Red Hat OVAL Patch Definition Merger 2 5.3 2009-01-05T06:19:42 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The tog-pegasus packages provide OpenPegasus Web-Based Enterprise Management (WBEM) services. WBEM is a platform and resource independent DMTF standard that defines a common information model, and communication protocol for monitoring and controlling resources. During a security audit, a stack buffer overflow flaw was found in the PAM authentication code in the OpenPegasus CIM management server. An unauthenticated remote user could trigger this flaw and potentially execute arbitrary code with root privileges. (CVE-2008-0003) Note that the tog-pegasus packages are not installed by default on Red Hat Enterprise Linux. The Red Hat Security Response Team believes that it would be hard to remotely exploit this issue to execute arbitrary code, due to the default SELinux targeted policy on Red Hat Enterprise Linux 4 and 5, and the SELinux memory protection tests enabled by default on Red Hat Enterprise Linux 5. Users of tog-pegasus should upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing the updated packages the tog-pegasus service should be restarted. Critical Copyright 2008 Red Hat, Inc. CVE-2008-0003 cpe://redhat:enterprise_linux:4 cpe://redhat:enterprise_linux:5 Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The e2fsprogs packages contain a number of utilities for creating, checking, modifying, and correcting any inconsistencies in second and third extended (ext2/ext3) file systems. Multiple integer overflow flaws were found in the way e2fsprogs processes file system content. If a victim opens a carefully crafted file system with a program using e2fsprogs, it may be possible to execute arbitrary code with the permissions of the victim. It may be possible to leverage this flaw in a virtualized environment to gain access to other virtualized hosts. (CVE-2007-5497) Red Hat would like to thank Rafal Wojtczuk of McAfee Avert Research for responsibly disclosing these issues. Users of e2fsprogs are advised to upgrade to these updated packages, which contain a backported patch to resolve these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2007-5497 CVE-2007-5497 e2fsprogs multiple integer overflows cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Apache HTTP Server is a popular Web server. A flaw was found in the mod_imap module. On sites where mod_imap was enabled and an imagemap file was publicly available, a cross-site scripting attack was possible. (CVE-2007-5000) A flaw was found in the mod_autoindex module. On sites where directory listings are used, and the "AddDefaultCharset" directive has been removed from the configuration, a cross-site scripting attack was possible against Web browsers which did not correctly derive the response character set following the rules in RFC 2616. (CVE-2007-4465) A flaw was found in the mod_proxy module. On sites where a reverse proxy is configured, a remote attacker could send a carefully crafted request that would cause the Apache child process handling that request to crash. On sites where a forward proxy is configured, an attacker could cause a similar crash if a user could be persuaded to visit a malicious site using the proxy. This could lead to a denial of service if using a threaded Multi-Processing Module. (CVE-2007-3847) A flaw was found in the mod_status module. On sites where mod_status was enabled and the status pages were publicly available, a cross-site scripting attack was possible. (CVE-2007-6388) A flaw was found in the mod_proxy_ftp module. On sites where mod_proxy_ftp was enabled and a forward proxy was configured, a cross-site scripting attack was possible against Web browsers which did not correctly derive the response character set following the rules in RFC 2616. (CVE-2008-0005) Users of Apache httpd should upgrade to these updated packages, which contain backported patches to resolve these issues. Users should restart httpd after installing this update. Moderate Copyright 2008 Red Hat, Inc. CVE-2007-3847 CVE-2007-4465 CVE-2007-5000 CVE-2007-6388 CVE-2008-0005 cpe://redhat:enterprise_linux:3 Red Hat Enterprise Linux 4 The Apache HTTP Server is a popular Web server. A flaw was found in the mod_imap module. On sites where mod_imap was enabled and an imagemap file was publicly available, a cross-site scripting attack was possible. (CVE-2007-5000) A flaw was found in the mod_autoindex module. On sites where directory listings are used, and the "AddDefaultCharset" directive has been removed from the configuration, a cross-site scripting attack was possible against Web browsers which do not correctly derive the response character set following the rules in RFC 2616. (CVE-2007-4465) A flaw was found in the mod_status module. On sites where mod_status was enabled and the status pages were publicly available, a cross-site scripting attack was possible. (CVE-2007-6388) A flaw was found in the mod_proxy_ftp module. On sites where mod_proxy_ftp was enabled and a forward proxy was configured, a cross-site scripting attack was possible against Web browsers which do not correctly derive the response character set following the rules in RFC 2616. (CVE-2008-0005) Users of Apache httpd should upgrade to these updated packages, which contain backported patches to resolve these issues. Users should restart httpd after installing this update. Moderate Copyright 2008 Red Hat, Inc. CVE-2007-4465 CVE-2007-5000 CVE-2007-6388 CVE-2008-0005 cpe://redhat:enterprise_linux:4 Red Hat Enterprise Linux 5 The Apache HTTP Server is a popular Web server. A flaw was found in the mod_imagemap module. On sites where mod_imagemap was enabled and an imagemap file was publicly available, a cross-site scripting attack was possible. (CVE-2007-5000) A flaw was found in the mod_autoindex module. On sites where directory listings are used, and the "AddDefaultCharset" directive has been removed from the configuration, a cross-site scripting attack might have been possible against Web browsers which do not correctly derive the response character set following the rules in RFC 2616. (CVE-2007-4465) A flaw was found in the mod_status module. On sites where mod_status was enabled and the status pages were publicly available, a cross-site scripting attack was possible. (CVE-2007-6388) A flaw was found in the mod_proxy_balancer module. On sites where mod_proxy_balancer was enabled, a cross-site scripting attack against an authorized user was possible. (CVE-2007-6421) A flaw was found in the mod_proxy_balancer module. On sites where mod_proxy_balancer was enabled, an authorized user could send a carefully crafted request that would cause the Apache child process handling that request to crash. This could lead to a denial of service if using a threaded Multi-Processing Module. (CVE-2007-6422) A flaw was found in the mod_proxy_ftp module. On sites where mod_proxy_ftp was enabled and a forward proxy was configured, a cross-site scripting attack was possible against Web browsers which do not correctly derive the response character set following the rules in RFC 2616. (CVE-2008-0005) Users of Apache httpd should upgrade to these updated packages, which contain backported patches to resolve these issues. Users should restart httpd after installing this update. Moderate Copyright 2008 Red Hat, Inc. CVE-2007-4465 CVE-2007-5000 CVE-2007-6388 CVE-2007-6421 CVE-2007-6422 CVE-2008-0005 cpe://redhat:enterprise_linux:5 Red Hat Enterprise Linux 3 XFree86 is an implementation of the X Window System, which provides the core functionality for the Linux graphical desktop. Two integer overflow flaws were found in the XFree86 server's EVI and MIT-SHM modules. A malicious authorized client could exploit these issues to cause a denial of service (crash), or potentially execute arbitrary code with root privileges on the XFree86 server. (CVE-2007-6429) A heap based buffer overflow flaw was found in the way the XFree86 server handled malformed font files. A malicious local user could exploit this issue to potentially execute arbitrary code with the privileges of the XFree86 server. (CVE-2008-0006) A memory corruption flaw was found in the XFree86 server's XInput extension. A malicious authorized client could exploit this issue to cause a denial of service (crash), or potentially execute arbitrary code with root privileges on the XFree86 server. (CVE-2007-6427) An information disclosure flaw was found in the XFree86 server's TOG-CUP extension. A malicious authorized client could exploit this issue to cause a denial of service (crash), or potentially view arbitrary memory content within the XFree86 server's address space. (CVE-2007-6428) An integer and heap overflow flaw were found in the X.org font server, xfs. A user with the ability to connect to the font server could have been able to cause a denial of service (crash), or potentially execute arbitrary code with the permissions of the font server. (CVE-2007-4568, CVE-2007-4990) A flaw was found in the XFree86 server's XC-SECURITY extension, that could have allowed a local user to verify the existence of an arbitrary file, even in directories that are not normally accessible to that user. (CVE-2007-5958) Users of XFree86 are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. Important Copyright 2008 Red Hat, Inc. CVE-2007-4568 CVE-2007-4990 CVE-2007-5958 CVE-2007-6427 CVE-2007-6428 CVE-2007-6429 CVE-2008-0006 cpe://redhat:enterprise_linux:3 Red Hat Enterprise Linux 4 The xorg-x11 packages contain X.Org, an open source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon. Two integer overflow flaws were found in the X.Org server's EVI and MIT-SHM modules. A malicious authorized client could exploit these issues to cause a denial of service (crash), or potentially execute arbitrary code with root privileges on the X.Org server. (CVE-2007-6429) A heap based buffer overflow flaw was found in the way the X.Org server handled malformed font files. A malicious local user could exploit these issues to potentially execute arbitrary code with the privileges of the X.Org server. (CVE-2008-0006) A memory corruption flaw was found in the X.Org server's XInput extension. A malicious authorized client could exploit this issue to cause a denial of service (crash), or potentially execute arbitrary code with root privileges on the X.Org server. (CVE-2007-6427) An input validation flaw was found in the X.Org server's XFree86-Misc extension. A malicious authorized client could exploit this issue to cause a denial of service (crash), or potentially execute arbitrary code with root privileges on the X.Org server. (CVE-2007-5760) An information disclosure flaw was found in the X.Org server's TOG-CUP extension. A malicious authorized client could exploit this issue to cause a denial of service (crash), or potentially view arbitrary memory content within the X server's address space. (CVE-2007-6428) An integer and heap overflow flaw were found in the X.Org font server, xfs. A user with the ability to connect to the font server could have been able to cause a denial of service (crash), or potentially execute arbitrary code with the permissions of the font server. (CVE-2007-4568, CVE-2007-4990) A flaw was found in the X.Org server's XC-SECURITY extension, that could have allowed a local user to verify the existence of an arbitrary file, even in directories that are not normally accessible to that user. (CVE-2007-5958) Users of xorg-x11 should upgrade to these updated packages, which contain backported patches to resolve these issues. Important Copyright 2008 Red Hat, Inc. CVE-2007-4568 CVE-2007-4990 CVE-2007-5760 CVE-2007-5958 CVE-2007-6427 CVE-2007-6428 CVE-2007-6429 CVE-2008-0006 cpe://redhat:enterprise_linux:4 Red Hat Enterprise Linux 5 X.Org is an open source implementation of the X Window System. It provides basic low-level functionality that full-fledged graphical user interfaces are designed upon. Two integer overflow flaws were found in the X.Org server's EVI and MIT-SHM modules. A malicious authorized client could exploit these issues to cause a denial of service (crash), or potentially execute arbitrary code with root privileges on the X.Org server. (CVE-2007-6429) A memory corruption flaw was found in the X.Org server's XInput extension. A malicious authorized client could exploit this issue to cause a denial of service (crash), or potentially execute arbitrary code with root privileges on the X.Org server. (CVE-2007-6427) An input validation flaw was found in the X.Org server's XFree86-Misc extension. A malicious authorized client could exploit this issue to cause a denial of service (crash), or potentially execute arbitrary code with root privileges on the X.Org server. (CVE-2007-5760) An information disclosure flaw was found in the X.Org server's TOG-CUP extension. A malicious authorized client could exploit this issue to cause a denial of service (crash), or potentially view arbitrary memory content within the X server's address space. (CVE-2007-6428) A flaw was found in the X.Org server's XC-SECURITY extension, that could have allowed a local user to verify the existence of an arbitrary file, even in directories that are not normally accessible to that user. (CVE-2007-5958) Users of xorg-x11-server should upgrade to these updated packages, which contain backported patches to resolve these issues. Important Copyright 2008 Red Hat, Inc. CVE-2007-5760 CVE-2007-5958 CVE-2007-6427 CVE-2007-6428 CVE-2007-6429 cpe://redhat:enterprise_linux:5 Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The libxml2 packages provide a library that allows you to manipulate XML files. It includes support to read, modify, and write XML and HTML files. A denial of service flaw was found in the way libxml2 processes certain content. If an application linked against libxml2 processes malformed XML content, it could cause the application to stop responding. (CVE-2007-6284) Red Hat would like to thank the Google Security Team for responsibly disclosing this issue. All users are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. Important Copyright 2008 Red Hat, Inc. CVE-2007-6284 cpe://redhat:enterprise_linux:3 cpe://redhat:enterprise_linux:4 cpe://redhat:enterprise_linux:5 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 PostgreSQL is an advanced Object-Relational database management system (DBMS). The postgresql packages include the client programs and libraries needed to access a PostgreSQL DBMS server. Will Drewry discovered multiple flaws in PostgreSQL's regular expression engine. An authenticated attacker could use these flaws to cause a denial of service by causing the PostgreSQL server to crash, enter an infinite loop, or use extensive CPU and memory resources while processing queries containing specially crafted regular expressions. Applications that accept regular expressions from untrusted sources may expose this problem to unauthorized attackers. (CVE-2007-4769, CVE-2007-4772, CVE-2007-6067) A privilege escalation flaw was discovered in PostgreSQL. An authenticated attacker could create an index function that would be executed with administrator privileges during database maintenance tasks, such as database vacuuming. (CVE-2007-6600) A privilege escalation flaw was discovered in PostgreSQL's Database Link library (dblink). An authenticated attacker could use dblink to possibly escalate privileges on systems with "trust" or "ident" authentication configured. Please note that dblink functionality is not enabled by default, and can only by enabled by a database administrator on systems with the postgresql-contrib package installed. (CVE-2007-3278, CVE-2007-6601) All postgresql users should upgrade to these updated packages, which include PostgreSQL 7.4.19 and 8.1.11, and resolve these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2007-3278 CVE-2007-4769 CVE-2007-4772 CVE-2007-6067 CVE-2007-6600 CVE-2007-6601 cpe://redhat:enterprise_linux:4 cpe://redhat:enterprise_linux:5 Red Hat Enterprise Linux 3 PostgreSQL is an advanced Object-Relational database management system (DBMS). The postgresql packages include the client programs and libraries needed to access a PostgreSQL DBMS server. A privilege escalation flaw was discovered in PostgreSQL. An authenticated attacker could create an index function that would be