Red Hat OVAL Patch Definition Merger 2 5.3 2011-09-30T09:51:41 Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 OpenOffice.org is an office productivity suite that includes desktop applications such as a word processor, spreadsheet, presentation manager, formula editor, and drawing program. Several integer overflow bugs were found in the OpenOffice.org WMF file processor. An attacker could create a carefully crafted WMF file that could cause OpenOffice.org to execute arbitrary code when the file was opened by a victim. (CVE-2006-5870) All users of OpenOffice.org are advised to upgrade to these updated packages, which contain a backported fix for this issue. Important Copyright 2007 Red Hat, Inc. CVE-2006-5870 CVE-2006-5870 WMF heap overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 XFree86 is an implementation of the X Window System, which provides the core functionality for the Linux graphical desktop. iDefense reported three integer overflow flaws in the XFree86 Render and DBE extensions. A malicious authorized client could exploit this issue to cause a denial of service (crash) or potentially execute arbitrary code with root privileges on the XFree86 server. (CVE-2006-6101, CVE-2006-6102, CVE-2006-6103) Users of XFree86 should upgrade to these updated packages, which contain a backported patch and is not vulnerable to this issue. Important Copyright 2007 Red Hat, Inc. CVE-2006-6101 CVE-2006-6102 CVE-2006-6103 CVE-2006-6101 Multiple XFree86 integer overflows (CVE-2006-6102, CVE-2006-6103) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 X.org is an open source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon. iDefense reported three integer overflow flaws in the X.org Render and DBE extensions. A malicious authorized client could exploit this issue to cause a denial of service (crash) or potentially execute arbitrary code with root privileges on the X.org server. (CVE-2006-6101, CVE-2006-6102, CVE-2006-6103) Users of X.org should upgrade to these updated packages, which contain a backported patch and is not vulnerable to this issue. Important Copyright 2007 Red Hat, Inc. CVE-2006-6101 CVE-2006-6102 CVE-2006-6103 CVE-2006-6101 Multiple xorg-x11 integer overflows (CVE-2006-6102, CVE-2006-6103) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 D-BUS is a system for sending messages between applications. It is used both for the systemwide message bus service, and as a per-user-login-session messaging facility. Kimmo Hämäläinen discovered a flaw in the way D-BUS processes certain messages. It is possible for a local unprivileged D-BUS process to disrupt the ability of another D-BUS process to receive messages. (CVE-2006-6107) Users of dbus are advised to upgrade to these updated packages, which contain backported patches to correct this issue. Moderate Copyright 2007 Red Hat, Inc. CVE-2006-6107 CVE-2006-6107 D-Bus denial of service cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 The GNOME Structured File Library is a utility library for reading and writing structured file formats. A heap based buffer overflow flaw was found in the way GNOME Structured File Library processes and certain OLE documents. If an person opened a specially crafted OLE file, it could cause the client application to crash or execute arbitrary code. (CVE-2006-4514) Users of GNOME Structured File Library should upgrade to these updated packages, which contain a backported patch that resolves this issue. Moderate Copyright 2007 Red Hat, Inc. CVE-2006-4514 CVE-2006-4514 libgsf heap overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the security issues described below: * a flaw in the get_fdb_entries function of the network bridging support that allowed a local user to cause a denial of service (crash) or allow a potential privilege escalation (CVE-2006-5751, Important) * an information leak in the _block_prepare_write function that allowed a local user to read kernel memory (CVE-2006-4813, Important) * an information leak in the copy_from_user() implementation on s390 and s390x platforms that allowed a local user to read kernel memory (CVE-2006-5174, Important) * a flaw in the handling of /proc/net/ip6_flowlabel that allowed a local user to cause a denial of service (infinite loop) (CVE-2006-5619, Important) * a flaw in the AIO handling that allowed a local user to cause a denial of service (panic) (CVE-2006-5754, Important) * a race condition in the mincore system core that allowed a local user to cause a denial of service (system hang) (CVE-2006-4814, Moderate) * a flaw in the ELF handling on ia64 and sparc architectures which triggered a cross-region memory mapping and allowed a local user to cause a denial of service (CVE-2006-4538, Moderate) * a flaw in the dev_queue_xmit function of the network subsystem that allowed a local user to cause a denial of service (data corruption) (CVE-2006-6535, Moderate) * a flaw in the handling of CAPI messages over Bluetooth that allowed a remote system to cause a denial of service or potential code execution. This flaw is only exploitable if a privileged user establishes a connection to a malicious remote device (CVE-2006-6106, Moderate) * a flaw in the listxattr system call that allowed a local user to cause a denial of service (data corruption) or potential privilege escalation. To successfully exploit this flaw the existence of a bad inode is required first (CVE-2006-5753, Moderate) * a flaw in the __find_get_block_slow function that allowed a local privileged user to cause a denial of service (CVE-2006-5757, Low) * various flaws in the supported filesystems that allowed a local privileged user to cause a denial of service (CVE-2006-5823, CVE-2006-6053, CVE-2006-6054, CVE-2006-6056, Low) In addition to the security issues described above, fixes for the following bugs were included: * initialization error of the tg3 driver with some BCM5703x network card * a memory leak in the audit subsystem * x86_64 nmi watchdog timeout is too short * ext2/3 directory reads fail intermittently Red Hat would like to thank Dmitriy Monakhov and Kostantin Khorenko for reporting issues fixed in this erratum. All Red Hat Enterprise Linux 4 users are advised to upgrade their kernels to the packages associated with their machine architecture and configurations as listed in this erratum. Important Copyright 2008 Red Hat, Inc. CVE-2006-4538 CVE-2006-4813 CVE-2006-4814 CVE-2006-5174 CVE-2006-5619 CVE-2006-5751 CVE-2006-5753 CVE-2006-5754 CVE-2006-5757 CVE-2006-5823 CVE-2006-6053 CVE-2006-6054 CVE-2006-6056 CVE-2006-6106 CVE-2006-6535 CVE-2006-4814 Race condition in mincore can cause "ps -ef" to hang CVE-2006-4538 Local DoS with corrupted ELF CVE-2006-5757 Linux kernel Filesystem Mount Dead Loop CVE-2006-4813 Information leak in __block_prepare_write() CVE-2006-5174 copy_from_user information leak on s390 CVE-2006-6535 unbalanced local_bh_enable() in dev_queue_xmit() CVE-2006-5619 Lockup via /proc/net/ip6_flowlabel SAN file systems becoming read-only CVE-2006-5757 ISO9660 __find_get_block_slow() denial of service CVE-2006-5751 Linux kernel get_fdb_entries() integer overflow CVE-2006-5823 zlib_inflate memory corruption CVE-2006-6056 SELinux superblock_doinit denial of service CVE-2006-6054 ext2_check_page denial of service CVE-2006-6053 ext3fs_dirhash denial of service CVE-2006-6106 Multiple problems in net/bluetooth/cmtp/capi.c CVE-2006-5753 listxattr syscall can corrupt user space programs [rhel-4.4] CVE-2006-5754 kernel panic in aio_free_ring() cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 ImageMagick is an image display and manipulation tool for the X Window System that can read and write multiple image formats. Several security flaws were discovered in the way ImageMagick decodes DCM, PALM, and SGI graphic files. An attacker may be able to execute arbitrary code on a victim's machine if they were able to trick the victim into opening a specially crafted image file (CVE-2006-5456, CVE-2006-5868). A heap overflow flaw was found in ImageMagick. An attacker may be able to execute arbitrary code on a victim's machine if they were able to trick the victim into opening a specially crafted file (CVE-2006-2440). This issue only affected the version of ImageMagick distributed with Red Hat Enterprise Linux 4. Users of ImageMagick should upgrade to these updated packages, which contain backported patches to correct these issues. Moderate Copyright 2007 Red Hat, Inc. CVE-2006-2440 CVE-2006-5456 CVE-2006-5868 CVE-2006-2440 ImageMagick heap overflow CVE-2006-5456 Overflows in GraphicsMagick and ImageMagick's DCM and PALM handling routines CVE-2006-5868 Insufficient boundary check in ImageMagick's SGIDecode() cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Fetchmail is a remote mail retrieval and forwarding utility. A denial of service flaw was found when Fetchmail was run in multidrop mode. A malicious mail server could send a message without headers which would cause Fetchmail to crash (CVE-2005-4348). This issue did not affect the version of Fetchmail shipped with Red Hat Enterprise Linux 2.1 or 3. A flaw was found in the way Fetchmail used TLS encryption to connect to remote hosts. Fetchmail provided no way to enforce the use of TLS encryption and would not authenticate POP3 protocol connections properly (CVE-2006-5867). This update corrects this issue by enforcing TLS encryption when the "sslproto" configuration directive is set to "tls1". Users of Fetchmail should update to these packages, which contain backported patches to correct these issues. Note: This update may break configurations which assumed that Fetchmail would use plain-text authentication if TLS encryption is not supported by the POP3 server even if the "sslproto" directive is set to "tls1". If you are using a custom configuration that depended on this behavior you will need to modify your configuration appropriately after installing this update. Moderate Copyright 2008 Red Hat, Inc. CVE-2005-4348 CVE-2006-5867 CVE-2005-4348 Fetchmail DOS by malicious server in multidrop mode CVE-2006-5867 fetchmail not enforcing TLS for POP3 properly cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The gtk2 package contains the GIMP ToolKit (GTK+), a library for creating graphical user interfaces for the X Window System. A bug was found in the way the gtk2 GdkPixbufLoader() function processed invalid input. Applications linked against gtk2 could crash if they loaded a malformed image file. (CVE-2007-0010) Users of gtk2 are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. Moderate Copyright 2008 Red Hat, Inc. CVE-2007-0010 CVE-2007-0010 GdbPixbufLoader fails to handle invalid input from Evolution correctly cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 SquirrelMail is a standards-based webmail package written in PHP. Several cross-site scripting bugs were discovered in SquirrelMail. An attacker could inject arbitrary Javascript or HTML content into SquirrelMail pages by tricking a user into visiting a carefully crafted URL. (CVE-2006-6142) Users of SquirrelMail should upgrade to this erratum package, which contains a backported patch to correct these issues. Notes: - After installing this update, users are advised to restart their httpd service to ensure that the updated version functions correctly. - config.php should NOT be modified, please modify config_local.php instead. - Known Bug: The configuration generator may potentially produce bad options that interfere with the operation of this application. Applying specific config changes to config_local.php manually is recommended. Moderate Copyright 2008 Red Hat, Inc. CVE-2006-6142 CVE-2006-6142 Three XSS issues in SquirrelMail cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 OpenOffice.org is an office productivity suite that includes desktop applications such as a word processor, spreadsheet, presentation manager, formula editor, and drawing program. iDefense reported an integer overflow flaw in libwpd, a library used internally to OpenOffice.org for handling Word Perfect documents. An attacker could create a carefully crafted Word Perfect file that could cause OpenOffice.org to crash or possibly execute arbitrary code if the file was opened by a victim. (CVE-2007-1466) John Heasman discovered a stack overflow in the StarCalc parser in OpenOffice.org. An attacker could create a carefully crafted StarCalc file that could cause OpenOffice.org to crash or possibly execute arbitrary code if the file was opened by a victim. (CVE-2007-0238) Flaws were discovered in the way OpenOffice.org handled hyperlinks. An attacker could create an OpenOffice.org document which could run commands if a victim opened the file and clicked on a malicious hyperlink. (CVE-2007-0239) All users of OpenOffice.org are advised to upgrade to these updated packages, which contain backported fixes for these issues. Red Hat would like to thank Fridrich Štrba for alerting us to the issue CVE-2007-1466 and providing a patch, and John Heasman for CVE-2007-0238. Important Copyright 2008 Red Hat, Inc. CVE-2007-0238 CVE-2007-0239 CVE-2007-1466 CVE-2007-1466 integer overflow CVE-2007-0238 StarCalc overflow CVE-2007-0239 hyperlink escaping issue cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 ISC BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols. A flaw was found in the way BIND processed certain DNS query responses. On servers that had enabled DNSSEC validation, this could allow an remote attacker to cause a denial of service. (CVE-2007-0494) For users of Red Hat Enterprise Linux 3, the previous BIND update caused an incompatible change to the default configuration that resulted in rndc not sharing the key with the named daemon. This update corrects this bug and restores the behavior prior to that update. Updating the bind package in Red Hat Enterprise Linux 3 could result in nonfunctional configuration in case the bind-libs package was not updated. This update corrects this bug by adding the correct dependency on bind-libs. Users of BIND are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Moderate Copyright 2007 Red Hat, Inc. CVE-2007-0494 rndc.conf change breaks working bind config CVE-2007-0494 BIND dnssec denial of service cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 libwpd is a library for reading and converting Word Perfect documents. iDefense reported several overflow bugs in libwpd. An attacker could create a carefully crafted Word Perfect file that could cause an application linked with libwpd, such as OpenOffice, to crash or possibly execute arbitrary code if the file was opened by a victim. (CVE-2007-0002) All users are advised to upgrade to these updated packages, which contain a backported fix for this issue. Red Hat would like to thank Fridrich Štrba for alerting us to these issues and providing a patch. Important Copyright 2008 Red Hat, Inc. CVE-2007-0002 CVE-2007-1466 CVE-2007-0002 buffer overflows cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 ISC BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols. A flaw was found in the way BIND processed certain DNS query responses. On servers that had enabled DNSSEC validation, this could allow a remote attacker to cause a denial of service. (CVE-2007-0494) A use-after-free flaw was found in BIND. On servers that have recursion enabled, this could allow a remote attacker to cause a denial of service. (CVE-2007-0493) Users of BIND are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Moderate Copyright 2007 Red Hat, Inc. CVE-2007-0493 CVE-2007-0494 CVE-2007-0493 BIND might crash after attempting to read free()-ed memory CVE-2007-0494 BIND dnssec denial of service cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 Samba provides file and printer sharing services to SMB/CIFS clients. A denial of service flaw was found in Samba's smbd daemon process. An authenticated user could send a specially crafted request which would cause a smbd child process to enter an infinite loop condition. By opening multiple CIFS sessions, an attacker could exhaust system resources. (CVE-2007-0452) Users of Samba should update to these packages, which contain a backported patch to correct this issue. Moderate Copyright 2007 Red Hat, Inc. CVE-2007-0452 CVE-2007-0452 Samba smbd denial of service cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Samba provides file and printer sharing services to SMB/CIFS clients. A denial of service flaw was found in Samba's smbd daemon process. An authenticated user could send a specially crafted request which would cause a smbd child process to enter an infinite loop condition. By opening multiple CIFS sessions, an attacker could exhaust system resources (CVE-2007-0452). Users of Samba should update to these packages, which contain a backported patch to correct this issue. Moderate Copyright 2007 Red Hat, Inc. CVE-2007-0452 CVE-2007-0452 Samba smbd denial of service cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 PostgreSQL is an advanced Object-Relational database management system (DBMS). A flaw was found in the way the PostgreSQL server handles certain SQL-language functions. An authenticated user could execute a sequence of commands which could crash the PostgreSQL server or possibly read from arbitrary memory locations. A user would need to have permissions to drop and add database tables to be able to exploit this issue (CVE-2007-0555). A denial of service flaw was found affecting the PostgreSQL server running on Red Hat Enterprise Linux 4 systems. An authenticated user could execute an SQL command which could crash the PostgreSQL server. (CVE-2006-5540) Users of PostgreSQL should upgrade to these updated packages containing PostgreSQL version 7.4.16 or 7.3.18, which correct these issues. Moderate Copyright 2007 Red Hat, Inc. CVE-2006-5540 CVE-2007-0555 CVE-2006-5540 New version fixes three different crash vulnerabilities CVE-2007-0555 PostgreSQL arbitrary memory read flaw cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The bluez-utils package contains Bluetooth daemons and utilities. A flaw was found in the Bluetooth HID daemon (hidd). A remote attacker would have been able to inject keyboard and mouse events via a Bluetooth connection without any authorization. (CVE-2006-6899) Note that Red Hat Enterprise Linux does not come with the Bluetooth HID daemon enabled by default. Users of bluez-utils are advised to upgrade to these updated packages, which contains a backported patch to correct this issue. Moderate Copyright 2007 Red Hat, Inc. CVE-2006-6899 CVE-2006-6899 Bluetooth HID key events injection flaw cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 5 Wireshark is a program for monitoring network traffic. Several denial of service bugs were found in Wireshark's LLT, IEEE 802.11, http, and tcp protocol dissectors. It was possible for Wireshark to crash or stop responding if it read a malformed packet off the network. (CVE-2007-0456, CVE-2007-0457, CVE-2007-0458, CVE-2007-0459) Users of Wireshark should upgrade to these updated packages containing Wireshark version 0.99.5, which is not vulnerable to these issues. Low Copyright 2008 Red Hat, Inc. CVE-2007-0456 CVE-2007-0457 CVE-2007-0458 CVE-2007-0459 CVE-2007-0456 Multiple Wireshark issues (CVE-2007-0457, CVE-2007-0458, CVE-2007-0459) CVE-2007-0456 Multiple Wireshark issues (CVE-2007-0457, CVE-2007-0458, CVE-2007-0459) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 PostgreSQL is an advanced Object-Relational database management system (DBMS). Two flaws were found in the way the PostgreSQL server handles certain SQL-language functions. An authenticated user could execute a sequence of commands which could crash the PostgreSQL server or possibly read from arbitrary memory locations. A user would need to have permissions to drop and add database tables to be able to exploit these issues (CVE-2007-0555, CVE-2007-0556). Several denial of service flaws were found in the PostgreSQL server. An authenticated user could execute certain SQL commands which could crash the PostgreSQL server (CVE-2006-5540, CVE-2006-5541, CVE-2006-5542). Users of PostgreSQL should upgrade to these updated packages containing PostgreSQL version 8.1.8 which corrects these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2006-5540 CVE-2006-5541 CVE-2006-5542 CVE-2007-0555 CVE-2007-0556 CVE-2006-5540 New version fixes three different crash vulnerabilities (CVE-2006-5541 CVE-2006-5542) CVE-2007-0555 PostgreSQL arbitrary memory read flaws (CVE-2007-0556) Attribute type error when updating varchar column cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 OpenOffice.org is an office productivity suite that includes desktop applications such as a word processor, spreadsheet, presentation manager, formula editor, and drawing program. John Heasman discovered a stack overflow in the StarCalc parser in OpenOffice. An attacker could create a carefully crafted StarCalc file that could cause OpenOffice.org to crash or possibly execute arbitrary code if the file was opened by a victim. (CVE-2007-0238) Flaws were discovered in the way OpenOffice.org handled hyperlinks. An attacker could create an OpenOffice.org document which could run commands if a victim opened the file and clicked on a malicious hyperlink. (CVE-2007-0239) All users of OpenOffice.org are advised to upgrade to these updated packages, which contain a backported fix to correct this issue. Important Copyright 2007 Red Hat, Inc. CVE-2007-0238 CVE-2007-0239 CVE-2007-0238 StarCalc overflow CVE-2007-0239 hyperlink escaping issue cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 SpamAssassin provides a way to reduce unsolicited commercial email (spam) from incoming email. A flaw was found in the way SpamAssassin processes HTML email containing URIs. A carefully crafted mail message could cause SpamAssassin to consume significant resources. If a number of these messages are sent, this could lead to a denial of service, potentially delaying or preventing the delivery of email. (CVE-2007-0451) Users of SpamAssassin should upgrade to these updated packages which contain version 3.1.8 which is not vulnerable to these issues. This is an upgrade from SpamAssassin version 3.0.6 to 3.1.8, which contains many bug fixes and spam detection enhancements. Further details are available in the SpamAssassin 3.1 changelog and upgrade guide. Important Copyright 2007 Red Hat, Inc. CVE-2007-0451 CVE-2007-0451 Spamassassin DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 SpamAssassin provides a way to reduce unsolicited commercial email (spam) from incoming email. A flaw was found in the way SpamAssassin processes HTML email containing URIs. A carefully crafted mail message could cause SpamAssassin to consume significant resources. If a number of these messages are sent, this could lead to a denial of service, potentially delaying or preventing the delivery of email. (CVE-2007-0451) Users of SpamAssassin should upgrade to these updated packages which contain version 3.1.8 which is not vulnerable to these issues. Important Copyright 2007 Red Hat, Inc. CVE-2007-0451 CVE-2007-0451 Spamassassin DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A number of buffer overflow flaws were found in the PHP session extension, the str_replace() function, and the imap_mail_compose() function. If very long strings under the control of an attacker are passed to the str_replace() function then an integer overflow could occur in memory allocation. If a script uses the imap_mail_compose() function to create a new MIME message based on an input body from an untrusted source, it could result in a heap overflow. An attacker who is able to access a PHP application affected by any these issues could trigger these flaws and possibly execute arbitrary code as the 'apache' user. (CVE-2007-0906) If unserializing untrusted data on 64-bit platforms, the zend_hash_init() function can be forced to enter an infinite loop, consuming CPU resources for a limited length of time, until the script timeout alarm aborts execution of the script. (CVE-2007-0988) If the wddx extension is used to import WDDX data from an untrusted source, certain WDDX input packets may allow a random portion of heap memory to be exposed. (CVE-2007-0908) If the odbc_result_all() function is used to display data from a database, and the contents of the database table are under the control of an attacker, a format string vulnerability is possible which could lead to the execution of arbitrary code. (CVE-2007-0909) A one byte memory read will always occur before the beginning of a buffer, which could be triggered for example by any use of the header() function in a script. However it is unlikely that this would have any effect. (CVE-2007-0907) Several flaws in PHP could allows attackers to "clobber" certain super-global variables via unspecified vectors. (CVE-2007-0910) Users of PHP should upgrade to these updated packages which contain backported patches to correct these issues. Red Hat would like to thank Stefan Esser for his help diagnosing these issues. Important Copyright 2008 Red Hat, Inc. CVE-2007-0906 CVE-2007-0907 CVE-2007-0908 CVE-2007-0909 CVE-2007-0910 CVE-2007-0988 CVE-2007-1380 CVE-2007-1701 CVE-2007-1825 CVE-2007-0906 PHP security issues (CVE-2007-0907, CVE-2007-0908, CVE-2007-0909, CVE-2007-0910, CVE-2007-0988) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 SeaMonkey is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. Several flaws were found in the way SeaMonkey processed certain malformed JavaScript code. A malicious web page could execute JavaScript code in such a way that may result in SeaMonkey crashing or executing arbitrary code as the user running SeaMonkey. (CVE-2007-0775, CVE-2007-0777) Several cross-site scripting (XSS) flaws were found in the way SeaMonkey processed certain malformed web pages. A malicious web page could display misleading information which may result in a user unknowingly divulging sensitive information such as a password. (CVE-2006-6077, CVE-2007-0995, CVE-2007-0996) A flaw was found in the way SeaMonkey cached web pages on the local disk. A malicious web page may be able to inject arbitrary HTML into a browsing session if the user reloads a targeted site. (CVE-2007-0778) A flaw was found in the way SeaMonkey displayed certain web content. A malicious web page could generate content which could overlay user interface elements such as the hostname and security indicators, tricking a user into thinking they are visiting a different site. (CVE-2007-0779) Two flaws were found in the way SeaMonkey displayed blocked popup windows. If a user can be convinced to open a blocked popup, it is possible to read arbitrary local files, or conduct an XSS attack against the user. (CVE-2007-0780, CVE-2007-0800) Two buffer overflow flaws were found in the Network Security Services (NSS) code for processing the SSLv2 protocol. Connecting to a malicious secure web server could cause the execution of arbitrary code as the user running SeaMonkey. (CVE-2007-0008, CVE-2007-0009) A flaw was found in the way SeaMonkey handled the "location.hostname" value during certain browser domain checks. This flaw could allow a malicious web site to set domain cookies for an arbitrary site, or possibly perform an XSS attack. (CVE-2007-0981) Users of SeaMonkey are advised to upgrade to these erratum packages, which contain SeaMonkey version 1.0.8 that corrects these issues. Critical Copyright 2008 Red Hat, Inc. CVE-2006-6077 CVE-2007-0008 CVE-2007-0009 CVE-2007-0775 CVE-2007-0777 CVE-2007-0778 CVE-2007-0779 CVE-2007-0780 CVE-2007-0800 CVE-2007-0981 CVE-2007-0994 CVE-2007-0995 CVE-2007-0996 CVE-2007-1092 CVE-2007-1282 mozilla-config points to the wrong places CVE-2007-0775 Multiple Seamonkey flaws (CVE-2007-0777, CVE-2007-0995, CVE-2007-0996, CVE-2006-6077, CVE-2007-0778, CVE-2007-0779, CVE-2007-0780, CVE-2007-0800, CVE-2007-0008, CVE-2007-0009, CVE-2007-0981) seamonkey-1.0.8-x (critical) update prevents evolution from starting seamonkey-1.0.8-x (critical) update prevents evolution from starting cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Mozilla Thunderbird is a standalone mail and newsgroup client. Several flaws were found in the way Thunderbird processed certain malformed JavaScript code. A malicious HTML mail message could execute JavaScript code in such a way that may result in Thunderbird crashing or executing arbitrary code as the user running Thunderbird. JavaScript support is disabled by default in Thunderbird; these issues are not exploitable unless the user has enabled JavaScript. (CVE-2007-0775, CVE-2007-0777, CVE-2007-1092) A flaw was found in the way Thunderbird processed text/enhanced and text/richtext formatted mail message. A specially crafted mail message could execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2007-1282) Several cross-site scripting (XSS) flaws were found in the way Thunderbird processed certain malformed HTML mail messages. A malicious HTML mail message could display misleading information which may result in a user unknowingly divulging sensitive information such as a password. (CVE-2006-6077, CVE-2007-0995, CVE-2007-0996) A flaw was found in the way Thunderbird cached web content on the local disk. A malicious HTML mail message may be able to inject arbitrary HTML into a browsing session if the user reloads a targeted site. (CVE-2007-0778) A flaw was found in the way Thunderbird displayed certain web content. A malicious HTML mail message could generate content which could overlay user interface elements such as the hostname and security indicators, tricking a user into thinking they are visiting a different site. (CVE-2007-0779) Two flaws were found in the way Thunderbird displayed blocked popup windows. If a user can be convinced to open a blocked popup, it is possible to read arbitrary local files, or conduct an XSS attack against the user. (CVE-2007-0780, CVE-2007-0800) Two buffer overflow flaws were found in the Network Security Services (NSS) code for processing the SSLv2 protocol. Connecting to a malicious secure web server could cause the execution of arbitrary code as the user running Thunderbird. (CVE-2007-0008, CVE-2007-0009) A flaw was found in the way Thunderbird handled the "location.hostname" value during certain browser domain checks. This flaw could allow a malicious HTML mail message to set domain cookies for an arbitrary site, or possibly perform an XSS attack. (CVE-2007-0981) Users of Thunderbird are advised to apply this update, which contains Thunderbird version 1.5.0.10 that corrects these issues. Critical Copyright 2007 Red Hat, Inc. CVE-2006-6077 CVE-2007-0008 CVE-2007-0009 CVE-2007-0775 CVE-2007-0777 CVE-2007-0778 CVE-2007-0779 CVE-2007-0780 CVE-2007-0800 CVE-2007-0981 CVE-2007-0995 CVE-2007-0996 CVE-2007-1092 CVE-2007-1282 [PATCH] Thunderbird's remote doesn't allow attachments Thunderbird startup script not updated for the add-on based locale CVE-2007-0775 Multiple Thunderbird flaws (CVE-2007-0777, CVE-2007-0995, CVE-2007-0996, CVE-2006-6077, CVE-2007-0778, CVE-2007-0779, CVE-2007-0780, CVE-2007-0800, CVE-2007-0008, CVE-2007-0009, CVE-2007-0981, CVE-2007-1092) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Mozilla Firefox is an open source Web browser. Several flaws were found in the way Firefox processed certain malformed JavaScript code. A malicious web page could execute JavaScript code in such a way that may result in Firefox crashing or executing arbitrary code as the user running Firefox. (CVE-2007-0775, CVE-2007-0777) Several cross-site scripting (XSS) flaws were found in the way Firefox processed certain malformed web pages. A malicious web page could display misleading information which may result in a user unknowingly divulging sensitive information such as a password. (CVE-2006-6077, CVE-2007-0995, CVE-2007-0996) A flaw was found in the way Firefox cached web pages on the local disk. A malicious web page may be able to inject arbitrary HTML into a browsing session if the user reloads a targeted site. (CVE-2007-0778) A flaw was found in the way Firefox displayed certain web content. A malicious web page could generate content which could overlay user interface elements such as the hostname and security indicators, tricking a user into thinking they are visiting a different site. (CVE-2007-0779) Two flaws were found in the way Firefox displayed blocked popup windows. If a user can be convinced to open a blocked popup, it is possible to read arbitrary local files, or conduct an XSS attack against the user. (CVE-2007-0780, CVE-2007-0800) Two buffer overflow flaws were found in the Network Security Services (NSS) code for processing the SSLv2 protocol. Connecting to a malicious secure web server could cause the execution of arbitrary code as the user running Firefox. (CVE-2007-0008, CVE-2007-0009) A flaw was found in the way Firefox handled the "location.hostname" value during certain browser domain checks. This flaw could allow a malicious web site to set domain cookies for an arbitrary site, or possibly perform an XSS attack. (CVE-2007-0981) Users of Firefox are advised to upgrade to these erratum packages, which contain Firefox version 1.5.0.10 that corrects these issues. Critical Copyright 2007 Red Hat, Inc. CVE-2006-6077 CVE-2007-0008 CVE-2007-0009 CVE-2007-0775 CVE-2007-0777 CVE-2007-0778 CVE-2007-0779 CVE-2007-0780 CVE-2007-0800 CVE-2007-0981 CVE-2007-0994 CVE-2007-0995 CVE-2007-0996 CVE-2007-1092 Firefox 1.5.0.5 startup script not updated for the add-on based locale CVE-2007-0775 Multiple Firefox flaws (CVE-2007-0777, CVE-2007-0995, CVE-2007-0996, CVE-2006-6077, CVE-2007-0778, CVE-2007-0779, CVE-2007-0780, CVE-2007-0800, CVE-2007-0008, CVE-2007-0009, CVE-2007-0981) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A number of buffer overflow flaws were found in the PHP session extension; the str_replace() function; and the imap_mail_compose() function. If very long strings were passed to the str_replace() function, an integer overflow could occur in memory allocation. If a script used the imap_mail_compose() function to create a new MIME message based on an input body from an untrusted source, it could result in a heap overflow. An attacker with access to a PHP application affected by any these issues could trigger the flaws and possibly execute arbitrary code as the 'apache' user. (CVE-2007-0906) When unserializing untrusted data on 64-bit platforms, the zend_hash_init() function could be forced into an infinite loop, consuming CPU resources for a limited time, until the script timeout alarm aborted execution of the script. (CVE-2007-0988) If the wddx extension was used to import WDDX data from an untrusted source, certain WDDX input packets could expose a random portion of heap memory. (CVE-2007-0908) If the odbc_result_all() function was used to display data from a database, and the database table contents were under an attacker's control, a format string vulnerability was possible which could allow arbitrary code execution. (CVE-2007-0909) A one byte memory read always occurs before the beginning of a buffer. This could be triggered, for example, by any use of the header() function in a script. However it is unlikely that this would have any effect. (CVE-2007-0907) Several flaws in PHP could allow attackers to "clobber" certain super-global variables via unspecified vectors. (CVE-2007-0910) An input validation bug allowed a remote attacker to trigger a denial of service attack by submitting an input variable with a deeply-nested-array. (CVE-2007-1285) Users of PHP should upgrade to these updated packages which contain backported patches to correct these issues. Important Copyright 2008 Red Hat, Inc. CVE-2007-0906 CVE-2007-0907 CVE-2007-0908 CVE-2007-0909 CVE-2007-0988 CVE-2007-0910 CVE-2007-1285 CVE-2007-1380 CVE-2007-1701 CVE-2007-1825 CVE-2007-0906 PHP security issues (CVE-2007-0907, CVE-2007-0908, CVE-2007-0909, CVE-2007-0910, CVE-2007-0988) CVE-2007-1285 PHP Variable Destructor Deep Recursion Stack Overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for two security issues: * a flaw in the key serial number collision avoidance algorithm of the keyctl subsystem that allowed a local user to cause a denial of service (CVE-2007-0006, Important) * a flaw in the file watch implementation of the audit subsystems that allowed a local user to cause a denial of service (panic). To exploit this flaw a privileged user must have previously created a watch for a file (CVE-2007-0001, Moderate) In addition to the security issues described above, a fix for the SCTP subsystem to address a system crash which may be experienced in Telco environments has been included. Red Hat Enterprise Linux 4 users are advised to upgrade their kernels to the packages associated with their machine architecture and configurations as listed in this erratum. Important