5 via: https://rhn.redhat.com/errata/RHSA-2008-0364.html Not vulnerable. The filter extension was not shipped in versions of PHP provided for Red Hat Enterprise Linux 2.1, 3, 4, 5, Stronghold 4.0, or Red Hat Application Stack 1. Not vulnerable. The filter extension was not shipped in versions of PHP provided for Red Hat Enterprise Linux 2.1, 3, 4, 5, Stronghold 4.0, or Red Hat Application Stack 1. Not vulnerable. The filter extension was not shipped in versions of PHP provided for Red Hat Enterprise Linux 2.1, 3, 4, 5, Stronghold 4.0, or Red Hat Application Stack 1. Not vulnerable. The zip extension was not shipped in versions of PHP provided for Red Hat Enterprise Linux 2.1, 3, 4, 5, Stronghold 4.0, or Red Hat Application Stack 1. The PHP interpreter does not offer a reliable "sandboxed" security layer (as found in, say, a JVM) in which untrusted scripts can be run; any script run by the PHP interpreter must be trusted with the privileges of the interpreter itself. We therefore do not classify this issue as security-sensitive since no trust boundary is crossed. Not vulnerable. PHP as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5 does not include ibase support. The PHP interpreter does not offer a reliable "sandboxed" security layer (as found in, say, a JVM) in which untrusted scripts can be run; any script run by the PHP interpreter must be trusted with the privileges of the interpreter itself. We therefore do not classify this issue as security-sensitive since no trust boundary is crossed. The PHP interpreter does not offer a reliable "sandboxed" security layer (as found in, say, a JVM) in which untrusted scripts can be run; any script run by the PHP interpreter must be trusted with the privileges of the interpreter itself. We therefore do not classify this issue as security-sensitive since no trust boundary is crossed. The PHP interpreter does not offer a reliable "sandboxed" security layer (as found in, say, a JVM) in which untrusted scripts can be run; any script run by the PHP interpreter must be trusted with the privileges of the interpreter itself. We therefore do not classify this issue as security-sensitive since no trust boundary is crossed. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=233592 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ We do not consider a crash of a client application such as Konqueror to be a security issue. The PHP interpreter does not offer a reliable "sandboxed" security layer (as found in, say, a JVM) in which untrusted scripts can be run; any script run by the PHP interpreter must be trusted with the privileges of the interpreter itself. We therefore do not classify this issue as security-sensitive since no trust boundary is crossed. The PHP interpreter does not offer a reliable "sandboxed" security layer (as found in, say, a JVM) in which untrusted scripts can be run; any script run by the PHP interpreter must be trusted with the privileges of the interpreter itself. We therefore do not classify this issue as security-sensitive since no trust boundary is crossed. This CVE name is a duplicate as the vulnerability is addressed by CVE-2007-0907. Not vulnerable. These issues did not affect the versions of PHP as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5, Stronghold 4.0, or Red Hat Application Stack 1. The PHP interpreter does not offer a reliable "sandboxed" security layer (as found in, say, a JVM) in which untrusted scripts can be run; any script run by the PHP interpreter must be trusted with the privileges of the interpreter itself. We therefore do not classify this issue as security-sensitive since no trust boundary is crossed. This CVE name is a duplicate as the vulnerability is addressed by CVE-2007-0910. Not vulnerable. PHP as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5, Red Hat Application Stack, and Stronghold 4.0 do not include PHPDoc support. We do not consider these to be security issues. For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=233581 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ This issue has no security impact. Not vulnerable. This issue did not affect the version of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. Not vulnerable. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. These attacks are reliant on an insecure configuration of the server - that the user the server runs as has write access to the document root. The suexec security model is not intented to protect against privilege escalation in such a configuration These attacks are reliant on an insecure configuration of the server - that the user the server runs as has write access to the document root. The suexec security model is not intented to protect against privilege escalation in such a configuration These attacks are reliant on an insecure configuration of the server - that the user the server runs as has write access to the document root. The suexec security model is not intented to protect against privilege escalation in such a configuration Not vulnerable. The zip extension was not distributed with PHP as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5, Stronghold 4.0, or Red Hat Application Stack 1. The PHP interpreter does not offer a reliable "sandboxed" security layer (as found in, say, a JVM) in which untrusted scripts can be run; any script run by the PHP interpreter must be trusted with the privileges of the interpreter itself. We therefore do not classify this issue as security-sensitive since no trust boundary is crossed. This CVE name is a duplicate as the vulnerability is addressed by CVE-2007-0906. The PHP interpreter does not offer a reliable "sandboxed" security layer (as found in, say, a JVM) in which untrusted scripts can be run; any script run by the PHP interpreter must be trusted with the privileges of the interpreter itself. We therefore do not classify this issue as security-sensitive since no trust boundary is crossed. Not vulnerable. This issue was specific to httpd version 2.2.4 and did not affect the versions of httpd as shipped with Red Hat Enterprise Linux 2.1, 3, 4 or 5. The PHP interpreter does not offer a reliable "sandboxed" security layer (as found in, say, a JVM) in which untrusted scripts can be run; any script run by the PHP interpreter must be trusted with the privileges of the interpreter itself. We therefore do not classify this issue as security-sensitive since no trust boundary is crossed. The PHP interpreter does not offer a reliable "sandboxed" security layer (as found in, say, a JVM) in which untrusted scripts can be run; any script run by the PHP interpreter must be trusted with the privileges of the interpreter itself. We therefore do not classify this issue as security-sensitive since no trust boundary is crossed. This CVE name is a duplicate as the vulnerability is addressed by CVE-2007-0906. We do not consider this flaw to be a security issue as it is only exploitable by the script author. No trust boundary is crossed. For more information please see: https://bugzilla.redhat.com/show_bug.cgi?id=mopb#c37 Not vulnerable. These issues did not affect the versions of PHP as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5, Stronghold 4.0, or Red Hat Application Stack 1. Not vulnerable. These issues did not affect the versions of PHP as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5, Stronghold 4.0, or Red Hat Application Stack 1. Not vulnerable. These issues did not affect the versions of PHP as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5, Stronghold 4.0, or Red Hat Application Stack 1. The PHP interpreter does not offer a reliable "sandboxed" security layer (as found in, say, a JVM) in which untrusted scripts can be run; any script run by the PHP interpreter must be trusted with the privileges of the interpreter itself. We therefore do not classify this issue as security-sensitive since no trust boundary is crossed. Not vulnerable. The filter extension was not shipped in the versions of PHP supplied for Red Hat Enterprise Linux 2.1, 3, 4, 5, Stronghold 4.0, or Red Hat Application Stack 1. Not vulnerable. These issues did not affect the versions of file as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. This issue affected Red Hat Enterprise Linux 4 and 5. Update packages were released to correct it via: http://rhn.redhat.com/errata/RHSA-2009-1471.html Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=236585 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235093 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ Not vulnerable. This issue is a flaw in the way Java and Quicktime interact. This issue did not affect Red Hat Enterprise Linux prior to version 5. An update to Red Hat Enterprise Linux 5 was released to correct this issue: https://rhn.redhat.com/errata/RHSA-2008-0297.html Not vulnerable. These issues did not affect the versions of BIND as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. Not vulnerable. OpenSSH supplied with Red Hat Enterprise Linux 2.1, 3, 4, and 5 does not contain S/KEY support. This issue was fixed in RealPlayer for Red Hat Enterprise Linux 3 Extras, 4 Extras, 5 Supplementary by RHSA-2007:0841 on 17th August 2007: http://rhn.redhat.com/errata/RHSA-2007-0841.html)on (Our original advisory did not mention this issue was fixed as the details of the issue were not made public by RealNetworks until 25th October 2007) This issue was fixed in RealPlayer for Red Hat Enterprise Linux 3 Extras, 4 Extras, 5 Supplementary by RHSA-2007:0841 on 17th August 2007: http://rhn.redhat.com/errata/RHSA-2007-0841.html)on (Our original advisory did not mention this issue was fixed as the details of the issue were not made public by RealNetworks until 25th October 2007) This issue does not affect lftp as supplied with Red Hat Enterprise Linux 3. This issue was addressed for Red Hat Enterprise Linux 5 by https://rhn.redhat.com/errata/RHSA-2009-1278.html The Red Hat Security Response Team has rated this issue as having low security impact, a future update to Red Hat Enterprise Linux 4 may address this flaw. Red Hat ship Axis in a number of products; however the installation path of Axis is fixed and deterministic, so this flaw does not disclose otherwise unknown information. We do not plan on issuing updates to fix this issue. Not vulnerable. This flaw is specific to Mac OS X and does not affect any version of Red Hat Enterprise Linux. Red Hat does not consider a user assisted client crash such as this to be a security flaw. Not vulnerable. These issues did not affect the versions of Samba as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-2448 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. Not vulnerable. Red Hat did not ship GNU locate in Red Hat Enterprise Linux 2.1, 3, 4, or 5. This issue does not affect the ’mlocate’ or ’slocate’ packages that are supplied with Red Hat Enterprise Linux. This issue did not affect the versions of the the Linux kernel supplied with Red Hat Enterprise Linux 2.1, 3, or 4. For systems based on Red Hat Enterprise Linux 5, this is only an issue for systems without a real time clock, harddrive activity, or user input during boot time. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=241718 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ This issue did not affect the versions of PHP as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or Red Hat Application Stack v2. Updates to correct this issue for Red Hat Enterprise Linux 5, and Red Hat Application Stack v1 are available at http://rhn.redhat.com/cve/CVE-2007-2510.html The PHP interpreter does not offer a reliable "sandboxed" security layer (as found in, say, a JVM) in which untrusted scripts can be run any script run by the PHP interpreter must be trusted with the privileges of the interpreter itself. This bug described in CVE-2007-2511 can only be triggered by a script author since no trust boundary is crossed, this issue is not treated as security-sensitive. Installation of a PEAR package from an untrusted source could allow malicious code to be installed and potentially executed by the root user. This is true regardless of the existence of this particular bug in the PEAR installer, so the bug would not be treated as security-sensitive. As when handling system RPM packages, the root user must always ensure that any packages installed are from a trusted source and have been packaged correctly. This issue did not affect mysql packages as shipped in Red Hat Enterprise Linux 2.1, 3, and 4. Issue was addressed in mysql packages as shipped in Red Hat Enterprise Linux 5 via: https://rhn.redhat.com/errata/RHSA-2008-0364.html Red Hat does not consider this flaw to have security consequences. For more details please see the following: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=240055 Updates for Red Hat Enterprise Linux are available from http://rhn.redhat.com/errata/RHSA-2007-0386.html Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-2691 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ This issue did not affect mysql packages as shipped in Red Hat Enterprise Linux 2.1, 3 and 4. Affected mysql packages as shipped in Red Hat Enterprise Linux 5 and Red Hat Application Stack were fixed via: https://rhn.redhat.com/errata/CVE-2007-2692.html Not vulnerable. These issues did not affect the versions of mysql as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. Not vulnerable. This issue did not affect versions of ghostscript as shipped with Red Hat Enterprise Linux 2.1, 3, 4 or 5 as they do not include a bundled JasPer library. Not vulnerable. This issue did not affect the versions of php as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5, or Red Hat Application Stack 1, or 2, as the packages shipped are not compiled with the mcrypt extension affected by this issue. Not vulnerable. This issue did not affect the versions of lcms as shipped with Red Hat Enterprise Linux 5. We do not consider this flaw to be a security issue as it is only exploitable by the script author. No trust boundary is crossed. This flaw exists in versions of PHP as shipped in Red Hat Enterprise Linux 5 and Red Hat Application Stack 1. These issue did not affect the versions of PHP as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or Red Hat Application Stack 2. Red Hat does not consider this flaw to be a security vulnerability. We are not aware of any long running processes using libgd which could not recover from this condition. Not vulnerable. OPIE for PAM is not shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. Red Hat does not consider a user-assisted crash of a user application such as Emacs to be a security issue. Not vulnerable. PHP is not built or supported in a multi-threaded environment in the packages distributed in Red Hat Enterprise Linux or Application Stack. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-2872 The Red Hat Security Response Team has rated this issue as having moderate security impact, a future update may address this flaw. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1 or 3. Not vulnerable. This issue did not affect Xen as shipped with Red Hat Enterprise Linux 5. Not vulnerable. This issu did not affect the versions of bind as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. Updates are available for Red Hat Enterprise Linux 2.1, 3, 4, and 5 to correct this issue: http://rhn.redhat.com/errata/RHSA-2007-0740.html Not vulnerable. This issue did not affect the versions of bind as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=248542 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ Not vulnerable. This issue did not affect version of Sylpheed as shipped with Red Hat Enterprise Linux 2.1. Sylpheed and claws-mail are not shipped with Red Hat Enterprise Linux 3, 4, or 5. We do not consider these to be security issues. For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php The Apache Software Foundation do not treat this as a security issue. A configuration change can be made to disable the ability to respond to HTTP TRACE requests if required. For more information please see: http://www.apacheweek.com/issues/03-01-24#news This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1 or 3. