Red Hat OVAL Patch Definition Merger 2 5.3 2011-09-30T09:55:20 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 PyXML provides XML libraries for Python. The distribution contains a validating XML parser, an implementation of the SAX and DOM programming interfaces, and an interface to the Expat parser. A buffer over-read flaw was found in the way PyXML's Expat parser handled malformed UTF-8 sequences when processing XML files. A specially-crafted XML file could cause Python applications using PyXML's Expat parser to crash while parsing the file. (CVE-2009-3720) This update makes PyXML use the system Expat library rather than its own internal copy; therefore, users must install the RHSA-2009:1625 expat update together with this PyXML update to resolve the CVE-2009-3720 issue. All PyXML users should upgrade to this updated package, which changes PyXML to use the system Expat library. After installing this update along with RHSA-2009:1625, applications using the PyXML library must be restarted for the update to take effect. Moderate Copyright 2010 Red Hat, Inc. CVE-2009-3720 CVE-2009-3720 expat: buffer over-read and crash on XML with malformed UTF-8 sequences cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The gd packages provide a graphics library used for the dynamic creation of images, such as PNG and JPEG. A missing input sanitization flaw, leading to a buffer overflow, was discovered in the gd library. A specially-crafted GD image file could cause an application using the gd library to crash or, possibly, execute arbitrary code when opened. (CVE-2009-3546) Users of gd should upgrade to these updated packages, which contain a backported patch to resolve this issue. Moderate Copyright 2010 Red Hat, Inc. CVE-2009-3546 CVE-2009-3546 gd: insufficient input validation in _gdGetColors() cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 D-Bus is a system for sending messages between applications. It is used for the system-wide message bus service and as a per-user-login-session messaging facility. It was discovered that the Red Hat Security Advisory RHSA-2009:0008 did not correctly fix the denial of service flaw in the system for sending messages between applications. A local user could use this flaw to send a message with a malformed signature to the bus, causing the bus (and, consequently, any process using libdbus to receive messages) to abort. (CVE-2009-1189) Note: Users running any application providing services over the system message bus are advised to test this update carefully before deploying it in production environments. All users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. For the update to take effect, all running instances of dbus-daemon and all running applications using the libdbus library must be restarted, or the system rebooted. Moderate Copyright 2010 Red Hat, Inc. CVE-2009-1189 CVE-2009-1189 dbus: invalid fix for CVE-2008-3834 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues: * a flaw was found in the IPv6 Extension Header (EH) handling implementation in the Linux kernel. The skb->dst data structure was not properly validated in the ipv6_hop_jumbo() function. This could possibly lead to a remote denial of service. (CVE-2007-4567, Important) * a flaw was found in each of the following Intel PRO/1000 Linux drivers in the Linux kernel: e1000 and e1000e. A remote attacker using packets larger than the MTU could bypass the existing fragment check, resulting in partial, invalid frames being passed to the network stack. These flaws could also possibly be used to trigger a remote denial of service. (CVE-2009-4536, CVE-2009-4538, Important) * a flaw was found in the Realtek r8169 Ethernet driver in the Linux kernel. Receiving overly-long frames with network cards supported by this driver could possibly result in a remote denial of service. (CVE-2009-4537, Important) Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect. Important Copyright 2010 Red Hat, Inc. CVE-2007-4567 CVE-2009-4536 CVE-2009-4537 CVE-2009-4538 CVE-2007-4567 kernel: ipv6_hop_jumbo remote system crash CVE-2009-4537 kernel: r8169 issue reported at 26c3 CVE-2009-4538 kernel: e1000e frame fragment issue CVE-2009-4536 kernel: e1000 issue reported at 26c3 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues: * a flaw was found in each of the following Intel PRO/1000 Linux drivers in the Linux kernel: e1000 and e1000e. A remote attacker using packets larger than the MTU could bypass the existing fragment check, resulting in partial, invalid frames being passed to the network stack. These flaws could also possibly be used to trigger a remote denial of service. (CVE-2009-4536, CVE-2009-4538, Important) * a flaw was found in the Realtek r8169 Ethernet driver in the Linux kernel. Receiving overly-long frames with network cards supported by this driver could possibly result in a remote denial of service. (CVE-2009-4537, Important) Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect. Important Copyright 2010 Red Hat, Inc. CVE-2009-4536 CVE-2009-4537 CVE-2009-4538 CVE-2009-4537 kernel: r8169 issue reported at 26c3 CVE-2009-4538 kernel: e1000e frame fragment issue CVE-2009-4536 kernel: e1000 issue reported at 26c3 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third party, the Key Distribution Center (KDC). Multiple integer underflow flaws, leading to heap-based corruption, were found in the way the MIT Kerberos Key Distribution Center (KDC) decrypted ciphertexts encrypted with the Advanced Encryption Standard (AES) and ARCFOUR (RC4) encryption algorithms. If a remote KDC client were able to provide a specially-crafted AES- or RC4-encrypted ciphertext or texts, it could potentially lead to either a denial of service of the central KDC (KDC crash or abort upon processing the crafted ciphertext), or arbitrary code execution with the privileges of the KDC (i.e., root privileges). (CVE-2009-4212) All krb5 users should upgrade to these updated packages, which contain a backported patch to correct these issues. All running services using the MIT Kerberos libraries must be restarted for the update to take effect. Critical Copyright 2010 Red Hat, Inc. CVE-2009-4212 CVE-2009-4212 krb: KDC integer overflows in AES and RC4 decryption routines (MITKRB5-SA-2009-004) cpe:/o:redhat:rhel_eus cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 Adobe Reader allows users to view and print documents in Portable Document Format (PDF). This update fixes several vulnerabilities in Adobe Reader. These vulnerabilities are summarized on the Adobe Security Advisory APSB10-02 page listed in the References section. A specially-crafted PDF file could cause Adobe Reader to crash or, potentially, execute arbitrary code as the user running Adobe Reader when opened. (CVE-2009-4324, CVE-2009-3953, CVE-2009-3954, CVE-2009-3955, CVE-2009-3959, CVE-2009-3956) This update also fixes the following bugs: * the acroread process continued to run even after closing a PDF file. If multiple PDF files were opened and then closed, the acroread processes continued to run and consume system resources (up to 100% CPU usage). With this update, the acroread process correctly exits, which resolves this issue. (BZ#473217) * the PPKLite.api plug-in was missing, causing Adobe Reader to crash when attempting to open signed PDF files. For such files, if an immediate crash was not observed, clicking on the Signature Panel could trigger one. With this update, the PPKLite.api plug-in is included, which resolves this issue. (BZ#472975) * Adobe Reader has been upgraded to version 9.3. (BZ#497957) Adobe have discontinued support for Adobe Reader 8 for Linux. All users of Adobe Reader are advised to install these updated packages, which contain Adobe Reader version 9.3, which is not vulnerable to these issues and fixes these bugs. All running instances of Adobe Reader must be restarted for the update to take effect. Critical Copyright 2010 Red Hat, Inc. CVE-2009-3953 CVE-2009-3954 CVE-2009-3955 CVE-2009-3956 CVE-2009-3959 CVE-2009-4324 acroread missing PPKLite.api and crashes on signed PDFs acroread takes 100% cpu and does not die when killed CVE-2009-4324 acroread: media.newplayer JavaScript API code execution vulnerability (APSB10-02) CVE-2009-3953 CVE-2009-3954 CVE-2009-3955 CVE-2009-3959 acroread: multiple code execution flaws (APSB10-02) CVE-2009-3956 acroread: script injection vulnerability (APSB10-02) cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The gcc and gcc4 packages include, among others, C, C++, and Java GNU compilers and related support libraries. libgcj contains a copy of GNU Libtool's libltdl library. A flaw was found in the way GNU Libtool's libltdl library looked for libraries to load. It was possible for libltdl to load a malicious library from the current working directory. In certain configurations, if a local attacker is able to trick a local user into running a Java application (which uses a function to load native libraries, such as System.loadLibrary) from within an attacker-controlled directory containing a malicious library or module, the attacker could possibly execute arbitrary code with the privileges of the user running the Java application. (CVE-2009-3736) All gcc and gcc4 users should upgrade to these updated packages, which contain a backported patch to correct this issue. All running Java applications using libgcj must be restarted for this update to take effect. Moderate Copyright 2010 Red Hat, Inc. CVE-2009-3736 CVE-2009-3736 libtool: libltdl may load and execute code from a library in the current directory cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. Multiple missing input sanitization flaws were discovered in PHP's exif extension. A specially-crafted image file could cause the PHP interpreter to crash or, possibly, disclose portions of its memory when a PHP script tried to extract Exchangeable image file format (Exif) metadata from the image file. (CVE-2009-2687, CVE-2009-3292) A missing input sanitization flaw, leading to a buffer overflow, was discovered in PHP's gd library. A specially-crafted GD image file could cause the PHP interpreter to crash or, possibly, execute arbitrary code when opened. (CVE-2009-3546) It was discovered that PHP did not limit the maximum number of files that can be uploaded in one request. A remote attacker could use this flaw to instigate a denial of service by causing the PHP interpreter to use lots of system resources dealing with requests containing large amounts of files to be uploaded. This vulnerability depends on file uploads being enabled (which it is, in the default PHP configuration). (CVE-2009-4017) Note: This update introduces a new configuration option, max_file_uploads, used for limiting the number of files that can be uploaded in one request. By default, the limit is 20 files per request. It was discovered that PHP was affected by the previously published "null prefix attack", caused by incorrect handling of NUL characters in X.509 certificates. If an attacker is able to get a carefully-crafted certificate signed by a trusted Certificate Authority, the attacker could use the certificate during a man-in-the-middle attack and potentially confuse PHP into accepting it by mistake. (CVE-2009-3291) It was discovered that PHP's htmlspecialchars() function did not properly recognize partial multi-byte sequences for some multi-byte encodings, sending them to output without them being escaped. An attacker could use this flaw to perform a cross-site scripting attack. (CVE-2009-4142) All php users should upgrade to these updated packages, which contain backported patches to resolve these issues. After installing the updated packages, the httpd daemon must be restarted for the update to take effect. Moderate Copyright 2010 Red Hat, Inc. CVE-2009-2687 CVE-2009-3291 CVE-2009-3292 CVE-2009-3546 CVE-2009-4017 CVE-2009-4142 CVE-2009-2687 php: exif_read_data crash on corrupted JPEG files CVE-2009-3292 php: exif extension: Multiple missing sanity checks in EXIF file processing CVE-2009-3291 php: openssl extension: Incorrect verification of SSL certificate with NUL in name CVE-2009-3546 gd: insufficient input validation in _gdGetColors() CVE-2009-4017 PHP: resource exhaustion attack via upload requests with lots of files CVE-2009-4142 php: htmlspecialchars() insufficient checking of input for multi-byte encodings cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Pidgin is an instant messaging program which can log in to multiple accounts on multiple instant messaging networks simultaneously. A directory traversal flaw was discovered in Pidgin's MSN protocol implementation. A remote attacker could send a specially-crafted emoticon image download request that would cause Pidgin to disclose an arbitrary file readable to the user running Pidgin. (CVE-2010-0013) These packages upgrade Pidgin to version 2.6.5. Refer to the Pidgin release notes for a full list of changes: http://developer.pidgin.im/wiki/ChangeLog All Pidgin users should upgrade to these updated packages, which correct this issue. Pidgin must be restarted for this update to take effect. Important Copyright 2010 Red Hat, Inc. CVE-2010-0013 CVE-2010-0013 pidgin/libpurple: MSN custom smiley request directory traversal file disclosure cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security fixes: * an array index error was found in the gdth driver. A local user could send a specially-crafted IOCTL request that would cause a denial of service or, possibly, privilege escalation. (CVE-2009-3080, Important) * a flaw was found in the FUSE implementation. When a system is low on memory, fuse_put_request() could dereference an invalid pointer, possibly leading to a local denial of service or privilege escalation. (CVE-2009-4021, Important) * Tavis Ormandy discovered a deficiency in the fasync_helper() implementation. This could allow a local, unprivileged user to leverage a use-after-free of locked, asynchronous file descriptors to cause a denial of service or privilege escalation. (CVE-2009-4141, Important) * the Parallels Virtuozzo Containers team reported the RHSA-2009:1243 update introduced two flaws in the routing implementation. If an attacker was able to cause a large enough number of collisions in the routing hash table (via specially-crafted packets) for the emergency route flush to trigger, a deadlock could occur. Secondly, if the kernel routing cache was disabled, an uninitialized pointer would be left behind after a route lookup, leading to a kernel panic. (CVE-2009-4272, Important) * the RHSA-2009:0225 update introduced a rewrite attack flaw in the do_coredump() function. A local attacker able to guess the file name a process is going to dump its core to, prior to the process crashing, could use this flaw to append data to the dumped core file. This issue only affects systems that have "/proc/sys/fs/suid_dumpable" set to 2 (the default value is 0). (CVE-2006-6304, Moderate) The fix for CVE-2006-6304 changes the expected behavior: With suid_dumpable set to 2, the core file will not be recorded if the file already exists. For example, core files will not be overwritten on subsequent crashes of processes whose core files map to the same name. * an information leak was found in the Linux kernel. On AMD64 systems, 32-bit processes could access and read certain 64-bit registers by temporarily switching themselves to 64-bit mode. (CVE-2009-2910, Moderate) * the RHBA-2008:0314 update introduced N_Port ID Virtualization (NPIV) support in the qla2xxx driver, resulting in two new sysfs pseudo files, "/sys/class/scsi_host/[a qla2xxx host]/vport_create" and "vport_delete". These two files were world-writable by default, allowing a local user to change SCSI host attributes. This flaw only affects systems using the qla2xxx driver and NPIV capable hardware. (CVE-2009-3556, Moderate) * permission issues were found in the megaraid_sas driver. The "dbg_lvl" and "poll_mode_io" files on the sysfs file system ("/sys/") had world-writable permissions. This could allow local, unprivileged users to change the behavior of the driver. (CVE-2009-3889, CVE-2009-3939, Moderate) * a NULL pointer dereference flaw was found in the firewire-ohci driver used for OHCI compliant IEEE 1394 controllers. A local, unprivileged user with access to /dev/fw* files could issue certain IOCTL calls, causing a denial of service or privilege escalation. The FireWire modules are blacklisted by default, and if enabled, only root has access to the files noted above by default. (CVE-2009-4138, Moderate) * a buffer overflow flaw was found in the hfs_bnode_read() function in the HFS file system implementation. This could lead to a denial of service if a user browsed a specially-crafted HFS file system, for example, by running "ls". (CVE-2009-4020, Low) Bug fix documentation for this update will be available shortly from www.redhat.com/docs/en-US/errata/RHSA-2010-0046/Kernel_Security_Update/ index.html Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect. Important Copyright 2010 Red Hat, Inc. CVE-2006-6304 CVE-2009-2910 CVE-2009-3080 CVE-2009-3556 CVE-2009-3889 CVE-2009-3939 CVE-2009-4020 CVE-2009-4021 CVE-2009-4138 CVE-2009-4141 CVE-2009-4272 CVE-2009-3889 CVE-2009-3939 kernel: megaraid_sas permissions in sysfs CVE-2009-2910 kernel: x86_64 32 bit process register leak Timedrift on VM with pv_clock enabled, causing system hangs and sporadic time behaviour [rhel-5.4.z] CVE-2009-3556 kernel: qla2xxx NPIV vport management pseudofiles are world writable CVE-2006-6304 kernel: use flag in do_coredump() CVE-2009-4021 kernel: fuse: prevent fuse_put_request on invalid pointer CVE-2009-3080 kernel: gdth: Prevent negative offsets in ioctl bnx2: panic in bnx2_poll_work() [rhel-5.4.z] CVE-2009-4020 kernel: hfs buffer overflow PV clock fix throws off database application time [rhel-5.4.z] kdump corefile cannot be backtraced in IA64 [rhel-5.4.z] Using IPoIB, losing connectivity with 1 host, other hosts accessible [rhel-5.4.z] glock_workqueue -- glock ref count via gfs2_glock_hold [rhel-5.4.z] CVE-2009-4272 kernel: emergency route cache flushing leads to node deadlock CVE-2009-4138 kernel: firewire: ohci: handle receive packets with a data length of zero CRM#1971672, Data loss in GFS2 when multiple nodes writes to same file [rhel-5.4.z] kernel: BUG: soft lockup - CPU#1 stuck for 13s! [httpd:4490] [rhel-5.4.z] CVE-2009-4141 kernel: create_elf_tables can leave urandom in a bad state kernel: sleeping vfs_check_frozen in called in atomic context from do_wp_page [rhel-5.4.z] hvm, x86_64 guest panic on 2.6.18-164.9.1.el5 [rhel-5.4.z] [NetApp 5.4.z bug] Emulex FC ports on RHEL 5.4 GA offlined during target controller faults [rhel-5.4.z] Hang when echoing to /proc/sys/net/ipv4/route/secret_interval [rhel-5.4.z] resize2fs online resize hangs [rhel-5.4.z] RHEL5.4 guest with PV clock: inconsistent times returned by clock_gettime(CLOCK_REALTIME) and gettimeofday() [rhel-5.4.z] cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. It was found that the OpenSSL library did not properly re-initialize its internal state in the SSL_library_init() function after previous calls to the CRYPTO_cleanup_all_ex_data() function, which would cause a memory leak for each subsequent SSL connection. This flaw could cause server applications that call those functions during reload, such as a combination of the Apache HTTP Server, mod_ssl, PHP, and cURL, to consume all available memory, resulting in a denial of service. (CVE-2009-4355) Dan Kaminsky found that browsers could accept certificates with MD2 hash signatures, even though MD2 is no longer considered a cryptographically strong algorithm. This could make it easier for an attacker to create a malicious certificate that would be treated as trusted by a browser. OpenSSL now disables the use of the MD2 algorithm inside signatures by default. (CVE-2009-2409) All OpenSSL users should upgrade to these updated packages, which contain backported patches to resolve these issues. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted. Moderate Copyright 2010 Red Hat, Inc. CVE-2009-2409 CVE-2009-4355 CVE-2009-2409 deprecate MD2 in SSL cert validation (Kaminsky) CVE-2009-4355 openssl significant memory leak in certain SSLv3 requests (DoS) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The gzip package provides the GNU gzip data compression program. An integer underflow flaw, leading to an array index error, was found in the way gzip expanded archive files compressed with the Lempel-Ziv-Welch (LZW) compression algorithm. If a victim expanded a specially-crafted archive, it could cause gzip to crash or, potentially, execute arbitrary code with the privileges of the user running gzip. This flaw only affects 64-bit systems. (CVE-2010-0001) Red Hat would like to thank Aki Helin of the Oulu University Secure Programming Group for responsibly reporting this flaw. Users of gzip should upgrade to this updated package, which contains a backported patch to correct this issue. Moderate Copyright 2010 Red Hat, Inc. CVE-2010-0001 CVE-2010-0001 gzip: (64 bit) Integer underflow by decompressing LZW format files cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. A flaw was found in the BIND DNSSEC NSEC/NSEC3 validation code. If BIND was running as a DNSSEC-validating resolver, it could incorrectly cache NXDOMAIN responses, as if they were valid, for records proven by NSEC or NSEC3 to exist. A remote attacker could use this flaw to cause a BIND server to return the bogus, cached NXDOMAIN responses for valid records and prevent users from retrieving those records (denial of service). (CVE-2010-0097) The original fix for CVE-2009-4022 was found to be incomplete. BIND was incorrectly caching certain responses without performing proper DNSSEC validation. CNAME and DNAME records could be cached, without proper DNSSEC validation, when received from processing recursive client queries that requested DNSSEC records but indicated that checking should be disabled. A remote attacker could use this flaw to bypass the DNSSEC validation check and perform a cache poisoning attack if the target BIND server was receiving such client queries. (CVE-2010-0290) All BIND users are advised to upgrade to these updated packages, which contain a backported patch to resolve these issues. After installing the update, the BIND daemon (named) will be restarted automatically. Moderate Copyright 2010 Red Hat, Inc. CVE-2010-0097 CVE-2010-0290 CVE-2010-0382 CVE-2010-0097 BIND DNSSEC NSEC/NSEC3 validation code could cause bogus NXDOMAIN responses CVE-2010-0290 BIND upstream fix for CVE-2009-4022 is incomplete cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues: * an array index error was found in the gdth driver in the Linux kernel. A local user could send a specially-crafted IOCTL request that would cause a denial of service or, possibly, privilege escalation. (CVE-2009-3080, Important) * a flaw was found in the collect_rx_frame() function in the HiSax ISDN driver (hfc_usb) in the Linux kernel. An attacker could use this flaw to send a specially-crafted HDLC packet that could trigger a buffer out of bounds, possibly resulting in a denial of service. (CVE-2009-4005, Important) * permission issues were found in the megaraid_sas driver (for SAS based RAID controllers) in the Linux kernel. The "dbg_lvl" and "poll_mode_io" files on the sysfs file system ("/sys/") had world-writable permissions. This could allow local, unprivileged users to change the behavior of the driver. (CVE-2009-3889, CVE-2009-3939, Moderate) * a buffer overflow flaw was found in the hfs_bnode_read() function in the HFS file system implementation in the Linux kernel. This could lead to a denial of service if a user browsed a specially-crafted HFS file system, for example, by running "ls". (CVE-2009-4020, Low) This update also fixes the following bugs: * if a process was using ptrace() to trace a multi-threaded process, and that multi-threaded process dumped its core, the process performing the trace could hang in wait4(). This issue could be triggered by running "strace -f" on a multi-threaded process that was dumping its core, resulting in the strace command hanging. (BZ#555869) * a bug in the ptrace() implementation could have, in some cases, caused ptrace_detach() to create a zombie process if the process being traced was terminated with a SIGKILL signal. (BZ#555869) * the RHSA-2010:0020 update resolved an issue (CVE-2009-4537) in the Realtek r8169 Ethernet driver. This update implements a better solution for that issue. Note: This is not a security regression. The original fix was complete. This update is adding the official upstream fix. (BZ#556406) Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect. Important Copyright 2010 Red Hat, Inc. CVE-2009-3080 CVE-2009-3889 CVE-2009-3939 CVE-2009-4005 CVE-2009-4020 CVE-2009-3889 CVE-2009-3939 kernel: megaraid_sas permissions in sysfs CVE-2009-3080 kernel: gdth: Prevent negative offsets in ioctl CVE-2009-4005 kernel: isdn: hfc_usb: fix read buffer overflow CVE-2009-4020 kernel: hfs buffer overflow [4.7] wait4 blocks on non-existing pid [rhel-4.8.z] kernel: r8169: straighten out overlength frame detection (improved) [rhel-4.9] [rhel-4.8.z] cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. KVM is a Linux kernel module built for the standard Red Hat Enterprise Linux kernel. The x86 emulator implementation was missing a check for the Current Privilege Level (CPL) and I/O Privilege Level (IOPL). A user in a guest could leverage these flaws to cause a denial of service (guest crash) or possibly escalate their privileges within that guest. (CVE-2010-0298, CVE-2010-0306) A flaw was found in the Programmable Interval Timer (PIT) emulation. Access to the internal data structure pit_state, which represents the data state of the emulated PIT, was not properly validated in the pit_ioport_read() function. A privileged guest user could use this flaw to crash the host. (CVE-2010-0309) A flaw was found in the USB passthrough handling code. A specially-crafted USB packet sent from inside a guest could be used to trigger a buffer overflow in the usb_host_handle_control() function, which runs under the QEMU-KVM context on the host. A user in a guest could leverage this flaw to cause a denial of service (guest hang or crash) or possibly escalate their privileges within the host. (CVE-2010-0297) This update also fixes the following bugs: * pvclock MSR values were not preserved during remote migration, causing time drift for guests. (BZ#537028) * SMBIOS table 4 data is now generated for Windows guests. (BZ#545874) * if the qemu-kvm "-net user" option was used, unattended Windows XP installations did not receive an IP address after reboot. (BZ#546562) * when being restored from migration, a race condition caused Windows Server 2008 R2 guests to hang during shutdown. (BZ#546563) * the kernel symbol checking on the kvm-kmod build process has a safety check for ABI changes. (BZ#547293) * on hosts without high-res timers, Windows Server 2003 guests experienced significant time drift. (BZ#547625) * in some situations, installing Windows Server 2008 R2 from an ISO image resulted in a blue screen "BAD_POOL_HEADER" stop error. (BZ#548368) * a bug in the grow_refcount_table() error handling caused infinite recursion in some cases. This caused the qemu-kvm process to hang and eventually crash. (BZ#552159) * for Windows Server 2003 R2, Service Pack 2, 32-bit guests, an "unhandled vm exit" error could occur during reboot on some systems. (BZ#552518) * for Windows guests, QEMU could attempt to stop a stopped audio device, resulting in a "snd_playback_stop: ASSERT playback_channel->base.active failed" error. (BZ#552519) * the Hypercall driver did not reset the device on power-down. (BZ#552528) * mechanisms have been added to make older savevm versions to be emitted in some cases. (BZ#552529) * an error in the Makefile prevented users from using the source RPM to install KVM. (BZ#552530) * guests became unresponsive and could use up to 100% CPU when running certain benchmark tests with more than 7 guests running simultaneously. (BZ#553249) * QEMU could terminate randomly with virtio-net and SMP enabled. (BZ#561022) All KVM users should upgrade to these updated packages, which contain backported patches to resolve these issues. Note: The procedure in the Solution section must be performed before this update will take effect. Important Copyright 2010 Red Hat, Inc. CVE-2010-0297 CVE-2010-0298 CVE-2010-0306 CVE-2010-0309 pvclock msr values are not preserved across remote migration Need to generate SMBIOS table 4 data for windows guests Windows XP unattended install doesn't get an IP address after rebooting, if using -net user Windows Server 2008 R2 shutdown hangs after restore from migration kvm kmod package should filter only some specific ksym dependencies time drift in win2k364 KVM guest BSOD BAD_POOL_HEADER STOP 0x19 during boot of Windows Server 2008 R2 installer qcow2: infinite recursion on grow_refcount_table() error handling Rhev-Block driver causes 'unhandled vm exit' with 32bit win2k3r2sp2 Guest VM on restart KVM : QEMU-Audio attempting to stop unactivated audio device (snd_playback_stop: ASSERT playback_channel->base.active failed). Hypercall driver doesn't reset device on power-down kvm: migration: mechanism to make older savevm versions to be emitted on some cases Build tree for RHEL 5.X and RHEL 5.4.z contains build bugs hypercall device - Vm becomes non responsive on Sysmark benchmark (when more than 7 vm's running simultaneously) CVE-2010-0297 kvm-userspace-rhel5: usb-linux.c: fix buffer overflow CVE-2010-0298 kvm: emulator privilege escalation CVE-2010-0306 kvm: emulator privilege escalation IOPL/CPL level check CVE-2010-0309 kvm: cat /dev/port in guest cause the host hang QEMU terminates without warning with virtio-net and SMP enabled cpe:/a:redhat:rhel_virtualization Red Hat Enterprise Linux 4 HelixPlayer is a media player. Multiple buffer and integer overflow flaws were found in the way HelixPlayer processed Graphics Interchange Format (GIF) files. An attacker could create a specially-crafted GIF file which would cause HelixPlayer to crash or, potentially, execute arbitrary code when opened. (CVE-2009-4242, CVE-2009-4245) A buffer overflow flaw was found in the way HelixPlayer processed Synchronized Multimedia Integration Language (SMIL) files. An attacker could create a specially-crafted SMIL file which would cause HelixPlayer to crash or, potentially, execute arbitrary code when opened. (CVE-2009-4257) A buffer overflow flaw was found in the way HelixPlayer handled the Real Time Streaming Protocol (RTSP) SET_PARAMETER directive. A malicious RTSP server could use this flaw to crash HelixPlayer or, potentially, execute arbitrary code. (CVE-2009-4248) Multiple buffer overflow flaws were discovered in the way HelixPlayer handled RuleBook structures in media files and RTSP streams. Specially-crafted input could cause HelixPlayer to crash or, potentially, execute arbitrary code. (CVE-2009-4247, CVE-2010-0417) A buffer overflow flaw was found in the way HelixPlayer performed URL un-escaping. A specially-crafted URL string could cause HelixPlayer to crash or, potentially, execute arbitrary code. (CVE-2010-0416) All HelixPlayer users are advised to upgrade to this updated package, which contains backported patches to resolve these issues. All running instances of HelixPlayer must be restarted for this update to take effect. Critical Copyright 2010 Red Hat, Inc. CVE-2009-4242 CVE-2009-4245 CVE-2009-4247 CVE-2009-4248 CVE-2009-4257 CVE-2010-0416 CVE-2010-0417 CVE-2010-4376 CVE-2009-4257 HelixPlayer / RealPlayer: SMIL getAtom heap buffer overflow CVE-2009-4247 HelixPlayer / RealPlayer: RTSP client ASM RuleBook stack buffer overflow CVE-2009-4248 HelixPlayer / RealPlayer: RTSP SET_PARAMETER buffer overflow CVE-2009-4242 HelixPlayer / RealPlayer: GIF file heap overflow CVE-2009-4245 HelixPlayer / RealPlayer: compressed GIF heap overflow CVE-2010-0416 HelixPlayer / RealPlayer: URL unescape buffer overflow CVE-2010-0417 HelixPlayer / RealPlayer: rule book handling heap corruption cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 OpenOffice.org is an office productivity suite that includes desktop applications, such as a word processor, spreadsheet application, presentation manager, formula editor, and a drawing program. An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way OpenOffice.org parsed XPM files. An attacker could create a specially-crafted document, which once opened by a local, unsuspecting user, could lead to arbitrary code execution with the permissions of the user running OpenOffice.org. Note: This flaw affects embedded XPM files in OpenOffice.org documents as well as stand-alone XPM files. (CVE-2009-2949) An integer underflow flaw and a boundary error flaw, both possibly leading to a heap-based buffer overflow, were found in the way OpenOffice.org parsed certain records in Microsoft Word documents. An attacker could create a specially-crafted Microsoft Word document, which once opened by a local, unsuspecting user, could cause OpenOffice.org to crash or, potentially, execute arbitrary code with the permissions of the user running OpenOffice.org. (CVE-2009-3301, CVE-2009-3302) A heap-based buffer overflow flaw, leading to memory corruption, was found in the way OpenOffice.org parsed GIF files. An attacker could create a specially-crafted document, which once opened by a local, unsuspecting user, could cause OpenOffice.org to crash. Note: This flaw affects embedded GIF files in OpenOffice.org documents as well as stand-alone GIF files. (CVE-2009-2950) All users of OpenOffice.org are advised to upgrade to these updated packages, which contain backported patches to correct these issues. All running instances of OpenOffice.org applications must be restarted for this update to take effect. Important Copyright 2010 Red Hat, Inc. CVE-2009-2949 CVE-2009-2950 CVE-2009-3301 CVE-2009-3302 CVE-2009-2950 openoffice.org: GIF file parsing heap overflow CVE-2009-2949 openoffice.org: integer overflow in XPM processing CVE-2009-3301 OpenOffice.org Word sprmTDefTable Memory Corruption CVE-2009-3302 OpenOffice.org Word sprmTSetBrc Memory Corruption cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in. This update fixes two vulnerabilities in Adobe Flash Player. These vulnerabilities are summarized on the Adobe Security Advisory APSB10-06 page listed in the References section. If a victim loaded a web page containing specially-crafted SWF content, it could cause Flash Player to perform unauthorized cross-domain requests, leading to the disclosure of sensitive data. (CVE-2010-0186, CVE-2010-0187) All users of Adobe Flash Player should install this updated package, which upgrades Flash Player to version 10.0.45.2. Important Copyright 2010 Red Hat, Inc. CVE-2010-0186 CVE-2010-0187 CVE-2010-0186 flash-plugin: unauthorized cross-domain requests (APSB10-06) CVE-2010-0187 flash-plugin: possible player crash (APSB10-06) cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 5 NetworkManager is a network link manager that attempts to keep a wired or wireless network connection active at all times. A missing network certificate verification flaw was found in NetworkManager. If a user created a WPA Enterprise or 802.1x wireless network connection that was verified using a Certificate Authority (CA) certificate, and then later removed that CA certificate file, NetworkManager failed to verify the identity of the network on the following connection attempts. In these situations, a malicious wireless network spoofing the original network could trick a user into disclosing authentication credentials or communicating over an untrusted network. (CVE-2009-4144) An information disclosure flaw was found in NetworkManager's nm-connection-editor D-Bus interface. If a user edited network connection options using nm-connection-editor, a summary of those changes was broadcasted over the D-Bus message bus, possibly disclosing sensitive information (such as wireless network authentication credentials) to other local users. (CVE-2009-4145) Users of NetworkManager should upgrade to these updated packages, which contain backported patches to correct these issues. Moderate Copyright 2010 Red Hat, Inc. CVE-2009-4144 CVE-2009-4145 CVE-2009-4145 NetworkManager: information disclosure by nm-connection-editor CVE-2009-4144 NetworkManager: WPA enterprise network not verified when certificate is removed cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 MySQL is a multi-user, multi-threaded SQL database server. It consists of the MySQL server daemon (mysqld) and many client programs and libraries. It was discovered that the MySQL client ignored certain SSL certificate verification errors when connecting to servers. A man-in-the-middle attacker could use this flaw to trick MySQL clients into connecting to a spoofed MySQL server. (CVE-2009-4028) Note: This fix may uncover previously hidden SSL configuration issues, such as incorrect CA certificates being used by clients or expired server certificates. This update should be carefully tested in deployments where SSL connections are used. A flaw was found in the way MySQL handled SELECT statements with subqueries in the WHERE clause, that assigned results to a user variable. A remote, authenticated attacker could use this flaw to crash the MySQL server daemon (mysqld). This issue only caused a temporary denial of service, as the MySQL daemon was automatically restarted after the crash. (CVE-2009-4019) When the "datadir" option was configured with a relative path, MySQL did not properly check paths used as arguments for the DATA DIRECTORY and INDEX DIRECTORY directives. An authenticated attacker could use this flaw to bypass the restriction preventing the use of subdirectories of the MySQL data directory being used as DATA DIRECTORY and INDEX DIRECTORY paths. (CVE-2009-4030) Note: Due to the security risks and previous security issues related to the use of the DATA DIRECTORY and INDEX DIRECTORY directives, users not depending on this feature should consider disabling it by adding "symbolic-links=0" to the "[mysqld]" section of the "my.cnf" configuration file. In this update, an example of such a configuration was added to the default "my.cnf" file. All MySQL users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. After installing this update, the MySQL server daemon (mysqld) will be restarted automatically. Moderate Copyright 2010 Red Hat, Inc. CVE-2009-4019 CVE-2009-4028 CVE-2009-4030 CVE-2009-4019 mysql: DoS (crash) when comparing GIS items from subquery and when handling subqueires in WHERE and assigning a SELECT result to a @variable CVE-2009-4028 mysql: client SSL certificate verification flaw CVE-2009-4030 mysql: Incomplete fix for CVE-2008-2079 / CVE-2008-4098 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 MySQL is a multi-user, multi-threaded SQL database server. It consists of the MySQL server daemon (mysqld) and many client programs and libraries. Multiple flaws were discovered in the way MySQL handled symbolic links to tables created using the DATA DIRECTORY and INDEX DIRECTORY directives in CREATE TABLE statements. An attacker with CREATE and DROP table privileges and shell access to the database server could use these flaws to escalate their database privileges, or gain access to tables created by other database users. (CVE-2008-4098, CVE-2009-4030) Note: Due to the security risks and previous security issues related to the use of the DATA DIRECTORY and INDEX DIRECTORY directives, users not depending on this feature should consider disabling it by adding "symbolic-links=0" to the "[mysqld]" section of the "my.cnf" configuration file. In this update, an example of such a configuration was added to the default "my.cnf" file. An insufficient HTML entities quoting flaw was found in the mysql command line client's HTML output mode. If an attacker was able to inject arbitrary HTML tags into data stored in a MySQL database, which was later retrieved using the mysql command line client and its HTML output mode, they could perform a cross-site scripting (XSS) attack against victims viewing the HTML output in a web browser. (CVE-2008-4456) Multiple format string flaws were found in the way the MySQL server logged user commands when creating and deleting databases. A remote, authenticated attacker with permissions to CREATE and DROP databases could use these flaws to formulate a specially-crafted SQL command that would cause a temporary denial of service (open connections to mysqld are terminated). (CVE-2009-2446) Note: To exploit the CVE-2009-2446 flaws, the general query log (the mysqld "--log" command line option or the "log" option in "my.cnf") must be enabled. This logging is not enabled by default. All MySQL users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. After installing this update, the MySQL server daemon (mysqld) will be restarted automatically. Moderate Copyright 2010 Red Hat, Inc. CVE-2008-4098 CVE-2008-4456 CVE-2009-2446 CVE-2009-4030 CVE-2008-4098 mysql: incomplete upstream fix for CVE-2008-2079 CVE-2008-4456 mysql: mysql command line client XSS flaw CVE-2009-2446 MySQL: Format string vulnerability by manipulation with database instances (crash) CVE-2009-4030 mysql: Incomplete fix for CVE-2008-2079 / CVE-2008-4098 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Firefox is an open source Web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. A use-after-free flaw was found in Firefox. Under low memory conditions, visiting a web page containing malicious content could result in Firefox executing arbitrary code with the privileges of the user running Firefox. (CVE-2009-1571) Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2010-0159, CVE-2010-0160) Two flaws were found in the way certain content was processed. An attacker could use these flaws to create a malicious web page that could bypass the same-origin policy, or possibly run untrusted JavaScript. (CVE-2009-3988, CVE-2010-0162) For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 3.0.18. You can find a link to the Mozilla advisories in the References section of this errata. All Firefox users should upgrade to these updated packages, which contain Firefox version 3.0.18, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect. Critical Copyright 2010 Red Hat, Inc. CVE-2009-1571 CVE-2009-3988 CVE-2010-0159 CVE-2010-0160 CVE-2010-0162 CVE-2010-0167 CVE-2010-0169 CVE-2010-0171 CVE-2010-0159 Mozilla crashes with evidence of memory corruption (MFSA 2010-01) CVE-2010-0160 Mozilla implementation of Web Workers can lead to crash with evidence of memory corruption (MFSA 2010-02) CVE-2009-1571 Mozilla incorrectly frees used memory (MFSA 2010-03) CVE-2009-3988 Mozilla violation of same-origin policy due to properties set on objects passed to showModalDialog (MFSA 2010-04) CVE-2010-0162 Mozilla bypass of same-origin policy due to improper SVG document processing (MFSA 2010-05) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 SeaMonkey is an open source Web browser, email and newsgroup client, IRC chat client, and HTML editor. A use-after-free flaw was found in SeaMonkey. Under low memory conditions, visiting a web page containing malicious content could result in SeaMonkey executing arbitrary code with the privileges of the user running SeaMonkey. (CVE-2009-1571) Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause SeaMonkey to crash or, potentially, execute arbitrary code with the privileges of the user running SeaMonkey. (CVE-2010-0159) All SeaMonkey users should upgrade to these updated packages, which correct these issues. After installing the update, SeaMonkey must be restarted for the changes to take effect. Critical Copyright 2010 Red Hat, Inc. CVE-2009-1571 CVE-2010-0159 CVE-2010-0169 CVE-2010-0171 CVE-2010-0159 Mozilla crashes with evidence of memory corruption (MFSA 2010-01) CVE-2009-1571 Mozilla incorrectly frees used memory (MFSA 2010-03) cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 Adobe Reader allows users to view and print documents in Portable Document Format (PDF). This update fixes two vulnerabilities in Adobe Reader. These vulnerabilities are summarized on the Adobe Security Advisory APSB10-07 page listed in the References section. A specially-crafted PDF file could cause Adobe Reader to crash or, potentially, execute arbitrary code as the user running Adobe Reader when opened. (CVE-2010-0186, CVE-2010-0188) This update also fixes a bug where, on some systems, attempting to install or upgrade the acroread packages failed due to a package dependency issue. (BZ#557506) All Adobe Reader users should install these updated packages. They contain Adobe Reader version 9.3.1, which is not vulnerable to these issues and fixes this bug. All running instances of Adobe Reader must be restarted for the update to take effect. Critical Copyright 2010 Red Hat, Inc. CVE-2010-0186 CVE-2010-0188 acroread requires openldap-devel which is in Workstation/ CVE-2010-0186 flash-plugin: unauthorized cross-domain requests (APSB10-06) CVE-2010-0188 acroread: unspecified code execution flaw cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Pidgin is an instant messaging program which can log in to multiple accounts on multiple instant messaging networks simultaneously. An input sanitization flaw was found in the way Pidgin's MSN protocol implementation handled MSNSLP invitations. A remote attacker could send a specially-crafted INVITE request that would cause a denial of service (memory corruption and Pidgin crash). (CVE-2010-0277) A denial of service flaw was found in Finch's XMPP chat implementation, when using multi-user chat. If a Finch user in a multi-user chat session were to change their nickname to contain the HTML "br" element, it would cause Finch to crash. (CVE-2010-0420) Red Hat would like to thank Sadrul Habib Chowdhury of the Pidgin project for responsibly reporting the CVE-2010-0420 issue. A denial of service flaw was found in the way Pidgin processed emoticon images. A remote attacker could flood the victim with emoticon images during mutual communication, leading to excessive CPU use. (CVE-2010-0423) These packages upgrade Pidgin to version 2.6.6. Refer to the Pidgin release notes for a full list of changes: http://developer.pidgin.im/wiki/ChangeLog All Pidgin users are advised to upgrade to these updated packages, which correct these issues. Pidgin must be restarted for this update to take effect. Moderate Copyright 2010 Red Hat, Inc. CVE-2010-0277 CVE-2010-0420 CVE-2010-0423 CVE-2010-0277 pidgin MSN protocol plugin memory corruption CVE-2010-0420 pidgin: Finch XMPP MUC Crash CVE-2010-0423 pidgin: Smiley Denial of Service cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The sudo (superuser do) utility allows system administrators to give certain users the ability to run commands as root. A privilege escalation flaw was found in the way sudo handled the sudoedit pseudo-command. If a local user were authorized by the sudoers file to use this pseudo-command, they could possibly leverage this flaw to execute arbitrary code with the privileges of the root user. (CVE-2010-0426) The sudo utility did not properly initialize supplementary groups when the "runas_default" option (in the sudoers file) was used. If a local user were authorized by the sudoers file to perform their sudo commands under the account specified with "runas_default", they would receive the root user's supplementary groups instead of those of the intended target user, giving them unintended privileges. (CVE-2010-0427) Users of sudo should upgrade to this updated package, which contains backported patches to correct these issues. Important Copyright 2010 Red Hat, Inc. CVE-2010-0426 CVE-2010-0427 CVE-2010-0426 sudo: sudoedit option can possibly allow for arbitrary code execution CVE-2010-0427 sudo: Fails to reset group permissions if runas_default set cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 SystemTap is an instrumentation system for systems running the Linux kernel, version 2.6. Developers can write scripts to collect data on the operation of the system. A flaw was found in the SystemTap compile server, stap-server, an optional component of SystemTap. This server did not adequately sanitize input provided by the stap-client program, which may allow a remote user to execute arbitrary shell code with the privileges of the compile server process, which could possibly be running as the root user. (CVE-2009-4273) Note: stap-server is not run by default. It must be started by a user or administrator. A buffer overflow flaw was found in SystemTap's tapset __get_argv() function. If a privileged user ran a SystemTap script that called this function, a local, unprivileged user could, while that script is still running, trigger this flaw and cause memory corruption by running a command with a large argument list, which may lead to a system crash or, potentially, arbitrary code execution with root privileges. (CVE-2010-0411) Note: SystemTap scripts that call __get_argv(), being a privileged function, can only be executed by the root user or users in the stapdev group. As well, if such a script was compiled and installed by root, users in the stapusr group would also be able to execute it. SystemTap users should upgrade to these updated packages, which contain backported patches to correct these issues. Important Copyright 2010 Red Hat, Inc. CVE-2009-4273 CVE-2010-0411 CVE-2009-4273 systemtap: remote code execution via stap-server CVE-2010-0411 systemtap: Crash with systemtap script using __get_argv() cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 SystemTap is an instrumentation system for systems running the Linux kernel, version 2.6. Developers can write scripts to collect data on the operation of the system. A buffer overflow flaw was found in SystemTap's tapset __get_argv() function. If a privileged user ran a SystemTap script that called this function, a local, unprivileged user could, while that script is still running, trigger this flaw and cause memory corruption by running a command with a large argument list, which may lead to a system crash or, potentially, arbitrary code execution with root privileges. (CVE-2010-0411) Note: SystemTap scripts that call __get_argv(), being a privileged function, can only be executed by the root user or users in the stapdev group. As well, if such a script was compiled and installed by root, users in the stapusr group would also be able to execute it. SystemTap users should upgrade to these updated packages, which contain a backported patch to correct this issue. Moderate Copyright 2010 Red Hat, Inc. CVE-2010-0411 CVE-2010-0411 systemtap: Crash with systemtap script using __get_argv() cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. KVM is a Linux kernel module built for the standard Red Hat Enterprise Linux kernel. A flaw was found in the way the x86 emulator loaded segment selectors (used for memory segmentation and protection) into segment registers. In some guest system configurations, an unprivileged guest user could leverage this flaw to crash the guest or possibly escalate their privileges within the guest. (CVE-2010-0419) The x86 emulator implementation was missing a check for the Current Privilege Level (CPL) while accessing debug registers. An unprivileged user in a guest could leverage this flaw to crash the guest. (CVE-2009-3722) This update also fixes the following bugs: With Red Hat Enterprise Virtualization, the virtio_blk_dma_restart_bh() function was previously used to handle write errors; however, a bug fix provided by the RHSA-2009:1659 update meant that read errors would also have to be handled by this function. The function was not updated for this, causing read errors to be resubmitted as writes. This caused guest image corruption in some cases. Additionally, the return values of the bdrv_aio_write() and bdrv_aio_read() functions were ignored. If an immediate failure occurred in one of these functions, errors would be missed and the guest could hang or read corrupted data. (BZ#562776) All KVM users should upgrade to these updated packages, which contain backported patches to resolve these issues. Note: The procedure in the Solution section must be performed before this update will take effect. Important Copyright 2010 Red Hat, Inc. CVE-2009-3722 CVE-2010-0419 CVE-2009-3722 KVM: Check cpl before emulating debug register access Guest image corruption after RHEV-H update to 5.4-2.1.3.el5_4rhev2_1 using virtio-blk CVE-2010-0419 kvm: emulator privilege escalation segment selector check cpe:/a:redhat:rhel_virtualization Red Hat Enterprise Linux 5 The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX operating systems. It was discovered that the Red Hat Security Advisory RHSA-2009:1595 did not fully correct the use-after-free flaw in the way CUPS handled references in its file descriptors-handling interface. A remote attacker could send specially-crafted queries to the CUPS server, causing it to crash. (CVE-2010-0302) Users of cups are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the update, the cupsd daemon will be restarted automatically. Moderate Copyright 2010 Red Hat, Inc. CVE-2010-0302 CVE-2010-0302 cups Incomplete fix for CVE-2009-3553 cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 The IBM 1.5.0 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocols handle session renegotiation. A man-in-the-middle attacker could use this flaw to prefix arbitrary plain text to a client's session (for example, an HTTPS connection to a website). This could force the server to process an attacker's request as if authenticated using the victim's credentials. (CVE-2009-3555) This update disables renegotiation in the Java Secure Socket Extension (JSSE) component. Unsafe renegotiation can be re-enabled using the com.ibm.jsse2.renegotiate property. Refer to the following Knowledgebase article for details: http://kbase.redhat.com/faq/docs/DOC-20491 All users of java-1.5.0-ibm are advised to upgrade to these updated packages, containing the IBM 1.5.0 SR11-FP1 Java release. All running instances of IBM Java must be restarted for this update to take effect. Moderate Copyright 2010 Red Hat, Inc. CVE-2009-3555 CVE-2010-0084 CVE-2010-0085 CVE-2010-0087 CVE-2010-0088 CVE-2010-0089 CVE-2010-0091 CVE-2010-0092 CVE-2010-0094 CVE-2010-0095 CVE-2010-0837 CVE-2010-0838 CVE-2010-0839 CVE-2009-3555 TLS: MITM attacks via session renegotiation cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 Pango is a library used for the layout and rendering of internationalized text. An input sanitization flaw, leading to an array index error, was found in the way the Pango font rendering library synthesized the Glyph Definition (GDEF) table from a font's character map and the Unicode property database. If an attacker created a specially-crafted font file and tricked a local, unsuspecting user into loading the font file in an application that uses the Pango font rendering library, it could cause that application to crash. (CVE-2010-0421) Users of pango and evolution28-pango are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing this update, you must restart your system or restart your X session for this update to take effect. Moderate Copyright 2010 Red Hat, Inc. CVE-2010-0421 CVE-2010-0421 libpangoft2 segfaults on forged font files cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The GNU tar program saves many files together in one archive and can restore individual files (or all of the files) from that archive. A heap-based buffer overflow flaw was found in the way tar expanded archive files. If a user were tricked into expanding a specially-crafted archive, it could cause the tar executable to crash or execute arbitrary code with the privileges of the user running tar. (CVE-2010-0624) Red Hat would like to thank Jakob Lell for responsibly reporting the CVE-2010-0624 issue. A denial of service flaw was found in the way tar expanded archive files. If a user expanded a specially-crafted archive, it could cause the tar executable to crash. (CVE-2007-4476) Users of tar are advised to upgrade to this updated package, which contains backported patches to correct these issues. Moderate Copyright 2010 Red Hat, Inc. CVE-2007-4476 CVE-2010-0624 CVE-2007-4476 tar/cpio stack crashing in safer_name_suffix CVE-2010-0624 tar, cpio: Heap-based buffer overflow by expanding a specially-crafted archive cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The GNU tar program saves many files together in one archive and can restore individual files (or all of the files) from that archive. A heap-based buffer overflow flaw was found in the way tar expanded archive files. If a user were tricked into expanding a specially-crafted archive, it could cause the tar executable to crash or execute arbitrary code with the privileges of the user running tar. (CVE-2010-0624) Red Hat would like to thank Jakob Lell for responsibly reporting this issue. Users of tar are advised to upgrade to this updated package, which contains a backported patch to correct this issue. Moderate Copyright 2010 Red Hat, Inc. CVE-2010-0624 CVE-2010-0624 tar, cpio: Heap-based buffer overflow by expanding a specially-crafted archive cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 GNU cpio copies files into or out of a cpio or tar archive. A heap-based buffer overflow flaw was found in the way cpio expanded archive files. If a user were tricked into expanding a specially-crafted archive, it could cause the cpio executable to crash or execute arbitrary code with the privileges of the user running cpio. (CVE-2010-0624) Red Hat would like to thank Jakob Lell for responsibly reporting this issue. Users of cpio are advised to upgrade to this updated package, which contains a backported patch to correct this issue. Moderate Copyright 2010 Red Hat, Inc. CVE-2010-0624 CVE-2010-0624 tar, cpio: Heap-based buffer overflow by expanding a specially-crafted archive cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 GNU cpio copies files into or out of a cpio or tar archive. A heap-based buffer overflow flaw was found in the way cpio expanded archive files. If a user were tricked into expanding a specially-crafted archive, it could cause the cpio executable to crash or execute arbitrary code with the privileges of the user running cpio. (CVE-2010-0624) Red Hat would like to thank Jakob Lell for responsibly reporting the CVE-2010-0624 issue. A denial of service flaw was found in the way cpio expanded archive files. If a user expanded a specially-crafted archive, it could cause the cpio executable to crash. (CVE-2007-4476) Users of cpio are advised to upgrade to this updated package, which contains backported patches to correct these issues. Moderate Copyright 2010 Red Hat, Inc. CVE-2007-4476 CVE-2010-0624 CVE-2007-4476 tar/cpio stack crashing in safer_name_suffix CVE-2010-0624 tar, cpio: Heap-based buffer overflow by expanding a specially-crafted archive cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 GNU cpio copies files into or out of a cpio or tar archive. A heap-based buffer overflow flaw was found in the way cpio expanded archive files. If a user were tricked into expanding a specially-crafted archive, it could cause the cpio executable to crash or execute arbitrary code with the privileges of the user running cpio. (CVE-2010-0624) Red Hat would like to thank Jakob Lell for responsibly reporting the CVE-2010-0624 issue. A stack-based buffer overflow flaw was found in the way cpio expanded large archive files. If a user expanded a specially-crafted archive, it could cause the cpio executable to crash. This issue only affected 64-bit platforms. (CVE-2005-4268) Users of cpio are advised to upgrade to this updated package, which contains backported patches to correct these issues. Moderate Copyright 2010 Red Hat, Inc. CVE-2005-4268 CVE-2010-0624 CVE-2005-4268 cpio large filesize buffer overflow CVE-2010-0624 tar, cpio: Heap-based buffer overflow by expanding a specially-crafted archive cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues: * a NULL pointer dereference flaw was found in the sctp_rcv_ootb() function in the Linux kernel Stream Control Transmission Protocol (SCTP) implementation. A remote attacker could send a specially-crafted SCTP packet to a target system, resulting in a denial of service. (CVE-2010-0008, Important) * a NULL pointer dereference flaw was found in the Linux kernel. During a core dump, the kernel did not check if the Virtual Dynamically-linked Shared Object page was accessible. On Intel 64 and AMD64 systems, a local, unprivileged user could use this flaw to cause a kernel panic by running a crafted 32-bit application. (CVE-2009-4271, Important) * an information leak was found in the print_fatal_signal() implementation in the Linux kernel. When "/proc/sys/kernel/print-fatal-signals" is set to 1 (the default value is 0), memory that is reachable by the kernel could be leaked to user-space. This issue could also result in a system crash. Note that this flaw only affected the i386 architecture. (CVE-2010-0003, Moderate) * on AMD64 systems, it was discovered that the kernel did not ensure the ELF interpreter was available before making a call to the SET_PERSONALITY macro. A local attacker could use this flaw to cause a denial of service by running a 32-bit application that attempts to execute a 64-bit application. (CVE-2010-0307, Moderate) * missing capability checks were found in the ebtables implementation, used for creating an Ethernet bridge firewall. This could allow a local, unprivileged user to bypass intended capability restrictions and modify ebtables rules. (CVE-2010-0007, Low) This update also fixes the following bugs: * under some circumstances, a locking bug could have caused an online ext3 file system resize to deadlock, which may have, in turn, caused the file system or the entire system to become unresponsive. In either case, a reboot was required after the deadlock. With this update, using resize2fs to perform an online resize of an ext3 file system works as expected. (BZ#553135) * some ATA and SCSI devices were not honoring the barrier=1 mount option, which could result in data loss after a crash or power loss. This update applies a patch to the Linux SCSI driver to ensure ordered write caching. This solution does not provide cache flushes; however, it does provide data integrity on devices that have no write caching (or where write caching is disabled) and no command queuing. For systems that have command queuing or write cache enabled there is no guarantee of data integrity after a crash. (BZ#560563) * it was found that lpfc_find_target() could loop continuously when scanning a list of nodes due to a missing spinlock. This missing spinlock allowed the list to be changed after the list_empty() test, resulting in a NULL value, causing the loop. This update adds the spinlock, resolving the issue. (BZ#561453) * the fix for CVE-2009-4538 provided by RHSA-2010:0020 introduced a regression, preventing Wake on LAN (WoL) working for network devices using the Intel PRO/1000 Linux driver, e1000e. Attempting to configure WoL for such devices resulted in the following error, even when configuring valid options: "Cannot set new wake-on-lan settings: Operation not supported not setting wol" This update resolves this regression, and WoL now works as expected for network devices using the e1000e driver. (BZ#565496) Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect. Important Copyright 2010 Red Hat, Inc. CVE-2009-4271 CVE-2010-0003 CVE-2010-0007 CVE-2010-0008 CVE-2010-0307 CVE-2009-4271 kernel: 32bit process on 64bit system can trigger a kernel panic ext2online resize hangs [rhel-4.8.z] CVE-2010-0003 kernel: infoleak if print-fatal-signals=1 CVE-2010-0007 kernel: netfilter: ebtables: enforce CAP_NET_ADMIN CVE-2010-0008 kernel: sctp remote denial of service CVE-2010-0307 kernel: DoS on x86_64 Write barrier operations not working for libata and general SCSI disks [rhel-4.8.z] [Emulex 4.9 bug] lpfc driver doesn't acquire lock when searching hba for target [rhel-4.8.z] e1000e: wol is broken in kernel 2.6.9-89.19 [rhel-4.8.z] cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security fixes: * a NULL pointer dereference flaw was found in the sctp_rcv_ootb() function in the Linux kernel Stream Control Transmission Protocol (SCTP) implementation. A remote attacker could send a specially-crafted SCTP packet to a target system, resulting in a denial of service. (CVE-2010-0008, Important) * a missing boundary check was found in the do_move_pages() function in the memory migration functionality in the Linux kernel. A local user could use this flaw to cause a local denial of service or an information leak. (CVE-2010-0415, Important) * a NULL pointer dereference flaw was found in the ip6_dst_lookup_tail() function in the Linux kernel. An attacker on the local network could trigger this flaw by sending IPv6 traffic to a target system, leading to a system crash (kernel OOPS) if dst->neighbour is NULL on the target system when receiving an IPv6 packet. (CVE-2010-0437, Important) * a NULL pointer dereference flaw was found in the ext4 file system code in the Linux kernel. A local attacker could use this flaw to trigger a local denial of service by mounting a specially-crafted, journal-less ext4 file system, if that file system forced an EROFS error. (CVE-2009-4308, Moderate) * an information leak was found in the print_fatal_signal() implementation in the Linux kernel. When "/proc/sys/kernel/print-fatal-signals" is set to 1 (the default value is 0), memory that is reachable by the kernel could be leaked to user-space. This issue could also result in a system crash. Note that this flaw only affected the i386 architecture. (CVE-2010-0003, Moderate) * missing capability checks were found in the ebtables implementation, used for creating an Ethernet bridge firewall. This could allow a local, unprivileged user to bypass intended capability restrictions and modify ebtables rules. (CVE-2010-0007, Low) Bug fixes: * a bug prevented Wake on LAN (WoL) being enabled on certain Intel hardware. (BZ#543449) * a race issue in the Journaling Block Device. (BZ#553132) * 32-bit x86 timespec structures are not the same size as on 64-bit systems. A 32-bit compatible function -- sys32_sched_rr_get_interval() -- is available. However, when 32-bit programs running on 64-bit systems called sched_rr_get_interval(), it was not called and the kernel wrote data past the allocated space, causing user stack corruption. sys32_sched_rr_get_interval() is now called as expected. (BZ#557684) * the RHSA-2010:0019 update introduced a regression, preventing WoL from working for network devices using the e1000e driver. (BZ#559335) * adding a bonding interface in mode balance-alb to a bridge was not functional. (BZ#560588) * some KVM (Kernel-based Virtual Machine) guests experienced slow performance (and possibly a crash) after suspend/resume. (BZ#560640) * on some systems, VF cannot be enabled in dom0. (BZ#560665) * on systems with certain network cards, a system crash occurred after enabling GRO. (BZ#561417) * for x86 KVM guests with pvclock enabled, the boot clocks were registered twice, possibly causing KVM to write data to a random memory area during the guest's life. (BZ#561454) * serious performance degradation for 32-bit applications, that map (mmap) thousands of small files, when run on a 64-bit system. (BZ#562746) * improved kexec/kdump handling. Previously, on some systems under heavy load, kexec/kdump was not functional. (BZ#562772) * dom0 was unable to boot when using the Xen hypervisor on a system with a large number of logical CPUs. (BZ#562777) * a fix for a bug that could potentially cause file system corruption. (BZ#564281) * a bug caused infrequent cluster issues for users of GFS2. (BZ#564288) * gfs2_delete_inode failed on read-only file systems. (BZ#564290) Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect. Important Copyright 2010 Red Hat, Inc. CVE-2009-4308 CVE-2010-0003 CVE-2010-0007 CVE-2010-0008 CVE-2010-0415 CVE-2010-0437 CVE-2009-4308 kernel: ext4: Avoid null pointer dereference when decoding EROFS w/o a journal [Patch] jbd slab cache creation/deletion is racey [rhel-5.4.z] CVE-2010-0003 kernel: infoleak if print-fatal-signals=1 CVE-2010-0007 kernel: netfilter: ebtables: enforce CAP_NET_ADMIN CVE-2010-0008 kernel: sctp remote denial of service [5.4] sched_rr_get_interval() destroys user data in 32-bit compat mode. [rhel-5.4.z] e1000e: wol is broken on 2.6.18-185.el5 [rhel-5.4.z] Adding bonding in balance-alb mode to bridge causes host network connectivity to be lost [rhel-5.4.z] Call trace error display when resume from suspend to disk (ide block) - pvclock related [rhel-5.4.z] [SR-IOV] VF can not be enabled in Dom0 [rhel-5.4.z] Kernel panic when using GRO through ixgbe driver and xen bridge [rhel-5.4.z] kvm pvclock on i386 suffers from double registering [rhel-5.4.z] CVE-2010-0415 kernel: sys_move_pages infoleak Strange vm performance degradation moving 32 bit app from RHEL 4.6 32bit to 5.4 64bit [rhel-5.4.z] 5.5 - cciss backport some upstream bits to improve kexec/kdump [rhel-5.4.z] [RHEL5 Xen] EXPERIMENTAL EX/MC: Dom0 soft lockups on >64-way system from hard-virt patches [rhel-5.4.z] CVE-2010-0437 kernel: ipv6: fix ip6_dst_lookup_tail() NULL pointer dereference Please implement upstream fix for potential filesystem corruption bug [rhel-5.4.z] GFS2 Filesystem Withdrawal: fatal: invalid metadata block [rhel-5.4.z] 1916556 - GFS2 gfs2_delete_inode failing on RO filesystem [rhel-5.4.z] cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Mozilla Thunderbird is a standalone mail and newsgroup client. Several flaws were found in the processing of malformed HTML mail content. An HTML mail message containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2009-2462, CVE-2009-2463, CVE-2009-2466, CVE-2009-3072, CVE-2009-3075, CVE-2009-3380, CVE-2009-3979, CVE-2010-0159) A use-after-free flaw was found in Thunderbird. An attacker could use this flaw to crash Thunderbird or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2009-3077) A heap-based buffer overflow flaw was found in the Thunderbird string to floating point conversion routines. An HTML mail message containing malicious JavaScript could crash Thunderbird or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2009-0689) A use-after-free flaw was found in Thunderbird. Under low memory conditions, viewing an HTML mail message containing malicious content could result in Thunderbird executing arbitrary code with the privileges of the user running Thunderbird. (CVE-2009-1571) A flaw was found in the way Thunderbird created temporary file names for downloaded files. If a local attacker knows the name of a file Thunderbird is going to download, they can replace the contents of that file with arbitrary contents. (CVE-2009-3274) A flaw was found in the way Thunderbird displayed a right-to-left override character when downloading a file. In these cases, the name displayed in the title bar differed from the name displayed in the dialog body. An attacker could use this flaw to trick a user into downloading a file that has a file name or extension that is different from what the user expected. (CVE-2009-3376) A flaw was found in the way Thunderbird processed SOCKS5 proxy replies. A malicious SOCKS5 server could send a specially-crafted reply that would cause Thunderbird to crash. (CVE-2009-2470) Descriptions in the dialogs when adding and removing PKCS #11 modules were not informative. An attacker able to trick a user into installing a malicious PKCS #11 module could use this flaw to install their own Certificate Authority certificates on a user's machine, making it possible to trick the user into believing they are viewing trusted content or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2009-3076) All Thunderbird users should upgrade to this updated package, which resolves these issues. All running instances of Thunderbird must be restarted for the update to take effect. Moderate Copyright 2010 Red Hat, Inc. CVE-2009-0689 CVE-2009-1571 CVE-2009-2462 CVE-2009-2463 CVE-2009-2466 CVE-2009-2470 CVE-2009-3072 CVE-2009-3075 CVE-2009-3076 CVE-2009-3077 CVE-2009-3274 CVE-2009-3376 CVE-2009-3380 CVE-2009-3979 CVE-2010-0159 CVE-2010-0163 CVE-2010-0169 CVE-2010-0171 CVE-2009-2462 Mozilla Browser engine crashes CVE-2009-2463 Mozilla Base64 decoding crash CVE-2009-2466 Mozilla JavaScript engine crashes CVE-2009-2470 Mozilla data corruption with SOCKS5 reply CVE-2009-3072 Firefox 3.5.3 3.0.14 browser engine crashes CVE-2009-3075 Firefox 3.5.2 3.0.14 JavaScript engine crashes CVE-2009-3076 Firefox 3.0.14 Insufficient warning for PKCS11 module installation and removal CVE-2009-3077 Firefox 3.5.3 3.0.14 TreeColumns dangling pointer vulnerability CVE-2009-3274 Firefox: Predictable /tmp pathname use CVE-2009-0689 (rejected CVE-2009-1563) Firefox heap buffer overflow in string to number conversion CVE-2009-3376 Firefox download filename spoofing with RTL override CVE-2009-3380 Firefox crashes with evidence of memory corruption CVE-2009-3979 Mozilla crash with evidence of memory corruption CVE-2010-0159 Mozilla crashes with evidence of memory corruption (MFSA 2010-01) CVE-2009-1571 Mozilla incorrectly frees used memory (MFSA 2010-03) cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Mozilla Thunderbird is a standalone mail and newsgroup client. Several flaws were found in the processing of malformed HTML mail content. An HTML mail message containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2009-2462, CVE-2009-2463, CVE-2009-2466, CVE-2009-3072, CVE-2009-3075, CVE-2009-3380, CVE-2009-3979, CVE-2010-0159) A use-after-free flaw was found in Thunderbird. An attacker could use this flaw to crash Thunderbird or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2009-3077) A heap-based buffer overflow flaw was found in the Thunderbird string to floating point conversion routines. An HTML mail message containing malicious JavaScript could crash Thunderbird or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2009-0689) A use-after-free flaw was found in Thunderbird. Under low memory conditions, viewing an HTML mail message containing malicious content could result in Thunderbird executing arbitrary code with the privileges of the user running Thunderbird. (CVE-2009-1571) A flaw was found in the way Thunderbird created temporary file names for downloaded files. If a local attacker knows the name of a file Thunderbird is going to download, they can replace the contents of that file with arbitrary contents. (CVE-2009-3274) A flaw was found in the way Thunderbird displayed a right-to-left override character when downloading a file. In these cases, the name displayed in the title bar differed from the name displayed in the dialog body. An attacker could use this flaw to trick a user into downloading a file that has a file name or extension that is different from what the user expected. (CVE-2009-3376) A flaw was found in the way Thunderbird processed SOCKS5 proxy replies. A malicious SOCKS5 server could send a specially-crafted reply that would cause Thunderbird to crash. (CVE-2009-2470) Descriptions in the dialogs when adding and removing PKCS #11 modules were not informative. An attacker able to trick a user into installing a malicious PKCS #11 module could use this flaw to install their own Certificate Authority certificates on a user's machine, making it possible to trick the user into believing they are viewing trusted content or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2009-3076) All Thunderbird users should upgrade to this updated package, which resolves these issues. All running instances of Thunderbird must be restarted for the update to take effect. Moderate Copyright 2010 Red Hat, Inc. CVE-2009-0689 CVE-2009-1571 CVE-2009-2462 CVE-2009-2463 CVE-2009-2466 CVE-2009-2470 CVE-2009-3072 CVE-2009-3075 CVE-2009-3076 CVE-2009-3077 CVE-2009-3274 CVE-2009-3376 CVE-2009-3380 CVE-2009-3979 CVE-2010-0159 CVE-2010-0163 CVE-2010-0169 CVE-2010-0171 CVE-2009-2462 Mozilla Browser engine crashes CVE-2009-2463 Mozilla Base64 decoding crash CVE-2009-2466 Mozilla JavaScript engine crashes CVE-2009-2470 Mozilla data corruption with SOCKS5 reply CVE-2009-3072 Firefox 3.5.3 3.0.14 browser engine crashes CVE-2009-3075 Firefox 3.5.2 3.0.14 JavaScript engine crashes CVE-2009-3076 Firefox 3.0.14 Insufficient warning for PKCS11 module installation and removal CVE-2009-3077 Firefox 3.5.3 3.0.14 TreeColumns dangling pointer vulnerability CVE-2009-3274 Firefox: Predictable /tmp pathname use CVE-2009-0689 (rejected CVE-2009-1563) Firefox heap buffer overflow in string to number conversion CVE-2009-3376 Firefox download filename spoofing with RTL override CVE-2009-3380 Firefox crashes with evidence of memory corruption CVE-2009-3979 Mozilla crash with evidence of memory corruption CVE-2010-0159 Mozilla crashes with evidence of memory corruption (MFSA 2010-01) CVE-2009-1571 Mozilla incorrectly frees used memory (MFSA 2010-03) cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 The IBM 1.4.2 SR13-FP4 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocols handle session renegotiation. A man-in-the-middle attacker could use this flaw to prefix arbitrary plain text to a client's session (for example, an HTTPS connection to a website). This could force the server to process an attacker's request as if authenticated using the victim's credentials. (CVE-2009-3555) This update disables renegotiation in the non-default IBM JSSE2 provider for the Java Secure Socket Extension (JSSE) component. The default JSSE provider is not updated with this fix. Refer to the IBMJSSE2 Provider Reference Guide, linked to in the References, for instructions on how to configure the IBM Java 2 Runtime Environment to use the JSSE2 provider by default. When using the JSSE2 provider, unsafe renegotiation can be re-enabled using the com.ibm.jsse2.renegotiate property. Refer to the following Knowledgebase article for details: http://kbase.redhat.com/faq/docs/DOC-20491 This update also fixes the following bug: * the libjaasauth.so file was missing from the java-1.4.2-ibm packages for the Intel Itanium architecture (.ia64.rpm). This update adds the file to the packages for the Itanium architecture, which resolves this issue. (BZ#572577) All users of java-1.4.2-ibm are advised to upgrade to these updated packages, which contain the IBM 1.4.2 SR13-FP4 Java release. All running instances of IBM Java must be restarted for this update to take effect. Moderate Copyright 2010 Red Hat, Inc. CVE-2009-3555 CVE-2009-3555 TLS: MITM attacks via session renegotiation cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 5 OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. It was discovered that OpenSSL did not always check the return value of the bn_wexpand() function. An attacker able to trigger a memory allocation failure in that function could cause an application using the OpenSSL library to crash or, possibly, execute arbitrary code. (CVE-2009-3245) A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocols handled session renegotiation. A man-in-the-middle attacker could use this flaw to prefix arbitrary plain text to a client's session (for example, an HTTPS connection to a website). This could force the server to process an attacker's request as if authenticated using the victim's credentials. This update addresses this flaw by implementing the TLS Renegotiation Indication Extension, as defined in RFC 5746. (CVE-2009-3555) Refer to the following Knowledgebase article for additional details about the CVE-2009-3555 flaw: http://kbase.redhat.com/faq/docs/DOC-20491 A missing return value check flaw was discovered in OpenSSL, that could possibly cause OpenSSL to call a Kerberos library function with invalid arguments, resulting in a NULL pointer dereference crash in the MIT Kerberos library. In certain configurations, a remote attacker could use this flaw to crash a TLS/SSL server using OpenSSL by requesting Kerberos cipher suites during the TLS handshake. (CVE-2010-0433) All OpenSSL users should upgrade to these updated packages, which contain backported patches to resolve these issues. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted. Important Copyright 2010 Red Hat, Inc. CVE-2009-3245 CVE-2009-3555 CVE-2010-0433 CVE-2009-3555 TLS: MITM attacks via session renegotiation Nessus PCI scan segfaults openssl dependent products due to kerberos enabled in openssl CVE-2010-0433 openssl: crash caused by a missing krb5_sname_to_principal() return value check CVE-2009-3245 openssl: missing bn_wexpand return value checks cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocols handled session renegotiation. A man-in-the-middle attacker could use this flaw to prefix arbitrary plain text to a client's session (for example, an HTTPS connection to a website). This could force the server to process an attacker's request as if authenticated using the victim's credentials. This update addresses this flaw by implementing the TLS Renegotiation Indication Extension, as defined in RFC 5746. (CVE-2009-3555) Refer to the following Knowledgebase article for additional details about the CVE-2009-3555 flaw: http://kbase.redhat.com/faq/docs/DOC-20491 Dan Kaminsky found that browsers could accept certificates with MD2 hash signatures, even though MD2 is no longer considered a cryptographically strong algorithm. This could make it easier for an attacker to create a malicious certificate that would be treated as trusted by a browser. OpenSSL now disables the use of the MD2 algorithm inside signatures by default. (CVE-2009-2409) An input validation flaw was found in the handling of the BMPString and UniversalString ASN1 string types in OpenSSL's ASN1_STRING_print_ex() function. An attacker could use this flaw to create a specially-crafted X.509 certificate that could cause applications using the affected function to crash when printing certificate contents. (CVE-2009-0590) Note: The affected function is rarely used. No application shipped with Red Hat Enterprise Linux calls this function, for example. All OpenSSL users should upgrade to these updated packages, which contain backported patches to resolve these issues. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted. Moderate Copyright 2010 Red Hat, Inc. CVE-2009-0590 CVE-2009-2409 CVE-2009-3555 CVE-2009-0590 openssl: ASN1 printing crash CVE-2009-2409 deprecate MD2 in SSL cert validation (Kaminsky) CVE-2009-3555 TLS: MITM attacks via session renegotiation cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocols handled session renegotiation. A man-in-the-middle attacker could use this flaw to prefix arbitrary plain text to a client's session (for example, an HTTPS connection to a website). This could force the server to process an attacker's request as if authenticated using the victim's credentials. This update addresses this flaw by implementing the TLS Renegotiation Indication Extension, as defined in RFC 5746. (CVE-2009-3555) Refer to the following Knowledgebase article for additional details about this flaw: http://kbase.redhat.com/faq/docs/DOC-20491 All openssl097a users should upgrade to these updated packages, which contain a backported patch to resolve this issue. For the update to take effect, all services linked to the openssl097a library must be restarted, or the system rebooted. Moderate Copyright 2010 Red Hat, Inc. CVE-2009-3555 CVE-2009-3555 TLS: MITM attacks via session renegotiation cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Applications built with NSS can support SSLv2, SSLv3, TLS, and other security standards. Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities. These facilities include threads, thread synchronization, normal file and network I/O, interval timing, calendar time, basic memory management (malloc and free), and shared library linking. A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocols handled session renegotiation. A man-in-the-middle attacker could use this flaw to prefix arbitrary plain text to a client's session (for example, an HTTPS connection to a website). This could force the server to process an attacker's request as if authenticated using the victim's credentials. This update addresses this flaw by implementing the TLS Renegotiation Indication Extension, as defined in RFC 5746. (CVE-2009-3555) Refer to the following Knowledgebase article for additional details about this flaw: http://kbase.redhat.com/faq/docs/DOC-20491 Users of Red Hat Certificate System 7.3 and 8.0 should review the following Knowledgebase article before installing this update: http://kbase.redhat.com/faq/docs/DOC-28439 All users of NSS are advised to upgrade to these updated packages, which update NSS to version 3.12.6. This erratum also updates the NSPR packages to the version required by NSS 3.12.6. All running applications using the NSS library must be restarted for this update to take effect. Moderate Copyright 2010 Red Hat, Inc. CVE-2009-3555 CVE-2009-3555 TLS: MITM attacks via session renegotiation cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The GnuTLS library provides support for cryptographic algorithms and for protocols such as Transport Layer Security (TLS). A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocols handled session renegotiation. A man-in-the-middle attacker could use this flaw to prefix arbitrary plain text to a client's session (for example, an HTTPS connection to a website). This could force the server to process an attacker's request as if authenticated using the victim's credentials. This update addresses this flaw by implementing the TLS Renegotiation Indication Extension, as defined in RFC 5746. (CVE-2009-3555) Refer to the following Knowledgebase article for additional details about the CVE-2009-3555 flaw: http://kbase.redhat.com/faq/docs/DOC-20491 Dan Kaminsky found that browsers could accept certificates with MD2 hash signatures, even though MD2 is no longer considered a cryptographically strong algorithm. This could make it easier for an attacker to create a malicious certificate that would be treated as trusted by a browser. GnuTLS now disables the use of the MD2 algorithm inside signatures by default. (CVE-2009-2409) Users of GnuTLS are advised to upgrade to these updated packages, which contain backported patches to correct these issues. For the update to take effect, all applications linked to the GnuTLS library must be restarted, or the system rebooted. Moderate Copyright 2010 Red Hat, Inc. CVE-2009-2409 CVE-2009-3555 CVE-2009-2409 deprecate MD2 in SSL cert validation (Kaminsky) CVE-2009-3555 TLS: MITM attacks via session renegotiation cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The GnuTLS library provides support for cryptographic algorithms and for protocols such as Transport Layer Security (TLS). A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocols handled session renegotiation. A man-in-the-middle attacker could use this flaw to prefix arbitrary plain text to a client's session (for example, an HTTPS connection to a website). This could force the server to process an attacker's request as if authenticated using the victim's credentials. This update addresses this flaw by implementing the TLS Renegotiation Indication Extension, as defined in RFC 5746. (CVE-2009-3555) Refer to the following Knowledgebase article for additional details about the CVE-2009-3555 flaw: http://kbase.redhat.com/faq/docs/DOC-20491 A flaw was found in the way GnuTLS extracted serial numbers from X.509 certificates. On 64-bit big endian platforms, this flaw could cause the certificate revocation list (CRL) check to be bypassed; cause various GnuTLS utilities to crash; or, possibly, execute arbitrary code. (CVE-2010-0731) Users of GnuTLS are advised to upgrade to these updated packages, which contain backported patches to correct these issues. For the update to take effect, all applications linked to the GnuTLS library must be restarted, or the system rebooted. Moderate Copyright 2010 Red Hat, Inc. CVE-2009-3555 CVE-2010-0731 CVE-2009-3555 TLS: MITM attacks via session renegotiation CVE-2010-0731 gnutls: gnutls_x509_crt_get_serial incorrect serial decoding from ASN1 (BE64) [GNUTLS-SA-2010-1] cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The Apache HTTP Server is a popular web server. It was discovered that mod_proxy_ajp incorrectly returned an "Internal Server Error" response when processing certain malformed requests, which caused the back-end server to be marked as failed in configurations where mod_proxy is used in load balancer mode. A remote attacker could cause mod_proxy to not send requests to back-end AJP (Apache JServ Protocol) servers for the retry timeout period (60 seconds by default) by sending specially-crafted requests. (CVE-2010-0408) A use-after-free flaw was discovered in the way the Apache HTTP Server handled request headers in subrequests. In configurations where subrequests are used, a multithreaded MPM (Multi-Processing Module) could possibly leak information from other requests in request replies. (CVE-2010-0434) This update also adds the following enhancement: * with the updated openssl packages from RHSA-2010:0162 installed, mod_ssl will refuse to renegotiate a TLS/SSL connection with an unpatched client that does not support RFC 5746. This update adds the "SSLInsecureRenegotiation" configuration directive. If this directive is enabled, mod_ssl will renegotiate insecurely with unpatched clients. (BZ#567980) Refer to the following Red Hat Knowledgebase article for more details about the changed mod_ssl behavior: http://kbase.redhat.com/faq/docs/DOC-20491 All httpd users should upgrade to these updated packages, which contain backported patches to correct these issues and add this enhancement. After installing the updated packages, the httpd daemon must be restarted for the update to take effect. Moderate Copyright 2010 Red Hat, Inc. CVE-2010-0408 CVE-2010-0434 [RFE] mod_ssl: Add SSLInsecureRenegotiation directive [rhel-5] CVE-2010-0408 httpd: mod_proxy_ajp remote temporary DoS CVE-2010-0434 httpd: request header information leak cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. It was discovered that OpenSSL did not always check the return value of the bn_wexpand() function. An attacker able to trigger a memory allocation failure in that function could cause an application using the OpenSSL library to crash or, possibly, execute arbitrary code. (CVE-2009-3245) All openssl096b users should upgrade to these updated packages, which contain a backported patch to resolve this issue. For the update to take effect, all programs using the openssl096b library must be restarted. Important Copyright 2010 Red Hat, Inc. CVE-2009-3245 CVE-2009-3245 openssl: missing bn_wexpand return value checks cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The Apache HTTP Server is a popular web server. A use-after-free flaw was discovered in the way the Apache HTTP Server handled request headers in subrequests. In configurations where subrequests are used, a multithreaded MPM (Multi-Processing Module) could possibly leak information from other requests in request replies. (CVE-2010-0434) This update also fixes the following bug: * a bug was found in the mod_dav module. If a PUT request for an existing file failed, that file would be unexpectedly deleted and a "Could not get next bucket brigade" error logged. With this update, failed PUT requests no longer cause mod_dav to delete files, which resolves this issue. (BZ#572932) As well, this update adds the following enhancement: * with the updated openssl packages from RHSA-2010:0163 installed, mod_ssl will refuse to renegotiate a TLS/SSL connection with an unpatched client that does not support RFC 5746. This update adds the "SSLInsecureRenegotiation" configuration directive. If this directive is enabled, mod_ssl will renegotiate insecurely with unpatched clients. (BZ#575805) Refer to the following Red Hat Knowledgebase article for more details about the changed mod_ssl behavior: http://kbase.redhat.com/faq/docs/DOC-20491 All httpd users should upgrade to these updated packages, which contain backported patches to correct these issues and add this enhancement. After installing the updated packages, the httpd daemon must be restarted for the update to take effect. Low Copyright 2010 Red Hat, Inc. CVE-2010-0434 CVE-2010-0434 httpd: request header information leak "could not get next bucket brigade" while a client is doing a PUT results in data loss mod_ssl: Add SSLInsecureRenegotiation directive [rhel-4] cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues: * a race condition was found in the mac80211 implementation, a framework used for writing drivers for wireless devices. An attacker could trigger this flaw by sending a Delete Block ACK (DELBA) packet to a target system, resulting in a remote denial of service. Note: This issue only affected users on 802.11n networks, and that also use the iwlagn driver with Intel wireless hardware. (CVE-2009-4027, Important) * a flaw was found in the gfs2_lock() implementation. The GFS2 locking code could skip the lock operation for files that have the S_ISGID bit (set-group-ID on execution) in their mode set. A local, unprivileged user on a system that has a GFS2 file system mounted could use this flaw to cause a kernel panic. (CVE-2010-0727, Moderate) * a divide-by-zero flaw was found in the ext4 file system code. A local attacker could use this flaw to cause a denial of service by mounting a specially-crafted ext4 file system. (CVE-2009-4307, Low) These updated packages also include several hundred bug fixes for and enhancements to the Linux kernel. Space precludes documenting each of these changes in this advisory and users are directed to the Red Hat Enterprise Linux 5.5 Release Notes for information on the most significant of these changes: http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.5/html/Release_Notes/ Also, for details concerning every bug fixed in and every enhancement added to the kernel for this release, refer to the kernel chapter in the Red Hat Enterprise Linux 5.5 Technical Notes: http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.5/html/Technical_Notes/kernel.html All Red Hat Enterprise Linux 5 users are advised to install these updated packages, which address these vulnerabilities as well as fixing the bugs and adding the enhancements noted in the Red Hat Enterprise Linux 5.5 Release Notes and Technical Notes. The system must be rebooted for this update to take effect. Important Copyright 2010 Red Hat, Inc. CVE-2009-4027 CVE-2009-4307 CVE-2010-0727 CVE-2010-1188 w83627ehf sensor not supported by 2.6.18-8.1.8.el5 kernel /proc/self/smaps unreadable after setuid dump and large file ops are slow, please implement kernel workaround IT87 hwmon module does not support later chipset revisions. 50-75 % drop in cfq read performance compared to rhel 4.6+ RFE: Symbol pci_domain_nr needs to be added the whitelist for ppc64 memory mapped files not updating timestamps Read speed of /sbin/dump command is critically slow with CFQ I/O scheduler [PATCH]RHEL5:fix dio write returning EIO due to bh race VLAN driver logs excessive messages in kernel message log (dmesg) kernel BUG at mm/mempool.c:121! caused by lvcreate pygrub uses cached and eventually outdated grub.conf, kernel and initrd The EDAC driver not support The Intel 3200 and 3210 Chipsets [5.3] Kdump Kernel Hangs on Dell AMD Machines [FUJITSU 5.5] More tracepoints support - networking use KVM pvclock code to detect/correct lost ticks Backport partition table sanity checks to RHEL5 GFS2: After gfs2_grow, new size is not seen immediately bridge: Fix LRO crash with tun (tun_chr_read()) HP6510b close lid cause system crash Inconsistent behaviour in stripping SUID/SGID flags when chmod/chgrp directories httpd Sendfile troubles reading from a CIFS share kernel: Unable to write to file as non-root user with setuid and setgid bit set ifdown bond0 causes a deadlock Adding bonding in balance-alb mode to bridge causes host network connectivity to be lost (direct_io) __blockdev_direct_IO calls kzalloc for dio struct causes OLTP performance regression when booted with P-state limit, limit can never be increased AVC denied 0x100000 for a directory with eCryptFS and Apache NFS umount deadlock in rpciod with rpc_shutdown_client() ip_vs module (LVS) routes demasqueraded packets out wrong interface on multihomed directors get_partstats() returns NULL and causes panic XEN NMI detection fails on Dell 1950 server deadlock with NFSv4 reclaimer thread reconnecting socket GFS2 ">>" will not update ctime,mtime after appending to the file [Patch] jbd slab cache creation/deletion is racey definition of file-nr differs from sysctl/fs.txt to filesystems/proc.txt The tmpfs filesystem goes on readonly mode. I/O scheduler setting via elevator kernel option not picked up by Xen guest blktrace stops working after a trace-file-directory replacement don't OOM kill task during fresh huge page allocation RHEL5 cmirror tracker: multiple device failure of fully synced cmirror causes corruption GFS2 - probably lost glock call back CRM 1908390 - BUG: warning at fs/inotify.c:181/set_dentry_child_flags() [RHEL5] undefined reference to `__udivdi3' kernel leaves initrd in vmalloc space A bond's preferred primary setting is lost after bringing down and up of the primary slave. Please update mlx4_en driver for performance improvements and bug fixes NFS: problems with virtual IP and locking CIFS update for RHEL5.5 Need to display the current settings of the options bits in st driver. soft lockups with software RAID6 create and re-sync' rtl8139 doesn't work with bonding in alb mode GFS2: smbd proccess hangs with flock() call. cat stop responding after 1st cat and CTRL+C interrupt. OOPS in "inet_select_addr" on ICMP when "icmp_errors_use_inbound_ifaddr" is turned on [RHEL-5 Xen]: F-11 Xen 64-bit domU cannot be started with > 2047MB of memory dm-raid1 can return write request as finished and later revert the data Snapshot creation in VG with 1k extent size can fail GFS2: genesis stuck writing to unlinked file ahci: add device ID for 82801JI sata controller Implement blkdev_releasepage() to release the buffer_heads and pages after we release private data belonging to a mounted filesystem. Serial ports don't function on 4838-310 without pnpacpi=off boot option timeout with physical cdrom on a PV guest Cannot increase open file limit greater then 1024 * 1024 (1048576) Bug in lockd prevents a locks being freed. kernel: fd leak if pipe() is called with an invalid address [rhel-5.4] getdents() reports /proc/1/task/1/ as DT_UNKNOWN. Host panic when try to run kvm guest on a host which restored from suspend. [RHEL5.3] Even if a process have received data but schedule() in select() cannot return RHEL 5.4 Beta fails to activate sw raid devices, unable to install to sw raid Segfault/Infinite loop in TLS double access allow more flexibility for read_ahead_kb store BUG: warning at kernel/softirq.c:138/local_bh_enable() (Tainted: G ) CPU hotplug notifiers for KVM (for suspend and cpu hotplug support) cxgb3 driver fixes [NetApp 5.5 bug] nfs_readdir() may fail to return all the files in the directory cpuspeed behave strangely after suspend/resume on intel machine hp-dl580g5-01.rhts.bos.redhat.com /proc/self/exe reports wrong path after fstat on NFSv4 ExpressCards should be detected and useful [LTC 5.5 FEAT] AF_IUCV SOCK_SEQPACKET support [201885] [LTC 5.5 FEAT] Support ACPI S3/S4 Sleeping States [201941] [LTC 5.5 FEAT] Update ibmvscsi driver with upstream multipath enhancements [201916] Server should return NFS4ERR_ATTRNOTSUPP if attribute 'ACL' is not supported Can't write to XFS mount during raid5 resync [RHEL5.4 Snapshot1] File write performance degradation in RHEL5.4 Snapshot1 compared to RHEL5.3 GA system fails to go into s4 cifs: panic when mounting DFS referral with hostname that can't be resolved ifdown on nVidia CK804 (rev f3) NIC doesn't work Out of SW-IOMMU space: External hard disk inaccessible mlx4_core fails to load on systems with32 cores TCP traffic for VLAN interfaces fails over mlx4_en parent interface. e100: return PCI_ERS_RESULT_DISCONNECT on permanent failure igb: return PCI_ERS_RESULT_DISCONNECT on permanent failure r8169 stopping all activity until the link is reset nfsv4-server return NFS4ERR_BAD_STATEID, but return NFS4ERR_EXPIRED when it has invalid stateID scsi_transport_fc: fc_user_scan can loop forever, needs mutex with rport list changes CIFS multiuser mount fails to locate smbid [Broadcom 5.5 feat] Update tg3 and add support for 5717/5718 and 57765 asic revs [PATCH RHEL5.5] :NFS Handle putpubfh operation correctly. Code under CONFIG_X86_VSMP incorrect after an incorrect patch pull from upstream ENOSPC during fsstress leads to filesystem corruption on ext2, ext3, and ext4 [Broadcom 5.5 FEAT] Update bnx2x to 1.52.1-5 kdump corefile cannot be backtraced in IA64 [Emulex 5.5 feat] Three scsi_nl APIs should be added to kabi_whitelist FEAT RHEL5.5: Make MegaRAID SAS driver legacy I/O port free [NetApp 5.5 bug] Emulex FC ports on RHEL 5.4 GA offlined during target controller faults Kernel netlink neighbor updates not sent to multicast group (RTMGRP_NEIGH) [QLogic 5.5 feat] netxen - P3 updates [Promise 5.5 feat] Update stex driver to version 4.6.0102.4 [Broadcom 5.5 FEAT] Update bnx2 to 2.0.2 [Broadcom 5.5 FEAT] Update bnx2i and cnic drivers Add Support for Huawei EC1260 to the RHEL5 kernel SCTP Messages out of order [QLogic 5.5 bug] qlge - fix hangs and read perfromance [QLogic 5.5 bug] qla2xxx - allow use of MSI when MSI-X disabled. bare-metal and xen: /proc/cpuinfo does not list all CPU flags presented by CPU VTD IOMMU 1:1 mapping performance and bug fixes [RFE] GFS2: New mount option: -o errors=withdraw|panic Add kernel (scsi_dh_rdac) support for Sun 6540 storage arrays. GFS2 Filesystem Withdrawal: fatal: invalid metadata block Update for HighPoint RocketRAID hptiop driver in RHEL 5.5 kernel [Cisco 5.5 FEAT] Include/Update support for enic version 1.1.0.100 [Cisco 5.5 FEAT] Update fnic to version x.y.z statfs on NFS partition always returns 0 nfsnobody == 4294967294 causes idmapd to stop responding [QLogic 5.5 bug] qla2xxx - updates and fixes from upstream or testing. [QLogic 5.5 bug] qlge - updates and fixes from upstream or testing. pvclock return bogus wallclock values kernel panics from list corruption when using a tape drive connected through cciss adapter kernel: ipv4: make ip_append_data() handle NULL routing table [rhel-5.5] glibc should call pselect() and ppoll() on ia64 kernel [RHEL5.4 RC2] KMP for xen kernel cannot be applied Cluster hangs after node rejoins from simulated network outage Update arcmsr driver vlan with sky2 is not possible anymore with kernel-xen 2.6.18-164 Xen fails to boot on ia64 with > 128GB memory bnx2x: increase coalescing granularity to 4us instead of 12us [LTC 5.5 FEAT] Provide balloon driver for KVM guests [202025] thinkpad_acpi: CMOS NVRAM (7) and EC (5) do not agree on display brightness level Nehalem Turbo Boost "ida" flag not present in Xen kernel's /proc/cpuinfo output sound no longer works after upgrade to RHEL 5.4 cpu1 didn't come online in a kvm i686 guest [RFE] Add qcserial module to RHEL 5 kernel kernel: ipt_recent: sanity check hit count [rhel-5.5] Boot hang when installing HVM DomU LVS master and backup director - Synchronised connections on backup director have unsuitable timeout value [LSI 5.5 feat] update rdac scsi device handler to upstream Lost the network in a KVM VM on top of 5.4 kvm_clock patches are slowing guests' shutdown to unusable levels cannot compile kernel with CONFIG_ACPI_DEBUG=y resize2fs online resize hangs FEAT: RHEL 5.5 - update ALSA HDA audio driver from upstream Xen panic in msi_msg_read_remap_rte with acpi=off Implement smp_call_function_[single|many] in x86_64 and i386 rw_semaphore bug [Cisco 5.5 feat] libfc bug fixes and improvements bnx2: panic in bnx2_poll_work() kernel: BUG: soft lockup with dcache_lock xset b as well as setterm -bfreq set beep to wrong pitch with CONFIG_HDA_INPUT_BEEP system crashes in audit_update_watch() NFSv4 reclaimer thread in an infinite loop igb driver does not work with kexec pci_dev->is_enabled is not set in RHEL5.4 /proc/net/dev sometimes contains bogus values (BCM5706) ext4: tech preview refresh skip inodes without pages to free in drop_pagecache_sb() scsi: export symbol scsilun_to_int Update to 2.6.18-164.el5PAE causes working CIFS mount to fail GFS2: Enhance statfs and quota usability dlm_recv deadlock under memory pressure while processing GFP_KERNEL locks. NFS: stale nfs_fattr passed to nfs_readdir_lookup() Timedrift on VM with pv_clock enabled, causing system hangs and sporadic time behaviour [scsi] Fix inconsistent usage of max_lun threads on pthread_mutex_lock wake in fifo order, but posix specifies by priority [QLogic 5.5 bug] qla2xxx - enable MSI-X and correct/cleanup irq request code ipoib: null tx/rx_ring skb pointers on free dprintk macro in NFS code doesn't work in some files [Cisco 5.5 feat] Need scsi and libfc symbols to be added to whitelist_file xen server crashes when used with network bonding modes 5 or 6 kernel: sysctl: require CAP_SYS_RAWIO to set mmap_min_addr [rhel-5.5] Updates for mlx4 drivers [LSI 5.5 feat] make scsi_dh_activate asynchronous to address the slower lun failovers with large number of luns Kernel panic when using GRO through ixgbe driver and xen bridge PCI AER code introduced a compile problem in powerpc gfs2 rename rgrp lock issue glock_workqueue -- glock ref count via gfs2_glock_hold Call trace error display when resume from suspend to disk (ide block) - pvclock related [RHEL5 Xen]: PV guest crash on poweroff CVE-2009-4026 CVE-2009-4027 kernel: mac80211: fix spurious delBA handling Possible access to invalid memory [RHEL5]: A new xenfb thread is created on every save/restore kernel panic when doing cpu offline/online frequently on hp-dl785g5-01.rhts.eng.bos.redhat.com kernel: sleeping vfs_check_frozen in called in atomic context from do_wp_page [rhel-5.5] recursive lock of devlist_mtx [QLogic 5.5 feat] netxen P3 - updates from 2.6.32 [QLogic 5.5 bug] qla2xxx - further testing updates for 5.5 [QLogic 5.5 bug] qla2xxx - testing updates #3 Fix deadlock in multipath when removing a device Lock snapshot while reporting status PTRACE_KILL hangs in 100% cpu loop RHEL5: fallocate on XFS returns incorrect value on ENOSPC cifs: possible NULL pointer dereference in mount-time DFS referral chasing code Strange vm performance degradation moving 32 bit app from RHEL 4.6 32bit to 5.4 64bit possible null pointer dereference in ieee80211_change_iface [Broadcom 5.5 feat] Add support for 57765 asic revs Please implement upstream fix for potential filesystem corruption bug rtl8180 shows 0% signal strength while connected wireless: report reasonable bitrate for MCS rates through wext bnx2: panic in bnx2_free_tx_skbs() because of wrong frags index RFE: Add debug to bonding driver as module option CVE-2009-4307 kernel: ext4: avoid divide by zero when trying to mount a corrupted file system PCI AER: HEST FIRMWARE FIRST support [SR-IOV] VF can not be enabled in Dom0 [RHEL5.4][REGRESSION] iptables --reject-with tcp-reset doesn't work aio: eventfd support introduced a 0.5% performance regression I/O errors while accessing loop devices or file-based Xen images from GFS volume after Update from RHEL 5.3 to 5.4 [Emulex 5.5 bug] Multiple bug fixes for be2net Cannot run NVIDIA display driver on 32-bit RHEL 5.3 or 5.4 audit rule with directory auditing crashes the kernel [Emulex 5.5 bug] Update lpfc driver to 8.2.0.63 FC/FCoE khungtaskd not stopped during suspend [Cisco 5.5 bug] Update enic driver to version 1.1.0.241a ipmi_watchdog deadlock [RHEL5 Xen]: Cpu frequency scaling is broken on Intel GFS2: fatal: filesystem consistency error in gfs2_ri_update filesystem mounted with ecryptfs_xattr option could not be written Lost the network in a KVM VM on top of 5.4 [Emulex 5.5 bug] Update be2iscsi driver for bugfixes dm-raid1: dmsetup stuck at suspending failed mirror device dm-raid1: kernel panic when bio on recovery failed region is released [Emulex 5.5 bug] Update lpfc driver to 8.2.0.63.1p FC/FCoE kvm pvclock on i386 suffers from double registering [5.4] VLAN performance issue with 10gbE Mellanox NICs inserting w83627hf kernel module results in panic [Emulex 5.5 bug] Update lpfc driver to 8.2.0.63.2p FC/FCoE e1000e: wol is broken on 2.6.18-185.el5 e1000 & e1000e: Memory corruption/paging error when tx hang occurs [sky2] initial carrier state is always on posix_fadvise() handles its arguments incorrectly in 32-bit compat mode. Add wireless fixes from 2.6.32.y tree kernel panic during modprobe smsc47m1 igb: fix warning in drivers/net/igb/igb_ethtool.c:2090 [Emulex 5.5 bug] be2net bug fixes for be3 hardware from Alpha testing [Broadcom 5.5 feat] Update bnx2 firmware WARNING: APIC timer calibration may be wrong late breaking CIFS patches for RHEL5.5 [Emulex 5.5 bug] Fix scsi eh callouts and add support for new chip to be2iscsi driver f71805f hwmon driver passes '&sio_data' to platform_device_add_data() [Emulex 5.5 bug] Update lpfc driver to 8.2.0.63.3p FC/FCoE "dmraid -ay" panics kernel [Cisco 5.5 bug] Update fnic to 1.4.0.98 to fix FIP crash/hang issues [Broadcom 5.5 bug] tg3: 5717 and 57765 asic revs can panic under load [Broadcom 5.5 bug] tg3: Race condition - performance / panic with 57765 devices [Broadcom 5.5 bug] tg3: 57765 LED does not work correctly GFS2: Use correct GFP for alloc page on write iwl5000/5300 fail to transmit data on N-only netwrok [Emulex 5.5 bug] be2net bug fixes for be3 hardware from Alpha testing network does not work with rhel 5.5 snap1 x64 server, xen kernel, and r8169 driver ixgbe: stop unmapping DMA buffers too early GFS2 - fiemap - Kernel BUG at fs/gfs2/bmap.c:433 [rhel-5.5] Disk performance regression in CFQ CVE-2010-0727 kernel: bug in GFS/GFS2 locking code leads to dos Iozone Outcache testing has a greater than 5 % performance regression on reads [5.4] VLAN performance issue with 10gbE Mellanox NICs cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 brltty (Braille TTY) is a background process (daemon) which provides access to the Linux console (when in text mode) for a blind person using a refreshable braille display. It drives the braille display, and provides complete screen review functionality. It was discovered that a brltty library had an insecure relative RPATH (runtime library search path) set in the ELF (Executable and Linking Format) header. A local user able to convince another user to run an application using brltty in an attacker-controlled directory, could run arbitrary code with the privileges of the victim. (CVE-2008-3279) These updated packages also provide fixes for the following bugs: * the brltty configuration file is documented in the brltty manual page, but there is no separate manual page for the /etc/brltty.conf configuration file: running "man brltty.conf" returned "No manual entry for brltty.conf" rather than opening the brltty manual entry. This update adds brltty.conf.5 as an alias to the brltty manual page. Consequently, running "man brltty.conf" now opens the manual entry documenting the brltty.conf specification. (BZ#530554) * previously, the brltty-pm.conf configuration file was installed in the /etc/brltty/ directory. This file, which configures Papenmeier Braille Terminals for use with Red Hat Enterprise Linux, is optional. As well, it did not come with a corresponding manual page. With this update, the file has been moved to /usr/share/doc/brltty-3.7.2/BrailleDrivers/Papenmeier/. This directory also includes a README document that explains the file's purpose and format. (BZ#530554) * during the brltty packages installation, the message Creating screen inspection device /dev/vcsa...done. was presented at the console. This was inadequate, especially during the initial install of the system. These updated packages do not send any message to the console during installation. (BZ#529163) * although brltty contains ELF objects, the brltty-debuginfo package was empty. With this update, the -debuginfo package contains valid debugging information as expected. (BZ#500545) * the MAX_NR_CONSOLES definition was acquired by brltty by #including linux/tty.h in Programs/api_client.c. MAX_NR_CONSOLES has since moved to linux/vt.h but the #include in api_client.c was not updated. Consequently, brltty could not be built from the source RPM against the Red Hat Enterprise Linux 5 kernel. This update corrects the #include in api_client.c to linux/vt.h and brltty now builds from source as expected. (BZ#456247) All brltty users are advised to upgrade to these updated packages, which resolve these issues. Low Copyright 2010 Red Hat, Inc. CVE-2008-3279 brltty doesn't build with kernel 2.6.18-92.1.1 CVE-2008-3279 brltty: insecure relative RPATH brltty-debuginfo is empty Creating screen inspection device /dev/vcsa...done. Missing man-pages cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 OpenLDAP is an open source suite of LDAP (Lightweight Directory Access Protocol) applications and development tools. A flaw was found in the way OpenLDAP handled NUL characters in the CommonName field of X.509 certificates. An attacker able to get a carefully-crafted certificate signed by a trusted Certificate Authority could trick applications using OpenLDAP libraries into accepting it by mistake, allowing the attacker to perform a man-in-the-middle attack. (CVE-2009-3767) This update also fixes the following bugs: * the ldap init script did not provide a way to alter system limits for the slapd daemon. A variable is now available in "/etc/sysconfig/ldap" for this option. (BZ#527313) * applications that use the OpenLDAP libraries to contact a Microsoft Active Directory server could crash when a large number of network interfaces existed. This update implements locks in the OpenLDAP library code to resolve this issue. (BZ#510522) * when slapd was configured to allow client certificates, approximately 90% of connections froze because of a large CA certificate file and slapd not checking the success of the SSL handshake. (BZ#509230) * the OpenLDAP server would freeze for unknown reasons under high load. These packages add support for accepting incoming connections by new threads, resolving the issue. (BZ#507276) * the compat-openldap libraries did not list dependencies on other libraries, causing programs that did not specifically specify the libraries to fail. Detection of the Application Binary Interface (ABI) in use on 64-bit systems has been added with this update. (BZ#503734) * the OpenLDAP libraries caused applications to crash due to an unprocessed network timeout. A timeval of -1 is now passed when NULL is passed to LDAP. (BZ#495701) * slapd could crash on a server under heavy load when using rwm overlay, caused by freeing non-allocated memory during operation cleanup. (BZ#495628) * the ldap init script made a temporary script in "/tmp/" and attempted to execute it. Problems arose when "/tmp/" was mounted with the noexec option. The temporary script is no longer created. (BZ#483356) * the ldap init script always started slapd listening on ldap:/// even if instructed to listen only on ldaps:///. By correcting the init script, a user can now select which ports slapd should listen on. (BZ#481003) * the slapd manual page did not mention the supported options -V and -o. (BZ#468206) * slapd.conf had a commented-out option to load the syncprov.la module. Once un-commented, slapd crashed at start-up because the module had already been statically linked to OpenLDAP. This update removes "moduleload syncprov.la" from slapd.conf, which resolves this issue. (BZ#466937) * the migrate_automount.pl script produced output that was unsupported by autofs. This is corrected by updating the output LDIF format for automount records. (BZ#460331) * the ldap init script uses the TERM signal followed by the KILL signal when shutting down slapd. Minimal delay between the two signals could cause the LDAP database to become corrupted if it had not finished saving its state. A delay between the signals has been added via the "STOP_DELAY" option in "/etc/sysconfig/ldap". (BZ#452064) * the migrate_passwd.pl migration script had a problem when number fields contained only a zero. Such fields were considered to be empty, leading to the attribute not being set in the LDIF output. The condition in dump_shadow_attributes has been corrected to allow for the attributes to contain only a zero. (BZ#113857) * the migrate_base.pl migration script did not handle third level domains correctly, creating a second level domain that could not be held by a database with a three level base. This is now allowed by modifying the migrate_base.pl script to generate only one domain. (BZ#104585) Users of OpenLDAP should upgrade to these updated packages, which resolve these issues. Moderate Copyright 2010 Red Hat, Inc. CVE-2009-3767 migrate_base.pl broken with dc=X,dc=Y,dc=Z configuration migrate_passwd.pl problems with '0' fields openldap-server's migrate_automount.pl produces obsolete output moduleload syncprov.la not found slapd and slapcat : man pages details Wrong init script : slapd always starts with option "ldap:///" /etc/init.d/ldap script assumes files in /tmp can be executed LDAP queries fail entirely on a (temporarily) slow server 64bit shared libs in compat-openldap do not link to other libs ldaps fails if TLSVerifyClient=allow unless slapd is run with -d2 LDAP causes crashes when attempting to authenticate with Active Directory CVE-2009-3767 OpenLDAP: Doesn't properly handle NULL character in subject Common Name openldap cannot start when kerberos is enable, found by PES openldap init script does not handle listen uris properly cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects. A flaw was found in the way Squid processed certain external ACL helper HTTP header fields that contained a delimiter that was not a comma. A remote attacker could issue a crafted request to the Squid server, causing excessive CPU use (up to 100%). (CVE-2009-2855) Note: The CVE-2009-2855 issue only affected non-default configurations that use an external ACL helper script. A flaw was found in the way Squid handled truncated DNS replies. A remote attacker able to send specially-crafted UDP packets to Squid's DNS client port could trigger an assertion failure in Squid's child process, causing that child process to exit. (CVE-2010-0308) This update also fixes the following bugs: * Squid's init script returns a non-zero value when trying to stop a stopped service. This is not LSB compliant and can generate difficulties in cluster environments. This update makes stopping LSB compliant. (BZ#521926) * Squid is not currently built to support MAC address filtering in ACLs. This update includes support for MAC address filtering. (BZ#496170) * Squid is not currently built to support Kerberos negotiate authentication. This update enables Kerberos authentication. (BZ#516245) * Squid does not include the port number as part of URIs it constructs when configured as an accelerator. This results in a 403 error. This update corrects this behavior. (BZ#538738) * the error_map feature does not work if the same handling is set also on the HTTP server that operates in deflate mode. This update fixes this issue. (BZ#470843) All users of squid should upgrade to this updated package, which resolves these issues. After installing this update, the squid service will be restarted automatically. Low Copyright 2010 Red Hat, Inc. CVE-2009-2855 CVE-2010-0308 Add arp filter option negotiate support not enabled in squid (for kerberized sso) CVE-2009-2855 squid: DoS (100% CPU use) while processing certain external ACL helper HTTP headers squid 'stop after stop' is not LSB compliant Squid accelerator mode works only if port 80 is opened CVE-2010-0308 squid: temporary DoS (assertion failure) triggered by truncated DNS packet (SQUID-2010:1) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Sendmail is a very widely used