Red Hat OVAL Patch Definition Merger 2 5.3 2009-11-30T10:42:35 Red Hat Enterprise Linux 5 The xen packages contain the Xen tools and management daemons needed to manage virtual machines running on Red Hat Enterprise Linux. Xen was found to allow unprivileged DomU domains to overwrite xenstore values which should only be changeable by the privileged Dom0 domain. An attacker controlling a DomU domain could, potentially, use this flaw to kill arbitrary processes in Dom0 or trick a Dom0 user into accessing the text console of a different domain running on the same host. This update makes certain parts of the xenstore tree read-only to the unprivileged DomU domains. (CVE-2008-4405) It was discovered that the qemu-dm.debug script created a temporary file in /tmp in an insecure way. A local attacker in Dom0 could, potentially, use this flaw to overwrite arbitrary files via a symlink attack. Note: This script is not needed in production deployments and therefore was removed and is not shipped with updated xen packages. (CVE-2008-4993) This update also fixes the following bug: * xen calculates its running time by adding the hypervisor's up-time to the hypervisor's boot-time record. In live migrations of para-virtualized guests, however, the guest would over-write the new hypervisor's boot-time record with the boot-time of the previous hypervisor. This caused time-dependent processes on the guests to fail (for example, crond would fail to start cron jobs). With this update, the new hypervisor's boot-time record is no longer over-written during live migrations. All xen users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. The Xen host must be restarted for the update to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2008-4405 CVE-2008-4993 CVE-2008-4993 xen: insecure temporary file use in qemu-dm.debug timer stops running after live migrate or dom0 reboot & save/restore of a Xen guest CVE-2008-4405 xen: Multiple unsafe uses of guest-writable data from xenstore cpe:/a:redhat:rhel_virtualization cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 OpenSSL is a toolkit that implements Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength, general purpose, cryptography library. The Google security team discovered a flaw in the way OpenSSL checked the verification of certificates. An attacker in control of a malicious server, or able to effect a "man in the middle" attack, could present a malformed SSL/TLS signature from a certificate chain to a vulnerable client and bypass validation. (CVE-2008-5077) All OpenSSL users should upgrade to these updated packages, which contain backported patches to resolve these issues. For the update to take effect, all running OpenSSL client applications must be restarted, or the system rebooted. Important Copyright 2009 Red Hat, Inc. CVE-2008-5077 CVE-2008-5077 OpenSSL Incorrect checks for malformed signatures cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 GNOME VFS is the GNOME virtual file system. It provides a modular architecture and ships with several modules that implement support for various local and remote file systems as well as numerous protocols, including HTTP, FTP, and others. A buffer overflow flaw was discovered in the GNOME virtual file system when handling data returned by CDDB servers. If a user connected to a malicious CDDB server, an attacker could use this flaw to execute arbitrary code on the victim's machine. (CVE-2005-0706) Users of gnome-vfs and gnome-vfs2 are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. All running GNOME sessions must be restarted for the update to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2005-0706 CVE-2005-0706 grip,libcdaudio: buffer overflow caused by large amount of CDDB replies cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 D-Bus is a system for sending messages between applications. It is used for the system-wide message bus service and as a per-user-login-session messaging facility. A denial-of-service flaw was discovered in the system for sending messages between applications. A local user could send a message with a malformed signature to the bus causing the bus (and, consequently, any process using libdbus to receive messages) to abort. (CVE-2008-3834) All users are advised to upgrade to these updated dbus packages, which contain backported patch which resolve this issue. For the update to take effect, all running instances of dbus-daemon and all running applications using libdbus library must be restarted, or the system rebooted. Moderate Copyright 2009 Red Hat, Inc. CVE-2008-3834 CVE-2008-3834 dbus denial of service cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 SquirrelMail is an easy-to-configure, standards-based, webmail package written in PHP. It includes built-in PHP support for the IMAP and SMTP protocols, and pure HTML 4.0 page-rendering (with no JavaScript required) for maximum browser-compatibility, strong MIME support, address books, and folder manipulation. Ivan Markovic discovered a cross-site scripting (XSS) flaw in SquirrelMail caused by insufficient HTML mail sanitization. A remote attacker could send a specially-crafted HTML mail or attachment that could cause a user's Web browser to execute a malicious script in the context of the SquirrelMail session when that email or attachment was opened by the user. (CVE-2008-2379) It was discovered that SquirrelMail allowed cookies over insecure connections (ie did not restrict cookies to HTTPS connections). An attacker who controlled the communication channel between a user and the SquirrelMail server, or who was able to sniff the user's network communication, could use this flaw to obtain the user's session cookie, if a user made an HTTP request to the server. (CVE-2008-3663) Note: After applying this update, all session cookies set for SquirrelMail sessions started over HTTPS connections will have the "secure" flag set. That is, browsers will only send such cookies over an HTTPS connection. If needed, you can revert to the previous behavior by setting the configuration option "$only_secure_cookies" to "false" in SquirrelMail's /etc/squirrelmail/config.php configuration file. Users of squirrelmail should upgrade to this updated package, which contains backported patches to correct these issues. Moderate Copyright 2009 Red Hat, Inc. CVE-2008-2379 CVE-2008-3663 CVE-2008-3663 squirrelmail: session hijacking - secure flag not set for HTTPS-only cookies CVE-2008-2379 squirrelmail: XSS issue caused by an insufficient html mail sanitation cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Little Color Management System (LittleCMS, or simply "lcms") is a small-footprint, speed-optimized open source color management engine. Multiple insufficient input validation flaws were discovered in LittleCMS. An attacker could use these flaws to create a specially-crafted image file which could cause an application using LittleCMS to crash, or, possibly, execute arbitrary code when opened. (CVE-2008-5316, CVE-2008-5317) Users of lcms should upgrade to these updated packages, which contain backported patches to correct these issues. All running applications using lcms library must be restarted for the update to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2008-5316 CVE-2008-5317 CVE-2008-5316 lcms: insufficient input validation in ReadEmbeddedTextTag CVE-2008-5317 lcms: unsigned -> signed integer cast issue in cmsAllocGamma cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The netpbm package contains a library of functions for editing and converting between various graphics file formats, including .pbm (portable bitmaps), .pgm (portable graymaps), .pnm (portable anymaps), .ppm (portable pixmaps), and others. An input validation flaw and multiple integer overflows were discovered in the JasPer library providing support for JPEG-2000 image format and used in the jpeg2ktopam and pamtojpeg2k converters. An attacker could create a carefully-crafted JPEG file which could cause jpeg2ktopam to crash or, possibly, execute arbitrary code as the user running jpeg2ktopam. (CVE-2007-2721, CVE-2008-3520) All users are advised to upgrade to these updated packages which contain backported patches which resolve these issues. Moderate Copyright 2009 Red Hat, Inc. CVE-2007-2721 CVE-2008-3520 CVE-2007-2721 jasper crash in jpc_qcx_getcompparms CVE-2008-3520 jasper: multiple integer overflows in jas_alloc calls cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Avahi is an implementation of the DNS Service Discovery and Multicast DNS specifications for Zeroconf Networking. It facilitates service discovery on a local network. Avahi and Avahi-aware applications allow you to plug your computer into a network and, with no configuration, view other people to chat with, see printers to print to, and find shared files on other computers. Hugo Dias discovered a denial of service flaw in avahi-daemon. A remote attacker on the same local area network (LAN) could send a specially-crafted mDNS (Multicast DNS) packet that would cause avahi-daemon to exit unexpectedly due to a failed assertion check. (CVE-2008-5081) All users are advised to upgrade to these updated packages, which contain a backported patch which resolves this issue. After installing the update, avahi-daemon will be restarted automatically. Moderate Copyright 2009 Red Hat, Inc. CVE-2008-5081 CVE-2008-5081 avahi: avahi-daemon DoS (application abort) via packet with source port 0 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The kernel packages contain the Linux kernel, the core of any Linux operating system. This update addresses the following security issues: * the sendmsg() function in the Linux kernel did not block during UNIX socket garbage collection. This could, potentially, lead to a local denial of service. (CVE-2008-5300, Important) * when fput() was called to close a socket, the __scm_destroy() function in the Linux kernel could make indirect recursive calls to itself. This could, potentially, lead to a local denial of service. (CVE-2008-5029, Important) * a deficiency was found in the Linux kernel virtual file system (VFS) implementation. This could allow a local, unprivileged user to make a series of file creations within deleted directories, possibly causing a denial of service. (CVE-2008-3275, Moderate) * a buffer underflow flaw was found in the Linux kernel IB700 SBC watchdog timer driver. This deficiency could lead to a possible information leak. By default, the "/dev/watchdog" device is accessible only to the root user. (CVE-2008-5702, Low) * the hfs and hfsplus file systems code failed to properly handle corrupted data structures. This could, potentially, lead to a local denial of service. (CVE-2008-4933, CVE-2008-5025, Low) * a flaw was found in the hfsplus file system implementation. This could, potentially, lead to a local denial of service when write operations were performed. (CVE-2008-4934, Low) This update also fixes the following bugs: * when running Red Hat Enterprise Linux 4.6 and 4.7 on some systems running Intel® CPUs, the cpuspeed daemon did not run, preventing the CPU speed from being changed, such as not being reduced to an idle state when not in use. * mmap() could be used to gain access to beyond the first megabyte of RAM, due to insufficient checks in the Linux kernel code. Checks have been added to prevent this. * attempting to turn keyboard LEDs on and off rapidly on keyboards with slow keyboard controllers, may have caused key presses to fail. * after migrating a hypervisor guest, the MAC address table was not updated, causing packet loss and preventing network connections to the guest. Now, a gratuitous ARP request is sent after migration. This refreshes the ARP caches, minimizing network downtime. * writing crash dumps with diskdump may have caused a kernel panic on Non-Uniform Memory Access (NUMA) systems with certain memory configurations. * on big-endian systems, such as PowerPC, the getsockopt() function incorrectly returned 0 depending on the parameters passed to it when the time to live (TTL) value equaled 255, possibly causing memory corruption and application crashes. * a problem in the kernel packages provided by the RHSA-2008:0508 advisory caused the Linux kernel's built-in memory copy procedure to return the wrong error code after recovering from a page fault on AMD64 and Intel 64 systems. This may have caused other Linux kernel functions to return wrong error codes. * a divide-by-zero bug in the Linux kernel process scheduler, which may have caused kernel panics on certain systems, has been resolved. * the netconsole kernel module caused the Linux kernel to hang when slave interfaces of bonded network interfaces were started, resulting in a system hang or kernel panic when restarting the network. * the "/proc/xen/" directory existed even if systems were not running Red Hat Virtualization. This may have caused problems for third-party software that checks virtualization-ability based on the existence of "/proc/xen/". Note: this update will remove the "/proc/xen/" directory on systems not running Red Hat Virtualization. All Red Hat Enterprise Linux 4 users should upgrade to these updated packages, which contain backported patches to resolve these issues. Important Copyright 2009 Red Hat, Inc. CVE-2008-3275 CVE-2008-4933 CVE-2008-4934 CVE-2008-5025 CVE-2008-5029 CVE-2008-5300 CVE-2008-5702 CVE-2008-5029 kernel: Unix sockets kernel panic HP-Japan: RHEL4.6 diskdump fails when NUMA is on getsockopt() returning incorrectly in PPC RHSA-2008:0508 linux-2.6.9-x86_64-copy_user-zero-tail.patch broken netconsole hang the system on ifenslave operation erroneous load balancing for isolated CPUs leads to divide-by-zero panic in find_busiest_group() CVE-2008-3275 Linux kernel local filesystem DoS Local keyboard DoS through LED switching Xen balloon driver on RHEL4 x86_64 with 2.6.9-78.0.1.ELsmp CVE-2008-4933 kernel: hfsplus: fix Buffer overflow with a corrupted image CVE-2008-4934 kernel: hfsplus: check read_mapping_page() return value CVE-2008-5025 kernel: hfs: fix namelength memory corruption CVE-2008-5300 kernel: fix soft lockups/OOM issues with unix socket garbage collector CVE-2008-5702 kernel: watchdog: ib700wdt.c - buffer_underflow bug kernel: devmem: add range_is_allowed() check to mmap_mem() [rhel-4.7.z] lost packets when live migrating (RHEL4 XEN) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The xterm program is a terminal emulator for the X Window System. A flaw was found in the xterm handling of Device Control Request Status String (DECRQSS) escape sequences. An attacker could create a malicious text file (or log entry, if unfiltered) that could run arbitrary commands if read by a victim inside an xterm window. (CVE-2008-2383) All xterm users are advised to upgrade to the updated package, which contains a backported patch to resolve this issue. All running instances of xterm must be restarted for the update to take effect. Important Copyright 2009 Red Hat, Inc. CVE-2008-2383 CVE-2008-2383 xterm: arbitrary command injection cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols. A flaw was discovered in the way BIND checked the return value of the OpenSSL DSA_do_verify function. On systems using DNSSEC, a malicious zone could present a malformed DSA certificate and bypass proper certificate validation, allowing spoofing attacks. (CVE-2009-0025) For users of Red Hat Enterprise Linux 3 this update also addresses a bug which can cause BIND to occasionally exit with an assertion failure. All BIND users are advised to upgrade to the updated package, which contains a backported patch to resolve this issue. After installing the update, BIND daemon will be restarted automatically. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-0025 CVE-2009-0025 bind: DSA_do_verify() returns check issue named dies due to assertion failure cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The Network Time Protocol (NTP) is used to synchronize a computer's time with a referenced time source. A flaw was discovered in the way the ntpd daemon checked the return value of the OpenSSL EVP_VerifyFinal function. On systems using NTPv4 authentication, this could lead to an incorrect verification of cryptographic signatures, allowing time-spoofing attacks. (CVE-2009-0021) Note: This issue only affects systems that have enabled NTP authentication. By default, NTP authentication is not enabled. All ntp users are advised to upgrade to the updated packages, which contain a backported patch to resolve this issue. After installing the update, the ntpd daemon will restart automatically. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-0021 CVE-2009-0021 ntp incorrectly checks for malformed signatures cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 5 SquirrelMail is an easy-to-configure, standards-based, webmail package written in PHP. It includes built-in PHP support for the IMAP and SMTP protocols, and pure HTML 4.0 page-rendering (with no JavaScript required) for maximum browser-compatibility, strong MIME support, address books, and folder manipulation. The Red Hat SquirrelMail packages provided by the RHSA-2009:0010 advisory introduced a session handling flaw. Users who logged back into SquirrelMail without restarting their web browsers were assigned fixed session identifiers. A remote attacker could make use of that flaw to hijack user sessions. (CVE-2009-0030) SquirrelMail users should upgrade to this updated package, which contains a patch to correct this issue. As well, all users who used affected versions of SquirrelMail should review their preferences. Important Copyright 2009 Red Hat, Inc. CVE-2009-0030 CVE-2009-1580 Squirrelmail session management broken by security backport CVE-2009-0030 squirrelmail: session management flaw cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Dovecot is an IMAP server for Linux and UNIX-like systems, primarily written with security in mind. A flaw was found in Dovecot's ACL plug-in. The ACL plug-in treated negative access rights as positive rights, which could allow an attacker to bypass intended access restrictions. (CVE-2008-4577) A password disclosure flaw was found with Dovecot's configuration file. If a system had the "ssl_key_password" option defined, any local user could view the SSL key password. (CVE-2008-4870) Note: This flaw did not allow the attacker to acquire the contents of the SSL key. The password has no value without the key file which arbitrary users should not have read access to. To better protect even this value, however, the dovecot.conf file now supports the "!include_try" directive. The ssl_key_password option should be moved from dovecot.conf to a new file owned by, and only readable and writable by, root (ie 0600). This file should be referenced from dovecot.conf by setting the "!include_try [/path/to/password/file]" option. Additionally, this update addresses the following bugs: * the dovecot init script -- /etc/rc.d/init.d/dovecot -- did not check if the dovecot binary or configuration files existed. It also used the wrong pid file for checking the dovecot service's status. This update includes a new init script that corrects these errors. * the %files section of the dovecot spec file did not include "%dir %{ssldir}/private". As a consequence, the /etc/pki/private/ directory was not owned by dovecot. (Note: files inside /etc/pki/private/ were and are owned by dovecot.) With this update, the missing line has been added to the spec file, and the noted directory is now owned by dovecot. * in some previously released versions of dovecot, the authentication process accepted (and passed along un-escaped) passwords containing characters that had special meaning to dovecot's internal protocols. This updated release prevents such passwords from being passed back, instead returning the error, "Attempted login with password having illegal chars". Note: dovecot versions previously shipped with Red Hat Enterprise Linux 5 did not allow this behavior. This update addresses the issue above but said issue was only present in versions of dovecot not previously included with Red Hat Enterprise Linux 5. Users of dovecot are advised to upgrade to this updated package, which addresses these vulnerabilities and resolves these issues. Low Copyright 2009 Red Hat, Inc. CVE-2008-4577 CVE-2008-4870 Wrong init script new dovecot security issues from the dovecot site dovecot.conf is world readable - possible password exposure dovecot should own /etc/pki/dovecot/private directory CVE-2008-4577 dovecot: incorrect handling of negative rights in the ACL plugin CVE-2008-4870 dovecot: ssl_key_password disclosure due to an insecure dovecot.conf permissions cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The Linux kernel (the core of the Linux operating system) These updated packages contain 730 bug fixes and enhancements for the Linux kernel. Space precludes a detailed description of each of these changes in this advisory and users are therefore directed to the release notes for Red Hat Enterprise Linux 5.3 for information on 97 of the most significant of these changes. Details of three security-related bug fixes are set out below, along with notes on other broad categories of change not covered in the release notes. For more detailed information on specific bug fixes or enhancements, please consult the Bugzilla numbers listed in this advisory. * when fput() was called to close a