Red Hat OVAL Patch Definition Merger 2 5.3 2008-01-23T07:25:08 Red Hat Enterprise Linux 3 The htdig system is a complete world wide web indexing and searching system for a small domain or intranet. This system is not meant to replace the need for powerful internet-wide search systems like Lycos, Infoseek, Webcrawler and AltaVista. Instead it is meant to cover the search needs for a single company, campus, or even a particular sub section of a web site. As opposed to some WAIS-based or web-server based search engines, htdig can span several web servers at a site. The type of these different web servers doesn't matter as long as they understand the HTTP 1.0 protocol. htdig is also used by KDE to search KDE's HTML documentation. Bugs fixed in this update include: * rundig script (/usr/bin/rundig) missed "$opts" on two calls to htfuzzy. * htfuzzy segfaulted when database is empty. * htdig was unable to open empty database on 64bits. * htdig showed full path to configuration file when accessed from the web. Users should upgrade to this updated package, which resolves these issues. Copyright 2007 Red Hat, Inc. CVE-2000-1191 cpe://redhat:enterprise_linux:3 Red Hat Enterprise Linux 4 New features introduced in this update include: * Xen paravirt kernels for x86/x86_64* * CONFIG_SERIAL_8250_NR_UARTS is increased to 64 * implement diskdump support for sata_nv driver * implement diskdump support for ibmvscsi driver * add netdump support to 8139cp driver * update CIFS to 1.45 Added Platform support: * add support to allow disabling of MSI on PHX6700/6702 SHPC * add support for Intel ICH9 chipset * add PCIe power management quirk * add support for H206 processor PowerNow! with new freqency control * add support for AMD quad-core systems * add support for RDTSCP * add MCE Thresholding support for AMD 0x10 family processors * add PCI-Express support for Altix * add support for eClipz * add new ppc host ethernet adapter device driver * update SHUB2 hardware support The following device drivers have been upgraded to new versions: 3w-9xxx: 2.26.04.010 to 2.26.05.007 ahci: 1.2 to 2.0 ata_piix: 1.05 to 2.00ac7 bnx2: 1.4.38 to 1.4.43-rh bonding: 2.6.3 to 2.6.3-rh cciss: 2.6.10 to 2.6.14 e1000: 7.0.33-k2-NAPI to 7.2.7-k2-NAPI ibmvscsic: 1.5.6 to 1.5.7 ipr: 2.0.11.2 to 2.0.11.4 ixgb: 1.0.100-k2-NAPI to 1.0.109-k2-NAPI libata: 1.20 to 2.00 megaraid_mm: 2.20.2.6 to 2.20.2.6rh megaraid_sas: 00.00.02.03-RH1 to 00.00.03.05 mptbase: 3.02.62.01rh to 3.02.73rh pdc_adma: 0.03 to 0.04 qla2100: 8.01.04-d7 to 8.01.04-d8-rh1 qla2200: 8.01.04-d7 to 8.01.04-d8-rh1 qla2300: 8.01.04-d7 to 8.01.04-d8-rh1 qla2322: 8.01.04-d7 to 8.01.04-d8-rh1 qla2400: 8.01.04-d7 to 8.01.04-d8-rh1 qla2xxx: 8.01.04-d7 to 8.01.04-d8-rh1 qla6312: 8.01.04-d7 to 8.01.04-d8-rh1 r8169: 1.2 to 2.2LK-NAPI sata_mv: 0.6 to 0.7 sata_nv: 0.8 to 3.2 sata_promise: 1.04 to 1.05 sata_qstor: 0.05 to 0.06 sata_sil: 0.9 to 2.0 sata_sis: 0.5 to 0.6 sata_svw: 1.07 to 2.0 sata_sx4: 0.8 to 0.9 sata_uli: 0.5 to 1.0 sata_via: 1.1 to 2.0 sata_vsc: 1.2 to 2.0 sky2: 1.1 to 1.6 stex: 2.9.0.13 to 3.0.0.1 tg3: 3.52-rh to 3.64-rh Infiniband update from 1.0 to OFED-1.1 code base There were several bug fixes in various parts of the kernel. The ongoing effort to resolve these problems has resulted in a marked improvement in the reliability and scalability of Red Hat Enterprise Linux 4. Copyright 2007 Red Hat, Inc. CVE-2005-2873 CVE-2005-3257 CVE-2006-0557 CVE-2006-1863 CVE-2007-1592 CVE-2007-3379 cpe://redhat:enterprise_linux:4 Red Hat Enterprise Linux 3 The unzip utility is used to list, test, or extract files from a zip archive. This update addresses the following issues: * a TOCTOU bug that could be exploited to change file permissions (CVE-2005-2475) * a long filename buffer overflow vulnerability (CVE-2005-4667) All users of unzip should upgrade to these updated packages, which resolve these issues. Copyright 2007 Red Hat, Inc. CVE-2005-2475 CVE-2005-4667 cpe://redhat:enterprise_linux:3 Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 OpenOffice.org is an office productivity suite that includes desktop applications such as a word processor, spreadsheet, presentation manager, formula editor, and drawing program. Several integer overflow bugs were found in the OpenOffice.org WMF file processor. An attacker could create a carefully crafted WMF file that could cause OpenOffice.org to execute arbitrary code when the file was opened by a victim. (CVE-2006-5870) All users of OpenOffice.org