Red Hat OVAL Patch Definition Merger 2 5.3 2008-01-23T07:23:28 Red Hat Enterprise Linux 3 vsftpd is an FTP (File Transfer Protocol) daemon. vsftpd was calling unsafe functions from within signal handlers; under heavy load, this could lead to deadlock, leading the service to stop accepting connections. Users of vsftpd should upgrade to this updated package, which resolves this issue. Copyright 2004 Red Hat, Inc. CVE-2004-2259 cpe://redhat:enterprise_linux:3 Red Hat Enterprise Linux 3 LVM includes all of the support for handling read/write operations on physical volumes, creating volume groups from one or more physical volumes and creating one or more logical volumes in volume groups. This updated version of lvm contains a number of enhancements, including the ability to use EMC PowerPath pseudo-devices. In addition, a number of minor bugs have been addressed. All users of lvm should upgrade to this updated package, which resolves these issues. Copyright 2004 Red Hat, Inc. CVE-2004-0972 cpe://redhat:enterprise_linux:3 Red Hat Enterprise Linux 3 Ethereal is a program for monitoring network traffic. Two security issues have been found that affect Ethereal. By exploiting these issues it may be possible to make Ethereal crash by injecting an intentionally malformed packet onto the wire or by convincing someone to read a malformed packet trace file. It is not known if these issues could allow arbitrary code execution. The SMB dissector in Ethereal before 0.10.0 allows remote attackers to cause a denial of service via a malformed SMB packet that triggers a segmentation fault during processing of Selected packets. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-1012 to this issue. The Q.931 dissector in Ethereal before 0.10.0 allows remote attackers to cause a denial of service (crash) via a malformed Q.931, which triggers a null dereference. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-1013 to this issue. Users of Ethereal should update to these erratum packages containing Ethereal version 0.10.0, which is not vulnerable to these issues. Low Copyright 2004 Red Hat, Inc. CVE-2003-1012 CVE-2003-1013 cpe://redhat:enterprise_linux:3 Red Hat Enterprise Linux 3 CVS is a version control system frequently used to manage source code repositories. A flaw was found in versions of CVS prior to 1.11.10 where a malformed module request could cause the CVS server to attempt to create files or directories at the root level of the file system. However, normal file system permissions would prevent the creation of these misplaced directories. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0977 to this issue. Users of CVS are advised to upgrade to these erratum packages, which contain a patch correcting this issue. For Red Hat Enterprise Linux 2.1, these updates also fix an off-by-one overflow in the CVS PreservePermissions code. The PreservePermissions feature is not used by default (and can only be used for local CVS). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-0844 to this issue. Low Copyright 2004 Red Hat, Inc. CVE-2002-0844 CVE-2003-0977 cpe://redhat:enterprise_linux:3 Red Hat Enterprise Linux 3 The K Desktop Environment (KDE) is a graphical desktop for the X Window System. The KDE Personal Information Management (kdepim) suite helps you to organize your mail, tasks, appointments, and contacts. The KDE team found a buffer overflow in the file information reader of VCF files. An attacker could construct a VCF file so that when it was opened by a victim it would execute arbitrary commands. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0988 to this issue. Users of kdepim are advised to upgrade to these erratum packages which contain a backported security patch that corrects this issue. Important Copyright 2004 Red Hat, Inc. CVE-2003-0988 cpe://redhat:enterprise_linux:3 Red Hat Enterprise Linux 3 Tcpdump is a command-line tool for monitoring network traffic. George Bakos discovered flaws in the ISAKMP decoding routines of tcpdump versions prior to 3.8.1. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0989 to this issue. Jonathan Heusser discovered an additional flaw in the ISAKMP decoding routines for tcpdump 3.8.1 and earlier. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0057 to this issue. Jonathan Heusser discovered a flaw in the print_attr_string function in the RADIUS decoding routines for tcpdump 3.8.1 and earlier. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0055 to this issue. Remote attackers could potentially exploit these issues by sending carefully-crafted packets to a victim. If the victim uses tcpdump, these pakets could result in a denial of service, or possibly execute arbitrary code as the 'pcap' user. Users of tcpdump are advised to upgrade to these erratum packages, which contain backported security patches and are not vulnerable to these issues. Moderate Copyright 2004 Red Hat, Inc. CVE-2003-0989 CVE-2004-0055 CVE-2004-0057 cpe://redhat:enterprise_linux:3 Red Hat Enterprise Linux 3 The Apache HTTP Server is a powerful, full-featured, efficient, and freely-available Web server. An issue in the handling of regular expressions from configuration files was discovered in releases of the Apache HTTP Server version 2.0 prior to 2.0.48. To exploit this issue an attacker would need to have the ability to write to Apache configuration files such as .htaccess or httpd.conf. A carefully-crafted configuration file can cause an exploitable buffer overflow and would allow the attacker to execute arbitrary code in the context of the server (in default configurations as the 'apache' user). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0542 to this issue. Users of the Apache HTTP Server should upgrade to these erratum packages, which contain backported patches correcting these issues, and are applied to Apache version 2.0.46. This update also includes fixes for a number of minor bugs found in this version of the Apache HTTP Server. Low Copyright 2004 Red Hat, Inc. CVE-2003-0542 cpe://redhat:enterprise_linux:3 Red Hat Enterprise Linux 3 The Linux kernel handles the basic functions of the operating system. This is the first regular kernel update for Red Hat Enterprise Linux version 3. It contains a new critical security fix, many other bug fixes, several device driver updates, and numerous performance and scalability enhancements. On AMD64 systems, a fix was made to the eflags checking in 32-bit ptrace emulation that could have allowed local users to elevate their privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0001 to this issue. Other bug fixes were made in the following kernel areas: VM, NPTL, IPC, kernel timer, ext3, NFS, netdump, SCSI, ACPI, several device drivers, and machine-dependent support for the x86_64, ppc64, and s390 architectures. The VM subsystem was improved to better handle extreme loads and resource contention (such as might occur during heavy database application usage). This has resulted in a significantly reduced possibility of hangs, OOM kills, and low-mem exhaustion. Several NPTL fixes were made to resolve POSIX compliance issues concerning process IDs and thread IDs. A section in the Release Notes elaborates on a related issue with file record locking in multi-threaded applications. AMD64 kernels are now configured with NUMA support, S390 kernels now have CONFIG_BLK_STATS enabled, and DMA capability was restored in the IA64 agpgart driver. The following drivers have been upgraded to new versions: cmpci ------ 6.36 e100 ------- 2.3.30-k1 e1000 ------ 5.2.20-k1 ips -------- 6.10.52 megaraid --- v1.18k megaraid2 -- v2.00.9 All Red Hat Enterprise Linux 3 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum. Important Copyright 2004 Red Hat, Inc. CVE-2003-0986 CVE-2004-0001 cpe://redhat:enterprise_linux:3 Red Hat Enterprise Linux 3 The Net-SNMP project includes various Simple Network Management Protocol (SNMP) tools. A security issue in Net-SNMP versions before 5.0.9 could allow an existing user/community to gain access to data in MIB objects that were explicitly excluded from their view. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0935 to this issue. Users of Net-SNMP are advised to upgrade to these errata packages containing Net-SNMP 5.0.9, which is not vulnerable to this issue. In addition, Net-SNMP 5.0.9 fixes a number of other minor bugs. Moderate Copyright 2004 Red Hat, Inc. CVE-2003-0935 cpe://redhat:enterprise_linux:3 Red Hat Enterprise Linux 3 The netpbm package contains a library of functions that support programs for handling various graphics file formats, including .pbm (portable bitmaps), .pgm (portable graymaps), .pnm (portable anymaps), .ppm (portable pixmaps), and others. A number of temporary file bugs have been found in versions of NetPBM. These could make it possible for a local user to overwrite or create files as a different user who happens to run one of the the vulnerable utilities. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0924 to this issue. Users are advised to upgrade to the erratum packages, which contain patches from Debian that correct these bugs. Moderate Copyright 2004 Red Hat, Inc. CVE-2003-0924 cpe://redhat:enterprise_linux:3 Red Hat Enterprise Linux 3 Gaim is an instant messenger client that can handle multiple protocols. Stefan Esser audited the Gaim source code and found a number of bugs that have security implications. Due to the nature of instant messaging many of these bugs require man-in-the-middle attacks between client and server. However at least one of the buffer overflows could be exploited by an attacker sending a carefully-constructed malicious message through a server. The issues include: Multiple buffer overflows that affect versions of Gaim 0.75 and earlier. 1) When parsing cookies in a Yahoo web connection, 2) YMSG protocol overflows parsing the Yahoo login webpage, 3) a YMSG packet overflow, 4) flaws in the URL parser, and 5) flaws in HTTP Proxy connect. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0006 to these issues. A buffer overflow in Gaim 0.74 and earlier in the Extract Info Field Function used for MSN and YMSG protocol handlers. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0007 to this issue. An integer overflow in Gaim 0.74 and earlier, when allocating memory for a directIM packet results in heap overflow. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0008 to this issue. All users of Gaim should upgrade to these erratum packages, which contain backported security patches correcting these issues. Red Hat would like to thank Steffan Esser for finding and reporting these issues and Jacques A. Vidrine for providing initial patches. Critical Copyright 2004 Red Hat, Inc. CVE-2004-0006 CVE-2004-0007 CVE-2004-0008 cpe://redhat:enterprise_linux:3 Red Hat Enterprise Linux 3 Slocate is a security-enhanced version of locate, designed to find files on a system via a central database. Patrik Hornik discovered a vulnerability in Slocate versions up to and including 2.7 where a carefully crafted database could overflow a heap-based buffer. A local user could exploit this vulnerability to gain "slocate" group privileges and then read the entire slocate database. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0848 to this issue. Users of Slocate should upgrade to these erratum packages, which contain Slocate version 2.7 with the addition of a patch from Kevin Lindsay that causes slocate to drop privileges before reading a user-supplied database. For Red Hat Enterprise Linux 2.1 these packages also fix a buffer overflow that affected unpatched versions of Slocate prior to 2.7. This vulnerability could also allow a local user to gain "slocate" group privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0056 to this issue. Moderate Copyright 2004 Red Hat, Inc. CVE-2003-0848 CVE-2003-0056 cpe://redhat:enterprise_linux:3 Red Hat Enterprise Linux 3 PWLib is a cross-platform class library designed to support the OpenH323 project. OpenH323 provides an implementation of the ITU H.323 teleconferencing protocol, used by packages such as Gnome Meeting. A test suite for the H.225 protocol (part of the H.323 family) provided by the NISCC uncovered bugs in PWLib prior to version 1.6.0. An attacker could trigger these bugs by sending carefully crafted messages to an application. The effects of such an attack can vary depending on the application, but would usually result in a Denial of Service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0097 to this issue. Users are advised to upgrade to the erratum packages, which contain backported security fixes and are not vulnerable to these issues. Red Hat would like to thank Craig Southeren of the OpenH323 project for providing the fixes for these issues. Moderate Copyright 2004 Red Hat, Inc. CVE-2004-0097 cpe://redhat:enterprise_linux:3 Red Hat Enterprise Linux 3 Mutt is a text-mode mail user agent. A bug was found in the index menu code in versions of mutt. A remote attacker could send a carefully crafted mail message that can cause mutt to segfault and possibly execute arbitrary code as the victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0078 to this issue. It is recommended that all mutt users upgrade to these updated packages, which contain a backported security patch and are not vulnerable to this issue. Red Hat would like to thank Niels Heinen for reporting this issue. Note: mutt-1.2.5.1 in Red Hat Enterprise Linux 2.1 is not vulnerable to this issue. Important Copyright 2004 Red Hat, Inc. CVE-2004-0078 cpe://redhat:enterprise_linux:3 Red Hat Enterprise Linux 3 Sysstat is a tool for gathering system statistics. Isag is a utility for graphically displaying these statistics. A bug was found in the Red Hat sysstat package post and trigger scripts, which used insecure temporary file names. A local attacker could overwrite system files using carefully-crafted symbolic links in the /tmp directory. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0107 to this issue. While fixing this issue, a flaw was discovered in the isag utility, which also used insecure temporary file names. A local attacker could overwrite files that the user running isag has write access to using carefully-crafted symbolic links in the /tmp directory. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0108 to this issue. Other issues addressed in this advisory include: * iostat -x should return all partitions on the system (up to a maximum of 1024) * sar should handle network device names with more than 8 characters properly * mpstat should work correctly with more than 7 CPUs as well as generate correct statistics when accessing individual CPUs. This issue only affected Red Hat Enterprise Linux 2.1 * The sysstat package was not built with the proper dependencies; therefore, it was possible that isag could not be run because the necessary tools were not available. Therefore, isag was split off into its own subpackage with the required dependencies in place. This issue only affects Red Hat Enterprise Linux 2.1. Users of sysstat and isag should upgrade to these updated packages, which contain patches to correct these issues. NOTE: In order to use isag on Red Hat Enterprise Linux 2.1, you must install the sysstat-isag package after upgrading. Moderate Copyright 2004 Red Hat, Inc. CVE-2004-0107 CVE-2004-0108 cpe://redhat:enterprise_linux:3 Red Hat Enterprise Linux 3 mod_python embeds the Python language interpreter within the Apache httpd server. A bug has been found in mod_python versions 2.7.10 and earlier that can lead to a denial of service vulnerability. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0973 to this issue. Although Red Hat Enterprise Linux shipped with a version of mod_python that contains this bug, our testing was unable to trigger the denial of service vulnerability. However, mod_python users are advised to upgrade to these errata packages, which contain a backported patch that corrects this bug. Low Copyright 2004 Red Hat, Inc. CVE-2003-0973 CVE-2004-0096 cpe://redhat:enterprise_linux:3 Red Hat Enterprise Linux 3 XFree86 is an implementation of the X Window System, providing the core graphical user interface and video drivers. iDefense discovered two buffer overflows in the parsing of the 'font.alias' file. A local attacker could exploit this vulnerability by creating a carefully-crafted file and gaining root privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2004-0083 and CAN-2004-0084 to these issues. Additionally David Dawes discovered additional flaws in reading font files. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0106 to these issues. All users of XFree86 are advised to upgrade to these erratum packages, which contain a backported fix and are not vulnerable to these issues. Red Hat would like to thank David Dawes from XFree86 for the patches and notification of these issues. Important Copyright 2004 Red Hat, Inc. CVE-2004-0083 CVE-2004-0084 CVE-2004-0106 cpe://redhat:enterprise_linux:3 Red Hat Enterprise Linux 3 Samba provides file and printer sharing services to SMB/CIFS clients. The Samba team discovered an issue that affects version 3.0.0 and 3.0.1 of Samba. If an account for a user is created, but marked as disabled using the mksmbpasswd script, it is possible for Samba to overwrite the user's password with the contents of an uninitialized buffer. This might lead to a disabled account becoming enabled with a password that could be guessed by an attacker. Although this is likely to be a low risk issue for most Samba users, we have provided updated packages, which contain a backported patch correcting this issue. Red Hat would like to thank the Samba team for reporting this issue and providing us with a patch. Note: Due to a packaging error in samba-3.0.0-14.3E, the winbind daemon is not automatically restarted when the Samba package is upgraded. After up2date has installed the samba-3.0.2-4.3E packages, you must run "/sbin/service winbind condrestart" as root to restart the winbind daemon. Low Copyright 2004 Red Hat, Inc. CVE-2004-0082 cpe://redhat:enterprise_linux:3 Red Hat Enterprise Linux 3 The Linux kernel handles the basic functions of the operating system. Paul Starzetz discovered a flaw in return value checking in mremap() in the Linux kernel versions 2.4.24 and previous that may allow a local attacker to gain root privileges. No exploit is currently available; however this issue is exploitable. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0077 to this issue. All users are advised to upgrade to these errata packages, which contain backported security patches that correct these issues. Red Hat would like to thank Paul Starzetz from ISEC for reporting this issue. For the IBM S/390 and IBM eServer zSeries architectures, the upstream version of the s390utils package (which fixes a bug in the zipl bootloader) is also included. Important Copyright 2004 Red Hat, Inc. CVE-2004-0077 cpe://redhat:enterprise_linux:3 Red Hat Enterprise Linux 3 The nfs-utils package contains the rpc.mountd program, which implements the NFS mount protocol. A flaw was discovered in versions of rpc.mountd in nfs-utils versions after 1.0.3 and prior to 1.0.6. When mounting a directory, rpc.mountd could crash if the reverse lookup of the client in DNS failed to match the forward lookup. An attacker who has the ability to mount remote directories from a server could make use of this flaw to cause a denial of service by making rpc.mountd crash. Users are advised to upgrade to these updated packages, which contain nfs-utils 1.0.6 and is not vulnerable to this issue. NOTE: Red Hat Enterprise Linux 2.1 includes a version of rpc.mountd that is not vulnerable to this issue. Low Copyright 2004 Red Hat, Inc. CVE-2004-0154 cpe://redhat:enterprise_linux:3 Red Hat Enterprise Linux 3 The Apache HTTP server is a powerful, full-featured, efficient, and freely-available Web server. A memory leak in mod_ssl in the Apache HTTP Server prior to version 2.0.49 allows a remote denial of service attack against an SSL-enabled server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0113 to this issue. This update also includes various bug fixes, including: - Improvements to the mod_expires, mod_dav, mod_ssl, and mod_proxy modules - A fix for a bug causing core dumps during configuration parsing on the IA64 platform - An updated version of mod_include fixing several edge cases in the SSI parser Additionally, the mod_logio module is now included. Users of the Apache HTTP server should upgrade to these updated packages, which contain backported patches that address these issues. Important Copyright 2004 Red Hat, Inc. CVE-2004-0113 cpe://redhat:enterprise_linux:3 Red Hat Enterprise Linux 3 libxml2 is a library for manipulating XML files. Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6. When fetching a remote resource via FTP or HTTP, libxml2 uses special parsing routines. These routines can overflow a buffer if passed a very long URL. If an attacker is able to find an application using libxml2 that parses remote resources and allows them to influence the URL, then this flaw could be used to execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0110 to this issue. All users are advised to upgrade to these updated packages, which contain a backported fix and are not vulnerable to this issue. Moderate Copyright 2004 Red Hat, Inc. CVE-2004-0110 cpe://redhat:enterprise_linux:3 Red Hat Enterprise Linux 3 The gdk-pixbuf package contains an image loading library used with the GNOME GUI desktop environment. Thomas Kristensen discovered a bitmap file that would cause versions of gdk-pixbuf prior to 0.20 to crash. To exploit this flaw, an attacker would need to get a victim to open a carefully-crafted BMP file in an application that used gdk-pixbuf. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0111 to this issue. Users are advised to upgrade to these updated packages containing gdk-pixbuf version 0.22, which is not vulnerable to this issue. Important Copyright 2004 Red Hat, Inc. CVE-2004-0111 cpe://redhat:enterprise_linux:3 Red Hat Enterprise Linux 3 Mozilla is a Web browser and mail reader, designed for standards compliance, performance and portability. Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled server applications. NISCC testing of implementations of the S/MIME protocol uncovered a number of bugs in NSS versions prior to 3.9. The parsing of unexpected ASN.1 constructs within S/MIME data could cause Mozilla to crash or consume large amounts of memory. A remote attacker could potentially trigger these bugs by sending a carefully-crafted S/MIME message to a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0564 to this issue. Andreas Sandblad discovered a cross-site scripting issue that affects various versions of Mozilla. When linking to a new page it is still possible to interact with the old page before the new page has been successfully loaded. Any Javascript events will be invoked in the context of the new page, making cross-site scripting possible if the different pages belong to different domains. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0191 to this issue. Flaws have been found in the cookie path handling between a number of Web browsers and servers. The HTTP cookie standard allows a Web server supplying a cookie to a client to specify a subset of URLs on the origin server to which the cookie applies. Web servers such as Apache do not filter returned cookies and assume that the client will only send back cookies for requests that fall within the server-supplied subset of URLs. However, by supplying URLs that use path traversal (/../) and character encoding, it is possible to fool many browsers into sending a cookie to a path outside of the originally-specified subset. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0594 to this issue. Users of Mozilla are advised to upgrade to these updated packages, which contain Mozilla version 1.4.2 and are not vulnerable to these issues. Important Copyright 2004 Red Hat, Inc. CVE-2003-0564 CVE-2003-0594 CVE-2004-0191 cpe://redhat:enterprise_linux:3 Red Hat Enterprise Linux 3 The OpenSSL toolkit implements Secure Sockets Layer (SSL v2/v3), Transport Layer Security (TLS v1) protocols, and serves as a full-strength general purpose cryptography library. Testing performed by the OpenSSL group using the Codenomicon TLS Test Tool uncovered a null-pointer assignment in the do_change_cipher_spec() function in OpenSSL 0.9.6c-0.9.6k and 0.9.7a-0.9.7c. A remote attacker could perform a carefully crafted SSL/TLS handshake against a server that uses the OpenSSL library in such a way as to cause OpenSSL to crash. Depending on the application this could lead to a denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0079 to this issue. Stephen Henson discovered a flaw in SSL/TLS handshaking code when using Kerberos ciphersuites in OpenSSL 0.9.7a-0.9.7c. A remote attacker could perform a carefully crafted SSL/TLS handshake against a server configured to use Kerberos ciphersuites in such a way as to cause OpenSSL to crash. Most applications have no ability to use Kerberos ciphersuites and will therefore be unaffected by this issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0112 to this issue. Testing performed by the OpenSSL group using the Codenomicon TLS Test Tool uncovered a bug in older versions of OpenSSL 0.9.6 prior to 0.9.6d that may lead to a denial of service attack (infinite loop). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0081 to this issue. This issue affects only the OpenSSL compatibility packages shipped with Red Hat Enterprise Linux 3. These updated packages contain patches provided by the OpenSSL group that protect against these issues. Additionally, the version of libica included in the OpenSSL packages has been updated to 1.3.5. This only affects IBM s390 and IBM eServer zSeries customers and is required for the latest openCryptoki packages. NOTE: Because server applications are affected by this issue, users are advised to either restart all services that use OpenSSL functionality or restart their systems after installing these updates. Important Copyright 2004 Red Hat, Inc. CVE-2004-0079 CVE-2004-0081 CVE-2004-0112 cpe://redhat:enterprise_linux:3 Red Hat Enterprise Linux 3 Squid is a full-featured Web proxy cache. A bug was found in the processing of %-encoded characters in a URL in versions of Squid 2.5.STABLE4 and earlier. If a Squid configuration uses Access Control Lists (ACLs), a remote attacker could create URLs that would not be correctly tested against Squid's ACLs, potentially allowing clients to access prohibited URLs. Users of Squid should update to these erratum packages which are not vulnerable to this issue. In addition, these packages contain a new Access Control type, "urllogin", which can be used to protect vulnerable Microsoft Internet Explorer clients from accessing URLs that contain login information. Such URLs are often used by fraudsters to trick web users into revealing valuable personal data. Note that the default Squid configuration does not make use of this new access control type. You must explicitly configure Squid with ACLs that use this new type, in accordance with your own site policies. Low Copyright 2004 Red Hat, Inc. CVE-2004-0189 cpe://redhat:enterprise_linux:3 Red Hat Enterprise Linux 3 Ethereal is a program for monitoring network traffic. Stefan Esser reported that Ethereal versions 0.10.1 and earlier contain stack overflows in the IGRP, PGM, Metflow, ISUP, TCAP, or IGAP dissectors. On a system where Ethereal is being run a remote attacker could send malicious packets that could cause Ethereal to crash or execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0176 to this issue. Jonathan Heussser discovered that a carefully-crafted RADIUS packet could cause a crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0365 to this issue. Ethereal 0.8.13 to 0.10.2 allows remote attackers to cause a denial of service (crash) via a zero-length Presentation protocol selector. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0367 to this issue. Users of Ethereal should upgrade to these updated packages, which contain a version of Ethereal that is not vulnerable to these issues. Moderate Copyright 2004 Red Hat, Inc. CVE-2004-0176 CVE-2004-0365 CVE-2004-0367 CVE-2004-1761 cpe://redhat:enterprise_linux:3 Red Hat Enterprise Linux 3 CVS is a version control system frequently used to manage source code repositories. Sebastian Krahmer discovered a flaw in CVS clients where rcs diff files can create files with absolute pathnames. An attacker could create a fake malicious CVS server that would cause arbitrary files to be created or overwritten when a victim connects to it. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0180 to this issue. Derek Price discovered a vulnerability whereby a CVS pserver could be abused by a malicious client to view the contents of certain files outside of the CVS root directory using relative pathnames containing "../". The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0405 to this issue. Users of CVS are advised to upgrade to these erratum packages, which contain a patch correcting this issue. Moderate Copyright 2004 Red Hat, Inc. CVE-2004-0180 CVE-2004-0405 cpe://redhat:enterprise_linux:3 Red Hat Enterprise Linux 3 OpenOffice.org is an Open Source, community-developed, multi-platform office productivity suite. OpenOffice internally uses inbuilt code from neon, an HTTP and WebDAV client library. Versions of the neon client library up to and including 0.24.4 have been found to contain a number of format string bugs. An attacker could create a malicious WebDAV server in such a way as to allow arbitrary code execution on the client should a user connect to it using OpenOffice. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0179 to this issue. Users of OpenOffice are advised to upgrade to these updated packages, which contain a patch correcting this issue. Important Copyright 2004 Red Hat, Inc. CVE-2004-0179 cpe://redhat:enterprise_linux:3 Red Hat Enterprise Linux 3 IPSEC uses strong cryptography to provide both authentication and encryption services. With versions of ipsec-tools prior to 0.2.3, it was possible for an attacker to cause unauthorized deletion of SA (Security Associations.) The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0164 to this issue. With versions of ipsec-tools prior to 0.2.5, the RSA signature on x.509 certificates was not properly verified when using certificate based authentication. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0155 to this issue. When ipsec-tools receives an ISAKMP header, it will attempt to allocate sufficient memory for the entire ISAKMP message according to the header's length field. If an attacker crafts an ISAKMP header with a extremely large value in the length field, racoon may exceed operating system resource limits and be terminated, resulting in a denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0403 to this issue. User of IPSEC should upgrade to this updated package, which contains ipsec-tools version 0.25 along with a security patch for CAN-2004-0403 which resolves all these issues. Important Copyright 2004 Red Hat, Inc. CVE-2004-0155 CVE-2004-0164 CVE-2004-0403 cpe://redhat:enterprise_linux:3 Red Hat Enterprise Linux 3 Utempter is a utility that allows terminal applications such as xterm and screen to update utmp and wtmp without requiring root privileges. Steve Grubb discovered a flaw in Utempter which allowed device names containing directory traversal sequences such as '/../'. In combination with an application that trusts the utmp or wtmp files, this could allow a local attacker the ability to overwrite privileged files using a symlink. Users should upgrade to this new version of utempter, which fixes this vulnerability. Moderate Copyright 2004 Red Hat, Inc. CVE-2004-0233 cpe://redhat:enterprise_linux:3 Red Hat Enterprise Linux 3 LHA is an archiving and compression utility for LHarc format archives. Ulf Harnhammar discovered two stack buffer overflows and two directory traversal flaws in LHA. An attacker could exploit the buffer overflows by creating a carefully crafted LHA archive in such a way that arbitrary code would be executed when the archive is tested or extracted by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0234 to this issue. An attacker could exploit the directory traversal issues to create files as the victim outside of the expected directory. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0235 to this issue. Users of LHA should update to this updated package which contains backported patches not vulnerable to these issues. Red Hat would like to thank Ulf Harnhammar for disclosing and providing test cases and patches for these issues. Important Copyright 2004 Red Hat, Inc. CVE-2004-0234 CVE-2004-0235 cpe://redhat:enterprise_linux:3 Red Hat Enterprise Linux 3 The libpng package contains a library of functions for creating and manipulating PNG (Portable Network Graphics) image format files. Steve Grubb discovered a out of bounds memory access flaw in libpng. An attacker could carefully craft a PNG file in such a way that it would cause an application linked to libpng to crash when opened by a victim. This issue may not be used to execute arbitrary code. Users are advised to upgrade to these updated packages that contain a backported security fix not vulnerable to this issue. Important Copyright 2004 Red Hat, Inc. CVE-2004-0421 cpe://redhat:enterprise_linux:3 Red Hat Enterprise Linux 3 The Linux kernel handles the basic functions of the operating system. iSEC Security Research discovered a flaw in the ip_setsockopt() function code of the Linux kernel versions 2.4.22 to 2.4.25 inclusive. This flaw also affects the 2.4.21 kernel in Red Hat Enterprise Linux 3 which contained a backported version of the affected code. A local user could use this flaw to gain root privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0424 to this issue. iDefense reported a buffer overflow flaw in the ISO9660 filesystem code. An attacker could create a malicious filesystem in such a way that root privileges may be obtained if the filesystem is mounted. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0109 to this issue. All Red Hat Enterprise Linux 3 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum. Important Copyright 2004 Red Hat, Inc. CVE-2004-0109 CVE-2004-0424 cpe://redhat:enterprise_linux:3 Red Hat Enterprise Linux 3 The Linux kernel handles the basic functions of the operating system. This is the second regular kernel update to Red Hat Enterprise Linux version 3. It contains several minor security fixes, many bug fixes, device driver updates, new hardware support, and the introduction of Linux Syscall Auditing support. There were bug fixes in many different parts of the kernel, the bulk of which addressed unusual situations such as error handling, race conditions, and resource starvation. The combined effect of the approximately 140 fixes is a strong improvement in the reliability and durability of Red Hat Enterprise Linux. Some of the key areas affected are disk drivers, network drivers, USB support, x86_64 and ppc64 platform support, ia64 32-bit emulation layer enablers, and the VM, NFS, IPv6, and SCSI subsystems. A significant change in the SCSI subsystem (the disabling of the scsi-affine-queue patch) should significantly improve SCSI disk driver performance in many scenarios. There were 10 Bugzillas against SCSI performance problems