socket, the __scm_destroy() function in the Linux kernel could make indirect recursive calls to itself. This could, potentially, lead to a denial of service issue. (CVE-2008-5029, Important) * a flaw was found in the Asynchronous Transfer Mode (ATM) subsystem. A local, unprivileged user could use the flaw to listen on the same socket more than once, possibly causing a denial of service. (CVE-2008-5079, Important) * a race condition was found in the Linux kernel "inotify" watch removal and umount implementation. This could allow a local, unprivileged user to cause a privilege escalation or a denial of service. (CVE-2008-5182, Important) * Bug fixes and enhancements are provided for: * support for specific NICs, including products from the following manufacturers: Broadcom Chelsio Cisco Intel Marvell NetXen Realtek Sun * Fiber Channel support, including support for Qlogic qla2xxx, qla4xxx, and qla84xx HBAs and the FCoE, FCP, and zFCP protocols. * support for various CPUs, including: AMD Opteron processors with 45 nm SOI ("Shanghai") AMD Turion Ultra processors Cell processors Intel Core i7 processors * Xen support, including issues specific to the IA64 platform, systems using AMD processors, and Dell Optiplex GX280 systems * ext3, ext4, GFS2, NFS, and SPUFS * Infiniband (including eHCA, eHEA, and IPoIB) support * common I/O (CIO), direct I/O (DIO), and queued direct I/O (qdio) support * the kernel distributed lock manager (DLM) * hardware issues with: SCSI, IEEE 1394 (FireWire), RAID (including issues specific to Adaptec controllers), SATA (including NCQ), PCI, audio, serial connections, tape-drives, and USB * ACPI, some of a general nature and some related to specific hardware including: certain Lenovo Thinkpad notebooks, HP DC7700 systems, and certain machines based on Intel Centrino processor technology. * CIFS, including Kerberos support and a tech-preview of DFS support * networking support, including IPv6, PPPoE, and IPSec * support for Intel chipsets, including: Intel Cantiga chipsets Intel Eagle Lake chipsets Intel i915 chipsets Intel i965 chipsets Intel Ibex Peak chipsets Intel chipsets offering QuickPath Interconnects (QPI) * device mapping issues, including some in device mapper itself * various issues specific to IA64 and PPC * CCISS, including support for Compaq SMART Array controllers P711m and P712m and other new hardware * various issues affecting specific HP systems, including: DL785G5 XW4800 XW8600 XW8600 XW9400 * IOMMU support, including specific issues with AMD and IBM Calgary hardware * the audit subsystem * DASD support * iSCSI support, including issues specific to Chelsio T3 adapters * LVM issues * SCTP management information base (MIB) support * issues with: autofs, kdump, kobject_add, libata, lpar, ptrace, and utrace * IBM Power platforms using Enhanced I/O Error Handling (EEH) * EDAC issues for AMD K8 and Intel i5000 * ALSA, including support for new hardware * futex support * hugepage support * Intelligent Platform Management Interface (IPMI) support * issues affecting NEC/Stratus servers * OFED support * SELinux * various Virtio issues All users are advised to upgrade to these updated packages, which resolve these issues and add these enhancements. Important Copyright 2009 Red Hat, Inc. CVE-2008-5029 CVE-2008-5079 CVE-2008-5182 CVE-2008-5300 ext4 assembly bitops failures on s390 CVE-2008-5029 kernel: Unix sockets kernel panic LTC:5.4:201049:DM-MP SCSI Hardware Handlers RHEL5.3: update ecryptfs kernelspace to 2.6.26 codebase libata: Avoid overflow in ata_tf_read_block() when tf->hba_lbal > 127 [Broadcom 5.3 bug] bnx2: add PCI-IDs for 5716s Problem with aic79xx [Stratus/NEC 5.3 bug] System can crash when removing input device sr #1768018 : numlock led does not reflect the status of numlock [Kdump] not work on HP-XW8600 RHEL53 Beta1: network installation through cxgb3 interface failed if the adapter firmware doesn't match the cxgb3 device driver requst firmware level in rhel53. RHEL5.3: Modify SATA IDE mode quirk RHEL5.3 e1000e: enable ECC correction on 82571 silicon cifs: data corruption due to interleaved partial writes timing out [QLogic 5.3 bug] qla2xx/qla84xx - Failure to establish link. [QLogic 5.3 bug] qla2xxx - No NPIV for Loop connections. Various firewire bugs fixed upstream kernel-xen panic when X shuts down a check for a buggy HP SAL caused problems booting as a guest in a virtual machine bnx2x + 57711 MCA on BL870c Handle invalid ACPI SLIT table FEAT: RHEL5.3 update acpi-cpufreq driver /dev/agpart missing for intel i965 HW/82G965 Graphics firewire module unload hangs RHEL5.3: ext4 warning on x86 build GFS2: recovery stuck RHEL5.3: ecryptfs memory corruption spufs in RHEL5.3: missing context switch notification log [RHEL5.3] kernel kernel BUG at kernel/exit.c:1129! kernel: cpufreq: fix format string bug [rhel-5.3] CVE-2008-5182 kernel: fix inotify watch removal/umount races [QLogic 5.3 feat] [3/n] qla2xxx - Upstream updates: 8.02.00-k5 to 8.02.00-k6 Performance degradation due to excessive spinlocking in the block layer when using logical volume that spans too many physical volumes dlm_recoverd in D state when using IPv6 to comunicate between nodes kernel: binfmt_misc.c: avoid potential kernel stack overflow [rhel-5.3] CIFS option forcedirectio fails to allow the appending of text to files. kernel: devmem: add range_is_allowed() check to mmap_mem() [rhel-5.3] backport upstream kernel support for private futexes to RHEL 5.3 kernel Nested LVM can cause deadlock due to kcopyd Deadlock possibility with nested LVMs with snapshots Poor LVM mirroring performance kernel: dio: zero struct dio with kzalloc instead of manually [rhel-5.3] IPV6DOD: xfrm reverse icmp feature does not seem to work correctly. gdb on ppc hangs, then panics with a kill -9 RHEL 5.3: allow tun/tap support larger MTU sizes kernel panic seen in ptrace_induce_signal in run of rhts test /tools/gdb/gdb-any/ kernel panic when modprobe -r acpi_cpufreq on centrino platform with kernel newer than 2.6.18-118 statically linked uuid segfaults in uuid_generate() on Xen kernel Interactive installation fails with ext4dev root partition RHEL 5.3: allow virtio_net support larger MTU sizes RHEL 5.3: implement virtio_net mergeable receive buffer allocate scheme xm trigger <domain> init causes kernel panic. panic in aoe:aoecmd_ata_rsp during direct I/O to lvm [snap,mirror,stripe] RHEL 5.1 will incorrectly mark SCSI devices as offline due to improper error handling [RFE] DTR/DSR flow control launching too many guests panics with "No available IRQ to bind to: increase NR_IRQS!" iBFT target info not parsed properly by the iscsi_ibft module cp -p does not copy mtime to CIFS share CIFS: slab error in kmem_cache_destroy(): cache `cifs_request': Can't free all objects Need to build xen-platform-pci as a module and not into the kernel [Brocade/Dell 5.3 bug] hts failing memory test with EDAC i5000 Non-Fatal error kernel BUG at arch/i386/mm/highmem-xen.c:43! with errata/RHBA-2008-0314 installed Netdump not functioning w/ bnx2 >= v1.8h (Broadcom Netxtreme II Network Card) dlm: fix up memory allocation flags Significant regression in time() performance Multiple outstanding ptc.g instruction support RHEL5.3: SB600/700 SATA controller PMP support FEAT: RHEL5.3 backport fallocate syscall Access to firewire devices is still allowed after the device is removed from the bus. CIFS VFS: Send error in FindClose = -9 Update 3w-xxxx to version 1.26.03.000-2.6.18RH Update 3w-9xxx to version 2.26.08.003-2.6.18RH update CIFS for RHEL5.3 [QLogic 5.3 bug] qla2xxx- provide additional statistics to user [QLogic 5.3 feat] [1/n] qla2xxx- Upstream updates: 8.01.07-k7 virtual ethernet device stops working on reception of duplicate backend state change signals Actual & placeholder funcs have differing param counts 'xm info' does not show correct info in 'node_to_cpu' field on ia64 Altix Partitioned System FEAT: RHEL 5.3: (1/2) Increase deep idle state residency on idle platforms using Nehalem class processors FEAT: RHEL 5.3: (2/2) Increase deep idle state residency on idle platforms using Nehalem class processors RFE: delalloc helpers for ext4 Need to add 3 dlm symbols to the kernel whitelist [QLogic 5.3 feat] qla2xxx - mgmt. API, CT pass thru [QLogic 5.3 feat] [0/n] qla2xxx- Netlink, FCoE management API Regression: Tape commands are possibly retried if there is a loss of connectivity while it is running Under heavy memory usage dma_alloc_coherent does not return aligned address Backport of don't use large pages to map the first 2/4MB of memory form 2.6.26 to RHEL5-U3 pppoe: Check packet length on all receive paths [rhel-5.3] hang in ad_rx_machine due to second attempt to lock spin_lock enable userspace kernel header check kernel: random32: seeding improvement [rhel-5.3] RHEL5.3: misc ecryptfs fixes from 2.6.27 ide-cd: fix oops when using growisofs [rhel-5.3] [5.0] kdump hangs up by Sysrq+C trigger Make oprofile recognize Nehalem FEAT: RHEL 5.3 ext4 tech preview write barriers not supported, ext3 does not complain kernel dm mpath: fix several problems in dm-mapth target error paths Oprofile need to enable/disable all the counters for intel family 6 kernel dm crypt: use cond_resched dm-snap.c: Data read from snapshot may be corrupt if origin is being written to simultaneously [RHEL5.3] LTP test failure in inotify02 testcase [5.2][nfs] ls -l shows outdated timestamp incorrect ATA7 handing in kernel causing ABRT errors max_phys_segments violation with dm-linear + md raid1 + cciss Question for LUKS device passhprase unreadable when using Xen iwlagn (Montevina & Santa Rosa) fails to get associated with AP by NetworkManager frequently system-config-soundcard is not working on RHEL5.3 GA-snapshot1 panic in kcopyd during snapshot I/O [Emulex 5.3 bug] Update lpfc to version 8.2.0.33.3p [QLogic 5.3 bug] qla4xxx - Add checks for <TargetName, ISID, TargetPortGroupTag> RHEL5.3: Calgary DMA errors on IBM systems kernel: alsa: asoc: fix double free and memory leak in many codec drivers [rhel-5.3] Regression: multipath was setting the REQ_FAILFAST flags which caused a performance drop When bonding is used and IPV6 is enabled the message of 'kernel: bond0: duplicate address detected!' is output [RHEL5] nmi: crash during kdump kernel boot [qlogic 5.3 bug] qla2xxx - Set rport dev loss timeout consistently RHEL 5.3: fix scsi regression causing udev to hang loading sr_mod DM failing path due to a communication failure on a single i/o [RHEL 5.3 Xen]: Guest hang on FV save/restore fcoe: fix terminate_rport_io related problems RHEL5.2: ecryptfs oops after lower persistent file creation failure jbd races lead to EIO for O_DIRECT RHEL5.3 pv guests crash randomly on reboot orders. kdump panic introduced by hpet fix on systems without HPET e1000_clean_tx_irq: Detected Tx Unit Hang - 82546EB Kernel obsoletes existing Driver Updates on install crypto: hmac(md5) self-test panics system GFS2: glock deadlock in page fault path 2.6.26 backport of "check physical address range in ioremap" into RHEL5-U3 backport of fix endless page faults in mount_block_root for Linux 2.6 from 2.6.26 to RHEL5-U3 dlm: move plock code from gfs2 duplicate packet from ipt_CLUSTERIP module Read from /proc/ppc64/rtas/error_log does not honor O_NONBLOCK [QLogic 5.3 bug] qla2xxx/qla84xxx: Advertise qla84xx firmware rev. fix netlink code [QLogic 5.3 bug] Update qla2xxx version to meet open source standards. [QLogic 5.3 bug] qla2xxx/qla84xx: Fix 128Kb limitation in netlink messages; EEPROM/NVM of the e1000e becomes corrupted [aacraid] aac_srb: aac_fib_send failed with status 8195 deadlock when lockd tries to take f_sema that it already has clean up CIFS build warnings [TAHI] DAD test failure when ipv6_autoconf=yes net: Enable TSO if supported by at least one device RTL8101E performance problem ST Driver causing kernel panic condition r8169 driver broken in 2.6.18-92+ kernels. RTL8111/8168B network card does not work utrace: PTRACE_POKEUSR_AREA corrupts ACR0 [RHEL5 U2] iwl4965 -> compat module taints kernel 50-75 % drop in nfs-server rewrite performance compared to rhel 4.6+ LTC41974-Pages of a memory mapped NFS file get corrupted. [Areca 5.3 feat] Update arcmsr to version 1.20.00.15.RH1 SCSI IO errors do not propagate properly with certain SCSI devices xenkbd can crash when probe fails [RHEL5] console: kobject_add failed Need EOE (End of Event) audit message sent from kernel. Audit subsystem SIGUSR2 support resize2fs online resize fails with small journal xen/ia64 asm missing srlz instruction [RFE] Add uvcvideo module to the kernel. GFS2 : gfs2meta is FUBAR batch kprobe unregister fix setuid/setgid clearing by knfsd close system call returns -ERESTARTSYS FEAT: Add rt2x00 drivers FEAT: Add rtl818x drivers x86: fix PAE pmd_bad bootup warning v4l2 ioctl debug messages cannot be turned off s2io intr_type documentation inaccurate ip tunnel can't be bound to another device IPMI: Restrict keyboard io port reservation BusLogic module can't compile in the rhel 5.2 beta kernel BUG: Don't reserve crashkernel memory > 4 GB on ia64 Add gate.lds to Documentation/dontdiff CONFIG_AUDITSYSCALL requires SELinux Missing functions in UP kernel x86: show apicid for cpu in proc x86: don't call MP_processor_info for disabled cpu x86: don't call MP_processor_info for disabled cpu (64bit) HP DC7700 ACPI problem high I/O wait using 3w-9xxx fix bad merge in nfs3_write_done and nfs3_commit_done audit tty input nVidia MCP55 MCP55 Ethernet (rev a3) not functional on kernel 2.6.18-53.1.4 [RHEL5.2]: Running strace with a bad syscall doesn't return -ENOSYS [NEC/Stratus 5.3 bug] various crashes in md - rdev removed in the middle of ITERATE_RDEV GFS2: Hang when shrink_slab calls gfs2_delete_inode (the GFP_NOFS bit) Guest OS install causes host machine to crash Fake ARP dropped after migration leading to loss of network connectivity RHEL5.3: posix-timers race condition causes timer to seize up Fix NUL handling in TTY input auditing ssh connection hangs when running command producing large text output after running "service iptables restart" document divider= option in kernel docs dlm: check for null in device_write [rhel-5.3] soft lockup while unmounting a read-only filesystem with errors ecryptfs module incorrectly checks error codes in process_request_key_err utrace: orig_rax 0x00000000ffffffff not recognized as -1 gfs2 crash - BUG: unable to handle kernel NULL pointer dereference at virtual address kernel panic with voip traffic (h323) Backport NetXen nic driver from upstream kernel to RHEL5.3 dlm: add old plock interface network hangs and BUG() message at boot with -105.el5debug kernel RHEL 5.3: allow tcp socket buffers grow to larger than a page size CVE-2008-5079 Linux Kernel 'atm module' Local Denial of Service kernel NULL pointer dereference in kobject_get_path kernel doesn't honor ADDR_NO_RANDOMIZE for stack [IA64] Fix SMP-unsafe with XENMEM_add_to_physmap on HVM [Stratus 5.3][2/2] ttyS1 lost interrupt and it stops transmitting Unbalance reference count in ndisc_recv_ns getsockopt() returning incorrectly in PPC PTRACE_KILL does not kill the child process, rather than the child starts running freely. oops in cifs module while trying to stop a thread (kthread_stop) during filesystem mount kernel: splice: fix bad unlock_page() in error case [rhel-5.3] IPsec crash with MAC longer than 16 bytes [5.3] makedumpfile: Can't get necessary symbols for excluding free pages. softlockup when repeatedly dropping caches Feature: allow panic on softlockup warnings [RHEL5.3] Kernel-xen Oops EIP is at range_straddles_page_boundary+0x2c/0xd9 [QLogic 5.3 bug] qla3xxx, qla4xxx- Update version numbers and use new format. [RHEL5] patch enabling deep C states makes a RHTS machine hang on boot [All Partners 5.3 bug] allow both ACPI code paths to use the same blacklist dmi_table correctly [QLogic 5.3 bug] qla2xxx - Additional residual-count corrections during UNDERRUN handling. avc: denied { sys_resource } when using ext4dev partitions writing data to file can fail and cause panic sometimes when using xattr on ecryptfs RHEL5.3: Regression in ext3/jbd [autofs4] Incorrect "active offset mount" messages in syslog dlm: add dlm_posix_set_fsid to kABI RHEL 5.3: minor virtio_net_fixes kernel-xen doesn't boot on Dell Optiplex GX280 [QLogic 5.3 bug] qla2xxx - restore disable by default of MSI, MSI-X On RHEL 5.2 32 bit rmmod bonding results in a kernel panic when configured in balance-tlb mode [QLogic 5.3 bug] qla2xxx - Correct Atmel flash-part handling [QLogic 5.3 bug] qla2xxx - fails to report Option Rom version information kprobes remove causing kernel panic on ia64 with 2.6.18-92.1.10.el5 kernel IPV6DOD: ESP with 3des-cbc for encrypt and authentication set to "null" IPV6DOD: all MCAST_* socket options fail with 32-bit app, 64-bit kernel due to padding RHEL 5.3 NULL pointer dereferenced in powernowk8_init Kernel BUG at fs/nfs/namespace.c:103 (:nfs:nfs_follow_mountpoint) Driver sky2 lost support for Marvell 88E8056 network controller Error in the uhci code causes usb not to work with iommu=calgary boot option [REG][Xen][5.2beta] cannot open a vmcore of xen-kdump with crash Include xenpv-driver in bare metal kernel rpm. mptscsi race between hotremove and mptscsih_bus_reset libata: rmmod pata_sil680 never returns from ata_port_detach GFS2: d_doio stuck in readv() waiting for pagelock. GFS2: glock dumping misses out some glocks RFE: [Ext4 enabler] backport vfs helpers to facilitate ext4 backport and testing Assertion failure in journal_next_log_block Assertion failure in journal_start() at fs/jbd/transaction.c:274: 'handle->h_transaction->t_journal == journal' whitelist: iounmap(ia64) - Failed ABI dependencies for IA64 mpt SCSI drivers FEAT: RHEL 5.3 HDA ALSA driver update from mainstream backport patch to RHEL5 have it flip to synchronous writes when there is a write error Direct I/O cache invalidation after sync writes xentop - incompatibility between HV and userspace toolset [Stratus 5.3 bug] kernel NULL pointer dereference at usbdev_read GFS2 will panic if you misspell any mount options initscripts upgrade from 8.45.17 to 8.45.19 breaks arp_ip_target [RHEL5.3]: Hang when booting an i386 domU on an i386 HV [RFE] Add support for Wacom PTZ-431W to kernel [RHEL5] EDAC k8 MC0: extended error code: GART error [5.2][kdump][xen] crash failed to read vmcore from Dom0 Kernel GFS2: d_rwdirectempty fails with short read RHEL5.3: Patch to support new AMD HDMI Audio Netboot image for ppc too large Xen Support more than 16 disk devices (kernel) Need SCSI transport and LLD netlink support. /proc/xen on bare-metal and FV guests causes multiple issues libata: avoid overflow in ata_tf_to_lba48() when tf->hba_lbal> 127 kernel freezes when running script which features ecryptfs parts of kernel [firewire] unable to use disk (fw_sbp2: failed to login to ...) autofs problem with symbolic links acpi processor module displays errors if hyperthreading disabled libata: sata_nv - disable ADMA by default mounting CIFS subshare doesn't autoconvert prepath delimiters CIFS: enable DFS support as tech-preview in RHEL5.3 utrace: ERESTARTSYS from calling a function from a debugger pppoe: Fix skb_unshare_check call position [rhel-5.3] FEAT: Update ieee80211 component and associated drivers do not limit locked memory when RLIMIT_MEMLOCK is RLIM_INFINITY [QLogic 5.3 bug] latest qlogic driver takes several minutes to find LUNs on older qla2xx controller kernel dm snapshot: PPC64: kernel OOPS during activation of snapshot with small chunksize Backport fix for possible data corruption in mark_buffer_dirty on SMP fix up remaining sctp MIB problems ls shows two /proc/[pid]/limits files for every process Panic while using pci=use_crs for resource allocation utrace signal handling bug interferes with systemtap uprobes GFS2: rm on multiple nodes causes panic kernel: dlm: dlm/user.c input validation fixes [rhel-5.3] Marvell NIC using skge driver loses promiscuous mode on rewiring tg3.c does not build on sparc with > 2.6.18-53.el5 Xenoprof check_ctrs/start/stop fixes for intel family 6 [RHEL5] k8_edac: typo in 'EDAC k8 MC0: GART TLB errorr: ' RHEL5 Kernel patches for blktap statistics Misspellings in RPM description, suggested clarifications dlm: fixes for mixed endian cluster dlm: fixes for recovery of user lockspace dlm: keep cached master rsbs during recovery dlm: save master info after failed no-queue request [RHEL5 U2] Audit fails to shutdown properly ecryptfs page-sized memory allocations can corrupt memory kernel: fix array out of bounds when mounting with selinux options [rhel-5.3] [firewire] unable to use disk (giving up on config rom) [firewire] ohci iso receive support incomplete debugfs: file/directory creation error Please add vscnprintf and down_write_trylock to KABI Whitelist Rpm install fails due to missing symbols required in myri10ge-kmod x86_64 rpm use after free in nlm subsystem memory leak on size-8192 buckets with NFSV4 [RHEL5 U2] Connectathon RHEL5 client to RHEL4 server, Connectathon failure memory corruption due to portmap call succeeding after parent rpc_clnt has been freed remove extraneous error field from nfs_readdir_descriptor_t /proc/<pid>/environ not always accessible when receiving PTRACE_EVENT_EXIT ipv6: use timer pending to fix bridge reference count problem [rhel-5.3] pppoe: Unshare skb before anything else [rhel-5.3] Rpmbuild generates incorrect packages due to typos in the kernel-2.6.spec file. ia64: suspecious compile warning in brew IPSec Packet has no Non-ESP marker fix default route doesn't work. IPv6 default route does not work [PATCH][RHEL5.1] Performance Improvement of fdatasync(2) in case of Overwrite Add support for filetype option in audit subsystem JBD: Fix typo that could result in filesystem corruption. GFS2: lock_dlm is not always delivering callbacks in the right order dlm: fix basts for granted CW waiting PR/CW bonding driver can leave rtnl_lock unbalanced Ensure that 'noac' and/or 'actimeo=0' turn off attribute caching GFS2: cannot use fifo nodes (named pipes) deadlock when rpc_malloc tries to flush NFS pages gfs2: BUG: unable to handle kernel paging request at ffff81002690e000 IPsec memory leak RHEL 5.3 HDA ALSA driver update from upstream 2008-07-22 (fixes and support for new hw) kernel: serial open/close loop disables irq [rhel-5.3] dlm get_comm() uses NULL pointer GFS2: Multiple writer performance issue. [TAHI] no echo reply for loopback address [QLogic 5.3 bug] Update qla2xxx - PCI EE error handling support BUG: warning when pata_sil680 loaded Make dm interfaces available for external modules. cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Firefox is an open source Web browser. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code as the user running Firefox. (CVE-2009-0352, CVE-2009-0353, CVE-2009-0356) Several flaws were found in the way malformed content was processed. A website containing specially-crafted content could, potentially, trick a Firefox user into surrendering sensitive information. (CVE-2009-0354, CVE-2009-0355) A flaw was found in the way Firefox treated HTTPOnly cookies. An attacker able to execute arbitrary JavaScript on a target site using HTTPOnly cookies may be able to use this flaw to steal the cookie. (CVE-2009-0357) A flaw was found in the way Firefox treated certain HTTP page caching directives. A local attacker could steal the contents of sensitive pages which the page author did not intend to be cached. (CVE-2009-0358) For technical details regarding these flaws, please see the Mozilla security advisories for Firefox 3.0.6. You can find a link to the Mozilla advisories in the References section. All Firefox users should upgrade to these updated packages, which contain Firefox version 3.0.6, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect. Critical Copyright 2009 Red Hat, Inc. CVE-2009-0352 CVE-2009-0353 CVE-2009-0354 CVE-2009-0355 CVE-2009-0356 CVE-2009-0357 CVE-2009-0358 missing dependency on pkgconfig in the -devel subpackage CVE-2009-0355 Firefox local file stealing with SessionStore CVE-2009-0352 Firefox layout crashes with evidence of memory corruption CVE-2009-0353 Firefox javascript crashes with evidence of memory corruption CVE-2009-0354 Firefox XSS using a chrome XBL method and window.eval CVE-2009-0356 Firefox Chrome privilege escalation via local .desktop files CVE-2009-0357 Firefox XMLHttpRequest allows reading HTTPOnly cookies CVE-2009-0358 Firefox directives to not cache pages ignored cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 SeaMonkey is an open source Web browser, email and newsgroup client, IRC chat client, and HTML editor. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause SeaMonkey to crash or, potentially, execute arbitrary code as the user running SeaMonkey. (CVE-2009-0352, CVE-2009-0353) A flaw was found in the way malformed content was processed. A website containing specially-crafted content could, potentially, trick a SeaMonkey user into uploading a local file. (CVE-2009-0355) A flaw was found in the way SeaMonkey treated HTTPOnly cookies. An attacker able to execute arbitrary JavaScript on a target site using HTTPOnly cookies may be able to use this flaw to steal the cookie. (CVE-2009-0357) All SeaMonkey users should upgrade to these updated packages, which contain backported patches that correct these issues. After installing the update, SeaMonkey must be restarted for the changes to take effect. Critical Copyright 2009 Red Hat, Inc. CVE-2009-0352 CVE-2009-0353 CVE-2009-0355 CVE-2009-0357 CVE-2009-0355 Firefox local file stealing with SessionStore CVE-2009-0352 Firefox layout crashes with evidence of memory corruption CVE-2009-0353 Firefox javascript crashes with evidence of memory corruption CVE-2009-0357 Firefox XMLHttpRequest allows reading HTTPOnly cookies cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Thunderbird is a standalone mail and newsgroup client. Several flaws were found in the processing of malformed HTML mail content. An HTML mail message containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code as the user running Thunderbird. (CVE-2009-0352, CVE-2009-0353, CVE-2009-0772, CVE-2009-0774, CVE-2009-0775) Several flaws were found in the way malformed content was processed. An HTML mail message containing specially-crafted content could potentially trick a Thunderbird user into surrendering sensitive information. (CVE-2009-0355, CVE-2009-0776) Note: JavaScript support is disabled by default in Thunderbird. None of the above issues are exploitable unless JavaScript is enabled. All Thunderbird users should upgrade to this updated package, which resolves these issues. All running instances of Thunderbird must be restarted for the update to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-0352 CVE-2009-0353 CVE-2009-0355 CVE-2009-0772 CVE-2009-0774 CVE-2009-0775 CVE-2009-0776 CVE-2009-0355 Firefox local file stealing with SessionStore CVE-2009-0352 Firefox layout crashes with evidence of memory corruption CVE-2009-0353 Firefox javascript crashes with evidence of memory corruption CVE-2009-0775 Firefox XUL Linked Clones Double Free Vulnerability CVE-2009-0776 Firefox XML data theft via RDFXMLDataSource and cross-domain redirect CVE-2009-0772 Firefox 2 and 3 - Layout engine crashes CVE-2009-0774 Firefox 2 and 3 crashes in the JavaScript engine cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The mod_auth_mysql package includes an extension module for the Apache HTTP Server which can be used to implement web user authentication against a MySQL database. A flaw was found in the way mod_auth_mysql escaped certain multibyte-encoded strings. If mod_auth_mysql was configured to use a multibyte character set that allowed a backslash '\' as part of the character encodings, a remote attacker could inject arbitrary SQL commands into a login request. (CVE-2008-2384) Note: This flaw only affected non-default installations where AuthMySQLCharacterSet is configured to use one of the affected multibyte character sets. Installations that did not use the AuthMySQLCharacterSet configuration option were not vulnerable to this flaw. All mod_auth_mysql users are advised to upgrade to the updated package, which contains a backported patch to resolve this issue. After installing the update, the httpd daemon must be restarted for the fix to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2008-2384 CVE-2008-2384 mod_auth_mysql: character encoding SQL injection flaw cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Virtual Network Computing (VNC) is a remote display system which allows you to view a computer's "desktop" environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine architectures. An insufficient input validation flaw was discovered in the VNC client application, vncviewer. If an attacker could convince a victim to connect to a malicious VNC server, or when an attacker was able to connect to vncviewer running in the "listen" mode, the attacker could cause the victim's vncviewer to crash or, possibly, execute arbitrary code. (CVE-2008-4770) Users of vncviewer should upgrade to these updated packages, which contain a backported patch to resolve this issue. For the update to take effect, all running instances of vncviewer must be restarted after the update is installed. Moderate Copyright 2009 Red Hat, Inc. CVE-2008-4770 CVE-2008-4770 vnc: vncviewer insufficient encoding value validation in CMsgReader::readRect VNC Free Edition 4.1.3 fixes a possible security vulnerability only present in the listening viewer. VNC Server is not compromised. cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The kernel packages contain the Linux kernel, the core of any Linux operating system. This update addresses the following security issues: * a memory leak in keyctl handling. A local user could use this flaw to deplete kernel memory, eventually leading to a denial of service. (CVE-2009-0031, Important) * a buffer overflow in the Linux kernel Partial Reliable Stream Control Transmission Protocol (PR-SCTP) implementation. This could, potentially, lead to a denial of service if a Forward-TSN chunk is received with a large stream ID. (CVE-2009-0065, Important) * a flaw when handling heavy network traffic on an SMP system with many cores. An attacker who could send a large amount of network traffic could create a denial of service. (CVE-2008-5713, Important) * the code for the HFS and HFS Plus (HFS+) file systems failed to properly handle corrupted data structures. This could, potentially, lead to a local denial of service. (CVE-2008-4933, CVE-2008-5025, Low) * a flaw was found in the HFS Plus (HFS+) file system implementation. This could, potentially, lead to a local denial of service when write operations are performed. (CVE-2008-4934, Low) In addition, these updated packages fix the following bugs: * when using the nfsd daemon in a clustered setup, kernel panics appeared seemingly at random. These panics were caused by a race condition in the device-mapper mirror target. * the clock_gettime(CLOCK_THREAD_CPUTIME_ID, ) syscall returned a smaller timespec value than the result of previous clock_gettime() function execution, which resulted in a negative, and nonsensical, elapsed time value. * nfs_create_rpc_client was called with a "flavor" parameter which was usually ignored and ended up unconditionally creating the RPC client with an AUTH_UNIX flavor. This caused problems on AUTH_GSS mounts when the credentials needed to be refreshed. The credops did not match the authorization type, which resulted in the credops dereferencing an incorrect part of the AUTH_UNIX rpc_auth struct. * when copy_user_c terminated prematurely due to reading beyond the end of the user buffer and the kernel jumped to the exception table entry, the rsi register was not cleared. This resulted in exiting back to user code with garbage in the rsi register. * the hexdump data in s390dbf traces was incomplete. The length of the data traced was incorrect and the SAN payload was read from a different place then it was written to. * when using connected mode (CM) in IPoIB on ehca2 hardware, it was not possible to transmit any data. * when an application called fork() and pthread_create() many times and, at some point, a thread forked a child and then attempted to call the setpgid() function, then this function failed and returned and ESRCH error value. Users should upgrade to these updated packages, which contain backported patches to correct these issues. Note: for this update to take effect, the system must be rebooted. Important Copyright 2009 Red Hat, Inc. CVE-2008-4933 CVE-2008-4934 CVE-2008-5025 CVE-2008-5713 CVE-2009-0031 CVE-2009-0065 oops in mirror_map (dm-raid1.c) [5.3] clock_gettime() syscall returns a smaller timespec value than previous. Kernel panic in auth_rpcgss:__gss_find_upcall RHSA-2008:0508 linux-2.6.9-x86_64-copy_user-zero-tail.patch broken zfcp: fix hexdump data in s390dbf traces CVE-2008-5713 kernel: soft lockup occurs when network load is very high CVE-2009-0031 kernel: local denial of service in keyctl_join_session_keyring CVE-2008-4933 kernel: hfsplus: fix Buffer overflow with a corrupted image CVE-2008-4934 kernel: hfsplus: check read_mapping_page() return value CVE-2008-5025 kernel: hfs: fix namelength memory corruption IB/ipoib: data transmission fails in connected mode on any HCA CVE-2009-0065 kernel: sctp: memory overflow when FWD-TSN chunk is received with bad stream ID RHEL5.2/3 - setpgid() returns ESRCH in some situations cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The sudo (superuser do) utility allows system administrators to give certain users the ability to run commands as root with logging. A flaw was discovered in a way sudo handled group specifications in "run as" lists in the sudoers configuration file. If sudo configuration allowed a user to run commands as any user of some group and the user was also a member of that group, sudo incorrectly allowed them to run defined commands with the privileges of any system user. This gave the user unintended privileges. (CVE-2009-0034) Users of sudo should update to this updated package, which contains a backported patch to resolve this issue. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-0034 CVE-2009-0034 sudo: incorrect handling of groups in Runas_User cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The gstreamer-plugins package contains plug-ins used by the GStreamer streaming-media framework to support a wide variety of media types. An array indexing error was found in the GStreamer's QuickTime media file format decoding plug-in. An attacker could create a carefully-crafted QuickTime media .mov file that would cause an application using GStreamer to crash or, potentially, execute arbitrary code if played by a victim. (CVE-2009-0398) All users of gstreamer-plugins are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the update, all applications using GStreamer (such as nautilus-media) must be restarted for the changes to take effect. Important Copyright 2009 Red Hat, Inc. CVE-2009-0398 CVE-2009-0398 gstreamer-plugins: Array index error while parsing malformed QuickTime media files cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The gstreamer-plugins package contains plugins used by the GStreamer streaming-media framework to support a wide variety of media types. A heap buffer overflow was found in the GStreamer's QuickTime media file format decoding plug-in. An attacker could create a carefully-crafted QuickTime media .mov file that would cause an application using GStreamer to crash or, potentially, execute arbitrary code if played by a victim. (CVE-2009-0397) All users of gstreamer-plugins are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the update, all applications using GStreamer (such as rhythmbox) must be restarted for the changes to take effect. Important Copyright 2009 Red Hat, Inc. CVE-2009-0397 CVE-2009-0397 gstreamer-plugins, gstreamer-plugins-good: heap-based buffer overflow while parsing malformed QuickTime media files via crafted Time-to-sample (stss) atom data cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 GStreamer is a streaming media framework, based on graphs of filters which operate on media data. GStreamer Good Plug-ins is a collection of well-supported, GStreamer plug-ins of good quality released under the LGPL license. Multiple heap buffer overflows and an array indexing error were found in the GStreamer's QuickTime media file format decoding plugin. An attacker could create a carefully-crafted QuickTime media .mov file that would cause an application using GStreamer to crash or, potentially, execute arbitrary code if played by a victim. (CVE-2009-0386, CVE-2009-0387, CVE-2009-0397) All users of gstreamer-plugins-good are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the update, all applications using GStreamer (such as totem or rhythmbox) must be restarted for the changes to take effect. Important Copyright 2009 Red Hat, Inc. CVE-2009-0386 CVE-2009-0387 CVE-2009-0397 CVE-2009-0397 gstreamer-plugins, gstreamer-plugins-good: heap-based buffer overflow while parsing malformed QuickTime media files via crafted Time-to-sample (stss) atom data CVE-2009-0386 gstreamer-plugins-good: heap-based buffer overflow while parsing malformed QuickTime media files via crafted Composition Time To Sample (aka ctts) atom data CVE-2009-0387 gstreamer-plugins-good: Array index error while parsing malformed QuickTime media files via crafted Sync Sample (aka stss) atom data cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The imap package provides server daemons for both the IMAP (Internet Message Access Protocol) and POP (Post Office Protocol) mail access protocols. A buffer overflow flaw was discovered in the dmail and tmail mail delivery utilities shipped with imap. If either of these utilities were used as a mail delivery agent, a remote attacker could potentially use this flaw to run arbitrary code as the targeted user by sending a specially-crafted mail message to the victim. (CVE-2008-5005) Users of imap should upgrade to these updated packages, which contain a backported patch to resolve this issue. Moderate Copyright 2009 Red Hat, Inc. CVE-2008-5005 CVE-2008-5005 uw-imap: buffer overflow in dmail and tmail cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Simple Network Management Protocol (SNMP) is a protocol used for network management. It was discovered that the snmpd daemon did not use TCP wrappers correctly, causing network hosts access restrictions defined in "/etc/hosts.allow" and "/etc/hosts.deny" to not be honored. A remote attacker could use this flaw to bypass intended access restrictions. (CVE-2008-6123) This issue only affected configurations where hosts.allow and hosts.deny were used to limit access to the SNMP server. To obtain information from the server, the attacker would have to successfully authenticate, usually by providing a correct community string. All net-snmp users should upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the update, the snmpd and snmptrapd daemons will be restarted automatically. Moderate Copyright 2009 Red Hat, Inc. CVE-2008-6123 CVE-2008-6123 net-snmp: incorrect application of hosts access restrictions in hosts.{allow,deny} cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The International Components for Unicode (ICU) library provides robust and full-featured Unicode services. A flaw was found in the way ICU processed certain, invalid, encoded data. If an application used ICU to decode malformed, multibyte, character data, it may have been possible to bypass certain content protection mechanisms, or display information in a manner misleading to the user. (CVE-2008-1036) All users of icu should upgrade to these updated packages, which contain backported patches to resolve these issues. Moderate Copyright 2009 Red Hat, Inc. CVE-2008-1036 CVE-2008-1036 ICU: Invalid character sequences omission during conversion of some character encodings (XSS attack possible) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Common UNIX® Printing System (CUPS) provides a portable printing layer for UNIX operating systems. The CUPS security advisory, RHSA-2008:0937, stated that it fixed CVE-2008-3640 for Red Hat Enterprise Linux 3, 4, and 5. It was discovered this flaw was not properly fixed on Red Hat Enterprise Linux 3, however. (CVE-2009-0577) These new packages contain a proper fix for CVE-2008-3640 on Red Hat Enterprise Linux 3. Red Hat Enterprise Linux 4 and 5 already contain the appropriate fix for this flaw and do not need to be updated. Users of cups should upgrade to these updated packages, which contain a backported patch to correct this issue. Important Copyright 2009 Red Hat, Inc. CVE-2009-0577 CVE-2009-0577 cups-CVE-2008-3640.patch has been corrupted. cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Wireshark is a program for monitoring network traffic. Wireshark was previously known as Ethereal. Multiple buffer overflow flaws were found in Wireshark. If Wireshark read a malformed packet off a network or opened a malformed dump file, it could crash or, possibly, execute arbitrary code as the user running Wireshark. (CVE-2008-4683, CVE-2009-0599) Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malformed dump file. (CVE-2008-4680, CVE-2008-4681, CVE-2008-4682, CVE-2008-4684, CVE-2008-4685, CVE-2008-5285, CVE-2009-0600) Users of wireshark should upgrade to these updated packages, which contain Wireshark version 1.0.6, and resolve these issues. All running instances of Wireshark must be restarted for the update to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2008-4680 CVE-2008-4681 CVE-2008-4682 CVE-2008-4683 CVE-2008-4684 CVE-2008-4685 CVE-2008-5285 CVE-2008-6472 CVE-2009-0599 CVE-2009-0600 CVE-2009-0599 wireshark: buffer overflows in NetScreen snoop file reader CVE-2009-0600 wireshark: denial of service (application crash) via a crafted Tektronix K12 text capture file CVE-2008-4683 wireshark: DoS (app crash or abort) in Bluetooth ACL dissector via a packet with an invalid length CVE-2008-4680 wireshark: DoS (app crash or abort) via malformed USB Request Block (URB). CVE-2008-4681 wireshark: DoS (app crash or abort) in Bluetooth RFCOMM dissector via unknown packets CVE-2008-4682 wireshark: DoS (app abort) via a malformed .ncf file with an unknown/unexpected packet type CVE-2008-4684 wireshark: DoS (app crash) via certain series of packets by enabling the (1) PRP or (2) MATE post dissector CVE-2008-4685 wireshark: DoS (app crash or abort) in Q.931 dissector via certain packets CVE-2008-5285 wireshark: DoS (infinite loop) in SMTP dissector via large SMTP request cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Firefox is an open source Web browser. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code as the user running Firefox. (CVE-2009-0040, CVE-2009-0771, CVE-2009-0772, CVE-2009-0773, CVE-2009-0774, CVE-2009-0775) Several flaws were found in the way malformed content was processed. A website containing specially-crafted content could, potentially, trick a Firefox user into surrendering sensitive information. (CVE-2009-0776, CVE-2009-0777) For technical details regarding these flaws, please see the Mozilla security advisories for Firefox 3.0.7. You can find a link to the Mozilla advisories in the References section of this errata. All Firefox users should upgrade to these updated packages, which contain Firefox version 3.0.7, and which correct these issues. After installing the update, Firefox must be restarted for the changes to take effect. Critical Copyright 2009 Red Hat, Inc. CVE-2009-0040 CVE-2009-0771 CVE-2009-0772 CVE-2009-0773 CVE-2009-0774 CVE-2009-0775 CVE-2009-0776 CVE-2009-0777 CVE-2009-0040 libpng arbitrary free() flaw CVE-2009-0771 Firefox 3 Layout Engine Crashes CVE-2009-0775 Firefox XUL Linked Clones Double Free Vulnerability CVE-2009-0776 Firefox XML data theft via RDFXMLDataSource and cross-domain redirect CVE-2009-0772 Firefox 2 and 3 - Layout engine crashes CVE-2009-0773 Firefox 3 crashes in the JavaScript engine CVE-2009-0774 Firefox 2 and 3 crashes in the JavaScript engine CVE-2009-0777 Firefox URL spoofing with invisible control characters cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 SeaMonkey is an open source Web browser, email and newsgroup client, IRC chat client, and HTML editor. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause SeaMonkey to crash or, potentially, execute arbitrary code as the user running SeaMonkey. (CVE-2009-0040, CVE-2009-0772, CVE-2009-0774, CVE-2009-0775) A flaw was found in the way malformed content was processed. A website containing specially-crafted content could, potentially, trick a SeaMonkey user into surrendering sensitive information. (CVE-2009-0776) All SeaMonkey users should upgrade to these updated packages, which contain backported patches that correct these issues. After installing the update, SeaMonkey must be restarted for the changes to take effect. Critical Copyright 2009 Red Hat, Inc. CVE-2009-0040 CVE-2009-0772 CVE-2009-0774 CVE-2009-0775 CVE-2009-0776 CVE-2009-0040 libpng arbitrary free() flaw CVE-2009-0775 Firefox XUL Linked Clones Double Free Vulnerability CVE-2009-0776 Firefox XML data theft via RDFXMLDataSource and cross-domain redirect CVE-2009-0772 Firefox 2 and 3 - Layout engine crashes CVE-2009-0774 Firefox 2 and 3 crashes in the JavaScript engine cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security fixes: * memory leaks were found on some error paths in the icmp_send() function in the Linux kernel. This could, potentially, cause the network connectivity to cease. (CVE-2009-0778, Important) * Chris Evans reported a deficiency in the clone() system call when called with the CLONE_PARENT flag. This flaw permits the caller (the parent process) to indicate an arbitrary signal it wants to receive when its child process exits. This could lead to a denial of service of the parent process. (CVE-2009-0028, Moderate) * an off-by-one underflow flaw was found in the eCryptfs subsystem. This could potentially cause a local denial of service when the readlink() function returned an error. (CVE-2009-0269, Moderate) * a deficiency was found in the Remote BIOS Update (RBU) driver for Dell systems. This could allow a local, unprivileged user to cause a denial of service by reading zero bytes from the image_type or packet_size files in "/sys/devices/platform/dell_rbu/". (CVE-2009-0322, Moderate) * an inverted logic flaw was found in the SysKonnect FDDI PCI adapter driver, allowing driver statistics to be reset only when the CAP_NET_ADMIN capability was absent (local, unprivileged users could reset driver statistics). (CVE-2009-0675, Moderate) * the sock_getsockopt() function in the Linux kernel did not properly initialize a data structure that can be directly returned to user-space when the getsockopt() function is called with SO_BSDCOMPAT optname set. This flaw could possibly lead to memory disclosure. (CVE-2009-0676, Moderate) * the ext2 and ext3 file system code failed to properly handle corrupted data structures, leading to a possible local denial of service when read or write operations were performed on a specially-crafted file system. (CVE-2008-3528, Low) * a deficiency was found in the libATA implementation. This could, potentially, lead to a local denial of service. Note: by default, the "/dev/sg*" devices are accessible only to the root user. (CVE-2008-5700, Low) Bug fixes: * a bug in aic94xx may have caused kernel panics during boot on some systems with certain SATA disks. (BZ#485909) * a word endianness problem in the qla2xx driver on PowerPC-based machines may have corrupted flash-based devices. (BZ#485908) * a memory leak in pipe() may have caused a system deadlock. The workaround in Section 1.5, Known Issues, of the Red Hat Enterprise Linux 5.3 Release Notes Updates, which involved manually allocating extra file descriptors to processes calling do_pipe, is no longer necessary. (BZ#481576) * CPU soft-lockups in the network rate estimator. (BZ#481746) * bugs in the ixgbe driver caused it to function unreliably on some systems with 16 or more CPU cores. (BZ#483210) * the iwl4965 driver may have caused a kernel panic. (BZ#483206) * a bug caused NFS attributes to not update for some long-lived NFS mounted file systems. (BZ#483201) * unmounting a GFS2 file system may have caused a panic. (BZ#485910) * a bug in ptrace() may have caused a panic when single stepping a target. (BZ#487394) * on some 64-bit systems, notsc was incorrectly set at boot, causing slow gettimeofday() calls. (BZ#488239) * do_machine_check() cleared all Machine Check Exception (MCE) status registers, preventing the BIOS from using them to determine the cause of certain panics and errors. (BZ#490433) * scaling problems caused performance problems for LAPI applications. (BZ#489457) * a panic may have occurred on systems using certain Intel WiFi Link 5000 products when booting with the RF Kill switch on. (BZ#489846) * the TSC is invariant with C/P/T states, and always runs at constant frequency from now on. (BZ#489310) All users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect. Important Copyright 2009 Red Hat, Inc. CVE-2008-3528 CVE-2008-5700 CVE-2009-0028 CVE-2009-0269 CVE-2009-0322 CVE-2009-0675 CVE-2009-0676 CVE-2009-0778 reproducible panic in debugfs_remove when unmounting gfs2 filesystem Panic at boot if SATA disk is present [QLogic 5.4 bug] qla2xx - Word-endian problem programming flash on PPC RHEL5.3 (x86_64): MCE handler must not clear status registers on fatal conditions multipath test causes memory leak and eventual system deadlock [RHEL 5] gen_estimator deadlock fix CVE-2009-0269 kernel: ecryptfs readlink flaw CVE-2009-0028 Linux kernel minor signal handling vulnerability CVE-2009-0322 kernel: dell_rbu local oops NFS problem#3 of IT 106473 - 32-bit jiffy wrap around - NFS inode Kernel panic in iwl4965 driver kernel BUG at kernel/ptrace.c:1068 RHEL5 kernel forces notsc on certain systems [C-state support dependant] CVE-2009-0676 kernel: memory disclosure in SO_BSDCOMPAT gsopt CVE-2009-0675 kernel: skfp_ioctl inverted logic flaw CVE-2009-0778 kernel: rt_cache leak leads to lack of network connectivity Lapi takes too long to run CVE-2008-5700 kernel: enforce a minimum SG_IO timeout CVE-2008-3528 Linux kernel ext[234] directory corruption denial of service RHEL 5.3 GA kernel panics when RF Kill is on in 5100/5300 AGN [Intel 5.4 FEAT] TSC keeps running in C3+ cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 FreeType is a free, high-quality, portable font engine that can open and manage font files. It also loads, hints, and renders individual glyphs efficiently. These packages provide both the FreeType 1 and FreeType 2 font engines. Tavis Ormandy of the Google Security Team discovered several integer overflow flaws in the FreeType 2 font engine. If a user loaded a carefully-crafted font file with an application linked against FreeType 2, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2009-0946) Chris Evans discovered multiple integer overflow flaws in the FreeType font engine. If a user loaded a carefully-crafted font file with an application linked against FreeType, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2006-1861) An integer overflow flaw was found in the way the FreeType font engine processed TrueType® Font (TTF) files. If a user loaded a carefully-crafted font file with an application linked against FreeType, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2007-2754) A flaw was discovered in the FreeType TTF font-file format parser when the TrueType virtual machine Byte Code Interpreter (BCI) is enabled. If a user loaded a carefully-crafted font file with an application linked against FreeType, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2008-1808) The CVE-2008-1808 flaw did not affect the freetype packages as distributed in Red Hat Enterprise Linux 3 and 4, as they are not compiled with TrueType BCI support. A fix for this flaw has been included in this update as users may choose to recompile the freetype packages in order to enable TrueType BCI support. Red Hat does not, however, provide support for modified and recompiled packages. Note: For the FreeType 2 font engine, the CVE-2006-1861, CVE-2007-2754, and CVE-2008-1808 flaws were addressed via RHSA-2006:0500, RHSA-2007:0403, and RHSA-2008:0556 respectively. This update provides corresponding updates for the FreeType 1 font engine, included in the freetype packages distributed in Red Hat Enterprise Linux 3 and 4. Users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The X server must be restarted (log out, then log back in) for this update to take effect. Important Copyright 2009 Red Hat, Inc. CVE-2006-1861 CVE-2007-2754 CVE-2008-1808 CVE-2009-0946 CVE-2007-2754 freetype integer overflow CVE-2008-1808 FreeType off-by-one flaws CVE-2006-1861 freetype: multiple integer overflow vulnerabilities CVE-2009-0946 freetype: multiple integer overflows cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The kernel packages contain the Linux kernel, the core of any Linux operating system. This update addresses the following security issues: * a buffer overflow was found in the Linux kernel Partial Reliable Stream Control Transmission Protocol (PR-SCTP) implementation. This could, potentially, lead to a denial of service if a Forward-TSN chunk is received with a large stream ID. (CVE-2009-0065, Important) * a memory leak was found in keyctl handling. A local, unprivileged user could use this flaw to deplete kernel memory, eventually leading to a denial of service. (CVE-2009-0031, Important) * a deficiency was found in the Remote BIOS Update (RBU) driver for Dell systems. This could allow a local, unprivileged user to cause a denial of service by reading zero bytes from the image_type or packet_size file in "/sys/devices/platform/dell_rbu/". (CVE-2009-0322, Important) * a deficiency was found in the libATA implementation. This could, potentially, lead to a denial of service. Note: by default, "/dev/sg*" devices are accessible only to the root user. (CVE-2008-5700, Low) This update also fixes the following bugs: * when the hypervisor changed a page table entry (pte) mapping from read-only to writable via a make_writable hypercall, accessing the changed page immediately following the change caused a spurious page fault. When trying to install a para-virtualized Red Hat Enterprise Linux 4 guest on a Red Hat Enterprise Linux 5.3 dom0 host, this fault crashed the installer with a kernel backtrace. With this update, the "spurious" page fault is handled properly. (BZ#483748) * net_rx_action could detect its cpu poll_list as non-empty, but have that same list reduced to empty by the poll_napi path. This resulted in garbage data being returned when net_rx_action calls list_entry, which subsequently resulted in several possible crash conditions. The race condition in the network code which caused this has been fixed. (BZ#475970, BZ#479681, BZ#480741) * a misplaced memory barrier at unlock_buffer() could lead to a concurrent h_refcounter update which produced a reference counter leak and, later, a double free in ext3_xattr_release_block(). Consequent to the double free, ext3 reported an error ext3_free_blocks_sb: bit already cleared for block [block number] and mounted itself as read-only. With this update, the memory barrier is now placed before the buffer head lock bit, forcing the write order and preventing the double free. (BZ#476533) * when the iptables module was unloaded, it was assumed the correct entry for removal had been found if "wrapper->ops->pf" matched the value passed in by "reg->pf". If several ops ranges were registered against the same protocol family, however, (which was likely if you had both ip_conntrack and ip_contrack_* loaded) this assumption could lead to NULL list pointers and cause a kernel panic. With this update, "wrapper->ops" is matched to pointer values "reg", which ensures the correct entry is removed and results in no NULL list pointers. (BZ#477147) * when the pidmap page (used for tracking process ids, pids) incremented to an even page (ie the second, fourth, sixth, etc. pidmap page), the alloc_pidmap() routine skipped the page. This resulted in "holes" in the allocated pids. For example, after pid 32767, you would expect 32768 to be allocated. If the page skipping behavior presented, however, the pid allocated after 32767 was 65536. With this update, alloc_pidmap() no longer skips alternate pidmap pages and allocated pid holes no longer occur. This fix also corrects an error which allowed pid_max to be set higher than the pid_max limit has been corrected. (BZ#479182) All Red Hat Enterprise Linux 4 users should upgrade to these updated packages, which contain backported patches to resolve these issues. The system must be rebooted for this update to take effect. Important Copyright 2009 Red Hat, Inc. CVE-2008-5700 CVE-2009-0031 CVE-2009-0065 CVE-2009-0322 oops in e1000_clean (list corruption due to race with e1000_down) CVE-2009-0031 kernel: local denial of service in keyctl_join_session_keyring CVE-2009-0322 kernel: dell_rbu local oops rhel4 PV guest installations busted on rhel 5.3 i386 intel dom0 Read-only filesystem after 'ext3_free_blocks_sb: bit already cleared for block' errors Kernel panic when unloading ip conntrack modules RHEL4 64 bit skips all pids with bit 15 set (32768-65535, 98304-131071 etc) oops in net_rx_action on double free of dev->poll_list CVE-2009-0065 kernel: sctp: memory overflow when FWD-TSN chunk is received with bad stream ID CVE-2008-5700 kernel: enforce a minimum SG_IO timeout RHEL4.8 kernel crashed in net_rx_action() on IA64 machine in RHTS connectathon test cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The libpng packages contain a library of functions for creating and manipulating PNG (Portable Network Graphics) image format files. A flaw was discovered in libpng that could result in libpng trying to free() random memory if certain, unlikely error conditions occurred. If a carefully-crafted PNG file was loaded by an application linked against libpng, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2009-0040) A flaw was discovered in the way libpng handled PNG images containing "unknown" chunks. If an application linked against libpng attempted to process a malformed, unknown chunk in a malicious PNG image, it could cause the application to crash. (CVE-2008-1382) Users of libpng and libpng10 should upgrade to these updated packages, which contain backported patches to correct these issues. All running applications using libpng or libpng10 must be restarted for the update to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2008-1382 CVE-2009-0040 CVE-2009-0040 libpng arbitrary free() flaw CVE-2008-1382 libpng unknown chunk handling flaw cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 GLib is the low-level core library that forms the basis for projects such as GTK+ and GNOME. It provides data structure handling for C, portability wrappers, and interfaces for such runtime functionality as an event loop, threads, dynamic loading, and an object system. Diego Pettenò discovered multiple integer overflows causing heap-based buffer overflows in GLib's Base64 encoding and decoding functions. An attacker could use these flaws to crash an application using GLib's Base64 functions to encode or decode large, untrusted inputs, or, possibly, execute arbitrary code as the user running the application. (CVE-2008-4316) Note: No application shipped with Red Hat Enterprise Linux 5 uses the affected functions. Third-party applications may, however, be affected. All users of glib2 should upgrade to these updated packages, which contain backported patches to resolve these issues. Moderate Copyright 2009 Red Hat, Inc. CVE-2008-4316 CVE-2008-4316 glib2: integer overflows in the base64 handling functions (oCERT-2008-015) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A heap-based buffer overflow flaw was found in PHP's mbstring extension. A remote attacker able to pass arbitrary input to a PHP script using mbstring conversion functions could cause the PHP interpreter to crash or, possibly, execute arbitrary code. (CVE-2008-5557) A flaw was found in the handling of the "mbstring.func_overload" configuration setting. A value set for one virtual host, or in a user's .htaccess file, was incorrectly applied to other virtual hosts on the same server, causing the handling of multibyte character strings to not work correctly. (CVE-2009-0754) A buffer overflow flaw was found in PHP's imageloadfont function. If a PHP script allowed a remote attacker to load a carefully crafted font file, it could cause the PHP interpreter to crash or, possibly, execute arbitrary code. (CVE-2008-3658) A flaw was found in the way PHP handled certain file extensions when running in FastCGI mode. If the PHP interpreter was being executed via FastCGI, a remote attacker could create a request which would cause the PHP interpreter to crash. (CVE-2008-3660) A memory disclosure flaw was found in the PHP gd extension's imagerotate function. A remote attacker able to pass arbitrary values as the "background color" argument of the function could, possibly, view portions of the PHP interpreter's memory. (CVE-2008-5498) All php users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. The httpd web server must be restarted for the changes to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2008-3658 CVE-2008-3660 CVE-2008-5498 CVE-2008-5557 CVE-2009-0754 CVE-2008-3658 php: buffer overflow in the imageloadfont function in gd extension CVE-2008-3660 php: FastCGI module DoS via multiple dots preceding the extension CVE-2008-5498 php: libgd imagerotate() array index error memory disclosure CVE-2009-0754 PHP mbstring.func_overload web server denial of service CVE-2008-5557 php: Heap-based buffer overflow in the mbstring extension via crafted string containing a HTML entity (arb code execution) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A heap-based buffer overflow flaw was found in PHP's mbstring extension. A remote attacker able to pass arbitrary input to a PHP script using mbstring conversion functions could cause the PHP interpreter to crash or, possibly, execute arbitrary code. (CVE-2008-5557) A flaw was found in the handling of the "mbstring.func_overload" configuration setting. A value set for one virtual host, or in a user's .htaccess file, was incorrectly applied to other virtual hosts on the same server, causing the handling of multibyte character strings to not work correctly. (CVE-2009-0754) A buffer overflow flaw was found in PHP's imageloadfont function. If a PHP script allowed a remote attacker to load a carefully crafted font file, it could cause the PHP interpreter to crash or, possibly, execute arbitrary code. (CVE-2008-3658) A flaw was found in the way PHP handled certain file extensions when running in FastCGI mode. If the PHP interpreter was being executed via FastCGI, a remote attacker could create a request which would cause the PHP interpreter to crash. (CVE-2008-3660) A memory disclosure flaw was found in the PHP gd extension's imagerotate function. A remote attacker able to pass arbitrary values as the "background color" argument of the function could, possibly, view portions of the PHP interpreter's memory. (CVE-2008-5498) A cross-site scripting flaw was found in a way PHP reported errors for invalid cookies. If the PHP interpreter had "display_errors" enabled, a remote attacker able to set a specially-crafted cookie on a victim's system could possibly inject arbitrary HTML into an error message generated by PHP. (CVE-2008-5814) All php users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. The httpd web server must be restarted for the changes to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2008-3658 CVE-2008-3660 CVE-2008-5498 CVE-2008-5557 CVE-2008-5814 CVE-2009-0754 CVE-2008-3658 php: buffer overflow in the imageloadfont function in gd extension CVE-2008-3660 php: FastCGI module DoS via multiple dots preceding the extension CVE-2008-5498 php: libgd imagerotate() array index error memory disclosure CVE-2009-0754 PHP mbstring.func_overload web server denial of service CVE-2008-5557 php: Heap-based buffer overflow in the mbstring extension via crafted string containing a HTML entity (arb code execution) CVE-2008-5814 php: XSS via PHP error messages cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Little Color Management System (LittleCMS, or simply "lcms") is a small-footprint, speed-optimized open source color management engine. Multiple integer overflow flaws which could lead to heap-based buffer overflows, as well as multiple insufficient input validation flaws, were found in LittleCMS. An attacker could use these flaws to create a specially-crafted image file which could cause an application using LittleCMS to crash, or, possibly, execute arbitrary code when opened by a victim. (CVE-2009-0723, CVE-2009-0733) A memory leak flaw was found in LittleCMS. An application using LittleCMS could use excessive amount of memory, and possibly crash after using all available memory, if used to open specially-crafted images. (CVE-2009-0581) Red Hat would like to thank Chris Evans from the Google Security Team for reporting these issues. All users of LittleCMS should install these updated packages, which upgrade LittleCMS to version 1.18. All running applications using the lcms library must be restarted for the update to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-0581 CVE-2009-0723 CVE-2009-0733 CVE-2009-0733 LittleCms lack of upper-bounds check on sizes CVE-2009-0581 LittleCms memory leak CVE-2009-0723 LittleCms integer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The libpng packages contain a library of functions for creating and manipulating PNG (Portable Network Graphics) image format files. A flaw was discovered in libpng that could result in libpng trying to free() random memory if certain, unlikely error conditions occurred. If a carefully-crafted PNG file was loaded by an application linked against libpng, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2009-0040) Users of libpng and libpng10 should upgrade to these updated packages, which contain backported patches to correct these issues. All running applications using libpng or libpng10 must be restarted for the update to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-0040 CVE-2009-0040 libpng arbitrary free() flaw cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 cURL is a tool for getting files from FTP, HTTP, Gopher, Telnet, and Dict servers, using any of the supported protocols. cURL is designed to work without user interaction or any kind of interactivity. David Kierznowski discovered a flaw in libcurl where it would not differentiate between different target URLs when handling automatic redirects. This caused libcurl to follow any new URL that it understood, including the "file://" URL type. This could allow a remote server to force a local libcurl-using application to read a local file instead of the remote one, possibly exposing local files that were not meant to be exposed. (CVE-2009-0037) Note: Applications using libcurl that are expected to follow redirects to "file://" protocol must now explicitly call curl_easy_setopt(3) and set the newly introduced CURLOPT_REDIR_PROTOCOLS option as required. cURL users should upgrade to these updated packages, which contain backported patches to correct these issues. All running applications using libcurl must be restarted for the update to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-0037 CVE-2009-0037 curl: local file access via unsafe redirects cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 libsoup is an HTTP client/library implementation for GNOME written in C. It was originally part of a SOAP (Simple Object Access Protocol) implementation called Soup, but the SOAP and non-SOAP parts have now been split into separate packages. An integer overflow flaw which caused a heap-based buffer overflow was discovered in libsoup's Base64 encoding routine. An attacker could use this flaw to crash, or, possibly, execute arbitrary code. This arbitrary code would execute with the privileges of the application using libsoup's Base64 routine to encode large, untrusted inputs. (CVE-2009-0585) All users of libsoup and evolution28-libsoup should upgrade to these updated packages, which contain a backported patch to resolve this issue. All running applications using the affected library function (such as Evolution configured to connect to the GroupWise back-end) must be restarted for the update to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-0585 CVE-2009-0585 libsoup: integer overflow in soup_base64_encode() cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 GStreamer is a streaming media framework based on graphs of filters which operate on media data. GStreamer Base Plug-ins is a collection of well-maintained base plug-ins. An integer overflow flaw which caused a heap-based buffer overflow was discovered in the Vorbis comment tags reader. An attacker could create a carefully-crafted Vorbis file that would cause an application using GStreamer to crash or, potentially, execute arbitrary code if opened by a victim. (CVE-2009-0586) All users of gstreamer-plugins-base are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing this update, all applications using GStreamer (such as Totem or Rhythmbox) must be restarted for the changes to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-0586 CVE-2009-0586 gstreamer-plugins-base: integer overflow in gst_vorbis_tag_add_coverart() cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Evolution Data Server provides a unified back-end for applications which interact with contacts, task, and calendar information. Evolution Data Server was originally developed as a back-end for Evolution, but is now used by multiple other applications. Evolution Data Server did not properly check the Secure/Multipurpose Internet Mail Extensions (S/MIME) signatures used for public key encryption and signing of e-mail messages. An attacker could use this flaw to spoof a signature by modifying the text of the e-mail message displayed to the user. (CVE-2009-0547) It was discovered that Evolution Data Server did not properly validate NTLM (NT LAN Manager) authentication challenge packets. A malicious server using NTLM authentication could cause an application using Evolution Data Server to disclose portions of its memory or crash during user authentication. (CVE-2009-0582) Multiple integer overflow flaws which could cause heap-based buffer overflows were found in the Base64 encoding routines used by Evolution Data Server. This could cause an application using Evolution Data Server to crash, or, possibly, execute an arbitrary code when large untrusted data blocks were Base64-encoded. (CVE-2009-0587) All users of evolution-data-server and evolution28-evolution-data-server are advised to upgrade to these updated packages, which contain backported patches to correct these issues. All running instances of Evolution Data Server and applications using it (such as Evolution) must be restarted for the update to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-0547 CVE-2009-0582 CVE-2009-0587 CVE-2009-0582 evolution-data-server: insufficient checking of NTLM authentication challenge packets CVE-2009-0587 evolution-data-server: integer overflow in base64 encoding functions CVE-2009-0547 evolution-data-server: S/MIME signatures are considered to be valid even for modified messages (MITM) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Evolution is the integrated collection of e-mail, calendaring, contact management, communications, and personal information management (PIM) tools for the GNOME desktop environment. Evolution Data Server provides a unified back-end for applications which interact with contacts, task and calendar information. Evolution Data Server was originally developed as a back-end for Evolution, but is now used by multiple other applications. Evolution did not properly check the Secure/Multipurpose Internet Mail Extensions (S/MIME) signatures used for public key encryption and signing of e-mail messages. An attacker could use this flaw to spoof a signature by modifying the text of the e-mail message displayed to the user. (CVE-2009-0547) It was discovered that evolution did not properly validate NTLM (NT LAN Manager) authentication challenge packets. A malicious server using NTLM authentication could cause evolution to disclose portions of its memory or crash during user authentication. (CVE-2009-0582) Multiple integer overflow flaws which could cause heap-based buffer overflows were found in the Base64 encoding routines used by evolution and evolution-data-server. This could cause evolution, or an application using evolution-data-server, to crash, or, possibly, execute an arbitrary code when large untrusted data blocks were Base64-encoded. (CVE-2009-0587) All users of evolution and evolution-data-server are advised to upgrade to these updated packages, which contain backported patches to correct these issues. All running instances of evolution and evolution-data-server must be restarted for the update to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-0547 CVE-2009-0582 CVE-2009-0587 CVE-2009-0582 evolution-data-server: insufficient checking of NTLM authentication challenge packets CVE-2009-0587 evolution-data-server: integer overflow in base64 encoding functions CVE-2009-0547 evolution-data-server: S/MIME signatures are considered to be valid even for modified messages (MITM) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Evolution is the integrated collection of e-mail, calendaring, contact management, communications, and personal information management (PIM) tools for the GNOME desktop environment. It was discovered that evolution did not properly validate NTLM (NT LAN Manager) authentication challenge packets. A malicious server using NTLM authentication could cause evolution to disclose portions of its memory or crash during user authentication. (CVE-2009-0582) An integer overflow flaw which could cause heap-based buffer overflow was found in the Base64 encoding routine used by evolution. This could cause evolution to crash, or, possibly, execute an arbitrary code when large untrusted data blocks were Base64-encoded. (CVE-2009-0587) All users of evolution are advised to upgrade to these updated packages, which contain backported patches to correct these issues. All running instances of evolution must be restarted for the update to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-0582 CVE-2009-0587 CVE-2009-0582 evolution-data-server: insufficient checking of NTLM authentication challenge packets CVE-2009-0587 evolution-data-server: integer overflow in base64 encoding functions cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 NetworkManager is a network link manager that attempts to keep a wired or wireless network connection active at all times. An information disclosure flaw was found in NetworkManager's D-Bus interface. A local attacker could leverage this flaw to discover sensitive information, such as network connection passwords and pre-shared keys. (CVE-2009-0365) A potential denial of service flaw was found in NetworkManager's D-Bus interface. A local user could leverage this flaw to modify local connection settings, preventing the system's network connection from functioning properly. (CVE-2009-0578) Red Hat would like to thank Ludwig Nussel for reporting these flaws responsibly. Users of NetworkManager should upgrade to these updated packages which contain backported patches to correct these issues. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-0365 CVE-2009-0578 CVE-2009-0365 NetworkManager: GetSecrets disclosure CVE-2009-0578 NetworkManager: local users can modify the connection settings cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 NetworkManager is a network link manager that attempts to keep a wired or wireless network connection active at all times. An information disclosure flaw was found in NetworkManager's D-Bus interface. A local attacker could leverage this flaw to discover sensitive information, such as network connection passwords and pre-shared keys. (CVE-2009-0365) Red Hat would like to thank Ludwig Nussel for responsibly reporting this flaw. NetworkManager users should upgrade to these updated packages, which contain a backported patch that corrects this issue. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-0365 CVE-2009-0365 NetworkManager: GetSecrets disclosure cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 SystemTap is an instrumentation infrastructure for systems running version 2.6 of the Linux kernel. SystemTap scripts can collect system operations data, greatly simplifying information gathering. Collected data can then assist in performance measuring, functional testing, and performance and function problem diagnosis. A race condition was discovered in SystemTap that could allow users in the stapusr group to elevate privileges to that of members of the stapdev group (and hence root), bypassing directory confinement restrictions and allowing them to insert arbitrary SystemTap kernel modules. (CVE-2009-0784) Note: This issue was only exploitable if another SystemTap kernel module was placed in the "systemtap/" module directory for the currently running kernel. Red Hat would like to thank Erik Sjölund for reporting this issue. SystemTap users should upgrade to these updated packages, which contain a backported patch to correct this issue. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-0784 CVE-2009-0784 systemtap: race condition leads to privilege escalation cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 These packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software Development Kit. The Java Runtime Environment (JRE) contains the software and tools that users need to run applications written using the Java programming language. A flaw was found in the way that the Java Virtual Machine (JVM) handled temporary font files. A malicious applet could use this flaw to use large amounts of disk space, causing a denial of service. (CVE-2006-2426) A memory leak flaw was found in LittleCMS (embedded in OpenJDK). An application using color profiles could use excessive amounts of memory, and possibly crash after using all available memory, if used to open specially-crafted images. (CVE-2009-0581) Multiple integer overflow flaws which could lead to heap-based buffer overflows, as well as multiple insufficient input validation flaws, were found in the way LittleCMS handled color profiles. An attacker could use these flaws to create a specially-crafted image file which could cause a Java application to crash or, possibly, execute arbitrary code when opened. (CVE-2009-0723, CVE-2009-0733) A null pointer dereference flaw was found in LittleCMS. An application using color profiles could crash while converting a specially-crafted image file. (CVE-2009-0793) A flaw in the Java API for XML Web Services (JAX-WS) service endpoint handling could allow a remote attacker to cause a denial of service on the server application hosting the JAX-WS service endpoint. (CVE-2009-1101) A flaw in the way the Java Runtime Environment initialized LDAP connections could allow a remote, authenticated user to cause a denial of service on the LDAP service. (CVE-2009-1093) A flaw in the Java Runtime Environment LDAP client could allow malicious data from an LDAP server to cause arbitrary code to be loaded and then run on an LDAP client. (CVE-2009-1094) Several buffer overflow flaws were found in the Java Runtime Environment unpack200 functionality. An untrusted applet could extend its privileges, allowing it to read and write local files, as well as to execute local applications with the privileges of the user running the applet. (CVE-2009-1095, CVE-2009-1096) A flaw in the Java Runtime Environment Virtual Machine code generation functionality could allow untrusted applets to extend their privileges. An untrusted applet could extend its privileges, allowing it to read and write local files, as well as execute local applications with the privileges of the user running the applet. (CVE-2009-1102) A buffer overflow flaw was found in the splash screen processing. A remote attacker could extend privileges to read and write local files, as well as to execute local applications with the privileges of the user running the java process. (CVE-2009-1097) A buffer overflow flaw was found in how GIF images were processed. A remote attacker could extend privileges to read and write local files, as well as execute local applications with the privileges of the user running the java process. (CVE-2009-1098) Note: The flaws concerning applets in this advisory, CVE-2009-1095, CVE-2009-1096, and CVE-2009-1102, can only be triggered in java-1.6.0-openjdk by calling the "appletviewer" application. All users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect. Important Copyright 2009 Red Hat, Inc. CVE-2006-2426 CVE-2009-0581 CVE-2009-0723 CVE-2009-0733 CVE-2009-0793 CVE-2009-1093 CVE-2009-1094 CVE-2009-1095 CVE-2009-1096 CVE-2009-1097 CVE-2009-1098 CVE-2009-1101 CVE-2009-1102 CVE-2009-0793 lcms: Null pointer dereference (DoS) by handling transformations of monochrome profiles CVE-2009-0733 LittleCms lack of upper-bounds check on sizes CVE-2009-0581 LittleCms memory leak CVE-2009-0723 LittleCms integer overflow CVE-2009-1094 OpenJDK LDAP client remote code execution (6737315) CVE-2009-1097 OpenJDK PNG processing buffer overflow vulnerability (6804996) CVE-2009-1093 OpenJDK remote LDAP Denial-Of-Service (6717680) CVE-2009-1095 CVE-2009-1096 OpenJDK Pack200 Buffer overflow vulnerability (6792554) CVE-2009-1098 OpenJDK GIF processing buffer overflow vulnerability (6804998) CVE-2009-1102 OpenJDK code generation vulnerability (6636360) CVE-2006-2426 Untrusted applet causes DoS by filling up disk space CVE-2009-1101 OpenJDK JAX-WS service endpoint remote Denial-of-Service (6630639) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 libvirt is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. libvirt also provides tools for remotely managing virtualized systems. The libvirtd daemon was discovered to not properly check user connection permissions before performing certain privileged actions, such as requesting migration of an unprivileged guest domain to another system. A local user able to establish a read-only connection to libvirtd could use this flaw to perform actions that should be restricted to read-write connections. (CVE-2008-5086) libvirt_proxy, a setuid helper application allowing non-privileged users to communicate with the hypervisor, was discovered to not properly validate user requests. Local users could use this flaw to cause a stack-based buffer overflow in libvirt_proxy, possibly allowing them to run arbitrary code with root privileges. (CVE-2009-0036) All users are advised to upgrade to these updated packages, which contain backported patches which resolve these issues. After installing the update, libvirtd must be restarted manually (for example, by issuing a "service libvirtd restart" command) for this change to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2008-5086 CVE-2009-0036 CVE-2009-0036 libvirt: libvirt_proxy buffer overflow CVE-2008-5086 libvirt: missing checks for read-only connection cpe:/a:redhat:rhel_virtualization Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Firefox is an open source Web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. A memory corruption flaw was discovered in the way Firefox handles XML files containing an XSLT transform. A remote attacker could use this flaw to crash Firefox or, potentially, execute arbitrary code as the user running Firefox. (CVE-2009-1169) A flaw was discovered in the way Firefox handles certain XUL garbage collection events. A remote attacker could use this flaw to crash Firefox or, potentially, execute arbitrary code as the user running Firefox. (CVE-2009-1044) For technical details regarding these flaws, refer to the Mozilla security advisories. You can find a link to the Mozilla advisories in the References section of this errata. Firefox users should upgrade to these updated packages, which resolve these issues. For Red Hat Enterprise Linux 4, they contain backported patches to the firefox package. For Red Hat Enterprise Linux 5, they contain backported patches to the xulrunner packages. After installing the update, Firefox must be restarted for the changes to take effect. Critical Copyright 2009 Red Hat, Inc. CVE-2009-1044 CVE-2009-1169 CVE-2009-1169 Firefox XSLT memory corruption issue CVE-2009-1044 Firefox XUL garbage collection issue (cansecwest pwn2own) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 SeaMonkey is an open source Web browser, email and newsgroup client, IRC chat client, and HTML editor. A memory corruption flaw was discovered in the way SeaMonkey handles XML files containing an XSLT transform. A remote attacker could use this flaw to crash SeaMonkey or, potentially, execute arbitrary code as the user running SeaMonkey. (CVE-2009-1169) A flaw was discovered in the way SeaMonkey handles certain XUL garbage collection events. A remote attacker could use this flaw to crash SeaMonkey or, potentially, execute arbitrary code as the user running SeaMonkey. (CVE-2009-1044) All SeaMonkey users should upgrade to these updated packages, which correct these issues. After installing the update, SeaMonkey must be restarted for the changes to take effect. Critical Copyright 2009 Red Hat, Inc. CVE-2009-1044 CVE-2009-1169 CVE-2009-1169 