Mail Transport Agent (MTA). MTAs deliver mail from one machine to another. Sendmail is not a client program, but rather a behind-the-scenes daemon that moves email over networks or the Internet to its final destination. The configuration of sendmail in Red Hat Enterprise Linux was found to not reject the "localhost.localdomain" domain name for email messages that come from external hosts. This could allow remote attackers to disguise spoofed messages. (CVE-2006-7176) A flaw was found in the way sendmail handled NUL characters in the CommonName field of X.509 certificates. An attacker able to get a carefully-crafted certificate signed by a trusted Certificate Authority could trick sendmail into accepting it by mistake, allowing the attacker to perform a man-in-the-middle attack or bypass intended client certificate authentication. (CVE-2009-4565) Note: The CVE-2009-4565 issue only affected configurations using TLS with certificate verification and CommonName checking enabled, which is not a typical configuration. This update also fixes the following bugs: * sendmail was unable to parse files specified by the ServiceSwitchFile option which used a colon as a separator. (BZ#512871) * sendmail incorrectly returned a zero exit code when free space was low. (BZ#299951) * the sendmail manual page had a blank space between the -qG option and parameter. (BZ#250552) * the comments in the sendmail.mc file specified the wrong path to SSL certificates. (BZ#244012) * the sendmail packages did not provide the MTA capability. (BZ#494408) All users of sendmail are advised to upgrade to these updated packages, which resolve these issues. Low Copyright 2010 Red Hat, Inc. CVE-2006-7176 CVE-2009-4565 CVE-2006-7176 sendmail allows external mail with from address xxx@localhost.localdomain Old path to openssl used in sendmail.mc the description about option '-qG name' should be modified in the manpage there should be %{?dist} instead of %{dist} in the *.spec on the Release: line sendmail allows external mail with from address xxx@localhost.localdomain Sendmail should provide "MTA" CVE-2009-4565 sendmail: incorrect verification of SSL certificate with NUL in name cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The pam_krb5 module allows Pluggable Authentication Modules (PAM) aware applications to use Kerberos to verify user identities by obtaining user credentials at log in time. A flaw was found in pam_krb5. In some non-default configurations (specifically, those where pam_krb5 would be the first module to prompt for a password), the text of the password prompt varied based on whether or not the username provided was a username known to the system. A remote attacker could use this flaw to recognize valid usernames, which would aid a dictionary-based password guess attack. (CVE-2009-1384) This update also fixes the following bugs: * certain applications which do not properly implement PAM conversations may fail to authenticate users whose passwords have expired and must be changed, or may succeed without forcing the user's password to be changed. This bug is triggered by a previously-applied fix to pam_krb5 which makes it comply more closely to PAM specifications. If an application misbehaves, enabling the "chpw_prompt" option for its service should restore the old behavior. (BZ#509092) * pam_krb5 does not allow the user to change an expired password in cases where the Key Distribution Center (KDC) is configured to refuse attempts to obtain forwardable password-changing credentials. This update fixes this issue. (BZ#489015) * failure to verify TGT because of wrong keytab handling. (BZ#450776) Users of pam_krb5 are advised to upgrade to these updated packages, which resolve these issues. Low Copyright 2010 Red Hat, Inc. CVE-2009-1384 Failed to verify TGT cause of wrong keytab handling pam_krb5 cannot offer to change expired password CVE-2009-1384 pam_krb5: Password prompt varies for existent and non-existent users CVE-2009-1384 RHEL-5's pam_krb5: Password prompt varies for existent and non-existent users pam_krb5 update breaks graphical apps (gnome and kde) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. KVM is a Linux kernel module built for the standard Red Hat Enterprise Linux kernel. A flaw was found in the way QEMU-KVM handled erroneous data provided by the Linux virtio-net driver, used by guest operating systems. Due to a deficiency in the TSO (TCP segment offloading) implementation, a guest's virtio-net driver would transmit improper data to a certain QEMU-KVM process on the host, causing the guest to crash. A remote attacker could use this flaw to send specially-crafted data to a target guest system, causing that guest to crash. (CVE-2010-0741) Additionally, these updated packages include numerous bug fixes and enhancements. Refer to the KVM chapter of the Red Hat Enterprise Linux 5.5 Technical Notes for details: http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.5/html/Technical_Notes/kvm.html All KVM users should upgrade to these updated packages, which resolve this issue as well as fixing the bugs and adding the enhancements noted in the Technical Notes. Note: The procedure in the Solution section must be performed before this update will take effect. Important Copyright 2010 Red Hat, Inc. CVE-2010-0430 CVE-2010-0741 Windows XP not using all CPUS qemu-kvm segfault when using i82551 vnic KVM - qemu-img fail to copy a RAW format image over FCP storage Remove initrd warning message upstream qemu issues on rhel 5.4 Add result test to prevent Infinite loop in raw_pread, reading too large offset Remove warnings from kvm compilation qemu-kvm crashed when setting 32bitwin28k with 64G ram Disable unused/unsupported features on qemu-kvm qemu aborted when restart 32bitwin23k with more than 4G mem in intel host. BUG: warning at /builddir/build/BUILD/kvm-83-maint-snapshot-20090205/kernel-/x86/x86.c:240/kvm_queue_exception_e() (Tainted: G ) [RFE] KVM should be able to export advanced cpu flags to the guest Bad qcow2 performance with cache=off KVM: MMU: make __kvm_mmu_free_some_pages handle empty list (upstream backport) windows 64 bit does vmexit on each cr8 access. rtc-td-hack stopped working. Time drifts in windows Guest Window2008-R2-datacenter installation is stopped at step "Setup will continue after restarting your computer" (AMD host only) German keymap using KVM+VNC missing some keys Call to migrate_set_speed after a migrate_cancel causes segmentation fault in kvm Guest single-cpu IPI leads to a global IPI on host QEMU terminates without warning with virtio-net and SMP enabled x86_64 guest hang when set guest's cpu1 online on AMD host ne model failed to get ip address KVM: x86: verify MTRR/PAT validity (upstream backport) Build tree for RHEL 5.X and RHEL 5.4.z contains build bugs when kvm is load, Kernel panic on rebooting after implement suspend and resume -initrd is broken with > 4GB guests RFE - In-place backing file format change debug message is displayed when save VM state into a compressed file Windows XP unattended install doesn't get an IP address after rebooting, if using -net user pvclock msr values are not preserved across remote migration O/S Filesystem Corruption with RHEL-5.4 on a RHEV Guest Rhev-Block driver causes 'unhandled vm exit' with 32bit win2k3r2sp2 Guest VM on restart kvm modules can't be built against latest kernel-devel package kvm kmod package should filter only some specific ksym dependencies RHEL5.4 VM image corruption with an IDE v-disk kvm kmod package should require a compatible kernel version qcow2: infinite recursion on grow_refcount_table() error handling error codes aren't always propagated up through the block layer (e.g. -ENOSPC) backports of qemu barrier support qemu-img: error creating a new preallocated volume image on FCP storage fix unsafe device data handling Cannot eject cd-rom when configured to host cd-rom kvm can't build against kernel-2.6.18-174.el5 qemu-img: snapshot info error KVM: x86: Add KVM_GET/SET_VCPU_EVENTS kvm: migration: mechanism to make older savevm versions to be emitted on some cases Get segmentation fault when running with ide block on kvm-83-136.el5 time drift in win2k364 KVM guest gPXE fails to PXE boot on e1000 virtual NIC CVE-2010-0741 whitelist host virtio networking features Discrepancy between man page and source code for qcow2 with regards to default value used when no explicit caching is specified kvm: use gpxe PXE roms if available [FEAT] Supported KVM guests for RHEL5.5 Maintain barrier state after migration require newer etherboot package that is compatible with new pxe ROM paths gPXE fails to PXE boot on e1000 virtual NIC Hypercall driver doesn't reset device on power-down Guest image corruption after RHEV-H update to 5.4-2.1.3.el5_4rhev2_1 using virtio-blk Add rhel-5.4.4 support to rhel5.5.0 iozone test can not finish when using virtio_blk in RHEL5u4 guest. migration failed with -M rhel5.4.4 between host 5.5 and host 5.4.4 kvm: NFS : kvm-qemu-img convert failure on RAW/Sparse template with COW/Sparse snapshot migration failed host 5.5 with -M rhel5.5.0 to host 5.5 with -M rhel5.5.0. KVM:Wake up from hibernation operation failed ( migration to file ) qemu-img re-base subcommand got Segmentation fault 'qemu-img re-base' broken on block devices CVE-2010-0741 qemu: Improper handling of erroneous data provided by Linux virtio-net driver cpe:/a:redhat:rhel_virtualization Red Hat Enterprise Linux 5 cURL is a tool for getting files from FTP, HTTP, Gopher, Telnet, and DICT servers, using any of the supported protocols. cURL is designed to work without user interaction or any kind of interactivity. Wesley Miaw discovered that when deflate compression was used, libcurl could call the registered write callback function with data exceeding the documented limit. A malicious server could use this flaw to crash an application using libcurl or, potentially, execute arbitrary code. Note: This issue only affected applications using libcurl that rely on the documented data size limit, and that copy the data to the insufficiently sized buffer. (CVE-2010-0734) This update also fixes the following bugs: * when using curl to upload a file, if the connection was broken or reset by the server during the transfer, curl immediately started using 100% CPU and failed to acknowledge that the transfer had failed. With this update, curl displays an appropriate error message and exits when an upload fails mid-transfer due to a broken or reset connection. (BZ#479967) * libcurl experienced a segmentation fault when attempting to reuse a connection after performing GSS-negotiate authentication, which in turn caused the curl program to crash. This update fixes this bug so that reused connections are able to be successfully established even after GSS-negotiate authentication has been performed. (BZ#517199) As well, this update adds the following enhancements: * curl now supports loading Certificate Revocation Lists (CRLs) from a Privacy Enhanced Mail (PEM) file. When curl attempts to access sites that have had their certificate revoked in a CRL, curl refuses access to those sites. (BZ#532069) * the curl(1) manual page has been updated to clarify that the "--socks4" and "--socks5" options do not work with the IPv6, FTPS, or LDAP protocols. (BZ#473128) * the curl utility's program help, which is accessed by running "curl -h", has been updated with descriptions for the "--ftp-account" and "--ftp-alternative-to-user" options. (BZ#517084) Users of curl should upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements. All running applications using libcurl must be restarted for the update to take effect. Moderate Copyright 2010 Red Hat, Inc. CVE-2010-0734 curl uses 100% of CPU if upload connection is broken curl program options differ from option in manual page curl, libcurl crash when reusing connection after negotiate-auth CVE-2010-0734 curl: zlib-compression causes curl to pass more than CURL_MAX_WRITE_SIZE bytes to write callback cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The gfs-kmod packages contain modules that provide the ability to mount and use GFS file systems. A flaw was found in the gfs_lock() implementation. The GFS locking code could skip the lock operation for files that have the S_ISGID bit (set-group-ID on execution) in their mode set. A local, unprivileged user on a system that has a GFS file system mounted could use this flaw to cause a kernel panic. (CVE-2010-0727) These updated gfs-kmod packages are in sync with the latest kernel (2.6.18-194.el5). The modules in earlier gfs-kmod packages failed to load because they did not match the running kernel. It was possible to force-load the modules. With this update, however, users no longer need to. These updated gfs-kmod packages also fix the following bugs: * when SELinux was in permissive mode, a race condition during file creation could have caused one or more cluster nodes to be fenced and lock the remaining nodes out of the GFS file system. This race condition no longer occurs with this update. (BZ#471258) * when ACLs (Access Control Lists) are enabled on a GFS file system, if a transaction that has started to do a write request does not have enough spare blocks for the operation it causes a kernel panic. This update ensures that there are enough blocks for the write request before starting the operation. (BZ#513885) * requesting a "flock" on a file in GFS in either read-only or read-write mode would sometimes cause a "Resource temporarily unavailable" state error (error 11 for EWOULDBLOCK) to occur. In these cases, a flock could not be obtained on the file in question. This has been fixed with this update so that flocks can successfully be obtained on GFS files without this error occurring. (BZ#515717) * the GFS withdraw function is a data integrity feature of GFS file systems in a cluster. If the GFS kernel module detects an inconsistency in a GFS file system following an I/O operation, the file system becomes unavailable to the cluster. The GFS withdraw function is less severe than a kernel panic, which would cause another node to fence the node. With this update, you can override the GFS withdraw function by mounting the file system with the "-o errors=panic" option specified. When this option is specified, any errors that would normally cause the system to withdraw cause the system to panic instead. This stops the node's cluster communications, which causes the node to be fenced. (BZ#517145) Finally, these updated gfs-kmod packages provide the following enhancement: * the GFS kernel modules have been updated to use the new generic freeze and unfreeze ioctl interface that is also supported by the following file systems: ext3, ext4, GFS2, JFS and ReiserFS. With this update, GFS supports freeze/unfreeze through the VFS-level FIFREEZE/FITHAW ioctl interface. (BZ#487610) Users are advised to upgrade to these latest gfs-kmod packages, updated for use with the 2.6.18-194.el5 kernel, which contain backported patches to correct these issues, fix these bugs, and add this enhancement. Moderate Copyright 2010 Red Hat, Inc. CVE-2010-0727 fatal: assertion "gfs_glock_is_locked_by_me(gl) && gfs_glock_is_held_excl(gl)" failed GFS: Change gfs freeze/unfreeze to use new standard GFS kernel panic, suid + nfsd with posix ACLs enabled Flock on GFS fs file will error with "Resource tempory unavailable" for EWOULDBLOCK [RFE] GFS: New mount option: -o errors=withdraw|panic CVE-2010-0727 kernel: bug in GFS/GFS2 locking code leads to dos cpe:/a:redhat:rhel_cluster_storage Red Hat Enterprise Linux 5 Automake is a tool for automatically generating Makefile.in files compliant with the GNU Coding Standards. Automake-generated Makefiles made certain directories world-writable when preparing source archives, as was recommended by the GNU Coding Standards. If a malicious, local user could access the directory where a victim was creating distribution archives, they could use this flaw to modify the files being added to those archives. Makefiles generated by these updated automake packages no longer make distribution directories world-writable, as recommended by the updated GNU Coding Standards. (CVE-2009-4029) Note: This issue affected Makefile targets used by developers to prepare distribution source archives. Those targets are not used when compiling programs from the source code. All users of automake, automake14, automake15, automake16, and automake17 should upgrade to these updated packages, which resolve this issue. Low Copyright 2010 Red Hat, Inc. CVE-2009-4029 CVE-2009-4029 Automake: Race condition by creation of "distdir" based directory hierarchy cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 cURL is a tool for getting files from FTP, HTTP, Gopher, Telnet, and DICT servers, using any of the supported protocols. cURL is designed to work without user interaction or any kind of interactivity. Wesley Miaw discovered that when deflate compression was used, libcurl could call the registered write callback function with data exceeding the documented limit. A malicious server could use this flaw to crash an application using libcurl or, potentially, execute arbitrary code. Note: This issue only affected applications using libcurl that rely on the documented data size limit, and that copy the data to the insufficiently sized buffer. (CVE-2010-0734) Users of curl should upgrade to these updated packages, which contain a backported patch to correct this issue. All running applications using libcurl must be restarted for the update to take effect. Moderate Copyright 2010 Red Hat, Inc. CVE-2010-0734 CVE-2010-0734 curl: zlib-compression causes curl to pass more than CURL_MAX_WRITE_SIZE bytes to write callback cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 Mozilla Firefox is an open source Web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Several use-after-free flaws were found in Firefox. Visiting a web page containing malicious content could result in Firefox executing arbitrary code with the privileges of the user running Firefox. (CVE-2010-0175, CVE-2010-0176, CVE-2010-0177) A flaw was found in Firefox that could allow an applet to generate a drag and drop action from a mouse click. Such an action could be used to execute arbitrary JavaScript with the privileges of the user running Firefox. (CVE-2010-0178) A privilege escalation flaw was found in Firefox when the Firebug add-on is in use. The XMLHttpRequestSpy module in the Firebug add-on exposes a Chrome privilege escalation flaw that could be used to execute arbitrary JavaScript with the privileges of the user running Firefox. (CVE-2010-0179) Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2010-0174) For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 3.0.19. You can find a link to the Mozilla advisories in the References section of this erratum. All Firefox users should upgrade to these updated packages, which contain Firefox version 3.0.19, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect. Critical Copyright 2010 Red Hat, Inc. CVE-2010-0174 CVE-2010-0175 CVE-2010-0176 CVE-2010-0177 CVE-2010-0178 CVE-2010-0179 CVE-2010-0174 Mozilla crashes with evidence of memory corruption CVE-2010-0175 Mozilla remote code execution with use-after-free in nsTreeSelection CVE-2010-0176 Mozilla Dangling pointer vulnerability in nsTreeContentView CVE-2010-0177 Mozilla Dangling pointer vulnerability in nsPluginArray CVE-2010-0178 Firefox Chrome privilege escalation via forced URL drag and drop CVE-2010-0179 Firefox Arbitrary code execution with Firebug XMLHttpRequestSpy cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 SeaMonkey is an open source Web browser, email and newsgroup client, IRC chat client, and HTML editor. Several use-after-free flaws were found in SeaMonkey. Visiting a web page containing malicious content could result in SeaMonkey executing arbitrary code with the privileges of the user running SeaMonkey. (CVE-2010-0175, CVE-2010-0176, CVE-2010-0177) Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause SeaMonkey to crash or, potentially, execute arbitrary code with the privileges of the user running SeaMonkey. (CVE-2010-0174) All SeaMonkey users should upgrade to these updated packages, which correct these issues. After installing the update, SeaMonkey must be restarted for the changes to take effect. Critical Copyright 2010 Red Hat, Inc. CVE-2010-0174 CVE-2010-0175 CVE-2010-0176 CVE-2010-0177 CVE-2010-0174 Mozilla crashes with evidence of memory corruption CVE-2010-0175 Mozilla remote code execution with use-after-free in nsTreeSelection CVE-2010-0176 Mozilla Dangling pointer vulnerability in nsTreeContentView CVE-2010-0177 Mozilla Dangling pointer vulnerability in nsPluginArray cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 The Sun 1.6.0 Java release includes the Sun Java 6 Runtime Environment and the Sun Java 6 Software Development Kit. This update fixes several vulnerabilities in the Sun Java 6 Runtime Environment and the Sun Java 6 Software Development Kit. Further information about these flaws can be found on the "Oracle Java SE and Java for Business Critical Patch Update Advisory" page, listed in the References section. (CVE-2009-3555, CVE-2010-0082, CVE-2010-0084, CVE-2010-0085, CVE-2010-0087, CVE-2010-0088, CVE-2010-0089, CVE-2010-0090, CVE-2010-0091, CVE-2010-0092, CVE-2010-0093, CVE-2010-0094, CVE-2010-0095, CVE-2010-0837, CVE-2010-0838, CVE-2010-0839, CVE-2010-0840, CVE-2010-0841, CVE-2010-0842, CVE-2010-0843, CVE-2010-0844, CVE-2010-0845, CVE-2010-0846, CVE-2010-0847, CVE-2010-0848, CVE-2010-0849) For the CVE-2009-3555 issue, this update disables renegotiation in the Java Secure Socket Extension (JSSE) component. Unsafe renegotiation can be re-enabled using the sun.security.ssl.allowUnsafeRenegotiation property. Refer to the following Knowledgebase article for details: http://kbase.redhat.com/faq/docs/DOC-20491 Users of java-1.6.0-sun should upgrade to these updated packages, which correct these issues. All running instances of Sun Java must be restarted for the update to take effect. Critical Copyright 2010 Red Hat, Inc. CVE-2009-3555 CVE-2010-0082 CVE-2010-0084 CVE-2010-0085 CVE-2010-0087 CVE-2010-0088 CVE-2010-0089 CVE-2010-0090 CVE-2010-0091 CVE-2010-0092 CVE-2010-0093 CVE-2010-0094 CVE-2010-0095 CVE-2010-0837 CVE-2010-0838 CVE-2010-0839 CVE-2010-0840 CVE-2010-0841 CVE-2010-0842 CVE-2010-0843 CVE-2010-0844 CVE-2010-0845 CVE-2010-0846 CVE-2010-0847 CVE-2010-0848 CVE-2010-0849 CVE-2009-3555 TLS: MITM attacks via session renegotiation CVE-2010-0082 OpenJDK Loader-constraint table allows arrays instead of only the base-classes (6626217) CVE-2010-0084 OpenJDK Policy/PolicyFile leak dynamic ProtectionDomains. (6633872) CVE-2010-0085 OpenJDK File TOCTOU deserialization vulnerability (6736390) CVE-2010-0088 OpenJDK Inflater/Deflater clone issues (6745393) CVE-2010-0091 OpenJDK Unsigned applet can retrieve the dragged information before drop action occurs(6887703) CVE-2010-0092 OpenJDK AtomicReferenceArray causes SIGSEGV -> SEGV_MAPERR error (6888149) CVE-2010-0093 OpenJDK System.arraycopy unable to reference elements beyond Integer.MAX_VALUE bytes (6892265) CVE-2010-0094 OpenJDK Deserialization of RMIConnectionImpl objects should enforce stricter checks (6893947) CVE-2010-0095 OpenJDK Subclasses of InetAddress may incorrectly interpret network addresses (6893954) CVE-2010-0845 OpenJDK No ClassCastException for HashAttributeSet constructors if run with -Xcomp (6894807) CVE-2010-0838 OpenJDK CMM readMabCurveData Buffer Overflow Vulnerability (6899653) CVE-2010-0837 OpenJDK JAR "unpack200" must verify input parameters (6902299) CVE-2010-0840 OpenJDK Applet Trusted Methods Chaining Privilege Escalation Vulnerability (6904691) CVE-2010-0841 OpenJDK JPEGImageReader stepX Integer Overflow Vulnerability (6909597) CVE-2010-0848 OpenJDK AWT Library Invalid Index Vulnerability (6914823) CVE-2010-0847 OpenJDK ImagingLib arbitrary code execution vulnerability (6914866) CVE-2010-0846 JDK unspecified vulnerability in ImageIO component CVE-2010-0849 JDK unspecified vulnerability in Java2D component CVE-2010-0087 JDK unspecified vulnerability in JWS/Plugin component CVE-2010-0839 CVE-2010-0842 CVE-2010-0843 CVE-2010-0844 JDK multiple unspecified vulnerabilities CVE-2010-0090 JDK unspecified vulnerability in JavaWS/Plugin component CVE-2010-0089 JDK unspecified vulnerability in JavaWS/Plugin component cpe:/a:redhat:rhel_extras Supplementary for Red Hat Enterprise Linux 5 The Sun 1.5.0 Java release includes the Sun Java 5 Runtime Environment and the Sun Java 5 Software Development Kit. The java-1.5.0-sun packages are vulnerable to a number of security flaws and should no longer be used. (CVE-2009-3555, CVE-2010-0082, CVE-2010-0084, CVE-2010-0085, CVE-2010-0087, CVE-2010-0088, CVE-2010-0089, CVE-2010-0091, CVE-2010-0092, CVE-2010-0093, CVE-2010-0094, CVE-2010-0095, CVE-2010-0837, CVE-2010-0838, CVE-2010-0839, CVE-2010-0840, CVE-2010-0841, CVE-2010-0842, CVE-2010-0843, CVE-2010-0844, CVE-2010-0845, CVE-2010-0846, CVE-2010-0847, CVE-2010-0848, CVE-2010-0849) The Sun Java SE Release family 5.0 reached its End of Service Life on November 3, 2009. The RHSA-2009:1571 update provided the final publicly available update of version 5.0 (Update 22). Users interested in continuing to receive critical fixes for Sun Java SE 5.0 should contact Oracle: http://www.sun.com/software/javaforbusiness/index.jsp An alternative to Sun Java SE 5.0 is the Java 2 Technology Edition of the IBM Developer Kit for Linux, which is available from the Extras and Supplementary channels on the Red Hat Network. Applications capable of using the Java 6 runtime can be migrated to Java 6 on: OpenJDK (java-1.6.0-openjdk), an open source JDK included in Red Hat Enterprise Linux 5, since 5.3; the IBM JDK, java-1.6.0-ibm; or the Sun JDK, java-1.6.0-sun. This update removes the java-1.5.0-sun packages as they have reached their End of Service Life. Critical Copyright 2010 Red Hat, Inc. CVE-2009-3555 CVE-2010-0082 CVE-2010-0084 CVE-2010-0085 CVE-2010-0087 CVE-2010-0088 CVE-2010-0089 CVE-2010-0091 CVE-2010-0092 CVE-2010-0093 CVE-2010-0094 CVE-2010-0095 CVE-2010-0837 CVE-2010-0838 CVE-2010-0839 CVE-2010-0840 CVE-2010-0841 CVE-2010-0842 CVE-2010-0843 CVE-2010-0844 CVE-2010-0845 CVE-2010-0846 CVE-2010-0847 CVE-2010-0848 CVE-2010-0849 CVE-2009-3555 TLS: MITM attacks via session renegotiation CVE-2010-0082 OpenJDK Loader-constraint table allows arrays instead of only the base-classes (6626217) CVE-2010-0084 OpenJDK Policy/PolicyFile leak dynamic ProtectionDomains. (6633872) CVE-2010-0085 OpenJDK File TOCTOU deserialization vulnerability (6736390) CVE-2010-0088 OpenJDK Inflater/Deflater clone issues (6745393) CVE-2010-0091 OpenJDK Unsigned applet can retrieve the dragged information before drop action occurs(6887703) CVE-2010-0092 OpenJDK AtomicReferenceArray causes SIGSEGV -> SEGV_MAPERR error (6888149) CVE-2010-0093 OpenJDK System.arraycopy unable to reference elements beyond Integer.MAX_VALUE bytes (6892265) CVE-2010-0094 OpenJDK Deserialization of RMIConnectionImpl objects should enforce stricter checks (6893947) CVE-2010-0095 OpenJDK Subclasses of InetAddress may incorrectly interpret network addresses (6893954) CVE-2010-0845 OpenJDK No ClassCastException for HashAttributeSet constructors if run with -Xcomp (6894807) CVE-2010-0838 OpenJDK CMM readMabCurveData Buffer Overflow Vulnerability (6899653) CVE-2010-0837 OpenJDK JAR "unpack200" must verify input parameters (6902299) CVE-2010-0840 OpenJDK Applet Trusted Methods Chaining Privilege Escalation Vulnerability (6904691) CVE-2010-0841 OpenJDK JPEGImageReader stepX Integer Overflow Vulnerability (6909597) CVE-2010-0848 OpenJDK AWT Library Invalid Index Vulnerability (6914823) CVE-2010-0847 OpenJDK ImagingLib arbitrary code execution vulnerability (6914866) CVE-2010-0846 JDK unspecified vulnerability in ImageIO component CVE-2010-0849 JDK unspecified vulnerability in Java2D component CVE-2010-0087 JDK unspecified vulnerability in JWS/Plugin component CVE-2010-0839 CVE-2010-0842 CVE-2010-0843 CVE-2010-0844 JDK multiple unspecified vulnerabilities CVE-2010-0089 JDK unspecified vulnerability in JavaWS/Plugin component cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 5 These packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software Development Kit. The Java Runtime Environment (JRE) contains the software and tools that users need to run applications written using the Java programming language. A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocols handle session renegotiation. A man-in-the-middle attacker could use this flaw to prefix arbitrary plain text to a client's session (for example, an HTTPS connection to a website). This could force the server to process an attacker's request as if authenticated using the victim's credentials. (CVE-2009-3555) This update disables renegotiation in the Java Secure Socket Extension (JSSE) component. Unsafe renegotiation can be re-enabled using the sun.security.ssl.allowUnsafeRenegotiation property. Refer to the following Knowledgebase article for details: http://kbase.redhat.com/faq/docs/DOC-20491 A number of flaws have been fixed in the Java Virtual Machine (JVM) and in various Java class implementations. These flaws could allow an unsigned applet or application to bypass intended access restrictions. (CVE-2010-0082, CVE-2010-0084, CVE-2010-0085, CVE-2010-0088, CVE-2010-0094) An untrusted applet could access clipboard information if a drag operation was performed over that applet's canvas. This could lead to an information leak. (CVE-2010-0091) The rawIndex operation incorrectly handled large values, causing the corruption of internal memory structures, resulting in an untrusted applet or application crashing. (CVE-2010-0092) The System.arraycopy operation incorrectly handled large index values, potentially causing array corruption in an untrusted applet or application. (CVE-2010-0093) Subclasses of InetAddress may incorrectly interpret network addresses, allowing an untrusted applet or application to bypass network access restrictions. (CVE-2010-0095) In certain cases, type assignments could result in "non-exact" interface types. This could be used to bypass type-safety restrictions. (CVE-2010-0845) A buffer overflow flaw in LittleCMS (embedded in OpenJDK) could cause an untrusted applet or application using color profiles from untrusted sources to crash. (CVE-2010-0838) An input validation flaw was found in the JRE unpack200 functionality. An untrusted applet or application could use this flaw to elevate its privileges. (CVE-2010-0837) Deferred calls to trusted applet methods could be granted incorrect permissions, allowing an untrusted applet or application to extend its privileges. (CVE-2010-0840) A missing input validation flaw in the JRE could allow an attacker to crash an untrusted applet or application. (CVE-2010-0848) A flaw in Java2D could allow an attacker to execute arbitrary code with the privileges of a user running an untrusted applet or application that uses Java2D. (CVE-2010-0847) Note: The flaws concerning applets in this advisory, CVE-2010-0082, CVE-2010-0084, CVE-2010-0085, CVE-2010-0088, CVE-2010-0091, CVE-2010-0092, CVE-2010-0093, CVE-2010-0094, CVE-2010-0095, CVE-2010-0837, CVE-2010-0838, CVE-2010-0840, CVE-2010-0847, and CVE-2010-0848, can only be triggered in java-1.6.0-openjdk by calling the "appletviewer" application. This update also provides three defense in depth patches. (BZ#575745, BZ#575861, BZ#575789) All users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect. Important Copyright 2010 Red Hat, Inc. CVE-2009-3555 CVE-2010-0082 CVE-2010-0084 CVE-2010-0085 CVE-2010-0088 CVE-2010-0091 CVE-2010-0092 CVE-2010-0093 CVE-2010-0094 CVE-2010-0095 CVE-2010-0837 CVE-2010-0838 CVE-2010-0840 CVE-2010-0845 CVE-2010-0847 CVE-2010-0848 CVE-2009-3555 TLS: MITM attacks via session renegotiation CVE-2010-0082 OpenJDK Loader-constraint table allows arrays instead of only the base-classes (6626217) CVE-2010-0084 OpenJDK Policy/PolicyFile leak dynamic ProtectionDomains. (6633872) OpenJDK ThreadGroup finalizer allows creation of false root ThreadGroups (6639665) CVE-2010-0085 OpenJDK File TOCTOU deserialization vulnerability (6736390) CVE-2010-0088 OpenJDK Inflater/Deflater clone issues (6745393) CVE-2010-0091 OpenJDK Unsigned applet can retrieve the dragged information before drop action occurs(6887703) CVE-2010-0092 OpenJDK AtomicReferenceArray causes SIGSEGV -> SEGV_MAPERR error (6888149) CVE-2010-0093 OpenJDK System.arraycopy unable to reference elements beyond Integer.MAX_VALUE bytes (6892265) CVE-2010-0094 OpenJDK Deserialization of RMIConnectionImpl objects should enforce stricter checks (6893947) CVE-2010-0095 OpenJDK Subclasses of InetAddress may incorrectly interpret network addresses (6893954) CVE-2010-0845 OpenJDK No ClassCastException for HashAttributeSet constructors if run with -Xcomp (6894807) OpenJDK ObjectIdentifer.equals is not capable of detecting incorrectly encoded CommonName OIDs (6898622) CVE-2010-0838 OpenJDK CMM readMabCurveData Buffer Overflow Vulnerability (6899653) CVE-2010-0837 OpenJDK JAR "unpack200" must verify input parameters (6902299) CVE-2010-0840 OpenJDK Applet Trusted Methods Chaining Privilege Escalation Vulnerability (6904691) OpenJDK Application can modify command array in ProcessBuilder (6910590) CVE-2010-0848 OpenJDK AWT Library Invalid Index Vulnerability (6914823) CVE-2010-0847 OpenJDK ImagingLib arbitrary code execution vulnerability (6914866) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third party, the Key Distribution Center (KDC). A use-after-free flaw was discovered in the MIT Kerberos administration daemon, kadmind. A remote, authenticated attacker could use this flaw to crash the kadmind daemon. Administrative privileges are not required to trigger this flaw, as any realm user can request information about their own principal from kadmind. (CVE-2010-0629) This update also fixes the following bug: * when a Kerberos client seeks tickets for use with a service, it must contact the Key Distribution Center (KDC) to obtain them. The client must also determine which realm the service belongs to and it typically does this with a combination of client configuration detail, DNS information and guesswork. If the service belongs to a realm other than the client's, cross-realm authentication is required. Using a combination of client configuration and guesswork, the client determines the trust relationship sequence which forms the trusted path between the client's realm and the service's realm. This may include one or more intermediate realms. Anticipating the KDC has better knowledge of extant trust relationships, the client then requests a ticket from the service's KDC, indicating it will accept guidance from the service's KDC by setting a special flag in the request. A KDC which recognizes the flag can, at its option, return a ticket-granting ticket for the next realm along the trust path the client should be following. If the ticket-granting ticket returned by the service's KDC is for use with a realm the client has already determined was in the trusted path, the client accepts this as an optimization and continues. If, however, the ticket is for use in a realm the client is not expecting, the client responds incorrectly: it treats the case as an error rather than continuing along the path suggested by the service's KDC. For this update, the krb5 1.7 modifications which allow the client to trust such KDCs to send them along the correct path, resulting in the client obtaining the tickets it originally desired, were backported to krb 1.6.1 (the version shipped with Red Hat Enterprise Linux 5.5). (BZ#578540) All krb5 users should upgrade to these updated packages, which contain backported patches to correct these issues. All running KDC services must be restarted for the update to take effect. Important Copyright 2010 Red Hat, Inc. CVE-2010-0629 CVE-2010-0629 krb5: kadmind use-after-free remote crash (MITKRB5-SA-2010-003) [RFE] Backport referral-chasing code within krb5-1.7 to RHEL5 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The nss_db packages provide a set of C library extensions which allow Berkeley Database (Berkeley DB) databases to be used as a primary source of aliases, ethers, groups, hosts, networks, protocols, users, RPCs, services, and shadow passwords. These databases are used instead of or in addition to the flat files used by these tools by default. It was discovered that nss_db did not specify a path to the directory to be used as the database environment for the Berkeley Database library, causing it to use the current working directory as the default. This could possibly allow a local attacker to obtain sensitive information. (CVE-2010-0826) Users of nss_db are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. Moderate Copyright 2010 Red Hat, Inc. CVE-2010-0826 CVE-2010-0826 nss_db: Information leak due the DB_CONFIG file read from current working directory cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The K Desktop Environment (KDE) is a graphical desktop environment for the X Window System. The kdebase packages include core applications for KDE. A privilege escalation flaw was found in the KDE Display Manager (KDM). A local user with console access could trigger a race condition, possibly resulting in the permissions of an arbitrary file being set to world writable, allowing privilege escalation. (CVE-2010-0436) Red Hat would like to thank Sebastian Krahmer of the SuSE Security Team for responsibly reporting this issue. Users of KDE should upgrade to these updated packages, which contain a backported patch to correct this issue. The system should be rebooted for this update to take effect. After the reboot, administrators should manually remove all leftover user-owned dmctl-* directories in "/var/run/xdmctl/". Important Copyright 2010 Red Hat, Inc. CVE-2010-0436 CVE-2010-0436 kdm privilege escalation flaw cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 Adobe Reader allows users to view and print documents in Portable Document Format (PDF). This update fixes several vulnerabilities in Adobe Reader. These vulnerabilities are summarized on the Adobe Security Advisory APSB10-09 page listed in the References section. A specially-crafted PDF file could cause Adobe Reader to crash or, potentially, execute arbitrary code as the user running Adobe Reader when opened. (CVE-2010-0190, CVE-2010-0191, CVE-2010-0192, CVE-2010-0193, CVE-2010-0194, CVE-2010-0195, CVE-2010-0196, CVE-2010-0197, CVE-2010-0198, CVE-2010-0199, CVE-2010-0201, CVE-2010-0202, CVE-2010-0203, CVE-2010-0204, CVE-2010-1241) All Adobe Reader users should install these updated packages. They contain Adobe Reader version 9.3.2, which is not vulnerable to these issues. All running instances of Adobe Reader must be restarted for the update to take effect. Critical Copyright 2010 Red Hat, Inc. CVE-2010-0190 CVE-2010-0191 CVE-2010-0192 CVE-2010-0193 CVE-2010-0194 CVE-2010-0195 CVE-2010-0196 CVE-2010-0197 CVE-2010-0198 CVE-2010-0199 CVE-2010-0201 CVE-2010-0202 CVE-2010-0203 CVE-2010-0204 CVE-2010-1241 CVE-2010-1241 Acroread: Heap-based overflow by opening a specially-crafted PDF file (FG-VD-10-005) Acroread: Multiple code execution flaws (APSB10-09) cpe:/a:redhat:rhel_extras Supplementary for Red Hat Enterprise Linux 5 The Sun 1.6.0 Java release includes the Sun Java 6 Runtime Environment and the Sun Java 6 Software Development Kit. This update fixes two vulnerabilities in the Sun Java 6 Runtime Environment and the Sun Java 6 Software Development Kit. Further information about these flaws can be found on the Oracle Security Alert page listed in the References section. (CVE-2010-0886, CVE-2010-0887) Users of java-1.6.0-sun should upgrade to these updated packages, which correct these issues. All running instances of Sun Java must be restarted for the update to take effect. Critical Copyright 2010 Red Hat, Inc. CVE-2010-0886 CVE-2010-0887 CVE-2010-0886 CVE-2010-0887 Sun Java: Java Web Start arbitrary command line injection cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 3 Wireshark is a program for monitoring network traffic. Wireshark was previously known as Ethereal. An invalid pointer dereference flaw was found in the Wireshark SMB and SMB2 dissectors. If Wireshark read a malformed packet off a network or opened a malicious dump file, it could crash or, possibly, execute arbitrary code as the user running Wireshark. (CVE-2009-4377) Several buffer overflow flaws were found in the Wireshark LWRES dissector. If Wireshark read a malformed packet off a network or opened a malicious dump file, it could crash or, possibly, execute arbitrary code as the user running Wireshark. (CVE-2010-0304) Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file. (CVE-2009-2560, CVE-2009-2562, CVE-2009-2563, CVE-2009-3550, CVE-2009-3829) Users of Wireshark should upgrade to these updated packages, which contain Wireshark version 1.0.11, and resolve these issues. All running instances of Wireshark must be restarted for the update to take effect. Moderate Copyright 2010 Red Hat, Inc. CVE-2009-2560 CVE-2009-2562 CVE-2009-2563 CVE-2009-3550 CVE-2009-3829 CVE-2009-4377 CVE-2010-0304 CVE-2009-2562 Wireshark: Integer overflow in the AFS dissector CVE-2009-2563 Wireshark: Null-ptr dereference in the InfiniBand dissector CVE-2009-2560 Wireshark: various flaws in a) RADIUS, b) Bluetooth L2CAP, c) MIOP dissectors (DoS) CVE-2009-3550 Wireshark: NULL pointer dereference in the DCERPC over SMB packet disassembly CVE-2009-3829 wireshark: unsigned integer wrap vulnerability in ERF reader (VU#676492) CVE-2009-4377 wireshark: invalid pointer dereference in SMB/SMB2 dissectors CVE-2010-0304 wireshark: crash in LWRES dissector cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The sudo (superuser do) utility allows system administrators to give certain users the ability to run commands as root. The RHBA-2010:0212 sudo update released as part of Red Hat Enterprise Linux 5.5 added the ability to change the value of the ignore_dot option in the "/etc/sudoers" configuration file. This ability introduced a regression in the upstream fix for CVE-2010-0426. In configurations where the ignore_dot option was set to off (the default is on for the Red Hat Enterprise Linux 5 sudo package), a local user authorized to use the sudoedit pseudo-command could possibly run arbitrary commands with the privileges of the users sudoedit was authorized to run as. (CVE-2010-1163) Red Hat would like to thank Todd C. Miller, the upstream sudo maintainer, for responsibly reporting this issue. Upstream acknowledges Valerio Costamagna as the original reporter. Users of sudo should upgrade to this updated package, which contains a backported patch to correct this issue. Moderate Copyright 2010 Red Hat, Inc. CVE-2010-1163 CVE-2010-1163 sudo: incomplete fix for the sudoedit privilege escalation issue CVE-2010-0426 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The scsi-target-utils package contains the daemon and tools to set up and monitor SCSI targets. Currently, iSCSI software and iSER targets are supported. A format string flaw was found in scsi-target-utils' tgtd daemon. A remote attacker could trigger this flaw by sending a carefully-crafted Internet Storage Name Service (iSNS) request, causing the tgtd daemon to crash. (CVE-2010-0743) All scsi-target-utils users should upgrade to this updated package, which contains a backported patch to correct this issue. All running scsi-target-utils services must be restarted for the update to take effect. Important Copyright 2010 Red Hat, Inc. CVE-2010-0743 CVE-2010-0743 scsi-target-utils: format string vulnerability cpe:/a:redhat:rhel_cluster_storage Red Hat Enterprise Linux 5 X.Org is an open source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon. An incorrect calculation flaw was discovered in the X.Org Render extension. A malicious, authorized client could exploit this issue to crash the X.Org server or, potentially, execute arbitrary code with root privileges. (CVE-2010-1166) Users of xorg-x11-server should upgrade to these updated packages, which contain a backported patch to resolve this issue. All running X.Org server instances must be restarted for this update to take effect. Important Copyright 2010 Red Hat, Inc. CVE-2010-1166 Xorg crashes with latest firefox CVE-2010-1166 Xorg: X server Render extension memory corruption cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 The IBM 1.6.0 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. This update fixes several vulnerabilities in the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. These vulnerabilities are summarized on the IBM "Security alerts" page listed in the References section. (CVE-2010-0084, CVE-2010-0085, CVE-2010-0087, CVE-2010-0088, CVE-2010-0089, CVE-2010-0090, CVE-2010-0091, CVE-2010-0092, CVE-2010-0094, CVE-2010-0095, CVE-2010-0837, CVE-2010-0838, CVE-2010-0839, CVE-2010-0840, CVE-2010-0841, CVE-2010-0842, CVE-2010-0843, CVE-2010-0844, CVE-2010-0846, CVE-2010-0848, CVE-2010-0849) All users of java-1.6.0-ibm are advised to upgrade to these updated packages, containing the IBM 1.6.0 SR8 Java release. All running instances of IBM Java must be restarted for the update to take effect. Critical Copyright 2010 Red Hat, Inc. CVE-2010-0084 CVE-2010-0085 CVE-2010-0087 CVE-2010-0088 CVE-2010-0089 CVE-2010-0090 CVE-2010-0091 CVE-2010-0092 CVE-2010-0094 CVE-2010-0095 CVE-2010-0837 CVE-2010-0838 CVE-2010-0839 CVE-2010-0840 CVE-2010-0841 CVE-2010-0842 CVE-2010-0843 CVE-2010-0844 CVE-2010-0846 CVE-2010-0847 CVE-2010-0848 CVE-2010-0849 CVE-2010-0084 OpenJDK Policy/PolicyFile leak dynamic ProtectionDomains. (6633872) CVE-2010-0085 OpenJDK File TOCTOU deserialization vulnerability (6736390) CVE-2010-0088 OpenJDK Inflater/Deflater clone issues (6745393) CVE-2010-0091 OpenJDK Unsigned applet can retrieve the dragged information before drop action occurs(6887703) CVE-2010-0092 OpenJDK AtomicReferenceArray causes SIGSEGV -> SEGV_MAPERR error (6888149) CVE-2010-0094 OpenJDK Deserialization of RMIConnectionImpl objects should enforce stricter checks (6893947) CVE-2010-0095 OpenJDK Subclasses of InetAddress may incorrectly interpret network addresses (6893954) CVE-2010-0838 OpenJDK CMM readMabCurveData Buffer Overflow Vulnerability (6899653) CVE-2010-0837 OpenJDK JAR "unpack200" must verify input parameters (6902299) CVE-2010-0840 OpenJDK Applet Trusted Methods Chaining Privilege Escalation Vulnerability (6904691) CVE-2010-0841 OpenJDK JPEGImageReader stepX Integer Overflow Vulnerability (6909597) CVE-2010-0848 OpenJDK AWT Library Invalid Index Vulnerability (6914823) CVE-2010-0846 JDK unspecified vulnerability in ImageIO component CVE-2010-0849 JDK unspecified vulnerability in Java2D component CVE-2010-0087 JDK unspecified vulnerability in JWS/Plugin component CVE-2010-0839 CVE-2010-0842 CVE-2010-0843 CVE-2010-0844 JDK multiple unspecified vulnerabilities CVE-2010-0090 JDK unspecified vulnerability in JavaWS/Plugin component CVE-2010-0089 JDK unspecified vulnerability in JavaWS/Plugin component cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 3 In accordance with the Red Hat Enterprise Linux Errata Support Policy, the regular 7 year life-cycle of Red Hat Enterprise Linux 3 will end on October 31, 2010. After this date, Red Hat will discontinue the regular subscription services for Red Hat Enterprise Linux 3. Therefore, new bug fix, enhancement, and security errata updates, as well as technical support services will no longer be available for the following products: * Red Hat Enterprise Linux AS 3 * Red Hat Enterprise Linux ES 3 * Red Hat Enterprise Linux WS 3 * Red Hat Enterprise Linux Extras 3 * Red Hat Desktop 3 * Red Hat Global File System 3 * Red Hat Cluster Suite 3 Customers still running production workloads on Red Hat Enterprise Linux 3 are advised to begin planning the upgrade to Red Hat Enterprise Linux 5. Active subscribers of Red Hat Enterprise Linux already have access to all currently maintained versions of Red Hat Enterprise Linux, as part of their subscription without additional fees. For customers who are unable to migrate off Red Hat Enterprise Linux 3 before its end-of-life date, Red Hat may offer a limited, optional extension program. For more information, contact your Red Hat sales representative or channel partner. Details of the Red Hat Enterprise Linux life-cycle can be found on the Red Hat website: http://www.redhat.com/security/updates/errata/ Low Copyright 2010 Red Hat, Inc. Send Out RHEL 3 6-Month EOL Notice cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security fixes: * RHSA-2009:1024 introduced a flaw in the ptrace implementation on Itanium systems. ptrace_check_attach() was not called during certain ptrace() requests. Under certain circumstances, a local, unprivileged user could use this flaw to call ptrace() on a process they do not own, giving them control over that process. (CVE-2010-0729, Important) * a flaw was found in the kernel's Unidirectional Lightweight Encapsulation (ULE) implementation. A remote attacker could send a specially-crafted ISO MPEG-2 Transport Stream (TS) frame to a target system, resulting in a denial of service. (CVE-2010-1086, Important) * a use-after-free flaw was found in tcp_rcv_state_process() in the kernel's TCP/IP protocol suite implementation. If a system using IPv6 had the IPV6_RECVPKTINFO option set on a listening socket, a remote attacker could send an IPv6 packet to that system, causing a kernel panic. (CVE-2010-1188, Important) * a divide-by-zero flaw was found in azx_position_ok() in the Intel High Definition Audio driver, snd-hda-intel. A local, unprivileged user could trigger this flaw to cause a denial of service. (CVE-2010-1085, Moderate) * an information leak flaw was found in the kernel's USB implementation. Certain USB errors could result in an uninitialized kernel buffer being sent to user-space. An attacker with physical access to a target system could use this flaw to cause an information leak. (CVE-2010-1083, Low) Red Hat would like to thank Ang Way Chuang for reporting CVE-2010-1086. Bug fixes: * a regression prevented the Broadcom BCM5761 network device from working when in the first (top) PCI-E slot of Hewlett-Packard (HP) Z600 systems. Note: The card worked in the 2nd or 3rd PCI-E slot. (BZ#567205) * the Xen hypervisor supports 168 GB of RAM for 32-bit guests. The physical address range was set incorrectly, however, causing 32-bit, para-virtualized Red Hat Enterprise Linux 4.8 guests to crash when launched on AMD64 or Intel 64 hosts that have more than 64 GB of RAM. (BZ#574392) * RHSA-2009:1024 introduced a regression, causing diskdump to fail on systems with certain adapters using the qla2xxx driver. (BZ#577234) * a race condition caused TX to stop in a guest using the virtio_net driver. (BZ#580089) * on some systems, using the "arp_validate=3" bonding option caused both links to show as "down" even though the arp_target was responding to ARP requests sent by the bonding driver. (BZ#580842) * in some circumstances, when a Red Hat Enterprise Linux client connected to a re-booted Windows-based NFS server, server-side filehandle-to-inode mapping changes caused a kernel panic. "bad_inode_ops" handling was changed to prevent this. Note: filehandle-to-inode mapping changes may still cause errors, but not panics. (BZ#582908) * when installing a Red Hat Enterprise Linux 4 guest via PXE, hard-coded fixed-size scatterlists could conflict with host requests, causing the guest's kernel to panic. With this update, dynamically allocated scatterlists are used, resolving this issue. (BZ#582911) Enhancements: * kernel support for connlimit. Note: iptables errata update RHBA-2010:0395 is also required for connlimit to work correctly. (BZ#563223) * support for the Intel architectural performance monitoring subsystem (arch_perfmon). On supported CPUs, arch_perfmon offers means to mark performance events and options for configuring and counting these events. (BZ#582913) * kernel support for OProfile sampling of Intel microarchitecture (Nehalem) CPUs. This update alone does not address OProfile support for such CPUs. A future oprofile package update will allow OProfile to work on Intel Nehalem CPUs. (BZ#582241) Users should upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements. The system must be rebooted for this update to take effect. Important Copyright 2010 Red Hat, Inc. CVE-2010-0729 CVE-2010-1083 CVE-2010-1085 CVE-2010-1086 CVE-2010-1188 [RFE ] Connlimit kernel module support [rhel-4.9] [rhel-4.8.z] CVE-2010-1083 kernel: information leak via userspace USB interface CVE-2010-1085 kernel: ALSA: hda-intel: Avoid divide by zero crash RHEL4.8: Broadcom 5761 NIC does not work [rhel-4.8.z] CVE-2010-1086 kernel: dvb-core: DoS bug in ULE decapsulation code CVE-2010-0729 kernel: ia64: ptrace: peek_or_poke requests miss ptrace_check_attach() [RHEL4 Xen]: i386 Guest crash when host has >= 64G RAM [rhel-4.8.z] qla2xxx flash programming changes in 4.8 broke diskdump [rhel-4.8.z] CVE-2010-1188 kernel: ipv6: skb is unexpectedly freed virtio_net 'eth0' interface in a RHEL 4.8 KVM virtual machine becomes unresponsive due to stopped state [rhel-4.8.z] [RHEL 4] bonding option arp_validate=3 does not seem to function properly with vlan tagging [rhel-4.8.z] [RHEL 4.7] oprofile doesn't work with Nehalem (kernel support) [rhel-4.8.z] RHEL4.8-i686 panic in vfs_getattr64() Bad EIP value. [rhel-4.8.z] i386 rhel4.8 kvm guests crashes in virtio during installation [rhel-4.8.z] [Intel 4.9] Support arch_perfmon for oprofile (kernel support) [rhel-4.8.z] cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues: * a flaw was found in the Unidirectional Lightweight Encapsulation (ULE) implementation. A remote attacker could send a specially-crafted ISO MPEG-2 Transport Stream (TS) frame to a target system, resulting in an infinite loop (denial of service). (CVE-2010-1086, Important) * on AMD64 systems, it was discovered that the kernel did not ensure the ELF interpreter was available before making a call to the SET_PERSONALITY macro. A local attacker could use this flaw to cause a denial of service by running a 32-bit application that attempts to execute a 64-bit application. (CVE-2010-0307, Moderate) * a flaw was found in the kernel connector implementation. A local, unprivileged user could trigger this flaw by sending an arbitrary number of notification requests using specially-crafted netlink messages, resulting in a denial of service. (CVE-2010-0410, Moderate) * a flaw was found in the Memory-mapped I/O (MMIO) instruction decoder in the Xen hypervisor implementation. An unprivileged guest user could use this flaw to trick the hypervisor into emulating a certain instruction, which could crash the guest (denial of service). (CVE-2010-0730, Moderate) * a divide-by-zero flaw was found in the azx_position_ok() function in the driver for Intel High Definition Audio, snd-hda-intel. A local, unprivileged user could trigger this flaw to cause a kernel crash (denial of service). (CVE-2010-1085, Moderate) This update also fixes the following bugs: * in some cases, booting a system with the "iommu=on" kernel parameter resulted in a Xen hypervisor panic. (BZ#580199) * the fnic driver flushed the Rx queue instead of the Tx queue after fabric login. This caused crashes in some cases. (BZ#580829) * "kernel unaligned access" warnings were logged to the dmesg log on some systems. (BZ#580832) * the "Northbridge Error, node 1, core: -1 K8 ECC error" error occurred on some systems using the amd64_edac driver. (BZ#580836) * in rare circumstances, when using kdump and booting a kernel with "crashkernel=128M@16M", the kdump kernel did not boot after a crash. (BZ#580838) * TLB page table entry flushing was done incorrectly on IBM System z, possibly causing crashes, subtle data inconsistency, or other issues. (BZ#580839) * iSCSI failover times were slower than in Red Hat Enterprise Linux 5.3. (BZ#580840) * fixed floating point state corruption after signal. (BZ#580841) * in certain circumstances, under heavy load, certain network interface cards using the bnx2 driver and configured to use MSI-X, could stop processing interrupts and then network connectivity would cease. (BZ#587799) * cnic parts resets could cause a deadlock when the bnx2 device was enslaved in a bonding device and that device had an associated VLAN. (BZ#581148) * some BIOS implementations initialized interrupt remapping hardware in a way the Xen hypervisor implementation did not expect. This could have caused a system hang during boot. (BZ#581150) * AMD Magny-Cours systems panicked when booting a 32-bit kernel. (BZ#580846) Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect. Important Copyright 2010 Red Hat, Inc. CVE-2010-0307 CVE-2010-0410 CVE-2010-0730 CVE-2010-1085 CVE-2010-1086 CVE-2010-0307 kernel: DoS on x86_64 CVE-2010-0410 kernel: OOM/crash in drivers/connector CVE-2010-1085 kernel: ALSA: hda-intel: Avoid divide by zero crash CVE-2010-1086 kernel: dvb-core: DoS bug in ULE decapsulation code CVE-2010-0730 xen: emulator instruction decoding inconsistency xen: clear ioapic registers on boot [rhel-5.5.z] [Cisco 5.6 bug] fnic: flush Tx queue bug fix [rhel-5.5.z] kernel unaligned messages from mptsas_firmware_event_work [rhel-5.5.z] EDAC driver error on system with bad memory [rhel-5.5.z] [5.4]System panic occurred during boot sequence with the server which carries 256GMB physical memory. [rhel-5.5.z] kernel: correct TLB flush of page table entries concurrently used by another cpu [rhel-5.5.z] REGRESSION: Fix iscsi failover time [rhel-5.5.z] floating point register state corruption after handling SIGSEGV [rhel-5.5.z] Kernel: network: bonding: scheduling while atomic: ifdown-eth/0x00000100/21775 [rhel-5.5.z] [Intel 5.6 Virt Bug] [VT-d] Dom0 booting may hang on Westmere-EP with intremap enabled [rhel-5.5.z] NIC doesn't register packets [rhel-5.5.z] cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 teTeX is an implementation of TeX. TeX takes a text file and a set of formatting commands as input, and creates a typesetter-independent DeVice Independent (DVI) file as output. A buffer overflow flaw was found in the way teTeX processed virtual font files when converting DVI files into PostScript. An attacker could create a malicious DVI file that would cause the dvips executable to crash or, potentially, execute arbitrary code. (CVE-2010-0827) Multiple integer overflow flaws were found in the way teTeX processed special commands when converting DVI files into PostScript. An attacker could create a malicious DVI file that would cause the dvips executable to crash or, potentially, execute arbitrary code. (CVE-2010-0739, CVE-2010-1440) A stack-based buffer overflow flaw was found in the way teTeX processed DVI files containing HyperTeX references with long titles, when converting them into PostScript. An attacker could create a malicious DVI file that would cause the dvips executable to crash. (CVE-2007-5935) teTeX embeds a copy of Xpdf, an open source Portable Document Format (PDF) file viewer, to allow adding images in PDF format to the generated PDF documents. The following issues affect Xpdf code: Multiple integer overflow flaws were found in Xpdf's JBIG2 decoder. If a local user generated a PDF file from a TeX document, referencing a specially-crafted PDF file, it would cause Xpdf to crash or, potentially, execute arbitrary code with the privileges of the user running pdflatex. (CVE-2009-0147, CVE-2009-1179) Multiple integer overflow flaws were found in Xpdf. If a local user generated a PDF file from a TeX document, referencing a specially-crafted PDF file, it would cause Xpdf to crash or, potentially, execute arbitrary code with the privileges of the user running pdflatex. (CVE-2009-0791, CVE-2009-3609) A heap-based buffer overflow flaw was found in Xpdf's JBIG2 decoder. If a local user generated a PDF file from a TeX document, referencing a specially-crafted PDF file, it would cause Xpdf to crash or, potentially, execute arbitrary code with the privileges of the user