Red Hat OVAL Patch Definition Merger 2 5.3 2012-05-23T04:51:58 Supplementary for Red Hat Enterprise Linux 5 The IBM Java SE version 1.4.2 release includes the IBM Java 1.4.2 Runtime Environment and the IBM Java 1.4.2 Software Development Kit. This update fixes several vulnerabilities in the IBM Java 1.4.2 Runtime Environment and the IBM Java 1.4.2 Software Development Kit. Detailed vulnerability descriptions are linked from the IBM "Security alerts" page, listed in the References section. (CVE-2011-3389, CVE-2011-3545, CVE-2011-3547, CVE-2011-3548, CVE-2011-3549, CVE-2011-3552, CVE-2011-3556, CVE-2011-3557, CVE-2011-3560) All users of java-1.4.2-ibm are advised to upgrade to these updated packages, which contain the IBM Java 1.4.2 SR13-FP11 release. All running instances of IBM Java must be restarted for this update to take effect. Critical Copyright 2012 Red Hat, Inc. CVE-2011-3389 CVE-2011-3545 CVE-2011-3547 CVE-2011-3548 CVE-2011-3549 CVE-2011-3552 CVE-2011-3556 CVE-2011-3557 CVE-2011-3560 CVE-2011-3389 HTTPS: block-wise chosen-plaintext attack against SSL/TLS (BEAST) CVE-2011-3560 OpenJDK: missing checkSetFactory calls in HttpsURLConnection (JSSE, 7096936) CVE-2011-3547 OpenJDK: InputStream skip() information leak (Networking/IO, 7000600) CVE-2011-3552 OpenJDK: excessive default UDP socket limit under SecurityManager (Networking, 7032417) CVE-2011-3556 OpenJDK: RMI DGC server remote code execution (RMI, 7077466) CVE-2011-3557 OpenJDK: RMI registry privileged code execution (RMI, 7083012) CVE-2011-3548 OpenJDK: mutable static AWTKeyStroke.ctor (AWT, 7019773) CVE-2011-3545 Oracle/IBM JDK: unspecified vulnerability fixed in 6u29 (Sound) CVE-2011-3549 Oracle/IBM JDK: unspecified vulnerability fixed in 6u29 (Swing) cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 5 The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues: * A buffer overflow flaw was found in the way the Linux kernel's XFS file system implementation handled links with overly long path names. A local, unprivileged user could use this flaw to cause a denial of service or escalate their privileges by mounting a specially-crafted disk. (CVE-2011-4077, Important) * The fix for CVE-2011-2482 provided by RHSA-2011:1212 introduced a regression: on systems that do not have Security-Enhanced Linux (SELinux) in Enforcing mode, a socket lock race could occur between sctp_rcv() and sctp_accept(). A remote attacker could use this flaw to cause a denial of service. By default, SELinux runs in Enforcing mode on Red Hat Enterprise Linux 5. (CVE-2011-4348, Important) * The proc file system could allow a local, unprivileged user to obtain sensitive information or possibly cause integrity issues. (CVE-2011-1020, Moderate) * A missing validation flaw was found in the Linux kernel's m_stop() implementation. A local, unprivileged user could use this flaw to trigger a denial of service. (CVE-2011-3637, Moderate) * A flaw was found in the Linux kernel's Journaling Block Device (JBD). A local attacker could use this flaw to crash the system by mounting a specially-crafted ext3 or ext4 disk. (CVE-2011-4132, Moderate) * A flaw was found in the Linux kernel's encode_share_access() implementation. A local, unprivileged user could use this flaw to trigger a denial of service by creating a regular file on an NFSv4 (Network File System version 4) file system via mknod(). (CVE-2011-4324, Moderate) * A flaw was found in the Linux kernel's NFS implementation. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2011-4325, Moderate) * A missing boundary check was found in the Linux kernel's HFS file system implementation. A local attacker could use this flaw to cause a denial of service or escalate their privileges by mounting a specially-crafted disk. (CVE-2011-4330, Moderate) Red Hat would like to thank Kees Cook for reporting CVE-2011-1020, and Clement Lecigne for reporting CVE-2011-4330. This update also fixes several bugs and adds one enhancement. Documentation for these changes will be available shortly from the Technical Notes document linked to in the References section. Users should upgrade to these updated packages, which contain backported patches to correct these issues, and fix the bugs and add the enhancement noted in the Technical Notes. The system must be rebooted for this update to take effect. Important Copyright 2012 Red Hat, Inc. CVE-2011-1020 CVE-2011-3637 CVE-2011-4077 CVE-2011-4132 CVE-2011-4324 CVE-2011-4325 CVE-2011-4330 CVE-2011-4348 CVE-2011-1020 kernel: no access restrictions of /proc/pid/* after setuid program exec CVE-2011-3637 kernel: proc: fix oops on invalid /proc/<pid>/maps access CVE-2011-4077 kernel: xfs: potential buffer overflow in xfs_readlink() CVE-2011-4132 kernel: jbd/jbd2: invalid value of first log block leads to oops CVE-2011-4330 kernel: hfs: add sanity check for file name length CVE-2011-4324 kernel: nfsv4: mknod(2) DoS CVE-2011-4325 kernel: nfs: diotest4 from LTP crash client null pointer deref CVE-2011-4348 kernel: incomplete fix for CVE-2011-2482 cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 6 Supplementary for Red Hat Enterprise Linux 5 Adobe Reader allows users to view and print documents in Portable Document Format (PDF). This update fixes two security flaws in Adobe Reader. These flaws are detailed on the Adobe security page APSB11-30, listed in the References section. A specially-crafted PDF file could cause Adobe Reader to crash or, potentially, execute arbitrary code as the user running Adobe Reader when opened. (CVE-2011-2462, CVE-2011-4369) All Adobe Reader users should install these updated packages. They contain Adobe Reader version 9.4.7, which is not vulnerable to these issues. All running instances of Adobe Reader must be restarted for the update to take effect. Critical Copyright 2012 Red Hat, Inc. CVE-2011-2462 CVE-2011-4369 CVE-2011-2462 acroread: U3D memory corruption vulnerability (APSB11-30) CVE-2011-4369 acroread: unspecified vulnerability in PRC component (APSB11-30) cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 4 The libxml2 library is a development toolbox providing the implementation of various XML standards. One of those standards is the XML Path Language (XPath), which is a language for addressing parts of an XML document. A heap-based buffer overflow flaw was found in the way libxml2 decoded entity references with long names. A remote attacker could provide a specially-crafted XML file that, when opened in an application linked against libxml2, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2011-3919) An off-by-one error, leading to a heap-based buffer overflow, was found in the way libxml2 parsed certain XML files. A remote attacker could provide a specially-crafted XML file that, when opened in an application linked against libxml2, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2011-0216) A flaw was found in the way libxml2 parsed certain XPath expressions. If an attacker were able to supply a specially-crafted XML file to an application using libxml2, as well as an XPath expression for that application to run against the crafted file, it could cause the application to crash. (CVE-2011-2834) Note: Red Hat does not ship any applications that use libxml2 in a way that would allow the CVE-2011-2834 flaw to be exploited; however, third-party applications may allow XPath expressions to be passed which could trigger this flaw. An out-of-bounds memory read flaw was found in libxml2. A remote attacker could provide a specially-crafted XML file that, when opened in an application linked against libxml2, would cause the application to crash. (CVE-2011-3905) All users of libxml2 are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The desktop must be restarted (log out, then log back in) for this update to take effect. Important Copyright 2012 Red Hat, Inc. CVE-2011-0216 CVE-2011-2834 CVE-2011-3905 CVE-2011-3919 CVE-2011-0216 libxml2: Off-by-one error leading to heap-based buffer overflow in encoding CVE-2011-2834 libxml2: double-free caused by malformed XPath expression in XSLT CVE-2011-3905 libxml2 out of bounds read CVE-2011-3919 libxml2: Heap-based buffer overflow when decoding an entity reference with a long name cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The libxml2 library is a development toolbox providing the implementation of various XML standards. One of those standards is the XML Path Language (XPath), which is a language for addressing parts of an XML document. A heap-based buffer overflow flaw was found in the way libxml2 decoded entity references with long names. A remote attacker could provide a specially-crafted XML file that, when opened in an application linked against libxml2, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2011-3919) An off-by-one error, leading to a heap-based buffer overflow, was found in the way libxml2 parsed certain XML files. A remote attacker could provide a specially-crafted XML file that, when opened in an application linked against libxml2, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2011-0216) An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way libxml2 parsed certain XPath expressions. If an attacker were able to supply a specially-crafted XML file to an application using libxml2, as well as an XPath expression for that application to run against the crafted file, it could cause the application to crash or, possibly, execute arbitrary code. (CVE-2011-1944) Flaws were found in the way libxml2 parsed certain XPath expressions. If an attacker were able to supply a specially-crafted XML file to an application using libxml2, as well as an XPath expression for that application to run against the crafted file, it could cause the application to crash. (CVE-2010-4008, CVE-2011-2834) An out-of-bounds memory read flaw was found in libxml2. A remote attacker could provide a specially-crafted XML file that, when opened in an application linked against libxml2, would cause the application to crash. (CVE-2011-3905) Note: Red Hat does not ship any applications that use libxml2 in a way that would allow the CVE-2011-1944, CVE-2010-4008, and CVE-2011-2834 flaws to be exploited; however, third-party applications may allow XPath expressions to be passed which could trigger these flaws. Red Hat would like to thank the Google Security Team for reporting the CVE-2010-4008 issue. Upstream acknowledges Bui Quang Minh from Bkis as the original reporter of CVE-2010-4008. All users of libxml2 are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The desktop must be restarted (log out, then log back in) for this update to take effect. Important Copyright 2012 Red Hat, Inc. CVE-2010-4008 CVE-2011-0216 CVE-2011-1944 CVE-2011-2834 CVE-2011-3905 CVE-2011-3919 CVE-2010-4008 libxml2: Crash (stack frame overflow or NULL pointer dereference) by traversal of XPath axis CVE-2011-1944 libxml, libxml2: Heap-based buffer overflow by adding new namespace node to an existing nodeset or merging nodesets CVE-2011-0216 libxml2: Off-by-one error leading to heap-based buffer overflow in encoding CVE-2011-2834 libxml2: double-free caused by malformed XPath expression in XSLT CVE-2011-3905 libxml2 out of bounds read CVE-2011-3919 libxml2: Heap-based buffer overflow when decoding an entity reference with a long name cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 The libxml2 library is a development toolbox providing the implementation of various XML standards. A heap-based buffer overflow flaw was found in the way libxml2 decoded entity references with long names. A remote attacker could provide a specially-crafted XML file that, when opened in an application linked against libxml2, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2011-3919) An out-of-bounds memory read flaw was found in libxml2. A remote attacker could provide a specially-crafted XML file that, when opened in an application linked against libxml2, would cause the application to crash. (CVE-2011-3905) All users of libxml2 are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The desktop must be restarted (log out, then log back in) for this update to take effect. Important Copyright 2012 Red Hat, Inc. CVE-2011-3905 CVE-2011-3919 CVE-2011-3905 libxml2 out of bounds read CVE-2011-3919 libxml2: Heap-based buffer overflow when decoding an entity reference with a long name cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. It was found that the hashing routine used by PHP arrays was susceptible to predictable hash collisions. If an HTTP POST request to a PHP application contained many parameters whose names map to the same hash value, a large amount of CPU time would be consumed. This flaw has been mitigated by adding a new configuration directive, max_input_vars, that limits the maximum number of parameters processed per request. By default, max_input_vars is set to 1000. (CVE-2011-4885) An integer overflow flaw was found in the PHP exif extension. On 32-bit systems, a specially-crafted image file could cause the PHP interpreter to crash or disclose portions of its memory when a PHP script tries to extract Exchangeable image file format (Exif) metadata from the image file. (CVE-2011-4566) Red Hat would like to thank oCERT for reporting CVE-2011-4885. oCERT acknowledges Julian Wälde and Alexander Klink as the original reporters of CVE-2011-4885. All php53 and php users should upgrade to these updated packages, which contain backported patches to resolve these issues. After installing the updated packages, the httpd daemon must be restarted for the update to take effect. Moderate Copyright 2012 Red Hat, Inc. CVE-2011-4566 CVE-2011-4885 CVE-2011-4885 php: hash table collisions CPU usage DoS (oCERT-2011-003) CVE-2011-4566 php: integer overflow in exif_process_IFD_TAG() may lead to DoS or arbitrary memory disclosure cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. It was found that the hashing routine used by PHP arrays was susceptible to predictable hash collisions. If an HTTP POST request to a PHP application contained many parameters whose names map to the same hash value, a large amount of CPU time would be consumed. This flaw has been mitigated by adding a new configuration directive, max_input_vars, that limits the maximum number of parameters processed per request. By default, max_input_vars is set to 1000. (CVE-2011-4885) A use-after-free flaw was found in the PHP substr_replace() function. If a PHP script used the same variable as multiple function arguments, a remote attacker could possibly use this to crash the PHP interpreter or, possibly, execute arbitrary code. (CVE-2011-1148) An integer overflow flaw was found in the PHP exif extension. On 32-bit systems, a specially-crafted image file could cause the PHP interpreter to crash or disclose portions of its memory when a PHP script tries to extract Exchangeable image file format (Exif) metadata from the image file. (CVE-2011-4566) An insufficient input validation flaw, leading to a buffer over-read, was found in the PHP exif extension. A specially-crafted image file could cause the PHP interpreter to crash when a PHP script tries to extract Exchangeable image file format (Exif) metadata from the image file. (CVE-2011-0708) An integer overflow flaw was found in the PHP calendar extension. A remote attacker able to make a PHP script call SdnToJulian() with a large value could cause the PHP interpreter to crash. (CVE-2011-1466) A bug in the PHP Streams component caused the PHP interpreter to crash if an FTP wrapper connection was made through an HTTP proxy. A remote attacker could possibly trigger this issue if a PHP script accepted an untrusted URL to connect to. (CVE-2011-1469) An off-by-one flaw was found in PHP. If an attacker uploaded a file with a specially-crafted file name it could cause a PHP script to attempt to write a file to the root (/) directory. By default, PHP runs as the "apache" user, preventing it from writing to the root directory. (CVE-2011-2202) Red Hat would like to thank oCERT for reporting CVE-2011-4885. oCERT acknowledges Julian Wälde and Alexander Klink as the original reporters of CVE-2011-4885. All php users should upgrade to these updated packages, which contain backported patches to resolve these issues. After installing the updated packages, the httpd daemon must be restarted for the update to take effect. Moderate Copyright 2012 Red Hat, Inc. CVE-2011-0708 CVE-2011-1148 CVE-2011-1466 CVE-2011-1469 CVE-2011-2202 CVE-2011-4566 CVE-2011-4885 CVE-2011-0708 php: buffer over-read in Exif extension CVE-2011-1148 php: use-after-free vulnerability in substr_replace() CVE-2011-1466 php: Crash by converting serial day numbers (SDN) into Julian calendar CVE-2011-1469 php: DoS when using HTTP proxy with the FTP wrapper CVE-2011-2202 php: file path injection vulnerability in RFC1867 file upload filename CVE-2011-4885 php: hash table collisions CPU usage DoS (oCERT-2011-003) CVE-2011-4566 php: integer overflow in exif_process_IFD_TAG() may lead to DoS or arbitrary memory disclosure cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 Supplementary for Red Hat Enterprise Linux 6 The IBM Java SE version 6 release includes the IBM Java 6 Runtime Environment and the IBM Java 6 Software Development Kit. This update fixes several vulnerabilities in the IBM Java 6 Runtime Environment and the IBM Java 6 Software Development Kit. Detailed vulnerability descriptions are linked from the IBM "Security alerts" page, listed in the References section. (CVE-2011-3389, CVE-2011-3516, CVE-2011-3521, CVE-2011-3544, CVE-2011-3545, CVE-2011-3546, CVE-2011-3547, CVE-2011-3548, CVE-2011-3549, CVE-2011-3550, CVE-2011-3551, CVE-2011-3552, CVE-2011-3553, CVE-2011-3554, CVE-2011-3556, CVE-2011-3557, CVE-2011-3560, CVE-2011-3561) All users of java-1.6.0-ibm are advised to upgrade to these updated packages, containing the IBM Java 6 SR10 release. All running instances of IBM Java must be restarted for the update to take effect. Critical Copyright 2012 Red Hat, Inc. CVE-2011-3389 CVE-2011-3516 CVE-2011-3521 CVE-2011-3544 CVE-2011-3545 CVE-2011-3546 CVE-2011-3547 CVE-2011-3548 CVE-2011-3549 CVE-2011-3550 CVE-2011-3551 CVE-2011-3552 CVE-2011-3553 CVE-2011-3554 CVE-2011-3556 CVE-2011-3557 CVE-2011-3560 CVE-2011-3561 CVE-2011-3389 HTTPS: block-wise chosen-plaintext attack against SSL/TLS (BEAST) CVE-2011-3560 OpenJDK: missing checkSetFactory calls in HttpsURLConnection (JSSE, 7096936) CVE-2011-3547 OpenJDK: InputStream skip() information leak (Networking/IO, 7000600) CVE-2011-3551 OpenJDK: Java2D TransformHelper integer overflow (2D, 7023640) CVE-2011-3552 OpenJDK: excessive default UDP socket limit under SecurityManager (Networking, 7032417) CVE-2011-3544 OpenJDK: missing SecurityManager checks in scripting engine (Scripting, 7046823) CVE-2011-3521 OpenJDK: IIOP deserialization code execution (Deserialization, 7055902) CVE-2011-3554 OpenJDK: insufficient pack200 JAR files uncompress error checks (Runtime, 7057857) CVE-2011-3556 OpenJDK: RMI DGC server remote code execution (RMI, 7077466) CVE-2011-3557 OpenJDK: RMI registry privileged code execution (RMI, 7083012) CVE-2011-3548 OpenJDK: mutable static AWTKeyStroke.ctor (AWT, 7019773) CVE-2011-3553 OpenJDK: JAX-WS stack-traces information leak (JAX-WS, 7046794) CVE-2011-3545 Oracle/IBM JDK: unspecified vulnerability fixed in 6u29 (Sound) CVE-2011-3549 Oracle/IBM JDK: unspecified vulnerability fixed in 6u29 (Swing) CVE-2011-3550 Oracle/IBM JDK: unspecified vulnerability fixed in 6u29 (AWT) CVE-2011-3516 Oracle/IBM JDK: unspecified vulnerability fixed in 6u29 (Deployment) CVE-2011-3546 Oracle/IBM JDK: unspecified vulnerability fixed in 6u29 (Deployment) CVE-2011-3561 Oracle/IBM JDK: unspecified vulnerability fixed in 6u29 (Deployment) cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 6 KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. qemu-kvm is the user-space component for running virtual machines using KVM. A heap overflow flaw was found in the way QEMU-KVM emulated the e1000 network interface card. A privileged guest user in a virtual machine whose network interface is configured to use the e1000 emulated driver could use this flaw to crash the host or, possibly, escalate their privileges on the host. (CVE-2012-0029) Red Hat would like to thank Nicolae Mogoreanu for reporting this issue. This update also fixes the following bug: * qemu-kvm has a "scsi" option, to be used, for example, with the "-device" option: "-device virtio-blk-pci,drive=[drive name],scsi=off". Previously, however, it only masked the feature bit, and did not reject SCSI commands if a malicious guest ignored the feature bit and issued a request. This update corrects this issue. The "scsi=off" option can be used to mitigate the virtualization aspect of CVE-2011-4127 before the RHSA-2011:1849 kernel update is installed on the host. This mitigation is only required if you do not have the RHSA-2011:1849 kernel update installed on the host and you are using raw format virtio disks backed by a partition or LVM volume. If you run guests by invoking /usr/libexec/qemu-kvm directly, use the "-global virtio-blk-pci.scsi=off" option to apply the mitigation. If you are using libvirt, as recommended by Red Hat, and have the RHBA-2012:0013 libvirt update installed, no manual action is required: guests will automatically use "scsi=off". (BZ#767721) Note: After installing the RHSA-2011:1849 kernel update, SCSI requests issued by guests via the SG_IO IOCTL will not be passed to the underlying block device when using raw format virtio disks backed by a partition or LVM volume, even if "scsi=on" is used. As well, this update adds the following enhancement: * Prior to this update, qemu-kvm was not built with RELRO or PIE support. qemu-kvm is now built with full RELRO and PIE support as a security enhancement. (BZ#767906) All users of qemu-kvm should upgrade to these updated packages, which correct these issues and add this enhancement. After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect. Important Copyright 2012 Red Hat, Inc. CVE-2012-0029 CVE-2012-0029 qemu-kvm: e1000: process_tx_desc legacy mode packets heap overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. KVM is a Linux kernel module built for the standard Red Hat Enterprise Linux kernel. A heap overflow flaw was found in the way QEMU-KVM emulated the e1000 network interface card. A privileged guest user in a virtual machine whose network interface is configured to use the e1000 emulated driver could use this flaw to crash the host or, possibly, escalate their privileges on the host. (CVE-2012-0029) A flaw was found in the way the KVM subsystem of a Linux kernel handled PIT (Programmable Interval Timer) IRQs (interrupt requests) when there was no virtual interrupt controller set up. A malicious user in the kvm group on the host could force this situation to occur, resulting in the host crashing. (CVE-2011-4622) Red Hat would like to thank Nicolae Mogoreanu for reporting CVE-2012-0029. All KVM users should upgrade to these updated packages, which contain backported patches to correct these issues. Note: The procedure in the Solution section must be performed before this update will take effect. Important Copyright 2012 Red Hat, Inc. CVE-2011-4622 CVE-2012-0029 CVE-2011-4622 kernel: kvm: pit timer with no irqchip crashes the system CVE-2012-0029 qemu-kvm: e1000: process_tx_desc legacy mode packets heap overflow cpe:/a:redhat:rhel_virtualization Red Hat Enterprise Linux 6 The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issue: * It was found that permissions were not checked properly in the Linux kernel when handling the /proc/[pid]/mem writing functionality. A local, unprivileged user could use this flaw to escalate their privileges. Refer to Red Hat Knowledgebase article DOC-69129, linked to in the References, for further information. (CVE-2012-0056, Important) Red Hat would like to thank Jüri Aedla for reporting this issue. This update fixes the following bugs: * The RHSA-2011:1849 kernel update introduced a bug in the Linux kernel scheduler, causing a "WARNING: at kernel/sched.c:5915 thread_return" message and a call trace to be logged. This message was harmless, and was not due to any system malfunctions or adverse behavior. With this update, the WARN_ON_ONCE() call in the scheduler that caused this harmless message has been removed. (BZ#768288) * The RHSA-2011:1530 kernel update introduced a regression in the way the Linux kernel maps ELF headers for kernel modules into kernel memory. If a third-party kernel module is compiled on a Red Hat Enterprise Linux system with a kernel prior to RHSA-2011:1530, then loading that module on a system with RHSA-2011:1530 kernel would result in corruption of one byte in the memory reserved for the module. In some cases, this could prevent the module from functioning correctly. (BZ#769595) * On some SMP systems the tsc may erroneously be marked as unstable during early system boot or while the system is under heavy load. A "Clocksource tsc unstable" message was logged when this occurred. As a result the system would switch to the slower access, but higher precision HPET clock. The "tsc=reliable" kernel parameter is supposed to avoid this problem by indicating that the system has a known good clock, however, the parameter only affected run time checks. A fix has been put in to avoid the boot time checks so that the TSC remains as the clock for the duration of system runtime. (BZ#755867) Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect. Important Copyright 2012 Red Hat, Inc. CVE-2012-0056 CVE-2012-0056 kernel: proc: /proc/<pid>/mem mem_write insufficient permission checking cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 The glibc packages contain the standard C libraries used by multiple programs on the system. These packages contain the standard C and the standard math libraries. Without these two libraries, a Linux system cannot function properly. An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way the glibc library read timezone files. If a carefully-crafted timezone file was loaded by an application linked against glibc, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2009-5029) A denial of service flaw was found in the remote procedure call (RPC) implementation in glibc. A remote attacker able to open a large number of connections to an RPC service that is using the RPC implementation from glibc, could use this flaw to make that service use an excessive amount of CPU time. (CVE-2011-4609) This update also fixes the following bugs: * glibc had incorrect information for numeric separators and groupings for specific French, Spanish, and German locales. Therefore, applications utilizing glibc's locale support printed numbers with the wrong separators and groupings when those locales were in use. With this update, the separator and grouping information has been fixed. (BZ#754116) * The RHBA-2011:1179 glibc update introduced a regression, causing glibc to incorrectly parse groups with more than 126 members, resulting in applications such as "id" failing to list all the groups a particular user was a member of. With this update, group parsing has been fixed. (BZ#766484) * glibc incorrectly allocated too much memory due to a race condition within its own malloc routines. This could cause a multi-threaded application to allocate more memory than was expected. With this update, the race condition has been fixed, and malloc's behavior is now consistent with the documentation regarding the MALLOC_ARENA_TEST and MALLOC_ARENA_MAX environment variables. (BZ#769594) Users should upgrade to these updated packages, which contain backported patches to resolve these issues. Moderate Copyright 2012 Red Hat, Inc. CVE-2009-5029 CVE-2011-4609 CVE-2009-5029 glibc: __tzfile_read integer overflow to buffer overflow CVE-2011-4609 glibc: svc_run() produces high cpu usage when accept() fails with EMFILE error cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. It was discovered that the Datagram Transport Layer Security (DTLS) protocol implementation in OpenSSL leaked timing information when performing certain operations. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a DTLS server as a padding oracle. (CVE-2011-4108) An information leak flaw was found in the SSL 3.0 protocol implementation in OpenSSL. Incorrect initialization of SSL record padding bytes could cause an SSL client or server to send a limited amount of possibly sensitive data to its SSL peer via the encrypted connection. (CVE-2011-4576) A denial of service flaw was found in the RFC 3779 implementation in OpenSSL. A remote attacker could use this flaw to make an application using OpenSSL exit unexpectedly by providing a specially-crafted X.509 certificate that has malformed RFC 3779 extension data. (CVE-2011-4577) It was discovered that OpenSSL did not limit the number of TLS/SSL handshake restarts required to support Server Gated Cryptography. A remote attacker could use this flaw to make a TLS/SSL server using OpenSSL consume an excessive amount of CPU by continuously restarting the handshake. (CVE-2011-4619) All OpenSSL users should upgrade to these updated packages, which contain backported patches to resolve these issues. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted. Moderate Copyright 2012 Red Hat, Inc. CVE-2011-4108 CVE-2011-4576 CVE-2011-4577 CVE-2011-4619 CVE-2011-4108 openssl: DTLS plaintext recovery attack CVE-2011-4576 openssl: uninitialized SSL 3.0 padding CVE-2011-4577 openssl: malformed RFC 3779 data can cause assertion failures CVE-2011-4619 openssl: SGC restart DoS attack cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. It was discovered that the Datagram Transport Layer Security (DTLS) protocol implementation in OpenSSL leaked timing information when performing certain operations. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a DTLS server as a padding oracle. (CVE-2011-4108) A double free flaw was discovered in the policy checking code in OpenSSL. A remote attacker could use this flaw to crash an application that uses OpenSSL by providing an X.509 certificate that has specially-crafted policy extension data. (CVE-2011-4109) An information leak flaw was found in the SSL 3.0 protocol implementation in OpenSSL. Incorrect initialization of SSL record padding bytes could cause an SSL client or server to send a limited amount of possibly sensitive data to its SSL peer via the encrypted connection. (CVE-2011-4576) It was discovered that OpenSSL did not limit the number of TLS/SSL handshake restarts required to support Server Gated Cryptography. A remote attacker could use this flaw to make a TLS/SSL server using OpenSSL consume an excessive amount of CPU by continuously restarting the handshake. (CVE-2011-4619) All OpenSSL users should upgrade to these updated packages, which contain backported patches to resolve these issues. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted. Moderate Copyright 2012 Red Hat, Inc. CVE-2011-4108 CVE-2011-4109 CVE-2011-4576 CVE-2011-4619 CVE-2011-4108 openssl: DTLS plaintext recovery attack CVE-2011-4109 openssl: double-free in policy checks CVE-2011-4576 openssl: uninitialized SSL 3.0 padding CVE-2011-4619 openssl: SGC restart DoS attack cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 The t1lib library allows you to rasterize bitmaps from PostScript Type 1 fonts. Two heap-based buffer overflow flaws were found in the way t1lib processed Adobe Font Metrics (AFM) files. If a specially-crafted font file was opened by an application linked against t1lib, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2010-2642, CVE-2011-0433) An invalid pointer dereference flaw was found in t1lib. A specially-crafted font file could, when opened, cause an application linked against t1lib to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2011-0764) A use-after-free flaw was found in t1lib. A specially-crafted font file could, when opened, cause an application linked against t1lib to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2011-1553) An off-by-one flaw was found in t1lib. A specially-crafted font file could, when opened, cause an application linked against t1lib to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2011-1554) An out-of-bounds memory read flaw was found in t1lib. A specially-crafted font file could, when opened, cause an application linked against t1lib to crash. (CVE-2011-1552) Red Hat would like to thank the Evince development team for reporting CVE-2010-2642. Upstream acknowledges Jon Larimer of IBM X-Force as the original reporter of CVE-2010-2642. All users of t1lib are advised to upgrade to these updated packages, which contain backported patches to correct these issues. All applications linked against t1lib must be restarted for this update to take effect. Moderate Copyright 2012 Red Hat, Inc. CVE-2010-2642 CVE-2011-0433 CVE-2011-0764 CVE-2011-1552 CVE-2011-1553 CVE-2011-1554 CVE-2010-2642 evince, t1lib: Heap based buffer overflow in DVI file AFM font parser CVE-2011-0433 evince, t1lib: Heap-based buffer overflow DVI file AFM font parser CVE-2011-1552 t1lib: invalid read crash via crafted Type 1 font CVE-2011-1553 t1lib: Use-after-free via crafted Type 1 font CVE-2011-1554 t1lib: Off-by-one via crafted Type 1 font CVE-2011-0764 t1lib: Invalid pointer dereference via crafted Type 1 font cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to do system management tasks. A denial of service flaw was found in the implementation of associative arrays (hashes) in Ruby. An attacker able to supply a large number of inputs to a Ruby application (such as HTTP POST request parameters sent to a web application) that are used as keys when inserting data into an array could trigger multiple hash function collisions, making array operations take an excessive amount of CPU time. To mitigate this issue, randomization has been added to the hash function to reduce the chance of an attacker successfully causing intentional collisions. (CVE-2011-4815) Red Hat would like to thank oCERT for reporting this issue. oCERT acknowledges Julian Wälde and Alexander Klink as the original reporters. All users of ruby are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. Moderate Copyright 2012 Red Hat, Inc. CVE-2011-4815 CVE-2011-4815 ruby: hash table collisions CPU usage DoS (oCERT-2011-003) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to do system management tasks. A denial of service flaw was found in the implementation of associative arrays (hashes) in Ruby. An attacker able to supply a large number of inputs to a Ruby application (such as HTTP POST request parameters sent to a web application) that are used as keys when inserting data into an array could trigger multiple hash function collisions, making array operations take an excessive amount of CPU time. To mitigate this issue, randomization has been added to the hash function to reduce the chance of an attacker successfully causing intentional collisions. (CVE-2011-4815) It was found that Ruby did not reinitialize the PRNG (pseudorandom number generator) after forking a child process. This could eventually lead to the PRNG returning the same result twice. An attacker keeping track of the values returned by one child process could use this flaw to predict the values the PRNG would return in other child processes (as long as the parent process persisted). (CVE-2011-3009) Red Hat would like to thank oCERT for reporting CVE-2011-4815. oCERT acknowledges Julian Wälde and Alexander Klink as the original reporters of CVE-2011-4815. All users of ruby are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. Moderate Copyright 2012 Red Hat, Inc. CVE-2011-3009 CVE-2011-4815 CVE-2011-2686 CVE-2011-2705 CVE-2011-3009 ruby: Properly initialize the random number generator when forking new process CVE-2011-4815 ruby: hash table collisions CPU usage DoS (oCERT-2011-003) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. It was found that the hashing routine used by PHP arrays was susceptible to predictable hash collisions. If an HTTP POST request to a PHP application contained many parameters whose names map to the same hash value, a large amount of CPU time would be consumed. This flaw has been mitigated by adding a new configuration directive, max_input_vars, that limits the maximum number of parameters processed per request. By default, max_input_vars is set to 1000. (CVE-2011-4885) An integer overflow flaw was found in the PHP exif extension. On 32-bit systems, a specially-crafted image file could cause the PHP interpreter to crash or disclose portions of its memory when a PHP script tries to extract Exchangeable image file format (Exif) metadata from the image file. (CVE-2011-4566) An insufficient input validation flaw, leading to a buffer over-read, was found in the PHP exif extension. A specially-crafted image file could cause the PHP interpreter to crash when a PHP script tries to extract Exchangeable image file format (Exif) metadata from the image file. (CVE-2011-0708) An integer overflow flaw was found in the PHP calendar extension. A remote attacker able to make a PHP script call SdnToJulian() with a large value could cause the PHP interpreter to crash. (CVE-2011-1466) An off-by-one flaw was found in PHP. If an attacker uploaded a file with a specially-crafted file name it could cause a PHP script to attempt to write a file to the root (/) directory. By default, PHP runs as the "apache" user, preventing it from writing to the root directory. (CVE-2011-2202) Red Hat would like to thank oCERT for reporting CVE-2011-4885. oCERT acknowledges Julian Wälde and Alexander Klink as the original reporters of CVE-2011-4885. All php users should upgrade to these updated packages, which contain backported patches to resolve these issues. After installing the updated packages, the httpd daemon must be restarted for the update to take effect. Moderate Copyright 2012 Red Hat, Inc. CVE-2011-0708 CVE-2011-1466 CVE-2011-2202 CVE-2011-4566 CVE-2011-4885 CVE-2011-0708 php: buffer over-read in Exif extension CVE-2011-1466 php: Crash by converting serial day numbers (SDN) into Julian calendar CVE-2011-2202 php: file path injection vulnerability in RFC1867 file upload filename CVE-2011-4885 php: hash table collisions CPU usage DoS (oCERT-2011-003) CVE-2011-4566 php: integer overflow in exif_process_IFD_TAG() may lead to DoS or arbitrary memory disclosure cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 In accordance with the Red Hat Enterprise Linux Errata Support Policy, the 7 year life-cycle of Red Hat Enterprise Linux 4 will end on February 29, 2012 and your subscription services for that version will change. Active Red Hat Enterprise Linux subscribers using Red Hat Enterprise Linux 4 will have the option to upgrade to currently supported versions of Red Hat Enterprise Linux and receive the full benefits of the subscription. After February 29, 2012, Red Hat will discontinue technical support services as well as software maintenance services for Red Hat Enterprise Linux 4 meaning that new bug fixes, security errata and product enhancements will no longer be provided for the following products: * Red Hat Enterprise Linux AS 4 * Red Hat Enterprise Linux ES 4 * Red Hat Enterprise Linux WS 4 * Red Hat Desktop 4 * Red Hat Global File System 4 * Red Hat Cluster Suite 4 Customers who choose to continue to deploy Red Hat Enterprise Linux 4 offerings will continue to have access via Red Hat Network (RHN) to the following content as part of their active Red Hat Enterprise Linux subscription: - Previously released bug fixes, security errata and product enhancements. - Red Hat Knowledge Base and other content (whitepapers, reference architectures, etc) found in the Red Hat Customer Portal. - All Red Hat Enterprise Linux 4 documentation. Customers are strongly encouraged to take advantage of the upgrade benefits of their active Red Hat Enterprise Linux subscription and migrate to an active version of Red Hat Enterprise Linux such as version 5 or 6. For customers who are unable to migrate off Red Hat Enterprise Linux 4 before its end-of-life date and require software maintenance and/or technical support, Red Hat offers an optional support extension called the Extended Life-cycle Support (ELS) Add-On Subscription. The ELS Subscription provides up to three additional years of limited Software Maintenance (Production 3 Phase) for Red Hat Enterprise Linux 4 with unlimited technical support, critical Security Advisories (RHSAs) and selected Urgent Priority Bug Advisories (RHBAs). For more information, contact your Red Hat sales representative or channel partner. Details of the Red Hat Enterprise Linux life-cycle can be found on the Red Hat website: https://access.redhat.com/support/policy/updates/errata/ Low Copyright 2012 Red Hat, Inc. Send Out RHEL 4 30 day EOL Notice cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. A use-after-free flaw was found in the way Firefox removed nsDOMAttribute child nodes. In certain circumstances, due to the premature notification of AttributeChildRemoved, a malicious script could possibly use this flaw to cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2011-3659) Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2012-0442) A flaw was found in the way Firefox parsed Ogg Vorbis media files. A web page containing a malicious Ogg Vorbis media file could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2012-0444) A flaw was found in the way Firefox parsed certain Scalable Vector Graphics (SVG) image files that contained eXtensible Style Sheet Language Transformations (XSLT). A web page containing a malicious SVG image file could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2012-0449) The same-origin policy in Firefox treated http://example.com and http://[example.com] as interchangeable. A malicious script could possibly use this flaw to gain access to sensitive information (such as a client's IP and user e-mail address, or httpOnly cookies) that may be included in HTTP proxy error replies, generated in response to invalid URLs using square brackets. (CVE-2011-3670) For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 3.6.26. You can find a link to the Mozilla advisories in the References section of this erratum. All Firefox users should upgrade to these updated packages, which contain Firefox version 3.6.26, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect. Critical Copyright 2012 Red Hat, Inc. CVE-2011-3659 CVE-2011-3670 CVE-2012-0442 CVE-2012-0444 CVE-2012-0449 CVE-2012-0442 Mozilla: memory safety hazards in 10.0/1.9.2.26 (MFSA 2012-01) CVE-2011-3670 Mozilla: Same-origin bypass using IPv6-like hostname syntax (MFSA 2012-02) CVE-2012-0449 Mozilla: Crash when rendering SVG+XSLT (MFSA 2012-08) CVE-2012-0444 Firefox: Ogg Vorbis Decoding Memory Corruption (MFSA 2012-07) CVE-2011-3659 Mozilla: child nodes from nsDOMAttribute still accessible after removal of nodes (MFSA 2012-04) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Mozilla Thunderbird is a standalone mail and newsgroup client. A use-after-free flaw was found in the way Thunderbird removed nsDOMAttribute child nodes. In certain circumstances, due to the premature notification of AttributeChildRemoved, a malicious script could possibly use this flaw to cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2011-3659) Several flaws were found in the processing of malformed content. An HTML mail message containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2012-0442) A flaw was found in the way Thunderbird parsed certain Scalable Vector Graphics (SVG) image files that contained eXtensible Style Sheet Language Transformations (XSLT). An HTML mail message containing a malicious SVG image file could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2012-0449) The same-origin policy in Thunderbird treated http://example.com and http://[example.com] as interchangeable. A malicious script could possibly use this flaw to gain access to sensitive information (such as a client's IP and user e-mail address, or httpOnly cookies) that may be included in HTTP proxy error replies, generated in response to invalid URLs using square brackets. (CVE-2011-3670) Note: The CVE-2011-3659 and CVE-2011-3670 issues cannot be exploited by a specially-crafted HTML mail message as JavaScript is disabled by default for mail messages. It could be exploited another way in Thunderbird, for example, when viewing the full remote content of an RSS feed. For technical details regarding these flaws, refer to the Mozilla security advisories for Thunderbird 3.1.18. You can find a link to the Mozilla advisories in the References section of this erratum. All Thunderbird users should upgrade to these updated packages, which contain Thunderbird version 3.1.18, which corrects these issues. After installing the update, Thunderbird must be restarted for the changes to take effect. Critical Copyright 2012 Red Hat, Inc. CVE-2011-3659 CVE-2011-3670 CVE-2012-0442 CVE-2012-0449 CVE-2012-0442 Mozilla: memory safety hazards in 10.0/1.9.2.26 (MFSA 2012-01) CVE-2011-3670 Mozilla: Same-origin bypass using IPv6-like hostname syntax (MFSA 2012-02) CVE-2012-0449 Mozilla: Crash when rendering SVG+XSLT (MFSA 2012-08) CVE-2011-3659 Mozilla: child nodes from nsDOMAttribute still accessible after removal of nodes (MFSA 2012-04) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 SeaMonkey is an open source web browser, e-mail and newsgroup client, IRC chat client, and HTML editor. A flaw was found in the processing of malformed web content. A web page containing malicious content could cause SeaMonkey to crash or, potentially, execute arbitrary code with the privileges of the user running SeaMonkey. (CVE-2012-0442) The same-origin policy in SeaMonkey treated http://example.com and http://[example.com] as interchangeable. A malicious script could possibly use this flaw to gain access to sensitive information (such as a client's IP and user e-mail address, or httpOnly cookies) that may be included in HTTP proxy error replies, generated in response to invalid URLs using square brackets. (CVE-2011-3670) All SeaMonkey users should upgrade to these updated packages, which correct these issues. After installing the update, SeaMonkey must be restarted for the changes to take effect. Critical Copyright 2012 Red Hat, Inc. CVE-2011-3670 CVE-2012-0442 CVE-2012-0442 Mozilla: memory safety hazards in 10.0/1.9.2.26 (MFSA 2012-01) CVE-2011-3670 Mozilla: Same-origin bypass using IPv6-like hostname syntax (MFSA 2012-02) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Mozilla Thunderbird is a standalone mail and newsgroup client. A flaw was found in the processing of malformed content. An HTML mail message containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2012-0442) The same-origin policy in Thunderbird treated http://example.com and http://[example.com] as interchangeable. A malicious script could possibly use this flaw to gain access to sensitive information (such as a client's IP and user e-mail address, or httpOnly cookies) that may be included in HTTP proxy error replies, generated in response to invalid URLs using square brackets. (CVE-2011-3670) Note: The CVE-2011-3670 issue cannot be exploited by a specially-crafted HTML mail message as JavaScript is disabled by default for mail messages. It could be exploited another way in Thunderbird, for example, when viewing the full remote content of an RSS feed. All Thunderbird users should upgrade to this updated package, which resolves these issues. All running instances of Thunderbird must be restarted for the update to take effect. Critical Copyright 2012 Red Hat, Inc. CVE-2011-3670 CVE-2012-0442 CVE-2012-0442 Mozilla: memory safety hazards in 10.0/1.9.2.26 (MFSA 2012-01) CVE-2011-3670 Mozilla: Same-origin bypass using IPv6-like hostname syntax (MFSA 2012-02) cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. An information leak flaw was found in the SSL 3.0 protocol implementation in OpenSSL. Incorrect initialization of SSL record padding bytes could cause an SSL client or server to send a limited amount of possibly sensitive data to its SSL peer via the encrypted connection. (CVE-2011-4576) It was discovered that OpenSSL did not limit the number of TLS/SSL handshake restarts required to support Server Gated Cryptography. A remote attacker could use this flaw to make a TLS/SSL server using OpenSSL consume an excessive amount of CPU by continuously restarting the handshake. (CVE-2011-4619) All OpenSSL users should upgrade to these updated packages, which contain backported patches to resolve these issues. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted. Moderate Copyright 2012 Red Hat, Inc. CVE-2011-4576 CVE-2011-4619 CVE-2011-4576 openssl: uninitialized SSL 3.0 padding CVE-2011-4619 openssl: SGC restart DoS attack cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. It was discovered that the fix for CVE-2011-4885 (released via RHSA-2012:0019 for php53 packages in Red Hat Enterprise Linux 5) introduced an uninitialized memory use flaw. A remote attacker could send a specially- crafted HTTP request to cause the PHP interpreter to crash or, possibly, execute arbitrary code. (CVE-2012-0830) All php53 users should upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing the updated packages, the httpd daemon must be restarted for the update to take effect. Critical Copyright 2012 Red Hat, Inc. CVE-2012-0830 CVE-2012-0830 php: remote code exec flaw introduced in the CVE-2011-4885 hashdos fix cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. It was discovered that the fix for CVE-2011-4885 (released via RHSA-2012:0071, RHSA-2012:0033, and RHSA-2012:0019 for php packages in Red Hat Enterprise Linux 4, 5, and 6 respectively) introduced an uninitialized memory use flaw. A remote attacker could send a specially-crafted HTTP request to cause the PHP interpreter to crash or, possibly, execute arbitrary code. (CVE-2012-0830) All php users should upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing the updated packages, the httpd daemon must be restarted for the update to take effect. Critical Copyright 2012 Red Hat, Inc. CVE-2012-0830 CVE-2012-0830 php: remote code exec flaw introduced in the CVE-2011-4885 hashdos fix cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Ghostscript is a set of software that provides a PostScript interpreter, a set of C procedures (the Ghostscript library, which implements the graphics capabilities in the PostScript language) and an interpreter for Portable Document Format (PDF) files. An integer overflow flaw was found in Ghostscript's TrueType bytecode interpreter. An attacker could create a specially-crafted PostScript or PDF file that, when interpreted, could cause Ghostscript to crash or, potentially, execute arbitrary code. (CVE-2009-3743) It was found that Ghostscript always tried to read Ghostscript system initialization files from the current working directory before checking other directories, even if a search path that did not contain the current working directory was specified with the "-I" option, or the "-P-" option was used (to prevent the current working directory being searched first). If a user ran Ghostscript in an attacker-controlled directory containing a system initialization file, it could cause Ghostscript to execute arbitrary PostScript code. (CVE-2010-2055) Ghostscript included the current working directory in its library search path by default. If a user ran Ghostscript without the "-P-" option in an attacker-controlled directory containing a specially-crafted PostScript library file, it could cause Ghostscript to execute arbitrary PostScript code. With this update, Ghostscript no longer searches the current working directory for library files by default. (CVE-2010-4820) Note: The fix for CVE-2010-4820 could possibly break existing configurations. To use the previous, vulnerable behavior, run Ghostscript with the "-P" option (to always search the current working directory first). A flaw was found in the way Ghostscript interpreted PostScript Type 1 and PostScript Type 2 font files. An attacker could create a specially-crafted PostScript Type 1 or PostScript Type 2 font file that, when interpreted, could cause Ghostscript to crash or, potentially, execute arbitrary code. (CVE-2010-4054) Users of Ghostscript are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Moderate Copyright 2012 Red Hat, Inc. CVE-2009-3743 CVE-2010-2055 CVE-2010-4054 CVE-2010-4820 CVE-2010-2055 ghostscript: gs_init.ps searched in current directory despite -P- CVE-2009-3743 ghostscript: TrueType bytecode intepreter integer overflow or wraparound CVE-2010-4054 ghostscript: glyph data access improper input validation CVE-2010-4820 ghostscript: CWD included in the default library search path cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Ghostscript is a set of software that provides a PostScript interpreter, a set of