Red Hat OVAL Patch Definition Merger 2 5.3 2011-09-30T09:52:52 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The tog-pegasus packages provide OpenPegasus Web-Based Enterprise Management (WBEM) services. WBEM is a platform and resource independent DMTF standard that defines a common information model, and communication protocol for monitoring and controlling resources. During a security audit, a stack buffer overflow flaw was found in the PAM authentication code in the OpenPegasus CIM management server. An unauthenticated remote user could trigger this flaw and potentially execute arbitrary code with root privileges. (CVE-2008-0003) Note that the tog-pegasus packages are not installed by default on Red Hat Enterprise Linux. The Red Hat Security Response Team believes that it would be hard to remotely exploit this issue to execute arbitrary code, due to the default SELinux targeted policy on Red Hat Enterprise Linux 4 and 5, and the SELinux memory protection tests enabled by default on Red Hat Enterprise Linux 5. Users of tog-pegasus should upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing the updated packages the tog-pegasus service should be restarted. Critical Copyright 2008 Red Hat, Inc. CVE-2008-0003 CVE-2008-0003 tog-pegasus pam authentication buffer overflow cpe:/o:redhat:rhel_eus cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The e2fsprogs packages contain a number of utilities for creating, checking, modifying, and correcting any inconsistencies in second and third extended (ext2/ext3) file systems. Multiple integer overflow flaws were found in the way e2fsprogs processes file system content. If a victim opens a carefully crafted file system with a program using e2fsprogs, it may be possible to execute arbitrary code with the permissions of the victim. It may be possible to leverage this flaw in a virtualized environment to gain access to other virtualized hosts. (CVE-2007-5497) Red Hat would like to thank Rafal Wojtczuk of McAfee Avert Research for responsibly disclosing these issues. Users of e2fsprogs are advised to upgrade to these updated packages, which contain a backported patch to resolve these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2007-5497 CVE-2007-5497 e2fsprogs multiple integer overflows cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Apache HTTP Server is a popular Web server. A flaw was found in the mod_imap module. On sites where mod_imap was enabled and an imagemap file was publicly available, a cross-site scripting attack was possible. (CVE-2007-5000) A flaw was found in the mod_autoindex module. On sites where directory listings are used, and the "AddDefaultCharset" directive has been removed from the configuration, a cross-site scripting attack was possible against Web browsers which did not correctly derive the response character set following the rules in RFC 2616. (CVE-2007-4465) A flaw was found in the mod_proxy module. On sites where a reverse proxy is configured, a remote attacker could send a carefully crafted request that would cause the Apache child process handling that request to crash. On sites where a forward proxy is configured, an attacker could cause a similar crash if a user could be persuaded to visit a malicious site using the proxy. This could lead to a denial of service if using a threaded Multi-Processing Module. (CVE-2007-3847) A flaw was found in the mod_status module. On sites where mod_status was enabled and the status pages were publicly available, a cross-site scripting attack was possible. (CVE-2007-6388) A flaw was found in the mod_proxy_ftp module. On sites where mod_proxy_ftp was enabled and a forward proxy was configured, a cross-site scripting attack was possible against Web browsers which did not correctly derive the response character set following the rules in RFC 2616. (CVE-2008-0005) Users of Apache httpd should upgrade to these updated packages, which contain backported patches to resolve these issues. Users should restart httpd after installing this update. Moderate Copyright 2008 Red Hat, Inc. CVE-2007-3847 CVE-2007-4465 CVE-2007-5000 CVE-2007-6388 CVE-2008-0005 CVE-2007-3847 httpd out of bounds read CVE-2007-4465 mod_autoindex XSS CVE-2007-5000 mod_imagemap XSS CVE-2007-6388 apache mod_status cross-site scripting CVE-2008-0005 mod_proxy_ftp XSS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The Apache HTTP Server is a popular Web server. A flaw was found in the mod_imap module. On sites where mod_imap was enabled and an imagemap file was publicly available, a cross-site scripting attack was possible. (CVE-2007-5000) A flaw was found in the mod_autoindex module. On sites where directory listings are used, and the "AddDefaultCharset" directive has been removed from the configuration, a cross-site scripting attack was possible against Web browsers which do not correctly derive the response character set following the rules in RFC 2616. (CVE-2007-4465) A flaw was found in the mod_status module. On sites where mod_status was enabled and the status pages were publicly available, a cross-site scripting attack was possible. (CVE-2007-6388) A flaw was found in the mod_proxy_ftp module. On sites where mod_proxy_ftp was enabled and a forward proxy was configured, a cross-site scripting attack was possible against Web browsers which do not correctly derive the response character set following the rules in RFC 2616. (CVE-2008-0005) Users of Apache httpd should upgrade to these updated packages, which contain backported patches to resolve these issues. Users should restart httpd after installing this update. Moderate Copyright 2008 Red Hat, Inc. CVE-2007-4465 CVE-2007-5000 CVE-2007-6388 CVE-2008-0005 CVE-2007-4465 mod_autoindex XSS CVE-2007-5000 mod_imagemap XSS CVE-2007-6388 apache mod_status cross-site scripting CVE-2008-0005 mod_proxy_ftp XSS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The Apache HTTP Server is a popular Web server. A flaw was found in the mod_imagemap module. On sites where mod_imagemap was enabled and an imagemap file was publicly available, a cross-site scripting attack was possible. (CVE-2007-5000) A flaw was found in the mod_autoindex module. On sites where directory listings are used, and the "AddDefaultCharset" directive has been removed from the configuration, a cross-site scripting attack might have been possible against Web browsers which do not correctly derive the response character set following the rules in RFC 2616. (CVE-2007-4465) A flaw was found in the mod_status module. On sites where mod_status was enabled and the status pages were publicly available, a cross-site scripting attack was possible. (CVE-2007-6388) A flaw was found in the mod_proxy_balancer module. On sites where mod_proxy_balancer was enabled, a cross-site scripting attack against an authorized user was possible. (CVE-2007-6421) A flaw was found in the mod_proxy_balancer module. On sites where mod_proxy_balancer was enabled, an authorized user could send a carefully crafted request that would cause the Apache child process handling that request to crash. This could lead to a denial of service if using a threaded Multi-Processing Module. (CVE-2007-6422) A flaw was found in the mod_proxy_ftp module. On sites where mod_proxy_ftp was enabled and a forward proxy was configured, a cross-site scripting attack was possible against Web browsers which do not correctly derive the response character set following the rules in RFC 2616. (CVE-2008-0005) Users of Apache httpd should upgrade to these updated packages, which contain backported patches to resolve these issues. Users should restart httpd after installing this update. Moderate Copyright 2008 Red Hat, Inc. CVE-2007-4465 CVE-2007-5000 CVE-2007-6388 CVE-2007-6421 CVE-2007-6422 CVE-2008-0005 CVE-2007-4465 mod_autoindex XSS CVE-2007-5000 mod_imagemap XSS CVE-2007-6388 apache mod_status cross-site scripting CVE-2007-6421 httpd mod_proxy_balancer cross-site scripting CVE-2007-6422 httpd mod_proxy_balancer crash CVE-2008-0005 mod_proxy_ftp XSS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 XFree86 is an implementation of the X Window System, which provides the core functionality for the Linux graphical desktop. Two integer overflow flaws were found in the XFree86 server's EVI and MIT-SHM modules. A malicious authorized client could exploit these issues to cause a denial of service (crash), or potentially execute arbitrary code with root privileges on the XFree86 server. (CVE-2007-6429) A heap based buffer overflow flaw was found in the way the XFree86 server handled malformed font files. A malicious local user could exploit this issue to potentially execute arbitrary code with the privileges of the XFree86 server. (CVE-2008-0006) A memory corruption flaw was found in the XFree86 server's XInput extension. A malicious authorized client could exploit this issue to cause a denial of service (crash), or potentially execute arbitrary code with root privileges on the XFree86 server. (CVE-2007-6427) An information disclosure flaw was found in the XFree86 server's TOG-CUP extension. A malicious authorized client could exploit this issue to cause a denial of service (crash), or potentially view arbitrary memory content within the XFree86 server's address space. (CVE-2007-6428) An integer and heap overflow flaw were found in the X.org font server, xfs. A user with the ability to connect to the font server could have been able to cause a denial of service (crash), or potentially execute arbitrary code with the permissions of the font server. (CVE-2007-4568, CVE-2007-4990) A flaw was found in the XFree86 server's XC-SECURITY extension, that could have allowed a local user to verify the existence of an arbitrary file, even in directories that are not normally accessible to that user. (CVE-2007-5958) Users of XFree86 are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. Important Copyright 2008 Red Hat, Inc. CVE-2007-4568 CVE-2007-4990 CVE-2007-5958 CVE-2007-6427 CVE-2007-6428 CVE-2007-6429 CVE-2008-0006 CVE-2007-4568 xfs integer overflow in the build_range function CVE-2007-4990 xfs heap overflow in the swap_char2b function CVE-2007-5958 Xorg / XFree86 file existence disclosure vulnerability CVE-2007-6429 xorg / xfree86: integer overflow in EVI extension CVE-2007-6429 xorg / xfree86: integer overflow in MIT-SHM extension CVE-2007-6428 xorg / xfree86: information disclosure via TOG-CUP extension CVE-2007-6427 xorg / xfree86: memory corruption via XInput extension CVE-2008-0006 Xorg / XFree86 PCF font parser buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The xorg-x11 packages contain X.Org, an open source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon. Two integer overflow flaws were found in the X.Org server's EVI and MIT-SHM modules. A malicious authorized client could exploit these issues to cause a denial of service (crash), or potentially execute arbitrary code with root privileges on the X.Org server. (CVE-2007-6429) A heap based buffer overflow flaw was found in the way the X.Org server handled malformed font files. A malicious local user could exploit these issues to potentially execute arbitrary code with the privileges of the X.Org server. (CVE-2008-0006) A memory corruption flaw was found in the X.Org server's XInput extension. A malicious authorized client could exploit this issue to cause a denial of service (crash), or potentially execute arbitrary code with root privileges on the X.Org server. (CVE-2007-6427) An input validation flaw was found in the X.Org server's XFree86-Misc extension. A malicious authorized client could exploit this issue to cause a denial of service (crash), or potentially execute arbitrary code with root privileges on the X.Org server. (CVE-2007-5760) An information disclosure flaw was found in the X.Org server's TOG-CUP extension. A malicious authorized client could exploit this issue to cause a denial of service (crash), or potentially view arbitrary memory content within the X server's address space. (CVE-2007-6428) An integer and heap overflow flaw were found in the X.Org font server, xfs. A user with the ability to connect to the font server could have been able to cause a denial of service (crash), or potentially execute arbitrary code with the permissions of the font server. (CVE-2007-4568, CVE-2007-4990) A flaw was found in the X.Org server's XC-SECURITY extension, that could have allowed a local user to verify the existence of an arbitrary file, even in directories that are not normally accessible to that user. (CVE-2007-5958) Users of xorg-x11 should upgrade to these updated packages, which contain backported patches to resolve these issues. Important Copyright 2008 Red Hat, Inc. CVE-2007-4568 CVE-2007-4990 CVE-2007-5760 CVE-2007-5958 CVE-2007-6427 CVE-2007-6428 CVE-2007-6429 CVE-2008-0006 CVE-2007-4568 xfs integer overflow in the build_range function CVE-2007-4990 xfs heap overflow in the swap_char2b function CVE-2007-5958 Xorg / XFree86 file existence disclosure vulnerability CVE-2007-6429 xorg / xfree86: integer overflow in EVI extension CVE-2007-6429 xorg / xfree86: integer overflow in MIT-SHM extension CVE-2007-6428 xorg / xfree86: information disclosure via TOG-CUP extension CVE-2007-6427 xorg / xfree86: memory corruption via XInput extension CVE-2007-5760 xorg: invalid array indexing in XFree86-Misc extension CVE-2008-0006 Xorg / XFree86 PCF font parser buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 X.Org is an open source implementation of the X Window System. It provides basic low-level functionality that full-fledged graphical user interfaces are designed upon. Two integer overflow flaws were found in the X.Org server's EVI and MIT-SHM modules. A malicious authorized client could exploit these issues to cause a denial of service (crash), or potentially execute arbitrary code with root privileges on the X.Org server. (CVE-2007-6429) A memory corruption flaw was found in the X.Org server's XInput extension. A malicious authorized client could exploit this issue to cause a denial of service (crash), or potentially execute arbitrary code with root privileges on the X.Org server. (CVE-2007-6427) An input validation flaw was found in the X.Org server's XFree86-Misc extension. A malicious authorized client could exploit this issue to cause a denial of service (crash), or potentially execute arbitrary code with root privileges on the X.Org server. (CVE-2007-5760) An information disclosure flaw was found in the X.Org server's TOG-CUP extension. A malicious authorized client could exploit this issue to cause a denial of service (crash), or potentially view arbitrary memory content within the X server's address space. (CVE-2007-6428) A flaw was found in the X.Org server's XC-SECURITY extension, that could have allowed a local user to verify the existence of an arbitrary file, even in directories that are not normally accessible to that user. (CVE-2007-5958) Users of xorg-x11-server should upgrade to these updated packages, which contain backported patches to resolve these issues. Important Copyright 2008 Red Hat, Inc. CVE-2007-5760 CVE-2007-5958 CVE-2007-6427 CVE-2007-6428 CVE-2007-6429 CVE-2007-5958 Xorg / XFree86 file existence disclosure vulnerability CVE-2007-6429 xorg / xfree86: integer overflow in EVI extension CVE-2007-6429 xorg / xfree86: integer overflow in MIT-SHM extension CVE-2007-6428 xorg / xfree86: information disclosure via TOG-CUP extension CVE-2007-6427 xorg / xfree86: memory corruption via XInput extension CVE-2007-5760 xorg: invalid array indexing in XFree86-Misc extension cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 3 The libxml2 packages provide a library that allows you to manipulate XML files. It includes support to read, modify, and write XML and HTML files. A denial of service flaw was found in the way libxml2 processes certain content. If an application linked against libxml2 processes malformed XML content, it could cause the application to stop responding. (CVE-2007-6284) Red Hat would like to thank the Google Security Team for responsibly disclosing this issue. All users are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. Important Copyright 2008 Red Hat, Inc. CVE-2007-6284 CVE-2007-6284 libxml2: infinite loop in UTF-8 decoding cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 PostgreSQL is an advanced Object-Relational database management system (DBMS). The postgresql packages include the client programs and libraries needed to access a PostgreSQL DBMS server. Will Drewry discovered multiple flaws in PostgreSQL's regular expression engine. An authenticated attacker could use these flaws to cause a denial of service by causing the PostgreSQL server to crash, enter an infinite loop, or use extensive CPU and memory resources while processing queries containing specially crafted regular expressions. Applications that accept regular expressions from untrusted sources may expose this problem to unauthorized attackers. (CVE-2007-4769, CVE-2007-4772, CVE-2007-6067) A privilege escalation flaw was discovered in PostgreSQL. An authenticated attacker could create an index function that would be executed with administrator privileges during database maintenance tasks, such as database vacuuming. (CVE-2007-6600) A privilege escalation flaw was discovered in PostgreSQL's Database Link library (dblink). An authenticated attacker could use dblink to possibly escalate privileges on systems with "trust" or "ident" authentication configured. Please note that dblink functionality is not enabled by default, and can only by enabled by a database administrator on systems with the postgresql-contrib package installed. (CVE-2007-3278, CVE-2007-6601) All postgresql users should upgrade to these updated packages, which include PostgreSQL 7.4.19 and 8.1.11, and resolve these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2007-3278 CVE-2007-4769 CVE-2007-4772 CVE-2007-6067 CVE-2007-6600 CVE-2007-6601 CVE-2007-3278 dblink allows proxying of database connections via 127.0.0.1 CVE-2007-4769 postgresql integer overflow in regex code CVE-2007-4772 postgresql DoS via infinite loop in regex NFA optimization code CVE-2007-6067 postgresql: tempory DoS caused by slow regex NFA cleanup CVE-2007-6600 PostgreSQL privilege escalation CVE-2007-6601 PostgreSQL privilege escalation via dblink cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 PostgreSQL is an advanced Object-Relational database management system (DBMS). The postgresql packages include the client programs and libraries needed to access a PostgreSQL DBMS server. A privilege escalation flaw was discovered in PostgreSQL. An authenticated attacker could create an index function that would be executed with administrator privileges during database maintenance tasks, such as database vacuuming. (CVE-2007-6600) A privilege escalation flaw was discovered in PostgreSQL's Database Link library (dblink). An authenticated attacker could use dblink to possibly escalate privileges on systems with "trust" or "ident" authentication configured. Please note that dblink functionality is not enabled by default, and can only by enabled by a database administrator on systems with the postgresql-contrib package installed. (CVE-2007-3278, CVE-2007-6601) All postgresql users should upgrade to these updated packages, which include PostgreSQL 7.3.21 and resolve these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2007-3278 CVE-2007-6600 CVE-2007-6601 CVE-2007-3278 dblink allows proxying of database connections via 127.0.0.1 CVE-2007-6600 PostgreSQL privilege escalation CVE-2007-6601 PostgreSQL privilege escalation via dblink cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Tomcat is a servlet container for Java Servlet and JavaServer Pages technologies. A directory traversal vulnerability existed in the Apache Tomcat webdav servlet. In some configurations it allowed remote authenticated users to read files accessible to the local tomcat process. (CVE-2007-5461) The default security policy in the JULI logging component did not restrict access permissions to files. This could be misused by untrusted web applications to access and write arbitrary files in the context of the tomcat process. (CVE-2007-5342) Users of Tomcat should update to these errata packages, which contain backported patches and are not vulnerable to these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2007-5461 CVE-2007-5342 CVE-2007-5461 Absolute path traversal Apache Tomcat WEBDAV CVE-2007-5342 Apache Tomcat's default security policy is too open cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated kernel packages fix the following security issues: A flaw was found in the virtual filesystem (VFS). A local unprivileged user could truncate directories to which they had write permission; this could render the contents of the directory inaccessible. (CVE-2008-0001, Important) A flaw was found in the implementation of ptrace. A local unprivileged user could trigger this flaw and possibly cause a denial of service (system hang). (CVE-2007-5500, Important) A flaw was found in the way the Red Hat Enterprise Linux 4 kernel handled page faults when a CPU used the NUMA method for accessing memory on Itanium architectures. A local unprivileged user could trigger this flaw and cause a denial of service (system panic). (CVE-2007-4130, Important) A possible NULL pointer dereference was found in the chrp_show_cpuinfo function when using the PowerPC architecture. This may have allowed a local unprivileged user to cause a denial of service (crash). (CVE-2007-6694, Moderate) A flaw was found in the way core dump files were created. If a local user can get a root-owned process to dump a core file into a directory, which the user has write access to, they could gain read access to that core file. This could potentially grant unauthorized access to sensitive information. (CVE-2007-6206, Moderate) Two buffer overflow flaws were found in the Linux kernel ISDN subsystem. A local unprivileged user could use these flaws to cause a denial of service. (CVE-2007-6063, CVE-2007-6151, Moderate) As well, these updated packages fix the following bug: * when moving volumes that contain multiple segments, and a mirror segment is not the first in the mapping table, running the "pvmove /dev/[device] /dev/[device]" command caused a kernel panic. A "kernel: Unable to handle kernel paging request at virtual address [address]" error was logged by syslog. Red Hat Enterprise Linux 4 users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. Important Copyright 2008 Red Hat, Inc. CVE-2007-4130 CVE-2007-5500 CVE-2007-6063 CVE-2007-6151 CVE-2007-6206 CVE-2007-6694 CVE-2008-0001 CVE-2007-4130 panic caused by set_mempolicy with MPOL_BIND CVE-2007-5500 kernel hang via userspace PTRACE+waitid CVE-2007-6063 Linux Kernel isdn_net_setcfg buffer overflow CVE-2007-6694 /proc/cpuinfo DoS on some ppc machines CVE-2007-6206 Issue with core dump owner CVE-2007-6151 I4L: fix isdn_ioctl memory issue pvmove causes kernel panic CVE-2008-0001 kernel: filesystem corruption by unprivileged user via directory truncation cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 Wireshark is a program for monitoring network traffic. Wireshark was previously known as Ethereal. Several flaws were found in Wireshark. Wireshark could crash or possibly execute arbitrary code as the user running Wireshark if it read a malformed packet off the network. (CVE-2007-6112, CVE-2007-6114, CVE-2007-6115, CVE-2007-6117) Several denial of service bugs were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off the network. (CVE-2007-6111, CVE-2007-6113, CVE-2007-6116, CVE-2007-6118, CVE-2007-6119, CVE-2007-6120, CVE-2007-6121, CVE-2007-6438, CVE-2007-6439, CVE-2007-6441, CVE-2007-6450, CVE-2007-6451) As well, Wireshark switched from using net-snmp to libsmi, which is included in this errata. Users of wireshark should upgrade to these updated packages, which contain Wireshark version 0.99.7, and resolve these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2007-6111 CVE-2007-6112 CVE-2007-6113 CVE-2007-6114 CVE-2007-6115 CVE-2007-6116 CVE-2007-6117 CVE-2007-6118 CVE-2007-6119 CVE-2007-6120 CVE-2007-6121 CVE-2007-6438 CVE-2007-6439 CVE-2007-6441 CVE-2007-6450 CVE-2007-6451 CVE-2007-6111 wireshark mp3 and ncp flaws CVE-2007-6112 wireshark ppp flaws CVE-2007-6113 wireshark DNP3 flaws CVE-2007-6114 wireshark SSL and OS/400 trace flaws CVE-2007-6115 wireshark ANSI MAP flaws CVE-2007-6116 wireshark firebird/interbase flaws CVE-2007-6117 wireshark HTTP dissector flaws CVE-2007-6118 wireshark MEGACO dissector flaws CVE-2007-6119 wireshark DCP ETSI dissector flaws CVE-2007-6120 wireshark Bluetooth SDP dissector flaws CVE-2007-6121 wireshark RPC Portmap flaws Please consider adding libsmi to distro Please consider adding libsmi to distro CVE-2007-6438 wireshark SMB dissector crash CVE-2007-6439 wireshark IPv6 and USB dissector crash CVE-2007-6441 wireshark WiMAX dissector possible crash CVE-2007-6450 wireshark RPL dissector crash CVE-2007-6451 wireshark CIP dissector crash cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Wireshark is a program for monitoring network traffic. Wireshark was previously known as Ethereal. Several flaws were found in Wireshark. Wireshark could crash or possibly execute arbitrary code as the user running Wireshark if it read a malformed packet off the network. (CVE-2007-6114, CVE-2007-6115, CVE-2007-6117) Several denial of service bugs were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off the network. (CVE-2007-3389, CVE-2007-3390, CVE-2007-3391, CVE-2007-3392, CVE-2007-3392, CVE-2007-3393, CVE-2007-6113, CVE-2007-6118, CVE-2007-6120, CVE-2007-6121, CVE-2007-6450, CVE-2007-6451) As well, Wireshark switched from using net-snmp to libsmi, which is included in this errata. Users of wireshark should upgrade to these updated packages, which contain Wireshark version 0.99.7, and resolve these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2007-3389 CVE-2007-3390 CVE-2007-3391 CVE-2007-3392 CVE-2007-3393 CVE-2007-6113 CVE-2007-6114 CVE-2007-6115 CVE-2007-6117 CVE-2007-6118 CVE-2007-6120 CVE-2007-6121 CVE-2007-6450 CVE-2007-6451 CVE-2007-3389 Wireshark crashes when inspecting HTTP traffic CVE-2007-3391 Wireshark loops infinitely when inspecting DCP ETSI traffic CVE-2007-3392 Wireshark loops infinitely when inspecting SSL traffic CVE-2007-3393 Wireshark corrupts the stack when inspecting BOOTP traffic CVE-2007-3390 Wireshark crashes when inspecting iSeries traffic CVE-2007-3392 Wireshark crashes when inspecting MMS traffic CVE-2007-6113 wireshark DNP3 flaws CVE-2007-6114 wireshark SSL and OS/400 trace flaws CVE-2007-6115 wireshark ANSI MAP flaws CVE-2007-6117 wireshark HTTP dissector flaws CVE-2007-6118 wireshark MEGACO dissector flaws CVE-2007-6120 wireshark Bluetooth SDP dissector flaws CVE-2007-6121 wireshark RPC Portmap flaws Wireshare rebase requires new libsmi package adding to rhel3 CVE-2007-6450 wireshark RPL dissector crash CVE-2007-6451 wireshark CIP dissector crash cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The setroubleshoot packages provide tools to help diagnose SELinux problems. When AVC messages occur, an alert is generated that gives information about the problem, and how to create a resolution. A flaw was found in the way sealert wrote diagnostic messages to a temporary file. A local unprivileged user could perform a symbolic link attack, and cause arbitrary files, writable by other users, to be overwritten when a victim runs sealert. (CVE-2007-5495) A flaw was found in the way sealert displayed records from the setroubleshoot database as unescaped HTML. An local unprivileged attacker could cause AVC denial events with carefully crafted process or file names, injecting arbitrary HTML tags into the logs, which could be used as a scripting attack, or to confuse the user running sealert. (CVE-2007-5496) Additionally, the following bugs have been fixed in these update packages: * in certain situations, the sealert process used excessive CPU. These alerts are now capped at a maximum of 30, D-Bus is used instead of polling, threads causing excessive wake-up have been removed, and more robust exception-handling has been added. * different combinations of the sealert '-a', '-l', '-H', and '-v' options did not work as documented. * the SETroubleShoot browser did not allow multiple entries to be deleted. * the SETroubleShoot browser did not display statements that displayed whether SELinux was using Enforcing or Permissive mode, particularly when warning about SELinux preventions. * in certain cases, the SETroubleShoot browser gave incorrect instructions regarding paths, and would not display the full paths to files. * adding an email recipient to the recipients option from the /etc/setroubleshoot/setroubleshoot.cfg file and then generating an SELinux denial caused a traceback error. The recipients option has been removed; email addresses are now managed through the SETroubleShoot browser by navigating to File -> Edit Email Alert List, or by editing the /var/lib/setroubleshoot/email_alert_recipients file. * the setroubleshoot browser incorrectly displayed a period between the httpd_sys_content_t context and the directory path. * on the PowerPC architecture, The get_credentials() function in access_control.py would generate an exception when it called the socket.getsockopt() function. * The code which handles path information has been completely rewritten so that assumptions on path information which were misleading are no longer made. If the path information is not present, it will be presented as "<Unknown>". * setroubleshoot had problems with non-English locales under certain circumstances, possibly causing a python traceback, an sealert window pop-up containing an error, a "RuntimeError: maximum recursion depth exceeded" error after a traceback, or a "UnicodeEncodeError" after a traceback. * sealert ran even when SELinux was disabled, causing "attempt to open server connection failed" errors. Sealert now checks whether SELinux is enabled or disabled. * the database setroubleshoot maintains was world-readable. The setroubleshoot database is now mode 600, and is owned by the root user and group. * setroubleshoot did not validate requests to set AVC filtering options for users. In these updated packages, checks ensure that requests originate from the filter owner. * the previous setroubleshoot packages required a number of GNOME packages and libraries. setroubleshoot has therefore been split into 2 packages: setroubleshoot and setroubleshoot-server. * a bug in decoding the audit field caused an "Input is not proper UTF-8, indicate encoding!" error message. The decoding code has been rewritten. * a file name mismatch in the setroubleshoot init script would cause a failure to shut down. Users of setroubleshoot are advised to upgrade to these updated packages, which resolve these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2007-5495 CVE-2007-5496 setroubleshoot browser doesn't allow multiple entry deletion setroubleshoot gives bad suggestions Adding recipents entry to config file crashes setroubleshoot typo in sealert / setroubleshoot suggestion missing filename in setroubleshoot (AVC.get_path() returns incomplete path) Runtime Error: maximum recursion depth exceeded CVE-2007-5495 setroubleshoot insecure logging CVE-2007-5496 setroubleshoot log injection setroubleshoot failure when httpd is trying to access rpm_log_t setroubleshoot requires gnome to run setroubleshoot - audit_listener_database.xml:3029: parser error in xmlParseDoc() socket.getsockopt() on ppc generates exception cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The libXfont package contains the X.Org X11 libXfont runtime library. A heap based buffer overflow flaw was found in the way the X.Org server handled malformed font files. A malicious local user could exploit this issue to potentially execute arbitrary code with the privileges of the X.Org server. (CVE-2008-0006) Users of X.Org libXfont should upgrade to these updated packages, which contain a backported patch to resolve this issue. Important Copyright 2008 Red Hat, Inc. CVE-2008-0006 CVE-2008-0006 Xorg / XFree86 PCF font parser buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The kernel packages contain the Linux kernel, the core of any Linux operating system. These new kernel packages fix the following security issues: A flaw was found in the virtual filesystem (VFS). An unprivileged local user could truncate directories to which they had write permission; this could render the contents of the directory inaccessible. (CVE-2008-0001, Important) A flaw was found in the Xen PAL emulation on Intel 64 platforms. A guest Hardware-assisted virtual machine (HVM) could read the arbitrary physical memory of the host system, which could make information available to unauthorized users. (CVE-2007-6416, Important) A flaw was found in the way core dump files were created. If a local user can get a root-owned process to dump a core file into a directory, which the user has write access to, they could gain read access to that core file, potentially containing sensitive information. (CVE-2007-6206, Moderate) A buffer overflow flaw was found in the CIFS virtual file system. A remote,authenticated user could issue a request that could lead to a denial of service. (CVE-2007-5904, Moderate) A flaw was found in the "sysfs_readdir" function. A local user could create a race condition which would cause a denial of service (kernel oops). (CVE-2007-3104, Moderate) As well, these updated packages fix the following bugs: * running the "strace -f" command caused strace to hang, without displaying information about child processes. * unmounting an unresponsive, interruptable NFS mount, for example, one mounted with the "intr" option, may have caused a system crash. * a bug in the s2io.ko driver prevented VLAN devices from being added. Attempting to add a device to a VLAN, for example, running the "vconfig add [device-name] [vlan-id]" command caused vconfig to fail. * tux used an incorrect open flag bit. This caused problems when building packages in a chroot environment, such as mock, which is used by the koji build system. Red Hat Enterprise Linux 5 users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. Important Copyright 2008 Red Hat, Inc. CVE-2007-3104 CVE-2007-5904 CVE-2007-6206 CVE-2007-6416 CVE-2008-0001 CVE-2007-3104 Null pointer to an inode in a dentry can cause an oops in sysfs_readdir [rhel-5.1.z] CVE-2007-5904 Buffer overflow in CIFS VFS CVE-2007-6206 Issue with core dump owner [RHEL5 U1] [ia64] Kernel test failing under limited memory NFS: System crashes trying to force umount a unresponsive, interruptible mount, which holds references to silly renamed files. RHEL5.1 beta: System hung during warm boot-cycling test CVE-2007-6416 [RHEL 5.2] [XEN/IA64] Security: vulnerability of copy_to_user in PAL emulation [REG][5.1] VLAN add operation fail on s2io.ko driver(Neterion 10GbE card driver), CVE-2007-3104 Null pointer to an inode in a dentry can cause an oops in sysfs_readdir CVE-2008-0001 kernel: filesystem corruption by unprivileged user via directory truncation cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The International Components for Unicode (ICU) library provides robust and full-featured Unicode services. Will Drewry reported multiple flaws in the way libicu processed certain malformed regular expressions. If an application linked against ICU, such as OpenOffice.org, processed a carefully crafted regular expression, it may be possible to execute arbitrary code as the user running the application. (CVE-2007-4770, CVE-2007-4771) All users of icu should upgrade to these updated packages, which contain backported patches to resolve these issues. Important Copyright 2008 Red Hat, Inc. CVE-2007-4770 CVE-2007-4771 CVE-2007-4770 libicu poor back reference validation CVE-2007-4771 libicu incomplete interval handling cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 The BEA WebLogic JRockit 1.4.2_16 JRE and SDK contains BEA WebLogic JRockit Virtual Machine 1.4.2_16 and is certified for the Java 2 Platform, Standard Edition, v1.4.2. A buffer overflow in the Java Runtime Environment image handling code was found. If an attacker could induce a server application to process a specially crafted image file, the attacker could potentially cause a denial-of-service or execute arbitrary code as the user running the Java Virtual Machine. (CVE-2007-2788, CVE-2007-2789) A denial of service flaw was found in the way the JSSE component processed SSL/TLS handshake requests. A remote attacker able to connect to a JSSE enabled service could send a specially crafted handshake which would cause the Java Runtime Environment to stop responding to future requests. (CVE-2007-3698) A flaw was found in the way the Java Runtime Environment processed font data. An applet viewed via the "appletviewer" application could elevate its privileges, allowing the applet to perform actions with the same permissions as the user running the "appletviewer" application. The same flaw could, potentially, crash a server application which processed untrusted font information from a third party. (CVE-2007-4381) A flaw in the applet caching mechanism of the Java Runtime Environment (JRE) did not correctly process the creation of network connections. A remote attacker could use this flaw to create connections to services on machines other than the one that the applet was downloaded from. (CVE-2007-5232) Untrusted Java Applets were able to drag and drop files to a desktop application. A user-assisted remote attacker could use this flaw to move or copy arbitrary files. (CVE-2007-5239) The Java Runtime Environment (JRE) allowed untrusted Java Applets or applications to display over-sized windows. This could be used by remote attackers to hide security warning banners. (CVE-2007-5240) Unsigned Java Applets communicating via a HTTP proxy could allow a remote attacker to violate the Java security model. A cached, malicious Applet could create network connections to services on other machines. (CVE-2007-5273) Please note: the vulnerabilities noted above concerned with applets can only be triggered in java-1.4.2-bea by calling the "appletviewer" application. All users of java-1.4.2-bea should upgrade to these updated packages, which contain the BEA WebLogic JRockit 1.4.2_16 release which resolves these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2007-4381 CVE-2007-2788 CVE-2007-2789 CVE-2007-3698 CVE-2007-5232 CVE-2007-5240 CVE-2007-5273 CVE-2007-5239 CVE-2007-3698 Java Secure Socket Extension Does Not Correctly Process SSL/TLS Handshake Requests Resulting in a Denial of Service (DoS) Condition CVE-2007-2788 Integer overflow in the embedded ICC profile image parser in Sun Java Development Kit CVE-2007-2789 BMP image parser vulnerability CVE-2007-4381 java: Vulnerability in the font parsing code CVE-2007-5232 Security Vulnerability in Java Runtime Environment With Applet Caching CVE-2007-5240 Applets or Applications are allowed to display an oversized window CVE-2007-5273 Anti-DNS Pinning and Java Applets with HTTP proxy cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Firefox is an open source Web browser. Several flaws were found in the way Firefox processed certain malformed web content. A webpage containing malicious content could cause Firefox to crash, or potentially execute arbitrary code as the user running Firefox. (CVE-2008-0412, CVE-2008-0413, CVE-2008-0415, CVE-2008-0419) Several flaws were found in the way Firefox displayed malformed web content. A webpage containing specially-crafted content could trick a user into surrendering sensitive information. (CVE-2008-0591, CVE-2008-0593) A flaw was found in the way Firefox stored password data. If a user saves login information for a malicious website, it could be possible to corrupt the password database, preventing the user from properly accessing saved password data. (CVE-2008-0417) A flaw was found in the way Firefox handles certain chrome URLs. If a user has certain extensions installed, it could allow a malicious website to steal sensitive session data. Note: this flaw does not affect a default installation of Firefox. (CVE-2008-0418) A flaw was found in the way Firefox saves certain text files. If a website offers a file of type "plain/text", rather than "text/plain", Firefox will not show future "text/plain" content to the user in the browser, forcing them to save those files locally to view the content. (CVE-2008-0592) Users of firefox are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. Critical Copyright 2008 Red Hat, Inc. CVE-2008-0412 CVE-2008-0413 CVE-2008-0415 CVE-2008-0416 CVE-2008-0417 CVE-2008-0418 CVE-2008-0419 CVE-2008-0420 CVE-2008-0591 CVE-2008-0592 CVE-2008-0593 CVE-2008-0412 Mozilla layout engine crashes CVE-2008-0413 Mozilla javascript engine crashes CVE-2008-0415 Mozilla arbitrary code execution CVE-2008-0417 Mozilla arbitrary code execution CVE-2008-0418 Mozilla chrome: directory traversal CVE-2008-0419 Mozilla arbitrary code execution CVE-2008-0591 Mozilla information disclosure flaw CVE-2008-0592 Mozilla text file mishandling CVE-2008-0593 Mozilla URL token stealing flaw cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 SeaMonkey is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. Several flaws were found in the way SeaMonkey processed certain malformed web content. A webpage containing malicious content could cause SeaMonkey to crash, or potentially execute arbitrary code as the user running SeaMonkey. (CVE-2008-0412, CVE-2008-0413, CVE-2008-0415, CVE-2008-0419) Several flaws were found in the way SeaMonkey displayed malformed web content. A webpage containing specially-crafted content could trick a user into surrendering sensitive information. (CVE-2008-0591, CVE-2008-0593) A flaw was found in the way SeaMonkey stored password data. If a user saves login information for a malicious website, it could be possible to corrupt the password database, preventing the user from properly accessing saved password data. (CVE-2008-0417) A flaw was found in the way SeaMonkey handles certain chrome URLs. If a user has certain extensions installed, it could allow a malicious website to steal sensitive session data. Note: this flaw does not affect a default installation of SeaMonkey. (CVE-2008-0418) A flaw was found in the way SeaMonkey saves certain text files. If a website offers a file of type "plain/text", rather than "text/plain", SeaMonkey will not show future "text/plain" content to the user in the browser, forcing them to save those files locally to view the content. (CVE-2008-0592) Users of SeaMonkey are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. Critical Copyright 2008 Red Hat, Inc. CVE-2008-0304 CVE-2008-0412 CVE-2008-0413 CVE-2008-0415 CVE-2008-0416 CVE-2008-0417 CVE-2008-0418 CVE-2008-0419 CVE-2008-0420 CVE-2008-0591 CVE-2008-0592 CVE-2008-0593 CVE-2008-0412 Mozilla layout engine crashes CVE-2008-0413 Mozilla javascript engine crashes CVE-2008-0415 Mozilla arbitrary code execution CVE-2008-0417 Mozilla arbitrary code execution CVE-2008-0418 Mozilla chrome: directory traversal CVE-2008-0419 Mozilla arbitrary code execution CVE-2008-0591 Mozilla information disclosure flaw CVE-2008-0592 Mozilla text file mishandling CVE-2008-0593 Mozilla URL token stealing flaw cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Thunderbird is a standalone mail and newsgroup client. A heap-based buffer overflow flaw was found in the way Thunderbird processed messages with external-body Multipurpose Internet Message Extensions (MIME) types. A HTML mail message containing malicious content could cause Thunderbird to execute arbitrary code as the user running Thunderbird. (CVE-2008-0304) Several flaws were found in the way Thunderbird processed certain malformed HTML mail content. A HTML mail message containing malicious content could cause Thunderbird to crash, or potentially execute arbitrary code as the user running Thunderbird. (CVE-2008-0412, CVE-2008-0413, CVE-2008-0415, CVE-2008-0419) Several flaws were found in the way Thunderbird displayed malformed HTML mail content. A HTML mail message containing specially-crafted content could trick a user into surrendering sensitive information. (CVE-2008-0420, CVE-2008-0591, CVE-2008-0593) A flaw was found in the way Thunderbird handles certain chrome URLs. If a user has certain extensions installed, it could allow a malicious HTML mail message to steal sensitive session data. Note: this flaw does not affect a default installation of Thunderbird. (CVE-2008-0418) Note: JavaScript support is disabled by default in Thunderbird; the above issues are not exploitable unless JavaScript is enabled. A flaw was found in the way Thunderbird saves certain text files. If a remote site offers a file of type "plain/text", rather than "text/plain", Thunderbird will not show future "text/plain" content to the user, forcing them to save those files locally to view the content. (CVE-2008-0592) Users of thunderbird are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. Critical Copyright 2008 Red Hat, Inc. CVE-2008-0304 CVE-2008-0412 CVE-2008-0413 CVE-2008-0415 CVE-2008-0418 CVE-2008-0419 CVE-2008-0420 CVE-2008-0591 CVE-2008-0592 CVE-2008-0593 CVE-2008-0412 Mozilla layout engine crashes CVE-2008-0413 Mozilla javascript engine crashes CVE-2008-0415 Mozilla arbitrary code execution CVE-2008-0418 Mozilla chrome: directory traversal CVE-2008-0419 Mozilla arbitrary code execution CVE-2008-0591 Mozilla information disclosure flaw CVE-2008-0592 Mozilla text file mishandling CVE-2008-0593 Mozilla URL token stealing flaw CVE-2008-0304 thunderbird/seamonkey: MIME External-Body Heap Overflow Vulnerability cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 OpenLDAP is an open source suite of Lightweight Directory Access Protocol (LDAP) applications and development tools. LDAP is a set of protocols for accessing directory services. These updated openldap packages fix a flaw in the way the OpenLDAP slapd daemon handled modify and modrdn requests with NOOP control on objects stored in a Berkeley DB (BDB) storage backend. An authenticated attacker with permission to perform modify or modrdn operations on such LDAP objects could cause slapd to crash. (CVE-2007-6698, CVE-2008-0658) Users of openldap should upgrade to these updated packages, which contain a backported patch to correct this issue. Moderate Copyright 2008 Red Hat, Inc. CVE-2007-6698 CVE-2008-0658 CVE-2007-6698 openldap: slapd crash on NOOP control operation on entry in bdb storage CVE-2008-0658 openldap: slapd crash on modrdn operation with NOOP control on entry in bdb storage cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 The Java Runtime Environment (JRE) contains the software and tools that users need to run applets and applications written using the Java programming language. These updated java-1.5.0-sun packages resolve the following security issues: Two vulnerabilities in the Java Runtime Environment allowed an untrusted application or applet to elevate the assigned privileges. This could be misused by a malicious website to read and write local files or execute local applications in the context of the user running the Java process. (CVE-2008-0657) Users of java-1.5.0-sun should upgrade to these updated packages, which contain backported patches to correct these issues. Critical Copyright 2008 Red Hat, Inc. CVE-2008-0657 CVE-2008-0657 java-1.5.0 Privilege escalation via unstrusted applet and application cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 5 The kernel packages contain the Linux kernel, the core of any Linux operating system. A flaw was found in vmsplice. An unprivileged local user could use this flaw to gain root privileges. (CVE-2008-0600) Red Hat is aware that a public exploit for this issue is available. This issue did not affect the Linux kernels distributed with Red Hat Enterprise Linux 2.1, 3, or 4. Red Hat Enterprise Linux 5 users are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. Important Copyright 2008 Red Hat, Inc. CVE-2008-0600 CVE-2008-0600 kernel vmsplice_to_pipe flaw cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The netpbm package contains a library of functions for editing and converting between various graphics file formats, including .pbm (portable bitmaps), .pgm (portable graymaps), .pnm (portable anymaps), .ppm (portable pixmaps) and others. The package includes no interactive tools and is primarily used by other programs (eg CGI scripts that manage web-site images). An input validation flaw was discovered in the GIF-to-PNM converter (giftopnm) shipped with the netpbm package. An attacker could create a carefully crafted GIF file which could cause giftopnm to crash or possibly execute arbitrary code as the user running giftopnm. (CVE-2008-0554) All users are advised to upgrade to these updated packages which contain a backported patch which resolves this issue. Moderate Copyright 2008 Red Hat, Inc. CVE-2008-0554 CVE-2008-0554 netpbm: GIF handling buffer overflow in giftopnm cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 IBM's 1.4.2 SR10 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. The Java Secure Socket Extension (JSSE) component did not correctly process SSL/TLS handshake requests. A remote attacker who is able to connect to a JSSE-based service could trigger this flaw leading to a denial-of-service. (CVE-2007-3698) A flaw was found in the way the Java Runtime Environment processes font data. An untrusted applet could elevate its privileges, allowing the applet to perform actions with the same permissions as the logged in user. It may also be possible to crash a server application which processes untrusted font information from a third party. (CVE-2007-4381) The applet caching mechanism of the Java Runtime Environment (JRE) did not correctly process the creation of network connections. A remote attacker could use this flaw to create connections to services on machines other than the one that the applet was downloaded from. (CVE-2007-5232) Multiple vulnerabilities existed in Java Web Start allowing an untrusted application to determine the location of the Java Web Start cache. (CVE-2007-5238) Untrusted Java Web Start Applications or Java Applets were able to drag and drop a file to a Desktop Application. A user-assisted remote attacker could use this flaw to move or copy arbitrary files. (CVE-2007-5239) The Java Runtime Environment allowed untrusted Java Applets or applications to display oversized Windows. This could be used by remote attackers to hide security warning banners. (CVE-2007-5240) Unsigned Java Applets communicating via a HTTP proxy could allow a remote attacker to violate the Java security model. A cached malicious Applet could create network connections to services on other machines. (CVE-2007-5273) Unsigned Applets loaded with Mozilla Firefox or Opera browsers allowed remote attackers to violate the Java security model. A cached malicious Applet could create network connections to services on other machines. (CVE-2007-5274) All users of java-1.4.2-ibm are advised to upgrade to these updated packages, that contain IBM's 1.4.2 SR10 Java release which resolves these issues. Critical Copyright 2008 Red Hat, Inc. CVE-2007-3698 CVE-2007-4381 CVE-2007-5232 CVE-2007-5238 CVE-2007-5239 CVE-2007-5240 CVE-2007-5273 CVE-2007-5274 CVE-2008-1189 CVE-2008-1190 CVE-2008-1192 CVE-2008-1195 CVE-2007-3698 Java Secure Socket Extension Does Not Correctly Process SSL/TLS Handshake Requests Resulting in a Denial of Service (DoS) Condition CVE-2007-4381 java: Vulnerability in the font parsing code CVE-2007-5232 Security Vulnerability in Java Runtime Environment With Applet Caching CVE-2007-5238 Vulnerabilities in Java Web Start allow to determine the location of the Java Web Start cache CVE-2007-5239 Untrusted Application or Applet May Move or Copy Arbitrary Files CVE-2007-5240 Applets or Applications are allowed to display an oversized window CVE-2007-5273 Anti-DNS Pinning and Java Applets with HTTP proxy CVE-2007-5274 Anti-DNS Pinning and Java Applets with Opera and Firefox cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 3 Tcl is a scripting language designed for embedding into other applications and for use with Tk, a widget set. An input validation flaw was discovered in Tk's GIF image handling. A code-size value read from a GIF image was not properly validated before being used, leading to a buffer overflow. A specially crafted GIF file could use this to cause a crash or, potentially, execute code with the privileges of the application using the Tk graphical toolkit. (CVE-2008-0553) A buffer overflow flaw was discovered in Tk's animated GIF image handling. An animated GIF containing an initial image smaller than subsequent images could cause a crash or, potentially, execute code with the privileges of the application using the Tk library. (CVE-2007-5378) A flaw in the Tcl regular expression handling engine was discovered by Will Drewry. This flaw, first discovered in the Tcl regular expression engine used in the PostgreSQL database server, resulted in an infinite loop when processing certain regular expressions. (CVE-2007-4772) All users are advised to upgrade to these updated packages which contain backported patches which resolve these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2008-0553 CVE-2007-5378 CVE-2007-4772 CVE-2007-4772 postgresql DoS via infinite loop in regex NFA optimization code CVE-2007-5378 Tk GIF processing buffer overflow CVE-2008-0553 tk: GIF handling buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Tk is a graphical toolkit for the Tcl scripting language. An input validation flaw was discovered in Tk's GIF image handling. A code-size value read from a GIF image was not properly validated before being used, leading to a buffer overflow. A specially crafted GIF file could use this to cause a crash or, potentially, execute code with the privileges of the application using the Tk graphical toolkit. (CVE-2008-0553) A buffer overflow flaw was discovered in Tk's animated GIF image handling. An animated GIF containing an initial image smaller than subsequent images could cause a crash or, potentially, execute code with the privileges of the application using the Tk library. (CVE-2007-5378) All users are advised to upgrade to these updated packages which contain a backported patches to resolve these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2008-0553 CVE-2007-5378 CVE-2007-5378 Tk GIF processing buffer overflow CVE-2008-0553 tk: GIF handling buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Tk is a graphical toolkit for the Tcl scripting language. An input validation flaw was discovered in Tk's GIF image handling. A code-size value read from a GIF image was not properly validated before being used, leading to a buffer overflow. A specially crafted GIF file could use this to cause a crash or, potentially, execute code with the privileges of the application using the Tk graphical toolkit. (CVE-2008-0553) A buffer overflow flaw was discovered in Tk's animated GIF image handling. An animated GIF containing an initial image smaller than subsequent images could cause a crash or, potentially, execute code with the privileges of the application using the Tk library. (CVE-2007-5137) All users are advised to upgrade to these updated packages which contain a backported patches to resolve these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2008-0553 CVE-2007-5137 CVE-2007-5137 Tk GIF processing buffer overflow CVE-2008-0553 tk: GIF handling buffer overflow cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 The Adobe Reader allows users to view and print documents in portable document format (PDF). Several flaws were found in the way Adobe Reader processed malformed PDF files. An attacker could create a malicious PDF file which could execute arbitrary code if opened by a victim. (CVE-2007-5659, CVE-2007-5663, CVE-2007-5666, CVE-2008-0726) A flaw was found in the way the Adobe Reader browser plug-in honored certain requests. A malicious PDF file could cause the browser to request an unauthorized URL, allowing for a cross-site request forgery attack. (CVE-2007-0044) A flaw was found in Adobe Reader's JavaScript API DOC.print function. A malicious PDF file could silently trigger non-interactive printing of the document, causing multiple copies to be printed without the users consent. (CVE-2008-0667) Additionally, this update fixes multiple unknown flaws in Adobe Reader. When the information regarding these flaws is made public by Adobe, it will be added to this advisory. (CVE-2008-0655) Note: Adobe have yet to release security fixed versions of Adobe 7. All users of Adobe Reader are, therefore, advised to install these updated packages. They contain Adobe Reader version 8.1.2, which is not vulnerable to these issues. Critical Copyright 2008 Red Hat, Inc. CVE-2007-5659 CVE-2007-5663 CVE-2007-5666 CVE-2007-0044 CVE-2008-0655 CVE-2008-0667 CVE-2008-0726 CVE-2007-0044 Acrobat Reader Universal CSRF and session riding CVE-2008-0655 acroread: unspecified vulnerabilities CVE-2008-0667 acroread: silent print vulnerability CVE-2007-5659 acroread Multiple buffer overflows CVE-2007-5663 acroread JavaScript Insecure Method Exposure CVE-2007-5666 acroread JavaScript Insecure Libary Search Path CVE-2008-0726 Acroread memory corruption cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 3 ImageMagick is an image display and manipulation tool for the X Window System that can read and write multiple image formats. Several heap-based buffer overflow flaws were found in ImageMagick. If a victim opened a specially crafted DCM or XWD file, an attacker could potentially execute arbitrary code on the victim's machine. (CVE-2007-1797) Several denial of service flaws were found in ImageMagick's parsing of XCF and DCM files. Attempting to process a specially-crafted input file in these formats could cause ImageMagick to enter an infinite loop. (CVE-2007-4985) Several integer overflow flaws were found in ImageMagick. If a victim opened a specially-crafted DCM, DIB, XBM, XCF or XWD file, an attacker could potentially execute arbitrary code with the privileges of the user running ImageMagick. (CVE-2007-4986) An integer overflow flaw was found in ImageMagick's DIB parsing code. If a victim opened a specially-crafted DIB file, an attacker could potentially execute arbitrary code with the privileges of the user running ImageMagick. (CVE-2007-4988) A heap-based buffer overflow flaw was found in the way ImageMagick parsed XCF files. If a specially-crafted XCF image was opened, ImageMagick could be made to overwrite heap memory beyond the bounds of its allocated memory. This could, potentially, allow an attacker to execute arbitrary code on the machine running ImageMagick. (CVE-2008-1096) A heap-based buffer overflow flaw was found in ImageMagick's processing of certain malformed PCX images. If a victim opened a specially-crafted PCX file, an attacker could possibly execute arbitrary code on the victim's machine. (CVE-2008-1097) All users of ImageMagick should upgrade to these updated packages, which contain backported patches to correct these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2007-1797 CVE-2007-4985 CVE-2007-4986 CVE-2007-4988 CVE-2008-1096 CVE-2008-1097 CVE-2007-1797 Heap overflow in ImageMagick's DCM and XWD coders CVE-2008-1097 Memory corruption in ImageMagick's PCX coder CVE-2008-1096 Out of bound write in ImageMagick's XCF coder CVE-2007-4988 Integer overflow in ImageMagick's DIB coder CVE-2007-4985 Infinite loops in ImageMagick's XCF and DCM coders CVE-2007-4986 Multiple integer overflows in ImageMagick cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The gd package contains a graphics library used for the dynamic creation of images such as PNG and JPEG. Multiple issues were discovered in the gd GIF image-handling code. A carefully-crafted GIF file could cause a crash or possibly execute code with the privileges of the application using the gd library. (CVE-2006-4484, CVE-2007-3475, CVE-2007-3476) An integer overflow was discovered in the gdImageCreateTrueColor() function, leading to incorrect memory allocations. A carefully crafted image could cause a crash or possibly execute code with the privileges of the application using the gd library. (CVE-2007-3472) A buffer over-read flaw was discovered. This could cause a crash in an application using the gd library to render certain strings using a JIS-encoded font. (CVE-2007-0455) A flaw was discovered in the gd PNG image handling code. A truncated PNG image could cause an infinite loop in an application using the gd library. (CVE-2007-2756) A flaw was discovered in the gd X BitMap (XBM) image-handling code. A malformed or truncated XBM image could cause a crash in an application using the gd library. (CVE-2007-3473) Users of gd should upgrade to these updated packages, which contain backported patches which resolve these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2006-4484 CVE-2007-0455 CVE-2007-2756 CVE-2007-3472 CVE-2007-3473 CVE-2007-3475 CVE-2007-3476 CVE-2007-0455 gd buffer overrun CVE-2007-2756 gd / php-gd ImageCreateFromPng infinite loop caused by truncated PNG CVE-2007-3472 libgd Integer overflow in TrueColor code CVE-2007-3473 libgd NULL pointer dereference when reading a corrupt X bitmap CVE-2007-3475 libgd Denial of service by GIF images without a global color map CVE-2007-3476 libgd Denial of service by corrupted GIF images CVE-2006-4484 gd: GIF handling buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX(R) operating systems. A flaw was found in the way CUPS handled the addition and removal of remote shared printers via IPP. A remote attacker could send malicious UDP IPP packets causing the CUPS daemon to attempt to dereference already freed memory and crash. (CVE-2008-0597) A memory management flaw was found in the way CUPS handled the addition and removal of remote shared printers via IPP. When shared printer was removed, allocated memory was not properly freed, leading to a memory leak possibly causing CUPS daemon crash after exhausting available memory. (CVE-2008-0596) These issues were found during the investigation of CVE-2008-0882, which did not affect Red Hat Enterprise Linux 3. Note that the default configuration of CUPS on Red Hat Enterprise Linux 3 allow requests of this type only from the local subnet. In addition, these updated cups packages fix a bug that occurred when using the CUPS polling daemon. Excessive debugging log information was saved to the error_log file regardless of the LogLevel setting, which filled up disk space rapidly. All CUPS users are advised to upgrade to these updated packages, which contain backported patches to resolve this issue. Important Copyright 2008 Red Hat, Inc. CVE-2008-0596 CVE-2008-0597 Cups fills up logfiles if queue is turned on CVE-2008-0596 cups: memory leak handling IPP browse requests CVE-2008-0597 cups: dereference of free'd memory handling IPP browse requests cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated packages fix the following security issues: * a flaw in the hypervisor for hosts running on Itanium architectures allowed an Intel VTi domain to read arbitrary physical memory from other Intel VTi domains, which could make information available to unauthorized users. (CVE-2007-6207, Important) * two buffer overflow flaws were found in ISDN subsystem. A local unprivileged user could use these flaws to cause a denial of service. (CVE-2007-5938: Important, CVE-2007-6063: Moderate) * a possible NULL pointer dereference was found in the subsystem used for showing CPU information, as used by CHRP systems on PowerPC architectures. This may have allowed a local unprivileged user to cause a denial of service (crash). (CVE-2007-6694, Moderate) * a flaw was found in the handling of zombie processes. A local user could create processes that would not be properly reaped, possibly causing a denial of service. (CVE-2006-6921, Moderate) As well, these updated packages fix the following bugs: * a bug was found in the Linux kernel audit subsystem. When the audit daemon was setup to log the execve system call with a large number of arguments, the kernel could run out of memory, causing a kernel panic. * on IBM System z architectures, using the IBM Hardware Management Console to toggle IBM FICON channel path ids (CHPID) caused a file ID miscompare, possibly causing data corruption. * when running the IA-32 Execution Layer (IA-32EL) or a Java VM on Itanium architectures, a bug in the address translation in the hypervisor caused the wrong address to be registered, causing Dom0 to hang. * on Itanium architectures, frequent Corrected Platform Error errors may have caused the hypervisor to hang. * when enabling a CPU without hot plug support, routines for checking the presence of the CPU were missing. The CPU tried to access its own resources, causing a kernel panic. * after updating to kernel-2.6.18-53.el5, a bug in the CCISS driver caused the HP Array Configuration Utility CLI to become unstable, possibly causing a system hang, or a kernel panic. * a bug in NFS directory caching could have caused different hosts to have different views of NFS directories. * on Itanium architectures, the Corrected Machine Check Interrupt masked hot-added CPUs as disabled. * when running Oracle database software on the Intel 64 and AMD64 architectures, if an SGA larger than 4GB was created, and had hugepages allocated to it, the hugepages were not freed after database shutdown. * in a clustered environment, when two or more NFS clients had the same logical volume mounted, and one of them modified a file on the volume, NULL characters may have been inserted, possibly causing data corruption. These updated packages resolve several severe issues in the lpfc driver: * a system hang after LUN discovery. * a general fault protection, a NULL pointer dereference, or slab corruption could occur while running a debug on the kernel. * the inability to handle kernel paging requests in "lpfc_get_scsi_buf". * erroneous structure references caused certain FC discovery routines to reference and change "lpfc_nodelist" structures, even after they were freed. * the lpfc driver failed to interpret certain fields correctly, causing tape backup software to fail. Tape drives reported "Illegal Request". * the lpfc driver did not clear structures correctly, resulting in SCSI I/Os being rejected by targets, and causing errors. Red Hat Enterprise Linux 5 users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. Important Copyright 2008 Red Hat, Inc. CVE-2006-6921 CVE-2007-5938 CVE-2007-6063 CVE-2007-6207 CVE-2007-6694 CVE-2006-6921 kernel: denial of service with wedged processes audit: Logging execve arguments, out of memory in audit_expand (kernel panic) CVE-2007-5938 NULL dereference in iwl driver CVE-2007-6063 Linux Kernel isdn_net_setcfg buffer overflow CVE-2007-6694 /proc/cpuinfo DoS on some ppc machines LTC39906-[BBDQ] FICON DS8000: File ID Miscompare after CHPID off via HMC CVE-2007-6207 [5.2][XEN] Security: some HVM domain can access another domain memory. [Xen][5.1.z] Running IA32EL or java-vm causes dom0 hung Severe issues in 5.1 lpfc driver: Request update to 8.1.10.12 [Xen ia64] hypervisor sometimes hangs on Corrected Platform Errors [5.1] Panic if user enable a cpu which is not prepared for hotplug. scsi: cciss - incompatability between hpacucli and RHEL 5.1 Kernel NFS: Fix directory caching problem - with test case and patch. CMCI is left disabled on hot-added processors RHEL 5.1 regression in hugepages due to pagetable sharing patch Null bytes in files access by 2 or more NFS clients cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Ghostscript is a program for displaying PostScript files, or printing them to non-PostScript printers. Chris Evans from the Google Security Team reported a stack-based buffer overflow flaw in Ghostscript's zseticcspace() function. An attacker could create a malicious PostScript file that would cause Ghostscript to execute arbitrary code when opened. (CVE-2008-0411) These updated packages also fix a bug, which prevented the pxlmono printer driver from producing valid output on Red Hat Enterprise Linux 4. All users of ghostscript are advised to upgrade to these updated packages, which contain a backported patch to resolve these issues. Important Copyright 2008 Red Hat, Inc. CVE-2008-0411 CVE-2008-0411 ghostscript: stack-based buffer overflow in .seticcspace operator cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 The BEA WebLogic JRockit 1.5.0_14 JRE and SDK contain BEA WebLogic JRockit Virtual Machine 1.5.0_14 and are certified for the Java 5 Platform, Standard Edition, v1.5.0. A flaw in the applet caching mechanism of the Java Runtime Environment (JRE) did not correctly process the creation of network connections. A remote attacker could use this flaw to create connections to services on machines other than the one that the applet was downloaded from. (CVE-2007-5232) Untrusted Java Applets were able to drag and drop a file to a Desktop Application. A user-assisted remote attacker could use this flaw to move or copy arbitrary files. (CVE-2007-5239) The Java Runtime Environment (JRE) allowed untrusted Java Applets or applications to display oversized windows. This could be used by remote attackers to hide security warning banners. (CVE-2007-5240) Unsigned Java Applets communicating via a HTTP proxy could allow a remote attacker to violate the Java security model. A cached, malicious Applet could create network connections to services on other machines. (CVE-2007-5273) Two vulnerabilities in the Java Runtime Environment allowed an untrusted application or applet to elevate the assigned privileges. This could be misused by a malicious website to read and write local files or execute local applications in the context of the user running the Java process. (CVE-2008-0657) Those vulnerabilities concerned with applets can only be triggered in java-1.5.0-bea by calling the 'appletviewer' application. All users of java-1.5.0-bea should upgrade to these updated packages, which contain the BEA WebLogic JRockit 1.5.0_14 release that resolves these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2007-5232 CVE-2007-5239 CVE-2007-5240 CVE-2007-5273 CVE-2008-0657 CVE-2007-5232 Security Vulnerability in Java Runtime Environment With Applet Caching CVE-2007-5239 Untrusted Application or Applet May Move or Copy Arbitrary Files CVE-2007-5240 Applets or Applications are allowed to display an oversized window CVE-2007-5273 Anti-DNS Pinning and Java Applets with HTTP proxy CVE-2008-0657 java-1.5.0 Privilege escalation via unstrusted applet and application cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 5 The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX(R) operating systems. The Internet Printing Protocol (IPP) is a standard network protocol for remote printing, as well as managing print jobs. A flaw was found in the way CUPS handles the addition and removal of remote shared printers via IPP. A remote attacker could send malicious UDP IPP packets causing the CUPS daemon to crash. (CVE-2008-0882) Note: the default configuration of CUPS on Red Hat Enterprise Linux 5 will only accept requests of this type from the local subnet. This issue did not affect the versions of CUPS as shipped with Red Hat Enterprise Linux 3 or 4. All cups users are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. Important Copyright 2008 Red Hat, Inc. CVE-2008-0882 CVE-2008-0882 cups: double free vulnerability in process_browse_data() cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 D-Bus is a system for sending messages between applications. It is used both for the system-wide message bus service, and as a per-user-login-session messaging facility. Havoc Pennington discovered a flaw in the way the dbus-daemon applies its security policy. A user with the ability to connect to the dbus-daemon may be able to execute certain method calls they should normally not have permission to access. (CVE-2008-0595) Red Hat does not ship any applications in Red Hat Enterprise Linux 5 that would allow a user to leverage this flaw to elevate their privileges. This flaw does not affect the version of D-Bus shipped in Red Hat Enterprise Linux 4. All users are advised to upgrade to these updated dbus packages, which contain a backported patch and are not vulnerable to this issue. Moderate Copyright 2008 Red Hat, Inc. CVE-2008-0595 CVE-2008-0595 dbus security policy circumvention cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX(R) operating systems. A flaw was found in the way CUPS handled the addition and removal of remote shared printers via IPP. A remote attacker could send malicious UDP IPP packets causing the CUPS daemon to attempt to dereference already freed memory and crash. (CVE-2008-0597) A memory management flaw was found in the way CUPS handled the addition and removal of remote shared printers via IPP. When shared printer was removed, allocated memory was not properly freed, leading to a memory leak possibly causing CUPS daemon crash after exhausting available memory. (CVE-2008-0596) These issues were found during the investigation of CVE-2008-0882, which did not affect Red Hat Enterprise Linux 4. Note that the default configuration of CUPS on Red Hat Enterprise Linux 4 allow requests of this type only from the local subnet. All CUPS users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. Important Copyright 2008 Red Hat, Inc. CVE-2008-0596 CVE-2008-0597 CVE-2008-0596 cups: memory leak handling IPP browse requests CVE-2008-0597 cups: dereference of free'd memory handling IPP browse requests cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Kerberos is a network authentication system which allows clients and servers to authenticate to each other through use of symmetric encryption and a trusted third party, the KDC. A flaw was found in the way the MIT Kerberos Authentication Service and Key Distribution Center server (krb5kdc) handled Kerberos v4 protocol packets. An unauthenticated remote attacker could use this flaw to crash the krb5kdc daemon, disclose portions of its memory, or possibly execute arbitrary code using malformed or truncated Kerberos v4 protocol requests. (CVE-2008-0062, CVE-2008-0063) This issue only affected krb5kdc with Kerberos v4 protocol compatibility enabled, which is the default setting on Red Hat Enterprise Linux 4. Kerberos v4 protocol support can be disabled by adding "v4_mode=none" (without the quotes) to the "[kdcdefaults]" section of /var/kerberos/krb5kdc/kdc.conf. Jeff Altman of Secure Endpoints discovered a flaw in the RPC library as used by MIT Kerberos kadmind server. An unauthenticated remote attacker could use this flaw to crash kadmind or possibly execute arbitrary code. This issue only affected systems with certain resource limits configured and did not affect systems using default resource limits used by Red Hat Enterprise Linux 5. (CVE-2008-0947) Red Hat would like to thank MIT for reporting these issues. Multiple memory management flaws were discovered in the GSSAPI library used by MIT Kerberos. These flaws could possibly result in use of already freed memory or an attempt to free already freed memory blocks (double-free flaw), possibly causing a crash or arbitrary code execution. (CVE-2007-5901, CVE-2007-5971) In addition to the security issues resolved above, the following bugs were also fixed: * delegated krb5 credentials were not properly stored when SPNEGO was the underlying mechanism during GSSAPI authentication. Consequently, applications attempting to copy delegated Kerberos 5 credentials into a credential cache received an "Invalid credential was supplied" message rather than a copy of the delegated credentials. With this update, SPNEGO credentials can be properly searched, allowing applications to copy delegated credentials as expected. * applications can initiate context acceptance (via gss_accept_sec_context) without passing a ret_flags value that would indicate that credentials were delegated. A delegated credential handle should have been returned in such instances. This updated package adds a temp_ret_flag that stores the credential status in the event no other ret_flags value is passed by an application calling gss_accept_sec_context. * kpasswd did not fallback to TCP on receipt of certain errors, or when a packet was too big for UDP. This update corrects this. * when the libkrb5 password-routine generated a set-password or change-password request, incorrect sequence numbers were generated for all requests subsequent to the first request. This caused password change requests to fail if the primary server was unavailable. This updated package corrects this by saving the sequence number value after the AP-REQ data is built and restoring this value before the request is generated. * when a user's password expired, kinit would not prompt that user to change the password, instead simply informing the user their password had expired. This update corrects this behavior: kinit now prompts for a new password to be set when a password has expired. All krb5 users are advised to upgrade to these updated packages, which contain backported fixes to address these vulnerabilities and fix these bugs. Critical Copyright 2008 Red Hat, Inc. CVE-2007-5901 CVE-2007-5971 CVE-2008-0062 CVE-2008-0063 CVE-2008-0947 CVE-2007-5901 krb5: use-after-free in gssapi lib CVE-2007-5971 krb5: double free in gssapi lib CVE-2008-0062 krb5: uninitialized pointer use in krb5kdc CVE-2008-0063 krb5: possible leak of sensitive data from krb5kdc using krb4 request CVE-2008-0947 krb5: file descriptor array overflow in RPC library gss_krb5_copy_ccache can't find delegated Kerberos creds when using SPNEGO gss_init_sec_context() mechglue wrapper doesn't handle ret_flags right kpasswd does not fallback to tcp krb5 password changing uses incorrect sequence numbers for every server but the first kinit does not automatically start a password change when password is expired cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The kernel packages contain the Linux kernel, the core of any Linux operating system. A buffer overflow flaw was found in the CIFS virtual file system. A remote authenticated user could issue a request that could lead to a denial of service. (CVE-2007-5904, Moderate) As well, these updated packages fix the following bugs: * a bug was found in the Linux kernel audit subsystem. When the audit daemon was setup to log the execve system call with a large number of arguments, the kernel could run out out memory while attempting to create audit log messages. This could cause a kernel panic. In these updated packages, large audit messages are split into acceptable sizes, which resolves this issue. * on certain Intel chipsets, it was not possible to load the acpiphp module using the "modprobe acpiphp" command. Because the acpiphp module did not recurse across PCI bridges, hardware detection for PCI hot plug slots failed. In these updated packages, hardware detection works correctly. * on IBM System z architectures that run the IBM z/VM hypervisor, the IBM eServer zSeries HiperSockets network interface (layer 3) allowed ARP packets to be sent and received, even when the "NOARP" flag was set. These ARP packets caused problems for virtual machines. * it was possible for the iounmap function to sleep while holding a lock. This may have caused a deadlock for drivers and other code that uses the iounmap function. In these updated packages, the lock is dropped before the sleep code is called, which resolves this issue. Red Hat Enterprise Linux 4 users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2007-5904 CVE-2007-5904 Buffer overflow in CIFS VFS audit: Logging execve arguments, out of memory in audit_expand ACPIPHP.ko will not load : RHEL4.x and RHEL5.0 on X8450 (Intel 4 socket Quad Core) but will load on RHEL5.1 LTC39262-qeth: HiperSockets layer-3 interface to drop non-IP packets [Stratus 4.6.z bug] iounmap may sleep while holding vmlist_lock, causing a deadlock. cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 OpenOffice.org is an office productivity suite that includes desktop applications such as a word processor, spreadsheet, presentation manager, formula editor, and drawing program. Multiple heap overflows and an integer underflow were found in the Quattro Pro(R) import filter. An attacker could create a carefully crafted Quattro Pro file that could cause OpenOffice.org to crash or possibly execute arbitrary code if the file was opened by a victim. (CVE-2007-5745, CVE-2007-5747) A heap overflow flaw was found in the EMF parser. An attacker could create a carefully crafted EMF file that could cause OpenOffice.org to crash or possibly execute arbitrary code if the malicious EMF image was added to a document or if a document containing the malicious EMF file was opened by a victim. (CVE-2007-5746) A heap overflow flaw was found in the OLE Structured Storage file parser. (OLE Structured Storage is a format used by Microsoft Office documents.) An attacker could create a carefully crafted OLE file that could cause OpenOffice.org to crash or possibly execute arbitrary code if the file was opened by a victim. (CVE-2008-0320) All users of OpenOffice.org are advised to upgrade to these updated packages, which contain backported fixes to correct these issues. Important Copyright 2008 Red Hat, Inc. CVE-2007-5746 CVE-2008-0320 CVE-2007-5745 CVE-2007-5747 CVE-2007-5746 openoffice.org: EMF files parsing EMR_BITBLT record heap overflows CVE-2008-0320 openoffice.org: OLE files parsing heap overflows CVE-2007-5745 openoffice.org: Quattro Pro files handling heap overflows in Attribute and Font records CVE-2007-5747 openoffice.org: Quattro Pro files parsing integer underflow cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 OpenOffice.org is an office productivity suite that includes desktop applications such as a word processor, spreadsheet, presentation manager, formula editor, and drawing program. A heap overflow flaw was found in the EMF parser. An attacker could create a carefully crafted EMF file that could cause OpenOffice.org to crash or possibly execute arbitrary code if the malicious EMF image was added to a document or if a document containing the malicious EMF file was opened by a victim. (CVE-2007-5746) A heap overflow flaw was found in the OLE Structured Storage file parser. (OLE Structured Storage is a format used by Microsoft Office documents.) An attacker could create a carefully crafted OLE file that could cause OpenOffice.org to crash or possibly execute arbitrary code if the file was opened by a victim. (CVE-2008-0320) All users of OpenOffice.org are advised to upgrade to these updated packages, which contain backported fixes to correct these issues. Important Copyright 2008 Red Hat, Inc. CVE-2007-5746 CVE-2008-0320 CVE-2007-5746 openoffice.org: EMF files parsing EMR_BITBLT record heap overflows CVE-2008-0320 openoffice.org: OLE files parsing heap overflows cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Evolution is the GNOME collection of personal information management (PIM) tools. A format string flaw was found in the way Evolution displayed encrypted mail content. If a user opened a carefully crafted mail message, arbitrary code could be executed as the user running Evolution. (CVE-2008-0072) All users of Evolution should upgrade to these updated packages, which contain a backported patch which resolves this issue. Red Hat would like to thank Ulf Härnhammar of Secunia Research for finding and reporting this issue. Critical Copyright 2008 Red Hat, Inc. CVE-2008-0072 CVE-2008-0072 Evolution format string flaw cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Kerberos is a network authentication system which allows clients and servers to authenticate to each other through use of symmetric encryption and a trusted third party, the KDC. A flaw was found in the way the MIT Kerberos Authentication Service and Key Distribution Center server (krb5kdc) handled Kerberos v4 protocol packets. An unauthenticated remote attacker could use this flaw to crash the krb5kdc daemon, disclose portions of its memory, or possibly execute arbitrary code using malformed or truncated Kerberos v4 protocol requests. (CVE-2008-0062, CVE-2008-0063) This issue only affected krb5kdc with Kerberos v4 protocol compatibility enabled, which is the default setting on Red Hat Enterprise Linux 4. Kerberos v4 protocol support can be disabled by adding "v4_mode=none" (without the quotes) to the "[kdcdefaults]" section of /var/kerberos/krb5kdc/kdc.conf. Red Hat would like to thank MIT for reporting these issues. A double-free flaw was discovered in the GSSAPI library used by MIT Kerberos. This flaw could possibly cause a crash of the application using the GSSAPI library. (CVE-2007-5971) All krb5 users are advised to update to these erratum packages which contain backported fixes to correct these issues. Critical Copyright 2008 Red Hat, Inc. CVE-2007-5971 CVE-2008-0062 CVE-2008-0063 CVE-2007-5971 krb5: double free in gssapi lib CVE-2008-0062 krb5: uninitialized pointer use in krb5kdc CVE-2008-0063 krb5: possible leak of sensitive data from krb5kdc using krb4 request cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Kerberos is a network authentication system which allows clients and servers to authenticate to each other through use of symmetric encryption and a trusted third party, the KDC. A flaw was found in the way the MIT Kerberos Authentication Service and Key Distribution Center server (krb5kdc) handled Kerberos v4 protocol packets. An unauthenticated remote attacker could use this flaw to crash the krb5kdc daemon, disclose portions of its memory, or possibly execute arbitrary code using malformed or truncated Kerberos v4 protocol requests. (CVE-2008-0062, CVE-2008-0063) This issue only affected krb5kdc with Kerberos v4 protocol compatibility enabled, which is the default setting on Red Hat Enterprise Linux 4. Kerberos v4 protocol support can be disabled by adding "v4_mode=none" (without the quotes) to the "[kdcdefaults]" section of /var/kerberos/krb5kdc/kdc.conf. A flaw was found in the RPC library used by the MIT Kerberos kadmind server. An unauthenticated remote attacker could use this flaw to crash kadmind. This issue only affected systems with certain resource limits configured and did not affect systems using default resource limits used by Red Hat Enterprise Linux 2.1 or 3. (CVE-2008-0948) Red Hat would like to thank MIT for reporting these issues. All krb5 users are advised to update to these erratum packages which contain backported fixes to