Copyright 2007 Red Hat, Inc. CVE-2007-0001 CVE-2007-0006 CVE-2007-0001 kernel panic watching /etc/passwd kernel panic in sctp module CVE-2007-0006 Key serial number collision problem cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 GnomeMeeting is a tool to communicate with video and audio over the Internet. A format string flaw was found in the way GnomeMeeting processes certain messages. If a user is running GnomeMeeting, a remote attacker who can connect to GnomeMeeting could trigger this flaw and potentially execute arbitrary code with the privileges of the user. (CVE-2007-1007) Users of GnomeMeeting should upgrade to these updated packages which contain a backported patch to correct this issue. Critical Copyright 2007 Red Hat, Inc. CVE-2007-1007 CVE-2007-1007 gnomemeeting format string flaw cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Ekiga is a tool to communicate with video and audio over the Internet. Format string flaws were found in the way Ekiga processes certain messages. If a user is running Ekiga, a remote attacker who can connect to Ekiga could trigger this flaw and potentially execute arbitrary code with the privileges of the user. (CVE-2007-0999, CVE-2007-1006) Users of Ekiga should upgrade to these updated packages which contain a backported patch to correct this issue. Critical Copyright 2008 Red Hat, Inc. CVE-2007-0999 CVE-2007-1006 CVE-2007-0999 Ekiga format string flaw (CVE-2007-1006) cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 3 Kerberos is a network authentication system which allows clients and servers to authenticate to each other through use of symmetric encryption and a trusted third party, the KDC. A flaw was found in the username handling of the MIT krb5 telnet daemon (telnetd). A remote attacker who can access the telnet port of a target machine could log in as root without requiring a password. (CVE-2007-0956) Note that the krb5 telnet daemon is not enabled by default in any version of Red Hat Enterprise Linux. In addition, the default firewall rules block remote access to the telnet port. This flaw does not affect the telnet daemon distributed in the telnet-server package. For users who have enabled the krb5 telnet daemon and have it accessible remotely, this update should be applied immediately. Whilst we are not aware at this time that the flaw is being actively exploited, we have confirmed that the flaw is very easily exploitable. This update also fixes two additional security issues: Buffer overflows were found which affect the Kerberos KDC and the kadmin server daemon. A remote attacker who can access the KDC could exploit this bug to run arbitrary code with the privileges of the KDC or kadmin server processes. (CVE-2007-0957) A double-free flaw was found in the GSSAPI library used by the kadmin server daemon. Red Hat Enterprise Linux 4 and 5 contain checks within glibc that detect double-free flaws. Therefore, on Red Hat Enterprise Linux 4 and 5 successful exploitation of this issue can only lead to a denial of service. Applications which use this library in earlier releases of Red Hat Enterprise Linux may also be affected. (CVE-2007-1216) All users are advised to update to these erratum packages which contain a backported fix to correct these issues. Red Hat would like to thank MIT and iDefense for reporting these vulnerabilities. Critical Copyright 2008 Red Hat, Inc. CVE-2007-0956 CVE-2007-0957 CVE-2007-1216 CVE-2007-0956 Unauthorized access via krb5-telnet daemon CVE-2007-0957 krb5_klog_syslog() stack buffer overflow CVE-2007-1216 krb5 double free flaw cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Mozilla Firefox is an open source Web browser. Flaws were found in the way Firefox executed malformed JavaScript code. A malicious web page could cause Firefox to crash or allow arbitrary code to be executed as the user running Firefox. (CVE-2007-0775, CVE-2007-0777) Cross-site scripting (XSS) flaws were found in Firefox. A malicious web page could display misleading information, allowing a user to unknowingly divulge sensitive information, such as a password. (CVE-2006-6077, CVE-2007-0995, CVE-2007-0996) A flaw was found in the way Firefox processed JavaScript contained in certain tags. A malicious web page could cause Firefox to execute JavaScript code with the privileges of the user running Firefox. (CVE-2007-0994) A flaw was found in the way Firefox cached web pages on the local disk. A malicious web page may have been able to inject arbitrary HTML into a browsing session if the user reloaded a targeted site. (CVE-2007-0778) Certain web content could overlay Firefox user interface elements such as the hostname and security indicators. A malicious web page could trick a user into thinking they were visiting a different site. (CVE-2007-0779) Two flaws were found in Firefox's displaying of blocked popup windows. If a user could be convinced to open a blocked popup, it was possible to read arbitrary local files, or conduct a cross-site scripting attack against the user. (CVE-2007-0780, CVE-2007-0800) Two buffer overflow flaws were found in the Network Security Services (NSS) code for processing the SSLv2 protocol. Connecting to a malicious secure web server could cause the execution of arbitrary code as the user running Firefox. (CVE-2007-0008, CVE-2007-0009) A flaw was found in the way Firefox handled the "location.hostname" value. A malicious web page could set domain cookies for an arbitrary site, or possibly perform a cross-site scripting attack. (CVE-2007-0981) Users of Firefox are advised to upgrade to this erratum package, containing Firefox version 1.5.0.10 which is not vulnerable to these issues. Critical Copyright 2008 Red Hat, Inc. CVE-2006-6077 CVE-2007-0008 CVE-2007-0009 CVE-2007-0775 CVE-2007-0777 CVE-2007-0778 CVE-2007-0779 CVE-2007-0780 CVE-2007-0800 CVE-2007-0981 CVE-2007-0994 CVE-2007-0995 CVE-2007-0996 CVE-2007-0775 Multiple Firefox flaws (CVE-2007-0777, CVE-2007-0994, CVE-2007-0995, CVE-2007-0996, CVE-2006-6077, CVE-2007-0778, CVE-2007-0779, CVE-2007-0780, CVE-2007-0800, CVE-2007-0008, CVE-2007-0009, CVE-2007-0981) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the following security issues: * a flaw in the key serial number collision avoidance algorithm of the keyctl subsystem that allowed a local user to cause a denial of service (CVE-2007-0006, Important) * a flaw in the Omnikey CardMan 4040 driver that allowed a local user to execute arbitrary code with kernel privileges. In order to exploit this issue, the Omnikey CardMan 4040 PCMCIA card must be present and the local user must have access rights to the character device created by the driver. (CVE-2007-0005, Moderate) * a flaw in the core-dump handling that allowed a local user to create core dumps from unreadable binaries via PT_INTERP. (CVE-2007-0958, Low) In addition to the security issues described above, a fix for a kernel panic in the powernow-k8 module, and a fix for a kernel panic when booting the Xen domain-0 on system with large memory installations have been included. Red Hat would like to thank Daniel Roethlisberger for reporting an issue fixed in this erratum. Red Hat Enterprise Linux 5 users are advised to upgrade their kernels to the packages associated with their machine architecture and configurations as listed in this erratum. Important Copyright 2007 Red Hat, Inc. CVE-2007-0005 CVE-2007-0006 CVE-2007-0958 CVE-2007-0006 Key serial number collision problem CVE-2007-0005 Buffer Overflow in Omnikey CardMan 4040 cmx driver CVE-2007-0958 core-dumping unreadable binaries via PT_INTERP cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 GnuPG is a utility for encrypting data and creating digital signatures. Gerardo Richarte discovered that a number of applications that make use of GnuPG are prone to a vulnerability involving incorrect verification of signatures and encryption. An attacker could add arbitrary content to a signed message in such a way that a receiver of the message would not be able to distinguish between the properly signed parts of a message and the forged, unsigned, parts. (CVE-2007-1263) Whilst this is not a vulnerability in GnuPG itself, the GnuPG team have produced a patch to protect against messages with multiple plaintext packets. Users should update to these erratum packages which contain the backported patch for this issue. Red Hat would like to thank Core Security Technologies for reporting this issue. Important Copyright 2007 Red Hat, Inc. CVE-2007-1263 CVE-2007-1263 gnupg signed message spoofing cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 GnuPG is a utility for encrypting data and creating digital signatures. Gerardo Richarte discovered that a number of applications that make use of GnuPG are prone to a vulnerability involving incorrect verification of signatures and encryption. An attacker could add arbitrary content to a signed message in such a way that a receiver of the message would not be able to distinguish between the properly signed parts of a message and the forged, unsigned, parts. (CVE-2007-1263) Whilst this is not a vulnerability in GnuPG itself, the GnuPG team have produced a patch to protect against messages with multiple plaintext packets. Users should update to these erratum packages which contain the backported patch for this issue. Red Hat would like to thank Core Security Technologies for reporting this issue. Important Copyright 2007 Red Hat, Inc. CVE-2007-1263 CVE-2007-1263 gnupg signed message spoofing cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Mozilla Thunderbird is a standalone mail and newsgroup client. Several flaws were found in the way Thunderbird processed certain malformed JavaScript code. A malicious HTML mail message could execute JavaScript code in such a way that may result in Thunderbird crashing or executing arbitrary code as the user running Thunderbird. JavaScript support is disabled by default in Thunderbird; these issues are not exploitable unless the user has enabled JavaScript. (CVE-2007-0775, CVE-2007-0777) Several cross-site scripting (XSS) flaws were found in the way Thunderbird processed certain malformed HTML mail messages. A malicious HTML mail message could display misleading information which may result in a user unknowingly divulging sensitive information such as a password. (CVE-2006-6077, CVE-2007-0995, CVE-2007-0996) A flaw was found in the way Thunderbird processed text/enhanced and text/richtext formatted mail message. A specially crafted mail message could execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2007-1282) A flaw was found in the way Thunderbird cached web content on the local disk. A malicious HTML mail message may be able to inject arbitrary HTML into a browsing session if the user reloads a targeted site. (CVE-2007-0778) A flaw was found in the way Thunderbird displayed certain web content. A malicious HTML mail message could generate content which could overlay user interface elements such as the hostname and security indicators, tricking a user into thinking they are visiting a different site. (CVE-2007-0779) Two flaws were found in the way Thunderbird displayed blocked popup windows. If a user can be convinced to open a blocked popup, it is possible to read arbitrary local files, or conduct an XSS attack against the user. (CVE-2007-0780, CVE-2007-0800) Two buffer overflow flaws were found in the Network Security Services (NSS) code for processing the SSLv2 protocol. Connecting to a malicious secure web server could cause the execution of arbitrary code as the user running Thunderbird. (CVE-2007-0008, CVE-2007-0009) A flaw was found in the way Thunderbird handled the "location.hostname" value during certain browser domain checks. This flaw could allow a malicious HTML mail message to set domain cookies for an arbitrary site, or possibly perform an XSS attack. (CVE-2007-0981) Users of Thunderbird are advised to apply this update, which contains Thunderbird version 1.5.0.10 that corrects these issues. Critical Copyright 2007 Red Hat, Inc. CVE-2006-6077 CVE-2007-0008 CVE-2007-0009 CVE-2007-0775 CVE-2007-0777 CVE-2007-0778 CVE-2007-0779 CVE-2007-0780 CVE-2007-0800 CVE-2007-0981 CVE-2007-0995 CVE-2007-0996 CVE-2007-1282 CVE-2007-0775 Multiple Thunderbird flaws (CVE-2007-0777, CVE-2007-0995, CVE-2007-0996, CVE-2006-6077, CVE-2007-0778, CVE-2007-0779, CVE-2007-0780, CVE-2007-0800, CVE-2007-0008, CVE-2007-0009, CVE-2007-0981, CVE-2007-1282) cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The Xen package contains the tools for managing the virtual machine monitor in Red Hat Enterprise Linux virtualization. A flaw was found affecting the VNC server code in QEMU. On a fullyvirtualized guest VM, where qemu monitor mode is enabled, a user who had access to the VNC server could gain the ability to read arbitrary files as root in the host filesystem. (CVE-2007-0998) In addition to disabling qemu monitor mode, the following bugs were also fixed: * Fix IA64 fully virtualized (VTi) shadow page table mode initialization. * Fix network bonding in balanced-rr mode. Without this update, a network path loss could result in packet loss. Users of Xen should update to these erratum packages containing backported patches which correct these issues. Important Copyright 2008 Red Hat, Inc. CVE-2007-0998 CVE-2007-0998 HVM guest VNC server allows compromise of entire host OS by any VNC console user cpe:/a:redhat:rhel_virtualization cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX(R) operating systems. A bug was found in the way CUPS handled SSL negotiation. A remote user capable of connecting to the CUPS daemon could cause a denial of service to other CUPS users. (CVE-2007-0720) All users of CUPS should upgrade to these updated packages, which contain a backported patch introducing a timeout, which prevents connections being kept open for an arbitrarily long time. Moderate Copyright 2008 Red Hat, Inc. CVE-2007-0720 CVE-2007-0720 Incomplete SSL negotiation prevents other clients from connecting to CUPS server cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The file command is used to identify a particular file according to the type of data contained by the file. An integer underflow flaw was found in the file utility. An attacker could create a carefully crafted file which, if examined by a victim using the file utility, could lead to arbitrary code execution. (CVE-2007-1536) This issue did not affect the version of the file utility distributed with Red Hat Enterprise Linux 2.1 or 3. Users should upgrade to this erratum package, which contain a backported patch to correct this issue. Moderate Copyright 2007 Red Hat, Inc. CVE-2007-1536 CVE-2007-1536 file 4.20 fixes a heap overflow in that can result in arbitrary code execution CVE-2007-1536 file 4.20 fixes a heap overflow in that can result in arbitrary code execution cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 XFree86 is an implementation of the X Window System, which provides the core functionality for the Linux graphical desktop. iDefense reported an integer overflow flaw in the XFree86 XC-MISC extension. A malicious authorized client could exploit this issue to cause a denial of service (crash) or potentially execute arbitrary code with root privileges on the XFree86 server. (CVE-2007-1003) iDefense reported two integer overflows in the way X.org handled various font files. A malicious local user could exploit these issues to potentially execute arbitrary code with the privileges of the X.org server. (CVE-2007-1351, CVE-2007-1352) An integer overflow flaw was found in the XFree86 XGetPixel() function. Improper use of this function could cause an application calling it to function improperly, possibly leading to a crash or arbitrary code execution. (CVE-2007-1667) Users of XFree86 should upgrade to these updated packages, which contain a backported patch and is not vulnerable to this issue. Important Copyright 2008 Red Hat, Inc. CVE-2007-1003 CVE-2007-1667 CVE-2007-1351 CVE-2007-1352 CVE-2007-1667 XGetPixel() integer overflow CVE-2007-1003 xserver XC-MISC integer overflow CVE-2007-1351 Multiple font integer overflows (CVE-2007-1352) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 X.org is an open source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon. iDefense reported an integer overflow flaw in the X.org XC-MISC extension. A malicious authorized client could exploit this issue to cause a denial of service (crash) or potentially execute arbitrary code with the privileges of the X.org server. (CVE-2007-1003) iDefense reported two integer overflows in the way X.org handled various font files. A malicious local user could exploit these issues to potentially execute arbitrary code with the privileges of the X.org server. (CVE-2007-1351, CVE-2007-1352) An integer overflow flaw was found in the X.org XGetPixel() function. Improper use of this function could cause an application calling it to function improperly, possibly leading to a crash or arbitrary code execution. (CVE-2007-1667) Users of X.org should upgrade to these updated packages, which contain a backported patch and are not vulnerable to these issues. Important Copyright 2008 Red Hat, Inc. CVE-2007-1003 CVE-2007-1351 CVE-2007-1352 CVE-2007-1667 CVE-2007-1667 XGetPixel() integer overflow CVE-2007-1003 xserver XC-MISC integer overflow CVE-2007-1351 Multiple font integer overflows (CVE-2007-1352) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 X.org is an open source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon. iDefense reported an integer overflow flaw in the X.org X11 server XC-MISC extension. A malicious authorized client could exploit this issue to cause a denial of service (crash) or potentially execute arbitrary code with root privileges on the X.org server. (CVE-2007-1003) Users of the X.org X11 server should upgrade to these updated packages, which contain a backported patch and is not vulnerable to this issue. Important Copyright 2007 Red Hat, Inc. CVE-2007-1003 CVE-2007-1003 xserver XC-MISC integer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Squid is a high-performance proxy caching server for Web clients, supporting FTP, gopher, and HTTP data objects. A denial of service flaw was found in the way Squid processed the TRACE request method. It was possible for an attacker behind the Squid proxy to issue a malformed TRACE request, crashing the Squid daemon child process. As long as these requests were sent, it would prevent legitimate usage of the proxy server. (CVE-2007-1560) This flaw does not affect the version of Squid shipped in Red Hat Enterprise Linux 2.1, 3, or 4. Users of Squid should upgrade to this updated package, which contains a backported patch and is not vulnerable to this issue. Moderate Copyright 2007 Red Hat, Inc. CVE-2007-1560 CVE-2007-1560 Squid TRACE DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 X.org is an open source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon. iDefense reported two integer overflows in the way X.org handled various font files. A malicious local user could exploit these issues to potentially execute arbitrary code with the privileges of the X.org server. (CVE-2007-1351, CVE-2007-1352) Users of X.org libXfont should upgrade to these updated packages, which contain a backported patch and are not vulnerable to this issue. Important Copyright 2007 Red Hat, Inc. CVE-2007-1351 CVE-2007-1352 CVE-2007-1351 Multiple font integer overflows (CVE-2007-1352) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 3 FreeType is a free, high-quality, portable font engine. An integer overflow flaw was found in the way the FreeType font engine processed BDF font files. If a user loaded a carefully crafted font file with a program linked against FreeType, it could cause the application to crash or execute arbitrary code. While it is uncommon for a user to explicitly load a font file, there are several application file formats which contain embedded fonts that are parsed by FreeType. (CVE-2007-1351) This flaw did not affect the version of FreeType shipped in Red Hat Enterprise Linux 2.1. Users of FreeType should upgrade to these updated packages, which contain a backported patch to correct this issue. Red Hat would like to thank iDefense for reporting this issue. Moderate Copyright 2007 Red Hat, Inc. CVE-2007-1351 CVE-2007-1351 BDF font integer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 MySQL is a multi-user, multi-threaded SQL database server. MySQL is a client/server implementation consisting of a server daemon (mysqld) and many different client programs and libraries. A flaw was found in the way MySQL handled case sensitive database names. A user with the ability to create databases could gain unauthorized access to other databases hosted by the MySQL server. (CVE-2006-4226) This flaw does not affect the version of MySQL distributed with Red Hat Enterprise Linux 2.1, 3, or 5. All users of the MySQL server are advised to upgrade to these updated packages, which contain a backported patch which fixes this issue. Moderate Copyright 2007 Red Hat, Inc. CVE-2006-4226 CVE-2006-4226 mysql-server create database privilege escalation cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A flaw was found in the way the mbstring extension set global variables. A script which used the mb_parse_str() function to set global variables could be forced to enable the register_globals configuration option, possibly resulting in global variable injection. (CVE-2007-1583) A heap based buffer overflow flaw was discovered in PHP's gd extension. A script that could be forced to process WBMP images from an untrusted source could result in arbitrary code execution. (CVE-2007-1001) A buffer over-read flaw was discovered in PHP's gd extension. A script that could be forced to write arbitrary string using a JIS font from an untrusted source could cause the PHP interpreter to crash. (CVE-2007-0455) A flaw was discovered in the way PHP's mail() function processed header data. If a script sent mail using a Subject header containing a string from an untrusted source, a remote attacker could send bulk e-mail to unintended recipients. (CVE-2007-1718) Users of PHP should upgrade to these updated packages which contain backported patches to correct these issues. Moderate Copyright 2007 Red Hat, Inc. CVE-2007-0455 CVE-2007-1001 CVE-2007-1718 CVE-2007-1583 CVE-2007-1583 mbstring register_globals activation and mail() header injection (CVE-2007-1718) CVE-2007-1001 gd flaws in wbmp, JIS font handling (CVE-2007-0455) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A denial of service flaw was found in the way PHP processed a deeply nested array. A remote attacker could cause the PHP interpreter to crash by submitting an input variable with a deeply nested array. (CVE-2007-1285) A flaw was found in the way PHP's unserialize() function processed data. If a remote attacker was able to pass arbitrary data to PHP's unserialize() function, they could possibly execute arbitrary code as the apache user. (CVE-2007-1286) A flaw was found in the way the mbstring extension set global variables. A script which used the mb_parse_str() function to set global variables could be forced to enable the register_globals configuration option, possibly resulting in global variable injection. (CVE-2007-1583) A double free flaw was found in PHP's session_decode() function. If a remote attacker was able to pass arbitrary data to PHP's session_decode() function, they could possibly execute arbitrary code as the apache user. (CVE-2007-1711) A flaw was discovered in the way PHP's mail() function processed header data. If a script sent mail using a Subject header containing a string from an untrusted source, a remote attacker could send bulk e-mail to unintended recipients. (CVE-2007-1718) A heap based buffer overflow flaw was discovered in PHP's gd extension. A script that could be forced to process WBMP images from an untrusted source could result in arbitrary code execution. (CVE-2007-1001) A buffer over-read flaw was discovered in PHP's gd extension. A script that could be forced to write arbitrary string using a JIS font from an untrusted source could cause the PHP interpreter to crash. (CVE-2007-0455) Users of PHP should upgrade to these updated packages which contain backported patches to correct these issues. Important Copyright 2007 Red Hat, Inc. CVE-2007-1285 CVE-2007-1286 CVE-2007-1583 CVE-2007-1711 CVE-2007-1718 CVE-2007-0455 CVE-2007-1001 CVE-2007-1285 "Month of PHP Bugs" security issues (CVE-2007-1286 CVE-2007-1583 CVE-2007-1711 CVE-2007-1718) CVE-2007-1001 gd php flaws (CVE-2007-0455) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 X.org is an open source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon. An integer overflow flaw was found in the X.org XGetPixel() function. Improper use of this function could cause an application calling it to function improperly, possibly leading to a crash or arbitrary code execution. (CVE-2007-1667) Users of the X.org X11 server should upgrade to these updated packages, which contain a backported patch and are not vulnerable to this issue. Moderate Copyright 2007 Red Hat, Inc. CVE-2007-1667 CVE-2007-1667 XGetPixel() integer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Evolution is the GNOME collection of personal information management (PIM) tools. A format string bug was found in the way Evolution parsed the category field in a memo. If a user tried to save and then view a carefully crafted memo, arbitrary code may be executed as the user running Evolution. (CVE-2007-1002) This flaw did not affect the versions of Evolution shipped with Red Hat Enterprise Linux 2.1, 3, or 4. All users of Evolution should upgrade to these updated packages, which contain a backported patch which resolves this issue. Red Hat would like to thank Ulf Härnhammar of Secunia Research for reporting this issue. Moderate Copyright 2007 Red Hat, Inc. CVE-2007-1002 CVE-2007-1002 evolution format string flaw cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 IBM's 1.4.2 SR8 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. A flaw in GIF image handling was found in the SUN Java Runtime Environment that has now been reported as also affecting IBM Java 2. An untrusted applet or application could use this flaw to elevate its privileges and potentially execute arbitrary code. (CVE-2007-0243) All users of java-1.4.2-ibm should upgrade to these updated packages, which contain IBM's 1.4.2 SR8 Java release which resolves this issue. Critical Copyright 2007 Red Hat, Inc. CVE-2007-0243 CVE-2007-0243 GIF buffer overflow CVE-2007-0243 GIF buffer overflow CVE-2007-0243 GIF buffer overflow cpe:/a:redhat:rhel_extras Supplementary for Red Hat Enterprise Linux 5 IBM's 1.5.0 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. A flaw in GIF image handling was found in the SUN Java Runtime Environment that has now been reported as also affecting IBM Java 2. An untrusted applet or application could use this flaw to elevate its privileges and potentially execute arbitrary code. (CVE-2007-0243) This update also resolves the following issues: * The java-1.5.0-ibm-plugin sub-package conflicted with the new java-1.5.0-sun-plugin sub-package. * The java-1.5.0-ibm-plugin package had incorrect dependencies. The java-1.5.0-ibm-alsa package has been merged into the java-1.5.0-ibm package to resolve this issue. All users of java-ibm-1.5.0 should upgrade to these packages, which contain IBM's 1.5.0 SR4 Java release which resolves these issues. Critical Copyright 2008 Red Hat, Inc. CVE-2007-0243 CVE-2007-0243 GIF buffer overflow CVE-2007-0243 GIF buffer overflow Installation of all Extras packages generates package conflict plugin does not initialize cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 5 The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the following security issues: * a flaw in the IPv6 socket option handling that allowed a local user to read arbitrary kernel memory (CVE-2007-1000, Important). * a flaw in the IPv6 socket option handling that allowed a local user to cause a denial of service (CVE-2007-1388, Important). * a flaw in the utrace support that allowed a local user to cause a denial of service (CVE-2007-0771, Important). In addition to the security issues described above, a fix for a memory leak in the audit subsystem and a fix for a data corruption bug on s390 systems have been included. Red Hat Enterprise Linux 5 users are advised to upgrade to these erratum packages, which are not vulnerable to these issues. Important Copyright 2007 Red Hat, Inc. CVE-2007-0771 CVE-2007-1000 CVE-2007-1388 CVE-2007-0771 utrace regression / denial of service CVE-2007-1388 NULL pointer dereference in do_ipv6_setsockopt CVE-2007-1000 NULL pointer hole in ipv6 Kernel memory leak in audit subsystem cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The unzip utility is used to list, test, or extract files from a zip archive. A race condition was found in Unzip. Local users could use this flaw to modify permissions of arbitrary files via a hard link attack on a file while it was being decompressed (CVE-2005-2475) A buffer overflow was found in Unzip command line argument handling. If a user could be tricked into running Unzip with a specially crafted long file name, an attacker could execute arbitrary code with that user's privileges. (CVE-2005-4667) As well, this update adds support for files larger than 2GB. All users of unzip should upgrade to these updated packages, which contain backported patches that resolve these issues. Low Copyright 2008 Red Hat, Inc. CVE-2005-2475 CVE-2005-4667 CVE-2005-2475 TOCTOU issue in unzip CVE-2005-4667 unzip long filename buffer overflow unzip has not been compiled with large file support and cannot unzip files > 2G unzip-5.51-8 leaves files as read-only (400) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 w3c-libwww is a general-purpose web library. Several buffer overflow flaws in w3c-libwww were found. If a client application that uses w3c-libwww connected to a malicious HTTP server, it could trigger an out of bounds memory access, causing the client application to crash (CVE-2005-3183). This updated version of w3c-libwww also fixes an issue when computing MD5 sums on a 64 bit machine. Users of w3c-libwww should upgrade to these updated packages, which contain backported patches to correct these issues. Low Copyright 2007 Red Hat, Inc. CVE-2005-3183 /usr/lib64/libmd5.so is broken. CVE-2005-3183 Multiple bugs in libwww - one exploitable - in Library/src/HTBound.c cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The gcc packages include C, C++, Java, Fortran 77, Objective C, and Ada 95 GNU compilers and related support libraries. Jürgen Weigert discovered a directory traversal flaw in fastjar. An attacker could create a malicious JAR file which, if unpacked using fastjar, could write to any files the victim had write access to. (CVE-2006-3619) These updated packages also fix several bugs, including: * two debug information generator bugs * two internal compiler errors In addition to this, protoize.1 and unprotoize.1 manual pages have been added to the package and __cxa_get_exception_ptr@@CXXABI_1.3.1 symbol has been added into libstdc++.so.6. For full details regarding all fixed bugs, refer to the package changelog as well as the specified list of bug reports from bugzilla. All users of gcc should upgrade to these updated packages, which contain backported patches to resolve these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2006-3619 CVE-2006-3619 Directory traversal issue in fastjar ICE related to std::vector<std::vector<...