executed with administrator privileges during database maintenance tasks, such as database vacuuming. (CVE-2007-6600) A privilege escalation flaw was discovered in PostgreSQL's Database Link library (dblink). An authenticated attacker could use dblink to possibly escalate privileges on systems with "trust" or "ident" authentication configured. Please note that dblink functionality is not enabled by default, and can only by enabled by a database administrator on systems with the postgresql-contrib package installed. (CVE-2007-3278, CVE-2007-6601) All postgresql users should upgrade to these updated packages, which include PostgreSQL 7.3.21 and resolve these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2007-3278 CVE-2007-6600 CVE-2007-6601 cpe://redhat:enterprise_linux:3 Red Hat Enterprise Linux 5 Tomcat is a servlet container for Java Servlet and JavaServer Pages technologies. A directory traversal vulnerability existed in the Apache Tomcat webdav servlet. In some configurations it allowed remote authenticated users to read files accessible to the local tomcat process. (CVE-2007-5461) The default security policy in the JULI logging component did not restrict access permissions to files. This could be misused by untrusted web applications to access and write arbitrary files in the context of the tomcat process. (CVE-2007-5342) Users of Tomcat should update to these errata packages, which contain backported patches and are not vulnerable to these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2007-5461 CVE-2007-5342 cpe://redhat:enterprise_linux:5 Red Hat Enterprise Linux 4 The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated kernel packages fix the following security issues: A flaw was found in the virtual filesystem (VFS). A local unprivileged user could truncate directories to which they had write permission; this could render the contents of the directory inaccessible. (CVE-2008-0001, Important) A flaw was found in the implementation of ptrace. A local unprivileged user could trigger this flaw and possibly cause a denial of service (system hang). (CVE-2007-5500, Important) A flaw was found in the way the Red Hat Enterprise Linux 4 kernel handled page faults when a CPU used the NUMA method for accessing memory on Itanium architectures. A local unprivileged user could trigger this flaw and cause a denial of service (system panic). (CVE-2007-4130, Important) A possible NULL pointer dereference was found in the chrp_show_cpuinfo function when using the PowerPC architecture. This may have allowed a local unprivileged user to cause a denial of service (crash). (CVE-2007-6694, Moderate) A flaw was found in the way core dump files were created. If a local user can get a root-owned process to dump a core file into a directory, which the user has write access to, they could gain read access to that core file. This could potentially grant unauthorized access to sensitive information. (CVE-2007-6206, Moderate) Two buffer overflow flaws were found in the Linux kernel ISDN subsystem. A local unprivileged user could use these flaws to cause a denial of service. (CVE-2007-6063, CVE-2007-6151, Moderate) As well, these updated packages fix the following bug: * when moving volumes that contain multiple segments, and a mirror segment is not the first in the mapping table, running the "pvmove /dev/[device] /dev/[device]" command caused a kernel panic. A "kernel: Unable to handle kernel paging request at virtual address [address]" error was logged by syslog. Red Hat Enterprise Linux 4 users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. Important Copyright 2008 Red Hat, Inc. CVE-2007-4130 CVE-2007-5500 CVE-2007-6063 CVE-2007-6151 CVE-2007-6206 CVE-2007-6694 CVE-2008-0001 CVE-2007-4130 panic caused by set_mempolicy with MPOL_BIND CVE-2007-5500 kernel hang via userspace PTRACE+waitid CVE-2007-6063 Linux Kernel isdn_net_setcfg buffer overflow CVE-2007-6694 /proc/cpuinfo DoS on some ppc machines CVE-2007-6206 Issue with core dump owner CVE-2007-6151 I4L: fix isdn_ioctl memory issue pvmove causes kernel panic CVE-2008-0001 kernel: filesystem corruption by unprivileged user via directory truncation cpe://redhat:enterprise_linux:4 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Wireshark is a program for monitoring network traffic. Wireshark was previously known as Ethereal. Several flaws were found in Wireshark. Wireshark could crash or possibly execute arbitrary code as the user running Wireshark if it read a malformed packet off the network. (CVE-2007-6112, CVE-2007-6114, CVE-2007-6115, CVE-2007-6117) Several denial of service bugs were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off the network. (CVE-2007-6111, CVE-2007-6113, CVE-2007-6116, CVE-2007-6118, CVE-2007-6119, CVE-2007-6120, CVE-2007-6121, CVE-2007-6438, CVE-2007-6439, CVE-2007-6441, CVE-2007-6450, CVE-2007-6451) As well, Wireshark switched from using net-snmp to libsmi, which is included in this errata. Users of wireshark should upgrade to these updated packages, which contain Wireshark version 0.99.7, and resolve these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2007-6111 CVE-2007-6112 CVE-2007-6113 CVE-2007-6114 CVE-2007-6115 CVE-2007-6116 CVE-2007-6117 CVE-2007-6118 CVE-2007-6119 CVE-2007-6120 CVE-2007-6121 CVE-2007-6438 CVE-2007-6439 CVE-2007-6441 CVE-2007-6450 CVE-2007-6451 cpe://redhat:enterprise_linux:4 cpe://redhat:enterprise_linux:5 Red Hat Enterprise Linux 3 Wireshark is a program for monitoring network traffic. Wireshark was previously known as Ethereal. Several flaws were found in Wireshark. Wireshark could crash or possibly execute arbitrary code as the user running Wireshark if it read a malformed packet off the network. (CVE-2007-6114, CVE-2007-6115, CVE-2007-6117) Several denial of service bugs were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off the network. (CVE-2007-3389, CVE-2007-3390, CVE-2007-3391, CVE-2007-3392, CVE-2007-3392, CVE-2007-3393, CVE-2007-6113, CVE-2007-6118, CVE-2007-6120, CVE-2007-6121, CVE-2007-6450, CVE-2007-6451) As well, Wireshark switched from using net-snmp to libsmi, which is included in this errata. Users of wireshark should upgrade to these updated packages, which contain Wireshark version 0.99.7, and resolve these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2007-3389 CVE-2007-3390 CVE-2007-3391 CVE-2007-3392 CVE-2007-3393 CVE-2007-6113 CVE-2007-6114 CVE-2007-6115 CVE-2007-6117 CVE-2007-6118 CVE-2007-6120 CVE-2007-6121 CVE-2007-6450 CVE-2007-6451 cpe://redhat:enterprise_linux:3 Red Hat Enterprise Linux 5 The setroubleshoot packages provide tools to help diagnose SELinux problems. When AVC messages occur, an alert is generated that gives information about the problem, and how to create a resolution. A flaw was found in the way sealert wrote diagnostic messages to a temporary file. A local unprivileged user could perform a symbolic link attack, and cause arbitrary files, writable by other users, to be overwritten when a victim runs sealert. (CVE-2007-5495) A flaw was found in the way sealert displayed records from the setroubleshoot database as unescaped HTML. An local unprivileged attacker could cause AVC denial events with carefully crafted process or file names, injecting arbitrary HTML tags into the logs, which could be used as a scripting attack, or to confuse the user running sealert. (CVE-2007-5496) Additionally, the following bugs have been fixed in these update packages: * in certain situations, the sealert process used excessive CPU. These alerts are now capped at a maximum of 30, D-Bus is used instead of polling, threads causing excessive wake-up have been removed, and more robust exception-handling has been added. * different combinations of the sealert '-a', '-l', '-H', and '-v' options did not work as documented. * the SETroubleShoot browser did not allow multiple entries to be deleted. * the SETroubleShoot browser did not display statements that displayed whether SELinux was using Enforcing or Permissive mode, particularly when warning about SELinux preventions. * in certain cases, the SETroubleShoot browser gave incorrect instructions regarding paths, and would not display the full paths to files. * adding an email recipient to the recipients option from the /etc/setroubleshoot/setroubleshoot.cfg file and then generating an SELinux denial caused a traceback error. The recipients option has been removed; email addresses are now managed through the SETroubleShoot browser by navigating to File -> Edit Email Alert List, or by editing the /var/lib/setroubleshoot/email_alert_recipients file. * the setroubleshoot browser incorrectly displayed a period between the httpd_sys_content_t context and the directory path. * on the PowerPC architecture, The get_credentials() function in access_control.py would generate an exception when it called the socket.getsockopt() function. * The code which handles path information has been completely rewritten so that assumptions on path information which were misleading are no longer made. If the path information is not present, it will be presented as "<Unknown>". * setroubleshoot had problems with non-English locales under certain circumstances, possibly causing a python traceback, an sealert window pop-up containing an error, a "RuntimeError: maximum recursion depth exceeded" error after a traceback, or a "UnicodeEncodeError" after a traceback. * sealert ran even when SELinux was disabled, causing "attempt to open server connection failed" errors. Sealert now checks whether SELinux is enabled or disabled. * the database setroubleshoot maintains was world-readable. The setroubleshoot database is now mode 600, and is owned by the root user and group. * setroubleshoot did not validate requests to set AVC filtering options for users. In these updated packages, checks ensure that requests originate from the filter owner. * the previous setroubleshoot packages required a number of GNOME packages and libraries. setroubleshoot has therefore been split into 2 packages: setroubleshoot and setroubleshoot-server. * a bug in decoding the audit field caused an "Input is not proper UTF-8, indicate encoding!" error message. The decoding code has been rewritten. * a file name mismatch in the setroubleshoot init script would cause a failure to shut down. Users of setroubleshoot are advised to upgrade to these updated packages, which resolve these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2007-5495 CVE-2007-5496 setroubleshoot browser doesn't allow multiple entry deletion setroubleshoot gives bad suggestions Adding recipents entry to config file crashes setroubleshoot typo in sealert / setroubleshoot suggestion missing filename in setroubleshoot (AVC.get_path() returns incomplete path) Runtime Error: maximum recursion depth exceeded CVE-2007-5495 setroubleshoot insecure logging CVE-2007-5496 setroubleshoot log injection setroubleshoot failure when httpd is trying to access rpm_log_t setroubleshoot requires gnome to run setroubleshoot - audit_listener_database.xml:3029: parser error in xmlParseDoc() socket.getsockopt() on ppc generates exception cpe://redhat:enterprise_linux:5 Red Hat Enterprise Linux 5 The libXfont package contains the X.Org X11 libXfont runtime library. A heap based buffer overflow flaw was found in the way the X.Org server handled malformed font files. A malicious local user could exploit this issue to potentially execute arbitrary code with the privileges of the X.Org server. (CVE-2008-0006) Users of X.Org libXfont should upgrade to these updated packages, which contain a backported patch to resolve this issue. Important Copyright 2008 Red Hat, Inc. CVE-2008-0006 cpe://redhat:enterprise_linux:5 Red Hat Enterprise Linux 5 The kernel packages contain the Linux kernel, the core of any Linux operating system. These new kernel packages fix the following security issues: A flaw was found in the virtual filesystem (VFS). An unprivileged local user could truncate directories to which they had write permission; this could render the contents of the directory inaccessible. (CVE-2008-0001, Important) A flaw was found in the Xen PAL emulation on Intel 64 platforms. A guest Hardware-assisted virtual machine (HVM) could read the arbitrary physical memory of the host system, which could make information available to unauthorized users. (CVE-2007-6416, Important) A flaw was found in the way core dump files were created. If a local user can get a root-owned process to dump a core file into a directory, which the user has write access to, they could gain read access to that core file, potentially containing sensitive information. (CVE-2007-6206, Moderate) A buffer overflow flaw was found in the CIFS virtual file system. A remote,authenticated user could issue a request that could lead to a denial of service. (CVE-2007-5904, Moderate) A flaw was found in the "sysfs_readdir" function. A local user could create a race condition which would cause a denial of service (kernel oops). (CVE-2007-3104, Moderate) As well, these updated packages fix the following bugs: * running the "strace -f" command caused strace to hang, without displaying information about child processes. * unmounting an unresponsive, interruptable NFS mount, for example, one mounted with the "intr" option, may have caused a system crash. * a bug in the s2io.ko driver prevented VLAN devices from being added. Attempting to add a device to a VLAN, for example, running the "vconfig add [device-name] [vlan-id]" command caused vconfig to fail. * tux used an incorrect open flag bit. This caused problems when building packages in a chroot environment, such as mock, which is used by the koji build system. Red Hat Enterprise Linux 5 users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. Important Copyright 2008 Red Hat, Inc. CVE-2007-3104 CVE-2007-5904 CVE-2007-6206 CVE-2007-6416 CVE-2008-0001 cpe://redhat:enterprise_linux:5 Red Hat Enterprise Linux 5 The International Components for Unicode (ICU) library provides robust and full-featured Unicode services. Will Drewry reported multiple flaws in the way libicu processed certain malformed regular expressions. If an application linked against ICU, such as OpenOffice.org, processed a carefully crafted regular expression, it may be possible to execute arbitrary code as the user running the application. (CVE-2007-4770, CVE-2007-4771) All users of icu should upgrade to these updated packages, which contain backported patches to resolve these issues. Important Copyright 2008 Red Hat, Inc. CVE-2007-4770 CVE-2007-4771 CVE-2007-4770 libicu poor back reference validation CVE-2007-4771 libicu incomplete interval handling cpe://redhat:enterprise_linux:5 Red Hat Enterprise Linux Extras 3 Red Hat Enterprise Linux Extras 4 Red Hat Enterprise Linux Extras 5 The BEA WebLogic JRockit 1.4.2_16 JRE and SDK contains BEA WebLogic JRockit Virtual Machine 1.4.2_16 and is certified for the Java 2 Platform, Standard Edition, v1.4.2. A buffer overflow in the Java Runtime Environment image handling code was found. If an attacker could induce a server application to process a specially crafted image file, the attacker could potentially cause a denial-of-service or execute arbitrary code as the user running the Java Virtual Machine. (CVE-2007-2788, CVE-2007-2789) A denial of service flaw was found in the way the JSSE component processed SSL/TLS handshake requests. A remote attacker able to connect to a JSSE enabled service could send a specially crafted handshake which would cause the Java Runtime Environment to stop responding to future requests. (CVE-2007-3698) A flaw was found in the way the Java Runtime Environment processed font data. An applet viewed via the "appletviewer" application could elevate its privileges, allowing the applet to perform actions with the same permissions as the user running the "appletviewer" application. The same flaw could, potentially, crash a server application which processed untrusted font information from a third party. (CVE-2007-4381) A flaw in the applet caching mechanism of the Java Runtime Environment (JRE) did not correctly process the creation of network connections. A remote attacker could use this flaw to create connections to services on machines other than the one that the applet was downloaded from. (CVE-2007-5232) Untrusted Java Applets were able to drag and drop