are advised to upgrade to these updated packages, which contain a backported fix for this issue. Important Copyright 2007 Red Hat, Inc. CVE-2006-5870 cpe://redhat:enterprise_linux:3 cpe://redhat:enterprise_linux:4 Red Hat Enterprise Linux 3 XFree86 is an implementation of the X Window System, which provides the core functionality for the Linux graphical desktop. iDefense reported three integer overflow flaws in the XFree86 Render and DBE extensions. A malicious authorized client could exploit this issue to cause a denial of service (crash) or potentially execute arbitrary code with root privileges on the XFree86 server. (CVE-2006-6101, CVE-2006-6102, CVE-2006-6103) Users of XFree86 should upgrade to these updated packages, which contain a backported patch and is not vulnerable to this issue. Important Copyright 2007 Red Hat, Inc. CVE-2006-6101 CVE-2006-6102 CVE-2006-6103 cpe://redhat:enterprise_linux:3 Red Hat Enterprise Linux 4 X.org is an open source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon. iDefense reported three integer overflow flaws in the X.org Render and DBE extensions. A malicious authorized client could exploit this issue to cause a denial of service (crash) or potentially execute arbitrary code with root privileges on the X.org server. (CVE-2006-6101, CVE-2006-6102, CVE-2006-6103) Users of X.org should upgrade to these updated packages, which contain a backported patch and is not vulnerable to this issue. Important Copyright 2007 Red Hat, Inc. CVE-2006-6101 CVE-2006-6102 CVE-2006-6103 cpe://redhat:enterprise_linux:4 Red Hat Enterprise Linux 4 D-BUS is a system for sending messages between applications. It is used both for the systemwide message bus service, and as a per-user-login-session messaging facility. Kimmo Hämäläinen discovered a flaw in the way D-BUS processes certain messages. It is possible for a local unprivileged D-BUS process to disrupt the ability of another D-BUS process to receive messages. (CVE-2006-6107) Users of dbus are advised to upgrade to these updated packages, which contain backported patches to correct this issue. Moderate Copyright 2007 Red Hat, Inc. CVE-2006-6107 cpe://redhat:enterprise_linux:4 Red Hat Enterprise Linux Extras 3 Red Hat Enterprise Linux Extras 4 The flash-plugin package contains a Firefox-compatible Adobe Flash Player browser plug-in. A flaw was found in the way the Adobe Flash Player generates HTTP requests. It was possible for a malicious Adobe Flash file to modify the HTTP header of the client request, which could be leveraged to exploit certain HTTP proxy and web server flaws. (CVE-2006-5330) Users of Adobe Flash Player should upgrade to this updated package, which contains version 7.0.69 and is not vulnerable to this issue. Moderate Copyright 2007 Red Hat, Inc. CVE-2006-5330 cpe://redhat:rhel_extras:3 cpe://redhat:rhel_extras:4 Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The GNOME Structured File Library is a utility library for reading and writing structured file formats. A heap based buffer overflow flaw was found in the way GNOME Structured File Library processes and certain OLE documents. If an person opened a specially crafted OLE file, it could cause the client application to crash or execute arbitrary code. (CVE-2006-4514) Users of GNOME Structured File Library should upgrade to these updated packages, which contain a backported patch that resolves this issue. Moderate Copyright 2007 Red Hat, Inc. CVE-2006-4514 cpe://redhat:enterprise_linux:3 cpe://redhat:enterprise_linux:4 Red Hat Enterprise Linux 4 The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the security issues described below: * a flaw in the get_fdb_entries function of the network bridging support that allowed a local user to cause a denial of service (crash) or allow a potential privilege escalation (CVE-2006-5751, Important) * an information leak in the _block_prepare_write function that allowed a local user to read kernel memory (CVE-2006-4813, Important) * an information leak in the copy_from_user() implementation on s390 and s390x platforms that allowed a local user to read kernel memory (CVE-2006-5174, Important) * a flaw in the handling of /proc/net/ip6_flowlabel that allowed a local user to cause a denial of service (infinite loop) (CVE-2006-5619, Important) * a flaw in the AIO handling that allowed a local user to cause a denial of service (panic) (CVE-2006-5754, Important) * a race condition in the mincore system core that allowed a local