C procedures (the Ghostscript library, which implements the graphics capabilities in the PostScript language) and an interpreter for Portable Document Format (PDF) files. Ghostscript included the current working directory in its library search path by default. If a user ran Ghostscript without the "-P-" option in an attacker-controlled directory containing a specially-crafted PostScript library file, it could cause Ghostscript to execute arbitrary PostScript code. With this update, Ghostscript no longer searches the current working directory for library files by default. (CVE-2010-4820) Note: The fix for CVE-2010-4820 could possibly break existing configurations. To use the previous, vulnerable behavior, run Ghostscript with the "-P" option (to always search the current working directory first). A flaw was found in the way Ghostscript interpreted PostScript Type 1 and PostScript Type 2 font files. An attacker could create a specially-crafted PostScript Type 1 or PostScript Type 2 font file that, when interpreted, could cause Ghostscript to crash or, potentially, execute arbitrary code. (CVE-2010-4054) Users of Ghostscript are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Moderate Copyright 2012 Red Hat, Inc. CVE-2010-4054 CVE-2010-4820 CVE-2010-4054 ghostscript: glyph data access improper input validation CVE-2010-4820 ghostscript: CWD included in the default library search path cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 SquirrelMail is a standards-based webmail package written in PHP. A cross-site scripting (XSS) flaw was found in the way SquirrelMail performed the sanitization of HTML style tag content. A remote attacker could use this flaw to send a specially-crafted Multipurpose Internet Mail Extensions (MIME) message that, when opened by a victim, would lead to arbitrary web script execution in the context of their SquirrelMail session. (CVE-2011-2023) Multiple cross-site scripting (XSS) flaws were found in SquirrelMail. A remote attacker could possibly use these flaws to execute arbitrary web script in the context of a victim's SquirrelMail session. (CVE-2010-4555) An input sanitization flaw was found in the way SquirrelMail handled the content of various HTML input fields. A remote attacker could use this flaw to alter user preference values via a newline character contained in the input for these fields. (CVE-2011-2752) It was found that the SquirrelMail Empty Trash and Index Order pages did not protect against Cross-Site Request Forgery (CSRF) attacks. If a remote attacker could trick a user, who was logged into SquirrelMail, into visiting a specially-crafted URL, the attacker could empty the victim's trash folder or alter the ordering of the columns on the message index page. (CVE-2011-2753) SquirrelMail was allowed to be loaded into an HTML sub-frame, allowing a remote attacker to perform a clickjacking attack against logged in users and possibly gain access to sensitive user data. With this update, the SquirrelMail main frame can only be loaded into the top most browser frame. (CVE-2010-4554) A flaw was found in the way SquirrelMail handled failed log in attempts. A user preference file was created when attempting to log in with a password containing an 8-bit character, even if the username was not valid. A remote attacker could use this flaw to eventually consume all hard disk space on the target SquirrelMail server. (CVE-2010-2813) A flaw was found in the SquirrelMail Mail Fetch plug-in. If an administrator enabled this plug-in, a SquirrelMail user could use this flaw to port scan the local network the server was on. (CVE-2010-1637) Users of SquirrelMail should upgrade to this updated package, which contains backported patches to correct these issues. Moderate Copyright 2012 Red Hat, Inc. CVE-2010-1637 CVE-2010-2813 CVE-2010-4554 CVE-2010-4555 CVE-2011-2023 CVE-2011-2752 CVE-2011-2753 CVE-2010-1637 SquirrelMail: Mail Fetch plugin -- port-scans via non-standard POP3 server ports CVE-2010-2813 SquirrelMail: DoS (disk space consumption) by random IMAP login attempts with 8-bit characters in the password CVE-2010-4554 SquirrelMail: Prone to clickjacking attacks CVE-2010-4555 SquirrelMail: Multiple XSS flaws CVE-2011-2023 SquirrelMail: XSS in <style> tag handling CVE-2011-2752 SquirrelMail: CRLF injection vulnerability CVE-2011-2753 SquirrelMail: CSRF in the empty trash feature and in Index Order page cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 MySQL is a multi-user, multi-threaded SQL database server. It consists of the MySQL server daemon (mysqld) and many client programs and libraries. This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section. (CVE-2011-2262, CVE-2012-0075, CVE-2012-0087, CVE-2012-0101, CVE-2012-0102, CVE-2012-0112, CVE-2012-0113, CVE-2012-0114, CVE-2012-0115, CVE-2012-0116, CVE-2012-0118, CVE-2012-0119, CVE-2012-0120, CVE-2012-0484, CVE-2012-0485, CVE-2012-0490, CVE-2012-0492) These updated packages upgrade MySQL to version 5.1.61. Refer to the MySQL release notes for a full list of changes: http://dev.mysql.com/doc/refman/5.1/en/news-5-1-x.html All MySQL users should upgrade to these updated packages, which correct these issues. After installing this update, the MySQL server daemon (mysqld) will be restarted automatically. Important Copyright 2012 Red Hat, Inc. CVE-2011-2262 CVE-2012-0075 CVE-2012-0087 CVE-2012-0101 CVE-2012-0102 CVE-2012-0112 CVE-2012-0113 CVE-2012-0114 CVE-2012-0115 CVE-2012-0116 CVE-2012-0118 CVE-2012-0119 CVE-2012-0120 CVE-2012-0484 CVE-2012-0485 CVE-2012-0490 CVE-2012-0492 CVE-2011-2262 mysql: Unspecified vulnerability allows remote attackers to affect availability CVE-2012-0075 mysql: Unspecified vulnerability allows remote authenticated users to affect integrity CVE-2012-0087 mysql: Unspecified vulnerability allows remote authenticated users to affect availability CVE-2012-0101 mysql: Unspecified vulnerability allows remote authenticated users to affect availability CVE-2012-0102 mysql: Unspecified vulnerability allows remote authenticated users to affect availability CVE-2012-0112 mysql: Unspecified vulnerability allows remote authenticated users to affect availability CVE-2012-0113 mysql: Unspecified vulnerability allows remote authenticated users to affect confidentiality and availability CVE-2012-0114 mysql: Unspecified vulnerability allows local users to affect confidentiality and integrity CVE-2012-0115 mysql: Unspecified vulnerability allows remote authenticated users to affect availability CVE-2012-0116 mysql: Unspecified vulnerability allows remote authenticated users to affect confidentiality and integrity CVE-2012-0118 mysql: Unspecified vulnerability allows remote authenticated users to affect confidentiality and availability CVE-2012-0119 mysql: Unspecified vulnerability allows remote authenticated users to affect availability CVE-2012-0120 mysql: Unspecified vulnerability allows remote authenticated users to affect availability CVE-2012-0484 mysql: Unspecified vulnerability allows remote authenticated users to affect confidentiality CVE-2012-0485 mysql: Unspecified vulnerability allows remote authenticated users to affect availability CVE-2012-0490 mysql: Unspecified vulnerability allows remote authenticated users to affect availability CVE-2012-0492 mysql: Unspecified vulnerability allows remote authenticated users to affect availability cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues: * Using the SG_IO ioctl to issue SCSI requests to partitions or LVM volumes resulted in the requests being passed to the underlying block device. If a privileged user only had access to a single partition or LVM volume, they could use this flaw to bypass those restrictions and gain read and write access (and be able to issue other SCSI commands) to the entire block device. Refer to Red Hat Knowledgebase article DOC-67874, linked to in the References, for further details about this issue. (CVE-2011-4127, Important) * A flaw was found in the way the Linux kernel handled robust list pointers of user-space held futexes across exec() calls. A local, unprivileged user could use this flaw to cause a denial of service or, eventually, escalate their privileges. (CVE-2012-0028, Important) * A flaw was found in the Linux kernel in the way splitting two extents in ext4_ext_convert_to_initialized() worked. A local, unprivileged user with the ability to mount and unmount ext4 file systems could use this flaw to cause a denial of service. (CVE-2011-3638, Moderate) * A flaw was found in the way the Linux kernel's journal_unmap_buffer() function handled buffer head states. On systems that have an ext4 file system with a journal mounted, a local, unprivileged user could use this flaw to cause a denial of service. (CVE-2011-4086, Moderate) * A divide-by-zero flaw was found in the Linux kernel's igmp_heard_query() function. An attacker able to send certain IGMP (Internet Group Management Protocol) packets to a target system could use this flaw to cause a denial of service. (CVE-2012-0207, Moderate) Red Hat would like to thank Zheng Liu for reporting CVE-2011-3638, and Simon McVittie for reporting CVE-2012-0207. This update also fixes the following bugs: * When a host was in recovery mode and a SCSI scan operation was initiated, the scan operation failed and provided no error output. This bug has been fixed and the SCSI layer now waits for recovery of the host to complete scan operations for devices. (BZ#772162) * SG_IO ioctls were not implemented correctly in the Red Hat Enterprise Linux 5 virtio-blk driver. Sending an SG_IO ioctl request to a virtio-blk disk caused the sending thread to enter an uninterruptible sleep state ("D" state). With this update, SG_IO ioctls are rejected by the virtio-blk driver: the ioctl system call will simply return an ENOTTY ("Inappropriate ioctl for device") error and the thread will continue normally. (BZ#773322) Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect. Important Copyright 2012 Red Hat, Inc. CVE-2011-3638 CVE-2011-4086 CVE-2011-4127 CVE-2012-0028 CVE-2012-0207 CVE-2011-3638 kernel: ext4: ext4_ext_insert_extent() kernel oops CVE-2011-4086 kernel: jbd2: unmapped buffer with _Unwritten or _Delay flags set can lead to DoS CVE-2011-4127 kernel: possible privilege escalation via SG_IO ioctl CVE-2012-0028 kernel: futex: clear robust_list on execve CVE-2012-0207 kernel: igmp: Avoid zero delay when receiving odd mixture of IGMP queries cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 The glibc packages contain the standard C libraries used by multiple programs on the system. These packages contain the standard C and the standard math libraries. Without these two libraries, a Linux system cannot function properly. An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way the glibc library read timezone files. If a carefully-crafted timezone file was loaded by an application linked against glibc, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2009-5029) A flaw was found in the way the ldd utility identified dynamically linked libraries. If an attacker could trick a user into running ldd on a malicious binary, it could result in arbitrary code execution with the privileges of the user running ldd. (CVE-2009-5064) It was discovered that the glibc addmntent() function, used by various mount helper utilities, did not sanitize its input properly. A local attacker could possibly use this flaw to inject malformed lines into the mtab (mounted file systems table) file via certain setuid mount helpers, if the attacker were allowed to mount to an arbitrary directory under their control. (CVE-2010-0296) An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way the glibc library loaded ELF (Executable and Linking Format) files. If a carefully-crafted ELF file was loaded by an application linked against glibc, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2010-0830) It was discovered that the glibc fnmatch() function did not properly restrict the use of alloca(). If the function was called on sufficiently large inputs, it could cause an application using fnmatch() to crash or, possibly, execute arbitrary code with the privileges of the application. (CVE-2011-1071) It was found that the glibc addmntent() function, used by various mount helper utilities, did not handle certain errors correctly when updating the mtab (mounted file systems table) file. If such utilities had the setuid bit set, a local attacker could use this flaw to corrupt the mtab file. (CVE-2011-1089) It was discovered that the locale command did not produce properly escaped output as required by the POSIX specification. If an attacker were able to set the locale environment variables in the environment of a script that performed shell evaluation on the output of the locale command, and that script were run with different privileges than the attacker's, it could execute arbitrary code with the privileges of the script. (CVE-2011-1095) An integer overflow flaw was found in the glibc fnmatch() function. If an attacker supplied a long UTF-8 string to an application linked against glibc, it could cause the application to crash. (CVE-2011-1659) A denial of service flaw was found in the remote procedure call (RPC) implementation in glibc. A remote attacker able to open a large number of connections to an RPC service that is using the RPC implementation from glibc, could use this flaw to make that service use an excessive amount of CPU time. (CVE-2011-4609) Red Hat would like to thank the Ubuntu Security Team for reporting CVE-2010-0830, and Dan Rosenberg for reporting CVE-2011-1089. The Ubuntu Security Team acknowledges Dan Rosenberg as the original reporter of CVE-2010-0830. This update also fixes the following bug: * When using an nscd package that is a different version than the glibc package, the nscd service could fail to start. This update makes the nscd package require a specific glibc version to prevent this problem. (BZ#657009) Users should upgrade to these updated packages, which resolve these issues. Moderate Copyright 2012 Red Hat, Inc. CVE-2009-5029 CVE-2009-5064 CVE-2010-0296 CVE-2010-0830 CVE-2011-1071 CVE-2011-1089 CVE-2011-1095 CVE-2011-1659 CVE-2011-4609 CVE-2010-0296 glibc: Improper encoding of names with certain special character in utilities for writing to mtab table CVE-2010-0830 glibc: ld.so d_tag signedness error in elf_get_dynamic_info CVE-2011-1095 glibc: insufficient quoting in the locale command output nscd rpm installation doesn't check dependencies CVE-2011-1071 CVE-2011-1659 glibc: fnmatch() alloca()-based memory corruption flaw CVE-2011-1089 glibc: Suid mount helpers fail to anticipate RLIMIT_FSIZE CVE-2009-5064 glibc: ldd unexpected code execution issue CVE-2009-5029 glibc: __tzfile_read integer overflow to buffer overflow CVE-2011-4609 glibc: svc_run() produces high cpu usage when accept() fails with EMFILE error cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The glibc packages contain the standard C libraries used by multiple programs on the system. These packages contain the standard C and the standard math libraries. Without these two libraries, a Linux system cannot function properly. An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way the glibc library read timezone files. If a carefully-crafted timezone file was loaded by an application linked against glibc, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2009-5029) A flaw was found in the way the ldd utility identified dynamically linked libraries. If an attacker could trick a user into running ldd on a malicious binary, it could result in arbitrary code execution with the privileges of the user running ldd. (CVE-2009-5064) An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way the glibc library loaded ELF (Executable and Linking Format) files. If a carefully-crafted ELF file was loaded by an application linked against glibc, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2010-0830) It was found that the glibc addmntent() function, used by various mount helper utilities, did not handle certain errors correctly when updating the mtab (mounted file systems table) file. If such utilities had the setuid bit set, a local attacker could use this flaw to corrupt the mtab file. (CVE-2011-1089) A denial of service flaw was found in the remote procedure call (RPC) implementation in glibc. A remote attacker able to open a large number of connections to an RPC service that is using the RPC implementation from glibc, could use this flaw to make that service use an excessive amount of CPU time. (CVE-2011-4609) Red Hat would like to thank the Ubuntu Security Team for reporting CVE-2010-0830, and Dan Rosenberg for reporting CVE-2011-1089. The Ubuntu Security Team acknowledges Dan Rosenberg as the original reporter of CVE-2010-0830. Users should upgrade to these updated packages, which resolve these issues. Moderate Copyright 2012 Red Hat, Inc. CVE-2009-5029 CVE-2009-5064 CVE-2010-0830 CVE-2011-1089 CVE-2011-4609 CVE-2010-0830 glibc: ld.so d_tag signedness error in elf_get_dynamic_info CVE-2011-1089 glibc: Suid mount helpers fail to anticipate RLIMIT_FSIZE CVE-2009-5064 glibc: ldd unexpected code execution issue CVE-2009-5029 glibc: __tzfile_read integer overflow to buffer overflow CVE-2011-4609 glibc: svc_run() produces high cpu usage when accept() fails with EMFILE error cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 MySQL is a multi-user, multi-threaded SQL database server. It consists of the MySQL server daemon (mysqld) and many client programs and libraries. This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section. (CVE-2012-0075, CVE-2012-0087, CVE-2012-0101, CVE-2012-0102, CVE-2012-0114, CVE-2012-0484, CVE-2012-0490) These updated packages upgrade MySQL to version 5.0.95. Refer to the MySQL release notes for a full list of changes: http://dev.mysql.com/doc/refman/5.0/en/news-5-0-x.html All MySQL users should upgrade to these updated packages, which correct these issues. After installing this update, the MySQL server daemon (mysqld) will be restarted automatically. Moderate Copyright 2012 Red Hat, Inc. CVE-2012-0075 CVE-2012-0087 CVE-2012-0101 CVE-2012-0102 CVE-2012-0114 CVE-2012-0484 CVE-2012-0490 CVE-2012-0075 mysql: Unspecified vulnerability allows remote authenticated users to affect integrity CVE-2012-0087 mysql: Unspecified vulnerability allows remote authenticated users to affect availability CVE-2012-0101 mysql: Unspecified vulnerability allows remote authenticated users to affect availability CVE-2012-0102 mysql: Unspecified vulnerability allows remote authenticated users to affect availability CVE-2012-0114 mysql: Unspecified vulnerability allows local users to affect confidentiality and integrity CVE-2012-0484 mysql: Unspecified vulnerability allows remote authenticated users to affect confidentiality CVE-2012-0490 mysql: Unspecified vulnerability allows remote authenticated users to affect availability cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 The Apache HTTP Server is a popular web server. It was discovered that the fix for CVE-2011-3368 (released via RHSA-2011:1391) did not completely address the problem. An attacker could bypass the fix and make a reverse proxy connect to an arbitrary server not directly accessible to the attacker by sending an HTTP version 0.9 request, or by using a specially-crafted URI. (CVE-2011-3639, CVE-2011-4317) The httpd server included the full HTTP header line in the default error page generated when receiving an excessively long or malformed header. Malicious JavaScript running in the server's domain context could use this flaw to gain access to httpOnly cookies. (CVE-2012-0053) An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way httpd performed substitutions in regular expressions. An attacker able to set certain httpd settings, such as a user permitted to override the httpd configuration for a specific directory using a ".htaccess" file, could use this flaw to crash the httpd child process or, possibly, execute arbitrary code with the privileges of the "apache" user. (CVE-2011-3607) A flaw was found in the way httpd handled child process status information. A malicious program running with httpd child process privileges (such as a PHP or CGI script) could use this flaw to cause the parent httpd process to crash during httpd service shutdown. (CVE-2012-0031) All httpd users should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd daemon will be restarted automatically. Moderate Copyright 2012 Red Hat, Inc. CVE-2011-3607 CVE-2011-3639 CVE-2011-4317 CVE-2012-0031 CVE-2012-0053 CVE-2011-3639 httpd: http 0.9 request bypass of the reverse proxy vulnerability CVE-2011-3368 fix CVE-2011-4317 httpd: uri scheme bypass of the reverse proxy vulnerability CVE-2011-3368 fix CVE-2011-3607 httpd: ap_pregsub Integer overflow to buffer overflow CVE-2012-0031 httpd: possible crash on shutdown due to flaw in scoreboard handling CVE-2012-0053 httpd: cookie exposure due to error responses cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 These packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software Development Kit. It was discovered that Java2D did not properly check graphics rendering objects before passing them to the native renderer. Malicious input, or an untrusted Java application or applet could use this flaw to crash the Java Virtual Machine (JVM), or bypass Java sandbox restrictions. (CVE-2012-0497) It was discovered that the exception thrown on deserialization failure did not always contain a proper identification of the cause of the failure. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions. (CVE-2012-0505) The AtomicReferenceArray class implementation did not properly check if the array was of the expected Object[] type. A malicious Java application or applet could use this flaw to bypass Java sandbox restrictions. (CVE-2011-3571) It was discovered that the use of TimeZone.setDefault() was not restricted by the SecurityManager, allowing an untrusted Java application or applet to set a new default time zone, and hence bypass Java sandbox restrictions. (CVE-2012-0503) The HttpServer class did not limit the number of headers read from HTTP requests. A remote attacker could use this flaw to make an application using HttpServer use an excessive amount of CPU time via a specially-crafted request. This update introduces a header count limit controlled using the sun.net.httpserver.maxReqHeaders property. The default value is 200. (CVE-2011-5035) The Java Sound component did not properly check buffer boundaries. Malicious input, or an untrusted Java application or applet could use this flaw to cause the Java Virtual Machine (JVM) to crash or disclose a portion of its memory. (CVE-2011-3563) A flaw was found in the AWT KeyboardFocusManager that could allow an untrusted Java application or applet to acquire keyboard focus and possibly steal sensitive information. (CVE-2012-0502) It was discovered that the CORBA (Common Object Request Broker Architecture) implementation in Java did not properly protect repository identifiers on certain CORBA objects. This could have been used to modify immutable object data. (CVE-2012-0506) An off-by-one flaw, causing a stack overflow, was found in the unpacker for ZIP files. A specially-crafted ZIP archive could cause the Java Virtual Machine (JVM) to crash when opened. (CVE-2012-0501) Note: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website. This erratum also upgrades the OpenJDK package to IcedTea6 1.10.6. Refer to the NEWS file, linked to in the References, for further information. All users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect. Critical Copyright 2012 Red Hat, Inc. CVE-2011-3563 CVE-2011-3571 CVE-2011-5035 CVE-2012-0497 CVE-2012-0501 CVE-2012-0502 CVE-2012-0503 CVE-2012-0505 CVE-2012-0506 CVE-2012-0507 CVE-2011-5035 OpenJDK: HttpServer no header count limit (Lightweight HTTP Server, 7126960) CVE-2012-0501 OpenJDK: off-by-one bug in ZIP reading code (JRE, 7118283) CVE-2012-0503 OpenJDK: unrestricted use of TimeZone.setDefault() (i18n, 7110687) CVE-2012-0507 OpenJDK: AtomicReferenceArray insufficient array type check (Concurrency, 7082299) CVE-2011-3563 OpenJDK: JavaSound incorrect bounds check (Sound, 7088367) CVE-2012-0502 OpenJDK: KeyboardFocusManager focus stealing (AWT, 7110683) CVE-2012-0505 OpenJDK: incomplete info in the deserialization exception (Serialization, 7110700) CVE-2012-0506 OpenJDK: mutable repository identifiers (CORBA, 7110704) CVE-2012-0497 OpenJDK: insufficient checking of the graphics rendering object (2D, 7112642) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 The libvorbis packages contain runtime libraries for use in programs that support Ogg Vorbis. Ogg Vorbis is a fully open, non-proprietary, patent-and royalty-free, general-purpose compressed audio format. A heap-based buffer overflow flaw was found in the way the libvorbis library parsed Ogg Vorbis media files. If a specially-crafted Ogg Vorbis media file was opened by an application using libvorbis, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2012-0444) Users of libvorbis should upgrade to these updated packages, which contain a backported patch to correct this issue. The desktop must be restarted (log out, then log back in) for this update to take effect. Important Copyright 2012 Red Hat, Inc. CVE-2012-0444 CVE-2012-0444 Firefox: Ogg Vorbis Decoding Memory Corruption (MFSA 2012-07) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 TeX Live is an implementation of TeX. TeX takes a text file and a set of formatting commands as input, and creates a typesetter-independent DeVice Independent (DVI) file as output. The texlive packages provide a number of utilities, including dvips. TeX Live embeds a copy of t1lib. The t1lib library allows you to rasterize bitmaps from PostScript Type 1 fonts. The following issues affect t1lib code: Two heap-based buffer overflow flaws were found in the way t1lib processed Adobe Font Metrics (AFM) files. If a specially-crafted font file was opened by a TeX Live utility, it could cause the utility to crash or, potentially, execute arbitrary code with the privileges of the user running the utility. (CVE-2010-2642, CVE-2011-0433) An invalid pointer dereference flaw was found in t1lib. A specially-crafted font file could, when opened, cause a TeX Live utility to crash or, potentially, execute arbitrary code with the privileges of the user running the utility. (CVE-2011-0764) A use-after-free