files to a desktop application. A user-assisted remote attacker could use this flaw to move or copy arbitrary files. (CVE-2007-5239) The Java Runtime Environment (JRE) allowed untrusted Java Applets or applications to display over-sized windows. This could be used by remote attackers to hide security warning banners. (CVE-2007-5240) Unsigned Java Applets communicating via a HTTP proxy could allow a remote attacker to violate the Java security model. A cached, malicious Applet could create network connections to services on other machines. (CVE-2007-5273) Please note: the vulnerabilities noted above concerned with applets can only be triggered in java-1.4.2-bea by calling the "appletviewer" application. All users of java-1.4.2-bea should upgrade to these updated packages, which contain the BEA WebLogic JRockit 1.4.2_16 release which resolves these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2007-4381 CVE-2007-2788 CVE-2007-2789 CVE-2007-3698 CVE-2007-5232 CVE-2007-5240 CVE-2007-5273 CVE-2007-5239 CVE-2007-3698 Java Secure Socket Extension Does Not Correctly Process SSL/TLS Handshake Requests Resulting in a Denial of Service (DoS) Condition CVE-2007-2788 Integer overflow in the embedded ICC profile image parser in Sun Java Development Kit CVE-2007-2789 BMP image parser vulnerability CVE-2007-4381 java: Vulnerability in the font parsing code CVE-2007-5232 Security Vulnerability in Java Runtime Environment With Applet Caching CVE-2007-5240 Applets or Applications are allowed to display an oversized window CVE-2007-5273 Anti-DNS Pinning and Java Applets with HTTP proxy cpe://redhat:rhel_extras:3 cpe://redhat:rhel_extras:4 cpe://redhat:rhel_extras:5 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Firefox is an open source Web browser. Several flaws were found in the way Firefox processed certain malformed web content. A webpage containing malicious content could cause Firefox to crash, or potentially execute arbitrary code as the user running Firefox. (CVE-2008-0412, CVE-2008-0413, CVE-2008-0415, CVE-2008-0419) Several flaws were found in the way Firefox displayed malformed web content. A webpage containing specially-crafted content could trick a user into surrendering sensitive information. (CVE-2008-0591, CVE-2008-0593) A flaw was found in the way Firefox stored password data. If a user saves login information for a malicious website, it could be possible to corrupt the password database, preventing the user from properly accessing saved password data. (CVE-2008-0417) A flaw was found in the way Firefox handles certain chrome URLs. If a user has certain extensions installed, it could allow a malicious website to steal sensitive session data. Note: this flaw does not affect a default installation of Firefox. (CVE-2008-0418) A flaw was found in the way Firefox saves certain text files. If a website offers a file of type "plain/text", rather than "text/plain", Firefox will not show future "text/plain" content to the user in the browser, forcing them to save those files locally to view the content. (CVE-2008-0592) Users of firefox are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. Critical Copyright 2008 Red Hat, Inc. CVE-2008-0412 CVE-2008-0413 CVE-2008-0415 CVE-2008-0417 CVE-2008-0418 CVE-2008-0419 CVE-2008-0591 CVE-2008-0592 CVE-2008-0593 CVE-2008-0412 Mozilla layout engine crashes CVE-2008-0413 Mozilla javascript engine crashes CVE-2008-0415 Mozilla arbitrary code execution CVE-2008-0417 Mozilla arbitrary code execution CVE-2008-0418 Mozilla chrome: directory traversal CVE-2008-0419 Mozilla arbitrary code execution CVE-2008-0591 Mozilla information disclosure flaw CVE-2008-0592 Mozilla text file mishandling CVE-2008-0593 Mozilla URL token stealing flaw cpe://redhat:enterprise_linux:4 cpe://redhat:enterprise_linux:5 Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 SeaMonkey is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. Several flaws were found in the way SeaMonkey processed certain malformed web content. A webpage containing malicious content could cause SeaMonkey to crash, or potentially execute arbitrary code as the user running SeaMonkey. (CVE-2008-0412, CVE-2008-0413, CVE-2008-0415, CVE-2008-0419) Several flaws were found in the way SeaMonkey displayed malformed web content. A webpage containing specially-crafted content could trick a user into surrendering sensitive information. (CVE-2008-0591, CVE-2008-0593) A flaw was found in the way SeaMonkey stored password data. If a user saves login information for a malicious website, it could be possible to corrupt the password database, preventing the user from properly accessing saved password data. (CVE-2008-0417) A flaw was found in the way SeaMonkey handles certain chrome URLs. If a user has certain extensions installed, it could allow a malicious website to steal sensitive session data. Note: this flaw does not affect a default installation of SeaMonkey. (CVE-2008-0418) A flaw was found in the way SeaMonkey saves certain text files. If a website offers a file of type "plain/text", rather than "text/plain", SeaMonkey will not show future "text/plain" content to the user in the browser, forcing them to save those files locally to view the content. (CVE-2008-0592) Users of SeaMonkey are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. Critical Copyright 2008 Red Hat, Inc. CVE-2008-0412 CVE-2008-0413 CVE-2008-0415 CVE-2008-0417 CVE-2008-0418 CVE-2008-0419 CVE-2008-0591 CVE-2008-0592 CVE-2008-0593 CVE-2008-0412 Mozilla layout engine crashes CVE-2008-0413 Mozilla javascript engine crashes CVE-2008-0415 Mozilla arbitrary code execution CVE-2008-0417 Mozilla arbitrary code execution CVE-2008-0418 Mozilla chrome: directory traversal CVE-2008-0419 Mozilla arbitrary code execution CVE-2008-0591 Mozilla information disclosure flaw CVE-2008-0592 Mozilla text file mishandling CVE-2008-0593 Mozilla URL token stealing flaw cpe://redhat:enterprise_linux:3 cpe://redhat:enterprise_linux:4 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Thunderbird is a standalone mail and newsgroup client. A heap-based buffer overflow flaw was found in the way Thunderbird processed messages with external-body Multipurpose Internet Message Extensions (MIME) types. A HTML mail message containing malicious content could cause Thunderbird to execute arbitrary code as the user running Thunderbird. (CVE-2008-0304) Several flaws were found in the way Thunderbird processed certain malformed HTML mail content. A HTML mail message containing malicious content could cause Thunderbird to crash, or potentially execute arbitrary code as the user running Thunderbird. (CVE-2008-0412, CVE-2008-0413, CVE-2008-0415, CVE-2008-0419) Several flaws were found in the way Thunderbird displayed malformed HTML mail content. A HTML mail message containing specially-crafted content could trick a user into surrendering sensitive information. (CVE-2008-0420, CVE-2008-0591, CVE-2008-0593) A flaw was found in the way Thunderbird handles certain chrome URLs. If a user has certain extensions installed, it could allow a malicious HTML mail message to steal sensitive session data. Note: this flaw does not affect a default installation of Thunderbird. (CVE-2008-0418) Note: JavaScript support is disabled by default in Thunderbird; the above issues are not exploitable unless JavaScript is enabled. A flaw was found in the way Thunderbird saves certain text files. If a remote site offers a file of type "plain/text", rather than "text/plain", Thunderbird will not show future "text/plain" content to the user, forcing them to save those files locally to view the content. (CVE-2008-0592) Users of thunderbird are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. Critical Copyright 2008 Red Hat, Inc. CVE-2008-0304 CVE-2008-0412 CVE-2008-0413 CVE-2008-0415 CVE-2008-0418 CVE-2008-0419 CVE-2008-0420 CVE-2008-0591 CVE-2008-0592 CVE-2008-0593 CVE-2008-0412 Mozilla layout engine crashes CVE-2008-0413 Mozilla javascript engine crashes CVE-2008-0415 Mozilla arbitrary code execution CVE-2008-0418 Mozilla chrome: directory traversal CVE-2008-0419 Mozilla arbitrary code execution CVE-2008-0591 Mozilla information disclosure flaw CVE-2008-0592 Mozilla text file mishandling CVE-2008-0593 Mozilla URL token stealing flaw CVE-2008-0304 thunderbird/seamonkey: MIME External-Body Heap Overflow Vulnerability cpe://redhat:enterprise_linux:4 cpe://redhat:enterprise_linux:5 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 OpenLDAP is an open source suite of Lightweight Directory Access Protocol (LDAP) applications and development tools. LDAP is a set of protocols for accessing directory services. These updated openldap packages fix a flaw in the way the OpenLDAP slapd daemon handled modify and modrdn requests with NOOP control on objects stored in a Berkeley DB (BDB) storage backend. An authenticated attacker with permission to perform modify or modrdn operations on such LDAP objects could cause slapd to crash. (CVE-2007-6698, CVE-2008-0658) Users of openldap should upgrade to these updated packages, which contain a backported patch to correct this issue. Moderate Copyright 2008 Red Hat, Inc. CVE-2007-6698 CVE-2008-0658 CVE-2007-6698 openldap: slapd crash on NOOP control operation on entry in bdb storage CVE-2008-0658 openldap: slapd crash on modrdn operation with NOOP control on entry in bdb storage cpe://redhat:enterprise_linux:4 cpe://redhat:enterprise_linux:5 Red Hat Enterprise Linux Extras 4 Red Hat Enterprise Linux Extras 5 The Java Runtime Environment (JRE) contains the software and tools that users need to run applets and applications written using the Java programming language. These updated java-1.5.0-sun packages resolve the following security issues: Two vulnerabilities in the Java Runtime Environment allowed an untrusted application or applet to elevate the assigned privileges. This could be misused by a malicious website to read and write local files or execute local applications in the context of the user running the Java process. (CVE-2008-0657) Users of java-1.5.0-sun should upgrade to these updated packages, which contain backported patches to correct these issues. Critical Copyright 2008 Red Hat, Inc. CVE-2008-0657 CVE-2008-0657 java-1.5.0 Privilege escalation via unstrusted applet and application cpe://redhat:rhel_extras:4 cpe://redhat:rhel_extras:5 Red Hat Enterprise Linux 5 The kernel packages contain the Linux kernel, the core of any Linux operating system. A flaw was found in vmsplice. An unprivileged local user could use this flaw to gain root privileges. (CVE-2008-0600) Red Hat is aware that a public exploit for this issue is available. This issue did not affect the Linux kernels distributed with Red Hat Enterprise Linux 2.1, 3, or 4. Red Hat Enterprise Linux 5 users are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. Important Copyright 2008 Red Hat, Inc. CVE-2008-0600 CVE-2008-0600 kernel vmsplice_to_pipe flaw cpe://redhat:enterprise_linux:5 Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The netpbm package contains a library of functions for editing and converting between various graphics file formats, including .pbm (portable bitmaps), .pgm (portable graymaps), .pnm (portable anymaps), .ppm (portable pixmaps) and others. The package includes no interactive tools and is primarily used by other programs (eg CGI scripts that manage web-site images). An input validation flaw was discovered in the GIF-to-PNM converter (giftopnm) shipped with the netpbm package. An attacker could create a carefully crafted GIF file which could cause giftopnm to crash or possibly execute arbitrary code as the user running giftopnm. (CVE-2008-0554) All users are advised to upgrade to these updated packages which contain a backported patch which resolves this issue. Moderate Copyright 2008 Red Hat, Inc. CVE-2008-0554 cpe://redhat:enterprise_linux:3 cpe://redhat:enterprise_linux:4 Red Hat Enterprise Linux Extras 3 Red Hat Enterprise Linux Extras 4 Red Hat Enterprise Linux Extras 5 IBM's 1.4.2 SR10 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. The Java Secure Socket Extension (JSSE) component did not correctly process SSL/TLS handshake requests. A remote attacker who is able to connect to a JSSE-based service could trigger this flaw leading to a denial-of-service. (CVE-2007-3698) A flaw was found in the way the Java Runtime Environment processes font data. An untrusted applet could elevate its privileges, allowing the applet to perform actions with the same permissions as the logged in user. It may also be possible to crash a server application which processes untrusted font information from a third party. (CVE-2007-4381) The applet caching mechanism of the Java Runtime Environment (JRE) did not correctly process the creation of network connections. A remote attacker could use this flaw to create connections to services on machines other than the one that the applet was downloaded from. (CVE-2007-5232) Multiple vulnerabilities existed in Java Web Start allowing an untrusted application to determine the location of the Java Web Start cache. (CVE-2007-5238) Untrusted Java Web Start Applications or Java Applets were able to drag and drop a file to a Desktop Application. A user-assisted remote attacker could use this flaw to move or copy arbitrary files. (CVE-2007-5239) The Java Runtime Environment allowed untrusted Java Applets or applications to display oversized Windows. This could be used by remote attackers to hide security warning banners. (CVE-2007-5240) Unsigned Java Applets communicating via a HTTP proxy could allow a remote attacker to violate the Java security model. A cached malicious Applet could create network connections to services on other machines. (CVE-2007-5273) Unsigned Applets loaded with Mozilla Firefox or Opera browsers allowed remote attackers to violate the Java security model. A cached malicious Applet could create network connections to services on other machines. (CVE-2007-5274) All users of java-1.4.2-ibm are advised to upgrade to these updated packages, that contain IBM's 1.4.2 SR10 Java release which resolves these issues. Critical Copyright 2008 Red Hat, Inc. CVE-2007-3698 CVE-2007-4381 CVE-2007-5232 CVE-2007-5238 CVE-2007-5240 CVE-2007-5239 CVE-2007-5273 CVE-2007-5274 CVE-2007-3698 Java Secure Socket Extension Does Not Correctly Process SSL/TLS Handshake Requests Resulting in a Denial of Service (DoS) Condition CVE-2007-4381 java: Vulnerability in the font parsing code CVE-2007-5232 Security Vulnerability in Java Runtime Environment With Applet Caching CVE-2007-5238 Vulnerabilities in Java Web Start allow to determine the location of the Java Web Start cache CVE-2007-5239 Untrusted Application or Applet May Move or Copy Arbitrary Files CVE-2007-5240 Applets or Applications are allowed to display an oversized window CVE-2007-5273 Anti-DNS Pinning and Java Applets with HTTP proxy CVE-2007-5274 Anti-DNS Pinning and Java Applets with Opera and Firefox cpe://redhat:rhel_extras:3 cpe://redhat:rhel_extras:4 cpe://redhat:rhel_extras:5 Red Hat Enterprise Linux 3 Tcl is a scripting language designed for embedding into other applications and for use with Tk, a widget set. An input validation flaw was discovered in Tk's GIF image handling. A code-size value read from a GIF image was not properly validated before being used, leading to a buffer overflow. A specially crafted GIF file could use this to cause a crash or, potentially, execute code with the privileges of the application using the Tk graphical toolkit. (CVE-2008-0553) A buffer overflow flaw was discovered in Tk's animated GIF image handling. An animated GIF containing an initial image smaller than subsequent images could cause a crash or, potentially, execute code with the privileges of the application using the Tk library. (CVE-2007-5378) A flaw in the Tcl regular expression handling engine was discovered by Will Drewry. This flaw, first discovered in the Tcl regular expression engine used in the PostgreSQL database server, resulted in an infinite loop when processing certain regular expressions. (CVE-2007-4772) All users are advised to upgrade to these updated packages which contain backported patches which resolve these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2008-0553 CVE-2007-5378 CVE-2007-4772 CVE-2007-4772 postgresql DoS via infinite loop in regex