correct these issues. Critical Copyright 2008 Red Hat, Inc. CVE-2008-0062 CVE-2008-0063 CVE-2008-0948 CVE-2008-0062 krb5: uninitialized pointer use in krb5kdc CVE-2008-0063 krb5: possible leak of sensitive data from krb5kdc using krb4 request CVE-2008-0948 krb5: incorrect handling of high-numbered file descriptors in RPC library cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 The Java Runtime Environment (JRE) contains the software and tools that users need to run applets and applications written using the Java programming language. Flaws in the JRE allowed an untrusted application or applet to elevate its privileges. This could be exploited by a remote attacker to access local files or execute local applications accessible to the user running the JRE (CVE-2008-1185, CVE-2008-1186) A flaw was found in the Java XSLT processing classes. An untrusted application or applet could cause a denial of service, or execute arbitrary code with the permissions of the user running the JRE. (CVE-2008-1187) Several buffer overflow flaws were found in Java Web Start (JWS). An untrusted JNLP application could access local files or execute local applications accessible to the user running the JRE. (CVE-2008-1188, CVE-2008-1189, CVE-2008-1190, CVE-2008-1191, CVE-2008-1196) A flaw was found in the Java Plug-in. A remote attacker could bypass the same origin policy, executing arbitrary code with the permissions of the user running the JRE. (CVE-2008-1192) A flaw was found in the JRE image parsing libraries. An untrusted application or applet could cause a denial of service, or possible execute arbitrary code with the permissions of the user running the JRE. (CVE-2008-1193) A flaw was found in the JRE color management library. An untrusted application or applet could trigger a denial of service (JVM crash). (CVE-2008-1194) The JRE allowed untrusted JavaScript code to create local network connections by the use of Java APIs. A remote attacker could use these flaws to acesss local network services. (CVE-2008-1195) This update also fixes an issue where the Java Plug-in is not available for browser use after successful installation. Users of java-1.5.0-sun should upgrade to these updated packages, which correct these issues. Critical Copyright 2008 Red Hat, Inc. CVE-2008-1185 CVE-2008-1186 CVE-2008-1187 CVE-2008-1188 CVE-2008-1189 CVE-2008-1190 CVE-2008-1192 CVE-2008-1193 CVE-2008-1194 CVE-2008-1195 CVE-2008-1196 CVE-2008-1185 Untrusted applet and application privilege escalation (CVE-2008-1186) CVE-2008-1187 Untrusted applet and application XSLT processing privilege escalation CVE-2008-1188 Buffer overflow security vulnerabilities in Java Web Start (CVE-2008-1189, CVE-2008-1190) CVE-2008-1192 Java Plugin same-origin-policy bypass CVE-2008-1193 JRE image parsing library allows privilege escalation (CVE-2008-1194) CVE-2008-1195 Java-API calls in untrusted Javascript allow network privilege escalation CVE-2008-1196 Buffer overflow security vulnerabilities in Java Web Start cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 5 The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX(R) operating systems. A heap buffer overflow flaw was found in a CUPS administration interface CGI script. A local attacker able to connect to the IPP port (TCP port 631) could send a malicious request causing the script to crash or, potentially, execute arbitrary code as the "lp" user. Please note: the default CUPS configuration in Red Hat Enterprise Linux 5 does not allow remote connections to the IPP TCP port. (CVE-2008-0047) Red Hat would like to thank "regenrecht" for reporting this issue. This issue did not affect the versions of CUPS as shipped with Red Hat Enterprise Linux 3 or 4. Two overflows were discovered in the HP-GL/2-to-PostScript filter. An attacker could create a malicious HP-GL/2 file that could possibly execute arbitrary code as the "lp" user if the file is printed. (CVE-2008-0053) A buffer overflow flaw was discovered in the GIF decoding routines used by CUPS image converting filters "imagetops" and "imagetoraster". An attacker could create a malicious GIF file that could possibly execute arbitrary code as the "lp" user if the file was printed. (CVE-2008-1373) All cups users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2008-0047 CVE-2008-0053 CVE-2008-1373 CVE-2008-0047 cups: heap based buffer overflow in cgiCompileSearch() CVE-2008-0053 cups: buffer overflows in HP-GL/2 filter CVE-2008-1373 cups: overflow in gif image filter cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The xen packages contain tools for managing the virtual machine monitor in Red Hat Virtualization. These updated packages fix the following security issues: Daniel P. Berrange discovered that the hypervisor's para-virtualized framebuffer (PVFB) backend failed to validate the format of messages serving to update the contents of the framebuffer. This could allow a malicious user to cause a denial of service, or compromise the privileged domain (Dom0). (CVE-2008-1944) Markus Armbruster discovered that the hypervisor's para-virtualized framebuffer (PVFB) backend failed to validate the frontend's framebuffer description. This could allow a malicious user to cause a denial of service, or to use a specially crafted frontend to compromise the privileged domain (Dom0). (CVE-2008-1943) Chris Wright discovered a security vulnerability in the QEMU block format auto-detection, when running fully-virtualized guests. Such fully-virtualized guests, with a raw formatted disk image, were able to write a header to that disk image describing another format. This could allow such guests to read arbitrary files in their hypervisor's host. (CVE-2008-2004) Ian Jackson discovered a security vulnerability in the QEMU block device drivers backend. A guest operating system could issue a block device request and read or write arbitrary memory locations, which could lead to privilege escalation. (CVE-2008-0928) Tavis Ormandy found that QEMU did not perform adequate sanity-checking of data received via the "net socket listen" option. A malicious local administrator of a guest domain could trigger this flaw to potentially execute arbitrary code outside of the domain. (CVE-2007-5730) Steve Kemp discovered that the xenbaked daemon and the XenMon utility communicated via an insecure temporary file. A malicious local administrator of a guest domain could perform a symbolic link attack, causing arbitrary files to be truncated. (CVE-2007-3919) As well, in the previous xen packages, it was possible for Dom0 to fail to flush data from a fully-virtualized guest to disk, even if the guest explicitly requested the flush. This could cause data integrity problems on the guest. In these updated packages, Dom0 always respects the request to flush to disk. Users of xen are advised to upgrade to these updated packages, which resolve these issues. Important Copyright 2008 Red Hat, Inc. CVE-2007-3919 CVE-2007-5730 CVE-2008-0928 CVE-2008-1943 CVE-2008-1944 CVE-2008-2004 CVE-2007-3919 xen xenmon.py / xenbaked insecure temporary file accesss CVE-2007-5730 QEMU Buffer overflow via crafted "net socket listen" option CVE-2008-0928 Qemu insufficient block device address range checking [RHEL5.2]: LTC41676-Xen full virt has data integrity issue CVE-2008-1943 PVFB backend fails to validate frontend's framebuffer description CVE-2008-1944 PVFB SDL backend chokes on bogus screen updates CVE-2008-2004 qemu/kvm/xen: qemu block format auto-detection vulnerability cpe:/a:redhat:rhel_virtualization cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The unzip utility is used to list, test, or extract files from a zip archive. An invalid pointer flaw was found in unzip. If a user ran unzip on a specially crafted file, an attacker could execute arbitrary code with that user's privileges. (CVE-2008-0888) Red Hat would like to thank Tavis Ormandy of the Google Security Team for reporting this issue. All unzip users are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. Moderate Copyright 2008 Red Hat, Inc. CVE-2008-0888 CVE-2008-0888 unzip: free() called for uninitialized or already freed pointer cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 gnome-screensaver is the GNOME project's official screen saver program. A flaw was found in the way gnome-screensaver verified user passwords. When a system used a remote directory service for login credentials, a local attacker able to cause a network outage could cause gnome-screensaver to crash, unlocking the screen. (CVE-2008-0887) Users of gnome-screensaver should upgrade to this updated package, which contains a backported patch to correct this issue. Moderate Copyright 2008 Red Hat, Inc. CVE-2008-0887 CVE-2008-0887 gnome-screensaver using NIS auth will unlock if NIS goes away cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX(R) operating systems. Two overflows were discovered in the HP-GL/2-to-PostScript filter. An attacker could create a malicious HP-GL/2 file that could possibly execute arbitrary code as the "lp" user if the file is printed. (CVE-2008-0053) A buffer overflow flaw was discovered in the GIF decoding routines used by CUPS image converting filters "imagetops" and "imagetoraster". An attacker could create a malicious GIF file that could possibly execute arbitrary code as the "lp" user if the file was printed. (CVE-2008-1373) It was discovered that the patch used to address CVE-2004-0888 in CUPS packages in Red Hat Enterprise Linux 3 and 4 did not completely resolve the integer overflow in the "pdftops" filter on 64-bit platforms. An attacker could create a malicious PDF file that could possibly execute arbitrary code as the "lp" user if the file was printed. (CVE-2008-1374) All cups users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2008-0053 CVE-2008-1373 CVE-2008-1374 CVE-2008-0053 cups: buffer overflows in HP-GL/2 filter CVE-2008-1373 cups: overflow in gif image filter CVE-2008-1374 cups: incomplete fix for CVE-2004-0888 / CVE-2005-0206 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Firefox is an open source Web browser. Several flaws were found in the processing of some malformed web content. A web page containing such malicious content could cause Firefox to crash or, potentially, execute arbitrary code as the user running Firefox. (CVE-2008-1233, CVE-2008-1235, CVE-2008-1236, CVE-2008-1237) Several flaws were found in the display of malformed web content. A web page containing specially-crafted content could, potentially, trick a Firefox user into surrendering sensitive information. (CVE-2008-1234, CVE-2008-1238, CVE-2008-1241) All Firefox users should upgrade to these updated packages, which contain backported patches that correct these issues. Critical Copyright 2008 Red Hat, Inc. CVE-2008-1233 CVE-2008-1234 CVE-2008-1235 CVE-2008-1236 CVE-2008-1237 CVE-2008-1238 CVE-2008-1241 CVE-2008-1233 Mozilla products XPCNativeWrapper pollution CVE-2008-1234 universal XSS using event handlers CVE-2008-1235 chrome privilege via wrong principal CVE-2008-1236 browser engine crashes CVE-2008-1237 javascript crashes CVE-2008-1238 Referrer spoofing bug CVE-2008-1241 XUL popup spoofing cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 SeaMonkey is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. Several flaws were found in the processing of some malformed web content. A web page containing such malicious content could cause SeaMonkey to crash or, potentially, execute arbitrary code as the user running SeaMonkey. (CVE-2008-1233, CVE-2008-1235, CVE-2008-1236, CVE-2008-1237) Several flaws were found in the display of malformed web content. A web page containing specially-crafted content could, potentially, trick a SeaMonkey user into surrendering sensitive information. (CVE-2008-1234, CVE-2008-1238, CVE-2008-1241) All SeaMonkey users should upgrade to these updated packages, which contain backported patches to resolve these issues. Critical Copyright 2008 Red Hat, Inc. CVE-2008-0414 CVE-2008-1233 CVE-2008-1234 CVE-2008-1235 CVE-2008-1236 CVE-2008-1237 CVE-2008-1238 CVE-2008-1241 CVE-2008-1233 Mozilla products XPCNativeWrapper pollution CVE-2008-1234 universal XSS using event handlers CVE-2008-1235 chrome privilege via wrong principal CVE-2008-1236 browser engine crashes CVE-2008-1237 javascript crashes CVE-2008-1238 Referrer spoofing bug CVE-2008-1241 XUL popup spoofing cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 Mozilla Thunderbird is a standalone mail and newsgroup client. Several flaws were found in the processing of some malformed HTML mail content. An HTML mail message containing such malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code as the user running Thunderbird. (CVE-2008-1233, CVE-2008-1235, CVE-2008-1236, CVE-2008-1237) Several flaws were found in the display of malformed web content. An HTML mail message containing specially-crafted content could, potentially, trick a user into surrendering sensitive information. (CVE-2008-1234, CVE-2008-1238, CVE-2008-1241) Note: JavaScript support is disabled by default in Thunderbird; the above issues are not exploitable unless JavaScript is enabled. All Thunderbird users should upgrade to these updated packages, which contain backported patches to resolve these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2008-1233 CVE-2008-1234 CVE-2008-1235 CVE-2008-1236 CVE-2008-1237 CVE-2008-1238 CVE-2008-1241 CVE-2008-1233 Mozilla products XPCNativeWrapper pollution CVE-2008-1234 universal XSS using event handlers CVE-2008-1235 chrome privilege via wrong principal CVE-2008-1236 browser engine crashes CVE-2008-1237 javascript crashes CVE-2008-1238 Referrer spoofing bug CVE-2008-1241 XUL popup spoofing cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 IBM's 1.5.0 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. Two vulnerabilities in the Java Runtime Environment allowed an untrusted application or applet to elevate the assigned privileges. This could be misused by a malicious website to read and write local files or execute local applications in the context of the user running the Java process. (CVE-2008-0657) A flaw was found in the Java XSLT processing classes. An untrusted application or applet could cause a denial of service, or execute arbitrary code with the permissions of the user running the JRE. (CVE-2008-1187) Several buffer overflow flaws were found in Java Web Start (JWS). An untrusted JNLP application could access local files or execute local applications accessible to the user running the JRE. (CVE-2008-1188, CVE-2008-1189, CVE-2008-1190, CVE-2008-1196) A flaw was found in the Java Plug-in. A remote attacker could bypass the same origin policy, executing arbitrary code with the permissions of the user running the JRE. (CVE-2008-1192) A flaw was found in the JRE image parsing libraries. An untrusted application or applet could cause a denial of service, or possible execute arbitrary code with the permissions of the user running the JRE. (CVE-2008-1193) A flaw was found in the JRE color management library. An untrusted application or applet could trigger a denial of service (JVM crash). (CVE-2008-1194) The JRE allowed untrusted JavaScript code to create local network connections by the use of Java APIs. A remote attacker could use these flaws to acesss local network services. (CVE-2008-1195) All users of java-ibm-1.5.0 are advised to upgrade to these updated packages, that contain IBM's 1.5.0 SR7 Java release which resolves these issues. Critical Copyright 2008 Red Hat, Inc. CVE-2008-0657 CVE-2008-1187 CVE-2008-1188 CVE-2008-1189 CVE-2008-1190 CVE-2008-1192 CVE-2008-1193 CVE-2008-1194 CVE-2008-1195 CVE-2008-1196 CVE-2008-0657 java-1.5.0 Privilege escalation via unstrusted applet and application CVE-2008-1187 Untrusted applet and application XSLT processing privilege escalation CVE-2008-1188 Buffer overflow security vulnerabilities in Java Web Start (CVE-2008-1189, CVE-2008-1190) CVE-2008-1192 Java Plugin same-origin-policy bypass CVE-2008-1193 JRE image parsing library allows privilege escalation (CVE-2008-1194) CVE-2008-1195 Java-API calls in untrusted Javascript allow network privilege escalation CVE-2008-1196 Buffer overflow security vulnerabilities in Java Web Start cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 3 The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated packages fix the following security issues: * the absence of a protection mechanism when attempting to access a critical section of code has been found in the Linux kernel open file descriptors control mechanism, fcntl. This could allow a local unprivileged user to simultaneously execute code, which would otherwise be protected against parallel execution. As well, a race condition when handling locks in the Linux kernel fcntl functionality, may have allowed a process belonging to a local unprivileged user to gain re-ordered access to the descriptor table. (CVE-2008-1669, Important) * the absence of a protection mechanism when attempting to access a critical section of code, as well as a race condition, have been found in the Linux kernel file system event notifier, dnotify. This could allow a local unprivileged user to get inconsistent data, or to send arbitrary signals to arbitrary system processes. (CVE-2008-1375, Important) Red Hat would like to thank Nick Piggin for responsibly disclosing the following issue: * when accessing kernel memory locations, certain Linux kernel drivers registering a fault handler did not perform required range checks. A local unprivileged user could use this flaw to gain read or write access to arbitrary kernel memory, or possibly cause a kernel crash. (CVE-2008-0007, Important) * a flaw was found when performing asynchronous input or output operations on a FIFO special file. A local unprivileged user could use this flaw to cause a kernel panic. (CVE-2007-5001, Important) * a flaw was found in the way core dump files were created. If a local user could get a root-owned process to dump a core file into a directory, which the user has write access to, they could gain read access to that core file. This could potentially grant unauthorized access to sensitive information. (CVE-2007-6206, Moderate) * a buffer overflow was found in the Linux kernel ISDN subsystem. A local unprivileged user could use this flaw to cause a denial of service. (CVE-2007-6151, Moderate) * a race condition found in the mincore system core could allow a local user to cause a denial of service (system hang). (CVE-2006-4814, Moderate) * it was discovered that the Linux kernel handled string operations in the opposite way to the GNU Compiler Collection (GCC). This could allow a local unprivileged user to cause memory corruption. (CVE-2008-1367, Low) As well, these updated packages fix the following bugs: * a bug, which caused long delays when unmounting mounts containing a large number of unused dentries, has been resolved. * in the previous kernel packages, the kernel was unable to handle certain floating point instructions on Itanium(R) architectures. * on certain Intel CPUs, the Translation Lookaside Buffer (TLB) was not flushed correctly, which caused machine check errors. Red Hat Enterprise Linux 3 users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. Important Copyright 2008 Red Hat, Inc. CVE-2006-4814 CVE-2007-5001 CVE-2007-6151 CVE-2007-6206 CVE-2008-0007 CVE-2008-1367 CVE-2008-1375 CVE-2008-1669 CVE-2006-4814 kernel Race condition in mincore can cause "ps -ef" to hang CVE-2007-5001 kernel asynchronous IO on a FIFO kernel panic CVE-2007-6206 Issue with core dump owner RHEL3: System hangs at unmount CVE-2007-6151 I4L: fix isdn_ioctl memory issue CVE-2008-0007 kernel: insufficient range checks in fault handlers with mremap CVE-2008-1367 Kernel doesn't clear DF for signal handlers CVE-2008-1375 kernel: race condition in dnotify (local DoS, local roothole possible) CVE-2008-1669 kernel: add rcu_read_lock() to fcheck() in both dnotify, locks.c and fix fcntl store/load race in locks.c cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Squid is a high-performance proxy caching server for Web clients, supporting FTP, gopher, and HTTP data objects. A flaw was found in the way squid manipulated HTTP headers for cached objects stored in system memory. An attacker could use this flaw to cause a squid child process to exit. This interrupted existing connections and made proxy services unavailable. Note: the parent squid process started a new child process, so this attack only resulted in a temporary denial of service. (CVE-2008-1612) Users of squid are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. Moderate Copyright 2008 Red Hat, Inc. CVE-2008-1612 CVE-2008-1612 squid: regression in SQUID-2007:2 / CVE-2007-6239 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 gnome-screensaver is the GNOME project's official screen saver program. A flaw was found in the way gnome-screensaver verified user passwords. When a system used a remote directory service for login credentials, a local attacker able to cause a network outage could cause gnome-screensaver to crash, unlocking the screen. (CVE-2008-0887) Users of gnome-screensaver should upgrade to this updated package, which contains a backported patch to correct this issue. Moderate Copyright 2008 Red Hat, Inc. CVE-2008-0887 CVE-2008-0887 gnome-screensaver using NIS auth will unlock if NIS goes away cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 The flash-plugin package contains a Firefox-compatible Adobe Flash Player Web browser plug-in. Several input validation flaws were found in the way Flash Player displayed certain content. These may have made it possible to execute arbitrary code on a victim's machine, if the victim opened a malicious Adobe Flash file. (CVE-2007-0071, CVE-2007-6019) A flaw was found in the way Flash Player established TCP sessions to remote hosts. A remote attacker could, consequently, use Flash Player to conduct a DNS rebinding attack. (CVE-2007-5275, CVE-2008-1655) A flaw was found in the way Flash Player restricted the interpretation and usage of cross-domain policy files. A remote attacker could use Flash Player to conduct cross-domain and cross-site scripting attacks. (CVE-2007-6243, CVE-2008-1654) A flaw was found in the way Flash Player interacted with web browsers. An attacker could use malicious content presented by Flash Player to conduct a cross-site scripting attack. (CVE-2007-6637) All users of Adobe Flash Player should upgrade to this updated package, which contains Flash Player version 9.0.124.0 and resolves these issues. Critical Copyright 2008 Red Hat, Inc. CVE-2007-5275 CVE-2007-6243 CVE-2007-6637 CVE-2007-6019 CVE-2007-0071 CVE-2008-1655 CVE-2008-1654 CVE-2008-3872 CVE-2007-5275 Flash plugin DNS rebinding CVE-2007-6243 Flash Player cross-domain and cross-site scripting flaws CVE-2007-6637 Flash Player content injection flaw CVE-2007-6019 Flash Player input validation error CVE-2007-0071 Flash Player input validation error CVE-2008-1655 Flash Player DNS rebind flaw CVE-2008-1654 Flash Player cross domain HTTP header flaw cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Firefox is an open source Web browser. A flaw was found in the processing of malformed JavaScript content. A web page containing such malicious content could cause Firefox to crash or, potentially, execute arbitrary code as the user running Firefox. (CVE-2008-1380) All Firefox users should upgrade to these updated packages, which contain backported patches that correct these issues. Critical Copyright 2008 Red Hat, Inc. CVE-2008-1380 CVE-2008-1380 Firefox JavaScript garbage collection crash cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 SeaMonkey is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. A flaw was found in the processing of malformed JavaScript content. A web page containing such malicious content could cause SeaMonkey to crash or, potentially, execute arbitrary code as the user running SeaMonkey. (CVE-2008-1380) All SeaMonkey users should upgrade to these updated packages, which contain backported patches to resolve these issues. Critical Copyright 2008 Red Hat, Inc. CVE-2008-1380 CVE-2008-1380 Firefox JavaScript garbage collection crash cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Thunderbird is a standalone mail and newsgroup client. A flaw was found in the processing of malformed JavaScript content. An HTML mail message containing such malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code as the user running Thunderbird. (CVE-2008-1380) Note: JavaScript support is disabled by default in Thunderbird; the above issue is not exploitable unless JavaScript is enabled. All Thunderbird users should upgrade to these updated packages, which contain backported patches to resolve these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2008-1380 CVE-2008-1380 Firefox JavaScript garbage collection crash cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated packages fix the following security issues: * the absence of a protection mechanism when attempting to access a critical section of code has been found in the Linux kernel open file descriptors control mechanism, fcntl. This could allow a local unprivileged user to simultaneously execute code, which would otherwise be protected against parallel execution. As well, a race condition when handling locks in the Linux kernel fcntl functionality, may have allowed a process belonging to a local unprivileged user to gain re-ordered access to the descriptor table. (CVE-2008-1669, Important) * a possible hypervisor panic was found in the Linux kernel. A privileged user of a fully virtualized guest could initiate a stress-test File Transfer Protocol (FTP) transfer between the guest and the hypervisor, possibly leading to hypervisor panic. (CVE-2008-1619, Important) * the absence of a protection mechanism when attempting to access a critical section of code, as well as a race condition, have been found in the Linux kernel file system event notifier, dnotify. This could allow a local unprivileged user to get inconsistent data, or to send arbitrary signals to arbitrary system processes. (CVE-2008-1375, Important) Red Hat would like to thank Nick Piggin for responsibly disclosing the following issue: * when accessing kernel memory locations, certain Linux kernel drivers registering a fault handler did not perform required range checks. A local unprivileged user could use this flaw to gain read or write access to arbitrary kernel memory, or possibly cause a kernel crash. (CVE-2008-0007, Important) * the absence of sanity-checks was found in the hypervisor block backend driver, when running 32-bit paravirtualized guests on a 64-bit host. The number of blocks to be processed per one request from guest to host, or vice-versa, was not checked for its maximum value, which could have allowed a local privileged user of the guest operating system to cause a denial of service. (CVE-2007-5498, Important) * it was discovered that the Linux kernel handled string operations in the opposite way to the GNU Compiler Collection (GCC). This could allow a local unprivileged user to cause memory corruption. (CVE-2008-1367, Low) As well, these updated packages fix the following bugs: * on IBM System z architectures, when running QIOASSIST enabled QDIO devices in an IBM z/VM environment, the output queue stalled under heavy load. This caused network performance to degrade, possibly causing network hangs and outages. * multiple buffer overflows were discovered in the neofb video driver. It was not possible for an unprivileged user to exploit these issues, and as such, they have not been handled as security issues. * when running Microsoft Windows in a HVM, a bug in vmalloc/vfree caused network performance to degrade. * on certain architectures, a bug in the libATA sata_nv driver may have caused infinite reboots, and an "ata1: CPB flags CMD err flags 0x11" error. * repeatedly hot-plugging a PCI Express card may have caused "Bad DLLP" errors. * a NULL pointer dereference in NFS, which may have caused applications to crash, has been resolved. * when attempting to kexec reboot, either manually or via a panic-triggered kdump, the Unisys ES7000/one hanged after rebooting in the new kernel, after printing the "Memory: 32839688k/33685504k available" line. Red Hat Enterprise Linux 5 users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. Important Copyright 2008 Red Hat, Inc. CVE-2007-5498 CVE-2008-0007 CVE-2008-1367 CVE-2008-1375 CVE-2008-1619 CVE-2008-1669 CVE-2007-5498 missing sanity check in xen block backend driver LTC37008-QDIO based network connections hang with QIOASSIST ON CVE-2008-1619 [xen-ia64] Dom0 panic while we run ftp test tool between HVM and Dom0. CVE-2008-0007 kernel: insufficient range checks in fault handlers with mremap [Xen] vmalloc/vfree on HVM Guest/IA64 does untolerate performance. libata: sata_nv may send commands with duplicate tags [5.1.z] CVE-2008-1367 Kernel doesn't clear DF for signal handlers CVE-2008-1619 [xen-ia64] Dom0 panic while we run ftp test tool between HVM and Dom0. CVE-2008-1375 kernel: race condition in dnotify (local DoS, local roothole possible) [5.1] PCI Express hotplug driver problem (Bad DLLP) [rhel-5.1.z] 2.6.18-53.1.12 crashes on NULL pointer dereference with NFS on the stack [rhel-5.1.z] kexec or kdump hangs on ES7000/ONE CVE-2008-1669 kernel: add rcu_read_lock() to fcheck() in both dnotify, locks.c and fix fcntl store/load race in locks.c cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Speex is a patent-free compression format designed especially for speech. The Speex package contains a library for handling Speex files and sample encoder and decoder implementations using this library. The Speex library was found to not properly validate input values read from the Speex files headers. An attacker could create a malicious Speex file that would crash an application or, possibly, allow arbitrary code execution with the privileges of the application calling the Speex library. (CVE-2008-1686) All users of speex are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. Important Copyright 2008 Red Hat, Inc. CVE-2008-1686 CVE-2008-1686 speex, libfishsound: insufficient boundary checks cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated packages fix the following security issues: * the absence of a protection mechanism when attempting to access a critical section of code has been found in the Linux kernel open file descriptors control mechanism, fcntl. This could allow a local unprivileged user to simultaneously execute code, which would otherwise be protected against parallel execution. As well, a race condition when handling locks in the Linux kernel fcntl functionality, may have allowed a process belonging to a local unprivileged user to gain re-ordered access to the descriptor table. (CVE-2008-1669, Important) * on AMD64 architectures, the possibility of a kernel crash was discovered by testing the Linux kernel process-trace ability. This could allow a local unprivileged user to cause a denial of service (kernel crash). (CVE-2008-1615, Important) * the absence of a protection mechanism when attempting to access a critical section of code, as well as a race condition, have been found in the Linux kernel file system event notifier, dnotify. This could allow a local unprivileged user to get inconsistent data, or to send arbitrary signals to arbitrary system processes. (CVE-2008-1375, Important) Red Hat would like to thank Nick Piggin for responsibly disclosing the following issue: * when accessing kernel memory locations, certain Linux kernel drivers registering a fault handler did not perform required range checks. A local unprivileged user could use this flaw to gain read or write access to arbitrary kernel memory, or possibly cause a kernel crash. (CVE-2008-0007, Important) * the possibility of a kernel crash was found in the Linux kernel IPsec protocol implementation, due to improper handling of fragmented ESP packets. When an attacker controlling an intermediate router fragmented these packets into very small pieces, it would cause a kernel crash on the receiving node during packet reassembly. (CVE-2007-6282, Important) * a flaw in the MOXA serial driver could allow a local unprivileged user to perform privileged operations, such as replacing firmware. (CVE-2005-0504, Important) As well, these updated packages fix the following bugs: * multiple buffer overflows in the neofb driver have been resolved. It was not possible for an unprivileged user to exploit these issues, and as such, they have not been handled as security issues. * a kernel panic, due to inconsistent detection of AGP aperture size, has been resolved. * a race condition in UNIX domain sockets may have caused "recv()" to return zero. In clustered configurations, this may have caused unexpected failovers. * to prevent link storms, network link carrier events were delayed by up to one second, causing unnecessary packet loss. Now, link carrier events are scheduled immediately. * a client-side race on blocking locks caused large time delays on NFS file systems. * in certain situations, the libATA sata_nv driver may have sent commands with duplicate tags, which were rejected by SATA devices. This may have caused infinite reboots. * running the "service network restart" command may have caused networking to fail. * a bug in NFS caused cached information about directories to be stored for too long, causing wrong attributes to be read. * on systems with a large highmem/lowmem ratio, NFS write performance may have been very slow when using small files. * a bug, which caused network hangs when the system clock was wrapped around zero, has been resolved. Red Hat Enterprise Linux 4 users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. Important Copyright 2008 Red Hat, Inc. CVE-2005-0504 CVE-2007-6282 CVE-2008-0007 CVE-2008-1375 CVE-2008-1615 CVE-2008-1669 CVE-2007-6282 IPSec ESP kernel panics CVE-2005-0504 Buffer overflow in moxa driver CVE-2008-0007 kernel: insufficient range checks in fault handlers with mremap CVE-2008-1615 kernel: ptrace: Unprivileged crash on x86_64 %cs corruption [RHEL4.6] In unix domain sockets, recv() may incorrectly return zero Fake ARP dropped after migration leading to loss of network connectivity LTC41942-30 second flock() calls against files stored on a NetApp while using NFS libata: sata_nv may send commands with duplicate tags Network stack hang after service network restart NFS: Fix directory caching problem - with test case and patch. [2.6.9-55.9] VM pagecache reclaim patch causes high latency on systems with large highmem/lowmem ratios Since "Patch2037: linux-2.6.9-vm-balance.patch" my NFS performance is poorly CVE-2008-1375 kernel: race condition in dnotify (local DoS, local roothole possible) CVE-2008-1669 kernel: add rcu_read_lock() to fcheck() in both dnotify, locks.c and fix fcntl store/load race in locks.c cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The kdegraphics packages contain applications for the K Desktop Environment, including kpdf, a PDF file viewer. Kees Cook discovered a flaw in the way kpdf displayed malformed fonts embedded in PDF files. An attacker could create a malicious PDF file that would cause kpdf to crash, or, potentially, execute arbitrary code when opened. (CVE-2008-1693) All kdegraphics users are advised to upgrade to these updated packages, which contain backported patches to resolve this issue. Important Copyright 2008 Red Hat, Inc. CVE-2008-1693 CVE-2008-1693 xpdf: embedded font vulnerability cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Poppler is a PDF rendering library, used by applications such as Evince. Kees Cook discovered a flaw in the way poppler displayed malformed fonts embedded in PDF files. An attacker could create a malicious PDF file that would cause applications that use poppler -- such as Evince -- to crash, or, potentially, execute arbitrary code when opened. (CVE-2008-1693) Users are advised to upgrade to these updated packages, which contain backported patches to resolve this issue. Important Copyright 2008 Red Hat, Inc. CVE-2008-1693 CVE-2008-1693 xpdf: embedded font vulnerability cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Xpdf is an X Window System-based viewer for Portable Document Format (PDF) files. Kees Cook discovered a flaw in the way xpdf displayed malformed fonts embedded in PDF files. An attacker could create a malicious PDF file that would cause xpdf to crash, or, potentially, execute arbitrary code when opened. (CVE-2008-1693) Users are advised to upgrade to these updated packages, which contain backported patches to resolve this issue. Important Copyright 2008 Red Hat, Inc. CVE-2008-1693 CVE-2008-1693 xpdf: embedded font vulnerability cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 The BEA WebLogic JRockit 1.4.2_16 JRE and SDK contains BEA WebLogic JRockit Virtual Machine 1.4.2_16 and is certified for the Java 2 Platform, Standard Edition, v1.4.2. A flaw was found in the Java XSLT processing classes. An untrusted application or applet could cause a denial of service, or execute arbitrary code with the permissions of the user running the JRE. (CVE-2008-1187) Please note: This vulnerability can only be triggered in java-1.4.2-bea by calling the "appletviewer" application. All java-1.4.2-bea users should upgrade to this updated package which addresses this vulnerability. Moderate Copyright 2008 Red Hat, Inc. CVE-2008-1187 CVE-2008-1187 Untrusted applet and application XSLT processing privilege escalation cpe:/a:redhat:rhel_extras Supplementary for Red Hat Enterprise Linux 5 The BEA WebLogic JRockit 1.5.0_14 JRE and SDK contain BEA WebLogic JRockit Virtual Machine 1.5.0_14, and are certified for the Java 5 Platform, Standard Edition, v1.5.0. A flaw was found in the Java XSLT processing classes. An untrusted application or applet could cause a denial of service, or execute arbitrary code with the permissions of the user running the JRE. (CVE-2008-1187) A flaw was found in the JRE image parsing libraries. An untrusted application or applet could cause a denial of service, or possibly execute arbitrary code with the permissions of the user running the JRE. (CVE-2008-1193) A flaw was found in the JRE color management library. An untrusted application or applet could trigger a denial of service (JVM crash). (CVE-2008-1194) The vulnerabilities concerning applets listed above can only be triggered in java-1.5.0-bea, by calling the "appletviewer" application. Users of java-1.5.0-bea are advised to upgrade to these updated packages, which resolve these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2008-1187 CVE-2008-1193 CVE-2008-1194 CVE-2008-1187 Untrusted applet and application XSLT processing privilege escalation CVE-2008-1193 JRE image parsing library allows privilege escalation (CVE-2008-1194) cpe:/a:redhat:rhel_extras Supplementary for Red Hat Enterprise Linux 5 The BEA WebLogic JRockit 1.6.0_03 JRE and SDK contain BEA WebLogic JRockit Virtual Machine 1.6.0_03, and are certified for the Java 6 Platform, Standard Edition, v1.6.0. The Java XML parsing code processed external entity references even when the "external general entities" property was set to "FALSE". This allowed remote attackers to conduct XML External Entity (XXE) attacks, possibly causing a denial of service, or gaining access to restricted resources. (CVE-2008-0628) A flaw was found in the Java XSLT processing classes. An untrusted application or applet could cause a denial of service, or execute arbitrary code with the permissions of the user running the JRE. (CVE-2008-1187) A flaw was found in the JRE image parsing libraries. An untrusted application or applet could cause a denial of service, or possible execute arbitrary code with the permissions of the user running the JRE. (CVE-2008-1193) A flaw was found in the JRE color management library. An untrusted application or applet could trigger a denial of service (JVM crash). (CVE-2008-1194) The vulnerabilities concerning applets listed above can only be triggered in java-1.6.0-bea, by calling the "appletviewer" application. Users of java-1.6.0-bea are advised to upgrade to these updated packages, which resolve these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2008-0628 CVE-2008-1187 CVE-2008-1193 CVE-2008-1194 CVE-2008-0628 java-1.6.0 default external entity processing CVE-2008-1187 Untrusted applet and application XSLT processing privilege escalation CVE-2008-1193 JRE image parsing library allows privilege escalation (CVE-2008-1194) cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 4 gpdf is a GNOME-based viewer for Portable Document Format (PDF) files. Kees Cook discovered a flaw in the way gpdf displayed malformed fonts embedded in PDF files. An attacker could create a malicious PDF file that would cause gpdf to crash, or, potentially, execute arbitrary code when opened. (CVE-2008-1693) Users of gpdf are advised to upgrade to this updated package, which contains a backported patch to resolve this issue. Important Copyright 2008 Red Hat, Inc. CVE-2008-1693 CVE-2008-1693 xpdf: embedded font vulnerability cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 IBM's 1.6.0 Java release includes the IBM Java 2 Runtime Environment, and the IBM Java 2 Software Development Kit. A flaw was found in the Java XSLT processing classes. An untrusted application or applet could cause a denial of service, or execute arbitrary code with the permissions of the user running the JRE. (CVE-2008-1187) Several buffer overflow flaws were found in Java Web Start (JWS). An untrusted JNLP application could access local files, or execute local applications accessible to the user running the JRE. (CVE-2008-1188, CVE-2008-1189, CVE-2008-1190, CVE-2008-1191, CVE-2008-1196) A flaw was found in the Java plug-in. A remote attacker could bypass the same origin policy, executing arbitrary code with the permissions of the user running the JRE. (CVE-2008-1192) A flaw was found in the JRE image parsing libraries. An untrusted application or applet could cause a denial of service, or possibly execute arbitrary code with the permissions of the user running the JRE. (CVE-2008-1193) A flaw was found in the JRE color management library. An untrusted application or applet could trigger a denial of service (JVM crash). (CVE-2008-1194) The JRE allowed untrusted JavaScript code to create local network connections by the use of Java APIs. A remote attacker could use these flaws to access local network services. (CVE-2008-1195) All users of java-1.6.0-ibm are advised to upgrade to these updated packages, that contain IBM's 1.6.0 SR1 Java release, which resolves these issues. Critical Copyright 2008 Red Hat, Inc. CVE-2008-1187 CVE-2008-1188 CVE-2008-1189 CVE-2008-1190 CVE-2008-1191 CVE-2008-1192 CVE-2008-1193 CVE-2008-1194 CVE-2008-1195 CVE-2008-1196 CVE-2008-1187 Untrusted applet and application XSLT processing privilege escalation CVE-2008-1188 Buffer overflow security vulnerabilities in Java Web Start (CVE-2008-1189, CVE-2008-1190) CVE-2008-1192 Java Plugin same-origin-policy bypass CVE-2008-1193 JRE image parsing library allows privilege escalation (CVE-2008-1194) CVE-2008-1195 Java-API calls in untrusted Javascript allow network privilege escalation CVE-2008-1196 Buffer overflow security vulnerabilities in Java Web Start CVE-2008-1191 Untrusted Java Web Start arbitrary file creation cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 The libvorbis packages contain runtime libraries for use in programs that support Ogg Vorbis. Ogg Vorbis is a fully open, non-proprietary, patent-and royalty-free, general-purpose compressed audio format. Will Drewry of the Google Security Team reported several flaws in the way libvorbis processed audio data. An attacker could create a carefully crafted OGG audio file in such a way that it could cause an application linked with libvorbis to crash, or execute arbitrary code when it was opened. (CVE-2008-1419, CVE-2008-1420, CVE-2008-1423) Moreover, additional OGG file sanity-checks have been added to prevent possible exploitation of similar issues in the future. Users of libvorbis are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. Important Copyright 2008 Red Hat, Inc. CVE-2008-1419 CVE-2008-1420 CVE-2008-1423 CVE-2008-1419 vorbis: zero-dim codebooks can cause crash, infinite loop or heap overflow CVE-2008-1420 vorbis: integer overflow in partvals computation CVE-2008-1423 vorbis: integer oveflow caused by huge codebooks cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated packages fix the following security issues: * on AMD64 architectures, the possibility of a kernel crash was discovered by testing the Linux kernel process-trace ability. This could allow a local unprivileged user to cause a denial of service (kernel crash). (CVE-2008-1615, Important) * on 64-bit architectures, the possibility of a timer-expiration value overflow was found in the Linux kernel high-resolution timers functionality, hrtimer. This could allow a local unprivileged user to setup a large interval value, forcing the timer expiry value to become negative, causing a denial of service (kernel hang). (CVE-2007-6712, Important) * the possibility of a kernel crash was found in the Linux kernel IPsec protocol implementation, due to improper handling of fragmented ESP packets. When an attacker controlling an intermediate router fragmented these packets into very small pieces, it would cause a kernel crash on the receiving node during packet reassembly. (CVE-2007-6282, Important) * a potential denial of service attack was discovered in the Linux kernel PWC USB video driver. A local unprivileged user could use this flaw to bring the kernel USB subsystem into the busy-waiting state, causing a denial of service. (CVE-2007-5093, Low) As well, these updated packages fix the following bugs: * in certain situations, a kernel hang and a possible panic occurred when disabling the cpufreq daemon. This may have prevented system reboots from completing successfully. * continual "softlockup" messages, which occurred on the guest's console after a successful save and restore of a Red Hat Enterprise Linux 5 para-virtualized guest, have been resolved. * in the previous kernel packages, the kernel may not have reclaimed NFS locks after a system reboot. Red Hat Enterprise Linux 5 users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. Important Copyright 2008 Red Hat, Inc. CVE-2007-5093 CVE-2007-6282 CVE-2007-6712 CVE-2008-1615 CVE-2007-5093 kernel PWC driver DoS rhel5.1s2 hang at 'Disabling ondemand cpu frequency scaling' [rhel-5.1.z] CVE-2007-6282 IPSec ESP kernel panics booting with maxcpus=1 panics when starting cpufreq service [rhel-5.1.z] CVE-2008-1615 kernel: ptrace: Unprivileged crash on x86_64 %cs corruption CVE-2007-6712 kernel: infinite loop in highres timers (kernel hang) [RHEL5]: Softlockup after save/restore in PV guest RHEL5.1 kernel not reclaiming NFS locks when server reboots cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 libxslt is a C library, based on libxml, for parsing of XML files into other textual formats (eg HTML, plain text and other XML representations of the underlying data). It uses the standard XSLT stylesheet transformation mechanism and, being written in plain ANSI C, is designed to be simple to incorporate into other applications Anthony de Almeida Lopes reported the libxslt library did not properly process long "transformation match" conditions in the XSL stylesheet files. An attacker could create a malicious XSL file that would cause a crash, or, possibly, execute and arbitrary code with the privileges of the application using libxslt library to perform XSL transformations. (CVE-2008-1767) All users are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. Important Copyright 2008 Red Hat, Inc. CVE-2008-1767 CVE-2008-1767 libxslt: fixed-sized steps array overflow via "template match" condition in XSL file cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 Samba is a suite of programs used by machines to share files, printers, and other information. A heap-based buffer overflow flaw was found in the way Samba clients handle over-sized packets. If a client connected to a malicious Samba server, it was possible to execute arbitrary code as the Samba client user. It was also possible for a remote user to send a specially crafted print request to a Samba server that could result in the server executing the vulnerable client code, resulting in arbitrary code execution with the permissions of the Samba server. (CVE-2008-1105) Red Hat would like to thank Alin Rad Pop of Secunia Research for responsibly disclosing this issue. Users of Samba are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. Critical Copyright 2008 Red Hat, Inc. CVE-2008-1105 CVE-2008-1105 Samba client buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Samba is a suite of programs used by machines to share files, printers, and other information. A heap-based buffer overflow flaw was found in the way Samba clients handle over-sized packets. If a client connected to a malicious Samba server, it was possible to execute arbitrary code as the Samba client user. It was also possible for a remote user to send a specially crafted print request to a Samba server that could result in the server executing the vulnerable client code, resulting in arbitrary code execution with the permissions of the Samba server. (CVE-2008-1105) Red Hat would like to thank Alin Rad Pop of Secunia Research for responsibly disclosing this issue. This update also addresses two issues which prevented Samba from joining certain Windows domains with tightened security policies, and prevented certain signed SMB content from working as expected: * when some Windows® 2000-based domain controllers were set to use mandatory signing, Samba clients would drop the connection because of an error when generating signatures. This presented as a "Server packet had invalid SMB signature" error to the Samba client. This update corrects the signature generation error. * Samba servers using the "net ads join" command to connect to a Windows Server® 2003-based domain would fail with "failed to get schannel session key from server" and "NT_STATUS_ACCESS_DENIED" errors. This update correctly binds to the NETLOGON share, allowing Samba servers to connect to the domain properly. Users of Samba are advised to upgrade to these updated packages, which contain a backported patch to resolve these issues. Critical Copyright 2008 Red Hat, Inc. CVE-2008-1105 Join fails with stricter w2k3 security options set CVE-2008-1105 Samba client buffer overflow Signing issue: "Server packet had invalid SMB signature" with some Win2K servers cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The vsftpd package includes a Very Secure File Transfer Protocol (FTP) daemon. A memory leak was discovered in the vsftpd daemon. An attacker who is able to connect to an FTP service, either as an authenticated or anonymous user, could cause vsftpd to allocate all available memory if the "deny_file" option was enabled in vsftpd.conf. (CVE-2007-5962) As well, this updated package fixes following bugs: * a race condition could occur even when the "lock_upload_files" option is set. When uploading two files simultaneously, the result was a combination of the two files. This resulted in uploaded files becoming corrupted. In these updated packages, uploading two files simultaneously will result in a file that is identical to the last uploaded file. * when the "userlist_enable" option is used, failed log in attempts as a result of the user not being in the list of allowed users, or being in the list of denied users, will not be logged. In these updated packages, a new "userlist_log=YES" option can be configured in vsftpd.conf, which will log failed log in attempts in these situations. * vsftpd did not support usernames that started with an underscore or a period character. Usernames starting with an underscore or a period are supported in these updated packages. * using wildcards in conjunction with the "ls" command did not return all the file names it should. For example, if you FTPed into a directory containing three files -- A1, A21 and A11 -- and ran the "ls *1" command, only the file names A1 and A21 were returned. These updated packages use greedier code that continues to speculatively scan for items even after matches have been found. * when the "user_config_dir" option is enabled in vsftpd.conf, and the user-specific configuration file did not exist, the following error occurred after a user entered their password during the log in process: 500 OOPS: reading non-root config file This has been resolved in this updated package. All vsftpd users are advised to upgrade to this updated package, which resolves these issues. Low Copyright 2008 Red Hat, Inc. CVE-2007-5962 vsftpd has a create/lock race condition which corrupts uploads vsftpd file listing issue with wildcard Uploaded file corrupted when two connections from same client uploading same file simultaneously CVE-2007-5962 vsftpd: memory leak when deny_file option is set OOPS: reading non-root config file cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Dovecot is an IMAP server for Linux and UNIX-like systems, primarily written with security in mind. A flaw was discovered in the way Dovecot handled the "mail_extra_groups" option. An authenticated attacker with local shell access could leverage this flaw to read, modify, or delete other users mail that is stored on the mail server. (CVE-2008-1199) This issue did not affect the default Red Hat Enterprise Linux 5 Dovecot configuration. This update adds two new configuration options -- "mail_privileged_group" and "mail_access_groups" -- to minimize the usage of additional privileges. A directory traversal flaw was discovered in Dovecot's zlib plug-in. An authenticated user could use this flaw to view other compressed mailboxes with the permissions of the Dovecot process. (CVE-2007-2231) A flaw was found in the Dovecot ACL plug-in. User with only insert permissions for a mailbox could use the "COPY" and "APPEND" commands to set additional message flags. (CVE-2007-4211) A flaw was found in a way Dovecot cached LDAP query results in certain configurations. This could possibly allow authenticated users to log in as a different user who has the same password. (CVE-2007-6598) As well, this updated package fixes the following bugs: * configuring "userdb" and "passdb" to use LDAP caused Dovecot to hang. A segmentation fault may have occurred. In this updated package, using an LDAP backend for "userdb" and "passdb" no longer causes Dovecot to hang. * the Dovecot "login_process_size" limit was configured for 32-bit systems. On 64-bit systems, when Dovecot was configured to use either IMAP or POP3, the log in processes crashed with out-of-memory errors. Errors such as the following were logged: pop3-login: pop3-login: error while loading shared libraries: libsepol.so.1: failed to map segment from shared object: Cannot allocate memory In this updated package, the "login_process_size" limit is correctly configured on 64-bit systems, which resolves this issue. Note: this updated package upgrades dovecot to version 1.0.7. For further details, refer to the Dovecot changelog: http://koji.fedoraproject.org/koji/buildinfo?buildID=23397 Users of dovecot are advised to upgrade to this updated package, which resolves these issues. Low Copyright 2008 Red Hat, Inc. CVE-2007-2231 CVE-2007-4211 CVE-2007-6598 CVE-2008-1199 CVE-2007-2231 Directory traversal in dovecot with zlib plugin Dovecot hangs while using ldap backend. CVE-2007-4211 Dovecot possible privilege ascalation in ACL plugin Dovecot pop3-login/imap-login crash with OOM error Please consider upgrading Dovecot to 1.0rc23 at least tracker bug for 1.0.7 rebase CVE-2007-6598 dovecot LDAP+auth cache user login mixup CVE-2008-1199 dovecot: insecure mail_extra_groups option cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. It was discovered that the bind packages created the "rndc.key" file with insecure file permissions. This allowed any local user to read the content of this file. A local user could use this flaw to control some aspects of the named daemon by using the rndc utility, for example, stopping the named daemon. This problem did not affect systems with the bind-chroot package installed. (CVE-2007-6283) A buffer overflow flaw was discovered in the "inet_network()" function, as implemented by libbind. An attacker could use this flaw to crash an application calling this function, with an argument provided from an untrusted source. (CVE-2008-0122) As well, these updated packages fix the following bugs: * when using an LDAP backend, missing function declarations caused segmentation faults, due to stripped pointers on machines where pointers are longer than integers. * starting named may have resulted in named crashing, due to a race condition during D-BUS connection initialization. This has been resolved in these updated packages. * the named init script returned incorrect error codes, causing the "status" command to return an incorrect status. In these updated packages, the named init script is Linux Standard Base (LSB) compliant. * in these updated packages, the "rndc [command] [zone]" command, where [command] is an rndc command, and [zone] is the specified zone, will find the [zone] if the zone is unique to all views. * the default named log rotation script did not work correctly when using the bind-chroot package. In these updated packages, installing bind-chroot creates the symbolic link "/var/log/named.log", which points to "/var/named/chroot/var/log/named.log", which resolves this issue. * a previous bind update incorrectly changed the permissions on the "/etc/openldap/schema/dnszone.schema" file to mode 640, instead of mode 644, which resulted in OpenLDAP not being able to start. In these updated packages, the permissions are correctly set to mode 644. * the "checkconfig" parameter was missing in the named usage report. For example, running the "service named" command did not return "checkconfig" in the list of available options. * due to a bug in the named init script not handling the rndc return value correctly, the "service named stop" and "service named restart" commands failed on certain systems. * the bind-chroot spec file printed errors when running the "%pre" and "%post" sections. Errors such as the following occurred: Locating //etc/named.conf failed: [FAILED] This has been resolved in these updated packages. * installing the bind-chroot package creates a "/dev/random" file in the chroot environment; however, the "/dev/random" file had an incorrect SELinux label. Starting named resulted in an 'avc: denied { getattr } for pid=[pid] comm="named" path="/dev/random"' error being logged. The "/dev/random" file has the correct SELinux label in these updated packages. * in certain situations, running the "bind +trace" command resulted in random segmentation faults. As well, these updated packages add the following enhancements: * support has been added for GSS-TSIG (RFC 3645). * the "named.root" file has been updated to reflect the new address for L.ROOT-SERVERS.NET. * updates BIND to the latest 9.3 maintenance release. All users of bind are advised to upgrade to these updated packages, which resolve these issues and add these enhancements. Moderate Copyright 2008 Red Hat, Inc. CVE-2007-6283 CVE-2008-0122 bind_sdb, ldap2zone segfaulting bind crashes on restart and also when running without forwarders Wrong init script bind-chroot does not modify /etc/logrotate.d/named dnszone.schema bad file permissions missed parameter "configtest" in init script usage report "service named restart" fails RFE: add support for GSSTSIG bind-chroot-9.3.3-9.0.1 leaks error noise in its scripts avc: denied { getattr } for comm="named" path="/dev/random" Rebase to latest 9.3 maintenance release New L.ROOT-SERVERS.NET address CVE-2007-6283 bind: /etc/rndc.key has 644 permissions by default resolver library causes segfaults in bind-utils such as dig,ping CVE-2008-0122 libbind off-by-one buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 MySQL is a multi-user, multi-threaded SQL database server. MySQL is a client/server implementation consisting of a server daemon (mysqld), and many different client programs and libraries. MySQL did not require privileges such as "SELECT" for the source table in a "CREATE TABLE LIKE" statement. An authenticated user could obtain sensitive information, such as the table structure. (CVE-2007-3781) A flaw was discovered in MySQL that allowed an authenticated user to gain update privileges for a table in another database, via a view that refers to the external table. (CVE-2007-3782) MySQL did not require the "DROP" privilege for "RENAME TABLE" statements. An authenticated user could use this flaw to rename arbitrary tables. (CVE-2007-2691) A flaw was discovered in the mysql_change_db function when returning from SQL SECURITY INVOKER stored routines. An authenticated user could use this flaw to gain database privileges. (CVE-2007-2692) MySQL allowed an authenticated user to bypass logging mechanisms via SQL queries that contain the NULL character, which were not properly handled by the mysql_real_query function. (CVE-2006-0903) MySQL allowed an authenticated user to access a table through a previously created MERGE table, even after the user's privileges were revoked from the original table, which might violate intended security policy. This is addressed by allowing the MERGE storage engine to be disabled, which can be done by running mysqld with the "--skip-merge" option. (CVE-2006-4031) MySQL evaluated arguments in the wrong security context, which allowed an authenticated user to gain privileges through a routine that had been made available using "GRANT EXECUTE". (CVE-2006-4227) Multiple flaws in MySQL allowed an authenticated user to cause the MySQL daemon to crash via crafted SQL queries. This only caused a temporary denial of service, as the MySQL daemon is automatically restarted after the crash. (CVE-2006-7232, CVE-2007-1420, CVE-2007-2583) As well, these updated packages fix the following bugs: * a separate counter was used for "insert delayed" statements, which caused rows to be discarded. In these updated packages, "insert delayed" statements no longer use a separate counter, which resolves this issue. * due to a bug in the Native POSIX Thread Library, in certain situations, "flush tables" caused a deadlock on tables that had a read lock. The mysqld daemon had to be killed forcefully. Now, "COND_refresh" has been replaced with "COND_global_read_lock", which resolves this issue. * mysqld crashed if a query for an unsigned column type contained a negative value for a "WHERE [column] NOT IN" subquery. * in master and slave server situations, specifying "on duplicate key update" for "insert" statements did not update slave servers. * in the mysql client, empty strings were displayed as "NULL". For example, running "insert into [table-name] values (' ');" resulted in a "NULL" entry being displayed when querying the table using "select * from [table-name];". * a bug in the optimizer code resulted in certain queries executing much slower than expected. * on 64-bit PowerPC architectures, MySQL did not calculate the thread stack size correctly, which could have caused MySQL to crash when overly-complex queries were used. Note: these updated packages upgrade MySQL to version 5.0.45. For a full list of bug fixes and enhancements, refer to the MySQL release notes: http://dev.mysql.com/doc/refman/5.0/en/releasenotes-cs-5-0.html All mysql users are advised to upgrade to these updated packages, which resolve these issues. Low Copyright 2008 Red Hat, Inc. CVE-2006-0903 CVE-2006-4031 CVE-2006-4227 CVE-2006-7232 CVE-2007-1420 CVE-2007-2583 CVE-2007-2691 CVE-2007-2692 CVE-2007-3781 CVE-2007-3782 CVE-2006-0903 Mysql log file obfuscation CVE-2006-4031 MySQL improper permission revocation CVE-2006-4227 mysql improper suid argument evaluation CVE-2007-1420 Single MySQL worker can be crashed (NULL deref) with certain SELECT statements CVE-2007-2583 mysql: DoS via statement with crafted IF clause CVE-2007-2691 mysql DROP privilege not enforced when renaming tables CVE-2007-2692 mysql SECURITY INVOKER functions do not drop privileges CVE-2007-3781 CVE-2007-3782 New release of MySQL fixes security bugs Mysql bug 20048: 5.0.22 FLUSH TABLES WITH READ LOCK bug; need upgrade to 5.0.23 mysql 5.0.22 still has a lot of bugs ; need upgrade MySQL client will display empty strings as NULL (fixed in 5.0.23) CVE-2006-7232 mysql: daemon crash via EXPLAIN on queries on information schema mysql does not calculate thread stack size correctly for RHEL5 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The nss_ldap package contains the nss_ldap and pam_ldap modules. The nss_ldap module is a plug-in which allows applications to retrieve information about users and groups from a directory server. The pam_ldap module allows PAM-aware applications to use a directory server to verify user passwords. A race condition was discovered in nss_ldap which affected certain applications which make LDAP connections, such as Dovecot. This could cause nss_ldap to answer a request for information about one user with information about a different user. (CVE-2007-5794) In addition, these updated packages fix the following bugs: * a build error prevented the nss_ldap module from being able to use DNS to discover the location of a directory server. For example, when the /etc/nsswitch.conf configuration file was configured to use "ldap", but no "host" or "uri" option was configured in the /etc/ldap.conf configuration file, no directory server was contacted, and no results were returned. * the "port" option in the /etc/ldap.conf configuration file on client machines was ignored. For example, if a directory server which you were attempting to use was listening on a non-default port (i.e. not ports 389 or 636), it was only possible to use that directory server by including the port number in the "uri" option. In this updated package, the "port" option works as expected. * pam_ldap failed to change an expired password if it had to follow a referral to do so, which could occur, for example, when using a slave directory server in a replicated environment. An error such as the following occurred after entering a new password: "LDAP password information update failed: Can't contact LDAP server Insufficient 'write' privilege to the 'userPassword' attribute" This has been resolved in this updated package. * when the "pam_password exop_send_old" password-change method was configured in the /etc/ldap.conf configuration file, a logic error in the pam_ldap module caused client machines to attempt to change a user's password twice. First, the pam_ldap module attempted to change the password using the "exop" request, and then again using an LDAP modify request. * on Red Hat Enterprise Linux 5.1, rebuilding nss_ldap-253-5.el5 when the krb5-*-1.6.1-17.el5 packages were installed failed due to an error such as the following: + /builddir/build/SOURCES/dlopen.sh ./nss_ldap-253/nss_ldap.so dlopen() of "././nss_ldap-253/nss_ldap.so" failed: ./././nss_ldap-253/nss_ldap.so: undefined symbol: request_key error: Bad exit status from /var/tmp/rpm-tmp.62652 (%build) The missing libraries have been added, which resolves this issue. When recursively enumerating the set of members in a given group, the module would allocate insufficient space for storing the set of member names if the group itself contained other groups, thus corrupting the heap. This update includes a backported fix for this bug. Users of nss_ldap should upgrade to these updated packages, which contain backported patches to correct this issue and fix these bugs. Low Copyright 2008 Red Hat, Inc. CVE-2007-5794 Automatic DNS discovery of the LDAP server does not work pam_ldap tries to change passwords twice CVE-2007-5794 nss_ldap randomly replying with wrong user's data RHEL 5.1 nss_ldap does not build with RHEL 5.1 krb5 packages cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Compiz is an OpenGL-based window and compositing manager. Most screen savers create a top-level fullscreen window to cover the desktop, and grab the input with that window. Compiz has an option to un-redirect that window, but in some cases, this breaks the grab and compromises the locked screen. (CVE-2007-3920) Users of compiz are advised to upgrade to these updated packages, which remove this option to resolve this issue. Low Copyright 2008 Red Hat, Inc. CVE-2007-3920 CVE-2007-3920 gnome-screensaver loses keyboard grab when running under compiz cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The nfs-utils package provides a daemon for the kernel NFS server and related tools. A flaw was found in the nfs-utils package build. The nfs-utils package was missing TCP wrappers support, which could result in an administrator believing they had access restrictions enabled when they did not. (CVE-2008-1376) Users of nfs-utils are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. Moderate Copyright 2008 Red Hat, Inc. CVE-2008-1376 CVE-2008-1376 nfs-utils: missing tcp_wrappers support cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The GnuTLS Library provides support for cryptographic algorithms and protocols such as TLS. GnuTLS includes libtasn1, a library developed for ASN.1 structures management that includes DER encoding and decoding. Flaws were found in the way GnuTLS handles malicious client connections. A malicious remote client could send a specially crafted request to a service using GnuTLS that could cause the service to crash. (CVE-2008-1948, CVE-2008-1949, CVE-2008-1950) We believe it is possible to leverage the flaw CVE-2008-1948 to execute arbitrary code but have been unable to prove this at the time of releasing this advisory. Red Hat Enterprise Linux 5 includes applications, such as CUPS, that would be directly vulnerable to any such an exploit, however. Consequently, we have assigned it critical severity. Users of GnuTLS are advised to upgrade to these updated packages, which contain a backported patch that corrects these issues. Critical Copyright 2008 Red Hat, Inc. CVE-2008-1948 CVE-2008-1949 CVE-2008-1950 CVE-2008-1948 GNUTLS-SA-2008-1-1 GnuTLS buffer overflow CVE-2008-1949 GNUTLS-SA-2008-1-2 GnuTLS null-pointer dereference CVE-2008-1950 GNUTLS-SA-2008-1-3 GnuTLS memory overread flaw cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The GnuTLS Library provides support for cryptographic algorithms and protocols such as TLS. GnuTLS includes libtasn1, a library developed for ASN.1 structures management that includes DER encoding and decoding. Flaws were found in the way GnuTLS handles malicious client connections. A malicious remote client could send a specially crafted request to a service using GnuTLS that could cause the service to crash. (CVE-2008-1948, CVE-2008-1949, CVE-2008-1950) We believe it is possible to leverage the flaw CVE-2008-1948 to execute arbitrary code but have been unable to prove this at the time of releasing this advisory. Red Hat Enterprise Linux 4 does not ship with any applications directly affected by this flaw. Third-party software which runs on Red Hat Enterprise Linux 4 could, however, be affected by this vulnerability. Consequently, we have assigned it important severity. Users of GnuTLS are advised to upgrade to these updated packages, which contain a backported patch that corrects these issues. Important Copyright 2008 Red Hat, Inc. CVE-2008-1948 CVE-2008-1949 CVE-2008-1950 CVE-2008-1948 GNUTLS-SA-2008-1-1 GnuTLS buffer overflow CVE-2008-1949 GNUTLS-SA-2008-1-2 GnuTLS null-pointer dereference CVE-2008-1950 GNUTLS-SA-2008-1-3 GnuTLS memory overread flaw cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 SBLIM stands for Standards-Based Linux Instrumentation for Manageability. It consists of a set of standards-based, Web-Based Enterprise Management (WBEM) modules that use the Common Information Model (CIM) standard to gather and provide systems management information, events, and methods to local or networked consumers via a CIM object services broker using the CMPI (Common Manageability Programming Interface) standard. This package provides a set of core providers and development tools for systems management applications. It was discovered that certain sblim libraries had an RPATH (runtime library search path) set in the ELF (Executable and Linking Format) header. This RPATH pointed to a sub-directory of a world-writable, temporary directory. A local user could create a file with the same name as a library required by sblim (such as libc.so) and place it in the directory defined in the RPATH. This file could then execute arbitrary code with the privileges of the user running an application that used sblim (eg tog-pegasus). (CVE-2008-1951) Users are advised to upgrade to these updated sblim packages, which resolve this issue. Important Copyright 2008 Red Hat, Inc. CVE-2008-1951 CVE-2008-1951 sblim: libraries built with insecure RPATH cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX operating systems. An integer overflow flaw leading to a heap buffer overflow was discovered in the Portable Network Graphics (PNG) decoding routines used by the CUPS image converting filters "imagetops" and "imagetoraster". An attacker could create a malicious PNG file that could possibly execute arbitrary code as the "lp" user if the file was printed. (CVE-2008-1722) All CUPS users are advised to upgrade to these updated packages, which contain backported patch to resolve this issue. Moderate Copyright 2008 Red Hat, Inc. CVE-2008-1722 CVE-2008-1722 cups: integer overflow in the image filter cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 XFree86 is an implementation of the X Window System, which provides the core functionality for the Linux graphical desktop. An input validation flaw was discovered in X.org's Security and Record extensions. A malicious authorized client could exploit this issue to cause a denial of service (crash) or, potentially, execute arbitrary code with root privileges on the X.Org server. (CVE-2008-1377) Multiple integer overflow flaws were found in X.org's Render extension. A malicious authorized client could exploit these issues to cause a denial of service (crash) or, potentially, execute arbitrary code with root privileges on the X.Org server. (CVE-2008-2360, CVE-2008-2361) An input validation flaw was discovered in X.org's MIT-SHM extension. A client connected to the X.org server could read arbitrary server memory. This could result in the sensitive data of other users of the X.org server being disclosed. (CVE-2008-1379) Users of XFree86 are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. Important Copyright 2008 Red Hat, Inc. CVE-2008-1377 CVE-2008-1379 CVE-2008-2360 CVE-2008-2361 CVE-2008-1377 X.org Record and Security extensions memory corruption CVE-2008-1379 X.org MIT-SHM extension arbitrary memory read CVE-2008-2360 X.org Render extension AllocateGlyph() heap buffer overflow CVE-2008-2361 X.org Render extension ProcRenderCreateCursor() crash cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The xorg-x11 packages contain X.Org, an open source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon. An input validation flaw was discovered in X.org's Security and Record extensions. A malicious authorized client could exploit this issue to cause a denial of service (crash) or, potentially, execute arbitrary code with root privileges on the X.Org server. (CVE-2008-1377) Multiple integer overflow flaws were found in X.org's Render extension. A malicious authorized client could exploit these issues to cause a denial of service (crash) or, potentially, execute arbitrary code with root privileges on the X.Org server. (CVE-2008-2360, CVE-2008-2361) An input validation flaw was discovered in X.org's MIT-SHM extension. A client connected to the X.org server could read arbitrary server memory. This could result in the sensitive data of other users of the X.org server being disclosed. (CVE-2008-1379) Users of xorg-x11 should upgrade to these updated packages, which contain backported patches to resolve these issues. Important Copyright 2008 Red Hat, Inc. CVE-2008-1377 CVE-2008-1379 CVE-2008-2360 CVE-2008-2361 CVE-2008-1377 X.org Record and Security extensions memory corruption CVE-2008-1379 X.org MIT-SHM extension arbitrary memory read CVE-2008-2360 X.org Render extension AllocateGlyph() heap buffer overflow CVE-2008-2361 X.org Render extension ProcRenderCreateCursor() crash cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 X.Org is an open source implementation of the X Window System. It provides basic low-level functionality that full-fledged graphical user interfaces are designed upon. An input validation flaw was discovered in X.org's Security and Record extensions. A malicious authorized client could exploit this issue to cause a denial of service (crash) or, potentially, execute arbitrary code with root privileges on the X.Org server. (CVE-2008-1377) Multiple integer overflow flaws were found in X.org's Render extension. A malicious authorized client could exploit these issues to cause a denial of service (crash) or, potentially, execute arbitrary code with root privileges on the X.Org server. (CVE-2008-2360, CVE-2008-2361, CVE-2008-2362) An input validation flaw was discovered in X.org's MIT-SHM extension. A client connected to the X.org server could read arbitrary server memory. This could result in the sensitive data of other users of the X.org server being disclosed. (CVE-2008-1379) Users of xorg-x11-server should upgrade to these updated packages, which contain backported patches to resolve these issues. Important Copyright 2008 Red Hat, Inc. CVE-2008-1377 CVE-2008-1379 CVE-2008-2360 CVE-2008-2361 CVE-2008-2362 CVE-2008-1377 X.org Record and Security extensions memory corruption CVE-2008-1379 X.org MIT-SHM extension arbitrary memory read CVE-2008-2360 X.org Render extension AllocateGlyph() heap buffer overflow CVE-2008-2361 X.org Render extension ProcRenderCreateCursor() crash CVE-2008-2362 X.org Render extension input validation flaw causing memory corruption cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated packages fix the following security issues: * A security flaw was found in the Linux kernel memory copy routines, when running on certain AMD64 systems. If an unsuccessful attempt to copy kernel memory from source to destination memory locations occurred, the copy routines did not zero the content at the destination memory location. This could allow a local unprivileged user to view potentially sensitive data. (CVE-2008-2729, Important) * Alexey Dobriyan discovered a race condition in the Linux kernel process-tracing system call, ptrace. A local unprivileged user could use this flaw to cause a denial of service (kernel hang). (CVE-2008-2365, Important) * Tavis Ormandy discovered a deficiency in the Linux kernel 32-bit and 64-bit emulation. This could allow a local unprivileged user to prepare and run a specially crafted binary, which would use this deficiency to leak uninitialized and potentially sensitive data. (CVE-2008-0598, Important) * It was discovered that the Linux kernel handled string operations in the opposite way to the GNU Compiler Collection (GCC). This could allow a local unprivileged user to cause memory corruption. (CVE-2008-1367, Low) As well, these updated packages fix the following bug: * On systems with a large number of CPUs (more than 16), multiple applications calling the "times()" system call may have caused a system hang. Red Hat Enterprise Linux 4 users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. Important Copyright 2008 Red Hat, Inc. CVE-2008-0598 CVE-2008-1367 CVE-2008-2365 CVE-2008-2729 CVE-2008-0598 kernel: linux x86_64 ia32 emulation leaks uninitialized data CVE-2008-1367 Kernel doesn't clear DF for signal handlers [4.7] System goes unresponsive if times() syscall is called concurrently on many cpus CVE-2008-2365 kernel: ptrace: Crash on PTRACE_{ATTACH,DETACH} race CVE-2008-2729 kernel: [x86_64] The string instruction version didn't zero the output on exception. cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Evolution is the integrated collection of e-mail, calendaring, contact management, communications and personal information management (PIM) tools for the GNOME desktop environment. A flaw was found in the way Evolution parsed iCalendar timezone attachment data. If the Itip Formatter plug-in was disabled and a user opened a mail with a carefully crafted iCalendar attachment, arbitrary code could be executed as the user running Evolution. (CVE-2008-1108) Note: the Itip Formatter plug-in, which allows calendar information (attachments with a MIME type of "text/calendar") to be displayed as part of the e-mail message, is enabled by default. A heap-based buffer overflow flaw was found in the way Evolution parsed iCalendar attachments with an overly long "DESCRIPTION" property string. If a user responded to a carefully crafted iCalendar attachment in a particular way, arbitrary code could be executed as the user running Evolution. (CVE-2008-1109). The particular response required to trigger this vulnerability was as follows: 1. Receive the carefully crafted iCalendar attachment. 2. Accept the associated meeting. 3. Open the calender the meeting was in. 4. Reply to the sender. Red Hat would like to thank Alin Rad Pop of Secunia Research for responsibly disclosing these issues. All Evolution users should upgrade to these updated packages, which contain backported patches which resolves these issues. Important Copyright 2008 Red Hat, Inc. CVE-2008-1108 CVE-2008-1109 CVE-2008-1108 evolution: iCalendar buffer overflow via large timezone specification CVE-2008-1109 evolution: iCalendar buffer overflow via large description parameter cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Evolution is the integrated collection of e-mail, calendaring, contact management, communications and personal information management (PIM) tools for the GNOME desktop environment. A flaw was found in the way Evolution parsed iCalendar timezone attachment data. If the Itip Formatter plug-in was disabled and a user opened a mail with a carefully crafted iCalendar attachment, arbitrary code could be executed as the user running Evolution. (CVE-2008-1108) Note: the Itip Formatter plug-in, which allows calendar information (attachments with a MIME type of "text/calendar") to be displayed as part of the e-mail message, is enabled by default. A heap-based buffer overflow flaw was found in the way Evolution parsed iCalendar attachments with an overly long "DESCRIPTION" property string. If a user responded to a carefully crafted iCalendar attachment in a particular way, arbitrary code could be executed as the user running Evolution. (CVE-2008-1109). The particular response required to trigger this vulnerability was as follows: 1. Receive the carefully crafted iCalendar attachment. 2. Accept the associated meeting. 