addressed by this change. The following drivers have been upgraded to new versions: bonding ---- 2.4.1 cciss ------ 2.4.50.RH1 e1000 ------ 5.2.30.1-k1 fusion ----- 2.05.11.03 ipr -------- 1.0.3 ips -------- 6.11.07 megaraid2 -- 2.10.1.1 qla2x00 ---- 6.07.02-RH1 tg3 -------- 3.1 z90crypt --- 1.1.4 This update introduces support for the new Intel EM64T processor. A new "ia32e" architecture has been created to support booting on platforms based on either the original AMD Opteron CPU or the new Intel EM64T CPU. The existing "x86_64" architecture has remained optimized for Opteron systems. Kernels for both types of systems are built from the same x86_64-architecture sources and share a common kernel source RPM (kernel-source-2.4.21-15.EL.x86_64.rpm). Other highlights in this update include a major upgrade to the SATA infrastructure, addition of IBM JS20 Power Blade support, and creation of an optional IBM eServer zSeries On-Demand Timer facility for reducing idle CPU overhead. The following security issues were addressed in this update: A minor flaw was found where /proc/tty/driver/serial reveals the exact character counts for serial links. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0461 to this issue. The kernel strncpy() function in Linux 2.4 and 2.5 does not pad the target buffer with null bytes on architectures other than x86, as opposed to the expected libc behavior, which could lead to information leaks. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0465 to this issue. A minor data leak was found in two real time clock drivers (for /dev/rtc). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0984 to this issue. A flaw in the R128 Direct Render Infrastructure (dri) driver could allow local privilege escalation. This driver is part of the kernel-unsupported package. The Common Vulnera- bilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0003 to this issue. A flaw in ncp_lookup() in ncpfs could allow local privilege escalation. The ncpfs module allows a system to mount volumes of NetWare servers or print to NetWare printers and is in the kernel-unsupported package. The Common Vulnera- bilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0010 to this issue. (Note that the kernel-unsupported package contains drivers and other modules that are unsupported and therefore might contain security problems that have not been addressed.) All Red Hat Enterprise Linux 3 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum. Important Copyright 2004 Red Hat, Inc. CVE-2003-0461 CVE-2003-0465 CVE-2003-0984 CVE-2003-1040 CVE-2004-0003 CVE-2004-0010 cpe://redhat:enterprise_linux:3 Red Hat Enterprise Linux 3 CVS is a version control system frequently used to manage source code repositories. Stefan Esser discovered a flaw in cvs where malformed "Entry" lines could cause a heap overflow. An attacker who has access to a CVS server could use this flaw to execute arbitrary code under the UID which the CVS server is executing. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0396 to this issue. Users of CVS are advised to upgrade to this updated package, which contains a backported patch correcting this issue. Red Hat would like to thank Stefan Esser for notifying us of this issue and Derek Price for providing an updated patch. Critical Copyright 2004 Red Hat, Inc. CVE-2004-0396 cpe://redhat:enterprise_linux:3 Red Hat Enterprise Linux 3 Rsync is a program for synchronizing files over a network. Rsync before 2.6.1 does not properly sanitize paths when running a read/write daemon without using chroot. This could allow a remote attacker to write files outside of the module's "path", depending on the privileges assigned to the rsync daemon. Users not running an rsync daemon, running a read-only daemon, or running a chrooted daemon are not affected by this issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0426 to this issue. Users of Rsync are advised to upgrade to this updated package, which contains a backported patch and is not affected by this issue. Important Copyright 2004 Red Hat, Inc. CVE-2004-0426 cpe://redhat:enterprise_linux:3 Red Hat Enterprise Linux 3 Tcpdump is a command-line tool for monitoring network traffic. Tcpdump v3.8.1 and earlier versions contained multiple flaws in the packet display functions for the ISAKMP protocol. Upon receiving specially crafted ISAKMP packets, TCPDUMP would try to read beyond the end of the packet capture buffer and subsequently crash. Users of tcpdump are advised to upgrade to these erratum packages, which contain backported security patches and are not vulnerable to these issues. Low Copyright 2004 Red Hat, Inc. CVE-2004-0183 CVE-2004-0184 cpe://redhat:enterprise_linux:3 Red Hat Enterprise Linux 3 CVS is a version control system frequently used to manage source code repositories. While investigating a previously fixed vulnerability, Derek Price discovered a flaw relating to malformed "Entry" lines which lead to a missing NULL terminator. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0414 to this issue. Stefan Esser and Sebastian Krahmer c