Red Hat OVAL Patch Definition Merger 2 5.3 2011-03-22T14:48:54 Red Hat Enterprise Linux 3 The initscripts package contains the basic system scripts used to boot your Red Hat system, change runlevels, and shut the system down cleanly. Initscripts also contains the scripts that activate and deactivate most network interfaces. A bug was found in the way initscripts handled various environment variables when the /sbin/service command is run. It is possible for a local user with permissions to execute /sbin/service via sudo to execute arbitrary commands as the 'root' user. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-3629 to this issue. The following issues have also been fixed in this update: * extraneous characters were logged on bootup. * fsck would be attempted on filesystems marked with _netdev in rc.sysinit before they were available. Additionally, support for multi-core Itanium processors has been added to redhat-support-check. All users of initscripts should upgrade to these updated packages, which contain backported patches to resolve these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2005-3629 Automount of the emcpower device fails if fsck is enabled for the device in /etc/fstab. Bogus messages in system log (/var/log/messages) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The initscripts package contains the basic system scripts used to boot your Red Hat system, change runlevels, and shut the system down cleanly. Initscripts also contains the scripts that activate and deactivate most network interfaces. A bug was found in the way initscripts handled various environment variables when the /sbin/service command is run. It is possible for a local user with permissions to execute /sbin/service via sudo to execute arbitrary commands as the 'root' user. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CVE-2005-3629 to this issue. The following issues have also been fixed in this update: * extraneous characters were logged on bootup * fsck was attempted on file systems marked with _netdev in rc.sysinit before they were available * the dynamically-linked /sbin/multipath was called instead of the correct /sbin/multiplath.static Additionally, this update includes support for partitioned multipath devices and a technology preview of static IP over InifiniBand. All users of initscripts should upgrade to this updated package, which resolves these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2005-3629 RHEL4: Infiniband support rc.sysinit call dynamicly linked multipath rather than multipath.static Bogus messages in system log (/var/log/messages) Automount of the emcpower device fails if fsck is enabled for the device in /etc/fstab. CVE-2005-3629 root shell can be gained from service if ran through sudo cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. This package includes the core files necessary for both the OpenSSH client and server. An arbitrary command execution flaw was discovered in the way scp copies files locally. It is possible for a local attacker to create a file with a carefully crafted name that could execute arbitrary commands as the user running scp to copy files locally. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CVE-2006-0225 to this issue. The following issue has also been fixed in this update: * If the sshd service was stopped using the sshd init script while the main sshd daemon was not running, the init script would kill other sshd processes, such as the running sessions. For example, this could happen when the 'service sshd stop' command was issued twice. Additionally, this update implements auditing of user logins through the system audit service. All users of openssh should upgrade to these updated packages, which resolve these issues. Low Copyright 2008 Red Hat, Inc. CVE-2006-0225 CVE-2006-0225 local to local copy uses shell expansion twice init script kills all running sshd's if listening server is stopped add audit message to sshd cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Squid is a high-performance proxy caching server for Web clients, supporting FTP, gopher, and HTTP data objects. A denial of service flaw was found in the way squid processes certain NTLM authentication requests. A remote attacker could send a specially crafted NTLM authentication request which would cause the Squid server to crash. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-2917 to this issue. Several bugs have also been addressed in this update: * An error introduced in 2.5.STABLE3-6.3E.14 where Squid can crash if a user visits a site which has a long DNS record. * Some authentication helpers were missing needed setuid rights. * Squid couldn't handle a reply from a HTTP server when the reply began with the new-line character or wasn't HTTP/1.0 or HTTP/1.1 compliant. * User-defined error pages were not kept when the squid package was upgraded. All users of squid should upgrade to these updated packages, which contain backported patches to resolve these issues. Moderate Copyright 2006 Red Hat, Inc. CVE-2005-2917 Error pages should not be replaced by updates Squid doesn't handle headers split across packets Squid blocks page served by broken server Squid dies with signal 6 and restarts and dies ... Error in script /usr/lib/squid/wbinfo_group.pl pam authentication fails One translated Polish language error is missing preventing squid from startup CVE-2005-2917 Squid malformed NTLM authentication DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Squid is a high-performance proxy caching server for Web clients, supporting FTP, gopher, and HTTP data objects. A denial of service flaw was found in the way squid processes certain NTLM authentication requests. It is possible for a remote attacker to crash the Squid server by sending a specially crafted NTLM authentication request. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CVE-2005-2917 to this issue. The following issues have also been fixed in this update: * An error introduced in squid-2.5.STABLE6-3.4E.12 can crash Squid when a user visits a site that has a bit longer DNS record. * An error introduced in the old package prevented Squid from returning correct information about large file systems. The new package is compiled with the IDENT lookup support so that users who want to use it do not have to recompile it. * Some authentication helpers needed SETUID rights but did not have them. If administrators wanted to use cache administrator, they had to change the SETUID bit manually. The updated package sets this bit so the new package can be updated without manual intervention from administrators. * Squid could not handle a reply from an HTTP server when the reply began with the new-line character. * An issue was discovered when a reply from an HTTP server was not HTTP 1.0 or 1.1 compliant. * The updated package keeps user-defined error pages when the package is updated and it adds new ones. All users of squid should upgrade to this updated package, which resolves these issues. Moderate Copyright 2006 Red Hat, Inc. CVE-2005-2917 squid child processes exit with signal 6.. squid crashes pam authentication fails CVE-2005-2917 Squid malformed NTLM authentication DoS Squid blocks page served by broken server Error pages should not be replaced by updates One translated Polish language error is missing preventing squid from startup Squid doesn't handle headers split across packets cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the security issues described below: - a flaw in network IGMP processing that a allowed a remote user on the local network to cause a denial of service (disabling of multicast reports) if the system is running multicast applications (CVE-2002-2185, moderate) - a flaw which allowed a local user to write to firmware on read-only opened /dev/cdrom devices (CVE-2004-1190, moderate) - a flaw in gzip/zlib handling internal to the kernel that may allow a local user to cause a denial of service (crash) (CVE-2005-2458, low) - a flaw in procfs handling during unloading of modules that allowed a local user to cause a denial of service or potentially gain privileges (CVE-2005-2709, moderate) - a flaw in the SCSI procfs interface that allowed a local user to cause a denial of service (crash) (CVE-2005-2800, moderate) - a flaw in 32-bit-compat handling of the TIOCGDEV ioctl that allowed a local user to cause a denial of service (crash) (CVE-2005-3044, important) - a race condition when threads share memory mapping that allowed local users to cause a denial of service (deadlock) (CVE-2005-3106, important) - a flaw when trying to mount a non-hfsplus filesystem using hfsplus that allowed local users to cause a denial of service (crash) (CVE-2005-3109, moderate) - a minor info leak with the get_thread_area() syscall that allowed a local user to view uninitialized kernel stack data (CVE-2005-3276, low) - a flaw in mq_open system call that allowed a local user to cause a denial of service (crash) (CVE-2005-3356, important) - a flaw in set_mempolicy that allowed a local user on some 64-bit architectures to cause a denial of service (crash) (CVE-2005-3358, important) - a flaw in the auto-reap of child processes that allowed a local user to cause a denial of service (crash) (CVE-2005-3784, important) - a flaw in the IPv6 flowlabel code that allowed a local user to cause a denial of service (crash) (CVE-2005-3806, important) - a flaw in network ICMP processing that allowed a local user to cause a denial of service (memory exhaustion) (CVE-2005-3848, important) - a flaw in file lease time-out handling that allowed a local user to cause a denial of service (log file overflow) (CVE-2005-3857, moderate) - a flaw in network IPv6 xfrm handling that allowed a local user to cause a denial of service (memory exhaustion) (CVE-2005-3858, important) - a flaw in procfs handling that allowed a local user to read kernel memory (CVE-2005-4605, important) All Red Hat Enterprise Linux 4 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum. Important Copyright 2006 Red Hat, Inc. CVE-2002-2185 CVE-2004-1190 CVE-2005-2458 CVE-2005-2709 CVE-2005-2800 CVE-2005-3044 CVE-2005-3106 CVE-2005-3109 CVE-2005-3276 CVE-2005-3356 CVE-2005-3358 CVE-2005-3784 CVE-2005-3806 CVE-2005-3848 CVE-2005-3857 CVE-2005-3858 CVE-2005-4605 CVE-2004-1190 Continued raw access issues CVE-2005-2458 gzip/zlib flaws CVE-2005-2800 SCSI proc DoS CVE-2005-3044 lost fput and sockfd_put could lead to DoS CVE-2005-3276 sys_get_thread_area minor info leak CVE-2005-2709 More sysctl flaws CVE-2005-3356 double decrement of mqueue_mnt->mnt_count in sys_mq_open CVE-2005-3106 exec_mmap race DoS CVE-2005-3109 HFS oops [RHEL4] CVE-2005-3784 auto-reap DoS CVE-2005-3806 ipv6 DOS [RHEL4] CVE-2005-3857 lease printk DoS CVE-2005-3858 ip6_input_finish DoS CVE-2005-3848 dst_entry leak DoS CVE-2002-2185 IGMP DoS CVE-2005-3358 panic caused by bad args to set_mempolicy CVE-2005-4605 Kernel memory disclosure cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The vixie-cron package contains the Vixie version of cron. Cron is a standard UNIX daemon that runs specified programs at scheduled times. A bug was found in the way vixie-cron installs new crontab files. It is possible for a local attacker to execute the crontab command in such a way that they can view the contents of another user's crontab file. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-1038 to this issue. This update also fixes an issue where cron jobs could start before their scheduled time. All users of vixie-cron should upgrade to this updated package, which contains backported patches and is not vulnerable to these issues. Low Copyright 2008 Red Hat, Inc. CVE-2005-1038 [RHEL-3] cronjobs start too early CVE-2005-1038 vixie-cron information leak prediction: vixie-cron-4.1's pam_unix session log messages will be most unpopular network service interruption can cause initgroups() to delay cron job execution by more than one minute cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 SpamAssassin provides a way to reduce unsolicited commercial email (SPAM) from incoming email. A denial of service bug was found in SpamAssassin. An attacker could construct a message in such a way that would cause SpamAssassin to crash. If a number of these messages are sent, it could lead to a denial of service, potentially preventing the delivery or filtering of email. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CVE-2005-3351 to this issue. The following issues have also been fixed in this update: * service spamassassin restart sometimes fails * Content Boundary "--" throws off message parser * sa-learn: massive memory usage on large messages * High memory usage with many newlines * service spamassassin messages not translated * Numerous other bug fixes that improve spam filter accuracy and safety Users of SpamAssassin should upgrade to this updated package containing version 3.0.5, which is not vulnerable to these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2005-3351 CVE-2005-3351 Upgrade to spamassassin-3.0.5 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The Linux kernel handles the basic functions of the operating system. This is the third regular kernel update to Red Hat Enterprise Linux 4. New features introduced in this update include: - Open InfiniBand (OpenIB) support - Serial Attached SCSI support - NFS access control lists, asynchronous I/O - IA64 multi-core support and sgi updates - Large SMP CPU limits increased using the largesmp kernel: Up to 512 CPUs in ia64, 128 in ppc64, and 64 in AMD64 and Intel EM64T - Improved read-ahead performance - Common Internet File System (CIFS) update - Error Detection and Correction (EDAC) modules - Unisys support There were several bug fixes in various parts of the kernel. The ongoing effort to resolve these problems has resulted in a marked improvement in the reliability and scalability of Red Hat Enterprise Linux 4. The following security bug was fixed in this update: - dm-crypt did not clear a structure before freeing it, which could allow local users to discover information about cryptographic keys (CVE-2006-0095) The following device drivers have been upgraded to new versions: cciss: 2.6.8 to 2.6.8-rh1 ipmi_devintf: 33.4 to 33.11 ipmi_msghandler: 33.4 to 33.11 ipmi_poweroff: 33.4 to 33.11 ipmi_si: 33.4 to 33.11 ipmi_watchdog: 33.4 to 33.11 mptbase: 3.02.18 to 3.02.60.01rh e1000: 6.0.54-k2-NAPI to 6.1.16-k2-NAPI ixgb: 1.0.95-k2-NAPI to 1.0.100-k2-NAPI tg3: 3.27-rh to 3.43-rh aacraid: 1.1.2-lk2 to 1.1-5[2412] ahci: 1.01 to 1.2 ata_piix: 1.03 to 1.05 iscsi_sfnet: 4:0.1.11-1 to 4:0.1.11-2 libata: 1.11 to 1.20 qla2100: 8.01.00b5-rh2 to 8.01.02-d3 qla2200: 8.01.00b5-rh2 to 8.01.02-d3 qla2300: 8.01.00b5-rh2 to 8.01.02-d3 qla2322: 8.01.00b5-rh2 to 8.01.02-d3 qla2xxx: 8.01.00b5-rh2 to 8.01.02-d3 qla6312: 8.01.00b5-rh2 to 8.01.02-d3 sata_nv: 0.6 to 0.8 sata_promise: 1.01 to 1.03 sata_svw: 1.06 to 1.07 sata_sx4: 0.7 to 0.8 sata_vsc: 1.0 to 1.1 cifs: 1.20 to 1.34 Added drivers: bnx2: 1.4.25 dell_rbu: 0.7 hangcheck-timer: 0.9.0 ib_mthca: 0.06 megaraid_sas: 00.00.02.00 qla2400: 8.01.02-d3 typhoon: 1.5.7 All Red Hat Enterprise Linux 4 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum. Moderate Copyright 2008 Red Hat, Inc. CVE-2006-0095 RHEL4 (IPF): Support for Additional function in Intel's Monticeto processor (HW) RHEL4: Infiniband support RHEL4 U2: SATA ATAPI support (including ESB2) sym driver creates voluminous /var/log/messages entries FEAT: RHEL 4 U3: ia64 needs hint@pause in spinloop spin loops on both ia32 and ia32e need cpu_relax bonding mode=6 + dhcp doesn't work correctly ia32 apps that are not large file aware can access files >= 4GB SMART support in SATA driver (P1) qlogic fabric rediscovery functionality missing On few Nocona based platforms, acpi-cpufreq driver assumes the wrong CPU freq at boot time RHEL 4 Kernel does not provide ACL support over NFS Amanda hangs on backup in case of ip_conntrack_amanda is used (RHEL4) large usb flash drive require reboot to mount more than once umount fails on nfs server side when nfs client does heavy io Unisys' x86_64 ES7000 loses legacy devices during boot when using latest ES7000 platform code Writing large file to 1TB ext3 volume sometimes very slow SCTP memory consumption, additional fixes Missing SHUTDOWN notification with SCTP stream socket [RHEL4-U3] PCI Hotplug - Slot powered off after enabling ES7000 systems won't boot with large configuration Diskdump fails through ipr driver USB Key stops working after upgrade to U1 dangling POSIX locks after close Assertion failure in journal_commit_transaction() at fs/jbd/commit.c:790: "jh->b_next_transaction == ((void *)0)" Oracle Hangs with directio and aio using NFS sysfs_remove_dir() de-references NULL pointer RHEL4 Panics at smp_apic_timer_interrupt Problem with b44: SIOCSIFFLAGS: Cannot allocate memory read() with count > 0xffffffff panics kernel at fs/direct-io.c:886 [RHEL4] 'getpriority/setpriority' broken with PRIO_USER, who=0 io_cancel doesn't work properly System occasionally experienced system hangs. Assertion failure in log_do_checkpoint request backport of fc transport class HBA port_id for dm-multipath Kernel PANIC - not syncing: fatal exception qetharp 'Operation not supported' on non-layer2 guestlan PANIC at rpc_wake_up_status Bug in IPv6 address adding error path Bonding driver fails to switch to backup link Bugs in kernel key managment syscall interface Bad order for release_region in error exit from i810_probe acct does not have Large File Support 2.6: /sbin/service iptables stop hangs on modprobe -r ipt_state NFS/RPC - timestamp conversion is wrong rpmbuild --rebuild glibc-2.3.4-2.12.src.rpm hangs (same problem with glibc-2.3.4-2.9.src.rpm) Erratic behaviour when system fd limit reached 2.6.9-16.ELsmp null pointer dereference in __bounce_end_io_read on x86_64 mount/umount can cause the block device reads to fail [RHEL4 U1] OOPS removing ahci driver [RHEL4 U1] Bonding driver does not switch to backup interface upon active interface failure under heavy UDP traffic NFSv3 locking misses important kernel patches RHEL4 Panic in __wake_up_common (networking) Multicast domain membership doesn't follow bonding failover RHEL4 __copy_user breaks on unaligned src RHEL4 U2 performance regression running enterprise workload FEAT RHEL4 U3: 10GigE Neterion Driver Update (S2io) [RHEL4] hangcheck-timer not compiled in RHEL4 on IA64 SCTP association restart problem, possible backport ipmi_poweroff driver update for Dell <8G servers [RHEL4 U1][diskdump] Diskdump from OS_INIT fails. autofs removes leading path components of /net mounts on timeout FEAT: [RHEL4 U3] kernel dm: Statistic information about dm devices (*) wait() and waitpid() return inconsistencies under high load [FEAT:][RHEL 4 U3]LVM2 Snapshot support of root [Texas Instruments] nfs bindresvport: Address already in use oops in gss_pipe_release() ls hangs on krb5 mountd when user has not kinit-ed NFS client oops when debugging is on CRM648268: kernel reporting init process cutime as very large negative value Cache invalidation bug in nfs v3 Bad: kernel panic on boot (kernel-2.6.9-22.EL) kernel_lock() problem through NFS mount iSCSI connection recovery uses session address instead of portal address device-mapper mirroring backwards compatibility issue Neterion(S2io) adapter not functional after running offline diagnostics RHEL 4 Update 2 Incompatibility with VMware ESX 2.5.2 Marvell Yukon 88E8050 ethernet interface not supported Kernel oops killing process with open files on a NFS3 krb5 mount after /var/lib/nfs/rpc_pipefs has been unmounted FEAT RHEL4 U3 [diskdump]: kernel - support compressing dump data USB: khubd deadlock on error path Kernel key management facility improvements nfsd: clear signals before exiting the nfsd() thread linux-2.6.13-key-reiserfs.patch is incomplete Can't reboot on IBM xSeries 236. rhel4 u2 - Null pointer dereference in alc880_auto_fill_dac_nids rhel4 modules loading signing issue rename(2) onto an empty directory fails on NFS file systems Large LUNS can't be seen with Hitachi Open-L SAN No analog audio with the "Intel Corporation Enterprise Southbridge High Definition Audio (rev 08)" Difficulty with some iSCSI targets in iscsi_sfnet netpoll can dereference a null pointer, causing a system crash [RHEL4] tuxstat SIGSEGV NMI watchdog panic during cache_alloc_refill with corrupt size-128 slabcache kernel dm: dm-ioctl memory leak on attempt to load non-existing mapping Lock at "Initializing hardware... storage network" caused by ULi HD Audio controller enabled. autofs doesn't remount if nfs server is unreachable at expire time kernel dm: DM_LIST_VERSIONS_CMD ioctl reponse truncated kernel dm: Notify userspace when a device is renamed. kernel dm-log: big endian 64-bit corruption kernel dm-log: Make mirror log arch-independent kernel dm: move bdget outside lockfs kernel dm: Make lock_fs optional. kernel dm snapshot: Separate out metadata reading. kernel dm snapshot: Load metadata on table creation not resumption. kernel dm snapshot: Reduce PF_MEMALLOC usage kernel dm multipath: Fix do_end_io locking. race condition when expiring ghosted autofs mounts kernel dm snapshot: bio_list_merge fix Fix for SystemTap bugzilla #1345 - return probe on do_execve unable to create sgi_sn/ptc_statistics" printed to the console Further key management facility improvements Permit key management to request already running process to instantiate a key GFS deadlock - gfs_write (do_write_direct) and gfs_setattr (do_truncate) kernel bug at mm/prio_tree.c SCSI errors with latest qlogic driver Provide support for more than 8 logical processors System became unresponsive to local commands. Diskdump overwrite by SATA update Audit fails to record syscall failures when asked to via auditctl [audit][PATCH] New user space message types broken U3 modsyms autofs doesn't attempt to remount failed mount points Kernel panic. Server hangs and is totally unresponsive until a power cycle brings it back online. setxattr() to a file on NFS returns EIO hang-check timer needs to be build on S390/S390x broken memsets in s390 drivers. device-mapper mirror log: avoid overrun while syncing CVE-2006-0095 dm-crypt key leak Please consider upping NR_CPUS to 16 for x86_64 Early panic in "io_apic_get_unique_id" on 4CPU, dual-core HT enabled EM64T System Kernel panic while running NFS ACL test Add aic94xx and sas code into RHEL4 U3 Largesmp kernel does not see all logical CPUs on IBM x460 kernel device-mapper snapshot: barriers are not supported AIM7 File Server Performance -15% relative to U2 BIOS bug shows the wrong number of CPUs CPU's being incorrectly numbered /proc/cpuinfo shows wrong value SCSI LLDD's oops on rmmod if devices scan w/ PQ=3 lvremove panic in dm_mod:kcopyd_client_destroy while attempting to remove a snapshot NPTL: under xterm -e process receives SIGHUP when child thread exits kabi violation in multi-core detection patch device-mapper mirror removal stuck on kcopyd_client_destroy (pvmove hangs) RHEL4 U3 "noht" boot parameter sometimes disables dual core support as well as ht support cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the security issues described below: - a flaw in network IGMP processing that a allowed a remote user on the local network to cause a denial of service (disabling of multicast reports) if the system is running multicast applications (CVE-2002-2185, moderate) - a flaw in remap_page_range() with O_DIRECT writes that allowed a local user to cause a denial of service (crash) (CVE-2004-1057, important) - a flaw in exec() handling on some 64-bit architectures that allowed a local user to cause a denial of service (crash) (CVE-2005-2708, important) - a flaw in procfs handling during unloading of modules that allowed a local user to cause a denial of service or potentially gain privileges (CVE-2005-2709, moderate) - a flaw in IPv6 network UDP port hash table lookups that allowed a local user to cause a denial of service (hang) (CVE-2005-2973, important) - a flaw in 32-bit-compat handling of the TIOCGDEV ioctl that allowed a local user to cause a denial of service (crash) (CVE-2005-3044, important) - a network buffer info leak using the orinoco driver that allowed a remote user to possibly view uninitialized data (CVE-2005-3180, important) - a flaw in IPv4 network TCP and UDP netfilter handling that allowed a local user to cause a denial of service (crash) (CVE-2005-3275, important) - a flaw in the IPv6 flowlabel code that allowed a local user to cause a denial of service (crash) (CVE-2005-3806, important) - a flaw in network ICMP processing that allowed a local user to cause a denial of service (memory exhaustion) (CVE-2005-3848, important) - a flaw in file lease time-out handling that allowed a local user to cause a denial of service (log file overflow) (CVE-2005-3857, moderate) - a flaw in network IPv6 xfrm handling that allowed a local user to cause a denial of service (memory exhaustion) (CVE-2005-3858, important) All