user to cause a denial of service (system hang) (CVE-2006-4814, Moderate) * a flaw in the ELF handling on ia64 and sparc architectures which triggered a cross-region memory mapping and allowed a local user to cause a denial of service (CVE-2006-4538, Moderate) * a flaw in the dev_queue_xmit function of the network subsystem that allowed a local user to cause a denial of service (data corruption) (CVE-2006-6535, Moderate) * a flaw in the handling of CAPI messages over Bluetooth that allowed a remote system to cause a denial of service or potential code execution. This flaw is only exploitable if a privileged user establishes a connection to a malicious remote device (CVE-2006-6106, Moderate) * a flaw in the listxattr system call that allowed a local user to cause a denial of service (data corruption) or potential privilege escalation. To successfully exploit this flaw the existence of a bad inode is required first (CVE-2006-5753, Moderate) * a flaw in the __find_get_block_slow function that allowed a local privileged user to cause a denial of service (CVE-2006-5757, Low) * various flaws in the supported filesystems that allowed a local privileged user to cause a denial of service (CVE-2006-5823, CVE-2006-6053, CVE-2006-6054, CVE-2006-6056, Low) In addition to the security issues described above, fixes for the following bugs were included: * initialization error of the tg3 driver with some BCM5703x network card * a memory leak in the audit subsystem * x86_64 nmi watchdog timeout is too short * ext2/3 directory reads fail intermittently Red Hat would like to thank Dmitriy Monakhov and Kostantin Khorenko for reporting issues fixed in this erratum. All Red Hat Enterprise Linux 4 users are advised to upgrade their kernels to the packages associated with their machine architecture and configurations as listed in this erratum. Important Copyright 2007 Red Hat, Inc. CVE-2006-4538 CVE-2006-4813 CVE-2006-4814 CVE-2006-5174 CVE-2006-5619 CVE-2006-5751 CVE-2006-5753 CVE-2006-5754 CVE-2006-5757 CVE-2006-5823 CVE-2006-6053 CVE-2006-6054 CVE-2006-6056 CVE-2006-6106 CVE-2006-6535 cpe://redhat:enterprise_linux:4 Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 ImageMagick is an image display and manipulation tool for the X Window System that can read and write multiple image formats. Several security flaws were discovered in the way ImageMagick decodes DCM, PALM, and SGI graphic files. An attacker may be able to execute arbitrary code on a victim's machine if they were able to trick the victim into opening a specially crafted image file (CVE-2006-5456, CVE-2006-5868). A heap overflow flaw was found in ImageMagick. An attacker may be able to execute arbitrary code on a victim's machine if they were able to trick the victim into opening a specially crafted file (CVE-2006-2440). This issue only affected the version of ImageMagick distributed with Red Hat Enterprise Linux 4. Users of ImageMagick should upgrade to these updated packages, which contain backported patches to correct these issues. Moderate Copyright 2007 Red Hat, Inc. CVE-2006-2440 CVE-2006-5456 CVE-2006-5868 cpe://redhat:enterprise_linux:3 cpe://redhat:enterprise_linux:4 Red Hat Enterprise Linux Extras 4 The Adobe Acrobat Reader allows users to view and print documents in portable document format (PDF). A cross site scripting flaw was found in the way the Adobe Reader Plugin processes certain malformed URLs. A malicious web page could inject arbitrary javascript into the browser session which could possibly lead to a cross site scripting attack. (CVE-2007-0045) Two arbitrary code execution flaws were found in the way Adobe Reader processes malformed document files. It may be possible to execute arbitrary code on a victim's machine if the victim opens a malicious PDF file. (CVE-2006-5857, CVE-2007-0046) All users of Acrobat Reader are advised to upgrade to these updated packages, which contain Acrobat Reader version 7.0.9 and are not vulnerable to these issues. Critical Copyright 2007 Red Hat, Inc. CVE-2006-5857 CVE-2007-0045 CVE-2007-0046 cpe://redhat:rhel_extras:4 Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Fetchmail is a remote mail retrieval and forwarding utility. A denial of service flaw was found when Fetchmail was run in multidrop mode. A malicious mail server could send a message without headers which would cause Fetchmail to crash (CVE-2005-4348). This issue did not affect the version of Fetchmail shipped with Red Hat Enterprise Linux 