flaw was found in t1lib. A specially-crafted font file could, when opened, cause a TeX Live utility to crash or, potentially, execute arbitrary code with the privileges of the user running the utility. (CVE-2011-1553) An off-by-one flaw was found in t1lib. A specially-crafted font file could, when opened, cause a TeX Live utility to crash or, potentially, execute arbitrary code with the privileges of the user running the utility. (CVE-2011-1554) An out-of-bounds memory read flaw was found in t1lib. A specially-crafted font file could, when opened, cause a TeX Live utility to crash. (CVE-2011-1552) Red Hat would like to thank the Evince development team for reporting CVE-2010-2642. Upstream acknowledges Jon Larimer of IBM X-Force as the original reporter of CVE-2010-2642. All users of texlive are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Moderate Copyright 2012 Red Hat, Inc. CVE-2010-2642 CVE-2011-0433 CVE-2011-0764 CVE-2011-1552 CVE-2011-1553 CVE-2011-1554 CVE-2010-2642 evince, t1lib: Heap based buffer overflow in DVI file AFM font parser CVE-2011-0433 evince, t1lib: Heap-based buffer overflow DVI file AFM font parser CVE-2011-1552 t1lib: invalid read crash via crafted Type 1 font CVE-2011-1553 t1lib: Use-after-free via crafted Type 1 font CVE-2011-1554 t1lib: Off-by-one via crafted Type 1 font CVE-2011-0764 t1lib: Invalid pointer dereference via crafted Type 1 font cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 6 The Sun 1.6.0 Java release includes the Sun Java 6 Runtime Environment and the Sun Java 6 Software Development Kit. This update fixes several vulnerabilities in the Sun Java 6 Runtime Environment and the Sun Java 6 Software Development Kit. Further information about these flaws can be found on the Oracle Java SE Critical Patch page, listed in the References section. (CVE-2011-3563, CVE-2011-3571, CVE-2011-5035, CVE-2012-0498, CVE-2012-0499, CVE-2012-0500, CVE-2012-0501, CVE-2012-0502, CVE-2012-0503, CVE-2012-0505, CVE-2012-0506) All users of java-1.6.0-sun are advised to upgrade to these updated packages, which provide JDK and JRE 6 Update 31 and resolve these issues. All running instances of Sun Java must be restarted for the update to take effect. Critical Copyright 2012 Red Hat, Inc. CVE-2011-3563 CVE-2011-3571 CVE-2011-5035 CVE-2012-0498 CVE-2012-0499 CVE-2012-0500 CVE-2012-0501 CVE-2012-0502 CVE-2012-0503 CVE-2012-0505 CVE-2012-0506 CVE-2012-0507 CVE-2011-5035 OpenJDK: HttpServer no header count limit (Lightweight HTTP Server, 7126960) CVE-2012-0501 OpenJDK: off-by-one bug in ZIP reading code (JRE, 7118283) CVE-2012-0503 OpenJDK: unrestricted use of TimeZone.setDefault() (i18n, 7110687) CVE-2012-0507 OpenJDK: AtomicReferenceArray insufficient array type check (Concurrency, 7082299) CVE-2011-3563 OpenJDK: JavaSound incorrect bounds check (Sound, 7088367) CVE-2012-0502 OpenJDK: KeyboardFocusManager focus stealing (AWT, 7110683) CVE-2012-0505 OpenJDK: incomplete info in the deserialization exception (Serialization, 7110700) CVE-2012-0506 OpenJDK: mutable repository identifiers (CORBA, 7110704) CVE-2012-0498 Oracle JDK: unspecified vulnerability fixed in 6u31 and 7u3 (2D) CVE-2012-0499 Oracle JDK: unspecified vulnerability fixed in 6u31 and 7u3 (2D) CVE-2012-0500 Oracle JDK: unspecified vulnerability fixed in 6u31 and 7u3 (Deployment) cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 6 Mozilla Thunderbird is a standalone mail and newsgroup client. A heap-based buffer overflow flaw was found in the way Thunderbird handled PNG (Portable Network Graphics) images. An HTML mail message or remote content containing a specially-crafted PNG image could cause Thunderbird to crash or, possibly, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2011-3026) All Thunderbird users should upgrade to this updated package, which corrects this issue. After installing the update, Thunderbird must be restarted for the changes to take effect. Critical Copyright 2012 Red Hat, Inc. CVE-2011-3026 CVE-2011-3026 libpng: Heap-buffer-overflow in png_decompress_chunk cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 SeaMonkey is an open source web browser, e-mail and newsgroup client, IRC chat client, and HTML editor. A heap-based buffer overflow flaw was found in the way SeaMonkey handled PNG (Portable Network Graphics) images. A web page containing a malicious PNG image could cause SeaMonkey to crash or, possibly, execute arbitrary code with the privileges of the user running SeaMonkey. (CVE-2011-3026) All SeaMonkey users should upgrade to these updated packages, which correct this issue. After installing the update, SeaMonkey must be restarted for the changes to take effect. Critical Copyright 2012 Red Hat, Inc. CVE-2011-3026 CVE-2011-3026 libpng: Heap-buffer-overflow in png_decompress_chunk cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Mozilla Firefox is an open source web browser. A heap-based buffer overflow flaw was found in the way Firefox handled PNG (Portable Network Graphics) images. A web page containing a malicious PNG image could cause Firefox to crash or, possibly, execute arbitrary code with the privileges of the user running Firefox. (CVE-2011-3026) All Firefox users should upgrade to this updated package, which corrects this issue. After installing the update, Firefox must be restarted for the changes to take effect. Critical Copyright 2012 Red Hat, Inc. CVE-2011-3026 CVE-2011-3026 libpng: Heap-buffer-overflow in png_decompress_chunk cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 XULRunner provides the XUL Runtime environment for applications using the Gecko layout engine. A heap-based buffer overflow flaw was found in the way XULRunner handled PNG (Portable Network Graphics) images. A web page containing a malicious PNG image could cause an application linked against XULRunner (such as Firefox) to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2011-3026) All XULRunner users should upgrade to these updated packages, which correct this issue. After installing the update, applications using XULRunner must be restarted for the changes to take effect. Critical Copyright 2012 Red Hat, Inc. CVE-2011-3026 CVE-2011-3026 libpng: Heap-buffer-overflow in png_decompress_chunk cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 6 The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in. This update fixes multiple vulnerabilities in Adobe Flash Player. These vulnerabilities are detailed on the Adobe security page APSB12-03, listed in the References section. Multiple security flaws were found in the way flash-plugin displayed certain SWF content. An attacker could use these flaws to create a specially-crafted SWF file that would cause flash-plugin to crash or, potentially, execute arbitrary code when the victim loaded a page containing the specially-crafted SWF content. (CVE-2012-0752, CVE-2012-0753, CVE-2012-0754, CVE-2012-0755, CVE-2012-0756) A flaw in flash-plugin could allow an attacker to conduct cross-site scripting (XSS) attacks if a victim were tricked into visiting a specially-crafted web page. (CVE-2012-0767) All users of Adobe Flash Player should install this updated package, which upgrades Flash Player to version 10.3.183.15. Critical Copyright 2012 Red Hat, Inc. CVE-2012-0752 CVE-2012-0753 CVE-2012-0754 CVE-2012-0755 CVE-2012-0756 CVE-2012-0767 CVE-2012-0752 CVE-2012-0753 CVE-2012-0754 CVE-2012-0755 CVE-2012-0756 flash-plugin: multiple code execution flaws (APSB12-03) CVE-2012-0767 flash-plugin: universal cross-site scripting flaw (APSB12-03) cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 5 The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issue: * A flaw was found in the way the Linux kernel's Event Poll (epoll) subsystem handled large, nested epoll structures. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2011-1083, Moderate) Red Hat would like to thank Nelson Elhage for reporting this issue. These updated kernel packages include a number of bug fixes and enhancements. Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat Enterprise Linux 5.8 Technical Notes, linked to in the References, for information on the most significant of these changes. All Red Hat Enterprise Linux 5 users are advised to install these updated packages, which correct these issues and add these enhancements. The system must be rebooted for this update to take effect. Moderate Copyright 2012 Red Hat, Inc. CVE-2011-1083 kernel/module-verify-sig.c with memory uncleaned bug kernel multipath driver behaves badly on medium errors [RHEL5 Xen]: Mask out CPU features by default No NUMA node hash function found on a EX machine Cannot use Quickcam Pro 9000 with Ekiga, fails with "uvcvideo: Failed to query ..." Bug in RHEL-5.4/5.5 nfs_access_cache_shrinker kernel panic if bonding initialization fails RFE: RHEL5 Xen: support online dynamic resize of guest virtual disks [5.4] OS cannot recognize DVD disk replace in rescue mode. unexpected error message when sending a unsolicited NA from user code Spare disk added to a raid1 array by mdadm command is dropped upon next boot. vlapic: Fix possible guest tick losing after save/restore CVE-2011-1083 kernel: excessive in kernel CPU consumption when creating large nested epoll structures GFS2: Add readahead to sequential directory traversal NFS4: Incorrect server behavior when using OPEN call with O_CREATE on a directory on which the process has no WRITE permissions. PCI Virtual Function Passthrough - SR-IOV, Paravirt Guest fails to obtain IRQ after reboot dropwatch>stop: Waiting for deactivation ack (forever) Incorrect values in /proc/sys/vm/dirty_writeback_centises and dirty_expire_centisecs Non-responsive scsi target leads to excessive scsi recovery and dm-mp failover time Patch needed to allow MTU >1500 on vif prior to connecting to bridge kvmclock: MP-BIOS bug: 8254 timer not connected to IO-APIC VLAN interface with changed MAC address fails to communicate RHEL6.1 32bit xen hvm guest crash randomly 32-bit PV guest crash on restore on x64_86 host RHEL5.6 TSC used as default clock source on multi-chassis system multiple resource leaks on error paths in blkfront and netfront 300 seconds time shift in vdso version of clock_gettime() panic in cifsd code after unexpected lookup error -88. open/closed files in cifs mount points 2.6.18-238.1.1.el5 or newer won't boot under Xen HVM due to linux-2.6-virt-nmi-don-t-print-nmi-stuck-messages-on-guests.patch net.ipv6.conf.default.dad_transmits has no effect on tentative IPv6 addresses Kernel panic at nfs4_callback_compound+0x2dd mask the SMEP bit for PV, do the same or backport SMEP emulation for HVM Backport "x86: extend debug key 't' to collect useful clock skew info" Backport "vmx: Print advanced features during boot" Backport "x86/hvm: fix off-by-one errors in vcpuid range checks" pull missing fixes from upstream x86_emulate() couple nice-to-have xen hypervisor patches TCP_CRR and concurrent TCP stream tests over IPv6 sometime fails on rhel5.7 ext4: Don't error out the fs if the user tries to make a file too big 'dmesg' command is swamped with the message: pci_set_power_state(): 0000:05:05.0: state=3, current state=5 Unable to attach a cdrom device to guest domain miss xmit_hash_policy=layer2+3 in modinfo bonding output [xfs] mis-sized O_DIRECT I/O results in hung task timeouts Can't change lacp_rate in bonding mode=802.3ad [EL5.7] igb: failed to activate WOL on 2nd LAN port on i350 RHEL 6.1 Xen paravirt guest is getting network outage during live migration (host side) xfs_error_report() oops when passed-in mp is NULL Windows guests may hang/BSOD on some AMD processors. vlapic: backport EOI fast path win2003 i386 guest BSOD when created with e1000 nic Huge performance regression in NFS client ext3/ext4 mbcache causes high CPU load exclude VMX_PROCBASED_CTL2 from the MSRs a VMX guest is allowed to access netfront MTU drops to 1500 after domain migration xen modules - unable to handle kernel NULL pointer dereference Panic, NMI Watchdog detected LOCKUP on CPU 6 nfs4_getfacl decoding causes kernel oops Host crash when pass-through fails [RTC] - The ioctl RTC_IRPQ_READ doesn't return the correct value [RFE] backport Xen watchdog (hypervisor side only) BNX2I: Fixed the endian on TTT for NOP out transmission system cannot suspend with "stopping tasks timed out - bnx2i_thread/0 remaining" Install RHEV-H to virtual machine cause VM kernel panic when boot [ALL LANG] [anaconda] The installation halted when clicking 'Skip' button (select 'Skip entering Installation Number') cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The kexec-tools package contains the /sbin/kexec binary and utilities that together form the user-space component of the kernel's kexec feature. The /sbin/kexec binary facilitates a new kernel to boot using the kernel's kexec feature either on a normal or a panic reboot. The kexec fastboot mechanism allows booting a Linux kernel from the context of an already running kernel. Kdump used the SSH (Secure Shell) "StrictHostKeyChecking=no" option when dumping to SSH targets, causing the target kdump server's SSH host key not to be checked. This could make it easier for a man-in-the-middle attacker on the local network to impersonate the kdump SSH target server and possibly gain access to sensitive information in the vmcore dumps. (CVE-2011-3588) The mkdumprd utility created initrd files with world-readable permissions. A local user could possibly use this flaw to gain access to sensitive information, such as the private SSH key used to authenticate to a remote server when kdump was configured to dump to an SSH target. (CVE-2011-3589) The mkdumprd utility included unneeded sensitive files (such as all files from the "/root/.ssh/" directory and the host's private SSH keys) in the resulting initrd. This could lead to an information leak when initrd files were previously created with world-readable permissions. Note: With this update, only the SSH client configuration, known hosts files, and the SSH key configured via the newly introduced sshkey option in "/etc/kdump.conf" are included in the initrd. The default is the key generated when running the "service kdump propagate" command, "/root/.ssh/kdump_id_rsa". (CVE-2011-3590) Red Hat would like to thank Kevan Carstensen for reporting these issues. This updated kexec-tools package also includes numerous bug fixes and enhancements. Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat Enterprise Linux 5.8 Technical Notes, linked to in the References, for information on the most significant of these changes. All users of kexec-tools are advised to upgrade to this updated package, which resolves these security issues, fixes these bugs and adds these enhancements. Moderate Copyright 2012 Red Hat, Inc. CVE-2011-3588 CVE-2011-3589 CVE-2011-3590 ln: creating symbolic link `/tmp/initrd.ta4308/lib/libc.so.6' to `/lib/power6/libc.so.6': File exists kexec kernel crashes due to use of reserved memory range Non-portable "while" loop form used CVE-2011-3588 CVE-2011-3589 CVE-2011-3590 kexec-tools: Multiple security flaws by management of kdump core files and ramdisk images fsck: WARNING: couldn't open /etc/fstab: No such file or directory cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Sos is a set of tools that gather information about system hardware and configuration. The sosreport utility incorrectly included Certificate-based Red Hat Network private entitlement keys in the resulting archive of debugging information. An attacker able to access the archive could use the keys to access Red Hat Network content available to the host. This issue did not affect users of Red Hat Network Classic. (CVE-2011-4083) This updated sos package also includes numerous bug fixes and enhancements. Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat Enterprise Linux 5.8 Technical Notes, linked to in the References, for information on the most significant of these changes. All sos users are advised to upgrade to this updated package, which resolves these issues and adds these enhancements. Low Copyright 2012 Red Hat, Inc. CVE-2011-4083 sos rfe - request to update sos plugin cs.py for Red Hat Certificate System [RFE] improve sos plugin to capture MRG GRID related information sosreport French translation of y/n prompt is wrong and confusing [RFE] include output of ibv_devinfo command (libibverbs-utils package) in sosreport RFE: iSCSI Target plugin for sosreport. sosreport hangs the system when multiple SIGTERMs received Relative symlink in created report for truncated log files is wrong make non-standard log file collection more robust Fix problems hidden by __raisePlugins__ = 0, create logging for plugin errors When copying directory into report using addCopySpec, links inside are not handled correctly [RFE] sosreport should collect the result of ethtool -g, ethtool -c, and ethtool -a by default CVE-2011-4083 sos: sosreport is gathering certificate-based RHN entitlement private keys sosreport cluster modules fail with badly formed cluster.conf cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 ImageMagick is an image display and manipulation tool for the X Window System that can read and write multiple image formats. It was found that ImageMagick utilities tried to load ImageMagick configuration files from the current working directory. If a user ran an ImageMagick utility in an attacker-controlled directory containing a specially-crafted ImageMagick configuration file, it could cause the utility to execute arbitrary code. (CVE-2010-4167) This update also fixes the following bugs: * Previously, the "identify -verbose" command failed with an assertion if there was no image information available. An upstream patch has been applied, so that GetImageOption() is now called correctly. Now, the "identify -verbose" command works correctly even if no image information is available. (BZ#502626) * Previously, an incorrect use of the semaphore data type led to a deadlock. As a consequence, the ImageMagick utility could become unresponsive when converting JPEG files to PDF (Portable Document Format) files. A patch has been applied to address the deadlock issue, and JPEG files can now be properly converted to PDF files. (BZ#530592) * Previously, running the "convert" command with the "-color" option failed with a memory allocation error. The source code has been modified to fix problems with memory allocation. Now, using the "convert" command with the "-color" option works correctly. (BZ#616538) * Previously, ImageMagick could become unresponsive when using the "display" command on damaged GIF files. The source code has been revised to prevent the issue. ImageMagick now produces an error message in the described scenario. A file selector is now opened so the user can choose another image to display. (BZ#693989) * Prior to this update, the "convert" command did not handle rotated PDF files correctly. As a consequence, the output was rendered as a portrait with the content being cropped. With this update, the PDF render geometry is modified, and the output produced by the "convert" command is properly rendered as a landscape. (BZ#694922) All users of ImageMagick are advised to upgrade to these updated packages, which contain backported patches to correct these issues. All running instances of ImageMagick must be restarted for this update to take effect. Low Copyright 2012 Red Hat, Inc. CVE-2010-4167 Using "-page" option in ImageMagick's "convert" set bogus page size in PostScript CVE-2010-4167 ImageMagick: configuration files read from $CWD may allow arbitrary code execution cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The Common UNIX Printing System (CUPS) provides a portable printing layer for Linux, UNIX, and similar operating systems. A heap-based buffer overflow flaw was found in the Lempel-Ziv-Welch (LZW) decompression algorithm implementation used by the CUPS GIF image format reader. An attacker could create a malicious GIF image file that, when printed, could possibly cause CUPS to crash or, potentially, execute arbitrary code with the privileges of the "lp" user. (CVE-2011-2896) This update also fixes the following bugs: * Prior to this update, the "Show Completed Jobs," "Show All Jobs," and "Show Active Jobs" buttons returned results globally across all printers and not the results for the specified printer. With this update, jobs from only the selected printer are shown. (BZ#625900) * Prior to this update, the code of the serial backend contained a wrong condition. As a consequence, print jobs on the raw print queue could not be canceled. This update modifies the condition in the serial backend code. Now, the user can cancel these print jobs. (BZ#625955) * Prior to this update, the textonly filter did not work if used as a pipe, for example when the command line did not specify the filename and the number of copies was always 1. This update modifies the condition in the textonly filter. Now, the data are sent to the printer regardless of the number of copies specified. (BZ#660518) * Prior to this update, the file descriptor count increased until it ran out of resources when the cups daemon was running with enabled Security-Enhanced Linux (SELinux) features. With this update, all resources are allocated only once. (BZ#668009) * Prior to this update, CUPS incorrectly handled the en_US.ASCII value for the LANG environment variable. As a consequence, the lpadmin, lpstat, and lpinfo binaries failed to write to standard output if using LANG with the value. This update fixes the handling of the en_US.ASCII value and the binaries now write to standard output properly. (BZ#759081) All users of cups are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. After installing this update, the cupsd daemon will be restarted automatically. Low Copyright 2012 Red Hat, Inc. CVE-2011-2896 STR #3436: Jobs buttons not working correctly when viewing a specific printer Serial back end has inverted SIGTERM block textonly filter won't work as a pipe with copies=1 avc calls leak file descriptors CVE-2011-2896 David Koblas' GIF decoder LZW decoder buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third-party, the Key Distribution Center (KDC). It was found that ftpd, a Kerberos-aware FTP server, did not properly drop privileges. On Red Hat Enterprise Linux 5, the ftpd daemon did not check for the potential failure of the effective group ID change system call. If the group ID change failed, a remote FTP user could use this flaw to gain unauthorized read or write access to files that are owned by the root group. (CVE-2011-1526) Red Hat would like to thank the MIT Kerberos project for reporting this issue. Upstream acknowledges Tim Zingelman as the original reporter. This update also fixes the following bugs: * Due to a mistake in the Kerberos libraries, a client could fail to contact a Key Distribution Center (KDC) or terminate unexpectedly if the client had already more than 1024 file descriptors in use. This update backports modifications to the Kerberos libraries and the libraries use the poll() function instead of the select() function, as poll() does not have this limitation. (BZ#701444) * The KDC failed to release memory when processing a TGS (ticket-granting server) request from a client if the client request included an authenticator with a subkey. As a result, the KDC consumed an excessive amount of memory. With this update, the code releasing the memory has been added and the problem no longer occurs. (BZ#708516) * Under certain circumstances, if services requiring Kerberos authentication sent two authentication requests to the authenticating server, the second authentication request was flagged as a replay attack. As a result, the second authentication attempt was denied. This update applies an upstream patch that fixes this bug. (BZ#713500) * Previously, if Kerberos credentials had expired, the klist command could terminate unexpectedly with a segmentation fault when invoked with the -s option. This happened when klist encountered and failed to process an entry with no realm name while scanning the credential cache. With this update, the underlying code has been modified and the command handles such entries correctly. (BZ#729067) * Due to a regression, multi-line FTP macros terminated prematurely with a segmentation fault. This occurred because the previously-added patch failed to properly support multi-line macros. This update restores the support for multi-line macros and the problem no longer occurs. (BZ#735363, BZ#736132) All users of krb5 are advised to upgrade to these updated packages, which resolve these issues. Low Copyright 2012 Red Hat, Inc. CVE-2011-1526 Fix libkrb5 to work when > 1024 file descriptors are in use memory leak during kdc TGS request CVE-2011-1526 krb5, krb5-appl: ftpd incorrect group privilege dropping (MITKRB5-SA-2011-005) klist -s segfaults with expired credentials Newly introduced defect into krb5 cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The util-linux package contains a large variety of low-level system utilities that are necessary for a Linux system to function. Among others, util-linux contains the fdisk configuration tool and the login program. Multiple flaws were found in the way the mount and umount commands performed mtab (mounted file systems table) file updates. A local, unprivileged user allowed to mount or unmount file systems could use these flaws to corrupt the mtab file and create a stale lock file, preventing other users from mounting and unmounting file systems. (CVE-2011-1675, CVE-2011-1677) This update also fixes the following bugs: * When the user logged into a telnet server, the login utility did not update the utmp database properly if the utility was executed from the telnetd daemon. This was due to telnetd not creating an appropriate entry in a utmp file before executing login. With this update, correct entries are created and the database is updated properly. (BZ#646300) * Various options were not described on the blockdev(8) manual page. With this update, the blockdev(8) manual page includes all the relevant options. (BZ#650937) * Prior to this update, the build process of the util-linux package failed in the po directory with the following error message: "@MKINSTALLDIRS@: No such file or directory". An upstream patch has been applied to address this issue, and the util-linux package now builds successfully. (BZ#677452) * Previously, the ipcs(1) and ipcrm(1) manual pages mentioned an invalid option, "-b". With this update, only