> > > g++: internal compiler error: Segmentation fault cannot rebuild gcc when build_java is 0 gcc-3.4.6-3 didn't produce correct debug_line info for some kernel functions g++ compile runs forever on test file with optimization and debug info cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 GDB, the GNU debugger, allows debugging of programs written in C, C++, and other languages by executing them in a controlled fashion and then printing their data. Various buffer overflows and underflows were found in the DWARF expression computation stack in GDB. If a user loaded an executable containing malicious debugging information into GDB, an attacker might be able to execute arbitrary code with the privileges of the user. (CVE-2006-4146) This updated package also addresses the following issues: * Fixed bogus 0x0 unwind of the thread's topmost function clone(3). * Fixed deadlock accessing invalid address; for corrupted backtraces. * Fixed a race which occasionally left the detached processes stopped. * Fixed 'gcore' command for 32bit debugged processes on 64bit hosts. * Added support for TLS 'errno' for threaded programs missing its '-debuginfo' package.. * Suggest TLS 'errno' resolving by hand if no threading was found.. * Added a fix to prevent stepping into asynchronously invoked signal handlers. * Added a fix to avoid false warning on shared objects bfd close on Itanium. * Fixed segmentation fault on the source display by ^X 1. * Fixed object names keyboard completion. * Added a fix to avoid crash of 'info threads' if stale threads exist. * Fixed a bug where shared libraries occasionally failed to load . * Fixed handling of exec() called by a threaded debugged program. * Fixed rebuilding requirements of the gdb package itself on multilib systems. * Fixed source directory pathname detection for the edit command. All users of gdb should upgrade to this updated package, which contains backported patches to resolve these issues. Low Copyright 2008 Red Hat, Inc. CVE-2006-4146 p errno does not work when stopped at a breakpoint Buffer overrun in add_minsym_members info threads crashes if zombie threads exist print call foo where foo is in library SEGV Cannot find user-level thread for LWP 4256: generic error CVE-2006-4146 GDB buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The util-linux package contains a collection of basic system utilities. A flaw was found in the way the login process handled logins which did not require authentication. Certain processes which conduct their own authentication could allow a remote user to bypass intended access policies which would normally be enforced by the login process. (CVE-2006-7108) This update also fixes the following bugs: * The partx, addpart and delpart commands were not documented. * The "umount -l" command did not work on hung NFS mounts with cached data. * The mount command did not mount NFS V3 share where sec=none was specified. * The mount command did not read filesystem LABEL from unpartitioned disks. * The mount command did not recognize labels on VFAT filesystems. * The fdisk command did not support 4096 sector size for the "-b" option. * The mount man page did not list option "mand" or information about /etc/mtab limitations. All users of util-linux should upgrade to these updated packages, which contain backported patches to correct these issues. Low Copyright 2008 Red Hat, Inc. CVE-2006-7108 umount -l should work on hung NFS mounts with cached data CVE-2006-7108 login omits pam_acct_mgmt & pam_chauthtok when authentication is skipped. Unable to mount NFS V3 share where sec=none is specified can't mount iscsi ext3 fs by label. man mount' does not list option 'mand' cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Busybox is a single binary which includes versions of a large number of system commands, including a shell. This package can be useful for recovering from certain types of system failures. BusyBox did not use a salt when generating passwords. This made it easier for local users to guess passwords from a stolen password file. (CVE-2006-1058) All users of busybox are advised to upgrade to these updated packages, which contain a patch to resolve this issue. Low Copyright 2008 Red Hat, Inc. CVE-2006-1058 CVE-2006-1058 BusyBox passwd command fails to generate password with salt cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 GNU cpio copies files into or out of a cpio or tar archive. A buffer overflow was found in cpio on 64-bit platforms. By tricking a user into adding a specially crafted large file to a cpio archive, a local attacker may be able to exploit this flaw to execute arbitrary code with the target user's privileges. (CVE-2005-4268) This erratum also addresses the following bugs: * cpio did not set exit codes appropriately. * cpio did not create a ram disk properly. All users of cpio are advised to upgrade to this updated package, which contains backported fixes to correct these issues. Low Copyright 2008 Red Hat, Inc. CVE-2005-4268 CVE-2005-4268 cpio large filesize buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Sendmail is a very widely used Mail Transport Agent (MTA). MTAs deliver mail from one machine to another. Sendmail is not a client program, but rather a behind-the-scenes daemon that moves email over networks or the Internet to its final destination. The configuration of Sendmail on Red Hat Enterprise Linux was found to not reject the "localhost.localdomain" domain name for e-mail messages that came from external hosts. This could have allowed remote attackers to disguise spoofed messages (CVE-2006-7176). This updated package also fixes the following bugs: * Infinite loop within tls read. * Incorrect path to selinuxenabled in initscript. * Build artifacts from sendmail-cf package. * Missing socketmap support. * Add support for CipherList configuration directive. * Path for aliases file. * Failure of shutting down sm-client. * Allows to specify persistent queue runners. * Missing dnl for SMART_HOST define. * Fixes connections stay in CLOSE_WAIT. All users of Sendmail should upgrade to these updated packages, which contains backported patches to resolve these issues. Low Copyright 2007 Red Hat, Inc. CVE-2006-7176 [PATCH] infinite loop within tls_read Incorrect path to selinuxenabled in /etc/init.d/sendmail sendmail-cf contains rpm build artifacts Changelog says 'Socketmap Supported' but it's not compiled in. aliases man page specifies incorrect location of aliases file CVE-2006-7176 sendmail allows external mail with from address xxx@localhost.localdomain Sendmail allows SSLv2 during STARTTLS, and the CipherList config option isn't supported so you can't turn it off shutting down sm-client fails [PATCH] method to specify persistent queue runners? sendmail.mc missing dnl on SMART_HOST define cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. This package includes the core files necessary for both the OpenSSH client and server. OpenSSH stores hostnames, IP addresses, and keys in plaintext in the known_hosts file. A local attacker that has already compromised a user's SSH account could use this information to generate a list of additional targets that are likely to have the same password or key. (CVE-2005-2666) The following bugs have also been fixed in this update: * The ssh client could abort the running connection when the server application generated a large output at once. * When 'X11UseLocalhost' option was set to 'no' on systems with IPv6 networking enabled, the X11 forwarding socket listened only for IPv6 connections. * When the privilege separation was enabled in /etc/ssh/sshd_config, some log messages in the system log were duplicated and also had timestamps from an incorrect timezone. All users of openssh should upgrade to these updated packages, which contain backported patches to correct these issues. Low Copyright 2008 Red Hat, Inc. CVE-2005-2666 CVE-2005-2666 openssh vulnerable to known_hosts address harvesting buffer_append_space: alloc not supported Error [PATCH] audit patch for openssh missing #include "loginrec.h" in auth.c sshd does not create ipv4 listen socket for X11 forwarding additional (time skewed) log entries in /var/log/secure since U4 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The shadow-utils package includes the necessary programs for converting UNIX password files to the shadow password format, as well as programs for managing user and group accounts. A flaw was found in the useradd tool in shadow-utils. A new user's mailbox, when created, could have random permissions for a short period. This could allow a local attacker to read or modify the mailbox. (CVE-2006-1174) This update also fixes the following bugs: * shadow-utils debuginfo package was empty. * faillog was unusable on 64-bit systems. It checked every UID from 0 to the max UID, which was an excessively large number on 64-bit systems. * typo bug in login.defs file All users of shadow-utils are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. Low Copyright 2007 Red Hat, Inc. CVE-2006-1174 shadow-utils-debuginfo is empty faillog doesn't handle large UIDs well typo in /etc/login.defs CVE-2006-1174 shadow-utils mailbox creation race condition cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Gdm (the GNOME Display Manager) is a highly configurable reimplementation of xdm, the X Display Manager. Gdm allows you to log into your system with the X Window System running and supports running several different X sessions on your local machine at the same time. Marcus Meissner discovered a race condition issue in the way Gdm modifies the permissions on the .ICEauthority file. A local attacker could exploit this flaw to gain privileges. Due to the nature of the flaw, however, a successful exploitation was unlikely. (CVE-2006-1057) This erratum also includes a bug fix to correct the pam configuration for the audit system. All users of gdm should upgrade to this updated package, which contains backported patches to resolve these issues. Low Copyright 2007 Red Hat, Inc. CVE-2006-1057 gdm update for new audit system CVE-2006-1057 GDM file permissions race condition cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 OpenLDAP is an open source suite of LDAP (Lightweight Directory Access Protocol) applications and development tools. A flaw was found in the way OpenLDAP handled selfwrite access. Users with selfwrite access were able to modify the distinguished name of any user. (CVE-2006-4600) All users are advised to upgrade to these updated openldap packages, which contain a backported patch to correct this issue. Low Copyright 2007 Red Hat, Inc. CVE-2006-4600 CVE-2006-4600 openldap improper selfwrite access cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 XScreenSaver is a collection of screensavers. Alex Yamauchi discovered a flaw in the way XScreenSaver verifies user passwords. When a system is using a remote directory service for login credentials, a local attacker may be able to cause a network outage causing XScreenSaver to crash, unlocking the screen. (CVE-2007-1859) Users of XScreenSaver should upgrade to this updated package, which contains a backported patch to correct this issue. Moderate Copyright 2007 Red Hat, Inc. CVE-2007-1859 CVE-2007-1859 xscreensaver authentication bypass cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The Xen package contains the tools for managing the virtual machine monitor in Red Hat Enterprise Linux virtualization. The following security flaws are fixed in the updated Xen package: Joris van Rantwijk found a flaw in the Pygrub utility which is used as a boot loader for guest domains. A malicious local administrator of a guest domain could create a carefully crafted grub.conf file which would trigger the execution of arbitrary code outside of that domain. (CVE-2007-4993) Tavis Ormandy discovered a heap overflow flaw during video-to-video copy operations in the Cirrus VGA extension code used in Xen. A malicious local administrator of a guest domain could potentially trigger this flaw and execute arbitrary code outside of the domain. (CVE-2007-1320) Tavis Ormandy discovered insufficient input validation leading to a heap overflow in the Xen NE2000 network driver. If the driver is in use, a malicious local administrator of a guest domain could potentially trigger this flaw and execute arbitrary code outside of the domain. Xen does not use this driver by default. (CVE-2007-1321) Users of Xen should update to these erratum packages containing backported patches which correct these issues. Important Copyright 2007 Red Hat, Inc. CVE-2007-1320 CVE-2007-1321 CVE-2007-4993 CVE-2007-1320 xen/qemu Cirrus LGD-54XX "bitblt" Heap Overflow CVE-2007-1321 xen QEMU NE2000 emulation issues CVE-2007-4993 xen guest root can escape to domain 0 through pygrub cpe:/a:redhat:rhel_virtualization cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Tomcat is a servlet container for Java Servlet and JavaServer Pages technologies. Tomcat was found to accept multiple content-length headers in a request. This could allow attackers to poison a web-cache, bypass web application firewall protection, or conduct cross-site scripting attacks. (CVE-2005-2090) Tomcat permitted various characters as path delimiters. If Tomcat was used behind certain proxies and configured to only proxy some contexts, an attacker could construct an HTTP request to work around the context restriction and potentially access non-proxied content. (CVE-2007-0450) The implict-objects.jsp file distributed in the examples webapp displayed a number of unfiltered header values. If the JSP examples were accessible, this flaw could allow a remote attacker to perform cross-site scripting attacks. (CVE-2006-7195) Users should upgrade to these erratum packages which contain an update to Tomcat that resolves these issues. Updated jakarta-commons-modeler packages are also included which correct a bug when used with Tomcat 5.5.23. Important Copyright 2008 Red Hat, Inc. CVE-2005-2090 CVE-2006-7195 CVE-2007-1358 CVE-2007-0450 CVE-2005-2090 multiple tomcat issues (CVE-2007-0450 CVE-2006-7195) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 3 PostgreSQL is an advanced Object-Relational database management system (DBMS). A flaw was found in the way PostgreSQL allows authenticated users to execute security-definer functions. It was possible for an unprivileged user to execute arbitrary code with the privileges of the security-definer function. (CVE-2007-2138) Users of PostgreSQL should upgrade to these updated packages containing PostgreSQL version 8.1.9, 7.4.17, and 7.3.19 which corrects this issue. Moderate Copyright 2007 Red Hat, Inc. CVE-2007-2138 CVE-2007-2138 PostgreSQL security-definer function privilege escalation cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 3 FreeRADIUS is a high-performance and highly configurable free RADIUS server designed to allow centralized authentication and authorization for a network. A memory leak flaw was found in the way FreeRADIUS parses certain authentication requests. A remote attacker could send a specially crafted authentication request which could cause FreeRADIUS to leak a small amount of memory. If enough of these requests are sent, the FreeRADIUS daemon would consume a vast quantity of system memory leading to a possible denial of service. (CVE-2007-2028) Users of FreeRADIUS should update to these erratum packages, which contain a backported patch to correct this issue. Moderate Copyright 2007 Red Hat, Inc. CVE-2007-2028 CVE-2007-2028 Freeradius EAP-TTLS denial of service cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The ipsec-tools package is used in conjunction with the IPsec functionality in the linux kernel and includes racoon, an IKEv1 keying daemon. A denial of service flaw was found in the ipsec-tools racoon daemon. It was possible for a remote attacker, with knowledge of an existing ipsec tunnel, to terminate the ipsec connection between two machines. (CVE-2007-1841) Users of ipsec-tools should upgrade to these updated packages, which contain a backported patch that resolves this issue. Moderate Copyright 2007 Red Hat, Inc. CVE-2007-1841 CVE-2007-1841 ipsec-tools racoon DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 3 The GIMP (GNU Image Manipulation Program) is an image composition and editing program. Marsu discovered a stack overflow bug in The GIMP RAS file loader. An attacker could create a carefully crafted file that could cause The GIMP to crash or possibly execute arbitrary code if the file was opened by a victim. (CVE-2007-2356) For users of Red Hat Enterprise Linux 5, the previous GIMP packages had a bug that concerned the execution order in which the symbolic links to externally packaged GIMP plugins are installed and removed, causing the symbolic links to vanish when the package is updated. Users of The GIMP should update to these erratum packages which contain a backported fix to correct these issues. Moderate Copyright 2007 Red Hat, Inc. CVE-2007-2356 CVE-2007-2356 Stack overflow in gimp's sunras plugin gimp removes symlinks to plugins of other packages when updated cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The evolution-data-server package provides a unified backend for programs that work with contacts, tasks, and calendar information. A flaw was found in the way evolution-data-server processed certain APOP authentication requests. By sending certain responses when evolution-data-server attempted to authenticate against an APOP server, a remote attacker could potentially acquire certain portions of a user's authentication credentials. (CVE-2007-1558) All users of evolution-data-server should upgrade to these updated packages, which contain a backported patch which resolves this issue. Moderate Copyright 2007 Red Hat, Inc. CVE-2007-1558 CVE-2007-1558 Evolution APOP information disclosure cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The vixie-cron package contains the Vixie version of cron. Cron is a standard UNIX daemon that runs specified programs at scheduled times. Raphael Marichez discovered a denial of service bug in the way vixie-cron verifies crontab file integrity. A local user with the ability to create a hardlink to /etc/crontab can prevent vixie-cron from executing certain system cron jobs. (CVE-2007-1856) All users of vixie-cron should upgrade to these updated packages, which contain a backported patch to correct this issue. Moderate Copyright 2008 Red Hat, Inc. CVE-2007-1856 crond failed "Days of week" after a few hours on 1st/Jan CVE-2007-1856 crontab denial of service cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 VIM (VIsual editor iMproved) is a version of the vi editor. An arbitrary command execution flaw was found in the way VIM processes modelines. If a user with modelines enabled opened a text file containing a carefully crafted modeline, arbitrary commands could be executed as the user running VIM. (CVE-2007-2438) Users of VIM are advised to upgrade to these updated packages, which resolve this issue. Please note: this issue did not affect VIM as distributed with Red Hat Enterprise Linux 2.1, 3, or 4. Moderate Copyright 2007 Red Hat, Inc. CVE-2007-2438 CVE-2007-2438 vim-7 modeline security issue cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the following security issues: * a flaw in the handling of IPv6 type 0 routing headers that allowed remote users to cause a denial of service that led to a network amplification between two routers (CVE-2007-2242, Important). * a flaw in the nfnetlink_log netfilter module that allowed a local user to cause a denial of service (CVE-2007-1496, Important). * a flaw in the flow list of listening IPv6 sockets that allowed a local user to cause a denial of service (CVE-2007-1592, Important). * a flaw in the handling of netlink messages that allowed a local user to cause a denial of service (infinite recursion) (CVE-2007-1861, Important). * a flaw in the IPv4 forwarding base that allowed a local user to cause an out-of-bounds access (CVE-2007-2172, Important). * a flaw in the nf_conntrack netfilter module for IPv6 that allowed remote users to bypass certain netfilter rules using IPv6 fragments (CVE-2007-1497, Moderate). In addition to the security issues described above, fixes for the following have been included: * a regression in ipv6 routing. * an error in memory initialization that caused gdb to output inaccurate backtraces on ia64. * the nmi watchdog timeout was updated from 5 to 30 seconds. * a flaw in distributed lock management that could result in errors during virtual machine migration. * an omitted include in kernel-headers that led to compile failures for some packages. Red Hat Enterprise Linux 5 users are advised to upgrade to these packages, which contain backported patches to correct these issues. Important Copyright 2007 Red Hat, Inc. CVE-2007-1496 CVE-2007-1497 CVE-2007-1592 CVE-2007-1861 CVE-2007-2172 CVE-2007-2242 oops and panics bringing up/down interfaces on 128p Altix, 8 interfaces dlm locking error from gfs dio/aio during virt machine migration The patch "xen: Add PACKET_AUXDATA cmsg" cause /usr/include/linux/if_packet.h broken CVE-2007-1592 IPv6 oops triggerable by any user CVE-2007-1496 Various NULL pointer dereferences in netfilter code CVE-2007-1497 IPv6 fragments bypass in nf_conntrack netfilter code CVE-2007-2172 fib_semantics.c out of bounds access vulnerability CVE-2007-2242 IPv6 routing headers issue CVE-2007-1861 infinite recursion in netlink cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A heap buffer overflow flaw was found in the PHP 'xmlrpc' extension. A PHP script which implements an XML-RPC server using this extension could allow a remote attacker to execute arbitrary code as the 'apache' user. Note that this flaw does not affect PHP applications using the pure-PHP XML_RPC class provided in /usr/share/pear. (CVE-2007-1864) A flaw was found in the PHP 'ftp' extension. If a PHP script used this extension to provide access to a private FTP server, and passed untrusted script input directly to any function provided by this extension, a remote attacker would be able to send arbitrary FTP commands to the server. (CVE-2007-2509) A buffer overflow flaw was found in the PHP 'soap' extension, regarding the handling of an HTTP redirect response when using the SOAP client provided by this extension with an untrusted SOAP server. No mechanism to trigger this flaw remotely is known. (CVE-2007-2510) Users of PHP should upgrade to these updated packages which contain backported patches to correct these issues. Important Copyright 2007 Red Hat, Inc. CVE-2007-1864 CVE-2007-2509 CVE-2007-2510 CVE-2007-1864 various PHP security issues (CVE-2007-2509 CVE-2007-2510) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A heap buffer overflow flaw was found in the PHP 'xmlrpc' extension. A PHP script which implements an XML-RPC server using this extension could allow a remote attacker to execute arbitrary code as the 'apache' user. Note that this flaw does not affect PHP applications using the pure-PHP XML_RPC class provided in /usr/share/pear. (CVE-2007-1864) A flaw was found in the PHP 'ftp' extension. If a PHP script used this extension to provide access to a private FTP server, and passed untrusted script input directly to any function provided by this extension, a remote attacker would be able to send arbitrary FTP commands to the server. (CVE-2007-2509) Users of PHP should upgrade to these updated packages which contain backported patches to correct these issues. Important Copyright 2007 Red Hat, Inc. CVE-2007-1864 CVE-2007-2509 CVE-2007-1864 various PHP security issues (CVE-2007-2509) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Evolution is the GNOME collection of personal information management (PIM) tools. A flaw was found in the way Evolution processed certain APOP authentication requests. A remote attacker could potentially acquire certain portions of a user's authentication credentials by sending certain responses when evolution-data-server attempted to authenticate against an APOP server. (CVE-2007-1558) All users of Evolution should upgrade to these updated packages, which contain a backported patch which resolves this issue. Moderate Copyright 2007 Red Hat, Inc. CVE-2007-1558 CVE-2007-1558 Evolution APOP information disclosure cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 3 Samba provides file and printer sharing services to SMB/CIFS clients. Various bugs were found in NDR parsing, used to decode MS-RPC requests in Samba. A remote attacker could have sent carefully crafted requests causing a heap overflow, which may have led to the ability to execute arbitrary code on the server. (CVE-2007-2446) Unescaped user input parameters were being passed as arguments to /bin/sh. A remote, authenticated, user could have triggered this flaw and executed arbitrary code on the server. Additionally, on Red Hat Enterprise Linux 5 only, this flaw could be triggered by a remote unauthenticated user if Samba was configured to use the non-default "username map script" option. (CVE-2007-2447) Users of Samba should upgrade to these packages, which contain backported patches to correct these issues. After upgrading, Samba should be restarted using "service smb restart" On Red Hat Enterprise Linux 5 the impact of these issues is reduced as Samba is constrained by the default SELinux "targeted" policy. Red Hat would like to thank the Samba developers, TippingPoint, and iDefense for reporting these issues. Critical Copyright 2008 Red Hat, Inc. CVE-2007-2446 CVE-2007-2447 CVE-2007-2446 samba heap overflows CVE-2007-2447 samba code injection cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 3 The libpng package contains a library of functions for creating and manipulating PNG (Portable Network Graphics) image format files. A flaw was found in the handling of malformed images in libpng. An attacker could create a carefully crafted PNG image file in such a way that it could cause an application linked with libpng to crash when the file was manipulated. (CVE-2007-2445) A flaw was found in the sPLT chunk handling code in libpng. An attacker could create a carefully crafted PNG image file in such a way that it could cause an application linked with libpng to crash when the file was opened. (CVE-2006-5793) Users of libpng should update to these updated packages which contain backported patches to correct these issues. Red Hat would like to thank Glenn Randers-Pehrson, Mats Palmgren, and Tavis Ormandy for supplying details and patches for these issues. Moderate Copyright 2007 Red Hat, Inc. CVE-2006-5793 CVE-2007-2445 CVE-2006-5793 libpng DoS CVE-2007-2445 libpng png_handle_tRNS flaw cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 3 SquirrelMail is a standards-based webmail package written in PHP4. Several HTML filtering bugs were discovered in SquirrelMail. An attacker could inject arbitrary JavaScript leading to cross-site scripting attacks by sending an e-mail viewed by a user within SquirrelMail. (CVE-2007-1262) Squirrelmail did not sufficiently check arguments to IMG tags in HTML e-mail messages. This could be exploited by an attacker by sending arbitrary e-mail messages on behalf of a squirrelmail user tricked into opening a maliciously crafted HTML e-mail message. (CVE-2007-2589) Users of SquirrelMail should upgrade to this erratum package, which contains a backported patch to correct these issues. Moderate Copyright 2007 Red Hat, Inc. CVE-2007-1262 CVE-2007-2589 CVE-2007-1262 XSS through HTML message in squirrelmail CVE-2007-2589 CSRF through HTML message in squirrelmail cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Tcpdump is a command line tool for monitoring network traffic. Moritz Jodeit discovered a denial of service bug in the tcpdump IEEE 802.11 processing code. If a certain link type was explicitly specified, an attacker could inject a carefully crafted frame onto the IEEE 802.11 network that could crash a running tcpdump session. (CVE-2007-1218) An integer overflow flaw was found in tcpdump's BGP processing code. An attacker could execute arbitrary code with the privilege of the pcap user by injecting a crafted frame onto the network. (CVE-2007-3798) In addition, the following bugs have been addressed: * The arpwatch service initialization script would exit prematurely, returning an incorrect successful exit status and preventing the status command from running in case networking is not available. * Tcpdump would not drop root privileges completely when launched with the -C option. This might have been abused by an attacker to gain root privileges in case a security problem was found in tcpdump. Users of tcpdump are encouraged to specify meaningful arguments to the -Z option in case they want tcpdump to write files with privileges other than of the pcap user. Users of tcpdump are advised to upgrade to these erratum packages, which contain backported patches that correct these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2007-1218 CVE-2007-3798 CVE-2007-1218 tcpdump denial of service Wrong init script tcpdump -Z -C should drop root privileges completely CVE-2007-3798 tcpdump BGP integer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the following security issues: * a flaw in the mount handling routine for 64-bit systems that allowed a local user to cause denial of service (CVE-2006-7203, Important). * a flaw in the PPP over Ethernet implementation that allowed a remote user to cause a denial of service (CVE-2007-2525, Important). * a flaw in the Bluetooth subsystem that allowed a local user to trigger an information leak (CVE-2007-1353, Low). * a bug in the random number generator that prevented the manual seeding of the entropy pool (CVE-2007-2453, Low). In addition to the security issues described above, fixes for the following have been included: * a race condition between ext3_link/unlink that could create an orphan inode list corruption. * a bug in the e1000 driver that could lead to a watchdog timeout panic. Red Hat Enterprise Linux 5 users are advised to upgrade to these packages, which contain backported patches to correct these issues. Important Copyright 2007 Red Hat, Inc. CVE-2006-7203 CVE-2007-1353 CVE-2007-2453 CVE-2007-2525 watchdog timeout panic in e1000 driver CVE-2006-7203 oops in compat_sys_mount() when data pointer is NULL CVE-2007-1353 Bluetooth setsockopt() information leaks CVE-2007-2525 PPPoE socket PPPIOCGCHAN denial of service CVE-2007-2453 Slightly degraded pool mixing for entropy extraction cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Kerberos is a network authentication system which allows clients and servers to authenticate to each other through use of symmetric encryption and a trusted third party, the KDC. kadmind is the KADM5 administration server. David Coffey discovered an uninitialized pointer free flaw in the RPC library used by kadmind. A remote unauthenticated attacker who can access kadmind could trigger this flaw and cause kadmind to crash or potentially execute arbitrary code as root. (CVE-2007-2442) David Coffey also discovered an overflow flaw in the RPC library used by kadmind. On Red Hat Enterprise Linux, exploitation of this flaw is limited to a denial of service. A remote unauthenticated attacker who can access kadmind could trigger this flaw and cause kadmind to crash. (CVE-2007-2443) A stack buffer overflow flaw was found in kadmind. An authenticated attacker who can access kadmind could trigger this flaw and potentially execute arbitrary code on the Kerberos server. (CVE-2007-2798) For Red Hat Enterprise Linux 2.1, several portability bugs which would lead to unexpected crashes on the ia64 platform have also been fixed. Users of krb5-server are advised to update to these erratum packages which contain backported fixes to correct these issues. Critical Copyright 2008 Red Hat, Inc. CVE-2007-2442 CVE-2007-2443 CVE-2007-2798 kadmin core dumps on ia64 CVE-2007-2442 krb5 RPC library unitialized pointer free CVE-2007-2443 krb5 RPC library stack overflow CVE-2007-2798 krb5 kadmind buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 3 Fetchmail is a remote mail retrieval and forwarding utility intended for use over on-demand TCP/IP links, like SLIP or PPP connections. A flaw was found in the way fetchmail processed certain APOP authentication requests. By sending certain responses when fetchmail attempted to authenticate against an APOP server, a remote attacker could potentially acquire certain portions of a user's authentication credentials. (CVE-2007-1558) All users of fetchmail should upgrade to this updated package, which contains a backported patch to correct this issue. Moderate Copyright 2007 Red Hat, Inc. CVE-2007-1558 CVE-2007-1558 fetchmail/mutt/evolution/...: APOP password disclosure vulnerability cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 3 Mutt is a text-mode mail user agent. A flaw was found in the way Mutt used temporary files on NFS file systems. Due to an implementation issue in the NFS protocol, Mutt was not able to exclusively open a new file. A local attacker could conduct a time-dependent attack and possibly gain access to e-mail attachments opened by a victim. (CVE-2006-5297) A flaw was found in the way Mutt processed certain APOP authentication requests. By sending certain responses when mutt attempted to authenticate against an APOP server, a remote attacker could potentially acquire certain portions of a user's authentication credentials. (CVE-2007-1558) A flaw was found in the way Mutt handled certain characters in gecos fields which could lead to a buffer overflow. The gecos field is an entry in the password database typically used to record general information about the user. A local attacker could give themselves a carefully crafted "Real Name" which could execute arbitrary code if a victim uses Mutt and expands the attackers alias. (CVE-2007-2683) All users of mutt should upgrade to this updated package, which contains a backported patches to correct these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2006-5297 CVE-2007-1558 CVE-2007-2683 CVE-2006-5297 Multiple mutt tempfile race conditions CVE-2007-2683 Buffer overflow in mutt's gecos structure handling CVE-2007-1558 fetchmail/mutt/evolution/...: APOP password disclosure vulnerability cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Tcpdump is a command line tool for monitoring network traffic. Moritz Jodeit discovered a denial of service bug in the tcpdump IEEE 802.11 processing code. An attacker could inject a carefully crafted frame onto the IEEE 802.11 network that could crash a running tcpdump session if a certain link type was explicitly specified. (CVE-2007-1218) An integer overflow flaw was found in tcpdump's BGP processing code. An attacker could execute arbitrary code with the privilege of the pcap user by injecting a crafted frame onto the network. (CVE-2007-3798) In addition, the following bugs have been addressed: * if called with -C and -W switches, tcpdump would create the first savefile with the privileges of the user that executed tcpdump (usually root), rather than with ones of the pcap user. This could result in the inability to save the complete traffic log file properly without the immediate notice of the user running tcpdump. * the arpwatch service initialization script would exit prematurely, returning a successful exit status incorrectly and preventing the status command from running in case networking is not available. Users of tcpdump are advised to upgrade to these erratum packages, which contain backported patches that correct these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2007-1218 CVE-2007-3798 tcpdump gives 'permission denied' at 2nd file when dumping to >1 file CVE-2007-1218 tcpdump denial of service CVE-2007-3798 tcpdump BGP integer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Quagga is a TCP/IP based routing software suite. An out of bounds memory read flaw was discovered in Quagga's bgpd. A configured peer of bgpd could cause Quagga to crash, leading to a denial of service (CVE-2007-1995). All users of Quagga should upgrade to this updated package, which contains a backported patch to correct these issues. Moderate Copyright 2007 Red Hat, Inc. CVE-2007-1995 CVE-2007-1995 Quagga bgpd DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 The file command is used to identify a particular file according to the type of data contained by the file. The fix for CVE-2007-1536 introduced a new integer underflow flaw in the file utility. An attacker could create a carefully crafted file which, if examined by a victim using the file utility, could lead to arbitrary code execution. (CVE-2007-2799) This issue did not affect the version of the file utility distributed with Red Hat Enterprise Linux 2.1 or 3. Users should upgrade to this erratum package, which contain a backported patch to correct this issue. Moderate Copyright 2007 Red Hat, Inc. CVE-2007-2799 CVE-2007-2799 file integer overflow CVE-2007-2799 file integer overflow CVE-2007-2799 file integer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 Mod_perl incorporates a Perl interpreter into the Apache web server, so that the Apache web server can directly execute Perl code. An issue was found in the "namespace_from_uri" method of the ModPerl::RegistryCooker class. If a server implemented a mod_perl registry module using this method, a remote attacker requesting a carefully crafted URI can cause resource consumption, which could lead to a denial of service (CVE-2007-1349). Users of mod_perl should update to these erratum packages which contain a backported fix to correct this issue. Low Copyright 2007 Red Hat, Inc. CVE-2007-1349 CVE-2007-1349 mod_perl PerlRun denial of service cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 Mozilla Firefox is an open source Web browser. Several flaws were found in the way Firefox processed certain malformed JavaScript code. A web page containing malicious JavaScript code could cause Firefox to crash or potentially execute arbitrary code as the user running Firefox. (CVE-2007-2867, CVE-2007-2868) A flaw was found in the way Firefox handled certain FTP PASV commands. A malicious FTP server could use this flaw to perform a rudimentary port-scan of machines behind a user's firewall. (CVE-2007-1562) Several denial of service flaws were found in the way Firefox handled certain form and cookie data. A malicious web site that is able to set arbitrary form and cookie data could prevent Firefox from functioning properly. (CVE-2007-1362, CVE-2007-2869) A flaw was found in the way Firefox handled the addEventListener JavaScript method. A malicious web site could use this method to access or modify sensitive data from another web site. (CVE-2007-2870) A flaw was found in the way Firefox displayed certain web content. A malicious web page could generate content that would overlay user interface elements such as the hostname and security indicators, tricking users into thinking they are visiting a different site. (CVE-2007-2871) Users of Firefox are advised to upgrade to these erratum packages, which contain Firefox version 1.5.0.12 that corrects these issues. Critical Copyright 2007 Red Hat, Inc. CVE-2007-1362 CVE-2007-1562 CVE-2007-2867 CVE-2007-2868 CVE-2007-2869 CVE-2007-2870 CVE-2007-2871 CVE-2007-1362 Multiple Firefox flaws (CVE-2007-1562, CVE-2007-2867, CVE-2007-2868, CVE-2007-2869, CVE-2007-2870, CVE-2007-2871) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Thunderbird is a standalone mail and newsgroup client. Several flaws were found in the way Thunderbird processed certain malformed JavaScript code. A web page containing malicious JavaScript code could cause Thunderbird to crash or potentially execute arbitrary code as the user running Thunderbird. (CVE-2007-2867, CVE-2007-2868) Several denial of service flaws were found in the way Thunderbird handled certain form and cookie data. A malicious web site that is able to set arbitrary form and cookie data could prevent Thunderbird from functioning properly. (CVE-2007-1362, CVE-2007-2869) A flaw was found in the way Thunderbird processed certain APOP authentication requests. By sending certain responses when Thunderbird attempted to authenticate against an APOP server, a remote attacker could potentially acquire certain portions of a user's authentication credentials. (CVE-2007-1558) A flaw was found in the way Thunderbird displayed certain web content. A malicious web page could generate content which could overlay user interface elements such as the hostname and security indicators, tricking users into thinking they are visiting a different site. (CVE-2007-2871) Users of Thunderbird are advised to apply this update, which contains Thunderbird version 1.5.0.12 that corrects these issues. Critical Copyright 2007 Red Hat, Inc. CVE-2007-1362 CVE-2007-1558 CVE-2007-2867 CVE-2007-2868 CVE-2007-2869 CVE-2007-2871 CVE-2007-1362 Miltiple Thunderbird flaws (CVE-2007-1558, CVE-2007-2867, CVE-2007-2868, CVE-2007-2869, CVE-2007-2871) cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 SeaMonkey is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. Several flaws were found in the way SeaMonkey processed certain malformed JavaScript code. A web page containing malicious JavaScript code could cause SeaMonkey to crash or potentially execute arbitrary code as the user running SeaMonkey. (CVE-2007-2867, CVE-2007-2868) A flaw was found in the way SeaMonkey handled certain FTP PASV commands. A malicious FTP server could use this flaw to perform a rudimentary port-scan of machines behind a user's firewall. (CVE-2007-1562) Several denial of service flaws were found in the way SeaMonkey handled certain form and cookie data. A malicious web site that is able to set arbitrary form and cookie data could prevent SeaMonkey from functioning properly. (CVE-2007-1362, CVE-2007-2869) A flaw was found in the way SeaMonkey processed certain APOP authentication requests. By