Red Hat OVAL Patch Definition Merger 2 5.3 2011-09-30T09:53:45 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Thunderbird is a standalone mail and newsgroup client. Several flaws were found in the processing of malformed HTML mail content. An HTML mail message containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code as the user running Thunderbird. (CVE-2008-5500, CVE-2008-5501, CVE-2008-5502, CVE-2008-5511, CVE-2008-5512, CVE-2008-5513) Several flaws were found in the way malformed content was processed. An HTML mail message containing specially-crafted content could potentially trick a Thunderbird user into surrendering sensitive information. (CVE-2008-5503, CVE-2008-5506, CVE-2008-5507) Note: JavaScript support is disabled by default in Thunderbird; the above issues are not exploitable unless JavaScript is enabled. A flaw was found in the way malformed URLs were processed by Thunderbird. This flaw could prevent various URL sanitization mechanisms from properly parsing a malicious URL. (CVE-2008-5508) All Thunderbird users should upgrade to these updated packages, which resolve these issues. All running instances of Thunderbird must be restarted for the update to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2008-5500 CVE-2008-5501 CVE-2008-5502 CVE-2008-5503 CVE-2008-5506 CVE-2008-5507 CVE-2008-5508 CVE-2008-5511 CVE-2008-5512 CVE-2008-5513 CVE-2008-5500 Layout engine crashes - Firefox 2 and 3 CVE-2008-5501 Layout engine crash - Firefox 3 only CVE-2008-5502 JavaScript engine crash - Firefox 3 only CVE-2008-5503 Firefox 2 Information stealing via loadBindingDocument CVE-2008-5506 Firefox XMLHttpRequest 302 response disclosure CVE-2008-5507 Firefox Cross-domain data theft via script redirect error message CVE-2008-5508 Firefox errors parsing URLs with control characters CVE-2008-5511 Firefox XSS via XBL bindings to unloaded document CVE-2008-5512 Firefox JavaScript privilege escalation CVE-2008-5513 Firefox XSS vulnerabilities in SessionStore cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The xen packages contain the Xen tools and management daemons needed to manage virtual machines running on Red Hat Enterprise Linux. Xen was found to allow unprivileged DomU domains to overwrite xenstore values which should only be changeable by the privileged Dom0 domain. An attacker controlling a DomU domain could, potentially, use this flaw to kill arbitrary processes in Dom0 or trick a Dom0 user into accessing the text console of a different domain running on the same host. This update makes certain parts of the xenstore tree read-only to the unprivileged DomU domains. (CVE-2008-4405) It was discovered that the qemu-dm.debug script created a temporary file in /tmp in an insecure way. A local attacker in Dom0 could, potentially, use this flaw to overwrite arbitrary files via a symlink attack. Note: This script is not needed in production deployments and therefore was removed and is not shipped with updated xen packages. (CVE-2008-4993) This update also fixes the following bug: * xen calculates its running time by adding the hypervisor's up-time to the hypervisor's boot-time record. In live migrations of para-virtualized guests, however, the guest would over-write the new hypervisor's boot-time record with the boot-time of the previous hypervisor. This caused time-dependent processes on the guests to fail (for example, crond would fail to start cron jobs). With this update, the new hypervisor's boot-time record is no longer over-written during live migrations. All xen users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. The Xen host must be restarted for the update to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2008-4405 CVE-2008-4993 timer stops running after live migrate or dom0 reboot & save/restore of a Xen guest CVE-2008-4405 xen: Multiple unsafe uses of guest-writable data from xenstore CVE-2008-4993 xen: insecure temporary file use in qemu-dm.debug cpe:/a:redhat:rhel_virtualization cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 5 OpenSSL is a toolkit that implements Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength, general purpose, cryptography library. The Google security team discovered a flaw in the way OpenSSL checked the verification of certificates. An attacker in control of a malicious server, or able to effect a "man in the middle" attack, could present a malformed SSL/TLS signature from a certificate chain to a vulnerable client and bypass validation. (CVE-2008-5077) All OpenSSL users should upgrade to these updated packages, which contain backported patches to resolve these issues. For the update to take effect, all running OpenSSL client applications must be restarted, or the system rebooted. Important Copyright 2009 Red Hat, Inc. CVE-2008-5077 CVE-2008-5077 OpenSSL Incorrect checks for malformed signatures cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 GNOME VFS is the GNOME virtual file system. It provides a modular architecture and ships with several modules that implement support for various local and remote file systems as well as numerous protocols, including HTTP, FTP, and others. A buffer overflow flaw was discovered in the GNOME virtual file system when handling data returned by CDDB servers. If a user connected to a malicious CDDB server, an attacker could use this flaw to execute arbitrary code on the victim's machine. (CVE-2005-0706) Users of gnome-vfs and gnome-vfs2 are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. All running GNOME sessions must be restarted for the update to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2005-0706 CVE-2005-0706 grip,libcdaudio: buffer overflow caused by large amount of CDDB replies cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 D-Bus is a system for sending messages between applications. It is used for the system-wide message bus service and as a per-user-login-session messaging facility. A denial-of-service flaw was discovered in the system for sending messages between applications. A local user could send a message with a malformed signature to the bus causing the bus (and, consequently, any process using libdbus to receive messages) to abort. (CVE-2008-3834) All users are advised to upgrade to these updated dbus packages, which contain backported patch which resolve this issue. For the update to take effect, all running instances of dbus-daemon and all running applications using libdbus library must be restarted, or the system rebooted. Moderate Copyright 2009 Red Hat, Inc. CVE-2008-3834 CVE-2008-3834 dbus denial of service cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 SquirrelMail is an easy-to-configure, standards-based, webmail package written in PHP. It includes built-in PHP support for the IMAP and SMTP protocols, and pure HTML 4.0 page-rendering (with no JavaScript required) for maximum browser-compatibility, strong MIME support, address books, and folder manipulation. Ivan Markovic discovered a cross-site scripting (XSS) flaw in SquirrelMail caused by insufficient HTML mail sanitization. A remote attacker could send a specially-crafted HTML mail or attachment that could cause a user's Web browser to execute a malicious script in the context of the SquirrelMail session when that email or attachment was opened by the user. (CVE-2008-2379) It was discovered that SquirrelMail allowed cookies over insecure connections (ie did not restrict cookies to HTTPS connections). An attacker who controlled the communication channel between a user and the SquirrelMail server, or who was able to sniff the user's network communication, could use this flaw to obtain the user's session cookie, if a user made an HTTP request to the server. (CVE-2008-3663) Note: After applying this update, all session cookies set for SquirrelMail sessions started over HTTPS connections will have the "secure" flag set. That is, browsers will only send such cookies over an HTTPS connection. If needed, you can revert to the previous behavior by setting the configuration option "$only_secure_cookies" to "false" in SquirrelMail's /etc/squirrelmail/config.php configuration file. Users of squirrelmail should upgrade to this updated package, which contains backported patches to correct these issues. Moderate Copyright 2009 Red Hat, Inc. CVE-2008-2379 CVE-2008-3663 CVE-2008-3663 squirrelmail: session hijacking - secure flag not set for HTTPS-only cookies CVE-2008-2379 squirrelmail: XSS issue caused by an insufficient html mail sanitation cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Little Color Management System (LittleCMS, or simply "lcms") is a small-footprint, speed-optimized open source color management engine. Multiple insufficient input validation flaws were discovered in LittleCMS. An attacker could use these flaws to create a specially-crafted image file which could cause an application using LittleCMS to crash, or, possibly, execute arbitrary code when opened. (CVE-2008-5316, CVE-2008-5317) Users of lcms should upgrade to these updated packages, which contain backported patches to correct these issues. All running applications using lcms library must be restarted for the update to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2008-5316 CVE-2008-5317 CVE-2008-5316 lcms: insufficient input validation in ReadEmbeddedTextTag CVE-2008-5317 lcms: unsigned -> signed integer cast issue in cmsAllocGamma cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 The netpbm package contains a library of functions for editing and converting between various graphics file formats, including .pbm (portable bitmaps), .pgm (portable graymaps), .pnm (portable anymaps), .ppm (portable pixmaps), and others. An input validation flaw and multiple integer overflows were discovered in the JasPer library providing support for JPEG-2000 image format and used in the jpeg2ktopam and pamtojpeg2k converters. An attacker could create a carefully-crafted JPEG file which could cause jpeg2ktopam to crash or, possibly, execute arbitrary code as the user running jpeg2ktopam. (CVE-2007-2721, CVE-2008-3520) All users are advised to upgrade to these updated packages which contain backported patches which resolve these issues. Moderate Copyright 2009 Red Hat, Inc. CVE-2007-2721 CVE-2008-3520 CVE-2007-2721 jasper crash in jpc_qcx_getcompparms CVE-2008-3520 jasper: multiple integer overflows in jas_alloc calls cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Avahi is an implementation of the DNS Service Discovery and Multicast DNS specifications for Zeroconf Networking. It facilitates service discovery on a local network. Avahi and Avahi-aware applications allow you to plug your computer into a network and, with no configuration, view other people to chat with, see printers to print to, and find shared files on other computers. Hugo Dias discovered a denial of service flaw in avahi-daemon. A remote attacker on the same local area network (LAN) could send a specially-crafted mDNS (Multicast DNS) packet that would cause avahi-daemon to exit unexpectedly due to a failed assertion check. (CVE-2008-5081) All users are advised to upgrade to these updated packages, which contain a backported patch which resolves this issue. After installing the update, avahi-daemon will be restarted automatically. Moderate Copyright 2009 Red Hat, Inc. CVE-2008-5081 CVE-2008-5081 avahi: avahi-daemon DoS (application abort) via packet with source port 0 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The kernel packages contain the Linux kernel, the core of any Linux operating system. This update addresses the following security issues: * the sendmsg() function in the Linux kernel did not block during UNIX socket garbage collection. This could, potentially, lead to a local denial of service. (CVE-2008-5300, Important) * when fput() was called to close a socket, the __scm_destroy() function in the Linux kernel could make indirect recursive calls to itself. This could, potentially, lead to a local denial of service. (CVE-2008-5029, Important) * a deficiency was found in the Linux kernel virtual file system (VFS) implementation. This could allow a local, unprivileged user to make a series of file creations within deleted directories, possibly causing a denial of service. (CVE-2008-3275, Moderate) * a buffer underflow flaw was found in the Linux kernel IB700 SBC watchdog timer driver. This deficiency could lead to a possible information leak. By default, the "/dev/watchdog" device is accessible only to the root user. (CVE-2008-5702, Low) * the hfs and hfsplus file systems code failed to properly handle corrupted data structures. This could, potentially, lead to a local denial of service. (CVE-2008-4933, CVE-2008-5025, Low) * a flaw was found in the hfsplus file system implementation. This could, potentially, lead to a local denial of service when write operations were performed. (CVE-2008-4934, Low) This update also fixes the following bugs: * when running Red Hat Enterprise Linux 4.6 and 4.7 on some systems running Intel® CPUs, the cpuspeed daemon did not run, preventing the CPU speed from being changed, such as not being reduced to an idle state when not in use. * mmap() could be used to gain access to beyond the first megabyte of RAM, due to insufficient checks in the Linux kernel code. Checks have been added to prevent this. * attempting to turn keyboard LEDs on and off rapidly on keyboards with slow keyboard controllers, may have caused key presses to fail. * after migrating a hypervisor guest, the MAC address table was not updated, causing packet loss and preventing network connections to the guest. Now, a gratuitous ARP request is sent after migration. This refreshes the ARP caches, minimizing network downtime. * writing crash dumps with diskdump may have caused a kernel panic on Non-Uniform Memory Access (NUMA) systems with certain memory configurations. * on big-endian systems, such as PowerPC, the getsockopt() function incorrectly returned 0 depending on the parameters passed to it when the time to live (TTL) value equaled 255, possibly causing memory corruption and application crashes. * a problem in the kernel packages provided by the RHSA-2008:0508 advisory caused the Linux kernel's built-in memory copy procedure to return the wrong error code after recovering from a page fault on AMD64 and Intel 64 systems. This may have caused other Linux kernel functions to return wrong error codes. * a divide-by-zero bug in the Linux kernel process scheduler, which may have caused kernel panics on certain systems, has been resolved. * the netconsole kernel module caused the Linux kernel to hang when slave interfaces of bonded network interfaces were started, resulting in a system hang or kernel panic when restarting the network. * the "/proc/xen/" directory existed even if systems were not running Red Hat Virtualization. This may have caused problems for third-party software that checks virtualization-ability based on the existence of "/proc/xen/". Note: this update will remove the "/proc/xen/" directory on systems not running Red Hat Virtualization. All Red Hat Enterprise Linux 4 users should upgrade to these updated packages, which contain backported patches to resolve these issues. Important Copyright 2009 Red Hat, Inc. CVE-2008-3275 CVE-2008-4933 CVE-2008-4934 CVE-2008-5025 CVE-2008-5029 CVE-2008-5300 CVE-2008-5702 Local keyboard DoS through LED switching CVE-2008-3275 Linux kernel local filesystem DoS kernel: devmem: add range_is_allowed() check to mmap_mem() [rhel-4.7.z] CVE-2008-4933 kernel: hfsplus: fix Buffer overflow with a corrupted image CVE-2008-4934 kernel: hfsplus: check read_mapping_page() return value lost packets when live migrating (RHEL4 XEN) HP-Japan: RHEL4.6 diskdump fails when NUMA is on getsockopt() returning incorrectly in PPC CVE-2008-5029 kernel: Unix sockets kernel panic CVE-2008-5025 kernel: hfs: fix namelength memory corruption RHSA-2008:0508 linux-2.6.9-x86_64-copy_user-zero-tail.patch broken erroneous load balancing for isolated CPUs leads to divide-by-zero panic in find_busiest_group() netconsole hang the system on ifenslave operation CVE-2008-5300 kernel: fix soft lockups/OOM issues with unix socket garbage collector CVE-2008-5702 kernel: watchdog: ib700wdt.c - buffer_underflow bug Xen balloon driver on RHEL4 x86_64 with 2.6.9-78.0.1.ELsmp cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 The IBM 1.6.0 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. This update fixes several vulnerabilities in the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. These are summarized in the "Security Alerts" from IBM. All users of java-1.6.0-ibm are advised to upgrade to these updated packages, containing the IBM 1.6.0 SR3 Java release. Critical Copyright 2009 Red Hat, Inc. CVE-2008-2086 CVE-2008-5339 CVE-2008-5344 CVE-2008-5345 CVE-2008-5347 CVE-2008-5348 CVE-2008-5350 CVE-2008-5352 CVE-2008-5353 CVE-2008-5354 CVE-2008-5359 CVE-2008-5360 CVE-2008-5350 OpenJDK allows to list files within the user home directory (6484091) CVE-2008-5347 OpenJDK applet privilege escalation via JAX package access (6592792) CVE-2008-5348 OpenJDK Denial-Of-Service in kerberos authentication (6588160) CVE-2008-5360 OpenJDK temporary files have guessable file names (6721753) CVE-2008-5359 OpenJDK Buffer overflow in image processing (6726779) CVE-2008-5353 OpenJDK calendar object deserialization allows privilege escalation (6734167) CVE-2008-5354 OpenJDK Privilege escalation in command line applications (6733959) CVE-2008-5352 OpenJDK Jar200 Decompression buffer overflow (6755943) CVE-2008-2086 Java Web Start File Inclusion via System Properties Override CVE-2008-5339 JavaWebStart allows unauthorized network connections CVE-2008-5344 Java WebStart unprivileged local file and network access CVE-2008-5345 JRE allows unauthorized file access and connections to localhost cpe:/a:redhat:rhel_extras Supplementary for Red Hat Enterprise Linux 5 The IBM 1.5.0 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. This update fixes several vulnerabilities in the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. These are summarized in the "Security Alerts" from IBM. All users of java-1.5.0-ibm are advised to upgrade to these updated packages, containing the IBM 1.5.0 SR9 Java release. Critical Copyright 2009 Red Hat, Inc. CVE-2008-2086 CVE-2008-5339 CVE-2008-5340 CVE-2008-5341 CVE-2008-5342 CVE-2008-5343 CVE-2008-5344 CVE-2008-5345 CVE-2008-5346 CVE-2008-5348 CVE-2008-5349 CVE-2008-5350 CVE-2008-5351 CVE-2008-5352 CVE-2008-5353 CVE-2008-5354 CVE-2008-5356 CVE-2008-5357 CVE-2008-5359 CVE-2008-5360 CVE-2008-5350 OpenJDK allows to list files within the user home directory (6484091) CVE-2008-5349 OpenJDK RSA public key length denial-of-service (6497740) CVE-2008-5348 OpenJDK Denial-Of-Service in kerberos authentication (6588160) CVE-2008-5360 OpenJDK temporary files have guessable file names (6721753) CVE-2008-5359 OpenJDK Buffer overflow in image processing (6726779) CVE-2008-5351 OpenJDK UTF-8 decoder accepts non-shortest form sequences (4486841) CVE-2008-5356 OpenJDK Font processing vulnerability (6733336) CVE-2008-5353 OpenJDK calendar object deserialization allows privilege escalation (6734167) CVE-2008-5354 OpenJDK Privilege escalation in command line applications (6733959) CVE-2008-5357 OpenJDK Truetype Font processing vulnerability (6751322) CVE-2008-5352 OpenJDK Jar200 Decompression buffer overflow (6755943) CVE-2008-2086 Java Web Start File Inclusion via System Properties Override CVE-2008-5339 JavaWebStart allows unauthorized network connections CVE-2008-5340 Java WebStart privilege escalation CVE-2008-5341 Java Web Start exposes username and the pathname of the JWS cache CVE-2008-5342 Java Web Start BasicService displays local files in the browser CVE-2008-5343 Java WebStart allows hidden code privilege escalation CVE-2008-5344 Java WebStart unprivileged local file and network access CVE-2008-5345 JRE allows unauthorized file access and connections to localhost CVE-2008-5346 JRE allows unauthorized memory read access via a crafted ZIP file cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 5 The xterm program is a terminal emulator for the X Window System. A flaw was found in the xterm handling of Device Control Request Status String (DECRQSS) escape sequences. An attacker could create a malicious text file (or log entry, if unfiltered) that could run arbitrary commands if read by a victim inside an xterm window. (CVE-2008-2383) All xterm users are advised to upgrade to the updated package, which contains a backported patch to resolve this issue. All running instances of xterm must be restarted for the update to take effect. Important Copyright 2009 Red Hat, Inc. CVE-2008-2383 CVE-2008-2383 xterm: arbitrary command injection cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 5 BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols. A flaw was discovered in the way BIND checked the return value of the OpenSSL DSA_do_verify function. On systems using DNSSEC, a malicious zone could present a malformed DSA certificate and bypass proper certificate validation, allowing spoofing attacks. (CVE-2009-0025) For users of Red Hat Enterprise Linux 3 this update also addresses a bug which can cause BIND to occasionally exit with an assertion failure. All BIND users are advised to upgrade to the updated package, which contains a backported patch to resolve this issue. After installing the update, BIND daemon will be restarted automatically. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-0025 named dies due to assertion failure CVE-2009-0025 bind: DSA_do_verify() returns check issue cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 libvirt is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. libvirt also provides tools for remotely managing virtualized systems. The libvirtd daemon was discovered to not properly check user connection permissions before performing certain privileged actions, such as requesting migration of an unprivileged guest domain to another system. A local user able to establish a read-only connection to libvirtd could use this flaw to perform actions that should be restricted to read-write connections. (CVE-2008-5086) libvirt_proxy, a setuid helper application allowing non-privileged users to communicate with the hypervisor, was discovered to not properly validate user requests. Local users could use this flaw to cause a stack-based buffer overflow in libvirt_proxy, possibly allowing them to run arbitrary code with root privileges. (CVE-2009-0036) All users are advised to upgrade to these updated packages, which contain backported patches which resolve these issues. After installing the update, libvirtd must be restarted manually (for example, by issuing a "service libvirtd restart" command), and guest systems rebooted, for this change to take effect. Moderate Copyright 2011 Red Hat, Inc. CVE-2008-5086 CVE-2009-0036 CVE-2008-5086 libvirt: missing checks for read-only connection CVE-2009-0036 libvirt: libvirt_proxy buffer overflow cpe:/a:redhat:rhel_virtualization Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The Network Time Protocol (NTP) is used to synchronize a computer's time with a referenced time source. A flaw was discovered in the way the ntpd daemon checked the return value of the OpenSSL EVP_VerifyFinal function. On systems using NTPv4 authentication, this could lead to an incorrect verification of cryptographic signatures, allowing time-spoofing attacks. (CVE-2009-0021) Note: This issue only affects systems that have enabled NTP authentication. By default, NTP authentication is not enabled. All ntp users are advised to upgrade to the updated packages, which contain a backported patch to resolve this issue. After installing the update, the ntpd daemon will restart automatically. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-0021 CVE-2009-0021 ntp incorrectly checks for malformed signatures cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 5 SquirrelMail is an easy-to-configure, standards-based, webmail package written in PHP. It includes built-in PHP support for the IMAP and SMTP protocols, and pure HTML 4.0 page-rendering (with no JavaScript required) for maximum browser-compatibility, strong MIME support, address books, and folder manipulation. The Red Hat SquirrelMail packages provided by the RHSA-2009:0010 advisory introduced a session handling flaw. Users who logged back into SquirrelMail without restarting their web browsers were assigned fixed session identifiers. A remote attacker could make use of that flaw to hijack user sessions. (CVE-2009-0030) SquirrelMail users should upgrade to this updated package, which contains a patch to correct this issue. As well, all users who used affected versions of SquirrelMail should review their preferences. Important Copyright 2009 Red Hat, Inc. CVE-2009-0030 CVE-2009-1580 Squirrelmail session management broken by security backport CVE-2009-0030 squirrelmail: session management flaw cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Dovecot is an IMAP server for Linux and UNIX-like systems, primarily written with security in mind. A flaw was found in Dovecot's ACL plug-in. The ACL plug-in treated negative access rights as positive rights, which could allow an attacker to bypass intended access restrictions. (CVE-2008-4577) A password disclosure flaw was found with Dovecot's configuration file. If a system had the "ssl_key_password" option defined, any local user could view the SSL key password. (CVE-2008-4870) Note: This flaw did not allow the attacker to acquire the contents of the SSL key. The password has no value without the key file which arbitrary users should not have read access to. To better protect even this value, however, the dovecot.conf file now supports the "!include_try" directive. The ssl_key_password option should be moved from dovecot.conf to a new file owned by, and only readable and writable by, root (ie 0600). This file should be referenced from dovecot.conf by setting the "!include_try [/path/to/password/file]" option. Additionally, this update addresses the following bugs: * the dovecot init script -- /etc/rc.d/init.d/dovecot -- did not check if the dovecot binary or configuration files existed. It also used the wrong pid file for checking the dovecot service's status. This update includes a new init script that corrects these errors. * the %files section of the dovecot spec file did not include "%dir %{ssldir}/private". As a consequence, the /etc/pki/private/ directory was not owned by dovecot. (Note: files inside /etc/pki/private/ were and are owned by dovecot.) With this update, the missing line has been added to the spec file, and the noted directory is now owned by dovecot. * in some previously released versions of dovecot, the authentication process accepted (and passed along un-escaped) passwords containing characters that had special meaning to dovecot's internal protocols. This updated release prevents such passwords from being passed back, instead returning the error, "Attempted login with password having illegal chars". Note: dovecot versions previously shipped with Red Hat Enterprise Linux 5 did not allow this behavior. This update addresses the issue above but said issue was only present in versions of dovecot not previously included with Red Hat Enterprise Linux 5. Users of dovecot are advised to upgrade to this updated package, which addresses these vulnerabilities and resolves these issues. Low Copyright 2009 Red Hat, Inc. CVE-2008-4577 CVE-2008-4870 Wrong init script dovecot.conf is world readable - possible password exposure new dovecot security issues from the dovecot site dovecot should own /etc/pki/dovecot/private directory CVE-2008-4577 dovecot: incorrect handling of negative rights in the ACL plugin CVE-2008-4870 dovecot: ssl_key_password disclosure due to an insecure dovecot.conf permissions cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The Linux kernel (the core of the Linux operating system) These updated packages contain 730 bug fixes and enhancements for the Linux kernel. Space precludes a detailed description of each of these changes in this advisory and users are therefore directed to the release notes for Red Hat Enterprise Linux 5.3 for information on 97 of the most significant of these changes. Details of three security-related bug fixes are set out below, along with notes on other broad categories of change not covered in the release notes. For more detailed information on specific bug fixes or enhancements, please consult the Bugzilla numbers listed in this advisory. * when fput() was called to close a socket, the __scm_destroy() function in the Linux kernel could make indirect recursive calls to itself. This could, potentially, lead to a denial of service issue. (CVE-2008-5029, Important) * a flaw was found in the Asynchronous Transfer Mode (ATM) subsystem. A local, unprivileged user could use the flaw to listen on the same socket more than once, possibly causing a denial of service. (CVE-2008-5079, Important) * a race condition was found in the Linux kernel "inotify" watch removal and umount implementation. This could allow a local, unprivileged user to cause a privilege escalation or a denial of service. (CVE-2008-5182, Important) * Bug fixes and enhancements are provided for: * support for specific NICs, including products from the following manufacturers: Broadcom Chelsio Cisco Intel Marvell NetXen Realtek Sun * Fiber Channel support, including support for Qlogic qla2xxx, qla4xxx, and qla84xx HBAs and the FCoE, FCP, and zFCP protocols. * support for various CPUs, including: AMD Opteron processors with 45 nm SOI ("Shanghai") AMD Turion Ultra processors Cell processors Intel Core i7 processors * Xen support, including issues specific to the IA64 platform, systems using AMD processors, and Dell Optiplex GX280 systems * ext3, ext4, GFS2, NFS, and SPUFS * Infiniband (including eHCA, eHEA, and IPoIB) support * common I/O (CIO), direct I/O (DIO), and queued direct I/O (qdio) support * the kernel distributed lock manager (DLM) * hardware issues with: SCSI, IEEE 1394 (FireWire), RAID (including issues specific to Adaptec controllers), SATA (including NCQ), PCI, audio, serial connections, tape-drives, and USB * ACPI, some of a general nature and some related to specific hardware including: certain Lenovo Thinkpad notebooks, HP DC7700 systems, and certain machines based on Intel Centrino processor technology. * CIFS, including Kerberos support and a tech-preview of DFS support * networking support, including IPv6, PPPoE, and IPSec * support for Intel chipsets, including: Intel Cantiga chipsets Intel Eagle Lake chipsets Intel i915 chipsets Intel i965 chipsets Intel Ibex Peak chipsets Intel chipsets offering QuickPath Interconnects (QPI) * device mapping issues, including some in device mapper itself * various issues specific to IA64 and PPC * CCISS, including support for Compaq SMART Array controllers P711m and P712m and other new hardware * various issues affecting specific HP systems, including: DL785G5 XW4800 XW8600 XW8600 XW9400 * IOMMU support, including specific issues with AMD and IBM Calgary hardware * the audit subsystem * DASD support * iSCSI support, including issues specific to Chelsio T3 adapters * LVM issues * SCTP management information base (MIB) support * issues with: autofs, kdump, kobject_add, libata, lpar, ptrace, and utrace * IBM Power platforms using Enhanced I/O Error Handling (EEH) * EDAC issues for AMD K8 and Intel i5000 * ALSA, including support for new hardware * futex support * hugepage support * Intelligent Platform Management Interface (IPMI) support * issues affecting NEC/Stratus servers * OFED support * SELinux * various Virtio issues All users are advised to upgrade to these updated packages, which resolve these issues and add these enhancements. Important Copyright 2009 Red Hat, Inc. CVE-2008-5029 CVE-2008-5079 CVE-2008-5182 CVE-2008-5300 acpi processor module displays errors if hyperthreading disabled GFS2 will panic if you misspell any mount options When bonding is used and IPV6 is enabled the message of 'kernel: bond0: duplicate address detected!' is output [RHEL5] console: kobject_add failed IPv6 default route does not work audit tty input Misspellings in RPM description, suggested clarifications RHEL5 Kernel patches for blktap statistics use after free in nlm subsystem IPSec Packet has no Non-ESP marker [RFE] Add support for Wacom PTZ-431W to kernel Read from /proc/ppc64/rtas/error_log does not honor O_NONBLOCK duplicate packet from ipt_CLUSTERIP module [RHEL5] EDAC k8 MC0: extended error code: GART error Marvell NIC using skge driver loses promiscuous mode on rewiring kernel-xen panic when X shuts down Driver sky2 lost support for Marvell 88E8056 network controller memory leak on size-8192 buckets with NFSV4 Please add vscnprintf and down_write_trylock to KABI Whitelist resize2fs online resize fails with small journal Xenoprof check_ctrs/start/stop fixes for intel family 6 fix default route doesn't work. Need EOE (End of Event) audit message sent from kernel. Audit subsystem SIGUSR2 support nVidia MCP55 MCP55 Ethernet (rev a3) not functional on kernel 2.6.18-53.1.4 [RHEL5 U2] Connectathon RHEL5 client to RHEL4 server, Connectathon failure soft lockup while unmounting a read-only filesystem with errors RHEL5.2: ecryptfs oops after lower persistent file creation failure Make dm interfaces available for external modules. [RHEL5 U2] Audit fails to shutdown properly [firewire] unable to use disk (giving up on config rom) [firewire] unable to use disk (fw_sbp2: failed to login to ...) [firewire] ohci iso receive support incomplete utrace: PTRACE_POKEUSR_AREA corrupts ACR0 SCSI IO errors do not propagate properly with certain SCSI devices mounting CIFS subshare doesn't autoconvert prepath delimiters GFS2: d_doio stuck in readv() waiting for pagelock. memory corruption due to portmap call succeeding after parent rpc_clnt has been freed kernel panic with voip traffic (h323) sr #1768018 : numlock led does not reflect the status of numlock xenkbd can crash when probe fails utrace: ERESTARTSYS from calling a function from a debugger fix up remaining sctp MIB problems kernel freezes when running script which features ecryptfs parts of kernel whitelist: iounmap(ia64) - Failed ABI dependencies for IA64 mpt SCSI drivers LTC41974-Pages of a memory mapped NFS file get corrupted. 50-75 % drop in nfs-server rewrite performance compared to rhel 4.6+ [Areca 5.3 feat] Update arcmsr to version 1.20.00.15.RH1 tg3.c does not build on sparc with > 2.6.18-53.el5 e1000_clean_tx_irq: Detected Tx Unit Hang - 82546EB Rpm install fails due to missing symbols required in myri10ge-kmod x86_64 rpm remove extraneous error field from nfs_readdir_descriptor_t fix bad merge in nfs3_write_done and nfs3_commit_done batch kprobe unregister gfs2 crash - BUG: unable to handle kernel NULL pointer dereference at virtual address utrace: orig_rax 0x00000000ffffffff not recognized as -1 /proc/<pid>/environ not always accessible when receiving PTRACE_EVENT_EXIT Poor LVM mirroring performance ia64: suspecious compile warning in brew backport patch to RHEL5 have it flip to synchronous writes when there is a write error LTC:5.4:201049:DM-MP SCSI Hardware Handlers Assertion failure in journal_next_log_block Assertion failure in journal_start() at fs/jbd/transaction.c:274: 'handle->h_transaction->t_journal == journal' [RFE] Add uvcvideo module to the kernel. kernel: splice: fix bad unlock_page() in error case [rhel-5.3] kernel: dio: zero struct dio with kzalloc instead of manually [rhel-5.3] xen/ia64 asm missing srlz instruction ecryptfs module incorrectly checks error codes in process_request_key_err panic in aoe:aoecmd_ata_rsp during direct I/O to lvm [snap,mirror,stripe] HP DC7700 ACPI problem RHEL 5.1 will incorrectly mark SCSI devices as offline due to improper error handling Fake ARP dropped after migration leading to loss of network connectivity mptscsi race between hotremove and mptscsih_bus_reset do not limit locked memory when RLIMIT_MEMLOCK is RLIM_INFINITY Backport fix for possible data corruption in mark_buffer_dirty on SMP [5.2][kdump][xen] crash failed to read vmcore from Dom0 Kernel Xen Support more than 16 disk devices (kernel) launching too many guests panics with "No available IRQ to bind to: increase NR_IRQS!" IPV6DOD: ESP with 3des-cbc for encrypt and authentication set to "null" libata: sata_nv - disable ADMA by default Include xenpv-driver in bare metal kernel rpm. fix setuid/setgid clearing by knfsd cp -p does not copy mtime to CIFS share ls shows two /proc/[pid]/limits files for every process [REG][Xen][5.2beta] cannot open a vmcore of xen-kdump with crash kernel dm snapshot: PPC64: kernel OOPS during activation of snapshot with small chunksize ST Driver causing kernel panic condition RHEL 5.3 NULL pointer dereferenced in powernowk8_init RFE: [Ext4 enabler] backport vfs helpers to facilitate ext4 backport and testing IPV6DOD: all MCAST_* socket options fail with 32-bit app, 64-bit kernel due to padding xentop - incompatibility between HV and userspace toolset kernel doesn't honor ADDR_NO_RANDOMIZE for stack high I/O wait using 3w-9xxx iBFT target info not parsed properly by the iscsi_ibft module oops in cifs module while trying to stop a thread (kthread_stop) during filesystem mount softlockup when repeatedly dropping caches BusLogic module can't compile in the rhel 5.2 beta kernel [RFE] DTR/DSR flow control Feature: allow panic on softlockup warnings clean up CIFS build warnings [PATCH][RHEL5.1] Performance Improvement of fdatasync(2) in case of Overwrite Direct I/O cache invalidation after sync writes debugfs: file/directory creation error [RHEL5] k8_edac: typo in 'EDAC k8 MC0: GART TLB errorr: ' [RHEL5 U2] iwl4965 -> compat module taints kernel CIFS: slab error in kmem_cache_destroy(): cache `cifs_request': Can't free all objects BUG: Don't reserve crashkernel memory > 4 GB on ia64 IPV6DOD: xfrm reverse icmp feature does not seem to work correctly. jbd races lead to EIO for O_DIRECT Add support for filetype option in audit subsystem Access to firewire devices is still allowed after the device is removed from the bus. CIFS VFS: Send error in FindClose = -9 DM failing path due to a communication failure on a single i/o JBD: Fix typo that could result in filesystem corruption. GFS2: lock_dlm is not always delivering callbacks in the right order ssh connection hangs when running command producing large text output after running "service iptables restart" FEAT: Update ieee80211 component and associated drivers FEAT: Add rt2x00 drivers FEAT: Add rtl818x drivers RHEL5.3: update ecryptfs kernelspace to 2.6.26 codebase FEAT: RHEL5.3 update acpi-cpufreq driver Guest OS install causes host machine to crash Add gate.lds to Documentation/dontdiff dlm: fixes for mixed endian cluster dlm: fixes for recovery of user lockspace dlm: keep cached master rsbs during recovery dlm: save master info after failed no-queue request dlm: check for null in device_write [rhel-5.3] dlm: fix basts for granted CW waiting PR/CW dlm: move plock code from gfs2 Ensure that 'noac' and/or 'actimeo=0' turn off attribute caching bonding driver can leave rtnl_lock unbalanced GFS2: cannot use fifo nodes (named pipes) FEAT: RHEL5.3 backport fallocate syscall [Stratus 5.3 bug] kernel NULL pointer dereference at usbdev_read Unbalance reference count in ndisc_recv_ns s2io intr_type documentation inaccurate FEAT: RHEL 5.3 HDA ALSA driver update from mainstream Rpmbuild generates incorrect packages due to typos in the kernel-2.6.spec file. [Stratus 5.3][2/2] ttyS1 lost interrupt and it stops transmitting ip tunnel can't be bound to another device deadlock when rpc_malloc tries to flush NFS pages RHEL5.3: SB600/700 SATA controller PMP support Handle invalid ACPI SLIT table Multiple outstanding ptc.g instruction support a check for a buggy HP SAL caused problems booting as a guest in a virtual machine Update 3w-xxxx to version 1.26.03.000-2.6.18RH Update 3w-9xxx to version 2.26.08.003-2.6.18RH gfs2: BUG: unable to handle kernel paging request at ffff81002690e000 kernel BUG at arch/i386/mm/highmem-xen.c:43! with errata/RHBA-2008-0314 installed CONFIG_AUDITSYSCALL requires SELinux Actual & placeholder funcs have differing param counts r8169 driver broken in 2.6.18-92+ kernels. Missing functions in UP kernel deadlock when lockd tries to take f_sema that it already has [RHEL5.2]: Running strace with a bad syscall doesn't return -ENOSYS [QLogic 5.3 bug] qla2xxx- provide additional statistics to user update CIFS for RHEL5.3 [aacraid] aac_srb: aac_fib_send failed with status 8195 RTL8111/8168B network card does not work virtual ethernet device stops working on reception of duplicate backend state change signals Error in the uhci code causes usb not to work with iommu=calgary boot option [QLogic 5.3 feat] [1/n] qla2xxx- Upstream updates: 8.01.07-k7 [5.2][nfs] ls -l shows outdated timestamp [RHEL5.3] LTP test failure in inotify02 testcase 'xm info' does not show correct info in 'node_to_cpu' field on ia64 document divider= option in kernel docs PTRACE_KILL does not kill the child process, rather than the child starts running freely. v4l2 ioctl debug messages cannot be turned off IPsec memory leak Altix Partitioned System x86: show apicid for cpu in proc x86: don't call MP_processor_info for disabled cpu x86: don't call MP_processor_info for disabled cpu (64bit) x86: fix PAE pmd_bad bootup warning FEAT: RHEL 5.3: (1/2) Increase deep idle state residency on idle platforms using Nehalem class processors FEAT: RHEL 5.3: (2/2) Increase deep idle state residency on idle platforms using Nehalem class processors RFE: delalloc helpers for ext4 kernel NULL pointer dereference in kobject_get_path [NEC/Stratus 5.3 bug] various crashes in md - rdev removed in the middle of ITERATE_RDEV 2.6.26 backport of "check physical address range in ioremap" into RHEL5-U3 backport of fix endless page faults in mount_block_root for Linux 2.6 from 2.6.26 to RHEL5-U3 Backport of don't use large pages to map the first 2/4MB of memory form 2.6.26 to RHEL5-U3 close system call returns -ERESTARTSYS Under heavy memory usage dma_alloc_coherent does not return aligned address [QLogic 5.3 feat] qla2xxx - mgmt. API, CT pass thru kernel: fix array out of bounds when mounting with selinux options [rhel-5.3] Need to add 3 dlm symbols to the kernel whitelist RHEL 5.3 HDA ALSA driver update from upstream 2008-07-22 (fixes and support for new hw) kernel: serial open/close loop disables irq [rhel-5.3] IPMI: Restrict keyboard io port reservation GFS2: glock dumping misses out some glocks GFS2: d_rwdirectempty fails with short read [Kdump] not work on HP-XW8600 [QLogic 5.3 feat] [0/n] qla2xxx- Netlink, FCoE management API ipv6: use timer pending to fix bridge reference count problem [rhel-5.3] pppoe: Check packet length on all receive paths [rhel-5.3] pppoe: Unshare skb before anything else [rhel-5.3] ide-cd: fix oops when using growisofs [rhel-5.3] ecryptfs page-sized memory allocations can corrupt memory [IA64] Fix SMP-unsafe with XENMEM_add_to_physmap on HVM RHEL5.3: misc ecryptfs fixes from 2.6.27 hang in ad_rx_machine due to second attempt to lock spin_lock dlm get_comm() uses NULL pointer GFS2 : gfs2meta is FUBAR RTL8101E performance problem Backport NetXen nic driver from upstream kernel to RHEL5.3 kprobes remove causing kernel panic on ia64 with 2.6.18-92.1.10.el5 kernel kernel: random32: seeding improvement [rhel-5.3] [TAHI] DAD test failure when ipv6_autoconf=yes GFS2: rm on multiple nodes causes panic enable userspace kernel header check [5.0] kdump hangs up by Sysrq+C trigger Make oprofile recognize Nehalem Problem with aic79xx GFS2: glock deadlock in page fault path FEAT: RHEL 5.3 ext4 tech preview autofs problem with symbolic links kernel: dlm: dlm/user.c input validation fixes [rhel-5.3] Kernel BUG at fs/nfs/namespace.c:103 (:nfs:nfs_follow_mountpoint) Oprofile need to enable/disable all the counters for intel family 6 write barriers not supported, ext3 does not complain Panic while using pci=use_crs for resource allocation pppoe: Fix skb_unshare_check call position [rhel-5.3] kernel dm mpath: fix several problems in dm-mapth target error paths kernel dm crypt: use cond_resched [RHEL5.3]: Hang when booting an i386 domU on an i386 HV RHEL5.3: Patch to support new AMD HDMI Audio dm-snap.c: Data read from snapshot may be corrupt if origin is being written to simultaneously ext4 assembly bitops failures on s390 kernel: cpufreq: fix format string bug [rhel-5.3] kernel: binfmt_misc.c: avoid potential kernel stack overflow [rhel-5.3] Performance degradation due to excessive spinlocking in the block layer when using logical volume that spans too many physical volumes [TAHI] no echo reply for loopback address dlm_recoverd in D state when using IPv6 to comunicate between nodes [QLogic 5.3 feat] [3/n] qla2xxx - Upstream updates: 8.02.00-k5 to 8.02.00-k6 GFS2: Multiple writer performance issue. utrace signal handling bug interferes with systemtap uprobes IPsec crash with MAC longer than 16 bytes network hangs and BUG() message at boot with -105.el5debug kernel Kernel obsoletes existing Driver Updates on install CIFS option forcedirectio fails to allow the appending of text to files. kernel: alsa: asoc: fix double free and memory leak in many codec drivers [rhel-5.3] CIFS: enable DFS support as tech-preview in RHEL5.3 Need SCSI transport and LLD netlink support. backport upstream kernel support for private futexes to RHEL 5.3 kernel Nested LVM can cause deadlock due to kcopyd Deadlock possibility with nested LVMs with snapshots kernel: devmem: add range_is_allowed() check to mmap_mem() [rhel-5.3] Significant regression in time() performance [QLogic 5.3 bug] qla2xxx/qla84xx: Fix 128Kb limitation in netlink messages; /proc/xen on bare-metal and FV guests causes multiple issues crypto: hmac(md5) self-test panics system [RHEL5] nmi: crash during kdump kernel boot net: Enable TSO if supported by at least one device [qlogic 5.3 bug] qla2xxx - Set rport dev loss timeout consistently [QLogic 5.3 bug] qla2xxx - Additional residual-count corrections during UNDERRUN handling. dlm: add old plock interface [QLogic 5.3 bug] Update qla2xxx - PCI EE error handling support Fix NUL handling in TTY input auditing BUG: warning when pata_sil680 loaded spufs in RHEL5.3: missing context switch notification log Netboot image for ppc too large libata: rmmod pata_sil680 never returns from ata_port_detach Regression: Tape commands are possibly retried if there is a loss of connectivity while it is running RHEL5.3: ext4 warning on x86 build RHEL 5.3: fix scsi regression causing udev to hang loading sr_mod Regression: multipath was setting the REQ_FAILFAST flags which caused a performance drop RHEL5.3: ecryptfs memory corruption [RHEL5.3] Kernel-xen Oops EIP is at range_straddles_page_boundary+0x2c/0xd9 EEPROM/NVM of the e1000e becomes corrupted xm trigger <domain> init causes kernel panic. [QLogic 5.3 bug] qla2xxx/qla84xxx: Advertise qla84xx firmware rev. fix netlink code incorrect ATA7 handing in kernel causing ABRT errors [QLogic 5.3 bug] Update qla2xxx version to meet open source standards. [5.3] makedumpfile: Can't get necessary symbols for excluding free pages. panic in kcopyd during snapshot I/O GFS2: recovery stuck RHEL5.3: posix-timers race condition causes timer to seize up Question for LUKS device passhprase unreadable when using Xen Interactive installation fails with ext4dev root partition /dev/agpart missing for intel i965 HW/82G965 Graphics RHEL5.3: Modify SATA IDE mode quirk [RHEL5.3] kernel kernel BUG at kernel/exit.c:1129! [QLogic 5.3 bug] latest qlogic driver takes several minutes to find LUNs on older qla2xx controller avc: denied { sys_resource } when using ext4dev partitions On RHEL 5.2 32 bit rmmod bonding results in a kernel panic when configured in balance-tlb mode GFS2: Hang when shrink_slab calls gfs2_delete_inode (the GFP_NOFS bit) RHEL 5.3: allow tcp socket buffers grow to larger than a page size [RHEL5] patch enabling deep C states makes a RHTS machine hang on boot RHEL 5.3: minor virtio_net_fixes kernel-xen doesn't boot on Dell Optiplex GX280 getsockopt() returning incorrectly in PPC [autofs4] Incorrect "active offset mount" messages in syslog writing data to file can fail and cause panic sometimes when using xattr on ecryptfs dlm: add dlm_posix_set_fsid to kABI RHEL5.3: Regression in ext3/jbd [QLogic 5.3 bug] qla2xxx - restore disable by default of MSI, MSI-X [QLogic 5.3 bug] qla2xxx - Correct Atmel flash-part handling initscripts upgrade from 8.45.17 to 8.45.19 breaks arp_ip_target [QLogic 5.3 bug] qla2xxx - fails to report Option Rom version information [Stratus/NEC 5.3 bug] System can crash when removing input device bnx2x + 57711 MCA on BL870c iwlagn (Montevina & Santa Rosa) fails to get associated with AP by NetworkManager frequently [QLogic 5.3 bug] qla3xxx, qla4xxx- Update version numbers and use new format. [All Partners 5.3 bug] allow both ACPI code paths to use the same blacklist dmi_table correctly Various firewire bugs fixed upstream firewire module unload hangs libata: avoid overflow in ata_tf_to_lba48() when tf->hba_lbal> 127 kernel panic seen in ptrace_induce_signal in run of rhts test /tools/gdb/gdb-any/ RHEL53 Beta1: network installation through cxgb3 interface failed if the adapter firmware doesn't match the cxgb3 device driver requst firmware level in rhel53. CVE-2008-5029 kernel: Unix sockets kernel panic cifs: data corruption due to interleaved partial writes timing out system-config-soundcard is not working on RHEL5.3 GA-snapshot1 [Emulex 5.3 bug] Update lpfc to version 8.2.0.33.3p Netdump not functioning w/ bnx2 >= v1.8h (Broadcom Netxtreme II Network Card) gdb on ppc hangs, then panics with a kill -9 [QLogic 5.3 bug] qla2xxx - No NPIV for Loop connections. libata: Avoid overflow in ata_tf_read_block() when tf->hba_lbal > 127 max_phys_segments violation with dm-linear + md raid1 + cciss statically linked uuid segfaults in uuid_generate() on Xen kernel dlm: fix up memory allocation flags [Broadcom 5.3 bug] bnx2: add PCI-IDs for 5716s [Brocade/Dell 5.3 bug] hts failing memory test with EDAC i5000 Non-Fatal error RHEL5.3 e1000e: enable ECC correction on 82571 silicon CVE-2008-5182 kernel: fix inotify watch removal/umount races [QLogic 5.3 bug] qla2xx/qla84xx - Failure to establish link. Need to build xen-platform-pci as a module and not into the kernel kernel panic when modprobe -r acpi_cpufreq on centrino platform with kernel newer than 2.6.18-118 RHEL 5.3: allow tun/tap support larger MTU sizes RHEL 5.3: allow virtio_net support larger MTU sizes RHEL 5.3: implement virtio_net mergeable receive buffer allocate scheme CVE-2008-5079 Linux Kernel 'atm module' Local Denial of Service RHEL5.3: Calgary DMA errors on IBM systems [QLogic 5.3 bug] qla4xxx - Add checks for <TargetName, ISID, TargetPortGroupTag> fcoe: fix terminate_rport_io related problems kdump panic introduced by hpet fix on systems without HPET [RHEL 5.3 Xen]: Guest hang on FV save/restore RHEL5.3 pv guests crash randomly on reboot orders. cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Firefox is an open source Web browser. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code as the user running Firefox. (CVE-2009-0352, CVE-2009-0353, CVE-2009-0356) Several flaws were found in the way malformed content was processed. A website containing specially-crafted content could, potentially, trick a Firefox user into surrendering sensitive information. (CVE-2009-0354, CVE-2009-0355) A flaw was found in the way Firefox treated HTTPOnly cookies. An attacker able to execute arbitrary JavaScript on a target site using HTTPOnly cookies may be able to use this flaw to steal the cookie. (CVE-2009-0357) A flaw was found in the way Firefox treated certain HTTP page caching directives. A local attacker could steal the contents of sensitive pages which the page author did not intend to be cached. (CVE-2009-0358) For technical details regarding these flaws, please see the Mozilla security advisories for Firefox 3.0.6. You can find a link to the Mozilla advisories in the References section. All Firefox users should upgrade to these updated packages, which contain Firefox version 3.0.6, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect. Critical Copyright 2009 Red Hat, Inc. CVE-2009-0352 CVE-2009-0353 CVE-2009-0354 CVE-2009-0355 CVE-2009-0356 CVE-2009-0357 CVE-2009-0358 missing dependency on pkgconfig in the -devel subpackage CVE-2009-0352 Firefox layout crashes with evidence of memory corruption CVE-2009-0353 Firefox javascript crashes with evidence of memory corruption CVE-2009-0354 Firefox XSS using a chrome XBL method and window.eval CVE-2009-0355 Firefox local file stealing with SessionStore CVE-2009-0356 Firefox Chrome privilege escalation via local .desktop files CVE-2009-0357 Firefox XMLHttpRequest allows reading HTTPOnly cookies CVE-2009-0358 Firefox directives to not cache pages ignored cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 SeaMonkey is an open source Web browser, email and newsgroup client, IRC chat client, and HTML editor. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause SeaMonkey to crash or, potentially, execute arbitrary code as the user running SeaMonkey. (CVE-2009-0352, CVE-2009-0353) A flaw was found in the way malformed content was processed. A website containing specially-crafted content could, potentially, trick a SeaMonkey user into uploading a local file. (CVE-2009-0355) A flaw was found in the way SeaMonkey treated HTTPOnly cookies. An attacker able to execute arbitrary JavaScript on a target site using HTTPOnly cookies may be able to use this flaw to steal the cookie. (CVE-2009-0357) All SeaMonkey users should upgrade to these updated packages, which contain backported patches that correct these issues. After installing the update, SeaMonkey must be restarted for the changes to take effect. Critical Copyright 2009 Red Hat, Inc. CVE-2009-0352 CVE-2009-0353 CVE-2009-0355 CVE-2009-0357 CVE-2009-0352 Firefox layout crashes with evidence of memory corruption CVE-2009-0353 Firefox javascript crashes with evidence of memory corruption CVE-2009-0355 Firefox local file stealing with SessionStore CVE-2009-0357 Firefox XMLHttpRequest allows reading HTTPOnly cookies cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Thunderbird is a standalone mail and newsgroup client. Several flaws were found in the processing of malformed HTML mail content. An HTML mail message containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code as the user running Thunderbird. (CVE-2009-0352, CVE-2009-0353, CVE-2009-0772, CVE-2009-0774, CVE-2009-0775) Several flaws were found in the way malformed content was processed. An HTML mail message containing specially-crafted content could potentially trick a Thunderbird user into surrendering sensitive information. (CVE-2009-0355, CVE-2009-0776) Note: JavaScript support is disabled by default in Thunderbird. None of the above issues are exploitable unless JavaScript is enabled. All Thunderbird users should upgrade to this updated package, which resolves these issues. All running instances of Thunderbird must be restarted for the update to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-0352 CVE-2009-0353 CVE-2009-0355 CVE-2009-0772 CVE-2009-0774 CVE-2009-0775 CVE-2009-0776 CVE-2009-0352 Firefox layout crashes with evidence of memory corruption CVE-2009-0353 Firefox javascript crashes with evidence of memory corruption CVE-2009-0355 Firefox local file stealing with SessionStore CVE-2009-0772 Firefox 2 and 3 - Layout engine crashes CVE-2009-0774 Firefox 2 and 3 crashes in the JavaScript engine CVE-2009-0775 Firefox XUL Linked Clones Double Free Vulnerability CVE-2009-0776 Firefox XML data theft via RDFXMLDataSource and cross-domain redirect cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The mod_auth_mysql package includes an extension module for the Apache HTTP Server which can be used to implement web user authentication against a MySQL database. A flaw was found in the way mod_auth_mysql escaped certain multibyte-encoded strings. If mod_auth_mysql was configured to use a multibyte character set that allowed a backslash '\' as part of the character encodings, a remote attacker could inject arbitrary SQL commands into a login request. (CVE-2008-2384) Note: This flaw only affected non-default installations where AuthMySQLCharacterSet is configured to use one of the affected multibyte character sets. Installations that did not use the AuthMySQLCharacterSet configuration option were not vulnerable to this flaw. All mod_auth_mysql users are advised to upgrade to the updated package, which contains a backported patch to resolve this issue. After installing the update, the httpd daemon must be restarted for the fix to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2008-2384 CVE-2008-2384 mod_auth_mysql: character encoding SQL injection flaw cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 5 Virtual Network Computing (VNC) is a remote display system which allows you to view a computer's "desktop" environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine architectures. An insufficient input validation flaw was discovered in the VNC client application, vncviewer. If an attacker could convince a victim to connect to a malicious VNC server, or when an attacker was able to connect to vncviewer running in the "listen" mode, the attacker could cause the victim's vncviewer to crash or, possibly, execute arbitrary code. (CVE-2008-4770) Users of vncviewer should upgrade to these updated packages, which contain a backported patch to resolve this issue. For the update to take effect, all running instances of vncviewer must be restarted after the update is installed. Moderate Copyright 2009 Red Hat, Inc. CVE-2008-4770 VNC Free Edition 4.1.3 fixes a possible security vulnerability only present in the listening viewer. VNC Server is not compromised. CVE-2008-4770 vnc: vncviewer insufficient encoding value validation in CMsgReader::readRect cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The kernel packages contain the Linux kernel, the core of any Linux operating system. This update addresses the following security issues: * a memory leak in keyctl handling. A local user could use this flaw to deplete kernel memory, eventually leading to a denial of service. (CVE-2009-0031, Important) * a buffer overflow in the Linux kernel Partial Reliable Stream Control Transmission Protocol (PR-SCTP) implementation. This could, potentially, lead to a denial of service if a Forward-TSN chunk is received with a large stream ID. (CVE-2009-0065, Important) * a flaw when handling heavy network traffic on an SMP system with many cores. An attacker who could send a large amount of network traffic could create a denial of service. (CVE-2008-5713, Important) * the code for the HFS and HFS Plus (HFS+) file systems failed to properly handle corrupted data structures. This could, potentially, lead to a local denial of service. (CVE-2008-4933, CVE-2008-5025, Low) * a flaw was found in the HFS Plus (HFS+) file system implementation. This could, potentially, lead to a local denial of service when write operations are performed. (CVE-2008-4934, Low) In addition, these updated packages fix the following bugs: * when using the nfsd daemon in a clustered setup, kernel panics appeared seemingly at random. These panics were caused by a race condition in the device-mapper mirror target. * the clock_gettime(CLOCK_THREAD_CPUTIME_ID, ) syscall returned a smaller timespec value than the result of previous clock_gettime() function execution, which resulted in a negative, and nonsensical, elapsed time value. * nfs_create_rpc_client was called with a "flavor" parameter which was usually ignored and ended up unconditionally creating the RPC client with an AUTH_UNIX flavor. This caused problems on AUTH_GSS mounts when the credentials needed to be refreshed. The credops did not match the authorization type, which resulted in the credops dereferencing an incorrect part of the AUTH_UNIX rpc_auth struct. * when copy_user_c terminated prematurely due to reading beyond the end of the user buffer and the kernel jumped to the exception table entry, the rsi register was not cleared. This resulted in exiting back to user code with garbage in the rsi register. * the hexdump data in s390dbf traces was incomplete. The length of the data traced was incorrect and the SAN payload was read from a different place then it was written to. * when using connected mode (CM) in IPoIB on ehca2 hardware, it was not possible to transmit any data. * when an application called fork() and pthread_create() many times and, at some point, a thread forked a child and then attempted to call the setpgid() function, then this function failed and returned and ESRCH error value. Users should upgrade to these updated packages, which contain backported patches to correct these issues. Note: for this update to take effect, the system must be rebooted. Important Copyright 2009 Red Hat, Inc. CVE-2008-4933 CVE-2008-4934 CVE-2008-5025 CVE-2008-5713 CVE-2009-0031 CVE-2009-0065 CVE-2008-4933 kernel: hfsplus: fix Buffer overflow with a corrupted image CVE-2008-4934 kernel: hfsplus: check read_mapping_page() return value CVE-2008-5025 kernel: hfs: fix namelength memory corruption CVE-2008-5713 kernel: soft lockup occurs when network load is very high CVE-2009-0065 kernel: sctp: memory overflow when FWD-TSN chunk is received with bad stream ID IB/ipoib: data transmission fails in connected mode on any HCA RHEL5.2/3 - setpgid() returns ESRCH in some situations CVE-2009-0031 kernel: local denial of service in keyctl_join_session_keyring zfcp: fix hexdump data in s390dbf traces RHSA-2008:0508 linux-2.6.9-x86_64-copy_user-zero-tail.patch broken Kernel panic in auth_rpcgss:__gss_find_upcall oops in mirror_map (dm-raid1.c) [5.3] clock_gettime() syscall returns a smaller timespec value than previous. cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The sudo (superuser do) utility allows system administrators to give certain users the ability to run commands as root with logging. A flaw was discovered in a way sudo handled group specifications in "run as" lists in the sudoers configuration file. If sudo configuration allowed a user to run commands as any user of some group and the user was also a member of that group, sudo incorrectly allowed them to run defined commands with the privileges of any system user. This gave the user unintended privileges. (CVE-2009-0034) Users of sudo should update to this updated package, which contains a backported patch to resolve this issue. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-0034 CVE-2009-0034 sudo: incorrect handling of groups in Runas_User cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The gstreamer-plugins package contains plug-ins used by the GStreamer streaming-media framework to support a wide variety of media types. An array indexing error was found in the GStreamer's QuickTime media file format decoding plug-in. An attacker could create a carefully-crafted QuickTime media .mov file that would cause an application using GStreamer to crash or, potentially, execute arbitrary code if played by a victim. (CVE-2009-0398) All users of gstreamer-plugins are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the update, all applications using GStreamer (such as nautilus-media) must be restarted for the changes to take effect. Important Copyright 2009 Red Hat, Inc. CVE-2009-0398 CVE-2009-0398 gstreamer-plugins: Array index error while parsing malformed QuickTime media files cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The gstreamer-plugins package contains plugins used by the GStreamer streaming-media framework to support a wide variety of media types. A heap buffer overflow was found in the GStreamer's QuickTime media file format decoding plug-in. An attacker could create a carefully-crafted QuickTime media .mov file that would cause an application using GStreamer to crash or, potentially, execute arbitrary code if played by a victim. (CVE-2009-0397) All users of gstreamer-plugins are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the update, all applications using GStreamer (such as rhythmbox) must be restarted for the changes to take effect. Important Copyright 2009 Red Hat, Inc. CVE-2009-0397 CVE-2009-0397 gstreamer-plugins, gstreamer-plugins-good: heap-based buffer overflow while parsing malformed QuickTime media files via crafted Time-to-sample (stss) atom data cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 GStreamer is a streaming media framework, based on graphs of filters which operate on media data. GStreamer Good Plug-ins is a collection of well-supported, GStreamer plug-ins of good quality released under the LGPL license. Multiple heap buffer overflows and an array indexing error were found in the GStreamer's QuickTime media file format decoding plugin. An attacker could create a carefully-crafted QuickTime media .mov file that would cause an application using GStreamer to crash or, potentially, execute arbitrary code if played by a victim. (CVE-2009-0386, CVE-2009-0387, CVE-2009-0397) All users of gstreamer-plugins-good are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the update, all applications using GStreamer (such as totem or rhythmbox) must be restarted for the changes to take effect. Important Copyright 2009 Red Hat, Inc. CVE-2009-0386 CVE-2009-0387 CVE-2009-0397 CVE-2009-0397 gstreamer-plugins, gstreamer-plugins-good: heap-based buffer overflow while parsing malformed QuickTime media files via crafted Time-to-sample (stss) atom data CVE-2009-0386 gstreamer-plugins-good: heap-based buffer overflow while parsing malformed QuickTime media files via crafted Composition Time To Sample (aka ctts) atom data CVE-2009-0387 gstreamer-plugins-good: Array index error while parsing malformed QuickTime media files via crafted Sync Sample (aka stss) atom data cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The imap package provides server daemons for both the IMAP (Internet Message Access Protocol) and POP (Post Office Protocol) mail access protocols. A buffer overflow flaw was discovered in the dmail and tmail mail delivery utilities shipped with imap. If either of these utilities were used as a mail delivery agent, a remote attacker could potentially use this flaw to run arbitrary code as the targeted user by sending a specially-crafted mail message to the victim. (CVE-2008-5005) Users of imap should upgrade to these updated packages, which contain a backported patch to resolve this issue. Moderate Copyright 2009 Red Hat, Inc. CVE-2008-5005 CVE-2008-5005 uw-imap: buffer overflow in dmail and tmail cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Simple Network Management Protocol (SNMP) is a protocol used for network management. It was discovered that the snmpd daemon did not use TCP wrappers correctly, causing network hosts access restrictions defined in "/etc/hosts.allow" and "/etc/hosts.deny" to not be honored. A remote attacker could use this flaw to bypass intended access restrictions. (CVE-2008-6123) This issue only affected configurations where hosts.allow and hosts.deny were used to limit access to the SNMP server. To obtain information from the server, the attacker would have to successfully authenticate, usually by providing a correct community string. All net-snmp users should upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the update, the snmpd and snmptrapd daemons will be restarted automatically. Moderate Copyright 2009 Red Hat, Inc. CVE-2008-6123 CVE-2008-6123 net-snmp: incorrect application of hosts access restrictions in hosts.{allow,deny} cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The International Components for Unicode (ICU) library provides robust and full-featured Unicode services. A flaw was found in the way ICU processed certain, invalid, encoded data. If an application used ICU to decode malformed, multibyte, character data, it may have been possible to bypass certain content protection mechanisms, or display information in a manner misleading to the user. (CVE-2008-1036) All users of icu should upgrade to these updated packages, which contain backported patches to resolve these issues. Moderate Copyright 2009 Red Hat, Inc. CVE-2008-1036 CVE-2008-1036 ICU: Invalid character sequences omission during conversion of some character encodings (XSS attack possible) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Common UNIX® Printing System (CUPS) provides a portable printing layer for UNIX operating systems. The CUPS security advisory, RHSA-2008:0937, stated that it fixed CVE-2008-3640 for Red Hat Enterprise Linux 3, 4, and 5. It was discovered this flaw was not properly fixed on Red Hat Enterprise Linux 3, however. (CVE-2009-0577) These new packages contain a proper fix for CVE-2008-3640 on Red Hat Enterprise Linux 3. Red Hat Enterprise Linux 4 and 5 already contain the appropriate fix for this flaw and do not need to be updated. Users of cups should upgrade to these updated packages, which contain a backported patch to correct this issue. Important Copyright 2009 Red Hat, Inc. CVE-2009-0577 CVE-2009-0577 cups-CVE-2008-3640.patch has been corrupted. cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Wireshark is a program for monitoring network traffic. Wireshark was previously known as Ethereal. Multiple buffer overflow flaws were found in Wireshark. If Wireshark read a malformed packet off a network or opened a malformed dump file, it could crash or, possibly, execute arbitrary code as the user running Wireshark. (CVE-2008-4683, CVE-2009-0599) Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malformed dump file. (CVE-2008-4680, CVE-2008-4681, CVE-2008-4682, CVE-2008-4684, CVE-2008-4685, CVE-2008-5285, CVE-2009-0600) Users of wireshark should upgrade to these updated packages, which contain Wireshark version 1.0.6, and resolve these issues. All running instances of Wireshark must be restarted for the update to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2008-4680 CVE-2008-4681 CVE-2008-4682 CVE-2008-4683 CVE-2008-4684 CVE-2008-4685 CVE-2008-5285 CVE-2008-6472 CVE-2009-0599 CVE-2009-0600 CVE-2008-4680 wireshark: DoS (app crash or abort) via malformed USB Request Block (URB). CVE-2008-4681 wireshark: DoS (app crash or abort) in Bluetooth RFCOMM dissector via unknown packets CVE-2008-4682 wireshark: DoS (app abort) via a malformed .ncf file with an unknown/unexpected packet type CVE-2008-4683 wireshark: DoS (app crash or abort) in Bluetooth ACL dissector via a packet with an invalid length CVE-2008-4684 wireshark: DoS (app crash) via certain series of packets by enabling the (1) PRP or (2) MATE post dissector CVE-2008-4685 wireshark: DoS (app crash or abort) in Q.931 dissector via certain packets CVE-2008-5285 wireshark: DoS (infinite loop) in SMTP dissector via large SMTP request CVE-2009-0599 wireshark: buffer overflows in NetScreen snoop file reader CVE-2009-0600 wireshark: denial of service (application crash) via a crafted Tektronix K12 text capture file cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Firefox is an open source Web browser. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code as the user running Firefox. (CVE-2009-0040, CVE-2009-0771, CVE-2009-0772, CVE-2009-0773, CVE-2009-0774, CVE-2009-0775) Several flaws were found in the way malformed content was processed. A website containing specially-crafted content could, potentially, trick a Firefox user into surrendering sensitive information. (CVE-2009-0776, CVE-2009-0777) For technical details regarding these flaws, please see the Mozilla security advisories for Firefox 3.0.7. You can find a link to the Mozilla advisories in the References section of this errata. All Firefox users should upgrade to these updated packages, which contain Firefox version 3.0.7, and which correct these issues. After installing the update, Firefox must be restarted for the changes to take effect. Critical Copyright 2009 Red Hat, Inc. CVE-2009-0040 CVE-2009-0771 CVE-2009-0772 CVE-2009-0773 CVE-2009-0774 CVE-2009-0775 CVE-2009-0776 CVE-2009-0777 CVE-2009-0040 libpng arbitrary free() flaw CVE-2009-0771 Firefox 3 Layout Engine Crashes CVE-2009-0772 Firefox 2 and 3 - Layout engine crashes CVE-2009-0773 Firefox 3 crashes in the JavaScript engine CVE-2009-0774 Firefox 2 and 3 crashes in the JavaScript engine CVE-2009-0775 Firefox XUL Linked Clones Double Free Vulnerability CVE-2009-0776 Firefox XML data theft via RDFXMLDataSource and cross-domain redirect CVE-2009-0777 Firefox URL spoofing with invisible control characters cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 SeaMonkey is an open source Web browser, email and newsgroup client, IRC chat client, and HTML editor. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause SeaMonkey to crash or, potentially, execute arbitrary code as the user running SeaMonkey. (CVE-2009-0040, CVE-2009-0772, CVE-2009-0774, CVE-2009-0775) A flaw was found in the way malformed content was processed. A website containing specially-crafted content could, potentially, trick a SeaMonkey user into surrendering sensitive information. (CVE-2009-0776) All SeaMonkey users should upgrade to these updated packages, which contain backported patches that correct these issues. After installing the update, SeaMonkey must be restarted for the changes to take effect. Critical Copyright 2009 Red Hat, Inc. CVE-2009-0040 CVE-2009-0772 CVE-2009-0774 CVE-2009-0775 CVE-2009-0776 CVE-2009-0040 libpng arbitrary free() flaw CVE-2009-0772 Firefox 2 and 3 - Layout engine crashes CVE-2009-0774 Firefox 2 and 3 crashes in the JavaScript engine CVE-2009-0775 Firefox XUL Linked Clones Double Free Vulnerability CVE-2009-0776 Firefox XML data theft via RDFXMLDataSource and cross-domain redirect cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security fixes: * memory leaks were found on some error paths in the icmp_send() function in the Linux kernel. This could, potentially, cause the network connectivity to cease. (CVE-2009-0778, Important) * Chris Evans reported a deficiency in the clone() system call when called with the CLONE_PARENT flag. This flaw permits the caller (the parent process) to indicate an arbitrary signal it wants to receive when its child process exits. This could lead to a denial of service of the parent process. (CVE-2009-0028, Moderate) * an off-by-one underflow flaw was found in the eCryptfs subsystem. This could potentially cause a local denial of service when the readlink() function returned an error. (CVE-2009-0269, Moderate) * a deficiency was found in the Remote BIOS Update (RBU) driver for Dell systems. This could allow a local, unprivileged user to cause a denial of service by reading zero bytes from the image_type or packet_size files in "/sys/devices/platform/dell_rbu/". (CVE-2009-0322, Moderate) * an inverted logic flaw was found in the SysKonnect FDDI PCI adapter driver, allowing driver statistics to be reset only when the CAP_NET_ADMIN capability was absent (local, unprivileged users could reset driver statistics). (CVE-2009-0675, Moderate) * the sock_getsockopt() function in the Linux kernel did not properly initialize a data structure that can be directly returned to user-space when the getsockopt() function is called with SO_BSDCOMPAT optname set. This flaw could possibly lead to memory disclosure. (CVE-2009-0676, Moderate) * the ext2 and ext3 file system code failed to properly handle corrupted data structures, leading to a possible local denial of service when read or write operations were performed on a specially-crafted file system. (CVE-2008-3528, Low) * a deficiency was found in the libATA implementation. This could, potentially, lead to a local denial of service. Note: by default, the "/dev/sg*" devices are accessible only to the root user. (CVE-2008-5700, Low) Bug fixes: * a bug in aic94xx may have caused kernel panics during boot on some systems with certain SATA disks. (BZ#485909) * a word endianness problem in the qla2xx driver on PowerPC-based machines may have corrupted flash-based devices. (BZ#485908) * a memory leak in pipe() may have caused a system deadlock. The workaround in Section 1.5, Known Issues, of the Red Hat Enterprise Linux 5.3 Release Notes Updates, which involved manually allocating extra file descriptors to processes calling do_pipe, is no longer necessary. (BZ#481576) * CPU soft-lockups in the network rate estimator. (BZ#481746) * bugs in the ixgbe driver caused it to function unreliably on some systems with 16 or more CPU cores. (BZ#483210) * the iwl4965 driver may have caused a kernel panic. (BZ#483206) * a bug caused NFS attributes to not update for some long-lived NFS mounted file systems. (BZ#483201) * unmounting a GFS2 file system may have caused a panic. (BZ#485910) * a bug in ptrace() may have caused a panic when single stepping a target. (BZ#487394) * on some 64-bit systems, notsc was incorrectly set at boot, causing slow gettimeofday() calls. (BZ#488239) * do_machine_check() cleared all Machine Check Exception (MCE) status registers, preventing the BIOS from using them to determine the cause of certain panics and errors. (BZ#490433) * scaling problems caused performance problems for LAPI applications. (BZ#489457) * a panic may have occurred on systems using certain Intel WiFi Link 5000 products when booting with the RF Kill switch on. (BZ#489846) * the TSC is invariant with C/P/T states, and always runs at constant frequency from now on. (BZ#489310) All users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect. Important Copyright 2009 Red Hat, Inc. CVE-2008-3528 CVE-2008-5700 CVE-2009-0028 CVE-2009-0269 CVE-2009-0322 CVE-2009-0675 CVE-2009-0676 CVE-2009-0778 CVE-2008-3528 Linux kernel ext[234] directory corruption denial of service CVE-2008-5700 kernel: enforce a minimum SG_IO timeout CVE-2009-0028 Linux kernel minor signal handling vulnerability multipath test causes memory leak and eventual system deadlock CVE-2009-0269 kernel: ecryptfs readlink flaw [RHEL 5] gen_estimator deadlock fix CVE-2009-0322 kernel: dell_rbu local oops NFS problem#3 of IT 106473 - 32-bit jiffy wrap around - NFS inode Kernel panic in iwl4965 driver CVE-2009-0778 kernel: rt_cache leak leads to lack of network connectivity [QLogic 5.4 bug] qla2xx - Word-endian problem programming flash on PPC Panic at boot if SATA disk is present reproducible panic in debugfs_remove when unmounting gfs2 filesystem CVE-2009-0676 kernel: memory disclosure in SO_BSDCOMPAT gsopt CVE-2009-0675 kernel: skfp_ioctl inverted logic flaw kernel BUG at kernel/ptrace.c:1068 RHEL5 kernel forces notsc on certain systems [C-state support dependant] [Intel 5.4 FEAT] TSC keeps running in C3+ Lapi takes too long to run RHEL 5.3 GA kernel panics when RF Kill is on in 5100/5300 AGN RHEL5.3 (x86_64): MCE handler must not clear status registers on fatal conditions cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 FreeType is a free, high-quality, portable font engine that can open and manage font files. It also loads, hints, and renders individual glyphs efficiently. These packages provide both the FreeType 1 and FreeType 2 font engines. Tavis Ormandy of the Google Security Team discovered several integer overflow flaws in the FreeType 2 font engine. If a user loaded a carefully-crafted font file with an application linked against FreeType 2, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2009-0946) Chris Evans discovered multiple integer overflow flaws in the FreeType font engine. If a user loaded a carefully-crafted font file with an application linked against FreeType, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2006-1861) An integer overflow flaw was found in the way the FreeType font engine processed TrueType® Font (TTF) files. If a user loaded a carefully-crafted font file with an application linked against FreeType, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2007-2754) A flaw was discovered in the FreeType TTF font-file format parser when the TrueType virtual machine Byte Code Interpreter (BCI) is enabled. If a user loaded a carefully-crafted font file with an application linked against FreeType, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2008-1808) The CVE-2008-1808 flaw did not affect the freetype packages as distributed in Red Hat Enterprise Linux 3 and 4, as they are not compiled with TrueType BCI support. A fix for this flaw has been included in this update as users may choose to recompile the freetype packages in order to enable TrueType BCI support. Red Hat does not, however, provide support for modified and recompiled packages. Note: For the FreeType 2 font engine, the CVE-2006-1861, CVE-2007-2754, and CVE-2008-1808 flaws were addressed via RHSA-2006:0500, RHSA-2007:0403, and RHSA-2008:0556 respectively. This update provides corresponding updates for the FreeType 1 font engine, included in the freetype packages distributed in Red Hat Enterprise Linux 3 and 4. Users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The X server must be restarted (log out, then log back in) for this update to take effect. Important Copyright 2009 Red Hat, Inc. CVE-2006-1861 CVE-2007-2754 CVE-2008-1808 CVE-2009-0946 CVE-2007-2754 freetype integer overflow CVE-2008-1808 FreeType off-by-one flaws CVE-2006-1861 freetype: multiple integer overflow vulnerabilities CVE-2009-0946 freetype: multiple integer overflows cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The kernel packages contain the Linux kernel, the core of any Linux operating system. This update addresses the following security issues: * a buffer overflow was found in the Linux kernel Partial Reliable Stream Control Transmission Protocol (PR-SCTP) implementation. This could, potentially, lead to a denial of service if a Forward-TSN chunk is received with a large stream ID. (CVE-2009-0065, Important) * a memory leak was found in keyctl handling. A local, unprivileged user could use this flaw to deplete kernel memory, eventually leading to a denial of service. (CVE-2009-0031, Important) * a deficiency was found in the Remote BIOS Update (RBU) driver for Dell systems. This could allow a local, unprivileged user to cause a denial of service by reading zero bytes from the image_type or packet_size file in "/sys/devices/platform/dell_rbu/". (CVE-2009-0322, Important) * a deficiency was found in the libATA implementation. This could, potentially, lead to a denial of service. Note: by default, "/dev/sg*" devices are accessible only to the root user. (CVE-2008-5700, Low) This update also fixes the following bugs: * when the hypervisor changed a page table entry (pte) mapping from read-only to writable via a make_writable hypercall, accessing the changed page immediately following the change caused a spurious page fault. When trying to install a para-virtualized Red Hat Enterprise Linux 4 guest on a Red Hat Enterprise Linux 5.3 dom0 host, this fault crashed the installer with a kernel backtrace. With this update, the "spurious" page fault is handled properly. (BZ#483748) * net_rx_action could detect its cpu poll_list as non-empty, but have that same list reduced to empty by the poll_napi path. This resulted in garbage data being returned when net_rx_action calls list_entry, which subsequently resulted in several possible crash conditions. The race condition in the network code which caused this has been fixed. (BZ#475970, BZ#479681, BZ#480741) * a misplaced memory barrier at unlock_buffer() could lead to a concurrent h_refcounter update which produced a reference counter leak and, later, a double free in ext3_xattr_release_block(). Consequent to the double free, ext3 reported an error ext3_free_blocks_sb: bit already cleared for block [block number] and mounted itself as read-only. With this update, the memory barrier is now placed before the buffer head lock bit, forcing the write order and preventing the double free. (BZ#476533) * when the iptables module was unloaded, it was assumed the correct entry for removal had been found if "wrapper->ops->pf" matched the value passed in by "reg->pf". If several ops ranges were registered against the same protocol family, however, (which was likely if you had both ip_conntrack and ip_contrack_* loaded) this assumption could lead to NULL list pointers and cause a kernel panic. With this update, "wrapper->ops" is matched to pointer values "reg", which ensures the correct entry is removed and results in no NULL list pointers. (BZ#477147) * when the pidmap page (used for tracking process ids, pids) incremented to an even page (ie the second, fourth, sixth, etc. pidmap page), the alloc_pidmap() routine skipped the page. This resulted in "holes" in the allocated pids. For example, after pid 32767, you would expect 32768 to be allocated. If the page skipping behavior presented, however, the pid allocated after 32767 was 65536. With this update, alloc_pidmap() no longer skips alternate pidmap pages and allocated pid holes no longer occur. This fix also corrects an error which allowed pid_max to be set higher than the pid_max limit has been corrected. (BZ#479182) All Red Hat Enterprise Linux 4 users should upgrade to these updated packages, which contain backported patches to resolve these issues. The system must be rebooted for this update to take effect. Important Copyright 2009 Red Hat, Inc. CVE-2008-5700 CVE-2009-0031 CVE-2009-0065 CVE-2009-0322 CVE-2008-5700 kernel: enforce a minimum SG_IO timeout oops in e1000_clean (list corruption due to race with e1000_down) Read-only filesystem after 'ext3_free_blocks_sb: bit already cleared for block' errors Kernel panic when unloading ip conntrack modules CVE-2009-0065 kernel: sctp: memory overflow when FWD-TSN chunk is received with bad stream ID RHEL4 64 bit skips all pids with bit 15 set (32768-65535, 98304-131071 etc) oops in net_rx_action on double free of dev->poll_list CVE-2009-0031 kernel: local denial of service in keyctl_join_session_keyring RHEL4.8 kernel crashed in net_rx_action() on IA64 machine in RHTS connectathon test CVE-2009-0322 kernel: dell_rbu local oops rhel4 PV guest installations busted on rhel 5.3 i386 intel dom0 cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 The flash-plugin package contains a Firefox-compatible Adobe Flash Player Web browser plug-in. Multiple input validation flaws were found in the way Flash Player displayed certain SWF (Shockwave Flash) content. An attacker could use these flaws to create a specially-crafted SWF file that could cause flash-plugin to crash, or, possibly, execute arbitrary code when the victim loaded a page containing the specially-crafted SWF content. (CVE-2009-0520, CVE-2009-0519) It was discovered that Adobe Flash Player had an insecure RPATH (runtime library search path) set in the ELF (Executable and Linking Format) header. A local user with write access to the directory pointed to by RPATH could use this flaw to execute arbitrary code with the privileges of the user running Adobe Flash Player. (CVE-2009-0521) All users of Adobe Flash Player should install this updated package, which upgrades Flash Player to version 10.0.22.87. Critical Copyright 2009 Red Hat, Inc. CVE-2009-0519 CVE-2009-0520 CVE-2009-0521 CVE-2009-0519 flash-plugin: Input validation flaw (DoS) CVE-2009-0520 flash-plugin: Buffer overflow (arbitrary code execution) via crafted SWF file. CVE-2009-0521 flash-plugin: Linux-specific information disclosure (privilege escalation) cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The libpng packages contain a library of functions for creating and manipulating PNG (Portable Network Graphics) image format files. A flaw was discovered in libpng that could result in libpng trying to free() random memory if certain, unlikely error conditions occurred. If a carefully-crafted PNG file was loaded by an application linked against libpng, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2009-0040) A flaw was discovered in the way libpng handled PNG images containing "unknown" chunks. If an application linked against libpng attempted to process a malformed, unknown chunk in a malicious PNG image, it could cause the application to crash. (CVE-2008-1382) Users of libpng and libpng10 should upgrade to these updated packages, which contain backported patches to correct these issues. All running applications using libpng or libpng10 must be restarted for the update to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2008-1382 CVE-2009-0040 CVE-2008-1382 libpng unknown chunk handling flaw CVE-2009-0040 libpng arbitrary free() flaw cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 GLib is the low-level core library that forms the basis for projects such as GTK+ and GNOME. It provides data structure handling for C, portability wrappers, and interfaces for such runtime functionality as an event loop, threads, dynamic loading, and an object system. Diego Pettenò discovered multiple integer overflows causing heap-based buffer overflows in GLib's Base64 encoding and decoding functions. An attacker could use these flaws to crash an application using GLib's Base64 functions to encode or decode large, untrusted inputs, or, possibly, execute arbitrary code as the user running the application. (CVE-2008-4316) Note: No application shipped with Red Hat Enterprise Linux 5 uses the affected functions. Third-party applications may, however, be affected. All users of glib2 should upgrade to these updated packages, which contain backported patches to resolve these issues. Moderate Copyright 2009 Red Hat, Inc. CVE-2008-4316 CVE-2008-4316 glib2: integer overflows in the base64 handling functions (oCERT-2008-015) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A heap-based buffer overflow flaw was found in PHP's mbstring extension. A remote attacker able to pass arbitrary input to a PHP script using mbstring conversion functions could cause the PHP interpreter to crash or, possibly, execute arbitrary code. (CVE-2008-5557) A flaw was found in the handling of the "mbstring.func_overload" configuration setting. A value set for one virtual host, or in a user's .htaccess file, was incorrectly applied to other virtual hosts on the same server, causing the handling of multibyte character strings to not work correctly. (CVE-2009-0754) A buffer overflow flaw was found in PHP's imageloadfont function. If a PHP script allowed a remote attacker to load a carefully crafted font file, it could cause the PHP interpreter to crash or, possibly, execute arbitrary code. (CVE-2008-3658) A flaw was found in the way PHP handled certain file extensions when running in FastCGI mode. If the PHP interpreter was being executed via FastCGI, a remote attacker could create a request which would cause the PHP interpreter to crash. (CVE-2008-3660) A memory disclosure flaw was found in the PHP gd extension's imagerotate function. A remote attacker able to pass arbitrary values as the "background color" argument of the function could, possibly, view portions of the PHP interpreter's memory. (CVE-2008-5498) All php users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. The httpd web server must be restarted for the changes to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2008-3658 CVE-2008-3660 CVE-2008-5498 CVE-2008-5557 CVE-2009-0754 CVE-2008-3658 php: buffer overflow in the imageloadfont function in gd extension CVE-2008-3660 php: FastCGI module DoS via multiple dots preceding the extension CVE-2008-5498 php: libgd imagerotate() array index error memory disclosure CVE-2008-5557 php: Heap-based buffer overflow in the mbstring extension via crafted string containing a HTML entity (arb code execution) CVE-2009-0754 PHP mbstring.func_overload web server denial of service cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A heap-based buffer overflow flaw was found in PHP's mbstring extension. A remote attacker able to pass arbitrary input to a PHP script using mbstring conversion functions could cause the PHP interpreter to crash or, possibly, execute arbitrary code. (CVE-2008-5557) A flaw was found in the handling of the "mbstring.func_overload" configuration setting. A value set for one virtual host, or in a user's .htaccess file, was incorrectly applied to other virtual hosts on the same server, causing the handling of multibyte character strings to not work correctly. (CVE-2009-0754) A buffer overflow flaw was found in PHP's imageloadfont function. If a PHP script allowed a remote attacker to load a carefully crafted font file, it could cause the PHP interpreter to crash or, possibly, execute arbitrary code. (CVE-2008-3658) A flaw was found in the way PHP handled certain file extensions when running in FastCGI mode. If the PHP interpreter was being executed via FastCGI, a remote attacker could create a request which would cause the PHP interpreter to crash. (CVE-2008-3660) A memory disclosure flaw was found in the PHP gd extension's imagerotate function. A remote attacker able to pass arbitrary values as the "background color" argument of the function could, possibly, view portions of the PHP interpreter's memory. (CVE-2008-5498) A cross-site scripting flaw was found in a way PHP reported errors for invalid cookies. If the PHP interpreter had "display_errors" enabled, a remote attacker able to set a specially-crafted cookie on a victim's system could possibly inject arbitrary HTML into an error message generated by PHP. (CVE-2008-5814) All php users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. The httpd web server must be restarted for the changes to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2008-3658 CVE-2008-3660 CVE-2008-5498 CVE-2008-5557 CVE-2008-5814 CVE-2009-0754 CVE-2008-3658 php: buffer overflow in the imageloadfont function in gd extension CVE-2008-3660 php: FastCGI module DoS via multiple dots preceding the extension CVE-2008-5498 php: libgd imagerotate() array index error memory disclosure CVE-2008-5557 php: Heap-based buffer overflow in the mbstring extension via crafted string containing a HTML entity (arb code execution) CVE-2009-0754 PHP mbstring.func_overload web server denial of service CVE-2008-5814 php: XSS via PHP error messages cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Little Color Management System (LittleCMS, or simply "lcms") is a small-footprint, speed-optimized open source color management engine. Multiple integer overflow flaws which could lead to heap-based buffer overflows, as well as multiple insufficient input validation flaws, were found in LittleCMS. An attacker could use these flaws to create a specially-crafted image file which could cause an application using LittleCMS to crash, or, possibly, execute arbitrary code when opened by a victim. (CVE-2009-0723, CVE-2009-0733) A memory leak flaw was found in LittleCMS. An application using LittleCMS could use excessive amount of memory, and possibly crash after using all available memory, if used to open specially-crafted images. (CVE-2009-0581) Red Hat would like to thank Chris Evans from the Google Security Team for reporting these issues. All users of LittleCMS should install these updated packages, which upgrade LittleCMS to version 1.18. All running applications using the lcms library must be restarted for the update to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-0581 CVE-2009-0723 CVE-2009-0733 CVE-2009-0723 LittleCms integer overflow CVE-2009-0581 LittleCms memory leak CVE-2009-0733 LittleCms lack of upper-bounds check on sizes cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The libpng packages contain a library of functions for creating and manipulating PNG (Portable Network Graphics) image format files. A flaw was discovered in libpng that could result in libpng trying to free() random memory if certain, unlikely error conditions occurred. If a carefully-crafted PNG file was loaded by an application linked against libpng, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2009-0040) Users of libpng and libpng10 should upgrade to these updated packages, which contain backported patches to correct these issues. All running applications using libpng or libpng10 must be restarted for the update to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-0040 CVE-2009-0040 libpng arbitrary free() flaw cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 5 cURL is a tool for getting files from FTP, HTTP, Gopher, Telnet, and Dict servers, using any of the supported protocols. cURL is designed to work without user interaction or any kind of interactivity. David Kierznowski discovered a flaw in libcurl where it would not differentiate between different target URLs when handling automatic redirects. This caused libcurl to follow any new URL that it understood, including the "file://" URL type. This could allow a remote server to force a local libcurl-using application to read a local file instead of the remote one, possibly exposing local files that were not meant to be exposed. (CVE-2009-0037) Note: Applications using libcurl that are expected to follow redirects to "file://" protocol must now explicitly call curl_easy_setopt(3) and set the newly introduced CURLOPT_REDIR_PROTOCOLS option as required. cURL users should upgrade to these updated packages, which contain backported patches to correct these issues. All running applications using libcurl must be restarted for the update to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-0037 CVE-2009-0037 curl: local file access via unsafe redirects cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 libsoup is an HTTP client/library implementation for GNOME written in C. It was originally part of a SOAP (Simple Object Access Protocol) implementation called Soup, but the SOAP and non-SOAP parts have now been split into separate packages. An integer overflow flaw which caused a heap-based buffer overflow was discovered in libsoup's Base64 encoding routine. An attacker could use this flaw to crash, or, possibly, execute arbitrary code. This arbitrary code would execute with the privileges of the application using libsoup's Base64 routine to encode large, untrusted inputs. (CVE-2009-0585) All users of libsoup and evolution28-libsoup should upgrade to these updated packages, which contain a backported patch to resolve this issue. All running applications using the affected library function (such as Evolution configured to connect to the GroupWise back-end) must be restarted for the update to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-0585 CVE-2009-0585 libsoup: integer overflow in soup_base64_encode() cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 5 Ghostscript is a set of software that provides a PostScript(TM) interpreter, a set of C procedures (the Ghostscript library, which implements the graphics capabilities in the PostScript language) and an interpreter for Portable Document Format (PDF) files. Multiple integer overflow flaws which could lead to heap-based buffer overflows, as well as multiple insufficient input validation flaws, were found in Ghostscript's International Color Consortium Format library (icclib). Using specially-crafted ICC profiles, an attacker could create a malicious PostScript or PDF file with embedded images which could cause Ghostscript to crash, or, potentially, execute arbitrary code when opened by the victim. (CVE-2009-0583, CVE-2009-0584) All users of ghostscript are advised to upgrade to these updated packages, which contain a backported patch to correct these issues. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-0583 CVE-2009-0584 CVE-2009-0583 ghostscript, argyllcms: Multiple integer overflows in the International Color Consortium Format Library CVE-2009-0584 ghostscript, argyllcms: Multiple insufficient upper-bounds checks on certain sizes in the International Color Consortium Format Library cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 GStreamer is a streaming media framework based on graphs of filters which operate on media data. GStreamer Base Plug-ins is a collection of well-maintained base plug-ins. An integer overflow flaw which caused a heap-based buffer overflow was discovered in the Vorbis comment tags reader. An attacker could create a carefully-crafted Vorbis file that would cause an application using GStreamer to crash or, potentially, execute arbitrary code if opened by a victim. (CVE-2009-0586) All users of gstreamer-plugins-base are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing this update, all applications using GStreamer (such as Totem or Rhythmbox) must be restarted for the changes to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-0586 CVE-2009-0586 gstreamer-plugins-base: integer overflow in gst_vorbis_tag_add_coverart() cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Evolution Data Server provides a unified back-end for applications which interact with contacts, task, and calendar information. Evolution Data Server was originally developed as a back-end for Evolution, but is now used by multiple other applications. Evolution Data Server did not properly check the Secure/Multipurpose Internet Mail Extensions (S/MIME) signatures used for public key encryption and signing of e-mail messages. An attacker could use this flaw to spoof a signature by modifying the text of the e-mail message displayed to the user. (CVE-2009-0547) It was discovered that Evolution Data Server did not properly validate NTLM (NT LAN Manager) authentication challenge packets. A malicious server using NTLM authentication could cause an application using Evolution Data Server to disclose portions of its memory or crash during user authentication. (CVE-2009-0582) Multiple integer overflow flaws which could cause heap-based buffer overflows were found in the Base64 encoding routines used by Evolution Data Server. This could cause an application using Evolution Data Server to crash, or, possibly, execute an arbitrary code when large untrusted data blocks were Base64-encoded. (CVE-2009-0587) All users of evolution-data-server and evolution28-evolution-data-server are advised to upgrade to these updated packages, which contain backported patches to correct these issues. All running instances of Evolution Data Server and applications using it (such as Evolution) must be restarted for the update to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-0547 CVE-2009-0582 CVE-2009-0587 CVE-2009-0547 evolution-data-server: S/MIME signatures are considered to be valid even for modified messages (MITM) CVE-2009-0582 evolution-data-server: insufficient checking of NTLM authentication challenge packets CVE-2009-0587 evolution-data-server: integer overflow in base64 encoding functions cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Evolution is the integrated collection of e-mail, calendaring, contact management, communications, and personal information management (PIM) tools for the GNOME desktop environment. Evolution Data Server provides a unified back-end for applications which interact with contacts, task and calendar information. Evolution Data Server was originally developed as a back-end for Evolution, but is now used by multiple other applications. Evolution did not properly check the Secure/Multipurpose Internet Mail Extensions (S/MIME) signatures used for public key encryption and signing of e-mail messages. An attacker could use this flaw to spoof a signature by modifying the text of the e-mail message displayed to the user. (CVE-2009-0547) It was discovered that evolution did not properly validate NTLM (NT LAN Manager) authentication challenge packets. A malicious server using NTLM authentication could cause evolution to disclose portions of its memory or crash during user authentication. (CVE-2009-0582) Multiple integer overflow flaws which could cause heap-based buffer overflows were found in the Base64 encoding routines used by evolution and evolution-data-server. This could cause evolution, or an application using evolution-data-server, to crash, or, possibly, execute an arbitrary code when large untrusted data blocks were Base64-encoded. (CVE-2009-0587) All users of evolution and evolution-data-server are advised to upgrade to these updated packages, which contain backported patches to correct these issues. All running instances of evolution and evolution-data-server must be restarted for the update to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-0547 CVE-2009-0582 CVE-2009-0587 CVE-2009-0547 evolution-data-server: S/MIME signatures are considered to be valid even for modified messages (MITM) CVE-2009-0582 evolution-data-server: insufficient checking of NTLM authentication challenge packets CVE-2009-0587 evolution-data-server: integer overflow in base64 encoding functions cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Evolution is the integrated collection of e-mail, calendaring, contact management, communications, and personal information management (PIM) tools for the GNOME desktop environment. It was discovered that evolution did not properly validate NTLM (NT LAN Manager) authentication challenge packets. A malicious server using NTLM authentication could cause evolution to disclose portions of its memory or crash during user authentication. (CVE-2009-0582) An integer overflow flaw which could cause heap-based buffer overflow was found in the Base64 encoding routine used by evolution. This could cause evolution to crash, or, possibly, execute an arbitrary code when large untrusted data blocks were Base64-encoded. (CVE-2009-0587) All users of evolution are advised to upgrade to these updated packages, which contain backported patches to correct these issues. All running instances of evolution must be restarted for the update to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-0582 CVE-2009-0587 CVE-2009-0582 evolution-data-server: insufficient checking of NTLM authentication challenge packets CVE-2009-0587 evolution-data-server: integer overflow in base64 encoding functions cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 NetworkManager is a network link manager that attempts to keep a wired or wireless network connection active at all times. An information disclosure flaw was found in NetworkManager's D-Bus interface. A local attacker could leverage this flaw to discover sensitive information, such as network connection passwords and pre-shared keys. (CVE-2009-0365) A potential denial of service flaw was found in NetworkManager's D-Bus interface. A local user could leverage this flaw to modify local connection settings, preventing the system's network connection from functioning properly. (CVE-2009-0578) Red Hat would like to thank Ludwig Nussel for reporting these flaws responsibly. Users of NetworkManager should upgrade to these updated packages which contain backported patches to correct these issues. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-0365 CVE-2009-0578 CVE-2009-0365 NetworkManager: GetSecrets disclosure CVE-2009-0578 NetworkManager: local users can modify the connection settings cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 NetworkManager is a network link manager that attempts to keep a wired or wireless network connection active at all times. An information disclosure flaw was found in NetworkManager's D-Bus interface. A local attacker could leverage this flaw to discover sensitive information, such as network connection passwords and pre-shared keys. (CVE-2009-0365) Red Hat would like to thank Ludwig Nussel for responsibly reporting this flaw. NetworkManager users should upgrade to these updated packages, which contain a backported patch that corrects this issue. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-0365 CVE-2009-0365 NetworkManager: GetSecrets disclosure cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 The IBM® 1.6.0 Java™ release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. This update fixes several vulnerabilities in the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. These vulnerabilities are summarized on the IBM "Security alerts" page listed in the References section. (CVE-2008-5340, CVE-2008-5341, CVE-2008-5342, CVE-2008-5343, CVE-2008-5351, CVE-2008-5356, CVE-2008-5357, CVE-2008-5358) All users of java-1.6.0-ibm are advised to upgrade to these updated packages, containing the IBM 1.6.0 SR4 Java release. All running instances of IBM Java must be restarted for the update to take effect. Critical Copyright 2009 Red Hat, Inc. CVE-2008-5340 CVE-2008-5341 CVE-2008-5342 CVE-2008-5343 CVE-2008-5351 CVE-2008-5356 CVE-2008-5357 CVE-2008-5358 CVE-2008-5351 OpenJDK UTF-8 decoder accepts non-shortest form sequences (4486841) CVE-2008-5356 OpenJDK Font processing vulnerability (6733336) CVE-2008-5357 OpenJDK Truetype Font processing vulnerability (6751322) CVE-2008-5358 OpenJDK Buffer Overflow in GIF image processing (6766136) CVE-2008-5340 Java WebStart privilege escalation CVE-2008-5341 Java Web Start exposes username and the pathname of the JWS cache CVE-2008-5342 Java Web Start BasicService displays local files in the browser CVE-2008-5343 Java WebStart allows hidden code privilege escalation cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 SystemTap is an instrumentation infrastructure for systems running version 2.6 of the Linux kernel. SystemTap scripts can collect system operations data, greatly simplifying information gathering. Collected data can then assist in performance measuring, functional testing, and performance and function problem diagnosis. A race condition was discovered in SystemTap that could allow users in the stapusr group to elevate privileges to that of members of the stapdev group (and hence root), bypassing directory confinement restrictions and allowing them to insert arbitrary SystemTap kernel modules. (CVE-2009-0784) Note: This issue was only exploitable if another SystemTap kernel module was placed in the "systemtap/" module directory for the currently running kernel. Red Hat would like to thank Erik Sjölund for reporting this issue. SystemTap users should upgrade to these updated packages, which contain a backported patch to correct this issue. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-0784 CVE-2009-0784 systemtap: race condition leads to privilege escalation cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 Adobe Reader allows users to view and print documents in Portable Document Format (PDF). Multiple input validation flaws were discovered in the JBIG2 compressed images decoder used by Adobe Reader. A malicious PDF file could cause Adobe Reader to crash or, potentially, execute arbitrary code as the user running Adobe Reader. (CVE-2009-0193, CVE-2009-0658, CVE-2009-0928, CVE-2009-1061, CVE-2009-1062) All Adobe Reader users should install these updated packages. They contain Adobe Reader version 8.1.4, which is not vulnerable to these issues. All running instances of Adobe Reader must be restarted for the update to take effect. Critical Copyright 2009 Red Hat, Inc. CVE-2009-0193 CVE-2009-0658 CVE-2009-0928 CVE-2009-1061 CVE-2009-1062 CVE-2009-0658, CVE-2009-0193, CVE-2009-0928, CVE-2009-1061, CVE-2009-1062 acroread: multiple JBIG2-related security flaws cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 5 These packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software Development Kit. The Java Runtime Environment (JRE) contains the software and tools that users need to run applications written using the Java programming language. A flaw was found in the way that the Java Virtual Machine (JVM) handled temporary font files. A malicious applet could use this flaw to use large amounts of disk space, causing a denial of service. (CVE-2006-2426) A memory leak flaw was found in LittleCMS (embedded in OpenJDK). An application using color profiles could use excessive amounts of memory, and possibly crash after using all available memory, if used to open specially-crafted images. (CVE-2009-0581) Multiple integer overflow flaws which could lead to heap-based buffer overflows, as well as multiple insufficient input validation flaws, were found in the way LittleCMS handled color profiles. An attacker could use these flaws to create a specially-crafted image file which could cause a Java application to crash or, possibly, execute arbitrary code when opened. (CVE-2009-0723, CVE-2009-0733) A null pointer dereference flaw was found in LittleCMS. An application using color profiles could crash while converting a specially-crafted image file. (CVE-2009-0793) A flaw in the Java API for XML Web Services (JAX-WS) service endpoint handling could allow a remote attacker to cause a denial of service on the server application hosting the JAX-WS service endpoint. (CVE-2009-1101) A flaw in the way the Java Runtime Environment initialized LDAP connections could allow a remote, authenticated user to cause a denial of service on the LDAP service. (CVE-2009-1093) A flaw in the Java Runtime Environment LDAP client could allow malicious data from an LDAP server to cause arbitrary code to be loaded and then run on an LDAP client. (CVE-2009-1094) Several buffer overflow flaws were found in the Java Runtime Environment unpack200 functionality. An untrusted applet could extend its privileges, allowing it to read and write local files, as well as to execute local applications with the privileges of the user running the applet. (CVE-2009-1095, CVE-2009-1096) A flaw in the Java Runtime Environment Virtual Machine code generation functionality could allow untrusted applets to extend their privileges. An untrusted applet could extend its privileges, allowing it to read and write local files, as well as execute local applications with the privileges of the user running the applet. (CVE-2009-1102) A buffer overflow flaw was found in the splash screen processing. A remote attacker could extend privileges to read and write local files, as well as to execute local applications with the privileges of the user running the java process. (CVE-2009-1097) A buffer overflow flaw was found in how GIF images were processed. A remote attacker could extend privileges to read and write local files, as well as execute local applications with the privileges of the user running the java process. (CVE-2009-1098) Note: The flaws concerning applets in this advisory, CVE-2009-1095, CVE-2009-1096, and CVE-2009-1102, can only be triggered in java-1.6.0-openjdk by calling the "appletviewer" application. All users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect. Important Copyright 2009 Red Hat, Inc. CVE-2006-2426 CVE-2009-0581 CVE-2009-0723 CVE-2009-0733 CVE-2009-0793 CVE-2009-1093 CVE-2009-1094 CVE-2009-1095 CVE-2009-1096 CVE-2009-1097 CVE-2009-1098 CVE-2009-1101 CVE-2009-1102 CVE-2006-2426 Untrusted applet causes DoS by filling up disk space CVE-2009-0723 LittleCms integer overflow CVE-2009-0581 LittleCms memory leak CVE-2009-0733 LittleCms lack of upper-bounds check on sizes CVE-2009-1101 OpenJDK JAX-WS service endpoint remote Denial-of-Service (6630639) CVE-2009-1093 OpenJDK remote LDAP Denial-Of-Service (6717680) CVE-2009-1094 OpenJDK LDAP client remote code execution (6737315) CVE-2009-1095 CVE-2009-1096 OpenJDK Pack200 Buffer overflow vulnerability (6792554) CVE-2009-1102 OpenJDK code generation vulnerability (6636360) CVE-2009-1097 OpenJDK PNG processing buffer overflow vulnerability (6804996) CVE-2009-1098 OpenJDK GIF processing buffer overflow vulnerability (6804998) CVE-2009-0793 lcms: Null pointer dereference (DoS) by handling transformations of monochrome profiles cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 libvirt is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. libvirt also provides tools for remotely managing virtualized systems. The libvirtd daemon was discovered to not properly check user connection permissions before performing certain privileged actions, such as requesting migration of an unprivileged guest domain to another system. A local user able to establish a read-only connection to libvirtd could use this flaw to perform actions that should be restricted to read-write connections. (CVE-2008-5086) libvirt_proxy, a setuid helper application allowing non-privileged users to communicate with the hypervisor, was discovered to not properly validate user requests. Local users could use this flaw to cause a stack-based buffer overflow in libvirt_proxy, possibly allowing them to run arbitrary code with root privileges. (CVE-2009-0036) All users are advised to upgrade to these updated packages, which contain backported patches which resolve these issues. After installing the update, libvirtd must be restarted manually (for example, by issuing a "service libvirtd restart" command) for this change to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2008-5086 CVE-2009-0036 CVE-2008-5086 libvirt: missing checks for read-only connection CVE-2009-0036 libvirt: libvirt_proxy buffer overflow cpe:/a:redhat:rhel_virtualization Supplementary for Red Hat Enterprise Linux 5 The Sun 1.6.0 Java release includes the Sun Java 6 Runtime Environment and the Sun Java 6 Software Development Kit. This update fixes several vulnerabilities in the Sun Java 6 Runtime Environment and the Sun Java 6 Software Development Kit. These vulnerabilities are summarized on the "Advance notification of Security Updates for Java SE" page from Sun Microsystems, listed in the References section. (CVE-2006-2426, CVE-2009-1093, CVE-2009-1094, CVE-2009-1095, CVE-2009-1096, CVE-2009-1097, CVE-2009-1098, CVE-2009-1099, CVE-2009-1100, CVE-2009-1101, CVE-2009-1102, CVE-2009-1103, CVE-2009-1104, CVE-2009-1105, CVE-2009-1106, CVE-2009-1107) Users of java-1.6.0-sun should upgrade to these updated packages, which correct these issues. All running instances of Sun Java must be restarted for the update to take effect. Critical Copyright 2009 Red Hat, Inc. CVE-2006-2426 CVE-2009-1093 CVE-2009-1094 CVE-2009-1095 CVE-2009-1096 CVE-2009-1097 CVE-2009-1098 CVE-2009-1099 CVE-2009-1100 CVE-2009-1101 CVE-2009-1102 CVE-2009-1103 CVE-2009-1104 CVE-2009-1105 CVE-2009-1106 CVE-2009-1107 CVE-2006-2426 Untrusted applet causes DoS by filling up disk space CVE-2009-1101 OpenJDK JAX-WS service endpoint remote Denial-of-Service (6630639) CVE-2009-1093 OpenJDK remote LDAP Denial-Of-Service (6717680) CVE-2009-1094 OpenJDK LDAP client remote code execution (6737315) CVE-2009-1095 CVE-2009-1096 OpenJDK Pack200 Buffer overflow vulnerability (6792554) CVE-2009-1102 OpenJDK code generation vulnerability (6636360) CVE-2009-1097 OpenJDK PNG processing buffer overflow vulnerability (6804996) CVE-2009-1098 OpenJDK GIF processing buffer overflow vulnerability (6804998) CVE-2009-1099 OpenJDK: Type1 font processing buffer overflow vulnerability CVE-2009-1100 OpenJDK: DoS (disk consumption) via handling of temporary font files CVE-2009-1103 OpenJDK: Files disclosure, arbitrary code execution via "deserializing applets" (6646860) CVE-2009-1104 OpenJDK: Intended access restrictions bypass via LiveConnect (6724331) CVE-2009-1105 OpenJDK: Possibility of trusted applet run in older, vulnerable version of JRE (6706490) CVE-2009-1106 OpenJDK: Improper parsing of crossdomain.xml files (intended access restriction bypass) (6798948) CVE-2009-1107 OpenJDK: Signed applet remote misuse possibility (6782871) cpe:/a:redhat:rhel_extras Supplementary for Red Hat Enterprise Linux 5 The Sun 1.5.0 Java release includes the Sun Java 5 Runtime Environment and the Sun Java 5 Software Development Kit. This update fixes several vulnerabilities in the Sun Java 5 Runtime Environment and the Sun Java 5 Software Development Kit. These vulnerabilities are summarized on the "Advance notification of Security Updates for Java SE" page from Sun Microsystems, listed in the References section. (CVE-2006-2426, CVE-2009-1093, CVE-2009-1094, CVE-2009-1095, CVE-2009-1096, CVE-2009-1098, CVE-2009-1099, CVE-2009-1100, CVE-2009-1103, CVE-2009-1104, CVE-2009-1107) Users of java-1.5.0-sun should upgrade to these updated packages, which correct these issues. All running instances of Sun Java must be restarted for the update to take effect. Critical Copyright 2009 Red Hat, Inc. CVE-2006-2426 CVE-2009-1093 CVE-2009-1094 CVE-2009-1095 CVE-2009-1096 CVE-2009-1098 CVE-2009-1099 CVE-2009-1100 CVE-2009-1103 CVE-2009-1104 CVE-2009-1107 CVE-2006-2426 Untrusted applet causes DoS by filling up disk space CVE-2009-1093 OpenJDK remote LDAP Denial-Of-Service (6717680) CVE-2009-1094 OpenJDK LDAP client remote code execution (6737315) CVE-2009-1095 CVE-2009-1096 OpenJDK Pack200 Buffer overflow vulnerability (6792554) CVE-2009-1098 OpenJDK GIF processing buffer overflow vulnerability (6804998) CVE-2009-1099 OpenJDK: Type1 font processing buffer overflow vulnerability CVE-2009-1100 OpenJDK: DoS (disk consumption) via handling of temporary font files CVE-2009-1103 OpenJDK: Files disclosure, arbitrary code execution via "deserializing applets" (6646860) CVE-2009-1104 OpenJDK: Intended access restrictions bypass via LiveConnect (6724331) CVE-2009-1107 OpenJDK: Signed applet remote misuse possibility (6782871) cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Firefox is an open source Web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. A memory corruption flaw was discovered in the way Firefox handles XML files containing an XSLT transform. A remote attacker could use this flaw to crash Firefox or, potentially, execute arbitrary code as the user running Firefox. (CVE-2009-1169) A flaw was discovered in the way Firefox handles certain XUL garbage collection events. A remote attacker could use this flaw to crash Firefox or, potentially, execute arbitrary code as the user running Firefox. (CVE-2009-1044) For technical details regarding these flaws, refer to the Mozilla security advisories. You can find a link to the Mozilla advisories in the References section of this errata. Firefox users should upgrade to these updated packages, which resolve these issues. For Red Hat Enterprise Linux 4, they contain backported patches to the firefox package. For Red Hat Enterprise Linux 5, they contain backported patches to the xulrunner packages. After installing the update, Firefox must be restarted for the changes to take effect. Critical Copyright 2009 Red Hat, Inc. CVE-2009-1044 CVE-2009-1169 CVE-2009-1169 Firefox XSLT memory corruption issue CVE-2009-1044 Firefox XUL garbage collection issue (cansecwest pwn2own) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 SeaMonkey is an open source Web browser, email and newsgroup client, IRC chat client, and HTML editor. A memory corruption flaw was discovered in the way SeaMonkey handles XML files containing an XSLT transform. A remote attacker could use this flaw to crash SeaMonkey or, potentially, execute arbitrary code as the user running SeaMonkey. (CVE-2009-1169) A flaw was discovered in the way SeaMonkey handles certain XUL garbage collection events. A remote attacker could use this flaw to crash SeaMonkey or, potentially, execute arbitrary code as the user running SeaMonkey. (CVE-2009-1044) All SeaMonkey users should upgrade to these updated packages, which correct these issues. After installing the update, SeaMonkey must be restarted for the changes to take effect. Critical Copyright 2009 Red Hat, Inc. CVE-2009-1044 CVE-2009-1169 CVE-2009-1169 Firefox XSLT memory corruption issue CVE-2009-1044 Firefox XUL garbage collection issue (cansecwest pwn2own) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Openswan is a free implementation of Internet Protocol Security (IPsec) and Internet Key Exchange (IKE). IPsec uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks. Everything passing through the untrusted network is encrypted by the IPsec gateway machine, and decrypted by the gateway at the other end of the tunnel. The resulting tunnel is a virtual private network (VPN). Gerd v. Egidy discovered a flaw in the Dead Peer Detection (DPD) in Openswan's pluto IKE daemon. A remote attacker could use a malicious DPD packet to crash the pluto daemon. (CVE-2009-0790) It was discovered that Openswan's livetest script created temporary files in an insecure manner. A local attacker could use this flaw to overwrite arbitrary files owned by the user running the script. (CVE-2008-4190) Note: The livetest script is an incomplete feature and was not automatically executed by any other script distributed with Openswan, or intended to be used at all, as was documented in its man page. In these updated packages, the script only prints an informative message and exits immediately when run. All users of openswan are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the ipsec service will be restarted automatically. Important Copyright 2009 Red Hat, Inc. CVE-2008-4190 CVE-2009-0790 CVE-2008-4190 openswan: Insecure auxiliary /tmp file usage (symlink attack possible) CVE-2009-0790 openswan: ISAKMP DPD remote DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third party, the Key Distribution Center (KDC). The Generic Security Service Application Program Interface (GSS-API) definition provides security services to callers (protocols) in a generic fashion. The Simple and Protected GSS-API Negotiation (SPNEGO) mechanism is used by GSS-API peers to choose from a common set of security mechanisms. An input validation flaw was found in the ASN.1 (Abstract Syntax Notation One) decoder used by MIT Kerberos. A remote attacker could use this flaw to crash a network service using the MIT Kerberos library, such as kadmind or krb5kdc, by causing it to dereference or free an uninitialized pointer. (CVE-2009-0846) Multiple input validation flaws were found in the MIT Kerberos GSS-API library's implementation of the SPNEGO mechanism. A remote attacker could use these flaws to crash any network service utilizing the MIT Kerberos GSS-API library to authenticate users or, possibly, leak portions of the service's memory. (CVE-2009-0844, CVE-2009-0845) All krb5 users should upgrade to these updated packages, which contain backported patches to correct these issues. All running services using the MIT Kerberos libraries must be restarted for the update to take effect. Important Copyright 2009 Red Hat, Inc. CVE-2009-0844 CVE-2009-0845 CVE-2009-0846 CVE-2009-0845 krb5: NULL pointer dereference in GSSAPI SPNEGO (MITKRB5-SA-2009-001) CVE-2009-0844 krb5: buffer over-read in SPNEGO GSS-API mechanism (MITKRB5-SA-2009-001) CVE-2009-0846 krb5: ASN.1 decoder can free uninitialized pointer when decoding an invalid encoding (MITKRB5-SA-2009-002) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third party, the Key Distribution Center (KDC). An input validation flaw was found in the ASN.1 (Abstract Syntax Notation One) decoder used by MIT Kerberos. A remote attacker could use this flaw to crash a network service using the MIT Kerberos library, such as kadmind or krb5kdc, by causing it to dereference or free an uninitialized pointer. (CVE-2009-0846) All krb5 users should upgrade to these updated packages, which contain a backported patch to correct this issue. All running services using the MIT Kerberos libraries must be restarted for the update to take effect. Important Copyright 2009 Red Hat, Inc. CVE-2009-0846 CVE-2009-0846 krb5: ASN.1 decoder can free uninitialized pointer when decoding an invalid encoding (MITKRB5-SA-2009-002) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third party, the Key Distribution Center (KDC). An input validation flaw was found in the ASN.1 (Abstract Syntax Notation One) decoder used by MIT Kerberos. A remote attacker could use this flaw to crash a network service using the MIT Kerberos library, such as kadmind or krb5kdc, by causing it to dereference or free an uninitialized pointer or, possibly, execute arbitrary code with the privileges of the user running the service. (CVE-2009-0846) All krb5 users should upgrade to these updated packages, which contain a backported patch to correct this issue. All running services using the MIT Kerberos libraries must be restarted for the update to take effect. Critical Copyright 2009 Red Hat, Inc. CVE-2009-0846 CVE-2009-0846 krb5: ASN.1 decoder can free uninitialized pointer when decoding an invalid encoding (MITKRB5-SA-2009-002) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The device-mapper multipath packages provide tools to manage multipath devices by issuing instructions to the device-mapper multipath kernel module, and by managing the creation and removal of partitions for device-mapper devices. It was discovered that the multipathd daemon set incorrect permissions on the socket used to communicate with command line clients. An unprivileged, local user could use this flaw to send commands to multipathd, resulting in access disruptions to storage devices accessible via multiple paths and, possibly, file system corruption on these devices. (CVE-2009-0115) Users of device-mapper-multipath are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. The multipathd service must be restarted for the changes to take effect. Important: the version of the multipathd daemon in Red Hat Enterprise Linux 5 has a known issue which may cause a machine to become unresponsive when the multipathd service is stopped. This issue is tracked in the Bugzilla bug #494582; a link is provided in the References section of this erratum. Until this issue is resolved, we recommend restarting the multipathd service by issuing the following commands in sequence: # killall -KILL multipathd # service multipathd restart Moderate Copyright 2009 Red Hat, Inc. CVE-2009-0115 CVE-2009-0115 device-mapper-multipath: insecure permissions on multipathd.sock cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 Ghostscript is a set of software that provides a PostScript interpreter, a set of C procedures (the Ghostscript library, which implements the graphics capabilities in the PostScript language) and an interpreter for Portable Document Format (PDF) files. It was discovered that the Red Hat Security Advisory RHSA-2009:0345 did not address all possible integer overflow flaws in Ghostscript's International Color Consortium Format library (icclib). Using specially-crafted ICC profiles, an attacker could create a malicious PostScript or PDF file with embedded images that could cause Ghostscript to crash or, potentially, execute arbitrary code when opened. (CVE-2009-0792) A missing boundary check was found in Ghostscript's CCITTFax decoding filter. An attacker could create a specially-crafted PostScript or PDF file that could cause Ghostscript to crash or, potentially, execute arbitrary code when opened. (CVE-2007-6725) Users of ghostscript are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Moderate Copyright 2009 Red Hat, Inc. CVE-2007-6725 CVE-2009-0792 CVE-2009-0792 ghostscript, argyllcms: Incomplete fix for CVE-2009-0583 CVE-2007-6725 ghostscript: DoS (crash) in CCITTFax decoding filter cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Ghostscript is a set of software that provides a PostScript interpreter, a set of C procedures (the Ghostscript library, which implements the graphics capabilities in the PostScript language) and an interpreter for Portable Document Format (PDF) files. It was discovered that the Red Hat Security Advisory RHSA-2009:0345 did not address all possible integer overflow flaws in Ghostscript's International Color Consortium Format library (icclib). Using specially-crafted ICC profiles, an attacker could create a malicious PostScript or PDF file with embedded images that could cause Ghostscript to crash or, potentially, execute arbitrary code when opened. (CVE-2009-0792) A buffer overflow flaw and multiple missing boundary checks were found in Ghostscript. An attacker could create a specially-crafted PostScript or PDF file that could cause Ghostscript to crash or, potentially, execute arbitrary code when opened. (CVE-2008-6679, CVE-2007-6725, CVE-2009-0196) Red Hat would like to thank Alin Rad Pop of Secunia Research for responsibly reporting the CVE-2009-0196 flaw. Users of ghostscript are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Moderate Copyright 2009 Red Hat, Inc. CVE-2007-6725 CVE-2008-6679 CVE-2009-0196 CVE-2009-0792 CVE-2009-0792 ghostscript, argyllcms: Incomplete fix for CVE-2009-0583 CVE-2009-0196 ghostscript: Missing boundary check in Ghostscript's jbig2dec library CVE-2007-6725 ghostscript: DoS (crash) in CCITTFax decoding filter CVE-2008-6679 ghostscript: Buffer overflow in BaseFont writer module for pdfwrite device cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 udev provides a user-space API and implements a dynamic device directory, providing only the devices present on the system. udev replaces devfs in order to provide greater hot plug functionality. Netlink is a datagram oriented service, used to transfer information between kernel modules and user-space processes. It was discovered that udev did not properly check the origin of Netlink messages. A local attacker could use this flaw to gain root privileges via a crafted Netlink message sent to udev, causing it to create a world-writable block device file for an existing system block device (for example, the root file system). (CVE-2009-1185) Red Hat would like to thank Sebastian Krahmer of the SUSE Security Team for responsibly reporting this flaw. Users of udev are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the update, the udevd daemon will be restarted automatically. Important Copyright 2009 Red Hat, Inc. CVE-2009-1185 CVE-2009-1185 udev: Uncheck origin of NETLINK messages cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Common UNIX® Printing System (CUPS) provides a portable printing layer for UNIX operating systems. An integer overflow flaw, leading to a heap-based buffer overflow, was discovered in the Tagged Image File Format (TIFF) decoding routines used by the CUPS image-converting filters, "imagetops" and "imagetoraster". An attacker could create a malicious TIFF file that could, potentially, execute arbitrary code as the "lp" user if the file was printed. (CVE-2009-0163) Red Hat would like to thank Aaron Sigel of the Apple Product Security team for responsibly reporting this flaw. Users of cups are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the update, the cupsd daemon will be restarted automatically. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-0163 CVE-2009-0163 cups: Integer overflow in the TIFF image filter Multiple PDF flaws cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The Common UNIX® Printing System (CUPS) provides a portable printing layer for UNIX operating systems. Multiple integer overflow flaws were found in the CUPS JBIG2 decoder. An attacker could create a malicious PDF file that would cause CUPS to crash or, potentially, execute arbitrary code as the "lp" user if the file was printed. (CVE-2009-0147, CVE-2009-1179) Multiple buffer overflow flaws were found in the CUPS JBIG2 decoder. An attacker could create a malicious PDF file that would cause CUPS to crash or, potentially, execute arbitrary code as the "lp" user if the file was printed. (CVE-2009-0146, CVE-2009-1182) Multiple flaws were found in the CUPS JBIG2 decoder that could lead to the freeing of arbitrary memory. An attacker could create a malicious PDF file that would cause CUPS to crash or, potentially, execute arbitrary code as the "lp" user if the file was printed. (CVE-2009-0166, CVE-2009-1180) Multiple input validation flaws were found in the CUPS JBIG2 decoder. An attacker could create a malicious PDF file that would cause CUPS to crash or, potentially, execute arbitrary code as the "lp" user if the file was printed. (CVE-2009-0800) An integer overflow flaw, leading to a heap-based buffer overflow, was discovered in the Tagged Image File Format (TIFF) decoding routines used by the CUPS image-converting filters, "imagetops" and "imagetoraster". An attacker could create a malicious TIFF file that could, potentially, execute arbitrary code as the "lp" user if the file was printed. (CVE-2009-0163) Multiple denial of service flaws were found in the CUPS JBIG2 decoder. An attacker could create a malicious PDF file that would cause CUPS to crash when printed. (CVE-2009-0799, CVE-2009-1181, CVE-2009-1183) Red Hat would like to thank Aaron Sigel, Braden Thomas and Drew Yao of the Apple Product Security team, and Will Dormann of the CERT/CC for responsibly reporting these flaws. Users of cups are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the update, the cupsd daemon will be restarted automatically. Important Copyright 2009 Red Hat, Inc. CVE-2009-0146 CVE-2009-0147 CVE-2009-0163 CVE-2009-0166 CVE-2009-0195 CVE-2009-0799 CVE-2009-0800 CVE-2009-1179 CVE-2009-1180 CVE-2009-1181 CVE-2009-1182 CVE-2009-1183 CVE-2009-0163 cups: Integer overflow in the TIFF image filter CVE-2009-0146 xpdf: Multiple buffer overflows in JBIG2 decoder (setBitmap, readSymbolDictSeg) (CVE-2009-0195) CVE-2009-0147 xpdf: Multiple integer overflows in JBIG2 decoder CVE-2009-0166 xpdf: Freeing of potentially uninitialized memory in JBIG2 decoder Multiple PDF flaws CVE-2009-0799 PDF JBIG2 decoder OOB read CVE-2009-0800 PDF JBIG2 multiple input validation flaws CVE-2009-1179 PDF JBIG2 integer overflow CVE-2009-1180 PDF JBIG2 invalid free() CVE-2009-1181 PDF JBIG2 NULL dereference CVE-2009-1182 PDF JBIG2 MMR decoder buffer overflows CVE-2009-1183 PDF JBIG2 MMR infinite loop DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 Xpdf is an X Window System based viewer for Portable Document Format (PDF) files. Multiple integer overflow flaws were found in Xpdf's JBIG2 decoder. An attacker could create a malicious PDF file that would cause Xpdf to crash or, potentially, execute arbitrary code when opened. (CVE-2009-0147, CVE-2009-1179) Multiple buffer overflow flaws were found in Xpdf's JBIG2 decoder. An attacker could create a malicious PDF file that would cause Xpdf to crash or, potentially, execute arbitrary code when opened. (CVE-2009-0146, CVE-2009-1182) Multiple flaws were found in Xpdf's JBIG2 decoder that could lead to the freeing of arbitrary memory. An attacker could create a malicious PDF file that would cause Xpdf to crash or, potentially, execute arbitrary code when opened. (CVE-2009-0166, CVE-2009-1180) Multiple input validation flaws were found in Xpdf's JBIG2 decoder. An attacker could create a malicious PDF file that would cause Xpdf to crash or, potentially, execute arbitrary code when opened. (CVE-2009-0800) Multiple denial of service flaws were found in Xpdf's JBIG2 decoder. An attacker could create a malicious PDF that would cause Xpdf to crash when opened. (CVE-2009-0799, CVE-2009-1181, CVE-2009-1183) Red Hat would like to thank Braden Thomas and Drew Yao of the Apple Product Security team, and Will Dormann of the CERT/CC for responsibly reporting these flaws. Users are advised to upgrade to this updated package, which contains backported patches to correct these issues. Important Copyright 2009 Red Hat, Inc. CVE-2009-0146 CVE-2009-0147 CVE-2009-0166 CVE-2009-0195 CVE-2009-0799 CVE-2009-0800 CVE-2009-1179 CVE-2009-1180 CVE-2009-1181 CVE-2009-1182 CVE-2009-1183 CVE-2009-0146 xpdf: Multiple buffer overflows in JBIG2 decoder (setBitmap, readSymbolDictSeg) (CVE-2009-0195) CVE-2009-0147 xpdf: Multiple integer overflows in JBIG2 decoder CVE-2009-0166 xpdf: Freeing of potentially uninitialized memory in JBIG2 decoder Multiple PDF flaws CVE-2009-0799 PDF JBIG2 decoder OOB read CVE-2009-0800 PDF JBIG2 multiple input validation flaws CVE-2009-1179 PDF JBIG2 integer overflow CVE-2009-1180 PDF JBIG2 invalid free() CVE-2009-1181 PDF JBIG2 NULL dereference CVE-2009-1182 PDF JBIG2 MMR decoder buffer overflows CVE-2009-1183 PDF JBIG2 MMR infinite loop DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The kdegraphics packages contain applications for the K Desktop Environment, including KPDF, a viewer for Portable Document Format (PDF) files. Multiple integer overflow flaws were found in KPDF's JBIG2 decoder. An attacker could create a malicious PDF file that would cause KPDF to crash or, potentially, execute arbitrary code when opened. (CVE-2009-0147, CVE-2009-1179) Multiple buffer overflow flaws were found in KPDF's JBIG2 decoder. An attacker could create a malicious PDF file that would cause KPDF to crash or, potentially, execute arbitrary code when opened. (CVE-2009-0146, CVE-2009-1182) Multiple flaws were found in KPDF's JBIG2 decoder that could lead to the freeing of arbitrary memory. An attacker could create a malicious PDF file that would cause KPDF to crash or, potentially, execute arbitrary code when opened. (CVE-2009-0166, CVE-2009-1180) Multiple input validation flaws were found in KPDF's JBIG2 decoder. An attacker could create a malicious PDF file that would cause KPDF to crash or, potentially, execute arbitrary code when opened. (CVE-2009-0800) Multiple denial of service flaws were found in KPDF's JBIG2 decoder. An attacker could create a malicious PDF that would cause KPDF to crash when opened. (CVE-2009-0799, CVE-2009-1181, CVE-2009-1183) Red Hat would like to thank Braden Thomas and Drew Yao of the Apple Product Security team, and Will Dormann of the CERT/CC for responsibly reporting these flaws. Users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. Important Copyright 2009 Red Hat, Inc. CVE-2009-0146 CVE-2009-0147 CVE-2009-0166 CVE-2009-0195 CVE-2009-0799 CVE-2009-0800 CVE-2009-1179 CVE-2009-1180 CVE-2009-1181 CVE-2009-1182 CVE-2009-1183 CVE-2009-0146 xpdf: Multiple buffer overflows in JBIG2 decoder (setBitmap, readSymbolDictSeg) (CVE-2009-0195) CVE-2009-0147 xpdf: Multiple integer overflows in JBIG2 decoder CVE-2009-0166 xpdf: Freeing of potentially uninitialized memory in JBIG2 decoder Multiple PDF flaws CVE-2009-0799 PDF JBIG2 decoder OOB read CVE-2009-0800 PDF JBIG2 multiple input validation flaws CVE-2009-1179 PDF JBIG2 integer overflow CVE-2009-1180 PDF JBIG2 invalid free() CVE-2009-1181 PDF JBIG2 NULL dereference CVE-2009-1182 PDF JBIG2 MMR decoder buffer overflows CVE-2009-1183 PDF JBIG2 MMR infinite loop DoS cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Firefox is an open source Web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code as the user running Firefox. (CVE-2009-1302, CVE-2009-1303, CVE-2009-1304, CVE-2009-1305) Several flaws were found in the way malformed web content was processed. A web page containing malicious content could execute arbitrary JavaScript in the context of the site, possibly presenting misleading data to a user, or stealing sensitive information such as login credentials. (CVE-2009-0652, CVE-2009-1306, CVE-2009-1307, CVE-2009-1308, CVE-2009-1309, CVE-2009-1310, CVE-2009-1312) A flaw was found in the way Firefox saved certain web pages to a local file. If a user saved the inner frame of a web page containing POST data, the POST data could be revealed to the inner frame, possibly surrendering sensitive information such as login credentials. (CVE-2009-1311) For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 3.0.9. You can find a link to the Mozilla advisories in the References section of this errata. All Firefox users should upgrade to these updated packages, which contain Firefox version 3.0.9, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect. Critical Copyright 2009 Red Hat, Inc. CVE-2009-0652 CVE-2009-1302 CVE-2009-1303 CVE-2009-1304 CVE-2009-1305 CVE-2009-1306 CVE-2009-1307 CVE-2009-1308 CVE-2009-1309 CVE-2009-1310 CVE-2009-1311 CVE-2009-1312 CVE-2009-0652 firefox: does not properly prevent the literal rendering of homoglyph characters in IDN domain names (spoof URLs and conduct phishing attacks) CVE-2009-1302 Firefox 3 Layout engine crashes CVE-2009-1303 Firefox 2 and 3 Layout engine crash CVE-2009-1304 Firefox 3 JavaScript engine crashes CVE-2009-1305 Firefox 2 and 3 JavaScript engine crash CVE-2009-1306 Firefox jar: scheme ignores the content-disposition: header on the inner URI CVE-2009-1307 Firefox Same-origin violations when Adobe Flash loaded via view-source: protocol CVE-2009-1308 Firefox XSS hazard using third-party stylesheets and XBL bindings CVE-2009-1309 Firefox Same-origin violations in XMLHttpRequest and XPCNativeWrapper.toString CVE-2009-1310 Firefox Malicious search plugins can inject code into arbitrary sites CVE-2009-1311 Firefox POST data sent to wrong site when saving web page with embedded frame CVE-2009-1312 Firefox allows Refresh header to redirect to javascript: URIs cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 SeaMonkey is an open source Web browser, email and newsgroup client, IRC chat client, and HTML editor. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause SeaMonkey to crash or, potentially, execute arbitrary code as the user running SeaMonkey. (CVE-2009-1303, CVE-2009-1305) Several flaws were found in the way malformed web content was processed. A web page containing malicious content could execute arbitrary JavaScript in the context of the site, possibly presenting misleading data to a user, or stealing sensitive information such as login credentials. (CVE-2009-0652, CVE-2009-1306, CVE-2009-1307, CVE-2009-1309, CVE-2009-1312) A flaw was found in the way SeaMonkey saved certain web pages to a local file. If a user saved the inner frame of a web page containing POST data, the POST data could be revealed to the inner frame, possibly surrendering sensitive information such as login credentials. (CVE-2009-1311) All SeaMonkey users should upgrade to these updated packages, which correct these issues. After installing the update, SeaMonkey must be restarted for the changes to take effect. Critical Copyright 2009 Red Hat, Inc. CVE-2009-0652 CVE-2009-1303 CVE-2009-1305 CVE-2009-1306 CVE-2009-1307 CVE-2009-1309 CVE-2009-1311 CVE-2009-1312 CVE-2009-0652 firefox: does not properly prevent the literal rendering of homoglyph characters in IDN domain names (spoof URLs and conduct phishing attacks) CVE-2009-1303 Firefox 2 and 3 Layout engine crash CVE-2009-1305 Firefox 2 and 3 JavaScript engine crash CVE-2009-1306 Firefox jar: scheme ignores the content-disposition: header on the inner URI CVE-2009-1307 Firefox Same-origin violations when Adobe Flash loaded via view-source: protocol CVE-2009-1309 Firefox Same-origin violations in XMLHttpRequest and XPCNativeWrapper.toString CVE-2009-1311 Firefox POST data sent to wrong site when saving web page with embedded frame CVE-2009-1312 Firefox allows Refresh header to redirect to javascript: URIs cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The giflib packages contain a shared library of functions for loading and saving GIF image files. This library is API and ABI compatible with libungif, the library that supported uncompressed GIF image files while the Unisys LZW patent was in effect. Several flaws were discovered in the way giflib decodes GIF images. An attacker could create a carefully crafted GIF image that could cause an application using giflib to crash or, possibly, execute arbitrary code when opened by a victim. (CVE-2005-2974, CVE-2005-3350) All users of giflib are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. All running applications using giflib must be restarted for the update to take effect. Important Copyright 2009 Red Hat, Inc. CVE-2005-2974 CVE-2005-3350 CVE-2005-3350 giflib/libunfig: memory corruption via a crafted GIF CVE-2005-2974 giflib/libunfig: NULL pointer dereference crash cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 The IBM® 1.4.2 SR13 Java™ release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. This update fixes several vulnerabilities in the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. These vulnerabilities are summarized on the IBM "Security alerts" page listed in the References section. (CVE-2008-2086, CVE-2008-5339, CVE-2008-5340, CVE-2008-5342, CVE-2008-5343, CVE-2008-5344, CVE-2008-5345, CVE-2008-5346, CVE-2008-5348, CVE-2008-5350, CVE-2008-5351, CVE-2008-5353, CVE-2008-5354, CVE-2008-5359, CVE-2008-5360) All users of java-1.4.2-ibm are advised to upgrade to these updated packages, which contain the IBM 1.4.2 SR13 Java release. All running instances of IBM Java must be restarted for the update to take effect. Critical Copyright 2009 Red Hat, Inc. CVE-2008-2086 CVE-2008-5339 CVE-2008-5340 CVE-2008-5342 CVE-2008-5343 CVE-2008-5344 CVE-2008-5345 CVE-2008-5346 CVE-2008-5348 CVE-2008-5350 CVE-2008-5351 CVE-2008-5353 CVE-2008-5354 CVE-2008-5359 CVE-2008-5360 CVE-2008-5350 OpenJDK allows to list files within the user home directory (6484091) CVE-2008-5348 OpenJDK Denial-Of-Service in kerberos authentication (6588160) CVE-2008-5360 OpenJDK temporary files have guessable file names (6721753) CVE-2008-5359 OpenJDK Buffer overflow in image processing (6726779) CVE-2008-5351 OpenJDK UTF-8 decoder accepts non-shortest form sequences (4486841) CVE-2008-5353 OpenJDK calendar object deserialization allows privilege escalation (6734167) CVE-2008-5354 OpenJDK Privilege escalation in command line applications (6733959) CVE-2008-2086 Java Web Start File Inclusion via System Properties Override CVE-2008-5339 JavaWebStart allows unauthorized network connections CVE-2008-5340 Java WebStart privilege escalation CVE-2008-5342 Java Web Start BasicService displays local files in the browser CVE-2008-5343 Java WebStart allows hidden code privilege escalation CVE-2008-5344 Java WebStart unprivileged local file and network access CVE-2008-5345 JRE allows unauthorized file access and connections to localhost CVE-2008-5346 JRE allows unauthorized memory read access via a crafted ZIP file cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 Mozilla Firefox is an open source Web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. A flaw was found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code as the user running Firefox. (CVE-2009-1313) For technical details regarding this flaw, refer to the Mozilla security advisory for Firefox 3.0.10. You can find a link to the Mozilla advisories in the References section of this errata. All Firefox users should upgrade to these updated packages, which contain Firefox version 3.0.10, which corrects this issue. After installing the update, Firefox must be restarted for the change to take effect. Critical Copyright 2009 Red Hat, Inc. CVE-2009-1313 CVE-2009-1313 Firefox crash in nsTextFrame::ClearTextRun() cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 libwmf is a library for reading and converting Windows Metafile Format (WMF) vector graphics. libwmf is used by applications such as GIMP and ImageMagick. A pointer use-after-free flaw was found in the GD graphics library embedded in libwmf. An attacker could create a specially-crafted WMF file that would cause an application using libwmf to crash or, potentially, execute arbitrary code as the user running the application when opened by a victim. (CVE-2009-1364) Note: This flaw is specific to the GD graphics library embedded in libwmf. It does not affect the GD graphics library from the "gd" packages, or applications using it. Red Hat would like to thank Tavis Ormandy of the Google Security Team for responsibly reporting this flaw. All users of libwmf are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the update, all applications using libwmf must be restarted for the update to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-1364 CVE-2009-1364 libwmf: embedded gd use-after-free error cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 GPdf is a viewer for Portable Document Format (PDF) files. Multiple integer overflow flaws were found in GPdf's JBIG2 decoder. An attacker could create a malicious PDF file that would cause GPdf to crash or, potentially, execute arbitrary code when opened. (CVE-2009-0147, CVE-2009-1179) Multiple buffer overflow flaws were found in GPdf's JBIG2 decoder. An attacker could create a malicious PDF file that would cause GPdf to crash or, potentially, execute arbitrary code when opened. (CVE-2009-0146, CVE-2009-1182) Multiple flaws were found in GPdf's JBIG2 decoder that could lead to the freeing of arbitrary memory. An attacker could create a malicious PDF file that would cause GPdf to crash or, potentially, execute arbitrary code when opened. (CVE-2009-0166, CVE-2009-1180) Multiple input validation flaws were found in GPdf's JBIG2 decoder. An attacker could create a malicious PDF file that would cause GPdf to crash or, potentially, execute arbitrary code when opened. (CVE-2009-0800) Multiple denial of service flaws were found in GPdf's JBIG2 decoder. An attacker could create a malicious PDF that would cause GPdf to crash when opened. (CVE-2009-0799, CVE-2009-1181, CVE-2009-1183) Red Hat would like to thank Braden Thomas and Drew Yao of the Apple Product Security team, and Will Dormann of the CERT/CC for responsibly reporting these flaws. Users are advised to upgrade to this updated package, which contains backported patches to correct these issues. Important Copyright 2009 Red Hat, Inc. CVE-2009-0146 CVE-2009-0147 CVE-2009-0166 CVE-2009-0195 CVE-2009-0799 CVE-2009-0800 CVE-2009-1179 CVE-2009-1180 CVE-2009-1181 CVE-2009-1182 CVE-2009-1183 CVE-2009-3606 CVE-2009-0146 xpdf: Multiple buffer overflows in JBIG2 decoder (setBitmap, readSymbolDictSeg) (CVE-2009-0195) CVE-2009-0147 xpdf: Multiple integer overflows in JBIG2 decoder CVE-2009-0166 xpdf: Freeing of potentially uninitialized memory in JBIG2 decoder Multiple PDF flaws CVE-2009-0799 PDF JBIG2 decoder OOB read CVE-2009-0800 PDF JBIG2 multiple input validation flaws CVE-2009-1179 PDF JBIG2 integer overflow CVE-2009-1180 PDF JBIG2 invalid free() CVE-2009-1181 PDF JBIG2 NULL dereference CVE-2009-1182 PDF JBIG2 MMR decoder buffer overflows CVE-2009-1183 PDF JBIG2 MMR infinite loop DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security fixes: * a logic error was found in the do_setlk() function of the Linux kernel Network File System (NFS) implementation. If a signal interrupted a lock request, the local POSIX lock was incorrectly created. This could cause a denial of service on the NFS server if a file descriptor was closed before its corresponding lock request returned. (CVE-2008-4307, Important) * a deficiency was found in the Linux kernel system call auditing implementation on 64-bit systems. This could allow a local, unprivileged user to circumvent a system call audit configuration, if that configuration filtered based on the "syscall" number or arguments. (CVE-2009-0834, Important) * Chris Evans reported a deficiency in the Linux kernel signals implementation. The clone() system call permits the caller to indicate the signal it wants to receive when its child exits. When clone() is called with the CLONE_PARENT flag, it permits the caller to clone a new child that shares the same parent as itself, enabling the indicated signal to be sent to the caller's parent (instead of the caller), even if the caller's parent has different real and effective user IDs. This could lead to a denial of service of the parent. (CVE-2009-0028, Moderate) * the sock_getsockopt() function in the Linux kernel did not properly initialize a data structure that can be directly returned to user-space when the getsockopt() function is called with SO_BSDCOMPAT optname set. This flaw could possibly lead to memory disclosure. (CVE-2009-0676, Moderate) Bug fixes: * a kernel crash may have occurred for Red Hat Enterprise Linux 4.7 guests if their guest configuration file specified "vif = [ "type=ioemu" ]". This crash only occurred when starting guests via the "xm create" command. (BZ#477146) * a bug in IO-APIC NMI watchdog may have prevented Red Hat Enterprise Linux 4.7 from being installed on HP ProLiant DL580 G5 systems. Hangs during installation and "NMI received for unknown reason [xx]" errors may have occurred. (BZ#479184) * a kernel deadlock on some systems when using netdump through a network interface that uses the igb driver. (BZ#480579) * a possible kernel hang in sys_ptrace() on the Itanium® architecture, possibly triggered by tracing a threaded process with strace. (BZ#484904) * the RHSA-2008:0665 errata only fixed the known problem with the LSI Logic LSI53C1030 Ultra320 SCSI controller, for tape devices. Read commands sent to tape devices may have received incorrect data. This issue may have led to data corruption. This update includes a fix for all types of devices. (BZ#487399) * a missing memory barrier caused a race condition in the AIO subsystem between the read_events() and aio_complete() functions. This may have caused a thread in read_events() to sleep indefinitely, possibly causing an application hang. (BZ#489935) * due to a lack of synchronization in the NFS client code, modifications to some pages (for files on an NFS mounted file system) made through a region of memory mapped by mmap() may be lost if the NFS client invalidates its page cache for particular files. (BZ#490119) * a NULL pointer dereference in the megaraid_mbox driver caused a system crash on some systems. (BZ#493420) * the ext3_symlink() function in the ext3 file system code used an illegal __GFP_FS allocation inside some transactions. This may have resulted in a kernel panic and "Assertion failure" errors. (BZ#493422) * do_machine_check() cleared all Machine Check Exception (MCE) status registers, preventing the BIOS from using them to determine the cause of certain panics and errors. (BZ#494915) * a bug prevented NMI watchdog from initializing on HP ProLiant DL580 G5 systems. (BZ#497330) This update contains backported patches to fix these issues. The system must be rebooted for this update to take effect. Important Copyright 2009 Red Hat, Inc. CVE-2008-4307 CVE-2009-0028 CVE-2009-0676 CVE-2009-0834 CVE-2008-4307 Kernel BUG() in locks_remove_flock RHEL4.7 guest will crash, if creating with only RTL8139 emulation NIC RHEL 4.7: unknown NMI errors on x86_64 on DL580 G5 CVE-2009-0028 Linux kernel minor signal handling vulnerability deadlock in igb during netdump [RHEL4U4] strace utility can cause system to hang at sys_ptrace CVE-2009-0676 kernel: memory disclosure in SO_BSDCOMPAT gsopt [4.7]When SCSI READ Command is issued to tape device, the read data might not be correct for LSI 53C1030 Errata No28. CVE-2009-0834 kernel: x86-64: syscall-audit: 32/64 syscall hole race in aio_complete() leads to process hang LTC41974-Pages of a memory mapped NFS file get corrupted. NULL pointer dereference at megaraid_queue_command after a reset [RHEL4u4] Kernel panic was caused by page_symlink() when kernel has to shrink caches Enable NMI watchdog on HP DL580 G5 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues: * a logic error was found in the do_setlk() function of the Linux kernel Network File System (NFS) implementation. If a signal interrupted a lock request, the local POSIX lock was incorrectly created. This could cause a denial of service on the NFS server if a file descriptor was closed before its corresponding lock request returned. (CVE-2008-4307, Important) * a deficiency was found in the Linux kernel system call auditing implementation on 64-bit systems. This could allow a local, unprivileged user to circumvent a system call audit configuration, if that configuration filtered based on the "syscall" number or arguments. (CVE-2009-0834, Important) * the exit_notify() function in the Linux kernel did not properly reset the exit signal if a process executed a set user ID (setuid) application before exiting. This could allow a local, unprivileged user to elevate their privileges. (CVE-2009-1337, Important) * a flaw was found in the ecryptfs_write_metadata_to_contents() function of the Linux kernel eCryptfs implementation. On systems with a 4096 byte page-size, this flaw may have caused 4096 bytes of uninitialized kernel memory to be written into the eCryptfs file headers, leading to an information leak. Note: Encrypted files created on systems running the vulnerable version of eCryptfs may contain leaked data in the eCryptfs file headers. This update does not remove any leaked data. Refer to the Knowledgebase article in the References section for further information. (CVE-2009-0787, Moderate) * the Linux kernel implementation of the Network File System (NFS) did not properly initialize the file name limit in the nfs_server data structure. This flaw could possibly lead to a denial of service on a client mounting an NFS share. (CVE-2009-1336, Moderate) This update also fixes the following bugs: * the enic driver (Cisco 10G Ethernet) did not operate under virtualization. (BZ#472474) * network interfaces using the IBM eHEA Ethernet device driver could not be successfully configured under low-memory conditions. (BZ#487035) * bonding with the "arp_validate=3" option may have prevented fail overs. (BZ#488064) * when running under virtualization, the acpi-cpufreq module wrote "Domain attempted WRMSR" errors to the dmesg log. (BZ#488928) * NFS clients may have experienced deadlocks during unmount. (BZ#488929) * the ixgbe driver double counted the number of received bytes and packets. (BZ#489459) * the Wacom Intuos3 Lens Cursor device did not work correctly with the Wacom Intuos3 12x12 tablet. (BZ#489460) * on the Itanium® architecture, nanosleep() caused commands which used it, such as sleep and usleep, to sleep for one second more than expected. (BZ#490434) * a panic and corruption of slab cache data structures occurred on 64-bit PowerPC systems when clvmd was running. (BZ#491677) * the NONSTOP_TSC feature did not perform correctly on the Intel® microarchitecture (Nehalem) when running in 32-bit mode. (BZ#493356) * keyboards may not have functioned on IBM eServer System p machines after a certain point during installation or afterward. (BZ#494293) * using Device Mapper Multipathing with the qla2xxx driver resulted in frequent path failures. (BZ#495635) * if the hypervisor was booted with the dom0_max_vcpus parameter set to less than the actual number of CPUs in the system, and the cpuspeed service was started, the hypervisor could crash. (BZ#495931) * using Openswan to provide an IPsec virtual private network eventually resulted in a CPU soft lockup and a system crash. (BZ#496044) * it was possible for posix_locks_deadlock() to enter an infinite loop (under the BKL), causing a system hang. (BZ#496842) Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect. Important Copyright 2009 Red Hat, Inc. CVE-2008-4307 CVE-2009-0787 CVE-2009-0834 CVE-2009-1336 CVE-2009-1337 CVE-2008-4307 Kernel BUG() in locks_remove_flock ehea network configuration fails during boot after fsck CVE-2009-0834 kernel: x86-64: syscall-audit: 32/64 syscall hole [RHEL-5.3] ARP packets aren't received by backup slaves breaking arp_validate=3 xm dmesg printk spam -- Domain attempted WRMSR 00000000000000e8 from 00000016:3d0e9470 to 00000000:00000000 Deadlock in flush_workqueue() results in hung nfs clients [Intel 5.4 bug] ixgbe driver double counts RX byte count Wacom driver does not with with mouse/lens device on intuos3 [5.3] The nanosleep() syscall sleeps one second longer. CVE-2009-0787 kernel: ecryptfs file header infoleak slab corruption with dlm and clvmd on ppc64 [Intel 5.4 FEAT] TSC keeps running in C3+[incremental patch for 5.3.z] CVE-2009-1337 kernel: exit_notify: kill the wrong capable(CAP_KILL) check CVE-2009-1336 kernel: nfsv4 client can be crashed by stating a long filename RHEL5-U2 Installation hangs on p-series--7029, 2078 Frequent path failures during I/O on DM multipath devices [5.3][Xen] APERF/MPERF patch update [5.3][Xen] dom0 panic when we use dom0_max_vcpus=2. Running Openswan ipsec vpn server with rhel-5.3 kernel-2.6.18-128.el5 causes crash softlockups due to infinite loops in posix_locks_deadlock cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 acpid is a daemon that dispatches ACPI (Advanced Configuration and Power Interface) events to user-space programs. Anthony de Almeida Lopes of Outpost24 AB reported a denial of service flaw in the acpid daemon's error handling. If an attacker could exhaust the sockets open to acpid, the daemon would enter an infinite loop, consuming most CPU resources and preventing acpid from communicating with legitimate processes. (CVE-2009-0798) Users are advised to upgrade to this updated package, which contains a backported patch to correct this issue. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-0798 CVE-2009-0798 acpid: too many open files DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 3 Pango is a library used for the layout and rendering of internationalized text. Will Drewry discovered an integer overflow flaw in Pango's pango_glyph_string_set_size() function. If an attacker is able to pass an arbitrarily long string to Pango, it may be possible to execute arbitrary code with the permissions of the application calling Pango. (CVE-2009-1194) pango and evolution28-pango users are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing this update, you must restart your system or restart the X server for the update to take effect. Note: Restarting the X server closes all open applications and logs you out of your session. Important Copyright 2009 Red Hat, Inc. CVE-2009-1194 CVE-2009-1194 pango: pango_glyph_string_set_size integer overflow cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 Adobe Reader allows users to view and print documents in Portable Document Format (PDF). Two flaws were discovered in Adobe Reader's JavaScript API. A PDF file containing malicious JavaScript instructions could cause Adobe Reader to crash or, potentially, execute arbitrary code as the user running Adobe Reader. (CVE-2009-1492, CVE-2009-1493) All Adobe Reader users should install these updated packages. They contain Adobe Reader version 8.1.5, which is not vulnerable to these issues. All running instances of Adobe Reader must be restarted for the update to take effect. Critical Copyright 2009 Red Hat, Inc. CVE-2009-1492 CVE-2009-1493 CVE-2009-1492, CVE-2009-1493 acroread: multiple vulnerabilities in Adobe Reader 8.1.4 cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 5 Perl DBI is a database access Application Programming Interface (API) for the Perl language. perl-DBD-Pg allows Perl applications to access PostgreSQL database servers. A heap-based buffer overflow flaw was discovered in the pg_getline function implementation. If the pg_getline or getline functions read large, untrusted records from a database, it could cause an application using these functions to crash or, possibly, execute arbitrary code. (CVE-2009-0663) Note: After installing this update, pg_getline may return more data than specified by its second argument, as this argument will be ignored. This is consistent with current upstream behavior. Previously, the length limit (the second argument) was not enforced, allowing a buffer overflow. A memory leak flaw was found in the function performing the de-quoting of BYTEA type values acquired from a database. An attacker able to cause an application using perl-DBD-Pg to perform a large number of SQL queries returning BYTEA records, could cause the application to use excessive amounts of memory or, possibly, crash. (CVE-2009-1341) All users of perl-DBD-Pg are advised to upgrade to this updated package, which contains backported patches to fix these issues. Applications using perl-DBD-Pg must be restarted for the update to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-0663 CVE-2009-1341 CVE-2009-0663 perl-DBD-Pg: pg_getline buffer overflow CVE-2009-1341 perl-DBD-Pg: dequote_bytea memory leak cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Poppler is a Portable Document Format (PDF) rendering library, used by applications such as Evince. Multiple integer overflow flaws were found in poppler. An attacker could create a malicious PDF file that would cause applications that use poppler (such as Evince) to crash or, potentially, execute arbitrary code when opened. (CVE-2009-0147, CVE-2009-1179, CVE-2009-1187, CVE-2009-1188) Multiple buffer overflow flaws were found in poppler's JBIG2 decoder. An attacker could create a malicious PDF file that would cause applications that use poppler (such as Evince) to crash or, potentially, execute arbitrary code when opened. (CVE-2009-0146, CVE-2009-1182) Multiple flaws were found in poppler's JBIG2 decoder that could lead to the freeing of arbitrary memory. An attacker could create a malicious PDF file that would cause applications that use poppler (such as Evince) to crash or, potentially, execute arbitrary code when opened. (CVE-2009-0166, CVE-2009-1180) Multiple input validation flaws were found in poppler's JBIG2 decoder. An attacker could create a malicious PDF file that would cause applications that use poppler (such as Evince) to crash or, potentially, execute arbitrary code when opened. (CVE-2009-0800) Multiple denial of service flaws were found in poppler's JBIG2 decoder. An attacker could create a malicious PDF file that would cause applications that use poppler (such as Evince) to crash when opened. (CVE-2009-0799, CVE-2009-1181, CVE-2009-1183) Red Hat would like to thank Braden Thomas and Drew Yao of the Apple Product Security team, and Will Dormann of the CERT/CC for responsibly reporting these flaws. Users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. Important Copyright 2009 Red Hat, Inc. CVE-2009-0146 CVE-2009-0147 CVE-2009-0166 CVE-2009-0195 CVE-2009-0791 CVE-2009-0799 CVE-2009-0800 CVE-2009-1179 CVE-2009-1180 CVE-2009-1181 CVE-2009-1182 CVE-2009-1183 CVE-2009-1187 CVE-2009-1188 CVE-2009-3604 CVE-2009-3606 CVE-2009-0146 xpdf: Multiple buffer overflows in JBIG2 decoder (setBitmap, readSymbolDictSeg) (CVE-2009-0195) CVE-2009-0147 xpdf: Multiple integer overflows in JBIG2 decoder CVE-2009-0166 xpdf: Freeing of potentially uninitialized memory in JBIG2 decoder Multiple PDF flaws CVE-2009-0799 PDF JBIG2 decoder OOB read CVE-2009-0800 PDF JBIG2 multiple input validation flaws CVE-2009-1179 PDF JBIG2 integer overflow CVE-2009-1180 PDF JBIG2 invalid free() CVE-2009-1181 PDF JBIG2 NULL dereference CVE-2009-1182 PDF JBIG2 MMR decoder buffer overflows CVE-2009-1183 PDF JBIG2 MMR infinite loop DoS CVE-2009-1187 poppler CairoOutputDev integer overflow CVE-2009-1188 xpdf/poppler: SplashBitmap integer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The nfs-utils package provides a daemon for the kernel NFS server and related tools, which provides a much higher level of performance than the traditional Linux NFS server used by most users. A flaw was found in the nfs-utils package provided by RHBA-2008:0742. The nfs-utils package was missing TCP wrappers support, which could result in an administrator believing they had access restrictions enabled when they did not. (CVE-2008-1376) This update also includes the following bug fixes: * the "nfsstat" command now displays correct statistics. In previous versions, performing more than 2^31 RPC calls could cause the "nfsstat" command to incorrectly display the number of calls as "negative". This was because "nfsstat" printed statistics from /proc/net/rpc/* files as signed integers; with this version of nfs-utils, "nfsstat" now reads and prints these statistics as unsigned integers. (BZ#404831) * imapd upcalls now support zero-length reads and perform extra bounds checking in gssd and svcgssd. This fixes a bug in previous versions that could cause the rpc.imapd daemon to hang when communicating with the kernel, which would halt any ID translation services. (BZ#448710) * tcp_wrappers supported in nfs-utils now allows proper application of hosts access rules defined in /etc/hosts.allow and /etc/hosts.deny. (BZ#494585) * the nfs init script did not check whether SECURE_NFS was set to "yes" before starting, stopping, or querying rpc.svcgssd. On systems where SECURE_NFS was not set to "yes", the nfs init script could not start the rpc.svcgssd daemon at the "service nfs start" command because the rpcsvcssd init script would check the status of SECURE_NFS before starting the daemon. However, at the "service nfs stop" or "service nfs restart" commands, nfs init script would attempt to stop rpc.svcgssd and then report a failure because the daemon was not running in the first place. These error messages may have misled end-users into believing that there was a genuine problem with their NFS configuration. This version of nfs-utils contains a fix backported from Red Hat Enterprise Linux 5. nfs-utils now checks the status of SECURE_NFS before the nfs init script attempts to start, query or stop rpc.svcgssd and therefore, the irrelevant error messages seen previously will not appear. (BZ#470423) * the nfs init script is now fully compliant with Linux Standard Base Core specifications. This update fixes a bug that prevented "/etc/init.d/nfs start" from exiting properly if NFS was already running. (BZ#474570) * /var/lib/nfs/statd/sm is now created with the proper user and group whenever rpc.statd is called. In previous versions, some thread stack conditions could incorrectly prevent rpc.statd from creating the /var/lib/nfs/statd/sm file, which could cause "service nfslock start" to fail. (BZ#479376) All users of nfs-utils should upgrade to this updated package, which resolves these issues. Moderate Copyright 2009 Red Hat, Inc. CVE-2008-1376 "nfsstat -s" shows negative value CVE-2008-1376 nfs-utils: missing tcp_wrappers support lockd not using settings in sysconfig/nfs Incorrect exit codes from nfs init script statd fails to create SM_DIR libwrap - Nor ip, nor hostname work,, only when used ALL expression in hosts.deny access is denied cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The util-linux package contains a collection of basic system utilities, such as fdisk and mount. A log injection attack was found in util-linux when logging log in attempts via the audit subsystem of the Linux kernel. A remote attacker could use this flaw to modify certain parts of logged events, possibly hiding their activities on a system. (CVE-2008-1926) This updated package also fixes the following bugs: * partitions created by VMware ESX™ were not included in the list of recognized file systems used by fdisk. Consequently, if VMware ESX was installed, "fdisk -l" returned "Unknown" for these partitions. With this update, information regarding the VMKcore and VMFS partitions has been added to the file systems list. On systems running VMware ESX, "fdisk -l" now lists information about these partitions as expected. (BZ#447264) * if a username was not set, the login command would fail with a Segmentation fault. With this update, login lets the audit system handle NULL usernames (it sends an AUDIT_USER_LOGIN message to the audit system in the event there is no username set). (BZ#456213) * the nfs(5) man page listed version 2 as the default. This is incorrect: unless otherwise specified, the NFS client uses NFS version 3. The man page has been corrected. (BZ#458539) * in certain situations, backgrounded NFS mounts died shortly after being backgrounded when the mount command was executed by the initlog command, which, for example, would occur when running an init script, such as running the "service netfs start" command. In these situations, running the "ps -ef" command showed backgrounded NFS mounts disappearing shortly after being backgrounded. In this updated package, backgrounded mount processes detach from the controlling terminal, which resolves this issue. (BZ#461488) * if a new partition's starting cylinder was beyond one terabyte, fdisk could not create the partition. This has been fixed. (BZ#471372) * in rare cases "mount -a" ignored fstab order and tried to re-mount file systems on mpath devices. With this update, mount honors fstab order even in the rare cases reported. (BZ#472186) * the "mount --move" command moved a file system's mount point as expected (for example, /proc/mounts showed the changed mount point as expected) but did not update /etc/mtab properly. With this update, the "mount --move" command gathers all necessary information about the old mount point, copies it to the new mount point and then deletes the old point, ensuring /etc/mtab is updated properly. (BZ#485004) Util-linux users are advised to upgrade to this updated package, which addresses this vulnerability and resolves these issues. Low Copyright 2009 Red Hat, Inc. CVE-2008-1926 CVE-2008-1926 util-linux: audit log injection via login RHEL4: VMware fdisk partitions RHEL4: login segfaults on EOF RHEL4: audit log injection attack via login man nfs : wrong information about nfs version used Backgrounded NFS mounts dies soon after "service netfs start" command is issued RHEL4: fdisk cannot create partition with starting beyond 1 TB mount -a has problems with duplicate labels in a mpath setup Move mount doesn't correctly update mtab cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fixes: * the exit_notify() function in the Linux kernel did not properly reset the exit signal if a process executed a set user ID (setuid) application before exiting. This could allow a local, unprivileged user to elevate their privileges. (CVE-2009-1337, Important) * the Linux kernel implementation of the Network File System (NFS) did not properly initialize the file name limit in the nfs_server data structure. This flaw could possibly lead to a denial of service on a client mounting an NFS share. (CVE-2009-1336, Moderate) Bug Fixes and Enhancements: Kernel Feature Support: * added a new allowable value to "/proc/sys/kernel/wake_balance" to allow the scheduler to run the thread on any available CPU rather than scheduling it on the optimal CPU. * added "max_writeback_pages" tunable parameter to /proc/sys/vm/ to allow the maximum number of modified pages kupdate writes to disk, per iteration per run. * added "swap_token_timeout" tunable parameter to /proc/sys/vm/ to provide a valid hold time for the swap out protection token. * added diskdump support to sata_svw driver. * limited physical memory to 64GB for 32-bit kernels running on systems with more than 64GB of physical memory to prevent boot failures. * improved reliability of autofs. * added support for 'rdattr_error' in NFSv4 readdir requests. * fixed various short packet handling issues for NFSv4 readdir and sunrpc. * fixed several CIFS bugs. Networking and IPv6 Enablement: * added router solicitation support. * enforced sg requires tx csum in ethtool. Platform Support: x86, AMD64, Intel 64, IBM System z * added support for a new Intel chipset. * added initialization vendor info in boot_cpu_data. * added support for N_Port ID Virtualization (NPIV) for IBM System z guests using zFCP. * added HDMI support for some AMD and ATI chipsets. * updated HDA driver in ALSA to latest upstream as of 2008-07-22. * added support for affected_cpus for cpufreq. * removed polling timer from i8042. * fixed PM-Timer when using the ASUS A8V Deluxe motherboard. * backported usbfs_mutex in usbfs. 64-bit PowerPC: * updated eHEA driver from version 0078-04 to 0078-08. * updated logging of checksum errors in the eHEA driver. Network Driver Updates: * updated forcedeth driver to latest upstream version 0.61. * fixed various e1000 issues when using Intel ESB2 hardware. * updated e1000e driver to upstream version 0.3.3.3-k6. * updated igb to upstream version 1.2.45-k2. * updated tg3 to upstream version 3.96. * updated ixgbe to upstream version 1.3.18-k4. * updated bnx2 to upstream version 1.7.9. * updated bnx2x to upstream version 1.45.23. * fixed bugs and added enhancements for the NetXen NX2031 and NX3031 products. * updated Realtek r8169 driver to support newer network chipsets. All variants of RTL810x/RTL8168(9) are now supported. Storage Driver Updates: * fixed various SCSI issues. Also, the SCSI sd driver now calls the revalidate_disk wrapper. * fixed a dmraid reduced I/O delay bug in certain configurations. * removed quirk aac_quirk_scsi_32 for some aacraid controllers. * updated FCP driver on IBM System z systems with support for point-to-point connections. * updated lpfc to version 8.0.16.46. * updated megaraid_sas to version 4.01-RH1. * updated MPT Fusion driver to version 3.12.29.00rh. * updated qla2xxx firmware to 4.06.01 for 4GB/s and 8GB/s adapters. * updated qla2xxx driver to version 8.02.09.00.04.08-d. * fixed sata_nv in libsata to disable ADMA mode by default. Miscellaneous Updates: * upgraded OpenFabrics Alliance Enterprise Distribution (OFED) to version 1.4. * added driver support and fixes for various Wacom tablets. Users should install this update, which resolves these issues and adds these enhancements. Important Copyright 2009 Red Hat, Inc. CVE-2009-1336 CVE-2009-1337 sr_get_mcn: check for kmalloc failure drivers/scsi/sg.c: fix check after use remove tape during error handling -> "illegal state transition" Debug: sleeping function called from invalid context at include/linux/rwsem.h:43 dm-snap.c: Data read from snapshot may be corrupt if origin is being written to simultaneously lm_sensors fails with piix4_smbus errors on ServerWorks Grand Champion SL/w83781d sd data corrupter Hangs when registering modules to handle ioctls in kernel compatibility mode [PATCH] Don't match tcp/udp source/destination port for IP fragments [PATCH] NET: Ensure device name passed to SO_BINDTODEVICE is NULL terminated. [PATCH] Netfilter ip_queue: Fix wrong skb->len == nlmsg_len assumption [PATCH] Fix deadlock in br_stp_disable_bridge [PATCH] Fix extra dst release when ip_options_echo fails PMTimer doesn't get detected in an Asus A8V Deluxe motherboard Kernel panic using USB serial I/O Serious problems during the diskdump, can cause the machine to hang and not reboot. Request to backport zFCP NPIV support to RHEL 4 Kernel can BUG() in low memory conditions use after free in nlm subsystem RHEL4.5: PM Timer appears in top-level make menuconfig pci_alloc_consistent() for 64k on 16gig machine -> return value is not multiple of 64k scsi hot swapp mechanism not working with SATA HDD under RHEL4U5 Watchdog timeout e1000 (7.3.20-k2-NAPI) Getting Cpu stuck messages on boot up tx checksum offload settings reported incorrectly e1000e: Wakeup-on-Lan does not work memory leak on size-8192 buckets with NFSV4 kernel: NFS: v4 server returned a bad sequence-id error! ip tunnel can't be bound to another device via-rhine may lose link Kernel Panic in tcp_retransmit_skb ptrace: orig_rax 0x00000000ffffffff not recognized as -1 [PATCH] NFSv3: mode of the symlink can be update Swap Token issue with RHEL4 include patch to add FATTR4_RDATTR_ERROR to readdir calls A deadlock can occur between mmap/munmap and journaling(ext3). entropy generation in bnx2 driver not consistent with other network drivers on RHEL4 align per-cpu section to configured cache bytes ethttool -S on r8169 version 2.2LK hangs when interface is down ADMA problems with sata_nv intermittant mount failures Backport fix for possible data corruption in mark_buffer_dirty on SMP fix setuid/setgid clearing by knfsd Clean up handling of short readdir packets in NFS client 8250 serial port lock recursion clean up CIFS build warnings /proc filesystem in RHEL4 doesn't follow usual unix filesystem conventions Ensure that 'noac' and/or 'actimeo=0' turn off attribute caching crm #1790828 Kernel 2.6.9-67.ELsmp panics in nfs4_free_client CIFS: slab error in kmem_cache_destroy(): cache `cifs_request': Can't free all objects CIFS VFS: Send error in FindClose = -9 CIFS: clear DFS bit in header_assemble mounting CIFS subshare doesn't autoconvert prepath delimiters JBD: Fix typo that could result in filesystem corruption. memory corruption due to portmap call succeeding after parent rpc_clnt has been freed holding files under /proc/net open no longer adds to module refcount Backport FCP point-to-point to RHEL 4 el4u6 xenU guest kernel lockup due to mm_unpinned_lock and runqueue spinlock deadlock process hangs in async direct IO / possible race between dio_bio_end_aio() and dio_await_one() ? [rhel 4.6] System Time drifts forward with TSC [Intel 4.8 FEAT] e1000e driver update to latest upstream [Intel 4.8 FEAT] igb driver update to latest upstream [Intel 4.8 FEAT] ixgbe driver update to latest upstream PATH and EXECVE audit records contain bogus newlines kernel BUG at kernel/signal.c:369! (attempt to free tsk->signal twice) FEAT: RHEL 4.8 HDA ALSA driver update from mainstream RHSA-2008:0508 linux-2.6.9-x86_64-copy_user-zero-tail.patch broken kernel: usbhid: probe of 3-1:1.0 failed with error -5 page keeps non uptodate kernel panic with kernel version 2.6.9-67.0.20.EL Fail to build kernel when enable CONFIG_ACPI_DEBUG in .config Inconsistent documentation regarding pci_alloc_consistent document divider= option in kernel docs LTC:4.8:201714:Update the ehea driver to sync with mainline kernel [NetApp 4.8 bug] online resize of filesystem does not work [4.7] /proc/acpi/dsdt: No such device [RHEL4/Xen]: Allow attach of > 16 xvd devices Kernel panic at hcd_pci_release+16 fattr structs being used uninitialized in nfs3_proc_getacl and nfs3_proc_setacls kernel: fix array out of bounds when mounting with selinux options [rhel-4.8] Timeouts in wait_drive_not_busy with TEAC DV-W28ECW and similar Crash dump fails on IA64 with block_order set to 10 [RHEL4.7 Beta] Wake on LAN function does not operate with LAN card which uses igb driver Crash due to incorrect inet{,6} device initialization order Kernel panic when unloading ip conntrack modules race in aio_complete() leads to process hang RHEL4 scheduler optimizations for financial applications ipv6: use timer pending to fix bridge reference count problem [rhel-4.8] pppoe: Check packet length on all receive paths [rhel-4.8] pppoe: Unshare skb before anything else [rhel-4.8] ide-cd: fix oops when using growisofs [rhel-4.8] RTL8101E with driver r8169 does not work on 1000 network [RHEL4.6] x86_64 race condition at shutdown/panic aac_fib_send failed with status 8195 kernel: random32: seeding improvement [rhel-4.8] missing infiniband kernel headers Backport NetXen nic driver from upstream kernel to RHEL4 Badness in __writeback_single_inode at fs/fs-writeback.c:248 pppoe: Fix skb_unshare_check call position [rhel-4.8] RHEL4.8: Patch to support new HDMI Audio [RHEL4] nmi watchdog: include fix for Pentium 4 D processors Kernel part of AutoFS still having issues with expiration of submount maps regression, rhel4.7+, on the try to read /proc/self/mem getting improper return value kernel: devmem: add range_is_allowed() check to mmap_mem() [rhel-4.8] lost packets when live migrating (RHEL4 XEN) CIFS option forcedirectio fails to allow the appending of text to files. netdump fails when bnx2 has remote copper PHY - Badness in local_bh_enable at kernel/softirq.c:141 lockd: return NLM_LCK_DENIED_GRACE_PERIOD after long periods RHEL4 64 bit skips all pids with bit 15 set (32768-65535, 98304-131071 etc) find using an automounted directory results in 'No such file or directory' do_mount_indirect: indirect trigger not valid Update CIFS for RHEL4.8 [RHEL4 PV-on-HVM]: Crash in xen-vbd when trying to attach disks virtual ethernet device stops working on reception of duplicate backend state change signals openib creates multiple /proc/net/sdp files add multi-core support to cpufreq driver Fix compile warnings caused by adding roundup() to kernel.h rhel4 PV guest installations busted on rhel 5.3 i386 intel dom0 dasd: fix loop in request expiration handling Concurrent CIFS mount/umount processes to same windows machine, different shares hangs umount processes or crashes kernel kernel panic related to autofs4_catatonic_mode when stopping autofs Kernel BUG at include/linux/module.h:397 md: pass down BIO_RW_SYNC in raid{1,10}' applied to RHEL4 kernel BUG() call in net/core/skbuff.c in function ___pksb_trim() [4.7.z] Unable to Unload "ohci-hcd " And to Reboot [Stratus 4.8 bug REVERT] panic reading /proc/bus/input/devices during input device removal futex missreporting ETIMEDOUT instead of EINVAL CRM #1862478 xen guest installation panics when installing 100th guest RHEL4.7 guest will crash, if creating with only RTL8139 emulation NIC [4.7] ethtool operation to the slave device of bonding makes the system hang up. [RHEL-4] wacomexpresskeys: fix Graphire support RHEL4.8 kernel crashed in net_rx_action() on IA64 machine in RHTS connectathon test Need to build xen-platform-pci as a module and not into the kernel [autofs4] Incorrect "active offset mount" messages in syslog [RHEL 4.7 Xen]: Guest hang on FV save/restore panic in kcopyd during snapshot I/O [QLogic 4.8 bug] qla2xxx - Properly support programmable devices [nfs] actimeo=0 not enforced during ftruncate operations, resulting in database crashes oops in net_rx_action on double free of dev->poll_list [QLogic 4.8 bug] qla4xxx - Driver Update Patches - bugs, cleanups If diskdump fails, panic information should be displayed. Kernel Panic with Bnx2 - Badness