3. Open the calender the meeting was in. 4. Reply to the sender. Red Hat would like to thank Alin Rad Pop of Secunia Research for responsibly disclosing these issues. All Evolution users should upgrade to these updated packages, which contain backported patches which resolves these issues. Important Copyright 2008 Red Hat, Inc. CVE-2008-1108 CVE-2008-1109 CVE-2008-1108 evolution: iCalendar buffer overflow via large timezone specification CVE-2008-1109 evolution: iCalendar buffer overflow via large description parameter cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 Evolution is the integrated collection of e-mail, calendaring, contact management, communications and personal information management (PIM) tools for the GNOME desktop environment. A flaw was found in the way Evolution parsed iCalendar timezone attachment data. If mail which included a carefully crafted iCalendar attachment was opened, arbitrary code could be executed as the user running Evolution. (CVE-2008-1108) Red Hat would like to thank Alin Rad Pop of Secunia Research for responsibly disclosing this issue. All users of Evolution should upgrade to these updated packages, which contains a backported patch which resolves this issue. Critical Copyright 2008 Red Hat, Inc. CVE-2008-1108 CVE-2008-1108 evolution: iCalendar buffer overflow via large timezone specification cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated packages fix the following security issues: * A security flaw was found in the Linux kernel memory copy routines, when running on certain AMD64 systems. If an unsuccessful attempt to copy kernel memory from source to destination memory locations occurred, the copy routines did not zero the content at the destination memory location. This could allow a local unprivileged user to view potentially sensitive data. (CVE-2008-2729, Important) * Tavis Ormandy discovered a deficiency in the Linux kernel 32-bit and 64-bit emulation. This could allow a local unprivileged user to prepare and run a specially crafted binary, which would use this deficiency to leak uninitialized and potentially sensitive data. (CVE-2008-0598, Important) * Brandon Edwards discovered a missing length validation check in the Linux kernel DCCP module reconciliation feature. This could allow a local unprivileged user to cause a heap overflow, gaining privileges for arbitrary code execution. (CVE-2008-2358, Moderate) As well, these updated packages fix the following bug: * Due to a regression, "gettimeofday" may have gone backwards on certain x86 hardware. This issue was quite dangerous for time-sensitive systems, such as those used for transaction systems and databases, and may have caused applications to produce incorrect results, or even crash. Red Hat Enterprise Linux 5 users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. Important Copyright 2008 Red Hat, Inc. CVE-2008-0598 CVE-2008-2358 CVE-2008-2729 CVE-2008-0598 kernel: linux x86_64 ia32 emulation leaks uninitialized data CVE-2008-2358 kernel: dccp: sanity check feature length CVE-2008-2729 kernel: [x86_64] The string instruction version didn't zero the output on exception. cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 3 Perl is a high-level programming language commonly used for system administration utilities and Web programming. A flaw was found in Perl's regular expression engine. A specially crafted regular expression with Unicode characters could trigger a buffer overflow, causing Perl to crash, or possibly execute arbitrary code with the privileges of the user running Perl. (CVE-2008-1927) Users of perl are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. Important Copyright 2008 Red Hat, Inc. CVE-2008-1927 CVE-2008-1927 perl: heap corruption by regular expressions with utf8 characters cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The Simple Network Management Protocol (SNMP) is a protocol used for network management. A flaw was found in the way Net-SNMP checked an SNMPv3 packet's Keyed-Hash Message Authentication Code (HMAC). An attacker could use this flaw to spoof an authenticated SNMPv3 packet. (CVE-2008-0960) A buffer overflow was found in the Perl bindings for Net-SNMP. This could be exploited if an attacker could convince an application using the Net-SNMP Perl module to connect to a malicious SNMP agent. (CVE-2008-2292) All users of net-snmp should upgrade to these updated packages, which contain backported patches to resolve these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2008-2292 CVE-2008-0960 CVE-2008-2292 net-snmp: buffer overflow in perl module's Perl Module __snprint_value() CVE-2008-0960 net-snmp SNMPv3 authentication bypass (VU#877044) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 ISC BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols. The DNS protocol protects against spoofing attacks by requiring an attacker to predict both the DNS transaction ID and UDP source port of a request. In recent years, a number of papers have found problems with DNS implementations which make it easier for an attacker to perform DNS cache-poisoning attacks. Previous versions of BIND did not use randomized UDP source ports. If an attacker was able to predict the random DNS transaction ID, this could make DNS cache-poisoning attacks easier. In order to provide more resilience, BIND has been updated to use a range of random UDP source ports. (CVE-2008-1447) Note: This errata also updates SELinux policy on Red Hat Enterprise Linux 4 and 5 to allow BIND to use random UDP source ports. Users of BIND are advised to upgrade to these updated packages, which contain a backported patch to add this functionality. Red Hat would like to thank Dan Kaminsky for reporting this issue. Important Copyright 2008 Red Hat, Inc. CVE-2008-1447 CVE-2008-1447 implement source UDP port randomization (CERT VU#800113) Default caching-nameserver configuration blocks fixes for CVE-2008-1447 (rhel-5) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 OpenOffice.org is an office productivity suite that includes desktop applications such as a word processor, spreadsheet, presentation manager, formula editor, and drawing program. Sean Larsson found a heap overflow flaw in the OpenOffice memory allocator. If a carefully crafted file was opened by a victim, an attacker could use the flaw to crash OpenOffice.org or, possibly, execute arbitrary code. (CVE-2008-2152) All users of OpenOffice.org are advised to upgrade to these updated packages, which contain a backported fix to correct this issue. Important Copyright 2008 Red Hat, Inc. CVE-2008-2152 CVE-2008-2152 OpenOffice.org overflow possible on allocation cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 OpenOffice.org is an office productivity suite that includes desktop applications such as a word processor, spreadsheet, presentation manager, formula editor, and drawing program. Sean Larsson found a heap overflow flaw in the OpenOffice memory allocator. If a carefully crafted file was opened by a victim, an attacker could use the flaw to crash OpenOffice.org or, possibly, execute arbitrary code. (CVE-2008-2152) It was discovered that certain libraries in the Red Hat Enterprise Linux 3 and 4 openoffice.org packages had an insecure relative RPATH (runtime library search path) set in the ELF (Executable and Linking Format) header. A local user able to convince another user to run OpenOffice in an attacker-controlled directory, could run arbitrary code with the privileges of the victim. (CVE-2008-2366) All users of openoffice.org are advised to upgrade to these updated packages, which contain backported fixes which correct these issues. Important Copyright 2008 Red Hat, Inc. CVE-2008-2152 CVE-2008-2366 CVE-2008-2152 OpenOffice.org overflow possible on allocation CVE-2008-2366 openoffice.org: insecure relative RPATH in OOo 1.1.x packages cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 3 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. It was discovered that the PHP escapeshellcmd() function did not properly escape multi-byte characters which are not valid in the locale used by the script. This could allow an attacker to bypass quoting restrictions imposed by escapeshellcmd() and execute arbitrary commands if the PHP script was using certain locales. Scripts using the default UTF-8 locale are not affected by this issue. (CVE-2008-2051) PHP functions htmlentities() and htmlspecialchars() did not properly recognize partial multi-byte sequences. Certain sequences of bytes could be passed through these functions without being correctly HTML-escaped. Depending on the browser being used, an attacker could use this flaw to conduct cross-site scripting attacks. (CVE-2007-5898) A PHP script which used the transparent session ID configuration option, or which used the output_add_rewrite_var() function, could leak session identifiers to external web sites. If a page included an HTML form with an ACTION attribute referencing a non-local URL, the user's session ID would be included in the form data passed to that URL. (CVE-2007-5899) It was discovered that PHP fnmatch() function did not restrict the length of the string argument. An attacker could use this flaw to crash the PHP interpreter where a script used fnmatch() on untrusted input data. (CVE-2007-4782) It was discovered that PHP did not properly seed its pseudo-random number generator used by functions such as rand() and mt_rand(), possibly allowing an attacker to easily predict the generated pseudo-random values. (CVE-2008-2107, CVE-2008-2108) Users of PHP should upgrade to these updated packages, which contain backported patches to correct these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2008-2051 CVE-2007-5898 CVE-2007-5899 CVE-2007-4782 CVE-2008-2107 CVE-2008-2108 CVE-2007-4782 php crash in glob() and fnmatch() functions CVE-2007-5898 php htmlentities/htmlspecialchars multibyte sequences CVE-2007-5899 php session ID leakage CVE-2008-2051 PHP multibyte shell escape flaw CVE-2008-2107 PHP 32 bit weak random seed CVE-2008-2108 PHP weak 64 bit random seed cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. It was discovered that the PHP escapeshellcmd() function did not properly escape multi-byte characters which are not valid in the locale used by the script. This could allow an attacker to bypass quoting restrictions imposed by escapeshellcmd() and execute arbitrary commands if the PHP script was using certain locales. Scripts using the default UTF-8 locale are not affected by this issue. (CVE-2008-2051) The PHP functions htmlentities() and htmlspecialchars() did not properly recognize partial multi-byte sequences. Certain sequences of bytes could be passed through these functions without being correctly HTML-escaped. Depending on the browser being used, an attacker could use this flaw to conduct cross-site scripting attacks. (CVE-2007-5898) A PHP script which used the transparent session ID configuration option, or which used the output_add_rewrite_var() function, could leak session identifiers to external web sites. If a page included an HTML form with an ACTION attribute referencing a non-local URL, the user's session ID would be included in the form data passed to that URL. (CVE-2007-5899) It was discovered that the PHP fnmatch() function did not restrict the length of the string argument. An attacker could use this flaw to crash the PHP interpreter where a script used fnmatch() on untrusted input data. (CVE-2007-4782) It was discovered that PHP did not properly seed its pseudo-random number generator used by functions such as rand() and mt_rand(), possibly allowing an attacker to easily predict the generated pseudo-random values. (CVE-2008-2107, CVE-2008-2108) As well, these updated packages fix the following bug: * after 2008-01-01, when using PEAR version 1.3.6 or older, it was not possible to use the PHP Extension and Application Repository (PEAR) to upgrade or install packages. In these updated packages, PEAR has been upgraded to version 1.4.9, which restores support for the current pear.php.net update server. The following changes were made to the PEAR packages included in php-pear: Console_Getopt and Archive_Tar are now included by default, and XML_RPC has been upgraded to version 1.5.0. All php users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2008-2051 CVE-2007-5898 CVE-2007-5899 CVE-2007-4782 CVE-2008-2107 CVE-2008-2108 fix PEAR with current pear.php.net server CVE-2007-4782 php crash in glob() and fnmatch() functions CVE-2007-5898 php htmlentities/htmlspecialchars multibyte sequences CVE-2007-5899 php session ID leakage CVE-2008-2051 PHP multibyte shell escape flaw CVE-2008-2107 PHP 32 bit weak random seed CVE-2008-2108 PHP weak 64 bit random seed cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 SeaMonkey is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. Multiple flaws were found in the processing of malformed JavaScript content. A web page containing such malicious content could cause SeaMonkey to crash or, potentially, execute arbitrary code as the user running SeaMonkey. (CVE-2008-2801, CVE-2008-2802, CVE-2008-2803) Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause SeaMonkey to crash or, potentially, execute arbitrary code as the user running SeaMonkey. (CVE-2008-2798, CVE-2008-2799, CVE-2008-2811) Several flaws were found in the way malformed web content was displayed. A web page containing specially-crafted content could potentially trick a SeaMonkey user into surrendering sensitive information. (CVE-2008-2800) Two local file disclosure flaws were found in SeaMonkey. A web page containing malicious content could cause SeaMonkey to reveal the contents of a local file to a remote attacker. (CVE-2008-2805, CVE-2008-2810) A flaw was found in the way a malformed .properties file was processed by SeaMonkey. A malicious extension could read uninitialized memory, possibly leaking sensitive data to the extension. (CVE-2008-2807) A flaw was found in the way SeaMonkey escaped a listing of local file names. If a user could be tricked into listing a local directory containing malicious file names, arbitrary JavaScript could be run with the permissions of the user running SeaMonkey. (CVE-2008-2808) A flaw was found in the way SeaMonkey displayed information about self-signed certificates. It was possible for a self-signed certificate to contain multiple alternate name entries, which were not all displayed to the user, allowing them to mistakenly extend trust to an unknown site. (CVE-2008-2809) All SeaMonkey users should upgrade to these updated packages, which contain backported patches to resolve these issues. Critical Copyright 2008 Red Hat, Inc. CVE-2008-2798 CVE-2008-2799 CVE-2008-2800 CVE-2008-2801 CVE-2008-2802 CVE-2008-2803 CVE-2008-2805 CVE-2008-2807 CVE-2008-2808 CVE-2008-2809 CVE-2008-2810 CVE-2008-2811 CVE-2008-2798 Firefox malformed web content flaws CVE-2008-2799 Firefox javascript arbitrary code execution CVE-2008-2800 Firefox XSS attacks CVE-2008-2802 Firefox arbitrary JavaScript code execution CVE-2008-2803 Firefox javascript arbitrary code execution CVE-2008-2805 Firefox arbitrary file disclosure CVE-2008-2801 Firefox arbitrary signed JAR code execution CVE-2008-2807 Firefox .properties memory leak CVE-2008-2808 Firefox file location escaping flaw CVE-2008-2809 Firefox self signed certificate flaw CVE-2008-2810 Firefox arbitrary file disclosure CVE-2008-2811 Firefox block reflow flaw cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Mozilla Firefox is an open source Web browser. Multiple flaws were found in the processing of malformed JavaScript content. A web page containing such malicious content could cause Firefox to crash or, potentially, execute arbitrary code as the user running Firefox. (CVE-2008-2801, CVE-2008-2802, CVE-2008-2803) Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code as the user running Firefox. (CVE-2008-2798, CVE-2008-2799, CVE-2008-2811) Several flaws were found in the way malformed web content was displayed. A web page containing specially-crafted content could potentially trick a Firefox user into surrendering sensitive information. (CVE-2008-2800) Two local file disclosure flaws were found in Firefox. A web page containing malicious content could cause Firefox to reveal the contents of a local file to a remote attacker. (CVE-2008-2805, CVE-2008-2810) A flaw was found in the way a malformed .properties file was processed by Firefox. A malicious extension could read uninitialized memory, possibly leaking sensitive data to the extension. (CVE-2008-2807) A flaw was found in the way Firefox escaped a listing of local file names. If a user could be tricked into listing a local directory containing malicious file names, arbitrary JavaScript could be run with the permissions of the user running Firefox. (CVE-2008-2808) A flaw was found in the way Firefox displayed information about self-signed certificates. It was possible for a self-signed certificate to contain multiple alternate name entries, which were not all displayed to the user, allowing them to mistakenly extend trust to an unknown site. (CVE-2008-2809) All Mozilla Firefox users should upgrade to this updated package, which contains backported patches that correct these issues. Critical Copyright 2008 Red Hat, Inc. CVE-2008-2798 CVE-2008-2799 CVE-2008-2800 CVE-2008-2801 CVE-2008-2802 CVE-2008-2803 CVE-2008-2805 CVE-2008-2807 CVE-2008-2808 CVE-2008-2809 CVE-2008-2810 CVE-2008-2811 CVE-2008-2798 Firefox malformed web content flaws CVE-2008-2799 Firefox javascript arbitrary code execution CVE-2008-2800 Firefox XSS attacks CVE-2008-2802 Firefox arbitrary JavaScript code execution CVE-2008-2803 Firefox javascript arbitrary code execution CVE-2008-2805 Firefox arbitrary file disclosure CVE-2008-2801 Firefox arbitrary signed JAR code execution CVE-2008-2807 Firefox .properties memory leak CVE-2008-2808 Firefox file location escaping flaw CVE-2008-2809 Firefox self signed certificate flaw CVE-2008-2810 Firefox arbitrary file disclosure CVE-2008-2811 Firefox block reflow flaw cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 IBM's 1.4.2 SR11 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. A flaw was found in the Java XSLT processing classes. An untrusted application or applet could cause a denial of service, or execute arbitrary code with the permissions of the user running the JRE. (CVE-2008-1187) A buffer overflow flaw was found in Java Web Start (JWS). An untrusted application using the Java Network Launch Protocol (JNLP) could access local files or execute local applications accessible to the user running the JRE. (CVE-2008-1196) All users of java-1.4.2-ibm are advised to upgrade to these updated packages, which contain IBM's 1.4.2 SR11 Java release which resolves these issues. Critical Copyright 2008 Red Hat, Inc. CVE-2008-1187 CVE-2008-1196 CVE-2008-1187 Untrusted applet and application XSLT processing privilege escalation CVE-2008-1196 Buffer overflow security vulnerabilities in Java Web Start cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 FreeType is a free, high-quality, portable font engine that can open and manage font files, as well as efficiently load, hint and render individual glyphs. Multiple flaws were discovered in FreeType's Printer Font Binary (PFB) font-file format parser. If a user loaded a carefully crafted font-file with a program linked against FreeType, it could cause the application to crash, or possibly execute arbitrary code. (CVE-2008-1806, CVE-2008-1807, CVE-2008-1808) Note: the flaw in FreeType's TrueType Font (TTF) font-file format parser, covered by CVE-2008-1808, did not affect the freetype packages as shipped in Red Hat Enterprise Linux 3, 4, and 5, as they are not compiled with TTF Byte Code Interpreter (BCI) support. Users of freetype should upgrade to these updated packages, which contain backported patches to resolve these issues. Important Copyright 2008 Red Hat, Inc. CVE-2008-1806 CVE-2008-1807 CVE-2008-1808 CVE-2008-1806 FreeType PFB integer overflow CVE-2008-1807 FreeType invalid free() flaw CVE-2008-1808 FreeType off-by-one flaws Latest freetype erratum does not display all fonts cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 Ruby is an interpreted scripting language for quick and easy object-oriented programming. Multiple integer overflows leading to a heap overflow were discovered in the array- and string-handling code used by Ruby. An attacker could use these flaws to crash a Ruby application or, possibly, execute arbitrary code with the privileges of the Ruby application using untrusted inputs in array or string operations. (CVE-2008-2376, CVE-2008-2662, CVE-2008-2663, CVE-2008-2725, CVE-2008-2726) It was discovered that Ruby used the alloca() memory allocation function in the format (%) method of the String class without properly restricting maximum string length. An attacker could use this flaw to crash a Ruby application or, possibly, execute arbitrary code with the privileges of the Ruby application using long, untrusted strings as format strings. (CVE-2008-2664) Red Hat would like to thank Drew Yao of the Apple Product Security team for reporting these issues. Users of Ruby should upgrade to these updated packages, which contain a backported patch to resolve these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2008-2662 CVE-2008-2663 CVE-2008-2664 CVE-2008-2725 CVE-2008-2726 CVE-2008-2376 CVE-2008-2662 ruby: Integer overflows in rb_str_buf_append() CVE-2008-2663 ruby: Integer overflows in rb_ary_store() CVE-2008-2664 ruby: Unsafe use of alloca in rb_str_format() CVE-2008-2725 ruby: integer overflow in rb_ary_splice/update/replace() - REALLOC_N CVE-2008-2726 ruby: integer overflow in rb_ary_splice/update/replace() - beg + rlen CVE-2008-2376 ruby: integer overflows in rb_ary_fill() / Array#fill cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Ruby is an interpreted scripting language for quick and easy object-oriented programming. Multiple integer overflows leading to a heap overflow were discovered in the array- and string-handling code used by Ruby. An attacker could use these flaws to crash a Ruby application or, possibly, execute arbitrary code with the privileges of the Ruby application using untrusted inputs in array or string operations. (CVE-2008-2376, CVE-2008-2663, CVE-2008-2725, CVE-2008-2726) It was discovered that Ruby used the alloca() memory allocation function in the format (%) method of the String class without properly restricting maximum string length. An attacker could use this flaw to crash a Ruby application or, possibly, execute arbitrary code with the privileges of the Ruby application using long, untrusted strings as format strings. (CVE-2008-2664) Red Hat would like to thank Drew Yao of the Apple Product Security team for reporting these issues. A flaw was discovered in the way Ruby's CGI module handles certain HTTP requests. A remote attacker could send a specially crafted request and cause the Ruby CGI script to enter an infinite loop, possibly causing a denial of service. (CVE-2006-6303) Users of Ruby should upgrade to these updated packages, which contain a backported patches to resolve these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2008-2663 CVE-2008-2664 CVE-2008-2725 CVE-2008-2726 CVE-2006-6303 CVE-2008-2376 CVE-2006-6303 ruby's cgi.rb vulnerable infinite loop DoS CVE-2008-2663 ruby: Integer overflows in rb_ary_store() CVE-2008-2664 ruby: Unsafe use of alloca in rb_str_format() CVE-2008-2725 ruby: integer overflow in rb_ary_splice/update/replace() - REALLOC_N CVE-2008-2726 ruby: integer overflow in rb_ary_splice/update/replace() - beg + rlen CVE-2008-2376 ruby: integer overflows in rb_ary_fill() / Array#fill cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Mozilla Firefox is an open source Web browser. Multiple flaws were found in the processing of malformed JavaScript content. A web page containing such malicious content could cause Firefox to crash or, potentially, execute arbitrary code as the user running Firefox. (CVE-2008-2801, CVE-2008-2802, CVE-2008-2803) Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code as the user running Firefox. (CVE-2008-2798, CVE-2008-2799, CVE-2008-2811) Several flaws were found in the way malformed web content was displayed. A web page containing specially-crafted content could potentially trick a Firefox user into surrendering sensitive information. (CVE-2008-2800) Two local file disclosure flaws were found in Firefox. A web page containing malicious content could cause Firefox to reveal the contents of a local file to a remote attacker. (CVE-2008-2805, CVE-2008-2810) A flaw was found in the way a malformed .properties file was processed by Firefox. A malicious extension could read uninitialized memory, possibly leaking sensitive data to the extension. (CVE-2008-2807) A flaw was found in the way Firefox escaped a listing of local file names. If a user could be tricked into listing a local directory containing malicious file names, arbitrary JavaScript could be run with the permissions of the user running Firefox. (CVE-2008-2808) A flaw was found in the way Firefox displayed information about self-signed certificates. It was possible for a self-signed certificate to contain multiple alternate name entries, which were not all displayed to the user, allowing them to mistakenly extend trust to an unknown site. (CVE-2008-2809) All Mozilla Firefox users should upgrade to these updated packages, which contain backported patches that correct these issues. Critical Copyright 2008 Red Hat, Inc. CVE-2008-2798 CVE-2008-2799 CVE-2008-2800 CVE-2008-2801 CVE-2008-2802 CVE-2008-2803 CVE-2008-2805 CVE-2008-2807 CVE-2008-2808 CVE-2008-2809 CVE-2008-2810 CVE-2008-2811 CVE-2008-2798 Firefox malformed web content flaws CVE-2008-2799 Firefox javascript arbitrary code execution CVE-2008-2800 Firefox XSS attacks CVE-2008-2802 Firefox arbitrary JavaScript code execution CVE-2008-2803 Firefox javascript arbitrary code execution CVE-2008-2805 Firefox arbitrary file disclosure CVE-2008-2801 Firefox arbitrary signed JAR code execution CVE-2008-2807 Firefox .properties memory leak CVE-2008-2808 Firefox file location escaping flaw CVE-2008-2809 Firefox self signed certificate flaw CVE-2008-2810 Firefox arbitrary file disclosure CVE-2008-2811 Firefox block reflow flaw cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 rdesktop is an open source client for Microsoft Windows NT Terminal Server and Microsoft Windows 2000 and 2003 Terminal Services, capable of natively using the Remote Desktop Protocol (RDP) to present the user's NT desktop. No additional server extensions are required. An integer underflow and integer signedness issue were discovered in the rdesktop. If an attacker could convince a victim to connect to a malicious RDP server, the attacker could cause the victim's rdesktop to crash or, possibly, execute an arbitrary code. (CVE-2008-1801, CVE-2008-1803) Users of rdesktop should upgrade to these updated packages, which contain a backported patches to resolve these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2008-1801 CVE-2008-1803 CVE-2008-1801 rdesktop: iso_recv_msg() Integer Underflow Vulnerability CVE-2008-1803 rdesktop: channel_process() Integer Signedness Vulnerability cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 rdesktop is an open source client for Microsoft Windows NT Terminal Server and Microsoft Windows 2000 and 2003 Terminal Services, capable of natively using the Remote Desktop Protocol (RDP) to present the user's NT desktop. No additional server extensions are required. An integer underflow vulnerability was discovered in the rdesktop. If an attacker could convince a victim to connect to a malicious RDP server, the attacker could cause the victim's rdesktop to crash or, possibly, execute an arbitrary code. (CVE-2008-1801) Users of rdesktop should upgrade to these updated packages, which contain a backported patch to resolve this issue. Moderate Copyright 2008 Red Hat, Inc. CVE-2008-1801 CVE-2008-1801 rdesktop: iso_recv_msg() Integer Underflow Vulnerability cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 vsftpd (Very Secure File Transfer Protocol (FTP) daemon) is a secure FTP server for Linux and Unix-like systems. The version of vsftpd as shipped in Red Hat Enterprise Linux 3 when used in combination with Pluggable Authentication Modules (PAM) had a memory leak on an invalid authentication attempt. Since vsftpd prior to version 2.0.5 allows any number of invalid attempts on the same connection this memory leak could lead to an eventual DoS. (CVE-2008-2375) This update mitigates this security issue by including a backported patch which terminates a session after a given number of failed log in attempts. The default number of attempts is 3 and this can be configured using the "max_login_fails" directive. All vsftpd users should upgrade to this updated package, which addresses this vulnerability. Moderate Copyright 2008 Red Hat, Inc. CVE-2008-2375 CVE-2008-2375 older vsftpd authentication memory leak cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Vim (Visual editor IMproved) is an updated and improved version of the vi editor. Several input sanitization flaws were found in Vim's keyword and tag handling. If Vim looked up a document's maliciously crafted tag or keyword, it was possible to execute arbitrary code as the user running Vim. (CVE-2008-4101) Multiple security flaws were found in netrw.vim, the Vim plug-in providing file reading and writing over the network. If a user opened a specially crafted file or directory with the netrw plug-in, it could result in arbitrary code execution as the user running Vim. (CVE-2008-3076) A security flaw was found in zip.vim, the Vim plug-in that handles ZIP archive browsing. If a user opened a ZIP archive using the zip.vim plug-in, it could result in arbitrary code execution as the user running Vim. (CVE-2008-3075) A security flaw was found in tar.vim, the Vim plug-in which handles TAR archive browsing. If a user opened a TAR archive using the tar.vim plug-in, it could result in arbitrary code execution as the user runnin Vim. (CVE-2008-3074) Several input sanitization flaws were found in various Vim system functions. If a user opened a specially crafted file, it was possible to execute arbitrary code as the user running Vim. (CVE-2008-2712) Ulf Härnhammar, of Secunia Research, discovered a format string flaw in Vim's help tag processor. If a user was tricked into executing the "helptags" command on malicious data, arbitrary code could be executed with the permissions of the user running Vim. (CVE-2007-2953) All Vim users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2007-2953 CVE-2008-2712 CVE-2008-3074 CVE-2008-3075 CVE-2008-4101 CVE-2008-6235 CVE-2007-2953 vim format string flaw CVE-2008-2712 vim: command execution via scripts not sanitizing inputs to execute and system CVE-2008-4101 vim: arbitrary code execution in commands: K, Control-], g] CVE-2008-3074 Vim tar.vim plugin: improper Implementation of shellescape() (arbitrary code execution) CVE-2008-3075 Vim zip.vim plugin: improper Implementation of shellescape() (arbitrary code execution) CVE-2008-6235 Vim netrw.vim plugin: lack of sanitization throughout netrw.vim can lead to arbitrary code execution cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 The bluez-libs package contains libraries for use in Bluetooth applications. The bluez-utils package contains Bluetooth daemons and utilities. An input validation flaw was found in the Bluetooth Session Description Protocol (SDP) packet parser used by the Bluez Bluetooth utilities. A Bluetooth device with an already-established trust relationship, or a local user registering a service record via a UNIX® socket or D-Bus interface, could cause a crash, or possibly execute arbitrary code with privileges of the hcid daemon. (CVE-2008-2374) Users of bluez-libs and bluez-utils are advised to upgrade to these updated packages, which contains a backported patch to correct this issue. Moderate Copyright 2008 Red Hat, Inc. CVE-2008-2374 CVE-2008-2374 bluez-libs: SDP payload processing vulnerability cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 OpenLDAP is an open source suite of Lightweight Directory Access Protocol (LDAP) applications and development tools. LDAP is a set of protocols for accessing directory services. A denial of service flaw was found in the way the OpenLDAP slapd daemon processed certain network messages. An unauthenticated remote attacker could send a specially crafted request that would crash the slapd daemon. (CVE-2008-2952) Users of openldap should upgrade to these updated packages, which contain a backported patch to correct this issue. Important Copyright 2008 Red Hat, Inc. CVE-2008-2952 CVE-2008-2952 OpenLDAP denial-of-service flaw in ASN.1 decoder cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Pidgin is a multi-protocol Internet Messaging client. An integer overflow flaw was found in Pidgin's MSN protocol handler. If a user received a malicious MSN message, it was possible to execute arbitrary code with the permissions of the user running Pidgin. (CVE-2008-2927) Note: the default Pidgin privacy setting only allows messages from users in the buddy list. This prevents arbitrary MSN users from exploiting this flaw. This update also addresses the following bug: * when attempting to connect to the ICQ network, Pidgin would fail to connect, present an alert saying the "The client version you are using is too old", and de-activate the ICQ account. This update restores Pidgin's ability to connect to the ICQ network. All Pidgin users should upgrade to these updated packages, which contain backported patches to resolve these issues. Important Copyright 2008 Red Hat, Inc. CVE-2008-2927 RHEL5 - Fix ICQ login CVE-2008-2927 pidgin MSN integer overflow RHEL4 - Fix ICQ login RHEL3 - Fix ICQ login cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 The Java Runtime Environment (JRE) contains the software and tools that users need to run applets and applications written using the Java programming language. A vulnerability was found in the Java Management Extensions (JMX) management agent, when local monitoring is enabled. This allowed remote attackers to perform illegal operations. (CVE-2008-3103) Multiple vulnerabilities with unsigned applets were reported. A remote attacker could misuse an unsigned applet to connect to localhost services running on the host running the applet. (CVE-2008-3104) Several vulnerabilities in the Java API for XML Web Services (JAX-WS) client and service implementation were found. A remote attacker who caused malicious XML to be processed by a trusted or untrusted application was able access URLs or cause a denial of service. (CVE-2008-3105, CVE-2008-3106) A JRE vulnerability could be triggered by an untrusted application or applet. A remote attacker could grant an untrusted applet or application extended privileges such as being able to read and write local files, or execute local programs. (CVE-2008-3107) Several vulnerabilities within the JRE scripting support were reported. A remote attacker could grant an untrusted applet extended privileges such as reading and writing local files, executing local programs, or querying the sensitive data of other applets. (CVE-2008-3109, CVE-2008-3110) A vulnerability in Java Web Start was found. A remote attacker was able to create arbitrary files with the permissions of the user running the untrusted Java Web Start application. (CVE-2008-3112) Another vulnerability in Java Web Start when processing untrusted applications was reported. An attacker was able to acquire sensitive information, such as the cache location. (CVE-2008-3114) Users of java-1.6.0-sun should upgrade to these updated packages, which correct these issues. Critical Copyright 2008 Red Hat, Inc. CVE-2008-3103 CVE-2008-3104 CVE-2008-3105 CVE-2008-3106 CVE-2008-3107 CVE-2008-3109 CVE-2008-3110 CVE-2008-3112 CVE-2008-3114 CVE-2008-3105 CVE-2008-3106 OpenJDK JAX-WS unauthorized URL access (6542088) CVE-2008-3107 JDK untrusted applet/application privilege escalation (6661918) CVE-2008-3103 OpenJDK JMX allows illegal operations with local monitoring (6332953) CVE-2008-3104 Java RE allows Same Origin Policy to be Bypassed (6687932) CVE-2008-3109 CVE-2008-3110 Security Vulnerabilities in the Java Runtime Environment Scripting Language Support (6529568, 6529579) CVE-2008-3112 Java Web Start, arbitrary file creation (6703909) CVE-2008-3114 Java Web Start, untrusted application may determine Cache Location (6704074) cpe:/a:redhat:rhel_extras Supplementary for Red Hat Enterprise Linux 5 The Java Runtime Environment (JRE) contains the software and tools that users need to run applets and applications written using the Java programming language. A vulnerability was found in the Java Management Extensions (JMX) management agent, when local monitoring is enabled. This allowed remote attackers to perform illegal operations. (CVE-2008-3103) Multiple vulnerabilities with unsigned applets were reported. A remote attacker could misuse an unsigned applet to connect to localhost services running on the host running the applet. (CVE-2008-3104) A Java Runtime Environment (JRE) vulnerability could be triggered by an untrusted application or applet. A remote attacker could grant an untrusted applet extended privileges such as reading and writing local files, or executing local programs. (CVE-2008-3107) Several buffer overflow vulnerabilities in Java Web Start were reported. These vulnerabilities may allow an untrusted Java Web Start application to elevate its privileges and thereby grant itself permission to read and/or write local files, as well as to execute local applications accessible to the user running the untrusted application. (CVE-2008-3111) Two file processing vulnerabilities in Java Web Start were found. A remote attacker, by means of an untrusted Java Web Start application, was able to create or delete arbitrary files with the permissions of the user running the untrusted application. (CVE-2008-3112, CVE-2008-3113) A vulnerability in Java Web Start when processing untrusted applications was reported. An attacker was able to acquire sensitive information, such as the cache location. (CVE-2008-3114) Users of java-1.5.0-sun should upgrade to these updated packages, which correct these issues. Critical Copyright 2008 Red Hat, Inc. CVE-2008-3103 CVE-2008-3104 CVE-2008-3107 CVE-2008-3111 CVE-2008-3112 CVE-2008-3113 CVE-2008-3114 CVE-2008-3107 JDK untrusted applet/application privilege escalation (6661918) CVE-2008-3103 OpenJDK JMX allows illegal operations with local monitoring (6332953) CVE-2008-3104 Java RE allows Same Origin Policy to be Bypassed (6687932) CVE-2008-3111 Java Web Start Buffer overflow vulnerabilities (6557220) CVE-2008-3112 Java Web Start, arbitrary file creation (6703909) CVE-2008-3113 Java Web Start arbitrary file creation/deletion file with user permissions (6704077) CVE-2008-3114 Java Web Start, untrusted application may determine Cache Location (6704074) cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 5 Mozilla Firefox is an open source Web browser. An integer overflow flaw was found in the way Firefox displayed certain web content. A malicious web site could cause Firefox to crash, or execute arbitrary code with the permissions of the user running Firefox. (CVE-2008-2785) A flaw was found in the way Firefox handled certain command line URLs. If another application passed Firefox a malformed URL, it could result in Firefox executing local malicious content with chrome privileges. (CVE-2008-2933) All firefox users should upgrade to these updated packages, which contain Firefox 3.0.1 that corrects these issues. Critical Copyright 2008 Red Hat, Inc. CVE-2008-2785 CVE-2008-2933 CVE-2008-3198 CVE-2008-2785 mozilla: CSS reference counter overflow (ZDI-CAN-349) CVE-2008-2933 Firefox command line URL launches multi-tabs cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Mozilla Firefox is an open source Web browser. An integer overflow flaw was found in the way Firefox displayed certain web content. A malicious web site could cause Firefox to crash, or execute arbitrary code with the permissions of the user running Firefox. (CVE-2008-2785) A flaw was found in the way Firefox handled certain command line URLs. If another application passed Firefox a malformed URL, it could result in Firefox executing local malicious content with chrome privileges. (CVE-2008-2933) All firefox users should upgrade to this updated package, which contains backported patches that correct these issues. Critical Copyright 2008 Red Hat, Inc. CVE-2008-2785 CVE-2008-2933 CVE-2008-2785 mozilla: CSS reference counter overflow (ZDI-CAN-349) CVE-2008-2933 Firefox command line URL launches multi-tabs cpe:/o:redhat:rhel_eus cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 SeaMonkey is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. An integer overflow flaw was found in the way SeaMonkey displayed certain web content. A malicious web site could cause SeaMonkey to crash or execute arbitrary code with the permissions of the user running SeaMonkey. (CVE-2008-2785) All seamonkey users should upgrade to these updated packages, which contain a backported patch to resolve this issue. Critical Copyright 2008 Red Hat, Inc. CVE-2008-2785 CVE-2008-2785 mozilla: CSS reference counter overflow (ZDI-CAN-349) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated packages fix the following security issue: * a possible kernel memory leak was found in the Linux kernel Simple Internet Transition (SIT) INET6 implementation. This could allow a local unprivileged user to cause a denial of service. (CVE-2008-2136, Important) As well, these updated packages fix the following bugs: * a possible kernel hang on hugemem systems, due to a bug in NFS, which may have caused systems to become unresponsive, has been resolved. * an inappropriate exit condition occurred in the architecture-specific "mmap()" realization, which fell into an infinite loop under certain conditions. On 64-bit systems, this issue may have manifested itself to users as a soft lockup, or process hangs. * due to a bug in hardware initialization in the "ohci_hcd" kernel module, the kernel may have failed with a NULL pointer dereference. On 64-bit PowerPC systems, this may have caused booting to fail, and drop to xmon. On other platforms, a kernel oops occurred. * due to insufficient locks in task termination code, a panic may have occurred in the "sys_times()" system call on SMP machines. Red Hat Enterprise Linux 4 users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. Important Copyright 2008 Red Hat, Inc. CVE-2008-2136 CVE-2008-2136 kernel: sit memory leak [RHEL 4] cffimtgsaslx08 hung Patch for bug 360281 "Odd behaviour in mmap" introduces regression kernel failed to boot and dropped to xmon kernel panic with kernel version 2.6.9-67.0.20.EL cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated packages fix the following security issues: * a possible kernel memory leak was found in the Linux kernel Simple Internet Transition (SIT) INET6 implementation. This could allow a local unprivileged user to cause a denial of service. (CVE-2008-2136, Important) * a flaw was found in the Linux kernel setrlimit system call, when setting RLIMIT_CPU to a certain value. This could allow a local unprivileged user to bypass the CPU time limit. (CVE-2008-1294, Moderate) * multiple NULL pointer dereferences were found in various Linux kernel network drivers. These drivers were missing checks for terminal validity, which could allow privilege escalation. (CVE-2008-2812, Moderate) These updated packages fix the following bugs: * the GNU libc stub resolver is a minimal resolver that works with Domain Name System (DNS) servers to satisfy requests from applications for names. The GNU libc stub resolver did not specify a source UDP port, and therefore used predictable port numbers. This could have made DNS spoofing attacks easier. The Linux kernel has been updated to implement random UDP source ports where none are specified by an application. This allows applications, such as those using the GNU libc stub resolver, to use random UDP source ports, helping to make DNS spoofing attacks harder. * when using certain hardware, a bug in UART_BUG_TXEN may have caused incorrect hardware detection, causing data flow to "/dev/ttyS1" to hang. * a 50-75% drop in NFS server rewrite performance, compared to Red Hat Enterprise Linux 4.6, has been resolved. * due a bug in the fast userspace mutex code, while one thread fetched a pointer, another thread may have removed it, causing the first thread to fetch the wrong pointer, possibly causing a system crash. * on certain Hitachi hardware, removing the "uhci_hcd" module caused a kernel oops, and the following error: BUG: warning at arch/ia64/kernel/iosapic.c:1001/iosapic_unregister_intr() Even after the "uhci_hcd" module was reloaded, there was no access to USB devices. As well, on systems that have legacy interrupts, "acpi_unregister_gsi" incorrectly called "iosapci_unregister_intr()", causing warning messages to be logged. * when a page was mapped with mmap(), and "PROT_WRITE" was the only "prot" argument, the first read of that page caused a segmentation fault. If the page was read after it was written to, no fault occurred. This was incompatible with the Red Hat Enterprise Linux 4 behavior. * due to a NULL pointer dereference in powernowk8_init(), a panic may have occurred. * certain error conditions handled by the bonding sysfs interface could have left rtnl_lock() unbalanced, either by locking and returning without unlocking, or by unlocking when it did not lock, possibly causing a "kernel: RTNL: assertion failed at net/core/fib_rules.c" error. * the kernel currently expects a maximum of six Machine Check Exception (MCE) banks to be exposed by a CPU. Certain CPUs have 7 or more, which may have caused the MCE to be incorrectly reported. * a race condition in UNIX domain sockets may have caused recv() to return zero. For clusters, this may have caused unexpected failovers. * msgrcv() frequently returned an incorrect "ERESTARTNOHAND (514)" error number. * on certain Intel Itanium-based systems, when kdump was configured to halt the system after a dump operation, after the "System halted." output, the kernel continued to output endless "soft lockup" messages. Red Hat Enterprise Linux 5 users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. Important Copyright 2008 Red Hat, Inc. CVE-2008-2136 CVE-2008-1294 CVE-2008-2812 CVE-2008-1294 kernel: setrlimit(RLIMIT_CPUINFO) with zero value doesn't inherit properly across children [Stratus 5.2.z][1/2] ttyS1 lost interrupt and it stops transmitting [rhel-5.2.z] CVE-2008-2136 kernel: sit memory leak 50-75 % drop in nfs-server rewrite performance compared to rhel 4.6+ [rhel-5.2.z] Kernel crash on futex [rhel-5.2.z] [RHEL5] BUG: warning at arch/ia64/kernel/iosapic.c:1001/iosapic_unregiste mmap() with PROT_WRITE