Red Hat Enterprise Linux 3 users are advised to upgrade their kernels to the packages associated with their machine architecture and configurations as listed in this erratum. Important Copyright 2006 Red Hat, Inc. CVE-2002-2185 CVE-2004-1057 CVE-2005-2708 CVE-2005-2709 CVE-2005-2973 CVE-2005-3044 CVE-2005-3180 CVE-2005-3275 CVE-2005-3806 CVE-2005-3848 CVE-2005-3857 CVE-2005-3858 CVE-2004-1057 VM_IO refcount issue CVE-2005-2708 user code panics kernel in exec.c CVE-2005-3044 lost fput could lead to DoS CVE-2005-2709 More sysctl flaws CVE-2005-3180 orinoco driver information leakage CVE-2005-2973 ipv6 infinite loop CVE-2005-3275 NAT DoS CVE-2005-3806 ipv6 DOS CVE-2005-3857 lease printk DoS CVE-2005-3858 ip6_input_finish DoS CVE-2005-3848 dst_entry leak DoS CVE-2002-2185 IGMP DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Linux kernel handles the basic functions of the operating system. This is the seventh regular kernel update to Red Hat Enterprise Linux 3. New features introduced by this update include: - addition of the bnx2, dell_rbu, and megaraid_sas device drivers - support for multi-core, multi-threaded Intel Itanium processors - upgrade of the SATA subsystem to include ATAPI and SMART support - optional tuning via the new numa_memory_allocator, arp_announce, and printk_ratelimit sysctls There were many bug fixes in various parts of the kernel. The ongoing effort to resolve these problems has resulted in a marked improvement in the reliability and scalability of Red Hat Enterprise Linux 3. There were numerous driver updates and security fixes (elaborated below). Other key areas affected by fixes in this update include the networking subsystem, the VM subsystem, NPTL handling, autofs4, the USB subsystem, CPU enumeration, and 32-bit-exec-mode handling on 64-bit architectures. The following device drivers have been upgraded to new versions: aacraid -------- 1.1.5-2412 bnx2 ----------- 1.4.30 (new) dell_rbu ------- 2.1 (new) e1000 ---------- 6.1.16-k3 emulex --------- 7.3.3 fusion --------- 2.06.16.02 ipmi ----------- 35.11 megaraid2 ------ v2.10.10.1 megaraid_sas --- 00.00.02.00 (new) tg3 ------------ 3.43RH The following security bugs were fixed in this update: - a flaw in gzip/zlib handling internal to the kernel that allowed a local user to cause a denial of service (crash) (CVE-2005-2458,low) - a flaw in ext3 EA/ACL handling of attribute sharing that allowed a local user to gain privileges (CVE-2005-2801, moderate) - a minor info leak with the get_thread_area() syscall that allowed a local user to view uninitialized kernel stack data (CVE-2005-3276, low) Note: The kernel-unsupported package contains various drivers and modules that are unsupported and therefore might contain security problems that have not been addressed. All Red Hat Enterprise Linux 3 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum. Moderate Copyright 2008 Red Hat, Inc. CVE-2005-2458 CVE-2005-2801 CVE-2005-3276 CVE-2005-4798 pppd receives error "Couldn't get channel number: bad address" RHEL3 U5: Support for SATA features of ICH6R (for U3, AHCI only) RHEL3 U3: ICH6 SATA support in ACHI mode RHEL3 U6: SATA ATAPI support (HW) kernel's Makefile not suited for long directory paths RHEL3 U4: SATA AHCI (ICH6) kernel panic when repeatedly accessing /proc/bus/usb/devices and hot-swapping usb device Processes with Large memory requirment causes swap usage with free memory is present. kernel kills db2 processes because of OOM error on RHEL Update2 and Update3 RHEL3 U7: Add SMART capabilities to libata. Hugepages configured on kernel boot line causes x86_64 kernel boot to fail with OOM. oops when "scsi add-single-device" sent to /proc/scsi/scsi using aic79xx [RHEL3 U3] kernel BUG at exit.c:620! LTC18371- [RHEL3 U4]cpu_sibling_map[] is incorrect on x445/x440 'noht' does not work for ia32e Cannot disable hyperthreading on x86_64 platform autofs removes leading path components of /net mounts on timeout LTC12369-In RHEL 3 U4 -- top command gave segmentation fault Viper: install kernel panics on DP system with 4GB all on cpu#2 [RHEL3] poll() seems to ignore large timeout SMART support in SATA driver pl2303 kernel module doesn't work with 'Aten UC-232A' O_DIRECT to sparse areas of files give incomplete writes Can't install RHEL3 on system with Adaptec AAR 1210SA SATA controller (sata_sil - siimage problem) RHEL3 U5: rhgb-client shows illegal instruction and fails. aacraid driver in RHEL 3 U4 em64t causes kernel panic megaraid2 driver causes panic if loaded for a second time Crash on relocated automounts with --bind System crash when dump or tar 64k blocksize to tape from raid LTC13414-32-bit ping6 on 64-bit kernel not working [RHEL3 U5] fails to boot installer on multiple platforms FEAT: RHEL3 U5: need hint@pause in ia64 spinloops FEAT RHEL3 U7 IPF - performance improvement for the system which CPEI occur continuously. RHEL 3 U6: Support for cache identification through 'Deterministic Cache Parameters' [cpuid(4)] [ CRM 488904 ] driver update for Adaptec 2410SA needed (1.1.5-2361 > 1.1.5-2371 or higher) RHEL3 does not support USBDEVFS 32-bit ioctls on x86_64 Advanced server 3 ARP timeout messages RSS limited to 1.8GB if process pinned to one CPU [RHEL3] Does not boot on system with ACPI table crossing page boundary [RHEL 3 U5] adding hotplug drive causes kernel panic [RHEL3] vi --- files getting deleted agpgart will not load for kernel 2.4.21-32 on tyan S2885 motherboard with AMD-8151 agp tunnel Keyboard "jammed" during smp runlevel 5 boot on IBM HS20-8843 BladeServer [RHEL3] hidden bomb of kmap_atomic/kunmap_atomic bug? CVE-2005-2801 Lost ACLs on ext3 Reproducable panic in mdadm multipathing Sometimes data/bss can be executable xserver issue on blade center Race condition accessing PCI config space autofs doesn't remount if nfs server is unreachable at expire time aacraid driver hangs if Adaptec 2230SLP array not optimal st causes system hang and kernel panic when writing to tape on x86_64 Problem with b44: SIOCSIFFLAGS: Cannot allocate memory (VM) Excessive swapping when free memory is ample [RHEL3 and RHEL2.1] ps command core dump LTC8356-LSB runtime testcase T.c_oflag_X failed [PATCH] Endless loop printing traceback during kernel OOPs Explain why the SCSI inquiry is not being returned from the sd for nearly 5 minutes [RHEL3] change_page_attr may set _PAGE_NX for kernel code pages LTC13178-panic on i5 - sys_ppc32.c 32 bit sys_recvmsg corrupting kernel data structures RHEL3U5 x86-64 : xw9300 & numa=on swaps behaviour is unexpected FEAT: RHEL3 U6: ia64 multi-core and multi-threading detection [RHEL3] [x86_64/ia64] sys_time and sys_gettimeofday disagree U5 beta encounters NMI watchdog on Celestica Quartet with 4 Opteron 875 dualcores [RHEL3 U5] __wtd_down_from_wakeup not in EL3 ia64 tree LTC12403-CMVC482920:I/O errors caused by eeh error injection-drive unavailable NFS lockd deadlock /usr/src/linux-2.4.21-32.EL/Documentation/networking/e100.txt contians bad info RHEL 3 - request to add bnx2 driver acct does not have Large File Support FEAT RHEL3U7: Need Intel e1000 driver update for the Dell Ophir/Rimon based PCI-E NICs SMP kernel does not honor boot parameter "noht" [RHEL3] The system hangs when SysRq + c is pressed Panic after ENXIO with usb-uhci Problem removing a USB device CVE-2005-2458 gzip/zlib flaws Inquiry (sg) command hang after a write to tape with mptscsi driver The msync(MS_SYNC) call should fail after cable pulled from scsi disk HA NFS Cluster Problem cciss disk dump hangs if module is ever unloaded/reloaded Erratic behaviour when system fd limit reached aacraid driver needs to be updated to support IBM ServeRAID 8i aacraid driver needs to be updated to support IBM ServeRAID 8i CRM619504: setrlimit RLIMIT_FSIZE limited to 32-bit values, even on 64-bit kernels [RHEL3 U5] waitpid() returns unexpected ECHILD RHEL3: need updated forcedeth.o driver? CRM648268: kernel reporting init process cutime as very large negative value FEAT RHEL3 U7: Need 'bnx2' driver inclusion to support Broadcom 5708C B0 NIC and 5708S BO LOM FEAT RHEL3 U7: LSI megaraid_sas driver Potential netconsole regression in transmit path LTC17567-Fields 'system_potential_processor' and 'partition_max_entiteled_capacity' fields are missing from lparcfg file FEAT RHEL3 U7: ipmi driver speedup patch FEAT RHEL3 U7: ipmi_poweroff driver update for Dell <8G servers Large O_DIRECT write will hang system (MPT fusion) kill -6 of multi-threaded application takes 30 minutes to finish FEAT RHEL3-U7: Support for HT1000 IDE chipset needed RHEL3 U7: x86_64: Remove unique APIC/IO-APIC ID check RH EL 3 U7: add support for Broadcom 5714 and 5715C NICs FEAT RHEL3 U7: add dell_rbu driver for Dell BIOS updates FEAT RHEL3 U7: Need TG3 update to support Broadcom 5721 C1 stepping kernel BUG at page_alloc.c:391! CVE-2005-3276 sys_get_thread_area minor info leak RHEL3U7: ipmi driver fix for PE2650 LSI MegaRAID RHEL3 Feature - Updated SCSI driver submission CVE-2005-4798 nfs client: handle long symlinks properly [RHEL3 U6] __copy_user/memcpy causes random kernel panic on IA-64 systems CRM# 685278 scsi scan not seeing all luns when one lun removed [RHEL3] 'getpriority/setpriority' broken with PRIO_USER, who=0 [RHEL3 U5] Performance problem while extracting tarballs on Fujitsu Siemens Computing D1409, Adaptec S30 array, connected to an aacraid controller. LTC18779-Lost dirty bit in kernel memory managment [PATCH] RHEL-3: 'physical id' field in /proc/cpuinfo incorrect on AMD-64 hosts [RHEL3 U5] Kernel crashing, multiple panics in aacraid driver [RHEL3 U7] netdump hangs in processing of CPU stop after diskdump failed. LTC17955-82222: Support for Serverworks chipset HT2000 Ethernet Driver (BCM5700 & TG3) Broadcom 5706/5708 support System Stops responding with "queue 6 full" messages RedHat / XW9300 / system panic when logout from GNOME with USB mouse LTC18818-pfault interupt race rename(2) onto an empty directory fails on NFS file systems Invalid message 'Aieee!!! Remote IRR still set after unlock' Updated header file with modified author permissions New icache prune export Update Emulex lpfc driver for RHEL 3 Assertion failed! idx >= ARRAY_SIZE(xfer_mode_str),libata-core.c,ata_dev_set_mode,line=1673 [RHEL3 U6] IOs hang in __wait_on_buffer when segments > 170 Multicast domain membership doesn't follow bonding failover LTC19816-Cannot see a concho adapter on U7 kernel [RHEL3 U7 PATCH] LSI PCI Express chips to operate properly [RHEL3 U7] x86-64: Can't boot with 16 logical processors Installer appears to hang when loading mptbase module x366 NMI error logged in infinite loop - [crm#769552] Possible regression U7 beta CRM 724200: when an active USB serial port device is removed, the system panics and locks up. autofs doesn't attempt to remount failed mount points negative dentry caching causes long delay when dentry becomes valid RHEL3U7Beta-32: Booting/Installing with SATA ATAPI Optical panics cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Ethereal is a program for monitoring network traffic. Two denial of service bugs were found in Ethereal's IRC and GTP protocol dissectors. Ethereal could crash or stop responding if it reads a malformed IRC or GTP packet off the network. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the names CVE-2005-3313 and CVE-2005-4585 to these issues. A buffer overflow bug was found in Ethereal's OSPF protocol dissector. Ethereal could crash or execute arbitrary code if it reads a malformed OSPF packet off the network. (CVE-2005-3651) Users of ethereal should upgrade to these updated packages containing version 0.10.14, which is not vulnerable to these issues. Moderate Copyright 2006 Red Hat, Inc. CVE-2005-3313 CVE-2005-3651 CVE-2005-4585 CVE-2005-3313 Ethereal IRC dissector DoS CVE-2005-4585 ethereal GTP dissector could go into an infinite loop CVE-2005-3651 ethereal OSPF Protocol Dissector Buffer Overflow Vulnerability cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The Apache HTTP Server is a popular and freely-available Web server. A memory leak in the worker MPM could allow remote attackers to cause a denial of service (memory consumption) via aborted connections, which prevents the memory for the transaction pool from being reused for other connections. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-2970 to this issue. This vulnerability only affects users who are using the non-default worker MPM. A flaw in mod_imap when using the Referer directive with image maps was discovered. With certain site configurations, a remote attacker could perform a cross-site scripting attack if a victim can be forced to visit a malicious URL using certain web browsers. (CVE-2005-3352) A NULL pointer dereference flaw in mod_ssl was discovered affecting server configurations where an SSL virtual host is configured with access control and a custom 400 error document. A remote attacker could send a carefully crafted request to trigger this issue which would lead to a crash. This crash would only be a denial of service if using the non-default worker MPM. (CVE-2005-3357) Users of httpd should update to these erratum packages which contain backported patches to correct these issues along with some additional bugs. Moderate Copyright 2006 Red Hat, Inc. CVE-2005-2970 CVE-2005-3352 CVE-2005-3357 mod_ssl per-directory renegotiation with request body CVE-2005-2970 httpd worker MPM memory consumption DoS CVE-2005-3352 cross-site scripting flaw in mod_imap CVE-2005-3357 mod_ssl crash cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 TeTeX is an implementation of TeX. TeX takes a text file and a set of formatting commands as input and creates a typesetter-independent .dvi (DeVice Independent) file as output. Several flaws were discovered in the teTeX PDF parsing library. An attacker could construct a carefully crafted PDF file that could cause teTeX to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project assigned the names CVE-2005-3191, CVE-2005-3192, CVE-2005-3193, CVE-2005-3624, CVE-2005-3625, CVE-2005-3626, CVE-2005-3627 and CVE-2005-3628 to these issues. Users of teTeX should upgrade to these updated packages, which contain backported patches and are not vulnerable to these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2005-3191 CVE-2005-3192 CVE-2005-3193 CVE-2005-3624 CVE-2005-3625 CVE-2005-3626 CVE-2005-3627 CVE-2005-3628 CVE-2005-3193 xpdf issues (CVE-2005-3191 CVE-2005-3192 CVE-2005-3628) [RHEL4] CVE-2005-3624 Additional xpdf issues (CVE-2005-3625 CVE-2005-3626 CVE-2005-3627) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX(R) operating systems. Chris Evans discovered several flaws in the way CUPS processes PDF files. An attacker could construct a carefully crafted PDF file that could cause CUPS to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project assigned the names CVE-2005-3624, CVE-2005-3625, CVE-2005-3626, and CVE-2005-3627 to these issues. All users of CUPS should upgrade to these updated packages, which contain backported patches to resolve these issues. Important Copyright 2006 Red Hat, Inc. CVE-2005-3624 CVE-2005-3625 CVE-2005-3626 CVE-2005-3627 CVE-2005-3624 Additional xpdf issues (CVE-2005-3625 CVE-2005-3626 CVE-2005-3627) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The mod_auth_pgsql package is an httpd module that allows user authentication against information stored in a PostgreSQL database. Several format string flaws were found in the way mod_auth_pgsql logs information. It may be possible for a remote attacker to execute arbitrary code as the 'apache' user if mod_auth_pgsql is used for user authentication. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-3656 to this issue. Please note that this issue only affects servers which have mod_auth_pgsql installed and configured to perform user authentication against a PostgreSQL database. All users of mod_auth_pgsql should upgrade to these updated packages, which contain a backported patch to resolve this issue. This issue does not affect the mod_auth_pgsql package supplied with Red Hat Enterprise Linux 2.1. Red Hat would like to thank iDefense for reporting this issue. Critical Copyright 2006 Red Hat, Inc. CVE-2005-3656 CVE-2005-3656 mod_auth_pgsql format string issue cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 gpdf is a GNOME based viewer for Portable Document Format (PDF) files. Chris Evans discovered several flaws in the way gpdf processes PDF files. An attacker could construct a carefully crafted PDF file that could cause gpdf to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project assigned the names CVE-2005-3624, CVE-2005-3625, CVE-2005-3626, and CVE-2005-3627 to these issues. Users of gpdf should upgrade to this updated package, which contains a backported patch to resolve these issues. Important Copyright 2006 Red Hat, Inc. CVE-2005-3624 CVE-2005-3625 CVE-2005-3626 CVE-2005-3627 [RHEL4] CVE-2005-3624 Additional xpdf issues (CVE-2005-3625 CVE-2005-3626 CVE-2005-3627) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 ImageMagick(TM) is an image display and manipulation tool for the X Window System that can read and write multiple image formats. A shell command injection flaw was found in ImageMagick's "display" command. It is possible to execute arbitrary commands by tricking a user into running "display" on a file with a specially crafted name. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CVE-2005-4601 to this issue. A format string flaw was discovered in the way ImageMagick handles filenames. It may be possible to execute arbitrary commands by tricking a user into running a carefully crafted ImageMagick command. (CVE-2006-0082) Users of ImageMagick should upgrade to these updated packages, which contain backported patches and are not vulnerable to these issues. Moderate Copyright 2006 Red Hat, Inc. CVE-2005-4601 CVE-2006-0082 CVE-2005-4601 ImageMagick display command shell command injection CVE-2006-0082 ImageMagick format string vulnerability. cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 kdelibs contains libraries for the K Desktop Environment (KDE). A heap overflow flaw was discovered affecting kjs, the JavaScript interpreter engine used by Konqueror and other parts of KDE. An attacker could create a malicious web site containing carefully crafted JavaScript code that would trigger this flaw and possibly lead to arbitrary code execution. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0019 to this issue. NOTE: this issue does not affect KDE in Red Hat Enterprise Linux 3 or 2.1. Users of KDE should upgrade to these updated packages, which contain a backported patch from the KDE security team correcting this issue as well as two bug fixes. Critical Copyright 2006 Red Hat, Inc. CVE-2006-0019 kdegraphics applications crash when Open or Save dialog is opened CVE-2006-0019 kjs encodeuri/decodeuri heap overflow vulnerability pwMutex destroy failure: Device or resource busy cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The gd package contains a graphics library used for the dynamic creation of images such as PNG and JPEG. Several buffer overflow flaws were found in the way gd allocates memory. An attacker could create a carefully crafted image that could execute arbitrary code if opened by a victim using a program linked against the gd library. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CVE-2004-0941 to these issues. Users of gd should upgrade to these updated packages, which contain a backported patch and is not vulnerable to these issues. Moderate Copyright 2006 Red Hat, Inc. CVE-2004-0941 CVE-2004-0941 additional overflows in gd cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The GNU tar program saves many files together in one archive and can restore individual files (or all of the files) from that archive. In 2002, a path traversal flaw was found in the way GNU tar extracted archives. A malicious user could create a tar archive that could write to arbitrary files to which the user running GNU tar has write access (CVE-2002-0399). Red Hat included a backported security patch to correct this issue in Red Hat Enterprise Linux 3, and an erratum for Red Hat Enterprise Linux 2.1 users was issued. During internal testing, we discovered that our backported security patch contained an incorrect optimization and therefore was not sufficient to completely correct this vulnerability. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CVE-2005-1918 to this issue. Users of tar should upgrade to this updated package, which contains a replacement backported patch to correct this issue. Low Copyright 2006 Red Hat, Inc. CVE-2005-1918 CVE-2005-1918 tar archive path traversal issue CVE-2005-1918 tar archive path traversal issue cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 Python is an interpreted, interactive, object-oriented programming language. An integer overflow flaw was found in Python's PCRE library that could be triggered by a maliciously crafted regular expression. On systems that accept arbitrary regular expressions from untrusted users, this could be exploited to execute arbitrary code with the privileges of the application using the library. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-2491 to this issue. Users of Python should upgrade to these updated packages, which contain a backported patch that is not vulnerable to this issue. Moderate Copyright 2006 Red Hat, Inc. CVE-2005-2491 CVE-2005-2491 PCRE heap overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Mozilla is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. Igor Bukanov discovered a bug in the way Mozilla's Javascript interpreter dereferences objects. If a user visits a malicious web page, Mozilla could crash or execute arbitrary code as the user running Mozilla. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0292 to this issue. moz_bug_r_a4 discovered a bug in Mozilla's XULDocument.persist() function. A malicious web page could inject arbitrary RDF data into a user's localstore.rdf file, which can cause Mozilla to execute arbitrary javascript when a user runs Mozilla. (CVE-2006-0296) A denial of service bug was found in the way Mozilla saves history information. If a user visits a web page with a very long title, it is possible Mozilla will crash or take a very long time the next time it is run. (CVE-2005-4134) Note that the Red Hat Enterprise Linux 3 packages also fix a bug when using XSLT to transform documents. Passing DOM Nodes as parameters to functions expecting an xsl:param could cause Mozilla to throw an exception. Users of Mozilla are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Critical Copyright 2008 Red Hat, Inc. CVE-2005-4134 CVE-2006-0292 CVE-2006-0296 CVE-2005-4134 Very long topic history.dat DoS CVE-2006-0292 javascript unrooted access CVE-2006-0296 XULDocument.persist() RDF data injection cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Mozilla Firefox is an open source Web browser. Igor Bukanov discovered a bug in the way Firefox's Javascript interpreter derefernces objects. If a user visits a malicious web page, Firefox could crash or execute arbitrary code as the user running Firefox. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0292 to this issue. moz_bug_r_a4 discovered a bug in Firefox's XULDocument.persist() function. A malicious web page could inject arbitrary RDF data into a user's localstore.rdf file, which can cause Firefox to execute arbitrary javascript when a user runs Firefox. (CVE-2006-0296) A denial of service bug was found in the way Firefox saves history information. If a user visits a web page with a very long title, it is possible Firefox will crash or take a very long time the next time it is run. (CVE-2005-4134) This update also fixes a bug when using XSLT to transform documents. Passing DOM Nodes as parameters to functions expecting an xsl:param could cause Firefox to throw an exception. Users of Firefox are advised to upgrade to this updated package, which contains backported patches to correct these issues. Critical Copyright 2006 Red Hat, Inc. CVE-2005-4134 CVE-2006-0292 CVE-2006-0296 CVE-2005-4134 Very long topic history.dat DoS CVE-2006-0292 javascript unrooted access CVE-2006-0296 XULDocument.persist() RDF data injection cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The xpdf package is an X Window System-based viewer for Portable Document Format (PDF) files. A heap based buffer overflow bug was discovered in Xpdf. An attacker could construct a carefully crafted PDF file that could cause Xpdf to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0301 to this issue. Users of Xpdf should upgrade to this updated package, which contains a backported patch to resolve these issues. Red Hat would like to thank Dirk Mueller for reporting this issue and providing a patch. Important Copyright 2008 Red Hat, Inc. CVE-2006-0301 CVE-2006-0301 PDF splash handling heap overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Mailman is software to help manage email discussion lists. A flaw in handling of UTF8 character encodings was found in Mailman. An attacker could send a carefully crafted email message to a mailing list run by Mailman which would cause that particular mailing list to stop working. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-3573 to this issue. A flaw in date handling was found in Mailman version 2.1.4 through 2.1.6. An attacker could send a carefully crafted email message to a mailing list run by Mailman which would cause the Mailman server to crash. (CVE-2005-4153). Users of Mailman should upgrade to this updated package, which contains backported patches to correct these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2005-3573 CVE-2005-4153 CVE-2005-3573 Mailman Denial of Service CVE-2005-4153 Mailman DOS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The libpng package contains a library of functions for creating and manipulating PNG (Portable Network Graphics) image format files. A heap based buffer overflow bug was found in the way libpng strips alpha channels from a PNG image. An attacker could create a carefully crafted PNG image file in such a way that it could cause an application linked with libpng to crash or execute arbitrary code when the file is opened by a victim. The Common Vulnerabilities and Exposures project has assigned the name CVE-2006-0481 to this issue. Please note that the vunerable libpng function is only used by TeTeX and XEmacs on Red Hat Enterprise Linux 4. All users of libpng are advised to update to these updated packages which contain a backported patch that is not vulnerable to this issue. Moderate Copyright 2006 Red Hat, Inc. CVE-2006-0481 CVE-2006-0481 libpng heap based buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The kdegraphics packages contain applications for the K Desktop Environment including kpdf, a pdf file viewer. A heap based buffer overflow bug was discovered in kpdf. An attacker could construct a carefully crafted PDF file that could cause kpdf to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0301 to this issue. Users of kpdf should upgrade to these updated packages, which contain a backported patch to resolve this issue. Important Copyright 2006 Red Hat, Inc. CVE-2006-0301 CVE-2006-0301 PDF splash handling heap overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The GNU TLS Library provides support for cryptographic algorithms and protocols such as TLS. GNU TLS includes Libtasn1, a library developed for ASN.1 structures management that includes DER encoding and decoding. Several flaws were found in the way libtasn1 decodes DER. An attacker could create a carefully crafted invalid X.509 certificate in such a way that could trigger this flaw if parsed by an application that uses GNU TLS. This could lead to a denial of service (application crash). It is not certain if this issue could be escalated to allow arbitrary code execution. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0645 to this issue. In Red Hat Enterprise Linux 4, the GNU TLS library is only used by the Evolution client when connecting to an Exchange server or when publishing calendar information to a WebDAV server. Users are advised to upgrade to these updated packages, which contain a backported patch from the GNU TLS maintainers to correct this issue. Important Copyright 2006 Red Hat, Inc. CVE-2006-0645 CVE-2006-0645 GnuTLS x509 DER DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The GNU tar program saves many files together in one archive and can restore individual files (or all of the files) from that archive. Jim Meyering discovered a buffer overflow bug in the way GNU tar extracts malformed archives. By tricking a user into extracting a malicious tar archive, it is possible to execute arbitrary code as the user running tar. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CVE-2006-0300 to this issue. Users of tar should upgrade to this updated package, which contains a backported patch to correct this issue. Moderate Copyright 2006 Red Hat, Inc. CVE-2006-0300 CVE-2006-0300 GNU tar heap overlfow bug cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The kdegraphics packages contain applications for the K Desktop Environment including kpdf, a PDF file viewer. Marcelo Ricardo Leitner discovered that a kpdf security fix, CVE-2005-3627, was incomplete. Red Hat issued kdegraphics packages with this incomplete fix in RHSA-2005:868. An attacker could construct a carefully crafted PDF file that could cause kpdf to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0746 to this issue. Users of kpdf should upgrade to these updated packages, which contain a backported patch to resolve this issue. Important Copyright 2006 Red Hat, Inc. CVE-2006-0746 CVE-2006-0746 kpdf buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 Sendmail is a Mail Transport Agent (MTA) used to send mail between machines. A flaw in the handling of asynchronous signals was discovered in Sendmail. A remote attacker may be able to exploit a race condition to execute arbitrary code as root. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0058 to this issue. By default on Red Hat Enterprise Linux 3 and 4, Sendmail is configured to only accept connections from the local host. Therefore, only users who have configured Sendmail to listen to remote hosts would be able to be remotely exploited by this vulnerability. Users of Sendmail are advised to upgrade to these erratum packages, which contain a backported patch from the Sendmail team to correct this issue. Critical Copyright 2008 Red Hat, Inc. CVE-2006-0058 CVE-2006-0058 Sendmail race condition issue cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 GnuPG is a utility for encrypting data and creating digital signatures. Tavis Ormandy discovered a bug in the way GnuPG verifies cryptographically signed data with detached signatures. It is possible for an attacker to construct a cryptographically signed message which could appear to come from a third party. When a victim processes a GnuPG message with a malformed detached signature, GnuPG ignores the malformed signature, processes and outputs the signed data, and exits with status 0, just as it would if the signature had been valid. In this case, GnuPG's exit status would not indicate that no signature verification had taken place. This issue would primarily be of concern when processing GnuPG results via an automated script. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0455 to this issue. Tavis Ormandy also discovered a bug in the way GnuPG verifies cryptographically signed data with inline signatures. It is possible for an attacker to inject unsigned data into a signed message in such a way that when a victim processes the message to recover the data, the unsigned data is output along with the signed data, giving the appearance of having been signed. This issue is mitigated in the GnuPG shipped with Red Hat Enterprise Linux as the --ignore-crc-error option must be passed to the gpg executable for this attack to be successful. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0049 to this issue. Note that neither of these issues affect the way RPM or up2date verify RPM package files, nor is RPM vulnerable to either of these issues. All users of GnuPG are advised to upgrade to this updated package, which contains backported patches to correct these issues. Important Copyright 2006 Red Hat, Inc. CVE-2006-0049 CVE-2006-0455 initial gpg run doesn't create .gnupg/secring.gpg RHEL3, gnupg-1.2.1-10, gpg: Creates corrupt files (probably 2GB problem) CVE-2006-0455 gpg will quietly exit when attempting to verify a malformed message CVE-2006-0049 Gnupg incorrect malformed message verification cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The ipsec-tools package is used in conjunction with the IPsec functionality in the linux kernel and includes racoon, an IKEv1 keying daemon. A denial of service flaw was found in the ipsec-tools racoon daemon. If a victim's machine has racoon configured in a non-recommended insecure manner, it is possible for a remote attacker to crash the racoon daemon. (CVE-2005-3732) Users of ipsec-tools should upgrade to these updated packages, which contain backported patches, and are not vulnerable to these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2005-3732 CVE-2005-3732 ipsec-tools IKE DoS CVE-2005-3732 ipsec-tools IKE DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 FreeRADIUS is a high-performance and highly configurable free RADIUS server designed to allow centralized authentication and authorization for a network. A bug was found in the way FreeRADIUS authenticates users via the MSCHAP V2 protocol. It is possible for a remote attacker to authenticate as a victim by sending a malformed MSCHAP V2 login request to the FreeRADIUS server. (CVE-2006-1354) Please note that FreeRADIUS installations not using the MSCHAP V2 protocol for authentication are not vulnerable to this issue. A bug was also found in the way FreeRADIUS logs SQL errors from the sql_unixodbc module. It may be possible for an attacker to cause FreeRADIUS to crash or execute arbitrary code if they are able to manipulate the SQL database FreeRADIUS is connecting to. (CVE-2005-4744) Users of FreeRADIUS should update to these erratum packages, which contain backported patches and are not vulnerable to these issues. Important Copyright 2006 Red Hat, Inc. CVE-2006-1354 CVE-2005-4744 CVE-2005-4744 Multiple freeradius security issues CVE-2006-1354 FreeRADIUS authentication bypass cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 OpenMotif provides libraries which implement the Motif industry standard graphical user interface. A number of buffer overflow flaws were discovered in OpenMotif's libUil library. It is possible for an attacker to execute arbitrary code as a victim who has been tricked into executing a program linked against OpenMotif, which then loads a malicious User Interface Language (UIL) file. (CVE-2005-3964) Users of OpenMotif are advised to upgrade to these erratum packages, which contain a backported security patch to correct this issue. Moderate Copyright 2006 Red Hat, Inc. CVE-2005-3964 CVE-2005-3964 openmotif libUil buffer overflows cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. The phpinfo() PHP function did not properly sanitize long strings. An attacker could use this to perform cross-site scripting attacks against sites that have publicly-available PHP scripts that call phpinfo(). (CVE-2006-0996) The html_entity_decode() PHP function was found to not be binary safe. An attacker could use this flaw to disclose a certain part of the memory. In order for this issue to be exploitable the target site would need to have a PHP script which called the "html_entity_decode()" function with untrusted input from the user and displayed the result. (CVE-2006-1490) The error handling output was found to not properly escape HTML output in certain cases. An attacker could use this flaw to perform cross-site scripting attacks against sites where both display_errors and html_errors are enabled. (CVE-2006-0208) An input validation error was found in the "mb_send_mail()" function. An attacker could use this flaw to inject arbitrary headers in a mail sent via a script calling the "mb_send_mail()" function where the "To" parameter can be controlled by the attacker. (CVE-2005-3883) A buffer overflow flaw was discovered in uw-imap, the University of Washington's IMAP Server. php-imap is compiled against the static c-client libraries from imap and therefore needed to be recompiled against the fixed version. This issue only affected Red Hat Enterprise Linux 3. (CVE-2005-2933). Users of PHP should upgrade to these updated packages, which contain backported patches that resolve these issues. Moderate Copyright 2006 Red Hat, Inc. CVE-2003-1303 CVE-2005-2933 CVE-2005-3883 CVE-2006-0208 CVE-2006-0996 CVE-2006-1490 PEAR::DB autoExecute function does not work when updating with WHERE clause CVE-2005-3883 PHP mb_send_mail() header parsing issue CVE-2005-2933 imap buffer overflow CVE-2006-0208 PHP Cross Site Scripting (XSS) flaw ImageCreateFromGif does not clean up its temporary file CVE-2006-1490 PHP memory disclosure issue CVE-2006-0996 phpinfo() XSS issue cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The Dia drawing program is designed to draw various types of diagrams. infamous41md discovered three buffer overflow bugs in Dia's xfig file format importer. If an attacker is able to trick a Dia user into opening a carefully crafted xfig file, it may be possible to execute arbitrary code as the user running Dia. (CVE-2006-1550) Users of Dia should update to these erratum packages, which contain backported patches and are not vulnerable to these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2006-1550 CVE-2006-1550 Dia multiple buffer overflows cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 SquirrelMail is a standards-based webmail package written in PHP4. A bug was found in the way SquirrelMail presents the right frame to the user. If a user can be tricked into opening a carefully crafted URL, it is possible to present the user with arbitrary HTML data. (CVE-2006-0188) A bug was found in the way SquirrelMail filters incoming HTML email. It is possible to cause a victim's web browser to request remote content by opening a HTML email while running a web browser that processes certain types of invalid style sheets. Only Internet Explorer is known to process such malformed style sheets. (CVE-2006-0195) A bug was found in the way SquirrelMail processes a request to select an IMAP mailbox. If a user can be tricked into opening a carefully crafted URL, it is possible to execute arbitrary IMAP commands as the user viewing their mail with SquirrelMail. (CVE-2006-0377) Users of SquirrelMail are advised to upgrade to this updated package, which contains SquirrelMail version 1.4.6 and is not vulnerable to these issues. Moderate Copyright 2006 Red Hat, Inc. CVE-2006-0188 CVE-2006-0195 CVE-2006-0377 CVE-2006-0188 Possible XSS through right_frame parameter in webmail.php CVE-2006-0195 Possible XSS in MagicHTML (IE only) CVE-2006-0377 IMAP injection in sqimap_mailbox_select mailbox parameter cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. This package includes the core files necessary for both the OpenSSH client and server. An arbitrary command execution flaw was discovered in the way scp copies files locally. It is possible for a local attacker to create a file with a carefully crafted name that could execute arbitrary commands as the user running scp to copy files locally. (CVE-2006-0225) The SSH daemon, when restricting host access by numeric IP addresses and with VerifyReverseMapping disabled, allows remote attackers to bypass "from=" and "user@host" address restrictions by connecting to a host from a system whose reverse DNS hostname contains the numeric IP address. (CVE-2003-0386) The following issues have also been fixed in this update: * If the sshd service was stopped using the sshd init script while the main sshd daemon was not running, the init script would kill other sshd processes, such as the running sessions. For example, this could happen when the 'service sshd stop' command was issued twice. * When privilege separation was enabled, the last login message was printed only for the root user. * The sshd daemon was sending messages to the system log from a signal handler when debug logging was enabled. This could cause a deadlock of the user's connection. All users of openssh should upgrade to these updated packages, which resolve these issues. Low Copyright 2008 Red Hat, Inc. CVE-2006-0225 CVE-2003-0386 CVE-2003-0386 host based access bypass init script kills all running sshd's if listening server is stopped CVE-2006-0225 local to local copy uses shell expansion twice I can't see "Last login" message after logged via ssh cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Mozilla Firefox is an open source Web browser. Several bugs were found in the way Firefox processes malformed javascript. A malicious web page could modify the content of a different open web page, possibly stealing sensitive information or conducting a cross-site scripting attack. (CVE-2006-1731, CVE-2006-1732, CVE-2006-1741) Several bugs were found in the way Firefox processes certain javascript actions. A malicious web page could execute arbitrary javascript instructions with the permissions of "chrome", allowing the page to steal sensitive information or install browser malware. (CVE-2006-1727, CVE-2006-1728, CVE-2006-1733, CVE-2006-1734, CVE-2006-1735, CVE-2006-1742) Several bugs were found in the way Firefox processes malformed web pages. A carefully crafted malicious web page could cause the execution of arbitrary code as the user running Firefox. (CVE-2006-0748, CVE-2006-0749, CVE-2006-1724, CVE-2006-1730, CVE-2006-1737, CVE-2006-1738, CVE-2006-1739, CVE-2006-1790) A bug was found in the way Firefox displays the secure site icon. If a browser is configured to display the non-default secure site modal warning dialog, it may be possible to trick a user into believing they are viewing a secure site. (CVE-2006-1740) A bug was found in the way Firefox allows javascript mutation events on "input" form elements. A malicious web page could be created in such a way that when a user submits a form, an arbitrary file could be uploaded to the attacker. (CVE-2006-1729) Users of Firefox are advised to upgrade to these updated packages containing Firefox version 1.0.8 which corrects these issues. Critical Copyright 2006 Red Hat, Inc. CVE-2006-0748 CVE-2006-0749 CVE-2006-1724 CVE-2006-1727 CVE-2006-1728 CVE-2006-1729 CVE-2006-1730 CVE-2006-1731 CVE-2006-1732 CVE-2006-1733 CVE-2006-1734 CVE-2006-1735 CVE-2006-1737 CVE-2006-1738 CVE-2006-1739 CVE-2006-1740 CVE-2006-1741 CVE-2006-1742 CVE-2006-1790 CVE-2006-0749 Firefox Tag Order Vulnerability CVE-2006-1741 Cross-site JavaScript injection using event handlers CVE-2006-1742 JavaScript garbage-collection hazard audit CVE-2006-1737 Crashes with evidence of memory corruption (CVE-2006-1738, CVE-2006-1739, CVE-2006-1790)) CVE-2006-1740 Secure-site spoof (requires security warning dialog) CVE-2006-1735 Privilege escalation via XBL.method.eval CVE-2006-1734 Privilege escalation using a JavaScript function's cloned parent CVE-2006-1733 Accessing XBL compilation scope via valueOf.call() CVE-2006-1732 cross-site scripting through window.controllers CVE-2006-0749 Mozilla Firefox Tag Order Vulnerability CVE-2006-1731 Cross-site scripting using .valueOf.call() CVE-2006-1724 Crashes with evidence of memory corruption (1.5.0.2) CVE-2006-1730 CSS Letter-Spacing Heap Overflow Vulnerability CVE-2006-1729 File stealing by changing input type CVE-2006-1728 Privilege escalation using crypto.generateCRMFRequest CVE-2006-1727 Privilege escalation through Print Preview CVE-2006-0748 Table Rebuilding Code Execution Vulnerability cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 Mozilla is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. Several bugs were found in the way Mozilla processes malformed javascript. A malicious web page could modify the content of a different open web page, possibly stealing sensitive information or conducting a cross-site scripting attack. (CVE-2006-1731, CVE-2006-1732, CVE-2006-1741) Several bugs were found in the way Mozilla processes certain javascript actions. A malicious web page could execute arbitrary javascript instructions with the permissions of "chrome", allowing the page to steal sensitive information or install browser malware. (CVE-2006-1727, CVE-2006-1728, CVE-2006-1733, CVE-2006-1734, CVE-2006-1735, CVE-2006-1742) Several bugs were found in the way Mozilla processes malformed web pages. A carefully crafted malicious web page could cause the execution of arbitrary code as the user running Mozilla. (CVE-2006-0748, CVE-2006-0749, CVE-2006-1730, CVE-2006-1737, CVE-2006-1738, CVE-2006-1739, CVE-2006-1790) A bug was found in the way Mozilla displays the secure site icon. If a browser is configured to display the non-default secure site modal warning dialog, it may be possible to trick a user into believing they are viewing a secure site. (CVE-2006-1740) A bug was found in the way Mozilla allows javascript mutation events on "input" form elements. A malicious web page could be created in such a way that when a user submits a form, an arbitrary file could be uploaded to the attacker. (CVE-2006-1729) A bug was found in the way Mozilla executes in-line mail forwarding. If a user can be tricked into forwarding a maliciously crafted mail message as in-line content, it is possible for the message to execute javascript with the permissions of "chrome". (CVE-2006-0884) Users of Mozilla are advised to upgrade to these updated packages containing Mozilla version 1.7.13 which corrects these issues. Critical Copyright 2006 Red Hat, Inc. CVE-2006-0748 CVE-2006-0749 CVE-2006-0884 CVE-2006-1724 CVE-2006-1727 CVE-2006-1728 CVE-2006-1729 CVE-2006-1730 CVE-2006-1731 CVE-2006-1732 CVE-2006-1733 CVE-2006-1734 CVE-2006-1735 CVE-2006-1737 CVE-2006-1738 CVE-2006-1739 CVE-2006-1740 CVE-2006-1741 CVE-2006-1742 CVE-2006-1790 CVE-2006-1741 Cross-site JavaScript injection using event handlers CVE-2006-1742 JavaScript garbage-collection hazard audit CVE-2006-1737 Crashes with evidence of memory corruption (CVE-2006-1738, CVE-2006-1739, CVE-2006-1790) CVE-2006-1740 Secure-site spoof (requires security warning dialog) CVE-2006-1735 Privilege escalation via XBL.method.eval CVE-2006-1734 Privilege escalation using a JavaScript function's cloned parent CVE-2006-1733 Accessing XBL compilation scope via valueOf.call() CVE-2006-1732 cross-site scripting through window.controllers CVE-2006-0749 Mozilla Firefox Tag Order Vulnerability CVE-2006-1731 Cross-site scripting using .valueOf.call() CVE-2006-0884 JavaScript execution in mail when forwarding in-line CVE-2006-1730 CSS Letter-Spacing Heap Overflow Vulnerability CVE-2006-1729 File stealing by changing input type CVE-2006-1728 Privilege escalation using crypto.generateCRMFRequest CVE-2006-1727 Privilege escalation through Print Preview CVE-2006-0748 Table Rebuilding Code Execution Vulnerability cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Mozilla Thunderbird is a standalone mail and newsgroup client. Several bugs were found in the way Thunderbird processes malformed javascript. A malicious HTML mail message could modify the content of a different open HTML mail message, possibly stealing sensitive information or conducting a cross-site scripting attack. Please note that JavaScript support is disabled by default in Thunderbird. (CVE-2006-1731, CVE-2006-1732, CVE-2006-1741) Several bugs were found in the way Thunderbird processes certain javascript actions. A malicious HTML mail message could execute arbitrary javascript instructions with the permissions of 'chrome', allowing the page to steal sensitive information or install browser malware. Please note that JavaScript support is disabled by default in Thunderbird. (CVE-2006-0292, CVE-2006-0296, CVE-2006-1727, CVE-2006-1728, CVE-2006-1733, CVE-2006-1734, CVE-2006-1735, CVE-2006-1742) Several bugs were found in the way Thunderbird processes malformed HTML mail messages. A carefully crafted malicious HTML mail message could cause the execution of arbitrary code as the user running Thunderbird. (CVE-2006-0748, CVE-2006-0749, CVE-2006-1724, CVE-2006-1730, CVE-2006-1737, CVE-2006-1738, CVE-2006-1739, CVE-2006-1790) A bug was found in the way Thunderbird processes certain inline content in HTML mail messages. It may be possible for a remote attacker to send a carefully crafted mail message to the victim, which will fetch remote content, even if Thunderbird is configured not to fetch remote content. (CVE-2006-1045) A bug was found in the way Thunderbird executes in-line mail forwarding. If a user can be tricked into forwarding a maliciously crafted mail message as in-line content, it is possible for the message to execute javascript with the permissions of "chrome". (CVE-2006-0884) Users of Thunderbird are advised to upgrade to these updated packages containing Thunderbird version 1.0.8, which is not vulnerable to these issues. Critical Copyright 2006 Red Hat, Inc. CVE-2006-0292 CVE-2006-0296 CVE-2006-0748 CVE-2006-0749 CVE-2006-0884 CVE-2006-1045 CVE-2006-1724 CVE-2006-1727 CVE-2006-1728 CVE-2006-1730 CVE-2006-1731 CVE-2006-1732 CVE-2006-1733 CVE-2006-1734 CVE-2006-1735 CVE-2006-1737 CVE-2006-1738 CVE-2006-1739 CVE-2006-1741 CVE-2006-1742 CVE-2006-1790 CVE-2006-1741 Cross-site JavaScript injection using event handlers CVE-2006-1742 JavaScript garbage-collection hazard audit CVE-2006-1737 Crashes with evidence of memory corruption (CVE-2006-1738, CVE-2006-1739, CVE-2006-1790) CVE-2006-1735 Privilege escalation via XBL.method.eval CVE-2006-1734 Privilege escalation using a JavaScript function's cloned parent CVE-2006-1733 