valid options are listed on those manual pages. (BZ#678407) * Previously, the mount(8) manual page contained incomplete information about the ext4 and XFS file systems. With this update, the mount(8) manual page contains the missing information. (BZ#699639) In addition, this update adds the following enhancements: * Previously, if DOS mode was enabled on a device, the fdisk utility could report error messages similar to the following: Partition 1 has different physical/logical beginnings (non-Linux?): phys=(0, 1, 1) logical=(0, 2, 7) This update enables users to switch off DOS compatible mode (by specifying the "-c" option), and such error messages are no longer displayed. (BZ#678430) * This update adds the "fsfreeze" command which halts access to a file system on a disk. (BZ#726572) All users of util-linux are advised to upgrade to this updated package, which contains backported patches to correct these issues and add these enhancements. Low Copyright 2012 Red Hat, Inc. CVE-2011-1675 CVE-2011-1677 login doesn't update /var/run/utmp properly blockdev man page missing information util-linux fails to build with gettext-0.17 [RHEL 5] ipcs and ipcrm in wrong man section CVE-2011-1675 util-linux: mount fails to anticipate RLIMIT_FSIZE CVE-2011-1677 util-linux: umount may fail to remove /etc/mtab~ lock file mount man page is missing support for ext4/xfs cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 BusyBox provides a single binary that includes versions of a large number of system commands, including a shell. This can be very useful for recovering from certain types of system failures, particularly those involving broken shared libraries. A buffer underflow flaw was found in the way the uncompress utility of BusyBox expanded certain archive files compressed using Lempel-Ziv compression. If a user were tricked into expanding a specially-crafted archive file with uncompress, it could cause BusyBox to crash or, potentially, execute arbitrary code with the privileges of the user running BusyBox. (CVE-2006-1168) The BusyBox DHCP client, udhcpc, did not sufficiently sanitize certain options provided in DHCP server replies, such as the client hostname. A malicious DHCP server could send such an option with a specially-crafted value to a DHCP client. If this option's value was saved on the client system, and then later insecurely evaluated by a process that assumes the option is trusted, it could lead to arbitrary code execution with the privileges of that process. Note: udhcpc is not used on Red Hat Enterprise Linux by default, and no DHCP client script is provided with the busybox packages. (CVE-2011-2716) This update also fixes the following bugs: * Prior to this update, the cp command wrongly returned the exit code 0 to indicate success if a device ran out of space while attempting to copy files of more than 4 gigabytes. This update modifies BusyBox, so that in such situations, the exit code 1 is returned. Now, the cp command shows correctly whether a process failed. (BZ#689659) * Prior to this update, the findfs command failed to check all existing block devices on a system with thousands of block device nodes in "/dev/". This update modifies BusyBox so that findfs checks all block devices even in this case. (BZ#756723) All users of busybox are advised to upgrade to these updated packages, which correct these issues. Low Copyright 2012 Red Hat, Inc. CVE-2006-1168 CVE-2011-2716 CVE-2006-1168 ncompress: .bss buffer underflow in decompression "busybox cp" does not return a correct exit code when "No space left on device" CVE-2011-2716 busybox: udhcpc insufficient checking of DHCP options cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The sudo (superuser do) utility allows system administrators to give certain users the ability to run commands as root. A flaw was found in the sudo password checking logic. In configurations where the sudoers settings allowed a user to run a command using sudo with only the group ID changed, sudo failed to prompt for the user's password before running the specified command with the elevated group privileges. (CVE-2011-0010) In addition, this update fixes the following bugs: * A NULL pointer dereference bug caused the sudo utility to terminate unexpectedly with a segmentation fault. This happened if the utility was run with the -g option and configured not to demand the password from the user who ran the sudo utility. With this update, the code has been modified and the problem no longer occurs. (BZ#673072) * The sudo utility failed to load sudoers from an LDAP (Lightweight Directory Access Protocol) server after the sudo tool was upgraded. This happened because the upgraded nsswitch.conf file did not contain the instruction to search for sudoers on the LDAP server. This update adds the lost instruction to /etc/nsswitch.conf and the system searches for sources of sudoers on the local file system and then on LDAP, if applicable. (BZ#617061) * The sudo tool interpreted a Runas alias specifying a group incorrectly as a user alias and the alias seemed to be ignored. With this update, the code for interpreting such aliases has been modified and the Runas group aliases are honored as expected. (BZ#627543) * Prior to this update, sudo did not parse comment characters (#) in the ldap.conf file correctly and could fail to work. With this update, parsing of the LDAP configuration file has been modified and the comment characters are parsed correctly. (BZ#750318) * The sudo utility formats its output to fit the width of the terminal window. However, this behavior is undesirable if the output is redirected through a pipeline. With this update, the output formatting is not applied in the scenario described. (BZ#697111) * Previously, the sudo utility performed Security-Enhanced Linux (SELinux) related initialization after switching to an unprivileged user. This prevented the correct setup of the SELinux environment before executing the specified command and could potentially cause an access denial. The bug has been fixed by backporting the SELinux related code and the execution model from a newer version of sudo. (BZ#477185) * On execv(3) function failure, the sudo tool executed an auditing call before reporting the failure. The call reset the error state and, consequently, the tool incorrectly reported that the command succeeded. With this update, the code has been modified and the problem no longer occurs. (BZ#673157) All users of sudo are advised to upgrade to this updated package, which resolves these issues. Low Copyright 2012 Red Hat, Inc. CVE-2011-0010 sudo changes uid before calling SELInux calls, preventing it from setting terminal context when using non priv account The Runas_Spec are ignored in sudoers file CVE-2011-0010 sudo: does not ask for password on GID changes sudo segfault sudo fails to report error correctly when execv(3) fails sudo -l inserts new lines based on terminal width, causing errors when output is piped. cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The nfs-utils package provides a daemon for the kernel Network File System (NFS) server, and related tools such as the mount.nfs, umount.nfs, and showmount programs. It was found that the mount.nfs tool did not handle certain errors correctly when updating the mtab (mounted file systems table) file. A local attacker could use this flaw to corrupt the mtab file. (CVE-2011-1749) This update also fixes the following bugs: * The nfs service failed to start if the NFSv1, NFSv2, and NFSv4 support was disabled (the MOUNTD_NFS_V1="no", MOUNTD_NFS_V2="no" MOUNTD_NFS_V3="no" lines in /etc/sysconfig/nfs were uncommented) because the mountd daemon failed to handle the settings correctly. With this update, the underlying code has been modified and the nfs service starts successfully in the described scenario. (BZ#529588) * When a user's Kerberos ticket expired, the "sh rpc.gssd" messages flooded the /var/log/messages file. With this update, the excessive logging has been suppressed. (BZ#593097) * The crash simulation (SM_SIMU_CRASH) of the rpc.statd service had a vulnerability that could be detected by ISS (Internet Security Scanner). As a result, the rpc.statd service terminated unexpectedly with the following error after an ISS scan: rpc.statd[xxxx]: recv_rply: can't decode RPC message! rpc.statd[xxxx]: *** SIMULATING CRASH! *** rpc.statd[xxxx]: unable to register (statd, 1, udp). However, the rpc.statd service ignored SM_SIMU_CRASH. This update removes the simulation crash support from the service and the problem no longer occurs. (BZ#600497) * The nfs-utils init scripts returned incorrect status codes in the following cases: if the rpcgssd and rpcsvcgssd daemon were not configured, were provided an unknown argument, their function call failed, if a program was no longer running and a /var/lock/subsys/$SERVICE file existed, if starting a service under an unprivileged user, if a program was no longer running and its pid file still existed in the /var/run/ directory. With this update, the correct codes are returned in these scenarios. (BZ#710020) * The "nfsstat -m" command did not display NFSv4 mounts. With this update, the underlying code has been modified and the command returns the list of all mounts, including any NFSv4 mounts, as expected. (BZ#712438) * Previously, the nfs manual pages described the fsc mount option; however, this option is not supported. This update removes the option description from the manual pages. (BZ#715523) * The nfs-utils preinstall scriptlet failed to change the default group ID for the nfsnobody user to 65534. This update modifies the preinstall scriptlet and the default group ID is changed to 65534 after nfs-utils upgrade as expected. (BZ#729603) * The mount.nfs command with the "-o retry" option did not try to mount for the time specified in the "retry=X" configuration option. This occurred due to incorrect error handling by the command. With this update, the underlying code has been fixed and the "-o retry" option works as expected. (BZ#736677) In addition, this update adds the following enhancement: * The noresvport option, which allows NFS clients to use insecure ports (ports above 1023), has been added to the NFS server configuration options. (BZ#513094) All nfs-utils users are advised to upgrade to this updated package, which resolves these issues and adds this enhancement. After installing this update, the nfs service will be restarted automatically. Low Copyright 2012 Red Hat, Inc. CVE-2011-1749 CVE-2011-1749 nfs-utils: mount.nfs fails to anticipate RLIMIT_FSIZE cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The ibutils packages provide InfiniBand network and path diagnostics. It was found that the ibmssh executable had an insecure relative RPATH (runtime library search path) set in the ELF (Executable and Linking Format) header. A local user able to convince another user to run ibmssh in an attacker-controlled directory could run arbitrary code with the privileges of the victim. (CVE-2008-3277) This update also fixes the following bug: * Under certain circumstances, the "ibdiagnet -r" command could suffer from memory corruption and terminate with a "double free or corruption" message and a backtrace. With this update, the correct memory management function is used to prevent the corruption. (BZ#711779) All users of ibutils are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Low Copyright 2012 Red Hat, Inc. CVE-2008-3277 CVE-2008-3277 ibutils: insecure relative RPATH cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The initscripts package contains system scripts to boot your system, change runlevels, activate and deactivate most network interfaces, and shut the system down cleanly. With the default IPsec (Internet Protocol Security) ifup script configuration, the racoon IKE key management daemon used aggressive IKE mode instead of main IKE mode. This resulted in the preshared key (PSK) hash being sent unencrypted, which could make it easier for an attacker able to sniff network traffic to obtain the plain text PSK from a transmitted hash. (CVE-2008-1198) Red Hat would like to thank Aleksander Adamowski for reporting this issue. This update also fixes the following bugs: * Prior to this update, the DHCPv6 client was not terminated when the network service was stopped. This update modifies the source so that the client is now terminated when stopping the network service. (BZ#568896) * Prior to this update, on some systems the rm command failed and reported the error message "rm: cannot remove directory `/var/run/dovecot/login/': Is a directory" during system boot. This update modifies the source so that this error message no longer appears. (BZ#679998) * Prior to this update, the netconsole script could not discover and resolve the MAC address of the router specified in the /etc/sysconfig/netconsole file. This update modifies the netconsole script so that the script no longer fails when the arping tool returns the MAC address of the router more than once. (BZ#744734) * Prior to this update, the arp_ip_target was, due to a logic error, not correctly removed via sysfs. As a consequence, the error "ifdown-eth: line 64: echo: write error: Invalid argument" was reported when attempting to shut down a bonding device. This update modifies the script so that the error no longer appears and arp_ip_target is now correctly removed. (BZ#745681) All users of initscripts are advised to upgrade to this updated package, which fixes these issues. Low Copyright 2012 Red Hat, Inc. CVE-2008-1198 CVE-2008-1198 IPSec ifup script allows for aggressive IKE mode [REG][5.6] rm command reports an error message during system booting. cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Samba is an open-source implementation of the Server Message Block (SMB) or Common Internet File System (CIFS) protocol, which allows PC-compatible machines to share files, printers, and other information. The default Samba server configuration enabled both the "wide links" and "unix extensions" options, allowing Samba clients with write access to a share to create symbolic links that point to any location on the file system. Clients connecting with CIFS UNIX extensions disabled could have such links resolved on the server, allowing them to access and possibly overwrite files outside of the share. With this update, "wide links" is set to "no" by default. In addition, the update ensures "wide links" is disabled for shares that have "unix extensions" enabled. (CVE-2010-0926) Warning: This update may cause files and directories that are only linked to Samba shares using symbolic links to become inaccessible to Samba clients. In deployments where support for CIFS UNIX extensions is not needed (such as when files are exported to Microsoft Windows clients), administrators may prefer to set the "unix extensions" option to "no" to allow the use of symbolic links to access files out of the shared directories. All existing symbolic links in a share should be reviewed before re-enabling "wide links". These updated samba packages also fix the following bug: * The smbclient tool sometimes failed to return the proper exit status code. Consequently, using smbclient in a script caused some scripts to fail. With this update, an upstream patch has been applied and smbclient now returns the correct exit status. (BZ#768908) In addition, these updated samba packages provide the following enhancement: * With this update, support for Windows Server 2008 R2 domains has been added. (BZ#736124) Users are advised to upgrade to these updated samba packages, which correct these issues and add this enhancement. After installing this update, the smb service will be restarted automatically. Low Copyright 2012 Red Hat, Inc. CVE-2010-0926 CVE-2010-0926 samba: insecure "wide links" default cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 The libpng packages contain a library of functions for creating and manipulating PNG (Portable Network Graphics) image format files. A heap-based buffer overflow flaw was found in libpng. An attacker could create a specially-crafted PNG image that, when opened, could cause an application using libpng to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2011-3026) Users of libpng and libpng10 should upgrade to these updated packages, which contain a backported patch to correct this issue. All running applications using libpng or libpng10 must be restarted for the update to take effect. Important Copyright 2012 Red Hat, Inc. CVE-2011-3026 CVE-2011-3026 libpng: Heap-buffer-overflow in png_decompress_chunk (MFSA 2012-11) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 5 Concurrent Version System (CVS) is a version control system that can record the history of your files. A heap-based buffer overflow flaw was found in the way the CVS client handled responses from HTTP proxies. A malicious HTTP proxy could use this flaw to cause the CVS client to crash or, possibly, execute arbitrary code with the privileges of the user running the CVS client. (CVE-2012-0804) All users of cvs are advised to upgrade to these updated packages, which contain a patch to correct this issue. Moderate Copyright 2012 Red Hat, Inc. CVE-2012-0804 CVE-2012-0804 cvs: client proxy_connect heap-based buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 These packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software Development Kit. It was discovered that Java2D did not properly check graphics rendering objects before passing them to the native renderer. Malicious input, or an untrusted Java application or applet could use this flaw to crash the Java Virtual Machine (JVM), or bypass Java sandbox restrictions. (CVE-2012-0497) It was discovered that the exception thrown on deserialization failure did not always contain a proper identification of the cause of the failure. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions. (CVE-2012-0505) The AtomicReferenceArray class implementation did not properly check if the array was of the expected Object[] type. A malicious Java application or applet could use this flaw to bypass Java sandbox restrictions. (CVE-2011-3571) It was discovered that the use of TimeZone.setDefault() was not restricted by the SecurityManager, allowing an untrusted Java application or applet to set a new default time zone, and hence bypass Java sandbox restrictions. (CVE-2012-0503) The HttpServer class did not limit the number of headers read from HTTP requests. A remote attacker could use this flaw to make an application using HttpServer use an excessive amount of CPU time via a specially-crafted request. This update introduces a header count limit controlled using the sun.net.httpserver.maxReqHeaders property. The default value is 200. (CVE-2011-5035) The Java Sound component did not properly check buffer boundaries. Malicious input, or an untrusted Java application or applet could use this flaw to cause the Java Virtual Machine (JVM) to crash or disclose a portion of its memory. (CVE-2011-3563) A flaw was found in the AWT KeyboardFocusManager that could allow an untrusted Java application or applet to acquire keyboard focus and possibly steal sensitive information. (CVE-2012-0502) It was discovered that the CORBA (Common Object Request Broker Architecture) implementation in Java did not properly protect repository identifiers on certain CORBA objects. This could have been used to modify immutable object data. (CVE-2012-0506) An off-by-one flaw, causing a stack overflow, was found in the unpacker for ZIP files. A specially-crafted ZIP archive could cause the Java Virtual Machine (JVM) to crash when opened. (CVE-2012-0501) This erratum also upgrades the OpenJDK package to IcedTea6 1.10.6. Refer to the NEWS file, linked to in the References, for further information. All users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect. Important Copyright 2012 Red Hat, Inc. CVE-2011-3563 CVE-2011-3571 CVE-2011-5035 CVE-2012-0497 CVE-2012-0501 CVE-2012-0502 CVE-2012-0503 CVE-2012-0505 CVE-2012-0506 CVE-2012-0507 CVE-2011-5035 OpenJDK: HttpServer no header count limit (Lightweight HTTP Server, 7126960) CVE-2012-0501 OpenJDK: off-by-one bug in ZIP reading code (JRE, 7118283) CVE-2012-0503 OpenJDK: unrestricted use of TimeZone.setDefault() (i18n, 7110687) CVE-2012-0507 OpenJDK: AtomicReferenceArray insufficient array type check (Concurrency, 7082299) CVE-2011-3563 OpenJDK: JavaSound incorrect bounds check (Sound, 7088367) CVE-2012-0502 OpenJDK: KeyboardFocusManager focus stealing (AWT, 7110683) CVE-2012-0505 OpenJDK: incomplete info in the deserialization exception (Serialization, 7110700) CVE-2012-0506 OpenJDK: mutable repository identifiers (CORBA, 7110704) CVE-2012-0497 OpenJDK: insufficient checking of the graphics rendering object (2D, 7112642) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The Apache HTTP Server is a popular web server. It was discovered that the fix for CVE-2011-3368 (released via RHSA-2011:1392) did not completely address the problem. An attacker could bypass the fix and make a reverse proxy connect to an arbitrary server not directly accessible to the attacker by sending an HTTP version 0.9 request. (CVE-2011-3639) The httpd server included the full HTTP header line in the default error page generated when receiving an excessively long or malformed header. Malicious JavaScript running in the server's domain context could use this flaw to gain access to httpOnly cookies. (CVE-2012-0053) An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way httpd performed substitutions in regular expressions. An attacker able to set certain httpd settings, such as a user permitted to override the httpd configuration for a specific directory using a ".htaccess" file, could use this flaw to crash the httpd child process or, possibly, execute arbitrary code with the privileges of the "apache" user. (CVE-2011-3607) A flaw was found in the way httpd handled child process status information. A malicious program running with httpd child process privileges (such as a PHP or CGI script) could use this flaw to cause the parent httpd process to crash during httpd service shutdown. (CVE-2012-0031) All httpd users should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd daemon will be restarted automatically. Moderate Copyright 2012 Red Hat, Inc. CVE-2011-3607 CVE-2011-3639 CVE-2012-0031 CVE-2012-0053 CVE-2011-3639 httpd: http 0.9 request bypass of the reverse proxy vulnerability CVE-2011-3368 fix CVE-2011-3607 httpd: ap_pregsub Integer overflow to buffer overflow CVE-2012-0031 httpd: possible crash on shutdown due to flaw in scoreboard handling CVE-2012-0053 httpd: cookie exposure due to error responses cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 The libxml2 library is a development toolbox providing the implementation of various XML standards. It was found that the hashing routine used by libxml2 arrays was susceptible to predictable hash collisions. Sending a specially-crafted message to an XML service could result in longer processing time, which could lead to a denial of service. To mitigate this issue, randomization has been added to the hashing function to reduce the chance of an attacker successfully causing intentional collisions. (CVE-2012-0841) All users of libxml2 are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. The desktop must be restarted (log out, then log back in) for this update to take effect. Moderate Copyright 2012 Red Hat, Inc. CVE-2012-0841 CVE-2012-0841 libxml2: hash table collisions CPU usage DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Samba is a suite of programs used by machines to share files, printers, and other information. An input validation flaw was found in the way Samba handled Any Batched (AndX) requests. A remote, unauthenticated attacker could send a specially-crafted SMB packet to the Samba server, possibly resulting in arbitrary code execution with the privileges of the Samba server (root). (CVE-2012-0870) Red Hat would like to thank the Samba team for reporting this issue. Upstream acknowledges Andy Davis of NGS Secure as the original reporter. Users of Samba are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing this update, the smb service will be restarted automatically. Critical Copyright 2012 Red Hat, Inc. CVE-2012-0870 CVE-2012-0870 samba: Any Batched ("AndX") request processing infinite recursion and heap-based buffer overflow cpe:/o:redhat:enterprise_linux cpe:/o:redhat:rhel_aus cpe:/o:redhat:rhel_eus Red Hat Enterprise Linux 4 On March 01, 2012, all Red Hat Enterprise Linux 4-based products listed below transition from the Production Phase to the Extended Life Phase: Red Hat Enterprise Linux AS 4 Red Hat Enterprise Linux ES 4 Red Hat Enterprise Linux WS 4 Red Hat Desktop 4 Red Hat Global File System 4 Red Hat Cluster Suite 4 Red Hat offers support and services for each major release of Red Hat Enterprise Linux throughout four phases – Production 1, 2, and 3, and Extended Life Phase. For Red Hat Enterprise Linux 4, the Production Phase spans seven years, followed by a three-year Extended Life Phase. Together, these four phases constitute the "life cycle". The specific support and services provided during each phase is described in detail at: http://redhat.com/rhel/lifecycle On March 01, 2012, Red Hat Enterprise Linux 4 systems continue to be subscribed to Red Hat Enterprise Linux 4 channels on Red Hat Network (RHN), continue to require a Red Hat Enterprise Linux entitlement, and continue to have access to: * Limited technical support for existing Red Hat Enterprise Linux 4 deployments (for customers with Basic, Premium, or Standard support). * Previously released bug fixes (RHBAs), security errata (RHSAs), and product enhancements (RHEAs) via RHN. Software maintenance (new bug fix and security errata) are no longer provided for the Red Hat Enterprise Linux 4 product family. * Red Hat Knowledgebase and other content (white papers, reference architectures, etc.) found in the Red Hat Customer Portal. * Red Hat Enterprise Linux 4 documentation. Please also note that new bug fix, security, or product enhancements advisories (RHBAs, RHSAs, and RHEAs) are no longer provided for the Red Hat Enterprise Linux 4 Add-Ons after March 01. After March 01, you have several options. Your Red Hat subscription gives you continuous access to all active versions of the Red Hat software in both binary and source form, including all security updates and bug fixes. As Red Hat