running pdflatex. (CVE-2009-0195) Multiple buffer overflow flaws were found in Xpdf's JBIG2 decoder. If a local user generated a PDF file from a TeX document, referencing a specially-crafted PDF file, it would cause Xpdf to crash or, potentially, execute arbitrary code with the privileges of the user running pdflatex. (CVE-2009-0146, CVE-2009-1182) Multiple flaws were found in Xpdf's JBIG2 decoder that could lead to the freeing of arbitrary memory. If a local user generated a PDF file from a TeX document, referencing a specially-crafted PDF file, it would cause Xpdf to crash or, potentially, execute arbitrary code with the privileges of the user running pdflatex. (CVE-2009-0166, CVE-2009-1180) Multiple input validation flaws were found in Xpdf's JBIG2 decoder. If a local user generated a PDF file from a TeX document, referencing a specially-crafted PDF file, it would cause Xpdf to crash or, potentially, execute arbitrary code with the privileges of the user running pdflatex. (CVE-2009-0800) Multiple denial of service flaws were found in Xpdf's JBIG2 decoder. If a local user generated a PDF file from a TeX document, referencing a specially-crafted PDF file, it would cause Xpdf to crash. (CVE-2009-0799, CVE-2009-1181, CVE-2009-1183) Red Hat would like to thank Braden Thomas and Drew Yao of the Apple Product Security team, Will Dormann of the CERT/CC, and Alin Rad Pop of Secunia Research, for responsibly reporting the Xpdf flaws. All users of tetex are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Moderate Copyright 2010 Red Hat, Inc. CVE-2007-5935 CVE-2009-0146 CVE-2009-0147 CVE-2009-0166 CVE-2009-0195 CVE-2009-0791 CVE-2009-0799 CVE-2009-0800 CVE-2009-1179 CVE-2009-1180 CVE-2009-1181 CVE-2009-1182 CVE-2009-1183 CVE-2009-3609 CVE-2010-0739 CVE-2010-0827 CVE-2010-1440 CVE-2007-5935 dvips -z buffer overflow with long href CVE-2009-0146 xpdf: Multiple buffer overflows in JBIG2 decoder (setBitmap, readSymbolDictSeg) (CVE-2009-0195) CVE-2009-0147 xpdf: Multiple integer overflows in JBIG2 decoder CVE-2009-0166 xpdf: Freeing of potentially uninitialized memory in JBIG2 decoder CVE-2009-0791 xpdf: multiple integer overflows CVE-2009-0799 PDF JBIG2 decoder OOB read CVE-2009-0800 PDF JBIG2 multiple input validation flaws CVE-2009-1179 PDF JBIG2 integer overflow CVE-2009-1180 PDF JBIG2 invalid free() CVE-2009-1181 PDF JBIG2 NULL dereference CVE-2009-1182 PDF JBIG2 MMR decoder buffer overflows CVE-2009-1183 PDF JBIG2 MMR infinite loop DoS CVE-2009-3609 xpdf/poppler: ImageStream::ImageStream integer overflow CVE-2010-0827 tetex, texlive: Buffer overflow flaw by processing virtual font files CVE-2010-0739 tetex, texlive: Integer overflow by processing special commands CVE-2010-1440 tetex, texlive: Integer overflow by processing special commands cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 teTeX is an implementation of TeX. TeX takes a text file and a set of formatting commands as input, and creates a typesetter-independent DeVice Independent (DVI) file as output. Multiple integer overflow flaws were found in the way teTeX processed special commands when converting DVI files into PostScript. An attacker could create a malicious DVI file that would cause the dvips executable to crash or, potentially, execute arbitrary code. (CVE-2010-0739, CVE-2010-1440) Multiple array index errors were found in the way teTeX converted DVI files into the Portable Network Graphics (PNG) format. An attacker could create a malicious DVI file that would cause the dvipng executable to crash. (CVE-2010-0829) teTeX embeds a copy of Xpdf, an open source Portable Document Format (PDF) file viewer, to allow adding images in PDF format to the generated PDF documents. The following issues affect Xpdf code: Multiple integer overflow flaws were found in Xpdf's JBIG2 decoder. If a local user generated a PDF file from a TeX document, referencing a specially-crafted PDF file, it would cause Xpdf to crash or, potentially, execute arbitrary code with the privileges of the user running pdflatex. (CVE-2009-0147, CVE-2009-1179) Multiple integer overflow flaws were found in Xpdf. If a local user generated a PDF file from a TeX document, referencing a specially-crafted PDF file, it would cause Xpdf to crash or, potentially, execute arbitrary code with the privileges of the user running pdflatex. (CVE-2009-0791, CVE-2009-3608, CVE-2009-3609) A heap-based buffer overflow flaw was found in Xpdf's JBIG2 decoder. If a local user generated a PDF file from a TeX document, referencing a specially-crafted PDF file, it would cause Xpdf to crash or, potentially, execute arbitrary code with the privileges of the user running pdflatex. (CVE-2009-0195) Multiple buffer overflow flaws were found in Xpdf's JBIG2 decoder. If a local user generated a PDF file from a TeX document, referencing a specially-crafted PDF file, it would cause Xpdf to crash or, potentially, execute arbitrary code with the privileges of the user running pdflatex. (CVE-2009-0146, CVE-2009-1182) Multiple flaws were found in Xpdf's JBIG2 decoder that could lead to the freeing of arbitrary memory. If a local user generated a PDF file from a TeX document, referencing a specially-crafted PDF file, it would cause Xpdf to crash or, potentially, execute arbitrary code with the privileges of the user running pdflatex. (CVE-2009-0166, CVE-2009-1180) Multiple input validation flaws were found in Xpdf's JBIG2 decoder. If a local user generated a PDF file from a TeX document, referencing a specially-crafted PDF file, it would cause Xpdf to crash or, potentially, execute arbitrary code with the privileges of the user running pdflatex. (CVE-2009-0800) Multiple denial of service flaws were found in Xpdf's JBIG2 decoder. If a local user generated a PDF file from a TeX document, referencing a specially-crafted PDF file, it would cause Xpdf to crash. (CVE-2009-0799, CVE-2009-1181, CVE-2009-1183) Red Hat would like to thank Braden Thomas and Drew Yao of the Apple Product Security team, Will Dormann of the CERT/CC, Alin Rad Pop of Secunia Research, and Chris Rohlf, for responsibly reporting the Xpdf flaws. All users of tetex are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Moderate Copyright 2010 Red Hat, Inc. CVE-2009-0146 CVE-2009-0147 CVE-2009-0166 CVE-2009-0195 CVE-2009-0791 CVE-2009-0799 CVE-2009-0800 CVE-2009-1179 CVE-2009-1180 CVE-2009-1181 CVE-2009-1182 CVE-2009-1183 CVE-2009-3608 CVE-2009-3609 CVE-2010-0739 CVE-2010-0829 CVE-2010-1440 CVE-2009-0146 xpdf: Multiple buffer overflows in JBIG2 decoder (setBitmap, readSymbolDictSeg) (CVE-2009-0195) CVE-2009-0147 xpdf: Multiple integer overflows in JBIG2 decoder CVE-2009-0166 xpdf: Freeing of potentially uninitialized memory in JBIG2 decoder CVE-2009-0791 xpdf: multiple integer overflows CVE-2009-0799 PDF JBIG2 decoder OOB read CVE-2009-0800 PDF JBIG2 multiple input validation flaws CVE-2009-1179 PDF JBIG2 integer overflow CVE-2009-1180 PDF JBIG2 invalid free() CVE-2009-1181 PDF JBIG2 NULL dereference CVE-2009-1182 PDF JBIG2 MMR decoder buffer overflows CVE-2009-1183 PDF JBIG2 MMR infinite loop DoS CVE-2009-3608 xpdf/poppler: integer overflow in ObjectStream::ObjectStream (oCERT-2009-016) CVE-2009-3609 xpdf/poppler: ImageStream::ImageStream integer overflow CVE-2010-0739 tetex, texlive: Integer overflow by processing special commands CVE-2010-0829 tetex, dvipng: Multiple array index errors during DVI-to-PNG translation CVE-2010-1440 tetex, texlive: Integer overflow by processing special commands cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 teTeX is an implementation of TeX. TeX takes a text file and a set of formatting commands as input, and creates a typesetter-independent DeVice Independent (DVI) file as output. A buffer overflow flaw was found in the way teTeX processed virtual font files when converting DVI files into PostScript. An attacker could create a malicious DVI file that would cause the dvips executable to crash or, potentially, execute arbitrary code. (CVE-2010-0827) Multiple integer overflow flaws were found in the way teTeX processed special commands when converting DVI files into PostScript. An attacker could create a malicious DVI file that would cause the dvips executable to crash or, potentially, execute arbitrary code. (CVE-2010-0739, CVE-2010-1440) A stack-based buffer overflow flaw was found in the way teTeX processed DVI files containing HyperTeX references with long titles, when converting them into PostScript. An attacker could create a malicious DVI file that would cause the dvips executable to crash. (CVE-2007-5935) teTeX embeds a copy of Xpdf, an open source Portable Document Format (PDF) file viewer, to allow adding images in PDF format to the generated PDF documents. The following issues affect Xpdf code: Multiple integer overflow flaws were found in Xpdf. If a local user generated a PDF file from a TeX document, referencing a specially-crafted PDF file, it would cause Xpdf to crash or, potentially, execute arbitrary code with the privileges of the user running pdflatex. (CVE-2009-0791, CVE-2009-3609) All users of tetex are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Moderate Copyright 2010 Red Hat, Inc. CVE-2007-5935 CVE-2009-0791 CVE-2009-3609 CVE-2010-0739 CVE-2010-0827 CVE-2010-1440 CVE-2007-5935 dvips -z buffer overflow with long href CVE-2009-0791 xpdf: multiple integer overflows CVE-2009-3609 xpdf/poppler: ImageStream::ImageStream integer overflow CVE-2010-0827 tetex, texlive: Buffer overflow flaw by processing virtual font files CVE-2010-0739 tetex, texlive: Integer overflow by processing special commands CVE-2010-1440 tetex, texlive: Integer overflow by processing special commands cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third party, the Key Distribution Center (KDC). A NULL pointer dereference flaw was discovered in the MIT Kerberos Generic Security Service Application Program Interface (GSS-API) library. A remote, authenticated attacker could use this flaw to crash any server application using the GSS-API authentication mechanism, by sending a specially-crafted GSS-API token with a missing checksum field. (CVE-2010-1321) Red Hat would like to thank the MIT Kerberos Team for responsibly reporting this issue. Upstream acknowledges Shawn Emery of Oracle as the original reporter. All krb5 users should upgrade to these updated packages, which contain a backported patch to correct this issue. All running services using the MIT Kerberos libraries must be restarted for the update to take effect. Important Copyright 2010 Red Hat, Inc. CVE-2010-1321 CVE-2010-1321 krb5: null pointer dereference in GSS-API library leads to DoS (MITKRB5-SA-2010-005) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 PostgreSQL is an advanced object-relational database management system (DBMS). PL/Perl and PL/Tcl allow users to write PostgreSQL functions in the Perl and Tcl languages, and are installed in trusted mode by default. In trusted mode, certain operations, such as operating system level access, are restricted. A flaw was found in the way PostgreSQL enforced permission checks on scripts written in PL/Perl. If the PL/Perl procedural language was registered on a particular database, an authenticated database user running a specially-crafted PL/Perl script could use this flaw to bypass intended PL/Perl trusted mode restrictions, allowing them to run arbitrary Perl scripts with the privileges of the database server. (CVE-2010-1169) Red Hat would like to thank Tim Bunce for responsibly reporting the CVE-2010-1169 flaw. A flaw was found in the way PostgreSQL enforced permission checks on scripts written in PL/Tcl. If the PL/Tcl procedural language was registered on a particular database, an authenticated database user running a specially-crafted PL/Tcl script could use this flaw to bypass intended PL/Tcl trusted mode restrictions, allowing them to run arbitrary Tcl scripts with the privileges of the database server. (CVE-2010-1170) A buffer overflow flaw was found in the way PostgreSQL retrieved a substring from the bit string for BIT() and BIT VARYING() SQL data types. An authenticated database user running a specially-crafted SQL query could use this flaw to cause a temporary denial of service (postgres daemon crash) or, potentially, execute arbitrary code with the privileges of the database server. (CVE-2010-0442) An integer overflow flaw was found in the way PostgreSQL used to calculate the size of the hash table for joined relations. An authenticated database user could create a specially-crafted SQL query which could cause a temporary denial of service (postgres daemon crash) or, potentially, execute arbitrary code with the privileges of the database server. (CVE-2010-0733) PostgreSQL improperly protected session-local state during the execution of an index function by a database superuser during the database maintenance operations. An authenticated database user could use this flaw to elevate their privileges via specially-crafted index functions. (CVE-2009-4136) All PostgreSQL users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Running PostgreSQL instances must be restarted ("service rhdb restart") for this update to take effect. Moderate Copyright 2010 Red Hat, Inc. CVE-2009-4136 CVE-2010-0442 CVE-2010-0733 CVE-2010-1169 CVE-2010-1170 CVE-2009-4136 postgresql: SQL privilege escalation via modifications to session-local state CVE-2010-0733 postgresql: Integer overflow in hash table size calculation CVE-2010-0442 postgresql: substring() negative length argument buffer overflow CVE-2010-1169 PostgreSQL: PL/Perl Intended restriction bypass CVE-2010-1170 PostgreSQL: PL/Tcl Intended restriction bypass cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 PostgreSQL is an advanced object-relational database management system (DBMS). PL/Perl and PL/Tcl allow users to write PostgreSQL functions in the Perl and Tcl languages, and are installed in trusted mode by default. In trusted mode, certain operations, such as operating system level access, are restricted. A flaw was found in the way PostgreSQL enforced permission checks on scripts written in PL/Perl. If the PL/Perl procedural language was registered on a particular database, an authenticated database user running a specially-crafted PL/Perl script could use this flaw to bypass intended PL/Perl trusted mode restrictions, allowing them to run arbitrary Perl scripts with the privileges of the database server. (CVE-2010-1169) Red Hat would like to thank Tim Bunce for responsibly reporting the CVE-2010-1169 flaw. A flaw was found in the way PostgreSQL enforced permission checks on scripts written in PL/Tcl. If the PL/Tcl procedural language was registered on a particular database, an authenticated database user running a specially-crafted PL/Tcl script could use this flaw to bypass intended PL/Tcl trusted mode restrictions, allowing them to run arbitrary Tcl scripts with the privileges of the database server. (CVE-2010-1170) A buffer overflow flaw was found in the way PostgreSQL retrieved a substring from the bit string for BIT() and BIT VARYING() SQL data types. An authenticated database user running a specially-crafted SQL query could use this flaw to cause a temporary denial of service (postgres daemon crash) or, potentially, execute arbitrary code with the privileges of the database server. (CVE-2010-0442) An integer overflow flaw was found in the way PostgreSQL used to calculate the size of the hash table for joined relations. An authenticated database user could create a specially-crafted SQL query which could cause a temporary denial of service (postgres daemon crash) or, potentially, execute arbitrary code with the privileges of the database server. (CVE-2010-0733) PostgreSQL improperly protected session-local state during the execution of an index function by a database superuser during the database maintenance operations. An authenticated database user could use this flaw to elevate their privileges via specially-crafted index functions. (CVE-2009-4136) These packages upgrade PostgreSQL to version 7.4.29. Refer to the PostgreSQL Release Notes for a list of changes: http://www.postgresql.org/docs/7.4/static/release.html All PostgreSQL users are advised to upgrade to these updated packages, which correct these issues. If the postgresql service is running, it will be automatically restarted after installing this update. Moderate Copyright 2010 Red Hat, Inc. CVE-2009-4136 CVE-2010-0442 CVE-2010-0733 CVE-2010-1169 CVE-2010-1170 CVE-2010-1975 CVE-2009-4136 postgresql: SQL privilege escalation via modifications to session-local state CVE-2010-0733 postgresql: Integer overflow in hash table size calculation CVE-2010-0442 postgresql: substring() negative length argument buffer overflow CVE-2010-1169 PostgreSQL: PL/Perl Intended restriction bypass CVE-2010-1170 PostgreSQL: PL/Tcl Intended restriction bypass cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 PostgreSQL is an advanced object-relational database management system (DBMS). PL/Perl and PL/Tcl allow users to write PostgreSQL functions in the Perl and Tcl languages, and are installed in trusted mode by default. In trusted mode, certain operations, such as operating system level access, are restricted. A flaw was found in the way PostgreSQL enforced permission checks on scripts written in PL/Perl. If the PL/Perl procedural language was registered on a particular database, an authenticated database user running a specially-crafted PL/Perl script could use this flaw to bypass intended PL/Perl trusted mode restrictions, allowing them to run arbitrary Perl scripts with the privileges of the database server. (CVE-2010-1169) Red Hat would like to thank Tim Bunce for responsibly reporting the CVE-2010-1169 flaw. A flaw was found in the way PostgreSQL enforced permission checks on scripts written in PL/Tcl. If the PL/Tcl procedural language was registered on a particular database, an authenticated database user running a specially-crafted PL/Tcl script could use this flaw to bypass intended PL/Tcl trusted mode restrictions, allowing them to run arbitrary Tcl scripts with the privileges of the database server. (CVE-2010-1170) A buffer overflow flaw was found in the way PostgreSQL retrieved a substring from the bit string for BIT() and BIT VARYING() SQL data types. An authenticated database user running a specially-crafted SQL query could use this flaw to cause a temporary denial of service (postgres daemon crash) or, potentially, execute arbitrary code with the privileges of the database server. (CVE-2010-0442) An integer overflow flaw was found in the way PostgreSQL used to calculate the size of the hash table for joined relations. An authenticated database user could create a specially-crafted SQL query which could cause a temporary denial of service (postgres daemon crash) or, potentially, execute arbitrary code with the privileges of the database server. (CVE-2010-0733) PostgreSQL improperly protected session-local state during the execution of an index function by a database superuser during the database maintenance operations. An authenticated database user could use this flaw to elevate their privileges via specially-crafted index functions. (CVE-2009-4136) These packages upgrade PostgreSQL to version 8.1.21. Refer to the PostgreSQL Release Notes for a list of changes: http://www.postgresql.org/docs/8.1/static/release.html All PostgreSQL users are advised to upgrade to these updated packages, which correct these issues. If the postgresql service is running, it will be automatically restarted after installing this update. Moderate Copyright 2010 Red Hat, Inc. CVE-2009-4136 CVE-2010-0442 CVE-2010-0733 CVE-2010-1169 CVE-2010-1170 CVE-2010-1975 CVE-2009-4136 postgresql: SQL privilege escalation via modifications to session-local state CVE-2010-0733 postgresql: Integer overflow in hash table size calculation CVE-2010-0442 postgresql: substring() negative length argument buffer overflow CVE-2010-1169 PostgreSQL: PL/Perl Intended restriction bypass CVE-2010-1170 PostgreSQL: PL/Tcl Intended restriction bypass cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 PostgreSQL is an advanced object-relational database management system (DBMS). PL/Perl and PL/Tcl allow users to write PostgreSQL functions in the Perl and Tcl languages, and are installed in trusted mode by default. In trusted mode, certain operations, such as operating system level access, are restricted. A flaw was found in the way PostgreSQL enforced permission checks on scripts written in PL/Perl. If the PL/Perl procedural language was registered on a particular database, an authenticated database user running a specially-crafted PL/Perl script could use this flaw to bypass intended PL/Perl trusted mode restrictions, allowing them to run arbitrary Perl scripts with the privileges of the database server. (CVE-2010-1169) Red Hat would like to thank Tim Bunce for responsibly reporting the CVE-2010-1169 flaw. A flaw was found in the way PostgreSQL enforced permission checks on scripts written in PL/Tcl. If the PL/Tcl procedural language was registered on a particular database, an authenticated database user running a specially-crafted PL/Tcl script could use this flaw to bypass intended PL/Tcl trusted mode restrictions, allowing them to run arbitrary Tcl scripts with the privileges of the database server. (CVE-2010-1170) These packages upgrade PostgreSQL to version 8.4.4. Refer to the PostgreSQL Release Notes for a list of changes: http://www.postgresql.org/docs/8.4/static/release.html All PostgreSQL users are advised to upgrade to these updated packages, which correct these issues. If the postgresql service is running, it will be automatically restarted after installing this update. Moderate Copyright 2010 Red Hat, Inc. CVE-2010-1169 CVE-2010-1170 CVE-2010-1975 CVE-2010-1169 PostgreSQL: PL/Perl Intended restriction bypass CVE-2010-1170 PostgreSQL: PL/Tcl Intended restriction bypass cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 MySQL is a multi-user, multi-threaded SQL database server. It consists of the MySQL server daemon (mysqld) and many client programs and libraries. A buffer overflow flaw was found in the way MySQL handled the parameters of the MySQL COM_FIELD_LIST network protocol command (this command is sent when a client uses the MySQL mysql_list_fields() client library function). An authenticated database user could send a request with an excessively long table name to cause a temporary denial of service (mysqld crash) or, potentially, execute arbitrary code with the privileges of the database server. (CVE-2010-1850) A directory traversal flaw was found in the way MySQL handled the parameters of the MySQL COM_FIELD_LIST network protocol command. An authenticated database user could use this flaw to obtain descriptions of the fields of an arbitrary table using a request with a specially-crafted table name. (CVE-2010-1848) A flaw was discovered in the way MySQL handled symbolic links to tables created using the DATA DIRECTORY and INDEX DIRECTORY directives in CREATE TABLE statements. An attacker with CREATE and DROP table privileges, and shell access to the database server, could use this flaw to remove data and index files of tables created by other database users using the MyISAM storage engine. (CVE-2010-1626) All MySQL users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. After installing this update, the MySQL server daemon (mysqld) will be restarted automatically. Important Copyright 2010 Red Hat, Inc. CVE-2010-1626 CVE-2010-1848 CVE-2010-1850 CVE-2010-1626 mysql: table destruction via DATA/INDEX DIRECTORY directives using symlinks CVE-2010-1848 mysql: multiple insufficient table name checks CVE-2010-1850 mysql: COM_FIELD_LIST table name buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Network Client Tools provide programs and libraries that allow your system to receive software updates from the Red Hat Network (RHN). It was discovered that rhn-client-tools set insecure permissions on the loginAuth.pkl file, used to store session credentials for authenticating connections to Red Hat Network servers. A local, unprivileged user could use these credentials to download packages from the Red Hat Network. They could also manipulate package or action lists associated with the system's profile. (CVE-2010-1439) Users of rhn-client-tools are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. Moderate Copyright 2010 Red Hat, Inc. CVE-2010-1439 CVE-2010-1439 rhn-client-tools: authorized information disclosure cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Perl is a high-level programming language commonly used for system administration utilities and web programming. The Safe extension module allows users to compile and execute Perl code in restricted compartments. The Safe module did not properly restrict the code of implicitly called methods (such as DESTROY and AUTOLOAD) on implicitly blessed objects returned as a result of unsafe code evaluation. These methods could have been executed unrestricted by Safe when such objects were accessed or destroyed. A specially-crafted Perl script executed inside of a Safe compartment could use this flaw to bypass intended Safe module restrictions. (CVE-2010-1168) The Safe module did not properly restrict code compiled in a Safe compartment and executed out of the compartment via a subroutine reference returned as a result of unsafe code evaluation. A specially-crafted Perl script executed inside of a Safe compartment could use this flaw to bypass intended Safe module restrictions, if the returned subroutine reference was called from outside of the compartment. (CVE-2010-1447) Red Hat would like to thank Tim Bunce for responsibly reporting the CVE-2010-1168 and CVE-2010-1447 issues. Upstream acknowledges Nick Cleaton as the original reporter of CVE-2010-1168, and Tim Bunce and Rafaël Garcia-Suarez as the original reporters of CVE-2010-1447. These packages upgrade the Safe extension module to version 2.27. Refer to the Safe module's Changes file, linked to in the References, for a full list of changes. Users of perl are advised to upgrade to these updated packages, which correct these issues. All applications using the Safe extension module must be restarted for this update to take effect. Moderate Copyright 2010 Red Hat, Inc. CVE-2010-1168 CVE-2010-1447 CVE-2010-1168 perl Safe: Intended restriction bypass via object references CVE-2010-1447 perl: Safe restriction bypass when reference to subroutine in compartment is called from outside cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Perl is a high-level programming language commonly used for system administration utilities and web programming. The Safe extension module allows users to compile and execute Perl code in restricted compartments. The File::Path module allows users to create and remove directory trees. The Safe module did not properly restrict the code of implicitly called methods (such as DESTROY and AUTOLOAD) on implicitly blessed objects returned as a result of unsafe code evaluation. These methods could have been executed unrestricted by Safe when such objects were accessed or destroyed. A specially-crafted Perl script executed inside of a Safe compartment could use this flaw to bypass intended Safe module restrictions. (CVE-2010-1168) The Safe module did not properly restrict code compiled in a Safe compartment and executed out of the compartment via a subroutine reference returned as a result of unsafe code evaluation. A specially-crafted Perl script executed inside of a Safe compartment could use this flaw to bypass intended Safe module restrictions, if the returned subroutine reference was called from outside of the compartment. (CVE-2010-1447) Multiple race conditions were found in the way the File::Path module's rmtree function removed directory trees. A malicious, local user with write access to a directory being removed by a victim, running a Perl script using rmtree, could cause the permissions of arbitrary files to be changed to world-writable and setuid, or delete arbitrary files via a symbolic link attack, if the victim had the privileges to change the permissions of the target files or to remove them. (CVE-2008-5302, CVE-2008-5303) Red Hat would like to thank Tim Bunce for responsibly reporting the CVE-2010-1168 and CVE-2010-1447 issues. Upstream acknowledges Nick Cleaton as the original reporter of CVE-2010-1168, and Tim Bunce and Rafaël Garcia-Suarez as the original reporters of CVE-2010-1447. These packages upgrade the Safe extension module to version 2.27. Refer to the Safe module's Changes file, linked to in the References, for a full list of changes. Users of perl are advised to upgrade to these updated packages, which correct these issues. All applications using the Safe or File::Path modules must be restarted for this update to take effect. Moderate Copyright 2010 Red Hat, Inc. CVE-2008-5302 CVE-2008-5303 CVE-2010-1168 CVE-2010-1447 CVE-2008-5302 perl: File::Path rmtree race condition (CVE-2005-0448) reintroduced after upstream rebase to 5.8.8-1 CVE-2008-5303 symlink perl: File::Path rmtree race condition (CVE-2004-0452) reintroduced after upstream rebase to 5.8.8-1 CVE-2010-1168 perl Safe: Intended restriction bypass via object references CVE-2010-1447 perl: Safe restriction bypass when reference to subroutine in compartment is called from outside cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 OpenOffice.org is an office productivity suite that includes desktop applications, such as a word processor, spreadsheet application, presentation manager, formula editor, and a drawing program. A flaw was found in the way OpenOffice.org enforced a macro security setting for macros, written in the Python scripting language, that were embedded in OpenOffice.org documents. If a user were tricked into opening a specially-crafted OpenOffice.org document and previewed the macro directory structure, it could lead to Python macro execution even if macro execution was disabled. (CVE-2010-0395) All users of OpenOffice.org are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. For Red Hat Enterprise Linux 4, this erratum provides updated openoffice.org2 packages. For Red Hat Enterprise Linux 5, this erratum provides updated openoffice.org packages. All running instances of OpenOffice.org applications must be restarted for this update to take effect. Moderate Copyright 2010 Red Hat, Inc. CVE-2010-0395 CVE-2010-0395 openoffice.org Execution of Python code when browsing macros cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in. This update fixes multiple vulnerabilities in Adobe Flash Player. These vulnerabilities are detailed on the Adobe security pages APSA10-01 and APSB10-14, listed in the References section. Multiple security flaws were found in the way flash-plugin displayed certain SWF content. An attacker could use these flaws to create a specially-crafted SWF file that would cause flash-plugin to crash or, potentially, execute arbitrary code when the victim loaded a page containing the specially-crafted SWF content. (CVE-2009-3793, CVE-2010-1297, CVE-2010-2160, CVE-2010-2161, CVE-2010-2162, CVE-2010-2163, CVE-2010-2164, CVE-2010-2165, CVE-2010-2166, CVE-2010-2167, CVE-2010-2169, CVE-2010-2170, CVE-2010-2171, CVE-2010-2173, CVE-2010-2174, CVE-2010-2175, CVE-2010-2176, CVE-2010-2177, CVE-2010-2178, CVE-2010-2180, CVE-2010-2181, CVE-2010-2182, CVE-2010-2183, CVE-2010-2184, CVE-2010-2185, CVE-2010-2186, CVE-2010-2187, CVE-2010-2188) An input sanitization flaw was found in the way flash-plugin processed certain URLs. An attacker could use this flaw to conduct cross-site scripting (XSS) attacks if a victim were tricked into visiting a specially-crafted web page. (CVE-2010-2179) A denial of service flaw was found in the way flash-plugin processed certain SWF content. An attacker could use this flaw to create a specially-crafted SWF file that would cause flash-plugin to crash. (CVE-2008-4546) All users of Adobe Flash Player should install this updated package, which upgrades Flash Player to version 10.1.53.64. Critical Copyright 2010 Red Hat, Inc. CVE-2008-4546 CVE-2009-3793 CVE-2010-1297 CVE-2010-2160 CVE-2010-2161 CVE-2010-2162 CVE-2010-2163 CVE-2010-2164 CVE-2010-2165 CVE-2010-2166 CVE-2010-2167 CVE-2010-2169 CVE-2010-2170 CVE-2010-2171 CVE-2010-2173 CVE-2010-2174 CVE-2010-2175 CVE-2010-2176 CVE-2010-2177 CVE-2010-2178 CVE-2010-2179 CVE-2010-2180 CVE-2010-2181 CVE-2010-2182 CVE-2010-2183 CVE-2010-2184 CVE-2010-2185 CVE-2010-2186 CVE-2010-2187 CVE-2010-2188 CVE-2008-4546 flash-plugin: crash caused by SWF files with different SWF versions obtained from the same URL CVE-2010-1297 acroread, flash-plugin: Arbitrary code execution by opening a specially-crafted PDF file with malicious SWF content (APSA10-01) flash-plugin: multiple security flaws (APSB10-14) cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 4 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security fixes: * a NULL pointer dereference flaw was found in the Linux kernel NFSv4 implementation. Several of the NFSv4 file locking functions failed to check whether a file had been opened on the server before performing locking operations on it. A local, unprivileged user on a system with an NFSv4 share mounted could possibly use this flaw to cause a kernel panic (denial of service) or escalate their privileges. (CVE-2009-3726, Important) * a flaw was found in the sctp_process_unk_param() function in the Linux kernel Stream Control Transmission Protocol (SCTP) implementation. A remote attacker could send a specially-crafted SCTP packet to an SCTP listening port on a target system, causing a kernel panic (denial of service). (CVE-2010-1173, Important) * a race condition between finding a keyring by name and destroying a freed keyring was found in the Linux kernel key management facility. A local, unprivileged user could use this flaw to cause a kernel panic (denial of service) or escalate their privileges. (CVE-2010-1437, Important) Red Hat would like to thank Simon Vallet for responsibly reporting CVE-2009-3726; and Jukka Taimisto and Olli Jarva of Codenomicon Ltd, Nokia Siemens Networks, and Wind River on behalf of their customer, for responsibly reporting CVE-2010-1173. Bug fixes: * RHBA-2007:0791 introduced a regression in the Journaling Block Device (JBD). Under certain circumstances, removing a large file (such as 300 MB or more) did not result in inactive memory being freed, leading to the system having a large amount of inactive memory. Now, the memory is correctly freed. (BZ#589155) * the timer_interrupt() routine did not scale lost real ticks to logical ticks correctly, possibly causing time drift for 64-bit Red Hat Enterprise Linux 4 KVM (Kernel-based Virtual Machine) guests that were booted with the "divider=x" kernel parameter set to a value greater than 1. "warning: many lost ticks" messages may have been logged on the affected guest systems. (BZ#590551) * a bug could have prevented NFSv3 clients from having the most up-to-date file attributes for files on a given NFSv3 file system. In cases where a file type changed, such as if a file was removed and replaced with a directory of the same name, the NFSv3 client may not have noticed this change until stat(2) was called (for example, by running "ls -l"). (BZ#596372) * RHBA-2007:0791 introduced bugs in the Linux kernel PCI-X subsystem. These could have caused a system deadlock on some systems where the BIOS set the default Maximum Memory Read Byte Count (MMRBC) to 4096, and that also use the Intel PRO/1000 Linux driver, e1000. Errors such as "e1000: eth[x]: e1000_clean_tx_irq: Detected Tx Unit Hang" were logged. (BZ#596374) * an out of memory condition in a KVM guest, using the virtio-net network driver and also under heavy network stress, could have resulted in that guest being unable to receive network traffic. Users had to manually remove and re-add the virtio_net module and restart the network service before networking worked as expected. Such memory conditions no longer prevent KVM guests receiving network traffic. (BZ#597310) * when an SFQ qdisc that limited the queue size to two packets was added to a network interface, sending traffic through that interface resulted in a kernel crash. Such a qdisc no longer results in a kernel crash. (BZ#597312) * when an NFS client opened a file with the O_TRUNC flag set, it received a valid stateid, but did not use that stateid to perform the SETATTR call. Such cases were rejected by Red Hat Enterprise Linux 4 NFS servers with an "NFS4ERR_BAD_STATEID" error, possibly preventing some NFS clients from writing files to an NFS file system. (BZ#597314) Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect. Important Copyright 2010 Red Hat, Inc. CVE-2009-3726 CVE-2010-1173 CVE-2010-1437 CVE-2009-3726 kernel: nfsv4: kernel panic in nfs4_proc_lock() CVE-2010-1173 kernel: sctp: crash due to malformed SCTPChunkInit packet CVE-2010-1437 kernel: keyrings: find_keyring_by_name() can gain the freed keyring jbd not releasing data buffers, causing high inactive meory in RHEL4.6 /proc/meminfo [rhel-4.8.z] time drift due to incorrect accounting of lost ticks with VXTIME_PMTMR mode and VXTIME_TSC mode if 'tick_divider' > 1 [rhel-4.8.z] NFSv3 file attributes are not updated by READDIRPLUS reply [rhel-4.8.z] e1000_clean_tx_irq: Detected Tx Unit Hang [rhel-4.8.z] Lost the network in a KVM VM on top of 4.9 [rhel-4.8.z] SFQ qdisc crashes with limit of 2 packets [rhel-4.8.z] cthon test5 failing on nfsv4 with rhel6 client vs. rhel4 server [rhel-4.8.z] cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The sudo (superuser do) utility allows system administrators to give certain users the ability to run commands as root. A flaw was found in the way sudo handled the presence of duplicated environment variables. A local user authorized to run commands using sudo could use this flaw to set additional values for the environment variables set by sudo, which could result in those values being used by the executed command instead of the values set by sudo. This could possibly lead to certain intended restrictions being bypassed, such as the secure_path setting. (CVE-2010-1646) Red Hat would like to thank Anders Kaseorg and Evan Broder of Ksplice, Inc. for responsibly reporting this issue. Users of sudo should upgrade to this updated package, which contains a backported patch to correct this issue. Moderate Copyright 2010 Red Hat, Inc. CVE-2010-1646 CVE-2010-1646 sudo: insufficient environment sanitization issue cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Samba is a suite of programs used by machines to share files, printers, and other information. An input sanitization flaw was found in the way Samba parsed client data. A malicious client could send a specially-crafted SMB packet to the Samba server, resulting in arbitrary code execution with the privileges of the Samba server (smbd). (CVE-2010-2063) Red Hat would like to thank the Samba team for responsibly reporting this issue. Upstream acknowledges Jun Mao as the original reporter. Users of Samba are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing this update, the smb service will be restarted automatically. Critical Copyright 2010 Red Hat, Inc. CVE-2010-2063 CVE-2010-2063 samba: memory corruption vulnerability cpe:/o:redhat:rhel_eus cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 The IBM 1.5.0 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. This update fixes several vulnerabilities in the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. Detailed vulnerability descriptions are linked from the IBM "Security alerts" page, listed in the References section. (CVE-2010-0840, CVE-2010-0841, CVE-2010-0842, CVE-2010-0843, CVE-2010-0844, CVE-2010-0846, CVE-2010-0847, CVE-2010-0848, CVE-2010-0849) All users of java-1.5.0-ibm are advised to upgrade to these updated packages, containing the IBM 1.5.0 SR11-FP2 Java release. All running instances of IBM Java must be restarted for this update to take effect. Critical Copyright 2010 Red Hat, Inc. CVE-2010-0840 CVE-2010-0841 CVE-2010-0842 CVE-2010-0843 CVE-2010-0844 CVE-2010-0846 CVE-2010-0847 CVE-2010-0848 CVE-2010-0849 CVE-2010-0840 OpenJDK Applet Trusted Methods Chaining Privilege Escalation Vulnerability (6904691) CVE-2010-0841 OpenJDK JPEGImageReader stepX Integer Overflow Vulnerability (6909597) CVE-2010-0848 OpenJDK AWT Library Invalid Index Vulnerability (6914823) CVE-2010-0847 OpenJDK ImagingLib arbitrary code execution vulnerability (6914866) CVE-2010-0846 JDK unspecified vulnerability in ImageIO component CVE-2010-0849 JDK unspecified vulnerability in Java2D component CVE-2010-0839 CVE-2010-0842 CVE-2010-0843 CVE-2010-0844 JDK multiple unspecified vulnerabilities cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX operating systems. The CUPS "texttops" filter converts text files to PostScript. A missing memory allocation failure check flaw, leading to a NULL pointer dereference, was found in the CUPS "texttops" filter. An attacker could create a malicious text file that would cause "texttops" to crash or, potentially, execute arbitrary code as the "lp" user if the file was printed. (CVE-2010-0542) A Cross-Site Request Forgery (CSRF) issue was found in the CUPS web interface. If a remote attacker could trick a user, who is logged into the CUPS web interface as an administrator, into visiting a specially-crafted website, the attacker could reconfigure and disable CUPS, and gain access to print jobs and system files. (CVE-2010-0540) Note: As a result of the fix for CVE-2010-0540, cookies must now be enabled in your web browser to use the CUPS web interface. An uninitialized memory read issue was found in the CUPS web interface. If an attacker had access to the CUPS web interface, they could use a specially-crafted URL to leverage this flaw to read a limited amount of memory from the cupsd process, possibly obtaining sensitive information. (CVE-2010-1748) Red Hat would like to thank the Apple Product Security team for responsibly reporting these issues. Upstream acknowledges regenrecht as the original reporter of CVE-2010-0542; Adrian 'pagvac' Pastor of GNUCITIZEN and Tim Starling as the original reporters of CVE-2010-0540; and Luca Carettoni as the original reporter of CVE-2010-1748. Users of cups are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the cupsd daemon will be restarted automatically. Important Copyright 2010 Red Hat, Inc. CVE-2010-0540 CVE-2010-0542 CVE-2010-1748 CVE-2010-0542 CUPS: texttops unchecked memory allocation failure leading to NULL pointer dereference CVE-2010-0540 CUPS administrator web interface CSRF CVE-2010-1748 cups: web interface memory disclosure cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 SeaMonkey is an open source web browser, email and newsgroup client, IRC chat client, and HTML editor. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause SeaMonkey to crash or, potentially, execute arbitrary code with the privileges of the user running SeaMonkey. (CVE-2010-1200) A flaw was found in the way browser plug-ins interact. It was possible for a plug-in to reference the freed memory from a different plug-in, resulting in the execution of arbitrary code with the privileges of the user running SeaMonkey. (CVE-2010-1198) An integer overflow flaw was found in the processing of malformed web content. A web page containing malicious content could cause SeaMonkey to crash or, potentially, execute arbitrary code with the privileges of the user running SeaMonkey. (CVE-2010-1199) A flaw was found in the way SeaMonkey processed mail attachments. A specially-crafted mail message could cause SeaMonkey to crash. (CVE-2010-0163) A flaw was found in the way SeaMonkey handled the "Content-Disposition: attachment" HTTP header when the "Content-Type: multipart" HTTP header was also present. A website that allows arbitrary uploads and relies on the "Content-Disposition: attachment" HTTP header to prevent content from being displayed inline, could be used by an attacker to serve malicious content to users. (CVE-2010-1197) All SeaMonkey users should upgrade to these updated packages, which correct these issues. After installing the update, SeaMonkey must be restarted for the changes to take effect. Critical Copyright 2010 Red Hat, Inc. CVE-2010-0163 CVE-2010-1197 CVE-2010-1198 CVE-2010-1199 CVE-2010-1200 CVE-2010-0163 seamonkey/thunderbird: crash when indexing certain messages with attachments CVE-2010-1200 Mozilla Crashes with evidence of memory corruption CVE-2010-1198 Mozilla Freed object reuse across plugin instances CVE-2010-1199 Mozilla Integer Overflow in XSLT Node Sorting CVE-2010-1197 Mozilla Content-Disposition: attachment ignored if Content-Type: multipart also present cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Mozilla Firefox is an open source web browser. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2010-1121, CVE-2010-1200, CVE-2010-1202, CVE-2010-1203) A flaw was found in the way browser plug-ins interact. It was possible for a plug-in to reference the freed memory from a different plug-in, resulting in the execution of arbitrary code with the privileges of the user running Firefox. (CVE-2010-1198) Several integer overflow flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2010-1196, CVE-2010-1199) A focus stealing flaw was found in the way Firefox handled focus changes. A malicious website could use this flaw to steal sensitive data from a user, such as usernames and passwords. (CVE-2010-1125) A flaw was found in the way Firefox handled the "Content-Disposition: attachment" HTTP header when the "Content-Type: multipart" HTTP header was also present. A website that allows arbitrary uploads and relies on the "Content-Disposition: attachment" HTTP header to prevent content from being displayed inline, could be used by an attacker to serve malicious content to users. (CVE-2010-1197) A flaw was found in the Firefox Math.random() function. This function could be used to identify a browsing session and track a user across different websites. (CVE-2008-5913) A flaw was found in the Firefox XML document loading security checks. Certain security checks were not being called when an XML document was loaded. This could possibly be leveraged later by an attacker to load certain resources that violate the security policies of the browser or its add-ons. Note that this issue cannot be exploited by only loading an XML document. (CVE-2010-0182) For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 3.6.4. You can find a link to the Mozilla advisories in the References section of this erratum. This erratum upgrades Firefox from version 3.0.19 to version 3.6.4, and as such, contains multiple bug fixes and numerous enhancements. Space precludes documenting these changes in this advisory. For details concerning these changes, refer to the Firefox Release Notes links in the References section of this erratum. Important: Firefox 3.6.4 is not completely backwards-compatible with all Mozilla Add-ons and Firefox plug-ins that worked with Firefox 3.0.19. Firefox 3.6 checks compatibility on first-launch, and, depending on the individual configuration and the installed Add-ons and plug-ins, may disable said Add-ons and plug-ins, or attempt to check for updates and upgrade them. Add-ons and plug-ins may have to be manually updated. All Firefox users should upgrade to this updated package, which contains Firefox version 3.6.4. After installing the update, Firefox must be restarted for the changes to take effect. Critical Copyright 2010 Red Hat, Inc. CVE-2008-5913 CVE-2009-5017 CVE-2010-0182 CVE-2010-1121 CVE-2010-1125 CVE-2010-1196 CVE-2010-1197 CVE-2010-1198 CVE-2010-1199 CVE-2010-1200 CVE-2010-1202 CVE-2010-1203 CVE-2008-5913 mozilla: in-session phishing attack CVE-2010-1121 firefox: arbitrary code execution via memory corruption CVE-2010-1125 firefox: keystrokes sent to hidden frame rather than visible frame due to javascript flaw CVE-2010-0182 mozilla: XMLDocument::load() doesn't check nsIContentPolicy (MFSA 2010-24) CVE-2010-1200 Mozilla Crashes with evidence of memory corruption CVE-2010-1202 Mozilla Crashes with evidence of memory corruption CVE-2010-1203 Mozilla Crashes with evidence of memory corruption CVE-2010-1198 Mozilla Freed object reuse across plugin instances CVE-2010-1196 Mozilla Heap buffer overflow in nsGenericDOMDataNode::SetTextInternal CVE-2010-1199 Mozilla Integer Overflow in XSLT Node Sorting CVE-2010-1197 Mozilla Content-Disposition: attachment ignored if Content-Type: multipart also present cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Mozilla Firefox is an open source web browser. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2010-1121, CVE-2010-1200, CVE-2010-1202, CVE-2010-1203) A flaw was found in the way browser plug-ins interact. It was possible for a plug-in to reference the freed memory from a different plug-in, resulting in the execution of arbitrary code with the privileges of the user running Firefox. (CVE-2010-1198) Several integer overflow flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2010-1196, CVE-2010-1199) A focus stealing flaw was found in the way Firefox handled focus changes. A malicious website could use this flaw to steal sensitive data from a user, such as usernames and passwords. (CVE-2010-1125) A flaw was found in the way Firefox handled the "Content-Disposition: attachment" HTTP header when the "Content-Type: multipart" HTTP header was also present. A website that allows arbitrary uploads and relies on the "Content-Disposition: attachment" HTTP header to prevent content from being displayed inline, could be used by an attacker to serve malicious content to users. (CVE-2010-1197) A flaw was found in the Firefox Math.random() function. This function could be used to identify a browsing session and track a user across different websites. (CVE-2008-5913) A flaw was found in the Firefox XML document loading security checks. Certain security checks were not being called when an XML document was loaded. This could possibly be leveraged later by an attacker to load certain resources that violate the security policies of the browser or its add-ons. Note that this issue cannot be exploited by only loading an XML document. (CVE-2010-0182) For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 3.6.4. You can find a link to the Mozilla advisories in the References section of this erratum. This erratum upgrades Firefox from version 3.0.19 to version 3.6.4. Due to the requirements of Firefox 3.6.4, this erratum also provides a number of other updated packages, including esc, totem, and yelp. This erratum also contains multiple bug fixes and numerous enhancements. Space precludes documenting these changes in this advisory. For details concerning these changes, refer to the Firefox Release Notes links in the References section of this erratum. Important: Firefox 3.6.4 is not completely backwards-compatible with all Mozilla Add-ons and Firefox plug-ins that worked with Firefox 3.0.19. Firefox 3.6 checks compatibility on first-launch, and, depending on the individual configuration and the installed Add-ons and plug-ins, may disable said Add-ons and plug-ins, or attempt to check for updates and upgrade them. Add-ons and plug-ins may have to be manually updated. All Firefox users should upgrade to these updated packages, which contain Firefox version 3.6.4. After installing the update, Firefox must be restarted for the changes to take effect. Critical Copyright 2010 Red Hat, Inc. CVE-2008-5913 CVE-2009-5017 CVE-2010-0182 CVE-2010-1121 CVE-2010-1125 CVE-2010-1196 CVE-2010-1197 CVE-2010-1198 CVE-2010-1199 CVE-2010-1200 CVE-2010-1202 CVE-2010-1203 CVE-2008-5913 mozilla: in-session phishing attack CVE-2010-1121 firefox: arbitrary code execution via memory corruption CVE-2010-1125 firefox: keystrokes sent to hidden frame rather than visible frame due to javascript flaw CVE-2010-0182 mozilla: XMLDocument::load() doesn't check nsIContentPolicy (MFSA 2010-24) CVE-2010-1200 Mozilla Crashes with evidence of memory corruption CVE-2010-1202 Mozilla Crashes with evidence of memory corruption CVE-2010-1203 Mozilla Crashes with evidence of memory corruption CVE-2010-1198 Mozilla Freed object reuse across plugin instances CVE-2010-1196 Mozilla Heap buffer overflow in nsGenericDOMDataNode::SetTextInternal CVE-2010-1199 Mozilla Integer Overflow in XSLT Node Sorting CVE-2010-1197 Mozilla Content-Disposition: attachment ignored if Content-Type: multipart also present cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 Adobe Reader allows users to view and print documents in Portable Document Format (PDF). This update fixes multiple vulnerabilities in Adobe Reader. These vulnerabilities are detailed on the Adobe security pages APSA10-01 and APSB10-15, listed in the References section. A specially-crafted PDF file could cause Adobe Reader to crash or, potentially, execute arbitrary code as the user running Adobe Reader when opened. (CVE-2010-1240, CVE-2010-1285, CVE-2010-1295, CVE-2010-1297, CVE-2010-2168, CVE-2010-2201, CVE-2010-2202, CVE-2010-2203, CVE-2010-2204, CVE-2010-2205, CVE-2010-2206, CVE-2010-2207, CVE-2010-2208, CVE-2010-2209, CVE-2010-2210, CVE-2010-2211, CVE-2010-2212) All Adobe Reader users should install these updated packages. They contain Adobe Reader version 9.3.3, which is not vulnerable to these issues. All running instances of Adobe Reader must be restarted for the update to take effect. Critical Copyright 2010 Red Hat, Inc. CVE-2010-1240 CVE-2010-1285 CVE-2010-1295 CVE-2010-1297 CVE-2010-2168 CVE-2010-2201 CVE-2010-2202 CVE-2010-2203 CVE-2010-2204 CVE-2010-2205 CVE-2010-2206 CVE-2010-2207 CVE-2010-2208 CVE-2010-2209 CVE-2010-2210 CVE-2010-2211 CVE-2010-2212 CVE-2010-1297 acroread, flash-plugin: Arbitrary code execution by opening a specially-crafted PDF file with malicious SWF content (APSA10-01) acroread: multiple code execution flaws (APSB10-15) cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 5 The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues: * multiple flaws were found in the mmap and mremap implementations. A local user could use these flaws to cause a local denial of service or escalate their privileges. (CVE-2010-0291, Important) * a NULL pointer dereference flaw was found in the Fast Userspace Mutexes (futexes) implementation. The unlock code path did not check if the futex value associated with pi_state->owner had been modified. A local user could use this flaw to modify the futex value, possibly leading to a denial of service or privilege escalation when the pi_state->owner pointer is dereferenced. (CVE-2010-0622, Important) * a NULL pointer dereference flaw was found in the Linux kernel Network File System (NFS) implementation. A local user on a system that has an NFS-mounted file system could use this flaw to cause a denial of service or escalate their privileges on that system. (CVE-2010-1087, Important) * a flaw was found in the sctp_process_unk_param() function in the Linux kernel Stream Control Transmission Protocol (SCTP) implementation. A remote attacker could send a specially-crafted SCTP packet to an SCTP listening port on a target system, causing a kernel panic (denial of service). (CVE-2010-1173, Important) * a flaw was found in the Linux kernel Transparent Inter-Process Communication protocol (TIPC) implementation. If a client application, on a local system where the tipc module is not yet in network mode, attempted to send a message to a remote TIPC node, it would dereference a NULL pointer on the local system, causing a kernel panic (denial of service). (CVE-2010-1187, Important) * a buffer overflow flaw was found in the Linux kernel Global File System 2 (GFS2) implementation. In certain cases, a quota could be written past the end of a memory page, causing memory corruption, leaving the quota stored on disk in an invalid state. A user with write access to a GFS2 file system could trigger this flaw to cause a kernel crash (denial of service) or escalate their privileges on the GFS2 server. This issue can only be triggered if the GFS2 file system is mounted with the "quota=on" or "quota=account" mount option. (CVE-2010-1436, Important) * a race condition between finding a keyring by name and destroying a freed keyring was found in the Linux kernel key management facility. A local user could use this flaw to cause a kernel panic (denial of service) or escalate their privileges. (CVE-2010-1437, Important) * a flaw was found in the link_path_walk() function in the Linux kernel. Using the file descriptor returned by the open() function with the O_NOFOLLOW flag on a subordinate NFS-mounted file system, could result in a NULL pointer dereference, causing a denial of service or privilege escalation. (CVE-2010-1088, Moderate) * a missing permission check was found in the gfs2_set_flags() function in the Linux kernel GFS2 implementation. A local user could use this flaw to change certain file attributes of files, on a GFS2 file system, that they do not own. (CVE-2010-1641, Low) Red Hat would like to thank Jukka Taimisto and Olli Jarva of Codenomicon Ltd, Nokia Siemens Networks, and Wind River on behalf of their customer, for responsibly reporting CVE-2010-1173; Mario Mikocevic for responsibly reporting CVE-2010-1436; and Dan Rosenberg for responsibly reporting CVE-2010-1641. This update also fixes several bugs. Documentation for these bug fixes will be available shortly from http://www.redhat.com/docs/en-US/errata/RHSA-2010-0504/Kernel_Security_Update/index.html Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect. Important Copyright 2010 Red Hat, Inc. CVE-2010-0291 CVE-2010-0622 CVE-2010-1087 CVE-2010-1088 CVE-2010-1173 CVE-2010-1187 CVE-2010-1436 CVE-2010-1437 CVE-2010-1641 CVE-2010-0291 kernel: untangle the do_mremap() CVE-2010-0622 kernel: futex: Handle user space corruption gracefully CVE-2010-1087 kernel: NFS: Fix an Oops when truncating a file CVE-2010-1088 kernel: fix LOOKUP_FOLLOW on automount "symlinks" CVE-2010-1187 kernel: tipc: Fix oops on send prior to entering networked mode CVE-2010-1173 kernel: sctp: crash due to malformed SCTPChunkInit packet CVE-2010-1437 kernel: keyrings: find_keyring_by_name() can gain the freed keyring CVE-2010-1436 kernel: gfs2 buffer overflow Linux VM hangs while hot adding memory in VMware [rhel-5.5.z] 25% performance regression of concurrent O_DIRECT writes. [rhel-5.5.z] [Intel 5.6 Bug] Fix initialization of wakeup flags for e1000 [rhel-5.5.z] virtio balloon should not use pages from kernel's reserve pools for fill requests [rhel-5.5.z] RHEL5: tg3: 'SIOCSIFFLAGS: Invalid argument' setting IP [rhel-5.5.z] missing power_meter release() function [rhel-5.5.z] [5.5] SFQ qdisc crashes with limit of 2 packets [rhel-5.5.z] [RHEL5] bonding mode 0 doesn't resend IGMP after a failure [rhel-5.5.z] nfs: sys_read sometimes returns -EIO [rhel-5.5.z] CVE-2010-1641 kernel: GFS2: The setflags ioctl() doesn't check file ownership VFS: Busy inodes after unmount issue. [rhel-5.5.z] implement dev_disable_lro for RHEL5 [rhel-5.5.z] [5.5] SCTP: Check if the file structure is valid before checking the non-blocking flag [rhel-5.5.z] e1000 and e1000e driver behaviour differences [rhel-5.5.z] fasync_helper patch causing problems with GPFS [rhel-5.5.z] should set ISVM bit (ECX:31) for CPUID leaf 0x00000001 [rhel-5.5.z] vm.drop_caches corrupts hugepages and causes Oracle Database ORA-600 crashes [rhel-5.5.z] PG_error bit is never cleared, even when a fresh I/O to the page succeeds [rhel-5.5.z] [RHEL5] Netfilter modules unloading hangs [rhel-5.5.z] netconsole fails with tg3 [rhel-5.5.z] Timedrift on VM with pv_clock enabled, causing system hangs and sporadic time behaviour [rhel-5.5.z] time drift due to incorrect accounting of lost ticks with VXTIME_PMTMR mode and VXTIME_TSC mode if 'tick_divider' > 1 [rhel-5.5.z] bnx2x panic dumps with multiple interfaces enabled [rhel-5.5.z] cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 The Archive::Tar module provides a mechanism for Perl scripts to manipulate tar archive files. Multiple directory traversal flaws were discovered in the Archive::Tar