Accessing XBL compilation scope via valueOf.call() CVE-2006-1732 cross-site scripting through window.controllers CVE-2006-0749 Mozilla Firefox Tag Order Vulnerability CVE-2006-1731 Cross-site scripting using .valueOf.call() CVE-2006-1724 Crashes with evidence of memory corruption (1.5.0.2) CVE-2006-0884 JavaScript execution in mail when forwarding in-line CVE-2006-1730 CSS Letter-Spacing Heap Overflow Vulnerability CVE-2006-1728 Privilege escalation using crypto.generateCRMFRequest CVE-2006-1727 Privilege escalation through Print Preview CVE-2006-1045 Mail Multiple Information Disclosure CVE-2006-0748 Table Rebuilding Code Execution Vulnerability CVE-2006-0292 javascript unrooted access CVE-2006-0296 XULDocument.persist() RDF data injection cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The elfutils packages contain a number of utility programs and libraries related to the creation and maintenance of executable code. The elfutils packages that originally shipped with Red Hat Enterprise Linux 4 were GPL-licensed versions which lacked some functionality. Previous updates provided fully functional versions of elfutils only under the OSL license. This update provides a fully functional, GPL-licensed version of elfutils. In the OSL-licensed elfutils versions provided in previous updates, some tools could sometimes crash when given corrupted input files. (CVE-2005-1704) Also, when the eu-strip tool was used to create separate debuginfo files from relocatable objects such as kernel modules (.ko), the resulting debuginfo files (.ko.debug) were sometimes corrupted. Both of these problems are fixed in the new version. Users of elfutils should upgrade to these updated packages, which resolve these issues. Low Copyright 2006 Red Hat, Inc. CVE-2005-1704 eu-strip mangles separate debuginfo with relocation sections CVE-2005-1704 Integer overflow in libelf Elfutils license upgrade cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The elfutils packages contain a number of utility programs and libraries related to the creation and maintenance of executable code. The elfutils packages that originally shipped with Red Hat Enterprise Linux 3 were GPL-licensed versions which lacked some functionality. Previous updates provided fully functional versions of elfutils only under the OSL license. This update provides a fully functional, GPL-licensed version of elfutils. In the OSL-licensed elfutils versions provided in previous updates, some tools could sometimes crash when given corrupted input files. (CVE-2005-1704) Also, when the eu-strip tool was used to create separate debuginfo files from relocatable objects such as kernel modules (.ko), the resulting debuginfo files (.ko.debug) were sometimes corrupted. Both of these problems are fixed in the new version. Users of elfutils should upgrade to these updated packages, which resolve these issues. Low Copyright 2008 Red Hat, Inc. CVE-2005-1704 CVE-2005-1704 Integer overflow in libelf RHEL3 U8: Elfutils license upgrade eu-strip mangles separate debuginfo with relocation sections cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The Network Time Protocol (NTP) is used to synchronize a computer's time with a reference time source. The NTP daemon (ntpd), when run with the -u option and using a string to specify the group, uses the group ID of the user instead of the group, which causes ntpd to run with different privileges than intended. (CVE-2005-2496) The following issues have also been addressed in this update: - The init script had several problems - The script executed on upgrade could fail - The man page for ntpd indicated the wrong option for specifying a chroot directory - The ntp daemon could crash with the message "Exiting: No more memory!" - There is a new option for syncing the hardware clock after a successful run of ntpdate Users of ntp should upgrade to these updated packages, which resolve these issues. Low Copyright 2006 Red Hat, Inc. CVE-2005-2496 multiple problems with ntpd init.d script CVE-2005-2496 improper group set when running ntpd ntp %post scriptlet fails on upgrade, if ntpd is disabled. ntpd dies with the error "Exiting: out of memory!" ntpdate not invoked when supplying the -x option cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Ethereal is a program for monitoring network traffic. Several denial of service bugs were found in Ethereal's protocol dissectors. Ethereal could crash or stop responding if it reads a malformed packet off the network. (CVE-2006-1932, CVE-2006-1933, CVE-2006-1937, CVE-2006-1938, CVE-2006-1939, CVE-2006-1940) Several buffer overflow bugs were found in Ethereal's COPS, telnet, and ALCAP dissectors as well as Network Instruments file code and NetXray/Windows Sniffer file code. Ethereal could crash or execute arbitrary code if it reads a malformed packet off the network. (CVE-2006-1934, CVE-2006-1935, CVE-2006-1936) Users of ethereal should upgrade to these updated packages containing version 0.99.0, which is not vulnerable to these issues. Moderate Copyright 2006 Red Hat, Inc. CVE-2006-1932 CVE-2006-1933 CVE-2006-1934 CVE-2006-1935 CVE-2006-1936 CVE-2006-1937 CVE-2006-1938 CVE-2006-1939 CVE-2006-1940 CVE-2006-1932 Multiple ethereal issues (CVE-2006-1933, CVE-2006-1934, CVE-2006-1935, CVE-2006-1936, CVE-2006-1937, CVE-2006-1938, CVE-2006-1939, CVE-2006-1940) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 The libtiff package contains a library of functions for manipulating TIFF (Tagged Image File Format) image format files. An integer overflow flaw was discovered in libtiff. An attacker could create a carefully crafted TIFF file in such a way that it could cause an application linked with libtiff to crash or possibly execute arbitrary code. (CVE-2006-2025) A double free flaw was discovered in libtiff. An attacker could create a carefully crafted TIFF file in such a way that it could cause an application linked with libtiff to crash or possibly execute arbitrary code. (CVE-2006-2026) Several denial of service flaws were discovered in libtiff. An attacker could create a carefully crafted TIFF file in such a way that it could cause an application linked with libtiff to crash. (CVE-2006-2024, CVE-2006-2120) All users are advised to upgrade to these updated packages, which contain backported fixes for these issues. Important Copyright 2006 Red Hat, Inc. CVE-2006-2024 CVE-2006-2025 CVE-2006-2026 CVE-2006-2120 CVE-2006-2024 multiple libtiff issues (CVE-2006-2025, CVE-2006-2026) CVE-2006-2120 libtiff DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Ruby is an interpreted scripting language for object-oriented programming. A bug was found in the way Ruby creates its xmlrpc and http servers. The servers use a non blocking socket, which enables a remote user to cause a denial of service condition if they are able to transmit a large volume of information from the network server. (CVE-2006-1931) Users of Ruby should update to these erratum packages, which contain a backported patch and are not vulnerable to this issue. Moderate Copyright 2006 Red Hat, Inc. CVE-2006-1931 CVE-2006-1931 Ruby http/xmlrpc server DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Linux kernel handles the basic functions of the operating system. This is the eighth regular kernel update to Red Hat Enterprise Linux 3. New features introduced by this update include: - addition of the adp94xx and dcdbas device drivers - diskdump support on megaraid_sas, qlogic, and swap partitions - support for new hardware via driver and SCSI white-list updates There were many bug fixes in various parts of the kernel. The ongoing effort to resolve these problems has resulted in a marked improvement in the reliability and scalability of Red Hat Enterprise Linux 3. There were numerous driver updates and security fixes (elaborated below). Other key areas affected by fixes in this update include the networking subsystem, the NFS and autofs4 file systems, the SCSI and USB subsystems, and architecture-specific handling affecting AMD Opteron and Intel EM64T processors. The following device drivers have been added or upgraded to new versions: adp94xx -------- 1.0.8 (new) bnx2 ----------- 1.4.38 cciss ---------- 2.4.60.RH1 dcdbas --------- 5.6.0-1 (new) e1000 ---------- 7.0.33-k2 emulex --------- 7.3.6 forcedeth ------ 0.30 ipmi ----------- 35.13 qlogic --------- 7.07.04b6 tg3 ------------ 3.52RH The following security bugs were fixed in this update: - a flaw in the USB devio handling of device removal that allowed a local user to cause a denial of service (crash) (CVE-2005-3055, moderate) - a flaw in the exec() handling of multi-threaded tasks using ptrace() that allowed a local user to cause a denial of service (hang of a user process) (CVE-2005-3107, low) - a difference in "sysretq" operation of EM64T (as opposed to Opteron) processors that allowed a local user to cause a denial of service (crash) upon return from certain system calls (CVE-2006-0741 and CVE-2006-0744, important) - a flaw in unaligned accesses handling on Intel Itanium processors that allowed a local user to cause a denial of service (crash) (CVE-2006-0742, important) - an info leak on AMD-based x86 and x86_64 systems that allowed a local user to retrieve the floating point exception state of a process run by a different user (CVE-2006-1056, important) - a flaw in IPv4 packet output handling that allowed a remote user to bypass the zero IP ID countermeasure on systems with a disabled firewall (CVE-2006-1242, low) - a minor info leak in socket option handling in the network code (CVE-2006-1343, low) - a flaw in IPv4 netfilter handling for the unlikely use of SNMP NAT processing that allowed a remote user to cause a denial of service (crash) or potential memory corruption (CVE-2006-2444, moderate) Note: The kernel-unsupported package contains various drivers and modules that are unsupported and therefore might contain security problems that have not been addressed. All Red Hat Enterprise Linux 3 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum. Important Copyright 2008 Red Hat, Inc. CVE-2005-3055 CVE-2005-3107 CVE-2006-0741 CVE-2006-0742 CVE-2006-0744 CVE-2006-1056 CVE-2006-1242 CVE-2006-1343 CVE-2006-2444 i8253 count too high! resetting... cannot reboot on Dell 6450 with RHEL 3 i8253 count too high "i8253 count too high! resetting.." ? panics in generic_aio_complete_rw and unmap_kvec after __iodesc_free calls generic_aio_complete_read() Reboot fails on Dell PowerEdge 6450 kernel panic in umount clock_gettime() triggers audit kill from i386 binary on x86_64 autofs (automount) failover does not work kernel oops when unplugging usb serial adapter using pl2303 and mct_u232 System hangs when rebooting Dell PE6450 kernel panic in md driver (md lacks proper locking of device lists) [PATCH] [RHEL3] dpt_i2o modules in RHEL gets oops Implement a better solution to the dma memory allocation done in the kernel megaraid2 driver fails to recognize all LSI RAID adapters when there are more than 4 with >=4GB Hang with radeon driver when DRM DRI actve timer interrupt received twice on ATI chipset motherboard, clock runs at double speed kernel panic when removing active USB serial converter used as serial console Kernel panic on 8GB machines under stress running e1000 diagnostics I/O Errors when swtiching Blade USB Media Tray kernel oops with usbserial (minicom key pressed) Accessing automounted directories can cause a process to hang forever EHCI Host driver violates USB2.0 Specification leading to device failures. Unable to unmount a local file system exported by NFS GART error during bootup kernel crashes with an Ooops CVE-2005-3055 async usb devio oops CVE-2005-3107 zap_threads DoS MCE arg parsing broken on x86-64 [PATCH] bonding: don't drop non-VLAN traffic sys_io_setup() can leak an mm reference on failure Reboot of Dell 6450 fails Kernel panic : Unable to handle kernel paging request at virtual address 6668c79a [RHEL3] [RFE] forcedeth driver on xw9300 has minimal support for ethtool and mii-tool [RHEL3] dump_stack() isn't implemented on x86_64 syslog-only netdump still tries to dump memory bonding mode=6 + dhcp doesn't work correctly Intermittently unable to mount NFS filesystem using autofs --ghost Data corruption in ext3 FS when running hazard (corrupt inodes) Phantom escalating load due to flawed rq->nr_uninterruptible increment IBM x336, x260, and x460 requires acpi=noirq bootup option. ST Tape Driver Bug!! kernel/libc type mismatch on siginfo_t->si_band - breaks FAM on 64bit arches Kernel BUG at pci_dma:43 encountered BNX2 Patch in 2.4.21-40.EL kills "Network Device Support" config menu CVE-2006-1242 Linux zero IP ID vulnerability? CVE-2006-1343 Small information leak in SO_ORIGINAL_DST RHEL3U7 fails installation using RSA(2). Submission of a patch for non-sequential LUN mapping make menuconfig crashes IPMI startup race condition CVE-2006-1056 FPU Information leak on i386/x86-64 on AMD CPUs CVE-2006-2444 SNMP NAT netfilter memory corruption [Beta RHEL3 U8 Regression] Processes hung while allocating stack using gdb cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 X.org is an open source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces such as GNOME and KDE are designed upon. A buffer overflow flaw in the X.org server RENDER extension was discovered. A malicious authorized client could exploit this issue to cause a denial of service (crash) or potentially execute arbitrary code with root privileges on the X.org server. (CVE-2006-1526) Users of X.org should upgrade to these updated packages, which contain a backported patch and is not vulnerable to this issue. This issue does not affect Red Hat Enterprise Linux 2.1 or 3. Important Copyright 2006 Red Hat, Inc. CVE-2006-1526 CVE-2006-1526 X.Org buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Mailman is software to help manage email discussion lists. A flaw was found in the way Mailman handles MIME multipart messages. An attacker could send a carefully crafted MIME multipart email message to a mailing list run by Mailman which would cause that particular mailing list to stop working. (CVE-2006-0052) Users of Mailman should upgrade to this updated package, which contains backported patches to correct this issue. Moderate Copyright 2006 Red Hat, Inc. CVE-2006-0052 CVE-2006-0052 Mailman DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the security issues described below: * a flaw in the IPv6 implementation that allowed a local user to cause a denial of service (infinite loop and crash) (CVE-2005-2973, important) * a flaw in the bridge implementation that allowed a remote user to cause forwarding of spoofed packets via poisoning of the forwarding table with already dropped frames (CVE-2005-3272, moderate) * a flaw in the atm module that allowed a local user to cause a denial of service (panic) via certain socket calls (CVE-2005-3359, important) * a flaw in the NFS client implementation that allowed a local user to cause a denial of service (panic) via O_DIRECT writes (CVE-2006-0555, important) * a difference in "sysretq" operation of EM64T (as opposed to Opteron) processors that allowed a local user to cause a denial of service (crash) upon return from certain system calls (CVE-2006-0741 and CVE-2006-0744, important) * a flaw in the keyring implementation that allowed a local user to cause a denial of service (OOPS) (CVE-2006-1522, important) * a flaw in IP routing implementation that allowed a local user to cause a denial of service (panic) via a request for a route for a multicast IP (CVE-2006-1525, important) * a flaw in the SCTP-netfilter implementation that allowed a remote user to cause a denial of service (infinite loop) (CVE-2006-1527, important) * a flaw in the sg driver that allowed a local user to cause a denial of service (crash) via a dio transfer to memory mapped (mmap) IO space (CVE-2006-1528, important) * a flaw in the threading implementation that allowed a local user to cause a denial of service (panic) (CVE-2006-1855, important) * two missing LSM hooks that allowed a local user to bypass the LSM by using readv() or writev() (CVE-2006-1856, moderate) * a flaw in the virtual memory implementation that allowed local user to cause a denial of service (panic) by using the lsof command (CVE-2006-1862, important) * a directory traversal vulnerability in smbfs that allowed a local user to escape chroot restrictions for an SMB-mounted filesystem via "..\\" sequences (CVE-2006-1864, moderate) * a flaw in the ECNE chunk handling of SCTP that allowed a remote user to cause a denial of service (panic) (CVE-2006-2271, moderate) * a flaw in the handling of COOKIE_ECHO and HEARTBEAT control chunks of SCTP that allowed a remote user to cause a denial of service (panic) (CVE-2006-2272, moderate) * a flaw in the handling of DATA fragments of SCTP that allowed a remote user to cause a denial of service (infinite recursion and crash) (CVE-2006-2274, moderate) All Red Hat Enterprise Linux 4 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum. Important Copyright 2006 Red Hat, Inc. CVE-2005-2973 CVE-2005-3272 CVE-2005-3359 CVE-2006-0555 CVE-2006-0741 CVE-2006-0744 CVE-2006-1522 CVE-2006-1525 CVE-2006-1527 CVE-2006-1528 CVE-2006-1855 CVE-2006-1856 CVE-2006-1862 CVE-2006-1864 CVE-2006-2271 CVE-2006-2272 CVE-2006-2274 CVE-2006-1528 Possible local crash by dio/mmap sg driver CVE-2005-2973 ipv6 infinite loop CVE-2005-3272 bridge poisoning CVE-2005-3359 incorrect inrement/decrement in atm module leads to panic CVE-2006-0555 NFS client panic using O_DIRECT CVE-2006-0741 bad elf entry address (CVE-2006-0744) CVE-2006-1855 Old thread debugging causes false BUG() in choose_new_parent CVE-2006-1522 DoS/bug in keyring code (security/keys/) CVE-2006-1862 The lsof command triggers a kernel oops under heavy load CVE-2006-1525 ip_route_input() panic CVE-2006-1864 smbfs chroot issue CVE-2006-1527 netfilter/sctp: lockup in sctp_new() CVE-2006-2271 SCTP ECNE chunk handling DoS CVE-2006-2272 SCTP incoming COOKIE_ECHO and HEARTBEAT packets DoS CVE-2006-2274 SCTP DATA fragments DoS CVE-2006-1856 LSM missing readv/writev cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 XScreenSaver is a collection of screensavers. A keyboard focus flaw was found in the way XScreenSaver prompts the user to enter their password to unlock the screen. XScreenSaver did not properly ensure it had proper keyboard focus, which could leak a users password to the program with keyboard focus. This behavior is not common, as only certain applications exhibit this focus error. (CVE-2004-2655) Several flaws were found in the way various XScreenSaver screensavers create temporary files. It may be possible for a local attacker to create a temporary file in way that could overwrite a different file to which the user running XScreenSaver has write permissions. (CVE-2003-1294) Users of XScreenSaver should upgrade to this updated package, which contains backported patches to correct these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2003-1294 CVE-2004-2655 CVE-2003-1294 xscreensaver temporary file flaws CVE-2004-2655 xscreensaver passes password to other applications cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 FreeType is a free, high-quality, and portable font engine. Chris Evans discovered several integer underflow and overflow flaws in the FreeType font engine. If a user loads a carefully crafted font file with a program linked against FreeType, it could cause the application to crash or execute arbitrary code as the user. While it is uncommon for a user to explicitly load a font file, there are several application file formats which contain embedded fonts that are parsed by FreeType. (CVE-2006-0747, CVE-2006-1861, CVE-2006-3467) A NULL pointer dereference flaw was found in the FreeType font engine. An application linked against FreeType can crash upon loading a malformed font file. (CVE-2006-2661) Users of FreeType should upgrade to these updated packages, which contain backported patches to correct these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2006-0747 CVE-2006-1861 CVE-2006-2661 CVE-2006-3467 CVE-2006-0747 Freetype integer underflow (CVE-2006-2661) CVE-2006-1861 freetype multiple integer overflows (CVE-2006-3467) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 Sendmail is a Mail Transport Agent (MTA) used to send mail between machines. A flaw in the handling of multi-part MIME messages was discovered in Sendmail. A remote attacker could create a carefully crafted message that could crash the sendmail process during delivery (CVE-2006-1173). By default on Red Hat Enterprise Linux, Sendmail is configured to only accept connections from the local host. Therefore, only users who have configured Sendmail to listen to remote hosts would be remotely vulnerable to this issue. Users of Sendmail are advised to upgrade to these erratum packages, which contain a backported patch from the Sendmail team to correct this issue. Important Copyright 2008 Red Hat, Inc. CVE-2006-1173 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 Quagga manages the TCP/IP based routing protocol. It takes a multi-server and multi-thread approach to resolve the current complexity of the Internet. An information disclosure flaw was found in the way Quagga interprets RIP REQUEST packets. RIPd in Quagga will respond to RIP REQUEST packets for RIP versions that have been disabled or that have authentication enabled, allowing a remote attacker to acquire information about the local network. (CVE-2006-2223) A route injection flaw was found in the way Quagga interprets RIPv1 RESPONSE packets when RIPv2 authentication is enabled. It is possible for a remote attacker to inject arbitrary route information into the RIPd routing tables. This issue does not affect Quagga configurations where only RIPv2 is specified. (CVE-2006-2224) A denial of service flaw was found in Quagga's telnet interface. If an attacker is able to connect to the Quagga telnet interface, it is possible to cause Quagga to consume vast quantities of CPU resources by issuing a malformed 'sh' command. (CVE-2006-2276) Users of Quagga should upgrade to these updated packages, which contain backported patches that correct these issues. Moderate Copyright 2006 Red Hat, Inc. CVE-2006-2223 CVE-2006-2224 CVE-2006-2276 CVE-2006-2223 Quagga RIPd information disclosure CVE-2006-2224 Quagga RIPd route injection CVE-2006-2276 quagga locks with command sh ip bgp cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 PostgreSQL is an advanced Object-Relational database management system (DBMS). A bug was found in the way PostgreSQL's PQescapeString function escapes strings when operating in a multibyte character encoding. It is possible for an attacker to provide an application a carefully crafted string containing invalidly-encoded characters, which may be improperly escaped, allowing the attacker to inject malicious SQL. While this update fixes how PQescapeString operates, the PostgreSQL server has also been modified to prevent such an attack occurring through unpatched clients. (CVE-2006-2313, CVE-2006-2314). More details about this issue are available in the linked PostgreSQL technical documentation. An integer signedness bug was found in the way PostgreSQL generated password salts. The actual salt size is only half the size of the expected salt, making the process of brute forcing password hashes slightly easier. This update will not strengthen already existing passwords, but all newly assigned passwords will have the proper salt length. (CVE-2006-0591) Users of PostgreSQL should upgrade to these updated packages containing PostgreSQL version 7.4.13, which corrects these issues. Important Copyright 2006 Red Hat, Inc. CVE-2006-0591 CVE-2006-2313 CVE-2006-2314 CVE-2006-0591 postgresql pgcrypt minor salt generation flaw CVE-2006-2313, CVE-2006-2314: PostgreSQL remote SQL injection vulnerability CVE-2006-2313, CVE-2006-2314: PostgreSQL remote SQL injection vulnerability cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The vixie-cron package contains the Vixie version of cron. Cron is a standard UNIX daemon that runs specified programs at scheduled times. A privilege escalation flaw was found in the way Vixie Cron runs programs; vixie-cron does not properly verify an attempt to set the current process user id succeeded. It was possible for a malicious local users who exhausted certain limits to execute arbitrary commands as root via cron. (CVE-2006-2607) All users of vixie-cron should upgrade to these updated packages, which contain a backported patch to correct this issue. Important Copyright 2006 Red Hat, Inc. CVE-2006-2607 CVE-2006-2607 Jobs start from root when pam_limits enabled cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The Dia drawing program is designed to draw various types of diagrams. Several format string flaws were found in the way dia displays certain messages. If an attacker is able to trick a Dia user into opening a carefully crafted