Firefox XSLT memory corruption issue CVE-2009-1044 Firefox XUL garbage collection issue (cansecwest pwn2own) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Openswan is a free implementation of Internet Protocol Security (IPsec) and Internet Key Exchange (IKE). IPsec uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks. Everything passing through the untrusted network is encrypted by the IPsec gateway machine, and decrypted by the gateway at the other end of the tunnel. The resulting tunnel is a virtual private network (VPN). Gerd v. Egidy discovered a flaw in the Dead Peer Detection (DPD) in Openswan's pluto IKE daemon. A remote attacker could use a malicious DPD packet to crash the pluto daemon. (CVE-2009-0790) It was discovered that Openswan's livetest script created temporary files in an insecure manner. A local attacker could use this flaw to overwrite arbitrary files owned by the user running the script. (CVE-2008-4190) Note: The livetest script is an incomplete feature and was not automatically executed by any other script distributed with Openswan, or intended to be used at all, as was documented in its man page. In these updated packages, the script only prints an informative message and exits immediately when run. All users of openswan are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the ipsec service will be restarted automatically. Important Copyright 2009 Red Hat, Inc. CVE-2008-4190 CVE-2009-0790 CVE-2009-0790 openswan: ISAKMP DPD remote DoS CVE-2008-4190 openswan: Insecure auxiliary /tmp file usage (symlink attack possible) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third party, the Key Distribution Center (KDC). The Generic Security Service Application Program Interface (GSS-API) definition provides security services to callers (protocols) in a generic fashion. The Simple and Protected GSS-API Negotiation (SPNEGO) mechanism is used by GSS-API peers to choose from a common set of security mechanisms. An input validation flaw was found in the ASN.1 (Abstract Syntax Notation One) decoder used by MIT Kerberos. A remote attacker could use this flaw to crash a network service using the MIT Kerberos library, such as kadmind or krb5kdc, by causing it to dereference or free an uninitialized pointer. (CVE-2009-0846) Multiple input validation flaws were found in the MIT Kerberos GSS-API library's implementation of the SPNEGO mechanism. A remote attacker could use these flaws to crash any network service utilizing the MIT Kerberos GSS-API library to authenticate users or, possibly, leak portions of the service's memory. (CVE-2009-0844, CVE-2009-0845) All krb5 users should upgrade to these updated packages, which contain backported patches to correct these issues. All running services using the MIT Kerberos libraries must be restarted for the update to take effect. Important Copyright 2009 Red Hat, Inc. CVE-2009-0844 CVE-2009-0845 CVE-2009-0846 CVE-2009-0845 krb5: NULL pointer dereference in GSSAPI SPNEGO (MITKRB5-SA-2009-001) CVE-2009-0846 krb5: ASN.1 decoder can free uninitialized pointer when decoding an invalid encoding (MITKRB5-SA-2009-002) CVE-2009-0844 krb5: buffer over-read in SPNEGO GSS-API mechanism (MITKRB5-SA-2009-001) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third party, the Key Distribution Center (KDC). An input validation flaw was found in the ASN.1 (Abstract Syntax Notation One) decoder used by MIT Kerberos. A remote attacker could use this flaw to crash a network service using the MIT Kerberos library, such as kadmind or krb5kdc, by causing it to dereference or free an uninitialized pointer. (CVE-2009-0846) All krb5 users should upgrade to these updated packages, which contain a backported patch to correct this issue. All running services using the MIT Kerberos libraries must be restarted for the update to take effect. Important Copyright 2009 Red Hat, Inc. CVE-2009-0846 CVE-2009-0846 krb5: ASN.1 decoder can free uninitialized pointer when decoding an invalid encoding (MITKRB5-SA-2009-002) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third party, the Key Distribution Center (KDC). An input validation flaw was found in the ASN.1 (Abstract Syntax Notation One) decoder used by MIT Kerberos. A remote attacker could use this flaw to crash a network service using the MIT Kerberos library, such as kadmind or krb5kdc, by causing it to dereference or free an uninitialized pointer or, possibly, execute arbitrary code with the privileges of the user running the service. (CVE-2009-0846) All krb5 users should upgrade to these updated packages, which contain a backported patch to correct this issue. All running services using the MIT Kerberos libraries must be restarted for the update to take effect. Critical Copyright 2009 Red Hat, Inc. CVE-2009-0846 CVE-2009-0846 krb5: ASN.1 decoder can free uninitialized pointer when decoding an invalid encoding (MITKRB5-SA-2009-002) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The device-mapper multipath packages provide tools to manage multipath devices by issuing instructions to the device-mapper multipath kernel module, and by managing the creation and removal of partitions for device-mapper devices. It was discovered that the multipathd daemon set incorrect permissions on the socket used to communicate with command line clients. An unprivileged, local user could use this flaw to send commands to multipathd, resulting in access disruptions to storage devices accessible via multiple paths and, possibly, file system corruption on these devices. (CVE-2009-0115) Users of device-mapper-multipath are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. The multipathd service must be restarted for the changes to take effect. Important: the version of the multipathd daemon in Red Hat Enterprise Linux 5 has a known issue which may cause a machine to become unresponsive when the multipathd service is stopped. This issue is tracked in the Bugzilla bug #494582; a link is provided in the References section of this erratum. Until this issue is resolved, we recommend restarting the multipathd service by issuing the following commands in sequence: # killall -KILL multipathd # service multipathd restart Moderate Copyright 2009 Red Hat, Inc. CVE-2009-0115 CVE-2009-0115 device-mapper-multipath: insecure permissions on multipathd.sock cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Ghostscript is a set of software that provides a PostScript interpreter, a set of C procedures (the Ghostscript library, which implements the graphics capabilities in the PostScript language) and an interpreter for Portable Document Format (PDF) files. It was discovered that the Red Hat Security Advisory RHSA-2009:0345 did not address all possible integer overflow flaws in Ghostscript's International Color Consortium Format library (icclib). Using specially-crafted ICC profiles, an attacker could create a malicious PostScript or PDF file with embedded images that could cause Ghostscript to crash or, potentially, execute arbitrary code when opened. (CVE-2009-0792) A buffer overflow flaw and multiple missing boundary checks were found in Ghostscript. An attacker could create a specially-crafted PostScript or PDF file that could cause Ghostscript to crash or, potentially, execute arbitrary code when opened. (CVE-2008-6679, CVE-2007-6725, CVE-2009-0196) Red Hat would like to thank Alin Rad Pop of Secunia Research for responsibly reporting the CVE-2009-0196 flaw. Users of ghostscript are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Moderate Copyright 2009 Red Hat, Inc. CVE-2007-6725 CVE-2008-6679 CVE-2009-0196 CVE-2009-0792 CVE-2009-0196 ghostscript: Missing boundary check in Ghostscript's jbig2dec library CVE-2008-6679 ghostscript: Buffer overflow in BaseFont writer module for pdfwrite defice CVE-2007-6725 ghostscript: DoS (crash) in CCITTFax decoding filter CVE-2009-0792 ghostscript, argyllcms: Incomplete fix for CVE-2009-0583 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 udev provides a user-space API and implements a dynamic device directory, providing only the devices present on the system. udev replaces devfs in order to provide greater hot plug functionality. Netlink is a datagram oriented service, used to transfer information between kernel modules and user-space processes. It was discovered that udev did not properly check the origin of Netlink messages. A local attacker could use this flaw to gain root privileges via a crafted Netlink message sent to udev, causing it to create a world-writable block device file for an existing system block device (for example, the root file system). (CVE-2009-1185) Red Hat would like to thank Sebastian Krahmer of the SUSE Security Team for responsibly reporting this flaw. Users of udev are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the update, the udevd daemon will be restarted automatically. Important Copyright 2009 Red Hat, Inc. CVE-2009-1185 CVE-2009-1185 udev: Uncheck origin of NETLINK messages cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Common UNIX® Printing System (CUPS) provides a portable printing layer for UNIX operating systems. An integer overflow flaw, leading to a heap-based buffer overflow, was discovered in the Tagged Image File Format (TIFF) decoding routines used by the CUPS image-converting filters, "imagetops" and "imagetoraster". An attacker could create a malicious TIFF file that could, potentially, execute arbitrary code as the "lp" user if the file was printed. (CVE-2009-0163) Red Hat would like to thank Aaron Sigel of the Apple Product Security team for responsibly reporting this flaw. Users of cups are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the update, the cupsd daemon will be restarted automatically. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-0163 CVE-2009-0163 cups: Integer overflow in the TIFF image filter cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The Common UNIX® Printing System (CUPS) provides a portable printing layer for UNIX operating systems. Multiple integer overflow flaws were found in the CUPS JBIG2 decoder. An attacker could create a malicious PDF file that would cause CUPS to crash or, potentially, execute arbitrary code as the "lp" user if the file was printed. (CVE-2009-0147, CVE-2009-1179) Multiple buffer overflow flaws were found in the CUPS JBIG2 decoder. An attacker could create a malicious PDF file that would cause CUPS to crash or, potentially, execute arbitrary code as the "lp" user if the file was printed. (CVE-2009-0146, CVE-2009-1182) Multiple flaws were found in the CUPS JBIG2 decoder that could lead to the freeing of arbitrary memory. An attacker could create a malicious PDF file that would cause CUPS to crash or, potentially, execute arbitrary code as the "lp" user if the file was printed. (CVE-2009-0166, CVE-2009-1180) Multiple input validation flaws were found in the CUPS JBIG2 decoder. An attacker could create a malicious PDF file that would cause CUPS to crash or, potentially, execute arbitrary code as the "lp" user if the file was printed. (CVE-2009-0800) An integer overflow flaw, leading to a heap-based buffer overflow, was discovered in the Tagged Image File Format (TIFF) decoding routines used by the CUPS image-converting filters, "imagetops" and "imagetoraster". An attacker could create a malicious TIFF file that could, potentially, execute arbitrary code as the "lp" user if the file was printed. (CVE-2009-0163) Multiple denial of service flaws were found in the CUPS JBIG2 decoder. An attacker could create a malicious PDF file that would cause CUPS to crash when printed. (CVE-2009-0799, CVE-2009-1181, CVE-2009-1183) Red Hat would like to thank Aaron Sigel, Braden Thomas and Drew Yao of the Apple Product Security team, and Will Dormann of the CERT/CC for responsibly reporting these flaws. Users of cups are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the update, the cupsd daemon will be restarted automatically. Important Copyright 2009 Red Hat, Inc. CVE-2009-0146 CVE-2009-0147 CVE-2009-0163 CVE-2009-0166 CVE-2009-0195 CVE-2009-0799 CVE-2009-0800 CVE-2009-1179 CVE-2009-1180 CVE-2009-1181 CVE-2009-1182 CVE-2009-1183 CVE-2009-0163 cups: Integer overflow in the TIFF image filter CVE-2009-0146 xpdf: Multiple buffer overflows in JBIG2 decoder (setBitmap, readSymbolDictSeg) (CVE-2009-0195) CVE-2009-0147 xpdf: Multiple integer overflows in JBIG2 decoder CVE-2009-0166 xpdf: Freeing of potentially uninitialized memory in JBIG2 decoder CVE-2009-0799 PDF JBIG2 decoder OOB read CVE-2009-0800 PDF JBIG2 multiple input validation flaws CVE-2009-1179 PDF JBIG2 integer overflow CVE-2009-1180 PDF JBIG2 invalid free() CVE-2009-1181 PDF JBIG2 NULL dereference CVE-2009-1182 PDF JBIG2 MMR decoder buffer overflows CVE-2009-1183 PDF JBIG2 MMR infinite loop DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 Xpdf is an X Window System based viewer for Portable Document Format (PDF) files. Multiple integer overflow flaws were found in Xpdf's JBIG2 decoder. An attacker could create a malicious PDF file that would cause Xpdf to crash or, potentially, execute arbitrary code when opened. (CVE-2009-0147, CVE-2009-1179) Multiple buffer overflow flaws were found in Xpdf's JBIG2 decoder. An attacker could create a malicious PDF file that would cause Xpdf to crash or, potentially, execute arbitrary code when opened. (CVE-2009-0146, CVE-2009-1182) Multiple flaws were found in Xpdf's JBIG2 decoder that could lead to the freeing of arbitrary memory. An attacker could create a malicious PDF file that would cause Xpdf to crash or, potentially, execute arbitrary code when opened. (CVE-2009-0166, CVE-2009-1180) Multiple input validation flaws were found in Xpdf's JBIG2 decoder. An attacker could create a malicious PDF file that would cause Xpdf to crash or, potentially, execute arbitrary code when opened. (CVE-2009-0800) Multiple denial of service flaws were found in Xpdf's JBIG2 decoder. An attacker could create a malicious PDF that would cause Xpdf to crash when opened. (CVE-2009-0799, CVE-2009-1181, CVE-2009-1183) Red Hat would like to thank Braden Thomas and Drew Yao of the Apple Product Security team, and Will Dormann of the CERT/CC for responsibly reporting these flaws. Users are advised to upgrade to this updated package, which contains backported patches to correct these issues. Important Copyright 2009 Red Hat, Inc. CVE-2009-0146 CVE-2009-0147 CVE-2009-0166 CVE-2009-0195 CVE-2009-0799 CVE-2009-0800 CVE-2009-1179 CVE-2009-1180 CVE-2009-1181 CVE-2009-1182 CVE-2009-1183 CVE-2009-0146 xpdf: Multiple buffer overflows in JBIG2 decoder (setBitmap, readSymbolDictSeg) (CVE-2009-0195) CVE-2009-0147 xpdf: Multiple integer overflows in JBIG2 decoder CVE-2009-0166 xpdf: Freeing of potentially uninitialized memory in JBIG2 decoder CVE-2009-0799 PDF JBIG2 decoder OOB read CVE-2009-0800 PDF JBIG2 multiple input validation flaws CVE-2009-1179 PDF JBIG2 integer overflow CVE-2009-1180 PDF JBIG2 invalid free() CVE-2009-1181 PDF JBIG2 NULL dereference CVE-2009-1182 PDF JBIG2 MMR decoder buffer overflows CVE-2009-1183 PDF JBIG2 MMR infinite loop DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The kdegraphics packages contain applications for the K Desktop Environment, including KPDF, a viewer for Portable Document Format (PDF) files. Multiple integer overflow flaws were found in KPDF's JBIG2 decoder. An attacker could create a malicious PDF file that would cause KPDF to crash or, potentially, execute arbitrary code when opened. (CVE-2009-0147, CVE-2009-1179) Multiple buffer overflow flaws were found in KPDF's JBIG2 decoder. An attacker could create a malicious PDF file that would cause KPDF to crash or, potentially, execute arbitrary code when opened. (CVE-2009-0146, CVE-2009-1182) Multiple flaws were found in KPDF's JBIG2 decoder that could lead to the freeing of arbitrary memory. An attacker could create a malicious PDF file that would cause KPDF to crash or, potentially, execute arbitrary code when opened. (CVE-2009-0166, CVE-2009-1180) Multiple input validation flaws were found in KPDF's JBIG2 decoder. An attacker could create a malicious PDF file that would cause KPDF to crash or, potentially, execute arbitrary code when opened. (CVE-2009-0800) Multiple denial of service flaws were found in KPDF's JBIG2 decoder. An attacker could create a malicious PDF that would cause KPDF to crash when opened. (CVE-2009-0799, CVE-2009-1181, CVE-2009-1183) Red Hat would like to thank Braden Thomas and Drew Yao of the Apple Product Security team, and Will Dormann of the CERT/CC for responsibly reporting these flaws. Users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. Important Copyright 2009 Red Hat, Inc. CVE-2009-0146 CVE-2009-0147 CVE-2009-0166 CVE-2009-0195 CVE-2009-0799 CVE-2009-0800 CVE-2009-1179 CVE-2009-1180 CVE-2009-1181 CVE-2009-1182 CVE-2009-1183 CVE-2009-0146 xpdf: Multiple buffer overflows in JBIG2 decoder (setBitmap, readSymbolDictSeg) (CVE-2009-0195) CVE-2009-0147 xpdf: Multiple integer overflows in JBIG2 decoder CVE-2009-0166 xpdf: Freeing of potentially uninitialized memory in JBIG2 decoder CVE-2009-0799 PDF JBIG2 decoder OOB read CVE-2009-0800 PDF JBIG2 multiple input validation flaws CVE-2009-1179 PDF JBIG2 integer overflow CVE-2009-1180 PDF JBIG2 invalid free() CVE-2009-1181 PDF JBIG2 NULL dereference CVE-2009-1182 PDF JBIG2 MMR decoder buffer overflows CVE-2009-1183 PDF JBIG2 MMR infinite loop DoS cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Firefox is an open source Web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code as the user running Firefox. (CVE-2009-1302, CVE-2009-1303, CVE-2009-1304, CVE-2009-1305) Several flaws were found in the way malformed web content was processed. A web page containing malicious content could execute arbitrary JavaScript in the context of the site, possibly presenting misleading data to a user, or stealing sensitive information such as login credentials. (CVE-2009-0652, CVE-2009-1306, CVE-2009-1307, CVE-2009-1308, CVE-2009-1309, CVE-2009-1310, CVE-2009-1312) A flaw was found in the way Firefox saved certain web pages to a local file. If a user saved the inner frame of a web page containing POST data, the POST data could be revealed to the inner frame, possibly surrendering sensitive information such as login credentials. (CVE-2009-1311) For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 3.0.9. You can find a link to the Mozilla advisories in the References section of this errata. All Firefox users should upgrade to these updated packages, which contain Firefox version 3.0.9, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect. Critical Copyright 2009 Red Hat, Inc. CVE-2009-0652 CVE-2009-1302 CVE-2009-1303 CVE-2009-1304 CVE-2009-1305 CVE-2009-1306 CVE-2009-1307 CVE-2009-1308 CVE-2009-1309 CVE-2009-1310 CVE-2009-1311 CVE-2009-1312 CVE-2009-0652 firefox: does not properly prevent the literal rendering of homoglyph characters in IDN domain names (spoof URLs and conduct phishing attacks) CVE-2009-1302 Firefox 3 Layout engine crashes CVE-2009-1303 Firefox 2 and 3 Layout engine crash CVE-2009-1304 Firefox 3 JavaScript engine crashes CVE-2009-1305 Firefox 2 and 3 JavaScript engine crash CVE-2009-1306 Firefox jar: scheme ignores the content-disposition: header on the inner URI CVE-2009-1307 Firefox Same-origin violations when Adobe Flash loaded via view-source: protocol CVE-2009-1308 Firefox XSS hazard using third-party stylesheets and XBL bindings CVE-2009-1309 Firefox Same-origin violations in XMLHttpRequest and XPCNativeWrapper.toString CVE-2009-1310 Firefox Malicious search plugins can inject code into arbitrary sites CVE-2009-1311 Firefox POST data sent to wrong site when saving web page with embedded frame CVE-2009-1312 Firefox allows Refresh header to redirect to javascript: URIs cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 SeaMonkey is an open source Web browser, email and newsgroup client, IRC chat client, and HTML editor. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause SeaMonkey to crash or, potentially, execute arbitrary code as the user running SeaMonkey. (CVE-2009-1303, CVE-2009-1305) Several flaws were found in the way malformed web content was processed. A web page containing malicious content could execute arbitrary JavaScript in the context of the site, possibly presenting misleading data to a user, or stealing sensitive information such as login credentials. (CVE-2009-0652, CVE-2009-1306, CVE-2009-1307, CVE-2009-1309, CVE-2009-1312) A flaw was found in the way SeaMonkey saved certain web pages to a local file. If a user saved the inner frame of a web page containing POST data, the POST data could be revealed to the inner frame, possibly surrendering sensitive information such as login credentials. (CVE-2009-1311) All SeaMonkey users should upgrade to these updated packages, which correct these issues. After installing the update, SeaMonkey must be restarted for the changes to take effect. Critical Copyright 2009 Red Hat, Inc. CVE-2009-0652 CVE-2009-1303 CVE-2009-1305 CVE-2009-1306 CVE-2009-1307 CVE-2009-1309 CVE-2009-1311 CVE-2009-1312 CVE-2009-0652 firefox: does not properly prevent the literal rendering of homoglyph characters in IDN domain names (spoof URLs and conduct phishing attacks) CVE-2009-1303 Firefox 2 and 3 Layout engine crash CVE-2009-1305 Firefox 2 and 3 JavaScript engine crash CVE-2009-1306 Firefox jar: scheme ignores the content-disposition: header on the inner URI CVE-2009-1307 Firefox Same-origin violations when Adobe Flash loaded via view-source: protocol CVE-2009-1309 Firefox Same-origin violations in XMLHttpRequest and XPCNativeWrapper.toString CVE-2009-1311 Firefox POST data sent to wrong site when saving web page with embedded frame CVE-2009-1312 Firefox allows Refresh header to redirect to javascript: URIs cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The giflib packages contain a shared library of functions for loading and saving GIF image files. This library is API and ABI compatible with libungif, the library that supported uncompressed GIF image files while the Unisys LZW patent was in effect. Several flaws were discovered in the way giflib decodes GIF images. An attacker could create a carefully crafted GIF image that could cause an application using giflib to crash or, possibly, execute arbitrary code when opened by a victim. (CVE-2005-2974, CVE-2005-3350) All users of giflib are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. All running applications using giflib must be restarted for the update to take effect. Important Copyright 2009 Red Hat, Inc. CVE-2005-2974 CVE-2005-3350 CVE-2005-3350 giflib/libunfig: memory corruption via a crafted GIF CVE-2005-2974 giflib/libunfig: NULL pointer dereference crash cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 Mozilla Firefox is an open source Web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. A flaw was found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code as the user running Firefox. (CVE-2009-1313) For technical details regarding this flaw, refer to the Mozilla security advisory for Firefox 3.0.10. You can find a link to the Mozilla advisories in the References section of this errata. All Firefox users should upgrade to these updated packages, which contain Firefox version 3.0.10, which corrects this issue. After installing the update, Firefox must be restarted for the change to take effect. Critical Copyright 2009 Red Hat, Inc. CVE-2009-1313 CVE-2009-1313 Firefox crash in nsTextFrame::ClearTextRun() cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 libwmf is a library for reading and converting Windows Metafile Format (WMF) vector graphics. libwmf is used by applications such as GIMP and ImageMagick. A pointer use-after-free flaw was found in the GD graphics library embedded in libwmf. An attacker could create a specially-crafted WMF file that would cause an application using libwmf to crash or, potentially, execute arbitrary code as the user running the application when opened by a victim. (CVE-2009-1364) Note: This flaw is specific to the GD graphics library embedded in libwmf. It does not affect the GD graphics library from the "gd" packages, or applications using it. Red Hat would like to thank Tavis Ormandy of the Google Security Team for responsibly reporting this flaw. All users of libwmf are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the update, all applications using libwmf must be restarted for the update to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-1364 EMBARGOED CVE-2009-1364 libwmf: embedded gd use-after-free error cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 GPdf is a viewer for Portable Document Format (PDF) files. Multiple integer overflow flaws were found in GPdf's JBIG2 decoder. An attacker could create a malicious PDF file that would cause GPdf to crash or, potentially, execute arbitrary code when opened. (CVE-2009-0147, CVE-2009-1179) Multiple buffer overflow flaws were found in GPdf's JBIG2 decoder. An attacker could create a malicious PDF file that would cause GPdf to crash or, potentially, execute arbitrary code when opened. (CVE-2009-0146, CVE-2009-1182) Multiple flaws were found in GPdf's JBIG2 decoder that could lead to the freeing of arbitrary memory. An attacker could create a malicious PDF file that would cause GPdf to crash or, potentially, execute arbitrary code when opened. (CVE-2009-0166, CVE-2009-1180) Multiple input validation flaws were found in GPdf's JBIG2 decoder. An attacker could create a malicious PDF file that would cause GPdf to crash or, potentially, execute arbitrary code when opened. (CVE-2009-0800) Multiple denial of service flaws were found in GPdf's JBIG2 decoder. An attacker could create a malicious PDF that would cause GPdf to crash when opened. (CVE-2009-0799, CVE-2009-1181, CVE-2009-1183) Red Hat would like to thank Braden Thomas and Drew Yao of the Apple Product Security team, and Will Dormann of the CERT/CC for responsibly reporting these flaws. Users are advised to upgrade to this updated package, which contains backported patches to correct these issues. Important Copyright 2009 Red Hat, Inc. CVE-2009-0146 CVE-2009-0147 CVE-2009-0166 CVE-2009-0195 CVE-2009-0799 CVE-2009-0800 CVE-2009-1179 CVE-2009-1180 CVE-2009-1181 CVE-2009-1182 CVE-2009-1183 CVE-2009-3606 CVE-2009-0146 xpdf: Multiple buffer overflows in JBIG2 decoder (setBitmap, readSymbolDictSeg) (CVE-2009-0195) CVE-2009-0147 xpdf: Multiple integer overflows in JBIG2 decoder CVE-2009-0166 xpdf: Freeing of potentially uninitialized memory in JBIG2 decoder CVE-2009-0799 PDF JBIG2 decoder OOB read CVE-2009-0800 PDF JBIG2 multiple input validation flaws CVE-2009-1179 PDF JBIG2 integer overflow CVE-2009-1180 PDF JBIG2 invalid free() CVE-2009-1181 PDF JBIG2 NULL dereference CVE-2009-1182 PDF JBIG2 MMR decoder buffer overflows CVE-2009-1183 PDF JBIG2 MMR infinite loop DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security fixes: * a logic error was found in the do_setlk() function of the Linux kernel Network File System (NFS) implementation. If a signal interrupted a lock request, the local POSIX lock was incorrectly created. This could cause a denial of service on the NFS server if a file descriptor was closed before its corresponding lock request returned. (CVE-2008-4307, Important) * a deficiency was found in the Linux kernel system call auditing implementation on 64-bit systems. This could allow a local, unprivileged user to circumvent a system call audit configuration, if that configuration filtered based on the "syscall" number or arguments. (CVE-2009-0834, Important) * Chris Evans reported a deficiency in the Linux kernel signals implementation. The clone() system call permits the caller to indicate the signal it wants to receive when its child exits. When clone() is called with the CLONE_PARENT flag, it permits the caller to clone a new child that shares the same parent as itself, enabling the indicated signal to be sent to the caller's parent (instead of the caller), even if the caller's parent has different real and effective user IDs. This could lead to a denial of service of the parent. (CVE-2009-0028, Moderate) * the sock_getsockopt() function in the Linux kernel did not properly initialize a data structure that can be directly returned to user-space when the getsockopt() function is called with SO_BSDCOMPAT optname set. This flaw could possibly lead to memory disclosure. (CVE-2009-0676, Moderate) Bug fixes: * a kernel crash may have occurred for Red Hat Enterprise Linux 4.7 guests if their guest configuration file specified "vif = [ "type=ioemu" ]". This crash only occurred when starting guests via the "xm create" command. (BZ#477146) * a bug in IO-APIC NMI watchdog may have prevented Red Hat Enterprise Linux 4.7 from being installed on HP ProLiant DL580 G5 systems. Hangs during installation and "NMI received for unknown reason [xx]" errors may have occurred. (BZ#479184) * a kernel deadlock on some systems when using netdump through a network interface that uses the igb driver. (BZ#480579) * a possible kernel hang in sys_ptrace() on the Itanium® architecture, possibly triggered by tracing a threaded process with strace. (BZ#484904) * the RHSA-2008:0665 errata only fixed the known problem with the LSI Logic LSI53C1030 Ultra320 SCSI controller, for tape devices. Read commands sent to tape devices may have received incorrect data. This issue may have led to data corruption. This update includes a fix for all types of devices. (BZ#487399) * a missing memory barrier caused a race condition in the AIO subsystem between the read_events() and aio_complete() functions. This may have caused a thread in read_events() to sleep indefinitely, possibly causing an application hang. (BZ#489935) * due to a lack of synchronization in the NFS client code, modifications to some pages (for files on an NFS mounted file system) made through a region of memory mapped by mmap() may be lost if the NFS client invalidates its page cache for particular files. (BZ#490119) * a NULL pointer dereference in the megaraid_mbox driver caused a system crash on some systems. (BZ#493420) * the ext3_symlink() function in the ext3 file system code used an illegal __GFP_FS allocation inside some transactions. This may have resulted in a kernel panic and "Assertion failure" errors. (BZ#493422) * do_machine_check() cleared all Machine Check Exception (MCE) status registers, preventing the BIOS from using them to determine the cause of certain panics and errors. (BZ#494915) * a bug prevented NMI watchdog from initializing on HP ProLiant DL580 G5 systems. (BZ#497330) This update contains backported patches to fix these issues. The system must be rebooted for this update to take effect. Important Copyright 2009 Red Hat, Inc. CVE-2008-4307 CVE-2009-0028 CVE-2009-0676 CVE-2009-0834 CVE-2008-4307 Kernel BUG() in locks_remove_flock RHEL4.7 guest will crash, if creating with only RTL8139 emulation NIC RHEL 4.7: unknown NMI errors on x86_64 on DL580 G5 CVE-2009-0028 Linux kernel minor signal handling vulnerability deadlock in igb during netdump [RHEL4U4] strace utility can cause system to hang at sys_ptrace CVE-2009-0676 kernel: memory disclosure in SO_BSDCOMPAT gsopt [4.7]When SCSI READ Command is issued to tape device, the read data might not be correct for LSI 53C1030 Errata No28. CVE-2009-0834 kernel: x86-64: syscall-audit: 32/64 syscall hole race in aio_complete() leads to process hang LTC41974-Pages of a memory mapped NFS file get corrupted. NULL pointer dereference at megaraid_queue_command after a reset [RHEL4u4] Kernel panic was caused by page_symlink() when kernel has to shrink caches Enable NMI watchdog on HP DL580 G5 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues: * a logic error was found in the do_setlk() function of the Linux kernel Network File System (NFS) implementation. If a signal interrupted a lock request, the local POSIX lock was incorrectly created. This could cause a denial of service on the NFS server if a file descriptor was closed before its corresponding lock request returned. (CVE-2008-4307, Important) * a deficiency was found in the Linux kernel system call auditing implementation on 64-bit systems. This could allow a local, unprivileged user to circumvent a system call audit configuration, if that configuration filtered based on the "syscall" number or arguments. (CVE-2009-0834, Important) * the exit_notify() function in the Linux kernel did not properly reset the exit signal if a process executed a set user ID (setuid) application before exiting. This could allow a local, unprivileged user to elevate their privileges. (CVE-2009-1337, Important) * a flaw was found in the ecryptfs_write_metadata_to_contents() function of the Linux kernel eCryptfs implementation. On systems with a 4096 byte page-size, this flaw may have caused 4096 bytes of uninitialized kernel memory to be written into the eCryptfs file headers, leading to an information leak. Note: Encrypted files created on systems running the vulnerable version of eCryptfs may contain leaked data in the eCryptfs file headers. This update does not remove any leaked data. Refer to the Knowledgebase article in the References section for further information. (CVE-2009-0787, Moderate) * the Linux kernel implementation of the Network File System (NFS) did not properly initialize the file name limit in the nfs_server data structure. This flaw could possibly lead to a denial of service on a client mounting an NFS share. (CVE-2009-1336, Moderate) This update also fixes the following bugs: * the enic driver (Cisco 10G Ethernet) did not operate under virtualization. (BZ#472474) * network interfaces using the IBM eHEA Ethernet device driver could not be successfully configured under low-memory conditions. (BZ#487035) * bonding with the "arp_validate=3" option may have prevented fail overs. (BZ#488064) * when running under virtualization, the acpi-cpufreq module wrote "Domain attempted WRMSR" errors to the dmesg log. (BZ#488928) * NFS clients may have experienced deadlocks during unmount. (BZ#488929) * the ixgbe driver double counted the number of received bytes and packets. (BZ#489459) * the Wacom Intuos3 Lens Cursor device did not work correctly with the Wacom Intuos3 12x12 tablet. (BZ#489460) * on the Itanium® architecture, nanosleep() caused commands which used it, such as sleep and usleep, to sleep for one second more than expected. (BZ#490434) * a panic and corruption of slab cache data structures occurred on 64-bit PowerPC systems when clvmd was running. (BZ#491677) * the NONSTOP_TSC feature did not perform correctly on the Intel® microarchitecture (Nehalem) when running in 32-bit mode. (BZ#493356) * keyboards may not have functioned on IBM eServer System p machines after a certain point during installation or afterward. (BZ#494293) * using Device Mapper Multipathing with the qla2xxx driver resulted in frequent path failures. (BZ#495635) * if the hypervisor was booted with the dom0_max_vcpus parameter set to less than the actual number of CPUs in the system, and the cpuspeed service was started, the hypervisor could crash. (BZ#495931) * using Openswan to provide an IPsec virtual private network eventually resulted in a CPU soft lockup and a system crash. (BZ#496044) * it was possible for posix_locks_deadlock() to enter an infinite loop (under the BKL), causing a system hang. (BZ#496842) Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect. Important Copyright 2009 Red Hat, Inc. CVE-2008-4307 CVE-2009-0787 CVE-2009-0834 CVE-2009-1336 CVE-2009-1337 CVE-2008-4307 Kernel BUG() in locks_remove_flock ehea network configuration fails during boot after fsck CVE-2009-0834 kernel: x86-64: syscall-audit: 32/64 syscall hole [RHEL-5.3] ARP packets aren't received by backup slaves breaking arp_validate=3 xm dmesg printk spam -- Domain attempted WRMSR 00000000000000e8 from 00000016:3d0e9470 to 00000000:00000000 Deadlock in flush_workqueue() results in hung nfs clients [Intel 5.4 bug] ixgbe driver double counts RX byte count Wacom driver does not with with mouse/lens device on intuos3 [5.3] The nanosleep() syscall sleeps one second longer. CVE-2009-0787 kernel: ecryptfs file header infoleak slab corruption with dlm and clvmd on ppc64 [Intel 5.4 FEAT] TSC keeps running in C3+[incremental patch for 5.3.z] CVE-2009-1337 kernel: exit_notify: kill the wrong capable(CAP_KILL) check CVE-2009-1336 kernel: nfsv4 client can be crashed by stating a long filename RHEL5-U2 Installation hangs on p-series--7029, 2078 Frequent path failures during I/O on DM multipath devices [5.3][Xen] APERF/MPERF patch update [5.3][Xen] dom0 panic when we use dom0_max_vcpus=2. Running Openswan ipsec vpn server with rhel-5.3 kernel-2.6.18-128.el5 causes crash softlockups due to infinite loops in posix_locks_deadlock cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 acpid is a daemon that dispatches ACPI (Advanced Configuration and Power Interface) events to user-space programs. Anthony de Almeida Lopes of Outpost24 AB reported a denial of service flaw in the acpid daemon's error handling. If an attacker could exhaust the sockets open to acpid, the daemon would enter an infinite loop, consuming most CPU resources and preventing acpid from communicating with legitimate processes. (CVE-2009-0798) Users are advised to upgrade to this updated package, which contains a backported patch to correct this issue. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-0798 CVE-2009-0798 acpid: too many open files DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 3 Pango is a library used for the layout and rendering of internationalized text. Will Drewry discovered an integer overflow flaw in Pango's pango_glyph_string_set_size() function. If an attacker is able to pass an arbitrarily long string to Pango, it may be possible to execute arbitrary code with the permissions of the application calling Pango. (CVE-2009-1194) pango and evolution28-pango users are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing this update, you must restart your system or restart the X server for the update to take effect. Note: Restarting the X server closes all open applications and logs you out of your session. Important Copyright 2009 Red Hat, Inc. CVE-2009-1194 CVE-2009-1194 pango: pango_glyph_string_set_size integer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Perl DBI is a database access Application Programming Interface (API) for the Perl language. perl-DBD-Pg allows Perl applications to access PostgreSQL database servers. A heap-based buffer overflow flaw was discovered in the pg_getline function implementation. If the pg_getline or getline functions read large, untrusted records from a database, it could cause an application using these functions to crash or, possibly, execute arbitrary code. (CVE-2009-0663) Note: After installing this update, pg_getline may return more data than specified by its second argument, as this argument will be ignored. This is consistent with current upstream behavior. Previously, the length limit (the second argument) was not enforced, allowing a buffer overflow. A memory leak flaw was found in the function performing the de-quoting of BYTEA type values acquired from a database. An attacker able to cause an application using perl-DBD-Pg to perform a large number of SQL queries returning BYTEA records, could cause the application to use excessive amounts of memory or, possibly, crash. (CVE-2009-1341) All users of perl-DBD-Pg are advised to upgrade to this updated package, which contains backported patches to fix these issues. Applications using perl-DBD-Pg must be restarted for the update to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-0663 CVE-2009-1341 CVE-2009-0663 perl-DBD-Pg: pg_getline buffer overflow CVE-2009-1341 perl-DBD-Pg: dequote_bytea memory leak cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Poppler is a Portable Document Format (PDF) rendering library, used by applications such as Evince. Multiple integer overflow flaws were found in poppler. An attacker could create a malicious PDF file that would cause applications that use poppler (such as Evince) to crash or, potentially, execute arbitrary code when opened. (CVE-2009-0147, CVE-2009-1179, CVE-2009-1187, CVE-2009-1188) Multiple buffer overflow flaws were found in poppler's JBIG2 decoder. An attacker could create a malicious PDF file that would cause applications that use poppler (such as Evince) to crash or, potentially, execute arbitrary code when opened. (CVE-2009-0146, CVE-2009-1182) Multiple flaws were found in poppler's JBIG2 decoder that could lead to the freeing of arbitrary memory. An attacker could create a malicious PDF file that would cause applications that use poppler (such as Evince) to crash or, potentially, execute arbitrary code when opened. (CVE-2009-0166, CVE-2009-1180) Multiple input validation flaws were found in poppler's JBIG2 decoder. An attacker could create a malicious PDF file that would cause applications that use poppler (such as Evince) to crash or, potentially, execute arbitrary code when opened. (CVE-2009-0800) Multiple denial of service flaws were found in poppler's JBIG2 decoder. An attacker could create a malicious PDF file that would cause applications that use poppler (such as Evince) to crash when opened. (CVE-2009-0799, CVE-2009-1181, CVE-2009-1183) Red Hat would like to thank Braden Thomas and Drew Yao of the Apple Product Security team, and Will Dormann of the CERT/CC for responsibly reporting these flaws. Users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. Important Copyright 2009 Red Hat, Inc. CVE-2009-0146 CVE-2009-0147 CVE-2009-0166 CVE-2009-0195 CVE-2009-0791 CVE-2009-0799 CVE-2009-0800 CVE-2009-1179 CVE-2009-1180 CVE-2009-1181 CVE-2009-1182 CVE-2009-1183 CVE-2009-1187 CVE-2009-1188 CVE-2009-3604 CVE-2009-3606 CVE-2009-0146 xpdf: Multiple buffer overflows in JBIG2 decoder (setBitmap, readSymbolDictSeg) (CVE-2009-0195) CVE-2009-0147 xpdf: Multiple integer overflows in JBIG2 decoder CVE-2009-0166 xpdf: Freeing of potentially uninitialized memory in JBIG2 decoder CVE-2009-0799 PDF JBIG2 decoder OOB read CVE-2009-0800 PDF JBIG2 multiple input validation flaws CVE-2009-1179 PDF JBIG2 integer overflow CVE-2009-1180 PDF JBIG2 invalid free() CVE-2009-1181 PDF JBIG2 NULL dereference CVE-2009-1182 PDF JBIG2 MMR decoder buffer overflows CVE-2009-1183 PDF JBIG2 MMR infinite loop DoS CVE-2009-1187 poppler CairoOutputDev integer overflow CVE-2009-1188 xpdf/poppler: SplashBitmap integer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The ipsec-tools package is used in conjunction with the IPsec functionality in the Linux kernel and includes racoon, an IKEv1 keying daemon. A denial of service flaw was found in the ipsec-tools racoon daemon. An unauthenticated, remote attacker could trigger a NULL pointer dereference that could cause the racoon daemon to