sending certain responses when SeaMonkey attempted to authenticate against an APOP server, a remote attacker could potentially acquire certain portions of a user's authentication credentials. (CVE-2007-1558) A flaw was found in the way SeaMonkey handled the addEventListener JavaScript method. A malicious web site could use this method to access or modify sensitive data from another web site. (CVE-2007-2870) A flaw was found in the way SeaMonkey displayed certain web content. A malicious web page could generate content that would overlay user interface elements such as the hostname and security indicators, tricking users into thinking they are visiting a different site. (CVE-2007-2871) Users of SeaMonkey are advised to upgrade to these erratum packages, which contain SeaMonkey version 1.0.9 that corrects these issues. Critical Copyright 2007 Red Hat, Inc. CVE-2007-1362 CVE-2007-1562 CVE-2007-1558 CVE-2007-2867 CVE-2007-2868 CVE-2007-2869 CVE-2007-2870 CVE-2007-2871 CVE-2007-1362 Miltiple Seamonkey flaws (CVE-2007-1562, CVE-2007-1558, CVE-2007-2867, CVE-2007-2868, CVE-2007-2869, CVE-2007-2870, CVE-2007-2871) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 5 FreeType is a free, high-quality, portable font engine. An integer overflow flaw was found in the way the FreeType font engine processed TTF font files. If a user loaded a carefully crafted font file with a program linked against FreeType, it could cause the application to crash or execute arbitrary code. While it is uncommon for a user to explicitly load a font file, there are several application file formats which contain embedded fonts that are parsed by FreeType. (CVE-2007-2754) Users of FreeType should upgrade to these updated packages, which contain a backported patch to correct this issue. Moderate Copyright 2007 Red Hat, Inc. CVE-2007-2754 CVE-2007-2754 freetype integer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 3 OpenOffice.org is an office productivity suite that includes desktop applications such as a word processor, spreadsheet, presentation manager, formula editor, and drawing program. A heap overflow flaw was found in the RTF import filer. An attacker could create a carefully crafted RTF file that could cause OpenOffice.org to crash or possibly execute arbitrary code if the file was opened by a victim. (CVE-2007-0245) All users of OpenOffice.org are advised to upgrade to these updated packages, which contain a backported fix to correct this issue. Important Copyright 2007 Red Hat, Inc. CVE-2007-0245 CVE-2007-0245 openoffice.org rtf filter buffer overflow cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 OpenLDAP is an open source suite of LDAP (Lightweight Directory Access Protocol) applications, libraries and development tools. A flaw was found in the way OpenLDAP handled selfwrite access. Users with selfwrite access were able to modify the distinguished name of any user. Users with selfwrite access should only be able to modify their own distinguished name. (CVE-2006-4600) A memory leak bug was found in OpenLDAP's ldap_start_tls_s() function. An application using this function could result in an Out Of Memory (OOM) condition, crashing the application. All users are advised to upgrade to this updated openldap package, which contains a backported fix and is not vulnerable to these issues. Low Copyright 2007 Red Hat, Inc. CVE-2006-4600 ldap_start_tls_s() leaks CVE-2006-4600 openldap improper selfwrite access cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The shadow-utils package includes the necessary programs for converting UNIX password files to the shadow password format, as well as programs for managing user and group accounts. A flaw was found in the useradd tool in shadow-utils. A new user's mailbox, when created, could have random permissions for a short period. This could allow a local attacker to read or modify the mailbox. (CVE-2006-1174) This update also fixes the following bugs: * shadow-utils debuginfo package was empty. * chage.1 and chage -l gave incorrect information about sp_inact. All users of shadow-utils are advised to upgrade to this updated package, which contains backported patches to resolve these issues. Low Copyright 2008 Red Hat, Inc. CVE-2006-1174 shadow-utils-debuginfo is empty chage does not show the Account Expires if its shadow field is 0. CVE-2006-1174 shadow-utils mailbox creation race condition cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Linux kernel handles the basic functions of the operating system. This is the ninth regular kernel update to Red Hat Enterprise Linux 3. There were no new features introduced by this update. The only changes that have been included address critical customer needs or security issues (elaborated below). Key areas affected by fixes in this update include the networking subsystem, dcache handling, the ext2 and ext3 file systems, the USB subsystem, ACPI handling, and the audit subsystem. There were also several isolated fixes in the tg3, e1000, megaraid_sas, and aacraid device drivers. The following security bugs were fixed in this update: * a flaw in the cramfs file system that allowed invalid compressed data to cause memory corruption (CVE-2006-5823, low) * a flaw in the ext2 file system that allowed an invalid inode size to cause a denial of service (system hang) (CVE-2006-6054, low) * a flaw in IPV6 flow label handling that allowed a local user to cause a denial of service (crash) (CVE-2007-1592, important) Note: The kernel-unsupported package contains various drivers and modules that are unsupported and therefore might contain security problems that have not been addressed. All Red Hat Enterprise Linux 3 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum. Important Copyright 2008 Red Hat, Inc. CVE-2006-5823 CVE-2006-6054 CVE-2007-1592 acl permissions over nfs Need fix for: [NETFILTER]: Fix checksum bug for multicast/broadcast packets on postrouting hook. tg3 driver on BCM5703X won't load. Says tg3: Could not obtain valid ethernet address, aborting. u5 patch that turned on Dprintk's in arch/x86_64/kernel/smpboot.c powermate module does not recognize Griffin Powermate device jbd I/O errors after ext3 orphan processing on readonly device hugetlb_get_unmapped_area may overflow in X86_64 compat mode Kernel panic on shutdown or poweroff on SMP cut/paste bug in kscand Data corruption after IO error on swap (RHEL3) High speed USB HID devices not working in RHEL3 32-bit fstat on 64-bit kernel returns EOVERFLOW when st_ino gets too large CVE-2006-5823 zlib_inflate memory corruption CVE-2006-6054 ext2_check_page denial of service [RHEL3] Netdump for 8139cp driver running 32-bit executables on x86_64/ia64/s390x causes negative "vm_committed_space" value Kernel oops when loading ipmi_si module Laus doesn't audit detach event Laus dev.audit.attach-all doesn't attach to init Enable use of PAL_HALT_LIGHT for idle loop as non-default option ipv6 OOPS triggerable by any user cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Pluggable Authentication Modules (PAM) provide a system whereby administrators can set up authentication policies without having to recompile programs that handle authentication. A flaw was found in the way the Linux kernel handled certain SG_IO commands. Console users with access to certain device files had the ability to damage recordable CD drives. The way pam_console handled permissions of these files has been modified to disallow access. This change also required modifications to the cdrecord application. (CVE-2004-0813) A flaw was found in the way pam_console set console device permissions. It was possible for various console devices to retain ownership of the console user after logging out, possibly leaking information to an unauthorized user. (CVE-2007-1716) The pam_unix module provides authentication against standard /etc/passwd and /etc/shadow files. The pam_stack module provides support for stacking PAM configuration files. Both of these modules contained small memory leaks which caused problems in applications calling PAM authentication repeatedly in the same process. All users of PAM should upgrade to these updated packages, which resolve these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2004-0813 CVE-2007-1716 CVE-2004-0813 SG_IO unsafe user command execution Possibly memory leak in pam modules. 4byte leak in pam_unix.so CVE-2004-0813 SG_IO unsafe user command execution CVE-2007-1716 Ownership of devices not returned to root after logout from console cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 GDB, the GNU debugger, allows debugging of programs written in C, C++, and other languages by executing them in a controlled fashion and then printing their data. Various buffer overflows and underflows were found in the DWARF expression computation stack in GDB. If an attacker could trick a user into loading an executable containing malicious debugging information into GDB, they may be able to execute arbitrary code with the privileges of the user. (CVE-2006-4146) This updated package also addresses the following issues: * Support on 64-bit hosts shared libraries debuginfo larger than 2GB. * Fix a race occasionally leaving the detached processes stopped. * Fix segmentation fault on the source display by ^X 1. * Fix a crash on an opaque type dereference. All users of gdb should upgrade to this updated package, which contains backported patches to resolve these issues. Low Copyright 2007 Red Hat, Inc. CVE-2006-4146 gdb internal error with incomplete type pstack can cause process to suspend CVE-2006-4146 GDB buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The gcc packages include C, C++, Java, Fortran 77, Objective C, and Ada 95 GNU compilers and related support libraries. Jürgen Weigert discovered a directory traversal flaw in fastjar. An attacker could create a malicious JAR file which, if unpacked using fastjar, could write to any files the victim had write access to. (CVE-2006-3619) These updated packages also fix a reload internal compiler error with -fnon-call-exceptions option. All users of gcc should upgrade to these updated packages, which resolve these issues. Moderate Copyright 2007 Red Hat, Inc. CVE-2006-3619 CVE-2006-3619 Directory traversal issue in jar Attached code crashes the compiler, error at: reload1.c:9508 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the security issues described below: * a flaw in the connection tracking support for SCTP that allowed a remote user to cause a denial of service by dereferencing a NULL pointer. (CVE-2007-2876, Important) * a flaw in the mount handling routine for 64-bit systems that allowed a local user to cause denial of service (crash). (CVE-2006-7203, Important) * a flaw in the IPv4 forwarding base that allowed a local user to cause an out-of-bounds access. (CVE-2007-2172, Important) * a flaw in the PPP over Ethernet implementation that allowed a local user to cause a denial of service (memory consumption) by creating a socket using connect and then releasing it before the PPPIOCGCHAN ioctl has been called. (CVE-2007-2525, Important) * a flaw in the fput ioctl handling of 32-bit applications running on 64-bit platforms that allowed a local user to cause a denial of service (panic). (CVE-2007-0773, Important) * a flaw in the NFS locking daemon that allowed a local user to cause denial of service (deadlock). (CVE-2006-5158, Moderate) * a flaw in the sysfs_readdir function that allowed a local user to cause a denial of service by dereferencing a NULL pointer. (CVE-2007-3104, Moderate) * a flaw in the core-dump handling that allowed a local user to create core dumps from unreadable binaries via PT_INTERP. (CVE-2007-0958, Low) * a flaw in the Bluetooth subsystem that allowed a local user to trigger an information leak. (CVE-2007-1353, Low) In addition, the following bugs were addressed: * the NFS could recurse on the same spinlock. Also, NFS, under certain conditions, did not completely clean up Posix locks on a file close, leading to mount failures. * the 32bit compatibility didn't return to userspace correct values for the rt_sigtimedwait system call. * the count for unused inodes could be incorrect at times, resulting in dirty data not being written to disk in a timely manner. * the cciss driver had an incorrect disk size calculation (off-by-one error) which prevented disk dumps. Red Hat would like to thank Ilja van Sprundel and the OpenVZ Linux kernel team for reporting issues fixed in this erratum. All Red Hat Enterprise Linux 4 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum. Important Copyright 2007 Red Hat, Inc. CVE-2006-5158 CVE-2006-7203 CVE-2007-0773 CVE-2007-0958 CVE-2007-1353 CVE-2007-2172 CVE-2007-2525 CVE-2007-2876 CVE-2007-3104 kernel spinlock panic in inode.c dirty data is not flushed on a timely manner CVE-2007-3104 Null pointer to an inode in a dentry can cause an oops in sysfs_readdir CVE-2006-5158 NFS lockd deadlock CVE-2007-0773 lost fput in a 32-bit ioctl on 64-bit x86 systems CVE-2007-0958 core-dumping unreadable binaries via PT_INTERP CVE-2007-1353 Bluetooth setsockopt() information leaks CVE-2007-2172 fib_semantics.c out of bounds access vulnerability CVE-2007-2525 PPPoE socket PPPIOCGCHAN denial of service CVE-2006-7203 oops in compat_sys_mount() when data pointer is NULL CVE-2007-2876 {ip, nf}_conntrack_sctp: remotely triggerable NULL ptr dereference diskdump to cciss fails due to off-by-one size calculation cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 SpamAssassin provides a way to reduce unsolicited commercial email (spam) from incoming email. Martin Krafft discovered a symlink issue in SpamAssassin that affects certain non-default configurations. A local user could use this flaw to create or overwrite files writable by the spamd process (CVE-2007-2873). Users of SpamAssassin should upgrade to these updated packages which contain a backported patch to correct this issue. Note: This issue did not affect the version of SpamAssassin shipped with Red Hat Enterprise Linux 3. Moderate Copyright 2007 Red Hat, Inc. CVE-2007-2873 CVE-2007-2873 spamassassin symlink attack cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 3 The kdebase packages provide the core applications for KDE, the K Desktop Environment. These core packages include Konqueror, the web browser and file manager. A problem with the interaction between the Flash Player and the Konqueror web browser was found. The problem could lead to key presses leaking to the Flash Player applet instead of the browser (CVE-2007-2022). Users of Konqueror who have installed the Adobe Flash Player plugin should upgrade to these updated packages, which contain a patch provided by Dirk Müller that protects against this issue. Important Copyright 2007 Red Hat, Inc. CVE-2007-2022 CVE-2007-2022 kdebase3 flash-player interaction problem cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The iscsi package provides the server daemon for the iSCSI protocol, as well as the utility programs used to manage it. iSCSI is a protocol for distributed disk access using SCSI commands sent over Internet Protocol networks. Olaf Kirch discovered two flaws in open-iscsi. A local attacker could use these flaws to cause the server daemon to stop responding, leading to a denial of service. (CVE-2007-3099, CVE-2007-3100). All users of open-iscsi should upgrade to this updated package which resolves these issues. Note: This issue did not affect Red Hat Enterprise Linux 2.1, 3, or 4. open-iscsi is available in Red Hat Enterprise Linux 5 as a Technology Preview. Moderate Copyright 2007 Red Hat, Inc. CVE-2007-3099 CVE-2007-3100 CVE-2007-3099 dos flaws in open-iscsi (CVE-2007-3100) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 The libexif package contains the EXIF library. Applications use this library to parse EXIF image files. An integer overflow flaw was found in the way libexif parses EXIF image tags. If a victim opens a carefully crafted EXIF image file it could cause the application linked against libexif to execute arbitrary code or crash. (CVE-2007-4168) Users of libexif should upgrade to these updated packages, which contain a backported patch and are not vulnerable to this issue. Moderate Copyright 2008 Red Hat, Inc. CVE-2006-4168 CVE-2006-4168 libexif integer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Evolution is the GNOME collection of personal information management (PIM) tools. A flaw was found in the way Evolution processes certain IMAP server messages. If a user can be tricked into connecting to a malicious IMAP server it may be possible to execute arbitrary code as the user running evolution. (CVE-2007-3257) All users of Evolution should upgrade to these updated packages, which contain a backported patch which resolves this issue. Important Copyright 2008 Red Hat, Inc. CVE-2007-3257 CVE-2007-3257 evolution malicious server arbitrary code execution cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The evolution-data-server package provides a unified backend for programs that work with contacts, tasks, and calendar information. A flaw was found in the way evolution-data-server processes certain IMAP server messages. If a user can be tricked into connecting to a malicious IMAP server it may be possible to execute arbitrary code as the user running the evolution-data-server process. (CVE-2007-3257) All users of evolution-data-server should upgrade to these updated packages, which contain a backported patch which resolves this issue. Important Copyright 2007 Red Hat, Inc. CVE-2007-3257 CVE-2007-3257 evolution malicious server arbitrary code execution cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The GIMP (GNU Image Manipulation Program) is an image composition and editing program. Multiple integer overflow and input validation flaws were found in The GIMP's image loaders. An attacker could create a carefully crafted image file that could cause The GIMP to crash or possibly execute arbitrary code if the file was opened by a victim. (CVE-2006-4519, CVE-2007-2949, CVE-2007-3741) Users of The GIMP should update to these erratum packages, which contain a backported fix to correct these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2006-4519 CVE-2007-2949 CVE-2007-3741 CVE-2007-2949 Gimp PSD integer overflow CVE-2006-4519 GIMP multiple image loader integer overflows CVE-2007-3741 Gimp image loader multiple input validation flaws cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 X.org is an open source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon. A temporary file flaw was found in the way the X.Org X11 xfs font server startup script executes. A local user could modify the permissions of the file of their choosing, possibly elevating their local privileges (CVE-2007-3103). Users of X.org should upgrade to these updated packages, which contain a backported patch and are not vulnerable to these issues. Moderate Copyright 2007 Red Hat, Inc. CVE-2007-3103 CVE-2007-3103 init.d xfs script chown race condition vulnerability cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The X.Org X11 xfs font server provides a standard mechanism for an X server to communicate with a font renderer. A temporary file flaw was found in the way the X.Org X11 xfs font server startup script executes. A local user could modify the permissions of a file of their choosing, possibly elevating their local privileges. (CVE-2007-3103) Users of the X.org X11 xfs font server should upgrade to these updated packages, which contain a backported patch and are not vulnerable to this issue. Moderate Copyright 2007 Red Hat, Inc. CVE-2007-3103 CVE-2007-3103 init.d xfs script chown race condition vulnerability cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Apache HTTP Server is a popular Web server. A flaw was found in the Apache HTTP Server mod_status module. On sites where the server-status page is publicly accessible and ExtendedStatus is enabled this could lead to a cross-site scripting attack. On Red Hat Enterprise Linux the server-status page is not enabled by default and it is best practice to not make this publicly available. (CVE-2006-5752) A flaw was found in the Apache HTTP Server mod_cache module. On sites where caching is enabled, a remote attacker could send a carefully crafted request that would cause the Apache child process handling that request to crash. This could lead to a denial of service if using a threaded Multi-Processing Module. (CVE-2007-1863) In addition, two bugs were fixed: * when the ProxyErrorOverride directive was enabled, responses with 3xx status-codes would be overriden at the proxy. This has been changed so that only 4xx and 5xx responses are overriden. * the "ProxyTimeout" directive was not inherited across virtual host definitions. Users of httpd should upgrade to these updated packages, which contain backported patches to correct these issues. Users should restart Apache after installing this update. Moderate Copyright 2007 Red Hat, Inc. CVE-2006-5752 CVE-2007-1863 Reverse Proxy Unexpected Timeout Mod_proxy_http ProxyErrorOverride eating cookies CVE-2007-1863 httpd mod_cache segfault CVE-2006-5752 httpd mod_status XSS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The Apache HTTP Server is a popular Web server. A flaw was found in the Apache HTTP Server mod_status module. On sites where the server-status page is publicly accessible and ExtendedStatus is enabled this could lead to a cross-site scripting attack. On Red Hat Enterprise Linux the server-status page is not enabled by default and it is best practice to not make this publicly available. (CVE-2006-5752) A bug was found in the Apache HTTP Server mod_cache module. On sites where caching is enabled, a remote attacker could send a carefully crafted request that would cause the Apache child process handling that request to crash. This could lead to a denial of service if using a threaded Multi-Processing Module. (CVE-2007-1863) Users of httpd should upgrade to these updated packages, which contain backported patches to correct these issues. Users should restart Apache after installing this update. Moderate Copyright 2008 Red Hat, Inc. CVE-2006-5752 CVE-2007-1863 CVE-2007-1863 httpd mod_cache segfault CVE-2006-5752 httpd mod_status XSS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Advanced Intrusion Detection Environment (AIDE) is a file integrity checker and intrusion detection program. A flaw was discovered in the way file checksums were stored in the AIDE database. A packaging flaw in the Red Hat AIDE rpm resulted in the file database not containing any file checksum information. This could prevent AIDE from detecting certain file modifications. (CVE-2007-3849) This update also fixes the following bugs: * certain configurations could result in a segmentation fault upon initialization. * AIDE was unable to open its log file in the LSPP evaluated configuration. * if AIDE found SELinux context differences, the changed files report it generated only included the first 32 characters of the context. All users of AIDE are advised to upgrade to this updated package containing AIDE version 0.13.1 which is not vulnerable to these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2007-3849 aide Segmentation fault on initialization LSPP: aide can't write its log file CVE-2007-3849 Rebase aide to 0.13.1 [LSPP] aide report output limits context to 32char -- not evaluation blocking cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. These packages include the core files necessary for both the OpenSSH client and server. A flaw was found in the way the ssh server wrote account names to the audit subsystem. An attacker could inject strings containing parts of audit messages, which could possibly mislead or confuse audit log parsing tools. (CVE-2007-3102) A flaw was found in the way the OpenSSH server processes GSSAPI authentication requests. When GSSAPI authentication was enabled in the OpenSSH server, a remote attacker was potentially able to determine if a username is valid. (CVE-2006-5052) The following bugs in SELinux MLS (Multi-Level Security) support has also been fixed in this update: * It was sometimes not possible to select a SELinux role and level when logging in using ssh. * If the user obtained a non-default SELinux role or level, the role change was not recorded in the audit subsystem. * In some cases, on labeled networks, sshd allowed logins from level ranges it should not allow. The updated packages also contain experimental support for using private keys stored in PKCS#11 tokens for client authentication. The support is provided through the NSS (Network Security Services) library. All users of openssh should upgrade to these updated packages, which contain patches to correct these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2006-5052 CVE-2007-3102 [LSPP] unable to ssh into a system as root/auditadm_r LSPP: ssh-mls allows a level through that it should not LSPP: user unable to ssh to system with user/role/level context CVE-2006-5052 GSSAPI information leak [LSPP] openssh server fails to parse level correctly CVE-2007-3102 audit logging of failed logins cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 mcstrans is the translation daemon used on SELinux machines to translate program context into human readable form. An algorithmic complexity weakness was found in the way the mcstrans daemon handled ranges of compartments in sensitivity labels. A local user could trigger this flaw causing mctransd to temporarily stop responding to other requests; a partial denial of service. (CVE-2007-4570) This update also fixes a problem where the mcstrans daemon was preventing SSH connections into an SELinux box, that was running a Multi-Level Security (MLS) Policy with multiple categories. Users of mcstrans are advised to upgrade to this updated package, which resolves this issue. Low Copyright 2008 Red Hat, Inc. CVE-2007-4570 LSPP: Not able to ssh into the machine with multiple categories CVE-2007-4570 mctransd DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Pluggable Authentication Modules (PAM) provide a system whereby administrators can set up authentication policies without having to recompile programs that handle authentication. A flaw was found in the way pam_console set console device permissions. It was possible for various console devices to retain ownership of the console user after logging out, possibly leaking information to another local user. (CVE-2007-1716) A flaw was found in the way the PAM library wrote account names to the audit subsystem. An attacker could inject strings containing parts of audit messages which could possibly mislead or confuse audit log parsing tools. (CVE-2007-3102) As well, these updated packages fix the following bugs: * truncated MD5-hashed passwords in "/etc/shadow" were treated as valid, resulting in insecure and invalid passwords. * the pam_namespace module did not convert context names to raw format and did not unmount polyinstantiated directories in some cases. It also crashed when an unknown user name was used in "/etc/security/namespace.conf", the pam_namespace configuration file. * the pam_selinux module was not relabeling the controlling tty correctly, and in some cases it did not send complete information about user role and level change to the audit subsystem. These updated packages add the following enhancements: * pam_limits module now supports parsing additional config files placed into the /etc/security/limits.d/ directory. These files are read after the main configuration file. * the modules pam_limits, pam_access, and pam_time now send a message to the audit subsystem when a user is denied access based on the number of login sessions, origin of user, and time of login. * pam_unix module security properties were improved. Functionality in the setuid helper binary, unix_chkpwd, which was not required for user authentication, was moved to a new non-setuid helper binary, unix_update. All users of PAM should upgrade to these updated packages, which resolve these issues and add these enhancements. Moderate Copyright 2008 Red Hat, Inc. CVE-2007-1716 CVE-2007-3102 pam_namespace should convert the context names before it uses them as filenames LSPP: Not able to log into the machine with large number of categories FIPS 200: audit rejection based on number of sessions, origin and time CVE-2007-1716 Ownership of devices not returned to root after logout from console [LSPP] pam_namespace crashes with non-existent users in namespace.conf [LSPP] incorrect information in pam_selinux audit record LSPP: Unable to change expired password on ssh login namespace.conf: $HOME used in polyinstantiated directory name not being expanded LSPP: polyinstantiation behavior correct and documented CVE-2007-3102 audit logging of failed logins cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The Apache HTTP Server is a popular Web server. The Apache HTTP Server did not verify that a process was an Apache child process before sending it signals. A local attacker with the ability to run scripts on the Apache HTTP Server could manipulate the scoreboard and cause arbitrary processes to be terminated which could lead to a denial of service (CVE-2007-3304). This issue is not exploitable on Red Hat Enterprise Linux 5 if using the default SELinux targeted policy. A flaw was found in the Apache HTTP Server mod_status module. On sites where the server-status page is publicly accessible and ExtendedStatus is enabled this could lead to a cross-site scripting attack. On Red Hat Enterprise Linux the server-status page is not enabled by default and it is best practice to not make this publicly available. (CVE-2006-5752) A bug was found in the Apache HTTP Server mod_cache module. On sites where caching is enabled, a remote attacker could send a carefully crafted request that would cause the Apache child process handling that request to crash. This could lead to a denial of service if using a threaded Multi-Processing Module. (CVE-2007-1863) Users of httpd should upgrade to these updated packages, which contain backported patches to correct these issues. Users should restart Apache after installing this update. Moderate Copyright 2007 Red Hat, Inc. CVE-2006-5752 CVE-2007-1863 CVE-2007-3304 CVE-2007-1863 httpd mod_cache segfault CVE-2007-3304 httpd scoreboard lack of PID protection CVE-2006-5752 httpd mod_status XSS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 cman is the Red Hat Cluster Manager. A flaw was found in the cman daemon. A local attacker could connect to the cman daemon and trigger a static buffer overflow leading to a denial of service or, potentially, an escalation of privileges. (CVE-2007-3374) Users of Cluster Manager should upgrade to these updated packages, which contain a backported patch to correct this issue. Important Copyright 2007 Red Hat, Inc. CVE-2007-3374 CVE-2007-3374 possible buffer overflow could cause local DoS by crashing cman cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Kerberos is a network authentication system which allows clients and servers to authenticate to each other through use of symmetric encryption and a trusted third party, the KDC. kadmind is the KADM5 administration server. David Coffey discovered an uninitialized pointer free flaw in the RPC library used by kadmind. On Red Hat Enterprise Linux 4 and 5, glibc detects attempts to free invalid pointers. A remote unauthenticated attacker who can access kadmind could trigger this flaw and cause kadmind to crash. (CVE-2007-2442) David Coffey also discovered an overflow flaw in the RPC library used by kadmind. On Red Hat Enterprise Linux, exploitation of this flaw is limited to a denial of service. A remote unauthenticated attacker who can access kadmind could trigger this flaw and cause kadmind to crash. (CVE-2007-2443) A stack buffer overflow flaw was found in kadmind. An authenticated attacker who can access kadmind could trigger this flaw and potentially execute arbitrary code on the Kerberos server. (CVE-2007-2798) Users of krb5-server are advised to update to these erratum packages which contain backported fixes to correct these issues. Important Copyright 2007 Red Hat, Inc. CVE-2007-2442 CVE-2007-2443 CVE-2007-2798 CVE-2007-2442 krb5 RPC library unitialized pointer free CVE-2007-2443 krb5 RPC library stack overflow CVE-2007-2798 krb5 kadmind buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Tomcat is a servlet container for Java Servlet and JavaServer Pages (JSP) technologies. Some JSPs within the 'examples' web application did not escape user provided data. If the JSP examples were accessible, this flaw could allow a remote attacker to perform cross-site scripting attacks (CVE-2007-2449). Note: it is recommended the 'examples' web application not be installed on a production system. The Manager and Host Manager web applications did not escape user provided data. If a user is logged in to the Manager or Host Manager web application, an attacker could perform a cross-site scripting attack (CVE-2007-2450). Users of Tomcat should update to these erratum packages, which contain backported patches to correct these issues. Moderate Copyright 2007 Red Hat, Inc. CVE-2007-2449 CVE-2007-2450 CVE-2007-2449 tomcat examples jsp XSS CVE-2007-2450 tomcat host manager XSS /var/tmp/rpm-tmp.25596: line 5: /usr/bin/rebuild-gcj-db: No such file or directory cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The Linux kernel handles the basic functions of the operating system. These new kernel packages contain a fix for the following security issue: * a flaw in the signal handling on PowerPC-based systems that allowed a local user to cause a denial of service (floating point corruption). (CVE-2007-3107, Moderate). In addition to the security issue described above, a fix for the following have been included: * a bug that can lead to data corruption with ServerWorks IDE controllers. Red Hat Enterprise Linux 5 users are advised to upgrade to these packages, which contain backported patches to correct these issues. Moderate Copyright 2007 Red Hat, Inc. CVE-2007-3107 CVE-2007-3107 Data buffer miscompare on PowerPC when running HTX cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 HelixPlayer is a media player. A buffer overflow flaw was found in the way HelixPlayer processed Synchronized Multimedia Integration Language (SMIL) files. It was possible for a malformed SMIL file to execute arbitrary code with the permissions of the user running HelixPlayer. (CVE-2007-3410) All users of HelixPlayer are advised to upgrade to this updated package, which contains a backported patch and is not vulnerable to this issue. Critical Copyright 2007 Red Hat, Inc. CVE-2007-3410 CVE-2007-3410 RealPlayer/HelixPlayer buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 coolkey contains the driver support for the CoolKey and Common Access Card (CAC) Smart Card products. The CAC is used by the U.S. Government. Steve Grubb discovered a flaw in the way coolkey created a temporary directory. A local attacker could perform a symlink attack and cause arbitrary files to be overwritten. (CVE-2007-4129) In addition, the updated packages contain fixes for the following bugs in the CAC Smart Card support: * CAC Smart Cards can have from 1 to 3 certificates. The coolkey driver, however, was not recognizing cards if they had less than 3 certificates. * logging into a CAC Smart Card token with a new application would cause other, already authenticated, applications to lose their login status unless the Smart Card was then removed from the reader and re-inserted. All CAC users should upgrade to these updated packages, which resolve these issues. Low Copyright 2008 Red Hat, Inc. CVE-2007-4129 Coolkey does not support CAC cards with less than 3 certs Open apps loose the CAC card after a C_logout from another app. CVE-2007-4129 coolkey file and directory permission flaw cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The Conga package is a web-based administration tool for remote cluster and storage management. A flaw was found in ricci during a code audit. A remote attacker who is able to connect to ricci could cause ricci to temporarily refuse additional connections, a denial of service (CVE-2007-4136). Fixes in this updated package include: * The nodename is now set for manual fencing. * The node log no longer displays in random order. * A bug that prevented a node from responding when a cluster was deleted is now fixed. * A PAM configuration that incorrectly called the deprecated module pam_stack was removed. * A bug that prevented some quorum disk configurations from being accepted is now fixed. * Setting multicast addresses now works properly. * rpm -V on luci no longer fails. * The user interface rendering time for storage interface is now faster. * An error