file, it may be possible to execute arbitrary code as the user running Dia. (CVE-2006-2453, CVE-2006-2480) Users of Dia should update to these erratum packages, which contain backported patches and are not vulnerable to these issues. Moderate Copyright 2006 Red Hat, Inc. CVE-2006-2453 CVE-2006-2480 CVE-2006-2480 Dia format string issue (CVE-2006-2453) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 SpamAssassin provides a way to reduce unsolicited commercial email (SPAM) from incoming email. A flaw was found with the way the Spamassassin spamd daemon processes the virtual pop username passed to it. If a site is running spamd with both the --vpopmail and --paranoid flags, it is possible for a remote user with the ability to connect to the spamd daemon to execute arbitrary commands as the user running the spamd daemon. (CVE-2006-2447) Note: None of the IMAP or POP servers shipped with Red Hat Enterprise Linux 4 support vpopmail delivery. Running spamd with the --vpopmail and --paranoid flags is uncommon and not the default startup option as shipped with Red Hat Enterprise Linux 4. Spamassassin, as shipped in Red Hat Enterprise Linux 4, performs RBL lookups against visi.com to help determine if an email is spam. However, this DNS RBL has recently disappeared, resulting in mail filtering delays and timeouts. Users of SpamAssassin should upgrade to these updated packages containing version 3.0.6 and backported patches, which are not vulnerable to these issues. Moderate Copyright 2006 Red Hat, Inc. CVE-2006-2447 /etc/sysconfig/spamassasin loses file context and timestamp spamassassin looks up broken NS domain (visi.com) CVE-2006-2447 spamassassin arbitrary command execution cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 MySQL is a multi-user, multi-threaded SQL database server. MySQL is a client/server implementation consisting of a server daemon (mysqld) and many different client programs and libraries. A flaw was found in the way the MySQL mysql_real_escape() function escaped strings when operating in a multibyte character encoding. An attacker could provide an application a carefully crafted string containing invalidly-encoded characters which may be improperly escaped, leading to the injection of malicious SQL commands. (CVE-2006-2753) An information disclosure flaw was found in the way the MySQL server processed malformed usernames. An attacker could view a small portion of server memory by supplying an anonymous login username which was not null terminated. (CVE-2006-1516) An information disclosure flaw was found in the way the MySQL server executed the COM_TABLE_DUMP command. An authenticated malicious user could send a specially crafted packet to the MySQL server which returned random unallocated memory. (CVE-2006-1517) A log file obfuscation flaw was found in the way the mysql_real_query() function creates log file entries. An attacker with the the ability to call the mysql_real_query() function against a mysql server can obfuscate the entry the server will write to the log file. However, an attacker needed to have complete control over a server in order to attempt this attack. (CVE-2006-0903) This update also fixes numerous non-security-related flaws, such as intermittent authentication failures. All users of mysql are advised to upgrade to these updated packages containing MySQL version 4.1.20, which is not vulnerable to these issues. Important Copyright 2006 Red Hat, Inc. CVE-2006-0903 CVE-2006-1516 CVE-2006-1517 CVE-2006-2753 CVE-2006-3081 CVE-2006-4380 CVE-2006-0903 Mysql log file obfuscation Client error in mysql on updates when high concurrency CVE-2006-1517 Mysql information leak CVE-2006-1516 mysql anonymous login information leak CVE-2006-2753 MySQL improper multibyte string escaping cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 SquirrelMail is a standards-based webmail package written in PHP4. A local file disclosure flaw was found in the way SquirrelMail loads plugins. In SquirrelMail 1.4.6 or earlier, if register_globals is on and magic_quotes_gpc is off, it became possible for an unauthenticated remote user to view the contents of arbitrary local files the web server has read-access to. This configuration is neither default nor safe, and configuring PHP with the register_globals set on is dangerous and not recommended. (CVE-2006-2842) Users of SquirrelMail should upgrade to this erratum package, which contains a backported patch to correct this issue. Moderate Copyright 2006 Red Hat, Inc. CVE-2006-2842 CVE-2006-2842 Squirrelmail file inclusion cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The kdebase packages provide the core applications for KDE, the K Desktop Environment. These core packages include the KDE Display Manager (KDM). Ludwig Nussel discovered a flaw in KDM. A malicious local KDM user could use a symlink attack to read an arbitrary file that they would not normally have permissions to read. (CVE-2006-2449) Note: this issue does not affect the version of KDM as shipped with Red Hat Enterprise Linux 2.1 or 3. All users of KDM should upgrade to these updated packages which contain a backported patch to correct this issue. Important Copyright 2006 Red Hat, Inc. CVE-2006-2449 CVE-2006-2449 kdm file disclosure cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A directory traversal vulnerability was found in PHP. Local users could bypass open_basedir restrictions allowing remote attackers to create files in arbitrary directories via the tempnam() function. (CVE-2006-1494) The wordwrap() PHP function did not properly check for integer overflow in the handling of the "break" parameter. An attacker who could control the string passed to the "break" parameter could cause a heap overflow. (CVE-2006-1990) A flaw was found in the zend_hash_del() PHP function. For PHP scripts that rely on the use of the unset() function, a remote attacker could force variable initialization to be bypassed. This would be a security issue particularly for installations that enable the "register_globals" setting. "register_globals" is disabled by default in Red Hat Enterprise Linux. (CVE-2006-3017) Users of PHP should upgrade to these updated packages, which contain backported patches that resolve these issues. Moderate Copyright 2006 Red Hat, Inc. CVE-2006-1494 CVE-2006-1990 CVE-2006-3017 CVE-2006-1494 PHP tempname open_basedir issue CVE-2006-1990 wordwrap integer overflow CVE-2006-3017 zend_hash_del bug cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 GnuPG is a utility for encrypting data and creating digital signatures. An integer overflow flaw was found in GnuPG. An attacker could create a carefully crafted message packet with a large length that could cause GnuPG to crash or possibly overwrite memory when opened. (CVE-2006-3082) All users of GnuPG are advised to upgrade to this updated package, which contains a backported patch to correct this issue. Moderate Copyright 2006 Red Hat, Inc. CVE-2006-3082 CVE-2006-3082 gnupg integer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 OpenOffice.org is an office productivity suite that includes desktop applications such as a word processor, spreadsheet, presentation manager, formula editor, and drawing program. A Sun security specialist reported an issue with the application framework. An attacker could put macros into document locations that could cause OpenOffice.org to execute them when the file was opened by a victim. (CVE-2006-2198) A bug was found in the OpenOffice.org Java virtual machine implementation. An attacker could write a carefully crafted Java applet that can break through the "sandbox" and have full access to system resources with the current user privileges. (CVE-2006-2199) A buffer overflow bug was found in the OpenOffice.org file processor. An attacker could create a carefully crafted XML file that could cause OpenOffice.org to write data to an arbitrary location in memory when the file was opened by a victim. (CVE-2006-3117) All users of OpenOffice.org are advised to upgrade to these updated packages, which contain backported fixes for these issues. Important Copyright 2008 Red Hat, Inc. CVE-2006-2198 CVE-2006-2199 CVE-2006-3117 CVE-2006-2198 various OOo advisories (CVE-2006-2199, CVE-2006-3117) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The Linux kernel handles the basic functions of the operating system. During security research, Red Hat discovered a behavioral flaw in core dump handling. A local user could create a program that would cause a core file to be dumped into a directory they would not normally have permissions to write to. This could lead to a denial of service (disk consumption), or allow the local user to gain root privileges. (CVE-2006-2451) Prior to applying this update, users can remove the ability to escalate privileges using this flaw by configuring core files to dump to an absolute location. By default, core files are created in the working directory of the faulting application, but this can be overridden by specifying an absolute location for core files in /proc/sys/kernel/core_pattern. To avoid a potential denial of service, a separate partition for the core files should be used. All Red Hat Enterprise Linux 4 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum. Important Copyright 2006 Red Hat, Inc. CVE-2006-2451 CVE-2006-2451 Possible privilege escalation through prctl() and suid_dumpable cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 New features introduced in this update include: * Device Mapper mirroring support * IDE diskdump support * x86, AMD64 and Intel EM64T: Multi-core scheduler support enhancements * Itanium: perfmon support for Montecito * much improved support for IBM x460 * AMD PowerNow! patches to support Opteron Rev G * Vmalloc support > 64MB The following device drivers have been upgraded to new versions: ipmi: 33.11 to 33.13 ib_mthca: 0.06 to 0.08 bnx2: 1.4.30 to 1.4.38 bonding: 2.6.1 to 2.6.3 e100: 3.4.8-k2-NAPI to 3.5.10-k2-NAPI e1000: 6.1.16-k3-NAPI to 7.0.33-k2-NAPI sky2: 0.13 to 1.1 tg3: 3.43-rh to 3.52-rh ipw2100: 1.1.0 to git-1.1.4 ipw2200: 1.0.0 to git-1.0.10 3w-9xxx: 2.26.02.001 to 2.26.04.010 ips: 7.10.18 to 7.12.02 iscsi_sfnet: 4:0.1.11-2 to 4:0.1.11-3 lpfc: 0:8.0.16.18 to 0:8.0.16.27 megaraid_sas: 00.00.02.00 to 00.00.02.03-RH1 qla2xxx: 8.01.02-d4 to 8.01.04-d7 qla6312: 8.01.02-d4 to 8.01.04-d7 sata_promise: 1.03 to 1.04 sata_vsc: 1.1 to 1.2 ibmvscsic: 1.5.5 to 1.5.6 ipr: 2.0.11.1 to 2.0.11.2 Added drivers: dcdbas: 5.6.0-2 sata_mv: 0.6 sata_qstor: 0.05 sata_uli: 0.5 skge: 1.1 stex: 2.9.0.13 pdc_adma: 0.03 This update includes fixes for the security issues: * a flaw in the USB devio handling of device removal that allowed a local user to cause a denial of service (crash) (CVE-2005-3055, moderate) * a flaw in the ACL handling of nfsd that allowed a remote user to bypass ACLs for readonly mounted NFS file systems (CVE-2005-3623, moderate) * a flaw in the netfilter handling that allowed a local user with CAP_NET_ADMIN rights to cause a buffer overflow (CVE-2006-0038, low) * a flaw in the IBM S/390 and IBM zSeries strnlen_user() function that allowed a local user to cause a denial of service (crash) or to retrieve random kernel data (CVE-2006-0456, important) * a flaw in the keyctl functions that allowed a local user to cause a denial of service (crash) or to read sensitive kernel memory (CVE-2006-0457, important) * a flaw in unaligned accesses handling on Itanium processors that allowed a local user to cause a denial of service (crash) (CVE-2006-0742, important) * a flaw in SELinux ptrace logic that allowed a local user with ptrace permissions to change the tracer SID to a SID of another process (CVE-2006-1052, moderate) * an info leak on AMD-based x86 and x86_64 systems that allowed a local user to retrieve the floating point exception state of a process run by a different user (CVE-2006-1056, important) * a flaw in IPv4 packet output handling that allowed a remote user to bypass the zero IP ID countermeasure on systems with a disabled firewall (CVE-2006-1242, low) * a minor info leak in socket option handling in the network code (CVE-2006-1343, low) * a flaw in the HB-ACK chunk handling of SCTP that allowed a remote user to cause a denial of service (crash) (CVE-2006-1857, moderate) * a flaw in the SCTP implementation that allowed a remote user to cause a denial of service (deadlock) (CVE-2006-2275, moderate) * a flaw in the socket buffer handling that allowed a remote user to cause a denial of service (panic) (CVE-2006-2446, important) * a flaw in the signal handling access checking on PowerPC that allowed a local user to cause a denial of service (crash) or read arbitrary kernel memory on 64-bit systems (CVE-2006-2448, important) * a flaw in the netfilter SCTP module when receiving a chunkless packet that allowed a remote user to cause a denial of service (crash) (CVE-2006-2934, important) There were several bug fixes in various parts of the kernel. The ongoing effort to resolve these problems has resulted in a marked improvement in the reliability and scalability of Red Hat Enterprise Linux 4. Important Copyright 2008 Red Hat, Inc. CVE-2005-3055 CVE-2005-3623 CVE-2006-0038 CVE-2006-0456 CVE-2006-0457 CVE-2006-0742 CVE-2006-1052 CVE-2006-1056 CVE-2006-1242 CVE-2006-1343 CVE-2006-1857 CVE-2006-2275 CVE-2006-2446 CVE-2006-2448 CVE-2006-2934 install hangs on Dell PowerVault 745 with SATA drives (sata_vsc module) fix missing wakeup in ipc/sem udevd fails to create /dev files after misc_register Sound Blaster Audigy 2 Value audio does not work [RHEL4-U2][Diskdump] OS_INIT dump function is broken kernel may oops if more than 4k worth of string data returned in /proc/devices Can't install from SATA CD/DVD drive Loss of SATA ICH device hangs RAID1 [PATCH] ata_piix fails on some ICH7 hardware snd-nm256 module hangs Dell Latitude CSx kernel build broken when 4KSTACKS disabled EHCI Host driver violates USB2.0 Specification leading to device failures mdadm --grow infinite resync No (useful) logging of parameters to execve CVE-2005-3055 async usb devio oops COMM_LOST problem with SCTP stream socket SMP kernel crash when use as LVS router rm command hangs when removing a symlink on ext2 loop filesystem Deadlock in fc_target_unblock while shutting down the system sata_promise: missing PCI ID for SATA300 TX4 RHEL4 U3 feature request: add some new lm sensors modules to the i2c module Oops kernel NULL pointer ipw2100 modules crashes and restarts whenever in use Spurious keyboard repeats and clock is fast kernel panic after a few hours/days of operation with pulse vmalloc limited to 64Mb kernel panics when rebooting Kernel panic with this comment: <4>VFS: Busy inodes after unmount. Self-destruct in 5 seconds. Have a nice day... Kernel panic on install on 64BG EM64T TG3 driver crashes with BCM4704C chipset with heavy traffic Documentation mismatch RFE: tg3 support for Broadcom 5751 PCIe System hangs with kernel panic when using current 3ware drivers [PATCH] bonding: don't drop non-VLAN traffic CRM# 717690: crash possibly related to ipvsadm [RHEL 4 U2] kernel panic on EM64T with long cmdline args misleading overcommit_memory reference in Documentation/filesystems/proc.txt Accessing automounted directories can cause a process to hang forever [RHEL4-U3] Checking dump partition fails when a swap partition whose size is less than memory size is configured for diskdump. sata-nv crashes on multiple SATA disks The hash.h hash_long function, when used on a 64 bit machine, ignores many of the middle-order bits. io_setup() fails for 32bit tasks in x86-64 Oprofile unsupported recent Pentium4 xw6400 System panic while installing RHEL4-U3 SELinux MLS compatibility No i915 DRM module Last AIO read of a file opened with O_DIRECT returns wrong length O_DIRECT bug when reading last block of sparse file RHEL4u4 FEAT: Provide support for Opteron Rev G and Power Now! clean-up Please backport the sata_mv Marvell MV88SX5081 driver? kernel boot can Oops in work queue code when console blanks Request to update lpfc driver in RHEL 4 U4 deadlocks on ext2,sync mounted fs kmir_mon worker thread doesn't exit aic7xxx and aic79xx Drivers Don't Support 16-byte CDBs typo in spinlock.h? line 407 ipv6 ready logo-P1 ND Test24 fails- RA Lifetime=5 not understood [RHEL4] MCE arg parsing broken on x86-64 Console redirection on DRAC 3 results in repeated key strokes (P1) lpfc driver: add managment ioctl module to kernel tree Gettimeofday() timer related slowdown and scaling issue add MCP51/ NVidia 430 IDE support Error given when duplicate non-updateable key (eg: keyring) added Key quota handling incorrect in allocation CVE-2006-0457 Key syscalls use get length of strings before copying, and assume terminating NUL copied from userspace CVE-2006-0456 s390/s390x strnlen_user() is broken NFS lockd recovery is broken in U3 due to missing code. [EMC/Oracle RHEL 4.4] ISCSI MODULE SHOWS MULTIPLE DEVICES FOR A SINGLE LUN IN RHEL 4.0 U2 Possible hang when ptracing and using hugepages [RHEL4] [RFE] Add diskdump capability to IDE DoS attack possible via nfsservctl CVE-2006-0742 Bug in IA64 unaligned access handler causes kernel panic ramfs: update dir mtime and ctime dm: make sure don't give out the same minor number twice Large LUNS can't be seen with Hitachi Open- SAN PCI interrupts on ioapic pins 0-15 always get "legacy" IRQs. [BETA RHEL4 U3] brokenness in cfq_dispatch_requests Kernel should export number and state of local APICs CVE-2005-3623 ACL setting on read-only fs CVE-2006-1052 SELinux flaw kernel dm: bad argument count check in dm-log.c kernel dm: missing bdput kernel dm: fix free_dev del_gendisk kernel dm: flush queued bios if suspend is interrupted kernel dm: log bitset fix BE find_next_zero_bit kernel device-mapper mirroring: table output incorrect kernel dm snapshots: replace siblings list kernel dm mirroring: suspend operation is not well behaved kernel dm snapshots: fix invalidation kernel dm: striped access beyond end of device [RHEL4 U3] kernel dm mirror: unrelated mirror devices stall if any log device fails [RHEL4 U3] device-mapper mirror: Data corruption if the default mirror fails during recovery. [RHEL4 U3] device-mapper mirror: Data corruption by temporal errors during recovery. kernel dm: bio split bvec fix [RHEL4 U3] device-mapper mirror: Write failure region becomes in-sync when suspension. CVE-2006-1242 Linux zero IP ID vulnerability? Connectathon tests fail against newer Irix server NFSD fails SETCLIENTID_CONFIRM kernel dm mirror: lvs Copy% overs 100% by lvreduce/lvresize. CVE-2006-1343 Small information leak in SO_ORIGINAL_DST CVE-2006-0038 netfilters do_replace() overflow nvidia cache aliasing problem: change_page_attr drops GLOBAL bit from executable kernel pages ACPI 2.0 systems with no XSDT fail to boot kernel problem to deal with 3ware 9500SX-12 RAID cards [RHEL4 U3] dm-mirror: read stalls if all mirrors failed CVE-2006-2275 SCTP traffic probably never resumes diskdump_sysfs_store() needs to check sscanf retval diskdump_sysfs_store() should check partition number device_to_gendisk() is lacking mntput(nd.mnt) on exit diskdump - device_to_gendisk() is both racy CVE-2006-1056 FPU Information leak on i386/x86-64 on AMD CPUs Replication failover fails if the NFS permissions are incorrect on one of the servers... kernel dm snapshots: Incorrect processing of incorrect chunk size Kernel appears too conservative in memory use tlb_clear_slave races with tlb_choose_channel Update Qlogic qla2xxx driver in RHEL 4 U4 Trouble with recent module - one packet is seen more than one time VLAN not working on initial startup [Stratus RHEL4 U4 bug] unchecked error path in usb_alloc_dev can lead to an Oops. RHEL4-U3: openipmi: startup race condition Submit Promise RHEL4 driver in-box to RHEL4 CD Submit Promise RHEL4 driver in-box to RHEL4 CD Submit Promise RHEL4 driver in-box to RHEL4 CD dm: Fix mapped device references REGRESSION: kabi breakage on ia64_mv CVE-2006-0742 Bug in IA64 unaligned access handler causes kernel panic installer does not see SATA HDs attached to JMB360 chipset which in legacy mode MCE arg parsing broken on x86-64 device-mapper mirror: Need proper notification of sync status chage on write failure REGRESSION: kernel-2.6.9.36 does not boot on ALTIX systems Fix problems with MSI-X on 64-bit platforms CVE-2006-1857 SCTP HB-ACK chunk overflow CVE-2006-2446 LTC20512-kernel BUG in __kfree_skb while running TCP+Kernel stress RFE: add pci ids for atiixp Not using all available system memory - swapping too aggressive - high load average (iowait) A write to a cluster mirror volume not in sync will hang and also cause the sync to hang as well gettimeofday goes backwards on IBM x460 merged servers CVE-2006-2448 missing access_ok checks in powerpc signal*.c veritas storage foundation 32bit apps crash in glibc during post-process installation RHEL4 U4 i386 partner beta will not install on ES7000/one HP xw9400 network card not getting seen Regression: cluster mirror creation cmd hangs even though mirror gets created VLANs, tg3 driver, and 2.6.9-34.EL kernel update O=/objdir builds fail for out-of-tree builds with 2.6.9-39.4 CVE-2006-2934 SCTP netfilter DoS with chunkless packets kernel freeze at "kernel BUG at kernel/timer.c:420!" kernel deadlock on reading /proc/meminfo on 4 CPU's at the same time cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The kdebase packages provide the core applications for KDE, the K Desktop Environment. A flaw was found in KDE where the kdesktop_lock process sometimes failed to terminate properly. This issue could either block the user's ability to manually lock the desktop or prevent the screensaver to activate, both of which could have a security impact for users who rely on these functionalities. (CVE-2006-2933) Please note that this issue only affected Red Hat Enterprise Linux 3. All users of kdebase should upgrade to these updated packages, which contain a patch to resolve this issue. Moderate Copyright 2006 Red Hat, Inc. CVE-2006-2933 CVE-2006-2933 occasionally KDE screensaver fails to start cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Mutt is a text-mode mail user agent. A buffer overflow flaw was found in the way Mutt processes an overly long namespace from a malicious imap server. In order to exploit this flaw a user would have to use Mutt to connect to a malicious IMAP server. (CVE-2006-3242) Users of Mutt are advised to upgrade to these erratum packages, which contain a backported patch to correct this issue. Moderate Copyright 2006 Red Hat, Inc. CVE-2006-3242 CVE-2006-3242 Mutt IMAP namespace buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 SeaMonkey is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. The Mozilla Foundation has discontinued support for the Mozilla Suite. This update deprecates the Mozilla Suite in Red Hat Enterprise Linux 3 in favor of the supported SeaMonkey Suite. This update also resolves a number of outstanding Mozilla security issues: Several flaws were found in the way Mozilla processed certain javascript actions. A malicious web page could execute arbitrary javascript instructions with the permissions of "chrome", allowing the page to steal sensitive information or install browser malware. (CVE-2006-2776, CVE-2006-2784, CVE-2006-2785, CVE-2006-2787) Several denial of service flaws were found in the way Mozilla processed certain web content. A malicious web page could crash firefox or possibly execute arbitrary code. These issues to date were not proven to be exploitable, but do show evidence of memory corruption. (CVE-2006-2779, CVE-2006-2780) A double-free flaw was found in the way Mozilla-mail displayed malformed inline vcard attachments. If a victim viewed an email message containing a carefully crafted vcard it could execute arbitrary code as the user running Mozilla-mail. (CVE-2006-2781) A cross site scripting flaw was found in the way Mozilla processed Unicode Byte-order-Mark (BOM) markers in UTF-8 web pages. A malicious web page could execute a script within the browser that a web input sanitizer could miss due to a malformed "script" tag. (CVE-2006-2783) A form file upload flaw was found in the way Mozilla handled javascript input object mutation. A malicious web page could upload an arbitrary local file at form submission time without user interaction. (CVE-2006-2782) A denial of service flaw was found in the way Mozilla called the crypto.signText() javascript function. A malicious web page could crash the browser if the victim had a client certificate loaded. (CVE-2006-2778) Two HTTP response smuggling flaws were found in the way Mozilla processed certain invalid HTTP response headers. A malicious web site could return specially crafted HTTP response headers which may bypass HTTP proxy restrictions. (CVE-2006-2786) A double free flaw was found in the way the nsIX509::getRawDER method was called. If a victim visited a carefully crafted web page it could execute arbitrary code as the user running