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1 or 3. This paper describes a possible side-channel attack that hasn’t been proven outside of a lab environment. In reality many factors would make this harder to exploit. If exploited, a local user could obtain RSA private keys (for example for web sites being run on the server). We have rated this as affecting Red Hat products with moderate security severity. Although the OpenSSL team have produced a patch for this issue, it is non-trivial and will require more testing before we can deploy it in a future update. Our current plan is as follows: - To include a backported fix in an OpenSSL update as part of Enterprise Linux 4.6. This will get testing via beta and give time for more extensive internal and upstream testing - To release an update for OpenSSL for other platforms at the same time as 4.6 is released http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-3108 Red Hat does not consider a user-assisted crash of a user application such as GIMP to be a security issue. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=252169 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. Not vulnerable. Mozilla is no longer shipped as part of any version of Red Hat Enterprise Linux. Mozilla was replaced by SeaMonkey in Red Hat Enterprise Linux by SeaMonkey which is not affected by this issue. Not vulnerable. Versions of sudo package shipped with Red Hat Enterprise Linux versions 2.1, 3, 4 and 5 are linked with PAM support and never use libkrb5 authentication. This is not a security vulnerability: it is the expected behaviour of parse_str when used without a second parameter. Red Hat does not consider this do be a security issue. dblink is disabled in default configuration of PostgreSQL packages as shipped with Red Hat Enterprise Linux versions 2.1, 3, 4 and 5, and it is a configuration decision whether to grant local users arbitrary access. Fixes to correct this bug were included in PostgreSQL updates: http:rhn.redhat.comcveCVE-2007-3278.html Red Hat does not consider this do be a security issue. Creating functions is intended feature of the PL/pgSQL language and is definitely not a security problem. Weak passwords are generally more likely to be guessed with brute force attacks and choosing a strong password according to good practices is considered to be a sufficent protection against this kind of attack. Red Hat does not consider this do be a security issue. The ability of the superuser to execute code on behalf of the database server is an intended feature and imposes no security threat as the superuser account is restricted to the database administrator. Not vulnerable. PHP is not complied with the tidy library as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5, or Red Hat Application Stack v1 or v2. Not a vulnerability. In the security model used by Apache httpd, the less-privileged child processes (running as the "apache" user) completely handle the servicing of new connections. Any local user who is able to run arbitrary code in those children is therefore able to prevent new requests from being serviced, by design. Such users will also be able to "simulate" server load and force the parent to create children up to the configured limits, by design. Not vulnerable. This issue did not affect the versions of avahi as shipped with Red Hat Enterprise Linux 5. Not vulnerable, Red Hat do not ship the Lhaca file archiver. Note that an identical flaw was found affecting the lha file archiver in 2004, CVE-2004-0234. This issue was corrected by security update RHSA-2004:178 for Red Hat Enterprise Linux 2.1 and 3. Red Hat Enterprise Linux 4 was not vulnerable as it contained a backported patch to correct this issue from release. http://rhn.redhat.com/errata/RHSA-2004-178.html We do not consider this to be security issues. For more details see: http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1 or 3. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-3472 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-3473 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. This issue did not affect the versions of gd as shipped with Red Hat Enterprise Linux 2.1 or 3 as they did not offer GIF image support. We do not plan to backport a fix for this issue to the gd packages as shipped in Red Hat Enterprise Linux 4 and 5 due to the low likelihood of an application affected by this problem being exposed in a way that would allow a trust boundary to be crossed. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-3475 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-3476 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. Due to the minimal impact of this flaw (temporary DoS by high CPU usage) and low likelihood of this problem being exposed in a way that would allow trust boundary crossing, we currently do not plan to backport a fix for this issue to the versions of gd as shipped in Red Hat Enterprise Linux 2.1, 3, 4 or 5. We currently do not plan to backport a fix for this issue to gd packages in current versions of Red Hat Enterprise Linux 2.1, 3, 4, and 5 due to the low likelihood of and application affected by this problem being exposed in a way that would allow trust boundary to be crossed. Not vulnerable. These issues did not affect the versions of freetype as shipped with Red Hat Enterprise Linux 2.1, 3, or 4. After careful analysis by Red Hat and several Glibc developers, it has been determined that this bug is not exploitable. For more information please see Red Hat Bugzilla bug #247208 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=247208 This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, or 4. Not vulnerable. The curl packages as shipped with Red Hat Enterprise Linux versions 2.1, 3, 4 and 5 are not linked against the gnutls library. Red Hat does not consider bugs which result in a user-assisted crash of end user application to be a security issue. Not vulnerable. This plugin is not shipped with Squirrelmail in Red Hat Enterprise Linux. Not vulnerable. This plugin is not shipped with Squirrelmail in Red Hat Enterprise Linux. Not vulnerable. This plugin is not shipped with Squirrelmail in Red Hat Enterprise Linux. Not vulnerable. These issues did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. The Red Hat Security Response Team has rated this issue as having moderate security impact. The risks associated with fixing this bug are greater than the moderate severity security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 3, 4, 5, and Red Hat Enterprise MRG. Not vulnerable. libsilc was not shipped with Enterprise Linux 2.1 or 3. This issue did not affect the versions of libsilc as shipped with Red Hat Enterprise Linux 4 or 5. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, or 4. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1 or 3. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=248553 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=248553 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. Not vulnerable. This flaw is specific to PHP on Windows. This issue does not affect the version of tcpdump shipped in Red Hat Enterprise Linux 2.1 or 3. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=250275 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-3799 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. Not vulnerable. This issue only affected PHP on Windows platforms. This issue did not affect Red Hat Enterprise Linux 2.1 or 3. For Red Hat Enterprise Linux 4 and 5, Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=248537 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1 or 3. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=250648 The Red Hat Security Response Team has rated this issue as having moderate security impact, a future update may address this flaw. Not vulnerable. This issue does not affect the versions of Firefox or Thunderbird as shipped with Red Hat Enterprise Linux. This issue did not affect the versions of sysstat as shipped with Red Hat Enterprise Linux 2.1, 3, or 4. For Red Hat Enterprise Linux 5, Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=251200 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-3919 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. This issue affected Red Hat Enterprise Linux 5 with a low security impact. An update to the compiz package was released to correct this issue: https://rhn.redhat.com/errata/RHSA-2008-0485.html Red Hat does not consider a user assisted client crash such as this to be a security flaw. Not vulnerable. fsplib is part of gftp in Red Hat Enterprise Linux 5, but this issue does not affect Linux. We do not consider these to be security issues. For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php This issue did not affect the versions of PHP as shipped with Red Hat Enterprise Linux 2.1. Not vulnerable. Versions of PHP packages as shipped with current Red Hat products are not linked with t1lib. Not vulnerable. This issue does not affect the versions of Firefox or Thunderbird as shipped with Red Hat Enterprise Linux. Not vulnerable. This issue does not affect the versions of Firefox or Thunderbird as shipped with Red Hat Enterprise Linux. The CVE description for this bug is incorrect. The backported patch for CVE-2007-2447 missed the character ’c’ in the shell escaping whitelist of allowed characters, therefore not allowing commands with a ’c’ in them to be executed. This is therefore a regression bug and not a security vulnerability. The Red Hat Security Response Team has rated this issue as having low security impact. Updates to correct this are available: https://rhn.redhat.com/cve/CVE-2007-4045.html Not vulnerable. This is a rediscovery and therefore a duplicate of CVE-2000-1205 which was corrected in upstream Apache httpd 1.3.11. Not vulnerable. This flaw did not affect Red Hat Enterprise Linux 2.1, 3, or 4 due to the version of rsync. This flaw does exist in Red Hat Enterprise Linux 5, but due to the nature of the flaw it is not exploitable with any security consequence due to stack-protector. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, or 4. Not vulnerable. These issues did not affect the versions of Samba as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. These issues did not affect the dovecot versions as shipped with Red Hat Enterprise Linux 2.1, 3, or 4. An update to Red Hat Enterprise Linux 5 was released to correct this issue: https://rhn.redhat.com/errata/RHSA-2008-0297.html Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=251708 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. Not vulnerable. Not vulnerable. These issues did not affect the versions of konqueror as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. Red Hat does not consider a crash of a client application such as Konqueror to be a security flaw. Red Hat does not consider this flaw a security issue. This flaw will only crash OpenOffice.org if a victim opens a malicious document. Not vulnerable. PHP packages as shipped with Red Hat Enterprise Linux versions 2.1, 3, 4, and 5 are not compiled with msql library and are not vulnerable to this issue. Vulnerable. This issue affected the CUPS packages in Red Hat Enterprise Linux 5. This issue also affected the versions of CUPS packages in Red Hat Enterprise Linux 3 and 4, but exploitation would only lead to a possible denial of service. Updates are available from https://rhn.redhat.com/cve/CVE-2007-4351.html This is actually a flaw in browsers that do not derive the response character set as required by RFC 2616. This does not affect the default configuration of Apache httpd in Red Hat products and will only affect customers who have removed the "AddDefaultCharset" directive and are using directory indexes. The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-4465 Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-4476 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. Not vulnerable. This issue did not affect the versions of php as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5, or Red Hat Application Stack 1. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=263261 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ This issue was addressed in fetchmail packages as shipped in Red Hat Enterprise Linux 3, 4, and 5 via: https://rhn.redhat.com/errata/RHSA-2009-1427.html Not vulnerable. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. Please note this issue only affected Linux kernel versions after 2.6.20 and was fixed in 2.6.22-rc1. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-4568 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1 or 3. This issue affected users who were running 64-bit versions of Red Hat Enterprise Linux 3, 4, or 5 on x86_64 architecture. It did not affect users of Red Hat Enterprise Linux 2.1. Updates are available for Red Hat Enterprise Linux 3, 4, and 5 to correct this issue. New kernel packages along with our advisory are available at the URL below as well as via the Red Hat Network. http://rhn.redhat.com/errata/CVE-2007-4573.html Not vulnerable. This issue did not affect the version of IrcII as shipped with Red Hat Enterprise Linux 2.1. IrcII was not shipped in Enterprise Linux 3, 4, or 5. Not vulnerable. This issue did not affect the versions of RealPlayer as shipped with Red Hat Enterprise Linux 3 Extras, 4 Extras, or 5 Supplementary. Not vulnerable. This issue was specific to a patch from Debian project and did not affect versions of tcp_wrappers packages as shipped with Red Hat Enterprise Linux. We do not consider these to be security issues. For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php The only effect of this bug is to cause the process to read from a random segment of memory, if a large "length" parameter is passed to the strspn/strcspn function, which is under the control of the script author. This bug has no security impact. This issue did not affect the versions of PHP as shipped with Red Hat Enterprise Linux 2.1. Not vulnerable. These issues did not affect the versions of PHP as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5 or Red Hat Application Stack v1. Not vulnerable. Red Hat did not include an incomplete fix for CVE-2007-2872 for PHP in Red Hat Enterprise Linux or Red Hat Application Stack. This bug can only be triggered by supplying a non-default openssl.conf configuration file, which is entirely under the control of the script author or server administrator, and hence is not a security issue. We do not consider these to be security issues. For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php Duplicate of CVE-2007-6113. This flaw was fixed for Red Hat Enterprise Linux 4 in RHSA-2007-0898: https://rhn.redhat.com/errata/RHSA-2007-0898.html Red Hat Enterprise Linux 5 is not affected by this flaw. More information can be found here: https://bugzilla.redhat.com/show_bug.cgi?id=285991 Red Hat Enterprise Linux 2.1 and 3 do not support the composite extension and are not vulnerable to this flaw. This issue did not affect the OpenSSH packages as distributed with Red Hat Enterprise Linux 2.1 or 3, as they do not support Trusted X11 forwarding. For Red Hat Enterprise Linux 4 and 5, this issue was addressed via: https://rhn.redhat.com/errata/RHSA-2008-0855.html We do not consider this to be a security issue. For more information please see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php We do not consider this to be a security issue. For more information please see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php We do not consider this to be a security issue. For more information please see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php We do not consider this to be a security issue. For more information please see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=285691 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. The Red Hat Security Response Team does not consider this bug to be a security issue. It is not suggested behavior to extract archives from untrusted sources without prior inspection of the archive contents. We do not consider this to be a security issue. For more information please see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php Not vulnerable. This flaw does not affect the Linux version of Firefox. Not vulnerable. There is no support for jffs2 in the Linux kernel as distributed with Red Hat Enterprise Linux 2.1 or 3. There is no ACL support for jffs2 in the Linux kernel as distributed with Red Hat Enterprise Linux 4 or 5. We do not consider these to be security issues. For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php The argument passed to the dl() function must always be under the control of the script author. We therefore do not consider this to be a security issue. We do not consider these to be security issues. For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php We do not consider a crash of a client application such as RealPlayer or Helix Player to be a security issue. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=295971 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ Note: As the address of the overwritten byte is not under attacker’s control, the worst impact his bug could have is an application crash. It can not be exploited to execute arbitrary code. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-4990 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. This issue did not affect the versions of OpenSSL as shipped with Red Hat Enterprise Linux 2.1, 3, or 4. An update to correct this issue for Enterprise Linux 5 is available. http://rhn.redhat.com/cve/CVE-2007-4995.html Please note that the CVE description is incorrect, this issue did not affect upstream versions of OpenSSL prior to 0.9.8. Not vulnerable. These issues did not affect the versions of Pidgin or Gaim as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. This issue affects the busybox package in Red Hat Enterprise Linux 2.1, 3, 4, and 5, This issue affects the fileutils package in Red Hat Enterprise Linux 2.1. This issue affects the coreutils package in Red Hat Enterprise Linux 3. The coreutils package in Red Hat Enterprise Linux 4 and 5 are not vulnerable to this issue. Given this issue has minimal risk we do not intend to issues updates to correct this issue in affected versions of Red Hat Enterprise Linux. For more information please see: https://bugzilla.redhat.com/show_bug.cgi?id=356471 Not vulnerable. This issue did not affect the versions of Pidgin or Gaim as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. Not vulnerable. This issue did not affect version of balsa as shipped with Red Hat Enterprise Linux 2.1. According to Abobe this issue affects only the Windows platform and therefore does not affect Adobe Acrobat Reader as distributed with Red Hat Enterprise Linux Extras. http://www.adobe.com/support/security/advisories/apsa07-04.html Not vulnerable. These issues did not affect the versions of Firefox as shipped with Red Hat Enterprise Linux. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=181302 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ Not vulnerable. This issue did not affect the versions of RealPlayer as shipped with Red Hat Enterprise Linux 3 Extras, 4 Extras, or 5 Supplementary. This issue was fixed in RealPlayer for Red Hat Enterprise Linux 3 Extras, 4 Extras, 5 Supplementary by RHSA-2007:0841 on 17th August 2007: http://rhn.redhat.com/errata/RHSA-2007-0841.html)on (Our original advisory did not mention this issue was fixed as the details of the issue were not made public by RealNetworks until 25th October 2007) Not vulnerable. These issues did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-5137 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. Updates are available to address this issue: https://rhn.redhat.com/errata/RHSA-2007-0969.html Not vulnerable. These issues do not affect Linux versions of Sun JDK or JRE. Not vulnerable. These issues did not affect the versions of Sun JDK as shipped with Red Hat Enterprise Linux Extras 4 or 5. Not vulnerable. This issue did not affect the versions of libpng and libpng10 as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. Not vulnerable. This issue did not affect the versions of libpng and libpng10 as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. Not vulnerable. This issue did not affect the versions of libpng and libpng10 as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-5333 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. Not vulnerable. This issue did not affect versions of tog-pegasus as shipped with Red Hat Enterprise Linux 4, or 5. For more details see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2007-5360 Not vulnerable. Red Hat Enterprise Linux 2.1, 3, and 4 did not include the Tramp extension with Emacs. The version of Tramp included with Emacs in Red Hat Enterprise Linux 5 was not vulnerable to this issue. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-5378 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. Red Hat does not consider this to be a security issue. The function behaves as documented. Furthermore, the function shouldn’t be considered a security feature, for reasons described at https://bugzilla.redhat.com/show_bug.cgi?id=332451#c3 and http://www.php.net/security-note.php Not vulnerable. The versions of bind as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5 do not support GSS-TSIG and are not linked with libgssapi library. Not vulnerable. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. Not vulnerable. This vulnerability only affected the OpenSSL FIPS Object Module which is not enabled or used by OpenSSL in Red Hat Enterprise Linux 2.1, 3, 4, or 5. Not vulnerable. This issue did not affect versions of RealPlayer as shipped with Red Hat Enterprise Linux 3 and 4 Extras or with Red Hat Enterprise Linux 5 Supplementary. Not vulnerable. These issues did not affect PHP on Linux. Not vulnerable. This issue did not affect the versions of OpenLDAP as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. Not vulnerable. This issue did not affect Xen as shipped with Red Hat Enterprise Linux 5. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-5729 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. Not vulnerable. This issue did not affect versions of plone included in conga/luci packages as shipped with Red Hat Enterprise Linux 5 or Red Hat Cluster Suite for Red Hat Enterprise Linux 4. Red Hat does not consider a user assisted client crash such as this to be a security flaw. Not vulnerable. This issue did not affect versions of Emacs as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. Not vulnerable. This issue did not affect versions of geronimo-specs packages as shipped Red Hat Enterprise Linux 5, Red Hat Application Stack, Red Hat Application Server, Red Hat Directory Server and Red Hat Certificate System, as the geronimo-specs package only contains the specification of the Apache Geronimo Server’s services and interfaces and not the vulnerable J2EE server classes. Not vulnerable. After a detailed analysis of this flaw, it has been determined that it is not exploitable on Red Hat Enterprise Linux 3, 4, or 5. For more information please see: https://bugzilla.redhat.com/show_bug.cgi?id=415141 Not vulnerable. This flaw does not affect the version of CUPS shipped in Red Hat Enterprise Linux 3 or 4. After a detailed analysis of this flaw, it has been determined it does not pose a security threat on Red Hat Enterprise Linux 5. For more details regarding this analysis, please see: https://bugzilla.redhat.com/show_bug.cgi?id=415131 This issue is not a vulnerability, for more information see http://marc.info/?m=119743235325151 Red Hat does not consider this flaw a security issue. This flaw is not exploitable and can only cause a client to stop responding or crash. This issue was fixed in all affected PHP versions shipped in Red Hat products. For list of security advisories, visit: https://rhn.redhat.com/errata/CVE-2007-5898.html The PHP interpreter does not offer a reliable "sandboxed" security layer (as found in, say, a JVM) in which untrusted scripts can be run; any script run by the PHP interpreter must be trusted with the privileges of the interpreter itself. We therefore do not classify this issue as security-sensitive since no trust boundary is crossed. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-5901 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. This issue is not a practical vulnerability, for more information see http://marc.info/?m=119743235325151 Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-5935 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-5936 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-5937 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-5963 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. Not vulnerable. This issue did not affect versions of qt or qt4 packages as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, and 4. It was addressed in Red Hat Enterprise Linux 5 and Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2009-1193.html, and https://rhn.redhat.com/errata/RHSA-2008-0585.html respectively. Not vulnerable. This issue did not affect the mysql packages as shipped in Red Hat Enterprise Linux 2.1, 3, 4, 5, Red Hat Application Stack v1, and v2, as the versions shipped do not support table partitioning. The partitioning feature was introduced in development MySQL version 5.1. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-5971 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. See http://marc.info/?m=119743235325151 This issue is not a vulnerability, for more information see http://marc.info/?m=119743235325151 Not vulnerable. This issue did not affect the versions of wpa_supplicant as shipped with Red Hat Enterprise Linux 4 and 5. Red Hat doesn’t consider this a security issue. The arguments to the functions in question should always be under the control of the script author, rather than untrusted script input, so these issues would not be treated as security-sensitive. Red Hat does not consider this issue to be a security vulnerability since no trust boundary is crossed. The user must voluntarily interact with the attack mechanism to exploit this flaw, with the result being the ability to run code as themselves. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-6113 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. Red Hat does not consider this to be a security issue. Versions of rsync as shipped with Red Hat Enterprise Linux 2.1, 3, 4 and 5 behave as expected and that behavior was well documented. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-6200 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. Red Hat does not consider this issue to be a vulnerability. In order to exploit this for cross-site scripting, the attacker would have to get the victim to supply an arbitrary malformed HTTP method to a target site. Not vulnerable. These issues did not affect the versions of the zsh package as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. Xen and KVM, as shipped with Red Hat Enterprise Linux 5 by default use only peripheral device emulation of QEMU and are therefore not vulnerable to this issue. Red Hat does not consider this a security issue. The downloading of arbitrary files will be harmless unless there is a vulnerability in the application handling these other filetypes. This flaw is not exploitable to run arbitrary code and can only cause an application crash. Red Hat does not consider a crash of the flac application or applications that use flac libraries such as media players to be a security issue. An update to Red Hat Enterprise Linux 5 was released to correct this issue: https://rhn.redhat.com/errata/RHSA-2008-0300.html Not Vulnerable. Red Hat does not ship a version of Apache Tomcat that enables the native APR connector. This issue did not affect the mysql packages as shipped in Red Hat Enterprise Linux 2.1, 3, 4, or 5. This issue affected the mysql packages as shipped in Red Hat Application Stack v1 and v2 and was addressed by RHSA-2007:1157: http://rhn.redhat.com/errata/RHSA-2007-1157.html Not vulnerable. The MySQL versions as shipped in Red Hat Enterprise Linux 2.1, 3, and 4 do not support federated storage engine. The MySQL package as shipped in Red Hat Enterprise Linux 5, Red Hat Application Stack v1, and Red Hat Application Stack v2 are not compiled with support for federated storage engine. Not vulnerable. This issue did not affect the versions of MySQL as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. Red Hat does not consider this flaw to be a security issue. For more information please see: https://bugzilla.redhat.com/show_bug.cgi?id=426437 The versions of SquirrelMail packages shipped in Red Hat Enterprise Linux 3, 4, and 5 were not affected by this issue. In addition, the Red Hat Security Response Team have verified that the malicious code is not part of released Red Hat Enterprise Linux squirrelmail packages. Not vulnerable. Red Hat Enterprise Linux versions 2.1, 3, 4 and 5 do not ship with the alternate pdftops.pl CUPS printing filter that is affected by this flaw. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and Red Hat Enterprise MRG. It was addressed in Red Hat Enterprise Linux 5 via: https://rhn.redhat.com/errata/RHSA-2008-0885.html mod_proxy_balancer is shipped in Red Hat Enterprise Linux 5 and Red Hat Application Stack v2. We do not plan on correcting this issue as it poses a very low security risk: The balancer manager is not enabled by default, the user targeted by the CSRF would need to be authenticated, and the consequences of an exploit would be limited to a web server denial of service. mod_proxy_balancer is included in the version of Apache HTTP Server as shipped in Red Hat Enterprise Linux 5 and Red Hat Application Stack v2. Red Hat was unable to reproduce this issue. Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5 or Red Hat Enterprise MRG. Old versions of the Linux 2.4 kernel allowed the lookup of names containing backslashes over smbfs -- so there were multiple names which would reference any particular file, allowing the bypass of Apache controls such as AddType. Not vulnerable. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, or 5. This issue was corrected with a backported patch for Red Hat Enterprise Linux 2.1 by RHSA-2007:0672. https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2007-6514 Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-6591 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/#low This issue did not affect versions of Dovecot as shipped with Red Hat Enterprise Linux before version 5. An update to Red Hat Enterprise Linux 5 was released to correct this issue: https://rhn.redhat.com/errata/RHSA-2008-0297.html Red Hat does not consider this flaw a security issue. This flaw is not exploitable beyond causing the web browser to crash. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-6720 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ Not vulnerable. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. Not vulnerable. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. NVD clarification: To exploit this flaw an attacker needs to print a malicious file through the vulnerable filter (either themselves or by convincing a victim to do so), it should therefore be AC:M In CUPS, print filters run as an unprivileged user no superuser (root), therefore this should be scored C:P, I:P, A:P This issue did not affect the versions of GNU libc as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. This issue affects the versions of libbind as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5, however the vulnerable function is not used by any shipped applications. The Red Hat Security Response Team has therefore rated this issue as having low security impact, a future update may address this flaw. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-0122 An update to Red Hat Enterprise Linux 5 was released to correct this issue: https://rhn.redhat.com/errata/RHSA-2008-0300.html Red Hat does not consider this to be a security issue. Regression introduced break glob() functionality, but does not bypass security restrictions. Furthermore, "open_basedir" bypass issues are not treated as security sensitive as described at https://bugzilla.redhat.com/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php Not vulnerable. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. Not vulnerable. This flaw was caused by a third-party vendor patch to the OpenSSL library. This patch has never been used by Red Hat, and this issue therefore does not affect any Fedora, Red Hat, or upstream supplied OpenSSL packages. This issue did not affect the version of boost as shipped with Red Hat Enterprise Linux 4. For Red Hat Enterprise Linux 5, Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-0171 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. This issue did not affect the version of boost as shipped with Red Hat Enterprise Linux 4. For Red Hat Enterprise Linux 5, Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-0172 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. Not vulnerable. This issue did not affect versions of MySQL as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5, Red Hat Application Stack v1, and v2, as they are not built with yaSSL support. Not vulnerable. This issue did not affect versions of MySQL as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5, Red Hat Application Stack v1, and v2, as they are not built with yaSSL support. Not vulnerable. These issues did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-0414 The Red Hat Security Response Team has rated this issue as having moderate security impact, a future updates will address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ We do not consider this issue to be security sensitive. Untrusted users should not be permitted to upload files to the directories from where they can be directly served by the web server without prior careful sanitation of both contents and filename. We do not consider this issue to be security sensitive. Untrusted users should not be permitted to upload files to the directories from where they can be directly served by the web server without prior careful sanitation of both contents and filename. We believe this issue is a duplicate of CVE-2007-5360. Not vulnerable. This issue did not affect versions of tog-pegasus as shipped with Red Hat Enterprise Linux 4, or 5. For more details see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2007-5360 Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=431526 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ Not vulnerable. This does not affect the versions of Firefox or SeaMonkey shipped in Red Hat Enterprise Linux. Not vulnerable. This issue did not affect the versions of PHP as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5, and Red Hat Application Stack v1. For Red Hat Application Stack v2, issue was addressed via: https://rhn.redhat.com/errata/RHSA-2008-0505.html This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4. Updated kernel packages are available to correct this issue for Red Hat Enterprise Linux 5: https://rhn.redhat.com/errata/RHSA-2008-0129.html Not vulnerable. This issue did not affect the versions of PCRE as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-0883 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. Not vulnerable. This issue did not affect the versions of OpenSSL as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. Not vulnerable. This issue did not affect versions of pax as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. Not vulnerable. This issue did not affect versions of pcre as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. Not vulnerable. This issue did not affect the versions of cups as shipped with Red Hat Enterprise Linux 3, 4, or 5. The affected version of Wireshark as shipped in Red Hat Enterprise Linux 3, 4, and 5 were fixed via: https://rhn.redhat.com/errata/RHSA-2008-0890.html The affected version of Wireshark as shipped in Red Hat Enterprise Linux 3, 4, and 5 were fixed via: https://rhn.redhat.com/errata/RHSA-2008-0890.html The affected version of Wireshark as shipped in Red Hat Enterprise Linux 3, 4, and 5 were fixed via: https://rhn.redhat.com/errata/RHSA-2008-0890.html The risks associated with fixing this bug are greater than the low severity security risk.We therefore currently have no plans to fix this flaw in Red HatEnterprise Linux. For more information please see the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=435420 Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-1142 This issue does not affect Red Hat Enterprise Linux 3, 4, or 5. The Red Hat Security Response Team has rated this issue as having low security impact. Due to the minimal security consequences of this issue, we do not intend to fix this in Red Hat Enterprise Linux 2.1. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ This issue was addressed in affected versions of Ruby as shipped in Red Hat Enterprise Linux 4 and 5 via: https://rhn.redhat.com/errata/RHSA-2008-0897.html Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-1198 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-1199 This issue does not affect the default configuration of Dovecot as shipped in Red Hat Enterprise Linux. The Red Hat Security Response Team has rated this issue as having moderate security impact, a future update may address this flaw. An update to Red Hat Enterprise Linux 5 was released to correct this issue: https://rhn.redhat.com/errata/RHSA-2008-0297.html Not vulnerable. This issue did not affect versions of Dovecot as shipped with Red Hat Enterprise Linux 4 or 5. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and Red Hat Enterprise MRG. It was addressed in Red Hat Enterprise Linux 5 via: https://rhn.redhat.com/errata/RHSA-2008-0612.html Not vulnerable. This issue did not affect versions of RealPlayer as shipped with Red Hat Enterprise Linux 3 Extras, 4 Extras, or 5 Supplementary. Not vulnerable. This issue did not affect the versions of dhcp as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. Red Hat has re-evaluated the potential impact of this flaw and has released an update which corrects this behavior: http://rhn.redhat.com/errata/RHSA-2008-0893.html Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-1382 This issue does not affect the version of libpng as shipped with Red Hat Enterprise Linux 3. Updates for affected versions of Red Hat Enterprise Linux can be found here: http://rhn.redhat.com/errata/RHSA-2009-0333.html Red Hat do not consider this to be a security vulnerability: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-1384 Red Hat does not consider this to be a security issue. Properly written application should not use arbitrary untrusted data as part of the format string passed to functions as strfmon or printf family functions. http://rhn.redhat.com/errata/RHSA-2008-0533.html Versions of openssh packages as shipped with Red Hat Enterprise Linux 4, and 5 were not vulnerable to this issue as it was mitigated as a side effect of another change. Red Hat Enterprise Linux 2.1 and 3 are affected by this issue. The Red Hat Security Response Team has rated this issue as having low security impact. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-1483 This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 5, and Red Hat Enterprise MRG. It was addressed in Red Hat Enterprise Linux 4 via: https://rhn.redhat.com/errata/RHSA-2008-0972.html Not vulnerable. This issue does not affect the versions of gnupg packages as shipped with Red Hat Enterprise Linux versions 2.1, 3, 4 or 5. Red Hat does not consider this issue to be a security flaw as SILC is not used in a vulnerable manner in Red Hat Enterprise Linux 4 and 5. More information can be found here: https://bugzilla.redhat.com/show_bug.cgi?id=440049 The affected version of Wireshark as shipped in Red Hat Enterprise Linux 3, 4, and 5 were fixed via: https://rhn.redhat.com/errata/RHSA-2008-0890.html The affected version of Wireshark as shipped in Red Hat Enterprise Linux 3, 4, and 5 were fixed via: https://rhn.redhat.com/errata/RHSA-2008-0890.html The affected version of Wireshark as shipped in Red Hat Enterprise Linux 3, 4, and 5 were fixed via: https://rhn.redhat.com/errata/RHSA-2008-0890.html Red Hat does not consider this libTIFF bug to be a security issue. This issue did not affect the audit packages as shipped with Red Hat Enterprise Linux 4. Red Hat is not treating this issue as a security vulnerability for Red Hat Enterprise Linux 5 as no application used the affected interface, and the only result is a controlled application termination as the overflow is detected by the FORTIFY_SOURCE protection mechanism. We plan to address this as non-security bug fix in updated audit packages for Red Hat Enterprise Linux 5.2. For further details, please see: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-1628 Not vulnerable. These issues did not affect the versions of OpenSSH as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. Not vulnerable. This flaw does not affect teh version of wu-ftpd as shipped in Red Hat Enterprise Linux 2.1. Not vulnerable. This issue did not affect versions of KDE as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. Not vulnerable. This issue did not affect versions of KDE as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. Not vulnerable. This issue did not affect the versions of OpenSSL as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2, 3, 4, 5 or Red Hat Enterprise MRG. The but existed on Red Hat Enterprise Linux 3, 4, and 5. However, this is only a security issue if the SLOB or SLUB memory allocators were used (introduced in Linux kernel versions 2.6.16 and 2.6.22, respectively). All Red Hat Enterprise Linux and Red Hat Enterprise MRG kernels use the SLAB memory allocator, which in this case, cannot be exploited to allow arbitrary code execution. As a preventive measure, the underlying bug was addressed in Red Hat Enterprise Linux 3, 4, and 5, via the advisories RHSA-2008:0973, RHSA-2008:0508, and RHSA-2008:0519, respectively. Not vulnerable. This issue did not affect versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. Not vulnerable. This issue did not affect the versions of mod_ssl or httpd as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5 prior to 5.3. In Red Hat Enterprise Linux 5.3, OpenSSL packages were rebased to upstream version 0.9.8e via RHBA-2009:0181 (https://rhn.redhat.com/errata/RHBA-2009-0181.html), introducing this problem in Red Hat Enterprise Linux 5. Updated httpd packages were released via: https://rhn.redhat.com/errata/RHSA-2009-1075.html Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-1679 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ The Red Hat Security Response Team is aware of this new gcc behavior and is currently working to determine what impact these changes will have on the source code processed by the compiler. These changes do not affect Red Hat Enterprise Linux 2, 3, 4, or 5. Red Hat does not consider this to be a security issue. After careful analysis of this issue the Red Hat Security Response Team has determined that this bug has no security impact outside of expected m4 behavior. Red Hat does not consider this to be a security issue. After careful analysis of this issue the Red Hat Security Response Team has determined that this bug has no security impact outside of expected m4 behavior. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-1694 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ Not vulnerable. This issue did not affect versions of rsync as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=442005 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ Not vulnerable. This issue did not affect the versions of rdesktop as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-1891 The risks associated with fixing this flaw outweigh the benefits of the fix. Red Hat does not plan to fix this flaw in Red Hat Enterprise Linux. Red Hat is aware of this issue affecting Red Hat Enterprise Linux 5 and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-1926 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. This issue has been addressed in Red Hat Enterprise Linux 4 with the following update: https://rhn.redhat.com/errata/RHSA-2009-0981.html This is not a security flaw in Struts. Struts has never guaranteed to perform filtering of the untrusted user inputs used as html tag attributes names or values. If user inputs need to be used as part of the tag attributes, the JSP page needs to perform filtering explicitly. For further details, see: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-2025 This issue does not affect the version of PHP shipped in Red Hat Enterprise Linux 2.1, 3, or 4. We do not consider this issue to be a security flaw for Red Hat Enterprise Linux 5 since no trust boundary is crossed. More information can be found here: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-2050 This issue did not affect MySQL as supplied with Red Hat Enterprise Linux 3. This issue was addressed for Red Hat Enterprise Linux 4, 5, and Red Hat Application Stack v1, v2: https://rhn.redhat.com/cve/CVE-2008-2079.html Not vulnerable. Red Hat Enterprise Linux 2.1, 3, 4, and 5 do not ship for the SPARC architecture. This is actually a flaw in browsers that do not derive the response character set as required by RFC 2616. This does not affect the default configuration of Apache httpd in Red Hat products and will only affect customers who have removed the "AddDefaultCharset" directive. https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-2168 Not vulnerable. This issue does not affect the version of c++filt as shipped with binutils in Red Hat Enterprise Linux 3 or 4. Although this bug is present in the version of c++filt as shipped with binutils in Red Hat Enterprise Linux 5, the format string protection from FORTIFY_SOURCE makes this unexploitable. Not vulnerable. This issue did not affect the versions of python as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. Affected module was only introduced upstream in python 2.5. This issue does not affect the versions of mtr as shipped with Red Hat Enterprise Linux 4 or 5. For Red Hat Enterprise Linux 2.1 and 3, this issue can only be exploited if an attacker can convince victim to use mtr to trace path to or via the IP, for which an attacker controls PTR DNS records. Additionally, the victim must run mtr in "split mode" by providing -p or --split command line options. The Red Hat Security Response Team has therefore rated this issue as having low security impact, a future update may address this flaw. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and Red Hat Enterprise MRG. It was addressed in Red Hat Enterprise Linux 5 via: https://rhn.redhat.com/errata/RHSA-2008-0519.html Not vulnerable. This issue did not affect the versions of pan as shipped with Red Hat Enterprise Linux 2.1. No other versions of Red Hat Enterprise Linux have shipped Pan. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-2364 The Red Hat Security Response Team has rated this issue as having moderate security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ Not vulnerable. This issue did not affect the versions of PCRE as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. Not vulnerable. This issue did not affect the versions of gnutls as shipped with Red Hat Enterprise Linux 4, or 5. Not vulnerable. This issue did not affect the version of the Xen package as shipped with Red Hat Enterprise Linux 5. Not vulnerable. OCSP protocol support was only implemented in upstream stunnel version 4.16. Therefore OCSP protocol is not available in the versions of stunnel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5 or Red Hat Enterprise MRG. We do not consider these to be security issues. For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php We do not consider these to be security issues. For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php This issue was addressed in fetchmail packages as shipped in Red Hat Enterprise Linux 3, 4, and 5 via: https://rhn.redhat.com/errata/RHSA-2009-1427.html Not vulnerable. These issues did not affect the versions of NASM as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. Not vulnerable. This issue did not affect versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. Not vulnerable. This issue did not affect the versions of perl as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5, Red Hat Application Stack 1, or Solaris versions of Red Hat Directory Server 7.1 and 8, Certificate System 7.x. Not vulnerable. This issue did not affect the versions of PHP as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. For more details see: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-2829 Not vulnerable. This issue did not affect the versions of XChat as shipped with Red Hat Enterprise Linux. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and Red Hat Enterprise MRG. It was addressed in Red Hat Enterprise Linux 5 via: https://rhn.redhat.com/errata/RHSA-2008-0885.html Not vulnerable. This issue did not affect the versions of firefox as shipped with Red Hat Enterprise Linux 4, or 5. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=456347 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ These issue was addressed in all affected httpd versions as shipped in Red Hat Enterprise Linux 3, 4, and 5 were fixed via: https://rhn.redhat.com/errata/RHSA-2008-0967.html This issue is tracked via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-2939 The Red Hat Security Response Team has rated this issue as having low security impact, future updates may address this flaw in other affected products (such as Red Hat Application Stack). Not vulnerable. This issue did not affect the versions of poppler as shipped with Red Hat Enterprise Linux 5, or other PDF parsing applications derived from the xpdf code as shipped in Red Hat Enterprise Linux 2.1, 3, 4, or 5. According to RealNetworks this flaw does not affect the Linux version of RealPlayer. According to RealNetworks this issue does not affect the Linux version of RealPlayer. Not vulnerable. This issue did not affect the versions of sudo as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. Not vulnerable. This issue did not affect the versions of the Vim packages, as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5. Note: This CVE is mentioned in the text of RHSA-2008:0580 (https://rhn.redhat.com/errata/RHSA-2008-0580.html), as it was originally used to track multiple issues. Issues that affected Vim packages in Red Hat Enterprise Linux 5 were later assigned separate CVE identifier - CVE-2008-6235. Neither of issues currently covered by CVE-2008-3076 (insufficient shell escaping in mz and mc commands) affected Vim packages shipped with Red Hat Enterprise Linux 5. Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-3134 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. The affected version of Wireshark as shipped in Red Hat Enterprise Linux 3, 4, and 5 were fixed via: https://rhn.redhat.com/errata/RHSA-2008-0890.html The affected version of Wireshark as shipped in Red Hat Enterprise Linux 3, 4, and 5 were fixed via: https://rhn.redhat.com/errata/RHSA-2008-0890.html Not vulnerable. This issue did not affect the versions of wireshark as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. Not vulnerable. This issue did not affect the versions of wireshark as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5 The affected version of Wireshark as shipped in Red Hat Enterprise Linux 3, 4, and 5 were fixed via: https://rhn.redhat.com/errata/RHSA-2008-0890.html The affected version of Wireshark as shipped in Red Hat Enterprise Linux 3, 4, and 5 were fixed via: https://rhn.redhat.com/errata/RHSA-2008-0890.html Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-3196 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. Not vulnerable. This issue did not affect the version of dnsmasq as shipped with Red Hat Enterprise Linux 5. Upon investigating this issue, the Red Hat Security Response Team has determined that this is not a vulnerability. The ability to specify a desired role when connecting to OpenSSH is a feature of how OpenSSH interacts with SELinux. Users can only assign themselves SELinux roles which they have permission to access. They cannot assign themselves arbitrary roles. Not vulnerable. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5 or Red Hat Enterprise MRG. Not vulnerable. This issue did not affect the versions of openssh as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. This issue can only be exploited during the package build and it does not affect users of pre-built packages distributed with Red Hat Enterprise Linux. Therefore, we do not plan to backport a fix for this issue to already released version of Red Hat Enterprise Linux 2.1, 3, 4, and 5. Not vulnerable. This issue did not affect the versions of links as shipped with Red Hat Enterprise Linux 2.1, and versions of elinks as shipped with Red Hat Enterprise Linux 3, 4, or 5. Versions of links / elinks shipped do not support "only proxies" feature. Not vulnerable. These issues did not affect the version of dnsmasq as shipped with Red Hat Enterprise Linux 5. Not vulnerable. This issue did not affect the versions of OpenOffice.org as shipped with Red Hat Enterprise Linux 3, 4, or 5. The updated Red Hat Enterprise Linux packages are not distributed via the openoffice.org update service, but rather via Red Hat Network, using the package manager capabilities to verify authenticity of updates. Not vulnerable. This issue did not affect the versions of Sun Java packages as shipped with Red Hat Enterprise Linux 4 Extras, or 5 Supplementary. The updated Red Hat Enterprise Linux packages are not distributed via the java.sun.com update service (which is only used for Windows version of Sun Java), but rather via Red Hat Network, using the package manager capabilities to verify authenticity of updates. Red Hat does not consider this flaw a security issue. This flaw is not exploitable beyond causing the web browser to crash. This flaw does not affect the Linux version of RealVNC as shipped in Red Hat Enterprise Linux. Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5 or Red Hat Enterprise MRG. The uvcvideo driver was first added in kernel packages update RHSA-2009:0225 in Red Hat Enterprise Linux 5.3, and it already contained a fix for this flaw. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5. It was addressed in Red Hat Enterprise MRG for RHEL-5 via: https://rhn.redhat.com/errata/RHSA-2008-0857.html This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and Red Hat Enterprise MRG. It was addressed in Red Hat Enterprise Linux 5 via: https://rhn.redhat.com/errata/RHSA-2008-0957.html This issue does not affect the versions of the yelp package, as shipped with Red Hat Enterprise Linux 3, 4 and 5. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5. It was addressed in Red Hat Enterprise MRG for RHEL-5 via: https://rhn.redhat.com/errata/RHSA-2008-0857.html This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5. It was addressed in Red Hat Enterprise MRG for RHEL-5 via: https://rhn.redhat.com/errata/RHSA-2008-0857.html This issue has been addressed in the affected versions of PHP packages shipped in Red Hat Enterprise Linux via advisories listed on the following page: https://rhn.redhat.com/errata/CVE-2008-3658.html The PHP interpreter does not offer a reliable sandboxed security layer (as found in, say, a JVM) in which untrusted scripts can be run any script run by the PHP interpreter must be trusted with the privileges of the interpreter itself. We therefore do not classify this issue as security-sensitive since no trust boundary is crossed. This issue has been fixed in the affected Red Hat Enterprise Linux versions via: https://rhn.redhat.com/errata/RHSA-2009-0010.html Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5 or Red Hat Enterprise MRG. Not vulnerable. This issue did not affect the version of Xen hypervisor as shipped with Red Hat Enterprise Linux 5, as it does not support XSM. Not vulnerable. This issue did not affect the versions of neon as shipped with Red Hat Enterprise Linux 4, or 5. Not vulnerable. This issue did not affect the versions of samba as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5. It was addressed in Red Hat Enterprise MRG for RHEL-5 via: https://rhn.redhat.com/errata/RHSA-2008-0857.html This issue did not affect the version of pam_krb5 shipped in Red Hat Enterprise Linux 2.1, 3, or 4. Not vulnerable. This issue did not affect the version of utrace as shipped with the Red Hat Enterprise Linux 5 kernel. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and Red Hat Enterprise MRG. It was addressed in Red Hat Enterprise Linux 5 via: https://rhn.redhat.com/errata/RHSA-2008-0957.html Not vulnerable. This issue did not affect the versions Postfix as shipped with Red Hat Enterprise Linux 3, 4, or 5. Red Hat does not consider this to be a security issue. Since these operations can only be executed by root, no trust boundary is crossed as a result of this behaviour. Red Hat does not consider this to be a security issue. Since these operations can only be executed by root, no trust boundary is crossed as a result of this behaviour. Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5 or Red Hat Enterprise MRG. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5. It was addressed in Red Hat Enterprise MRG for RHEL-5 via: https://rhn.redhat.com/errata/RHSA-2008-0857.html Not vulnerable. This issue did not affect the versions of the emacs package, as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. This issue did not affect MySQL as supplied with Red Hat Enterprise Linux 3 or 4. This issue was addressed for Red Hat Enterprise Linux 5 and Red Hat Application Stack v2 https://rhn.redhat.com/cve/CVE-2008-3963.html Not vulnerable. These issues did not affect the versions of libpng as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-4098 The Red Hat Security Response Team has rated this issue as having moderate security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ The risks associated with fixing this bug are greater than the security risk. We therefore currently have no plans to fix this flaw in Red HatEnterprise Linux 2.1, 3, 4, or 5. For more information please see our bug for this issue: https://bugzilla.redhat.com/show_bug.cgi?id=462772 Not vulnerable. This issue did not affect the versions of python as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. Not vulnerable. The patch used to fix CVE-2006-5051 in Red Hat Enterprise Linux 2.1, 3, 4, and 5 was complete and does not suffer from this problem. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5. It was addressed in Red Hat Enterprise MRG for RHEL-5 via: https://rhn.redhat.com/errata/RHSA-2008-0857.html Not vulnerable. This flaw does not affect the version of BIND as shipped in Red Hat Enterprise Linux 2.1, 3, 4, or 5. This issue has been addressed via: https://rhn.redhat.com/errata/RHSA-2009-0402.html Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=460435 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-4192 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ Not vulnerable. This issue did not affect the versions of rsh-server packages as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. The glibcs ruserok function is used to check users authorization against rhosts files. That implementation of ruserok never opens /etc/hosts.equiv for superuser. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and Red Hat Enterprise MRG. It was addressed in Red Hat Enterprise Linux 5 via: https://rhn.redhat.com/errata/RHSA-2008-0957.html Not vulnerable. This issue did not affect the versions of Samba as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. We do not consider a crash of a client application such as Konqueror to be a security issue. Not vulnerable. ndiswrapper is not shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5 or Red Hat Enterprise MRG. Not vulnerable. This issue did not affect the versions of libxml2 as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5 or Red Hat Enterprise MRG. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5. It was addressed in Red Hat Enterprise MRG for RHEL-5 via: https://rhn.redhat.com/errata/RHSA-2008-0857.html Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-4456 This issue was addressed for Red hat Enterprise Linux 5 by https://rhn.redhat.com/errata/RHSA-2009-1289.html The Red Hat Security Response Team has rated this issue as having low security impact, a future update to Red Hat Enterprise Linux 3, 4, and Red Hat Application Stacks 2 may address this flaw. Not vulnerable. This issue did not affect the versions of freeradius as shipped with Red Hat Enterprise Linux 3, 4, or 5. Not Vulnerable. Red Hat Enterprise MRG does not use Xerces-C++ in a manner that is vulnerable to this flaw. We do not consider a crash of a client application such as Konqueror to be a security issue. This issue affected Red Hat Enterprise Linux 5 and was addressed by https://rhn.redhat.com/errata/RHSA-2009-1321.html The risks associated with fixing this bug are greater than the low severity security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this issue as having low security impact. This issue is addressed in the cman package for Red Hat Enterprise Linux 5: https://rhn.redhat.com/errata/RHSA-2009-1337.html This issue also affects the fence package in Red Hat Cluster Suite for Enterprise Linux 4AS, a future update may address this flaw: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-4579 Manual fencing agent is documented to only be provided for testing purposes and should not be used in production environments. Therefore, there is no plan to fix this flaw in Red Hat Cluster Suite for Red Hat Enterprise Linux 4, and in Red Hat Enterprise Linux 5. The attacks reported by Outpost24 AB target the design limitations of the TCP protocol. Due to upstreams decision not to release updates, Red Hat do not plan to release updates to resolve these issues however, the effects of these attacks can be reduced via the mitigation methods as written in http://kbase.redhat.com/faq/docs/DOC-18730. The versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5 were not affected by this issue. This issue only affected the version of Linux kernel as shipped with Red Hat Enterprise MRG and was addressed via: https://rhn.redhat.com/errata/RHSA-2009-0009.html Not vulnerable. This issue did not affect the versions of vim as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. This issue has been addressed in Wireshark packages as shipped in Red Hat Enterprise Linux 3, 4 and 5 via: https://rhn.redhat.com/errata/RHSA-2009-0313.html This issue has been addressed in Wireshark packages as shipped in Red Hat Enterprise Linux 3, 4 and 5 via: https://rhn.redhat.com/errata/RHSA-2009-0313.html This issue has been addressed in Wireshark packages as shipped in Red Hat Enterprise Linux 3, 4 and 5 via: https://rhn.redhat.com/errata/RHSA-2009-0313.html This issue has been addressed in Wireshark packages as shipped in Red Hat Enterprise Linux 3, 4 and 5 via: https://rhn.redhat.com/errata/RHSA-2009-0313.html This issue has been addressed in Wireshark packages as shipped in Red Hat Enterprise Linux 3, 4 and 5 via: https://rhn.redhat.com/errata/RHSA-2009-0313.html This issue has been addressed in Wireshark packages as shipped in Red Hat Enterprise Linux 3, 4 and 5 via: https://rhn.redhat.com/errata/RHSA-2009-0313.html Red Hat does not consider this to be a security flaw. Firefox is handling the ftp:// URL as expected. This issue can only cause pamperspective to crash when used on specially crafted messages. We do not consider this to be a security issue. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-4865 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ Not vulnerable. This issue did not affect the versions of the dovecot package, as shipped with Red Hat Enterprise Linux 4 or 5. Not vulnerable. This issue did not affect the versions of mgetty as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5, as they include patch that resolves this issue. Not vulnerable. This issue did not affect the versions of OpenOffice.org as shipped with Red Hat Enterprise Linux 3, 4, or 5. Not vulnerable. This issue did not affect the versions of postfix as shipped with Red Hat Enterprise Linux 3, 4, or 5. Mentioned script is not part of the official postfix distribution and is not included in Red Hat Enterprise Linux postfix packages. The affected code is not used by any application shipped in Red Hat Enterprise Linux 2.1, 3, 4, and 5. The impact of this flaw is limited to a crash of the applications connecting to a misbehaving SMTP server. Due to those reasons, theres currently no plan to include the fix in the imap packages as shipped in Red Hat Enterprise Linux 2.1 and 3, and the libc-client packages as shipped in Red Hat Enterprise Linux 4 and 5. Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5 or Red Hat Enterprise MRG. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. The issue was addressed in the Linux kernel packages as shipped with Red Hat Enterprise MRG via: https://rhn.redhat.com/errata/RHSA-2009-0053.html This issue was addressed for Red Hat Enterprise Linux 5 by https://rhn.redhat.com/errata/RHSA-2009-1287.html After reviewing the upstream fix for this issue, Red Hat does not intend to address this flaw in Red Hat Enterprise Linux 3 or 4 at this time. Not vulnerable. This issue did not affect the versions of CUPS as shipped with Red Hat Enterprise Linux 3, 4, or 5. Versions shipped do not support RSS subscriptions. Not vulnerable. This issue does not affect the versions of imlib as shipped with Red Hat Enterprise Linux 2.1, 3, or 4. This issue has been addressed in Wireshark packages as shipped in Red Hat Enterprise Linux 3, 4 and 5 via: https://rhn.redhat.com/errata/RHSA-2009-0313.html Not vulnerable. This issue did not affect the versions of dovecot as shipped with Red Hat Enterprise Linux 4, or 5. Those packages do not include ManageSieve server. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-5302 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-5303 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-5374 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ Not vulnerable. This issue did not affect the versions of CUPS as shipped with Red Hat Enterprise Linux 3, 4, or 5. Affected script is not part of the upstream CUPS distribution, but rather an addition used by Debian-based distributions (and possibly others). CUPS packages as shipped in Red Hat Enterprise Linux 5 also provide pstopdf filter. However, that filter is different from the one used in Debian-based distributions, and is unaffected by this flaw. Additionally, all filters used by CUPS on all versions of Red Hat Enterprise Linux are run under an unprivileged "lp" user, making the root privilege escalation mentioned in the published exploit impossible. Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5 or Red Hat Enterprise MRG. It only affected the Ubuntu Privacy Remix (UPR) kernel. Not vulnerable. This issue did not affect the versions of the util-linux packages (providing /bin/login), as shipped with Red Hat Enterprise Linux 2.1, 3, 4 or 5. Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5 or Red Hat Enterprise MRG. Red Hat does not provide support for the Linux kernel on the PA-RISC architecture. Not vulnerable. This issue did not affect the versions of imap as shipped with Red Hat Enterprise Linux 2.1 and 3, and the versions of libc-client as shipped with Red Hat Enterprise Linux 4 and 5. Not vulnerable. This issue did not affect the version of the rsyslog package, as shipped with Red Hat Enterprise Linux 5. Not vulnerable. This issue did not affect the version of the rsyslog package, as shipped with Red Hat Enterprise Linux 5. We do not consider these to be security issues. For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php We do not consider this to be a security issue. For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php This issue did not affect PHP versions as shipped in Red Hat Enterprise Linux 2.1, 3, 4, and 5, and Red Hat Application Stack v1. PHP version in Red Hat Application Stack v2 was fixed via: https://rhn.redhat.com/errata/RHSA-2009-0350.html Red Hat does not consider a crash of a client application such as Konqueror to be a security issue. Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5 or Red Hat Enterprise MRG. Red Hat does not provide support for the Linux kernel on the MIPS architecture. Red Hat does not consider a crash of a client application such as Konqueror to be a security issue. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and Red Hat Enterprise MRG. It was addressed in Red Hat Enterprise Linux 5 via: https://rhn.redhat.com/errata/RHSA-2009-0264.html Not vulnerable. This issue did not affect the versions of Xen as shipped with Red Hat Enterprise Linux 5. Red Hat does not consider a crash of a client application such as Firefox to be a security issue. Not vulnerable. This issue did not affect the versions of Xen as shipped with Red Hat Enterprise Linux 5. Security update released to address CVE-2008-4405 - https://rhn.redhat.com/errata/RHSA-2009-0003.html - contained correct patch which did not introduce this problem and resolved the original issue. Red Hat does not consider a crash of a client application such as Firefox to be a security issue. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=479966 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ Not vulnerable. This issue did not affect the versions of the php package, as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5, and with Red Hat Application Stack v1 and v2. Only PHP version 5.2.7 was affected by this flaw. Red Hat does not consider this bug to be a security issue. For a more detailed explanation, please see the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-5907 Not vulnerable. Red Hat Enterprise Linux 2.1, 3, 4, and 5 do not ship for the SPARC architecture. Red Hat does not consider this bug a security flaw. For more details please see the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=468990 Red Hat does not consider this to be a security issue. The misbehaviour of CMAN is triggered by corrupted / specially crafted cluster.conf configuration file. Ability to edit this file is restricted to system administrator, therefore no privilege boundary is crossed. This is not a security issue. For further details, see: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-7002#c7 This is not a security issue. A user with read and write access to a file can reasonably be expected to manipulate the contents of the file, including truncating it. Instead of using dba_replace(), a user could simply fopen() the file in write mode, which provides the same end-result. Not vulnerable. This issue did not affect the versions of libsilc as shipped with Red Hat Enterprise Linux 4, or 5. Not vulnerable. This issue did not affect the versions of libsilc as shipped with Red Hat Enterprise Linux 4, or 5. Not vulnerable. This issue did not affect the versions of nasm as shipped with Red Hat Enterprise Linux 3, 4, or 5. Not vulnerable. This issue did not affect the versions of samba as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5 and Red Hat Enterprise MRG. This flaw affects most 64-bit architectures, including IBM S/390 and 64-bit PowerPC, but it does not affect x86_64 or Intel Itanium. The risks associated with fixing this flaw are greater than the security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 3, 4, or 5. Red Hat Enterprise MRG is not affected as it is not supported on 64-bit architectures other than x86_64. Not vulnerable. Red Hat does not ship the vulnerable backend that causes this flaw. Red Hat does not consider a crash of a client application such as Firefox to be a security issue. Not vulnerable. This issue did not affect the versions of hplip as shipped with Red Hat Enterprise Linux 5. Red Hat does not consider this to be a security issue. M2Crypto provides python interfaces to multiple OpenSSL functions. Neither of those interfaces is further used by M2Crypto in an insecure way. Additionally, no application shipped in Red Hat Enterprise Linux is known to use affected interfaces provided by M2Crypto. Further details can be found in the following bug report: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-0127#c1 Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2009-0164 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2009-0179 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2009-0241 The Red Hat Security Response Team has rated this issue as having moderate security impact, a future update of Red Hat HPC Solution may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ Red Hat does not consider this to be a security issue. For more information, please see the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-0242 This issue can only result in an OpenOffice.org crash, not allowing arbitrary code execution. Red Hat does not consider a crash of a client application such as OpenOffice.org to be a security issue. Not vulnerable. This issue did not affect the versions of BIND as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. Not vulnerable. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5, and Red Hat Enterprise MRG. Not vulnerable. This issue did not affect the versions of the pam_krb5 package, as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. Not vulnerable. This issue did not affect the versions of the pam_krb5 package, as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. Not vulnerable. This issue did not affect the version of Squid as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. Not vulnerable. This issue did not affect the versions of pam as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. Only PAM versions 1.x were affected. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2009-0590 This issue was fixed in openssl packages in Red Hat Enterprise Linux 5 via: https://rhn.redhat.com/errata/RHSA-2009-1335.html The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw on Red Hat Enterprise Linux 3 and 4. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ Not vulnerable. This issue affected OpenSSL CMS functionality which is not present in the openssl packages as shipped with Red Hat Enterprise Linux 2.1, 3, 4 or 5. Red Hat does not consider this to be a security issue. For further details, see: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-0601#c3 Not vulnerable. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5, or Red Hat Enterprise MRG. Not vulnerable. This issue was addressed in upstream OpenSSL prior to 0.9.6 and therefore does not affect the versions of OpenSSL as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. Disputed: The Red Hat Security Response Team have been unable to confirm the existence of this format string vulnerability in the toolkit, and the sample published exploit is not complete or functional. This issue did not affect the version of Linux kernel as shipped with Red Hat Enterprise Linux 4 as the affected driver is not enabled in these kernels by default. The affected driver is enabled by default in Red Hat Enterprise Linux 2.1, 3, 5, and Red Hat Enterprise MRG. It was addressed in Red Hat Enterprise Linux 5 via https://rhn.redhat.com/errata/RHSA-2009-0326.html and Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2009-0360.html . As Red Hat Enterprise Linux 2.1 and 3 are now in Production 3 of their maintenance life-cycle, http://www.redhat.com/security/updates/errata, and this issue has been rated as having moderate impact, the fix for this issue is not currently planned to be included in the future updates. The upstream fix for this issue is not backwards compatible and introduces an ABI change not allowed in Red Hat Enterprise Linux. Therefore, there is no plan to address this problem directly in cyrus-sasl packages. All applications shipped in Red Hat Enterprise Linux and using affected sasl_encode64() function were investigated and patched if their use of the function could have security consequences. See following bug report for further details: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-0688#c20 This issue affected the dhcp packages as shipped with Red Hat Enterprise Linux 3 and 4. Updated packages to correct this issue are available via Red Hat Network: https://rhn.redhat.com/errata/CVE-2009-0692.html This issue did not affect the dhcp packages as shipped with Red Hat Enterprise Linux 5 due to the use of FORTIFY_SOURCE protection mechanism that changes the exploitability of the issue into a controlled application termination. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and Red Hat Enterprise MRG. This issue was addressed in Red Hat Enterprise Linux 5 by https://rhn.redhat.com/errata/RHSA-2009-1243.html This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and Red Hat Enterprise MRG. This issue was addressed in Red Hat Enterprise Linux 5 by https://rhn.redhat.com/errata/RHSA-2009-1243.html This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and Red Hat Enterprise MRG. This issue was addressed in Red Hat Enterprise Linux 5 by https://rhn.redhat.com/errata/RHSA-2009-1243.html This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and Red Hat Enterprise MRG. This issue was addressed in Red Hat Enterprise Linux 5 by https://rhn.redhat.com/errata/RHSA-2009-1243.html Not vulnerable. This issue did not affect the versions of poppler, xpdf, gpdf and kdegraphics as shipped with Red Hat Enterprise Linux 3, 4, or 5. This issue is a duplicate of CVE-2009-0166, which was addressed in affected products via following updates: https://rhn.redhat.com/errata/CVE-2009-0166.html Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVe-2009-0758 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and Red Hat Enterprise MRG. It was addressed in Red Hat Enterprise Linux 5 via: https://rhn.redhat.com/errata/RHSA-2009-0326.html . Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2009-0781 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and Red Hat Enterprise MRG. It was addressed in Red Hat Enterprise Linux 5 via: https://rhn.redhat.com/errata/RHSA-2009-0473.html . Not vulnerable. This issue only affects a small number of operating systems and does not affect the openssl packages as shipped with Red Hat Enterprise Linux 2.1, 3, 4 or 5. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2009-0793 The Red Hat Security Response Team has rated this issue as having low security impact, a future lcms packages update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2009-0796 The Red Hat Security Response Team has rated this issue as having moderate security impact, a future mod_perl package update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2009-0801 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ Not vulnerable. This issue did not affect the versions of mysql packages, as shipped with Red Hat Enterprise Linux 3, 4, or 5, and Red Hat Application Stack v2. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5. It was addressed in Red Hat Enterprise MRG via: https://rhn.redhat.com/errata/RHSA-2009-0451.html . Not vulnerable. This issue did not affect the versions of krb5 as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. Not vulnerable. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5, or Red Hat Enterprise MRG. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2009-0887 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ This issue has been addressed in Red Hat Enterprise Linux 4 and 5 via: https://rhn.redhat.com/errata/RHSA-2009-1484.html and in Red Hat Application Stack v2 via: https://rhn.redhat.com/errata/RHSA-2009-1067.html Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5, or Red Hat Enterprise MRG. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5. It was addressed in Red Hat Enterprise MRG via: https://rhn.redhat.com/errata/RHSA-2009-0451.html . This issue has been rated as having moderate security impact. It was addressed in Red Hat Enterprise Linux 4, 5, and Red Hat Enterprise MRG, via https://rhn.redhat.com/errata/RHSA-2009-1132.html , https://rhn.redhat.com/errata/RHSA-2009-1106.html , and https://rhn.redhat.com/errata/RHSA-2009-1081.html . This issue is not planned to be fixed in Red Hat Enterprise Linux 2.1 and 3, due to these products being in Production 3 of their maintenance life-cycles, where only qualified security errata of important or critical impact are addressed. For further information about Errata Support Policy, visit: http://www.redhat.com/security/updates/errata/ . This issue has been fixed in Red Hat Enterprise Linux 5 via https://rhn.redhat.com/errata/RHSA-2009-0427.html . udev packages as shipped in Red Hat Enterprise Linux 4 were not affected by this flaw, as they do not use netlink sockets for communication. udev is not shipped in Red Hat Enterprise Linux 2.1 and 3. Not vulnerable. This issue did not affect the versions of udev as shipped with Red Hat Enterprise Linux 4, or 5. Red Hat does not consider this to be a security issue. Affected file is supposed to be used to exchange information between local system users, therefore open permissions are intentional. Red Hat does not consider this to be a security issue. The checks implemented by screen to protect against race condition attacks on /tmp/screen-exchange file provide sufficient protection for this rarely-used buffer exchange feature. For more details, see https://bugzilla.redhat.com/show_bug.cgi?id=492104 https://bugzilla.mozilla.org/show_bug.cgi?id=485941 Red Hat does not consider a user-assisted crash of a client application such as Firefox to be a security issue. Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5 or Red Hat Enterprise MRG. Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5 or Red Hat Enterprise MRG. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 4, 5, or Red Hat Enterprise MRG, as the affected driver is not enabled in these kernels. The affected driver is available in Red Hat Enterprise Linux 3, but only if the kernel-unsupported package is installed. This issue has been rated as having moderate security impact as it does not lead to a denial of service or privilege escalation. As Red Hat Enterprise Linux 3 is now in Production 3 of its maintenance life-cycle, http://www.redhat.com/security/updates/errata, and the affected driver can only be enabled when using the unsupported kernel-unsupported package, a fix for this issue is not currently planned to be included in the future updates. Not vulnerable. This issue did not affect the versions of wireshark as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. This issue did not affect PHP versions as shipped in Red Hat Enterprise Linux 2.1, 3, 4, and 5, and Red Hat Application Stack v1. PHP version in Red Hat Application Stack v2 was fixed via: https://rhn.redhat.com/errata/RHSA-2009-0350.html Not vulnerable. This issue did not affect PHP versions as shipped in Red Hat Enterprise Linux 2.1, 3, 4, and 5, and Red Hat Application Stack v1 and v2. This problem was introduced in the fix for CVE-2008-5658. Patch for CVE-2008-5658 as used in Red Hat Application Stack v2 also includes the fix for this crash too. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2009-1284 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ Not vulnerable. This issue did not affect the versions of ecryptfs-utils as shipped with Red Hat Enterprise Linux 5. eCryptfs encrypted home directories are not set up during the system installation, so theres no possibility for leaking encryption passwords to the installation log file. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5. It was addressed in Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2009-1081.html . This flaw was caused by a C2Net specific patch added to Apache http_log.c in Stronghold 2.3. C2Net Stronghold 2.3 reached end of life for updates on October 31st 2000. http://www.awe.com/mark/history/stronghold.html Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5, or Red Hat Enterprise MRG. This issue did not affect versions of openssl as shipped in Red Hat Enterprise Linux 3 and 4. This issue was addressed for Red Hat Enterprise Linux 5 by http://rhn.redhat.com/errata/RHSA-2009-1335.html Note that both the DTLS specification and OpenSSLs implementation is still in development and unlikely to be used in production environments. There is no component shipped in Red Hat Enterprise Linux 5 using OpenSSLs DTLS implementation, except for OpenSSLs testing command line client - openssl. This issue did not affect versions of openssl as shipped in Red Hat Enterprise Linux 3 and 4. This issue was addressed for Red Hat Enterprise Linux 5 by http://rhn.redhat.com/errata/RHSA-2009-1335.html Note that both the DTLS specification and OpenSSLs implementation is still in development and unlikely to be used in production environments. There is no component shipped in Red Hat Enterprise Linux 5 using OpenSSLs DTLS implementation, except for OpenSSLs testing command line client - openssl. This issue did not affect versions of openssl as shipped in Red Hat Enterprise Linux 3 and 4. This issue was addressed for Red Hat Enterprise Linux 5 by http://rhn.redhat.com/errata/RHSA-2009-1335.html Note that both the DTLS specification and OpenSSLs implementation is still in development and unlikely to be used in production environments. There is no component shipped in Red Hat Enterprise Linux 5 using OpenSSLs DTLS implementation, except for OpenSSLs testing command line client - openssl. Not vulnerable. This issue did not affect the versions of squirrelmail as shipped with Red Hat Enterprise Linux 3, 4, or 5. Updates for squirrelmail released via RHSA-2009:1066 (https://rhn.redhat.com/errata/RHSA-2009-1066.html) fixed original flaw CVE-2009-1579 without introducing CVE-2009-1381. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2009-1384 This issue did not affect the versions of the pam_krb5 package, as shipped with Red Hat Enterprise Linux 2.1, 3 or 4. This issue affect the version of the pam_krb5 package as shipped in Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ For further details about PAM configurations affected by this flaw, as well as instructions on how to resolve this problem via configuration changes, see: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-1384#c15 This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, and Red Hat Enterprise MRG. It was addressed in Red Hat Enterprise 5 via: https://rhn.redhat.com/errata/RHSA-2009-1193.html Not vulnerable. This issue did not affect the versions of mutt as shipped with Red Hat Enterprise Linux 3, 4, or 5. Only mutt version 1.5.19 was affected by this flaw. Not vulnerable. This issue did not affect versions of gnutls shipped in Red Hat Enterprise Linux 4 and 5 as it only affected gnutls 2.6.x versions. Not vulnerable. This issue did not affect versions of gnutls shipped in Red Hat Enterprise Linux 4 and 5 as it only affected gnutls 2.6.x versions. The Red Hat Security Response Team has rated this issue as having low security impact. The risks associated with fixing this bug are greater than the low severity security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 4, or 5. For further details, see: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-1417 The impact of this flaw is limited to application crash, not allowing code execution. Red Hat does not consider a user-assisted crash of a client application such as media players using GStreamer framework to be a security issue. For further details, see: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-1438 Based on our analysis this issue does not have a security consequence and does not lead to a buffer overflow or denial of service. For more details of our technical evaluation see https://bugzilla.redhat.com/show_bug.cgi?id=499252#c18 Not vulnerable. This issue did not affect the versions of libmodplug embedded in gstreamer-plugins as shipped with Red Hat Enterprise Linux 3 and 4, as they do not include support for the PAT file type. Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5, or Red Hat Enterprise MRG. Not vulnerable. This issue did not affect the versions of zebra as shipped with Red Hat Enterprise Linux 2.1, and the versions of quagga as shipped with Red Hat Enterprise Linux 3, 4, or 5. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, and 3. It was addressed in Red Hat Enterprise Linux 4, 5, and Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2009-1132.html , https://rhn.redhat.com/errata/RHSA-2009-1106.html , and https://rhn.redhat.com/errata/RHSA-2009-1157.html . This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, and 3. It was addressed in Red Hat Enterprise Linux 4, 5, and Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2009-1211.html , https://rhn.redhat.com/errata/RHSA-2009-1106.html , and https://rhn.redhat.com/errata/RHSA-2009-1157.html . Not vulnerable. This issue did not affect the versions of the kdelibs packages, as shipped with Red Hat Enterprise Linux 3, 4, or 5. Not vulnerable. This issue did not affect the versions of the kdelibs packages, as shipped with Red Hat Enterprise Linux 3, 4, or 5. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, and Red Hat Enterprise MRG. It was addressed in Red Hat Enterprise Linux 4 and 5 via https://rhn.redhat.com/errata/RHSA-2009-1132.html and https://rhn.redhat.com/errata/RHSA-2009-1106.html . This issue did not affect kernel packages as shipped in Red Hat Enterprise Linux 5 and Red Hat Enterprise MRG 1. It was addressed in Red Hat Enterprise Linux 4 via https://rhn.redhat.com/errata/RHSA-2009-1438.html . This issue has been rated as having moderate security impact. It is not planned to be fixed in Red Hat Enterprise Linux 3, due to this product being in Production 3 of its maintenance life-cycle, where only qualified security errata of important or critical impact are addressed. For further information about Errata Support Policy, visit: http://www.redhat.com/security/updates/errata/ Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2009-1885 The Red Hat Security Response Team has rated this issue as having low security impact, a future xerces-c packages update in Red Hat Enterprise MRG 1.1 may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ Not vulnerable. This issue did not affect the versions of samba as shipped with Red Hat Enterprise Linux 3, 4, or 5. This issue did not affect Red Hat Enterprise Linux 3. It was addressed in Red Hat Enterprise Linux 4 and 5 via RHSA-2009:1529: https://rhn.redhat.com/errata/RHSA-2009-1529.html Not vulnerable. Red Hat Enterprise Linux 3, 4, and 5 provide earlier versions of ISC DHCP which are not vulnerable to this issue. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2009-1897 The flaw only affects the Red Hat Enterprise Linux 5.4 beta kernel, which includes a backport of the upstream bug fix introducing this flaw (git commit 33dccbb0). This issue did not affect the final released Red Hat Enterprise Linux 5.4 kernel. It is also possible to mitigate this flaw by ensuring that the permissions for /dev/net/tun is restricted to root only. This issue does not affect any other released kernel in any Red Hat product. Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5 or Red Hat Enterprise MRG. Red Hat does not provide support for the Linux kernel on the SPARC64 architecture. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, and 5. It was addressed in Red Hat Enterprise MRG via: https://rhn.redhat.com/errata/RHSA-2009-1157.html The Red Hat Security Response Team does not believe this issue has a security impact: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2009-2042 Future updates to libpng packages may fix this bug. Not vulnerable. This issue did not affect the versions of openoffice.org and openoffice.org2 packages as shipped with Red Hat Enterprise Linux 3, 4, or 5. Not vulnerable. This issue did not affect the versions of stardict as shipped with Red Hat Enterprise Linux 5. Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, and 5, and Red Hat Enterprise MRG. The Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, and Red Hat Enterprise MRG did not include support for eCryptfs, and therefore are not affected by this issue. Red Hat Enterprise Linux 5 was vulnerable to this issue and was addressed via: https://rhn.redhat.com/errata/RHSA-2009-1193.html The Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, and Red Hat Enterprise MRG did not include support for eCryptfs, and therefore are not affected by this issue. Red Hat Enterprise Linux 5 was vulnerable to this issue and was addressed via: https://rhn.redhat.com/errata/RHSA-2009-1193.html Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2009-2446#c30 This issue was addressed for Red hat Enterprise Linux 5 by https://rhn.redhat.com/errata/RHSA-2009-1289.html The Red Hat Security Response Team has rated this issue as having low security impact, future MySQL package updates may address this flaw for Red Hat Enterprise Linux 3, 4, and Red Hat Application Stack 2. Updated neon packages for Red Hat Enterprise Linux 4 and 5 were released via: https://rhn.redhat.com/errata/RHSA-2009-1452.html Embedded copy of the neon library is included in the versions of gnome-vfs2 packages as shipped with Red Hat Enteprise Linux 4 and Red Hat Enteprise Linux 5. The Red Hat Security Response Team has rated this issue as having low security impact on gnome-vfs2, future updates may address this flaw. Red Hat does not consider a user-assisted crash of a client application such as Konqueror to be a security issue. Not vulnerable. This issue did not affect the versions of wireshark as shipped with Red Hat Enterprise Linux 3, 4, or 5. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2560 Vectors (1) Bluetooth L2CAP and (3) MIOP did not affect the versions of the Wireshark package, as shipped with Red Hat Enterprise Linux 3, 4, or 5. The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ Not vulnerable. This issue did not affect the versions of wireshark as shipped with Red Hat Enterprise Linux 3, 4, or 5. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2562 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2563 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5 or Red Hat Enterprise MRG. Not vulnerable. This issue did not affect the versions of squid as shipped with Red Hat Enterprise Linux 3, 4, or 5. Not vulnerable. This issue did not affect the versions of squid as shipped with Red Hat Enterprise Linux 3, 4, or 5. Red Hat does not consider this flaw to be a security issue. The bug can only be triggered by the PHP script author, which does not cross trust boundary. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2009-2687 The Red Hat Security Response Team has rated this issue as having moderate security impact, a future update will address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2009-2688 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ The Red Hat Security Response Team has rated this issue as having moderate security impact. We currently have no plans to fix this flaw in Red Hat Enterprise Linux 3, 4, and 5 as it is not possible to trigger the information leak if the suid_dumpable tunable is set to zero (which is the default). It was addressed in Red Hat Enterprise MRG via: https://rhn.redhat.com/errata/RHSA-2009-1540.html Red Hat is aware of this issue. Please see http://kbase.redhat.com/faq/docs/DOC-18065. Updates for Red Hat Enterprise Linux 3, 4, 5, and Red Hat Enterprise MRG to correct this issue are available: https://rhn.redhat.com/cve/CVE-2009-2692.html This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise MRG. Updates for Red Hat Enterprise Linux 3, 4 and 5 to correct this issue are available: https://rhn.redhat.com/cve/CVE-2009-2698.html This flaw does not affect the version of APR shipped in Red Hat Enterprise Linux. This flaw does affect JBoss Enterprise Web Server running on the Solaris platform. This issue is being tracking via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2009-2699 Not vulnerable. This issue did not affect the versions of qt and qt4 as shipped with Red Hat Enterprise Linux 3, 4, or 5. Affected code was introduced upstream in version 4.3. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2702 This issue did not affect kdelibs packages as shipped in Red Hat Enterprise Linux 3 and 4. The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw in Red Hat Enterprise Linux 5. Not vulnerable. This issue did not affect the versions of ia32el as shipped with Red Hat Enterprise Linux 3, 4 or 5. Not vulnerable. This issue only affected kernels version 2.6.28-rc1 and later. Therefore this issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5 or Red Hat Enterprise MRG.. Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5 or Red Hat Enterprise MRG. Red Hat does not provide support for flat binary support, and additionally this issue only affected kernels version 2.6.29-rc1 and later. Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5 or Red Hat Enterprise MRG. Please note this issue only affected Linux kernel versions after v2.6.30-rc1 and was fixed in v2.6.31-rc6. Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5 or Red Hat Enterprise MRG. Red Hat does not provide support for the Linux kernel on the PA-RISC architecture. This issue has been rated as having moderate security impact. It was addressed in Red Hat Enterprise Linux 4, 5 and Red Hat Enterprise MRG: http://rhn.redhat.com/cve/CVE-2009-2847.html This issue is not planned to be fixed in Red Hat Enterprise Linux 3, due to this product being in Production 3 of its maintenance life-cycle, where only qualified security errata of important or critical impact are addressed. For further information about Errata Support Policy, visit: http://www.redhat.com/security/updates/errata/ Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2849 The flaw was introduced in kernel version 2.6.17-rc1. The Linux kernel as shipped with Red Hat Enterprise Linux 3, and 4 are not affected by this issue. It was addressed in Red Hat Enterprise MRG via: https://rhn.redhat.com/errata/RHSA-2009-1540.html A future kernel update for Red Hat Enterprise Linux 5 will address this flaw. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2855 This issue did not affect the versions of the Squid packages, as shipped with Red Hat Enterprise Linux 3 and 4. The Red Hat Security Response Team has rated this issue as having low security impact, a future Squid package update may address this flaw in Red Hat Enterprise Linux 5. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ Red Hat is aware of this issue. Please see http://kbase.redhat.com/faq/docs/DOC-19077 This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 4 and 5, as the affected driver is not enabled in these kernels. The affected driver is available in Red Hat Enterprise MRG. It is also available in Red Hat Enterprise Linux 3, but only if the kernel-unsupported package is installed. Future kernel updates in Red Hat Enterprise Linux 3 and Red Hat Enterprise MRG will address this issue. The Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, and Red Hat Enterprise MRG do not include support for eCryptfs, and therefore are not affected by this issue. It was addressed in Red Hat Enterprise Linux 5 via: https://rhn.redhat.com/errata/RHSA-2009-1548.html This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 4, 5, or Red Hat Enterprise MRG, as the affected driver is not enabled in these kernels. The affected driver is available in Red Hat Enterprise Linux 3, but only if the kernel-unsupported package is installed. Future kernel update in Red Hat Enterprise Linux 3 may address this flaw. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/CVE-2009-2910. It affects Red Hat Enterprise Linux 3, 4, 5, and Red Hat Enterprise MRG. This issue has been rated as having moderate security impact, future updates may address this flaw. This issue is not planned to be fixed in Red Hat Enterprise Linux 3, due to this product being in Production 3 of its maintenance life-cycle, where only qualified security errata of important and critical impact are addressed. For further information about Errata Support Policy, visit: http://www.redhat.com/security/updates/errata/ Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5 or Red Hat Enterprise MRG. Red Hat does not provide support for PF_LLC sockets in the Linux kernels. CVE-2009-3002 describes a collection of similar information leaks that affect numerous networking protocols. The Linux kernel as shipped with Red Hat Enterprise Linux 4 and 5 did not enable support for the AppleTalk DDP protocol, and therefore were not affected by issue (1). It was addressed in Red Hat Enterprise Linux 3 and Red Hat Enterprise MRG via: https://rhn.redhat.com/errata/RHSA-2009-1550.html and https://rhn.redhat.com/errata/RHSA-2009-1540.html respectively. The Linux kernel as shipped with Red Hat Enterprise Linux 4, 5 and Red Hat Enterprise MRG did not enable support for IrDA sockets, and therefore were not affected by issue (2). It was addressed in Red Hat Enterprise Linux 3 via: https://rhn.redhat.com/errata/RHSA-2009-1550.html The Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5, and Red Hat Enterprise MRG did not enable support for the Acorn Econet and AUN protocols, and therefore were not affected by issue (3). The Linux kernel as shipped with Red Hat Enterprise Linux 4, 5, and Red Hat Enterprise MRG did not enable support for the NET/ROM and ROSE protocols, and therefore were not affected by issues (4) and (5). They were addressed in Red Hat Enterprise Linux 3 via: https://rhn.redhat.com/errata/RHSA-2009-1550.html The raw_getname() leak was introduced in the Linux kernel version 2.6.25-rc1. The Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5, and Red Hat Enterprise MRG therefore were not affected by issue (6). Not vulnerable. This issue did not affect the versions of pidgin as shipped with Red Hat Enterprise Linux 3, 4, or 5. Red Hat has released updates to correct this issue: https://rhn.redhat.com/errata/RHSA-2009-1453.html Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5 or Red Hat Enterprise MRG, as they do not contain a backport of the tty ldisc rewrite (upstream commits 65b770468e98 and cbe9352fa08f). Not vulnerable. This issue did not affect the versions of libsilc as shipped with Red Hat Enterprise Linux 4, or 5. Not vulnerable. This issue did not affect the versions of Pidgin packages, as shipped with Red Hat Enterprise Linux 3, 4, or 5. List of the errata fixing this flaw in affected products can be found at: https://www.redhat.com/security/data/cve/CVE-2009-3094.html List of the errata fixing this flaw in affected products can be found at: https://www.redhat.com/security/data/cve/CVE-2009-3095.html Not vulnerable. This issue did not affect the versions of libsilc as shipped with Red Hat Enterprise Linux 4, or 5. This issue was addressed in Red Hat Enterprise Linux 4, 5, and Red Hat Enterprise MRG via: https://rhn.redhat.com/errata/RHSA-2009-1522.html , https://rhn.redhat.com/errata/RHSA-2009-1548 and https://rhn.redhat.com/errata/RHSA-2009-1540 respectively. It has been rated as having moderate security impact and is not planned to be fixed in Red Hat Enterprise Linux 3, due to this product being in Production 3 of its maintenance life-cycle, where only qualified security errata of important or critical impact are addressed. For further information about Errata Support Policy, visit: http://www.redhat.com/security/updates/errata/ Not vulnerable. This issue did not affect the versions of PostgreSQL as shipped with Red Hat Enterprise Linux 3, 4, or 5. In PostgreSQL versions prior to 8.2, only database administrator was able to LOAD additional plugins and use it to cause server crash. However, this does not bypass trust boundary, so its not a security flaw for older PostgreSQL versions. Additionally, no plugins are shipped in Red Hat PostgreSQL packages by default. This issue was addressed in Red Hat Application Stack v2 via https://rhn.redhat.com/errata/RHSA-2009-1461.html . Not vulnerable. This issue did not affect the versions of PostgreSQL as shipped with Red Hat Enterprise Linux 3, 4, or 5, as they do not support LDAP authentication, which was introduced upstream in version 8.2. This issue was addressed in Red Hat Application Stack v2 via https://rhn.redhat.com/errata/RHSA-2009-1461.html . Not vulnerable. This issue only affected kernels version v2.6.31-rc1 and later. Therefore this issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5 or Red Hat Enterprise MRG. Not vulnerable. This issue did not affect the versions of wireshark as shipped with Red Hat Enterprise Linux 3, 4, or 5. Not vulnerable. This issue did not affect the versions of wireshark as shipped with Red Hat Enterprise Linux 3, 4, or 5. Not vulnerable. This issue did not affect the versions of wireshark as shipped with Red Hat Enterprise Linux 3, 4, or 5. Not vulnerable. This vulnerability was introduced into the Linux kernel in version 2.6.30-rc1 via upstream commit 2a519311, and therefore does not affect users of Red Hat Enterprise Linux 3, 4, 5, and Red Hat Enterprise MRG. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, and Red Hat Enterprise MRG. It was addressed in Red Hat Enterprise Linux 5 via: https://rhn.redhat.com/errata/RHSA-2009-1548.html Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5 or Red Hat Enterprise MRG. This issue was introduced by upstream commit 10db10d1, and only affected kernels version 2.6.28-rc1 and later. Not vulnerable. This issue does not affect the versions of glib2 as shipped with Red Hat Enterprise Linux 3, 4, or 5. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/CVE-2009-3290 This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, and Red Hat Enterprise MRG as KVM (Kernel-based Virtual Machine) is only supported in Red Hat Enterprise Linux 5. A future kernel update in Red Hat Enterprise Linux 5 will address this flaw. This problem is not a security flaw in the PHP versions 4.3.5 and later. For further details, see: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3293 PHP versions shipped in Red Hat Enterprise Linux 4 and 5 do not need this fix. We do not plan to address this flaw in Red Hat Enterprise Linux 3. Not vulnerable. This issue did not affect the versions of php as shipped with Red Hat Enterprise Linux 3, 4, or 5, and Red Hat Application Stack v2. Not vulnerable. This issue did not affect the versions of wireshark as shipped with Red Hat Enterprise Linux 3, 4, or 5. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2009-3550 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. Not vulnerable. This issue did not affect the versions of wireshark as shipped with Red Hat Enterprise Linux 3, 4, or 5. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3555 Additional information can be found in the Red Hat Knowledgebase article: http://kbase.redhat.com/faq/docs/DOC-20491 We do not consider safe_mode / open_basedir restriction bypass issues being security sensitive. For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php We do not consider safe_mode / open_basedir restriction bypass issues being security sensitive. For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2009-3564 The Red Hat Security Response Team has rated this issue as having low security impact, a future update for Red Hat Enterprise MRG may address this flaw. Not vulnerable. This issue did not affect the version of poppler as shipped with Red Hat Enterprise Linux 5. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/CVE-2009-3612 This issue has been rated as having moderate security impact. It was addressed in Red Hat Enterprise MRG via: https://rhn.redhat.com/errata/RHSA-2009-1540.html Future kernel updates in Red Hat Enterprise Linux 4 and 5 will address this flaw. This issue is not planned to be fixed in Red Hat Enterprise Linux 3 due to this product being in Production 3 of its maintenance life-cycle, where only qualified security errata of important or critical impact are addressed. For further information about the Errata Support Policy, visit: http://www.redhat.com/security/updates/errata/ Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2009-3621 This issue has been rated as having moderate security impact. It was addressed in Red Hat Enterprise MRG via: https://rhn.redhat.com/errata/RHSA-2009-1540.html Future kernel updates in Red Hat Enterprise Linux 4 and 5 will address this flaw. This issue is not planned to be fixed in Red Hat Enterprise Linux 3, due to this product being in Production 3 of its maintenance life-cycle, where only qualified security errata of important or critical impact are addressed. For further information about Errata Support Policy, visit: http://www.redhat.com/security/updates/errata/ Not vulnerable. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5, or Red Hat Enterprise MRG. Those versions do not include the upstream patch that introduced this vulnerability. Not vulnerable. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5, or Red Hat Enterprise MRG. Those versions do not include the upstream patch that introduced this vulnerability. Not vulnerable. This issue did not affect the versions of perl as shipped with Red Hat Enterprise Linux 3, 4, or 5. This issue does not affect Red Hat Enterprise Linux 3, 4, or 5. This flaw can only lead to a denial of service if perl-HTML-Parser is used in conjunction with perl 5.10.1. If perl-HTML-Parser is used with earlier versions of perl, this flaw does not lead to a denial of service. Not vulnerable. This issue did not affect the versions of KVM as shipped with Red Hat Enterprise Linux 5. KVM is only supported on AMD64/x86_64 architecture on Red Hat Enterprise Linux 5. Not vulnerable. This issue did not affect the versions of KVM as shipped with Red Hat Enterprise Linux 5 as it does not contain the patch that introduced this vulnerability (upstream commit f0a3602c). Not vulnerable. This issue did not affect the version of KVM (Kernel-based Virtual Machine) as shipped with Red Hat Enterprise Linux 5. The flaw was introduced in kernel version 2.6.30-rc1. The KVM package as shipped with Red Hat Enterprise Linux 5 does not include this upstream change, and therefore is not affected by this issue. Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5 or Red Hat Enterprise MRG, as they do not include the upstream change introducing this flaw. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2009-3726. The Linux kernel as shipped with Red Hat Enterprise Linux 3 did not have support for NFSv4, and therefore is not affected by this issue. Future kernel updates in Red Hat Enterprise Linux 4, 5, and Red Hat Enterprise MRG will address this issue. Not vulnerable. This issue did not affect the versions of mutt as shipped with Red Hat Enterprise Linux 3, 4, or 5. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2009-3766 The Red Hat Security Response Team has rated this issue as having moderate security impact, a future update may address this flaw. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3767 The Red Hat Security Response Team has rated this issue as having moderate security impact, a future update may address this flaw. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2009-3829 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. Not vulnerable. The Linux kernels as shipped with Red Hat Enterprise Linux 3, 4, 5, and Red Hat Enterprise MRG did not have MMU disabled, and therefore are not affected by this issue. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/CVE-2009-3889 It affects Red Hat Enterprise Linux 4, 5, and Red Hat Enterprise MRG. It did not affect Red Hat Enterprise Linux 3 as it did not have the affected "dbg_lvl" files on the sysfs file system ("/sys/"). Not vulnerable. This issue did not affect the versions of libexif as shipped with Red Hat Enterprise Linux 4, or 5. Not vulnerable. This issue did not affect the versions of poppler as shipped with Red Hat Enterprise Linux 5. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/CVE-2009-3939 It affects Red Hat Enterprise Linux 4, 5, and Red Hat Enterprise MRG. It did not affect Red Hat Enterprise Linux 3 as it did not have the affected "poll_mode_io" files on the sysfs file system ("/sys/"). Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, and Red Hat Enterprise MRG as KVM (Kernel-based Virtual Machine) is only supported in Red Hat Enterprise Linux 5. Red Hat Enterprise Linux 5 is not vulnerable to this issue because it does not include the change that introduced this buffer overflow vulnerability. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/CVE-2009-4005. The Linux kernel as shipped with Red Hat Enterprise Linux 3, 5, and Red Hat Enterprise MRG did not include support for the HiSax ISDN driver for Colognechip HFC-S USB chip, and therefore are not affected by this issue. A future update for Red Hat Enterprise Linux 4 may address this flaw. We do not consider safe_mode / open_basedir restriction bypass issues being security sensitive. For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/CVE-2009-4021 The Linux kernel packages as shipped with Red Hat Enterprise Linux 3 and 4 do not include support for FUSE, and therefore are not affected by this issue. Future kernel updates for Red Hat Enterprise Linux 5 and Red Hat Enterprise MRG will address this flaw. Not vulnerable. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5 and Red Hat Enterprise MRG. Shipped kernels do not include upstream commits d75636ef and d92684e6 that introduced the problem. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/CVE-2009-4027. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 3 and 4 as they do not have support for the mac80211 framework. It did not affect the version of the Linux kernel as shipped with Red Hat Enterprise MRG as they do not include the upstream patch that introduced this vulnerability. A future update will address this flaw in Red Hat Enterprise Linux 5.