message that incorrectly appeared when rebooting nodes during cluster creation was removed. * Cluster snaps configuration (an unsupported feature) has been removed altogether to prevent user confusion. * A user permission bug resulting from a luci code error is now fixed. * luci and ricci init script return codes are now LSB-compliant. * VG creation on cluster nodes now defaults to "clustered". * An SELinux AVC bug that prevented users from setting up shared storage on nodes is now fixed. * An access error that occurred when attempting to access a cluster node after its cluster was deleted is now fixed. * IP addresses can now be used to create clusters. * Attempting to configure a fence device no longer results in an AttributeError. * Attempting to create a new fence device to a valid cluster no longer results in a KeyError. * Several minor user interface validation errors have been fixed, such as enforcing cluster name length and fence port, etc. * A browser lock-up that could occur during storage configuration has been fixed. * Virtual service creation now works without error. * The fence_xvm tag is no longer misspelled in the cluster.conf file. * Luci failover forms are complete and working. * Rebooting a fresh cluster install no longer generates an error message. * A bug that prevented failed cluster services from being started is now fixed. * A bug that caused some cluster operations (e.g., node delete) to fail on clusters with mixed-cased cluster names is now fixed. * Global cluster resources can be reused when constructing cluster services. Enhancements in this updated package include: * Users can now access Conga through Internet Explorer 6. * Dead nodes can now be evicted from a cluster. * Shared storage on new clusters is now enabled by default. * The fence user-interface flow is now simpler. * A port number is now shown in ricci error messages. * The kmod-gfs-xen kernel module is now installed when creating a cluster. * Cluster creation status is now shown visually. * User names are now sorted for display. * The fence_xvmd tag can now be added from the dom0 cluster nodes. * The ampersand character (&) can now be used in fence names. * All packaged files are now installed with proper owners and permissions. * New cluster node members are now properly initialized. * Storage operations can now be completed even if an LVM snapshot is present. * Users are now informed via dialog when nodes are rebooted as part of a cluster operation. * Failover domains are now properly listed for virtual services and traditional clustered services. * Luci can now create and distribute keys for fence_xvmd. All Conga users are advised to upgrade to this update, which applies these fixes and enhancements. Moderate Copyright 2008 Red Hat, Inc. CVE-2007-4136 create cluster does not show status as cluster is being created cannot create cluster using ip addresses luci - should display usernames in some logical/sorted order (usability) luci - adding node to a cluster - confirm dialog displays cluster name in place of node name (minor) Node log displayed in partially random order Combining reauthentication/deletion options in one luci display can cause user confusion (usability - post RHEL5 GA) Error trying to create a new fence device for a cluster node SELinux AVC denied { read } for pid=2390 comm="mdadm" - accessing storage on a node Conga allows creation/rename of clusters with name greater than 15 characters Cluster cannot be deleted (from 'Manage Systems') - but no error results luci web app does not enforce selection of fence port Create/delete cluster - then access disk on node = Generic error on host: cluster tools: cman_tool errored Need more luci service information on startup - no info written to log about failed start cause cman cluster needs restart when going from >=3 to 2 nodes and 2 to >= 3 nodes saslauthd[2274]: Deprecated pam_stack module called from service "ricci" Intermittent/recurring problem - when cluster is deleted, sometimes a node is not affected Entering bad password when creating a new cluster = UnboundLocalError: local variable 'e' referenced before assignment Lack of debugging information in logs - support issue luci failover domain forms are missing/empty fence_xvm is incorrectly listed as "xmv" in virtual cluster Advanced options parameters settings don't do anything Unable to configure a virtual service kmod-gfs-xen not installed with Conga install 'enable shared storage' option cleared whenever there is a configuration error Must manually edit cluster.conf on the dom0 cluster to add "<fence_xvmd/>" conga does not set the "nodename" attribute for manual fencing Conga provides no way to remove a dead node from a cluster Online User Manual needs modification conga storage: default VG creation should be clustered if a cluster node conga cluster: make 'enable shared storage' the default rpm verify fails on luci Conga storage UI front-end is too slow rendering storage Installation using Conga shows "error" in message during reboot cycle. Conga tries to configurage cluster snaps, though they are not available. Eliminate confusion in add fence flow can't set user permissions in luci luci init script can return non-LSB-compliant return codes ricci init script can exit with non-LSB-compliant return codes Add port number to message when ricci is not started/firewalled on cluster nodes. Successful login results in an infinite redirection loop with MSIE Conga needs to support Internet Explorer 6.0 and later luci sets incorrect permissions on /usr/lib64/luci and /var/lib/luci AttributeError when attempting to configure a fence device Unable to add a new fence device to cluster RFE: tell user they are about to kill all their nodes delete node task fails to do all items listed in the help document conga is unable to do storage operations if there is an lvm snapshot present Use of failover domain not correctly shown storage name warning utility produces a storm of warnings which can lock your browser ZeroDivisionError when attempting to click an empty lvm volume group conga doesn't allow you to reuse nfs export and nfs client resources Cannot specify multicast address for a cluster Impossible to set many valid quorum disk configurations via conga CVE-2007-4136 ricci is vulnerable to a connect DoS attack cpe:/a:redhat:rhel_cluster Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 The Apache HTTP Server is a popular Web server. The Apache HTTP Server did not verify that a process was an Apache child process before sending it signals. A local attacker with the ability to run scripts on the Apache HTTP Server could manipulate the scoreboard and cause arbitrary processes to be terminated which could lead to a denial of service. (CVE-2007-3304). Users of httpd should upgrade to these updated packages, which contain backported patches to correct this issue. Users should restart Apache after installing this update. Moderate Copyright 2007 Red Hat, Inc. CVE-2007-3304 CVE-2007-3304 httpd scoreboard lack of PID protection cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the security issues described below: * a flaw in the ISDN CAPI subsystem that allowed a remote user to cause a denial of service or potential privilege escalation. (CVE-2007-1217, Moderate) * a flaw in the Bluetooth subsystem that allowed a local user to trigger an information leak. (CVE-2007-1353, Low) In addition to the security issues described above, fixes for the following have been included: * a race condition in the e1000 network driver that could cause ESB2 systems to be started without the RX unit being turned on. * a related e1000 bug on ESB2 systems that could cause rlogin to fail. Red Hat would like to thank Ilja van Sprundel for reporting an issue fixed in this erratum. Note: The kernel-unsupported package contains various drivers and modules that are unsupported and therefore might contain security problems that have not been addressed. All Red Hat Enterprise Linux 3 users are advised to upgrade their kernels to the packages associated with their machine architecture and configurations as listed in this erratum. Moderate Copyright 2007 Red Hat, Inc. CVE-2007-1217 CVE-2007-1353 CVE-2007-1217 Overflow in CAPI subsystem CVE-2007-1353 Bluetooth setsockopt() information leaks cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 5 Net::DNS is a collection of Perl modules that act as a Domain Name System (DNS) resolver. A flaw was found in the way Net::DNS generated the ID field in a DNS query. This predictable ID field could be used by a remote attacker to return invalid DNS data. (CVE-2007-3377) A denial of service flaw was found in the way Net::DNS parsed certain DNS requests. A malformed response to a DNS request could cause the application using Net::DNS to crash or stop responding. (CVE-2007-3409) Users of Net::DNS should upgrade to these updated packages, which contain backported patches to correct these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2007-3377 CVE-2007-3409 CVE-2007-3377 perl-Net-DNS security issue CVE-2007-3409 Perl Net::DNS denial of service cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Net::DNS is a collection of Perl modules that act as a Domain Name System (DNS) resolver. A flaw was found in the way Net::DNS generated the ID field in a DNS query. This predictable ID field could be used by a remote attacker to return invalid DNS data. (CVE-2007-3377) Users of Net::DNS should upgrade to this updated package, which contains backported patches to correct this issue. Moderate Copyright 2007 Red Hat, Inc. CVE-2007-3377 CVE-2007-3377 perl-Net-DNS security issue cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 The flash-plugin package contains a Firefox-compatible Adobe Flash Player browser plug-in. An input validation flaw was found in the way Flash Player displayed certain content. It may be possible to execute arbitrary code on a victim's machine if the victim opens a malicious Adobe Flash file. (CVE-2007-3456) Users of Adobe Flash Player should upgrade to this updated package, which contains version 9.0.47.0. and is not vulnerable to this issue. Critical Copyright 2007 Red Hat, Inc. CVE-2007-3456 CVE-2007-3456 flash-plugin input validation flaw cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 4 The xterm program is a terminal emulator for the X Window System. It provides DEC VT102 and Tektronix 4014 compatible terminals for programs that cannot use the window system directly. A bug was found in the way xterm packages were built that caused the pseudo-terminal device files of the xterm emulated terminals to be owned by the incorrect group. This flaw did not affect Red Hat Enterprise Linux 4 Update 4 and earlier. (CVE-2007-2797) All users of xterm are advised to upgrade to this updated package, which contains a patch to correct this issue. Low Copyright 2007 Red Hat, Inc. CVE-2007-2797 CVE-2007-2797 Wrong settings for the tty (mesg: error: tty device is not owned by group `tty') cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. These packages include the core files necessary for both the OpenSSH client and server. A flaw was found in the way the ssh server wrote account names to the audit subsystem. An attacker could inject strings containing parts of audit messages which could possibly mislead or confuse audit log parsing tools. (CVE-2007-3102) A flaw was found in the way the OpenSSH server processes GSSAPI authentication requests. When GSSAPI authentication was enabled in OpenSSH server, a remote attacker may have been able to determine if a username is valid. (CVE-2006-5052) The following bugs were also fixed: * the ssh daemon did not generate audit messages when an ssh session was closed. * GSSAPI authentication sometimes failed on clusters using DNS or load-balancing. * the sftp client and server leaked small amounts of memory in some cases. * the sftp client didn't properly exit and return non-zero status in batch mode when the destination disk drive was full. * when restarting the ssh daemon with the initscript, the ssh daemon was sometimes not restarted successfully because the old running ssh daemon was not properly killed. * with challenge/response authentication enabled, the pam sub-process was not terminated if the user authentication timed out. All users of openssh should upgrade to these updated packages, which contain patches to correct these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2006-5052 CVE-2007-3102 CVE-2006-5052 Kerberos information leak memory leak fixed in RHEL3 but present in RHEL4 Trying to restart a hung/frozen sshd daemon doesn't show correct status sftp problem while transferring files to a partition which is 100% full CVE-2007-3102 audit logging of failed logins cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the following security issues: * a flaw in the DRM driver for Intel graphics cards that allowed a local user to access any part of the main memory. To access the DRM functionality a user must have access to the X server which is granted through the graphical login. This also only affected systems with an Intel 965 or later graphic chipset. (CVE-2007-3851, Important) * a flaw in the VFAT compat ioctl handling on 64-bit systems that allowed a local user to corrupt a kernel_dirent struct and cause a denial of service (system crash). (CVE-2007-2878, Important) * a flaw in the connection tracking support for SCTP that allowed a remote user to cause a denial of service by dereferencing a NULL pointer. (CVE-2007-2876, Important) * flaw in the CIFS filesystem which could cause the umask values of a process to not be honored. This affected CIFS filesystems where the Unix extensions are supported. (CVE-2007-3740, Important) * a flaw in the stack expansion when using the hugetlb kernel on PowerPC systems that allowed a local user to cause a denial of service. (CVE-2007-3739, Moderate) * a flaw in the ISDN CAPI subsystem that allowed a remote user to cause a denial of service or potential remote access. Exploitation would require the attacker to be able to send arbitrary frames over the ISDN network to the victim's machine. (CVE-2007-1217, Moderate) * a flaw in the cpuset support that allowed a local user to obtain sensitive information from kernel memory. To exploit this the cpuset filesystem would have to already be mounted. (CVE-2007-2875, Moderate) * a flaw in the CIFS handling of the mount option "sec=" that didn't enable integrity checking and didn't produce any error message. (CVE-2007-3843, Low) Red Hat Enterprise Linux 5 users are advised to upgrade to these packages, which contain backported patches to correct these issues. Important Copyright 2007 Red Hat, Inc. CVE-2007-1217 CVE-2007-2875 CVE-2007-2876 CVE-2007-2878 CVE-2007-3739 CVE-2007-3740 CVE-2007-3843 CVE-2007-3851 CVE-2007-1217 Overflow in CAPI subsystem CVE-2007-2875 cpuset information leak CVE-2007-2876 {ip, nf}_conntrack_sctp: remotely triggerable NULL ptr dereference CVE-2007-2878 VFAT compat ioctls DoS on 64-bit CVE-2007-3851 i965 DRM allows insecure packets CVE-2007-3739 LTC36188-Don't allow the stack to grow into hugetlb reserved regions CVE-2007-3740 CIFS should honor umask CVE-2007-3843 CIFS signing sec= mount options don't work correctly cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Wireshark is a program for monitoring network traffic. Several denial of service bugs were found in Wireshark's HTTP, iSeries, DCP ETSI, SSL, MMS, DHCP and BOOTP protocol dissectors. It was possible for Wireshark to crash or stop responding if it read a malformed packet off the network. (CVE-2007-3389, CVE-2007-3390, CVE-2007-3391, CVE-2007-3392, CVE-2007-3393) Wireshark would interpret certain completion codes incorrectly when dissecting IPMI traffic. Additionally, IPMI 2.0 packets would be reported as malformed IPMI traffic. Users of Wireshark should upgrade to these updated packages containing Wireshark version 0.99.6, which correct these issues. Low Copyright 2007 Red Hat, Inc. CVE-2007-3389 CVE-2007-3390 CVE-2007-3391 CVE-2007-3392 CVE-2007-3393 CVE-2007-3389 Wireshark crashes when inspecting HTTP traffic CVE-2007-3391 Wireshark loops infinitely when inspecting DCP ETSI traffic CVE-2007-3392 Wireshark loops infinitely when inspecting SSL traffic CVE-2007-3393 Wireshark corrupts the stack when inspecting BOOTP traffic CVE-2007-3390 Wireshark crashes when inspecting iSeries traffic CVE-2007-3392 Wireshark crashes when inspecting MMS traffic cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Wireshark is a program for monitoring network traffic. Several denial of service bugs were found in Wireshark's HTTP, iSeries, DCP ETSI, SSL, MMS, DHCP and BOOTP protocol dissectors. It was possible for Wireshark to crash or stop responding if it read a malformed packet off the network. (CVE-2007-3389, CVE-2007-3390, CVE-2007-3391, CVE-2007-3392, CVE-2007-3393) Users of Wireshark and Ethereal should upgrade to these updated packages, containing Wireshark version 0.99.6, which is not vulnerable to these issues. Low Copyright 2007 Red Hat, Inc. CVE-2007-3389 CVE-2007-3390 CVE-2007-3391 CVE-2007-3392 CVE-2007-3393 CVE-2007-3389 Wireshark crashes when inspecting HTTP traffic CVE-2007-3391 Wireshark loops infinitely when inspecting DCP ETSI traffic CVE-2007-3392 Wireshark loops infinitely when inspecting SSL traffic CVE-2007-3393 Wireshark corrupts the stack when inspecting BOOTP traffic CVE-2007-3390 Wireshark crashes when inspecting iSeries traffic CVE-2007-3392 Wireshark crashes when inspecting MMS traffic cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX(R) operating systems. Maurycy Prodeus discovered an integer overflow flaw in the way CUPS processes PDF files. An attacker could create a malicious PDF file that could potentially execute arbitrary code when printed. (CVE-2007-3387) All users of CUPS should upgrade to these updated packages, which contain a backported patch to resolve this issue. Important Copyright 2008 Red Hat, Inc. CVE-2007-3387 CVE-2007-3387 xpdf integer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 Qt is a software toolkit that simplifies the task of writing and maintaining GUI (Graphical User Interface) applications for the X Window System. Several format string flaws were found in Qt error message handling. If an application linked against Qt created an error message from user supplied data in a certain way, it could lead to a denial of service or possibly allow the execution of arbitrary code. (CVE-2007-3388) Users of Qt should upgrade to these updated packages, which contain a backported patch to correct these issues. Red Hat would like to acknowledge Tim Brown of Portcullis Computer Security and Dirk Mueller for these issues. Moderate Copyright 2007 Red Hat, Inc. CVE-2007-3388 CVE-2007-3388 qt3 format string flaw cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 SeaMonkey is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. Several flaws were found in the way SeaMonkey processed certain malformed JavaScript code. A web page containing malicious JavaScript code could cause SeaMonkey to crash or potentially execute arbitrary code as the user running SeaMonkey. (CVE-2007-3734, CVE-2007-3735, CVE-2007-3737, CVE-2007-3738) Several content injection flaws were found in the way SeaMonkey handled certain JavaScript code. A web page containing malicious JavaScript code could inject arbitrary content into other web pages. (CVE-2007-3736, CVE-2007-3089) A flaw was found in the way SeaMonkey cached web pages on the local disk. A malicious web page may be able to inject arbitrary HTML into a browsing session if the user reloads a targeted site. (CVE-2007-3656) Users of SeaMonkey are advised to upgrade to these erratum packages, which contain backported patches that correct these issues. Critical Copyright 2007 Red Hat, Inc. CVE-2007-3089 CVE-2007-3656 CVE-2007-3734 CVE-2007-3735 CVE-2007-3736 CVE-2007-3737 CVE-2007-3738 CVE-2007-3089 various flaws in mozilla products (CVE-2007-3734 CVE-2007-3735 CVE-2007-3736 CVE-2007-3737 CVE-2007-3656 CVE-2007-3738) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Thunderbird is a standalone mail and newsgroup client. Several flaws were found in the way Thunderbird processed certain malformed JavaScript code. A malicious HTML email message containing JavaScript code could cause Thunderbird to crash or potentially execute arbitrary code as the user running Thunderbird. JavaScript support is disabled by default in Thunderbird; these issues are not exploitable unless the user has enabled JavaScript. (CVE-2007-3089, CVE-2007-3734, CVE-2007-3735, CVE-2007-3736, CVE-2007-3737, CVE-2007-3738) Users of Thunderbird are advised to upgrade to these erratum packages, which contain backported patches that correct these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2007-3089 CVE-2007-3734 CVE-2007-3735 CVE-2007-3736 CVE-2007-3737 CVE-2007-3738 CVE-2007-3089 various flaws in mozilla products (CVE-2007-3734 CVE-2007-3735 CVE-2007-3736 CVE-2007-3737 CVE-2007-3656 CVE-2007-3738) cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Firefox is an open source Web browser. Several flaws were found in the way Firefox processed certain malformed JavaScript code. A web page containing malicious JavaScript code could cause Firefox to crash or potentially execute arbitrary code as the user running Firefox. (CVE-2007-3734, CVE-2007-3735, CVE-2007-3737, CVE-2007-3738) Several content injection flaws were found in the way Firefox handled certain JavaScript code. A web page containing malicious JavaScript code could inject arbitrary content into other web pages. (CVE-2007-3736, CVE-2007-3089) A flaw was found in the way Firefox cached web pages on the local disk. A malicious web page may be able to inject arbitrary HTML into a browsing session if the user reloads a targeted site. (CVE-2007-3656) Users of Firefox are advised to upgrade to these erratum packages, which contain backported patches that correct these issues. Critical Copyright 2008 Red Hat, Inc. CVE-2007-3089 CVE-2007-3656 CVE-2007-3734 CVE-2007-3735 CVE-2007-3736 CVE-2007-3737 CVE-2007-3738 CVE-2007-3089 various flaws in mozilla products (CVE-2007-3734 CVE-2007-3735 CVE-2007-3736 CVE-2007-3737 CVE-2007-3656 CVE-2007-3738) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 The kdegraphics packages contain applications for the K Desktop Environment including kpdf, a PDF file viewer. Maurycy Prodeus discovered an integer overflow flaw in the processing of PDF files. An attacker could create a malicious PDF file that would cause kpdf to crash or potentially execute arbitrary code when opened. (CVE-2007-3387) All users of kdegraphics should upgrade to these updated packages, which contain a backported patch to resolve this issue. Important Copyright 2007 Red Hat, Inc. CVE-2007-3387 CVE-2007-3387 xpdf integer overflow cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 gpdf is a GNOME based viewer for Portable Document Format (PDF) files. Maurycy Prodeus discovered an integer overflow flaw in the processing of PDF files. An attacker could create a malicious PDF file that would cause gpdf to crash or potentially execute arbitrary code when opened. (CVE-2007-3387) All users of gpdf should upgrade to these updated packages, which contain a backported patch to resolve this issue. Important Copyright 2007 Red Hat, Inc. CVE-2007-3387 CVE-2007-3387 xpdf integer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 TeTeX is an implementation of TeX. TeX takes a text file and a set of formatting commands as input and creates a typesetter-independent .dvi (DeVice Independent) file as output. Maurycy Prodeus discovered an integer overflow flaw in the processing of PDF files. An attacker could create a malicious PDF file that would cause TeTeX to crash or potentially execute arbitrary code when opened. (CVE-2007-3387) All users of TeTeX should upgrade to these updated packages, which contain a backported patch to resolve this issue. Important Copyright 2007 Red Hat, Inc. CVE-2007-3387 CVE-2007-3387 xpdf integer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Poppler is a PDF rendering library, used by applications such as evince. Maurycy Prodeus discovered an integer overflow flaw in the processing of PDF files. An attacker could create a malicious PDF file that would cause an application linked with poppler to crash or potentially execute arbitrary code when opened. (CVE-2007-3387) All users of poppler should upgrade to these updated packages, which contain a backported patch to resolve this issue. Important Copyright 2007 Red Hat, Inc. CVE-2007-3387 CVE-2007-3387 xpdf integer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 Xpdf is an X Window System-based viewer for Portable Document Format (PDF) files. Maurycy Prodeus discovered an integer overflow flaw in the processing of PDF files. An attacker could create a malicious PDF file that would cause Xpdf to crash or potentially execute arbitrary code when opened. (CVE-2007-3387) All users of Xpdf should upgrade to these updated packages, which contain a backported patch to resolve this issue. Important Copyright 2007 Red Hat, Inc. CVE-2007-3387 CVE-2007-3387 xpdf integer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Pluggable Authentication Modules (PAM) provide a system whereby administrators can set up authentication policies without having to recompile programs that handle authentication. A flaw was found in the way pam_console set console device permissions. It was possible for various console devices to retain ownership of the console user after logging out, possibly leaking information to another local user. (CVE-2007-1716) A flaw was found in the way the PAM library wrote account names to the audit subsystem. An attacker could inject strings containing parts of audit messages, which could possibly mislead or confuse audit log parsing tools. (CVE-2007-3102) As well, these updated packages fix the following bugs: * the pam_xauth module, which is used for copying the X11 authentication cookie, did not reset the "XAUTHORITY" variable in certain circumstances, causing unnecessary delays when using su command. * when calculating password similarity, pam_cracklib disregarded changes to the last character in passwords when "difok=x" (where "x" is the number of characters required to change) was configured in "/etc/pam.d/system-auth". This resulted in password changes that should have been successful to fail with the following error: BAD PASSWORD: is too similar to the old one This issue has been resolved in these updated packages. * the pam_limits module, which provides setting up system resources limits for user sessions, reset the nice priority of the user session to "0" if it was not configured otherwise in the "/etc/security/limits.conf" configuration file. These updated packages add the following enhancement: * a new PAM module, pam_tally2, which allows accounts to be locked after a maximum number of failed log in attempts. All users of PAM should upgrade to these updated packages, which resolve these issues and add this enhancement. Moderate Copyright 2008 Red Hat, Inc. CVE-2007-1716 CVE-2007-3102 XAUTHORITY env var not reset on 'su -' CVE-2007-1716 Ownership of devices not returned to root after logout from console CVE-2007-3102 audit logging of failed logins pam_cracklib.so disregards changes to last char when calculating similarity cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 ISC BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols. A flaw was found in the way BIND generates outbound DNS query ids. If an attacker is able to acquire a finite set of query IDs, it becomes possible to accurately predict future query IDs. Future query ID prediction may allow an attacker to conduct a DNS cache poisoning attack, which can result in the DNS server returning incorrect client query data. (CVE-2007-2926) Users of BIND are advised to upgrade to these updated packages, which contain backported patches to correct this issue. Moderate Copyright 2007 Red Hat, Inc. CVE-2007-2926 CVE-2007-2926 bind cryptographically weak query ids cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The Apache HTTP Server is a popular and freely-available Web server. A flaw was found in the Apache HTTP Server mod_proxy module. On sites where a reverse proxy is configured, a remote attacker could send a carefully crafted request that would cause the Apache child process handling that request to crash. On sites where a forward proxy is configured, an attacker could cause a similar crash if a user could be persuaded to visit a malicious site using the proxy. This could lead to a denial of service if using a threaded Multi-Processing Module. (CVE-2007-3847) As well, these updated packages fix the following bugs: * Set-Cookie headers with a status code of 3xx are not forwarded to clients when the "ProxyErrorOverride" directive is enabled. These responses are overridden at the proxy. Only the responses with status codes of 4xx and 5xx are overridden in these updated packages. * the default "/etc/logrotate.d/httpd" script incorrectly invoked the kill command, instead of using the "/sbin/service httpd restart" command. If you configured the httpd PID to be in a location other than "/var/run/httpd.pid", the httpd logs failed to be rotated. This has been resolved in these updated packages. * the "ProxyTimeout" directive was not inherited across virtual host definitions. * the logresolve utility was unable to read lines longer the 1024 bytes. This update adds the following enhancements: * a new configuration option has been added, "ServerTokens Full-Release", which adds the package release to the server version string, which is returned in the "Server" response header. * a new module has been added, mod_version, which allows configuration files to be written containing sections, which are evaluated only if the version of httpd used matches a specified condition. Users of httpd are advised to upgrade to these updated packages, which resolve these issues and add these enhancements. Moderate Copyright 2008 Red Hat, Inc. CVE-2007-3847 Mod_proxy_http ProxyErrorOverride eating cookies [RFE] Apache does not report patch level when scanned logrotate.d/httpd postrotate must use initscripts mod_proxy configuration inheritance issue long lines incorrectly handled by Apache's logresolve CVE-2007-3847 httpd out of bounds read cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The Apache HTTP Server is a popular and freely-available Web server. A flaw was found in the Apache HTTP Server mod_proxy module. On sites where a reverse proxy is configured, a remote attacker could send a carefully crafted request that would cause the Apache child process handling that request to crash. On sites where a forward proxy is configured, an attacker could cause a similar crash if a user could be persuaded to visit a malicious site using the proxy. This could lead to a denial of service if using a threaded Multi-Processing Module. (CVE-2007-3847) As well, these updated packages fix the following bugs: * the default "/etc/logrotate.d/httpd" script incorrectly invoked the kill command, instead of using the "/sbin/service httpd restart" command. If you configured the httpd PID to be in a location other than "/var/run/httpd.pid", the httpd logs failed to be rotated. This has been resolved in these updated packages. * Set-Cookie headers with a status code of 3xx are not forwarded to clients when the "ProxyErrorOverride" directive is enabled. These responses are overridden at the proxy. Only the responses with status codes of 4xx and 5xx are overridden in these updated packages. * mod_proxy did not correctly handle percent-encoded characters (ie %20) when configured as a reverse proxy. * invalid HTTP status codes could be logged if output filters returned errors. * the "ProxyTimeout" directive was not inherited across virtual host definitions. * in some cases the Content-Length header was dropped from HEAD responses. This resulted in certain sites not working correctly with mod_proxy, such as www.windowsupdate.com. This update adds the following enhancements: * a new configuration option has been added, "ServerTokens Full-Release", which adds the package release to the server version string, which is returned in the "Server" response header. * a new module has been added, mod_version, which allows configuration files to be written containing sections, which are evaluated only if the version of httpd used matches a specified condition. Users of httpd are advised to upgrade to these updated packages, which resolve these issues and add these enhancements. Moderate Copyright 2008 Red Hat, Inc. CVE-2007-3847 windowsupdate.microsoft.com does not work with mod_proxy %>s incorrectly logs status code as 70007 - default handler returns output filter apr_status_t value mod_proxy not handling percent chars in URLs correctly Mod_proxy_http ProxyErrorOverride eating cookies logrotate.d/httpd postrotate must use initscripts Reverse Proxy Unexpected Timeout Identify httpd version to configuration CVE-2007-3847 httpd out of bounds read cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The libgtop2 package contains a library for obtaining information about a running system, such as cpu, memory and disk usage; active processes; and PIDs. A flaw was found in the way libgtop2 handled long filenames mapped into the address space of a process. An attacker could execute arbitrary code on behalf of the user running gnome-system-monitor by executing a process and mapping a file with a specially crafted name into the processes' address space. (CVE-2007-0235) This update also fixes the following bug: * when a version of libgtop2 compiled to run on a 32-bit architecture was used to inspect a process running in 64-bit mode, it failed to report certain information regarding address space mapping correctly. All users of gnome-system-monitor are advised to upgrade to this updated libgtop2 package, which contains backported patches that resolve these issues. Moderate Copyright 2007 Red Hat, Inc. CVE-2007-0235 LTC27411-bad PROC_MAPS_FORMAT in libgtop2-devel CVE-2007-0235 Stack overflow libgtop when pathname of mmap()-ed file is too long cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the security issues described below: * a flaw in the ISDN CAPI subsystem that allowed a remote user to cause a denial of service or potential remote access. Exploitation would require the attacker to be able to send arbitrary frames over the ISDN network to the victim's machine. (CVE-2007-1217, Moderate) * a flaw in the perfmon subsystem on ia64 platforms that allowed a local user to cause a denial of service. (CVE-2006-0558, Moderate) In addition, the following bugs were addressed: * a panic after reloading of the LSI Fusion driver. * a vm performance problem was corrected by balancing inactive page lists. * added a nodirplus option to address NFSv3 performance issues with large directories. * changed the personality handling to disallow personality changes of setuid and setgid binaries. This ensures they keep any randomization and Exec-shield protection. All Red Hat Enterprise Linux 4 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum. Moderate Copyright 2008 Red Hat, Inc. CVE-2006-0558 CVE-2007-1217 CVE-2007-1217 Overflow in CAPI subsystem lockup in shrink_zone when node out of memory CVE-2006-0558 ia64 crash cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Gdm (the GNOME Display Manager) is a highly configurable reimplementation of xdm, the X Display Manager. Gdm allows you to log into your system with the X Window System running and supports running several different X sessions on your local machine at the same time. A flaw was found in the way Gdm listens on its unix domain socket. A local user could crash a running X session by writing malicious data to Gdm's unix domain socket. (CVE-2007-3381) All users of gdm should upgrade to this updated package, which contains a backported patch that resolves this issue. Red Hat would like to thank JLANTHEA for reporting this issue. Moderate Copyright 2007 Red Hat, Inc. CVE-2007-3381 CVE-2007-3381 Gdm denial of service cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Mailman is a program used to help manage email discussion lists. A flaw was found in Mailman. A remote attacker could spoof messages in the error log, and possibly trick the administrator into visiting malicious URLs via a carriage return/line feed sequence in the URI. (CVE-2006-4624) As well, these updated packages fix the following bugs: * canceling a subscription on the confirm subscription request page caused mailman to crash. * editing the sender filter caused all spam filter rules to be deleted. * the migrate-fhs script was not included. * the mailman init script returned a zero (success) exit code even