Mozilla. (CVE-2006-2788) Users of Mozilla are advised to upgrade to this update, which contains SeaMonkey version 1.0.2 that is not vulnerable to these issues. Critical Copyright 2006 Red Hat, Inc. CVE-2006-2779 CVE-2006-2780 CVE-2006-2781 CVE-2006-2783 CVE-2006-2782 CVE-2006-2778 CVE-2006-2776 CVE-2006-2784 CVE-2006-2785 CVE-2006-2786 CVE-2006-2787 CVE-2006-2788 CVE-2006-2783 multiple Seamonkey issues (CVE-2006-2782,CVE-2006-2778,CVE-2006-2776,CVE-2006-2784,CVE-2006-2785,CVE-2006-2786,CVE-2006-2787,CVE-2006-2788) CVE-2006-2779 Multiple Mozilla issues (CVE-2006-2780, CVE-2006-2781) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The kdebase packages provide the core applications for KDE, the K Desktop Environment. These core packages include the file manager Konqueror. Ilja van Sprundel discovered a lock file handling flaw in kcheckpass. If the directory /var/lock is writable by a user who is allowed to run kcheckpass, that user could gain root privileges. In Red Hat Enterprise Linux, the /var/lock directory is not writable by users and therefore this flaw could only have been exploited if the permissions on that directory have been badly configured. A patch to block this issue has been included in this update. (CVE-2005-2494) The following bugs have also been addressed: - kstart --tosystray does not send the window to the system tray in Kicker - When the customer enters or selects URLs in Firefox's address field, the desktop freezes for a couple of seconds - fish kioslave is broken on 64-bit systems All users of kdebase should upgrade to these updated packages, which contain patches to resolve these issues. Low Copyright 2008 Red Hat, Inc. CVE-2005-2494 CVE-2005-2494 kcheckpass privilege escalation cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 Samba provides file and printer sharing services to SMB/CIFS clients. A denial of service bug was found in the way the smbd daemon tracks active connections to shares. It was possible for a remote attacker to cause the smbd daemon to consume a large amount of system memory by sending carefully crafted smb requests. (CVE-2006-3403) Users of Samba are advised to upgrade to these packages, which contain a backported patch to correct this issue. Important Copyright 2006 Red Hat, Inc. CVE-2006-3403 CVE-2006-3403 Samba denial of service cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Libwmf is a library for reading and converting Windows MetaFile vector graphics (WMF). Libwmf is used by packages such as The GIMP and ImageMagick. An integer overflow flaw was discovered in libwmf. An attacker could create a carefully crafted WMF flaw that could execute arbitrary code if opened by a victim. (CVE-2006-3376). Users of libwmf should update to these packages which contain a backported security patch to correct this issue. Moderate Copyright 2008 Red Hat, Inc. CVE-2006-3376 CVE-2006-3376 libwmf integer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The GIMP (GNU Image Manipulation Program) is an image composition and editing program. Henning Makholm discovered a buffer overflow bug in The GIMP XCF file loader. An attacker could create a carefully crafted image that could execute arbitrary code if opened by a victim. (CVE-2006-3404) Please note that this issue did not affect the gimp packages in Red Hat Enterprise Linux 2.1, or 3. Users of The GIMP should update to these erratum packages which contain a backported fix to correct this issue. Moderate Copyright 2006 Red Hat, Inc. CVE-2006-3404 CVE-2006-3404 gimp xcf buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Mailman is a program used to help manage email discussion lists. A flaw was found in the way Mailman handled MIME multipart messages. An attacker could send a carefully crafted MIME multipart email message to a mailing list run by Mailman which caused that particular mailing list to stop working. (CVE-2006-2941) Several cross-site scripting (XSS) issues were found in Mailman. An attacker could exploit these issues to perform cross-site scripting attacks against the Mailman administrator. (CVE-2006-3636) Red Hat would like to thank Barry Warsaw for disclosing these vulnerabilities. Users of Mailman should upgrade to these updated packages, which contain backported patches to correct this issue. Moderate Copyright 2008 Red Hat, Inc. CVE-2006-2941 CVE-2006-3636 CVE-2006-2941 Mailman DoS CVE-2006-3636 Mailman XSS issues cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 Ethereal is a program for monitoring network traffic. In May 2006, Ethereal changed its name to Wireshark. This update deprecates the Ethereal packages in Red Hat Enterprise Linux 2.1, 3, and 4 in favor of the supported Wireshark packages. Several denial of service bugs were found in Ethereal's protocol dissectors. It was possible for Ethereal to crash or stop responding if it read a malformed packet off the network. (CVE-2006-3627, CVE-2006-3629, CVE-2006-3631) Several buffer overflow bugs were found in Ethereal's ANSI MAP, NCP NMAS, and NDPStelnet dissectors. It was possible for Ethereal to crash or execute arbitrary code if it read a malformed packet off the network. (CVE-2006-3630, CVE-2006-3632) Several format string bugs were found in Ethereal's Checkpoint FW-1, MQ, XML, and NTP dissectors. It was possible for Ethereal to crash or execute arbitrary code if it read a malformed packet off the network. (CVE-2006-3628) Users of Ethereal should upgrade to these updated packages containing Wireshark version 0.99.2, which is not vulnerable to these issues Moderate Copyright 2006 Red Hat, Inc. CVE-2006-3627 CVE-2006-3628 CVE-2006-3629 CVE-2006-3630 CVE-2006-3631 CVE-2006-3632 Replace (EOL) Ethereal with Wireshark CVE-2006-3627 Mulitple security issues (CVE-2006-3628 CVE-2006-3629 CVE-2006-3630 CVE-2006-3631 CVE-2006-3632) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The libtiff package contains a library of functions for manipulating TIFF (Tagged Image File Format) files. Tavis Ormandy of Google discovered a number of flaws in libtiff during a security audit. An attacker could create a carefully crafted TIFF file in such a way that it was possible to cause an application linked with libtiff to crash or possibly execute arbitrary code. (CVE-2006-3459, CVE-2006-3460, CVE-2006-3461, CVE-2006-3462, CVE-2006-3463, CVE-2006-3464, CVE-2006-3465) All users are advised to upgrade to these updated packages, which contain backported fixes for these issues. Important Copyright 2008 Red Hat, Inc. CVE-2006-2656 CVE-2006-3459 CVE-2006-3460 CVE-2006-3461 CVE-2006-3462 CVE-2006-3463 CVE-2006-3464 CVE-2006-3465 CVE-2006-3459 Multiple libtiff flaws (CVE-2006-3460 CVE-2006-3461 CVE-2006-3462 CVE-2006-3463 CVE-2006-3464 CVE-2006-3465) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 Ruby is an interpreted scripting language for object-oriented programming. A number of flaws were found in the safe-level restrictions in Ruby. It was possible for an attacker to create a carefully crafted malicious script that can allow the bypass of certain safe-level restrictions. (CVE-2006-3694) Users of Ruby should update to these erratum packages, which contain a backported patch and are not vulnerable to this issue. Moderate Copyright 2006 Red Hat, Inc. CVE-2006-3694 CVE-2006-3694 Insecure operations in the certain safe-level restrictions CVE-2006-3694 ruby safe-level bypass cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Perl is a high-level programming language commonly used for system administration utilities and Web programming. Kevin Finisterre discovered a flaw in sperl, the Perl setuid wrapper, which can cause debugging information to be logged to arbitrary files. By setting an environment variable, a local user could cause sperl to create, as root, files with arbitrary filenames, or append the debugging information to existing files. (CVE-2005-0155) A fix for this issue was first included in the update RHSA-2005:103 released in February 2005. However the patch to correct this issue was dropped from the update RHSA-2005:674 made in October 2005. This regression has been assigned CVE-2006-3813. Users of Perl are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. Important Copyright 2006 Red Hat, Inc. CVE-2006-3813 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 SeaMonkey is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. Several flaws were found in the way SeaMonkey processed certain javascript actions. A malicious web page could execute arbitrary javascript instructions with the permissions of "chrome", allowing the page to steal sensitive information or install browser malware. (CVE-2006-3807, CVE-2006-3809, CVE-2006-3812) Several denial of service flaws were found in the way SeaMonkey processed certain web content. A malicious web page could crash the browser or possibly execute arbitrary code as the user running SeaMonkey. (CVE-2006-3801, CVE-2006-3677, CVE-2006-3113, CVE-2006-3803, CVE-2006-3805, CVE-2006-3806, CVE-2006-3811) A buffer overflow flaw was found in the way SeaMonkey Messenger displayed malformed inline vcard attachments. If a victim viewed an email message containing a carefully crafted vcard, it was possible to execute arbitrary code as the user running SeaMonkey Messenger. (CVE-2006-3804) Several flaws were found in the way SeaMonkey processed certain javascript actions. A malicious web page could conduct a cross-site scripting attack or steal sensitive information (such as cookies owned by other domains). (CVE-2006-3802, CVE-2006-3810) A flaw was found in the way SeaMonkey processed Proxy AutoConfig scripts. A malicious Proxy AutoConfig server could execute arbitrary javascript instructions with the permissions of "chrome", allowing the page to steal sensitive information or install browser malware. (CVE-2006-3808) Users of SeaMonkey are advised to upgrade to this update, which contains SeaMonkey version 1.0.3 that corrects these issues. Critical Copyright 2006 Red Hat, Inc. CVE-2006-3801 CVE-2006-3677 CVE-2006-3113 CVE-2006-3802 CVE-2006-3803 CVE-2006-3804 CVE-2006-3805 CVE-2006-3806 CVE-2006-3807 CVE-2006-3808 CVE-2006-3809 CVE-2006-3810 CVE-2006-3811 CVE-2006-3812 CVE-2006-3801 Multiple Seamonkey issues (CVE-2006-3677, CVE-2006-3113, CVE-2006-3802, CVE-2006-3803, CVE-2006-3804, CVE-2006-3805, CVE-2006-3806, CVE-2006-3807, CVE-2006-3808, CVE-2006-3809, CVE-2006-3810, CVE-2006-3811, CVE-2006-3812) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Seamonkey is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. The Mozilla Foundation has discontinued support for the Mozilla Suite. This update deprecates the Mozilla Suite in Red Hat Enterprise Linux 4 in favor of the supported Seamonkey Suite. This update also resolves a number of outstanding Mozilla security issues: Several flaws were found in the way Seamonkey processed certain javascript actions. A malicious web page could execute arbitrary javascript instructions with the permissions of "chrome", allowing the page to steal sensitive information or install browser malware. (CVE-2006-2776, CVE-2006-2784, CVE-2006-2785, CVE-2006-2787, CVE-2006-3807, CVE-2006-3809, CVE-2006-3812) Several denial of service flaws were found in the way Seamonkey processed certain web content. A malicious web page could crash the browser or possibly execute arbitrary code as the user running Seamonkey. (CVE-2006-2779, CVE-2006-2780, CVE-2006-3801, CVE-2006-3677, CVE-2006-3113, CVE-2006-3803, CVE-2006-3805, CVE-2006-3806, CVE-2006-3811) Two flaws were found in the way Seamonkey-mail displayed malformed inline vcard attachments. If a victim viewed an email message containing a carefully crafted vcard it was possible to execute arbitrary code as the user running Mozilla-mail. (CVE-2006-2781, CVE-2006-3804) A cross-site scripting flaw was found in the way Seamonkey processed Unicode Byte-Order-Mark (BOM) markers in UTF-8 web pages. A malicious web page could execute a script within the browser that a web input sanitizer could miss due to a malformed "script" tag. (CVE-2006-2783) Several flaws were found in the way Seamonkey processed certain javascript actions. A malicious web page could conduct a cross-site scripting attack or steal sensitive information (such as cookies owned by other domains). (CVE-2006-3802, CVE-2006-3810) A form file upload flaw was found in the way Seamonkey handled javascript input object mutation. A malicious web page could upload an arbitrary local file at form submission time without user interaction. (CVE-2006-2782) A denial of service flaw was found in the way Seamonkey called the crypto.signText() javascript function. A malicious web page could crash the browser if the victim had a client certificate loaded. (CVE-2006-2778) Two HTTP response smuggling flaws were found in the way Seamonkey processed certain invalid HTTP response headers. A malicious web site could return specially crafted HTTP response headers which may bypass HTTP proxy restrictions. (CVE-2006-2786) A flaw was found in the way Seamonkey processed Proxy AutoConfig scripts. A malicious Proxy AutoConfig server could execute arbitrary javascript instructions with the permissions of "chrome", allowing the page to steal sensitive information or install browser malware. (CVE-2006-3808) A double free flaw was found in the way the nsIX509::getRawDER method was called. If a victim visited a carefully crafted web page, it was possible to execute arbitrary code as the user running Mozilla. (CVE-2006-2788) Users of Mozilla are advised to upgrade to this update, which contains Seamonkey version 1.0.3 that corrects these issues. Critical Copyright 2006 Red Hat, Inc. CVE-2006-2779 CVE-2006-2780 CVE-2006-2781 CVE-2006-2783 CVE-2006-2782 CVE-2006-2778 CVE-2006-2776 CVE-2006-2784 CVE-2006-2785 CVE-2006-2786 CVE-2006-2787 CVE-2006-2788 CVE-2006-3801 CVE-2006-3677 CVE-2006-3113 CVE-2006-3802 CVE-2006-3803 CVE-2006-3804 CVE-2006-3805 CVE-2006-3806 CVE-2006-3807 CVE-2006-3808 CVE-2006-3809 CVE-2006-3810 CVE-2006-3811 CVE-2006-3812 CVE-2006-2779 Multiple Mozilla issues (CVE-2006-2780, CVE-2006-2781) CVE-2006-2783 multiple Seamonkey issues (CVE-2006-2782,CVE-2006-2778,CVE-2006-2776,CVE-2006-2784,CVE-2006-2785,CVE-2006-2786,CVE-2006-2787,CVE-2006-2788) CVE-2006-3801 Multiple Seamonkey issues (CVE-2006-3677, CVE-2006-3113, CVE-2006-3802, CVE-2006-3803, CVE-2006-3804, CVE-2006-3805, CVE-2006-3806, CVE-2006-3807, CVE-2006-3808, CVE-2006-3809, CVE-2006-3810, CVE-2006-3811, CVE-2006-3812) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Mozilla Firefox is an open source Web browser. The Mozilla Foundation has discontinued support for the Mozilla Firefox 1.0 branch. This update deprecates the Mozilla Firefox 1.0 branch in Red Hat Enterprise Linux 4 in favor of the supported Mozilla Firefox 1.5 branch. This update also resolves a number of outstanding Firefox security issues: Several flaws were found in the way Firefox processed certain javascript actions. A malicious web page could execute arbitrary javascript instructions with the permissions of "chrome", allowing the page to steal sensitive information or install browser malware. (CVE-2006-2776, CVE-2006-2784, CVE-2006-2785, CVE-2006-2787, CVE-2006-3807, CVE-2006-3809, CVE-2006-3812) Several denial of service flaws were found in the way Firefox processed certain web content. A malicious web page could crash the browser or possibly execute arbitrary code as the user running Firefox. (CVE-2006-2779, CVE-2006-2780, CVE-2006-3801, CVE-2006-3677, CVE-2006-3113, CVE-2006-3803, CVE-2006-3805, CVE-2006-3806, CVE-2006-3811) A cross-site scripting flaw was found in the way Firefox processed Unicode Byte-Order-Mark (BOM) markers in UTF-8 web pages. A malicious web page could execute a script within the browser that a web input sanitizer could miss due to a malformed "script" tag. (CVE-2006-2783) Several flaws were found in the way Firefox processed certain javascript actions. A malicious web page could conduct a cross-site scripting attack or steal sensitive information (such as cookies owned by other domains). (CVE-2006-3802, CVE-2006-3810) A form file upload flaw was found in the way Firefox handled javascript input object mutation. A malicious web page could upload an arbitrary local file at form submission time without user interaction. (CVE-2006-2782) A denial of service flaw was found in the way Firefox called the crypto.signText() javascript function. A malicious web page could crash the browser if the victim had a client certificate loaded. (CVE-2006-2778) Two HTTP response smuggling flaws were found in the way Firefox processed certain invalid HTTP response headers. A malicious web site could return specially crafted HTTP response headers which may bypass HTTP proxy restrictions. (CVE-2006-2786) A flaw was found in the way Firefox processed Proxy AutoConfig scripts. A malicious Proxy AutoConfig server could execute arbitrary javascript instructions with the permissions of "chrome", allowing the page to steal sensitive information or install browser malware. (CVE-2006-3808) A double free flaw was found in the way the nsIX509::getRawDER method was called. If a victim visited a carefully crafted web page, it was possible to execute arbitrary code as the user running Firefox. (CVE-2006-2788) Users of Firefox are advised to upgrade to this update, which contains Firefox version 1.5.0.5 that corrects these issues. Critical Copyright 2006 Red Hat, Inc. CVE-2006-2779 CVE-2006-2780 CVE-2006-2783 CVE-2006-2782 CVE-2006-2778 CVE-2006-2776 CVE-2006-2784 CVE-2006-2785 CVE-2006-2786 CVE-2006-2787 CVE-2006-2788 CVE-2006-3801 CVE-2006-3677 CVE-2006-3113 CVE-2006-3802 CVE-2006-3803 CVE-2006-3805 CVE-2006-3806 CVE-2006-3807 CVE-2006-3808 CVE-2006-3809 CVE-2006-3810 CVE-2006-3811 CVE-2006-3812 CVE-2006-2779 multiple firefox DoS issues (CVE-2006-2780) CVE-2006-2783 multiple Firefox issues (CVE-2006-2782,CVE-2006-2778,CVE-2006-2776,CVE-2006-2784,CVE-2006-2785,CVE-2006-2786,CVE-2006-2787,CVE-2006-2788) CVE-2006-3801 Multiple Seamonkey issues (CVE-2006-3677, CVE-2006-3113, CVE-2006-3802, CVE-2006-3803, CVE-2006-3805, CVE-2006-3806, CVE-2006-3807, CVE-2006-3808, CVE-2006-3809, CVE-2006-3810, CVE-2006-3811, CVE-2006-3812) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Mozilla Thunderbird is a standalone mail and newsgroup client. The Mozilla Foundation has discontinued support for the Mozilla Thunderbird 1.0 branch. This update deprecates the Mozilla Thunderbird 1.0 branch in Red Hat Enterprise Linux 4 in favor of the supported Mozilla Thunderbird 1.5 branch. This update also resolves a number of outstanding Thunderbird security issues: Several flaws were found in the way Thunderbird processed certain javascript actions. A malicious mail message could execute arbitrary javascript instructions with the permissions of "chrome", allowing the page to steal sensitive information or install browser malware. (CVE-2006-2776, CVE-2006-2784, CVE-2006-2785, CVE-2006-2787, CVE-2006-3807, CVE-2006-3809) Several denial of service flaws were found in the way Thunderbird processed certain mail messages. A malicious web page could crash the browser or possibly execute arbitrary code as the user running Thunderbird. (CVE-2006-2779, CVE-2006-2780, CVE-2006-3801, CVE-2006-3677, CVE-2006-3113, CVE-2006-3803, CVE-2006-3805, CVE-2006-3806, CVE-2006-3811) Several flaws were found in the way Thunderbird processed certain javascript actions. A malicious mail message could conduct a cross-site scripting attack or steal sensitive information (such as cookies owned by other domains). (CVE-2006-3802, CVE-2006-3810) A form file upload flaw was found in the way Thunderbird handled javascript input object mutation. A malicious mail message could upload an arbitrary local file at form submission time without user interaction. (CVE-2006-2782) A denial of service flaw was found in the way Thunderbird called the crypto.signText() javascript function. A malicious mail message could crash the browser if the victim had a client certificate loaded. (CVE-2006-2778) A flaw was found in the way Thunderbird processed Proxy AutoConfig scripts. A malicious Proxy AutoConfig server could execute arbitrary javascript instructions with the permissions of "chrome", allowing the page to steal sensitive information or install client malware. (CVE-2006-3808) Note: Please note that JavaScript support is disabled by default in Thunderbird. The above issues are not exploitable with JavaScript disabled. Two flaws were found in the way Thunderbird displayed malformed inline vcard attachments. If a victim viewed an email message containing a carefully crafted vcard it was possible to execute arbitrary code as the user running Thunderbird. (CVE-2006-2781, CVE-2006-3804) A cross site scripting flaw was found in the way Thunderbird processed Unicode Byte-order-Mark (BOM) markers in UTF-8 mail messages. A malicious web page could execute a script within the browser that a web input sanitizer could miss due to a malformed "script" tag. (CVE-2006-2783) Two HTTP response smuggling flaws were found in the way Thunderbird processed certain invalid HTTP response headers. A malicious web site could return specially crafted HTTP response headers which may bypass HTTP proxy restrictions. (CVE-2006-2786) A double free flaw was found in the way the nsIX509::getRawDER method was called. If a victim visited a carefully crafted web page, it was possible to crash Thunderbird. (CVE-2006-2788) Users of Thunderbird are advised to upgrade to this update, which contains Thunderbird version 1.5.0.5 that corrects these issues. Critical Copyright 2006 Red Hat, Inc. CVE-2006-2779 CVE-2006-2780 CVE-2006-2781 CVE-2006-2783 CVE-2006-2782 CVE-2006-2778 CVE-2006-2776 CVE-2006-2784 CVE-2006-2785 CVE-2006-2786 CVE-2006-2787 CVE-2006-2788 CVE-2006-3801 CVE-2006-3677 CVE-2006-3113 CVE-2006-3802 CVE-2006-3803 CVE-2006-3804 CVE-2006-3805 CVE-2006-3806 CVE-2006-3807 CVE-2006-3808 CVE-2006-3809 CVE-2006-3810 CVE-2006-3811 CVE-2006-2779 multiple Thunderbird issues (CVE-2006-2780, CVE-2006-2781, CVE-2006-2783,CVE-2006-2782,CVE-2006-2778,CVE-2006-2776,CVE-2006-2784,CVE-2006-2785,CVE-2006-2786,CVE-2006-2787,CVE-2006-2788) CVE-2006-3801 Multiple Thunderbird issues (CVE-2006-3677, CVE-2006-3113, CVE-2006-3802, CVE-2006-3803, CVE-2006-3804, CVE-2006-3805, CVE-2006-3806, CVE-2006-3807, CVE-2006-3808, CVE-2006-3809, CVE-2006-3810, CVE-2006-3811) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Kerberos is a network authentication system which allows clients and servers to authenticate to each other through use of symmetric encryption and a trusted third party, the KDC. A flaw was found where some bundled Kerberos-aware applications would fail to check the result of the setuid() call. On Linux 2.6 kernels, the setuid() call can fail if certain user limits are hit. A local attacker could manipulate their environment in such a way to get the applications to continue to run as root, potentially leading to an escalation of privileges. (CVE-2006-3083). Users are advised to update to these erratum packages which contain a backported fix to correct this issue. Important Copyright 2008 Red Hat, Inc. CVE-2006-3083 CVE-2006-3083 krb5 multiple unsafe setuid usage cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 GnuPG is a utility for encrypting data and creating digital signatures. An integer overflow flaw was found in GnuPG. An attacker could create a carefully crafted message packet with a large length that could cause GnuPG to crash or possibly overwrite memory when opened. (CVE-2006-3746) All users of GnuPG are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. Moderate Copyright 2006 Red Hat, Inc. CVE-2006-3746 CVE-2006-3746 GnuPG Parse_Comment Remote Buffer Overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the security issues described below: * a flaw in the proc file system that allowed a local user to use a suid-wrapper for scripts to gain root privileges (CVE-2006-3626, Important) * a flaw in the SCTP implementation that allowed a local user to cause a denial of service (panic) or to possibly gain root privileges (CVE-2006-3745, Important) * a flaw in NFS exported ext2/ext3 partitions when handling invalid inodes that allowed a remote authenticated user to cause a denial of service (filesystem panic) (CVE-2006-3468, Important) * a flaw in the restore_all code path of the 4/4GB split support of non-hugemem kernels that allowed a local user to cause a denial of service (panic) (CVE-2006-2932, Important) * a flaw in IPv4 netfilter handling for the unlikely use of SNMP NAT processing that allowed a remote user to cause a denial of service (crash) or potential memory corruption (CVE-2006-2444, Moderate) * a flaw in the DVD handling of the CDROM driver that could be used together with a custom built USB device to gain root privileges (CVE-2006-2935, Moderate) * a flaw in the handling of O_DIRECT writes that allowed a local user to cause a denial of service (memory consumption) (CVE-2004-2660, Low) * a flaw in the SCTP chunk