module. A specially-crafted tar file could cause a Perl script, using the Archive::Tar module to extract the archive, to overwrite an arbitrary file writable by the user running the script. (CVE-2007-4829) This package upgrades the Archive::Tar module to version 1.39_01. Refer to the Archive::Tar module's changes file, linked to in the References, for a full list of changes. Users of perl-Archive-Tar are advised to upgrade to this updated package, which corrects these issues. All applications using the Archive::Tar module must be restarted for this update to take effect. Moderate Copyright 2010 Red Hat, Inc. CVE-2007-4829 CVE-2007-4829 perl-Archive-Tar directory traversal flaws cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The scsi-target-utils package contains the daemon and tools to set up and monitor SCSI targets. Currently, iSCSI software and iSER targets are supported. Multiple buffer overflow flaws were found in scsi-target-utils' tgtd daemon. A remote attacker could trigger these flaws by sending a carefully-crafted Internet Storage Name Service (iSNS) request, causing the tgtd daemon to crash. (CVE-2010-2221) Red Hat would like to thank the Vulnerability Research Team at TELUS Security Labs and Fujita Tomonori for responsibly reporting these flaws. All scsi-target-utils users should upgrade to this updated package, which contains a backported patch to correct these issues. All running scsi-target-utils services must be restarted for the update to take effect. Important Copyright 2010 Red Hat, Inc. CVE-2010-2221 CVE-2010-2221 scsi-target-utils: stack buffer overflow vulnerability cpe:/a:redhat:rhel_cluster_storage Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The libtiff packages contain a library of functions for manipulating Tagged Image File Format (TIFF) files. Multiple integer overflow flaws, leading to a buffer overflow, were discovered in libtiff. An attacker could use these flaws to create a specially-crafted TIFF file that, when opened, would cause an application linked against libtiff to crash or, possibly, execute arbitrary code. (CVE-2010-1411) Multiple input validation flaws were discovered in libtiff. An attacker could use these flaws to create a specially-crafted TIFF file that, when opened, would cause an application linked against libtiff to crash. (CVE-2010-2481, CVE-2010-2483, CVE-2010-2595, CVE-2010-2597) Red Hat would like to thank Apple Product Security for responsibly reporting the CVE-2010-1411 flaw, who credit Kevin Finisterre of digitalmunition.com for the discovery of the issue. All libtiff users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. All running applications linked against libtiff must be restarted for this update to take effect. Important Copyright 2010 Red Hat, Inc. CVE-2010-1411 CVE-2010-2481 CVE-2010-2483 CVE-2010-2595 CVE-2010-2597 CVE-2010-4665 CVE-2010-1411 libtiff: integer overflows leading to heap overflow in Fax3SetupState CVE-2010-2595 libtiff: Array index error due improper handling of invalid ReferenceBlackWhite values CVE-2010-2597 libtiff: use of uninitialized values crash CVE-2010-2481 libtiff: TIFFExtractData out-of-bounds read crash CVE-2010-2483 libtiff: out-of-bounds read crash on images with invalid SamplesPerPixel values cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The libtiff packages contain a library of functions for manipulating Tagged Image File Format (TIFF) files. Multiple integer overflow flaws, leading to a buffer overflow, were discovered in libtiff. An attacker could use these flaws to create a specially-crafted TIFF file that, when opened, would cause an application linked against libtiff to crash or, possibly, execute arbitrary code. (CVE-2010-1411) An input validation flaw was discovered in libtiff. An attacker could use this flaw to create a specially-crafted TIFF file that, when opened, would cause an application linked against libtiff to crash. (CVE-2010-2598) Red Hat would like to thank Apple Product Security for responsibly reporting the CVE-2010-1411 flaw, who credit Kevin Finisterre of digitalmunition.com for the discovery of the issue. All libtiff users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. All running applications linked against libtiff must be restarted for this update to take effect. Important Copyright 2010 Red Hat, Inc. CVE-2010-1411 CVE-2010-2598 CVE-2010-1411 libtiff: integer overflows leading to heap overflow in Fax3SetupState CVE-2010-2598 libtiff: crash when reading image with not configured compression cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Avahi is an implementation of the DNS Service Discovery and Multicast DNS specifications for Zero Configuration Networking. It facilitates service discovery on a local network. Avahi and Avahi-aware applications allow you to plug your computer into a network and, with no configuration, view other people to chat with, view printers to print to, and find shared files on other computers. A flaw was found in the way the Avahi daemon (avahi-daemon) processed Multicast DNS (mDNS) packets with corrupted checksums. An attacker on the local network could use this flaw to cause avahi-daemon on a target system to exit unexpectedly via specially-crafted mDNS packets. (CVE-2010-2244) A flaw was found in the way avahi-daemon processed incoming unicast mDNS messages. If the mDNS reflector were enabled on a system, an attacker on the local network could send a specially-crafted unicast mDNS message to that system, resulting in its avahi-daemon flooding the network with a multicast packet storm, and consuming a large amount of CPU. Note: The mDNS reflector is disabled by default. (CVE-2009-0758) All users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the update, avahi-daemon will be restarted automatically. Moderate Copyright 2010 Red Hat, Inc. CVE-2009-0758 CVE-2010-2244 CVE-2009-0758 avahi: remote DoS via legacy unicast mDNS queries CVE-2010-2244 avahi: assertion failure after receiving a packet with corrupted checksum cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 PC/SC Lite provides a Windows SCard compatible interface for communicating with smart cards, smart card readers, and other security tokens. Multiple buffer overflow flaws were discovered in the way the pcscd daemon, a resource manager that coordinates communications with smart card readers and smart cards connected to the system, handled client requests. A local user could create a specially-crafted request that would cause the pcscd daemon to crash or, possibly, execute arbitrary code. (CVE-2010-0407, CVE-2009-4901) Users of pcsc-lite should upgrade to these updated packages, which contain a backported patch to correct these issues. After installing this update, the pcscd daemon will be restarted automatically. Moderate Copyright 2010 Red Hat, Inc. CVE-2009-4901 CVE-2010-0407 CVE-2009-4901 CVE-2009-4902 CVE-2010-0407 pcsc-lite: Privilege escalation via specially-crafted client to PC/SC Smart Card daemon messages cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The libpng packages contain a library of functions for creating and manipulating PNG (Portable Network Graphics) image format files. A memory corruption flaw was found in the way applications, using the libpng library and its progressive reading method, decoded certain PNG images. An attacker could create a specially-crafted PNG image that, when opened, could cause an application using libpng to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2010-1205) A denial of service flaw was found in the way applications using the libpng library decoded PNG images that have certain, highly compressed ancillary chunks. An attacker could create a specially-crafted PNG image that could cause an application using libpng to consume excessive amounts of memory and CPU time, and possibly crash. (CVE-2010-0205) A memory leak flaw was found in the way applications using the libpng library decoded PNG images that use the Physical Scale (sCAL) extension. An attacker could create a specially-crafted PNG image that could cause an application using libpng to exhaust all available memory and possibly crash or exit. (CVE-2010-2249) A sensitive information disclosure flaw was found in the way applications using the libpng library processed 1-bit interlaced PNG images. An attacker could create a specially-crafted PNG image that could cause an application using libpng to disclose uninitialized memory. (CVE-2009-2042) Users of libpng and libpng10 should upgrade to these updated packages, which contain backported patches to correct these issues. All running applications using libpng or libpng10 must be restarted for the update to take effect. Important Copyright 2010 Red Hat, Inc. CVE-2009-2042 CVE-2010-0205 CVE-2010-1205 CVE-2010-2249 CVE-2009-2042 libpng: Interlaced Images Information Disclosure Vulnerability CVE-2010-0205 libpng: excessive memory consumption due to highly compressed huge ancillary chunk CVE-2010-1205 libpng: out-of-bounds memory write CVE-2010-2249 libpng: Memory leak when processing Physical Scale (sCAL) images cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 OpenLDAP is an open source suite of LDAP (Lightweight Directory Access Protocol) applications and development tools. Multiple flaws were discovered in the way the slapd daemon handled modify relative distinguished name (modrdn) requests. An authenticated user with privileges to perform modrdn operations could use these flaws to crash the slapd daemon via specially-crafted modrdn requests. (CVE-2010-0211, CVE-2010-0212) Red Hat would like to thank CERT-FI for responsibly reporting these flaws, who credit Ilkka Mattila and Tuomas Salomäki for the discovery of the issues. Users of OpenLDAP should upgrade to these updated packages, which contain a backported patch to correct these issues. After installing this update, the OpenLDAP daemons will be restarted automatically. Moderate Copyright 2010 Red Hat, Inc. CVE-2010-0211 CVE-2010-0212 CVE-2010-0211 openldap: modrdn processing uninitialized pointer free CVE-2010-0212 openldap: modrdn processing IA5StringNormalize NULL pointer dereference cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 OpenLDAP is an open source suite of LDAP (Lightweight Directory Access Protocol) applications and development tools. An uninitialized pointer use flaw was discovered in the way the slapd daemon handled modify relative distinguished name (modrdn) requests. An authenticated user with privileges to perform modrdn operations could use this flaw to crash the slapd daemon via specially-crafted modrdn requests. (CVE-2010-0211) Red Hat would like to thank CERT-FI for responsibly reporting the CVE-2010-0211 flaw, who credit Ilkka Mattila and Tuomas Salomäki for the discovery of the issue. A flaw was found in the way OpenLDAP handled NUL characters in the CommonName field of X.509 certificates. An attacker able to get a carefully-crafted certificate signed by a trusted Certificate Authority could trick applications using OpenLDAP libraries into accepting it by mistake, allowing the attacker to perform a man-in-the-middle attack. (CVE-2009-3767) Users of OpenLDAP should upgrade to these updated packages, which contain backported patches to resolve these issues. After installing this update, the OpenLDAP daemons will be restarted automatically. Moderate Copyright 2010 Red Hat, Inc. CVE-2009-3767 CVE-2010-0211 CVE-2009-3767 OpenLDAP: Doesn't properly handle NULL character in subject Common Name CVE-2010-0211 openldap: modrdn processing uninitialized pointer free cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Mozilla Thunderbird is a standalone mail and newsgroup client. Several flaws were found in the processing of malformed HTML mail content. An HTML mail message containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2010-0174, CVE-2010-1200, CVE-2010-1211, CVE-2010-1214, CVE-2010-2753) An integer overflow flaw was found in the processing of malformed HTML mail content. An HTML mail message containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2010-1199) Several use-after-free flaws were found in Thunderbird. Viewing an HTML mail message containing malicious content could result in Thunderbird executing arbitrary code with the privileges of the user running Thunderbird. (CVE-2010-0175, CVE-2010-0176, CVE-2010-0177) A flaw was found in the way Thunderbird plug-ins interact. It was possible for a plug-in to reference the freed memory from a different plug-in, resulting in the execution of arbitrary code with the privileges of the user running Thunderbird. (CVE-2010-1198) A flaw was found in the way Thunderbird handled the "Content-Disposition: attachment" HTTP header when the "Content-Type: multipart" HTTP header was also present. Loading remote HTTP content that allows arbitrary uploads and relies on the "Content-Disposition: attachment" HTTP header to prevent content from being displayed inline, could be used by an attacker to serve malicious content to users. (CVE-2010-1197) A same-origin policy bypass flaw was found in Thunderbird. Remote HTML content could steal private data from different remote HTML content Thunderbird has loaded. (CVE-2010-2754) All Thunderbird users should upgrade to this updated package, which resolves these issues. All running instances of Thunderbird must be restarted for the update to take effect. Moderate Copyright 2010 Red Hat, Inc. CVE-2010-0174 CVE-2010-0175 CVE-2010-0176 CVE-2010-0177 CVE-2010-1197 CVE-2010-1198 CVE-2010-1199 CVE-2010-1200 CVE-2010-1211 CVE-2010-1214 CVE-2010-2753 CVE-2010-2754 CVE-2010-0174 Mozilla crashes with evidence of memory corruption CVE-2010-0175 Mozilla remote code execution with use-after-free in nsTreeSelection CVE-2010-0176 Mozilla Dangling pointer vulnerability in nsTreeContentView CVE-2010-0177 Mozilla Dangling pointer vulnerability in nsPluginArray CVE-2010-1200 Mozilla Crashes with evidence of memory corruption CVE-2010-1198 Mozilla Freed object reuse across plugin instances CVE-2010-1199 Mozilla Integer Overflow in XSLT Node Sorting CVE-2010-1197 Mozilla Content-Disposition: attachment ignored if Content-Type: multipart also present CVE-2010-1211 Mozilla miscellaneous memory safety hazards CVE-2010-1214 Mozilla Plugin parameter EnsureCachedAttrParamArrays remote code execution vulnerability CVE-2010-2753 Mozilla nsTreeSelection dangling pointer remote code execution vulnerability CVE-2010-2754 Mozilla Cross-origin data leakage from script filename in error messages cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Mozilla Thunderbird is a standalone mail and newsgroup client. A memory corruption flaw was found in the way Thunderbird decoded certain PNG images. An attacker could create a mail message containing a specially-crafted PNG image that, when opened, could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2010-1205) Several flaws were found in the processing of malformed HTML mail content. An HTML mail message containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2010-0174, CVE-2010-1200, CVE-2010-1211, CVE-2010-1214, CVE-2010-2753) An integer overflow flaw was found in the processing of malformed HTML mail content. An HTML mail message containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2010-1199) Several use-after-free flaws were found in Thunderbird. Viewing an HTML mail message containing malicious content could result in Thunderbird executing arbitrary code with the privileges of the user running Thunderbird. (CVE-2010-0175, CVE-2010-0176, CVE-2010-0177) A flaw was found in the way Thunderbird plug-ins interact. It was possible for a plug-in to reference the freed memory from a different plug-in, resulting in the execution of arbitrary code with the privileges of the user running Thunderbird. (CVE-2010-1198) A flaw was found in the way Thunderbird handled the "Content-Disposition: attachment" HTTP header when the "Content-Type: multipart" HTTP header was also present. Loading remote HTTP content that allows arbitrary uploads and relies on the "Content-Disposition: attachment" HTTP header to prevent content from being displayed inline, could be used by an attacker to serve malicious content to users. (CVE-2010-1197) A same-origin policy bypass flaw was found in Thunderbird. Remote HTML content could steal private data from different remote HTML content Thunderbird has loaded. (CVE-2010-2754) All Thunderbird users should upgrade to this updated package, which resolves these issues. All running instances of Thunderbird must be restarted for the update to take effect. Critical Copyright 2010 Red Hat, Inc. CVE-2010-0174 CVE-2010-0175 CVE-2010-0176 CVE-2010-0177 CVE-2010-1197 CVE-2010-1198 CVE-2010-1199 CVE-2010-1200 CVE-2010-1205 CVE-2010-1211 CVE-2010-1214 CVE-2010-2753 CVE-2010-2754 CVE-2010-0174 Mozilla crashes with evidence of memory corruption CVE-2010-0175 Mozilla remote code execution with use-after-free in nsTreeSelection CVE-2010-0176 Mozilla Dangling pointer vulnerability in nsTreeContentView CVE-2010-0177 Mozilla Dangling pointer vulnerability in nsPluginArray CVE-2010-1200 Mozilla Crashes with evidence of memory corruption CVE-2010-1198 Mozilla Freed object reuse across plugin instances CVE-2010-1199 Mozilla Integer Overflow in XSLT Node Sorting CVE-2010-1197 Mozilla Content-Disposition: attachment ignored if Content-Type: multipart also present CVE-2010-1205 libpng: out-of-bounds memory write CVE-2010-1211 Mozilla miscellaneous memory safety hazards CVE-2010-1214 Mozilla Plugin parameter EnsureCachedAttrParamArrays remote code execution vulnerability CVE-2010-2753 Mozilla nsTreeSelection dangling pointer remote code execution vulnerability CVE-2010-2754 Mozilla Cross-origin data leakage from script filename in error messages cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 SeaMonkey is an open source web browser, email and newsgroup client, IRC chat client, and HTML editor. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause SeaMonkey to crash or, potentially, execute arbitrary code with the privileges of the user running SeaMonkey. (CVE-2010-1211, CVE-2010-2753, CVE-2010-1214) A memory corruption flaw was found in the way SeaMonkey decoded certain PNG images. An attacker could create a specially-crafted PNG image that, when opened, could cause SeaMonkey to crash or, potentially, execute arbitrary code with the privileges of the user running SeaMonkey. (CVE-2010-1205) A same-origin policy bypass flaw was found in SeaMonkey. An attacker could create a malicious web page that, when viewed by a victim, could steal private data from a different website the victim has loaded with SeaMonkey. (CVE-2010-2754) A flaw was found in the way SeaMonkey displayed the location bar when visiting a secure web page. A malicious server could use this flaw to present data that appears to originate from a secure server, even though it does not. (CVE-2010-2751) All SeaMonkey users should upgrade to these updated packages, which correct these issues. After installing the update, SeaMonkey must be restarted for the changes to take effect. Critical Copyright 2010 Red Hat, Inc. CVE-2010-1205 CVE-2010-1211 CVE-2010-1214 CVE-2010-2751 CVE-2010-2753 CVE-2010-2754 CVE-2010-1205 libpng: out-of-bounds memory write CVE-2010-1211 Mozilla miscellaneous memory safety hazards CVE-2010-1214 Mozilla Plugin parameter EnsureCachedAttrParamArrays remote code execution vulnerability CVE-2010-2753 Mozilla nsTreeSelection dangling pointer remote code execution vulnerability CVE-2010-2751 Mozilla SSL spoofing with history.back() and history.forward() CVE-2010-2754 Mozilla Cross-origin data leakage from script filename in error messages cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2010-1208, CVE-2010-1209, CVE-2010-1211, CVE-2010-1212, CVE-2010-1214, CVE-2010-1215, CVE-2010-2752, CVE-2010-2753) A memory corruption flaw was found in the way Firefox decoded certain PNG images. An attacker could create a specially-crafted PNG image that, when opened, could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2010-1205) Several same-origin policy bypass flaws were found in Firefox. An attacker could create a malicious web page that, when viewed by a victim, could steal private data from a different website the victim has loaded with Firefox. (CVE-2010-0654, CVE-2010-1207, CVE-2010-1213, CVE-2010-2754) A flaw was found in the way Firefox presented the location bar to a user. A malicious website could trick a user into thinking they are visiting the site reported by the location bar, when the page is actually content controlled by an attacker. (CVE-2010-1206) A flaw was found in the way Firefox displayed the location bar when visiting a secure web page. A malicious server could use this flaw to present data that appears to originate from a secure server, even though it does not. (CVE-2010-2751) A flaw was found in the way Firefox displayed certain malformed characters. A malicious web page could use this flaw to bypass certain string sanitization methods, allowing it to display malicious information to users. (CVE-2010-1210) For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 3.6.7. You can find a link to the Mozilla advisories in the References section of this erratum. All Firefox users should upgrade to these updated packages, which contain Firefox version 3.6.7, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect. Critical Copyright 2010 Red Hat, Inc. CVE-2010-0654 CVE-2010-1205 CVE-2010-1206 CVE-2010-1207 CVE-2010-1208 CVE-2010-1209 CVE-2010-1210 CVE-2010-1211 CVE-2010-1212 CVE-2010-1213 CVE-2010-1214 CVE-2010-1215 CVE-2010-2751 CVE-2010-2752 CVE-2010-2753 CVE-2010-2754 CVE-2010-0654 firefox: cross-domain information disclosure CVE-2010-1205 libpng: out-of-bounds memory write CVE-2010-1206 Firefox: Spoofing attacks via vectors involving 'No Content' status code or via a windows.stop call CVE-2010-1211 Mozilla miscellaneous memory safety hazards CVE-2010-1212 Mozilla miscellaneous memory safety hazards CVE-2010-1208 Mozilla DOM attribute cloning remote code execution vulnerability CVE-2010-1209 Mozilla Use-after-free error in NodeIterator CVE-2010-1214 Mozilla Plugin parameter EnsureCachedAttrParamArrays remote code execution vulnerability CVE-2010-1215 Mozilla Arbitrary code execution using SJOW and fast native function CVE-2010-2752 Mozilla nsCSSValue::Array index integer overflow CVE-2010-2753 Mozilla nsTreeSelection dangling pointer remote code execution vulnerability CVE-2010-1213 Mozilla Cross-origin data disclosure via Web Workers and importScripts CVE-2010-1207 Mozilla Same-origin bypass using canvas context CVE-2010-1210 Mozilla Characters mapped to U+FFFD in 8 bit encodings cause subsequent character to vanish CVE-2010-2751 Mozilla SSL spoofing with history.back() and history.forward() CVE-2010-2754 Mozilla Cross-origin data leakage from script filename in error messages cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 The IBM 1.6.0 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. This update fixes one vulnerability in the IBM Java 2 Runtime Environment. This vulnerability is summarized on the IBM "Security alerts" page listed in the References section. (CVE-2010-0887) All users of java-1.6.0-ibm are advised to upgrade to these updated packages, containing the IBM 1.6.0 SR8-FP1 Java release. All running instances of IBM Java must be restarted for the update to take effect. Critical Copyright 2010 Red Hat, Inc. CVE-2010-0887 CVE-2010-0886 CVE-2010-0887 Sun Java: Java Web Start arbitrary command line injection cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 5 Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. An invalid free flaw was found in Firefox's plugin handler. Malicious web content could result in an invalid memory pointer being freed, causing Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running the Firefox application. (CVE-2010-2755) All Firefox users should upgrade to these updated packages, which contain a backported patch that corrects this issue. After installing the update, Firefox must be restarted for the changes to take effect. Critical Copyright 2010 Red Hat, Inc. CVE-2010-2755 CVE-2010-2755 Mozilla arbitrary free flaw cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 SeaMonkey is an open source web browser, email and newsgroup client, IRC chat client, and HTML editor. An invalid free flaw was found in SeaMonkey's plugin handler. Malicious web content could result in an invalid memory pointer being freed, causing SeaMonkey to crash or, potentially, execute arbitrary code with the privileges of the user running SeaMonkey. (CVE-2010-2755) All SeaMonkey users should upgrade to these updated packages, which correct this issue. After installing the update, SeaMonkey must be restarted for the changes to take effect. Critical Copyright 2010 Red Hat, Inc. CVE-2010-2755 CVE-2010-2755 Mozilla arbitrary free flaw cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Mozilla Firefox is an open source web browser. An invalid free flaw was found in Firefox's plugin handler. Malicious web content could result in an invalid memory pointer being freed, causing Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2010-2755) All Firefox users should upgrade to these updated packages, which contain a backported patch that corrects this issue. After installing the update, Firefox must be restarted for the changes to take effect. Critical Copyright 2010 Red Hat, Inc. CVE-2010-2755 CVE-2010-2755 Mozilla arbitrary free flaw cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The w3m program is a pager (or text file viewer) that can also be used as a text mode web browser. It was discovered that w3m is affected by the previously published "null prefix attack", caused by incorrect handling of NULL characters in X.509 certificates. If an attacker is able to get a carefully-crafted certificate signed by a trusted Certificate Authority, the attacker could use the certificate during a man-in-the-middle attack and potentially confuse w3m into accepting it by mistake. (CVE-2010-2074) All w3m users should upgrade to these updated packages, which contain a backported patch to correct this issue. Moderate Copyright 2010 Red Hat, Inc. CVE-2010-2074 CVE-2010-2074 w3m: doesn't handle NULL in Common Name properly cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The lvm2-cluster package contains support for Logical Volume Management (LVM) in a clustered environment. It was discovered that the cluster logical volume manager daemon (clvmd) did not verify the credentials of clients connecting to its control UNIX abstract socket, allowing local, unprivileged users to send control commands that were intended to only be available to the privileged root user. This could allow a local, unprivileged user to cause clvmd to exit, or request clvmd to activate, deactivate, or reload any logical volume on the local system or another system in the cluster. (CVE-2010-2526) Note: This update changes clvmd to use a pathname-based socket rather than an abstract socket. As such, the lvm2 update RHBA-2010:0569, which changes LVM to also use this pathname-based socket, must also be installed for LVM to be able to communicate with the updated clvmd. All lvm2-cluster users should upgrade to this updated package, which contains a backported patch to correct this issue. After installing the updated package, clvmd must be restarted for the update to take effect. Moderate Copyright 2010 Red Hat, Inc. CVE-2010-2526 CVE-2010-2526 lvm2-cluster: insecurity when communicating between lvm2 and clvmd cpe:/a:redhat:rhel_cluster_storage Supplementary for Red Hat Enterprise Linux 5 The IBM 1.4.2 SR13-FP5 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. This update fixes several vulnerabilities in the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. These vulnerabilities are summarized on the IBM "Security alerts" page listed in the References section. (CVE-2010-0084, CVE-2010-0085, CVE-2010-0087, CVE-2010-0088, CVE-2010-0089, CVE-2010-0091, CVE-2010-0095, CVE-2010-0839, CVE-2010-0840, CVE-2010-0841, CVE-2010-0842, CVE-2010-0843, CVE-2010-0844, CVE-2010-0846, CVE-2010-0847, CVE-2010-0848, CVE-2010-0849) All users of java-1.4.2-ibm are advised to upgrade to these updated packages, which contain the IBM 1.4.2 SR13-FP5 Java release. All running instances of IBM Java must be restarted for this update to take effect. Critical Copyright 2010 Red Hat, Inc. CVE-2010-0084 CVE-2010-0085 CVE-2010-0087 CVE-2010-0088 CVE-2010-0089 CVE-2010-0091 CVE-2010-0095 CVE-2010-0839 CVE-2010-0840 CVE-2010-0841 CVE-2010-0842 CVE-2010-0843 CVE-2010-0844 CVE-2010-0846 CVE-2010-0847 CVE-2010-0848 CVE-2010-0849 CVE-2010-0084 OpenJDK Policy/PolicyFile leak dynamic ProtectionDomains. (6633872) CVE-2010-0085 OpenJDK File TOCTOU deserialization vulnerability (6736390) CVE-2010-0088 OpenJDK Inflater/Deflater clone issues (6745393) CVE-2010-0091 OpenJDK Unsigned applet can retrieve the dragged information before drop action occurs(6887703) CVE-2010-0095 OpenJDK Subclasses of InetAddress may incorrectly interpret network addresses (6893954) CVE-2010-0840 OpenJDK Applet Trusted Methods Chaining Privilege Escalation Vulnerability (6904691) CVE-2010-0841 OpenJDK JPEGImageReader stepX Integer Overflow Vulnerability (6909597) CVE-2010-0848 OpenJDK AWT Library Invalid Index Vulnerability (6914823) CVE-2010-0847 OpenJDK ImagingLib arbitrary code execution vulnerability (6914866) CVE-2010-0846 JDK unspecified vulnerability in ImageIO component CVE-2010-0849 JDK unspecified vulnerability in Java2D component CVE-2010-0087 JDK unspecified vulnerability in JWS/Plugin component CVE-2010-0839 CVE-2010-0842 CVE-2010-0843 CVE-2010-0844 JDK multiple unspecified vulnerabilities CVE-2010-0089 JDK unspecified vulnerability in JavaWS/Plugin component cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 3 In accordance with the Red Hat Enterprise Linux Errata Support Policy, the regular 7 year life-cycle of Red Hat Enterprise Linux 3 will end on October 31, 2010. After this date, Red Hat will discontinue the regular subscription services for Red Hat Enterprise Linux 3. Therefore, new bug fix, enhancement, and security errata updates, as well as technical support services will no longer be available for the following products: * Red Hat Enterprise Linux AS 3 * Red Hat Enterprise Linux ES 3 * Red Hat Enterprise Linux WS 3 * Red Hat Enterprise Linux Extras 3 * Red Hat Desktop 3 * Red Hat Global File System 3 * Red Hat Cluster Suite 3 Customers still running production workloads on Red Hat Enterprise Linux 3 are advised to begin planning the upgrade to Red Hat Enterprise Linux 5. Active subscribers of Red Hat Enterprise Linux already have access to all currently maintained versions of Red Hat Enterprise Linux, as part of their subscription without additional fees. For customers who are unable to migrate off Red Hat Enterprise Linux 3 before its end-of-life date, Red Hat may offer a limited, optional extension program. For more information, contact your Red Hat sales representative or channel partner. Details of the Red Hat Enterprise Linux life-cycle can be found on the Red Hat website: http://www.redhat.com/security/updates/errata/ Low Copyright 2010 Red Hat, Inc. Send Out RHEL 3 3-Month EOL Notice cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 FreeType is a free, high-quality, portable font engine that can open and manage font files. It also loads, hints, and renders individual glyphs efficiently. These packages provide both the FreeType 1 and FreeType 2 font engines. An integer overflow flaw was found in the way the FreeType font engine processed font files. If a user loaded a carefully-crafted font file with an application linked against FreeType, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2010-2500) Several buffer overflow flaws were found in the FreeType demo applications. If a user loaded a carefully-crafted font file with a demo application, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2010-2527, CVE-2010-2541) Red Hat would like to thank Robert Swiecki of the Google Security Team for the discovery of the CVE-2010-2500 and CVE-2010-2527 issues. Note: All of the issues in this erratum only affect the FreeType 2 font engine. Users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The X server must be restarted (log out, then log back in) for this update to take effect. Important Copyright 2010 Red Hat, Inc. CVE-2010-2500 CVE-2010-2527 CVE-2010-2541 CVE-2010-2500 freetype: integer overflow vulnerability in smooth/ftgrays.c CVE-2010-2527 Freetype demos multiple buffer overflows CVE-2010-2541 Freetype ftmulti buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 FreeType is a free, high-quality, portable font engine that can open and manage font files. It also loads, hints, and renders individual glyphs efficiently. The freetype packages for Red Hat Enterprise Linux 4 provide both the FreeType 1 and FreeType 2 font engines. The freetype packages for Red Hat Enterprise Linux 5 provide only the FreeType 2 font engine. An invalid memory management flaw was found in the way the FreeType font engine processed font files. If a user loaded a carefully-crafted font file with an application linked against FreeType, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2010-2498) An integer overflow flaw was found in the way the FreeType font engine processed font files. If a user loaded a carefully-crafted font file with an application linked against FreeType, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2010-2500) Several buffer overflow flaws were found in the way the FreeType font engine processed font files. If a user loaded a carefully-crafted font file with an application linked against FreeType, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2010-2499, CVE-2010-2519) Several buffer overflow flaws were found in the FreeType demo applications. If a user loaded a carefully-crafted font file with a demo application, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2010-2527, CVE-2010-2541) Red Hat would like to thank Robert Swiecki of the Google Security Team for the discovery of the CVE-2010-2498, CVE-2010-2500, CVE-2010-2499, CVE-2010-2519, and CVE-2010-2527 issues. Note: All of the issues in this erratum only affect the FreeType 2 font engine. Users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The X server must be restarted (log out, then log back in) for this update to take effect. Important Copyright 2010 Red Hat, Inc. CVE-2010-2498 CVE-2010-2499 CVE-2010-2500 CVE-2010-2519 CVE-2010-2527 CVE-2010-2541 CVE-2010-2498 freetype: invalid free vulnerability with possible heap corruption CVE-2010-2499 freetype: buffer overflow vulnerability CVE-2010-2500 freetype: integer overflow vulnerability in smooth/ftgrays.c CVE-2010-2519 freetype: heap buffer overflow vulnerability when processing certain font files CVE-2010-2527 Freetype demos multiple buffer overflows CVE-2010-2541 Freetype ftmulti buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. A flaw was found in the way Tomcat handled the Transfer-Encoding header in HTTP requests. A specially-crafted HTTP request could prevent Tomcat from sending replies, or cause Tomcat to return truncated replies, or replies containing data related to the requests of other users, for all subsequent HTTP requests. (CVE-2010-2227) The Tomcat security update RHSA-2009:1164 did not, unlike the erratum text stated, provide a fix for CVE-2009-0781, a cross-site scripting (XSS) flaw in the examples calendar application. With some web browsers, remote attackers could use this flaw to inject arbitrary web script or HTML via the "time" parameter. (CVE-2009-2696) Two directory traversal flaws were found in the Tomcat deployment process. A specially-crafted WAR file could, when deployed, cause a file to be created outside of the web root into any directory writable by the Tomcat user, or could lead to the deletion of files in the Tomcat host's work directory. (CVE-2009-2693, CVE-2009-2902) Users of Tomcat should upgrade to these updated packages, which contain backported patches to resolve these issues. Tomcat must be restarted for this update to take effect. Important Copyright 2010 Red Hat, Inc. CVE-2009-2693 CVE-2009-2696 CVE-2009-2902 CVE-2010-2227 CVE-2009-2693 tomcat: unexpected file deletion and/or alteration CVE-2009-2902 tomcat: unexpected file deletion in work directory CVE-2010-2227 tomcat: information leak vulnerability in the handling of 'Transfer-Encoding' header CVE-2009-2696 tomcat: missing fix for CVE-2009-0781 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 LFTP is a sophisticated file transfer program for the FTP and HTTP protocols. Like Bash, it has job control and uses the Readline library for input. It has bookmarks, built-in mirroring, and can transfer several files in parallel. It is designed with reliability in mind. It was discovered that lftp trusted the file name provided in the Content-Disposition HTTP header. A malicious HTTP server could use this flaw to write or overwrite files in the current working directory of a victim running lftp, by sending a different file from what the victim requested. (CVE-2010-2251) To correct this flaw, the following changes were made to lftp: the "xfer:clobber" option now defaults to "no", causing lftp to not overwrite existing files, and a new option, "xfer:auto-rename", which defaults to "no", has been introduced to control whether lftp should use server-suggested file names. Refer to the "Settings" section of the lftp(1) manual page for additional details on changing lftp settings. All lftp users should upgrade to this updated package, which contains a backported patch to correct this issue. Moderate Copyright 2010 Red Hat, Inc. CVE-2010-2251 CVE-2010-2251 lftp: multiple HTTP client download filename vulnerability [OCERT 2010-001] cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The GNU Privacy Guard (GnuPG or GPG) is a tool for encrypting data and creating digital signatures, compliant with the proposed OpenPGP Internet standard and the S/MIME standard. A use-after-free flaw was found in the way gpgsm, a Cryptographic Message Syntax (CMS) encryption and signing tool, handled X.509 certificates with a large number of Subject Alternate Names. A specially-crafted X.509 certificate could, when imported, cause gpgsm to crash or, possibly, execute arbitrary code. (CVE-2010-2547) All gnupg2 users should upgrade to this updated package, which contains a backported patch to correct this issue. Moderate Copyright 2010 Red Hat, Inc. CVE-2010-2547 CVE-2010-2547 GnuPG 2: use-after-free when importing certificate with many alternate names cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues: * a flaw was found in the CIFSSMBWrite() function in the Linux kernel Common Internet File System (CIFS) implementation. A remote attacker could send a specially-crafted SMB response packet to a target CIFS client, resulting in a kernel panic (denial of service). (CVE-2010-2248, Important) * buffer overflow flaws were found in the Linux kernel's implementation of the server-side External Data Representation (XDR) for the Network File System (NFS) version 4. An attacker on the local network could send a specially-crafted large compound request to the NFSv4 server, which could possibly result in a kernel panic (denial of service) or, potentially, code execution. (CVE-2010-2521, Important) This update also fixes the following bug: * the rpc_call_async() function in the SUN Remote Procedure Call (RPC) subsystem in the Linux kernel had a reference counting bug. In certain situations, some Network Lock Manager (NLM) messages may have triggered this bug on NFSv2 and NFSv3 servers, leading to a kernel panic (with "kernel BUG at fs/lockd/host.c:[xxx]!" logged to "/var/log/messages"). (BZ#612962) Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect. Important Copyright 2010 Red Hat, Inc. CVE-2010-2248 CVE-2010-2521 CVE-2010-2248 kernel: cifs: Fix a kernel BUG with remote OS/2 server CVE-2010-2521 kernel: nfsd4: bug in read_buf [4.4] The kernel BUG occurred with the message 'fs/lockd/host.c:252!' [rhel-4.8.z] cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 FreeType is a free, high-quality, portable font engine that can open and manage font files. It also loads, hints, and renders individual glyphs efficiently. The freetype packages for Red Hat Enterprise Linux 3 and 4 provide both the FreeType 1 and FreeType 2 font engines. The freetype packages for Red Hat Enterprise Linux 5 provide only the FreeType 2 font engine. Two stack overflow flaws were found in the way the FreeType font engine processed certain Compact Font Format (CFF) character strings (opcodes). If a user loaded a specially-crafted font file with an application linked against FreeType, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2010-1797) Red Hat would like to thank Braden Thomas of the Apple Product Security team for reporting these issues. Note: CVE-2010-1797 only affects the FreeType 2 font engine. Users are advised to upgrade to these updated packages, which contain a backported patch to correct these issues. The X server must be restarted (log out, then log back in) for this update to take effect. Important Copyright 2010 Red Hat, Inc. CVE-2010-1797 CVE-2010-1797 FreeType: Multiple stack overflows by processing CFF opcodes cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues: * instances of unsafe sprintf() use were found in the Linux kernel Bluetooth implementation. Creating a large number of Bluetooth L2CAP, SCO, or RFCOMM sockets could result in arbitrary memory pages being overwritten. A local, unprivileged user could use this flaw to cause a kernel panic (denial of service) or escalate their privileges. (CVE-2010-1084, Important) * a flaw was found in the Xen hypervisor implementation when using the Intel Itanium architecture, allowing guests to enter an unsupported state. An unprivileged guest user could trigger this flaw by setting the BE (Big Endian) bit of the Processor Status Register (PSR), leading to the guest crashing (denial of service). (CVE-2010-2070, Important) * a flaw was found in the CIFSSMBWrite() function in the Linux kernel Common Internet File System (CIFS) implementation. A remote attacker could send a specially-crafted SMB response packet to a target CIFS client, resulting in a kernel panic (denial of service). (CVE-2010-2248, Important) * buffer overflow flaws were found in the Linux kernel's implementation of the server-side External Data Representation (XDR) for the Network File System (NFS) version 4. An attacker on the local network could send a specially-crafted large compound request to the NFSv4 server, which could possibly result in a kernel panic (denial of service) or, potentially, code execution. (CVE-2010-2521, Important) * a flaw was found in the handling of the SWAPEXT IOCTL in the Linux kernel XFS file system implementation. A local user could use this flaw to read write-only files, that they do not own, on an XFS file system. This could lead to unintended information disclosure. (CVE-2010-2226, Moderate) * a flaw was found in the dns_resolver upcall used by CIFS. A local, unprivileged user could redirect a Microsoft Distributed File System link to another IP address, tricking the client into mounting the share from a server of the user's choosing. (CVE-2010-2524, Moderate) * a missing check was found in the mext_check_arguments() function in the ext4 file system code. A local user could use this flaw to cause the MOVE_EXT IOCTL to overwrite the contents of an append-only file on an ext4 file system, if they have write permissions for that file. (CVE-2010-2066, Low) Red Hat would like to thank Neil Brown for reporting CVE-2010-1084, and Dan Rosenberg for reporting CVE-2010-2226 and CVE-2010-2066. This update also fixes several bugs. Documentation for these bug fixes will be available shortly from the Technical Notes document linked to in the References. Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect. Important Copyright 2010 Red Hat, Inc. CVE-2010-1084 CVE-2010-2066 CVE-2010-2070 CVE-2010-2226 CVE-2010-2248 CVE-2010-2521 CVE-2010-2524 CVE-2010-1084 kernel: bluetooth: potential bad memory access with sysfs files CVE-2010-2070 /kernel/security/CVE-2006-0742 test cause kernel-xen panic on ia64 CVE-2010-2066 kernel: ext4: Make sure the MOVE_EXT ioctl can't overwrite append-only files CVE-2010-2226 kernel: xfs swapext ioctl minor security issue [Stratus 5.6 bug] Circular lock dep warning on cfq_exit_lock [rhel-5.5.z] RHEL5u4 2.6.18-160.el5: modprobe of acpiphp on system with no hotpluggable stots causes kernel PANIC [rhel-5.5.z] CVE-2010-2248 kernel: cifs: Fix a kernel BUG with remote OS/2 server CVE-2010-2521 kernel: nfsd4: bug in read_buf CVE-2010-2524 kernel: dns_resolver upcall security issue [5.4]The addition of SAS disk fails because of the timeout. [rhel-5.5.z] [NetApp 5.6 bug] QLogic FC firmware errors seen on RHEL 5.5 [rhel-5.5.z] [RHEL5.5] TCP bandwidth problems with TPA and bnx2x cards [rhel-5.5.z] [Broadcom 5.6 bug] cnic: Panic in cnic_iscsi_nl_msg_recv() [rhel-5.5.z] cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remotely managing virtualized systems. It was found that libvirt did not set the user-defined backing store format when creating a new image, possibly resulting in applications having to probe the backing store to discover the format. A privileged guest user could use this flaw to read arbitrary files on the host. (CVE-2010-2239) It was found that libvirt created insecure iptables rules on the host when a guest system was configured for IP masquerading, allowing the guest to use privileged ports on the host when accessing network resources. A privileged guest user could use this flaw to access network resources that would otherwise not be accessible to the guest. (CVE-2010-2242) Red Hat would like to thank Jeremy Nickurak for reporting the CVE-2010-2242 issue. This update also fixes the following bugs: * a Linux software bridge assumes the MAC address of the enslaved interface with the numerically lowest MAC address. When the bridge changes its MAC address, for a period of time it does not relay packets across network segments, resulting in a temporary network "blackout". The bridge should thus avoid changing its MAC address in order not to disrupt network communications. The Linux kernel assigns network TAP devices a random MAC address. Occasionally, this random MAC address is lower than that of the physical interface which is enslaved (for example, eth0 or eth1), which causes the bridge to change its MAC address, thereby disrupting network communications for a period of time. With this update, libvirt now sets an explicit MAC address for all TAP devices created using the configured MAC address from the XML, but with the high bit set to 0xFE. The result is that TAP device MAC addresses are now numerically greater than those for physical interfaces, and bridges should no longer attempt to switch their MAC address to that of the TAP device, thus avoiding potential spurious network disruptions. (BZ#617243) * a memory leak in the libvirt driver for the Xen hypervisor has been fixed with this update. (BZ#619711) * the xm and virsh management user interfaces for virtual guests can be called on the command line to list the number of active guests. However, under certain circumstances, running the "virsh list" command resulted in virsh not listing all of the virtual guests that were active (that is, running) at the time. This update incorporates a fix that matches the logic used for determining active guests with that of "xm list", such that both commands should now list the same number of active virtual guests under all circumstances. (BZ#618200) All users of libvirt are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the system must be rebooted for the update to take effect. Low Copyright 2010 Red Hat, Inc. CVE-2010-2239 CVE-2010-2242 CVE-2010-2242 libvirt: improperly mapped source privileged ports may allow for obtaining privileged resources on the host CVE-2010-2239 libvirt: not setting user defined backing store format when creating new image libvirt should not use the MAC address assigned to tap devices/vnet interfaces by the TAP/TUN driver. Discrepancy between xm and virsh output when listing active Xen domains Memory leak in libvirtd cpe:/a:redhat:rhel_virtualization Red Hat Enterprise Linux 5 dbus-glib is an add-on library to integrate the standard D-Bus library with the GLib main loop and threading model. NetworkManager is a network link manager that attempts to keep a wired or wireless network connection active at all times. It was discovered that dbus-glib did not enforce the "access" flag on exported GObject properties. If such a property were read/write internally but specified as read-only externally, a malicious, local user could use this flaw to modify that property of an application. Such a change could impact the application's behavior (for example, if an IP address were changed the network may not come up properly after reboot) and possibly lead to a denial of service. (CVE-2010-1172) Due to the way dbus-glib translates an application's XML definitions of service interfaces and properties into C code at application build time, applications built against dbus-glib that use read-only properties needed to be rebuilt to fully fix the flaw. As such, this update provides NetworkManager packages that have been rebuilt against the updated dbus-glib packages. No other applications shipped with Red Hat Enterprise Linux 5 were affected. All dbus-glib and NetworkManager users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. Running instances of NetworkManager must be restarted (service NetworkManager restart) for this update to take effect. Moderate Copyright 2010 Red Hat, Inc. CVE-2010-1172 CVE-2010-1172 dbus-glib: property access not validated cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in. This update fixes multiple vulnerabilities in Adobe Flash Player. These vulnerabilities are detailed on the Adobe security page APSB10-16, listed in the References section. Multiple security flaws were found in the way flash-plugin displayed certain SWF content. An attacker could use these flaws to create a specially-crafted SWF file that would cause flash-plugin to crash or, potentially, execute arbitrary code when the victim loaded a page containing the specially-crafted SWF content. (CVE-2010-0209, CVE-2010-2213, CVE-2010-2214, CVE-2010-2216) A clickjacking flaw was discovered in flash-plugin. A specially-crafted SWF file could trick a user into unintentionally or mistakenly clicking a link or a dialog. (CVE-2010-2215) All users of Adobe Flash Player should install this updated package, which upgrades Flash Player to version 10.1.82.76. Critical Copyright 2010 Red Hat, Inc. CVE-2010-0209 CVE-2010-2213 CVE-2010-2214 CVE-2010-2215 CVE-2010-2216 CVE-2010-0209 CVE-2010-2213 CVE-2010-2214 CVE-2010-2215 CVE-2010-2216 flash-plugin: multiple security flaws (APSB10-16) cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Wireshark is a program for monitoring network traffic. Wireshark was previously known as Ethereal. Multiple buffer overflow flaws were found in the Wireshark SigComp Universal Decompressor Virtual Machine (UDVM) dissector. If Wireshark read a malformed packet off a network or opened a malicious dump file, it could crash or, possibly, execute arbitrary code as the user running Wireshark. (CVE-2010-2287, CVE-2010-2995) Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file. (CVE-2010-1455, CVE-2010-2283, CVE-2010-2284, CVE-2010-2286) Users of Wireshark should upgrade to these updated packages, which contain Wireshark version 1.0.15, and resolve these issues. All running instances of Wireshark must be restarted for the update to take effect. Moderate Copyright 2010 Red Hat, Inc. CVE-2010-1455 CVE-2010-2283 CVE-2010-2284 CVE-2010-2286 CVE-2010-2287 CVE-2010-2995 CVE-2010-1455 wireshark: DOCSIS dissector crash CVE-2010-2283 wireshark: SMB dissector NULL pointer dereference CVE-2010-2284 wireshark: ASN.1 BER dissector stack overrun CVE-2010-2286 wireshark: SigComp UDVM dissector infinite loop CVE-2010-2287 CVE-2010-2995 wireshark: SigComp UDVM dissector buffer overruns cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. KVM is a Linux kernel module built for the standard Red Hat Enterprise Linux kernel. It was found that QEMU-KVM on the host did not validate all pointers provided from a guest system's QXL graphics card driver. A privileged guest user could use this flaw to cause the host to dereference an invalid pointer, causing the guest to crash (denial of service) or, possibly, resulting in the privileged guest user escalating their privileges on the host. (CVE-2010-0431) A flaw was found in QEMU-KVM, allowing the guest some control over the index used to access the callback array during sub-page MMIO initialization. A privileged guest user could use this flaw to crash the guest (denial of service) or, possibly, escalate their privileges on the host. (CVE-2010-2784) A NULL pointer dereference flaw was found when the host system had a processor with the Intel VT-x extension enabled. A privileged guest user could use this flaw to trick the host into emulating a certain instruction, which could crash the host (denial of service). (CVE-2010-0435) This update also fixes the following bugs: * running a "qemu-img" check on a faulty virtual machine image ended with a segmentation fault. With this update, the segmentation fault no longer occurs when running the "qemu-img" check. (BZ#610342) * when attempting to transfer a file between two guests that were joined in the same virtual LAN (VLAN), the receiving guest unexpectedly quit. With this update, the transfer completes successfully. (BZ#610343) * installation of a system was occasionally failing in KVM. This was caused by KVM using wrong permissions for large guest pages. With this update, the installation completes successfully. (BZ#616796) * previously, the migration process would fail for a virtual machine because the virtual machine could not map all the memory. This was caused by a conflict that was initiated when a virtual machine was initially run and then migrated right away. With this update, the conflict no longer occurs and the migration process no longer fails. (BZ#618205) * using a thinly provisioned VirtIO disk on iSCSI storage and performing a "qemu-img" check during an "e_no_space" event returned cluster errors. With this update, the errors no longer appear. (BZ#618206) All KVM users should upgrade to these updated packages, which contain backported patches to resolve these issues. Note: The procedure in the Solution section must be performed before this update will take effect. Important Copyright 2010 Red Hat, Inc. CVE-2010-0431 CVE-2010-0435 CVE-2010-2784 CVE-2010-0431 qemu: Insufficient guest provided pointers validation CVE-2010-0435 kvm: vmx null pointer dereference [kvm] segmentation fault when running qemu-img check on faulty image Virtio: Transfer file caused guest in same vlan abnormally quit KVM uses wrong permissions for large guest pages SPICE - race in KVM/Spice would cause migration to fail (slots are not registered properly?) [kvm] qemu image check returns cluster errors when using virtIO block (thinly provisioned) during e_no_space events (along with EIO errors) CVE-2010-2784 qemu: insufficient constraints checking in exec.c:subpage_register() cpe:/a:redhat:rhel_virtualization Red Hat Enterprise Linux 5 The Simple Protocol for Independent Computing Environments (SPICE) is a remote display protocol used in Red Hat Enterprise Linux for viewing virtualized guests running on the Kernel-based Virtual Machine (KVM) hypervisor, or on Red Hat Enterprise Virtualization Hypervisor. The qspice-client package provides the client side of the SPICE protocol. A race condition was found in the way the SPICE Mozilla Firefox plug-in and the SPICE client communicated. A local attacker could use this flaw to trick the plug-in and the SPICE client into communicating over an attacker-controlled socket, possibly gaining access to authentication details, or resulting in a man-in-the-middle attack on the SPICE connection. (CVE-2010-2792) Users of qspice-client should upgrade to this updated package, which contains a backported patch to correct this issue. Moderate Copyright 2010 Red Hat, Inc. CVE-2010-2792 CVE-2010-2792 spice-xpi/qspice-client unix socket race cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The Simple Protocol for Independent Computing Environments (SPICE) is a remote display protocol used in Red Hat Enterprise Linux for viewing virtualized guests running on the Kernel-based Virtual Machine (KVM) hypervisor, or on Red Hat Enterprise Virtualization Hypervisor. It was found that the libspice component of QEMU-KVM on the host did not validate all pointers provided from a guest system's QXL graphics card driver. A privileged guest user could use this flaw to cause the host to dereference an invalid pointer, causing the guest to crash (denial of service) or, possibly, resulting in the privileged guest user escalating their privileges on the host. (CVE-2010-0428) It was found that the libspice component of QEMU-KVM on the host could be forced to perform certain memory management operations on memory addresses controlled by a guest. A privileged guest user could use this flaw to crash the guest (denial of service) or, possibly, escalate their privileges on the host. (CVE-2010-0429) All qspice users should upgrade to these updated packages, which contain backported patches to correct these issues. Important Copyright 2010 Red Hat, Inc. CVE-2010-0428 CVE-2010-0429 CVE-2010-0428 libspice: Insufficient guest provided pointers validation CVE-2010-0429 libspice: Relying on guest provided data structures to indicate memory allocation cpe:/a:redhat:rhel_virtualization Supplementary for Red Hat Enterprise Linux 5 Adobe Reader allows users to view and print documents in Portable Document Format (PDF). This update fixes a vulnerability in Adobe Reader. This vulnerability is detailed on the Adobe security page APSB10-17, listed in the References section. A specially-crafted PDF file could cause Adobe Reader to crash or, potentially, execute arbitrary code as the user running Adobe Reader when opened. (CVE-2010-2862) Multiple security flaws were found in Adobe Flash Player embedded in Adobe Reader. These vulnerabilities are detailed on the Adobe security page APSB10-16, listed in the References section. A PDF file with embedded specially-crafted SWF file could cause Adobe Reader to crash or, potentially, execute arbitrary code as the user running Adobe Reader when opened. (CVE-2010-0209, CVE-2010-2213, CVE-2010-2214, CVE-2010-2215, CVE-2010-2216) All Adobe Reader users should install these updated packages. They contain Adobe Reader version 9.3.4, which is not vulnerable to these issues. All running instances of Adobe Reader must be restarted for the update to take effect. Critical Copyright 2010 Red Hat, Inc. CVE-2010-0209 CVE-2010-2213 CVE-2010-2214 CVE-2010-2215 CVE-2010-2216 CVE-2010-2862 CVE-2010-2862 acroread: integer overflow flaw allows remote arbitrary code execution CVE-2010-0209 CVE-2010-2213 CVE-2010-2214 CVE-2010-2215 CVE-2010-2216 flash-plugin: multiple security flaws (APSB10-16) acroread: multiple critical security flaws (APSB10-17) cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 OpenOffice.org is an office productivity suite that includes desktop applications, such as a word processor, spreadsheet application, presentation manager, formula editor, and a drawing program. An integer truncation error, leading to a heap-based buffer overflow, was found in the way the OpenOffice.org Impress presentation application sanitized a file's dictionary property items. An attacker could use this flaw to create a specially-crafted Microsoft Office PowerPoint file that, when opened, would cause OpenOffice.org Impress to crash or, possibly, execute arbitrary code with the privileges of the user running OpenOffice.org