when an incorrect command was given. For example, the "mailman foo" command returned a zero exit code. In these updated packages the mailmain init script returns the correct exit codes. Users of Mailman are advised to upgrade to these updated packages, which resolve these issues. Low Copyright 2007 Red Hat, Inc. CVE-2006-4624 Canceling subscription confirmation crashes mailman CVE-2006-4624 mailman logfile CRLF injection Spam filters gets deleted when sender filter is edited mailman-2.1.5.1-34.rhel4.5 is missing migrate-fhs script Wrong init script cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The cyrus-sasl package contains the Cyrus implementation of SASL. SASL is the Simple Authentication and Security Layer, a method for adding authentication support to connection-based protocols. A bug was found in cyrus-sasl's DIGEST-MD5 authentication mechanism. As part of the DIGEST-MD5 authentication exchange, the client is expected to send a specific set of information to the server. If one of these items (the "realm") was not sent or was malformed, it was possible for a remote unauthenticated attacker to cause a denial of service (segmentation fault) on the server. (CVE-2006-1721) This errata also fixes the following bugs: * the Kerberos 5 library included in Red Hat Enterprise Linux 4 was not thread safe. This update adds functionality which allows it to be used safely in a threaded application. * several memory leak bugs were fixed in cyrus-sasl's DIGEST-MD5 authentication plug-in. * /dev/urandom is now used by default on systems which don't support hwrandom. Previously, dev/random was the default. * cyrus-sasl needs zlib-devel to build properly. This dependency information is now included in the package. Users are advised to upgrade to this updated cyrus-sasl package, which resolves these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2006-1721 [RFE] cyrus-sasl should use /dev/urandom by default CVE-2006-1721 cyrus-sasl digest-md5 DoS Missing build dependancy for zlib-devel in cyrus-sasl krb5-libs are not thread-safe Memory leaks in digest-md5 plugin sasl-sample-server crash cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 OpenSSL is a toolkit that implements Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. A flaw was found in the SSL_get_shared_ciphers() utility function. An attacker could send a list of ciphers to an application that used this function and overrun a buffer with a single byte (CVE-2007-5135). Few applications make use of this vulnerable function and generally it is used only when applications are compiled for debugging. A number of possible side-channel attacks were discovered affecting OpenSSL. A local attacker could possibly obtain RSA private keys being used on a system. In practice these attacks would be difficult to perform outside of a lab environment. This update contains backported patches designed to mitigate these issues. (CVE-2007-3108). Users of OpenSSL should upgrade to these updated packages, which contain backported patches to resolve these issues. Note: After installing this update, users are advised to either restart all services that use OpenSSL or restart their system. Moderate Copyright 2007 Red Hat, Inc. CVE-2007-3108 CVE-2007-5135 CVE-2007-3108 openssl: RSA side-channel attack CVE-NONE openssl branch prediction attacks CVE-2007-5135 openssl SSL_get_shared_ciphers() off-by-one cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 IBM's 1.4.2 SR9 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. A security vulnerability in the Java Web Start component was discovered. An untrusted application could elevate it's privileges and read and write local files that are accessible to the user running the Java Web Start application. (CVE-2007-2435) A buffer overflow in the Java Runtime Environment image handling code was found. An untrusted applet or application could use this flaw to elevate its privileges and potentially execute arbitrary code as the user running the java virtual machine. (CVE-2007-3004) An unspecified vulnerability was discovered in the Java Runtime Environment. An untrusted applet or application could cause the java virtual machine to become unresponsive. (CVE-2007-3005) All users of java-1.4.2-ibm should upgrade to these updated packages, which contain IBM's 1.4.2 SR9 Java release that resolves these issues. Critical Copyright 2007 Red Hat, Inc. CVE-2007-2435 CVE-2007-2788 CVE-2007-2789 CVE-2007-2435 javaws vulnerabilities CVE-2007-3004 Integer overflow in IBM JDK's ICC profile parser CVE-2007-3005 Unspecified vulnerability in Sun JRE cpe:/a:redhat:rhel_extras Supplementary for Red Hat Enterprise Linux 5 IBM's 1.5.0 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. A security vulnerability in the Java Web Start component was discovered. An untrusted application could elevate it's privileges, allowing it to read and write local files that are accessible to the user running the Java Web Start application. (CVE-2007-2435) A buffer overflow in the Java Runtime Environment image handling code was found. An untrusted applet or application could use this flaw to elevate its privileges and potentially execute arbitrary code as the user running the java virtual machine. (CVE-2007-2788, CVE-2007-2789, CVE-2007-3004) An unspecified vulnerability was discovered in the Java Runtime Environment. An untrusted applet or application could cause the java virtual machine to become unresponsive. (CVE-2007-3005) The Javadoc tool was able to generate HTML documentation pages that contained cross-site scripting (XSS) vulnerabilities. A remote attacker could use this to inject arbitrary web script or HTML. (CVE-2007-3503) The Java Web Start URL parsing component contains a buffer overflow vulnerability within the parsing code for JNLP files. A remote attacker could create a malicious JNLP file that could trigger this flaw and execute arbitrary code when opened. (CVE-2007-3655) A flaw was found in the applet class loader. An untrusted applet could use this flaw to circumvent network access restrictions, possibly connecting to services hosted on the machine that executed the applet. (CVE-2007-3922) All users of java-ibm-1.5.0 should upgrade to these updated packages, which contain IBM's 1.5.0 SR5a Java release that resolves these issues. Critical Copyright 2007 Red Hat, Inc. CVE-2007-2435 CVE-2007-2788 CVE-2007-2789 CVE-2007-3503 CVE-2007-3655 CVE-2007-3922 CVE-2007-4381 CVE-2007-2435 javaws vulnerabilities CVE-2007-3004 Integer overflow in IBM JDK's ICC profile parser CVE-2007-3503 HTML files generated with Javadoc are vulnerable to a XSS CVE-2007-3655 A buffer overflow vulnerability in Java Web Start URL parsing code CVE-2007-3922 Vulnerability in the Java Runtime Environment May Allow an Untrusted Applet to Circumvent Network Access Restrictions CVE-2007-2788 Integer overflow in the embedded ICC profile image parser in Sun Java Development Kit CVE-2007-2789 BMP image parser vulnerability CVE-2007-3005 Unspecified vulnerability in Sun JRE cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 3 The libvorbis package contains runtime libraries for use in programs that support Ogg Voribs. Ogg Vorbis is a fully open, non-proprietary, patent-and royalty-free, general-purpose compressed audio format. Several flaws were found in the way libvorbis processed audio data. An attacker could create a carefully crafted OGG audio file in such a way that it could cause an application linked with libvorbis to crash or execute arbitrary code when it was opened. (CVE-2007-3106, CVE-2007-4029, CVE-2007-4065, CVE-2007-4066) Users of libvorbis are advised to upgrade to this updated package, which contains backported patches that resolve these issues. Important Copyright 2008 Red Hat, Inc. CVE-2007-3106 CVE-2007-4029 CVE-2007-4065 CVE-2007-4066 CVE-2007-3106 libvorbis array boundary condition CVE-2007-4065 Multiple libvorbis flaws (CVE-2007-4066, CVE-2007-4029) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 3 OpenOffice.org is an office productivity suite that includes desktop applications such as a word processor, spreadsheet, presentation manager, formula editor, and drawing program. A heap overflow flaw was found in the TIFF parser. An attacker could create a carefully crafted document containing a malicious TIFF file that could cause OpenOffice.org to crash or possibly execute arbitrary code if opened by a victim. (CVE-2007-2834) All users of OpenOffice.org are advised to upgrade to these updated packages, which contain a backported fix to correct this issue. Important Copyright 2007 Red Hat, Inc. CVE-2007-2834 CVE-2007-2834 openoffice.org TIFF parsing heap overflow cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Kerberos is a network authentication system which allows clients and servers to authenticate to each other through use of symmetric encryption and a trusted third party, the KDC. kadmind is the KADM5 administration server. Tenable Network Security discovered a stack buffer overflow flaw in the RPC library used by kadmind. A remote unauthenticated attacker who can access kadmind could trigger this flaw and cause kadmind to crash. On Red Hat Enterprise Linux 5 it is not possible to exploit this flaw to run arbitrary code as the overflow is blocked by FORTIFY_SOURCE. (CVE-2007-3999) Garrett Wollman discovered an uninitialized pointer flaw in kadmind. A remote unauthenticated attacker who can access kadmind could trigger this flaw and cause kadmind to crash. (CVE-2007-4000) These issues did not affect the versions of Kerberos distributed with Red Hat Enterprise Linux 2.1, 3, or 4. Users of krb5-server are advised to update to these erratum packages which contain backported fixes to correct these issues. Important Copyright 2007 Red Hat, Inc. CVE-2007-3999 CVE-2007-4000 CVE-2007-3999 krb5 RPC library buffer overflow CVE-2007-4000 krb5 kadmind uninitialized pointer cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The GNU tar program saves many files together in one archive and can restore individual files (or all of the files) from that archive. A path traversal flaw was discovered in the way GNU tar extracted archives. A malicious user could create a tar archive that could write to arbitrary files to which the user running GNU tar had write access. (CVE-2007-4131) Red Hat would like to thank Dmitry V. Levin for reporting this issue. Users of tar should upgrade to this updated package, which contains a replacement backported patch to correct this issue. Moderate Copyright 2007 Red Hat, Inc. CVE-2007-4131 CVE-2007-4131 tar directory traversal vulnerability cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Tomcat is a servlet container for Java Servlet and Java Server Pages technologies. Tomcat was found treating single quote characters -- ' -- as delimiters in cookies. This could allow remote attackers to obtain sensitive information, such as session IDs, for session hijacking attacks (CVE-2007-3382). It was reported Tomcat did not properly handle the following character sequence in a cookie: \" (a backslash followed by a double-quote). It was possible remote attackers could use this failure to obtain sensitive information, such as session IDs, for session hijacking attacks (CVE-2007-3385). A cross-site scripting (XSS) vulnerability existed in the Host Manager Servlet. This allowed remote attackers to inject arbitrary HTML and web script via crafted requests (CVE-2007-3386). Users of Tomcat should update to these erratum packages, which contain backported patches and are not vulnerable to these issues. Moderate Copyright 2007 Red Hat, Inc. CVE-2007-3382 CVE-2007-3385 CVE-2007-3386 CVE-2007-3382 tomcat handling of cookies CVE-2007-3385 tomcat handling of cookie values CVE-2007-3386 tomcat host manager xss cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 3 Star is a tar-like archiver. It saves multiple files into a single tape or disk archive, and can restore individual files from the archive. Star includes multi-volume support, automatic archive format detection and ACL support. A path traversal flaw was discovered in the way star extracted archives. A malicious user could create a tar archive that would cause star to write to arbitrary files to which the user running star had write access. (CVE-2007-4134) Red Hat would like to thank Robert Buchholz for reporting this issue. As well, this update adds the command line argument "-.." to the Red Hat Enterprise Linux 3 version of star. This allows star to extract files containing "/../" in their pathname. Users of star should upgrade to this updated package, which contain backported patches to correct these issues. Moderate Copyright 2007 Red Hat, Inc. CVE-2007-4134 CVE-2007-4134 star directory traversal vulnerability cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 MySQL is a multi-user, multi-threaded SQL database server. MySQL is a client/server implementation consisting of a server daemon (mysqld) and many different client programs and libraries. A flaw was discovered in MySQL's authentication protocol. It is possible for a remote unauthenticated attacker to send a specially crafted authentication request to the MySQL server causing it to crash. (CVE-2007-3780) All users of the MySQL server are advised to upgrade to these updated packages, which contain a backported patch which fixes this issue. Important Copyright 2007 Red Hat, Inc. CVE-2007-3780 CVE-2007-3780 mysql malformed password crasher cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The cyrus-sasl package contains the Cyrus implementation of SASL. SASL is the Simple Authentication and Security Layer, a method for adding authentication support to connection-based protocols. A bug was found in cyrus-sasl's DIGEST-MD5 authentication mechanism. As part of the DIGEST-MD5 authentication exchange, the client is expected to send a specific set of information to the server. If one of these items (the "realm") was not sent or was malformed, it was possible for a remote unauthenticated attacker to cause a denial of service (segmentation fault) on the server. (CVE-2006-1721) Users of cyrus-sasl should upgrade to these updated packages, which contain a backported patch to correct this issue. Moderate Copyright 2008 Red Hat, Inc. CVE-2006-1721 CVE-2006-1721 cyrus-sasl digest-md5 DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 3 Qt is a software toolkit that simplifies the task of writing and maintaining GUI (Graphical User Interface) applications for the X Window System. A flaw was found in the way Qt expanded certain UTF8 characters. It was possible to prevent a Qt-based application from properly sanitizing user supplied input. This could, for example, result in a cross-site scripting attack against the Konqueror web browser. (CVE-2007-0242) A buffer overflow flaw was found in the way Qt expanded malformed Unicode strings. If an application linked against Qt parsed a malicious Unicode string, it could lead to a denial of service or possibly allow the execution of arbitrary code. (CVE-2007-4137) Users of Qt should upgrade to these updated packages, which contain a backported patch to correct these issues. Important Copyright 2007 Red Hat, Inc. CVE-2007-0242 CVE-2007-4137 CVE-2007-0242 QT UTF8 improper character expansion CVE-2007-4137 QT off by one buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. These updated packages address the following vulnerabilities: Various integer overflow flaws were found in the PHP gd extension script that could be forced to resize images from an untrusted source, possibly allowing a remote attacker to execute arbitrary code as the apache user. (CVE-2007-3996) An integer overflow flaw was found in the PHP chunk_split function. If a remote attacker was able to pass arbitrary data to the third argument of chunk_split they could possibly execute arbitrary code as the apache user. Note that it is unusual for a PHP script to use the chunk_split function with a user-supplied third argument. (CVE-2007-2872) A previous security update introduced a bug into PHP session cookie handling. This could allow an attacker to stop a victim from viewing a vulnerable web site if the victim has first visited a malicious web page under the control of the attacker, and that page can set a cookie for the vulnerable web site. (CVE-2007-4670) A flaw was found in the PHP money_format function. If a remote attacker was able to pass arbitrary data to the money_format function this could possibly result in an information leak or denial of service. Note that it is unusual for a PHP script to pass user-supplied data to the money_format function. (CVE-2007-4658) A flaw was found in the PHP wordwrap function. If a remote attacker was able to pass arbitrary data to the wordwrap function this could possibly result in a denial of service. (CVE-2007-3998) A bug was found in PHP session cookie handling. This could allow an attacker to create a cross-site cookie insertion attack if a victim follows an untrusted carefully-crafted URL. (CVE-2007-3799) An infinite-loop flaw was discovered in the PHP gd extension. A script that could be forced to process PNG images from an untrusted source could allow a remote attacker to cause a denial of service. (CVE-2007-2756) A flaw was found in the PHP "ftp" extension. If a PHP script used this extension to provide access to a private FTP server, and passed untrusted script input directly to any function provided by this extension, a remote attacker would be able to send arbitrary FTP commands to the server. (CVE-2007-2509) Users of PHP should upgrade to these updated packages, which contain backported patches to correct these issues. Moderate Copyright 2007 Red Hat, Inc. CVE-2007-2509 CVE-2007-2756 CVE-2007-2872 CVE-2007-3799 CVE-2007-3996 CVE-2007-3998 CVE-2007-4658 CVE-2007-4670 CVE-2007-2509 php CRLF injection CVE-2007-2872 php chunk_split integer overflow CVE-2007-2756 gd / php-gd ImageCreateFromPng infinite loop caused by truncated PNG CVE-2007-3799 php cross-site cookie insertion CVE-2007-3998 php floating point exception inside wordwrap CVE-2007-4658 php money_format format string issue CVE-2007-3996 php multiple integer overflows in gd CVE-2007-4670 php malformed cookie handling cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. Various integer overflow flaws were found in the PHP gd extension. A script that could be forced to resize images from an untrusted source could possibly allow a remote attacker to execute arbitrary code as the apache user. (CVE-2007-3996) An integer overflow flaw was found in the PHP chunk_split function. If a remote attacker was able to pass arbitrary data to the third argument of chunk_split they could possibly execute arbitrary code as the apache user. Note that it is unusual for a PHP script to use the chunk_script function with a user-supplied third argument. (CVE-2007-2872) A previous security update introduced a bug into PHP session cookie handling. This could allow an attacker to stop a victim from viewing a vulnerable web site if the victim has first visited a malicious web page under the control of the attacker, and that page can set a cookie for the vulnerable web site. (CVE-2007-4670) A flaw was found in the PHP money_format function. If a remote attacker was able to pass arbitrary data to the money_format function this could possibly result in an information leak or denial of service. Note that is is unusual for a PHP script to pass user-supplied data to the money_format function. (CVE-2007-4658) A flaw was found in the PHP wordwrap function. If a remote attacker was able to pass arbitrary data to the wordwrap function this could possibly result in a denial of service. (CVE-2007-3998) A bug was found in PHP session cookie handling. This could allow an attacker to create a cross-site cookie insertion attack if a victim follows an untrusted carefully-crafted URL. (CVE-2007-3799) An infinite-loop flaw was discovered in the PHP gd extension. A script that could be forced to process PNG images from an untrusted source could allow a remote attacker to cause a denial of service. (CVE-2007-2756) Users of PHP should upgrade to these updated packages, which contain backported patches to correct these issues. Moderate Copyright 2007 Red Hat, Inc. CVE-2007-2756 CVE-2007-2872 CVE-2007-3799 CVE-2007-3996 CVE-2007-3998 CVE-2007-4658 CVE-2007-4670 CVE-2007-2872 php chunk_split integer overflow CVE-2007-2756 gd / php-gd ImageCreateFromPng infinite loop caused by truncated PNG CVE-2007-3799 php cross-site cookie insertion CVE-2007-3998 php floating point exception inside wordwrap CVE-2007-4658 php money_format format string issue CVE-2007-3996 php multiple integer overflows in gd CVE-2007-4670 php malformed cookie handling cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Kerberos is a network authentication system which allows clients and servers to authenticate to each other through use of symmetric encryption and a trusted third party, the KDC. kadmind is the KADM5 administration server. The MIT Kerberos Team discovered a problem with the originally published patch for svc_auth_gss.c (CVE-2007-3999). A remote unauthenticated attacker who can access kadmind could trigger this flaw and cause kadmind to crash. On Red Hat Enterprise Linux 5 it is not possible to exploit this flaw to run arbitrary code as the overflow is blocked by FORTIFY_SOURCE. (CVE-2007-4743) This issue did not affect the versions of Kerberos distributed with Red Hat Enterprise Linux 2.1, 3, or 4. Users of krb5-server are advised to update to these erratum packages which contain a corrected backported fix for this issue. Important Copyright 2007 Red Hat, Inc. CVE-2007-4743 CVE-2007-4743 krb5 incomplete fix for CVE-2007-3999 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 X.org is an open source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon. A flaw was found in the way X.Org's composite extension handles 32 bit color depth windows while running in 16 bit color depth mode. If an X.org server has enabled the composite extension, it may be possible for a malicious authorized client to cause a denial of service (crash) or potentially execute arbitrary code with the privileges of the X.org server. (CVE-2007-4730) Please note this flaw can only be triggered when using a compositing window manager. Red Hat Enterprise Linux 4 does not ship with a compositing window manager. Users of X.org should upgrade to these updated packages, which contain a backported patch and are not vulnerable to these issues. Moderate Copyright 2007 Red Hat, Inc. CVE-2007-4730 CVE-2007-4730 X.org composite extension buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 The kdebase packages provide the core applications for KDE, the K Desktop Environment. These core packages include Konqueror, the web browser and file manager. These updated packages address the following vulnerabilities: Kees Huijgen found a flaw in the way KDM handled logins when autologin and "shutdown with password" were enabled. A local user would have been able to login via KDM as any user without requiring a password. (CVE-2007-4569) Two Konqueror address spoofing flaws were discovered. A malicious web site could spoof the Konqueror address bar, tricking a victim into believing the page was from a different site. (CVE-2007-3820, CVE-2007-4224) Users of KDE should upgrade to these updated packages, which contain backported patches to correct these issues. Moderate Copyright 2007 Red Hat, Inc. CVE-2007-4569 CVE-2007-3820 CVE-2007-4224 CVE-2007-3820 Spoofing of URI possible in Konqueror's address bar CVE-2007-4224 URL spoof in address bar CVE-2007-4569 kdm password-less login vulnerability cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The kdelibs package provides libraries for the K Desktop Environment (KDE). Two cross-site-scripting flaws were found in the way Konqueror processes certain HTML content. This could result in a malicious attacker presenting misleading content to an unsuspecting user. (CVE-2007-0242, CVE-2007-0537) A flaw was found in KDE JavaScript implementation. A web page containing malicious JavaScript code could cause Konqueror to crash. (CVE-2007-1308) A flaw was found in the way Konqueror handled certain FTP PASV commands. A malicious FTP server could use this flaw to perform a rudimentary port-scan of machines behind a user's firewall. (CVE-2007-1564) Two Konqueror address spoofing flaws have been discovered. It was possible for a malicious website to cause the Konqueror address bar to display information which could trick a user into believing they are at a different website than they actually are. (CVE-2007-3820, CVE-2007-4224) Users of KDE should upgrade to these updated packages, which contain backported patches to correct these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2007-0242 CVE-2007-0537 CVE-2007-1308 CVE-2007-1564 CVE-2007-3820 CVE-2007-4224 CVE-2007-0537 konqueror XSS CVE-2007-1564 FTP protocol PASV design flaw affects konqueror CVE-2007-0242 QT UTF8 improper character expansion CVE-2007-3820 Spoofing of URI possible in Konqueror's address bar CVE-2007-4224 URL spoof in address bar CVE-2007-1308 kdelibs KDE JavaScript denial of service (crash) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The nfs-utils-lib package contains support libraries that are needed by the commands and daemons of the nfs-utils package. Tenable Network Security discovered a stack buffer overflow flaw in the RPC library used by nfs-utils-lib. A remote unauthenticated attacker who can access an application linked against nfs-utils-lib could trigger this flaw and cause the application to crash. On Red Hat Enterprise Linux 4 it is not possible to exploit this flaw to run arbitrary code as the overflow is blocked by FORTIFY_SOURCE. (CVE-2007-3999) Users of nfs-utils-lib are advised to upgrade to this updated package, which contains a backported patch that resolves this issue. Important Copyright 2007 Red Hat, Inc. CVE-2007-3999 CVE-2007-3999 krb5 RPC library buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 PWLib is a library used to support cross-platform applications. In Red Hat Enterprise Linux 5, the Ekiga teleconferencing application uses PWLib. A memory management flaw was discovered in PWLib. An attacker could use this flaw to crash an application, such as Ekiga, which is linked with pwlib (CVE-2007-4897). Users should upgrade to these updated packages which contain a backported patch to correct this issue. Moderate Copyright 2007 Red Hat, Inc. CVE-2007-4897 CVE-2007-4897 ekiga GetHostAddress remote DoS cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 ELinks is a text mode Web browser used from the command line that supports rendering modern web pages. An information disclosure flaw was found in the way ELinks passes https POST data to a proxy server. POST data sent via a proxy to an https site is not properly encrypted by ELinks, possibly allowing the disclosure of sensitive information. (CVE-2007-5034) All users of Elinks are advised to upgrade to this updated package, which contains a backported patch that resolves this issue. Moderate Copyright 2007 Red Hat, Inc. CVE-2007-5034 CVE-2007-5034 elinks reveals POST data to HTTPS proxy cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The Linux kernel handles the basic functions of the operating system. A flaw was found in the IA32 system call emulation provided on AMD64 and Intel 64 platforms. An improperly validated 64-bit value could be stored in the %RAX register, which could trigger an out-of-bounds system call table access. An untrusted local user could exploit this flaw to run code in the kernel (ie a root privilege escalation). (CVE-2007-4573). Red Hat would like to thank Wojciech Purczynski for reporting this issue. Red Hat Enterprise Linux 5 users are advised to upgrade to these packages, which contain a backported patch to correct this issue. Important Copyright 2007 Red Hat, Inc. CVE-2007-4573 CVE-2007-4573 x86_64 syscall vulnerability cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The Linux kernel handles the basic functions of the operating system. A flaw was found in the IA32 system call emulation provided on AMD64 and Intel 64 platforms. An improperly validated 64-bit value could be stored in the %RAX register, which could trigger an out-of-bounds system call table access. An untrusted local user could exploit this flaw to run code in the kernel (ie a root privilege escalation). (CVE-2007-4573). Red Hat would like to thank Wojciech Purczynski for reporting this issue. Red Hat Enterprise Linux 4 users are advised to upgrade to these packages, which contain a backported patch to correct this issue. Important Copyright 2007 Red Hat, Inc. CVE-2007-4573 CVE-2007-4573 x86_64 syscall vulnerability cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Linux kernel handles the basic functions of the operating system. A flaw was found in ia32 emulation affecting users running 64-bit versions of Red Hat Enterprise Linux on x86_64 architectures. A local user could use this flaw to gain elevated privileges. (CVE-2007-4573). Red Hat would like to thank Wojciech Purczynski for reporting this issue. Red Hat Enterprise Linux 3 users are advised to upgrade to these packages, which contain a backported patch to correct this issue. Important Copyright 2007 Red Hat, Inc. CVE-2007-4573 CVE-2007-4573 x86_64 syscall vulnerability cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The Linux kernel is the core of the operating system. These updated kernel packages contain fixes for the following security issues: * A flaw was found in the handling of process death signals. This allowed a local user to send arbitrary signals to the suid-process executed by that user. A successful exploitation of this flaw depends on the structure of the suid-program and its signal handling. (CVE-2007-3848, Important) * A flaw was found in the CIFS file system. This could cause the umask values of a process to not be honored on CIFS file systems where UNIX extensions are supported. (CVE-2007-3740, Important) * A flaw was found in the VFAT compat ioctl handling on 64-bit systems. This allowed a local user to corrupt a kernel_dirent struct and cause a denial of service. (CVE-2007-2878, Important) * A flaw was found in the Advanced Linux Sound Architecture (ALSA). A local user who had the ability to read the /proc/driver/snd-page-alloc file could see portions of kernel memory. (CVE-2007-4571, Moderate) * A flaw was found in the aacraid SCSI driver. This allowed a local user to make ioctl calls to the driver that should be restricted to privileged users. (CVE-2007-4308, Moderate) * A flaw was found in the stack expansion when using the hugetlb kernel on PowerPC systems. This allowed a local user to cause a denial of service. (CVE-2007-3739, Moderate) * A flaw was found in the handling of zombie processes. A local user could create processes that would not be properly reaped which could lead to a denial of service. (CVE-2006-6921, Moderate) * A flaw was found in the CIFS file system handling. The mount option "sec=" did not enable integrity checking or produce an error message if used. (CVE-2007-3843, Low) * A flaw was found in the random number generator implementation that allowed a local user to cause a denial of service or possibly gain privileges. This flaw could be exploited if the root user raised the default wakeup threshold over the size of the output pool. (CVE-2007-3105, Low) Additionally, the following bugs were fixed: * A flaw was found in the kernel netpoll code, creating a potential deadlock condition. If the xmit_lock for a given network interface is held, and a subsequent netpoll event is generated from within the lock owning context (a console message for example), deadlock on that cpu will result, because the netpoll code will attempt to re-acquire the xmit_lock. The fix is to, in the netpoll code, only attempt to take the lock, and fail if it is already acquired (rather than block on it), and queue the message to be sent for later delivery. Any user of netpoll code in the kernel (netdump or netconsole services), is exposed to this problem, and should resolve the issue by upgrading to this kernel release immediately. * A flaw was found where, under 64-bit mode (x86_64), AMD processors were not able to address greater than a 40-bit physical address space; and Intel processors were only able to address up to a 36-bit physical address space. The fix is to increase the physical addressing for an AMD processor to 48 bits, and an Intel processor to 38 bits. Please see the Red Hat Knowledgebase for more detailed information. * A flaw was found in the xenU kernel that may prevent a paravirtualized guest with more than one CPU from starting when running under an Enterprise Linux 5.1 hypervisor. The fix is to allow your Enterprise Linux 4 Xen SMP guests to boot under a 5.1 hypervisor. Please see the Red Hat Knowledgebase for more detailed information. Red Hat Enterprise Linux 4 users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Important Copyright 2007 Red Hat, Inc. CVE-2006-6921 CVE-2007-2878 CVE-2007-3105 CVE-2007-3739 CVE-2007-3740 CVE-2007-3843 CVE-2007-3848 CVE-2007-4308 CVE-2007-4571 CVE-2007-2878 VFAT compat ioctls DoS on 64-bit autofs problem with symbolic links CVE-2007-3105 Bound check ordering issue in random driver CVE-2007-3848 Privilege escalation via PR_SET_PDEATHSIG CVE-2007-4308 kernel: Missing ioctl() permission checks in aacraid driver CVE-2007-3740 CIFS should honor umask CVE-2007-3843 CIFS signing sec= mount options don't work correctly [PATCH] Fix memory leak of dma_alloc_coherent() on x86_64 CVE-2007-4571 ALSA memory disclosure flaw CVE-2007-3739 LTC36188-Don't allow the stack to grow into hugetlb reserved regions CVE-2006-6921 kernel: denial of service with wedged processes EL4.5: Improperly flushed TLBs may lead to Machine check errors cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the following security issues: * A flaw was found in the backported stack unwinder fixes in Red Hat Enterprise Linux 5. On AMD64 and Intel 64 platforms, a local user could trigger this flaw and cause a denial of service. (CVE-2007-4574, Important) * A flaw was found in the handling of process death signals. This allowed a local user to send arbitrary signals to the suid-process executed by that user. A successful exploitation of this flaw depends on the structure of the suid-program and its signal handling. (CVE-2007-3848, Important) * A flaw was found in the Distributed Lock Manager (DLM) in the cluster manager. This allowed a remote user who is able to connect to the DLM port to cause a denial of service. (CVE-2007-3380, Important) * A flaw was found in the aacraid SCSI driver. This allowed a local user to make ioctl calls to the driver which should otherwise be restricted to privileged users. (CVE-2007-4308, Moderate) * A flaw was found in the prio_tree handling of the hugetlb support that allowed a local user to cause a denial of service. This only affected kernels with hugetlb support. (CVE-2007-4133, Moderate) * A flaw was found in the eHCA driver on PowerPC architectures that allowed a local user to access 60k of physical address space. This address space could contain sensitive information. (CVE-2007-3850, Moderate) * A flaw was found in ptrace support that allowed a local user to cause a denial of service via a NULL pointer dereference. (CVE-2007-3731, Moderate) * A flaw was found in the usblcd driver that allowed a local user to cause a denial of service by writing data to the device node. To exploit this issue, write access to the device node was needed. (CVE-2007-3513, Moderate) * A flaw was found in the random number generator implementation that allowed a local user to cause a denial of service or possibly gain privileges. If the root user raised the default wakeup threshold over the size of the output pool, this flaw could be exploited. (CVE-2007-3105, Low) In addition to the security issues described above, several bug fixes preventing possible system crashes and data corruption were also included. Red Hat Enterprise Linux 5 users are advised to upgrade to these packages, which contain backported patches to resolve these issues. Important Copyright 2007 Red Hat, Inc. CVE-2007-3105 CVE-2007-3380 CVE-2007-3513 CVE-2007-3731 CVE-2007-3848 CVE-2007-3850 CVE-2007-4308 CVE-2007-4133 CVE-2007-4574 CVE-2007-3380 A TCP connection to DLM port blocks DLM operations CVE-2007-3513 Locally triggerable memory consumption in usblcd CVE-2007-3731 NULL pointer dereference triggered by ptrace CVE-2007-3105 Bound check ordering issue in random driver CVE-2007-3848 Privilege escalation via PR_SET_PDEATHSIG CVE-2007-4308 kernel: Missing ioctl() permission checks in aacraid driver CVE-2007-4133 prio_tree unit kernel panic CVE-2007-4574 EM64T local DoS