length handling that allowed a remote user to cause a denial of service (crash) (CVE-2006-1858, Low) * a flaw in the input handling of the ftdi_sio driver that allowed a local user to cause a denial of service (memory consumption) (CVE-2006-2936, Low) In addition a bugfix was added to enable a clean reboot for the IBM Pizzaro machines. Red Hat would like to thank Wei Wang of McAfee Avert Labs and Kirill Korotaev for reporting issues fixed in this erratum. All Red Hat Enterprise Linux 4 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum. Important Copyright 2008 Red Hat, Inc. CVE-2004-2660 CVE-2006-1858 CVE-2006-2444 CVE-2006-2932 CVE-2006-2935 CVE-2006-2936 CVE-2006-3468 CVE-2006-3626 CVE-2006-3745 CVE-2004-2660 O_DIRECT write sometimes leaks memory CVE-2006-2444 SNMP NAT netfilter memory corruption CVE-2006-1858 SCTP chunk length overflow CVE-2006-2932 bogus %ds/%es security issue in restore_all CVE-2006-2936 Possible DoS in write routine of ftdi_sio driver CVE-2006-2935 Possible buffer overflow in DVD handling CVE-2006-3626 Nasty /proc privilege escalation CVE-2006-3468 Bogus FH in NFS request causes DoS in file system code Can't reboot/halt on IBM Pizzaro machine CVE-2006-3745 Local SCTP privilege escalation cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The Apache HTTP Server is a popular Web server available for free. A bug was found in Apache where an invalid Expect header sent to the server was returned to the user in an unescaped error message. This could allow an attacker to perform a cross-site scripting attack if a victim was tricked into connecting to a site and sending a carefully crafted Expect header. (CVE-2006-3918) While a web browser cannot be forced to send an arbitrary Expect header by a third-party attacker, it was recently discovered that certain versions of the Flash plugin can manipulate request headers. If users running such versions can be persuaded to load a web page with a malicious Flash applet, a cross-site scripting attack against the server may be possible. On Red Hat Enterprise Linux 3 and 4 systems, due to an unrelated issue in the handling of malformed Expect headers, the page produced by the cross-site scripting attack will only be returned after a timeout expires (2-5 minutes by default) if not first canceled by the user. Users of httpd should update to these erratum packages, which contain a backported patch to correct these issues. Moderate Copyright 2006 Red Hat, Inc. CVE-2006-3918 CVE-2006-3918 Expect header XSS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 ImageMagick(TM) is an image display and manipulation tool for the X Window System that can read and write multiple image formats. Tavis Ormandy discovered several integer and buffer overflow flaws in the way ImageMagick decodes XCF, SGI, and Sun bitmap graphic files. An attacker could execute arbitrary code on a victim's machine if they were able to trick the victim into opening a specially crafted image file. (CVE-2006-3743, CVE-2006-3744, CVE-2006-4144) Users of ImageMagick should upgrade to these updated packages, which contain backported patches and are not vulnerable to these issues. Moderate Copyright 2006 Red Hat, Inc. CVE-2006-3743 CVE-2006-3744 CVE-2006-4144 CVE-2006-3743 ImageMagick multiple security issues (CVE-2006-3744) CVE-2006-4144 ImageMagick ReadSGIImage() integer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 X.org is an open source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon. An integer overflow flaw in the way the X.org server processes PCF files was discovered. A malicious authorized client could exploit this issue to cause a denial of service (crash) or potentially execute arbitrary code with root privileges on the X.org server. (CVE-2006-3467) Users of X.org should upgrade to these updated packages, which contain a backported patch and is not vulnerable to this issue. Important Copyright 2006 Red Hat, Inc. CVE-2006-3467 CVE-2006-3467 Xorg PCF handling Integer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 XFree86 is an implementation of the X Window System, which provides the core functionality for the Linux graphical desktop. An integer overflow flaw in the way the XFree86 server processes PCF files was discovered. A malicious authorized client could exploit this issue to cause a denial of service (crash) or potentially execute arbitrary code with root privileges on the XFree86 server. (CVE-2006-3467) Users of XFree86 should upgrade to these updated packages, which contain a backported patch and is not vulnerable to this issue. Important Copyright 2006 Red Hat, Inc. CVE-2006-3467 CVE-2006-3467 Xorg PCF handling Integer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The kdegraphics package contains graphics applications for the K Desktop Environment. Tavis Ormandy of Google discovered a number of flaws in libtiff during a security audit. The kfax application contains a copy of the libtiff code used for parsing TIFF files and is therefore affected by these flaws. An attacker who has the ability to trick a user into opening a malicious TIFF file could cause kfax to crash or possibly execute arbitrary code. (CVE-2006-3459, CVE-2006-3460, CVE-2006-3461, CVE-2006-3462, CVE-2006-3463, CVE-2006-3464, CVE-2006-3465) Red Hat Enterprise Linux 4 is not vulnerable to these issues as kfax uses the shared libtiff library which has been fixed in a previous update. Users of kfax should upgrade to these updated packages, which contain backported patches and are not vulnerable to this issue. Moderate Copyright 2008 Red Hat, Inc. CVE-2006-2024 CVE-2006-2025 CVE-2006-2026 CVE-2006-3459 CVE-2006-3460 CVE-2006-3461 CVE-2006-3462 CVE-2006-3463 CVE-2006-3464 CVE-2006-3465 CVE-2006-3459 kfax affected by libtiff flaws (CVE-2006-3460 CVE-2006-3461 CVE-2006-3462 CVE-2006-3463 CVE-2006-3464 CVE-2006-3465) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 Wireshark is a program for monitoring network traffic. Bugs were found in Wireshark's SCSI and SSCOP protocol dissectors. Ethereal could crash or stop responding if it read a malformed packet off the network. (CVE-2006-4330, CVE-2006-4333) An off-by-one bug was found in the IPsec ESP decryption preference parser. Ethereal could crash or stop responding if it read a malformed packet off the network. (CVE-2006-4331) Users of Wireshark or Ethereal should upgrade to these updated packages containing Wireshark version 0.99.3, which is not vulnerable to these issues. These packages also fix a bug in the PAM configuration of the Wireshark packages which prevented non-root users starting a capture. Low Copyright 2008 Red Hat, Inc. CVE-2006-4330 CVE-2006-4331 CVE-2006-4333 CVE-2006-4330 Wireshark security issues (CVE-2006-4331 CVE-2006-4333) wireshark doesn't work as non root user cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The OpenSSL toolkit provides support for secure communications between machines. OpenSSL includes a certificate management tool and shared libraries which provide various cryptographic algorithms and protocols. Daniel Bleichenbacher recently described an attack on PKCS #1 v1.5 signatures. Where an RSA key with exponent 3 is used it may be possible for an attacker to forge a PKCS #1 v1.5 signature that would be incorrectly verified by implementations that do not check for excess data in the RSA exponentiation result of the signature. The Google Security Team discovered that OpenSSL is vulnerable to this attack. This issue affects applications that use OpenSSL to verify X.509 certificates as well as other uses of PKCS #1 v1.5. (CVE-2006-4339) This errata also resolves a problem where a customized ca-bundle.crt file was overwritten when the openssl package was upgraded. Users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. Note: After installing this update, users are advised to either restart all services that use OpenSSL or restart their system. Important Copyright 2006 Red Hat, Inc. CVE-2006-4339 Custom ca-bundle.crt overwritten on upgrade Custom ca-bundle.crt overwritten on upgrade CVE-2006-4339 RSA signature forgery cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 The ncompress package contains file compression and decompression utilities, which are compatible with the original UNIX compress utility (.Z file extensions). Tavis Ormandy of the Google Security Team discovered a lack of bounds checking in ncompress. An attacker could create a carefully crafted file that could execute arbitrary code if uncompressed by a victim. (CVE-2006-1168) In addition, two bugs that affected Red Hat Enterprise Linux 4 ncompress packages were fixed: * The display statistics and compression results in verbose mode were not shown when operating on zero length files. * An attempt to compress zero length files resulted in an unexpected return code. Users of ncompress are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Low Copyright 2008 Red Hat, Inc. CVE-2006-1168 ncompress does not display statistics when compressing 0 length files Bad return code when compressing 0 length files CVE-2006-1168 Possibility to underflow a .bss buffer with attacker controlled data cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 X.org is an open source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon. iDefense reported two integer overflow flaws in the way the X.org server processed CID font files. A malicious authorized client could exploit this issue to cause a denial of service (crash) or potentially execute arbitrary code with root privileges on the X.org server. (CVE-2006-3739, CVE-2006-3740) Users of X.org should upgrade to these updated packages, which contain a backported patch and is not vulnerable to this issue. Important Copyright 2006 Red Hat, Inc. CVE-2006-3739 CVE-2006-3740 CVE-2006-3739 X CID font parser multiple integer overflows (CVE-2006-3740) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 XFree86 is an implementation of the X Window System, which provides the core functionality for the Linux graphical desktop. iDefense reported two integer overflow flaws in the way the XFree86 server processed CID font files. A malicious authorized client could exploit this issue to cause a denial of service (crash) or potentially execute arbitrary code with root privileges on the XFree86 server. (CVE-2006-3739, CVE-2006-3740) Users of XFree86 should upgrade to these updated packages, which contain a backported patch and is not vulnerable to this issue. Important Copyright 2006 Red Hat, Inc. CVE-2006-3739 CVE-2006-3740 CVE-2006-3739 X CID font parser multiple integer overflows (CVE-2006-3740) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The gzip package contains the GNU gzip data compression program. Tavis Ormandy of the Google Security Team discovered two denial of service flaws in the way gzip expanded archive files. If a victim expanded a specially crafted archive, it could cause the gzip executable to hang or crash. (CVE-2006-4334, CVE-2006-4338) Tavis Ormandy of the Google Security Team discovered several code execution flaws in the way gzip expanded archive files. If a victim expanded a specially crafted archive, it could cause the gzip executable to crash or execute arbitrary code. (CVE-2006-4335, CVE-2006-4336, CVE-2006-4337) Users of gzip should upgrade to these updated packages, which contain a backported patch and is not vulnerable to these issues. Moderate Copyright 2006 Red Hat, Inc. CVE-2006-4334 CVE-2006-4335 CVE-2006-4336 CVE-2006-4337 CVE-2006-4338 CVE-2006-4334 gzip multiple issues (CVE-2006-4335, CVE-2006-4336, CVE-2006-4337, CVE-2006-4338) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 SquirrelMail is a standards-based webmail package written in PHP. A dynamic variable evaluation flaw was found in SquirrelMail. Users who have an account on a SquirrelMail server and are logged in could use this flaw to overwrite variables which may allow them to read or write other users' preferences or attachments. (CVE-2006-4019) Users of SquirrelMail should upgrade to this erratum package, which contains SquirrelMail 1.4.8 to correct this issue. This package also contains a number of additional patches to correct various bugs. Note: After installing this update, users are advised to restart their httpd service to ensure that the new version functions correctly. Moderate Copyright 2006 Red Hat, Inc. CVE-2006-4019 [Squirrelmail] sqspell_config.php not listed as a config file squirrelmail cannot handle handle multibyte characters in attachment. "Message Highlighting" help not translated in ja_JP ja_JP help pages are garbled squirrelmail view_text.php cannot handle handle multibyte characters in attachment. Squirrelmail file download issue on JP MS Windows XP. squirrelmail cannot convert Subject to zen-kaku kata-kana. Wrong ja_JP translation for "refresh folder list" CVE-2006-4019 Squirrelmail authenticated user variable overwriting cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A response-splitting issue was discovered in the PHP session handling. If a remote attacker can force a carefully crafted session identifier to be used, a cross-site-scripting or response-splitting attack could be possible. (CVE-2006-3016) A buffer overflow was discovered in the PHP sscanf() function. If a script used the sscanf() function with positional arguments in the format string, a remote attacker sending a carefully crafted request could execute arbitrary code as the 'apache' user. (CVE-2006-4020) An integer overflow was discovered in the PHP wordwrap() and str_repeat() functions. If a script running on a 64-bit server used either of these functions on untrusted user data, a remote attacker sending a carefully crafted request might be able to cause a heap overflow. (CVE-2006-4482) A buffer overflow was discovered in the PHP gd extension. If a script was set up to process GIF images from untrusted sources using the gd extension, a remote attacker could cause a heap overflow. (CVE-2006-4484) An integer overflow was discovered in the PHP memory allocation handling. On 64-bit platforms, the "memory_limit" setting was not enforced correctly, which could allow a denial of service attack by a remote user. (CVE-2006-4486) Users of PHP should upgrade to these updated packages which contain backported patches to correct these issues. These packages also contain a fix for a bug where certain input strings to the metaphone() function could cause memory corruption. Moderate Copyright 2006 Red Hat, Inc. CVE-2006-3016 CVE-2006-4020 CVE-2006-4482 CVE-2006-4484 CVE-2006-4486 CVE-2006-4020 PHP buffer overread flaw CVE-2006-4482 PHP heap overflow metaphone() function causing Apache segfaults CVE-2006-4486 PHP integer overflows in Zend CVE-2006-4484 PHP heap overflow in LWZReadByte CVE-2006-3016 PHP session ID validation cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Mozilla Firefox is an open source Web browser. Two flaws were found in the way Firefox processed certain regular expressions. A malicious web page could crash the browser or possibly execute arbitrary code as the user running Firefox. (CVE-2006-4565, CVE-2006-4566) A number of flaws were found in Firefox. A malicious web page could crash the browser or possibly execute arbitrary code as the user running Firefox. (CVE-2006-4571) A flaw was found in the handling of Javascript timed events. A malicious web page could crash the browser or possibly execute arbitrary code as the user running Firefox. (CVE-2006-4253) Daniel Bleichenbacher recently described an implementation error in RSA signature verification. For RSA keys with exponent 3 it is possible for an attacker to forge a signature that would be incorrectly verified by the NSS library. Firefox as shipped trusts several root Certificate Authorities that use exponent 3. An attacker could have created a carefully crafted SSL certificate which be incorrectly trusted when their site was visited by a victim. (CVE-2006-4340) A flaw was found in the Firefox auto-update verification system. An attacker who has the ability to spoof a victim's DNS could get Firefox to download and install malicious code. In order to exploit this issue an attacker would also need to get a victim to previously accept an unverifiable certificate. (CVE-2006-4567) Firefox did not properly prevent a frame in one domain from injecting content into a sub-frame that belongs to another domain, which facilitates website spoofing and other attacks (CVE-2006-4568) Firefox did not load manually opened, blocked popups in the right domain context, which could lead to cross-site scripting attacks. In order to exploit this issue an attacker would need to find a site which would frame their malicious page and convince the user to manually open a blocked popup. (CVE-2006-4569) Users of Firefox are advised to upgrade to this update, which contains Firefox version 1.5.0.7 that corrects these issues. Critical Copyright 2006 Red Hat, Inc. CVE-2006-4340 CVE-2006-4253 CVE-2006-4565 CVE-2006-4566 CVE-2006-4567 CVE-2006-4568 CVE-2006-4569 CVE-2006-4571 CVE-2006-4340 Various Firefox security issues (CVE-2006-4253 CVE-2006-4565 CVE-2006-4566 CVE-2006-4567 CVE-2006-4568 CVE-2006-4569 CVE-2006-4571) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 SeaMonkey is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. Two flaws were found in the way SeaMonkey processed certain regular expressions. A malicious web page could crash the browser or possibly execute arbitrary code as the user running SeaMonkey. (CVE-2006-4565, CVE-2006-4566) A flaw was found in the handling of Javascript timed events. A malicious web page could crash the browser or possibly execute arbitrary code as the user running SeaMonkey. (CVE-2006-4253) Daniel Bleichenbacher recently described an implementation error in RSA signature verification. For RSA keys with exponent 3 it is possible for an attacker to forge a signature that would be incorrectly verified by the NSS library. SeaMonkey as shipped trusts several root Certificate Authorities that use exponent 3. An attacker could have created a carefully crafted SSL certificate which be incorrectly trusted when their site was visited by a victim. (CVE-2006-4340) SeaMonkey did not properly prevent a frame in one domain from injecting content into a sub-frame that belongs to another domain, which facilitates website spoofing and other attacks (CVE-2006-4568) A flaw was found in SeaMonkey Messenger triggered when a HTML message contained a remote image pointing to a XBL script. An attacker could have created a carefully crafted message which would execute Javascript if certain actions were performed on the email by the recipient, even if Javascript was disabled. (CVE-2006-4570) A number of flaws were found in SeaMonkey. A malicious web page could crash the browser or possibly execute arbitrary code as the user running SeaMonkey. (CVE-2006-4571) Users of SeaMonkey or Mozilla are advised to upgrade to this update, which contains SeaMonkey version 1.0.5 that corrects these issues. For users of Red Hat Enterprise Linux 2.1 this SeaMonkey update obsoletes Galeon. Galeon was a web browser based on the Mozilla Gecko layout engine. Critical Copyright 2006 Red Hat, Inc. CVE-2006-4253 CVE-2006-4340 CVE-2006-4565 CVE-2006-4566 CVE-2006-4568 CVE-2006-4570 CVE-2006-4571 CVE-2006-4340 Various SeaMonkey security issues (CVE-2006-4253 CVE-2006-4565 CVE-2006-4566 CVE-2006-4568 CVE-2006-4570 CVE-2006-4571) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Mozilla Thunderbird is a standalone mail and newsgroup client. Two flaws were found in the way Thunderbird processed certain regular expressions. A malicious HTML email could cause a crash or possibly execute arbitrary code as the user running Thunderbird. (CVE-2006-4565, CVE-2006-4566) A flaw was found in the Thunderbird auto-update verification system. An attacker who has the ability to spoof a victim's DNS could get Firefox to download and install malicious code. In order to exploit this issue an attacker would also need to get a victim to previously accept an unverifiable certificate. (CVE-2006-4567) A flaw was found in the handling of Javascript timed events. A malicious HTML email could crash the browser or possibly execute arbitrary code as the user running Thunderbird. (CVE-2006-4253) Daniel Bleichenbacher recently described an implementation error in RSA signature verification. For RSA keys with exponent 3 it is possible for an attacker to forge a signature that which would be incorrectly verified by the NSS library. (CVE-2006-4340) A flaw was found in Thunderbird that triggered when a HTML message contained a remote image pointing to a XBL script. An attacker could have created a carefully crafted message which would execute Javascript if certain actions were performed on the email by the recipient, even if Javascript was disabled. (CVE-2006-4570) A number of flaws were found in Thunderbird. A malicious HTML email could cause a crash or possibly execute arbitrary code as the user running Thunderbird. (CVE-2006-4571) Users of Thunderbird are advised to upgrade to this update, which contains Thunderbird version 1.5.0.7 that corrects these issues. Critical Copyright 2006 Red Hat, Inc. CVE-2006-4253 CVE-2006-4340 CVE-2006-4565 CVE-2006-4566 CVE-2006-4567 CVE-2006-4570 CVE-2006-4571 CVE-2006-4340 Various Thunderbird security issues (CVE-2006-4253 CVE-2006-4565 CVE-2006-4566 CVE-2006-4567 CVE-2006-4570 CVE-2006-4571) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The GnuTLS Library provides support for cryptographic algorithms and protocols such as TLS. GnuTLS includes libtasn1, a library developed for ASN.1 structures management that includes DER encoding and decoding. Daniel Bleichenbacher recently described an attack on PKCS #1 v1.5 signatures. Where an RSA key with exponent 3 is used it may be possible for an attacker to forge a PKCS #1 v1.5 signature that would be incorrectly verified by implementations that do not check for excess data in the RSA exponentiation result of the signature. The core GnuTLS team discovered that GnuTLS is vulnerable to a variant of the Bleichenbacker attack. This issue affects applications that use GnuTLS to verify X.509 certificates as well as other uses of PKCS #1 v1.5. (CVE-2006-4790) In Red Hat Enterprise Linux 4, the GnuTLS library is only used by the Evolution client when connecting to an Exchange server or when publishing calendar information to a WebDAV server. Users are advised to upgrade to these updated packages, which contain a backported patch from the GnuTLS maintainers to correct this issue. Important Copyright 2006 Red Hat, Inc. CVE-2006-4790 CVE-2006-4790 RSA forgery affects gnutls cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the security issues described below: * a flaw in the SCTP support that allowed a local user to cause a denial of service (crash) with a specific SO_LINGER value. (CVE-2006-4535, Important) * a flaw in the hugepage table support that allowed a local user to cause a denial of service (crash). (CVE-2005-4811, Important) * a flaw in the mprotect system call that allowed setting write permission for a read-only attachment of shared memory. (CVE-2006-2071, Moderate) * a flaw in HID0[31] (en_attn) register handling on PowerPC 970 systems that allowed a local user to cause a denial of service. (crash) (CVE-2006-4093, Moderate) * a flaw in the perfmon support of Itanium systems that allowed a local user to cause a denial of service by consuming all file descriptors. (CVE-2006-3741, Moderate) * a flaw in the ATM subsystem. On systems with installed ATM hardware and configured ATM support, a remote user could cause a denial of service (panic) by accessing socket buffers memory after freeing them. (CVE-2006-4997, Moderate) * a flaw in the DVB subsystem. On systems with installed DVB hardware and configured DVB support, a remote user could cause a denial of service (panic) by sending a ULE SNDU packet with length of 0. (CVE-2006-4623, Low) * an information leak in the network subsystem that possibly allowed a local user to read sensitive data from kernel memory. (CVE-2006-0039, Low) In addition, two bugfixes for the IPW-2200 wireless driver were included. The first one ensures that wireless management applications correctly identify IPW-2200 controlled devices, while the second fix ensures that DHCP requests using the IPW-2200 operate correctly. Red Hat would like to thank Olof Johansson, Stephane Eranian and Solar Designer for reporting issues fixed in this erratum. All Red Hat Enterprise Linux 4 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum. Important Copyright 2006 Red Hat, Inc. CVE-2005-4811 CVE-2006-0039 CVE-2006-2071 CVE-2006-3741 CVE-2006-4093 CVE-2006-4535 CVE-2006-4623 CVE-2006-4997 CVE-2005-4811 Hugepage crash on failing mmap() CVE-2006-2071 mprotect gives write permission to a readonly attachment CVE-2006-0039 netfilter do_add_counters race IPW2200 /proc/net/wireless file fields are empty CVE-2006-4093 Local DoS through uncleared HID0[31] Grabbing