NFA optimization code CVE-2007-5378 Tk GIF processing buffer overflow CVE-2008-0553 tk: GIF handling buffer overflow cpe://redhat:enterprise_linux:3 Red Hat Enterprise Linux 4 Tk is a graphical toolkit for the Tcl scripting language. An input validation flaw was discovered in Tk's GIF image handling. A code-size value read from a GIF image was not properly validated before being used, leading to a buffer overflow. A specially crafted GIF file could use this to cause a crash or, potentially, execute code with the privileges of the application using the Tk graphical toolkit. (CVE-2008-0553) A buffer overflow flaw was discovered in Tk's animated GIF image handling. An animated GIF containing an initial image smaller than subsequent images could cause a crash or, potentially, execute code with the privileges of the application using the Tk library. (CVE-2007-5378) All users are advised to upgrade to these updated packages which contain a backported patches to resolve these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2008-0553 CVE-2007-5378 CVE-2007-5378 Tk GIF processing buffer overflow CVE-2008-0553 tk: GIF handling buffer overflow cpe://redhat:enterprise_linux:4 Red Hat Enterprise Linux 5 Tk is a graphical toolkit for the Tcl scripting language. An input validation flaw was discovered in Tk's GIF image handling. A code-size value read from a GIF image was not properly validated before being used, leading to a buffer overflow. A specially crafted GIF file could use this to cause a crash or, potentially, execute code with the privileges of the application using the Tk graphical toolkit. (CVE-2008-0553) A buffer overflow flaw was discovered in Tk's animated GIF image handling. An animated GIF containing an initial image smaller than subsequent images could cause a crash or, potentially, execute code with the privileges of the application using the Tk library. (CVE-2007-5137) All users are advised to upgrade to these updated packages which contain a backported patches to resolve these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2008-0553 CVE-2007-5137 CVE-2007-5137 Tk GIF processing buffer overflow CVE-2008-0553 tk: GIF handling buffer overflow cpe://redhat:enterprise_linux:5 Red Hat Enterprise Linux Extras 3 Red Hat Enterprise Linux Extras 4 Red Hat Enterprise Linux Extras 5 The Adobe Reader allows users to view and print documents in portable document format (PDF). Several flaws were found in the way Adobe Reader processed malformed PDF files. An attacker could create a malicious PDF file which could execute arbitrary code if opened by a victim. (CVE-2007-5659, CVE-2007-5663, CVE-2007-5666, CVE-2008-0726) A flaw was found in the way the Adobe Reader browser plug-in honored certain requests. A malicious PDF file could cause the browser to request an unauthorized URL, allowing for a cross-site request forgery attack. (CVE-2007-0044) A flaw was found in Adobe Reader's JavaScript API DOC.print function. A malicious PDF file could silently trigger non-interactive printing of the document, causing multiple copies to be printed without the users consent. (CVE-2008-0667) Additionally, this update fixes multiple unknown flaws in Adobe Reader. When the information regarding these flaws is made public by Adobe, it will be added to this advisory. (CVE-2008-0655) Note: Adobe have yet to release security fixed versions of Adobe 7. All users of Adobe Reader are, therefore, advised to install these updated packages. They contain Adobe Reader version 8.1.2, which is not vulnerable to these issues. Critical Copyright 2008 Red Hat, Inc. CVE-2007-5659 CVE-2007-5663 CVE-2007-5666 CVE-2007-0044 CVE-2008-0655 CVE-2008-0667 CVE-2008-0726 CVE-2007-0044 Acrobat Reader Universal CSRF and session riding CVE-2008-0655 acroread: unspecified vulnerabilities CVE-2008-0667 acroread: silent print vulnerability CVE-2007-5659 acroread Multiple buffer overflows CVE-2007-5663 acroread JavaScript Insecure Method Exposure CVE-2007-5666 acroread JavaScript Insecure Libary Search Path CVE-2008-0726 Acroread memory corruption cpe://redhat:rhel_extras:3 cpe://redhat:rhel_extras:4 cpe://redhat:rhel_extras:5 Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 ImageMagick is an image display and manipulation tool for the X Window System that can read and write multiple image formats. Several heap-based buffer overflow flaws were found in ImageMagick. If a victim opened a specially crafted DCM or XWD file, an attacker could potentially execute arbitrary code on the victim's machine. (CVE-2007-1797) Several denial of service flaws were found in ImageMagick's parsing of XCF and DCM files. Attempting to process a specially-crafted input file in these formats could cause ImageMagick to enter an infinite loop. (CVE-2007-4985) Several integer overflow flaws were found in ImageMagick. If a victim opened a specially-crafted DCM, DIB, XBM, XCF or XWD file, an attacker could potentially execute arbitrary code with the privileges of the user running ImageMagick. (CVE-2007-4986) An integer overflow flaw was found in ImageMagick's DIB parsing code. If a victim opened a specially-crafted DIB file, an attacker could potentially execute arbitrary code with the privileges of the user running ImageMagick. (CVE-2007-4988) A heap-based buffer overflow flaw was found in the way ImageMagick parsed XCF files. If a specially-crafted XCF image was opened, ImageMagick could be made to overwrite heap memory beyond the bounds of its allocated memory. This could, potentially, allow an attacker to execute arbitrary code on the machine running ImageMagick. (CVE-2008-1096) A heap-based buffer overflow flaw was found in ImageMagick's processing of certain malformed PCX images. If a victim opened a specially-crafted PCX file, an attacker could possibly execute arbitrary code on the victim's machine. (CVE-2008-1097) All users of ImageMagick should upgrade to these updated packages, which contain backported patches to correct these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2007-1797 CVE-2007-4985 CVE-2007-4986 CVE-2007-4988 CVE-2008-1096 CVE-2008-1097 CVE-2007-1797 Heap overflow in ImageMagick's DCM and XWD coders CVE-2008-1097 Memory corruption in ImageMagick's PCX coder CVE-2008-1096 Out of bound write in ImageMagick's XCF coder CVE-2007-4988 Integer overflow in ImageMagick's DIB coder CVE-2007-4985 Infinite loops in ImageMagick's XCF and DCM coders CVE-2007-4986 Multiple integer overflows in ImageMagick cpe://redhat:enterprise_linux:3 cpe://redhat:enterprise_linux:4 cpe://redhat:enterprise_linux:5 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The gd package contains a graphics library used for the dynamic creation of images such as PNG and JPEG. Multiple issues were discovered in the gd GIF image-handling code. A carefully-crafted GIF file could cause a crash or possibly execute code with the privileges of the application using the gd library. (CVE-2006-4484, CVE-2007-3475, CVE-2007-3476) An integer overflow was discovered in the gdImageCreateTrueColor() function, leading to incorrect memory allocations. A carefully crafted image could cause a crash or possibly execute code with the privileges of the application using the gd library. (CVE-2007-3472) A buffer over-read flaw was discovered. This could cause a crash in an application using the gd library to render certain strings using a JIS-encoded font. (CVE-2007-0455) A flaw was discovered in the gd PNG image handling code. A truncated PNG image could cause an infinite loop in an application using the gd library. (CVE-2007-2756) A flaw was discovered in the gd X BitMap (XBM) image-handling code. A malformed or truncated XBM image could cause a crash in an application using the gd library. (CVE-2007-3473) Users of gd should upgrade to these updated packages, which contain backported patches which resolve these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2006-4484 CVE-2007-0455 CVE-2007-2756 CVE-2007-3472 CVE-2007-3473 CVE-2007-3475 CVE-2007-3476 cpe://redhat:enterprise_linux:4 cpe://redhat:enterprise_linux:5 Red Hat Enterprise Linux 3 The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX(R) operating systems. A flaw was found in the way CUPS handled the addition and removal of remote shared printers via IPP. A remote attacker could send malicious UDP IPP packets causing the CUPS daemon to attempt to dereference already freed memory and crash. (CVE-2008-0597) A memory management flaw was found in the way CUPS handled the addition and removal of remote shared printers via IPP. When shared printer was removed, allocated memory was not properly freed, leading to a memory leak possibly causing CUPS daemon crash after exhausting available memory. (CVE-2008-0596) These issues were found during the investigation of CVE-2008-0882, which did not affect Red Hat Enterprise Linux 3. Note that the default configuration of CUPS on Red Hat Enterprise Linux 3 allow requests of this type only from the local subnet. In addition, these updated cups packages fix a bug that occurred when using the CUPS polling daemon. Excessive debugging log information was saved to the error_log file regardless of the LogLevel setting, which filled up disk space rapidly. All CUPS users are advised to upgrade to these updated packages, which contain backported patches to resolve this issue. Important Copyright 2008 Red Hat, Inc. CVE-2008-0596 CVE-2008-0597 Cups fills up logfiles if queue is turned on CVE-2008-0596 cups: memory leak handling IPP browse requests CVE-2008-0597 cups: dereference of free'd memory handling IPP browse requests cpe://redhat:enterprise_linux:3 Red Hat Enterprise Linux 5 The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated packages fix the following security issues: * a flaw in the hypervisor for hosts running on Itanium architectures allowed an Intel VTi domain to read arbitrary physical memory from other Intel VTi domains, which could make information available to unauthorized users. (CVE-2007-6207, Important) * two buffer overflow flaws were found in ISDN subsystem. A local unprivileged user could use these flaws to cause a denial of service. (CVE-2007-5938: Important, CVE-2007-6063: Moderate) * a possible NULL pointer dereference was found in the subsystem used for showing CPU information, as used by CHRP systems on PowerPC architectures. This may have allowed a local unprivileged user to cause a denial of service (crash). (CVE-2007-6694, Moderate) * a flaw was found in the handling of zombie processes. A local user could create processes that would not be properly reaped, possibly causing a denial of service. (CVE-2006-6921, Moderate) As well, these updated packages fix the following bugs: * a bug was found in the Linux kernel audit subsystem. When the audit daemon was setup to log the execve system call with a large number of arguments, the kernel could run out of memory, causing a kernel panic. * on IBM System z architectures, using the IBM Hardware Management Console to toggle IBM FICON channel path ids (CHPID) caused a file ID miscompare, possibly causing data corruption. * when running the IA-32 Execution Layer (IA-32EL) or a Java VM on Itanium architectures, a bug in the address translation in the hypervisor caused the wrong address to be registered, causing Dom0 to hang. * on Itanium architectures, frequent Corrected Platform Error errors may have caused the hypervisor to hang. * when enabling a CPU without hot plug support, routines for checking the presence of the CPU were missing. The CPU tried to access its own resources, causing a kernel panic. * after updating to kernel-2.6.18-53.el5, a bug in the CCISS driver caused the HP Array Configuration Utility CLI to become unstable, possibly causing a system hang, or a kernel panic. * a bug in NFS directory caching could have caused different hosts to have different views of NFS directories. * on Itanium architectures, the Corrected Machine Check Interrupt masked hot-added CPUs as disabled. * when running Oracle database software on the Intel 64 and AMD64 architectures, if an SGA larger than 4GB was created, and had hugepages allocated to it, the hugepages were not freed after database shutdown. * in a clustered environment, when two or more NFS clients had the same logical volume mounted, and one of them modified a file on the volume, NULL characters may have been inserted, possibly causing data corruption. These updated packages resolve several severe issues in the lpfc driver: * a system hang after LUN discovery. * a general fault protection, a NULL pointer dereference, or slab corruption could occur while running a debug on the kernel. * the inability to handle kernel paging requests in "lpfc_get_scsi_buf". * erroneous structure references caused certain FC discovery routines to reference and change "lpfc_nodelist" structures, even after they were freed. * the lpfc driver failed to interpret certain fields correctly, causing tape backup software to fail. Tape drives reported "Illegal Request". * the lpfc driver did not clear structures correctly, resulting in SCSI I/Os being rejected by targets, and causing errors. Red Hat Enterprise Linux 5 users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. Important Copyright 2008 Red Hat, Inc. CVE-2006-6921 CVE-2007-5938 CVE-2007-6063 CVE-2007-6207 CVE-2007-6694 CVE-2006-6921 kernel: denial of service with wedged processes audit: Logging execve arguments, out of memory in audit_expand (kernel panic) CVE-2007-5938 NULL dereference in iwl driver CVE-2007-6063 Linux Kernel isdn_net_setcfg buffer overflow CVE-2007-6694 /proc/cpuinfo DoS on some ppc machines LTC39906-[BBDQ] FICON DS8000: File ID Miscompare after CHPID off via HMC CVE-2007-6207 [5.2][XEN] Security: some HVM domain can access another domain memory. [Xen][5.1.z] Running IA32EL or java-vm causes dom0 hung Severe issues in 5.1 lpfc driver: Request update to 8.1.10.12 [Xen ia64] hypervisor sometimes hangs on Corrected Platform Errors [5.1] Panic if user enable a cpu which is not prepared for hotplug. scsi: cciss - incompatability between hpacucli and RHEL 5.1 Kernel NFS: Fix directory caching problem - with test case and patch. CMCI is left disabled on hot-added processors RHEL 5.1 regression in hugepages due to pagetable sharing patch Null bytes in files access by 2 or more NFS clients cpe://redhat:enterprise_linux:5 Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Ghostscript is a program for displaying PostScript files, or printing them to non-PostScript printers. Chris Evans from the Google Security Team reported a stack-based buffer overflow flaw in Ghostscript's zseticcspace() function. An attacker could create a malicious PostScript file that would cause Ghostscript to execute arbitrary code when opened. (CVE-2008-0411) These updated packages also fix a bug, which prevented the pxlmono printer driver from producing valid output on Red Hat Enterprise Linux 4. All users of ghostscript are advised to upgrade to these updated packages, which contain a backported patch to resolve these issues. Important Copyright 2008 Red Hat, Inc. CVE-2008-0411 CVE-2008-0411 ghostscript: stack-based buffer overflow in .seticcspace operator cpe://redhat:enterprise_linux:3 cpe://redhat:enterprise_linux:4 cpe://redhat:enterprise_linux:5 Red Hat Enterprise Linux Extras 4 Red Hat Enterprise Linux Extras 5 The BEA WebLogic JRockit 1.5.0_14 JRE and SDK contain BEA WebLogic JRockit Virtual Machine 1.5.0_14 and are certified for the Java 5 Platform, Standard Edition, v1.5.0. A flaw in the applet caching mechanism of the Java Runtime Environment (JRE) did not correctly process the creation of network connections. A remote attacker could use this flaw to create connections to services on machines other than the one that the applet was downloaded from. (CVE-2007-5232) Untrusted Java Applets were able to drag and drop a file to a Desktop Application. A user-assisted remote attacker could use this flaw to move or copy arbitrary files. (CVE-2007-5239) The Java Runtime Environment (JRE) allowed untrusted Java Applets or applications to display oversized windows. This could be used by remote attackers to hide security warning banners. (CVE-2007-5240) Unsigned Java Applets communicating via a HTTP proxy could allow a remote attacker to violate the Java security model. A cached, malicious Applet could create network connections