Impress. (CVE-2010-2935) An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way OpenOffice.org Impress processed polygons in input documents. An attacker could use this flaw to create a specially-crafted Microsoft Office PowerPoint file that, when opened, would cause OpenOffice.org Impress to crash or, possibly, execute arbitrary code with the privileges of the user running OpenOffice.org Impress. (CVE-2010-2936) All users of OpenOffice.org are advised to upgrade to these updated packages, which contain backported patches to correct these issues. For Red Hat Enterprise Linux 3, this erratum provides updated openoffice.org packages. For Red Hat Enterprise Linux 4, this erratum provides updated openoffice.org and openoffice.org2 packages. All running instances of OpenOffice.org applications must be restarted for this update to take effect. Important Copyright 2010 Red Hat, Inc. CVE-2010-2935 CVE-2010-2936 CVE-2010-2935 OpenOffice.Org: Integer truncation error by parsing specially-crafted Microsoft PowerPoint document CVE-2010-2936 OpenOffice.org: Heap-based buffer overflow by parsing specially-crafted Microsoft PowerPoint document cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The Simple Protocol for Independent Computing Environments (SPICE) is a remote display protocol used in Red Hat Enterprise Linux for viewing virtualized guests running on the Kernel-based Virtual Machine (KVM) hypervisor, or on Red Hat Enterprise Virtualization Hypervisor. The spice-xpi package provides a plug-in that allows the SPICE client to run from within Mozilla Firefox. A race condition was found in the way the SPICE Firefox plug-in and the SPICE client communicated. A local attacker could use this flaw to trick the plug-in and the SPICE client into communicating over an attacker-controlled socket, possibly gaining access to authentication details, or resulting in a man-in-the-middle attack on the SPICE connection. (CVE-2010-2792) It was found that the SPICE Firefox plug-in used a predictable name for its log file. A local attacker could use this flaw to conduct a symbolic link attack, allowing them to overwrite arbitrary files accessible to the user running Firefox. (CVE-2010-2794) This update also fixes the following bugs: * a bug prevented users of Red Hat Enterprise Linux 5.5, with all updates applied, from running the SPICE Firefox plug-in when using Firefox 3.6.4. With this update, the plug-in works correctly with Firefox 3.6.4 and the latest version in Red Hat Enterprise Linux 5.5, Firefox 3.6.7. (BZ#618244) * unused code has been removed during source code refactoring. This also resolves a bug in the SPICE Firefox plug-in that caused it to close random file descriptors. (BZ#594006, BZ#619067) Note: This update should be installed together with the RHSA-2010:0632 qspice-client update: https://rhn.redhat.com/errata/RHSA-2010-0632.html Users of spice-xpi should upgrade to this updated package, which contains backported patches to correct these issues. After installing the update, Firefox must be restarted for the changes to take effect. Moderate Copyright 2010 Red Hat, Inc. CVE-2010-2792 CVE-2010-2794 SPICE-XPI : Spice cannot be opened from RHEL5.5 client user-portal using FireFox 3.6.4. CVE-2010-2792 spice-xpi/qspice-client unix socket race CVE-2010-2794 spice-xpi symlink attack cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 ImageMagick is an image display and manipulation tool for the X Window System that can read and write multiple image formats. An integer overflow flaw, leading to a heap-based buffer overflow, was found in the ImageMagick routine responsible for creating X11 images. An attacker could create a specially-crafted image file that, when opened by a victim, would cause ImageMagick to crash or, potentially, execute arbitrary code. (CVE-2009-1882) This update also fixes the following bug: * previously, portions of certain RGB images on the right side were not rendered and left black when converting or displaying them. With this update, RGB images display correctly. (BZ#625058) Users of ImageMagick are advised to upgrade to these updated packages, which contain backported patches to correct these issues. All running instances of ImageMagick must be restarted for this update to take effect. Moderate Copyright 2010 Red Hat, Inc. CVE-2009-1882 CVE-2009-1882 ImageMagick, GraphicsMagick: Integer overflow in the routine creating X11 images CRM.1902920 - Issue displaying SGI image with ImageMagick cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 ImageMagick is an image display and manipulation tool for the X Window System that can read and write multiple image formats. An integer overflow flaw, leading to a heap-based buffer overflow, was found in the ImageMagick routine responsible for creating X11 images. An attacker could create a specially-crafted image file that, when opened by a victim, would cause ImageMagick to crash or, potentially, execute arbitrary code. (CVE-2009-1882) Users of ImageMagick are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. All running instances of ImageMagick must be restarted for this update to take effect. Moderate Copyright 2010 Red Hat, Inc. CVE-2009-1882 CVE-2009-1882 ImageMagick, GraphicsMagick: Integer overflow in the routine creating X11 images cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The GNOME Display Manager (GDM) is a configurable re-implementation of XDM, the X Display Manager. GDM allows you to log in to your system with the X Window System running, and supports running several different X sessions on your local machine at the same time. A flaw was found in the way the gdm package was built. The gdm package was missing TCP wrappers support on 64-bit platforms, which could result in an administrator believing they had access restrictions enabled when they did not. (CVE-2007-5079) This update also fixes the following bug: * sometimes the system would hang instead of properly shutting down when a user chose "Shut down" from the login screen. (BZ#625818) All users should upgrade to this updated package, which contains backported patches to correct these issues. GDM must be restarted for this update to take effect. Rebooting achieves this, but changing the runlevel from 5 to 3 and back to 5 also restarts GDM. Low Copyright 2010 Red Hat, Inc. CVE-2007-5079 CVE-2007-5079 gdm with xdmcp ignoring tcp_wrappers on x86_64 gdm/ cannot shutdown system cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The Apache HTTP Server is a popular web server. A flaw was discovered in the way the mod_proxy module of the Apache HTTP Server handled the timeouts of requests forwarded by a reverse proxy to the back-end server. If the proxy was configured to reuse existing back-end connections, it could return a response intended for another user under certain timeout conditions, possibly leading to information disclosure. (CVE-2010-2791) A flaw was found in the way the mod_dav module of the Apache HTTP Server handled certain requests. If a remote attacker were to send a carefully crafted request to the server, it could cause the httpd child process to crash. (CVE-2010-1452) This update also fixes the following bugs: * numerous issues in the INFLATE filter provided by mod_deflate. "Inflate error -5 on flush" errors may have been logged. This update upgrades mod_deflate to the newer upstream version from Apache HTTP Server 2.2.15. (BZ#625435) * the response would be corrupted if mod_filter applied the DEFLATE filter to a resource requiring a subrequest with an internal redirect. (BZ#625451) * the OID() function used in the mod_ssl "SSLRequire" directive did not correctly evaluate extensions of an unknown type. (BZ#625452) All httpd users should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd daemon must be restarted for the update to take effect. Moderate Copyright 2010 Red Hat, Inc. CVE-2010-1452 CVE-2010-2791 CVE-2010-2791 httpd: Reverse proxy sends wrong responses after time-outs CVE-2010-1452 httpd mod_cache, mod_dav: DoS (httpd child process crash) by parsing URI structure with missing path segments mod_deflate/mod_proxy generating 'Inflate error -5 on flush' errors [APACHE BUG] filter handling issues with subrequests and internal redirects mod_ssl: Further fix for SSLRequire OID() function cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issue: * when an application has a stack overflow, the stack could silently overwrite another memory mapped area instead of a segmentation fault occurring, which could cause an application to execute arbitrary code, possibly leading to privilege escalation. It is known that the X Window System server can be used to trigger this flaw. (CVE-2010-2240, Important) Red Hat would like to thank the X.Org security team for reporting this issue. Upstream acknowledges Rafal Wojtczuk as the original reporter. Users should upgrade to these updated packages, which contain backported patches to correct this issue. The system must be rebooted for this update to take effect. Important Copyright 2010 Red Hat, Inc. CVE-2010-2240 CVE-2010-2240 kernel: mm: keep a guard page below a grow-down stack segment cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The sudo (superuser do) utility allows system administrators to give certain users the ability to run commands as root. A flaw was found in the way sudo handled Runas specifications containing both a user and a group list. If a local user were authorized by the sudoers file to perform their sudo commands with the privileges of a specified user and group, they could use this flaw to run those commands with the privileges of either an arbitrary user or group on the system. (CVE-2010-2956) Red Hat would like to thank Markus Wuethrich of Swiss Post - PostFinance for reporting this issue. Users of sudo should upgrade to this updated package, which contains a backported patch to correct this issue. Important Copyright 2010 Red Hat, Inc. CVE-2010-2956 CVE-2010-2956 sudo: incorrect handling of RunAs specification with both user and group lists cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issue: * When an application has a stack overflow, the stack could silently overwrite another memory mapped area instead of a segmentation fault occurring, which could cause an application to execute arbitrary code, possibly leading to privilege escalation. It is known that the X Window System server can be used to trigger this flaw. (CVE-2010-2240, Important) Red Hat would like to thank the X.Org security team for reporting this issue. Upstream acknowledges Rafal Wojtczuk as the original reporter. Users should upgrade to these updated packages, which contain backported patches to correct this issue. The system must be rebooted for this update to take effect. Important Copyright 2010 Red Hat, Inc. CVE-2010-2240 CVE-2010-2240 kernel: mm: keep a guard page below a grow-down stack segment cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The RPM Package Manager (RPM) is a command line driven package management system capable of installing, uninstalling, verifying, querying, and updating software packages. It was discovered that RPM did not remove setuid and setgid bits set on binaries when upgrading or removing packages. A local attacker able to create hard links to binaries could use this flaw to keep those binaries on the system, at a specific version level and with the setuid or setgid bit set, even if the package providing them was upgraded or removed by a system administrator. This could have security implications if a package was upgraded or removed because of a security flaw in a setuid or setgid program. (CVE-2005-4889, CVE-2010-2059) All users of rpm are advised to upgrade to these updated packages, which contain a backported patch to correct these issues. Moderate Copyright 2010 Red Hat, Inc. CVE-2005-4889 CVE-2010-2059 CVE-2010-2059 rpm: fails to drop SUID/SGID bits on package upgrade CVE-2005-4889 rpm: fails to drop SUID/SGID bits on package removal cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The RPM Package Manager (RPM) is a command line driven package management system capable of installing, uninstalling, verifying, querying, and updating software packages. It was discovered that RPM did not remove setuid and setgid bits set on binaries when upgrading packages. A local attacker able to create hard links to binaries could use this flaw to keep those binaries on the system, at a specific version level and with the setuid or setgid bit set, even if the package providing them was upgraded by a system administrator. This could have security implications if a package was upgraded because of a security flaw in a setuid or setgid program. (CVE-2010-2059) This update also fixes the following bug: * A memory leak in the communication between RPM and the Security-Enhanced Linux (SELinux) subsystem, which could have caused extensive memory consumption. In reported cases, this issue was triggered by running rhn_check when errata were scheduled to be applied. (BZ#627630) All users of rpm are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Moderate Copyright 2010 Red Hat, Inc. CVE-2010-2059 CVE-2010-2059 rpm: fails to drop SUID/SGID bits on package upgrade rpm: selinux context initialization memory leak cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 SeaMonkey is an open source web browser, email and newsgroup client, IRC chat client, and HTML editor. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause SeaMonkey to crash or, potentially, execute arbitrary code with the privileges of the user running SeaMonkey. (CVE-2010-3169) A buffer overflow flaw was found in SeaMonkey. A web page containing malicious content could cause SeaMonkey to crash or, potentially, execute arbitrary code with the privileges of the user running SeaMonkey. (CVE-2010-2765) A use-after-free flaw and several dangling pointer flaws were found in SeaMonkey. A web page containing malicious content could cause SeaMonkey to crash or, potentially, execute arbitrary code with the privileges of the user running SeaMonkey. (CVE-2010-2760, CVE-2010-2767, CVE-2010-3167, CVE-2010-3168) A cross-site scripting (XSS) flaw was found in SeaMonkey. A web page containing malicious content could cause SeaMonkey to run JavaScript code with the permissions of a different website. (CVE-2010-2768) All SeaMonkey users should upgrade to these updated packages, which correct these issues. After installing the update, SeaMonkey must be restarted for the changes to take effect. Critical Copyright 2010 Red Hat, Inc. CVE-2010-2760 CVE-2010-2765 CVE-2010-2767 CVE-2010-2768 CVE-2010-3167 CVE-2010-3168 CVE-2010-3169 CVE-2010-3169 Mozilla Miscellaneous memory safety hazards CVE-2010-2765 Mozilla Frameset integer overflow vulnerability (MFSA 2010-50) CVE-2010-2767 Mozilla Dangling pointer vulnerability using DOM plugin array (MFSA 2010-51) CVE-2010-2760 Mozilla Dangling pointer vulnerability in nsTreeSelection (MFSA 2010-54) CVE-2010-3168 Mozilla XUL tree removal crash and remote code execution (MFSA 2010-55) CVE-2010-3167 Mozilla Dangling pointer vulnerability in nsTreeContentView (MFSA 2010-56) CVE-2010-2768 Mozilla UTF-7 XSS by overriding document charset using <object> type attribute (MFSA 2010-61) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2010-3169, CVE-2010-2762) Several use-after-free and dangling pointer flaws were found in Firefox. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2010-2760, CVE-2010-2766, CVE-2010-2767, CVE-2010-3167, CVE-2010-3168) Multiple buffer overflow flaws were found in Firefox. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2010-2765, CVE-2010-3166) Multiple cross-site scripting (XSS) flaws were found in Firefox. A web page containing malicious content could cause Firefox to run JavaScript code with the permissions of a different website. (CVE-2010-2768, CVE-2010-2769) A flaw was found in the Firefox XMLHttpRequest object. A remote site could use this flaw to gather information about servers on an internal private network. (CVE-2010-2764) For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 3.6.9. You can find a link to the Mozilla advisories in the References section of this erratum. Note: After installing this update, Firefox will fail to connect (with HTTPS) to a server using the SSL DHE (Diffie-Hellman Ephemeral) key exchange if the server's ephemeral key is too small. Connecting to such servers is a security risk as an ephemeral key that is too small makes the SSL connection vulnerable to attack. Refer to the Solution section for further information. All Firefox users should upgrade to these updated packages, which contain Firefox version 3.6.9, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect. Critical Copyright 2010 Red Hat, Inc. CVE-2010-2760 CVE-2010-2762 CVE-2010-2764 CVE-2010-2765 CVE-2010-2766 CVE-2010-2767 CVE-2010-2768 CVE-2010-2769 CVE-2010-3166 CVE-2010-3167 CVE-2010-3168 CVE-2010-3169 CVE-2010-3169 Mozilla Miscellaneous memory safety hazards CVE-2010-2765 Mozilla Frameset integer overflow vulnerability (MFSA 2010-50) CVE-2010-2767 Mozilla Dangling pointer vulnerability using DOM plugin array (MFSA 2010-51) CVE-2010-3166 Mozilla Heap buffer overflow in nsTextFrameUtils::TransformText (MFSA 2010-53) CVE-2010-2760 Mozilla Dangling pointer vulnerability in nsTreeSelection (MFSA 2010-54) CVE-2010-3168 Mozilla XUL tree removal crash and remote code execution (MFSA 2010-55) CVE-2010-3167 Mozilla Dangling pointer vulnerability in nsTreeContentView (MFSA 2010-56) CVE-2010-2766 Mozilla Crash and remote code execution in normalizeDocument (MFSA 2010-57) CVE-2010-2762 Mozilla SJOW creates scope chains ending in outer object (MFSA 2010-59) CVE-2010-2768 Mozilla UTF-7 XSS by overriding document charset using <object> type attribute (MFSA 2010-61) CVE-2010-2769 Mozilla Copy-and-paste or drag-and-drop into designMode document allows XSS (MFSA 2010-62) CVE-2010-2764 Mozilla Information leak via XMLHttpRequest statusText (MFSA 2010-63) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Thunderbird is a standalone mail and newsgroup client. Several flaws were found in the processing of malformed HTML mail content. An HTML mail message containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2010-3169) A buffer overflow flaw was found in Thunderbird. An HTML mail message containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2010-2765) A use-after-free flaw and several dangling pointer flaws were found in Thunderbird. An HTML mail message containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2010-2760, CVE-2010-2767, CVE-2010-3167, CVE-2010-3168) A cross-site scripting (XSS) flaw was found in Thunderbird. Remote HTML content could cause Thunderbird to execute JavaScript code with the permissions of different remote HTML content. (CVE-2010-2768) Note: JavaScript support is disabled by default in Thunderbird. None of the above issues are exploitable unless JavaScript is enabled. All Thunderbird users should upgrade to this updated package, which resolves these issues. All running instances of Thunderbird must be restarted for the update to take effect. Moderate Copyright 2010 Red Hat, Inc. CVE-2010-2760 CVE-2010-2765 CVE-2010-2767 CVE-2010-2768 CVE-2010-3167 CVE-2010-3168 CVE-2010-3169 CVE-2010-3169 Mozilla Miscellaneous memory safety hazards CVE-2010-2765 Mozilla Frameset integer overflow vulnerability (MFSA 2010-50) CVE-2010-2767 Mozilla Dangling pointer vulnerability using DOM plugin array (MFSA 2010-51) CVE-2010-2760 Mozilla Dangling pointer vulnerability in nsTreeSelection (MFSA 2010-54) CVE-2010-3168 Mozilla XUL tree removal crash and remote code execution (MFSA 2010-55) CVE-2010-3167 Mozilla Dangling pointer vulnerability in nsTreeContentView (MFSA 2010-56) CVE-2010-2768 Mozilla UTF-7 XSS by overriding document charset using <object> type attribute (MFSA 2010-61) cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Samba is a suite of programs used by machines to share files, printers, and other information. A missing array boundary checking flaw was found in the way Samba parsed the binary representation of Windows security identifiers (SIDs). A malicious client could send a specially-crafted SMB request to the Samba server, resulting in arbitrary code execution with the privileges of the Samba server (smbd). (CVE-2010-3069) For Red Hat Enterprise Linux 4, this update also fixes the following bug: * Previously, the restorecon utility was required during the installation of the samba-common package. As a result, attempting to update samba without this utility installed may have failed with the following error: /var/tmp/rpm-tmp.[xxxxx]: line 7: restorecon: command not found With this update, the utility is only used when it is already present on the system, and the package is now always updated as expected. (BZ#629602) Users of Samba are advised to upgrade to these updated packages, which correct these issues. After installing this update, the smb service will be restarted automatically. Critical Copyright 2010 Red Hat, Inc. CVE-2010-3069 restorecon: command not found after upgrade - leaves two samba-common versions CVE-2010-3069 Samba: Stack-based buffer overflow by processing specially-crafted SID records cpe:/o:redhat:rhel_eus cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Samba is a suite of programs used by machines to share files, printers, and other information. A missing array boundary checking flaw was found in the way Samba parsed the binary representation of Windows security identifiers (SIDs). A malicious client could send a specially-crafted SMB request to the Samba server, resulting in arbitrary code execution with the privileges of the Samba server (smbd). (CVE-2010-3069) Users of Samba are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing this update, the smb service will be restarted automatically. Critical Copyright 2010 Red Hat, Inc. CVE-2010-3069 CVE-2010-3069 Samba: Stack-based buffer overflow by processing specially-crafted SID records cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 bzip2 is a freely available, high-quality data compressor. It provides both standalone compression and decompression utilities, as well as a shared library for use with other programs. An integer overflow flaw was discovered in the bzip2 decompression routine. This issue could, when decompressing malformed archives, cause bzip2, or an application linked against the libbz2 library, to crash or, potentially, execute arbitrary code. (CVE-2010-0405) Users of bzip2 should upgrade to these updated packages, which contain a backported patch to resolve this issue. All running applications using the libbz2 library must be restarted for the update to take effect. Important Copyright 2010 Red Hat, Inc. CVE-2010-0405 CVE-2010-0405 bzip2: integer overflow flaw in BZ2_decompress cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issue: * The compat_alloc_user_space() function in the Linux kernel 32/64-bit compatibility layer implementation was missing sanity checks. This function could be abused in other areas of the Linux kernel if its length argument can be controlled from user-space. On 64-bit systems, a local, unprivileged user could use this flaw to escalate their privileges. (CVE-2010-3081, Important) Red Hat would like to thank Ben Hawkes for reporting this issue. Red Hat is aware that a public exploit for this issue is available. Refer to Knowledgebase article DOC-40265 for further details: https://access.redhat.com/kb/docs/DOC-40265 Users should upgrade to these updated packages, which contain a backported patch to correct this issue. The system must be rebooted for this update to take effect. Important Copyright 2010 Red Hat, Inc. CVE-2010-3081 CVE-2010-3081 kernel: 64-bit Compatibility Mode Stack Pointer Underflow cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in. This update fixes one vulnerability in Adobe Flash Player. This vulnerability is detailed on the Adobe security page APSB10-22, listed in the References section. If a victim loaded a page containing specially-crafted SWF content, it could cause flash-plugin to crash or, potentially, execute arbitrary code. (CVE-2010-2884) All users of Adobe Flash Player should install this updated package, which upgrades Flash Player to version 10.1.85.3 for users of Red Hat Enterprise Linux 5 Supplementary, and version 9.0.283 for users of Red Hat Enterprise Linux 3 and 4 Extras. Critical Copyright 2010 Red Hat, Inc. CVE-2010-2884 CVE-2010-2884 Adobe Flash: crash or potential arbitrary code execution (APSB10-22) cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 4 The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issue: * The compat_alloc_user_space() function in the Linux kernel 32/64-bit compatibility layer implementation was missing sanity checks. This function could be abused in other areas of the Linux kernel if its length argument can be controlled from user-space. On 64-bit systems, a local, unprivileged user could use this flaw to escalate their privileges. (CVE-2010-3081, Important) Red Hat would like to thank Ben Hawkes for reporting this issue. Refer to Knowledgebase article DOC-40265 for further details: https://access.redhat.com/kb/docs/DOC-40265 Users should upgrade to these updated packages, which contain a backported patch to correct this issue. The system must be rebooted for this update to take effect. Important Copyright 2010 Red Hat, Inc. CVE-2010-3081 CVE-2010-3081 kernel: 64-bit Compatibility Mode Stack Pointer Underflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 MikMod is a MOD music file player for Linux, UNIX, and similar operating systems. It supports various file formats including MOD, STM, S3M, MTM, XM, ULT, and IT. Multiple input validation flaws, resulting in buffer overflows, were discovered in MikMod. Specially-crafted music files in various formats could, when played, cause an application using the MikMod library to crash or, potentially, execute arbitrary code. (CVE-2009-3995, CVE-2009-3996, CVE-2007-6720) All MikMod users should upgrade to these updated packages, which contain backported patches to correct these issues. All running applications using the MikMod library must be restarted for this update to take effect. Moderate Copyright 2010 Red Hat, Inc. CVE-2007-6720 CVE-2009-3995 CVE-2009-3996 CVE-2007-6720 mikmod: crash or abort when loading/playing multiple files with different number of channels CVE-2009-3995 CVE-2009-3996 libmikmod: arbitrary code execution via crafted Impulse Tracker or Ultratracker files cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues: * A buffer overflow flaw was found in the ecryptfs_uid_hash() function in the Linux kernel eCryptfs implementation. On systems that have the eCryptfs netlink transport (Red Hat Enterprise Linux 5 does) or where the "/dev/ecryptfs" file has world writable permissions (which it does not, by default, on Red Hat Enterprise Linux 5), a local, unprivileged user could use this flaw to cause a denial of service or possibly escalate their privileges. (CVE-2010-2492, Important) * A miscalculation of the size of the free space of the initial directory entry in a directory leaf block was found in the Linux kernel Global File System 2 (GFS2) implementation. A local, unprivileged user with write access to a GFS2-mounted file system could perform a rename operation on that file system to trigger a NULL pointer dereference, possibly resulting in a denial of service or privilege escalation. (CVE-2010-2798, Important) * A flaw was found in the Xen hypervisor implementation when running a system that has an Intel CPU without Extended Page Tables (EPT) support. While attempting to dump information about a crashing fully-virtualized guest, the flaw could cause the hypervisor to crash the host as well. A user with permissions to configure a fully-virtualized guest system could use this flaw to crash the host. (CVE-2010-2938, Moderate) * Information leak flaws were found in the Linux kernel's Traffic Control Unit implementation. A local attacker could use these flaws to cause the kernel to leak kernel memory to user-space, possibly leading to the disclosure of sensitive information. (CVE-2010-2942, Moderate) * A flaw was found in the Linux kernel's XFS file system implementation. The file handle lookup could return an invalid inode as valid. If an XFS file system was mounted via NFS (Network File System), a local attacker could access stale data or overwrite existing data that reused the inodes. (CVE-2010-2943, Moderate) * An integer overflow flaw was found in the extent range checking code in the Linux kernel's ext4 file system implementation. A local, unprivileged user with write access to an ext4-mounted file system could trigger this flaw by writing to a file at a very large file offset, resulting in a local denial of service. (CVE-2010-3015, Moderate) * An information leak flaw was found in the Linux kernel's USB implementation. Certain USB errors could result in an uninitialized kernel buffer being sent to user-space. An attacker with physical access to a target system could use this flaw to cause an information leak. (CVE-2010-1083, Low) Red Hat would like to thank Andre Osterhues for reporting CVE-2010-2492; Grant Diffey of CenITex for reporting CVE-2010-2798; Toshiyuki Okajima for reporting CVE-2010-3015; and Marcus Meissner for reporting CVE-2010-1083. This update also fixes several bugs. Documentation for these bug fixes will be available shortly from the Technical Notes document linked to in the References. Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect. Important Copyright 2010 Red Hat, Inc. CVE-2010-1083 CVE-2010-2492 CVE-2010-2798 CVE-2010-2938 CVE-2010-2942 CVE-2010-2943 CVE-2010-3015 CVE-2010-1083 kernel: information leak via userspace USB interface CVE-2010-2492 kernel: ecryptfs_uid_hash() buffer overflow CVE-2010-2798 kernel: gfs2: rename causes kernel panic CVE-2010-2938 kernel: guest crashes on non-EPT machines may crash the host as well ips driver sleeps while holding spin_lock [rhel-5.5.z] Significant MSI performance issue due to redundant interrupt masking [rhel-5.5.z] High CPU overhead from mapping/unmapping the zero page [rhel-5.5.z] [5u6] Bonding in ALB mode sends ARP in loop [rhel-5.5.z] CVE-2010-3015 kernel: integer overflow in ext4_ext_get_blocks() cpu flags missing from /proc/cpuinfo [rhel-5.5.z] need to backport 2e3219b5c8a2e44e0b83ae6e04f52f20a82ac0f2 [rhel-5.5.z] CVE-2010-2942 kernel: net sched: fix some kernel memory leaks CVE-2010-2943 kernel: xfs: validate inode numbers in file handles correctly dasd: force online does not work. [rhel-5.5.z] dasd: allocate fallback cqr for reserve/release [rhel-5.5.z] [rhel5.6] XFS incorrectly validates inodes [rhel-5.5.z] Detect and recover from cxgb3 adapter parity errors [rhel-5.5.z] cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 In accordance with the Red Hat Enterprise Linux Errata Support Policy, the regular 7 year life-cycle of Red Hat Enterprise Linux 3 will end on October 31, 2010. After this date, Red Hat will discontinue the regular subscription services for Red Hat Enterprise Linux 3. Therefore, new bug fix, enhancement, and security errata updates, as well as technical support services will no longer be available for the following products: * Red Hat Enterprise Linux AS 3 * Red Hat Enterprise Linux ES 3 * Red Hat Enterprise Linux WS 3 * Red Hat Enterprise Linux Extras 3 * Red Hat Desktop 3 * Red Hat Global File System 3 * Red Hat Cluster Suite 3 Customers still running production workloads on Red Hat Enterprise Linux 3 are advised to begin planning the upgrade to Red Hat Enterprise Linux 5. Active subscribers of Red Hat Enterprise Linux already have access to all currently maintained versions of Red Hat Enterprise Linux, as part of their subscription without additional fees. For customers who are unable to migrate off Red Hat Enterprise Linux 3 before its end-of-life date, Red Hat is offering a limited, optional extension program referred to as RHEL 3 ELS. For more information, contact your Red Hat sales representative or channel partner on this program. Once you are eligible for subscribing to the RHEL 3 ELS channels, read the Red Hat Knowledgebase article DOC-40489 at https://access.redhat.com/kb/docs/DOC-40489 for detailed information on how to subscribe to the RHEL 3 ELS channels. Details of the Red Hat Enterprise Linux life-cycle can be found on the Red Hat website: http://www.redhat.com/security/updates/errata/ Low Copyright 2010 Red Hat, Inc. Send Out RHEL 3 1-Month EOL Notice cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 FreeType is a free, high-quality, portable font engine that can open and manage font files. It also loads, hints, and renders individual glyphs efficiently. The freetype packages for Red Hat Enterprise Linux 3 provide both the FreeType 1 and FreeType 2 font engines. It was discovered that the FreeType font rendering engine improperly validated certain position values when processing input streams. If a user loaded a specially-crafted font file with an application linked against FreeType, and the relevant font glyphs were subsequently rendered with the X FreeType library (libXft), it could trigger a heap-based buffer overflow in the libXft library, causing the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2010-3311) An array index error was found in the way the FreeType font rendering engine processed certain PostScript Type 42 font files. If a user loaded a specially-crafted font file with an application linked against FreeType, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2010-2806) A stack overflow flaw was found in the way the FreeType font rendering engine processed PostScript Type 1 font files that contain nested Standard Encoding Accented Character (seac) calls. If a user loaded a specially-crafted font file with an application linked against FreeType, it could cause the application to crash. (CVE-2010-3054) Note: All of the issues in this erratum only affect the FreeType 2 font engine. Users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The X server must be restarted (log out, then log back in) for this update to take effect. Important Copyright 2010 Red Hat, Inc. CVE-2010-2806 CVE-2010-3054 CVE-2010-3311 CVE-2010-2806 FreeType: Heap-based buffer overflow by processing FontType42 fonts with negative length of SFNT strings (FT bug #30656) CVE-2010-3311 freetype: Input stream position error by processing Compact Font Format (CFF) font files CVE-2010-3054 freetype: DoS via nested "seac" calls cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 FreeType is a free, high-quality, portable font engine that can open and manage font files. It also loads, hints, and renders individual glyphs efficiently. The freetype packages for Red Hat Enterprise Linux 4 provide both the FreeType 1 and FreeType 2 font engines. The freetype packages for Red Hat Enterprise Linux 5 provide only the FreeType 2 font engine. It was discovered that the FreeType font rendering engine improperly validated certain position values when processing input streams. If a user loaded a specially-crafted font file with an application linked against FreeType, and the relevant font glyphs were subsequently rendered with the X FreeType library (libXft), it could trigger a heap-based buffer overflow in the libXft library, causing the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2010-3311) A stack-based buffer overflow flaw was found in the way the FreeType font rendering engine processed some PostScript Type 1 fonts. If a user loaded a specially-crafted font file with an application linked against FreeType, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2010-2808) An array index error was found in the way the FreeType font rendering engine processed certain PostScript Type 42 font files. If a user loaded a specially-crafted font file with an application linked against FreeType, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2010-2806) A stack overflow flaw was found in the way the FreeType font rendering engine processed PostScript Type 1 font files that contain nested Standard Encoding Accented Character (seac) calls. If a user loaded a specially-crafted font file with an application linked against FreeType, it could cause the application to crash. (CVE-2010-3054) Note: All of the issues in this erratum only affect the FreeType 2 font engine. Users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The X server must be restarted (log out, then log back in) for this update to take effect. Important Copyright 2010 Red Hat, Inc. CVE-2010-2806 CVE-2010-2808 CVE-2010-3054 CVE-2010-3311 CVE-2010-2808 FreeType: Stack-based buffer overflow by processing certain LWFN fonts CVE-2010-2806 FreeType: Heap-based buffer overflow by processing FontType42 fonts with negative length of SFNT strings (FT bug #30656) CVE-2010-3311 freetype: Input stream position error by processing Compact Font Format (CFF) font files CVE-2010-3054 freetype: DoS via nested "seac" calls cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 PostgreSQL is an advanced object-relational database management system (DBMS). PL/Perl and PL/Tcl allow users to write PostgreSQL functions in the Perl and Tcl languages. The PostgreSQL SECURITY DEFINER parameter, which can be used when creating a new PostgreSQL function, specifies that the function will be executed with the privileges of the user that created it. It was discovered that a user could utilize the features of the PL/Perl and PL/Tcl languages to modify the behavior of a SECURITY DEFINER function created by a different user. If the PL/Perl or PL/Tcl language was used to implement a SECURITY DEFINER function, an authenticated database user could use a PL/Perl or PL/Tcl script to modify the behavior of that function during subsequent calls in the same session. This would result in the modified or injected code also being executed with the privileges of the user who created the SECURITY DEFINER function, possibly leading to privilege escalation. (CVE-2010-3433) For Red Hat Enterprise Linux 4, the updated postgresql packages upgrade PostgreSQL to version 7.4.30. Refer to the PostgreSQL Release Notes for a list of changes: http://www.postgresql.org/docs/7.4/static/release.html For Red Hat Enterprise Linux 5, the updated postgresql packages upgrade PostgreSQL to version 8.1.22, and the updated postgresql84 packages upgrade PostgreSQL to version 8.4.5. Refer to the PostgreSQL Release Notes for a list of changes: http://www.postgresql.org/docs/8.1/static/release.html http://www.postgresql.org/docs/8.4/static/release.html All PostgreSQL users are advised to upgrade to these updated packages, which correct this issue. If the postgresql service is running, it will be automatically restarted after installing this update. Moderate Copyright 2010 Red Hat, Inc. CVE-2010-3433 CVE-2010-3433 PostgreSQL (PL/Perl, PL/Tcl): SECURITY DEFINER function keyword bypass cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 Adobe Reader allows users to view and print documents in Portable Document Format (PDF). This update fixes multiple vulnerabilities in Adobe Reader. These vulnerabilities are detailed on the Adobe security page APSB10-21, listed in the References section. A specially-crafted PDF file could cause Adobe Reader to crash or, potentially, execute arbitrary code as the user running Adobe Reader when opened. (CVE-2010-2883, CVE-2010-2884, CVE-2010-2889, CVE-2010-2890, CVE-2010-3619, CVE-2010-3620, CVE-2010-3621, CVE-2010-3622, CVE-2010-3625, CVE-2010-3626, CVE-2010-3627, CVE-2010-3628, CVE-2010-3629, CVE-2010-3630, CVE-2010-3632, CVE-2010-3658) An insecure relative RPATH (runtime library search path) set in some Adobe Reader libraries could allow a local attacker, who is able to convince another user to run Adobe Reader in an attacker-controlled directory, to execute arbitrary code with the privileges of the victim. (CVE-2010-2887) A specially-crafted PDF file could cause Adobe Reader to crash when opened. (CVE-2010-3656, CVE-2010-3657) All Adobe Reader users should install these updated packages. They contain Adobe Reader version 9.4, which is not vulnerable to these issues. All running instances of Adobe Reader must be restarted for the update to take effect. Critical Copyright 2010 Red Hat, Inc. CVE-2010-2883 CVE-2010-2884 CVE-2010-2887 CVE-2010-2889 CVE-2010-2890 CVE-2010-3619 CVE-2010-3620 CVE-2010-3621 CVE-2010-3622 CVE-2010-3625 CVE-2010-3626 CVE-2010-3627 CVE-2010-3628 CVE-2010-3629 CVE-2010-3630 CVE-2010-3632 CVE-2010-3656 CVE-2010-3657 CVE-2010-3658 CVE-2010-2883 Acroread: Stack-based buffer overflow by processing certain fonts (APSA10-02) CVE-2010-2884 Adobe Flash: crash or potential arbitrary code execution (APSB10-22) acroread: multiple code execution flaws (APSB10-21) acroread: denial of service flaws (APSB10-21) CVE-2010-2887 acroread: use of insecure RPATH (APSB10-21) cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 5 Poppler is a Portable Document Format (PDF) rendering library, used by applications such as Evince. An uninitialized pointer use flaw was discovered in poppler. An attacker could create a malicious PDF file that, when opened, would cause applications that use poppler (such as Evince) to crash or, potentially, execute arbitrary code. (CVE-2010-3702) An array index error was found in the way poppler parsed PostScript Type 1 fonts embedded in PDF documents. An attacker could create a malicious PDF file that, when opened, would cause applications that use poppler (such as Evince) to crash or, potentially, execute arbitrary code. (CVE-2010-3704) Users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Important Copyright 2010 Red Hat, Inc. CVE-2010-3702 CVE-2010-3704 CVE-2010-3702 xpdf: uninitialized Gfx::parser pointer dereference CVE-2010-3704 xpdf: array indexing error in FoFiType1::parse() cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Xpdf is an X Window System based viewer for Portable Document Format (PDF) files. An uninitialized pointer use flaw was discovered in Xpdf. An attacker could create a malicious PDF file that, when opened, would cause Xpdf to crash or, potentially, execute arbitrary code. (CVE-2010-3702) Users are advised to upgrade to this updated package, which contains a backported patch to correct this issue. Important Copyright 2010 Red Hat, Inc. CVE-2010-3702 CVE-2010-3702 xpdf: uninitialized Gfx::parser pointer dereference cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Xpdf is an X Window System based viewer for Portable Document Format (PDF) files. An uninitialized pointer use flaw was discovered in Xpdf. An attacker could create a malicious PDF file that, when opened, would cause Xpdf to crash or, potentially, execute arbitrary code. (CVE-2010-3702) An array index error was found in the way Xpdf parsed PostScript Type 1 fonts embedded in PDF documents. An attacker could create a malicious PDF file that, when opened, would cause Xpdf to crash or, potentially, execute arbitrary code. (CVE-2010-3704) Users are advised to upgrade to this updated package, which contains backported patches to correct these issues. Important Copyright 2010 Red Hat, Inc. CVE-2010-3702 CVE-2010-3704 CVE-2010-3702 xpdf: uninitialized Gfx::parser pointer dereference CVE-2010-3704 xpdf: array indexing error in FoFiType1::parse() cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 GPdf is a viewer for Portable Document Format (PDF) files. An uninitialized pointer use flaw was discovered in GPdf. An attacker could create a malicious PDF file that, when opened, would cause GPdf to crash or, potentially, execute arbitrary code. (CVE-2010-3702) An array index error was found in the way GPdf parsed PostScript Type 1 fonts embedded in PDF documents. An attacker could create a malicious PDF file that, when opened, would cause GPdf to crash or, potentially, execute arbitrary code. (CVE-2010-3704) Users are advised to upgrade to this updated package, which contains backported patches to correct these issues. Important Copyright 2010 Red Hat, Inc. CVE-2010-3702 CVE-2010-3704 CVE-2010-3702 xpdf: uninitialized Gfx::parser pointer dereference CVE-2010-3704 xpdf: array indexing error in FoFiType1::parse() cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The kdegraphics packages contain applications for the K Desktop Environment, including KPDF, a viewer for Portable Document Format (PDF) files. An uninitialized pointer use flaw was discovered in KPDF. An attacker could create a malicious PDF file that, when opened, would cause KPDF to crash or, potentially, execute arbitrary code. (CVE-2010-3702) An array index error was found in the way KPDF parsed PostScript Type 1 fonts embedded in PDF documents. An attacker could create a malicious PDF file that, when opened, would cause KPDF to crash or, potentially, execute arbitrary code. (CVE-2010-3704) Users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Important Copyright 2010 Red Hat, Inc. CVE-2010-3702 CVE-2010-3704 CVE-2010-3702 xpdf: uninitialized Gfx::parser pointer dereference CVE-2010-3704 xpdf: array indexing error in FoFiType1::parse() cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX operating systems. The CUPS "pdftops" filter converts Portable Document Format (PDF) files to PostScript. An uninitialized pointer use flaw was discovered in the CUPS "pdftops" filter. An attacker could create a malicious PDF file that, when printed, would cause "pdftops" to crash or, potentially, execute arbitrary code as the "lp" user. (CVE-2010-3702) Users of cups are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing this update, the cupsd daemon will be restarted automatically. Important Copyright 2010 Red Hat, Inc. CVE-2010-3702 CVE-2010-3702 xpdf: uninitialized Gfx::parser pointer dereference cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX operating systems. The CUPS "pdftops" filter converts Portable Document Format (PDF) files to PostScript. Multiple flaws were discovered in the CUPS "pdftops" filter. An attacker could create a malicious PDF file that, when printed, would cause "pdftops" to crash or, potentially, execute arbitrary code as the "lp" user. (CVE-2010-3702, CVE-2009-3609) Users of cups are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the cupsd daemon will be restarted automatically. Important Copyright 2010 Red Hat, Inc. CVE-2009-3609 CVE-2010-3702 CVE-2009-3609 xpdf/poppler: ImageStream::ImageStream integer overflow CVE-2010-3702 xpdf: uninitialized Gfx::parser pointer dereference cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 These packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software Development Kit. defaultReadObject of the Serialization API could be tricked into setting a volatile field multiple times, which could allow a remote attacker to execute arbitrary code with the privileges of the user running the applet or application. (CVE-2010-3569) Race condition in the way objects were deserialized could allow an untrusted applet or application to misuse the privileges of the user running the applet or application. (CVE-2010-3568) Miscalculation in the OpenType font rendering implementation caused out-of-bounds memory access, which could allow remote attackers to execute code with the privileges of the user running the java process. (CVE-2010-3567) JPEGImageWriter.writeImage in the imageio API improperly checked certain image metadata, which could allow a remote attacker to execute arbitrary code in the context of the user running the applet or application. (CVE-2010-3565) Double free in IndexColorModel could cause an untrusted applet or application to crash or, possibly, execute arbitrary code with the privileges of the user running the applet or application. (CVE-2010-3562) The privileged accept method of the ServerSocket class in the Common Object Request Broker Architecture (CORBA) implementation in OpenJDK allowed it to receive connections from any host, instead of just the host of the current connection. An attacker could use this flaw to bypass restrictions defined by network permissions. (CVE-2010-3561) Flaws in the Swing library could allow an untrusted application to modify the behavior and state of certain JDK classes. (CVE-2010-3557) Flaws in the CORBA implementation could allow an attacker to execute arbitrary code by misusing permissions granted to certain system objects. (CVE-2010-3554) UIDefault.ProxyLazyValue had unsafe reflection usage, allowing untrusted callers to create objects via ProxyLazyValue values. (CVE-2010-3553) HttpURLConnection improperly handled the "chunked" transfer encoding method, which could allow remote attackers to conduct HTTP response splitting attacks. (CVE-2010-3549) HttpURLConnection improperly checked whether the calling code was granted the "allowHttpTrace" permission, allowing untrusted code to create HTTP TRACE requests. (CVE-2010-3574) HttpURLConnection did not validate request headers set by applets, which could allow remote attackers to trigger actions otherwise restricted to HTTP clients. (CVE-2010-3541, CVE-2010-3573) The Kerberos implementation improperly checked the sanity of AP-REQ requests, which could cause a denial of service condition in the receiving Java Virtual Machine. (CVE-2010-3564) The RHSA-2010:0339 update mitigated a man-in-the-middle attack in the way the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocols handle session renegotiation by disabling renegotiation. This update implements the TLS Renegotiation Indication Extension as defined in RFC 5746, allowing secure renegotiation between updated clients and servers. (CVE-2009-3555) The NetworkInterface class improperly checked the network "connect" permissions for local network addresses, which could allow remote attackers to read local network addresses. (CVE-2010-3551) Information leak flaw in the Java Naming and Directory Interface (JNDI) could allow a remote attacker to access information about otherwise-protected internal network names. (CVE-2010-3548) Note: Flaws concerning applets in this advisory (CVE-2010-3568, CVE-2010-3554, CVE-2009-3555, CVE-2010-3562, CVE-2010-3557, CVE-2010-3548, CVE-2010-3564, CVE-2010-3565, CVE-2010-3569) can only be triggered in OpenJDK by calling the "appletviewer" application. Bug fixes: * This update provides one defense in depth patch. (BZ#639922) * Problems for certain SSL connections. In a reported case, this prevented the JBoss JAAS modules from connecting over SSL to Microsoft Active Directory servers. (BZ#618290) Important Copyright 2010 Red Hat, Inc. CVE-2009-3555 CVE-2010-3541 CVE-2010-3548 CVE-2010-3549 CVE-2010-3551 CVE-2010-3553 CVE-2010-3554 CVE-2010-3557 CVE-2010-3561 CVE-2010-3562 CVE-2010-3564 CVE-2010-3565 CVE-2010-3567 CVE-2010-3568 CVE-2010-3569 CVE-2010-3573 CVE-2010-3574 CVE-2009-3555 TLS: MITM attacks via session renegotiation Error connecting to Active Directory (AD) over SSL. CVE-2010-3568 OpenJDK Deserialization Race condition (6559775) CVE-2010-3554 CVE-2010-3561 OpenJDK corba reflection vulnerabilities (6891766,6925672) CVE-2010-3562 OpenJDK IndexColorModel double-free (6925710) CVE-2010-3557 OpenJDK Swing mutable static (6938813) CVE-2010-3548 OpenJDK DNS server IP address information leak (6957564) CVE-2010-3564 OpenJDK kerberos vulnerability (6958060) CVE-2010-3565 OpenJDK JPEG writeImage remote code execution (6963023) CVE-2010-3566 OpenJDK ICC Profile remote code execution (6963489) CVE-2010-3569 OpenJDK Serialization inconsistencies (6966692) CVE-2010-3553 OpenJDK Swing unsafe reflection usage (6622002) CVE-2010-3549 OpenJDK HttpURLConnection request splitting (6952017) CVE-2010-3551 OpenJDK local network address disclosure (6952603) CVE-2010-3567 OpenJDK ICU Opentype layout engine crash (6963285) CVE-2010-3541 CVE-2010-3573 OpenJDK HttpURLConnection allows arbitrary request headers (6961084,6980004) CVE-2010-3574 OpenJDK HttpURLConnection incomplete TRACE permission check (6981426) cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 The Sun 1.6.0 Java release includes the Sun Java 6 Runtime Environment and the Sun Java 6 Software Development Kit. This update fixes several vulnerabilities in the Sun Java 6 Runtime Environment and the Sun Java 6 Software Development Kit. Further information about these flaws can be found on the "Oracle Java SE and Java for Business Critical Patch Update Advisory" page, listed in the References section. (CVE-2010-1321, CVE-2010-3541, CVE-2010-3548, CVE-2010-3549, CVE-2010-3550, CVE-2010-3551, CVE-2010-3552, CVE-2010-3553, CVE-2010-3554, CVE-2010-3555, CVE-2010-3556, CVE-2010-3557, CVE-2010-3558, CVE-2010-3559, CVE-2010-3560, CVE-2010-3561, CVE-2010-3562, CVE-2010-3563, CVE-2010-3565, CVE-2010-3566, CVE-2010-3567, CVE-2010-3568, CVE-2010-3569, CVE-2010-3570, CVE-2010-3571, CVE-2010-3572, CVE-2010-3573, CVE-2010-3574) The RHSA-2010:0337 update mitigated a man-in-the-middle attack in the way the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocols handle session renegotiation by disabling renegotiation. This update implements the TLS Renegotiation Indication Extension as defined in RFC 5746, allowing secure renegotiation between updated clients and servers. (CVE-2009-3555) Users of java-1.6.0-sun should upgrade to these updated packages, which correct these issues. All running instances of Sun Java must be restarted for the update to take effect. Critical Copyright 2010 Red Hat, Inc. CVE-2009-3555 CVE-2010-1321 CVE-2010-3541 CVE-2010-3548 CVE-2010-3549 CVE-2010-3550 CVE-2010-3551 CVE-2010-3552 CVE-2010-3553 CVE-2010-3554 CVE-2010-3555 CVE-2010-3556 CVE-2010-3557 CVE-2010-3558 CVE-2010-3559 CVE-2010-3560 CVE-2010-3561 CVE-2010-3562 CVE-2010-3563 CVE-2010-3565 CVE-2010-3566 CVE-2010-3567 CVE-2010-3568 CVE-2010-3569 CVE-2010-3570 CVE-2010-3571 CVE-2010-3572 CVE-2010-3573 CVE-2010-3574 CVE-2009-3555 TLS: MITM attacks via session renegotiation CVE-2010-1321 krb5: null pointer dereference in GSS-API library leads to DoS (MITKRB5-SA-2010-005) CVE-2010-3568 OpenJDK Deserialization Race condition (6559775) CVE-2010-3554 CVE-2010-3561 OpenJDK corba reflection vulnerabilities (6891766,6925672) CVE-2010-3562 OpenJDK IndexColorModel double-free (6925710) CVE-2010-3557 OpenJDK Swing mutable static (6938813) CVE-2010-3548 OpenJDK DNS server IP address information leak (6957564) CVE-2010-3565 OpenJDK JPEG writeImage remote code execution (6963023) CVE-2010-3566 OpenJDK ICC Profile remote code execution (6963489) CVE-2010-3569 OpenJDK Serialization inconsistencies (6966692) CVE-2010-3553 OpenJDK Swing unsafe reflection usage (6622002) CVE-2010-3549 OpenJDK HttpURLConnection request splitting (6952017) CVE-2010-3551 OpenJDK local network address disclosure (6952603) CVE-2010-3567 OpenJDK ICU Opentype layout engine crash (6963285) CVE-2010-3541 CVE-2010-3573 OpenJDK HttpURLConnection allows arbitrary request headers (6961084,6980004) CVE-2010-3574 OpenJDK HttpURLConnection incomplete TRACE permission check (6981426) CVE-2010-3555 JDK unspecified vulnerability in Deployment component CVE-2010-3550 JDK unspecified vulnerability in Java Web Start component CVE-2010-3570 JDK unspecified vulnerability in Deployment Toolkit CVE-2010-3560 JDK unspecified vulnerability in Networking component CVE-2010-3556 JDK unspecified vulnerability in 2D component CVE-2010-3571 JDK unspecified vulnerability in 2D component CVE-2010-3563 JDK unspecified vulnerability in Deployment component CVE-2010-3558 JDK unspecified vulnerability in Java Web Start component CVE-2010-3552 JDK unspecified vulnerability in New Java Plugin component CVE-2010-3559 JDK unspecified vulnerability in Sound component CVE-2010-3572 JDK unspecified vulnerability in Sound component cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 4 The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues: * Information leak flaws were found in the Linux kernel Traffic Control Unit implementation. A local attacker could use these flaws to cause the kernel to leak kernel memory to user-space, possibly leading to the disclosure of sensitive information. (CVE-2010-2942, Moderate) * A flaw was found in the tcf_act_police_dump() function in the Linux kernel network traffic policing implementation. A data structure in tcf_act_police_dump() was not initialized properly before being copied to user-space. A local, unprivileged user could use this flaw to cause an information leak. (CVE-2010-3477, Moderate) * A missing upper bound integer check was found in the sys_io_submit() function in the Linux kernel asynchronous I/O implementation. A local, unprivileged user could use this flaw to cause an information leak. (CVE-2010-3067, Low) Red Hat would like to thank Tavis Ormandy for reporting CVE-2010-3067. This update also fixes the following bugs: * When two systems using bonding devices in the adaptive load balancing (ALB) mode communicated with each other, an endless loop of ARP replies started between these two systems due to a faulty MAC address update. With this update, the MAC address update no longer creates unneeded ARP replies. (BZ#629239) * When running the Connectathon NFS Testsuite with certain clients and Red Hat Enterprise Linux 4.8 as the server, nfsvers4, lock, and test2 failed the Connectathon test. (BZ#625535) * For UDP/UNIX domain sockets, due to insufficient memory barriers in the network code, a process sleeping in select() may have missed notifications about new data. In rare cases, this bug may have caused a process to sleep forever. (BZ#640117) * In certain situations, a bug found in either the HTB or TBF network packet schedulers in the Linux kernel could have caused a kernel panic when using Broadcom network cards with the bnx2 driver. (BZ#624363) * Previously, allocating fallback cqr for DASD reserve/release IOCTLs failed because it used the memory pool of the respective device. This update preallocates sufficient memory for a single reserve/release request. (BZ#626828) * In some situations a bug prevented "force online" succeeding for a DASD device. (BZ#626827) * Using the "fsstress" utility may have caused a kernel panic. (BZ#633968) * This update introduces additional stack guard patches. (BZ#632515) * A bug was found in the way the megaraid_sas driver handled physical disks and management IOCTLs. All physical disks were exported to the disk layer, allowing an oops in megasas_complete_cmd_dpc() when completing the IOCTL command if a timeout occurred. (BZ#631903) * Previously, a warning message was returned when a large amount of messages was passed through netconsole and a considerable amount of network load was added. With this update, the warning message is no longer displayed. (BZ#637729) * Executing a large "dd" command (1 to 5GB) on an iSCSI device with the qla3xxx driver caused a system crash due to the incorrect storing of a private data structure. With this update, the size of the stored data structure is checked and the system crashes no longer occur. (BZ#624364) Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect. Moderate Copyright 2010 Red Hat, Inc. CVE-2010-2942 CVE-2010-3067 CVE-2010-3477 bnx2: panic in bnx2_poll_work() [rhel-4.8.z] system crashes due to corrupt net_device_wrapper structure [rhel-4.8.z] CVE-2010-2942 kernel: net sched: fix some kernel memory leaks [Kernel] cthon nfsvers4, lock, test2 failing with rhel6 client vs. rhel4 server [rhel-4.8.z] dasd: force online does not work. [rhel-4.8.z] dasd: allocate fallback cqr for reserve/release [rhel-4.8.z] [4u8] Bonding in ALB mode sends ARP in loop [rhel-4.8.z] CVE-2010-3067 kernel: do_io_submit() infoleak megaraid_sas: fix physical disk handling [rhel-4.8.z] kernel: additional stack guard patches [rhel-4.9] [rhel-4.8.z] kernel BUG at fs/mpage.c:417! [rhel-4.8.z] CVE-2010-3477 kernel: net/sched/act_police.c infoleak netconsole on e1000 cause "Badness in local_bh_enable at kernel/softirq.c:141" [rhel-4.8.z] [RHEL4.5] select() cannot return in UDP/UNIX domain socket [rhel-4.8.z] cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Thunderbird is a standalone mail and newsgroup client. Several flaws were found in the processing of malformed HTML mail content. An HTML mail message containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2010-3176, CVE-2010-3180) Note: JavaScript support is disabled by default in Thunderbird. The above issues are not exploitable unless JavaScript is enabled. A flaw was found in the script that launches Thunderbird. The LD_LIBRARY_PATH variable was appending a "." character, which could allow a local attacker to execute arbitrary code with the privileges of a different user running Thunderbird, if that user ran Thunderbird from within an attacker-controlled directory. (CVE-2010-3182) All Thunderbird users should upgrade to this updated package, which resolves these issues. All running instances of Thunderbird must be restarted for the update to take effect. Moderate Copyright 2010 Red Hat, Inc. CVE-2010-3176 CVE-2010-3180 CVE-2010-3182 CVE-2010-3176 Mozilla miscellaneous memory safety hazards CVE-2010-3180 Mozilla use-after-free error in nsBarProp CVE-2010-3182 Mozilla unsafe library loading flaw cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 SeaMonkey is an open source web browser, email and newsgroup client, IRC chat client, and HTML editor. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause SeaMonkey to crash or, potentially, execute arbitrary code with the privileges of the user running SeaMonkey. (CVE-2010-3176, CVE-2010-3180) A flaw was found in the way the Gopher parser in SeaMonkey converted text into HTML. A malformed file name on a Gopher server could, when accessed by a victim running SeaMonkey, allow arbitrary JavaScript to be executed in the context of the Gopher domain. (CVE-2010-3177) A flaw was found in the script that launches SeaMonkey. The LD_LIBRARY_PATH variable was appending a "." character, which could allow a local attacker to execute arbitrary code with the privileges of a different user running SeaMonkey, if that user ran SeaMonkey from within an attacker-controlled directory. (CVE-2010-3182) It was found that the SSL DHE (Diffie-Hellman Ephemeral) mode implementation for key exchanges in SeaMonkey accepted DHE keys that were 256 bits in length. This update removes support for 256 bit DHE keys, as such keys are easily broken using modern hardware. (CVE-2010-3173) A flaw was found in the way SeaMonkey matched SSL certificates when the certificates had a Common Name containing a wildcard and a partial IP address. SeaMonkey incorrectly accepted connections to IP addresses that fell within the SSL certificate's wildcard range as valid SSL connections, possibly allowing an attacker to conduct a man-in-the-middle attack. (CVE-2010-3170) All SeaMonkey users should upgrade to these updated packages, which correct these issues. After installing the update, SeaMonkey must be restarted for the changes to take effect. Critical Copyright 2010 Red Hat, Inc. CVE-2010-3170 CVE-2010-3173 CVE-2010-3176 CVE-2010-3177 CVE-2010-3180 CVE-2010-3182 CVE-2010-3170 firefox/nss: doesn't handle IP-based wildcards in X509 certificates safely CVE-2010-3176 Mozilla miscellaneous memory safety hazards CVE-2010-3180 Mozilla use-after-free error in nsBarProp CVE-2010-3177 Mozilla XSS in gopher parser when parsing hrefs CVE-2010-3182 Mozilla unsafe library loading flaw CVE-2010-3173 NSS: insecure Diffie-Hellman key exchange cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Network Security Services (NSS) is a set of libraries designed to support the development of security-enabled client and server applications. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2010-3175, CVE-2010-3176, CVE-2010-3179, CVE-2010-3183, CVE-2010-3180) A flaw was found in the way the Gopher parser in Firefox converted text into HTML. A malformed file name on a Gopher server could, when accessed by a victim running Firefox, allow arbitrary JavaScript to be executed in the context of the Gopher domain. (CVE-2010-3177) A same-origin policy bypass flaw was found in Firefox. An attacker could create a malicious web page that, when viewed by a victim, could steal private data from a different website the victim has loaded with Firefox. (CVE-2010-3178) A flaw was found in the script that launches Firefox. The LD_LIBRARY_PATH variable was appending a "." character, which could allow a local attacker to execute arbitrary code with the privileges of a different user running Firefox, if that user ran Firefox from within an attacker-controlled directory. (CVE-2010-3182) This update also provides NSS version 3.12.8 which is required by the updated Firefox version, fixing the following security issues: It was found that the SSL DHE (Diffie-Hellman Ephemeral) mode implementation for key exchanges in Firefox accepted DHE keys that were 256 bits in length. This update removes support for 256 bit DHE keys, as such keys are easily broken using modern hardware. (CVE-2010-3173) A flaw was found in the way NSS matched SSL certificates when the certificates had a Common Name containing a wildcard and a partial IP address. NSS incorrectly accepted connections to IP addresses that fell within the SSL certificate's wildcard range as valid SSL connections, possibly allowing an attacker to conduct a man-in-the-middle attack. (CVE-2010-3170) For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 3.6.11. You can find a link to the Mozilla advisories in the References section of this erratum. All Firefox users should upgrade to these updated packages, which contain Firefox version 3.6.11, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect. Critical Copyright 2010 Red Hat, Inc. CVE-2010-3170 CVE-2010-3173 CVE-2010-3175 CVE-2010-3176 CVE-2010-3177 CVE-2010-3178 CVE-2010-3179 CVE-2010-3180 CVE-2010-3182 CVE-2010-3183 CVE-2010-3170 firefox/nss: doesn't handle IP-based wildcards in X509 certificates safely CVE-2010-3176 Mozilla miscellaneous memory safety hazards CVE-2010-3175 Mozilla miscellaneous memory safety hazards CVE-2010-3179 Mozilla buffer overflow and memory corruption using document.write CVE-2010-3180 Mozilla use-after-free error in nsBarProp CVE-2010-3183 Mozilla dangling pointer vulnerability in LookupGetterOrSetter CVE-2010-3177 Mozilla XSS in gopher parser when parsing hrefs CVE-2010-3178 Mozilla cross-site information disclosure via modal calls CVE-2010-3182 Mozilla unsafe library loading flaw CVE-2010-3173 NSS: insecure Diffie-Hellman key exchange cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Quagga is a TCP/IP based routing software suite. The Quagga bgpd daemon implements the BGP (Border Gateway Protocol) routing protocol. A stack-based buffer overflow flaw was found in the way the Quagga bgpd daemon processed certain BGP Route Refresh (RR) messages. A configured BGP peer could send a specially-crafted BGP message, causing bgpd on a target system to crash or, possibly, execute arbitrary code with the privileges of the user running bgpd. (CVE-2010-2948) Note: On Red Hat Enterprise Linux 5 it is not possible to exploit CVE-2010-2948 to run arbitrary code as the overflow is blocked by FORTIFY_SOURCE. Multiple NULL pointer dereference flaws were found in the way the Quagga bgpd daemon processed certain specially-crafted BGP messages. A configured BGP peer could crash bgpd on a target system via specially-crafted BGP messages. (CVE-2007-4826) Users of quagga should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the bgpd daemon must be restarted for the update to take effect. Moderate Copyright 2010 Red Hat, Inc. CVE-2007-4826 CVE-2010-2948 CVE-2007-4826 quagga bgpd DoS CVE-2010-2948 Quagga (bgpd): Stack buffer overflow by processing certain Route-Refresh messages cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 The IBM 1.4.2 SR13-FP6 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. This update fixes several vulnerabilities in the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. These vulnerabilities are summarized on the IBM "Security alerts" page listed in the References section. (CVE-2010-3541, CVE-2010-3548, CVE-2010-3549, CVE-2010-3551, CVE-2010-3553, CVE-2010-3556, CVE-2010-3557, CVE-2010-3562, CVE-2010-3565, CVE-2010-3568, CVE-2010-3569, CVE-2010-3571, CVE-2010-3572) The RHSA-2010:0155 update mitigated a man-in-the-middle attack in the way the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocols handle session renegotiation by disabling renegotiation. This update implements the TLS Renegotiation Indication Extension as defined in RFC 5746, allowing secure renegotiation between updated clients and servers. (CVE-2009-3555) All users of java-1.4.2-ibm are advised to upgrade to these updated packages, which contain the IBM 1.4.2 SR13-FP6 Java release. All running instances of IBM Java must be restarted for this update to take effect. Critical Copyright 2010 Red Hat, Inc. CVE-2009-3555 CVE-2010-3541 CVE-2010-3548 CVE-2010-3549 CVE-2010-3551 CVE-2010-3553 CVE-2010-3556 CVE-2010-3557 CVE-2010-3562 CVE-2010-3565 CVE-2010-3568 CVE-2010-3569 CVE-2010-3571 CVE-2010-3572 CVE-2009-3555 TLS: MITM attacks via session renegotiation CVE-2010-3568 OpenJDK Deserialization Race condition (6559775) CVE-2010-3562 OpenJDK IndexColorModel double-free (6925710) CVE-2010-3557 OpenJDK Swing mutable static (6938813) CVE-2010-3548 OpenJDK DNS server IP address information leak (6957564) CVE-2010-3565 OpenJDK JPEG writeImage remote code execution (6963023) CVE-2010-3569 OpenJDK Serialization inconsistencies (6966692) CVE-2010-3553 OpenJDK Swing unsafe reflection usage (6622002) CVE-2010-3549 OpenJDK HttpURLConnection request splitting (6952017) CVE-2010-3551 OpenJDK local network address disclosure (6952603) CVE-2010-3541 CVE-2010-3573 OpenJDK HttpURLConnection allows arbitrary request headers (6961084,6980004) CVE-2010-3556 JDK unspecified vulnerability in 2D component CVE-2010-3571 JDK unspecified vulnerability in 2D component CVE-2010-3572 JDK unspecified vulnerability in Sound component cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 5 The glibc packages contain the standard C libraries used by multiple programs on the system. These packages contain the standard C and the standard math libraries. Without these two libraries, a Linux system cannot function properly. It was discovered that the glibc dynamic linker/loader did not handle the $ORIGIN dynamic string token set in the LD_AUDIT environment variable securely. A local attacker with write access to a file system containing setuid or setgid binaries could use this flaw to escalate their privileges. (CVE-2010-3847) Red Hat would like to thank Tavis Ormandy for reporting this issue. All users should upgrade to these updated packages, which contain a backported patch to correct this issue. Important Copyright 2010 Red Hat, Inc. CVE-2010-3847 CVE-2010-3847 glibc: ld.so insecure handling of $ORIGIN in LD_AUDIT for setuid/setgid programs cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Pidgin is an instant messaging program which can log in to multiple accounts on multiple instant messaging networks simultaneously. Multiple NULL pointer dereference flaws were found in the way Pidgin handled Base64 decoding. A remote attacker could use these flaws to crash Pidgin if the target Pidgin user was using the Yahoo! Messenger Protocol, MSN, MySpace, or Extensible Messaging and Presence Protocol (XMPP) protocol plug-ins, or using the Microsoft NT LAN Manager (NTLM) protocol for authentication. (CVE-2010-3711) A NULL pointer dereference flaw was found in the way the Pidgin MSN protocol plug-in processed custom emoticon messages. A remote attacker could use this flaw to crash Pidgin by sending specially-crafted emoticon messages during mutual communication. (CVE-2010-1624) Red Hat would like to thank the Pidgin project for reporting these issues. Upstream acknowledges Daniel Atallah as the original reporter of CVE-2010-3711, and Pierre Noguès of Meta Security as the original reporter of CVE-2010-1624. All Pidgin users should upgrade to these updated packages, which contain backported patches to resolve these issues. Pidgin must be restarted for this update to take effect. Moderate Copyright 2010 Red Hat, Inc. CVE-2010-1624 CVE-2010-3711 CVE-2010-1624 Pidgin: MSN SLP emoticon DoS (NULL pointer dereference) CVE-2010-3711 Pidgin (libpurple): Multiple DoS (crash) flaws by processing of unsanitized Base64 decoder values cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issue: * The rds_page_copy_user() function in the Linux kernel Reliable Datagram Sockets (RDS) protocol implementation was missing sanity checks. A local, unprivileged user could use this flaw to escalate their privileges. (CVE-2010-3904, Important) Red Hat would like to thank Dan Rosenberg of Virtual Security Research for reporting this issue. Users should upgrade to these updated packages, which contain a backported patch to correct this issue. The system must be rebooted for this update to take effect. Important Copyright 2010 Red Hat, Inc. CVE-2010-3904 CVE-2010-3904 kernel: RDS sockets local privilege escalation cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The glibc packages contain the standard C libraries used by multiple programs on the system. These packages contain the standard C and the standard math libraries. Without these two libraries, a Linux system cannot function properly. It was discovered that the glibc dynamic linker/loader did not perform sufficient safety checks when loading dynamic shared objects (DSOs) to provide callbacks for its auditing API during the execution of privileged programs. A local attacker could use this flaw to escalate their privileges via a carefully-chosen system DSO library containing unsafe constructors. (CVE-2010-3856) Red Hat would like to thank Ben Hawkes and Tavis Ormandy for reporting this issue. All users should upgrade to these updated packages, which contain a backported patch to correct this issue. Important Copyright 2010 Red Hat, Inc. CVE-2010-3856 CVE-2010-3856 glibc: ld.so arbitrary DSO loading via LD_AUDIT in setuid/setgid programs cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 The IBM 1.5.0 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. This update fixes several vulnerabilities in the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. Detailed vulnerability descriptions are linked from the IBM "Security alerts" page, listed in the References section. (CVE-2010-1321, CVE-2010-3541, CVE-2010-3548, CVE-2010-3549, CVE-2010-3550, CVE-2010-3551, CVE-2010-3556, CVE-2010-3559, CVE-2010-3562, CVE-2010-3565, CVE-2010-3566, CVE-2010-3568, CVE-2010-3569, CVE-2010-3572, CVE-2010-3573, CVE-2010-3574) The RHSA-2010:0130 update mitigated a man-in-the-middle attack in the way the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocols handle session renegotiation by disabling renegotiation. This update implements the TLS Renegotiation Indication Extension as defined in RFC 5746, allowing secure renegotiation between updated clients and servers. (CVE-2009-3555) All users of java-1.5.0-ibm are advised to upgrade to these updated packages, containing the IBM 1.5.0 SR12-FP2 Java release. All running instances of IBM Java must be restarted for this update to take effect. Critical Copyright 2010 Red Hat, Inc. CVE-2009-3555 CVE-2010-1321 CVE-2010-3541 CVE-2010-3548 CVE-2010-3549 CVE-2010-3550 CVE-2010-3551 CVE-2010-3556 CVE-2010-3559 CVE-2010-3562 CVE-2010-3565 CVE-2010-3566 CVE-2010-3568 CVE-2010-3569 CVE-2010-3572 CVE-2010-3573 CVE-2010-3574 CVE-2009-3555 TLS: MITM attacks via session renegotiation CVE-2010-1321 krb5: null pointer dereference in GSS-API library leads to DoS (MITKRB5-SA-2010-005) CVE-2010-3568 OpenJDK Deserialization Race condition (6559775) CVE-2010-3562 OpenJDK IndexColorModel double-free (6925710) CVE-2010-3548 OpenJDK DNS server IP address information leak (6957564) CVE-2010-3565 OpenJDK JPEG writeImage remote code execution (6963023) CVE-2010-3566 OpenJDK ICC Profile remote code execution (6963489) CVE-2010-3569 OpenJDK Serialization inconsistencies (6966692) CVE-2010-3549 OpenJDK HttpURLConnection request splitting (6952017) CVE-2010-3551 OpenJDK local network address disclosure (6952603) CVE-2010-3541 CVE-2010-3573 OpenJDK HttpURLConnection allows arbitrary request headers (6961084,6980004) CVE-2010-3574 OpenJDK HttpURLConnection incomplete TRACE permission check (6981426) CVE-2010-3550 JDK unspecified vulnerability in Java Web Start component CVE-2010-3556 JDK unspecified vulnerability in 2D component CVE-2010-3559 JDK unspecified vulnerability in Sound component CVE-2010-3572 JDK unspecified vulnerability in Sound component cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 4 Mozilla Firefox is an open source web browser. A race condition flaw was found in the way Firefox handled Document Object Model (DOM) element properties. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2010-3765) For technical details regarding this flaw, refer to the Mozilla security advisories for Firefox 3.6.12. You can find a link to the Mozilla advisories in the References section of this erratum. All Firefox users should upgrade to this updated package, which contains a backported patch to correct this issue. After installing the update, Firefox must be restarted for the changes to take effect. Critical Copyright 2010 Red Hat, Inc. CVE-2010-3765 CVE-2010-3765 Firefox race condition flaw (MFSA 2010-73) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 XULRunner provides the XUL Runtime environment for applications using the Gecko layout engine. A race condition flaw was found in the way XULRunner handled Document Object Model (DOM) element properties. Malicious HTML content could cause an application linked against XULRunner (such as Firefox) to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2010-3765) For technical details regarding this flaw, refer to the Mozilla security advisories for Firefox 3.6.12. You can find a link to the Mozilla advisories in the References section of this erratum. All XULRunner users should upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the update, applications using XULRunner must be restarted for the changes to take effect. Critical Copyright 2010 Red Hat, Inc. CVE-2010-3765 CVE-2010-3765 Firefox race condition flaw (MFSA 2010-73) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 SeaMonkey is an open source web browser, email and newsgroup client, IRC chat client, and HTML editor. A race condition flaw was found in the way SeaMonkey handled Document Object Model (DOM) element properties. A web page containing malicious content could cause SeaMonkey to crash or, potentially, execute arbitrary code with the privileges of the user running SeaMonkey. (CVE-2010-3765) All SeaMonkey users should upgrade to these updated packages, which correct this issue. After installing the update, SeaMonkey must be restarted for the changes to take effect. Critical Copyright 2010 Red Hat, Inc. CVE-2010-3765 CVE-2010-3765 Firefox race condition flaw (MFSA 2010-73) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX operating systems. A use-after-free flaw was found in the way the CUPS server parsed Internet Printing Protocol (IPP) packets. A malicious user able to send IPP requests to the CUPS server could use this flaw to crash the CUPS server or, potentially, execute arbitrary code with the privileges of the CUPS server. (CVE-2010-2941) A possible privilege escalation flaw was found in CUPS. An unprivileged process running as the "lp" user (such as a compromised external filter program spawned by the CUPS server) could trick the CUPS server into overwriting arbitrary files as the root user. (CVE-2010-2431) Red Hat would like to thank Emmanuel Bouillon of NATO C3 Agency for reporting the CVE-2010-2941 issue. Users of cups are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the cupsd daemon will be restarted automatically. Important Copyright 2010 Red Hat, Inc. CVE-2010-2431 CVE-2010-2941 CVE-2010-2431 cups: latent privilege escalation vulnerability CVE-2010-2941 cups: cupsd memory corruption vulnerability cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Thunderbird is a standalone mail and newsgroup client. A race condition flaw was found in the way Thunderbird handled Document Object Model (DOM) element properties. An HTML mail message containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2010-3765) Note: JavaScript support is disabled by default in Thunderbird. The CVE-2010-3765 issue is not exploitable unless JavaScript is enabled. All Thunderbird users should upgrade to this updated package, which resolves this issue. All running instances of Thunderbird must be restarted for the update to take effect. Moderate Copyright 2010 Red Hat, Inc. CVE-2010-3765 CVE-2010-3765 Firefox race condition flaw (MFSA 2010-73) cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 3 In accordance with the Red Hat Enterprise Linux Errata Support Policy, the regular 7 year life-cycle of Red Hat Enterprise Linux 3 has ended. Red Hat has discontinued the regular subscription services for Red Hat Enterprise Linux 3. Therefore, new bug fix, enhancement, and security errata updates, as well as technical support services are no longer available for the following products: * Red Hat Enterprise Linux AS 3 * Red Hat Enterprise Linux ES 3 * Red Hat Enterprise Linux WS 3 * Red Hat Enterprise Linux Extras 3 * Red Hat Desktop 3 * Red Hat Global File System 3 * Red Hat Cluster Suite 3 Servers subscribed to Red Hat Enterprise Linux 3 channels on the Red Hat Network will shortly become unsubscribed. As a benefit of the Red Hat subscription model, those subscriptions can be used to entitle any system on any currently supported release of Red Hat Enterprise Linux. Red Hat Enterprise Linux Subscriptions are version-independent and allow access to all major releases of Red Hat Enterprise Linux, that are currently supported within their regular 7-year life-cycle. Therefore customers retain access to Red Hat Enterprise Linux 4, 5 and soon to be released 6. There are no additional upgrade fees when moving from Red Hat Enterprise Linux 3 to any of these newer releases. For customers who are unable to migrate off Red Hat Enterprise Linux 3, Red Hat is offering a limited, optional extension program referred to as RHEL 3 Extended Life Cycle Support (ELS). For more information, contact your Red Hat sales representative or channel partner on this program. Additionally you can find more information on this program here: http://www.redhat.com/rhel/server/extended_lifecycle_support/ Once you are eligible for subscribing to the RHEL 3 ELS channels, read the Red Hat Knowledgebase article DOC-40489 at https://access.redhat.com/kb/docs/DOC-40489 for detailed information on how to subscribe to the RHEL 3 ELS channels. Details of the Red Hat Enterprise Linux life-cycle can be found on the Red Hat website: http://www.redhat.com/security/updates/errata/ Low Copyright 2010 Red Hat, Inc. Send Out RHEL 3 final EOL Notice cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Pluggable Authentication Modules (PAM) provide a system whereby administrators can set up authentication policies without having to recompile programs that handle authentication. It was discovered that the pam_namespace module executed the external script namespace.init with an unchanged environment inherited from an application calling PAM. In cases where such an environment was untrusted (for example, when pam_namespace was configured for setuid applications such as su or sudo), a local, unprivileged user could possibly use this flaw to escalate their privileges. (CVE-2010-3853) It was discovered that the pam_mail module used root privileges while accessing users' files. In certain configurations, a local, unprivileged user could use this flaw to obtain limited information about files or directories that they do not have access to. (CVE-2010-3435) It was discovered that the pam_xauth module did not verify the return values of the setuid() and setgid() system calls. A local, unprivileged user could use this flaw to execute the xauth command with root privileges and make it read an arbitrary input file. (CVE-2010-3316) Red Hat would like to thank Sebastian Krahmer of the SuSE Security Team for reporting the CVE-2010-3435 issue. All pam users should upgrade to these updated packages, which contain backported patches to correct these issues. Moderate Copyright 2010 Red Hat, Inc. CVE-2010-3316 CVE-2010-3435 CVE-2010-3853 CVE-2010-4707 CVE-2010-3316 pam: pam_xauth missing return value checks from setuid() and similar calls CVE-2010-3435 pam: pam_env and pam_mail accessing users' file with root privileges CVE-2010-3853 pam: pam_namespace executes namespace.init with service's environment cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 MySQL is a multi-user, multi-threaded SQL database server. It consists of the MySQL server daemon (mysqld) and many client programs and libraries. It was found that the MySQL PolyFromWKB() function did not sanity check Well-Known Binary (WKB) data. A remote, authenticated attacker could use specially-crafted WKB data to crash mysqld. This issue only caused a temporary denial of service, as mysqld was automatically restarted after the crash. (CVE-2010-3840) A flaw was found in the way MySQL processed certain alternating READ requests provided by HANDLER statements. A remote, authenticated attacker could use this flaw to provide such requests, causing mysqld to crash. This issue only caused a temporary denial of service, as mysqld was automatically restarted after the crash. (CVE-2010-3681) A directory traversal flaw was found in the way MySQL handled the parameters of the MySQL COM_FIELD_LIST network protocol command. A remote, authenticated attacker could use this flaw to obtain descriptions of the fields of an arbitrary table using a request with a specially-crafted table name. (CVE-2010-1848) All MySQL users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the MySQL server daemon (mysqld) will be restarted automatically. Moderate Copyright 2010 Red Hat, Inc. CVE-2010-1848 CVE-2010-3681 CVE-2010-3840 CVE-2010-1848 mysql: multiple insufficient table name checks CVE-2010-3681 MySQL: mysqld DoS (assertion failure) by alternate reads from two indexes on a table using the HANDLER interface (MySQL bug #54007) CVE-2010-3840 MySQL: crash when loading data into geometry function PolyFromWKB() (MySQL Bug#51875) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 MySQL is a multi-user, multi-threaded SQL database server. It consists of the MySQL server daemon (mysqld) and many client programs and libraries. It was found that the MySQL PolyFromWKB() function did not sanity check Well-Known Binary (WKB) data. A remote, authenticated attacker could use specially-crafted WKB data to crash mysqld. This issue only caused a temporary denial of service, as mysqld was automatically restarted after the crash. (CVE-2010-3840) A flaw was found in the way MySQL processed certain JOIN queries. If a stored procedure contained JOIN queries, and that procedure was executed twice in sequence, it could cause an infinite loop, leading to excessive CPU use (up to 100%). A remote, authenticated attacker could use this flaw to cause a denial of service. (CVE-2010-3839) A flaw was found in the way MySQL processed queries that provide a mixture of numeric and longblob data types to the LEAST or GREATEST function. A remote, authenticated attacker could use this flaw to crash mysqld. This issue only caused a temporary denial of service, as mysqld was automatically restarted after the crash. (CVE-2010-3838) A flaw was found in the way MySQL processed PREPARE statements containing both GROUP_CONCAT and the WITH ROLLUP modifier. A remote, authenticated attacker could use this flaw to crash mysqld. This issue only caused a temporary denial of service, as mysqld was automatically restarted after the crash. (CVE-2010-3837) It was found that MySQL did not properly pre-evaluate LIKE arguments in view prepare mode. A remote, authenticated attacker could possibly use this flaw to crash mysqld. (CVE-2010-3836) A flaw was found in the way MySQL processed statements that assign a value to a user-defined variable and that also contain a logical value evaluation. A remote, authenticated attacker could use this flaw to crash mysqld. This issue only caused a temporary denial of service, as mysqld was automatically restarted after the crash. (CVE-2010-3835) A flaw was found in the way MySQL evaluated the arguments of extreme-value functions, such as LEAST and GREATEST. A remote, authenticated attacker could use this flaw to crash mysqld. This issue only caused a temporary denial of service, as mysqld was automatically restarted after the crash. (CVE-2010-3833) A flaw was found in the way MySQL processed EXPLAIN statements for some complex SELECT queries. A remote, authenticated attacker could use this flaw to crash mysqld. This issue only caused a temporary denial of service, as mysqld was automatically restarted after the crash. (CVE-2010-3682) A flaw was found in the way MySQL processed certain alternating READ requests provided by HANDLER statements. A remote, authenticated attacker could use this flaw to provide such requests, causing mysqld to crash. This issue only caused a temporary denial of service, as mysqld was automatically restarted after the crash. (CVE-2010-3681) A flaw was found in the way MySQL processed CREATE TEMPORARY TABLE statements that define NULL columns when using the InnoDB storage engine. A remote, authenticated attacker could use this flaw to crash mysqld. This issue only caused a temporary denial of service, as mysqld was automatically restarted after the crash. (CVE-2010-3680) A flaw was found in the way MySQL processed JOIN queries that attempt to retrieve data from a unique SET column. A remote, authenticated attacker could use this flaw to crash mysqld. This issue only caused a temporary denial of service, as mysqld was automatically restarted after the crash. (CVE-2010-3677) All MySQL users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the MySQL server daemon (mysqld) will be restarted automatically. Moderate Copyright 2010 Red Hat, Inc. CVE-2010-3677 CVE-2010-3680 CVE-2010-3681 CVE-2010-3682 CVE-2010-3833 CVE-2010-3835 CVE-2010-3836 CVE-2010-3837 CVE-2010-3838 CVE-2010-3839 CVE-2010-3840 CVE-2010-3677 MySQL: Mysqld DoS (crash) by processing joins involving a table with a unique SET column (MySQL BZ#54575) CVE-2010-3680 MySQL: mysqld DoS (assertion failure) by using temporary InnoDB engine tables with nullable columns (MySQL bug #54044) CVE-2010-3682 MySQL: mysqld DoS (crash) by processing EXPLAIN statements for complex SQL queries (MySQL bug #52711) CVE-2010-3681 MySQL: mysqld DoS (assertion failure) by alternate reads from two indexes on a table using the HANDLER interface (MySQL bug #54007) CVE-2010-3833 MySQL: CREATE TABLE ... SELECT causes crash when KILL_BAD_DATA is returned (MySQL Bug#55826) CVE-2010-3835 MySQL: crash with user variables, assignments, joins... (MySQL Bug #55564) CVE-2010-3836 MySQL: pre-evaluating LIKE arguments in view prepare mode causes crash (MySQL Bug#54568) CVE-2010-3837 MySQL: crash when group_concat and "with rollup" in prepared statements (MySQL Bug#54476) CVE-2010-3838 MySQL: crash with LONGBLOB and union or update with subquery (MySQL Bug#54461) CVE-2010-3839 MySQL: server hangs during JOIN query in stored procedures called twice in a row (MySQL Bug#53544) CVE-2010-3840 MySQL: crash when loading data into geometry function PolyFromWKB() (MySQL Bug#51875) cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in. This update fixes multiple vulnerabilities in Adobe Flash Player. These vulnerabilities are detailed on the Adobe security page APSB10-26, listed in the References section. Multiple security flaws were found in the way flash-plugin displayed certain SWF content. An attacker could use these flaws to create a specially-crafted SWF file that would cause flash-plugin to crash or, potentially, execute arbitrary code when the victim loaded a page containing the specially-crafted SWF content. (CVE-2010-3639, CVE-2010-3640, CVE-2010-3641, CVE-2010-3642, CVE-2010-3643, CVE-2010-3644, CVE-2010-3645, CVE-2010-3646, CVE-2010-3647, CVE-2010-3648, CVE-2010-3649, CVE-2010-3650, CVE-2010-3652, CVE-2010-3654) An input validation flaw was discovered in flash-plugin. Certain server encodings could lead to a bypass of cross-domain policy file restrictions, possibly leading to cross-domain information disclosure. (CVE-2010-3636) During testing, it was discovered that there were regressions with Flash Player on certain sites, such as fullscreen playback on YouTube. Despite these regressions, we feel these security flaws are serious enough to update the package with what Adobe has provided. All users of Adobe Flash Player should install this updated package, which upgrades Flash Player to version 10.1.102.64. Critical Copyright 2010 Red Hat, Inc. CVE-2010-3636 CVE-2010-3639 CVE-2010-3640 CVE-2010-3641 CVE-2010-3642 CVE-2010-3643 CVE-2010-3644 CVE-2010-3645 CVE-2010-3646 CVE-2010-3647 CVE-2010-3648 CVE-2010-3649 CVE-2010-3650 CVE-2010-3652 CVE-2010-3654 CVE-2010-3654 acroread/flash-plugin: critical vulnerablility (APSA10-05, APSB10-26) flash-plugin: security bulletin APSB10-26 cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 5 The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues: * A NULL pointer dereference flaw was found in the io_submit_one() function in the Linux kernel asynchronous I/O implementation. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2010-3066, Moderate) * A flaw was found in the xfs_ioc_fsgetxattr() function in the Linux kernel XFS file system implementation. A data structure in xfs_ioc_fsgetxattr() was not initialized properly before being copied to user-space. A local, unprivileged user could use this flaw to cause an information leak. (CVE-2010-3078, Moderate) * The exception fixup code for the __futex_atomic_op1, __futex_atomic_op2, and futex_atomic_cmpxchg_inatomic() macros replaced the LOCK prefix with a NOP instruction. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2010-3086, Moderate) * A flaw was found in the tcf_act_police_dump() function in the Linux kernel network traffic policing implementation. A data structure in tcf_act_police_dump() was not initialized properly before being copied to user-space. A local, unprivileged user could use this flaw to cause an information leak. (CVE-2010-3477, Moderate) * A missing upper bound integer check was found in the sys_io_submit() function in the Linux kernel asynchronous I/O implementation. A local, unprivileged user could use this flaw to cause an information leak. (CVE-2010-3067, Low) Red Hat would like to thank Tavis Ormandy for reporting CVE-2010-3066, CVE-2010-3086, and CVE-2010-3067, and Dan Rosenberg for reporting CVE-2010-3078. This update also fixes several bugs. Documentation for these bug fixes will be available shortly from the Technical Notes document linked to in the References section. Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect. Moderate Copyright 2010 Red Hat, Inc. CVE-2010-3066 CVE-2010-3067 CVE-2010-3078 CVE-2010-3086 CVE-2010-3448 CVE-2010-3477 [LSI 5.6 feat] update megaraid_sas to version 4.31 [rhel-5.5.z] [NetApp 5.6 bug] RHEL NFS clients disconnected from NetApp NFSv4 shares with: v4 server returned a bad sequence-id error! [rhel-5.5.z] CVE-2010-3448 kernel: thinkpad-acpi: lock down video output state access [rhel-5.5.z] CVE-2010-3067 kernel: do_io_submit() infoleak Reserve PNP enumerated system board iomem resources [rhel-5.5.z] [RHEL5.5] soft lockup on vlan with bonding in balance-alb mode [rhel-5.5.z] CVE-2010-3078 kernel: xfs: XFS_IOC_FSGETXATTR ioctl memory leak HVM guest w/ UP and PV driver hangs after live migration or suspend/resume [rhel-5.5.z] CVE-2010-3066 kernel: io_submit_one() NULL ptr deref RHEVH - Vdsm - Storage: lvextend fails during VMs intensive power up [rhel-5.5.z] CVE-2010-3086 kernel panic via futex icmpmsg_put() in kernel writes beyond array bounds, leading to junk in /proc/net/snmp and memory corruption [rhel-5.5.z] Spinning up disk for device on standby path causing long boot up [rhel-5.5.z] CVE-2010-3477 kernel: net/sched/act_police.c infoleak time drift with VXTIME_PMTMR mode in case of early / short real ticks [rhel-5.5.z] system crashes due to corrupt net_device_wrapper structure [rhel-5.5.z] [RHEL5 IA64 XEN] netfront driver: alloc_dev: Private data too big. [rhel-5.5.z] lpfc ioctl crash in lpfc_nlp_put() [rhel-5.5.z] dasd: fix race between tasklet and dasd_sleep_on [rhel-5.5.z] [5.5] a race in pid generation that causes pids to be reused immediately. [rhel-5.5.z] GFS1 vs GFS2 performance issue [rhel-5.5.z] Bonded interface doesn't issue IGMP report (join) on slave interface during failover [rhel-5.5.z] backward time drift in RHEL4, 5, and 6 Xen HVM guests that use PM timer / bug in hypervisor routine pmt_update_time() [rhel-5.5.z] CVE-2010-2963 kernel: v4l: VIDIOCSMICROCODE arbitrary write CVE-2010-2963 kernel: v4l: VIDIOCSMICROCODE arbitrary write [rhel-5.5.z] [5.6 FEAT] NFSv4 remove does not wait for close. Silly rename [rhel-5.5.z] [NetApp/QLogic 5.5.z bug] Kernel panic hit on RHEL 5.5 QLogic FC host at qla2x00_abort_fcport_cmds [rhel-5.5.z] [EMC 5.6 bug] severe fragmentation with xfs file system [rhel-5.5.z] Add OFED-1.5.2 patch to increase log_mtts_per_seg for 5.5z-stream [rhel-5.5.z] 802.3ad link aggregation won't work with newer (2.6.194-8.1.el5) kernel and ixgbe driver [rhel-5.5.z] Direct IO write to a file on an nfs mount does not work [rhel-5.5.z] cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues: * Missing sanity checks in the Intel i915 driver in the Linux kernel could allow a local, unprivileged user to escalate their privileges. (CVE-2010-2962, Important) * compat_alloc_user_space() in the Linux kernel 32/64-bit compatibility layer implementation was missing sanity checks. This function could be abused in other areas of the Linux kernel if its length argument can be controlled from user-space. On 64-bit systems, a local, unprivileged user could use this flaw to escalate their privileges. (CVE-2010-3081, Important) * A buffer overflow flaw in niu_get_ethtool_tcam_all() in the niu Ethernet driver in the Linux kernel, could allow a local user to cause a denial of service or escalate their privileges. (CVE-2010-3084, Important) * A flaw in the IA32 system call emulation provided in 64-bit Linux kernels could allow a local user to escalate their privileges. (CVE-2010-3301, Important) * A flaw in sctp_packet_config() in the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation could allow a remote attacker to cause a denial of service. (CVE-2010-3432, Important) * A missing integer overflow check in snd_ctl_new() in the Linux kernel's sound subsystem could allow a local, unprivileged user on a 32-bit system to cause a denial of service or escalate their privileges. (CVE-2010-3442, Important) * A flaw was found in sctp_auth_asoc_get_hmac() in the Linux kernel's SCTP implementation. When iterating through the hmac_ids array, it did not reset the last id element if it was out of range. This could allow a remote attacker to cause a denial of service. (CVE-2010-3705, Important) * A function in the Linux kernel's Reliable Datagram Sockets (RDS) protocol implementation was missing sanity checks, which could allow a local, unprivileged user to escalate their privileges. (CVE-2010-3904, Important) * A flaw in drm_ioctl() in the Linux kernel's Direct Rendering Manager (DRM) implementation could allow a local, unprivileged user to cause an information leak. (CVE-2010-2803, Moderate) * It was found that wireless drivers might not always clear allocated buffers when handling a driver-specific IOCTL information request. A local user could trigger this flaw to cause an information leak. (CVE-2010-2955, Moderate) * A NULL pointer dereference flaw in ftrace_regex_lseek() in the Linux kernel's ftrace implementation could allow a local, unprivileged user to cause a denial of service. Note: The debugfs file system must be mounted locally to exploit this issue. It is not mounted by default. (CVE-2010-3079, Moderate) * A flaw in the Linux kernel's packet writing driver could be triggered via the PKT_CTRL_CMD_STATUS IOCTL request, possibly allowing a local, unprivileged user with access to "/dev/pktcdvd/control" to cause an information leak. Note: By default, only users in the cdrom group have access to "/dev/pktcdvd/control". (CVE-2010-3437, Moderate) * A flaw was found in the way KVM (Kernel-based Virtual Machine) handled the reloading of fs and gs segment registers when they had invalid selectors. A privileged host user with access to "/dev/kvm" could use this flaw to crash the host. (CVE-2010-3698, Moderate) Red Hat would like to thank Kees Cook for reporting CVE-2010-2962 and CVE-2010-2803; Ben Hawkes for reporting CVE-2010-3081 and CVE-2010-3301; Dan Rosenberg for reporting CVE-2010-3442, CVE-2010-3705, CVE-2010-3904, and CVE-2010-3437; and Robert Swiecki for reporting CVE-2010-3079. This update also fixes several bugs. Documentation for these bug fixes will be available shortly from the Technical Notes document linked to in the References section. Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect. Important Copyright 2010 Red Hat, Inc. CVE-2010-2803 CVE-2010-2955 CVE-2010-2962 CVE-2010-3079 CVE-2010-3081 CVE-2010-3084 CVE-2010-3301 CVE-2010-3432 CVE-2010-3437 CVE-2010-3442 CVE-2010-3698 CVE-2010-3705 CVE-2010-3904 CVE-2010-2803 kernel: drm ioctls infoleak CVE-2010-2955 kernel: wireless: fix 64K kernel heap content leak via ioctl CVE-2010-3079 kernel: ftrace NULL ptr deref CVE-2010-3084 kernel: niu: buffer overflow for ETHTOOL_GRXCLSRLALL RHEL55.x32 crashes when installing under RHEL6 KVM on an AMD host [rhel-6.0.z] block: fix s390 tape block driver crash that occurs when it switches the IO scheduler [rhel-6.0.z] [FIPS140][RHEL6] kernel module should failed to load if DSA signature check fails when FIPS mode is on [rhel-6.0.z] RHEL-UV: kernel panic on boot uvsw-sys [rhel-6.0.z] winxp BSOD when boot with cpu mode name [rhel-6.0.z] CVE-2010-3301 kernel: IA32 System Call Entry Point Vulnerability CVE-2010-3081 kernel: 64-bit Compatibility Mode Stack Pointer Underflow Detect and recover from cxgb3 adapter parity errors [rhel-6.0.z] RHEL6 can NOT boot(displays nothing) on boards with RS880 [rhel-6.0.z] kernel-kdump-debuginfo rpm does not contain debug symbols for s390 [rhel-6.0.z] MADV_HUGEPAGE undeclared [rhel-6.0.z] Kernel Memory dump to a FCP device fails with panic [rhel-6.0.z] CVE-2010-3432 kernel: sctp: do not reset the packet during sctp_packet_config CVE-2010-2962 kernel: arbitrary kernel memory write via i915 GEM ioctl CVE-2010-3437 kernel: pktcdvd ioctl dev_minor missing range check CVE-2010-3442 kernel: prevent heap corruption in snd_ctl_new() [RHEL6 Snapshot 13]: The boot parameters 'nomodeset xforcevesa' is needed to install on Precision M4500 [rhel-6.0.z] block: must prevent merges of discard and write requests [rhel-6.0.z] CVE-2010-3698 kvm: invalid selector in fs/gs causes kernel panic CVE-2010-3705 kernel: sctp memory corruption in HMAC handling fix split_huge_page error like mapcount 3 page_mapcount 2 [rhel-6.0.z] Output 'JBD: spotted dirty metadata buffer' message when usrquota is enabled [rhel-6.0.z] [Intel 6.0 Bug] NPIV broken in SW FCoE [rhel-6.0.z] [Intel 6.1 Bug] FCoE Boot ROM, unable to see LUN during system install thru NPV [rhel-6.0.z] FCoE: Do not fall back to non-FIP FLOGI [rhel-6.0.z] vmstat incorrectly reports disk IO as swap in [rhel-6.0.z] Don't lose dirty bits leading to data corruption during KSM swapping [rhel-6.0.z] KSM: fix page_address_in_vma anon_vma oops [rhel-6.0.z] Stack size mapping is decreased through mlock/munlock call [rhel-6.0.z] lpfc driver oops during rhel6 installation with snapshot 12/13 and emulex FC [rhel-6.0.z] slow memory leak in i915 module on all intel hw [rhel-6.0.z] major memory leak in radeon driver due when scrolling certain sites in firefox [rhel-6.0.z] CVE-2010-2963 kernel: v4l: VIDIOCSMICROCODE arbitrary write kernel BUG at mm/huge_memory.c:1279! [rhel-6.0.z] XFS: accounting of reclaimable inodes is incorrect [rhel-6.0.z] CVE-2010-3904 kernel: RDS sockets local privilege escalation kernel BUG at mm/huge_memory.c:1267! - mapcount 5 page_mapcount 4 [rhel-6.0.z] avoid crashes: backport hold mm->page_table_lock patch [rhel-6.0.z] kernel wastes huge amounts of memory due to CONFIG_IMA [rhel-6.0.z] calling elevator_change immediately after blk_init_queue results in a null pointer dereference [rhel-6.0.z] Booting AMD Dinar system results in softlockups in ttm code [rhel-6.0.z] cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 bzip2 is a freely available, high-quality data compressor. It provides both standalone compression and decompression utilities, as well as a shared library for use with other programs. An integer overflow flaw was discovered in the bzip2 decompression routine. This issue could, when decompressing malformed archives, cause bzip2, or an application linked against the libbz2 library, to crash or, potentially, execute arbitrary code. (CVE-2010-0405) Users of bzip2 should upgrade to these updated packages, which contain a backported patch to resolve this issue. All running applications using the libbz2 library must be restarted for the update to take effect. Important Copyright 2010 Red Hat, Inc. CVE-2010-0405 CVE-2010-0405 bzip2: integer overflow flaw in BZ2_decompress cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Poppler is a Portable Document Format (PDF) rendering library, used by applications such as Evince. Two uninitialized pointer use flaws were discovered in poppler. An attacker could create a malicious PDF file that, when opened, would cause applications that use poppler (such as Evince) to crash or, potentially, execute arbitrary code. (CVE-2010-3702, CVE-2010-3703) An array index error was found in the way poppler parsed PostScript Type 1 fonts embedded in PDF documents. An attacker could create a malicious PDF file that, when opened, would cause applications that use poppler (such as Evince) to crash or, potentially, execute arbitrary code. (CVE-2010-3704) Users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Important Copyright 2010 Red Hat, Inc. CVE-2010-3702 CVE-2010-3703 CVE-2010-3704 CVE-2010-3702 xpdf: uninitialized Gfx::parser pointer dereference CVE-2010-3704 xpdf: array indexing error in FoFiType1::parse() CVE-2010-3703 poppler: use of initialized pointer in PostScriptFunction cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Samba is a suite of programs used by machines to share files, printers, and other information. A missing array boundary checking flaw was found in the way Samba parsed the binary representation of Windows security identifiers (SIDs). A malicious client could send a specially-crafted SMB request to the Samba server, resulting in arbitrary code execution with the privileges of the Samba server (smbd). (CVE-2010-3069) Users of Samba are advised to upgrade to these updated packages, which correct this issue. After installing this update, the smb service will be restarted automatically. Critical Copyright 2010 Red Hat, Inc. CVE-2010-3069 CVE-2010-3069 Samba: Stack-based buffer overflow by processing specially-crafted SID records cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. A race condition flaw was found in the way Firefox handled Document Object Model (DOM) element properties. Malicious HTML content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2010-3765) Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2010-3175, CVE-2010-3176, CVE-2010-3179, CVE-2010-3183, CVE-2010-3180) A flaw was found in the way the Gopher parser in Firefox converted text into HTML. A malformed file name on a Gopher server could, when accessed by a victim running Firefox, allow arbitrary JavaScript to be executed in the context of the Gopher domain. (CVE-2010-3177) A same-origin policy bypass flaw was found in Firefox. An attacker could create a malicious web page that, when viewed by a victim, could steal private data from a different website the victim had loaded with Firefox. (CVE-2010-3178) A flaw was found in the script that launches Firefox. The LD_LIBRARY_PATH variable was appending a "." character, which could allow a local attacker to execute arbitrary code with the privileges of a different user running Firefox, if that user ran Firefox from within an attacker-controlled directory. (CVE-2010-3182) For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 3.6.11 and 3.6.12. You can find links to the Mozilla advisories in the References section of this erratum. All Firefox users should upgrade to these updated packages, which contain Firefox version 3.6.12, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect. Critical Copyright 2010 Red Hat, Inc. CVE-2010-3175 CVE-2010-3176 CVE-2010-3177 CVE-2010-3178 CVE-2010-3179 CVE-2010-3180 CVE-2010-3182 CVE-2010-3183 CVE-2010-3765 CVE-2010-3176 Mozilla miscellaneous memory safety hazards CVE-2010-3175 Mozilla miscellaneous memory safety hazards CVE-2010-3179 Mozilla buffer overflow and memory corruption using document.write CVE-2010-3180 Mozilla use-after-free error in nsBarProp CVE-2010-3183 Mozilla dangling pointer vulnerability in LookupGetterOrSetter CVE-2010-3177 Mozilla XSS in gopher parser when parsing hrefs CVE-2010-3178 Mozilla cross-site information disclosure via modal calls CVE-2010-3182 Mozilla unsafe library loading flaw CVE-2010-3765 Firefox race condition flaw (MFSA 2010-73) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Network Security Services (NSS) is a set of libraries designed to support the development of security-enabled client and server applications. A flaw was found in the way NSS matched SSL certificates when the certificates had a Common Name containing a wildcard and a partial IP address. NSS incorrectly accepted connections to IP addresses that fell within the SSL certificate's wildcard range as valid SSL connections, possibly allowing an attacker to conduct a man-in-the-middle attack. (CVE-2010-3170) All NSS users should upgrade to these updated packages, which provide NSS version 3.12.8 to resolve this issue. After installing the update, applications using NSS must be restarted for the changes to take effect. Low Copyright 2010 Red Hat, Inc. CVE-2010-3170 CVE-2010-3170 firefox/nss: doesn't handle IP-based wildcards in X509 certificates safely nss update needed for firefox cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third party, the Key Distribution Center (KDC). An uninitialized pointer use flaw was found in the way the MIT Kerberos KDC handled TGS (Ticket-granting Server) request messages. A remote, authenticated attacker could use this flaw to crash the KDC or, possibly, disclose KDC memory or execute arbitrary code with the privileges of the KDC (krb5kdc). (CVE-2010-1322) Red Hat would like to thank the MIT Kerberos Team for reporting this issue. Upstream acknowledges Mike Roszkowski as the original reporter. All krb5 users should upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the updated packages, the krb5kdc daemon will be restarted automatically. Important Copyright 2010 Red Hat, Inc. CVE-2010-1322 CVE-2010-1322 krb5: KDC uninitialized pointer crash in authorization data handling (MITKRB5-SA-2010-006) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 FreeType is a free, high-quality, portable font engine that can open and manage font files. It also loads, hints, and renders individual glyphs efficiently. These packages provide the FreeType 2 font engine. It was found that the FreeType font rendering engine improperly validated certain position values when processing input streams. If a user loaded a specially-crafted font file with an application linked against FreeType, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2010-2805, CVE-2010-3311) A stack-based buffer overflow flaw was found in the way the FreeType font rendering engine processed some PostScript Type 1 fonts. If a user loaded a specially-crafted font file with an application linked against FreeType, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2010-2808) An array index error was found in the way the FreeType font rendering engine processed certain PostScript Type 42 font files. If a user loaded a specially-crafted font file with an application linked against FreeType, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2010-2806) Note: All of the issues in this erratum only affect the FreeType 2 font engine. Users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The X server must be restarted (log out, then log back in) for this update to take effect. Important Copyright 2010 Red Hat, Inc. CVE-2010-2805 CVE-2010-2806 CVE-2010-2808 CVE-2010-3311 CVE-2010-2808 FreeType: Stack-based buffer overflow by processing certain LWFN fonts CVE-2010-2806 FreeType: Heap-based buffer overflow by processing FontType42 fonts with negative length of SFNT strings (FT bug #30656) CVE-2010-3311 freetype: Input stream position error by processing Compact Font Format (CFF) font files CVE-2010-2805 freetype: FT_Stream_EnterFrame() does not properly validate certain position values cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 These packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software Development Kit. defaultReadObject of the Serialization API could be tricked into setting a volatile field multiple times, which could allow a remote attacker to execute arbitrary code with the privileges of the user running the applet or application. (CVE-2010-3569) Race condition in the way objects were deserialized could allow an untrusted applet or application to misuse the privileges of the user running the applet or application. (CVE-2010-3568) Miscalculation in the OpenType font rendering implementation caused out-of-bounds memory access, which could allow remote attackers to execute code with the privileges of the user running the java process. (CVE-2010-3567) JPEGImageWriter.writeImage in the imageio API improperly checked certain image metadata, which could allow a remote attacker to execute arbitrary code in the context of the user running the applet or application. (CVE-2010-3565) Double free in IndexColorModel could cause an untrusted applet or application to crash or, possibly, execute arbitrary code with the privileges of the user running the applet or application. (CVE-2010-3562) The privileged accept method of the ServerSocket class in the Common Object Request Broker Architecture (CORBA) implementation in OpenJDK allowed it to receive connections from any host, instead of just the host of the current connection. An attacker could use this flaw to bypass restrictions defined by network permissions. (CVE-2010-3561) Flaws in the Swing library could allow an untrusted application to modify the behavior and state of certain JDK classes. (CVE-2010-3557) Flaws in the CORBA implementation could allow an attacker to execute arbitrary code by misusing permissions granted to certain system objects. (CVE-2010-3554) UIDefault.ProxyLazyValue had unsafe reflection usage, allowing untrusted callers to create objects via ProxyLazyValue values. (CVE-2010-3553) HttpURLConnection improperly handled the "chunked" transfer encoding method, which could allow remote attackers to conduct HTTP response splitting attacks. (CVE-2010-3549) HttpURLConnection improperly checked whether the calling code was granted the "allowHttpTrace" permission, allowing untrusted code to create HTTP TRACE requests. (CVE-2010-3574) HttpURLConnection did not validate request headers set by applets, which could allow remote attackers to trigger actions otherwise restricted to HTTP clients. (CVE-2010-3541, CVE-2010-3573) The Kerberos implementation improperly checked the sanity of AP-REQ requests, which could cause a denial of service condition in the receiving Java Virtual Machine. (CVE-2010-3564) The java-1.6.0-openjdk packages shipped with the GA release of Red Hat Enterprise Linux 6 mitigated a man-in-the-middle attack in the way the TLS/SSL protocols handle session renegotiation by disabling renegotiation. This update implements the TLS Renegotiation Indication Extension as defined in RFC 5746, allowing secure renegotiation between updated clients and servers. (CVE-2009-3555) The NetworkInterface class improperly checked the network "connect" permissions for local network addresses, which could allow remote attackers to read local network addresses. (CVE-2010-3551) Information leak flaw in the Java Naming and Directory Interface (JNDI) could allow a remote attacker to access information about otherwise-protected internal network names. (CVE-2010-3548) Note: Flaws concerning applets in this advisory (CVE-2010-3568, CVE-2010-3554, CVE-2009-3555, CVE-2010-3562, CVE-2010-3557, CVE-2010-3548, CVE-2010-3564, CVE-2010-3565, CVE-2010-3569) can only be triggered in OpenJDK by calling the "appletviewer" application. Bug fixes: * One defense in depth patch. (BZ#639922) * Problems for certain SSL connections. In a reported case, this prevented the JBoss JAAS modules from connecting over SSL to Microsoft Active Directory servers. (BZ#642779) Important Copyright 2010 Red Hat, Inc. CVE-2009-3555 CVE-2010-3541 CVE-2010-3548 CVE-2010-3549 CVE-2010-3551 CVE-2010-3553 CVE-2010-3554 CVE-2010-3557 CVE-2010-3561 CVE-2010-3562 CVE-2010-3564 CVE-2010-3565 CVE-2010-3567 CVE-2010-3568 CVE-2010-3569 CVE-2010-3573 CVE-2010-3574 CVE-2009-3555 TLS: MITM attacks via session renegotiation CVE-2010-3568 OpenJDK Deserialization Race condition (6559775) CVE-2010-3554 CVE-2010-3561 OpenJDK corba reflection vulnerabilities (6891766,6925672) CVE-2010-3562 OpenJDK IndexColorModel double-free (6925710) CVE-2010-3557 OpenJDK Swing mutable static (6938813) CVE-2010-3548 OpenJDK DNS server IP address information leak (6957564) CVE-2010-3564 OpenJDK kerberos vulnerability (6958060) CVE-2010-3565 OpenJDK JPEG writeImage remote code execution (6963023) CVE-2010-3566 OpenJDK ICC Profile remote code execution (6963489) CVE-2010-3569 OpenJDK Serialization inconsistencies (6966692) CVE-2010-3553 OpenJDK Swing unsafe reflection usage (6622002) CVE-2010-3549 OpenJDK HttpURLConnection request splitting (6952017) CVE-2010-3551 OpenJDK local network address disclosure (6952603) CVE-2010-3567 OpenJDK ICU Opentype layout engine crash (6963285) CVE-2010-3541 CVE-2010-3573 OpenJDK HttpURLConnection allows arbitrary request headers (6961084,6980004) CVE-2010-3574 OpenJDK HttpURLConnection incomplete TRACE permission check (6981426) Error connecting to Active Directory (AD) over SSL. cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX operating systems. An invalid free flaw was found in the way the CUPS server parsed Internet Printing Protocol (IPP) packets. A malicious user able to send IPP requests to the CUPS server could use this flaw to crash the CUPS server. (CVE-2010-2941) Red Hat would like to thank Emmanuel Bouillon of NATO C3 Agency for reporting this issue. Users of cups are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing this update, the cupsd daemon will be restarted automatically. Important Copyright 2010 Red Hat, Inc. CVE-2010-2941 CVE-2010-2941 cups: cupsd memory corruption vulnerability cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 6 The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in. This update fixes multiple vulnerabilities in Adobe Flash Player. These vulnerabilities are detailed on the Adobe security page APSB10-26, listed in the References section. Multiple security flaws were found in the way flash-plugin displayed certain SWF content. An attacker could use these flaws to create a specially-crafted SWF file that would cause flash-plugin to crash or, potentially, execute arbitrary code when the victim loaded a page containing the specially-crafted SWF content. (CVE-2010-3639, CVE-2010-3640, CVE-2010-3641, CVE-2010-3642, CVE-2010-3643, CVE-2010-3644, CVE-2010-3645, CVE-2010-3646, CVE-2010-3647, CVE-2010-3648, CVE-2010-3649, CVE-2010-3650, CVE-2010-3652, CVE-2010-3654) An input validation flaw was discovered in flash-plugin. Certain server encodings could lead to a bypass of cross-domain policy file restrictions, possibly leading to cross-domain information disclosure. (CVE-2010-3636) During testing, it was discovered that there were regressions with Flash Player on certain sites, such as fullscreen playback on YouTube. Despite these regressions, we feel these security flaws are serious enough to update the package with what Adobe has provided. All users of Adobe Flash Player should install this updated package, which upgrades Flash Player to version 10.1.102.64. Critical Copyright 2010 Red Hat, Inc. CVE-2010-3636 CVE-2010-3639 CVE-2010-3640 CVE-2010-3641 CVE-2010-3642 CVE-2010-3643 CVE-2010-3644 CVE-2010-3645 CVE-2010-3646 CVE-2010-3647 CVE-2010-3648 CVE-2010-3649 CVE-2010-3650 CVE-2010-3652 CVE-2010-3654 CVE-2010-3654 acroread/flash-plugin: critical vulnerablility (APSA10-05, APSB10-26) flash-plugin: security bulletin APSB10-26 cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 6 The glibc packages contain the standard C libraries used by multiple programs on the system. These packages contain the standard C and the standard math libraries. Without these two libraries, a Linux system cannot function properly. It was discovered that the glibc dynamic linker/loader did not handle the $ORIGIN dynamic string token set in the LD_AUDIT environment variable securely. A local attacker with write access to a file system containing setuid or setgid binaries could use this flaw to escalate their privileges. (CVE-2010-3847) It was discovered that the glibc dynamic linker/loader did not perform sufficient safety checks when loading dynamic shared objects (DSOs) to provide callbacks for its auditing API during the execution of privileged programs. A local attacker could use this flaw to escalate their privileges via a carefully-chosen system DSO library containing unsafe constructors. (CVE-2010-3856) Red Hat would like to thank Tavis Ormandy for reporting the CVE-2010-3847 issue, and Ben Hawkes and Tavis Ormandy for reporting the CVE-2010-3856 issue. This update also fixes the following bugs: * Previously, the generic implementation of the strstr() and memmem() functions did not handle certain periodic patterns correctly and could find a false positive match. This error has been fixed, and both functions now work as expected. (BZ#643341) * The "TCB_ALIGNMENT" value has been increased to 32 bytes to prevent applications from crashing during symbol resolution on 64-bit systems with support for Intel AVX vector registers. (BZ#643343) All users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Important Copyright 2010 Red Hat, Inc. CVE-2010-3847 CVE-2010-3856 CVE-2010-3847 glibc: ld.so insecure handling of $ORIGIN in LD_AUDIT for setuid/setgid programs memmem, strstr, and strcasestr are broken [Intel 6.0 Bug] Dynamic linker failed to align TCB for AVX CVE-2010-3856 glibc: ld.so arbitrary DSO loading via LD_AUDIT in setuid/setgid programs cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 6 The IBM 1.5.0 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. This update fixes several vulnerabilities in the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. Detailed vulnerability descriptions are linked from the IBM "Security alerts" page, listed in the References section. (CVE-2010-1321, CVE-2010-3541, CVE-2010-3548, CVE-2010-3549, CVE-2010-3550, CVE-2010-3551, CVE-2010-3556, CVE-2010-3559, CVE-2010-3562, CVE-2010-3565, CVE-2010-3566, CVE-2010-3568, CVE-2010-3569, CVE-2010-3572, CVE-2010-3573, CVE-2010-3574) All users of java-1.5.0-ibm are advised to upgrade to these updated packages, containing the IBM 1.5.0 SR12-FP2 Java release. All running instances of IBM Java must be restarted for this update to take effect. Critical Copyright 2010 Red Hat, Inc. CVE-2010-1321 CVE-2010-3541 CVE-2010-3548 CVE-2010-3549 CVE-2010-3550 CVE-2010-3551 CVE-2010-3556 CVE-2010-3559 CVE-2010-3562 CVE-2010-3565 CVE-2010-3566 CVE-2010-3568 CVE-2010-3569 CVE-2010-3572 CVE-2010-3573 CVE-2010-3574 CVE-2010-1321 krb5: null pointer dereference in GSS-API library leads to DoS (MITKRB5-SA-2010-005) CVE-2010-3568 OpenJDK Deserialization Race condition (6559775) CVE-2010-3562 OpenJDK IndexColorModel double-free (6925710) CVE-2010-3548 OpenJDK DNS server IP address information leak (6957564) CVE-2010-3565 OpenJDK JPEG writeImage remote code execution (6963023) CVE-2010-3566 OpenJDK ICC Profile remote code execution (6963489) CVE-2010-3569 OpenJDK Serialization inconsistencies (6966692) CVE-2010-3549 OpenJDK HttpURLConnection request splitting (6952017) CVE-2010-3551 OpenJDK local network address disclosure (6952603) CVE-2010-3541 CVE-2010-3573 OpenJDK HttpURLConnection allows arbitrary request headers (6961084,6980004) CVE-2010-3574 OpenJDK HttpURLConnection incomplete TRACE permission check (6981426) CVE-2010-3550 JDK unspecified vulnerability in Java Web Start component CVE-2010-3556 JDK unspecified vulnerability in 2D component CVE-2010-3559 JDK unspecified vulnerability in Sound component CVE-2010-3572 JDK unspecified vulnerability in Sound component cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 6 OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. A race condition flaw has been found in the OpenSSL TLS server extension parsing code, which could affect some multithreaded OpenSSL applications. Under certain specific conditions, it may be possible for a remote attacker to trigger this race condition and cause such an application to crash, or possibly execute arbitrary code with the permissions of the application. (CVE-2010-3864) Note that this issue does not affect the Apache HTTP Server. Refer to Red Hat Bugzilla bug 649304 for more technical details on how to determine if your application is affected. Red Hat would like to thank Rob Hulswit for reporting this issue. All OpenSSL users should upgrade to these updated packages, which contain a backported patch to resolve this issue. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted. Important Copyright 2010 Red Hat, Inc. CVE-2010-3864 CVE-2010-3864 OpenSSL TLS extension parsing race condition cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 FreeType is a free, high-quality, portable font engine that can open and manage font files. It also loads, hints, and renders individual glyphs efficiently. The freetype packages for Red Hat Enterprise Linux 4 provide both the FreeType 1 and FreeType 2 font engines. The freetype packages for Red Hat Enterprise Linux 5 and 6 provide only the FreeType 2 font engine. A heap-based buffer overflow flaw was found in the way the FreeType font rendering engine processed certain TrueType GX fonts. If a user loaded a specially-crafted font file with an application linked against FreeType, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2010-3855) Note: This issue only affects the FreeType 2 font engine. Users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. The X server must be restarted (log out, then log back in) for this update to take effect. Important Copyright 2010 Red Hat, Inc. CVE-2010-3855 CVE-2010-3855 Freetype : Heap based buffer overflow in ft_var_readpackedpoints() cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Pidgin is an instant messaging program which can log in to multiple accounts on multiple instant messaging networks simultaneously. Multiple NULL pointer dereference flaws were found in the way Pidgin handled Base64 decoding. A remote attacker could use these flaws to crash Pidgin if the target Pidgin user was using the Yahoo! Messenger Protocol, MSN, MySpace, or Extensible Messaging and Presence Protocol (XMPP) protocol plug-ins, or using the Microsoft NT LAN Manager (NTLM) protocol for authentication. (CVE-2010-3711) Red Hat would like to thank the Pidgin project for reporting these issues. Upstream acknowledges Daniel Atallah as the original reporter. All Pidgin users should upgrade to these updated packages, which contain a backported patch to resolve these issues. Pidgin must be restarted for this update to take effect. Moderate Copyright 2010 Red Hat, Inc. CVE-2010-3711 CVE-2010-3711 Pidgin (libpurple): Multiple DoS (crash) flaws by processing of unsanitized Base64 decoder values cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Pluggable Authentication Modules (PAM) provide a system whereby administrators can set up authentication policies without having to recompile programs that handle authentication. It was discovered that the pam_namespace module executed the external script namespace.init with an unchanged environment inherited from an application calling PAM. In cases where such an environment was untrusted (for example, when pam_namespace was configured for setuid applications such as su or sudo), a local, unprivileged user could possibly use this flaw to escalate their privileges. (CVE-2010-3853) It was discovered that the pam_env and pam_mail modules used root privileges while accessing user's files. A local, unprivileged user could use this flaw to obtain information, from the lines that have the KEY=VALUE format expected by pam_env, from an arbitrary file. Also, in certain configurations, a local, unprivileged user using a service for which the pam_mail module was configured for, could use this flaw to obtain limited information about files or directories that they do not have access to. (CVE-2010-3435) Note: As part of the fix for CVE-2010-3435, this update changes the default value of pam_env's configuration option user_readenv to 0, causing the module to not read user's ~/.pam_environment configuration file by default, as reading it may introduce unexpected changes to the environment of the service using PAM, or PAM modules consulted after pam_env. It was discovered that the pam_xauth module did not verify the return values of the setuid() and setgid() system calls. A local, unprivileged user could use this flaw to execute the xauth command with root privileges and make it read an arbitrary input file. (CVE-2010-3316) Red Hat would like to thank Sebastian Krahmer of the SuSE Security Team for reporting the CVE-2010-3435 issue. All pam users should upgrade to these updated packages, which contain backported patches to correct these issues. Moderate Copyright 2010 Red Hat, Inc. CVE-2010-3316 CVE-2010-3435 CVE-2010-3853 CVE-2010-4707 CVE-2010-4708 CVE-2010-3316 pam: pam_xauth missing return value checks from setuid() and similar calls CVE-2010-3435 pam: pam_env and pam_mail accessing users' file with root privileges CVE-2010-3853 pam: pam_namespace executes namespace.init with service's environment cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Openswan is a free implementation of Internet Protocol Security (IPsec) and Internet Key Exchange (IKE). IPsec uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks. Two buffer overflow flaws were found in the Openswan client-side XAUTH handling code used when connecting to certain Cisco gateways. A malicious or compromised VPN gateway could use these flaws to execute arbitrary code on the connecting Openswan client. (CVE-2010-3302, CVE-2010-3308) Two input sanitization flaws were found in the Openswan client-side handling of Cisco gateway banners. A malicious or compromised VPN gateway could use these flaws to execute arbitrary code on the connecting Openswan client. (CVE-2010-3752, CVE-2010-3753) Red Hat would like to thank the Openswan project for reporting these issues. Upstream acknowledges D. Hugh Redelmeier and Paul Wouters as the original reporters. All users of openswan are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the ipsec service will be restarted automatically. Moderate Copyright 2010 Red Hat, Inc. CVE-2010-3302 CVE-2010-3308 CVE-2010-3752 CVE-2010-3753 CVE-2010-3302 openswan: buffer overflow vulnerability in XAUTH client-side support CVE-2010-3308 Openswan cisco banner option handling vulnerability CVE-2010-3752 Openswan: Gateway arbitrary code execution via shell metacharacters in cisco_dns_info or cisco_domain_info data in packet CVE-2010-3753 Openswan: Gateway arbitrary execution via shell metacharacters in the cisco_banner cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 SystemTap is an instrumentation system for systems running the Linux kernel, version 2.6. Developers can write scripts to collect data on the operation of the system. staprun, the SystemTap runtime tool, is used for managing SystemTap kernel modules (for example, loading them). It was discovered that staprun did not properly sanitize the environment before executing the modprobe command to load an additional kernel module. A local, unprivileged user could use this flaw to escalate their privileges. (CVE-2010-4170) It was discovered that staprun did not check if the module to be unloaded was previously loaded by SystemTap. A local, unprivileged user could use this flaw to unload an arbitrary kernel module that was not in use. (CVE-2010-4171) Note: After installing this update, users already in the stapdev group must be added to the stapusr group in order to be able to run the staprun tool. Red Hat would like to thank Tavis Ormandy for reporting these issues. SystemTap users should upgrade to these updated packages, which contain backported patches to correct these issues. Important Copyright 2010 Red Hat, Inc. CVE-2010-4170 CVE-2010-4171 CVE-2010-4170 Systemtap: Insecure loading of modules CVE-2010-4171 Systemtap: Ability to remove unused modules by unprivileged user cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 SystemTap is an instrumentation system for systems running the Linux kernel, version 2.6. Developers can write scripts to collect data on the operation of the system. staprun, the SystemTap runtime tool, is used for managing SystemTap kernel modules (for example, loading them). It was discovered that staprun did not properly sanitize the environment before executing the modprobe command to load an additional kernel module. A local, unprivileged user could use this flaw to escalate their privileges. (CVE-2010-4170) Note: On Red Hat Enterprise Linux 4, an attacker must be a member of the stapusr group to exploit this issue. Also note that, after installing this update, users already in the stapdev group must be added to the stapusr group in order to be able to run the staprun tool. Red Hat would like to thank Tavis Ormandy for reporting this issue. SystemTap users should upgrade to these updated packages, which contain a backported patch to correct this issue. Moderate Copyright 2010 Red Hat, Inc. CVE-2010-4170 CVE-2010-4170 Systemtap: Insecure loading of modules cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Mozilla Thunderbird is a standalone mail and newsgroup client. A race condition flaw was found in the way Thunderbird handled Document Object Model (DOM) element properties. An HTML mail message containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2010-3765) Several flaws were found in the processing of malformed HTML mail content. An HTML mail message containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2010-3175, CVE-2010-3176, CVE-2010-3179, CVE-2010-3180, CVE-2010-3183) A same-origin policy bypass flaw was found in Thunderbird. Remote HTML content could steal private data from different remote HTML content Thunderbird had loaded. (CVE-2010-3178) Note: JavaScript support is disabled by default in Thunderbird. The above issues are not exploitable unless JavaScript is enabled. A flaw was found in the script that launches Thunderbird. The LD_LIBRARY_PATH variable was appending a "." character, which could allow a local attacker to execute arbitrary code with the privileges of a different user running Thunderbird, if that user ran Thunderbird from within an attacker-controlled directory. (CVE-2010-3182) All Thunderbird users should upgrade to this updated package, which resolves these issues. All running instances of Thunderbird must be restarted for the update to take effect. Moderate Copyright 2010 Red Hat, Inc. CVE-2010-3175 CVE-2010-3176 CVE-2010-3178 CVE-2010-3179 CVE-2010-3180 CVE-2010-3182 CVE-2010-3183 CVE-2010-3765 CVE-2010-3176 Mozilla miscellaneous memory safety hazards CVE-2010-3175 Mozilla miscellaneous memory safety hazards CVE-2010-3179 Mozilla buffer overflow and memory corruption using document.write CVE-2010-3180 Mozilla use-after-free error in nsBarProp CVE-2010-3183 Mozilla dangling pointer vulnerability in LookupGetterOrSetter CVE-2010-3178 Mozilla cross-site information disclosure via modal calls CVE-2010-3182 Mozilla unsafe library loading flaw CVE-2010-3765 Firefox race condition flaw (MFSA 2010-73) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. KVM is a Linux kernel module built for the standard Red Hat Enterprise Linux kernel. A flaw was found in the way QEMU-KVM handled the reloading of fs and gs segment registers when they had invalid selectors. A privileged host user with access to "/dev/kvm" could use this flaw to crash the host (denial of service). (CVE-2010-3698) All KVM users should upgrade to these updated packages, which contain a backported patch to correct this issue. Note: The procedure in the Solution section must be performed before this update will take effect. Moderate Copyright 2010 Red Hat, Inc. CVE-2010-3698 CVE-2010-3698 kvm: invalid selector in fs/gs causes kernel panic cpe:/a:redhat:rhel_virtualization Red Hat Enterprise Linux 6 PostgreSQL is an advanced object-relational database management system (DBMS). PL/Perl and PL/Tcl allow users to write PostgreSQL functions in the Perl and Tcl languages. The PostgreSQL SECURITY DEFINER parameter, which can be used when creating a new PostgreSQL function, specifies that the function will be executed with the privileges of the user that created it. It was discovered that a user could utilize the features of the PL/Perl and PL/Tcl languages to modify the behavior of a SECURITY DEFINER function created by a different user. If the PL/Perl or PL/Tcl language was used to implement a SECURITY DEFINER function, an authenticated database user could use a PL/Perl or PL/Tcl script to modify the behavior of that function during subsequent calls in the same session. This would result in the modified or injected code also being executed with the privileges of the user who created the SECURITY DEFINER function, possibly leading to privilege escalation. (CVE-2010-3433) These updated postgresql packages upgrade PostgreSQL to version 8.4.5. Refer to the PostgreSQL Release Notes for a list of changes: http://www.postgresql.org/docs/8.4/static/release.html All PostgreSQL users are advised to upgrade to these updated packages, which correct this issue. If the postgresql service is running, it will be automatically restarted after installing this update. Moderate Copyright 2010 Red Hat, Inc. CVE-2010-3433 CVE-2010-3433 PostgreSQL (PL/Perl, PL/Tcl): SECURITY DEFINER function keyword bypass cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Concurrent Version System (CVS) is a version control system that can record the history of your files. An array index error, leading to a heap-based buffer overflow, was found in the way CVS applied certain delta fragment changes from input files in the RCS (Revision Control System file) format. If an attacker in control of a CVS repository stored a specially-crafted RCS file in that repository, and then tricked a remote victim into checking out (updating their CVS repository tree) a revision containing that file, it could lead to arbitrary code execution with the privileges of the CVS server process on the system hosting the CVS repository. (CVE-2010-3846) Red Hat would like to thank Ralph Loader for reporting this issue. All users of cvs are advised to upgrade to this updated package, which contains a backported patch to correct this issue. Moderate Copyright 2010 Red Hat, Inc. CVE-2010-3846 CVE-2010-3846 cvs: Heap-based buffer overflow by applying RCS file changes cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. An input validation flaw was discovered in the PHP session serializer. If a PHP script generated session variable names from untrusted user input, a remote attacker could use this flaw to inject an arbitrary variable into the PHP session. (CVE-2010-3065) An information leak flaw was discovered in the PHP var_export() function implementation. If some fatal error occurred during the execution of this function (such as the exhaustion of memory or script execution time limit), part of the function's output was sent to the user as script output, possibly leading to the disclosure of sensitive information. (CVE-2010-2531) A numeric truncation error and an input validation flaw were found in the way the PHP utf8_decode() function decoded partial multi-byte sequences for some multi-byte encodings, sending them to output without them being escaped. An attacker could use these flaws to perform a cross-site scripting attack. (CVE-2009-5016, CVE-2010-3870) It was discovered that the PHP lcg_value() function used insufficient entropy to seed the pseudo-random number generator. A remote attacker could possibly use this flaw to predict values returned by the function, which are used to generate session identifiers by default. This update changes the function's implementation to use more entropy during seeding. (CVE-2010-1128) It was discovered that the PHP fnmatch() function did not restrict the length of the pattern argument. A remote attacker could use this flaw to crash the PHP interpreter where a script used fnmatch() on untrusted matching patterns. (CVE-2010-1917) A NULL pointer dereference flaw was discovered in the PHP XML-RPC extension. A malicious XML-RPC client or server could use this flaw to crash the PHP interpreter via a specially-crafted XML-RPC request. (CVE-2010-0397) All php users should upgrade to these updated packages, which contain backported patches to resolve these issues. After installing the updated packages, the httpd daemon must be restarted for the update to take effect. Moderate Copyright 2010 Red Hat, Inc. CVE-2009-5016 CVE-2010-0397 CVE-2010-1128 CVE-2010-1917 CVE-2010-2531 CVE-2010-3065 CVE-2010-3870 CVE-2010-0397 php: NULL pointer dereference in XML-RPC extension CVE-2010-1128 php: LCG entropy weakness CVE-2010-1917 php: fnmatch long pattern stack memory exhaustion (MOPS-2010-021) CVE-2010-2531 php: information leak vulnerability in var_export() CVE-2010-3065 php: session serializer session data injection vulnerability (MOPS-2010-060) CVE-2010-3870 php: XSS mitigation bypass via utf8_decode() CVE-2009-5016 php: XSS and SQL injection bypass via crafted overlong UTF-8 encoded string cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 The Dynamic Host Configuration Protocol (DHCP) is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. DHCPv6 is the DHCP protocol version for IPv6 networks. A NULL pointer dereference flaw was discovered in the way the dhcpd daemon parsed DHCPv6 packets. A remote attacker could use this flaw to crash dhcpd via a specially-crafted DHCPv6 packet, if dhcpd was running as a DHCPv6 server. (CVE-2010-3611) Users running dhcpd as a DHCPv6 server should upgrade to these updated packages, which contain a backported patch to correct this issue. After installing this update, all DHCP servers will be restarted automatically. Moderate Copyright 2010 Red Hat, Inc. CVE-2010-3611 CVE-2010-3611 dhcp: NULL pointer dereference crash via crafted DHCPv6 packet cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Wireshark is a program for monitoring network traffic. Wireshark was previously known as Ethereal. A heap-based buffer overflow flaw was found in the Wireshark Local Download Sharing Service (LDSS) dissector. If Wireshark read a malformed packet off a network or opened a malicious dump file, it could crash or, possibly, execute arbitrary code as the user running Wireshark. (CVE-2010-4300) A denial of service flaw was found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file. (CVE-2010-3445) Users of Wireshark should upgrade to these updated packages, which contain Wireshark version 1.2.13, and resolve these issues. All running instances of Wireshark must be restarted for the update to take effect. Moderate Copyright 2010 Red Hat, Inc. CVE-2010-3445 CVE-2010-4300 CVE-2010-3445 wireshark: stack overflow in BER dissector CVE-2010-4300 Wireshark: Heap-based buffer overflow in LDSS dissector cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third party, the Key Distribution Center (KDC). Multiple checksum validation flaws were discovered in the MIT Kerberos implementation. A remote attacker could use these flaws to tamper with certain Kerberos protocol packets and, possibly, bypass authentication or authorization mechanisms and escalate their privileges. (CVE-2010-1323, CVE-2010-1324, CVE-2010-4020) Red Hat would like to thank the MIT Kerberos Team for reporting these issues. This update also fixes the following bug: * When attempting to perform PKINIT pre-authentication, if the client had more than one possible candidate certificate the client could fail to select the certificate and key to use. This usually occurred if certificate selection was configured to use the value of the keyUsage extension, or if any of the candidate certificates did not contain a subjectAltName extension. Consequently, the client attempted to perform pre-authentication using a different (usually password-based) mechanism. (BZ#644825) All krb5 users should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the krb5kdc daemon will be restarted automatically. Important Copyright 2010 Red Hat, Inc. CVE-2010-1323 CVE-2010-1324 CVE-2010-4020 'kinit' with smart card login fails to authenticate to the kdc using the cert and its private key. CVE-2010-1324 krb5: multiple checksum handling vulnerabilities (MITKRB5-SA-2010-007) CVE-2010-1323 krb5: incorrect acceptance of certain checksums (MITKRB5-SA-2010-007) CVE-2010-4020 krb5: krb5 may accept authdata checksums with low-entropy derived keys (MITKRB5-SA-2010-007) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third party, the Key Distribution Center (KDC). Multiple checksum validation flaws were discovered in the MIT Kerberos implementation. A remote attacker could use these flaws to tamper with certain Kerberos protocol packets and, possibly, bypass authentication mechanisms in certain configurations using Single-use Authentication Mechanisms. (CVE-2010-1323) Red Hat would like to thank the MIT Kerberos Team for reporting these issues. All krb5 users should upgrade to these updated packages, which contain a backported patch to correct these issues. After installing the updated packages, the krb5kdc daemon will be restarted automatically. Moderate Copyright 2010 Red Hat, Inc. CVE-2010-1323 CVE-2010-1323 krb5: incorrect acceptance of certain checksums (MITKRB5-SA-2010-007) cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 Supplementary for Red Hat Enterprise Linux 6 Adobe Reader allows users to view and print documents in Portable Document Format (PDF). This update fixes two vulnerabilities in Adobe Reader. These vulnerabilities are detailed on the Adobe security page APSB10-28, listed in the References section. A specially-crafted PDF file could cause Adobe Reader to crash or, potentially, execute arbitrary code as the user running Adobe Reader when opened. (CVE-2010-3654, CVE-2010-4091) All Adobe Reader users should install these updated packages. They contain Adobe Reader version 9.4.1, which is not vulnerable to these issues. All running instances of Adobe Reader must be restarted for the update to take effect. Critical Copyright 2010 Red Hat, Inc. CVE-2010-3654 CVE-2010-4091 CVE-2010-3654 acroread/flash-plugin: critical vulnerablility (APSA10-05, APSB10-26) CVE-2010-4091 acroread: remote DoS or possible arbitrary code execution via EScript.api plugin cpe:/a:redhat:rhel_extras Supplementary for Red Hat Enterprise Linux 5 The IBM 1.4.2 SR13-FP7 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. This update fixes two vulnerabilities in the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. Detailed vulnerability descriptions are linked from the IBM "Security alerts" page, listed in the References section. (CVE-2010-1321, CVE-2010-3574) All users of java-1.4.2-ibm are advised to upgrade to these updated packages, which contain the IBM 1.4.2 SR13-FP7 Java release. All running instances of IBM Java must be restarted for this update to take effect. Moderate Copyright 2010 Red Hat, Inc. CVE-2010-1321 CVE-2010-3574 CVE-2010-1321 krb5: null pointer dereference in GSS-API library leads to DoS (MITKRB5-SA-2010-005) CVE-2010-3574 OpenJDK HttpURLConnection incomplete TRACE permission check (6981426) cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 4 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security fixes: * A flaw in sctp_packet_config() in the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation could allow a remote attacker to cause a denial of service. (CVE-2010-3432, Important) * A missing integer overflow check in snd_ctl_new() in the Linux kernel's sound subsystem could allow a local, unprivileged user on a 32-bit system to cause a denial of service or escalate their privileges. (CVE-2010-3442, Important) Red Hat would like to thank Dan Rosenberg for reporting CVE-2010-3442. Bug fixes: * Forward time drift was observed on virtual machines using PM timer-based kernel tick accounting and running on KVM or the Microsoft Hyper-V Server hypervisor. Virtual machines that were booted with the divider=x kernel parameter set to a value greater than 1 and that showed the following in the kernel boot messages were subject to this issue: time.c: Using PM based timekeeping Fine grained accounting for the PM timer is introduced which eliminates this issue. However, this fix uncovered a bug in the Xen hypervisor, possibly causing backward time drift. If this erratum is installed in Xen HVM guests that meet the aforementioned conditions, it is recommended that the host use kernel-xen-2.6.18-194.26.1.el5 or newer, which includes a fix (BZ#641915) for the backward time drift. (BZ#629237) * With multipath enabled, systems would occasionally halt when the do_cciss_request function was used. This was caused by wrongly-generated requests. Additional checks have been added to avoid the aforementioned issue. (BZ#640193) * A Sun X4200 system equipped with a QLogic HBA spontaneously rebooted and logged a Hyper-Transport Sync Flood Error to the system event log. A Maximum Memory Read Byte Count restriction was added to fix this bug. (BZ#640919) * For an active/backup bonding network interface with VLANs on top of it, when a link failed over, it took a minute for the multicast domain to be rejoined. This was caused by the driver not sending any IGMP join packets. The driver now sends IGMP join packets and the multicast domain is rejoined immediately. (BZ#641002) * Replacing a disk and trying to rebuild it afterwards caused the system to panic. When a domain validation request for a hot plugged drive was sent, the mptscsi driver did not validate its existence. This could result in the driver accessing random memory and causing the crash. A check has been added that describes the newly-added device and reloads the iocPg3 data from the firmware if needed. (BZ#641137) * An attempt to create a VLAN interface on a bond of two bnx2 adapters in two switch configurations resulted in a soft lockup after a few seconds. This was caused by an incorrect use of a bonding pointer. With this update, soft lockups no longer occur and creating a VLAN interface works as expected. (BZ#641254) * Erroneous pointer checks could have caused a kernel panic. This was due to a critical value not being copied when a network buffer was duplicated and consumed by multiple portions of the kernel's network stack. Fixing the copy operation resolved this bug. (BZ#642746) * A typo in a variable name caused it to be dereferenced in either mkdir() or create() which could cause a kernel panic. (BZ#643342) * SCSI high level drivers can submit SCSI commands which would never be completed when the device was offline. This was caused by a missing callback for the request to complete the given command. SCSI requests are now terminated by calling their callback when a device is offline. (BZ#644816) * A kernel panic could have occurred on systems due to a recursive lock in the 3c59x driver. Recursion is now avoided and this kernel panic no longer occurs. (BZ#648407) Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect. Important Copyright 2010 Red Hat, Inc. CVE-2010-3432 CVE-2010-3442 time drift with VXTIME_PMTMR mode in case of early / short real ticks [rhel-4.8.z] CVE-2010-3432 kernel: sctp: do not reset the packet during sctp_packet_config CVE-2010-3442 kernel: prevent heap corruption in snd_ctl_new() RHEL 4.8: With multipath enabled, system occasionally halts in do_cciss_request [rhel-4.8.z] Work around HyperTransport Sync Flood Error on Sun X4200 with qla2xxx [rhel-4.8.z] Bonded interface doesn't issue IGMP report (join) on slave interface during failover [rhel-4.8.z] mptbase: panic with domain validation while rebuilding after the disk is replaced. [rhel-4.8.z] [RHEL4.8.z] soft lockup on vlan with bonding in balance-alb mode [rhel-4.8.z] RHEL4.8 panic in netif_receive_skb [rhel-4.8.z] kernel: security: testing the wrong variable in create_by_name() [rhel-4.9] [rhel-4.8.z] scsi_do_req() submitted commands (tape) never complete when device goes offline [rhel-4.8.z] Kernel panic due to recursive lock in 3c59x driver. [rhel-4.8.z] cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Quagga is a TCP/IP based routing software suite. The Quagga bgpd daemon implements the BGP (Border Gateway Protocol) routing protocol. A stack-based buffer overflow flaw was found in the way the Quagga bgpd daemon processed certain BGP Route Refresh (RR) messages. A configured BGP peer could send a specially-crafted BGP message, causing bgpd on a target system to crash or, possibly, execute arbitrary code with the privileges of the user running bgpd. (CVE-2010-2948) Note: On Red Hat Enterprise Linux 6 it is not possible to exploit CVE-2010-2948 to run arbitrary code as the overflow is blocked by FORTIFY_SOURCE. A NULL pointer dereference flaw was found in the way the Quagga bgpd daemon parsed the paths of autonomous systems (AS). A configured BGP peer could crash bgpd on a target system via a specially-crafted BGP message. (CVE-2010-2949) Users of quagga should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the bgpd daemon must be restarted for the update to take effect. Moderate Copyright 2010 Red Hat, Inc. CVE-2010-2948 CVE-2010-2949 CVE-2010-2948 Quagga (bgpd): Stack buffer overflow by processing certain Route-Refresh messages CVE-2010-2949 Quagga (bgpd): DoS (crash) while processing certain BGP update AS path messages cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 6 The Apache Portable Runtime (APR) is a portability library used by the Apache HTTP Server and other projects. apr-util is a library which provides additional utility interfaces for APR; including support for XML parsing, LDAP, database interfaces, URI parsing, and more. It was found that certain input could cause the apr-util library to allocate more memory than intended in the apr_brigade_split_line() function. An attacker able to provide input in small chunks to an application using the apr-util library (such as httpd) could possibly use this flaw to trigger high memory consumption. (CVE-2010-1623) All apr-util users should upgrade to these updated packages, which contain a backported patch to correct this issue. Applications using the apr-util library, such as httpd, must be restarted for this update to take effect. Moderate Copyright 2010 Red Hat, Inc. CVE-2010-1623 CVE-2010-1623 apr-util: high memory consumption in apr_brigade_split_line() cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Mozilla Firefox is an open source web browser. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2010-3766, CVE-2010-3767, CVE-2010-3772, CVE-2010-3776, CVE-2010-3777) A flaw was found in the way Firefox handled malformed JavaScript. A website with an object containing malicious JavaScript could cause Firefox to execute that JavaScript with the privileges of the user running Firefox. (CVE-2010-3771) This update adds support for the Sanitiser for OpenType (OTS) library to Firefox. This library helps prevent potential exploits in malformed OpenType fonts by verifying the font file prior to use. (CVE-2010-3768) A flaw was found in the way Firefox loaded Java LiveConnect scripts. Malicious web content could load a Java LiveConnect script in a way that would result in the plug-in object having elevated privileges, allowing it to execute Java code with the privileges of the user running Firefox. (CVE-2010-3775) It was found that the fix for CVE-2010-0179 was incomplete when the Firebug add-on was used. If a user visited a website containing malicious JavaScript while the Firebug add-on was enabled, it could cause Firefox to execute arbitrary JavaScript with the privileges of the user running Firefox. (CVE-2010-3773) A flaw was found in the way Firefox presented the location bar to users. A malicious website could trick a user into thinking they are visiting the site reported by the location bar, when the page is actually content controlled by an attacker. (CVE-2010-3774) A cross-site scripting (XSS) flaw was found in the Firefox x-mac-arabic, x-mac-farsi, and x-mac-hebrew character encodings. Certain characters were converted to angle brackets when displayed. If server-side script filtering missed these cases, it could result in Firefox executing JavaScript code with the permissions of a different website. (CVE-2010-3770) For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 3.6.13. You can find a link to the Mozilla advisories in the References section of this erratum. All Firefox users should upgrade to these updated packages, which contain Firefox version 3.6.13, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect. Critical Copyright 2010 Red Hat, Inc. CVE-2010-3766 CVE-2010-3767 CVE-2010-3768 CVE-2010-3770 CVE-2010-3771 CVE-2010-3772 CVE-2010-3773 CVE-2010-3774 CVE-2010-3775 CVE-2010-3776 CVE-2010-3777 CVE-2010-3776 Mozilla miscellaneous memory safety hazards (MFSA 2010-74) CVE-2010-3777 Mozilla miscellaneous memory safety hazards (MFSA 2010-74) CVE-2010-3771 Mozilla Chrome privilege escalation with window.open and <isindex> element (MFSA 2010-76) CVE-2010-3772 Mozilla crash and remote code execution using HTML tags inside a XUL tree (MFSA 2010-77) CVE-2010-3768 Mozilla add support for OTS font sanitizer (MFSA 2010-78) CVE-2010-3775 Mozilla Java security bypass from LiveConnect loaded via data: URL meta refresh (MFSA 2010-79) CVE-2010-3766 Mozilla use-after-free error with nsDOMAttribute MutationObserver (MFSA 2010-80) CVE-2010-3767 Mozilla integer overflow vulnerability in NewIdArray (MFSA 2010-81) CVE-2010-3773 Mozilla incomplete fix for CVE-2010-0179 (MFSA 2010-82) CVE-2010-3774 Mozilla location bar SSL spoofing using network error page (MFSA 2010-83) CVE-2010-3770 Mozilla XSS hazard in multiple character encodings (MFSA 2010-84) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 SeaMonkey is an open source web browser, email and newsgroup client, IRC chat client, and HTML editor. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause SeaMonkey to crash or, potentially, execute arbitrary code with the privileges of the user running SeaMonkey. (CVE-2010-3767, CVE-2010-3772, CVE-2010-3776) A flaw was found in the way SeaMonkey loaded Java LiveConnect scripts. Malicious web content could load a Java LiveConnect script in a way that would result in the plug-in object having elevated privileges, allowing it to execute Java code with the privileges of the user running SeaMonkey. (CVE-2010-3775) All SeaMonkey users should upgrade to these updated packages, which correct these issues. After installing the update, SeaMonkey must be restarted for the changes to take effect. Critical Copyright 2010 Red Hat, Inc. CVE-2010-3767 CVE-2010-3772 CVE-2010-3775 CVE-2010-3776 CVE-2010-3776 Mozilla miscellaneous memory safety hazards (MFSA 2010-74) CVE-2010-3772 Mozilla crash and remote code execution using HTML tags inside a XUL tree (MFSA 2010-77) CVE-2010-3775 Mozilla Java security bypass from LiveConnect loaded via data: URL meta refresh (MFSA 2010-79) CVE-2010-3767 Mozilla integer overflow vulnerability in NewIdArray (MFSA 2010-81) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Thunderbird is a standalone mail and newsgroup client. Several flaws were found in the processing of malformed HTML content. HTML containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2010-3767, CVE-2010-3772, CVE-2010-3776) Note: JavaScript support is disabled by default in Thunderbird. The above issues are not exploitable unless JavaScript is enabled. All Thunderbird users should upgrade to this updated package, which resolves these issues. All running instances of Thunderbird must be restarted for the update to take effect. Moderate Copyright 2010 Red Hat, Inc. CVE-2010-3767 CVE-2010-3772 CVE-2010-3776 CVE-2010-3776 Mozilla miscellaneous memory safety hazards (MFSA 2010-74) CVE-2010-3772 Mozilla crash and remote code execution using HTML tags inside a XUL tree (MFSA 2010-77) CVE-2010-3767 Mozilla integer overflow vulnerability in NewIdArray (MFSA 2010-81) cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Mozilla Thunderbird is a standalone mail and newsgroup client. Several flaws were found in the processing of malformed HTML content. Malicious HTML content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2010-3776, CVE-2010-3777) Note: JavaScript support is disabled in Thunderbird for mail messages. The above issues are believed to not be exploitable without JavaScript. This update adds support for the Sanitiser for OpenType (OTS) library to Thunderbird. This library helps prevent potential exploits in malformed OpenType fonts by verifying the font file prior to use. (CVE-2010-3768) All Thunderbird users should upgrade to this updated package, which resolves these issues. All running instances of Thunderbird must be restarted for the update to take effect. Moderate Copyright 2010 Red Hat, Inc. CVE-2010-3768 CVE-2010-3776 CVE-2010-3777 CVE-2010-3776 Mozilla miscellaneous memory safety hazards (MFSA 2010-74) CVE-2010-3777 Mozilla miscellaneous memory safety hazards (MFSA 2010-74) CVE-2010-3768 Mozilla add support for OTS font sanitizer (MFSA 2010-78) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Exim is a mail transport agent (MTA) developed at the University of Cambridge for use on Unix systems connected to the Internet. A buffer overflow flaw was discovered in Exim's internal string_vformat() function. A remote attacker could use this flaw to execute arbitrary code on the mail server running Exim. (CVE-2010-4344) Note: successful exploitation would allow a remote attacker to execute arbitrary code as root on a Red Hat Enterprise Linux 4 or 5 system that is running the Exim mail server. An exploit for this issue is known to exist. For additional information regarding this flaw, along with mitigation advice, please see the Knowledge Base article linked to in the References section of this advisory. Users of Exim are advised to update to these erratum packages which contain a backported patch to correct this issue. After installing this update, the Exim daemon will be restarted automatically. Critical Copyright 2010 Red Hat, Inc. CVE-2010-4344 CVE-2010-4344 exim remote code execution flaw cpe:/o:redhat:rhel_eus cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. It was discovered that named did not invalidate previously cached RRSIG records when adding an NCACHE record for the same entry to the cache. A remote attacker allowed to send recursive DNS queries to named could use this flaw to crash named. (CVE-2010-3613) It was discovered that, in certain cases, named did not properly perform DNSSEC validation of an NS RRset for zones in the middle of a DNSKEY algorithm rollover. This flaw could cause the validator to incorrectly determine that the zone is insecure and not protected by DNSSEC. (CVE-2010-3614) All BIND users are advised to upgrade to these updated packages, which contain a backported patch to resolve these issues. After installing the update, the BIND daemon (named) will be restarted automatically. Important Copyright 2010 Red Hat, Inc. CVE-2010-3613 CVE-2010-3614 CVE-2010-3613 bind: failure to clear existing RRSIG records when a NO DATA is negatively cached could DoS named CVE-2010-3614 bind: key algorithm rollover may mark secure answers as insecure cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. It was discovered that named did not invalidate previously cached RRSIG records when adding an NCACHE record for the same entry to the cache. A remote attacker allowed to send recursive DNS queries to named could use this flaw to crash named. (CVE-2010-3613) A flaw was found in the DNSSEC validation code in named. If named had multiple trust anchors configured for a zone, a response to a request for a record in that zone with a bad signature could cause named to crash. (CVE-2010-3762) It was discovered that, in certain cases, named did not properly perform DNSSEC validation of an NS RRset for zones in the middle of a DNSKEY algorithm rollover. This flaw could cause the validator to incorrectly determine that the zone is insecure and not protected by DNSSEC. (CVE-2010-3614) All BIND users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. After installing the update, the BIND daemon (named) will be restarted automatically. Important Copyright 2010 Red Hat, Inc. CVE-2010-3613 CVE-2010-3614 CVE-2010-3762 CVE-2010-3762 Bind: DoS (assertion failure) via a DNS query with bad signatures CVE-2010-3613 bind: failure to clear existing RRSIG records when a NO DATA is negatively cached could DoS named CVE-2010-3614 bind: key algorithm rollover may mark secure answers as insecure cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. A ciphersuite downgrade flaw was found in the OpenSSL SSL/TLS server code. A remote attacker could possibly use this flaw to change the ciphersuite associated with a cached session stored on the server, if the server enabled the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option, possibly forcing the client to use a weaker ciphersuite after resuming the session. (CVE-2010-4180, CVE-2008-7270) Note: With this update, setting the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option has no effect and this bug workaround can no longer be enabled. It was discovered that OpenSSL did not always check the return value of the bn_wexpand() function. An attacker able to trigger a memory allocation failure in that function could possibly crash an application using the OpenSSL library and its UBSEC hardware engine support. (CVE-2009-3245) All OpenSSL users should upgrade to these updated packages, which contain backported patches to resolve these issues. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted. Moderate Copyright 2010 Red Hat, Inc. CVE-2008-7270 CVE-2009-3245 CVE-2010-4180 CVE-2009-3245 openssl: missing bn_wexpand return value checks CVE-2010-4180 openssl: NETSCAPE_REUSE_CIPHER_CHANGE_BUG ciphersuite downgrade attack CVE-2008-7270 openssl: NETSCAPE_REUSE_CIPHER_CHANGE_BUG downgrade-to-disabled ciphersuite attack cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. A ciphersuite downgrade flaw was found in the OpenSSL SSL/TLS server code. A remote attacker could possibly use this flaw to change the ciphersuite associated with a cached session stored on the server, if the server enabled the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option, possibly forcing the client to use a weaker ciphersuite after resuming the session. (CVE-2010-4180, CVE-2008-7270) Note: With this update, setting the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option has no effect and this bug workaround can no longer be enabled. All OpenSSL users should upgrade to these updated packages, which contain a backported patch to resolve these issues. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted. Moderate Copyright 2010 Red Hat, Inc. CVE-2008-7270 CVE-2010-4180 CVE-2010-4180 openssl: NETSCAPE_REUSE_CIPHER_CHANGE_BUG ciphersuite downgrade attack CVE-2008-7270 openssl: NETSCAPE_REUSE_CIPHER_CHANGE_BUG downgrade-to-disabled ciphersuite attack cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. A ciphersuite downgrade flaw was found in the OpenSSL SSL/TLS server code. A remote attacker could possibly use this flaw to change the ciphersuite associated with a cached session stored on the server, if the server enabled the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option, possibly forcing the client to use a weaker ciphersuite after resuming the session. (CVE-2010-4180) Note: With this update, setting the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option has no effect and this bug workaround can no longer be enabled. All OpenSSL users should upgrade to these updated packages, which contain a backported patch to resolve this issue. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted. Moderate Copyright 2010 Red Hat, Inc. CVE-2010-4180 CVE-2010-4180 openssl: NETSCAPE_REUSE_CIPHER_CHANGE_BUG ciphersuite downgrade attack cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Helix Player is a media player. Multiple security flaws were discovered in RealPlayer. Helix Player and RealPlayer share a common source code base; therefore, some of the flaws discovered in RealPlayer may also affect Helix Player. Some of these flaws could, when opening, viewing, or playing a malicious media file or stream, lead to arbitrary code execution with the privileges of the user running Helix Player. (CVE-2010-2997, CVE-2010-4375, CVE-2010-4378, CVE-2010-4379, CVE-2010-4382, CVE-2010-4383, CVE-2010-4384, CVE-2010-4385, CVE-2010-4386, CVE-2010-4392) The Red Hat Security Response Team is unable to properly determine the impact or fix all of these issues in Helix Player, due to the source code for RealPlayer being unavailable. Due to the security concerns this update removes the HelixPlayer package from Red Hat Enterprise Linux 4. Users wishing to continue to use Helix Player should download it directly from https://player.helixcommunity.org/ Critical Copyright 2010 Red Hat, Inc. CVE-2010-2997 CVE-2010-4375 CVE-2010-4378 CVE-2010-4379 CVE-2010-4382 CVE-2010-4383 CVE-2010-4384 CVE-2010-4385 CVE-2010-4386 CVE-2010-4392 CVE-2010-4384 HelixPlayer multiple flaws (CVE-2010-2997, CVE-2010-4375, CVE-2010-4378, CVE-2010-4379, CVE-2010-4382, CVE-2010-4383, CVE-2010-4385, CVE-2010-4386, CVE-2010-4392, CVE-2010-4376) cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 Supplementary for Red Hat Enterprise Linux 6 The IBM 1.6.0 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. This update fixes several vulnerabilities in the IBM Java 2 Runtime Environment. Detailed vulnerability descriptions are linked from the IBM "Security alerts" page, listed in the References section. (CVE-2009-3555, CVE-2010-1321, CVE-2010-3541, CVE-2010-3548, CVE-2010-3549, CVE-2010-3550, CVE-2010-3551, CVE-2010-3553, CVE-2010-3555, CVE-2010-3556, CVE-2010-3557, CVE-2010-3558, CVE-2010-3560, CVE-2010-3562, CVE-2010-3563, CVE-2010-3565, CVE-2010-3566, CVE-2010-3568, CVE-2010-3569, CVE-2010-3571, CVE-2010-3572, CVE-2010-3573, CVE-2010-3574) This update also fixes the following bugs: * An error in the java-1.6.0-ibm RPM spec file caused an incorrect path to be included in HtmlConverter, preventing it from running. (BZ#659716) * On AMD64 and Intel 64 systems, if only the 64-bit java-1.6.0-ibm packages were installed, IBM Java 6 Web Start was not available as an application that could open JNLP (Java Network Launching Protocol) files. This affected file management and web browser tools. Users had to manually open them with the "/usr/lib/jvm/jre-1.6.0-ibm.x86_64/bin/javaws" command. This update resolves this issue. (BZ#633341) All users of java-1.6.0-ibm are advised to upgrade to these updated packages, containing the IBM 1.6.0 SR9 Java release. All running instances of IBM Java must be restarted for the update to take effect. Critical Copyright 2010 Red Hat, Inc. CVE-2009-3555 CVE-2010-1321 CVE-2010-3541 CVE-2010-3548 CVE-2010-3549 CVE-2010-3550 CVE-2010-3551 CVE-2010-3553 CVE-2010-3555 CVE-2010-3556 CVE-2010-3557 CVE-2010-3558 CVE-2010-3560 CVE-2010-3562 CVE-2010-3563 CVE-2010-3565 CVE-2010-3566 CVE-2010-3568 CVE-2010-3569 CVE-2010-3571 CVE-2010-3572 CVE-2010-3573 CVE-2010-3574 CVE-2009-3555 TLS: MITM attacks via session renegotiation CVE-2010-1321 krb5: null pointer dereference in GSS-API library leads to DoS (MITKRB5-SA-2010-005) CVE-2010-3568 OpenJDK Deserialization Race condition (6559775) CVE-2010-3562 OpenJDK IndexColorModel double-free (6925710) CVE-2010-3557 OpenJDK Swing mutable static (6938813) CVE-2010-3548 OpenJDK DNS server IP address information leak (6957564) CVE-2010-3565 OpenJDK JPEG writeImage remote code execution (6963023) CVE-2010-3566 OpenJDK ICC Profile remote code execution (6963489) CVE-2010-3569 OpenJDK Serialization inconsistencies (6966692) CVE-2010-3553 OpenJDK Swing unsafe reflection usage (6622002) CVE-2010-3549 OpenJDK HttpURLConnection request splitting (6952017) CVE-2010-3551 OpenJDK local network address disclosure (6952603) CVE-2010-3541 CVE-2010-3573 OpenJDK HttpURLConnection allows arbitrary request headers (6961084,6980004) CVE-2010-3574 OpenJDK HttpURLConnection incomplete TRACE permission check (6981426) CVE-2010-3555 JDK unspecified vulnerability in Deployment component CVE-2010-3550 JDK unspecified vulnerability in Java Web Start component CVE-2010-3560 JDK unspecified vulnerability in Networking component CVE-2010-3556 JDK unspecified vulnerability in 2D component CVE-2010-3571 JDK unspecified vulnerability in 2D component CVE-2010-3563 JDK unspecified vulnerability in Deployment component CVE-2010-3558 JDK unspecified vulnerability in Java Web Start component CVE-2010-3572 JDK unspecified vulnerability in Sound component IBM Java6 file modified cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 5 KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. KVM is a Linux kernel module built for the standard Red Hat Enterprise Linux kernel. It was found that some structure padding and reserved fields in certain data structures in QEMU-KVM were not initialized properly before being copied to user-space. A privileged host user with access to "/dev/kvm" could use this flaw to leak kernel stack memory to user-space. (CVE-2010-3881) Red Hat would like to thank Vasiliy Kulikov for reporting this issue. This update also fixes the following bugs: * The 'kvm_amd' kernel module did not initialize the TSC (Time Stamp Counter) offset in the VMCB (Virtual Machine Control Block) correctly. After a vCPU (virtual CPU) has been created, the TSC offset in the VMCB should have a negative value so that the virtual machine will see TSC values starting at zero. However, the TSC offset was set to zero and therefore the virtual machine saw the same TSC value as the host. With this update, the TSC offset has been updated to show the correct values. (BZ#656984) * Setting the boot settings of a virtual machine to, firstly, boot from PXE and, secondly, to boot from the hard drive would result in a PXE boot loop, that is, the virtual machine would not continue to boot from the hard drive if the PXE boot failed. This was caused by a flaw in the 'bochs-bios' (part of KVM) code. With this update, after a virtual machine tries to boot from PXE and fails, it continues to boot from a hard drive if there is one present. (BZ#659850) * If a 64-bit Red Hat Enterprise Linux 5.5 virtual machine was migrated to another host with a different CPU clock speed, the clock of that virtual machine would consistently lose or gain time (approximately half a second for every second the host is running). On machines that do not use the kvm clock, the network time protocol daemon (ntpd) could correct the time drifts caused by migration. However, using the pvclock caused the time to change consistently. This was due to flaws in the save/load functions of pvclock. With this update, the issue has been fixed and migrating a virtual machine no longer causes time drift. (BZ#660239) All KVM users should upgrade to these updated packages, which contain backported patches to correct these issues. Note: The procedure in the Solution section must be performed before this update will take effect. Low Copyright 2010 Red Hat, Inc. CVE-2010-3881 CVE-2010-3881 kvm: arch/x86/kvm/x86.c: reading uninitialized stack memory TSC offset of virtual machines is not initialized correctly by 'kvm_amd' kernel module. If VM boot seq. is set up as nc (PXE then disk) the VM is always stuck on trying to PXE boot clock drift when migrating a guest between mis-matched CPU clock speed cpe:/a:redhat:rhel_virtualization Red Hat Enterprise Linux 6 The libvpx packages provide the VP8 SDK, which allows the encoding and decoding of the VP8 video codec, commonly used with the WebM multimedia container file format. An integer overflow flaw, leading to arbitrary memory writes, was found in libvpx. An attacker could create a specially-crafted video encoded using the VP8 codec that, when played by a victim with an application using libvpx (such as Totem), would cause the application to crash or, potentially, execute arbitrary code. (CVE-2010-4203) All users of libvpx are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the update, all applications using libvpx must be restarted for the changes to take effect. Moderate Copyright 2010 Red Hat, Inc. CVE-2010-4203 CVE-2010-4203 libvpx: memory corruption flaw cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. It was discovered that named did not invalidate previously cached SIG records when adding an NCACHE record for the same entry to the cache. A remote attacker allowed to send recursive DNS queries to named could use this flaw to crash named. (CVE-2010-3613) All BIND users are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing the update, the BIND daemon (named) will be restarted automatically. Important Copyright 2010 Red Hat, Inc. CVE-2010-3613 CVE-2010-3613 bind: failure to clear existing RRSIG records when a NO DATA is negatively cached could DoS named cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 The mod_auth_mysql package includes an extension module for the Apache HTTP Server, which can be used to implement web user authentication against a MySQL database. A flaw was found in the way mod_auth_mysql escaped certain multibyte-encoded strings. If mod_auth_mysql was configured to use a multibyte character set that allowed a backslash ("\") as part of the character encodings, a remote attacker could inject arbitrary SQL commands into a login request. (CVE-2008-2384) Note: This flaw only affected non-default installations where AuthMySQLCharacterSet is configured to use one of the affected multibyte character sets. Installations that did not use the AuthMySQLCharacterSet configuration option were not vulnerable to this flaw. All mod_auth_mysql users are advised to upgrade to this updated package, which contains a backported patch to correct this issue. After installing the updated package, the httpd daemon must be restarted for the update to take effect. Moderate Copyright 2010 Red Hat, Inc. CVE-2008-2384 CVE-2008-2384 mod_auth_mysql: character encoding SQL injection flaw cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Git is a fast, scalable, distributed revision control system. A cross-site scripting (XSS) flaw was found in gitweb, a simple web interface for Git repositories. A remote attacker could perform an XSS attack against victims by tricking them into visiting a specially-crafted gitweb URL. (CVE-2010-3906) All gitweb users should upgrade to these updated packages, which contain a backported patch to correct this issue. Moderate Copyright 2010 Red Hat, Inc. CVE-2010-3906 CVE-2010-3906 Git (gitweb): XSS due to missing escaping of HTML element attributes cpe:/o:redhat:enterprise_linux