DHCP address via wireless not always successful CVE-2006-3741 sys_perfmonctl() file descriptor reference count issue CVE-2006-4535 Regression with fix for SCTP abort issue CVE-2006-4623 Wrong handling of DVB ULE SNDU with length of 0 CVE-2006-4997 IP over ATM clip_mkip dereference freed pointer cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 The OpenSSL toolkit provides support for secure communications between machines. OpenSSL includes a certificate management tool and shared libraries which provide various cryptographic algorithms and protocols. Tavis Ormandy and Will Drewry of the Google Security Team discovered a buffer overflow in the SSL_get_shared_ciphers() utility function. An attacker could send a list of ciphers to an application that used this function and overrun a buffer (CVE-2006-3738). Few applications make use of this vulnerable function and generally it is used only when applications are compiled for debugging. Tavis Ormandy and Will Drewry of the Google Security Team discovered a flaw in the SSLv2 client code. When a client application used OpenSSL to create an SSLv2 connection to a malicious server, that server could cause the client to crash. (CVE-2006-4343) Dr S. N. Henson of the OpenSSL core team and Open Network Security recently developed an ASN.1 test suite for NISCC (www.niscc.gov.uk) which uncovered denial of service vulnerabilities: * Certain public key types can take disproportionate amounts of time to process, leading to a denial of service. (CVE-2006-2940) * During parsing of certain invalid ASN.1 structures an error condition was mishandled. This can result in an infinite loop which consumed system memory (CVE-2006-2937). This issue does not affect the OpenSSL version distributed in Red Hat Enterprise Linux 2.1. These vulnerabilities can affect applications which use OpenSSL to parse ASN.1 data from untrusted sources, including SSL servers which enable client authentication and S/MIME applications. Users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Note: After installing this update, users are advised to either restart all services that use OpenSSL or restart their system. Important Copyright 2008 Red Hat, Inc. CVE-2006-2937 CVE-2006-2940 CVE-2006-3738 CVE-2006-4343 CVE-2006-3738 OpenSSL issues (CVE-2006-4343) CVE-2006-2940 OpenSSL Parasitic Public Keys CVE-2006-2937 OpenSSL ASN1 DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. This package includes the core files necessary for both the OpenSSH client and server. Mark Dowd discovered a signal handler race condition in the OpenSSH sshd server. A remote attacker could possibly leverage this flaw to cause a denial of service (crash). (CVE-2006-5051) The OpenSSH project believes the likelihood of successful exploitation leading to arbitrary code execution appears remote. However, the Red Hat Security Response Team have not yet been able to verify this claim due to lack of upstream vulnerability information. We are therefore including a fix for this flaw and have rated it important security severity in the event our continued investigation finds this issue to be exploitable. Tavis Ormandy of the Google Security Team discovered a denial of service bug in the OpenSSH sshd server. A remote attacker can send a specially crafted SSH-1 request to the server causing sshd to consume a large quantity of CPU resources. (CVE-2006-4924) All users of openssh should upgrade to these updated packages, which contain backported patches that resolves these issues. Important Copyright 2008 Red Hat, Inc. CVE-2006-4924 CVE-2006-5051 CVE-2006-4924 openssh DoS CVE-2006-5051 unsafe GSSAPI signal handler cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the security issues described below: * a flaw in the IPC shared-memory implementation that allowed a local user to cause a denial of service (deadlock) that resulted in freezing the system (CVE-2006-4342, Important) * an information leak in the copy_from_user() implementation on s390 and s390x platforms that allowed a local user to read arbitrary kernel memory (CVE-2006-5174, Important) * a flaw in the ATM subsystem affecting systems with installed ATM hardware and configured ATM support that allowed a remote user to cause a denial of service (panic) by accessing socket buffer memory after it has been freed (CVE-2006-4997, Moderate) * a directory traversal vulnerability in smbfs that allowed a local user to escape chroot restrictions for an SMB-mounted filesystem via "..\\" sequences (CVE-2006-1864, Moderate) * a flaw in the mprotect system call that allowed enabling write permission for a read-only attachment of shared memory (CVE-2006-2071, Moderate) * a flaw in the DVD handling of the CDROM driver that could be used together with a custom built USB device to gain root privileges (CVE-2006-2935, Moderate) In addition to the security issues described above, a bug fix for a clock skew problem (which could lead to unintended keyboard repeat under X11) was also included. The problem only occurred when running the 32-bit x86 kernel on 64-bit dual-core x86_64 hardware. Note: The kernel-unsupported package contains various drivers and modules that are unsupported and therefore might contain security problems that have not been addressed. All Red Hat Enterprise Linux 3 users are advised to upgrade their kernels to the packages associated with their machine architecture and configurations as listed in this erratum. Important Copyright 2006 Red Hat, Inc. CVE-2006-1864 CVE-2006-2071 CVE-2006-2935 CVE-2006-4342 CVE-2006-4997 CVE-2006-5174 repetitive keystroke issue on both RH3 U5 32bit and RH4 U1 32bit. CVE-2006-1864 smbfs chroot issue CVE-2006-2071 mprotect gives write permission to a readonly attachment CVE-2006-2935 Possible buffer overflow in DVD handling CVE-2006-4342 shmat hangs by simultaneous shmctl(IPC_RMID) CVE-2006-4997 IP over ATM clip_mkip dereference freed pointer CVE-2006-5174 copy_from_user information leak on s390 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 Python is an interpreted, interactive, object-oriented programming language. A flaw was discovered in the way that the Python repr() function handled UTF-32/UCS-4 strings. If an application written in Python used the repr() function on untrusted data, this could lead to a denial of service or possibly allow the execution of arbitrary code with the privileges of the Python application. (CVE-2006-4980) In addition, this errata fixes a regression in the SimpleXMLRPCServer backport for Red Hat Enterprise Linux 3 that was introduced with RHSA-2005:109. Users of Python should upgrade to these updated packages, which contain a backported patch to correct this issue. Important Copyright 2006 Red Hat, Inc. CVE-2006-4980 Error in RHEL3-U4-errata python python-2.2-xmlfix.patch CVE-2006-4980 repr unicode buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 nss_ldap is a set of C library extensions that allow X.500 and LDAP directory servers to be used as primary sources for aliases, ethers, groups, hosts, networks, protocols, users, RPCs, services, and shadow passwords. A flaw was found in the way nss_ldap handled a PasswordPolicyResponse control sent by an LDAP server. If an LDAP server responded to an authentication request with a PasswordPolicyResponse control, it was possible for an application using nss_ldap to improperly authenticate certain users. (CVE-2006-5170) This flaw was only exploitable within applications which did not properly process nss_ldap error messages. Only xscreensaver is currently known to exhibit this behavior. All users of nss_ldap should upgrade to these updated packages, which contain a backported patch that resolves this issue. Moderate Copyright 2006 Red Hat, Inc. CVE-2006-5170 CVE-2006-5170 When using LDAP for authentication, xscreensaver allows access if account locked out. cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 The kdelibs package provides libraries for the K Desktop Environment (KDE). Qt is a GUI software toolkit for the X Window System. An integer overflow flaw was found in the way Qt handled pixmap images. The KDE khtml library uses Qt in such a way that untrusted parameters could be passed to Qt, triggering the overflow. An attacker could for example create a malicious web page that when viewed by a victim in the Konqueror browser would cause Konqueror to crash or possibly execute arbitrary code with the privileges of the victim. (CVE-2006-4811) Users of KDE should upgrade to these updated packages, which contain a backported patch to correct this issue. Critical Copyright 2006 Red Hat, Inc. CVE-2006-4811 CVE-2006-4811 qt integer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 Qt is a software toolkit that simplifies the task of writing and maintaining GUI (Graphical User Interface) applications for the X Window System. An integer overflow flaw was found in the way Qt handled certain pixmap images. If an application linked against Qt created a pixmap image in a certain way, it could lead to a denial of service or possibly allow the execution of arbitrary code. (CVE-2006-4811) Users of Qt should upgrade to these updated packages, which contain a backported patch to correct this issue. Moderate Copyright 2006 Red Hat, Inc. CVE-2006-4811 CVE-2006-4811 qt integer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 Wireshark is a program for monitoring network traffic. Several flaws were found in Wireshark's HTTP, WBXML, LDAP, and XOT protocol dissectors. Wireshark could crash or stop responding if it read a malformed packet off the network. (CVE-2006-4805, CVE-2006-5468, CVE-2006-5469, CVE-2006-5740) A single NULL byte heap based buffer overflow was found in Wireshark's MIME Multipart dissector. Wireshark could crash or possibly execute arbitrary arbitrary code as the user running Wireshark. (CVE-2006-4574) Users of Wireshark should upgrade to these updated packages containing Wireshark version 0.99.4, which is not vulnerable to these issues. Moderate Copyright 2006 Red Hat, Inc. CVE-2006-4574 CVE-2006-4805 CVE-2006-5468 CVE-2006-5469 CVE-2006-5740 CVE-2006-4574 Multiple Wireshark issues (CVE-2006-4805, CVE-2006-5468, CVE-2006-5469, CVE-2006-5740) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 Texinfo is a documentation system that can produce both online information and printed output from a single source file. A buffer overflow flaw was found in Texinfo's texindex command. An attacker could construct a carefully crafted Texinfo file that could cause texindex to crash or possibly execute arbitrary code when opened. (CVE-2006-4810) A flaw was found in the way Texinfo's texindex command creates temporary files. A local user could leverage this flaw to overwrite files the user executing texindex has write access to. (CVE-2005-3011) Users of Texinfo should upgrade to these updated packages which contain backported patches and are not vulnerable to these issues. Moderate Copyright 2006 Red Hat, Inc. CVE-2005-3011 CVE-2006-4810 CVE-2005-3011 texindex insecure temporary file usage CVE-2005-3011 texindex insecure temporary file usage CVE-2005-3011 texindex insecure temporary file usage CVE-2006-4810 texindex buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 Ruby is an interpreted scripting language for object-oriented programming. A flaw was discovered in the way Ruby's CGI module handles certain multipart/form-data MIME data. If a remote attacker sends a specially crafted multipart-form-data request, it is possible to cause the ruby CGI script to enter an infinite loop, causing a denial of service. (CVE-2006-5467) Users of Ruby should upgrade to these updated packages which contain backported patches and are not vulnerable to these issues. Moderate Copyright 2006 Red Hat, Inc. CVE-2006-5467 CVE-2006-5467 Ruby CGI multipart parsing DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. The Hardened-PHP Project discovered an overflow in the PHP htmlentities() and htmlspecialchars() routines. If a PHP script used the vulnerable functions to parse UTF-8 data, a remote attacker sending a carefully crafted request could trigger the overflow and potentially execute arbitrary code as the 'apache' user. (CVE-2006-5465) Users of PHP should upgrade to these updated packages which contain a backported patch to correct this issue. Important Copyright 2006 Red Hat, Inc. CVE-2006-5465 CVE-2006-5465 PHP buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Mozilla Firefox is an open source Web browser. Several flaws were found in the way Firefox processes certain malformed Javascript code. A malicious web page could cause the execution of Javascript code in such a way that could cause Firefox to crash or execute arbitrary code as the user running Firefox. (CVE-2006-5463, CVE-2006-5747, CVE-2006-5748) Several flaws were found in the way Firefox renders web pages. A malicious web page could cause the browser to crash or possibly execute arbitrary code as the user running Firefox. (CVE-2006-5464) A flaw was found in the way Firefox verifies RSA signatures. For RSA keys with exponent 3 it is possible for an attacker to forge a signature that would be incorrectly verified by the NSS library. Firefox as shipped trusts several root Certificate Authorities that use exponent 3. An attacker could have created a carefully crafted SSL certificate which be incorrectly trusted when their site was visited by a victim. This flaw was previously thought to be fixed in Firefox 1.5.0.7, however Ulrich Kuehn discovered the fix was incomplete (CVE-2006-5462) Users of Firefox are advised to upgrade to these erratum packages, which contain Firefox version 1.5.0.8 that corrects these issues. Critical Copyright 2006 Red Hat, Inc. CVE-2006-5462 CVE-2006-5463 CVE-2006-5464 CVE-2006-5747 CVE-2006-5748 CVE-2006-5462 Multiple firefox vulnerabilities (CVE-2006-5463, CVE-2006-5464, CVE-2006-5747, CVE-2006-5748) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 SeaMonkey is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. Several flaws were found in the way SeaMonkey processes certain malformed Javascript code. A malicious web page could cause the execution of Javascript code in such a way that could cause SeaMonkey to crash or execute arbitrary code as the user running SeaMonkey. (CVE-2006-5463, CVE-2006-5747, CVE-2006-5748) Several flaws were found in the way SeaMonkey renders web pages. A malicious web page could cause the browser to crash or possibly execute arbitrary code as the user running SeaMonkey. (CVE-2006-5464) A flaw was found in the way SeaMonkey verifies RSA signatures. For RSA keys with exponent 3 it is possible for an attacker to forge a signature that would be incorrectly verified by the NSS library. SeaMonkey as shipped trusts several root Certificate Authorities that use exponent 3. An attacker could have created a carefully crafted SSL certificate which be incorrectly trusted when their site was visited by a victim. This flaw was previously thought to be fixed in SeaMonkey 1.0.5, however Ulrich Kuehn discovered the fix was incomplete (CVE-2006-5462) Users of SeaMonkey are advised to upgrade to these erratum packages, which contains SeaMonkey version 1.0.6 that corrects these issues. Critical Copyright 2006 Red Hat, Inc. CVE-2006-5462 CVE-2006-5463 CVE-2006-5464 CVE-2006-5747 CVE-2006-5748 CVE-2006-5462 Multiple seamonkey vulnerabilities (CVE-2006-5463, CVE-2006-5464, CVE-2006-5747, CVE-2006-5748) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Mozilla Thunderbird is a standalone mail and newsgroup client. Several flaws were found in the way Thunderbird processes certain malformed Javascript code. A malicious HTML mail message could cause the execution of Javascript code in such a way that could cause Thunderbird to crash or execute arbitrary code as the user running Thunderbird. (CVE-2006-5463, CVE-2006-5747, CVE-2006-5748) Several flaws were found in the way Thunderbird renders HTML mail messages. A malicious HTML mail message could cause the mail client to crash or possibly execute arbitrary code as the user running Thunderbird. (CVE-2006-5464) A flaw was found in the way Thunderbird verifies RSA signatures. For RSA keys with exponent 3 it is possible for an attacker to forge a signature that would be incorrectly verified by the NSS library. Thunderbird as shipped trusts several root Certificate Authorities that use exponent 3. An attacker could have created a carefully crafted SSL certificate which would be incorrectly trusted when their site was visited by a victim. This flaw was previously thought to be fixed in Thunderbird 1.5.0.7, however Ulrich Kuehn discovered the fix was incomplete (CVE-2006-5462) Users of Thunderbird are advised to upgrade to this update, which contains Thunderbird version 1.5.0.8 that corrects these issues. Critical Copyright 2006 Red Hat, Inc. CVE-2006-5462 CVE-2006-5463 CVE-2006-5464 CVE-2006-5747 CVE-2006-5748 CVE-2006-5462 Multiple thunderbird vulnerabilities (CVE-2006-5463, CVE-2006-5464, CVE-2006-5747, CVE-2006-5748) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. This package includes the core files necessary for both the OpenSSH client and server. An authentication flaw was found in OpenSSH's privilege separation monitor. If it ever becomes possible to alter the behavior of the unprivileged process when OpenSSH is using privilege separation, an attacker may then be able to login without possessing proper credentials. (CVE-2006-5794) Please note that this flaw by itself poses no direct threat to OpenSSH users. Without another security flaw that could allow an attacker to alter the behavior of OpenSSH's unprivileged process, this flaw cannot be exploited. There are currently no known flaws to exploit this behavior. However, we have decided to issue this erratum to fix this flaw to reduce the security impact if an unprivileged process flaw is ever found. Users of openssh should upgrade to these updated packages, which contain a backported patch to resolve this issue. Low Copyright 2006 Red Hat, Inc. CVE-2006-5794 CVE-2006-5794 OpenSSH privilege separation flaw cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Elinks is a text mode Web browser used from the command line that supports rendering modern web pages. An arbitrary file access flaw was found in the Elinks SMB protocol handler. A malicious web page could have caused Elinks to read or write files with the permissions of the user running Elinks. (CVE-2006-5925) All users of Elinks are advised to upgrade to this updated package, which resolves this issue by removing support for the SMB protocol from Elinks. Note: this issue did not affect the Elinks package shipped with Red Hat Enterprise Linux 3, or the Links package shipped with Red Hat Enterprise Linux 2.1. Critical Copyright 2006 Red Hat, Inc. CVE-2006-5925 CVE-2006-5925 elinks smb protocol arbitrary file access cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 mod_auth_kerb is module for the Apache HTTP Server designed to provide Kerberos authentication over HTTP. An off by one flaw was found in the way mod_auth_kerb handles certain Kerberos authentication messages. A remote client could send a specially crafted authentication request which could crash an httpd child process (CVE-2006-5989). A bug in the handling of multiple realms configured using the "KrbAuthRealms" directive has also been fixed. All users of mod_auth_kerb should upgrade to these updated packages, which contain backported patches that resolve these issues. Low Copyright 2006 Red Hat, Inc. CVE-2006-5989 CVE-2006-5989 mod_auth_kerb segfault with FC6 client cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 The GNU tar program saves many files together in one archive and can restore individual files (or all of the files) from that archive. Teemu Salmela discovered a path traversal flaw in the way GNU tar extracted archives. A malicious user could create a tar archive that could write to arbitrary files to which the user running GNU tar has write access. (CVE-2006-6097) Users of tar should upgrade to this updated package, which contains a replacement backported patch to correct this issue. Moderate Copyright 2006 Red Hat, Inc. CVE-2006-6097 CVE-2006-6097 GNU tar directory traversal cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 GnuPG is a utility for encrypting data and creating digital signatures. Tavis Ormandy discovered a stack overwrite flaw in the way GnuPG decrypts messages. An attacker could create carefully crafted message that could cause GnuPG to execute arbitrary code if a victim attempts to decrypt the message. (CVE-2006-6235) A heap based buffer overflow flaw was found in the way GnuPG constructs messages to be written to the terminal during an interactive session. An attacker could create a carefully crafted message which with user interaction could cause GnuPG to execute arbitrary code with the permissions of the user running GnuPG. (CVE-2006-6169) All users of GnuPG are advised to upgrade to this updated package, which contains a backported patch to correct these issues. Important Copyright 2006 Red Hat, Inc. CVE-2006-6169 CVE-2006-6235 CVE-2006-6235 GnuPG references local variable after function returns CVE-2006-6169 GnuPG heap overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Mozilla Firefox is an open source Web browser. Several flaws were found in the way Firefox processes certain malformed Javascript code. A malicious web page could cause the execution of Javascript code in such a way that could cause Firefox to crash or execute arbitrary code as the user running Firefox. (CVE-2006-6498, CVE-2006-6501, CVE-2006-6502, CVE-2006-6503, CVE-2006-6504) Several flaws were found in the way Firefox renders web pages. A malicious web page could cause the browser to crash or possibly execute arbitrary code as the user running Firefox. (CVE-2006-6497) Users of Firefox are advised to upgrade to these erratum packages, which contain Firefox version 1.5.0.9 that corrects these issues. Critical Copyright 2006 Red Hat, Inc. CVE-2006-6497 CVE-2006-6498 CVE-2006-6501 CVE-2006-6502 CVE-2006-6503 CVE-2006-6504 CVE-2006-6497 Multiple Firefox issues (CVE-2006-6498, CVE-2006-6501, CVE-2006-6502, CVE-2006-6503, CVE-2006-6504) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 SeaMonkey is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. Several flaws were found in the way SeaMonkey processes certain malformed Javascript code. A malicious web page could cause the execution of Javascript code in such a way that could cause SeaMonkey to crash or execute arbitrary code as the user running SeaMonkey. (CVE-2006-6498, CVE-2006-6501, CVE-2006-6502, CVE-2006-6503, CVE-2006-6504) Several flaws were found in the way SeaMonkey renders web pages. A malicious web page could cause the browser to crash or possibly execute arbitrary code as the user running SeaMonkey. (CVE-2006-6497) A heap based buffer overflow flaw was found in the way SeaMonkey Mail parses the Content-Type mail header. A malicious mail message could cause the SeaMonkey Mail client to crash or possibly execute arbitrary code as the user running SeaMonkey Mail. (CVE-2006-6505) Users of SeaMonkey are advised to upgrade to these erratum packages, which contain SeaMonkey version 1.0.7 that corrects these issues. Critical Copyright 2006 Red Hat, Inc. CVE-2006-6497 CVE-2006-6498 CVE-2006-6501 CVE-2006-6502 CVE-2006-6503 CVE-2006-6504 CVE-2006-6505 CVE-2006-6497 Multiple Seamonkey issues (CVE-2006-6498, CVE-2006-6501, CVE-2006-6502, CVE-2006-6503, CVE-2006-6504, CVE-2006-6505) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Mozilla Thunderbird is a standalone mail and newsgroup client. Several flaws were found in the way Thunderbird processes certain malformed Javascript code. A malicious web page could cause the execution of Javascript code in such a way that could cause Thunderbird to crash or execute arbitrary code as the user running Thunderbird. JavaScript support is disabled by default in Thunderbird; this issue is not exploitable without enabling JavaScript. (CVE-2006-6498, CVE-2006-6501, CVE-2006-6502, CVE-2006-6503, CVE-2006-6504) Several flaws were found in the way Thunderbird renders web pages. A malicious web page could cause the browser to crash or possibly execute arbitrary code as the user running Thunderbird. (CVE-2006-6497) A heap based buffer overflow flaw was found in the way Thunderbird parses the Content-Type mail header. A malicious mail message could cause the Thunderbird client to crash or possibly execute arbitrary code as the user running Thunderbird. (CVE-2006-6505) Users of Thunderbird are advised to apply this update, which contains Thunderbird version 1.5.0.9 that corrects these issues. Critical Copyright 2006 Red Hat, Inc. CVE-2006-6497 CVE-2006-6498 CVE-2006-6501 CVE-2006-6502 CVE-2006-6503 CVE-2006-6504 CVE-2006-6505 CVE-2006-6497 Multiple Thunderbird issues (CVE-2006-6498, CVE-2006-6501, CVE-2006-6502, CVE-2006-6503, CVE-2006-6504, CVE-2006-6505) cpe:/o:redhat:enterprise_linux