on RHEL5 incompatible with RHEL4. RHEL 5.3 NULL pointer dereferenced in powernowk8_init bonding driver can leave rtnl_lock unbalanced RHEL 5.3 extend MCE banks support for Dunnington, Nehalem, and beyond [RHEL5.1] In unix domain sockets, recv() may incorrectly return zero CVE-2008-2812 kernel: NULL ptr dereference in multiple network drivers due to missing checks in tty code kernel: randomize udp port allocation [Stratus 5.2.z][2/2] ttyS1 lost interrupt and it stops transmitting The msgrcv() syscall fails with error number 514 (ERESTARTNOHAND). [REG][5.3] Soft lockup is detected cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 Mozilla Thunderbird is a standalone mail and newsgroup client. Multiple flaws were found in the processing of malformed JavaScript content. An HTML mail containing such malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code as the user running Thunderbird. (CVE-2008-2801, CVE-2008-2802, CVE-2008-2803) Several flaws were found in the processing of malformed HTML content. An HTML mail containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code as the user running Thunderbird. (CVE-2008-2785, CVE-2008-2798, CVE-2008-2799, CVE-2008-2811) Several flaws were found in the way malformed HTML content was displayed. An HTML mail containing specially-crafted content could, potentially, trick a Thunderbird user into surrendering sensitive information. (CVE-2008-2800) Two local file disclosure flaws were found in Thunderbird. An HTML mail containing malicious content could cause Thunderbird to reveal the contents of a local file to a remote attacker. (CVE-2008-2805, CVE-2008-2810) A flaw was found in the way a malformed .properties file was processed by Thunderbird. A malicious extension could read uninitialized memory, possibly leaking sensitive data to the extension. (CVE-2008-2807) A flaw was found in the way Thunderbird escaped a listing of local file names. If a user could be tricked into listing a local directory containing malicious file names, arbitrary JavaScript could be run with the permissions of the user running Thunderbird. (CVE-2008-2808) A flaw was found in the way Thunderbird displayed information about self-signed certificates. It was possible for a self-signed certificate to contain multiple alternate name entries, which were not all displayed to the user, allowing them to mistakenly extend trust to an unknown site. (CVE-2008-2809) Note: JavaScript support is disabled by default in Thunderbird. The above issues are not exploitable unless JavaScript is enabled. All Thunderbird users should upgrade to these updated packages, which contain backported patches to resolve these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2008-2785 CVE-2008-2798 CVE-2008-2799 CVE-2008-2800 CVE-2008-2801 CVE-2008-2802 CVE-2008-2803 CVE-2008-2805 CVE-2008-2807 CVE-2008-2808 CVE-2008-2809 CVE-2008-2810 CVE-2008-2811 CVE-2008-2785 mozilla: CSS reference counter overflow (ZDI-CAN-349) CVE-2008-2798 Firefox malformed web content flaws CVE-2008-2799 Firefox javascript arbitrary code execution CVE-2008-2800 Firefox XSS attacks CVE-2008-2802 Firefox arbitrary JavaScript code execution CVE-2008-2803 Firefox javascript arbitrary code execution CVE-2008-2805 Firefox arbitrary file disclosure CVE-2008-2801 Firefox arbitrary signed JAR code execution CVE-2008-2807 Firefox .properties memory leak CVE-2008-2808 Firefox file location escaping flaw CVE-2008-2809 Firefox self signed certificate flaw CVE-2008-2810 Firefox arbitrary file disclosure CVE-2008-2811 Firefox block reflow flaw cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 Vim (Visual editor IMproved) is an updated and improved version of the vi editor. Several input sanitization flaws were found in Vim's keyword and tag handling. If Vim looked up a document's maliciously crafted tag or keyword, it was possible to execute arbitrary code as the user running Vim. (CVE-2008-4101) A heap-based overflow flaw was discovered in Vim's expansion of file name patterns with shell wildcards. An attacker could create a specially-crafted file or directory name that, when opened by Vim, caused the application to crash or, possibly, execute arbitrary code. (CVE-2008-3432) Several input sanitization flaws were found in various Vim system functions. If a user opened a specially crafted file, it was possible to execute arbitrary code as the user running Vim. (CVE-2008-2712) Ulf Härnhammar, of Secunia Research, discovered a format string flaw in Vim's help tag processor. If a user was tricked into executing the "helptags" command on malicious data, arbitrary code could be executed with the permissions of the user running Vim. (CVE-2007-2953) All Vim users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2007-2953 CVE-2008-2712 CVE-2008-3432 CVE-2008-4101 CVE-2007-2953 vim format string flaw CVE-2008-2712 vim: command execution via scripts not sanitizing inputs to execute and system CVE-2008-3432 vim: heap buffer overflow in mch_expand_wildcards() CVE-2008-4101 vim: arbitrary code execution in commands: K, Control-], g] cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 Adobe Acrobat Reader allows users to view and print documents in Portable Document Format (PDF). An input validation flaw was discovered in a JavaScript engine used by Acrobat Reader. A malicious PDF file could cause Acrobat Reader to crash or, potentially, execute arbitrary code as the user running Acrobat Reader. (CVE-2008-2641) An insecure temporary file usage issue was discovered in the Acrobat Reader "acroread" startup script. A local attacker could potentially overwrite arbitrary files that were writable by the user running Acrobat Reader, if the victim ran "acroread" with certain command line arguments. (CVE-2008-0883) All acroread users are advised to upgrade to these updated packages, that contain Acrobat Reader version 8.1.2 Security Update 1, and are not vulnerable to these issues. Critical Copyright 2008 Red Hat, Inc. CVE-2008-0883 CVE-2008-2641 CVE-2008-0883 acroread: insecure handling of temporary files CVE-2008-2641 acroread: input validation issue in a JavaScript method cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 5 Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. A cross-site scripting vulnerability was discovered in the HttpServletResponse.sendError() method. A remote attacker could inject arbitrary web script or HTML via forged HTTP headers. (CVE-2008-1232) An additional cross-site scripting vulnerability was discovered in the host manager application. A remote attacker could inject arbitrary web script or HTML via the hostname parameter. (CVE-2008-1947) A traversal vulnerability was discovered when using a RequestDispatcher in combination with a servlet or JSP. A remote attacker could utilize a specially-crafted request parameter to access protected web resources. (CVE-2008-2370) An additional traversal vulnerability was discovered when the "allowLinking" and "URIencoding" settings were activated. A remote attacker could use a UTF-8-encoded request to extend their privileges and obtain local files accessible to the Tomcat process. (CVE-2008-2938) Users of tomcat should upgrade to these updated packages, which contain backported patches to resolve these issues. Important Copyright 2008 Red Hat, Inc. CVE-2008-1232 CVE-2008-1947 CVE-2008-2370 CVE-2008-2938 CVE-2008-1947 Tomcat host manager xss - name field CVE-2008-2938 tomcat Unicode directory traversal vulnerability CVE-2008-1232 tomcat: Cross-Site-Scripting enabled by sendError call CVE-2008-2370 tomcat RequestDispatcher information disclosure vulnerability cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 libxslt is a library for transforming XML files into other XML files using the standard XSLT stylesheet transformation mechanism. A heap buffer overflow flaw was discovered in the RC4 libxslt library extension. An attacker could create a malicious XSL file that would cause a crash, or, possibly, execute arbitrary code with the privileges of the application using the libxslt library to perform XSL transformations on untrusted XSL style sheets. (CVE-2008-2935) Red Hat would like to thank Chris Evans for reporting this vulnerability. All libxslt users are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. Moderate Copyright 2008 Red Hat, Inc. CVE-2008-2935 CVE-2008-2935 libxslt: buffer overflow in libexslt RC4 encryption/decryption functions cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The kernel packages contain the Linux kernel, the core of any Linux operating system. Kernel Feature Support: * iostat displays I/O performance for partitions * I/O task accounting added to getrusage(), allowing comprehensive core statistics * page cache pages count added to show_mem() output * tux O_ATOMICLOOKUP flag removed from the open() system call: replaced with O_CLOEXEC * the kernel now exports process limit information to /proc/[PID]/limits * implement udp_poll() to reduce likelihood of false positives returned from select() * the TCP_RTO_MIN parameter can now be configured to a maximum of 3000 milliseconds. This is configured using "ip route" * update CIFS to version 1.50 Added Features: * nfs.enable_ino64 boot command line parameter: enable and disable 32-bit inode numbers when using NFS * tick "divider" kernel boot parameter: reduce CPU overhead, and increase efficiency at the cost of lowering timing accuracy * /proc/sys/vm/nfs-writeback-lowmem-only tunable parameter: resolve NFS read performance * /proc/sys/vm/write-mapped tunable option, allowing the option of faster NFS reads * support for Large Receive Offload as a networking module * core dump masking, allowing a core dump process to skip the shared memory segments of a process Virtualization: * para-virtualized network and block device drivers, to increase fully-virtualized guest performance * support for more than three VNIF numbers per guest domain Platform Support: * AMD ATI SB800 SATA controller, AMD ATI SB600 and SB700 40-pin IDE cable * 64-bit DMA support on AMD ATI SB700 * PCI device IDs to support Intel ICH10 * /dev/msr[0-n] device files * powernow-k8 as a module * SLB shadow buffer support for IBM POWER6 systems * support for CPU frequencies greater than 32-bit on IBM POWER5, IBM POWER6 * floating point load and store handler for IBM POWER6 Added Drivers and Updates: * ixgbe 1.1.18, for the Intel 82598 10GB ethernet controller * bnx2x 1.40.22, for network adapters on the Broadcom 5710 chipset * dm-hp-sw 1.0.0, for HP Active/Standby * zfcp version and bug fixes * qdio to fix FCP/SCSI write I/O expiring on LPARs * cio bug fixes * eHEA latest upstream, and netdump and netconsole support * ipr driver support for dual SAS RAID controllers * correct CPU cache info and SATA support for Intel Tolapai * i5000_edac support for Intel 5000 chipsets * i3000_edac support for Intel 3000 and 3010 chipsets * add i2c_piix4 module on 64-bit systems to support AMD ATI SB600, 700 and 800 * i2c-i801 support for Intel Tolapai * qla4xxx: 5.01.01-d2 to 5.01.02-d4-rhel4.7-00 * qla2xxx: 8.01.07-d4 to 8.01.07-d4-rhel4.7-02 * cciss: 2.6.16 to 2.6.20 * mptfusion: 3.02.99.00rh to 3.12.19.00rh * lpfc:0: 8.0.16.34 to 8.0.16.40 * megaraid_sas: 00.00.03.13 to 00.00.03.18-rh1 * stex: 3.0.0.1 to 3.6.0101.2 * arcmsr: 1.20.00.13 to 1.20.00.15.rh4u7 * aacraid: 1.1-5[2441] to 1.1.5[2455] Miscellaneous Updates: * OFED 1.3 support * wacom driver to add support for Cintiq 20WSX, Wacom Intuos3 12x19, 12x12 and 4x6 tablets * sata_svw driver to support Broadcom HT-1100 chipsets * libata to un-blacklist Hitachi drives to enable NCQ * ide driver allows command line option to disable ide drivers * psmouse support for cortps protocol These updated packages fix the following security issues: * NULL pointer access due to missing checks for terminal validity. (CVE-2008-2812, Moderate) * a security flaw was found in the Linux kernel Universal Disk Format file system. (CVE-2006-4145, Low) For further details, refer to the latest Red Hat Enterprise Linux 4.7 release notes: redhat.com/docs/manuals/enterprise Moderate Copyright 2008 Red Hat, Inc. CVE-2006-4145 CVE-2008-2812 mount are not interruptible ext2online can't resize: No space left on device A NFS export mounted using version 4 and TCP shows up as UDP in /proc/mounts pvmove causes kernel panic Assertion failure in journal_next_log_block Kernel build requires "High Memory Support" Incorrect suggestion on when to install largesmp kernel mdadm --grow -n 2 (old: 3) fails on particular raid1 devices RFE: Add dm-hp-sw to kernel to allow use of active/passive sans with dm multipathing kernel retries portmap query indefinitely when statd is down Firewall - Premature ip_conntrack timer expiry on 3+ ack or window size advertisements - (hanging tomcat threads problem) [PATCH][RHEL4U4] Fix estimate-mistake (e820-memory-hole and numnodes) of available_memory in x86_64 [PATCH][RHEL4U4] Backported udp_poll() function (Fix the problem that select() returns in RHEL4 though select() must not return essentially when kernel receives broken UDP packet(s)) /sbin/service iptables stop hangs on modprobe -r ipt_state Crash dump fails on IA64 with block_order set to 10 READDIR on a NFSv4 directory containing a referral returns -EIO for entire directory Missing definition for mutex_destroy in linux/kernel.h RHEL4-U5: "cdrom open failed" message in /var/log/messages on every reboot dm-mirror: spinlock in write_callback has the potential for deadlock Backport divider= option from RHEL5 U1 to RHEL4 [RHEL4 U4] NFS server, rpciod was stuck in a infinite loop, Oracle ASM DBWR process goes into 100% CPU spin when using hugepages on ia64 xenbus has use-after-free in drivers/xen/xenbus/xenbus_xs.c xenbus suspend_mutex remains locked after transaction failure oopses when multicasting with connection oriented socket [Promise 4.7 feat] Update stex driver to version 3.6.0101.2 ipv6 device reference counting error in net/ipv6/anycast.c AMD/ATI SB600/700/800 use same SMBus controller devID RHEL4 U5: ia64 machine hang when DB starts using rac/nfs/hugepages Long Delay before OOMKill launches [RHEL 4.5] forcedeth: pull latest upstream updates need a way to disable ide drivers epoll_wait(..., -100) results in printk ip_tables reference count will underflow occasionally PCI: hotplug: acpiphp: avoid acpiphp "cannot get bridge info" PCI hotplug failure We need SB800 SATA Controller supported in RHEL4.7 sb600 system generates ATA errors during initscripts CVE-2006-4145 UDF truncating issue i386 compressed diskdump header contains incorrect panic cpu kernel BUG at mm/rmap.c:479 during suspend/resume testing ptrace: i386 debugger + x86_64 kernel + threaded (i386) inferior = error RHEL 4.7: SB700 contains two IDE channels [RHEL4] Patch pata_jmicron to support new controller RHEL4.6: AD1984 HDAudio does not work on AMD Trevally Board(RS690 + SB700) readdir on nfs4 passing non-posix errors to userspace pull upstream patches for smbfs [PATCH] nfsv4 fails to update content of files when open for write RHEL4: Hald causes system deadlock on ia64 kernel dm: panic on shrinking device size [Stratus 4.7 bug] iounmap may sleep while holding vmlist_lock, causing a deadlock. NFS: Fix directory caching problem - with test case and patch. kernel dm: bd_mount_sem counter corruption kernel dm crypt: oops on device removal Marvell NIC using skge driver loses promiscuous mode on rewiring Assertion failure in journal_start() at fs/jbd/transaction.c:274: 'handle->h_transaction->t_journal == journal' execve returning EFBIG when running 4 GB executable Since "Patch2037: linux-2.6.9-vm-balance.patch" my NFS performance is poorly Deadlock while performing nfs operations. Checksum offloading and IP connection tracking don't play well together Please build SMBus driver i2c-piix4 as a module in RHEL4.7 Implement netif_release_rx_bufs for copying receiver [QLogic 4.7 bug][3/5] qla4xxx - Targets not seen on first port (5.01.02-d2 --> 5.01.02-d3) rapid block device plug / unplug leads to kernel crash and/or soft lockup FEAT: RHEL 4.7 Intel Tolapai cpucache patch [QLogic 4.7 Bug][5/5] qla2xxx - avoid delay for loop ready when loop dead ptrace: PTRACE_SINGLESTEP,signal steps on the 2nd instr. RHEL4, make tcp_input_metrics() get minimum RTO via tcp_rto_min() Update CIFS to 1.50cRH for 4.7 [RHEL-4] RFE: Add EDAC driver for Intel 3000/3010 chipsets [Areca 4.7 feat] Update the arcmsr driver to 1.20.00.15.RH Can not send redirect packet when jiffiess wraparound RHEL4.7: HDMI Audio support for AMD ATI chipsets Allocations on resume path can cause deadlock due to attempting to swap Fake ARP dropped after migration leading to loss of network connectivity [QLogic 4.7 bug][4/5] qla4xxx - Race condition fixes w/ constant qla3xxx ifup/ifdown (5.01.02-d3 --> 5.01.02-d4) [NetApp-S 4.7 bug] LUN removal status is not updated on the host without a driver reload nfs server sending short packets on nfsv2 UDP readdir replies [RHEL4.6]: Under load, an i386 PV guest on i386 HV will hang during save/restore [EMC 4.7 bug] nfs_access_cache_shrinker() race with umount oProfile Driver Module Patch for Family10h ptrace: ERESTARTSYS from calling a function from a debugger [RHEL4.7]: PV kernel can OOPs during live migrate RHEL4.7: USB stress test failure on AMD SBX00 Add Xen disk and network paravirtualized drivers to bare-metal kernel [RHEL 4.6] bonding 802.3ad does not work RHEL4.6 Diskdump performance regression (mptfusion) Add invocation of weak-modules on kernel install/remove 68.25 Kernel rpm installation/uninstallation errors out 32bit NFS server returns -EIO for readdirplus request when backing file system has 32bit inodes cluster mirrors should not be attempted when cmirror modules are not loaded gettimeofday is not monotonically increasing [Broadcom 4.7 bug] HT1000 chip based systems getting blacklisted for msi RHEL4 kernel ignores extended cpu model field oprofile fix to support Penryn-based processors do not limit locked memory when RLIMIT_MEMLOCK is RLIM_INFINITY [QLogic 4.7 feat] Update qla2xxx - qla84xx variant support. bonding: incorrect backport creates possible incorrect interface flags Memory corruption due to VNIF increase kernel panic in gnttab_map when booting RHEL4 x86_64 FV xen guest oops in cifs module while trying to stop a thread (kthread_stop) during filesystem mount kernel failed to boot and dropped to xmon cciss driver crash ls shows two /proc/[pid]/limits files for every process Fake ARP dropped after migration leading to loss of network connectivity RHEL4 U6 hang in epoll_wait parted error: Can't open /dev/xvda while probing disks during installation [QLogic 4.7 bug] qla2xxx - Update firmware for 4, 8 Gb/S adapters Patch for bug 435280 introduces possibility of dead lock System hangs when using /proc/sys/vm/drop_caches under heavy load on large system. Patch for bug 360281 "Odd behaviour in mmap" introduces regression [QLogic 4.7 bug] qla2xxx- several fixes: ioctl module and slab corruption (8.02.09-d0-rhel4.7-04) vmware - Console graphic problem when mouse is moved CVE-2008-2812 kernel: NULL ptr dereference in multiple network drivers due to missing checks in tty code cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 vsftpd (Very Secure File Transfer Protocol (FTP) daemon) is a secure FTP server for Linux and Unix-like systems. The version of vsftpd as shipped in Red Hat Enterprise Linux 4 when used in combination with Pluggable Authentication Modules (PAM) had a memory leak on an invalid authentication attempt. Since vsftpd prior to version 2.0.5 allows any number of invalid attempts on the same connection this memory leak could lead to an eventual DoS. (CVE-2008-2375) This update mitigates this security issue by including a backported patch which terminates a session after a given number of failed log in attempts. The default number of attempts is 3 and this can be configured using the "max_login_fails" directive. This package also addresses the following bugs: * when uploading unique files, a bug in vsftpd caused the file to be saved with a suffix '.1' even when no previous file with that name existed. This issues is resolved in this package. * when vsftpd was run through the init script, it was possible for the init script to print an 'OK' message, even though the vsftpd may not have started. The init script no longer produces a false verification with this update. * vsftpd only supported usernames with a maximum length of 32 characters. The updated package now supports usernames up to 128 characters long. * a system flaw meant vsftpd output could become dependent on the timing or sequence of other events, even when the "lock_upload_files" option was set. If a file, filename.ext, was being uploaded and a second transfer of the file, filename.ext, was started before the first transfer was finished, the resultant uploaded file was a corrupt concatenation of the latter upload and the tail of the earlier upload. With this updated package, vsftpd allows the earlier upload to complete before overwriting with the latter upload, fixing the issue. * the 'lock_upload_files' option was not documented in the manual page. A new manual page describing this option is included in this package. * vsftpd did not support usernames that started with an underscore or a period character. These special characters are now allowed at the beginning of a username. * when storing a unique file, vsftpd could cause an error for some clients. This is rectified in this package. * vsftpd init script was found to not be Linux Standards Base compliant. This update corrects their exit codes to conform to the standard. All vsftpd users are advised to upgrade to this updated package, which resolves these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2008-2375 vsftpd 2.0.1 memory leak vsftpd is checked wrongly in init script maximum username length too short vsftpd has a create/lock race condition which corrupts uploads Uploaded file corrupted when two connections from same client uploading same file simultaneously lock_upload_files not documented in vsftpd.conf man page Memory leak in pattern matching function Wrong init script CVE-2008-2375 older vsftpd authentication memory leak cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The nss_ldap package contains the nss_ldap and pam_ldap modules. The nss_ldap module is a plug-in which allows applications to retrieve information about users and groups from a directory server. The pam_ldap module allows PAM-aware applications to use a directory server to verify user passwords. A race condition was discovered in nss_ldap, which affected certain applications that make LDAP connections, such as Dovecot. This could cause nss_ldap to answer a request for information about one user with the information about a different user. (CVE-2007-5794) As well, this updated package fixes the following bugs: * in certain situations, on Itanium(R) architectures, when an application performed an LDAP lookup for a highly populated group, for example, containing more than 150 members, the application crashed, or may have caused a segmentation fault. As well, this issue may have caused commands, such as "ls", to return a "ber_free_buf: Assertion" error. * when an application enumerated members of a netgroup, the nss_ldap module returned a successful status result and the netgroup name, even when the netgroup did not exist. This behavior was not consistent with other modules. In this updated package, nss_ldap no longer returns a successful status when the netgroup does not exist. * in master and slave server environments, with systems that were configured to use a read-only directory server, if user log in attempts were denied because their passwords had expired, and users attempted to immediately change their passwords, the replication server returned an LDAP referral, instructing the pam_ldap module to resissue its request to a different server; however, the pam_ldap module failed to do so. In these situations, an error such as the following occurred: LDAP password information update failed: Can't contact LDAP server Insufficient 'write' privilege to the 'userPassword' attribute of entry [entry] In this updated package, password changes are allowed when binding against a slave server, which resolves this issue. * when a system used a directory server for naming information, and "nss_initgroups_ignoreusers root" was configured in "/etc/ldap.conf", dbus-daemon-1 would hang. Running the "service messagebus start" command did not start the service, and it did not fail, which would stop the boot process if it was not cancelled. As well, this updated package upgrades nss_ldap to the version as shipped with Red Hat Enterprise Linux 5. Users of nss_ldap are advised to upgrade to this updated package, which resolves these issues. Low Copyright 2008 Red Hat, Inc. CVE-2007-5794 CVE-2007-5794 nss_ldap randomly replying with wrong user's data [rhel-4.7] nss_ldap crashes on large groups (IA64) nss_ldap / setnetgrent() returns always 1 despite not retrieving any valid results. CVE-2007-5794 nss_ldap randomly replying with wrong user's data Rebase nss_ldap to RHEL 5.2 version dbus-daemon-1 hangs when using the option nss_initgroups_ignoreusers in /etc/ldap.conf with the user root cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 rdesktop is an open source client for Microsoft Windows NT Terminal Server and Microsoft Windows 2000 and 2003 Terminal Services, capable of natively using the Remote Desktop Protocol (RDP) to present the user's NT desktop. No additional server extensions are required. An integer underflow vulnerability was discovered in the rdesktop. If an attacker could convince a victim to connect to a malicious RDP server, the attacker could cause the victim's rdesktop to crash or, possibly, execute an arbitrary code. (CVE-2008-1801) Additionally, the following bug was fixed: A missing command line option caused rdesktop to fail when using the krdc remote desktop utility. Using krdc to connect to a terminal server resulted in errors such as the following: The version of rdesktop you are using ([version]) is too old: rdesktop [version] or greater is required. A working patch for rdesktop [version] can be found in KDE CVS. In this updated package, krdc successfully connects to terminal servers. Users of rdesktop should upgrade to these updated packages, which contain a backported patches to resolve these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2008-1801 krdc requires rdesktop > 1.3.1 CVE-2008-1801 rdesktop: iso_recv_msg() Integer Underflow Vulnerability cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 MySQL is a multi-user, multi-threaded SQL database server. MySQL is a client/server implementation consisting of a server daemon (mysqld), and many different client programs and libraries. MySQL did not correctly check directories used as arguments for the DATA DIRECTORY and INDEX DIRECTORY directives. Using this flaw, an authenticated attacker could elevate their access privileges to tables created by other database users. Note: this attack does not work on existing tables. An attacker can only elevate their access to another user's tables as the tables are created. As well, the names of these created tables need to be predicted correctly for this attack to succeed. (CVE-2008-2079) MySQL did not require the "DROP" privilege for "RENAME TABLE" statements. An authenticated user could use this flaw to rename arbitrary tables. (CVE-2007-2691) MySQL allowed an authenticated user to access a table through a previously created MERGE table, even after the user's privileges were revoked from the original table, which might violate intended security policy. This is addressed by allowing the MERGE storage engine to be disabled, which can be done by running mysqld with the "--skip-merge" option. (CVE-2006-4031) A flaw in MySQL allowed an authenticated user to cause the MySQL daemon to crash via crafted SQL queries. This only caused a temporary denial of service, as the MySQL daemon is automatically restarted after the crash. (CVE-2006-3469) As well, these updated packages fix the following bugs: * in the previous mysql packages, if a column name was referenced more than once in an "ORDER BY" section of a query, a segmentation fault occurred. * when MySQL failed to start, the init script returned a successful (0) exit code. When using the Red Hat Cluster Suite, this may have caused cluster services to report a successful start, even when MySQL failed to start. In these updated packages, the init script returns the correct exit codes, which resolves this issue. * it was possible to use the mysqld_safe command to specify invalid port numbers (higher than 65536), causing invalid ports to be created, and, in some cases, a "port number definition: unsigned short" error. In these updated packages, when an invalid port number is specified, the default port number is used. * when setting "myisam_repair_threads > 1", any repair set the index cardinality to "1", regardless of the table size. * the MySQL init script no longer runs "chmod -R" on the entire database directory tree during every startup. * when running "mysqldump" with the MySQL 4.0 compatibility mode option, "--compatible=mysql40", mysqldump created dumps that omitted the "auto_increment" field. As well, the MySQL init script now uses more reliable methods for determining parameters, such as the data directory location. Note: these updated packages upgrade MySQL to version 4.1.22. For a full list of bug fixes and enhancements, refer to the MySQL release notes: http://dev.mysql.com/doc/refman/4.1/en/news-4-1-22.html All mysql users are advised to upgrade to these updated packages, which resolve these issues and add this enhancement. Moderate Copyright 2008 Red Hat, Inc. CVE-2006-3469 CVE-2006-4031 CVE-2007-2691 CVE-2008-2079 CVE-2006-3469 mysql server DoS Queries using a column name multiple times in ORDER BY crash mysql CVE-2006-4031 MySQL improper permission revocation chown -R of the mysql data directory every startup RFE+patch: MySQLd "init.d" startup script should rely on "/usr/bin/my_print_defaults" to get at options CVE-2007-2691 mysql DROP privilege not enforced when renaming tables CVE-2008-2079 mysql: privilege escalation via DATA/INDEX DIRECTORY directives cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The coreutils package contains the core GNU utilities. It is the combination of the old GNU fileutils, sh-utils, and textutils packages. The coreutils packages were found to not use the pam_succeed_if Pluggable Authentication Module (PAM) correctly in the configuration file for the "su" command. Any local user could use this command to change to a locked or expired user account if the target account's password was known to the user running "su". These updated packages, correctly, only allow the root user to switch to locked or expired accounts using "su". (CVE-2008-1946) All users of coreutils are advised to upgrade to this updated package, which resolve this issue. Low Copyright 2008 Red Hat, Inc. CVE-2008-1946 CVE-2008-1946 /etc/pam.d/su is wrong in RHEL-4.6 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Dnsmasq is lightweight DNS forwarder and DHCP server. It is designed to provide DNS and, optionally, DHCP, to a small network. The dnsmasq DNS resolver used a fixed source UDP port. This could have made DNS spoofing attacks easier. dnsmasq has been updated to use random UDP source ports, helping to make DNS spoofing attacks harder. (CVE-2008-1447) All dnsmasq users are advised to upgrade to this updated package, that upgrades dnsmasq to version 2.45, which resolves this issue. Moderate Copyright 2008 Red Hat, Inc. CVE-2008-1447 CVE-2008-1447 implement source UDP port randomization (CERT VU#800113) cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 The IBM 1.5.0 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. Multiple vulnerabilities with unsigned applets were reported. A remote attacker could misuse an unsigned applet to connect to localhost services running on the host running the applet. (CVE-2008-3104) A vulnerability in the XML processing API was found. A remote attacker who caused malicious XML to be processed by an untrusted applet or application was able to elevate permissions to access URLs on a remote host. (CVE-2008-3106) A buffer overflow vulnerability was found in the font processing code. This allowed remote attackers to extend the permissions of an untrusted applet or application, allowing it to read and/or write local files, as well as to execute local applications accessible to the user running the untrusted application. (CVE-2008-3108) Several buffer overflow vulnerabilities in Java Web Start were reported. These vulnerabilities allowed an untrusted Java Web Start application to elevate its privileges, allowing it to read and/or write local files, as well as to execute local applications accessible to the user running the untrusted application. (CVE-2008-3111) Two file processing vulnerabilities in Java Web Start were found. A remote attacker, by means of an untrusted Java Web Start application, was able to create or delete arbitrary files with the permissions of the user running the untrusted application. (CVE-2008-3112, CVE-2008-3113) A vulnerability in Java Web Start when processing untrusted applications was reported. An attacker was able to acquire sensitive information, such as the cache location. (CVE-2008-3114) All users of java-1.5.0-ibm are advised to upgrade to these updated packages, that contain the IBM 1.5.0 SR8 Java release, which resolves these issues. Critical Copyright 2008 Red Hat, Inc. CVE-2008-3104 CVE-2008-3106 CVE-2008-3108 CVE-2008-3111 CVE-2008-3112 CVE-2008-3113 CVE-2008-3114 CVE-2008-3105 CVE-2008-3106 OpenJDK JAX-WS unauthorized URL access (6542088) CVE-2008-3104 Java RE allows Same Origin Policy to be Bypassed (6687932) CVE-2008-3108 Security Vulnerability with JRE fonts processing may allow Elevation of Privileges (6450319) CVE-2008-3111 Java Web Start Buffer overflow vulnerabilities (6557220) CVE-2008-3112 Java Web Start, arbitrary file creation (6703909) CVE-2008-3113 Java Web Start arbitrary file creation/deletion file with user permissions (6704077) CVE-2008-3114 Java Web Start, untrusted application may determine Cache Location (6704074) cpe:/a:redhat:rhel_extras Supplementary for Red Hat Enterprise Linux 5 RealPlayer is a media player that provides media playback locally and via streaming. RealPlayer 10.0.9 is vulnerable to a critical security flaw and should no longer be used. A remote attacker could leverage this flaw to execute arbitrary code as the user running RealPlayer. (CVE-2007-5400) This issue is addressed in RealPlayer 11. Red Hat is unable to ship RealPlayer 11 due to additional proprietary codecs included in that version. Therefore, users who wish to continue to use RealPlayer should get an update directly from www.real.com. This update removes the RealPlayer 10.0.9 packages due to their known security vulnerabilities. Critical Copyright 2008 Red Hat, Inc. CVE-2007-5400 CVE-2007-5400 RealPlayer: SWF Frame Handling Buffer Overflow cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 5 The yum-rhn-plugin provides support for yum to securely access a Red Hat Network (RHN) server for software updates. It was discovered that yum-rhn-plugin did not verify the SSL certificate for all communication with a Red Hat Network server. An attacker able to redirect the network communication between a victim and an RHN server could use this flaw to provide malicious repository metadata. This metadata could be used to block the victim from receiving specific security updates. (CVE-2008-3270) This flaw did not allow an attacker to install malicious packages. Package signatures were verified and only packages signed with a trusted Red Hat GPG key were installed. Red Hat would like to thank Justin Cappos and Justin Samuel for discussing various package update mechanism flaws which led to our discovery of this issue. Users of yum-rhn-plugin are advised to upgrade to this updated packages, which resolves this issue. Moderate Copyright 2008 Red Hat, Inc. CVE-2008-3270 CVE-2008-3270 yum-rhn-plugin: does not verify SSL certificate for all communication with RHN server cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The hplip (Hewlett-Packard Linux Imaging and Printing) packages provide drivers for Hewlett-Packard printers and multifunction peripherals. A flaw was discovered in the hplip alert-mailing functionality. A local attacker could elevate their privileges by using specially-crafted packets to trigger alert mails, which are sent by the root account. (CVE-2008-2940) A flaw was discovered in the hpssd message parser. By sending specially-crafted packets, a local attacker could cause a denial of service, stopping the hpssd process. (CVE-2008-2941) Users of hplip should upgrade to these updated packages, which contain backported patches to correct these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2008-2940 CVE-2008-2941 CVE-2008-2940 hpssd of hplip allows unprivileged user to trigger alert mail CVE-2008-2941 hplip hpssd.py Denial-Of-Service parsing vulnerability cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 OpenOffice.org is an office productivity suite that includes desktop applications, such as a word processor, spreadsheet, presentation manager, formula editor, and a drawing program. A numeric truncation error was found in the OpenOffice.org memory allocator. If a carefully crafted file was opened by a victim, an attacker could use this flaw to crash OpenOffice.org or, possibly, execute arbitrary code. (CVE-2008-3282) All users of openoffice.org are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. Important Copyright 2008 Red Hat, Inc. CVE-2008-3282 CVE-2008-3282 openoffice.org: numeric truncation error in memory allocator (64bit) cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The libxml2 packages provide a library that allows you to manipulate XML files. It includes support to read, modify, and write XML and HTML files. A denial of service flaw was found in the way libxml2 processes certain content. If an application linked against libxml2 processes malformed XML content, it could cause the application to stop responding. (CVE-2008-3281) Red Hat would like to thank Andreas Solberg for responsibly disclosing this issue. All users of libxml2 are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. Moderate Copyright 2008 Red Hat, Inc. CVE-2008-3281 CVE-2008-3281 libxml2 denial of service cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Postfix is a Mail Transport Agent (MTA), supporting LDAP, SMTP AUTH (SASL), and TLS. A flaw was found in the way Postfix dereferences symbolic links. If a local user has write access to a mail spool directory with no root mailbox, it may be possible for them to append arbitrary data to files that root has write permission to. (CVE-2008-2936) Red Hat would like to thank Sebastian Krahmer for responsibly disclosing this issue. All users of postfix should upgrade to these updated packages, which contain a backported patch that resolves this issue. Moderate Copyright 2008 Red Hat, Inc. CVE-2008-2936 CVE-2008-2936 postfix privilege escalation flaw cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The libtiff packages contain a library of functions for manipulating Tagged Image File Format (TIFF) files. Multiple uses of uninitialized values were discovered in libtiff's Lempel-Ziv-Welch (LZW) compression algorithm decoder. An attacker could create a carefully crafted LZW-encoded TIFF file that would cause an application linked with libtiff to crash or, possibly, execute arbitrary code. (CVE-2008-2327) Red Hat would like to thank Drew Yao of the Apple Product Security team for reporting this issue. Additionally, these updated packages fix the following bug: * the libtiff packages included manual pages for the sgi2tiff and tiffsv commands, which are not included in these packages. These extraneous manual pages were removed. All libtiff users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. Important Copyright 2008 Red Hat, Inc. CVE-2008-2327 CVE-2008-2327 libtiff: use of uninitialized memory in LZW decoder [RHEL5] libtiff has unnecessary man pages. cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The libtiff packages contain a library of functions for manipulating Tagged Image File Format (TIFF) files. Multiple uses of uninitialized values were discovered in libtiff's Lempel-Ziv-Welch (LZW) compression algorithm decoder. An attacker could create a carefully crafted LZW-encoded TIFF file that would cause an application linked with libtiff to crash or, possibly, execute arbitrary code. (CVE-2008-2327) Red Hat would like to thank Drew Yao of the Apple Product Security team for reporting this issue. A buffer overflow flaw was discovered in the tiff2pdf conversion program distributed with libtiff. An attacker could create a TIFF file containing UTF-8 characters that would, when converted to PDF format, cause tiff2pdf to crash, or, possibly, execute arbitrary code. (CVE-2006-2193) Additionally, these updated packages fix the following bug: * the libtiff packages included manual pages for the sgi2tiff and tiffsv commands, which are not included in these packages. These extraneous manual pages were removed. All libtiff users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. Important Copyright 2008 Red Hat, Inc. CVE-2008-2327 CVE-2006-2193 CVE-2006-2193 tiff2pdf buffer overflow CVE-2008-2327 libtiff: use of uninitialized memory in LZW decoder [RHEL4] libtiff has unnecessary man pages. cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The ipsec-tools package is used in conjunction with the IPsec functionality in the Linux kernel and includes racoon, an IKEv1 keying daemon. Two denial of service flaws were found in the ipsec-tools racoon daemon. It was possible for a remote attacker to cause the racoon daemon to consume all available memory. (CVE-2008-3651, CVE-2008-3652) Users of ipsec-tools should upgrade to this updated package, which contains backported patches that resolve these issues. Important Copyright 2008 Red Hat, Inc. CVE-2008-3651 CVE-2008-3652 CVE-2008-3651 ipsec-tools: racoon memory leak caused by invalid proposals CVE-2008-3652 ipsec-tools: racoon orphaned ph1s memory leak cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. Last week Red Hat detected an intrusion on certain of its computer systems and took immediate action. While the investigation into the intrusion is on-going, our initial focus was to review and test the distribution channel we use with our customers, Red Hat Network (RHN) and its associated security measures. Based on these efforts, we remain highly confident that our systems and processes prevented the intrusion from compromising RHN or the content distributed via RHN and accordingly believe that customers who keep their systems updated using Red Hat Network are not at risk. We are issuing this alert primarily for those who may obtain Red Hat binary packages via channels other than those of official Red Hat subscribers. In connection with the incident, the intruder was able to sign a small number of OpenSSH packages relating only to Red Hat Enterprise Linux 4 (i386 and x86_64 architectures only) and Red Hat Enterprise Linux 5 (x86_64 architecture only). As a precautionary measure, we are releasing an updated version of these packages, and have published a list of the tampered packages and how to detect them at http://www.redhat.com/security/data/openssh-blacklist.html To reiterate, our processes and efforts to date indicate that packages obtained by Red Hat Enterprise Linux subscribers via Red Hat Network are not at risk. These packages also fix a low severity flaw in the way ssh handles X11 cookies when creating X11 forwarding connections. When ssh was unable to create untrusted cookie, ssh used a trusted cookie instead, possibly allowing the administrative user of a untrusted remote server, or untrusted application run on the remote server, to gain unintended access to a users local X server. (CVE-2007-4752) Critical Copyright 2008 Red Hat, Inc. CVE-2007-4752 CVE-2008-3844 CVE-2007-4752 openssh falls back to the trusted x11 cookie if generation of an untrusted cookie fails cpe:/o:redhat:rhel_eus cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The libtiff packages contain a library of functions for manipulating Tagged Image File Format (TIFF) files. Multiple uses of uninitialized values were discovered in libtiff's Lempel-Ziv-Welch (LZW) compression algorithm decoder. An attacker could create a carefully crafted LZW-encoded TIFF file that would cause an application linked with libtiff to crash or, possibly, execute arbitrary code. (CVE-2008-2327) Red Hat would like to thank Drew Yao of the Apple Product Security team for reporting this issue. All libtiff users are advised to upgrade to these updated packages, which contain backported patches to resolve this issue. Important Copyright 2008 Red Hat, Inc. CVE-2008-2327 CVE-2008-2327 libtiff: use of uninitialized memory in LZW decoder cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 Mozilla Firefox is an open source Web browser. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code as the user running Firefox. (CVE-2008-4058, CVE-2008-4060, CVE-2008-4061, CVE-2008-4062, CVE-2008-4063, CVE-2008-4064) Several flaws were found in the way malformed web content was displayed. A web page containing specially crafted content could potentially trick a Firefox user into surrendering sensitive information. (CVE-2008-4067, CVE-2008-4068) A flaw was found in the way Firefox handles mouse click events. A web page containing specially crafted JavaScript code could move the content window while a mouse-button was pressed, causing any item under the pointer to be dragged. This could, potentially, cause the user to perform an unsafe drag-and-drop action. (CVE-2008-3837) A flaw was found in Firefox that caused certain characters to be stripped from JavaScript code. This flaw could allow malicious JavaScript to bypass or evade script filters. (CVE-2008-4065) For technical details regarding these flaws, please see the Mozilla security advisories for Firefox 3.0.2. You can find a link to the Mozilla advisories in the References section. All firefox users should upgrade to this updated package, which contains backported patches that correct these issues. Critical Copyright 2008 Red Hat, Inc. CVE-2008-3837 CVE-2008-4058 CVE-2008-4060 CVE-2008-4061 CVE-2008-4062 CVE-2008-4063 CVE-2008-4064 CVE-2008-4065 CVE-2008-4067 CVE-2008-4068 CVE-2008-3837 mozilla: Forced mouse drag CVE-2008-4058 Mozilla privilege escalation via XPCnativeWrapper pollution CVE-2008-4060 Mozilla privilege escalation via XPCnativeWrapper pollution CVE-2008-4061 Mozilla layout engine crash CVE-2008-4062 Mozilla crashes with evidence of memory corruption CVE-2008-4063 Mozilla crashes with evidence of memory corruption CVE-2008-4064 Mozilla crashes with evidence of memory corruption CVE-2008-4065 Mozilla BOM characters stripped from JavaScript before execution CVE-2008-4067 Mozilla resource: traversal vulnerability CVE-2008-4068 Mozilla local HTML file recource: bypass cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 SeaMonkey is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause SeaMonkey to crash or, potentially, execute arbitrary code as the user running SeaMonkey. (CVE-2008-0016, CVE-2008-4058, CVE-2008-4059, CVE-2008-4060, CVE-2008-4061, CVE-2008-4062) Several flaws were found in the way malformed web content was displayed. A web page containing specially crafted content could potentially trick a SeaMonkey user into surrendering sensitive information. (CVE-2008-3835, CVE-2008-4067, CVE-2008-4068, CVE-2008-4069) A flaw was found in the way SeaMonkey handles mouse click events. A web page containing specially crafted JavaScript code could move the content window while a mouse-button was pressed, causing any item under the pointer to be dragged. This could, potentially, cause the user to perform an unsafe drag-and-drop action. (CVE-2008-3837) A flaw was found in SeaMonkey that caused certain characters to be stripped from JavaScript code. This flaw could allow malicious JavaScript to bypass or evade script filters. (CVE-2008-4065, CVE-2008-4066) All SeaMonkey users should upgrade to these updated packages, which contain backported patches to resolve these issues. Critical Copyright 2008 Red Hat, Inc. CVE-2008-0016 CVE-2008-3835 CVE-2008-3837 CVE-2008-4058 CVE-2008-4059 CVE-2008-4060 CVE-2008-4061 CVE-2008-4062 CVE-2008-4065 CVE-2008-4066 CVE-2008-4067 CVE-2008-4068 CVE-2008-4069 CVE-2008-0016 Mozilla UTF-8 stack buffer overflow CVE-2008-3835 mozilla: nsXMLDocument::OnChannelRedirect() same-origin violation CVE-2008-3837 mozilla: Forced mouse drag CVE-2008-4058 Mozilla privilege escalation via XPCnativeWrapper pollution CVE-2008-4059 Mozilla privilege escalation via XPCnativeWrapper pollution CVE-2008-4060 Mozilla privilege escalation via XPCnativeWrapper pollution CVE-2008-4061 Mozilla layout engine crash CVE-2008-4062 Mozilla crashes with evidence of memory corruption CVE-2008-4065 Mozilla BOM characters stripped from JavaScript before execution CVE-2008-4066 Mozilla low surrogates stripped from JavaScript before execution CVE-2008-4067 Mozilla resource: traversal vulnerability CVE-2008-4068 Mozilla local HTML file recource: bypass CVE-2008-4069 Mozilla XBM decoder information disclosure cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The libxml2 packages provide a library that allows you to manipulate XML files. It includes support to read, modify, and write XML and HTML files. A heap-based buffer overflow flaw was found in the way libxml2 handled long XML entity names. If an application linked against libxml2 processed untrusted malformed XML content, it could cause the application to crash or, possibly, execute arbitrary code. (CVE-2008-3529) All users of libxml2 are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. Important Copyright 2008 Red Hat, Inc. CVE-2008-3529 CVE-2008-3529 libxml2: long entity name heap buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security fixes: * a missing capability check was found in the Linux kernel do_change_type routine. This could allow a local unprivileged user to gain privileged access or cause a denial of service. (CVE-2008-2931, Important) * a flaw was found in the Linux kernel Direct-IO implementation. This could allow a local unprivileged user to cause a denial of service. (CVE-2007-6716, Important) * Tobias Klein reported a missing check in the Linux kernel Open Sound System (OSS) implementation. This deficiency could lead to a possible information leak. (CVE-2008-3272, Moderate) * a deficiency was found in the Linux kernel virtual filesystem (VFS) implementation. This could allow a local unprivileged user to attempt file creation within deleted directories, possibly causing a denial of service. (CVE-2008-3275, Moderate) * a flaw was found in the Linux kernel tmpfs implementation. This could allow a local unprivileged user to read sensitive information from the kernel. (CVE-2007-6417, Moderate) Bug fixes: * when copying a small IPoIB packet from the original skb it was received in to a new, smaller skb, all fields in the new skb were not initialized. This may have caused a kernel oops. * previously, data may have been written beyond the end of an array, causing memory corruption on certain systems, resulting in hypervisor crashes during context switching. * a kernel crash may have occurred on heavily-used Samba servers after 24 to 48 hours of use. * under heavy memory pressure, pages may have been swapped out from under the SGI Altix XPMEM driver, causing silent data corruption in the kernel. * the ixgbe driver is untested, but support was advertised for the Intel 82598 network card. If this card was present when the ixgbe driver was loaded, a NULL pointer dereference and a panic occurred. * on certain systems, if multiple InfiniBand queue pairs simultaneously fell into an error state, an overrun may have occurred, stopping traffic. * with bridging, when forward delay was set to zero, setting an interface to the forwarding state was delayed by one or possibly two timers, depending on whether STP was enabled. This may have caused long delays in moving an interface to the forwarding state. This issue caused packet loss when migrating virtual machines, preventing them from being migrated without interrupting applications. * on certain multinode systems, IPMI device nodes were created in reverse order of where they physically resided. * process hangs may have occurred while accessing application data files via asynchronous direct I/O system calls. * on systems with heavy lock traffic, a possible deadlock may have caused anything requiring locks over NFS to stop, or be very slow. Errors such as "lockd: server [IP] not responding, timed out" were logged on client systems. * unexpected removals of USB devices may have caused a NULL pointer dereference in kobject_get_path. * on Itanium-based systems, repeatedly creating and destroying Windows guests may have caused Dom0 to crash, due to the "XENMEM_add_to_physmap" hypercall, used by para-virtualized drivers on HVM, being SMP-unsafe. * when using an MD software RAID, crashes may have occurred when devices were removed or changed while being iterated through. Correct locking is now used. * break requests had no effect when using "Serial Over Lan" with the Intel 82571 network card. This issue may have caused log in problems. * on Itanium-based systems, module_free() referred the first parameter before checking it was valid. This may have caused a kernel panic when exiting SystemTap. Red Hat Enterprise Linux 5 users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. Important Copyright 2008 Red Hat, Inc. CVE-2008-2931 CVE-2008-3275 CVE-2007-6417 CVE-2007-6716 CVE-2008-3272 CVE-2007-6417 tmpfs: restore missing clear_highpage (kernels from 2.6.11 up) LTC43854-trap 700 Program check on uli05, pc: c000000000323910: .skb_under_panic+0x50/0x68 [rhel-5.2.z] CVE-2008-2931 kernel: missing check before setting mount propagation Guest OS install causes host machine to crash [RHEL5] Kernel panic triggered by smbd Silent memory corruption with xpmem ixgbe panics system when installing RHEL 5.2 with 82598AT (copper 10 gig) adapter CVE-2008-3275 Linux kernel local filesystem DoS CVE-2008-3272 kernel snd_seq_oss_synth_make_info leak LTC44570-Event Queue overflow on eHCA adapters lost packets when live migrating LTC41679-IPMI device nodes created in reverse order on multinode systems process hangs in async direct IO / possible race between dio_bio_end_aio() and dio_await_one() ? deadlock when lockd tries to take f_sema that it already has [Stratus 5.2.z bug] kernel NULL pointer dereference in kobject_get_path [IA64] Fix SMP-unsafe with XENMEM_add_to_physmap on HVM [NEC/Stratus 5.2.z bug] various crashes in md - rdev removed in the middle of ITERATE_RDEV SysRq handling issue in serial driver kprobes remove causing kernel panic on ia64 with 2.6.18-92.1.10.el5 kernel CVE-2007-6716 kernel: dio: zero struct dio with kzalloc instead of manually cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 5 Wireshark is a program for monitoring network traffic. Wireshark was previously known as Ethereal. Multiple buffer overflow flaws were found in Wireshark. If Wireshark read a malformed packet off a network, it could crash or, possibly, execute arbitrary code as the user running Wireshark. (CVE-2008-3146) Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malformed dump file. (CVE-2008-1070, CVE-2008-1071, CVE-2008-1072, CVE-2008-1561, CVE-2008-1562, CVE-2008-1563, CVE-2008-3137, CVE-2008-3138, CVE-2008-3141, CVE-2008-3145, CVE-2008-3932, CVE-2008-3933, CVE-2008-3934) Additionally, this update changes the default Pluggable Authentication Modules (PAM) configuration to always prompt for the root password before each start of Wireshark. This avoids unintentionally running Wireshark with root privileges. Users of wireshark should upgrade to these updated packages, which contain Wireshark version 1.0.3, and resolve these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2008-1070 CVE-2008-1071 CVE-2008-1072 CVE-2008-1561 CVE-2008-1562 CVE-2008-1563 CVE-2008-3137 CVE-2008-3138 CVE-2008-3141 CVE-2008-3145 CVE-2008-3146 CVE-2008-3932 CVE-2008-3933 CVE-2008-3934 CVE-2008-1070 wireshark: SCTP dissector crash CVE-2008-1071 wireshark: SNMP dissector crash CVE-2008-1072 wireshark: TFTP dissector crash CVE-2008-1563 wireshark: crash in SCCP dissector CVE-2008-1561 wireshark: crash in X.509sat and Roofnet dissectors CVE-2008-1562 wireshark: crash in LDAP dissector Don't automatically use stored privileges CVE-2008-3137 wireshark: crash in the GSM SMS dissector CVE-2008-3138 wireshark: unexpected exit in the PANA and KISMET dissectors CVE-2008-3141 wireshark: memory disclosure in the RMI dissector CVE-2008-3145 wireshark: crash in the packet reassembling CVE-2008-3146 wireshark: multiple buffer overflows in NCP dissector CVE-2008-3932 wireshark: infinite loop in the NCP dissector CVE-2008-3933 wireshark: crash triggered by zlib-compressed packet data CVE-2008-3934 wireshark: crash via crafted Tektronix .rf5 file cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 The IBM 1.5.0 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. A flaw was found in the Java Management Extensions (JMX) management agent. When local monitoring is enabled, remote attackers could use this flaw to perform illegal operations. (CVE-2008-3103) All users of java-1.5.0-ibm are advised to upgrade to these updated packages containing the IBM 1.5.0 SR8a Java release, which resolves this issue. Moderate Copyright 2008 Red Hat, Inc. CVE-2008-3103 CVE-2008-3103 OpenJDK JMX allows illegal operations with local monitoring (6332953) cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 5 The xen packages contain tools for managing the virtual machine monitor in Red Hat Virtualization. It was discovered that the hypervisor's para-virtualized framebuffer (PVFB) backend failed to validate the frontend's framebuffer description properly. This could allow a privileged user in the unprivileged domain (DomU) to cause a denial of service, or, possibly, elevate privileges to the privileged domain (Dom0). (CVE-2008-1952) A flaw was found in the QEMU block format auto-detection, when running fully-virtualized guests and using Qemu images written on removable media (USB storage, 3.5" disks). Privileged users of such fully-virtualized guests (DomU), with a raw-formatted disk image, were able to write a header to that disk image describing another format. This could allow such guests to read arbitrary files in their hypervisor's host (Dom0). (CVE-2008-1945) Additionally, the following bug is addressed in this update: * The qcow-create command terminated when invoked due to glibc bounds checking on the realpath() function. Users of xen are advised to upgrade to these updated packages, which resolve these security issues and fix this bug. Important Copyright 2008 Red Hat, Inc. CVE-2008-1945 CVE-2008-1952 CVE-2008-1945 qemu/kvm/xen: add image format options for USB storage and removable media CVE-2008-1952 qemu/xen/kvm: ioemu: Fix PVFB backend to limit frame buffer size xen: buffer overflow detected: qcow-create terminated cpe:/a:redhat:rhel_virtualization cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Bzip2 is a freely available, high-quality data compressor. It provides both stand-alone compression and decompression utilities, as well as a shared library for use with other programs. A buffer over-read flaw was discovered in the bzip2 decompression routine. This issue could cause an application linked against the libbz2 library to crash when decompressing malformed archives. (CVE-2008-1372) Users of bzip2 should upgrade to these updated packages, which contain a backported patch to resolve this issue. Moderate Copyright 2008 Red Hat, Inc. CVE-2008-1372 CVE-2008-1372 bzip2: crash on malformed archive file cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Ruby is an interpreted scripting language for quick and easy object-oriented programming. The Ruby DNS resolver library, resolv.rb, used predictable transaction IDs and a fixed source port when sending DNS requests. A remote attacker could use this flaw to spoof a malicious reply to a DNS query. (CVE-2008-3905) A number of flaws were found in the safe-level restrictions in Ruby. It was possible for an attacker to create a carefully crafted malicious script that can allow the bypass of certain safe-level restrictions. (CVE-2008-3655) A denial of service flaw was found in Ruby's regular expression engine. If a Ruby script tried to process a large amount of data via a regular expression, it could cause Ruby to enter an infinite-loop and crash. (CVE-2008-3443) Users of ruby should upgrade to these updated packages, which contain backported patches to resolve these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2008-3443 CVE-2008-3655 CVE-2008-3905 CVE-2008-3655 ruby: multiple insufficient safe mode restrictions CVE-2008-3443 ruby: Memory allocation failure in Ruby regex engine (remotely exploitable DoS) CVE-2008-3905 ruby: use of predictable source port and transaction id in DNS requests done by resolv.rb module cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Ruby is an interpreted scripting language for quick and easy object-oriented programming. The Ruby DNS resolver library, resolv.rb, used predictable transaction IDs and a fixed source port when sending DNS requests. A remote attacker could use this flaw to spoof a malicious reply to a DNS query. (CVE-2008-3905) Ruby's XML document parsing module (REXML) was prone to a denial of service attack via XML documents with large XML entity definitions recursion. A specially-crafted XML file could cause a Ruby application using the REXML module to use an excessive amount of CPU and memory. (CVE-2008-3790) An insufficient "taintness" check flaw was discovered in Ruby's DL module, which provides direct access to the C language functions. An attacker could use this flaw to bypass intended safe-level restrictions by calling external C functions with the arguments from an untrusted tainted inputs. (CVE-2008-3657) A denial of service flaw was discovered in WEBrick, Ruby's HTTP server toolkit. A remote attacker could send a specially-crafted HTTP request to a WEBrick server that would cause the server to use an excessive amount of CPU time. (CVE-2008-3656) A number of flaws were found in the safe-level restrictions in Ruby. It was possible for an attacker to create a carefully crafted malicious script that can allow the bypass of certain safe-level restrictions. (CVE-2008-3655) A denial of service flaw was found in Ruby's regular expression engine. If a Ruby script tried to process a large amount of data via a regular expression, it could cause Ruby to enter an infinite-loop and crash. (CVE-2008-3443) Users of ruby should upgrade to these updated packages, which contain backported patches to resolve these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2008-3443 CVE-2008-3655 CVE-2008-3656 CVE-2008-3657 CVE-2008-3790 CVE-2008-3905 CVE-2008-1145 CVE-2008-3655 ruby: multiple insufficient safe mode restrictions CVE-2008-3656 ruby: WEBrick DoS vulnerability (CPU consumption) CVE-2008-3657 ruby: missing "taintness" checks in dl module CVE-2008-3443 ruby: Memory allocation failure in Ruby regex engine (remotely exploitable DoS) CVE-2008-3790 ruby: DoS vulnerability in the REXML module CVE-2008-3905 ruby: use of predictable source port and transaction id in DNS requests done by resolv.rb module cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 The IBM 1.6.0 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. A flaw was found in the Java Management Extensions (JMX) management agent. When local monitoring is enabled, remote attackers could use this flaw to perform illegal operations. (CVE-2008-3103) Several flaws involving the handling of unsigned applets were found. A remote attacker could misuse an unsigned applet in order to connect to services on the host running the applet. (CVE-2008-3104) Several flaws in the Java API for XML Web Services (JAX-WS) client and the JAX-WS service implementation were found. A remote attacker who could cause malicious XML to be processed by an application could access URLs, or cause a denial of service. (CVE-2008-3105, CVE-2008-3106) Several flaws within the Java Runtime Environment (JRE) scripting support were found. A remote attacker could grant an untrusted applet extended privileges, such as reading and writing local files, executing local programs, or querying the sensitive data of other applets. (CVE-2008-3109, CVE-2008-3110) A flaw in Java Web Start was found. Using an untrusted Java Web Start application, a remote attacker could create or delete arbitrary files with the permissions of the user running the untrusted application. (CVE-2008-3112) A flaw in Java Web Start when processing untrusted applications was found. An attacker could use this flaw to acquire sensitive information, such as the location of the cache. (CVE-2008-3114) All users of java-1.6.0-ibm are advised to upgrade to these updated packages, containing the IBM 1.6.0 SR2 Java release, which resolves these issues. Critical Copyright 2008 Red Hat, Inc. CVE-2008-3103 CVE-2008-3104 CVE-2008-3105 CVE-2008-3106 CVE-2008-3109 CVE-2008-3110 CVE-2008-3112 CVE-2008-3114 CVE-2008-3105 CVE-2008-3106 OpenJDK JAX-WS unauthorized URL access (6542088) CVE-2008-3103 OpenJDK JMX allows illegal operations with local monitoring (6332953) CVE-2008-3104 Java RE allows Same Origin Policy to be Bypassed (6687932) CVE-2008-3109 CVE-2008-3110 Security Vulnerabilities in the Java Runtime Environment Scripting Language Support (6529568, 6529579) CVE-2008-3112 Java Web Start, arbitrary file creation (6703909) CVE-2008-3114 Java Web Start, untrusted application may determine Cache Location (6704074) cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 5 The pam_krb5 module allows Pluggable Authentication Modules (PAM) aware applications to use Kerberos to verify user identities by obtaining user credentials at log in time. A flaw was found in the pam_krb5 "existing_ticket" configuration option. If a system is configured to use an existing credential cache via the "existing_ticket" option, it may be possible for a local user to gain elevated privileges by using a different, local user's credential cache. (CVE-2008-3825) Red Hat would like to thank Stéphane Bertin for responsibly disclosing this issue. Users of pam_krb5 should upgrade to this updated package, which contains a backported patch to resolve this issue. Moderate Copyright 2008 Red Hat, Inc. CVE-2008-3825 CVE-2008-3825 pam_krb5 existing_ticket permission flaw cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 Mozilla Thunderbird is a standalone mail and newsgroup client. Several flaws were found in the processing of malformed HTML mail content. An HTML mail message containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code as the user running Thunderbird. (CVE-2008-0016, CVE-2008-4058, CVE-2008-4059, CVE-2008-4060, CVE-2008-4061, CVE-2008-4062) Several flaws were found in the way malformed HTML mail content was displayed. An HTML mail message containing specially crafted content could potentially trick a Thunderbird user into surrendering sensitive information. (CVE-2008-3835, CVE-2008-4067, CVE-2008-4068) A flaw was found in Thunderbird that caused certain characters to be stripped from JavaScript code. This flaw could allow malicious JavaScript to bypass or evade script filters. (CVE-2008-4065, CVE-2008-4066) Note: JavaScript support is disabled by default in Thunderbird; the above issue is not exploitable unless JavaScript is enabled. A heap based buffer overflow flaw was found in the handling of cancelled newsgroup messages. If the user cancels a specially crafted newsgroup message it could cause Thunderbird to crash or, potentially, execute arbitrary code as the user running Thunderbird. (CVE-2008-4070) All Thunderbird users should upgrade to these updated packages, which resolve these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2008-0016 CVE-2008-3835 CVE-2008-4058 CVE-2008-4059 CVE-2008-4060 CVE-2008-4061 CVE-2008-4062 CVE-2008-4065 CVE-2008-4066 CVE-2008-4067 CVE-2008-4068 CVE-2008-4070 CVE-2008-0016 Mozilla UTF-8 stack buffer overflow CVE-2008-3835 mozilla: nsXMLDocument::OnChannelRedirect() same-origin violation CVE-2008-4058 Mozilla privilege escalation via XPCnativeWrapper pollution CVE-2008-4059 Mozilla privilege escalation via XPCnativeWrapper pollution CVE-2008-4060 Mozilla privilege escalation via XPCnativeWrapper pollution CVE-2008-4061 Mozilla layout engine crash CVE-2008-4062 Mozilla crashes with evidence of memory corruption CVE-2008-4065 Mozilla BOM characters stripped from JavaScript before execution CVE-2008-4066 Mozilla low surrogates stripped from JavaScript before execution CVE-2008-4067 Mozilla resource: traversal vulnerability CVE-2008-4068 Mozilla local HTML file recource: bypass CVE-2008-4070 Thunderbird cancelled newsgrop messages cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 5 The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX(R) operating systems. A buffer overflow flaw was discovered in the SGI image format decoding routines used by the CUPS image converting filter "imagetops". An attacker could create a malicious SGI image file that could, possibly, execute arbitrary code as the "lp" user if the file was printed. (CVE-2008-3639) An integer overflow flaw leading to a heap buffer overflow was discovered in the Text-to-PostScript "texttops" filter. An attacker could create a malicious text file that could, possibly, execute arbitrary code as the "lp" user if the file was printed. (CVE-2008-3640) An insufficient buffer bounds checking flaw was discovered in the HP-GL/2-to-PostScript "hpgltops" filter. An attacker could create a malicious HP-GL/2 file that could, possibly, execute arbitrary code as the "lp" user if the file was printed. (CVE-2008-3641) Red Hat would like to thank regenrecht for reporting these issues. All CUPS users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. Important Copyright 2008 Red Hat, Inc. CVE-2008-3639 CVE-2008-3640 CVE-2008-3641 CVE-2008-3639 CUPS: SGI image parser heap-based buffer overflow CVE-2008-3640 CUPS: texttops integer overflow CVE-2008-3641 CUPS: HP/GL reader insufficient bounds checking cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 3 OpenOffice.org is an office productivity suite that includes desktop applications such as a word processor, spreadsheet, presentation manager, formula editor, and drawing program. SureRun Security Team discovered an integer overflow flaw leading to a heap buffer overflow in the Windows Metafile (WMF) image format parser. An attacker could create a carefully crafted document containing a malicious WMF file that could cause OpenOffice.org to crash, or, possibly, execute arbitrary code if opened by a victim. (CVE-2008-2237) Multiple integer overflow flaws were found in the Enhanced Windows Metafile (EMF) parser. An attacker could create a carefully crafted document containing a malicious EMF file that could cause OpenOffice.org to crash, or, possibly, execute arbitrary code if opened by a victim. (CVE-2008-2238) All users of OpenOffice.org are advised to upgrade to these updated packages, which contain backported patches that correct these issues. Important Copyright 2008 Red Hat, Inc. CVE-2008-2237 CVE-2008-2238 CVE-2008-2237 OpenOffice.org WMF integer overflow CVE-2008-2238 OpenOffice.org multiple EMF buffer overflows cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 The flash-plugin package contains a Firefox-compatible Adobe Flash Player Web browser plug-in. A flaw was found in the way Adobe Flash Player wrote content to the clipboard. A malicious SWF file could populate the clipboard with a URL that could cause the user to mistakenly load an attacker-controlled URL. (CVE-2008-3873) A flaw was found which allowed Adobe Flash Player's ActionScript to initiate file uploads and downloads without user interaction. FileReference.browse and FileReference.download calls can now only be initiated via user interaction, such as mouse-clicks or key-presses on the keyboard. (CVE-2008-4401) A flaw was found in Adobe Flash Player's display of the Settings Manager content. A malicious SWF file could trick the user into unknowingly clicking a link or dialog. This could then give the malicious SWF file permission to access the local machine's camera or microphone. (CVE-2008-4503) Flaws were found in the way Flash Player restricted the interpretation and usage of cross-domain policy files. A remote attacker could use Flash Player to conduct cross-domain and cross-site scripting attacks (CVE-2007-4324, CVE-2007-6243). This update provides enhanced fixes for these issues. Adobe Flash Player 10 also includes bug fixes and feature enhancements including: * improved stability on the Linux platform by fixing a race condition issue in sound output. * new support for custom filters and effects, native 3D transformation and animation, advanced audio processing, a new, more flexible text engine, and GPU hardware acceleration. For more information on new features and enhancements, see the Adobe Flash Player site and the Adobe Labs Release Notes. Note: some users may have installed a 3rd-party component, libflashsupport, for older versions of Flash Player. Adobe Flash Player 10 no longer supports libflashsupport. Users are advised to remove libflashsupport if they have it installed. All users of Adobe Flash Player should upgrade to this updated package, which contains Flash Player version 10.0.12.36. Critical Copyright 2008 Red Hat, Inc. CVE-2007-4324 CVE-2007-6243 CVE-2008-3873 CVE-2008-4401 CVE-2008-4503 CVE-2008-4818 CVE-2008-4819 CVE-2008-4821 CVE-2008-4822 CVE-2008-4823 CVE-2008-4824 CVE-2008-5361 CVE-2008-5362 CVE-2008-5363 CVE-2007-4324 Flash movie can determine whether a TCP port is open CVE-2007-6243 Flash Player cross-domain and cross-site scripting flaws CVE-2008-3873 flash: clipboard hijack attack CVE-2008-4401 flash-plugin: upload/download user interaction CVE-2008-4503 Adobe Flash Player clickjacking CVE-2008-4818 Flash Player XSS CVE-2008-4819 Flash Player DNS rebind attack CVE-2008-4823 Flash Player HTML injection flaw CVE-2008-4822 Flash Player policy file interpretation flaw CVE-2008-4821 Flash Player jar: protocol handler cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 5 ed is a line-oriented text editor, used to create, display, and modify text files (both interactively and via shell scripts). A heap-based buffer overflow was discovered in the way ed, the GNU line editor, processed long file names. An attacker could create a file with a specially-crafted name that could possibly execute an arbitrary code when opened in the ed editor. (CVE-2008-3916) Users of ed should upgrade to this updated package, which contains a backported patch to resolve this issue. Moderate Copyright 2008 Red Hat, Inc. CVE-2008-3916 CVE-2008-3916 ed: Heap-based buffer overflow (arb. code execution) cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 IBM's 1.4.2 SR12 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. Multiple vulnerabilities with unsigned applets were reported. A remote attacker could misuse an unsigned applet to connect to localhost services running on the host running the applet. (CVE-2008-3104) Two file processing vulnerabilities in Java Web Start were found. Using an untrusted Java Web Start application, a remote attacker was able to create or delete arbitrary files with the permissions of the user running the untrusted application. (CVE-2008-3112, CVE-2008-3113) A vulnerability in Java Web Start when processing untrusted applications was reported. An attacker was able to acquire sensitive information, such as the cache location. (CVE-2008-3114) All users of java-1.4.2-ibm are advised to upgrade to these updated packages, which contain IBM's 1.4.2 SR12 Java release which resolves these issues. Critical Copyright 2008 Red Hat, Inc. CVE-2008-3104 CVE-2008-3112 CVE-2008-3113 CVE-2008-3114 CVE-2008-3104 Java RE allows Same Origin Policy to be Bypassed (6687932) CVE-2008-3112 Java Web Start, arbitrary file creation (6703909) CVE-2008-3113 Java Web Start arbitrary file creation/deletion file with user permissions (6704077) CVE-2008-3114 Java Web Start, untrusted application may determine Cache Location (6704074) cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 5 The kernel packages contain the Linux kernel, the core of any Linux operating system. * the Xen implementation did not prevent applications running in a para-virtualized guest from modifying CR4 TSC. This could cause a local denial of service. (CVE-2007-5907, Important) * Tavis Ormandy reported missing boundary checks in the Virtual Dynamic Shared Objects (vDSO) implementation. This could allow a local unprivileged user to cause a denial of service or escalate privileges. (CVE-2008-3527, Important) * the do_truncate() and generic_file_splice_write() functions did not clear the setuid and setgid bits. This could allow a local unprivileged user to obtain access to privileged information. (CVE-2008-4210, CVE-2008-3833, Important) * a flaw was found in the Linux kernel splice implementation. This could cause a local denial of service when there is a certain failure in the add_to_page_cache_lru() function. (CVE-2008-4302, Important) * a flaw was found in the Linux kernel when running on AMD64 systems. During a context switch, EFLAGS were being neither saved nor restored. This could allow a local unprivileged user to cause a denial of service. (CVE-2006-5755, Low) * a flaw was found in the Linux kernel virtual memory implementation. This could allow a local unprivileged user to cause a denial of service. (CVE-2008-2372, Low) * an integer overflow was discovered in the Linux kernel Datagram Congestion Control Protocol (DCCP) implementation. This could allow a remote attacker to cause a denial of service. By default, remote DCCP is blocked by SELinux. (CVE-2008-3276, Low) In addition, these updated packages fix the following bugs: * random32() seeding has been improved. * in a multi-core environment, a race between the QP async event-handler and the destro_qp() function could occur. This led to unpredictable results during invalid memory access, which could lead to a kernel crash. * a format string was omitted in the call to the request_module() function. * a stack overflow caused by an infinite recursion bug in the binfmt_misc kernel module was corrected. * the ata_scsi_rbuf_get() and ata_scsi_rbuf_put() functions now check for scatterlist usage before calling kmap_atomic(). * a sentinel NUL byte was added to the device_write() function to ensure that lspace.name is NUL-terminated. * in the character device driver, a range_is_allowed() check was added to the read_mem() and write_mem() functions. It was possible for an illegitimate application to bypass these checks, and access /dev/mem beyond the 1M limit by calling mmap_mem() instead. Also, the parameters of range_is_allowed() were changed to cleanly handle greater than 32-bits of physical address on 32-bit architectures. * some of the newer Nehalem-based systems declare their CPU DSDT entries as type "Alias". During boot, this caused an "Error attaching device data" message to be logged. * the evtchn event channel device lacked locks and memory barriers. This has led to xenstore becoming unresponsive on the Itanium® architecture. * sending of gratuitous ARP packets in the Xen frontend network driver is now delayed until the backend signals that its carrier status has been processed by the stack. * on forcedeth devices, whenever setting ethtool parameters for link speed, the device could stop receiving interrupts. * the CIFS 'forcedirectio' option did not allow text to be appended to files. * the gettimeofday() function returned a backwards time on Intel® 64. * residual-count corrections during UNDERRUN handling were added to the qla2xxx driver. * the fix for a small quirk was removed for certain Adaptec controllers for which it caused problems. * the "xm trigger init" command caused a domain panic if a userland application was running on a guest on the Intel® 64 architecture. Users of kernel should upgrade to these updated packages, which contain backported patches to correct these issues. Important Copyright 2008 Red Hat, Inc. CVE-2006-5755 CVE-2007-5907 CVE-2008-2372 CVE-2008-3276 CVE-2008-3527 CVE-2008-3833 CVE-2008-4210 CVE-2008-4302 CVE-2007-5907 kernel-xen 3.1.1 does not prevent modification of the CR4 TSC from applications (DoS possible) CVE-2008-2372 kernel: Reinstate ZERO_PAGE optimization in 'get_user_pages()' and fix XIP CVE-2006-5755 kernel: local denial of service due to NT bit leakage kernel: random32: seeding improvement [rhel-5.2.z] kernel: dlm: dlm/user.c input validation fixes [rhel-5.2.z] LTC44618-Race possibility between QP async handler and destroy_qp() CVE-2008-3276 Linux kernel dccp_setsockopt_change() integer overflow kernel: cpufreq: fix format string bug [rhel-5.2.z] kernel: binfmt_misc.c: avoid potential kernel stack overflow [rhel-5.2.z] CVE-2008-3527 kernel: missing boundary checks in syscall/syscall32_nopage() [REG][5.3] The system crashed by the NULL pointer access with kmap_atomic() of ata_scsi_rbuf_get(). kernel: devmem: add range_is_allowed() check to mmap_mem() [rhel-5.2.z] RHEL5.2 ACPI core bug evtchn device lacks lock and barriers Coordinate gratuitous ARP with backend network status nVidia MCP55 MCP55 Ethernet (rev a3) not functional on kernel 2.6.18-53.1.4 CVE-2008-4302 kernel: splice: fix bad unlock_page() in error case CIFS option forcedirectio fails to allow the appending of text to files. RHEL5.3: Fix time of gettimeofday() going backward (EM64T) (*) CVE-2008-4210 kernel: open() call allows setgid bit when user is not in new file's group CVE-2008-3833 kernel: remove SUID when splicing into an inode [QLogic 5.2.z bug] qla2xxx - Additional residual-count corrections during UNDERRUN handling. Significant regression in time() performance [aacraid 5.2.z] aac_srb: aac_fib_send failed with status 8195 xm trigger <domain> init causes kernel panic. kernel-xen doesn't boot on Dell Optiplex GX280 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 5 Lynx is a text-based Web browser. An arbitrary command execution flaw was found in the Lynx "lynxcgi:" URI handler. An attacker could create a web page redirecting to a malicious URL that could execute arbitrary code as the user running Lynx in the non-default "Advanced" user mode. (CVE-2008-4690) Note: In these updated lynx packages, Lynx will always prompt users before loading a "lynxcgi:" URI. Additionally, the default lynx.cfg configuration file now marks all "lynxcgi:" URIs as untrusted by default. A flaw was found in a way Lynx handled ".mailcap" and ".mime.types" configuration files. Files in the browser's current working directory were opened before those in the user's home directory. A local attacker, able to convince a user to run Lynx in a directory under their control, could possibly execute arbitrary commands as the user running Lynx. (CVE-2006-7234) All users of Lynx are advised to upgrade to this updated package, which contains backported patches correcting these issues. Important Copyright 2008 Red Hat, Inc. CVE-2008-4690 CVE-2006-7234 CVE-2006-7234 lynx: .mailcap and .mime.types files read from CWD CVE-2008-4690 lynx: remote arbitrary command execution via a crafted lynxcgi: URL cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The Apache HTTP Server is a popular Web server. A flaw was found in the mod_proxy Apache module. An attacker in control of a Web server to which requests were being proxied could have caused a limited denial of service due to CPU consumption and stack exhaustion. (CVE-2008-2364) A flaw was found in the mod_proxy_ftp Apache module. If Apache was configured to support FTP-over-HTTP proxying, a remote attacker could have performed a cross-site scripting attack. (CVE-2008-2939) In addition, these updated packages fix a bug found in the handling of the "ProxyRemoteMatch" directive in the Red Hat Enterprise Linux 4 httpd packages. This bug is not present in the Red Hat Enterprise Linux 3 or Red Hat Enterprise Linux 5 packages. Users of httpd should upgrade to these updated packages, which contain backported patches to correct these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2008-2364 CVE-2008-2939 CVE-2008-2364 httpd: mod_proxy_http DoS via excessive interim responses from the origin server CVE-2008-2939 httpd: mod_proxy_ftp globbing XSS mod_proxy: ProxyRemoteMatch uses remote proxy if regex does *not* match cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The Simple Network Management Protocol (SNMP) is a protocol used for network management. A denial-of-service flaw was found in the way Net-SNMP processes SNMP GETBULK requests. A remote attacker who issued a specially-crafted request could cause the snmpd server to crash. (CVE-2008-4309) Note: An attacker must have read access to the SNMP server in order to exploit this flaw. In the default configuration, the community name "public" grants read-only access. In production deployments, it is recommended to change this default community name. All users of net-snmp should upgrade to these updated packages, which contain a backported patch to resolve this issue. Important Copyright 2008 Red Hat, Inc. CVE-2008-4309 CVE-2008-4309 net-snmp: numresponses calculation integer overflow in snmp_agent.c cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The kernel packages contain the Linux kernel, the core of any Linux operating system. * a flaw was found in the Linux kernel's Direct-IO implementation. This could have allowed a local unprivileged user to cause a denial of service. (CVE-2007-6716, Important) * when running ptrace in 31-bit mode on an IBM S/390 or IBM System z kernel, a local unprivileged user could cause a denial of service by reading from or writing into a padding area in the user_regs_struct32 structure. (CVE-2008-1514, Important) * the do_truncate() and generic_file_splice_write() functions did not clear the setuid and setgid bits. This could have allowed a local unprivileged user to obtain access to privileged information. (CVE-2008-4210, Important) * Tobias Klein reported a missing check in the Linux kernel's Open Sound System (OSS) implementation. This deficiency could have led to an information leak. (CVE-2008-3272, Moderate) * a potential denial of service attack was discovered in the Linux kernel's PWC USB video driver. A local unprivileged user could have used this flaw to bring the kernel USB subsystem into the busy-waiting state. (CVE-2007-5093, Low) * the ext2 and ext3 file systems code failed to properly handle corrupted data structures, leading to a possible local denial of service issue when read or write operations were performed. (CVE-2008-3528, Low) In addition, these updated packages fix the following bugs: * when using the CIFS "forcedirectio" option, appending to an open file on a CIFS share resulted in that file being overwritten with the data to be appended. * a kernel panic occurred when a device with PCI ID 8086:10c8 was present on a system with a loaded ixgbe driver. * due to an aacraid driver regression, the kernel failed to boot when trying to load the aacraid driver and printed the following error message: "aac_srb: aac_fib_send failed with status: 8195". * due to an mpt driver regression, when RAID 1 was configured on Primergy systems with an LSI SCSI IME 53C1020/1030 controller, the kernel panicked during boot. * the mpt driver produced a large number of extraneous debugging messages when performing a "Host reset" operation. * due to a regression in the sym driver, the kernel panicked when a SCSI hot swap was performed using MCP18 hardware. * all cores on a multi-core system now scale their frequencies in accordance with the policy set by the system's CPU frequency governor. * the netdump subsystem suffered from several stability issues. These are addressed in this updated kernel. * under certain conditions, the ext3 file system reported a negative count of used blocks. * reading /proc/self/mem incorrectly returned "Invalid argument" instead of "input/output error" due to a regression. * under certain conditions, the kernel panicked when a USB device was removed while the system was busy accessing the device. * a race condition in the kernel could have led to a kernel crash during the creation of a new process. All Red Hat Enterprise Linux 4 Users should upgrade to these updated packages, which contain backported patches to correct these issues. Important Copyright 2008 Red Hat, Inc. CVE-2008-3272 CVE-2007-6716 CVE-2007-5093 CVE-2008-1514 CVE-2008-3528 CVE-2008-4210 CVE-2007-5093 kernel PWC driver DoS CVE-2008-1514 kernel: ptrace: Padding area write - unprivileged kernel crash RHEL 4.6: scsi hot swap broken (sym / Nokia MCP18) CVE-2008-3272 kernel snd_seq_oss_synth_make_info leak CVE-2008-3528 Linux kernel ext[234] directory corruption denial of service CVE-2007-6716 kernel: dio: zero struct dio with kzalloc instead of manually CVE-2008-4210 kernel: open() call allows setgid bit when user is not in new file's group CIFS option forcedirectio fails to allow the appending of text to files. Negative used blocks reported with ext3 on RHEL4 regression, rhel4.7+, on the try to read /proc/self/mem getting improper return value [4.7] When the USB device is removed while the system is accessing the USB device, the panic is done. mpt 3.12.19.00rh on RHEL4.7 causes panic if a RAID 1 is configured. RHEL 4.7 ixgbe driver has a recursive stack corruption problem. netdump fails when bnx2 has remote copper PHY - Badness in local_bh_enable at kernel/softirq.c:141 kernel BUG at kernel/signal.c:369! (attempt to free tsk->signal twice) [REG][4.7]Outputting large amount of log message when issuing host reset to adapter. aac_fib_send failed with status 8195 add multi-core support to cpufreq driver cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The kernel packages contain the Linux kernel, the core of any Linux operating system. This update addresses the following security issues: * Tavis Ormandy discovered a deficiency in the Linux kernel 32-bit and 64-bit emulation. This could allow a local, unprivileged user to prepare and run a specially-crafted binary which would use this deficiency to leak uninitialized and potentially sensitive data. (CVE-2008-0598, Important) * a possible kernel memory leak was found in the Linux kernel Simple Internet Transition (SIT) INET6 implementation. This could allow a local, unprivileged user to cause a denial of service. (CVE-2008-2136, Important) * missing capability checks were found in the SBNI WAN driver which could allow a local user to bypass intended capability restrictions. (CVE-2008-3525, Important) * the do_truncate() and generic_file_splice_write() functions did not clear the setuid and setgid bits. This could allow a local, unprivileged user to obtain access to privileged information. (CVE-2008-4210, Important) * a buffer overflow flaw was found in Integrated Services Digital Network (ISDN) subsystem. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2007-6063, Moderate) * multiple NULL pointer dereferences were found in various Linux kernel network drivers. These drivers were missing checks for terminal validity, which could allow privilege escalation. (CVE-2008-2812, Moderate) * a deficiency was found in the Linux kernel virtual filesystem (VFS) implementation. This could allow a local, unprivileged user to attempt file creation within deleted directories, possibly causing a denial of service. (CVE-2008-3275, Moderate) This update also fixes the following bugs: * the incorrect kunmap function was used in nfs_xdr_readlinkres. kunmap() was used where kunmap_atomic() should have been. As a consequence, if an NFSv2 or NFSv3 server exported a volume containing a symlink which included a path equal to or longer than the local system's PATH_MAX, accessing the link caused a kernel oops. This has been corrected in this update. * mptctl_gettargetinfo did not check if pIoc3 was NULL before using it as a pointer. This caused a kernel panic in mptctl_gettargetinfo in some circumstances. A check has been added which prevents this. * lost tick compensation code in the timer interrupt routine triggered without apparent cause. When running as a fully-virtualized client, this spurious triggering caused the 64-bit version of Red Hat Enterprise Linux 3 to present highly inaccurate times. With this update the lost tick compensation code is turned off when the operating system is running as a fully-virtualized client under Xen or VMWare®. All Red Hat Enterprise Linux 3 users should install this updated kernel which addresses these vulnerabilities and fixes these bugs. Important Copyright 2008 Red Hat, Inc. CVE-2008-4210 CVE-2008-3275 CVE-2008-0598 CVE-2008-2136 CVE-2008-2812 CVE-2007-6063 CVE-2008-3525 CVE-2007-6063 Linux Kernel isdn_net_setcfg buffer overflow CVE-2008-0598 kernel: linux x86_64 ia32 emulation leaks uninitialized data wrong kunmap call in nfs_xdr_readlinkres CVE-2008-2136 kernel: sit memory leak CVE-2008-2812 kernel: NULL ptr dereference in multiple network drivers due to missing checks in tty code CVE-2008-3275 Linux kernel local filesystem DoS CVE-2008-3525 kernel: missing capability checks in sbni_ioctl() CVE-2008-4210 kernel: open() call allows setgid bit when user is not in new file's group cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 Adobe Reader allows users to view and print documents in Portable Document Format (PDF). Several input validation flaws were discovered in Adobe Reader. A malicious PDF file could cause Adobe Reader to crash or, potentially, execute arbitrary code as the user running Adobe Reader. (CVE-2008-2549, CVE-2008-2992, CVE-2008-4812, CVE-2008-4813, CVE-2008-4814, CVE-2008-4817) The Adobe Reader binary had an insecure relative RPATH (runtime library search path) set in the ELF (Executable and Linking Format) header. A local attacker able to convince another user to run Adobe Reader in an attacker-controlled directory could run arbitrary code with the privileges of the victim. (CVE-2008-4815) All acroread users are advised to upgrade to these updated packages, that contain Adobe Reader version 8.1.3, and are not vulnerable to these issues. Critical Copyright 2008 Red Hat, Inc. CVE-2008-2549 CVE-2008-2992 CVE-2008-4812 CVE-2008-4813 CVE-2008-4814 CVE-2008-4815 CVE-2008-4817 CVE-2009-0927 CVE-2008-2549 acroread: crash and possible code execution CVE-2008-4812 Adobe Reader: embedded font handling out-of-bounds array indexing CVE-2008-4813 Adobe Reader: PDF objects parsing and JavaScript getCosObj handling memory corruption flaw CVE-2008-2992 Adobe Reader: JavaScript util.printf() function buffer overflow CVE-2008-4814 Adobe Reader: arbitrary code execution via unspecified JavaScript method CVE-2008-4815 Adobe Reader: insecure RPATH flaw CVE-2008-4817 Adobe Reader: Download Manager input validation flaw cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Thunderbird is a standalone mail and newsgroup client. Several flaws were found in the processing of malformed HTML mail content. An HTML mail message containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code as the user running Thunderbird. (CVE-2008-5014, CVE-2008-5016, CVE-2008-5017, CVE-2008-5018, CVE-2008-5021) Several flaws were found in the way malformed HTML mail content was processed. An HTML mail message containing specially-crafted content could potentially trick a Thunderbird user into surrendering sensitive information. (CVE-2008-5012, CVE-2008-5022, CVE-2008-5024) All Thunderbird users should upgrade to these updated packages, which resolve these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2008-5014 CVE-2008-5016 CVE-2008-5017 CVE-2008-5018 CVE-2008-5021 CVE-2008-5012 CVE-2008-5022 CVE-2008-5024 CVE-2008-5052 CVE-2008-5012 Mozilla Image stealing via canvas and HTTP redirect CVE-2008-5014 Mozilla crash and remote code execution via __proto__ tampering CVE-2008-5016 Mozilla crash with evidence of memory corruption CVE-2008-5017 Mozilla crash with evidence of memory corruption CVE-2008-5018 Mozilla crash with evidence of memory corruption CVE-2008-5021 Mozilla crash and remote code execution in nsFrameManager CVE-2008-5022 Mozilla nsXMLHttpRequest::NotifyEventListeners() same-origin violation CVE-2008-5024 Mozilla parsing error in E4X default namespace cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 SeaMonkey is an open source Web browser, email and newsgroup client, IRC chat client, and HTML editor. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause SeaMonkey to crash or, potentially, execute arbitrary code as the user running SeaMonkey. (CVE-2008-0017, CVE-2008-5013, CVE-2008-5014, CVE-2008-5016, CVE-2008-5017, CVE-2008-5018, CVE-2008-5019, CVE-2008-5021) Several flaws were found in the way malformed content was processed. A web site containing specially-crafted content could potentially trick a SeaMonkey user into surrendering sensitive information. (CVE-2008-5012, CVE-2008-5022, CVE-2008-5023, CVE-2008-5024) All SeaMonkey users should upgrade to these updated packages, which contain backported patches to resolve these issues. Critical Copyright 2008 Red Hat, Inc. CVE-2008-0017 CVE-2008-5012 CVE-2008-5013 CVE-2008-5014 CVE-2008-5016 CVE-2008-5017 CVE-2008-5018 CVE-2008-5019 CVE-2008-5021 CVE-2008-5022 CVE-2008-5023 CVE-2008-5024 CVE-2008-5052 CVE-2008-5012 Mozilla Image stealing via canvas and HTTP redirect CVE-2008-5013 Mozilla Flash Player dynamic module unloading flaw CVE-2008-5014 Mozilla crash and remote code execution via __proto__ tampering CVE-2008-5016 Mozilla crash with evidence of memory corruption CVE-2008-5017 Mozilla crash with evidence of memory corruption CVE-2008-5018 Mozilla crash with evidence of memory corruption CVE-2008-5019 Mozilla XSS via session restore CVE-2008-0017 Mozilla buffer overflow in http-index-format parser CVE-2008-5021 Mozilla crash and remote code execution in nsFrameManager CVE-2008-5022 Mozilla nsXMLHttpRequest::NotifyEventListeners() same-origin violation CVE-2008-5023 Mozilla -moz-binding property bypasses security checks on codebase principals CVE-2008-5024 Mozilla parsing error in E4X default namespace cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Firefox is an open source Web browser. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code as the user running Firefox. (CVE-2008-0017, CVE-2008-5014, CVE-2008-5016, CVE-2008-5017, CVE-2008-5018, CVE-2008-5019, CVE-2008-5021) Several flaws were found in the way malformed content was processed. A web site containing specially-crafted content could potentially trick a Firefox user into surrendering sensitive information. (CVE-2008-5022, CVE-2008-5023, CVE-2008-5024) A flaw was found in the way Firefox opened "file:" URIs. If a file: URI was loaded in the same tab as a chrome or privileged "about:" page, the file: URI could execute arbitrary code with the permissions of the user running Firefox. (CVE-2008-5015) For technical details regarding these flaws, please see the Mozilla security advisories for Firefox 3.0.4. You can find a link to the Mozilla advisories in the References section. All firefox users should upgrade to these updated packages, which contain backported patches that correct these issues. Critical Copyright 2008 Red Hat, Inc. CVE-2008-0017 CVE-2008-5014 CVE-2008-5015 CVE-2008-5016 CVE-2008-5017 CVE-2008-5018 CVE-2008-5019 CVE-2008-5021 CVE-2008-5022 CVE-2008-5023 CVE-2008-5024 CVE-2008-5052 firefox-2.0-getstartpage.patch breaks extensions which set homepage CVE-2008-5014 Mozilla crash and remote code execution via __proto__ tampering CVE-2008-5015 Mozilla file: URIs inherit chrome privileges CVE-2008-5016 Mozilla crash with evidence of memory corruption CVE-2008-5017 Mozilla crash with evidence of memory corruption CVE-2008-5018 Mozilla crash with evidence of memory corruption CVE-2008-5019 Mozilla XSS via session restore CVE-2008-0017 Mozilla buffer overflow in http-index-format parser CVE-2008-5021 Mozilla crash and remote code execution in nsFrameManager CVE-2008-5022 Mozilla nsXMLHttpRequest::NotifyEventListeners() same-origin violation CVE-2008-5023 Mozilla -moz-binding property bypasses security checks on codebase principals CVE-2008-5024 Mozilla parsing error in E4X default namespace cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to do system management tasks. Vincent Danen reported, that Red Hat Security Advisory RHSA-2008:0897 did not properly address a denial of service flaw in the WEBrick (Ruby HTTP server toolkit), known as CVE-2008-3656. This flaw allowed a remote attacker to send a specially-crafted HTTP request to a WEBrick server that would cause the server to use excessive CPU time. This update properly addresses this flaw. (CVE-2008-4310) All Ruby users should upgrade to these updated packages, which contain a correct patch that resolves this issue. Moderate Copyright 2008 Red Hat, Inc. CVE-2008-4310 CVE-2008-4310 ruby: Incomplete fix for CVE-2008-3656 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The GnuTLS library provides support for cryptographic algorithms and for protocols such as Transport Layer Security (TLS). Martin von Gagern discovered a flaw in the way GnuTLS verified certificate chains provided by a server. A malicious server could use this flaw to spoof its identity by tricking client applications using the GnuTLS library to trust invalid certificates. (CVE-2008-4989) Users of GnuTLS are advised to upgrade to these updated packages, which contain a backported patch that corrects this issue. Moderate Copyright 2008 Red Hat, Inc. CVE-2008-4989 CVE-2008-4989 gnutls: certificate chain verification flaw cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 libxml2 is a library for parsing and manipulating XML files. It includes support for reading, modifying, and writing XML and HTML files. An integer overflow flaw causing a heap-based buffer overflow was found in the libxml2 XML parser. If an application linked against libxml2 processed untrusted, malformed XML content, it could cause the application to crash or, possibly, execute arbitrary code. (CVE-2008-4226) A denial of service flaw was discovered in the libxml2 XML parser. If an application linked against libxml2 processed untrusted, malformed XML content, it could cause the application to enter an infinite loop. (CVE-2008-4225) Red Hat would like to thank Drew Yao of the Apple Product Security team for reporting these issues. Users of libxml2 are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Important Copyright 2008 Red Hat, Inc. CVE-2008-4225 CVE-2008-4226 CVE-2008-4226 libxml2: integer overflow leading to memory corruption in xmlSAX2Characters CVE-2008-4225 libxml2: integer overflow leading to infinite loop in xmlBufferResize cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The tog-pegasus packages provide OpenPegasus Web-Based Enterprise Management (WBEM) services. WBEM is a platform and resource independent Distributed Management Task Force (DMTF) standard that defines a common information model and communication protocol for monitoring and controlling resources. Red Hat defines additional security enhancements for OpenGroup Pegasus WBEM services in addition to those defined by the upstream OpenGroup Pegasus release. For details regarding these enhancements, refer to the file "README.RedHat.Security", included in the Red Hat tog-pegasus package. After re-basing to version 2.7.0 of the OpenGroup Pegasus code, these additional security enhancements were no longer being applied. As a consequence, access to OpenPegasus WBEM services was not restricted to the dedicated users as described in README.RedHat.Security. An attacker able to authenticate using a valid user account could use this flaw to send requests to WBEM services. (CVE-2008-4313) Note: default SELinux policy prevents tog-pegasus from modifying system files. This flaw's impact depends on whether or not tog-pegasus is confined by SELinux, and on any additional CMPI providers installed and enabled on a particular system. Failed authentication attempts against the OpenPegasus CIM server were not logged to the system log as documented in README.RedHat.Security. An attacker could use this flaw to perform password guessing attacks against a user account without leaving traces in the system log. (CVE-2008-4315) All tog-pegasus users are advised to upgrade to these updated packages, which contain patches to correct these issues. Important Copyright 2008 Red Hat, Inc. CVE-2008-4313 CVE-2008-4315 CVE-2008-4313 tog-pegasus: WBEM services access not restricted to dedicated user after 2.7.0 rebase CVE-2008-4315 tog-pegasus: failed authentication attempts not logged via PAM cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 GNU enscript converts ASCII files to PostScript(R) language files and spools the generated output to a specified printer or saves it to a file. Enscript can be extended to handle different output media and includes options for customizing printouts. Two buffer overflow flaws were found in GNU enscript. An attacker could craft an ASCII file in such a way that it could execute arbitrary commands if the file was opened with enscript with the "special escapes" option (-e or --escapes) enabled. (CVE-2008-3863, CVE-2008-4306) All users of enscript should upgrade to these updated packages, which contain backported patches to correct these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2008-3863 CVE-2008-4306 CVE-2008-3863 enscript: "setfilename" special escape buffer overflow CVE-2008-4306 enscript: "font" special escape buffer overflows cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The kernel packages contain the Linux kernel, the core of any Linux operating system. * Olaf Kirch reported a flaw in the i915 kernel driver. This flaw could, potentially, lead to local privilege escalation. Note: the flaw only affects systems based on the Intel G33 Express Chipset and newer. (CVE-2008-3831, Important) * Miklos Szeredi reported a missing check for files opened with O_APPEND in the sys_splice(). This could allow a local, unprivileged user to bypass the append-only file restrictions. (CVE-2008-4554, Important) * a deficiency was found in the Linux kernel Stream Control Transmission Protocol (SCTP) implementation. This could lead to a possible denial of service if one end of a SCTP connection did not support the AUTH extension. (CVE-2008-4576, Important) In addition, these updated packages fix the following bugs: * on Itanium® systems, when a multithreaded program was traced using the command "strace -f", messages such as PANIC: attached pid 10740 exited PANIC: handle_group_exit: 10740 leader 10721 ... will be displayed, and after which the trace would stop. With these updated packages, "strace -f" command no longer results in these error messages, and strace terminates normally after tracing all threads. * on big-endian systems such as PowerPC, the getsockopt() function incorrectly returned 0 depending on the parameters passed to it when the time to live (TTL) value equaled 255. * when using an NFSv4 file system, accessing the same file with two separate processes simultaneously resulted in the NFS client process becoming unresponsive. * on AMD64 and Intel® 64 hypervisor-enabled systems, when a syscall correctly returned '-1' in code compiled on Red Hat Enterprise Linux 5, the same code, when run with the strace utility, would incorrectly return an invalid return value. This has been fixed: on AMD64 and Intel® 64 hypervisor-enabled systems, syscalls in compiled code return the same, correct values as syscalls run with strace. * on the Itanium® architecture, fully-virtualized guest domains created using more than 64 GB of memory caused other guest domains not to receive interrupts. This caused soft lockups on other guests. All guest domains are now able to receive interrupts regardless of their allotted memory. * when user-space used SIGIO notification, which was not disabled before closing a file descriptor and was then re-enabled in a different process, an attempt by the kernel to dereference a stale pointer led to a kernel crash. With this fix, such a situation no longer causes a kernel crash. * modifications to certain pages made through a memory-mapped region could have been lost in cases when the NFS client needed to invalidate the page cache for that particular memory-mapped file. * fully-virtualized Windows® guests became unresponsive due to the vIOSAPIC component being multiprocessor-unsafe. With this fix, vIOSAPIC is multiprocessor-safe and Windows guests do not become unresponsive. * on certain systems, keyboard controllers could not withstand continuous requests to switch keyboard LEDs on or off. This resulted in some or all key presses not being registered by the system. * on the Itanium® architecture, setting the "vm.nr_hugepages" sysctl parameter caused a kernel stack overflow resulting in a kernel panic, and possibly stack corruption. With this fix, setting vm.nr_hugepages works correctly. * hugepages allow the Linux kernel to utilize the multiple page size capabilities of modern hardware architectures. In certain configurations, systems with large amounts of memory could fail to allocate most of this memory for hugepages even if it was free. This could result, for example, in database restart failures. Users should upgrade to these updated packages, which contain backported patches to correct these issues. Important Copyright 2008 Red Hat, Inc. CVE-2008-3831 CVE-2008-4554 CVE-2008-4576 Local keyboard DoS through LED switching LTC41974-Pages of a memory mapped NFS file get corrupted. [Xen][5.2.z] softlockup occurs while creating a guest which has large memory. CVE-2008-3831 kernel: i915 kernel drm driver arbitrary ioremap kernel: rtc: fix kernel panic on second use of SIGIO notification CVE-2008-4576 kernel: sctp: Fix oops when INIT-ACK indicates that peer doesn't support AUTH CVE-2008-4554 kernel: don't allow splice() to files opened with O_APPEND [Xen][5.2] Network Performance Test causes Guest Hang. [REG][5.2] The trace of some threads unexpectedly stops when being traced by 'strace -f'. getsockopt() returning incorrectly in PPC [REG][5.2][NFSv4] Accessing the same file at the same time causes NFSv4 open() call to stall forever on NFS4ERR_DELAY [RHEL5.2]: Running strace with a bad syscall doesn't return -ENOSYS [REG][5.3] Kernel panics when you prepare hugepages. [RHEL5 patch] Allow hugepage allocation to use most of memory. cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 The Java Runtime Environment (JRE) contains the software and tools that users need to run applets and applications written using the Java programming language. A vulnerability was found in in Java Web Start. If a user visits a malicious website, an attacker could misuse this flaw to execute arbitrary code. (CVE-2008-2086) Additionally, these packages fix several other critical vulnerabilities. These are summarized in the "Advance notification of Security Updates for Java SE" from Sun Microsystems. Users of java-1.6.0-sun should upgrade to these updated packages, which correct these issues. Critical Copyright 2008 Red Hat, Inc. CVE-2008-2086 CVE-2008-5339 CVE-2008-5340 CVE-2008-5341 CVE-2008-5342 CVE-2008-5343 CVE-2008-5344 CVE-2008-5345 CVE-2008-5347 CVE-2008-5348 CVE-2008-5349 CVE-2008-5350 CVE-2008-5351 CVE-2008-5352 CVE-2008-5353 CVE-2008-5354 CVE-2008-5356 CVE-2008-5357 CVE-2008-5358 CVE-2008-5359 CVE-2008-5360 CVE-2008-2086 Java Web Start File Inclusion via System Properties Override cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 GNU enscript converts ASCII files to PostScript(R) language files and spools the generated output to a specified printer or saves it to a file. Enscript can be extended to handle different output media and includes options for customizing printouts. Several buffer overflow flaws were found in GNU enscript. An attacker could craft an ASCII file in such a way that it could execute arbitrary commands if the file was opened with enscript with the "special escapes" option (-e or --escapes) enabled. (CVE-2008-3863, CVE-2008-4306, CVE-2008-5078) All users of enscript should upgrade to these updated packages, which contain backported patches to correct these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2008-3863 CVE-2008-4306 CVE-2008-5078 CVE-2008-3863 enscript: "setfilename" special escape buffer overflow CVE-2008-4306 enscript: "font" special escape buffer overflows CVE-2008-5078 enscript: "epsf" special escape buffer overflows cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Pidgin is a multi-protocol Internet Messaging client. A denial-of-service flaw was found in Pidgin's MSN protocol handler. If a remote user was able to send, and the Pidgin user accepted, a carefully-crafted file request, it could result in Pidgin crashing. (CVE-2008-2955) A denial-of-service flaw was found in Pidgin's Universal Plug and Play (UPnP) request handling. A malicious UPnP server could send a request to Pidgin, causing it to download an excessive amount of data, consuming all available memory or disk space. (CVE-2008-2957) A flaw was found in the way Pidgin handled SSL certificates. The NSS SSL implementation in Pidgin did not properly verify the authenticity of SSL certificates. This could have resulted in users unknowingly connecting to a malicious SSL service. (CVE-2008-3532) In addition, this update upgrades pidgin from version 2.3.1 to version 2.5.2, with many additional stability and functionality fixes from the Pidgin Project. Note: the Secure Internet Live Conferencing (SILC) chat network protocol has recently changed, affecting all versions of pidgin shipped with Red Hat Enterprise Linux. Pidgin cannot currently connect to the latest version of the SILC server (1.1.14): it fails to properly exchange keys during initial login. This update does not correct this. Red Hat Bugzilla #474212 (linked to in the References section) has more information. Note: after the errata packages are installed, Pidgin must be restarted for the update to take effect. All Pidgin users should upgrade to these updated packages, which contains Pidgin version 2.5.2 and resolves these issues. Moderate Copyright 2008 Red Hat, Inc. CVE-2008-2955 CVE-2008-2957 CVE-2008-3532 User Tune (XEP-0118) shouldn't default on CVE-2008-2955 pidgin: remote DoS via MSN message with crafted file name CVE-2008-2957 pidgin: unrestricted download of arbitrary files triggered via UPnP CVE-2008-3532 pidgin: NSS plugin doesn't verify SSL certificates Failed to add new MSN group. The Font settings that I customized didn't apply to the outgoing message on the conversation window cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 The Java Runtime Environment (JRE) contains the software and tools that users need to run applets and applications written using the Java programming language. A vulnerability was found in in Java Web Start. If a user visits a malicious website, an attacker could misuse this flaw to execute arbitrary code. (CVE-2008-2086) Additionally, these packages fix several other vulnerabilities. These are summarized in the "Advance notification of Security Updates for Java SE" from Sun Microsystems. Users of java-1.5.0-sun should upgrade to these updated packages, which correct these issues. Critical Copyright 2008 Red Hat, Inc. CVE-2008-2086 CVE-2008-5339 CVE-2008-5340 CVE-2008-5341 CVE-2008-5342 CVE-2008-5343 CVE-2008-5344 CVE-2008-5345 CVE-2008-5346 CVE-2008-5348 CVE-2008-5349 CVE-2008-5350 CVE-2008-5351 CVE-2008-5352 CVE-2008-5353 CVE-2008-5354 CVE-2008-5356 CVE-2008-5357 CVE-2008-5359 CVE-2008-5360 CVE-2008-2086 Java Web Start File Inclusion via System Properties Override cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 3 The Common UNIX® Printing System (CUPS) provides a portable printing layer for UNIX operating systems. An integer overflow flaw, leading to a heap buffer overflow, was discovered in the Portable Network Graphics (PNG) decoding routines used by the CUPS image-converting filters, "imagetops" and "imagetoraster". An attacker could create a malicious PNG file that could, potentially, execute arbitrary code as the "lp" user if the file was printed. (CVE-2008-5286) CUPS users should upgrade to these updated packages, which contain a backported patch to correct this issue. Moderate Copyright 2008 Red Hat, Inc. CVE-2008-5286 CVE-2008-5286 cups: Incomplete fix for CVE-2008-1722 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The Common UNIX® Printing System (CUPS) provides a portable printing layer for UNIX operating systems. A null pointer dereference flaw was found in the way CUPS handled subscriptions for printing job completion notifications. A local user could use this flaw to crash the CUPS daemon by submitting a large number of printing jobs requiring mail notification on completion, leading to a denial of service. (CVE-2008-5183) Users of cups should upgrade to these updated packages, which contain a backported patch to correct this issue. Moderate Copyright 2008 Red Hat, Inc. CVE-2008-5183 CVE-2008-5183 cups: DoS (daemon crash) caused by the large number of subscriptions cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Firefox is an open source Web browser. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code as the user running Firefox. (CVE-2008-5500, CVE-2008-5501, CVE-2008-5502, CVE-2008-5511, CVE-2008-5512, CVE-2008-5513) Several flaws were found in the way malformed content was processed. A website containing specially-crafted content could potentially trick a Firefox user into surrendering sensitive information. (CVE-2008-5506, CVE-2008-5507) A flaw was found in the way Firefox stored attributes in XML User Interface Language (XUL) elements. A web site could use this flaw to track users across browser sessions, even if users did not allow the site to store cookies in the victim's browser. (CVE-2008-5505) A flaw was found in the way malformed URLs were processed by Firefox. This flaw could prevent various URL sanitization mechanisms from properly parsing a malicious URL. (CVE-2008-5508) A flaw was found in Firefox's CSS parser. A malicious web page could inject NULL characters into a CSS input string, possibly bypassing an application's script sanitization routines. (CVE-2008-5510) For technical details regarding these flaws, please see the Mozilla security advisories for Firefox 3.0.5. You can find a link to the Mozilla advisories in the References section. Note: after the errata packages are installed, Firefox must be restarted for the update to take effect. All firefox users should upgrade to these updated packages, which contain backported patches that correct these issues. Critical Copyright 2008 Red Hat, Inc. CVE-2008-5500 CVE-2008-5501 CVE-2008-5502 CVE-2008-5505 CVE-2008-5506 CVE-2008-5507 CVE-2008-5508 CVE-2008-5510 CVE-2008-5511 CVE-2008-5512 CVE-2008-5513 CVE-2008-5500 Layout engine crashes - Firefox 2 and 3 CVE-2008-5501 Layout engine crash - Firefox 3 only CVE-2008-5502 JavaScript engine crash - Firefox 3 only CVE-2008-5505 Firefox 3 User tracking via XUL persist attribute CVE-2008-5506 Firefox XMLHttpRequest 302 response disclosure CVE-2008-5507 Firefox Cross-domain data theft via script redirect error message CVE-2008-5508 Firefox errors parsing URLs with control characters CVE-2008-5510 Firefox null characters ignored by CSS parser CVE-2008-5511 Firefox XSS via XBL bindings to unloaded document CVE-2008-5512 Firefox JavaScript privilege escalation CVE-2008-5513 Firefox XSS vulnerabilities in SessionStore cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 SeaMonkey is an open source Web browser, email and newsgroup client, IRC chat client, and HTML editor. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause SeaMonkey to crash or, potentially, execute arbitrary code as the user running SeaMonkey. (CVE-2008-5500, CVE-2008-5501, CVE-2008-5502, CVE-2008-5504, CVE-2008-5511, CVE-2008-5512, CVE-2008-5513) Several flaws were found in the way malformed content was processed. A website containing specially-crafted content could potentially trick a SeaMonkey user into surrendering sensitive information. (CVE-2008-5503, CVE-2008-5506, CVE-2008-5507) A flaw was found in the way malformed URLs were processed by SeaMonkey. This flaw could prevent various URL sanitization mechanisms from properly parsing a malicious URL. (CVE-2008-5508) Note: after the errata packages are installed, SeaMonkey must be restarted for the update to take effect. All SeaMonkey users should upgrade to these updated packages, which contain backported patches to resolve these issues. Critical Copyright 2008 Red Hat, Inc. CVE-2008-5500 CVE-2008-5501 CVE-2008-5502 CVE-2008-5503 CVE-2008-5504 CVE-2008-5506 CVE-2008-5507 CVE-2008-5508 CVE-2008-5511 CVE-2008-5512 CVE-2008-5513 CVE-2008-5500 Layout engine crashes - Firefox 2 and 3 CVE-2008-5501 Layout engine crash - Firefox 3 only CVE-2008-5502 JavaScript engine crash - Firefox 3 only CVE-2008-5503 Firefox 2 Information stealing via loadBindingDocument CVE-2008-5504 Firefox 2 XSS attack vectors in feed preview CVE-2008-5506 Firefox XMLHttpRequest 302 response disclosure CVE-2008-5507 Firefox Cross-domain data theft via script redirect error message CVE-2008-5508 Firefox errors parsing URLs with control characters CVE-2008-5511 Firefox XSS via XBL bindings to unloaded document CVE-2008-5512 Firefox JavaScript privilege escalation CVE-2008-5513 Firefox XSS vulnerabilities in SessionStore cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 The BEA WebLogic JRockit JRE and SDK contains BEA WebLogic JRockit Virtual Machine and is certified for the Java™ 2 Platform, Standard Edition, v1.4.2. The java-1.4.2-bea packages are vulnerable to important security flaws and should no longer be used. Several flaws involving the handling of unsigned applets were found. A remote attacker could misuse an unsigned applet in order to connect to services on the host running the applet. (CVE-2008-3104) A buffer overflow vulnerability was found in the font processing code. This allowed remote attackers to extend the permissions of an untrusted applet or application, allowing it to read or write local files, as well as to execute local applications accessible to the user running the untrusted application. (CVE-2008-3108) The vulnerabilities concerning applets listed above can only be triggered in java-1.4.2-bea by calling the "appletviewer" application. BEA was acquired by Oracle® during 2008 (the acquisition was completed on April 29, 2008). Consequently, JRockit is now an Oracle offering and these issues are addressed in the current release of Oracle JRockit. Due to a license change by Oracle, however, Red Hat is unable to ship Oracle JRockit. Users who wish to continue using JRockit should get an update directly from Oracle: http://oracle.com/technology/software/products/jrockit/. Alternatives to Oracle JRockit include the Java 2 Technology Edition of the IBM® Developer Kit for Linux and the Sun™ Java SE Development Kit (JDK), both of which are available on the Extras or Supplementary channels. For Java 6 users, the new OpenJDK open source JDK will be included in Red Hat Enterprise Linux 5.3 and will be supported by Red Hat. This update removes the java-1.4.2-bea packages due to their known security vulnerabilities. Important Copyright 2008 Red Hat, Inc. CVE-2008-3104 Java RE allows Same Origin Policy to be Bypassed (6687932) CVE-2008-3108 Security Vulnerability with JRE fonts processing may allow Elevation of Privileges (6450319) cpe:/a:redhat:rhel_extras Supplementary for Red Hat Enterprise Linux 5 The BEA WebLogic JRockit JRE and SDK contains BEA WebLogic JRockit Virtual Machine and is certified for the Java™ 2 Platform, Standard Edition, v1.5.0. The java-1.5.0-bea packages are vulnerable to important security flaws and should no longer be used. A flaw was found in the Java Management Extensions (JMX) management agent. When local monitoring was enabled, remote attackers could use this flaw to perform illegal operations. (CVE-2008-3103) Several flaws involving the handling of unsigned applets were found. A remote attacker could misuse an unsigned applet in order to connect to services on the host running the applet. (CVE-2008-3104) Several flaws in the Java API for XML Web Services (JAX-WS) client and the JAX-WS service implementation were found. A remote attacker who could cause malicious XML to be processed by an application could access URLs, or cause a denial of service. (CVE-2008-3105, CVE-2008-3106) A buffer overflow vulnerability was found in the font processing code. This allowed remote attackers to extend the permissions of an untrusted applet or application, allowing it to read or write local files, as well as to execute local applications accessible to the user running the untrusted application. (CVE-2008-3108) The vulnerabilities concerning applets listed above can only be triggered in java-1.5.0-bea, by calling the "appletviewer" application. BEA was acquired by Oracle® during 2008 (the acquisition was completed on April 29, 2008). Consequently, JRockit is now an Oracle offering and these issues are addressed in the current release of Oracle JRockit. Due to a license change by Oracle, however, Red Hat is unable to ship Oracle JRockit. Users who wish to continue using JRockit should get an update directly from Oracle: http://oracle.com/technology/software/products/jrockit/. Alternatives to Oracle JRockit include the Java 2 Technology Edition of the IBM® Developer Kit for Linux and the Sun™ Java SE Development Kit (JDK), both of which are available on the Extras or Supplementary channels. For Java 6 users, the new OpenJDK open source JDK will be included in Red Hat Enterprise Linux 5.3 and will be supported by Red Hat. This update removes the java-1.5.0-bea packages due to their known security vulnerabilities. Important Copyright 2008 Red Hat, Inc. CVE-2008-3105 CVE-2008-3106 OpenJDK JAX-WS unauthorized URL access (6542088) CVE-2008-3103 OpenJDK JMX allows illegal operations with local monitoring (6332953) CVE-2008-3104 Java RE allows Same Origin Policy to be Bypassed (6687932) CVE-2008-3108 Security Vulnerability with JRE fonts processing may allow Elevation of Privileges (6450319) cpe:/a:redhat:rhel_extras Supplementary for Red Hat Enterprise Linux 5 The BEA WebLogic JRockit JRE and SDK contains BEA WebLogic JRockit Virtual Machine and is certified for the Java™ 2 Platform, Standard Edition, v1.6.0. The java-1.6.0-bea packages are vulnerable to important security flaws and should no longer be used. A flaw was found in the Java Management Extensions (JMX) management agent. When local monitoring was enabled, remote attackers could use this flaw to perform illegal operations. (CVE-2008-3103) Several flaws involving the handling of unsigned applets were found. A remote attacker could misuse an unsigned applet in order to connect to services on the host running the applet. (CVE-2008-3104) Several flaws in the Java API for XML Web Services (JAX-WS) client and the JAX-WS service implementation were found. A remote attacker who could cause malicious XML to be processed by an application could access URLs, or cause a denial of service. (CVE-2008-3105, CVE-2008-3106) Several flaws within the Java Runtime Environment's (JRE) scripting support were found. A remote attacker could grant an untrusted applet extended privileges, such as reading and writing local files, executing local programs, or querying the sensitive data of other applets. (CVE-2008-3109, CVE-2008-3110) The vulnerabilities concerning applets listed above can only be triggered in java-1.6.0-bea, by calling the "appletviewer" application. BEA was acquired by Oracle® during 2008 (the acquisition was completed on April 29, 2008). Consequently, JRockit is now an Oracle offering and these issues are addressed in the current release of Oracle JRockit. Due to a license change by Oracle, however, Red Hat is unable to ship Oracle JRockit. Users who wish to continue using JRockit should get an update directly from Oracle: http://oracle.com/technology/software/products/jrockit/. Alternatives to Oracle JRockit include the Java 2 Technology Edition of the IBM® Developer Kit for Linux and the Sun™ Java SE Development Kit (JDK), both of which are available on the Extras or Supplementary channels. For Java 6 users, the new OpenJDK open source JDK will be included in Red Hat Enterprise Linux 5.3 and will be supported by Red Hat. This update removes the java-1.6.0-bea packages due to their known security vulnerabilities. Important Copyright 2008 Red Hat, Inc. CVE-2008-3105 CVE-2008-3106 OpenJDK JAX-WS unauthorized URL access (6542088) CVE-2008-3103 OpenJDK JMX allows illegal operations with local monitoring (6332953) CVE-2008-3104 Java RE allows Same Origin Policy to be Bypassed (6687932) CVE-2008-3109 CVE-2008-3110 Security Vulnerabilities in the Java Runtime Environment Scripting Language Support (6529568, 6529579) cpe:/a:redhat:rhel_extras Supplementary for Red Hat Enterprise Linux 5 The flash-plugin package contains a Firefox-compatible Adobe Flash Player Web browser plug-in. A security flaw was found in the way Flash Player displayed certain SWF (Shockwave Flash) content. This may have made it possible to execute arbitrary code on a victim's machine, if the victim opened a malicious Adobe Flash file. (CVE-2008-5499) All users of Adobe Flash Player should install this updated package, which upgrades Flash Player to version 10.0.15.3 for users of Red Hat Enterprise Linux 5 Supplementary, and 9.0.152.0 for users of Red Hat Enterprise 3 and 4 Extras. Critical Copyright 2008 Red Hat, Inc. CVE-2008-5499 CVE-2008-5499 flash-plugin: Linux-specific code execution flaw via crafted SWF file cpe:/a:redhat:rhel_extras