to services on other machines. (CVE-2007-5273) Two vulnerabilities in the Java Runtime Environment allowed an untrusted application or applet to elevate the assigned privileges. This could be misused by a malicious website to read and write local files or execute local applications in the context of the user running the Java process. (CVE-2008-0657) Those vulnerabilities concerned with applets can only be triggered in java-1.5.0-bea by calling the 'appletviewer' application. All users of java-1.5.0-bea should upgrade to these updated packages, which contain the BEA WebLogic JRockit 1.5.0_14 release that resolves these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2007-5232 CVE-2007-5239 CVE-2007-5240 CVE-2007-5273 CVE-2008-0657 CVE-2007-5232 Security Vulnerability in Java Runtime Environment With Applet Caching CVE-2007-5239 Untrusted Application or Applet May Move or Copy Arbitrary Files CVE-2007-5240 Applets or Applications are allowed to display an oversized window CVE-2007-5273 Anti-DNS Pinning and Java Applets with HTTP proxy CVE-2008-0657 java-1.5.0 Privilege escalation via unstrusted applet and application cpe://redhat:rhel_extras:4 cpe://redhat:rhel_extras:5 Red Hat Enterprise Linux 5 The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX(R) operating systems. The Internet Printing Protocol (IPP) is a standard network protocol for remote printing, as well as managing print jobs. A flaw was found in the way CUPS handles the addition and removal of remote shared printers via IPP. A remote attacker could send malicious UDP IPP packets causing the CUPS daemon to crash. (CVE-2008-0882) Note: the default configuration of CUPS on Red Hat Enterprise Linux 5 will only accept requests of this type from the local subnet. This issue did not affect the versions of CUPS as shipped with Red Hat Enterprise Linux 3 or 4. All cups users are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. Important Copyright 2008 Red Hat, Inc. CVE-2008-0882 CVE-2008-0882 cups: double free vulnerability in process_browse_data() cpe://redhat:enterprise_linux:5 Red Hat Enterprise Linux 5 D-Bus is a system for sending messages between applications. It is used both for the system-wide message bus service, and as a per-user-login-session messaging facility. Havoc Pennington discovered a flaw in the way the dbus-daemon applies its security policy. A user with the ability to connect to the dbus-daemon may be able to execute certain method calls they should normally not have permission to access. (CVE-2008-0595) Red Hat does not ship any applications in Red Hat Enterprise Linux 5 that would allow a user to leverage this flaw to elevate their privileges. This flaw does not affect the version of D-Bus shipped in Red Hat Enterprise Linux 4. All users are advised to upgrade to these updated dbus packages, which contain a backported patch and are not vulnerable to this issue. Moderate Copyright 2008 Red Hat, Inc. CVE-2008-0595 CVE-2008-0595 dbus security policy circumvention cpe://redhat:enterprise_linux:5 Red Hat Enterprise Linux 4 The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX(R) operating systems. A flaw was found in the way CUPS handled the addition and removal of remote shared printers via IPP. A remote attacker could send malicious UDP IPP packets causing the CUPS daemon to attempt to dereference already freed memory and crash. (CVE-2008-0597) A memory management flaw was found in the way CUPS handled the addition and removal of remote shared printers via IPP. When shared printer was removed, allocated memory was not properly freed, leading to a memory leak possibly causing CUPS daemon crash after exhausting available memory. (CVE-2008-0596) These issues were found during the investigation of CVE-2008-0882, which did not affect Red Hat Enterprise Linux 4. Note that the default configuration of CUPS on Red Hat Enterprise Linux 4 allow requests of this type only from the local subnet. All CUPS users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. Important Copyright 2008 Red Hat, Inc. CVE-2008-0596 CVE-2008-0597 CVE-2008-0596 cups: memory leak handling IPP browse requests CVE-2008-0597 cups: dereference of free'd memory handling IPP browse requests cpe://redhat:enterprise_linux:4 Red Hat Enterprise Linux 5 Kerberos is a network authentication system which allows clients and servers to authenticate to each other through use of symmetric encryption and a trusted third party, the KDC. A flaw was found in the way the MIT Kerberos Authentication Service and Key Distribution Center server (krb5kdc) handled Kerberos v4 protocol packets. An unauthenticated remote attacker could use this flaw to crash the krb5kdc daemon, disclose portions of its memory, or possibly execute arbitrary code using malformed or truncated Kerberos v4 protocol requests. (CVE-2008-0062, CVE-2008-0063) This issue only affected krb5kdc with Kerberos v4 protocol compatibility enabled, which is the default setting on Red Hat Enterprise Linux 4. Kerberos v4 protocol support can be disabled by adding "v4_mode=none" (without the quotes) to the "[kdcdefaults]" section of /var/kerberos/krb5kdc/kdc.conf. Jeff Altman of Secure Endpoints discovered a flaw in the RPC library as used by MIT Kerberos kadmind server. An unauthenticated remote attacker could use this flaw to crash kadmind or possibly execute arbitrary code. This issue only affected systems with certain resource limits configured and did not affect systems using default resource limits used by Red Hat Enterprise Linux 5. (CVE-2008-0947) Red Hat would like to thank MIT for reporting these issues. Multiple memory management flaws were discovered in the GSSAPI library used by MIT Kerberos. These flaws could possibly result in use of already freed memory or an attempt to free already freed memory blocks (double-free flaw), possibly causing a crash or arbitrary code execution. (CVE-2007-5901, CVE-2007-5971) In addition to the security issues resolved above, the following bugs were also fixed: * delegated krb5 credentials were not properly stored when SPNEGO was the underlying mechanism during GSSAPI authentication. Consequently, applications attempting to copy delegated Kerberos 5 credentials into a credential cache received an "Invalid credential was supplied" message rather than a copy of the delegated credentials. With this update, SPNEGO credentials can be properly searched, allowing applications to copy delegated credentials as expected. * applications can initiate context acceptance (via gss_accept_sec_context) without passing a ret_flags value that would indicate that credentials were delegated. A delegated credential handle should have been returned in such instances. This updated package adds a temp_ret_flag that stores the credential status in the event no other ret_flags value is passed by an application calling gss_accept_sec_context. * kpasswd did not fallback to TCP on receipt of certain errors, or when a packet was too big for UDP. This update corrects this. * when the libkrb5 password-routine generated a set-password or change-password request, incorrect sequence numbers were generated for all requests subsequent to the first request. This caused password change requests to fail if the primary server was unavailable. This updated package corrects this by saving the sequence number value after the AP-REQ data is built and restoring this value before the request is generated. * when a user's password expired, kinit would not prompt that user to change the password, instead simply informing the user their password had expired. This update corrects this behavior: kinit now prompts for a new password to be set when a password has expired. All krb5 users are advised to upgrade to these updated packages, which contain backported fixes to address these vulnerabilities and fix these bugs. Critical Copyright 2008 Red Hat, Inc. CVE-2007-5901 CVE-2007-5971 CVE-2008-0062 CVE-2008-0063 CVE-2008-0947 CVE-2007-5901 krb5: use-after-free in gssapi lib CVE-2007-5971 krb5: double free in gssapi lib CVE-2008-0062 krb5: uninitialized pointer use in krb5kdc CVE-2008-0063 krb5: possible leak of sensitive data from krb5kdc using krb4 request CVE-2008-0947 krb5: file descriptor array overflow in RPC library gss_krb5_copy_ccache can't find delegated Kerberos creds when using SPNEGO gss_init_sec_context() mechglue wrapper doesn't handle ret_flags right kpasswd does not fallback to tcp krb5 password changing uses incorrect sequence numbers for every server but the first kinit does not automatically start a password change when password is expired cpe://redhat:enterprise_linux:5 Red Hat Enterprise Linux 4 The kernel packages contain the Linux kernel, the core of any Linux operating system. A buffer overflow flaw was found in the CIFS virtual file system. A remote authenticated user could issue a request that could lead to a denial of service. (CVE-2007-5904, Moderate) As well, these updated packages fix the following bugs: * a bug was found in the Linux kernel audit subsystem. When the audit daemon was setup to log the execve system call with a large number of arguments, the kernel could run out out memory while attempting to create audit log messages. This could cause a kernel panic. In these updated packages, large audit messages are split into acceptable sizes, which resolves this issue. * on certain Intel chipsets, it was not possible to load the acpiphp module using the "modprobe acpiphp" command. Because the acpiphp module did not recurse across PCI bridges, hardware detection for PCI hot plug slots failed. In these updated packages, hardware detection works correctly. * on IBM System z architectures that run the IBM z/VM hypervisor, the IBM eServer zSeries HiperSockets network interface (layer 3) allowed ARP packets to be sent and received, even when the "NOARP" flag was set. These ARP packets caused problems for virtual machines. * it was possible for the iounmap function to sleep while holding a lock. This may have caused a deadlock for drivers and other code that uses the iounmap function. In these updated packages, the lock is dropped before the sleep code is called, which resolves this issue. Red Hat Enterprise Linux 4 users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2007-5904 CVE-2007-5904 Buffer overflow in CIFS VFS audit: Logging execve arguments, out of memory in audit_expand ACPIPHP.ko will not load : RHEL4.x and RHEL5.0 on X8450 (Intel 4 socket Quad Core) but will load on RHEL5.1 LTC39262-qeth: HiperSockets layer-3 interface to drop non-IP packets [Stratus 4.6.z bug] iounmap may sleep while holding vmlist_lock, causing a deadlock. cpe://redhat:enterprise_linux:4 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 OpenOffice.org is an office productivity suite that includes desktop applications such as a word processor, spreadsheet, presentation manager, formula editor, and drawing program. Multiple heap overflows and an integer underflow were found in the Quattro Pro(R) import filter. An attacker could create a carefully crafted Quattro Pro file that could cause OpenOffice.org to crash or possibly execute arbitrary code if the file was opened by a victim. (CVE-2007-5745, CVE-2007-5747) A heap overflow flaw was found in the EMF parser. An attacker could create a carefully crafted EMF file that could cause OpenOffice.org to crash or possibly execute arbitrary code if the malicious EMF image was added to a document or if a document containing the malicious EMF file was opened by a victim. (CVE-2007-5746) A heap overflow flaw was found in the OLE Structured Storage file parser. (OLE Structured Storage is a format used by Microsoft Office documents.) An attacker could create a carefully crafted OLE file that could cause OpenOffice.org to crash or possibly execute arbitrary code if the file was opened by a victim. (CVE-2008-0320) All users of OpenOffice.org are advised to upgrade to these updated packages, which contain backported fixes to correct these issues. Important Copyright 2008 Red Hat, Inc. CVE-2007-5746 CVE-2008-0320 CVE-2007-5745 CVE-2007-5747 CVE-2007-5746 openoffice.org: EMF files parsing EMR_BITBLT record heap overflows CVE-2008-0320 openoffice.org: OLE files parsing heap overflows CVE-2007-5745 openoffice.org: Quattro Pro files handling heap overflows in Attribute and Font records CVE-2007-5747 openoffice.org: Quattro Pro files parsing integer underflow cpe://redhat:enterprise_linux:4 cpe://redhat:enterprise_linux:5 Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 OpenOffice.org is an office productivity suite that includes desktop applications such as a word processor, spreadsheet, presentation manager, formula editor, and drawing program. A heap overflow flaw was found in the EMF parser. An attacker could create a carefully crafted EMF file that could cause OpenOffice.org to crash or possibly execute arbitrary code if the malicious EMF image was added to a document or if a document containing the malicious EMF file was opened by a victim. (CVE-2007-5746) A heap overflow flaw was found in the OLE Structured Storage file parser. (OLE Structured Storage is a format used by Microsoft Office documents.) An attacker could create a carefully crafted OLE file that could cause OpenOffice.org to crash or possibly execute arbitrary code if the file was opened by a victim. (CVE-2008-0320) All users of OpenOffice.org are advised to upgrade to these updated packages, which contain backported fixes to correct these issues. Important Copyright 2008 Red Hat, Inc. CVE-2007-5746 CVE-2008-0320 CVE-2007-5746 openoffice.org: EMF files parsing EMR_BITBLT record heap overflows CVE-2008-0320 openoffice.org: OLE files parsing heap overflows cpe://redhat:enterprise_linux:3 cpe://redhat:enterprise_linux:4 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Evolution is the GNOME collection of personal information management (PIM) tools. A format string flaw was found in the way Evolution displayed encrypted mail content. If a user opened a carefully crafted mail message, arbitrary code could be executed as the user running Evolution. (CVE-2008-0072) All users of Evolution should upgrade to these updated packages, which contain a backported patch which resolves this issue. Red Hat would like to thank Ulf Härnhammar of Secunia Research for finding and reporting this issue. Critical Copyright 2008 Red Hat, Inc. CVE-2008-0072 CVE-2008-0072 Evolution format string flaw cpe://redhat:enterprise_linux:4 cpe://redhat:enterprise_linux:5 Red Hat Enterprise Linux 4 Kerberos is a network authentication system which allows clients and servers to authenticate to each other through use of symmetric encryption and a trusted third party, the KDC. A flaw was found in the way the MIT Kerberos Authentication Service and Key Distribution Center server (krb5kdc) handled Kerberos v4 protocol packets. An unauthenticated remote attacker could use this flaw to crash the krb5kdc daemon, disclose portions of its memory, or possibly execute arbitrary code using malformed or truncated Kerberos v4 protocol requests. (CVE-2008-0062, CVE-2008-0063) This issue only affected krb5kdc with Kerberos v4 protocol compatibility enabled, which is the default setting on Red Hat Enterprise Linux 4. Kerberos v4 protocol support can be disabled by adding "v4_mode=none" (without the quotes) to the "[kdcdefaults]" section of /var/kerberos/krb5kdc/kdc.conf. Red Hat would like to thank MIT for reporting these issues. A double-free flaw was discovered in the GSSAPI library used by MIT Kerberos. This flaw could possibly cause a crash of the application using the GSSAPI library. (CVE-2007-5971) All krb5 users are advised to update to these erratum packages which contain backported fixes to correct these issues. Critical Copyright 2008 Red Hat, Inc. CVE-2007-5971 CVE-2008-0062 CVE-2008-0063 CVE-2007-5971 krb5: double free in gssapi lib CVE-2008-0062 krb5: uninitialized pointer use in krb5kdc CVE-2008-0063 krb5: possible leak of sensitive data from krb5kdc using krb4 request cpe://redhat:enterprise_linux:4 Red Hat Enterprise Linux 3 Kerberos is a network authentication system which allows clients and servers to authenticate to each other through use of symmetric encryption and a trusted third party, the KDC. A flaw was found in the way the MIT Kerberos Authentication Service and Key Distribution Center