Red Hat OVAL Patch Definition Merger 2 5.3 2011-12-27T11:51:51 Red Hat Enterprise Linux 5 The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues: * A flaw was found in sctp_packet_config() in the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation. A remote attacker could use this flaw to cause a denial of service. (CVE-2010-3432, Important) * A missing integer overflow check was found in snd_ctl_new() in the Linux kernel's sound subsystem. A local, unprivileged user on a 32-bit system could use this flaw to cause a denial of service or escalate their privileges. (CVE-2010-3442, Important) * A heap overflow flaw in the Linux kernel's Transparent Inter-Process Communication protocol (TIPC) implementation could allow a local, unprivileged user to escalate their privileges. (CVE-2010-3859, Important) * An integer overflow flaw was found in the Linux kernel's Reliable Datagram Sockets (RDS) protocol implementation. A local, unprivileged user could use this flaw to cause a denial of service or escalate their privileges. (CVE-2010-3865, Important) * A flaw was found in the Xenbus code for the unified block-device I/O interface back end. A privileged guest user could use this flaw to cause a denial of service on the host system running the Xen hypervisor. (CVE-2010-3699, Moderate) * Missing sanity checks were found in setup_arg_pages() in the Linux kernel. When making the size of the argument and environment area on the stack very large, it could trigger a BUG_ON(), resulting in a local denial of service. (CVE-2010-3858, Moderate) * A flaw was found in inet_csk_diag_dump() in the Linux kernel's module for monitoring the sockets of INET transport protocols. By sending a netlink message with certain bytecode, a local, unprivileged user could cause a denial of service. (CVE-2010-3880, Moderate) * Missing sanity checks were found in gdth_ioctl_alloc() in the gdth driver in the Linux kernel. A local user with access to "/dev/gdth" on a 64-bit system could use this flaw to cause a denial of service or escalate their privileges. (CVE-2010-4157, Moderate) * The fix for Red Hat Bugzilla bug 484590 as provided in RHSA-2009:1243 introduced a regression. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2010-4161, Moderate) * A NULL pointer dereference flaw was found in the Bluetooth HCI UART driver in the Linux kernel. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2010-4242, Moderate) * It was found that a malicious guest running on the Xen hypervisor could place invalid data in the memory that the guest shared with the blkback and blktap back-end drivers, resulting in a denial of service on the host system. (CVE-2010-4247, Moderate) * A flaw was found in the Linux kernel's CPU time clocks implementation for the POSIX clock interface. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2010-4248, Moderate) * Missing initialization flaws in the Linux kernel could lead to information leaks. (CVE-2010-3876, CVE-2010-4083, Low) Red Hat would like to thank Dan Rosenberg for reporting CVE-2010-3442, CVE-2010-4161, and CVE-2010-4083; Thomas Pollet for reporting CVE-2010-3865; Brad Spengler for reporting CVE-2010-3858; Nelson Elhage for reporting CVE-2010-3880; Alan Cox for reporting CVE-2010-4242; and Vasiliy Kulikov for reporting CVE-2010-3876. This update also fixes several bugs and adds an enhancement. Documentation for the bug fixes and the enhancement will be available shortly from the Technical Notes document, linked to in the References section. Users should upgrade to these updated packages, which contain backported patches to correct these issues, and fix the bugs and add the enhancement noted in the Technical Notes. The system must be rebooted for this update to take effect. Important Copyright 2011 Red Hat, Inc. CVE-2010-3432 CVE-2010-3442 CVE-2010-3699 CVE-2010-3858 CVE-2010-3859 CVE-2010-3865 CVE-2010-3876 CVE-2010-3880 CVE-2010-4083 CVE-2010-4157 CVE-2010-4161 CVE-2010-4242 CVE-2010-4247 CVE-2010-4248 CVE-2010-3699 kernel: guest->host denial of service from invalid xenbus transitions CVE-2010-3432 kernel: sctp: do not reset the packet during sctp_packet_config CVE-2010-3442 kernel: prevent heap corruption in snd_ctl_new() CVE-2010-4242 kernel: missing tty ops write function presence check in hci_uart_tty_open() [Intel/Cisco 5.6 Bug] ixgbe: include ability to disable MSI-X [rhel-5.5.z] kernel: Problem with execve(2) reintroduced [rhel-5.5.z] netback does not properly get to the Connected state after it's been Closed [rhel-5.5.z] kernel: security: testing the wrong variable in create_by_name() [rhel-5.5.z] CVE-2010-3858 kernel: setup_arg_pages: diagnose excessive argument size CVE-2010-3859 kernel: tipc: heap overflow in tipc_msg_build() RHEL5.6 Include DL580 G7 in bfsort whitelist [rhel-5.5.z] CVE-2010-3865 kernel: iovec integer overflow in net/rds/rdma.c bond0 only works in promisc mode [rhel-5.5.z] CVE-2010-4083 kernel: ipc/sem.c: reading uninitialized stack memory x86_64 host on Nehalem-EX machines will panic when installing a 4.8 GA kvm guest [rhel-5.5.z] bnx2 adapter periodically dropping received packets [rhel-5.5.z] CVE-2010-3876 kernel: net/packet/af_packet.c: reading uninitialized stack memory CVE-2010-4157 kernel: gdth: integer overflow in ioc_general() CVE-2010-3880 kernel: logic error in INET_DIAG bytecode auditing GFS2: stuck in inode wait, no glocks stuck [rhel-5.5.z] GFS2: BUG_ON kernel panic in gfs2_glock_hold on 2.6.18-226 [rhel-5.5.z] [5.5] Hangs up during booting due to a spinlock problem. [rhel-5.5.z] CVE-2010-4161 kernel: rhel5 commit 6865201191 caused deadlock Scheduling while atomic when removing slave tg3 interface from bonding [rhel-5.5.z] flock performance with DLM in RHEL 5.5 [rhel-5.5.z] CVE-2010-4247 xen: request-processing loop is unbounded in blkback CVE-2010-4248 kernel: posix-cpu-timers: workaround to suppress the problems with mt exec [NetApp 5.6 bug] SCSI ALUA handler fails to handle ALUA transitioning properly [rhel-5.5.z] [NetApp 5.6 bug] qla2xxx: Kernel panic on qla24xx_queuecommand [rhel-5.5.z] [Stratus 5.6 bug] System crashes at uhci_scan_schedule(). [rhel-5.5.z] lpfc: set heartbeat timer off by default [rhel-5.5.z] lpfc: fix a BUG_ON in lpfc_abort_handler [rhel-5.5.z] lpfc: fix panic in lpfc_scsi_cmd_iocb_cmpl [rhel-5.5.z] add round_jiffies_up and related routines [rhel-5.5.z] dcache unused accounting problem [rhel-5.5.z] lpfc: fix crashes on NULL pnode dereference [rhel-5.5.z] [NetApp 5.6 bug] regression: allow offlined devs to be set to running [rhel-5.5.z] System crashes at .nfs_flush_incompatible [rhel-5.5.z] [REG][5.6] kernel panic occurs by writing a file on optional mount "sync/noac" of NFSv4. [rhel-5.5.z] [REG][5.6] kernel panic occurs by reading an empty file on optional mount "sync/noac" of NFSv4. [rhel-5.5.z] cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 * Buffer overflow in eCryptfs. When /dev/ecryptfs has world writable permissions (which it does not, by default, on Red Hat Enterprise Linux 6), a local, unprivileged user could use this flaw to cause a denial of service or possibly escalate their privileges. (CVE-2010-2492, Important) * Integer overflow in the RDS protocol implementation could allow a local, unprivileged user to cause a denial of service or escalate their privileges. (CVE-2010-3865, Important) * Missing boundary checks in the PPP over L2TP sockets implementation could allow a local, unprivileged user to cause a denial of service or escalate their privileges. (CVE-2010-4160, Important) * NULL pointer dereference in the igb driver. If both Single Root I/O Virtualization (SR-IOV) and promiscuous mode were enabled on an interface using igb, it could result in a denial of service when a tagged VLAN packet is received on that interface. (CVE-2010-4263, Important) * Missing initialization flaw in the XFS file system implementation, and in the network traffic policing implementation, could allow a local, unprivileged user to cause an information leak. (CVE-2010-3078, CVE-2010-3477, Moderate) * NULL pointer dereference in the Open Sound System compatible sequencer driver could allow a local, unprivileged user with access to /dev/sequencer to cause a denial of service. /dev/sequencer is only accessible to root and users in the audio group by default. (CVE-2010-3080, Moderate) * Flaw in the ethtool IOCTL handler could allow a local user to cause an information leak. (CVE-2010-3861, Moderate) * Flaw in bcm_connect() in the Controller Area Network (CAN) Broadcast Manager. On 64-bit systems, writing the socket address may overflow the procname character array. (CVE-2010-3874, Moderate) * Flaw in the module for monitoring the sockets of INET transport protocols could allow a local, unprivileged user to cause a denial of service. (CVE-2010-3880, Moderate) * Missing boundary checks in the block layer implementation could allow a local, unprivileged user to cause a denial of service. (CVE-2010-4162, CVE-2010-4163, CVE-2010-4668, Moderate) * NULL pointer dereference in the Bluetooth HCI UART driver could allow a local, unprivileged user to cause a denial of service. (CVE-2010-4242, Moderate) * Flaw in the Linux kernel CPU time clocks implementation for the POSIX clock interface could allow a local, unprivileged user to cause a denial of service. (CVE-2010-4248, Moderate) * Flaw in the garbage collector for AF_UNIX sockets could allow a local, unprivileged user to trigger a denial of service. (CVE-2010-4249, Moderate) * Missing upper bound integer check in the AIO implementation could allow a local, unprivileged user to cause an information leak. (CVE-2010-3067, Low) * Missing initialization flaws could lead to information leaks. (CVE-2010-3298, CVE-2010-3876, CVE-2010-4072, CVE-2010-4073, CVE-2010-4074, CVE-2010-4075, CVE-2010-4077, CVE-2010-4079, CVE-2010-4080, CVE-2010-4081, CVE-2010-4082, CVE-2010-4083, CVE-2010-4158, Low) * Missing initialization flaw in KVM could allow a privileged host user with access to /dev/kvm to cause an information leak. (CVE-2010-4525, Low) Red Hat would like to thank Andre Osterhues for reporting CVE-2010-2492; Thomas Pollet for reporting CVE-2010-3865; Dan Rosenberg for reporting CVE-2010-4160, CVE-2010-3078, CVE-2010-3874, CVE-2010-4162, CVE-2010-4163, CVE-2010-3298, CVE-2010-4073, CVE-2010-4074, CVE-2010-4075, CVE-2010-4077, CVE-2010-4079, CVE-2010-4080, CVE-2010-4081, CVE-2010-4082, CVE-2010-4083, and CVE-2010-4158; Kosuke Tatsukawa for reporting CVE-2010-4263; Tavis Ormandy for reporting CVE-2010-3080 and CVE-2010-3067; Kees Cook for reporting CVE-2010-3861 and CVE-2010-4072; Nelson Elhage for reporting CVE-2010-3880; Alan Cox for reporting CVE-2010-4242; Vegard Nossum for reporting CVE-2010-4249; Vasiliy Kulikov for reporting CVE-2010-3876; and Stephan Mueller of atsec information security for reporting CVE-2010-4525. Important Copyright 2011 Red Hat, Inc. CVE-2010-2492 CVE-2010-3067 CVE-2010-3078 CVE-2010-3080 CVE-2010-3298 CVE-2010-3477 CVE-2010-3861 CVE-2010-3865 CVE-2010-3874 CVE-2010-3876 CVE-2010-3880 CVE-2010-4072 CVE-2010-4073 CVE-2010-4074 CVE-2010-4075 CVE-2010-4077 CVE-2010-4079 CVE-2010-4080 CVE-2010-4081 CVE-2010-4082 CVE-2010-4083 CVE-2010-4158 CVE-2010-4160 CVE-2010-4162 CVE-2010-4163 CVE-2010-4242 CVE-2010-4248 CVE-2010-4249 CVE-2010-4263 CVE-2010-4525 CVE-2010-4668 CVE-2010-2492 kernel: ecryptfs_uid_hash() buffer overflow CVE-2010-3067 kernel: do_io_submit() infoleak CVE-2010-3080 kernel: /dev/sequencer open failure is not handled correctly CVE-2010-3078 kernel: xfs: XFS_IOC_FSGETXATTR ioctl memory leak CVE-2010-3298 kernel: drivers/net/usb/hso.c: prevent reading uninitialized memory CVE-2010-3477 kernel: net/sched/act_police.c infoleak CVE-2010-4242 kernel: missing tty ops write function presence check in hci_uart_tty_open() CVE-2010-3861 kernel: heap contents leak from ETHTOOL_GRXCLSRLALL kernel BUG at mm/migrate.c:113! [rhel-6.0.z] CVE-2010-3865 kernel: iovec integer overflow in net/rds/rdma.c Do not mix FMODE_ and O_ flags with break_lease() and may_open() [rhel-6.0.z] CVE-2010-4072 kernel: ipc/shm.c: reading uninitialized stack memory CVE-2010-4073 kernel: ipc/compat*.c: reading uninitialized stack memory CVE-2010-4074 kernel: drivers/usb/serial/mos*.c: reading uninitialized stack memory CVE-2010-4075 kernel: drivers/serial/serial_core.c: reading uninitialized stack memory CVE-2010-4077 kernel: drivers/char/nozomi.c: reading uninitialized stack memory CVE-2010-4079 kernel: drivers/video/ivtv/ivtvfb.c: reading uninitialized stack memory CVE-2010-4080 kernel: drivers/sound/pci/rme9652/hdsp.c: reading uninitialized stack memory CVE-2010-4081 kernel: drivers/sound/pci/rme9652/hdspm.c: reading uninitialized stack memory CVE-2010-4082 kernel: drivers/video/via/ioctl.c: reading uninitialized stack memory CVE-2010-4083 kernel: ipc/sem.c: reading uninitialized stack memory CVE-2010-3874 kernel: CAN minor heap overflow CVE-2010-3876 kernel: net/packet/af_packet.c: reading uninitialized stack memory CVE-2010-3880 kernel: logic error in INET_DIAG bytecode auditing CVE-2010-4158 kernel: socket filters infoleak CVE-2010-4160 kernel: L2TP send buffer allocation size overflows CVE-2010-4162 kernel: bio: integer overflow page count when mapping/copying user data CVE-2010-4163 CVE-2010-4668 kernel: panic when submitting certain 0-length I/O requests [kvm] VIRT-IO NIC state is reported as 'unknown' on vm running over RHEL6 host [rhel-6.0.z] CVE-2010-4248 kernel: posix-cpu-timers: workaround to suppress the problems with mt exec CVE-2010-4249 kernel: unix socket local dos kernel 2.6.32-84.el6 breaks systemtap [rhel-6.0.z] lpfc: Fixed crashes for BUG_ONs hit in the lpfc_abort_handler [rhel-6.0.z] CVE-2010-4263 kernel: igb panics when receiving tag vlan packet lpfc: Set heartbeat timer off by default [rhel-6.0.z] neighbour update causes an Oops when using tunnel device [rhel-6.0.z] CVE-2010-4525 kvm: x86: zero kvm_vcpu_events->interrupt.pad infoleak cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Evince is a document viewer. An array index error was found in the DeVice Independent (DVI) renderer's PK and VF font file parsers. A DVI file that references a specially-crafted font file could, when opened, cause Evince to crash or, potentially, execute arbitrary code with the privileges of the user running Evince. (CVE-2010-2640, CVE-2010-2641) A heap-based buffer overflow flaw was found in the DVI renderer's AFM font file parser. A DVI file that references a specially-crafted font file could, when opened, cause Evince to crash or, potentially, execute arbitrary code with the privileges of the user running Evince. (CVE-2010-2642) An integer overflow flaw was found in the DVI renderer's TFM font file parser. A DVI file that references a specially-crafted font file could, when opened, cause Evince to crash or, potentially, execute arbitrary code with the privileges of the user running Evince. (CVE-2010-2643) Note: The above issues are not exploitable unless an attacker can trick the user into installing a malicious font file. Red Hat would like to thank the Evince development team for reporting these issues. Upstream acknowledges Jon Larimer of IBM X-Force as the original reporter of these issues. Users are advised to upgrade to these updated packages, which contain a backported patch to correct these issues. Moderate Copyright 2011 Red Hat, Inc. CVE-2010-2640 CVE-2010-2641 CVE-2010-2642 CVE-2010-2643 CVE-2010-2640 evince: Array index errror in DVI file PK font parser CVE-2010-2641 evince: Array index errror in DVI file VF font parser CVE-2010-2642 evince, t1lib: Heap based buffer overflow in DVI file AFM font parser CVE-2010-2643 evince: Integer overflow in DVI file TFM font parser cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Wireshark is a program for monitoring network traffic. Wireshark was previously known as Ethereal. An array index error, leading to a stack-based buffer overflow, was found in the Wireshark ENTTEC dissector. If Wireshark read a malformed packet off a network or opened a malicious dump file, it could crash or, possibly, execute arbitrary code as the user running Wireshark. (CVE-2010-4538) Users of Wireshark should upgrade to these updated packages, which contain a backported patch to correct this issue. All running instances of Wireshark must be restarted for the update to take effect. Moderate Copyright 2011 Red Hat, Inc. CVE-2010-4538 CVE-2010-4538 Wireshark: Stack-based array index error in ENTTEC dissector (upstream bug #5539) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues: * A NULL pointer dereference flaw was found in the igb driver in the Linux kernel. If both the Single Root I/O Virtualization (SR-IOV) feature and promiscuous mode were enabled on an interface using igb, it could result in a denial of service when a tagged VLAN packet is received on that interface. (CVE-2010-4263, Important) * A missing sanity check was found in vbd_create() in the Xen hypervisor implementation. As CD-ROM drives are not supported by the blkback back-end driver, attempting to use a virtual CD-ROM drive with blkback could trigger a denial of service (crash) on the host system running the Xen hypervisor. (CVE-2010-4238, Moderate) * A flaw was found in the Linux kernel execve() system call implementation. A local, unprivileged user could cause large amounts of memory to be allocated but not visible to the OOM (Out of Memory) killer, triggering a denial of service. (CVE-2010-4243, Moderate) * A flaw was found in fixup_page_fault() in the Xen hypervisor implementation. If a 64-bit para-virtualized guest accessed a certain area of memory, it could cause a denial of service on the host system running the Xen hypervisor. (CVE-2010-4255, Moderate) * A missing initialization flaw was found in the bfa driver used by Brocade Fibre Channel Host Bus Adapters. A local, unprivileged user could use this flaw to cause a denial of service by reading a file in the "/sys/class/fc_host/host#/statistics/" directory. (CVE-2010-4343, Moderate) * Missing initialization flaws in the Linux kernel could lead to information leaks. (CVE-2010-3296, CVE-2010-3877, CVE-2010-4072, CVE-2010-4073, CVE-2010-4075, CVE-2010-4080, CVE-2010-4081, CVE-2010-4158, Low) Red Hat would like to thank Kosuke Tatsukawa for reporting CVE-2010-4263; Vladymyr Denysov for reporting CVE-2010-4238; Brad Spengler for reporting CVE-2010-4243; Dan Rosenberg for reporting CVE-2010-3296, CVE-2010-4073, CVE-2010-4075, CVE-2010-4080, CVE-2010-4081, and CVE-2010-4158; Vasiliy Kulikov for reporting CVE-2010-3877; and Kees Cook for reporting CVE-2010-4072. These updated packages also include several hundred bug fixes for and enhancements to the Linux kernel. Space precludes documenting each of these changes in this advisory and users are directed to the Red Hat Enterprise Linux 5.6 Release Notes for information on the most significant of these changes: http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5/html/5.6_Release_Notes/index.html Refer to the kernel chapter in the Red Hat Enterprise Linux 5.6 Technical Notes for further information: http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5/html/5.6_Technical_Notes/kernel.html All Red Hat Enterprise Linux 5 users are advised to install these updated packages, which address these vulnerabilities as well as fixing the bugs and adding the enhancements noted in the Red Hat Enterprise Linux 5.6 Release Notes and Technical Notes. The system must be rebooted for this update to take effect. Important Copyright 2011 Red Hat, Inc. CVE-2010-3296 CVE-2010-3877 CVE-2010-4072 CVE-2010-4073 CVE-2010-4075 CVE-2010-4080 CVE-2010-4081 CVE-2010-4158 CVE-2010-4238 CVE-2010-4243 CVE-2010-4255 CVE-2010-4263 CVE-2010-4343 Marvell PATA not supported Allocations on resume path can cause deadlock due to attempting to swap kernel keyring quotas exceeded No support for upstream /proc/sys/kernel/nmi_watchdog. kabitool blocks custom kernel builds when kernel version > 2.6.18-53.1.21.el5 race condition between AIO and setresuid() dm-snapshot: very slow write to snapshot origin when copy-on-write occurs kernel doesn't supply memory fields in getrusage, /usr/bin/time anything shows "... (0avgtext+0avgdata 0maxresident)k ..." Read from /proc/xen/xenbus does not honor O_NONBLOCK second cifs mount to samba server fails when samba using security=ADS [RHEL5] Netfilter modules unloading hangs cxgb3 driver very slow under Xen with HW acceleration enabled Oprofile - Add Dunnington processors to the list of ppro cores TCP: Treason uncloaked! during Network Stress Testing [RHEL5.5] e1000e devices fail to initialize interrupts properly Cannot generate proper stacktrace on xen-ia64 The USB storage cannot use >2TB. GFS1 vs GFS2 performance issue kdump hangs up if INIT is received while kdump is starting Balloon driver gives up too easily when ballooning up under memory pressure Keyboard LEDs constantly lit bonding: backport code to allow user-controlled output slave detection. [Stratus 5.6 bug] System crashes at uhci_scan_schedule(). When bonding is used and IPV6 is enabled the message of 'kernel: bond0: duplicate address detected!' is output Fix instances of #!/usr/bin/env python in kernel-devel-packages PCI SR-IOV BAR resources can't be reliably mapped [Adaptec/HCL 5.6 bug] Problems with aacraid - File system going into read-only. GFS2 fatal: filesystem consistency error on rename [Dell 5.5 FEAT] autoload tpm_tis driver Certain newer WDC SATA drives identified as SEMB Kernel panic: EDAC MC0: INTERNAL ERROR: channel-b out of range java.util.concurrent: long delay and intervals drift since kernel update to 164 tcp_disconnect should clear all of tp->rx_opt .... default txqueuelen of vif device is too small support supplementary groups of tun/tap devices net: possible leak of dst_entry (ipv4) soft lockup while unmounting a read-only filesystem with errors (As per Redhat Bug #429054) kernel bug: quota file size not a multiple of struct gfs2_quota kernel: no clue to find what is happening when hitting a lockdep limit Deadlock in aio nfsv4 hangs -- kernel: decode_op_hdr: reply buffer overflowed in line 2121 Guest could not join the multicast group with virtio NIC [RHEL5] ip_mc_sf_allow() has a lock problem nanosleep() is unstable on xen kernel and ntpd with -x option Kernel: network: bonding: scheduling while atomic: ifdown-eth/0x00000100/21775 Periodic ata exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x6 frozen messages dm-raid1: fix data lost at mirror log failure kABI whitelist request for Fujitsu modules xen migration fails when a full virt guest uses the xen-vnif driver Update sfc driver (add SFC9000 support) nfs: sys_read sometimes returns -EIO [Broadcom 5.6 bug] kABI whitelist request for bnx2i ACPI _SDD failed (AE 0x5) messages on boot Reserve PNP enumerated system board iomem resources Update Neighbor Cache when IPv6 RA is received on a router IP PACKET DOES NOT TRANSMIT USING RAW SOCKETS ITE it887x chipset serial ports don't work [LSI 5.6 feat] update megaraid_sas to version 4.31 [5.6 FEAT] KVM network performance: Defer skb allocation in virtio-net [EMC 5.6 bug] security and PSF update patch for EMC CKD ioctl [5.6 FEAT] NFSv4 remove does not wait for close. Silly rename route: BUG at include/linux/timer.h:82 (call from rt_secret_rebuild_oneshot) Loading NAT module with/without rules affects ping behaviour [Emulex 5.6 bug] kABI whitelist request for lpfc possible recursive locking of inode by nfsd [QLogic 5.6 FEAT] Update qla2xxx driver to version 8.03.01.05.05.06-k RHEL5.6: cxgb3i driver update [Broadcom 5.6 feat] Update tg3 to version 3.108+ and add 5718 B0, 5719 support fasync_helper patch causing problems with GPFS [Regression] bonding: 802.3ad problems with link detection [Cisco 5.6 FEAT] Update enic driver to version 1.4.1.2 [Broadcom 5.6 FEAT] Update bnx2 to 2.0.8+ [Broadcom 5.6 FEAT] Update bnx2i driver and add 57712 support netconsole fails with tg3 [5.4] nfsd dereferences uninitialized list head on error exit in nfsd4_list_rec_dir() [Emulex 5.6 feat] Add be2iscsi driver for BE3 asic boot hangs if scsi read capacity fails on faulty non system drive kernel panic when rmmod and insmod rpcsec_gss_krb5 module cpu flags missing from /proc/cpuinfo vmalloc ENOMEM caused by iptables X can't get signals with DRI [RHEL5]: Add thread_siblings_list to /sys [RHEL5] bonding mode 0 doesn't resend IGMP after a failure REGRESSION: Fix iscsi failover time Timedrift on VM with pv_clock enabled, causing system hangs and sporadic time behaviour revalidate dentries provided by LAST_BIND symlinks backports of virtio_blk barrier support [Emulex 5.6 feat] Update lpfc driver to version 8.2.0.73.1p and include BE3 asic RHEL5: coretemp: fix cpu model output [LSI 5.6 FEAT] Update 3w-9xxx driver to v2.26.08.007-2.6.18RH [LSI 5.6 FEAT] Add 3w-sas driver and update to v3.26.00.028-2.6.18RH Add /sys/devices/system/node/nodeX/cpulist files Bad ext4 sync performance on 16 TB GPT partition [Stratus 5.6 bug] task md0_resync:18061 blocked for more than 120 seconds large storage data corruption on 32 bit Regression: AUTH_SYS cannot be requested using the 'sec=sys' export option. should set ISVM bit (ECX:31) for CPUID leaf 0x00000001 25% performance regression of concurrent O_DIRECT writes. [Cisco 5.6 bug] kABI request for fcoe memory leak when ipv6 interface disabled in sysctl.conf Kernel panic - not syncing: IO-APIC + timer doesn't work! nfsv4 hangs -- client/server deadlock between commit and delegation return missing power_meter release() function [Cisco 5.6 bug] fnic: flush Tx queue bug fix vxge: not enough MMIO resources for SR-IOV error [Broadcom 5.6 bug] Cannot login to iSCSI target when bnx2i is loaded last Network throughput drops seriously on DomU to DomU node traffic on RHEL5.3 Xen when NIC performs RSC. [5.5] SCTP: Check if the file structure is valid before checking the non-blocking flag e1000_clean_tx_irq: Detected Tx Unit Hang [RHEL5.5] soft lockup on vlan with bonding in balance-alb mode RHEL 5.3 on DL585 G6: testing NMI watchdog fails on bootup hwmon: (coretemp) Get TjMax value from MSR for i series CPUs [PATCH][RHEL5.5] Fix Time drift on KVM x86_64 RHEL5.5 Guest using PV clock RTL-8169 Gigatit Ethernet network devices mac address changes after soft reboot. pci_mmcfg_init() making some of main memory uncacheable Enable LED support in iwlagn and iwl3945 drivers (IWLWIFI_LEDS) "hung_task" feature port is incomplete VFS: Busy inodes after unmount issue. implement dev_disable_lro for RHEL5 [Stratus 5.6 bug] Circular lock dep warning on cfq_exit_lock TCP socket premature timeout with FRTO and TSO The assigned VF cannot be found in PV guest. set-cpu_llc_id-on-amd-cpus patch: undefined variable 'cpu' in in amd_detect_cmp() dev_set_name() undefined in net/wireless/cfg80211.ko in some cases transmission stops when tap does not consume The kvm clock couldn't go back after stop/continue Add log message for unhandled sense error REPORTED_LUNS_DATA_CHANGED ATIIXP IDE driver reuses ide_lock unsafely x86_64 host on Nehalem-EX machines will panic when installing a 4.8 GA kvm guest Kernel BUG at fs/ext3/super.c:425 compiling a xen config produces lots of pud_present warnings PG_error bit is never cleared, even when a fresh I/O to the page succeeds Unkillable processes netback does not properly get to the Connected state after it's been Closed [Emulex 5.6 bug] Update lpfc driver to version 8.2.0.76.1p [RHEL 5] Errors when Accessing iSCSI luns via iSER - timing out command Memory leak when nfs shares are mounted with option "nolock" ext3: fsync() does not flush disk caches TCP: avoid to send keepalive probes if receiving data [RHEL5.5] TCP bandwidth problems with TPA and bnx2x cards [RHEL5.5] Self-test using 'ethtool -t ethX' fails with "Cannot test: Operation not supported" [RHEL 5.5] vxge: unable to create VLAN [Intel 5.6 Bug] CPU synchronization required when doing MTRR register update kernel: security: testing the wrong variable in create_by_name() [rhel-5.6] GFS2: stuck in inode wait, no glocks stuck [Broadcom 5.6 bug] bnx2i: MTU change does not work [Broadcom 5.6 bug] cnic: Panic in cnic_iscsi_nl_msg_recv() dcache unused accounting problem Create reliable implementation of cancel_(delayed)_work_sync() in RHEL5 [LSI 5.6 bug] kABI request for mptsas, mpt2sas reg_regdb_search_lock calls kmalloc while holding spinlock [NetApp 5.6 bug] QLogic FC firmware errors seen on RHEL 5.5 Significant MSI performance issue due to redundant interrupt masking gfs2 kernel - Better error reporting when mounting a gfs fs without enough journals RFE virtio balloon driver does not include extended memory statistics NFS-over-GFS out-of-order GETATTR Reply causes corruption bnx2x panic dumps with multiple interfaces enabled cifs: busy file renames across directories should fail with error [Emulex 5.6 bug] Update lpfc driver to version 8.2.0.77 NFS4 breaks when server returns NFS4ERR_FILE_OPEN Page out activity when there is no current VM load tcp: sending reset to the already closed socket kernel bug in cfq merge logic need to backport 2e3219b5c8a2e44e0b83ae6e04f52f20a82ac0f2 [RHEL 5.5] 32-bit pvhvm guest on 64-bit host crash w/xm mem-set [RHEL 5.5] nfs: fix compatibility with hpux clients [RHEL 5.6] move Tausworthe net_random generator to lib/random32 Wrong /proc/cpuinfo for Pentium D reported on RHEL 4.8 (only x86_64) and RHEL 5.5 (both i386 and x86_64) soft lockup inside rhel5 guest vegas and veno possible division by zero bug [Emulex 5.6 bug] be2iscsi: IO stalls if any SGE size=65536 kswapd hung in D state with fragmented memory and large order allocations [5u6] Bonding in ALB mode sends ARP in loop [RHEL5u3] System panic at sunrpc xprt_autoclose() igb: typo in igb aer code [QLogic 5.6 FEAT] Add P3+ AER support to qla2xxx xen Windows 2008 guest crashes on RHEL 5.4 always print the number of triggered NMI during test at boot [RHEL 5.5] igb driver re-order UDP packets when multi-queue is enabled [QLogic 5.6 FEAT] Feature Updates and Bug Fixes for qlcnic ext4: mount error path corrupts slab memory fix oops in clusterip_seq_stop when memory allocation fails. fix oops in dl_seq_stop when memory allocation fails. [Emulex 5.6 feat] Update be2net to version 2.102.404r [Broadcom 5.6 FEAT] bnx2: add AER support. kernel crash in br_nf_pre_routing_finish ext4 and xfs wrong data returned on read after write if file size was changed with ftruncate RHEL5.5 boot fail with IDE controller enabled on Cobia Kernel panic on reading from /proc/bus/pci/XX/YY while hot-removing the device. [QLogic 5.6] kABI whitelist request for qla4xxx 802.3ad link aggregation won't work with newer (2.6.194-8.1.el5) kernel and ixgbe driver CIFS mount to samba3x share shows differing ownership on sequential stat() calls to same file [NetApp 5.6 bug] SCSI ALUA handler fails to handle ALUA transitioning properly Update cnic to 2.1.3 [Qlogic 5.6 bug] qla2xxx: Back port of upstream fixes [Emulex 5.6 feat] Update lpfc driver to version 8.2.0.80 virtio-serial - need to back port guest driver to RHEL 5 [NetApp 5.6 bug] RHEL NFS clients disconnected from NetApp NFSv4 shares with: v4 server returned a bad sequence-id error! system crashes due to corrupt net_device_wrapper structure backport wireless upstream 2.6.32.18 fixes [5u5] bonding: fix a race condition in calls to slave MII ioctls 64-bit kernel unable to oprofile 32-bit processes libata: fix suspend/resume for ATA SEMB devices ENOPERM when reading /proc/sys/vm/mmap_min_addr move iscsi/iser to passthrough mode, fix functioning and failover time under DM multipath [QLogic 5.6 feat] qla4xxx: Update driver to 5.02.03.00.05.06-d1 Win7 and Windows 2008 R2 xen guests with multiple vcpus can't restart [QLogic 5.6 FEAT] qla4xxx: Add PCIe AER support [rhel5.6] XFS incorrectly validates inodes igb doesn't see link status changes on 82580 NIC [QLogic 5.6 bug] netxen: Fix enabling VLAN TSO/LSO [QLogic 5.6 bug] qlcnic: Fix netdev features and other fixes CVE-2010-4243 kernel: mm: mem allocated invisible to oom_kill() when not attached to any threads lpfc ioctl crash in lpfc_nlp_put() [Xen] backport NMI injection for HVM guests [Xen] backport hardware task switching for HVM guests Allow using crc32c hardware accelerated engine on Intel Nehalem processor IPR driver needs fixes to support the new Cubic-R adapter AIO uses igrab in the submission path, which causes undue lock contention [QLogic 5.6 BUG] qla2xxx: Correctly displaying the link state for disconnected port. retry rather than fastfail DID_REQUEUE scsi errors with dm-multipath Scheduling while atomic when removing slave tg3 interface from bonding Fix hot-unplug handling of virtio-console ports Enable NAPI for forcedeth driver Bug 466441 reintroduced in kernel 2.6.18-194.el5 kernel: Problem with execve(2) reintroduced [rhel-5.6] vlan: control vlan device TSO status with ethtool groups_search() cannot handle large gid correctly add pr_*(), netdev_*(), netif_*() printk helper macros kernel panic in devinet_sysctl_forward when changing the /proc/sys/net/ipv4/conf/eth*/forwarding [RHEL 5.5] e100/e1000*/igb*/ixgb*: Add missing read memory barrier HVM guest w/ UP and PV driver hangs after live migration or suspend/resume Detect and recover from cxgb3 adapter parity errors [RHEL5 IA64 XEN] netfront driver: alloc_dev: Private data too big. kernel: additional stack guard patches [rhel-5.6] [Emulex 5.6 feat] Update be2net to version 2.102.453r [Broadcom 5.6 bug] tg3: 5717 / 57765 / 5719 devices leak memory [Broadcom 5.6 bug] bnx2: Remove some unnecessary smp_mb() in tx fast path CVE-2010-3296 kernel: drivers/net/cxgb3/cxgb3_main.c reading uninitialized stack memory sfc: creates too many queues [Broadcom 5.6 feat] tg3: Re-enable 5717 B0 support [Broadcom 5.6 bug] tg3: Incorrect FW version displayed and FW handshake update [RHEL5.6] Verify that driver version strings for updated network drivers Add dirty_background_bytes and dirty_bytes sysctls to RHEL 5 PATCH: virtio_console: Fix poll blocking even though there is data to read Disallow 0-sized writes to virtio ports to go through to host (leading to VM crash) read from virtio-serial returns if the host side is not connect to pipe TPM driver is not enabled in kernel-xen TPM driver complains about IRQ mismatches [Qlogic 5.6 bug] qlcnic: fix kernel NULL pointer dereference __qlcnic_shutdown+0xe/0x8a Bonded interface doesn't issue IGMP report (join) on slave interface during failover belkin usb nic card fails - module catc.ko Backport HVMOP_get_time hypercall [Emulex 5.6 feat] Update lpfc driver to version 8.2.0.85 bnx2 adapter periodically dropping received packets sata_sil24 - add support for Adaptec 1225SA RAID eSATA controller mpt2sas driver update causes boot failure with Dell PERC H200 SAS HBA [NetApp 5.6 bug] regression: allow offlined devs to be set to running tasks blocked after putting Nehalem CPU offline GFS2: BUG_ON kernel panic in gfs2_glock_hold on 2.6.18-226 [QLogic 5.6 bug] kdump: netxen_nic doesn't work in network dumping Stack size mapping is decreased through mlock/munlock call [kdump] soft lockup occurs when nmi watchdog lockup is being triggered Kernel build from source leaves kabideps file droppings in _tmppath [QLogic 5.6 bug] qla2xxx: Fix incorrect test for zero bnx2: Out of order arrival of UDP packets in application panic in find_ge_pid() due to race between lseek() and readdir() on /proc writing to a virtio serial port while no one is listening on the host side hangs the guest [NetApp 5.6 bug] qla2xxx: Kernel panic on qla24xx_queuecommand RHEL5.6 Include DL580 G7 in bfsort whitelist modprobe igb max_vfs>7(Max support is 7) leads to host reboot in loop [Emulex 5.6 feat] Update lpfc driver to version 8.2.0.86 regression: bnx2i driver returns garbage in host param callout and could oops [Emulex 5.6 bug] Update be2net to version 2.102.512r Direct IO write to a file on an nfs mount does not work CVE-2010-4072 kernel: ipc/shm.c: reading uninitialized stack memory CVE-2010-4073 kernel: ipc/compat*.c: reading uninitialized stack memory CVE-2010-4075 kernel: drivers/serial/serial_core.c: reading uninitialized stack memory CVE-2010-4080 kernel: drivers/sound/pci/rme9652/hdsp.c: reading uninitialized stack memory CVE-2010-4081 kernel: drivers/sound/pci/rme9652/hdspm.c: reading uninitialized stack memory [Emulex 5.6 bug] Update lpfc driver to version 8.2.0.87 CVE-2010-3877 kernel: net/tipc/socket.c: reading uninitialized stack memory [Broadcom 5.6 bug] cnic: Panic in uio_release() CVE-2010-4158 kernel: socket filters infoleak probe-remove loop of i7core_edac module causes oops ALSA: fix sysfs related issues (modules cannot be reloaded) and mutex problem in OSS mixer emulation [5.6 FEAT] POWER7 added to Aux Vextor kernel: restrict unprivileged access to kernel syslog [rhel-5.6] [5.6 Regression] network is lost after balloon-up fails netback tries to balloon up even if front-end doesn't do flipping [Broadcom 5.6 bug] bnx2i: add upstream bug fixes to 2.6.2.2 [QLogic 5.6 bug] qlge: Update driver to 1.0.0.27 RHEL5.6 : 10Gb network card (AD144 &AD385)will be missing in installation and can not be drived in system [Emulex 5.6 bug] Update lpfc driver to version 8.2.0.87.1p CVE-2010-4238 kernel: Xen Dom0 crash with Windows 2008 R2 64bit DomU + GPLPV [Qlogic 5.6 bug] qlcnic: Fix kdump issues [Broadcom 5.6 bug] tg3: Fix 5719 bugs CVE-2010-4255 xen: 64-bit PV xen guest can crash host by accessing hypervisor per-domain memory area forcedeth driver panics while booting debug kernel [REG][5.6] igb never counts up the number of tx packets CVE-2010-4258 kernel: failure to revert address limit override in OOPS error path [rhel-5.6] CVE-2010-4263 kernel: igb panics when receiving tag vlan packet [Broadcom 5.6 bug] tg3: Increase tx jumbo bd flag threshold [REG][5.6] kernel panic occurs by writing a file on optional mount "sync/noac" of NFSv4. CVE-2010-4343 kernel: bfa driver sysfs crash [IPv6] a specific route is ignored if the default gateway is reachable [Broadcom 5.6 bug] bnx2: calling pci_map_page() twice in tx path [REG][5.6] kernel panic occurs by reading an empty file on optional mount "sync/noac" of NFSv4. cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The gcc packages include C, C++, Java, Fortran, Objective C, and Ada 95 GNU compilers, along with related support libraries. The libgcj package provides fastjar, an archive tool for Java Archive (JAR) files. Two directory traversal flaws were found in the way fastjar extracted JAR archive files. If a local, unsuspecting user extracted a specially-crafted JAR file, it could cause fastjar to overwrite arbitrary files writable by the user running fastjar. (CVE-2010-0831, CVE-2010-2322) This update also fixes the following bugs: * The option -print-multi-os-directory in the gcc --help output is not in the gcc(1) man page. This update applies an upstream patch to amend this. (BZ#529659) * An internal assertion in the compiler tried to check that a C++ static data member is external which resulted in errors. This was because when the compiler optimizes C++ anonymous namespaces the declarations were no longer marked external as everything on anonymous namespaces is local to the current translation. This update corrects the assertion to resolve this issue. (BZ#503565, BZ#508735, BZ#582682) * Attempting to compile certain .cpp files could have resulted in an internal compiler error. This update resolves this issue. (BZ#527510) * PrintServiceLookup.lookupPrintServices with an appropriate DocFlavor failed to return a list of printers under gcj. This update includes a backported patch to correct this bug in the printer lookup service. (BZ#578382) * GCC would not build against xulrunner-devel-1.9.2. This update removes gcjwebplugin from the GCC RPM. (BZ#596097) * When a SystemTap generated kernel module was compiled, gcc reported an internal compiler error and gets a segmentation fault. This update applies a patch that, instead of crashing, assumes it can point to anything. (BZ#605803) * There was a performance issue with libstdc++ regarding all objects derived from or using std::streambuf because of lock contention between threads. This patch ensures reload uses the same value from _S_global for the comparison, _M_add_reference () and _M_impl member of the class. (BZ#635708) All gcc users should upgrade to these updated packages, which contain backported patches to correct these issues. Low Copyright 2011 Red Hat, Inc. CVE-2010-0831 CVE-2010-2322 libtorrent-rasterbar won't compile, internal compiler error: in make_rtl_for_nonlocal_decl internal gcc error Internal compiler error from gcc Option -print-multi-os-directory is not described in man page gcc(1) PrintServiceLookup.lookupPrintServices(DocFlavor.SERVICE_FORMATTED.PAGEABLE, null) in a simple test java program fails to list printers when run with gcj - Any conventional JRE seems to work that I have tested internal compiler error: in make_rtl_for_nonlocal_decl CVE-2010-0831 CVE-2010-2322 fastjar: directory traversal vulnerabilities gcc doesn't build against xulrunner-devel-1.9.2 gcc gets an internal compiler error when compiling a kernel module Huge performance problem with libstdc++ and multithread applications cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Python is an interpreted, interactive, object-oriented programming language. It was found that many applications embedding the Python interpreter did not specify a valid full path to the script or application when calling the PySys_SetArgv API function, which could result in the addition of the current working directory to the module search path (sys.path). A local attacker able to trick a victim into running such an application in an attacker-controlled directory could use this flaw to execute code with the victim's privileges. This update adds the PySys_SetArgvEx API. Developers can modify their applications to use this new API, which sets sys.argv without modifying sys.path. (CVE-2008-5983) Multiple flaws were found in the Python rgbimg module. If an application written in Python was using the rgbimg module and loaded a specially-crafted SGI image file, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2009-4134, CVE-2010-1449, CVE-2010-1450) Multiple flaws were found in the Python audioop module. Supplying certain inputs could cause the audioop module to crash or, possibly, execute arbitrary code. (CVE-2010-1634, CVE-2010-2089) This update also fixes the following bugs: * When starting a child process from the subprocess module in Python 2.4, the parent process could leak file descriptors if an error occurred. This update resolves the issue. (BZ#609017) * Prior to Python 2.7, programs that used "ulimit -n" to enable communication with large numbers of subprocesses could still monitor only 1024 file descriptors at a time, which caused an exception: ValueError: filedescriptor out of range in select() This was due to the subprocess module using the "select" system call. The module now uses the "poll" system call, removing this limitation. (BZ#609020) * Prior to Python 2.5, the tarfile module failed to unpack tar files if the path was longer than 100 characters. This update backports the tarfile module from Python 2.5 and the issue no longer occurs. (BZ#263401) * The email module incorrectly implemented the logic for obtaining attachment file names: the get_filename() fallback for using the deprecated "name" parameter of the "Content-Type" header erroneously used the "Content-Disposition" header. This update backports a fix from Python 2.6, which resolves this issue. (BZ#644147) * Prior to version 2.5, Python's optimized memory allocator never released memory back to the system. The memory usage of a long-running Python process would resemble a "high-water mark". This update backports a fix from Python 2.5a1, which frees unused arenas, and adds a non-standard sys._debugmallocstats() function, which prints diagnostic information to stderr. Finally, when running under Valgrind, the optimized allocator is deactivated, to allow more convenient debugging of Python memory usage issues. (BZ#569093) * The urllib and urllib2 modules ignored the no_proxy variable, which could lead to programs such as "yum" erroneously accessing a proxy server for URLs covered by a "no_proxy" exclusion. This update backports fixes of urllib and urllib2, which respect the "no_proxy" variable, which fixes these issues. (BZ#549372) As well, this update adds the following enhancements: * This update introduces a new python-libs package, subsuming the majority of the content of the core python package. This makes both 32-bit and 64-bit Python libraries available on PowerPC systems. (BZ#625372) * The python-libs.i386 package is now available for 64-bit Itanium with the 32-bit Itanium compatibility mode. (BZ#644761) All Python users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements. Low Copyright 2011 Red Hat, Inc. CVE-2008-5983 CVE-2009-4134 CVE-2010-1449 CVE-2010-1450 CVE-2010-1634 CVE-2010-2089 CVE-2008-5983 python: untrusted python modules search path CVE-2009-4134 CVE-2010-1449 CVE-2010-1450 python: rgbimg: multiple security issues Python 2.4's arena allocator does not release memory back to the system, leading to "high-water mark" memory usage CVE-2010-1634 python: audioop: incorrect integer overflow checks CVE-2010-2089 Python: Memory corruption in audioop module subprocess leaves open fds on construction error subprocess fails in select when descriptors are large split python-libs subpackage Patch for get_filename in email.message when content-disposition is missing python-libs conflict on ia64 compatlayer cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. KVM is a Linux kernel module built for the standard Red Hat Enterprise Linux kernel. A data structure field in kvm_vcpu_ioctl_x86_get_vcpu_events() in QEMU-KVM was not initialized properly before being copied to user-space. A privileged host user with access to "/dev/kvm" could use this flaw to leak kernel stack memory to user-space. (CVE-2010-4525) Red Hat would like to thank Stephan Mueller of atsec information security for reporting this issue. These updated packages also fix several bugs. Documentation for these bug fixes will be available shortly in the "kvm" section of the Red Hat Enterprise Linux 5.6 Technical Notes, linked to in the References. All KVM users should upgrade to these updated packages, which resolve this issue as well as fixing the bugs noted in the Technical Notes. Note: The procedure in the Solution section must be performed before this update will take effect. Low Copyright 2011 Red Hat, Inc. CVE-2010-4525 kvm doesn't run with older libgcrypt, but doesn't have a RPM dependency for it -drive arg has no way to request a read only disk Large guest ( 256G RAM + 16 vcpu ) hang during live migration kvm-qemu-img subpackage has dependency on qspice-libs build KVM modules for kernel-debug too Caps Lock the key's appearance of guest is not synchronous as host's --view kvm with vnc SR-IOV -- Guest exit and host hang on if boot VM with 8 VFs assigned emulated pcnet nic in qemu-kvm has wrong PCI subsystem ID for Windows XP driver use native smp_call_function_many/single functions use native pci_get_bus_and_slot function Guest suffers kernel panic when save snapshot then restart guest Time drift in win2k3-64bit and win2k8-64bit smp guest Change vnc password caused 'Segmentation fault' qcow2 image corruption when using cache=writeback Linux pvmmu guests (FC11, FC12, etc) crash on boot on AMD hosts with NPT disabled memory reported as used (by SwapCache and by Cache) though no process holds it. Failed to install kvm for failed dependencies: ksym Incorrect russian vnc keymap backport EPT accessed bit emulation Guest aborted when make guest stop on write error Qcow2 snapshot got corruption after commit using block device Failed to re-base qcow2 snapshot kvm spinning updating a guest pte, unkillable Rebooting a kernel with kvmclock enabled, into a kernel with kvmclock disabled, causes random crashes [rhel5.5] [kvm] dead lock in qemu during off-line migration race condition in pvclock wallclock calculation virtio-blk: Avoid zeroing every request structure qcow2 corruption bug in refcount table growth qemu-io: No permission to write image CPU save version is now 9, but the format is _very_ different from non-RHEL5 version 9 Backport qcow2 fixes to RHEL 5 Virtio: Transfer file caused guest in same vlan abnormally quit [kvm] debug-info missing from kvm-qemu-img-83-164.el5_5.12 [kvm] segmentation fault when running qemu-img check on faulty image [kvm] qemu image check returns cluster errors when using virtIO block (thinly provisioned) during e_no_space events (along with EIO errors) fork causes trouble for vcpu threads Monitor doesn't check for 'change' command failure rmmod kvm modules cause host kernel panic husb: ctrl buffer too small error received for passthrough usb device, fixed upstream fix build against kernel-devel-2.6.18-214.el5.x86_64: (cancel_work_sync() conflict) use native cancel_work_sync() function fix kvm build warnings and enable -Werror spec file changes for kmod + kernel-devel build Can not commit copy-on-write image's data to raw backing-image kmod-kvm has unresolved deps unresolved deps in kmod-kvm-debug-83-205.el5 "sendkey ctrl-alt-delete" don't work via VNC Add drive readonly option to help output TCP checksum overflows in qemu's e1000 emulation code when TSO is enabled in guest OS qemu-kvm aborted when installing the driver for the newly hotplugged rtl8139 nic clock drift when migrating a guest between mis-matched CPU clock speed CVE-2010-4525 kvm: x86: zero kvm_vcpu_events->interrupt.pad infoleak cpe:/a:redhat:rhel_virtualization Supplementary for Red Hat Enterprise Linux 5 The IBM 1.4.2 SR13-FP8 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. This update fixes two vulnerabilities in the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. Detailed vulnerability descriptions are linked from the IBM "Security alerts" page, listed in the References section. (CVE-2010-1321, CVE-2010-3574) Note: The RHSA-2010:0935 java-1.4.2-ibm update did not, unlike the erratum text stated, provide fixes for the above issues. All users of java-1.4.2-ibm are advised to upgrade to these updated packages, which contain the IBM 1.4.2 SR13-FP8 Java release. All running instances of IBM Java must be restarted for this update to take effect. Moderate Copyright 2011 Red Hat, Inc. CVE-2010-1321 CVE-2010-3574 CVE-2010-1321 krb5: null pointer dereference in GSS-API library leads to DoS (MITKRB5-SA-2010-005) CVE-2010-3574 OpenJDK HttpURLConnection incomplete TRACE permission check (6981426) cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Exim is a mail transport agent (MTA) developed at the University of Cambridge for use on UNIX systems connected to the Internet. A privilege escalation flaw was discovered in Exim. If an attacker were able to gain access to the "exim" user, they could cause Exim to execute arbitrary commands as the root user. (CVE-2010-4345) This update adds a new configuration file, "/etc/exim/trusted-configs". To prevent Exim from running arbitrary commands as root, Exim will now drop privileges when run with a configuration file not listed as trusted. This could break backwards compatibility with some Exim configurations, as the trusted-configs file only trusts "/etc/exim/exim.conf" and "/etc/exim/exim4.conf" by default. If you are using a configuration file not listed in the new trusted-configs file, you will need to add it manually. Additionally, Exim will no longer allow a user to execute exim as root with the -D command line option to override macro definitions. All macro definitions that require root permissions must now reside in a trusted configuration file. Users of Exim are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing this update, the exim daemon will be restarted automatically. Moderate Copyright 2011 Red Hat, Inc. CVE-2010-4345 CVE-2010-4345 exim privilege escalation cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Hewlett-Packard Linux Imaging and Printing (HPLIP) provides drivers for Hewlett-Packard printers and multifunction peripherals, and tools for installing, using, and configuring them. A flaw was found in the way certain HPLIP tools discovered devices using the SNMP protocol. If a user ran certain HPLIP tools that search for supported devices using SNMP, and a malicious user is able to send specially-crafted SNMP responses, it could cause those HPLIP tools to crash or, possibly, execute arbitrary code with the privileges of the user running them. (CVE-2010-4267) Red Hat would like to thank Sebastian Krahmer of the SuSE Security Team for reporting this issue. Users of hplip should upgrade to these updated packages, which contain a backported patch to correct this issue. Moderate Copyright 2011 Red Hat, Inc. CVE-2010-4267 CVE-2010-4267 hplip: remote stack overflow vulnerability cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues: * A heap overflow flaw was found in the Linux kernel's Transparent Inter-Process Communication protocol (TIPC) implementation. A local, unprivileged user could use this flaw to escalate their privileges. (CVE-2010-3859, Important) * Missing sanity checks were found in gdth_ioctl_alloc() in the gdth driver in the Linux kernel. A local user with access to "/dev/gdth" on a 64-bit system could use these flaws to cause a denial of service or escalate their privileges. (CVE-2010-4157, Moderate) * A NULL pointer dereference flaw was found in the Bluetooth HCI UART driver in the Linux kernel. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2010-4242, Moderate) * A flaw was found in the Linux kernel's garbage collector for AF_UNIX sockets. A local, unprivileged user could use this flaw to trigger a denial of service (out-of-memory condition). (CVE-2010-4249, Moderate) * Missing initialization flaws were found in the Linux kernel. A local, unprivileged user could use these flaws to cause information leaks. (CVE-2010-3876, CVE-2010-4072, CVE-2010-4073, CVE-2010-4075, CVE-2010-4080, CVE-2010-4083, CVE-2010-4158, Low) Red Hat would like to thank Alan Cox for reporting CVE-2010-4242; Vegard Nossum for reporting CVE-2010-4249; Vasiliy Kulikov for reporting CVE-2010-3876; Kees Cook for reporting CVE-2010-4072; and Dan Rosenberg for reporting CVE-2010-4073, CVE-2010-4075, CVE-2010-4080, CVE-2010-4083, and CVE-2010-4158. This update also fixes the following bugs: * A flaw was found in the Linux kernel where, if used in conjunction with another flaw that can result in a kernel Oops, could possibly lead to privilege escalation. It does not affect Red Hat Enterprise Linux 4 as the sysctl panic_on_oops variable is turned on by default. However, as a preventive measure if the variable is turned off by an administrator, this update addresses the issue. Red Hat would like to thank Nelson Elhage for reporting this vulnerability. (BZ#659568) * On Intel I/O Controller Hub 9 (ICH9) hardware, jumbo frame support is achieved by using page-based sk_buff buffers without any packet split. The entire frame data is copied to the page(s) rather than some to the skb->data area and some to the page(s) when performing a typical packet-split. This caused problems with the filtering code and frames were getting dropped before they were received by listening applications. This bug could eventually lead to the IP address being released and not being able to be re-acquired from DHCP if the MTU (Maximum Transfer Unit) was changed (for an affected interface using the e1000e driver). With this update, frames are no longer dropped and an IP address is correctly re-acquired after a previous release. (BZ#664667) Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect. Important Copyright 2011 Red Hat, Inc. CVE-2010-3859 CVE-2010-3876 CVE-2010-4072 CVE-2010-4073 CVE-2010-4075 CVE-2010-4080 CVE-2010-4083 CVE-2010-4157 CVE-2010-4158 CVE-2010-4242 CVE-2010-4249 CVE-2010-4242 kernel: missing tty ops write function presence check in hci_uart_tty_open() CVE-2010-3859 kernel: tipc: heap overflow in tipc_msg_build() CVE-2010-4072 kernel: ipc/shm.c: reading uninitialized stack memory CVE-2010-4073 kernel: ipc/compat*.c: reading uninitialized stack memory CVE-2010-4075 kernel: drivers/serial/serial_core.c: reading uninitialized stack memory CVE-2010-4080 kernel: drivers/sound/pci/rme9652/hdsp.c: reading uninitialized stack memory CVE-2010-4083 kernel: ipc/sem.c: reading uninitialized stack memory CVE-2010-3876 kernel: net/packet/af_packet.c: reading uninitialized stack memory CVE-2010-4157 kernel: gdth: integer overflow in ioc_general() CVE-2010-4158 kernel: socket filters infoleak CVE-2010-4249 kernel: unix socket local dos CVE-2010-4258 kernel: failure to revert address limit override in OOPS error path [rhel-4.8.z] cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issue: * A flaw was found in the sctp_icmp_proto_unreachable() function in the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation. A remote attacker could use this flaw to cause a denial of service. (CVE-2010-4526, Important) This update also fixes the following bugs: * Due to an off-by-one error, gfs2_grow failed to take the very last "rgrp" parameter into account when adding up the new free space. With this update, the GFS2 kernel properly counts all the new resource groups and fixes the "statfs" file correctly. (BZ#666792) * Prior to this update, a multi-threaded application, which invoked popen(3) internally, could cause a thread stall by FILE lock corruption. The application program waited for a FILE lock in glibc, but the lock seemed to be corrupted, which was caused by a race condition in the COW (Copy On Write) logic. With this update, the race condition was corrected and FILE lock corruption no longer occurs. (BZ#667050) * If an error occurred during I/O, the SCSI driver reset the "megaraid_sas" controller to restore it to normal state. However, on Red Hat Enterprise Linux 5, the waiting time to allow a full reset completion for the "megaraid_sas" controller was too short. The driver incorrectly recognized the controller as stalled, and, as a result, the system stalled as well. With this update, more time is given to the controller to properly restart, thus, the controller operates as expected after being reset. (BZ#667141) Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect. Important Copyright 2011 Red Hat, Inc. CVE-2010-4526 CVE-2010-4526 kernel: sctp: a race between ICMP protocol unreachable and connect() fsck.gfs2 reported statfs error after gfs2_grow [rhel-5.6.z] COW corruption using popen(3). [rhel-5.6.z] [RHEL5.6] megaraid_sas stalls after driver is reset [rhel-5.6.z] cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 MySQL is a multi-user, multi-threaded SQL database server. It consists of the MySQL server daemon (mysqld) and many client programs and libraries. The MySQL PolyFromWKB() function did not sanity check Well-Known Binary (WKB) data, which could allow a remote, authenticated attacker to crash mysqld. (CVE-2010-3840) A flaw in the way MySQL processed certain JOIN queries could allow a remote, authenticated attacker to cause excessive CPU use (up to 100%), if a stored procedure contained JOIN queries, and that procedure was executed twice in sequence. (CVE-2010-3839) A flaw in the way MySQL processed queries that provide a mixture of numeric and longblob data types to the LEAST or GREATEST function, could allow a remote, authenticated attacker to crash mysqld. (CVE-2010-3838) A flaw in the way MySQL processed PREPARE statements containing both GROUP_CONCAT and the WITH ROLLUP modifier could allow a remote, authenticated attacker to crash mysqld. (CVE-2010-3837) MySQL did not properly pre-evaluate LIKE arguments in view prepare mode, possibly allowing a remote, authenticated attacker to crash mysqld. (CVE-2010-3836) A flaw in the way MySQL processed statements that assign a value to a user-defined variable and that also contain a logical value evaluation could allow a remote, authenticated attacker to crash mysqld. (CVE-2010-3835) A flaw in the way MySQL evaluated the arguments of extreme-value functions, such as LEAST and GREATEST, could allow a remote, authenticated attacker to crash mysqld. (CVE-2010-3833) A flaw in the way MySQL handled LOAD DATA INFILE requests allowed MySQL to send OK packets even when there were errors. (CVE-2010-3683) A flaw in the way MySQL processed EXPLAIN statements for some complex SELECT queries could allow a remote, authenticated attacker to crash mysqld. (CVE-2010-3682) A flaw in the way MySQL processed certain alternating READ requests provided by HANDLER statements could allow a remote, authenticated attacker to crash mysqld. (CVE-2010-3681) A flaw in the way MySQL processed CREATE TEMPORARY TABLE statements that define NULL columns when using the InnoDB storage engine, could allow a remote, authenticated attacker to crash mysqld. (CVE-2010-3680) A flaw in the way MySQL processed certain values provided to the BINLOG statement caused MySQL to read unassigned memory. A remote, authenticated attacker could possibly use this flaw to crash mysqld. (CVE-2010-3679) A flaw in the way MySQL processed SQL queries containing IN or CASE statements, when a NULL argument was provided as one of the arguments to the query, could allow a remote, authenticated attacker to crash mysqld. (CVE-2010-3678) A flaw in the way MySQL processed JOIN queries that attempt to retrieve data from a unique SET column could allow a remote, authenticated attacker to crash mysqld. (CVE-2010-3677) Note: CVE-2010-3840, CVE-2010-3838, CVE-2010-3837, CVE-2010-3835, CVE-2010-3833, CVE-2010-3682, CVE-2010-3681, CVE-2010-3680, CVE-2010-3678, and CVE-2010-3677 only cause a temporary denial of service, as mysqld was automatically restarted after each crash. These updated packages upgrade MySQL to version 5.1.52. Refer to the MySQL release notes for a full list of changes: http://dev.mysql.com/doc/refman/5.1/en/news-5-1-52.html All MySQL users should upgrade to these updated packages, which correct these issues. After installing this update, the MySQL server daemon (mysqld) will be restarted automatically. Moderate Copyright 2011 Red Hat, Inc. CVE-2010-3677 CVE-2010-3678 CVE-2010-3679 CVE-2010-3680 CVE-2010-3681 CVE-2010-3682 CVE-2010-3683 CVE-2010-3833 CVE-2010-3835 CVE-2010-3836 CVE-2010-3837 CVE-2010-3838 CVE-2010-3839 CVE-2010-3840 CVE-2010-3677 MySQL: Mysqld DoS (crash) by processing joins involving a table with a unique SET column (MySQL BZ#54575) CVE-2010-3679 MySQL: Use of unassigned memory (valgrind errors / crash) by providing certain values to BINLOG statement (MySQL BZ#54393) CVE-2010-3678 MySQL: mysqld DoS (crash) by processing IN / CASE statements with NULL arguments (MySQL bug #54477) CVE-2010-3680 MySQL: mysqld DoS (assertion failure) by using temporary InnoDB engine tables with nullable columns (MySQL bug #54044) CVE-2010-3682 MySQL: mysqld DoS (crash) by processing EXPLAIN statements for complex SQL queries (MySQL bug #52711) CVE-2010-3681 MySQL: mysqld DoS (assertion failure) by alternate reads from two indexes on a table using the HANDLER interface (MySQL bug #54007) CVE-2010-3683 MySQL: mysqld DoS (assertion failure) while reading the file back into a table (MySQL bug #52512) CVE-2010-3833 MySQL: CREATE TABLE ... SELECT causes crash when KILL_BAD_DATA is returned (MySQL Bug#55826) CVE-2010-3835 MySQL: crash with user variables, assignments, joins... (MySQL Bug #55564) CVE-2010-3836 MySQL: pre-evaluating LIKE arguments in view prepare mode causes crash (MySQL Bug#54568) CVE-2010-3837 MySQL: crash when group_concat and "with rollup" in prepared statements (MySQL Bug#54476) CVE-2010-3838 MySQL: crash with LONGBLOB and union or update with subquery (MySQL Bug#54461) CVE-2010-3839 MySQL: server hangs during JOIN query in stored procedures called twice in a row (MySQL Bug#53544) CVE-2010-3840 MySQL: crash when loading data into geometry function PolyFromWKB() (MySQL Bug#51875) cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 Supplementary for Red Hat Enterprise Linux 6 The IBM 1.5.0 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. This update fixes multiple vulnerabilities in the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. Detailed vulnerability descriptions are linked from the IBM "Security alerts" page, listed in the References section. (CVE-2010-3553, CVE-2010-3557, CVE-2010-3571) This update also fixes the following bug: * An error in the java-1.5.0-ibm RPM spec file caused an incorrect path to be included in HtmlConverter, preventing it from running. (BZ#659710) All users of java-1.5.0-ibm are advised to upgrade to these updated packages, containing the IBM 1.5.0 SR12-FP3 Java release. All running instances of IBM Java must be restarted for this update to take effect. Critical Copyright 2011 Red Hat, Inc. CVE-2010-3553 CVE-2010-3557 CVE-2010-3571 CVE-2010-3557 OpenJDK Swing mutable static (6938813) CVE-2010-3553 OpenJDK Swing unsafe reflection usage (6622002) CVE-2010-3571 JDK unspecified vulnerability in 2D component IBM Java5 files modified & Missing cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 The libuser library implements a standardized interface for manipulating and administering user and group accounts. Sample applications that are modeled after applications from the shadow password suite (shadow-utils) are included in these packages. It was discovered that libuser did not set the password entry correctly when creating LDAP (Lightweight Directory Access Protocol) users. If an administrator did not assign a password to an LDAP based user account, either at account creation with luseradd, or with lpasswd after account creation, an attacker could use this flaw to log into that account with a default password string that should have been rejected. (CVE-2011-0002) Note: LDAP administrators that have used libuser tools to add users should check existing user accounts for plain text passwords, and reset them as necessary. Users of libuser should upgrade to these updated packages, which contain a backported patch to correct this issue. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-0002 CVE-2011-0002 libuser creates LDAP users with a default password cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 These packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software Development Kit. The javaws command can be used to launch Java Web Start applications. A public static field declaration allowed untrusted JNLP (Java Network Launching Protocol) applications to read privileged data. A remote attacker could directly or indirectly read the values of restricted system properties, such as "user.name", "user.home", and "java.home", which untrusted applications should not be allowed to read. (CVE-2010-3860) It was found that JNLPSecurityManager could silently return without throwing an exception when permission was denied. If the javaws command was used to launch a Java Web Start application that relies on this exception being thrown, it could result in that application being run with elevated privileges, allowing it to bypass security manager restrictions and gain access to privileged functionality. (CVE-2010-4351) Note: The RHSA-2010:0339 java-1.6.0-openjdk update installed javaws by mistake. As part of the fixes for CVE-2010-3860 and CVE-2010-4351, this update removes javaws. Red Hat would like to thank the TippingPoint Zero Day Initiative project for reporting CVE-2010-4351. The original issue reporter wishes to stay anonymous. This erratum also upgrades the OpenJDK package to IcedTea6 1.7.7. Refer to the NEWS file, linked to in the References, for further information. All users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect. Moderate Copyright 2011 Red Hat, Inc. CVE-2010-3860 CVE-2010-4351 CVE-2010-3860 IcedTea System property information leak via public static CVE-2010-4351 IcedTea jnlp security manager bypass cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 WebKitGTK+ is the port of the portable web rendering engine WebKit to the GTK+ platform. Multiple memory corruption flaws were found in WebKit. Malicious web content could cause an application using WebKitGTK+ to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2010-1782, CVE-2010-1783, CVE-2010-1784, CVE-2010-1785, CVE-2010-1787, CVE-2010-1788, CVE-2010-1790, CVE-2010-1792, CVE-2010-1807, CVE-2010-1814, CVE-2010-3114, CVE-2010-3116, CVE-2010-3119, CVE-2010-3255, CVE-2010-3812, CVE-2010-4198) Multiple use-after-free flaws were found in WebKit. Malicious web content could cause an application using WebKitGTK+ to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2010-1780, CVE-2010-1786, CVE-2010-1793, CVE-2010-1812, CVE-2010-1815, CVE-2010-3113, CVE-2010-3257, CVE-2010-4197, CVE-2010-4204) Two array index errors, leading to out-of-bounds memory reads, were found in WebKit. Malicious web content could cause an application using WebKitGTK+ to crash. (CVE-2010-4206, CVE-2010-4577) A flaw in WebKit could allow malicious web content to trick a user into thinking they are visiting the site reported by the location bar, when the page is actually content controlled by an attacker. (CVE-2010-3115) It was found that WebKit did not correctly restrict read access to images created from the "canvas" element. Malicious web content could allow a remote attacker to bypass the same-origin policy and potentially access sensitive image data. (CVE-2010-3259) A flaw was found in the way WebKit handled DNS prefetching. Even when it was disabled, web content containing certain "link" elements could cause WebKitGTK+ to perform DNS prefetching. (CVE-2010-3813) Users of WebKitGTK+ should upgrade to these updated packages, which contain WebKitGTK+ version 1.2.6, and resolve these issues. All running applications that use WebKitGTK+ must be restarted for this update to take effect. Moderate Copyright 2011 Red Hat, Inc. CVE-2010-1780 CVE-2010-1782 CVE-2010-1783 CVE-2010-1784 CVE-2010-1785 CVE-2010-1786 CVE-2010-1787 CVE-2010-1788 CVE-2010-1790 CVE-2010-1792 CVE-2010-1793 CVE-2010-1807 CVE-2010-1812 CVE-2010-1814 CVE-2010-1815 CVE-2010-3113 CVE-2010-3114 CVE-2010-3115 CVE-2010-3116 CVE-2010-3119 CVE-2010-3255 CVE-2010-3257 CVE-2010-3259 CVE-2010-3812 CVE-2010-3813 CVE-2010-4197 CVE-2010-4198 CVE-2010-4204 CVE-2010-4206 CVE-2010-4577 CVE-2010-1780 CVE-2010-1782 CVE-2010-1783 CVE-2010-1784 CVE-2010-1785 CVE-2010-1786 CVE-2010-1787 CVE-2010-1788 CVE-2010-1790 CVE-2010-1792 CVE-2010-1793 WebKit: multiple vulnerabilities in WebKitGTK CVE-2010-1807 webkit: input validation error when parsing certain NaN values CVE-2010-3113 webkit: memory corruption when handling SVG documents CVE-2010-3114 webkit: bad cast with text editing CVE-2010-3115 webkit: address bar spoofing with history bug CVE-2010-3119 webkit: DoS due to improper Ruby support CVE-2010-1812 webkit: use-after-free flaw in handling of selections CVE-2010-1814 webkit: memory corruption flaw when handling form menus CVE-2010-1815 webkit: use-after-free flaw when handling scrollbars CVE-2010-3116 webkit: memory corruption with MIME types CVE-2010-3257 webkit: stale pointer issue with focusing CVE-2010-3259 webkit: cross-origin image theft CVE-2010-3255 webkit: DoS via improper handling of counter nodes CVE-2010-4197 WebKit: Use-after-free vulnerabiity related to text editing causes memory corruption CVE-2010-4198 WebKit: Memory corruption due to improper handling of large text area CVE-2010-4204 WebKit: Use-after-free vulnerability related frame object CVE-2010-4206 WebKit: Array index error during processing of an SVG document CVE-2010-3812 webkit: Integer overflow in WebKit's handling of Text objects CVE-2010-3813 webkit: HTMLLinkElement ignores dnsPrefetchingEnabled setting CVE-2010-4577 webkit: CSS Font Face Parsing Type Confusion Vulnerability cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 6 Pango is a library used for the layout and rendering of internationalized text. An input sanitization flaw, leading to a heap-based buffer overflow, was found in the way Pango displayed font files when using the FreeType font engine back end. If a user loaded a malformed font file with an application that uses Pango, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2011-0020) Users of pango and evolution28-pango are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing the updated packages, you must restart your system or restart your X session for the update to take effect. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-0020 CVE-2011-0020 pango: Heap-based buffer overflow by rendering glyph box for certain FT_Bitmap objects cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 OpenOffice.org is an office productivity suite that includes desktop applications, such as a word processor, spreadsheet application, presentation manager, formula editor, and a drawing program. An array index error and an integer signedness error were found in the way OpenOffice.org parsed certain Rich Text Format (RTF) files. An attacker could use these flaws to create a specially-crafted RTF file that, when opened, would cause OpenOffice.org to crash or, possibly, execute arbitrary code with the privileges of the user running OpenOffice.org. (CVE-2010-3451, CVE-2010-3452) A heap-based buffer overflow flaw and an array index error were found in the way OpenOffice.org parsed certain Microsoft Office Word documents. An attacker could use these flaws to create a specially-crafted Microsoft Office Word document that, when opened, would cause OpenOffice.org to crash or, possibly, execute arbitrary code with the privileges of the user running OpenOffice.org. (CVE-2010-3453, CVE-2010-3454) A heap-based buffer overflow flaw was found in the way OpenOffice.org parsed certain TARGA (Truevision TGA) files. An attacker could use this flaw to create a specially-crafted TARGA file. If a document containing this specially-crafted TARGA file was opened, or if a user tried to insert the file into an existing document, it would cause OpenOffice.org to crash or, possibly, execute arbitrary code with the privileges of the user running OpenOffice.org. (CVE-2010-4643) A directory traversal flaw was found in the way OpenOffice.org handled the installation of XSLT filter descriptions packaged in Java Archive (JAR) files, as well as the installation of OpenOffice.org Extension (.oxt) files. An attacker could use these flaws to create a specially-crafted XSLT filter description or extension file that, when opened, would cause the OpenOffice.org Extension Manager to modify files accessible to the user installing the JAR or extension file. (CVE-2010-3450) Red Hat would like to thank OpenOffice.org for reporting the CVE-2010-3451, CVE-2010-3452, CVE-2010-3453, CVE-2010-3454, and CVE-2010-4643 issues. Upstream acknowledges Dan Rosenberg of Virtual Security Research as the original reporter of the CVE-2010-3451, CVE-2010-3452, CVE-2010-3453, and CVE-2010-3454 issues. All OpenOffice.org users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. All running instances of OpenOffice.org applications must be restarted for this update to take effect. Important Copyright 2011 Red Hat, Inc. CVE-2010-3450 CVE-2010-3451 CVE-2010-3452 CVE-2010-3453 CVE-2010-3454 CVE-2010-4643 CVE-2010-3450 OpenOffice.org: directory traversal flaws in handling of XSLT jar filter descriptions and OXT extension files CVE-2010-3452 OpenOffice.org: Integer signedness error (crash) by processing certain RTF tags CVE-2010-3453 OpenOffice.org: Heap-based buffer overflow by processing *.doc files with WW8 list styles with specially-crafted count of list levels CVE-2010-3454 OpenOffice.org: Array index error by scanning document typography information of certain *.doc files CVE-2010-3451 OpenOffice.org: Array index error by insecure parsing of broken rtf tables CVE-2010-4643 OpenOffice.org: heap based buffer overflow when parsing TGA files cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 OpenOffice.org is an office productivity suite that includes desktop applications, such as a word processor, spreadsheet application, presentation manager, formula editor, and a drawing program. An array index error and an integer signedness error were found in the way OpenOffice.org parsed certain Rich Text Format (RTF) files. An attacker could use these flaws to create a specially-crafted RTF file that, when opened, would cause OpenOffice.org to crash or, possibly, execute arbitrary code with the privileges of the user running OpenOffice.org. (CVE-2010-3451, CVE-2010-3452) A heap-based buffer overflow flaw and an array index error were found in the way OpenOffice.org parsed certain Microsoft Office Word documents. An attacker could use these flaws to create a specially-crafted Microsoft Office Word document that, when opened, would cause OpenOffice.org to crash or, possibly, execute arbitrary code with the privileges of the user running OpenOffice.org. (CVE-2010-3453, CVE-2010-3454) A heap-based buffer overflow flaw was found in the way OpenOffice.org parsed certain Microsoft Office PowerPoint files. An attacker could use this flaw to create a specially-crafted Microsoft Office PowerPoint file that, when opened, would cause OpenOffice.org to crash or, possibly, execute arbitrary code with the privileges of the user running OpenOffice.org. (CVE-2010-4253) A heap-based buffer overflow flaw was found in the way OpenOffice.org parsed certain TARGA (Truevision TGA) files. An attacker could use this flaw to create a specially-crafted TARGA file. If a document containing this specially-crafted TARGA file was opened, or if a user tried to insert the file into an existing document, it would cause OpenOffice.org to crash or, possibly, execute arbitrary code with the privileges of the user running OpenOffice.org. (CVE-2010-4643) A directory traversal flaw was found in the way OpenOffice.org handled the installation of XSLT filter descriptions packaged in Java Archive (JAR) files, as well as the installation of OpenOffice.org Extension (.oxt) files. An attacker could use these flaws to create a specially-crafted XSLT filter description or extension file that, when opened, would cause the OpenOffice.org Extension Manager to modify files accessible to the user installing the JAR or extension file. (CVE-2010-3450) A flaw was found in the script that launches OpenOffice.org. In some situations, a "." character could be included in the LD_LIBRARY_PATH variable, allowing a local attacker to execute arbitrary code with the privileges of the user running OpenOffice.org, if that user ran OpenOffice.org from within an attacker-controlled directory. (CVE-2010-3689) Red Hat would like to thank OpenOffice.org for reporting the CVE-2010-3451, CVE-2010-3452, CVE-2010-3453, CVE-2010-3454, and CVE-2010-4643 issues; and Dmitri Gribenko for reporting the CVE-2010-3689 issue. Upstream acknowledges Dan Rosenberg of Virtual Security Research as the original reporter of the CVE-2010-3451, CVE-2010-3452, CVE-2010-3453, and CVE-2010-3454 issues. All OpenOffice.org users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. All running instances of OpenOffice.org applications must be restarted for this update to take effect. Important Copyright 2011 Red Hat, Inc. CVE-2010-3450 CVE-2010-3451 CVE-2010-3452 CVE-2010-3453 CVE-2010-3454 CVE-2010-3689 CVE-2010-4253 CVE-2010-4643 CVE-2010-3450 OpenOffice.org: directory traversal flaws in handling of XSLT jar filter descriptions and OXT extension files CVE-2010-3452 OpenOffice.org: Integer signedness error (crash) by processing certain RTF tags CVE-2010-3453 OpenOffice.org: Heap-based buffer overflow by processing *.doc files with WW8 list styles with specially-crafted count of list levels CVE-2010-3454 OpenOffice.org: Array index error by scanning document typography information of certain *.doc files CVE-2010-3689 OpenOffice.org: soffice insecure LD_LIBRARY_PATH setting CVE-2010-3451 OpenOffice.org: Array index error by insecure parsing of broken rtf tables CVE-2010-4253 OpenOffice.org: heap based buffer overflow in PPT import CVE-2010-4643 OpenOffice.org: heap based buffer overflow when parsing TGA files cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 OpenOffice.org is an office productivity suite that includes desktop applications, such as a word processor, spreadsheet application, presentation manager, formula editor, and a drawing program. An array index error and an integer signedness error were found in the way OpenOffice.org parsed certain Rich Text Format (RTF) files. An attacker could use these flaws to create a specially-crafted RTF file that, when opened, would cause OpenOffice.org to crash or, possibly, execute arbitrary code with the privileges of the user running OpenOffice.org. (CVE-2010-3451, CVE-2010-3452) A heap-based buffer overflow flaw and an array index error were found in the way OpenOffice.org parsed certain Microsoft Office Word documents. An attacker could use these flaws to create a specially-crafted Microsoft Office Word document that, when opened, would cause OpenOffice.org to crash or, possibly, execute arbitrary code with the privileges of the user running OpenOffice.org. (CVE-2010-3453, CVE-2010-3454) A heap-based buffer overflow flaw was found in the way OpenOffice.org parsed certain Microsoft Office PowerPoint files. An attacker could use this flaw to create a specially-crafted Microsoft Office PowerPoint file that, when opened, would cause OpenOffice.org to crash or, possibly, execute arbitrary code with the privileges of the user running OpenOffice.org. (CVE-2010-4253) A heap-based buffer overflow flaw was found in the way OpenOffice.org parsed certain TARGA (Truevision TGA) files. An attacker could use this flaw to create a specially-crafted TARGA file. If a document containing this specially-crafted TARGA file was opened, or if a user tried to insert the file into an existing document, it would cause OpenOffice.org to crash or, possibly, execute arbitrary code with the privileges of the user running OpenOffice.org. (CVE-2010-4643) A directory traversal flaw was found in the way OpenOffice.org handled the installation of XSLT filter descriptions packaged in Java Archive (JAR) files, as well as the installation of OpenOffice.org Extension (.oxt) files. An attacker could use these flaws to create a specially-crafted XSLT filter description or extension file that, when opened, would cause the OpenOffice.org Extension Manager to modify files accessible to the user installing the JAR or extension file. (CVE-2010-3450) A flaw was found in the script that launches OpenOffice.org. In some situations, a "." character could be included in the LD_LIBRARY_PATH variable, allowing a local attacker to execute arbitrary code with the privileges of the user running OpenOffice.org, if that user ran OpenOffice.org from within an attacker-controlled directory. (CVE-2010-3689) Red Hat would like to thank OpenOffice.org for reporting the CVE-2010-3451, CVE-2010-3452, CVE-2010-3453, CVE-2010-3454, and CVE-2010-4643 issues; and Dmitri Gribenko for reporting the CVE-2010-3689 issue. Upstream acknowledges Dan Rosenberg of Virtual Security Research as the original reporter of the CVE-2010-3451, CVE-2010-3452, CVE-2010-3453, and CVE-2010-3454 issues. This update also fixes the following bug: * OpenOffice.org did not create a lock file when opening a file that was on a share mounted via SFTP. Additionally, if there was a lock file, it was ignored. This could result in data loss if a file in this situation was opened simultaneously by another user. (BZ#671087) All OpenOffice.org users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. All running instances of OpenOffice.org applications must be restarted for this update to take effect. Important Copyright 2011 Red Hat, Inc. CVE-2010-3450 CVE-2010-3451 CVE-2010-3452 CVE-2010-3453 CVE-2010-3454 CVE-2010-3689 CVE-2010-4253 CVE-2010-4643 CVE-2010-3450 OpenOffice.org: directory traversal flaws in handling of XSLT jar filter descriptions and OXT extension files CVE-2010-3452 OpenOffice.org: Integer signedness error (crash) by processing certain RTF tags CVE-2010-3453 OpenOffice.org: Heap-based buffer overflow by processing *.doc files with WW8 list styles with specially-crafted count of list levels CVE-2010-3454 OpenOffice.org: Array index error by scanning document typography information of certain *.doc files CVE-2010-3689 OpenOffice.org: soffice insecure LD_LIBRARY_PATH setting CVE-2010-3451 OpenOffice.org: Array index error by insecure parsing of broken rtf tables CVE-2010-4253 OpenOffice.org: heap based buffer overflow in PPT import CVE-2010-4643 OpenOffice.org: heap based buffer overflow when parsing TGA files [fix available] file locks are not created with gvfs-sftp volumes with OpenOffice.org cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. A flaw was found in the way PHP converted certain floating point values from string representation to a number. If a PHP script evaluated an attacker's input in a numeric context, the PHP interpreter could cause high CPU usage until the script execution time limit is reached. This issue only affected i386 systems. (CVE-2010-4645) A numeric truncation error and an input validation flaw were found in the way the PHP utf8_decode() function decoded partial multi-byte sequences for some multi-byte encodings, sending them to output without them being escaped. An attacker could use these flaws to perform a cross-site scripting attack. (CVE-2009-5016, CVE-2010-3870) A NULL pointer dereference flaw was found in the PHP ZipArchive::getArchiveComment function. If a script used this function to inspect a specially-crafted ZIP archive file, it could cause the PHP interpreter to crash. (CVE-2010-3709) All php users should upgrade to these updated packages, which contain backported patches to resolve these issues. After installing the updated packages, the httpd daemon must be restarted for the update to take effect. Moderate Copyright 2011 Red Hat, Inc. CVE-2009-5016 CVE-2010-3709 CVE-2010-3870 CVE-2010-4645 CVE-2010-3870 php: XSS mitigation bypass via utf8_decode() CVE-2010-3709 php: NULL pointer dereference in ZipArchive::getArchiveComment CVE-2009-5016 php: XSS and SQL injection bypass via crafted overlong UTF-8 encoded string CVE-2010-4645 php: hang on numeric value 2.2250738585072011e-308 with x87 fpu cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. A flaw was found in the way PHP converted certain floating point values from string representation to a number. If a PHP script evaluated an attacker's input in a numeric context, the PHP interpreter could cause high CPU usage until the script execution time limit is reached. This issue only affected i386 systems. (CVE-2010-4645) A stack memory exhaustion flaw was found in the way the PHP filter_var() function validated email addresses. An attacker could use this flaw to crash the PHP interpreter by providing excessively long input to be validated as an email address. (CVE-2010-3710) A memory disclosure flaw was found in the PHP multi-byte string extension. If the mb_strcut() function was called with a length argument exceeding the input string size, the function could disclose a portion of the PHP interpreter's memory. (CVE-2010-4156) All php53 users should upgrade to these updated packages, which contain backported patches to resolve these issues. After installing the updated packages, the httpd daemon must be restarted for the update to take effect. Moderate Copyright 2011 Red Hat, Inc. CVE-2010-3710 CVE-2010-4156 CVE-2010-4645 CVE-2010-3710 php: DoS in filter_var() via long email string CVE-2010-4156 php information disclosure via mb_strcut() CVE-2010-4645 php: hang on numeric value 2.2250738585072011e-308 with x87 fpu cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 PostgreSQL is an advanced object-relational database management system (DBMS). A stack-based buffer overflow flaw was found in the way PostgreSQL processed certain tokens from an SQL query when the intarray module was enabled on a particular database. An authenticated database user running a specially-crafted SQL query could use this flaw to cause a temporary denial of service (postgres daemon crash) or, potentially, execute arbitrary code with the privileges of the database server. (CVE-2010-4015) Red Hat would like to thank Geoff Keating of the Apple Product Security team for reporting this issue. For Red Hat Enterprise Linux 4, the updated postgresql packages contain a backported patch for this issue; there are no other changes. For Red Hat Enterprise Linux 5, the updated postgresql packages upgrade PostgreSQL to version 8.1.23, and contain a backported patch for this issue. Refer to the PostgreSQL Release Notes for a full list of changes: http://www.postgresql.org/docs/8.1/static/release.html For Red Hat Enterprise Linux 6, the updated postgresql packages upgrade PostgreSQL to version 8.4.7, which includes a fix for this issue. Refer to the PostgreSQL Release Notes for a full list of changes: http://www.postgresql.org/docs/8.4/static/release.html All PostgreSQL users are advised to upgrade to these updated packages, which correct this issue. If the postgresql service is running, it will be automatically restarted after installing this update. Moderate Copyright 2011 Red Hat, Inc. CVE-2010-4015 CVE-2010-4015 PostgreSQL: Stack-based buffer overflow by processing certain tokens from SQL query string when intarray module enabled cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 PostgreSQL is an advanced object-relational database management system (DBMS). A stack-based buffer overflow flaw was found in the way PostgreSQL processed certain tokens from an SQL query when the intarray module was enabled on a particular database. An authenticated database user running a specially-crafted SQL query could use this flaw to cause a temporary denial of service (postgres daemon crash) or, potentially, execute arbitrary code with the privileges of the database server. (CVE-2010-4015) Red Hat would like to thank Geoff Keating of the Apple Product Security team for reporting this issue. These updated postgresql84 packages upgrade PostgreSQL to version 8.4.7. Refer to the PostgreSQL Release Notes for a full list of changes: http://www.postgresql.org/docs/8.4/static/release.html All PostgreSQL users are advised to upgrade to these updated packages, which correct this issue. If the postgresql service is running, it will be automatically restarted after installing this update. Moderate Copyright 2011 Red Hat, Inc. CVE-2010-4015 CVE-2010-4015 PostgreSQL: Stack-based buffer overflow by processing certain tokens from SQL query string when intarray module enabled cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third-party, the Key Distribution Center (KDC). A NULL pointer dereference flaw was found in the way the MIT Kerberos KDC processed principal names that were not null terminated, when the KDC was configured to use an LDAP back end. A remote attacker could use this flaw to crash the KDC via a specially-crafted request. (CVE-2011-0282) A denial of service flaw was found in the way the MIT Kerberos KDC processed certain principal names when the KDC was configured to use an LDAP back end. A remote attacker could use this flaw to cause the KDC to hang via a specially-crafted request. (CVE-2011-0281) Red Hat would like to thank the MIT Kerberos Team for reporting these issues. Upstream acknowledges Kevin Longfellow of Oracle Corporation as the original reporter of the CVE-2011-0281 issue. All krb5 users should upgrade to these updated packages, which contain a backported patch to correct these issues. After installing the updated packages, the krb5kdc daemon will be restarted automatically. Important Copyright 2011 Red Hat, Inc. CVE-2011-0281 CVE-2011-0282 CVE-2011-0281 krb5: KDC hang when using LDAP backend caused by special principal name (MITKRB5-SA-2011-002) CVE-2011-0282 krb5: KDC crash when using LDAP backend caused by a special principal name (MITKRB5-SA-2011-002) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third-party, the Key Distribution Center (KDC). A NULL pointer dereference flaw was found in the way the MIT Kerberos KDC processed principal names that were not null terminated, when the KDC was configured to use an LDAP back end. A remote attacker could use this flaw to crash the KDC via a specially-crafted request. (CVE-2011-0282) A denial of service flaw was found in the way the MIT Kerberos KDC processed certain principal names when the KDC was configured to use an LDAP back end. A remote attacker could use this flaw to cause the KDC to hang via a specially-crafted request. (CVE-2011-0281) A denial of service flaw was found in the way the MIT Kerberos V5 slave KDC update server (kpropd) processed certain update requests for KDC database propagation. A remote attacker could use this flaw to terminate the kpropd daemon via a specially-crafted update request. (CVE-2010-4022) Red Hat would like to thank the MIT Kerberos Team for reporting the CVE-2011-0282 and CVE-2011-0281 issues. Upstream acknowledges Kevin Longfellow of Oracle Corporation as the original reporter of the CVE-2011-0281 issue. All krb5 users should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the krb5kdc daemon will be restarted automatically. Important Copyright 2011 Red Hat, Inc. CVE-2010-4022 CVE-2011-0281 CVE-2011-0282 CVE-2010-4022 krb5: kpropd unexpected termination on invalid input (MITKRB5-SA-2011-001) CVE-2011-0281 krb5: KDC hang when using LDAP backend caused by special principal name (MITKRB5-SA-2011-002) CVE-2011-0282 krb5: KDC crash when using LDAP backend caused by a special principal name (MITKRB5-SA-2011-002) cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 6 The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in. This update fixes multiple vulnerabilities in Adobe Flash Player. These vulnerabilities are detailed on the Adobe security page APSB11-02, listed in the References section. Multiple security flaws were found in the way flash-plugin displayed certain SWF content. An attacker could use these flaws to create a specially-crafted SWF file that would cause flash-plugin to crash or, potentially, execute arbitrary code when the victim loaded a page containing the specially-crafted SWF content. (CVE-2011-0558, CVE-2011-0559, CVE-2011-0560, CVE-2011-0561, CVE-2011-0571, CVE-2011-0572, CVE-2011-0573, CVE-2011-0574, CVE-2011-0575, CVE-2011-0577, CVE-2011-0578, CVE-2011-0607, CVE-2011-0608) All users of Adobe Flash Player should install this updated package, which upgrades Flash Player to version 10.2.152.27. Critical Copyright 2011 Red Hat, Inc. CVE-2011-0558 CVE-2011-0559 CVE-2011-0560 CVE-2011-0561 CVE-2011-0571 CVE-2011-0572 CVE-2011-0573 CVE-2011-0574 CVE-2011-0575 CVE-2011-0577 CVE-2011-0578 CVE-2011-0607 CVE-2011-0608 CVE-2011-0558 CVE-2011-0559 CVE-2011-0560 CVE-2011-0561 CVE-2011-0571 CVE-2011-0572 CVE-2011-0573 CVE-2011-0574 CVE-2011-0575 CVE-2011-0577 CVE-2011-0578 CVE-2011-0607 CVE-2011-0608 flash-plugin: multiple code execution flaws (APSB11-02) cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 These packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software Development Kit. A denial of service flaw was found in the way certain strings were converted to Double objects. A remote attacker could use this flaw to cause Java-based applications to hang, for instance if they parse Double values in a specially-crafted HTTP request. (CVE-2010-4476) All users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve this issue. All running instances of OpenJDK Java must be restarted for the update to take effect. Moderate Copyright 2011 Red Hat, Inc. CVE-2010-4476 CVE-2010-4476 JDK Double.parseDouble Denial-Of-Service cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 In accordance with the Red Hat Enterprise Linux Errata Support Policy, the regular 7 year life-cycle of Red Hat Enterprise Linux 4 will end on February 29, 2012. After this date, Red Hat will discontinue the regular subscription services for Red Hat Enterprise Linux 4. Therefore, new bug fix, enhancement, and security errata updates, as well as technical support services will no longer be available for the following products: * Red Hat Enterprise Linux AS 4 * Red Hat Enterprise Linux ES 4 * Red Hat Enterprise Linux WS 4 * Red Hat Enterprise Linux Extras 4 * Red Hat Desktop 4 * Red Hat Global File System 4 * Red Hat Cluster Suite 4 Customers still running production workloads on Red Hat Enterprise Linux 4 are advised to begin planning the upgrade to Red Hat Enterprise Linux 5 or 6. Active subscribers of Red Hat Enterprise Linux already have access to all currently maintained versions of Red Hat Enterprise Linux, as part of their subscription without additional fees. For customers who are unable to migrate off Red Hat Enterprise Linux 4 before its end-of-life date, Red Hat intends to offer a limited, optional extension program. For more information, contact your Red Hat sales representative or channel partner. Details of the Red Hat Enterprise Linux life-cycle can be found on the Red Hat website: https://access.redhat.com/support/policy/updates/errata/ Low Copyright 2011 Red Hat, Inc. Send Out RHEL 4 1-Year EOL Notice cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 The Dynamic Host Configuration Protocol (DHCP) is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. DHCPv6 is the DHCP protocol version for IPv6 networks. A flaw was found in the way the dhcpd daemon processed certain DHCPv6 messages for addresses that had previously been declined and marked as abandoned internally. If a remote attacker sent such messages to dhcpd, it could cause dhcpd to crash due to an assertion failure if it was running as a DHCPv6 server. (CVE-2011-0413) Red Hat would like to thank Internet Systems Consortium for reporting this issue. Users running dhcpd as a DHCPv6 server should upgrade to these updated packages, which contain a backported patch to correct this issue. After installing this update, all DHCP servers will be restarted automatically. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-0413 CVE-2011-0413 dhcp: unexpected abort caused by a DHCPv6 decline message cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Subversion (SVN) is a concurrent version control system which enables one or more users to collaborate in developing and maintaining a hierarchy of files and directories while keeping a history of all changes. A server-side memory leak was found in the Subversion server. If a malicious, remote user performed "svn blame" or "svn log" operations on certain repository files, it could cause the Subversion server to consume a large amount of system memory. (CVE-2010-4644) A NULL pointer dereference flaw was found in the way the mod_dav_svn module (for use with the Apache HTTP Server) processed certain requests. If a malicious, remote user issued a certain type of request to display a collection of Subversion repositories on a host that has the SVNListParentPath directive enabled, it could cause the httpd process serving the request to crash. Note that SVNListParentPath is not enabled by default. (CVE-2010-4539) All Subversion users should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the Subversion server must be restarted for the update to take effect: restart httpd if you are using mod_dav_svn, or restart svnserve if it is used. Moderate Copyright 2011 Red Hat, Inc. CVE-2010-4539 CVE-2010-4644 CVE-2010-4539 Subversion (mod_dav_svn): DoS (crash) by processing certain requests to display all available repositories to a web browser CVE-2010-4644 Subversion: DoS (memory consumption) by processing blame or log -g requests on certain files cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Subversion (SVN) is a concurrent version control system which enables one or more users to collaborate in developing and maintaining a hierarchy of files and directories while keeping a history of all changes. The mod_dav_svn module is used with the Apache HTTP Server to allow access to Subversion repositories via HTTP. An access restriction bypass flaw was found in the mod_dav_svn module. If the SVNPathAuthz directive was set to "short_circuit", certain access rules were not enforced, possibly allowing sensitive repository data to be leaked to remote users. Note that SVNPathAuthz is set to "On" by default. (CVE-2010-3315) A server-side memory leak was found in the Subversion server. If a malicious, remote user performed "svn blame" or "svn log" operations on certain repository files, it could cause the Subversion server to consume a large amount of system memory. (CVE-2010-4644) A NULL pointer dereference flaw was found in the way the mod_dav_svn module processed certain requests. If a malicious, remote user issued a certain type of request to display a collection of Subversion repositories on a host that has the SVNListParentPath directive enabled, it could cause the httpd process serving the request to crash. Note that SVNListParentPath is not enabled by default. (CVE-2010-4539) All Subversion users should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the Subversion server must be restarted for the update to take effect: restart httpd if you are using mod_dav_svn, or restart svnserve if it is used. Moderate Copyright 2011 Red Hat, Inc. CVE-2010-3315 CVE-2010-4539 CVE-2010-4644 CVE-2010-3315 Subversion: Access restriction bypass by checkout of the root of the repository CVE-2010-4539 Subversion (mod_dav_svn): DoS (crash) by processing certain requests to display all available repositories to a web browser CVE-2010-4644 Subversion: DoS (memory consumption) by processing blame or log -g requests on certain files cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Python is an interpreted, interactive, object-oriented programming language. Multiple flaws were found in the Python rgbimg module. If an application written in Python was using the rgbimg module and loaded a specially-crafted SGI image file, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2009-4134, CVE-2010-1449, CVE-2010-1450) This update also fixes the following bugs: * Python 2.3.4's time.strptime() function did not correctly handle the "%W" week number format string. This update backports the _strptime implementation from Python 2.3.6, fixing this issue. (BZ#436001) * Python 2.3.4's socket.htons() function returned partially-uninitialized data on IBM System z, generally leading to incorrect results. (BZ#513341) * Python 2.3.4's pwd.getpwuid() and grp.getgrgid() functions did not support the full range of user and group IDs on 64-bit architectures, leading to "OverflowError" exceptions for large input values. This update adds support for the full range of user and group IDs on 64-bit architectures. (BZ#497540) Users of Python should upgrade to these updated packages, which contain backported patches to correct these issues. Low Copyright 2011 Red Hat, Inc. CVE-2009-4134 CVE-2010-1449 CVE-2010-1450 grp module does not support whole uid/gid range CVE-2009-4134 CVE-2010-1449 CVE-2010-1450 python: rgbimg: multiple security issues cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Bash (Bourne-again shell) is the default shell for Red Hat Enterprise Linux. It was found that certain scripts bundled with the Bash documentation created temporary files in an insecure way. A malicious, local user could use this flaw to conduct a symbolic link attack, allowing them to overwrite the contents of arbitrary files accessible to the victim running the scripts. (CVE-2008-5374) This update also fixes the following bugs: * If a child process's PID was the same as the PID of a previously ended child process, Bash did not wait for that child process. In some cases this caused "Resource temporarily unavailable" errors. With this update, Bash recycles PIDs and waits for processes with recycled PIDs. (BZ#521134) * Bash's built-in "read" command had a memory leak when "read" failed due to no input (pipe for stdin). With this update, the memory is correctly freed. (BZ#537029) * Bash did not correctly check for a valid multi-byte string when setting the IFS value, causing Bash to crash. With this update, Bash checks the multi-byte string and no longer crashes. (BZ#539536) * Bash incorrectly set locale settings when using the built-in "export" command and setting the locale on the same line (for example, with "LC_ALL=C export LC_ALL"). With this update, Bash correctly sets locale settings. (BZ#539538) All bash users should upgrade to these updated packages, which contain backported patches to correct these issues. Low Copyright 2011 Red Hat, Inc. CVE-2008-5374 CVE-2008-5374 bash: Insecure temporary file use in aliasconv.sh, aliasconv.bash, cshtobash (symlink attack) Bash doesn't wait for backgrounded process if its PID is recycled cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Sendmail is a Mail Transport Agent (MTA) used to send mail between machines. A flaw was found in the way sendmail handled NUL characters in the CommonName field of X.509 certificates. An attacker able to get a carefully-crafted certificate signed by a trusted Certificate Authority could trick sendmail into accepting it by mistake, allowing the attacker to perform a man-in-the-middle attack or bypass intended client certificate authentication. (CVE-2009-4565) The CVE-2009-4565 issue only affected configurations using TLS with certificate verification and CommonName checking enabled, which is not a typical configuration. This update also fixes the following bugs: * Previously, sendmail did not correctly handle mail messages that had a long first header line. A line with more than 2048 characters was split, causing the part of the line exceeding the limit, as well as all of the following mail headers, to be incorrectly handled as the message body. (BZ#499450) * When an SMTP-sender is sending mail data to sendmail, it may spool that data to a file in the mail queue. It was found that, if the SMTP-sender stopped sending data and a timeout occurred, the file may have been left stalled in the mail queue, instead of being deleted. This update may not correct this issue for every situation and configuration. Refer to the Solution section for further information. (BZ#434645) * Previously, the sendmail macro MAXHOSTNAMELEN used 64 characters as the limit for the hostname length. However, in some cases, it was used against an FQDN length, which has a maximum length of 255 characters. With this update, the MAXHOSTNAMELEN limit has been changed to 255. (BZ#485380) All sendmail users should upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, sendmail will be restarted automatically. Low Copyright 2011 Red Hat, Inc. CVE-2009-4565 DATA timeouts leave behind stale df files in mqueue sendmail applies MAXHOSTNAMELEN for FQDN. CVE-2009-4565 sendmail: incorrect verification of SSL certificate with NUL in name cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues: * A buffer overflow flaw was found in the load_mixer_volumes() function in the Linux kernel's Open Sound System (OSS) sound driver. On 64-bit PowerPC systems, a local, unprivileged user could use this flaw to cause a denial of service or escalate their privileges. (CVE-2010-4527, Important) * A missing boundary check was found in the dvb_ca_ioctl() function in the Linux kernel's av7110 module. On systems that use old DVB cards that require the av7110 module, a local, unprivileged user could use this flaw to cause a denial of service or escalate their privileges. (CVE-2011-0521, Important) * A missing initialization flaw was found in the ethtool_get_regs() function in the Linux kernel's ethtool IOCTL handler. A local user who has the CAP_NET_ADMIN capability could use this flaw to cause an information leak. (CVE-2010-4655, Low) Red Hat would like to thank Dan Rosenberg for reporting CVE-2010-4527, and Kees Cook for reporting CVE-2010-4655. These updated kernel packages also fix hundreds of bugs and add numerous enhancements. For details on individual bug fixes and enhancements included in this update, refer to the Red Hat Enterprise Linux 4.9 Release Notes, linked to in the References section. Users should upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements. The system must be rebooted for this update to take effect. Important Copyright 2011 Red Hat, Inc. CVE-2010-4527 CVE-2010-4655 CVE-2011-0521 NLM: Fix Oops in nlmclnt_mark_reclaim() kernel: serious ugliness in iget() uses by nfsd [rhel-4.9] Powernow driver does not work properly with different voltage CPUs RFE: Add debug to bonding driver as module option Increase timeout for device connection on boot RHEL4: Can enter no tick idle mode with RCU pending leading to hang Change "decode_getfattr: xdr error %d!" to dprintk Kernel Panic at end_bio_bh_io_sync+44 xenbus suspend_mutex remains locked after transaction failure groups_search() cannot handle large gid correctly kernel: binfmt_misc.c: avoid potential kernel stack overflow [rhel-4.8] proc_loginuid_write() uses simple_strtoul() on non-terminated array el4u5 pv guest user coredump crashing system IPVS wrr scheduler bug BUG() in end_buffer_async_write() Loss of USB HID devices when switching with a KVM Panic in do_cciss_intr removeQ [RHEL4] lost siginfo when a signal queue is full kernel BUG at fs/mpage.c:417! RHEL-4: Deadlock in Xen netfront driver. [RHEL4.7] Original ether's status is keeping PROMISC MULTICAST mode PG_error bit is never cleared, even when a fresh I/O to the page succeeds kernel hid-input.c divide error crash CCISS device-mapper-multipath support: missing sysfs attributes [RHEL4] Netfilter modules unloading hangs ACLs on NFS mounted directories disappear Xen domU, RAID1, LVM, iscsi target export with blockio bug [x86_64]: copy_user_c can zero more data than needed Xen guest kernel advertises absolute mouse pointer feature which it is incapable of setting up correctly EL4U7 kernel bug fix update (Oracle bug 7916406 - JVM process hang) [RHEL4.5] Even if a process have received data but schedule() in select() cannot return e1000e: sporadic hang in netdump show_partition() oops when race with rescan_partitions(). [RHEL4] Nscd consumes many cpu resources ( nearly 100% ) continuously. PVFB frontend can send bogus screen updates xenkbd can crash when probe fails PVFB frontend mouse wheel support Bonding driver updelay parameter actual behavior doesn't match documented behavior e1000_clean_tx_irq: Detected Tx Unit Hang kernel: proc: avoid information leaks to non-privileged processes [rhel-4.9] [RHEL4-U8] Kernel - testing NMI watchdog ... CPU#0: NMI appears to be stuck (0)! A bond's preferred primary setting is lost after bringing down and up of the primary slave. Various IPv4/v6 SNMP counter fixes renaming file on a share w/o write permissions causes oops [Stratus 4.9 bug] panic reading /proc/bus/input/devices during input device removal oops in nfs4_put_open_state oops in nfsd_svc after forced unmount of stale nfs4 filesystem and reboot kernel: random: ICE at get_random_int() [rhel-4.3] Failure logging execve with lots of arguments NFSv4 Issue/slowdown when testing against the NetApp server [NetApp 4.8 bug] Issues with "qioctlmod" module on RHEL4.8 hosts with QLogic FC inbox drivers Adding bonding in balance-alb mode to bridge cause network connectivity to be lost [rhel-4.9] MegaRAID SAS 1078 tape I/O errors when using mt erase rtl8139 doesn't work with bonding in alb mode [rhel-4.9] [RHEL 4] Lookups due to infinite loops in posix_locks_deadlock LRO patch to 4.7 breaks SANGOMA WANPIPE drivers build FEAT RHEL4.9: Support new PCI IDS to support VX800 in via82cxxx [RHEL4 Xen]: i386 Guest crash when host has >= 64G RAM [RHEL4.8 Xen]: Xenbus warnings in a FV guest on shutdown Make Aborted Command (internal target failure) retryable at SCSI layer (sense B 44 00) RHEL4.8: crash in do_cciss_request() Bug in lockd prevents a locks being freed. kernel: ptrace: don't use REMOVE_LINKS/SET_LINKS for reparenting [rhel-4.9] NFSD returns NFS4_OK when the owner opens a file with permission set to 000 Balloon driver gives up too easily when ballooning up under memory pressure [4.8]Kernel can not increase the counter of Icmp6OutDestUnreachs when forwarding packet with address unreachable. i386 rhel4.8 kvm guests crashes in virtio during installation kernel: fd leak if pipe() is called with an invalid address [rhel-4.9] cciss: spinlock deadlock causes NMI on HP systems NFSD returns NFS4_OK(0) when OPEN with access==read/write on a read-denied/write-denied file num_mtt settings of 2097152 fails in RHEL with infiniband HCA [IPv6] No fragment header in ICMPv6 reply after packet_too_big message kernel: build with -fno-delete-null-pointer-checks [rhel-4.9] kernel: security: implement mmap_min_addr infrastructure [rhel-4.9] NFS: mounted NFSv4/krb5 export inaccessible following an NFS server reboot /proc/net/dev sometimes contains bogus values (BCM5706) netconsole on e1000 cause "Badness in local_bh_enable at kernel/softirq.c:141" CIFS - crash in small_smb_init cthon test5 failing on nfsv4 with rhel6 client vs. rhel4 server [RHEL4.8] igb driver doesn't allocate enough buffer for ethtool_get_strings() get_partstats() returns NULL and causes panic statfs on NFS partition always returns 0 kernel: ipv4: make ip_append_data() handle NULL routing table [rhel-4.9] [RFE ] Connlimit kernel module support [rhel-4.9] kernel: ipt_recent: sanity check hit count [rhel-4.9] reading from /proc/net/ip_conntrack returns ENOSPC RHEL4: Unable to write to file as non-root user with setuid and setgid bit set OOM on i686 kernel-smp bnx2x fails when iptables is on [Cisco/LSI 4.9 bug] mptctl module dereferences a userspace address, triggering a crash qla2xxx flash programming changes in 4.8 broke diskdump [4.6] TCP conntrack doesn't handle half-open state connection correctly SCTP Messages out of order Upgrade from RHEL4U7 to U8 fails to bring up networking with forcedeth driver. [simple patch] IBM HS22: SOL drops on bnx2 driver load scsi device add/remove panic at sysfs_hash_and_remove Write barrier operations not working for libata and general SCSI disks [4.7] wait4 blocks on non-existing pid [RHEL4 Xen]: PV guest crash on poweroff [RHEL4]: A new xenfb thread is created on every save/restore [RHEL4.5] select() cannot return in UDP/UNIX domain socket TCP receive window clamping problem ext2online resize hangs [Emulex 4.9 bug] lpfc driver doesn't acquire lock when searching hba for target "forcedeth" driver issue: eth0 fails to get ip address on boot with RHEL4 kernel No output of xmit_hash_policy on IEEE 802.3ad Bonding Kernel panic due to recursive lock in 3c59x driver. e1000e: wol is broken in kernel 2.6.9-89.19 platform:ahern:rmmod hangs at 100% cpu removing usbnet module problems with aliased dentries and case-insensitivity in CIFS readdir code Please implement upstream fix for potential filesystem corruption bug [QLogic 4.9 bug] qla2xxx: Fix srb cache destroy issue on driver unload and FDMI registration issue (8.02.10.01.04.09-d) [RHEL4] boot hangs if scsi read capacity fails on faulty non system drive megaraid_sas: fix physical disk handling NFSv3 file attributes are not updated by READDIRPLUS reply Add log message for unhandled sense error REPORTED_LUNS_DATA_CHANGED Lost the network in a KVM VM on top of 4.9 cifs: busy file renames across directories should fail with error kernel: security: testing the wrong variable in create_by_name() [rhel-4.9] second cifs mount to samba server fails when samba using security=ADS EXT3-fs error: do_get_write_access: OOM for frozen_buffer Read from /proc/xen/xenbus does not honor O_NONBLOCK Vhost:Fail to transfer file between two guests in same vlan [4u8] Bonding in ALB mode sends ARP in loop sky2 issue with 4.8 kernel system crashes due to corrupt net_device_wrapper structure [4u9] bonding: fix a race condition in calls to slave MII ioctls bnx2: panic in bnx2_poll_work() recording fails when usb audio device is connected to EHCI controller (ehci_hcd) [RHEL4] Problems with aacraid - File system going into read-only. Assertion failure in ext3_put_super() at fs/ext3/super.c:426: "list_empty(&sbi->s_orphan)" kernel: additional stack guard patches [rhel-4.9] nfs4_reclaim_open_state: unhandled error -5. Zeroing state Bonded interface doesn't issue IGMP report (join) on slave interface during failover [RHEL 4.8] 32-bit pvhvm guest on 64-bit host crash w/xm mem-set [RHEL4.8.z] soft lockup on vlan with bonding in balance-alb mode bonding does not switch to slave Kernel maintainer's bz for spec file changes [RFE] kernel: modules: sysctl to block module loading [rhel-4.9] temporary loss of path to SAN results in persistent EIO with msync [netfront] ethtool -i should return proper information for netfront device RFE: Virtio nic should support "ethtool -i virtio nic" RHEL4.9: EHCI: AMD periodic frame list table quirk kernel: restrict unprivileged access to kernel syslog [rhel-4.9] [4.9 Regression] network is lost after balloon-up fails The USB storage cannot use >2TB. [REG][4.9] Filesystem corruption happens on ext2 filesystem CVE-2010-4527 kernel: buffer overflow in OSS load_mixer_volumes CVE-2011-0521 kernel: av7110 negative array offset CVE-2010-4655 kernel: heap contents leak for CAP_NET_ADMIN via ethtool ioctl cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 These packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software Development Kit. A flaw was found in the Swing library. Forged TimerEvents could be used to bypass SecurityManager checks, allowing access to otherwise blocked files and directories. (CVE-2010-4465) A flaw was found in the HotSpot component in OpenJDK. Certain bytecode instructions confused the memory management within the Java Virtual Machine (JVM), which could lead to heap corruption. (CVE-2010-4469) A flaw was found in the way JAXP (Java API for XML Processing) components were handled, allowing them to be manipulated by untrusted applets. This could be used to elevate privileges and bypass secure XML processing restrictions. (CVE-2010-4470) It was found that untrusted applets could create and place cache entries in the name resolution cache. This could allow an attacker targeted manipulation over name resolution until the OpenJDK VM is restarted. (CVE-2010-4448) It was found that the Java launcher provided by OpenJDK did not check the LD_LIBRARY_PATH environment variable for insecure empty path elements. A local attacker able to trick a user into running the Java launcher while working from an attacker-writable directory could use this flaw to load an untrusted library, subverting the Java security model. (CVE-2010-4450) A flaw was found in the XML Digital Signature component in OpenJDK. Untrusted code could use this flaw to replace the Java Runtime Environment (JRE) XML Digital Signature Transform or C14N algorithm implementations to intercept digital signature operations. (CVE-2010-4472) Note: All of the above flaws can only be remotely triggered in OpenJDK by calling the "appletviewer" application. This update also provides one defense in depth patch. (BZ#676019) All users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect. Important Copyright 2011 Red Hat, Inc. CVE-2010-4448 CVE-2010-4450 CVE-2010-4465 CVE-2010-4469 CVE-2010-4470 CVE-2010-4472 CVE-2010-4472 OpenJDK untrusted code allowed to replace DSIG/C14N implementation (6994263) CVE-2010-4469 OpenJDK Hotspot verifier heap corruption (6878713) CVE-2010-4465 OpenJDK Swing timer-based security manager bypass (6907662) CVE-2010-4470 OpenJDK JAXP untrusted component state manipulation (6927050) CVE-2010-4471 OpenJDK Java2D font-related system property leak (6985453) CVE-2010-4448 OpenJDK DNS cache poisoning by untrusted applets (6981922) CVE-2010-4450 OpenJDK Launcher incorrect processing of empty library path entries (6983554) cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 Supplementary for Red Hat Enterprise Linux 6 The Sun 1.6.0 Java release includes the Sun Java 6 Runtime Environment and the Sun Java 6 Software Development Kit. This update fixes several vulnerabilities in the Sun Java 6 Runtime Environment and the Sun Java 6 Software Development Kit. Further information about these flaws can be found on the "Oracle Java SE and Java for Business Critical Patch Update Advisory" page, listed in the References section. (CVE-2010-4422, CVE-2010-4447, CVE-2010-4448, CVE-2010-4450, CVE-2010-4451, CVE-2010-4452, CVE-2010-4454, CVE-2010-4462, CVE-2010-4463, CVE-2010-4465, CVE-2010-4466, CVE-2010-4467, CVE-2010-4468, CVE-2010-4469, CVE-2010-4470, CVE-2010-4471, CVE-2010-4472, CVE-2010-4473, CVE-2010-4475, CVE-2010-4476) All users of java-1.6.0-sun are advised to upgrade to these updated packages, which resolve these issues. All running instances of Sun Java must be restarted for the update to take effect. Critical Copyright 2011 Red Hat, Inc. CVE-2010-4422 CVE-2010-4447 CVE-2010-4448 CVE-2010-4450 CVE-2010-4451 CVE-2010-4452 CVE-2010-4454 CVE-2010-4462 CVE-2010-4463 CVE-2010-4465 CVE-2010-4466 CVE-2010-4467 CVE-2010-4468 CVE-2010-4469 CVE-2010-4470 CVE-2010-4471 CVE-2010-4472 CVE-2010-4473 CVE-2010-4475 CVE-2010-4476 CVE-2010-4476 JDK Double.parseDouble Denial-Of-Service CVE-2010-4472 OpenJDK untrusted code allowed to replace DSIG/C14N implementation (6994263) CVE-2010-4469 OpenJDK Hotspot verifier heap corruption (6878713) CVE-2010-4465 OpenJDK Swing timer-based security manager bypass (6907662) CVE-2010-4470 OpenJDK JAXP untrusted component state manipulation (6927050) CVE-2010-4471 OpenJDK Java2D font-related system property leak (6985453) CVE-2010-4448 OpenJDK DNS cache poisoning by untrusted applets (6981922) CVE-2010-4450 OpenJDK Launcher incorrect processing of empty library path entries (6983554) CVE-2010-4475 JDK unspecified vulnerability in Deployment component CVE-2010-4473 JDK unspecified vulnerability in Sound component CVE-2010-4468 JDK unspecified vulnerability in JDBC component CVE-2010-4467 JDK unspecified vulnerability in Deployment component CVE-2010-4466 JDK unspecified vulnerability in Deployment component CVE-2010-4463 JDK unspecified vulnerability in Deployment component CVE-2010-4462 JDK unspecified vulnerability in Sound component CVE-2010-4454 JDK unspecified vulnerability in Sound component CVE-2010-4452 JDK unspecified vulnerability in Deployment component CVE-2010-4451 JDK unspecified vulnerability in Install component CVE-2010-4447 JDK unspecified vulnerability in Deployment component CVE-2010-4422 JDK unspecified vulnerability in Deployment component cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 6 The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues: * A divide-by-zero flaw was found in the tcp_select_initial_window() function in the Linux kernel's TCP/IP protocol suite implementation. A local, unprivileged user could use this flaw to trigger a denial of service by calling setsockopt() with certain options. (CVE-2010-4165, Moderate) * A use-after-free flaw in the mprotect() system call in the Linux kernel could allow a local, unprivileged user to cause a local denial of service. (CVE-2010-4169, Moderate) * A flaw was found in the Linux kernel execve() system call implementation. A local, unprivileged user could cause large amounts of memory to be allocated but not visible to the OOM (Out of Memory) killer, triggering a denial of service. (CVE-2010-4243, Moderate) Red Hat would like to thank Steve Chen for reporting CVE-2010-4165, and Brad Spengler for reporting CVE-2010-4243. This update also fixes several bugs and adds two enhancements. Documentation for these bug fixes and enhancements will be available shortly from the Technical Notes document linked to in the References section. Users should upgrade to these updated packages, which contain backported patches to correct these issues, and fix the bugs and add the enhancements noted in the Technical Notes. The system must be rebooted for this update to take effect. Moderate Copyright 2011 Red Hat, Inc. CVE-2010-4165 CVE-2010-4169 CVE-2010-4243 CVE-2010-4243 kernel: mm: mem allocated invisible to oom_kill() when not attached to any threads CVE-2010-4169 kernel: perf bug CVE-2010-4165 kernel: possible kernel oops from user MSS read from virtio-serial returns if the host side is not connect to pipe [rhel-6.0.z] [NetApp 6.1 bug] RHEL6.0 FC host hits kernel panic at scsi_error_handler [rhel-6.0.z] [6.0.z FEAT] Port KVM bug fixes for cr_access to RHEL 6 [rhel-6.0.z] [NetApp 6.1 bug] SCSI ALUA handler fails to handle ALUA transitioning properly [rhel-6.0.z] [NetApp 6.1 bug] regression: allow offlined devs to be set to running [rhel-6.0.z] NFS4 clients cannot reclaim locks after server reboot [rhel-6.0.z] kernel: Problem with execve(2) reintroduced [rhel-6.1] [rhel-6.0.z] xen PV guest kernel 2.6.32 processes lock up in D state [rhel-6.0.z] Fix hot-unplug handling of virtio-console ports [rhel-6.0.z] UV: WAR for interrupt-IOPort deadlock [rhel-6.0.z] QLogic qla2xxx: Backport critical parts of 8.03.05.01.06.1-k0 to [rhel-6.0.z] System panic in pskb_expand_head When arp_validate option is specified in bonding ARP monitor mode [rhel-6.0.z] [NetApp 6.0 Bug] Erroneous TPG ID check in SCSI ALUA Handler [rhel-6.0.z] cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 6 Supplementary for Red Hat Enterprise Linux 5 The IBM 1.6.0 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. A denial of service flaw was found in the way certain strings were converted to Double objects. A remote attacker could use this flaw to cause Java based applications to hang, for example, if they parsed Double values in a specially-crafted HTTP request. (CVE-2010-4476) All users of java-1.6.0-ibm are advised to upgrade to these updated packages, containing the IBM 1.6.0 SR9 Java release. All running instances of IBM Java must be restarted for the update to take effect. Moderate Copyright 2011 Red Hat, Inc. CVE-2010-4476 CVE-2010-4476 JDK Double.parseDouble Denial-Of-Service cpe:/a:redhat:rhel_extras Supplementary for Red Hat Enterprise Linux 5 Supplementary for Red Hat Enterprise Linux 6 The IBM 1.5.0 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. A denial of service flaw was found in the way certain strings were converted to Double objects. A remote attacker could use this flaw to cause Java based applications to hang, for example, if they parsed Double values in a specially-crafted HTTP request. (CVE-2010-4476) All users of java-1.5.0-ibm are advised to upgrade to these updated packages, containing the IBM 1.5.0 SR12-FP3 Java release. All running instances of IBM Java must be restarted for this update to take effect. Moderate Copyright 2011 Red Hat, Inc. CVE-2010-4476 CVE-2010-4476 JDK Double.parseDouble Denial-Of-Service cpe:/a:redhat:rhel_extras Supplementary for Red Hat Enterprise Linux 5 The IBM 1.4.2 SR13-FP8 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. A denial of service flaw was found in the way certain strings were converted to Double objects. A remote attacker could use this flaw to cause Java based applications to hang, for example, if they parsed Double values in a specially-crafted HTTP request. (CVE-2010-4476) All users of java-1.4.2-ibm are advised to upgrade to these updated packages, which contain the IBM 1.4.2 SR13-FP8 Java release. All running instances of IBM Java must be restarted for this update to take effect. Moderate Copyright 2011 Red Hat, Inc. CVE-2010-4476 CVE-2010-4476 JDK Double.parseDouble Denial-Of-Service cpe:/a:redhat:rhel_extras Supplementary for Red Hat Enterprise Linux 5 Supplementary for Red Hat Enterprise Linux 6 Adobe Reader allows users to view and print documents in Portable Document Format (PDF). This update fixes multiple vulnerabilities in Adobe Reader. These vulnerabilities are detailed on the Adobe security page APSB11-03, listed in the References section. A specially-crafted PDF file could cause Adobe Reader to crash or, potentially, execute arbitrary code as the user running Adobe Reader when opened. (CVE-2011-0562, CVE-2011-0563, CVE-2011-0565, CVE-2011-0566, CVE-2011-0567, CVE-2011-0585, CVE-2011-0586, CVE-2011-0589, CVE-2011-0590, CVE-2011-0591, CVE-2011-0592, CVE-2011-0593, CVE-2011-0594, CVE-2011-0595, CVE-2011-0596, CVE-2011-0598, CVE-2011-0599, CVE-2011-0600, CVE-2011-0602, CVE-2011-0603, CVE-2011-0606) Multiple security flaws were found in Adobe reader. A specially-crafted PDF file could cause cross-site scripting (XSS) attacks against the user running Adobe Reader when opened. (CVE-2011-0587, CVE-2011-0604) All Adobe Reader users should install these updated packages. They contain Adobe Reader version 9.4.2, which is not vulnerable to these issues. All running instances of Adobe Reader must be restarted for the update to take effect. Critical Copyright 2011 Red Hat, Inc. CVE-2011-0562 CVE-2011-0563 CVE-2011-0565 CVE-2011-0566 CVE-2011-0567 CVE-2011-0585 CVE-2011-0586 CVE-2011-0587 CVE-2011-0589 CVE-2011-0590 CVE-2011-0591 CVE-2011-0592 CVE-2011-0593 CVE-2011-0594 CVE-2011-0595 CVE-2011-0596 CVE-2011-0598 CVE-2011-0599 CVE-2011-0600 CVE-2011-0602 CVE-2011-0603 CVE-2011-0604 CVE-2011-0606 CVE-2011-0562 CVE-2011-0563 CVE-2011-0565 CVE-2011-0566 CVE-2011-0567 CVE-2011-0585 CVE-2011-0586 CVE-2011-0589 CVE-2011-0590 CVE-2011-0591 CVE-2011-0592 CVE-2011-0593 CVE-2011-0594 CVE-2011-0595 acroread: critical APSB11-03 CVE-2011-0587 CVE-2011-0604 acroread: multiple XSS flaws (APSB11-03) cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 5 The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues: * A flaw was found in the Linux kernel's garbage collector for AF_UNIX sockets. A local, unprivileged user could use this flaw to trigger a denial of service (out-of-memory condition). (CVE-2010-4249, Moderate) * A flaw was found in the Linux kernel's networking subsystem. If the number of packets received exceeded the receiver's buffer limit, they were queued in a backlog, consuming memory, instead of being discarded. A remote attacker could abuse this flaw to cause a denial of service (out-of-memory condition). (CVE-2010-4251, Moderate) * A missing initialization flaw was found in the ethtool_get_regs() function in the Linux kernel's ethtool IOCTL handler. A local user who has the CAP_NET_ADMIN capability could use this flaw to cause an information leak. (CVE-2010-4655, Low) Red Hat would like to thank Vegard Nossum for reporting CVE-2010-4249, and Kees Cook for reporting CVE-2010-4655. This update also fixes several bugs. Documentation for these bug fixes will be available shortly from the Technical Notes document linked to in the References section. Users should upgrade to these updated packages, which contain backported patches to correct these issues, and fix the bugs noted in the Technical Notes. The system must be rebooted for this update to take effect. Moderate Copyright 2011 Red Hat, Inc. CVE-2010-4249 CVE-2010-4251 CVE-2010-4655 CVE-2010-4805 CVE-2010-4249 kernel: unix socket local dos CVE-2010-4251 CVE-2010-4805 kernel: unlimited socket backlog DoS a test unit ready causes a panic on 5.6 (CCISS driver) [rhel-5.6.z] Fix shrinking windows with window scaling [rhel-5.6.z] panic in kfree() due to race condition in acpi_bus_receive_event() [rhel-5.6.z] e1000 driver tracebacks when running under VMware ESX4 [rhel-5.6.z] CVE-2010-4655 kernel: heap contents leak for CAP_NET_ADMIN via ethtool ioctl virtio_console driver never returns from selecting for write when the queue is full [rhel-5.6.z] Flapping errors (and panic) with bonding and arp_interval while using be2net included in 2.6.18-238 [rhel-5.6.z] vdso gettimeofday causes a segmentation fault [rhel-5.6.z] cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Samba is a suite of programs used by machines to share files, printers, and other information. A flaw was found in the way Samba handled file descriptors. If an attacker were able to open a large number of file descriptors on the Samba server, they could flip certain stack bits to "1" values, resulting in the Samba server (smbd) crashing. (CVE-2011-0719) Red Hat would like to thank the Samba team for reporting this issue. Users of Samba are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing this update, the smb service will be restarted automatically. Important Copyright 2011 Red Hat, Inc. CVE-2011-0719 CVE-2011-0719 Samba unsafe fd_set usage cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Samba is a suite of programs used by machines to share files, printers, and other information. A flaw was found in the way Samba handled file descriptors. If an attacker were able to open a large number of file descriptors on the Samba server, they could flip certain stack bits to "1" values, resulting in the Samba server (smbd) crashing. (CVE-2011-0719) Red Hat would like to thank the Samba team for reporting this issue. Users of Samba are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing this update, the smb service will be restarted automatically. Important Copyright 2011 Red Hat, Inc. CVE-2011-0719 CVE-2011-0719 Samba unsafe fd_set usage cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mailman is a program used to help manage email discussion lists. Multiple input sanitization flaws were found in the way Mailman displayed usernames of subscribed users on certain pages. If a user who is subscribed to a mailing list were able to trick a victim into visiting one of those pages, they could perform a cross-site scripting (XSS) attack against the victim. (CVE-2011-0707) Multiple input sanitization flaws were found in the way Mailman displayed mailing list information. A mailing list administrator could use this flaw to conduct a cross-site scripting (XSS) attack against victims viewing a list's "listinfo" page. (CVE-2008-0564, CVE-2010-3089) Red Hat would like to thank Mark Sapiro for reporting the CVE-2011-0707 and CVE-2010-3089 issues. Users of mailman should upgrade to this updated package, which contains backported patches to correct these issues. Moderate Copyright 2011 Red Hat, Inc. CVE-2008-0564 CVE-2010-3089 CVE-2011-0707 CVE-2008-0564 mailman: XSS triggerable by list administrator CVE-2010-3089 mailman: Multiple security flaws leading to cross-site scripting (XSS) attacks CVE-2011-0707 Mailman: Three XSS flaws due improper escaping of the full name of the member cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Mailman is a program used to help manage email discussion lists. Multiple input sanitization flaws were found in the way Mailman displayed usernames of subscribed users on certain pages. If a user who is subscribed to a mailing list were able to trick a victim into visiting one of those pages, they could perform a cross-site scripting (XSS) attack against the victim. (CVE-2011-0707) Multiple input sanitization flaws were found in the way Mailman displayed mailing list information. A mailing list administrator could use this flaw to conduct a cross-site scripting (XSS) attack against victims viewing a list's "listinfo" page. (CVE-2010-3089) Red Hat would like to thank Mark Sapiro for reporting these issues. Users of mailman should upgrade to this updated package, which contains backported patches to correct these issues. Moderate Copyright 2011 Red Hat, Inc. CVE-2010-3089 CVE-2011-0707 CVE-2010-3089 mailman: Multiple security flaws leading to cross-site scripting (XSS) attacks CVE-2011-0707 Mailman: Three XSS flaws due improper escaping of the full name of the member cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Pango is a library used for the layout and rendering of internationalized text. It was discovered that Pango did not check for memory reallocation failures in the hb_buffer_ensure() function. An attacker able to trigger a reallocation failure by passing sufficiently large input to an application using Pango could use this flaw to crash the application or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2011-0064) Red Hat would like to thank the Mozilla Security Team for reporting this issue. All pango users should upgrade to these updated packages, which contain a backported patch to correct this issue. After installing this update, you must restart your system or restart the X server for the update to take effect. Critical Copyright 2011 Red Hat, Inc. CVE-2011-0064 CVE-2011-0064 pango: missing memory reallocation failure checking in hb_buffer_ensure cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. A flaw was found in the way Firefox sanitized HTML content in extensions. If an extension loaded or rendered malicious content using the ParanoidFragmentSink class, it could fail to safely display the content, causing Firefox to execute arbitrary JavaScript with the privileges of the user running Firefox. (CVE-2010-1585) A flaw was found in the way Firefox handled dialog boxes. An attacker could use this flaw to create a malicious web page that would present a blank dialog box that has non-functioning buttons. If a user closes the dialog box window, it could unexpectedly grant the malicious web page elevated privileges. (CVE-2011-0051) Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2011-0053, CVE-2011-0055, CVE-2011-0058, CVE-2011-0062) Several flaws were found in the way Firefox handled malformed JavaScript. A website containing malicious JavaScript could cause Firefox to execute that JavaScript with the privileges of the user running Firefox. (CVE-2011-0054, CVE-2011-0056, CVE-2011-0057) A flaw was found in the way Firefox handled malformed JPEG images. A website containing a malicious JPEG image could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2011-0061) A flaw was found in the way Firefox handled plug-ins that perform HTTP requests. If a plug-in performed an HTTP request, and the server sent a 307 redirect response, the plug-in was not notified, and the HTTP request was forwarded. The forwarded request could contain custom headers, which could result in a Cross Site Request Forgery attack. (CVE-2011-0059) For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 3.6.14. You can find a link to the Mozilla advisories in the References section of this erratum. This update also fixes the following bug: * On Red Hat Enterprise Linux 4 and 5, running the "firefox -setDefaultBrowser" command caused warnings such as the following: libgnomevfs-WARNING **: Deprecated function. User modifications to the MIME database are no longer supported. This update disables the "setDefaultBrowser" option. Red Hat Enterprise Linux 4 users wishing to set a default web browser can use Applications -> Preferences -> More Preferences -> Preferred Applications. Red Hat Enterprise Linux 5 users can use System -> Preferences -> Preferred Applications. (BZ#463131, BZ#665031) All Firefox users should upgrade to these updated packages, which contain Firefox version 3.6.14, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect. Critical Copyright 2011 Red Hat, Inc. CVE-2010-1585 CVE-2011-0051 CVE-2011-0053 CVE-2011-0054 CVE-2011-0055 CVE-2011-0056 CVE-2011-0057 CVE-2011-0058 CVE-2011-0059 CVE-2011-0061 CVE-2011-0062 libgnomevfs-WARNING when making firefox as default browser firefox -setDefaultBrowser throws warnings CVE-2011-0053 Mozilla miscellaneous memory safety hazards (MFSA 2011-01) CVE-2011-0062 Mozilla miscellaneous memory safety hazards (MFSA 2011-01) CVE-2011-0051 Mozilla recursive eval call causes confirm dialog to evaluate to true (MFSA 2011-02) CVE-2011-0055 Mozilla use-after-free error in JSON.stringify (MFSA2011-03) CVE-2011-0054 Mozilla Buffer overflow in JavaScript upvarMap (MFSA 2011-04) CVE-2011-0056 Mozilla Buffer overflow in JavaScript atom map (MFSA 2011-05) CVE-2011-0057 Mozilla use-after-free error using Web Workers (MFSA 2011-06) CVE-2010-1585 Mozilla ParanoidFragmentSink allows javascript: URLs in chrome documents (MFSA 2011-08) CVE-2011-0061 Mozilla crash caused by corrupted JPEG image (MFSA 2011-09) CVE-2011-0058 Mozilla memory corruption during text run construction (MFSA 2011-07) CVE-2011-0059 Mozilla CSRF risk with plugins and 307 redirects (MFSA 2011-10) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Mozilla Thunderbird is a standalone mail and newsgroup client. Several flaws were found in the processing of malformed HTML content. Malicious HTML content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2010-1585, CVE-2011-0053, CVE-2011-0062) A flaw was found in the way Thunderbird handled malformed JPEG images. An HTML mail message containing a malicious JPEG image could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2011-0061) All Thunderbird users should upgrade to this updated package, which resolves these issues. All running instances of Thunderbird must be restarted for the update to take effect. Critical Copyright 2011 Red Hat, Inc. CVE-2010-1585 CVE-2011-0053 CVE-2011-0061 CVE-2011-0062 CVE-2011-0053 Mozilla miscellaneous memory safety hazards (MFSA 2011-01) CVE-2011-0062 Mozilla miscellaneous memory safety hazards (MFSA 2011-01) CVE-2010-1585 Mozilla ParanoidFragmentSink allows javascript: URLs in chrome documents (MFSA 2011-08) CVE-2011-0061 Mozilla crash caused by corrupted JPEG image (MFSA 2011-09) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Thunderbird is a standalone mail and newsgroup client. Several flaws were found in the processing of malformed HTML content. Malicious HTML content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2011-0051, CVE-2011-0053) Note: JavaScript support is disabled by default in Thunderbird. The above issues are not exploitable unless JavaScript is enabled. All Thunderbird users should upgrade to this updated package, which resolves these issues. All running instances of Thunderbird must be restarted for the update to take effect. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-0051 CVE-2011-0053 CVE-2011-0053 Mozilla miscellaneous memory safety hazards (MFSA 2011-01) CVE-2011-0051 Mozilla recursive eval call causes confirm dialog to evaluate to true (MFSA 2011-02) cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 SeaMonkey is an open source web browser, email and newsgroup client, IRC chat client, and HTML editor. A flaw was found in the way SeaMonkey handled dialog boxes. An attacker could use this flaw to create a malicious web page that would present a blank dialog box that has non-functioning buttons. If a user closes the dialog box window, it could unexpectedly grant the malicious web page elevated privileges. (CVE-2011-0051) Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause SeaMonkey to crash or, potentially, execute arbitrary code with the privileges of the user running SeaMonkey. (CVE-2011-0053) A flaw was found in the way SeaMonkey handled plug-ins that perform HTTP requests. If a plug-in performed an HTTP request, and the server sent a 307 redirect response, the plug-in was not notified, and the HTTP request was forwarded. The forwarded request could contain custom headers, which could result in a Cross Site Request Forgery attack. (CVE-2011-0059) All SeaMonkey users should upgrade to these updated packages, which correct these issues. After installing the update, SeaMonkey must be restarted for the changes to take effect. Critical Copyright 2011 Red Hat, Inc. CVE-2011-0051 CVE-2011-0053 CVE-2011-0059 CVE-2011-0053 Mozilla miscellaneous memory safety hazards (MFSA 2011-01) CVE-2011-0051 Mozilla recursive eval call causes confirm dialog to evaluate to true (MFSA 2011-02) CVE-2011-0059 Mozilla CSRF risk with plugins and 307 redirects (MFSA 2011-10) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 The libtiff packages contain a library of functions for manipulating Tagged Image File Format (TIFF) files. A heap-based buffer overflow flaw was found in the way libtiff processed certain TIFF Internet Fax image files, compressed with the CCITT Group 4 compression algorithm. An attacker could use this flaw to create a specially-crafted TIFF file that, when opened, would cause an application linked against libtiff to crash or, possibly, execute arbitrary code. (CVE-2011-0192) Red Hat would like to thank Apple Product Security for reporting this issue. All libtiff users should upgrade to these updated packages, which contain a backported patch to resolve this issue. All running applications linked against libtiff must be restarted for this update to take effect. Important Copyright 2011 Red Hat, Inc. CVE-2011-0192 CVE-2011-0192 libtiff: buffer overflow in Fax4Decode cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 The libcgroup packages provide tools and libraries to control and monitor control groups. A heap-based buffer overflow flaw was found in the way libcgroup converted a list of user-provided controllers for a particular task into an array of strings. A local attacker could use this flaw to escalate their privileges via a specially-crafted list of controllers. (CVE-2011-1006) It was discovered that libcgroup did not properly check the origin of Netlink messages. A local attacker could use this flaw to send crafted Netlink messages to the cgrulesengd daemon, causing it to put processes into one or more existing control groups, based on the attacker's choosing, possibly allowing the particular tasks to run with more resources (memory, CPU, etc.) than originally intended. (CVE-2011-1022) Red Hat would like to thank Nelson Elhage for reporting the CVE-2011-1006 issue. All libcgroup users should upgrade to these updated packages, which contain backported patches to correct these issues. Important Copyright 2011 Red Hat, Inc. CVE-2011-1006 CVE-2011-1022 CVE-2011-1006 libcgroup: Heap-based buffer overflow by converting list of controllers for given task into an array of strings CVE-2011-1022 libcgroup: Uncheck origin of NETLINK messages cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 5 Logwatch is a customizable log analysis system. Logwatch parses through your system's logs for a given period of time and creates a report analyzing areas that you specify, in as much detail as you require. A flaw was found in the way Logwatch processed log files. If an attacker were able to create a log file with a malicious file name, it could result in arbitrary code execution with the privileges of the root user when that log file is analyzed by Logwatch. (CVE-2011-1018) Users of logwatch should upgrade to this updated package, which contains a backported patch to resolve this issue. Important Copyright 2011 Red Hat, Inc. CVE-2011-1018 CVE-2011-1018 logwatch: Privilege escalation due improper sanitization of special characters in log file names cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Subversion (SVN) is a concurrent version control system which enables one or more users to collaborate in developing and maintaining a hierarchy of files and directories while keeping a history of all changes. The mod_dav_svn module is used with the Apache HTTP Server to allow access to Subversion repositories via HTTP. A NULL pointer dereference flaw was found in the way the mod_dav_svn module processed certain requests to lock working copy paths in a repository. A remote attacker could issue a lock request that could cause the httpd process serving the request to crash. (CVE-2011-0715) Red Hat would like to thank Hyrum Wright of the Apache Subversion project for reporting this issue. Upstream acknowledges Philip Martin, WANdisco, Inc. as the original reporter. This update also fixes the following bug: * A regression was found in the handling of repositories which do not have a "db/fsfs.conf" file. The "svnadmin hotcopy" command would fail when trying to produce a copy of such a repository. This command has been fixed to ignore the absence of the "fsfs.conf" file. The "svnadmin hotcopy" command will now succeed for this type of repository. (BZ#681522) All Subversion users should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, you must restart the httpd daemon, if you are using mod_dav_svn, for the update to take effect. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-0715 CVE-2011-0715 subversion (mod_dav_svn): DoS (NULL ptr deref) by a lock token sent from a not authenticated Subversion client Regression: svnadmin hotcopy throws error cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Subversion (SVN) is a concurrent version control system which enables one or more users to collaborate in developing and maintaining a hierarchy of files and directories while keeping a history of all changes. The mod_dav_svn module is used with the Apache HTTP Server to allow access to Subversion repositories via HTTP. A NULL pointer dereference flaw was found in the way the mod_dav_svn module processed certain requests to lock working copy paths in a repository. A remote attacker could issue a lock request that could cause the httpd process serving the request to crash. (CVE-2011-0715) Red Hat would like to thank Hyrum Wright of the Apache Subversion project for reporting this issue. Upstream acknowledges Philip Martin, WANdisco, Inc. as the original reporter. All Subversion users should upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the updated packages, you must restart the httpd daemon, if you are using mod_dav_svn, for the update to take effect. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-0715 CVE-2011-0715 subversion (mod_dav_svn): DoS (NULL ptr deref) by a lock token sent from a not authenticated Subversion client cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issue: * A use-after-free flaw was found in the Linux kernel's RPC server sockets implementation. A remote attacker could use this flaw to trigger a denial of service by sending a corrupted packet to a target system. (CVE-2011-0714, Important) Red Hat would like to thank Adam Prince for reporting this issue. Users should upgrade to these updated packages, which contain a backported patch to correct this issue. The system must be rebooted for this update to take effect. Important Copyright 2011 Red Hat, Inc. CVE-2011-0714 CVE-2011-0714 kernel: deficiency in handling of invalid data packets in lockd cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 The scsi-target-utils package contains the daemon and tools to set up and monitor SCSI targets. Currently, iSCSI software and iSER targets are supported. A double-free flaw was found in scsi-target-utils' tgtd daemon. A remote attacker could trigger this flaw by sending carefully-crafted network traffic, causing the tgtd daemon to crash. (CVE-2011-0001) Red Hat would like to thank Emmanuel Bouillon of NATO C3 Agency for reporting this issue. All scsi-target-utils users should upgrade to this updated package, which contains a backported patch to correct this issue. All running scsi-target-utils services must be restarted for the update to take effect. Important Copyright 2011 Red Hat, Inc. CVE-2011-0001 CVE-2011-0001 scsi-target-utils: double-free vulnerability leads to pre-authenticated crash cpe:/a:redhat:rhel_cluster_storage cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. A denial of service flaw was found in the way certain strings were converted to Double objects. A remote attacker could use this flaw to cause Tomcat to hang via a specially-crafted HTTP request. (CVE-2010-4476) A flaw was found in the Tomcat NIO (Non-Blocking I/O) connector. A remote attacker could use this flaw to cause a denial of service (out-of-memory condition) via a specially-crafted request containing a large NIO buffer size request value. (CVE-2011-0534) This update also fixes the following bug: * A bug in the "tomcat6" init script prevented additional Tomcat instances from starting. As well, running "service tomcat6 start" caused configuration options applied from "/etc/sysconfig/tomcat6" to be overwritten with those from "/etc/tomcat6/tomcat6.conf". With this update, multiple instances of Tomcat run as expected. (BZ#676922) Users of Tomcat should upgrade to these updated packages, which contain backported patches to correct these issues. Tomcat must be restarted for this update to take effect. Important Copyright 2011 Red Hat, Inc. CVE-2010-4476 CVE-2011-0534 CVE-2010-4476 JDK Double.parseDouble Denial-Of-Service CVE-2011-0534 tomcat: remote DoS via NIO connector Additionally Created Instances of Tomcat are broken / don't work cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. A denial of service flaw was found in the way certain strings were converted to Double objects. A remote attacker could use this flaw to cause Tomcat to hang via a specially-crafted HTTP request. (CVE-2010-4476) Users of Tomcat should upgrade to these updated packages, which contain a backported patch to correct this issue. Tomcat must be restarted for this update to take effect. Important Copyright 2011 Red Hat, Inc. CVE-2010-4476 CVE-2010-4476 JDK Double.parseDouble Denial-Of-Service cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 vsftpd (Very Secure File Transfer Protocol (FTP) daemon) is a secure FTP server for Linux, UNIX, and similar operating systems. A flaw was discovered in the way vsftpd processed file name patterns. An FTP user could use this flaw to cause the vsftpd process to use an excessive amount of CPU time, when processing a request with a specially-crafted file name pattern. (CVE-2011-0762) All vsftpd users should upgrade to this updated package, which contains a backported patch to correct this issue. The vsftpd daemon must be restarted for this update to take effect. Important Copyright 2011 Red Hat, Inc. CVE-2011-0762 CVE-2011-0762 vsftpd: remote DoS via crafted glob pattern cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. qemu-kvm is the user-space component for running virtual machines using KVM. Virtual Network Computing (VNC) is a remote display system. A flaw was found in the way the VNC "password" option was handled. Clearing a password disabled VNC authentication, allowing a remote user able to connect to the virtual machines' VNC ports to open a VNC session without authentication. (CVE-2011-0011) All users of qemu-kvm should upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-0011 CVE-2011-0011 qemu-kvm: Setting VNC password to empty string silently disables all authentication cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 OpenLDAP is an open source suite of LDAP (Lightweight Directory Access Protocol) applications and development tools. A flaw was found in the way OpenLDAP handled authentication failures being passed from an OpenLDAP slave to the master. If OpenLDAP was configured with a chain overlay and it forwarded authentication failures, OpenLDAP would bind to the directory as an anonymous user and return success, rather than return failure on the authenticated bind. This could allow a user on a system that uses LDAP for authentication to log into a directory-based account without knowing the password. (CVE-2011-1024) This update also fixes the following bug: * Previously, multiple concurrent connections to an OpenLDAP server could cause the slapd service to terminate unexpectedly with an assertion error. This update adds mutexes to protect multiple threads from accessing a structure with a connection, and the slapd service no longer crashes. (BZ#677611) Users of OpenLDAP should upgrade to these updated packages, which contain backported patches to resolve these issues. After installing this update, the OpenLDAP daemons will be restarted automatically. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-1024 CVE-2011-1024 openldap: forwarded bind failure messages cause success cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 OpenLDAP is an open source suite of LDAP (Lightweight Directory Access Protocol) applications and development tools. A flaw was found in the way OpenLDAP handled authentication failures being passed from an OpenLDAP slave to the master. If OpenLDAP was configured with a chain overlay and it forwarded authentication failures, OpenLDAP would bind to the directory as an anonymous user and return success, rather than return failure on the authenticated bind. This could allow a user on a system that uses LDAP for authentication to log into a directory-based account without knowing the password. (CVE-2011-1024) It was found that the OpenLDAP back-ndb back end allowed successful authentication to the root distinguished name (DN) when any string was provided as a password. A remote user could use this flaw to access an OpenLDAP directory if they knew the value of the root DN. Note: This issue only affected OpenLDAP installations using the NDB back-end, which is only available for Red Hat Enterprise Linux 6 via third-party software. (CVE-2011-1025) A flaw was found in the way OpenLDAP handled modify relative distinguished name (modrdn) requests. A remote, unauthenticated user could use this flaw to crash an OpenLDAP server via a modrdn request containing an empty old RDN value. (CVE-2011-1081) Users of OpenLDAP should upgrade to these updated packages, which contain backported patches to resolve these issues. After installing this update, the OpenLDAP daemons will be restarted automatically. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-1024 CVE-2011-1025 CVE-2011-1081 CVE-2011-1024 openldap: forwarded bind failure messages cause success CVE-2011-1025 openldap: rootpw not verified via slapd.conf when using the NDB backend CVE-2011-1081 openldap: DoS when submitting special MODRDN request cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third-party, the Key Distribution Center (KDC). The Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) capability provides support for using public-key authentication with Kerberos. A double-free flaw was found in the way the MIT Kerberos KDC handled initial authentication requests (AS-REQ), when the KDC was configured to provide the PKINIT capability. A remote attacker could use this flaw to cause the KDC daemon to abort by using a specially-crafted AS-REQ request. (CVE-2011-0284) All krb5 users should upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the updated packages, the krb5kdc daemon will be restarted automatically. Important Copyright 2011 Red Hat, Inc. CVE-2011-0284 CVE-2011-0284 krb5 (krb5kdc): Double-free flaw by handling error messages upon receiving certain AS_REQ's (MITKRB5-SA-2011-003) cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 6 Supplementary for Red Hat Enterprise Linux 5 The IBM 1.6.0 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. This update fixes several vulnerabilities in the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. Detailed vulnerability descriptions are linked from the IBM "Security alerts" page, listed in the References section. (CVE-2010-4422, CVE-2010-4447, CVE-2010-4448, CVE-2010-4452, CVE-2010-4454, CVE-2010-4462, CVE-2010-4463, CVE-2010-4465, CVE-2010-4466, CVE-2010-4467, CVE-2010-4468, CVE-2010-4471, CVE-2010-4473, CVE-2010-4475) Note: The RHSA-2010:0987 and RHSA-2011:0290 java-1.6.0-ibm errata were missing 64-bit PowerPC packages for Red Hat Enterprise Linux 4 Extras. This erratum provides 64-bit PowerPC packages for Red Hat Enterprise Linux 4 Extras as expected. All users of java-1.6.0-ibm are advised to upgrade to these updated packages, containing the IBM 1.6.0 SR9-FP1 Java release. All running instances of IBM Java must be restarted for the update to take effect. Critical Copyright 2011 Red Hat, Inc. CVE-2010-4422 CVE-2010-4447 CVE-2010-4448 CVE-2010-4452 CVE-2010-4454 CVE-2010-4462 CVE-2010-4463 CVE-2010-4465 CVE-2010-4466 CVE-2010-4467 CVE-2010-4468 CVE-2010-4471 CVE-2010-4473 CVE-2010-4475 CVE-2010-4465 OpenJDK Swing timer-based security manager bypass (6907662) CVE-2010-4471 OpenJDK Java2D font-related system property leak (6985453) CVE-2010-4448 OpenJDK DNS cache poisoning by untrusted applets (6981922) CVE-2010-4475 JDK unspecified vulnerability in Deployment component CVE-2010-4473 JDK unspecified vulnerability in Sound component CVE-2010-4468 JDK unspecified vulnerability in JDBC component CVE-2010-4467 JDK unspecified vulnerability in Deployment component CVE-2010-4466 JDK unspecified vulnerability in Deployment component CVE-2010-4463 JDK unspecified vulnerability in Deployment component CVE-2010-4462 JDK unspecified vulnerability in Sound component CVE-2010-4454 JDK unspecified vulnerability in Sound component CVE-2010-4452 JDK unspecified vulnerability in Deployment component CVE-2010-4447 JDK unspecified vulnerability in Deployment component CVE-2010-4422 JDK unspecified vulnerability in Deployment component cpe:/a:redhat:rhel_extras Supplementary for Red Hat Enterprise Linux 5 Supplementary for Red Hat Enterprise Linux 6 The IBM 1.5.0 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. This update fixes several vulnerabilities in the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. Detailed vulnerability descriptions are linked from the IBM "Security alerts" page, listed in the References section. (CVE-2010-4447, CVE-2010-4448, CVE-2010-4450, CVE-2010-4454, CVE-2010-4462, CVE-2010-4465, CVE-2010-4466, CVE-2010-4468, CVE-2010-4471, CVE-2010-4473, CVE-2010-4475) All users of java-1.5.0-ibm are advised to upgrade to these updated packages, containing the IBM 1.5.0 SR12-FP4 Java release. All running instances of IBM Java must be restarted for this update to take effect. Critical Copyright 2011 Red Hat, Inc. CVE-2010-4447 CVE-2010-4448 CVE-2010-4450 CVE-2010-4454 CVE-2010-4462 CVE-2010-4465 CVE-2010-4466 CVE-2010-4468 CVE-2010-4471 CVE-2010-4473 CVE-2010-4475 CVE-2010-4465 OpenJDK Swing timer-based security manager bypass (6907662) CVE-2010-4471 OpenJDK Java2D font-related system property leak (6985453) CVE-2010-4448 OpenJDK DNS cache poisoning by untrusted applets (6981922) CVE-2010-4450 OpenJDK Launcher incorrect processing of empty library path entries (6983554) CVE-2010-4475 JDK unspecified vulnerability in Deployment component CVE-2010-4473 JDK unspecified vulnerability in Sound component CVE-2010-4468 JDK unspecified vulnerability in JDBC component CVE-2010-4466 JDK unspecified vulnerability in Deployment component CVE-2010-4462 JDK unspecified vulnerability in Sound component CVE-2010-4454 JDK unspecified vulnerability in Sound component CVE-2010-4447 JDK unspecified vulnerability in Deployment component cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 6 Wireshark is a program for monitoring network traffic. Wireshark was previously known as Ethereal. A heap-based buffer overflow flaw was found in the Wireshark MAC-LTE dissector. If Wireshark read a malformed packet off a network or opened a malicious dump file, it could crash or, possibly, execute arbitrary code as the user running Wireshark. (CVE-2011-0444) A heap-based buffer overflow flaw was found in the way Wireshark processed signaling traces generated by the Gammu utility on Nokia DCT3 phones running in Netmonitor mode. If Wireshark opened a specially-crafted capture file, it could crash or, possibly, execute arbitrary code as the user running Wireshark. (CVE-2011-0713) Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file. (CVE-2011-0538, CVE-2011-1139, CVE-2011-1140, CVE-2011-1141) Users of Wireshark should upgrade to these updated packages, which contain Wireshark version 1.2.15, and resolve these issues. All running instances of Wireshark must be restarted for the update to take effect. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-0444 CVE-2011-0538 CVE-2011-0713 CVE-2011-1139 CVE-2011-1140 CVE-2011-1141 CVE-2011-0444 wireshark: buffer overflow in MAC-LTE disector (upstream bug #5530) CVE-2011-0538 Wireshark: memory corruption when reading a malformed pcap file (upstream bug #5652) CVE-2011-0713 Wireshark: heap-based buffer overflow when reading malformed Nokia DCT3 phone signalling traces CVE-2011-1139 Wireshark: Denial Of Service (application crash) via a pcap-ng file that contains a large packet-length field CVE-2011-1140 Wireshark: Multiple stack consumption vulnerabilities caused DoS via crafted SMB or CLDAP packet CVE-2011-1141 Wireshark: Malformed LDAP filter string causes Denial of Service via excessive memory consumption cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Wireshark is a program for monitoring network traffic. Wireshark was previously known as Ethereal. A heap-based buffer overflow flaw was found in Wireshark. If Wireshark opened a specially-crafted capture file, it could crash or, possibly, execute arbitrary code as the user running Wireshark. (CVE-2011-0024) Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file. (CVE-2010-3445, CVE-2011-0538, CVE-2011-1139, CVE-2011-1140, CVE-2011-1141, CVE-2011-1143) Users of Wireshark should upgrade to these updated packages, which contain backported patches to correct these issues. All running instances of Wireshark must be restarted for the update to take effect. Moderate Copyright 2011 Red Hat, Inc. CVE-2010-3445 CVE-2011-0024 CVE-2011-0538 CVE-2011-1139 CVE-2011-1140 CVE-2011-1141 CVE-2011-1143 CVE-2010-3445 wireshark: stack overflow in BER dissector CVE-2011-0024 heap-based buffer overflow in wireshark < 1.2 when reading malformed capture files CVE-2011-0538 Wireshark: memory corruption when reading a malformed pcap file (upstream bug #5652) CVE-2011-1139 Wireshark: Denial Of Service (application crash) via a pcap-ng file that contains a large packet-length field CVE-2011-1140 Wireshark: Multiple stack consumption vulnerabilities caused DoS via crafted SMB or CLDAP packet CVE-2011-1141 Wireshark: Malformed LDAP filter string causes Denial of Service via excessive memory consumption CVE-2011-1143 Wireshark: Null pointer dereference causing application crash when reading malformed pcap file cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 Supplementary for Red Hat Enterprise Linux 6 The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in. This update fixes one vulnerability in Adobe Flash Player. This vulnerability is detailed on the Adobe security page APSB11-05, listed in the References section. Specially-crafted SWF content could cause flash-plugin to crash or, potentially, execute arbitrary code. (CVE-2011-0609) All users of Adobe Flash Player should install this updated package, which upgrades Flash Player to version 10.2.153.1. Critical Copyright 2011 Red Hat, Inc. CVE-2011-0609 CVE-2011-0609 flash-plugin: crash and potential arbitrary code execution (APSB11-05) cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. This erratum blacklists a small number of HTTPS certificates. (BZ#689430) All Firefox users should upgrade to these updated packages, which contain a backported patch. After installing the update, Firefox must be restarted for the changes to take effect. Important Copyright 2011 Red Hat, Inc. Compromised certificates cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Mozilla Thunderbird is a standalone mail and newsgroup client. This erratum blacklists a small number of HTTPS certificates. (BZ#689430) This update also fixes the following bug: * The RHSA-2011:0312 and RHSA-2011:0311 updates introduced a regression, preventing some Java content and plug-ins written in Java from loading. With this update, the Java content and plug-ins work as expected. (BZ#683076) All Thunderbird users should upgrade to this updated package, which resolves these issues. All running instances of Thunderbird must be restarted for the update to take effect. Important Copyright 2011 Red Hat, Inc. Mozilla 3.6.14 regression [rhel-6.1] Compromised certificates cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 SeaMonkey is an open source web browser, email and newsgroup client, IRC chat client, and HTML editor. This erratum blacklists a small number of HTTPS certificates. (BZ#689430) All SeaMonkey users should upgrade to these updated packages, which correct this issue. After installing the update, SeaMonkey must be restarted for the changes to take effect. Important Copyright 2011 Red Hat, Inc. Compromised certificates cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 5 D-Bus is a system for sending messages between applications. It is used for the system-wide message bus service and as a per-user-login-session messaging facility. A denial of service flaw was discovered in the system for sending messages between applications. A local user could send a message with an excessive number of nested variants to the system-wide message bus, causing the message bus (and, consequently, any process using libdbus to receive messages) to abort. (CVE-2010-4352) All users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. For the update to take effect, all running instances of dbus-daemon and all running applications using the libdbus library must be restarted, or the system rebooted. Moderate Copyright 2011 Red Hat, Inc. CVE-2010-4352 CVE-2010-4352 D-BUS: Stack overflow by validating message with excessive number of nested variants cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 rsync is a program for synchronizing files over a network. A memory corruption flaw was found in the way the rsync client processed malformed file list data. If an rsync client used the "--recursive" and "--delete" options without the "--owner" option when connecting to a malicious rsync server, the malicious server could cause rsync on the client system to crash or, possibly, execute arbitrary code with the privileges of the user running rsync. (CVE-2011-1097) Red Hat would like to thank Wayne Davison and Matt McCutchen for reporting this issue. Users of rsync should upgrade to this updated package, which contains a backported patch to resolve this issue. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-1097 CVE-2011-1097 rsync: Incremental file-list corruption due to temporary file_extra_cnt increments cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remotely managing virtualized systems. It was found that several libvirt API calls did not honor the read-only permission for connections. A local attacker able to establish a read-only connection to libvirtd on a server could use this flaw to execute commands that should be restricted to read-write connections, possibly leading to a denial of service or privilege escalation. (CVE-2011-1146) Note: Previously, using rpmbuild without the '--define "rhel 5"' option to build the libvirt source RPM on Red Hat Enterprise Linux 5 failed with a "Failed build dependencies" error for the device-mapper-devel package, as this -devel sub-package is not available on Red Hat Enterprise Linux 5. With this update, the -devel sub-package is no longer checked by default as a dependency when building on Red Hat Enterprise Linux 5, allowing the libvirt source RPM to build as expected. All libvirt users are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing the updated packages, libvirtd must be restarted ("service libvirtd restart") for this update to take effect. Important Copyright 2011 Red Hat, Inc. CVE-2011-1146 CVE-2011-1146 libvirt: several API calls do not honour read-only connection cpe:/a:redhat:rhel_virtualization cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 The libtiff packages contain a library of functions for manipulating Tagged Image File Format (TIFF) files. A heap-based buffer overflow flaw was found in the way libtiff processed certain TIFF files encoded with a 4-bit run-length encoding scheme from ThunderScan. An attacker could use this flaw to create a specially-crafted TIFF file that, when opened, would cause an application linked against libtiff to crash or, possibly, execute arbitrary code. (CVE-2011-1167) This update also fixes the following bug: * The RHSA-2011:0318 libtiff update introduced a regression that prevented certain TIFF Internet Fax image files, compressed with the CCITT Group 4 compression algorithm, from being read. (BZ#688825) All libtiff users should upgrade to these updated packages, which contain a backported patch to resolve these issues. All running applications linked against libtiff must be restarted for this update to take effect. Important Copyright 2011 Red Hat, Inc. CVE-2011-1167 CVE-2011-1167 libtiff: heap-based buffer overflow in thunder decoder (ZDI-11-107) Regression in libtiff due to CVE-2011-0192 fix cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The conga packages provide a web-based administration tool for remote cluster and storage management. A privilege escalation flaw was found in luci, the Conga web-based administration application. A remote attacker could possibly use this flaw to obtain administrative access, allowing them to read, create, or modify the content of the luci application. (CVE-2011-0720) Users of Conga are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing the updated packages, luci must be restarted ("service luci restart") for the update to take effect. Important Copyright 2011 Red Hat, Inc. CVE-2011-0720 CVE-2011-0720 plone: unauthorized remote administrative access cpe:/a:redhat:rhel_cluster Red Hat Enterprise Linux 6 The GNOME Display Manager (GDM) provides the graphical login screen, shown shortly after boot up, log out, and when user-switching. A race condition flaw was found in the way GDM handled the cache directories used to store users' dmrc and face icon files. A local attacker could use this flaw to trick GDM into changing the ownership of an arbitrary file via a symbolic link attack, allowing them to escalate their privileges. (CVE-2011-0727) Red Hat would like to thank Sebastian Krahmer of the SuSE Security Team for reporting this issue. All users should upgrade to these updated packages, which contain a backported patch to correct this issue. GDM must be restarted for this update to take effect. Rebooting achieves this, but changing the runlevel from 5 to 3 and back to 5 also restarts GDM. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-0727 CVE-2011-0727 gdm: privilege escalation vulnerability cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Quagga is a TCP/IP based routing software suite. The Quagga bgpd daemon implements the BGP (Border Gateway Protocol) routing protocol. A denial of service flaw was found in the way the Quagga bgpd daemon processed certain route metrics information. A BGP message with a specially-crafted path limit attribute would cause the bgpd daemon to reset its session with the peer through which this message was received. (CVE-2010-1675) A NULL pointer dereference flaw was found in the way the Quagga bgpd daemon processed malformed route extended communities attributes. A configured BGP peer could crash bgpd on a target system via a specially-crafted BGP message. (CVE-2010-1674) Users of quagga should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the bgpd daemon must be restarted for the update to take effect. Moderate Copyright 2011 Red Hat, Inc. CVE-2010-1674 CVE-2010-1675 CVE-2010-1674 quagga: DoS (crash) by processing malformed extended community attribute in a route CVE-2010-1675 quagga: BGP session reset by processing BGP Update message with malformed AS-path attributes cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 The logrotate utility simplifies the administration of multiple log files, allowing the automatic rotation, compression, removal, and mailing of log files. A shell command injection flaw was found in the way logrotate handled the shred directive. A specially-crafted log file could cause logrotate to execute arbitrary commands with the privileges of the user running logrotate (root, by default). Note: The shred directive is not enabled by default. (CVE-2011-1154) A race condition flaw was found in the way logrotate applied permissions when creating new log files. In some specific configurations, a local attacker could use this flaw to open new log files before logrotate applies the final permissions, possibly leading to the disclosure of sensitive information. (CVE-2011-1098) An input sanitization flaw was found in logrotate. A log file with a specially-crafted file name could cause logrotate to abort when attempting to process that file a subsequent time. (CVE-2011-1155) All logrotate users should upgrade to this updated package, which contains backported patches to resolve these issues. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-1098 CVE-2011-1154 CVE-2011-1155 CVE-2011-1154 logrotate: Shell command injection by using the shred configuration directive CVE-2011-1155 logrotate: DoS due improper escaping of file names within 'write state' action CVE-2011-1098 logrotate: TOCTOU race condition by creation of new files (between opening the file and moment, final permissions have been applied) [information disclosure] cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The glibc packages contain the standard C libraries used by multiple programs on the system. These packages contain the standard C and the standard math libraries. Without these two libraries, a Linux system cannot function properly. The fix for CVE-2010-3847 introduced a regression in the way the dynamic loader expanded the $ORIGIN dynamic string token specified in the RPATH and RUNPATH entries in the ELF library header. A local attacker could use this flaw to escalate their privileges via a setuid or setgid program using such a library. (CVE-2011-0536) It was discovered that the glibc addmntent() function did not sanitize its input properly. A local attacker could possibly use this flaw to inject malformed lines into /etc/mtab via certain setuid mount helpers, if the attacker were allowed to mount to an arbitrary directory under their control. (CVE-2010-0296) It was discovered that the glibc fnmatch() function did not properly restrict the use of alloca(). If the function was called on sufficiently large inputs, it could cause an application using fnmatch() to crash or, possibly, execute arbitrary code with the privileges of the application. (CVE-2011-1071) It was discovered that the locale command did not produce properly escaped output as required by the POSIX specification. If an attacker were able to set the locale environment variables in the environment of a script that performed shell evaluation on the output of the locale command, and that script were run with different privileges than the attacker's, it could execute arbitrary code with the privileges of the script. (CVE-2011-1095) All users should upgrade to these updated packages, which contain backported patches to correct these issues. Important Copyright 2011 Red Hat, Inc. CVE-2010-0296 CVE-2011-0536 CVE-2011-1071 CVE-2011-1095 CVE-2011-1658 CVE-2011-1659 CVE-2010-0296 glibc: Improper encoding of names with certain special character in utilities for writing to mtab table CVE-2011-1095 glibc: insufficient quoting in the locale command output CVE-2011-0536 glibc: CVE-2010-3847 fix causes linker to search CWD when running privileged program with $ORIGIN in R*PATH CVE-2011-1071 CVE-2011-1659 glibc: fnmatch() alloca()-based memory corruption flaw iconv regression cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 The glibc packages contain the standard C libraries used by multiple programs on the system. These packages contain the standard C and the standard math libraries. Without these two libraries, a Linux system cannot function properly. The fix for CVE-2010-3847 introduced a regression in the way the dynamic loader expanded the $ORIGIN dynamic string token specified in the RPATH and RUNPATH entries in the ELF library header. A local attacker could use this flaw to escalate their privileges via a setuid or setgid program using such a library. (CVE-2011-0536) It was discovered that the glibc fnmatch() function did not properly restrict the use of alloca(). If the function was called on sufficiently large inputs, it could cause an application using fnmatch() to crash or, possibly, execute arbitrary code with the privileges of the application. (CVE-2011-1071) It was discovered that the locale command did not produce properly escaped output as required by the POSIX specification. If an attacker were able to set the locale environment variables in the environment of a script that performed shell evaluation on the output of the locale command, and that script were run with different privileges than the attacker's, it could execute arbitrary code with the privileges of the script. (CVE-2011-1095) All users should upgrade to these updated packages, which contain backported patches to correct these issues. Important Copyright 2011 Red Hat, Inc. CVE-2011-0536 CVE-2011-1071 CVE-2011-1095 CVE-2011-1658 CVE-2011-1659 CVE-2011-1095 glibc: insufficient quoting in the locale command output CVE-2011-0536 glibc: CVE-2010-3847 fix causes linker to search CWD when running privileged program with $ORIGIN in R*PATH CVE-2011-1071 CVE-2011-1659 glibc: fnmatch() alloca()-based memory corruption flaw cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 The policycoreutils packages contain the core utilities that are required for the basic operation of a Security-Enhanced Linux (SELinux) system and its policies. It was discovered that the seunshare utility did not enforce proper file permissions on the directory used as an alternate temporary directory mounted as /tmp/. A local user could use this flaw to overwrite files or, possibly, execute arbitrary code with the privileges of a setuid or setgid application that relies on proper /tmp/ permissions, by running that application via seunshare. (CVE-2011-1011) Red Hat would like to thank Tavis Ormandy for reporting this issue. This update also introduces the following changes: * The seunshare utility was moved from the main policycoreutils subpackage to the policycoreutils-sandbox subpackage. This utility is only required by the sandbox feature and does not need to be installed by default. * Updated selinux-policy packages that add the SELinux policy changes required by the seunshare fixes. All policycoreutils users should upgrade to these updated packages, which correct this issue. Important Copyright 2011 Red Hat, Inc. CVE-2011-1011 CVE-2011-1011 policycoreutils: insecure temporary directory handling in seunshare cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues: * A flaw was found in the sctp_icmp_proto_unreachable() function in the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation. A remote attacker could use this flaw to cause a denial of service. (CVE-2010-4526, Important) * A missing boundary check was found in the dvb_ca_ioctl() function in the Linux kernel's av7110 module. On systems that use old DVB cards that require the av7110 module, a local, unprivileged user could use this flaw to cause a denial of service or escalate their privileges. (CVE-2011-0521, Important) * A race condition was found in the way the Linux kernel's InfiniBand implementation set up new connections. This could allow a remote user to cause a denial of service. (CVE-2011-0695, Important) * A heap overflow flaw in the iowarrior_write() function could allow a user with access to an IO-Warrior USB device, that supports more than 8 bytes per report, to cause a denial of service or escalate their privileges. (CVE-2010-4656, Moderate) * A flaw was found in the way the Linux Ethernet bridge implementation handled certain IGMP (Internet Group Management Protocol) packets. A local, unprivileged user on a system that has a network interface in an Ethernet bridge could use this flaw to crash that system. (CVE-2011-0716, Moderate) * A NULL pointer dereference flaw was found in the Generic Receive Offload (GRO) functionality in the Linux kernel's networking implementation. If both GRO and promiscuous mode were enabled on an interface in a virtual LAN (VLAN), it could result in a denial of service when a malformed VLAN frame is received on that interface. (CVE-2011-1478, Moderate) * A missing initialization flaw in the Linux kernel could lead to an information leak. (CVE-2010-3296, Low) * A missing security check in the Linux kernel's implementation of the install_special_mapping() function could allow a local, unprivileged user to bypass the mmap_min_addr protection mechanism. (CVE-2010-4346, Low) * A logic error in the orinoco_ioctl_set_auth() function in the Linux kernel's ORiNOCO wireless extensions support implementation could render TKIP countermeasures ineffective when it is enabled, as it enabled the card instead of shutting it down. (CVE-2010-4648, Low) * A missing initialization flaw was found in the ethtool_get_regs() function in the Linux kernel's ethtool IOCTL handler. A local user who has the CAP_NET_ADMIN capability could use this flaw to cause an information leak. (CVE-2010-4655, Low) * An information leak was found in the Linux kernel's task_show_regs() implementation. On IBM S/390 systems, a local, unprivileged user could use this flaw to read /proc/[PID]/status files, allowing them to discover the CPU register values of processes. (CVE-2011-0710, Low) Red Hat would like to thank Jens Kuehnel for reporting CVE-2011-0695; Kees Cook for reporting CVE-2010-4656 and CVE-2010-4655; Dan Rosenberg for reporting CVE-2010-3296; and Tavis Ormandy for reporting CVE-2010-4346. This update also fixes several bugs. Documentation for these bug fixes will be available shortly from the Technical Notes document linked to in the References section. Users should upgrade to these updated packages, which contain backported patches to correct these issues, and fix the bugs noted in the Technical Notes. The system must be rebooted for this update to take effect. Important Copyright 2011 Red Hat, Inc. CVE-2010-3296 CVE-2010-4346 CVE-2010-4526 CVE-2010-4648 CVE-2010-4655 CVE-2010-4656 CVE-2011-0521 CVE-2011-0695 CVE-2011-0710 CVE-2011-0716 CVE-2011-1478 CVE-2010-3296 kernel: drivers/net/cxgb3/cxgb3_main.c reading uninitialized stack memory CVE-2011-0695 kernel: panic in ib_cm:cm_work_handler CVE-2010-4346 kernel: install_special_mapping skips security_file_mmap check CVE-2010-4526 kernel: sctp: a race between ICMP protocol unreachable and connect() CVE-2010-4648 kernel: orinoco: fix TKIP countermeasure behaviour CVE-2011-0521 kernel: av7110 negative array offset CVE-2010-4656 kernel: iowarrior usb device heap overflow CVE-2010-4655 kernel: heap contents leak for CAP_NET_ADMIN via ethtool ioctl CVE-2011-0710 kernel: s390 task_show_regs infoleak CVE-2011-0716 kernel: deficiency in processing igmp host membership reports in br_multicast virtio_console driver never returns from selecting for write when the queue is full [rhel-6.0.z] Disallow 0-sized writes to virtio ports to go through to host (leading to VM crash) [rhel-6.0.z] writing to a virtio serial port while no one is listening on the host side hangs the guest [rhel-6.0.z] Start multi RHEL5.5 64 bit guests triggers rtl8169_interrupt hang [rhel-6.0.z] backport set_iounmap_nonlazy() to speedup reading of /proc/vmcore [rhel-6.0.z] Backport upstream cacheing fix for optimizing reads from /proc/vmcore [rhel-6.0.z] kvm: guest stale memory after migration [rhel-6.0.z] guest kernel panic when boot with nmi_watchdog=1 [rhel-6.0.z] kernel: restrict unprivileged access to kernel syslog [rhel-6.1] [rhel-6.0.z] kernel: missing CONFIG_STRICT_DEVMEM=y in S390x [rhel-6.0.z] virtio_net: missing schedule on oom [rhel-6.0.z] CVE-2011-1478 kernel: gro: reset dev and skb_iff on skb reuse cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 Postfix is a Mail Transport Agent (MTA), supporting LDAP, SMTP AUTH (SASL), and TLS. It was discovered that Postfix did not flush the received SMTP commands buffer after switching to TLS encryption for an SMTP session. A man-in-the-middle attacker could use this flaw to inject SMTP commands into a victim's session during the plain text phase. This would lead to those commands being processed by Postfix after TLS encryption is enabled, possibly allowing the attacker to steal the victim's mail or authentication credentials. (CVE-2011-0411) It was discovered that Postfix did not properly check the permissions of users' mailbox files. A local attacker able to create files in the mail spool directory could use this flaw to create mailbox files for other local users, and be able to read mail delivered to those users. (CVE-2008-2937) Red Hat would like to thank the CERT/CC for reporting CVE-2011-0411, and Sebastian Krahmer of the SuSE Security Team for reporting CVE-2008-2937. The CERT/CC acknowledges Wietse Venema as the original reporter of CVE-2011-0411. Users of Postfix are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. After installing this update, the postfix service will be restarted automatically. Moderate Copyright 2011 Red Hat, Inc. CVE-2008-2937 CVE-2011-0411 CVE-2008-2937 postfix improper mailbox permissions CVE-2011-0411 postfix: SMTP commands injection during plaintext to TLS session switch cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Postfix is a Mail Transport Agent (MTA), supporting LDAP, SMTP AUTH (SASL), and TLS. It was discovered that Postfix did not flush the received SMTP commands buffer after switching to TLS encryption for an SMTP session. A man-in-the-middle attacker could use this flaw to inject SMTP commands into a victim's session during the plain text phase. This would lead to those commands being processed by Postfix after TLS encryption is enabled, possibly allowing the attacker to steal the victim's mail or authentication credentials. (CVE-2011-0411) Red Hat would like to thank the CERT/CC for reporting CVE-2011-0411. The CERT/CC acknowledges Wietse Venema as the original reporter. Users of Postfix are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing this update, the postfix service will be restarted automatically. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-0411 CVE-2011-0411 postfix: SMTP commands injection during plaintext to TLS session switch cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 The Simple Protocol for Independent Computing Environments (SPICE) is a remote display protocol used in Red Hat Enterprise Linux for viewing virtualized guests running on the Kernel-based Virtual Machine (KVM) hypervisor, or on Red Hat Enterprise Virtualization Hypervisor. The spice-xpi package provides a plug-in that allows the SPICE client to run from within Mozilla Firefox. An uninitialized pointer use flaw was found in the SPICE Firefox plug-in. If a user were tricked into visiting a malicious web page with Firefox while the SPICE plug-in was enabled, it could cause Firefox to crash or, possibly, execute arbitrary code with the privileges of the user running Firefox. (CVE-2011-1179) It was found that the SPICE Firefox plug-in used a predictable name for one of its log files. A local attacker could use this flaw to conduct a symbolic link attack, allowing them to overwrite arbitrary files accessible to the user running Firefox. (CVE-2011-0012) Users of spice-xpi should upgrade to this updated package, which contains backported patches to correct these issues. After installing the update, Firefox must be restarted for the changes to take effect. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-0012 CVE-2011-1179 CVE-2011-0012 spice-xpi: symlink attack on usbrdrctl log file CVE-2011-1179 spice-xpi: unitialized pointer writes possible when getting plugin properties cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The Simple Protocol for Independent Computing Environments (SPICE) is a remote display protocol used in Red Hat Enterprise Linux for viewing virtualized guests running on the Kernel-based Virtual Machine (KVM) hypervisor, or on Red Hat Enterprise Virtualization Hypervisor. The spice-xpi package provides a plug-in that allows the SPICE client to run from within Mozilla Firefox. An uninitialized pointer use flaw was found in the SPICE Firefox plug-in. If a user were tricked into visiting a malicious web page with Firefox while the SPICE plug-in was enabled, it could cause Firefox to crash or, possibly, execute arbitrary code with the privileges of the user running Firefox. (CVE-2011-1179) Users of spice-xpi should upgrade to this updated package, which contains a backported patch to correct this issue. After installing the update, Firefox must be restarted for the changes to take effect. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-1179 CVE-2011-1179 spice-xpi: unitialized pointer writes possible when getting plugin properties cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 The Dynamic Host Configuration Protocol (DHCP) is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. It was discovered that the DHCP client daemon, dhclient, did not sufficiently sanitize certain options provided in DHCP server replies, such as the client hostname. A malicious DHCP server could send such an option with a specially-crafted value to a DHCP client. If this option's value was saved on the client system, and then later insecurely evaluated by a process that assumes the option is trusted, it could lead to arbitrary code execution with the privileges of that process. (CVE-2011-0997) Red Hat would like to thank Sebastian Krahmer of the SuSE Security Team for reporting this issue. All dhclient users should upgrade to these updated packages, which contain a backported patch to correct this issue. Important Copyright 2011 Red Hat, Inc. CVE-2011-0997 CVE-2011-0997 dhclient: insufficient sanitization of certain DHCP response values cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues: * A missing boundary check was found in the dvb_ca_ioctl() function in the Linux kernel's av7110 module. On systems that use old DVB cards that require the av7110 module, a local, unprivileged user could use this flaw to cause a denial of service or escalate their privileges. (CVE-2011-0521, Important) * An inconsistency was found in the interaction between the Linux kernel's method for allocating NFSv4 (Network File System version 4) ACL data and the method by which it was freed. This inconsistency led to a kernel panic which could be triggered by a local, unprivileged user with files owned by said user on an NFSv4 share. (CVE-2011-1090, Moderate) * A NULL pointer dereference flaw was found in the Generic Receive Offload (GRO) functionality in the Linux kernel's networking implementation. If both GRO and promiscuous mode were enabled on an interface in a virtual LAN (VLAN), it could result in a denial of service when a malformed VLAN frame is received on that interface. (CVE-2011-1478, Moderate) * A missing security check in the Linux kernel's implementation of the install_special_mapping() function could allow a local, unprivileged user to bypass the mmap_min_addr protection mechanism. (CVE-2010-4346, Low) * An information leak was found in the Linux kernel's task_show_regs() implementation. On IBM S/390 systems, a local, unprivileged user could use this flaw to read /proc/[PID]/status files, allowing them to discover the CPU register values of processes. (CVE-2011-0710, Low) * A missing validation check was found in the Linux kernel's mac_partition() implementation, used for supporting file systems created on Mac OS operating systems. A local attacker could use this flaw to cause a denial of service by mounting a disk that contains specially-crafted partitions. (CVE-2011-1010, Low) Red Hat would like to thank Ryan Sweat for reporting CVE-2011-1478; Tavis Ormandy for reporting CVE-2010-4346; and Timo Warns for reporting CVE-2011-1010. This update also fixes several bugs. Documentation for these bug fixes will be available shortly from the Technical Notes document linked to in the References section. Users should upgrade to these updated packages, which contain backported patches to correct these issues, and fix the bugs noted in the Technical Notes. The system must be rebooted for this update to take effect. Important Copyright 2011 Red Hat, Inc. CVE-2010-4346 CVE-2011-0521 CVE-2011-0710 CVE-2011-1010 CVE-2011-1090 CVE-2011-1478 CVE-2010-4346 kernel: install_special_mapping skips security_file_mmap check CVE-2011-0521 kernel: av7110 negative array offset Kernel panic when restart network on vlan with bonding [rhel-5.6.z] GFS2: Blocks not marked free on delete [rhel-5.6.z] mpctl module doesn't release fasync_struct at file close [rhel-5.6.z] CVE-2011-0710 kernel: s390 task_show_regs infoleak CVE-2011-1010 kernel: fs/partitions: Validate map_count in Mac partition tables [usb-audio] unable to set capture mixer levels [rhel-5.6.z] WARNING: APIC timer calibration may be wrong [rhel-5.6.z] [NetApp 5.6 Bug] Erroneous TPG ID check in SCSI ALUA Handler [rhel-5.6.z] CVE-2011-1090 kernel: nfs4: Ensure that ACL pages sent over NFS were not allocated from the slab system fails to boot do to x86-64 kernel corrupting bios memory area [rhel-5.6.z] kernel panic in pg_init_done - pgpath already deleted [rhel-5.6.z] HP_GETHOSTINFO ioctl always causes mpt controller reset [rhel-5.6.z] CVE-2011-1478 kernel: gro: reset dev and skb_iff on skb reuse cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 X.Org is an open source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon. A flaw was found in the X.Org X server resource database utility, xrdb. Certain variables were not properly sanitized during the launch of a user's graphical session, which could possibly allow a remote attacker to execute arbitrary code with root privileges, if they were able to make the display manager execute xrdb with a specially-crafted X client hostname. For example, by configuring the hostname on the target system via a crafted DHCP reply, or by using the X Display Manager Control Protocol (XDMCP) to connect to that system from a host that has a special DNS name. (CVE-2011-0465) Red Hat would like to thank Matthieu Herrb for reporting this issue. Upstream acknowledges Sebastian Krahmer of the SuSE Security Team as the original reporter. Users of xorg-x11 should upgrade to these updated packages, which contain a backported patch to resolve this issue. All running X.Org server instances must be restarted for this update to take effect. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-0465 CVE-2011-0465 xorg: xrdb code execution via crafted X client hostname cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 The xorg-x11-server-utils package contains a collection of utilities used to modify and query the runtime configuration of the X.Org server. X.Org is an open source implementation of the X Window System. A flaw was found in the X.Org X server resource database utility, xrdb. Certain variables were not properly sanitized during the launch of a user's graphical session, which could possibly allow a remote attacker to execute arbitrary code with root privileges, if they were able to make the display manager execute xrdb with a specially-crafted X client hostname. For example, by configuring the hostname on the target system via a crafted DHCP reply, or by using the X Display Manager Control Protocol (XDMCP) to connect to that system from a host that has a special DNS name. (CVE-2011-0465) Red Hat would like to thank Matthieu Herrb for reporting this issue. Upstream acknowledges Sebastian Krahmer of the SuSE Security Team as the original reporter. Users of xorg-x11-server-utils should upgrade to this updated package, which contains a backported patch to resolve this issue. All running X.Org server instances must be restarted for this update to take effect. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-0465 CVE-2011-0465 xorg: xrdb code execution via crafted X client hostname cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Avahi is an implementation of the DNS Service Discovery and Multicast DNS specifications for Zero Configuration Networking. It facilitates service discovery on a local network. Avahi and Avahi-aware applications allow you to plug your computer into a network and, with no configuration, view other people to chat with, view printers to print to, and find shared files on other computers. A flaw was found in the way the Avahi daemon (avahi-daemon) processed Multicast DNS (mDNS) packets with an empty payload. An attacker on the local network could use this flaw to cause avahi-daemon on a target system to enter an infinite loop via an empty mDNS UDP packet. (CVE-2011-1002) All users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the update, avahi-daemon will be restarted automatically. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-1002 CVE-2011-1002 avahi: daemon infinite loop triggered by an empty UDP packet (CVE-2010-2244 fix regression) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third-party, the Key Distribution Center (KDC). An invalid free flaw was found in the password-changing capability of the MIT Kerberos administration daemon, kadmind. A remote, unauthenticated attacker could use this flaw to cause kadmind to abort via a specially-crafted request. (CVE-2011-0285) All krb5 users should upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the updated packages, the kadmind daemon will be restarted automatically. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-0285 CVE-2011-0285 krb5: kadmind invalid pointer free() (MITKRB5-SA-004) cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 Supplementary for Red Hat Enterprise Linux 6 The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in. This update fixes one vulnerability in Adobe Flash Player. This vulnerability is detailed on the Adobe security page APSB11-07, listed in the References section. Specially-crafted SWF content could cause flash-plugin to crash or, potentially, execute arbitrary code. (CVE-2011-0611) All users of Adobe Flash Player should install this updated package, which upgrades Flash Player to version 10.2.159.1. Critical Copyright 2011 Red Hat, Inc. CVE-2011-0611 CVE-2011-0611 flash-plugin: crash and potential arbitrary code execution (APSB11-07) cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 6 The libtiff packages contain a library of functions for manipulating Tagged Image File Format (TIFF) files. A heap-based buffer overflow flaw was found in the way libtiff processed certain TIFF image files that were compressed with the JPEG compression algorithm. An attacker could use this flaw to create a specially-crafted TIFF file that, when opened, would cause an application linked against libtiff to crash or, possibly, execute arbitrary code. (CVE-2009-5022) All libtiff users should upgrade to these updated packages, which contain a backported patch to resolve this issue. All running applications linked against libtiff must be restarted for this update to take effect. Important Copyright 2011 Red Hat, Inc. CVE-2009-5022 CVE-2009-5022 libtiff ojpeg buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 PolicyKit is a toolkit for defining and handling authorizations. A race condition flaw was found in the PolicyKit pkexec utility and polkitd daemon. A local user could use this flaw to appear as a privileged user to pkexec, allowing them to execute arbitrary commands as root by running those commands with pkexec. (CVE-2011-1485) Red Hat would like to thank Neel Mehta of Google for reporting this issue. All polkit users should upgrade to these updated packages, which contain backported patches to correct this issue. The system must be rebooted for this update to take effect. Important Copyright 2011 Red Hat, Inc. CVE-2011-1485 CVE-2011-1485 polkitd/pkexec vulnerability cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 The kdelibs packages provide libraries for the K Desktop Environment (KDE). A cross-site scripting (XSS) flaw was found in the way KHTML, the HTML layout engine used by KDE applications such as the Konqueror web browser, displayed certain error pages. A remote attacker could use this flaw to perform a cross-site scripting attack against victims by tricking them into visiting a specially-crafted URL. (CVE-2011-1168) A flaw was found in the way kdelibs checked the user specified hostname against the name in the server's SSL certificate. A man-in-the-middle attacker could use this flaw to trick an application using kdelibs into mistakenly accepting a certificate as if it was valid for the host, if that certificate was issued for an IP address to which the user specified hostname was resolved to. (CVE-2011-1094) Note: As part of the fix for CVE-2011-1094, this update also introduces stricter handling for wildcards used in servers' SSL certificates. Users should upgrade to these updated packages, which contain backported patches to correct these issues. The desktop must be restarted (log out, then log back in) for this update to take effect. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-1094 CVE-2011-1168 CVE-2011-1094 kdelibs: SSL certificate for IP address accepted as valid for hosts that resolve to the IP CVE-2011-1168 kdelibs: partially universal XSS in Konqueror error pages cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 The kdenetwork packages contain networking applications for the K Desktop Environment (KDE). A directory traversal flaw was found in the way KGet, a download manager, handled the "file" element in Metalink files. An attacker could use this flaw to create a specially-crafted Metalink file that, when opened, would cause KGet to overwrite arbitrary files accessible to the user running KGet. (CVE-2011-1586) Users of kdenetwork should upgrade to these updated packages, which contain a backported patch to resolve this issue. The desktop must be restarted (log out, then log back in) for this update to take effect. Important Copyright 2011 Red Hat, Inc. CVE-2011-1586 CVE-2011-1586 kdenetwork: incomplete fix for CVE-2010-1000 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 4 Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A web page containing malicious content could possibly lead to arbitrary code execution with the privileges of the user running Firefox. (CVE-2011-0080, CVE-2011-0081) An arbitrary memory write flaw was found in the way Firefox handled out-of-memory conditions. If all memory was consumed when a user visited a malicious web page, it could possibly lead to arbitrary code execution with the privileges of the user running Firefox. (CVE-2011-0078) An integer overflow flaw was found in the way Firefox handled the HTML frameset tag. A web page with a frameset tag containing large values for the "rows" and "cols" attributes could trigger this flaw, possibly leading to arbitrary code execution with the privileges of the user running Firefox. (CVE-2011-0077) A flaw was found in the way Firefox handled the HTML iframe tag. A web page with an iframe tag containing a specially-crafted source address could trigger this flaw, possibly leading to arbitrary code execution with the privileges of the user running Firefox. (CVE-2011-0075) A flaw was found in the way Firefox displayed multiple marquee elements. A malformed HTML document could cause Firefox to execute arbitrary code with the privileges of the user running Firefox. (CVE-2011-0074) A flaw was found in the way Firefox handled the nsTreeSelection element. Malformed content could cause Firefox to execute arbitrary code with the privileges of the user running Firefox. (CVE-2011-0073) A use-after-free flaw was found in the way Firefox appended frame and iframe elements to a DOM tree when the NoScript add-on was enabled. Malicious HTML content could cause Firefox to execute arbitrary code with the privileges of the user running Firefox. (CVE-2011-0072) A directory traversal flaw was found in the Firefox resource:// protocol handler. Malicious content could cause Firefox to access arbitrary files accessible to the user running Firefox. (CVE-2011-0071) A double free flaw was found in the way Firefox handled "application/http-index-format" documents. A malformed HTTP response could cause Firefox to execute arbitrary code with the privileges of the user running Firefox. (CVE-2011-0070) A flaw was found in the way Firefox handled certain JavaScript cross-domain requests. If malicious content generated a large number of cross-domain JavaScript requests, it could cause Firefox to execute arbitrary code with the privileges of the user running Firefox. (CVE-2011-0069) A flaw was found in the way Firefox displayed the autocomplete pop-up. Malicious content could use this flaw to steal form history information. (CVE-2011-0067) Two use-after-free flaws were found in the Firefox mObserverList and mChannel objects. Malicious content could use these flaws to execute arbitrary code with the privileges of the user running Firefox. (CVE-2011-0066, CVE-2011-0065) A flaw was found in the Firefox XSLT generate-id() function. This function returned the memory address of an object in memory, which could possibly be used by attackers to bypass address randomization protections. (CVE-2011-1202) For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 3.6.17. You can find a link to the Mozilla advisories in the References section of this erratum. All Firefox users should upgrade to these updated packages, which contain Firefox version 3.6.17, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect. Critical Copyright 2011 Red Hat, Inc. CVE-2011-0065 CVE-2011-0066 CVE-2011-0067 CVE-2011-0069 CVE-2011-0070 CVE-2011-0071 CVE-2011-0072 CVE-2011-0073 CVE-2011-0074 CVE-2011-0075 CVE-2011-0077 CVE-2011-0078 CVE-2011-0080 CVE-2011-0081 CVE-2011-1202 CVE-2011-1202 libxslt: Heap address leak in XLST CVE-2011-0078 Mozilla OOM condition arbitrary memory write (MFSA 2011-12) CVE-2011-0077 Mozilla integer overflow in frameset spec (MFSA 2011-12) CVE-2011-0075 Mozilla crash from bad iframe source (MFSA 2011-12) CVE-2011-0074 Mozilla crash from several marquee elements (MFSA 2011-12) CVE-2011-0073 Mozilla dangling pointer flaw (MFSA 2011-13) CVE-2011-0072 Mozilla use after free flaw (MFSA 2011-12) CVE-2011-0071 Mozilla directory traversal via resource protocol (MFSA 2011-16) CVE-2011-0070 Mozilla double free flaw (MFSA 2011-12) CVE-2011-0069 Mozilla javascript crash (MFSA 2011-12) CVE-2011-0067 Mozilla untrusted events can trigger autocomplete popup (MFSA 2011-14) CVE-2011-0066 Mozilla mObserverList use after free (MFSA 2011-13) CVE-2011-0065 Mozilla mChannel use after free (MFSA 2011-13) CVE-2011-0081 Mozilla memory safety issue (MFSA 2011-12) CVE-2011-0080 Mozilla memory safety issue (MFSA 2011-12) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 Network Security Services (NSS) is a set of libraries designed to support the development of security-enabled client and server applications. This erratum blacklists a small number of HTTPS certificates by adding them, flagged as untrusted, to the NSS Builtin Object Token (the libnssckbi.so library) certificate store. (BZ#689430) Note: This fix only applies to applications using the NSS Builtin Object Token. It does not blacklist the certificates for applications that use the NSS library, but do not use the NSS Builtin Object Token (such as curl). All NSS users should upgrade to these updated packages, which correct this issue. After installing the update, applications using NSS must be restarted for the changes to take effect. Important Copyright 2011 Red Hat, Inc. Compromised certificates cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 SeaMonkey is an open source web browser, email and newsgroup client, IRC chat client, and HTML editor. Several flaws were found in the processing of malformed web content. A web page containing malicious content could possibly lead to arbitrary code execution with the privileges of the user running SeaMonkey. (CVE-2011-0080) An arbitrary memory write flaw was found in the way SeaMonkey handled out-of-memory conditions. If all memory was consumed when a user visited a malicious web page, it could possibly lead to arbitrary code execution with the privileges of the user running SeaMonkey. (CVE-2011-0078) An integer overflow flaw was found in the way SeaMonkey handled the HTML frameset tag. A web page with a frameset tag containing large values for the "rows" and "cols" attributes could trigger this flaw, possibly leading to arbitrary code execution with the privileges of the user running SeaMonkey. (CVE-2011-0077) A flaw was found in the way SeaMonkey handled the HTML iframe tag. A web page with an iframe tag containing a specially-crafted source address could trigger this flaw, possibly leading to arbitrary code execution with the privileges of the user running SeaMonkey. (CVE-2011-0075) A flaw was found in the way SeaMonkey displayed multiple marquee elements. A malformed HTML document could cause SeaMonkey to execute arbitrary code with the privileges of the user running SeaMonkey. (CVE-2011-0074) A flaw was found in the way SeaMonkey handled the nsTreeSelection element. Malformed content could cause SeaMonkey to execute arbitrary code with the privileges of the user running SeaMonkey. (CVE-2011-0073) A use-after-free flaw was found in the way SeaMonkey appended frame and iframe elements to a DOM tree when the NoScript add-on was enabled. Malicious HTML content could cause SeaMonkey to execute arbitrary code with the privileges of the user running SeaMonkey. (CVE-2011-0072) All SeaMonkey users should upgrade to these updated packages, which correct these issues. After installing the update, SeaMonkey must be restarted for the changes to take effect. Critical Copyright 2011 Red Hat, Inc. CVE-2011-0072 CVE-2011-0073 CVE-2011-0074 CVE-2011-0075 CVE-2011-0077 CVE-2011-0078 CVE-2011-0080 CVE-2011-0078 Mozilla OOM condition arbitrary memory write (MFSA 2011-12) CVE-2011-0077 Mozilla integer overflow in frameset spec (MFSA 2011-12) CVE-2011-0075 Mozilla crash from bad iframe source (MFSA 2011-12) CVE-2011-0074 Mozilla crash from several marquee elements (MFSA 2011-12) CVE-2011-0073 Mozilla dangling pointer flaw (MFSA 2011-13) CVE-2011-0072 Mozilla use after free flaw (MFSA 2011-12) CVE-2011-0080 Mozilla memory safety issue (MFSA 2011-12) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Thunderbird is a standalone mail and newsgroup client. Several flaws were found in the processing of malformed HTML content. An HTML mail message containing malicious content could possibly lead to arbitrary code execution with the privileges of the user running Thunderbird. (CVE-2011-0080) An arbitrary memory write flaw was found in the way Thunderbird handled out-of-memory conditions. If all memory was consumed when a user viewed a malicious HTML mail message, it could possibly lead to arbitrary code execution with the privileges of the user running Thunderbird. (CVE-2011-0078) An integer overflow flaw was found in the way Thunderbird handled the HTML frameset tag. An HTML mail message with a frameset tag containing large values for the "rows" and "cols" attributes could trigger this flaw, possibly leading to arbitrary code execution with the privileges of the user running Thunderbird. (CVE-2011-0077) A flaw was found in the way Thunderbird handled the HTML iframe tag. An HTML mail message with an iframe tag containing a specially-crafted source address could trigger this flaw, possibly leading to arbitrary code execution with the privileges of the user running Thunderbird. (CVE-2011-0075) A flaw was found in the way Thunderbird displayed multiple marquee elements. A malformed HTML mail message could cause Thunderbird to execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2011-0074) A flaw was found in the way Thunderbird handled the nsTreeSelection element. Malformed content could cause Thunderbird to execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2011-0073) All Thunderbird users should upgrade to this updated package, which resolves these issues. All running instances of Thunderbird must be restarted for the update to take effect. Critical Copyright 2011 Red Hat, Inc. CVE-2011-0073 CVE-2011-0074 CVE-2011-0075 CVE-2011-0077 CVE-2011-0078 CVE-2011-0080 CVE-2011-0078 Mozilla OOM condition arbitrary memory write (MFSA 2011-12) CVE-2011-0077 Mozilla integer overflow in frameset spec (MFSA 2011-12) CVE-2011-0075 Mozilla crash from bad iframe source (MFSA 2011-12) CVE-2011-0074 Mozilla crash from several marquee elements (MFSA 2011-12) CVE-2011-0073 Mozilla dangling pointer flaw (MFSA 2011-13) CVE-2011-0080 Mozilla memory safety issue (MFSA 2011-12) cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Mozilla Thunderbird is a standalone mail and newsgroup client. Several flaws were found in the processing of malformed HTML content. An HTML mail message containing malicious content could possibly lead to arbitrary code execution with the privileges of the user running Thunderbird. (CVE-2011-0080, CVE-2011-0081) An arbitrary memory write flaw was found in the way Thunderbird handled out-of-memory conditions. If all memory was consumed when a user viewed a malicious HTML mail message, it could possibly lead to arbitrary code execution with the privileges of the user running Thunderbird. (CVE-2011-0078) An integer overflow flaw was found in the way Thunderbird handled the HTML frameset tag. An HTML mail message with a frameset tag containing large values for the "rows" and "cols" attributes could trigger this flaw, possibly leading to arbitrary code execution with the privileges of the user running Thunderbird. (CVE-2011-0077) A flaw was found in the way Thunderbird handled the HTML iframe tag. An HTML mail message with an iframe tag containing a specially-crafted source address could trigger this flaw, possibly leading to arbitrary code execution with the privileges of the user running Thunderbird. (CVE-2011-0075) A flaw was found in the way Thunderbird displayed multiple marquee elements. A malformed HTML mail message could cause Thunderbird to execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2011-0074) A flaw was found in the way Thunderbird handled the nsTreeSelection element. Malformed content could cause Thunderbird to execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2011-0073) A directory traversal flaw was found in the Thunderbird resource:// protocol handler. Malicious content could cause Thunderbird to access arbitrary files accessible to the user running Thunderbird. (CVE-2011-0071) A double free flaw was found in the way Thunderbird handled "application/http-index-format" documents. A malformed HTTP response could cause Thunderbird to execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2011-0070) All Thunderbird users should upgrade to this updated package, which resolves these issues. All running instances of Thunderbird must be restarted for the update to take effect. Critical Copyright 2011 Red Hat, Inc. CVE-2011-0070 CVE-2011-0071 CVE-2011-0073 CVE-2011-0074 CVE-2011-0075 CVE-2011-0077 CVE-2011-0078 CVE-2011-0080 CVE-2011-0081 CVE-2011-0078 Mozilla OOM condition arbitrary memory write (MFSA 2011-12) CVE-2011-0077 Mozilla integer overflow in frameset spec (MFSA 2011-12) CVE-2011-0075 Mozilla crash from bad iframe source (MFSA 2011-12) CVE-2011-0074 Mozilla crash from several marquee elements (MFSA 2011-12) CVE-2011-0073 Mozilla dangling pointer flaw (MFSA 2011-13) CVE-2011-0071 Mozilla directory traversal via resource protocol (MFSA 2011-16) CVE-2011-0070 Mozilla double free flaw (MFSA 2011-12) CVE-2011-0081 Mozilla memory safety issue (MFSA 2011-12) CVE-2011-0080 Mozilla memory safety issue (MFSA 2011-12) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The gstreamer-plugins packages contain plug-ins used by the GStreamer streaming-media framework to support a wide variety of media formats. An integer overflow flaw, leading to a heap-based buffer overflow, and a stack-based buffer overflow flaw were found in various ModPlug music file format library (libmodplug) modules, embedded in GStreamer. An attacker could create specially-crafted music files that, when played by a victim, would cause applications using GStreamer to crash or, potentially, execute arbitrary code. (CVE-2006-4192, CVE-2011-1574) All users of gstreamer-plugins are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the update, all applications using GStreamer (such as Rhythmbox) must be restarted for the changes to take effect. Important Copyright 2011 Red Hat, Inc. CVE-2006-4192 CVE-2011-1574 CVE-2006-4192 libmodplug: Integer overflow when reading samples of AMF files CVE-2011-1574 libmodplug: ReadS3M stack overflow vulnerability cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remotely managing virtualized systems. A flaw was found in the way libvirtd handled error reporting for concurrent connections. A remote attacker able to establish read-only connections to libvirtd on a server could use this flaw to crash libvirtd. (CVE-2011-1486) All libvirt users are advised to upgrade to these updated packages, which contain backported patches to resolve this issue. After installing the updated packages, libvirtd must be restarted ("service libvirtd restart") for this update to take effect. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-1486 CVE-2011-1486 libvirt: error reporting in libvirtd is not thread safe cpe:/a:redhat:rhel_virtualization Red Hat Enterprise Linux 6 The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remotely managing virtualized systems. A flaw was found in the way libvirtd handled error reporting for concurrent connections. A remote attacker able to establish read-only connections to libvirtd on a server could use this flaw to crash libvirtd. (CVE-2011-1486) This update also fixes the following bug: * Previously, running qemu under a different UID prevented it from accessing files with mode 0660 permissions that were owned by a different user, but by a group that qemu was a member of. (BZ#668692) All libvirt users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. After installing the updated packages, libvirtd must be restarted ("service libvirtd restart") for this update to take effect. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-1486 qemu process is spawned with no supplementary groups CVE-2011-1486 libvirt: error reporting in libvirtd is not thread safe cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The XML Security Library is a C library based on libxml2 and OpenSSL that implements the XML Digital Signature and XML Encryption standards. A flaw was found in the way xmlsec1 handled XML files that contain an XSLT transformation specification. A specially-crafted XML file could cause xmlsec1 to create or overwrite an arbitrary file while performing the verification of a file's digital signature. (CVE-2011-1425) Red Hat would like to thank Nicolas Grégoire and Aleksey Sanin for reporting this issue. This update also fixes the following bug: * xmlsec1 previously used an incorrect search path when searching for crypto plug-in libraries, possibly trying to access such libraries using a relative path. (BZ#558480, BZ#700467) Users of xmlsec1 should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the update, all running applications that use the xmlsec1 library must be restarted for the update to take effect. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-1425 xmlsec1: bogus lt_dlopen() search path [rhel-4] CVE-2011-1425 xmlsec1: arbitrary file creation when verifying signatures xmlsec1: bogus lt_dlopen() search path [rhel-5] cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 The IBM 1.4.2 SR13-FP9 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. This update fixes several vulnerabilities in the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. Detailed vulnerability descriptions are linked from the IBM "Security alerts" page, listed in the References section. (CVE-2010-4447, CVE-2010-4448, CVE-2010-4454, CVE-2010-4462, CVE-2010-4465, CVE-2010-4466, CVE-2010-4473, CVE-2010-4475, CVE-2011-0311) All users of java-1.4.2-ibm are advised to upgrade to these updated packages, which contain the IBM 1.4.2 SR13-FP9 Java release. All running instances of IBM Java must be restarted for this update to take effect. Critical Copyright 2011 Red Hat, Inc. CVE-2010-4447 CVE-2010-4448 CVE-2010-4454 CVE-2010-4462 CVE-2010-4465 CVE-2010-4466 CVE-2010-4473 CVE-2010-4475 CVE-2010-4465 OpenJDK Swing timer-based security manager bypass (6907662) CVE-2010-4448 OpenJDK DNS cache poisoning by untrusted applets (6981922) CVE-2010-4475 JDK unspecified vulnerability in Deployment component CVE-2010-4473 JDK unspecified vulnerability in Sound component CVE-2010-4466 JDK unspecified vulnerability in Deployment component CVE-2010-4462 JDK unspecified vulnerability in Sound component CVE-2010-4454 JDK unspecified vulnerability in Sound component CVE-2010-4447 JDK unspecified vulnerability in Deployment component CVE-2011-0311 IBM JDK Class file parsing denial-of-service cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 4 Python is an interpreted, interactive, object-oriented programming language. A flaw was found in the Python urllib and urllib2 libraries where they would not differentiate between different target URLs when handling automatic redirects. This caused Python applications using these modules to follow any new URL that they understood, including the "file://" URL type. This could allow a remote server to force a local Python application to read a local file instead of the remote one, possibly exposing local files that were not meant to be exposed. (CVE-2011-1521) Multiple flaws were found in the Python audioop module. Supplying certain inputs could cause the audioop module to crash or, possibly, execute arbitrary code. (CVE-2010-1634, CVE-2010-2089) A race condition was found in the way the Python smtpd module handled new connections. A remote user could use this flaw to cause a Python script using the smtpd module to terminate. (CVE-2010-3493) An information disclosure flaw was found in the way the Python CGIHTTPServer module processed certain HTTP GET requests. A remote attacker could use a specially-crafted request to obtain the CGI script's source code. (CVE-2011-1015) A buffer over-read flaw was found in the way the Python Expat parser handled malformed UTF-8 sequences when processing XML files. A specially-crafted XML file could cause Python applications using the Python Expat parser to crash while parsing the file. (CVE-2009-3720) This update makes Python use the system Expat library rather than its own internal copy; therefore, users must have the version of Expat shipped with RHSA-2009:1625 installed, or a later version, to resolve the CVE-2009-3720 issue. All Python users should upgrade to these updated packages, which contain backported patches to correct these issues. Moderate Copyright 2011 Red Hat, Inc. CVE-2009-3720 CVE-2010-1634 CVE-2010-2089 CVE-2010-3493 CVE-2011-1015 CVE-2011-1521 CVE-2009-3720 expat: buffer over-read and crash on XML with malformed UTF-8 sequences CVE-2010-1634 python: audioop: incorrect integer overflow checks CVE-2010-2089 Python: Memory corruption in audioop module CVE-2010-3493 Python: SMTP proxy RFC 2821 module DoS (uncaught exception) (Issue #9129) CVE-2011-1015 python (CGIHTTPServer): CGI script source code disclosure CVE-2011-1521 python (urllib, urllib2): Improper management of ftp:// and file:// URL schemes (Issue #11662) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Python is an interpreted, interactive, object-oriented programming language. A flaw was found in the Python urllib and urllib2 libraries where they would not differentiate between different target URLs when handling automatic redirects. This caused Python applications using these modules to follow any new URL that they understood, including the "file://" URL type. This could allow a remote server to force a local Python application to read a local file instead of the remote one, possibly exposing local files that were not meant to be exposed. (CVE-2011-1521) A race condition was found in the way the Python smtpd module handled new connections. A remote user could use this flaw to cause a Python script using the smtpd module to terminate. (CVE-2010-3493) An information disclosure flaw was found in the way the Python CGIHTTPServer module processed certain HTTP GET requests. A remote attacker could use a specially-crafted request to obtain the CGI script's source code. (CVE-2011-1015) A buffer over-read flaw was found in the way the Python Expat parser handled malformed UTF-8 sequences when processing XML files. A specially-crafted XML file could cause Python applications using the Python Expat parser to crash while parsing the file. (CVE-2009-3720) This update makes Python use the system Expat library rather than its own internal copy; therefore, users must have the version of Expat shipped with RHSA-2009:1625 installed, or a later version, to resolve the CVE-2009-3720 issue. All Python users should upgrade to these updated packages, which contain backported patches to correct these issues. Moderate Copyright 2011 Red Hat, Inc. CVE-2009-3720 CVE-2010-3493 CVE-2011-1015 CVE-2011-1521 CVE-2009-3720 expat: buffer over-read and crash on XML with malformed UTF-8 sequences CVE-2010-3493 Python: SMTP proxy RFC 2821 module DoS (uncaught exception) (Issue #9129) CVE-2011-1015 python (CGIHTTPServer): CGI script source code disclosure CVE-2011-1521 python (urllib, urllib2): Improper management of ftp:// and file:// URL schemes (Issue #11662) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The xen packages contain administration tools and the xend service for managing the kernel-xen kernel for virtualization on Red Hat Enterprise Linux. It was found that the xc_try_bzip2_decode() and xc_try_lzma_decode() decode routines did not correctly check for a possible buffer size overflow in the decoding loop. As well, several integer overflow flaws and missing error/range checking were found that could lead to an infinite loop. A privileged guest user could use these flaws to crash the guest or, possibly, execute arbitrary code in the privileged management domain (Dom0). (CVE-2011-1583) All xen users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect. Important Copyright 2011 Red Hat, Inc. CVE-2011-1583 CVE-2011-1583 xen: insufficiencies in pv kernel image validation cpe:/a:redhat:rhel_virtualization cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security fixes: * An integer overflow flaw in ib_uverbs_poll_cq() could allow a local, unprivileged user to cause a denial of service or escalate their privileges. (CVE-2010-4649, Important) * An integer signedness flaw in drm_modeset_ctl() could allow a local, unprivileged user to cause a denial of service or escalate their privileges. (CVE-2011-1013, Important) * The Radeon GPU drivers in the Linux kernel were missing sanity checks for the Anti Aliasing (AA) resolve register values which could allow a local, unprivileged user to cause a denial of service or escalate their privileges on systems using a graphics card from the ATI Radeon R300, R400, or R500 family of cards. (CVE-2011-1016, Important) * A flaw in dccp_rcv_state_process() could allow a remote attacker to cause a denial of service, even when the socket was already closed. (CVE-2011-1093, Important) * A flaw in the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation could allow a remote attacker to cause a denial of service if the sysctl "net.sctp.addip_enable" and "auth_enable" variables were turned on (they are off by default). (CVE-2011-1573, Important) * A memory leak in the inotify_init() system call. In some cases, it could leak a group, which could allow a local, unprivileged user to eventually cause a denial of service. (CVE-2010-4250, Moderate) * A missing validation of a null-terminated string data structure element in bnep_sock_ioctl() could allow a local user to cause an information leak or a denial of service. (CVE-2011-1079, Moderate) * An information leak in bcm_connect() in the Controller Area Network (CAN) Broadcast Manager implementation could allow a local, unprivileged user to leak kernel mode addresses in "/proc/net/can-bcm". (CVE-2010-4565, Low) * A flaw was found in the Linux kernel's Integrity Measurement Architecture (IMA) implementation. When SELinux was disabled, adding an IMA rule which was supposed to be processed by SELinux would cause ima_match_rules() to always succeed, ignoring any remaining rules. (CVE-2011-0006, Low) * A missing initialization flaw in the XFS file system implementation could lead to an information leak. (CVE-2011-0711, Low) * Buffer overflow flaws in snd_usb_caiaq_audio_init() and snd_usb_caiaq_midi_init() could allow a local, unprivileged user with access to a Native Instruments USB audio device to cause a denial of service or escalate their privileges. (CVE-2011-0712, Low) * The start_code and end_code values in "/proc/[pid]/stat" were not protected. In certain scenarios, this flaw could be used to defeat Address Space Layout Randomization (ASLR). (CVE-2011-0726, Low) * A flaw in dev_load() could allow a local user who has the CAP_NET_ADMIN capability to load arbitrary modules from "/lib/modules/", instead of only netdev modules. (CVE-2011-1019, Low) * A flaw in ib_uverbs_poll_cq() could allow a local, unprivileged user to cause an information leak. (CVE-2011-1044, Low) * A missing validation of a null-terminated string data structure element in do_replace() could allow a local user who has the CAP_NET_ADMIN capability to cause an information leak. (CVE-2011-1080, Low) Red Hat would like to thank Vegard Nossum for reporting CVE-2010-4250; Vasiliy Kulikov for reporting CVE-2011-1079, CVE-2011-1019, and CVE-2011-1080; Dan Rosenberg for reporting CVE-2010-4565 and CVE-2011-0711; Rafael Dominguez Vega for reporting CVE-2011-0712; and Kees Cook for reporting CVE-2011-0726. This update also fixes various bugs and adds an enhancement. Documentation for these changes will be available shortly from the Technical Notes document linked to in the References section. Users should upgrade to these updated packages, which contain backported patches to resolve these issues, and fix the bugs and add the enhancement noted in the Technical Notes. The system must be rebooted for this update to take effect. Important Copyright 2011 Red Hat, Inc. CVE-2010-4250 CVE-2010-4565 CVE-2010-4649 CVE-2011-0006 CVE-2011-0711 CVE-2011-0712 CVE-2011-0726 CVE-2011-1013 CVE-2011-1016 CVE-2011-1019 CVE-2011-1044 CVE-2011-1079 CVE-2011-1080 CVE-2011-1093 CVE-2011-1573 CVE-2010-4250 kernel: inotify memory leak CVE-2010-4565 kernel: CAN info leak CVE-2011-0006 kernel: ima: fix add LSM rule bug CVE-2010-4649 CVE-2011-1044 kernel: IB/uverbs: Handle large number of entries in poll CQ [6.0] System reset when changing EFI variable on large memory system [rhel-6.0.z] CVE-2011-0711 kernel: xfs: prevent leaking uninitialized stack memory in FSGEOMETRY_V1 CVE-2011-0712 kernel: ALSA: caiaq - Fix possible string-buffer overflow CVE-2011-1013 kernel: drm_modeset_ctl signedness issue CVE-2011-1016 kernel: drm/radeon/kms: check AA resolve registers on r300 CVE-2011-1019 kernel: CAP_SYS_MODULE bypass via CAP_NET_ADMIN CVE-2011-1079 kernel: bnep device field missing NULL terminator CVE-2011-1080 kernel: ebtables stack infoleak CVE-2011-1093 kernel: dccp: fix oops on Reset after close [6.1] Common code infrastructure for VLAN null tagging [rhel-6.0.z] kernel: BUG: warning at drivers/char/tty_audit.c:55/tty_audit_buf_free() [rhel-6.0.z] CVE-2011-0726 kernel: proc: protect mm start_code/end_code in /proc/pid/stat Bonded and vlan tagged network does not work in KVM guest [rhel-6.0.z] 82576 stuck after PCI AER error [rhel-6.0.z] kswapd0 100% [rhel-6.0.z] CVE-2011-1573 kernel: sctp: fix to calc the INIT/INIT-ACK chunk length correctly to set emc_clariion error handler panics with multiple failures [rhel-6.0.z] Bond interface flapping and increasing rx_missed_errors [rhel-6.0.z] cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 rdesktop is a client for the Remote Desktop Server (previously, Terminal Server) in Microsoft Windows. It uses the Remote Desktop Protocol (RDP) to remotely present a user's desktop. A directory traversal flaw was found in the way rdesktop shared a local path with a remote server. If a user connects to a malicious server with rdesktop, the server could use this flaw to cause rdesktop to read and write to arbitrary, local files accessible to the user running rdesktop. (CVE-2011-1595) Red Hat would like to thank Cendio AB for reporting this issue. Cendio AB acknowledges an anonymous contributor working with the SecuriTeam Secure Disclosure program as the original reporter. Users of rdesktop should upgrade to this updated package, which contains a backported patch to resolve this issue. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-1595 CVE-2011-1595 rdesktop remote file access cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 4 The Apache Portable Runtime (APR) is a portability library used by the Apache HTTP Server and other projects. It provides a free library of C data structures and routines. It was discovered that the apr_fnmatch() function used an unconstrained recursion when processing patterns with the '*' wildcard. An attacker could use this flaw to cause an application using this function, which also accepted untrusted input as a pattern for matching (such as an httpd server using the mod_autoindex module), to exhaust all stack memory or use an excessive amount of CPU time when performing matching. (CVE-2011-0419) Red Hat would like to thank Maksymilian Arciemowicz for reporting this issue. All apr users should upgrade to these updated packages, which contain a backported patch to correct this issue. Applications using the apr library, such as httpd, must be restarted for this update to take effect. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-0419 CVE-2011-0419 apr: unconstrained recursion in apr_fnmatch cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 Supplementary for Red Hat Enterprise Linux 6 The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in. This update fixes multiple vulnerabilities in Adobe Flash Player. These vulnerabilities are detailed on the Adobe security page APSB11-12, listed in the References section. Multiple security flaws were found in the way flash-plugin displayed certain SWF content. An attacker could use these flaws to create a specially-crafted SWF file that would cause flash-plugin to crash or, potentially, execute arbitrary code when the victim loaded a page containing the specially-crafted SWF content. (CVE-2011-0618, CVE-2011-0619, CVE-2011-0620, CVE-2011-0621, CVE-2011-0622, CVE-2011-0623, CVE-2011-0624, CVE-2011-0625, CVE-2011-0626, CVE-2011-0627) This update also fixes an information disclosure flaw in flash-plugin. (CVE-2011-0579) All users of Adobe Flash Player should install this updated package, which upgrades Flash Player to version 10.3.181.14. Critical Copyright 2011 Red Hat, Inc. CVE-2011-0579 CVE-2011-0618 CVE-2011-0619 CVE-2011-0620 CVE-2011-0621 CVE-2011-0622 CVE-2011-0623 CVE-2011-0624 CVE-2011-0625 CVE-2011-0626 CVE-2011-0627 CVE-2011-0628 CVE-2011-0579 CVE-2011-0618 CVE-2011-0619 CVE-2011-0620 CVE-2011-0621 CVE-2011-0622 CVE-2011-0623 CVE-2011-0624 CVE-2011-0625 CVE-2011-0626 CVE-2011-0627 CVE-2011-0628 flash-plugin: crash and potential arbitrary code execution (APSB11-12) cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 6 KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. qemu-kvm is the user-space component for running virtual machines using KVM. It was found that the virtio-blk driver in qemu-kvm did not properly validate read and write requests from guests. A privileged guest user could use this flaw to crash the guest or, possibly, execute arbitrary code on the host. (CVE-2011-1750) It was found that the PIIX4 Power Management emulation layer in qemu-kvm did not properly check for hot plug eligibility during device removals. A privileged guest user could use this flaw to crash the guest or, possibly, execute arbitrary code on the host. (CVE-2011-1751) Red Hat would like to thank Nelson Elhage for reporting CVE-2011-1751. This update also fixes several bugs and adds various enhancements. Documentation for these bug fixes and enhancements will be available shortly from the Technical Notes document, linked to in the References section. All users of qemu-kvm should upgrade to these updated packages, which contain backported patches to resolve these issues, and fix the bugs and add the enhancements noted in the Technical Notes. After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect. Important Copyright 2011 Red Hat, Inc. CVE-2011-1750 CVE-2011-1751 support high resolutions Vhost: Segfault when assigning a none vhostfd "Guest moved used index from 0 to 61440" if remove virtio serial device before virtserialport info snapshot return "bdrv_snapshot_list: error -95" Could not ping guest successfully after changing e1000 MTU RHEL3.9 guest netdump hung with e1000 index is empty in qemu-doc.html Incorrect & misleading error reporting when failing to open a drive due to block driver whitelist denial QEMU doesn't respect hardware sector size of underlying block device when doing O_DIRECT incorrect committed memory on idle host [RFE] qemu-io enable truncate function for qcow2. RFE QMP: support of query spice for guest vmware device emulation enabled but not supported mrg buffers: migration breaks between systems with/without vhost qemu-kvm core dump with virtio-serial-pci max-port greater than 31 Qemu becomes unresponsive during unattended_installation qemu should more clearly indicate internal detection of this host out-of-memory condition at startup.. qemu "-cpu [check | enforce ]" should work even when a model name is not specified on the command line SCP image fails from host to guest with vhost on when do migration hot unplug of vhost net virtio NIC causes qemu segfault migration failed after hot-unplug virtserialport - Unknown savevm section or instance '0000:00:07.0/virtio-console' 0 time drift after guest running for more than 12 hours [qemu] [rhel6] guest installation stop (pause) on 'eother' event over COW disks (thin-provisioning) [qemu] [rhel6] bad error handling when qemu has no 'read' permissions over {kernel,initrd} files [pass boot options] Replace virtio-net TX timer mitigation with bottom half handler pass through fails with KVM using Neterion Inc's X3100 Series 10GbE PCIe I/O Virtualized Server Adapter in Multifunction mode. Failed to update the media in floppy device qemu treatment of -nodefconfig and -readconfig problematic for debug RFE QMP: should have command to disconnect and connect network card for whql testing qemu exits when hot adding rtl8139 nic to win2k8 guest vhost_net: untested error handling in vhost_net_start spice: prepare qxl for 6.1 update. Duplicate CPU fea.tures in cpu-x86_64.conf Guest may core dump when booting with spice and qxl. [6.1 FEAT] QEMU static tracing framework [6.1 FEAT] virtio-blk ioeventfd support Cannot hot-plug nic in windows VM when the vmem is larger coredumped when enable qxl without spice Can not commit copy-on-write image's data to raw backing-image Allow enable/disable ksm per VM KVM:qemu-img re-base poor performance(on local storage) when snapshot to a new disk RFE: Assigned device should block migration -cpu check does not correctly enforce CPUID items watchdog timer isn't reset when qemu resets ksmtuned: give a nicer message if retune is called while ksmtuned is off [qemu-kvm] bochs vga lfb @ 0xe0000000 causes trouble for hot-plug Incorrect russian vnc keymap qemu-img ignores close() errors qemu-kvm aborts of 'qemu_spice_display_create_update: unhandled depth: 0 bits' Do not advertise boot=on capability to libvirt Allow to specify boot order on qemu command line. guest migration turns failed by the end (16G + stress load) Implement QEMU driver for modern sound device like Intel HDA Support slow mapping of PCI Bars Support Westmere as a CPU model or included within existing models.. QMP: provide a hmp_passthrough command to allow execution of non-converted commands support 2560x1440 in qxl TCP checksum overflows in qemu's e1000 emulation code when TSO is enabled in guest OS Changing media with -snapshot deletes image file qcow2: Backport performance related patches qemu-kvm (or libvirt?) permission denied errors when exporting readonly IDE disk to guest Can only see 16 virtio ports while assigned 30 virtio serial ports on commandLine Include (disabled by default) -fake-machine patch on qemu-kvm RPM spec Fix build problem with recent compilers Option -enable-kvm should exit when KVM is unavailable lost double clicks on slow connections load vhost-net by default device-assignment leaks option ROM memory WinXP hang when reboot after setup copies files to the installation folders Block devices don't implement correct flush error handling Hot plug the 14st VF to guest causes guest shut down possible migration failure due to erroneous interpretation of subsection Improper responsive message when shrinking qcow2 image spicevmc: flow control on the spice agent channel is missing in both directions romfile memory leak Tracetool autogenerate qemu-kvm.stp with wrong qemu-kvm path getting 'ctrl buffer too small' error on USB passthrough slow guests block other guests on the same lan disable vhost-net for rhel5 and older guests Install of cpu-x86_64.conf bombs for an out of tree build.. set_link <tap> off not working with vhost-net core dumped when save snapshot to non-exist disk segment fault happens after hot drive add then drive delete disabling vmware device emulation breaks old->new migration qemu-kvm hangs when installing guest with -spice option Exec based migration randomly fails, particularly under high load can't hotplug second vf successful with message "Too many open files" floppy I/O error after live migration while floppy in use qemu-kvm: Invalid parameter 'vhostforce' Segfault occurred during migration guest with assigned nic got kernel panic when send system_reset signal in QEMU monitor Drive serial number gets truncated qcow2: qcow2_open doesn't return useful errors qcow2: Some paths fail to handle I/O errors qcow2: Reads fail with backing file smaller than snapshot qemu-kvm -no-kvm segfaults on pci_add spice-server does not switch back to server mouse mode if guest spice-agent dies. Backport qemu_get_ram_ptr() performance improvement qemu-img re-base fail with read-only new backing file Migration fails when migrate guest from RHEL6.1 host to RHEL6 host with the same libvirt version RHEL 6.1 qemu-kvm: Specifying ipv6 addresses breaks migration CVE-2011-1750 virtio-blk: heap buffer overflow caused by unaligned requests CVE-2011-1751 qemu: acpi_piix4: missing hotplug check during device removal cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues: * Multiple buffer overflow flaws were found in the Linux kernel's Management Module Support for Message Passing Technology (MPT) based controllers. A local, unprivileged user could use these flaws to cause a denial of service, an information leak, or escalate their privileges. (CVE-2011-1494, CVE-2011-1495, Important) * A flaw was found in the Linux kernel's Ethernet bonding driver implementation. Packets coming in from network devices that have more than 16 receive queues to a bonding interface could cause a denial of service. (CVE-2011-1581, Important) * A flaw was found in the Linux kernel's networking subsystem. If the number of packets received exceeded the receiver's buffer limit, they were queued in a backlog, consuming memory, instead of being discarded. A remote attacker could abuse this flaw to cause a denial of service (out-of-memory condition). (CVE-2010-4251, Moderate) * A flaw was found in the Linux kernel's Transparent Huge Pages (THP) implementation. A local, unprivileged user could abuse this flaw to allow the user stack (when it is using huge pages) to grow and cause a denial of service. (CVE-2011-0999, Moderate) * A flaw was found in the transmit methods (xmit) for the loopback and InfiniBand transports in the Linux kernel's Reliable Datagram Sockets (RDS) implementation. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2011-1023, Moderate) * A flaw in the Linux kernel's Event Poll (epoll) implementation could allow a local, unprivileged user to cause a denial of service. (CVE-2011-1082, Moderate) * An inconsistency was found in the interaction between the Linux kernel's method for allocating NFSv4 (Network File System version 4) ACL data and the method by which it was freed. This inconsistency led to a kernel panic which could be triggered by a local, unprivileged user with files owned by said user on an NFSv4 share. (CVE-2011-1090, Moderate) * A missing validation check was found in the Linux kernel's mac_partition() implementation, used for supporting file systems created on Mac OS operating systems. A local attacker could use this flaw to cause a denial of service by mounting a disk that contains specially-crafted partitions. (CVE-2011-1010, Low) * A buffer overflow flaw in the DEC Alpha OSF partition implementation in the Linux kernel could allow a local attacker to cause an information leak by mounting a disk that contains specially-crafted partition tables. (CVE-2011-1163, Low) * Missing validations of null-terminated string data structure elements in the do_replace(), compat_do_replace(), do_ipt_get_ctl(), do_ip6t_get_ctl(), and do_arpt_get_ctl() functions could allow a local user who has the CAP_NET_ADMIN capability to cause an information leak. (CVE-2011-1170, CVE-2011-1171, CVE-2011-1172, Low) Red Hat would like to thank Dan Rosenberg for reporting CVE-2011-1494 and CVE-2011-1495; Nelson Elhage for reporting CVE-2011-1082; Timo Warns for reporting CVE-2011-1010 and CVE-2011-1163; and Vasiliy Kulikov for reporting CVE-2011-1170, CVE-2011-1171, and CVE-2011-1172. This update also fixes several hundred bugs and adds enhancements. Refer to the Red Hat Enterprise Linux 6.1 Release Notes for information on the most significant of these changes, and the Technical Notes for further information, both linked to in the References. All Red Hat Enterprise Linux 6 users are advised to install these updated packages, which correct these issues, and fix the bugs and add the enhancements noted in the Red Hat Enterprise Linux 6.1 Release Notes and Technical Notes. The system must be rebooted for this update to take effect. Important Copyright 2011 Red Hat, Inc. CVE-2010-3881 CVE-2010-4251 CVE-2010-4805 CVE-2011-0999 CVE-2011-1010 CVE-2011-1023 CVE-2011-1082 CVE-2011-1090 CVE-2011-1163 CVE-2011-1170 CVE-2011-1171 CVE-2011-1172 CVE-2011-1494 CVE-2011-1495 CVE-2011-1581 [LTC 6.0 FEAT] 201227:NFS over RDMA support new ext4 ioctls, tunables etc undocumented xen PV guest kernel 2.6.32 processes lock up in D state Virtio Net/Disk block devices get wrong parent in node device info [abrt] crash in kernel: Your BIOS is broken; DMAR reported at address fed90000 returns all ones! Garbled image with zc3xx-based webcam IPv6 tproxy support is not present in RHEL 6 Beta [abrt] WARNING: at fs/buffer.c:1159 mark_buffer_dirty+0x82/0xa0() ACPI Error: Illegal I/O port address/length above 64K CDTRDSR missing from <asm/termios.h> bonding: backport code to allow user-controlled output slave detection. Read from /proc/xen/xenbus does not honor O_NONBLOCK [6u0] Bonding in ALB mode sends ARP in loop udevd report unexpected exit when guest boot up with nmi_watchdog = 1 and using debugfs tracing KVM (AMD) problems with 64b division on 32b platforms. guest kernel panic when boot with nmi_watchdog=1 mrg buffers: migration breaks between systems with/without vhost make exclusively owned pages belong to the local anon_vma on swapin cifs: NT_STATUS_MEDIA_WRITE_PROTECTED not being mapped appropriately to POSIX error jbd2/ocfs2: Fix block checksumming when a buffer is used in several transactions core_pattern handler truncates parameters RHEL UV: kernel patch for kexec Intel HDA audio: popping/clicking sound distortion Host kernel oops after a series of virsh {attach,detach}-device backport wireless 2.6.32-longterm fixes networking may go away after migration due to missing arp update Bonded and vlan tagged network does not work in KVM guest [RHEL6][Kernel] BUG: spinlock wrong CPU on CPU#2, modprobe/713 (Not tainted) K10 temp support in lm_sensors Upgrading NFS client to 2.6.36 release. read from virtio-serial returns if the host side is not connect to pipe [RHEL6][Kernel] FATAL: Error inserting ipv6, Cannot allocate memory, causes panic GFS2: [RFE] fallocate support for GFS2 block IO controller: Pull in Group idle tunable patches from upstream [RHEL6.0] e1000e devices fail to initialize interrupts properly be2net: A bad assert in processing async messages from NIC Fix hot-unplug handling of virtio-console ports kernel: Problem with execve(2) reintroduced [rhel-6.1] i8259 state is corrupted during migration modpost segmentation fault module signing failing on cross-builds due to linker misuse groups_search() cannot handle large gid correctly kernel ABI whitelist request for kspice-usb driver [Red Hat] GFS1 vs GFS2 performance issue kernel: additional stack guard patches [rhel-6.1] Big performance regression found on connect/request/response test through IPSEC (openswan) transport Cannot unplug emulated ide and rtl8139 devices in RHEL6 HVM xen guest block: fix s390 tape block driver crash that occurs when it switches the IO scheduler [6.1 FEAT] KVM Network Performance: mergeable rx buffers support in vhost-net kswapd0 100% migrate_cancel under STRESS caused guest to hang PATCH: virtio_console: Fix poll blocking even though there is data to read audit filtering on selinux label of userspace audit messages tg3: Disable TSS GFS2: inode glock stuck without holder Disallow 0-sized writes to virtio ports to go through to host (leading to VM crash) Disable lseek(2) for virtio ports WinXP BSOD when boot up with -cpu Penryn ptrace: the tracee can get the extra trap after PTRACE_DETACH [LSI 6.1 bug] RHEL 6.0 iSCSI offload (cxgb3i) sessions do not log back in after several controller reset cycles [LSI CR184419] 32bit compat vectored aio routines are broken [NetApp 6.1 bug] SCSI ALUA handler fails to handle ALUA transitioning properly Bug fixes to the 2.6.36 NFS Client Bug fixes to the 2.6.36 NFS Server GFS2: Not enough space reserved in gfs2_write_begin and possibly elsewhere. Replies to broadcast SNMP and NetBIOS queries are dropped NFS4 clients cannot reclaim locks after server reboot GFS2 fatal: filesystem consistency error on rename Ensure we detect removed symbols in check-kabi Bonded interface doesn't issue IGMP report (join) on slave interface during failover Backport upstream cacheing fix for optimizing reads from /proc/vmcore /proc/bus/usb/devices formatting error iscsi: get nopout and conn errors. [NetApp 6.1 bug] regression: allow offlined devs to be set to running sysctl: bad user of proc_doulongvec_minmax() can oops the kernel virtio_console driver never returns from selecting for write when the queue is full writing to a virtio serial port while no one is listening on the host side hangs the guest Kernel divide by zero in find_busiest_group Enable extraction of hugepage pfn(s) from /proc/<pid>/pagemap [PATCH] fix size checks for mmap() on /proc/bus/pci files Backport support for TCP thin-streams Expose hw packet timestamps to network packet capture utilities - backport from 2.6.36 ext4: Don't error out the fs if the user tries to make a file too big [6.1 FEAT] Port KVM bug fixes for cr_access to RHEL 6 cifs: multiuser mount support [kvm] VIRT-IO NIC state is reported as 'unknown' on vm running over RHEL6 host kernel BUG at mm/migrate.c:113! [6.0] write system call returns with 0 when it should return with EFBIG. Kernel warning at boot: i7core_edac: probe of 0000:80:14.0 failed with error -22 Allow KSM to split hugepages kvm: guest stale memory after migration install_process_keyring() may return wrong error code ext4: writeback performance fixes ethtool: Provide a default implementation of ethtool_ops::get_drvinfo DMAR Errors on HP RAID controller with intel_iommu set to on, system hangs Excessive fpu swap entering and exiting kvm from host userspace Enable discard/UNMAP/WRITE_SAME for enterprise class arrays RHEL6.1: EHCI: AMD periodic frame list table quirk NULL pointer dereference in reading vs. truncating race GFS2: BUG_ON kernel panic in gfs2_glock_hold on 2.6.18-226 On AMD host, running an F14 guest with 2 cores assigned hangs for "a long time" (several 10's of minutes) at start of boot cifs: bug fixes for 6.1 cifs: mfsymlinks support If EXT4_EXTENTS_FL flag is not set, the max file size of write() is different than seek(). temporary loss of path to SAN results in persistent EIO with msync Upgrading NFS client to 2.6.37 release Upgrading NFS server to 2.6.37 release kernel: restrict unprivileged access to kernel syslog [rhel-6.1] Guest BSOD during installation EFI/UEFI page table initialization is incorrect for x86_64 in physical mode. kernel 2.6.32-84.el6 breaks systemtap e1000 driver tracebacks when running under VMware ESX4 Win2008 and Win7 fail to load files at the beginning of installation jbd2_stats_proc_init has wrong location. kabitool blocks custom kernel builds when kernel version > 2.6.18-53.1.21.el5 [Emulex 6.1] Update lpfc driver to 8.3.5.28 [RFE] Include autogroup patch to aid in automatic creation of cgroups cifs: fix problems with filehandle management and reporting of writeback errors Memory leak in virtio-console driver if driver probe routine fails GFS2: [RFE] glock scalability patches Guest kernels need 'noapic' to get kexec working with virtio-blk CVE-2010-4251 CVE-2010-4805 kernel: unlimited socket backlog DoS [xfstests 243] ext4 incosistency with EOFBLOCK_FL [Emulex 6.1 feat] add BSG and FC Transport patches from Upstream guest kernel panic when transfering file from host to guest during migration block IO controller: Allow creation of cgroup hierarchies neighbour update causes an Oops when using tunnel device GFS2: Use 512 B block sizes to communicate with userland quota tools khugepaged numa memcg minor memleak GFS2: Kernel changes necessary to allow growing completely full filesystems. UV: WAR for interrupt-IOPort deadlock (Mellanox) Add CX3 PCI IDs to mlx4 driver iw_cxgb3 advertises incorrect max cq depth causing stalls on large MPI clusters fsck.gfs2 reported statfs error after gfs2_grow MCP55 message on screen at boot even with quiet lldpad is generating selinux errors on 6.0-RC-4. nfs4 callback from client returned to wrong address OS halt on the login screen Bug fixes to the 2.6.37 NFS Client gfs2 FIEMAP oops [Emulex 6.1 feat] Update lpfc driver to 8.3.5.30 [Cisco 6.1 bug] Fix memory leak in fnic and bump version to 1.5.0.1 Update drivers/media to 2.6.38 codebase Bug fixes to the 2.6.37 NFS Server Add AES to CPUID ext_features recognized by kvm.. Btrfs: update to latest upstream RHEL6 Xen domU freeze after migrate to lower (MHz) CPU kernel: restrict access to /proc/kcore to just elf headers [rhel-6.1] kernels don't build on make-3.82 [6.0] System reset when changing EFI variable on large memory system THP updates from -mm System panic in pskb_expand_head When arp_validate option is specified in bonding ARP monitor mode kexec: limit root to call kexec_load() vhost-net/kvm lacks fixes/optimizations in net-next as of Dec 23 KVM crashes inside SeaBIOS when attempting to boot MS-DOS ftrace: kernel/trace/ring_buffer.c:1987 rb_reserve_next_event Add upstream performance enhancement to reduce time page fault handler holds mmap_sem semaphore. Bug for patches outside AGP/DRM required for AGP/DRM backport. lib: fix vscnprintf() if @size is == 0 kexec: Make sure to stop all CPUs before exiting the kernel PV cdrom should be disabled on HVM guests xen: unplug the emulated devices at resume time forward port xen pvops changes for evtchn xenfs: enable for HVM domains too cifs.upcall not called when mounting second CIFS share from same server using different krb5 credentials [NetApp 6.1 Bug] Include new NetApp PID entry to the alua_dev_list array in the ALUA hardware handler update Documentation/vm/page-types.c to latest upstream fcoe fails to login with Cisco Eaglehawk switch firmware on VFC shut/no shut NUMA is not recognized for nec-em25.rhts.eng.bos.redhat.com PCI sysfs rom file needs owner write access Server cannot boot with kernel-2.6.32-85 setfacl does not update ctime when changing file permission on ext3/4 [XEN]RHEL6 guest fail to save/restore xfs: need upstream unaligned aio/dio data corruption fixes ath9k: inconsistent lock state khugepaged blocking on page locks net: add receive functions that return GRO result codes netif_vdbg() is broken, does not compile if VERBOSE_DEBUG is not defined disable NUMA for Xen PV guests Additional upstream functions that make backporting easier [Broadcom 6.1 feat] bnx2: Update firmware to 6.2.1+ GFS2: Blocks not marked free on delete pages stuck in ksm pages_volatile [NetApp 6.0 Bug] Erroneous TPG ID check in SCSI ALUA Handler kernel panic at __rpc_create_common() when mounting nfs [RHEL6.1][Kernel] BUG: unable to handle kernel NULL pointer dereference, IP: [<ffffffff814115f0>] get_rps_cpu+0x290/0x340 xen 64-bit PV guests fail to save-restore with kernels >= -95 xen microcode WARN on save-restore GFS2: allow gfs2 to update quota usage through quotactl [RHEL6.1] possible vmalloc_sync_all() bug add POLLPRI to sock_def_readable() Repeatable NFS mount hang GFS2: recovery stuck on transaction lock section mismatch due to wrong annotation of hugetlb_sysfs_add_hstate() backport set_iounmap_nonlazy() to speedup reading of /proc/vmcore DOMU-HVM FULLVIRT Guest issue sfc: the rss_cpus module parameter is ignored [RHEL6] panic in scsi_init_io() during connectathon SPECsfs NFS V3 workload on RHEL6 running kernels 2.6.32-85 have a massive performance regression due to compact-kswap behavior mmapping a read only file on a gfs2 filesystem incorrectly acquires an exclusive glock usb: latest xhci fixes kernel-headers 2.6.32-112.el6 broken GFS2: Fails to clear glocks during unmount [RHEL6.1] s/390x hang while running LTP test 'tail -f' waits forever for inotify Fix potential deadlock in intel-iommu GFS2: panics on quotacheck update Back port Bug fixes from the 2.6.38 NFS Client to the RHEL6 Client /dev/crash does not require CAP_SYS_RAWIO for access xen fix save/restore: unmask event channel for IRQF_TIMER ip_gre module throws slab corruption errors upon removal from the kernel [Cisco 6.1 Bug Fix] enic: Update enic driver to latest upstream version 2.1.1.10 drivers/xen/events.c clean up section mismatch warning virtio_net: missing schedule on oom ixgbe: update to 3.0.12-k2 causing a panic on boot [RFE][6.1] sched: Try not to migrate higher priority RT tasks system_reset cause KVM internal error. Suberror: 2 [kdump] WARNING: at kernel/watchdog.c:229 watchdog_overflow_callback+0xa9/0xd0() (Not tainted Panic in get_rps_cpu+0x1ad/0x320 on kvm guest when attempting to run LTP containers test. qeth: allow channel path changes in recovery CVE-2011-0999 kernel: thp: prevent hugepages during args/env copying into the user stack online disk resizing may cause data corruption [RHEL6.1] [Kernel] When booting previous kernel we are missing the firmware Wifi connection speed is very slow (intel PRO/Wireless 3945ABG), caused by plcp check semantic difference between mapped file counters of memcg and global VM memcg: upstream backport of various race condition fixes md: Do not replace request queue lock internally CVE-2011-1010 kernel: fs/partitions: Validate map_count in Mac partition tables qeth: remove needless IPA-commands in offline [ext4/xfstests] kernel BUG at fs/jbd2/transaction.c:1027! kernel: BUG: warning at drivers/char/tty_audit.c:55/tty_audit_buf_free() emc_clariion error handler panics with multiple failures CVE-2011-1023 kernel: BUG_ON() in rds_send_xmit() 82576 stuck after PCI AER error RHEL 5.6 32bit SMP guest hang at boot up tape: deadlock on global work queue block IO controller: Do not use kblockd workqueue for throttle work [ext4/xfstests] 133 task blocked for more than 120 seconds CVE-2011-1082 kernel: potential kernel deadlock when creating circular epoll file structures kdump dont't work on megaraid_sas [RHEL 6] libsas: flush initial device discovery before completing ->scan_finished() CVE-2011-1090 kernel: nfs4: Ensure that ACL pages sent over NFS were not allocated from the slab fix skb leak in iwlwifi iwlagn: Support new 5000 microcode Bad ext4 sync performance on 16 TB GPT partition GFS2: umount stuck on gfs2_gl_hash_clear page_referenced() sometime ignores young bits with THP pE for /sbin/init has special logic that makes it unboundable missed unlock_page() in gfs2_write_begin() Windows guests hang when rebooting with kernel-2.6.32-121.el6 occasional NVS 3100 X server lockups RHEL6.1-Alpha: kABI breakage on UV memcg: premature oom-kill with transparent huge pages thp+memcg-numa: fix BUG at include/linux/mm.h:370! nfsv4 server leaking struct file on every lock operation CVE-2011-1163 kernel: fs/partitions: Corrupted OSF partition table infoleak RHEL6.1-20110316.1 dell-pe2800 NMI received for unknown reason CVE-2011-1170 kernel: ipv4: netfilter: arp_tables: fix infoleak to userspace CVE-2011-1171 kernel: ipv4: netfilter: ip_tables: fix infoleak to userspace CVE-2011-1172 kernel: ipv6: netfilter: ip6_tables: fix infoleak to userspace cfq-iosched: Fix a potential crash upon frequent group weight change mark drivers as tech preview Veritas SF 5.1 disagrees about version of symbol aio_complete NFS4 with sec=krb5 does not work with 6.1 beta kernel BUG at drivers/gpu/drm/i915/i915_gem.c:4238! slab corruption after seeing some nfs-related BUG: warning Fix compaction deadlock with SLUB and loop over tmpfs RHEL6.1 HVM guest with hda+hdc or hdb+hdd crashes; plus hdb/hdd are mapped incorrectly to xvde sha512hmac expects different checksum, fails on PPC64 CVE-2011-1494 CVE-2011-1495 kernel: drivers/scsi/mpt2sas: prevent heap overflows [regression] fix be2iscsi rmmod CVE-2011-1581 kernel: bonding: Incorrect TX queue offset [Broadcom 6.1 feat] Support bnx2i hba-mode and non-hba mode for boot in kernel Bond interface flapping and increasing rx_missed_errors server BUG() on receipt of bad NFSv4 lock request cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects. It was found that string comparison functions in Squid did not properly handle the comparisons of NULL and empty strings. A remote, trusted web client could use this flaw to cause the squid daemon to crash via a specially-crafted request. (CVE-2010-3072) This update also fixes the following bugs: * A small memory leak in Squid caused multiple "ctx: enter level" messages to be logged to "/var/log/squid/cache.log". This update resolves the memory leak. (BZ#666533) * This erratum upgrades Squid to upstream version 3.1.10. This upgraded version supports the Google Instant service and introduces various code improvements. (BZ#639365) Users of squid should upgrade to this updated package, which resolves these issues. After installing this update, the squid service will be restarted automatically. Low Copyright 2011 Red Hat, Inc. CVE-2010-3072 CVE-2010-3072 Squid: Denial of service due internal error in string handling (SQUID-2010:3) Rebase squid to version 3.1.10 small memleak in squid-3.1.4 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Python is an interpreted, interactive, object-oriented programming language. A flaw was found in the Python urllib and urllib2 libraries where they would not differentiate between different target URLs when handling automatic redirects. This caused Python applications using these modules to follow any new URL that they understood, including the "file://" URL type. This could allow a remote server to force a local Python application to read a local file instead of the remote one, possibly exposing local files that were not meant to be exposed. (CVE-2011-1521) A race condition was found in the way the Python smtpd module handled new connections. A remote user could use this flaw to cause a Python script using the smtpd module to terminate. (CVE-2010-3493) An information disclosure flaw was found in the way the Python CGIHTTPServer module processed certain HTTP GET requests. A remote attacker could use a specially-crafted request to obtain the CGI script's source code. (CVE-2011-1015) This erratum also upgrades Python to upstream version 2.6.6, and includes a number of bug fixes and enhancements. Documentation for these bug fixes and enhancements is available from the Technical Notes document, linked to in the References section. All users of Python are advised to upgrade to these updated packages, which correct these issues, and fix the bugs and add the enhancements noted in the Technical Notes. Moderate Copyright 2011 Red Hat, Inc. CVE-2010-3493 CVE-2011-1015 CVE-2011-1521 python >>> help() >>> modules command traceback when used without DISPLAY Try to print repr() when a fatal garbage collection assertion fails adjust test_commands unit test to the updated output of the ls command include the tests/data directory in the python-test rpm test_dbm fails on ppc64 & s390x Rebase python from 2.6.5 to 2.6.6 in RHEL 6.1 CVE-2010-3493 Python: SMTP proxy RFC 2821 module DoS (uncaught exception) (Issue #9129) rpmlint errors and warnings Generating python backtrace with "py-bt" fails with a traceback Infinite recursion in urllib2 on basicauth failure subprocess fails in select when descriptors are large (rhel6) urllib2's AbstractBasicAuthHandler is limited to 6 requests CVE-2011-1015 python (CGIHTTPServer): CGI script source code disclosure python update causes rhythmbox to crash python occasionally fails to build on machines with more than one core CVE-2011-1521 python (urllib, urllib2): Improper management of ftp:// and file:// URL schemes (Issue #11662) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Perl is a high-level programming language commonly used for system administration utilities and web programming. The Perl CGI module provides resources for preparing and processing Common Gateway Interface (CGI) based HTTP requests and responses. It was found that the Perl CGI module used a hard-coded value for the MIME boundary string in multipart/x-mixed-replace content. A remote attacker could possibly use this flaw to conduct an HTTP response splitting attack via a specially-crafted HTTP request. (CVE-2010-2761) A CRLF injection flaw was found in the way the Perl CGI module processed a sequence of non-whitespace preceded by newline characters in the header. A remote attacker could use this flaw to conduct an HTTP response splitting attack via a specially-crafted sequence of characters provided to the CGI module. (CVE-2010-4410) It was found that certain Perl string manipulation functions (such as uc() and lc()) failed to preserve the taint bit. A remote attacker could use this flaw to bypass the Perl taint mode protection mechanism in scripts that use the affected functions to process tainted input. (CVE-2011-1487) These packages upgrade the CGI module to version 3.51. Refer to the CGI module's Changes file, linked to in the References, for a full list of changes. This update also fixes the following bugs: * When using the "threads" module, an attempt to send a signal to a thread that did not have a signal handler specified caused the perl interpreter to terminate unexpectedly with a segmentation fault. With this update, the "threads" module has been updated to upstream version 1.82, which fixes this bug. As a result, sending a signal to a thread that does not have the signal handler specified no longer causes perl to crash. (BZ#626330) * Prior to this update, the perl packages did not require the Digest::SHA module as a dependency. Consequent to this, when a user started the cpan command line interface and attempted to download a distribution from CPAN, they may have been presented with the following message: CPAN: checksum security checks disabled because Digest::SHA not installed. Please consider installing the Digest::SHA module. This update corrects the spec file for the perl package to require the perl-Digest-SHA package as a dependency, and cpan no longer displays the above message. (BZ#640716) * When using the "threads" module, continual creation and destruction of threads could cause the Perl program to consume an increasing amount of memory. With this update, the underlying source code has been corrected to free the allocated memory when a thread is destroyed, and the continual creation and destruction of threads in Perl programs no longer leads to memory leaks. (BZ#640720) * Due to a packaging error, the perl packages did not include the "NDBM_File" module. This update corrects this error, and "NDBM_File" is now included as expected. (BZ#640729) * Prior to this update, the prove(1) manual page and the "prove --help" command listed "--fork" as a valid command line option. However, version 3.17 of the Test::Harness distribution removed the support for the fork-based parallel testing, and the prove utility thus no longer supports this option. This update corrects both the manual page and the output of the "prove --help" command, so that "--fork" is no longer included in the list of available command line options. (BZ#609492) Users of Perl, especially those of Perl threads, are advised to upgrade to these updated packages, which correct these issues. Moderate Copyright 2011 Red Hat, Inc. CVE-2010-2761 CVE-2010-4410 CVE-2011-1487 unknown option fork with prove Sending signal to thread without signal handler in thread causes perl to segfault Let perl-CPAN Require: perl(Digest::SHA) Thread desctructor leaks NDBM_File module is missing in perl core perl-CGI, perl-CGI-Simple: CVE-2010-2761 - hardcoded MIME boundary value for multipart content, CVE-2010-4410 - CRLF injection allowing HTTP response splitting CVE-2011-1487 perl: lc(), uc() routines are laundering tainted data cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 The System Security Services Daemon (SSSD) provides a set of daemons to manage access to remote directories and authentication mechanisms. It provides an NSS and PAM interface toward the system and a pluggable back-end system to connect to multiple different account sources. It is also the basis to provide client auditing and policy services for projects such as FreeIPA. A flaw was found in the SSSD PAM responder that could allow a local attacker to crash SSSD via a carefully-crafted packet. With SSSD unresponsive, legitimate users could be denied the ability to log in to the system. (CVE-2010-4341) Red Hat would like to thank Sebastian Krahmer for reporting this issue. This update also fixes several bugs and adds various enhancements. Documentation for these bug fixes and enhancements will be available shortly from the Technical Notes document, linked to in the References section. Users of SSSD should upgrade to these updated packages, which upgrade SSSD to upstream version 1.5.1 to correct this issue, and fix the bugs and add the enhancements noted in the Technical Notes. Low Copyright 2011 Red Hat, Inc. CVE-2010-4341 Better support for Kerberos ticket cache management SSSD doesn't follow LDAP referrals when using non-anonymous bind the krb5 locator plugin isn't packaged for multilib SSSD initgroups does not behave as expected sssd is not escaping correctly LDAP searches Rebase SSSD to 1.5 NSS responder dies if DP dies during a request 'getent passwd <username>' returns nothing if its uidNumber gt 2147483647. Login screen freezes for more than 2mins when configured SSSD for proxy auth. SSSD will sometimes lose groups from the cache sssd stops on upgrade SSSD shutdown sometimes hangs Provide an option to specify DNS domain for service discovery CVE-2010-4341 sssd: DoS in sssd PAM responder can prevent logins nss client blocks when enumerating local domain after restart. '-s' option in sss_obfuscate command is a bit redundant. Obfuscated passwords can kill LDAP provider if OpenLDAP uses NSS. SSSD and sftp-only jailed users with pubkey login Missing primary group with simple access provider. Nested groups are not unrolled during the first enumeration. authconfig-tui/gtk removes "ldap_user_home_directory" from sssd.conf Traceback call messages displayed while "sss_obfuscate" command is executed as a non-root user. sss_obfuscate fails if there's no domain named "default". Group members are not sanitized in nested group processing -p option always uses empty string to obfuscate password. "no matching rule" message logged on all successful requests. Remove HBAC time rules from SSSD SSSD attempts to use START_TLS over LDAPS for authentication Does not read renewable ccache at startup. sssd crashes at the next tgt renewals it tries. SSSD in 6.0 can not locate HBAC rules from FreeIPAv2 name service caches names, so id command shows recently deleted users User information not updated on login for secondary domains SSSD needs to look at IPA's compat tree for netgroups IPA provider does not update removed group memberships on initgroups SSSD IPA provider should honor the krb5_realm option sssd not thread-safe sssd-be segmentation fault - ipa-client on ipa-server sssd_nss core dumps with certain lookups IPA provider should use realm instead of ipa_domain for base DN multiple problems with sssd + ldap (Active-Directory) and groups members. sudo/ldap lookup via sssd gets stuck for 5min waiting on netgroup sssd 1.5.1-9 breaks AD authentication SSSD should skip over groups with multiple names authconfig fails when access_provider is set as krb5 in sssd.conf. group memberships are not populated correctly during IPA provider initgroups Traceback messages seen while interrupting sss_obfuscate using ctrl+d. [abrt] sssd-1.2.1-28.el6_0.4: _talloc_free: Process /usr/libexec/sssd/sssd_be was killed by signal 11 (SIGSEGV) Groups with a zero-length memberuid attribute can cause SSSD to stop caching and responding to requests SSSD needs to fall back to 'cn' for GECOS information (was: SSSD configuration problem when configured with MSAD) Process /usr/libexec/sssd/sssd_be was killed by signal 11 (SIGSEGV) SSSD consumes GBs of RAM, possible memory leak Unable to resolve SRV record when called with _srv_,<fixed ldap uri> in ldap_uri SSSD crashes during getent when anonymous bind is disabled. [REGRESSION] Filters not honoured against fully-qualified users. sssd client libraries use select() but should use poll() instead cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 The Eclipse software development environment provides a set of tools for C/C++ and Java development. A cross-site scripting (XSS) flaw was found in the Eclipse Help Contents web application. An attacker could use this flaw to perform a cross-site scripting attack against victims by tricking them into visiting a specially-crafted Eclipse Help URL. (CVE-2010-4647) The following Eclipse packages have been upgraded to the versions found in the official upstream Eclipse Helios SR1 release, providing a number of bug fixes and enhancements over the previous versions: * eclipse to 3.6.1. (BZ#656329) * eclipse-cdt to 7.0.1. (BZ#656333) * eclipse-birt to 2.6.0. (BZ#656391) * eclipse-emf to 2.6.0. (BZ#656344) * eclipse-gef to 3.6.1. (BZ#656347) * eclipse-mylyn to 3.4.2. (BZ#656337) * eclipse-rse to 3.2. (BZ#656338) * eclipse-dtp to 1.8.1. (BZ#656397) * eclipse-changelog to 2.7.0. (BZ#669499) * eclipse-valgrind to 0.6.1. (BZ#669460) * eclipse-callgraph to 0.6.1. (BZ#669462) * eclipse-oprofile to 0.6.1. (BZ#670228) * eclipse-linuxprofilingframework to 0.6.1. (BZ#669461) In addition, the following updates were made to the dependencies of the Eclipse packages above: * icu4j to 4.2.1. (BZ#656342) * sat4j to 2.2.0. (BZ#661842) * objectweb-asm to 3.2. (BZ#664019) * jetty-eclipse to 6.1.24. (BZ#661845) This update includes numerous upstream bug fixes and enhancements, such as: * The Eclipse IDE and Java Development Tools (JDT): - projects and folders can filter out resources in the workspace. - new virtual folder and linked files support. - the full set of UNIX file permissions is now supported. - addition of the stop button to cancel long-running wizard tasks. - Java editor now shows multiple quick-fixes via problem hover. - new support for running JUnit version 4 tests. - over 200 upstream bug fixes. * The Eclipse C/C++ Development Tooling (CDT): - new Codan framework has been added for static code analysis. - refactoring improvements such as stored refactoring history. - compile and build errors now highlighted in the build console. - switch to the new DSF debugger framework. - new template view support. - over 600 upstream bug fixes. This update also fixes the following bugs: * Incorrect URIs for GNU Tools in the "Help Contents" window have been fixed. (BZ#622713) * The profiling of binaries did not work if an Eclipse project was not in an Eclipse workspace. This update adds an automated test for external project profiling, which corrects this issue. (BZ#622867) * Running a C/C++ application in Eclipse successfully terminated, but returned an I/O exception not related to the application itself in the Error Log window. With this update, the exception is no longer returned. (BZ#668890) * The eclipse-mylyn package showed a "20100916-0100-e3x" qualifier. The qualifier has been modified to "v20100902-0100-e3x" to match the upstream version of eclipse-mylyn. (BZ#669819) * Installing the eclipse-mylyn package failed and returned a "Resource temporarily unavailable" error message due to a bug in the packaging. This update fixes this bug and installation now works as expected. (BZ#673174) * Building the eclipse-cdt package could fail due to an incorrect interaction with the local file system. Interaction with the local file system is now prevented and the build no longer fails. (BZ#678364) * The libhover plug-in, provided by the eclipse-cdt package, used binary data to search for hover topics. The data location was specified externally as a URL which could cause an exception to occur on a