CVE-2007-3850 kernel LTC31426-4k page mapping support for userspace in 64k kernels cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The nfs-utils-lib package contains support libraries that are needed by the commands and daemons of the nfs-utils package. The updated nfs-utils package fixes the following vulnerabilities: Tenable Network Security discovered a stack buffer overflow flaw in the RPC library used by nfs-utils-lib. A remote unauthenticated attacker who can access an application linked against nfs-utils-lib could trigger this flaw and cause the application to crash. On Red Hat Enterprise Linux 5 it is not possible to exploit this flaw to run arbitrary code as the overflow is blocked by FORTIFY_SOURCE. (CVE-2007-3999) Tony Ernst from SGI has discovered a flaw in the way nfsidmap maps NFSv4 unknown uids. If an unknown user ID is encountered on an NFSv4 mounted filesystem, the files will default to being owned by 'root' rather than 'nobody'. (CVE-2007-4135) Users of nfs-utils-lib are advised to upgrade to this updated package, which contains backported patches to resolve these issues. Important Copyright 2007 Red Hat, Inc. CVE-2007-3999 CVE-2007-4135 CVE-2007-3999 krb5 RPC library buffer overflow CVE-2007-4135 nfs-utils-lib NFSv4 user id mapping flaw cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 The BEA WebLogic JRockit 1.5.0_11 JRE and SDK contain BEA WebLogic JRockit Virtual Machine 1.5.0_11 and are certified for the Java 5 Platform, Standard Edition, v1.5.0. A flaw was found in the BEA Java Runtime Environment GIF image handling. If an application processes untrusted GIF image input, it may be possible to execute arbitrary code as the user running the Java Virtual Machine. (CVE-2007-0243) A buffer overflow in the Java Runtime Environment image handling code was found. If an attacker is able to cause a server application to process a specially crafted image file, it may be possible to execute arbitrary code as the user running the Java Virtual Machine. (CVE-2007-2788, CVE-2007-2789, CVE-2007-3004) A denial of service flaw was discovered in the Java Applet Viewer. An untrusted Java applet could cause the Java Virtual Machine to become unresponsive. Please note that the BEA WebLogic JRockit 1.5.0_11 does not ship with a browser plug-in and therefore this issue could only be triggered by a user running the "appletviewer" application. (CVE-2007-3005) A cross site scripting (XSS) flaw was found in the Javadoc tool. An attacker could inject arbitrary content into a Javadoc generated HTML documentation page, possibly tricking a user or stealing sensitive information. (CVE-2007-3503) A denial of service flaw was found in the way the JSSE component processed SSL/TLS handshake requests. A remote attacker able to connect to a JSSE enabled service could send a specially crafted handshake which would cause the Java Runtime Environment to stop responding to future requests. (CVE-2007-3698) A flaw was found in the way the Java Runtime Environment processes font data. An applet viewed via the 'appletviewer' application could elevate its privileges, allowing the applet to perform actions with the same permissions as the user running the "appletviewer" application. It may also be possible to crash a server application which processes untrusted font information from a third party. (CVE-2007-4381) All users of java-bea-1.5.0 should upgrade to these updated packages, which contain the BEA WebLogic JRockit 1.5.0_11 release that resolves these issues. Moderate Copyright 2007 Red Hat, Inc. CVE-2007-0243 CVE-2007-2788 CVE-2007-2789 CVE-2007-3503 CVE-2007-3698 CVE-2007-4381 CVE-2007-3004 Integer overflow in IBM JDK's ICC profile parser CVE-2007-3503 HTML files generated with Javadoc are vulnerable to a XSS CVE-2007-3698 Java Secure Socket Extension Does Not Correctly Process SSL/TLS Handshake Requests Resulting in a Denial of Service (DoS) Condition CVE-2007-2788 Integer overflow in the embedded ICC profile image parser in Sun Java Development Kit CVE-2007-2789 BMP image parser vulnerability CVE-2007-3005 Unspecified vulnerability in Sun JRE CVE-2007-4381 java: Vulnerability in the font parsing code CVE-2007-0243 java-jre: GIF buffer overflow cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 5 Open Phone Abstraction Library (opal) is implementation of various telephony and video communication protocols for use over packet based networks. In Red Hat Enterprise Linux 5, the Ekiga application uses opal. A flaw was discovered in the way opal handled certain Session Initiation Protocol (SIP) packets. An attacker could use this flaw to crash an application, such as Ekiga, which is linked with opal. (CVE-2007-4924) Users should upgrade to these updated opal packages which contain a backported patch to correct this issue. Moderate Copyright 2007 Red Hat, Inc. CVE-2007-4924 CVE-2007-4924 ekiga remote crash caused by insufficient input validation cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The hplip (Hewlett-Packard Linux Imaging and Printing Project) package provides drivers for HP printers and multi-function peripherals. Kees Cook discovered a flaw in the way the hplip hpssd daemon handled user input. A local attacker could send a specially crafted request to the hpssd daemon, possibly allowing them to run arbitrary commands as the root user. (CVE-2007-5208). On Red Hat Enterprise Linux 5, the SELinux targeted policy for hpssd which is enabled by default, blocks the ability to exploit this issue to run arbitrary code. Users of hplip are advised to upgrade to this updated package, which contains backported patches to resolve this issue. Important Copyright 2008 Red Hat, Inc. CVE-2007-5208 CVE-2007-5208 hplip arbitrary command execution cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Ruby is an interpreted scripting language for object-oriented programming. A flaw was discovered in the way Ruby's CGI module handles certain HTTP requests. If a remote attacker sends a specially crafted request, it is possible to cause the ruby CGI script to enter an infinite loop, possibly causing a denial of service. (CVE-2006-6303) An SSL certificate validation flaw was discovered in several Ruby Net modules. The libraries were not checking the requested host name against the common name (CN) in the SSL server certificate, possibly allowing a man in the middle attack. (CVE-2007-5162, CVE-2007-5770) Users of Ruby should upgrade to these updated packages, which contain backported patches to resolve these issues. Moderate Copyright 2007 Red Hat, Inc. CVE-2006-6303 CVE-2007-5162 CVE-2007-5770 CVE-2006-6303 ruby's cgi.rb vulnerable infinite loop DoS CVE-2007-5162 ruby Net:HTTP insufficient verification of SSL certificate CVE-2007-5770 ruby insufficient verification of SSL certificate in various net::* modules cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 The Java Runtime Environment (JRE) contains the software and tools that users need to run applets and applications written using the Java programming language. A flaw in the applet caching mechanism of the Java Runtime Environment (JRE) did not correctly process the creation of network connections. A remote attacker could use this flaw to create connections to services on machines other than the one that the applet was downloaded from. (CVE-2007-5232) Multiple vulnerabilities existed in Java Web Start allowing an untrusted application to determine the location of the Java Web Start cache. (CVE-2007-5238) Untrusted Java Web Start Applications or Java Applets were able to drag and drop a file to a Desktop Application. A user-assisted remote attacker could use this flaw to move or copy arbitrary files. (CVE-2007-5239) The Java Runtime Environment (JRE) allowed untrusted Java Applets or applications to display oversized Windows. This could be used by remote attackers to hide security warning banners. (CVE-2007-5240) Unsigned Java Applets communicating via a HTTP proxy could allow a remote attacker to violate the Java security model. A cached, malicious Applet could create network connections to services on other machines. (CVE-2007-5273) Unsigned Applets loaded with Mozilla Firefox or Opera browsers allowed remote attackers to violate the Java security model. A cached, malicious Applet could create network connections to services on other machines. (CVE-2007-5274) In Red Hat Enterprise Linux a Java Web Start application requesting elevated permissions is only started automatically when signed with a trusted code signing certificate and otherwise requires user confirmation to access privileged resources. All users of java-sun-1.5.0 should upgrade to these packages, which contain Sun Java 1.5.0 Update 13 that corrects these issues. Please note that during our quality testing we discovered that the Java browser plug-in may not function perfectly when visiting some sites that make use of multiple applets on a single HTML page. We have verified that this issue is not due to our packaging and affects Sun Java 1.5.0 Update 13. Important Copyright 2007 Red Hat, Inc. CVE-2007-5232 CVE-2007-5238 CVE-2007-5239 CVE-2007-5240 CVE-2007-5273 CVE-2007-5274 CVE-2007-5689 CVE-2007-5232 Security Vulnerability in Java Runtime Environment With Applet Caching CVE-2007-5238 Vulnerabilities in Java Web Start allow to determine the location of the Java Web Start cache CVE-2007-5239 Untrusted Application or Applet May Move or Copy Arbitrary Files CVE-2007-5240 Applets or Applications are allowed to display an oversized window CVE-2007-5273 Anti-DNS Pinning and Java Applets with HTTP proxy CVE-2007-5274 Anti-DNS Pinning and Java Applets with Opera and Firefox cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 5 OpenSSL is a toolkit that implements Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. Datagram TLS (DTLS) is a protocol based on TLS that is capable of securing datagram transport (UDP for instance). The OpenSSL security team discovered a flaw in DTLS support. An attacker could create a malicious client or server that could trigger a heap overflow. This is possibly exploitable to run arbitrary code, but it has not been verified (CVE-2007-4995). Note that this flaw only affects applications making use of DTLS. Red Hat does not ship any DTLS client or server applications in Red Hat Enterprise Linux. A flaw was found in the SSL_get_shared_ciphers() utility function. An attacker could send a list of ciphers to an application that used this function and overrun a buffer with a single byte (CVE-2007-5135). Few applications make use of this vulnerable function and generally it is used only when applications are compiled for debugging. A number of possible side-channel attacks were discovered affecting OpenSSL. A local attacker could possibly obtain RSA private keys being used on a system. In practice these attacks would be difficult to perform outside of a lab environment. This update contains backported patches designed to mitigate these issues. (CVE-2007-3108). Users of OpenSSL should upgrade to these updated packages, which contain backported patches to resolve these issues. Please note that the fix for the DTLS flaw involved an overhaul of the DTLS handshake processing which may introduce incompatibilities if a new client is used with an older server. After installing this update, users are advised to either restart all services that use OpenSSL or restart their system. Important Copyright 2007 Red Hat, Inc. CVE-2007-3108 CVE-2007-4995 CVE-2007-5135 CVE-2007-3108 openssl: RSA side-channel attack CVE-2007-5135 openssl SSL_get_shared_ciphers() off-by-one CVE-2007-4995 openssl dtls out of order vulnerabilitiy cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Ruby is an interpreted scripting language for object-oriented programming. An SSL certificate validation flaw was discovered in several Ruby Net modules. The libraries were not checking the requested host name against the common name (CN) in the SSL server certificate, possibly allowing a man in the middle attack. (CVE-2007-5162, CVE-2007-5770) Users of Ruby should upgrade to these updated packages, which contain a backported patch to resolve these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2007-5162 CVE-2007-5770 CVE-2007-5162 ruby Net:HTTP insufficient verification of SSL certificate CVE-2007-5770 ruby insufficient verification of SSL certificate in various net::* modules cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 3 Perl is a high-level programming language commonly used for system administration utilities and Web programming. A flaw was found in Perl's regular expression engine. Specially crafted input to a regular expression can cause Perl to improperly allocate memory, possibly resulting in arbitrary code running with the permissions of the user running Perl. (CVE-2007-5116) Users of Perl are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. Red Hat would like to thank Tavis Ormandy and Will Drewry for properly disclosing this issue. Important Copyright 2008 Red Hat, Inc. CVE-2007-5116 CVE-2007-5116 perl regular expression UTF parsing errors cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 PCRE is a Perl-compatible regular expression library. Multiple flaws were found in the way pcre handles certain malformed regular expressions. If an application linked against pcre, such as Konqueror, parses a malicious regular expression, it may be possible to run arbitrary code as the user running the application. (CVE-2007-1659, CVE-2007-1660) Users of pcre are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Red Hat would like to thank Tavis Ormandy and Will Drewry for properly disclosing these issues. Critical Copyright 2007 Red Hat, Inc. CVE-2007-1659 CVE-2007-1660 CVE-2007-1659 pcre regular expression flaws CVE-2007-1660 pcre regular expression flaws cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 PCRE is a Perl-compatible regular expression library. Multiple flaws were found in the way pcre handles certain malformed regular expressions. If an application linked against pcre, such as Konqueror, parses a malicious regular expression, it may be possible to run arbitrary code as the user running the application. (CVE-2007-1660) Users of pcre are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Red Hat would like to thank Tavis Ormandy and Will Drewry for properly disclosing these issues. Critical Copyright 2007 Red Hat, Inc. CVE-2007-1660 CVE-2007-1660 pcre regular expression flaws cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The util-linux package contains a large variety of low-level system utilities that are necessary for a Linux system to function. A flaw was discovered in the way that the mount and umount utilities used the setuid and setgid functions, which could lead to privileges being dropped improperly. A local user could use this flaw to run mount helper applications such as, mount.nfs, with additional privileges (CVE-2007-5191). Users are advised to update to these erratum packages which contain a backported patch to correct this issue. Moderate Copyright 2007 Red Hat, Inc. CVE-2007-5191 CVE-2007-5191 util-linux (u)mount doesn't drop privileges properly when calling helpers cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 FLAC is a Free Lossless Audio Codec. The flac package consists of a FLAC encoder and decoder in library form, a program to encode and decode FLAC files, a metadata editor for FLAC files and input plugins for various music players. A security flaw was found in the way flac processed audio data. An attacker could create a carefully crafted FLAC audio file in such a way that it could cause an application linked with flac libraries to crash or execute arbitrary code when it was opened. (CVE-2007-4619) Users of flac are advised to upgrade to this updated package, which contains a backported patch that resolves this issue. Important Copyright 2008 Red Hat, Inc. CVE-2007-4619 CVE-2007-6277 CVE-2007-4619 FLAC Integer overflows cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 Mozilla Firefox is an open source Web browser. Several flaws were found in the way in which Firefox processed certain malformed web content. A web page containing malicious content could cause Firefox to crash or potentially execute arbitrary code as the user running Firefox. (CVE-2007-5338, CVE-2007-5339, CVE-2007-5340) Several flaws were found in the way in which Firefox displayed malformed web content. A web page containing specially-crafted content could potentially trick a user into surrendering sensitive information. (CVE-2007-1095, CVE-2007-3844, CVE-2007-3511, CVE-2007-5334) A flaw was found in the Firefox sftp protocol handler. A malicious web page could access data from a remote sftp site, possibly stealing sensitive user data. (CVE-2007-5337) A request-splitting flaw was found in the way in which Firefox generates a digest authentication request. If a user opened a specially-crafted URL, it was possible to perform cross-site scripting attacks, web cache poisoning, or other, similar exploits. (CVE-2007-2292) All users of Firefox are advised to upgrade to these updated packages, which contain backported patches that correct these issues. Critical Copyright 2008 Red Hat, Inc. CVE-2007-1095 CVE-2007-2292 CVE-2007-3511 CVE-2007-3844 CVE-2007-5334 CVE-2007-5337 CVE-2007-5338 CVE-2007-5339 CVE-2007-5340 firefox crashes when searching for word "do" Mozilla products security update (CVE-2007-1095, CVE-2007-2292, CVE-2007-3511, CVE-2007-3844, CVE-2007-5334, CVE-2007-5337, CVE-2007-5338, CVE-2007-5339, CVE-2007-5340) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 SeaMonkey is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. Several flaws were found in the way in which SeaMonkey processed certain malformed web content. A web page containing malicious content could cause SeaMonkey to crash or potentially execute arbitrary code as the user running SeaMonkey. (CVE-2007-5338, CVE-2007-5339, CVE-2007-5340) Several flaws were found in the way in which SeaMonkey displayed malformed web content. A web page containing specially-crafted content could potentially trick a user into surrendering sensitive information. (CVE-2007-1095, CVE-2007-3844, CVE-2007-3511, CVE-2007-5334) A flaw was found in the SeaMonkey sftp protocol handler. A malicious web page could access data from a remote sftp site, possibly stealing sensitive user data. (CVE-2007-5337) A request-splitting flaw was found in the way in which SeaMonkey generates a digest authentication request. If a user opened a specially-crafted URL, it was possible to perform cross-site scripting attacks, web cache poisoning, or other, similar exploits. (CVE-2007-2292) Users of SeaMonkey are advised to upgrade to these erratum packages, which contain backported patches that correct these issues. Critical Copyright 2007 Red Hat, Inc. CVE-2007-1095 CVE-2007-2292 CVE-2007-3511 CVE-2007-3844 CVE-2007-5334 CVE-2007-5337 CVE-2007-5338 CVE-2007-5339 CVE-2007-5340 Mozilla products security update (CVE-2007-1095, CVE-2007-2292, CVE-2007-3511, CVE-2007-3844, CVE-2007-5334, CVE-2007-5337, CVE-2007-5338, CVE-2007-5339, CVE-2007-5340) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Thunderbird is a standalone mail and newsgroup client. Several flaws were found in the way in which Thunderbird processed certain malformed HTML mail content. An HTML mail message containing malicious content could cause Thunderbird to crash or potentially execute arbitrary code as the user running Thunderbird. JavaScript support is disabled by default in Thunderbird; these issues are not exploitable unless the user has enabled JavaScript. (CVE-2007-5338, CVE-2007-5339, CVE-2007-5340) Several flaws were found in the way in which Thunderbird displayed malformed HTML mail content. An HTML mail message containing specially-crafted content could potentially trick a user into surrendering sensitive information. (CVE-2007-1095, CVE-2007-3844, CVE-2007-3511, CVE-2007-5334) A flaw was found in the Thunderbird sftp protocol handler. A malicious HTML mail message could access data from a remote sftp site, possibly stealing sensitive user data. (CVE-2007-5337) A request-splitting flaw was found in the way in which Thunderbird generates a digest authentication request. If a user opened a specially-crafted URL, it was possible to perform cross-site scripting attacks, web cache poisoning, or other, similar exploits. (CVE-2007-2292) Users of Thunderbird are advised to upgrade to these erratum packages, which contain backported patches that correct these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2007-1095 CVE-2007-2292 CVE-2007-3511 CVE-2007-3844 CVE-2007-5334 CVE-2007-5337 CVE-2007-5338 CVE-2007-5339 CVE-2007-5340 Mozilla products security update (CVE-2007-1095, CVE-2007-2292, CVE-2007-3511, CVE-2007-3844, CVE-2007-5334, CVE-2007-5337, CVE-2007-5338, CVE-2007-5339, CVE-2007-5340) cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 3 The libpng package contains a library of functions for creating and manipulating PNG (Portable Network Graphics) image format files. Several flaws were discovered in the way libpng handled various PNG image chunks. An attacker could create a carefully crafted PNG image file in such a way that it could cause an application linked with libpng to crash when the file was manipulated. (CVE-2007-5269) Users should update to these updated packages which contain a backported patch to correct these issues. Moderate Copyright 2007 Red Hat, Inc. CVE-2007-5269 CVE-2007-5269 libpng DoS via multiple out-of-bounds reads cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the following security issues: A memory leak was found in the Red Hat Content Accelerator kernel patch. A local user could use this flaw to cause a denial of service (memory exhaustion). (CVE-2007-5494, Important) A flaw was found in the handling of IEEE 802.11 frames affecting several wireless LAN modules. In certain circumstances, a remote attacker could trigger this flaw by sending a malicious packet over a wireless network and cause a denial of service (kernel crash). (CVE-2007-4997, Important). A flaw was found in the Advanced Linux Sound Architecture (ALSA). A local user who had the ability to read the /proc/driver/snd-page-alloc file could see portions of kernel memory. (CVE-2007-4571, Moderate). In addition to the security issues described above, several bug fixes preventing possible memory corruption, system crashes, SCSI I/O fails, networking drivers performance regression and journaling block device layer issue were also included. Red Hat Enterprise Linux 5 users are advised to upgrade to these packages, which contain backported patches to resolve these issues. Red Hat would like to credit Vasily Averin, Chris Evans, and Neil Kettle for reporting the security issues corrected by this update. Important Copyright 2008 Red Hat, Inc. CVE-2007-4571 CVE-2007-4997 CVE-2007-5494 CVE-2007-4571 ALSA memory disclosure flaw [RHEL 5.1.z]: Tick divider bugs on x86_64 CVE-2007-5494 open(O_ATOMICLOOKUP) leaks dentry [PATCH] jbd: wait for already submitted t_sync_datalist buffer to complete (Possibility of in-place data destruction) LSPP: audit rule causes kernel 'out of memory' condition and auditd failure [EL5][BUG] Unexpected SIGILL on NFS/Montecito(ia64) task->mm or slab corruption with CIFS CVE-2007-4997 kernel ieee80211 off-by-two integer underflow LSPP: audit enable not picking up all processes [Broadcom 5.1.z bug] Performance regression on 5705 TG3 NICs LTC35628-kexec/kdump kernel hung on Power5+ and Power6 based systems LTC38135-vSCSI client reports 'Device sdX not ready' after deactive/active device on vSCSI server forcedeth driver mishandles MSI interrupts under high load cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, and is also a full-strength general-purpose cryptography library. A flaw was found in the SSL_get_shared_ciphers() utility function. An attacker could send a list of ciphers to an application that used this function and overrun a buffer by a single byte (CVE-2007-5135). Few applications make use of this vulnerable function and generally it is used only when applications are compiled for debugging. A number of possible side-channel attacks were discovered affecting OpenSSL. A local attacker could possibly obtain RSA private keys being used on a system. In practice these attacks would be difficult to perform outside of a lab environment. This update contains backported patches to mitigate these issues. (CVE-2007-3108) As well, these updated packages fix the following bugs: * multithreaded applications could cause a segmentation fault or deadlock when calling the random number generator initialization (RAND_poll) in the OpenSSL library, for a large number of threads simultaneously. * in certain circumstances, if an application using the OpenSSL library reused the SSL session cache for multiple purposes (with various parameters of the SSL protocol), the session parameters could be mismatched. * a segmentation fault could occur when a corrupted pkcs12 file was being loaded using the "openssl pkcs12 -in [pkcs12-file]" command, where [pkcs12-file] is the pkcs12 file. Users of OpenSSL should upgrade to these updated packages, which contain backported patches to resolve these issues. Note: After installing this update, users are advised to either restart all services that use OpenSSL or restart their system. Moderate Copyright 2007 Red Hat, Inc. CVE-2007-3108 CVE-2007-5135 openssl RAND_poll segfault when fd >= FD_SETSIZE (affects apache2 startup with many SSL vhosts) openssl crashes on pkcs12 file CVE-2007-3108 openssl: RSA side-channel attack CVE-NONE openssl branch prediction attacks CVE-2007-5135 openssl SSL_get_shared_ciphers() off-by-one cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Samba is a suite of programs used by machines to share files, printers, and other information. A buffer overflow flaw was found in the way Samba creates NetBIOS replies. If a Samba server is configured to run as a WINS server, a remote unauthenticated user could cause the Samba server to crash or execute arbitrary code. (CVE-2007-5398) A heap-based buffer overflow flaw was found in the way Samba authenticates users. A remote unauthenticated user could trigger this flaw to cause the Samba server to crash. Careful analysis of this flaw has determined that arbitrary code execution is not possible, and under most circumstances will not result in a crash of the Samba server. (CVE-2007-4572) Red Hat would like to thank Alin Rad Pop of Secunia Research, and the Samba developers for responsibly disclosing these issues. Users of Samba are advised to ugprade to these updated packages, which contain backported patches to resolve these issues. Critical Copyright 2008 Red Hat, Inc. CVE-2007-4572 CVE-2007-5398 CVE-2007-4572 samba buffer overflow CVE-2007-5398 Samba "reply_netbios_packet()" Buffer Overflow Vulnerability cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Samba is a suite of programs used by machines to share files, printers, and other information. A buffer overflow flaw was found in the way Samba creates NetBIOS replies. If a Samba server is configured to run as a WINS server, a remote unauthenticated user could cause the Samba server to crash or execute arbitrary code. (CVE-2007-5398) A heap-based buffer overflow flaw was found in the way Samba authenticates users. A remote unauthenticated user could trigger this flaw to cause the Samba server to crash. Careful analysis of this flaw has determined that arbitrary code execution is not possible, and under most circumstances will not result in a crash of the Samba server. (CVE-2007-4572) A flaw was found in the way Samba assigned group IDs under certain conditions. If the "winbind nss info" parameter in smb.conf is set to either "sfu" or "rfc2307", Samba users are incorrectly assigned the group ID of 0. (CVE-2007-4138) Red Hat would like to thank Alin Rad Pop of Secunia Research, Rick King, and the Samba developers for responsibly disclosing these issues. All Samba users are advised to upgrade to these updated packages, which contain a backported patch to correct these issues. Critical Copyright 2008 Red Hat, Inc. CVE-2007-4572 CVE-2007-4138 CVE-2007-5398 CVE-2007-4138 samba incorrect primary group assignment for domain users using the rfc2307 or sfu winbind nss info plugin CVE-2007-4572 samba buffer overflow CVE-2007-5398 Samba "reply_netbios_packet()" Buffer Overflow Vulnerability cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Samba is a suite of programs used by machines to share files, printers, and other information. A buffer overflow flaw was found in the way Samba creates NetBIOS replies. If a Samba server is configured to run as a WINS server, a remote unauthenticated user could cause the Samba server to crash or execute arbitrary code. (CVE-2007-5398) A heap based buffer overflow flaw was found in the way Samba authenticates users. A remote unauthenticated user could trigger this flaw to cause the Samba server to crash. Careful analysis of this flaw has determined that arbitrary code execution is not possible, and under most circumstances will not result in a crash of the Samba server. (CVE-2007-4572) A flaw was found in the way Samba assigned group IDs under certain conditions. If the "winbind nss info" parameter in smb.conf is set to either "sfu" or "rfc2307", Samba users are incorrectly assigned the group ID of 0. (CVE-2007-4138) Red Hat would like to thank Alin Rad Pop of Secunia Research, Rick King, and the Samba developers for responsibly disclosing these issues. All Samba users are advised to upgrade to these updated packages, which contain a backported patch to correct these issues. Critical Copyright 2008 Red Hat, Inc. CVE-2007-4572 CVE-2007-4138 CVE-2007-5398 CVE-2007-4138 samba incorrect primary group assignment for domain users using the rfc2307 or sfu winbind nss info plugin CVE-2007-4572 samba buffer overflow CVE-2007-5398 Samba "reply_netbios_packet()" Buffer Overflow Vulnerability cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX(R) operating systems. A flaw was found in the way CUPS handles certain Internet Printing Protocol (IPP) tags. A remote attacker who is able to connect to the IPP TCP port could send a malicious request causing the CUPS daemon to crash, or potentially execute arbitrary code. Please note that the default CUPS configuration does not allow remote hosts to connect to the IPP TCP port. (CVE-2007-4351) Red Hat would like to thank Alin Rad Pop for reporting this issue. All CUPS users are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. In addition, the following bugs were fixed: * the CUPS service has been changed to start after sshd, to avoid causing delays when logging in when the system is booted. * the logrotate settings have been adjusted so they do not cause CUPS to reload its configuration. This is to avoid re-printing the current job, which could occur when it was a long-running job. * a bug has been fixed in the handling of the If-Modified-Since: HTTP header. * in the LSPP configuration, labels for labeled jobs did not line-wrap. This has been fixed. * an access check in the LSPP configuration has been made more secure. * the cups-lpd service no longer ignores the "-odocument-format=..." option. * a memory allocation bug has been fixed in cupsd. * support for UNIX domain sockets authentication without passwords has been added. * in the LSPP configuration, a problem that could lead to cupsd crashing has been fixed. * the error handling in the initscript has been improved. * The job-originating-host-name attribute was not correctly set for jobs submitted via the cups-lpd service. This has been fixed. * a problem with parsing IPv6 addresses in the configuration file has been fixed. * a problem that could lead to cupsd crashing when it failed to open a "file:" URI has been fixed. Important Copyright 2007 Red Hat, Inc. CVE-2007-4351 Cups starts as S55cups, before sshd [LSPP] Labels for labeled printing don't linewrap [LSPP] cups is overriding mls when querying jobs with lpq -al cups-lpd : server-args has no effect [LSPP] cups is allowing users to delete other user's job [LSPP] cupsd crash Wrong init script cups-lpd doesn't set 'job-originating-host-name' IPV6 addresses not accepted in "Allow From" directives cupsd crashes when failing to open a file: URI CVE-2007-4351 cups boundary error cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX(R) operating systems. Alin Rad Pop discovered several flaws in the handling of PDF files. An attacker could create a malicious PDF file that would cause CUPS to crash or potentially execute arbitrary code when printed. (CVE-2007-4352, CVE-2007-5392, CVE-2007-5393) All CUPS users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. Important Copyright 2008 Red Hat, Inc. CVE-2007-4352 CVE-2007-5392 CVE-2007-5393 CVE-2007-4352 xpdf memory corruption in DCTStream::readProgressiveDataUnit() CVE-2007-5392 xpdf buffer overflow in DCTStream::reset() CVE-2007-5393 xpdf buffer overflow in CCITTFaxStream::lookChar() cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX(R) operating systems. Alin Rad Pop discovered several flaws in the handling of PDF files. An attacker could create a malicious PDF file that would cause CUPS to crash or potentially execute arbitrary code when printed. (CVE-2007-4352, CVE-2007-5392, CVE-2007-5393) Alin Rad Pop discovered a flaw in in the way CUPS handles certain IPP tags. A remote attacker who is able to connect to the IPP TCP port could send a malicious request causing the CUPS daemon to crash. (CVE-2007-4351) A flaw was found in the way CUPS handled SSL negotiation. A remote attacker capable of connecting to the CUPS daemon could cause CUPS to crash. (CVE-2007-4045) All CUPS users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. Important Copyright 2007 Red Hat, Inc. CVE-2007-4045 CVE-2007-4351 CVE-2007-4352 CVE-2007-5392 CVE-2007-5393 CVE-2007-4045 Incomplete fix for CVE-2007-0720 CUPS denial of service CVE-2007-4351 cups boundary error CVE-2007-4352 xpdf memory corruption in DCTStream::readProgressiveDataUnit() CVE-2007-5392 xpdf buffer overflow in DCTStream::reset() CVE-2007-5393 xpdf buffer overflow in CCITTFaxStream::lookChar() cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX(R) operating systems. Alin Rad Pop discovered a flaw in the handling of PDF files. An attacker could create a malicious PDF file that would cause CUPS to crash or potentially execute arbitrary code when printed. (CVE-2007-5393) Alin Rad Pop discovered a flaw in in the way CUPS handles certain IPP tags. A remote attacker who is able to connect to the IPP TCP port could send a malicious request causing the CUPS daemon to crash. (CVE-2007-4351) A flaw was found in the way CUPS handled SSL negotiation. A remote attacker capable of connecting to the CUPS daemon could cause CUPS to crash. (CVE-2007-4045) All CUPS users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. Important Copyright 2007 Red Hat, Inc. CVE-2007-4045 CVE-2007-4351 CVE-2007-5393 CVE-2007-4045 Incomplete fix for CVE-2007-0720 CUPS denial of service CVE-2007-4351 cups boundary error CVE-2007-5393 xpdf buffer overflow in CCITTFaxStream::lookChar() cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The kdegraphics packages contain applications for the K Desktop Environment. This includes kpdf, a PDF file viewer. Alin Rad Pop discovered several flaws in the handling of PDF files. An attacker could create a malicious PDF file that would cause kpdf to crash, or potentially execute arbitrary code when opened. (CVE-2007-4352, CVE-2007-5392, CVE-2007-5393) All kdegraphics users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. Important Copyright 2008 Red Hat, Inc. CVE-2007-4352 CVE-2007-5392 CVE-2007-5393 CVE-2007-4352 xpdf memory corruption in DCTStream::readProgressiveDataUnit() CVE-2007-5392 xpdf buffer overflow in DCTStream::reset() CVE-2007-5393 xpdf buffer overflow in CCITTFaxStream::lookChar() cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 gpdf is a GNOME-based viewer for Portable Document Format (PDF) files. Alin Rad Pop discovered several flaws in the handling of PDF files. An attacker could create a malicious PDF file that would cause gpdf to crash, or potentially execute arbitrary code when opened. (CVE-2007-4352, CVE-2007-5392, CVE-2007-5393) Users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. Important Copyright 2008 Red Hat, Inc. CVE-2007-4352 CVE-2007-5392 CVE-2007-5393 CVE-2007-4352 xpdf memory corruption in DCTStream::readProgressiveDataUnit() CVE-2007-5392 xpdf buffer overflow in DCTStream::reset() CVE-2007-5393 xpdf buffer overflow in CCITTFaxStream::lookChar() cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Poppler is a PDF rendering library, used by applications such as evince. Alin Rad Pop discovered several