server (krb5kdc) handled Kerberos v4 protocol packets. An unauthenticated remote attacker could use this flaw to crash the krb5kdc daemon, disclose portions of its memory, or possibly execute arbitrary code using malformed or truncated Kerberos v4 protocol requests. (CVE-2008-0062, CVE-2008-0063) This issue only affected krb5kdc with Kerberos v4 protocol compatibility enabled, which is the default setting on Red Hat Enterprise Linux 4. Kerberos v4 protocol support can be disabled by adding "v4_mode=none" (without the quotes) to the "[kdcdefaults]" section of /var/kerberos/krb5kdc/kdc.conf. A flaw was found in the RPC library used by the MIT Kerberos kadmind server. An unauthenticated remote attacker could use this flaw to crash kadmind. This issue only affected systems with certain resource limits configured and did not affect systems using default resource limits used by Red Hat Enterprise Linux 2.1 or 3. (CVE-2008-0948) Red Hat would like to thank MIT for reporting these issues. All krb5 users are advised to update to these erratum packages which contain backported fixes to correct these issues. Critical Copyright 2008 Red Hat, Inc. CVE-2008-0062 CVE-2008-0063 CVE-2008-0948 CVE-2008-0062 krb5: uninitialized pointer use in krb5kdc CVE-2008-0063 krb5: possible leak of sensitive data from krb5kdc using krb4 request CVE-2008-0948 krb5: incorrect handling of high-numbered file descriptors in RPC library cpe://redhat:enterprise_linux:3 Red Hat Enterprise Linux Extras 4 Red Hat Enterprise Linux Extras 5 The Java Runtime Environment (JRE) contains the software and tools that users need to run applets and applications written using the Java programming language. Flaws in the JRE allowed an untrusted application or applet to elevate its privileges. This could be exploited by a remote attacker to access local files or execute local applications accessible to the user running the JRE (CVE-2008-1185, CVE-2008-1186) A flaw was found in the Java XSLT processing classes. An untrusted application or applet could cause a denial of service, or execute arbitrary code with the permissions of the user running the JRE. (CVE-2008-1187) Several buffer overflow flaws were found in Java Web Start (JWS). An untrusted JNLP application could access local files or execute local applications accessible to the user running the JRE. (CVE-2008-1188, CVE-2008-1189, CVE-2008-1190, CVE-2008-1191, CVE-2008-1196) A flaw was found in the Java Plug-in. A remote attacker could bypass the same origin policy, executing arbitrary code with the permissions of the user running the JRE. (CVE-2008-1192) A flaw was found in the JRE image parsing libraries. An untrusted application or applet could cause a denial of service, or possible execute arbitrary code with the permissions of the user running the JRE. (CVE-2008-1193) A flaw was found in the JRE color management library. An untrusted application or applet could trigger a denial of service (JVM crash). (CVE-2008-1194) The JRE allowed untrusted JavaScript code to create local network connections by the use of Java APIs. A remote attacker could use these flaws to acesss local network services. (CVE-2008-1195) This update also fixes an issue where the Java Plug-in is not available for browser use after successful installation. Users of java-1.5.0-sun should upgrade to these updated packages, which correct these issues. Critical Copyright 2008 Red Hat, Inc. CVE-2008-1185 CVE-2008-1186 CVE-2008-1187 CVE-2008-1188 CVE-2008-1189 CVE-2008-1190 CVE-2008-1191 CVE-2008-1192 CVE-2008-1193 CVE-2008-1194 CVE-2008-1195 CVE-2008-1196 CVE-2008-1185 Untrusted applet and application privilege escalation (CVE-2008-1186) CVE-2008-1187 Untrusted applet and application XSLT processing privilege escalation CVE-2008-1188 Buffer overflow security vulnerabilities in Java Web Start (CVE-2008-1189, CVE-2008-1190, CVE-2008-1191) CVE-2008-1192 Java Plugin same-origin-policy bypass CVE-2008-1193 JRE image parsing library allows privilege escalation (CVE-2008-1194) CVE-2008-1195 Java-API calls in untrusted Javascript allow network privilege escalation CVE-2008-1196 Buffer overflow security vulnerabilities in Java Web Start cpe://redhat:rhel_extras:4 cpe://redhat:rhel_extras:5 Red Hat Enterprise Linux 5 The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX(R) operating systems. A heap buffer overflow flaw was found in a CUPS administration interface CGI script. A local attacker able to connect to the IPP port (TCP port 631) could send a malicious request causing the script to crash or, potentially, execute arbitrary code as the "lp" user. Please note: the default CUPS configuration in Red Hat Enterprise Linux 5 does not allow remote connections to the IPP TCP port. (CVE-2008-0047) Red Hat would like to thank "regenrecht" for reporting this issue. This issue did not affect the versions of CUPS as shipped with Red Hat Enterprise Linux 3 or 4. Two overflows were discovered in the HP-GL/2-to-PostScript filter. An attacker could create a malicious HP-GL/2 file that could possibly execute arbitrary code as the "lp" user if the file is printed. (CVE-2008-0053) A buffer overflow flaw was discovered in the GIF decoding routines used by CUPS image converting filters "imagetops" and "imagetoraster". An attacker could create a malicious GIF file that could possibly execute arbitrary code as the "lp" user if the file was printed. (CVE-2008-1373) All cups users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2008-0047 CVE-2008-0053 CVE-2008-1373 CVE-2008-0047 cups: heap based buffer overflow in cgiCompileSearch() CVE-2008-0053 cups: buffer overflows in HP-GL/2 filter CVE-2008-1373 cups: overflow in gif image filter cpe://redhat:enterprise_linux:5 Red Hat Enterprise Linux 5 The xen packages contain tools for managing the virtual machine monitor in Red Hat Virtualization. These updated packages fix the following security issues: Daniel P. Berrange discovered that the hypervisor's para-virtualized framebuffer (PVFB) backend failed to validate the format of messages serving to update the contents of the framebuffer. This could allow a malicious user to cause a denial of service, or compromise the privileged domain (Dom0). (CVE-2008-1944) Markus Armbruster discovered that the hypervisor's para-virtualized framebuffer (PVFB) backend failed to validate the frontend's framebuffer description. This could allow a malicious user to cause a denial of service, or to use a specially crafted frontend to compromise the privileged domain (Dom0). (CVE-2008-1943) Chris Wright discovered a security vulnerability in the QEMU block format auto-detection, when running fully-virtualized guests. Such fully-virtualized guests, with a raw formatted disk image, were able to write a header to that disk image describing another format. This could allow such guests to read arbitrary files in their hypervisor's host. (CVE-2008-2004) Ian Jackson discovered a security vulnerability in the QEMU block device drivers backend. A guest operating system could issue a block device request and read or write arbitrary memory locations, which could lead to privilege escalation. (CVE-2008-0928) Tavis Ormandy found that QEMU did not perform adequate sanity-checking of data received via the "net socket listen" option. A malicious local administrator of a guest domain could trigger this flaw to potentially execute arbitrary code outside of the domain. (CVE-2007-5730) Steve Kemp discovered that the xenbaked daemon and the XenMon utility communicated via an insecure temporary file. A malicious local administrator of a guest domain could perform a symbolic link attack, causing arbitrary files to be truncated. (CVE-2007-3919) As well, in the previous xen packages, it was possible for Dom0 to fail to flush data from a fully-virtualized guest to disk, even if the guest explicitly requested the flush. This could cause data integrity problems on the guest. In these updated packages, Dom0 always respects the request to flush to disk. Users of xen are advised to upgrade to these updated packages, which resolve these issues. Important Copyright 2008 Red Hat, Inc. CVE-2007-3919 CVE-2007-5730 CVE-2008-0928 CVE-2008-1943 CVE-2008-1944 CVE-2008-2004 CVE-2007-3919 xen xenmon.py / xenbaked insecure temporary file accesss CVE-2007-5730 QEMU Buffer overflow via crafted "net socket listen" option CVE-2008-0928 Qemu insufficient block device address range checking [RHEL5.2]: LTC41676-Xen full virt has data integrity issue CVE-2008-1943 PVFB backend fails to validate frontend's framebuffer description CVE-2008-1944 PVFB SDL backend chokes on bogus screen updates CVE-2008-2004 qemu/kvm/xen: qemu block format auto-detection vulnerability cpe://redhat:enterprise_linux:5 Red Hat Enterprise Linux 3 The unzip utility is used to list, test, or extract files from a zip archive. An invalid pointer flaw was found in unzip. If a user ran unzip on a specially crafted file, an attacker could execute arbitrary code with that user's privileges. (CVE-2008-0888) Red Hat would like to thank Tavis Ormandy of the Google Security Team for reporting this issue. All unzip users are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. Moderate Copyright 2008 Red Hat, Inc. CVE-2008-0888 CVE-2008-0888 unzip: free() called for uninitialized or already freed pointer cpe://redhat:enterprise_linux:3 Red Hat Enterprise Linux 5 gnome-screensaver is the GNOME project's official screen saver program. A flaw was found in the way gnome-screensaver verified user passwords. When a system used a remote directory service for login credentials, a local attacker able to cause a network outage could cause gnome-screensaver to crash, unlocking the screen. (CVE-2008-0887) Users of gnome-screensaver should upgrade to this updated package, which contains a backported patch to correct this issue. Moderate Copyright 2008 Red Hat, Inc. CVE-2008-0887 CVE-2008-0887 gnome-screensaver using NIS auth will unlock if NIS goes away cpe://redhat:enterprise_linux:5 Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX(R) operating systems. Two overflows were discovered in the HP-GL/2-to-PostScript filter. An attacker could create a malicious HP-GL/2 file that could possibly execute arbitrary code as the "lp" user if the file is printed. (CVE-2008-0053) A buffer overflow flaw was discovered in the GIF decoding routines used by CUPS image converting filters "imagetops" and "imagetoraster". An attacker could create a malicious GIF file that could possibly execute arbitrary code as the "lp" user if the file was printed. (CVE-2008-1373) It was discovered that the patch used to address CVE-2004-0888 in CUPS packages in Red Hat Enterprise Linux 3 and 4 did not completely resolve the integer overflow in the "pdftops" filter on 64-bit platforms. An attacker could create a malicious PDF file that could possibly execute arbitrary code as the "lp" user if the file was printed. (CVE-2008-1374) All cups users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2008-0053 CVE-2008-1373 CVE-2008-1374 CVE-2008-0053 cups: buffer overflows in HP-GL/2 filter CVE-2008-1373 cups: overflow in gif image filter CVE-2008-1374 cups: incomplete fix for CVE-2004-0888 / CVE-2005-0206 cpe://redhat:enterprise_linux:3 cpe://redhat:enterprise_linux:4 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Firefox is an open source Web browser. Several flaws were found in the processing of some malformed web content. A web page containing such malicious content could cause Firefox to crash or, potentially, execute arbitrary code as the user running Firefox. (CVE-2008-1233, CVE-2008-1235, CVE-2008-1236, CVE-2008-1237) Several flaws were found in the display of malformed web content. A web page containing specially-crafted content could, potentially, trick a Firefox user into surrendering sensitive information. (CVE-2008-1234, CVE-2008-1238, CVE-2008-1241) All Firefox users should upgrade to these updated packages, which contain backported patches that correct these issues. Critical Copyright 2008 Red Hat, Inc. CVE-2008-1233 CVE-2008-1234 CVE-2008-1235 CVE-2008-1236 CVE-2008-1237 CVE-2008-1238 CVE-2008-1241 CVE-2008-1233 Mozilla products XPCNativeWrapper pollution CVE-2008-1234 universal XSS using event handlers CVE-2008-1235 chrome privilege via wrong principal CVE-2008-1236 browser engine crashes CVE-2008-1237 javascript crashes CVE-2008-1238 Referrer spoofing bug CVE-2008-1241 XUL popup spoofing cpe://redhat:enterprise_linux:4 cpe://redhat:enterprise_linux:5 Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 SeaMonkey is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. Several flaws were found in the processing of some malformed web content. A web page containing such malicious content could cause SeaMonkey to crash or, potentially, execute arbitrary code as the user running SeaMonkey. (CVE-2008-1233, CVE-2008-1235, CVE-2008-1236, CVE-2008-1237) Several flaws were found in the display of malformed web content. A web page containing specially-crafted content could, potentially, trick a SeaMonkey user into surrendering sensitive information. (CVE-2008-1234, CVE-2008-1238, CVE-2008-1241) All SeaMonkey users should upgrade to these updated packages, which contain backported patches to resolve these issues. Critical Copyright 2008 Red Hat, Inc. CVE-2008-1233 CVE-2008-1234 CVE-2008-1235 CVE-2008-1236 CVE-2008-1237 CVE-2008-1238 CVE-2008-1241 CVE-2008-1233 Mozilla products XPCNativeWrapper pollution CVE-2008-1234 universal XSS using event handlers CVE-2008-1235 chrome privilege via wrong principal CVE-2008-1236 browser engine crashes CVE-2008-1237 javascript crashes CVE-2008-1238 Referrer spoofing bug CVE-2008-1241 XUL popup spoofing cpe://redhat:enterprise_linux:3 cpe://redhat:enterprise_linux:4 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Thunderbird is a standalone mail and newsgroup client. Several flaws were found in the processing of some malformed HTML mail content. An HTML mail message containing such malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code as the user running Thunderbird. (CVE-2008-1233, CVE-2008-1235, CVE-2008-1236, CVE-2008-1237) Several flaws were found in the display of malformed web content. An HTML mail message containing specially-crafted content could, potentially, trick a user into surrendering sensitive information. (CVE-2008-1234, CVE-2008-1238, CVE-2008-1241) Note: JavaScript support is disabled by default in Thunderbird; the above issues are not exploitable unless JavaScript is enabled. All Thunderbird users should upgrade to these updated packages, which contain backported patches to resolve these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2008-1233 CVE-2008-1234 CVE-2008-1235 CVE-2008-1236 CVE-2008-1237 CVE-2008-1238 CVE-2008-1241 CVE-2008-1233 Mozilla products XPCNativeWrapper pollution CVE-2008-1234 universal XSS using event handlers CVE-2008-1235 chrome privilege via wrong principal CVE-2008-1236 browser engine crashes CVE-2008-1237 javascript crashes CVE-2008-1238 Referrer spoofing bug CVE-2008-1241 XUL popup spoofing cpe://redhat:enterprise_linux:4 cpe://redhat:enterprise_linux:5 Red Hat Enterprise Linux Extras 4 Red Hat Enterprise Linux Extras 5 IBM's 1.5.0 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. Two vulnerabilities in the Java Runtime Environment allowed an untrusted application or applet to elevate the assigned privileges. This could be misused by a malicious website to read and write local files or execute local applications in the context of the user running the Java process. (CVE-2008-0657) A flaw was found in the Java XSLT processing classes. An untrusted application or applet could cause a denial of service, or execute arbitrary code with the permissions of the user running the JRE. (CVE-2008-1187) Several buffer overflow flaws were found in Java Web Start (JWS). An untrusted JNLP application could access local files or execute local applications accessible to the user running the JRE. (CVE-2008-1188, CVE-2008-1189, CVE-2008-1190, CVE-2008-1196) A flaw was found in the Java Plug-in. A remote attacker could bypass the same origin policy, executing arbitrary code with the permissions of the user running the JRE. (CVE-2008-1192) A flaw was found in the JRE image parsing libraries. An untrusted application or applet could cause a denial of service, or possible execute arbitrary