system with no Internet access. This update modifies the plug-in so that it pulls the needed data from a local location. (BZ#679543) Users of eclipse should upgrade to these updated packages, which correct these issues and add these enhancements. Low Copyright 2011 Red Hat, Inc. CVE-2010-4647 Help Contents: Wrong URIs to GNU Tools Profiling of binaries does not work if Eclipse project is NOT in Eclipse workspace [eclipse] Re-base to Helios SR1 [eclipse-cdt] Re-base to Helios SR1(7.0.1) [eclipse-mylyn] Re-base to Helios SR1(3.4.0) [eclipse-rse] Re-base to Helios SR1(3.2.0) Re-base icu4j to 4.2.1 [eclipse-emf] Re-base to Helios SR1(2.6.0) [eclipse-gef] Re-base to Helios SR1(3.6.0) Re-base eclipse-birt to Helios SR1(2.6.0) [eclipse-dtp] Re-base to Helios SR1(1.8.0) Re-base to sat4j 2.2.0 Re-base to jetty-eclipse 6.1.24 CVE-2010-4647 eclipse: Help Content web application vulnerable to multiple XSS Re-base to objectweb-asm 3.2 Debug core logs spawner IO exception when running C/C++ executable [eclipse-valgrind] Update to work with updated eclipse-birt [eclipse-linuxprofilingframework] new version to allow updated eclipse-valgrind [eclipse-callgraph] Updates to callgraph to work with newer GEF [eclipse-changelog] Update eclipse-changelog plug-in Update eclipse-mylyn qualifier to 20100916-0100-e3x [eclipse-oprofile] Re-base to upstream 0.6.1 release error: unpacking of archive failed: cpio: lstat failed - Resource temporarily unavailable eclipse-cdt build touching local filesystem cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 libguestfs is a library for accessing and modifying guest disk images. libguestfs relied on the format auto-detection in QEMU rather than allowing the guest image file format to be specified. A privileged guest user could potentially use this flaw to read arbitrary files on the host that were accessible to a user on that host who was running a program that utilized the libguestfs library. (CVE-2010-3851) This erratum upgrades libguestfs to upstream version 1.7.17, which includes a number of bug fixes and one enhancement. Documentation for these bug fixes and this enhancement is provided in the Technical Notes document, linked to in the References section. All libguestfs users are advised to upgrade to these updated packages, which correct this issue, and fix the bugs and add the enhancement noted in the Technical Notes. Low Copyright 2011 Red Hat, Inc. CVE-2010-3851 document that mkmountpoint and umount-all cannot be mixed qemu -net / vlan option deprecated. Use -netdev instead. Rebase libguestfs in RHEL 6.1 vfs-type could not read just-created filesystem guestfish: fails to tilde expand '~' when the $HOME env is unset [RFE]It's better to emphasize "libguestfs-winsupport" in V2V manpage or error output [RFE] guestfish should print outputs in a suitable base (eg. octal for modes) get-e2uuid should use blkid instead of "tune2fs -l" to get filesystem UUID some guestfish sub commands can not handle special files properly "virt-ls" command failed to parse domain name "#" ""virt-list-filesystems" fails to parse the command line argument if the domain name is "#". CVE-2010-3851 libguestfs: missing disk format specifier when adding a disk checksum: wrong check sum type causes umount to fail virt-inspector depends on EPEL package perl-String-ShellQuote but does not require it libguestfs: unknown filesystem /dev/fd0 libguestfs: unknown filesystem /dev/hd{x} (cdrom) virt-filesystems command fails on guest with corrupt filesystem label guestfish -i is trying to mount all mounts from /etc/fstab and fails with an error when device doesn't exists Add a grep-friendly string to LIBGUESTFS_TRACE output Typo in virt-make-fs manual page libguestfs trace segfaults when list-filesystems returns error appliance doesn't include augeas device_map lens virt-inspector reports unknown filesystem /dev/vda1 Remove dependency on gfs2-utils cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 The sudo (superuser do) utility allows system administrators to give certain users the ability to run commands as root. A flaw was found in the sudo password checking logic. In configurations where the sudoers settings allowed a user to run a command using sudo with only the group ID changed, sudo failed to prompt for the user's password before running the specified command with the elevated group privileges. (CVE-2011-0010) This update also fixes the following bugs: * When the "/etc/sudoers" file contained entries with multiple hosts, running the "sudo -l" command incorrectly reported that a certain user does not have permissions to use sudo on the system. With this update, running the "sudo -l" command now produces the correct output. (BZ#603823) * Prior to this update, the manual page for sudoers.ldap was not installed, even though it contains important information on how to set up an LDAP (Lightweight Directory Access Protocol) sudoers source, and other documents refer to it. With this update, the manual page is now properly included in the package. Additionally, various POD files have been removed from the package, as they are required for build purposes only. (BZ#634159) * The previous version of sudo did not use the same location for the LDAP configuration files as the nss_ldap package. This has been fixed and sudo now looks for these files in the same location as the nss_ldap package. (BZ#652726) * When a file was edited using the "sudo -e file" or the "sudoedit file" command, the editor being executed for this task was logged only as "sudoedit". With this update, the full path to the executable being used as an editor is now logged (instead of "sudoedit"). (BZ#665131) * A comment regarding the "visiblepw" option of the "Defaults" directive has been added to the default "/etc/sudoers" file to clarify its usage. (BZ#688640) * This erratum upgrades sudo to upstream version 1.7.4p5, which provides a number of bug fixes and enhancements over the previous version. (BZ#615087) All users of sudo are advised to upgrade to this updated package, which resolves these issues. Low Copyright 2011 Red Hat, Inc. CVE-2011-0010 sudo - fix printing of entries with multiple host entries on a single line. Rebase sudo to version 1.7.3 .pod files are packaged under /usr/share/doc/sudo*, and man page for sudoers.ldap is missing sudo and nss_ldap use different ldap.conf CVE-2011-0010 sudo: does not ask for password on GID changes Add comment about the visiblepw option into sudoers cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Dovecot is an IMAP server for Linux, UNIX, and similar operating systems, primarily written with security in mind. A flaw was found in the way Dovecot handled SIGCHLD signals. If a large amount of IMAP or POP3 session disconnects caused the Dovecot master process to receive these signals rapidly, it could cause the master process to crash. (CVE-2010-3780) A flaw was found in the way Dovecot processed multiple Access Control Lists (ACL) defined for a mailbox. In some cases, Dovecot could fail to apply the more specific ACL entry, possibly resulting in more access being granted to the user than intended. (CVE-2010-3707) This update also adds the following enhancement: * This erratum upgrades Dovecot to upstream version 2.0.9, providing multiple fixes for the "dsync" utility and improving overall performance. Refer to the "/usr/share/doc/dovecot-2.0.9/ChangeLog" file after installing this update for further information about the changes. (BZ#637056) Users of dovecot are advised to upgrade to these updated packages, which resolve these issues and add this enhancement. After installing the updated packages, the dovecot service will be restarted automatically. Moderate Copyright 2011 Red Hat, Inc. CVE-2010-3707 CVE-2010-3780 rebase dovecot to 2.0 final CVE-2010-3707 Dovecot: Failed to properly update ACL cache, when multiple rules defined rights for one subject CVE-2010-3780 Dovecot: Busy master process, receiving a lot of SIGCHLD signals rapidly while logging, could die cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Pidgin is an instant messaging program which can log in to multiple accounts on multiple instant messaging networks simultaneously. Multiple NULL pointer dereference flaws were found in the way the Pidgin Yahoo! Messenger Protocol plug-in handled malformed YMSG packets. A remote attacker could use these flaws to crash Pidgin via a specially-crafted notification message. (CVE-2011-1091) Red Hat would like to thank the Pidgin project for reporting these issues. Upstream acknowledges Marius Wachtler as the original reporter. This update also fixes the following bugs: * Previous versions of the pidgin package did not properly clear certain data structures used in libpurple/cipher.c when attempting to free them. Partial information could potentially be extracted from the incorrectly cleared regions of the previously freed memory. With this update, data structures are properly cleared when freed. (BZ#684685) * This erratum upgrades Pidgin to upstream version 2.7.9. For a list of all changes addressed in this upgrade, refer to http://developer.pidgin.im/wiki/ChangeLog (BZ#616917) * Some incomplete translations for the kn_IN and ta_IN locales have been corrected. (BZ#633860, BZ#640170) Users of pidgin should upgrade to these updated packages, which resolve these issues. Pidgin must be restarted for this update to take effect. Low Copyright 2011 Red Hat, Inc. CVE-2011-1091 [kn_IN] Translation is not complete, untranslated message in Screenshot [ta_IN] Translation need to review for "Add Account" CVE-2011-1091 Pidgin: Multiple NULL pointer dereference flaws in Yahoo protocol plug-in Cipher API information disclosure in pidgin cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. A buffer over-read flaw was discovered in the way OpenSSL parsed the Certificate Status Request TLS extensions in ClientHello TLS handshake messages. A remote attacker could possibly use this flaw to crash an SSL server using the affected OpenSSL functionality. (CVE-2011-0014) This update fixes the following bugs: * The "openssl speed" command (which provides algorithm speed measurement) failed when openssl was running in FIPS (Federal Information Processing Standards) mode, even if testing of FIPS approved algorithms was requested. FIPS mode disables ciphers and cryptographic hash algorithms that are not approved by the NIST (National Institute of Standards and Technology) standards. With this update, the "openssl speed" command no longer fails. (BZ#619762) * The "openssl pkcs12 -export" command failed to export a PKCS#12 file in FIPS mode. The default algorithm for encrypting a certificate in the PKCS#12 file was not FIPS approved and thus did not work. The command now uses a FIPS approved algorithm by default in FIPS mode. (BZ#673453) This update also adds the following enhancements: * The "openssl s_server" command, which previously accepted connections only over IPv4, now accepts connections over IPv6. (BZ#601612) * For the purpose of allowing certain maintenance commands to be run (such as "rsync"), an "OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW" environment variable has been added. When a system is configured for FIPS mode and is in a maintenance state, this newly added environment variable can be set to allow software that requires the use of an MD5 cryptographic hash algorithm to be run, even though the hash algorithm is not approved by the FIPS-140-2 standard. (BZ#673071) Users of OpenSSL are advised to upgrade to these updated packages, which contain backported patches to resolve these issues and add these enhancements. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-0014 s_server doesn't listen for ipv6 connections openssl speed cmd fails on FIPS enabled machine CVE-2011-0014 openssl: OCSP stapling vulnerability cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Avahi is an implementation of the DNS Service Discovery and Multicast DNS specifications for Zero Configuration Networking. It facilitates service discovery on a local network. Avahi and Avahi-aware applications allow you to plug your computer into a network and, with no configuration, view other people to chat with, view printers to print to, and find shared files on other computers. A flaw was found in the way the Avahi daemon (avahi-daemon) processed Multicast DNS (mDNS) packets with an empty payload. An attacker on the local network could use this flaw to cause avahi-daemon on a target system to enter an infinite loop via an empty mDNS UDP packet. (CVE-2011-1002) This update also fixes the following bug: * Previously, the avahi packages in Red Hat Enterprise Linux 6 were not compiled with standard RPM CFLAGS; therefore, the Stack Protector and Fortify Source protections were not enabled, and the debuginfo packages did not contain the information required for debugging. This update corrects this issue by using proper CFLAGS when compiling the packages. (BZ#629954, BZ#684276) All users are advised to upgrade to these updated packages, which contain a backported patch to correct these issues. After installing the update, avahi-daemon will be restarted automatically. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-1002 CVE-2011-1002 avahi: daemon infinite loop triggered by an empty UDP packet (CVE-2010-2244 fix regression) [PATCH] avahi debuginfo useless cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. It was found that web applications could modify the location of the Tomcat host's work directory. As web applications deployed on Tomcat have read and write access to this directory, a malicious web application could use this flaw to trick Tomcat into giving it read and write access to an arbitrary directory on the file system. (CVE-2010-3718) A cross-site scripting (XSS) flaw was found in the Manager application, used for managing web applications on Tomcat. If a remote attacker could trick a user who is logged into the Manager application into visiting a specially-crafted URL, the attacker could perform Manager application tasks with the privileges of the logged in user. (CVE-2010-4172) A second cross-site scripting (XSS) flaw was found in the Manager application. A malicious web application could use this flaw to conduct an XSS attack, leading to arbitrary web script execution with the privileges of victims who are logged into and viewing Manager application web pages. (CVE-2011-0013) This update also fixes the following bugs: * A bug in the "tomcat6" init script prevented additional Tomcat instances from starting. As well, running "service tomcat6 start" caused configuration options applied from "/etc/sysconfig/tomcat6" to be overwritten with those from "/etc/tomcat6/tomcat6.conf". With this update, multiple instances of Tomcat run as expected. (BZ#636997) * The "/usr/share/java/" directory was missing a symbolic link to the "/usr/share/tomcat6/bin/tomcat-juli.jar" library. Because this library was mandatory for certain operations (such as running the Jasper JSP precompiler), the "build-jar-repository" command was unable to compose a valid classpath. With this update, the missing symbolic link has been added. (BZ#661244) * Previously, the "tomcat6" init script failed to start Tomcat with a "This account is currently not available." message when Tomcat was configured to run under a user that did not have a valid shell configured as a login shell. This update modifies the init script to work correctly regardless of the daemon user's login shell. Additionally, these new tomcat6 packages now set "/sbin/nologin" as the login shell for the "tomcat" user upon installation, as recommended by deployment best practices. (BZ#678671) * Some standard Tomcat directories were missing write permissions for the "tomcat" group, which could cause certain applications to fail with errors such as "No output folder". This update adds write permissions for the "tomcat" group to the affected directories. (BZ#643809) * The "/usr/sbin/tomcat6" wrapper script used a hard-coded path to the "catalina.out" file, which may have caused problems (such as for logging init script output) if Tomcat was being run with a user other than "tomcat" and with CATALINA_BASE set to a directory other than the default. (BZ#695284, BZ#697504) * Stopping Tomcat could have resulted in traceback errors being logged to "catalina.out" when certain web applications were deployed. (BZ#698624) Users of Tomcat should upgrade to these updated packages, which contain backported patches to correct these issues. Tomcat must be restarted for this update to take effect. Moderate Copyright 2011 Red Hat, Inc. CVE-2010-3718 CVE-2010-4172 CVE-2011-0013 Additionally Created Instances of Tomcat are broken / don't work Bad permissions on tomcat folders CVE-2010-4172 tomcat: cross-site-scripting vulnerability in the manager application Missing tomcat6-juli link in /usr/share/java CVE-2011-0013 tomcat: XSS vulnerability in HTML Manager interface CVE-2010-3718 tomcat: file permission bypass flaw tomcat user requires login shell catalina.out path hard-coded in /usr/sbin/tomcat6 tomcat6-6.0.wrapper redirects init script output to wrong place cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues: * A flaw in the dccp_rcv_state_process() function could allow a remote attacker to cause a denial of service, even when the socket was already closed. (CVE-2011-1093, Important) * Multiple buffer overflow flaws were found in the Linux kernel's Management Module Support for Message Passing Technology (MPT) based controllers. A local, unprivileged user could use these flaws to cause a denial of service, an information leak, or escalate their privileges. (CVE-2011-1494, CVE-2011-1495, Important) * A missing validation of a null-terminated string data structure element in the bnep_sock_ioctl() function could allow a local user to cause an information leak or a denial of service. (CVE-2011-1079, Moderate) * Missing error checking in the way page tables were handled in the Xen hypervisor implementation could allow a privileged guest user to cause the host, and the guests, to lock up. (CVE-2011-1166, Moderate) * A flaw was found in the way the Xen hypervisor implementation checked for the upper boundary when getting a new event channel port. A privileged guest user could use this flaw to cause a denial of service or escalate their privileges. (CVE-2011-1763, Moderate) * The start_code and end_code values in "/proc/[pid]/stat" were not protected. In certain scenarios, this flaw could be used to defeat Address Space Layout Randomization (ASLR). (CVE-2011-0726, Low) * A missing initialization flaw in the sco_sock_getsockopt() function could allow a local, unprivileged user to cause an information leak. (CVE-2011-1078, Low) * A missing validation of a null-terminated string data structure element in the do_replace() function could allow a local user who has the CAP_NET_ADMIN capability to cause an information leak. (CVE-2011-1080, Low) * A buffer overflow flaw in the DEC Alpha OSF partition implementation in the Linux kernel could allow a local attacker to cause an information leak by mounting a disk that contains specially-crafted partition tables. (CVE-2011-1163, Low) * Missing validations of null-terminated string data structure elements in the do_replace(), compat_do_replace(), do_ipt_get_ctl(), do_ip6t_get_ctl(), and do_arpt_get_ctl() functions could allow a local user who has the CAP_NET_ADMIN capability to cause an information leak. (CVE-2011-1170, CVE-2011-1171, CVE-2011-1172, Low) * A heap overflow flaw in the Linux kernel's EFI GUID Partition Table (GPT) implementation could allow a local attacker to cause a denial of service by mounting a disk that contains specially-crafted partition tables. (CVE-2011-1577, Low) Red Hat would like to thank Dan Rosenberg for reporting CVE-2011-1494 and CVE-2011-1495; Vasiliy Kulikov for reporting CVE-2011-1079, CVE-2011-1078, CVE-2011-1080, CVE-2011-1170, CVE-2011-1171, and CVE-2011-1172; Kees Cook for reporting CVE-2011-0726; and Timo Warns for reporting CVE-2011-1163 and CVE-2011-1577. This update also fixes several bugs. Documentation for these bug fixes will be available shortly from the Technical Notes document linked to in the References section. Users should upgrade to these updated packages, which contain backported patches to correct these issues, and fix the bugs noted in the Technical Notes. The system must be rebooted for this update to take effect. Important Copyright 2011 Red Hat, Inc. CVE-2011-0726 CVE-2011-1078 CVE-2011-1079 CVE-2011-1080 CVE-2011-1093 CVE-2011-1163 CVE-2011-1166 CVE-2011-1170 CVE-2011-1171 CVE-2011-1172 CVE-2011-1494 CVE-2011-1495 CVE-2011-1577 CVE-2011-1763 CVE-2011-1078 kernel: bt sco_conninfo infoleak CVE-2011-1079 kernel: bnep device field missing NULL terminator CVE-2011-1080 kernel: ebtables stack infoleak CVE-2011-1093 kernel: dccp: fix oops on Reset after close CVE-2011-0726 kernel: proc: protect mm start_code/end_code in /proc/pid/stat CVE-2011-1163 kernel: fs/partitions: Corrupted OSF partition table infoleak [5.6][REG]for some uses of 'nfsservctl' system call, the kernel crashes. [rhel-5.6.z] CVE-2011-1166 kernel: xen: x86_64: fix error checking in arch_set_info_guest() CVE-2011-1170 ipv4: netfilter: arp_tables: fix infoleak to userspace CVE-2011-1171 ipv4: netfilter: ip_tables: fix infoleak to userspace CVE-2011-1172 ipv6: netfilter: ip6_tables: fix infoleak to userspace Deadlock between device driver attachment and device removal with a USB device [rhel-5.6.z] [NetApp 5.6 Bug] QLogic 8G FC firmware dumps seen during IO [rhel-5.6.z] Time runs too fast in a VM on processors with > 4GHZ freq [rhel-5.6.z] gfs2: creating large files suddenly slow to a crawl [rhel-5.6.z] CVE-2011-1494 CVE-2011-1495 kernel: drivers/scsi/mpt2sas: prevent heap overflows CVE-2011-1577 kernel: corrupted GUID partition tables can cause kernel oops RHEL 5.6 (kernel -238) causes audio issues [rhel-5.6.z] slab corruption after seeing some nfs-related BUG: warning [rhel-5.6.z] dasd: fix race between open and offline [rhel-5.6.z] CVE-2011-1763 kernel: xen: improper upper boundary check in get_free_port() function cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues: * An integer underflow flaw, leading to a buffer overflow, was found in the Linux kernel's Datagram Congestion Control Protocol (DCCP) implementation. This could allow a remote attacker to cause a denial of service. (CVE-2011-1770, Important) * Missing sanity checks were found in setup_arg_pages() in the Linux kernel. When making the size of the argument and environment area on the stack very large, it could trigger a BUG_ON(), resulting in a local denial of service. (CVE-2010-3858, Moderate) * A missing validation check was found in the bcm_release() and raw_release() functions in the Linux kernel's Controller Area Network (CAN) implementation. This could allow a local, unprivileged user to cause a denial of service. (CVE-2011-1598, CVE-2011-1748, Moderate) * The fix for Red Hat Bugzilla bug 656461, as provided in RHSA-2011:0542, introduced a regression in the cifs_close() function in the Linux kernel's Common Internet File System (CIFS) implementation. A local, unprivileged user with write access to a CIFS file system could use this flaw to cause a denial of service. (CVE-2011-1771, Moderate) Red Hat would like to thank Dan Rosenberg for reporting CVE-2011-1770; Brad Spengler for reporting CVE-2010-3858; and Oliver Hartkopp for reporting CVE-2011-1748. This update also fixes various bugs. Documentation for these bug fixes will be available shortly from the Technical Notes document linked to in the References section. Users should upgrade to these updated packages, which contain backported patches to resolve these issues, and fix the bugs noted in the Technical Notes. The system must be rebooted for this update to take effect. Important Copyright 2011 Red Hat, Inc. CVE-2010-3858 CVE-2011-1598 CVE-2011-1748 CVE-2011-1770 CVE-2011-1771 CVE-2010-3858 kernel: setup_arg_pages: diagnose excessive argument size CVE-2011-1598 CVE-2011-1748 kernel: missing check in can/bcm and can/raw socket releases CVE-2011-1770 kernel: dccp: handle invalid feature options length CVE-2011-1771 kernel: cifs oops when creating file with O_DIRECT set [brocade 6.1 bug] bfa fc staying tech preview [rhel-6.1.z] cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The GIMP (GNU Image Manipulation Program) is an image composition and editing program. An integer overflow flaw, leading to a heap-based buffer overflow, was found in the GIMP's Microsoft Windows Bitmap (BMP) and Personal Computer eXchange (PCX) image file plug-ins. An attacker could create a specially-crafted BMP or PCX image file that, when opened, could cause the relevant plug-in to crash or, potentially, execute arbitrary code with the privileges of the user running the GIMP. (CVE-2009-1570, CVE-2011-1178) A heap-based buffer overflow flaw was found in the GIMP's Paint Shop Pro (PSP) image file plug-in. An attacker could create a specially-crafted PSP image file that, when opened, could cause the PSP plug-in to crash or, potentially, execute arbitrary code with the privileges of the user running the GIMP. (CVE-2010-4543) A stack-based buffer overflow flaw was found in the GIMP's Sphere Designer image filter. An attacker could create a specially-crafted Sphere Designer filter configuration file that, when opened, could cause the Sphere Designer plug-in to crash or, potentially, execute arbitrary code with the privileges of the user running the GIMP. (CVE-2010-4541) Red Hat would like to thank Stefan Cornelius of Secunia Research for responsibly reporting the CVE-2009-1570 flaw. Users of the GIMP are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The GIMP must be restarted for the update to take effect. Moderate Copyright 2011 Red Hat, Inc. CVE-2009-1570 CVE-2010-4541 CVE-2010-4543 CVE-2011-1178 CVE-2009-1570 Gimp: Integer overflow in the BMP image file plugin CVE-2011-1178 Gimp: Integer overflow in the PCX image file plug-in CVE-2010-4541 Gimp: Stack-based buffer overflow in SphereDesigner plug-in CVE-2010-4543 Gimp: Heap-based buffer overflow in Paint Shop Pro (PSP) plug-in cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The GIMP (GNU Image Manipulation Program) is an image composition and editing program. An integer overflow flaw, leading to a heap-based buffer overflow, was found in the GIMP's Microsoft Windows Bitmap (BMP) and Personal Computer eXchange (PCX) image file plug-ins. An attacker could create a specially-crafted BMP or PCX image file that, when opened, could cause the relevant plug-in to crash or, potentially, execute arbitrary code with the privileges of the user running the GIMP. (CVE-2009-1570, CVE-2011-1178) A heap-based buffer overflow flaw was found in the GIMP's Paint Shop Pro (PSP) image file plug-in. An attacker could create a specially-crafted PSP image file that, when opened, could cause the PSP plug-in to crash or, potentially, execute arbitrary code with the privileges of the user running the GIMP. (CVE-2010-4543) A stack-based buffer overflow flaw was found in the GIMP's Lightning, Sphere Designer, and Gfig image filters. An attacker could create a specially-crafted Lightning, Sphere Designer, or Gfig filter configuration file that, when opened, could cause the relevant plug-in to crash or, potentially, execute arbitrary code with the privileges of the user running the GIMP. (CVE-2010-4540, CVE-2010-4541, CVE-2010-4542) Red Hat would like to thank Stefan Cornelius of Secunia Research for responsibly reporting the CVE-2009-1570 flaw. Users of the GIMP are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The GIMP must be restarted for the update to take effect. Moderate Copyright 2011 Red Hat, Inc. CVE-2009-1570 CVE-2010-4540 CVE-2010-4541 CVE-2010-4542 CVE-2010-4543 CVE-2011-1178 CVE-2009-1570 Gimp: Integer overflow in the BMP image file plugin CVE-2010-4540 Gimp: Stack-based buffer overflow in Lighting plug-in CVE-2011-1178 Gimp: Integer overflow in the PCX image file plug-in CVE-2010-4541 Gimp: Stack-based buffer overflow in SphereDesigner plug-in CVE-2010-4542 Gimp: Stack-based buffer overflow in Gfig plug-in CVE-2010-4543 Gimp: Heap-based buffer overflow in Paint Shop Pro (PSP) plug-in cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 The GIMP (GNU Image Manipulation Program) is an image composition and editing program. A heap-based buffer overflow flaw was found in the GIMP's Paint Shop Pro (PSP) image file plug-in. An attacker could create a specially-crafted PSP image file that, when opened, could cause the PSP plug-in to crash or, potentially, execute arbitrary code with the privileges of the user running the GIMP. (CVE-2010-4543) A stack-based buffer overflow flaw was found in the GIMP's Lightning, Sphere Designer, and Gfig image filters. An attacker could create a specially-crafted Lightning, Sphere Designer, or Gfig filter configuration file that, when opened, could cause the relevant plug-in to crash or, potentially, execute arbitrary code with the privileges of the user running the GIMP. (CVE-2010-4540, CVE-2010-4541, CVE-2010-4542) Users of the GIMP are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The GIMP must be restarted for the update to take effect. Moderate Copyright 2011 Red Hat, Inc. CVE-2010-4540 CVE-2010-4541 CVE-2010-4542 CVE-2010-4543 CVE-2010-4540 Gimp: Stack-based buffer overflow in Lighting plug-in CVE-2010-4541 Gimp: Stack-based buffer overflow in SphereDesigner plug-in CVE-2010-4542 Gimp: Stack-based buffer overflow in Gfig plug-in CVE-2010-4543 Gimp: Heap-based buffer overflow in Paint Shop Pro (PSP) plug-in cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 SystemTap is an instrumentation system for systems running the Linux kernel, version 2.6. Developers can write scripts to collect data on the operation of the system. A divide-by-zero flaw was found in the way SystemTap handled malformed debugging information in DWARF format. When SystemTap unprivileged mode was enabled, an unprivileged user in the stapusr group could use this flaw to crash the system. Additionally, a privileged user (root, or a member of the stapdev group) could trigger this flaw when tricked into instrumenting a specially-crafted ELF binary, even when unprivileged mode was not enabled. (CVE-2011-1769) SystemTap users should upgrade to these updated packages, which contain a backported patch to correct this issue. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-1769 CVE-2011-1769 systemtap: does not guard against DWARF operations div-by-zero errors, which can cause a kernel panic cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 SystemTap is an instrumentation system for systems running the Linux kernel, version 2.6. Developers can write scripts to collect data on the operation of the system. Two divide-by-zero flaws were found in the way SystemTap handled malformed debugging information in DWARF format. When SystemTap unprivileged mode was enabled, an unprivileged user in the stapusr group could use these flaws to crash the system. Additionally, a privileged user (root, or a member of the stapdev group) could trigger these flaws when tricked into instrumenting a specially-crafted ELF binary, even when unprivileged mode was not enabled. (CVE-2011-1769, CVE-2011-1781) SystemTap users should upgrade to these updated packages, which contain a backported patch to correct these issues. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-1769 CVE-2011-1781 CVE-2011-1769 systemtap: does not guard against DWARF operations div-by-zero errors, which can cause a kernel panic CVE-2011-1781 systemtap: divide by zero stack unwinding flaw cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Postfix is a Mail Transport Agent (MTA), supporting LDAP, SMTP AUTH (SASL), and TLS. A heap-based buffer over-read flaw was found in the way Postfix performed SASL handlers management for SMTP sessions, when Cyrus SASL authentication was enabled. A remote attacker could use this flaw to cause the Postfix smtpd server to crash via a specially-crafted SASL authentication request. The smtpd process was automatically restarted by the postfix master process after the time configured with service_throttle_time elapsed. (CVE-2011-1720) Note: Cyrus SASL authentication for Postfix is not enabled by default. Red Hat would like to thank the CERT/CC for reporting this issue. Upstream acknowledges Thomas Jarosch of Intra2net AG as the original reporter. Users of Postfix are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing this update, the postfix service will be restarted automatically. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-1720 CVE-2011-1720 postfix (smtpd): Crash due to improper management of SASL handlers for SMTP sessions cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 6 The Apache Portable Runtime (APR) is a portability library used by the Apache HTTP Server and other projects. It provides a free library of C data structures and routines. The fix for CVE-2011-0419 (released via RHSA-2011:0507) introduced an infinite loop flaw in the apr_fnmatch() function when the APR_FNM_PATHNAME matching flag was used. A remote attacker could possibly use this flaw to cause a denial of service on an application using the apr_fnmatch() function. (CVE-2011-1928) Note: This problem affected httpd configurations using the "Location" directive with wildcard URLs. The denial of service could have been triggered during normal operation; it did not specifically require a malicious HTTP request. This update also addresses additional problems introduced by the rewrite of the apr_fnmatch() function, which was necessary to address the CVE-2011-0419 flaw. All apr users should upgrade to these updated packages, which contain a backported patch to correct this issue. Applications using the apr library, such as httpd, must be restarted for this update to take effect. Low Copyright 2011 Red Hat, Inc. CVE-2011-1928 CVE-2011-1928 apr: DoS flaw in apr_fnmatch() due to fix for CVE-2011-0419 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. An off-by-one flaw was found in the way BIND processed negative responses with large resource record sets (RRSets). An attacker able to send recursive queries to a BIND server that is configured as a caching resolver could use this flaw to cause named to exit with an assertion failure. (CVE-2011-1910) All BIND users are advised to upgrade to these updated packages, which resolve this issue. After installing the update, the BIND daemon (named) will be restarted automatically. Important Copyright 2011 Red Hat, Inc. CVE-2011-1910 CVE-2011-1910 bind: Large RRSIG RRsets and Negative Caching can crash named cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 Supplementary for Red Hat Enterprise Linux 6 The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in. This update fixes one vulnerability in Adobe Flash Player. This vulnerability is detailed on the Adobe security page APSB11-13, listed in the References section. (CVE-2011-2107) All users of Adobe Flash Player should install this updated package, which upgrades Flash Player to version 10.3.181.22 Important Copyright 2011 Red Hat, Inc. CVE-2011-2107 CVE-2011-2107 flash-plugin: Cross-site scripting vulnerability (APSB11-13) cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 6 These packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software Development Kit. Integer overflow flaws were found in the way Java2D parsed JPEG images and user-supplied fonts. An attacker could use these flaws to execute arbitrary code with the privileges of the user running an untrusted applet or application. (CVE-2011-0862) It was found that the MediaTracker implementation created Component instances with unnecessary access privileges. A remote attacker could use this flaw to elevate their privileges by utilizing an untrusted applet or application that uses Swing. (CVE-2011-0871) A flaw was found in the HotSpot component in OpenJDK. Certain bytecode instructions confused the memory management within the Java Virtual Machine (JVM), resulting in an applet or application crashing. (CVE-2011-0864) An information leak flaw was found in the NetworkInterface class. An untrusted applet or application could use this flaw to access information about available network interfaces that should only be available to privileged code. (CVE-2011-0867) An incorrect float-to-long conversion, leading to an overflow, was found in the way certain objects (such as images and text) were transformed in Java2D. A remote attacker could use this flaw to crash an untrusted applet or application that uses Java2D. (CVE-2011-0868) It was found that untrusted applets and applications could misuse a SOAP connection to incorrectly set global HTTP proxy settings instead of setting them in a local scope. This flaw could be used to intercept HTTP requests. (CVE-2011-0869) A flaw was found in the way signed objects were deserialized. If trusted and untrusted code were running in the same Java Virtual Machine (JVM), and both were deserializing the same signed object, the untrusted code could modify said object by using this flaw to bypass the validation checks on signed objects. (CVE-2011-0865) All users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect. Critical Copyright 2011 Red Hat, Inc. CVE-2011-0862 CVE-2011-0864 CVE-2011-0865 CVE-2011-0867 CVE-2011-0868 CVE-2011-0869 CVE-2011-0871 CVE-2011-0865 OpenJDK: Deserialization allows creation of mutable SignedObject (Deserialization, 6618658) CVE-2011-0862 OpenJDK: integer overflows in JPEGImageReader and font SunLayoutEngine (2D, 7013519) CVE-2011-0867 OpenJDK: NetworkInterface information leak (Networking, 7013969) CVE-2011-0869 OpenJDK: unprivileged proxy settings change via SOAPConnection (SAAJ, 7013971) CVE-2011-0868 OpenJDK: incorrect numeric type conversion in TransformHelper (2D, 7016495) CVE-2011-0864 OpenJDK: JVM memory corruption via certain bytecode (HotSpot, 7020373) CVE-2011-0871 OpenJDK: MediaTracker created Component instances with unnecessary privileges (Swing, 7020198) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 These packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software Development Kit. Integer overflow flaws were found in the way Java2D parsed JPEG images and user-supplied fonts. An attacker could use these flaws to execute arbitrary code with the privileges of the user running an untrusted applet or application. (CVE-2011-0862) It was found that the MediaTracker implementation created Component instances with unnecessary access privileges. A remote attacker could use this flaw to elevate their privileges by utilizing an untrusted applet or application that uses Swing. (CVE-2011-0871) A flaw was found in the HotSpot component in OpenJDK. Certain bytecode instructions confused the memory management within the Java Virtual Machine (JVM), resulting in an applet or application crashing. (CVE-2011-0864) An information leak flaw was found in the NetworkInterface class. An untrusted applet or application could use this flaw to access information about available network interfaces that should only be available to privileged code. (CVE-2011-0867) An incorrect float-to-long conversion, leading to an overflow, was found in the way certain objects (such as images and text) were transformed in Java2D. A remote attacker could use this flaw to crash an untrusted applet or application that uses Java2D. (CVE-2011-0868) It was found that untrusted applets and applications could misuse a SOAP connection to incorrectly set global HTTP proxy settings instead of setting them in a local scope. This flaw could be used to intercept HTTP requests. (CVE-2011-0869) A flaw was found in the way signed objects were deserialized. If trusted and untrusted code were running in the same Java Virtual Machine (JVM), and both were deserializing the same signed object, the untrusted code could modify said object by using this flaw to bypass the validation checks on signed objects. (CVE-2011-0865) Note: All of the above flaws can only be remotely triggered in OpenJDK by calling the "appletviewer" application. All users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which provide OpenJDK 6 b20 / IcedTea 1.9.8 and resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect. Important Copyright 2011 Red Hat, Inc. CVE-2011-0862 CVE-2011-0864 CVE-2011-0865 CVE-2011-0867 CVE-2011-0868 CVE-2011-0869 CVE-2011-0871 CVE-2011-0865 OpenJDK: Deserialization allows creation of mutable SignedObject (Deserialization, 6618658) CVE-2011-0862 OpenJDK: integer overflows in JPEGImageReader and font SunLayoutEngine (2D, 7013519) CVE-2011-0867 OpenJDK: NetworkInterface information leak (Networking, 7013969) CVE-2011-0869 OpenJDK: unprivileged proxy settings change via SOAPConnection (SAAJ, 7013971) CVE-2011-0868 OpenJDK: incorrect numeric type conversion in TransformHelper (2D, 7016495) CVE-2011-0864 OpenJDK: JVM memory corruption via certain bytecode (HotSpot, 7020373) CVE-2011-0871 OpenJDK: MediaTracker created Component instances with unnecessary privileges (Swing, 7020198) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 The xerces-j2 packages provide the Apache Xerces2 Java Parser, a high-performance XML parser. A Document Type Definition (DTD) defines the legal syntax (and also which elements can be used) for certain types of files, such as XML files. A flaw was found in the way the Apache Xerces2 Java Parser processed the SYSTEM identifier in DTDs. A remote attacker could provide a specially-crafted XML file, which once parsed by an application using the Apache Xerces2 Java Parser, would lead to a denial of service (application hang due to excessive CPU use). (CVE-2009-2625) Users should upgrade to these updated packages, which contain a backported patch to correct this issue. Applications using the Apache Xerces2 Java Parser must be restarted for this update to take effect. Moderate Copyright 2011 Red Hat, Inc. CVE-2009-2625 CVE-2009-2625 OpenJDK: XML parsing Denial-Of-Service (6845701) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 6 The cyrus-imapd packages contain a high-performance mail server with IMAP, POP3, NNTP, and Sieve support. It was discovered that cyrus-imapd did not flush the received commands buffer after switching to TLS encryption for IMAP, LMTP, NNTP, and POP3 sessions. A man-in-the-middle attacker could use this flaw to inject protocol commands into a victim's TLS session initialization messages. This could lead to those commands being processed by cyrus-imapd, potentially allowing the attacker to steal the victim's mail or authentication credentials. (CVE-2011-1926) Users of cyrus-imapd are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the update, cyrus-imapd will be restarted automatically. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-1926 CVE-2011-1926 cyrus-imapd: STARTTLS plaintext command injection cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 Supplementary for Red Hat Enterprise Linux 6 The Sun 1.6.0 Java release includes the Sun Java 6 Runtime Environment and the Sun Java 6 Software Development Kit. This update fixes several vulnerabilities in the Sun Java 6 Runtime Environment and the Sun Java 6 Software Development Kit. Further information about these flaws can be found on the "Oracle Java SE Critical Patch Update Advisory" page, listed in the References section. (CVE-2011-0802, CVE-2011-0814, CVE-2011-0862, CVE-2011-0863, CVE-2011-0864, CVE-2011-0865, CVE-2011-0867, CVE-2011-0868, CVE-2011-0869, CVE-2011-0871, CVE-2011-0873) All users of java-1.6.0-sun are advised to upgrade to these updated packages, which provide JDK and JRE 6 Update 26 and resolve these issues. All running instances of Sun Java must be restarted for the update to take effect. Critical Copyright 2011 Red Hat, Inc. CVE-2011-0802 CVE-2011-0814 CVE-2011-0862 CVE-2011-0863 CVE-2011-0864 CVE-2011-0865 CVE-2011-0867 CVE-2011-0868 CVE-2011-0869 CVE-2011-0871 CVE-2011-0873 CVE-2011-0865 OpenJDK: Deserialization allows creation of mutable SignedObject (Deserialization, 6618658) CVE-2011-0862 OpenJDK: integer overflows in JPEGImageReader and font SunLayoutEngine (2D, 7013519) CVE-2011-0867 OpenJDK: NetworkInterface information leak (Networking, 7013969) CVE-2011-0869 OpenJDK: unprivileged proxy settings change via SOAPConnection (SAAJ, 7013971) CVE-2011-0868 OpenJDK: incorrect numeric type conversion in TransformHelper (2D, 7016495) CVE-2011-0864 OpenJDK: JVM memory corruption via certain bytecode (HotSpot, 7020373) CVE-2011-0871 OpenJDK: MediaTracker created Component instances with unnecessary privileges (Swing, 7020198) CVE-2011-0873 Oracle/IBM JDK: unspecified vulnerability fixed in 6u26 (2D) CVE-2011-0863 Oracle/IBM JDK: unspecified vulnerability fixed in 6u26 (Deployment) CVE-2011-0802 CVE-2011-0814 Oracle/IBM JDK: unspecified vulnerabilities fixed in 6u26 (Sound) cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 4 Subversion (SVN) is a concurrent version control system which enables one or more users to collaborate in developing and maintaining a hierarchy of files and directories while keeping a history of all changes. The mod_dav_svn module is used with the Apache HTTP Server to allow access to Subversion repositories via HTTP. A NULL pointer dereference flaw was found in the way the mod_dav_svn module processed requests submitted against the URL of a baselined resource. A malicious, remote user could use this flaw to cause the httpd process serving the request to crash. (CVE-2011-1752) Red Hat would like to thank the Apache Subversion project for reporting this issue. Upstream acknowledges Joe Schaefer of the Apache Software Foundation as the original reporter. All Subversion users should upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the updated packages, you must restart the httpd daemon, if you are using mod_dav_svn, for the update to take effect. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-1752 CVE-2011-1752 subversion (mod_dav_svn): DoS (crash) via request to deliver baselined WebDAV resources cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 5 Subversion (SVN) is a concurrent version control system which enables one or more users to collaborate in developing and maintaining a hierarchy of files and directories while keeping a history of all changes. The mod_dav_svn module is used with the Apache HTTP Server to allow access to Subversion repositories via HTTP. An infinite loop flaw was found in the way the mod_dav_svn module processed certain data sets. If the SVNPathAuthz directive was set to "short_circuit", and path-based access control for files and directories was enabled, a malicious, remote user could use this flaw to cause the httpd process serving the request to consume an excessive amount of system memory. (CVE-2011-1783) A NULL pointer dereference flaw was found in the way the mod_dav_svn module processed requests submitted against the URL of a baselined resource. A malicious, remote user could use this flaw to cause the httpd process serving the request to crash. (CVE-2011-1752) An information disclosure flaw was found in the way the mod_dav_svn module processed certain URLs when path-based access control for files and directories was enabled. A malicious, remote user could possibly use this flaw to access certain files in a repository that would otherwise not be accessible to them. Note: This vulnerability cannot be triggered if the SVNPathAuthz directive is set to "short_circuit". (CVE-2011-1921) Red Hat would like to thank the Apache Subversion project for reporting these issues. Upstream acknowledges Joe Schaefer of the Apache Software Foundation as the original reporter of CVE-2011-1752; Ivan Zhakov of VisualSVN as the original reporter of CVE-2011-1783; and Kamesh Jayachandran of CollabNet, Inc. as the original reporter of CVE-2011-1921. All Subversion users should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, you must restart the httpd daemon, if you are using mod_dav_svn, for the update to take effect. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-1752 CVE-2011-1783 CVE-2011-1921 CVE-2011-1752 subversion (mod_dav_svn): DoS (crash) via request to deliver baselined WebDAV resources CVE-2011-1783 subversion (mod_dav_svn): DoS (excessive memory use) when configured to provide path-based access control CVE-2011-1921 subversion (mod_dav_svn): File contents disclosure of files configured to be unreadable by those users cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 Supplementary for Red Hat Enterprise Linux 6 The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in. This update fixes one vulnerability in Adobe Flash Player. This vulnerability is detailed on the Adobe security page APSB11-18, listed in the References section. Specially-crafted SWF content could cause flash-plugin to crash or, potentially, execute arbitrary code. (CVE-2011-2110) All users of Adobe Flash Player should install this updated package, which upgrades Flash Player to version 10.3.181.26. Critical Copyright 2011 Red Hat, Inc. CVE-2011-2110 CVE-2011-2110 flash-plugin: memory corruption can lead to arbitrary code execution (APSB11-18) cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 6 Virtual Network Computing (VNC) is a remote display system which allows you to view a computer's desktop environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine architectures. TigerVNC is a suite of VNC servers and clients. It was discovered that vncviewer could prompt for and send authentication credentials to a remote server without first properly validating the server's X.509 certificate. As vncviewer did not indicate that the certificate was bad or missing, a man-in-the-middle attacker could use this flaw to trick a vncviewer client into connecting to a spoofed VNC server, allowing the attacker to obtain the client's credentials. (CVE-2011-1775) All tigervnc users should upgrade to these updated packages, which contain a backported patch to correct this issue. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-1775 CVE-2011-1775 tigervnc: vncviewer can send password to server without proper validation of the X.509 certificate cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 4 Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. A flaw was found in the way Firefox handled malformed JPEG images. A website containing a malicious JPEG image could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2011-2377) Multiple dangling pointer flaws were found in Firefox. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2011-0083, CVE-2011-0085, CVE-2011-2363) Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2011-2364, CVE-2011-2365, CVE-2011-2374, CVE-2011-2375, CVE-2011-2376) An integer overflow flaw was found in the way Firefox handled JavaScript Array objects. A website containing malicious JavaScript could cause Firefox to execute that JavaScript with the privileges of the user running Firefox. (CVE-2011-2371) A use-after-free flaw was found in the way Firefox handled malformed JavaScript. A website containing malicious JavaScript could cause Firefox to execute that JavaScript with the privileges of the user running Firefox. (CVE-2011-2373) It was found that Firefox could treat two separate cookies as interchangeable if both were for the same domain name but one of those domain names had a trailing "." character. This violates the same-origin policy and could possibly lead to data being leaked to the wrong domain. (CVE-2011-2362) For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 3.6.18. You can find a link to the Mozilla advisories in the References section of this erratum. This update also fixes the following bug: * With previous versions of Firefox on Red Hat Enterprise Linux 5, the "background-repeat" CSS (Cascading Style Sheets) property did not work (such images were not displayed and repeated as expected). (BZ#698313) All Firefox users should upgrade to these updated packages, which contain Firefox version 3.6.18, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect. Critical Copyright 2011 Red Hat, Inc. CVE-2011-0083 CVE-2011-0085 CVE-2011-2362 CVE-2011-2363 CVE-2011-2364 CVE-2011-2365 CVE-2011-2371 CVE-2011-2373 CVE-2011-2374 CVE-2011-2375 CVE-2011-2376 CVE-2011-2377 CVE-2011-2605 "background-repeat" css property isn't rendered well in Firefox 3.6.x CVE-2011-2364 CVE-2011-2365 CVE-2011-2374 CVE-2011-2375 CVE-2011-2376 CVE-2011-2605 Mozilla Miscellaneous memory safety hazards (MFSA 2011-19) CVE-2011-2373 Mozilla Use-after-free vulnerability when viewing XUL document with script disabled (MFSA 2011-20) CVE-2011-2371 Mozilla Integer overflow and arbitrary code execution (MFSA 2011-22) CVE-2011-0083 CVE-2011-0085 CVE-2011-2363 Mozilla Multiple dangling pointer vulnerabilities (MFSA 2011-23) CVE-2011-2362 Mozilla Cookie isolation error (MFSA 2011-24) CVE-2011-2377 Mozilla Crash caused by corrupted JPEG image (MFSA 2011-21) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Mozilla Thunderbird is a standalone mail and newsgroup client. A flaw was found in the way Thunderbird handled malformed JPEG images. An HTML mail message containing a malicious JPEG image could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2011-2377) Multiple dangling pointer flaws were found in Thunderbird. Malicious HTML content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2011-0083, CVE-2011-0085, CVE-2011-2363) Several flaws were found in the processing of malformed HTML content. Malicious HTML content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2011-2364, CVE-2011-2365, CVE-2011-2374, CVE-2011-2375, CVE-2011-2376) It was found that Thunderbird could treat two separate cookies (for web content) as interchangeable if both were for the same domain name but one of those domain names had a trailing "." character. This violates the same-origin policy and could possibly lead to data being leaked to the wrong domain. (CVE-2011-2362) All Thunderbird users should upgrade to this updated package, which resolves these issues. All running instances of Thunderbird must be restarted for the update to take effect. Critical Copyright 2011 Red Hat, Inc. CVE-2011-0083 CVE-2011-0085 CVE-2011-2362 CVE-2011-2363 CVE-2011-2364 CVE-2011-2365 CVE-2011-2374 CVE-2011-2375 CVE-2011-2376 CVE-2011-2377 CVE-2011-2605 CVE-2011-2364 CVE-2011-2365 CVE-2011-2374 CVE-2011-2375 CVE-2011-2376 CVE-2011-2605 Mozilla Miscellaneous memory safety hazards (MFSA 2011-19) CVE-2011-0083 CVE-2011-0085 CVE-2011-2363 Mozilla Multiple dangling pointer vulnerabilities (MFSA 2011-23) CVE-2011-2362 Mozilla Cookie isolation error (MFSA 2011-24) CVE-2011-2377 Mozilla Crash caused by corrupted JPEG image (MFSA 2011-21) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Thunderbird is a standalone mail and newsgroup client. A flaw was found in the way Thunderbird handled malformed JPEG images. An HTML mail message containing a malicious JPEG image could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2011-2377) Multiple dangling pointer flaws were found in Thunderbird. Malicious HTML content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2011-0083, CVE-2011-0085, CVE-2011-2363) Several flaws were found in the processing of malformed HTML content. Malicious HTML content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2011-2364, CVE-2011-2365, CVE-2011-2374, CVE-2011-2375, CVE-2011-2376) An integer overflow flaw was found in the way Thunderbird handled JavaScript Array objects. Malicious content could cause Thunderbird to execute JavaScript with the privileges of the user running Thunderbird. (CVE-2011-2371) A use-after-free flaw was found in the way Thunderbird handled malformed JavaScript. Malicious content could cause Thunderbird to execute JavaScript with the privileges of the user running Thunderbird. (CVE-2011-2373) It was found that Thunderbird could treat two separate cookies (for web content) as interchangeable if both were for the same domain name but one of those domain names had a trailing "." character. This violates the same-origin policy and could possibly lead to data being leaked to the wrong domain. (CVE-2011-2362) All Thunderbird users should upgrade to this updated package, which resolves these issues. All running instances of Thunderbird must be restarted for the update to take effect. Critical Copyright 2011 Red Hat, Inc. CVE-2011-0083 CVE-2011-0085 CVE-2011-2362 CVE-2011-2363 CVE-2011-2364 CVE-2011-2365 CVE-2011-2371 CVE-2011-2373 CVE-2011-2374 CVE-2011-2375 CVE-2011-2376 CVE-2011-2377 CVE-2011-2605 CVE-2011-2364 CVE-2011-2365 CVE-2011-2374 CVE-2011-2375 CVE-2011-2376 CVE-2011-2605 Mozilla Miscellaneous memory safety hazards (MFSA 2011-19) CVE-2011-2373 Mozilla Use-after-free vulnerability when viewing XUL document with script disabled (MFSA 2011-20) CVE-2011-2371 Mozilla Integer overflow and arbitrary code execution (MFSA 2011-22) CVE-2011-0083 CVE-2011-0085 CVE-2011-2363 Mozilla Multiple dangling pointer vulnerabilities (MFSA 2011-23) CVE-2011-2362 Mozilla Cookie isolation error (MFSA 2011-24) CVE-2011-2377 Mozilla Crash caused by corrupted JPEG image (MFSA 2011-21) cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 SeaMonkey is an open source web browser, email and newsgroup client, IRC chat client, and HTML editor. A flaw was found in the way SeaMonkey handled malformed JPEG images. A website containing a malicious JPEG image could cause SeaMonkey to crash or, potentially, execute arbitrary code with the privileges of the user running SeaMonkey. (CVE-2011-2377) Multiple dangling pointer flaws were found in SeaMonkey. A web page containing malicious content could cause SeaMonkey to crash or, potentially, execute arbitrary code with the privileges of the user running SeaMonkey. (CVE-2011-0083, CVE-2011-0085, CVE-2011-2363) Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause SeaMonkey to crash or, potentially, execute arbitrary code with the privileges of the user running SeaMonkey. (CVE-2011-2364, CVE-2011-2365, CVE-2011-2374, CVE-2011-2375, CVE-2011-2376) An integer overflow flaw was found in the way SeaMonkey handled JavaScript Array objects. A website containing malicious JavaScript could cause SeaMonkey to execute that JavaScript with the privileges of the user running SeaMonkey. (CVE-2011-2371) A use-after-free flaw was found in the way SeaMonkey handled malformed JavaScript. A website containing malicious JavaScript could cause SeaMonkey to execute that JavaScript with the privileges of the user running SeaMonkey. (CVE-2011-2373) It was found that SeaMonkey could treat two separate cookies as interchangeable if both were for the same domain name but one of those domain names had a trailing "." character. This violates the same-origin policy and could possibly lead to data being leaked to the wrong domain. (CVE-2011-2362) All SeaMonkey users should upgrade to these updated packages, which correct these issues. After installing the update, SeaMonkey must be restarted for the changes to take effect. Critical Copyright 2011 Red Hat, Inc. CVE-2011-0083 CVE-2011-0085 CVE-2011-2362 CVE-2011-2363 CVE-2011-2364 CVE-2011-2365 CVE-2011-2371 CVE-2011-2373 CVE-2011-2374 CVE-2011-2375 CVE-2011-2376 CVE-2011-2377 CVE-2011-2605 CVE-2011-2364 CVE-2011-2365 CVE-2011-2374 CVE-2011-2375 CVE-2011-2376 CVE-2011-2605 Mozilla Miscellaneous memory safety hazards (MFSA 2011-19) CVE-2011-2373 Mozilla Use-after-free vulnerability when viewing XUL document with script disabled (MFSA 2011-20) CVE-2011-2371 Mozilla Integer overflow and arbitrary code execution (MFSA 2011-22) CVE-2011-0083 CVE-2011-0085 CVE-2011-2363 Mozilla Multiple dangling pointer vulnerabilities (MFSA 2011-23) CVE-2011-2362 Mozilla Cookie isolation error (MFSA 2011-24) CVE-2011-2377 Mozilla Crash caused by corrupted JPEG image (MFSA 2011-21) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to do system management tasks. A flaw was found in the way large amounts of memory were allocated on 64-bit systems when using the BigDecimal class. A context-dependent attacker could use this flaw to cause memory corruption, causing a Ruby application that uses the BigDecimal class to crash or, possibly, execute arbitrary code. This issue did not affect 32-bit systems. (CVE-2011-0188) It was found that WEBrick (the Ruby HTTP server toolkit) did not filter terminal escape sequences from its log files. A remote attacker could use specially-crafted HTTP requests to inject terminal escape sequences into the WEBrick log files. If a victim viewed the log files with a terminal emulator, it could result in control characters being executed with the privileges of that user. (CVE-2009-4492) A cross-site scripting (XSS) flaw was found in the way WEBrick displayed error pages. A remote attacker could use this flaw to perform a cross-site scripting attack against victims by tricking them into visiting a specially-crafted URL. (CVE-2010-0541) A flaw was found in the method for translating an exception message into a string in the Exception class. A remote attacker could use this flaw to bypass safe level 4 restrictions, allowing untrusted (tainted) code to modify arbitrary, trusted (untainted) strings, which safe level 4 restrictions would otherwise prevent. (CVE-2011-1005) Red Hat would like to thank Drew Yao of Apple Product Security for reporting the CVE-2011-0188 and CVE-2010-0541 issues. All Ruby users should upgrade to these updated packages, which contain backported patches to resolve these issues. Moderate Copyright 2011 Red Hat, Inc. CVE-2009-4492 CVE-2010-0541 CVE-2011-0188 CVE-2011-1005 CVE-2009-4492 ruby WEBrick log escape sequence CVE-2010-0541 Ruby WEBrick javascript injection flaw CVE-2011-1005 Ruby: Untrusted codes able to modify arbitrary strings CVE-2011-0188 ruby: memory corruption in BigDecimal on 64bit platforms cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to do system management tasks. A flaw was found in the way large amounts of memory were allocated on 64-bit systems when using the BigDecimal class. A context-dependent attacker could use this flaw to cause memory corruption, causing a Ruby application that uses the BigDecimal class to crash or, possibly, execute arbitrary code. This issue did not affect 32-bit systems. (CVE-2011-0188) A race condition flaw was found in the remove system entries method in the FileUtils module. If a local user ran a Ruby script that uses this method, a local attacker could use this flaw to delete arbitrary files and directories accessible to that user via a symbolic link attack. (CVE-2011-1004) It was found that WEBrick (the Ruby HTTP server toolkit) did not filter terminal escape sequences from its log files. A remote attacker could use specially-crafted HTTP requests to inject terminal escape sequences into the WEBrick log files. If a victim viewed the log files with a terminal emulator, it could result in control characters being executed with the privileges of that user. (CVE-2009-4492) A cross-site scripting (XSS) flaw was found in the way WEBrick displayed error pages. A remote attacker could use this flaw to perform a cross-site scripting attack against victims by tricking them into visiting a specially-crafted URL. (CVE-2010-0541) A flaw was found in the method for translating an exception message into a string in the Exception class. A remote attacker could use this flaw to bypass safe level 4 restrictions, allowing untrusted (tainted) code to modify arbitrary, trusted (untainted) strings, which safe level 4 restrictions would otherwise prevent. (CVE-2011-1005) Red Hat would like to thank Drew Yao of Apple Product Security for reporting the CVE-2011-0188 and CVE-2010-0541 issues. All Ruby users should upgrade to these updated packages, which contain backported patches to resolve these issues. Moderate Copyright 2011 Red Hat, Inc. CVE-2009-4492 CVE-2010-0541 CVE-2011-0188 CVE-2011-1004 CVE-2011-1005 CVE-2009-4492 ruby WEBrick log escape sequence CVE-2010-0541 Ruby WEBrick javascript injection flaw CVE-2011-1004 Ruby: Symlink race condition by removing directory trees in fileutils module CVE-2011-1005 Ruby: Untrusted codes able to modify arbitrary strings CVE-2011-0188 ruby: memory corruption in BigDecimal on 64bit platforms cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to do system management tasks. A flaw was found in the way large amounts of memory were allocated on 64-bit systems when using the BigDecimal class. A context-dependent attacker could use this flaw to cause memory corruption, causing a Ruby application that uses the BigDecimal class to crash or, possibly, execute arbitrary code. This issue did not affect 32-bit systems. (CVE-2011-0188) A race condition flaw was found in the remove system entries method in the FileUtils module. If a local user ran a Ruby script that uses this method, a local attacker could use this flaw to delete arbitrary files and directories accessible to that user via a symbolic link attack. (CVE-2011-1004) A flaw was found in the method for translating an exception message into a string in the Exception class. A remote attacker could use this flaw to bypass safe level 4 restrictions, allowing untrusted (tainted) code to modify arbitrary, trusted (untainted) strings, which safe level 4 restrictions would otherwise prevent. (CVE-2011-1005) Red Hat would like to thank Drew Yao of Apple Product Security for reporting the CVE-2011-0188 issue. All Ruby users should upgrade to these updated packages, which contain backported patches to resolve these issues. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-0188 CVE-2011-1004 CVE-2011-1005 CVE-2011-1004 Ruby: Symlink race condition by removing directory trees in fileutils module CVE-2011-1005 Ruby: Untrusted codes able to modify arbitrary strings CVE-2011-0188 ruby: memory corruption in BigDecimal on 64bit platforms cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 cURL provides the libcurl library and a command line tool for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. It was found that cURL always performed credential delegation when authenticating with GSSAPI. A rogue server could use this flaw to obtain the client's credentials and impersonate that client to other servers that are using GSSAPI. (CVE-2011-2192) Users of curl should upgrade to these updated packages, which contain a backported patch to correct this issue. All running applications using libcurl must be restarted for the update to take effect. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-2192 CVE-2011-2192 curl: Improper delegation of client credentials during GSS negotiation cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. qemu-kvm is the user-space component for running virtual machines using KVM. It was found that the virtio subsystem in qemu-kvm did not properly validate virtqueue in and out requests from the guest. A privileged guest user could use this flaw to trigger a buffer overflow, allowing them to crash the guest (denial of service) or, possibly, escalate their privileges on the host. (CVE-2011-2212) It was found that the virtio_queue_notify() function in qemu-kvm did not perform sufficient input validation on the value later used as an index into the array of virtqueues. An unprivileged guest user could use this flaw to crash the guest (denial of service) or, possibly, escalate their privileges on the host. (CVE-2011-2512) Red Hat would like to thank Nelson Elhage for reporting CVE-2011-2212. This update also fixes the following bug: * A bug was found in the way vhost (in qemu-kvm) set up mappings with the host kernel's vhost module. This could result in the host kernel's vhost module not having a complete view of a guest system's memory, if that guest had more than 4 GB of memory. Consequently, hot plugging a vhost-net network device and restarting the guest may have resulted in that device no longer working. (BZ#701771) All users of qemu-kvm should upgrade to these updated packages, which contain backported patches to resolve these issues. After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect. Important Copyright 2011 Red Hat, Inc. CVE-2011-2212 CVE-2011-2512 CVE-2011-2212 qemu-kvm: virtqueue: too-large indirect descriptor buffer overflow CVE-2011-2512 qemu-kvm: OOB memory access caused by negative vq notifies cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 The krb5-appl packages provide Kerberos-aware telnet, ftp, rcp, rsh, and rlogin clients and servers. While these have been replaced by tools such as OpenSSH in most environments, they remain in use in others. It was found that gssftp, a Kerberos-aware FTP server, did not properly drop privileges. A remote FTP user could use this flaw to gain unauthorized read or write access to files that are owned by the root group. (CVE-2011-1526) Red Hat would like to thank the MIT Kerberos project for reporting this issue. Upstream acknowledges Tim Zingelman as the original reporter. All krb5-appl users should upgrade to these updated packages, which contain a backported patch to correct this issue. Important Copyright 2011 Red Hat, Inc. CVE-2011-1526 CVE-2011-1526 krb5, krb5-appl: ftpd incorrect group privilege dropping (MITKRB5-SA-2011-005) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. A flaw was discovered in the way BIND handled certain DNS requests. A remote attacker could use this flaw to send a specially-crafted DNS request packet to BIND, causing it to exit unexpectedly due to a failed assertion. (CVE-2011-2464) Users of bind97 on Red Hat Enterprise Linux 5, and bind on Red Hat Enterprise Linux 6, are advised to upgrade to these updated packages, which resolve this issue. After installing the update, the BIND daemon (named) will be restarted automatically. Important Copyright 2011 Red Hat, Inc. CVE-2011-2464 CVE-2011-2464 bind: Specially constructed packet will cause named to exit cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues: * An integer overflow flaw in ib_uverbs_poll_cq() could allow a local, unprivileged user to cause a denial of service or escalate their privileges. (CVE-2010-4649, Important) * A race condition in the way new InfiniBand connections were set up could allow a remote user to cause a denial of service. (CVE-2011-0695, Important) * A flaw in the Stream Control Transmission Protocol (SCTP) implementation could allow a remote attacker to cause a denial of service if the sysctl "net.sctp.addip_enable" variable was turned on (it is off by default). (CVE-2011-1573, Important) * Flaws in the AGPGART driver implementation when handling certain IOCTL commands could allow a local, unprivileged user to cause a denial of service or escalate their privileges. (CVE-2011-1745, CVE-2011-2022, Important) * An integer overflow flaw in agp_allocate_memory() could allow a local, unprivileged user to cause a denial of service or escalate their privileges. (CVE-2011-1746, Important) * A flaw allowed napi_reuse_skb() to be called on VLAN (virtual LAN) packets. An attacker on the local network could trigger this flaw by sending specially-crafted packets to a target system, possibly causing a denial of service. (CVE-2011-1576, Moderate) * An integer signedness error in next_pidmap() could allow a local, unprivileged user to cause a denial of service. (CVE-2011-1593, Moderate) * A flaw in the way the Xen hypervisor implementation handled CPUID instruction emulation during virtual machine exits could allow an unprivileged guest user to crash a guest. This only affects systems that have an Intel x86 processor with the Intel VT-x extension enabled. (CVE-2011-1936, Moderate) * A flaw in inet_diag_bc_audit() could allow a local, unprivileged user to cause a denial of service (infinite loop). (CVE-2011-2213, Moderate) * A missing initialization flaw in the XFS file system implementation could lead to an information leak. (CVE-2011-0711, Low) * A flaw in ib_uverbs_poll_cq() could allow a local, unprivileged user to cause an information leak. (CVE-2011-1044, Low) * A missing validation check was found in the signals implementation. A local, unprivileged user could use this flaw to send signals via the sigqueueinfo system call, with the si_code set to SI_TKILL and with spoofed process and user IDs, to other processes. Note: This flaw does not allow existing permission checks to be bypassed; signals can only be sent if your privileges allow you to already do so. (CVE-2011-1182, Low) * A heap overflow flaw in the EFI GUID Partition Table (GPT) implementation could allow a local attacker to cause a denial of service by mounting a disk containing specially-crafted partition tables. (CVE-2011-1776, Low) * Structure padding in two structures in the Bluetooth implementation was not initialized properly before being copied to user-space, possibly allowing local, unprivileged users to leak kernel stack memory to user-space. (CVE-2011-2492, Low) Red Hat would like to thank Jens Kuehnel for reporting CVE-2011-0695; Vasiliy Kulikov for reporting CVE-2011-1745, CVE-2011-2022, and CVE-2011-1746; Ryan Sweat for reporting CVE-2011-1576; Robert Swiecki for reporting CVE-2011-1593; Dan Rosenberg for reporting CVE-2011-2213 and CVE-2011-0711; Julien Tinnes of the Google Security Team for reporting CVE-2011-1182; Timo Warns for reporting CVE-2011-1776; and Marek Kroemeke and Filip Palian for reporting CVE-2011-2492. Bug fix documentation will be available shortly from the Technical Notes document linked to in the References. Users should upgrade to these updated packages, which contain backported patches to correct these issues, and fix the bugs noted in the Technical Notes. The system must be rebooted for this update to take effect. Important Copyright 2011 Red Hat, Inc. CVE-2010-4649 CVE-2011-0695 CVE-2011-0711 CVE-2011-1044 CVE-2011-1182 CVE-2011-1573 CVE-2011-1576 CVE-2011-1593 CVE-2011-1745 CVE-2011-1746 CVE-2011-1776 CVE-2011-1936 CVE-2011-2022 CVE-2011-2213 CVE-2011-2492 CVE-2011-0695 kernel: panic in ib_cm:cm_work_handler CVE-2010-4649 CVE-2011-1044 kernel: IB/uverbs: Handle large number of entries in poll CQ CVE-2011-0711 kernel: xfs: prevent leaking uninitialized stack memory in FSGEOMETRY_V1 CVE-2011-1182 kernel signal spoofing issue CVE-2011-1576 kernel: net: Fix memory leak/corruption on VLAN GRO_DROP CVE-2011-1573 kernel: sctp: fix to calc the INIT/INIT-ACK chunk length correctly to set CVE-2011-1593 kernel: proc: signedness issue in next_pidmap() CVE-2011-1745 CVE-2011-2022 kernel: agp: insufficient pg_start parameter checking in AGPIOC_BIND and AGPIOC_UNBIND ioctls CVE-2011-1746 kernel: agp: insufficient page_count parameter checking in agp_allocate_memory() CVE-2011-2492 kernel: bluetooth: l2cap and rfcomm: fix 1 byte infoleak to userspace CVE-2011-1776 kernel: validate size of EFI GUID partition entries [RHEL5.5] Panic in iscsi_sw_tcp_data_ready() [rhel-5.6.z] CVE-2011-1936 kernel: xen: vmx: insecure cpuid vmexit The pci resource for vf is not released after hot-removing Intel 82576 NIC [rhel-5.6.z] GFS2: resource group bitmap corruption resulting in panics and withdraws CVE-2011-2213 kernel: inet_diag: insufficient validation cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues: * It was found that the receive hook in the ipip_init() function in the ipip module, and in the ipgre_init() function in the ip_gre module, could be called before network namespaces setup is complete. If packets were received at the time the ipip or ip_gre module was still being loaded into the kernel, it could cause a denial of service. (CVE-2011-1767, CVE-2011-1768, Moderate) * It was found that an mmap() call with the MAP_PRIVATE flag on "/dev/zero" would create transparent hugepages and trigger a certain robustness check. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2011-2479, Moderate) This update also fixes various bugs. Documentation for these bug fixes will be available shortly from the Technical Notes document linked to in the References section. Users should upgrade to these updated packages, which contain backported patches to resolve these issues, and fix the bugs noted in the Technical Notes. The system must be rebooted for this update to take effect. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-1767 CVE-2011-1768 CVE-2011-2479 CVE-2011-1767 CVE-2011-1768 kernel: netns vs proto registration ordering RHEL6.1 x86_64 HVM guest crashes on AMD host when guest memory size is larger than 8G Cannot find the extended attribute of #11 inode after remount [RHEL6.1] [Kernel] Panic while running testing MLS - cgconfigparser cannot search on /cgroup/ dirs intel-iommu: missing flush prior to removing domains + avoid broken vm/si domain unlinking System Hang when there is smart error on IBM platform CVE-2011-2479 kernel: thp: madvise on top of /dev/zero private mapping can lead to panic cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 NetworkManager is a network link manager that attempts to keep a wired or wireless network connection active at all times. It was found that NetworkManager did not properly enforce PolicyKit settings controlling the permissions to configure wireless network sharing. A local, unprivileged user could use this flaw to bypass intended PolicyKit restrictions, allowing them to enable wireless network sharing. (CVE-2011-2176) Users of NetworkManager should upgrade to these updated packages, which contain a backported patch to correct this issue. Running instances of NetworkManager must be restarted ("service NetworkManager restart") for this update to take effect. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-2176 CVE-2011-2176 NetworkManager: Did not honour PolicyKit auth_admin action element by creation of Ad-Hoc wireless networks cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 Supplementary for Red Hat Enterprise Linux 6 The IBM 1.6.0 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. This update fixes several vulnerabilities in the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. Detailed vulnerability descriptions are linked from the IBM "Security alerts" page, listed in the References section. (CVE-2011-0802, CVE-2011-0814, CVE-2011-0862, CVE-2011-0863, CVE-2011-0865, CVE-2011-0867, CVE-2011-0868, CVE-2011-0869, CVE-2011-0871, CVE-2011-0873) All users of java-1.6.0-ibm are advised to upgrade to these updated packages, containing the IBM 1.6.0 SR9-FP2 Java release. All running instances of IBM Java must be restarted for the update to take effect. Critical Copyright 2011 Red Hat, Inc. CVE-2011-0802 CVE-2011-0814 CVE-2011-0862 CVE-2011-0863 CVE-2011-0865 CVE-2011-0867 CVE-2011-0868 CVE-2011-0869 CVE-2011-0871 CVE-2011-0873 CVE-2011-0865 OpenJDK: Deserialization allows creation of mutable SignedObject (Deserialization, 6618658) CVE-2011-0862 OpenJDK: integer overflows in JPEGImageReader and font SunLayoutEngine (2D, 7013519) CVE-2011-0867 OpenJDK: NetworkInterface information leak (Networking, 7013969) CVE-2011-0869 OpenJDK: unprivileged proxy settings change via SOAPConnection (SAAJ, 7013971) CVE-2011-0868 OpenJDK: incorrect numeric type conversion in TransformHelper (2D, 7016495) CVE-2011-0871 OpenJDK: MediaTracker created Component instances with unnecessary privileges (Swing, 7020198) CVE-2011-0873 Oracle/IBM JDK: unspecified vulnerability fixed in 6u26 (2D) CVE-2011-0863 Oracle/IBM JDK: unspecified vulnerability fixed in 6u26 (Deployment) CVE-2011-0802 CVE-2011-0814 Oracle/IBM JDK: unspecified vulnerabilities fixed in 6u26 (Sound) cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 6 system-config-firewall is a graphical user interface for basic firewall setup. It was found that system-config-firewall used the Python pickle module in an insecure way when sending data (via D-Bus) to the privileged back-end mechanism. A local user authorized to configure firewall rules using system-config-firewall could use this flaw to execute arbitrary code with root privileges, by sending a specially-crafted serialized object. (CVE-2011-2520) Red Hat would like to thank Marco Slaviero of SensePost for reporting this issue. This erratum updates system-config-firewall to use JSON (JavaScript Object Notation) for data exchange, instead of pickle. Therefore, an updated version of system-config-printer that uses this new communication data format is also provided in this erratum. Users of system-config-firewall are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. Running instances of system-config-firewall must be restarted before the utility will be able to communicate with its updated back-end. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-2520 CVE-2011-2520 system-config-firewall: privilege escalation flaw via use of python pickle cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Mutt is a text-mode mail user agent. A flaw was found in the way Mutt verified SSL certificates. When a server presented an SSL certificate chain, Mutt could ignore a server hostname check failure. A remote attacker able to get a certificate from a trusted Certificate Authority could use this flaw to trick Mutt into accepting a certificate issued for a different hostname, and perform man-in-the-middle attacks against Mutt's SSL connections. (CVE-2011-1429) All Mutt users should upgrade to this updated package, which contains a backported patch to correct this issue. All running instances of Mutt must be restarted for this update to take effect. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-1429 CVE-2011-1429 mutt: SSL host name check may be skipped when verifying certificate chain cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The System Security Services Daemon (SSSD) provides a set of daemons to manage access to remote directories and authentication mechanisms. It provides an NSS and PAM interface toward the system and a pluggable back-end system to connect to multiple different account sources. It is also the basis to provide client auditing and policy services for projects such as FreeIPA. A flaw was found in the SSSD PAM responder that could allow a local attacker to force SSSD to enter an infinite loop via a carefully-crafted packet. With SSSD unresponsive, legitimate users could be denied the ability to log in to the system. (CVE-2010-4341) Red Hat would like to thank Sebastian Krahmer for reporting this issue. These updated sssd packages include a number of bug fixes and enhancements. Space precludes documenting all of these changes in this advisory. Refer to the Red Hat Enterprise Linux 5.7 Technical Notes for information about these changes: https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5/html/5.7_Technical_Notes/sssd.html#RHSA-2011-0975 All sssd users are advised to upgrade to these updated sssd packages, which upgrade SSSD to upstream version 1.5.1 to correct this issue, and fix the bugs and add the enhancements noted in the Technical Notes. Low Copyright 2011 Red Hat, Inc. CVE-2010-4341 sssd is not escaping correctly LDAP searches CVE-2010-4341 sssd: DoS in sssd PAM responder can prevent logins sssd corrupts group cache sssd segfault when first entry of ldap_uri is unreachable Remove HBAC time rules from SSSD SSSD in 5.6 can not locate HBAC rules from FreeIPAv2 name service caches names, so id command shows recently deleted users User information not updated on login for secondary domains SSSD needs to look at IPA's compat tree for netgroups IPA provider does not update removed group memberships on initgroups sssd crashes at the next tgt renewals it tries. SSSD IPA provider should honor the krb5_realm option Does not read renewable ccache at startup. sssd-be segmentation fault - ipa-client on ipa-server sssd_nss core dumps with certain lookups IPA provider should use realm instead of ipa_domain for base DN sudo/ldap lookup via sssd gets stuck for 5min waiting on netgroup Build SSSD in RHEL 5.7 against openldap24-libs authconfig fails when access_provider is set as krb5 in sssd.conf. sssd 1.5.1-9 breaks AD authentication group memberships are not populated correctly during IPA provider initgroups multiple problems with sssd + ldap (Active-Directory) and groups members. SSSD should skip over groups with multiple names Traceback messages seen while interrupting sss_obfuscate using ctrl+d. [abrt] sssd-1.2.1-28.el6_0.4: _talloc_free: Process /usr/libexec/sssd/sssd_be was killed by signal 11 (SIGSEGV) Groups with a zero-length memberuid attribute can cause SSSD to stop caching and responding to requests SSSD needs to fall back to 'cn' for GECOS information (was: SSSD configuration problem when configured with MSAD) Process /usr/libexec/sssd/sssd_be was killed by signal 11 (SIGSEGV) SSSD consumes GBs of RAM, possible memory leak SSSD crashes during getent when anonymous bind is disabled. Unable to resolve SRV record when called with _srv_,<fixed ldap uri> in ldap_uri [REGRESSION] Filters not honoured against fully-qualified users. sssd client libraries use select() but should use poll() instead latest sssd fails if ldap_default_authtok_type is not mentioned SSSD's async resolver only tries the first nameserver in /etc/resolv.conf cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 rsync is a program for synchronizing files over a network. A flaw was found in the way the rsync daemon handled the "filter", "exclude", and "exclude from" options, used for hiding files and preventing access to them from rsync clients. A remote attacker could use this flaw to bypass those restrictions by using certain command line options and symbolic links, allowing the attacker to overwrite those files if they knew their file names and had write access to them. (CVE-2007-6200) Note: This issue only affected users running rsync as a writable daemon: "read only" set to "false" in the rsync configuration file (for example, "/etc/rsyncd.conf"). By default, this option is set to "true". This update also fixes the following bugs: * The rsync package has been upgraded to upstream version 3.0.6, which provides a number of bug fixes and enhancements over the previous version. (BZ#339971) * When running an rsync daemon that was receiving files, a deferred info, error or log message could have been sent directly to the sender instead of being handled by the "rwrite()" function in the generator. Also, under certain circumstances, a deferred info or error message from the receiver could have bypassed the log file and could have been sent only to the client process. As a result, an "unexpected tag 3" fatal error could have been displayed. These problems have been fixed in this update so that an rsync daemon receiving files now works as expected. (BZ#471182) * Prior to this update, the rsync daemon called a number of timezone-using functions after doing a chroot. As a result, certain C libraries were unable to generate proper timestamps from inside a chrooted daemon. This bug has been fixed in this update so that the rsync daemon now calls the respective timezone-using functions prior to doing a chroot, and proper timestamps are now generated as expected. (BZ#575022) * When running rsync under a non-root user with the "-A" ("--acls") option and without using the "--numeric-ids" option, if there was an Access Control List (ACL) that included a group entry for a group that the respective user was not a member of on the receiving side, the "acl_set_file()" function returned an invalid argument value ("EINVAL"). This was caused by rsync mistakenly mapping the group name to the Group ID "GID_NONE" ("-1"), which failed. The bug has been fixed in this update so that no invalid argument is returned and rsync works as expected. (BZ#616093) * When creating a sparse file that was zero blocks long, the "rsync --sparse" command did not properly truncate the sparse file at the end of the copy transaction. As a result, the file size was bigger than expected. This bug has been fixed in this update by properly truncating the file so that rsync now copies such files as expected. (BZ#530866) * Under certain circumstances, when using rsync in daemon mode, rsync generator instances could have entered an infinitive loop, trying to write an error message for the receiver to an invalid socket. This problem has been fixed in this update by adding a new sibling message: when the receiver is reporting a socket-read error, the generator will notice this fact and avoid writing an error message down the socket, allowing it to close down gracefully when the pipe from the receiver closes. (BZ#690148) * Prior to this update, there were missing deallocations found in the "start_client()" function. This bug has been fixed in this update and no longer occurs. (BZ#700450) All users of rsync are advised to upgrade to this updated package, which resolves these issues and adds enhancements. Moderate Copyright 2011 Red Hat, Inc. CVE-2007-6200 [RFE] Rebase rsync packages to version 3 CVE-2007-6200 rsync excluded content access restrictions bypass via symlinks rsync errors: unexpected tag 3 [sender] rsync --sparse does not properly copy sparse files rsyncd gets confused with timezones when logging to syslog EINVAL (Invalid argument) setting group --acls Rsync instances stay in memory when using in daemon mode Resource leaks revealed by Coverity scan. cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The rgmanager package contains the Red Hat Resource Group Manager, which provides the ability to create and manage high-availability server applications in the event of system downtime. It was discovered that certain resource agent scripts set the LD_LIBRARY_PATH environment variable to an insecure value containing empty path elements. A local user able to trick a user running those scripts to run them while working from an attacker-writable directory could use this flaw to escalate their privileges via a specially-crafted dynamic library. (CVE-2010-3389) Red Hat would like to thank Raphael Geissert for reporting this issue. This update also fixes the following bugs: * The failover domain "nofailback" option was not honored if a service was in the "starting" state. This bug has been fixed. (BZ#669440) * PID files with white spaces in the file name are now handled correctly. (BZ#632704) * The /usr/sbin/rhev-check.sh script can now be used from within Cron. (BZ#634225) * The clustat utility now reports the correct version. (BZ#654160) * The oracledb.sh agent now attempts to try the "shutdown immediate" command instead of using the "shutdown abort" command. (BZ#633992) * The SAPInstance and SAPDatabase scripts now use proper directory name quoting so they no longer collide with directory names like "/u". (BZ#637154) * The clufindhostname utility now returns the correct value in all cases. (BZ#592613) * The nfsclient resource agent now handles paths with trailing slashes correctly. (BZ#592624) * The last owner of a service is now reported correctly after a failover. (BZ#610483) * The /usr/share/cluster/fs.sh script no longer runs the "quotaoff" command if quotas were not configured. (BZ#637678) * The "listen" line in the /etc/httpd/conf/httpd.conf file generated by the Apache resource agent is now correct. (BZ#675739) * The tomcat-5 resource agent no longer generates incorrect configurations. (BZ#637802) * The time required to stop an NFS resource when the server is unavailable has been reduced. (BZ#678494) * When using exclusive prioritization, a higher priority service now preempts a lower priority service after status check failures. (BZ#680256) * The postgres-8 resource agent now correctly detects failed start operations. (BZ#663827) * The handling of reference counts passed by rgmanager to resource agents now works properly, as expected. (BZ#692771) As well, this update adds the following enhancements: * It is now possible to disable updates to static routes by the IP resource agent. (BZ#620700) * It is now possible to use XFS as a file system within a cluster service. (BZ#661893) * It is now possible to use the "clustat" command as a non-root user, so long as that user is in the "root" group. (BZ#510300) * It is now possible to migrate virtual machines when central processing is enabled. (BZ#525271) * The rgmanager init script will now delay after stopping services in order to allow time for other nodes to restart them. (BZ#619468) * The handling of failed independent subtrees has been corrected. (BZ#711521) All users of Red Hat Resource Group Manager are advised to upgrade to this updated package, which contains backported patches to correct these issues and add these enhancements. Low Copyright 2011 Red Hat, Inc. CVE-2010-3389 clufindhostname -i returns random value nfsclient exports doens't work. last_owner is not correctly updated on service reallocarion on failover If whitespace in mysql resource name then pid file is not found rhev-check.sh needs /usr/sbin in path SAPInstance and SAPDatabase fail to start/stop/status if /u exists service failover hangs at quotaoff in /usr/share/cluster/fs.sh Fix problems in generated config file for tomcat-5 CVE-2010-3389 rgmanager: insecure library loading vulnerability clustat -v reports "clustat version DEVEL" on release package Support/testing of XFS filesystem as part of RHEL Cluster postgres-8 resource agent does not detect a failed start of postgres server Service will failback on "nofailback" failover domain if service is in "starting" state Listen line in generated httpd.conf incorrect netfs.sh patch, when network is lost it takes too long to unmount the NFS filesystems Service with highest exclusive prio should be relocated to another node with lower exclusive prio Dependencies in independent_tree resources does not work as expected cpe:/a:redhat:rhel_cluster Red Hat Enterprise Linux 5 The sysstat package contains a set of utilities which enable system monitoring of disks, network, and other I/O activity. It was found that the sysstat initscript created a temporary file in an insecure way. A local attacker could use this flaw to create arbitrary files via a symbolic link attack. (CVE-2007-3852) This update fixes the following bugs: * On systems under heavy load, the sadc utility would sometimes output the following error message if a write() call was unable to write all of the requested input: "Cannot write data to system activity file: Success." In this updated package, the sadc utility tries to write the remaining input, resolving this issue. (BZ#454617) * On the Itanium architecture, the "sar -I" command provided incorrect information about the interrupt statistics of the system. With this update, the "sar -I" command has been disabled for this architecture, preventing this bug. (BZ#468340) * Previously, the "iostat -n" command used invalid data to create statistics for read and write operations. With this update, the data source for these statistics has been fixed, and the iostat utility now returns correct information. (BZ#484439) * The "sar -d" command used to output invalid data about block devices. With this update, the sar utility recognizes disk registration and disk overflow statistics properly, and only correct and relevant data is now displayed. (BZ#517490) * Previously, the sar utility set the maximum number of days to be logged in one month too high. Consequently, data from a month was appended to data from the preceding month. With this update, the maximum number of days has been set to 25, and data from a month now correctly replaces data from the preceding month. (BZ#578929) * In previous versions of the iostat utility, the number of NFS mount points was hard-coded. Consequently, various issues occurred while iostat was running and NFS mount points were mounted or unmounted; certain values in iostat reports overflowed and some mount points were not reported at all. With this update, iostat properly recognizes when an NFS mount point mounts or unmounts, fixing these issues. (BZ#675058, BZ#706095, BZ#694767) * When a device name was longer than 13 characters, the iostat utility printed a redundant new line character, making its output less readable. This bug has been fixed and now, no extra characters are printed if a long device name occurs in iostat output. (BZ#604637) * Previously, if kernel interrupt counters overflowed, the sar utility provided confusing output. This bug has been fixed and the sum of interrupts is now reported correctly. (BZ#622557) * When some processors were disabled on a multi-processor system, the sar utility sometimes failed to provide information about the CPU activity. With this update, the uptime of a single processor is used to compute the statistics, rather than the total uptime of all processors, and this bug no longer occurs. (BZ#630559) * Previously, the mpstat utility wrongly interpreted data about processors in the system. Consequently, it reported a processor that did not exist. This bug has been fixed and non-existent CPUs are no longer reported by mpstat. (BZ#579409) * Previously, there was no easy way to enable the collection of statistics about disks and interrupts. Now, the SADC_OPTIONS variable can be used to set parameters for the sadc utility, fixing this bug. (BZ#598794) * The read_uptime() function failed to close its open file upon exit. A patch has been provided to fix this bug. (BZ#696672) This update also adds the following enhancement: * With this update, the cifsiostat utility has been added to the sysstat package to provide CIFS (Common Internet File System) mount point I/O statistics. (BZ#591530) All sysstat users are advised to upgrade to this updated package, which contains backported patches to correct these issues and add this enhancement. Low Copyright 2011 Red Hat, Inc. CVE-2007-3852 CVE-2007-3852 sysstat insecure temporary file usage [RHEL5] Though function write() executed sucessful, sadc end with an error. iostat -n enhancement not report NFS client stats correctly The 'sar -d ' command outputs invalid data March sar data was appended to February data The sysstat's programs such as mpstat shows one extra cpu. Enable parametrization of sadc arguments extraneous newline in iostat report for long device names sar interrupt count goes backward 'sar -P ALL -f xxxx ' does not display activity information. iostat: bogus value appears when device is unmounted/mounted iostat doesn't report statistics for shares with long names Resource leak iostat -n - values in output overflows cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. An integer overflow flaw was found in libvirtd's RPC call handling. An attacker able to establish read-only connections to libvirtd could trigger this flaw by calling virDomainGetVcpus() with specially-crafted parameters, causing libvirtd to crash. (CVE-2011-2511) This update fixes the following bugs: * libvirt was rebased from version 0.6.3 to version 0.8.2 in Red Hat Enterprise Linux 5.6. A code audit found a minor API change that effected error messages seen by libvirt 0.8.2 clients talking to libvirt 0.7.1 – 0.7.7 (0.7.x) servers. A libvirt 0.7.x server could send VIR_ERR_BUILD_FIREWALL errors where a libvirt 0.8.2 client expected VIR_ERR_CONFIG_UNSUPPORTED errors. In other circumstances, a libvirt 0.8.2 client saw a "Timed out during operation" message where it should see an "Invalid network filter" error. This update adds a backported patch that allows libvirt 0.8.2 clients to interoperate with the API as used by libvirt 0.7.x servers, ensuring correct error messages are sent. (BZ#665075) * libvirt could crash if the maximum number of open file descriptors (_SC_OPEN_MAX) grew larger than the FD_SETSIZE value because it accessed file descriptors outside the bounds of the set. With this update the maximum number of open file descriptors can no longer grow larger than the FD_SETSIZE value. (BZ#665549) * A libvirt race condition was found. An array in the libvirt event handlers was accessed with a lock temporarily released. In rare cases, if one thread attempted to access this array but a second thread reallocated the array before the first thread reacquired a lock, it could lead to the first thread attempting to access freed memory, potentially causing libvirt to crash. With this update libvirt no longer refers to the old array and, consequently, behaves as expected. (BZ#671569) * Guests connected to a passthrough NIC would kernel panic if a system_reset signal was sent through the QEMU monitor. With this update you can reset such guests as expected. (BZ#689880) * When using the Xen kernel, the rpmbuild command failed on the xencapstest test. With this update you can run rpmbuild successfully when using the Xen kernel. (BZ#690459) * When a disk was hot unplugged, "ret >= 0" was passed to the qemuAuditDisk calls in disk hotunplug operations before ret was, in fact, set to 0. As well, the error path jumped to the "cleanup" label prematurely. As a consequence, hotunplug failures were not audited and hotunplug successes were audited as failures. This was corrected and hot unplugging checks now behave as expected. (BZ#710151) * A conflict existed between filter update locking sequences and virtual machine startup locking sequences. When a filter update occurred on one or more virtual machines, a deadlock could consequently occur if a virtual machine referencing a filter was started. This update changes and makes more flexible several qemu locking sequences ensuring this deadlock no longer occurs. (BZ#697749) * qemudDomainSaveImageStartVM closed some incoming file descriptor (fd) arguments without informing the caller. The consequent double-closes could cause Domain restoration failure. This update alters the qemudDomainSaveImageStartVM signature to prevent the double-closes. (BZ#681623) This update also adds the following enhancements: * The libvirt Xen driver now supports more than one serial port. (BZ#670789) * Enabling and disabling the High Precision Event Timer (HPET) in Xen domains is now possible. (BZ#703193) All libvirt users should install this update which addresses this vulnerability, fixes these bugs and adds these enhancements. After installing the updated packages, libvirtd must be restarted ("service libvirtd restart") for this update to take effect. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-2511 minor libvirt API break in error reporting libvirt crash on src/util/util.c in __virExec race condition in libvirt could lead to crash on event handling libvirt double-close bug in tight loop of save/restore [5.7] guest with passthrough nic got kernel panic when send system_reset signal in QEMU monitor rpmbuild failed on xencapstest when running under xen kernel Deadlock between VM ops and filter update support enabling/disabling xen hpet Auditing of QEMU driver disk hotunplug events logs is missing and/or incorrect CVE-2011-2511 libvirt: integer overflow in VirDomainGetVcpus cpe:/a:redhat:rhel_virtualization Red Hat Enterprise Linux 5 The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues: * A flaw was found in the way the Xen hypervisor implementation handled instruction emulation during virtual machine exits. A malicious user-space process running in an SMP guest could trick the emulator into reading a different instruction than the one that caused the virtual machine to exit. An unprivileged guest user could trigger this flaw to crash the host. This only affects systems with both an AMD x86 processor and the AMD Virtualization (AMD-V) extensions enabled. (CVE-2011-1780, Important) * A flaw allowed the tc_fill_qdisc() function in the Linux kernel's packet scheduler API implementation to be called on built-in qdisc structures. A local, unprivileged user could use this flaw to trigger a NULL pointer dereference, resulting in a denial of service. (CVE-2011-2525, Moderate) * A flaw was found in the way space was allocated in the Linux kernel's Global File System 2 (GFS2) implementation. If the file system was almost full, and a local, unprivileged user made an fallocate() request, it could result in a denial of service. Note: Setting quotas to prevent users from using all available disk space would prevent exploitation of this flaw. (CVE-2011-2689, Moderate) These updated kernel packages include a number of bug fixes and enhancements. Space precludes documenting all of these changes in this advisory. Refer to the Red Hat Enterprise Linux 5.7 Technical Notes for information about the most significant bug fixes and enhancements included in this update: https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5/html/5.7_Technical_Notes/kernel.html#RHSA-2011-1065 All Red Hat Enterprise Linux 5 users are advised to install these updated packages, which correct these issues. The system must be rebooted for this update to take effect. Important Copyright 2011 Red Hat, Inc. CVE-2011-1780 CVE-2011-2525 CVE-2011-2689 Pick up paging performance improvements from upstream Xen lsattr doesn't show attributes of ext3 quota files [rhts] connectathon nfsidem test failing [RHEL5.2]: Blktap is limited to 100 disks total pv-on-hvm: disk shows up twice. NMI Watchdog detected LOCKUP in :sctp:sctp_copy_local_addr_list kdump hang on HP xw9400 HTB qdisc miscalculates bandwidth with TSO enabled update myri10g driver from 1.3.2 to 1.5.2 export of an NFSV3 file system via kerberos requires AUTH_SYS as well s2io should check inputs for rx_ring_sz Read-only filesystem after 'ext3_free_blocks_sb: bit already cleared for block' errors No beep when running xen kernel [NFS]: silly renamed .nfs0000* files can be left on fs forever Sequence id issue with nfs4/kerberos between RHEL kernel and Fedora 11 soft lockups with kswapd in RHEL 5.4 kernel 2.6.18-164.el5 x86_64 KERNEL: QLA2XXX 0000:0E:00.0: RISC PAUSED -- HCCR=0, DUMPING FIRMWARE! xts crypto module missing from RHEL5 installer runtime GFS2: recovery stuck on transaction lock RHEL5.6: iw_cxgb4 driver inclusion unregister_netdevice: waiting for veth5 to become free when I remove netloop [RFE] Support L2 packets under bonding layer Wrong RX bytes/packet count on vlan interface with igb driver slab corruption after seeing some nfs-related BUG: warning i5k_amb does not work for Intel 5000 Chipset (kernel) System panic in pskb_expand_head When arp_validate option is specified in bonding ARP monitor mode kvm guest unable to kdump without noapic Host panic on cross-vendor migration (RHEL 5.5 guest) Xorg failures on machines using intel video card driver Reading /proc/locks yelds corrupt data synch arch/i386/pci/irq-xen.c GFS2: [RFE] fallocate support for GFS2 nfs: too many GETATTR and ACCESS calls after direct i/o [nfs] make close(2) asynchronous when closing nfs o_direct files Fix shrinking windows with window scaling remove FS-Cache code from NFS Misleading message from fs/nfs/file.c:do_vfs_lock() testing NMI watchdog ... <4>WARNING: CPU#0: NMI appears to be stuck (62->62)! Areca driver, arcmsr, update GFS2: Not enough space reserved in gfs2_write_begin and possibly elsewhere. ip_nat_ftp not working if ack for "227 Enter Passive mode" packet is lost [netfront] ethtool -i should return proper information for netfront device [netback] ethtool -i should return proper information for netback device ISCSI/multipath hang - must propagate SCSI device deletion to DM mpath SIGPROF keeps a large task from ever completing a fork() RFE: Virtio nic should be support "ethtool -i virtio nic" HP_GETHOSTINFO ioctl always causes mpt controller reset virtio GSO makes IPv6 very slow fseek()/NFS performance regression between RHEL4 and RHEL5 linux-2.6.18: netback: take net_schedule_list_lock when removing entry from net_schedule_list RHEL5.6: EHCI: AMD periodic frame list table quirk BAD SEQID error messages returned by the NFS server e1000 driver tracebacks when running under VMware ESX4 jbd2_stats_proc_init has wrong location. temporary loss of path to SAN results in persistent EIO with msync [5.6][REG]for some uses of 'nfsservctl' system call, the kernel crashes. bonding failover in every monitor interval with virtio-net driver sunrpc: need a better way to set tcp_slot_table_entries in RHEL 5 Memory leak in virtio-console driver if driver probe routine fails XFS causes kernel panic due to double free of log tickets NMI panic during xfs forced shutdown Kernel warning at boot: i7core_edac: probe of 0000:80:14.0 failed with error -22 Kernel panic when restart network on vlan with bonding cifs: ia64 kernel unaligned access Performance counters don't work on HP Magnycours machines dm-crypt: backport changes to support xts crypto mode fsck.gfs2 reported statfs error after gfs2_grow [LSI 5.7 feat] Update megaraid_sas to 5.34 and Include "Thunderbolt" support mpctl module doesn't release fasync_struct at file close xfstest 222: filesystem on /dev/loop0 is inconsistent [Cisco 5.7 FEAT] Update enic driver to version 2.1.1.9 GFS2: Kernel changes necessary to allow growing completely full filesystems. gfs2 FIEMAP oops /proc/partitions not updating after creating LUNs via hpacucli [ext4/xfstests] 011 caused filesystem corruption after running many times in a loop a test unit ready causes a panic on 5.6 (CCISS driver) COW corruption using popen(3). WARNING: APIC timer calibration may be wrong ISVM bit (ECX:31) for CPUID 0x00000001 is missing for HVM on AMD GFS2: Blocks not marked free on delete scsi_dh_emc gives "error attaching hardware handler" for EMC active-active SANs Heavy load on ath5k wireless device makes system unresponsive lib: fix vscnprintf() if @size is == 0 [NetApp 5.7 Bug] Include new NetApp PID entry to the alua_dev_list array in the ALUA hardware handler "modprobe ip_conntrack hashsize=NNNN" panics kernel if /etc/modprobe.conf has hashsize=MMMM UDP transmit under VLAN causes guest freeze incomplete local port reservation [NetApp 5.6 Bug] Erroneous TPG ID check in SCSI ALUA Handler scsi_dh_emc get_req function should set REQ_FAILFAST flags same as upstream and other modules panic in kfree() due to race condition in acpi_bus_receive_event() [bonding] crash when adding/removing slaves with master interface down Flapping errors (and panic) with bonding and arp_interval while using be2net included in 2.6.18-238 transmission stops when tap does not consume mmapping a read only file on a gfs2 filesystem incorrectly acquires an exclusive glock lseek() over NFS is returning an incorrect file length under some circumstances kernel panic in pg_init_done - pgpath already deleted Time runs too fast in a VM on processors with > 4GHZ freq virtio_console driver never returns from selecting for write when the queue is full vdso gettimeofday causes a segmentation fault Impossible to load sctp module with ipv6 disable=1 Panic in selinux_bprm_post_apply_creds() due to an empty tty_files list [NetApp 5.6 Bug] QLogic 8G FC firmware dumps seen during IO xenctx shows nonsensical values for 32-on-64 and HVM domains vdso: missing wall_to_monotomic export Fix block based fiemap [RHEL5.5] Panic in iscsi_sw_tcp_data_ready() [TestOnly] gfs regression testing for 5.7 beta Incorrect "Speed" is recorded in the file "/proc/net/bonding/bondX" qeth: allow channel path changes in recovery [usb-audio] unable to set capture mixer levels online disk resizing may cause data corruption hap_gva_to_gfn_* do not preserve domain context gdbsx hypervisor part backport qeth: remove needless IPA-commands in offline [5.7] niu: Fix races between up/down and get_stats. [5.7] net: Fix netdev_run_todo serialization sunrpc: reconnect race can lead to socket read corruption backport vzalloc and vzalloc_node in support of drivers needing these functions Out of vmalloc space gfs2: creating large files suddenly slow to a crawl need to backport common vpd infrastructure to rhel 5 missed unlock_page() in gfs2_write_begin() intel_iommu domain id exhaustion [5.6] sysctl tcp_syn_retries is not honored guest with passthrough nic got kernel panic when send system_reset signal in QEMU monitor GFS2 causes kernel panic in spectator mode GFS2: resource group bitmap corruption resulting in panics and withdraws need to backport debugfs_remove_recursive functionality dasd: fix race between open and offline Missing patch for full use of tcp_rto_min parameter [Emulex 5.7] Update lpfc driver to version 8.2.0.96.1p The pci resource for vf is not released after hot-removing Intel 82576 NIC RHEL5: apparent file system corruption of snapshot fs with qla2xxx driver NFS: Fix build break with CONFIG_NFS_V4=n provide option to disable HPET CVE-2011-1780 kernel: xen: svm: insufficiencies in handling emulated instructions during vm exits GFS2: Add "dlm callback owed" glock flag host kernel panic while guest running on 10G public bridge. VT-d: Fix resource leaks on error paths in intremap code cifs: regression in unicode conversion routines when mounting with -o mapchars intel-iommu: missing flush prior to removing domains + avoid broken vm/si domain unlinking hvm guest time may go backwards on some hosts Adding slave to balance-tlb bond device results in soft lockup setfacl does not update ctime when changing file permission on ext3/4 12% degradation running IOzone with Outcache testing Kernel panics during Veritas SF testing. [RHEL5.7][kernel-xen] HVM guests hang during installation on AMD systems CVE-2011-2525 kernel: kernel: net_sched: fix qdisc_notify() CVE-2011-2689 kernel: gfs2: make sure fallocate bytes is a multiple of blksize cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Bash is the default shell for Red Hat Enterprise Linux. It was found that certain scripts bundled with the Bash documentation created temporary files in an insecure way. A malicious, local user could use this flaw to conduct a symbolic link attack, allowing them to overwrite the contents of arbitrary files accessible to the victim running the scripts. (CVE-2008-5374) This update fixes the following bugs: * When using the source builtin at location ".", occasionally, bash opted to preserve internal consistency and abort scripts. This caused bash to abort scripts that assigned values to read-only variables. This is now fixed to ensure that such scripts are now executed as written and not aborted. (BZ#448508) * When the tab key was pressed for auto-completion options for the typed text, the cursor moved to an unexpected position on a previous line if the prompt contained characters that cannot be viewed and a "\]". This is now fixed to retain the cursor at the expected position at the end of the target line after autocomplete options correctly display. (BZ#463880) * Bash attempted to interpret the NOBITS .dynamic section of the ELF header. This resulted in a "^D: bad ELF interpreter: No such file or directory" message. This is fixed to ensure that the invalid "^D" does not appear in the error message. (BZ#484809) * The $RANDOM variable in Bash carried over values from a previous execution for later jobs. This is fixed and the $RANDOM variable generates a new random number for each use. (BZ#492908) * When Bash ran a shell script with an embedded null character, bash's source builtin parsed the script incorrectly. This is fixed and bash's source builtin correctly parses shell script null characters. (BZ#503701) * The bash manual page for "trap" did not mention that signals ignored upon entry cannot be listed later. The manual page was updated for this update and now specifically notes that "Signals ignored upon entry to the shell cannot be trapped, reset or listed". (BZ#504904) * Bash's readline incorrectly displayed additional text when resizing the terminal window when text spanned more than one line, which caused incorrect display output. This is now fixed to ensure that text in more than one line in a resized window displays as expected. (BZ#525474) * Previously, bash incorrectly displayed "Broken pipe" messages for builtins like "echo" and "printf" when output did not succeed due to EPIPE. This is fixed to ensure that the unnecessary "Broken pipe" messages no longer display. (BZ#546529) * Inserts with the repeat function were not possible after a deletion in vi-mode. This has been corrected and, with this update, the repeat function works as expected after a deletion. (BZ#575076) * In some situations, bash incorrectly appended "/" to files instead of just directories during tab-completion, causing incorrect auto-completions. This is fixed and auto-complete appends "/" only to directories. (BZ#583919) * Bash had a memory leak in the "read" builtin when the number of fields being read was not equal to the number of variables passed as arguments, causing a shell script crash. This is fixed to prevent a memory leak and shell script crash. (BZ#618393) * /usr/share/doc/bash-3.2/loadables in the bash package contained source files which would not build due to missing C header files. With this update, the unusable (and unbuildable) source files were removed from the package. (BZ#663656) This update also adds the following enhancement: * The system-wide "/etc/bash.bash_logout" bash logout file is now enabled. This allows administrators to write system-wide logout actions for all users. (BZ#592979) Users of bash are advised to upgrade to this updated package, which contains backported patches to resolve these issues and add this enhancement. Low Copyright 2011 Red Hat, Inc. CVE-2008-5374 Parsing of {} broken; breaks startup scripts bash completion in UTF8 locale has cursor positioning errors with long $PS1 CVE-2008-5374 bash: Insecure temporary file use in aliasconv.sh, aliasconv.bash, cshtobash (symlink attack) [RHEL5] bash includes Control-D in "bad ELF interpreter" message $RANDOM value remains the same Cannot process scripts beyond an embedded NULL character when running in 'source' mode trap -p not displaying ignored signal when run from child bash bash/readline not detecting window resize properly tab-completion appends slash to non-directories system global bash.bash_logout is diabled in config-top.h memory leak in bash reading files Unusable loadables in /doc cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 FUSE (Filesystem in Userspace) can implement a fully functional file system in a user-space program. These packages provide the mount utility, fusermount, the tool used to mount FUSE file systems. Multiple flaws were found in the way fusermount handled the mounting and unmounting of directories when symbolic links were present. A local user in the fuse group could use these flaws to unmount file systems, which they would otherwise not be able to unmount and that were not mounted using FUSE, via a symbolic link attack. (CVE-2010-3879, CVE-2011-0541, CVE-2011-0542, CVE-2011-0543) Note: The util-linux-ng RHBA-2011:0699 update must also be installed to fully correct the above flaws. All users should upgrade to these updated packages, which contain backported patches to correct these issues. Moderate Copyright 2011 Red Hat, Inc. CVE-2010-3879 CVE-2011-0541 CVE-2011-0542 CVE-2011-0543 CVE-2010-3879 CVE-2011-0541 CVE-2011-0542 CVE-2011-0543 fuse: unprivileged user can unmount arbitrary locations via symlink attack cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 The libsndfile packages provide a library for reading and writing sound files. An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way the libsndfile library processed certain Ensoniq PARIS Audio Format (PAF) audio files. An attacker could create a specially-crafted PAF file that, when opened, could cause an application using libsndfile to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2011-2696) Users of libsndfile are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. All running applications using libsndfile must be restarted for the update to take effect. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-2696 CVE-2011-2696 libsndfile: Application crash due integer overflow by processing certain PAF audio files cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 FreeType is a free, high-quality, portable font engine that can open and manage font files. It also loads, hints, and renders individual glyphs efficiently. These packages provide the FreeType 2 font engine. A flaw was found in the way the FreeType font rendering engine processed certain PostScript Type 1 fonts. If a user loaded a specially-crafted font file with an application linked against FreeType, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2011-0226) Users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. The X server must be restarted (log out, then log back in) for this update to take effect. Important Copyright 2011 Red Hat, Inc. CVE-2011-0226 CVE-2011-0226 freetype: postscript type1 font parsing vulnerability cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 6 Supplementary for Red Hat Enterprise Linux 5 The IBM 1.5.0 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. This update fixes several vulnerabilities in the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. Detailed vulnerability descriptions are linked from the IBM "Security alerts" page, listed in the References section. (CVE-2011-0802, CVE-2011-0814, CVE-2011-0862, CVE-2011-0865, CVE-2011-0867, CVE-2011-0871, CVE-2011-0873) All users of java-1.5.0-ibm are advised to upgrade to these updated packages, containing the IBM 1.5.0 SR12-FP5 Java release. All running instances of IBM Java must be restarted for this update to take effect. Critical Copyright 2011 Red Hat, Inc. CVE-2011-0802 CVE-2011-0814 CVE-2011-0862 CVE-2011-0865 CVE-2011-0867 CVE-2011-0871 CVE-2011-0873 CVE-2011-0865 OpenJDK: Deserialization allows creation of mutable SignedObject (Deserialization, 6618658) CVE-2011-0862 OpenJDK: integer overflows in JPEGImageReader and font SunLayoutEngine (2D, 7013519) CVE-2011-0867 OpenJDK: NetworkInterface information leak (Networking, 7013969) CVE-2011-0871 OpenJDK: MediaTracker created Component instances with unnecessary privileges (Swing, 7020198) CVE-2011-0873 Oracle/IBM JDK: unspecified vulnerability fixed in 6u26 (2D) CVE-2011-0802 CVE-2011-0814 Oracle/IBM JDK: unspecified vulnerabilities fixed in 6u26 (Sound) cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 6 SystemTap is an instrumentation system for systems running the Linux kernel. The system allows developers to write scripts to collect data on the operation of the system. It was found that SystemTap did not perform proper module path sanity checking if a user specified a custom path to the uprobes module, used when performing user-space probing ("staprun -u"). A local user who is a member of the stapusr group could use this flaw to bypass intended module-loading restrictions, allowing them to escalate their privileges by loading an arbitrary, unsigned module. (CVE-2011-2502) A race condition flaw was found in the way the staprun utility performed module loading. A local user who is a member of the stapusr group could use this flaw to modify a signed module while it is being loaded, allowing them to escalate their privileges. (CVE-2011-2503) SystemTap users should upgrade to these updated packages, which contain backported patches to correct these issues. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-2502 CVE-2011-2503 CVE-2011-2502 systemtap: insufficient security check when loading uprobes kernel module CVE-2011-2503 systemtap: signed module loading race condition cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 SystemTap is an instrumentation system for systems running the Linux kernel. The system allows developers to write scripts to collect data on the operation of the system. A race condition flaw was found in the way the staprun utility performed module loading. A local user who is a member of the stapusr group could use this flaw to modify a signed module while it is being loaded, allowing them to escalate their privileges. (CVE-2011-2503) SystemTap users should upgrade to these updated packages, which contain a backported patch to correct this issue. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-2503 CVE-2011-2503 systemtap: signed module loading race condition cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 The IcedTea-Web project provides a Java web browser plug-in and an implementation of Java Web Start, which is based on the Netx project. It also contains a configuration tool for managing deployment settings for the plug-in and Web Start implementations. A flaw was discovered in the JNLP (Java Network Launching Protocol) implementation in IcedTea-Web. An unsigned Java Web Start application could use this flaw to manipulate the content of a Security Warning dialog box, to trick a user into granting the application unintended access permissions to local files. (CVE-2011-2514) An information disclosure flaw was discovered in the JNLP implementation in IcedTea-Web. An unsigned Java Web Start application or Java applet could use this flaw to determine the path to the cache directory used to store downloaded Java class and archive files, and therefore determine the user's login name. (CVE-2011-2513) All icedtea-web users should upgrade to these updated packages, which contain backported patches to correct these issues. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-2513 CVE-2011-2514 CVE-2011-2513 icedtea, icedtea-web: home directory path disclosure to untrusted applications CVE-2011-2514 icedtea-web: Java Web Start security warning dialog manipulation cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 libsoup is an HTTP client/library implementation for GNOME. A directory traversal flaw was found in libsoup's SoupServer. If an application used SoupServer to implement an HTTP service, a remote attacker who is able to connect to that service could use this flaw to access any local files accessible to that application via a specially-crafted request. (CVE-2011-2524) All users of libsoup should upgrade to these updated packages, which contain a backported patch to resolve this issue. All running applications using libsoup's SoupServer must be restarted for the update to take effect. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-2524 CVE-2011-2524 libsoup: SoupServer directory traversal flaw cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The libpng packages contain a library of functions for creating and manipulating PNG (Portable Network Graphics) image format files. An uninitialized memory read issue was found in the way libpng processed certain PNG images that use the Physical Scale (sCAL) extension. An attacker could create a specially-crafted PNG image that, when opened, could cause an application using libpng to crash. (CVE-2011-2692) Users of libpng and libpng10 should upgrade to these updated packages, which contain a backported patch to correct this issue. All running applications using libpng or libpng10 must be restarted for the update to take effect. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-2692 CVE-2011-2692 libpng: Invalid read when handling empty sCAL chunks cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The libpng packages contain a library of functions for creating and manipulating PNG (Portable Network Graphics) image format files. A buffer overflow flaw was found in the way libpng processed certain PNG image files. An attacker could create a specially-crafted PNG image that, when opened, could cause an application using libpng to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2011-2690) Note: The application behavior required to exploit CVE-2011-2690 is rarely used. No application shipped with Red Hat Enterprise Linux behaves this way, for example. An uninitialized memory read issue was found in the way libpng processed certain PNG images that use the Physical Scale (sCAL) extension. An attacker could create a specially-crafted PNG image that, when opened, could cause an application using libpng to crash. (CVE-2011-2692) Users of libpng should upgrade to these updated packages, which contain backported patches to correct these issues. All running applications using libpng must be restarted for the update to take effect. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-2690 CVE-2011-2692 CVE-2011-2690 libpng: buffer overwrite in png_rgb_to_gray CVE-2011-2692 libpng: Invalid read when handling empty sCAL chunks Red Hat Enterprise Linux 6 The libpng packages contain a library of functions for creating and manipulating PNG (Portable Network Graphics) image format files. A buffer overflow flaw was found in the way libpng processed certain PNG image files. An attacker could create a specially-crafted PNG image that, when opened, could cause an application using libpng to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2011-2690) Note: The application behavior required to exploit CVE-2011-2690 is rarely used. No application shipped with Red Hat Enterprise Linux behaves this way, for example. An out-of-bounds memory read flaw was found in the way libpng processed certain PNG image files. An attacker could create a specially-crafted PNG image that, when opened, could cause an application using libpng to crash. (CVE-2011-2501) An uninitialized memory read issue was found in the way libpng processed certain PNG images that use the Physical Scale (sCAL) extension. An attacker could create a specially-crafted PNG image that, when opened, could cause an application using libpng to crash. (CVE-2011-2692) Users of libpng should upgrade to these updated packages, which upgrade libpng to version 1.2.46 to correct these issues. All running applications using libpng must be restarted for the update to take effect. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-2501 CVE-2011-2690 CVE-2011-2692 CVE-2011-2501 libpng: regression of CVE-2004-0421 in 1.2.23+ CVE-2011-2690 libpng: buffer overwrite in png_rgb_to_gray CVE-2011-2692 libpng: Invalid read when handling empty sCAL chunks cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Foomatic is a comprehensive, spooler-independent database of printers, printer drivers, and driver descriptions. The package also includes spooler-independent command line interfaces to manipulate queues and to print files and manipulate print jobs. foomatic-rip is a print filter written in Perl. An input sanitization flaw was found in the foomatic-rip print filter. An attacker could submit a print job with the username, title, or job options set to appear as a command line option that caused the filter to use a specified PostScript printer description (PPD) file, rather than the administrator-set one. This could lead to arbitrary code execution with the privileges of the "lp" user. (CVE-2011-2697) All foomatic users should upgrade to this updated package, which contains a backported patch to resolve this issue. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-2697 CVE-2011-2697 foomatic: Improper sanitization of command line option in foomatic-rip cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Foomatic is a comprehensive, spooler-independent database of printers, printer drivers, and driver descriptions. The package also includes spooler-independent command line interfaces to manipulate queues and to print files and manipulate print jobs. foomatic-rip is a print filter written in C. An input sanitization flaw was found in the foomatic-rip print filter. An attacker could submit a print job with the username, title, or job options set to appear as a command line option that caused the filter to use a specified PostScript printer description (PPD) file, rather than the administrator-set one. This could lead to arbitrary code execution with the privileges of the "lp" user. (CVE-2011-2964) All foomatic users should upgrade to this updated package, which contains a backported patch to resolve this issue. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-2964 CVE-2011-2964 foomatic: Improper sanitization of command line option in foomatic-rip (foomatic.c) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 5 D-Bus is a system for sending messages between applications. It is used for the system-wide message bus service and as a per-user-login-session messaging facility. A denial of service flaw was found in the way the D-Bus library handled endianness conversion when receiving messages. A local user could use this flaw to send a specially-crafted message to dbus-daemon or to a service using the bus, such as Avahi or NetworkManager, possibly causing the daemon to exit or the service to disconnect from the bus. (CVE-2011-2200) All users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. For the update to take effect, all running instances of dbus-daemon and all running applications using the libdbus library must be restarted, or the system rebooted. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-2200 CVE-2011-2200 dbus: Local DoS via messages with non-native byte order cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 Supplementary for Red Hat Enterprise Linux 6 The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in. This update fixes multiple vulnerabilities in Adobe Flash Player. These vulnerabilities are detailed on the Adobe security page APSB11-21, listed in the References section. Multiple security flaws were found in the way flash-plugin displayed certain SWF content. An attacker could use these flaws to create a specially-crafted SWF file that would cause flash-plugin to crash or, potentially, execute arbitrary code when the victim loaded a page containing the specially-crafted SWF content. (CVE-2011-2130, CVE-2011-2134, CVE-2011-2135, CVE-2011-2136, CVE-2011-2137, CVE-2011-2138, CVE-2011-2139, CVE-2011-2140, CVE-2011-2414, CVE-2011-2415, CVE-2011-2416, CVE-2011-2417, CVE-2011-2425) All users of Adobe Flash Player should install this updated package, which upgrades Flash Player to version 10.3.183.5. Critical Copyright 2011 Red Hat, Inc. CVE-2011-2130 CVE-2011-2134 CVE-2011-2135 CVE-2011-2136 CVE-2011-2137 CVE-2011-2138 CVE-2011-2139 CVE-2011-2140 CVE-2011-2414 CVE-2011-2415 CVE-2011-2416 CVE-2011-2417 CVE-2011-2424 CVE-2011-2425 CVE-2011-2130 CVE-2011-2134 CVE-2011-2135 CVE-2011-2136 CVE-2011-2137 CVE-2011-2138 CVE-2011-2139 CVE-2011-2140 CVE-2011-2414 CVE-2011-2415 CVE-2011-2416 CVE-2011-2417 CVE-2011-2425 flash-plugin: multiple arbitrary code execution flaws (APSB-11-21) cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 The libXfont packages provide the X.Org libXfont runtime library. X.Org is an open source implementation of the X Window System. A buffer overflow flaw was found in the way the libXfont library, used by the X.Org server, handled malformed font files compressed using UNIX compress. A malicious, local user could exploit this issue to potentially execute arbitrary code with the privileges of the X.Org server. (CVE-2011-2895) Users of libXfont should upgrade to these updated packages, which contain a backported patch to resolve this issue. All running X.Org server instances must be restarted for the update to take effect. Important Copyright 2011 Red Hat, Inc. CVE-2011-2895 CVE-2011-2895 libXfont: LZW decompression heap corruption / infinite loop CVE-2011-2895 BSD compress LZW decoder buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 X.Org is an open source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon. These xorg-x11 packages also provide the X.Org libXfont runtime library. A buffer overflow flaw was found in the way the libXfont library, used by the X.Org server, handled malformed font files compressed using UNIX compress. A malicious, local user could exploit this issue to potentially execute arbitrary code with the privileges of the X.Org server. (CVE-2011-2895) Users of xorg-x11 should upgrade to these updated packages, which contain a backported patch to resolve this issue. All running X.Org server instances must be restarted for the update to take effect. Important Copyright 2011 Red Hat, Inc. CVE-2011-2895 CVE-2011-2895 libXfont: LZW decompression heap corruption / infinite loop CVE-2011-2895 BSD compress LZW decoder buffer overflow cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 The IBM 1.4.2 SR13-FP10 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. This update fixes several vulnerabilities in the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. Detailed vulnerability descriptions are linked from the IBM "Security alerts" page, listed in the References section. (CVE-2011-0311, CVE-2011-0802, CVE-2011-0814, CVE-2011-0862, CVE-2011-0865, CVE-2011-0867, CVE-2011-0871) Note: The RHSA-2011:0490 java-1.4.2-ibm update did not, unlike the erratum text stated, provide a complete fix for the CVE-2011-0311 issue. All users of java-1.4.2-ibm are advised to upgrade to these updated packages, which contain the IBM 1.4.2 SR13-FP10 Java release. All running instances of IBM Java must be restarted for this update to take effect. Critical Copyright 2011 Red Hat, Inc. CVE-2011-0311 CVE-2011-0802 CVE-2011-0814 CVE-2011-0862 CVE-2011-0865 CVE-2011-0867 CVE-2011-0871 CVE-2011-3387 CVE-2011-0311 IBM JDK Class file parsing denial-of-service CVE-2011-0865 OpenJDK: Deserialization allows creation of mutable SignedObject (Deserialization, 6618658) CVE-2011-0862 OpenJDK: integer overflows in JPEGImageReader and font SunLayoutEngine (2D, 7013519) CVE-2011-0867 OpenJDK: NetworkInterface information leak (Networking, 7013969) CVE-2011-0871 OpenJDK: MediaTracker created Component instances with unnecessary privileges (Swing, 7020198) CVE-2011-0802 CVE-2011-0814 Oracle/IBM JDK: unspecified vulnerabilities fixed in 6u26 (Sound) cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 The Dynamic Host Configuration Protocol (DHCP) is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. Two denial of service flaws were found in the way the dhcpd daemon handled certain incomplete request packets. A remote attacker could use these flaws to crash dhcpd via a specially-crafted request. (CVE-2011-2748, CVE-2011-2749) Users of DHCP should upgrade to these updated packages, which contain a backported patch to correct these issues. After installing this update, all DHCP servers will be restarted automatically. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-2748 CVE-2011-2749 CVE-2011-2748 CVE-2011-2749 dhcp: denial of service flaws cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 FreeType is a free, high-quality, portable font engine that can open and manage font files. It also loads, hints, and renders individual glyphs efficiently. These packages provide both the FreeType 1 and FreeType 2 font engines. A buffer overflow flaw was found in the way the FreeType library handled malformed font files compressed using UNIX compress. If a user loaded a specially-crafted compressed font file with an application linked against FreeType, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2011-2895) Note: This issue only affects the FreeType 2 font engine. Users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. The X server must be restarted (log out, then log back in) for this update to take effect. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-2895 CVE-2011-2895 BSD compress LZW decoder buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2011-2982) A dangling pointer flaw was found in the Firefox Scalable Vector Graphics (SVG) text manipulation routine. A web page containing a malicious SVG image could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2011-0084) A dangling pointer flaw was found in the way Firefox handled a certain Document Object Model (DOM) element. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2011-2378) A flaw was found in the event management code in Firefox. A website containing malicious JavaScript could cause Firefox to execute that JavaScript with the privileges of the user running Firefox. (CVE-2011-2981) A flaw was found in the way Firefox handled malformed JavaScript. A web page containing malicious JavaScript could cause Firefox to access already freed memory, causing Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2011-2983) It was found that a malicious web page could execute arbitrary code with the privileges of the user running Firefox if the user dropped a tab onto the malicious web page. (CVE-2011-2984) For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 3.6.20. You can find a link to the Mozilla advisories in the References section of this erratum. All Firefox users should upgrade to these updated packages, which contain Firefox version 3.6.20, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect. Critical Copyright 2011 Red Hat, Inc. CVE-2011-0084 CVE-2011-2378 CVE-2011-2981 CVE-2011-2982 CVE-2011-2983 CVE-2011-2984 CVE-2011-2982 Mozilla: Miscellaneous memory safety hazards CVE-2011-0084 Mozilla: Crash in SVGTextElement.getCharNumAtPosition() CVE-2011-2981 Mozilla: Privilege escalation using event handlers CVE-2011-2378 Mozilla: Dangling pointer vulnerability in appendChild CVE-2011-2984 Mozilla: Privilege escalation dropping a tab element in content area CVE-2011-2983 Mozilla: Private data leakage using RegExp.input cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Thunderbird is a standalone mail and newsgroup client. Several flaws were found in the processing of malformed HTML content. Malicious HTML content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2011-2982) A flaw was found in the way Thunderbird handled malformed JavaScript. Malicious content could cause Thunderbird to access already freed memory, causing Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2011-2983) Note: This update disables support for Scalable Vector Graphics (SVG) images in Thunderbird on Red Hat Enterprise Linux 5. All Thunderbird users should upgrade to this updated package, which resolves these issues. All running instances of Thunderbird must be restarted for the update to take effect. Critical Copyright 2011 Red Hat, Inc. CVE-2011-2982 CVE-2011-2983 CVE-2011-2982 Mozilla: Miscellaneous memory safety hazards CVE-2011-2983 Mozilla: Private data leakage using RegExp.input cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Mozilla Thunderbird is a standalone mail and newsgroup client. Several flaws were found in the processing of malformed HTML content. Malicious HTML content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2011-2982) A dangling pointer flaw was found in the Thunderbird Scalable Vector Graphics (SVG) text manipulation routine. An HTML mail message containing a malicious SVG image could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2011-0084) A dangling pointer flaw was found in the way Thunderbird handled a certain Document Object Model (DOM) element. An HTML mail message containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2011-2378) All Thunderbird users should upgrade to this updated package, which resolves these issues. All running instances of Thunderbird must be restarted for the update to take effect. Critical Copyright 2011 Red Hat, Inc. CVE-2011-0084 CVE-2011-2378 CVE-2011-2982 CVE-2011-2982 Mozilla: Miscellaneous memory safety hazards CVE-2011-0084 Mozilla: Crash in SVGTextElement.getCharNumAtPosition() CVE-2011-2378 Mozilla: Dangling pointer vulnerability in appendChild cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 SeaMonkey is an open source web browser, email and newsgroup client, IRC chat client, and HTML editor. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause SeaMonkey to crash or, potentially, execute arbitrary code with the privileges of the user running SeaMonkey. (CVE-2011-2982) A flaw was found in the way SeaMonkey handled malformed JavaScript. A web page containing malicious JavaScript could cause SeaMonkey to access already freed memory, causing SeaMonkey to crash or, potentially, execute arbitrary code with the privileges of the user running SeaMonkey. (CVE-2011-2983) All SeaMonkey users should upgrade to these updated packages, which correct these issues. After installing the update, SeaMonkey must be restarted for the changes to take effect. Critical Copyright 2011 Red Hat, Inc. CVE-2011-2982 CVE-2011-2983 CVE-2011-2982 Mozilla: Miscellaneous memory safety hazards CVE-2011-2983 Mozilla: Private data leakage using RegExp.input cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Dovecot is an IMAP server for Linux, UNIX, and similar operating systems, primarily written with security in mind. A denial of service flaw was found in the way Dovecot handled NULL characters in certain header names. A mail message with specially-crafted headers could cause the Dovecot child process handling the target user's connection to crash, blocking them from downloading the message successfully and possibly leading to the corruption of their mailbox. (CVE-2011-1929) Users of dovecot are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing the updated packages, the dovecot service will be restarted automatically. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-1929 CVE-2011-1929 dovecot: potential crash when parsing header names that contain NUL characters cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Security issues: * Using PCI passthrough without interrupt remapping support allowed KVM guests to generate MSI interrupts and thus potentially inject traps. A privileged guest user could use this flaw to crash the host or possibly escalate their privileges on the host. The fix for this issue can prevent PCI passthrough working and guests starting. Refer to Red Hat Bugzilla bug 715555 for details. (CVE-2011-1898, Important) * Flaw in the client-side NLM implementation could allow a local, unprivileged user to cause a denial of service. (CVE-2011-2491, Important) * Integer underflow in the Bluetooth implementation could allow a remote attacker to cause a denial of service or escalate their privileges by sending a specially-crafted request to a target system via Bluetooth. (CVE-2011-2497, Important) * Buffer overflows in the netlink-based wireless configuration interface implementation could allow a local user, who has the CAP_NET_ADMIN capability, to cause a denial of service or escalate their privileges on systems that have an active wireless interface. (CVE-2011-2517, Important) * Flaw in the way the maximum file offset was handled for ext4 file systems could allow a local, unprivileged user to cause a denial of service. (CVE-2011-2695, Important) * Flaw allowed napi_reuse_skb() to be called on VLAN packets. An attacker on the local network could use this flaw to send crafted packets to a target, possibly causing a denial of service. (CVE-2011-1576, Moderate) * Integer signedness error in next_pidmap() could allow a local, unprivileged user to cause a denial of service. (CVE-2011-1593, Moderate) * Race condition in the memory merging support (KSM) could allow a local, unprivileged user to cause a denial of service. KSM is off by default, but on systems running VDSM, or on KVM hosts, it is likely turned on by the ksm/ksmtuned services. (CVE-2011-2183, Moderate) * Flaw in inet_diag_bc_audit() could allow a local, unprivileged user to cause a denial of service. (CVE-2011-2213, Moderate) * Flaw in the way space was allocated in the Global File System 2 (GFS2) implementation. If the file system was almost full, and a local, unprivileged user made an fallocate() request, it could result in a denial of service. Setting quotas to prevent users from using all available disk space would prevent exploitation of this flaw. (CVE-2011-2689, Moderate) * Local, unprivileged users could send signals via the sigqueueinfo system call, with si_code set to SI_TKILL and with spoofed process and user IDs, to other processes. This flaw does not allow existing permission checks to be bypassed; signals can only be sent if your privileges allow you to already do so. (CVE-2011-1182, Low) * Heap overflow in the EFI GUID Partition Table (GPT) implementation could allow a local attacker to cause a denial of service by mounting a disk containing crafted partition tables. (CVE-2011-1776, Low) * Structure padding in two structures in the Bluetooth implementation was not initialized properly before being copied to user-space, possibly allowing local, unprivileged users to leak kernel stack memory to user-space. (CVE-2011-2492, Low) * /proc/[PID]/io is world-readable by default. Previously, these files could be read without any further restrictions. A local, unprivileged user could read these files, belonging to other, possibly privileged processes to gather confidential information, such as the length of a password used in a process. (CVE-2011-2495, Low) Red Hat would like to thank Vasily Averin for reporting CVE-2011-2491; Dan Rosenberg for reporting CVE-2011-2497 and CVE-2011-2213; Ryan Sweat for reporting CVE-2011-1576; Robert Swiecki for reporting CVE-2011-1593; Andrea Righi for reporting CVE-2011-2183; Julien Tinnes of the Google Security Team for reporting CVE-2011-1182; Timo Warns for reporting CVE-2011-1776; Marek Kroemeke and Filip Palian for reporting CVE-2011-2492; and Vasiliy Kulikov of Openwall for reporting CVE-2011-2495. Important Copyright 2011 Red Hat, Inc. CVE-2011-1182 CVE-2011-1576 CVE-2011-1593 CVE-2011-1776 CVE-2011-1898 CVE-2011-2183 CVE-2011-2213 CVE-2011-2491 CVE-2011-2492 CVE-2011-2495 CVE-2011-2497 CVE-2011-2517 CVE-2011-2689 CVE-2011-2695 CVE-2011-1182 kernel signal spoofing issue CVE-2011-1576 kernel: net: Fix memory leak/corruption on VLAN GRO_DROP CVE-2011-1593 kernel: proc: signedness issue in next_pidmap() CVE-2011-2492 kernel: bluetooth: l2cap and rfcomm: fix 1 byte infoleak to userspace CVE-2011-1776 kernel: validate size of EFI GUID partition entries CVE-2011-2491 kernel: rpc task leak after flock()ing NFS share CVE-2011-2183 kernel: ksm: race between ksmd and exiting task Parallel port issue in RHEL 6.0 server CVE-2011-2213 kernel: inet_diag: insufficient validation GFS2: Update to rhel6.1 broke dovecot writing to a gfs2 filesystem CVE-2011-1898 virt: VT-d (PCI passthrough) MSI trap injection bump domain memory limits [6.1.z] CVE-2011-2497 kernel: bluetooth: buffer overflow in l2cap config request CVE-2011-2495 kernel: /proc/PID/io infoleak CVE-2011-2517 kernel: nl80211: missing check for valid SSID size in scan operations CVE-2011-2689 kernel: gfs2: make sure fallocate bytes is a multiple of blksize CVE-2011-2695 kernel: ext4: kernel panic when writing data to the last block of sparse file cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 system-config-printer is a print queue configuration tool with a graphical user interface. It was found that system-config-printer did not properly sanitize NetBIOS and workgroup names when searching for network printers. A remote attacker could use this flaw to execute arbitrary code with the privileges of the user running system-config-printer. (CVE-2011-2899) All users of system-config-printer are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. Running instances of system-config-printer must be restarted for this update to take effect. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-2899 CVE-2011-2899 system-config-printer: possible arbitrary code execution in pysmb.py due to improper escaping of hostnames cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remotely managing virtualized systems. An integer overflow flaw was found in libvirtd's RPC call handling. An attacker able to establish read-only connections to libvirtd could trigger this flaw by calling virDomainGetVcpus() with specially-crafted parameters, causing libvirtd to crash. (CVE-2011-2511) This update also fixes the following bugs: * Previously, when the "virsh vol-create-from" command was run on an LVM (Logical Volume Manager) storage pool, performance of the command was very low and the operation consumed an excessive amount of time. This bug has been fixed in the virStorageVolCreateXMLFrom() function, and the performance problem of the command no longer occurs. * Due to a regression, libvirt used undocumented command line options, instead of the recommended ones. Consequently, the qemu-img utility used an invalid argument while creating an encrypted volume, and the process eventually failed. With this update, the bug in the backing format of the storage back end has been fixed, and encrypted volumes can now be created as expected. (BZ#726617) * Due to a bug in the qemuAuditDisk() function, hot unplug failures were never audited, and a hot unplug success was audited as a failure. This bug has been fixed, and auditing of disk hot unplug operations now works as expected. (BZ#728516) * Previously, when a debug process was being activated, the act of preparing a debug message ended up with dereferencing a UUID (universally unique identifier) prior to the NULL argument check. Consequently, an API running the debug process sometimes terminated with a segmentation fault. With this update, a patch has been provided to address this issue, and the crashes no longer occur in the described scenario. (BZ#728546) * The libvirt library uses the "boot=on" option to mark which disk is bootable but it only uses that option if Qemu advertises its support. The qemu-kvm utility in Red Hat Enterprise Linux 6.1 removed support for that option and libvirt could not use it. As a consequence, when an IDE disk was added as the second storage with a virtio disk being set up as the first one by default, the operating system tried to boot from the IDE disk rather than the virtio disk and either failed to boot with the "No bootable disk" error message returned, or the system booted whatever operating system was on the IDE disk. With this update, the boot configuration is translated into bootindex, which provides control over which device is used for booting a guest operating system, thus fixing this bug. All users of libvirt are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, libvirtd must be restarted ("service libvirtd restart") for this update to take effect. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-2511 CVE-2011-2511 libvirt: integer overflow in VirDomainGetVcpus libvirt regression with creating encrypted volume Auditing of QEMU driver disk hotunplug events logs is missing and/or incorrect [libvirt] [logs] null dereference while preparing libvirt logs cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues: * A NULL pointer dereference flaw was found in the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation. A remote attacker could send a specially-crafted SCTP packet to a target system, resulting in a denial of service. (CVE-2011-2482, Important) * A flaw in the Linux kernel's client-side NFS Lock Manager (NLM) implementation could allow a local, unprivileged user to cause a denial of service. (CVE-2011-2491, Important) * Buffer overflow flaws in the Linux kernel's netlink-based wireless configuration interface implementation could allow a local user, who has the CAP_NET_ADMIN capability, to cause a denial of service or escalate their privileges on systems that have an active wireless interface. (CVE-2011-2517, Important) * A flaw was found in the way the Linux kernel's Xen hypervisor implementation emulated the SAHF instruction. When using a fully-virtualized guest on a host that does not use hardware assisted paging (HAP), such as those running CPUs that do not have support for (or those that have it disabled) Intel Extended Page Tables (EPT) or AMD Virtualization (AMD-V) Rapid Virtualization Indexing (RVI), a privileged guest user could trigger this flaw to cause the hypervisor to crash. (CVE-2011-2519, Moderate) * An off-by-one flaw was found in the __addr_ok() macro in the Linux kernel's Xen hypervisor implementation when running on 64-bit systems. A privileged guest user could trigger this flaw to cause the hypervisor to crash. (CVE-2011-2901, Moderate) * /proc/[PID]/io is world-readable by default. Previously, these files could be read without any further restrictions. A local, unprivileged user could read these files, belonging to other, possibly privileged processes to gather confidential information, such as the length of a password used in a process. (CVE-2011-2495, Low) Red Hat would like to thank Vasily Averin for reporting CVE-2011-2491, and Vasiliy Kulikov of Openwall for reporting CVE-2011-2495. This update also fixes several bugs. Documentation for these bug fixes will be available shortly from the Technical Notes document linked to in the References section. Users should upgrade to these updated packages, which contain backported patches to correct these issues, and fix the bugs noted in the Technical Notes. The system must be rebooted for this update to take effect. Important Copyright 2011 Red Hat, Inc. CVE-2011-2482 CVE-2011-2491 CVE-2011-2495 CVE-2011-2517 CVE-2011-2519 CVE-2011-2901 CVE-2011-2491 kernel: rpc task leak after flock()ing NFS share RHEL6.1 32bit xen hvm guest crash randomly CVE-2011-2482 kernel: sctp dos CVE-2011-2495 kernel: /proc/PID/io infoleak CVE-2011-2517 kernel: nl80211: missing check for valid SSID size in scan operations CVE-2011-2519 kernel: xen: x86_emulate: fix SAHF emulation [xfs] mis-sized O_DIRECT I/O results in hung task timeouts [rhel-5.7.z] xfs_error_report() oops when passed-in mp is NULL [rhel-5.7.z] CVE-2011-2901 kernel: xen: off-by-one shift in x86_64 __addr_ok() cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Samba is a suite of programs used by machines to share files, printers, and other information. A cross-site scripting (XSS) flaw was found in the password change page of the Samba Web Administration Tool (SWAT). If a remote attacker could trick a user, who was logged into the SWAT interface, into visiting a specially-crafted URL, it would lead to arbitrary web script execution in the context of the user's SWAT session. (CVE-2011-2694) It was found that SWAT web pages did not protect against Cross-Site Request Forgery (CSRF) attacks. If a remote attacker could trick a user, who was logged into the SWAT interface, into visiting a specially-crafted URL, the attacker could perform Samba configuration changes with the privileges of the logged in user. (CVE-2011-2522) A race condition flaw was found in the way the mount.cifs tool mounted CIFS (Common Internet File System) shares. If mount.cifs had the setuid bit set, a local attacker could conduct a symbolic link attack to trick mount.cifs into mounting a share over an arbitrary directory they were otherwise not allowed to mount to, possibly allowing them to escalate their privileges. (CVE-2010-0787) It was found that the mount.cifs tool did not properly handle share or directory names containing a newline character. If mount.cifs had the setuid bit set, a local attacker could corrupt the mtab (mounted file systems table) file via a specially-crafted CIFS share mount request. (CVE-2010-0547) It was found that the mount.cifs tool did not handle certain errors correctly when updating the mtab file. If mount.cifs had the setuid bit set, a local attacker could corrupt the mtab file by setting a small file size limit before running mount.cifs. (CVE-2011-1678) Note: mount.cifs from the samba packages distributed by Red Hat does not have the setuid bit set. We recommend that administrators do not manually set the setuid bit for mount.cifs. Red Hat would like to thank the Samba project for reporting CVE-2011-2694 and CVE-2011-2522; the Debian Security Team for reporting CVE-2010-0787; and Dan Rosenberg for reporting CVE-2011-1678. Upstream acknowledges Nobuhiro Tsuji of NTT DATA Security Corporation as the original reporter of CVE-2011-2694; Yoshihiro Ishikawa of LAC Co., Ltd. as the original reporter of CVE-2011-2522; and the Debian Security Team acknowledges Ronald Volgers as the original reporter of CVE-2010-0787. Users of Samba are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. After installing this update, the smb service will be restarted automatically. Moderate Copyright 2011 Red Hat, Inc. CVE-2010-0547 CVE-2010-0787 CVE-2011-1678 CVE-2011-2522 CVE-2011-2694 CVE-2011-3585 CVE-2010-0547 samba: mount.cifs improper device name and mountpoint strings sanitization CVE-2010-0787 samba: Race condition by mount (mount.cifs) operations CVE-2011-1678 samba/cifs-utils: mount.cifs and umount.cifs fail to anticipate RLIMIT_FSIZE CVE-2011-2522 samba (SWAT): Absent CSRF protection in various Samba web configuration formulars CVE-2011-2694 samba (SWAT): XSS flaw in Change Password page cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Samba is a suite of programs used by machines to share files, printers, and other information. A cross-site scripting (XSS) flaw was found in the password change page of the Samba Web Administration Tool (SWAT). If a remote attacker could trick a user, who was logged into the SWAT interface, into visiting a specially-crafted URL, it would lead to arbitrary web script execution in the context of the user's SWAT session. (CVE-2011-2694) It was found that SWAT web pages did not protect against Cross-Site Request Forgery (CSRF) attacks. If a remote attacker could trick a user, who was logged into the SWAT interface, into visiting a specially-crafted URL, the attacker could perform Samba configuration changes with the privileges of the logged in user. (CVE-2011-2522) It was found that the fix for CVE-2010-0547, provided by the Samba rebase in RHBA-2011:0054, was incomplete. The mount.cifs tool did not properly handle share or directory names containing a newline character, allowing a local attacker to corrupt the mtab (mounted file systems table) file via a specially-crafted CIFS (Common Internet File System) share mount request, if mount.cifs had the setuid bit set. (CVE-2011-2724) It was found that the mount.cifs tool did not handle certain errors correctly when updating the mtab file. If mount.cifs had the setuid bit set, a local attacker could corrupt the mtab file by setting a small file size limit before running mount.cifs. (CVE-2011-1678) Note: mount.cifs from the samba3x packages distributed by Red Hat does not have the setuid bit set. We recommend that administrators do not manually set the setuid bit for mount.cifs. Red Hat would like to thank the Samba project for reporting CVE-2011-2694 and CVE-2011-2522, and Dan Rosenberg for reporting CVE-2011-1678. Upstream acknowledges Nobuhiro Tsuji of NTT DATA Security Corporation as the original reporter of CVE-2011-2694, and Yoshihiro Ishikawa of LAC Co., Ltd. as the original reporter of CVE-2011-2522. Users of Samba are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. After installing this update, the smb service will be restarted automatically. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-1678 CVE-2011-2522 CVE-2011-2694 CVE-2011-2724 CVE-2011-1678 samba/cifs-utils: mount.cifs and umount.cifs fail to anticipate RLIMIT_FSIZE CVE-2011-2522 samba (SWAT): Absent CSRF protection in various Samba web configuration formulars CVE-2011-2694 samba (SWAT): XSS flaw in Change Password page CVE-2011-2724 samba, cifs-utils: mount.cifs incorrect fix for CVE-2010-0547 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Samba is a suite of programs used by machines to share files, printers, and other information. The cifs-utils package contains utilities for mounting and managing CIFS (Common Internet File System) shares. A cross-site scripting (XSS) flaw was found in the password change page of the Samba Web Administration Tool (SWAT). If a remote attacker could trick a user, who was logged into the SWAT interface, into visiting a specially-crafted URL, it would lead to arbitrary web script execution in the context of the user's SWAT session. (CVE-2011-2694) It was found that SWAT web pages did not protect against Cross-Site Request Forgery (CSRF) attacks. If a remote attacker could trick a user, who was logged into the SWAT interface, into visiting a specially-crafted URL, the attacker could perform Samba configuration changes with the privileges of the logged in user. (CVE-2011-2522) It was found that the fix for CVE-2010-0547, provided in the cifs-utils package included in the GA release of Red Hat Enterprise Linux 6, was incomplete. The mount.cifs tool did not properly handle share or directory names containing a newline character, allowing a local attacker to corrupt the mtab (mounted file systems table) file via a specially-crafted CIFS share mount request, if mount.cifs had the setuid bit set. (CVE-2011-2724) It was found that the mount.cifs tool did not handle certain errors correctly when updating the mtab file. If mount.cifs had the setuid bit set, a local attacker could corrupt the mtab file by setting a small file size limit before running mount.cifs. (CVE-2011-1678) Note: mount.cifs from the cifs-utils package distributed by Red Hat does not have the setuid bit set. We recommend that administrators do not manually set the setuid bit for mount.cifs. Red Hat would like to thank the Samba project for reporting CVE-2011-2694 and CVE-2011-2522, and Dan Rosenberg for reporting CVE-2011-1678. Upstream acknowledges Nobuhiro Tsuji of NTT DATA Security Corporation as the original reporter of CVE-2011-2694, and Yoshihiro Ishikawa of LAC Co., Ltd. as the original reporter of CVE-2011-2522. This update also fixes the following bug: * If plain text passwords were used ("encrypt passwords = no" in "/etc/samba/smb.conf"), Samba clients running the Windows XP or Windows Server 2003 operating system may not have been able to access Samba shares after installing the Microsoft Security Bulletin MS11-043. This update corrects this issue, allowing such clients to use plain text passwords to access Samba shares. (BZ#728517) Users of samba and cifs-utils are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. After installing this update, the smb service will be restarted automatically. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-1678 CVE-2011-2522 CVE-2011-2694 CVE-2011-2724 CVE-2011-3585 CVE-2011-1678 samba/cifs-utils: mount.cifs and umount.cifs fail to anticipate RLIMIT_FSIZE CVE-2011-2522 samba (SWAT): Absent CSRF protection in various Samba web configuration formulars CVE-2011-2694 samba (SWAT): XSS flaw in Change Password page CVE-2011-2724 samba, cifs-utils: mount.cifs incorrect fix for CVE-2010-0547 Windows security patch KB2536276 prevents access to samba shares cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 In accordance with the Red Hat Enterprise Linux Errata Support Policy, the regular 7 year life-cycle of Red Hat Enterprise Linux 4 will end on February 29, 2012. After this date, Red Hat will discontinue the regular subscription services for Red Hat Enterprise Linux 4. Therefore, new bug fix, enhancement, and security errata updates, as well as technical support services will no longer be available for the following products: * Red Hat Enterprise Linux AS 4 * Red Hat Enterprise Linux ES 4 * Red Hat Enterprise Linux WS 4 * Red Hat Enterprise Linux Extras 4 * Red Hat Desktop 4 * Red Hat Global File System 4 * Red Hat Cluster Suite 4 Customers still running production workloads on Red Hat Enterprise Linux 4 are advised to begin planning the upgrade to Red Hat Enterprise Linux 5 or 6. Active subscribers of Red Hat Enterprise Linux already have access to all currently maintained versions of Red Hat Enterprise Linux, as part of their subscription without additional fees. For customers who are unable to migrate off Red Hat Enterprise Linux 4 before its end-of-life date, Red Hat intends to offer a limited, optional extension program. For more information, contact your Red Hat sales representative or channel partner. Details of the Red Hat Enterprise Linux life-cycle can be found on the Red Hat website: https://access.redhat.com/support/policy/updates/errata/ Low Copyright 2011 Red Hat, Inc. Send Out RHEL 4 6-Month EOL Notice cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 eCryptfs is a stacked, cryptographic file system. It is transparent to the underlying file system and provides per-file granularity. eCryptfs is released as a Technology Preview for Red Hat Enterprise Linux 5 and 6. The setuid mount.ecryptfs_private utility allows users to mount an eCryptfs file system. This utility can only be run by users in the "ecryptfs" group. A race condition flaw was found in the way mount.ecryptfs_private checked the permissions of a requested mount point when mounting an encrypted file system. A local attacker could possibly use this flaw to escalate their privileges by mounting over an arbitrary directory. (CVE-2011-1831) A race condition flaw in umount.ecryptfs_private could allow a local attacker to unmount an arbitrary file system. (CVE-2011-1832) It was found that mount.ecryptfs_private did not handle certain errors correctly when updating the mtab (mounted file systems table) file, allowing a local attacker to corrupt the mtab file and possibly unmount an arbitrary file system. (CVE-2011-1834) An insecure temporary file use flaw was found in the ecryptfs-setup-private script. A local attacker could use this script to insert their own key that will subsequently be used by a new user, possibly giving the attacker access to the user's encrypted data if existing file permissions allow access. (CVE-2011-1835) A race condition flaw in mount.ecryptfs_private could allow a local attacker to overwrite arbitrary files. (CVE-2011-1837) A race condition flaw in the way temporary files were accessed in mount.ecryptfs_private could allow a malicious, local user to make arbitrary modifications to the mtab file. (CVE-2011-3145) A race condition flaw was found in the way mount.ecryptfs_private checked the permissions of the directory to mount. A local attacker could use this flaw to mount (and then access) a directory they would otherwise not have access to. Note: The fix for this issue is incomplete until a kernel-space change is made. Future Red Hat Enterprise Linux 5 and 6 kernel updates will correct this issue. (CVE-2011-1833) Red Hat would like to thank the Ubuntu Security Team for reporting these issues. The Ubuntu Security Team acknowledges Vasiliy Kulikov of Openwall and Dan Rosenberg as the original reporters of CVE-2011-1831, CVE-2011-1832, and CVE-2011-1833; Dan Rosenberg and Marc Deslauriers as the original reporters of CVE-2011-1834; Marc Deslauriers as the original reporter of CVE-2011-1835; and Vasiliy Kulikov of Openwall as the original reporter of CVE-2011-1837. Users of ecryptfs-utils are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-1831 CVE-2011-1832 CVE-2011-1834 CVE-2011-1835 CVE-2011-1837 CVE-2011-3145 CVE-2011-1831 CVE-2011-1832 CVE-2011-1834 CVE-2011-1835 CVE-2011-1837 ecryptfs: multiple flaws to mount/umount arbitrary locations and possibly disclose confidential information CVE-2011-3145 ecryptfs-utils: incorrect mtab group ownership cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. It was found that a Certificate Authority (CA) issued a fraudulent HTTPS certificate. This update renders any HTTPS certificates signed by that CA as untrusted, except for a select few. The now untrusted certificates that were issued before July 1, 2011 can be manually re-enabled and used again at your own risk in Firefox; however, affected certificates issued after this date cannot be re-enabled or used. (BZ#734316) All Firefox users should upgrade to these updated packages, which contain a backported patch. After installing the update, Firefox must be restarted for the changes to take effect. Important Copyright 2011 Red Hat, Inc. Fraudulent certificates signed by DigiNotar CA certificate (MFSA 2011-34) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Thunderbird is a standalone mail and newsgroup client. It was found that a Certificate Authority (CA) issued a fraudulent HTTPS certificate. This update renders any HTTPS certificates signed by that CA as untrusted, except for a select few. The now untrusted certificates that were issued before July 1, 2011 can be manually re-enabled and used again at your own risk in Thunderbird; however, affected certificates issued after this date cannot be re-enabled or used. (BZ#734316) All Thunderbird users should upgrade to this updated package, which resolves this issue. All running instances of Thunderbird must be restarted for the update to take effect. Important Copyright 2011 Red Hat, Inc. Fraudulent certificates signed by DigiNotar CA certificate (MFSA 2011-34) cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 SeaMonkey is an open source web browser, email and newsgroup client, IRC chat client, and HTML editor. It was found that a Certificate Authority (CA) issued a fraudulent HTTPS certificate. This update renders any HTTPS certificates signed by that CA as untrusted, except for a select few. The now untrusted certificates that were issued before July 1, 2011 can be manually re-enabled and used again at your own risk in SeaMonkey; however, affected certificates issued after this date cannot be re-enabled or used. (BZ#734316) All SeaMonkey users should upgrade to these updated packages, which correct this issue. After installing the update, SeaMonkey must be restarted for the changes to take effect. Important Copyright 2011 Red Hat, Inc. Fraudulent certificates signed by DigiNotar CA certificate (MFSA 2011-34) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 4 The Apache HTTP Server is a popular web server. A flaw was found in the way the Apache HTTP Server handled Range HTTP headers. A remote attacker could use this flaw to cause httpd to use an excessive amount of memory and CPU time via HTTP requests with a specially-crafted Range header. (CVE-2011-3192) All httpd users should upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the updated packages, the httpd daemon must be restarted for the update to take effect. Important Copyright 2011 Red Hat, Inc. CVE-2011-3192 CVE-2011-3192 httpd: multiple ranges DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 The rsyslog packages provide an enhanced, multi-threaded syslog daemon that supports MySQL, syslog/TCP, RFC 3195, permitted sender lists, filtering on any message part, and fine grained output format control. A two byte buffer overflow flaw was found in the rsyslog daemon's parseLegacySyslogMsg function. An attacker able to submit log messages to rsyslogd could use this flaw to crash the daemon. (CVE-2011-3200) All rsyslog users should upgrade to these updated packages, which contain a backported patch to correct this issue. After installing this update, the rsyslog daemon will be restarted automatically. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-3200 CVE-2011-3200 rsyslog: parseLegacySyslogMsg off-by-two buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 This package contains the set of CA certificates chosen by the Mozilla Foundation for use with the Internet Public Key Infrastructure (PKI). It was found that a Certificate Authority (CA) issued fraudulent HTTPS certificates. This update removes that CA's root certificate from the ca-certificates package, rendering any HTTPS certificates signed by that CA as untrusted. (BZ#734381) All users should upgrade to this updated package. After installing the update, all applications using the ca-certificates package must be restarted for the changes to take effect. Important Copyright 2011 Red Hat, Inc. Remove DigiNotar CA cert from RHEL packages cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The gstreamer-plugins packages contain plug-ins used by the GStreamer streaming-media framework to support a wide variety of media formats. An integer overflow flaw, a boundary error, and multiple off-by-one flaws were found in various ModPlug music file format library (libmodplug) modules, embedded in GStreamer. An attacker could create specially-crafted music files that, when played by a victim, would cause applications using GStreamer to crash or, potentially, execute arbitrary code. (CVE-2011-2911, CVE-2011-2912, CVE-2011-2913, CVE-2011-2914, CVE-2011-2915) All users of gstreamer-plugins are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the update, all applications using GStreamer (such as Rhythmbox) must be restarted for the changes to take effect. Important Copyright 2011 Red Hat, Inc. CVE-2011-2911 CVE-2011-2912 CVE-2011-2913 CVE-2011-2914 CVE-2011-2915 CVE-2011-2911 CVE-2011-2912 CVE-2011-2913 CVE-2011-2914 CVE-2011-2915 libmodplug: multiple vulnerabilities reported in <= 0.8.8.3 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 SeaMonkey is an open source web browser, email and newsgroup client, IRC chat client, and HTML editor. The RHSA-2011:1244 SeaMonkey update rendered HTTPS certificates signed by a certain Certificate Authority (CA) as untrusted, but made an exception for a select few. This update removes that exception, rendering every HTTPS certificate signed by that CA as untrusted. (BZ#735483) All SeaMonkey users should upgrade to these updated packages, which correct this issue. After installing the update, SeaMonkey must be restarted for the changes to take effect. Important Copyright 2011 Red Hat, Inc. Additional certificates signed by DigiNotar CA certificate to be revoked (MFSA 2011-35) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Mozilla Thunderbird is a standalone mail and newsgroup client. The RHSA-2011:1243 Thunderbird update rendered HTTPS certificates signed by a certain Certificate Authority (CA) as untrusted, but made an exception for a select few. This update removes that exception, rendering every HTTPS certificate signed by that CA as untrusted. (BZ#735483) All Thunderbird users should upgrade to this updated package, which resolves this issue. All running instances of Thunderbird must be restarted for the update to take effect. Important Copyright 2011 Red Hat, Inc. Additional certificates signed by DigiNotar CA certificate to be revoked (MFSA 2011-35) cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. The RHSA-2011:1242 Firefox update rendered HTTPS certificates signed by a certain Certificate Authority (CA) as untrusted, but made an exception for a select few. This update removes that exception, rendering every HTTPS certificate signed by that CA as untrusted. (BZ#735483) All Firefox users should upgrade to these updated packages, which contain Firefox version 3.6.22. After installing the update, Firefox must be restarted for the changes to take effect. Important Copyright 2011 Red Hat, Inc. Additional certificates signed by DigiNotar CA certificate to be revoked (MFSA 2011-35) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 6 Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities. It was found that a Certificate Authority (CA) issued fraudulent HTTPS certificates. This update renders any HTTPS certificates signed by that CA as untrusted. This covers all uses of the certificates, including SSL, S/MIME, and code signing. (BZ#734316) Note: This fix only applies to applications using the NSS Builtin Object Token. It does not render the certificates untrusted for applications that use the NSS library, but do not use the NSS Builtin Object Token. These updated packages upgrade NSS to version 3.12.10 on Red Hat Enterprise Linux 4 and 5. As well, they upgrade NSPR to version 4.8.8 on Red Hat Enterprise Linux 4 and 5, as required by the NSS update. The packages for Red Hat Enterprise Linux 6 include a backported patch. All NSS and NSPR users should upgrade to these updated packages, which correct this issue. After installing the update, applications using NSS and NSPR must be restarted for the changes to take effect. Important Copyright 2011 Red Hat, Inc. Fraudulent certificates signed by DigiNotar CA certificate (MFSA 2011-34) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 The librsvg2 packages provide an SVG (Scalable Vector Graphics) library based on libart. A flaw was found in the way librsvg2 parsed certain SVG files. An attacker could create a specially-crafted SVG file that, when opened, would cause applications that use librsvg2 (such as Eye of GNOME) to crash or, potentially, execute arbitrary code. (CVE-2011-3146) Red Hat would like to thank the Ubuntu Security Team for reporting this issue. The Ubuntu Security Team acknowledges Sauli Pahlman as the original reporter. All librsvg2 users should upgrade to these updated packages, which contain a backported patch to correct this issue. All running applications that use librsvg2 must be restarted for this update to take effect. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-3146 CVE-2011-3146 librsvg: object type mismatch leading to invalid pointer dereference cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects. A buffer overflow flaw was found in the way Squid parsed replies from remote Gopher servers. A remote user allowed to send Gopher requests to a Squid proxy could possibly use this flaw to cause the squid child process to crash or execute arbitrary code with the privileges of the squid user, by making Squid perform a request to an attacker-controlled Gopher server. (CVE-2011-3205) Users of squid should upgrade to this updated package, which contains a backported patch to correct this issue. After installing this update, the squid service will be restarted automatically. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-3205 CVE-2011-3205 squid: buffer overflow flaw in Squid's Gopher reply parser (SQUID-2011:3) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 The cyrus-imapd packages contain a high-performance mail server with IMAP, POP3, NNTP, and Sieve support. A buffer overflow flaw was found in the cyrus-imapd NNTP server, nntpd. A remote user able to use the nntpd service could use this flaw to crash the nntpd child process or, possibly, execute arbitrary code with the privileges of the cyrus user. (CVE-2011-3208) Red Hat would like to thank Greg Banks for reporting this issue. Users of cyrus-imapd are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the update, cyrus-imapd will be restarted automatically. Important Copyright 2011 Red Hat, Inc. CVE-2011-3208 CVE-2011-3208 cyrus-imapd: nntpd buffer overflow in split_wildmats() cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Qt is a software toolkit that simplifies the task of writing and maintaining GUI (Graphical User Interface) applications for the X Window System. HarfBuzz is an OpenType text shaping engine. A buffer overflow flaw was found in the harfbuzz module in Qt. If a user loaded a specially-crafted font file with an application linked against Qt, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2011-3193) A buffer overflow flaw was found in the way Qt handled certain gray-scale image files. If a user loaded a specially-crafted gray-scale image file with an application linked against Qt, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2011-3194) Users of Qt should upgrade to these updated packages, which contain backported patches to correct these issues. All running applications linked against Qt libraries must be restarted for this update to take effect. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-3193 CVE-2011-3194 CVE-2011-3193 qt/harfbuzz buffer overflow CVE-2011-3194 qt buffer overflow in greyscale images cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Qt 4 is a software toolkit that simplifies the task of writing and maintaining GUI (Graphical User Interface) applications for the X Window System. HarfBuzz is an OpenType text shaping engine. A flaw in the way Qt 4 expanded certain UTF-8 characters could be used to prevent a Qt 4 based application from properly sanitizing user input. Depending on the application, this could allow an attacker to perform directory traversal, or for web applications, a cross-site scripting (XSS) attack. (CVE-2007-0242) A buffer overflow flaw was found in the harfbuzz module in Qt 4. If a user loaded a specially-crafted font file with an application linked against Qt 4, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2011-3193) Users of Qt 4 should upgrade to these updated packages, which contain backported patches to correct these issues. All running applications linked against Qt 4 libraries must be restarted for this update to take effect. Moderate Copyright 2011 Red Hat, Inc. CVE-2007-0242 CVE-2011-3193 CVE-2007-0242 QT UTF8 improper character expansion CVE-2011-3193 qt/harfbuzz buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Pango is a library used for the layout and rendering of internationalized text. A buffer overflow flaw was found in HarfBuzz, an OpenType text shaping engine used in Pango. If a user loaded a specially-crafted font file with an application that uses Pango, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2011-3193) Users of evolution28-pango are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing this update, you must restart your system or restart the X server for the update to take effect. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-3193 CVE-2011-3193 qt/harfbuzz buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Pango is a library used for the layout and rendering of internationalized text. A buffer overflow flaw was found in HarfBuzz, an OpenType text shaping engine used in Pango. If a user loaded a specially-crafted font file with an application that uses Pango, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2011-3193) Users of pango are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing this update, you must restart your system or restart the X server for the update to take effect. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-3193 CVE-2011-3193 qt/harfbuzz buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 frysk is an execution-analysis technology implemented using native Java and C++. It provides developers and system administrators with the ability to examine and analyze multi-host, multi-process, and multithreaded systems while they are running. frysk is released as a Technology Preview for Red Hat Enterprise Linux 4. A buffer overflow flaw was found in HarfBuzz, an OpenType text shaping engine used in the embedded Pango library. If a frysk application were used to debug or trace a process that uses HarfBuzz while it loaded a specially-crafted font file, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2011-3193) Users of frysk are advised to upgrade to this updated package, which contains a backported patch to correct this issue. All running frysk applications must be restarted for this update to take effect. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-3193 CVE-2011-3193 qt/harfbuzz buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Qt is a software toolkit that simplifies the task of writing and maintaining GUI (Graphical User Interface) applications for the X Window System. HarfBuzz is an OpenType text shaping engine. A buffer overflow flaw was found in the harfbuzz module in Qt. If a user loaded a specially-crafted font file with an application linked against Qt, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2011-3193) A buffer overflow flaw was found in the way Qt handled certain gray-scale image files. If a user loaded a specially-crafted gray-scale image file with an application linked against Qt, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2011-3194) Users of Qt should upgrade to these updated packages, which contain backported patches to correct these issues. All running applications linked against Qt libraries must be restarted for this update to take effect. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-3193 CVE-2011-3194 CVE-2011-3193 qt/harfbuzz buffer overflow CVE-2011-3194 qt buffer overflow in greyscale images cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 Supplementary for Red Hat Enterprise Linux 6 The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in. This update fixes multiple vulnerabilities in Adobe Flash Player. These vulnerabilities are detailed on the Adobe security page APSB11-26, listed in the References section. Multiple security flaws were found in the way flash-plugin displayed certain SWF content. An attacker could use these flaws to create a specially-crafted SWF file that would cause flash-plugin to crash or, potentially, execute arbitrary code when the victim loaded a page containing the specially-crafted SWF content. (CVE-2011-2426, CVE-2011-2427, CVE-2011-2428, CVE-2011-2430) A flaw in flash-plugin could allow an attacker to conduct cross-site scripting (XSS) attacks if a victim were tricked into visiting a specially-crafted web page. (CVE-2011-2444) This update also fixes an information disclosure flaw in flash-plugin. (CVE-2011-2429) All users of Adobe Flash Player should install this updated package, which upgrades Flash Player to version 10.3.183.10. Critical Copyright 2011 Red Hat, Inc. CVE-2011-2426 CVE-2011-2427 CVE-2011-2428 CVE-2011-2429 CVE-2011-2430 CVE-2011-2444 CVE-2011-2444 flash-plugin: Cross-site scripting vulnerability fixed in APSB11-26 CVE-2011-2429 flash-plugin: security control bypass information disclosure fixed in APSB11-26 CVE-2011-2426 CVE-2011-2427 CVE-2011-2428 CVE-2011-2430 flash-plugin: critical flaws fixed in APSB11-26 cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 6 NetworkManager is a network link manager that attempts to keep a wired or wireless network connection active at all times. The ifcfg-rh NetworkManager plug-in is used in Red Hat Enterprise Linux distributions to read and write configuration information from the /etc/sysconfig/network-scripts/ifcfg-* files. An input sanitization flaw was found in the way the ifcfg-rh NetworkManager plug-in escaped network connection names containing special characters. If PolicyKit was configured to allow local, unprivileged users to create and save new network connections, they could create a connection with a specially-crafted name, leading to the escalation of their privileges. Note: By default, PolicyKit prevents unprivileged users from creating and saving network connections. (CVE-2011-3364) Red Hat would like to thank Matt McCutchen for reporting this issue. Users of NetworkManager should upgrade to these updated packages, which contain a backported patch to correct this issue. Running instances of NetworkManager must be restarted ("service NetworkManager restart") for this update to take effect. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-3364 CVE-2011-3364 NetworkManager: Console user can escalate to root via newlines in ifcfg-rh connection name cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 6 Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2011-2995) A flaw was found in the way Firefox processed the "Enter" keypress event. A malicious web page could present a download dialog while the key is pressed, activating the default "Open" action. A remote attacker could exploit this vulnerability by causing the browser to open malicious web content. (CVE-2011-2372) A flaw was found in the way Firefox handled Location headers in redirect responses. Two copies of this header with different values could be a symptom of a CRLF injection attack against a vulnerable server. Firefox now treats two copies of the Location, Content-Length, or Content-Disposition header as an error condition. (CVE-2011-3000) A flaw was found in the way Firefox handled frame objects with certain names. An attacker could use this flaw to cause a plug-in to grant its content access to another site or the local file system, violating the same-origin policy. (CVE-2011-2999) An integer underflow flaw was found in the way Firefox handled large JavaScript regular expressions. A web page containing malicious JavaScript could cause Firefox to access already freed memory, causing Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2011-2998) For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 3.6.23. You can find a link to the Mozilla advisories in the References section of this erratum. All Firefox users should upgrade to these updated packages, which contain Firefox version 3.6.23, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect. Critical Copyright 2011 Red Hat, Inc. CVE-2011-2372 CVE-2011-2995 CVE-2011-2998 CVE-2011-2999 CVE-2011-3000 CVE-2011-2995 Mozilla: Miscellaneous memory safety hazards (MFSA 2011-36) CVE-2011-2999 Mozilla: XSS via plugins and shadowed window.location object (MFSA 2011-38) CVE-2011-3000 Mozilla:Defense against multiple Location headers due to CRLF Injection (MFSA 2011-39) CVE-2011-2372 Mozilla:Code installation through holding down Enter (MFSA 2011-40) CVE-2011-2998 Mozilla: Integer underflow when using JavaScript RegExp (MFSA 2011-37) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Mozilla Thunderbird is a standalone mail and newsgroup client. Several flaws were found in the processing of malformed HTML content. An HTML mail message containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2011-2995) A flaw was found in the way Thunderbird processed the "Enter" keypress event. A malicious HTML mail message could present a download dialog while the key is pressed, activating the default "Open" action. A remote attacker could exploit this vulnerability by causing the mail client to open malicious web content. (CVE-2011-2372) A flaw was found in the way Thunderbird handled Location headers in redirect responses. Two copies of this header with different values could be a symptom of a CRLF injection attack against a vulnerable server. Thunderbird now treats two copies of the Location, Content-Length, or Content-Disposition header as an error condition. (CVE-2011-3000) A flaw was found in the way Thunderbird handled frame objects with certain names. An attacker could use this flaw to cause a plug-in to grant its content access to another site or the local file system, violating the same-origin policy. (CVE-2011-2999) An integer underflow flaw was found in the way Thunderbird handled large JavaScript regular expressions. An HTML mail message containing malicious JavaScript could cause Thunderbird to access already freed memory, causing Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2011-2998) All Thunderbird users should upgrade to this updated package, which resolves these issues. All running instances of Thunderbird must be restarted for the update to take effect. Critical Copyright 2011 Red Hat, Inc. CVE-2011-2372 CVE-2011-2995 CVE-2011-2998 CVE-2011-2999 CVE-2011-3000 CVE-2011-2995 Mozilla: Miscellaneous memory safety hazards (MFSA 2011-36) CVE-2011-2999 Mozilla: XSS via plugins and shadowed window.location object (MFSA 2011-38) CVE-2011-3000 Mozilla:Defense against multiple Location headers due to CRLF Injection (MFSA 2011-39) CVE-2011-2372 Mozilla:Code installation through holding down Enter (MFSA 2011-40) CVE-2011-2998 Mozilla: Integer underflow when using JavaScript RegExp (MFSA 2011-37) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Thunderbird is a standalone mail and newsgroup client. A flaw was found in the way Thunderbird handled frame objects with certain names. An attacker could use this flaw to cause a plug-in to grant its content access to another site or the local file system, violating the same-origin policy. (CVE-2011-2999) An integer underflow flaw was found in the way Thunderbird handled large JavaScript regular expressions. An HTML mail message containing malicious JavaScript could cause Thunderbird to access already freed memory, causing Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2011-2998) All Thunderbird users should upgrade to this updated package, which resolves these issues. All running instances of Thunderbird must be restarted for the update to take effect. Critical Copyright 2011 Red Hat, Inc. CVE-2011-2998 CVE-2011-2999 CVE-2011-2999 Mozilla: XSS via plugins and shadowed window.location object (MFSA 2011-38) CVE-2011-2998 Mozilla: Integer underflow when using JavaScript RegExp (MFSA 2011-37) cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 SeaMonkey is an open source web browser, email and newsgroup client, IRC chat client, and HTML editor. A flaw was found in the way SeaMonkey handled frame objects with certain names. An attacker could use this flaw to cause a plug-in to grant its content access to another site or the local file system, violating the same-origin policy. (CVE-2011-2999) An integer underflow flaw was found in the way SeaMonkey handled large JavaScript regular expressions. A web page containing malicious JavaScript could cause SeaMonkey to access already freed memory, causing SeaMonkey to crash or, potentially, execute arbitrary code with the privileges of the user running SeaMonkey. (CVE-2011-2998) All SeaMonkey users should upgrade to these updated packages, which correct these issues. After installing the update, SeaMonkey must be restarted for the changes to take effect. Critical Copyright 2011 Red Hat, Inc. CVE-2011-2998 CVE-2011-2999 CVE-2011-2999 Mozilla: XSS via plugins and shadowed window.location object (MFSA 2011-38) CVE-2011-2998 Mozilla: Integer underflow when using JavaScript RegExp (MFSA 2011-37) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 The RPM Package Manager (RPM) is a command line driven package management system capable of installing, uninstalling, verifying, querying, and updating software packages. Multiple flaws were found in the way the RPM library parsed package headers. An attacker could create a specially-crafted RPM package that, when queried or installed, would cause rpm to crash or, potentially, execute arbitrary code. (CVE-2011-3378) Note: Although an RPM package can, by design, execute arbitrary code when installed, this issue would allow a specially-crafted RPM package to execute arbitrary code before its digital signature has been verified. Package downloads from the Red Hat Network remain secure due to certificate checks performed on the secure connection. All RPM users should upgrade to these updated packages, which contain a backported patch to correct these issues. All running applications linked against the RPM library must be restarted for this update to take effect. Important Copyright 2011 Red Hat, Inc. CVE-2011-3378 CVE-2011-3378 rpm: crashes and overflows on malformed header cpe:/o:redhat:rhel_aus cpe:/o:redhat:rhel_els cpe:/o:redhat:enterprise_linux cpe:/o:redhat:rhel_eus Red Hat Enterprise Linux 6 The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues: * Flaws in the AGPGART driver implementation when handling certain IOCTL commands could allow a local user to cause a denial of service or escalate their privileges. (CVE-2011-1745, CVE-2011-2022, Important) * An integer overflow flaw in agp_allocate_memory() could allow a local user to cause a denial of service or escalate their privileges. (CVE-2011-1746, Important) * A race condition flaw was found in the Linux kernel's eCryptfs implementation. A local attacker could use the mount.ecryptfs_private utility to mount (and then access) a directory they would otherwise not have access to. Note: To correct this issue, the RHSA-2011:1241 ecryptfs-utils update, which provides the user-space part of the fix, must also be installed. (CVE-2011-1833, Moderate) * A denial of service flaw was found in the way the taskstats subsystem handled the registration of process exit handlers. A local, unprivileged user could register an unlimited amount of these handlers, leading to excessive CPU time and memory use. (CVE-2011-2484, Moderate) * A flaw was found in the way mapping expansions were handled. A local, unprivileged user could use this flaw to cause a wrapping condition, triggering a denial of service. (CVE-2011-2496, Moderate) * A flaw was found in the Linux kernel's Performance Events implementation. It could falsely lead the NMI (Non-Maskable Interrupt) Watchdog to detect a lockup and panic the system. A local, unprivileged user could use this flaw to cause a denial of service (kernel panic) using the perf tool. (CVE-2011-2521, Moderate) * A flaw in skb_gro_header_slow() in the Linux kernel could lead to GRO (Generic Receive Offload) fields being left in an inconsistent state. An attacker on the local network could use this flaw to trigger a denial of service. GRO is enabled by default in all network drivers that support it. (CVE-2011-2723, Moderate) * A flaw was found in the way the Linux kernel's Performance Events implementation handled PERF_COUNT_SW_CPU_CLOCK counter overflow. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2011-2918, Moderate) * A flaw was found in the Linux kernel's Trusted Platform Module (TPM) implementation. A local, unprivileged user could use this flaw to leak information to user-space. (CVE-2011-1160, Low) * Flaws were found in the tpacket_rcv() and packet_recvmsg() functions in the Linux kernel. A local, unprivileged user could use these flaws to leak information to user-space. (CVE-2011-2898, Low) Red Hat would like to thank Vasiliy Kulikov of Openwall for reporting CVE-2011-1745, CVE-2011-2022, CVE-2011-1746, and CVE-2011-2484; the Ubuntu Security Team for reporting CVE-2011-1833; Robert Swiecki for reporting CVE-2011-2496; Li Yu for reporting CVE-2011-2521; Brent Meshier for reporting CVE-2011-2723; and Peter Huewe for reporting CVE-2011-1160. The Ubuntu Security Team acknowledges Vasiliy Kulikov of Openwall and Dan Rosenberg as the original reporters of CVE-2011-1833. This update also fixes various bugs and adds one enhancement. Documentation for these changes will be available shortly from the Technical Notes document linked to in the References section. Users should upgrade to these updated packages, which contain backported patches to correct these issues, and fix the bugs and add the enhancement noted in the Technical Notes. The system must be rebooted for this update to take effect. Important Copyright 2011 Red Hat, Inc. CVE-2011-1160 CVE-2011-1745 CVE-2011-1746 CVE-2011-1833 CVE-2011-2022 CVE-2011-2484 CVE-2011-2496 CVE-2011-2521 CVE-2011-2723 CVE-2011-2898 CVE-2011-2918 CVE-2011-1160 kernel: tpm infoleaks CVE-2011-1745 CVE-2011-2022 kernel: agp: insufficient pg_start parameter checking in AGPIOC_BIND and AGPIOC_UNBIND ioctls CVE-2011-1746 kernel: agp: insufficient page_count parameter checking in agp_allocate_memory() UV: fscache taints kernel; NFS requires fscache; NFS taints kernel CVE-2011-2484 kernel: taskstats: duplicate entries in listener mode can lead to DoS CVE-2011-2496 kernel: mm: avoid wrapping vm_pgoff in mremap() and stack expansions CVE-2011-2521 kernel: perf, x86: fix Intel fixed counters base initialization CVE-2011-2723 kernel: gro: only reset frag0 when skb can be pulled CVE-2011-2898 kernel: af_packet: infoleak CVE-2011-2918 kernel: perf: Fix software event overflow CVE-2011-1833 kernel: ecryptfs: mount source TOCTOU race [bnx2x_extract_max_cfg:1079(ethxx)]Illegal configuration detected for Max BW - using 100 instead [rhel-6.1.z] cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Openswan is a free implementation of Internet Protocol Security (IPsec) and Internet Key Exchange (IKE). IPsec uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks. A NULL pointer dereference flaw was found in the way Openswan's pluto IKE daemon handled certain error conditions. A remote, unauthenticated attacker could send a specially-crafted IKE packet that would crash the pluto daemon. (CVE-2011-3380) Red Hat would like to thank the Openswan project for reporting this issue. Upstream acknowledges Paul Wouters as the original reporter. All users of openswan are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing this update, the ipsec service will be restarted automatically. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-3380 CVE-2011-3380 openswan: IKE invalid key length allows remote unauthenticated user to crash openswan cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 X.Org is an open source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon. Multiple input sanitization flaws were found in the X.Org GLX (OpenGL extension to the X Window System) extension. A malicious, authorized client could use these flaws to crash the X.Org server or, potentially, execute arbitrary code with root privileges. (CVE-2010-4818) An input sanitization flaw was found in the X.Org Render extension. A malicious, authorized client could use this flaw to leak arbitrary memory from the X.Org server process, or possibly crash the X.Org server. (CVE-2010-4819) Users of xorg-x11-server should upgrade to these updated packages, which contain backported patches to resolve these issues. All running X.Org server instances must be restarted for this update to take effect. Moderate Copyright 2011 Red Hat, Inc. CVE-2010-4818 CVE-2010-4819 CVE-2010-4818 X.org: multiple GLX input sanitization flaws CVE-2010-4819 X.org: ProcRenderAddGlyphs input sanitization flaw cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 X.Org is an open source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon. Multiple input sanitization flaws were found in the X.Org GLX (OpenGL extension to the X Window System) extension. A malicious, authorized client could use these flaws to crash the X.Org server or, potentially, execute arbitrary code with root privileges. (CVE-2010-4818) An input sanitization flaw was found in the X.Org Render extension. A malicious, authorized client could use this flaw to leak arbitrary memory from the X.Org server process, or possibly crash the X.Org server. (CVE-2010-4819) Users of xorg-x11 should upgrade to these updated packages, which contain a backported patch to resolve these issues. All running X.Org server instances must be restarted for this update to take effect. Moderate Copyright 2011 Red Hat, Inc. CVE-2010-4818 CVE-2010-4819 CVE-2010-4818 X.org: multiple GLX input sanitization flaws CVE-2010-4819 X.org: ProcRenderAddGlyphs input sanitization flaw cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Pidgin is an instant messaging program which can log in to multiple accounts on multiple instant messaging networks simultaneously. An input sanitization flaw was found in the way the Pidgin SILC (Secure Internet Live Conferencing) protocol plug-in escaped certain UTF-8 characters. A remote attacker could use this flaw to crash Pidgin via a specially-crafted SILC message. (CVE-2011-3594) Multiple NULL pointer dereference flaws were found in the way the Pidgin Yahoo! Messenger Protocol plug-in handled malformed YMSG packets. A remote attacker could use these flaws to crash Pidgin via a specially-crafted notification message. (CVE-2011-1091) Red Hat would like to thank the Pidgin project for reporting CVE-2011-1091. Upstream acknowledges Marius Wachtler as the original reporter of CVE-2011-1091. All Pidgin users should upgrade to these updated packages, which contain backported patches to resolve these issues. Pidgin must be restarted for this update to take effect. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-1091 CVE-2011-3594 CVE-2011-1091 Pidgin: Multiple NULL pointer dereference flaws in Yahoo protocol plug-in CVE-2011-3594 libpurple: invalid UTF-8 string handling in SILC messages cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 PostgreSQL is an advanced object-relational database management system (DBMS). A signedness issue was found in the way the crypt() function in the PostgreSQL pgcrypto module handled 8-bit characters in passwords when using Blowfish hashing. Up to three characters immediately preceding a non-ASCII character (one with the high bit set) had no effect on the hash result, thus shortening the effective password length. This made brute-force guessing more efficient as several different passwords were hashed to the same value. (CVE-2011-2483) Note: Due to the CVE-2011-2483 fix, after installing this update some users may not be able to log in to applications that store user passwords, hashed with Blowfish using the PostgreSQL crypt() function, in a back-end PostgreSQL database. Unsafe processing can be re-enabled for specific passwords (allowing affected users to log in) by changing their hash prefix to "$2x$". For Red Hat Enterprise Linux 6, the updated postgresql packages upgrade PostgreSQL to version 8.4.9. Refer to the PostgreSQL Release Notes for a full list of changes: http://www.postgresql.org/docs/8.4/static/release.html For Red Hat Enterprise Linux 4 and 5, the updated postgresql packages contain a backported patch. All PostgreSQL users are advised to upgrade to these updated packages, which correct this issue. If the postgresql service is running, it will be automatically restarted after installing this update. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-2483 CVE-2011-2483 crypt_blowfish: 8-bit character mishandling allows different password pairs to produce the same hash cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 PostgreSQL is an advanced object-relational database management system (DBMS). A signedness issue was found in the way the crypt() function in the PostgreSQL pgcrypto module handled 8-bit characters in passwords when using Blowfish hashing. Up to three characters immediately preceding a non-ASCII character (one with the high bit set) had no effect on the hash result, thus shortening the effective password length. This made brute-force guessing more efficient as several different passwords were hashed to the same value. (CVE-2011-2483) Note: Due to the CVE-2011-2483 fix, after installing this update some users may not be able to log in to applications that store user passwords, hashed with Blowfish using the PostgreSQL crypt() function, in a back-end PostgreSQL database. Unsafe processing can be re-enabled for specific passwords (allowing affected users to log in) by changing their hash prefix to "$2x$". These updated postgresql84 packages upgrade PostgreSQL to version 8.4.9. Refer to the PostgreSQL Release Notes for a full list of changes: http://www.postgresql.org/docs/8.4/static/release.html All PostgreSQL users are advised to upgrade to these updated packages, which correct this issue. If the postgresql service is running, it will be automatically restarted after installing this update. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-2483 CVE-2011-2483 crypt_blowfish: 8-bit character mishandling allows different password pairs to produce the same hash cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third-party, the Key Distribution Center (KDC). Multiple NULL pointer dereference and assertion failure flaws were found in the MIT Kerberos KDC when it was configured to use an LDAP (Lightweight Directory Access Protocol) or Berkeley Database (Berkeley DB) back end. A remote attacker could use these flaws to crash the KDC. (CVE-2011-1527, CVE-2011-1528, CVE-2011-1529) Red Hat would like to thank the MIT Kerberos project for reporting the CVE-2011-1527 issue. Upstream acknowledges Andrej Ota as the original reporter of CVE-2011-1527. All krb5 users should upgrade to these updated packages, which contain a backported patch to correct these issues. After installing the updated packages, the krb5kdc daemon will be restarted automatically. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-1527 CVE-2011-1528 CVE-2011-1529 CVE-2011-1527 CVE-2011-1528 CVE-2011-1529 krb5: KDC denial of service vulnerabilities (MITKRB5-SA-2011-006) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 5 These packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software Development Kit. A flaw was found in the Java RMI (Remote Method Invocation) registry implementation. A remote RMI client could use this flaw to execute arbitrary code on the RMI server running the registry. (CVE-2011-3556) A flaw was found in the Java RMI registry implementation. A remote RMI client could use this flaw to execute code on the RMI server with unrestricted privileges. (CVE-2011-3557) A flaw was found in the IIOP (Internet Inter-Orb Protocol) deserialization code. An untrusted Java application or applet running in a sandbox could use this flaw to bypass sandbox restrictions by deserializing specially-crafted input. (CVE-2011-3521) It was found that the Java ScriptingEngine did not properly restrict the privileges of sandboxed applications. An untrusted Java application or applet running in a sandbox could use this flaw to bypass sandbox restrictions. (CVE-2011-3544) A flaw was found in the AWTKeyStroke implementation. An untrusted Java application or applet running in a sandbox could use this flaw to bypass sandbox restrictions. (CVE-2011-3548) An integer overflow flaw, leading to a heap-based buffer overflow, was found in the Java2D code used to perform transformations of graphic shapes and images. An untrusted Java application or applet running in a sandbox could use this flaw to bypass sandbox restrictions. (CVE-2011-3551) An insufficient error checking flaw was found in the unpacker for JAR files in pack200 format. A specially-crafted JAR file could use this flaw to crash the Java Virtual Machine (JVM) or, possibly, execute arbitrary code with JVM privileges. (CVE-2011-3554) It was found that HttpsURLConnection did not perform SecurityManager checks in the setSSLSocketFactory method. An untrusted Java application or applet running in a sandbox could use this flaw to bypass connection restrictions defined in the policy. (CVE-2011-3560) A flaw was found in the way the SSL 3 and TLS 1.0 protocols used block ciphers in cipher-block chaining (CBC) mode. An attacker able to perform a chosen plain text attack against a connection mixing trusted and untrusted data could use this flaw to recover portions of the trusted data sent over the connection. (CVE-2011-3389) Note: This update mitigates the CVE-2011-3389 issue by splitting the first application data record byte to a separate SSL/TLS protocol record. This mitigation may cause compatibility issues with some SSL/TLS implementations and can be disabled using the jsse.enableCBCProtection boolean property. This can be done on the command line by appending the flag "-Djsse.enableCBCProtection=false" to the java command. An information leak flaw was found in the InputStream.skip implementation. An untrusted Java application or applet could possibly use this flaw to obtain bytes skipped by other threads. (CVE-2011-3547) A flaw was found in the Java HotSpot virtual machine. An untrusted Java application or applet could use this flaw to disclose portions of the VM memory, or cause it to crash. (CVE-2011-3558) The Java API for XML Web Services (JAX-WS) implementation in OpenJDK was configured to include the stack trace in error messages sent to clients. A remote client could possibly use this flaw to obtain sensitive information. (CVE-2011-3553) It was found that Java applications running with SecurityManager restrictions were allowed to use too many UDP sockets by default. If multiple instances of a malicious application were started at the same time, they could exhaust all available UDP sockets on the system. (CVE-2011-3552) This erratum also upgrades the OpenJDK package to IcedTea6 1.9.10. Refer to the NEWS file, linked to in the References, for further information. All users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect. Critical Copyright 2011 Red Hat, Inc. CVE-2011-3389 CVE-2011-3521 CVE-2011-3544 CVE-2011-3547 CVE-2011-3548 CVE-2011-3551 CVE-2011-3552 CVE-2011-3553 CVE-2011-3554 CVE-2011-3556 CVE-2011-3557 CVE-2011-3558 CVE-2011-3560 CVE-2011-3389 HTTPS: block-wise chosen-plaintext attack against SSL/TLS (BEAST) CVE-2011-3560 OpenJDK: missing checkSetFactory calls in HttpsURLConnection (JSSE, 7096936) CVE-2011-3547 OpenJDK: InputStream skip() information leak (Networking/IO, 7000600) CVE-2011-3551 OpenJDK: Java2D TransformHelper integer overflow (2D, 7023640) CVE-2011-3552 OpenJDK: excessive default UDP socket limit under SecurityManager (Networking, 7032417) CVE-2011-3544 OpenJDK: missing SecurityManager checks in scripting engine (Scripting, 7046823) CVE-2011-3521 OpenJDK: IIOP deserialization code execution (Deserialization, 7055902) CVE-2011-3554 OpenJDK: insufficient pack200 JAR files uncompress error checks (Runtime, 7057857) CVE-2011-3556 OpenJDK: RMI DGC server remote code execution (RMI, 7077466) CVE-2011-3557 OpenJDK: RMI registry privileged code execution (RMI, 7083012) CVE-2011-3548 OpenJDK: mutable static AWTKeyStroke.ctor (AWT, 7019773) CVE-2011-3553 OpenJDK: JAX-WS stack-traces information leak (JAX-WS, 7046794) CVE-2011-3558 OpenJDK: Hotspot unspecified issue (Hotspot, 7070134) cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 6 Supplementary for Red Hat Enterprise Linux 5 The Sun 1.6.0 Java release includes the Sun Java 6 Runtime Environment and the Sun Java 6 Software Development Kit. This update fixes several vulnerabilities in the Sun Java 6 Runtime Environment and the Sun Java 6 Software Development Kit. Further information about these flaws can be found on the Oracle Java SE Critical Patch page, listed in the References section. (CVE-2011-3389, CVE-2011-3516, CVE-2011-3521, CVE-2011-3544, CVE-2011-3545, CVE-2011-3546, CVE-2011-3547, CVE-2011-3548, CVE-2011-3549, CVE-2011-3550, CVE-2011-3551, CVE-2011-3552, CVE-2011-3553, CVE-2011-3554, CVE-2011-3555, CVE-2011-3556, CVE-2011-3557, CVE-2011-3558, CVE-2011-3560, CVE-2011-3561) All users of java-1.6.0-sun are advised to upgrade to these updated packages, which provide JDK and JRE 6 Update 29 and resolve these issues. All running instances of Sun Java must be restarted for the update to take effect. Critical Copyright 2011 Red Hat, Inc. CVE-2011-3389 CVE-2011-3516 CVE-2011-3521 CVE-2011-3544 CVE-2011-3545 CVE-2011-3546 CVE-2011-3547 CVE-2011-3548 CVE-2011-3549 CVE-2011-3550 CVE-2011-3551 CVE-2011-3552 CVE-2011-3553 CVE-2011-3554 CVE-2011-3556 CVE-2011-3557 CVE-2011-3558 CVE-2011-3560 CVE-2011-3561 CVE-2011-3389 HTTPS: block-wise chosen-plaintext attack against SSL/TLS (BEAST) CVE-2011-3560 OpenJDK: missing checkSetFactory calls in HttpsURLConnection (JSSE, 7096936) CVE-2011-3547 OpenJDK: InputStream skip() information leak (Networking/IO, 7000600) CVE-2011-3551 OpenJDK: Java2D TransformHelper integer overflow (2D, 7023640) CVE-2011-3552 OpenJDK: excessive default UDP socket limit under SecurityManager (Networking, 7032417) CVE-2011-3544 OpenJDK: missing SecurityManager checks in scripting engine (Scripting, 7046823) CVE-2011-3521 OpenJDK: IIOP deserialization code execution (Deserialization, 7055902) CVE-2011-3554 OpenJDK: insufficient pack200 JAR files uncompress error checks (Runtime, 7057857) CVE-2011-3556 OpenJDK: RMI DGC server remote code execution (RMI, 7077466) CVE-2011-3557 OpenJDK: RMI registry privileged code execution (RMI, 7083012) CVE-2011-3548 OpenJDK: mutable static AWTKeyStroke.ctor (AWT, 7019773) CVE-2011-3553 OpenJDK: JAX-WS stack-traces information leak (JAX-WS, 7046794) CVE-2011-3558 OpenJDK: Hotspot unspecified issue (Hotspot, 7070134) CVE-2011-3545 Oracle/IBM JDK: unspecified vulnerability fixed in 6u29 (Sound) CVE-2011-3549 Oracle/IBM JDK: unspecified vulnerability fixed in 6u29 (Swing) CVE-2011-3550 Oracle/IBM JDK: unspecified vulnerability fixed in 6u29 (AWT) CVE-2011-3516 Oracle/IBM JDK: unspecified vulnerability fixed in 6u29 (Deployment) CVE-2011-3546 Oracle/IBM JDK: unspecified vulnerability fixed in 6u29 (Deployment) CVE-2011-3555 Oracle/IBM JDK: unspecified vulnerability fixed in 6u29 (JRE) CVE-2011-3561 Oracle/IBM JDK: unspecified vulnerability fixed in 6u29 (Deployment) cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 The kdelibs and kdelibs3 packages provide libraries for the K Desktop Environment (KDE). An input sanitization flaw was found in the KSSL (KDE SSL Wrapper) API. An attacker could supply a specially-crafted SSL certificate (for example, via a web page) to an application using KSSL, such as the Konqueror web browser, causing misleading information to be presented to the user, possibly tricking them into accepting the certificate as valid. (CVE-2011-3365) Users should upgrade to these updated packages, which contain a backported patch to correct this issue. The desktop must be restarted (log out, then log back in) for this update to take effect. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-3365 CVE-2011-3365 kdelibs: input validation failure in KSSL cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security fixes: * The maximum file offset handling for ext4 file systems could allow a local, unprivileged user to cause a denial of service. (CVE-2011-2695, Important) * IPv6 fragment identification value generation could allow a remote attacker to disrupt a target system's networking, preventing legitimate users from accessing its services. (CVE-2011-2699, Important) * A malicious CIFS (Common Internet File System) server could send a specially-crafted response to a directory read request that would result in a denial of service or privilege escalation on a system that has a CIFS share mounted. (CVE-2011-3191, Important) * A local attacker could use mount.ecryptfs_private to mount (and then access) a directory they would otherwise not have access to. Note: To correct this issue, the RHSA-2011:1241 ecryptfs-utils update must also be installed. (CVE-2011-1833, Moderate) * A flaw in the taskstats subsystem could allow a local, unprivileged user to cause excessive CPU time and memory use. (CVE-2011-2484, Moderate) * Mapping expansion handling could allow a local, unprivileged user to cause a denial of service. (CVE-2011-2496, Moderate) * GRO (Generic Receive Offload) fields could be left in an inconsistent state. An attacker on the local network could use this flaw to cause a denial of service. GRO is enabled by default in all network drivers that support it. (CVE-2011-2723, Moderate) * RHSA-2011:1065 introduced a regression in the Ethernet bridge implementation. If a system had an interface in a bridge, and an attacker on the local network could send packets to that interface, they could cause a denial of service on that system. Xen hypervisor and KVM (Kernel-based Virtual Machine) hosts often deploy bridge interfaces. (CVE-2011-2942, Moderate) * A flaw in the Xen hypervisor IOMMU error handling implementation could allow a privileged guest user, within a guest operating system that has direct control of a PCI device, to cause performance degradation on the host and possibly cause it to hang. (CVE-2011-3131, Moderate) * IPv4 and IPv6 protocol sequence number and fragment ID generation could allow a man-in-the-middle attacker to inject packets and possibly hijack connections. Protocol sequence number and fragment IDs are now more random. (CVE-2011-3188, Moderate) * A flaw in the kernel's clock implementation could allow a local, unprivileged user to cause a denial of service. (CVE-2011-3209, Moderate) * Non-member VLAN (virtual LAN) packet handling for interfaces in promiscuous mode and also using the be2net driver could allow an attacker on the local network to cause a denial of service. (CVE-2011-3347, Moderate) * A flaw in the auerswald USB driver could allow a local, unprivileged user to cause a denial of service or escalate their privileges by inserting a specially-crafted USB device. (CVE-2009-4067, Low) * A flaw in the Trusted Platform Module (TPM) implementation could allow a local, unprivileged user to leak information to user space. (CVE-2011-1160, Low) * A local, unprivileged user could possibly mount a CIFS share that requires authentication without knowing the correct password if the mount was already mounted by another local user. (CVE-2011-1585, Low) Red Hat would like to thank Fernando Gont for reporting CVE-2011-2699; Darren Lavender for reporting CVE-2011-3191; the Ubuntu Security Team for reporting CVE-2011-1833; Vasiliy Kulikov of Openwall for reporting CVE-2011-2484; Robert Swiecki for reporting CVE-2011-2496; Brent Meshier for reporting CVE-2011-2723; Dan Kaminsky for reporting CVE-2011-3188; Yasuaki Ishimatsu for reporting CVE-2011-3209; Somnath Kotur for reporting CVE-2011-3347; Rafael Dominguez Vega for reporting CVE-2009-4067; and Peter Huewe for reporting CVE-2011-1160. The Ubuntu Security Team acknowledges Vasiliy Kulikov of Openwall and Dan Rosenberg as the original reporters of CVE-2011-1833. Important Copyright 2011 Red Hat, Inc. CVE-2009-4067 CVE-2011-1160 CVE-2011-1585 CVE-2011-1833 CVE-2011-2484 CVE-2011-2496 CVE-2011-2695 CVE-2011-2699 CVE-2011-2723 CVE-2011-2942 CVE-2011-3131 CVE-2011-3188 CVE-2011-3191 CVE-2011-3209 CVE-2011-3347 CVE-2011-1160 kernel: tpm infoleaks CVE-2011-1585 kernel: cifs session reuse CVE-2011-2484 kernel: taskstats: duplicate entries in listener mode can lead to DoS CVE-2011-2496 kernel: mm: avoid wrapping vm_pgoff in mremap() and stack expansions CVE-2009-4067 kernel: usb: buffer overflow in auerswald_probe() CVE-2011-2695 kernel: ext4: kernel panic when writing data to the last block of sparse file CVE-2011-2699 kernel: ipv6: make fragment identifications less predictable CVE-2011-2723 kernel: gro: only reset frag0 when skb can be pulled win2003 i386 guest BSOD when created with e1000 nic [rhel-5.7.z] CVE-2011-3131 kernel: xen: IOMMU fault livelock [EL5.7] igb: failed to activate WOL on 2nd LAN port on i350 [rhel-5.7.z] Huge performance regression in NFS client [rhel-5.7.z] CVE-2011-2942 kernel: bridge: null pointer dereference in __br_deliver CVE-2011-1833 kernel: ecryptfs: mount source TOCTOU race CVE-2011-3188 kernel: net: improve sequence number generation CVE-2011-3191 kernel: cifs: signedness issue in CIFSFindNext() CVE-2011-3209 kernel: panic occurs when clock_gettime() is called Incorrect values in /proc/sys/vm/dirty_writeback_centises and dirty_expire_centisecs [rhel-5.7.z] CVE-2011-3347 kernel: be2net: promiscuous mode and non-member VLAN packets DoS Patch needed to allow MTU >1500 on vif prior to connecting to bridge [rhel-5.7.z] netfront MTU drops to 1500 after domain migration [rhel-5.7.z] 2.6.18-238.1.1.el5 or newer won't boot under Xen HVM due to linux-2.6-virt-nmi-don-t-print-nmi-stuck-messages-on-guests.patch [rhel-5.7.z] cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 The Apache HTTP Server is a popular web server. It was discovered that the Apache HTTP Server did not properly validate the request URI for proxied requests. In certain configurations, if a reverse proxy used the ProxyPassMatch directive, or if it used the RewriteRule directive with the proxy flag, a remote attacker could make the proxy connect to an arbitrary server, possibly disclosing sensitive information from internal web servers not directly accessible to the attacker. (CVE-2011-3368) It was discovered that mod_proxy_ajp incorrectly returned an "Internal Server Error" response when processing certain malformed HTTP requests, which caused the back-end server to be marked as failed in configurations where mod_proxy was used in load balancer mode. A remote attacker could cause mod_proxy to not send requests to back-end AJP (Apache JServ Protocol) servers for the retry timeout period or until all back-end servers were marked as failed. (CVE-2011-3348) Red Hat would like to thank Context Information Security for reporting the CVE-2011-3368 issue. This update also fixes the following bug: * The fix for CVE-2011-3192 provided by the RHSA-2011:1245 update introduced regressions in the way httpd handled certain Range HTTP header values. This update corrects those regressions. (BZ#736592) All httpd users should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd daemon must be restarted for the update to take effect. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-3348 CVE-2011-3368 httpd: RHSA-2011:1245 regressions [rhel-6] CVE-2011-3348 httpd: mod_proxy_ajp remote temporary DoS CVE-2011-3368 httpd: reverse web proxy vulnerability cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 The Apache HTTP Server is a popular web server. It was discovered that the Apache HTTP Server did not properly validate the request URI for proxied requests. In certain configurations, if a reverse proxy used the ProxyPassMatch directive, or if it used the RewriteRule directive with the proxy flag, a remote attacker could make the proxy connect to an arbitrary server, possibly disclosing sensitive information from internal web servers not directly accessible to the attacker. (CVE-2011-3368) Red Hat would like to thank Context Information Security for reporting this issue. This update also fixes the following bug: * The fix for CVE-2011-3192 provided by the RHSA-2011:1245 update introduced regressions in the way httpd handled certain Range HTTP header values. This update corrects those regressions. (BZ#736593, BZ#736594) All httpd users should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd daemon must be restarted for the update to take effect. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-3368 httpd: RHSA-2011:1245 regressions [rhel-5] httpd: RHSA-2011:1245 regressions [rhel-4] CVE-2011-3368 httpd: reverse web proxy vulnerability cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The xen packages contain administration tools and the xend service for managing the kernel-xen kernel for virtualization on Red Hat Enterprise Linux. A buffer overflow flaw was found in the Xen hypervisor SCSI subsystem emulation. An unprivileged, local guest user could provide a large number of bytes that are used to zero out a fixed-sized buffer via a SAI READ CAPACITY SCSI command, overwriting memory and causing the guest to crash. (CVE-2011-3346) This update also fixes the following bugs: * Prior to this update, the vif-bridge script used a maximum transmission unit (MTU) of 1500 for a new Virtual Interface (VIF). As a result, the MTU of the VIF could differ from that of the target bridge. This update fixes the VIF hot-plug script so that the default MTU for new VIFs will match that of the target Xen hypervisor bridge. In combination with a new enough kernel (RHSA-2011:1386), this enables the use of jumbo frames in Xen hypervisor guests. (BZ#738608) * Prior to this update, the network-bridge script set the MTU of the bridge to 1500. As a result, the MTU of the Xen hypervisor bridge could differ from that of the physical interface. This update fixes the network script so the MTU of the bridge can be set higher than 1500, thus also providing support for jumbo frames. Now, the MTU of the Xen hypervisor bridge will match that of the physical interface. (BZ#738610) * Red Hat Enterprise Linux 5.6 introduced an optimized migration handling that speeds up the migration of guests with large memory. However, the new migration procedure can theoretically cause data corruption. While no cases were observed in practice, with this update, the xend daemon properly waits for correct device release before the guest is started on a destination machine, thus fixing this bug. (BZ#743850) Note: Before a guest is using a new enough kernel (RHSA-2011:1386), the MTU of the VIF will drop back to 1500 (if it was set higher) after migration. All xen users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the xend service must be restarted for this update to take effect. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-3346 CVE-2011-3346 qemu: local DoS with SCSI CD-ROM vif (netback) should take its default MTU from the bridge The network-bridge script does not set the MTU of the bridge to match the MTU of the physical interface cpe:/a:redhat:rhel_virtualization cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 FreeType is a free, high-quality, portable font engine that can open and manage font files. It also loads, hints, and renders individual glyphs efficiently. The freetype packages for Red Hat Enterprise Linux 4 provide both the FreeType 1 and FreeType 2 font engines. The freetype packages for Red Hat Enterprise Linux 5 and 6 provide only the FreeType 2 font engine. Multiple input validation flaws were found in the way FreeType processed bitmap font files. If a specially-crafted font file was loaded by an application linked against FreeType, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2011-3256) Note: These issues only affected the FreeType 2 font engine. Users are advised to upgrade to these updated packages, which contain a backported patch to correct these issues. The X server must be restarted (log out, then log back in) for this update to take effect. Important Copyright 2011 Red Hat, Inc. CVE-2011-3256 CVE-2011-3256 FreeType FT_Bitmap_New integer overflow to buffer overflow, FreeType TT_Vary_Get_Glyph_Deltas improper input validation cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. An uninitialized variable use flaw was found in OpenSSL. This flaw could cause an application using the OpenSSL Certificate Revocation List (CRL) checking functionality to incorrectly accept a CRL that has a nextUpdate date in the past. (CVE-2011-3207) All OpenSSL users should upgrade to these updated packages, which contain a backported patch to resolve this issue. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-3207 CVE-2011-3207 openssl: CRL verification vulnerability cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 5 Openswan is a free implementation of Internet Protocol Security (IPsec) and Internet Key Exchange (IKE). IPsec uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks. A use-after-free flaw was found in the way Openswan's pluto IKE daemon used cryptographic helpers. A remote, authenticated attacker could send a specially-crafted IKE packet that would crash the pluto daemon. This issue only affected SMP (symmetric multiprocessing) systems that have the cryptographic helpers enabled. The helpers are disabled by default on Red Hat Enterprise Linux 5, but enabled by default on Red Hat Enterprise Linux 6. (CVE-2011-4073) Red Hat would like to thank the Openswan project for reporting this issue. Upstream acknowledges Petar Tsankov, Mohammad Torabi Dashti and David Basin of the information security group at ETH Zurich as the original reporters. All users of openswan are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing this update, the ipsec service will be restarted automatically. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-4073 CVE-2011-4073 openswan: use-after-free vulnerability leads to DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. A signedness issue was found in the way the PHP crypt() function handled 8-bit characters in passwords when using Blowfish hashing. Up to three characters immediately preceding a non-ASCII character (one with the high bit set) had no effect on the hash result, thus shortening the effective password length. This made brute-force guessing more efficient as several different passwords were hashed to the same value. (CVE-2011-2483) Note: Due to the CVE-2011-2483 fix, after installing this update some users may not be able to log in to PHP applications that hash passwords with Blowfish using the PHP crypt() function. Refer to the upstream "CRYPT_BLOWFISH security fix details" document, linked to in the References, for details. An insufficient input validation flaw, leading to a buffer over-read, was found in the PHP exif extension. A specially-crafted image file could cause the PHP interpreter to crash when a PHP script tries to extract Exchangeable image file format (Exif) metadata from the image file. (CVE-2011-0708) An integer overflow flaw was found in the PHP calendar extension. A remote attacker able to make a PHP script call SdnToJulian() with a large value could cause the PHP interpreter to crash. (CVE-2011-1466) Multiple memory leak flaws were found in the PHP OpenSSL extension. A remote attacker able to make a PHP script use openssl_encrypt() or openssl_decrypt() repeatedly could cause the PHP interpreter to use an excessive amount of memory. (CVE-2011-1468) A use-after-free flaw was found in the PHP substr_replace() function. If a PHP script used the same variable as multiple function arguments, a remote attacker could possibly use this to crash the PHP interpreter or, possibly, execute arbitrary code. (CVE-2011-1148) A bug in the PHP Streams component caused the PHP interpreter to crash if an FTP wrapper connection was made through an HTTP proxy. A remote attacker could possibly trigger this issue if a PHP script accepted an untrusted URL to connect to. (CVE-2011-1469) An integer signedness issue was found in the PHP zip extension. An attacker could use a specially-crafted ZIP archive to cause the PHP interpreter to use an excessive amount of CPU time until the script execution time limit is reached. (CVE-2011-1471) A stack-based buffer overflow flaw was found in the way the PHP socket extension handled long AF_UNIX socket addresses. An attacker able to make a PHP script connect to a long AF_UNIX socket address could use this flaw to crash the PHP interpreter. (CVE-2011-1938) An off-by-one flaw was found in PHP. If an attacker uploaded a file with a specially-crafted file name it could cause a PHP script to attempt to write a file to the root (/) directory. By default, PHP runs as the "apache" user, preventing it from writing to the root directory. (CVE-2011-2202) All php53 and php users should upgrade to these updated packages, which contain backported patches to resolve these issues. After installing the updated packages, the httpd daemon must be restarted for the update to take effect. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-0708 CVE-2011-1148 CVE-2011-1466 CVE-2011-1468 CVE-2011-1469 CVE-2011-1471 CVE-2011-1938 CVE-2011-2202 CVE-2011-2483 CVE-2011-0708 php: buffer over-read in Exif extension CVE-2011-1148 php: use-after-free vulnerability in substr_replace() CVE-2011-1466 php: Crash by converting serial day numbers (SDN) into Julian calendar CVE-2011-1468 php: Multiple memory leaks in the OpenSSL extension CVE-2011-1469 php: DoS when using HTTP proxy with the FTP wrapper CVE-2011-1471 php: DoS (excessive CPU consumption) by processing certain Zip archive files CVE-2011-1938 php: stack-based buffer overflow in socket_connect() CVE-2011-2202 php: file path injection vulnerability in RFC1867 file upload filename CVE-2011-2483 crypt_blowfish: 8-bit character mishandling allows different password pairs to produce the same hash cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Perl is a high-level programming language commonly used for system administration utilities and web programming. A heap-based buffer overflow flaw was found in the way Perl decoded Unicode strings. An attacker could create a malicious Unicode string that, when decoded by a Perl program, would cause the program to crash or, potentially, execute arbitrary code with the permissions of the user running the program. (CVE-2011-2939) It was found that the "new" constructor of the Digest module used its argument as part of the string expression passed to the eval() function. An attacker could possibly use this flaw to execute arbitrary Perl code with the privileges of a Perl program that uses untrusted input as an argument to the constructor. (CVE-2011-3597) All Perl users should upgrade to these updated packages, which contain backported patches to correct these issues. All running Perl programs must be restarted for this update to take effect. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-2939 CVE-2011-3597 CVE-2011-2939 Perl decode_xs heap-based buffer overflow CVE-2011-3597 Perl Digest improper control of generation of code cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 Supplementary for Red Hat Enterprise Linux 6 Adobe Reader allows users to view and print documents in Portable Document Format (PDF). This update fixes multiple security flaws in Adobe Reader. These flaws are detailed on the Adobe security page APSB11-24, listed in the References section. A specially-crafted PDF file could cause Adobe Reader to crash or, potentially, execute arbitrary code as the user running Adobe Reader when opened. (CVE-2011-2431, CVE-2011-2432, CVE-2011-2433, CVE-2011-2434, CVE-2011-2435, CVE-2011-2436, CVE-2011-2437, CVE-2011-2438, CVE-2011-2439, CVE-2011-2440, CVE-2011-2442) This update also fixes multiple security flaws in Adobe Flash Player embedded in Adobe Reader. These flaws are detailed on the Adobe security pages APSB11-21 and APSB11-26, listed in the References section. A PDF file with an embedded, specially-crafted SWF file could cause Adobe Reader to crash or, potentially, execute arbitrary code as the user running Adobe Reader when opened. (CVE-2011-2130, CVE-2011-2134, CVE-2011-2135, CVE-2011-2136, CVE-2011-2137, CVE-2011-2138, CVE-2011-2139, CVE-2011-2140, CVE-2011-2414, CVE-2011-2415, CVE-2011-2416, CVE-2011-2417, CVE-2011-2424, CVE-2011-2425, CVE-2011-2426, CVE-2011-2427, CVE-2011-2428, CVE-2011-2430) A flaw in Adobe Flash Player could allow an attacker to conduct cross-site scripting (XSS) attacks if a victim were tricked into visiting a specially-crafted web page. (CVE-2011-2444) This update also fixes an information disclosure flaw in Adobe Flash Player. (CVE-2011-2429) All Adobe Reader users should install these updated packages. They contain Adobe Reader version 9.4.6, which is not vulnerable to these issues. All running instances of Adobe Reader must be restarted for the update to take effect. Critical Copyright 2011 Red Hat, Inc. CVE-2011-2094 CVE-2011-2095 CVE-2011-2096 CVE-2011-2097 CVE-2011-2098 CVE-2011-2099 CVE-2011-2101 CVE-2011-2104 CVE-2011-2105 CVE-2011-2107 CVE-2011-2130 CVE-2011-2134 CVE-2011-2135 CVE-2011-2136 CVE-2011-2137 CVE-2011-2138 CVE-2011-2139 CVE-2011-2140 CVE-2011-2414 CVE-2011-2415 CVE-2011-2416 CVE-2011-2417 CVE-2011-2424 CVE-2011-2425 CVE-2011-2426 CVE-2011-2427 CVE-2011-2428 CVE-2011-2429 CVE-2011-2430 CVE-2011-2431 CVE-2011-2432 CVE-2011-2433 CVE-2011-2434 CVE-2011-2435 CVE-2011-2436 CVE-2011-2437 CVE-2011-2438 CVE-2011-2439 CVE-2011-2440 CVE-2011-2442 CVE-2011-2444 CVE-2011-2130 CVE-2011-2134 CVE-2011-2135 CVE-2011-2136 CVE-2011-2137 CVE-2011-2138 CVE-2011-2139 CVE-2011-2140 CVE-2011-2414 CVE-2011-2415 CVE-2011-2416 CVE-2011-2417 CVE-2011-2425 flash-plugin: multiple arbitrary code execution flaws (APSB-11-21) CVE-2011-2444 acroread, flash-plugin: Cross-site scripting vulnerability fixed in APSB11-26 CVE-2011-2429 acroread, flash-plugin: security control bypass information disclosure fixed in APSB11-26 CVE-2011-2426 CVE-2011-2427 CVE-2011-2428 CVE-2011-2430 acroread, flash-plugin: critical flaws fixed in APSB11-26 acroread: multiple code execution flaws (APSB11-24) cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. A flaw was found in the way Firefox handled certain add-ons. A web page containing malicious content could cause an add-on to grant itself full browser privileges, which could lead to arbitrary code execution with the privileges of the user running Firefox. (CVE-2011-3647) A cross-site scripting (XSS) flaw was found in the way Firefox handled certain multibyte character sets. A web page containing malicious content could cause Firefox to run JavaScript code with the permissions of a different website. (CVE-2011-3648) A flaw was found in the way Firefox handled large JavaScript scripts. A web page containing malicious JavaScript could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2011-3650) For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 3.6.24. You can find a link to the Mozilla advisories in the References section of this erratum. All Firefox users should upgrade to these updated packages, which contain Firefox version 3.6.24, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect. Critical Copyright 2011 Red Hat, Inc. CVE-2011-3647 CVE-2011-3648 CVE-2011-3650 CVE-2011-3647 Mozilla: Security problem with loadSubScript on 1.9.2 branch (MFSA 2011-46) CVE-2011-3648 Mozilla: Universal XSS likely with MultiByte charset (MFSA 2011-47) CVE-2011-3650 Mozilla: crash while profiling page with many functions (MFSA 2011-49) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Thunderbird is a standalone mail and newsgroup client. A cross-site scripting (XSS) flaw was found in the way Thunderbird handled certain multibyte character sets. Malicious, remote content could cause Thunderbird to run JavaScript code with the permissions of different remote content. (CVE-2011-3648) Note: This issue cannot be exploited by a specially-crafted HTML mail message as JavaScript is disabled by default for mail messages. It could be exploited another way in Thunderbird, for example, when viewing the full remote content of an RSS feed. All Thunderbird users should upgrade to this updated package, which resolves this issue. All running instances of Thunderbird must be restarted for the update to take effect. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-3648 CVE-2011-3648 Mozilla: Universal XSS likely with MultiByte charset (MFSA 2011-47) cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Mozilla Thunderbird is a standalone mail and newsgroup client. A flaw was found in the way Thunderbird handled certain add-ons. Malicious, remote content could cause an add-on to elevate its privileges, which could lead to arbitrary code execution with the privileges of the user running Thunderbird. (CVE-2011-3647) A cross-site scripting (XSS) flaw was found in the way Thunderbird handled certain multibyte character sets. Malicious, remote content could cause Thunderbird to run JavaScript code with the permissions of different remote content. (CVE-2011-3648) A flaw was found in the way Thunderbird handled large JavaScript scripts. Malicious, remote content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2011-3650) All Thunderbird users should upgrade to this updated package, which resolves these issues. All running instances of Thunderbird must be restarted for the update to take effect. Critical Copyright 2011 Red Hat, Inc. CVE-2011-3647 CVE-2011-3648 CVE-2011-3650 CVE-2011-3647 Mozilla: Security problem with loadSubScript on 1.9.2 branch (MFSA 2011-46) CVE-2011-3648 Mozilla: Universal XSS likely with MultiByte charset (MFSA 2011-47) CVE-2011-3650 Mozilla: crash while profiling page with many functions (MFSA 2011-49) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 SeaMonkey is an open source web browser, email and newsgroup client, IRC chat client, and HTML editor. A cross-site scripting (XSS) flaw was found in the way SeaMonkey handled certain multibyte character sets. A web page containing malicious content could cause SeaMonkey to run JavaScript code with the permissions of a different website. (CVE-2011-3648) All SeaMonkey users should upgrade to these updated packages, which correct this issue. After installing the update, SeaMonkey must be restarted for the changes to take effect. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-3648 CVE-2011-3648 Mozilla: Universal XSS likely with MultiByte charset (MFSA 2011-47) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 The IcedTea-Web project provides a Java web browser plug-in and an implementation of Java Web Start, which is based on the Netx project. It also contains a configuration tool for managing deployment settings for the plug-in and Web Start implementations. A flaw was found in the same-origin policy implementation in the IcedTea-Web browser plug-in. A malicious Java applet could use this flaw to open network connections to hosts other than the originating host, violating the same-origin policy. (CVE-2011-3377) All IcedTea-Web users should upgrade to these updated packages, which upgrade IcedTea-Web to version 1.0.6 to correct this issue. Web browsers using the IcedTea-Web browser plug-in must be restarted for this update to take effect. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-3377 CVE-2011-3377 IcedTea-Web: second-level domain subdomains and suffix domain SOP bypass cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Network Security Services (NSS) is a set of libraries designed to support the development of security-enabled client and server applications. It was found that the Malaysia-based Digicert Sdn. Bhd. subordinate Certificate Authority (CA) issued HTTPS certificates with weak keys. This update renders any HTTPS certificates signed by that CA as untrusted. This covers all uses of the certificates, including SSL, S/MIME, and code signing. Note: Digicert Sdn. Bhd. is not the same company as found at digicert.com. (BZ#751366) Note: This fix only applies to applications using the NSS Builtin Object Token. It does not render the certificates untrusted for applications that use the NSS library, but do not use the NSS Builtin Object Token. This update also fixes the following bug on Red Hat Enterprise Linux 5: * When using mod_nss with the Apache HTTP Server, a bug in NSS on Red Hat Enterprise Linux 5 resulted in file descriptors leaking each time the Apache HTTP Server was restarted with the "service httpd reload" command. This could have prevented the Apache HTTP Server from functioning properly if all available file descriptors were consumed. (BZ#743508) For Red Hat Enterprise Linux 6, these updated packages upgrade NSS to version 3.12.10. As well, they upgrade NSPR (Netscape Portable Runtime) to version 4.8.8 and nss-util to version 3.12.10 on Red Hat Enterprise Linux 6, as required by the NSS update. (BZ#735972, BZ#736272, BZ#735973) All NSS users should upgrade to these updated packages, which correct this issue. After installing the update, applications using NSS must be restarted for the changes to take effect. In addition, on Red Hat Enterprise Linux 6, applications using NSPR and nss-util must also be restarted. Important Copyright 2011 Red Hat, Inc. Update nss to 3.12.10 Update nss-util to 3.12.10 Update nspr to 4.8.8 File descriptor leak after "service httpd reload" Revoking Trust in DigiCert Sdn. Bhd Intermediate Certificate Authority from nss cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 Supplementary for Red Hat Enterprise Linux 6 The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in. This update fixes multiple vulnerabilities in Adobe Flash Player. These vulnerabilities are detailed on the Adobe security page APSB11-28, listed in the References section. Multiple security flaws were found in the way flash-plugin displayed certain SWF content. An attacker could use these flaws to create a specially-crafted SWF file that would cause flash-plugin to crash or, potentially, execute arbitrary code when the victim loaded a page containing the specially-crafted SWF content. (CVE-2011-2445, CVE-2011-2450, CVE-2011-2451, CVE-2011-2452, CVE-2011-2453, CVE-2011-2454, CVE-2011-2455, CVE-2011-2456, CVE-2011-2457, CVE-2011-2459, CVE-2011-2460) All users of Adobe Flash Player should install this updated package, which upgrades Flash Player to version 10.3.183.11. Critical Copyright 2011 Red Hat, Inc. CVE-2011-2445 CVE-2011-2450 CVE-2011-2451 CVE-2011-2452 CVE-2011-2453 CVE-2011-2454 CVE-2011-2455 CVE-2011-2456 CVE-2011-2457 CVE-2011-2459 CVE-2011-2460 flash-plugin: mulitple code execution flaws (APSB11-28) cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 FreeType is a free, high-quality, portable font engine that can open and manage font files. It also loads, hints, and renders individual glyphs efficiently. The freetype packages for Red Hat Enterprise Linux 4 provide both the FreeType 1 and FreeType 2 font engines. The freetype packages for Red Hat Enterprise Linux 5 and 6 provide only the FreeType 2 font engine. Multiple input validation flaws were found in the way FreeType processed CID-keyed fonts. If a specially-crafted font file was loaded by an application linked against FreeType, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2011-3439) Note: These issues only affected the FreeType 2 font engine. Users are advised to upgrade to these updated packages, which contain a backported patch to correct these issues. The X server must be restarted (log out, then log back in) for this update to take effect. Important Copyright 2011 Red Hat, Inc. CVE-2011-3439 CVE-2011-3439 freetype: Multiple security flaws when loading CID-keyed Type 1 fonts cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. A flaw was discovered in the way BIND handled certain DNS queries, which caused it to cache an invalid record. A remote attacker could use this flaw to send repeated queries for this invalid record, causing the resolvers to exit unexpectedly due to a failed assertion. (CVE-2011-4313) Users of bind are advised to upgrade to these updated packages, which resolve this issue. After installing the update, the BIND daemon (named) will be restarted automatically. Important Copyright 2011 Red Hat, Inc. CVE-2011-4313 CVE-2011-4313 bind: Remote denial of service against recursive servers via logging negative cache entry cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. A flaw was discovered in the way BIND handled certain DNS queries, which caused it to cache an invalid record. A remote attacker could use this flaw to send repeated queries for this invalid record, causing the resolvers to exit unexpectedly due to a failed assertion. (CVE-2011-4313) Users of bind97 are advised to upgrade to these updated packages, which resolve this issue. After installing the update, the BIND daemon (named) will be restarted automatically. Important Copyright 2011 Red Hat, Inc. CVE-2011-4313 CVE-2011-4313 bind: Remote denial of service against recursive servers via logging negative cache entry cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues: * IPv6 fragment identification value generation could allow a remote attacker to disrupt a target system's networking, preventing legitimate users from accessing its services. (CVE-2011-2699, Important) * A signedness issue was found in the Linux kernel's CIFS (Common Internet File System) implementation. A malicious CIFS server could send a specially-crafted response to a directory read request that would result in a denial of service or privilege escalation on a system that has a CIFS share mounted. (CVE-2011-3191, Important) * A flaw was found in the way the Linux kernel handled fragmented IPv6 UDP datagrams over the bridge with UDP Fragmentation Offload (UFO) functionality on. A remote attacker could use this flaw to cause a denial of service. (CVE-2011-4326, Important) * The way IPv4 and IPv6 protocol sequence numbers and fragment IDs were generated could allow a man-in-the-middle attacker to inject packets and possibly hijack connections. Protocol sequence numbers and fragment IDs are now more random. (CVE-2011-3188, Moderate) * A buffer overflow flaw was found in the Linux kernel's FUSE (Filesystem in Userspace) implementation. A local user in the fuse group who has access to mount a FUSE file system could use this flaw to cause a denial of service. (CVE-2011-3353, Moderate) * A flaw was found in the b43 driver in the Linux kernel. If a system had an active wireless interface that uses the b43 driver, an attacker able to send a specially-crafted frame to that interface could cause a denial of service. (CVE-2011-3359, Moderate) * A flaw was found in the way CIFS shares with DFS referrals at their root were handled. An attacker on the local network who is able to deploy a malicious CIFS server could create a CIFS network share that, when mounted, would cause the client system to crash. (CVE-2011-3363, Moderate) * A flaw was found in the way the Linux kernel handled VLAN 0 frames with the priority tag set. When using certain network drivers, an attacker on the local network could use this flaw to cause a denial of service. (CVE-2011-3593, Moderate) * A flaw in the way memory containing security-related data was handled in tpm_read() could allow a local, unprivileged user to read the results of a previously run TPM command. (CVE-2011-1162, Low) * A heap overflow flaw was found in the Linux kernel's EFI GUID Partition Table (GPT) implementation. A local attacker could use this flaw to cause a denial of service by mounting a disk that contains specially-crafted partition tables. (CVE-2011-1577, Low) * The I/O statistics from the taskstats subsystem could be read without any restrictions. A local, unprivileged user could use this flaw to gather confidential information, such as the length of a password used in a process. (CVE-2011-2494, Low) * It was found that the perf tool, a part of the Linux kernel's Performance Events implementation, could load its configuration file from the current working directory. If a local user with access to the perf tool were tricked into running perf in a directory that contains a specially-crafted configuration file, it could cause perf to overwrite arbitrary files and directories accessible to that user. (CVE-2011-2905, Low) Red Hat would like to thank Fernando Gont for reporting CVE-2011-2699; Darren Lavender for reporting CVE-2011-3191; Dan Kaminsky for reporting CVE-2011-3188; Yogesh Sharma for reporting CVE-2011-3363; Gideon Naim for reporting CVE-2011-3593; Peter Huewe for reporting CVE-2011-1162; Timo Warns for reporting CVE-2011-1577; and Vasiliy Kulikov of Openwall for reporting CVE-2011-2494. This update also fixes various bugs. Documentation for these changes will be available shortly from the Technical Notes document linked to in the References section. Important Copyright 2011 Red Hat, Inc. CVE-2011-1162 CVE-2011-1577 CVE-2011-2494 CVE-2011-2699 CVE-2011-2905 CVE-2011-3188 CVE-2011-3191 CVE-2011-3353 CVE-2011-3359 CVE-2011-3363 CVE-2011-3593 CVE-2011-4326 CVE-2011-1577 kernel: corrupted GUID partition tables can cause kernel oops CVE-2011-2494 kernel: taskstats io infoleak CVE-2011-2699 kernel: ipv6: make fragment identifications less predictable CVE-2011-2905 kernel: perf tools: may parse user-controlled configuration file CVE-2011-1162 kernel: tpm: infoleak CVE-2011-3188 kernel: net: improve sequence number generation CVE-2011-3191 kernel: cifs: signedness issue in CIFSFindNext() CVE-2011-3353 kernel: fuse: check size of FUSE_NOTIFY_INVAL_ENTRY message CVE-2011-3359 kernel: b43: allocate receive buffers big enough for max frame len + offset CVE-2011-3363 kernel: cifs: always do is_path_accessible check in cifs_mount make guest mode entry to be rcu quiescent state [rhel-6.1.z] enclosure fix [rhel-6.1.z] CVE-2011-3593 kernel: vlan: fix panic when handling priority tagged frames igb: failed to activate WOL on 2nd LAN port on i350 [rhel-6.1.z] Non-responsive scsi target leads to excessive scsi recovery and dm-mp failover time [rhel-6.1.z] Host got crash when guest running netperf client with UDP_STREAM protocol with IPV6 [rhel-6.1.z] CVE-2011-4326 kernel: wrong headroom check in udp6_ufo_fragment() cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 Supplementary for Red Hat Enterprise Linux 6 The IBM 1.5.0 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. This update fixes several vulnerabilities in the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. Detailed vulnerability descriptions are linked from the IBM "Security alerts" page, listed in the References section. (CVE-2011-3545, CVE-2011-3547, CVE-2011-3548, CVE-2011-3549, CVE-2011-3552, CVE-2011-3554, CVE-2011-3556) All users of java-1.5.0-ibm are advised to upgrade to these updated packages, containing the IBM 1.5.0 SR13 Java release. All running instances of IBM Java must be restarted for this update to take effect. Critical Copyright 2011 Red Hat, Inc. CVE-2011-3545 CVE-2011-3547 CVE-2011-3548 CVE-2011-3549 CVE-2011-3552 CVE-2011-3554 CVE-2011-3556 CVE-2011-3547 OpenJDK: InputStream skip() information leak (Networking/IO, 7000600) CVE-2011-3552 OpenJDK: excessive default UDP socket limit under SecurityManager (Networking, 7032417) CVE-2011-3554 OpenJDK: insufficient pack200 JAR files uncompress error checks (Runtime, 7057857) CVE-2011-3556 OpenJDK: RMI DGC server remote code execution (RMI, 7077466) CVE-2011-3548 OpenJDK: mutable static AWTKeyStroke.ctor (AWT, 7019773) CVE-2011-3545 Oracle/IBM JDK: unspecified vulnerability fixed in 6u29 (Sound) CVE-2011-3549 Oracle/IBM JDK: unspecified vulnerability fixed in 6u29 (Swing) cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 5 The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues: * Using PCI passthrough without interrupt remapping support allowed Xen hypervisor guests to generate MSI interrupts and thus potentially inject traps. A privileged guest user could use this flaw to crash the host or possibly escalate their privileges on the host. The fix for this issue can prevent PCI passthrough working and guests starting. Refer to Red Hat Bugzilla bug 715555 for details. (CVE-2011-1898, Important) * A flaw was found in the way CIFS (Common Internet File System) shares with DFS referrals at their root were handled. An attacker on the local network who is able to deploy a malicious CIFS server could create a CIFS network share that, when mounted, would cause the client system to crash. (CVE-2011-3363, Moderate) * A NULL pointer dereference flaw was found in the way the Linux kernel's key management facility handled user-defined key types. A local, unprivileged user could use the keyctl utility to cause a denial of service. (CVE-2011-4110, Moderate) * A flaw in the way memory containing security-related data was handled in tpm_read() could allow a local, unprivileged user to read the results of a previously run TPM command. (CVE-2011-1162, Low) * A NULL pointer dereference flaw was found in the Linux kernel's HFS file system implementation. A local attacker could use this flaw to cause a denial of service by mounting a disk that contains a specially-crafted HFS file system with a corrupted MDB extent record. (CVE-2011-2203, Low) * The I/O statistics from the taskstats subsystem could be read without any restrictions. A local, unprivileged user could use this flaw to gather confidential information, such as the length of a password used in a process. (CVE-2011-2494, Low) Red Hat would like to thank Yogesh Sharma for reporting CVE-2011-3363; Peter Huewe for reporting CVE-2011-1162; Clement Lecigne for reporting CVE-2011-2203; and Vasiliy Kulikov of Openwall for reporting CVE-2011-2494. This update also fixes several bugs and adds one enhancement. Documentation for these changes will be available shortly from the Technical Notes document linked to in the References section. Users should upgrade to these updated packages, which contain backported patches to correct these issues, and fix the bugs and add the enhancement noted in the Technical Notes. The system must be rebooted for this update to take effect. Important Copyright 2011 Red Hat, Inc. CVE-2011-1162 CVE-2011-1898 CVE-2011-2203 CVE-2011-2494 CVE-2011-3363 CVE-2011-4110 CVE-2011-2203 kernel: hfs_find_init() sb->ext_tree NULL pointer dereference CVE-2011-1898 virt: VT-d (PCI passthrough) MSI trap injection CVE-2011-2494 kernel: taskstats io infoleak CVE-2011-1162 kernel: tpm: infoleak CVE-2011-3363 kernel: cifs: always do is_path_accessible check in cifs_mount Non-responsive scsi target leads to excessive scsi recovery and dm-mp failover time [rhel-5.7.z] Host crash when pass-through fails [rhel-5.7.z] CVE-2011-4110 kernel: keys: NULL pointer deref in the user-defined key type cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. A flaw was discovered in the way BIND handled certain DNS queries, which caused it to cache an invalid record. A remote attacker could use this flaw to send repeated queries for this invalid record, causing the resolvers to exit unexpectedly due to a failed assertion. (CVE-2011-4313) Users of bind are advised to upgrade to these updated packages, which resolve this issue. After installing the update, the BIND daemon (named) will be restarted automatically. Important Copyright 2011 Red Hat, Inc. CVE-2011-4313 CVE-2011-4313 bind: Remote denial of service against recursive servers via logging negative cache entry cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 In accordance with the Red Hat Enterprise Linux Errata Support Policy, the regular 7 year life-cycle of Red Hat Enterprise Linux 4 will end on February 29, 2012. After this date, Red Hat will discontinue the regular subscription services for Red Hat Enterprise Linux 4. Therefore, new bug fix, enhancement, and security errata updates, as well as technical support services will no longer be available for the following products: * Red Hat Enterprise Linux AS 4 * Red Hat Enterprise Linux ES 4 * Red Hat Enterprise Linux WS 4 * Red Hat Enterprise Linux Extras 4 * Red Hat Desktop 4 * Red Hat Global File System 4 * Red Hat Cluster Suite 4 Customers still running production workloads on Red Hat Enterprise Linux 4 are advised to begin planning the upgrade to Red Hat Enterprise Linux 5 or 6. Active subscribers of Red Hat Enterprise Linux already have access to all currently maintained versions of Red Hat Enterprise Linux, as part of their subscription without additional fees. For customers who are unable to migrate off Red Hat Enterprise Linux 4 before its end-of-life date, Red Hat intends to offer a limited, optional extension program. For more information, contact your Red Hat sales representative or channel partner. Details of the Red Hat Enterprise Linux life-cycle can be found on the Red Hat website: https://access.redhat.com/support/policy/updates/errata/ Low Copyright 2011 Red Hat, Inc. Send Out RHEL 4 3-Month EOL Notice cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 The libarchive programming library can create and read several different streaming archive formats, including GNU tar and cpio. It can also read ISO 9660 CD-ROM images. Two heap-based buffer overflow flaws were discovered in libarchive. If a user were tricked into expanding a specially-crafted ISO 9660 CD-ROM image or tar archive with an application using libarchive, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2011-1777, CVE-2011-1778) All libarchive users should upgrade to these updated packages, which contain backported patches to correct these issues. All running applications using libarchive must be restarted for this update to take effect. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-1777 CVE-2011-1778 CVE-2010-4666 CVE-2011-1777 CVE-2011-1778 CVE-2011-1779 Libarchive multiple security issues cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 The cyrus-imapd packages contain a high-performance mail server with IMAP, POP3, NNTP, and Sieve support. An authentication bypass flaw was found in the cyrus-imapd NNTP server, nntpd. A remote user able to use the nntpd service could use this flaw to read or post newsgroup messages on an NNTP server configured to require user authentication, without providing valid authentication credentials. (CVE-2011-3372) A NULL pointer dereference flaw was found in the cyrus-imapd IMAP server, imapd. A remote attacker could send a specially-crafted mail message to a victim that would possibly prevent them from accessing their mail normally, if they were using an IMAP client that relies on the server threading IMAP feature. (CVE-2011-3481) Red Hat would like to thank the Cyrus IMAP project for reporting the CVE-2011-3372 issue. Upstream acknowledges Stefan Cornelius of Secunia Research as the original reporter of CVE-2011-3372. Users of cyrus-imapd are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the update, cyrus-imapd will be restarted automatically. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-3372 CVE-2011-3481 CVE-2011-3481 cyrus-imapd: NULL pointer dereference via crafted References header in email CVE-2011-3372 cyrus-imapd: nntpd authentication bypass cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Red Hat Identity Management is a centralized authentication, identity management and authorization solution for both traditional and cloud based enterprise environments. It integrates components of the Red Hat Directory Server, MIT Kerberos, Red Hat Certificate System, NTP and DNS. It provides web browser and command-line interfaces. Its administration tools allow an administrator to quickly install, set up, and administer a group of domain controllers to meet the authentication and identity management requirements of large scale Linux and UNIX deployments. A Cross-Site Request Forgery (CSRF) flaw was found in Red Hat Identity Management. If a remote attacker could trick a user, who was logged into the management web interface, into visiting a specially-crafted URL, the attacker could perform Red Hat Identity Management configuration changes with the privileges of the logged in user. (CVE-2011-3636) Due to the changes required to fix CVE-2011-3636, client tools will need to be updated for client systems to communicate with updated Red Hat Identity Management servers. New client systems will need to have the updated ipa-client package installed to be enrolled. Already enrolled client systems will need to have the updated certmonger package installed to be able to renew their system certificate. Note that system certificates are valid for two years by default. Updated ipa-client and certmonger packages for Red Hat Enterprise Linux 6 were released as part of Red Hat Enterprise Linux 6.2. Future updates will provide updated packages for Red Hat Enterprise Linux 5. This update includes several bug fixes. Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat Enterprise Linux 6.2 Technical Notes for information on the most significant of these changes, linked to in the References section. Users of Red Hat Identity Management should upgrade to these updated packages, which correct these issues. Moderate Copyright 2011 Red Hat, Inc. CVE-2011-3636 Can not delete reverse DNS record - interactive CLI mode Uninstalling client if the server is installed should be prevented Man page is not clear for ipa-client-install --on-master option usage IPA Replica Install Hangs if DS port is unreachable by Master Server Can't create password policy via UI Inconsistent Error message attempting to add duplicate user Uninstalling ipa-client doesn't restore some files, if reinstalled with -force option Installing ipa-client indicates DNS is updated for this unknown hostname, but is not on server Uninstalling ipa-client doesn't restore sssd.conf, if previously installed with --no-sssd option Installing ipa server with --no-reverse option sets up reverse zone Make explicit reference to ds-replication package Duplicate GIDs Mismatch in man page and --help for ipa-server-install Preinstall check needed if zonemgr has special char Client install fails on ipa-join when master is down, and replica is running. IPA server install with DNS setup, and with --ip-address cannot resolve hostnames Preinstall check needed if subject is not specified in required format ipa-replica-manage: man page and help pages do not match IPA server install should wait for Directory Server port to open after every restart of dirsrv Uninstalling ipa-client fails, if it joined replica when being installed IPA Replica Installing failing on during replication update brand name error in ipa-dns-install cli, it still says "FreeIPA Server" Unable to Download Certificate with Browser TPS: Source rebuild Failures on x86_64 client and workstation Managed Entry Configuration Not Setup when installing replica server IPA Replica Installation Fails - reverse address doesn't match error IPA Replica not started on reboot Improve debug logging in ipa-client-install Illegal CL input results in NULL csr when requesting external ca. IPA server with external CA fails with cannot concatenate 'str' and 'NoneType' objects Successful "ipa-nis-manage enable" command has exit status as 1. ipa-server-install with --no-host-dns still checks DNS Add support for loading new zones from LDAP No output while deleting a sudorule. Remaining external hosts not displayed while removing one from a sudorule. Removed external host is displayed in the output when "--all" switch is used. Added option to Sudo rule message is displayed even when the given option already exists. Removed option from Sudo rule message is displayed even when the given option doesn't exist. RunAs group is not displayed in output while adding as sudorule-add-runasuser with --groups swtich. ipa-nis-manage crashes if the specified passwd file does not exist. ipa-nis-manage does not quit when an empty password is entered. ipa sudocmd-add accepts blank spaces as sudo commands. ipa sudocmdgroup-add accepts blank spaces as sudocmdgroup name. ipa sudorule-add accepts blank spaces as sudorule name. Comma separated values for --runasexternaluser option in sudorule-mod are accepted as a single value. Comma separated values for --runasexternalgroup option in sudorule-mod are accepted as a single value. Internal error while removing sudorule option without "--sudooption". sudorunasgroup automatically picks up incorrect value while adding a sudorunasuser. Internal Error: ipa cert-remove-hold ; revocation reason 7 Comma separated values for --externaluser option in sudorule-mod are accepted as a single value. Misleading purpose statement for "ipa help sudorule-remove-runasuser" RunAs group is not displayed in output while removing as sudorule-add-runasuser with --groups swtich. Missing label for "ipasudorunas_group". Removed "RunAs External Group" is displayed in the output when "--all" switch is used. Inconsistency in how "runas" is termed. [ipa webui] error msg does not match with UI label [ipa webui] Deleting more than 2 elements leaves the Delete prompt open [ipa webui] inconsistent user member list Set allow-recursion by default in IPA DNS --sizelimit unhelpful error with *-find commands ipa-client-install adds duplicate information to krb5.conf ipa-client-install should configure sssd to store password if offline ipa-client-install should configure hostname ipa-client-install complains about non-existing nss_ldap Managed Entries: mep_mod_post_op: Unable to update mapped attributes from origin entry ipa host-mod --setattr should not allow enrolledBy to be changed when directory server debugging enabled, ipactl should not display debugging IPA with integrated DNS - reverse zone is now being added incorrectly [ipa webui] When deactivating user, it updates the user, without having to click on "update" btn [ipa webui] Unable to update config changes [ipa webui] Config: Certificate Subject Base - Should not be Editable [ipa webui] Config: Name on the configuration page is irrelevant and means nothing to an admin [ipa webui] Config: Missing configurable options [ipa webui] Config: Page Needs Better Organization ipa config-show : should display new "Password Expiration Notification" When admin resets a user's password with "ipa passwd" user's failed log in count is not reset Disabling ipa-nis-manage removes netgroup compat suffix in DS. [ipa webui] Add Host: dns zone filter replaces text already typed in hostname. [ipa webui] Add Host: dns zone filter should not list reverse zones WebUI not displaying admin options if the user is admin, but only via nested group Users are not matched from sudo client. [ipa webui] Force Add Host with IP address - Allows cancel but still adds host and dns record [ipa webui] Host Edit Page lists Host Name twice [ipa webui] Host Edit Page Missing Fields HBAC rule :: invalid error message now that deny rule is deprecated and help needs update Unexpected error message with krb Failure Count Interval on i386 Need an arch-specific Requires on cyrus-sasl-gssapi Regression: Internal Error: Adding Host Groups No output while deleting an automount location. Missing message summary while adding an automount location. [ipa webui] Host OTP from previously added host appears in new host's edit page Regression: Incorrect Error message returned attempting to add user with uid 0 Can not create replication package with ipa-replica-prepare Internal error revoking certificate - default revocation reason automountmap gets added even though the return code is 1. Incorrect message summary while adding an automountkey. Automountkey value doesn't get renamed. Unable to use "--continue" option with "ipa automountkey-del". [ipa webui] After setting an OTP the Web UI does not indicate one was set Reduce number of ports used by CS in IPA by default Importing /etc/auto.master does not detect and import /etc/auto.direct. Error message states 'automountlocationcn' while add/mod/del automountmap or automountkey with empty location. Error message states 'automountmapautomountmapname' while add/mod/del automountkey with empty automountmap name. [ipa webui] Hostgroups :: enroll :: Error 'cn' required when attempting to filter groups with hide already enrolled unchecked IPA should enable configurable ports for its management web interface [ipa webui] Can not get or view host certificate - Regression [IPA WebUI] Identity->DNS : why there is "member" and "setting" under DNS operation [ipa webui] Hostgroup :: No memberOf Net Groups Tab Regression: Unknown attribute 'ipasudorunasgroup_group" displayed while adding sudo runasgroup. el61 - ipa-replica-install does not check for dbus, fails on certmonger IPA should start even if certs are expired [ipa webui] Does not return appropriate error when deleting an external host but checking update dns ipa-server-install creates wrong reverse zone record in LDAP Regression: Missing message summary while adding sudooption. Regression: Missing message summary while removing sudooption. ipa-server-install fails on DNS errors when no DNS check is required [ipa webui] Checking/Unchecking "Hide already enrolled" doesn't change list; use slapi_rwlock instead of NSPR PR_RWLock directly [ipa webui] Checkbox stays checked after deleting a list of objects [ipa webui] inconsistency in enabling "delete" buttons Add Requires on subscription-manager for entitlements [IPA] When upgrading ipa from 2.0.0-23 to 2.1.0-1 uninstall is leaving leftovers and reinstall fails. [ipa webui] in-consistency error msg IPA 2.1 won't start if SELinux is disabled IPA man page is unclear about allowed combinations of arguments ipa-client-install should set LDAPSASL_NOCANON when calling ipa-getkeytab ipa entitle-register : prompts for rhsm password twice like you are trying to set a new password Rebase IPA to upstream 2.1.1 Access denied by HBAC rules while using the default ftp hbac service. ipa-client-install says system configured after an unsuccessful run IPA does not always properly detect its configuration status ipa-client-install breaks network configuration ipa hbactest does not evaluate users from groups in an hbacrule. Incorrect service name in examples of ipa help hbactest. [ipa webui] Sudo Rule has extra User group section in "As Whom" section ipa hbactest fails if sourcehost is external. [ipa webui] Sudo Rule includes indirect hosts and users members in its list to add ipa-client-install mishandles ntp service configuration ipa-client-install should sync time before kinit ipa-client-install fails to join ipa server. ipa-client-install calls authconfig with wrong parameters ipa-server files with incorrect selinux context ipa host-add Allowed to add host - hostname trailing space File parameter fails if prompted for should enforce some naming constraints on users and groups [ipa webui] Remove Category info from HBAC and Sudo pages ipa-ldap-updater : Not an end user utility and the man pages should reflect this [ipa webui] Encode special chars in values when displaying user is not prompted to enter current password when changing to a new password Traceback message displayed while installing ipa client on IPv6 machine. Disable entitlement plugin and CAL counting Disable entitlement plugin in Web UI Unable to add ipa user on IPv6 machine. [ipa webui] Unprovisioning keytab does not have cancel option ipa-server-install :: failing to configure CA :: restorecon returning 1 when changing context [ipa webui] Allowed to add service without defining service name [ipa webui] IPA Server Configuration :: Issue with Default Size Limit and Default User Group [ipa webui] Posix checkbox for group-add has no effect Intermittently see "search criteria was not specific enough." while adding a hbacrule Missing additional info while adding a non-existing service to an hbacrule. Missing additional info while removing a non-existing service from an hbacrule. hbactest does not resolve canonical names during simulation. Inconsistency in the error output while providing an invalid rule name. [ipa webui] In adder_dialog, an object can be selected to be added multiple times. [ipa webui] In adder_dialog, change order of >> and << [ipa webui] In adder_dialog, no error indicated when choosing to enroll without selecting an object [ipa webui] Deleting a host in HBAC Rule without selecting it, throws a browser error instead of an IPA error Unable to configure IPA client against IPA server with anonymous bind disabled [ipa webui] IN HBAC & Sudo, when a category is set to 'All', entries in that category are not deleted ipa-client-install --password=$PASSWORD will cause /var/log/ipaclient-install.log to contain the password. ipa migrate-ds does not migrate all groups that are expected to migrate [ipa webui] Missing option in Config tab to set default shell Default DNS Administration Role - Permissions missing IPA man pages should be more clear about the meaning of --selfsign named fails to start after installing ipa server when short hostname preceeds fqdn in /etc/hosts. duplicate hostgroup and netgroup [ipa webui] If adding non-posix group, unchecking posix box should disable GID field Title is missing while configuring browser first time [ipa webui] Unable to access Webui Cert error when accessing host in webui or cli ipa-client-install return code indicates a success, even though it failed [ipa webui] global password policy should not be able to be deleted Client install fails when anonymous bind is disabled Internal Server Error adding invalid reverse DNS zone [ipa webui] missing fields in password policy page Unable to add Windows Synchronization Agreement ipa hbactest does not evaluate indirect members from groups. Leaks KDC password and master password via command line arguments Traceback when upgrading from ipa-server-2.1.1-1 to ipa-server-2.1.2-2 ipa-client-install hangs if the discovered server is unresponsive [ipa webui] Co