Red Hat OVAL Patch Definition Merger 2 5.3 2011-05-02T14:35:25 Red Hat Enterprise Linux 3 The kdelibs packages include libraries for the K Desktop Environment. The kdebase packages include core applications for the K Desktop Environment. Secunia Research discovered a window injection spoofing vulnerability affecting the Konqueror web browser. This issue could allow a malicious website to show arbitrary content in a different browser window. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-1158 to this issue. A bug was discovered in the way kioslave handles URL-encoded newline (%0a) characters before the FTP command. It is possible that a specially crafted URL could be used to execute any ftp command on a remote server, or potentially send unsolicited email. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-1165 to this issue. A bug was discovered that can crash KDE screensaver under certain local circumstances. This could allow an attacker with physical access to the workstation to take over a locked desktop session. Please note that this issue only affects Red Hat Enterprise Linux 2.1. The Common Vulnerabilities and Exposures project has assigned the name CAN-2005-0078 to this issue. All users of KDE are advised to upgrade to this updated packages, which contain backported patches to correct these issues. Important Copyright 2005 Red Hat, Inc. CVE-2004-1158 CVE-2004-1165 CVE-2005-0078 CAN-2004-1158 Frame injection vulnerability. CAN-2005-0078 password bypass in kde screensaver CAN-2004-1165 kioslave command injection cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 VIM (Vi IMproved) is an updated and improved version of the vi screen-based editor. Ciaran McCreesh discovered a modeline vulnerability in VIM. It is possible that a malicious user could create a file containing a specially crafted modeline which could cause arbitrary command execution when viewed by a victim. Please note that this issue only affects users who have modelines and filetype plugins enabled, which is not the default. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-1138 to this issue. All users of VIM are advised to upgrade to these erratum packages, which contain a backported patch for this issue. Low Copyright 2005 Red Hat, Inc. CVE-2004-1138 CAN-2004-1138 vim arbitrary command execution vulnerability cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Ethereal is a program for monitoring network traffic. A number of security flaws have been discovered in Ethereal. On a system where Ethereal is running, a remote attacker could send malicious packets to trigger these flaws. A flaw in the DICOM dissector could cause a crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1139 to this issue. A invalid RTP timestamp could hang Ethereal and create a large temporary file, possibly filling available disk space. (CAN-2004-1140) The HTTP dissector could access previously-freed memory, causing a crash. (CAN-2004-1141) An improperly formatted SMB packet could make Ethereal hang, maximizing CPU utilization. (CAN-2004-1142) The COPS dissector could go into an infinite loop. (CAN-2005-0006) The DLSw dissector could cause an assertion, making Ethereal exit prematurely. (CAN-2005-0007) The DNP dissector could cause memory corruption. (CAN-2005-0008) The Gnutella dissector could cause an assertion, making Ethereal exit prematurely. (CAN-2005-0009) The MMSE dissector could free static memory, causing a crash. (CAN-2005-0010) The X11 protocol dissector is vulnerable to a string buffer overflow. (CAN-2005-0084) Users of Ethereal should upgrade to these updated packages which contain version 0.10.9 that is not vulnerable to these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2004-1139 CVE-2004-1140 CVE-2004-1141 CVE-2004-1142 CVE-2005-0006 CVE-2005-0007 CVE-2005-0008 CVE-2005-0009 CVE-2005-0010 CVE-2005-0084 CAN-2004-1139 Ethereal flaws (CAN-2004-1140 CAN-2004-1141 CAN-2004-1142) CAN-2005-0006 multiple ethereal issues (CAN-2005-0007 CAN-2005-0008 CAN-2005-0009 CAN-2005-0010 CAN-2005-0084) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Kerberos is a networked authentication system that uses a trusted third party (a KDC) to authenticate clients and servers to each other. A heap based buffer overflow bug was found in the administration library of Kerberos 1.3.5 and earlier. This bug could allow an authenticated remote attacker to execute arbitrary commands on a realm's master Kerberos KDC. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1189 to this issue. Additionally a temporary file bug was found in the Kerberos krb5-send-pr program. It is possible that an attacker could create a temporary file that would allow an arbitrary file to be overwritten which the victim has write access to. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0971 to this issue. All users of krb5 should upgrade to these updated packages, which contain backported security patches to resolve these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2004-0971 CVE-2004-1189 CAN-2004-0971 temporary file vulnerabilities in krb5-send-pr script CAN-2004-0971 temporary file vulnerabilities in krb5-send-pr script CAN-2004-1189 buffer overflow in krb5 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Common UNIX Printing System provides a portable printing layer for UNIX(R) operating systems. A buffer overflow was found in the CUPS pdftops filter, which uses code from the Xpdf package. An attacker who has the ability to send a malicious PDF file to a printer could possibly execute arbitrary code as the "lp" user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1125 to this issue. A buffer overflow was found in the ParseCommand function in the hpgltops program. An attacker who has the ability to send a malicious HPGL file to a printer could possibly execute arbitrary code as the "lp" user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1267 to this issue. Red Hat believes that the Exec-Shield technology (enabled by default since Update 3) will block attempts to exploit these buffer overflow vulnerabilities on x86 architectures. The lppasswd utility ignores write errors when modifying the CUPS passwd file. A local user who is able to fill the associated file system could corrupt the CUPS password file or prevent future uses of lppasswd. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2004-1268 and CAN-2004-1269 to these issues. The lppasswd utility does not verify that the passwd.new file is different from STDERR, which could allow local users to control output to passwd.new via certain user input that triggers an error message. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1270 to this issue. In addition to these security issues, two other problems not relating to security have been fixed: Resuming a job with "lp -H resume", which had previously been held with "lp -H hold" could cause the scheduler to stop. This has been fixed in later versions of CUPS, and has been backported in these updated packages. The cancel-cups(1) man page is a symbolic link to another man page. The target of this link has been corrected. All users of cups should upgrade to these updated packages, which resolve these issues. Important Copyright 2005 Red Hat, Inc. CVE-2004-1125 CVE-2004-1267 CVE-2004-1268 CVE-2004-1269 CVE-2004-1270 cancel-cups man page missing from errata package CAN-2004-1267 Bernstein cups issues (CAN-2004-1268 CAN-2004-1269 CAN-2004-1270) CAN-2004-1125 xpdf buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Xpdf is an X Window System based viewer for Portable Document Format (PDF) files. A buffer overflow flaw was found in the Gfx::doImage function of Xpdf. An attacker could construct a carefully crafted PDF file that could cause Xpdf to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1125 to this issue. Red Hat believes that the Exec-Shield technology (enabled by default since Update 3) will block attempts to exploit this vulnerability on x86 architectures. All users of the Xpdf packages should upgrade to these updated packages, which resolve these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2004-1125 CAN-2004-1125 xpdf buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The libtiff package contains a library of functions for manipulating TIFF (Tagged Image File Format) image format files. iDEFENSE has reported an integer overflow bug that affects libtiff. An attacker who has the ability to trick a user into opening a malicious TIFF file could cause the application linked to libtiff to crash or possibly execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1308 to this issue. Dmitry V. Levin reported another integer overflow in the tiffdump utility. An atacker who has the ability to trick a user into opening a malicious TIFF file with tiffdump could possibly execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1183 to this issue. All users are advised to upgrade to these updated packages, which contain backported fixes for these issues. Important Copyright 2005 Red Hat, Inc. CVE-2004-1308 CVE-2004-1183 CAN-2004-1308 LibTIFF Directory Entry Count Integer Overflow Vulnerability CVE-2004-1183 libtiff: tiffdump integer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The kdegraphics package contains graphics applications for the K Desktop Environment. During a source code audit, Chris Evans discovered a number of integer overflow bugs that affect libtiff. The kfax application contains a copy of the libtiff code used for parsing TIFF files and is therefore affected by these bugs. An attacker who has the ability to trick a user into opening a malicious TIFF file could cause kfax to crash or possibly execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2004-0886 and CAN-2004-0804 to these issues. Additionally, a number of buffer overflow bugs that affect libtiff have been found. The kfax application contains a copy of the libtiff code used for parsing TIFF files and is therefore affected by these bugs. An attacker who has the ability to trick a user into opening a malicious TIFF file could cause kfax to crash or possibly execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0803 to this issue. Users of kfax should upgrade to these updated packages, which contain backported patches and are not vulnerable to this issue. Moderate Copyright 2005 Red Hat, Inc. CVE-2004-0803 CVE-2004-0886 CVE-2004-0804 CVE-2004-1307 CVE-2004-1308 CAN-2004-0803 buffer overflows in libtiff CAN-2004-0886 multiple integer overflows in libtiff cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Exim is a mail transport agent (MTA) developed at the University of Cambridge for use on Unix systems connected to the Internet. A buffer overflow was discovered in the spa_base64_to_bits function in Exim, as originally obtained from Samba code. If SPA authentication is enabled, a remote attacker may be able to exploit this vulnerability to execute arbitrary code as the 'exim' user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0022 to this issue. Please note that SPA authentication is not enabled by default in Red Hat Enterprise Linux 4. Buffer overflow flaws were discovered in the host_aton and dns_build_reverse functions in Exim. A local user can trigger these flaws by executing exim with carefully crafted command line arguments and may be able to gain the privileges of the 'exim' account. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0021 to this issue. Users of Exim are advised to update to these erratum packages which contain backported patches to correct these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-0021 CVE-2005-0022 CAN-2005-0021 exim security issues (CAN-2005-0022) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The tetex packages (teTeX) contain an implementation of TeX for Linux or UNIX systems. A buffer overflow flaw was found in the Gfx::doImage function of Xpdf which also affects teTeX due to a shared codebase. An attacker could construct a carefully crafted PDF file that could cause teTeX to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1125 to this issue. A buffer overflow flaw was found in the Decrypt::makeFileKey2 function of Xpdf which also affects teTeX due to a shared codebase. An attacker could construct a carefully crafted PDF file that could cause teTeX to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0064 to this issue. Users should update to these erratum packages which contain backported patches to correct these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-0064 CVE-2004-1125 CAN-2004-1125 xpdf buffer overflow CAN-2005-0064 xpdf buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. Flaws including possible information disclosure, double free, and negative reference index array underflow were found in the deserialization code of PHP. PHP applications may use the unserialize function on untrusted user data, which could allow a remote attacker to gain access to memory or potentially execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1019 to this issue. A flaw in the exif extension of PHP was found which lead to a stack overflow. An attacker could create a carefully crafted image file in such a way which, if parsed by a PHP script using the exif extension, could cause a crash or potentially execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1065 to this issue. Flaws were found in shmop_write, pack, and unpack PHP functions. These functions are not normally passed user supplied data, so would require a malicious PHP script to be exploited. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1018 to this issue. Users of PHP should upgrade to these updated packages, which contain fixes for these issues. Important Copyright 2005 Red Hat, Inc. CVE-2004-1018 CVE-2004-1019 CVE-2004-1065 CAN-2004-1018 Multiple issues in PHP (CAN-2004-1019 CAN-2004-1020) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The alsa-lib package provides a library of functions for communication with kernel sound drivers. A flaw in the alsa mixer code was discovered that caused stack execution protection to be disabled for the libasound.so library. The effect of this flaw is that stack execution protection, through NX or Exec-Shield, would be disabled for any application linked to libasound. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0087 to this issue Users are advised to upgrade to this updated package, which contains a patched version of the library which correctly enables stack execution protection. Important Copyright 2005 Red Hat, Inc. CVE-2005-0087 CAN-2005-0087 alsa-lib disables stack protection for it's users cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Xpdf is an X Window System based viewer for Portable Document Format (PDF) files. A buffer overflow flaw was found in the Gfx::doImage function of Xpdf. An attacker could construct a carefully crafted PDF file that could cause Xpdf to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1125 to this issue. A buffer overflow flaw was found in the Decrypt::makeFileKey2 function of Xpdf. An attacker could construct a carefully crafted PDF file that could cause Xpdf to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0064 to this issue. During a source code audit, Chris Evans and others discovered a number of integer overflow bugs that affected all versions of Xpdf. An attacker could construct a carefully crafted PDF file that could cause Xpdf to crash or possibly execute arbitrary code when opened. This issue was assigned the name CAN-2004-0888 by The Common Vulnerabilities and Exposures project (cve.mitre.org). Red Hat Enterprise Linux 4 contained a fix for this issue, but it was found to be incomplete and left 64-bit architectures vulnerable. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0206 to this issue. All users of Xpdf should upgrade to this updated package, which contains backported patches to resolve these issues. Important Copyright 2005 Red Hat, Inc. CVE-2004-1125 CVE-2005-0064 CVE-2005-0206 PDF is displayed garbled, older xpdf works CAN-2004-1125 xpdf buffer overflow CAN-2005-0064 xpdf buffer overflow CAN-2004-0888 xpdf integer overflows cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The libtiff package contains a library of functions for manipulating TIFF (Tagged Image File Format) image format files. infamous41md discovered integer overflow flaws in libtiff. An attacker could create a carefully crafted TIFF file in such a way that it could cause an application linked with libtiff to overflow a heap buffer when the file was opened by a victim. Due to the nature of the overflow it is unlikely that it is possible to use this flaw to execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1308 to this issue. Dmitry V. Levin discovered an integer overflow flaw in libtiff. An attacker could create a carefully crafted TIFF file in such a way that it could cause an application linked with libtiff to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1183 to this issue. All users are advised to upgrade to these updated packages, which contain backported fixes for these issues. Important Copyright 2005 Red Hat, Inc. CVE-2004-1308 CVE-2004-1183 CAN-2004-1308 LibTIFF Directory Entry Count Integer Overflow Vulnerability CAN-2004-1183 libtiff integer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 VIM (Vi IMproved) is an updated and improved version of the vi screen-based editor. Ciaran McCreesh discovered a modeline vulnerability in VIM. An attacker could create a text file containing a specially crafted modeline which could cause arbitrary command execution when viewed by a victim using VIM. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-1138 to this issue. Please note that this issue only affects users who have modelines and filetype plugins enabled, which is not the default. The Debian Security Audit Project discovered an insecure temporary file usage in VIM. A local user could overwrite or create files as a different user who happens to run one of the the vulnerable utilities. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0069 to this issue. All users of VIM are advised to upgrade to these erratum packages, which contain backported patches for these issues. Low Copyright 2005 Red Hat, Inc. CVE-2004-1138 CVE-2005-0069 CAN-2004-1138 vim arbitrary command execution vulnerability CAN-2005-0069 vim unsafe temporary file usage. cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Ethereal is a program for monitoring network traffic. A number of security flaws have been discovered in Ethereal. On a system where Ethereal is running, a remote attacker could send malicious packets to trigger these flaws. A flaw in the DICOM dissector could cause a crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1139 to this issue. A invalid RTP timestamp could hang Ethereal and create a large temporary file, possibly filling available disk space. (CAN-2004-1140) The HTTP dissector could access previously-freed memory, causing a crash. (CAN-2004-1141) An improperly formatted SMB packet could make Ethereal hang, maximizing CPU utilization. (CAN-2004-1142) The COPS dissector could go into an infinite loop. (CAN-2005-0006) The DLSw dissector could cause an assertion, making Ethereal exit prematurely. (CAN-2005-0007) The DNP dissector could cause memory corruption. (CAN-2005-0008) The Gnutella dissector could cause an assertion, making Ethereal exit prematurely. (CAN-2005-0009) The MMSE dissector could free static memory, causing a crash. (CAN-2005-0010) The X11 protocol dissector is vulnerable to a string buffer overflow. (CAN-2005-0084) Users of Ethereal should upgrade to these updated packages which contain version 0.10.9 that is not vulnerable to these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2004-1139 CVE-2004-1140 CVE-2004-1141 CVE-2004-1142 CVE-2005-0006 CVE-2005-0007 CVE-2005-0008 CVE-2005-0009 CVE-2005-0010 CVE-2005-0084 CAN-2004-1139 Ethereal flaws (CAN-2004-1140 CAN-2004-1141 CAN-2004-1142) CAN-2005-0006 multiple ethereal issues (CAN-2005-0007 CAN-2005-0008 CAN-2005-0009 CAN-2005-0010 CAN-2005-0084) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Mozilla is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. iSEC Security Research has discovered a buffer overflow bug in the way Mozilla handles NNTP URLs. If a user visits a malicious web page or is convinced to click on a malicious link, it may be possible for an attacker to execute arbitrary code on the victim's machine. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1316 to this issue. Users of Mozilla should upgrade to these updated packages, which contain backported patches and are not vulnerable to these issues. Low Copyright 2005 Red Hat, Inc. CVE-2004-1316 CAN-2004-1316 buffer overflow in mozilla cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 GNU enscript converts ASCII files to PostScript. Enscript has the ability to interpret special escape sequences. A flaw was found in the handling of the epsf command used to insert inline EPS files into a document. An attacker could create a carefully crafted ASCII file which made use of the epsf pipe command in such a way that it could execute arbitrary commands if the file was opened with enscript by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1184 to this issue. Additional flaws in Enscript were also discovered which can only be triggered by executing enscript with carefully crafted command line arguments. These flaws therefore only have a security impact if enscript is executed by other programs and passed untrusted data from remote users. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2004-1185 and CAN-2004-1186 to these issues. All users of enscript should upgrade to these updated packages, which resolve these issues. Low Copyright 2005 Red Hat, Inc. CVE-2004-1184 CVE-2004-1185 CVE-2004-1186 CAN-2004-1184 multiple security issues in enscript (CAN-2004-1185 CAN-2004-1186) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 GNU enscript converts ASCII files to PostScript. Enscript has the ability to interpret special escape sequences. A flaw was found in the handling of the epsf command used to insert inline EPS files into a document. An attacker could create a carefully crafted ASCII file which made use of the epsf pipe command in such a way that it could execute arbitrary commands if the file was opened with enscript by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1184 to this issue. Additional flaws in Enscript were also discovered which can only be triggered by executing enscript with carefully crafted command line arguments. These flaws therefore only have a security impact if enscript is executed by other programs and passed untrusted data from remote users. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2004-1185 and CAN-2004-1186 to these issues. All users of enscript should upgrade to these updated packages, which contain backported patches to correct these issues. Low Copyright 2005 Red Hat, Inc. CVE-2004-1184 CVE-2004-1185 CVE-2004-1186 CAN-2004-1184 multiple security issues in enscript (CAN-2004-1185 CAN-2004-1186) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Linux kernel handles the basic functions of the operating system. This advisory includes fixes for several security issues: iSEC Security Research discovered a VMA handling flaw in the uselib(2) system call of the Linux kernel. A local user could make use of this flaw to gain elevated (root) privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1235 to this issue. A flaw was discovered where an executable could cause a VMA overlap leading to a crash. A local user could trigger this flaw by creating a carefully crafted a.out binary on 32-bit systems or a carefully crafted ELF binary on Itanium systems. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0003 to this issue. iSEC Security Research discovered a flaw in the page fault handler code that could lead to local users gaining elevated (root) privileges on multiprocessor machines. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0001 to this issue. A patch that coincidentally fixed this issue was committed to the Update 4 kernel release in December 2004. Therefore Red Hat Enterprise Linux 3 kernels provided by RHBA-2004:550 and subsequent updates are not vulnerable to this issue. A flaw in the system call filtering code in the audit subsystem included in Red Hat Enterprise Linux 3 allowed a local user to cause a crash when auditing was enabled. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1237 to this issue. Olaf Kirch discovered that the recent security fixes for cmsg_len handling (CAN-2004-1016) broke 32-bit compatibility on 64-bit platforms such as AMD64 and Intel EM64T. A patch to correct this issue is included. A recent Internet Draft by Fernando Gont recommended that ICMP Source Quench messages be ignored by hosts. A patch to ignore these messages is included. Note: The kernel-unsupported package contains various drivers and modules that are unsupported and therefore might contain security problems that have not been addressed. All Red Hat Enterprise Linux 3 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum. Important Copyright 2005 Red Hat, Inc. CVE-2004-0791 CVE-2004-1074 CVE-2004-1235 CVE-2004-1237 CVE-2005-0003 CAN-2004-1237 Kernel panic when stopping Lotus Domino 6.52 CAN-2004-1237 instant kernel panic from one line perl program - BAD CAN-2004-1237 kernel oops captured, system hangs CAN-2004-1237 kernel panic ( __audit_get_target) CAN-2004-1237 kernel panic caused by auditd CAN-2004-1237 kernel panic when Oracle agentctl is run CAN-2004-1235 isec.pl uselib() privilege escalation CAN-2005-0003 huge vma-in-executable bug cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Kerberos is a networked authentication system that uses a trusted third party (a KDC) to authenticate clients and servers to each other. A heap based buffer overflow bug was found in the administration library of Kerberos 1.3.5 and earlier. This bug could allow an authenticated remote attacker to execute arbitrary commands on a realm's master Kerberos KDC. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1189 to this issue. All users of krb5 should upgrade to these updated packages, which contain backported security patches to resolve these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2004-1189 CAN-2004-1189 buffer overflow in krb5 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Common UNIX Printing System provides a portable printing layer for UNIX(R) operating systems. A buffer overflow flaw was found in the Decrypt::makeFileKey2 function of Xpdf which also affects the CUPS pdftops filter due to a shared codebase. An attacker who has the ability to send a malicious PDF file to a printer could possibly execute arbitrary code as the "lp" user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0064 to this issue. Red Hat believes that the Exec-Shield technology (enabled by default since Update 3) will block attempts to remotely exploit these buffer overflow vulnerabilities on x86 architectures. All users of cups should upgrade to these updated packages, which resolve these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-0064 CAN-2005-0064 xpdf buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The Common UNIX Printing System provides a portable printing layer for UNIX(R) operating systems. During a source code audit, Chris Evans and others discovered a number of integer overflow bugs that affected all versions of Xpdf, which also affects CUPS due to a shared codebase. An attacker could construct a carefully crafted PDF file that could cause CUPS to crash or possibly execute arbitrary code when opened. This issue was assigned the name CAN-2004-0888 by The Common Vulnerabilities and Exposures project (cve.mitre.org). Red Hat Enterprise Linux 4 contained a fix for this issue, but it was found to be incomplete and left 64-bit architectures vulnerable. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0206 to this issue. A buffer overflow flaw was found in the Gfx::doImage function of Xpdf which also affects the CUPS pdftops filter due to a shared codebase. An attacker who has the ability to send a malicious PDF file to a printer could possibly execute arbitrary code as the "lp" user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1125 to this issue. A buffer overflow flaw was found in the ParseCommand function in the hpgltops program. An attacker who has the ability to send a malicious HPGL file to a printer could possibly execute arbitrary code as the "lp" user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1267 to this issue. A buffer overflow flaw was found in the Decrypt::makeFileKey2 function of Xpdf which also affects the CUPS pdftops filter due to a shared codebase. An attacker who has the ability to send a malicious PDF file to a printer could possibly execute arbitrary code as the "lp" user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0064 to this issue. The lppasswd utility was found to ignore write errors when modifying the CUPS passwd file. A local user who is able to fill the associated file system could corrupt the CUPS password file or prevent future uses of lppasswd. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2004-1268 and CAN-2004-1269 to these issues. The lppasswd utility was found to not verify that the passwd.new file is different from STDERR, which could allow local users to control output to passwd.new via certain user input that triggers an error message. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1270 to this issue. All users of cups should upgrade to these updated packages, which contain backported patches to resolve these issues. Important Copyright 2005 Red Hat, Inc. CVE-2004-1125 CVE-2004-1267 CVE-2004-1268 CVE-2004-1269 CVE-2004-1270 CVE-2005-0064 CVE-2005-0206 CAN-2004-1267 Bernstein cups issues (CAN-2004-1268 CAN-2004-1269 CAN-2004-1270) CAN-2004-1125 xpdf buffer overflow CAN-2005-0064 xpdf buffer overflow CAN-2004-0888 xpdf issues affect cups (CAN-2005-0206) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 GPdf is a viewer for Portable Document Format (PDF) files for GNOME. A buffer overflow flaw was found in the Gfx::doImage function of Xpdf which also affects GPdf due to a shared codebase. An attacker could construct a carefully crafted PDF file that could cause GPdf to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1125 to this issue. A buffer overflow flaw was found in the Decrypt::makeFileKey2 function of Xpdf which also affects GPdf due to a shared codebase. An attacker could construct a carefully crafted PDF file that could cause GPdf to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0064 to this issue. During a source code audit, Chris Evans and others discovered a number of integer overflow bugs that affected all versions of Xpdf, which also affects GPdf due to a shared codebase. An attacker could construct a carefully crafted PDF file that could cause GPdf to crash or possibly execute arbitrary code when opened. This issue was assigned the name CAN-2004-0888 by The Common Vulnerabilities and Exposures project (cve.mitre.org). Red Hat Enterprise Linux 4 contained a fix for this issue, but it was found to be incomplete and left 64-bit architectures vulnerable. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0206 to this issue. Users should update to this erratum package which contains backported patches to correct these issues. Important Copyright 2005 Red Hat, Inc. CVE-2004-1125 CVE-2005-0064 CVE-2005-0206 CAN-2004-1125 gpdf buffer overflow CAN-2005-0064 xpdf buffer overflow CAN-2004-0888 xpdf integer overflows cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Xpdf is an X Window System based viewer for Portable Document Format (PDF) files. A buffer overflow flaw was found when processing the /Encrypt /Length tag. An attacker could construct a carefully crafted PDF file that could cause Xpdf to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0064 to this issue. Red Hat believes that the Exec-Shield technology (enabled by default since Update 3) will block attempts to exploit this vulnerability on x86 architectures. All users of the Xpdf package should upgrade to this updated package, which resolves this issue Important Copyright 2005 Red Hat, Inc. CVE-2005-0064 CAN-2005-0064 xpdf buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Squid is a full-featured Web proxy cache. A buffer overflow flaw was found in the Gopher relay parser. This bug could allow a remote Gopher server to crash the Squid proxy that reads data from it. Although Gopher servers are now quite rare, a malicious webpage (for example) could redirect or contain a frame pointing to an attacker's malicious gopher server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0094 to this issue. An integer overflow flaw was found in the WCCP message parser. It is possible to crash the Squid server if an attacker is able to send a malformed WCCP message with a spoofed source address matching Squid's "home router". The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0095 to this issue. A memory leak was found in the NTLM fakeauth_auth helper. It is possible that an attacker could place the Squid server under high load, causing the NTML fakeauth_auth helper to consume a large amount of memory, resulting in a denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0096 to this issue. A NULL pointer de-reference bug was found in the NTLM fakeauth_auth helper. It is possible for an attacker to send a malformed NTLM type 3 message, causing the Squid server to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0097 to this issue. A username validation bug was found in squid_ldap_auth. It is possible for a username to be padded with spaces, which could allow a user to bypass explicit access control rules or confuse accounting. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0173 to this issue. The way Squid handles HTTP responses was found to need strengthening. It is possible that a malicious Web server could send a series of HTTP responses in such a way that the Squid cache could be poisoned, presenting users with incorrect webpages. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2005-0174 and CAN-2005-0175 to these issues. A bug was found in the way Squid handled oversized HTTP response headers. It is possible that a malicious Web server could send a specially crafted HTTP header which could cause the Squid cache to be poisoned, presenting users with incorrect webpages. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0241 to this issue. A buffer overflow bug was found in the WCCP message parser. It is possible that an attacker could send a malformed WCCP message which could crash the Squid server or execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0211 to this issue. Users of Squid should upgrade to this updated package, which contains backported patches, and is not vulnerable to these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-0094 CVE-2005-0095 CVE-2005-0096 CVE-2005-0097 CVE-2005-0173 CVE-2005-0174 CVE-2005-0175 CVE-2005-0211 CVE-2005-0241 CAN-2005-0094 Multiple issues with squid (CAN-2005-0095 CAN-2005-0096 CAN-2005-0097) CAN-2005-0173 Multiple squid issues (CAN-2005-0174 CAN-2005-0175) CAN-2005-0211 Buffer overflow in WCCP recvfrom() call CAN-2005-0241 Correct handling of oversized reply headers cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Squid is a full-featured Web proxy cache. A buffer overflow flaw was found in the Gopher relay parser. This bug could allow a remote Gopher server to crash the Squid proxy that reads data from it. Although Gopher servers are now quite rare, a malicious web page (for example) could redirect or contain a frame pointing to an attacker's malicious gopher server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0094 to this issue. An integer overflow flaw was found in the WCCP message parser. It is possible to crash the Squid server if an attacker is able to send a malformed WCCP message with a spoofed source address matching Squid's "home router". The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0095 to this issue. A memory leak was found in the NTLM fakeauth_auth helper. It is possible that an attacker could place the Squid server under high load, causing the NTML fakeauth_auth helper to consume a large amount of memory, resulting in a denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0096 to this issue. A NULL pointer de-reference bug was found in the NTLM fakeauth_auth helper. It is possible for an attacker to send a malformed NTLM type 3 message, causing the Squid server to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0097 to this issue. A username validation bug was found in squid_ldap_auth. It is possible for a username to be padded with spaces, which could allow a user to bypass explicit access control rules or confuse accounting. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0173 to this issue. The way Squid handles HTTP responses was found to need strengthening. It is possible that a malicious web server could send a series of HTTP responses in such a way that the Squid cache could be poisoned, presenting users with incorrect webpages. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2005-0174 and CAN-2005-0175 to these issues. A bug was found in the way Squid handled oversized HTTP response headers. It is possible that a malicious web server could send a specially crafted HTTP header which could cause the Squid cache to be poisoned, presenting users with incorrect webpages. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0241 to this issue. A buffer overflow bug was found in the WCCP message parser. It is possible that an attacker could send a malformed WCCP message which could crash the Squid server or execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0211 to this issue. Users of Squid should upgrade to this updated package, which contains backported patches, and is not vulnerable to these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-0094 CVE-2005-0095 CVE-2005-0096 CVE-2005-0097 CVE-2005-0173 CVE-2005-0174 CVE-2005-0175 CVE-2005-0211 CVE-2005-0241 CAN-2005-0094 Multiple issues with squid (CAN-2005-0095 CAN-2005-0096 CAN-2005-0097) CAN-2005-0173 Multiple squid issues (CAN-2005-0174 CAN-2005-0175) CAN-2005-0241 Correct handling of oversized reply headers cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The kdelibs packages include libraries for the K Desktop Environment. Two flaws were found in the sandbox environment used to run Java-applets in the Konqueror web browser. If a user has Java enabled in Konqueror and visits a malicious website, the website could run a carefully crafted Java-applet and obtain escalated privileges allowing reading and writing of arbitrary files with the privileges of the victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1145 to this issue. A flaw was discovered in the FTP kioslave. KDE applications such as Konqueror could be forced to execute arbitrary FTP commands via a carefully crafted ftp URL. The URL could also be crafted in such a way as to send an arbitrary email via SMTP. An attacker could make use of this flaw if a victim visits a malicious web site. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-1165 to this issue. Users should update to these erratum packages which contain backported patches to correct these issues. Important Copyright 2005 Red Hat, Inc. CVE-2004-1145 CVE-2004-1165 CAN-2004-1145 Konqueror Java Vulnerability CAN-2004-1165 kioslave command injection cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The kdegraphics packages contain applications for the K Desktop Environment including kpdf, a pdf file viewer. A buffer overflow flaw was found in the Gfx::doImage function of Xpdf that also affects kpdf due to a shared codebase. An attacker could construct a carefully crafted PDF file that could cause kpdf to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1125 to this issue. A buffer overflow flaw was found in the Decrypt::makeFileKey2 function of Xpdf which also affects kpdf due to a shared codebase. An attacker could construct a carefully crafted PDF file that could cause kpdf to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0064 to this issue. During a source code audit, Chris Evans and others discovered a number of integer overflow bugs that affected all versions of Xpdf which also affects kpdf due to a shared codebase. An attacker could construct a carefully crafted PDF file that could cause kpdf to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0888 to this issue. Users should update to these erratum packages which contain backported patches to correct these issues. Important Copyright 2005 Red Hat, Inc. CVE-2004-0888 CVE-2004-1125 CVE-2005-0064 CAN-2004-1125 kpdf buffer overflows (CAN-2005-0064) CAN-2004-0888 xpdf integer overflows cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The less utility is a text file browser that resembles more, but has extended capabilities. Victor Ashik discovered a heap based buffer overflow in less, caused by a patch added to the less package in Red Hat Enterprise Linux 3. An attacker could construct a carefully crafted file that could cause less to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0086 to this issue. Note that this issue only affects the version of less distributed with Red Hat Enterprise Linux 3. Red Hat believes that the Exec-Shield technology (enabled by default since Update 3) will block attempts to remotely exploit this vulnerability on x86 architectures. All users of the less package should upgrade to this updated package, which resolves this issue. Important Copyright 2005 Red Hat, Inc. CVE-2005-0086 CAN-2005-0086 less crashes on scrolling of binary files cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 DBI is a database access Application Programming Interface (API) for the Perl programming language. The Debian Security Audit Project discovered that the DBI library creates a temporary PID file in an insecure manner. A local user could overwrite or create files as a different user who happens to run an application which uses DBI::ProxyServer. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0077 to this issue. Users should update to this erratum package which disables the temporary PID file unless configured. Low Copyright 2005 Red Hat, Inc. CVE-2005-0077 CAN-2005-0077 perl-DBI insecure temporary file usage cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 ImageMagick is an image display and manipulation tool for the X Window System. Andrei Nigmatulin discovered a heap based buffer overflow flaw in the ImageMagick image handler. An attacker could create a carefully crafted Photoshop Document (PSD) image in such a way that it would cause ImageMagick to execute arbitrary code when processing the image. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0005 to this issue. A format string bug was found in the way ImageMagick handles filenames. An attacker could execute arbitrary code on a victim's machine if they were able to trick the victim into opening a file with a specially crafted name. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0397 to this issue. A bug was found in the way ImageMagick handles TIFF tags. It is possible that a TIFF image file with an invalid tag could cause ImageMagick to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0759 to this issue. A bug was found in ImageMagick's TIFF decoder. It is possible that a specially crafted TIFF image file could cause ImageMagick to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0760 to this issue. A bug was found in the way ImageMagick parses PSD files. It is possible that a specially crafted PSD file could cause ImageMagick to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0761 to this issue. A heap overflow bug was found in ImageMagick's SGI parser. It is possible that an attacker could execute arbitrary code by tricking a user into opening a specially crafted SGI image file. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0762 to this issue. Users of ImageMagick should upgrade to these updated packages, which contain backported patches, and are not vulnerable to these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-0005 CVE-2005-0397 CVE-2005-0759 CVE-2005-0760 CVE-2005-0761 CVE-2005-0762 CAN-2005-0005 buffer overflow in ImageMagick CAN-2005-0397 ImageMagick format string flaw CAN-2005-0759 Denial of Service in .tiff images with invalid TAG CAN-2005-0760 Accessing memory outside of image during decoding of TIFF CAN-2005-0761 Bug in parsing PSD files CAN-2005-0762 Buffer overflow in SGI parser cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 ImageMagick is an image display and manipulation tool for the X Window System. Andrei Nigmatulin discovered a heap based buffer overflow flaw in the ImageMagick image handler. An attacker could create a carefully crafted Photoshop Document (PSD) image in such a way that it would cause ImageMagick to execute arbitrary code when processing the image. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0005 to this issue. Users of ImageMagick should upgrade to these updated packages, which contain a backported patch, and are not vulnerable to this issue. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-0005 CAN-2005-0005 buffer overflow in ImageMagick cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 DBI is a database access Application Programming Interface (API) for the Perl programming language. The Debian Security Audit Project discovered that the DBI library creates a temporary PID file in an insecure manner. A local user could overwrite or create files as a different user who happens to run an application which uses DBI::ProxyServer. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0077 to this issue. Users should update to this erratum package which disables the temporary PID file unless configured. Low Copyright 2005 Red Hat, Inc. CVE-2005-0077 CAN-2005-0077 perl-DBI insecure temporary file usage cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 GNU cpio copies files into or out of a cpio or tar archive. It was discovered that cpio uses a 0 umask when creating files using the -O (archive) option. This creates output files with mode 0666 (all can read and write) regardless of the user's umask setting. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-1999-1572 to this issue. Users of cpio should upgrade to this updated package, which resolves this issue. Red Hat would like to thank Mike O'Connor for bringing this issue to our attention. Low Copyright 2005 Red Hat, Inc. CVE-1999-1572 CAN-1999-1572 cpio insecure file creation cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The rsh package contains a set of programs that allow users to run commands on remote machines, login to other machines, and copy files between machines, using the rsh, rlogin, and rcp commands. All three of these commands use rhosts-style authentication. The rcp protocol allows a server to instruct a client to write to arbitrary files outside of the current directory. This could potentially cause a security issue if a user uses rcp to copy files from a malicious server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0175 to this issue. These updated packages also address the following bugs: The rexec command failed with "Invalid Argument", because the code used sigaction() as an unsupported signal. The rlogind server reported "SIGCHLD set to SIG_IGN but calls wait()" message to the system log because the original BSD code was ported incorrectly to linux. The rexecd server did not function on systems where client hostnames were not in the DNS service, because server code called gethostbyaddr() for each new connection. The rcp command incorrectly used the "errno" variable and produced erroneous error messages. The rexecd command ignored settings in the /etc/security/limits file, because the PAM session was incorrectly initialized. The rexec command prompted for username and password regardless of the ~/.netrc configuration file contents. This updated package contains a patch that no longer skips the ~/.netrc file. All users of rsh should upgrade to these updated packages, which resolve these issues. Low Copyright 2005 Red Hat, Inc. CVE-2004-0175 rcp gives incorrect error report when file system writes fai rexec fails with "Invalid Argument" RHEL3: rexec prompts for username/password before checking ~/.netrc RHEL3: rexecd does not set limits on /etc/security/limits malicious rsh server can cause rcp to write to arbitrary files (like scp CAN-2004-0175) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 GNU cpio copies files into or out of a cpio or tar archive. It was discovered that cpio uses a 0 umask when creating files using the -O (archive) option. This creates output files with mode 0666 (all can read and write) regardless of the user's umask setting. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-1999-1572 to this issue. All users of cpio should upgrade to this updated package, which resolves this issue, and adds support for large files (> 2GB). Low Copyright 2005 Red Hat, Inc. CVE-1999-1572 cpio does not support large files > 2GB cpio fails to unpack initrd on ppc CAN-1999-1572 cpio insecure file creation cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Ghostscript is a program for displaying PostScript files or printing them to non-PostScript printers. A bug was found in the way several of Ghostscript's utility scripts created temporary files. A local user could cause these utilities to overwrite files that the victim running the utility has write access to. The Common Vulnerabilities and Exposures project assigned the name CAN-2004-0967 to this issue. Additionally, this update addresses the following issue: A problem has been identified in the PDF output driver, which can cause output to be delayed indefinitely on some systems. The fix has been backported from GhostScript 7.07. All users of ghostscript should upgrade to these updated packages, which contain backported patches to resolve these issues. Low Copyright 2005 Red Hat, Inc. CVE-2004-0967 [7.05-20.1] gs gets stuck reading /dev/random CAN-2004-0967 temporary file vulnerabilities in various ghostscript scripts. cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The ht://Dig system is a Web search and indexing system for a small domain or intranet. Michael Krax reported a cross-site scripting bug affecting htdig. An attacker could construct a carefully crafted URL which can cause a web browser to execute malicious script once visited. The Common Vulnerabilities and Exposures project has assigned the name CAN-2005-0085 to this issue. Users of htdig should upgrade to these updated packages, which contain a backported patch, and are not vulnerable to this issue. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-0085 CAN-2005-0085 XSS vulnerability in htdig 3.2.0b6 htdig packaging cleanups cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The Linux kernel handles the basic functions of the operating system. This advisory includes fixes for several security issues: iSEC Security Research discovered multiple vulnerabilities in the IGMP functionality. These flaws could allow a local user to cause a denial of service (crash) or potentially gain privileges. Where multicast applications are being used on a system, these flaws may also allow remote users to cause a denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1137 to this issue. iSEC Security Research discovered a flaw in the page fault handler code that could lead to local users gaining elevated (root) privileges on multiprocessor machines. (CAN-2005-0001) iSEC Security Research discovered a VMA handling flaw in the uselib(2) system call of the Linux kernel. A local user could make use of this flaw to gain elevated (root) privileges. (CAN-2004-1235) A flaw affecting the OUTS instruction on the AMD64 and Intel EM64T architecture was discovered. A local user could use this flaw to write to privileged IO ports. (CAN-2005-0204) The Direct Rendering Manager (DRM) driver in Linux kernel 2.6 does not properly check the DMA lock, which could allow remote attackers or local users to cause a denial of service (X Server crash) or possibly modify the video output. (CAN-2004-1056) OGAWA Hirofumi discovered incorrect tables sizes being used in the filesystem Native Language Support ASCII translation table. This could lead to a denial of service (system crash). (CAN-2005-0177) Michael Kerrisk discovered a flaw in the 2.6.9 kernel which allows users to unlock arbitrary shared memory segments. This flaw could lead to applications not behaving as expected. (CAN-2005-0176) Improvements in the POSIX signal and tty standards compliance exposed a race condition. This flaw can be triggered accidentally by threaded applications or deliberately by a malicious user and can result in a denial of service (crash) or in occasional cases give access to a small random chunk of kernel memory. (CAN-2005-0178) The PaX team discovered a flaw in mlockall introduced in the 2.6.9 kernel. An unprivileged user could use this flaw to cause a denial of service (CPU and memory consumption or crash). (CAN-2005-0179) Brad Spengler discovered multiple flaws in sg_scsi_ioctl in the 2.6 kernel. An unprivileged user may be able to use this flaw to cause a denial of service (crash) or possibly other actions. (CAN-2005-0180) Kirill Korotaev discovered a missing access check regression in the Red Hat Enterprise Linux 4 kernel 4GB/4GB split patch. On systems using the hugemem kernel, a local unprivileged user could use this flaw to cause a denial of service (crash). (CAN-2005-0090) A flaw in the Red Hat Enterprise Linux 4 kernel 4GB/4GB split patch can allow syscalls to read and write arbitrary kernel memory. On systems using the hugemem kernel, a local unprivileged user could use this flaw to gain privileges. (CAN-2005-0091) An additional flaw in the Red Hat Enterprise Linux 4 kernel 4GB/4GB split patch was discovered. On x86 systems using the hugemem kernel, a local unprivileged user may be able to use this flaw to cause a denial of service (crash). (CAN-2005-0092) All Red Hat Enterprise Linux 4 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum. Important Copyright 2005 Red Hat, Inc. CVE-2004-1056 CVE-2004-1137 CVE-2004-1235 CVE-2005-0001 CVE-2005-0090 CVE-2005-0091 CVE-2005-0092 CVE-2005-0176 CVE-2005-0177 CVE-2005-0178 CVE-2005-0179 CVE-2005-0180 CVE-2005-0204 CAN-2004-1137 IGMP flaws CAN-2005-0090 4GB split DoS CAN-2004-1235 isec.pl do_brk() privilege escalation CAN-2004-1056 insufficient locking checks in DRM code CAN-2005-0001 page fault @ SMP privilege escalation CAN-2005-0176 unlock someone elses ipc memory CAN-2005-0180 2.6 scsi ioctl integer overflow and information leak CAN-2005-0179 RLIMIT_MEMLOCK bypass and (2.6) unprivileged user DoS random poolsize sysctl handler integer overflow CAN-2005-0091 4g4g PROT_NONE fix (CAN-2005-0092) 20041212 Clear ebp on sysenter return CAN-2005-0177 nls_ascii incorrect table size CAN-2005-0178 tty/setsid race cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Thunderbird is a standalone mail and newsgroup client. A bug was found in the way Thunderbird handled synthetic middle click events. It is possible for a malicious web page to steal the contents of a victim's clipboard. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0146 to this issue. A bug was found in the way Thunderbird handled cookies when loading content over HTTP regardless of the user's preference. It is possible that a particular user could be tracked through the use of malicious mail messages which load content over HTTP. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0149 to this issue. Users of Thunderbird are advised to upgrade to this updated package, which contains Thunderbird version 1.0 and is not vulnerable to this issue. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-0146 CVE-2005-0149 CAN-2005-0149 Mail responds to cookie requests CAN-2005-0146 Synthetic middle-click event can steal clipboard contents cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 SquirrelMail is a standards-based webmail package written in PHP4. Jimmy Conner discovered a missing variable initialization in Squirrelmail. This flaw could allow potential insecure file inclusions on servers where the PHP setting "register_globals" is set to "On". This is not a default or recommended setting. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0075 to this issue. A URL sanitisation bug was found in Squirrelmail. This flaw could allow a cross site scripting attack when loading the URL for the sidebar. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0103 to this issue. A missing variable initialization bug was found in Squirrelmail. This flaw could allow a cross site scripting attack. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0104 to this issue. Users of Squirrelmail are advised to upgrade to this updated package, which contains backported patches to correct these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-0075 CVE-2005-0103 CVE-2005-0104 CAN-2005-0075 Arbitrary code injection in Squirrelmail CAN-2005-0103 Multiple issues in squirrelmail (CAN-2005-0104) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Mod_python is a module that embeds the Python language interpreter within the Apache web server, allowing handlers to be written in Python. Graham Dumpleton discovered a flaw affecting the publisher handler of mod_python, used to make objects inside modules callable via URL. A remote user could visit a carefully crafted URL that would gain access to objects that should not be visible, leading to an information leak. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0088 to this issue. Users of mod_python are advised to upgrade to this updated package, which contains a backported patch to correct this issue. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-0088 CAN-2005-0088 mod_python information leak cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 D-BUS is a system for sending messages between applications. It is used both for the systemwide message bus service, and as a per-user-login-session messaging facility. Dan Reed discovered that a user can send and listen to messages on another user's per-user session bus if they know the address of the socket. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0201 to this issue. In Red Hat Enterprise Linux 4, the per-user session bus is only used for printing notifications, therefore this issue would only allow a local user to examine or send additional print notification messages. Users of dbus are advised to upgrade to these updated packages, which contain backported patches to correct this issue. Low Copyright 2005 Red Hat, Inc. CVE-2005-0201 CAN-2005-0201 dbus information leak cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Perl is a high-level programming language commonly used for system administration utilities and Web programming. Kevin Finisterre discovered a stack based buffer overflow flaw in sperl, the Perl setuid wrapper. A local user could create a sperl executable script with a carefully created path name, overflowing the buffer and leading to root privilege escalation. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0156 to this issue. Kevin Finisterre discovered a flaw in sperl which can cause debugging information to be logged to arbitrary files. By setting an environment variable, a local user could cause sperl to create, as root, files with arbitrary filenames, or append the debugging information to existing files. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0155 to this issue. An unsafe file permission bug was discovered in the rmtree() function in the File::Path module. The rmtree() function removes files and directories in an insecure manner, which could allow a local user to read or delete arbitrary files. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0452 to this issue. Users of Perl are advised to upgrade to this updated package, which contains backported patches to correct these issues. Important Copyright 2005 Red Hat, Inc. CVE-2004-0452 CVE-2005-0155 CVE-2005-0156 CAN-2005-0155 multiple setuid perl issues (CAN-2005-0156 ) CAN-2004-0452 File::Path::rmtree() issue cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Mod_python is a module that embeds the Python language interpreter within the Apache web server, allowing handlers to be written in Python. Graham Dumpleton discovered a flaw affecting the publisher handler of mod_python, used to make objects inside modules callable via URL. A remote user could visit a carefully crafted URL that would gain access to objects that should not be visible, leading to an information leak. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0088 to this issue. Users of mod_python are advised to upgrade to this updated package, which contains a backported patch to correct this issue. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-0088 CAN-2005-0088 mod_python information leak cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Perl is a high-level programming language commonly used for system administration utilities and Web programming. Kevin Finisterre discovered a stack based buffer overflow flaw in sperl, the Perl setuid wrapper. A local user could create a sperl executable script with a carefully created path name, overflowing the buffer and leading to root privilege escalation. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0156 to this issue. Kevin Finisterre discovered a flaw in sperl which can cause debugging information to be logged to arbitrary files. By setting an environment variable, a local user could cause sperl to create, as root, files with arbitrary filenames, or append the debugging information to existing files. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0155 to this issue. Users of Perl are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Important Copyright 2005 Red Hat, Inc. CVE-2004-0452 CVE-2005-0155 CVE-2005-0156 Potential insecurity in CGI.pm CAN-2005-0155 multiple setuid perl issues (CAN-2005-0156) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. SSH replaces rlogin and rsh, and provides secure encrypted communications between two untrusted hosts over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forwarded over a secure channel. Public key authentication can be used for "passwordless" access to servers. The scp protocol allows a server to instruct a client to write to arbitrary files outside of the current directory. This could potentially cause a security issue if a user uses scp to copy files from a malicious server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0175 to this issue. These updated packages also correct the following bugs: On systems where direct ssh access for the root user was disabled by configuration (setting "PermitRootLogin no"), attempts to guess the root password could be judged as sucessful or unsucessful by observing a delay. On systems where the privilege separation feature was turned on, the user resource limits were not correctly set if the configuration specified to raise them above the defaults. It was also not possible to change an expired password. Users of openssh should upgrade to these updated packages, which contain backported patches to resolve these issues. Low Copyright 2005 Red Hat, Inc. CVE-2004-0175 CAN-2004-0175 malicious ssh server can cause scp to write to arbitrary files OpenSSH does not allow users to change expired passwords when privsep is used SSH allows attacker to divine root password cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Python is an interpreted, interactive, object-oriented programming language. An object traversal bug was found in the Python SimpleXMLRPCServer. This bug could allow a remote untrusted user to do unrestricted object traversal and allow them to access or change function internals using the im_* and func_* attributes. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0089 to this issue. Users of Python are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-0089 CAN-2005-0089 python SimpleXMLRPCServer security issue cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Python is an interpreted, interactive, object-oriented programming language. An object traversal bug was found in the Python SimpleXMLRPCServer. This bug could allow a remote untrusted user to do unrestricted object traversal and allow them to access or change function internals using the im_* and func_* attributes. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0089 to this issue. Users of Python are advised to upgrade to these updated packages, which contain backported patches to correct this issue. Important Copyright 2005 Red Hat, Inc. CVE-2005-0089 CAN-2005-0089 python SimpleXMLRPCServer security issue cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Emacs is a powerful, customizable, self-documenting, modeless text editor. Max Vozeler discovered several format string vulnerabilities in the movemail utility of Emacs. If a user connects to a malicious POP server, an attacker can execute arbitrary code as the user running emacs. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0100 to this issue. Users of Emacs are advised to upgrade to these updated packages, which contain backported patches to correct this issue. Important Copyright 2005 Red Hat, Inc. CVE-2005-0100 CAN-2005-0100 Arbitrary code execution in *emacs* cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Emacs is a powerful, customizable, self-documenting, modeless text editor. Max Vozeler discovered several format string vulnerabilities in the movemail utility of Emacs. If a user connects to a malicious POP server, an attacker can execute arbitrary code as the user running emacs. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0100 to this issue. Users of Emacs are advised to upgrade to these updated packages, which contain backported patches to correct this issue. Important Copyright 2005 Red Hat, Inc. CVE-2005-0100 CAN-2005-0100 Arbitrary code execution in *emacs* cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 VIM (Vi IMproved) is an updated and improved version of the vi screen-based editor. The Debian Security Audit Project discovered an insecure temporary file usage in VIM. A local user could overwrite or create files as a different user who happens to run one of the the vulnerable utilities. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0069 to this issue. All users of VIM are advised to upgrade to these erratum packages, which contain a backported patche for this issue. Low Copyright 2005 Red Hat, Inc. CVE-2005-0069 CAN-2005-0069 vim unsafe temporary file usage. cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The imap package provides server daemons for both the IMAP (Internet Message Access Protocol) and POP (Post Office Protocol) mail access protocols. A logic error in the CRAM-MD5 code in the University of Washington IMAP (UW-IMAP) server was discovered. When Challenge-Response Authentication Mechanism with MD5 (CRAM-MD5) is enabled, UW-IMAP does not properly enforce all the required conditions for successful authentication, which could allow remote attackers to authenticate as arbitrary users. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0198 to this issue. All users of imap should upgrade to these updated packages, which contain a backported patch and are not vulnerable to this issue. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-0198 CAN-2005-0198 user validation issue in imap when using CRAM-MD5 authetication cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Common UNIX Printing System (CUPS) is a print spooler. During a source code audit, Chris Evans discovered a number of integer overflow bugs that affect Xpdf. CUPS contained a copy of the Xpdf code used for parsing PDF files and was therefore affected by these bugs. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CAN-2004-0888 to this issue, and Red Hat released erratum RHSA-2004:543 with updated packages. It was found that the patch used to correct this issue was not sufficient and did not fully protect CUPS running on 64-bit architectures. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0206 to this issue. These updated packages also include a fix that prevents the CUPS initscript from being accidentally replaced. All users of CUPS on 64-bit architectures should upgrade to these updated packages, which contain a corrected patch and are not vulnerable to these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-0206 CAN-2004-0888 xpdf issues affect cups cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 XEmacs is a powerful, customizable, self-documenting, modeless text editor. Max Vozeler discovered several format string vulnerabilities in the movemail utility of XEmacs. If a user connects to a malicious POP server, an attacker can execute arbitrary code as the user running xemacs. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0100 to this issue. Users of XEmacs are advised to upgrade to these updated packages, which contain backported patches to correct this issue. Important Copyright 2005 Red Hat, Inc. CVE-2005-0100 CAN-2005-0100 Arbitrary code execution in *emacs* cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 XEmacs is a powerful, customizable, self-documenting, modeless text editor. Max Vozeler discovered several format string vulnerabilities in the movemail utility of XEmacs. If a user connects to a malicious POP server, an attacker can execute arbitrary code as the user running xemacs. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0100 to this issue. Users of XEmacs are advised to upgrade to these updated packages, which contain backported patches to correct this issue. Important Copyright 2005 Red Hat, Inc. CVE-2005-0100 CAN-2005-0100 Arbitrary code execution in *emacs* cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 SquirrelMail is a standards-based webmail package written in PHP4. Jimmy Conner discovered a missing variable initialization in Squirrelmail. This flaw could allow potential insecure file inclusions on servers where the PHP setting "register_globals" is set to "On". This is not a default or recommended setting. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0075 to this issue. A URL sanitisation bug was found in Squirrelmail. This flaw could allow a cross site scripting attack when loading the URL for the sidebar. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0103 to this issue. A missing variable initialization bug was found in Squirrelmail. This flaw could allow a cross site scripting attack. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0104 to this issue. Users of Squirrelmail are advised to upgrade to this updated package, which contains backported patches to correct these issues. Low Copyright 2005 Red Hat, Inc. CVE-2005-0075 CVE-2005-0103 CVE-2005-0104 CAN-2005-0075 Arbitrary code injection in Squirrelmail CAN-2005-0103 Multiple issues in squirrelmail (CAN-2005-0104) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The mailman package is software to help manage email discussion lists. A flaw in the true_path function of Mailman was discovered. A remote attacker who is a member of a private mailman list could use a carefully crafted URL and gain access to arbitrary files on the server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0202 to this issue. Note: Mailman installations running on Apache 2.0-based servers are not vulnerable to this issue. Users of mailman should update to these erratum packages that contain a patch and are not vulnerable to this issue. Important Copyright 2005 Red Hat, Inc. CVE-2005-0202 CAN-2005-0202 mailman flaw cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Mailman is software to help manage email discussion lists. A flaw in the true_path function of Mailman was discovered. A remote attacker who is a member of a private mailman list could use a carefully crafted URL and gain access to arbitrary files on the server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0202 to this issue. Note: Mailman installations running on Apache 2.0-based servers are not vulnerable to this issue. Users of Mailman should update to these erratum packages that contain a patch and are not vulnerable to this issue. Important Copyright 2005 Red Hat, Inc. CVE-2005-0202 CAN-2005-0202 mailman flaw cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 A flaw in the LOAD command in PostgreSQL was discovered. A local user could use this flaw to load arbitrary shared libraries and therefore execute arbitrary code, gaining the privileges of the PostgreSQL server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0227 to this issue. A permission checking flaw in PostgreSQL was discovered. A local user could bypass the EXECUTE permission check for functions by using the CREATE AGGREGATE command. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0244 to this issue. Multiple buffer overflows were found in PL/PgSQL. A database user who has permissions to create plpgsql functions could trigger this flaw which could lead to arbitrary code execution, gaining the privileges of the PostgreSQL server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2005-0245 and CAN-2005-0247 to these issues. A flaw in the integer aggregator (intagg) contrib module for PostgreSQL was found. A user could create carefully crafted arrays and cause a denial of service (crash). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0246 to this issue. The update also fixes some minor problems, notably conflicts with SELinux. Users of postgresql should update to these erratum packages that contain patches and are not vulnerable to these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-0227 CVE-2005-0244 CVE-2005-0245 CVE-2005-0246 CVE-2005-0247 CAN-2005-0227 Multiple security issues in PostgreSQL (CAN-2005-0244 CAN-2005-0245 CAN-2005-0246 CAN-2005-0247) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 PostgreSQL is an advanced Object-Relational database management system (DBMS). A flaw in the LOAD command in PostgreSQL was discovered. A local user could use this flaw to load arbitrary shared librarys and therefore execute arbitrary code, gaining the privileges of the PostgreSQL server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0227 to this issue. A permission checking flaw in PostgreSQL was discovered. A local user could bypass the EXECUTE permission check for functions by using the CREATE AGGREGATE command. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0244 to this issue. Multiple buffer overflows were found in PL/PgSQL. A database user who has permissions to create plpgsql functions could trigger this flaw which could lead to arbitrary code execution, gaining the privileges of the PostgreSQL server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2005-0245 and CAN-2005-0247 to these issues. A flaw in the integer aggregator (intagg) contrib module for PostgreSQL was found. A user could create carefully crafted arrays and cause a denial of service (crash). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0246 to this issue. Users of PostgreSQL are advised to update to these erratum packages which are not vulnerable to these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-0227 CVE-2005-0244 CVE-2005-0245 CVE-2005-0246 CVE-2005-0247 CAN-2005-0227 Multiple security issues in PostgreSQL (CAN-2005-0244 CAN-2005-0245 CAN-2005-0246 CAN-2005-0247) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Postfix is a Mail Transport Agent (MTA), supporting LDAP, SMTP AUTH (SASL), and TLS. A flaw was found in the ipv6 patch used with Postfix. When the file /proc/net/if_inet6 is not available and permit_mx_backup is enabled in smtpd_recipient_restrictions, this flaw could allow remote attackers to bypass e-mail restrictions and perform mail relaying by sending mail to an IPv6 hostname. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0337 to this issue. These updated packages also fix the following problems: - wrong permissions on doc directory - segfault when gethostbyname or gethostbyaddr fails All users of postfix should upgrade to these updated packages, which contain patches which resolve these issues. Low Copyright 2005 Red Hat, Inc. CVE-2005-0337 newaliases segfaults when gethostbyname or gethostbyaddr fails CAN-2005-0337 open relay bug in postfix ipv6 patch Permissions on doc directory is wrong cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The rsh package contains a set of programs that allow users to run commands on remote machines, login to other machines, and copy files between machines, using the rsh, rlogin, and rcp commands. All three of these commands use rhosts-style authentication. The rcp protocol allows a server to instruct a client to write to arbitrary files outside of the current directory. This could potentially cause a security issue if a user uses rcp to copy files from a malicious server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0175 to this issue. These updated packages also address the following bugs: The rlogind server reported "SIGCHLD set to SIG_IGN but calls wait()" message to the system log because the original BSD code was ported incorrectly to linux. The rexecd server did not function on systems where client hostnames were not in the DNS service, because server code called gethostbyaddr() for each new connection. The rcp command incorrectly used the "errno" variable and produced erroneous error messages. The rexecd command ignored settings in the /etc/security/limits file, because the PAM session was incorrectly initialized. All users of rsh should upgrade to these updated packages, which resolve these issues. Low Copyright 2005 Red Hat, Inc. CVE-2004-0175 RHEL4: rexecd does not set limits on /etc/security/limits RHEL4: rcp gives incorrect error report when file system writes fai cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Squid is a full-featured Web proxy cache. A bug was found in the way Squid handles FQDN lookups. It was possible to crash the Squid server by sending a carefully crafted DNS response to an FQDN lookup. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0446 to this issue. Users of squid should upgrade to this updated package, which contains a backported patch, and is not vulnerable to this issue. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-0446 CAN-2005-0446 Squid DoS from bad DNS response cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The kdenetwork packages contain a collection of networking applications for the K Desktop Environment. A bug was found in the way kppp handles privileged file descriptors. A malicious local user could make use of this flaw to modify the /etc/hosts or /etc/resolv.conf files, which could be used to spoof domain information. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0205 to this issue. Please note that the default installation of kppp on Red Hat Enterprise Linux uses consolehelper and is not vulnerable to this issue. However, the kppp FAQ provides instructions for removing consolehelper and running kppp suid root, which is a vulnerable configuration. Users of kdenetwork should upgrade to these updated packages, which contain a backported patch, and are not vulnerable to this issue. Low Copyright 2005 Red Hat, Inc. CVE-2005-0205 CAN-2005-0205 kppp local domain name hijacking cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Mozilla Firefox is an open source Web browser. A bug was found in the Firefox string handling functions. If a malicious website is able to exhaust a system's memory, it becomes possible to execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0255 to this issue. A bug was found in the way Firefox handles pop-up windows. It is possible for a malicious website to control the content in an unrelated site's pop-up window. (CAN-2004-1156) A bug was found in the way Firefox allows plug-ins to load privileged content into a frame. It is possible that a malicious webpage could trick a user into clicking in certain places to modify configuration settings or execute arbitrary code. (CAN-2005-0232 and CAN-2005-0527). A flaw was found in the way Firefox displays international domain names. It is possible for an attacker to display a valid URL, tricking the user into thinking they are viewing a legitimate webpage when they are not. (CAN-2005-0233) A bug was found in the way Firefox handles plug-in temporary files. A malicious local user could create a symlink to a victims directory, causing it to be deleted when the victim exits Firefox. (CAN-2005-0578) A bug has been found in one of Firefox's UTF-8 converters. It may be possible for an attacker to supply a specially crafted UTF-8 string to the buggy converter, leading to arbitrary code execution. (CAN-2005-0592) A bug was found in the Firefox javascript security manager. If a user drags a malicious link to a tab, the javascript security manager is bypassed which could result in remote code execution or information disclosure. (CAN-2005-0231) A bug was found in the way Firefox displays the HTTP authentication prompt. When a user is prompted for authentication, the dialog window is displayed over the active tab, regardless of the tab that caused the pop-up to appear and could trick a user into entering their username and password for a trusted site. (CAN-2005-0584) A bug was found in the way Firefox displays the save file dialog. It is possible for a malicious webserver to spoof the Content-Disposition header, tricking the user into thinking they are downloading a different filetype. (CAN-2005-0586) A bug was found in the way Firefox handles users "down-arrow" through auto completed choices. When an autocomplete choice is selected, the information is copied into the input control, possibly allowing a malicious web site to steal information by tricking a user into arrowing through autocompletion choices. (CAN-2005-0589) Several bugs were found in the way Firefox displays the secure site icon. It is possible that a malicious website could display the secure site icon along with incorrect certificate information. (CAN-2005-0593) A bug was found in the way Firefox displays the download dialog window. A malicious site can obfuscate the content displayed in the source field, tricking a user into thinking they are downloading content from a trusted source. (CAN-2005-0585) A bug was found in the way Firefox handles xsl:include and xsl:import directives. It is possible for a malicious website to import XSLT stylesheets from a domain behind a firewall, leaking information to an attacker. (CAN-2005-0588) A bug was found in the way Firefox displays the installation confirmation dialog. An attacker could add a long user:pass before the true hostname, tricking a user into thinking they were installing content from a trusted source. (CAN-2005-0590) A bug was found in the way Firefox displays download and security dialogs. An attacker could cover up part of a dialog window tricking the user into clicking "Allow" or "Open", which could potentially lead to arbitrary code execution. (CAN-2005-0591) Users of Firefox are advised to upgrade to this updated package which contains Firefox version 1.0.1 and is not vulnerable to these issues. Critical Copyright 2005 Red Hat, Inc. CVE-2004-1156 CVE-2005-0231 CVE-2005-0232 CVE-2005-0233 CVE-2005-0255 CVE-2005-0527 CVE-2005-0578 CVE-2005-0584 CVE-2005-0585 CVE-2005-0586 CVE-2005-0588 CVE-2005-0589 CVE-2005-0590 CVE-2005-0591 CVE-2005-0592 CVE-2005-0593 CAN-2004-1156 Frame injection vulnerability. CAN-2005-0585 download dialog URL spoofing CAN-2005-0233 homograph spoofing CAN-2005-0232 fireflashing vulnerability (CAN-2005-0527) CAN-2005-0231 firefox javascript tab security bypass CAN-2005-0255 Memory overwrite in string library CAN-2005-0578 Unsafe /tmp/plugtmp directory exploitable to erase user's files CAN-2005-0584 HTTP auth prompt tab spoofing CAN-2005-0586 Download dialog spoofing using Content-Disposition header CAN-2005-0588 XSLT can include stylesheets from arbitrary hosts CAN-2005-0589 Autocomplete data leak CAN-2005-0590 Install source spoofing with user:pass@host CAN-2005-0591 Spoofing download and security dialogs with overlapping windows CAN-2005-0592 Heap overflow possible in UTF8 to Unicode conversion CAN-2005-0593 SSL "secure site" indicator spoofing cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 X.Org X11 is the X Window System which provides the core functionality of the Linux GUI desktop. An integer overflow flaw was found in libXpm, which is used by some applications for loading of XPM images. An attacker could create a carefully crafted XPM file in such a way that it could cause an application linked with libXpm to execute arbitrary code when the file was opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0605 to this issue. Since the initial release of Red Hat Enterprise Linux 4, a number of issues have been addressed in the X.Org X11 X Window System. This erratum also updates X11R6.8 to the latest stable point release (6.8.2), which includes various stability and reliability fixes including (but not limited to) the following: - The 'radeon' driver has been modified to disable "RENDER" acceleration by default, due to a bug in the implementation which has not yet been isolated. This can be manually re-enabled by using the following option in the device section of the X server config file: Option "RenderAccel" - The 'vmware' video driver is now available on 64-bit AMD64 and compatible systems. - The Intel 'i810' video driver is now available on 64-bit EM64T systems. - Stability fixes in the X Server's PCI handling layer for 64-bit systems, which resolve some issues reported by "vesa" and "nv" driver users. - Support for Hewlett Packard's Itanium ZX2 chipset. - Nvidia "nv" video driver update provides support for some of the newer Nvidia chipsets, as well as many stability and reliability fixes. - Intel i810 video driver stability update, which fixes the widely reported i810/i815 screen refresh issues many have experienced. - Packaging fixes for multilib systems, which permit both 32-bit and 64-bit X11 development environments to be simultaneously installed without file conflicts. In addition to the above highlights, the X.Org X11 6.8.2 release has a large number of additional stability fixes which resolve various other issues reported since the initial release of Red Hat Enterprise Linux 4. All users of X11 should upgrade to these updated packages, which resolve these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-0605 font corruption on openoffice.org menus X is unusable on GeForce 6600GT with nForce4 CAN-2005-0605 XPM buffer overflow xorg-x11-6.8.1-23 missing half of Lucida fonts cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Squid is a full-featured Web proxy cache. A bug was found in the way Squid handles fully qualified domain name (FQDN) lookups. A malicious DNS server could crash Squid by sending a carefully crafted DNS response to an FQDN lookup. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0446 to this issue. This erratum also includes two minor patches to the LDAP helpers. One corrects a slight malformation in ldap search requests (although all known LDAP servers accept the requests). The other adds documentation for the -v option to the ldap helpers. Users of Squid should upgrade to this updated package, which contains a backported patch, and is not vulnerable to this issue. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-0446 CAN-2005-0446 Squid DoS from bad DNS response cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The xpdf package is an X Window System-based viewer for Portable Document Format (PDF) files. During a source code audit, Chris Evans and others discovered a number of integer overflow bugs that affected all versions of Xpdf. An attacker could construct a carefully crafted PDF file that could cause Xpdf to crash or possibly execute arbitrary code when opened. This issue was assigned the name CAN-2004-0888 by The Common Vulnerabilities and Exposures project (cve.mitre.org). RHSA-2004:592 contained a fix for this issue, but it was found to be incomplete and left 64-bit architectures vulnerable. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0206 to this issue. All users of xpdf should upgrade to this updated package, which contains backported patches to resolve these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-0206 CAN-2004-0888 xpdf integer overflows (CAN-2005-0206) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 The Gaim application is a multi-protocol instant messaging client. Two HTML parsing bugs were discovered in Gaim. It is possible that a remote attacker could send a specially crafted message to a Gaim client, causing it to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2005-0208 and CAN-2005-0473 to these issues. A bug in the way Gaim processes SNAC packets was discovered. It is possible that a remote attacker could send a specially crafted SNAC packet to a Gaim client, causing the client to stop responding. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0472 to this issue. Additionally, various client crashes, memory leaks, and protocol issues have been resolved. Users of Gaim are advised to upgrade to this updated package which contains Gaim version 1.1.4 and is not vulnerable to these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-0208 CVE-2005-0472 CVE-2005-0473 CAN-2005-0472 Gaim DoS issues (CAN-2005-0473) CAN-2005-0208 Gaim HTML parsing DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 The ipsec-tools package is used in conjunction with the IPsec functionality in the linux kernel. The ipsec-tools package includes: - setkey, a program to directly manipulate policies and SAs - racoon, an IKEv1 keying daemon A bug was found in the way the racoon daemon handled incoming ISAKMP requests. It is possible that an attacker could crash the racoon daemon by sending a specially crafted ISAKMP packet. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0398 to this issue. Additionally, the following issues have been fixed: - racoon mishandled restarts in the presence of stale administration sockets. - on Red Hat Enterprise Linux 4, racoon and setkey did not properly set up forward policies, which prevented tunnels from working. Users of ipsec-tools should upgrade to this updated package, which contains backported patches, and is not vulnerable to these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-0398 CAN-2005-0398 racoon DoS CAN-2005-0398 racoon DoS racoon unable to start with stale socket /tmp/.racoon ipsec/racoon/setkey does not properly forward packets to vpn peer cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Mailman manages electronic mail discussion and e-newsletter lists. A cross-site scripting (XSS) flaw in the driver script of mailman prior to version 2.1.5 could allow remote attackers to execute scripts as other web users. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1177 to this issue. Users of mailman should update to this erratum package, which corrects this issue by turning on STEALTH_MODE by default and using Utils.websafe() to quote the html. Important Copyright 2005 Red Hat, Inc. CVE-2004-1177 Mailman doesn't work with courier init script doesn't use /var/lock/subsys mailman logrotate has wrong location for mailmanctl CAN-2004-1177 - mailman cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Evolution is the GNOME collection of personal information management (PIM) tools. Evolution includes a mailer, calendar, contact manager, and communication facility. The tools which make up Evolution are tightly integrated with one another and act as a seamless personal information management tool. A bug was found in Evolution's helper program camel-lock-helper. This bug could allow a local attacker to gain root privileges if camel-lock-helper has been built to execute with elevated privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0102 to this issue. On Red Hat Enterprise Linux, camel-lock-helper is not built to execute with elevated privileges by default. Please note however that if users have rebuilt Evolution from the source RPM, as the root user, camel-lock-helper may be given elevated privileges. Additionally, these updated packages address the following issues: -- If evolution ran during a GNOME session, the evolution-wombat process did not exit when the user logged out of the desktop. -- For folders marked for Offline Synchronization: if a user moved a message from a Local Folder to an IMAP folder while in Offline mode, the message was not present in either folder after returning to Online mode. This update fixes this problem. Email messages that have been lost this way may still be present in the following path: ~/evolution/&lt;NAME_OF_MAIL_STORE&gt;/ \ &lt;path-to-folder-via-subfolder-directories&gt;/ \ &lt;temporary-uid-of-message&gt; If this bug has affected you it may be possible to recover data by examining the contents of this directory. All users of evolution should upgrade to these updated packages, which resolve these issues. Low Copyright 2005 Red Hat, Inc. CVE-2005-0102 Moving to IMAP folder while offline eats mail CAN-2005-0102 Integer overflow in camel-lock-helper .ics import crashes Evolution Creating a meeting crashes evolution Cannot create all day event in calendar cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The GNU libc packages (known as glibc) contain the standard C libraries used by applications. It was discovered that the use of LD_DEBUG, LD_SHOW_AUXV, and LD_DYNAMIC_WEAK were not restricted for a setuid program. A local user could utilize this flaw to gain information, such as the list of symbols used by the program. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1453 to this issue. This erratum addresses the following bugs in the GNU C Library: - fix stack alignment in IA-32 clone - fix double free in globfree - fix fnmatch to avoid jumping based on unitialized memory read - fix fseekpos after ungetc - fix TZ env var handling if the variable ends with + or - - avoid depending on values read from unitialized memory in strtold on certain architectures - fix mapping alignment computation in dl-load - fix i486+ strncat inline assembly - make gethostid/sethostid work on bi-arch platforms - fix ppc64 getcontext/swapcontext - fix pthread_exit if called after pthread_create, but before the created thread actually started - fix return values for tgamma (+-0) - fix handling of very long lines in /etc/hosts - avoid page aliasing of thread stacks on AMD64 - avoid busy loop in malloc if concurrent with fork - allow putenv and setenv in shared library constructors - fix restoring of CCR in swapcontext and getcontext on ppc64 - avoid using sigaction (SIGPIPE, ...) in syslog implementation All users of glibc should upgrade to these updated packages, which resolve these issues. Low Copyright 2005 Red Hat, Inc. CVE-2004-1453 telnet: 0: Name or service not known re_compile_pattern segfault [RHEL3] glibc behavior with long lines in /etc/hosts [RHEL3] libc's getXXent and getXXbyYY are inefficient for large groups x86_64 ecvt() returns "inf" for valid denormalized doubles zdump -v GMT segfaults in x86_64 CAN-2004-1453 Information leak with LD_DEBUG pthread_getspecific gets non-NULL value for new key nscd fails with big group in ldap malloc: top chunk is corrupt w/ MALLOC_CHECK_=3 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 Evolution is the GNOME collection of personal information management (PIM) tools. A format string bug was found in Evolution. If a user tries to save a carefully crafted meeting or appointment, arbitrary code may be executed as the user running Evolution. The Common Vulnerabilities and Exposures project has assigned the name CAN-2005-2550 to this issue. Additionally, several other format string bugs were found in Evolution. If a user views a malicious vCard, connects to a malicious LDAP server, or displays a task list from a malicious remote server, arbitrary code may be executed as the user running Evolution. The Common Vulnerabilities and Exposures project has assigned the name CAN-2005-2549 to this issue. Please note that this issue only affects Red Hat Enterprise Linux 4. All users of Evolution should upgrade to these updated packages, which contain a backported patch which resolves this issue. Important Copyright 2005 Red Hat, Inc. CVE-2005-2549 CVE-2005-2550 CAN-2005-2549 Sitic Vulnerability Advisory: SA05-001 Evolution multiple remote format string bugs (RHEL4) (CAN-2005-2550) CAN-2005-2550 Sitic Vulnerability Advisory: SA05-001 Evolution multiple remote format string bugs (RHEL3) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 HelixPlayer is a media player. A stack based buffer overflow bug was found in HelixPlayer's Synchronized Multimedia Integration Language (SMIL) file processor. An attacker could create a specially crafted SMIL file which would execute arbitrary code when opened by a user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0455 to this issue. A buffer overflow bug was found in the way HelixPlayer decodes WAV files. An attacker could create a specially crafted WAV file which could execute arbitrary code when opened by a user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0611 to this issue. All users of HelixPlayer are advised to upgrade to this updated package, which contains HelixPlayer 1.0.3 which is not vulnerable to these issues. Critical Copyright 2005 Red Hat, Inc. CVE-2005-0455 CVE-2005-0611 CAN-2005-0455 buffer overflow in helixplayer CAN-2005-0611 .wav overflow in helixplayer cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Mozilla is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. A bug was found in the Mozilla string handling functions. If a malicious website is able to exhaust a system's memory, it becomes possible to execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0255 to this issue. Please note that other security issues have been found that affect Mozilla. These other issues have a lower severity, and are therefore planned to be released as additional security updates in the future. Users of Mozilla should upgrade to these updated packages, which contain a backported patch and are not vulnerable to these issues. Critical Copyright 2005 Red Hat, Inc. CVE-2005-0255 CAN-2005-0255 Memory overwrite in string library cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The following security issues were fixed: The Vicam USB driver did not use the copy_from_user function to access userspace, crossing security boundaries. (CAN-2004-0075) The ext3 and jfs code did not properly initialize journal descriptor blocks. A privileged local user could read portions of kernel memory. (CAN-2004-0177) The terminal layer did not properly lock line discipline changes or pending IO. An unprivileged local user could read portions of kernel memory, or cause a denial of service (system crash). (CAN-2004-0814) A race condition was discovered. Local users could use this flaw to read the environment variables of another process that is still spawning via /proc/.../cmdline. (CAN-2004-1058) A flaw in the execve() syscall handling was discovered, allowing a local user to read setuid ELF binaries that should otherwise be protected by standard permissions. (CAN-2004-1073). Red Hat originally reported this as being fixed by RHSA-2004:549, but the associated fix was missing from that update. Keith Owens reported a flaw in the Itanium unw_unwind_to_user() function. A local user could use this flaw to cause a denial of service (system crash) on the Itanium architecture. (CAN-2005-0135) A missing Itanium syscall table entry could allow an unprivileged local user to cause a denial of service (system crash) on the Itanium architecture. (CAN-2005-0137) A flaw affecting the OUTS instruction on the AMD64 and Intel EM64T architectures was discovered. A local user could use this flaw to access privileged IO ports. (CAN-2005-0204) A flaw was discovered in the Linux PPP driver. On systems allowing remote users to connect to a server using ppp, a remote client could cause a denial of service (system crash). (CAN-2005-0384) A flaw in the Red Hat backport of NPTL to Red Hat Enterprise Linux 3 was discovered that left a pointer to a freed tty structure. A local user could potentially use this flaw to cause a denial of service (system crash) or possibly gain read or write access to ttys that should normally be prevented. (CAN-2005-0403) A flaw in fragment queuing was discovered affecting the netfilter subsystem. On systems configured to filter or process network packets (for example those configured to do firewalling), a remote attacker could send a carefully crafted set of fragmented packets to a machine and cause a denial of service (system crash). In order to sucessfully exploit this flaw, the attacker would need to know (or guess) some aspects of the firewall ruleset in place on the target system to be able to craft the right fragmented packets. (CAN-2005-0449) Missing validation of an epoll_wait() system call parameter could allow a local user to cause a denial of service (system crash) on the IBM S/390 and zSeries architectures. (CAN-2005-0736) A flaw when freeing a pointer in load_elf_library was discovered. A local user could potentially use this flaw to cause a denial of service (system crash). (CAN-2005-0749) A flaw was discovered in the bluetooth driver system. On system where the bluetooth modules are loaded, a local user could use this flaw to gain elevated (root) privileges. (CAN-2005-0750) In addition to the security issues listed above, there was an important fix made to the handling of the msync() system call for a particular case in which the call could return without queuing modified mmap()'ed data for file system update. (BZ 147969) Note: The kernel-unsupported package contains various drivers and modules that are unsupported and therefore might contain security problems that have not been addressed. Red Hat Enterprise Linux 3 users are advised to upgrade their kernels to the packages associated with their machine architectures/configurations Please note that the fix for CAN-2005-0449 required changing the external symbol linkages (kernel module ABI) for the ip_defrag() and ip_ct_gather_frags() functions. Any third-party module using either of these would also need to be fixed. Important Copyright 2005 Red Hat, Inc. CVE-2004-0075 CVE-2004-0177 CVE-2004-0814 CVE-2004-1058 CVE-2004-1073 CVE-2005-0135 CVE-2005-0137 CVE-2005-0204 CVE-2005-0384 CVE-2005-0403 CVE-2005-0449 CVE-2005-0736 CVE-2005-0749 CVE-2005-0750 CAN-2004-0177 ext3 infoleak CAN-2004-0075 Vicam USB user/kernel copying oops in drivers/char/tty_io.c:init_dev() CAN-2004-0814 potential race condition in RHEL 2.1/3 tty layer CAN-2004-0814 input/serio local DOS CAN-2004-1058 /proc/<PID>/cmdline information disclosure CAN-2005-0403 panic in tty init_dev random poolsize sysctl handler integer overflow msync(..., ..., MS_SYNC) returning before data written to disk CAN-2005-0204 OUTS instruction does not cause SIGSEGV for all ports CAN-2005-0135 ia64 local DoS Kernel panic: Code: Bad EIP value kernel locks up tty/psuedo-tty access CAN-2005-0384 pppd remote DoS CAN-2005-0449 Possible remote Oops/firewall bypass - kABI breaker CAN-2005-0750 bluetooth security flaw CAN-2005-0749 load_elf_library possible DoS CAN-2004-1073 looks unfixed in RHEL3 CAN-2005-0137 ia64 syscall_table DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Linux kernel handles the basic functions of the operating system. This is the fifth regular kernel update to Red Hat Enterprise Linux 3. New features introduced by this update include: - support for 2-TB partitions on block devices - support for new disk, network, and USB devices - support for clustered APIC mode on AMD64 NUMA systems - netdump support on AMD64, Intel EM64T, Itanium, and ppc64 systems - diskdump support on sym53c8xx and SATA piix/promise adapters - NMI switch support on AMD64 and Intel EM64T systems There were many bug fixes in various parts of the kernel. The ongoing effort to resolve these problems has resulted in a marked improvement in the reliability and scalability of Red Hat Enterprise Linux 3. Some key areas affected by these fixes include the kernel's networking, SATA, TTY, and USB subsystems, as well as the architecture-dependent handling under the ia64, ppc64, and x86_64 directories. Scalability improvements were made primarily in the memory management and file system areas. A flaw in offset handling in the xattr file system code backported to Red Hat Enterprise Linux 3 was fixed. On 64-bit systems, a user who can access an ext3 extended-attribute-enabled file system could cause a denial of service (system crash). This issue is rated as having a moderate security impact (CAN-2005-0757). The following device drivers have been upgraded to new versions: 3c59x ------ LK1.1.18 3w-9xxx ---- 2.24.00.011fw (new in Update 5) 3w-xxxx ---- 1.02.00.037 8139too ---- (upstream 2.4.29) b44 -------- 0.95 cciss ------ v2.4.54.RH1 e100 ------- 3.3.6-k2 e1000 ------ 5.6.10.1-k2 lpfcdfc ---- 1.0.13 (new in Update 5) tg3 -------- 3.22RH Note: The kernel-unsupported package contains various drivers and modules that are unsupported and therefore might contain security problems that have not been addressed. All Red Hat Enterprise Linux 3 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-0757 BLKPG_ADD_PARTITION op of BLKPG ioctl doesn't let you add partitions >= 1TB Getting OOM errors on an unconstrained system CAN-2004-0177 ext3 infoleak Raw device I/O transfer size limited to 32KB. API Breakage: NFS "No locks available" with kernel 2.4.21-15.ELsmp Unexpected error: VFS: Busy inodes after unmount. Self-destruct in 5 seconds. CAN-2004-0075 Vicam USB user/kernel copying Panic is occurring in the I/O completion interrupt handling for the character interface driver (sg). Add the 3w-9xxx module (required for the 9000 series 3ware cards) ICH6 SATA support Strange output of /proc/mtrr Request to include EMC Celerra and iSCSI devices to the black list oops in drivers/char/tty_io.c:init_dev() CAN-2004-0814 potential race condition in RHEL 2.1/3 tty layer O_DIRECT doesn't work on LVM devices NFS intr flag prevents core dumps LTC-8859: softdog.o need to be included into RHEL distributions x86 compatibility mode apps using signals crash under EM64T POSIX Asynchronous IO support is unstable Kernel Panic: Unable to satisfy kernel paging request... when starting ServerVantage. [RHEL3][IA32E][X86_64]Wrong FPU IP and DP in the SIGFPE signal context CAN-2004-0814 input/serio local DOS CAN-2004-1058 /proc/<PID>/cmdline information disclosure 3c59x: eth0: Transmit error, Tx status register d0. (10Mb hub) kernel crash, fatal exception, accessing /proc, EXT3-fs error Ia32e + Intel SATA 82801EB + kernel 2.4.21-20EL; unable to mount root partition. Panics while backing up LVM snapshots RHEL3U3 panics on boot for HP rx5670 NFS ESTALES returned on open [IT50092] When copying rootfs to /mnt/sdc/, rsync accessed /proc/kcore and kernel crashed NFS direct reads don't flush dirty cached pages RHEL3U2/U3 x86-64 - /proc/mtrr reported incorrectly ps shows bad PPID worktodo does not support NFS aio tg3 fiber auto-negotiation Kernel hang when cat'ting file on intr NFS mount MCA in tulip on ifconfig down/reboot [RHEL3-U5][Diskdump] Stalls before printing "CPU frozen" usb: raced timeout errors when using usb/serial adapter Unkillable processes under 64bit Linux which use Kernel Asynchronous I/O [RHEL3-U4][Diskdump] Diskdump failed with serial console enabled [RHEL3-U4][Diskdump] Segmentation Fault after cliloop [RHEL3-U5][Diskdump] All CPUs are displayed in CPU frozen em64t/ia32e kernel panic: 'interrupt handler - not syncing' during heavy network I/O lx-choptp19 crashed running 2.4.21-20.EL.BZ131027.hotfixhugemem stack overflows can occur on x86_64 under stack pressure when softirq's are handled Kernel wrongly complains about application bug when loading modules [RHEL3][PATCH] SIOCGHWADDR does not clear buffer for ppp connections RHEL3 PATCH dev.c: clear SIOCGIFHWADDR buffer if !dev->addr_len e100 and e1000 drivers should return EINVAL when ethtool tries to set rx-mini or rx-jumbo nptl futex_wait fix [PATCH] memory leak in ipv6 ip6_{push,flush}_pending_frames() FAT32 file system zero length files corruption after remount ATAPI-CDROM not accessible with kernel options ide-scsi and swiotlb Infinite loop when syncing over automounted NFS bonding with mii monitoring does not work with realtek card [PATCH] video1394 fixes sata_sx4 4GB problem Unable to handle kernel NULL pointer dereference at virtual address 00000004 NIC BCM4401 on Dell Inspiron 5100 broken kernel can not register scsi LUNs above 7 for mylexFFx2 FC RAID controller CAN-2005-0403 panic in tty init_dev U4 kernel sound broken on certain AC 97 systems Fibre Channel tape speed regression (qla2200) random poolsize sysctl handler integer overflow Anaconda installer partion error large RAID volume kernel panic in get_signal_to_deliver panic_on_oops hook removed on ia64 by diskdump patch tar crashes DELL server every 4th day. mmap() system call can return Nil recv returns EAGAIN instead of EINTR when interrupted ext2/ext3 w/ 1024 blocksize eats all memory rsync creating truncated files on fat32 filesystem Race condition in md subsystem causes panic laus incorrectly truncates path string when predicate filter is used msync(..., ..., MS_SYNC) returning before data written to disk CAN-2005-0204 OUTS instruction does not cause SIGSEGV for all ports CAN-2005-0135 ia64 local DoS Kernel panic: Code: Bad EIP value kernel locks up tty/psuedo-tty access CAN-2005-0384 pppd remote DoS CAN-2005-0449 Possible remote Oops/firewall bypass - kABI breaker Running lshw causes MCA on Olympia rx8620 CAN-2005-0750 bluetooth security flaw CAN-2005-0749 load_elf_library possible DoS CAN-2004-1073 looks unfixed in RHEL3 sata_sil missing PCI IDs for ATI SATA controller Repeated Kernel Panics while using LVM Snapshot CAN-2005-0137 ia64 syscall_table DoS SIGCHLD set to SIG_IGN but calls wait(). aggressively clean bhs sata_promise in 2.4.21-27.0.4.EL doesn't support Promise sataII 150 tx4 yet cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The libexif package contains the EXIF library. Applications use this library to parse EXIF image files. A bug was found in the way libexif parses EXIF tags. An attacker could create a carefully crafted EXIF image file which could cause image viewers linked against libexif to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0664 to this issue. Users of libexif should upgrade to these updated packages, which contain a backported patch and are not vulnerable to this issue. Low Copyright 2005 Red Hat, Inc. CVE-2005-0664 CAN-2005-0664 buffer overflow in libexif cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 The ethereal package is a program for monitoring network traffic. A number of security flaws have been discovered in Ethereal. On a system where Ethereal is running, a remote attacker could send malicious packets to trigger these flaws and cause Ethereal to crash or potentially execute arbitrary code. A buffer overflow flaw was discovered in the Etheric dissector. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0704 to this issue. The GPRS-LLC dissector could crash if the "ignore cipher bit" option was set. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0705 to this issue. A buffer overflow flaw was discovered in the 3GPP2 A11 dissector. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0699 to this issue. A buffer overflow flaw was discovered in the IAPP dissector. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0739 to this issue. Users of ethereal should upgrade to these updated packages, which contain version 0.10.10 and are not vulnerable to these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-0699 CVE-2005-0704 CVE-2005-0705 CVE-2005-0739 CVE-2005-0765 CVE-2005-0766 CAN-2005-0699 Multiple ethereal issues (CAN-2005-0704 CAN-2005-0705) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The kdelibs package provides libraries for the K Desktop Environment. Sebastian Krahmer discovered a flaw in dcopserver, the KDE Desktop Communication Protocol (DCOP) daemon. A local user could use this flaw to stall the DCOP authentication process, affecting any local desktop users and causing a reduction in their desktop functionality. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0396 to this issue. Users of KDE should upgrade to these erratum packages, which contain backported patches to correct these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-0396 CAN-2005-0396 kdelibs DCOP DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 ImageMagick(TM) is an image display and manipulation tool for the X Window System which can read and write multiple image formats. A format string bug was found in the way ImageMagick handles filenames. An attacker could execute arbitrary code on a victim's machine if they were able to trick the victim into opening a file with a specially crafted name. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0397 to this issue. Additionally, a bug was fixed which caused ImageMagick(TM) to occasionally segfault when writing TIFF images to standard output. Users of ImageMagick should upgrade to these updated packages, which contain a backported patch, and are not vulnerable to these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-0397 Segmentation fault on conversion to TIFF (possible libtiff bug) CAN-2005-0397 ImageMagick format string flaw cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Mozilla is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. A buffer overflow bug was found in the way Mozilla processes GIF images. It is possible for an attacker to create a specially crafted GIF image, which when viewed by a victim will execute arbitrary code as the victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0399 to this issue. A bug was found in the way Mozilla displays dialog windows. It is possible that a malicious web page which is being displayed in a background tab could present the user with a dialog window appearing to come from the active page. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1380 to this issue. A bug was found in the way Mozilla allowed plug-ins to load privileged content into a frame. It is possible that a malicious webpage could trick a user into clicking in certain places to modify configuration settings or execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0232 to this issue. A bug was found in the way Mozilla Mail handles cookies when loading content over HTTP regardless of the user's preference. It is possible that a particular user could be tracked through the use of malicious mail messages which load content over HTTP. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0149 to this issue. A bug was found in the way Mozilla responds to proxy auth requests. It is possible for a malicious webserver to steal credentials from a victims browser by issuing a 407 proxy authentication request. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0147 to this issue. A bug was found in the way Mozilla handles certain start tags followed by a NULL character. A malicious web page could cause Mozilla to crash when viewed by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1613 to this issue. A bug was found in the way Mozilla sets file permissions when installing XPI packages. It is possible for an XPI package to install some files world readable or writable, allowing a malicious local user to steal information or execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0906 to this issue. A bug was found in the way Mozilla loads links in a new tab which are middle clicked. A malicious web page could read local files or modify privileged chrom settings. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0141 to this issue. A bug was found in the way Mozilla displays the secure site icon. A malicious web page can use a view-source URL targetted at a secure page, while loading an insecure page, yet the secure site icon shows the previous secure state. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0144 to this issue. Users of Mozilla are advised to upgrade to this updated package which contains Mozilla version 1.4.4 and additional backported patches to correct these issues. Critical Copyright 2005 Red Hat, Inc. CVE-2004-0906 CVE-2004-1380 CVE-2004-1613 CVE-2005-0141 CVE-2005-0144 CVE-2005-0147 CVE-2005-0149 CVE-2005-0232 CVE-2005-0399 CAN-2005-0141 Link opened in new tab can load a local file CAN-2005-0144 Secure site lock can be spoofed with view-source: CAN-2004-1380 Input stealing from other tabs (CAN-2004-1381) CAN-2005-0147 Browser responds to proxy auth request from non-proxy server (ssl/https) CAN-2005-0149 Mail responds to cookie requests CAN-2005-0399 mozilla GIF buffer overflow CAN-2004-1613 Mozilla start tag NULL character DoS CAN-2004-0906 Mozilla XPI installer insecure file creation CAN-2005-0232 fireflashing vulnerability (CAN-2005-0527) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The kdelibs package provides libraries for the K Desktop Environment. The International Domain Name (IDN) support in the Konqueror browser allowed remote attackers to spoof domain names using punycode encoded domain names. Such domain names are decoded in URLs and SSL certificates in a way that uses homograph characters from other character sets, which facilitates phishing attacks. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0237 to this issue. Sebastian Krahmer discovered a flaw in dcopserver, the KDE Desktop Communication Protocol (DCOP) daemon. A local user could use this flaw to stall the DCOP authentication process, affecting any local desktop users and causing a reduction in their desktop functionality. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0396 to this issue. A flaw in the dcopidlng script was discovered. The dcopidlng script would create temporary files with predictable filenames which could allow local users to overwrite arbitrary files via a symlink attack. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0365 to this issue. Users of KDE should upgrade to these erratum packages which contain backported patches to correct these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-0237 CVE-2005-0365 CVE-2005-0396 CAN-2005-0237 homograph spoofing CAN-2005-0365 dcopidlng insecure temporary file usage CAN-2005-0396 kdelibs DCOP DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The telnet package provides a command line telnet client. The telnet-server package includes a telnet daemon, telnetd, that supports remote login to the host machine. Two buffer overflow flaws were discovered in the way the telnet client handles messages from a server. An attacker may be able to execute arbitrary code on a victim's machine if the victim can be tricked into connecting to a malicious telnet server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2005-0468 and CAN-2005-0469 to these issues. Additionally, the following bugs have been fixed in these erratum packages for Red Hat Enterprise Linux 2.1 and Red Hat Enterprise Linux 3: - telnetd could loop on an error in the child side process - There was a race condition in telnetd on a wtmp lock on some occasions - The command line in the process table was sometimes too long and caused bad output from the ps command - The 8-bit binary option was not working Users of telnet should upgrade to this updated package, which contains backported patches to correct these issues. Red Hat would like to thank iDEFENSE for their responsible disclosure of this issue. Important Copyright 2005 Red Hat, Inc. CVE-2005-0468 CVE-2005-0469 Too long /proc/X/cmdline: bad ps output when piped to less/more telnetd cleanup() race condition with syslog in signal handler [PATCH] telnetd loops on child IO error [RHEL3] telnetd cleanup() race condition with syslog in signal handler CAN-2005-0469 slc_add_reply() Buffer Overflow Vulnerability CAN-2005-0468 env_opt_add() Buffer Overflow Vulnerability cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Kerberos is a networked authentication system which uses a trusted third party (a KDC) to authenticate clients and servers to each other. The krb5-workstation package includes a Kerberos-aware telnet client. Two buffer overflow flaws were discovered in the way the telnet client handles messages from a server. An attacker may be able to execute arbitrary code on a victim's machine if the victim can be tricked into connecting to a malicious telnet server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2005-0468 and CAN-2005-0469 to these issues. Users of krb5 should update to these erratum packages which contain a backported patch to correct this issue. Red Hat would like to thank iDEFENSE for their responsible disclosure of this issue. Important Copyright 2005 Red Hat, Inc. CVE-2005-0468 CVE-2005-0469 CAN-2005-0469 Multiple Telnet Client issues (CAN-2005-0468) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 XFree86 is an open source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces (GUIs) such as GNOME and KDE are designed upon. An integer overflow flaw was found in libXpm, which is used by some applications for loading of XPM images. An attacker could create a malicious XPM file that would execute arbitrary code if opened by a victim using an application linked to the vulnerable library. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0605 to this issue. The updated XFree86 packages also address the following minor issues: - Updated XFree86-4.3.0-keyboard-disable-ioport-access-v3.patch to make warning messages less alarmist. - Backported XFree86-4.3.0-libX11-stack-overflow.patch from xorg-x11-6.8.1 packaging to fix stack overflow in libX11, which was discovered by new security features of gcc4. Users of XFree86 should upgrade to these updated packages, which contain a backported patch and are not vulnerable to this issue. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-0605 libX11 overflows it's own stack CAN-2005-0605 XPM buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The xloadimage utility displays images in an X Window System window, loads images into the root window, or writes images into a file. Xloadimage supports many image types (including GIF, TIFF, JPEG, XPM, and XBM). A flaw was discovered in xloadimage where filenames were not properly quoted when calling the gunzip command. An attacker could create a file with a carefully crafted filename so that it would execute arbitrary commands if opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0638 to this issue. Another bug in xloadimage would cause it to crash if called with certain invalid TIFF, PNM, PBM, or PPM file names. All users of xloadimage should upgrade to this erratum package which contains backported patches to correct these issues. Low Copyright 2005 Red Hat, Inc. CVE-2005-0638 xloadimage crashes with some TIFF images bad source code CAN-2005-0638 xloadimage multiple issues. cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 MySQL is a multi-user, multi-threaded SQL database server. This update fixes several security risks in the MySQL server. Stefano Di Paola discovered two bugs in the way MySQL handles user-defined functions. A user with the ability to create and execute a user defined function could potentially execute arbitrary code on the MySQL server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2005-0709 and CAN-2005-0710 to these issues. Stefano Di Paola also discovered a bug in the way MySQL creates temporary tables. A local user could create a specially crafted symlink which could result in the MySQL server overwriting a file which it has write access to. The Common Vulnerabilities and Exposures project has assigned the name CAN-2005-0711 to this issue. All users of the MySQL server are advised to upgrade to these updated packages, which contain fixes for these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-0709 CVE-2005-0710 CVE-2005-0711 CAN-2005-0711 Insecure temporary file creation with CREATE TEMPORARY TABLE CAN-2005-0710 MySQL security attacks via user-defined functions in C (CAN-2005-0709) CAN-2005-0710 MySQL security attacks via user-defined functions in C (CAN-2005-0709) CAN-2005-0711 Insecure temporary file creation with CREATE TEMPORARY TABLE cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Mozilla is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. A buffer overflow bug was found in the way Mozilla processes GIF images. It is possible for an attacker to create a specially crafted GIF image, which when viewed by a victim will execute arbitrary code as the victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0399 to this issue. A bug was found in the way Mozilla responds to proxy auth requests. It is possible for a malicious webserver to steal credentials from a victims browser by issuing a 407 proxy authentication request. (CAN-2005-0147) A bug was found in the way Mozilla displays dialog windows. It is possible that a malicious web page which is being displayed in a background tab could present the user with a dialog window appearing to come from the active page. (CAN-2004-1380) A bug was found in the way Mozilla Mail handles cookies when loading content over HTTP regardless of the user's preference. It is possible that a particular user could be tracked through the use of malicious mail messages which load content over HTTP. (CAN-2005-0149) A flaw was found in the way Mozilla displays international domain names. It is possible for an attacker to display a valid URL, tricking the user into thinking they are viewing a legitimate webpage when they are not. (CAN-2005-0233) A bug was found in the way Mozilla handles pop-up windows. It is possible for a malicious website to control the content in an unrelated site's pop-up window. (CAN-2004-1156) A bug was found in the way Mozilla saves temporary files. Temporary files are saved with world readable permissions, which could allow a local malicious user to view potentially sensitive data. (CAN-2005-0142) A bug was found in the way Mozilla handles synthetic middle click events. It is possible for a malicious web page to steal the contents of a victims clipboard. (CAN-2005-0146) A bug was found in the way Mozilla processes XUL content. If a malicious web page can trick a user into dragging an object, it is possible to load malicious XUL content. (CAN-2005-0401) A bug was found in the way Mozilla loads links in a new tab which are middle clicked. A malicious web page could read local files or modify privileged chrom settings. (CAN-2005-0141) A bug was found in the way Mozilla displays the secure site icon. A malicious web page can use a view-source URL targetted at a secure page, while loading an insecure page, yet the secure site icon shows the previous secure state. (CAN-2005-0144) A bug was found in the way Mozilla displays the secure site icon. A malicious web page can display the secure site icon by loading a binary file from a secured site. (CAN-2005-0143) A bug was found in the way Mozilla displays the download dialog window. A malicious site can obfuscate the content displayed in the source field, tricking a user into thinking they are downloading content from a trusted source. (CAN-2005-0585) Users of Mozilla are advised to upgrade to this updated package which contains Mozilla version 1.7.6 to correct these issues. Critical Copyright 2005 Red Hat, Inc. CVE-2004-1380 CVE-2005-0141 CVE-2005-0142 CVE-2005-0143 CVE-2005-0144 CVE-2005-0146 CVE-2005-0149 CVE-2005-0399 CVE-2005-0401 CAN-2004-1156 Frame injection vulnerability. CAN-2005-0585 download dialog URL spoofing CAN-2005-0141 multiple mozilla issues CAN-2004-1316 CAN-2005-0142 CAN-2005-0143 CAN-2005-0144 CAN-2004-1380 CAN-2004-1381 CAN-2005-0146 CAN-2005-0147 CAN-2005-0149 CAN-2005-0233 homograph spoofing CAN-2005-0399 mozilla GIF buffer overflow CAN-2005-0401 Drag and drop loading of privileged XUL cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Mozilla Firefox is an open source Web browser. A buffer overflow bug was found in the way Firefox processes GIF images. It is possible for an attacker to create a specially crafted GIF image, which when viewed by a victim will execute arbitrary code as the victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0399 to this issue. A bug was found in the way Firefox processes XUL content. If a malicious web page can trick a user into dragging an object, it is possible to load malicious XUL content. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0401 to this issue. A bug was found in the way Firefox bookmarks content to the sidebar. If a user can be tricked into bookmarking a malicious web page into the sidebar panel, that page could execute arbitrary programs. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0402 to this issue. Users of Firefox are advised to upgrade to this updated package which contains Firefox version 1.0.2 and is not vulnerable to these issues. Critical Copyright 2005 Red Hat, Inc. CVE-2005-0399 CVE-2005-0401 CVE-2005-0402 CAN-2005-0399 firefox GIF buffer overflow CAN-2005-0402 arbitrary code execution via sidebar CAN-2005-0401 Drag and drop loading of privileged XUL cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Mozilla Thunderbird is a standalone mail and newsgroup client. A buffer overflow bug was found in the way Thunderbird processes GIF images. It is possible for an attacker to create a specially crafted GIF image, which when viewed by a victim will execute arbitrary code as the victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0399 to this issue. A bug was found in the Thunderbird string handling functions. If a malicious website is able to exhaust a system's memory, it becomes possible to execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0255 to this issue. Users of Thunderbird are advised to upgrade to this updated package which contains Thunderbird version 1.0.2 and is not vulnerable to these issues. Critical Copyright 2005 Red Hat, Inc. CVE-2005-0399 CVE-2005-0255 CAN-2005-0255 Memory overwrite in string library CAN-2005-0399 thunderbird GIF buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 cURL is a tool for getting files from FTP, HTTP, Gopher, Telnet, and Dict servers, using any of the supported protocols. cURL is designed to work without user interaction or any kind of interactivity. Multiple buffer overflow bugs were found in the way curl processes base64 encoded replies. If a victim can be tricked into visiting a URL with curl, a malicious web server could execute arbitrary code on a victim's machine. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0490 to this issue. All users of curl are advised to upgrade to these updated packages, which contain backported fixes for these issues. Low Copyright 2005 Red Hat, Inc. CVE-2005-0490 CAN-2005-0490 Multiple stack based buffer overflows in curl cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 The gdk-pixbuf package contains an image loading library used with the GNOME GUI desktop environment. A bug was found in the way gdk-pixbuf processes BMP images. It is possible that a specially crafted BMP image could cause a denial of service attack on applications linked against gdk-pixbuf. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0891 to this issue. Users of gdk-pixbuf are advised to upgrade to these packages, which contain a backported patch and is not vulnerable to this issue. Important Copyright 2005 Red Hat, Inc. CVE-2005-0891 CAN-2005-0891 gdk-pixbuf BMP double free DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 The gtk2 package contains the GIMP ToolKit (GTK+), a library for creating graphical user interfaces for the X Window System. A bug was found in the way gtk2 processes BMP images. It is possible that a specially crafted BMP image could cause a denial of service attack on applications linked against gtk2. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0891 to this issue. Users of gtk2 are advised to upgrade to these packages, which contain a backported patch and is not vulnerable to this issue. Important Copyright 2005 Red Hat, Inc. CVE-2005-0891 CAN-2005-0891 gdk-pixbuf BMP double free DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Slocate is a security-enhanced version of locate. Like locate, slocate searches through a central database (updated nightly) for files that match a given pattern. Slocate allows you to quickly find files anywhere on your system. A bug was found in the way slocate scans the local filesystem. A carefully prepared directory structure could cause updatedb's file system scan to fail silently, resulting in an incomplete slocate database. The Common Vulnerabilities and Exposures project has assigned the name CAN-2005-2499 to this issue. Additionally this update addresses the following issues: - Files with a size of 2 GB and larger were not entered into the slocate database. - File system type exclusions were processed only when starting updatedb and did not reflect file systems mounted while updatedb was running (for example, automounted file systems). - File system type exclusions were ignored for file systems that were mounted to a path containing a symbolic link. - Databases created by slocate were owned by the slocate group even if they were created by regular users. Users of slocate are advised to upgrade to this updated package, which contains backported patches and is not affected by these issues. Low Copyright 2005 Red Hat, Inc. CVE-2005-2499 Files > 2 GB are not entered into slocate data base slocate collects .automount files over nfs CAN-2005-2499 slocate DOS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Slocate is a security-enhanced version of locate. Like locate, slocate searches through a central database (updated nightly) for files that match a given pattern. Slocate allows you to quickly find files anywhere on your system. A bug was found in the way slocate scans the local filesystem. A carefully prepared directory structure could cause updatedb's file system scan to fail silently, resulting in an incomplete slocate database. The Common Vulnerabilities and Exposures project has assigned the name CAN-2005-2499 to this issue. Additionally this update addresses the following issues: - File system type exclusions were processed only when starting updatedb and did not reflect file systems mounted while updatedb was running (for example, automounted file systems.) - File system type exclusions were ignored for file systems that were mounted to a path containing a symbolic link. - Databases created by slocate were owned by the slocate group even if they were created by regular users. - The default configuration excluded /mnt/floppy, but not /media. - The default configuration did not exclude nfs4 file systems. Users of slocate are advised to upgrade to this updated package, which contains backported patches and is not affected by these issues. Low Copyright 2005 Red Hat, Inc. CVE-2005-2499 slocate collects .automount files over nfs Incorrect path in /etc/updatedb.conf updatedb indexes nfs4 filesystems CAN-2005-2499 slocate DOS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 TeTeX is an implementation of TeX for Linux or UNIX systems. TeX takes a text file and a set of formatting commands as input and creates a typesetter-independent .dvi (DeVice Independent) file as output. A number of security flaws have been found affecting libraries used internally within teTeX. An attacker who has the ability to trick a user into processing a malicious file with teTeX could cause teTeX to crash or possibly execute arbitrary code. A number of integer overflow bugs that affect Xpdf were discovered. The teTeX package contains a copy of the Xpdf code used for parsing PDF files and is therefore affected by these bugs. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2004-0888 and CAN-2004-1125 to these issues. A number of integer overflow bugs that affect libtiff were discovered. The teTeX package contains an internal copy of libtiff used for parsing TIFF image files and is therefore affected by these bugs. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2004-0803, CAN-2004-0804 and CAN-2004-0886 to these issues. Also latex2html is added to package tetex-latex for 64bit platforms. Users of teTeX should upgrade to these updated packages, which contain backported patches and are not vulnerable to these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2004-0803 CVE-2004-0804 CVE-2004-0886 CVE-2004-0888 CVE-2004-1125 CAN-2004-0888 xpdf integer overflows CAN-2004-0803 multiple issues in libtiff (CAN-2004-0804 CAN-2004-0886) tetex-latex package missing latex2html CAN-2004-1125 xpdf buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 The gzip package contains the GNU gzip data compression program. A bug was found in the way zgrep processes file names. If a user can be tricked into running zgrep on a file with a carefully crafted file name, arbitrary commands could be executed as the user running zgrep. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0758 to this issue. A bug was found in the way gunzip modifies permissions of files being decompressed. A local attacker with write permissions in the directory in which a victim is decompressing a file could remove the file being written and replace it with a hard link to a different file owned by the victim. gunzip then gives the linked file the permissions of the uncompressed file. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0988 to this issue. A directory traversal bug was found in the way gunzip processes the -N flag. If a victim decompresses a file with the -N flag, gunzip fails to sanitize the path which could result in a file owned by the victim being overwritten. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1228 to this issue. Users of gzip should upgrade to this updated package, which contains backported patches to correct these issues. Low Copyright 2005 Red Hat, Inc. CVE-2005-0758 CVE-2005-0988 CVE-2005-1228 CAN-2005-0758 zgrep has security issue in sed usage CAN-2005-0988 Race condition in gzip CAN-2005-1228 directory traversal bug cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Exim is a mail transport agent (MTA) developed at the University of Cambridge for use on Unix systems connected to the Internet. An integer overflow flaw was found in PCRE, a Perl-compatible regular expression library included within Exim. A local user could create a maliciously crafted regular expression in such as way that they could gain the privileges of the 'exim' user. The Common Vulnerabilities and Exposures project assigned the name CAN-2005-2491 to this issue. These erratum packages change Exim to use the system PCRE library instead of the internal one. These packages also fix a minor flaw where the Exim Monitor was incorrectly computing free space on very large file systems. Users should upgrade to these erratum packages and also ensure they have updated the system PCRE library, for which erratum packages are available seperately in RHSA-2005:761 Moderate Copyright 2005 Red Hat, Inc. CVE-2005-2491 CAN-2005-2491 PCRE heap overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The vixie-cron package contains the Vixie version of cron. Cron is a standard UNIX daemon that runs specified programs at scheduled times. A bug was found in the way vixie-cron installs new crontab files. It is possible for a local attacker to execute the crontab command in such a way that they can view the contents of another user's crontab file. The Common Vulnerabilities and Exposures project assigned the name CAN-2005-1038 to this issue. Additionally, this update addresses the following issues: o Fixed improper limits on filename and command line lengths o Improved PAM access control conforming to EAL certification requirements o Improved reliability when running in a chroot environment o Mail recipient name checking disabled by default, can be re-enabled o Added '-p' "permit all crontabs" option to disable crontab mode checking All users of vixie-cron should upgrade to this updated package, which contains backported patches and is not vulnerable to these issues. Low Copyright 2005 Red Hat, Inc. CVE-2005-1038 cron fails to run user jobs and gives vague error message CAN-2005-1038 vixie-cron information leak vixie-cron updates for new audit system Cron no longer allows read-only crontabs, enforces write access cron fails with pam_access crontab truncates file names greater than 100 characters. CAN-2005-1038 vixie-cron information leak [PATCH] List corruption when items are removed from /etc/cron.d cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The Gaim application is a multi-protocol instant messaging client. A buffer overflow bug was found in the way gaim escapes HTML. It is possible that a remote attacker could send a specially crafted message to a Gaim client, causing it to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0965 to this issue. A bug was found in several of gaim's IRC processing functions. These functions fail to properly remove various markup tags within an IRC message. It is possible that a remote attacker could send a specially crafted message to a Gaim client connected to an IRC server, causing it to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0966 to this issue. A bug was found in gaim's Jabber message parser. It is possible for a remote Jabber user to send a specially crafted message to a Gaim client, causing it to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0967 to this issue. In addition to these denial of service issues, multiple minor upstream bugfixes are included in this update. Users of Gaim are advised to upgrade to this updated package which contains Gaim version 1.2.1 and is not vulnerable to these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-0965 CVE-2005-0966 CVE-2005-0967 CAN-2005-0965 Gaim remote DoS issues (CAN-2005-0966) CAN-2005-0967 jabber DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The Linux kernel handles the basic functions of the operating system. A flaw in the fib_seq_start function was discovered. A local user could use this flaw to cause a denial of service (system crash) via /proc/net/route. (CAN-2005-1041) A flaw in the tmpfs file system was discovered. A local user could use this flaw to cause a denial of service (system crash). (CAN-2005-0977) An integer overflow flaw was found when writing to a sysfs file. A local user could use this flaw to overwrite kernel memory, causing a denial of service (system crash) or arbitrary code execution. (CAN-2005-0867) Keith Owens reported a flaw in the Itanium unw_unwind_to_user function. A local user could use this flaw to cause a denial of service (system crash) on Itanium architectures. (CAN-2005-0135) A flaw in the NFS client O_DIRECT error case handling was discovered. A local user could use this flaw to cause a denial of service (system crash). (CAN-2005-0207) A small memory leak when defragmenting local packets was discovered that affected the Linux 2.6 kernel netfilter subsystem. A local user could send a large number of carefully crafted fragments leading to memory exhaustion (CAN-2005-0210) A flaw was discovered in the Linux PPP driver. On systems allowing remote users to connect to a server using ppp, a remote client could cause a denial of service (system crash). (CAN-2005-0384) A flaw was discovered in the ext2 file system code. When a new directory is created, the ext2 block written to disk is not initialized, which could lead to an information leak if a disk image is made available to unprivileged users. (CAN-2005-0400) A flaw in fragment queuing was discovered that affected the Linux kernel netfilter subsystem. On systems configured to filter or process network packets (e.g. firewalling), a remote attacker could send a carefully crafted set of fragmented packets to a machine and cause a denial of service (system crash). In order to sucessfully exploit this flaw, the attacker would need to know or guess some aspects of the firewall ruleset on the target system. (CAN-2005-0449) A number of flaws were found in the Linux 2.6 kernel. A local user could use these flaws to read kernel memory or cause a denial of service (crash). (CAN-2005-0529, CAN-2005-0530, CAN-2005-0531) An integer overflow in sys_epoll_wait in eventpoll.c was discovered. A local user could use this flaw to overwrite low kernel memory. This memory is usually unused, not usually resulting in a security consequence. (CAN-2005-0736) A flaw when freeing a pointer in load_elf_library was discovered. A local user could potentially use this flaw to cause a denial of service (crash). (CAN-2005-0749) A flaw was discovered in the bluetooth driver system. On systems where the bluetooth modules are loaded, a local user could use this flaw to gain elevated (root) privileges. (CAN-2005-0750) A race condition was discovered that affected the Radeon DRI driver. A local user who has DRI privileges on a Radeon graphics card may be able to use this flaw to gain root privileges. (CAN-2005-0767) Multiple range checking flaws were discovered in the iso9660 file system handler. An attacker could create a malicious file system image which would cause a denial or service or potentially execute arbitrary code if mounted. (CAN-2005-0815) A flaw was discovered when setting line discipline on a serial tty. A local user may be able to use this flaw to inject mouse movements or keystrokes when another user is logged in. (CAN-2005-0839) Red Hat Enterprise Linux 4 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum. Please note that Important Copyright 2005 Red Hat, Inc. CVE-2005-0135 CVE-2005-0207 CVE-2005-0210 CVE-2005-0384 CVE-2005-0400 CVE-2005-0449 CVE-2005-0529 CVE-2005-0530 CVE-2005-0531 CVE-2005-0736 CVE-2005-0749 CVE-2005-0750 CVE-2005-0767 CVE-2005-0815 CVE-2005-0839 CVE-2005-0867 CVE-2005-0977 CVE-2005-1041 CAN-2005-0449 Possible remote Oops/firewall bypass - kABI breaker CAN-2005-0135 ia64 local DoS CAN-2005-0207 nfs client O_DIRECT oops CAN-2005-0529 Sign handling issues on v2.6 (CAN-2005-0530 CAN-2005-0531) CAN-2005-0209 netfilter SKB problem CAN-2005-0384 pppd remote DoS CAN-2005-0736 epoll overflow CAN-2005-0767 drm race in radeon CAN-2005-0750 bluetooth security flaw CAN-2005-0400 ext2 mkdir() directory entry random kernel memory leak CAN-2005-0815 isofs range checking flaws CAN-2005-0749 load_elf_library possible DoS CAN-2005-0839 N_MOUSE line discipline flaw CAN-2005-0977 tmpfs truncate bug CAN-2005-0867 sysfs signedness problem CAN-2005-1041 crash while reading /proc/net/route cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 SNMP (Simple Network Management Protocol) is a protocol used for network management. A denial of service bug was found in the way net-snmp uses network stream protocols. It is possible for a remote attacker to send a net-snmp agent a specially crafted packet which will crash the agent. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-2177 to this issue. An insecure temporary file usage bug was found in net-snmp's fixproc command. It is possible for a local user to modify the content of temporary files used by fixproc which can lead to arbitrary command execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1740 to this issue. Additionally the following bugs have been fixed: - snmpwalk no longer hangs when a non-existant pid is listed. - snmpd no longer segfaults due to incorrect handling of lmSensors. - an incorrect assignment leading to invalid values in ASN mibs has been fixed. - on systems running a 64-bit kernel, the values in /proc/net/dev no longer become too large to fit in a 32-bit object. - the net-snmp-devel packages correctly depend on elfutils-libelf-devel. - large file systems are correctly handled - snmp daemon now reports gigabit Ethernet speeds correctly - fixed consistency between IP adresses and hostnames in configuration file All users of net-snmp should upgrade to these updated packages, which resolve these issues. Low Copyright 2005 Red Hat, Inc. CVE-2005-2177 CVE-2005-1740 CVE-2005-4837 net-snmp-devel should depend on elfutils-libelf-devel snmpd.conf hostname vs. IP inconsistancy 64bit network counters peg instead of wrapping CAN-2005-2177 net-snmp denial of service CAN-2005-1740 net-snmp insecure temporary file usage cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 OpenOffice.org is an office productivity suite that includes desktop applications such as a word processor, spreadsheet, presentation manager, formula editor, and drawing program. A heap based buffer overflow bug was found in the OpenOffice.org DOC file processor. An attacker could create a carefully crafted DOC file in such a way that it could cause OpenOffice.org to execute arbitrary code when the file was opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0941 to this issue. All users of OpenOffice.org are advised to upgrade to these updated packages, which contain backported fixes for these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-0941 CAN-2005-0941 openoffice.org heap overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The sharutils package contains a set of tools for encoding and decoding packages of files in binary or text format. A stack based overflow bug was found in the way shar handles the -o option. If a user can be tricked into running a specially crafted command, it could lead to arbitrary code execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1772 to this issue. Please note that this issue does not affect Red Hat Enterprise Linux 4. Two buffer overflow bugs were found in sharutils. If an attacker can place a malicious 'wc' command on a victim's machine, or trick a victim into running a specially crafted command, it could lead to arbitrary code execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1773 to this issue. A bug was found in the way unshar creates temporary files. A local user could use symlinks to overwrite arbitrary files the victim running unshar has write access to. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0990 to this issue. All users of sharutils should upgrade to this updated package, which includes backported fixes to correct these issues. Low Copyright 2005 Red Hat, Inc. CVE-2004-1772 CVE-2004-1773 CVE-2005-0990 CAN-2004-1772 buffer overflow with -o option CAN-2004-1773 Buffer overflows in unshar CAN-2005-0990 insecure temp file usage cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 GNU cpio copies files into or out of a cpio or tar archive. A race condition bug was found in cpio. It is possible for a local malicious user to modify the permissions of a local file if they have write access to a directory in which a cpio archive is being extracted. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1111 to this issue. Additionally, this update adds cpio support for archives larger than 2GB. However, the size of individual files within an archive is limited to 4GB. All users of cpio are advised to upgrade to this updated package, which contains backported fixes for these issues. Low Copyright 2005 Red Hat, Inc. CVE-2005-1111 cpio does not support large files > 2GB cpio fails to unpack initrd on ppc 511278 - needs fix for RHEL 4 on cpio bugzilla 105617 CVE-2005-1111 Race condition in cpio cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 NASM is an 80x86 assembler. Two stack based buffer overflow bugs have been found in nasm. An attacker could create an ASM file in such a way that when compiled by a victim, could execute arbitrary code on their machine. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2004-1287 and CAN-2005-1194 to these issues. All users of nasm are advised to upgrade to this updated package, which contains backported fixes for these issues. Low Copyright 2005 Red Hat, Inc. CVE-2004-1287 CVE-2005-1194 CAN-2004-1287 Bernstein class reports buffer overflow in nasm CAN-2005-1194 Buffer overflow in the ieee_putascii() function cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Mozilla Firefox is an open source Web browser. Vladimir V. Perepelitsa discovered a bug in the way Firefox handles anonymous functions during regular expression string replacement. It is possible for a malicious web page to capture a random block of browser memory. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0989 to this issue. Omar Khan discovered a bug in the way Firefox processes the PLUGINSPAGE tag. It is possible for a malicious web page to trick a user into pressing the "manual install" button for an unknown plugin leading to arbitrary javascript code execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0752 to this issue. Doron Rosenberg discovered a bug in the way Firefox displays pop-up windows. If a user choses to open a pop-up window whose URL is malicious javascript, the script will be executed with elevated privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1153 to this issue. A bug was found in the way Firefox handles the javascript global scope for a window. It is possible for a malicious web page to define a global variable known to be used by a different site, allowing malicious code to be executed in the context of the site. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1154 to this issue. Michael Krax discovered a bug in the way Firefox handles favicon links. A malicious web page can programatically define a favicon link tag as javascript, executing arbitrary javascript with elevated privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1155 to this issue. Michael Krax discovered a bug in the way Firefox installed search plugins. If a user chooses to install a search plugin from a malicious site, the new plugin could silently overwrite an existing plugin. This could allow the malicious plugin to execute arbitrary code and steal sensitive information. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2005-1156 and CAN-2005-1157 to these issues. Kohei Yoshino discovered a bug in the way Firefox opens links in its sidebar. A malicious web page could construct a link in such a way that, when clicked on, could execute arbitrary javascript with elevated privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1158 to this issue. A bug was found in the way Firefox validated several XPInstall related javascript objects. A malicious web page could pass other objects to the XPInstall objects, resulting in the javascript interpreter jumping to arbitrary locations in memory. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1159 to this issue. A bug was found in the way the Firefox privileged UI code handled DOM nodes from the content window. A malicious web page could install malicious javascript code or steal data requiring a user to do commonplace actions such as clicking a link or opening the context menu. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1160 to this issue. Users of Firefox are advised to upgrade to this updated package which contains Firefox version 1.0.3 and is not vulnerable to these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-0752 CVE-2005-0989 CVE-2005-1153 CVE-2005-1154 CVE-2005-1155 CVE-2005-1156 CVE-2005-1157 CVE-2005-1158 CVE-2005-1159 CVE-2005-1160 CAN-2005-0752 Multiple firefox issues. (CAN-2005-0989) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Mozilla is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. Several bugs were found with the way Mozilla displays the secure site icon. It is possible that a malicious website could display the secure site icon along with incorrect certificate information. (CAN-2005-0143 CAN-2005-0593) A bug was found in the way Mozilla handles synthetic middle click events. It is possible for a malicious web page to steal the contents of a victims clipboard. (CAN-2005-0146) Several bugs were found with the way Mozilla handles temporary files. A local user could view sensitive temporary information or delete arbitrary files. (CAN-2005-0142 CAN-2005-0578) A bug was found in the way Mozilla handles pop-up windows. It is possible for a malicious website to control the content in an unrelated site's pop-up window. (CAN-2004-1156) A flaw was found in the way Mozilla displays international domain names. It is possible for an attacker to display a valid URL, tricking the user into thinking they are viewing a legitimate webpage when they are not. (CAN-2005-0233) A bug was found in the way Mozilla processes XUL content. If a malicious web page can trick a user into dragging an object, it is possible to load malicious XUL content. (CAN-2005-0401) A bug was found in the way Mozilla handles xsl:include and xsl:import directives. It is possible for a malicious website to import XSLT stylesheets from a domain behind a firewall, leaking information to an attacker. (CAN-2005-0588) Several bugs were found in the way Mozilla displays alert dialogs. It is possible for a malicious webserver or website to trick a user into thinking the dialog window is being generated from a trusted site. (CAN-2005-0586 CAN-2005-0591 CAN-2005-0585 CAN-2005-0590 CAN-2005-0584) A bug was found in the Mozilla javascript security manager. If a user drags a malicious link to a tab, the javascript security manager is bypassed, which could result in remote code execution or information disclosure. (CAN-2005-0231) A bug was found in the way Mozilla allows plug-ins to load privileged content into a frame. It is possible that a malicious webpage could trick a user into clicking in certain places to modify configuration settings or execute arbitrary code. (CAN-2005-0232 and CAN-2005-0527) A bug was found in the way Mozilla handles anonymous functions during regular expression string replacement. It is possible for a malicious web page to capture a random block of browser memory. (CAN-2005-0989) A bug was found in the way Mozilla displays pop-up windows. If a user choses to open a pop-up window whose URL is malicious javascript, the script will be executed with elevated privileges. (CAN-2005-1153) A bug was found in the way Mozilla installed search plugins. If a user chooses to install a search plugin from a malicious site, the new plugin could silently overwrite an existing plugin. This could allow the malicious plugin to execute arbitrary code and stealm sensitive information. (CAN-2005-1156 CAN-2005-1157) Several bugs were found in the Mozilla javascript engine. A malicious web page could leverage these issues to execute javascript with elevated privileges or steal sensitive information. (CAN-2005-1154 CAN-2005-1155 CAN-2005-1159 CAN-2005-1160) Users of Mozilla are advised to upgrade to this updated package which contains Mozilla version 1.7.7 to correct these issues. Important Copyright 2005 Red Hat, Inc. CVE-2004-1156 CVE-2005-0142 CVE-2005-0143 CVE-2005-0146 CVE-2005-0231 CVE-2005-0232 CVE-2005-0233 CVE-2005-0401 CVE-2005-0527 CVE-2005-0578 CVE-2005-0584 CVE-2005-0585 CVE-2005-0586 CVE-2005-0588 CVE-2005-0590 CVE-2005-0591 CVE-2005-0593 CVE-2005-0989 CVE-2005-1153 CVE-2005-1154 CVE-2005-1155 CVE-2005-1156 CVE-2005-1157 CVE-2005-1159 CVE-2005-1160 CAN-2004-1156 Frame injection vulnerability. CAN-2005-0585 download dialog URL spoofing CAN-2005-0142 Opened attachments are temporarily saved world-readable CAN-2005-0143 Secure site lock can be spoofed with a binary download CAN-2005-0146 Synthetic middle-click event can steal clipboard contents CAN-2005-0233 homograph spoofing CAN-2005-0401 Drag and drop loading of privileged XUL CAN-2005-0578 Mozilla issues (CAN-2005-0232 CAN-2005-0527 CAN-2005-0231 CAN-2005-0584 CAN-2005-0585 CAN-2005-0586 CAN-2005-0588 CAN-2005-0590 CAN-2005-0591 CAN-2005-0593) CAN-2005-0989 Multiple Mozilla issues. (CAN-2005-1153 CAN-2005-1154 CAN-2005-1155 CAN-2005-1156 CAN-2005-1157 CAN-2005-1159 CAN-2005-1160) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Mozilla is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. Vladimir V. Perepelitsa discovered a bug in the way Mozilla handles anonymous functions during regular expression string replacement. It is possible for a malicious web page to capture a random block of browser memory. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0989 to this issue. Doron Rosenberg discovered a bug in the way Mozilla displays pop-up windows. If a user choses to open a pop-up window whose URL is malicious javascript, the script will be executed with elevated privileges. (CAN-2005-1153) A bug was found in the way Mozilla handles the javascript global scope for a window. It is possible for a malicious web page to define a global variable known to be used by a different site, allowing malicious code to be executed in the context of the site. (CAN-2005-1154) Michael Krax discovered a bug in the way Mozilla handles favicon links. A malicious web page can programatically define a favicon link tag as javascript, executing arbitrary javascript with elevated privileges. (CAN-2005-1155) Michael Krax discovered a bug in the way Mozilla installed search plugins. If a user chooses to install a search plugin from a malicious site, the new plugin could silently overwrite an existing plugin. This could allow the malicious plugin to execute arbitrary code and stealm sensitive information. (CAN-2005-1156 CAN-2005-1157) A bug was found in the way Mozilla validated several XPInstall related javascript objects. A malicious web page could pass other objects to the XPInstall objects, resulting in the javascript interpreter jumping to arbitrary locations in memory. (CAN-2005-1159) A bug was found in the way the Mozilla privileged UI code handled DOM nodes from the content window. A malicious web page could install malicious javascript code or steal data requiring a user to do commonplace actions such as clicking a link or opening the context menu. (CAN-2005-1160) Users of Mozilla are advised to upgrade to this updated package which contains Mozilla version 1.7.7 to correct these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-0989 CVE-2005-1153 CVE-2005-1154 CVE-2005-1155 CVE-2005-1156 CVE-2005-1157 CVE-2005-1159 CVE-2005-1160 CAN-2005-0989 Multiple Mozilla issues. (CAN-2005-1153 CAN-2005-1154 CAN-2005-1155 CAN-2005-1156 CAN-2005-1157 CAN-2005-1159 CAN-2005-1160) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 CVS (Concurrent Version System) is a version control system. A buffer overflow bug was found in the way the CVS client processes version and author information. If a user can be tricked into connecting to a malicious CVS server, an attacker could execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0753 to this issue. Additionally, a bug was found in which CVS freed an invalid pointer. However, this issue does not appear to be exploitable. All users of cvs should upgrade to this updated package, which includes a backported patch to correct these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-0753 CAN-2005-0753 multiple issues in cvs cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 HelixPlayer is a media player. A buffer overflow bug was found in the way HelixPlayer processes RAM files. An attacker could create a specially crafted RAM file which could execute arbitrary code when opened by a user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0755 to this issue. All users of HelixPlayer are advised to upgrade to this updated package, which contains HelixPlayer version 10.0.4 and is not vulnerable to this issue. Critical Copyright 2005 Red Hat, Inc. CVE-2005-0755 CAN-2005-0755 HelixPlayer buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 KDE is a graphical desktop environment for the X Window System. Konqueror is the file manager for the K Desktop Environment. A source code audit performed by the KDE security team discovered several vulnerabilities in the PCX and other image file format readers. A buffer overflow was found in the kimgio library for KDE 3.4.0. An attacker could create a carefully crafted PCX image in such a way that it would cause kimgio to execute arbitrary code when processing the image. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1046 to this issue. All users of kdelibs should upgrade to these updated packages, which contain a backported security patch to correct these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-1046 CAN-2005-1046 PCX file integer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 SNMP (Simple Network Management Protocol) is a protocol used for network management. A denial of service bug was found in the way net-snmp uses network stream protocols. It is possible for a remote attacker to send a net-snmp agent a specially crafted packet that will crash the agent. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-2177 to this issue. An insecure temporary file usage bug was found in net-snmp's fixproc command. It is possible for a local user to modify the content of temporary files used by fixproc that can lead to arbitrary command execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1740 to this issue. Additionally, the following bugs have been fixed: - The lmSensors are correctly recognized, snmp deamon no longer segfaults - The larger swap partition sizes are correctly reported - Querying hrSWInstalledLastUpdateTime no longer crashes the snmp deamon - Fixed error building ASN.1 representation - The 64-bit network counters correctly wrap - Large file systems are correctly handled - Snmptrapd initscript correctly reads options from its configuration file /etc/snmp/snmptrapd.options - Snmp deamon no longer crashes when restarted using the agentX protocol - snmp daemon now reports gigabit Ethernet speeds correctly - MAC adresses are shown when requested instead of IP adresses All users of net-snmp should upgrade to these updated packages, which resolve these issues. Low Copyright 2005 Red Hat, Inc. CVE-2005-1740 CVE-2005-2177 CVE-2005-4837 snmpd dies when getting enterprises.ucdavis.memory.memTotalSwap.0 snmpd exits without a diagnostic: SIGSEGV 64bit network counters peg instead of wrapping /etc/init.d/snmptrapd wrong order in setting variables... x86_64: net-snmp dies when querying hrSWInstalledLastUpdateTime CAN-2005-1740 net-snmp insecure temporary file usage CAN-2005-2177 net-snmp denial of service cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 X.org is an open source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces (GUIs) such as GNOME and KDE are designed upon. Several integer overflow bugs were found in the way X.org parses pixmap images. It is possible for a user to gain elevated privileges by loading a specially crafted pixmap image. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-2495 to this issue. Users of X.org should upgrade to these updated packages, which contain a backported patch and are not vulnerable to this issue. Important Copyright 2005 Red Hat, Inc. CVE-2005-2495 CAN-2005-2495 multiple integer overflows cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Evolution is a GNOME-based collection of personal information management (PIM) tools. A bug was found in the way Evolution displays mail messages. It is possible that an attacker could create a specially crafted mail message that when opened by a victim causes Evolution to stop responding. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0806 to this issue. A bug was also found in Evolution's helper program camel-lock-helper. This bug could allow a local attacker to gain root privileges if camel-lock-helper has been built to execute with elevated privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0102 to this issue. On Red Hat Enterprise Linux, camel-lock-helper is not built to execute with elevated privileges by default. Please note however that if users have rebuilt Evolution from the source RPM, as the root user, camel-lock-helper may be given elevated privileges. All users of evolution should upgrade to these updated packages, which include backported fixes to correct these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-0102 CVE-2005-0806 CAN-2005-0102 Integer overflow in camel-lock-helper CAN-2005-0806 DoS from mail message cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A bug was found in the way PHP processes IFF and JPEG images. It is possible to cause PHP to consume CPU resources for a short period of time by supplying a carefully crafted IFF or JPEG image. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2005-0524 and CAN-2005-0525 to these issues. A buffer overflow bug was also found in the way PHP processes EXIF image headers. It is possible for an attacker to construct an image file in such a way that it could execute arbitrary instructions when processed by PHP. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1042 to this issue. A denial of service bug was found in the way PHP processes EXIF image headers. It is possible for an attacker to cause PHP to enter an infinite loop for a short period of time by supplying a carefully crafted image file to PHP for processing. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1043 to this issue. Several bug fixes are also included in this update: - The security fixes in RHSA-2004-687 to the "unserializer" code introduced some performance issues. - In the gd extension, the "imagecopymerge" function did not correctly handle transparency. The original image was being obscured in the resultant image. - In the curl extension, safe mode was not enforced for 'file:///' URL lookups (CAN-2004-1392). Users of PHP should upgrade to these updated packages, which contain backported fixes for these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2004-1392 CVE-2005-0524 CVE-2005-0525 CVE-2005-1042 CVE-2005-1043 PHP pages slow, HTTPD eating cpu php curl open_basedir bypass make PHP oci8 driver support Oracle Instant Client RPM PHP GD ImageCopyMerge broken CAN-2005-0524 PHP getimagesize() Multiple Denial of Service Vulnerabilities CAN-2005-0525 CAN-2005-1042 PHP exif buffer overflow CAN-2005-1043 PHP exif infinite stack recursion cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A bug was found in the way PHP processes IFF and JPEG images. It is possible to cause PHP to consume CPU resources for a short period of time by supplying a carefully crafted IFF or JPEG image. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2005-0524 and CAN-2005-0525 to these issues. A buffer overflow bug was also found in the way PHP processes EXIF image headers. It is possible for an attacker to construct an image file in such a way it could execute arbitrary instructions when processed by PHP. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1042 to this issue. A denial of service bug was found in the way PHP processes EXIF image headers. It is possible for an attacker to cause PHP to enter an infinite loop for a short period of time by supplying a carefully crafted image file to PHP for processing. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1043 to this issue. Several bug fixes are also included in this update: - some performance issues in the unserialize() function have been fixed - the behaviour of the interpreter when handling integer overflow during conversion of a floating variable to an integer has been reverted to match the behaviour used upstream; the integer will now be wrapped rather than truncated - a fix for the virtual() function in the Apache httpd module which would flush the response prematurely - the hard-coded default "safe mode" setting is now "disabled" rather than "enabled"; to match the default /etc/php.ini setting - in the curl extension, safe mode was not enforced for 'file:///' URL lookups (CAN-2004-1392). Users of PHP should upgrade to these updated packages, which contain backported fixes for these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2004-1392 CVE-2005-0524 CVE-2005-0525 CVE-2005-1042 CVE-2005-1043 Error in configure prevents php SRPM rebuild on x86_64 w/ mssql module CAN-2005-0524 PHP getimagesize() Multiple Denial of Service Vulnerabilities CAN-2005-0525 CAN-2005-1042 PHP exif buffer overflow CAN-2005-1043 PHP exif infinite stack recursion cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The cyrus-imapd package contains the core of the Cyrus IMAP server. Several buffer overflow bugs were found in cyrus-imapd. It is possible that an authenticated malicious user could cause the imap server to crash. Additionally, a peer news admin could potentially execute arbitrary code on the imap server when news is received using the fetchnews command. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0546 to this issue. Users of cyrus-imapd are advised to upgrade to these updated packages, which contain cyrus-imapd version 2.2.12 to correct these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-0546 CAN-2005-0546 multiple buffer overflows in cyrus-imapd cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 gFTP is a multi-threaded FTP client for the X Window System. A directory traversal bug was found in gFTP. If a user can be tricked into downloading a file from a malicious ftp server, it is possible to overwrite arbitrary files owned by the victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0372 to this issue. Users of gftp should upgrade to this updated package, which contains a backported fix for this issue. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-0372 CAN-2005-0372 directory traversal issue in gftp cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 OpenMotif provides libraries which implement the Motif industry standard graphical user interface. An integer overflow flaw was found in libXpm, which is used to decode XPM (X PixMap) images. A vulnerable version of this library was found within OpenMotif. An attacker could create a carefully crafted XPM file which would cause an application to crash or potentially execute arbitrary code if opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0605 to this issue. Users of OpenMotif are advised to upgrade to these erratum packages, which contains a backported security patch to the embedded libXpm library. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-0605 CAN-2005-0605 libxpm issue cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 ImageMagick(TM) is an image display and manipulation tool for the X Window System which can read and write multiple image formats. A heap based buffer overflow bug was found in the way ImageMagick parses PNM files. An attacker could execute arbitrary code on a victim's machine if they were able to trick the victim into opening a specially crafted PNM file. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1275 to this issue. Users of ImageMagick should upgrade to these updated packages, which contain a backported patch, and are not vulnerable to this issue. Important Copyright 2005 Red Hat, Inc. CVE-2005-1275 CAN-2005-1275 ImageMagick PNM heap overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 Squid is a full-featured Web proxy cache. A race condition bug was found in the way Squid handles the now obsolete Set-Cookie header. It is possible that Squid can leak Set-Cookie header information to other clients connecting to Squid. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0626 to this issue. Please note that this issue only affected Red Hat Enterprise Linux 4. A bug was found in the way Squid handles PUT and POST requests. It is possible for an authorised remote user to cause a failed PUT or POST request which can cause Squid to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0718 to this issue. A bug was found in the way Squid processes errors in the access control list. It is possible that an error in the access control list could give users more access than intended. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1345 to this issue. A bug was found in the way Squid handles access to the cachemgr.cgi script. It is possible for an authorised remote user to bypass access control lists with this flaw. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-1999-0710 to this issue. A bug was found in the way Squid handles DNS replies. If the port Squid uses for DNS requests is not protected by a firewall it is possible for a remote attacker to spoof DNS replies, possibly redirecting a user to spoofed or malicious content. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1519 to this issue. Additionally this update fixes the following bugs: - LDAP Authentication fails with an assertion error when using Red Hat Enterprise Linux 4 Users of Squid should upgrade to this updated package, which contains backported patches to correct these issues. Low Copyright 2005 Red Hat, Inc. CVE-1999-0710 CVE-2005-0626 CVE-2005-0718 CVE-2005-1345 CVE-2005-1519 insecure permissions for squid.conf CAN-2005-0626 Cookie leak in squid LDAP Authentication fails with an assertion error. CAN-2005-1345 Unexpected access control results on configuration errors CAN-2005-0718 Segmentation fault on failed PUT/POST request CVE-1999-0710 cachemgr.cgi access control bypass CAN-2005-1519 DNS lookups unreliable on untrusted networks cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Tcpdump is a command-line tool for monitoring network traffic. Several denial of service bugs were found in the way tcpdump processes certain network packets. It is possible for an attacker to inject a carefully crafted packet onto the network, crashing a running tcpdump session. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2005-1278, CAN-2005-1279, and CAN-2005-1280 to these issues. The tcpdump utility can now write a file larger than 2 GB. Users of tcpdump are advised to upgrade to these erratum packages, which contain backported security patches and are not vulnerable to these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-1278 CVE-2005-1279 CVE-2005-1280 tcpdump can't write to a file greater than 2G CAN-2005-1280 Multiple DoS issues in tcpdump (CAN-2005-1279 CAN-2005-1278) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The Linux kernel handles the basic functions of the operating system. This is the first regular kernel update to Red Hat Enterprise Linux 4. A flaw affecting the auditing code was discovered. On Itanium architectures a local user could use this flaw to cause a denial of service (crash). This issue is rated as having important security impact (CAN-2005-0136). A flaw was discovered in the servicing of a raw device ioctl. A local user who has access to raw devices could use this flaw to write to kernel memory and cause a denial of service or potentially gain privileges. This issue is rated as having moderate security impact (CAN-2005-1264). A flaw in fragment forwarding was discovered that affected the netfilter subsystem for certain network interface cards. A remote attacker could send a set of bad fragments and cause a denial of service (system crash). Acenic and SunGEM network interfaces were the only adapters affected, which are in widespread use. (CAN-2005-0209) A flaw in the futex functions was discovered affecting the Linux 2.6 kernel. A local user could use this flaw to cause a denial of service (system crash). (CAN-2005-0937) New features introduced by this update include: - Fixed TCP BIC congestion handling. - Diskdump support for more controllers (megaraid, SATA) - Device mapper multipath support - AMD64 dual core support. - Intel ICH7 hardware support. There were many bug fixes in various parts of the kernel. The ongoing effort to resolve these problems has resulted in a marked improvement in the reliability and scalability of Red Hat Enterprise Linux 4. The following device drivers have been upgraded to new versions: ata_piix -------- 1.03 bonding --------- 2.6.1 e1000 ----------- 5.6.10.1-k2-NAPI e100 ------------ 3.3.6-k2-NAPI ibmveth --------- 1.03 libata ---------- 1.02 to 1.10 lpfc ------------ 0:8.0.16 to 0:8.0.16.6_x2 megaraid_mbox --- 2.20.4.0 to 2.20.4.5 megaraid_mm ----- 2.20.2.0-rh1 to 2.20.2.5 sata_nv --------- 0.03 to 0.6 sata_promise ---- 1.00 to 1.01 sata_sil -------- 0.8 sata_sis -------- 0.5 sata_svw -------- 1.05 sata_sx4 -------- 0.7 sata_via -------- 1.0 sata_vsc -------- 1.0 tg3 ------------- 3.22-rh ipw2100 --------- 1.0.3 ipw2200 --------- 1.0.0 All Red Hat Enterprise Linux 4 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum. Important Copyright 2005 Red Hat, Inc. CVE-2005-0136 CVE-2005-0209 CVE-2005-0937 CVE-2005-1264 CVE-2005-3107 PTRACE_ATTACH race with real parent's wait calls can produced bogus wait returns Intolerable Disk I/O Performance under 64-bit VM: fix I/O buffers "waitid(POSIX Interface)" cannot run properly. [PATCH] RHEL4 U1: EFI GPT: reduce alternate header probing lx-choptp19 crashed running 2.4.21-20.EL.BZ131027.hotfixhugemem BLKFLSBUF ioctl can cause other reads x86, x86_64 and IA64 scsi inquiry command hangs in wait_for_completion FEAT: RHEL 4 U3: ia64 needs hint@pause in spinloop RHEL4 U2: DBS: quiet warning messages from cpufreq.c [RHEL4][Diskdump] smp_call_function issue [PATCH] "RPC: garbage, exit EIO" when using NFSv3 with Kerberos 5 traced process cannot be killed hugetlb mmap failed in compatibility mode in em64t ext2 and device dm-0 byond 2Terabyte causes /var/log/messages file size to crash system RHEL4 U1: ICH7 Support patch problems with ipsec from rhel3 to rhel4 [PATCH] Channel bonding driver configured in 802.3 ad mode causes kernel panic when shutdwon 20050115 ptrace/kill and ptrace/dump race fixes NLM (NFSv3) problems when mounting with "sec=krb5" SCTP memory consumption and system freezes Thread suspension via async signal fails on rhel4-rc2 oom-killer triggered during Red Hat Cert chipset identifier for zx2 Lockd callbacks to NFS clients fail completely mmap of file over NFS corrupts data host panics when mounting nfs4 volumes host loses connection to nfs server when the server is solaris 20050117 Oopsable NFS locking Thread exits siliently via __RESTORE_ALL exeception for iret kernel thread current->mm dereference in grab_swap_token causes oops unexplained SIGSEGV death in SIGSEGV signal handler CAN-2005-0136 ptrace corner cases on ia64 oops on 2.6.9-5.0.5.ELsmp libata - master supports lba48 but slave does not CAN-2005-1263 Linux kernel ELF core dump privilege elevation cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Tcpdump is a command-line tool for monitoring network traffic. Several denial of service bugs were found in the way tcpdump processes certain network packets. It is possible for an attacker to inject a carefully crafted packet onto the network, crashing a running tcpdump session. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2005-1278, CAN-2005-1279, and CAN-2005-1280 to these issues. Additionally, the tcpdump utility can now write a file larger than 2 GB, parse some new VLAN IDs, and parse messages on 64bit architectures. Users of tcpdump are advised to upgrade to these erratum packages, which contain backported security patches and are not vulnerable to these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-1278 CVE-2005-1279 CVE-2005-1280 [RHEL3] tcpdump not decoding NFS traffic properly on ia64 tcpdump can't write to a file greater than 2G CAN-2005-1280 Multiple DoS issues in tcpdump (CAN-2005-1279 CAN-2005-1278) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The ethereal package is a program for monitoring network traffic. A number of security flaws have been discovered in Ethereal. On a system where Ethereal is running, a remote attacker could send malicious packets to trigger these flaws and cause Ethereal to crash or potentially execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2005-1456, CAN-2005-1457, CAN-2005-1458, CAN-2005-1459, CAN-2005-1460, CAN-2005-1461, CAN-2005-1462, CAN-2005-1463, CAN-2005-1464, CAN-2005-1465, CAN-2005-1466, CAN-2005-1467, CAN-2005-1468, CAN-2005-1469, and CAN-2005-1470 to these issues. Users of ethereal should upgrade to these updated packages, which contain version 0.10.11 which is not vulnerable to these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-1456 CVE-2005-1457 CVE-2005-1458 CVE-2005-1459 CVE-2005-1460 CVE-2005-1461 CVE-2005-1462 CVE-2005-1463 CVE-2005-1464 CVE-2005-1465 CVE-2005-1466 CVE-2005-1467 CVE-2005-1468 CVE-2005-1469 CVE-2005-1470 multiple ethereal security issues cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The Gaim application is a multi-protocol instant messaging client. A stack based buffer overflow bug was found in the way gaim processes a message containing a URL. A remote attacker could send a carefully crafted message resulting in the execution of arbitrary code on a victim's machine. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1261 to this issue. A bug was found in the way gaim handles malformed MSN messages. A remote attacker could send a carefully crafted MSN message causing gaim to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1262 to this issue. Users of Gaim are advised to upgrade to this updated package which contains backported patches and is not vulnerable to these issues. Critical Copyright 2005 Red Hat, Inc. CVE-2005-1261 CVE-2005-1262 CAN-2005-1261 Gaim long url buffer overflow CAN-2005-1262 Gaim MSN DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The GnuTLS library implements Secure Sockets Layer (SSL v3) and Transport Layer Security (TLS v1) protocols. A denial of service bug was found in the GnuTLS library versions prior to 1.0.25. A remote attacker could perform a carefully crafted TLS handshake against a service that uses the GnuTLS library causing the service to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1431 to this issue. All users of GnuTLS are advised to upgrade to these updated packages and to restart any services which use GnuTLS. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-1431 CAN-2005-1431 gnutls record packet parsing DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 PostgreSQL is an advanced Object-Relational database management system (DBMS) that supports almost all SQL constructs (including transactions, subselects and user-defined types and functions). The PostgreSQL community discovered two distinct errors in initial system catalog entries that could allow authorized database users to crash the database and possibly escalate their privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2005-1409 and CAN-2005-1410 to these issues. Although installing this update will protect new (freshly initdb'd) database installations from these errors, administrators MUST TAKE MANUAL ACTION to repair the errors in pre-existing databases. The appropriate procedures are explained at http://www.postgresql.org/docs/8.0/static/release-7-4-8.html for Red Hat Enterprise Linux 4 users, or http://www.postgresql.org/docs/8.0/static/release-7-3-10.html for Red Hat Enterprise Linux 3 users. This update corrects several problems that might occur while trying to upgrade a Red Hat Enterprise Linux 3 installation (containing rh-postgresql packages) to Red Hat Enterprise Linux 4 (containing postgresql packages). These updated packages correctly supersede the rh-postgresql packages. The original release of Red Hat Enterprise Linux 4 failed to initialize the database correctly if started for the first time with SELinux in enforcement mode. This update corrects that problem. If you already have a nonfunctional database in place, shut down the postgresql service if running, install this update, then do "sudo rm -rf /var/lib/pgsql/data" before restarting the postgresql service. This update also solves the problem that the PostgreSQL server might fail to restart after a system reboot, due to a stale lockfile. This update also corrects a problem with wrong error messages in libpq, the postgresql client library. The library would formerly report kernel error messages incorrectly when the locale setting was not C. This update also includes fixes for several other errors, including two race conditions that could result in apparent data inconsistency or actual data loss. All users of PostgreSQL are advised to upgrade to these updated packages and to apply the recommended manual corrections to existing databases. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-1409 CVE-2005-1410 selinux <<EOF bug breaks PostgreSQL too PostgreSQL server does not start after crash because wrong PID file location upgrade from rhel-3 rh-postgresql to rhel-4 postgresql removes user "postgres" CAN-2005-1409 Multiple postgresql issues (CAN-2005-1410) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Mozilla Firefox is an open source Web browser. Several bugs were found in the way Firefox executes javascript code. Javascript executed from a web page should run with a restricted access level, preventing dangerous actions. It is possible that a malicious web page could execute javascript code with elevated privileges, allowing access to protected data and functions. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2005-1476, CAN-2005-1477, CAN-2005-1531, and CAN-2005-1532 to these issues. Please note that the effects of CAN-2005-1477 are mitigated by the default setup, which allows only the Mozilla Update site to attempt installation of Firefox extensions. The Mozilla Update site has been modified to prevent this attack from working. If other URLs have been manually added to the whitelist, it may be possible to execute this attack. Users of Firefox are advised to upgrade to this updated package which contains Firefox version 1.0.4 which is not vulnerable to these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-1476 CVE-2005-1477 CVE-2005-1531 CVE-2005-1532 CAN-2005-1476 Multiple Firefox issues (CAN-2005-1477 CAN-2005-1531 CAN-2005-1532) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 Mozilla is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. Several bugs were found in the way Mozilla executes javascript code. Javascript executed from a web page should run with a restricted access level, preventing dangerous actions. It is possible that a malicious web page could execute javascript code with elevated privileges, allowing access to protected data and functions. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2005-1476, CAN-2005-1477, CAN-2005-1531, and CAN-2005-1532 to these issues. Users of Mozilla are advised to upgrade to this updated package, which contains Mozilla version 1.7.8 to correct these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-1476 CVE-2005-1477 CVE-2005-1531 CVE-2005-1532 CAN-2005-1476 Multiple Mozilla issues (CAN-2005-1477 CAN-2005-1531 CAN-2005-1532) devhelp not updated for new mozilla cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the three security issues described below as well as an important fix for a problem that could lead to data corruption on x86-architecture SMP systems with greater than 4GB of memory through heavy usage of multi-threaded applications. A flaw between execve() syscall handling and core dumping of ELF-format executables allowed local unprivileged users to cause a denial of service (system crash) or possibly gain privileges. The Common Vulnerabilities and Exposures project has assigned the name CAN-2005-1263 to this issue. A flaw in shared memory locking allowed local unprivileged users to lock and unlock regions of shared memory segments they did not own (CAN-2005-0176). A flaw in the locking of SysV IPC shared memory regions allowed local unprivileged users to bypass their RLIMIT_MEMLOCK resource limit (CAN-2004-0491). Note: The kernel-unsupported package contains various drivers and modules that are unsupported and therefore might contain security problems that have not been addressed. All Red Hat Enterprise Linux 3 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum. Please also consult the RHEL3 Update 5 advisory RHSA-2005:294 for the complete list of features added and bugs fixed in U5, which was released only a week prior to this security update. Important Copyright 2005 Red Hat, Inc. CVE-2004-0491 CVE-2005-0176 CVE-2005-1263 CVE-2004-0491 mlock accounting issue Memory corruption with kernel 2.4.21-27.EL kernel 2.4.21-25.ELsmp panic (kscand) CVE-2005-0176 unlock someone elses ipc memory Kernel panic regression in 2.4.21-27.0.2.ELsmp Page corruption in U5 Beta Memory corruption CVE-2005-1263 Linux kernel ELF core dump crash vulnerability cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 Bzip2 is a data compressor. A bug was found in the way bzgrep processes file names. If a user can be tricked into running bzgrep on a file with a carefully crafted file name, arbitrary commands could be executed as the user running bzgrep. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0758 to this issue. A bug was found in the way bzip2 modifies file permissions during decompression. If an attacker has write access to the directory into which bzip2 is decompressing files, it is possible for them to modify permissions on files owned by the user running bzip2 (CVE-2005-0953). A bug was found in the way bzip2 decompresses files. It is possible for an attacker to create a specially crafted bzip2 file which will cause bzip2 to cause a denial of service (by filling disk space) if decompressed by a victim (CVE-2005-1260). Users of Bzip2 should upgrade to these updated packages, which contain backported patches to correct these issues. Low Copyright 2008 Red Hat, Inc. CVE-2005-0758 CVE-2005-0953 CVE-2005-1260 CAN-2005-0953 bzip2 race condition CAN-2005-1260 bzip2 decompression bomb (DoS) CVE-2005-0758 bzgrep has security issue in sed usage cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 OpenSSL is a toolkit that implements Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. Colin Percival reported a cache timing attack that could allow a malicious local user to gain portions of cryptographic keys. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CAN-2005-0109 to the issue. The OpenSSL library has been patched to add a new fixed-window mod_exp implementation as default for RSA, DSA, and DH private-key operations. This patch is designed to mitigate cache timing and potentially related attacks. A flaw was found in the way the der_chop script creates temporary files. It is possible that a malicious local user could cause der_chop to overwrite files (CAN-2004-0975). The der_chop script was deprecated and has been removed from these updated packages. Red Hat Enterprise Linux 4 did not ship der_chop and is therefore not vulnerable to this issue. Users are advised to update to these erratum packages which contain patches to correct these issues. Please note: After installing this update, users are advised to either restart all services that use OpenSSL or restart their system. Moderate Copyright 2005 Red Hat, Inc. CVE-2004-0975 CVE-2005-0109 CAN-2004-0975 temporary file vulnerabilities in der_chop script CAN-2004-0975 temporary file vulnerabilities in der_chop script CAN-2005-0109 timing attack on OpenSSL with HT cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 ImageMagick(TM) is an image display and manipulation tool for the X Window System that can read and write multiple image formats. A denial of service bug was found in the way ImageMagick parses XWD files. A user or program executing ImageMagick to process a malicious XWD file can cause ImageMagick to enter an infinite loop causing a denial of service condition. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1739 to this issue. Users of ImageMagick should upgrade to these updated packages, which contain a backported patch, and are not vulnerable to this issue. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-1739 CAN-2005-1739 ImageMagick XWD denial of service cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 SpamAssassin provides a way to reduce unsolicited commercial email (SPAM) from incoming email. A denial of service bug has been found in SpamAssassin. An attacker could construct a message in such a way that would cause SpamAssassin to consume CPU resources. If a number of these messages were sent it could lead to a denial of service, potentially preventing the delivery or filtering of email. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1266 to this issue. SpamAssassin version 3.0.4 additionally solves a number of bugs including: - #156390 Spamassassin consumes too much memory during learning - #155423 URI blacklist spam bypass - #147464 Users may now disable subject rewriting - Smarter default Bayes scores - Numerous other bug fixes that improve spam filter accuracy and safety For full details, please refer to the change details of 3.0.2, 3.0.3, and 3.0.4 in SpamAssassin's online documentation at the following address: http://wiki.apache.org/spamassassin/NextRelease Users of SpamAssassin should update to this updated package, containing version 3.0.4 which is not vulnerable to this issue and resolves these bugs. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-1266 spamassassin no longer allows disabling subject rewriting spamd generate child processes which occupies all memory CAN-2005-1266 spamassassin DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 gEdit is a small text editor designed specifically for the GNOME GUI desktop. A file name format string vulnerability has been discovered in gEdit. It is possible for an attacker to create a file with a carefully crafted name which, when the file is opened, executes arbitrary instructions on a victim's machine. Although it is unlikely that a user would manually open a file with such a carefully crafted file name, a user could, for example, be tricked into opening such a file from within an email client. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1686 to this issue. Users of gEdit should upgrade to this updated package, which contains a backported patch to correct this issue. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-1686 CAN-2005-1686 filename format string vulnerability cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 XFree86 is an implementation of the X Window System, which provides the core functionality for the Linux graphical desktop. Several integer overflow bugs were found in the way XFree86 parses pixmap images. It is possible for a user to gain elevated privileges by loading a specially crafted pixmap image. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-2495 to this issue. Additionally this update adds the following new features in this release: - Support for ATI RN50/ES1000 chipsets has been added. The following bugs were also fixed in this release: - A problem with the X server's module loading system that led to cache incoherency on the Itanium architecture. - The X server's PCI config space accesses caused contention with the kernel if accesses occurred while the kernel lock was held. - X font server (xfs) crashed when accessing Type 1 fonts via showfont. - A problem with the X transport library prevented X applications from starting if the hostname started with a digit. - An issue where refresh rates were being restricted to 60Hz on some Intel i8xx systems Users of XFree86 should upgrade to these updated packages, which contain a backported patch and are not vulnerable to this issue. Important Copyright 2005 Red Hat, Inc. CVE-2005-2495 no refresh > 60 Hz for i810 (xtrans bug) Can't open display: 50dhcp26:0.0 X Font Server crashes when accessing Type 1 fonts via showfont. ia64 elfloader cache flush CAN-2005-2495 multiple integer overflows cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Sysreport is a utility that gathers information about a system's hardware and configuration. The information can then be used for diagnostic purposes and debugging. When run by the root user, sysreport includes the contents of the /etc/sysconfig/rhn/up2date configuration file. If up2date has been configured to connect to a proxy server that requires an authentication password, that password is included in plain text in the system report. The Common Vulnerabilities and Exposures project assigned the name CAN-2005-1760 to this issue. Users of sysreport should update to this erratum package, which contains a patch that removes any proxy authentication passwords. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-1760 CAN-2005-1760 sysreport includes proxy password in cleartext cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The telnet package provides a command line telnet client. Gaël Delalleau discovered an information disclosure issue in the way the telnet client handles messages from a server. An attacker could construct a malicious telnet server that collects information from the environment of any victim who connects to it. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0488 to this issue. Users of telnet should upgrade to this updated package, which contains a backported patch to correct this issue. Moderate Copyright 2007 Red Hat, Inc. CVE-2005-0488 CAN-2005-0488 telnet Information Disclosure Vulnerability cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Tcpdump is a command line tool for monitoring network traffic. A denial of service bug was found in tcpdump during the processing of certain network packets. It is possible for an attacker to inject a carefully crafted packet onto the network, crashing a running tcpdump session. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1267 to this issue. Users of tcpdump are advised to upgrade to these erratum packages, which contain backported security patches and are not vulnerable to these issues. Low Copyright 2005 Red Hat, Inc. CVE-2005-1267 CAN-2005-1267 tcpdump BGP DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 MikMod is a well known MOD music file player for UNIX-based systems. A buffer overflow bug was found in mikmod during the processing of archive filenames. An attacker could create a malicious archive that when opened by mikmod could result in arbitrary code execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0427 to this issue. Users of mikmod are advised to upgrade to these erratum packages, which contain backported security patches and are not vulnerable to these issues. Low Copyright 2005 Red Hat, Inc. CVE-2003-0427 CAN-2003-0427 mikmod flaw cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The Linux kernel handles the basic functions of the operating system. This is the second regular kernel update to Red Hat Enterprise Linux 4. New features introduced in this update include: - Audit support - systemtap - kprobes, relayfs - Keyring support - iSCSI Initiator - iscsi_sfnet 4:0.1.11-1 - Device mapper multipath support - Intel dual core support - esb2 chipset support - Increased exec-shield coverage - Dirty page tracking for HA systems - Diskdump -- allow partial diskdumps and directing to swap There were several bug fixes in various parts of the kernel. The ongoing effort to resolve these problems has resulted in a marked improvement in the reliability and scalability of Red Hat Enterprise Linux 4. The following security bugs were fixed in this update, detailed below with corresponding CAN names available from the Common Vulnerabilities and Exposures project (cve.mitre.org): - flaws in ptrace() syscall handling on 64-bit systems that allowed a local user to cause a denial of service (crash) (CAN-2005-0756, CAN-2005-1761, CAN-2005-1762, CAN-2005-1763) - flaws in IPSEC network handling that allowed a local user to cause a denial of service or potentially gain privileges (CAN-2005-2456, CAN-2005-2555) - a flaw in sendmsg() syscall handling on 64-bit systems that allowed a local user to cause a denial of service or potentially gain privileges (CAN-2005-2490) - a flaw in sendmsg() syscall handling that allowed a local user to cause a denial of service by altering hardware state (CAN-2005-2492) - a flaw that prevented the topdown allocator from allocating mmap areas all the way down to address zero (CAN-2005-1265) - flaws dealing with keyrings that could cause a local denial of service (CAN-2005-2098, CAN-2005-2099) - a flaw in the 4GB split patch that could allow a local denial of service (CAN-2005-2100) - a xattr sharing bug in the ext2 and ext3 file systems that could cause default ACLs to disappear (CAN-2005-2801) - a flaw in the ipt_recent module on 64-bit architectures which could allow a remote denial of service (CAN-2005-2872) The following device drivers have been upgraded to new versions: qla2100 --------- 8.00.00b21-k to 8.01.00b5-rh2 qla2200 --------- 8.00.00b21-k to 8.01.00b5-rh2 qla2300 --------- 8.00.00b21-k to 8.01.00b5-rh2 qla2322 --------- 8.00.00b21-k to 8.01.00b5-rh2 qla2xxx --------- 8.00.00b21-k to 8.01.00b5-rh2 qla6312 --------- 8.00.00b21-k to 8.01.00b5-rh2 megaraid_mbox --- 2.20.4.5 to 2.20.4.6 megaraid_mm ----- 2.20.2.5 to 2.20.2.6 lpfc ------------ 0:8.0.16.6_x2 to 0:8.0.16.17 cciss ----------- 2.6.4 to 2.6.6 ipw2100 --------- 1.0.3 to 1.1.0 tg3 ------------- 3.22-rh to 3.27-rh e100 ------------ 3.3.6-k2-NAPI to 3.4.8-k2-NAPI e1000 ----------- 5.6.10.1-k2-NAPI to 6.0.54-k2-NAPI 3c59x ----------- LK1.1.19 mptbase --------- 3.01.16 to 3.02.18 ixgb ------------ 1.0.66 to 1.0.95-k2-NAPI libata ---------- 1.10 to 1.11 sata_via -------- 1.0 to 1.1 sata_ahci ------- 1.00 to 1.01 sata_qstor ------ 0.04 sata_sil -------- 0.8 to 0.9 sata_svw -------- 1.05 to 1.06 s390: crypto ---- 1.31 to 1.57 s390: zfcp ------ s390: CTC-MPC --- s390: dasd ------- s390: cio ------- s390: qeth ------ All Red Hat Enterprise Linux 4 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum. Important Copyright 2005 Red Hat, Inc. CVE-2005-0756 CVE-2005-1265 CVE-2005-1761 CVE-2005-1762 CVE-2005-1763 CVE-2005-2098 CVE-2005-2099 CVE-2005-2100 CVE-2005-2456 CVE-2005-2490 CVE-2005-2492 CVE-2005-2555 CVE-2005-2801 CVE-2005-2872 CVE-2005-3105 CVE-2005-3274 CVE-2005-3275 CVE-2005-4886 CVE-2006-5871 RHEL4 U1: File Delegation, at least read-only. RHEL4: keyring support (OpenAFS enabler) Inspiron 8500 practically hangs when configuring b44 NIC with 1.5G memory tcsendbreak fails in compat mode RH40-beta1, embedded IDE/PCI drivers not honoring Sub ID's/Class code [PATCH] i2o_block timeout Adaptec 2400A raid card domain validation fails on DVD-305 when CD in drive Terminated threads' resource usage is hidden from procps System doesn't reboot even if kernel.panic is > 0 on RHEL-4 Beta-2. [RHEL4-U2][Diskdump] Partial dump Socket option IP_FREEBIND has no effect on SCTP socket. Socket option SO_BINDTODEVICE problems with SCTP listening socket. Sub-second mtime changes without modifying file [RHEL4RC1] chicony usb keyboard fails, with side effects NFSv3 over Kerberos: gss_get_mic FAILED during xdm login attempt Sense data errors are seen when trying to access a travan tape device Bug / data corruption on error handling in Ext3 under I/O failure condition highmem.c: fix bio error propagation kernel panic when tar'ing data to IDE Tape device nfsv4 callback authentication patch smp_apic_timer_interrupt() executes on kernel thread stack kernel BUG() at pageattr:107 with rmmod e1000 Kernel BUG at pageattr:107 Fusion MPT doesn't handle multiple PCI domains correctly LVM snapshots over md raid1 cause corruption ppc64 arches can crash when single setpping a debugger through syscall return code openipmi drivers missing compat_ioctl's on x86_64 kernel fail to mount nfs4 servers RHEL4 U1 Oracle 10G 10.0.3 aio hang running tpc-c assertion failrue in semaphore.h caused by perfmon spin_lock already locked by xfrm4_output kernel dm-emc: Fix spinlock reset kernel dm-multipath: multiple pg_inits can be issued in parallel CAN-2005-1762 x86_64 sysret exception leads to DoS oops when catting /proc/net/ip_conntrack_expect Debugger killed by kernel when looking at the lowest addressed vmalloc page add fix for IPMI/ACPI OOPS 20050313 SCSI tape security CAN-2005-2801 xattr sharing bug [RHEL4-U2][Diskdump] hangs when SCSI drive is busy [RHEL4-U2] Diskdump - swap partition support Serial console corrupt on boot Systemtap patches to be ported to RHEL4 U2 kernel sysctl -A returns an error [not quite PATCH] tg3 driver crashes kernel with BCM5752 chip, newer driver is OK Serial console turns into garbage after initialising 16550A nfs server intermitently claims ENOENT on existing files or directories CAN-2005-1265 Prevent NULL mmap in topdown model Annoying i2o_config kernel module messages during raidutil run 32-bit GETBLKSIZE ioctl overflows incorrectly on 64-bit hosts. [Patch] modprobling a module signed with a key not known to the kernel can result in a panic. proc and sysctl interface for lockd grace period do not work CAN-2005-1761 local user can use ptrace to crash system [Stratus RHEL4U2] csb5 functions are tagged with __init. This causes a crash in a hot-plug environment RHEL4 Data corruption in spite of using O_SYNC CAN-2005-0756 x86_64 crash (ptrace-check-segment) CAN-2005-1763 x86_64 crash (x86_64-ptrace-overflow) Kernel BUG at pageattr:107 audit: file system and user space filtering by auid audit: teach OOM killer about auditd audit: file system attribute change tracking audit:PATH record mode flags are wrong sometimes audit: file system watch on block device when removing scsi hosts commands are not leaked when removing scsi hosts commands are not leaked audit: kernel audits auditd cable link state ignored on ethernet card (b44). fixes exec-shield to not randomize to between end-of-binary and start-of-brk i2o RAID monitoring memory leak Need export of generic_drop_inode for OCFS2 support 'mt tell' fails - backported kernel bug likely Bluetooth paring did not work anymore since update to 2.6.9-11.EL GET_INDEX macro in aspm pci fixup code can overwrite end of the array kernel panic when rm -rf directory structure on tmpfs filesystem only the main thread is shown by top(1) irq stacks not being used for hardirqs interrupt handlers run on thread's kernel stack JBD race during shutdown of a journal /dev/tty won't open during blocking /dev/ttyS1 open Placeholder for 2.6.x SATA update 20050724-1 Export sys_recvmesg for cluster snapshot fix aio hang when reading beyond EOF RHEL4 [NETFILTER]: Fix deadlock in ip6_queue. [NETFILTER]: Fix potential memory corruption in NAT code (aka memory NAT) pci_scan_device can cause master abort panic while running fsstress to a filesystem on a mirror CAN-2005-2098 Error during attempt to join key management session can leave semaphore pinned CAN-2005-2099 Destruction of failed keyring oopses acpi_processor_get_performance_states fails on empty table entries (_PSS) audit - syscall performance mirrors possibly reporting invalid blocks to the filesystem cpufreq driver hangs when using SMP Powernow CAN-2005-2100 4G/4G split bounds checking CAN-2005-2456 IPSEC overflow ext on top of mirror attempts to access beyond end of device: dm-5: rw=0, want=16304032720, limit=20971520 CAN-2005-2555 IPSEC lacks restrictions CAN-2005-2490 sendmsg compat stack overflow CAN-2005-2492 sendmsg DoS bad elf check in module-verify.c [RFC] [RHEL4 U2 patch] dual-core detection gap for i386 build LTC17960-Kernel panic at key_put+0x4/0x19 [REGRESSION] CAN-2005-2872 ipt_recent crash LTC18014-powernow-k8 debug messages are enabled cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 HelixPlayer is a media player. A buffer overflow bug was found in the way HelixPlayer processes SMIL files. An attacker could create a specially crafted SMIL file, which when combined with a malicious web server, could execute arbitrary code when opened by a user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1766 to this issue. All users of HelixPlayer are advised to upgrade to this updated package, which contains HelixPlayer version 10.0.5 and is not vulnerable to this issue. Critical Copyright 2005 Red Hat, Inc. CVE-2005-1766 CAN-2005-1766 HelixPlayer heap overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The Gaim application is a multi-protocol instant messaging client. Jacopo Ottaviani discovered a bug in the way Gaim handles Yahoo! Messenger file transfers. It is possible for a malicious user to send a specially crafted file transfer request that causes Gaim to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1269 to this issue. Additionally, Hugo de Bokkenrijder discovered a bug in the way Gaim parses MSN Messenger messages. It is possible for a malicious user to send a specially crafted MSN Messenger message that causes Gaim to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1934 to this issue. Users of gaim are advised to upgrade to this updated package, which contains version 1.3.1 and is not vulnerable to these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-1269 CVE-2005-1934 CAN-2005-1269 Gaim yahoo utf8 crasher CAN-2005-1934 Gaim MSN protocol DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 FreeRADIUS is a high-performance and highly configurable free RADIUS server designed to allow centralized authentication and authorization for a network. A buffer overflow bug was found in the way FreeRADIUS escapes data in an SQL query. An attacker may be able to crash FreeRADIUS if they cause FreeRADIUS to escape a string containing three or less characters. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1454 to this issue. Additionally a bug was found in the way FreeRADIUS escapes SQL data. It is possible that an authenticated user could execute arbitrary SQL queries by sending a specially crafted request to FreeRADIUS. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1455 to this issue. Users of FreeRADIUS should update to these erratum packages, which contain backported patches and are not vulnerable to these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-1454 CVE-2005-1455 CAN-2005-1454 Multiple issues in freeradius (CAN-2005-1455) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. An error in the way OpenSSH handled GSSAPI credential delegation was discovered. OpenSSH as distributed with Red Hat Enterprise Linux 4 contains support for GSSAPI user authentication, typically used for supporting Kerberos. On OpenSSH installations which have GSSAPI enabled, this flaw could allow a user who sucessfully authenticates using a method other than GSSAPI to be delegated with GSSAPI credentials. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-2798 to this issue. Additionally, the following bugs have been addressed: The ssh command incorrectly failed when it was issued by the root user with a non-default group set. The sshd daemon could fail to properly close the client connection if multiple X clients were forwarded over the connection and the client session exited. The sshd daemon could bind only on the IPv6 address family for X forwarding if the port on IPv4 address family was already bound. The X forwarding did not work in such cases. This update also adds support for recording login user IDs for the auditing service. The user ID is attached to the audit records generated from the user's session. All users of openssh should upgrade to these updated packages, which contain backported patches to resolve these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-2798 CVE-2008-1483 sshd update for new audit system CAN-2005-2798 Improper GSSAPI credential delegation cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The sudo (superuser do) utility allows system administrators to give certain users the ability to run commands as root with logging. A race condition bug was found in the way sudo handles pathnames. It is possible that a local user with limited sudo access could create a race condition that would allow the execution of arbitrary commands as the root user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1993 to this issue. Users of sudo should update to this updated package, which contains a backported patch and is not vulnerable to this issue. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-1993 CAN-2005-1993 sudo trusted user arbitrary command execution cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Ruby is an interpreted scripting language for object-oriented programming. A bug was found in the way Ruby launched an XMLRPC server. If an XMLRPC server is launched in a certain way, it becomes possible for a remote attacker to execute arbitrary commands within the XMLRPC server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1992 to this issue. Users of Ruby should update to these erratum packages, which contain a backported patch and are not vulnerable to this issue. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-1992 CAN-2005-1992 ruby arbitrary command execution on XMLRPC server cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. This includes the core files necessary for both the OpenSSH client and server. A bug was found in the way the OpenSSH server handled the MaxStartups and LoginGraceTime configuration variables. A malicious user could connect to the SSH daemon in such a way that it would prevent additional logins from occuring until the malicious connections are closed. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-2069 to this issue. Additionally, the following issues are resolved with this update: - The -q option of the ssh client did not suppress the banner message sent by the server, which caused errors when used in scripts. - The sshd daemon failed to close the client connection if multiple X clients were forwarded over the connection and the client session exited. - The sftp client leaked memory if used for extended periods. - The sshd daemon called the PAM functions incorrectly if the user was unknown on the system. All users of openssh should upgrade to these updated packages, which contain backported patches and resolve these issues. Low Copyright 2005 Red Hat, Inc. CVE-2004-2069 [PATCH] SSH -q flag does not suppress banner text sftp over a persistent connection (days/weeks) develops a memory leak. CAN-2004-2069 openssh DoS issue cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Kerberos is a networked authentication system which uses a trusted third party (a KDC) to authenticate clients and servers to each other. A double-free flaw was found in the krb5_recvauth() routine which may be triggered by a remote unauthenticated attacker. Although no exploit is currently known to exist, this issue could potentially be exploited to allow arbitrary code execution on a Key Distribution Center (KDC). The Common Vulnerabilities and Exposures project assigned the name CAN-2005-1689 to this issue. Daniel Wachdorf discovered a single byte heap overflow in the krb5_unparse_name() function, part of krb5-libs. Sucessful exploitation of this flaw would lead to a denial of service (crash). To trigger this flaw an attacker would need to have control of a kerberos realm that shares a cross-realm key with the target, making exploitation of this flaw unlikely. (CAN-2005-1175). Gaël Delalleau discovered an information disclosure issue in the way some telnet clients handle messages from a server. An attacker could construct a malicious telnet server that collects information from the environment of any victim who connects to it using the Kerberos-aware telnet client (CAN-2005-0488). The rcp protocol allows a server to instruct a client to write to arbitrary files outside of the current directory. This could potentially cause a security issue if a user uses the Kerberos-aware rcp to copy files from a malicious server (CAN-2004-0175). All users of krb5 should update to these erratum packages which contain backported patches to correct these issues. Red Hat would like to thank the MIT Kerberos Development Team for their responsible disclosure of these issues. Critical Copyright 2007 Red Hat, Inc. CVE-2004-0175 CVE-2005-0488 CVE-2005-1175 CVE-2005-1689 CAN-2005-0488 telnet Information Disclosure Vulnerability CAN-2005-1689 double-free in krb5_recvauth krb5 krb5_principal_compare NULL pointer crash CAN-2004-0175 malicious rsh server can cause rcp to write to arbitrary files CAN-2005-1175 krb5 buffer overflow in KDC cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A bug was discovered in the PEAR XML-RPC Server package included in PHP. If a PHP script is used which implements an XML-RPC Server using the PEAR XML-RPC package, then it is possible for a remote attacker to construct an XML-RPC request which can cause PHP to execute arbitrary PHP commands as the 'apache' user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1921 to this issue. When using the default SELinux "targeted" policy on Red Hat Enterprise Linux 4, the impact of this issue is reduced since the scripts executed by PHP are constrained within the httpd_sys_script_t security context. A race condition in temporary file handling was discovered in the shtool script installed by PHP. If a third-party PHP module which uses shtool was compiled as root, a local user may be able to modify arbitrary files. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1751 to this issue. Users of PHP should upgrade to these updated packages, which contain backported fixes for these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-1751 CVE-2005-1921 Incorrect descriptions for php-ncurses and php-gd packages CAN-2005-1751 shtool insecure temporary file creation CAN-2005-1921 PHP PEAR XML_RPC arbitrary code execution cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Kerberos is a networked authentication system that uses a trusted third party (a KDC) to authenticate clients and servers to each other. A double-free flaw was found in the krb5_recvauth() routine which may be triggered by a remote unauthenticated attacker. Red Hat Enterprise Linux 4 contains checks within glibc that detect double-free flaws. Therefore, on Red Hat Enterprise Linux 4 successful exploitation of this issue can only lead to a denial of service (KDC crash). The Common Vulnerabilities and Exposures project assigned the name CAN-2005-1689 to this issue. Daniel Wachdorf discovered a single byte heap overflow in the krb5_unparse_name() function, part of krb5-libs. Sucessful exploitation of this flaw would lead to a denial of service (crash). To trigger this flaw an attacker would need to have control of a kerberos realm that shares a cross-realm key with the target, making exploitation of this flaw unlikely. (CAN-2005-1175). Daniel Wachdorf also discovered that in error conditions that may occur in response to correctly-formatted client requests, the Kerberos 5 KDC may attempt to free uninitialized memory. This could allow a remote attacker to cause a denial of service (KDC crash) (CAN-2005-1174). Gaël Delalleau discovered an information disclosure issue in the way some telnet clients handle messages from a server. An attacker could construct a malicious telnet server that collects information from the environment of any victim who connects to it using the Kerberos-aware telnet client (CAN-2005-0488). The rcp protocol allows a server to instruct a client to write to arbitrary files outside of the current directory. This could potentially cause a security issue if a user uses the Kerberos-aware rcp to copy files from a malicious server (CAN-2004-0175). All users of krb5 should update to these erratum packages, which contain backported patches to correct these issues. Red Hat would like to thank the MIT Kerberos Development Team for their responsible disclosure of these issues. Important Copyright 2007 Red Hat, Inc. CVE-2004-0175 CVE-2005-1174 CVE-2005-1175 CVE-2005-1689 CAN-2005-1174 krb5 buffer overflow, heap corruption in KDC (CAN-2005-1175) CAN-2005-0488 telnet Information Disclosure Vulnerability CAN-2005-1689 double-free in krb5_recvauth krb5 krb5_principal_compare NULL pointer crash CAN-2004-0175 malicious rsh server can cause rcp to write to arbitrary files cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Zlib is a general-purpose lossless data compression library which is used by many different programs. Tavis Ormandy discovered a buffer overflow affecting Zlib version 1.2 and above. An attacker could create a carefully crafted compressed stream that would cause an application to crash if the stream is opened by a user. As an example, an attacker could create a malicious PNG image file which would cause a web browser or mail viewer to crash if the image is viewed. The Common Vulnerabilities and Exposures project assigned the name CAN-2005-2096 to this issue. Please note that the versions of Zlib as shipped with Red Hat Enterprise Linux 2.1 and 3 are not vulnerable to this issue. All users should update to these erratum packages which contain a patch from Mark Adler which corrects this issue. Important Copyright 2005 Red Hat, Inc. CVE-2005-2096 CAN-2005-2096 zlib buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX(R) operating systems. When processing a request, the CUPS scheduler would use case-sensitive matching on the queue name to decide which authorization policy should be used. However, queue names are not case-sensitive. An unauthorized user could print to a password-protected queue without needing a password. The Common Vulnerabilities and Exposures project has assigned the name CAN-2005-2154 to this issue. Please note that the version of CUPS included in Red Hat Enterprise Linux 4 is not vulnerable to this issue. All users of CUPS should upgrade to these erratum packages which contain a backported patch to correct this issue. Moderate Copyright 2005 Red Hat, Inc. CVE-2004-2154 CAN-2004-2154 <Location ...> directive is case-sensitive in cupsd.conf but should not cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 The Apache HTTP Server is a powerful, full-featured, efficient, and freely-available Web server. Watchfire reported a flaw that occured when using the Apache server as an HTTP proxy. A remote attacker could send an HTTP request with both a "Transfer-Encoding: chunked" header and a "Content-Length" header. This caused Apache to incorrectly handle and forward the body of the request in a way that the receiving server processes it as a separate HTTP request. This could allow the bypass of Web application firewall protection or lead to cross-site scripting (XSS) attacks. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CAN-2005-2088 to this issue. Marc Stern reported an off-by-one overflow in the mod_ssl CRL verification callback. In order to exploit this issue the Apache server would need to be configured to use a malicious certificate revocation list (CRL). The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CAN-2005-1268 to this issue. Users of Apache httpd should update to these errata packages that contain backported patches to correct these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-1268 CVE-2005-2088 Bug 145666 is missing a ',' after REDIRECT_REMOTE_USER CAN-2005-2088 httpd proxy request smuggling CAN-2005-1268 mod_ssl off-by-one cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Zlib is a general-purpose lossless data compression library that is used by many different programs. A previous zlib update, RHSA-2005:569 (CAN-2005-2096) fixed a flaw in zlib that could allow a carefully crafted compressed stream to crash an application. While the original patch corrected the reported overflow, Markus Oberhumer discovered additional ways a stream could trigger an overflow. An attacker could create a carefully crafted compressed stream that would cause an application to crash if the stream is opened by a user. As an example, an attacker could create a malicious PNG image file that would cause a Web browser or mail viewer to crash if the image is viewed. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CAN-2005-1849 to this issue. Note that the versions of zlib shipped with Red Hat Enterprise Linux 2.1 and 3 are not vulnerable to this issue. All users should update to these errata packages that contain a patch from Mark Adler that corrects this issue. Important Copyright 2005 Red Hat, Inc. CVE-2005-1849 CAN-2005-1849 zlib buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Mozilla Firefox is an open source Web browser. A bug was found in the way Firefox handled synthetic events. It is possible that Web content could generate events such as keystrokes or mouse clicks that could be used to steal data or execute malicious JavaScript code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-2260 to this issue. A bug was found in the way Firefox executed Javascript in XBL controls. It is possible for a malicious webpage to leverage this vulnerability to execute other JavaScript based attacks even when JavaScript is disabled. (CAN-2005-2261) A bug was found in the way Firefox set an image as the desktop wallpaper. If a user chooses the "Set As Wallpaper..." context menu item on a specially crafted image, it is possible for an attacker to execute arbitrary code on a victim's machine. (CAN-2005-2262) A bug was found in the way Firefox installed its extensions. If a user can be tricked into visiting a malicious webpage, it may be possible to obtain sensitive information such as cookies or passwords. (CAN-2005-2263) A bug was found in the way Firefox handled the _search target. It is possible for a malicious website to inject JavaScript into an already open webpage. (CAN-2005-2264) A bug was found in the way Firefox handled certain Javascript functions. It is possible for a malicious web page to crash the browser by executing malformed Javascript code. (CAN-2005-2265) A bug was found in the way Firefox handled multiple frame domains. It is possible for a frame as part of a malicious web site to inject content into a frame that belongs to another domain. This issue was previously fixed as CAN-2004-0718 but was accidentally disabled. (CAN-2005-1937) A bug was found in the way Firefox handled child frames. It is possible for a malicious framed page to steal sensitive information from its parent page. (CAN-2005-2266) A bug was found in the way Firefox opened URLs from media players. If a media player opens a URL that is JavaScript, JavaScript is executed with access to the currently open webpage. (CAN-2005-2267) A design flaw was found in the way Firefox displayed alerts and prompts. Alerts and prompts were given the generic title [JavaScript Application] which prevented a user from knowing which site created them. (CAN-2005-2268) A bug was found in the way Firefox handled DOM node names. It is possible for a malicious site to overwrite a DOM node name, allowing certain privileged chrome actions to execute the malicious JavaScript. (CAN-2005-2269) A bug was found in the way Firefox cloned base objects. It is possible for Web content to navigate up the prototype chain to gain access to privileged chrome objects. (CAN-2005-2270) Users of Firefox are advised to upgrade to this updated package that contains Firefox version 1.0.6 and is not vulnerable to these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-1937 CVE-2005-2114 CVE-2005-2260 CVE-2005-2261 CVE-2005-2262 CVE-2005-2263 CVE-2005-2264 CVE-2005-2265 CVE-2005-2266 CVE-2005-2267 CVE-2005-2268 CVE-2005-2269 CVE-2005-2270 CAN-2005-1937 multiple firefox security issues (CAN-2005-2260 CAN-2005-2261 CAN-2005-2262 CAN-2005-2263 CAN-2005-2264 CAN-2005-2265 CAN-2005-2266 CAN-2005-2267 CAN-2005-2268 CAN-2005-2269 CAN-2005-2270) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 Mozilla is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. A bug was found in the way Mozilla handled synthetic events. It is possible that Web content could generate events such as keystrokes or mouse clicks that could be used to steal data or execute malicious Javascript code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-2260 to this issue. A bug was found in the way Mozilla executed Javascript in XBL controls. It is possible for a malicious webpage to leverage this vulnerability to execute other JavaScript based attacks even when JavaScript is disabled. (CAN-2005-2261) A bug was found in the way Mozilla installed its extensions. If a user can be tricked into visiting a malicious webpage, it may be possible to obtain sensitive information such as cookies or passwords. (CAN-2005-2263) A bug was found in the way Mozilla handled certain Javascript functions. It is possible for a malicious webpage to crash the browser by executing malformed Javascript code. (CAN-2005-2265) A bug was found in the way Mozilla handled multiple frame domains. It is possible for a frame as part of a malicious website to inject content into a frame that belongs to another domain. This issue was previously fixed as CAN-2004-0718 but was accidentally disabled. (CAN-2005-1937) A bug was found in the way Mozilla handled child frames. It is possible for a malicious framed page to steal sensitive information from its parent page. (CAN-2005-2266) A bug was found in the way Mozilla opened URLs from media players. If a media player opens a URL which is Javascript, the Javascript executes with access to the currently open webpage. (CAN-2005-2267) A design flaw was found in the way Mozilla displayed alerts and prompts. Alerts and prompts were given the generic title [JavaScript Application] which prevented a user from knowing which site created them. (CAN-2005-2268) A bug was found in the way Mozilla handled DOM node names. It is possible for a malicious site to overwrite a DOM node name, allowing certain privileged chrome actions to execute the malicious Javascript. (CAN-2005-2269) A bug was found in the way Mozilla cloned base objects. It is possible for Web content to traverse the prototype chain to gain access to privileged chrome objects. (CAN-2005-2270) Users of Mozilla are advised to upgrade to these updated packages, which contain Mozilla version 1.7.10 and are not vulnerable to these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-1937 CVE-2005-2114 CVE-2005-2260 CVE-2005-2261 CVE-2005-2263 CVE-2005-2265 CVE-2005-2266 CVE-2005-2267 CVE-2005-2268 CVE-2005-2269 CVE-2005-2270 CAN-2005-1937 multiple mozilla issues (CAN-2005-2260 CAN-2005-2261 CAN-2005-2263 CAN-2005-2265 CAN-2005-2266 CAN-2005-2267 CAN-2005-2268 CAN-2005-2269 CAN-2005-2270) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 SquirrelMail is a standards-based webmail package written in PHP4. A bug was found in the way SquirrelMail handled the $_POST variable. If a user is tricked into visiting a malicious URL, the user's SquirrelMail preferences could be read or modified. The Common Vulnerabilities and Exposures project assigned the name CAN-2005-2095 to this issue. Several cross-site scripting bugs were discovered in SquirrelMail. An attacker could inject arbitrary Javascript or HTML content into SquirrelMail pages by tricking a user into visiting a carefully crafted URL, or by sending them a carefully constructed HTML email message. The Common Vulnerabilities and Exposures project assigned the name CAN-2005-1769 to this issue. All users of SquirrelMail should upgrade to this updated package, which contains backported patches that resolve these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-2095 CVE-2005-1769 CAN-2005-1769 Multiple XSS issues in squirrelmail CAN-2005-2095 squirrelmail cross site posting issue cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 Sysreport is a utility that gathers information about a system's hardware and configuration. The information can then be used for diagnostic purposes and debugging. Bill Stearns discovered a bug in the way sysreport creates temporary files. It is possible that a local attacker could obtain sensitive information about the system when sysreport is run. The Common Vulnerabilities and Exposures project assigned the name CAN-2005-2104 to this issue. Users of sysreport should update to this erratum package, which contains a patch that resolves this issue. Low Copyright 2005 Red Hat, Inc. CVE-2005-2104 CAN-2005-2104 sysreport insecure temporary directory usage cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Mozilla Thunderbird is a standalone mail and newsgroup client. A bug was found in the way Thunderbird handled anonymous functions during regular expression string replacement. It is possible for a malicious HTML mail to capture a random block of client memory. The Common Vulnerabilities and Exposures project has assigned this bug the name CAN-2005-0989. A bug was found in the way Thunderbird validated several XPInstall related JavaScript objects. A malicious HTML mail could pass other objects to the XPInstall objects, resulting in the JavaScript interpreter jumping to arbitrary locations in memory. (CAN-2005-1159) A bug was found in the way the Thunderbird privileged UI code handled DOM nodes from the content window. An HTML message could install malicious JavaScript code or steal data when a user performs commonplace actions such as clicking a link or opening the context menu. (CAN-2005-1160) A bug was found in the way Thunderbird executed JavaScript code. JavaScript executed from HTML mail should run with a restricted access level, preventing dangerous actions. It is possible that a malicious HTML mail could execute JavaScript code with elevated privileges, allowing access to protected data and functions. (CAN-2005-1532) A bug was found in the way Thunderbird executed Javascript in XBL controls. It is possible for a malicious HTML mail to leverage this vulnerability to execute other JavaScript based attacks even when JavaScript is disabled. (CAN-2005-2261) A bug was found in the way Thunderbird handled certain Javascript functions. It is possible for a malicious HTML mail to crash the client by executing malformed Javascript code. (CAN-2005-2265) A bug was found in the way Thunderbird handled child frames. It is possible for a malicious framed HTML mail to steal sensitive information from its parent frame. (CAN-2005-2266) A bug was found in the way Thunderbird handled DOM node names. It is possible for a malicious HTML mail to overwrite a DOM node name, allowing certain privileged chrome actions to execute the malicious JavaScript. (CAN-2005-2269) A bug was found in the way Thunderbird cloned base objects. It is possible for HTML content to navigate up the prototype chain to gain access to privileged chrome objects. (CAN-2005-2270) Users of Thunderbird are advised to upgrade to this updated package that contains Thunderbird version 1.0.6 and is not vulnerable to these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-0989 CVE-2005-1159 CVE-2005-1160 CVE-2005-1532 CVE-2005-2261 CVE-2005-2265 CVE-2005-2266 CVE-2005-2269 CVE-2005-2270 CAN-2005-0989 multiple thunderbird issues (CAN-2005-1159 CAN-2005-1160 CAN-2005-1532 CAN-2005-2261 CAN-2005-2265 CAN-2005-2266 CAN-2005-2269 CAN-2005-2270) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 The Apache HTTP Server is a popular and freely-available Web server. A flaw was discovered in mod_ssl's handling of the "SSLVerifyClient" directive. This flaw occurs if a virtual host is configured using "SSLVerifyClient optional" and a directive "SSLVerifyClient required" is set for a specific location. For servers configured in this fashion, an attacker may be able to access resources that should otherwise be protected, by not supplying a client certificate when connecting. The Common Vulnerabilities and Exposures project assigned the name CAN-2005-2700 to this issue. A flaw was discovered in Apache httpd where the byterange filter would buffer certain responses into memory. If a server has a dynamic resource such as a CGI script or PHP script that generates a large amount of data, an attacker could send carefully crafted requests in order to consume resources, potentially leading to a Denial of Service. (CAN-2005-2728) Users of Apache httpd should update to these errata packages that contain backported patches to correct these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-2700 CVE-2005-2728 CAN-2005-2728 byterange memory DoS CAN-2005-2700 SSLVerifyClient flaw cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 kdelibs contains libraries for the K Desktop Environment. A flaw was discovered affecting Kate, the KDE advanced text editor, and Kwrite. Depending on system settings, it may be possible for a local user to read the backup files created by Kate or Kwrite. The Common Vulnerabilities and Exposures project assigned the name CAN-2005-1920 to this issue. Please note this issue does not affect Red Hat Enterprise Linux 3 or 2.1. Users of Kate or Kwrite should update to these errata packages which contains a backported patch from the KDE security team correcting this issue. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-1920 CAN-2005-1920 Kate backup file permissions leak cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Gaim is an Internet Messaging client. A heap based buffer overflow issue was discovered in the way Gaim processes away messages. A remote attacker could send a specially crafted away message to a Gaim user logged into AIM or ICQ that could result in arbitrary code execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-2103 to this issue. Daniel Atallah discovered a denial of service issue in Gaim. A remote attacker could attempt to upload a file with a specially crafted name to a user logged into AIM or ICQ, causing Gaim to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-2102 to this issue. A denial of service bug was found in Gaim's Gadu Gadu protocol handler. A remote attacker could send a specially crafted message to a Gaim user logged into Gadu Gadu, causing Gaim to crash. Please note that this issue only affects PPC and IBM S/390 systems running Gaim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-2370 to this issue. Users of gaim are advised to upgrade to this updated package, which contains backported patches and is not vulnerable to these issues. Critical Copyright 2005 Red Hat, Inc. CVE-2005-2102 CVE-2005-2103 CVE-2005-2370 CAN-2005-2370 gadu gadu memory alignment issue CAN-2005-2102 gaim AIM invalid filename DoS CAN-2005-2103 Gaim malformed away message remote code execution cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The kdenetwork package contains networking applications for the K Desktop Environment. Kopete is a KDE instant messenger which supports a number of protocols including ICQ, MSN, Yahoo, Jabber, and Gadu-Gadu. Multiple integer overflow flaws were found in the way Kopete processes Gadu-Gadu messages. A remote attacker could send a specially crafted Gadu-Gadu message which would cause Kopete to crash or possibly execute arbitrary code. The Common Vulnerabilities and Exposures project assigned the name CAN-2005-1852 to this issue. In order to be affected by this issue, a user would need to have registered with Gadu-Gadu and be signed in to the Gadu-Gadu server in order to receive a malicious message. In addition, Red Hat believes that the Exec-shield technology (enabled by default in Red Hat Enterprise Linux 4) would block attempts to remotely exploit this vulnerability. Note that this issue does not affect Red Hat Enterprise Linux 2.1 or 3. Users of Kopete should update to these packages which contain a patch to correct this issue. Critical Copyright 2005 Red Hat, Inc. CVE-2005-1852 CVE-2005-2369 CVE-2005-2370 CVE-2005-2448 CAN-2005-1852 Kopete gadu-gadu flaws cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Fetchmail is a remote mail retrieval and forwarding utility. A buffer overflow was discovered in fetchmail's POP3 client. A malicious server could cause send a carefully crafted message UID and cause fetchmail to crash or potentially execute arbitrary code as the user running fetchmail. The Common Vulnerabilities and Exposures project assigned the name CAN-2005-2335 to this issue. Users of fetchmail should update to this erratum package which contains a backported patch to correct this issue. Important Copyright 2005 Red Hat, Inc. CVE-2005-2335 CAN-2005-2335 fetchmail overflow from malicious pop3 server cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Binutils is a collection of utilities used for the creation of executable code. A number of bugs were found in various binutils tools. Several integer overflow bugs were found in binutils. If a user is tricked into processing a specially crafted executable with utilities such as readelf, size, strings, objdump, or nm, it may allow the execution of arbitrary code as the user running the utility. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1704 to this issue. Additionally, the following bugs have been fixed: -- correct alignment of .tbss section if the requested alignment of .tbss is bigger than requested alignment of .tdata section -- by default issue an error if IA-64 hint@pause instruction is put into the B slot, add assembler command line switch to override this behaviour All users of binutils should upgrade to this updated package, which contains backported patches to resolve these issues. Low Copyright 2005 Red Hat, Inc. CVE-2005-1704 gcc produces inadequate alignment for __thread vars CAN-2005-1704 Integer overflow in the Binary File Descriptor (BFD) library cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Linux kernel handles the basic functions of the operating system. This is the sixth regular kernel update to Red Hat Enterprise Linux 3. New features introduced by this update include: - diskdump support on HP Smart Array devices - netconsole/netdump support over bonded interfaces - new chipset and device support via PCI table updates - support for new "oom-kill" and "kscand_work_percent" sysctls - support for dual core processors and ACPI Power Management timers on AMD64 and Intel EM64T systems There were many bug fixes in various parts of the kernel. The ongoing effort to resolve these problems has resulted in a marked improvement in the reliability and scalability of Red Hat Enterprise Linux 3. There were numerous driver updates and security fixes (elaborated below). Other key areas affected by fixes in this update include kswapd, inode handling, the SATA subsystem, diskdump handling, ptrace() syscall support, and signal handling. The following device drivers have been upgraded to new versions: 3w-9xxx ---- 2.24.03.008RH cciss ------ 2.4.58.RH1 e100 ------- 3.4.8-k2 e1000 ------ 6.0.54-k2 emulex ----- 7.3.2 fusion ----- 2.06.16i.01 iscsi ------ 3.6.2.1 ipmi ------- 35.4 lpfcdfc ---- 1.2.1 qlogic ----- 7.05.00-RH1 tg3 -------- 3.27RH The following security bugs were fixed in this update: - a flaw in syscall argument checking on Itanium systems that allowed a local user to cause a denial of service (crash) (CAN-2005-0136) - a flaw in stack expansion that allowed a local user of mlockall() to cause a denial of service (memory exhaustion) (CAN-2005-0179) - a small memory leak in network packet defragmenting that allowed a remote user to cause a denial of service (memory exhaustion) on systems using netfilter (CAN-2005-0210) - flaws in ptrace() syscall handling on AMD64 and Intel EM64T systems that allowed a local user to cause a denial of service (crash) (CAN-2005-0756, CAN-2005-1762, CAN-2005-2553) - flaws in ISO-9660 file system handling that allowed the mounting of an invalid image on a CD-ROM to cause a denial of service (crash) or potentially execute arbitrary code (CAN-2005-0815) - a flaw in ptrace() syscall handling on Itanium systems that allowed a local user to cause a denial of service (crash) (CAN-2005-1761) - a flaw in the alternate stack switching on AMD64 and Intel EM64T systems that allowed a local user to cause a denial of service (crash) (CAN-2005-1767) - race conditions in the ia32-compat support for exec() syscalls on AMD64, Intel EM64T, and Itanium systems that could allow a local user to cause a denial of service (crash) (CAN-2005-1768) - flaws in IPSEC network handling that allowed a local user to cause a denial of service or potentially gain privileges (CAN-2005-2456, CAN-2005-2555) - a flaw in sendmsg() syscall handling on 64-bit systems that allowed a local user to cause a denial of service or potentially gain privileges (CAN-2005-2490) - flaws in unsupported modules that allowed denial-of-service attacks (crashes) or local privilege escalations on systems using the drm, coda, or moxa modules (CAN-2004-1056, CAN-2005-0124, CAN-2005-0504) - potential leaks of kernel data from jfs and ext2 file system handling (CAN-2004-0181, CAN-2005-0400) Note: The kernel-unsupported package contains various drivers and modules that are unsupported and therefore might contain security problems that have not been addressed. All Red Hat Enterprise Linux 3 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum. Important Copyright 2005 Red Hat, Inc. CVE-2004-0181 CVE-2004-1056 CVE-2005-0124 CVE-2005-0136 CVE-2005-0179 CVE-2005-0210 CVE-2005-0400 CVE-2005-0504 CVE-2005-0756 CVE-2005-0815 CVE-2005-1761 CVE-2005-1762 CVE-2005-1767 CVE-2005-1768 CVE-2005-2456 CVE-2005-2490 CVE-2005-2553 CVE-2005-2555 CVE-2005-3273 CVE-2005-3274 Request for enhancement for callback function iostat -x shows infeasible avgqu-sz results and max util LTC3549 - ps wchan broken Existence of race condition in Linux SD driver that leads to a deadlock symbolic links have invalid permissions RHEL3_U4 Data corruption in spite of using O_SYNC System can hang while running multiple instances of fdisk CVE-2004-0181 jfs infoleak microcode_ctl errors with modprobe: Can't locate module char-major-10-184 LUN i not getting registered Opteron gettimeofday granularity problem RHEL3 U6: Diskdump support for Compaq Smart Array Controllers (cciss) iostat -x 1 5 give bogus statistics... RHEL3 U4: need netdump to work with the bonding driver gart errors when using 2.4.21-15.0.3.EL.smp or -9.0.1 on AMD64 quad system [Patch] Simultaneous calls to open() on a usb device hangs the kernel __put_task_struct unresolved when loading externally compiled module char-major-10-184 microcode error with kernel 2.4.21-15.ELhugemem bogus data in /proc/partitions for IDE whole-disk device Extraneous data in option name for scsi_mod gart errors when using 2.4.21-20.EL on HP DL585 CVE-2004-1056 insufficient locking checks in DRM code RHEL3 U5: netdump does not work over bonded interfaces System hangs for 15-45 seconds on RHEL3 / kernel 2.4.21-20.EL "fdisk -l" broken when over 26 EMC Powerpath disks Only 16 EMC powerpath LUNs usable with LVM1 error unmounting /var filesystem while shutdown Potential kernel DOS 'ghosted' autofs shares disappear Unable to umount /var during shutdown process when connected with ssh [PATCH] Stale POSIX flock CVE-2005-0179 RLIMIT_MEMLOCK bypass and (2.6) unprivileged user DoS Kernel panic in shutdown path when iSCSI LUNs are mounted netdump client/server problems Use of bonding driver in mode 5 can cause multicast packet loss high loads / high iowait / up 100% cpu time for kscand on oracle box CVE-2005-0124 Coverity: coda fs flaw CVE-2005-0504 moxa CAP_SYS_RAWIO missing (-unsupported) Need openIPMI driver to work with IBM's x336 BMC [PATCH] FEAT: RHEL3 U6: Enable dual-core processors from Intel CVE-2005-0136 ptrace corner cases on ia64 Oracle 8 import of Oracle 9 database can lock system. LTC13257-LTPstress sigaction01 Testcase Ends up Segmentation Fault [PATCH] Kernel panic (EIP is at find_inode) No data avaliable for eth card panic at ia64_leave_kernel [kernel] 0x1 (2.4.21-27.EL) Don't oom kill TASK_UNINTERRUPTIBLE processes e1000 has memory leak when run continuously getting new dhcp leases. Over time, autofs leaks kernel memory in the size-256 slab kernel panic when bringing up and down multiple interfaces simultaneously sk98lin driver drops udp packets 8GB SMP servers appear to hang in VM subsystem under stress CVE-2005-0400 ext2 mkdir() directory entry random kernel memory leak CVE-2005-0815 isofs range checking flaws [RHEL3-U6][Diskdump] Backtrace of OS_INIT doesn't work RHEL3 U4 - kswapd/rpciod deadlock [Texas Instruments] nfs bindresvport: Address already in use [RHEL3 U6] diskdump fails with block_order=8 [RHEL3 U6] Diskdump fails if module parameter 'block_order' has too big value Kernel Panics on kernel 2.4.21-27 [LSI Logic] Feature RHEL: Add mpt fusion SAS support, and new PCI IDs [RHEL 3 U6]inode_lock deadlock/race? CVE-2005-3273 ROSE ndigis verification ext3 data corruption under Samba share CVE-2005-1762 x86_64 sysret exception leads to DoS kernel may oops if more than 4k worth of string data returned in /proc/devices [RHEL3] IPv6 Neighbor Cache : RHEL 3.0 does not update the IsRouter flag in the cache entry and improperly remove router from the Default Router List. [RHEL3 U4] The system clock gains much time when netconle is activated. CRM 479318 Unexpected IO-APIC on Opteron system sd _mod doesn't handle removable drives (USB floppy) well PPC64 not setting backchain in signal frames FEAT: RHEL3 U6: cciss driver updates (STOPSHIP) FEAT: RH EL 3 U6: diskdump driver RHEL3 U6: Add 'ht' flag in EM64T /proc/cpuinfo [PATCH] FEAT: RHEL3 U6: Add ICH4L support to kernel (MEDIUM) 529692 - /proc/stat documentation is out of date. RHEL 3 U6: Use of Performance Monitoring Counters based on Model number (x86-64) When an AX100i SP reboot occurs, the Cisco iSCSI driver doesnt log back into array. FEAT RHEL3 U6: Need e1000 driver Update to v.6.0.54 or higher (MUSTFIX) LTC14642-NetDump is too slow to dump...[PATCH] [RFE] [RHEL3 U6]Update 3w-9xxx driver [CRM 511714] bonding and arp ping failure detection attempt to access beyond end of device: ext2 symlink/EA problem Potential kernel panic with stale POSIX locks CVE-2005-3274 IPVS panic at ip_vs_conn_flush() when unloading ip_vs module Updated Qlogic driver is requested in RHEL 3 U6 Update Emulex driver in RHEL 3 U6 Long tape commands (e.g. erase) timeout on dpt_i2o. RHEL 3 configures non-existent SCSI target devices FEAT RHEL3U6: new devices supported by tg3 (STOPSHIP) CVE-2005-0210 dst leak FEAT: [RHEL3 U6] add PCI_VENDOR_ID_NEC to megaraid subsysvid Adding 3pardata to the scsi device whitelist [RHEL3 U4] setsockopt SO_RCVTIMEO call fails from a 32 bit binary running on a x86_64 system [Patch] RHEL3 U6: lower severity of blk: queue xxxx printks (~MF) CVE-2005-1767 x86_64 crashes from context switches on stk-seg-fault stack FEAT: RHEL3 U6: Update e100 driver to later than v.3.4.1 x86_64 kernel stops allocating memory too early when overcommit_memory set to strict RHEL3 U6: ESB2 support (PATA, SATA, USB, SMBUS, LPC, Audio and AHCI) ptrace changes to registers during ia32 syscall tracing stop are lost x86-64 PTRACE_SETOPTIONS does not support most option flags CVE-2005-1761 local user can use ptrace to crash system CVE-2005-1762 x86_64 crash (ptrace-canonical) CVE-2005-0756 x86_64 crash (ptrace-check-segment) Diskdump disk controllers support Fix dangling pointer in acpi_pci_root_add() [RHEL3][PATCH] suppress medum-not-present messages from idefloppy [taroon patch] fix for indefinite postponement under __alloc_pages() Add docs detailing which drivers support netconsole CVE-2005-2553 x86_64 fix for 32-bit ptrace find_target() oops [RHEL3][PATCH] suppress medum-not-present messages from idefloppy CVE-2005-1768 64bit execve() race leads to buffer overflow Memory Leak in autofs The AHCI driver was incorrectly resetting the hardware on error RHEL 3 U5 code base contains duplicate USB ESSENTIAL_REALITY cable link state ignored on ethernet card (b44). accounting of SETITIMER_PROF inaccurate Kernel panic: pci_map_single: high address but no IOMMU. nVidia driver requires upstream page_attr patch CRM 565876: samba-3.0.8pre1-smbmnt.patch to fix smbmount UID wraparound bug for RHEL3 Samba packages superbh function causing a server to crash when Veritas Volume Manager Modules for VxVM 4.0 are loaded. iscsi_sfnet driver does not calculate ConnFailTimeout correctly when greater than 15 secs CRM: 507606 / short freezes on Informix server RHEL3 U5 panic in kmem_cache_grow add SGI scsi devices to list in scsi_scan.c dpt_i2o driver oopses on insmod in U5 Initiator does not retry login on target error when PortalFailover is disabled Placeholder for 2.4.x SATA update 20050723-1 rpm install of -33.EL on ia64 gets unresolved pm_power_off symbol User-mode program run on IA64 AS 3.0 causes system to crash due to invalid stack pointer [RHEL3U6] diskdump - scsi dump fails with module CRC error [RHEL3 U6] Fix to update openipmi drivers for Dell 8G server line (MUSTFIX) CVE-2005-2456 IPSEC overflow LTC14996-IPMI driver is broken on multiple platforms [RHEL3U6] diskdump fails with machine check error on x86_64 Disable FAN processing in Emulex lpfc driver Add Invista to RHEL 3 SCSI Whitelist NFS deadlock when multiple processes creating/deleting a file IBM TapeLibrary 3583 CVE-2005-2555 IPSEC lacks restrictions Kernel crash on 2.4.21-34 base due to kiobuf_init() setting the initialized state when expand_kiobuf() was not called. CVE-2005-2490 sendmsg compat stack overflow cciss, add pci id for P400 [BETA RHEL3 U6] kernel panic while booting numa=off on x86_64 drivers/addon/lpfc/lpfcdfc/Makefile change causing intermittent build failures [RHEL3] cosmetic change to IPMI drivers to update version revision number cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The xpdf package is an X Window System-based viewer for Portable Document Format (PDF) files. A flaw was discovered in Xpdf in that an attacker could construct a carefully crafted PDF file that would cause Xpdf to consume all available disk space in /tmp when opened. The Common Vulnerabilities and Exposures project assigned the name CAN-2005-2097 to this issue. Note this issue does not affect the version of Xpdf in Red Hat Enterprise Linux 3 or 2.1. Users of xpdf should upgrade to this updated package, which contains a backported patch to resolve this issue. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-2097 CAN-2005-2097 xpdf DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The kdegraphics packages contain applications for the K Desktop Environment including kpdf, a pdf file viewer. A flaw was discovered in kpdf. An attacker could construct a carefully crafted PDF file that would cause kpdf to consume all available disk space in /tmp when opened. The Common Vulnerabilities and Exposures project assigned the name CAN-2005-2097 to this issue. Note this issue does not affect Red Hat Enterprise Linux 3 or 2.1. Users of kpdf should upgrade to these updated packages, which contains a backported patch to resolve this issue. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-2097 CAN-2005-2097 kpdf DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Binutils is a collection of utilities used for the creation of executable code. A number of bugs were found in various binutils tools. If a user is tricked into processing a specially crafted executable with utilities such as readelf, size, strings, objdump, or nm, it may allow the execution of arbitrary code as the user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1704 to this issue. In addition, the following bugs have been fixed: -- by default issue an error if IA-64 hint@pause instruction is put into the B slot, add assembler command line switch to override this behaviour -- fix linker's --emit-relocs with .gnu.warning.* section symbols -- fix gprof on 64-bit ppc binaries and libraries -- fix gas mapping of register names to dwarf2 register numbers in CFI directives All users of binutils should upgrade to this updated package, which contains patches to resolve these issues. Low Copyright 2005 Red Hat, Inc. CVE-2005-1704 CAN-2005-1704 Integer overflow in the Binary File Descriptor (BFD) library wrong dwarf register numbers generated cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Perl is a high-level programming language commonly used for system administration utilities and Web programming. Paul Szabo discovered a bug in the way Perl's File::Path::rmtree module removed directory trees. If a local user has write permissions to a subdirectory within the tree being removed by File::Path::rmtree, it is possible for them to create setuid binary files. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0448 to this issue. This update also addresses the following issues: -- Perl interpreter caused a segmentation fault when environment changes occurred during runtime. -- Code in lib/FindBin contained a regression that caused problems with MRTG software package. -- Perl incorrectly declared it provides an FCGI interface where it in fact did not. Users of Perl are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Low Copyright 2005 Red Hat, Inc. CVE-2005-0448 perl fails "lib/FindBin" test (breaks MRTG) Packing fault with perl and FCGI perl-suidperl package has an extra .1 release suffix CAN-2005-0448 perl File::Path.pm rmtree race condition cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 MySQL is a multi-user, multi-threaded SQL database server. MySQL is a client/server implementation consisting of a server daemon (mysqld) and many different client programs and libraries. An insecure temporary file handling bug was found in the mysql_install_db script. It is possible for a local user to create specially crafted files in /tmp which could allow them to execute arbitrary SQL commands during database installation. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1636 to this issue. These packages update mysql to version 4.1.12, fixing a number of problems. Also, support for SSL-encrypted connections to the database server is now provided. All users of mysql are advised to upgrade to these updated packages. Low Copyright 2005 Red Hat, Inc. CVE-2005-1636 CAN-2005-1636 mysql insecure temporary file creation Parser issue with subqueries involving unions cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The ethereal package is a program for monitoring network traffic. A number of security flaws have been discovered in Ethereal. On a system where Ethereal is running, a remote attacker could send malicious packets to trigger these flaws and cause Ethereal to crash or potentially execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2005-2360, CAN-2005-2361, CAN-2005-2362, CAN-2005-2363, CAN-2005-2364, CAN-2005-2365, CAN-2005-2366, and CAN-2005-2367 to these issues. Users of ethereal should upgrade to these updated packages, which contain version 0.10.12 which is not vulnerable to these issues. Note: To reduce the risk of future vulnerabilities in Ethereal, the ethereal and tethereal programs in this update have been compiled as Position Independant Executables (PIE) for Red Hat Enterprise Linux 3 and 4. In addition FORTIFY_SOURCE has been enabled for Red Hat Enterprise Linux 4 packages to provide compile time and runtime buffer checks. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-2360 CVE-2005-2361 CVE-2005-2362 CVE-2005-2363 CVE-2005-2364 CVE-2005-2365 CVE-2005-2366 CVE-2005-2367 CAN-2005-2360 Multiple ethereal flaws (CAN-2005-2361 CAN-2005-2362 CAN-2005-2363 CAN-2005-2364 CAN-2005-2365 CAN-2005-2366 CAN-2005-2367) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX(R) operating systems. When processing a PDF file, bounds checking was not correctly performed on some fields. This could cause the pdftops filter (running as user "lp") to crash. The Common Vulnerabilities and Exposures project has assigned the name CAN-2005-2097 to this issue. All users of CUPS should upgrade to these erratum packages, which contain a patch to correct this issue. Important Copyright 2005 Red Hat, Inc. CVE-2005-2097 CAN-2005-2097 pdf flaw cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The gpdf package is an GNOME based viewer for Portable Document Format (PDF) files. Marcus Meissner reported a flaw in gpdf. An attacker could construct a carefully crafted PDF file that would cause gpdf to consume all available disk space in /tmp when opened. The Common Vulnerabilities and Exposures project assigned the name CAN-2005-2097 to this issue. Note that this issue does not affect the version of gpdf in Red Hat Enterprise Linux 3 or 2.1. Users of gpdf should upgrade to this updated package, which contains a backported patch to resolve this issue. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-2097 CAN-2005-2097 gpdf DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 GDB, the GNU debugger, allows debugging of programs written in C, C++, and other languages by executing them in a controlled fashion, then printing their data. Several integer overflow bugs were found in gdb. If a user is tricked into processing a specially crafted executable file, it may allow the execution of arbitrary code as the user running gdb. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1704 to this issue. A bug was found in the way gdb loads .gdbinit files. When a user executes gdb, the local directory is searched for a .gdbinit file which is then loaded. It is possible for a local user to execute arbitrary commands as the victim running gdb by placing a malicious .gdbinit file in a location where gdb may be run. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1705 to this issue. This updated package also addresses the following issues: - GDB on ia64 had previously implemented a bug fix to work-around a kernel problem when creating a core file via gcore. The bug fix caused a significant slow-down of gcore. - GDB on ia64 issued an extraneous warning when gcore was used. - GDB on ia64 could not backtrace over a sigaltstack. - GDB on ia64 could not successfully do an info frame for a signal trampoline. - GDB on AMD64 and Intel EM64T had problems attaching to a 32-bit process. - GDB on AMD64 and Intel EM64T was not properly handling threaded watchpoints. - GDB could not build with gcc4 when -Werror flag was set. - GDB had problems printing inherited members of C++ classes. - A few updates from mainline sources concerning Dwarf2 partial die in cache support, follow-fork support, interrupted syscall support, and DW_OP_piece read support. All users of gdb should upgrade to this updated package, which resolves these issues. Low Copyright 2005 Red Hat, Inc. CVE-2005-1704 CVE-2005-1705 CAN-2005-1704 Integer overflow in gdb CAN-2005-1705 gdb arbitrary command execution GDB fails to correctly report frame information cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The netpbm package contains a library of functions that support programs for handling various graphics file formats, including .pbm (portable bitmaps), .pgm (portable graymaps), .pnm (portable anymaps), .ppm (portable pixmaps) and others. A bug was found in the way netpbm converts PostScript files into PBM, PGM or PPM files. An attacker could create a carefully crafted PostScript file in such a way that it could execute arbitrary commands when the file is processed by a victim using pstopnm. The Common Vulnerabilities and Exposures project assigned the name CAN-2005-2471 to this issue. All users of netpbm should upgrade to the updated packages, which contain a backported patch to resolve this issue. Low Copyright 2005 Red Hat, Inc. CVE-2005-2471 CAN-2005-2471 netpbm should use the -dSAFER option when calling Ghostscript cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 VIM (VIsual editor iMproved) is a version of the vi editor. A bug was found in the way VIM processes modelines. If a user with modelines enabled opens a text file with a carefully crafted modeline, arbitrary commands may be executed as the user running VIM. The Common Vulnerabilities and Exposures project has assigned the name CAN-2005-2368 to this issue. Users of VIM are advised to upgrade to these updated packages, which resolve this issue. Low Copyright 2005 Red Hat, Inc. CVE-2005-2368 CAN-2005-2368 vim modeline arbitrary command execution cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A bug was discovered in the PEAR XML-RPC Server package included in PHP. If a PHP script is used which implements an XML-RPC Server using the PEAR XML-RPC package, then it is possible for a remote attacker to construct an XML-RPC request which can cause PHP to execute arbitrary PHP commands as the 'apache' user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-2498 to this issue. When using the default SELinux "targeted" policy on Red Hat Enterprise Linux 4, the impact of this issue is reduced since the scripts executed by PHP are constrained within the httpd_sys_script_t security context. Users of PHP should upgrade to these updated packages, which contain backported fixes for these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-2498 CAN-2005-2498 PHP PEAR:XMLRPC eval code injection cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 OpenLDAP is an open source suite of LDAP (Lightweight Directory Access Protocol) applications and development tools. The nss_ldap module is an extension for use with GNU libc which allows applications to, without internal modification, consult a directory service using LDAP to supplement information that would be read from local files such as /etc/passwd, /etc/group, and /etc/shadow. A bug was found in the way OpenLDAP, nss_ldap, and pam_ldap refer LDAP servers. If a client connection is referred to a different server, it is possible that the referred connection will not be encrypted even if the client has "ssl start_tls" in its ldap.conf file. The Common Vulnerabilities and Exposures project has assigned the name CAN-2005-2069 to this issue. A bug was also found in the way certain OpenLDAP authentication schemes store hashed passwords. A remote attacker could re-use a hashed password to gain access to unauthorized resources. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-0823 to this issue. All users of OpenLDAP and nss_ldap are advised to upgrade to these updated packages, which contain backported fixes that resolve these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2004-0823 CVE-2005-2069 CAN-2004-0823 openldap hashed password re-use CAN-2005-2069 openldap password disclosure issue cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 CVS (Concurrent Version System) is a version control system. An insecure temporary file usage was found in the cvsbug program. It is possible that a local user could leverage this issue to execute arbitrary instructions as the user running cvsbug. The Common Vulnerabilities and Exposures project assigned the name CAN-2005-2693 to this issue. All users of cvs should upgrade to this updated package, which includes a patch to correct this issue. Low Copyright 2005 Red Hat, Inc. CVE-2005-2693 CAN-2005-2693 CVS temporary file issue cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 PCRE is a Perl-compatible regular expression library. An integer overflow flaw was found in PCRE, triggered by a maliciously crafted regular expression. On systems that accept arbitrary regular expressions from untrusted users, this could be exploited to execute arbitrary code with the privileges of the application using the library. The Common Vulnerabilities and Exposures project assigned the name CAN-2005-2491 to this issue. The security impact of this issue varies depending on the way that applications make use of PCRE. For example, the Apache web server uses the system PCRE library in order to parse regular expressions, but this flaw would only allow a user who already has the ability to write .htaccess files to gain 'apache' privileges. For applications supplied with Red Hat Enterprise Linux, a maximum security impact of moderate has been assigned. Users should update to these erratum packages that contain a backported patch to correct this issue. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-2491 CAN-2005-2491 PCRE heap overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 Squid is a full-featured Web proxy cache. A bug was found in the way Squid displays error messages. A remote attacker could submit a request containing an invalid hostname which would result in Squid displaying a previously used error message. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-2479 to this issue. Two denial of service bugs were found in the way Squid handles malformed requests. A remote attacker could submit a specially crafted request to Squid that would cause the server to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2005-2794 and CAN-2005-2796 to these issues. Please note that CAN-2005-2796 does not affect Red Hat Enterprise Linux 2.1 Users of Squid should upgrade to this updated package that contains backported patches, and is not vulnerable to these issues. Important Copyright 2005 Red Hat, Inc. CVE-2004-2479 CVE-2005-2794 CVE-2005-2796 CAN-2004-2479 squid information disclosure issue CAN-2005-2794 Multiple squid DoS issues (CAN-2005-2796) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 OpenLDAP is an open source suite of LDAP (Lightweight Directory Access Protocol) applications and development tools. The nss_ldap module is an extension for use with GNU libc which allows applications to, without internal modification, consult a directory service using LDAP to supplement information that would be read from local files such as /etc/passwd, /etc/group, and /etc/shadow. A bug was found in the way OpenLDAP, nss_ldap, and pam_ldap refer LDAP servers. If a client connection is referred to a different server, it is possible that the referred connection will not be encrypted even if the client has "ssl start_tls" in its ldap.conf file. The Common Vulnerabilities and Exposures project has assigned the name CAN-2005-2069 to this issue. A bug was found in the way the pam_ldap module processed certain failure messages. If the server includes supplemental data in an authentication failure result message, but the data does not include any specific error code, the pam_ldap module would proceed as if the authentication request had succeeded, and authentication would succeed. The Common Vulnerabilities and Exposures project has assigned the name CAN-2005-2641 to this issue. Additionally the following issues are corrected in this erratum. - The OpenLDAP upgrading documentation has been updated. - Fix a database deadlock locking issue. - A fix where slaptest segfaults on exit after successful check. - The library libslapd_db-4.2.so is now located in an architecture-dependent directory. - The LDAP client no longer enters an infinite loop when the server returns a reference to itself. - The pam_ldap module adds the ability to check user passwords using a directory server to PAM-aware applications. - The directory server can now include supplemental information regarding the state of the user's account if a client indicates that it supports such a feature. All users of OpenLDAP and nss_ldap are advised to upgrade to these updated packages, which contain backported fixes that resolve these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-2069 CVE-2005-2641 Authconfig update creates a problem with OpenLDAP server CAN-2005-2069 openldap password disclosure issue CAN-2005-2641 pam_ldap policy vulnerability cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Mozilla Firefox is an open source Web browser. A bug was found in the way Firefox processes certain international domain names. An attacker could create a specially crafted HTML file, which when viewed by the victim would cause Firefox to crash or possibly execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-2871 to this issue. Users of Firefox are advised to upgrade to this updated package that contains a backported patch and is not vulnerable to this issue. Critical Copyright 2005 Red Hat, Inc. CVE-2005-2871 CAN-2005-2871 Firefox buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 Mozilla is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. A bug was found in the way Mozilla processes certain international domain names. An attacker could create a specially crafted HTML file, which when viewed by the victim would cause Mozilla to crash or possibly execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-2871 to this issue. Users of Mozilla are advised to upgrade to this updated package that contains a backported patch and is not vulnerable to this issue. Critical Copyright 2005 Red Hat, Inc. CVE-2005-2871 CAN-2005-2871 Mozilla buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 GNU Wget is a file retrieval utility that can use either the HTTP or FTP protocols. A bug was found in the way wget writes files to the local disk. If a malicious local user has write access to the directory wget is saving a file into, it is possible to overwrite files that the user running wget has write access to. (CAN-2004-2014) A bug was found in the way wget filters redirection URLs. It is possible for a malicious Web server to overwrite files the user running wget has write access to. Note: in order for this attack to succeed the local DNS would need to resolve ".." to an IP address, which is an unlikely situation. (CAN-2004-1487) A bug was found in the way wget displays HTTP response codes. It is possible that a malicious web server could inject a specially crafted terminal escape sequence capable of misleading the user running wget. (CAN-2004-1488) Users should upgrade to this updated package, which contains a version of wget that is not vulnerable to these issues. Low Copyright 2005 Red Hat, Inc. CVE-2004-1487 CVE-2004-1488 CVE-2004-2014 CAN-2004-1487 Several wget vulnerabilities (CAN-2004-1488) CAN-2004-2014 wget symlink race wget man page incomplete cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX(R) operating systems. A bug was found in the way CUPS processes malformed HTTP requests. It is possible for a remote user capable of connecting to the CUPS daemon to issue a malformed HTTP GET request that causes CUPS to enter an infinite loop. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-2874 to this issue. Two small bugs have also been fixed in this update. A signal handling problem has been fixed that could occasionally cause the scheduler to stop when told to reload. A problem with tracking open file descriptors under certain specific circumstances has also been fixed. All users of CUPS should upgrade to these erratum packages, which contain a patch to correct this issue. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-2874 [PATCH] cupsd segfault when SIGCHLD received Cupsd hangs on reading pipe with recycled file descriptor. CAN-2005-2874 Malformed HTTP Request URL denial of service cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The util-linux package contains a large variety of low-level system utilities that are necessary for a Linux system to function. The mount package contains the mount, umount, swapon and swapoff programs. A bug was found in the way the umount command is executed by normal users. It may be possible for a user to gain elevated privileges if the user is able to execute the "umount -r" command on a mounted file system. The file system will be re-mounted only with the "readonly" flag set, clearing flags such as "nosuid" and "noexec". The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-2876 to this issue. This update also fixes a hardlink bug in the script command for Red Hat Enterprise Linux 2.1. If a local user places a hardlinked file named "typescript" in a directory they have write access to, the file will be overwritten if the user running script has write permissions to the destination file. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2001-1494 to this issue. All users of util-linux and mount should upgrade to these updated packages, which contain backported patches to correct these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-2876 CVE-2001-1494 CAN-2001-1494 hardlink vulnerability in 'script' command CAN-2005-2876 umount unsafe -r usage CAN-2005-2876 umount unsafe -r usage cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Mozilla Firefox is an open source Web browser. A bug was found in the way Firefox processes XBM image files. If a user views a specially crafted XBM file, it becomes possible to execute arbitrary code as the user running Firefox. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-2701 to this issue. A bug was found in the way Firefox processes certain Unicode sequences. It may be possible to execute arbitrary code as the user running Firefox if the user views a specially crafted Unicode sequence. (CAN-2005-2702) A bug was found in the way Firefox makes XMLHttp requests. It is possible that a malicious web page could leverage this flaw to exploit other proxy or server flaws from the victim's machine. It is also possible that this flaw could be leveraged to send XMLHttp requests to hosts other than the originator; the default behavior of the browser is to disallow this. (CAN-2005-2703) A bug was found in the way Firefox implemented its XBL interface. It may be possible for a malicious web page to create an XBL binding in such a way that would allow arbitrary JavaScript execution with chrome permissions. Please note that in Firefox 1.0.6 this issue is not directly exploitable and will need to leverage other unknown exploits. (CAN-2005-2704) An integer overflow bug was found in Firefox's JavaScript engine. Under favorable conditions, it may be possible for a malicious web page to execute arbitrary code as the user running Firefox. (CAN-2005-2705) A bug was found in the way Firefox displays about: pages. It is possible for a malicious web page to open an about: page, such as about:mozilla, in such a way that it becomes possible to execute JavaScript with chrome privileges. (CAN-2005-2706) A bug was found in the way Firefox opens new windows. It is possible for a malicious web site to construct a new window without any user interface components, such as the address bar and the status bar. This window could then be used to mislead the user for malicious purposes. (CAN-2005-2707) A bug was found in the way Firefox processes URLs passed to it on the command line. If a user passes a malformed URL to Firefox, such as clicking on a link in an instant messaging program, it is possible to execute arbitrary commands as the user running Firefox. (CAN-2005-2968) Users of Firefox are advised to upgrade to this updated package that contains Firefox version 1.0.7 and is not vulnerable to these issues. Critical Copyright 2005 Red Hat, Inc. CVE-2005-2701 CVE-2005-2702 CVE-2005-2703 CVE-2005-2704 CVE-2005-2705 CVE-2005-2706 CVE-2005-2707 CVE-2005-2968 CVE-2005-3089 CAN-2005-2701 Multiple Firefox issues (CAN-2005-2702, CAN-2005-2703, CAN-2005-2704, CAN-2005-2705, CAN-2005-2706, CAN-2005-2707) CAN-2005-2968 Firefox improper command line URL sanitization cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 HelixPlayer is a media player. A format string bug was discovered in the way HelixPlayer processes RealPix (.rp) files. It is possible for a malformed RealPix file to execute arbitrary code as the user running HelixPlayer. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-2710 to this issue. All users of HelixPlayer are advised to upgrade to this updated package, which contains HelixPlayer version 10.0.6 and is not vulnerable to this issue. Critical Copyright 2005 Red Hat, Inc. CVE-2005-2629 CVE-2005-2710 CVE-2005-2922 CAN-2005-2710 HelixPlayer Format String Flaw cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Mozilla is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. A bug was found in the way Mozilla processes XBM image files. If a user views a specially crafted XBM file, it becomes possible to execute arbitrary code as the user running Mozilla. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-2701 to this issue. A bug was found in the way Mozilla processes certain Unicode sequences. It may be possible to execute arbitrary code as the user running Mozilla, if the user views a specially crafted Unicode sequence. (CAN-2005-2702) A bug was found in the way Mozilla makes XMLHttp requests. It is possible that a malicious web page could leverage this flaw to exploit other proxy or server flaws from the victim's machine. It is also possible that this flaw could be leveraged to send XMLHttp requests to hosts other than the originator; the default behavior of the browser is to disallow this. (CAN-2005-2703) A bug was found in the way Mozilla implemented its XBL interface. It may be possible for a malicious web page to create an XBL binding in a way that would allow arbitrary JavaScript execution with chrome permissions. Please note that in Mozilla 1.7.10 this issue is not directly exploitable and would need to leverage other unknown exploits. (CAN-2005-2704) An integer overflow bug was found in Mozilla's JavaScript engine. Under favorable conditions, it may be possible for a malicious web page to execute arbitrary code as the user running Mozilla. (CAN-2005-2705) A bug was found in the way Mozilla displays about: pages. It is possible for a malicious web page to open an about: page, such as about:mozilla, in such a way that it becomes possible to execute JavaScript with chrome privileges. (CAN-2005-2706) A bug was found in the way Mozilla opens new windows. It is possible for a malicious web site to construct a new window without any user interface components, such as the address bar and the status bar. This window could then be used to mislead the user for malicious purposes. (CAN-2005-2707) Users of Mozilla are advised to upgrade to this updated package that contains Mozilla version 1.7.12 and is not vulnerable to these issues. Critical Copyright 2005 Red Hat, Inc. CVE-2005-2701 CVE-2005-2702 CVE-2005-2703 CVE-2005-2704 CVE-2005-2705 CVE-2005-2706 CVE-2005-2707 CVE-2005-3089 CAN-2005-2701 Multiple Mozilla issues (CAN-2005-2702, CAN-2005-2703, CAN-2005-2704, CAN-2005-2705, CAN-2005-2706, CAN-2005-2707) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Mozilla Thunderbird is a standalone mail and newsgroup client. A bug was found in the way Thunderbird processes certain international domain names. An attacker could create a specially crafted HTML mail, which when viewed by the victim would cause Thunderbird to crash or possibly execute arbitrary code. Thunderbird as shipped with Red Hat Enterprise Linux 4 must have international domain names enabled by the user in order to be vulnerable to this issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-2871 to this issue. A bug was found in the way Thunderbird processes certain Unicode sequences. It may be possible to execute arbitrary code as the user running Thunderbird if the user views a specially crafted HTML mail containing Unicode sequences. (CAN-2005-2702) A bug was found in the way Thunderbird makes XMLHttp requests. It is possible that a malicious HTML mail could leverage this flaw to exploit other proxy or server flaws from the victim's machine. It is also possible that this flaw could be leveraged to send XMLHttp requests to hosts other than the originator; the default behavior of Thunderbird is to disallow such actions. (CAN-2005-2703) A bug was found in the way Thunderbird implemented its XBL interface. It may be possible for a malicious HTML mail to create an XBL binding in such a way that would allow arbitrary JavaScript execution with chrome permissions. Please note that in Thunderbird 1.0.6 this issue is not directly exploitable and will need to leverage other unknown exploits. (CAN-2005-2704) An integer overflow bug was found in Thunderbird's JavaScript engine. Under favorable conditions, it may be possible for a malicious mail message to execute arbitrary code as the user running Thunderbird. Please note that JavaScript support is disabled by default in Thunderbird. (CAN-2005-2705) A bug was found in the way Thunderbird displays about: pages. It is possible for a malicious HTML mail to open an about: page, such as about:mozilla, in such a way that it becomes possible to execute JavaScript with chrome privileges. (CAN-2005-2706) A bug was found in the way Thunderbird opens new windows. It is possible for a malicious HTML mail to construct a new window without any user interface components, such as the address bar and the status bar. This window could then be used to mislead the user for malicious purposes. (CAN-2005-2707) A bug was found in the way Thunderbird processes URLs passed to it on the command line. If a user passes a malformed URL to Thunderbird, such as clicking on a link in an instant messaging program, it is possible to execute arbitrary commands as the user running Thunderbird. (CAN-2005-2968) Users of Thunderbird are advised to upgrade to this updated package, which contains Thunderbird version 1.0.7 and is not vulnerable to these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-2871 CVE-2005-2702 CVE-2005-2703 CVE-2005-2704 CVE-2005-2705 CVE-2005-2706 CVE-2005-2707 CVE-2005-2968 CAN-2005-2871 Firefox buffer overflow affects thunderbird CAN-2005-2701 Multiple Firefox issues (CAN-2005-2702, CAN-2005-2703, CAN-2005-2704, CAN-2005-2705, CAN-2005-2706, CAN-2005-2707) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The netpbm package contains a library of functions that support programs for handling various graphics file formats, including .pbm (portable bitmaps), .pgm (portable graymaps), .pnm (portable anymaps), .ppm (portable pixmaps) and others. A bug was found in the way netpbm converts Portable Anymap (PNM) files into Portable Network Graphics (PNG). The usage of uninitialised variables in the pnmtopng code allows an attacker to change stack contents when converting to PNG files with pnmtopng using the '-trans' option. This may allow an attacker to execute arbitrary code. The Common Vulnerabilities and Exposures project assigned the name CAN-2005-2978 to this issue. All users of netpbm should upgrade to the updated packages, which contain a backported patch to resolve this issue. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-2978 CAN-2005-2978 Crash running pnmtopng -trans on some pnm files cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Ruby is an interpreted scripting language for object-oriented programming. A bug was found in the way ruby handles eval statements. It is possible for a malicious script to call eval in such a way that can allow the bypass of certain safe-level restrictions. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-2337 to this issue. Users of Ruby should update to these erratum packages, which contain a backported patch and are not vulnerable to this issue. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-2337 CAN-2005-2337 ruby safe-level mode bypass cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 OpenSSL is a toolkit that implements Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. OpenSSL contained a software work-around for a bug in SSL handling in Microsoft Internet Explorer version 3.0.2. This work-around is enabled in most servers that use OpenSSL to provide support for SSL and TLS. Yutaka Oiwa discovered that this work-around could allow an attacker, acting as a "man in the middle" to force an SSL connection to use SSL 2.0 rather than a stronger protocol such as SSL 3.0 or TLS 1.0. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-2969 to this issue. A bug was also fixed in the way OpenSSL creates DSA signatures. A cache timing attack was fixed in RHSA-2005-476 which caused OpenSSL to do private key calculations with a fixed time window. The DSA fix for this was not complete and the calculations are not always performed within a fixed-window. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0109 to this issue. Users are advised to upgrade to these updated packages, which remove the MISE 3.0.2 work-around and contain patches to correct these issues. Note: After installing this update, users are advised to either restart all services that use OpenSSL or restart their system. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-2969 CVE-2005-0109 CAN-2005-2969 Potential SSL 2.0 Rollback CAN-2005-0109 DSA signing not quite constant time cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 The xloadimage utility displays images in an X Window System window, loads images into the root window, or writes images into a file. Xloadimage supports many image types (including GIF, TIFF, JPEG, XPM, and XBM). A flaw was discovered in xloadimage via which an attacker can construct a NIFF image with a very long embedded image title. This image can cause a buffer overflow. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-3178 to this issue. All users of xloadimage should upgrade to this erratum package, which contains backported patches to correct these issues. Low Copyright 2005 Red Hat, Inc. CVE-2005-3178 CAN-2005-3178 xloadimage NIFF buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 Lynx is a text-based Web browser. Ulf Härnhammar discovered a stack overflow bug in Lynx when handling connections to NNTP (news) servers. An attacker could create a web page redirecting to a malicious news server which could execute arbitrary code as the user running lynx. The Common Vulnerabilities and Exposures project assigned the name CAN-2005-3120 to this issue. Users should update to this erratum package, which contains a backported patch to correct this issue. Critical Copyright 2007 Red Hat, Inc. CVE-2005-3120 CAN-2005-3120 lynx buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 PAM (Pluggable Authentication Modules) is a system security tool that allows system administrators to set an authentication policy without having to recompile programs that handle authentication. A bug was found in the way PAM's unix_chkpwd helper program validates user passwords when SELinux is enabled. Under normal circumstances, it is not possible for a local non-root user to verify the password of another local user with the unix_chkpwd command. A patch applied that adds SELinux functionality makes it possible for a local user to use brute force password guessing techniques against other local user accounts. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-2977 to this issue. All users of pam should upgrade to this updated package, which contains backported patches to correct these issues. Low Copyright 2005 Red Hat, Inc. CVE-2005-2977 CVE-2005-2977 unix_chkpwd helper doesn't verify requesting user if SELinux is enabled cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 cURL is a tool for getting files from FTP, HTTP, Gopher, Telnet, and Dict servers, using any of the supported protocols. A stack based buffer overflow bug was found in cURL's NTLM authentication module. It is possible to execute arbitrary code on a user's machine if the user can be tricked into connecting to a malicious web server using NTLM authentication. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-3185 to this issue. All users of curl are advised to upgrade to these updated packages, which contain a backported patch that resolve this issue. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-3185 CAN-2005-3185 NTLM buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The Linux kernel handles the basic functions of the operating system. An issue was discovered that affects how page attributes are changed by the kernel. Video drivers, which sometimes map kernel pages with a different caching policy than write-back, are now expected to function correctly. This change affects the x86, AMD64, and Intel EM64T architectures. In addition the following security bugs were fixed: The set_mempolicy system call did not check for negative numbers in the policy field. An unprivileged local user could use this flaw to cause a denial of service (system panic). (CVE-2005-3053) A flaw in ioremap handling on AMD 64 and Intel EM64T systems. An unprivileged local user could use this flaw to cause a denial of service or minor information leak. (CVE-2005-3108) A race condition in the ebtables netfilter module. On a SMP system that is operating under a heavy load this flaw may allow remote attackers to cause a denial of service (crash). (CVE-2005-3110) A memory leak was found in key handling. An unprivileged local user could use this flaw to cause a denial of service. (CVE-2005-3119) A flaw in the Orinoco wireless driver. On systems running the vulnerable drive, a remote attacker could send carefully crafted packets which would divulge the contents of uninitialized kernel memory. (CVE-2005-3180) A memory leak was found in the audit system. An unprivileged local user could use this flaw to cause a denial of service. (CVE-2005-3181) All Red Hat Enterprise Linux 4 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum. Important Copyright 2005 Red Hat, Inc. CVE-2005-3053 CVE-2005-3108 CVE-2005-3110 CVE-2005-3119 CVE-2005-3180 CVE-2005-3181 RHEL4 (IPF): Support for Additional function in Intel's Monticeto processor (HW) RHEL4: Infiniband support RHEL4 U2: SATA ATAPI support (including ESB2) sym driver creates voluminous /var/log/messages entries FEAT: RHEL 4 U3: ia64 needs hint@pause in spinloop spin loops on both ia32 and ia32e need cpu_relax bonding mode=6 + dhcp doesn't work correctly ia32 apps that are not large file aware can access files >= 4GB SMART support in SATA driver (P1) qlogic fabric rediscovery functionality missing On few Nocona based platforms, acpi-cpufreq driver assumes the wrong CPU freq at boot time RHEL 4 Kernel does not provide ACL support over NFS Amanda hangs on backup in case of ip_conntrack_amanda is used (RHEL4) large usb flash drive require reboot to mount more than once umount fails on nfs server side when nfs client does heavy io Unisys' x86_64 ES7000 loses legacy devices during boot when using latest ES7000 platform code Writing large file to 1TB ext3 volume sometimes very slow SCTP memory consumption, additional fixes Missing SHUTDOWN notification with SCTP stream socket [RHEL4-U3] PCI Hotplug - Slot powered off after enabling ES7000 systems won't boot with large configuration CVE-2004-1190 Continued raw access issues Diskdump fails through ipr driver USB Key stops working after upgrade to U1 dangling POSIX locks after close Oracle Hangs with directio and aio using NFS sysfs_remove_dir() de-references NULL pointer RHEL4 Panics at smp_apic_timer_interrupt Problem with b44: SIOCSIFFLAGS: Cannot allocate memory read() with count > 0xffffffff panics kernel at fs/direct-io.c:886 [RHEL4] 'getpriority/setpriority' broken with PRIO_USER, who=0 io_cancel doesn't work properly Assertion failure in log_do_checkpoint request backport of fc transport class HBA port_id for dm-multipath Kernel PANIC - not syncing: fatal exception qetharp 'Operation not supported' on non-layer2 guestlan PANIC at rpc_wake_up_status Bug in IPv6 address adding error path Bonding driver fails to switch to backup link Bugs in kernel key managment syscall interface Bad order for release_region in error exit from i810_probe CVE-2005-2458 gzip/zlib flaws acct does not have Large File Support 2.6: /sbin/service iptables stop hangs on modprobe -r ipt_state NFS/RPC - timestamp conversion is wrong rpmbuild --rebuild glibc-2.3.4-2.12.src.rpm hangs (same problem with glibc-2.3.4-2.9.src.rpm) Erratic behaviour when system fd limit reached mount/umount can cause the block device reads to fail [RHEL4 U1] OOPS removing ahci driver [RHEL4 U1] Bonding driver does not switch to backup interface upon active interface failure under heavy UDP traffic NFSv3 locking misses important kernel patches RHEL4 Panic in __wake_up_common (networking) Multicast domain membership doesn't follow bonding failover RHEL4 __copy_user breaks on unaligned src RHEL4 U2 performance regression running enterprise workload CVE-2005-2800 SCSI proc DoS FEAT RHEL4 U3: 10GigE Neterion Driver Update (S2io) [RHEL4] hangcheck-timer not compiled in RHEL4 on IA64 SCTP association restart problem, possible backport ipmi_poweroff driver update for Dell <8G servers [RHEL4 U1][diskdump] Diskdump from OS_INIT fails. autofs removes leading path components of /net mounts on timeout FEAT: [RHEL4 U3] kernel dm: Statistic information about dm devices (*) CVE-2005-3044 lost fput and sockfd_put could lead to DoS wait() and waitpid() return inconsistencies under high load CVE-2005-3276 sys_get_thread_area minor info leak [FEAT:][RHEL 4 U3]LVM2 Snapshot support of root CVE-2005-2709 More sysctl flaws [Texas Instruments] nfs bindresvport: Address already in use CVE-2005-3356 double decrement of mqueue_mnt->mnt_count in sys_mq_open oops in gss_pipe_release() ls hangs on krb5 mountd when user has not kinit-ed NFS client oops when debugging is on CRM648268: kernel reporting init process cutime as very large negative value CVE-2005-3106 exec_mmap race DoS Cache invalidation bug in nfs v3 Bad: kernel panic on boot (kernel-2.6.9-22.EL) kernel_lock() problem through NFS mount iSCSI connection recovery uses session address instead of portal address device-mapper mirroring backwards compatibility issue Neterion(S2io) adapter not functional after running offline diagnostics CVE-2005-3109 HFS oops Kernel oops killing process with open files on a NFS3 krb5 mount after /var/lib/nfs/rpc_pipefs has been unmounted FEAT RHEL4 U3 [diskdump]: kernel - support compressing dump data USB: khubd deadlock on error path Kernel key management facility improvements nfsd: clear signals before exiting the nfsd() thread linux-2.6.13-key-reiserfs.patch is incomplete Can't reboot on IBM xSeries 236. rhel4 modules loading signing issue rename(2) onto an empty directory fails on NFS file systems Large LUNS can't be seen with Hitachi Open-L SAN Difficulty with some iSCSI targets in iscsi_sfnet netpoll can dereference a null pointer, causing a system crash [RHEL4] tuxstat SIGSEGV kernel dm: dm-ioctl memory leak on attempt to load non-existing mapping autofs doesn't remount if nfs server is unreachable at expire time kernel dm: DM_LIST_VERSIONS_CMD ioctl reponse truncated kernel dm: Notify userspace when a device is renamed. kernel dm-log: big endian 64-bit corruption kernel dm-log: Make mirror log arch-independent kernel dm: move bdget outside lockfs kernel dm: Make lock_fs optional. kernel dm snapshot: Separate out metadata reading. kernel dm snapshot: Load metadata on table creation not resumption. kernel dm snapshot: Reduce PF_MEMALLOC usage kernel dm multipath: Fix do_end_io locking. race condition when expiring ghosted autofs mounts kernel dm snapshot: bio_list_merge fix Fix for SystemTap bugzilla #1345 - return probe on do_execve unable to create sgi_sn/ptc_statistics" printed to the console Further key management facility improvements Permit key management to request already running process to instantiate a key kernel bug at mm/prio_tree.c cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 The ethereal package is a program for monitoring network traffic. A number of security flaws have been discovered in Ethereal. On a system where Ethereal is running, a remote attacker could send malicious packets to trigger these flaws and cause Ethereal to crash or potentially execute arbitrary code. The Common Vulnerabilities and Exposures project has assigned the names CVE-2005-3241, CVE-2005-3242, CVE-2005-3243, CVE-2005-3244, CVE-2005-3245, CVE-2005-3246, CVE-2005-3247, CVE-2005-3248, CVE-2005-3249, and CVE-2005-3184 to these issues. Users of ethereal should upgrade to these updated packages, which contain version 0.10.13 and are not vulnerable to these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-3241 CVE-2005-3242 CVE-2005-3243 CVE-2005-3244 CVE-2005-3245 CVE-2005-3246 CVE-2005-3247 CVE-2005-3248 CVE-2005-3249 CVE-2005-3184 CVE-2005-3241 Multiple ethereal issues (CVE-2005-3242 CVE-2005-3243 CVE-2005-3244 CVE-2005-3245 CVE-2005-3246 CVE-2005-3247 CVE-2005-3248 CVE-2005-3249 CVE-2005-3184) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The gdk-pixbuf package contains an image loading library used with the GNOME GUI desktop environment. A bug was found in the way gdk-pixbuf processes XPM images. An attacker could create a carefully crafted XPM file in such a way that it could cause an application linked with gdk-pixbuf to execute arbitrary code when the file was opened by a victim. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-3186 to this issue. Ludwig Nussel discovered an integer overflow bug in the way gdk-pixbuf processes XPM images. An attacker could create a carefully crafted XPM file in such a way that it could cause an application linked with gdk-pixbuf to execute arbitrary code or crash when the file was opened by a victim. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-2976 to this issue. Ludwig Nussel also discovered an infinite-loop denial of service bug in the way gdk-pixbuf processes XPM images. An attacker could create a carefully crafted XPM file in such a way that it could cause an application linked with gdk-pixbuf to stop responding when the file was opened by a victim. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-2975 to this issue. Users of gdk-pixbuf are advised to upgrade to these updated packages, which contain backported patches and are not vulnerable to these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-3186 CVE-2005-2976 CVE-2005-2975 CVE-2005-3186 XPM buffer overflow CVE-2005-2975 Multiple XPM processing issues (CVE-2005-2976) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The gtk2 package contains the GIMP ToolKit (GTK+), a library for creating graphical user interfaces for the X Window System. A bug was found in the way gtk2 processes XPM images. An attacker could create a carefully crafted XPM file in such a way that it could cause an application linked with gtk2 to execute arbitrary code when the file was opened by a victim. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-3186 to this issue. Ludwig Nussel discovered an infinite-loop denial of service bug in the way gtk2 processes XPM images. An attacker could create a carefully crafted XPM file in such a way that it could cause an application linked with gtk2 to stop responding when the file was opened by a victim. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-2975 to this issue. Users of gtk2 are advised to upgrade to these updated packages, which contain backported patches and are not vulnerable to these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-3186 CVE-2005-2975 CVE-2005-3186 XPM buffer overflow CVE-2005-2975 gtk2 XPM DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 GNU Wget is a file retrieval utility that can use either the HTTP or FTP protocols. A stack based buffer overflow bug was found in the wget implementation of NTLM authentication. An attacker could execute arbitrary code on a user's machine if the user can be tricked into connecting to a malicious web server using NTLM authentication. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-3185 to this issue. All users of wget are advised to upgrade to these updated packages, which contain a backported patch that resolves this issue. Important Copyright 2005 Red Hat, Inc. CVE-2005-3185 CVE-2005-3185 NTLM buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The lm_sensors package includes a collection of modules for general SMBus access and hardware monitoring. This package requires special support which is not in standard version 2.2 kernels. A bug was found in the way the pwmconfig tool creates temporary files. It is possible that a local attacker could leverage this flaw to overwrite arbitrary files located on the system. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-2672 to this issue. Users of lm_sensors are advised to upgrade to these updated packages, which contain a backported patch that resolves this issue. Low Copyright 2005 Red Hat, Inc. CVE-2005-2672 CVE-2005-2672 lm_sensors pwmconfig insecure temporary file usage cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 The libungif package contains a shared library of functions for loading and saving GIF format image files. Several bugs in the way libungif decodes GIF images were discovered. An attacker could create a carefully crafted GIF image file in such a way that it could cause an application linked with libungif to crash or execute arbitrary code when the file is opened by a victim. The Common Vulnerabilities and Exposures project has assigned the names CVE-2005-2974 and CVE-2005-3350 to these issues. All users of libungif are advised to upgrade to these updated packages, which contain backported patches that resolve these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-2974 CVE-2005-3350 CVE-2005-2974 Several libungif issues (CVE-2005-3350) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The OpenSSL toolkit implements Secure Sockets Layer (SSL v2/v3), Transport Layer Security (TLS v1) protocols, and serves as a full-strength general purpose cryptography library. OpenSSL 0.9.6b libraries are provided for Red Hat Enterprise Linux 3 and 4 to allow compatibility with legacy applications. Testing performed by the OpenSSL group using the Codenomicon TLS Test Tool uncovered a null-pointer assignment in the do_change_cipher_spec() function. A remote attacker could perform a carefully crafted SSL/TLS handshake against a server that uses the OpenSSL library in such a way as to cause OpenSSL to crash. Depending on the server this could lead to a denial of service. (CVE-2004-0079) This issue was reported as not affecting OpenSSL versions prior to 0.9.6c, and testing with the Codenomicon Test Tool showed that OpenSSL 0.9.6b as shipped as a compatibility library with Red Hat Enterprise Linux 3 and 4 did not crash. However, an alternative reproducer has been written which shows that this issue does affect versions of OpenSSL prior to 0.9.6c. Note that Red Hat does not ship any applications with Red Hat Enterprise Linux 3 or 4 that use these compatibility libraries. Users of the OpenSSL096b compatibility package are advised to upgrade to these updated packages, which contain a patch provided by the OpenSSL group that protect against this issue. Moderate Copyright 2005 Red Hat, Inc. CVE-2004-0079 CVE-2004-0079 OpenSSL remote DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A flaw was found in the way PHP registers global variables during a file upload request. A remote attacker could submit a carefully crafted multipart/form-data POST request that would overwrite the $GLOBALS array, altering expected script behavior, and possibly leading to the execution of arbitrary PHP commands. Please note that this vulnerability only affects installations which have register_globals enabled in the PHP configuration file, which is not a default or recommended option. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-3390 to this issue. A flaw was found in the PHP parse_str() function. If a PHP script passes only one argument to the parse_str() function, and the script can be forced to abort execution during operation (for example due to the memory_limit setting), the register_globals may be enabled even if it is disabled in the PHP configuration file. This vulnerability only affects installations that have PHP scripts using the parse_str function in this way. (CVE-2005-3389) A Cross-Site Scripting flaw was found in the phpinfo() function. If a victim can be tricked into following a malicious URL to a site with a page displaying the phpinfo() output, it may be possible to inject javascript or HTML content into the displayed page or steal data such as cookies. This vulnerability only affects installations which allow users to view the output of the phpinfo() function. As the phpinfo() function outputs a large amount of information about the current state of PHP, it should only be used during debugging or if protected by authentication. (CVE-2005-3388) A denial of service flaw was found in the way PHP processes EXIF image data. It is possible for an attacker to cause PHP to crash by supplying carefully crafted EXIF image data. (CVE-2005-3353) Users of PHP should upgrade to these updated packages, which contain backported patches that resolve these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-3353 CVE-2005-3388 CVE-2005-3389 CVE-2005-3390 CVE-2005-3390 PHP register globals arbitrary code execution CVE-2005-3389 PHP parse_str can enable register_globals CVE-2005-3388 PHP phpinfo() XSS attack CVE-2005-3353 PHP exif data DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 Lynx is a text-based Web browser. An arbitrary command execute bug was found in the lynx "lynxcgi:" URI handler. An attacker could create a web page redirecting to a malicious URL which could execute arbitrary code as the user running lynx. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-2929 to this issue. Users should update to this erratum package, which contains a backported patch to correct this issue. Critical Copyright 2005 Red Hat, Inc. CVE-2005-2929 CVE-2005-2929 lynx arbitrary command execution cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 The xpdf package is an X Window System-based viewer for Portable Document Format (PDF) files. Several flaws were discovered in Xpdf. An attacker could construct a carefully crafted PDF file that could cause Xpdf to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project assigned the names CVE-2005-3191, CVE-2005-3192, and CVE-2005-3193 to these issues. Users of Xpdf should upgrade to this updated package, which contains a backported patch to resolve these issues. Red Hat would like to thank Derek B. Noonburg for reporting this issue and providing a patch. Important Copyright 2005 Red Hat, Inc. CVE-2005-3191 CVE-2005-3192 CVE-2005-3193 CVE-2005-3624 CVE-2005-3625 CVE-2005-3626 CVE-2005-3627 CVE-2005-3628 CVE-2005-3193 xpdf issues (CVE-2005-3191 CVE-2005-3192 CVE-2005-3624 CVE-2005-3625 CVE-2005-3626 CVE-2005-3627 CVE-2005-3628) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The netpbm package contains a library of functions that support programs for handling various graphics file formats. A stack based buffer overflow bug was found in the way netpbm converts Portable Anymap (PNM) files into Portable Network Graphics (PNG). A specially crafted PNM file could allow an attacker to execute arbitrary code by attempting to convert a PNM file to a PNG file when using pnmtopng with the '-text' option. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-3632 to this issue. An "off by one" bug was found in the way netpbm converts Portable Anymap (PNM) files into Portable Network Graphics (PNG). If a victim attempts to convert a specially crafted 256 color PNM file to a PNG file, then it can cause the pnmtopng utility to crash. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-3662 to this issue. All users of netpbm should upgrade to these updated packages, which contain backported patches that resolve these issues. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-3632 CVE-2005-3662 CVE-2005-3662 netpbm off by one error CVE-2005-3632 Netpbm buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 C-client is a common API for accessing mailboxes. A buffer overflow flaw was discovered in the way C-client parses user supplied mailboxes. If an authenticated user requests a specially crafted mailbox name, it may be possible to execute arbitrary code on a server that uses C-client to access mailboxes. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-2933 to this issue. All users of libc-client should upgrade to these updated packages, which contain a backported patch that resolves this issue. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-2933 CVE-2005-2933 imap buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The imap package provides server daemons for both the IMAP (Internet Message Access Protocol) and POP (Post Office Protocol) mail access protocols. A buffer overflow flaw was discovered in the way the c-client library parses user supplied mailboxes. If an authenticated user requests a specially crafted mailbox name, it may be possible to execute arbitrary code on a server that uses the library. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-2933 to this issue. All users of imap should upgrade to these updated packages, which contain a backported patch and are not vulnerable to this issue. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-2933 CVE-2005-2933 imap buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The udev package contains an implementation of devfs in userspace using sysfs and /sbin/hotplug. Richard Cunningham discovered a flaw in the way udev sets permissions on various files in /dev/input. It may be possible for an authenticated attacker to gather sensitive data entered by a user at the console, such as passwords. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-3631 to this issue. All users of udev should upgrade to these updated packages, which contain a backported patch and are not vulnerable to this issue. Important Copyright 2008 Red Hat, Inc. CVE-2005-3631 CVE-2005-3631 /dev/input/* incorrect permissions cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The gpdf package is a GNOME based viewer for Portable Document Format (PDF) files. Several flaws were discovered in gpdf. An attacker could construct a carefully crafted PDF file that could cause gpdf to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project assigned the names CVE-2005-3191, CVE-2005-3192, and CVE-2005-3193 to these issues. Users of gpdf should upgrade to this updated package, which contains a backported patch to resolve these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-3191 CVE-2005-3192 CVE-2005-3193 CVE-2005-3628 CVE-2005-3193 xpdf issues (CVE-2005-3191 CVE-2005-3192) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The kdegraphics packages contain applications for the K Desktop Environment including kpdf, a pdf file viewer. Several flaws were discovered in kpdf. An attacker could construct a carefully crafted PDF file that could cause kpdf to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project assigned the names CVE-2005-3191, CVE-2005-3192, and CVE-2005-3193 to these issues. Users of kpdf should upgrade to these updated packages, which contain a backported patch to resolve these issues. Important Copyright 2008 Red Hat, Inc. CVE-2005-3191 CVE-2005-3192 CVE-2005-3193 CVE-2005-3624 CVE-2005-3625 CVE-2005-3626 CVE-2005-3627 CVE-2005-3628 CVE-2005-3193 xpdf issues (CVE-2005-3191 CVE-2005-3192 CVE-2005-3624 CVE-2005-3625 CVE-2005-3626 CVE-2005-3627 CVE-2005-3628) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 cURL is a tool for getting files from FTP, HTTP, Gopher, Telnet, and Dict servers, using any of the supported protocols. Stefan Esser discovered an off-by-one bug in curl. It may be possible to execute arbitrary code on a user's machine if the user can be tricked into executing curl with a carefully crafted URL. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-4077 to this issue. All users of curl are advised to upgrade to these updated packages, which contain a backported patch that resolves this issue. Moderate Copyright 2005 Red Hat, Inc. CVE-2005-4077 CVE-2005-4077 SA17907 cURL/libcURL URL Parsing Off-By-One Vulnerability cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX(R) operating systems. Several flaws were discovered in the way CUPS processes PDF files. An attacker could construct a carefully crafted PDF file that could cause CUPS to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project assigned the names CVE-2005-3191, CVE-2005-3192, and CVE-2005-3193 to these issues. All users of CUPS should upgrade to these updated packages, which contain backported patches to resolve these issues. Important Copyright 2005 Red Hat, Inc. CVE-2005-3191 CVE-2005-3192 CVE-2005-3193 CVE-2005-3628 CVE-2005-3193 xpdf issues (CVE-2005-3191 CVE-2005-3192) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Perl is a high-level programming language commonly used for system administration utilities and Web programming. An integer overflow bug was found in Perl's format string processor. It is possible for an attacker to cause perl to crash or execute arbitrary code if the attacker is able to process a malicious format string. This issue is only exploitable through a script which passes arbitrary untrusted strings to the format string processor. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-3962 to this issue. Users of Perl are advised to upgrade to these updated packages, which contain backported patches to correct these issues as well as fixes for several bugs. Moderate Copyright 2008 Red Hat, Inc. CVE-2005-3962 bits/resource.ph has syntax errors (libperl) could not run system-config-printer getgrnam() crashes with "Out of memory" if /etc/group contains long lines CVE-2005-3962 Perl integer overflow issue MakeMaker::MM_Unix doesn't honor LD_RUN_PATH requirements missing C standard headers cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Perl is a high-level programming language commonly used for system administration utilities and Web programming. An integer overflow bug was found in Perl's format string processor. It is possible for an attacker to cause perl to crash or execute arbitrary code if the attacker is able to process a malicious format string. This issue is only exploitable through a script wich passes arbitrary untrusted strings to the format string processor. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-3962 to this issue. Paul Szabo discovered a bug in the way Perl's File::Path::rmtree module removed directory trees. If a local user has write permissions to a subdirectory within the tree being removed by File::Path::rmtree, it is possible for them to create setuid binary files. (CVE-2005-0448) Solar Designer discovered several temporary file bugs in various Perl modules. A local attacker could overwrite or create files as the user running a Perl script that uses a vulnerable module. (CVE-2004-0976) Users of Perl are advised to upgrade to these updated packages, which contain backported patches to correct these issues as well as fixes for several bugs. Moderate Copyright 2005 Red Hat, Inc. CVE-2004-0976 CVE-2005-0448 CVE-2005-3962 [RFE] Need new perl rpm release that fixes threaded memory leak Perl's 'study' function breaks regexp matching CVE-2004-0976 temporary file vulnerabilities in Perl Apparent utf8 bug in Perl's join() garbage after split() Man::Pod does not return true CVE-2005-0448 perl File::Path.pm rmtree race condition Broken POSIX in perl-5.8.0 'split'/'index' problem for utf8 perl bug # 22372: SIGSEGV in sv_chop() bits/resource.ph has syntax errors (libperl) could not run system-config-printer CVE-2005-3962 Perl integer overflow issue Cannot set undef timeout in perl 5.8.0 IO::Socket cpe:/o:redhat:enterprise_linux