code with the permissions of the user running the JRE. (CVE-2008-1193) A flaw was found in the JRE color management library. An untrusted application or applet could trigger a denial of service (JVM crash). (CVE-2008-1194) The JRE allowed untrusted JavaScript code to create local network connections by the use of Java APIs. A remote attacker could use these flaws to acesss local network services. (CVE-2008-1195) All users of java-ibm-1.5.0 are advised to upgrade to these updated packages, that contain IBM's 1.5.0 SR7 Java release which resolves these issues. Critical Copyright 2008 Red Hat, Inc. CVE-2008-0657 CVE-2008-1187 CVE-2008-1188 CVE-2008-1189 CVE-2008-1190 CVE-2008-1192 CVE-2008-1193 CVE-2008-1194 CVE-2008-1195 CVE-2008-1196 CVE-2008-0657 java-1.5.0 Privilege escalation via unstrusted applet and application CVE-2008-1187 Untrusted applet and application XSLT processing privilege escalation CVE-2008-1188 Buffer overflow security vulnerabilities in Java Web Start (CVE-2008-1189, CVE-2008-1190) CVE-2008-1192 Java Plugin same-origin-policy bypass CVE-2008-1193 JRE image parsing library allows privilege escalation (CVE-2008-1194) CVE-2008-1195 Java-API calls in untrusted Javascript allow network privilege escalation CVE-2008-1196 Buffer overflow security vulnerabilities in Java Web Start cpe://redhat:rhel_extras:4 cpe://redhat:rhel_extras:5 Red Hat Enterprise Linux 3 The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated packages fix the following security issues: * the absence of a protection mechanism when attempting to access a critical section of code has been found in the Linux kernel open file descriptors control mechanism, fcntl. This could allow a local unprivileged user to simultaneously execute code, which would otherwise be protected against parallel execution. As well, a race condition when handling locks in the Linux kernel fcntl functionality, may have allowed a process belonging to a local unprivileged user to gain re-ordered access to the descriptor table. (CVE-2008-1669, Important) * the absence of a protection mechanism when attempting to access a critical section of code, as well as a race condition, have been found in the Linux kernel file system event notifier, dnotify. This could allow a local unprivileged user to get inconsistent data, or to send arbitrary signals to arbitrary system processes. (CVE-2008-1375, Important) Red Hat would like to thank Nick Piggin for responsibly disclosing the following issue: * when accessing kernel memory locations, certain Linux kernel drivers registering a fault handler did not perform required range checks. A local unprivileged user could use this flaw to gain read or write access to arbitrary kernel memory, or possibly cause a kernel crash. (CVE-2008-0007, Important) * a flaw was found when performing asynchronous input or output operations on a FIFO special file. A local unprivileged user could use this flaw to cause a kernel panic. (CVE-2007-5001, Important) * a flaw was found in the way core dump files were created. If a local user could get a root-owned process to dump a core file into a directory, which the user has write access to, they could gain read access to that core file. This could potentially grant unauthorized access to sensitive information. (CVE-2007-6206, Moderate) * a buffer overflow was found in the Linux kernel ISDN subsystem. A local unprivileged user could use this flaw to cause a denial of service. (CVE-2007-6151, Moderate) * a race condition found in the mincore system core could allow a local user to cause a denial of service (system hang). (CVE-2006-4814, Moderate) * it was discovered that the Linux kernel handled string operations in the opposite way to the GNU Compiler Collection (GCC). This could allow a local unprivileged user to cause memory corruption. (CVE-2008-1367, Low) As well, these updated packages fix the following bugs: * a bug, which caused long delays when unmounting mounts containing a large number of unused dentries, has been resolved. * in the previous kernel packages, the kernel was unable to handle certain floating point instructions on Itanium(R) architectures. * on certain Intel CPUs, the Translation Lookaside Buffer (TLB) was not flushed correctly, which caused machine check errors. Red Hat Enterprise Linux 3 users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. Important Copyright 2008 Red Hat, Inc. CVE-2006-4814 CVE-2007-5001 CVE-2007-6151 CVE-2007-6206 CVE-2008-0007 CVE-2008-1367 CVE-2008-1375 CVE-2008-1669 CVE-2006-4814 kernel Race condition in mincore can cause "ps -ef" to hang CVE-2007-5001 kernel asynchronous IO on a FIFO kernel panic CVE-2007-6206 Issue with core dump owner RHEL3: System hangs at unmount CVE-2007-6151 I4L: fix isdn_ioctl memory issue CVE-2008-0007 kernel: insufficient range checks in fault handlers with mremap CVE-2008-1367 Kernel doesn't clear DF for signal handlers CVE-2008-1375 kernel: race condition in dnotify (local DoS, local roothole possible) CVE-2008-1669 kernel: add rcu_read_lock() to fcheck() in both dnotify, locks.c and fix fcntl store/load race in locks.c cpe://redhat:enterprise_linux:3 Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Squid is a high-performance proxy caching server for Web clients, supporting FTP, gopher, and HTTP data objects. A flaw was found in the way squid manipulated HTTP headers for cached objects stored in system memory. An attacker could use this flaw to cause a squid child process to exit. This interrupted existing connections and made proxy services unavailable. Note: the parent squid process started a new child process, so this attack only resulted in a temporary denial of service. (CVE-2008-1612) Users of squid are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. Moderate Copyright 2008 Red Hat, Inc. CVE-2008-1612 CVE-2008-1612 squid: regression in SQUID-2007:2 / CVE-2007-6239 cpe://redhat:enterprise_linux:3 cpe://redhat:enterprise_linux:4 cpe://redhat:enterprise_linux:5 Red Hat Enterprise Linux 5 gnome-screensaver is the GNOME project's official screen saver program. A flaw was found in the way gnome-screensaver verified user passwords. When a system used a remote directory service for login credentials, a local attacker able to cause a network outage could cause gnome-screensaver to crash, unlocking the screen. (CVE-2008-0887) Users of gnome-screensaver should upgrade to this updated package, which contains a backported patch to correct this issue. Moderate Copyright 2008 Red Hat, Inc. CVE-2008-0887 CVE-2008-0887 gnome-screensaver using NIS auth will unlock if NIS goes away cpe://redhat:enterprise_linux:5 Red Hat Enterprise Linux Extras 3 Red Hat Enterprise Linux Extras 4 Red Hat Enterprise Linux Extras 5 The flash-plugin package contains a Firefox-compatible Adobe Flash Player Web browser plug-in. Several input validation flaws were found in the way Flash Player displayed certain content. These may have made it possible to execute arbitrary code on a victim's machine, if the victim opened a malicious Adobe Flash file. (CVE-2007-0071, CVE-2007-6019) A flaw was found in the way Flash Player established TCP sessions to remote hosts. A remote attacker could, consequently, use Flash Player to conduct a DNS rebinding attack. (CVE-2007-5275, CVE-2008-1655) A flaw was found in the way Flash Player restricted the interpretation and usage of cross-domain policy files. A remote attacker could use Flash Player to conduct cross-domain and cross-site scripting attacks. (CVE-2007-6243, CVE-2008-1654) A flaw was found in the way Flash Player interacted with web browsers. An attacker could use malicious content presented by Flash Player to conduct a cross-site scripting attack. (CVE-2007-6637) All users of Adobe Flash Player should upgrade to this updated package, which contains Flash Player version 9.0.124.0 and resolves these issues. Critical Copyright 2008 Red Hat, Inc. CVE-2007-5275 CVE-2007-6243 CVE-2007-6637 CVE-2007-6019 CVE-2007-0071 CVE-2008-1655 CVE-2008-1654 CVE-2007-5275 Flash plugin DNS rebinding CVE-2007-6243 Flash Player cross-domain and cross-site scripting flaws CVE-2007-6637 Flash Player content injection flaw cpe://redhat:rhel_extras:3 cpe://redhat:rhel_extras:4 cpe://redhat:rhel_extras:5 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Firefox is an open source Web browser. A flaw was found in the processing of malformed JavaScript content. A web page containing such malicious content could cause Firefox to crash or, potentially, execute arbitrary code as the user running Firefox. (CVE-2008-1380) All Firefox users should upgrade to these updated packages, which contain backported patches that correct these issues. Critical Copyright 2008 Red Hat, Inc. CVE-2008-1380 CVE-2008-1380 Firefox JavaScript garbage collection crash cpe://redhat:enterprise_linux:4 cpe://redhat:enterprise_linux:5 Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 SeaMonkey is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. A flaw was found in the processing of malformed JavaScript content. A web page containing such malicious content could cause SeaMonkey to crash or, potentially, execute arbitrary code as the user running SeaMonkey. (CVE-2008-1380) All SeaMonkey users should upgrade to these updated packages, which contain backported patches to resolve these issues. Critical Copyright 2008 Red Hat, Inc. CVE-2008-1380 CVE-2008-1380 Firefox JavaScript garbage collection crash cpe://redhat:enterprise_linux:3 cpe://redhat:enterprise_linux:4 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Thunderbird is a standalone mail and newsgroup client. A flaw was found in the processing of malformed JavaScript content. An HTML mail message containing such malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code as the user running Thunderbird. (CVE-2008-1380) Note: JavaScript support is disabled by default in Thunderbird; the above issue is not exploitable unless JavaScript is enabled. All Thunderbird users should upgrade to these updated packages, which contain backported patches to resolve these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2008-1380 CVE-2008-1380 Firefox JavaScript garbage collection crash cpe://redhat:enterprise_linux:4 cpe://redhat:enterprise_linux:5 Red Hat Enterprise Linux 5 The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated packages fix the following security issues: * the absence of a protection mechanism when attempting to access a critical section of code has been found in the Linux kernel open file descriptors control mechanism, fcntl. This could allow a local unprivileged user to simultaneously execute code, which would otherwise be protected against parallel execution. As well, a race condition when handling locks in the Linux kernel fcntl functionality, may have allowed a process belonging to a local unprivileged user to gain re-ordered access to the descriptor table. (CVE-2008-1669, Important) * a possible hypervisor panic was found in the Linux kernel. A privileged user of a fully virtualized guest could initiate a stress-test File Transfer Protocol (FTP) transfer between the guest and the hypervisor, possibly leading to hypervisor panic. (CVE-2008-1619, Important) * the absence of a protection mechanism when attempting to access a critical section of code, as well as a race condition, have been found in the Linux kernel file system event notifier, dnotify. This could allow a local unprivileged user to get inconsistent data, or to send arbitrary signals to arbitrary system processes. (CVE-2008-1375, Important) Red Hat would like to thank Nick Piggin for responsibly disclosing the following issue: * when accessing kernel memory locations, certain Linux kernel drivers registering a fault handler did not perform required range checks. A local unprivileged user could use this flaw to gain read or write access to arbitrary kernel memory, or possibly cause a kernel crash. (CVE-2008-0007, Important) * the absence of sanity-checks was found in the hypervisor block backend driver, when running 32-bit paravirtualized guests on a 64-bit host. The number of blocks to be processed per one request from guest to host, or vice-versa, was not checked for its maximum value, which could have allowed a local privileged user of the guest operating system to cause a denial of service. (CVE-2007-5498, Important) * it was discovered that the Linux kernel handled string operations in the opposite way to the GNU Compiler Collection (GCC). This could allow a local unprivileged user to cause memory corruption. (CVE-2008-1367, Low) As well, these updated packages fix the following bugs: * on IBM System z architectures, when running QIOASSIST enabled QDIO devices in an IBM z/VM environment, the output queue stalled under heavy load. This caused network performance to degrade, possibly causing network hangs and outages. * multiple buffer overflows were discovered in the neofb video driver. It was not possible for an unprivileged user to exploit these issues, and as such, they have not been handled as security issues. * when running Microsoft Windows in a HVM, a bug in vmalloc/vfree caused network performance to degrade. * on certain architectures, a bug in the libATA sata_nv driver may have caused infinite reboots, and an "ata1: CPB flags CMD err flags 0x11" error. * repeatedly hot-plugging a PCI Express card may have caused "Bad DLLP" errors. * a NULL pointer dereference in NFS, which may have caused applications to crash, has been resolved. * when attempting to kexec reboot, either manually or via a panic-triggered kdump, the Unisys ES7000/one hanged after rebooting in the new kernel, after printing the "Memory: 32839688k/33685504k available" line. Red Hat Enterprise Linux 5 users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. Important Copyright 2008 Red Hat, Inc. CVE-2007-5498 CVE-2008-0007 CVE-2008-1367 CVE-2008-1375 CVE-2008-1619 CVE-2008-1669 cpe://redhat:enterprise_linux:5 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Speex is a patent-free compression format designed especially for speech. The Speex package contains a library for handling Speex files and sample encoder and decoder implementations using this library. The Speex library was found to not properly validate input values read from the Speex files headers. An attacker could create a malicious Speex file that would crash an application or, possibly, allow arbitrary code execution with the privileges of the application calling the Speex library. (CVE-2008-1686) All users of speex are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. Important Copyright 2008 Red Hat, Inc. CVE-2008-1686 CVE-2008-1686 speex, libfishsound: insufficient boundary checks cpe://redhat:enterprise_linux:4 cpe://redhat:enterprise_linux:5 Red Hat Enterprise Linux 4 The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated packages fix the following security issues: * the absence of a protection mechanism when attempting to access a critical section of code has been found in the Linux kernel open file descriptors control mechanism, fcntl. This could allow a local unprivileged user to simultaneously execute code, which would otherwise be protected against parallel execution. As well, a race condition when handling locks in the Linux kernel fcntl functionality, may have allowed a process belonging to a local unprivileged user to gain re-ordered access to the descriptor table. (CVE-2008-1669, Important) * on AMD64 architectures, the possibility of a kernel crash was discovered by testing the Linux kernel process-trace ability. This could allow a local unprivileged user to cause a denial of service (kernel crash). (CVE-2008-1615, Important) * the absence of a protection mechanism when attempting to access a critical section of code, as well as a race condition, have been found in the Linux kernel file system event notifier, dnotify. This could allow a local unprivileged user to get inconsistent data, or to send arbitrary signals to arbitrary system processes. (CVE-2008-1375, Important) Red Hat would like to thank Nick Piggin for responsibly disclosing the following issue: * when accessing kernel memory locations, certain Linux kernel drivers registering a fault handler did not perform required range checks. A local unprivileged user could use this flaw to gain read or write access to arbitrary kernel memory, or