2.1 or 3. A flaw was found in the way Fetchmail used TLS encryption to connect to remote hosts. Fetchmail provided no way to enforce the use of TLS encryption and would not authenticate POP3 protocol connections properly (CVE-2006-5867). This update corrects this issue by enforcing TLS encryption when the "sslproto" configuration directive is set to "tls1". Users of Fetchmail should update to these packages, which contain backported patches to correct these issues. Note: This update may break configurations which assumed that Fetchmail would use plain-text authentication if TLS encryption is not supported by the POP3 server even if the "sslproto" directive is set to "tls1". If you are using a custom configuration that depended on this behavior you will need to modify your configuration appropriately after installing this update. Moderate Copyright 2007 Red Hat, Inc. CVE-2005-4348 CVE-2006-5867 cpe://redhat:enterprise_linux:3 cpe://redhat:enterprise_linux:4 Red Hat Enterprise Linux 4 The gtk2 package contains the GIMP ToolKit (GTK+), a library for creating graphical user interfaces for the X Window System. A bug was found in the way the gtk2 GdkPixbufLoader() function processed invalid input. Applications linked against gtk2 could crash if they loaded a malformed image file. (CVE-2007-0010) Users of gtk2 are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. Moderate Copyright 2007 Red Hat, Inc. CVE-2007-0010 cpe://redhat:enterprise_linux:4 Red Hat Enterprise Linux Extras 3 The Adobe Reader allows users to view and print documents in portable document format (PDF). A cross site scripting flaw was found in the way the Adobe Reader Plugin processes certain malformed URLs. A malicious web page could inject arbitrary javascript into the browser session which could possibly lead to a cross site scripting attack. (CVE-2007-0045) Two arbitrary code execution flaws were found in the way Adobe Reader processes malformed document files. It may be possible to execute arbitrary code on a victim's machine if the victim opens a malicious PDF file. (CVE-2006-5857, CVE-2007-0046) Please note that Adobe Reader 7.0.9 requires versions of several system libraries that were not shipped with Red Hat Enterprise Linux 3. This update contains additional packages that provide the required system library versions for Adobe Reader. These additional packages are only required by Adobe Reader and do not replace or affect any other aspects of a Red Hat Enterprise Linux 3 system. All users of Adobe Reader are advised to upgrade to these updated packages, which contain Adobe Reader version 7.0.9 and additional libraries to correct these issues. Critical Copyright 2007 Red Hat, Inc. CVE-2006-5857 CVE-2007-0045 CVE-2007-0046 cpe://redhat:rhel_extras:3 Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 SquirrelMail is a standards-based webmail package written in PHP. Several cross-site scripting bugs were discovered in SquirrelMail. An attacker could inject arbitrary Javascript or HTML content into SquirrelMail pages by tricking a user into visiting a carefully crafted URL. (CVE-2006-6142) Users of SquirrelMail should upgrade to this erratum package, which contains a backported patch to correct these issues. Notes: - After installing this update, users are advised to restart their httpd service to ensure that the updated version functions correctly. - config.php should NOT be modified, please modify config_local.php instead. - Known Bug: The configuration generator may potentially produce bad options that interfere with the operation of this application. Applying specific config changes to config_local.php manually is recommended. Moderate Copyright 2007 Red Hat, Inc. CVE-2006-6142 cpe://redhat:enterprise_linux:3 cpe://redhat:enterprise_linux:4 Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 OpenOffice.org is an office productivity suite that includes desktop applications such as a word processor, spreadsheet, presentation manager, formula editor, and drawing program. iDefense reported an integer overflow flaw in libwpd, a library used internally to OpenOffice.org for handling Word Perfect documents. An attacker could create a carefully crafted Word Perfect file that could cause OpenOffice.org to crash or possibly execute arbitrary code if the file was opened by a victim. (CVE-2007-1466) John Heasman discovered a stack overflow in the StarCalc parser in OpenOffice.org. An attacker could create a carefully crafted StarCalc