flaws in the handling of PDF files. An attacker could create a malicious PDF file that would cause an application linked with poppler to crash, or potentially execute arbitrary code when opened. (CVE-2007-4352, CVE-2007-5392, CVE-2007-5393) Users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. Important Copyright 2007 Red Hat, Inc. CVE-2007-4352 CVE-2007-5392 CVE-2007-5393 CVE-2007-4352 xpdf memory corruption in DCTStream::readProgressiveDataUnit() CVE-2007-5392 xpdf buffer overflow in DCTStream::reset() CVE-2007-5393 xpdf buffer overflow in CCITTFaxStream::lookChar() cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 TeTeX is an implementation of TeX. TeX takes a text file and a set of formatting commands as input, and creates a typesetter-independent DeVice Independent (dvi) file as output. Alin Rad Pop discovered several flaws in the handling of PDF files. An attacker could create a malicious PDF file that would cause TeTeX to crash or potentially execute arbitrary code when opened. (CVE-2007-4352, CVE-2007-5392, CVE-2007-5393) A flaw was found in the t1lib library, used in the handling of Type 1 fonts. An attacker could create a malicious file that would cause TeTeX to crash, or potentially execute arbitrary code when opened. (CVE-2007-4033) Users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. Important Copyright 2007 Red Hat, Inc. CVE-2007-4033 CVE-2007-4352 CVE-2007-5392 CVE-2007-5393 CVE-2007-4352 xpdf memory corruption in DCTStream::readProgressiveDataUnit() CVE-2007-5392 xpdf buffer overflow in DCTStream::reset() CVE-2007-5393 xpdf buffer overflow in CCITTFaxStream::lookChar() CVE-2007-4033 t1lib font filename string overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 TeTeX is an implementation of TeX. TeX takes a text file and a set of formatting commands as input, and creates a typesetter-independent DeVice Independent (dvi) file as output. Alin Rad Pop discovered a flaw in the handling of PDF files. An attacker could create a malicious PDF file that would cause TeTeX to crash, or potentially execute arbitrary code when opened. (CVE-2007-5393) Users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. Important Copyright 2007 Red Hat, Inc. CVE-2007-5393 CVE-2007-5393 xpdf buffer overflow in CCITTFaxStream::lookChar() cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Xpdf is an X Window System-based viewer for Portable Document Format (PDF) files. Alin Rad Pop discovered several flaws in the handling of PDF files. An attacker could create a malicious PDF file that would cause Xpdf to crash, or potentially execute arbitrary code when opened. (CVE-2007-4352, CVE-2007-5392, CVE-2007-5393) Users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. Important Copyright 2007 Red Hat, Inc. CVE-2007-4352 CVE-2007-5392 CVE-2007-5393 CVE-2007-4352 xpdf memory corruption in DCTStream::readProgressiveDataUnit() CVE-2007-5392 xpdf buffer overflow in DCTStream::reset() CVE-2007-5393 xpdf buffer overflow in CCITTFaxStream::lookChar() cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Xpdf is an X Window System-based viewer for Portable Document Format (PDF) files. Alin Rad Pop discovered several flaws in the handling of PDF files. An attacker could create a malicious PDF file that would cause Xpdf to crash, or potentially execute arbitrary code when opened. (CVE-2007-4352, CVE-2007-5392, CVE-2007-5393) A flaw was found in the t1lib library, used in the handling of Type 1 fonts. An attacker could create a malicious file that would cause Xpdf to crash, or potentially execute arbitrary code when opened. (CVE-2007-4033) Users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. Important Copyright 2007 Red Hat, Inc. CVE-2007-4033 CVE-2007-4352 CVE-2007-5392 CVE-2007-5393 CVE-2007-4352 xpdf memory corruption in DCTStream::readProgressiveDataUnit() CVE-2007-5392 xpdf buffer overflow in DCTStream::reset() CVE-2007-5393 xpdf buffer overflow in CCITTFaxStream::lookChar() CVE-2007-4033 t1lib font filename string overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 OpenLDAP is an open source suite of LDAP (Lightweight Directory Access Protocol) applications and development tools. A flaw was found in the way OpenLDAP's slapd daemon handled malformed objectClasses LDAP attributes. A local or remote attacker could create an LDAP request which could cause a denial of service by crashing slapd. (CVE-2007-5707) In addition, the following feature was added: * OpenLDAP client tools now have new option to configure their bind timeout. All users are advised to upgrade to these updated openldap packages, which contain a backported patch to correct this issue and provide this security enhancement. Important Copyright 2007 Red Hat, Inc. CVE-2007-5707 CVE-2007-5707 openldap slapd DoS via objectClasses attribute cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 OpenLDAP is an open source suite of LDAP (Lightweight Directory Access Protocol) applications and development tools. A flaw was found in the way OpenLDAP's slapd daemon handled malformed objectClasses LDAP attributes. An authenticated local or remote attacker could create an LDAP request which could cause a denial of service by crashing slapd. (CVE-2007-5707) In addition, the following feature was added: * OpenLDAP client tools now have new option to configure their bind timeout. All users are advised to upgrade to these updated openldap packages, which contain a backported patch to correct this issue and provide this security enhancement. Moderate Copyright 2007 Red Hat, Inc. CVE-2007-5707 CVE-2007-5707 openldap slapd DoS via objectClasses attribute cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 IBM's 1.5.0 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. The applet caching mechanism of the Java Runtime Environment (JRE) did not correctly process the creation of network connections. A remote attacker could use this flaw to create connections to services on machines other than the one that the applet was downloaded from. (CVE-2007-5232) Multiple vulnerabilities existed in Java Web Start allowing an untrusted application to determine the location of the Java Web Start cache. (CVE-2007-5238) Untrusted Java Web Start Applications or Java Applets were able to drag and drop a file to a Desktop Application. A user-assisted remote attacker could use this flaw to move or copy arbitrary files. (CVE-2007-5239) The Java Runtime Environment allowed untrusted Java Applets or applications to display oversized Windows. This could be used by remote attackers to hide security warning banners. (CVE-2007-5240) Unsigned Java Applets communicating via a HTTP proxy could allow a remote attacker to violate the Java security model. A cached malicious Applet could create network connections to services on other machines. (CVE-2007-5273) Unsigned Applets loaded with Mozilla Firefox or Opera browsers allowed remote attackers to violate the Java security model. A cached malicious Applet could create network connections to services on other machines. (CVE-2007-5274) All users of java-ibm-1.5.0 are advised to upgrade to these updated packages, that contain IBM's 1.5.0 SR6 Java release which resolves these issues. Important Copyright 2007 Red Hat, Inc. CVE-2007-5232 CVE-2007-5238 CVE-2007-5240 CVE-2007-5239 CVE-2007-5273 CVE-2007-5274 CVE-2007-5232 Security Vulnerability in Java Runtime Environment With Applet Caching CVE-2007-5238 Vulnerabilities in Java Web Start allow to determine the location of the Java Web Start cache CVE-2007-5239 Untrusted Application or Applet May Move or Copy Arbitrary Files CVE-2007-5240 Applets or Applications are allowed to display an oversized window CVE-2007-5273 Anti-DNS Pinning and Java Applets with HTTP proxy CVE-2007-5274 Anti-DNS Pinning and Java Applets with Opera and Firefox cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 3 Simple Network Management Protocol (SNMP) is a protocol used for network management. A flaw was discovered in the way net-snmp handled certain requests. A remote attacker who can connect to the snmpd UDP port (161 by default) could send a malicious packet causing snmpd to crash, resulting in a denial of service. (CVE-2007-5846) All users of net-snmp are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. Moderate Copyright 2007 Red Hat, Inc. CVE-2007-5846 CVE-2007-5846 net-snmp remote DoS via udp packet cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 OpenOffice.org is an office productivity suite. HSQLDB is a Java relational database engine used by OpenOffice.org Base. It was discovered that HSQLDB could allow the execution of arbitrary public static Java methods. A carefully crafted odb file opened in OpenOffice.org Base could execute arbitrary commands with the permissions of the user running OpenOffice.org. (CVE-2007-4575) It was discovered that HSQLDB did not have a password set on the 'sa' user. If HSQLDB has been configured as a service, a remote attacker who could connect to the HSQLDB port (tcp 9001) could execute arbitrary SQL commands. (CVE-2003-0845) Note that in Red Hat Enterprise Linux 5, HSQLDB is not enabled as a service by default, and needs manual configuration in order to work as a service. Users of OpenOffice.org or HSQLDB should update to these errata packages which contain backported patches to correct these issues. Moderate Copyright 2007 Red Hat, Inc. CVE-2003-0845 CVE-2007-4575 CVE-2007-4575 OpenOffice.org-base allows Denial-of-Service and command injection CVE-2003-0845 JBoss HSQLDB component remote command injection cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The kernel packages contain the Linux kernel, the core of any Linux operating system. A flaw was found in the handling of process death signals. This allowed a local user to send arbitrary signals to the suid-process executed by that user. A successful exploitation of this flaw depends on the structure of the suid-program and its signal handling. (CVE-2007-3848, Important) A flaw was found in the IPv4 forwarding base. This allowed a local user to cause a denial of service. (CVE-2007-2172, Important) A flaw was found where a corrupted executable file could cause cross-region memory mappings on Itanium systems. This allowed a local user to cause a denial of service. (CVE-2006-4538, Moderate) A flaw was found in the stack expansion when using the hugetlb kernel on PowerPC systems. This allowed a local user to cause a denial of service. (CVE-2007-3739, Moderate) A flaw was found in the aacraid SCSI driver. This allowed a local user to make ioctl calls to the driver that should be restricted to privileged users. (CVE-2007-4308, Moderate) As well, these updated packages fix the following bug: * a bug in the TCP header prediction code may have caused "TCP: Treason uncloaked!" messages to be logged. In certain situations this may have lead to TCP connections hanging or aborting. Red Hat Enterprise Linux 3 users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. Important Copyright 2007 Red Hat, Inc. CVE-2007-2172 CVE-2007-3848 CVE-2006-4538 CVE-2007-3739 CVE-2007-4308 IPV4 'Treason uncloaked' message - hints at a more general kernel/net bug CVE-2007-2172 fib_semantics.c out of bounds access vulnerability CVE-2007-3848 Privilege escalation via PR_SET_PDEATHSIG CVE-2007-4308 kernel: Missing ioctl() permission checks in aacraid driver CVE-2006-4538 kernel: Local DoS with corrupted ELF CVE-2007-3739 LTC36188-Don't allow the stack to grow into hugetlb reserved regions cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The kdegraphics packages contain applications for the K Desktop Environment. This includes kpdf, a PDF file viewer. Alin Rad Pop discovered a flaw in the handling of PDF files. An attacker could create a malicious PDF file that would cause kpdf to crash, or potentially execute arbitrary code when opened. (CVE-2007-5393) All kdegraphics users are advised to upgrade to these updated packages, which contain backported patches to resolve this issue. Important Copyright 2007 Red Hat, Inc. CVE-2007-5393 CVE-2007-5393 xpdf buffer overflow in CCITTFaxStream::lookChar() cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 PCRE is a Perl-compatible regular expression library. Flaws were found in the way PCRE handles certain malformed regular expressions. If an application linked against PCRE, such as Konqueror, parses a malicious regular expression, it may be possible to run arbitrary code as the user running the application. (CVE-2005-4872, CVE-2006-7227) Users of PCRE are advised to upgrade to these updated packages, which contain a backported patch to correct these issues. Important Copyright 2007 Red Hat, Inc. CVE-2005-4872 CVE-2006-7227 CVE-2006-7227 pcre integer overflow CVE-2005-4872 pcre incorrect memory requirement computation cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 PCRE is a Perl-compatible regular expression library. Flaws were discovered in the way PCRE handles certain malformed regular expressions. If an application linked against PCRE, such as Konqueror, parses a malicious regular expression, it may have been possible to run arbitrary code as the user running the application. (CVE-2006-7225, CVE-2006-7226, CVE-2006-7228, CVE-2006-7230) Users of PCRE are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. Red Hat would like to thank Ludwig Nussel for reporting these issues. Important Copyright 2008 Red Hat, Inc. CVE-2006-7225 CVE-2006-7226 CVE-2006-7228 CVE-2006-7230 CVE-2006-7228 pcre integer overflow CVE-2006-7225 pcre miscalculation of memory requirements for malformed Posix character class CVE-2006-7226 pcre miscalculation of memory requirements for repeated subpattern containing a named recursion or subroutine reference CVE-2006-7230 pcre miscalculation of memory requirements if options are changed during pattern compilation cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 PCRE is a Perl-compatible regular expression library. Flaws were discovered in the way PCRE handles certain malformed regular expressions. If an application linked against PCRE, such as Konqueror, parsed a malicious regular expression, it may have been possible to run arbitrary code as the user running the application. (CVE-2006-7228, CVE-2007-1660) Users of PCRE are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. Red Hat would like to thank Ludwig Nussel for reporting these issues. Important Copyright 2008 Red Hat, Inc. CVE-2006-7228 CVE-2007-1660 CVE-2007-1660 pcre regular expression flaws CVE-2006-7228 pcre integer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 PCRE is a Perl-compatible regular expression library. Flaws were discovered in the way PCRE handles certain malformed regular expressions. If an application linked against PCRE, such as Konqueror, parses a malicious regular expression, it may have been possible to run arbitrary code as the user running the application. (CVE-2006-7225, CVE-2006-7226, CVE-2006-7228, CVE-2006-7230, CVE-2007-1659) Users of PCRE are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. Red Hat would like to thank Ludwig Nussel for reporting these issues. Important Copyright 2007 Red Hat, Inc. CVE-2006-7225 CVE-2006-7226 CVE-2006-7228 CVE-2006-7230 CVE-2007-1659 CVE-2007-1659 pcre regular expression flaws CVE-2006-7228 pcre integer overflow CVE-2006-7225 pcre miscalculation of memory requirements for malformed Posix character class CVE-2006-7226 pcre miscalculation of memory requirements for repeated subpattern containing a named recursion or subroutine reference CVE-2006-7230 pcre miscalculation of memory requirements if options are changed during pattern compilation cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Python is an interpreted, interactive, object-oriented programming language. An integer overflow flaw was discovered in the way Python's pcre module handled certain regular expressions. If a Python application used the pcre module to compile and execute untrusted regular expressions, it may be possible to cause the application to crash, or allow arbitrary code execution with the privileges of the Python interpreter. (CVE-2006-7228) A flaw was discovered in the strxfrm() function of Python's locale module. Strings generated by this function were not properly NULL-terminated. This may possibly cause disclosure of data stored in the memory of a Python application using this function. (CVE-2007-2052) Multiple integer overflow flaws were discovered in Python's imageop module. If an application written in Python used the imageop module to process untrusted images, it could cause the application to crash, enter an infinite loop, or possibly execute arbitrary code with the privileges of the Python interpreter. (CVE-2007-4965) Users of Python are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. Moderate Copyright 2007 Red Hat, Inc. CVE-2006-7228 CVE-2007-2052 CVE-2007-4965 CVE-2007-2052 python off-by-one locale.strxfrm() (possible memory disclosure) CVE-2007-4965 python imageop module heap corruption CVE-2006-7228 pcre integer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Cairo is a vector graphics library designed to provide high-quality display and print output. An integer overflow flaw was found in the way Cairo processes PNG images. If an application linked against Cairo processes a malicious PNG image, it is possible to execute arbitrary code as the user running the application. (CVE-2007-5503) Users of Cairo are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. Important Copyright 2007 Red Hat, Inc. CVE-2007-5503 CVE-2007-5503 cairo integer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Firefox is an open source Web browser. A cross-site scripting flaw was found in the way Firefox handled the jar: URI scheme. It was possible for a malicious website to leverage this flaw and conduct a cross-site scripting attack against a user running Firefox. (CVE-2007-5947) Several flaws were found in the way Firefox processed certain malformed web content. A webpage containing malicious content could cause Firefox to crash, or potentially execute arbitrary code as the user running Firefox. (CVE-2007-5959) A race condition existed when Firefox set the "window.location" property for a webpage. This flaw could allow a webpage to set an arbitrary Referer header, which may lead to a Cross-site Request Forgery (CSRF) attack against websites that rely only on the Referer header for protection. (CVE-2007-5960) Users of Firefox are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. Critical Copyright 2007 Red Hat, Inc. CVE-2007-5947 CVE-2007-5959 CVE-2007-5960 CVE-2007-5947 Mozilla jar: protocol XSS CVE-2007-5959 Multiple flaws in Firefox CVE-2007-5960 Mozilla Cross-site Request Forgery flaw cpe:/o:redhat:rhel_eus cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Thunderbird is a standalone mail and newsgroup client. A cross-site scripting flaw was found in the way Thunderbird handled the jar: URI scheme. It may be possible for a malicious HTML mail message to leverage this flaw, and conduct a cross-site scripting attack against a user running Thunderbird. (CVE-2007-5947) Several flaws were found in the way Thunderbird processed certain malformed HTML mail content. A HTML mail message containing malicious content could cause Thunderbird to crash, or potentially execute arbitrary code as the user running Thunderbird. (CVE-2007-5959) A race condition existed when Thunderbird set the "window.location" property when displaying HTML mail content. This flaw could allow a HTML mail message to set an arbitrary Referer header, which may lead to a Cross-site Request Forgery (CSRF) attack against websites that rely only on the Referer header for protection. (CVE-2007-5960) All users of thunderbird are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. Moderate Copyright 2007 Red Hat, Inc. CVE-2007-5947 CVE-2007-5959 CVE-2007-5960 CVE-2007-5947 Mozilla jar: protocol XSS CVE-2007-5959 Multiple flaws in Firefox CVE-2007-5960 Mozilla Cross-site Request Forgery flaw cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 SeaMonkey is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. A cross-site scripting flaw was found in the way SeaMonkey handled the jar: URI scheme. It was possible for a malicious website to leverage this flaw and conduct a cross-site scripting attack against a user running SeaMonkey. (CVE-2007-5947) Several flaws were found in the way SeaMonkey processed certain malformed web content. A webpage containing malicious content could cause SeaMonkey to crash, or potentially execute arbitrary code as the user running SeaMonkey. (CVE-2007-5959) A race condition existed when Seamonkey set the "window.location" property for a webpage. This flaw could allow a webpage to set an arbitrary Referer header, which may lead to a Cross-site Request Forgery (CSRF) attack against websites that rely only on the Referer header for protection. (CVE-2007-5960) Users of SeaMonkey are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. Critical Copyright 2008 Red Hat, Inc. CVE-2007-5947 CVE-2007-5959 CVE-2007-5960 CVE-2007-5947 Mozilla jar: protocol XSS CVE-2007-5959 Multiple flaws in Firefox CVE-2007-5960 Mozilla Cross-site Request Forgery flaw cpe:/o:redhat:rhel_eus cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 OpenOffice.org is an office productivity suite. HSQLDB is the default database engine shipped with OpenOffice.org 2. It was discovered that HSQLDB could allow the execution of arbitrary public static Java methods. A carefully crafted odb file opened in OpenOffice.org Base could execute arbitrary commands with the permissions of the user running OpenOffice.org. (CVE-2007-4575) All users of OpenOffice.org are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. Moderate Copyright 2007 Red Hat, Inc. CVE-2007-4575 CVE-2007-4575 OpenOffice.org-base allows Denial-of-Service and command injection cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The ht://Dig system is a complete World Wide Web indexing and searching system for a small domain or intranet. A cross-site scripting flaw was discovered in a htdig search page. An attacker could construct a carefully crafted URL, which once visited by an unsuspecting user, could cause a user's Web browser to execute malicious script in the context of the visited htdig search Web page. (CVE-2007-6110) Users of htdig are advised to upgrade to these updated packages, which contain backported patch to resolve this issue. Moderate Copyright 2007 Red Hat, Inc. CVE-2007-6110 CVE-2007-6110 htdig htsearch XSS vulnerability cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated packages fix the following security issues: A flaw was found in the handling of IEEE 802.11 frames, which affected several wireless LAN modules. In certain situations, a remote attacker could trigger this flaw by sending a malicious packet over a wireless network, causing a denial of service (kernel crash). (CVE-2007-4997, Important) A memory leak was found in the Red Hat Content Accelerator kernel patch. A local user could use this flaw to cause a denial of service (memory exhaustion). (CVE-2007-5494, Important) Additionally, the following bugs were fixed: * when running the "ls -la" command on an NFSv4 mount point, incorrect file attributes, and outdated file size and timestamp information were returned. As well, symbolic links may have been displayed as actual files. * a bug which caused the cmirror write path to appear deadlocked after a successful recovery, which may have caused syncing to hang, has been resolved. * a kernel panic which occurred when manually configuring LCS interfaces on the IBM S/390 has been resolved. * when running a 32-bit binary on a 64-bit system, it was possible to mmap page at address 0 without flag MAP_FIXED set. This has been resolved in these updated packages. * the Non-Maskable Interrupt (NMI) Watchdog did not increment the NMI interrupt counter in "/proc/interrupts" on systems running an AMD Opteron CPU. This caused systems running NMI Watchdog to restart at regular intervals. * a bug which caused the diskdump utility to run very slowly on devices using Fusion MPT has been resolved. All users are advised to upgrade to these updated packages, which resolve these issues. Important Copyright 2007 Red Hat, Inc. CVE-2007-4997 CVE-2007-5494 CVE-2007-5494 open(O_ATOMICLOOKUP) leaks dentry CVE-2007-4997 kernel ieee80211 off-by-two integer underflow NFS problem#3 of IT 106473 - 32-bit jiffy wrap around - NFS inode cmirror write path appears deadlocked after recovery is successful LTC39618-kernel panic making lcs interfaces online on LPAR [RHEL4] Odd behaviour in mmap [RHEL4] NMI Watchdog Not Working in RHEL 4 U6 Opteron Systems RHEL4.6 [REGRESSION] diskdump works with mpt fusion too slow. cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Samba is a suite of programs used by machines to share files, printers, and other information. A stack buffer overflow flaw was found in the way Samba authenticates remote users. A remote unauthenticated user could trigger this flaw to cause the Samba server to crash, or execute arbitrary code with the permissions of the Samba server. (CVE-2007-6015) Red Hat would like to thank Alin Rad Pop of Secunia Research for responsibly disclosing this issue. This update also fixes a regression caused by the fix for CVE-2007-4572, which prevented some clients from being able to properly access shares. Users of Samba are advised to upgrade to these updated packages, which contain a backported patch to resolve these issues. Critical Copyright 2008 Red Hat, Inc. CVE-2007-6015 Critical Regression caused by CVE-2007-4572 CVE-2007-6015 samba: send_mailslot() buffer overflow Critical Regression caused by CVE-2007-4572 Critical Regression caused by CVE-2007-4572 cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 The flash-plugin package contains a Firefox-compatible Adobe Flash Player Web browser plug-in. Several input validation flaws were found in the way Flash Player displays certain content. It may be possible to execute arbitrary code on a victim's machine, if the victim opens a malicious Adobe Flash file. (CVE-2007-4768, CVE-2007-6242, CVE-2007-6246) A flaw was found in the way Flash Player handled the asfunction: protocol. Malformed SWF files could perform a cross-site scripting attack. (CVE-2007-6244) A flaw was found in the way Flash Player modified HTTP request headers. Malicious content could allow Flash Player to conduct a HTTP response splitting attack. (CVE-2007-6245) A flaw was found in the way Flash Player processes certain SWF content. A malicious SWF file could allow a remote attacker to conduct a port scanning attack from the client's machine. (CVE-2007-4324) A flaw was found in the way Flash Player establishes TCP sessions. A remote attacker could use Flash Player to conduct a DNS rebinding attack. (CVE-2007-5275) Users of Adobe Flash Player are advised to upgrade to this updated package, which contains version 9.0.115.0 and resolves these issues. Critical Copyright 2007 Red Hat, Inc. CVE-2007-5275 CVE-2007-4324 CVE-2007-4768 CVE-2007-6242 CVE-2007-6243 CVE-2007-6244 CVE-2007-6245 CVE-2007-6246 CVE-2007-4324 Flash movie can determine whether a TCP port is open CVE-2007-5275 Flash plugin DNS rebinding CVE-2007-4768: pcre before 7.3 incorrect unicode in char class optimization CVE-2007-6242 flash: abitrary code execution CVE-2007-6244 flash: XSS via asfunction protocol CVE-2007-6245 flash: HTTP headers modification CVE-2007-6246 flash: privilege escalation cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 5 The autofs utility controls the operation of the automount daemon, which automatically mounts and unmounts file systems after a period of inactivity. There was a security issue with the default installed configuration of autofs version 5 whereby the entry for the "hosts" map did not specify the "nosuid" mount option. A local user with control of a remote nfs server could create a setuid root executable within an exported filesystem on the remote nfs server that, if mounted using the default hosts map, would allow the user to gain root privileges. (CVE-2007-5964) Due to the fact that autofs always mounted hosts map entries suid by default, autofs has now been altered to always use the "nosuid" option when mounting from the default hosts map. The "suid" option must be explicitly given in the master map entry to revert to the old behavior. This change affects only the hosts map which corresponds to the /net entry in the default configuration. Users are advised to upgrade to these updated autofs packages, which resolve this issue. Red Hat would like to thank Josh Lange for reporting this issue. Important Copyright 2007 Red Hat, Inc. CVE-2007-5964 CVE-2007-5964 autofs defaults don't restrict suid in /net cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The autofs utility controls the operation of the automount daemon, which automatically mounts and unmounts file systems after a period of inactivity. The autofs version 5 package was made available as a technology preview in Red Hat Enterprise Linux version 4.6. There was a security issue with the default installed configuration of autofs version 5 whereby the entry for the "hosts" map did not specify the "nosuid" mount option. A local user with control of a remote nfs server could create a setuid root executable within an exported filesystem on the remote nfs server that, if mounted using the default hosts map, would allow the user to gain root privileges. (CVE-2007-5964) Due to the fact that autofs version 5 always mounted hosts map entries suid by default, autofs has now been altered to always use the "nosuid" option when mounting from the default hosts map. The "suid" option must be explicitly given in the master map entry to revert to the old behavior. This change affects only the hosts map which corresponds to the /net entry in the default configuration. Users are advised to upgrade to these updated autofs5 packages, which resolve this issue. Red Hat would like to thank Josh Lange for reporting this issue. Important Copyright 2007 Red Hat, Inc. CVE-2007-5964 CVE-2007-5964 autofs defaults don't restrict suid in /net cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 5 Squid is a high-performance proxy caching server for Web clients, supporting FTP, gopher, and HTTP data objects. A flaw was found in the way squid stored HTTP headers for cached objects in system memory. An attacker could cause squid to use additional memory, and trigger high CPU usage when processing requests for certain cached objects, possibly leading to a denial of service. (CVE-2007-6239) Users of squid are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. Moderate Copyright 2007 Red Hat, Inc. CVE-2007-6239 CVE-2007-6239 squid: DoS in cache updates cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 MySQL is a multi-user, multi-threaded SQL database server. MySQL is a client/server implementation consisting of a server daemon (mysqld), and many different client programs and libraries. A flaw was found in a way MySQL handled symbolic links when database tables were created with explicit "DATA" and "INDEX DIRECTORY" options. An authenticated user could create a table that would overwrite tables in other databases, causing destruction of data or allowing the user to elevate privileges. (CVE-2007-5969) A flaw was found in a way MySQL's InnoDB engine handled spatial indexes. An authenticated user could create a table with spatial indexes, which are not supported by the InnoDB engine, that would cause the mysql daemon to crash when used. This issue only causes a temporary denial of service, as the mysql daemon will be automatically restarted after the crash. (CVE-2007-5925) All mysql users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. Important Copyright 2007 Red Hat, Inc. CVE-2007-5969 CVE-2007-5925 CVE-2007-5925 mysql DoS in the InnoDB Engine CVE-2007-5969 mysql: possible system table information overwrite using symlinks cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The libexif packages contain the Exif library. Exif is an image file format specification that enables metadata tags to be added to existing JPEG, TIFF and RIFF files. The Exif library makes it possible to parse an Exif file and read this metadata. An infinite recursion flaw was found in the way libexif parses Exif image tags. If a victim opens a carefully crafted Exif image file, it could cause the application linked against libexif to crash. (CVE-2007-6351) An integer overflow flaw was found in the way libexif parses Exif image tags. If a victim opens a carefully crafted Exif image file, it could cause the application linked against libexif to execute arbitrary code, or crash. (CVE-2007-6352) Users of libexif are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. Moderate Copyright 2007 Red Hat, Inc. CVE-2007-6351 CVE-2007-6352 CVE-2007-6351 libexif infinite recursion flaw (DoS) CVE-2007-6352 libexif integer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The libexif packages contain the Exif library. Exif is an image file format specification that enables metadata tags to be added to existing JPEG, TIFF and RIFF files. The Exif library makes it possible to parse an Exif file and read this metadata. An integer overflow flaw was found in the way libexif parses Exif image tags. If a victim opens a carefully crafted Exif image file, it could cause the application linked against libexif to execute arbitrary code, or crash. (CVE-2007-6352) Users of libexif are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. Moderate Copyright 2007 Red Hat, Inc. CVE-2007-6352 CVE-2007-6352 libexif integer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The autofs utility controls the operation of the automount daemon, which automatically mounts file systems when you use them, and unmounts them when you are not using them. This can include network file systems and CD-ROMs. There was a security issue with the default configuration of autofs version 5, whereby the entry for the "-hosts" map did not specify the "nodev" mount option. A local user with control of a remote NFS server could create special device files on the remote file system, that if mounted using the default "-hosts" map, could allow the user to access important system devices. (CVE-2007-6285) This issue is similar to CVE-2007-5964, which fixed a missing "nosuid" mount option in autofs. Both the "nodev" and "nosuid" options should be enabled to prevent a possible compromise of machine integrity. Due to the fact that autofs always mounted "-hosts" map entries "dev" by default, autofs has now been altered to always use the "nodev" option when mounting from the default "-hosts" map. The "dev" option must be explicitly given in the master map entry to revert to the old behavior. This change affects only the "-hosts" map which corresponds to the "/net" entry in the default configuration. All autofs users are advised to upgrade to these updated packages, which resolve this issue. Red Hat would like to thank Tim Baum for reporting this issue. Important Copyright 2007 Red Hat, Inc. CVE-2007-6285 CVE-2007-6285 autofs default doesn't set nodev in /net cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The autofs utility controls the operation of the automount daemon, which automatically mounts file systems when you use them, and unmounts them when you are not using them. This can include network file systems and CD-ROMs. The autofs5 packages were made available as a technology preview in Red Hat Enterprise Linux 4.6. There was a security issue with the default configuration of autofs version 5, whereby the entry for the "-hosts" map did not specify the "nodev" mount option. A local user with control of a remote NFS server could create special device files on the remote file system, that if mounted using the default "-hosts" map, could allow the user to access important system devices. (CVE-2007-6285) This issue is similar to CVE-2007-5964, which fixed a missing "nosuid" mount option in autofs. Both the "nodev" and "nosuid" options should be enabled to prevent a possible compromise of machine integrity. Due to the fact that autofs always mounted "-hosts" map entries "dev" by default, autofs has now been altered to always use the "nodev" option when mounting from the default "-hosts" map. The "dev" option must be explicitly given in the master map entry to revert to the old behavior. This change affects only the "-hosts" map which corresponds to the "/net" entry in the default configuration. All autofs5 users are advised to upgrade to these updated packages, which resolve this issue. Red Hat would like to thank Tim Baum for reporting this issue. Important Copyright 2007 Red Hat, Inc. CVE-2007-6285 CVE-2007-6285 autofs default doesn't set nodev in /net cpe:/o:redhat:enterprise_linux