possibly cause a kernel crash. (CVE-2008-0007, Important) * the possibility of a kernel crash was found in the Linux kernel IPsec protocol implementation, due to improper handling of fragmented ESP packets. When an attacker controlling an intermediate router fragmented these packets into very small pieces, it would cause a kernel crash on the receiving node during packet reassembly. (CVE-2007-6282, Important) * a flaw in the MOXA serial driver could allow a local unprivileged user to perform privileged operations, such as replacing firmware. (CVE-2005-0504, Important) As well, these updated packages fix the following bugs: * multiple buffer overflows in the neofb driver have been resolved. It was not possible for an unprivileged user to exploit these issues, and as such, they have not been handled as security issues. * a kernel panic, due to inconsistent detection of AGP aperture size, has been resolved. * a race condition in UNIX domain sockets may have caused "recv()" to return zero. In clustered configurations, this may have caused unexpected failovers. * to prevent link storms, network link carrier events were delayed by up to one second, causing unnecessary packet loss. Now, link carrier events are scheduled immediately. * a client-side race on blocking locks caused large time delays on NFS file systems. * in certain situations, the libATA sata_nv driver may have sent commands with duplicate tags, which were rejected by SATA devices. This may have caused infinite reboots. * running the "service network restart" command may have caused networking to fail. * a bug in NFS caused cached information about directories to be stored for too long, causing wrong attributes to be read. * on systems with a large highmem/lowmem ratio, NFS write performance may have been very slow when using small files. * a bug, which caused network hangs when the system clock was wrapped around zero, has been resolved. Red Hat Enterprise Linux 4 users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. Important Copyright 2008 Red Hat, Inc. CVE-2005-0504 CVE-2007-6282 CVE-2008-0007 CVE-2008-1375 CVE-2008-1615 CVE-2008-1669 CVE-2007-6282 IPSec ESP kernel panics CVE-2005-0504 Buffer overflow in moxa driver CVE-2008-0007 kernel: insufficient range checks in fault handlers with mremap CVE-2008-1615 kernel: ptrace: Unprivileged crash on x86_64 %cs corruption [RHEL4.6] In unix domain sockets, recv() may incorrectly return zero Fake ARP dropped after migration leading to loss of network connectivity LTC41942-30 second flock() calls against files stored on a NetApp while using NFS libata: sata_nv may send commands with duplicate tags HP-Japan Network stack hang after service network restart NFS: Fix directory caching problem - with test case and patch. [2.6.9-55.9] VM pagecache reclaim patch causes high latency on systems with large highmem/lowmem ratios Since "Patch2037: linux-2.6.9-vm-balance.patch" my NFS performance is poorly CVE-2008-1375 kernel: race condition in dnotify (local DoS, local roothole possible) CVE-2008-1669 kernel: add rcu_read_lock() to fcheck() in both dnotify, locks.c and fix fcntl store/load race in locks.c cpe://redhat:enterprise_linux:4 Red Hat Enterprise Linux 4 The kdegraphics packages contain applications for the K Desktop Environment, including kpdf, a PDF file viewer. Kees Cook discovered a flaw in the way kpdf displayed malformed fonts embedded in PDF files. An attacker could create a malicious PDF file that would cause kpdf to crash, or, potentially, execute arbitrary code when opened. (CVE-2008-1693) All kdegraphics users are advised to upgrade to these updated packages, which contain backported patches to resolve this issue. Important Copyright 2008 Red Hat, Inc. CVE-2008-1693 cpe://redhat:enterprise_linux:4 Red Hat Enterprise Linux 5 Poppler is a PDF rendering library, used by applications such as Evince. Kees Cook discovered a flaw in the way poppler displayed malformed fonts embedded in PDF files. An attacker could create a malicious PDF file that would cause applications that use poppler -- such as Evince -- to crash, or, potentially, execute arbitrary code when opened. (CVE-2008-1693) Users are advised to upgrade to these updated packages, which contain backported patches to resolve this issue. Important Copyright 2008 Red Hat, Inc. CVE-2008-1693 cpe://redhat:enterprise_linux:5 Red Hat Enterprise Linux 4 Xpdf is an X Window System-based viewer for Portable Document Format (PDF) files. Kees Cook discovered a flaw in the way xpdf displayed malformed fonts embedded in PDF files. An attacker could create a malicious PDF file that would cause xpdf to crash, or, potentially, execute arbitrary code when opened. (CVE-2008-1693) Users are advised to upgrade to these updated packages, which contain backported patches to resolve this issue. Important Copyright 2008 Red Hat, Inc. CVE-2008-1693 cpe://redhat:enterprise_linux:4 Red Hat Enterprise Linux Extras 3 Red Hat Enterprise Linux Extras 4 Red Hat Enterprise Linux Extras 5 The BEA WebLogic JRockit 1.4.2_16 JRE and SDK contains BEA WebLogic JRockit Virtual Machine 1.4.2_16 and is certified for the Java 2 Platform, Standard Edition, v1.4.2. A flaw was found in the Java XSLT processing classes. An untrusted application or applet could cause a denial of service, or execute arbitrary code with the permissions of the user running the JRE. (CVE-2008-1187) Please note: This vulnerability can only be triggered in java-1.4.2-bea by calling the "appletviewer" application. All java-1.4.2-bea users should upgrade to this updated package which addresses this vulnerability. Moderate Copyright 2008 Red Hat, Inc. CVE-2008-1187 CVE-2008-1187 Untrusted applet and application XSLT processing privilege escalation cpe://redhat:rhel_extras:3 cpe://redhat:rhel_extras:4 cpe://redhat:rhel_extras:5 Red Hat Enterprise Linux Extras 4 Red Hat Enterprise Linux Extras 5 The BEA WebLogic JRockit 1.5.0_14 JRE and SDK contain BEA WebLogic JRockit Virtual Machine 1.5.0_14, and are certified for the Java 5 Platform, Standard Edition, v1.5.0. A flaw was found in the Java XSLT processing classes. An untrusted application or applet could cause a denial of service, or execute arbitrary code with the permissions of the user running the JRE. (CVE-2008-1187) A flaw was found in the JRE image parsing libraries. An untrusted application or applet could cause a denial of service, or possibly execute arbitrary code with the permissions of the user running the JRE. (CVE-2008-1193) A flaw was found in the JRE color management library. An untrusted application or applet could trigger a denial of service (JVM crash). (CVE-2008-1194) The vulnerabilities concerning applets listed above can only be triggered in java-1.5.0-bea, by calling the "appletviewer" application. Users of java-1.5.0-bea are advised to upgrade to these updated packages, which resolve these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2008-1187 CVE-2008-1193 CVE-2008-1194 CVE-2008-1187 Untrusted applet and application XSLT processing privilege escalation CVE-2008-1193 JRE image parsing library allows privilege escalation (CVE-2008-1194) cpe://redhat:rhel_extras:4 cpe://redhat:rhel_extras:5 Red Hat Enterprise Linux Extras 5 The BEA WebLogic JRockit 1.6.0_03 JRE and SDK contain BEA WebLogic JRockit Virtual Machine 1.6.0_03, and are certified for the Java 6 Platform, Standard Edition, v1.6.0. The Java XML parsing code processed external entity references even when the "external general entities" property was set to "FALSE". This allowed remote attackers to conduct XML External Entity (XXE) attacks, possibly causing a denial of service, or gaining access to restricted resources. (CVE-2008-0628) A flaw was found in the Java XSLT processing classes. An untrusted application or applet could cause a denial of service, or execute arbitrary code with the permissions of the user running the JRE. (CVE-2008-1187) A flaw was found in the JRE image parsing libraries. An untrusted application or applet could cause a denial of service, or possible execute arbitrary code with the permissions of the user running the JRE. (CVE-2008-1193) A flaw was found in the JRE color management library. An untrusted application or applet could trigger a denial of service (JVM crash). (CVE-2008-1194) The vulnerabilities concerning applets listed above can only be triggered in java-1.6.0-bea, by calling the "appletviewer" application. Users of java-1.6.0-bea are advised to upgrade to these updated packages, which resolve these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2008-0628 CVE-2008-1187 CVE-2008-1193 CVE-2008-1194 CVE-2008-0628 java-1.6.0 default external entity processing CVE-2008-1187 Untrusted applet and application XSLT processing privilege escalation CVE-2008-1193 JRE image parsing library allows privilege escalation (CVE-2008-1194) cpe://redhat:rhel_extras:5 Red Hat Enterprise Linux 4 gpdf is a GNOME-based viewer for Portable Document Format (PDF) files. Kees Cook discovered a flaw in the way gpdf displayed malformed fonts embedded in PDF files. An attacker could create a malicious PDF file that would cause gpdf to crash, or, potentially, execute arbitrary code when opened. (CVE-2008-1693) Users of gpdf are advised to upgrade to this updated package, which contains a backported patch to resolve this issue. Important Copyright 2008 Red Hat, Inc. CVE-2008-1693 CVE-2008-1693 xpdf: embedded font vulnerability cpe://redhat:enterprise_linux:4 Red Hat Enterprise Linux Extras 5 IBM's 1.6.0 Java release includes the IBM Java 2 Runtime Environment, and the IBM Java 2 Software Development Kit. A flaw was found in the Java XSLT processing classes. An untrusted application or applet could cause a denial of service, or execute arbitrary code with the permissions of the user running the JRE. (CVE-2008-1187) Several buffer overflow flaws were found in Java Web Start (JWS). An untrusted JNLP application could access local files, or execute local applications accessible to the user running the JRE. (CVE-2008-1188, CVE-2008-1189, CVE-2008-1190, CVE-2008-1191, CVE-2008-1196) A flaw was found in the Java plug-in. A remote attacker could bypass the same origin policy, executing arbitrary code with the permissions of the user running the JRE. (CVE-2008-1192) A flaw was found in the JRE image parsing libraries. An untrusted application or applet could cause a denial of service, or possibly execute arbitrary code with the permissions of the user running the JRE. (CVE-2008-1193) A flaw was found in the JRE color management library. An untrusted application or applet could trigger a denial of service (JVM crash). (CVE-2008-1194) The JRE allowed untrusted JavaScript code to create local network connections by the use of Java APIs. A remote attacker could use these flaws to access local network services. (CVE-2008-1195) All users of java-1.6.0-ibm are advised to upgrade to these updated packages, that contain IBM's 1.6.0 SR1 Java release, which resolves these issues. Critical Copyright 2008 Red Hat, Inc. CVE-2008-1187 CVE-2008-1188 CVE-2008-1189 CVE-2008-1190 CVE-2008-1191 CVE-2008-1192 CVE-2008-1193 CVE-2008-1194 CVE-2008-1195 CVE-2008-1196 CVE-2008-1187 Untrusted applet and application XSLT processing privilege escalation CVE-2008-1188 Buffer overflow security vulnerabilities in Java Web Start (CVE-2008-1189, CVE-2008-1190) CVE-2008-1192 Java Plugin same-origin-policy bypass CVE-2008-1193 JRE image parsing library allows privilege escalation (CVE-2008-1194) CVE-2008-1195 Java-API calls in untrusted Javascript allow network privilege escalation CVE-2008-1196 Buffer overflow security vulnerabilities in Java Web Start CVE-2008-1191 Untrusted Java Web Start arbitrary file creation cpe://redhat:rhel_extras:5 Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The libvorbis packages contain runtime libraries for use in programs that support Ogg Vorbis. Ogg Vorbis is a fully open, non-proprietary, patent-and royalty-free, general-purpose compressed audio format. Will Drewry of the Google Security Team reported several flaws in the way libvorbis processed audio data. An attacker could create a carefully crafted OGG audio file in such a way that it could cause an application linked with libvorbis to crash, or execute arbitrary code when it was opened. (CVE-2008-1419, CVE-2008-1420, CVE-2008-1423) Moreover, additional OGG file sanity-checks have been added to prevent possible exploitation of similar issues in the future. Users of libvorbis are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. Important Copyright 2008 Red Hat, Inc. CVE-2008-1419 CVE-2008-1420 CVE-2008-1423 cpe://redhat:enterprise_linux:3 cpe://redhat:enterprise_linux:4 cpe://redhat:enterprise_linux:5 Red Hat Enterprise Linux 5 The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated packages fix the following security issues: * on AMD64 architectures, the possibility of a kernel crash was discovered by testing the Linux kernel process-trace ability. This could allow a local unprivileged user to cause a denial of service (kernel crash). (CVE-2008-1615, Important) * on 64-bit architectures, the possibility of a timer-expiration value overflow was found in the Linux kernel high-resolution timers functionality, hrtimer. This could allow a local unprivileged user to setup a large interval value, forcing the timer expiry value to become negative, causing a denial of service (kernel hang). (CVE-2007-6712, Important) * the possibility of a kernel crash was found in the Linux kernel IPsec protocol implementation, due to improper handling of fragmented ESP packets. When an attacker controlling an intermediate router fragmented these packets into very small pieces, it would cause a kernel crash on the receiving node during packet reassembly. (CVE-2007-6282, Important) * a potential denial of service attack was discovered in the Linux kernel PWC USB video driver. A local unprivileged user could use this flaw to bring the kernel USB subsystem into the busy-waiting state, causing a denial of service. (CVE-2007-5093, Low) As well, these updated packages fix the following bugs: * in certain situations, a kernel hang and a possible panic occurred when disabling the cpufreq daemon. This may have prevented system reboots from completing successfully. * continual "softlockup" messages, which occurred on the guest's console after a successful save and restore of a Red Hat Enterprise Linux 5 para-virtualized guest, have been resolved. * in the previous kernel packages, the kernel may not have reclaimed NFS locks after a system reboot. Red Hat Enterprise Linux 5 users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. Important Copyright 2008 Red Hat, Inc. CVE-2007-5093 CVE-2007-6282 CVE-2007-6712 CVE-2008-1615 CVE-2007-5093 kernel PWC driver DoS rhel5.1s2 hang at 'Disabling ondemand cpu frequency scaling' [rhel-5.1.z] CVE-2007-6282 IPSec ESP kernel panics booting with maxcpus=1 panics when starting cpufreq service [rhel-5.1.z] CVE-2008-1615 kernel: ptrace: Unprivileged crash on x86_64 %cs corruption CVE-2007-6712 kernel: infinite loop in highres timers (kernel hang) [RHEL5]: Softlockup after save/restore in PV guest RHEL5.1 kernel not reclaiming NFS locks when server reboots cpe://redhat:enterprise_linux:5 Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 libxslt is a C library, based on libxml, for parsing of XML files into other textual formats (eg HTML, plain text and other XML representations of the underlying data) It uses the standard XSLT stylesheet transformation mechanism and, being written in plain ANSI C, is designed to be simple to incorporate into other applications Anthony de Almeida Lopes reported the libxslt library did not properly process long "transformation match" conditions in the XSL stylesheet files. An attacker could create a malicious XSL file that would cause a crash, or, possibly, execute and arbitrary code with the privileges of the application using libxslt library to perform XSL transformations. (CVE-2008-1767) All users are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. Important Copyright 2008 Red Hat, Inc. CVE-2008-1767 CVE-2008-1767 libxslt: fixed-sized steps array overflow via "template match" condition in XSL file cpe://redhat:enterprise_linux:3 cpe://redhat:enterprise_linux:4 cpe://redhat:enterprise_linux:5 Red Hat Enterprise Linux 3