in local_bh_enable at kernel/softirq.c:141 LTC:4.8:200770:Include Open Fabric Enterprise Distribution fix scsi device cleanup when sysfs addition fails [QLogic 4.8 bug] qla2xxx - Updates from standard and upstream drivers NFS: unable to unmount file system Leap second message can hang the kernel Kernel maintainer's bz for committing some maintenance patches [QLogic 4.8 bug] qla4xxx - Correct version number Kernel Panic on AMD-K6 Improve udp port randomization RHEL 4.8 mpt driver fails to bring up device [EMULEX 4.8 bug] scsi messages correlate with silent data corruption, but no i/o errors netdump generates incomplete vmcore logs with Broadcom BCM5754 Intel E1000 doesn't work on NVIDIA MCP51 motherboards RHEL4 kvm virtio: kernel driver updates cifs mounted home directory breaks ssh security checks on authorized_keys file Random crashing in dm snapshots because of a race condition netdump is broken on igb and ixgbe devices in recent update Dropping packets in bnx2 since 1.7.9 bnx2 version [Qlogic 4.8 bug] qla4xxx: properly support the Async Msg PDU Kernel panic when running xen-vnif enabled FV guest image on KVM NMI appears to be stuck (460) - NMI received for unknown reason 21 fix dst cache leak [RHEL4u4] Kernel panic was caused by page_symlink() when kernel has to shrink caches Creation of mirrored logical volume with VG extent-size of 1K fails UNDERRUN and TIMEOUT status with qla2xxx divider option does not work with TSC clocksource [QLogic 4.8 bug] qla2xxx - fixes for flash, loop resets and HBA traversal [QLogic 4.8 bug] qla2xxx - firmware update for blade servers CVE-2009-1337 kernel: exit_notify: kill the wrong capable(CAP_KILL) check CVE-2009-1336 kernel: nfsv4 client can be crashed by stating a long filename kernel dm crypt: memory corruption when invalid mapping parameters provided cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The ipsec-tools package is used in conjunction with the IPsec functionality in the Linux kernel and includes racoon, an IKEv1 keying daemon. A denial of service flaw was found in the ipsec-tools racoon daemon. An unauthenticated, remote attacker could trigger a NULL pointer dereference that could cause the racoon daemon to crash. (CVE-2009-1574) Multiple memory leak flaws were found in the ipsec-tools racoon daemon. If a remote attacker is able to make multiple connection attempts to the racoon daemon, it was possible to cause the racoon daemon to consume all available memory. (CVE-2009-1632) Users of ipsec-tools should upgrade to this updated package, which contains backported patches to correct these issues. Users must restart the racoon daemon for this update to take effect. Important Copyright 2009 Red Hat, Inc. CVE-2009-1574 CVE-2009-1632 CVE-2009-1574 ipsec-tools: racoon NULL dereference in fragmentation code CVE-2009-1632 ipsec-tools: multiple memory leaks fixed in 0.7.2 cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 The IBM 1.5.0 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. This update fixes several vulnerabilities in the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. These vulnerabilities are summarized on the IBM "Security alerts" page listed in the References section. (CVE-2009-1093, CVE-2009-1094, CVE-2009-1095, CVE-2009-1096, CVE-2009-1097, CVE-2009-1098, CVE-2009-1099, CVE-2009-1100, CVE-2009-1101, CVE-2009-1103, CVE-2009-1104, CVE-2009-1105, CVE-2009-1106, CVE-2009-1107) All users of java-1.5.0-ibm are advised to upgrade to these updated packages, containing the IBM 1.5.0 SR9-SSU Java release. All running instances of IBM Java must be restarted for this update to take effect. Critical Copyright 2009 Red Hat, Inc. CVE-2009-1093 CVE-2009-1094 CVE-2009-1095 CVE-2009-1096 CVE-2009-1097 CVE-2009-1098 CVE-2009-1099 CVE-2009-1100 CVE-2009-1101 CVE-2009-1103 CVE-2009-1104 CVE-2009-1105 CVE-2009-1106 CVE-2009-1107 CVE-2009-1101 OpenJDK JAX-WS service endpoint remote Denial-of-Service (6630639) CVE-2009-1093 OpenJDK remote LDAP Denial-Of-Service (6717680) CVE-2009-1094 OpenJDK LDAP client remote code execution (6737315) CVE-2009-1095 CVE-2009-1096 OpenJDK Pack200 Buffer overflow vulnerability (6792554) CVE-2009-1097 OpenJDK PNG processing buffer overflow vulnerability (6804996) CVE-2009-1098 OpenJDK GIF processing buffer overflow vulnerability (6804998) CVE-2009-1099 OpenJDK: Type1 font processing buffer overflow vulnerability CVE-2009-1100 OpenJDK: DoS (disk consumption) via handling of temporary font files CVE-2009-1103 OpenJDK: Files disclosure, arbitrary code execution via "deserializing applets" (6646860) CVE-2009-1104 OpenJDK: Intended access restrictions bypass via LiveConnect (6724331) CVE-2009-1105 OpenJDK: Possibility of trusted applet run in older, vulnerable version of JRE (6706490) CVE-2009-1106 OpenJDK: Improper parsing of crossdomain.xml files (intended access restriction bypass) (6798948) CVE-2009-1107 OpenJDK: Signed applet remote misuse possibility (6782871) cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 5 The Network Time Protocol (NTP) is used to synchronize a computer's time with a referenced time source. A buffer overflow flaw was discovered in the ntpd daemon's NTPv4 authentication code. If ntpd was configured to use public key cryptography for NTP packet authentication, a remote attacker could use this flaw to send a specially-crafted request packet that could crash ntpd. (CVE-2009-1252) Note: NTP authentication is not enabled by default. A buffer overflow flaw was found in the ntpq diagnostic command. A malicious, remote server could send a specially-crafted reply to an ntpq request that could crash ntpq. (CVE-2009-0159) All ntp users are advised to upgrade to this updated package, which contains backported patches to resolve these issues. After installing the update, the ntpd daemon will be restarted automatically. Important Copyright 2009 Red Hat, Inc. CVE-2009-0159 CVE-2009-1252 CVE-2009-0159 ntp: buffer overflow in ntpq CVE-2009-1252 ntp: remote arbitrary code execution vulnerability if autokeys is enabled cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The Network Time Protocol (NTP) is used to synchronize a computer's time with a referenced time source. A buffer overflow flaw was discovered in the ntpd daemon's NTPv4 authentication code. If ntpd was configured to use public key cryptography for NTP packet authentication, a remote attacker could use this flaw to send a specially-crafted request packet that could crash ntpd or, potentially, execute arbitrary code with the privileges of the "ntp" user. (CVE-2009-1252) Note: NTP authentication is not enabled by default. A buffer overflow flaw was found in the ntpq diagnostic command. A malicious, remote server could send a specially-crafted reply to an ntpq request that could crash ntpq or, potentially, execute arbitrary code with the privileges of the user running the ntpq command. (CVE-2009-0159) All ntp users are advised to upgrade to this updated package, which contains backported patches to resolve these issues. After installing the update, the ntpd daemon will be restarted automatically. Critical Copyright 2009 Red Hat, Inc. CVE-2009-0159 CVE-2009-1252 CVE-2009-0159 ntp: buffer overflow in ntpq CVE-2009-1252 ntp: remote arbitrary code execution vulnerability if autokeys is enabled cpe:/o:redhat:rhel_eus cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Pidgin is an instant messaging program which can log in to multiple accounts on multiple instant messaging networks simultaneously. A buffer overflow flaw was found in the way Pidgin initiates file transfers when using the Extensible Messaging and Presence Protocol (XMPP). If a Pidgin client initiates a file transfer, and the remote target sends a malformed response, it could cause Pidgin to crash or, potentially, execute arbitrary code with the permissions of the user running Pidgin. This flaw only affects accounts using XMPP, such as Jabber and Google Talk. (CVE-2009-1373) It was discovered that on 32-bit platforms, the Red Hat Security Advisory RHSA-2008:0584 provided an incomplete fix for the integer overflow flaw affecting Pidgin's MSN protocol handler. If a Pidgin client receives a specially-crafted MSN message, it may be possible to execute arbitrary code with the permissions of the user running Pidgin. (CVE-2009-1376) Note: By default, when using an MSN account, only users on your buddy list can send you messages. This prevents arbitrary MSN users from exploiting this flaw. All Pidgin users should upgrade to this update package, which contains backported patches to resolve these issues. Pidgin must be restarted for this update to take effect. Important Copyright 2009 Red Hat, Inc. CVE-2009-1373 CVE-2009-1376 CVE-2009-1373 pidgin file transfer buffer overflow CVE-2009-1376 pidgin incomplete fix for CVE-2008-2927 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Pidgin is an instant messaging program which can log in to multiple accounts on multiple instant messaging networks simultaneously. A buffer overflow flaw was found in the way Pidgin initiates file transfers when using the Extensible Messaging and Presence Protocol (XMPP). If a Pidgin client initiates a file transfer, and the remote target sends a malformed response, it could cause Pidgin to crash or, potentially, execute arbitrary code with the permissions of the user running Pidgin. This flaw only affects accounts using XMPP, such as Jabber and Google Talk. (CVE-2009-1373) A denial of service flaw was found in Pidgin's QQ protocol decryption handler. When the QQ protocol decrypts packet information, heap data can be overwritten, possibly causing Pidgin to crash. (CVE-2009-1374) A flaw was found in the way Pidgin's PurpleCircBuffer object is expanded. If the buffer is full when more data arrives, the data stored in this buffer becomes corrupted. This corrupted data could result in confusing or misleading data being presented to the user, or possibly crash Pidgin. (CVE-2009-1375) It was discovered that on 32-bit platforms, the Red Hat Security Advisory RHSA-2008:0584 provided an incomplete fix for the integer overflow flaw affecting Pidgin's MSN protocol handler. If a Pidgin client receives a specially-crafted MSN message, it may be possible to execute arbitrary code with the permissions of the user running Pidgin. (CVE-2009-1376) Note: By default, when using an MSN account, only users on your buddy list can send you messages. This prevents arbitrary MSN users from exploiting this flaw. All Pidgin users should upgrade to these updated packages, which contain backported patches to resolve these issues. Pidgin must be restarted for this update to take effect. Important Copyright 2009 Red Hat, Inc. CVE-2009-1373 CVE-2009-1374 CVE-2009-1375 CVE-2009-1376 CVE-2009-1373 pidgin file transfer buffer overflow CVE-2009-1374 pidgin DoS when decrypting qq packets CVE-2009-1375 pidgin PurpleCircBuffer corruption CVE-2009-1376 pidgin incomplete fix for CVE-2008-2927 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 FreeType is a free, high-quality, portable font engine that can open and manage font files. It also loads, hints, and renders individual glyphs efficiently. These packages provide the FreeType 2 font engine. Tavis Ormandy of the Google Security Team discovered several integer overflow flaws in the FreeType 2 font engine. If a user loaded a carefully-crafted font file with an application linked against FreeType 2, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2009-0946) Users are advised to upgrade to these updated packages, which contain a backported patch to correct these issues. The X server must be restarted (log out, then log back in) for this update to take effect. Important Copyright 2009 Red Hat, Inc. CVE-2009-0946 CVE-2009-0946 freetype: multiple integer overflows cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 SquirrelMail is a standards-based webmail package written in PHP. A server-side code injection flaw was found in the SquirrelMail "map_yp_alias" function. If SquirrelMail was configured to retrieve a user's IMAP server address from a Network Information Service (NIS) server via the "map_yp_alias" function, an unauthenticated, remote attacker using a specially-crafted username could use this flaw to execute arbitrary code with the privileges of the web server. (CVE-2009-1579) Multiple cross-site scripting (XSS) flaws were found in SquirrelMail. An attacker could construct a carefully crafted URL, which once visited by an unsuspecting user, could cause the user's web browser to execute malicious script in the context of the visited SquirrelMail web page. (CVE-2009-1578) It was discovered that SquirrelMail did not properly sanitize Cascading Style Sheets (CSS) directives used in HTML mail. A remote attacker could send a specially-crafted email that could place mail content above SquirrelMail's controls, possibly allowing phishing and cross-site scripting attacks. (CVE-2009-1581) Users of squirrelmail should upgrade to this updated package, which contains backported patches to correct these issues. Important Copyright 2009 Red Hat, Inc. CVE-2009-1578 CVE-2009-1579 CVE-2009-1581 CVE-2009-1581 SquirrelMail: CSS positioning vulnerability CVE-2009-1579 SquirrelMail: Server-side code injection in map_yp_alias username map CVE-2009-1578 SquirrelMail: Multiple cross site scripting issues cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The Apache HTTP Server is a popular and freely-available Web server. A flaw was found in the handling of compression structures between mod_ssl and OpenSSL. If too many connections were opened in a short period of time, all system memory and swap space would be consumed by httpd, negatively impacting other processes, or causing a system crash. (CVE-2008-1678) Note: The CVE-2008-1678 issue did not affect Red Hat Enterprise Linux 5 prior to 5.3. The problem was introduced via the RHBA-2009:0181 errata in Red Hat Enterprise Linux 5.3, which upgraded OpenSSL to the newer 0.9.8e version. A flaw was found in the handling of the "Options" and "AllowOverride" directives. In configurations using the "AllowOverride" directive with certain "Options=" arguments, local users were not restricted from executing commands from a Server-Side-Include script as intended. (CVE-2009-1195) All httpd users should upgrade to these updated packages, which contain backported patches to resolve these issues. Users must restart httpd for this update to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2008-1678 CVE-2009-1195 CVE-2008-1678 httpd: mod_ssl per-connection memory leak for connections with zlib compression CVE-2009-1195 AllowOverride Options=IncludesNoExec allows Options Includes memory leak in httpd cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The Common UNIX® Printing System (CUPS) provides a portable printing layer for UNIX operating systems. The Internet Printing Protocol (IPP) allows users to print and manage printing-related tasks over a network. A NULL pointer dereference flaw was found in the CUPS IPP routine, used for processing incoming IPP requests for the CUPS scheduler. An attacker could use this flaw to send specially-crafted IPP requests that would crash the cupsd daemon. (CVE-2009-0949) Red Hat would like to thank Anibal Sacco from Core Security Technologies for reporting this issue. Users of cups are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing this update, the cupsd daemon will be restarted automatically. Important Copyright 2009 Red Hat, Inc. CVE-2009-0949 CVE-2009-0949 cups: IPP_TAG_UNSUPPORTED handling NULL pointer dereference DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The Common UNIX® Printing System (CUPS) provides a portable printing layer for UNIX operating systems. The Internet Printing Protocol (IPP) allows users to print and manage printing-related tasks over a network. The CUPS "pdftops" filter converts Portable Document Format (PDF) files to PostScript. "pdftops" is based on Xpdf and the CUPS imaging library. A NULL pointer dereference flaw was found in the CUPS IPP routine, used for processing incoming IPP requests for the CUPS scheduler. An attacker could use this flaw to send specially-crafted IPP requests that would crash the cupsd daemon. (CVE-2009-0949) A use-after-free flaw was found in the CUPS scheduler directory services routine, used to process data about available printers and printer classes. An attacker could use this flaw to cause a denial of service (cupsd daemon stop or crash). (CVE-2009-1196) Multiple integer overflows flaws, leading to heap-based buffer overflows, were found in the CUPS "pdftops" filter. An attacker could create a malicious PDF file that would cause "pdftops" to crash or, potentially, execute arbitrary code as the "lp" user if the file was printed. (CVE-2009-0791) Red Hat would like to thank Anibal Sacco from Core Security Technologies for reporting the CVE-2009-0949 flaw, and Swen van Brussel for reporting the CVE-2009-1196 flaw. Users of cups are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the cupsd daemon will be restarted automatically. Important Copyright 2009 Red Hat, Inc. CVE-2009-0791 CVE-2009-0949 CVE-2009-1196 CVE-2009-0791 xpdf: multiple integer overflows CVE-2009-1196 cups: DoS (stop, crash) by renewing CUPS browse packets CVE-2009-0949 cups: IPP_TAG_UNSUPPORTED handling NULL pointer dereference DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 Mozilla Firefox is an open source Web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code as the user running Firefox. (CVE-2009-1392, CVE-2009-1832, CVE-2009-1833, CVE-2009-1837, CVE-2009-1838, CVE-2009-1841) Multiple flaws were found in the processing of malformed, local file content. If a user loaded malicious, local content via the file:// URL, it was possible for that content to access other local data. (CVE-2009-1835, CVE-2009-1839) A script, privilege elevation flaw was found in the way Firefox loaded XML User Interface Language (XUL) scripts. Firefox and certain add-ons could load malicious content when certain policy checks did not happen. (CVE-2009-1840) A flaw was found in the way Firefox displayed certain Unicode characters in International Domain Names (IDN). If an IDN contained invalid characters, they may have been displayed as spaces, making it appear to the user that they were visiting a trusted site. (CVE-2009-1834) A flaw was found in the way Firefox handled error responses returned from proxy servers. If an attacker is able to conduct a man-in-the-middle attack against a Firefox instance that is using a proxy server, they may be able to steal sensitive information from the site the user is visiting. (CVE-2009-1836) For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 3.0.11. You can find a link to the Mozilla advisories in the References section of this errata. All Firefox users should upgrade to these updated packages, which contain Firefox version 3.0.11, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect. Critical Copyright 2009 Red Hat, Inc. CVE-2009-1392 CVE-2009-1832 CVE-2009-1833 CVE-2009-1834 CVE-2009-1835 CVE-2009-1836 CVE-2009-1837 CVE-2009-1838 CVE-2009-1839 CVE-2009-1840 CVE-2009-1841 frequent firefox crashes against clearspace CVE-2009-1392 Firefox browser engine crashes CVE-2009-1832 Firefox double frame construction flaw CVE-2009-1833 Firefox JavaScript engine crashes CVE-2009-1834 Firefox URL spoofing with invalid unicode characters CVE-2009-1835 Firefox Arbitrary domain cookie access by local file: resources CVE-2009-1836 Firefox SSL tampering via non-200 responses to proxy CONNECT requests CVE-2009-1837 Firefox Race condition while accessing the private data of a NPObject JS wrapper class object CVE-2009-1838 Firefox arbitrary code execution flaw CVE-2009-1839 Firefox information disclosure flaw CVE-2009-1840 Firefox XUL scripts skip some security checks CVE-2009-1841 Firefox JavaScript arbitrary code execution cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 SeaMonkey is an open source Web browser, email and newsgroup client, IRC chat client, and HTML editor. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause SeaMonkey to crash or, potentially, execute arbitrary code as the user running SeaMonkey. (CVE-2009-1392, CVE-2009-1833, CVE-2009-1838, CVE-2009-1841) A flaw was found in the processing of malformed, local file content. If a user loaded malicious, local content via the file:// URL, it was possible for that content to access other local data. (CVE-2009-1835) All SeaMonkey users should upgrade to these updated packages, which correct these issues. After installing the update, SeaMonkey must be restarted for the changes to take effect. Critical Copyright 2009 Red Hat, Inc. CVE-2009-1392 CVE-2009-1833 CVE-2009-1835 CVE-2009-1838 CVE-2009-1841 CVE-2009-1392 Firefox browser engine crashes CVE-2009-1833 Firefox JavaScript engine crashes CVE-2009-1835 Firefox Arbitrary domain cookie access by local file: resources CVE-2009-1838 Firefox arbitrary code execution flaw CVE-2009-1841 Firefox JavaScript arbitrary code execution cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 Wireshark is a program for monitoring network traffic. Wireshark was previously known as Ethereal. A format string flaw was found in Wireshark. If Wireshark read a malformed packet off a network or opened a malicious dump file, it could crash or, possibly, execute arbitrary code as the user running Wireshark. (CVE-2009-1210) Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file. (CVE-2009-1268, CVE-2009-1269, CVE-2009-1829) Users of wireshark should upgrade to these updated packages, which contain Wireshark version 1.0.8, and resolve these issues. All running instances of Wireshark must be restarted for the update to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-1210 CVE-2009-1268 CVE-2009-1269 CVE-2009-1829 CVE-2009-1210 wireshark: format string in PROFINET dissector CVE-2009-1268 Wireshark CHAP dissector crash CVE-2009-1269 Wireshark Tektronix .rf5 file crash CVE-2009-1829 wireshark: PCNFSD dissector crash cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 cscope is a mature, ncurses-based, C source-code tree browsing tool. Multiple buffer overflow flaws were found in cscope. An attacker could create a specially crafted source code file that could cause cscope to crash or, possibly, execute arbitrary code when browsed with cscope. (CVE-2004-2541, CVE-2006-4262, CVE-2009-0148, CVE-2009-1577) All users of cscope are advised to upgrade to this updated package, which contains backported patches to fix these issues. All running instances of cscope must be restarted for this update to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2004-2541 CVE-2006-4262 CVE-2009-0148 CVE-2009-1577 CVE-2006-4262 cscope: multiple buffer overflows CVE-2004-2541, CVE-2009-0148 cscope: multiple buffer overflows CVE-2009-1577 cscope: putstring buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 cscope is a mature, ncurses-based, C source-code tree browsing tool. Multiple buffer overflow flaws were found in cscope. An attacker could create a specially crafted source code file that could cause cscope to crash or, possibly, execute arbitrary code when browsed with cscope. (CVE-2004-2541, CVE-2009-0148) All users of cscope are advised to upgrade to this updated package, which contains backported patches to fix these issues. All running instances of cscope must be restarted for this update to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2004-2541 CVE-2009-0148 CVE-2004-2541, CVE-2009-0148 cscope: multiple buffer overflows cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security fixes: * several flaws were found in the way the Linux kernel CIFS implementation handles Unicode strings. CIFS clients convert Unicode strings sent by a server to their local character sets, and then write those strings into memory. If a malicious server sent a long enough string, it could write past the end of the target memory region and corrupt other memory areas, possibly leading to a denial of service or privilege escalation on the client mounting the CIFS share. (CVE-2009-1439, CVE-2009-1633, Important) * the Linux kernel Network File System daemon (nfsd) implementation did not drop the CAP_MKNOD capability when handling requests from local, unprivileged users. This flaw could possibly lead to an information leak or privilege escalation. (CVE-2009-1072, Moderate) * Frank Filz reported the NFSv4 client was missing a file permission check for the execute bit in some situations. This could allow local, unprivileged users to run non-executable files on NFSv4 mounted file systems. (CVE-2009-1630, Moderate) * a missing check was found in the hypervisor_callback() function in the Linux kernel provided by the kernel-xen package. This could cause a denial of service of a 32-bit guest if an application running in that guest accesses a certain memory location in the kernel. (CVE-2009-1758, Moderate) * a flaw was found in the AGPGART driver. The agp_generic_alloc_page() and agp_generic_alloc_pages() functions did not zero out the memory pages they allocate, which may later be available to user-space processes. This flaw could possibly lead to an information leak. (CVE-2009-1192, Low) Bug fixes: * a race in the NFS client between destroying cached access rights and unmounting an NFS file system could have caused a system crash. "Busy inodes" messages may have been logged. (BZ#498653) * nanosleep() could sleep several milliseconds less than the specified time on Intel Itanium®-based systems. (BZ#500349) * LEDs for disk drives in AHCI mode may have displayed a fault state when there were no faults. (BZ#500120) * ptrace_do_wait() reported tasks were stopped each time the process doing the trace called wait(), instead of reporting it once. (BZ#486945) * epoll_wait() may have caused a system lockup and problems for applications. (BZ#497322) * missing capabilities could possibly allow users with an fsuid other than 0 to perform actions on some file system types that would otherwise be prevented. (BZ#497271) * on NFS mounted file systems, heavy write loads may have blocked nfs_getattr() for long periods, causing commands that use stat(2), such as ls, to hang. (BZ#486926) * in rare circumstances, if an application performed multiple O_DIRECT reads per virtual memory page and also performed fork(2), the buffer storing the result of the I/O may have ended up with invalid data. (BZ#486921) * when using GFS2, gfs2_quotad may have entered an uninterpretable sleep state. (BZ#501742) * with this update, get_random_int() is more random and no longer uses a common seed value, reducing the possibility of predicting the values returned. (BZ#499783) * the "-fwrapv" flag was added to the gcc build options to prevent gcc from optimizing away wrapping. (BZ#501751) * a kernel panic when enabling and disabling iSCSI paths. (BZ#502916) * using the Broadcom NetXtreme BCM5704 network device with the tg3 driver caused high system load and very bad performance. (BZ#502837) * "/proc/[pid]/maps" and "/proc/[pid]/smaps" can only be read by processes able to use the ptrace() call on a given process; however, certain information from "/proc/[pid]/stat" and "/proc/[pid]/wchan" could be used to reconstruct memory maps. (BZ#499546) Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect. Important Copyright 2009 Red Hat, Inc. CVE-2009-1072 CVE-2009-1192 CVE-2009-1439 CVE-2009-1630 CVE-2009-1633 CVE-2009-1758 CVE-2009-3238 Corruption on ext3/xfs with O_DIRECT and unaligned user buffers [RHEL5.2] nfs_getattr() hangs during heavy write workloads waitpid() reports stopped process more than once CVE-2009-1072 kernel: nfsd should drop CAP_MKNOD for non-root CVE-2009-1439 kernel: cifs: memory overwrite when saving nativeFileSystem field during mount CVE-2009-1633 kernel: cifs: fix potential buffer overruns when converting unicode strings sent by server CVE-2009-1192 kernel: agp: zero pages before sending to userspace crm #1896100 port epoll_wait fix from RHSA-2008-0665 to RHEL 5 fault in iget() - suspected race between nfs_access_cache_shrinker() and umount - Ref.: Bug #433249 kernel: proc: avoid information leaks to non-privileged processes [rhel-5.3.z] Problem with drive status leds after update to 2.6.18-128.el5 CVE-2009-1630 kernel: nfs: fix NFS v4 client handling of MAY_EXEC in nfs_permission RHEL5.3.z LTP nanosleep02 Test Case Failure on Fujitsu Machine CVE-2009-1758 kernel: xen: local denial of service GFS2: gfs2_quotad in uninterruptible sleep while idle kernel should be built with -fwrapv [rhel-5.3.z] BCM5704 NIC results in CPU 100%SI , sluggish system performance kernel BUG at drivers/scsi/libiscsi.c:301! cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 apr-util is a utility library used with the Apache Portable Runtime (APR). It aims to provide a free library of C data structures and routines. This library contains additional utility interfaces for APR; including support for XML, LDAP, database interfaces, URI parsing, and more. An off-by-one overflow flaw was found in the way apr-util processed a variable list of arguments. An attacker could provide a specially-crafted string as input for the formatted output conversion routine, which could, on big-endian platforms, potentially lead to the disclosure of sensitive information or a denial of service (application crash). (CVE-2009-1956) Note: The CVE-2009-1956 flaw only affects big-endian platforms, such as the IBM S/390 and PowerPC. It does not affect users using the apr-util package on little-endian platforms, due to their different organization of byte ordering used to represent particular data. A denial of service flaw was found in the apr-util Extensible Markup Language (XML) parser. A remote attacker could create a specially-crafted XML document that would cause excessive memory consumption when processed by the XML decoding engine. (CVE-2009-1955) A heap-based underwrite flaw was found in the way apr-util created compiled forms of particular search patterns. An attacker could formulate a specially-crafted search keyword, that would overwrite arbitrary heap memory locations when processed by the pattern preparation engine. (CVE-2009-0023) All apr-util users should upgrade to these updated packages, which contain backported patches to correct these issues. Applications using the Apache Portable Runtime library, such as httpd, must be restarted for this update to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-0023 CVE-2009-1955 CVE-2009-1956 CVE-2009-0023 apr-util heap buffer underwrite CVE-2009-1956 apr-util single NULL byte buffer overflow CVE-2009-1955 apr-util billion laughs attack cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Apache HTTP Server is a popular Web server. The httpd package shipped with Red Hat Enterprise Linux 3 contains an embedded copy of the Apache Portable Runtime (APR) utility library, a free library of C data structures and routines, which includes interfaces to support XML parsing, LDAP connections, database interfaces, URI parsing, and more. An off-by-one overflow flaw was found in the way apr-util processed a variable list of arguments. An attacker could provide a specially-crafted string as input for the formatted output conversion routine, which could, on big-endian platforms, potentially lead to the disclosure of sensitive information or a denial of service (application crash). (CVE-2009-1956) Note: The CVE-2009-1956 flaw only affects big-endian platforms, such as the IBM S/390 and PowerPC. It does not affect users using the httpd package on little-endian platforms, due to their different organization of byte ordering used to represent particular data. A denial of service flaw was found in the apr-util Extensible Markup Language (XML) parser. A remote attacker could create a specially-crafted XML document that would cause excessive memory consumption when processed by the XML decoding engine. (CVE-2009-1955) A heap-based underwrite flaw was found in the way apr-util created compiled forms of particular search patterns. An attacker could formulate a specially-crafted search keyword, that would overwrite arbitrary heap memory locations when processed by the pattern preparation engine. (CVE-2009-0023) All httpd users should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd daemon must be restarted for the update to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-0023 CVE-2009-1955 CVE-2009-1956 CVE-2009-0023 apr-util heap buffer underwrite CVE-2009-1956 apr-util single NULL byte buffer overflow CVE-2009-1955 apr-util billion laughs attack cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 Adobe Reader allows users to view and print documents in Portable Document Format (PDF). Multiple security flaws were discovered in Adobe Reader. A specially crafted PDF file could cause Adobe Reader to crash or, potentially, execute arbitrary code as the user running Adobe Reader when opened. (CVE-2009-0198, CVE-2009-0509, CVE-2009-0510, CVE-2009-0511, CVE-2009-0512, CVE-2009-0888, CVE-2009-0889, CVE-2009-1855, CVE-2009-1856, CVE-2009-1857, CVE-2009-1858, CVE-2009-1859, CVE-2009-1861, CVE-2009-2028) All Adobe Reader users should install these updated packages. They contain Adobe Reader version 8.1.6, which is not vulnerable to these issues. All running instances of Adobe Reader must be restarted for the update to take effect. Critical Copyright 2009 Red Hat, Inc. CVE-2009-0198 CVE-2009-0509 CVE-2009-0510 CVE-2009-0511 CVE-2009-0512 CVE-2009-0888 CVE-2009-0889 CVE-2009-1855 CVE-2009-1856 CVE-2009-1857 CVE-2009-1858 CVE-2009-1859 CVE-2009-1861 CVE-2009-2028 acroread: multiple security fixes in version 8.1.6 (APSB09-07) cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The cyrus-imapd packages contain a high-performance mail server with IMAP, POP3, NNTP, and SIEVE support. It was discovered that the Cyrus SASL library (cyrus-sasl) does not always reliably terminate output from the sasl_encode64() function used by programs using this library. The Cyrus IMAP server (cyrus-imapd) relied on this function's output being properly terminated. Under certain conditions, improperly terminated output from sasl_encode64() could, potentially, cause cyrus-imapd to crash, disclose portions of its memory, or lead to SASL authentication failures. (CVE-2009-0688) Users of cyrus-imapd are advised to upgrade to these updated packages, which resolve this issue. After installing the update, cyrus-imapd will be restarted automatically. Important Copyright 2009 Red Hat, Inc. CVE-2009-0688 CVE-2009-0688 cyrus-imapd uses sasl_encode64() improperly cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The International Components for Unicode (ICU) library provides robust and full-featured Unicode services. A flaw was found in the way ICU processed certain, invalid byte sequences during Unicode conversion. If an application used ICU to decode malformed, multibyte character data, it may have been possible to bypass certain content protection mechanisms, or display information in a manner misleading to the user. (CVE-2009-0153) All users of icu should upgrade to these updated packages, which contain backported patches to resolve this issue. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-0153 CVE-2009-0153 icu: XSS vulnerability due to improper invalid byte sequence handling cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 GStreamer is a streaming media framework, based on graphs of filters which operate on media data. GStreamer Good Plug-ins is a collection of well-supported, good quality GStreamer plug-ins. Multiple integer overflow flaws, that could lead to a buffer overflow, were found in the GStreamer Good Plug-ins PNG decoding handler. An attacker could create a specially-crafted PNG file that would cause an application using the GStreamer Good Plug-ins library to crash or, potentially, execute arbitrary code as the user running the application when parsed. (CVE-2009-1932) All users of gstreamer-plugins-good are advised to upgrade to these updated packages, which contain a backported patch to correct these issues. After installing the update, all applications using GStreamer Good Plug-ins (such as some media playing applications) must be restarted for the changes to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-1932 CVE-2009-1932 gstreamer-plugins-good: PNG decoder integer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Simple Network Management Protocol (SNMP) is a protocol used for network management. A divide-by-zero flaw was discovered in the snmpd daemon. A remote attacker could issue a specially-crafted GETBULK request that could crash the snmpd daemon. (CVE-2009-1887) Note: An attacker must have read access to the SNMP server in order to exploit this flaw. In the default configuration, the community name "public" grants read-only access. In production deployments, it is recommended to change this default community name. All net-snmp users should upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the update, the snmpd and snmptrapd daemons will be restarted automatically. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-1887 CVE-2009-1887 net-snmp: DoS (division by zero) via SNMP GetBulk requests cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Mozilla Thunderbird is a standalone mail and newsgroup client. Several flaws were found in the processing of malformed HTML mail content. An HTML mail message containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code as the user running Thunderbird. (CVE-2009-1392, CVE-2009-1303, CVE-2009-1305, CVE-2009-1833, CVE-2009-1838) Several flaws were found in the way malformed HTML mail content was processed. An HTML mail message containing malicious content could execute arbitrary JavaScript in the context of the mail message, possibly presenting misleading data to the user, or stealing sensitive information such as login credentials. (CVE-2009-1306, CVE-2009-1307, CVE-2009-1309) Note: JavaScript support is disabled by default in Thunderbird. None of the above issues are exploitable unless JavaScript is enabled. All Thunderbird users should upgrade to this updated package, which resolves these issues. All running instances of Thunderbird must be restarted for the update to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-1303 CVE-2009-1305 CVE-2009-1306 CVE-2009-1307 CVE-2009-1309 CVE-2009-1392 CVE-2009-1833 CVE-2009-1838 CVE-2009-2210 CVE-2009-1303 Firefox 2 and 3 Layout engine crash CVE-2009-1305 Firefox 2 and 3 JavaScript engine crash CVE-2009-1306 Firefox jar: scheme ignores the content-disposition: header on the inner URI CVE-2009-1307 Firefox Same-origin violations when Adobe Flash loaded via view-source: protocol CVE-2009-1309 Firefox Same-origin violations in XMLHttpRequest and XPCNativeWrapper.toString CVE-2009-1392 Firefox browser engine crashes CVE-2009-1833 Firefox JavaScript engine crashes CVE-2009-1838 Firefox arbitrary code execution flaw cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Mozilla Thunderbird is a standalone mail and newsgroup client. Several flaws were found in the processing of malformed HTML mail content. An HTML mail message containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code as the user running Thunderbird. (CVE-2009-1392, CVE-2009-1303, CVE-2009-1305, CVE-2009-1833, CVE-2009-1838) Several flaws were found in the way malformed HTML mail content was processed. An HTML mail message containing malicious content could execute arbitrary JavaScript in the context of the mail message, possibly presenting misleading data to the user, or stealing sensitive information such as login credentials. (CVE-2009-1306, CVE-2009-1307, CVE-2009-1308, CVE-2009-1309) A flaw was found in the way Thunderbird handled error responses returned from proxy servers. If an attacker is able to conduct a man-in-the-middle attack against a Thunderbird instance that is using a proxy server, they may be able to steal sensitive information from the site Thunderbird is displaying. (CVE-2009-1836) Note: JavaScript support is disabled by default in Thunderbird. None of the above issues are exploitable unless JavaScript is enabled. All Thunderbird users should upgrade to this updated package, which resolves these issues. All running instances of Thunderbird must be restarted for the update to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-1303 CVE-2009-1305 CVE-2009-1306 CVE-2009-1307 CVE-2009-1308 CVE-2009-1309 CVE-2009-1392 CVE-2009-1833 CVE-2009-1836 CVE-2009-1838 CVE-2009-2210 Launch thunderbird with option "-contentLocale" <locale> will get warning message CVE-2009-1303 Firefox 2 and 3 Layout engine crash CVE-2009-1305 Firefox 2 and 3 JavaScript engine crash CVE-2009-1306 Firefox jar: scheme ignores the content-disposition: header on the inner URI CVE-2009-1307 Firefox Same-origin violations when Adobe Flash loaded via view-source: protocol CVE-2009-1308 Firefox XSS hazard using third-party stylesheets and XBL bindings CVE-2009-1309 Firefox Same-origin violations in XMLHttpRequest and XPCNativeWrapper.toString CVE-2009-1392 Firefox browser engine crashes CVE-2009-1833 Firefox JavaScript engine crashes CVE-2009-1836 Firefox SSL tampering via non-200 responses to proxy CONNECT requests CVE-2009-1838 Firefox arbitrary code execution flaw cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The kdelibs packages provide libraries for the K Desktop Environment (KDE). A flaw was found in the way the KDE CSS parser handled content for the CSS "style" attribute. A remote attacker could create a specially-crafted CSS equipped HTML page, which once visited by an unsuspecting user, could cause a denial of service (Konqueror crash) or, potentially, execute arbitrary code with the privileges of the user running Konqueror. (CVE-2009-1698) A flaw was found in the way the KDE HTML parser handled content for the HTML "head" element. A remote attacker could create a specially-crafted HTML page, which once visited by an unsuspecting user, could cause a denial of service (Konqueror crash) or, potentially, execute arbitrary code with the privileges of the user running Konqueror. (CVE-2009-1690) An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way the KDE JavaScript garbage collector handled memory allocation requests. A remote attacker could create a specially-crafted HTML page, which once visited by an unsuspecting user, could cause a denial of service (Konqueror crash) or, potentially, execute arbitrary code with the privileges of the user running Konqueror. (CVE-2009-1687) Users should upgrade to these updated packages, which contain backported patches to correct these issues. The desktop must be restarted (log out, then log back in) for this update to take effect. Critical Copyright 2009 Red Hat, Inc. CVE-2009-1687 CVE-2009-1690 CVE-2009-1698 CVE-2009-1690 kdelibs: KHTML Incorrect handling <head> element content once the <head> element was removed (DoS, ACE) CVE-2009-1687 kdelibs: Integer overflow in KJS JavaScript garbage collector CVE-2009-1698 kdelibs: KHTML CSS parser - incorrect handling CSS "style" attribute content (DoS, ACE) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The kdelibs packages provide libraries for the K Desktop Environment (KDE). A flaw was found in the way the KDE CSS parser handled content for the CSS "style" attribute. A remote attacker could create a specially-crafted CSS equipped HTML page, which once visited by an unsuspecting user, could cause a denial of service (Konqueror crash) or, potentially, execute arbitrary code with the privileges of the user running Konqueror. (CVE-2009-1698) Users should upgrade to these updated packages, which contain a backported patch to correct this issue. The desktop must be restarted (log out, then log back in) for this update to take effect. Important Copyright 2009 Red Hat, Inc. CVE-2009-1698 CVE-2009-1698 kdelibs: KHTML CSS parser - incorrect handling CSS "style" attribute content (DoS, ACE) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The kdegraphics packages contain applications for the K Desktop Environment (KDE). Scalable Vector Graphics (SVG) is an XML-based language to describe vector images. KSVG is a framework aimed at implementing the latest W3C SVG specifications. A use-after-free flaw was found in the KDE KSVG animation element implementation. A remote attacker could create a specially-crafted SVG image, which once opened by an unsuspecting user, could cause a denial of service (Konqueror crash) or, potentially, execute arbitrary code with the privileges of the user running Konqueror. (CVE-2009-1709) A NULL pointer dereference flaw was found in the KDE, KSVG SVGList interface implementation. A remote attacker could create a specially-crafted SVG image, which once opened by an unsuspecting user, would cause memory corruption, leading to a denial of service (Konqueror crash). (CVE-2009-0945) All users of kdegraphics should upgrade to these updated packages, which contain backported patches to correct these issues. The desktop must be restarted (log out, then log back in) for this update to take effect. Critical Copyright 2009 Red Hat, Inc. CVE-2009-0945 CVE-2009-1709 CVE-2009-1709 kdegraphics: KSVG Pointer use-after-free error in the SVG animation element (DoS, ACE) CVE-2009-0945 kdegraphics: KSVG NULL-pointer dereference in the SVGList interface implementation (ACE) cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated packages fix the following security issues: * a flaw was found in the Intel PRO/1000 network driver in the Linux kernel. Frames with sizes near the MTU of an interface may be split across multiple hardware receive descriptors. Receipt of such a frame could leak through a validation check, leading to a corruption of the length check. A remote attacker could use this flaw to send a specially-crafted packet that would cause a denial of service. (CVE-2009-1385, Important) * the Linux kernel Network File System daemon (nfsd) implementation did not drop the CAP_MKNOD capability when handling requests from local, unprivileged users. This flaw could possibly lead to an information leak or privilege escalation. (CVE-2009-1072, Moderate) * Frank Filz reported the NFSv4 client was missing a file permission check for the execute bit in some situations. This could allow local, unprivileged users to run non-executable files on NFSv4 mounted file systems. (CVE-2009-1630, Moderate) * a missing check was found in the hypervisor_callback() function in the Linux kernel provided by the kernel-xen package. This could cause a denial of service of a 32-bit guest if an application running in that guest accesses a certain memory location in the kernel. (CVE-2009-1758, Moderate) * a flaw was found in the AGPGART driver. The agp_generic_alloc_page() and agp_generic_alloc_pages() functions did not zero out the memory pages they allocate, which may later be available to user-space processes. This flaw could possibly lead to an information leak. (CVE-2009-1192, Low) These updated packages also fix the following bugs: * "/proc/[pid]/maps" and "/proc/[pid]/smaps" can only be read by processes able to use the ptrace() call on a given process; however, certain information from "/proc/[pid]/stat" and "/proc/[pid]/wchan" could be used to reconstruct memory maps, making it possible to bypass the Address Space Layout Randomization (ASLR) security feature. This update addresses this issue. (BZ#499549) * in some situations, the link count was not decreased when renaming unused files on NFS mounted file systems. This may have resulted in poor performance. With this update, the link count is decreased in these situations, the same as is done for other file operations, such as unlink and rmdir. (BZ#501802) * tcp_ack() cleared the probes_out variable even if there were outstanding packets. When low TCP keepalive intervals were used, this bug may have caused problems, such as connections terminating, when using remote tools such as rsh and rlogin. (BZ#501754) * off-by-one errors in the time normalization code could have caused clock_gettime() to return one billion nanoseconds, rather than adding an extra second. This bug could have caused the name service cache daemon (nscd) to consume excessive CPU resources. (BZ#501800) * a system panic could occur when one thread read "/proc/bus/input/devices" while another was removing a device. With this update, a mutex has been added to protect the input_dev_list and input_handler_list variables, which resolves this issue. (BZ#501804) * using netdump may have caused a kernel deadlock on some systems. (BZ#504565) * the file system mask, which lists capabilities for users with a file system user ID (fsuid) of 0, was missing the CAP_MKNOD and CAP_LINUX_IMMUTABLE capabilities. This could, potentially, allow users with an fsuid other than 0 to perform actions on some file system types that would otherwise be prevented. This update adds these capabilities. (BZ#497269) All Red Hat Enterprise Linux 4 users should upgrade to these updated packages, which contain backported patches to resolve these issues. Note: The system must be rebooted for this update to take effect. Important Copyright 2009 Red Hat, Inc. CVE-2009-1072 CVE-2009-1192 CVE-2009-1385 CVE-2009-1630 CVE-2009-1758 CVE-2009-1072 kernel: nfsd should drop CAP_MKNOD for non-root CVE-2009-1192 kernel: agp: zero pages before sending to userspace kernel: proc: avoid information leaks to non-privileged processes [rhel-4.8.z] CVE-2009-1630 kernel: nfs: fix NFS v4 client handling of MAY_EXEC in nfs_permission CVE-2009-1758 kernel: xen: local denial of service Bug with TCP tcp_ack() [RHEL 4] [RHEL4] Nscd consumes many cpu resources ( nearly 100% ) continuously. [RHEL 4] inode of the overwritten file will remain in the icache causing performance issues. [Stratus 4.9 bug] panic reading /proc/bus/input/devices during input device removal CVE-2009-1385 kernel: e1000_clean_rx_irq() denial of service e1000e: sporadic hang in netdump cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 SeaMonkey is an open source Web browser, email and newsgroup client, IRC chat client, and HTML editor. A flaw was found in the way that SeaMonkey parsed malformed HTML mail messages. If a user opened a specially-crafted HTML mail message, it could cause SeaMonkey to crash or, possibly, to execute arbitrary code as the user running SeaMonkey. (CVE-2009-2210) All SeaMonkey users should upgrade to these updated packages, which correct this issue. After installing the update, SeaMonkey must be restarted for the changes to take effect. Important Copyright 2009 Red Hat, Inc. CVE-2009-2210 CVE-2009-2210 Thunderbird mail crash cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The Dynamic Host Configuration Protocol (DHCP) is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. The Mandriva Linux Engineering Team discovered a stack-based buffer overflow flaw in the ISC DHCP client. If the DHCP client were to receive a malicious DHCP response, it could crash or execute arbitrary code with the permissions of the client (root). (CVE-2009-0692) Users of DHCP should upgrade to these updated packages, which contain a backported patch to correct this issue. Critical Copyright 2009 Red Hat, Inc. CVE-2009-0692 CVE-2009-0692 dhclient: stack overflow leads to arbitrary code execution as root cpe:/o:redhat:rhel_eus cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Openswan is a free implementation of Internet Protocol Security (IPsec) and Internet Key Exchange (IKE). IPsec uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks. Everything passing through the untrusted network is encrypted by the IPsec gateway machine, and decrypted by the gateway at the other end of the tunnel. The resulting tunnel is a virtual private network (VPN). Multiple insufficient input validation flaws were found in the way Openswan's pluto IKE daemon processed some fields of X.509 certificates. A remote attacker could provide a specially-crafted X.509 certificate that would crash the pluto daemon. (CVE-2009-2185) All users of openswan are advised to upgrade to these updated packages, which contain a backported patch to correct these issues. After installing this update, the ipsec service will be restarted automatically. Important Copyright 2009 Red Hat, Inc. CVE-2009-2185 CVE-2009-2185 Openswan ASN.1 parser vulnerability cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Pidgin is an instant messaging program which can log in to multiple accounts on multiple instant messaging networks simultaneously. The AOL Open System for CommunicAtion in Realtime (OSCAR) protocol is used by the AOL ICQ and AIM instant messaging systems. A denial of service flaw was found in the Pidgin OSCAR protocol implementation. If a remote ICQ user sent a web message to a local Pidgin user using this protocol, it would cause excessive memory usage, leading to a denial of service (Pidgin crash). (CVE-2009-1889) These updated packages also fix the following bug: * the Yahoo! Messenger Protocol changed, making it incompatible (and unusable) with Pidgin versions prior to 2.5.7. This update provides Pidgin 2.5.8, which implements version 16 of the Yahoo! Messenger Protocol, which resolves this issue. Note: These packages upgrade Pidgin to version 2.5.8. Refer to the Pidgin release notes for a full list of changes: http://developer.pidgin.im/wiki/ChangeLog All Pidgin users should upgrade to these updated packages, which correct these issues. Pidgin must be restarted for this update to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-1889 pidgin Yahoo protocol 16 [rhel-4.8.z] pidgin Yahoo protocol 16 [rhel-5.3.z] CVE-2009-1889 pidgin: DoS via specially-crafted ICQWebMessage cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to do system management tasks. A flaw was found in the way the Ruby POP module processed certain APOP authentication requests. By sending certain responses when the Ruby APOP module attempted to authenticate using APOP against a POP server, a remote attacker could, potentially, acquire certain portions of a user's authentication credentials. (CVE-2007-1558) It was discovered that Ruby did not properly check the return value when verifying X.509 certificates. This could, potentially, allow a remote attacker to present an invalid X.509 certificate, and have Ruby treat it as valid. (CVE-2009-0642) A flaw was found in the way Ruby converted BigDecimal objects to Float numbers. If an attacker were able to provide certain input for the BigDecimal object converter, they could crash an application using this class. (CVE-2009-1904) All Ruby users should upgrade to these updated packages, which contain backported patches to resolve these issues. Moderate Copyright 2009 Red Hat, Inc. CVE-2007-1558 CVE-2009-0642 CVE-2009-1904 CVE-2007-1558 fetchmail/mutt/evolution/...: APOP password disclosure vulnerability CVE-2009-0642 ruby: Incorrect checks for validity of X.509 certificates CVE-2009-1904 ruby: DoS vulnerability in BigDecimal cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The Apache HTTP Server is a popular Web server. A denial of service flaw was found in the Apache mod_proxy module when it was used as a reverse proxy. A remote attacker could use this flaw to force a proxy process to consume large amounts of CPU time. (CVE-2009-1890) A denial of service flaw was found in the Apache mod_deflate module. This module continued to compress large files until compression was complete, even if the network connection that requested the content was closed before compression completed. This would cause mod_deflate to consume large amounts of CPU if mod_deflate was enabled for a large file. (CVE-2009-1891) All httpd users should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd daemon must be restarted for the update to take effect. Important Copyright 2009 Red Hat, Inc. CVE-2009-1890 CVE-2009-1891 CVE-2009-1891 httpd: possible temporary DoS (CPU consumption) in mod_deflate CVE-2009-1890 httpd: mod_proxy reverse proxy DoS (infinite loop) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Dynamic Host Configuration Protocol (DHCP) is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. The Mandriva Linux Engineering Team discovered a stack-based buffer overflow flaw in the ISC DHCP client. If the DHCP client were to receive a malicious DHCP response, it could crash or execute arbitrary code with the permissions of the client (root). (CVE-2009-0692) An insecure temporary file use flaw was discovered in the DHCP daemon's init script ("/etc/init.d/dhcpd"). A local attacker could use this flaw to overwrite an arbitrary file with the output of the "dhcpd -t" command via a symbolic link attack, if a system administrator executed the DHCP init script with the "configtest", "restart", or "reload" option. (CVE-2009-1893) Users of DHCP should upgrade to these updated packages, which contain backported patches to correct these issues. Critical Copyright 2009 Red Hat, Inc. CVE-2009-0692 CVE-2009-1893 CVE-2009-0692 dhclient: stack overflow leads to arbitrary code execution as root CVE-2009-1893 dhcp: insecure temporary file use in the dhcpd init script cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The libtiff packages contain a library of functions for manipulating Tagged Image File Format (TIFF) files. Several integer overflow flaws, leading to heap-based buffer overflows, were found in various libtiff color space conversion tools. An attacker could create a specially-crafted TIFF file, which once opened by an unsuspecting user, would cause the conversion tool to crash or, potentially, execute arbitrary code with the privileges of the user running the tool. (CVE-2009-2347) A buffer underwrite flaw was found in libtiff's Lempel-Ziv-Welch (LZW) compression algorithm decoder. An attacker could create a specially-crafted LZW-encoded TIFF file, which once opened by an unsuspecting user, would cause an application linked with libtiff to access an out-of-bounds memory location, leading to a denial of service (application crash). (CVE-2009-2285) The CVE-2009-2347 flaws were discovered by Tielei Wang from ICST-ERCIS, Peking University. All libtiff users should upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, all applications linked with the libtiff library (such as Konqueror) must be restarted for the update to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-2285 CVE-2009-2347 CVE-2009-2285 libtiff: LZWDecodeCompat underflow CVE-2009-2347 libtiff: integer overflows in various inter-color spaces conversion tools (crash, ACE) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 Mozilla Firefox is an open source Web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code as the user running Firefox. (CVE-2009-2462, CVE-2009-2463, CVE-2009-2464, CVE-2009-2465, CVE-2009-2466, CVE-2009-2467, CVE-2009-2469, CVE-2009-2471) Several flaws were found in the way Firefox handles malformed JavaScript code. A website containing malicious content could launch a cross-site scripting (XSS) attack or execute arbitrary JavaScript with the permissions of another website. (CVE-2009-2472) For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 3.0.12. You can find a link to the Mozilla advisories in the References section of this errata. All Firefox users should upgrade to these updated packages, which contain Firefox version 3.0.12, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect. Critical Copyright 2009 Red Hat, Inc. CVE-2009-2462 CVE-2009-2463 CVE-2009-2464 CVE-2009-2465 CVE-2009-2466 CVE-2009-2467 CVE-2009-2469 CVE-2009-2470 CVE-2009-2471 CVE-2009-2472 CVE-2009-2664 CVE-2009-2462 Mozilla Browser engine crashes CVE-2009-2463 Mozilla Base64 decoding crash CVE-2009-2464 Mozilla crash with multiple RDFs in XUL tree CVE-2009-2465 Mozilla double frame construction crashes CVE-2009-2466 Mozilla JavaScript engine crashes CVE-2009-2467 Mozilla remote code execution during Flash player unloading CVE-2009-2469 Mozilla remote code execution using watch and __defineSetter__ on SVG element CVE-2009-2471 Mozilla setTimeout loses XPCNativeWrappers CVE-2009-2472 Mozilla multiple cross origin wrapper bypasses cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 SeaMonkey is an open source Web browser, email and newsgroup client, IRC chat client, and HTML editor. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause SeaMonkey to crash or, potentially, execute arbitrary code as the user running SeaMonkey. (CVE-2009-2462, CVE-2009-2463, CVE-2009-2466) All SeaMonkey users should upgrade to these updated packages, which correct these issues. After installing the update, SeaMonkey must be restarted for the changes to take effect. Critical Copyright 2009 Red Hat, Inc. CVE-2009-2462 CVE-2009-2463 CVE-2009-2466 CVE-2009-2470 CVE-2009-2462 Mozilla Browser engine crashes CVE-2009-2463 Mozilla Base64 decoding crash CVE-2009-2466 Mozilla JavaScript engine crashes cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. It was discovered that the Red Hat Security Advisory RHSA-2007:0871 did not address all possible flaws in the way Tomcat handles certain characters and character sequences in cookie values. A remote attacker could use this flaw to obtain sensitive information, such as session IDs, and then use this information for session hijacking attacks. (CVE-2007-5333) Note: The fix for the CVE-2007-5333 flaw changes the default cookie processing behavior: with this update, version 0 cookies that contain values that must be quoted to be valid are automatically changed to version 1 cookies. To reactivate the previous, but insecure behavior, add the following entry to the "/etc/tomcat5/catalina.properties" file: org.apache.tomcat.util.http.ServerCookie.VERSION_SWITCH=false It was discovered that request dispatchers did not properly normalize user requests that have trailing query strings, allowing remote attackers to send specially-crafted requests that would cause an information leak. (CVE-2008-5515) A flaw was found in the way the Tomcat AJP (Apache JServ Protocol) connector processes AJP connections. An attacker could use this flaw to send specially-crafted requests that would cause a temporary denial of service. (CVE-2009-0033) It was discovered that the error checking methods of certain authentication classes did not have sufficient error checking, allowing remote attackers to enumerate (via brute force methods) usernames registered with applications running on Tomcat when FORM-based authentication was used. (CVE-2009-0580) A cross-site scripting (XSS) flaw was found in the examples calendar application. With some web browsers, remote attackers could use this flaw to inject arbitrary web script or HTML via the "time" parameter. (CVE-2009-0781) It was discovered that web applications containing their own XML parsers could replace the XML parser Tomcat uses to parse configuration files. A malicious web application running on a Tomcat instance could read or, potentially, modify the configuration and XML-based data of other web applications deployed on the same Tomcat instance. (CVE-2009-0783) Users of Tomcat should upgrade to these updated packages, which contain backported patches to resolve these issues. Tomcat must be restarted for this update to take effect. Important Copyright 2009 Red Hat, Inc. CVE-2007-5333 CVE-2008-5515 CVE-2009-0033 CVE-2009-0580 CVE-2009-0781 CVE-2009-0783 CVE-2007-5333 Improve cookie parsing for tomcat5 CVE-2009-0781 tomcat: XSS in Apache Tomcat calendar application CVE-2009-0033 tomcat6 Denial-Of-Service with AJP connection CVE-2009-0580 tomcat6 Information disclosure in authentication classes CVE-2009-0783 tomcat XML parser information disclosure CVE-2008-5515 tomcat request dispatcher information disclosure vulnerability cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Python is an interpreted, interactive, object-oriented programming language. When the assert() system call was disabled, an input sanitization flaw was revealed in the Python string object implementation that led to a buffer overflow. The missing check for negative size values meant the Python memory allocator could allocate less memory than expected. This could result in arbitrary code execution with the Python interpreter's privileges. (CVE-2008-1887) Multiple buffer and integer overflow flaws were found in the Python Unicode string processing and in the Python Unicode and string object implementations. An attacker could use these flaws to cause a denial of service (Python application crash). (CVE-2008-3142, CVE-2008-5031) Multiple integer overflow flaws were found in the Python imageop module. If a Python application used the imageop module to process untrusted images, it could cause the application to disclose sensitive information, crash or, potentially, execute arbitrary code with the Python interpreter's privileges. (CVE-2007-4965, CVE-2008-4864) Multiple integer underflow and overflow flaws were found in the Python snprintf() wrapper implementation. An attacker could use these flaws to cause a denial of service (memory corruption). (CVE-2008-3144) Multiple integer overflow flaws were found in various Python modules. An attacker could use these flaws to cause a denial of service (Python application crash). (CVE-2008-2315, CVE-2008-3143) An integer signedness error, leading to a buffer overflow, was found in the Python zlib extension module. If a Python application requested the negative byte count be flushed for a decompression stream, it could cause the application to crash or, potentially, execute arbitrary code with the Python interpreter's privileges. (CVE-2008-1721) A flaw was discovered in the strxfrm() function of the Python locale module. Strings generated by this function were not properly NULL-terminated, which could possibly cause disclosure of data stored in the memory of a Python application using this function. (CVE-2007-2052) Red Hat would like to thank David Remahl of the Apple Product Security team for responsibly reporting the CVE-2008-2315 issue. All Python users should upgrade to these updated packages, which contain backported patches to correct these issues. Moderate Copyright 2009 Red Hat, Inc. CVE-2007-2052 CVE-2007-4965 CVE-2008-1721 CVE-2008-1887 CVE-2008-2315 CVE-2008-3142 CVE-2008-3143 CVE-2008-3144 CVE-2008-4864 CVE-2008-5031 CVE-2007-2052 python off-by-one locale.strxfrm() (possible memory disclosure) CVE-2007-4965 python imageop module heap corruption CVE-2008-1721 python: integer signedness error in the zlib extension module CVE-2008-1887 python: PyString_FromStringAndSize does not check for negative size values CVE-2008-3142 python: Multiple buffer overflows in unicode processing CVE-2008-2315 python: Multiple integer overflows in python core CVE-2008-3143 python: Multiple integer overflows discovered by Google CVE-2008-3144 python: Potential integer underflow and overflow in the PyOS_vsnprintf C API function CVE-2008-4864 python: imageop module multiple integer overflows CVE-2008-5031 python: stringobject, unicodeobject integer overflows cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Python is an interpreted, interactive, object-oriented programming language. When the assert() system call was disabled, an input sanitization flaw was revealed in the Python string object implementation that led to a buffer overflow. The missing check for negative size values meant the Python memory allocator could allocate less memory than expected. This could result in arbitrary code execution with the Python interpreter's privileges. (CVE-2008-1887) Multiple buffer and integer overflow flaws were found in the Python Unicode string processing and in the Python Unicode and string object implementations. An attacker could use these flaws to cause a denial of service (Python application crash). (CVE-2008-3142, CVE-2008-5031) Multiple integer overflow flaws were found in the Python imageop module. If a Python application used the imageop module to process untrusted images, it could cause the application to crash or, potentially, execute arbitrary code with the Python interpreter's privileges. (CVE-2008-1679, CVE-2008-4864) Multiple integer underflow and overflow flaws were found in the Python snprintf() wrapper implementation. An attacker could use these flaws to cause a denial of service (memory corruption). (CVE-2008-3144) Multiple integer overflow flaws were found in various Python modules. An attacker could use these flaws to cause a denial of service (Python application crash). (CVE-2008-2315, CVE-2008-3143) An integer signedness error, leading to a buffer overflow, was found in the Python zlib extension module. If a Python application requested the negative byte count be flushed for a decompression stream, it could cause the application to crash or, potentially, execute arbitrary code with the Python interpreter's privileges. (CVE-2008-1721) Red Hat would like to thank David Remahl of the Apple Product Security team for responsibly reporting the CVE-2008-1679 and CVE-2008-2315 issues. All Python users should upgrade to these updated packages, which contain backported patches to correct these issues. Moderate Copyright 2009 Red Hat, Inc. CVE-2008-1679 CVE-2008-1721 CVE-2008-1887 CVE-2008-2315 CVE-2008-3142 CVE-2008-3143 CVE-2008-3144 CVE-2008-4864 CVE-2008-5031 CVE-2008-1679 python: imageop module integer overflows CVE-2008-1721 python: integer signedness error in the zlib extension module CVE-2008-1887 python: PyString_FromStringAndSize does not check for negative size values CVE-2008-3142 python: Multiple buffer overflows in unicode processing CVE-2008-2315 python: Multiple integer overflows in python core CVE-2008-3143 python: Multiple integer overflows discovered by Google CVE-2008-3144 python: Potential integer underflow and overflow in the PyOS_vsnprintf C API function CVE-2008-4864 python: imageop module multiple integer overflows CVE-2008-5031 python: stringobject, unicodeobject integer overflows cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Python is an interpreted, interactive, object-oriented programming language. When the assert() system call was disabled, an input sanitization flaw was revealed in the Python string object implementation that led to a buffer overflow. The missing check for negative size values meant the Python memory allocator could allocate less memory than expected. This could result in arbitrary code execution with the Python interpreter's privileges. (CVE-2008-1887) Multiple buffer and integer overflow flaws were found in the Python Unicode string processing and in the Python Unicode and string object implementations. An attacker could use these flaws to cause a denial of service (Python application crash). (CVE-2008-3142, CVE-2008-5031) Multiple integer overflow flaws were found in the Python imageop module. If a Python application used the imageop module to process untrusted images, it could cause the application to crash or, potentially, execute arbitrary code with the Python interpreter's privileges. (CVE-2008-1679, CVE-2008-4864) Multiple integer underflow and overflow flaws were found in the Python snprintf() wrapper implementation. An attacker could use these flaws to cause a denial of service (memory corruption). (CVE-2008-3144) Multiple integer overflow flaws were found in various Python modules. An attacker could use these flaws to cause a denial of service (Python application crash). (CVE-2008-2315, CVE-2008-3143) Red Hat would like to thank David Remahl of the Apple Product Security team for responsibly reporting the CVE-2008-1679 and CVE-2008-2315 issues. All Python users should upgrade to these updated packages, which contain backported patches to correct these issues. Moderate Copyright 2009 Red Hat, Inc. CVE-2008-1679 CVE-2008-1887 CVE-2008-2315 CVE-2008-3142 CVE-2008-3143 CVE-2008-3144 CVE-2008-4864 CVE-2008-5031 CVE-2008-1679 python: imageop module integer overflows CVE-2008-1887 python: PyString_FromStringAndSize does not check for negative size values CVE-2008-3142 python: Multiple buffer overflows in unicode processing CVE-2008-2315 python: Multiple integer overflows in python core CVE-2008-3143 python: Multiple integer overflows discovered by Google CVE-2008-3144 python: Potential integer underflow and overflow in the PyOS_vsnprintf C API function CVE-2008-4864 python: imageop module multiple integer overflows CVE-2008-5031 python: stringobject, unicodeobject integer overflows cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. A flaw was found in the way BIND handles dynamic update message packets containing the "ANY" record type. A remote attacker could use this flaw to send a specially-crafted dynamic update packet that could cause named to exit with an assertion failure. (CVE-2009-0696) Note: even if named is not configured for dynamic updates, receiving such a specially-crafted dynamic update packet could still cause named to exit unexpectedly. All BIND users are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing the update, the BIND daemon (named) will be restarted automatically. Important Copyright 2009 Red Hat, Inc. CVE-2009-0696 CVE-2009-0696 bind: DoS (assertion failure) via nsupdate packets cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. A flaw was found in the way BIND handles dynamic update message packets containing the "ANY" record type. A remote attacker could use this flaw to send a specially-crafted dynamic update packet that could cause named to exit with an assertion failure. (CVE-2009-0696) Note: even if named is not configured for dynamic updates, receiving such a specially-crafted dynamic update packet could still cause named to exit unexpectedly. This update also fixes the following bug: * when running on a system receiving a large number of (greater than 4,000) DNS requests per second, the named DNS nameserver became unresponsive, and the named service had to be restarted in order for it to continue serving requests. This was caused by a deadlock occurring between two threads that led to the inability of named to continue to service requests. This deadlock has been resolved with these updated packages so that named no longer becomes unresponsive under heavy load. (BZ#512668) All BIND users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. After installing the update, the BIND daemon (named) will be restarted automatically. Important Copyright 2009 Red Hat, Inc. CVE-2009-0696 bind gets hung with 4000 accesses / sec CVE-2009-0696 bind: DoS (assertion failure) via nsupdate packets cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. A flaw was found in the way BIND handles dynamic update message packets containing the "ANY" record type. A remote attacker could use this flaw to send a specially-crafted dynamic update packet that could cause named to exit with an assertion failure. (CVE-2009-0696) Note: even if named is not configured for dynamic updates, receiving such a specially-crafted dynamic update packet could still cause named to exit unexpectedly. This update also fixes the following bug: * the following message could have been logged: "internal_accept: fcntl() failed: Too many open files". With these updated packages, timeout queries are aborted in order to reduce the number of open UDP sockets, and when the accept() function returns an EMFILE error value, that situation is now handled gracefully, thus resolving the issue. (BZ#498164) All BIND users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. After installing the update, the BIND daemon (named) will be restarted automatically. Important Copyright 2009 Red Hat, Inc. CVE-2009-0696 bind-9.2.4-22.el3 and too many open files CVE-2009-0696 bind: DoS (assertion failure) via nsupdate packets cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities. These facilities include threads, thread synchronization, normal file and network I/O, interval timing, calendar time, basic memory management (malloc and free), and shared library linking. Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Applications built with NSS can support SSLv2, SSLv3, TLS, and other security standards. These updated packages upgrade NSS from the previous version, 3.12.2, to a prerelease of version 3.12.4. The version of NSPR has also been upgraded from 4.7.3 to 4.7.4. Moxie Marlinspike reported a heap overflow flaw in a regular expression parser in the NSS library used by browsers such as Mozilla Firefox to match common names in certificates. A malicious website could present a carefully-crafted certificate in such a way as to trigger the heap overflow, leading to a crash or, possibly, arbitrary code execution with the permissions of the user running the browser. (CVE-2009-2404) Note: in order to exploit this issue without further user interaction in Firefox, the carefully-crafted certificate would need to be signed by a Certificate Authority trusted by Firefox, otherwise Firefox presents the victim with a warning that the certificate is untrusted. Only if the user then accepts the certificate will the overflow take place. Dan Kaminsky discovered flaws in the way browsers such as Firefox handle NULL characters in a certificate. If an attacker is able to get a carefully-crafted certificate signed by a Certificate Authority trusted by Firefox, the attacker could use the certificate during a man-in-the-middle attack and potentially confuse Firefox into accepting it by mistake. (CVE-2009-2408) Dan Kaminsky found that browsers still accept certificates with MD2 hash signatures, even though MD2 is no longer considered a cryptographically strong algorithm. This could make it easier for an attacker to create a malicious certificate that would be treated as trusted by a browser. NSS now disables the use of MD2 and MD4 algorithms inside signatures by default. (CVE-2009-2409) These version upgrades also provide a fix for the following bug: * SSL client authentication failed against an Apache server when it was using the mod_nss module and configured for NSSOCSP. On the client side, the user agent received an error message that referenced "Error Code: -12271" and stated that establishing an encrypted connection had failed because the certificate had been rejected by the host. On the server side, the nss_error_log under /var/log/httpd/ contained the following message: [error] Re-negotiation handshake failed: Not accepted by client!? Also, /var/log/httpd/error_log contained this error: SSL Library Error: -8071 The OCSP server experienced an internal error With these updated packages, the dependency problem which caused this failure has been resolved so that SSL client authentication with an Apache web server using mod_nss which is configured for NSSOCSP succeeds as expected. Note that if the presented client certificate is expired, then access is denied, the user agent is presented with an error message about the invalid certificate, and the OCSP queries are seen in the OCSP responder. Also, similar OCSP status verification happens for SSL server certificates used in Apache upon instance start or restart. (BZ#508027) All users of nspr and nss are advised to upgrade to these updated packages, which resolve these issues. Critical Copyright 2009 Red Hat, Inc. CVE-2009-2404 CVE-2009-2408 CVE-2009-2409 rhcs80beta TPS and mod_nss with NSSOCSP has ssl errors and unable to use agent service CVE-2009-2409 deprecate MD2 in SSL cert validation (Kaminsky) CVE-2009-2408 firefox/nss: doesn't handle NULL in Common Name properly CVE-2009-2404 nss regexp heap overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 SeaMonkey is an open source Web browser, email and newsgroup client, IRC chat client, and HTML editor. Moxie Marlinspike reported a heap overflow flaw in a regular expression parser in the NSS library (provided by SeaMonkey) used to match common names in certificates. A malicious website could present a carefully-crafted certificate in such a way as to trigger the heap overflow, leading to a crash or, possibly, arbitrary code execution with the permissions of the user running SeaMonkey. (CVE-2009-2404) Note: in order to exploit this issue without further user interaction, the carefully-crafted certificate would need to be signed by a Certificate Authority trusted by SeaMonkey, otherwise SeaMonkey presents the victim with a warning that the certificate is untrusted. Only if the user then accepts the certificate will the overflow take place. All SeaMonkey users should upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the updated packages, SeaMonkey must be restarted for the update to take effect. Critical Copyright 2009 Red Hat, Inc. CVE-2009-2404 CVE-2009-2404 nss regexp heap overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities. These facilities include threads, thread synchronization, normal file and network I/O, interval timing, calendar time, basic memory management (malloc and free), and shared library linking. Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Applications built with NSS can support SSLv2, SSLv3, TLS, and other security standards. These updated packages upgrade NSS from the previous version, 3.12.2, to a prerelease of version 3.12.4. The version of NSPR has also been upgraded from 4.7.3 to 4.7.4. Moxie Marlinspike reported a heap overflow flaw in a regular expression parser in the NSS library used by browsers such as Mozilla Firefox to match common names in certificates. A malicious website could present a carefully-crafted certificate in such a way as to trigger the heap overflow, leading to a crash or, possibly, arbitrary code execution with the permissions of the user running the browser. (CVE-2009-2404) Note: in order to exploit this issue without further user interaction in Firefox, the carefully-crafted certificate would need to be signed by a Certificate Authority trusted by Firefox, otherwise Firefox presents the victim with a warning that the certificate is untrusted. Only if the user then accepts the certificate will the overflow take place. Dan Kaminsky discovered flaws in the way browsers such as Firefox handle NULL characters in a certificate. If an attacker is able to get a carefully-crafted certificate signed by a Certificate Authority trusted by Firefox, the attacker could use the certificate during a man-in-the-middle attack and potentially confuse Firefox into accepting it by mistake. (CVE-2009-2408) Dan Kaminsky found that browsers still accept certificates with MD2 hash signatures, even though MD2 is no longer considered a cryptographically strong algorithm. This could make it easier for an attacker to create a malicious certificate that would be treated as trusted by a browser. NSS now disables the use of MD2 and MD4 algorithms inside signatures by default. (CVE-2009-2409) All users of nspr and nss are advised to upgrade to these updated packages, which resolve these issues and add an enhancement. Critical Copyright 2009 Red Hat, Inc. CVE-2009-2404 CVE-2009-2408 CVE-2009-2409 CVE-2009-2409 deprecate MD2 in SSL cert validation (Kaminsky) CVE-2009-2408 firefox/nss: doesn't handle NULL in Common Name properly CVE-2009-2404 nss regexp heap overflow cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in. Multiple security flaws were found in the way Flash Player displayed certain SWF content. An attacker could use these flaws to create a specially-crafted SWF file that would cause flash-plugin to crash or, possibly, execute arbitrary code when the victim loaded a page containing the specially-crafted SWF content. (CVE-2009-1862, CVE-2009-1863, CVE-2009-1864, CVE-2009-1865, CVE-2009-1866, CVE-2009-1868, CVE-2009-1869) A clickjacking flaw was discovered in Flash Player. A specially-crafted SWF file could trick a user into unintentionally or mistakenly clicking a link or a dialog. (CVE-2009-1867) A flaw was found in the Flash Player local sandbox. A specially-crafted SWF file could cause information disclosure when it was saved to the hard drive. (CVE-2009-1870) All users of Adobe Flash Player should install this updated package, which upgrades Flash Player to version 10.0.32.18. Critical Copyright 2009 Red Hat, Inc. CVE-2009-1862 CVE-2009-1863 CVE-2009-1864 CVE-2009-1865 CVE-2009-1866 CVE-2009-1867 CVE-2009-1868 CVE-2009-1869 CVE-2009-1870 CVE-2009-1862 acroread, flash-plugin: Remote code execution vulnerability via malicious SWF (Shockwave Flash) content flash-plugin: multiple code execution flaws (APSB09-10) flash-plugin: multiple information disclosure flaws (APSB09-10) cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 5 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security fixes: * the possibility of a timeout value overflow was found in the Linux kernel high-resolution timers functionality, hrtimers. This could allow a local, unprivileged user to execute arbitrary code, or cause a denial of service (kernel panic). (CVE-2007-5966, Important) * a flaw was found in the Intel PRO/1000 network driver in the Linux kernel. Frames with sizes near the MTU of an interface may be split across multiple hardware receive descriptors. Receipt of such a frame could leak through a validation check, leading to a corruption of the length check. A remote attacker could use this flaw to send a specially-crafted packet that would cause a denial of service or code execution. (CVE-2009-1385, Important) * Michael Tokarev reported a flaw in the Realtek r8169 Ethernet driver in the Linux kernel. This driver allowed interfaces using this driver to receive frames larger than could be handled, which could lead to a remote denial of service or code execution. (CVE-2009-1389, Important) * the ADDR_COMPAT_LAYOUT and MMAP_PAGE_ZERO flags were not cleared when a setuid or setgid program was executed. A local, unprivileged user could use this flaw to bypass the mmap_min_addr protection mechanism and perform a NULL pointer dereference attack, or bypass the Address Space Layout Randomization (ASLR) security feature. (CVE-2009-1895, Important) * Ramon de Carvalho Valle reported two flaws in the Linux kernel eCryptfs implementation. A local attacker with permissions to perform an eCryptfs mount could modify the metadata of the files in that eCrypfts mount to cause a buffer overflow, leading to a denial of service or privilege escalation. (CVE-2009-2406, CVE-2009-2407, Important) * Konstantin Khlebnikov discovered a race condition in the ptrace implementation in the Linux kernel. This race condition can occur when the process tracing and the process being traced participate in a core dump. A local, unprivileged user could use this flaw to trigger a deadlock, resulting in a partial denial of service. (CVE-2009-1388, Moderate) Bug fixes (see References below for a link to more detailed notes): * possible dom0 crash when a Xen para-virtualized guest was installed while another para-virtualized guest was rebooting. (BZ#497812) * no directory removal audit record if the directory and its subtree were recursively watched by an audit rule. (BZ#507561) * running "echo 1 > /proc/sys/vm/drop_caches" under high memory load could cause a kernel panic. (BZ#503692) * on 32-bit systems, core dumps for some multithreaded applications did not include all thread information. (BZ#505322) * a stack buffer used by get_event_name() was too small for nul terminator sprintf() writes. This could lead to an invalid pointer or kernel panic. (BZ#506906) * when using the aic94xx driver, systems with SATA drives may not boot due to a libsas bug. (BZ#506029) * Wacom Cintiq 21UX and Intuos stylus buttons were handled incorrectly when moved away from and back to these tablets. (BZ#508275) * CPU "soft lockup" messages and possibe system hangs on systems with certain Broadcom network devices and running the Linux kernel from the kernel-xen package. (BZ#503689) * on 64-bit PowerPC, getitimer() failed for programs using the ITIMER_REAL timer that were also compiled for 64-bit systems. This caused such programs to abort. (BZ#510018) * write operations could be blocked even when using O_NONBLOCK. (BZ#510239) * the "pci=nomsi" option was required for installing and booting Red Hat Enterprise Linux 5.2 on systems with VIA VT3364 chipsets. (BZ#507529) * shutting down, destroying, or migrating Xen guests with large amounts of memory could cause other guests to be temporarily unresponsive. (BZ#512311) Users should upgrade to these updated packages, which contain backported patches to correct these issues. Systems must be rebooted for this update to take effect. Important Copyright 2009 Red Hat, Inc. CVE-2007-5966 CVE-2009-1385 CVE-2009-1388 CVE-2009-1389 CVE-2009-1895 CVE-2009-2406 CVE-2009-2407 CVE-2007-5966 kernel: non-root can trigger cpu_idle soft lockup RH5.3 x64 RC2 reboots while installing a virtual machine CVE-2009-1385 kernel: e1000_clean_rx_irq() denial of service Call trace thrown up when stressing the network with bw_tcp Possible panic when drop_pagecache_sb() and prune_icache() run concurrently. CVE-2009-1388 kernel: do_coredump() vs ptrace_start() deadlock CVE-2009-1389 kernel: r8169: fix crash when large packets are received [Reg][RHEL5.3] Multi-threaded application dumps a core with wrong thread information With Red Hat errata 128.1.6 installed system hangs with SATA drives installed. kernel: TPM: get_event_name stack corruption [rhel-5.3.z] disable MSI on VIA VT3364 chipsets Removal of directory doesn't produce audit record if rule is recursive Wacom driver with Intuos tablet does not report button press after a proximity leave/re-enter setitimer(ITIMER_REAL, ...) failing in 64bit enviroment [5.3]Write operation with O_NONBLOCK flag to TTY terminal is blocked CVE-2009-1895 kernel: personality: fix PER_CLEAR_ON_SETID A Shut down of a 32GB domU's freezes other domU's for several seconds CVE-2009-2406 kernel: ecryptfs stack overflow in parse_tag_11_packet() CVE-2009-2407 kernel: ecryptfs heap overflow in parse_tag_3_packet() cpe:/o:redhat:rhel_eus cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 The IBM 1.6.0 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. This update fixes several vulnerabilities in the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. These vulnerabilities are summarized on the IBM "Security alerts" page listed in the References section. (CVE-2009-1093, CVE-2009-1094, CVE-2009-1095, CVE-2009-1096, CVE-2009-1097, CVE-2009-1098, CVE-2009-1099, CVE-2009-1100, CVE-2009-1101, CVE-2009-1103, CVE-2009-1104, CVE-2009-1105, CVE-2009-1106, CVE-2009-1107) All users of java-1.6.0-ibm are advised to upgrade to these updated packages, containing the IBM 1.6.0 SR5 Java release. All running instances of IBM Java must be restarted for the update to take effect. Critical Copyright 2009 Red Hat, Inc. CVE-2009-1093 CVE-2009-1094 CVE-2009-1095 CVE-2009-1096 CVE-2009-1097 CVE-2009-1098 CVE-2009-1099 CVE-2009-1100 CVE-2009-1101 CVE-2009-1103 CVE-2009-1104 CVE-2009-1105 CVE-2009-1106 CVE-2009-1107 CVE-2009-1101 OpenJDK JAX-WS service endpoint remote Denial-of-Service (6630639) CVE-2009-1093 OpenJDK remote LDAP Denial-Of-Service (6717680) CVE-2009-1094 OpenJDK LDAP client remote code execution (6737315) CVE-2009-1095 CVE-2009-1096 OpenJDK Pack200 Buffer overflow vulnerability (6792554) CVE-2009-1097 OpenJDK PNG processing buffer overflow vulnerability (6804996) CVE-2009-1098 OpenJDK GIF processing buffer overflow vulnerability (6804998) CVE-2009-1099 OpenJDK: Type1 font processing buffer overflow vulnerability CVE-2009-1100 OpenJDK: DoS (disk consumption) via handling of temporary font files CVE-2009-1103 OpenJDK: Files disclosure, arbitrary code execution via "deserializing applets" (6646860) CVE-2009-1104 OpenJDK: Intended access restrictions bypass via LiveConnect (6724331) CVE-2009-1105 OpenJDK: Possibility of trusted applet run in older, vulnerable version of JRE (6706490) CVE-2009-1106 OpenJDK: Improper parsing of crossdomain.xml files (intended access restriction bypass) (6798948) CVE-2009-1107 OpenJDK: Signed applet remote misuse possibility (6782871) cpe:/a:redhat:rhel_extras Supplementary for Red Hat Enterprise Linux 5 The Sun 1.5.0 Java release includes the Sun Java 5 Runtime Environment and the Sun Java 5 Software Development Kit. This update fixes several vulnerabilities in the Sun Java 5 Runtime Environment and the Sun Java 5 Software Development Kit. These vulnerabilities are summarized on the "Advance notification of Security Updates for Java SE" page from Sun Microsystems, listed in the References section. (CVE-2009-2475, CVE-2009-2625, CVE-2009-2670, CVE-2009-2671, CVE-2009-2672, CVE-2009-2673, CVE-2009-2675, CVE-2009-2676, CVE-2009-2689) Users of java-1.5.0-sun should upgrade to these updated packages, which correct these issues. All running instances of Sun Java must be restarted for the update to take effect. Critical Copyright 2009 Red Hat, Inc. CVE-2009-2475 CVE-2009-2625 CVE-2009-2670 CVE-2009-2671 CVE-2009-2672 CVE-2009-2673 CVE-2009-2675 CVE-2009-2676 CVE-2009-2689 CVE-2009-2720 CVE-2009-2721 CVE-2009-2722 CVE-2009-2723 CVE-2009-2724 CVE-2009-2670 OpenJDK Untrusted applet System properties access (6738524) CVE-2009-2671 CVE-2009-2672 OpenJDK Proxy mechanism information leaks (6801071) CVE-2009-2673 OpenJDK proxy mechanism allows non-authorized socket connections (6801497) CVE-2009-2675 Java Web Start Buffer unpack200 processing integer overflow (6830335) CVE-2009-2625 OpenJDK: XML parsing Denial-Of-Service (6845701) CVE-2009-2475 OpenJDK information leaks in mutable variables (6588003,6656586,6656610,6656625,6657133,6657619,6657625,6657695,6660049,6660539,6813167) CVE-2009-2689 OpenJDK JDK13Services grants unnecessary privileges (6777448) CVE-2009-2676 JRE applet launcher vulnerability cpe:/a:redhat:rhel_extras Supplementary for Red Hat Enterprise Linux 5 The Sun 1.6.0 Java release includes the Sun Java 6 Runtime Environment and the Sun Java 6 Software Development Kit. This update fixes several vulnerabilities in the Sun Java 6 Runtime Environment and the Sun Java 6 Software Development Kit. These vulnerabilities are summarized on the "Advance notification of Security Updates for Java SE" page from Sun Microsystems, listed in the References section. (CVE-2009-0217, CVE-2009-2475, CVE-2009-2476, CVE-2009-2625, CVE-2009-2670, CVE-2009-2671, CVE-2009-2672, CVE-2009-2673, CVE-2009-2674, CVE-2009-2675, CVE-2009-2676, CVE-2009-2690) Users of java-1.6.0-sun should upgrade to these updated packages, which correct these issues. All running instances of Sun Java must be restarted for the update to take effect. Critical Copyright 2009 Red Hat, Inc. CVE-2009-0217 CVE-2009-2475 CVE-2009-2476 CVE-2009-2625 CVE-2009-2670 CVE-2009-2671 CVE-2009-2672 CVE-2009-2673 CVE-2009-2674 CVE-2009-2675 CVE-2009-2676 CVE-2009-2690 CVE-2009-2716 CVE-2009-2718 CVE-2009-2719 CVE-2009-2720 CVE-2009-0217 xmlsec1, mono, xml-security-c, xml-security-1.3.0-1jpp.ep1.*: XMLDsig HMAC-based signatures spoofing and authentication bypass CVE-2009-2670 OpenJDK Untrusted applet System properties access (6738524) CVE-2009-2671 CVE-2009-2672 OpenJDK Proxy mechanism information leaks (6801071) CVE-2009-2673 OpenJDK proxy mechanism allows non-authorized socket connections (6801497) CVE-2009-2674 Java Web Start Buffer JPEG processing integer overflow (6823373) CVE-2009-2675 Java Web Start Buffer unpack200 processing integer overflow (6830335) CVE-2009-2625 OpenJDK: XML parsing Denial-Of-Service (6845701) CVE-2009-2475 OpenJDK information leaks in mutable variables (6588003,6656586,6656610,6656625,6657133,6657619,6657625,6657695,6660049,6660539,6813167) CVE-2009-2476 OpenJDK OpenType checks can be bypassed (6736293) CVE-2009-2690 OpenJDK private variable information disclosure (6777487) CVE-2009-2676 JRE applet launcher vulnerability cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 5 These packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software Development Kit. The Java Runtime Environment (JRE) contains the software and tools that users need to run applications written using the Java programming language. A flaw was found in the way the XML Digital Signature implementation in the JRE handled HMAC-based XML signatures. An attacker could use this flaw to create a crafted signature that could allow them to bypass authentication, or trick a user, applet, or application into accepting untrusted content. (CVE-2009-0217) Several potential information leaks were found in various mutable static variables. These could be exploited in application scenarios that execute untrusted scripting code. (CVE-2009-2475) It was discovered that OpenType checks can be bypassed. This could allow a rogue application to bypass access restrictions by acquiring references to privileged objects through finalizer resurrection. (CVE-2009-2476) A denial of service flaw was found in the way the JRE processes XML. A remote attacker could use this flaw to supply crafted XML that would lead to a denial of service. (CVE-2009-2625) A flaw was found in the JRE audio system. An untrusted applet or application could use this flaw to gain read access to restricted System properties. (CVE-2009-2670) Two flaws were found in the JRE proxy implementation. An untrusted applet or application could use these flaws to discover the usernames of users running applets and applications, or obtain web browser cookies and use them for session hijacking attacks. (CVE-2009-2671, CVE-2009-2672) An additional flaw was found in the proxy mechanism implementation. This flaw allowed an untrusted applet or application to bypass access restrictions and communicate using non-authorized socket or URL connections to hosts other than the origin host. (CVE-2009-2673) An integer overflow flaw was found in the way the JRE processes JPEG images. An untrusted application could use this flaw to extend its privileges, allowing it to read and write local files, as well as to execute local applications with the privileges of the user running the application. (CVE-2009-2674) An integer overflow flaw was found in the JRE unpack200 functionality. An untrusted applet or application could extend its privileges, allowing it to read and write local files, as well as to execute local applications with the privileges of the user running the applet or application. (CVE-2009-2675) It was discovered that JDK13Services grants unnecessary privileges to certain object types. This could be misused by an untrusted applet or application to use otherwise restricted functionality. (CVE-2009-2689) An information disclosure flaw was found in the way private Java variables were handled. An untrusted applet or application could use this flaw to obtain information from variables that would otherwise be private. (CVE-2009-2690) Note: The flaws concerning applets in this advisory, CVE-2009-2475, CVE-2009-2670, CVE-2009-2671, CVE-2009-2672, CVE-2009-2673, CVE-2009-2675, CVE-2009-2689, and CVE-2009-2690, can only be triggered in java-1.6.0-openjdk by calling the "appletviewer" application. This update also fixes the following bug: * the EVR in the java-1.6.0-openjdk package as shipped with Red Hat Enterprise Linux allowed the java-1.6.0-openjdk package from the EPEL repository to take precedence (appear newer). Users using java-1.6.0-openjdk from EPEL would not have received security updates since October 2008. This update prevents the packages from EPEL from taking precedence. (BZ#499079) All users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect. Important Copyright 2009 Red Hat, Inc. CVE-2009-0217 CVE-2009-2475 CVE-2009-2476 CVE-2009-2625 CVE-2009-2670 CVE-2009-2671 CVE-2009-2672 CVE-2009-2673 CVE-2009-2674 CVE-2009-2675 CVE-2009-2689 CVE-2009-2690 Bad EVR CVE-2009-0217 xmlsec1, mono, xml-security-c, xml-security-1.3.0-1jpp.ep1.*: XMLDsig HMAC-based signatures spoofing and authentication bypass CVE-2009-2670 OpenJDK Untrusted applet System properties access (6738524) CVE-2009-2671 CVE-2009-2672 OpenJDK Proxy mechanism information leaks (6801071) CVE-2009-2673 OpenJDK proxy mechanism allows non-authorized socket connections (6801497) CVE-2009-2674 Java Web Start Buffer JPEG processing integer overflow (6823373) CVE-2009-2675 Java Web Start Buffer unpack200 processing integer overflow (6830335) CVE-2009-2625 OpenJDK: XML parsing Denial-Of-Service (6845701) CVE-2009-2475 OpenJDK information leaks in mutable variables (6588003,6656586,6656610,6656625,6657133,6657619,6657625,6657695,6660049,6660539,6813167) CVE-2009-2476 OpenJDK OpenType checks can be bypassed (6736293) CVE-2009-2689 OpenJDK JDK13Services grants unnecessary privileges (6777448) CVE-2009-2690 OpenJDK private variable information disclosure (6777487) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 Subversion (SVN) is a concurrent version control system which enables one or more users to collaborate in developing and maintaining a hierarchy of files and directories while keeping a history of all changes. Matt Lewis, of Google, reported multiple heap overflow flaws in Subversion (server and client) when parsing binary deltas. A malicious user with commit access to a server could use these flaws to cause a heap overflow on that server. A malicious server could use these flaws to cause a heap overflow on a client when it attempts to checkout or update. These heap overflows can result in a crash or, possibly, arbitrary code execution. (CVE-2009-2411) All Subversion users should upgrade to these updated packages, which contain a backported patch to correct these issues. After installing the updated packages, the Subversion server must be restarted for the update to take effect: restart httpd if you are using mod_dav_svn, or restart svnserve if it is used. Important Copyright 2009 Red Hat, Inc. CVE-2009-2411 CVE-2009-2411 subversion: multiple heap overflow issues cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 The Apache Portable Runtime (APR) is a portability library used by the Apache HTTP Server and other projects. It aims to provide a free library of C data structures and routines. apr-util is a utility library used with APR. This library provides additional utility interfaces for APR; including support for XML parsing, LDAP, database interfaces, URI parsing, and more. Multiple integer overflow flaws, leading to heap-based buffer overflows, were found in the way the Apache Portable Runtime (APR) manages memory pool and relocatable memory allocations. An attacker could use these flaws to issue a specially-crafted request for memory allocation, which would lead to a denial of service (application crash) or, potentially, execute arbitrary code with the privileges of an application using the APR libraries. (CVE-2009-2412) All apr and apr-util users should upgrade to these updated packages, which contain backported patches to correct these issues. Applications using the APR libraries, such as httpd, must be restarted for this update to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-2412 CVE-2009-2412 apr, apr-util: Integer overflows in memory pool (apr) and relocatable memory (apr-util) management cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Apache HTTP Server is a popular Web server. The httpd package shipped with Red Hat Enterprise Linux 3 contains embedded copies of the Apache Portable Runtime (APR) libraries, which provide a free library of C data structures and routines, and also additional utility interfaces to support XML parsing, LDAP, database interfaces, URI parsing, and more. Multiple integer overflow flaws, leading to heap-based buffer overflows, were found in the way the Apache Portable Runtime (APR) manages memory pool and relocatable memory allocations. An attacker could use these flaws to issue a specially-crafted request for memory allocation, which would lead to a denial of service (application crash) or, potentially, execute arbitrary code with the privileges of an application using the APR libraries. (CVE-2009-2412) A denial of service flaw was found in the Apache mod_deflate module. This module continued to compress large files until compression was complete, even if the network connection that requested the content was closed before compression completed. This would cause mod_deflate to consume large amounts of CPU if mod_deflate was enabled for a large file. (CVE-2009-1891) This update also fixes the following bug: * in some cases the Content-Length header was dropped from HEAD responses. This resulted in certain sites not working correctly with mod_proxy, such as www.windowsupdate.com. (BZ#506016) All httpd users should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd daemon must be restarted for the update to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-1891 CVE-2009-2412 windowsupdate.microsoft.com does not work with mod_proxy CVE-2009-1891 httpd: possible temporary DoS (CPU consumption) in mod_deflate CVE-2009-2412 apr, apr-util: Integer overflows in memory pool (apr) and relocatable memory (apr-util) management cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 libxml is a library for parsing and manipulating XML files. A Document Type Definition (DTD) defines the legal syntax (and also which elements can be used) for certain types of files, such as XML files. A stack overflow flaw was found in the way libxml processes the root XML document element definition in a DTD. A remote attacker could provide a specially-crafted XML file, which once opened by a local, unsuspecting user, would lead to denial of service (application crash). (CVE-2009-2414) Multiple use-after-free flaws were found in the way libxml parses the Notation and Enumeration attribute types. A remote attacker could provide a specially-crafted XML file, which once opened by a local, unsuspecting user, would lead to denial of service (application crash). (CVE-2009-2416) Users should upgrade to these updated packages, which contain backported patches to resolve these issues. For Red Hat Enterprise Linux 3, they contain backported patches for the libxml and libxml2 packages. For Red Hat Enterprise Linux 4 and 5, they contain backported patches for the libxml2 packages. The desktop must be restarted (log out, then log back in) for this update to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-2414 CVE-2009-2416 CVE-2009-2414 libxml, libxml2, mingw32-libxml2: Stack overflow by parsing root XML element DTD definition CVE-2009-2416 libxml, libxml2, mingw32-libxml2: Pointer use-after-free flaws by parsing Notation and Enumeration attribute types cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 cURL is a tool for getting files from FTP, HTTP, Gopher, Telnet, and Dict servers, using any of the supported protocols. cURL is designed to work without user interaction or any kind of interactivity. Scott Cantor reported that cURL is affected by the previously published "null prefix attack", caused by incorrect handling of NULL characters in X.509 certificates. If an attacker is able to get a carefully-crafted certificate signed by a trusted Certificate Authority, the attacker could use the certificate during a man-in-the-middle attack and potentially confuse cURL into accepting it by mistake. (CVE-2009-2417) cURL users should upgrade to these updated packages, which contain a backported patch to correct these issues. All running applications using libcurl must be restarted for the update to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-2417 CVE-2009-2417 curl: incorrect verification of SSL certificate with NUL in name cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated packages fix the following security issues: * Michael Tokarev reported a flaw in the Realtek r8169 Ethernet driver in the Linux kernel. This driver allowed interfaces using this driver to receive frames larger than what could be handled. This could lead to a remote denial of service or code execution. (CVE-2009-1389, Important) * a buffer overflow flaw was found in the CIFSTCon() function of the Linux kernel Common Internet File System (CIFS) implementation. When mounting a CIFS share, a malicious server could send an overly-long string to the client, possibly leading to a denial of service or privilege escalation on the client mounting the CIFS share. (CVE-2009-1439, Important) * several flaws were found in the way the Linux kernel CIFS implementation handles Unicode strings. CIFS clients convert Unicode strings sent by a server to their local character sets, and then write those strings into memory. If a malicious server sent a long enough string, it could write past the end of the target memory region and corrupt other memory areas, possibly leading to a denial of service or privilege escalation on the client mounting the CIFS share. (CVE-2009-1633, Important) These updated packages also fix the following bugs: * when using network bonding in the "balance-tlb" or "balance-alb" mode, the primary setting for the primary slave device was lost when said device was brought down (ifdown). Bringing the slave interface back up (ifup) did not restore the primary setting (the device was not made the active slave). (BZ#507563) * a bug in timer_interrupt() may have caused the system time to move up to two days or more into the future, or to be delayed for several minutes. This bug only affected Intel 64 and AMD64 systems that have the High Precision Event Timer (HPET) enabled in the BIOS, and could have caused problems for applications that require timing to be accurate. (BZ#508835) * a race condition was resolved in the Linux kernel block layer between show_partition() and rescan_partitions(). This could have caused a NULL pointer dereference in show_partition(), leading to a system crash (kernel panic). This issue was most likely to occur on systems running monitoring software that regularly scanned hard disk partitions, or from repeatedly running commands that probe for partition information. (BZ#512310) * previously, the Stratus memory tracker missed certain modified pages. With this update, information about the type of page (small page or huge page) is passed to the Stratus memory tracker, which resolves this issue. The fix for this issue does not affect systems that do not use memory tracking. (BZ#513182) * a bug may have caused a system crash when using the cciss driver, due to an uninitialized kernel structure. A reported case of this issue occurred after issuing consecutive SCSI TUR commands (sg_turs sends SCSI test-unit-ready commands in a loop). (BZ#513189) * a bug in the SCSI implementation caused "Aborted Command - internal target failure" errors to be sent to Device-Mapper Multipath, without retries, resulting in Device-Mapper Multipath marking the path as failed and making a path group switch. With this update, all errors that return a sense key in the SCSI mid layer (including "Aborted Command - internal target failure") are retried. (BZ#514007) Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect. Important Copyright 2009 Red Hat, Inc. CVE-2009-1389 CVE-2009-1439 CVE-2009-1633 CVE-2009-1439 kernel: cifs: memory overwrite when saving nativeFileSystem field during mount CVE-2009-1633 kernel: cifs: fix potential buffer overruns when converting unicode strings sent by server CVE-2009-1389 kernel: r8169: fix crash when large packets are received A bond's preferred primary setting is lost after bringing down and up of the primary slave. [4.6] The system time leaps 2 days 21 hours 41 min future. show_partition() oops when race with rescan_partitions(). Function unmap_hugepage_range passing PMD instead of PTE to ptep_get_and_clear RHEL4.8: crash in do_cciss_request() Make Aborted Command (internal target failure) retryable at SCSI layer (sense B 44 00) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Pidgin is an instant messaging program which can log in to multiple accounts on multiple instant messaging networks simultaneously. Federico Muttis of Core Security Technologies discovered a flaw in Pidgin's MSN protocol handler. If a user received a malicious MSN message, it was possible to execute arbitrary code with the permissions of the user running Pidgin. (CVE-2009-2694) Note: Users can change their privacy settings to only allow messages from users on their buddy list to limit the impact of this flaw. These packages upgrade Pidgin to version 2.5.9. Refer to the Pidgin release notes for a full list of changes: http://developer.pidgin.im/wiki/ChangeLog All Pidgin users should upgrade to these updated packages, which resolve this issue. Pidgin must be restarted for this update to take effect. Critical Copyright 2009 Red Hat, Inc. CVE-2009-2694 CVE-2009-2694 pidgin: insufficient input validation in msn_slplink_process_msg() cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The libvorbis packages contain runtime libraries for use in programs that support Ogg Vorbis. Ogg Vorbis is a fully open, non-proprietary, patent-and royalty-free, general-purpose compressed audio format. An insufficient input validation flaw was found in the way libvorbis processes the codec file headers (static mode headers and encoding books) of the Ogg Vorbis audio file format (Ogg). A remote attacker could provide a specially-crafted Ogg file that would cause a denial of service (memory corruption and application crash) or, potentially, execute arbitrary code with the privileges of an application using the libvorbis library when opened by a victim. (CVE-2009-2663) Users of libvorbis should upgrade to these updated packages, which contain a backported patch to correct this issue. The desktop must be restarted (log out, then log back in) for this update to take effect. Important Copyright 2009 Red Hat, Inc. CVE-2009-2663 CVE-2009-2663 libvorbis: Improper codec headers processing (DoS, ACE) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated packages fix the following security issues: * a flaw was found in the SOCKOPS_WRAP macro in the Linux kernel. This macro did not initialize the sendpage operation in the proto_ops structure correctly. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2692, Important) * a flaw was found in the udp_sendmsg() implementation in the Linux kernel when using the MSG_MORE flag on UDP sockets. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2698, Important) Red Hat would like to thank Tavis Ormandy and Julien Tinnes of the Google Security Team for responsibly reporting these flaws. These updated packages also fix the following bug: * in the dlm code, a socket was allocated in tcp_connect_to_sock(), but was not freed in the error exit path. This bug led to a memory leak and an unresponsive system. A reported case of this bug occurred after running "cman_tool kill -n [nodename]". (BZ#515432) Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect. Important Copyright 2009 Red Hat, Inc. CVE-2009-2692 CVE-2009-2698 dlm_send socket leak [rhel-5.3.z] CVE-2009-2692 kernel: uninit op in SOCKOPS_WRAP() leads to privesc CVE-2009-2698 kernel: udp socket NULL ptr dereference cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated packages fix the following security issues: * a flaw was found in the SOCKOPS_WRAP macro in the Linux kernel. This macro did not initialize the sendpage operation in the proto_ops structure correctly. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2692, Important) * a flaw was found in the udp_sendmsg() implementation in the Linux kernel when using the MSG_MORE flag on UDP sockets. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2698, Important) Red Hat would like to thank Tavis Ormandy and Julien Tinnes of the Google Security Team for responsibly reporting these flaws. Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect. Important Copyright 2009 Red Hat, Inc. CVE-2009-2692 CVE-2009-2698 CVE-2009-2692 kernel: uninit op in SOCKOPS_WRAP() leads to privesc CVE-2009-2698 kernel: udp socket NULL ptr dereference cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The GnuTLS library provides support for cryptographic algorithms and for protocols such as Transport Layer Security (TLS). A flaw was discovered in the way GnuTLS handles NULL characters in certain fields of X.509 certificates. If an attacker is able to get a carefully-crafted certificate signed by a Certificate Authority trusted by an application using GnuTLS, the attacker could use the certificate during a man-in-the-middle attack and potentially confuse the application into accepting it by mistake. (CVE-2009-2730) Users of GnuTLS are advised to upgrade to these updated packages, which contain a backported patch that corrects this issue. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-2730 CVE-2009-2730 gnutls: incorrect verification of SSL certificate with NUL in name (GNUTLS-SA-2009-4) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated packages fix the following security issues: * a flaw was found in the SOCKOPS_WRAP macro in the Linux kernel. This macro did not initialize the sendpage operation in the proto_ops structure correctly. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2692, Important) * a flaw was found in the udp_sendmsg() implementation in the Linux kernel when using the MSG_MORE flag on UDP sockets. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2698, Important) Red Hat would like to thank Tavis Ormandy and Julien Tinnes of the Google Security Team for responsibly reporting these flaws. All Red Hat Enterprise Linux 3 users should upgrade to these updated packages, which contain backported patches to resolve these issues. The system must be rebooted for this update to take effect. Important Copyright 2009 Red Hat, Inc. CVE-2009-2692 CVE-2009-2698 CVE-2009-2692 kernel: uninit op in SOCKOPS_WRAP() leads to privesc CVE-2009-2698 kernel: udp socket NULL ptr dereference cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 The IBM 1.5.0 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. This update fixes several vulnerabilities in the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. These vulnerabilities are summarized on the IBM "Security alerts" page listed in the References section. (CVE-2009-2625, CVE-2009-2670, CVE-2009-2671, CVE-2009-2672, CVE-2009-2673, CVE-2009-2675) All users of java-1.5.0-ibm are advised to upgrade to these updated packages, containing the IBM 1.5.0 SR10 Java release. All running instances of IBM Java must be restarted for this update to take effect. Note: The packages included in this update are identical to the packages made available by RHEA-2009:1208 and RHEA-2009:1210 on the 13th of August 2009. These packages are being reissued as a Red Hat Security Advisory as they fixed a number of security issues that were not made public until after those errata were released. Since the packages are identical, there is no need to install this update if RHEA-2009:1208 or RHEA-2009:1210 has already been installed. Critical Copyright 2009 Red Hat, Inc. CVE-2009-2625 CVE-2009-2670 CVE-2009-2671 CVE-2009-2672 CVE-2009-2673 CVE-2009-2675 CVE-2009-2670 OpenJDK Untrusted applet System properties access (6738524) CVE-2009-2671 CVE-2009-2672 OpenJDK Proxy mechanism information leaks (6801071) CVE-2009-2673 OpenJDK proxy mechanism allows non-authorized socket connections (6801497) CVE-2009-2675 Java Web Start Buffer unpack200 processing integer overflow (6830335) CVE-2009-2625 OpenJDK: XML parsing Denial-Of-Service (6845701) cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 5 Dnsmasq is a lightweight and easy to configure DNS forwarder and DHCP server. Core Security Technologies discovered a heap overflow flaw in dnsmasq when the TFTP service is enabled (the "--enable-tftp" command line option, or by enabling "enable-tftp" in "/etc/dnsmasq.conf"). If the configured tftp-root is sufficiently long, and a remote user sends a request that sends a long file name, dnsmasq could crash or, possibly, execute arbitrary code with the privileges of the dnsmasq service (usually the unprivileged "nobody" user). (CVE-2009-2957) A NULL pointer dereference flaw was discovered in dnsmasq when the TFTP service is enabled. This flaw could allow a malicious TFTP client to crash the dnsmasq service. (CVE-2009-2958) Note: The default tftp-root is "/var/ftpd", which is short enough to make it difficult to exploit the CVE-2009-2957 issue; if a longer directory name is used, arbitrary code execution may be possible. As well, the dnsmasq package distributed by Red Hat does not have TFTP support enabled by default. All users of dnsmasq should upgrade to this updated package, which contains a backported patch to correct these issues. After installing the updated package, the dnsmasq service must be restarted for the update to take effect. Important Copyright 2009 Red Hat, Inc. CVE-2009-2957 CVE-2009-2958 CVE-2009-2957, CVE-2009-2958 dnsmasq: multiple vulnerabilities in TFTP server cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated packages fix the following security issues: * it was discovered that, when executing a new process, the clear_child_tid pointer in the Linux kernel is not cleared. If this pointer points to a writable portion of the memory of the new program, the kernel could corrupt four bytes of memory, possibly leading to a local denial of service or privilege escalation. (CVE-2009-2848, Important) * a flaw was found in the way the do_sigaltstack() function in the Linux kernel copies the stack_t structure to user-space. On 64-bit machines, this flaw could lead to a four-byte information leak. (CVE-2009-2847, Moderate) * a flaw was found in the ext4 file system code. A local attacker could use this flaw to cause a denial of service by performing a resize operation on a specially-crafted ext4 file system. (CVE-2009-0745, Low) * multiple flaws were found in the ext4 file system code. A local attacker could use these flaws to cause a denial of service by mounting a specially-crafted ext4 file system. (CVE-2009-0746, CVE-2009-0747, CVE-2009-0748, Low) These updated packages also include several hundred bug fixes for and enhancements to the Linux kernel. Space precludes documenting each of these changes in this advisory and users are directed to the Red Hat Enterprise Linux 5.4 Release Notes for information on the most significant of these changes: http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.4/html/Release_Notes/ Also, for details concerning every bug fixed in and every enhancement added to the kernel for this release, see the kernel chapter in the Red Hat Enterprise Linux 5.4 Technical Notes: http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.4/html/Technical_Notes/kernel.html All Red Hat Enterprise Linux 5 users are advised to install these updated packages, which address these vulnerabilities as well as fixing the bugs and adding the enhancements noted in the Red Hat Enterprise Linux 5.4 Release Notes and Technical Notes. The system must be rebooted for this update to take effect. Important Copyright 2009 Red Hat, Inc. CVE-2009-0745 CVE-2009-0746 CVE-2009-0747 CVE-2009-0748 CVE-2009-2847 CVE-2009-2848 raid10_make_request bug: can't convert block across chunks or bigger than 64k.. PCI devices disappear in Xen Paravirtual DomU on reboot/reset RHEL5 Kernel crash when specifying mem= or highmem= kernel parameter Add Filesystem Label to GFS2 Frequent path failures during I/O on DM multipath devices pci: MSI/HT problems with some nvidia bridge chips Increase timeout for device connection on boot [RHEL 5.2]: Tick divider bug when using clocksource=pit Kernel BUG at drivers/scsi/iscsi_tcp.c:387 - invalid opcode: 0000 module load option to enable entropy generation from e1000,bnx2 network cards Online resize2fs error: Invalid argument While trying to add group #15625 A deadlock can occur between mmap/munmap and journaling(ext3). crash formatting a DVD under libata Guest crash when host has >= 64G RAM RFE: improve gettimeofday performance on hypervisors [RHEL5 U1] Kernel NFS Connectathon Test#12, 12.1 Failing E1000 driver enables TSOv6 for hardware that doesn't support it SMP 32bit RHEL5u1 and RHEL5u2 HVM domain might stop booting when start udev service scsi_add_host() returns success even if the work_q was not created backport RUSAGE_THREAD support ptrace(PTRACE_CONT, sig) kills app even if sig is blocked lazy umount causes pwd to fail silently (kernel) [RFE] Enable raw devices on s390x RHEL5.2: ext3 panic in dx_probe CPUID driver does not support cpuid.4 and cpuid.0xb instruments RHEL5-U2 Installation hangs on p-series--7029, 2078 DM-multipath marks the surviving path as failed on failbacks [RHEL5.2-Z][kernel-xen] powernow identifies the wrong number of processors. Module snd-sb16.ko fails to build in a custom kernel. Cannot create more than 1024 nfsd threads [Qlogic 5.4] qla4xxx: Remove Dead/Unused code from driver FEAT: kernel: nf_nat: backport NAT port randomisation [rhel-5.3] NFS problem#3 of IT 106473 - 32-bit jiffy wrap around - NFS inode GFS2: Hang when shrink_slab calls gfs2_delete_inode Xen domU, RAID1, LVM, iscsi target export with blockio bug SCSI Hotswap not working with sym53c8xx_2 card in NSN MCP18 system. [EMC 5.4 feat] Require kernel support to issue Control I/O to CKD dasd on EMC Symmetrix arrays device-mapper changes to support readonly device maps Debug Kernel - NMI Watchdog detected LOCKUP [RHEL-5.2] e1000e module doesn't implement SIOETHTOOL ETHTOOL_GPERMADDR RHEL 5.1 show error msg of "PCI: BIOS Bug: MCFG area at e0000000 is not E820-reserved" during boot [RHEL-5.2] replacing routes doesn't emit notifications via netlink invalid behaviour of NETKEY / XFRM deleting SPD 5.3 beta kernel -115.el breaks the proprietary Nvidia driver [PATCH] Removing bond interfaces causes workqueue thread leak document netdev_budget Patches to improve timekeeping for RHEL kernels running under VMware. Timeouts in wait_drive_not_busy with TEAC DV-W28ECW and similar RHEL5: memmap=X$Y option doesn't yield new BIOS map update CIFS for RHEL5.4 Kernel panic in auth_rpcgss:__gss_find_upcall kernel module is required to enable kernel markers MD RAID1 error handler deadlock (raid1d / make_request) IPoIB-CM connectivity problem with eHCA adapters RFE: an error when mounting the same NFS mount with different SELinux contexts xen: 32 bit guest on 64 bit host oops in xen_set_pud() unstable time source [EMULEX 5.4 bug] scsi messages correlate with silent data corruption, but no i/o errors number of lockd socket connections is capped at 80 Xen live migration may fail due to fragmented memory ansi cprng needs to allow for user-provided initial counter values specfile changes to allow just building the debug kernel [RHEL5.2] nfs_getattr() hangs during heavy write workloads xm dmesg printk spam -- Domain attempted WRMSR 00000000000000e8 from 00000016:3d0e9470 to 00000000:00000000 IPv6 netfilter: output routing rules based on fwmark don't work overlapping nfs locks don't work in gfs/dlm FIPS certification requires exporting DSA_verify function stack usage optimization in link_path_walk() [rhel-5.4] Kernel Panic at pci_scan_bus_parented+0xa/0x1f with "acpi=off" or "acpi=ht" options The system stall or panic can occur when /proc/<pid>/oom_score is read rng header needs to be in kernel-devel lockd: fix reference count leaks in async locking case (impacts GFS2) crypto: ansi_cprng: get_prng_bytes returning some incorrect data Creation of mirrored logical volume with VG extent-size of 1K fails Driver for dm9601 doesn't seem to work as advertised kernel's inotify subsystem not send notification on inode link count change [QLogic 5.4 feat] qla2xxx,qla8xxx - Support production FCoE hardware. fips crypto: self-test needed for rfc4309(ccm(aes)) missing compat sys_ustat corrupts userspace when sys_ustat called from 32-bit AMD: Panic if cpu_khz is incorrect [RHEL5.4 FEAT] Update ixgbe to version 2.0.8-k2 and support the 82599 (Niantic) device oops in mirror_map (dm-raid1.c) kernel panic in tcp_tso_segment() (iptables/netfilter) asm-generic/ioctl.h can generate link error undefined __invalid_size_argument_for_IOC [Intel 5.4 FEAT] TSC keeps running in C3+ [RHEL5.1] Support of Broadcom HT1100 chipset - add new PCI ID [AMD 5.4 FEAT] Withdraw IGN_SERR_INTERNAL for SB800 SATA r8169 reports incredible number of RX dropped packets crypto: des3_ede single-key doesn't work lockd: return NLM_LCK_DENIED_GRACE_PERIOD after long periods [LTC 5.4 FEAT] Kernel NSS support - kernel part [200790] [LTC 5.4 FEAT] System z support for processor degradation [200975] [LTC 5.4 FEAT] Automatic IPL after dump (kernel) [201169] After successful connection to a WPA AP, iwlagn loses its ability to speak WEP [RHEL 5] gen_estimator deadlock fix [Intel 5.4 FEAT] Update the Intel igb driver to match upstream changes & include Kawela PF PCI Domain support for HP xw9400 and xw9300 [LTC 5.4 FEAT] Thread scalability issues with TPC-C [201300] audit: increase the maximum length of the key field fix assorted audit_filter_task() panics on ctx == NULL audit: fix kstrdup() error check kernel/audit.c control character detection is off-by-one missing audit records for descriptors created by pipe(2) and socketpair(2) GFS2: mount attempt hangs if no more journals available Misc kernel audit fixups [LTC 5.4 FEAT] FCP - Performance Data collection (kernel) [201590] Make clock source functions consistent between x86_64 & i386 arches [LTC 5.4 FEAT] Extra kernel parameter via VMPARM [201726] [LTC 5.4 FEAT] OpenIPMI driver update [201263] [LTC 5.4 FEAT] TTY terminal server over IUCV (kernel) [201734] [LTC 5.4 FEAT] Shutdown actions interface (kernel) [201747] [Broadcom 5.4 FEAT] Update bnx2 to 1.8.2b+ [LTC 5.4 FEAT] Provide service levels of HW & Hypervisor in Linux [201753] [LTC 5.4 FEAT] HiperSockets Layer3 support for IPv6 [201751] [LTC 5.4 FEAT] Update spufs for Cell in the kernel of RHEL5.4 to the upstream version [201774] [LTC 5.4 FEAT] Enable SOL (serial over lan) usage for Cell systems with RHEL5 [201454] [Intel 5.4 bug] ixgbe does not work reliably with 16 or more cores [LTC 5.4 FEAT] Enable Power Button on Cell Blades [201777] [LTC 5.4 FEAT] EEH infrastructure change for MSI-X interrupt support [201779] [LTC 5.4 FEAT] Enhance the ipr driver to support MSI-X interrupt [201780] Compilation failure with /usr/include/linux/futex.h header race in aio_complete() leads to process hang [LTC 5.4 FEAT] Linux to add Call Home data [201167] Question for LUKS device passhprase unreadable when using Xen ahci: jmb361 has only one port convert NFS to new write_begin/write_end interfaces [Chelsio FEAT] Update support for Terminator3 adapters GFS2: [RFE] fiemap support for GFS2 softlockups due to infinite loops in posix_locks_deadlock GFS2: [RFE] Merge upstream uevent patches into RHEL 5.4 kernel panics when attempting to rmmod the bnx2 module while it is in use. lockdep warnings on RHEL5.3 xen guest network hangs with xen_vnif in FV RHEL5 guest [LTC 5.4 FEAT] Xen support for 192 CPUs [201257] kernel-2.6.18-92.1.22.el5 misses bug fix which has to be backported. multipath test causes memory leak and eventual system deadlock [Broadcom 5.4 feat] Please add pcie_set_readrq() to the rhel5_drivers_pci_pcie_ga kernel symbol whitelist [QLOGIC 5.4 feat] Add qlge 10Gb ethernet driver GFS2: Parsing of remount arguments incorrect PATH and EXECVE audit records contain bogus newlines [RHEL 5.1] SUN Ultra 40 forcedeth: Network freezes reproducibly (stress) evebe600 RH5.3 x64 RC2 reboots while installing a virtual machine Leap second message can hang the kernel Needs to check GSO packet length against MSS /proc/acpi/dsdt: No such device [QLogic 5.4 bug] qla2xxx - updates and fixes from upstream, part 1 data corruption and general brokenness with ramdisks (rd) RDMA latencytest and perftest fail with QLogic IB 2 volume rebuilding problem - second volume rebuild doesn't succeed. RHEL-5: Deadlock in Xen netfront driver. Improve udp port randomization crypto: panic handling ccm vectors with null associated data kernel BUG at net/ipv4/netfilter/ip_nat_core.c:308 need to backport several ansi_cprng patches waitpid() reports stopped process more than once Bitmap Merging Patch for RHEL 5.4 [RHEL5.3] Original ether's status is keeping PROMISC MULTICAST mode linux-2.6-misc-utrace-update.patch contains incorrect optimization [QLogic 5.4 bug] qla2xx - Word-endian problem programming flash on PPC BCM5704 NIC results in CPU 100%SI , sluggish system performance Add explicit ALUA support to kernel eHEA: mutex_unlock missing in eHEA error path RHEL 5.3 GA kernel panics when RF Kill is on in 5100/5300 AGN Panic at boot if SATA disk is present fix oops when using skb_seq_read gfs2 blocked after recovery [RFE ] Connlimit kernel module support [rhel-5.4] FEAT: RHEL 5.4 - update ALSA HDA audio driver from upstream reproducible panic in debugfs_remove when unmounting gfs2 filesystem [IPV6] Fix the return value of get destination options with NULL data [ipv6] Fix the return value of Set Hop-by-Hop options header with NULL kernel BUG at kernel/ptrace.c:1068 [IPV6] Return correct result for sticky options FEAT: feature request. disable iostat collection in gendisk [Intel 5.4 FEAT] virtualization feature VTd: hypervisor changes (Xen) [RHEL-5.3] ARP packets aren't received by backup slaves breaking arp_validate=3 Add kernel version to oops and panic output Running Openswan ipsec vpn server with rhel-5.3 kernel-2.6.18-128.el5 causes crash tulip driver MTU problems when using dot1q vlans DASDFMT not operating like CPFMTXA [Stratus 5.4 bug] PCI hot unplug can leak MSI descriptors causing fallback to legacy interrupts [IPv6] Update setsockopt(IPV6_MULTICAST_IF) to support RFC 3493, try2 [IPV6]: Check length of optval provided by user in setsockopt() NULL pointer deference in gfs2_getbuf Dock/Undock+ CDROM support for X61 and other laptops Data cards like Huawei EC121 does not work with RHEL5 GFS2 unaligned access in gfs2_bitfit ext4 kernelspace rebase for RHEL5.4 backport critical netxen driver fixes from upstream kernel to RHEL5.4 Add mmu-notifiers support to RHEL5 kernel [iwl3945] Status LED doesn't light up (Lenovo T61) GFS2: Quota mount option inconsistent with common quota/noquota options pci_setup_bridge() clears the Prefetchable Memory Base and Limit Upper 32 Bits registers [ipv6 RAW] Disallow IPPROTO_IPV6-level IPV6_CHECKSUM socket option on ICMPv6 sockets [IPV6] Check outgoing interface even if source address is unspecified nfs server rejecting large writes when sec=krb5i/p is specified [Intel 5.4 bug] ixgbe driver double counts RX byte count Missing DELL MD3000i storage into scsi_dh_rdac kernel module device list [ipv6] Check the hop limit setting in ancillary data slab corruption with dlm and clvmd on ppc64 [RHEL5.3]: modprobe xen-vnif in a KVM guest causes a crash CVE-2009-0745 kernel: ext4: ext4_group_add() missing initialisation issue CVE-2009-0746 kernel: ext4: make_indexed_dir() missing validation CVE-2009-0747 kernel: ext4: ext4_isize() denial of service CVE-2009-0748 kernel: ext4: ext4_fill_super() missing validation issue [NET] Fix functions put_cmsg()/put_cmsg_compat() which may cause usr application memory overflow Problem with drive status leds after update to 2.6.18-128.el5 update efifb RHEL 5.4: hpilo - backport of bugfixes and updates from upstream install include/trace/*.h headers in kernel-devel [RHEL5.3 Xen]: Cannot attach > 16 PV disks using PV-on-HVM drivers Backport lookupcache= mount option for nfs shares [QLOGIC 5.4 bug] qla4xxx: Extended Sense Data Errors "automount" daemon gets blocked uninterruptibly while trying to acquire "i_sem" of monitored directory ethttool -S on r8169 version 2.2LK hangs when interface is down NFS: an f_mode/f_flags confusion in fs/nfs/write.c [RHEL5.3 Xen]: Annoying messages on i686 boot [x86_64]: copy_user_c can zero more data than needed kernel should be built with -fwrapv [rhel-5.4] vmalloc_user() panics 2.6.18-128.1.1.el5 if a kmem cache grows building of kernel-devel on i386 doesn't include asm-x86_64/stacktrace.h powernow-k8: export module parameters to /sys/modules Driver core: make bus_find_device_by_name() more robust Xen guest kernel advertises absolute mouse pointer feature which it is incapable of setting up correctly tar off gfs2 broken - truncated symbolic links GFS2: gfs2_quotad in uninterruptible sleep while idle [RHEL5.2] [IPV6] TUNNEL6: Fix incoming packet length check for inter-protocol tunnel. memory leak when reading from files mounted with nfs mount option 'noac' Kprobes bugfixes backport from 2.6.29 panic in SELinux code with shrinkable NFS mounts [Intel 5.4 FEAT] virtualization feature SR/IOV: kernel changes The SCSI tape driver (st) does not support writing with larger buffers when using aic7xxx Upgrade to update 3 causes SATA resets. 2.6.18-128.1.6.el5xen panic! CPU P-state limits (via acpi _ppc) ignored by OS With Red Hat errata 128.1.6 installed system hangs with SATA drives installed. [RHEL5.4]: Explicitly zero CR[1] in getvcpucontext [RHEL5.4]: Fix interaction between dom0 and NTP GFS2: gfs2_grow changes to rindex read in wrong by the kernel [QLogic 5.4 bug] qla2xxx - updates and fixes from upstream, part 2 [QLogic 5.4 bug] qla2xxx - updates and fixes from upstream, part 3 ptrace: wrong value for bp register at syscall entry tracing kernel dm: OOps in mempool_free when device removed Bonding driver updelay parameter actual behavior doesn't match documented behavior vmscan: bail out of direct reclaim after swap_cluster_max pages Export guest UUID through SMBIOS to show in guest dmidecode by default kernel: tun: Add packet accounting show_partition() oops when race with rescan_partitions() Random crashing in dm snapshots because of a race condition kernel BUG with dm multipath and a partial read request Backport patches for snapshot store damage [QLogic 5.4 bug] qla2xxx - updates and fixes from upstream, part 4 sata_mv: Fix chip type for Highpoint RocketRaid 1740/1742 autofs4 - obvious mistake in mounted check in autofs4_mount_busy() [Intel 5.4 FEAT] virtualization feature VTd: kernel changes [Intel 5.4 FEAT] virtualization feature enhanced VTd: hypervisor changes Setacl not working over NFS. kernel BUG at drivers/scsi/libiscsi.c:301! add 'success' value to sched_wakeup and sched_wakeup_new tracepoints [QLOGIC 5.4 bug] qla4xxx: Driver Fault Recovery dont use DID_TRANSPORT_DISRUPTED when transitioning rport or iscsi states ehca performance impact during creation of queue pairs [patch] mac80211: nullfunc and hidden SSID fixes Deadlock between libvirt and xentop kernel: ecryptfs_parse_options: eCryptfs: unrecognized option 'ecryptfs_unlink_sigs' New compilation warning in ext4 rebase RHEL5.3.z LTP nanosleep02 Test Case Failure on Fujitsu Machine Add Generic Receive Offload support device-mapper: dm-raid45 target doesn't create parity as expected by dmraid (isw) kernel: proc: avoid information leaks to non-privileged processes [rhel-5.4] nfsv4recoverydir proc file unreadable Wacom driver with Intuos tablet does not report button press after a proximity leave/re-enter ath5k module freezes when interface is brought down Kernel panic when loading cpufreq_governor NETDEV_BONDING_FAILOVER is defined twice in the kernel device-mapper: dm-raid45 target regression causing oops on mapping table reload [RHEL5.4] igb: debug kernel reveals incorrect call used to free multiqueue netdev kernel-xen should *not* include pci-stub driver LTP ftest04 and ftest08 Failures Deadlock when a uevent is blocked waiting for the queued I/O. Need symbols added to KABI whitelist for cmirror-kmod renaming file on a share w/o write permissions causes oops [RHEL5 U4] Systems seems to hang on reboot Kernel - testing NMI watchdog ... CPU#0: NMI appears to be stuck (0)! RHEL5.4 ext4: backport corruption fixes from .30 RHEL5: NMI lockups seen after enabling cpuspeed on -147.el5 & -148.el5 REGRESSION: iSCSI Target's Redirect login causes errors in connection Removal of directory doesn't produce audit record if rule is recursive disable MSI on VIA VT3364 chipsets RHEL5.4 virtio: "Device does not have a release() function, it is broken and must be fixed" warnings [RHEL5.4 Xen]: Xenbus warnings in a FV guest on shutdown [RHEL5.4 Xen]: "Weight assignment" messages printed to the serial console READ CAPACITY failed on 10TB LUN need to fix sky2 stats [RHEL5.4 Xen]: Tun patch causing connectathon to fail igb: dropping rx packets [Emulex 5.4 bug] Update lpfc to version 8.2.0.44 qemu-kvm: page allocation failure [RHEL5.4 Xen]: Trying to boot a FV -PAE kernel crashes Xen dom0 fake e820 prevents IGB driver from creating VF devices PCI device fails to allocate resource sata_sx4: ata_cmd_set_features time out resulting in disabled device kernel: TPM: get_event_name stack corruption [rhel-5.4] System freezes when removing ipr driver after injecting EEH errors GFS2: s_umount locking bug with gfs2meta filesystem type RHEL 5.3 long installation time and low hard disk performance in VX800 platform [Broadcom 5.4 bug] Include fixes/cleanups for bnx2i gfs2: extending direct IO writes expose stale data (corruption) iw_cxgb3 OFED driver update RHEL5.4: cxgb3 update gfs2: filesystem consistency error with statfs_slow = 1 [Emulex 5.4 bug] Update lpfc to version 8.2.0.45 (bug fixes only) 32-bit Dom0 Cannot Boot in RHEL5.4 BUG: soft lockup - CPU#0 stuck for 10s! [NetworkManager:5182] 1921270 - gfs2 filesystem won't free up space when files are deleted ext4 preallocation corruption with truncate [RHEL5.4] ixgbe fixups for version 2.0.8-k2 specifically the 82599 need to backport upstream commit 4ea7e38696c7e798c47ebbecadfd392f23f814f9 from net-next GFS2: Filesystem deadlock when running SPECsfs on BIGI test bed. RHEL5.4: cxgb3i (open-iscsi) update performance regression running Iozone with different I/O options on RHEL54 kernels [Emulex 5.4 bug] Update lpfc to version 8.2.0.46 (bug fixes only) RHEL5.4 -154 e1000e using MSI-X hangs system Kernel panic unplugging a rt73usb dongle [QLogic 5.4 bug] qla4xxx: Testing updates, 4 fixes. mmap_min_addr can trigger on non MAP_FIXED mmap operations [QLogic 5.4 bug] qla2xxx - updates and fixes from upstream, part 5 [QLogic 5.4 bug] qla2xxx - updates 24xx / 25xx firmware to 4.04.09 xen kernel, modprobe -r popup call trace and error msg [QLogic 5.4 bug] qla2xxx - properly handle event notification in FCoE environment [RHEL 5.4] sky2: /proc/net/dev statistics are broken RTNL: assertion failed due to bonding notify. RHEL 5.4 cxgb3i (open-iscsi) connection error through VLAN GFS2 panics while shrinking the glock cache. [Emulex 5.4 bug] be2net: traffic stops when using INTx interrupts No network traffic when igb network interface receives arp traffic during negotiation [Emulex 5.4 bug] Unload of bonding driver causes be2net driver to deadlock umount.gfs2 hangs eating CPU [Emulex 5.4 bug] Update lpfc to version 8.2.0.48 (bug fixes only) VT-d BUG() during normal traffic in ixgbe device (RHEL 5.4 Alpha/Beta x86 ) no audio output on IbexPeak chipset [QLogic 5.4 bug] qlge - testing fixes part 3. cciss: spinlock deadlock causes NMI on HP systems [Emulex 5.4 bug] Lower throughput seen on be2net with MSIx interrupt qla2xxx - NPIV broken for PPC, endian fix megaraid sas driver in rhel5.4-beta fails to scan for SAS tape drive (HP Ultrium 4-SCSI) PCI FLR support needed for secure device assignment to KVM guests bnx2i and libiscsi: make sure cnic dev is registered and fix libiscsi eh_abort locking qla2xxx - Provide fundamental reset capability for EEH kernel: build with -fno-delete-null-pointer-checks [rhel-5.4] RHEL5.4: Add SATA GEN3 related messages [Emulex 5.4 bug] Update lpfc driver to 8.2.0.48.2p to fix multiple panics max_phys_segments violation with dm-linear + md raid1 + cciss ahci: add device IDs for Ibex Peak SATA AHCI controllers cciss disk devices do not have storage capability in HAL [Broadcom 5.4 bug] cnic ISCSI_KEVENT_IF_DOWN message handling RHEL 5.4 cxgb3i (open-iscsi) hits skb_over_panic() on write CVE-2009-2847 kernel: information leak in sigaltstack CVE-2009-2848 kernel: execve: must clear current->clear_child_tid cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 LFTP is a sophisticated file transfer program for the FTP and HTTP protocols. Like bash, it has job control and uses the readline library for input. It has bookmarks, built-in mirroring, and can transfer several files in parallel. It is designed with reliability in mind. It was discovered that lftp did not properly escape shell metacharacters when generating shell scripts using the "mirror --script" command. A mirroring script generated to download files from a malicious FTP server could allow an attacker controlling the FTP server to run an arbitrary command as the user running lftp. (CVE-2007-2348) This update also fixes the following bugs: * when using the "mirror" or "get" commands with the "-c" option, lftp did not check for some specific conditions that could result in the program becoming unresponsive, hanging and the command not completing. For example, when waiting for a directory listing, if lftp received a "226" message, denoting an empty directory, it previously ignored the message and kept waiting. With this update, these conditions are properly checked for and lftp no longer hangs when "-c" is used with "mirror" or "get". (BZ#422881) * when using the "put", "mput" or "reput" commands over a Secure FTP (SFTP) connection, specifying the "-c" option sometimes resulted in corrupted files of incorrect size. With this update, using these commands over SFTP with the "-c" option works as expected, and transferred files are no longer corrupted in the transfer process. (BZ#434294) * previously, LFTP linked to the OpenSSL library. OpenSSL's license is, however, incompatible with LFTP's GNU GPL license and LFTP does not include an exception allowing OpenSSL linking. With this update, LFTP links to the GnuTLS (GNU Transport Layer Security) library, which is released under the GNU LGPL license. Like OpenSSL, GnuTLS implements the SSL and TLS protocols, so functionality has not changed. (BZ#458777) * running "help mirror" from within lftp only presented a sub-set of the available options compared to the full list presented in the man page. With this update, running "help mirror" in lftp presents the same list of mirror options as is available in the Commands section of the lftp man page. (BZ#461922) * LFTP imports gnu-lib from upstream. Subsequent to gnu-lib switching from GNU GPLv2 to GNU GPLv3, the LFTP license was internally inconsistent, with LFTP licensed as GNU GPLv2 but portions of the package apparently licensed as GNU GPLv3 because of changes made by the gnu-lib import. With this update, LFTP itself switches to GNU GPLv3, resolving the inconsistency. (BZ#468858) * when the "ls" command was used within lftp to present a directory listing on a remote system connected to via HTTP, file names containing spaces were presented incorrectly. This update corrects this behavior. (BZ#504591) * the default alias "edit" did not define a default editor. If EDITOR was not set in advance by the system, lftp attempted to execute "~/.lftp/edit.tmp.$$" (which failed because the file is not set to executable). The edit alias also did not support tab-completion of file names and incorrectly interpreted file names containing spaces. The updated package defines a default editor (vi) in the absence of a system-defined EDITOR. The edit alias now also supports tab-completion and handles file names containing spaces correctly for both downloading and uploading. (BZ#504594) Note: This update upgrades LFTP from version 3.7.3 to upstream version 3.7.11, which incorporates a number of further bug fixes to those noted above. For details regarding these fixes, refer to the "/usr/share/doc/lftp-3.7.11/NEWS" file after installing this update. (BZ#308721) All LFTP users are advised to upgrade to this updated package, which resolves these issues. Low Copyright 2009 Red Hat, Inc. CVE-2007-2348 CVE-2007-2348 lftp mirror --script does not escape names and targets of symbolic links lftp affected by problems described in CVE-2007-2348 bump lftp to current version 3.7.11 Using lftp with -c options causes hangs lftp corrupts data when using (m)put's -c option on sftp transport [RHEL 5] lftp 'help mirror' does not display all options defined in manpage. cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 OpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation. These packages include the core files necessary for both the OpenSSH client and server. A flaw was found in the SSH protocol. An attacker able to perform a man-in-the-middle attack may be able to obtain a portion of plain text from an arbitrary ciphertext block when a CBC mode cipher was used to encrypt SSH communication. This update helps mitigate this attack: OpenSSH clients and servers now prefer CTR mode ciphers to CBC mode, and the OpenSSH server now reads SSH packets up to their full possible length when corruption is detected, rather than reporting errors early, reducing the possibility of successful plain text recovery. (CVE-2008-5161) This update also fixes the following bug: * the ssh client hung when trying to close a session in which a background process still held tty file descriptors open. With this update, this so-called "hang on exit" error no longer occurs and the ssh client closes the session immediately. (BZ#454812) In addition, this update adds the following enhancements: * the SFTP server can now chroot users to various directories, including a user's home directory, after log in. A new configuration option -- ChrootDirectory -- has been added to "/etc/ssh/sshd_config" for setting this up (the default is not to chroot users). Details regarding configuring this new option are in the sshd_config(5) manual page. (BZ#440240) * the executables which are part of the OpenSSH FIPS module which is being validated will check their integrity and report their FIPS mode status to the system log or to the terminal. (BZ#467268, BZ#492363) All OpenSSH users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues and add these enhancements. After installing this update, the OpenSSH server daemon (sshd) will be restarted automatically. Low Copyright 2009 Red Hat, Inc. CVE-2008-5161 request to add chroot sftp capabilty into openssh-server CVE-2008-5161 OpenSSH: Plaintext Recovery Attack against CBC ciphers cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 MySQL is a multi-user, multi-threaded SQL database server. It consists of the MySQL server daemon (mysqld) and many client programs and libraries. MySQL did not correctly check directories used as arguments for the DATA DIRECTORY and INDEX DIRECTORY directives. Using this flaw, an authenticated attacker could elevate their access privileges to tables created by other database users. Note: This attack does not work on existing tables. An attacker can only elevate their access to another user's tables as the tables are created. As well, the names of these created tables need to be predicted correctly for this attack to succeed. (CVE-2008-2079) A flaw was found in the way MySQL handles an empty bit-string literal. A remote, authenticated attacker could crash the MySQL server daemon (mysqld) if they used an empty bit-string literal in an SQL statement. This issue only caused a temporary denial of service, as the MySQL daemon was automatically restarted after the crash. (CVE-2008-3963) An insufficient HTML entities quoting flaw was found in the mysql command line client's HTML output mode. If an attacker was able to inject arbitrary HTML tags into data stored in a MySQL database, which was later retrieved using the mysql command line client and its HTML output mode, they could perform a cross-site scripting (XSS) attack against victims viewing the HTML output in a web browser. (CVE-2008-4456) Multiple format string flaws were found in the way the MySQL server logs user commands when creating and deleting databases. A remote, authenticated attacker with permissions to CREATE and DROP databases could use these flaws to formulate a specifically-crafted SQL command that would cause a temporary denial of service (open connections to mysqld are terminated). (CVE-2009-2446) Note: To exploit the CVE-2009-2446 flaws, the general query log (the mysqld "--log" command line option or the "log" option in "/etc/my.cnf") must be enabled. This logging is not enabled by default. This update also fixes multiple bugs. Details regarding these bugs can be found in the Red Hat Enterprise Linux 5.4 Technical Notes. You can find a link to the Technical Notes in the References section of this errata. Note: These updated packages upgrade MySQL to version 5.0.77 to incorporate numerous upstream bug fixes. Details of these changes are found in the following MySQL Release Notes: http://dev.mysql.com/doc/refman/5.0/en/news-5-0-77.html All MySQL users are advised to upgrade to these updated packages, which resolve these issues. After installing this update, the MySQL server daemon (mysqld) will be restarted automatically. Moderate Copyright 2009 Red Hat, Inc. CVE-2008-2079 CVE-2008-3963 CVE-2008-4456 CVE-2009-2446 Timeout error starting MySQL when using non-default socket file value (fix provided) CVE-2008-2079 mysql: privilege escalation via DATA/INDEX DIRECTORY directives upgrade to RHEL5.2 - breaks mysql replication between MasterDB and Slave Somewhat dubious code in mysqld init.d script mysql-server crash permanently DATE function used in WHERE clause - broken tmpdir variable not honored for internally created temporary tables 'Explicit or implicit commit' error/server crash with concurrent transactions CVE-2008-3963 MySQL: Using an empty binary value leads to server crash SQL Config files should not be read more than once CVE-2008-4456 mysql: mysql command line client XSS flaw Got query result when using ORDER BY ASC, but empty result when using DESC CVE-2008-3963 MySQL: Using an empty binary value leads to server crash CVE-2009-2446 MySQL: Format string vulnerability by manipulation with database instances (crash) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 eCryptfs is a stacked, cryptographic file system. It is transparent to the underlying file system and provides per-file granularity. eCryptfs is released as a Technology Preview for Red Hat Enterprise Linux 5.4. These updated ecryptfs-utils packages have been upgraded to upstream version 75, which provides a number of bug fixes and enhancements over the previous version. In addition, these packages provide a graphical program to help configure and use eCryptfs. To start this program, run the command: ecryptfs-mount-helper-gui Important: the syntax of certain eCryptfs mount options has changed. Users who were previously using the initial Technology Preview release of ecryptfs-utils are advised to refer to the ecryptfs(7) man page, and to update any affected mount scripts and /etc/fstab entries for eCryptfs file systems. A disclosure flaw was found in the way the "ecryptfs-setup-private" script passed passphrases to the "ecryptfs-wrap-passphrase" and "ecryptfs-add-passphrase" commands as command line arguments. A local user could obtain the passphrases of other users who were running the script from the process listing. (CVE-2008-5188) These updated packages provide various enhancements, including a mount helper and supporting libraries to perform key management and mounting functions. Notable enhancements include: * a new package, ecryptfs-utils-gui, has been added to this update. This package depends on the pygtk2 and pygtk2-libglade packages and provides the eCryptfs Mount Helper GUI program. To install the GUI, first install ecryptfs-utils and then issue the following command: yum install ecryptfs-utils-gui (BZ#500997) * the "ecryptfs-rewrite-file" utility is now more intelligent when dealing with non-existent files and with filtering special files such as the "." directory. In addition, the progress output from "ecryptfs-rewrite-file" has been improved and is now more explicit about the success status of each target. (BZ#500813) * descriptions of the "verbose" flag and the "verbosity=[x]" option, where [x] is either 0 or 1, were missing from a number of eCryptfs manual pages, and have been added. Refer to the eCryptfs man pages for important information regarding using the verbose and/or verbosity options. (BZ#470444) These updated packages also fix the following bugs: * mounting a directory using the eCryptfs mount helper with an RSA key that was too small did not allow the eCryptfs mount helper to encrypt the entire key. When this situation occurred, the mount helper did not display an error message alerting the user to the fact that the key size was too small, possibly leading to corrupted files. The eCryptfs mount helper now refuses RSA keys which are to small to encrypt the eCryptfs key. (BZ#499175) * when standard input was redirected from /dev/null or was unavailable, attempting to mount a directory with the eCryptfs mount helper caused it to become unresponsive and eventually crash, or an "invalid value" error message, depending on if the "--verbosity=[value]" option was provided as an argument, and, if so, its value. With these updated packages, attempting to mount a directory using "mount.ecryptfs" under the same conditions results in either the mount helper attempting to use default values (if "verbosity=0" is supplied), or an "invalid value" error message (instead of the mount helper hanging) if standard input is redirected and "--verbosity=1" is supplied, or that option is omitted entirely. (BZ#499367) * attempting to use the eCryptfs mount helper with an OpenSSL key when the keyring did not contain enough space for the key resulted in an unhelpful error message. The user is now alerted when this situation occurs. (BZ#501460) * the eCryptfs mount helper no longer fails upon receiving an incorrect or empty answer to "yes/no" questions. (BZ#466210) Users are advised to upgrade to these updated ecryptfs-utils packages, which resolve these issues and add these enhancements. Low Copyright 2009 Red Hat, Inc. CVE-2008-5188 ecryptfs complains about a missing module, fails and then loads it CVE-2008-5188 ecryptfs-utils: potential provided password disclosure in the process table difference between the name of the binary and the name in its usage message RHEL5: update ecryptfs-utils to latest `man ecryptfs' is wrong on what to write to openssl_passwd_file=XXX mount.ecrytfs hangs when used with wrong/missing stdin mount helper asks different set questions when the mount options are OK and when are not [ecryptfs-add-passphrase] adding key, which is in keyring already, results in error msg When kernel does not support filename encryption `ecryptfs-add-passphrase --fnek' should exit with exit code != 0 Access-Your-Private-Data.desktop file should have an icon associated Typo in ecryptfs-rewrite-file(1) ecryptfs-insert-wrapped-passphrase-into-keyring fails to add passphrase to keyring if the passphrase is in the keyring already ecryptfs-rewrite-file should be more wise when dealing with non-existing/bogus files ecryptfs-dot-private is not expected to be executed, remove the "x" permission ecryptfs-setup-swap: vol_id: command not found Possible missing runtime dependencies for `ecryptfs-setup-swap' `ecryptfs-setup-swap' tries to restart service ``cryptdisks'' which is not present in RHEL/Fedora [RFE] ecryptfs-manager should ask for password confirmation when creating openssl key ecryptfs-utils-gui must require pygtk2-libglade Select key bytes: item "default" is bogus Error msg from ecryptfs-utils does not reflect reality when adding key to "full" keyring cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The nfs-utils package provides a daemon for the kernel NFS server and related tools. It was discovered that nfs-utils did not use tcp_wrappers correctly. Certain hosts access rules defined in "/etc/hosts.allow" and "/etc/hosts.deny" may not have been honored, possibly allowing remote attackers to bypass intended access restrictions. (CVE-2008-4552) This updated package also fixes the following bugs: * the "LOCKD_TCPPORT" and "LOCKD_UDPPORT" options in "/etc/sysconfig/nfs" were not honored: the lockd daemon continued to use random ports. With this update, these options are honored. (BZ#434795) * it was not possible to mount NFS file systems from a system that has the "/etc/" directory mounted on a read-only file system (this could occur on systems with an NFS-mounted root file system). With this update, it is possible to mount NFS file systems from a system that has "/etc/" mounted on a read-only file system. (BZ#450646) * arguments specified by "STATDARG=" in "/etc/sysconfig/nfs" were removed by the nfslock init script, meaning the arguments specified were never passed to rpc.statd. With this update, the nfslock init script no longer removes these arguments. (BZ#459591) * when mounting an NFS file system from a host not specified in the NFS server's "/etc/exports" file, a misleading "unknown host" error was logged on the server (the hostname lookup did not fail). With this update, a clearer error message is provided for these situations. (BZ#463578) * the nhfsstone benchmark utility did not work with NFS version 3 and 4. This update adds support to nhfsstone for NFS version 3 and 4. The new nhfsstone "-2", "-3", and "-4" options are used to select an NFS version (similar to nfsstat(8)). (BZ#465933) * the exportfs(8) manual page contained a spelling mistake, "djando", in the EXAMPLES section. (BZ#474848) * in some situations the NFS server incorrectly refused mounts to hosts that had a host alias in a NIS netgroup. (BZ#478952) * in some situations the NFS client used its cache, rather than using the latest version of a file or directory from a given export. This update adds a new mount option, "lookupcache=", which allows the NFS client to control how it caches files and directories. Note: The Red Hat Enterprise Linux 5.4 kernel update (the fourth regular update) must be installed in order to use the "lookupcache=" option. Also, "lookupcache=" is currently only available for NFS version 3. Support for NFS version 4 may be introduced in future Red Hat Enterprise Linux 5 updates. Refer to Red Hat Bugzilla #511312 for further information. (BZ#489335) Users of nfs-utils should upgrade to this updated package, which contains backported patches to correct these issues. After installing this update, the nfs service will be restarted automatically. Low Copyright 2009 Red Hat, Inc. CVE-2008-4552 lockd not using settings in sysconfig/nfs /sbin/mount.nfs fails with read-only /etc CVE-2008-4552 nfs-utils: incorrect use of tcp_wrappers, causing hostname-based rules to be ignored rpc.statd options not correctly parsed confusing 'mount request from unknown host' messages nhfsstone does not support NFSv3 and v4 typo in exportfs manpage Add support for lookupcache= option in nfs-utils. cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength general purpose cryptography library. Datagram TLS (DTLS) is a protocol based on TLS that is capable of securing datagram transport (for example, UDP). Multiple denial of service flaws were discovered in OpenSSL's DTLS implementation. A remote attacker could use these flaws to cause a DTLS server to use excessive amounts of memory, or crash on an invalid memory access or NULL pointer dereference. (CVE-2009-1377, CVE-2009-1378, CVE-2009-1379, CVE-2009-1386, CVE-2009-1387) Note: These flaws only affect applications that use DTLS. Red Hat does not ship any DTLS client or server applications in Red Hat Enterprise Linux. An input validation flaw was found in the handling of the BMPString and UniversalString ASN1 string types in OpenSSL's ASN1_STRING_print_ex() function. An attacker could use this flaw to create a specially-crafted X.509 certificate that could cause applications using the affected function to crash when printing certificate contents. (CVE-2009-0590) Note: The affected function is rarely used. No application shipped with Red Hat Enterprise Linux calls this function, for example. These updated packages also fix the following bugs: * "openssl smime -verify -in" verifies the signature of the input file and the "-verify" switch expects a signed or encrypted input file. Previously, running openssl on an S/MIME file that was not encrypted or signed caused openssl to segfault. With this update, the input file is now checked for a signature or encryption. Consequently, openssl now returns an error and quits when attempting to verify an unencrypted or unsigned S/MIME file. (BZ#472440) * when generating RSA keys, pairwise tests were called even in non-FIPS mode. This prevented small keys from being generated. With this update, generating keys in non-FIPS mode no longer calls the pairwise tests and keys as small as 32-bits can be generated in this mode. Note: In FIPS mode, pairwise tests are still called and keys generated in this mode must still be 1024-bits or larger. (BZ#479817) As well, these updated packages add the following enhancements: * both the libcrypto and libssl shared libraries, which are part of the OpenSSL FIPS module, are now checked for integrity on initialization of FIPS mode. (BZ#475798) * an issuing Certificate Authority (CA) allows multiple certificate templates to inherit the CA's Common Name (CN). Because this CN is used as a unique identifier, each template had to have its own Certificate Revocation List (CRL). With this update, multiple CRLs with the same subject name can now be stored in a X509_STORE structure, with their signature field being used to distinguish between them. (BZ#457134) * the fipscheck library is no longer needed for rebuilding the openssl source RPM. (BZ#475798) OpenSSL users should upgrade to these updated packages, which resolve these issues and add these enhancements. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-0590 CVE-2009-1377 CVE-2009-1378 CVE-2009-1379 CVE-2009-1386 CVE-2009-1387 Do not call pairwise tests in non-FIPS mode CVE-2009-0590 openssl: ASN1 printing crash CVE-2009-1377 OpenSSL: DTLS epoch record buffer memory DoS CVE-2009-1378 OpenSSL: DTLS fragment handling memory DoS CVE-2009-1379 OpenSSL: DTLS pointer use-after-free flaw (DoS) CVE-2009-1386 openssl: DTLS NULL deref crash on early ChangeCipherSpec request CVE-2009-1387 openssl: DTLS out-of-sequence message handling NULL deref DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The gfs2-utils package provides the user-space tools necessary to mount, create, maintain, and test GFS2 file systems. Multiple insecure temporary file use flaws were discovered in GFS2 user level utilities. A local attacker could use these flaws to overwrite an arbitrary file writable by a victim running those utilities (typically root) with the output of the utilities via a symbolic link attack. (CVE-2008-6552) This update also fixes the following bugs: * gfs2_fsck now properly detects and repairs problems with sequence numbers on GFS2 file systems. * GFS2 user utilities now use the file system UUID. * gfs2_grow now properly updates the file system size during operation. * gfs2_fsck now returns the proper exit codes. * gfs2_convert now properly frees blocks when removing free blocks up to height 2. * the gfs2_fsck manual page has been renamed to fsck.gfs2 to match current standards. * the 'gfs2_tool df' command now provides human-readable output. * mounting GFS2 file systems with the noatime or noquota option now works properly. * new capabilities have been added to the gfs2_edit tool to help in testing and debugging GFS and GFS2 issues. * the 'gfs2_tool df' command no longer segfaults on file systems with a block size other than 4k. * the gfs2_grow manual page no longer references the '-r' option, which has been removed. * the 'gfs2_tool unfreeze' command no longer hangs during use. * gfs2_convert no longer corrupts file systems when converting from GFS to GFS2. * gfs2_fsck no longer segfaults when encountering a block which is listed as both a data and stuffed directory inode. * gfs2_fsck can now fix file systems even if the journal is already locked for use. * a GFS2 file system's metadata is now properly copied with 'gfs2_edit savemeta' and 'gfs2_edit restoremeta'. * the gfs2_edit savemeta function now properly saves blocks of type 2. * 'gfs2_convert -vy' now works properly on the PowerPC architecture. * when mounting a GFS2 file system as '/', mount_gfs2 no longer fails after being unable to find the file system in '/proc/mounts'. * gfs2_fsck no longer segfaults when fixing 'EA leaf block type' problems. All gfs2-utils users should upgrade to this updated package, which resolves these issues. Low Copyright 2009 Red Hat, Inc. CVE-2008-6552 Add Filesystem UUID to GFS2 utils. GFS2: gfs2_grow doesn't grow file system properly GFS2: make gfs2_fsck conform to fsck(8) exit codes GFS2: gfs2_convert not freeing blocks when removing file with height >=2 gfs2_fsck man page should be fsck.gfs2 man page No longer able to mount GFS volume with noatime,noquota options GFS2: gfs2_edit fixes for 5.4 GFS2: gfs2_tool df segfault on non-4K block size gfs2_grow man page references removed -r option GFS2: gfs2_tool unfreeze hangs gfs2_fsck does not fix filesystem when 'journal is already locked for use' mount failure after gfs2_edit restoremeta of GFS file system GFS2: gfs2_edit savemeta needs to save freemeta blocks GFS2: gfs2_convert, parameter not understood on ppc fsck.gfs2 segfaults while fixing 'EA leaf block type' problem. CVE-2008-6552 cman, gfs2-utils, rgmanager: multiple insecure temporary file use issues cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The rgmanager package contains the Red Hat Resource Group Manager, which provides high availability for critical server applications in the event of system downtime. Multiple insecure temporary file use flaws were discovered in rgmanager and various resource scripts run by rgmanager. A local attacker could use these flaws to overwrite an arbitrary file writable by the rgmanager process (i.e. user root) with the output of rgmanager or a resource agent via a symbolic link attack. (CVE-2008-6552) This update also fixes the following bugs: * clulog now accepts '-' as the first character in messages. * if expire_time is 0, max_restarts is no longer ignored. * the SAP resource agents included in the rgmanager package shipped with Red Hat Enterprise Linux 5.3 were outdated. This update includes the most recent SAP resource agents and, consequently, improves SAP failover support. * empty PID files no longer cause resource start failures. * recovery policy of type 'restart' now works properly when using a resource based on ra-skelet.sh. * samba.sh has been updated to kill the PID listed in the proper PID file. * handling of the '-F' option has been improved to fix issues causing rgmanager to crash if no members of a restricted failover domain were online. * the number of simultaneous status checks can now be limited to prevent load spikes. * forking and cloning during status checks has been optimized to reduce load spikes. * rg_test no longer hangs when run with large cluster configuration files. * when rgmanager is used with a restricted failover domain it will no longer occasionally segfault when some nodes are offline during a failover event. * virtual machine guests no longer restart after a cluster.conf update. * nfsclient.sh no longer leaves temporary files after running. * extra checks from the Oracle agents have been removed. * vm.sh now uses libvirt. * users can now define an explicit service processing order when central_processing is enabled. * virtual machine guests can no longer start on 2 nodes at the same time. * in some cases a successfully migrated virtual machine guest could restart when the cluster.conf file was updated. * incorrect reporting of a service being started when it was not started has been addressed. As well, this update adds the following enhancements: * a startup_wait option has been added to the MySQL resource agent. * services can now be prioritized. * rgmanager now checks to see if it has been killed by the OOM killer and if so, reboots the node. Users of rgmanager are advised to upgrade to this updated package, which resolves these issues and adds these enhancements. Low Copyright 2009 Red Hat, Inc. CVE-2008-6552 fs.sh inefficient scripting leads to load peaks and disk saturation Convert all XM management calls to either lib virt or virsh Recovery policy of type restart doesn't work with a service using a resource based on ra-skelet.sh Virtual Services guest can start on 2 nodes at same time The oracledb.sh script checks in strange intervals(10s, 5m, 4.5m) rgmanager oracledb.sh resource agent does not properly check for all db startup failures. oracledb.sh script kills ALL oracle instances when failing over second ocf_log message doesn't make it to /var/log/messages Zero-length pid files cause resource start failures Update support for SAP resource agents (rgmanager) MySQL Service Startup Timeout after Crash Cluster Event Script needs Updates to include Group Exclusive rgmanager: samba.sh tries to kill the wrong pid file nfsclient.sh leaves temporary files /tmp/nfsclient-status-cache-$$ clusvcadm -e <service> -F handling bugs Enabling (according to failover domain rules) a frozen service results in a unusable failed+frozen service /usr/share/cluster/apache.sh does not handle a valid /etc/httpd/conf/httpd.conf configuration correctly domU's restart after cluster.conf update rg_test hangs when running against cluster RFE: priorities for services/virtual machines segfault in check_rdomain_crash() during failover VM migration and subsequent cluster.conf update can cause the VM restart vm.sh does will fail resource if "no state" is detected CVE-2008-6552 cman, gfs2-utils, rgmanager: multiple insecure temporary file use issues cpe:/a:redhat:rhel_cluster Red Hat Enterprise Linux 5 The Cluster Manager (cman) utility provides services for managing a Linux cluster. Multiple insecure temporary file use flaws were found in fence_apc_snmp and ccs_tool. A local attacker could use these flaws to overwrite an arbitrary file writable by a victim running those utilities (typically root) with the output of the utilities via a symbolic link attack. (CVE-2008-4579, CVE-2008-6552) Bug fixes: * a buffer could overflow if cluster.conf had more than 52 entries per block inside the <cman> block. The limit is now 1024. * the output of the group_tool dump subcommands were NULL padded. * using device="" instead of label="" no longer causes qdiskd to incorrectly exit. * the IPMI fencing agent has been modified to time out after 10 seconds. It is also now possible to specify a different timeout value with the '-t' option. * the IPMI fencing agent now allows punctuation in passwords. * quickly starting and stopping the cman service no longer causes the cluster membership to become inconsistent across the cluster. * an issue with lock syncing caused 'receive_own from' errors to be logged to '/var/log/messages'. * an issue which caused gfs_controld to segfault when mounting hundreds of file systems has been fixed. * the LPAR fencing agent now properly reports status when an LPAR is in Open Firmware mode. * the LPAR fencing agent now works properly with systems using the Integrated Virtualization Manager (IVM). * the APC SNMP fencing agent now properly recognizes outletStatusOn and outletStatusOff return codes from the SNMP agent. * the WTI fencing agent can now connect to fencing devices with no password. * the rps-10 fencing agent now properly performs a reboot when run with no options. * the IPMI fencing agent now supports different cipher types with the '-C' option. * qdisk now properly scans devices and partitions. * cman now checks to see if a new node has state to prevent killing the first node during cluster setup. * 'service qdiskd start' now works properly. * the McData fence agent now works properly with the McData Sphereon 4500 Fabric Switch. * the Egenera fence agent can now specify an SSH login name. * the APC fence agent now works with non-admin accounts when using the 3.5.x firmware. * fence_xvmd now tries two methods to reboot a virtual machine. * connections to OpenAIS are now allowed from unprivileged CPG clients with the user and group of 'ais'. * groupd no longer allows the default fence domain to be '0', which previously caused rgmanager to hang. Now, rgmanager no longer hangs. * the RSA fence agent now supports SSH enabled RSA II devices. * the DRAC fence agent now works with the Integrated Dell Remote Access Controller (iDRAC) on Dell PowerEdge M600 blade servers. * fixed a memory leak in cman. * qdisk now displays a warning if more than one label is found with the same name. * the DRAC5 fencing agent now shows proper usage instructions for the '-D' option. * cman no longer uses the wrong node name when getnameinfo() fails. * the SCSI fence agent now verifies that sg_persist is installed. * the DRAC5 fencing agent now properly handles modulename. * QDisk now logs warning messages if it appears its I/O to shared storage is hung. * fence_apc no longer fails with a pexpect exception. * removing a node from the cluster using 'cman_tool leave remove' now properly reduces the expected_votes and quorum. * a semaphore leak in cman has been fixed. * 'cman_tool nodes -F name' no longer segfaults when a node is out of membership. Enhancements: * support for: ePowerSwitch 8+ and LPAR/HMC v3 devices, Cisco MDS 9124 and MDS 9134 SAN switches, the virsh fencing agent, and broadcast communication with cman. * fence_scsi limitations added to fence_scsi man page. Users of cman are advised to upgrade to these updated packages, which resolve these issues and add these enhancements. Low Copyright 2009 Red Hat, Inc. CVE-2008-4579 CVE-2008-6552 fence_impilan blocks alternative fencing agents when connectivity to IPMI fails. rps-10 fence agent does not perform default reboot action RFE: support for IPMI v2.0 ciphersuites in fence_ipmilan fence_ipmilan does not handle punctuation in password CVE-2008-4579 cman/fence: insecure temporary file usage in the apc fence agents Possible buffer overflow in cman config loader can lead to memory corruption cman_tool nodes -F name segfaults when a node is out of membership cluster view inconsistent after "service cman stop; service cman start" clvmd memory leak gfs_controld: receive_own from N messages with plock_ownership enabled fence_xvmd Fails to Reboot VM gfs_controld segfault during multiple mount attempt [RFE] Add support for Cisco 9124 and 9134 SAN switches as fence devices [PATCH] /sbin/fence_lpar - properly report status on systems in Open Firmware fence_wti is unable to connect to (password-less) fencing device fence_apc_snmp: invalid status outletStatusOff qdiskd does not prune partitions mapped to dm-mpio devices Cman kills first node in initial cluster setup 'service qdiskd restart' doesn't work Normal users cannot run CPG clients if openais is started by cman. fence_lpar doesn't work with hmc version 3 Qdisk should choose first disk if multiple disks containing same label exist Exceptions in fencing agents cman uses local node name for lookup during start up GFS: Allow fence_egenera to specify ssh login name APC Fence Agent does not work with non-admin account group_tool ls fence returns one for fence id ZERO groupd assigns zero group id [RFE] Providing support for ssh enabled RSA II fence devices [RFE] Include fence_virsh along with the present agents fence_drac5 uses module_name instead of modulename fence_drac5 help output shows incorrect usage groupd segfaults on start qdiskd I/O hang reporting Flag added to openais to report security errors causes cman not to build fence agents (fence_apc, fence_wti) fails with pexpect exception fence_lpar can't log in to IVM systems fence_lpar: lssyscfg command on HMC can take longer than SHELL_TIMEOUT cman_tool leave remove does not reduce quorum semaphore leak during cluster startup/shutdown cycle Fence_scsi limitations man page fix needed [RHEL5][cman] fence_apc_snmp: local variable 'verbose_filename' referenced before assignment CVE-2008-6552 cman, gfs2-utils, rgmanager: multiple insecure temporary file use issues cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The GNOME Display Manager (GDM) is a configurable re-implementation of XDM, the X Display Manager. GDM allows you to log in to your system with the X Window System running, and supports running several different X sessions on your local machine at the same time. A flaw was found in the way the gdm package was built. The gdm package was missing TCP wrappers support, which could result in an administrator believing they had access restrictions enabled when they did not. (CVE-2009-2697) This update also fixes the following bugs: * the GDM Reference Manual is now included with the gdm packages. The gdm-docs package installs this document in HTML format in "/usr/share/doc/". (BZ#196054) * GDM appeared in English on systems using Telugu (te_IN). With this update, GDM has been localized in te_IN. (BZ#226931) * the Ctrl+Alt+Backspace sequence resets the X server when in runlevel 5. In previous releases, however, repeated use of this sequence prevented GDM from starting the X server as part of the reset process. This was because GDM sometimes did not notice the X server shutdown properly and would subsequently fail to complete the reset process. This update contains an added check to explicitly notify GDM whenever the X server is terminated, ensuring that resets are executed reliably. (BZ#441971) * the "gdm" user is now part of the "audio" group by default. This enables audio support at the login screen. (BZ#458331) * the gui/modules/dwellmouselistener.c source code contained incorrect XInput code that prevented tablet devices from working properly. This update removes the errant code, ensuring that tablet devices work as expected. (BZ#473262) * a bug in the XOpenDevice() function prevented the X server from starting whenever a device defined in "/etc/X11/xorg.conf" was not actually plugged in. This update wraps XOpenDevice() in the gdk_error_trap_pop() and gdk_error_trap_push() functions, which resolves this bug. This ensures that the X server can start properly even when devices defined in "/etc/X11/xorg.conf" are not plugged in. (BZ#474588) All users should upgrade to these updated packages, which resolve these issues. GDM must be restarted for this update to take effect. Rebooting achieves this, but changing the runlevel from 5 to 3 and back to 5 also restarts GDM. Low Copyright 2009 Red Hat, Inc. CVE-2009-2697 CVE-2009-2697 gdm not built with tcp_wrappers [RHEL5] GDM sometimes doesn't come back after ctrl-alt-backspace Add supplementary audio group to the gdm user Mouse cursor not movable when using tablet instead of mouse gdmgreeter crashes if input device (ex wacom) is defined but not plugged cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 OpenOffice.org is an office productivity suite that includes desktop applications, such as a word processor, spreadsheet, presentation manager, formula editor, and a drawing program. An integer underflow flaw and a boundary error flaw, both possibly leading to a heap-based buffer overflow, were found in the way OpenOffice.org parses certain records in Microsoft Word documents. An attacker could create a specially-crafted Microsoft Word document, which once opened by an unsuspecting user, could cause OpenOffice.org to crash or, potentially, execute arbitrary code with the permissions of the user running OpenOffice.org. (CVE-2009-0200, CVE-2009-0201) All users of OpenOffice.org are advised to upgrade to these updated packages, which contain backported patches to correct these issues. All running instances of OpenOffice.org applications must be restarted for this update to take effect. Important Copyright 2009 Red Hat, Inc. CVE-2009-0200 CVE-2009-0201 CVE-2009-0200 OpenOffice.org Word document Integer Underflow CVE-2009-0201 OpenOffice.org Word document buffer overflow cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Fetchmail is a remote mail retrieval and forwarding utility intended for use over on-demand TCP/IP links, such as SLIP and PPP connections. It was discovered that fetchmail is affected by the previously published "null prefix attack", caused by incorrect handling of NULL characters in X.509 certificates. If an attacker is able to get a carefully-crafted certificate signed by a trusted Certificate Authority, the attacker could use the certificate during a man-in-the-middle attack and potentially confuse fetchmail into accepting it by mistake. (CVE-2009-2666) A flaw was found in the way fetchmail handles rejections from a remote SMTP server when sending warning mail to the postmaster. If fetchmail sent a warning mail to the postmaster of an SMTP server and that SMTP server rejected it, fetchmail could crash. (CVE-2007-4565) A flaw was found in fetchmail. When fetchmail is run in double verbose mode ("-v -v"), it could crash upon receiving certain, malformed mail messages with long headers. A remote attacker could use this flaw to cause a denial of service if fetchmail was also running in daemon mode ("-d"). (CVE-2008-2711) Note: when using SSL-enabled services, it is recommended that the fetchmail "--sslcertck" option be used to enforce strict SSL certificate checking. All fetchmail users should upgrade to this updated package, which contains backported patches to correct these issues. If fetchmail is running in daemon mode, it must be restarted for this update to take effect (use the "fetchmail --quit" command to stop the fetchmail process). Moderate Copyright 2009 Red Hat, Inc. CVE-2007-4565 CVE-2008-2711 CVE-2009-2666 CVE-2007-4565 Fetchmail NULL pointer dereference CVE-2008-2711 fetchmail: Crash in large log messages in verbose mode CVE-2009-2666 fetchmail: SSL null terminator bypass cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The XML Security Library is a C library based on libxml2 and OpenSSL. It implements the XML Signature Syntax and Processing and XML Encryption Syntax and Processing standards. HMAC is used for message authentication using cryptographic hash functions. The HMAC algorithm allows the hash output to be truncated (as documented in RFC 2104). A missing check for the recommended minimum length of the truncated form of HMAC-based XML signatures was found in xmlsec1. An attacker could use this flaw to create a specially-crafted XML file that forges an XML signature, allowing the attacker to bypass authentication that is based on the XML Signature specification. (CVE-2009-0217) Users of xmlsec1 should upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the updated packages, applications that use the XML Security Library must be restarted for the update to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-0217 CVE-2009-0217 xmlsec1, mono, xml-security-c, xml-security-1.3.0-1jpp.ep1.*: XMLDsig HMAC-based signatures spoofing and authentication bypass cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Firefox is an open source Web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. nspr provides the Netscape Portable Runtime (NSPR). Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2009-3070, CVE-2009-3071, CVE-2009-3072, CVE-2009-3074, CVE-2009-3075) A use-after-free flaw was found in Firefox. An attacker could use this flaw to crash Firefox or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2009-3077) A flaw was found in the way Firefox handles malformed JavaScript. A website with an object containing malicious JavaScript could execute that JavaScript with the privileges of the user running Firefox. (CVE-2009-3079) Descriptions in the dialogs when adding and removing PKCS #11 modules were not informative. An attacker able to trick a user into installing a malicious PKCS #11 module could use this flaw to install their own Certificate Authority certificates on a user's machine, making it possible to trick the user into believing they are viewing a trusted site or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2009-3076) A flaw was found in the way Firefox displays the address bar when window.open() is called in a certain way. An attacker could use this flaw to conceal a malicious URL, possibly tricking a user into believing they are viewing a trusted site. (CVE-2009-2654) A flaw was found in the way Firefox displays certain Unicode characters. An attacker could use this flaw to conceal a malicious URL, possibly tricking a user into believing they are viewing a trusted site. (CVE-2009-3078) For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 3.0.14. You can find a link to the Mozilla advisories in the References section of this errata. All Firefox users should upgrade to these updated packages, which contain Firefox version 3.0.14, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect. Critical Copyright 2009 Red Hat, Inc. CVE-2009-2654 CVE-2009-3070 CVE-2009-3071 CVE-2009-3072 CVE-2009-3074 CVE-2009-3075 CVE-2009-3076 CVE-2009-3077 CVE-2009-3078 CVE-2009-3079 CVE-2009-2654 firefox: URL bar spoofing vulnerability CVE-2009-3070 Firefox 3.5 3.0.14 browser engine crashes CVE-2009-3071 Firefox 3.5.2 3.0.14 browser engine crashes CVE-2009-3072 Firefox 3.5.3 3.0.14 browser engine crashes CVE-2009-3074 Firefox 3.5 3.0.14 JavaScript engine crashes CVE-2009-3075 Firefox 3.5.2 3.0.14 JavaScript engine crashes CVE-2009-3076 Firefox 3.0.14 Insufficient warning for PKCS11 module installation and removal CVE-2009-3077 Firefox 3.5.3 3.0.14 TreeColumns dangling pointer vulnerability CVE-2009-3078 Firefox 3.5.3 3.0.14 Location bar spoofing via tall line-height Unicode characters CVE-2009-3079 Firefox 3.5.3 3.0.14 Chrome privilege escalation with FeedWriter cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 SeaMonkey is an open source Web browser, email and newsgroup client, IRC chat client, and HTML editor. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause SeaMonkey to crash or, potentially, execute arbitrary code with the privileges of the user running SeaMonkey. (CVE-2009-3072, CVE-2009-3075) A use-after-free flaw was found in SeaMonkey. An attacker could use this flaw to crash SeaMonkey or, potentially, execute arbitrary code with the privileges of the user running SeaMonkey. (CVE-2009-3077) Descriptions in the dialogs when adding and removing PKCS #11 modules were not informative. An attacker able to trick a user into installing a malicious PKCS #11 module could use this flaw to install their own Certificate Authority certificates on a user's machine, making it possible to trick the user into believing they are viewing a trusted site or, potentially, execute arbitrary code with the privileges of the user running SeaMonkey. (CVE-2009-3076) A flaw was found in the way SeaMonkey displays the address bar when window.open() is called in a certain way. An attacker could use this flaw to conceal a malicious URL, possibly tricking a user into believing they are viewing a trusted site. (CVE-2009-2654) All SeaMonkey users should upgrade to these updated packages, which correct these issues. After installing the update, SeaMonkey must be restarted for the changes to take effect. Critical Copyright 2009 Red Hat, Inc. CVE-2009-2654 CVE-2009-3072 CVE-2009-3075 CVE-2009-3076 CVE-2009-3077 CVE-2009-2654 firefox: URL bar spoofing vulnerability CVE-2009-3072 Firefox 3.5.3 3.0.14 browser engine crashes CVE-2009-3075 Firefox 3.5.2 3.0.14 JavaScript engine crashes CVE-2009-3076 Firefox 3.0.14 Insufficient warning for PKCS11 module installation and removal CVE-2009-3077 Firefox 3.5.3 3.0.14 TreeColumns dangling pointer vulnerability cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 SeaMonkey is an open source Web browser, email and newsgroup client, IRC chat client, and HTML editor. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause SeaMonkey to crash or, potentially, execute arbitrary code with the privileges of the user running SeaMonkey. (CVE-2009-3072, CVE-2009-3075) A use-after-free flaw was found in SeaMonkey. An attacker could use this flaw to crash SeaMonkey or, potentially, execute arbitrary code with the privileges of the user running SeaMonkey. (CVE-2009-3077) Dan Kaminsky discovered flaws in the way browsers such as SeaMonkey handle NULL characters in a certificate. If an attacker is able to get a carefully-crafted certificate signed by a Certificate Authority trusted by SeaMonkey, the attacker could use the certificate during a man-in-the-middle attack and potentially confuse SeaMonkey into accepting it by mistake. (CVE-2009-2408) Descriptions in the dialogs when adding and removing PKCS #11 modules were not informative. An attacker able to trick a user into installing a malicious PKCS #11 module could use this flaw to install their own Certificate Authority certificates on a user's machine, making it possible to trick the user into believing they are viewing a trusted site or, potentially, execute arbitrary code with the privileges of the user running SeaMonkey. (CVE-2009-3076) A flaw was found in the way SeaMonkey displays the address bar when window.open() is called in a certain way. An attacker could use this flaw to conceal a malicious URL, possibly tricking a user into believing they are viewing a trusted site. (CVE-2009-2654) Dan Kaminsky found that browsers still accept certificates with MD2 hash signatures, even though MD2 is no longer considered a cryptographically strong algorithm. This could make it easier for an attacker to create a malicious certificate that would be treated as trusted by a browser. NSS (provided by SeaMonkey) now disables the use of MD2 and MD4 algorithms inside signatures by default. (CVE-2009-2409) All SeaMonkey users should upgrade to these updated packages, which correct these issues. After installing the update, SeaMonkey must be restarted for the changes to take effect. Critical Copyright 2009 Red Hat, Inc. CVE-2009-2408 CVE-2009-2409 CVE-2009-2654 CVE-2009-3072 CVE-2009-3075 CVE-2009-3076 CVE-2009-3077 CVE-2009-2409 deprecate MD2 in SSL cert validation (Kaminsky) CVE-2009-2408 firefox/nss: doesn't handle NULL in Common Name properly CVE-2009-2654 firefox: URL bar spoofing vulnerability CVE-2009-3072 Firefox 3.5.3 3.0.14 browser engine crashes CVE-2009-3075 Firefox 3.5.2 3.0.14 JavaScript engine crashes CVE-2009-3076 Firefox 3.0.14 Insufficient warning for PKCS11 module installation and removal CVE-2009-3077 Firefox 3.5.3 3.0.14 TreeColumns dangling pointer vulnerability cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security issues: * the ADDR_COMPAT_LAYOUT and MMAP_PAGE_ZERO flags were not cleared when a setuid or setgid program was executed. A local, unprivileged user could use this flaw to bypass the mmap_min_addr protection mechanism and perform a NULL pointer dereference attack, or bypass the Address Space Layout Randomization (ASLR) security feature. (CVE-2009-1895, Important) * it was discovered that, when executing a new process, the clear_child_tid pointer in the Linux kernel is not cleared. If this pointer points to a writable portion of the memory of the new program, the kernel could corrupt four bytes of memory, possibly leading to a local denial of service or privilege escalation. (CVE-2009-2848, Important) * Solar Designer reported a missing capability check in the z90crypt driver in the Linux kernel. This missing check could allow a local user with an effective user ID (euid) of 0 to bypass intended capability restrictions. (CVE-2009-1883, Moderate) * a flaw was found in the way the do_sigaltstack() function in the Linux kernel copies the stack_t structure to user-space. On 64-bit machines, this flaw could lead to a four-byte information leak. (CVE-2009-2847, Moderate) Bug fixes: * the gcc flag "-fno-delete-null-pointer-checks" was added to the kernel build options. This prevents gcc from optimizing out NULL pointer checks after the first use of a pointer. NULL pointer bugs are often exploited by attackers. Keeping these checks is a safety measure. (BZ#517964) * the Emulex LPFC driver has been updated to version 8.0.16.47, which fixes a memory leak that caused memory allocation failures and system hangs. (BZ#513192) * an error in the MPT Fusion driver makefile caused CSMI ioctls to not work with Serial Attached SCSI devices. (BZ#516184) * this update adds the mmap_min_addr tunable and restriction checks to help prevent unprivileged users from creating new memory mappings below the minimum address. This can help prevent the exploitation of NULL pointer deference bugs. Note that mmap_min_addr is set to zero (disabled) by default for backwards compatibility. (BZ#517904) * time-outs resulted in I/O errors being logged to "/var/log/messages" when running "mt erase" on tape drives using certain LSI MegaRAID SAS adapters, preventing the command from completing. The megaraid_sas driver's timeout value is now set to the OS layer value. (BZ#517965) * a locking issue caused the qla2xxx ioctl module to hang after encountering errors. This locking issue has been corrected. This ioctl module is used by the QLogic SAN management tools, such as SANsurfer and scli. (BZ#519428) * when a RAID 1 array that uses the mptscsi driver and the LSI 1030 controller became degraded, the whole array was detected as being offline, which could cause kernel panics at boot or data loss. (BZ#517295) * on 32-bit architectures, if a file was held open and frequently written for more than 25 days, it was possible that the kernel would stop flushing those writes to storage. (BZ#515255) * a memory allocation bug in ib_mthca prevented the driver from loading if it was loaded with large values for the "num_mpt=" and "num_mtt=" options. See Kbase link below for details. (BZ#518707) * with this update, get_random_int() is more random and no longer uses a common seed value, reducing the possibility of predicting the values returned. See Kbase link below for details. (BZ#519692) * a bug in __ptrace_unlink() caused it to create deadlocked and unkillable processes. See Kbase link below for details. (BZ#519446) * previously, multiple threads using the fcntl() F_SETLK command to synchronize file access caused a deadlock in posix_locks_deadlock(). This could cause a system hang. (BZ#519429) Users should upgrade to these updated packages, which contain backported patches to correct these issues. Reboot the system for this update to take effect. Important Copyright 2009 Red Hat, Inc. CVE-2009-1883 CVE-2009-1895 CVE-2009-2847 CVE-2009-2848 CVE-2009-3238 CVE-2009-1883 kernel: missing capability check in z90crypt CVE-2009-1895 kernel: personality: fix PER_CLEAR_ON_SETID [Emulex 4.9 bug] DMA zone exhaustion from lpfc driver memory leak NFS problems on RHEL 4 where logs show different lengths CVE-2009-2847 kernel: information leak in sigaltstack CVE-2009-2848 kernel: execve: must clear current->clear_child_tid MPT driver CC_CSMI_SAS_GET_CNTLR_CONFIG IOCTL fails [rhel-4.8.z] Missing mptscsi RAID1 disk causes kernel panic when rebooted before array rebuild. [rhel-4.8.z] kernel: security: implement mmap_min_addr infrastructure [rhel-4.8.z] kernel: build with -fno-delete-null-pointer-checks [rhel-4.8.z] MegaRAID SAS 1078 tape I/O errors when using mt erase [rhel-4.8.z] num_mtt settings of 2097152 fails in RHEL with infiniband HCA [rhel-4.8.z] [NetApp 4.8 bug] Issues with "qioctlmod" module on RHEL4.8 hosts with QLogic FC inbox drivers [rhel-4.8.z] [RHEL 4] Lookups due to infinite loops in posix_locks_deadlock [rhel-4.8.z] kernel: ptrace: don't use REMOVE_LINKS/SET_LINKS for reparenting [rhel-4.9] [rhel-4.8.z] cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 FreeRADIUS is a high-performance and highly configurable free Remote Authentication Dial In User Service (RADIUS) server, designed to allow centralized authentication and authorization for a network. An input validation flaw was discovered in the way FreeRADIUS decoded specific RADIUS attributes from RADIUS packets. A remote attacker could use this flaw to crash the RADIUS daemon (radiusd) via a specially-crafted RADIUS packet. (CVE-2009-3111) Users of FreeRADIUS are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the update, radiusd will be restarted automatically. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-3111 CVE-2009-3111 FreeRADIUS: Missing check for Tunnel-Password attributes with zero length (DoS) -- re-appearance of CVE-2003-0967 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 neon is an HTTP and WebDAV client library, with a C interface. It provides a high-level interface to HTTP and WebDAV methods along with a low-level interface for HTTP request handling. neon supports persistent connections, proxy servers, basic, digest and Kerberos authentication, and has complete SSL support. It was discovered that neon is affected by the previously published "null prefix attack", caused by incorrect handling of NULL characters in X.509 certificates. If an attacker is able to get a carefully-crafted certificate signed by a trusted Certificate Authority, the attacker could use the certificate during a man-in-the-middle attack and potentially confuse an application using the neon library into accepting it by mistake. (CVE-2009-2474) A denial of service flaw was found in the neon Extensible Markup Language (XML) parser. A remote attacker (malicious DAV server) could provide a specially-crafted XML document that would cause excessive memory and CPU consumption if an application using the neon XML parser was tricked into processing it. (CVE-2009-2473) All neon users should upgrade to these updated packages, which contain backported patches to correct these issues. Applications using the neon HTTP and WebDAV client library, such as cadaver, must be restarted for this update to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-2473 CVE-2009-2474 CVE-2009-2473 neon, gnome-vfs2 embedded neon: billion laughs DoS attack CVE-2009-2474 neon: Improper verification of x509v3 certificate with NULL (zero) byte in certain fields cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Pidgin is an instant messaging program which can log in to multiple accounts on multiple instant messaging networks simultaneously. Info/Query (IQ) is an Extensible Messaging and Presence Protocol (XMPP) specific request-response mechanism. A NULL pointer dereference flaw was found in the way the Pidgin XMPP protocol plug-in processes IQ error responses when trying to fetch a custom smiley. A remote client could send a specially-crafted IQ error response that would crash Pidgin. (CVE-2009-3085) A NULL pointer dereference flaw was found in the way the Pidgin IRC protocol plug-in handles IRC topics. A malicious IRC server could send a specially-crafted IRC TOPIC message, which once received by Pidgin, would lead to a denial of service (Pidgin crash). (CVE-2009-2703) It was discovered that, when connecting to certain, very old Jabber servers via XMPP, Pidgin may ignore the "Require SSL/TLS" setting. In these situations, a non-encrypted connection is established rather than the connection failing, causing the user to believe they are using an encrypted connection when they are not, leading to sensitive information disclosure (session sniffing). (CVE-2009-3026) A NULL pointer dereference flaw was found in the way the Pidgin MSN protocol plug-in handles improper MSNSLP invitations. A remote attacker could send a specially-crafted MSNSLP invitation request, which once accepted by a valid Pidgin user, would lead to a denial of service (Pidgin crash). (CVE-2009-3083) These packages upgrade Pidgin to version 2.6.2. Refer to the Pidgin release notes for a full list of changes: http://developer.pidgin.im/wiki/ChangeLog All Pidgin users should upgrade to these updated packages, which correct these issues. Pidgin must be restarted for this update to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-2703 CVE-2009-3026 CVE-2009-3083 CVE-2009-3085 CVE-2009-3026 pidgin: ignores SSL/TLS requirements with old jabber servers CVE-2009-2703 Pidgin: NULL pointer dereference by handling IRC topic(s) (DoS) CVE-2009-3083 Pidgin: NULL pointer dereference by processing incomplete MSN SLP invite (DoS) CVE-2009-3085 Pidgin: NULL pointer dereference by processing a custom smiley (DoS) cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security fix: * a NULL pointer dereference flaw was found in the Multiple Devices (md) driver in the Linux kernel. If the "suspend_lo" or "suspend_hi" file on the sysfs file system ("/sys/") is modified when the disk array is inactive, it could lead to a local denial of service or privilege escalation. Note: By default, only the root user can write to the files noted above. (CVE-2009-2849, Moderate) Bug fixes: * a bug in nlm_lookup_host() could lead to un-reclaimed file system locks, resulting in umount failing & NFS service relocation issues for clusters. (BZ#517967) * a bug in the sky2 driver prevented the phy from being reset properly on some hardware when it hung, preventing a link from coming back up. (BZ#517976) * disabling MSI-X for qla2xxx also disabled MSI interrupts. (BZ#519782) * performance issues with reads when using the qlge driver on PowerPC systems. A system hang could also occur during reboot. (BZ#519783) * unreliable time keeping for Red Hat Enterprise Linux virtual machines. The KVM pvclock code is now used to detect/correct lost ticks. (BZ#520685) * /proc/cpuinfo was missing flags for new features in supported processors, possibly preventing the operating system & applications from getting the best performance. (BZ#520686) * reading/writing with a serial loopback device on a certain IBM system did not work unless booted with "pnpacpi=off". (BZ#520905) * mlx4_core failed to load on systems with more than 32 CPUs. (BZ#520906) * on big-endian platforms, interfaces using the mlx4_en driver & Large Receive Offload (LRO) did not handle VLAN traffic properly (a segmentation fault in the VLAN stack in the kernel occurred). (BZ#520908) * due to a lock being held for a long time, some systems may have experienced "BUG: soft lockup" messages under heavy load. (BZ#520919) * incorrect APIC timer calibration may have caused a system hang during boot, as well as the system time becoming faster or slower. A warning is now provided. (BZ#521238) * a Fibre Channel device re-scan via 'echo "---" > /sys/class/scsi_host/ host[x]/scan' may not complete after hot adding a drive, leading to soft lockups ("BUG: soft lockup detected"). (BZ#521239) * the Broadcom BCM5761 network device could not to be initialized properly; therefore, the associated interface could not obtain an IP address via DHCP or be assigned one manually. (BZ#521241) * when a process attempted to read from a page that had first been accessed by writing to part of it (via write(2)), the NFS client needed to flush the modified portion of the page out to the server, & then read the entire page back in. This flush caused performance issues. (BZ#521244) * a kernel panic when using bnx2x devices & LRO in a bridge. A warning is now provided to disable LRO in these situations. (BZ#522636) * the scsi_dh_rdac driver was updated to recognize the Sun StorageTek Flexline 380. (BZ#523237) * in FIPS mode, random number generators are required to not return the first block of random data they generate, but rather save it to seed the repetition check. This update brings the random number generator into conformance. (BZ#523289) * an option to disable/enable the use of the first random block is now provided to bring ansi_cprng into compliance with FIPS-140 continuous test requirements. (BZ#523290) * running the SAP Linux Certification Suite in a KVM guest caused severe SAP kernel errors, causing it to exit. (BZ#524150) * attempting to 'online' a CPU for a KVM guest via sysfs caused a system crash. (BZ#524151) * when using KVM, pvclock returned bogus wallclock values. (BZ#524152) * the clock could go backwards when using the vsyscall infrastructure. (BZ#524527) See References for KBase links re BZ#519782 & BZ#520906. Users should upgrade to these updated packages, which contain backported patches to correct these issues. Reboot the system for this update to take effect. Moderate Copyright 2010 Red Hat, Inc. CVE-2009-2849 Bug in lockd prevents a locks being freed. [rhel-5.4.z] [RHEL 5] sky2 eth0: receiver hang detected [rhel-5.4.z] CVE-2009-2849 kernel: md: NULL pointer deref when accessing suspend_* sysfs attributes [QLogic 5.5 bug] qla2xxx - allow use of MSI when MSI-X disabled. [rhel-5.4.z] [QLogic 5.5 bug] qlge - fix hangs and read perfromance [rhel-5.4.z] use KVM pvclock code to detect/correct lost ticks [rhel-5.4.z] bare-metal and xen: /proc/cpuinfo does not list all CPU flags presented by CPU [rhel-5.4.z] Serial ports don't function on 4838-310 without pnpacpi=off boot option [rhel-5.4.z] mlx4_core fails to load on systems with32 cores [rhel-5.4.z] TCP traffic for VLAN interfaces fails over mlx4_en parent interface. [rhel-5.4.z] BUG: soft lockup - CPU#5 stuck for 10s at .context_struct_compute_av+0x214/0x39c [rhel-5.4.z] [RHEL 5] Hang on boot due to wrong APIC timer calibration [rhel-5.4.z] scsi_transport_fc: fc_user_scan can loop forever, needs mutex with rport list changes [rhel-5.4.z] 5.4 alpha: Broadcom 5761 NIC does not work [rhel-5.4.z] Read/Write NFS I/O performance degraded by FLUSH_STABLE page flushing [rhel-5.4.z] bridge: Fix LRO crash with tun (tun_chr_read()) [rhel-5.4.z] Add kernel (scsi_dh_rdac) support for Sun 6540 storage arrays. [rhel-5.4.z] [FIP140-2] the first n- bit block generated after power-up, initialization, or reset shall not be used [rhel-5.4.z] [FIPS140-2] Provide option to disable/enable use of the first random block [rhel-5.4.z] Can't override KVM clock in a KVM guest with -165 kernel to triage SAP DB create failure [rhel-5.4.z] cpu1 didn't come online in a kvm i686 guest [rhel-5.4.z] pvclock return bogus wallclock values [rhel-5.4.z] RHEV : SAP SLCS 2.3 fails during install/import in a RHEV-H/KVM guest with PV KVM clock [rhel-5.4.z] cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 The cyrus-imapd packages contain a high-performance mail server with IMAP, POP3, NNTP, and Sieve support. Multiple buffer overflow flaws were found in the Cyrus IMAP Sieve implementation. An authenticated user able to create Sieve mail filtering rules could use these flaws to execute arbitrary code with the privileges of the Cyrus IMAP server user. (CVE-2009-2632, CVE-2009-3235) Users of cyrus-imapd are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. After installing the update, cyrus-imapd will be restarted automatically. Important Copyright 2009 Red Hat, Inc. CVE-2009-2632 CVE-2009-3235 CVE-2009-2632 cyrus-imapd: buffer overflow in cyrus sieve CVE-2009-3235 cyrus-impad: CMU sieve buffer overflows cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Newt is a programming library for color text mode, widget-based user interfaces. Newt can be used to add stacked windows, entry widgets, checkboxes, radio buttons, labels, plain text fields, scrollbars, and so on, to text mode user interfaces. A heap-based buffer overflow flaw was found in the way newt processes content that is to be displayed in a text dialog box. A local attacker could issue a specially-crafted text dialog box display request (direct or via a custom application), leading to a denial of service (application crash) or, potentially, arbitrary code execution with the privileges of the user running the application using the newt library. (CVE-2009-2905) Users of newt should upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the updated packages, all applications using the newt library must be restarted for the update to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-2905 CVE-2009-2905 newt: heap-overflow in textbox when text reflowing cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. KVM is a Linux kernel module built for the standard Red Hat Enterprise Linux kernel. The kvm_emulate_hypercall() implementation was missing a check for the Current Privilege Level (CPL). A local, unprivileged user in a virtual machine could use this flaw to cause a local denial of service or escalate their privileges within that virtual machine. (CVE-2009-3290) This update also fixes the following bugs: * non-maskable interrupts (NMI) were not supported on systems with AMD processors. As a consequence, Windows Server 2008 R2 guests running with more than one virtual CPU assigned on systems with AMD processors would hang at the Windows shut down screen when a restart was attempted. This update adds support for NMI filtering on systems with AMD processors, allowing clean restarts of Windows Server 2008 R2 guests running with multiple virtual CPUs. (BZ#520694) * significant performance issues for guests running 64-bit editions of Windows. This update improves performance for guests running 64-bit editions of Windows. (BZ#521793) * Windows guests may have experienced time drift. (BZ#521794) * removing the Red Hat VirtIO Ethernet Adapter from a guest running Windows Server 2008 R2 caused KVM to crash. With this update, device removal should not cause this issue. (BZ#524557) All KVM users should upgrade to these updated packages, which contain backported patches to resolve these issues. Note: The procedure in the Solution section must be performed before this update takes effect. Important Copyright 2009 Red Hat, Inc. CVE-2009-3290 NMI filtering for AMD (Windows 2008 R2 KVM guest can not restart when set it as multiple cpus) windows 64 bit does vmexit on each cr8 access. rtc-td-hack stopped working. Time drifts in windows CVE-2009-3290 kernel: KVM: x86: Disallow hypercalls for guest callers in rings > 0 QEMU crash (during virtio-net WHQL tests for Win2008 R2) cpe:/a:redhat:rhel_virtualization Red Hat Enterprise Linux 5 OpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation. These packages include the core files necessary for both the OpenSSH client and server. A Red Hat specific patch used in the openssh packages as shipped in Red Hat Enterprise Linux 5.4 (RHSA-2009:1287) loosened certain ownership requirements for directories used as arguments for the ChrootDirectory configuration options. A malicious user that also has or previously had non-chroot shell access to a system could possibly use this flaw to escalate their privileges and run commands as any system user. (CVE-2009-2904) All OpenSSH users are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing this update, the OpenSSH server daemon (sshd) will be restarted automatically. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-2904 CVE-2009-2904 openssh: possible privilege escalation when using ChrootDirectory setting cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 ELinks is a text-based Web browser. ELinks does not display any images, but it does support frames, tables, and most other HTML tags. An off-by-one buffer overflow flaw was discovered in the way ELinks handled its internal cache of string representations for HTML special entities. A remote attacker could use this flaw to create a specially-crafted HTML file that would cause ELinks to crash or, possibly, execute arbitrary code when rendered. (CVE-2008-7224) It was discovered that ELinks tried to load translation files using relative paths. A local attacker able to trick a victim into running ELinks in a folder containing specially-crafted translation files could use this flaw to confuse the victim via incorrect translations, or cause ELinks to crash and possibly execute arbitrary code via embedded formatting sequences in translated messages. (CVE-2007-2027) All ELinks users are advised to upgrade to this updated package, which contains backported patches to resolve these issues. Important Copyright 2009 Red Hat, Inc. CVE-2007-2027 CVE-2008-7224 CVE-2007-2027 elinks tries to load .po files from a non-absolute path CVE-2008-7224 elinks: entity_cache static array buffer overflow (off-by-one) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Xen is an open source virtualization framework. Virtualization allows users to run guest operating systems in virtual machines on top of a host operating system. The pyGrub boot loader did not honor the "password" option in the grub.conf file for para-virtualized guests. Users with access to a guest's console could use this flaw to bypass intended access restrictions and boot the guest with arbitrary kernel boot options, allowing them to get root privileges in the guest's operating system. With this update, pyGrub correctly honors the "password" option in grub.conf for para-virtualized guests. (CVE-2009-3525) This update also fixes the following bugs: * rebooting para-virtualized guests sometimes caused those guests to crash due to a race condition in the xend node control daemon. This update fixes this race condition so that rebooting guests no longer potentially causes them to crash and fail to reboot. (BZ#525141) * due to a race condition in the xend daemon, a guest could disappear from the list of running guests following a reboot, even though the guest rebooted successfully and was running. This update fixes this race condition so that guests always reappear in the guest list following a reboot. (BZ#525143) * attempting to use PCI pass-through to para-virtualized guests on certain kernels failed with a "Function not implemented" error message. As a result, users requiring PCI pass-through on para-virtualized guests were not able to update the xen packages without also updating the kernel and thus requiring a reboot. These updated packages enable PCI pass-through for para-virtualized guests so that users do not need to upgrade the kernel in order to take advantage of PCI pass-through functionality. (BZ#525149) All Xen users should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the xend service must be restarted for this update to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-3525 [REG][Xen][5.4] PV domains may crash after reboot Add grub.conf password protection support to pygrub Domain goes missing from xm list when rebooted PCI-Paththrough with PCI-Card does not work anymore with RHEL5.4 CVE-2009-3525 Xen: PyGrub missing support for password configuration command cpe:/a:redhat:rhel_virtualization cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 PostgreSQL is an advanced object-relational database management system (DBMS). It was discovered that the upstream patch for CVE-2007-6600 included in the Red Hat Security Advisory RHSA-2008:0038 did not include protection against misuse of the RESET ROLE and RESET SESSION AUTHORIZATION commands. An authenticated user could use this flaw to install malicious code that would later execute with superuser privileges. (CVE-2009-3230) A flaw was found in the way PostgreSQL handled encoding conversion. A remote, authenticated user could trigger an encoding conversion failure, possibly leading to a temporary denial of service. Note: To exploit this issue, a locale and client encoding for which specific messages fail to translate must be selected (the availability of these is determined by an administrator-defined locale setting). (CVE-2009-0922) Note: For Red Hat Enterprise Linux 4, this update upgrades PostgreSQL to version 7.4.26. For Red Hat Enterprise Linux 5, this update upgrades PostgreSQL to version 8.1.18. Refer to the PostgreSQL Release Notes for a list of changes: http://www.postgresql.org/docs/7.4/static/release.html http://www.postgresql.org/docs/8.1/static/release.html All PostgreSQL users should upgrade to these updated packages, which resolve these issues. If the postgresql service is running, it will be automatically restarted after installing this update. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-0922 CVE-2009-3230 CVE-2009-0922 postgresql: potential DoS due to conversion functions CVE-2009-3230 postgresql: SQL privilege escalation, incomplete fix for CVE-2007-6600 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 PostgreSQL is an advanced object-relational database management system (DBMS). It was discovered that the upstream patch for CVE-2007-6600 included in the Red Hat Security Advisory RHSA-2008:0039 did not include protection against misuse of the RESET ROLE and RESET SESSION AUTHORIZATION commands. An authenticated user could use this flaw to install malicious code that would later execute with superuser privileges. (CVE-2009-3230) All PostgreSQL users should upgrade to these updated packages, which contain a backported patch to correct this issue. If you are running a PostgreSQL server, the postgresql service must be restarted for this update to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-3230 CVE-2009-3230 postgresql: SQL privilege escalation, incomplete fix for CVE-2007-6600 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 SquirrelMail is a standards-based webmail package written in PHP. Form submissions in SquirrelMail did not implement protection against Cross-Site Request Forgery (CSRF) attacks. If a remote attacker tricked a user into visiting a malicious web page, the attacker could hijack that user's authentication, inject malicious content into that user's preferences, or possibly send mail without that user's permission. (CVE-2009-2964) Users of SquirrelMail should upgrade to this updated package, which contains a backported patch to correct these issues. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-2964 CVE-2009-2964 squirrelmail: CSRF issues in all forms cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 Adobe Reader allows users to view and print documents in Portable Document Format (PDF). Multiple flaws were discovered in Adobe Reader. A specially-crafted PDF file could cause Adobe Reader to crash or, potentially, execute arbitrary code as the user running Adobe Reader when opened. (CVE-2009-2980, CVE-2009-2983, CVE-2009-2985, CVE-2009-2986, CVE-2009-2990, CVE-2009-2991, CVE-2009-2993, CVE-2009-2994, CVE-2009-2996, CVE-2009-2997, CVE-2009-2998, CVE-2009-3458, CVE-2009-3459, CVE-2009-3462) Multiple flaws were discovered in Adobe Reader. A specially-crafted PDF file could cause Adobe Reader to crash when opened. (CVE-2009-2979, CVE-2009-2988, CVE-2009-3431) An input validation flaw was found in Adobe Reader. Opening a specially-crafted PDF file could lead to a Trust Manager restrictions bypass. (CVE-2009-2981) All Adobe Reader users should install these updated packages. They contain Adobe Reader version 8.1.7, which is not vulnerable to these issues. All running instances of Adobe Reader must be restarted for the update to take effect. Critical Copyright 2009 Red Hat, Inc. CVE-2009-2979 CVE-2009-2980 CVE-2009-2981 CVE-2009-2983 CVE-2009-2985 CVE-2009-2986 CVE-2009-2988 CVE-2009-2990 CVE-2009-2991 CVE-2009-2993 CVE-2009-2994 CVE-2009-2996 CVE-2009-2997 CVE-2009-2998 CVE-2009-3431 CVE-2009-3458 CVE-2009-3459 CVE-2009-3462 CVE-2009-3459 acroread: heap overflow fix in version 8.1.7 (APSB09-15) acroread: Multiple arbitrary code execution fixes in 8.1.7 (APSB09-15) CVE-2009-2979 CVE-2009-2988 CVE-2009-3431 acroread: Multiple DoS fixes in 8.1.7 (APSB09-15) CVE-2009-2981 acroread: Trust Manager restrictions bypass fixed in 8.1.7 (APSB09-15) cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 3 Xpdf is an X Window System based viewer for Portable Document Format (PDF) files. Multiple integer overflow flaws were found in Xpdf. An attacker could create a malicious PDF file that would cause Xpdf to crash or, potentially, execute arbitrary code when opened. (CVE-2009-0791, CVE-2009-3604, CVE-2009-3606, CVE-2009-3609) Red Hat would like to thank Adam Zabrocki for reporting the CVE-2009-3604 issue. Users are advised to upgrade to this updated package, which contains a backported patch to correct these issues. Important Copyright 2009 Red Hat, Inc. CVE-2009-0791 CVE-2009-3604 CVE-2009-3606 CVE-2009-3609 CVE-2009-0791 xpdf: multiple integer overflows CVE-2009-3606 xpdf/poppler: PSOutputDev::doImageL1Sep integer overflow CVE-2009-3609 xpdf/poppler: ImageStream::ImageStream integer overflow CVE-2009-3604 xpdf/poppler: Splash::drawImage integer overflow and missing allocation return value check cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Xpdf is an X Window System based viewer for Portable Document Format (PDF) files. Multiple integer overflow flaws were found in Xpdf. An attacker could create a malicious PDF file that would cause Xpdf to crash or, potentially, execute arbitrary code when opened. (CVE-2009-0791, CVE-2009-1188, CVE-2009-3604, CVE-2009-3606, CVE-2009-3608, CVE-2009-3609) Red Hat would like to thank Adam Zabrocki for reporting the CVE-2009-3604 issue, and Chris Rohlf for reporting the CVE-2009-3608 issue. Users are advised to upgrade to this updated package, which contains a backported patch to correct these issues. Important Copyright 2009 Red Hat, Inc. CVE-2009-0791 CVE-2009-1188 CVE-2009-3604 CVE-2009-3606 CVE-2009-3608 CVE-2009-3609 CVE-2009-0791 xpdf: multiple integer overflows CVE-2009-1188 xpdf/poppler: SplashBitmap integer overflow CVE-2009-3608 xpdf/poppler: integer overflow in ObjectStream::ObjectStream (oCERT-2009-016) CVE-2009-3606 xpdf/poppler: PSOutputDev::doImageL1Sep integer overflow CVE-2009-3609 xpdf/poppler: ImageStream::ImageStream integer overflow CVE-2009-3604 xpdf/poppler: Splash::drawImage integer overflow and missing allocation return value check cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The kdegraphics packages contain applications for the K Desktop Environment, including KPDF, a viewer for Portable Document Format (PDF) files. Multiple integer overflow flaws were found in KPDF. An attacker could create a malicious PDF file that would cause KPDF to crash or, potentially, execute arbitrary code when opened. (CVE-2009-0791, CVE-2009-1188, CVE-2009-3604, CVE-2009-3606, CVE-2009-3608, CVE-2009-3609) Red Hat would like to thank Adam Zabrocki for reporting the CVE-2009-3604 issue, and Chris Rohlf for reporting the CVE-2009-3608 issue. Users are advised to upgrade to these updated packages, which contain a backported patch to resolve these issues. Important Copyright 2009 Red Hat, Inc. CVE-2009-0791 CVE-2009-1188 CVE-2009-3604 CVE-2009-3606 CVE-2009-3608 CVE-2009-3609 CVE-2009-0791 xpdf: multiple integer overflows CVE-2009-1188 xpdf/poppler: SplashBitmap integer overflow CVE-2009-3608 xpdf/poppler: integer overflow in ObjectStream::ObjectStream (oCERT-2009-016) CVE-2009-3606 xpdf/poppler: PSOutputDev::doImageL1Sep integer overflow CVE-2009-3609 xpdf/poppler: ImageStream::ImageStream integer overflow CVE-2009-3604 xpdf/poppler: Splash::drawImage integer overflow and missing allocation return value check cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 GPdf is a viewer for Portable Document Format (PDF) files. Multiple integer overflow flaws were found in GPdf. An attacker could create a malicious PDF file that would cause GPdf to crash or, potentially, execute arbitrary code when opened. (CVE-2009-0791, CVE-2009-1188, CVE-2009-3604, CVE-2009-3608, CVE-2009-3609) Red Hat would like to thank Adam Zabrocki for reporting the CVE-2009-3604 issue, and Chris Rohlf for reporting the CVE-2009-3608 issue. Users are advised to upgrade to this updated package, which contains a backported patch to correct these issues. Important Copyright 2009 Red Hat, Inc. CVE-2009-0791 CVE-2009-1188 CVE-2009-3604 CVE-2009-3608 CVE-2009-3609 CVE-2009-0791 xpdf: multiple integer overflows CVE-2009-1188 xpdf/poppler: SplashBitmap integer overflow CVE-2009-3608 xpdf/poppler: integer overflow in ObjectStream::ObjectStream (oCERT-2009-016) CVE-2009-3609 xpdf/poppler: ImageStream::ImageStream integer overflow CVE-2009-3604 xpdf/poppler: Splash::drawImage integer overflow and missing allocation return value check cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Poppler is a Portable Document Format (PDF) rendering library, used by applications such as Evince. Multiple integer overflow flaws were found in poppler. An attacker could create a malicious PDF file that would cause applications that use poppler (such as Evince) to crash or, potentially, execute arbitrary code when opened. (CVE-2009-3603, CVE-2009-3608, CVE-2009-3609) Red Hat would like to thank Chris Rohlf for reporting the CVE-2009-3608 issue. This update also corrects a regression introduced in the previous poppler security update, RHSA-2009:0480, that prevented poppler from rendering certain PDF documents correctly. (BZ#528147) Users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. Important Copyright 2009 Red Hat, Inc. CVE-2009-3603 CVE-2009-3608 CVE-2009-3609 CVE-2009-3608 xpdf/poppler: integer overflow in ObjectStream::ObjectStream (oCERT-2009-016) CVE-2009-3609 xpdf/poppler: ImageStream::ImageStream integer overflow CVE-2009-3603 xpdf/poppler: SplashBitmap::SplashBitmap integer overflow latest poppler security fix breaks compatibility with Xerox WorkCentre generated pdf documents cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 The IBM 1.4.2 SR13-FP1 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. This update fixes two vulnerabilities in the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. These vulnerabilities are summarized on the IBM "Security alerts" page listed in the References section. (CVE-2008-5349, CVE-2009-2625) All users of java-1.4.2-ibm are advised to upgrade to these updated packages, which contain the IBM 1.4.2 SR13-FP1 Java release. All running instances of IBM Java must be restarted for this update to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2008-5349 CVE-2009-2625 CVE-2008-5349 OpenJDK RSA public key length denial-of-service (6497740) CVE-2009-2625 OpenJDK: XML parsing Denial-Of-Service (6845701) cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 4 The kdegraphics packages contain applications for the K Desktop Environment, including KPDF, a viewer for Portable Document Format (PDF) files. Multiple integer overflow flaws were found in KPDF. An attacker could create a malicious PDF file that would cause KPDF to crash or, potentially, execute arbitrary code when opened. (CVE-2009-0791, CVE-2009-1188, CVE-2009-3604, CVE-2009-3608, CVE-2009-3609) Red Hat would like to thank Adam Zabrocki for reporting the CVE-2009-3604 issue, and Chris Rohlf for reporting the CVE-2009-3608 issue. Users are advised to upgrade to these updated packages, which contain a backported patch to resolve these issues. Important Copyright 2009 Red Hat, Inc. CVE-2009-0791 CVE-2009-1188 CVE-2009-3604 CVE-2009-3608 CVE-2009-3609 CVE-2009-0791 xpdf: multiple integer overflows CVE-2009-1188 xpdf/poppler: SplashBitmap integer overflow CVE-2009-3608 xpdf/poppler: integer overflow in ObjectStream::ObjectStream (oCERT-2009-016) CVE-2009-3609 xpdf/poppler: ImageStream::ImageStream integer overflow CVE-2009-3604 xpdf/poppler: Splash::drawImage integer overflow and missing allocation return value check cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX operating systems. The CUPS "pdftops" filter converts Portable Document Format (PDF) files to PostScript. Two integer overflow flaws were found in the CUPS "pdftops" filter. An attacker could create a malicious PDF file that would cause "pdftops" to crash or, potentially, execute arbitrary code as the "lp" user if the file was printed. (CVE-2009-3608, CVE-2009-3609) Red Hat would like to thank Chris Rohlf for reporting the CVE-2009-3608 issue. Users of cups are advised to upgrade to these updated packages, which contain a backported patch to correct these issues. After installing the update, the cupsd daemon will be restarted automatically. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-3608 CVE-2009-3609 CVE-2009-3608 xpdf/poppler: integer overflow in ObjectStream::ObjectStream (oCERT-2009-016) CVE-2009-3609 xpdf/poppler: ImageStream::ImageStream integer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues: * multiple, missing initialization flaws were found in the Linux kernel. Padding data in several core network structures was not initialized properly before being sent to user-space. These flaws could lead to information leaks. (CVE-2005-4881, CVE-2009-3228, Moderate) This update also fixes the following bugs: * a packet duplication issue was fixed via the RHSA-2008:0665 update; however, the fix introduced a problem for systems using network bonding: Backup slaves were unable to receive ARP packets. When using network bonding in the "active-backup" mode and with the "arp_validate=3" option, the bonding driver considered such backup slaves as being down (since they were not receiving ARP packets), preventing successful failover to these devices. (BZ#519384) * due to insufficient memory barriers in the network code, a process sleeping in select() may have missed notifications about new data. In rare cases, this bug may have caused a process to sleep forever. (BZ#519386) * the driver version number in the ata_piix driver was not changed between Red Hat Enterprise Linux 4.7 and Red Hat Enterprise Linux 4.8, even though changes had been made between these releases. This could have prevented the driver from loading on systems that check driver versions, as this driver appeared older than it was. (BZ#519389) * a bug in nlm_lookup_host() could have led to un-reclaimed locks on file systems, resulting in the umount command failing. This bug could have also prevented NFS services from being relocated correctly in clustered environments. (BZ#519656) * the data buffer ethtool_get_strings() allocated, for the igb driver, was smaller than the amount of data that was copied in igb_get_strings(), because of a miscalculation in IGB_QUEUE_STATS_LEN, resulting in memory corruption. This bug could have led to a kernel panic. (BZ#522738) * in some circumstances, write operations to a particular TTY device opened by more than one user (eg, one opened it as /dev/console and the other opened it as /dev/ttyS0) were blocked. If one user opened the TTY terminal without setting the O_NONBLOCK flag, this user's write operations were suspended if the output buffer was full or if a STOP (Ctrl-S) signal was sent. As well, because the O_NONBLOCK flag was not respected, Write operations for user terminals opened with the O_NONBLOCK flag set were also blocked. This update re-implements TTY locks, ensuring O_NONBLOCK works as expected, even if it a STOP signal is sent from another terminal. (BZ#523930) * a deadlock was found in the cciss driver. In rare cases, this caused an NMI lockup during boot. Messages such as "cciss: controller cciss[x] failed, stopping." and "cciss[x]: controller not responding." may have been displayed on the console. (BZ#525725) * on 64-bit PowerPC systems, a rollover bug in the ibmveth driver could have caused a kernel panic. In a reported case, this panic occurred on a system with a large uptime and under heavy network load. (BZ#527225) Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2005-4881 CVE-2009-3228 CVE-2009-3612 [RHEL 4] Arp Monitor - Failed to detect layer 2 switch failure [rhel-4.8.z] [RHEL4.5] Even if a process have received data but schedule() in select() cannot return [rhel-4.8.z] RHEL4.8-Beta : Update the version number of ata_piix driver [rhel-4.8.z] Bug in lockd prevents a locks being freed. [rhel-4.8.z] CVE-2009-3228 kernel: tc: uninitialised kernel memory leak CVE-2005-4881 kernel: netlink: fix numerous padding memleaks [RHEL4.8] igb driver doesn't allocate enough buffer for ethtool_get_strings() [rhel-4.8.z] [4.8]Write operation with O_NONBLOCK flag to TTY terminal is blocked [rhel-4.8.z] cciss: spinlock deadlock causes NMI on HP systems [rhel-4.8.z] BUG in ibmveth_replenish_buffer_pool at drivers/net/ibmveth.c:219 [rhel-4.8.z] cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 In accordance with the Red Hat Enterprise Linux Errata Support Policy, the regular 7 year life-cycle of Red Hat Enterprise Linux 3 will end on October 31, 2010. After this date, Red Hat will discontinue the regular subscription services for Red Hat Enterprise Linux 3. Therefore, new bug fix, enhancement, and security errata updates, as well as technical support services will no longer be available for the following products: * Red Hat Enterprise Linux AS 3 * Red Hat Enterprise Linux ES 3 * Red Hat Enterprise Linux WS 3 * Red Hat Enterprise Linux Extras 3 * Red Hat Desktop 3 * Red Hat Global File System 3 * Red Hat Cluster Suite 3 Customers still running production workloads on Red Hat Enterprise Linux 3 are advised to begin planning the upgrade to Red Hat Enterprise Linux 5. Active subscribers of Red Hat Enterprise Linux already have access to all currently maintained versions of Red Hat Enterprise Linux, as part of their subscription without additional fees. For customers who are unable to migrate off Red Hat Enterprise Linux 3 before its end-of-life date, Red Hat may offer a limited, optional extension program. For more information, contact your Red Hat sales representative or channel partner. Details of the Red Hat Enterprise Linux life-cycle can be found on the Red Hat website: http://www.redhat.com/security/updates/errata/ Low Copyright 2009 Red Hat, Inc. Send Out RHEL 3 1-Year EOL Notice cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Samba is a suite of programs used by machines to share files, printers, and other information. A denial of service flaw was found in the Samba smbd daemon. An authenticated, remote user could send a specially-crafted response that would cause an smbd child process to enter an infinite loop. An authenticated, remote user could use this flaw to exhaust system resources by opening multiple CIFS sessions. (CVE-2009-2906) This update also fixes the following bug: * the RHSA-2007:0354 update added code to escape input passed to scripts that are run by Samba. This code was missing "c" from the list of valid characters, causing it to be escaped. With this update, the previous patch has been updated to include "c" in the list of valid characters. (BZ#242754) Users of Samba should upgrade to these updated packages, which contain a backported patch to correct this issue. After installing this update, the smb service will be restarted automatically. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-2906 Missing character bug in latest security patches CVE-2009-2906 samba: infinite loop flaw in smbd on unexpected oplock break notification reply cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Samba is a suite of programs used by machines to share files, printers, and other information. A denial of service flaw was found in the Samba smbd daemon. An authenticated, remote user could send a specially-crafted response that would cause an smbd child process to enter an infinite loop. An authenticated, remote user could use this flaw to exhaust system resources by opening multiple CIFS sessions. (CVE-2009-2906) An uninitialized data access flaw was discovered in the smbd daemon when using the non-default "dos filemode" configuration option in "smb.conf". An authenticated, remote user with write access to a file could possibly use this flaw to change an access control list for that file, even when such access should have been denied. (CVE-2009-1888) A flaw was discovered in the way Samba handled users without a home directory set in the back-end password database (e.g. "/etc/passwd"). If a share for the home directory of such a user was created (e.g. using the automated "[homes]" share), any user able to access that share could see the whole file system, possibly bypassing intended access restrictions. (CVE-2009-2813) The mount.cifs program printed CIFS passwords as part of its debug output when running in verbose mode. When mount.cifs had the setuid bit set, a local, unprivileged user could use this flaw to disclose passwords from a file that would otherwise be inaccessible to that user. Note: mount.cifs from the samba packages distributed by Red Hat does not have the setuid bit set. This flaw only affected systems where the setuid bit was manually set by an administrator. (CVE-2009-2948) Users of Samba should upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the smb service will be restarted automatically. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-1888 CVE-2009-2813 CVE-2009-2906 CVE-2009-2948 CVE-2009-1888 Samba improper file access CVE-2009-2813 Samba: Share restriction bypass via home-less directory user account(s) CVE-2009-2948 samba: information disclosure in suid mount.cifs CVE-2009-2906 samba: infinite loop flaw in smbd on unexpected oplock break notification reply cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Firefox is an open source Web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. nspr provides the Netscape Portable Runtime (NSPR). A flaw was found in the way Firefox handles form history. A malicious web page could steal saved form data by synthesizing input events, causing the browser to auto-fill form fields (which could then be read by an attacker). (CVE-2009-3370) A flaw was found in the way Firefox creates temporary file names for downloaded files. If a local attacker knows the name of a file Firefox is going to download, they can replace the contents of that file with arbitrary contents. (CVE-2009-3274) A flaw was found in the Firefox Proxy Auto-Configuration (PAC) file processor. If Firefox loads a malicious PAC file, it could crash Firefox or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2009-3372) A heap-based buffer overflow flaw was found in the Firefox GIF image processor. A malicious GIF image could crash Firefox or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2009-3373) A heap-based buffer overflow flaw was found in the Firefox string to floating point conversion routines. A web page containing malicious JavaScript could crash Firefox or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2009-1563) A flaw was found in the way Firefox handles text selection. A malicious website may be able to read highlighted text in a different domain (e.g. another website the user is viewing), bypassing the same-origin policy. (CVE-2009-3375) A flaw was found in the way Firefox displays a right-to-left override character when downloading a file. In these cases, the name displayed in the title bar differs from the name displayed in the dialog body. An attacker could use this flaw to trick a user into downloading a file that has a file name or extension that differs from what the user expected. (CVE-2009-3376) Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2009-3374, CVE-2009-3380, CVE-2009-3382) For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 3.0.15. You can find a link to the Mozilla advisories in the References section of this errata. All Firefox users should upgrade to these updated packages, which contain Firefox version 3.0.15, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect. Critical Copyright 2009 Red Hat, Inc. CVE-2009-1563 CVE-2009-3274 CVE-2009-3370 CVE-2009-3372 CVE-2009-3373 CVE-2009-3374 CVE-2009-3375 CVE-2009-3376 CVE-2009-3380 CVE-2009-3382 CVE-2009-3274 Firefox: Predictable /tmp pathname use CVE-2009-3370 Firefox form history vulnerable to stealing CVE-2009-3372 Firefox crash in proxy auto-configuration regexp parsing CVE-2009-3373 Firefox heap buffer overflow in GIF color map parser CVE-2009-3374 Firefox chrome privilege escalation in XPCVariant::VariantDataToJS() CVE-2009-0689 (rejected CVE-2009-1563) Firefox heap buffer overflow in string to number conversion CVE-2009-3375 Firefox cross-origin data theft through document.getSelection() CVE-2009-3376 Firefox download filename spoofing with RTL override CVE-2009-3380 Firefox crashes with evidence of memory corruption CVE-2009-3382 Firefox crashes with evidence of memory corruption cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 SeaMonkey is an open source Web browser, email and newsgroup client, IRC chat client, and HTML editor. A flaw was found in the way SeaMonkey creates temporary file names for downloaded files. If a local attacker knows the name of a file SeaMonkey is going to download, they can replace the contents of that file with arbitrary contents. (CVE-2009-3274) A heap-based buffer overflow flaw was found in the SeaMonkey string to floating point conversion routines. A web page containing malicious JavaScript could crash SeaMonkey or, potentially, execute arbitrary code with the privileges of the user running SeaMonkey. (CVE-2009-1563) A flaw was found in the way SeaMonkey handles text selection. A malicious website may be able to read highlighted text in a different domain (e.g. another website the user is viewing), bypassing the same-origin policy. (CVE-2009-3375) A flaw was found in the way SeaMonkey displays a right-to-left override character when downloading a file. In these cases, the name displayed in the title bar differs from the name displayed in the dialog body. An attacker could use this flaw to trick a user into downloading a file that has a file name or extension that differs from what the user expected. (CVE-2009-3376) Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause SeaMonkey to crash or, potentially, execute arbitrary code with the privileges of the user running SeaMonkey. (CVE-2009-3380) All SeaMonkey users should upgrade to these updated packages, which correct these issues. After installing the update, SeaMonkey must be restarted for the changes to take effect. Critical Copyright 2009 Red Hat, Inc. CVE-2009-1563 CVE-2009-3274 CVE-2009-3375 CVE-2009-3376 CVE-2009-3380 CVE-2009-3385 CVE-2009-3274 Firefox: Predictable /tmp pathname use CVE-2009-0689 (rejected CVE-2009-1563) Firefox heap buffer overflow in string to number conversion CVE-2009-3375 Firefox cross-origin data theft through document.getSelection() CVE-2009-3376 Firefox download filename spoofing with RTL override CVE-2009-3380 Firefox crashes with evidence of memory corruption cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Pidgin is an instant messaging program which can log in to multiple accounts on multiple instant messaging networks simultaneously. An invalid pointer dereference bug was found in the way the Pidgin OSCAR protocol implementation processed lists of contacts. A remote attacker could send a specially-crafted contact list to a user running Pidgin, causing Pidgin to crash. (CVE-2009-3615) A NULL pointer dereference flaw was found in the way the Pidgin IRC protocol plug-in handles IRC topics. A malicious IRC server could send a specially-crafted IRC TOPIC message, which once received by Pidgin, would lead to a denial of service (Pidgin crash). (CVE-2009-2703) A NULL pointer dereference flaw was found in the way the Pidgin MSN protocol plug-in handles improper MSNSLP invitations. A remote attacker could send a specially-crafted MSNSLP invitation request, which once accepted by a valid Pidgin user, would lead to a denial of service (Pidgin crash). (CVE-2009-3083) All Pidgin users should upgrade to this updated package, which contains backported patches to resolve these issues. Pidgin must be restarted for this update to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-2703 CVE-2009-3083 CVE-2009-3615 CVE-2009-2703 Pidgin: NULL pointer dereference by handling IRC topic(s) (DoS) CVE-2009-3083 Pidgin: NULL pointer dereference by processing incomplete MSN SLP invite (DoS) CVE-2009-3615 Pidgin: Invalid pointer dereference (crash) after receiving contacts from SIM IM client cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Pidgin is an instant messaging program which can log in to multiple accounts on multiple instant messaging networks simultaneously. The AOL Open System for Communication in Realtime (OSCAR) protocol is used by the AOL ICQ and AIM instant messaging systems. An invalid pointer dereference bug was found in the way the Pidgin OSCAR protocol implementation processed lists of contacts. A remote attacker could send a specially-crafted contact list to a user running Pidgin, causing Pidgin to crash. (CVE-2009-3615) These packages upgrade Pidgin to version 2.6.3. Refer to the Pidgin release notes for a full list of changes: http://developer.pidgin.im/wiki/ChangeLog All Pidgin users should upgrade to these updated packages, which correct this issue. Pidgin must be restarted for this update to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-3615 CVE-2009-3615 Pidgin: Invalid pointer dereference (crash) after receiving contacts from SIM IM client cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues: * a NULL pointer dereference flaw was found in each of the following functions in the Linux kernel: pipe_read_open(), pipe_write_open(), and pipe_rdwr_open(). When the mutex lock is not held, the i_pipe pointer could be released by other processes before it is used to update the pipe's reader and writer counters. This could lead to a local denial of service or privilege escalation. (CVE-2009-3547, Important) Users should upgrade to these updated packages, which contain a backported patch to correct these issues. The system must be rebooted for this update to take effect. Important Copyright 2009 Red Hat, Inc. CVE-2009-3547 CVE-2009-3547 kernel: fs: pipe.c null pointer dereference cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security fixes: * a system with SELinux enforced was more permissive in allowing local users in the unconfined_t domain to map low memory areas even if the mmap_min_addr restriction was enabled. This could aid in the local exploitation of NULL pointer dereference bugs. (CVE-2009-2695, Important) * a NULL pointer dereference flaw was found in the eCryptfs implementation in the Linux kernel. A local attacker could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2908, Important) * a flaw was found in the NFSv4 implementation. The kernel would do an unnecessary permission check after creating a file. This check would usually fail and leave the file with the permission bits set to random values. Note: This is a server-side only issue. (CVE-2009-3286, Important) * a NULL pointer dereference flaw was found in each of the following functions in the Linux kernel: pipe_read_open(), pipe_write_open(), and pipe_rdwr_open(). When the mutex lock is not held, the i_pipe pointer could be released by other processes before it is used to update the pipe's reader and writer counters. This could lead to a local denial of service or privilege escalation. (CVE-2009-3547, Important) * a flaw was found in the Realtek r8169 Ethernet driver in the Linux kernel. pci_unmap_single() presented a memory leak that could lead to IOMMU space exhaustion and a system crash. An attacker on the local network could abuse this flaw by using jumbo frames for large amounts of network traffic. (CVE-2009-3613, Important) * missing initialization flaws were found in the Linux kernel. Padding data in several core network structures was not initialized properly before being sent to user-space. These flaws could lead to information leaks. (CVE-2009-3228, Moderate) Bug fixes: * with network bonding in the "balance-tlb" or "balance-alb" mode, the primary setting for the primary slave device was lost when said device was brought down. Bringing the slave back up did not restore the primary setting. (BZ#517971) * some faulty serial device hardware caused systems running the kernel-xen kernel to take a very long time to boot. (BZ#524153) * a caching bug in nfs_readdir() may have caused NFS clients to see duplicate files or not see all files in a directory. (BZ#526960) * the RHSA-2009:1243 update removed the mpt_msi_enable option, preventing certain scripts from running. This update adds the option back. (BZ#526963) * an iptables rule with the recent module and a hit count value greater than the ip_pkt_list_tot parameter (the default is 20), did not have any effect over packets, as the hit count could not be reached. (BZ#527434) * a check has been added to the IPv4 code to make sure that rt is not NULL, to help prevent future bugs in functions that call ip_append_data() from being exploitable. (BZ#527436) * a kernel panic occurred in certain conditions after reconfiguring a tape drive's block size. (BZ#528133) * when using the Linux Virtual Server (LVS) in a master and backup configuration, and propagating active connections on the master to the backup, the connection timeout value on the backup was hard-coded to 180 seconds, meaning connection information on the backup was soon lost. This could prevent the successful failover of connections. The timeout value can now be set via "ipvsadm --set". (BZ#528645) * a bug in nfs4_do_open_expired() could have caused the reclaimer thread on an NFSv4 client to enter an infinite loop. (BZ#529162) * MSI interrupts may not have been delivered for r8169 based network cards that have MSI interrupts enabled. This bug only affected certain systems. (BZ#529366) Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect. Important Copyright 2009 Red Hat, Inc. CVE-2009-2695 CVE-2009-2908 CVE-2009-3228 CVE-2009-3286 CVE-2009-3547 CVE-2009-3613 CVE-2009-2695 kernel: SELinux and mmap_min_addr A bond's preferred primary setting is lost after bringing down and up of the primary slave. [rhel-5.4.z] CVE-2009-3228 kernel: tc: uninitialised kernel memory leak dom0 freeze during kernel startup [rhel-5.4.z] CVE-2009-3286 kernel: O_EXCL creates on NFSv4 are broken [NetApp 5.5 bug] nfs_readdir() may fail to return all the files in the directory [rhel-5.4.z] [RFE] Re-enable "mpt_msi_enable" option in RHEL5 [rhel-5.4.z] kernel: ipt_recent: sanity check hit count [rhel-5.4.z] kernel: ipv4: make ip_append_data() handle NULL routing table [rhel-5.4.z] CVE-2009-2908 kernel ecryptfs NULL pointer dereference kernel panics from list corruption when using a tape drive connected through cciss adapter [rhel-5.4.z] LVS master and backup director - Synchronised connections on backup director have unsuitable timeout value [rhel-5.4.z] CVE-2009-3613 kernel: flood ping cause out-of-iommu error and panic when mtu larger than 1500 NFSv4 reclaimer thread in an infinite loop [rhel-5.4.z] r8169 stopping all activity until the link is reset [rhel-5.4.z] CVE-2009-3547 kernel: fs: pipe.c null pointer dereference cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 GNU Wget is a file retrieval utility that can use HTTP, HTTPS, and FTP. Daniel Stenberg reported that Wget is affected by the previously published "null prefix attack", caused by incorrect handling of NULL characters in X.509 certificates. If an attacker is able to get a carefully-crafted certificate signed by a trusted Certificate Authority, the attacker could use the certificate during a man-in-the-middle attack and potentially confuse Wget into accepting it by mistake. (CVE-2009-3490) Wget users should upgrade to this updated package, which contains a backported patch to correct this issue. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-3490 CVE-2009-3490 wget: incorrect verification of SSL certificate with NUL in name cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security fixes: * when fput() was called to close a socket, the __scm_destroy() function in the Linux kernel could make indirect recursive calls to itself. This could, potentially, lead to a denial of service issue. (CVE-2008-5029, Important) * the sendmsg() function in the Linux kernel did not block during UNIX socket garbage collection. This could, potentially, lead to a local denial of service. (CVE-2008-5300, Important) * the exit_notify() function in the Linux kernel did not properly reset the exit signal if a process executed a set user ID (setuid) application before exiting. This could allow a local, unprivileged user to elevate their privileges. (CVE-2009-1337, Important) * a flaw was found in the Intel PRO/1000 network driver in the Linux kernel. Frames with sizes near the MTU of an interface may be split across multiple hardware receive descriptors. Receipt of such a frame could leak through a validation check, leading to a corruption of the length check. A remote attacker could use this flaw to send a specially-crafted packet that would cause a denial of service or code execution. (CVE-2009-1385, Important) * the ADDR_COMPAT_LAYOUT and MMAP_PAGE_ZERO flags were not cleared when a setuid or setgid program was executed. A local, unprivileged user could use this flaw to bypass the mmap_min_addr protection mechanism and perform a NULL pointer dereference attack, or bypass the Address Space Layout Randomization (ASLR) security feature. (CVE-2009-1895, Important) * it was discovered that, when executing a new process, the clear_child_tid pointer in the Linux kernel is not cleared. If this pointer points to a writable portion of the memory of the new program, the kernel could corrupt four bytes of memory, possibly leading to a local denial of service or privilege escalation. (CVE-2009-2848, Important) * missing initialization flaws were found in getname() implementations in the IrDA sockets, AppleTalk DDP protocol, NET/ROM protocol, and ROSE protocol implementations in the Linux kernel. Certain data structures in these getname() implementations were not initialized properly before being copied to user-space. These flaws could lead to an information leak. (CVE-2009-3002, Important) * a NULL pointer dereference flaw was found in each of the following functions in the Linux kernel: pipe_read_open(), pipe_write_open(), and pipe_rdwr_open(). When the mutex lock is not held, the i_pipe pointer could be released by other processes before it is used to update the pipe's reader and writer counters. This could lead to a local denial of service or privilege escalation. (CVE-2009-3547, Important) Bug fixes: * this update adds the mmap_min_addr tunable and restriction checks to help prevent unprivileged users from creating new memory mappings below the minimum address. This can help prevent the exploitation of NULL pointer dereference bugs. Note that mmap_min_addr is set to zero (disabled) by default for backwards compatibility. (BZ#512642) * a bridge reference count problem in IPv6 has been fixed. (BZ#457010) * enforce null-termination of user-supplied arguments to setsockopt(). (BZ#505514) * the gcc flag "-fno-delete-null-pointer-checks" was added to the kernel build options. This prevents gcc from optimizing out NULL pointer checks after the first use of a pointer. NULL pointer bugs are often exploited by attackers. Keeping these checks is a safety measure. (BZ#511185) * a check has been added to the IPv4 code to make sure that rt is not NULL, to help prevent future bugs in functions that call ip_append_data() from being exploitable. (BZ#520300) Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect. Important Copyright 2009 Red Hat, Inc. CVE-2008-5029 CVE-2008-5300 CVE-2009-1337 CVE-2009-1385 CVE-2009-1895 CVE-2009-2848 CVE-2009-3002 CVE-2009-3547 ipv6: use timer pending to fix bridge reference count problem [rhel-3.9] CVE-2008-5029 kernel: Unix sockets kernel panic CVE-2008-5300 kernel: fix soft lockups/OOM issues with unix socket garbage collector CVE-2009-1337 kernel: exit_notify: kill the wrong capable(CAP_KILL) check CVE-2009-1385 kernel: e1000_clean_rx_irq() denial of service kernel: ensure devname passed to SO_BINDTODEVICE is NULL-terminated [rhel-3] CVE-2009-1895 kernel: personality: fix PER_CLEAR_ON_SETID kernel: build with -fno-delete-null-pointer-checks [rhel-3] kernel: security: implement mmap_min_addr infrastructure [rhel-3] CVE-2009-2848 kernel: execve: must clear current->clear_child_tid CVE-2009-3001, CVE-2009-3002 kernel: numerous getname() infoleaks kernel: ipv4: make ip_append_data() handle NULL routing table [rhel-3] CVE-2009-3547 kernel: fs: pipe.c null pointer dereference cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 The Sun 1.6.0 Java release includes the Sun Java 6 Runtime Environment and the Sun Java 6 Software Development Kit. This update fixes several vulnerabilities in the Sun Java 6 Runtime Environment and the Sun Java 6 Software Development Kit. These vulnerabilities are summarized on the "Advance notification of Security Updates for Java SE" page from Sun Microsystems, listed in the References section. (CVE-2009-2409, CVE-2009-3728, CVE-2009-3729, CVE-2009-3865, CVE-2009-3866, CVE-2009-3867, CVE-2009-3868, CVE-2009-3869, CVE-2009-3871, CVE-2009-3872, CVE-2009-3873, CVE-2009-3874, CVE-2009-3875, CVE-2009-3876, CVE-2009-3877, CVE-2009-3879, CVE-2009-3880, CVE-2009-3881, CVE-2009-3882, CVE-2009-3883, CVE-2009-3884, CVE-2009-3886) Users of java-1.6.0-sun should upgrade to these updated packages, which correct these issues. All running instances of Sun Java must be restarted for the update to take effect. Critical Copyright 2009 Red Hat, Inc. CVE-2009-2409 CVE-2009-3728 CVE-2009-3729 CVE-2009-3865 CVE-2009-3866 CVE-2009-3867 CVE-2009-3868 CVE-2009-3869 CVE-2009-3871 CVE-2009-3872 CVE-2009-3873 CVE-2009-3874 CVE-2009-3875 CVE-2009-3876 CVE-2009-3877 CVE-2009-3879 CVE-2009-3880 CVE-2009-3881 CVE-2009-3882 CVE-2009-3883 CVE-2009-3884 CVE-2009-3886 CVE-2009-2409 deprecate MD2 in SSL cert validation (Kaminsky) CVE-2009-3873 OpenJDK JPEG Image Writer quantization problem (6862968) CVE-2009-3875 OpenJDK MessageDigest.isEqual introduces timing attack vulnerabilities (6863503) CVE-2009-3876 OpenJDK ASN.1/DER input stream parser denial of service (6864911) CVE-2009-3877 CVE-2009-3869 OpenJDK JRE AWT setDifflCM stack overflow (6872357) CVE-2009-3871 OpenJDK JRE AWT setBytePixels heap overflow (6872358) CVE-2009-3874 OpenJDK ImageI/O JPEG heap overflow (6874643) CVE-2009-3728 OpenJDK ICC_Profile file existence detection information leak (6631533) CVE-2009-3881 OpenJDK resurrected classloaders can still have children (6636650) CVE-2009-3882 CVE-2009-3883 OpenJDK information leaks in mutable variables (6657026,6657138) CVE-2009-3880 OpenJDK UI logging information leakage(6664512) CVE-2009-3879 OpenJDK GraphicsConfiguration information leak(6822057) CVE-2009-3884 OpenJDK zoneinfo file existence information leak (6824265) CVE-2009-3729 JRE TrueType font parsing crash (6815780) CVE-2009-3872 JRE JPEG JFIF Decoder issue (6862969) CVE-2009-3886 JRE REGRESSION:have problem to run JNLP app and applets with signed Jar files (6870531) CVE-2009-3865 java-1.6.0-sun: ACE in JRE Deployment Toolkit (6869752) CVE-2009-3866 java-1.6.0-sun: Privilege escalation in the Java Web Start Installer (6872824) CVE-2009-3867 java-1.5.0-sun, java-1.6.0-sun: Stack-based buffer overflow via a long file: URL argument (6854303) CVE-2009-3868 java-1.5.0-sun, java-1.6.0-sun: Privilege escalation via crafted image file due improper color profiles parsing (6862970) cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The libvorbis packages contain runtime libraries for use in programs that support Ogg Vorbis. Ogg Vorbis is a fully open, non-proprietary, patent-and royalty-free, general-purpose compressed audio format. Multiple flaws were found in the libvorbis library. A specially-crafted Ogg Vorbis media format file (Ogg) could cause an application using libvorbis to crash or, possibly, execute arbitrary code when opened. (CVE-2009-3379) Users of libvorbis should upgrade to these updated packages, which contain backported patches to correct these issues. The desktop must be restarted (log out, then log back in) for this update to take effect. Important Copyright 2009 Red Hat, Inc. CVE-2009-3379 CVE-2009-3379 libvorbis: security fixes mentioned in MFSA 2009-63 cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 The Sun 1.5.0 Java release includes the Sun Java 5 Runtime Environment and the Sun Java 5 Software Development Kit. This update fixes several vulnerabilities in the Sun Java 5 Runtime Environment and the Sun Java 5 Software Development Kit. These vulnerabilities are summarized on the "Advance notification of Security Updates for Java SE" page from Sun Microsystems, listed in the References section. (CVE-2009-2409, CVE-2009-3728, CVE-2009-3873, CVE-2009-3876, CVE-2009-3877, CVE-2009-3879, CVE-2009-3880, CVE-2009-3881, CVE-2009-3882, CVE-2009-3883, CVE-2009-3884) Note: This is the final update for the java-1.5.0-sun packages, as the Sun Java SE Release family 5.0 has now reached End of Service Life. The next update will remove the java-1.5.0-sun packages. An alternative to Sun Java SE 5.0 is the Java 2 Technology Edition of the IBM Developer Kit for Linux, which is available from the Extras and Supplementary channels on the Red Hat Network. For users of applications that are capable of using the Java 6 runtime, the OpenJDK open source JDK is included in Red Hat Enterprise Linux 5 (since 5.3) and is supported by Red Hat. Users of java-1.5.0-sun should upgrade to these updated packages, which correct these issues. All running instances of Sun Java must be restarted for the update to take effect. Critical Copyright 2009 Red Hat, Inc. CVE-2009-2409 CVE-2009-3728 CVE-2009-3867 CVE-2009-3868 CVE-2009-3869 CVE-2009-3871 CVE-2009-3873 CVE-2009-3874 CVE-2009-3875 CVE-2009-3876 CVE-2009-3877 CVE-2009-3879 CVE-2009-3880 CVE-2009-3881 CVE-2009-3882 CVE-2009-3883 CVE-2009-3884 CVE-2009-2409 deprecate MD2 in SSL cert validation (Kaminsky) CVE-2009-3873 OpenJDK JPEG Image Writer quantization problem (6862968) CVE-2009-3876 OpenJDK ASN.1/DER input stream parser denial of service (6864911) CVE-2009-3877 CVE-2009-3728 OpenJDK ICC_Profile file existence detection information leak (6631533) CVE-2009-3881 OpenJDK resurrected classloaders can still have children (6636650) CVE-2009-3882 CVE-2009-3883 OpenJDK information leaks in mutable variables (6657026,6657138) CVE-2009-3880 OpenJDK UI logging information leakage(6664512) CVE-2009-3879 OpenJDK GraphicsConfiguration information leak(6822057) CVE-2009-3884 OpenJDK zoneinfo file existence information leak (6824265) cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The 4Suite package contains XML-related tools and libraries for Python, including 4DOM, 4XSLT, 4XPath, 4RDF, and 4XPointer. A buffer over-read flaw was found in the way 4Suite's XML parser handles malformed UTF-8 sequences when processing XML files. A specially-crafted XML file could cause applications using the 4Suite library to crash while parsing the file. (CVE-2009-3720) Note: In Red Hat Enterprise Linux 3, this flaw only affects a non-default configuration of the 4Suite package: configurations where the beta version of the cDomlette module is enabled. All 4Suite users should upgrade to this updated package, which contains a backported patch to correct this issue. After installing the updated package, applications using the 4Suite XML-related tools and libraries must be restarted for the update to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-3720 CVE-2009-3720 expat: buffer over-read and crash on XML with malformed UTF-8 sequences cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 3 The Apache HTTP Server is a popular Web server. A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocols handle session renegotiation. A man-in-the-middle attacker could use this flaw to prefix arbitrary plain text to a client's session (for example, an HTTPS connection to a website). This could force the server to process an attacker's request as if authenticated using the victim's credentials. This update partially mitigates this flaw for SSL sessions to HTTP servers using mod_ssl by rejecting client-requested renegotiation. (CVE-2009-3555) Note: This update does not fully resolve the issue for HTTPS servers. An attack is still possible in configurations that require a server-initiated renegotiation. Refer to the following Knowledgebase article for further information: http://kbase.redhat.com/faq/docs/DOC-20491 A NULL pointer dereference flaw was found in the Apache mod_proxy_ftp module. A malicious FTP server to which requests are being proxied could use this flaw to crash an httpd child process via a malformed reply to the EPSV or PASV commands, resulting in a limited denial of service. (CVE-2009-3094) A second flaw was found in the Apache mod_proxy_ftp module. In a reverse proxy configuration, a remote attacker could use this flaw to bypass intended access restrictions by creating a carefully-crafted HTTP Authorization header, allowing the attacker to send arbitrary commands to the FTP server. (CVE-2009-3095) All httpd users should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd daemon must be restarted for the update to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-3094 CVE-2009-3095 CVE-2009-3555 CVE-2009-3094 httpd: NULL pointer defer in mod_proxy_ftp caused by crafted EPSV and PASV reply CVE-2009-3095 httpd: mod_proxy_ftp FTP command injection via Authorization HTTP header CVE-2009-3555 TLS: MITM attacks via session renegotiation cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The Apache HTTP Server is a popular Web server. A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocols handle session renegotiation. A man-in-the-middle attacker could use this flaw to prefix arbitrary plain text to a client's session (for example, an HTTPS connection to a website). This could force the server to process an attacker's request as if authenticated using the victim's credentials. This update partially mitigates this flaw for SSL sessions to HTTP servers using mod_ssl by rejecting client-requested renegotiation. (CVE-2009-3555) Note: This update does not fully resolve the issue for HTTPS servers. An attack is still possible in configurations that require a server-initiated renegotiation. Refer to the following Knowledgebase article for further information: http://kbase.redhat.com/faq/docs/DOC-20491 A denial of service flaw was found in the Apache mod_deflate module. This module continued to compress large files until compression was complete, even if the network connection that requested the content was closed before compression completed. This would cause mod_deflate to consume large amounts of CPU if mod_deflate was enabled for a large file. (CVE-2009-1891) A NULL pointer dereference flaw was found in the Apache mod_proxy_ftp module. A malicious FTP server to which requests are being proxied could use this flaw to crash an httpd child process via a malformed reply to the EPSV or PASV commands, resulting in a limited denial of service. (CVE-2009-3094) A second flaw was found in the Apache mod_proxy_ftp module. In a reverse proxy configuration, a remote attacker could use this flaw to bypass intended access restrictions by creating a carefully-crafted HTTP Authorization header, allowing the attacker to send arbitrary commands to the FTP server. (CVE-2009-3095) All httpd users should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd daemon must be restarted for the update to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-1891 CVE-2009-3094 CVE-2009-3095 CVE-2009-3555 CVE-2009-1891 httpd: possible temporary DoS (CPU consumption) in mod_deflate CVE-2009-3094 httpd: NULL pointer defer in mod_proxy_ftp caused by crafted EPSV and PASV reply CVE-2009-3095 httpd: mod_proxy_ftp FTP command injection via Authorization HTTP header CVE-2009-3555 TLS: MITM attacks via session renegotiation cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 The IBM 1.6.0 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. This update fixes several vulnerabilities in the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. These vulnerabilities are summarized on the IBM "Security alerts" page listed in the References section. (CVE-2009-2625, CVE-2009-2670, CVE-2009-2671, CVE-2009-2672, CVE-2009-2673, CVE-2009-2674, CVE-2009-2675, CVE-2009-2676) All users of java-1.6.0-ibm are advised to upgrade to these updated packages, containing the IBM 1.6.0 SR6 Java release. All running instances of IBM Java must be restarted for the update to take effect. Critical Copyright 2009 Red Hat, Inc. CVE-2009-2625 CVE-2009-2670 CVE-2009-2671 CVE-2009-2672 CVE-2009-2673 CVE-2009-2674 CVE-2009-2675 CVE-2009-2676 CVE-2009-2670 OpenJDK Untrusted applet System properties access (6738524) CVE-2009-2671 CVE-2009-2672 OpenJDK Proxy mechanism information leaks (6801071) CVE-2009-2673 OpenJDK proxy mechanism allows non-authorized socket connections (6801497) CVE-2009-2674 Java Web Start Buffer JPEG processing integer overflow (6823373) CVE-2009-2675 Java Web Start Buffer unpack200 processing integer overflow (6830335) CVE-2009-2625 OpenJDK: XML parsing Denial-Of-Service (6845701) CVE-2009-2676 JRE applet launcher vulnerability cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 5 These packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software Development Kit. The Java Runtime Environment (JRE) contains the software and tools that users need to run applications written using the Java programming language. An integer overflow flaw and buffer overflow flaws were found in the way the JRE processed image files. An untrusted applet or application could use these flaws to extend its privileges, allowing it to read and write local files, as well as to execute local applications with the privileges of the user running the applet or application. (CVE-2009-3869, CVE-2009-3871, CVE-2009-3873, CVE-2009-3874) An information leak was found in the JRE. An untrusted applet or application could use this flaw to extend its privileges, allowing it to read and write local files, as well as to execute local applications with the privileges of the user running the applet or application. (CVE-2009-3881) It was discovered that the JRE still accepts certificates with MD2 hash signatures, even though MD2 is no longer considered a cryptographically strong algorithm. This could make it easier for an attacker to create a malicious certificate that would be treated as trusted by the JRE. With this update, the JRE disables the use of the MD2 algorithm inside signatures by default. (CVE-2009-2409) A timing attack flaw was found in the way the JRE processed HMAC digests. This flaw could aid an attacker using forged digital signatures to bypass authentication checks. (CVE-2009-3875) Two denial of service flaws were found in the JRE. These could be exploited in server-side application scenarios that process DER-encoded (Distinguished Encoding Rules) data. (CVE-2009-3876, CVE-2009-3877) An information leak was found in the way the JRE handled color profiles. An attacker could use this flaw to discover the existence of files outside of the color profiles directory. (CVE-2009-3728) A flaw in the JRE with passing arrays to the X11GraphicsDevice API was found. An untrusted applet or application could use this flaw to access and modify the list of supported graphics configurations. This flaw could also lead to sensitive information being leaked to unprivileged code. (CVE-2009-3879) It was discovered that the JRE passed entire objects to the logging API. This could lead to sensitive information being leaked to either untrusted or lower-privileged code from an attacker-controlled applet which has access to the logging API and is therefore able to manipulate (read and/or call) the passed objects. (CVE-2009-3880) Potential information leaks were found in various mutable static variables. These could be exploited in application scenarios that execute untrusted scripting code. (CVE-2009-3882, CVE-2009-3883) An information leak was found in the way the TimeZone.getTimeZone method was handled. This method could load time zone files that are outside of the [JRE_HOME]/lib/zi/ directory, allowing a remote attacker to probe the local file system. (CVE-2009-3884) Note: The flaws concerning applets in this advisory, CVE-2009-3869, CVE-2009-3871, CVE-2009-3873, CVE-2009-3874, CVE-2009-3879, CVE-2009-3880, CVE-2009-3881 and CVE-2009-3884, can only be triggered in java-1.6.0-openjdk by calling the "appletviewer" application. All users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect. Important Copyright 2009 Red Hat, Inc. CVE-2009-2409 CVE-2009-3728 CVE-2009-3869 CVE-2009-3871 CVE-2009-3873 CVE-2009-3874 CVE-2009-3875 CVE-2009-3876 CVE-2009-3877 CVE-2009-3879 CVE-2009-3880 CVE-2009-3881 CVE-2009-3882 CVE-2009-3883 CVE-2009-3884 CVE-2009-2409 deprecate MD2 in SSL cert validation (Kaminsky) CVE-2009-3873 OpenJDK JPEG Image Writer quantization problem (6862968) CVE-2009-3875 OpenJDK MessageDigest.isEqual introduces timing attack vulnerabilities (6863503) CVE-2009-3876 OpenJDK ASN.1/DER input stream parser denial of service (6864911) CVE-2009-3877 CVE-2009-3869 OpenJDK JRE AWT setDifflCM stack overflow (6872357) CVE-2009-3871 OpenJDK JRE AWT setBytePixels heap overflow (6872358) CVE-2009-3874 OpenJDK ImageI/O JPEG heap overflow (6874643) CVE-2009-3728 OpenJDK ICC_Profile file existence detection information leak (6631533) CVE-2009-3881 OpenJDK resurrected classloaders can still have children (6636650) CVE-2009-3882 CVE-2009-3883 OpenJDK information leaks in mutable variables (6657026,6657138) CVE-2009-3880 OpenJDK UI logging information leakage(6664512) CVE-2009-3879 OpenJDK GraphicsConfiguration information leak(6822057) CVE-2009-3884 OpenJDK zoneinfo file existence information leak (6824265) cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 Samba is a suite of programs used by machines to share files, printers, and other information. These samba3x packages provide Samba 3.3, which is a Technology Preview for Red Hat Enterprise Linux 5. These packages cannot be installed in parallel with the samba packages. Note: Technology Previews are not intended for production use. A denial of service flaw was found in the Samba smbd daemon. An authenticated, remote user could send a specially-crafted response that would cause an smbd child process to enter an infinite loop. An authenticated, remote user could use this flaw to exhaust system resources by opening multiple CIFS sessions. (CVE-2009-2906) An uninitialized data access flaw was discovered in the smbd daemon when using the non-default "dos filemode" configuration option in "smb.conf". An authenticated, remote user with write access to a file could possibly use this flaw to change an access control list for that file, even when such access should have been denied. (CVE-2009-1888) A flaw was discovered in the way Samba handled users without a home directory set in the back-end password database (e.g. "/etc/passwd"). If a share for the home directory of such a user was created (e.g. using the automated "[homes]" share), any user able to access that share could see the whole file system, possibly bypassing intended access restrictions. (CVE-2009-2813) The mount.cifs program printed CIFS passwords as part of its debug output when running in verbose mode. When mount.cifs had the setuid bit set, a local, unprivileged user could use this flaw to disclose passwords from a file that would otherwise be inaccessible to that user. Note: mount.cifs from the samba3x packages distributed by Red Hat does not have the setuid bit set. This flaw only affected systems where the setuid bit was manually set by an administrator. (CVE-2009-2948) This update also fixes the following bugs: * the samba3x packages contained missing and conflicting license information. License information was missing for the libtalloc, libtdb, and tdb-tools packages. The samba3x-common package provided a COPYING file; however, it stated the license was GPLv2, while RPM metadata stated the licenses were either GPLv3 or LGPLv3. This update adds the correct licensing information to the samba3x-common, libsmbclient, libtalloc, libtdb, and tdb-tools packages. (BZ#528633) * the upstream Samba version in the samba3x packages distributed with the RHEA-2009:1399 update contained broken implementations of the Netlogon credential chain and SAMR access checks security subsystems. This prevented Samba from acting as a domain controller: Client systems could not join the domain; users could not authenticate; and systems could not access the user and group list. (BZ#524551) * this update resolves interoperability issues with Windows 7 and Windows Server 2008 R2. (BZ#529022) These packages upgrade Samba from version 3.3.5 to version 3.3.8. Refer to the Samba Release Notes for a list of changes between versions: http://samba.org/samba/history/ Users of samba3x should upgrade to these updated packages, which resolve these issues. After installing this update, the smb service will be restarted automatically. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-1888 CVE-2009-2813 CVE-2009-2906 CVE-2009-2948 CVE-2009-1888 Samba improper file access CVE-2009-2813 Samba: Share restriction bypass via home-less directory user account(s) samba3x 3.3.4 is broken as domain controller CVE-2009-2948 samba: information disclosure in suid mount.cifs CVE-2009-2906 samba: infinite loop flaw in smbd on unexpected oplock break notification reply License problem for Samba3X in x86_64 supplementary image Interoperation with Windows 7 and Windows 2008 (R2) broken cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 5 The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX operating systems. A use-after-free flaw was found in the way CUPS handled references in its file descriptors-handling interface. A remote attacker could, in a specially-crafted way, query for the list of current print jobs for a specific printer, leading to a denial of service (cupsd crash). (CVE-2009-3553) Several cross-site scripting (XSS) flaws were found in the way the CUPS web server interface processed HTML form content. If a remote attacker could trick a local user who is logged into the CUPS web interface into visiting a specially-crafted HTML page, the attacker could retrieve and potentially modify confidential CUPS administration data. (CVE-2009-2820) Red Hat would like to thank Aaron Sigel of Apple Product Security for responsibly reporting the CVE-2009-2820 issue. Users of cups are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the update, the cupsd daemon will be restarted automatically. Moderate Copyright 2010 Red Hat, Inc. CVE-2009-2820 CVE-2009-3553 CVE-2009-2820 cups: Several XSS flaws in forms processed by CUPS web interface CVE-2009-3553 cups: Use-after-free (crash) due improper reference counting in abstract file descriptors handling interface cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The kdelibs packages provide libraries for the K Desktop Environment (KDE). A buffer overflow flaw was found in the kdelibs string to floating point conversion routines. A web page containing malicious JavaScript could crash Konqueror or, potentially, execute arbitrary code with the privileges of the user running Konqueror. (CVE-2009-0689) Users should upgrade to these updated packages, which contain a backported patch to correct this issue. The desktop must be restarted (log out, then log back in) for this update to take effect. Critical Copyright 2009 Red Hat, Inc. CVE-2009-0689 CVE-2009-0689 kdelibs remote array overrun cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The xerces-j2 packages provide the Apache Xerces2 Java Parser, a high-performance XML parser. A Document Type Definition (DTD) defines the legal syntax (and also which elements can be used) for certain types of files, such as XML files. A flaw was found in the way the Apache Xerces2 Java Parser processed the SYSTEM identifier in DTDs. A remote attacker could provide a specially-crafted XML file, which once parsed by an application using the Apache Xerces2 Java Parser, would lead to a denial of service (application hang due to excessive CPU use). (CVE-2009-2625) Users should upgrade to these updated packages, which contain a backported patch to correct this issue. Applications using the Apache Xerces2 Java Parser must be restarted for this update to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-2625 CVE-2009-2625 OpenJDK: XML parsing Denial-Of-Service (6845701) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Dstat is a versatile replacement for the vmstat, iostat, and netstat tools. Dstat can be used for performance tuning tests, benchmarks, and troubleshooting. Robert Buchholz of the Gentoo Security Team reported a flaw in the Python module search path used in dstat. If a local attacker could trick a local user into running dstat from a directory containing a Python script that is named like an importable module, they could execute arbitrary code with the privileges of the user running dstat. (CVE-2009-3894) All dstat users should upgrade to this updated package, which contains a backported patch to correct this issue. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-3894 CVE-2009-3894 dstat insecure module search path cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. Michael Sinatra discovered that BIND was incorrectly caching responses without performing proper DNSSEC validation, when those responses were received during the resolution of a recursive client query that requested DNSSEC records but indicated that checking should be disabled. A remote attacker could use this flaw to bypass the DNSSEC validation check and perform a cache poisoning attack if the target BIND server was receiving such client queries. (CVE-2009-4022) All BIND users are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing the update, the BIND daemon (named) will be restarted automatically. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-4022 CVE-2009-4022 bind: cache poisoning using not validated DNSSEC responses cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 Expat is a C library written by James Clark for parsing XML documents. Two buffer over-read flaws were found in the way Expat handled malformed UTF-8 sequences when processing XML files. A specially-crafted XML file could cause applications using Expat to crash while parsing the file. (CVE-2009-3560, CVE-2009-3720) All expat users should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, applications using the Expat library must be restarted for the update to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-3560 CVE-2009-3720 CVE-2009-3720 expat: buffer over-read and crash on XML with malformed UTF-8 sequences CVE-2009-3560 expat: buffer over-read and crash in big2_toUtf8() on XML with malformed UTF-8 sequences cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 acpid is a daemon that dispatches ACPI (Advanced Configuration and Power Interface) events to user-space programs. It was discovered that acpid could create its log file ("/var/log/acpid") with random permissions on some systems. A local attacker could use this flaw to escalate their privileges if the log file was created as world-writable and with the setuid or setgid bit set. (CVE-2009-4033) Please note that this flaw was due to a Red Hat-specific patch (acpid-1.0.4-fd.patch) included in the Red Hat Enterprise Linux 5 acpid package. Users are advised to upgrade to this updated package, which contains a backported patch to correct this issue. Important Copyright 2009 Red Hat, Inc. CVE-2009-4033 /var/log/acpid has improper permissions CVE-2009-4033 acpid: log file created with random permissions cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 The IBM 1.4.2 SR13-FP3 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. This update fixes several vulnerabilities in the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. These vulnerabilities are summarized on the IBM "Security alerts" page listed in the References section. (CVE-2009-3867, CVE-2009-3868, CVE-2009-3869, CVE-2009-3871, CVE-2009-3872, CVE-2009-3873, CVE-2009-3874, CVE-2009-3875, CVE-2009-3876, CVE-2009-3877) All users of java-1.4.2-ibm are advised to upgrade to these updated packages, which contain the IBM 1.4.2 SR13-FP3 Java release. All running instances of IBM Java must be restarted for this update to take effect. Critical Copyright 2009 Red Hat, Inc. CVE-2009-3867 CVE-2009-3868 CVE-2009-3869 CVE-2009-3871 CVE-2009-3872 CVE-2009-3873 CVE-2009-3874 CVE-2009-3875 CVE-2009-3876 CVE-2009-3877 CVE-2009-3873 OpenJDK JPEG Image Writer quantization problem (6862968) CVE-2009-3875 OpenJDK MessageDigest.isEqual introduces timing attack vulnerabilities (6863503) CVE-2009-3876 OpenJDK ASN.1/DER input stream parser denial of service (6864911) CVE-2009-3877 CVE-2009-3869 OpenJDK JRE AWT setDifflCM stack overflow (6872357) CVE-2009-3871 OpenJDK JRE AWT setBytePixels heap overflow (6872358) CVE-2009-3874 OpenJDK ImageI/O JPEG heap overflow (6874643) CVE-2009-3872 JRE JPEG JFIF Decoder issue (6862969) CVE-2009-3867 java-1.5.0-sun, java-1.6.0-sun: Stack-based buffer overflow via a long file: URL argument (6854303) CVE-2009-3868 java-1.5.0-sun, java-1.6.0-sun: Privilege escalation via crafted image file due improper color profiles parsing (6862970) cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 GNU Libtool is a set of shell scripts which automatically configure UNIX, Linux, and similar operating systems to generically build shared libraries. A flaw was found in the way GNU Libtool's libltdl library looked for modules to load. It was possible for libltdl to load and run modules from an arbitrary library in the current working directory. If a local attacker could trick a local user into running an application (which uses libltdl) from an attacker-controlled directory containing a malicious Libtool control file (.la), the attacker could possibly execute arbitrary code with the privileges of the user running the application. (CVE-2009-3736) All libtool users should upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the updated packages, applications using the libltdl library must be restarted for the update to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-3736 CVE-2009-3736 libtool: libltdl may load and execute code from a library in the current directory cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 The IBM 1.5.0 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. This update fixes several vulnerabilities in the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. These vulnerabilities are summarized on the IBM "Security alerts" page listed in the References section. (CVE-2009-3867, CVE-2009-3868, CVE-2009-3869, CVE-2009-3871, CVE-2009-3872, CVE-2009-3873, CVE-2009-3874, CVE-2009-3875, CVE-2009-3876, CVE-2009-3877) All users of java-1.5.0-ibm are advised to upgrade to these updated packages, containing the IBM 1.5.0 SR11 Java release. All running instances of IBM Java must be restarted for this update to take effect. Critical Copyright 2009 Red Hat, Inc. CVE-2009-3867 CVE-2009-3868 CVE-2009-3869 CVE-2009-3871 CVE-2009-3872 CVE-2009-3873 CVE-2009-3874 CVE-2009-3875 CVE-2009-3876 CVE-2009-3877 CVE-2009-3873 OpenJDK JPEG Image Writer quantization problem (6862968) CVE-2009-3875 OpenJDK MessageDigest.isEqual introduces timing attack vulnerabilities (6863503) CVE-2009-3876 OpenJDK ASN.1/DER input stream parser denial of service (6864911) CVE-2009-3877 CVE-2009-3869 OpenJDK JRE AWT setDifflCM stack overflow (6872357) CVE-2009-3871 OpenJDK JRE AWT setBytePixels heap overflow (6872358) CVE-2009-3874 OpenJDK ImageI/O JPEG heap overflow (6874643) CVE-2009-3872 JRE JPEG JFIF Decoder issue (6862969) CVE-2009-3867 java-1.5.0-sun, java-1.6.0-sun: Stack-based buffer overflow via a long file: URL argument (6854303) CVE-2009-3868 java-1.5.0-sun, java-1.6.0-sun: Privilege escalation via crafted image file due improper color profiles parsing (6862970) cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The Network Time Protocol (NTP) is used to synchronize a computer's time with a referenced time source. Robin Park and Dmitri Vinokurov discovered a flaw in the way ntpd handled certain malformed NTP packets. ntpd logged information about all such packets and replied with an NTP packet that was treated as malformed when received by another ntpd. A remote attacker could use this flaw to create an NTP packet reply loop between two ntpd servers via a malformed packet with a spoofed source IP address and port, causing ntpd on those servers to use excessive amounts of CPU time and fill disk space with log messages. (CVE-2009-3563) All ntp users are advised to upgrade to this updated package, which contains a backported patch to resolve this issue. After installing the update, the ntpd daemon will restart automatically. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-3563 CVE-2009-3563 ntpd: DoS with mode 7 packets (VU#568372) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Network Time Protocol (NTP) is used to synchronize a computer's time with a referenced time source. Robin Park and Dmitri Vinokurov discovered a flaw in the way ntpd handled certain malformed NTP packets. ntpd logged information about all such packets and replied with an NTP packet that was treated as malformed when received by another ntpd. A remote attacker could use this flaw to create an NTP packet reply loop between two ntpd servers via a malformed packet with a spoofed source IP address and port, causing ntpd on those servers to use excessive amounts of CPU time and fill disk space with log messages. (CVE-2009-3563) A buffer overflow flaw was found in the ntpq diagnostic command. A malicious, remote server could send a specially-crafted reply to an ntpq request that could crash ntpq or, potentially, execute arbitrary code with the privileges of the user running the ntpq command. (CVE-2009-0159) All ntp users are advised to upgrade to this updated package, which contains backported patches to resolve these issues. After installing the update, the ntpd daemon will restart automatically. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-0159 CVE-2009-3563 CVE-2009-0159 ntp: buffer overflow in ntpq CVE-2009-3563 ntpd: DoS with mode 7 packets (VU#568372) cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in. Multiple security flaws were found in the way Flash Player displayed certain SWF content. An attacker could use these flaws to create a specially-crafted SWF file that would cause flash-plugin to crash or, possibly, execute arbitrary code when the victim loaded a page containing the specially-crafted SWF content. (CVE-2009-3794, CVE-2009-3796, CVE-2009-3797, CVE-2009-3798, CVE-2009-3799, CVE-2009-3800) All users of Adobe Flash Player should install this updated package, which upgrades Flash Player to version 10.0.42.34. Critical Copyright 2009 Red Hat, Inc. CVE-2009-3794 CVE-2009-3796 CVE-2009-3797 CVE-2009-3798 CVE-2009-3799 CVE-2009-3800 flash-plugin: multiple code execution flaws (APSB09-19) (CVE-2009-3794, CVE-2009-3796, CVE-2009-3797, CVE-2009-3798, CVE-2009-3799, CVE-2009-3800) cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 5 KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. KVM is a Linux kernel module built for the standard Red Hat Enterprise Linux kernel. On x86 platforms, the do_insn_fetch() function did not limit the amount of instruction bytes fetched per instruction. Users in guest operating systems could leverage this flaw to cause large latencies on SMP hosts that could lead to a local denial of service on the host operating system. This update fixes this issue by imposing the architecturally-defined 15 byte length limit for instructions. (CVE-2009-4031) This update also fixes the following bugs: * performance problems occurred when using the qcow2 image format with the qemu-kvm -drive "cache=none" option (the default setting when not specified otherwise). This could cause guest operating system installations to take hours. With this update, performance patches have been backported so that using the qcow2 image format with the "cache=none" option no longer causes performance issues. (BZ#520693) * when using the virtual vm8086 mode, bugs in the emulated hardware task switching implementation may have, in some situations, caused older guest operating systems to malfunction. (BZ#532031) * Windows Server 2003 guests (32-bit) with more than 4GB of memory may have crashed during reboot when using the default qemu-kvm CPU settings. (BZ#532043) * with Red Hat Enterprise Virtualization, guests continued to run after encountering disk read errors. This could have led to their file systems becoming corrupted (but not the host's), notably in environments that use networked storage. With this update, the qemu-kvm -drive "werror=stop" option now applies not only to write errors but also to read errors: When using this option, guests will pause on disk read and write errors. By default, guests managed by Red Hat Enterprise Virtualization use the "werror=stop" option. This option is not used by default for guests managed by libvirt. (BZ#537334, BZ#540406) * the para-virtualized block driver (virtio-blk) silently ignored read errors when accessing disk images. With this update, the driver correctly signals the read error to the guest. (BZ#537334) All KVM users should upgrade to these updated packages, which contain backported patches to resolve these issues. Note: The procedure in the Solution section must be performed before this update will take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-4031 KVM does not implement proper support for hardware task linking when using vm8086 mode qemu aborted when restart 32bitwin23k with more than 4G mem in intel host. O/S Filesystem Corruption with RHEL-5.4 on a RHEV Guest RHEL5.4 VM image corruption with an IDE v-disk CVE-2009-4031 kernel: KVM: x86 emulator: limit instructions to 15 bytes cpe:/a:redhat:rhel_virtualization Red Hat Enterprise Linux 5 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security fixes: * NULL pointer dereference flaws in the r128 driver. Checks to test if the Concurrent Command Engine state was initialized were missing in private IOCTL functions. An attacker could use these flaws to cause a local denial of service or escalate their privileges. (CVE-2009-3620, Important) * a NULL pointer dereference flaw in the NFSv4 implementation. Several NFSv4 file locking functions failed to check whether a file had been opened on the server before performing locking operations on it. A local user on a system with an NFSv4 share mounted could possibly use this flaw to cause a denial of service or escalate their privileges. (CVE-2009-3726, Important) * a flaw in tcf_fill_node(). A certain data structure in this function was not initialized properly before being copied to user-space. This could lead to an information leak. (CVE-2009-3612, Moderate) * unix_stream_connect() did not check if a UNIX domain socket was in the shutdown state. This could lead to a deadlock. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2009-3621, Moderate) Knowledgebase DOC-20536 has steps to mitigate NULL pointer dereference flaws. Bug fixes: * frequently changing a CPU between online and offline caused a kernel panic on some systems. (BZ#545583) * for the LSI Logic LSI53C1030 Ultra320 SCSI controller, read commands sent could receive incorrect data, preventing correct data transfer. (BZ#529308) * pciehp could not detect PCI Express hot plug slots on some systems. (BZ#530383) * soft lockups: inotify race and contention on dcache_lock. (BZ#533822, BZ#537019) * priority ordered lists are now used for threads waiting for a given mutex. (BZ#533858) * a deadlock in DLM could cause GFS2 file systems to lock up. (BZ#533859) * use-after-free bug in the audit subsystem crashed certain systems when running usermod. (BZ#533861) * on certain hardware configurations, a kernel panic when the Broadcom iSCSI offload driver (bnx2i.ko and cnic.ko) was loaded. (BZ#537014) * qla2xxx: Enabled MSI-X, and correctly handle the module parameter to control it. This improves performance for certain systems. (BZ#537020) * system crash when reading the cpuaffinity file on a system. (BZ#537346) * suspend-resume problems on systems with lots of logical CPUs, e.g. BX-EX. (BZ#539674) * off-by-one error in the legacy PCI bus check. (BZ#539675) * TSC was not made available on systems with multi-clustered APICs. This could cause slow performance for time-sensitive applications. (BZ#539676) * ACPI: ARB_DISABLE now disabled on platforms that do not need it. (BZ#539677) * fix node to core and power-aware scheduling issues, and a kernel panic during boot on certain AMD Opteron processors. (BZ#539678, BZ#540469, BZ#539680, BZ#539682) * APIC timer interrupt issues on some AMD Opteron systems prevented achieving full power savings. (BZ#539681) * general OProfile support for some newer Intel processors. (BZ#539683) * system crash during boot when NUMA is enabled on systems using MC and kernel-xen. (BZ#539684) * on some larger systems, performance issues due to a spinlock. (BZ#539685) * APIC errors when IOMMU is enabled on some AMD Opteron systems. (BZ#539687) * on some AMD Opteron systems, repeatedly taking a CPU offline then online caused a system hang. (BZ#539688) * I/O page fault errors on some systems. (BZ#539689) * certain memory configurations could cause the kernel-xen kernel to fail to boot on some AMD Opteron systems. (BZ#539690) * NMI watchdog is now disabled for offline CPUs. (BZ#539691) * duplicate directories in /proc/acpi/processor/ on BX-EX systems. (BZ#539692) * links did not come up when using bnx2x with certain Broadcom devices. (BZ#540381) Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect. Important Copyright 2009 Red Hat, Inc. CVE-2009-3612 CVE-2009-3620 CVE-2009-3621 CVE-2009-3726 CVE-2009-3612 kernel: tcf_fill_node() infoleak due to typo in 9ef1d4c7 CVE-2009-3726 kernel: nfsv4: kernel panic in nfs4_proc_lock() [5.4]The errata 28 fix on LSI53C1030 hasn't been included yet. [rhel-5.4.z] CVE-2009-3620 kernel: r128 IOCTL NULL pointer dereferences when CCE state is uninitialised CVE-2009-3621 kernel: AF_UNIX: Fix deadlock on connecting to shutdown socket [5.3] PCIe hotplug slot detection failure [rhel-5.4.z] CRM 1908390 - BUG: warning at fs/inotify.c:181/set_dentry_child_flags() [rhel-5.4.z] threads on pthread_mutex_lock wake in fifo order, but posix specifies by priority [rhel-5.4.z] dlm_recv deadlock under memory pressure while processing GFP_KERNEL locks. [rhel-5.4.z] system crashes in audit_update_watch() [rhel-5.4.z] Panic on boot when loading iscsid with broadcom NIC [rhel-5.4.z] kernel: BUG: soft lockup with dcache_lock [rhel-5.4.z] [QLogic 5.4.z bug] qla2xxx - enable MSI-X and correct/cleanup irq request code [rhel-5.4.z] kernel: NULL pointer dereference in pci_bus_show_cpuaffinity() [rhel-5.4.z] [Intel 5.5 FEAT] Add ability to access Nehalem uncore config space [rhel-5.4.z] [Intel 5.5 FEAT] Support Intel multi-APIC-cluster systems [rhel-5.4.z] [Intel 5.5 FEAT] ACPI: Disable ARB_DISABLE on platforms where it is not needed [rhel-5.4.z] Fix node to core association [rhel-5.4.z] Fix Power-aware scheduling [rhel-5.4.z] Fix AMD erratum - server C1E [rhel-5.4.z] Fix kernel panic while booting RHEL5 32-bit kernel [rhel-5.4.z] [Intel 5.5 FEAT] Oprofile: Add support for arch perfmon - kernel component [rhel-5.4.z] EXPERIMENTAL EX/MC: Fix Xen NUMA [rhel-5.4.z] [Intel 5.5 FEAT] Fix spinlock issue which causes performance impact on large systems [rhel-5.4.z] EXPERIMENTAL MC/EX: Fix APIC error IOMMU issues [rhel-5.4.z] EXPERIMENTAL MC/EX: Issue when bringing CPU offline and online with 32-bit kernel [rhel-5.4.z] EXPERIMENTAL EX/MC: AMD IOMMU Linux driver with latest BIOS has IO PAGE FAULTS [rhel-5.4.z] EXPERIMENTAL MC/EX: Incorrect memory setup can cause Xen crash [rhel-5.4.z] [Intel 5.5 BUG] NMI and Watchdog are not disabled on CPU when CPU is off-lined [rhel-5.4.z] Broadcom Everest Dual port 10Gb with SFP+ (57711) NIC fails with no link [rhel-5.4.z] EXPERIMENTAL EX/MC: Fix node to core issue [rhel-5.4.z] kernel panic when doing cpu offline/online frequently on hp-dl785g5-01.rhts.eng.bos.redhat.com [rhel-5.4.z] cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues: * a flaw was found in the Realtek r8169 Ethernet driver in the Linux kernel. pci_unmap_single() presented a memory leak that could lead to IOMMU space exhaustion and a system crash. An attacker on the local network could trigger this flaw by using jumbo frames for large amounts of network traffic. (CVE-2009-3613, Important) * NULL pointer dereference flaws were found in the r128 driver in the Linux kernel. Checks to test if the Concurrent Command Engine state was initialized were missing in private IOCTL functions. An attacker could use these flaws to cause a local denial of service or escalate their privileges. (CVE-2009-3620, Important) * an information leak was found in the Linux kernel. On AMD64 systems, 32-bit processes could access and read certain 64-bit registers by temporarily switching themselves to 64-bit mode. (CVE-2009-2910, Moderate) * the unix_stream_connect() function in the Linux kernel did not check if a UNIX domain socket was in the shutdown state. This could lead to a deadlock. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2009-3621, Moderate) This update also fixes the following bugs: * an iptables rule with the recent module and a hit count value greater than the ip_pkt_list_tot parameter (the default is 20), did not have any effect over packets, as the hit count could not be reached. (BZ#529306) * in environments that use dual-controller storage devices with the cciss driver, Device-Mapper Multipath maps could not be detected and configured, due to the cciss driver not exporting the bus attribute via sysfs. This attribute is now exported. (BZ#529309) * the kernel crashed with a divide error when a certain joystick was attached. (BZ#532027) * a bug in the mptctl_do_mpt_command() function in the mpt driver may have resulted in crashes during boot on i386 systems with certain adapters using the mpt driver, and also running the hugemem kernel. (BZ#533798) * on certain hardware, the igb driver was unable to detect link statuses correctly. This may have caused problems for network bonding, such as failover not occurring. (BZ#534105) * the RHSA-2009:1024 update introduced a regression. After updating to Red Hat Enterprise Linux 4.8 and rebooting, network links often failed to be brought up for interfaces using the forcedeth driver. "no link during initialization" messages may have been logged. (BZ#534112) * the RHSA-2009:1024 update introduced a second regression. On certain systems, PS/2 keyboards failed to work. (BZ#537344) * a bug in checksum offload calculations could have crashed the bnx2x firmware when the iptable_nat module was loaded, causing network traffic to stop. (BZ#537013) * a check has been added to the IPv4 code to make sure that the routing table data structure, rt, is not NULL, to help prevent future bugs in functions that call ip_append_data() from being exploitable. (BZ#537016) * possible kernel pointer dereferences on systems with several NFS mounts (a mixture of "-o lock" and "-o nolock"), which in rare cases may have caused a system crash, have been resolved. (BZ#537017) Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect. Important Copyright 2009 Red Hat, Inc. CVE-2009-2910 CVE-2009-3613 CVE-2009-3620 CVE-2009-3621 CVE-2009-2910 kernel: x86_64 32 bit process register leak CVE-2009-3613 kernel: flood ping cause out-of-iommu error and panic when mtu larger than 1500 kernel: ipt_recent: sanity check hit count [rhel-4.9] [rhel-4.8.z] CCISS device-mapper-multipath support: missing sysfs attributes [rhel-4.8.z] CVE-2009-3620 kernel: r128 IOCTL NULL pointer dereferences when CCE state is uninitialised CVE-2009-3621 kernel: AF_UNIX: Fix deadlock on connecting to shutdown socket kernel hid-input.c divide error crash [rhel-4.8.z] [Cisco/LSI 4.8.z bug] mptctl module dereferences a userspace address, triggering a crash [rhel-4.8.z] EL4.8: igb driver fails to detect link status change on SERDES interface [rhel-4.8.z] Upgrade from RHEL4U7 to U8 fails to bring up networking with forcedeth driver. [simple patch] [rhel-4.8.z] bnx2x fails when iptables is on [rhel-4.8.z] kernel: ipv4: make ip_append_data() handle NULL routing table [rhel-4.8.z] NLM: Fix Oops in nlmclnt_mark_reclaim() [rhel-4.8.z] RHEL4.8 regression: PS/2 keyboard doesn't work on PRIMERGY TX120S1 [rhel-4.8.z] cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 SeaMonkey is an open source Web browser, email and newsgroup client, IRC chat client, and HTML editor. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause SeaMonkey to crash or, potentially, execute arbitrary code with the privileges of the user running SeaMonkey. (CVE-2009-3979) A flaw was found in the SeaMonkey NT Lan Manager (NTLM) authentication protocol implementation. If an attacker could trick a local user that has NTLM credentials into visiting a specially-crafted web page, they could send arbitrary requests, authenticated with the user's NTLM credentials, to other applications on the user's system. (CVE-2009-3983) A flaw was found in the way SeaMonkey displayed the SSL location bar indicator. An attacker could create an unencrypted web page that appears to be encrypted, possibly tricking the user into believing they are visiting a secure page. (CVE-2009-3984) All SeaMonkey users should upgrade to these updated packages, which correct these issues. After installing the update, SeaMonkey must be restarted for the changes to take effect. Critical Copyright 2009 Red Hat, Inc. CVE-2009-3979 CVE-2009-3983 CVE-2009-3984 CVE-2009-3979 Mozilla crash with evidence of memory corruption CVE-2009-3983 Mozilla NTLM reflection vulnerability CVE-2009-3984 Mozilla SSL spoofing with document.location and empty SSL response page cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Firefox is an open source Web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2009-3979, CVE-2009-3981, CVE-2009-3986) A flaw was found in the Firefox NT Lan Manager (NTLM) authentication protocol implementation. If an attacker could trick a local user that has NTLM credentials into visiting a specially-crafted web page, they could send arbitrary requests, authenticated with the user's NTLM credentials, to other applications on the user's system. (CVE-2009-3983) A flaw was found in the way Firefox displayed the SSL location bar indicator. An attacker could create an unencrypted web page that appears to be encrypted, possibly tricking the user into believing they are visiting a secure page. (CVE-2009-3984) A flaw was found in the way Firefox displayed blank pages after a user navigates to an invalid address. If a user visits an attacker-controlled web page that results in a blank page, the attacker could inject content into that blank page, possibly tricking the user into believing they are viewing a legitimate page. (CVE-2009-3985) For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 3.0.16. You can find a link to the Mozilla advisories in the References section of this errata. All Firefox users should upgrade to these updated packages, which contain Firefox version 3.0.16, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect. Critical Copyright 2009 Red Hat, Inc. CVE-2009-3979 CVE-2009-3981 CVE-2009-3983 CVE-2009-3984 CVE-2009-3985 CVE-2009-3986 CVE-2009-3979 Mozilla crash with evidence of memory corruption CVE-2009-3981 Mozilla crashes with evidence of memory corruption CVE-2009-3983 Mozilla NTLM reflection vulnerability CVE-2009-3984 Mozilla SSL spoofing with document.location and empty SSL response page CVE-2009-3986 Mozilla Chrome privilege escalation via window.opener CVE-2009-3985 Mozilla URL spoofing via invalid document.location cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Xpdf is an X Window System based viewer for Portable Document Format (PDF) files. Petr Gajdos and Christian Kornacker of SUSE reported a buffer overflow flaw in Xpdf's Type 1 font parser. A specially-crafted PDF file with an embedded Type 1 font could cause Xpdf to crash or, possibly, execute arbitrary code when opened. (CVE-2009-4035) Users are advised to upgrade to this updated package, which contains a backported patch to correct this issue. Important Copyright 2009 Red Hat, Inc. CVE-2009-4035 CVE-2009-4035 xpdf: buffer overflow in FoFiType1::parse cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 GPdf is a viewer for Portable Document Format (PDF) files. Petr Gajdos and Christian Kornacker of SUSE reported a buffer overflow flaw in GPdf's Type 1 font parser. A specially-crafted PDF file with an embedded Type 1 font could cause GPdf to crash or, possibly, execute arbitrary code when opened. (CVE-2009-4035) Users are advised to upgrade to this updated package, which contains a backported patch to correct this issue. Important Copyright 2009 Red Hat, Inc. CVE-2009-4035 CVE-2009-4035 xpdf: buffer overflow in FoFiType1::parse cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The kdegraphics packages contain applications for the K Desktop Environment, including KPDF, a viewer for Portable Document Format (PDF) files. Petr Gajdos and Christian Kornacker of SUSE reported a buffer overflow flaw in KPDF's Type 1 font parser. A specially-crafted PDF file with an embedded Type 1 font could cause KPDF to crash or, possibly, execute arbitrary code when opened. (CVE-2009-4035) Users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. Important Copyright 2009 Red Hat, Inc. CVE-2009-4035 CVE-2009-4035 xpdf: buffer overflow in FoFiType1::parse cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 The IBM 1.6.0 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. This update fixes several vulnerabilities in the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. These vulnerabilities are summarized on the IBM "Security alerts" page listed in the References section. (CVE-2009-0217, CVE-2009-3865, CVE-2009-3866, CVE-2009-3867, CVE-2009-3868, CVE-2009-3869, CVE-2009-3871, CVE-2009-3872, CVE-2009-3873, CVE-2009-3874, CVE-2009-3875, CVE-2009-3876, CVE-2009-3877) All users of java-1.6.0-ibm are advised to upgrade to these updated packages, containing the IBM 1.6.0 SR7 Java release. All running instances of IBM Java must be restarted for the update to take effect. Critical Copyright 2009 Red Hat, Inc. CVE-2009-0217 CVE-2009-3555 CVE-2009-3865 CVE-2009-3866 CVE-2009-3867 CVE-2009-3868 CVE-2009-3869 CVE-2009-3871 CVE-2009-3872 CVE-2009-3873 CVE-2009-3874 CVE-2009-3875 CVE-2009-3876 CVE-2009-3877 CVE-2009-0217 xmlsec1, mono, xml-security-c, xml-security-1.3.0-1jpp.ep1.*: XMLDsig HMAC-based signatures spoofing and authentication bypass CVE-2009-3873 OpenJDK JPEG Image Writer quantization problem (6862968) CVE-2009-3875 OpenJDK MessageDigest.isEqual introduces timing attack vulnerabilities (6863503) CVE-2009-3876 OpenJDK ASN.1/DER input stream parser denial of service (6864911) CVE-2009-3877 CVE-2009-3869 OpenJDK JRE AWT setDifflCM stack overflow (6872357) CVE-2009-3871 OpenJDK JRE AWT setBytePixels heap overflow (6872358) CVE-2009-3874 OpenJDK ImageI/O JPEG heap overflow (6874643) CVE-2009-3872 JRE JPEG JFIF Decoder issue (6862969) CVE-2009-3865 java-1.6.0-sun: ACE in JRE Deployment Toolkit (6869752) CVE-2009-3866 java-1.6.0-sun: Privilege escalation in the Java Web Start Installer (6872824) CVE-2009-3867 java-1.5.0-sun, java-1.6.0-sun: Stack-based buffer overflow via a long file: URL argument (6854303) CVE-2009-3868 java-1.5.0-sun, java-1.6.0-sun: Privilege escalation via crafted image file due improper color profiles parsing (6862970) cpe:/a:redhat:rhel_extras