file that could cause OpenOffice.org to crash or possibly execute arbitrary code if the file was opened by a victim. (CVE-2007-0238) Flaws were discovered in the way OpenOffice.org handled hyperlinks. An attacker could create an OpenOffice.org document which could run commands if a victim opened the file and clicked on a malicious hyperlink. (CVE-2007-0239) All users of OpenOffice.org are advised to upgrade to these updated packages, which contain backported fixes for these issues. Red Hat would like to thank Fridrich Štrba for alerting us to the issue CVE-2007-1466 and providing a patch, and John Heasman for CVE-2007-0238. Important Copyright 2007 Red Hat, Inc. CVE-2007-0238 CVE-2007-0239 CVE-2007-1466 cpe://redhat:enterprise_linux:3 cpe://redhat:enterprise_linux:4 Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 ISC BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols. A flaw was found in the way BIND processed certain DNS query responses. On servers that had enabled DNSSEC validation, this could allow an remote attacker to cause a denial of service. (CVE-2007-0494) For users of Red Hat Enterprise Linux 3, the previous BIND update caused an incompatible change to the default configuration that resulted in rndc not sharing the key with the named daemon. This update corrects this bug and restores the behavior prior to that update. Updating the bind package in Red Hat Enterprise Linux 3 could result in nonfunctional configuration in case the bind-libs package was not updated. This update corrects this bug by adding the correct dependency on bind-libs. Users of BIND are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Moderate Copyright 2007 Red Hat, Inc. CVE-2007-0494 cpe://redhat:enterprise_linux:3 cpe://redhat:enterprise_linux:4 Red Hat Enterprise Linux 5 libwpd is a library for reading and converting Word Perfect documents. iDefense reported several overflow bugs in libwpd. An attacker could create a carefully crafted Word Perfect file that could cause an application linked with libwpd, such as OpenOffice, to crash or possibly execute arbitrary code if the file was opened by a victim. (CVE-2007-0002) All users are advised to upgrade to these updated packages, which contain a backported fix for this issue. Red Hat would like to thank Fridrich Štrba for alerting us to these issues and providing a patch. Important Copyright 2007 Red Hat, Inc. CVE-2007-0002 CVE-2007-1466 cpe://redhat:enterprise_linux:5 Red Hat Enterprise Linux 5 ISC BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols. A flaw was found in the way BIND processed certain DNS query responses. On servers that had enabled DNSSEC validation, this could allow a remote attacker to cause a denial of service. (CVE-2007-0494) A use-after-free flaw was found in BIND. On servers that have recursion enabled, this could allow a remote attacker to cause a denial of service. (CVE-2007-0493) Users of BIND are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Moderate Copyright 2007 Red Hat, Inc. CVE-2007-0493 CVE-2007-0494 cpe://redhat:enterprise_linux:5 Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Samba provides file and printer sharing services to SMB/CIFS clients. A denial of service flaw was found in Samba's smbd daemon process. An authenticated user could send a specially crafted request which would cause a smbd child process to enter an infinite loop condition. By opening multiple CIFS sessions, an attacker could exhaust system resources. (CVE-2007-0452) Users of Samba should update to these packages, which contain a backported patch to correct this issue. Moderate Copyright 2007 Red Hat, Inc. CVE-2007-0452 cpe://redhat:enterprise_linux:3 cpe://redhat:enterprise_linux:4 Red Hat Enterprise Linux 5 Samba provides file and printer sharing services to SMB/CIFS clients. A denial of service flaw was found in Samba's smbd daemon process. An authenticated user could send a specially crafted request which would cause a smbd child process to enter an infinite loop condition. By opening multiple CIFS sessions, an attacker could exhaust system resources (CVE-2007-0452). Users of Samba should update to these packages, which contain a backported patch to correct this issue. Moderate Copyright 2007 Red Hat, Inc. CVE-2007-0452 cpe://redhat:enterprise_linux:5 Red Hat Enterprise Linux Extras 3 Red Hat Enterprise Linux Extras 4 IBM's 1.4.2 SR7 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. A number of security issues were found: Vulnerabilities were discovered in the Java Runtime Environment. An untrusted applet could use these vulnerabilities to access data from other applets. (CVE-2006-6736, CVE-2006-6737) Serialization flaws were discovered in the Java Runtime Environment. An untrusted applet or application could use these flaws to elevate its privileges. (CVE-2006-6745) Buffer overflow vulnerabilities were discovered in the Java Runtime Environment. An untrusted applet could use these flaws to elevate its privileges, possibly reading and writing local files or executing local applications. (CVE-2006-6731) Daniel Bleichenbacher discovered an attack on PKCS #1 v1.5 signatures. Where an RSA key with exponent 3 is used it may be possible for an attacker to forge a PKCS #1 v1.5 signature that would be incorrectly verified by implementations that do not check for excess data in the RSA exponentiation result of the signature. (CVE-2006-4339) All users of java-1.4.2-ibm should upgrade to these updated packages, which contain IBM's 1.4.2 SR7 Java release which resolves these issues. Critical Copyright 2007 Red Hat, Inc. CVE-2006-4339 CVE-2006-6731 CVE-2006-6736 CVE-2006-6737 CVE-2006-6745 cpe://redhat:rhel_extras:3 cpe://redhat:rhel_extras:4 Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 PostgreSQL is an advanced Object-Relational database management system (DBMS). A flaw was found in the way the PostgreSQL server handles certain SQL-language functions. An authenticated user could execute a sequence of commands which could crash the PostgreSQL server or possibly read from arbitrary memory locations. A user would need to have permissions to drop and add database tables to be able to exploit this issue (CVE-2007-0555). A denial of service flaw was found affecting the PostgreSQL server running on Red Hat Enterprise Linux 4 systems. An authenticated user could execute an SQL command which could crash the PostgreSQL server. (CVE-2006-5540) Users of PostgreSQL should upgrade to these updated packages containing PostgreSQL version 7.4.16 or 7.3.18, which correct these issues. Moderate Copyright 2007 Red Hat, Inc. CVE-2006-5540 CVE-2007-0555 cpe://redhat:enterprise_linux:3 cpe://redhat:enterprise_linux:4 Red Hat Enterprise Linux 4 The bluez-utils package contains Bluetooth daemons and utilities. A flaw was found in the Bluetooth HID daemon (hidd). A remote attacker would have been able to inject keyboard and mouse events via a Bluetooth connection without any authorization. (CVE-2006-6899) Note that Red Hat Enterprise Linux does not come with the Bluetooth HID daemon enabled by default. Users of bluez-utils are advised to upgrade to these updated packages, which contains a backported patch to correct this issue. Moderate Copyright 2007 Red Hat, Inc. CVE-2006-6899 cpe://redhat:enterprise_linux:4 Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Wireshark is a program for monitoring network traffic. Several denial of service bugs were found in Wireshark's LLT, IEEE 802.11, http, and tcp protocol dissectors. It was possible for Wireshark to crash or stop responding if it read a malformed packet off the network. (CVE-2007-0456, CVE-2007-0457, CVE-2007-0458, CVE-2007-0459) Users of Wireshark should upgrade to these updated packages containing Wireshark version 0.99.5, which is not vulnerable to these issues. Low Copyright 2007 Red Hat, Inc. CVE-2007-0456 CVE-2007-0457 CVE-2007-0458 CVE-2007-0459 cpe://redhat:enterprise_linux:3 cpe://redhat:enterprise_linux:4 cpe://redhat:enterprise_linux:5 Red Hat Enterprise Linux 5 PostgreSQL is an advanced Object-Relational database management system (DBMS). Two flaws were found in the way the PostgreSQL server handles certain SQL-language functions. An authenticated user could execute a sequence of commands which could crash the PostgreSQL server or possibly read from arbitrary memory locations. A user would need to have permissions to drop and add database tables to be able to exploit these issues (CVE-2007-0555, CVE-2007-0556). Several denial of service flaws were found in the PostgreSQL server. An authenticated user could execute certain SQL commands which could crash the PostgreSQL server (CVE-2006-5540, CVE-2006-5541, CVE-2006-5542). Users of PostgreSQL should upgrade to these updated packages containing PostgreSQL version 8.1.8 which corrects these issues. Moderate Copyright 2007 Red Hat, Inc. CVE-2006-5540 CVE-2006-5541 CVE-2006-5542 CVE-2007-0555 CVE-2007-0556 cpe://redhat:enterprise_linux:5