Enterprise Linux 4 transitions out of the Production Phase, we strongly recommend that you take full advantage of your subscription services and upgrade to Red Hat Enterprise Linux 5 or 6, which contain compelling new features and enablement for modern hardware platforms and ISV applications. If you must remain on Red Hat Enterprise Linux 4, we recommend that you add the Red Hat Enterprise Linux Extended Life Cycle Support (ELS) Add-On subscription to your current Red Hat Enterprise Linux subscription. The ELS Add-On complements your Red Hat Enterprise Linux subscription and provides software maintenance services not otherwise available in the Extended Life Phase. Customers who purchase the ELS Add-On continue to receive software maintenance (critical impact security and urgent priority bug fixes) and technical support as provided in the Production 3 Phase. ELS is available for up to three years and requires that you have an existing Red Hat Enterprise Linux subscription with equivalent subscription terms and support level. For more information on the Red Hat Enterprise Linux ELS Add-On, visit: http://www.redhat.com/products/enterprise-linux-add-ons/extended-lifecycle-support/ Low Copyright 2012 Red Hat, Inc. Send Out RHEL 4 Transition to Extended Life Phase Notice cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues: * A buffer overflow flaw was found in the way the Linux kernel's XFS file system implementation handled links with overly long path names. A local, unprivileged user could use this flaw to cause a denial of service or escalate their privileges by mounting a specially-crafted disk. (CVE-2011-4077, Moderate) * Flaws in ghash_update() and ghash_final() could allow a local, unprivileged user to cause a denial of service. (CVE-2011-4081, Moderate) * A flaw was found in the Linux kernel's Journaling Block Device (JBD). A local, unprivileged user could use this flaw to crash the system by mounting a specially-crafted ext3 or ext4 disk. (CVE-2011-4132, Moderate) * It was found that the kvm_vm_ioctl_assign_device() function in the KVM (Kernel-based Virtual Machine) subsystem of a Linux kernel did not check if the user requesting device assignment was privileged or not. A local, unprivileged user on the host could assign unused PCI devices, or even devices that were in use and whose resources were not properly claimed by the respective drivers, which could result in the host crashing. (CVE-2011-4347, Moderate) * Two flaws were found in the way the Linux kernel's __sys_sendmsg() function, when invoked via the sendmmsg() system call, accessed user-space memory. A local, unprivileged user could use these flaws to cause a denial of service. (CVE-2011-4594, Moderate) * The RHSA-2011:1530 kernel update introduced an integer overflow flaw in the Linux kernel. On PowerPC systems, a local, unprivileged user could use this flaw to cause a denial of service. (CVE-2011-4611, Moderate) * A flaw was found in the way the KVM subsystem of a Linux kernel handled PIT (Programmable Interval Timer) IRQs (interrupt requests) when there was no virtual interrupt controller set up. A local, unprivileged user on the host could force this situation to occur, resulting in the host crashing. (CVE-2011-4622, Moderate) * A flaw was found in the way the Linux kernel's XFS file system implementation handled on-disk Access Control Lists (ACLs). A local, unprivileged user could use this flaw to cause a denial of service or escalate their privileges by mounting a specially-crafted disk. (CVE-2012-0038, Moderate) * A flaw was found in the way the Linux kernel's KVM hypervisor implementation emulated the syscall instruction for 32-bit guests. An unprivileged guest user could trigger this flaw to crash the guest. (CVE-2012-0045, Moderate) * A divide-by-zero flaw was found in the Linux kernel's igmp_heard_query() function. An attacker able to send certain IGMP (Internet Group Management Protocol) packets to a target system could use this flaw to cause a denial of service. (CVE-2012-0207, Moderate) Red Hat would like to thank Nick Bowler for reporting CVE-2011-4081; Sasha Levin for reporting CVE-2011-4347; Tetsuo Handa for reporting CVE-2011-4594; Maynard Johnson for reporting CVE-2011-4611; Wang Xi for reporting CVE-2012-0038; Stephan Bärwolf for reporting CVE-2012-0045; and Simon McVittie for reporting CVE-2012-0207. Upstream acknowledges Mathieu Desnoyers as the original reporter of CVE-2011-4594. This update also fixes several bugs. Documentation for these changes will be available shortly from the Technical Notes document linked to in the References section. Users should upgrade to these updated packages, which contain backported patches to correct these issues, and fix the bugs noted in the Technical Notes. The system must be rebooted for this update to take effect. Moderate Copyright 2012 Red Hat, Inc. CVE-2011-4077 CVE-2011-4081 CVE-2011-4132 CVE-2011-4347 CVE-2011-4594 CVE-2011-4611 CVE-2011-4622 CVE-2012-0038 CVE-2012-0045 CVE-2012-0207 CVE-2011-4077 kernel: xfs: potential buffer overflow in xfs_readlink() CVE-2011-4081 kernel: crypto: ghash: null pointer deref if no key is set CVE-2011-4132 kernel: jbd/jbd2: invalid value of first log block leads to oops CVE-2011-4347 kernel: kvm: device assignment DoS CVE-2011-4594 kernel: send(m)msg: user pointer dereferences CVE-2011-4611 kernel: perf, powerpc: Handle events that raise an exception without overflowing CVE-2011-4622 kernel: kvm: pit timer with no irqchip crashes the system CVE-2012-0207 kernel: igmp: Avoid zero delay when receiving odd mixture of IGMP queries CVE-2012-0038 kernel: xfs heap overflow CVE-2012-0045 kernel: kvm: syscall instruction induced guest panic cifs: i/o error on copying file > 102336 bytes [rhel-6.2.z] cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 Supplementary for Red Hat Enterprise Linux 6 The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in. This update fixes two vulnerabilities in Adobe Flash Player. These vulnerabilities are detailed on the Adobe security page APSB12-05, listed in the References section. A flaw was found in the way flash-plugin displayed certain SWF content. An attacker could use this flaw to create a specially-crafted SWF file that would cause flash-plugin to crash or, potentially, execute arbitrary code when the victim loaded a page containing the specially-crafted SWF content. (CVE-2012-0768) A flaw in flash-plugin could allow an attacker to obtain sensitive information if a victim were tricked into visiting a specially-crafted web page. (CVE-2012-0769) All users of Adobe Flash Player should install this updated package, which upgrades Flash Player to version 10.3.183.16. Critical Copyright 2012 Red Hat, Inc. CVE-2012-0768 CVE-2012-0769 CVE-2012-0768 flash-plugin: code execution flaw (APSB12-05) CVE-2012-0769 flash-plugin: information disclosure flaw (APSB12-05) cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 6 SQLAlchemy is an Object Relational Mapper (ORM) that provides a flexible, high-level interface to SQL databases. It was discovered that SQLAlchemy did not sanitize values for the limit and offset keywords for SQL select statements. If an application using SQLAlchemy accepted values for these keywords, and did not filter or sanitize them before passing them to SQLAlchemy, it could allow an attacker to perform an SQL injection attack against the application. (CVE-2012-0805) All users of python-sqlalchemy are advised to upgrade to this updated package, which contains a patch to correct this issue. All running applications using SQLAlchemy must be restarted for this update to take effect. Moderate Copyright 2012 Red Hat, Inc. CVE-2012-0805 CVE-2012-0805 python-sqlalchemy: SQL injection flaw due to not checking LIMIT input for correct type cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The xen packages contain administration tools and the xend service for managing the kernel-xen kernel for virtualization on Red Hat Enterprise Linux. A heap overflow flaw was found in the way QEMU emulated the e1000 network interface card. A privileged guest user in a virtual machine whose network interface is configured to use the e1000 emulated driver could use this flaw to crash QEMU or, possibly, escalate their privileges on the host. (CVE-2012-0029) Red Hat would like to thank Nicolae Mogoreanu for reporting this issue. This update also fixes the following bugs: * Adding support for jumbo frames introduced incorrect network device expansion when a bridge is created. The expansion worked correctly with the default configuration, but could have caused network setup failures when a user-defined network script was used. This update changes the expansion so network setup will not fail, even when a user-defined network script is used. (BZ#797191) * A bug was found in xenconsoled, the Xen hypervisor console daemon. If timestamp logging for this daemon was enabled (using both the XENCONSOLED_TIMESTAMP_HYPERVISOR_LOG and XENCONSOLED_TIMESTAMP_GUEST_LOG options in "/etc/sysconfig/xend"), xenconsoled could crash if the guest emitted a lot of information to its serial console in a short period of time. Eventually, the guest would freeze after the console buffer was filled due to the crashed xenconsoled. Timestamp logging is disabled by default. (BZ#797836) All xen users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect. Important Copyright 2012 Red Hat, Inc. CVE-2012-0029 CVE-2012-0029 qemu: e1000: process_tx_desc legacy mode packets heap overflow xen-network-common.sh scripting typo cpe:/a:redhat:rhel_virtualization cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 SystemTap is an instrumentation system for systems running the Linux kernel. The system allows developers to write scripts to collect data on the operation of the system. An invalid pointer read flaw was found in the way SystemTap handled malformed debugging information in DWARF format. When SystemTap unprivileged mode was enabled, an unprivileged user in the stapusr group could use this flaw to crash the system or, potentially, read arbitrary kernel memory. Additionally, a privileged user (root, or a member of the stapdev group) could trigger this flaw when tricked into instrumenting a specially-crafted ELF binary, even when unprivileged mode was not enabled. (CVE-2012-0875) SystemTap users should upgrade to these updated packages, which contain a backported patch to correct this issue. Moderate Copyright 2012 Red Hat, Inc. CVE-2012-0875 CVE-2012-0875 systemtap: kernel panic when processing malformed DWARF unwind data cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Mozilla Firefox is an open source web browser. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2012-0461, CVE-2012-0462, CVE-2012-0464) Two flaws were found in the way Firefox parsed certain Scalable Vector Graphics (SVG) image files. A web page containing a malicious SVG image file could cause an information leak, or cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2012-0456, CVE-2012-0457) A flaw could allow a malicious site to bypass intended restrictions, possibly leading to a cross-site scripting (XSS) attack if a user were tricked into dropping a "javascript:" link onto a frame. (CVE-2012-0455) It was found that the home page could be set to a "javascript:" link. If a user were tricked into setting such a home page by dragging a link to the home button, it could cause Firefox to repeatedly crash, eventually leading to arbitrary code execution with the privileges of the user running Firefox. (CVE-2012-0458) A flaw was found in the way Firefox parsed certain web content containing "cssText". A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2012-0459) It was found that by using the DOM fullscreen API, untrusted content could bypass the mozRequestFullscreen security protections. A web page containing malicious web content could exploit this API flaw to cause user interface spoofing. (CVE-2012-0460) A flaw was found in the way Firefox handled pages with multiple Content Security Policy (CSP) headers. This could lead to a cross-site scripting attack if used in conjunction with a website that has a header injection flaw. (CVE-2012-0451) For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 10.0.3 ESR. You can find a link to the Mozilla advisories in the References section of this erratum. This update also fixes the following bugs: * When using the Traditional Chinese locale (zh-TW), a segmentation fault sometimes occurred when closing Firefox. (BZ#729632) * Inputting any text in the Web Console (Tools -> Web Developer -> Web Console) caused Firefox to crash. (BZ#784048) * The java-1.6.0-ibm-plugin and java-1.6.0-sun-plugin packages require the "/usr/lib/mozilla/plugins/" directory on 32-bit systems, and the "/usr/lib64/mozilla/plugins/" directory on 64-bit systems. These directories are created by the xulrunner package; however, they were missing from the xulrunner package provided by the RHEA-2012:0327 update. Therefore, upgrading to RHEA-2012:0327 removed those directories, causing dependency errors when attempting to install the java-1.6.0-ibm-plugin or java-1.6.0-sun-plugin package. With this update, xulrunner once again creates the plugins directory. This issue did not affect users of Red Hat Enterprise Linux 6. (BZ#799042) All Firefox users should upgrade to these updated packages, which contain Firefox version 10.0.3 ESR, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect. Critical Copyright 2012 Red Hat, Inc. CVE-2012-0451 CVE-2012-0455 CVE-2012-0456 CVE-2012-0457 CVE-2012-0458 CVE-2012-0459 CVE-2012-0460 CVE-2012-0461 CVE-2012-0462 CVE-2012-0464 Segfault on quit with Chinese locale [ @ gdk_display_close() ] Typing into Web Console in Firefox causes crashing - gcc 4.4.3 not able to install java-plugin CVE-2012-0461 CVE-2012-0462 CVE-2012-0464 Mozilla: Miscellaneous memory safety hazards (rv:11.0/ rv:10.0.3 / rv:1.9.2.28) (MFSA 2012-19) CVE-2012-0460 Mozilla: window.fullScreen writeable by untrusted content (MFSA 2012-18) CVE-2012-0459 Mozilla: Crash when accessing keyframe cssText after dynamic modification (MFSA 2012-17) CVE-2012-0458 Mozilla: Escalation of privilege with Javascript: URL as home page (MFSA 2012-16) CVE-2012-0451 Mozilla: XSS with multiple Content Security Policy headers (MFSA 2012-15) CVE-2012-0456 CVE-2012-0457 Mozilla: SVG issues found with Address Sanitizer (MFSA 2012-14) CVE-2012-0455 Mozilla: XSS with Drag and Drop and Javascript: URL (MFSA 2012-13) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Mozilla Thunderbird is a standalone mail and newsgroup client. Several flaws were found in the processing of malformed content. Malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2012-0461, CVE-2012-0462, CVE-2012-0464) Two flaws were found in the way Thunderbird parsed certain Scalable Vector Graphics (SVG) image files. An HTML mail message containing a malicious SVG image file could cause an information leak, or cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2012-0456, CVE-2012-0457) A flaw could allow malicious content to bypass intended restrictions, possibly leading to a cross-site scripting (XSS) attack if a user were tricked into dropping a "javascript:" link onto a frame. (CVE-2012-0455) It was found that the home page could be set to a "javascript:" link. If a user were tricked into setting such a home page by dragging a link to the home button, it could cause Firefox to repeatedly crash, eventually leading to arbitrary code execution with the privileges of the user running Firefox. A similar flaw was found and fixed in Thunderbird. (CVE-2012-0458) A flaw was found in the way Thunderbird parsed certain, remote content containing "cssText". Malicious, remote content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2012-0459) It was found that by using the DOM fullscreen API, untrusted content could bypass the mozRequestFullscreen security protections. Malicious content could exploit this API flaw to cause user interface spoofing. (CVE-2012-0460) A flaw was found in the way Thunderbird handled content with multiple Content Security Policy (CSP) headers. This could lead to a cross-site scripting attack if used in conjunction with a website that has a header injection flaw. (CVE-2012-0451) Note: All issues except CVE-2012-0456 and CVE-2012-0457 cannot be exploited by a specially-crafted HTML mail message as JavaScript is disabled by default for mail messages. It could be exploited another way in Thunderbird, for example, when viewing the full remote content of an RSS feed. All Thunderbird users should upgrade to this updated package, which contains Thunderbird version 10.0.3 ESR, which corrects these issues. After installing the update, Thunderbird must be restarted for the changes to take effect. Critical Copyright 2012 Red Hat, Inc. CVE-2012-0451 CVE-2012-0455 CVE-2012-0456 CVE-2012-0457 CVE-2012-0458 CVE-2012-0459 CVE-2012-0460 CVE-2012-0461 CVE-2012-0462 CVE-2012-0464 CVE-2012-0461 CVE-2012-0462 CVE-2012-0464 Mozilla: Miscellaneous memory safety hazards (rv:11.0/ rv:10.0.3 / rv:1.9.2.28) (MFSA 2012-19) CVE-2012-0460 Mozilla: window.fullScreen writeable by untrusted content (MFSA 2012-18) CVE-2012-0459 Mozilla: Crash when accessing keyframe cssText after dynamic modification (MFSA 2012-17) CVE-2012-0458 Mozilla: Escalation of privilege with Javascript: URL as home page (MFSA 2012-16) CVE-2012-0451 Mozilla: XSS with multiple Content Security Policy headers (MFSA 2012-15) CVE-2012-0456 CVE-2012-0457 Mozilla: SVG issues found with Address Sanitizer (MFSA 2012-14) CVE-2012-0455 Mozilla: XSS with Drag and Drop and Javascript: URL (MFSA 2012-13) cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 The glibc packages provide the standard C and standard math libraries used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. An integer overflow flaw was found in the implementation of the printf functions family. This could allow an attacker to bypass FORTIFY_SOURCE protections and execute arbitrary code using a format string flaw in an application, even though these protections are expected to limit the impact of such flaws to an application abort. (CVE-2012-0864) This update also fixes the following bugs: * Previously, the dynamic loader generated an incorrect ordering for initialization according to the ELF specification. This could result in incorrect ordering of DSO constructors and destructors. With this update, dependency resolution has been fixed. (BZ#783999) * Previously, locking of the main malloc arena was incorrect in the retry path. This could result in a deadlock if an sbrk request failed. With this update, locking of the main arena in the retry path has been fixed. This issue was exposed by a bug fix provided in the RHSA-2012:0058 update. (BZ#795328) * Calling memcpy with overlapping arguments on certain processors would generate unexpected results. While such code is a clear violation of ANSI/ISO standards, this update restores prior memcpy behavior. (BZ#799259) All users of glibc are advised to upgrade to these updated packages, which contain patches to resolve these issues. Moderate Copyright 2012 Red Hat, Inc. CVE-2012-0864 CVE-2012-0864 glibc: FORTIFY_SOURCE format string protection bypass via "nargs" integer overflow Change in memcpy behavior for overlapping arguments breaks existing applications cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The glibc packages provide the standard C and standard math libraries used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. An integer overflow flaw was found in the implementation of the printf functions family. This could allow an attacker to bypass FORTIFY_SOURCE protections and execute arbitrary code using a format string flaw in an application, even though these protections are expected to limit the impact of such flaws to an application abort. (CVE-2012-0864) All users of glibc are advised to upgrade to these updated packages, which contain a patch to resolve this issue. Moderate Copyright 2012 Red Hat, Inc. CVE-2012-0864 CVE-2012-0864 glibc: FORTIFY_SOURCE format string protection bypass via "nargs" integer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 The libpng packages contain a library of functions for creating and manipulating PNG (Portable Network Graphics) image format files. A heap-based buffer overflow flaw was found in the way libpng processed compressed chunks in PNG image files. An attacker could create a specially-crafted PNG image file that, when opened, could cause an application using libpng to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2011-3045) Users of libpng should upgrade to these updated packages, which correct this issue. For Red Hat Enterprise Linux 5, they contain a backported patch. For Red Hat Enterprise Linux 6, they upgrade libpng to version 1.2.48. All running applications using libpng must be restarted for the update to take effect. Moderate Copyright 2012 Red Hat, Inc. CVE-2011-3045 CVE-2011-3045 libpng: buffer overflow in png_inflate caused by invalid type conversions cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Raptor provides parsers for Resource Description Framework (RDF) files. An XML External Entity expansion flaw was found in the way Raptor processed RDF files. If an application linked against Raptor were to open a specially-crafted RDF file, it could possibly allow a remote attacker to obtain a copy of an arbitrary local file that the user running the application had access to. A bug in the way Raptor handled external entities could cause that application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2012-0037) Red Hat would like to thank Timothy D. Morgan of VSR for reporting this issue. All Raptor users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. All running applications linked against Raptor must be restarted for this update to take effect. Important Copyright 2012 Red Hat, Inc. CVE-2012-0037 CVE-2012-0037 raptor: XML External Entity (XXE) attack via RDF files cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 OpenOffice.org is an office productivity suite that includes desktop applications, such as a word processor, spreadsheet application, presentation manager, formula editor, and a drawing program. OpenOffice.org embeds a copy of Raptor, which provides parsers for Resource Description Framework (RDF) files. An XML External Entity expansion flaw was found in the way Raptor processed RDF files. If OpenOffice.org were to open a specially-crafted file (such as an OpenDocument Format or OpenDocument Presentation file), it could possibly allow a remote attacker to obtain a copy of an arbitrary local file that the user running OpenOffice.org had access to. A bug in the way Raptor handled external entities could cause OpenOffice.org to crash or, possibly, execute arbitrary code with the privileges of the user running OpenOffice.org. (CVE-2012-0037) Red Hat would like to thank Timothy D. Morgan of VSR for reporting this issue. All OpenOffice.org users are advised to upgrade to these updated packages, which contain backported patches to correct this issue. All running instances of OpenOffice.org applications must be restarted for this update to take effect. Important Copyright 2012 Red Hat, Inc. CVE-2012-0037 CVE-2012-0037 raptor: XML External Entity (XXE) attack via RDF files cpe:/a:redhat:rhel_productivity cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. A NULL pointer dereference flaw was found in the way OpenSSL parsed Secure/Multipurpose Internet Mail Extensions (S/MIME) messages. An attacker could use this flaw to crash an application that uses OpenSSL to decrypt or verify S/MIME messages. (CVE-2012-1165) A flaw was found in the PKCS#7 and Cryptographic Message Syntax (CMS) implementations in OpenSSL. An attacker could possibly use this flaw to perform a Bleichenbacher attack to decrypt an encrypted CMS, PKCS#7, or S/MIME message by sending a large number of chosen ciphertext messages to a service using OpenSSL and measuring error response times. (CVE-2012-0884) This update also fixes a regression caused by the fix for CVE-2011-4619, released via RHSA-2012:0060 and RHSA-2012:0059, which caused Server Gated Cryptography (SGC) handshakes to fail. All OpenSSL users should upgrade to these updated packages, which contain backported patches to resolve these issues. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted. Moderate Copyright 2012 Red Hat, Inc. CVE-2012-0884 CVE-2012-1165 CVE-2012-1165 openssl: mime_param_cmp NULL dereference crash CVE-2012-0884 openssl: CMS and PKCS#7 Bleichenbacher attack cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 libtasn1 is a library developed for ASN.1 (Abstract Syntax Notation One) structures management that includes DER (Distinguished Encoding Rules) encoding and decoding. A flaw was found in the way libtasn1 decoded DER data. An attacker could create carefully-crafted DER encoded input (such as an X.509 certificate) that, when parsed by an application that uses libtasn1 (such as applications using GnuTLS), could cause the application to crash. (CVE-2012-1569) Red Hat would like to thank Matthew Hall of Mu Dynamics for reporting this issue. Users of libtasn1 are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. For the update to take effect, all applications linked to the libtasn1 library must be restarted, or the system rebooted. Important Copyright 2012 Red Hat, Inc. CVE-2012-1569 CVE-2012-1569 libtasn1: DER decoding buffer overflow (GNUTLS-SA-2012-3, MU-201202-02) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The GnuTLS library provides support for cryptographic algorithms and for protocols such as Transport Layer Security (TLS). GnuTLS includes libtasn1, a library developed for ASN.1 (Abstract Syntax Notation One) structures management that includes DER (Distinguished Encoding Rules) encoding and decoding. A flaw was found in the way GnuTLS decrypted malformed TLS records. This could cause a TLS/SSL client or server to crash when processing a specially-crafted TLS record from a remote TLS/SSL connection peer. (CVE-2012-1573) A flaw was found in the way libtasn1 decoded DER data. An attacker could create a carefully-crafted X.509 certificate that, when parsed by an application that uses GnuTLS, could cause the application to crash. (CVE-2012-1569) A boundary error was found in the gnutls_session_get_data() function. A malicious TLS/SSL server could use this flaw to crash a TLS/SSL client or, possibly, execute arbitrary code as the client, if the client passed a fixed-sized buffer to gnutls_session_get_data() before checking the real size of the session data provided by the server. (CVE-2011-4128) Red Hat would like to thank Matthew Hall of Mu Dynamics for reporting CVE-2012-1573 and CVE-2012-1569. Users of GnuTLS are advised to upgrade to these updated packages, which contain backported patches to correct these issues. For the update to take effect, all applications linked to the GnuTLS library must be restarted, or the system rebooted. Important Copyright 2012 Red Hat, Inc. CVE-2011-4128 CVE-2012-1569 CVE-2012-1573 CVE-2011-4128 gnutls: buffer overflow in gnutls_session_get_data() (GNUTLS-SA-2011-2) CVE-2012-1569 libtasn1: DER decoding buffer overflow (GNUTLS-SA-2012-3, MU-201202-02) CVE-2012-1573 gnutls: TLS record handling issue (GNUTLS-SA-2012-2, MU-201202-01) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 The GnuTLS library provides support for cryptographic algorithms and for protocols such as Transport Layer Security (TLS). A flaw was found in the way GnuTLS decrypted malformed TLS records. This could cause a TLS/SSL client or server to crash when processing a specially-crafted TLS record from a remote TLS/SSL connection peer. (CVE-2012-1573) A boundary error was found in the gnutls_session_get_data() function. A malicious TLS/SSL server could use this flaw to crash a TLS/SSL client or, possibly, execute arbitrary code as the client, if the client passed a fixed-sized buffer to gnutls_session_get_data() before checking the real size of the session data provided by the server. (CVE-2011-4128) Red Hat would like to thank Matthew Hall of Mu Dynamics for reporting CVE-2012-1573. Users of GnuTLS are advised to upgrade to these updated packages, which contain backported patches to correct these issues. For the update to take effect, all applications linked to the GnuTLS library must be restarted, or the system rebooted. Important Copyright 2012 Red Hat, Inc. CVE-2011-4128 CVE-2012-1573 CVE-2011-4128 gnutls: buffer overflow in gnutls_session_get_data() (GNUTLS-SA-2011-2) CVE-2012-1573 gnutls: TLS record handling issue (GNUTLS-SA-2012-2, MU-201202-01) cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 Supplementary for Red Hat Enterprise Linux 6 The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in. This update fixes one vulnerability in Adobe Flash Player. This vulnerability is detailed on the Adobe security page APSB12-07, listed in the References section. Specially-crafted SWF content could cause flash-plugin to crash or, potentially, execute arbitrary code when a victim loads a page containing the specially-crafted SWF content. (CVE-2012-0773) All users of Adobe Flash Player should install this updated package, which upgrades Flash Player to version 10.3.183.18. Critical Copyright 2012 Red Hat, Inc. CVE-2012-0773 CVE-2012-0773 flash-plugin: arbitrary code execution via memory corruption flaw in NetStream class (APSB12-07) cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 The RPM Package Manager (RPM) is a command-line driven package management system capable of installing, uninstalling, verifying, querying, and updating software packages. Multiple flaws were found in the way RPM parsed package file headers. An attacker could create a specially-crafted RPM package that, when its package header was accessed, or during package signature verification, could cause an application using the RPM library (such as the rpm command line tool, or the yum and up2date package managers) to crash or, potentially, execute arbitrary code. (CVE-2012-0060, CVE-2012-0061, CVE-2012-0815) Note: Although an RPM package can, by design, execute arbitrary code when installed, this issue would allow a specially-crafted RPM package to execute arbitrary code before its digital signature has been verified. Package downloads from the Red Hat Network are protected by the use of a secure HTTPS connection in addition to the RPM package signature checks. All RPM users should upgrade to these updated packages, which contain a backported patch to correct these issues. All running applications linked against the RPM library must be restarted for this update to take effect. Important Copyright 2012 Red Hat, Inc. CVE-2012-0060 CVE-2012-0061 CVE-2012-0815 CVE-2012-0815 rpm: incorrect handling of negated offsets in headerVerifyInfo() CVE-2012-0060 rpm: insufficient validation of region tags CVE-2012-0061 rpm: improper validation of header contents total size in headerLoad() cpe:/o:redhat:rhel_els cpe:/o:redhat:enterprise_linux cpe:/o:redhat:rhel_aus cpe:/o:redhat:rhel_eus Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Samba is an open-source implementation of the Server Message Block (SMB) or Common Internet File System (CIFS) protocol, which allows PC-compatible machines to share files, printers, and other information. A flaw in the Samba suite's Perl-based DCE/RPC IDL (PIDL) compiler, used to generate code to handle RPC calls, resulted in multiple buffer overflows in Samba. A remote, unauthenticated attacker could send a specially-crafted RPC request that would cause the Samba daemon (smbd) to crash or, possibly, execute arbitrary code with the privileges of the root user. (CVE-2012-1182) Users of Samba are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing this update, the smb service will be restarted automatically. Critical Copyright 2012 Red Hat, Inc. CVE-2012-1182 CVE-2012-1182 samba: Multiple heap-based buffer overflows in memory management based on NDR marshalling code output cpe:/o:redhat:enterprise_linux cpe:/o:redhat:rhel_aus cpe:/o:redhat:rhel_eus Red Hat Enterprise Linux 5 Samba is an open-source implementation of the Server Message Block (SMB) or Common Internet File System (CIFS) protocol, which allows PC-compatible machines to share files, printers, and other information. A flaw in the Samba suite's Perl-based DCE/RPC IDL (PIDL) compiler, used to generate code to handle RPC calls, resulted in multiple buffer overflows in Samba. A remote, unauthenticated attacker could send a specially-crafted RPC request that would cause the Samba daemon (smbd) to crash or, possibly, execute arbitrary code with the privileges of the root user. (CVE-2012-1182) Users of Samba are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing this update, the smb service will be restarted automatically. Critical Copyright 2012 Red Hat, Inc. CVE-2012-1182 CVE-2012-1182 samba: Multiple heap-based buffer overflows in memory management based on NDR marshalling code output cpe:/o:redhat:enterprise_linux cpe:/o:redhat:rhel_eus Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 FreeType is a free, high-quality, portable font engine that can open and manage font files. It also loads, hints, and renders individual glyphs efficiently. Multiple flaws were found in the way FreeType handled TrueType Font (TTF), Glyph Bitmap Distribution Format (BDF), Windows .fnt and .fon, and PostScript Type 1 fonts. If a specially-crafted font file was loaded by an application linked against FreeType, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2012-1134, CVE-2012-1136, CVE-2012-1142, CVE-2012-1144) Multiple flaws were found in the way FreeType handled fonts in various formats. If a specially-crafted font file was loaded by an application linked against FreeType, it could cause the application to crash. (CVE-2012-1126, CVE-2012-1127, CVE-2012-1130, CVE-2012-1131, CVE-2012-1132, CVE-2012-1137, CVE-2012-1139, CVE-2012-1140, CVE-2012-1141, CVE-2012-1143) Red Hat would like to thank Mateusz Jurczyk of the Google Security Team for reporting these issues. Users are advised to upgrade to these updated packages, which contain a backported patch to correct these issues. The X server must be restarted (log out, then log back in) for this update to take effect. Important Copyright 2012 Red Hat, Inc. CVE-2012-1126 CVE-2012-1127 CVE-2012-1130 CVE-2012-1131 CVE-2012-1132 CVE-2012-1134 CVE-2012-1136 CVE-2012-1137 CVE-2012-1139 CVE-2012-1140 CVE-2012-1141 CVE-2012-1142 CVE-2012-1143 CVE-2012-1144 CVE-2012-1126 freetype: heap buffer over-read in BDF parsing _bdf_is_atom() (#35597, #35598) CVE-2012-1127 freetype: heap buffer over-read in BDF parsing _bdf_parse_glyphs() (#35599, #35600) CVE-2012-1130 freetype: heap buffer over-read in PCF parser pcf_get_properties() (#35603) CVE-2012-1131 freetype: incorrect type cast allowing input sanity check bypass in ft_smooth_render_generic() (#35604) CVE-2012-1132 freetype: heap buffer over-read in Type1 parser parse_subrs() (#35606) CVE-2012-1134 freetype: limited heap buffer overflow in Type1 parser T1_Get_Private_Dict() (#35608) CVE-2012-1136 freetype: uninitialized pointer use in BDF parser _bdf_parse_glyphs() (#35641) CVE-2012-1137 freetype: heap buffer off-by-one in BDF parsing _bdf_list_ensure() (#35643) CVE-2012-1139 freetype: data buffer underflow in BDF parser _bdf_parse_glyphs() (#35656) CVE-2012-1140 freetype: multiple buffer over-read in PS parser conversion functions (#35657) CVE-2012-1141 freetype: BDF parser _bdf_list_split() fails to properly initialize field array (#35658) CVE-2012-1142 freetype: incorrect computation of number of glyphs in FNT_Face_Init() for FNT/FON files (#35659) CVE-2012-1143 freetype: integer divide by zero in FT_DivFix() (#35660) CVE-2012-1144 freetype: insufficient checking of first outline point in TTF parser (#35689) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 The libtiff packages contain a library of functions for manipulating Tagged Image File Format (TIFF) files. Two integer overflow flaws, leading to heap-based buffer overflows, were found in the way libtiff attempted to allocate space for a tile in a TIFF image file. An attacker could use these flaws to create a specially-crafted TIFF file that, when opened, would cause an application linked against libtiff to crash or, possibly, execute arbitrary code. (CVE-2012-1173) All libtiff users should upgrade to these updated packages, which contain a backported patch to resolve these issues. All running applications linked against libtiff must be restarted for this update to take effect. Important Copyright 2012 Red Hat, Inc. CVE-2012-1173 CVE-2012-1173 libtiff: Heap-buffer overflow due to TileSize calculation when parsing tiff files cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 5 Supplementary for Red Hat Enterprise Linux 6 Adobe Reader allows users to view and print documents in Portable Document Format (PDF). This update fixes multiple security flaws in Adobe Reader. These flaws are detailed on the Adobe security page APSB12-08, listed in the References section. A specially-crafted PDF file could cause Adobe Reader to crash or, potentially, execute arbitrary code as the user running Adobe Reader when opened. (CVE-2012-0774, CVE-2012-0775, CVE-2012-0777) All Adobe Reader users should install these updated packages. They contain Adobe Reader version 9.5.1, which is not vulnerable to these issues. All running instances of Adobe Reader must be restarted for the update to take effect. Critical Copyright 2012 Red Hat, Inc. CVE-2011-4370 CVE-2011-4371 CVE-2011-4372 CVE-2011-4373 CVE-2012-0774 CVE-2012-0775 CVE-2012-0777 CVE-2011-4370 CVE-2011-4371 CVE-2011-4372 CVE-2011-4373 CVE-2012-0774 CVE-2012-0775 CVE-2012-0777 acroread: multiple unspecified flaws (APSB12-08, APSB12-01) cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 5 Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. It was found that the Java hashCode() method implementation was susceptible to predictable hash collisions. A remote attacker could use this flaw to cause Tomcat to use an excessive amount of CPU time by sending an HTTP request with a large number of parameters whose names map to the same hash value. This update introduces a limit on the number of parameters processed per request to mitigate this issue. The default limit is 512 for parameters and 128 for headers. These defaults can be changed by setting the org.apache.tomcat.util.http.Parameters.MAX_COUNT and org.apache.tomcat.util.http.MimeHeaders.MAX_COUNT system properties. (CVE-2011-4858) It was found that Tomcat did not handle large numbers of parameters and large parameter values efficiently. A remote attacker could make Tomcat use an excessive amount of CPU time by sending an HTTP request containing a large number of parameters or large parameter values. This update introduces limits on the number of parameters and headers processed per request to address this issue. Refer to the CVE-2011-4858 description for information about the org.apache.tomcat.util.http.Parameters.MAX_COUNT and org.apache.tomcat.util.http.MimeHeaders.MAX_COUNT system properties. (CVE-2012-0022) Red Hat would like to thank oCERT for reporting CVE-2011-4858. oCERT acknowledges Julian Wälde and Alexander Klink as the original reporters of CVE-2011-4858. Users of Tomcat should upgrade to these updated packages, which correct these issues. Tomcat must be restarted for this update to take effect. Moderate Copyright 2012 Red Hat, Inc. CVE-2011-4858 CVE-2012-0022 CVE-2011-4858 tomcat: hash table collisions CPU usage DoS (oCERT-2011-003) CVE-2012-0022 tomcat: large number of parameters DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. It was found that the Java hashCode() method implementation was susceptible to predictable hash collisions. A remote attacker could use this flaw to cause Tomcat to use an excessive amount of CPU time by sending an HTTP request with a large number of parameters whose names map to the same hash value. This update introduces a limit on the number of parameters processed per request to mitigate this issue. The default limit is 512 for parameters and 128 for headers. These defaults can be changed by setting the org.apache.tomcat.util.http.Parameters.MAX_COUNT and org.apache.tomcat.util.http.MimeHeaders.MAX_COUNT system properties. (CVE-2011-4858) It was found that Tomcat did not handle large numbers of parameters and large parameter values efficiently. A remote attacker could make Tomcat use an excessive amount of CPU time by sending an HTTP request containing a large number of parameters or large parameter values. This update introduces limits on the number of parameters and headers processed per request to address this issue. Refer to the CVE-2011-4858 description for information about the org.apache.tomcat.util.http.Parameters.MAX_COUNT and org.apache.tomcat.util.http.MimeHeaders.MAX_COUNT system properties. (CVE-2012-0022) Red Hat would like to thank oCERT for reporting CVE-2011-4858. oCERT acknowledges Julian Wälde and Alexander Klink as the original reporters of CVE-2011-4858. Users of Tomcat should upgrade to these updated packages, which correct these issues. Tomcat must be restarted for this update to take effect. Moderate Copyright 2012 Red Hat, Inc. CVE-2011-4858 CVE-2012-0022 CVE-2011-4858 tomcat: hash table collisions CPU usage DoS (oCERT-2011-003) CVE-2012-0022 tomcat: large number of parameters DoS cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issue: * A flaw in the xfrm6_tunnel_rcv() function in the Linux kernel's IPv6 implementation could lead to a use-after-free or double free flaw in tunnel6_rcv(). A remote attacker could use this flaw to send specially-crafted packets to a target system that is using IPv6 and also has the xfrm6_tunnel kernel module loaded, causing it to crash. (CVE-2012-1583, Important) If you do not run applications that use xfrm6_tunnel, you can prevent the xfrm6_tunnel module from being loaded by creating (as the root user) a "/etc/modprobe.d/xfrm6_tunnel.conf" file, and adding the following line to it: blacklist xfrm6_tunnel This way, the xfrm6_tunnel module cannot be loaded accidentally. A reboot is not necessary for this change to take effect. This update also fixes various bugs and adds an enhancement. Documentation for these changes will be available shortly from the Technical Notes document linked to in the References section. Users should upgrade to these updated packages, which contain backported patches to correct this issue, and fix the bugs and add the enhancement noted in the Technical Notes. The system must be rebooted for this update to take effect. Important Copyright 2012 Red Hat, Inc. CVE-2012-1583 CVE-2012-1583 kernel: ipv6: panic using raw sockets RHEL5.8 NFSv4 regression - "ls" returns "-ENOTDIR" when listing a subdirectory of exported mount [rhel-5.8.z] cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues: * Numerous reference count leaks were found in the Linux kernel's block layer I/O context handling implementation. This could allow a local, unprivileged user to cause a denial of service. (CVE-2012-0879, Moderate) * A flaw was found in the Linux kernel's cifs_lookup() implementation. POSIX open during lookup should only be supported for regular files. When non-regular files (for example, a named (FIFO) pipe or other special files) are opened on lookup, it could cause a denial of service. (CVE-2012-1090, Moderate) * It was found that the Linux kernel's register set (regset) common infrastructure implementation did not check if the required get and set handlers were initialized. A local, unprivileged user could use this flaw to cause a denial of service by performing a register set operation with a ptrace() PTRACE_SETREGSET or PTRACE_GETREGSET request. (CVE-2012-1097, Moderate) Red Hat would like to thank H. Peter Anvin for reporting CVE-2012-1097. This update also fixes several bugs and adds various enhancements. Documentation for these changes will be available shortly from the Technical Notes document linked to in the References section. Users should upgrade to these updated packages, which contain backported patches to correct these issues, and fix the bugs and add the enhancements noted in the Technical Notes. The system must be rebooted for this update to take effect. Moderate Copyright 2012 Red Hat, Inc. CVE-2012-0879 CVE-2012-1090 CVE-2012-1097 cifs: multiple process stuck waiting for page lock [rhel-6.2.z] CVE-2012-0879 kernel: block: CLONE_IO io_context refcounting issues CVE-2012-1090 kernel: cifs: dentry refcount leak when opening a FIFO on lookup leads to panic on unmount CVE-2012-1097 kernel: regset: Prevent null pointer reference on readonly regsets Anomaly in mbind memory map causing Java Hotspot JVM Seg fault with NUMA aware ParallelScavange GC [rhel-6.2.z] cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 6 The IBM 1.5.0 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. This update fixes several vulnerabilities in the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. Detailed vulnerability descriptions are linked from the IBM "Security alerts" page, listed in the References section. (CVE-2011-3389, CVE-2011-3557, CVE-2011-3560, CVE-2011-3563, CVE-2012-0498, CVE-2012-0499, CVE-2012-0501, CVE-2012-0502, CVE-2012-0503, CVE-2012-0505, CVE-2012-0506, CVE-2012-0507) All users of java-1.5.0-ibm are advised to upgrade to these updated packages, containing the IBM 1.5.0 SR13-FP1 Java release. All running instances of IBM Java must be restarted for this update to take effect. Critical Copyright 2012 Red Hat, Inc. CVE-2011-3389 CVE-2011-3557 CVE-2011-3560 CVE-2011-3563 CVE-2012-0498 CVE-2012-0499 CVE-2012-0501 CVE-2012-0502 CVE-2012-0503 CVE-2012-0505 CVE-2012-0506 CVE-2012-0507 CVE-2011-3389 HTTPS: block-wise chosen-plaintext attack against SSL/TLS (BEAST) CVE-2011-3560 OpenJDK: missing checkSetFactory calls in HttpsURLConnection (JSSE, 7096936) CVE-2011-3557 OpenJDK: RMI registry privileged code execution (RMI, 7083012) CVE-2012-0501 OpenJDK: off-by-one bug in ZIP reading code (JRE, 7118283) CVE-2012-0503 OpenJDK: unrestricted use of TimeZone.setDefault() (i18n, 7110687) CVE-2012-0507 OpenJDK: AtomicReferenceArray insufficient array type check (Concurrency, 7082299) CVE-2011-3563 OpenJDK: JavaSound incorrect bounds check (Sound, 7088367) CVE-2012-0502 OpenJDK: KeyboardFocusManager focus stealing (AWT, 7110683) CVE-2012-0505 OpenJDK: incomplete info in the deserialization exception (Serialization, 7110700) CVE-2012-0506 OpenJDK: mutable repository identifiers (CORBA, 7110704) CVE-2012-0498 Oracle JDK: unspecified vulnerability fixed in 6u31 and 7u3 (2D) CVE-2012-0499 Oracle JDK: unspecified vulnerability fixed in 6u31 and 7u3 (2D) cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 6 Wireshark is a program for monitoring network traffic. Wireshark was previously known as Ethereal. Several flaws were found in Wireshark. If Wireshark read a malformed packet off a network or opened a malicious dump file, it could crash or, possibly, execute arbitrary code as the user running Wireshark. (CVE-2011-1590, CVE-2011-4102, CVE-2012-1595) Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file. (CVE-2011-1143, CVE-2011-1957, CVE-2011-1958, CVE-2011-1959, CVE-2011-2174, CVE-2011-2175, CVE-2011-2597, CVE-2011-2698, CVE-2012-0041, CVE-2012-0042, CVE-2012-0067, CVE-2012-0066) Users of Wireshark should upgrade to these updated packages, which contain backported patches to correct these issues. All running instances of Wireshark must be restarted for the update to take effect. Moderate Copyright 2012 Red Hat, Inc. CVE-2011-1143 CVE-2011-1590 CVE-2011-1957 CVE-2011-1958 CVE-2011-1959 CVE-2011-2174 CVE-2011-2175 CVE-2011-2597 CVE-2011-2698 CVE-2011-4102 CVE-2012-0041 CVE-2012-0042 CVE-2012-0066 CVE-2012-0067 CVE-2012-1595 CVE-2011-1143 Wireshark: Null pointer dereference causing application crash when reading malformed pcap file CVE-2011-1590 Wireshark: Use-after-free causes heap-based buffer overflow in X.509if dissector CVE-2011-1957 wireshark: Infinite loop in the DICOM dissector CVE-2011-1959 wireshark: Stack-based buffer over-read from tvbuff buffer when reading snoop capture files CVE-2011-2174 wireshark: Double-free flaw by uncompressing of a zlib compressed packet CVE-2011-2175 wireshark: Heap-based buffer over-read in Visual Networks dissector CVE-2011-1958 wireshark (64bit): NULL pointer dereference by processing of a corrupted Diameter dictionary file CVE-2011-2597 wireshark: infinite loop DoS in lucent/ascend file parser CVE-2011-2698 wireshark: Infinite loop in the ANSI A Interface (IS-634/IOS) dissector CVE-2011-4102 wireshark: buffer overflow in the ERF file reader CVE-2012-0041 wireshark: multiple file parser vulnerabilities (wnpa-sec-2012-01) CVE-2012-0042 wireshark: NULL pointer vulnerabilities (wnpa-sec-2012-02) CVE-2012-0066 Wireshark: Dos via large buffer allocation request CVE-2012-0067 Wireshark: Dos due to integer overflow in IPTrace capture format parser CVE-2012-1595 wireshark: Heap-based buffer overflow when reading ERF packets from pcap/pcap-ng trace files cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 6 The IBM Java SE version 6 release includes the IBM Java 6 Runtime Environment and the IBM Java 6 Software Development Kit. This update fixes several vulnerabilities in the IBM Java 6 Runtime Environment and the IBM Java 6 Software Development Kit. Detailed vulnerability descriptions are linked from the IBM "Security alerts" page, listed in the References section. (CVE-2011-3563, CVE-2011-5035, CVE-2012-0497, CVE-2012-0498, CVE-2012-0499, CVE-2012-0500, CVE-2012-0501, CVE-2012-0502, CVE-2012-0503, CVE-2012-0505, CVE-2012-0506, CVE-2012-0507) All users of java-1.6.0-ibm are advised to upgrade to these updated packages, containing the IBM Java 6 SR10-FP1 release. All running instances of IBM Java must be restarted for the update to take effect. Critical Copyright 2012 Red Hat, Inc. CVE-2011-3563 CVE-2011-5035 CVE-2012-0497 CVE-2012-0498 CVE-2012-0499 CVE-2012-0500 CVE-2012-0501 CVE-2012-0502 CVE-2012-0503 CVE-2012-0505 CVE-2012-0506 CVE-2012-0507 CVE-2011-5035 OpenJDK: HttpServer no header count limit (Lightweight HTTP Server, 7126960) CVE-2012-0501 OpenJDK: off-by-one bug in ZIP reading code (JRE, 7118283) CVE-2012-0503 OpenJDK: unrestricted use of TimeZone.setDefault() (i18n, 7110687) CVE-2012-0507 OpenJDK: AtomicReferenceArray insufficient array type check (Concurrency, 7082299) CVE-2011-3563 OpenJDK: JavaSound incorrect bounds check (Sound, 7088367) CVE-2012-0502 OpenJDK: KeyboardFocusManager focus stealing (AWT, 7110683) CVE-2012-0505 OpenJDK: incomplete info in the deserialization exception (Serialization, 7110700) CVE-2012-0506 OpenJDK: mutable repository identifiers (CORBA, 7110704) CVE-2012-0497 OpenJDK: insufficient checking of the graphics rendering object (2D, 7112642) CVE-2012-0498 Oracle JDK: unspecified vulnerability fixed in 6u31 and 7u3 (2D) CVE-2012-0499 Oracle JDK: unspecified vulnerability fixed in 6u31 and 7u3 (2D) CVE-2012-0500 Oracle JDK: unspecified vulnerability fixed in 6u31 and 7u3 (Deployment) cpe:/a:redhat:rhel_extras Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. A flaw was found in Sanitiser for OpenType (OTS), used by Firefox to help prevent potential exploits in malformed OpenType fonts. A web page containing malicious content could cause Firefox to crash or, under certain conditions, possibly execute arbitrary code with the privileges of the user running Firefox. (CVE-2011-3062) A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2012-0467, CVE-2012-0468, CVE-2012-0469) A web page containing a malicious Scalable Vector Graphics (SVG) image file could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2012-0470) A flaw was found in the way Firefox used its embedded Cairo library to render certain fonts. A web page containing malicious content could cause Firefox to crash or, under certain conditions, possibly execute arbitrary code with the privileges of the user running Firefox. (CVE-2012-0472) A flaw was found in the way Firefox rendered certain images using WebGL. A web page containing malicious content could cause Firefox to crash or, under certain conditions, possibly execute arbitrary code with the privileges of the user running Firefox. (CVE-2012-0478) A cross-site scripting (XSS) flaw was found in the way Firefox handled certain multibyte character sets. A web page containing malicious content could cause Firefox to run JavaScript code with the permissions of a different website. (CVE-2012-0471) A flaw was found in the way Firefox rendered certain graphics using WebGL. A web page containing malicious content could cause Firefox to crash. (CVE-2012-0473) A flaw in Firefox allowed the address bar to display a different website than the one the user was visiting. An attacker could use this flaw to conceal a malicious URL, possibly tricking a user into believing they are viewing a trusted site, or allowing scripts to be loaded from the attacker's site, possibly leading to cross-site scripting (XSS) attacks. (CVE-2012-0474) A flaw was found in the way Firefox decoded the ISO-2022-KR and ISO-2022-CN character sets. A web page containing malicious content could cause Firefox to run JavaScript code with the permissions of a different website. (CVE-2012-0477) A flaw was found in the way Firefox handled RSS and Atom feeds. Invalid RSS or Atom content loaded over HTTPS caused Firefox to display the address of said content in the location bar, but not the content in the main window. The previous content continued to be displayed. An attacker could use this flaw to perform phishing attacks, or trick users into thinking they are visiting the site reported by the location bar, when the page is actually content controlled by an attacker. (CVE-2012-0479) For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 10.0.4 ESR. You can find a link to the Mozilla advisories in the References section of this erratum. Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Mateusz Jurczyk of the Google Security Team as the original reporter of CVE-2011-3062; Aki Helin from OUSPG as the original reporter of CVE-2012-0469; Atte Kettunen from OUSPG as the original reporter of CVE-2012-0470; wushi of team509 via iDefense as the original reporter of CVE-2012-0472; Ms2ger as the original reporter of CVE-2012-0478; Anne van Kesteren of Opera Software as the original reporter of CVE-2012-0471; Matias Juntunen as the original reporter of CVE-2012-0473; Jordi Chancel and Eddy Bordi, and Chris McGowen as the original reporters of CVE-2012-0474; Masato Kinugawa as the original reporter of CVE-2012-0477; and Jeroen van der Gun as the original reporter of CVE-2012-0479. Critical Copyright 2012 Red Hat, Inc. CVE-2011-3062 CVE-2012-0467 CVE-2012-0468 CVE-2012-0469 CVE-2012-0470 CVE-2012-0471 CVE-2012-0472 CVE-2012-0473 CVE-2012-0474 CVE-2012-0477 CVE-2012-0478 CVE-2012-0479 CVE-2012-0467 CVE-2012-0468 Mozilla: Miscellaneous memory safety hazards (rv:12.0/ rv:10.0.4) (MFSA 2012-20) CVE-2012-0469 Mozilla: use-after-free in IDBKeyRange (MFSA 2012-22) CVE-2012-0470 Mozilla: Invalid frees causes heap corruption in gfxImageSurface (MFSA 2012-23) CVE-2012-0471 Mozilla: Potential XSS via multibyte content processing errors (MFSA 2012-24) CVE-2012-0472 Mozilla: Potential memory corruption during font rendering using cairo-dwrite (MFSA 2012-25) CVE-2012-0473 Mozilla: WebGL.drawElements may read illegal video memory due to FindMaxUshortElement error (MFSA 2012-26) CVE-2012-0474 Mozilla: Page load short-circuit can lead to XSS (MFSA 2012-27) CVE-2012-0477 Mozilla: Potential XSS through ISO-2022-KR/ISO-2022-CN decoding issues (MFSA 2012-29) CVE-2012-0478 Mozilla: Crash with WebGL content using textImage2D (MFSA 2012-30) CVE-2011-3062 Mozilla: Off-by-one error in OpenType Sanitizer (MFSA 2012-31) CVE-2012-0479 Mozilla: Potential site identity spoofing when loading RSS and Atom feeds (MFSA 2012-33) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Mozilla Thunderbird is a standalone mail and newsgroup client. A flaw was found in Sanitiser for OpenType (OTS), used by Thunderbird to help prevent potential exploits in malformed OpenType fonts. Malicious content could cause Thunderbird to crash or, under certain conditions, possibly execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2011-3062) Malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2012-0467, CVE-2012-0468, CVE-2012-0469) Content containing a malicious Scalable Vector Graphics (SVG) image file could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2012-0470) A flaw was found in the way Thunderbird used its embedded Cairo library to render certain fonts. Malicious content could cause Thunderbird to crash or, under certain conditions, possibly execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2012-0472) A flaw was found in the way Thunderbird rendered certain images using WebGL. Malicious content could cause Thunderbird to crash or, under certain conditions, possibly execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2012-0478) A cross-site scripting (XSS) flaw was found in the way Thunderbird handled certain multibyte character sets. Malicious content could cause Thunderbird to run JavaScript code with the permissions of different content. (CVE-2012-0471) A flaw was found in the way Thunderbird rendered certain graphics using WebGL. Malicious content could cause Thunderbird to crash. (CVE-2012-0473) A flaw in the built-in feed reader in Thunderbird allowed the Website field to display the address of different content than the content the user was visiting. An attacker could use this flaw to conceal a malicious URL, possibly tricking a user into believing they are viewing a trusted site, or allowing scripts to be loaded from the attacker's site, possibly leading to cross-site scripting (XSS) attacks. (CVE-2012-0474) A flaw was found in the way Thunderbird decoded the ISO-2022-KR and ISO-2022-CN character sets. Malicious content could cause Thunderbird to run JavaScript code with the permissions of different content. (CVE-2012-0477) A flaw was found in the way the built-in feed reader in Thunderbird handled RSS and Atom feeds. Invalid RSS or Atom content loaded over HTTPS caused Thunderbird to display the address of said content, but not the content. The previous content continued to be displayed. An attacker could use this flaw to perform phishing attacks, or trick users into thinking they are visiting the site reported by the Website field, when the page is actually content controlled by an attacker. (CVE-2012-0479) Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Mateusz Jurczyk of the Google Security Team as the original reporter of CVE-2011-3062; Aki Helin from OUSPG as the original reporter of CVE-2012-0469; Atte Kettunen from OUSPG as the original reporter of CVE-2012-0470; wushi of team509 via iDefense as the original reporter of CVE-2012-0472; Ms2ger as the original reporter of CVE-2012-0478; Anne van Kesteren of Opera Software as the original reporter of CVE-2012-0471; Matias Juntunen as the original reporter of CVE-2012-0473; Jordi Chancel and Eddy Bordi, and Chris McGowen as the original reporters of CVE-2012-0474; Masato Kinugawa as the original reporter of CVE-2012-0477; and Jeroen van der Gun as the original reporter of CVE-2012-0479. Note: All issues except CVE-2012-0470, CVE-2012-0472, and CVE-2011-3062 cannot be exploited by a specially-crafted HTML mail message as JavaScript is disabled by default for mail messages. It could be exploited another way in Thunderbird, for example, when viewing the full remote content of an RSS feed. Critical Copyright 2012 Red Hat, Inc. CVE-2011-3062 CVE-2012-0467 CVE-2012-0468 CVE-2012-0469 CVE-2012-0470 CVE-2012-0471 CVE-2012-0472 CVE-2012-0473 CVE-2012-0474 CVE-2012-0477 CVE-2012-0478 CVE-2012-0479 CVE-2012-0467 CVE-2012-0468 Mozilla: Miscellaneous memory safety hazards (rv:12.0/ rv:10.0.4) (MFSA 2012-20) CVE-2012-0469 Mozilla: use-after-free in IDBKeyRange (MFSA 2012-22) CVE-2012-0470 Mozilla: Invalid frees causes heap corruption in gfxImageSurface (MFSA 2012-23) CVE-2012-0471 Mozilla: Potential XSS via multibyte content processing errors (MFSA 2012-24) CVE-2012-0472 Mozilla: Potential memory corruption during font rendering using cairo-dwrite (MFSA 2012-25) CVE-2012-0473 Mozilla: WebGL.drawElements may read illegal video memory due to FindMaxUshortElement error (MFSA 2012-26) CVE-2012-0474 Mozilla: Page load short-circuit can lead to XSS (MFSA 2012-27) CVE-2012-0477 Mozilla: Potential XSS through ISO-2022-KR/ISO-2022-CN decoding issues (MFSA 2012-29) CVE-2012-0478 Mozilla: Crash with WebGL content using textImage2D (MFSA 2012-30) CVE-2011-3062 Mozilla: Off-by-one error in OpenType Sanitizer (MFSA 2012-31) CVE-2012-0479 Mozilla: Potential site identity spoofing when loading RSS and Atom feeds (MFSA 2012-33) cpe:/o:redhat:enterprise_linux cpe:/a:redhat:rhel_productivity Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 5 OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. Multiple numeric conversion errors, leading to a buffer overflow, were found in the way OpenSSL parsed ASN.1 (Abstract Syntax Notation One) data from BIO (OpenSSL's I/O abstraction) inputs. Specially-crafted DER (Distinguished Encoding Rules) encoded data read from a file or other BIO input could cause an application using the OpenSSL library to crash or, potentially, execute arbitrary code. (CVE-2012-2110) All OpenSSL users should upgrade to these updated packages, which contain a backported patch to resolve this issue. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted. Important Copyright 2012 Red Hat, Inc. CVE-2012-2110 CVE-2012-2110 openssl: asn1_d2i_read_bio integer errors leading to buffer overflow cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 The libpng packages contain a library of functions for creating and manipulating PNG (Portable Network Graphics) image format files. A heap-based buffer overflow flaw was found in the way libpng processed tEXt chunks in PNG image files. An attacker could create a specially-crafted PNG image file that, when opened, could cause an application using libpng to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2011-3048) Users of libpng should upgrade to these updated packages, which correct this issue. For Red Hat Enterprise Linux 5, they contain a backported patch. For Red Hat Enterprise Linux 6, they upgrade libpng to version 1.2.49. All running applications using libpng must be restarted for the update to take effect. Moderate Copyright 2012 Red Hat, Inc. CVE-2011-3048 CVE-2011-3048 libpng: memory corruption flaw cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Samba is an open-source implementation of the Server Message Block (SMB) or Common Internet File System (CIFS) protocol, which allows PC-compatible machines to share files, printers, and other information. A flaw was found in the way Samba handled certain Local Security Authority (LSA) Remote Procedure Calls (RPC). An authenticated user could use this flaw to issue an RPC call that would modify the privileges database on the Samba server, allowing them to steal the ownership of files and directories that are being shared by the Samba server, and create, delete, and modify user accounts, as well as other Samba server administration tasks. (CVE-2012-2111) Red Hat would like to thank the Samba project for reporting this issue. Upstream acknowledges Ivano Cristofolini as the original reporter. Users of Samba are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing this update, the smb service will be restarted automatically. Important Copyright 2012 Red Hat, Inc. CVE-2012-2111 CVE-2012-2111 samba: Incorrect permission checks when granting/removing privileges cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 ImageMagick is an image display and manipulation tool for the X Window System that can read and write multiple image formats. A flaw was found in the way ImageMagick processed images with malformed Exchangeable image file format (Exif) metadata. An attacker could create a specially-crafted image file that, when opened by a victim, would cause ImageMagick to crash or, potentially, execute arbitrary code. (CVE-2012-0247) A denial of service flaw was found in the way ImageMagick processed images with malformed Exif metadata. An attacker could create a specially-crafted image file that, when opened by a victim, could cause ImageMagick to enter an infinite loop. (CVE-2012-0248) It was found that ImageMagick utilities tried to load ImageMagick configuration files from the current working directory. If a user ran an ImageMagick utility in an attacker-controlled directory containing a specially-crafted ImageMagick configuration file, it could cause the utility to execute arbitrary code. (CVE-2010-4167) An integer overflow flaw was found in the way ImageMagick processed certain Exif tags with a large components count. An attacker could create a specially-crafted image file that, when opened by a victim, could cause ImageMagick to access invalid memory and crash. (CVE-2012-0259) A denial of service flaw was found in the way ImageMagick decoded certain JPEG images. A remote attacker could provide a JPEG image with specially-crafted sequences of RST0 up to RST7 restart markers (used to indicate the input stream to be corrupted), which once processed by ImageMagick, would cause it to consume excessive amounts of memory and CPU time. (CVE-2012-0260) An out-of-bounds buffer read flaw was found in the way ImageMagick processed certain TIFF image files. A remote attacker could provide a TIFF image with a specially-crafted Exif IFD value (the set of tags for recording Exif-specific attribute information), which once opened by ImageMagick, would cause it to crash. (CVE-2012-1798) Red Hat would like to thank CERT-FI for reporting CVE-2012-0259, CVE-2012-0260, and CVE-2012-1798. CERT-FI acknowledges Aleksis Kauppinen, Joonas Kuorilehto, Tuomas Parttimaa and Lasse Ylivainio of Codenomicon's CROSS project as the original reporters. Users of ImageMagick are advised to upgrade to these updated packages, which contain backported patches to correct these issues. All running instances of ImageMagick must be restarted for this update to take effect. Moderate Copyright 2012 Red Hat, Inc. CVE-2010-4167 CVE-2012-0247 CVE-2012-0248 CVE-2012-0259 CVE-2012-0260 CVE-2012-1798 CVE-2010-4167 ImageMagick: configuration files read from $CWD may allow arbitrary code execution CVE-2012-0247 CVE-2012-0248 ImageMagick: invalid validation of images denial of service CVE-2012-0259 ImageMagick: Out-of heap-based buffer read by processing crafted JPEG EXIF header tag value CVE-2012-0260 ImageMagick: excessive CPU use DoS by processing JPEG images with crafted restart markers CVE-2012-1798 ImageMagick: Out-of-bounds buffer read by copying image bytes for TIFF images with crafted TIFF EXIF IFD value cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 ImageMagick is an image display and manipulation tool for the X Window System that can read and write multiple image formats. A flaw was found in the way ImageMagick processed images with malformed Exchangeable image file format (Exif) metadata. An attacker could create a specially-crafted image file that, when opened by a victim, would cause ImageMagick to crash or, potentially, execute arbitrary code. (CVE-2012-0247) A denial of service flaw was found in the way ImageMagick processed images with malformed Exif metadata. An attacker could create a specially-crafted image file that, when opened by a victim, could cause ImageMagick to enter an infinite loop. (CVE-2012-0248) A denial of service flaw was found in the way ImageMagick decoded certain JPEG images. A remote attacker could provide a JPEG image with specially-crafted sequences of RST0 up to RST7 restart markers (used to indicate the input stream to be corrupted), which once processed by ImageMagick, would cause it to consume excessive amounts of memory and CPU time. (CVE-2012-0260) Red Hat would like to thank CERT-FI for reporting CVE-2012-0260. CERT-FI acknowledges Aleksis Kauppinen, Joonas Kuorilehto, Tuomas Parttimaa and Lasse Ylivainio of Codenomicon's CROSS project as the original reporters. This update also fixes the following bug: * The fix for Red Hat Bugzilla bug 694922, provided by the RHSA-2012:0301 ImageMagick update, introduced a regression. Attempting to use the "convert" utility to convert a PostScript document could fail with a "/undefinedfilename" error. With this update, conversion works as expected. (BZ#804546) Users of ImageMagick are advised to upgrade to these updated packages, which contain backported patches to correct these issues. All running instances of ImageMagick must be restarted for this update to take effect. Moderate Copyright 2012 Red Hat, Inc. CVE-2012-0247 CVE-2012-0248 CVE-2012-0260 CVE-2012-0247 CVE-2012-0248 ImageMagick: invalid validation of images denial of service CVE-2012-0260 ImageMagick: excessive CPU use DoS by processing JPEG images with crafted restart markers cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. A flaw was found in the way the php-cgi executable processed command line arguments when running in CGI mode. A remote attacker could send a specially-crafted request to a PHP script that would result in the query string being parsed by php-cgi as command line options and arguments. This could lead to the disclosure of the script's source code or arbitrary code execution with the privileges of the PHP interpreter. (CVE-2012-1823) Red Hat is aware that a public exploit for this issue is available that allows remote code execution in affected PHP CGI configurations. This flaw does not affect the default configuration in Red Hat Enterprise Linux 5 and 6 using the PHP module for Apache httpd to handle PHP scripts. All php users should upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing the updated packages, the httpd daemon must be restarted for the update to take effect. Critical Copyright 2012 Red Hat, Inc. CVE-2012-1823 CVE-2012-1823 php: command line arguments injection when run in CGI mode (VU#520827) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. A flaw was found in the way the php-cgi executable processed command line arguments when running in CGI mode. A remote attacker could send a specially-crafted request to a PHP script that would result in the query string being parsed by php-cgi as command line options and arguments. This could lead to the disclosure of the script's source code or arbitrary code execution with the privileges of the PHP interpreter. (CVE-2012-1823) Red Hat is aware that a public exploit for this issue is available that allows remote code execution in affected PHP CGI configurations. This flaw does not affect the default configuration using the PHP module for Apache httpd to handle PHP scripts. All php53 users should upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing the updated packages, the httpd daemon must be restarted for the update to take effect. Critical Copyright 2012 Red Hat, Inc. CVE-2012-1823 CVE-2012-1823 php: command line arguments injection when run in CGI mode (VU#520827) cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues: * A flaw was found in the way the Linux kernel's journal_unmap_buffer() function handled buffer head states. On systems that have an ext4 file system with a journal mounted, a local, unprivileged user could use this flaw to cause a denial of service. (CVE-2011-4086, Moderate) * A flaw was found in the way the KVM_CREATE_IRQCHIP ioctl was handled. Calling this ioctl when at least one virtual CPU (VCPU) already existed could lead to a NULL pointer dereference later when the VCPU is scheduled to run. A local, unprivileged user on a KVM host could use this flaw to crash the host. (CVE-2012-1601, Moderate) This update also fixes several bugs. Documentation for these changes will be available shortly from the Technical Notes document linked to in the References section. Users should upgrade to these updated packages, which contain backported patches to correct these issues, and fix the bugs noted in the Technical Notes. The system must be rebooted for this update to take effect. Moderate Copyright 2012 Red Hat, Inc. CVE-2011-4086 CVE-2012-1601 CVE-2011-4086 kernel: jbd2: unmapped buffer with _Unwritten or _Delay flags set can lead to DoS CVE-2012-1601 kernel: kvm: irqchip_in_kernel() and vcpu->arch.apic inconsistency AMD IOMMU driver hands out dma handles that are in the MSI address range [rhel-6.2.z] readdir64_r calls fail with ELOOP [rhel-6.2.z] Fix RPC priority queue wake up all tasks processing [rhel-6.2.z] cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. KVM is a Linux kernel module built for the standard Red Hat Enterprise Linux kernel. A flaw was found in the way the KVM_CREATE_IRQCHIP ioctl was handled. Calling this ioctl when at least one virtual CPU (VCPU) already existed could lead to a NULL pointer dereference later when the VCPU is scheduled to run. A malicious user in the kvm group on the host could use this flaw to crash the host. (CVE-2012-1601) A flaw was found in the way device memory was handled during guest device removal. Upon successful device removal, memory used by the device was not properly unmapped from the corresponding IOMMU or properly released from the kernel, leading to a memory leak. A malicious user in the kvm group on the host who has the ability to assign a device to a guest could use this flaw to crash the host. (CVE-2012-2121) This update also fixes the following bug: * An off-by-one error in the QEMU guest's memory management could, in rare cases, cause QEMU-KVM to crash due to a segmentation fault in tb_invalidate_phys_page_range() if a device initiated DMA into a specific guest address. In a reported case, this issue presented on a system that had a guest using the 8139cp network driver. (BZ#816207) All users of kvm are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Note that the procedure in the Solution section must be performed before this update will take effect. Moderate Copyright 2012 Red Hat, Inc. CVE-2012-1601 CVE-2012-2121 CVE-2012-1601 kernel: kvm: irqchip_in_kernel() and vcpu->arch.apic inconsistency CVE-2012-2121 kvm: device assignment page leak cpe:/a:redhat:rhel_virtualization Red Hat Enterprise Linux 5 PostgreSQL is an advanced object-relational database management system (DBMS). The pg_dump utility inserted object names literally into comments in the SQL script it produces. An unprivileged database user could create an object whose name includes a newline followed by an SQL command. This SQL command might then be executed by a privileged user during later restore of the backup dump, allowing privilege escalation. (CVE-2012-0868) CREATE TRIGGER did not do a permissions check on the trigger function to be called. This could possibly allow an authenticated database user to call a privileged trigger function on data of their choosing. (CVE-2012-0866) All PostgreSQL users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. If the postgresql service is running, it will be automatically restarted after installing this update. Moderate Copyright 2012 Red Hat, Inc. CVE-2012-0866 CVE-2012-0868 CVE-2012-0866 postgresql: Absent permission checks on trigger function to be called when creating a trigger CVE-2012-0868 postgresql: SQL injection due unsanitized newline characters in object names cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 PostgreSQL is an advanced object-relational database management system (DBMS). The pg_dump utility inserted object names literally into comments in the SQL script it produces. An unprivileged database user could create an object whose name includes a newline followed by an SQL command. This SQL command might then be executed by a privileged user during later restore of the backup dump, allowing privilege escalation. (CVE-2012-0868) When configured to do SSL certificate verification, PostgreSQL only checked the first 31 characters of the certificate's Common Name field. Depending on the configuration, this could allow an attacker to impersonate a server or a client using a certificate from a trusted Certificate Authority issued for a different name. (CVE-2012-0867) CREATE TRIGGER did not do a permissions check on the trigger function to be called. This could possibly allow an authenticated database user to call a privileged trigger function on data of their choosing. (CVE-2012-0866) These updated packages upgrade PostgreSQL to version 8.4.11, which fixes these issues as well as several data-corruption issues and lesser non-security issues. Refer to the PostgreSQL Release Notes for a full list of changes: http://www.postgresql.org/docs/8.4/static/release.html All PostgreSQL users are advised to upgrade to these updated packages, which correct these issues. If the postgresql service is running, it will be automatically restarted after installing this update. Moderate Copyright 2012 Red Hat, Inc. CVE-2012-0866 CVE-2012-0867 CVE-2012-0868 CVE-2012-0866 postgresql: Absent permission checks on trigger function to be called when creating a trigger CVE-2012-0867 postgresql: MITM due improper x509_v3 CN validation during certificate verification CVE-2012-0868 postgresql: SQL injection due unsanitized newline characters in object names cpe:/o:redhat:enterprise_linux Red Hat Enterprise Linux 6 The dynamic LDAP back end is a plug-in for BIND that provides back-end capabilities to LDAP databases. It features support for dynamic updates and internal caching that help to reduce the load on LDAP servers. A flaw was found in the way bind-dyndb-ldap handled LDAP query errors. If a remote attacker were able to send DNS queries to a named server that is configured to use bind-dyndb-ldap, they could trigger such an error with a DNS query leveraging bind-dyndb-ldap's insufficient escaping of the LDAP base DN (distinguished name). This would result in an invalid LDAP query that named would retry in a loop, preventing it from responding to other DNS queries. With this update, bind-dyndb-ldap only attempts to retry one time when an LDAP search returns an unexpected error. (CVE-2012-2134) Red Hat would like to thank Ronald van Zantvoort for reporting this issue. All bind-dyndb-ldap users should upgrade to this updated package, which contains a backported patch to correct this issue. For the update to take effect, the named service must be restarted. Important Copyright 2012 Red Hat, Inc. CVE-2012-2134 CVE-2012-2134 bind-dyndb-ldap: Bind DoS (named hang) by processing DNS query for zone served by bind-dyndb-ldap cpe:/o:redhat:enterprise_linux Supplementary for Red Hat Enterprise Linux 6 The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in. This update fixes one vulnerability in Adobe Flash Player. This vulnerability is detailed on the Adobe security page APSB12-09, listed in the References section. Specially-crafted SWF content could cause flash-plugin to crash or, potentially, execute arbitrary code when a victim loads a page containing the specially-crafted SWF content. (CVE-2012-0779) All users of Adobe Flash Player should install this updated package, which upgrades Flash Player to version 10.3.183.19. Critical Copyright 2012 Red Hat, Inc. CVE-2012-0779 CVE-2012-0779 flash-plugin: arbitrary code execution via object confusion (APSB12-09) cpe:/a:redhat:rhel_extras