crash. (CVE-2009-1574) Multiple memory leak flaws were found in the ipsec-tools racoon daemon. If a remote attacker is able to make multiple connection attempts to the racoon daemon, it was possible to cause the racoon daemon to consume all available memory. (CVE-2009-1632) Users of ipsec-tools should upgrade to this updated package, which contains backported patches to correct these issues. Users must restart the racoon daemon for this update to take effect. Important Copyright 2009 Red Hat, Inc. CVE-2009-1574 CVE-2009-1632 CVE-2009-1574 ipsec-tools: racoon NULL dereference in fragmentation code CVE-2009-1632 ipsec-tools: multiple memory leaks fixed in 0.7.2 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The Network Time Protocol (NTP) is used to synchronize a computer's time with a referenced time source. A buffer overflow flaw was discovered in the ntpd daemon's NTPv4 authentication code. If ntpd was configured to use public key cryptography for NTP packet authentication, a remote attacker could use this flaw to send a specially-crafted request packet that could crash ntpd. (CVE-2009-1252) Note: NTP authentication is not enabled by default. A buffer overflow flaw was found in the ntpq diagnostic command. A malicious, remote server could send a specially-crafted reply to an ntpq request that could crash ntpq. (CVE-2009-0159) All ntp users are advised to upgrade to this updated package, which contains backported patches to resolve these issues. After installing the update, the ntpd daemon will be restarted automatically. Important Copyright 2009 Red Hat, Inc. CVE-2009-0159 CVE-2009-1252 CVE-2009-0159 ntp: buffer overflow in ntpq CVE-2009-1252 ntp: remote arbitrary code execution vulnerability if autokeys is enabled cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The Network Time Protocol (NTP) is used to synchronize a computer's time with a referenced time source. A buffer overflow flaw was discovered in the ntpd daemon's NTPv4 authentication code. If ntpd was configured to use public key cryptography for NTP packet authentication, a remote attacker could use this flaw to send a specially-crafted request packet that could crash ntpd or, potentially, execute arbitrary code with the privileges of the "ntp" user. (CVE-2009-1252) Note: NTP authentication is not enabled by default. A buffer overflow flaw was found in the ntpq diagnostic command. A malicious, remote server could send a specially-crafted reply to an ntpq request that could crash ntpq or, potentially, execute arbitrary code with the privileges of the user running the ntpq command. (CVE-2009-0159) All ntp users are advised to upgrade to this updated package, which contains backported patches to resolve these issues. After installing the update, the ntpd daemon will be restarted automatically. Critical Copyright 2009 Red Hat, Inc. CVE-2009-0159 CVE-2009-1252 CVE-2009-0159 ntp: buffer overflow in ntpq CVE-2009-1252 ntp: remote arbitrary code execution vulnerability if autokeys is enabled cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Pidgin is an instant messaging program which can log in to multiple accounts on multiple instant messaging networks simultaneously. A buffer overflow flaw was found in the way Pidgin initiates file transfers when using the Extensible Messaging and Presence Protocol (XMPP). If a Pidgin client initiates a file transfer, and the remote target sends a malformed response, it could cause Pidgin to crash or, potentially, execute arbitrary code with the permissions of the user running Pidgin. This flaw only affects accounts using XMPP, such as Jabber and Google Talk. (CVE-2009-1373) It was discovered that on 32-bit platforms, the Red Hat Security Advisory RHSA-2008:0584 provided an incomplete fix for the integer overflow flaw affecting Pidgin's MSN protocol handler. If a Pidgin client receives a specially-crafted MSN message, it may be possible to execute arbitrary code with the permissions of the user running Pidgin. (CVE-2009-1376) Note: By default, when using an MSN account, only users on your buddy list can send you messages. This prevents arbitrary MSN users from exploiting this flaw. All Pidgin users should upgrade to this update package, which contains backported patches to resolve these issues. Pidgin must be restarted for this update to take effect. Important Copyright 2009 Red Hat, Inc. CVE-2009-1373 CVE-2009-1376 CVE-2009-1373 pidgin file transfer buffer overflow CVE-2009-1376 pidgin incomplete fix for CVE-2008-2927 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Pidgin is an instant messaging program which can log in to multiple accounts on multiple instant messaging networks simultaneously. A buffer overflow flaw was found in the way Pidgin initiates file transfers when using the Extensible Messaging and Presence Protocol (XMPP). If a Pidgin client initiates a file transfer, and the remote target sends a malformed response, it could cause Pidgin to crash or, potentially, execute arbitrary code with the permissions of the user running Pidgin. This flaw only affects accounts using XMPP, such as Jabber and Google Talk. (CVE-2009-1373) A denial of service flaw was found in Pidgin's QQ protocol decryption handler. When the QQ protocol decrypts packet information, heap data can be overwritten, possibly causing Pidgin to crash. (CVE-2009-1374) A flaw was found in the way Pidgin's PurpleCircBuffer object is expanded. If the buffer is full when more data arrives, the data stored in this buffer becomes corrupted. This corrupted data could result in confusing or misleading data being presented to the user, or possibly crash Pidgin. (CVE-2009-1375) It was discovered that on 32-bit platforms, the Red Hat Security Advisory RHSA-2008:0584 provided an incomplete fix for the integer overflow flaw affecting Pidgin's MSN protocol handler. If a Pidgin client receives a specially-crafted MSN message, it may be possible to execute arbitrary code with the permissions of the user running Pidgin. (CVE-2009-1376) Note: By default, when using an MSN account, only users on your buddy list can send you messages. This prevents arbitrary MSN users from exploiting this flaw. All Pidgin users should upgrade to these updated packages, which contain backported patches to resolve these issues. Pidgin must be restarted for this update to take effect. Important Copyright 2009 Red Hat, Inc. CVE-2009-1373 CVE-2009-1374 CVE-2009-1375 CVE-2009-1376 CVE-2009-1373 pidgin file transfer buffer overflow CVE-2009-1374 pidgin DoS when decrypting qq packets CVE-2009-1375 pidgin PurpleCircBuffer corruption CVE-2009-1376 pidgin incomplete fix for CVE-2008-2927 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 FreeType is a free, high-quality, portable font engine that can open and manage font files. It also loads, hints, and renders individual glyphs efficiently. These packages provide the FreeType 2 font engine. Tavis Ormandy of the Google Security Team discovered several integer overflow flaws in the FreeType 2 font engine. If a user loaded a carefully-crafted font file with an application linked against FreeType 2, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2009-0946) Users are advised to upgrade to these updated packages, which contain a backported patch to correct these issues. The X server must be restarted (log out, then log back in) for this update to take effect. Important Copyright 2009 Red Hat, Inc. CVE-2009-0946 CVE-2009-0946 freetype: multiple integer overflows cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 SquirrelMail is a standards-based webmail package written in PHP. A server-side code injection flaw was found in the SquirrelMail "map_yp_alias" function. If SquirrelMail was configured to retrieve a user's IMAP server address from a Network Information Service (NIS) server via the "map_yp_alias" function, an unauthenticated, remote attacker using a specially-crafted username could use this flaw to execute arbitrary code with the privileges of the web server. (CVE-2009-1579) Multiple cross-site scripting (XSS) flaws were found in SquirrelMail. An attacker could construct a carefully crafted URL, which once visited by an unsuspecting user, could cause the user's web browser to execute malicious script in the context of the visited SquirrelMail web page. (CVE-2009-1578) It was discovered that SquirrelMail did not properly sanitize Cascading Style Sheets (CSS) directives used in HTML mail. A remote attacker could send a specially-crafted email that could place mail content above SquirrelMail's controls, possibly allowing phishing and cross-site scripting attacks. (CVE-2009-1581) Users of squirrelmail should upgrade to this updated package, which contains backported patches to correct these issues. Important Copyright 2009 Red Hat, Inc. CVE-2009-1578 CVE-2009-1579 CVE-2009-1581 CVE-2009-1581 SquirrelMail: CSS positioning vulnerability CVE-2009-1579 SquirrelMail: Server-side code injection in map_yp_alias username map CVE-2009-1578 SquirrelMail: Multiple cross site scripting issues cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The Apache HTTP Server is a popular and freely-available Web server. A flaw was found in the handling of compression structures between mod_ssl and OpenSSL. If too many connections were opened in a short period of time, all system memory and swap space would be consumed by httpd, negatively impacting other processes, or causing a system crash. (CVE-2008-1678) Note: The CVE-2008-1678 issue did not affect Red Hat Enterprise Linux 5 prior to 5.3. The problem was introduced via the RHBA-2009:0181 errata in Red Hat Enterprise Linux 5.3, which upgraded OpenSSL to the newer 0.9.8e version. A flaw was found in the handling of the "Options" and "AllowOverride" directives. In configurations using the "AllowOverride" directive with certain "Options=" arguments, local users were not restricted from executing commands from a Server-Side-Include script as intended. (CVE-2009-1195) All httpd users should upgrade to these updated packages, which contain backported patches to resolve these issues. Users must restart httpd for this update to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2008-1678 CVE-2009-1195 CVE-2008-1678 httpd: mod_ssl per-connection memory leak for connections with zlib compression CVE-2009-1195 AllowOverride Options=IncludesNoExec allows Options Includes memory leak in httpd cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The Common UNIX® Printing System (CUPS) provides a portable printing layer for UNIX operating systems. The Internet Printing Protocol (IPP) allows users to print and manage printing-related tasks over a network. A NULL pointer dereference flaw was found in the CUPS IPP routine, used for processing incoming IPP requests for the CUPS scheduler. An attacker could use this flaw to send specially-crafted IPP requests that would crash the cupsd daemon. (CVE-2009-0949) Red Hat would like to thank Anibal Sacco from Core Security Technologies for reporting this issue. Users of cups are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing this update, the cupsd daemon will be restarted automatically. Important Copyright 2009 Red Hat, Inc. CVE-2009-0949 CVE-2009-0949 cups: IPP_TAG_UNSUPPORTED handling NULL pointer dereference DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 The Common UNIX® Printing System (CUPS) provides a portable printing layer for UNIX operating systems. The Internet Printing Protocol (IPP) allows users to print and manage printing-related tasks over a network. The CUPS "pdftops" filter converts Portable Document Format (PDF) files to PostScript. "pdftops" is based on Xpdf and the CUPS imaging library. A NULL pointer dereference flaw was found in the CUPS IPP routine, used for processing incoming IPP requests for the CUPS scheduler. An attacker could use this flaw to send specially-crafted IPP requests that would crash the cupsd daemon. (CVE-2009-0949) A use-after-free flaw was found in the CUPS scheduler directory services routine, used to process data about available printers and printer classes. An attacker could use this flaw to cause a denial of service (cupsd daemon stop or crash). (CVE-2009-1196) Multiple integer overflows flaws, leading to heap-based buffer overflows, were found in the CUPS "pdftops" filter. An attacker could create a malicious PDF file that would cause "pdftops" to crash or, potentially, execute arbitrary code as the "lp" user if the file was printed. (CVE-2009-0791) Red Hat would like to thank Anibal Sacco from Core Security Technologies for reporting the CVE-2009-0949 flaw, and Swen van Brussel for reporting the CVE-2009-1196 flaw. Users of cups are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the cupsd daemon will be restarted automatically. Important Copyright 2009 Red Hat, Inc. CVE-2009-0791 CVE-2009-0949 CVE-2009-1196 CVE-2009-0791 cups: Multiple integer overflows in the CUPS "pdftops" filter CVE-2009-1196 cups: DoS (stop, crash) by renewing CUPS browse packets CVE-2009-0949 cups: IPP_TAG_UNSUPPORTED handling NULL pointer dereference DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 Mozilla Firefox is an open source Web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code as the user running Firefox. (CVE-2009-1392, CVE-2009-1832, CVE-2009-1833, CVE-2009-1837, CVE-2009-1838, CVE-2009-1841) Multiple flaws were found in the processing of malformed, local file content. If a user loaded malicious, local content via the file:// URL, it was possible for that content to access other local data. (CVE-2009-1835, CVE-2009-1839) A script, privilege elevation flaw was found in the way Firefox loaded XML User Interface Language (XUL) scripts. Firefox and certain add-ons could load malicious content when certain policy checks did not happen. (CVE-2009-1840) A flaw was found in the way Firefox displayed certain Unicode characters in International Domain Names (IDN). If an IDN contained invalid characters, they may have been displayed as spaces, making it appear to the user that they were visiting a trusted site. (CVE-2009-1834) A flaw was found in the way Firefox handled error responses returned from proxy servers. If an attacker is able to conduct a man-in-the-middle attack against a Firefox instance that is using a proxy server, they may be able to steal sensitive information from the site the user is visiting. (CVE-2009-1836) For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 3.0.11. You can find a link to the Mozilla advisories in the References section of this errata. All Firefox users should upgrade to these updated packages, which contain Firefox version 3.0.11, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect. Critical Copyright 2009 Red Hat, Inc. CVE-2009-1392 CVE-2009-1832 CVE-2009-1833 CVE-2009-1834 CVE-2009-1835 CVE-2009-1836 CVE-2009-1837 CVE-2009-1838 CVE-2009-1839 CVE-2009-1840 CVE-2009-1841 frequent firefox crashes against clearspace CVE-2009-1392 Firefox browser engine crashes CVE-2009-1832 Firefox double frame construction flaw CVE-2009-1833 Firefox JavaScript engine crashes CVE-2009-1834 Firefox URL spoofing with invalid unicode characters CVE-2009-1835 Firefox Arbitrary domain cookie access by local file: resources CVE-2009-1836 Firefox SSL tampering via non-200 responses to proxy CONNECT requests CVE-2009-1837 Firefox Race condition while accessing the private data of a NPObject JS wrapper class object CVE-2009-1838 Firefox arbitrary code execution flaw CVE-2009-1839 Firefox information disclosure flaw CVE-2009-1840 Firefox XUL scripts skip some security checks CVE-2009-1841 Firefox JavaScript arbitrary code execution cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 SeaMonkey is an open source Web browser, email and newsgroup client, IRC chat client, and HTML editor. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause SeaMonkey to crash or, potentially, execute arbitrary code as the user running SeaMonkey. (CVE-2009-1392, CVE-2009-1833, CVE-2009-1838, CVE-2009-1841) A flaw was found in the processing of malformed, local file content. If a user loaded malicious, local content via the file:// URL, it was possible for that content to access other local data. (CVE-2009-1835) All SeaMonkey users should upgrade to these updated packages, which correct these issues. After installing the update, SeaMonkey must be restarted for the changes to take effect. Critical Copyright 2009 Red Hat, Inc. CVE-2009-1392 CVE-2009-1833 CVE-2009-1835 CVE-2009-1838 CVE-2009-1841 CVE-2009-1392 Firefox browser engine crashes CVE-2009-1833 Firefox JavaScript engine crashes CVE-2009-1835 Firefox Arbitrary domain cookie access by local file: resources CVE-2009-1838 Firefox arbitrary code execution flaw CVE-2009-1841 Firefox JavaScript arbitrary code execution cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 Wireshark is a program for monitoring network traffic. Wireshark was previously known as Ethereal. A format string flaw was found in Wireshark. If Wireshark read a malformed packet off a network or opened a malicious dump file, it could crash or, possibly, execute arbitrary code as the user running Wireshark. (CVE-2009-1210) Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file. (CVE-2009-1268, CVE-2009-1269, CVE-2009-1829) Users of wireshark should upgrade to these updated packages, which contain Wireshark version 1.0.8, and resolve these issues. All running instances of Wireshark must be restarted for the update to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2009-1210 CVE-2009-1268 CVE-2009-1269 CVE-2009-1829 CVE-2009-1210 wireshark: format string in PROFINET dissector CVE-2009-1268 Wireshark CHAP dissector crash CVE-2009-1269 Wireshark Tektronix .rf5 file crash CVE-2009-1829 wireshark: PCNFSD dissector crash cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 cscope is a mature, ncurses-based, C source-code tree browsing tool. Multiple buffer overflow flaws were found in cscope. An attacker could create a specially crafted source code file that could cause cscope to crash or, possibly, execute arbitrary code when browsed with cscope. (CVE-2004-2541, CVE-2006-4262, CVE-2009-0148, CVE-2009-1577) All users of cscope are advised to upgrade to this updated package, which contains backported patches to fix these issues. All running instances of cscope must be restarted for this update to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2004-2541 CVE-2006-4262 CVE-2009-0148 CVE-2009-1577 CVE-2006-4262 cscope: multiple buffer overflows CVE-2004-2541, CVE-2009-0148 cscope: multiple buffer overflows CVE-2009-1577 cscope: putstring buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 cscope is a mature, ncurses-based, C source-code tree browsing tool. Multiple buffer overflow flaws were found in cscope. An attacker could create a specially crafted source code file that could cause cscope to crash or, possibly, execute arbitrary code when browsed with cscope. (CVE-2004-2541, CVE-2009-0148) All users of cscope are advised to upgrade to this updated package, which contains backported patches to fix these issues. All running instances of cscope must be restarted for this update to take effect. Moderate Copyright 2009 Red Hat, Inc. CVE-2004-2541 CVE-2009-0148 CVE-2004-2541, CVE-2009-0148 cscope: multiple buffer overflows cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security fixes: * several flaws were found in the way the Linux kernel CIFS implementation handles Unicode strings. CIFS clients convert Unicode strings sent by a server to their local character sets, and then write those strings into memory. If a malicious server sent a long enough string, it could write past the end of the target memory region and corrupt other memory areas, possibly leading to a denial of service or privilege escalation on the client mounting the CIFS share. (CVE-2009-1439, CVE-2009-1633, Important) * the Linux kernel Network File System daemon (nfsd) implementation did not drop the CAP_MKNOD capability when handling requests from local, unprivileged users. This flaw could possibly lead to an information leak or privilege escalation. (CVE-2009-1072, Moderate) * Frank Filz reported the NFSv4 client was missing a file permission check for the execute bit in some situations. This could allow local, unprivileged users to run non-executable files on NFSv4 mounted file systems. (CVE-2009-1630, Moderate) * a missing check was found in the hypervisor_callback() function in the Linux kernel provided by the kernel-xen package. This could cause a denial of service of a 32-bit guest if an application running in that guest accesses a certain memory location in the kernel. (CVE-2009-1758, Moderate) * a flaw was found in the AGPGART driver. The agp_generic_alloc_page() and agp_generic_alloc_pages() functions did not zero out the memory pages they allocate, which may later be available to user-space processes. This flaw could possibly lead to an information leak. (CVE-2009-1192, Low) Bug fixes: * a race in the NFS client between destroying cached access rights and unmounting an NFS file system could have caused a system crash. "Busy inodes" messages may have been logged. (BZ#498653) * nanosleep() could sleep several milliseconds less than the specified time on Intel Itanium®-based systems. (BZ#500349) * LEDs for disk drives in AHCI mode may have displayed a fault state when there were no faults. (BZ#500120) * ptrace_do_wait() reported tasks were stopped each time the process doing